Context Navigation

source: mainline/uspace/lib/crypto/crypto.c@ 3faf90ad

Visit:

lfn serial ticket/834-toolchain-update topic/msim-upgrade topic/simplify-dev-export

Last change on this file since 3faf90ad was a4cf312, checked in by Jiří Zárevúcky <zarevucky.jiri@…>, 6 years ago
Fix build with -fsanitize=undefined
Property mode set to `100644`
File size: 10.6 KB

Line
1	/*
2	* Copyright (c) 2015 Jan Kolarik
3	* All rights reserved.
4	*
5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions
7	* are met:
8	*
9	* - Redistributions of source code must retain the above copyright
10	* notice, this list of conditions and the following disclaimer.
11	* - Redistributions in binary form must reproduce the above copyright
12	* notice, this list of conditions and the following disclaimer in the
13	* documentation and/or other materials provided with the distribution.
14	* - The name of the author may not be used to endorse or promote products
15	* derived from this software without specific prior written permission.
16	*
17	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27	*/
28
29	/** @file crypto.c
30	*
31	* Cryptographic functions library.
32	*/
33
34	#include <assert.h>
35	#include <str.h>
36	#include <macros.h>
37	#include <errno.h>
38	#include <byteorder.h>
39	#include <limits.h>
40	#include "crypto.h"
41
42	/** Hash function procedure definition. */
43	typedef void (hash_fnc_t)(uint32_t , uint32_t *);
44
45	/** Length of HMAC block. */
46	#define HMAC_BLOCK_LENGTH 64
47
48	/** Ceiling for uint32_t. */
49	#define ceil_uint32(val) \
50	(((val) - (uint32_t) (val)) > 0 ? \
51	(uint32_t) ((val) + 1) : (uint32_t) (val))
52
53	/** Floor for uint32_t. */
54	#define floor_uint32(val) \
55	(((val) - (uint32_t) (val)) < 0 ? \
56	(uint32_t) ((val) - 1) : (uint32_t) (val))
57
58	/** Pick value at specified index from array or zero if out of bounds. */
59	#define get_at(input, size, i) \
60	((i) < (size) ? (input[i]) : 0)
61
62	/** Init values used in SHA1 and MD5 functions. */
63	static const uint32_t hash_init[] = {
64	0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0
65	};
66
67	/** Shift amount array for MD5 algorithm. */
68	static const uint32_t md5_shift[] = {
69	7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
70	5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
71	4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
72	6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21
73	};
74
75	/** Substitution box for MD5 algorithm. */
76	static const uint32_t md5_sbox[] = {
77	0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
78	0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
79	0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
80	0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
81	0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
82	0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
83	0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
84	0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
85	0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
86	0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
87	0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
88	0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
89	0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
90	0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
91	0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
92	0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
93	};
94
95	/** Working procedure of MD5 cryptographic hash function.
96	*
97	* @param h Working array with interim hash parts values.
98	* @param sched_arr Input array with scheduled values from input string.
99	*
100	*/
101	static void md5_proc(uint32_t h, uint32_t sched_arr)
102	{
103	uint32_t f, g, temp;
104	uint32_t w[HASH_MD5 / 4];
105
106	memcpy(w, h, (HASH_MD5 / 4) * sizeof(uint32_t));
107
108	for (size_t k = 0; k < 64; k++) {
109	if (k < 16) {
110	f = (w[1] & w[2]) \| (~w[1] & w[3]);
111	g = k;
112	} else if ((k >= 16) && (k < 32)) {
113	f = (w[1] & w[3]) \| (w[2] & ~w[3]);
114	g = (5 * k + 1) % 16;
115	} else if ((k >= 32) && (k < 48)) {
116	f = w[1] ^ w[2] ^ w[3];
117	g = (3 * k + 5) % 16;
118	} else {
119	f = w[2] ^ (w[1] \| ~w[3]);
120	g = 7 * k % 16;
121	}
122
123	temp = w[3];
124	w[3] = w[2];
125	w[2] = w[1];
126	w[1] += rotl_uint32(w[0] + f + md5_sbox[k] +
127	uint32_t_byteorder_swap(sched_arr[g]),
128	md5_shift[k]);
129	w[0] = temp;
130	}
131
132	for (uint8_t k = 0; k < HASH_MD5 / 4; k++)
133	h[k] += w[k];
134	}
135
136	/** Working procedure of SHA-1 cryptographic hash function.
137	*
138	* @param h Working array with interim hash parts values.
139	* @param sched_arr Input array with scheduled values from input string.
140	*
141	*/
142	static void sha1_proc(uint32_t h, uint32_t sched_arr)
143	{
144	uint32_t f, cf, temp;
145	uint32_t w[HASH_SHA1 / 4];
146
147	for (size_t k = 16; k < 80; k++) {
148	sched_arr[k] = rotl_uint32(
149	sched_arr[k - 3] ^
150	sched_arr[k - 8] ^
151	sched_arr[k - 14] ^
152	sched_arr[k - 16],
153	1);
154	}
155
156	memcpy(w, h, (HASH_SHA1 / 4) * sizeof(uint32_t));
157
158	for (size_t k = 0; k < 80; k++) {
159	if (k < 20) {
160	f = (w[1] & w[2]) \| (~w[1] & w[3]);
161	cf = 0x5A827999;
162	} else if ((k >= 20) && (k < 40)) {
163	f = w[1] ^ w[2] ^ w[3];
164	cf = 0x6ed9eba1;
165	} else if ((k >= 40) && (k < 60)) {
166	f = (w[1] & w[2]) \| (w[1] & w[3]) \| (w[2] & w[3]);
167	cf = 0x8f1bbcdc;
168	} else {
169	f = w[1] ^ w[2] ^ w[3];
170	cf = 0xca62c1d6;
171	}
172
173	temp = rotl_uint32(w[0], 5) + f + w[4] + cf + sched_arr[k];
174
175	w[4] = w[3];
176	w[3] = w[2];
177	w[2] = rotl_uint32(w[1], 30);
178	w[1] = w[0];
179	w[0] = temp;
180	}
181
182	for (uint8_t k = 0; k < HASH_SHA1 / 4; k++)
183	h[k] += w[k];
184	}
185
186	/** Create hash based on selected algorithm.
187	*
188	* @param input Input message byte sequence.
189	* @param input_size Size of message sequence.
190	* @param output Result hash byte sequence.
191	* @param hash_sel Hash function selector.
192	*
193	* @return EINVAL when input not specified,
194	* ENOMEM when pointer for output hash result
195	* is not allocated, otherwise EOK.
196	*
197	*/
198	errno_t create_hash(uint8_t input, size_t input_size, uint8_t output,
199	hash_func_t hash_sel)
200	{
201	assert(input_size < SSIZE_MAX);
202
203	if (!input)
204	return EINVAL;
205
206	if (!output)
207	return ENOMEM;
208
209	hash_fnc_t hash_func = (hash_sel == HASH_MD5) ? md5_proc : sha1_proc;
210
211	/* Prepare scheduled input. */
212	uint8_t work_input[input_size + 1];
213	memcpy(work_input, input, input_size);
214	work_input[input_size] = 0x80;
215
216	// FIXME: double?
217	size_t blocks = ceil_uint32((((double) input_size + 1) / 4 + 2) / 16);
218	uint32_t work_arr[blocks * 16];
219	for (size_t i = 0; i < blocks; i++) {
220	for (size_t j = 0; j < 16; j++) {
221	work_arr[i * 16 + j] =
222	(get_at(work_input, input_size + 1, i * 64 + j * 4) << 24) \|
223	(get_at(work_input, input_size + 1, i * 64 + j * 4 + 1) << 16) \|
224	(get_at(work_input, input_size + 1, i * 64 + j * 4 + 2) << 8) \|
225	get_at(work_input, input_size + 1, i * 64 + j * 4 + 3);
226	}
227	}
228
229	uint64_t bits_size = (uint64_t) (input_size * 8);
230	if (hash_sel == HASH_MD5)
231	bits_size = uint64_t_byteorder_swap(bits_size);
232
233	work_arr[(blocks - 1) * 16 + 14] = bits_size >> 32;
234	work_arr[(blocks - 1) * 16 + 15] = bits_size & 0xffffffff;
235
236	/* Hash computation. */
237	uint32_t h[hash_sel / 4];
238	memcpy(h, hash_init, (hash_sel / 4) * sizeof(uint32_t));
239	uint32_t sched_arr[80];
240	for (size_t i = 0; i < blocks; i++) {
241	for (size_t k = 0; k < 16; k++)
242	sched_arr[k] = work_arr[i * 16 + k];
243
244	hash_func(h, sched_arr);
245	}
246
247	/* Copy hash parts into final result. */
248	for (size_t i = 0; i < hash_sel / 4; i++) {
249	if (hash_sel == HASH_SHA1)
250	h[i] = uint32_t_byteorder_swap(h[i]);
251
252	memcpy(output + i * sizeof(uint32_t), &h[i], sizeof(uint32_t));
253	}
254
255	return EOK;
256	}
257
258	/** Hash-based message authentication code.
259	*
260	* @param key Cryptographic key sequence.
261	* @param key_size Size of key sequence.
262	* @param msg Message sequence.
263	* @param msg_size Size of message sequence.
264	* @param hash Output parameter for result hash.
265	* @param hash_sel Hash function selector.
266	*
267	* @return EINVAL when key or message not specified,
268	* ENOMEM when pointer for output hash result
269	* is not allocated, otherwise EOK.
270	*
271	*/
272	errno_t hmac(uint8_t key, size_t key_size, uint8_t msg, size_t msg_size,
273	uint8_t *hash, hash_func_t hash_sel)
274	{
275	if ((!key) \|\| (!msg))
276	return EINVAL;
277
278	if (!hash)
279	return ENOMEM;
280
281	uint8_t work_key[HMAC_BLOCK_LENGTH];
282	uint8_t o_key_pad[HMAC_BLOCK_LENGTH];
283	uint8_t i_key_pad[HMAC_BLOCK_LENGTH];
284	uint8_t temp_hash[hash_sel];
285	memset(work_key, 0, HMAC_BLOCK_LENGTH);
286
287	if (key_size > HMAC_BLOCK_LENGTH)
288	create_hash(key, key_size, work_key, hash_sel);
289	else
290	memcpy(work_key, key, key_size);
291
292	for (size_t i = 0; i < HMAC_BLOCK_LENGTH; i++) {
293	o_key_pad[i] = work_key[i] ^ 0x5c;
294	i_key_pad[i] = work_key[i] ^ 0x36;
295	}
296
297	uint8_t temp_work[HMAC_BLOCK_LENGTH + max(msg_size, hash_sel)];
298	memcpy(temp_work, i_key_pad, HMAC_BLOCK_LENGTH);
299	memcpy(temp_work + HMAC_BLOCK_LENGTH, msg, msg_size);
300
301	create_hash(temp_work, HMAC_BLOCK_LENGTH + msg_size, temp_hash,
302	hash_sel);
303
304	memcpy(temp_work, o_key_pad, HMAC_BLOCK_LENGTH);
305	memcpy(temp_work + HMAC_BLOCK_LENGTH, temp_hash, hash_sel);
306
307	create_hash(temp_work, HMAC_BLOCK_LENGTH + hash_sel, hash, hash_sel);
308
309	return EOK;
310	}
311
312	/** Password-Based Key Derivation Function 2.
313	*
314	* As defined in RFC 2898, using HMAC-SHA1 with 4096 iterations
315	* and 32 bytes key result used for WPA/WPA2.
316	*
317	* @param pass Password sequence.
318	* @param pass_size Password sequence length.
319	* @param salt Salt sequence to be used with password.
320	* @param salt_size Salt sequence length.
321	* @param hash Output parameter for result hash (32 byte value).
322	*
323	* @return EINVAL when pass or salt not specified,
324	* ENOMEM when pointer for output hash result
325	* is not allocated, otherwise EOK.
326	*
327	*/
328	errno_t pbkdf2(uint8_t pass, size_t pass_size, uint8_t salt, size_t salt_size,
329	uint8_t *hash)
330	{
331	if ((!pass) \|\| (!salt))
332	return EINVAL;
333
334	if (!hash)
335	return ENOMEM;
336
337	uint8_t work_salt[salt_size + 4];
338	memcpy(work_salt, salt, salt_size);
339	uint8_t work_hmac[HASH_SHA1];
340	uint8_t temp_hmac[HASH_SHA1];
341	uint8_t xor_hmac[HASH_SHA1];
342	uint8_t temp_hash[HASH_SHA1 * 2];
343
344	for (size_t i = 0; i < 2; i++) {
345	uint32_t be_i = host2uint32_t_be(i + 1);
346
347	memcpy(work_salt + salt_size, &be_i, 4);
348	hmac(pass, pass_size, work_salt, salt_size + 4,
349	work_hmac, HASH_SHA1);
350	memcpy(xor_hmac, work_hmac, HASH_SHA1);
351
352	for (size_t k = 1; k < 4096; k++) {
353	memcpy(temp_hmac, work_hmac, HASH_SHA1);
354	hmac(pass, pass_size, temp_hmac, HASH_SHA1,
355	work_hmac, HASH_SHA1);
356
357	for (size_t t = 0; t < HASH_SHA1; t++)
358	xor_hmac[t] ^= work_hmac[t];
359	}
360
361	memcpy(temp_hash + i * HASH_SHA1, xor_hmac, HASH_SHA1);
362	}
363
364	memcpy(hash, temp_hash, PBKDF2_KEY_LENGTH);
365
366	return EOK;
367	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: