summaryrefslogtreecommitdiff
path: root/cp/secu
diff options
context:
space:
mode:
authorchertier2008-01-22 14:52:00 +0000
committerchertier2008-01-22 14:52:00 +0000
commit1a96aa5bc0f01aa577a34563a9aca971d8eda6e6 (patch)
treeb776d55752352b656c8f13d611b3b4837cd5cf6b /cp/secu
parentfc36eb18109160b429de64f4411e9f8f0a2e93f9 (diff)
Updating secu module and tests relative to it:
- added/completed secu_nmk2nid() function - passing explicit buffer length when calling secu_hash() function - added tests relative to secu_npw2nmk() and secu_nmk2nid() functions git-svn-id: svn+ssh://pessac/svn/cesar/trunk@1308 017c9cb6-072f-447c-8318-d5b54f68fe89
Diffstat (limited to 'cp/secu')
-rw-r--r--cp/secu/inc/secu_pbkdf1.h12
-rw-r--r--cp/secu/secu.h9
-rw-r--r--cp/secu/src/secu_lib.c33
-rw-r--r--cp/secu/src/secu_pbkdf1.c18
4 files changed, 42 insertions, 30 deletions
diff --git a/cp/secu/inc/secu_pbkdf1.h b/cp/secu/inc/secu_pbkdf1.h
index e622d5fff1..9d12c891e5 100644
--- a/cp/secu/inc/secu_pbkdf1.h
+++ b/cp/secu/inc/secu_pbkdf1.h
@@ -32,13 +32,15 @@ secu_check_password_validity (pwd_type_t pwd_type, u8 password[]);
/**
* pbkdf1
- * \param password the password to use
- * \param salt used salt
- * \param it_count iteration number for the function
- * \param output_key result of calculation
+ * \param input the input data to hash (can be a clear ascii password)
+ * \param input_len length of input
+ * \param salt salt to apply to input data
+ * \param salt_len length of salt
+ * \param it_count iteration number for the hash function
+ * \param output_key result of hash
* \return error code or 0 if success
*/
E_ErrCode
-secu_pbkdf1 (u8 password[], u8 salt[], int it_count, u8 output_key[]);
+secu_pbkdf1 (u8 input[], int input_len, u8 salt[], int salt_len, int it_count, u8 output_key[]);
#endif
diff --git a/cp/secu/secu.h b/cp/secu/secu.h
index 69b96bd8f4..27e1273a7d 100644
--- a/cp/secu/secu.h
+++ b/cp/secu/secu.h
@@ -30,13 +30,14 @@ secu_init (sec_t *p_sec);
/**
* hash password
- * \param pwd_type the password type (DPW, NMK, NPW)
- * \param in password to hash
- * \param key obtained key from password
+ * \param pwd_type the input or password type (DPW, NMK, NPW)
+ * \param in input or password to hash
+ * \param in_len input or password length
+ * \param key obtained key from input or password
* \return error code or 0 if success
*/
E_ErrCode
-secu_hash (pwd_type_t pwd_type, u8 in[], u8 out[]);
+secu_hash (pwd_type_t pwd_type, u8 in[], int in_len, u8 out[]);
/**
* AES key generation
diff --git a/cp/secu/src/secu_lib.c b/cp/secu/src/secu_lib.c
index 109445c9cf..f20b893e73 100644
--- a/cp/secu/src/secu_lib.c
+++ b/cp/secu/src/secu_lib.c
@@ -48,7 +48,7 @@ secu_init (sec_t *p_sec)
p_sec->security_parameters.nmk[0].sl = SIMPLE_CONNECT;
// choisissons la seconde NMK
memcpy(p_sec->security_parameters.nmk[1].nmk, "seconde NMK au p", AES_KEY_SIZE);
- secu_hash(PWD_NMK, p_sec->security_parameters.nmk[1].nmk, p_sec->security_parameters.nmk[1].nid);
+ secu_hash(PWD_NMK, p_sec->security_parameters.nmk[1].nmk, AES_KEY_SIZE, p_sec->security_parameters.nmk[1].nid);
p_sec->security_parameters.nmk[1].sl = SIMPLE_CONNECT;
#endif
@@ -58,22 +58,23 @@ secu_init (sec_t *p_sec)
struct pbkdf1_params_t
{
u8 salt[SALT_SIZE];
+ int salt_len;
int it_count;
int out_key_size;
};
E_ErrCode
-secu_hash (pwd_type_t pwd_type, u8 in[], u8 out[])
+secu_hash (pwd_type_t pwd_type, u8 in[], int in_len, u8 out[])
{
E_ErrCode res;
u8 str[OUTPUT_KEY_SIZE];
struct pbkdf1_params_t pbkdf1params[] =
{
- { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x85 }, 1000, 16 }, // obtenir DAK depuis DPW (7.10.7.1)
- { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 5, NID_SIZE }, // obtenir "NID offset" depuis NMK (4.4.3.1)
- { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x86 }, 1000, 16 }, // obtenir NMK-HS (7.10.7.1)
- { { 0x58, 0x56, 0x52, 0xf6, 0x9c, 0x04, 0xb5, 0x72 }, 1000, 16 }, // Test
- { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x86 }, 1000, 16 } // obtenir NMK depuis NPW
+ { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x85 }, 8, 1000, 16 }, // obtenir DAK depuis DPW (7.10.7.1)
+ { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 0, 5, NID_SIZE }, // obtenir "NID offset" depuis NMK (4.4.3.1)
+ { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x86 }, 8, 1000, 16 }, // obtenir NMK-HS (7.10.7.1)
+ { { 0x58, 0x56, 0x52, 0xf6, 0x9c, 0x04, 0xb5, 0x72 }, 8, 1000, 16 }, // Test
+ { { 0x08, 0x85, 0x6D, 0xAF, 0x7C, 0xF5, 0x81, 0x86 }, 8, 1000, 16 } // obtenir NMK depuis NPW
};
#ifdef DEBUG
uint i;
@@ -92,7 +93,7 @@ secu_hash (pwd_type_t pwd_type, u8 in[], u8 out[])
if ( (res = secu_check_password_validity (pwd_type, in)) != Success)
return res;
}
- if ( (res = secu_pbkdf1(in, pbkdf1params[pwd_type].salt, pbkdf1params[pwd_type].it_count, str) != Success))
+ if ( (res = secu_pbkdf1(in, in_len, pbkdf1params[pwd_type].salt, pbkdf1params[pwd_type].salt_len, pbkdf1params[pwd_type].it_count, str) != Success))
return res;
memcpy(out, str, pbkdf1params[pwd_type].out_key_size);
return Success;
@@ -158,13 +159,21 @@ E_ErrCode secu_nmk2nid(u8 *nmk, u8 security_level, u8 *nid)
dbg_assert (security_level <= 2); /* supported security-levels = 0, 1 or 2 */
/* generate NID offset value (52 bits) from NMK */
- ret = secu_hash(PWD_NMK, nmk, nid_offset);
+ ret = secu_hash(PWD_NMK, nmk, 16, nid_offset);
if (ret == Success)
{
+ memcpy(nid,nid_offset,NID_SIZE);
/*
- * TODO : combine the NID offset (52 bits) and Security Level (2 bits) together
- * to form the NID value (54 bits)
+ * combine the NID offset (52 bits) and Security Level (2 bits) together
+ * to form the NID value (54 bits)
+ * - Octets[0:5] of NID = octets[0:5] of the 52 Bit Hashed NID offset
+ * (Leftmost octet = Leftmost Octet of 52 Bit Hashed NID Offset)
+ * - Right nibble of rightmost octet of NID = rightmost nibble of the 52 Bit Hashed NID offset
+ * - Left nibble of rightmost octet of NID = Security Level
*/
+ nid[NID_SIZE-1] >>= 4; /* Set the right nibble of rightmost octet of NID = rightmost nibble of the 52 Bit Hashed NID offset*/
+ nid[NID_SIZE-1] &= 0x0F; /* Mask the left nibble of rightmost octet of NID... */
+ nid[NID_SIZE-1] |= ((security_level << 4) & 0xF0); /* ... and then, insert the Security Level */
}
return ret;
@@ -178,7 +187,7 @@ E_ErrCode secu_npw2nmk(char *npw, u8 *nmk)
dbg_assert (nmk);
/* generate default NMK key from NPW password */
- ret = secu_hash(PWD_NPW, (u8*)npw, nmk);
+ ret = secu_hash(PWD_NPW, (u8*)npw, strlen(npw), nmk);
return ret;
}
diff --git a/cp/secu/src/secu_pbkdf1.c b/cp/secu/src/secu_pbkdf1.c
index 0eb7145758..74fad2d25a 100644
--- a/cp/secu/src/secu_pbkdf1.c
+++ b/cp/secu/src/secu_pbkdf1.c
@@ -45,31 +45,31 @@ secu_check_password_validity (pwd_type_t pwd_type, unsigned char password[])
}
E_ErrCode
-secu_pbkdf1 (u8 password[], u8 salt[], int it_count, u8 output_key[])
+secu_pbkdf1 (u8 input[], int input_len, u8 salt[], int salt_len, int it_count, u8 output_key[])
{
u8 dk[MAX_PWD_SIZE + SALT_SIZE] = "";
u8 sha_output[SHA256_OUTPUT_SIZE];
int dp_size, i;
- dbg_assert (password);
+ dbg_assert (input);
dbg_assert (salt);
dbg_assert (output_key);
/*
- * Copy password to DK and count password size
+ * Copy input to DK (max size cannot be greater than DK buffer)
*/
- for (dp_size = 0; (password[dp_size] != '\0') && (dp_size < MAX_PWD_SIZE); dp_size++)
+ for (dp_size = 0; (dp_size < input_len) && (dp_size < MAX_PWD_SIZE); dp_size++)
{
- dk[dp_size] = password[dp_size];
+ dk[dp_size] = input[dp_size];
}
/*
- * Concat salt with password on DK and count password size
+ * Concat salt with input on DK and count total input size
*/
- for (i=0 ; i < SALT_SIZE ; i++)
+ for (i=0 ; i < salt_len ; i++)
{
dk[dp_size+i] = salt[i];
}
- dp_size += SALT_SIZE;
+ dp_size += salt_len;
/*
* Compute the first derived key with sha256
*/
@@ -83,7 +83,7 @@ secu_pbkdf1 (u8 password[], u8 salt[], int it_count, u8 output_key[])
sha2 (dk, SHA256_OUTPUT_SIZE, sha_output, 0);
}
/*
- * we keep only the OutputKeySize left bytes
+ * we keep only the OutputKeySize leftmost bytes
*/
memcpy(output_key, sha_output, OUTPUT_KEY_SIZE);
return Success;