/* hmac.h * * Copyright (C) 2006-2015 wolfSSL Inc. * * This file is part of wolfSSL. (formerly known as CyaSSL) * * wolfSSL is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * wolfSSL is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ #ifdef HAVE_CONFIG_H #include #endif #include #ifndef NO_HMAC #include #ifdef HAVE_FIPS /* does init */ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz) { return HmacSetKey_fips(hmac, type, key, keySz); } int wc_HmacUpdate(Hmac* hmac, const byte* in, word32 sz) { return HmacUpdate_fips(hmac, in, sz); } int wc_HmacFinal(Hmac* hmac, byte* out) { return HmacFinal_fips(hmac, out); } #ifdef HAVE_CAVIUM int wc_HmacInitCavium(Hmac* hmac, int i) { return HmacInitCavium(hmac, i); } void wc_HmacFreeCavium(Hmac* hmac) { HmacFreeCavium(hmac); } #endif int wolfSSL_GetHmacMaxSize(void) { return CyaSSL_GetHmacMaxSize(); } #ifdef HAVE_HKDF int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, const byte* info, word32 infoSz, byte* out, word32 outSz) { return HKDF(type, inKey, inKeySz, salt, saltSz, info, infoSz, out, outSz); } #endif /* HAVE_HKDF */ #else /* else build without fips */ #ifdef WOLFSSL_PIC32MZ_HASH #define wc_InitMd5 wc_InitMd5_sw #define wc_Md5Update wc_Md5Update_sw #define wc_Md5Final wc_Md5Final_sw #define wc_InitSha wc_InitSha_sw #define wc_ShaUpdate wc_ShaUpdate_sw #define wc_ShaFinal wc_ShaFinal_sw #define wc_InitSha256 wc_InitSha256_sw #define wc_Sha256Update wc_Sha256Update_sw #define wc_Sha256Final wc_Sha256Final_sw #endif #ifdef HAVE_FIPS /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */ #define FIPS_NO_WRAPPERS #endif #include #ifdef HAVE_CAVIUM static void HmacCaviumFinal(Hmac* hmac, byte* hash); static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length); static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, word32 length); #endif static int InitHmac(Hmac* hmac, int type) { int ret = 0; hmac->innerHashKeyed = 0; hmac->macType = (byte)type; if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384 || type == SHA512 || type == BLAKE2B_ID)) return BAD_FUNC_ARG; switch (type) { #ifndef NO_MD5 case MD5: wc_InitMd5(&hmac->hash.md5); break; #endif #ifndef NO_SHA case SHA: ret = wc_InitSha(&hmac->hash.sha); break; #endif #ifndef NO_SHA256 case SHA256: ret = wc_InitSha256(&hmac->hash.sha256); break; #endif #ifdef WOLFSSL_SHA384 case SHA384: ret = wc_InitSha384(&hmac->hash.sha384); break; #endif #ifdef WOLFSSL_SHA512 case SHA512: ret = wc_InitSha512(&hmac->hash.sha512); break; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_InitBlake2b(&hmac->hash.blake2b, BLAKE2B_256); break; #endif default: return BAD_FUNC_ARG; } return ret; } int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) { byte* ip = (byte*) hmac->ipad; byte* op = (byte*) hmac->opad; word32 i, hmac_block_size = 0; int ret; #ifdef HAVE_CAVIUM if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC) return HmacCaviumSetKey(hmac, type, key, length); #endif ret = InitHmac(hmac, type); if (ret != 0) return ret; #ifdef HAVE_FIPS if (length < HMAC_FIPS_MIN_KEY) return HMAC_MIN_KEYLEN_E; #endif switch (hmac->macType) { #ifndef NO_MD5 case MD5: { hmac_block_size = MD5_BLOCK_SIZE; if (length <= MD5_BLOCK_SIZE) { XMEMCPY(ip, key, length); } else { wc_Md5Update(&hmac->hash.md5, key, length); wc_Md5Final(&hmac->hash.md5, ip); length = MD5_DIGEST_SIZE; } } break; #endif #ifndef NO_SHA case SHA: { hmac_block_size = SHA_BLOCK_SIZE; if (length <= SHA_BLOCK_SIZE) { XMEMCPY(ip, key, length); } else { wc_ShaUpdate(&hmac->hash.sha, key, length); wc_ShaFinal(&hmac->hash.sha, ip); length = SHA_DIGEST_SIZE; } } break; #endif #ifndef NO_SHA256 case SHA256: { hmac_block_size = SHA256_BLOCK_SIZE; if (length <= SHA256_BLOCK_SIZE) { XMEMCPY(ip, key, length); } else { ret = wc_Sha256Update(&hmac->hash.sha256, key, length); if (ret != 0) return ret; ret = wc_Sha256Final(&hmac->hash.sha256, ip); if (ret != 0) return ret; length = SHA256_DIGEST_SIZE; } } break; #endif #ifdef WOLFSSL_SHA384 case SHA384: { hmac_block_size = SHA384_BLOCK_SIZE; if (length <= SHA384_BLOCK_SIZE) { XMEMCPY(ip, key, length); } else { ret = wc_Sha384Update(&hmac->hash.sha384, key, length); if (ret != 0) return ret; ret = wc_Sha384Final(&hmac->hash.sha384, ip); if (ret != 0) return ret; length = SHA384_DIGEST_SIZE; } } break; #endif #ifdef WOLFSSL_SHA512 case SHA512: { hmac_block_size = SHA512_BLOCK_SIZE; if (length <= SHA512_BLOCK_SIZE) { XMEMCPY(ip, key, length); } else { ret = wc_Sha512Update(&hmac->hash.sha512, key, length); if (ret != 0) return ret; ret = wc_Sha512Final(&hmac->hash.sha512, ip); if (ret != 0) return ret; length = SHA512_DIGEST_SIZE; } } break; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: { hmac_block_size = BLAKE2B_BLOCKBYTES; if (length <= BLAKE2B_BLOCKBYTES) { XMEMCPY(ip, key, length); } else { ret = wc_Blake2bUpdate(&hmac->hash.blake2b, key, length); if (ret != 0) return ret; ret = wc_Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256); if (ret != 0) return ret; length = BLAKE2B_256; } } break; #endif default: return BAD_FUNC_ARG; } if (length < hmac_block_size) XMEMSET(ip + length, 0, hmac_block_size - length); for(i = 0; i < hmac_block_size; i++) { op[i] = ip[i] ^ OPAD; ip[i] ^= IPAD; } return 0; } static int HmacKeyInnerHash(Hmac* hmac) { int ret = 0; switch (hmac->macType) { #ifndef NO_MD5 case MD5: wc_Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, MD5_BLOCK_SIZE); break; #endif #ifndef NO_SHA case SHA: wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE); break; #endif #ifndef NO_SHA256 case SHA256: ret = wc_Sha256Update(&hmac->hash.sha256, (byte*) hmac->ipad, SHA256_BLOCK_SIZE); if (ret != 0) return ret; break; #endif #ifdef WOLFSSL_SHA384 case SHA384: ret = wc_Sha384Update(&hmac->hash.sha384, (byte*) hmac->ipad, SHA384_BLOCK_SIZE); if (ret != 0) return ret; break; #endif #ifdef WOLFSSL_SHA512 case SHA512: ret = wc_Sha512Update(&hmac->hash.sha512, (byte*) hmac->ipad, SHA512_BLOCK_SIZE); if (ret != 0) return ret; break; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*) hmac->ipad,BLAKE2B_BLOCKBYTES); if (ret != 0) return ret; break; #endif default: break; } hmac->innerHashKeyed = 1; return ret; } int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length) { int ret; #ifdef HAVE_CAVIUM if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC) return HmacCaviumUpdate(hmac, msg, length); #endif if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case MD5: wc_Md5Update(&hmac->hash.md5, msg, length); break; #endif #ifndef NO_SHA case SHA: wc_ShaUpdate(&hmac->hash.sha, msg, length); break; #endif #ifndef NO_SHA256 case SHA256: ret = wc_Sha256Update(&hmac->hash.sha256, msg, length); if (ret != 0) return ret; break; #endif #ifdef WOLFSSL_SHA384 case SHA384: ret = wc_Sha384Update(&hmac->hash.sha384, msg, length); if (ret != 0) return ret; break; #endif #ifdef WOLFSSL_SHA512 case SHA512: ret = wc_Sha512Update(&hmac->hash.sha512, msg, length); if (ret != 0) return ret; break; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: ret = wc_Blake2bUpdate(&hmac->hash.blake2b, msg, length); if (ret != 0) return ret; break; #endif default: break; } return 0; } int wc_HmacFinal(Hmac* hmac, byte* hash) { int ret; #ifdef HAVE_CAVIUM if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC) return HmacCaviumFinal(hmac, hash); #endif if (!hmac->innerHashKeyed) { ret = HmacKeyInnerHash(hmac); if (ret != 0) return ret; } switch (hmac->macType) { #ifndef NO_MD5 case MD5: { wc_Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash); wc_Md5Update(&hmac->hash.md5, (byte*) hmac->opad, MD5_BLOCK_SIZE); wc_Md5Update(&hmac->hash.md5, (byte*) hmac->innerHash, MD5_DIGEST_SIZE); wc_Md5Final(&hmac->hash.md5, hash); } break; #endif #ifndef NO_SHA case SHA: { wc_ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash); wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, SHA_BLOCK_SIZE); wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->innerHash, SHA_DIGEST_SIZE); wc_ShaFinal(&hmac->hash.sha, hash); } break; #endif #ifndef NO_SHA256 case SHA256: { ret = wc_Sha256Final(&hmac->hash.sha256, (byte*) hmac->innerHash); if (ret != 0) return ret; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*) hmac->opad, SHA256_BLOCK_SIZE); if (ret != 0) return ret; ret = wc_Sha256Update(&hmac->hash.sha256, (byte*) hmac->innerHash, SHA256_DIGEST_SIZE); if (ret != 0) return ret; ret = wc_Sha256Final(&hmac->hash.sha256, hash); if (ret != 0) return ret; } break; #endif #ifdef WOLFSSL_SHA384 case SHA384: { ret = wc_Sha384Final(&hmac->hash.sha384, (byte*) hmac->innerHash); if (ret != 0) return ret; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*) hmac->opad, SHA384_BLOCK_SIZE); if (ret != 0) return ret; ret = wc_Sha384Update(&hmac->hash.sha384, (byte*) hmac->innerHash, SHA384_DIGEST_SIZE); if (ret != 0) return ret; ret = wc_Sha384Final(&hmac->hash.sha384, hash); if (ret != 0) return ret; } break; #endif #ifdef WOLFSSL_SHA512 case SHA512: { ret = wc_Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash); if (ret != 0) return ret; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*) hmac->opad, SHA512_BLOCK_SIZE); if (ret != 0) return ret; ret = wc_Sha512Update(&hmac->hash.sha512, (byte*) hmac->innerHash, SHA512_DIGEST_SIZE); if (ret != 0) return ret; ret = wc_Sha512Final(&hmac->hash.sha512, hash); if (ret != 0) return ret; } break; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: { ret = wc_Blake2bFinal(&hmac->hash.blake2b, (byte*) hmac->innerHash, BLAKE2B_256); if (ret != 0) return ret; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*) hmac->opad, BLAKE2B_BLOCKBYTES); if (ret != 0) return ret; ret = wc_Blake2bUpdate(&hmac->hash.blake2b, (byte*) hmac->innerHash, BLAKE2B_256); if (ret != 0) return ret; ret = wc_Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256); if (ret != 0) return ret; } break; #endif default: break; } hmac->innerHashKeyed = 0; return 0; } #ifdef HAVE_CAVIUM /* Initiliaze Hmac for use with Nitrox device */ int wc_HmacInitCavium(Hmac* hmac, int devId) { if (hmac == NULL) return -1; if (CspAllocContext(CONTEXT_SSL, &hmac->contextHandle, devId) != 0) return -1; hmac->keyLen = 0; hmac->dataLen = 0; hmac->type = 0; hmac->devId = devId; hmac->magic = WOLFSSL_HMAC_CAVIUM_MAGIC; hmac->data = NULL; /* buffered input data */ hmac->innerHashKeyed = 0; return 0; } /* Free Hmac from use with Nitrox device */ void wc_HmacFreeCavium(Hmac* hmac) { if (hmac == NULL) return; CspFreeContext(CONTEXT_SSL, hmac->contextHandle, hmac->devId); hmac->magic = 0; XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP); hmac->data = NULL; } static void HmacCaviumFinal(Hmac* hmac, byte* hash) { word32 requestId; if (CspHmac(CAVIUM_BLOCKING, hmac->type, NULL, hmac->keyLen, (byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId, hmac->devId) != 0) { WOLFSSL_MSG("Cavium Hmac failed"); } hmac->innerHashKeyed = 0; /* tell update to start over if used again */ } static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) { word16 add = (word16)length; word32 total; byte* tmp; if (length > WOLFSSL_MAX_16BIT) { WOLFSSL_MSG("Too big msg for cavium hmac"); return; } if (hmac->innerHashKeyed == 0) { /* starting new */ hmac->dataLen = 0; hmac->innerHashKeyed = 1; } total = add + hmac->dataLen; if (total > WOLFSSL_MAX_16BIT) { WOLFSSL_MSG("Too big msg for cavium hmac"); return; } tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP); if (tmp == NULL) { WOLFSSL_MSG("Out of memory for cavium update"); return; } if (hmac->dataLen) XMEMCPY(tmp, hmac->data, hmac->dataLen); XMEMCPY(tmp + hmac->dataLen, msg, add); hmac->dataLen += add; XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP); hmac->data = tmp; } static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, word32 length) { hmac->macType = (byte)type; if (type == MD5) hmac->type = MD5_TYPE; else if (type == SHA) hmac->type = SHA1_TYPE; else if (type == SHA256) hmac->type = SHA256_TYPE; else { WOLFSSL_MSG("unsupported cavium hmac type"); } hmac->innerHashKeyed = 0; /* should we key Startup flag */ hmac->keyLen = (word16)length; /* store key in ipad */ XMEMCPY(hmac->ipad, key, length); } #endif /* HAVE_CAVIUM */ int wolfSSL_GetHmacMaxSize(void) { return MAX_DIGEST_SIZE; } #ifdef HAVE_HKDF #ifdef min #define WOLFSSL_HAVE_MIN #endif #ifndef WOLFSSL_HAVE_MIN #define WOLFSSL_HAVE_MIN static INLINE word32 min(word32 a, word32 b) { return a > b ? b : a; } #endif /* WOLFSSL_HAVE_MIN */ static INLINE int GetHashSizeByType(int type) { if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384 || type == SHA512 || type == BLAKE2B_ID)) return BAD_FUNC_ARG; switch (type) { #ifndef NO_MD5 case MD5: return MD5_DIGEST_SIZE; #endif #ifndef NO_SHA case SHA: return SHA_DIGEST_SIZE; #endif #ifndef NO_SHA256 case SHA256: return SHA256_DIGEST_SIZE; #endif #ifdef WOLFSSL_SHA384 case SHA384: return SHA384_DIGEST_SIZE; #endif #ifdef WOLFSSL_SHA512 case SHA512: return SHA512_DIGEST_SIZE; #endif #ifdef HAVE_BLAKE2 case BLAKE2B_ID: return BLAKE2B_OUTBYTES; #endif default: return BAD_FUNC_ARG; } } /* HMAC-KDF with hash type, optional salt and info, return 0 on success */ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, const byte* info, word32 infoSz, byte* out, word32 outSz) { Hmac myHmac; #ifdef WOLFSSL_SMALL_STACK byte* tmp; byte* prk; #else byte tmp[MAX_DIGEST_SIZE]; /* localSalt helper and T */ byte prk[MAX_DIGEST_SIZE]; #endif const byte* localSalt; /* either points to user input or tmp */ int hashSz = GetHashSizeByType(type); word32 outIdx = 0; byte n = 0x1; int ret; if (hashSz < 0) return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) return MEMORY_E; prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (prk == NULL) { XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif localSalt = salt; if (localSalt == NULL) { XMEMSET(tmp, 0, hashSz); localSalt = tmp; saltSz = hashSz; } do { ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); if (ret != 0) break; ret = wc_HmacFinal(&myHmac, prk); } while (0); if (ret == 0) { while (outIdx < outSz) { int tmpSz = (n == 1) ? 0 : hashSz; word32 left = outSz - outIdx; ret = wc_HmacSetKey(&myHmac, type, prk, hashSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, tmp, tmpSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, info, infoSz); if (ret != 0) break; ret = wc_HmacUpdate(&myHmac, &n, 1); if (ret != 0) break; ret = wc_HmacFinal(&myHmac, tmp); if (ret != 0) break; left = min(left, (word32)hashSz); XMEMCPY(out+outIdx, tmp, left); outIdx += hashSz; n++; } } #ifdef WOLFSSL_SMALL_STACK XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(prk, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } #endif /* HAVE_HKDF */ #endif /* HAVE_FIPS */ #endif /* NO_HMAC */