diff options
author | Philip Withnall <philip@tecnocode.co.uk> | 2016-03-07 10:05:27 +0000 |
---|---|---|
committer | Olivier CrĂȘte <olivier.crete@collabora.com> | 2017-03-31 18:26:24 -0400 |
commit | 1513dc4ed5125643407a6a3d31f149fa194f50e8 (patch) | |
tree | d135c4375193550541e7a28b8fdd57a3ddb27a45 /stun | |
parent | ac7f59bac00807fc016a8709e1d284870882dd76 (diff) | |
download | libnice-1513dc4ed5125643407a6a3d31f149fa194f50e8.tar.gz |
stun: Use libgcrypt for SHA1 support
Now that libstun depends on libgcrypt, we might as well use its SHA1 hash
support, rather than carrying around our own.
Differential Revision: https://phabricator.freedesktop.org/D1612
Diffstat (limited to 'stun')
-rw-r--r-- | stun/Makefile.am | 1 | ||||
-rw-r--r-- | stun/sha1.c | 457 | ||||
-rw-r--r-- | stun/sha1.h | 59 | ||||
-rw-r--r-- | stun/stunhmac.c | 34 |
4 files changed, 18 insertions, 533 deletions
diff --git a/stun/Makefile.am b/stun/Makefile.am index 77b884e..f532616 100644 --- a/stun/Makefile.am +++ b/stun/Makefile.am @@ -29,7 +29,6 @@ libstun_la_SOURCES = constants.h \ stunmessage.c stunmessage.h \ stun5389.c stun5389.h \ stuncrc32.c stuncrc32.h \ - sha1.c sha1.h \ rand.c rand.h \ stunhmac.c stunhmac.h \ utils.c utils.h \ diff --git a/stun/sha1.c b/stun/sha1.c deleted file mode 100644 index 6c95d27..0000000 --- a/stun/sha1.c +++ /dev/null @@ -1,457 +0,0 @@ -/* - * SHA1 hash implementation and interface functions - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Alternatively, this software may be distributed under the terms of BSD - * license. - * - * See README and COPYING for more details. - */ - -#include "sha1.h" - -#include <string.h> - - -/* ===== start - public domain SHA1 implementation ===== */ - -/* -SHA-1 in C -By Steve Reid <sreid@sea-to-sky.net> -100% Public Domain - ------------------ -Modified 7/98 -By James H. Brown <jbrown@burgoyne.com> -Still 100% Public Domain - -Corrected a problem which generated improper hash values on 16 bit machines -Routine SHA1Update changed from - void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int -len) -to - void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned -long len) - -The 'len' parameter was declared an int which works fine on 32 bit machines. -However, on 16 bit machines an int is too small for the shifts being done -against -it. This caused the hash function to generate incorrect values if len was -greater than 8191 (8K - 1) due to the 'len << 3' on line 3 of SHA1Update(). - -Since the file IO in main() reads 16K at a time, any file 8K or larger would -be guaranteed to generate the wrong hash (e.g. Test Vector #3, a million -"a"s). - -I also changed the declaration of variables i & j in SHA1Update to -unsigned long from unsigned int for the same reason. - -These changes should make no difference to any 32 bit implementations since -an -int and a long are the same size in those environments. - --- -I also corrected a few compiler warnings generated by Borland C. -1. Added #include <process.h> for exit() prototype -2. Removed unused variable 'j' in SHA1Final -3. Changed exit(0) to return(0) at end of main. - -ALL changes I made can be located by searching for comments containing 'JHB' ------------------ -Modified 8/98 -By Steve Reid <sreid@sea-to-sky.net> -Still 100% public domain - -1- Removed #include <process.h> and used return() instead of exit() -2- Fixed overwriting of finalcount in SHA1Final() (discovered by Chris Hall) -3- Changed email address from steve@edmweb.com to sreid@sea-to-sky.net - ------------------ -Modified 4/01 -By Saul Kravitz <Saul.Kravitz@celera.com> -Still 100% PD -Modified to run on Compaq Alpha hardware. - ------------------ -Modified 4/01 -By Jouni Malinen <j@w1.fi> -Minor changes to match the coding style used in Dynamics. - -Modified September 24, 2004 -By Jouni Malinen <j@w1.fi> -Fixed alignment issue in SHA1Transform when SHA1HANDSOFF is defined. - -*/ - -/* -Test Vectors (from FIPS PUB 180-1) -"abc" - A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D -"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 -A million repetitions of "a" - 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F -*/ - -#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) - -/* blk0() and blk() perform the initial expand. */ -/* I got the idea of expanding during the round function from SSLeay */ -#define blk0(i) (block->l[i] = blk0_endiansafe (block->l[i])) - -#define blk(i) (block->l[i & 15] = rol(block->l[(i + 13) & 15] ^ \ - block->l[(i + 8) & 15] ^ block->l[(i + 2) & 15] ^ block->l[i & 15], 1)) - -/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ -#define R0(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R1(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R2(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); w = rol(w, 30); -#define R3(v,w,x,y,z,i) \ - z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ - w = rol(w, 30); -#define R4(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ - w=rol(w, 30); - -static void SHA1Transform(uint32_t state[5], const unsigned char buffer[64]); -/* Hash a single 512-bit block. This is the core of the algorithm. */ - -static int am_big_endian(void) -{ - long one= 1; - return !(*((char *)(&one))); -} - -static uint32_t blk0_endiansafe (uint32_t l) -{ - if (am_big_endian ()) - return l; - else - return (rol(l, 24) & 0xFF00FF00) | (rol(l, 8) & 0x00FF00FF); -} - -static void SHA1Transform(uint32_t state[5], const unsigned char buffer[64]) -{ - uint32_t a, b, c, d, e; - typedef union { - uint8_t c[64]; - uint32_t l[16]; - } CHAR64LONG16; - CHAR64LONG16* block; - uint8_t workspace[64]; - block = (CHAR64LONG16 *) workspace; - memcpy(block, buffer, 64); - - /* Copy context->state[] to working vars */ - a = state[0]; - b = state[1]; - c = state[2]; - d = state[3]; - e = state[4]; - /* 4 rounds of 20 operations each. Loop unrolled. */ - R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); - R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); - R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); - R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); - R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); - R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); - R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); - R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); - R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); - R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); - R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); - R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); - R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); - R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); - R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); - R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); - R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); - R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); - R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); - R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); - /* Add the working vars back into context.state[] */ - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - state[4] += e; - /* Wipe variables */ - a = b = c = d = e = 0; - memset(block, 0, 64); -} - - -/* SHA1Init - Initialize new context */ - -void SHA1Init(SHA1_CTX* context) -{ - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; - context->state[1] = 0xEFCDAB89; - context->state[2] = 0x98BADCFE; - context->state[3] = 0x10325476; - context->state[4] = 0xC3D2E1F0; - context->count[0] = context->count[1] = 0; -} - - -/* Run your data through this. */ - -void SHA1Update(SHA1_CTX* context, const void *_data, uint32_t len) -{ - uint32_t i, j; - const unsigned char *data = _data; - - j = (context->count[0] >> 3) & 63; - if ((context->count[0] += len << 3) < (len << 3)) - context->count[1]++; - context->count[1] += (len >> 29); - if ((j + len) > 63) { - memcpy(&context->buffer[j], data, (i = 64-j)); - SHA1Transform(context->state, context->buffer); - for ( ; i + 63 < len; i += 64) { - SHA1Transform(context->state, &data[i]); - } - j = 0; - } - else i = 0; - memcpy(&context->buffer[j], &data[i], len - i); -} - - -/* Add padding and return the message digest. */ - -void SHA1Final(unsigned char digest[20], SHA1_CTX* context) -{ - uint32_t i; - unsigned char finalcount[8]; - - for (i = 0; i < 8; i++) { - finalcount[i] = (unsigned char) - ((context->count[(i >= 4 ? 0 : 1)] >> - ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ - } - SHA1Update(context, (unsigned char *) "\200", 1); - while ((context->count[0] & 504) != 448) { - SHA1Update(context, (unsigned char *) "\0", 1); - } - SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() - */ - for (i = 0; i < 20; i++) { - digest[i] = (unsigned char) - ((context->state[i >> 2] >> ((3 - (i & 3)) * 8)) & - 255); - } - /* Wipe variables */ - i = 0; - memset(context->buffer, 0, 64); - memset(context->state, 0, 20); - memset(context->count, 0, 8); - memset(finalcount, 0, 8); -} - -/* ===== end - public domain SHA1 implementation ===== */ - - -void HMACInit(HMAC_CTX* context, const uint8_t *key, size_t key_len) -{ - unsigned char ipad[64]; /* padding - key XORd with ipad */ - unsigned char tk[20]; - size_t i; - - /* if key is longer than 64 bytes reset it to key = SHA1(key) */ - if (key_len > 64) { - SHA1_CTX sha1_ctx; - - SHA1Init(&sha1_ctx); - SHA1Update(&sha1_ctx, key, key_len); - SHA1Final(tk, &sha1_ctx); - - key = tk; - key_len = 20; - } - - /* start out by storing key in ipad */ - memset(ipad, 0, sizeof(ipad)); - memcpy(ipad, key, key_len); - - /* XOR key with ipad values */ - for (i = 0; i < 64; i++) - ipad[i] ^= 0x36; - - /* Store the key in our context */ - memcpy(context->key, key, key_len); - context->key_len = key_len; - - SHA1Init (&context->context); - SHA1Update (&context->context, ipad, sizeof(ipad)); -} - -void HMACUpdate(HMAC_CTX *context, const void *data, uint32_t len) -{ - SHA1Update (&context->context, data, len); -} - -void HMACFinal(unsigned char digest[20], HMAC_CTX *context) -{ - - unsigned char opad[64]; /* padding - key XORd with opad */ - unsigned char sha1_digest[SHA1_MAC_LEN]; - size_t i; - SHA1_CTX outer_sha1_ctx; - - SHA1Final (sha1_digest, &context->context); - - memset(opad, 0, sizeof(opad)); - memcpy(opad, context->key, context->key_len); - - /* XOR key with opad values */ - for (i = 0; i < 64; i++) - opad[i] ^= 0x5c; - - /* perform outer SHA1 */ - SHA1Init(&outer_sha1_ctx); - SHA1Update(&outer_sha1_ctx, opad, 64); - SHA1Update(&outer_sha1_ctx, sha1_digest, SHA1_MAC_LEN); - SHA1Final(digest, &outer_sha1_ctx); -} - - -/** - * hmac_sha1_vector: - * @key: Key for HMAC operations - * @key_len: Length of the key in bytes - * @num_elem: Number of elements in the data vector - * @addr: Pointers to the data areas - * @len: Lengths of the data blocks - * @mac: Buffer for the hash (20 bytes) - * - * HMAC-SHA1 over data vector (RFC 2104) - */ -void hmac_sha1_vector(const uint8_t *key, size_t key_len, size_t num_elem, - const uint8_t *addr[], const size_t *len, uint8_t *mac) -{ - unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */ - unsigned char tk[20]; - size_t i; - SHA1_CTX sha1_ctx; - - /* if key is longer than 64 bytes reset it to key = SHA1(key) */ - if (key_len > 64) { - SHA1Init(&sha1_ctx); - SHA1Update(&sha1_ctx, key, key_len); - SHA1Final(tk, &sha1_ctx); - - key = tk; - key_len = 20; - } - - /* the HMAC_SHA1 transform looks like: - * - * SHA1(K XOR opad, SHA1(K XOR ipad, text)) - * - * where K is an n byte key - * ipad is the byte 0x36 repeated 64 times - * opad is the byte 0x5c repeated 64 times - * and text is the data being protected */ - - /* start out by storing key in ipad */ - memset(k_pad, 0, sizeof(k_pad)); - memcpy(k_pad, key, key_len); - /* XOR key with ipad values */ - for (i = 0; i < 64; i++) - k_pad[i] ^= 0x36; - - /* perform inner SHA1 */ - SHA1Init(&sha1_ctx); - SHA1Update(&sha1_ctx, k_pad, 64); - for (i = 0; i < num_elem; i++) - SHA1Update(&sha1_ctx, addr[i], len[i]); - SHA1Final(mac, &sha1_ctx); - - memset(k_pad, 0, sizeof(k_pad)); - memcpy(k_pad, key, key_len); - /* XOR key with opad values */ - for (i = 0; i < 64; i++) - k_pad[i] ^= 0x5c; - - /* perform outer SHA1 */ - SHA1Init(&sha1_ctx); - SHA1Update(&sha1_ctx, k_pad, 64); - SHA1Update(&sha1_ctx, mac, SHA1_MAC_LEN); - SHA1Final(mac, &sha1_ctx); -} - - -/** - * hmac_sha1: - * @key: Key for HMAC operations - * @key_len: Length of the key in bytes - * @data: Pointers to the data area - * @data_len: Length of the data area - * @mac: Buffer for the hash (20 bytes) - * - * HMAC-SHA1 over data buffer (RFC 2104) - */ -void hmac_sha1(const uint8_t *key, size_t key_len, - const uint8_t *data, size_t data_len, uint8_t *mac) -{ - hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); -} - - -/** - * sha1_prf: - * @key: Key for PRF - * @key_len: Length of the key in bytes - * @label: A unique label for each purpose of the PRF - * @data: Extra data to bind into the key - * @data_len: Length of the data - * @buf: Buffer for the generated pseudo-random key - * @buf_len: Number of bytes of key to generate - * - * SHA1-based Pseudo-Random Function (PRF) (IEEE 802.11i, 8.5.1.1) - * - * This function is used to derive new, cryptographically separate keys from a - * given key (e.g., PMK in IEEE 802.11i). - */ -void sha1_prf(const uint8_t *key, size_t key_len, const char *label, - const uint8_t *data, size_t data_len, uint8_t *buf, size_t buf_len) -{ - uint8_t counter = 0; - size_t pos, plen; - uint8_t hash[SHA1_MAC_LEN]; - size_t label_len = strlen(label) + 1; - const unsigned char *addr[3]; - size_t len[3]; - - addr[0] = (uint8_t *) label; - len[0] = label_len; - addr[1] = data; - len[1] = data_len; - addr[2] = &counter; - len[2] = 1; - - pos = 0; - while (pos < buf_len) { - plen = buf_len - pos; - if (plen >= SHA1_MAC_LEN) { - hmac_sha1_vector(key, key_len, 3, addr, len, &buf[pos]); - pos += SHA1_MAC_LEN; - } else { - hmac_sha1_vector(key, key_len, 3, addr, len, hash); - memcpy(&buf[pos], hash, plen); - break; - } - counter++; - } -} diff --git a/stun/sha1.h b/stun/sha1.h deleted file mode 100644 index 27ea014..0000000 --- a/stun/sha1.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * SHA1 hash implementation and interface functions - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Alternatively, this software may be distributed under the terms of BSD - * license. - * - * See README and COPYING for more details. - */ - -#ifndef SHA1_H -#define SHA1_H - -#ifdef _WIN32 -#include "win32_common.h" -#else -#include <stdint.h> -#endif -#include <stddef.h> - -#define SHA1_MAC_LEN 20 - -struct SHA1Context { - uint32_t state[5]; - uint32_t count[2]; - unsigned char buffer[64]; -}; - -typedef struct SHA1Context SHA1_CTX; - -void SHA1Init(SHA1_CTX *context); -void SHA1Update(SHA1_CTX *context, const void *data, uint32_t len); -void SHA1Final(unsigned char digest[20], SHA1_CTX *context); - -struct HMACContext { - SHA1_CTX context; - uint8_t key[64]; - size_t key_len; -}; -typedef struct HMACContext HMAC_CTX; - -void HMACInit(HMAC_CTX *context, const uint8_t *key, size_t key_len); -void HMACUpdate(HMAC_CTX *context, const void *data, uint32_t len); -void HMACFinal(unsigned char digest[20], HMAC_CTX *context); - -void sha1_vector(size_t num_elem, const uint8_t *addr[], const size_t *len, - uint8_t *mac); -void hmac_sha1_vector(const uint8_t *key, size_t key_len, size_t num_elem, - const uint8_t *addr[], const size_t *len, uint8_t *mac); -void hmac_sha1(const uint8_t *key, size_t key_len, - const uint8_t *data, size_t data_len, uint8_t *mac); -void sha1_prf(const uint8_t *key, size_t key_len, const char *label, - const uint8_t *data, size_t data_len, uint8_t *buf, size_t buf_len); - -#endif /* SHA1_H */ diff --git a/stun/stunhmac.c b/stun/stunhmac.c index cb3848c..795e987 100644 --- a/stun/stunhmac.c +++ b/stun/stunhmac.c @@ -40,7 +40,6 @@ # include <config.h> #endif -#include "sha1.h" #include "rand.h" #include "stunmessage.h" @@ -48,37 +47,40 @@ #include <string.h> #include <assert.h> +#include <gcrypt.h> void stun_sha1 (const uint8_t *msg, size_t len, size_t msg_len, uint8_t *sha, const void *key, size_t keylen, int padding) { uint16_t fakelen = htons (msg_len); - const uint8_t *vector[4]; - size_t lengths[4]; uint8_t pad_char[64] = {0}; - size_t num_elements; + gcry_mac_hd_t hd; + size_t sha_len = 20; + +#define TRY(s) \ + if (!(s)) \ + abort (); assert (len >= 44u); - vector[0] = msg; - lengths[0] = 2; - vector[1] = (const uint8_t *)&fakelen; - lengths[1] = 2; - vector[2] = msg + 4; - lengths[2] = len - 28; - num_elements = 3; + TRY (gcry_mac_open (&hd, GCRY_MAC_HMAC_SHA1, 0 /* flags */, NULL) == 0); + TRY (gcry_mac_setkey (hd, key, keylen) == 0); + + TRY (gcry_mac_write (hd, msg, 2) == 0); + TRY (gcry_mac_write (hd, &fakelen, 2) == 0); + TRY (gcry_mac_write (hd, msg + 4, len - 28) == 0); /* RFC 3489 specifies that the message's size should be 64 bytes, and \x00 padding should be done */ if (padding && ((len - 24) % 64) > 0) { uint16_t pad_size = 64 - ((len - 24) % 64); - - vector[3] = pad_char; - lengths[3] = pad_size; - num_elements++; + TRY (gcry_mac_write (hd, pad_char, pad_size) == 0); } - hmac_sha1_vector(key, keylen, num_elements, vector, lengths, sha); + TRY (gcry_mac_read (hd, sha, &sha_len) == 0); + assert (sha_len == 20); + + gcry_mac_close (hd); } static const uint8_t *priv_trim_var (const uint8_t *var, size_t *var_len) |