196 lines
6.0 KiB
C
196 lines
6.0 KiB
C
|
/*
|
||
|
|
* hmac_sha1.c
|
||
|
|
*
|
||
|
|
* Version 1.0.0
|
||
|
|
*
|
||
|
|
* Written by Aaron D. Gifford <me@aarongifford.com>
|
||
|
|
*
|
||
|
|
* Copyright 1998, 2000 Aaron D. Gifford. All rights reserved.
|
||
|
|
*
|
||
|
|
* Redistribution and use in source and binary forms, with or without
|
||
|
|
* modification, are permitted provided that the following conditions
|
||
|
|
* are met:
|
||
|
|
* 1. Redistributions of source code must retain the above copyright
|
||
|
|
* notice, this list of conditions and the following disclaimer.
|
||
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||
|
|
* notice, this list of conditions and the following disclaimer in the
|
||
|
|
* documentation and/or other materials provided with the distribution.
|
||
|
|
* 3. Neither the name of the copyright holder nor the names of contributors
|
||
|
|
* may be used to endorse or promote products derived from this software
|
||
|
|
* without specific prior written permission.
|
||
|
|
*
|
||
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTORS ``AS IS'' AND
|
||
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTORS BE LIABLE
|
||
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
|
|
* SUCH DAMAGE.
|
||
|
|
*/
|
||
|
|
|
||
|
|
/*
|
||
|
|
* The HMAC-SHA256 has is defined as:
|
||
|
|
*
|
||
|
|
* HMAC = SHA256(K XOR opad, SHA256(K XOR ipad, message))
|
||
|
|
*
|
||
|
|
* "opad" is 64 bytes filled with 0x5c
|
||
|
|
* "ipad" is 64 bytes filled with 0x36
|
||
|
|
* "K" is the key material
|
||
|
|
*
|
||
|
|
* If the key material "K" is longer than 64 bytes, then the key material
|
||
|
|
* will first be digested (K = SHA1(K)) resulting in a 20-byte hash.
|
||
|
|
* If the key material is shorter than 64 bytes, it is padded with zero
|
||
|
|
* bytes.
|
||
|
|
*
|
||
|
|
* This code precomputes "K XOR ipad" and "K XOR opad" since that just makes
|
||
|
|
* sense.
|
||
|
|
*
|
||
|
|
* This code was heavily influenced by Eric A. Young's in how the interface
|
||
|
|
* was designed and how this file is formatted.
|
||
|
|
*/
|
||
|
|
|
||
|
|
#ifndef __HMAC_SHA256_H__
|
||
|
|
#define __HMAC_SHA256_H__
|
||
|
|
|
||
|
|
#include "hmac_sha256.h"
|
||
|
|
#include <string.h>
|
||
|
|
|
||
|
|
#ifdef __cplusplus
|
||
|
|
extern "C" {
|
||
|
|
#endif
|
||
|
|
|
||
|
|
/* Filler bytes: */
|
||
|
|
#define IPAD_BYTE 0x36
|
||
|
|
#define OPAD_BYTE 0x5c
|
||
|
|
#define ZERO_BYTE 0x00
|
||
|
|
|
||
|
|
void HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx) {
|
||
|
|
memset(&(ctx->key[0]), ZERO_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
memset(&(ctx->ipad[0]), IPAD_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
memset(&(ctx->opad[0]), OPAD_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
ctx->keylen = 0;
|
||
|
|
ctx->hashkey = 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_UpdateKey(HMAC_SHA256_CTX *ctx, unsigned char *key, unsigned int keylen) {
|
||
|
|
|
||
|
|
/* Do we have anything to work with? If not, return right away. */
|
||
|
|
if (keylen < 1)
|
||
|
|
return;
|
||
|
|
|
||
|
|
/*
|
||
|
|
* Is the total key length (current data and any previous data)
|
||
|
|
* longer than the hash block length?
|
||
|
|
*/
|
||
|
|
if (ctx->hashkey !=0 || (keylen + ctx->keylen) > HMAC_SHA256_BLOCK_LENGTH) {
|
||
|
|
/*
|
||
|
|
* Looks like the key data exceeds the hash block length,
|
||
|
|
* so that means we use a hash of the key as the key data
|
||
|
|
* instead.
|
||
|
|
*/
|
||
|
|
if (ctx->hashkey == 0) {
|
||
|
|
/*
|
||
|
|
* Ah, we haven't started hashing the key
|
||
|
|
* data yet, so we must init. the hash
|
||
|
|
* monster to begin feeding it.
|
||
|
|
*/
|
||
|
|
|
||
|
|
/* Set the hash key flag to true (non-zero) */
|
||
|
|
ctx->hashkey = 1;
|
||
|
|
|
||
|
|
/* Init. the hash beastie... */
|
||
|
|
SHA256_Init(&ctx->shactx);
|
||
|
|
|
||
|
|
/* If there's any previous key data, use it */
|
||
|
|
if (ctx->keylen > 0) {
|
||
|
|
SHA256_Update(&ctx->shactx, &(ctx->key[0]), ctx->keylen);
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
* Reset the key length to the future true
|
||
|
|
* key length, HMAC_SHA256_DIGEST_LENGTH
|
||
|
|
*/
|
||
|
|
ctx->keylen = HMAC_SHA256_DIGEST_LENGTH;
|
||
|
|
}
|
||
|
|
/* Now feed the latest key data to the has monster */
|
||
|
|
SHA256_Update(&ctx->shactx, key, keylen);
|
||
|
|
} else {
|
||
|
|
/*
|
||
|
|
* Key data length hasn't yet exceeded the hash
|
||
|
|
* block length (HMAC_SHA1_BLOCK_LENGTH), so theres
|
||
|
|
* no need to hash the key data (yet). Copy it
|
||
|
|
* into the key buffer.
|
||
|
|
*/
|
||
|
|
memcpy(&(ctx->key[ctx->keylen]), key, keylen);
|
||
|
|
ctx->keylen += keylen;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_EndKey(HMAC_SHA256_CTX *ctx) {
|
||
|
|
unsigned char *ipad, *opad, *key;
|
||
|
|
int i;
|
||
|
|
unsigned int j;
|
||
|
|
|
||
|
|
/* Did we end up hashing the key? */
|
||
|
|
if (ctx->hashkey) {
|
||
|
|
memset(&(ctx->key[0]), ZERO_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
/* Yes, so finish up and copy the key data */
|
||
|
|
SHA256_Final(&(ctx->key[0]), &ctx->shactx);
|
||
|
|
/* ctx->keylen was already set correctly */
|
||
|
|
}
|
||
|
|
/* Pad the key if necessary with zero bytes */
|
||
|
|
if ((i = HMAC_SHA256_BLOCK_LENGTH - ctx->keylen) > 0) {
|
||
|
|
memset(&(ctx->key[ctx->keylen]), ZERO_BYTE, i);
|
||
|
|
}
|
||
|
|
|
||
|
|
ipad = &(ctx->ipad[0]);
|
||
|
|
opad = &(ctx->opad[0]);
|
||
|
|
|
||
|
|
/* Precompute the respective pads XORed with the key */
|
||
|
|
key = &(ctx->key[0]);
|
||
|
|
for (j = 0; j < ctx->keylen; j++, key++) {
|
||
|
|
/* XOR the key byte with the appropriate pad filler byte */
|
||
|
|
*ipad++ ^= *key;
|
||
|
|
*opad++ ^= *key;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_StartMessage(HMAC_SHA256_CTX *ctx) {
|
||
|
|
SHA256_Init(&ctx->shactx);
|
||
|
|
SHA256_Update(&ctx->shactx, &(ctx->ipad[0]), HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_UpdateMessage(HMAC_SHA256_CTX *ctx, unsigned char *data, unsigned int datalen) {
|
||
|
|
SHA256_Update(&ctx->shactx, data, datalen);
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_EndMessage(unsigned char *out, HMAC_SHA256_CTX *ctx) {
|
||
|
|
unsigned char buf[HMAC_SHA256_DIGEST_LENGTH];
|
||
|
|
SHA256_CTX *c = &ctx->shactx;
|
||
|
|
|
||
|
|
SHA256_Final(&(buf[0]), c);
|
||
|
|
SHA256_Init(c);
|
||
|
|
SHA256_Update(c, &(ctx->opad[0]), HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
SHA256_Update(c, buf, HMAC_SHA256_DIGEST_LENGTH);
|
||
|
|
SHA256_Final(out, c);
|
||
|
|
}
|
||
|
|
|
||
|
|
void HMAC_SHA256_Done(HMAC_SHA256_CTX *ctx) {
|
||
|
|
/* Just to be safe, toast all context data */
|
||
|
|
memset(&(ctx->ipad[0]), ZERO_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
memset(&(ctx->ipad[0]), ZERO_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
memset(&(ctx->key[0]), ZERO_BYTE, HMAC_SHA256_BLOCK_LENGTH);
|
||
|
|
ctx->keylen = 0;
|
||
|
|
ctx->hashkey = 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
#ifdef __cplusplus
|
||
|
|
}
|
||
|
|
#endif
|
||
|
|
|
||
|
|
#endif
|