[coreboot-gerrit] Change in coreboot[master]: security/crypto: Add HMAC support

Thu Jan 11 11:49:09 CET 2018

Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/23213


Change subject: security/crypto: Add HMAC support
......................................................................

security/crypto: Add HMAC support

* Add HMAC support
* All coreboot hash functions can be used.
* Integrated code from 3rdparty/vboot

Change-Id: Icea895df340c9bb61a57585347a5cdd4032b7dea
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/security/crypto/Kconfig
M src/security/crypto/Makefile.inc
A src/security/crypto/hmac.h
A src/security/crypto/hmac/hmac.c
4 files changed, 125 insertions(+), 6 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/13/23213/1

diff --git a/src/security/crypto/Kconfig b/src/security/crypto/Kconfig
index 0f39a8e..b33ff13 100644
--- a/src/security/crypto/Kconfig
+++ b/src/security/crypto/Kconfig
@@ -25,8 +25,7 @@
 	default n
 	select CRYPTO_HASH
 	help
-	  Enable this option to enable hashing support in coreboot.
-	  SHA1 and SHA256 are currently supported.
+	  Enable this option to ensure SHA-1 support.
 
 	  If unsure, say N.
 
@@ -35,8 +34,7 @@
 	default n
 	select CRYPTO_HASH
 	help
-	  Enable this option to enable hashing support in coreboot.
-	  SHA1 and SHA256 are currently supported.
+	  Enable this option to ensure SHA-256 support.
 
 	  If unsure, say N.
 
@@ -45,11 +43,19 @@
 	default n
 	select CRYPTO_HASH
 	help
-	  Enable this option to enable hashing support in coreboot.
-	  SHA1 and SHA256 are currently supported.
+	  Enable this option to to ensure SHA-512 support.
 
 	  If unsure, say N.
 
 endmenu
 
+config CRYPTO_HMAC
+	bool "HMAC support"
+	default n
+	select CRYPTO_HASH
+	help
+	  Enable this option to to ensure HMAC support.
+
+	  If unsure, say N.
+
 endmenu # Cryptographic Primitives
diff --git a/src/security/crypto/Makefile.inc b/src/security/crypto/Makefile.inc
index b1c5cfc..b22ce00 100644
--- a/src/security/crypto/Makefile.inc
+++ b/src/security/crypto/Makefile.inc
@@ -19,3 +19,8 @@
 romstage-$(CONFIG_CRYPTO_HASH) += hash/hash.c
 ramstage-$(CONFIG_CRYPTO_HASH) += hash/hash.c
 smm-$(CONFIG_CRYPTO_HASH) += hash/hash.c
+
+verstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+romstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+ramstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+smm-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
diff --git a/src/security/crypto/hmac.h b/src/security/crypto/hmac.h
new file mode 100644
index 0000000..31ff193
--- /dev/null
+++ b/src/security/crypto/hmac.h
@@ -0,0 +1,40 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef CRYPTO_HMAC_H_
+#define CRYPTO_HMAC_H_
+
+#include <stdint.h>
+
+#include <security/crypto/hash.h>
+
+/**
+ * Compute HMAC
+ *
+ * @param alg		Hash algorithm ID
+ * @param key		HMAC key
+ * @param key_size	HMAC key size
+ * @param msg		Message to compute HMAC for
+ * @param msg_size	Message size
+ * @param mac		Computed message authentication code
+ * @param mac_size	Size of the buffer pointed by <mac>
+ * @return
+ */
+int hmac(enum hash_algorithm alg,
+	 const void *key, uint32_t key_size,
+	 const void *msg, uint32_t msg_size,
+	 uint8_t *mac, uint32_t mac_size);
+
+#endif /* CRYPTO_HMAC_H_ */
diff --git a/src/security/crypto/hmac/hmac.c b/src/security/crypto/hmac/hmac.c
new file mode 100644
index 0000000..b6686c4
--- /dev/null
+++ b/src/security/crypto/hmac/hmac.c
@@ -0,0 +1,68 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <security/crypto/hmac.h>
+
+int hmac(enum hash_algorithm alg,
+	 const void *key, uint32_t key_size,
+	 const void *msg, uint32_t msg_size,
+	 uint8_t *mac, uint32_t mac_size)
+{
+	uint32_t block_size;
+	uint32_t digest_length;
+	uint8_t k[MAX_BLOCK_SIZE];
+	uint8_t o_pad[MAX_BLOCK_SIZE];
+	uint8_t i_pad[MAX_BLOCK_SIZE];
+	uint8_t b[MAX_DIGEST_SIZE];
+	struct digest_context dc;
+	int i;
+
+	if (!key | !msg | !mac)
+		return -1;
+
+	digest_length = digest_size(alg);
+	block_size = hash_block_size(alg);
+	if (!digest_length || !block_size)
+		return -1;
+
+	if (mac_size < digest_length)
+		return -1;
+
+	if (key_size > block_size) {
+		digest_buffer((uint8_t *)key, key_size, alg, k, block_size);
+		key_size = digest_length;
+	} else {
+		memcpy(k, key, key_size);
+	}
+	if (key_size < block_size)
+		memset(k + key_size, 0, block_size - key_size);
+
+	for (i = 0; i < block_size; i++) {
+		o_pad[i] = 0x5c ^ k[i];
+		i_pad[i] = 0x36 ^ k[i];
+	}
+
+	digest_init(&dc, alg);
+	digest_extend(&dc, i_pad, block_size);
+	digest_extend(&dc, msg, msg_size);
+	digest_finalize(&dc, b, digest_length);
+
+	digest_init(&dc, alg);
+	digest_extend(&dc, o_pad, block_size);
+	digest_extend(&dc, b, digest_length);
+	digest_finalize(&dc, mac, mac_size);
+
+	return 0;
+}

-- 
To view, visit https://review.coreboot.org/23213
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Icea895df340c9bb61a57585347a5cdd4032b7dea
Gerrit-Change-Number: 23213
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180111/ae4a034d/attachment-0001.html>
