[coreboot-gerrit] Change in coreboot[master]: security/crypto: Add HMAC support
Philipp Deppenwiese (Code Review)
gerrit at coreboot.org
Thu Jan 11 11:49:09 CET 2018
Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/23213
Change subject: security/crypto: Add HMAC support
......................................................................
security/crypto: Add HMAC support
* Add HMAC support
* All coreboot hash functions can be used.
* Integrated code from 3rdparty/vboot
Change-Id: Icea895df340c9bb61a57585347a5cdd4032b7dea
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/security/crypto/Kconfig
M src/security/crypto/Makefile.inc
A src/security/crypto/hmac.h
A src/security/crypto/hmac/hmac.c
4 files changed, 125 insertions(+), 6 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/13/23213/1
diff --git a/src/security/crypto/Kconfig b/src/security/crypto/Kconfig
index 0f39a8e..b33ff13 100644
--- a/src/security/crypto/Kconfig
+++ b/src/security/crypto/Kconfig
@@ -25,8 +25,7 @@
default n
select CRYPTO_HASH
help
- Enable this option to enable hashing support in coreboot.
- SHA1 and SHA256 are currently supported.
+ Enable this option to ensure SHA-1 support.
If unsure, say N.
@@ -35,8 +34,7 @@
default n
select CRYPTO_HASH
help
- Enable this option to enable hashing support in coreboot.
- SHA1 and SHA256 are currently supported.
+ Enable this option to ensure SHA-256 support.
If unsure, say N.
@@ -45,11 +43,19 @@
default n
select CRYPTO_HASH
help
- Enable this option to enable hashing support in coreboot.
- SHA1 and SHA256 are currently supported.
+ Enable this option to to ensure SHA-512 support.
If unsure, say N.
endmenu
+config CRYPTO_HMAC
+ bool "HMAC support"
+ default n
+ select CRYPTO_HASH
+ help
+ Enable this option to to ensure HMAC support.
+
+ If unsure, say N.
+
endmenu # Cryptographic Primitives
diff --git a/src/security/crypto/Makefile.inc b/src/security/crypto/Makefile.inc
index b1c5cfc..b22ce00 100644
--- a/src/security/crypto/Makefile.inc
+++ b/src/security/crypto/Makefile.inc
@@ -19,3 +19,8 @@
romstage-$(CONFIG_CRYPTO_HASH) += hash/hash.c
ramstage-$(CONFIG_CRYPTO_HASH) += hash/hash.c
smm-$(CONFIG_CRYPTO_HASH) += hash/hash.c
+
+verstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+romstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+ramstage-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
+smm-$(CONFIG_CRYPTO_HMAC) += hmac/hmac.c
diff --git a/src/security/crypto/hmac.h b/src/security/crypto/hmac.h
new file mode 100644
index 0000000..31ff193
--- /dev/null
+++ b/src/security/crypto/hmac.h
@@ -0,0 +1,40 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef CRYPTO_HMAC_H_
+#define CRYPTO_HMAC_H_
+
+#include <stdint.h>
+
+#include <security/crypto/hash.h>
+
+/**
+ * Compute HMAC
+ *
+ * @param alg Hash algorithm ID
+ * @param key HMAC key
+ * @param key_size HMAC key size
+ * @param msg Message to compute HMAC for
+ * @param msg_size Message size
+ * @param mac Computed message authentication code
+ * @param mac_size Size of the buffer pointed by <mac>
+ * @return
+ */
+int hmac(enum hash_algorithm alg,
+ const void *key, uint32_t key_size,
+ const void *msg, uint32_t msg_size,
+ uint8_t *mac, uint32_t mac_size);
+
+#endif /* CRYPTO_HMAC_H_ */
diff --git a/src/security/crypto/hmac/hmac.c b/src/security/crypto/hmac/hmac.c
new file mode 100644
index 0000000..b6686c4
--- /dev/null
+++ b/src/security/crypto/hmac/hmac.c
@@ -0,0 +1,68 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <security/crypto/hmac.h>
+
+int hmac(enum hash_algorithm alg,
+ const void *key, uint32_t key_size,
+ const void *msg, uint32_t msg_size,
+ uint8_t *mac, uint32_t mac_size)
+{
+ uint32_t block_size;
+ uint32_t digest_length;
+ uint8_t k[MAX_BLOCK_SIZE];
+ uint8_t o_pad[MAX_BLOCK_SIZE];
+ uint8_t i_pad[MAX_BLOCK_SIZE];
+ uint8_t b[MAX_DIGEST_SIZE];
+ struct digest_context dc;
+ int i;
+
+ if (!key | !msg | !mac)
+ return -1;
+
+ digest_length = digest_size(alg);
+ block_size = hash_block_size(alg);
+ if (!digest_length || !block_size)
+ return -1;
+
+ if (mac_size < digest_length)
+ return -1;
+
+ if (key_size > block_size) {
+ digest_buffer((uint8_t *)key, key_size, alg, k, block_size);
+ key_size = digest_length;
+ } else {
+ memcpy(k, key, key_size);
+ }
+ if (key_size < block_size)
+ memset(k + key_size, 0, block_size - key_size);
+
+ for (i = 0; i < block_size; i++) {
+ o_pad[i] = 0x5c ^ k[i];
+ i_pad[i] = 0x36 ^ k[i];
+ }
+
+ digest_init(&dc, alg);
+ digest_extend(&dc, i_pad, block_size);
+ digest_extend(&dc, msg, msg_size);
+ digest_finalize(&dc, b, digest_length);
+
+ digest_init(&dc, alg);
+ digest_extend(&dc, o_pad, block_size);
+ digest_extend(&dc, b, digest_length);
+ digest_finalize(&dc, mac, mac_size);
+
+ return 0;
+}
--
To view, visit https://review.coreboot.org/23213
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Icea895df340c9bb61a57585347a5cdd4032b7dea
Gerrit-Change-Number: 23213
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180111/ae4a034d/attachment-0001.html>
More information about the coreboot-gerrit
mailing list