stun: Use libgcrypt for SHA1 support

Now that libstun depends on libgcrypt, we might as well use its SHA1 hash
support, rather than carrying around our own.

Differential Revision: https://phabricator.freedesktop.org/D1612

4 files changed, 18 insertions, 533 deletions

diff --git a/stun/Makefile.am b/stun/Makefile.am
index 77b884e..f532616 100644
--- a/stun/Makefile.am
+++ b/stun/Makefile.am
@@ -29,7 +29,6 @@ libstun_la_SOURCES = constants.h \
 	stunmessage.c stunmessage.h \
 	stun5389.c stun5389.h \
 	stuncrc32.c stuncrc32.h \
-	sha1.c sha1.h \
 	rand.c rand.h \
 	stunhmac.c stunhmac.h \
 	utils.c  utils.h \
diff --git a/stun/sha1.c b/stun/sha1.c
deleted file mode 100644
index 6c95d27..0000000
--- a/stun/sha1.c
+++ /dev/null
@@ -1,457 +0,0 @@
-/*
- * SHA1 hash implementation and interface functions
- * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Alternatively, this software may be distributed under the terms of BSD
- * license.
- *
- * See README and COPYING for more details.
- */
-
-#include "sha1.h"
-
-#include <string.h>
-
-
-/* ===== start - public domain SHA1 implementation ===== */
-
-/*
-SHA-1 in C
-By Steve Reid <sreid@sea-to-sky.net>
-100% Public Domain
-
------------------
-Modified 7/98 
-By James H. Brown <jbrown@burgoyne.com>
-Still 100% Public Domain
-
-Corrected a problem which generated improper hash values on 16 bit machines
-Routine SHA1Update changed from
-	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int
-len)
-to
-	void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned
-long len)
-
-The 'len' parameter was declared an int which works fine on 32 bit machines.
-However, on 16 bit machines an int is too small for the shifts being done
-against
-it.  This caused the hash function to generate incorrect values if len was
-greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update().
-
-Since the file IO in main() reads 16K at a time, any file 8K or larger would
-be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million
-"a"s).
-
-I also changed the declaration of variables i & j in SHA1Update to 
-unsigned long from unsigned int for the same reason.
-
-These changes should make no difference to any 32 bit implementations since
-an
-int and a long are the same size in those environments.
-
---
-I also corrected a few compiler warnings generated by Borland C.
-1. Added #include <process.h> for exit() prototype
-2. Removed unused variable 'j' in SHA1Final
-3. Changed exit(0) to return(0) at end of main.
-
-ALL changes I made can be located by searching for comments containing 'JHB'
------------------
-Modified 8/98
-By Steve Reid <sreid@sea-to-sky.net>
-Still 100% public domain
-
-1- Removed #include <process.h> and used return() instead of exit()
-2- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall)
-3- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net
-
------------------
-Modified 4/01
-By Saul Kravitz <Saul.Kravitz@celera.com>
-Still 100% PD
-Modified to run on Compaq Alpha hardware.  
-
------------------
-Modified 4/01
-By Jouni Malinen <j@w1.fi>
-Minor changes to match the coding style used in Dynamics.
-
-Modified September 24, 2004
-By Jouni Malinen <j@w1.fi>
-Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined.
-
-*/
-
-/*
-Test Vectors (from FIPS PUB 180-1)
-"abc"
-  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
-"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
-A million repetitions of "a"
-  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
-*/
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/* blk0() and blk() perform the initial expand. */
-/* I got the idea of expanding during the round function from SSLeay */
-#define blk0(i) (block->l[i] = blk0_endiansafe (block->l[i]))
-
-#define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \
-	block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1))
-
-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
-#define R0(v,w,x,y,z,i) \
-	z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
-	w = rol(w, 30);
-#define R1(v,w,x,y,z,i) \
-	z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
-	w = rol(w, 30);
-#define R2(v,w,x,y,z,i) \
-	z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30);
-#define R3(v,w,x,y,z,i) \
-	z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
-	w = rol(w, 30);
-#define R4(v,w,x,y,z,i) \
-	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
-	w=rol(w, 30);
-
-static void SHA1Transform(uint32_t state[5], const unsigned char buffer[64]);
-/* Hash a single 512-bit block. This is the core of the algorithm. */
-
-static int am_big_endian(void)
-{
-  long one= 1;
-  return !(*((char *)(&one)));
-}
-
-static uint32_t blk0_endiansafe (uint32_t l)
-{
-  if (am_big_endian ())
-    return l;
-  else
-    return (rol(l, 24) & 0xFF00FF00) | (rol(l, 8) & 0x00FF00FF);
-}
-
-static void SHA1Transform(uint32_t state[5], const unsigned char buffer[64])
-{
-  uint32_t a, b, c, d, e;
-  typedef union {
-    uint8_t c[64];
-    uint32_t l[16];
-  } CHAR64LONG16;
-  CHAR64LONG16* block;
-  uint8_t workspace[64];
-  block = (CHAR64LONG16 *) workspace;
-  memcpy(block, buffer, 64);
-
-  /* Copy context->state[] to working vars */
-  a = state[0];
-  b = state[1];
-  c = state[2];
-  d = state[3];
-  e = state[4];
-  /* 4 rounds of 20 operations each. Loop unrolled. */
-  R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-  R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-  R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-  R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-  R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-  R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-  R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-  R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-  R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-  R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-  R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-  R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-  R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-  R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-  R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-  R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-  R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-  R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-  R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-  R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-  /* Add the working vars back into context.state[] */
-  state[0] += a;
-  state[1] += b;
-  state[2] += c;
-  state[3] += d;
-  state[4] += e;
-  /* Wipe variables */
-  a = b = c = d = e = 0;
-  memset(block, 0, 64);
-}
-
-
-/* SHA1Init - Initialize new context */
-
-void SHA1Init(SHA1_CTX* context)
-{
-  /* SHA1 initialization constants */
-  context->state[0] = 0x67452301;
-  context->state[1] = 0xEFCDAB89;
-  context->state[2] = 0x98BADCFE;
-  context->state[3] = 0x10325476;
-  context->state[4] = 0xC3D2E1F0;
-  context->count[0] = context->count[1] = 0;
-}
-
-
-/* Run your data through this. */
-
-void SHA1Update(SHA1_CTX* context, const void *_data, uint32_t len)
-{
-  uint32_t i, j;
-  const unsigned char *data = _data;
-
-  j = (context->count[0] >> 3) & 63;
-  if ((context->count[0] += len << 3) < (len << 3))
-    context->count[1]++;
-  context->count[1] += (len >> 29);
-  if ((j + len) > 63) {
-    memcpy(&context->buffer[j], data, (i = 64-j));
-    SHA1Transform(context->state, context->buffer);
-    for ( ; i + 63 < len; i += 64) {
-      SHA1Transform(context->state, &data[i]);
-    }
-    j = 0;
-  }
-  else i = 0;
-  memcpy(&context->buffer[j], &data[i], len - i);
-}
-
-
-/* Add padding and return the message digest. */
-
-void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
-{
-  uint32_t i;
-  unsigned char finalcount[8];
-
-  for (i = 0; i < 8; i++) {
-    finalcount[i] = (unsigned char)
-        ((context->count[(i >= 4 ? 0 : 1)] >>
-            ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
-  }
-  SHA1Update(context, (unsigned char *) "\200", 1);
-  while ((context->count[0] & 504) != 448) {
-    SHA1Update(context, (unsigned char *) "\0", 1);
-  }
-  SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform()
-					      */
-  for (i = 0; i < 20; i++) {
-    digest[i] = (unsigned char)
-        ((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) &
-            255);
-  }
-  /* Wipe variables */
-  i = 0;
-  memset(context->buffer, 0, 64);
-  memset(context->state, 0, 20);
-  memset(context->count, 0, 8);
-  memset(finalcount, 0, 8);
-}
-
-/* ===== end - public domain SHA1 implementation ===== */
-
-
-void HMACInit(HMAC_CTX* context, const uint8_t *key, size_t key_len)
-{
-  unsigned char ipad[64]; /* padding - key XORd with ipad */
-  unsigned char tk[20];
-  size_t i;
-
-  /* if key is longer than 64 bytes reset it to key = SHA1(key) */
-  if (key_len > 64) {
-    SHA1_CTX sha1_ctx;
-
-    SHA1Init(&sha1_ctx);
-    SHA1Update(&sha1_ctx, key, key_len);
-    SHA1Final(tk, &sha1_ctx);
-
-    key = tk;
-    key_len = 20;
-  }
-
-  /* start out by storing key in ipad */
-  memset(ipad, 0, sizeof(ipad));
-  memcpy(ipad, key, key_len);
-
-  /* XOR key with ipad values */
-  for (i = 0; i < 64; i++)
-    ipad[i] ^= 0x36;
-
-  /* Store the key in our context */
-  memcpy(context->key, key, key_len);
-  context->key_len = key_len;
-
-  SHA1Init (&context->context);
-  SHA1Update (&context->context, ipad, sizeof(ipad));
-}
-
-void HMACUpdate(HMAC_CTX *context, const void *data, uint32_t len)
-{
-  SHA1Update (&context->context, data, len);
-}
-
-void HMACFinal(unsigned char digest[20], HMAC_CTX *context)
-{
-
-  unsigned char opad[64]; /* padding - key XORd with opad */
-  unsigned char sha1_digest[SHA1_MAC_LEN];
-  size_t i;
-  SHA1_CTX outer_sha1_ctx;
-
-  SHA1Final (sha1_digest, &context->context);
-
-  memset(opad, 0, sizeof(opad));
-  memcpy(opad, context->key, context->key_len);
-
-  /* XOR key with opad values */
-  for (i = 0; i < 64; i++)
-    opad[i] ^= 0x5c;
-
-  /* perform outer SHA1 */
-  SHA1Init(&outer_sha1_ctx);
-  SHA1Update(&outer_sha1_ctx, opad, 64);
-  SHA1Update(&outer_sha1_ctx, sha1_digest, SHA1_MAC_LEN);
-  SHA1Final(digest, &outer_sha1_ctx);
-}
-
-
-/**
- * hmac_sha1_vector:
- * @key: Key for HMAC operations
- * @key_len: Length of the key in bytes
- * @num_elem: Number of elements in the data vector
- * @addr: Pointers to the data areas
- * @len: Lengths of the data blocks
- * @mac: Buffer for the hash (20 bytes)
- *
- * HMAC-SHA1 over data vector (RFC 2104)
- */
-void hmac_sha1_vector(const uint8_t *key, size_t key_len, size_t num_elem,
-    const uint8_t *addr[], const size_t *len, uint8_t *mac)
-{
-  unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
-  unsigned char tk[20];
-  size_t i;
-  SHA1_CTX sha1_ctx;
-
-  /* if key is longer than 64 bytes reset it to key = SHA1(key) */
-  if (key_len > 64) {
-    SHA1Init(&sha1_ctx);
-    SHA1Update(&sha1_ctx, key, key_len);
-    SHA1Final(tk, &sha1_ctx);
-
-    key = tk;
-    key_len = 20;
-  }
-
-  /* the HMAC_SHA1 transform looks like:
-   *
-   * SHA1(K XOR opad, SHA1(K XOR ipad, text))
-   *
-   * where K is an n byte key
-   * ipad is the byte 0x36 repeated 64 times
-   * opad is the byte 0x5c repeated 64 times
-   * and text is the data being protected */
-
-  /* start out by storing key in ipad */
-  memset(k_pad, 0, sizeof(k_pad));
-  memcpy(k_pad, key, key_len);
-  /* XOR key with ipad values */
-  for (i = 0; i < 64; i++)
-    k_pad[i] ^= 0x36;
-
-  /* perform inner SHA1 */
-  SHA1Init(&sha1_ctx);
-  SHA1Update(&sha1_ctx, k_pad, 64);
-  for (i = 0; i < num_elem; i++)
-    SHA1Update(&sha1_ctx, addr[i], len[i]);
-  SHA1Final(mac, &sha1_ctx);
-
-  memset(k_pad, 0, sizeof(k_pad));
-  memcpy(k_pad, key, key_len);
-  /* XOR key with opad values */
-  for (i = 0; i < 64; i++)
-    k_pad[i] ^= 0x5c;
-
-  /* perform outer SHA1 */
-  SHA1Init(&sha1_ctx);
-  SHA1Update(&sha1_ctx, k_pad, 64);
-  SHA1Update(&sha1_ctx, mac, SHA1_MAC_LEN);
-  SHA1Final(mac, &sha1_ctx);
-}
-
-
-/**
- * hmac_sha1:
- * @key: Key for HMAC operations
- * @key_len: Length of the key in bytes
- * @data: Pointers to the data area
- * @data_len: Length of the data area
- * @mac: Buffer for the hash (20 bytes)
- *
- * HMAC-SHA1 over data buffer (RFC 2104)
- */
-void hmac_sha1(const uint8_t *key, size_t key_len,
-    const uint8_t *data, size_t data_len, uint8_t *mac)
-{
-  hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
-}
-
-
-/**
- * sha1_prf:
- * @key: Key for PRF
- * @key_len: Length of the key in bytes
- * @label: A unique label for each purpose of the PRF
- * @data: Extra data to bind into the key
- * @data_len: Length of the data
- * @buf: Buffer for the generated pseudo-random key
- * @buf_len: Number of bytes of key to generate
- *
- * SHA1-based Pseudo-Random Function (PRF) (IEEE 802.11i, 8.5.1.1)
- *
- * This function is used to derive new, cryptographically separate keys from a
- * given key (e.g., PMK in IEEE 802.11i).
- */
-void sha1_prf(const uint8_t *key, size_t key_len, const char *label,
-    const uint8_t *data, size_t data_len, uint8_t *buf, size_t buf_len)
-{
-  uint8_t counter = 0;
-  size_t pos, plen;
-  uint8_t hash[SHA1_MAC_LEN];
-  size_t label_len = strlen(label) + 1;
-  const unsigned char *addr[3];
-  size_t len[3];
-
-  addr[0] = (uint8_t *) label;
-  len[0] = label_len;
-  addr[1] = data;
-  len[1] = data_len;
-  addr[2] = &counter;
-  len[2] = 1;
-
-  pos = 0;
-  while (pos < buf_len) {
-    plen = buf_len - pos;
-    if (plen >= SHA1_MAC_LEN) {
-      hmac_sha1_vector(key, key_len, 3, addr, len, &buf[pos]);
-      pos += SHA1_MAC_LEN;
-    } else {
-      hmac_sha1_vector(key, key_len, 3, addr, len, hash);
-      memcpy(&buf[pos], hash, plen);
-      break;
-    }
-    counter++;
-  }
-}
diff --git a/stun/sha1.h b/stun/sha1.h
deleted file mode 100644
index 27ea014..0000000
--- a/stun/sha1.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * SHA1 hash implementation and interface functions
- * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Alternatively, this software may be distributed under the terms of BSD
- * license.
- *
- * See README and COPYING for more details.
- */
-
-#ifndef SHA1_H
-#define SHA1_H
-
-#ifdef _WIN32
-#include "win32_common.h"
-#else
-#include <stdint.h>
-#endif
-#include <stddef.h>
-
-#define SHA1_MAC_LEN 20
-
-struct SHA1Context {
-  uint32_t state[5];
-  uint32_t count[2];
-  unsigned char buffer[64];
-};
-
-typedef struct SHA1Context SHA1_CTX;
-
-void SHA1Init(SHA1_CTX *context);
-void SHA1Update(SHA1_CTX *context, const void *data, uint32_t len);
-void SHA1Final(unsigned char digest[20], SHA1_CTX *context);
-
-struct HMACContext {
-  SHA1_CTX context;
-  uint8_t key[64];
-  size_t key_len;
-};
-typedef struct HMACContext HMAC_CTX;
-
-void HMACInit(HMAC_CTX *context, const uint8_t *key, size_t key_len);
-void HMACUpdate(HMAC_CTX *context, const void *data, uint32_t len);
-void HMACFinal(unsigned char digest[20], HMAC_CTX *context);
-
-void sha1_vector(size_t num_elem, const uint8_t *addr[], const size_t *len,
-    uint8_t *mac);
-void hmac_sha1_vector(const uint8_t *key, size_t key_len, size_t num_elem,
-    const uint8_t *addr[], const size_t *len, uint8_t *mac);
-void hmac_sha1(const uint8_t *key, size_t key_len,
-    const uint8_t *data, size_t data_len, uint8_t *mac);
-void sha1_prf(const uint8_t *key, size_t key_len, const char *label,
-    const uint8_t *data, size_t data_len, uint8_t *buf, size_t buf_len);
-
-#endif /* SHA1_H */
diff --git a/stun/stunhmac.c b/stun/stunhmac.c
index cb3848c..795e987 100644
--- a/stun/stunhmac.c
+++ b/stun/stunhmac.c
@@ -40,7 +40,6 @@
 # include <config.h>
 #endif
 
-#include "sha1.h"
 #include "rand.h"
 
 #include "stunmessage.h"
@@ -48,37 +47,40 @@
 
 #include <string.h>
 #include <assert.h>
+#include <gcrypt.h>
 
 void stun_sha1 (const uint8_t *msg, size_t len, size_t msg_len, uint8_t *sha,
     const void *key, size_t keylen, int padding)
 {
   uint16_t fakelen = htons (msg_len);
-  const uint8_t *vector[4];
-  size_t lengths[4];
   uint8_t pad_char[64] = {0};
-  size_t num_elements;
+  gcry_mac_hd_t hd;
+  size_t sha_len = 20;
+
+#define TRY(s) \
+  if (!(s)) \
+    abort ();
 
   assert (len >= 44u);
 
-  vector[0] = msg;
-  lengths[0] = 2;
-  vector[1] = (const uint8_t *)&fakelen;
-  lengths[1] = 2;
-  vector[2] = msg + 4;
-  lengths[2] = len - 28;
-  num_elements = 3;
+  TRY (gcry_mac_open (&hd, GCRY_MAC_HMAC_SHA1, 0  /* flags */, NULL) == 0);
+  TRY (gcry_mac_setkey (hd, key, keylen) == 0);
+
+  TRY (gcry_mac_write (hd, msg, 2) == 0);
+  TRY (gcry_mac_write (hd, &fakelen, 2) == 0);
+  TRY (gcry_mac_write (hd, msg + 4, len - 28) == 0);
 
   /* RFC 3489 specifies that the message's size should be 64 bytes,
      and \x00 padding should be done */
   if (padding && ((len - 24) % 64) > 0) {
     uint16_t pad_size = 64 - ((len - 24) % 64);
-
-    vector[3] = pad_char;
-    lengths[3] = pad_size;
-    num_elements++;
+    TRY (gcry_mac_write (hd, pad_char, pad_size) == 0);
   }
 
-  hmac_sha1_vector(key, keylen, num_elements, vector, lengths, sha);
+  TRY (gcry_mac_read (hd, sha, &sha_len) == 0);
+  assert (sha_len == 20);
+
+  gcry_mac_close (hd);
 }
 
 static const uint8_t *priv_trim_var (const uint8_t *var, size_t *var_len)