3 * Copyright (C) 2006-2014 wolfSSL Inc.
5 * This file is part of CyaSSL.
7 * CyaSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * CyaSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
26 #include <cyassl/ctaocrypt/settings.h>
30 #ifdef CYASSL_PIC32MZ_HASH
32 #define InitMd5 InitMd5_sw
33 #define Md5Update Md5Update_sw
34 #define Md5Final Md5Final_sw
36 #define InitSha InitSha_sw
37 #define ShaUpdate ShaUpdate_sw
38 #define ShaFinal ShaFinal_sw
40 #define InitSha256 InitSha256_sw
41 #define Sha256Update Sha256Update_sw
42 #define Sha256Final Sha256Final_sw
47 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
48 #define FIPS_NO_WRAPPERS
51 #include <cyassl/ctaocrypt/hmac.h>
52 #include <cyassl/ctaocrypt/error-crypt.h>
56 static void HmacCaviumFinal(Hmac* hmac, byte* hash);
57 static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length);
58 static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
62 static int InitHmac(Hmac* hmac, int type)
66 hmac->innerHashKeyed = 0;
67 hmac->macType = (byte)type;
69 if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384
70 || type == SHA512 || type == BLAKE2B_ID))
76 InitMd5(&hmac->hash.md5);
82 ret = InitSha(&hmac->hash.sha);
88 ret = InitSha256(&hmac->hash.sha256);
94 ret = InitSha384(&hmac->hash.sha384);
100 ret = InitSha512(&hmac->hash.sha512);
106 ret = InitBlake2b(&hmac->hash.blake2b, BLAKE2B_256);
118 int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
120 byte* ip = (byte*) hmac->ipad;
121 byte* op = (byte*) hmac->opad;
122 word32 i, hmac_block_size = 0;
126 if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
127 return HmacCaviumSetKey(hmac, type, key, length);
130 ret = InitHmac(hmac, type);
135 if (length < HMAC_FIPS_MIN_KEY)
136 return HMAC_MIN_KEYLEN_E;
139 switch (hmac->macType) {
143 hmac_block_size = MD5_BLOCK_SIZE;
144 if (length <= MD5_BLOCK_SIZE) {
145 XMEMCPY(ip, key, length);
148 Md5Update(&hmac->hash.md5, key, length);
149 Md5Final(&hmac->hash.md5, ip);
150 length = MD5_DIGEST_SIZE;
159 hmac_block_size = SHA_BLOCK_SIZE;
160 if (length <= SHA_BLOCK_SIZE) {
161 XMEMCPY(ip, key, length);
164 ShaUpdate(&hmac->hash.sha, key, length);
165 ShaFinal(&hmac->hash.sha, ip);
166 length = SHA_DIGEST_SIZE;
175 hmac_block_size = SHA256_BLOCK_SIZE;
176 if (length <= SHA256_BLOCK_SIZE) {
177 XMEMCPY(ip, key, length);
180 ret = Sha256Update(&hmac->hash.sha256, key, length);
184 ret = Sha256Final(&hmac->hash.sha256, ip);
188 length = SHA256_DIGEST_SIZE;
197 hmac_block_size = SHA384_BLOCK_SIZE;
198 if (length <= SHA384_BLOCK_SIZE) {
199 XMEMCPY(ip, key, length);
202 ret = Sha384Update(&hmac->hash.sha384, key, length);
206 ret = Sha384Final(&hmac->hash.sha384, ip);
210 length = SHA384_DIGEST_SIZE;
219 hmac_block_size = SHA512_BLOCK_SIZE;
220 if (length <= SHA512_BLOCK_SIZE) {
221 XMEMCPY(ip, key, length);
224 ret = Sha512Update(&hmac->hash.sha512, key, length);
228 ret = Sha512Final(&hmac->hash.sha512, ip);
232 length = SHA512_DIGEST_SIZE;
241 hmac_block_size = BLAKE2B_BLOCKBYTES;
242 if (length <= BLAKE2B_BLOCKBYTES) {
243 XMEMCPY(ip, key, length);
246 ret = Blake2bUpdate(&hmac->hash.blake2b, key, length);
250 ret = Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256);
254 length = BLAKE2B_256;
263 if (length < hmac_block_size)
264 XMEMSET(ip + length, 0, hmac_block_size - length);
266 for(i = 0; i < hmac_block_size; i++) {
267 op[i] = ip[i] ^ OPAD;
274 static int HmacKeyInnerHash(Hmac* hmac)
278 switch (hmac->macType) {
281 Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, MD5_BLOCK_SIZE);
287 ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE);
293 ret = Sha256Update(&hmac->hash.sha256,
294 (byte*) hmac->ipad, SHA256_BLOCK_SIZE);
302 ret = Sha384Update(&hmac->hash.sha384,
303 (byte*) hmac->ipad, SHA384_BLOCK_SIZE);
311 ret = Sha512Update(&hmac->hash.sha512,
312 (byte*) hmac->ipad, SHA512_BLOCK_SIZE);
320 ret = Blake2bUpdate(&hmac->hash.blake2b,
321 (byte*) hmac->ipad,BLAKE2B_BLOCKBYTES);
331 hmac->innerHashKeyed = 1;
337 int HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
342 if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
343 return HmacCaviumUpdate(hmac, msg, length);
346 if (!hmac->innerHashKeyed) {
347 ret = HmacKeyInnerHash(hmac);
352 switch (hmac->macType) {
355 Md5Update(&hmac->hash.md5, msg, length);
361 ShaUpdate(&hmac->hash.sha, msg, length);
367 ret = Sha256Update(&hmac->hash.sha256, msg, length);
375 ret = Sha384Update(&hmac->hash.sha384, msg, length);
383 ret = Sha512Update(&hmac->hash.sha512, msg, length);
391 ret = Blake2bUpdate(&hmac->hash.blake2b, msg, length);
405 int HmacFinal(Hmac* hmac, byte* hash)
410 if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
411 return HmacCaviumFinal(hmac, hash);
414 if (!hmac->innerHashKeyed) {
415 ret = HmacKeyInnerHash(hmac);
420 switch (hmac->macType) {
424 Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash);
426 Md5Update(&hmac->hash.md5, (byte*) hmac->opad, MD5_BLOCK_SIZE);
427 Md5Update(&hmac->hash.md5,
428 (byte*) hmac->innerHash, MD5_DIGEST_SIZE);
430 Md5Final(&hmac->hash.md5, hash);
438 ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash);
440 ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, SHA_BLOCK_SIZE);
441 ShaUpdate(&hmac->hash.sha,
442 (byte*) hmac->innerHash, SHA_DIGEST_SIZE);
444 ShaFinal(&hmac->hash.sha, hash);
452 ret = Sha256Final(&hmac->hash.sha256, (byte*) hmac->innerHash);
456 ret = Sha256Update(&hmac->hash.sha256,
457 (byte*) hmac->opad, SHA256_BLOCK_SIZE);
461 ret = Sha256Update(&hmac->hash.sha256,
462 (byte*) hmac->innerHash, SHA256_DIGEST_SIZE);
466 ret = Sha256Final(&hmac->hash.sha256, hash);
476 ret = Sha384Final(&hmac->hash.sha384, (byte*) hmac->innerHash);
480 ret = Sha384Update(&hmac->hash.sha384,
481 (byte*) hmac->opad, SHA384_BLOCK_SIZE);
485 ret = Sha384Update(&hmac->hash.sha384,
486 (byte*) hmac->innerHash, SHA384_DIGEST_SIZE);
490 ret = Sha384Final(&hmac->hash.sha384, hash);
500 ret = Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash);
504 ret = Sha512Update(&hmac->hash.sha512,
505 (byte*) hmac->opad, SHA512_BLOCK_SIZE);
509 ret = Sha512Update(&hmac->hash.sha512,
510 (byte*) hmac->innerHash, SHA512_DIGEST_SIZE);
514 ret = Sha512Final(&hmac->hash.sha512, hash);
524 ret = Blake2bFinal(&hmac->hash.blake2b, (byte*) hmac->innerHash,
529 ret = Blake2bUpdate(&hmac->hash.blake2b,
530 (byte*) hmac->opad, BLAKE2B_BLOCKBYTES);
534 ret = Blake2bUpdate(&hmac->hash.blake2b,
535 (byte*) hmac->innerHash, BLAKE2B_256);
539 ret = Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256);
550 hmac->innerHashKeyed = 0;
558 /* Initiliaze Hmac for use with Nitrox device */
559 int HmacInitCavium(Hmac* hmac, int devId)
564 if (CspAllocContext(CONTEXT_SSL, &hmac->contextHandle, devId) != 0)
571 hmac->magic = CYASSL_HMAC_CAVIUM_MAGIC;
572 hmac->data = NULL; /* buffered input data */
574 hmac->innerHashKeyed = 0;
580 /* Free Hmac from use with Nitrox device */
581 void HmacFreeCavium(Hmac* hmac)
586 CspFreeContext(CONTEXT_SSL, hmac->contextHandle, hmac->devId);
588 XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
593 static void HmacCaviumFinal(Hmac* hmac, byte* hash)
597 if (CspHmac(CAVIUM_BLOCKING, hmac->type, NULL, hmac->keyLen,
598 (byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId,
600 CYASSL_MSG("Cavium Hmac failed");
602 hmac->innerHashKeyed = 0; /* tell update to start over if used again */
606 static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
608 word16 add = (word16)length;
612 if (length > CYASSL_MAX_16BIT) {
613 CYASSL_MSG("Too big msg for cavium hmac");
617 if (hmac->innerHashKeyed == 0) { /* starting new */
619 hmac->innerHashKeyed = 1;
622 total = add + hmac->dataLen;
623 if (total > CYASSL_MAX_16BIT) {
624 CYASSL_MSG("Too big msg for cavium hmac");
628 tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP);
630 CYASSL_MSG("Out of memory for cavium update");
634 XMEMCPY(tmp, hmac->data, hmac->dataLen);
635 XMEMCPY(tmp + hmac->dataLen, msg, add);
637 hmac->dataLen += add;
638 XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
643 static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
646 hmac->macType = (byte)type;
648 hmac->type = MD5_TYPE;
649 else if (type == SHA)
650 hmac->type = SHA1_TYPE;
651 else if (type == SHA256)
652 hmac->type = SHA256_TYPE;
654 CYASSL_MSG("unsupported cavium hmac type");
657 hmac->innerHashKeyed = 0; /* should we key Startup flag */
659 hmac->keyLen = (word16)length;
660 /* store key in ipad */
661 XMEMCPY(hmac->ipad, key, length);
664 #endif /* HAVE_CAVIUM */
666 int CyaSSL_GetHmacMaxSize(void)
668 return MAX_DIGEST_SIZE;
675 static INLINE word32 min(word32 a, word32 b)
677 return a > b ? b : a;
683 static INLINE int GetHashSizeByType(int type)
685 if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384
686 || type == SHA512 || type == BLAKE2B_ID))
692 return MD5_DIGEST_SIZE;
698 return SHA_DIGEST_SIZE;
704 return SHA256_DIGEST_SIZE;
710 return SHA384_DIGEST_SIZE;
716 return SHA512_DIGEST_SIZE;
722 return BLAKE2B_OUTBYTES;
733 /* HMAC-KDF with hash type, optional salt and info, return 0 on success */
734 int HKDF(int type, const byte* inKey, word32 inKeySz,
735 const byte* salt, word32 saltSz,
736 const byte* info, word32 infoSz,
737 byte* out, word32 outSz)
740 #ifdef CYASSL_SMALL_STACK
744 byte tmp[MAX_DIGEST_SIZE]; /* localSalt helper and T */
745 byte prk[MAX_DIGEST_SIZE];
747 const byte* localSalt; /* either points to user input or tmp */
748 int hashSz = GetHashSizeByType(type);
756 #ifdef CYASSL_SMALL_STACK
757 tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
761 prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
763 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
769 if (localSalt == NULL) {
770 XMEMSET(tmp, 0, hashSz);
776 ret = HmacSetKey(&myHmac, type, localSalt, saltSz);
779 ret = HmacUpdate(&myHmac, inKey, inKeySz);
782 ret = HmacFinal(&myHmac, prk);
786 while (outIdx < outSz) {
787 int tmpSz = (n == 1) ? 0 : hashSz;
788 word32 left = outSz - outIdx;
790 ret = HmacSetKey(&myHmac, type, prk, hashSz);
793 ret = HmacUpdate(&myHmac, tmp, tmpSz);
796 ret = HmacUpdate(&myHmac, info, infoSz);
799 ret = HmacUpdate(&myHmac, &n, 1);
802 ret = HmacFinal(&myHmac, tmp);
806 left = min(left, (word32)hashSz);
807 XMEMCPY(out+outIdx, tmp, left);
814 #ifdef CYASSL_SMALL_STACK
815 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
816 XFREE(prk, NULL, DYNAMIC_TYPE_TMP_BUFFER);
822 #endif /* HAVE_HKDF */