[crypto] Simplify internal HMAC API

Simplify the internal HMAC API so that the key is provided only at the
point of calling hmac_init(), and the (potentially reduced) key is
stored as part of the context for later use by hmac_final().

This simplifies the calling code, and avoids the need for callers such
as TLS to allocate a potentially variable length block in order to
retain a copy of the unmodified key.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

4 files changed, 54 insertions, 93 deletions

diff --git a/src/crypto/hmac.c b/src/crypto/hmac.c
index f898619c8..7109bbf6a 100644
--- a/src/crypto/hmac.c
+++ b/src/crypto/hmac.c
@@ -47,93 +47,61 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/hmac.h>
 
 /**
- * Reduce HMAC key length
- *
- * @v digest		Digest algorithm to use
- * @v digest_ctx	Digest context
- * @v key		Key
- * @v key_len		Length of key
- */
-static void hmac_reduce_key ( struct digest_algorithm *digest,
-			      void *key, size_t *key_len ) {
-	uint8_t digest_ctx[digest->ctxsize];
-
-	digest_init ( digest, digest_ctx );
-	digest_update ( digest, digest_ctx, key, *key_len );
-	digest_final ( digest, digest_ctx, key );
-	*key_len = digest->digestsize;
-}
-
-/**
  * Initialise HMAC
  *
  * @v digest		Digest algorithm to use
- * @v digest_ctx	Digest context
+ * @v ctx		HMAC context
  * @v key		Key
  * @v key_len		Length of key
- *
- * The length of the key should be less than the block size of the
- * digest algorithm being used.  (If the key length is greater, it
- * will be replaced with its own digest, and key_len will be updated
- * accordingly).
  */
-void hmac_init ( struct digest_algorithm *digest, void *digest_ctx,
-		 void *key, size_t *key_len ) {
-	unsigned char k_ipad[digest->blocksize];
+void hmac_init ( struct digest_algorithm *digest, void *ctx, const void *key,
+		 size_t key_len ) {
+	hmac_context_t ( digest ) *hctx = ctx;
 	unsigned int i;
 
-	/* Reduce key if necessary */
-	if ( *key_len > sizeof ( k_ipad ) )
-		hmac_reduce_key ( digest, key, key_len );
-
 	/* Construct input pad */
-	memset ( k_ipad, 0, sizeof ( k_ipad ) );
-	memcpy ( k_ipad, key, *key_len );
-	for ( i = 0 ; i < sizeof ( k_ipad ) ; i++ ) {
-		k_ipad[i] ^= 0x36;
+	memset ( hctx->pad, 0, sizeof ( hctx->pad ) );
+	if ( key_len <= sizeof ( hctx->pad ) ) {
+		memcpy ( hctx->pad, key, key_len );
+	} else {
+		digest_init ( digest, hctx->ctx );
+		digest_update ( digest, hctx->ctx, key, key_len );
+		digest_final ( digest, hctx->ctx, hctx->pad );
+	}
+	for ( i = 0 ; i < sizeof ( hctx->pad ) ; i++ ) {
+		hctx->pad[i] ^= 0x36;
 	}
-	
+
 	/* Start inner hash */
-	digest_init ( digest, digest_ctx );
-	digest_update ( digest, digest_ctx, k_ipad, sizeof ( k_ipad ) );
+	digest_init ( digest, hctx->ctx );
+	digest_update ( digest, hctx->ctx, hctx->pad, sizeof ( hctx->pad ) );
 }
 
 /**
  * Finalise HMAC
  *
  * @v digest		Digest algorithm to use
- * @v digest_ctx	Digest context
- * @v key		Key
- * @v key_len		Length of key
+ * @v ctx		HMAC context
  * @v hmac		HMAC digest to fill in
- *
- * The length of the key should be less than the block size of the
- * digest algorithm being used.  (If the key length is greater, it
- * will be replaced with its own digest, and key_len will be updated
- * accordingly).
  */
-void hmac_final ( struct digest_algorithm *digest, void *digest_ctx,
-		  void *key, size_t *key_len, void *hmac ) {
-	unsigned char k_opad[digest->blocksize];
+void hmac_final ( struct digest_algorithm *digest, void *ctx, void *hmac ) {
+	hmac_context_t ( digest ) *hctx = ctx;
 	unsigned int i;
 
-	/* Reduce key if necessary */
-	if ( *key_len > sizeof ( k_opad ) )
-		hmac_reduce_key ( digest, key, key_len );
-
-	/* Construct output pad */
-	memset ( k_opad, 0, sizeof ( k_opad ) );
-	memcpy ( k_opad, key, *key_len );
-	for ( i = 0 ; i < sizeof ( k_opad ) ; i++ ) {
-		k_opad[i] ^= 0x5c;
+	/* Construct output pad from input pad */
+	for ( i = 0 ; i < sizeof ( hctx->pad ) ; i++ ) {
+		hctx->pad[i] ^= 0x6a;
 	}
-	
+
 	/* Finish inner hash */
-	digest_final ( digest, digest_ctx, hmac );
+	digest_final ( digest, hctx->ctx, hmac );
 
 	/* Perform outer hash */
-	digest_init ( digest, digest_ctx );
-	digest_update ( digest, digest_ctx, k_opad, sizeof ( k_opad ) );
-	digest_update ( digest, digest_ctx, hmac, digest->digestsize );
-	digest_final ( digest, digest_ctx, hmac );
+	digest_init ( digest, hctx->ctx );
+	digest_update ( digest, hctx->ctx, hctx->pad, sizeof ( hctx->pad ) );
+	digest_update ( digest, hctx->ctx, hmac, digest->digestsize );
+	digest_final ( digest, hctx->ctx, hmac );
+
+	/* Erase output pad (from which the key may be derivable) */
+	memset ( hctx->pad, 0, sizeof ( hctx->pad ) );
 }
diff --git a/src/crypto/hmac_drbg.c b/src/crypto/hmac_drbg.c
index 098297716..57bde4d1d 100644
--- a/src/crypto/hmac_drbg.c
+++ b/src/crypto/hmac_drbg.c
@@ -79,7 +79,7 @@ static void hmac_drbg_update_key ( struct digest_algorithm *hash,
 				   struct hmac_drbg_state *state,
 				   const void *data, size_t len,
 				   const uint8_t single ) {
-	uint8_t context[ hash->ctxsize ];
+	uint8_t context[ hmac_ctxsize ( hash ) ];
 	size_t out_len = hash->digestsize;
 
 	DBGC ( state, "HMAC_DRBG_%s %p provided data :\n", hash->name, state );
@@ -92,13 +92,11 @@ static void hmac_drbg_update_key ( struct digest_algorithm *hash,
 	assert ( ( single == 0x00 ) || ( single == 0x01 ) );
 
 	/* K = HMAC ( K, V || single || provided_data ) */
-	hmac_init ( hash, context, state->key, &out_len );
-	assert ( out_len == hash->digestsize );
+	hmac_init ( hash, context, state->key, out_len );
 	hmac_update ( hash, context, state->value, out_len );
 	hmac_update ( hash, context, &single, sizeof ( single ) );
 	hmac_update ( hash, context, data, len );
-	hmac_final ( hash, context, state->key, &out_len, state->key );
-	assert ( out_len == hash->digestsize );
+	hmac_final ( hash, context, state->key );
 
 	DBGC ( state, "HMAC_DRBG_%s %p K = HMAC ( K, V || %#02x || "
 	       "provided_data ) :\n", hash->name, state, single );
@@ -122,7 +120,7 @@ static void hmac_drbg_update_key ( struct digest_algorithm *hash,
  */
 static void hmac_drbg_update_value ( struct digest_algorithm *hash,
 				     struct hmac_drbg_state *state ) {
-	uint8_t context[ hash->ctxsize ];
+	uint8_t context[ hmac_ctxsize ( hash ) ];
 	size_t out_len = hash->digestsize;
 
 	/* Sanity checks */
@@ -130,11 +128,9 @@ static void hmac_drbg_update_value ( struct digest_algorithm *hash,
 	assert ( state != NULL );
 
 	/* V = HMAC ( K, V ) */
-	hmac_init ( hash, context, state->key, &out_len );
-	assert ( out_len == hash->digestsize );
+	hmac_init ( hash, context, state->key, out_len );
 	hmac_update ( hash, context, state->value, out_len );
-	hmac_final ( hash, context, state->key, &out_len, state->value );
-	assert ( out_len == hash->digestsize );
+	hmac_final ( hash, context, state->value );
 
 	DBGC ( state, "HMAC_DRBG_%s %p V = HMAC ( K, V ) :\n",
 	       hash->name, state );
diff --git a/src/crypto/ntlm.c b/src/crypto/ntlm.c
index 870af2132..fb120f8db 100644
--- a/src/crypto/ntlm.c
+++ b/src/crypto/ntlm.c
@@ -117,10 +117,9 @@ void ntlm_key ( const char *domain, const char *username,
 	struct digest_algorithm *md5 = &md5_algorithm;
 	union {
 		uint8_t md4[MD4_CTX_SIZE];
-		uint8_t md5[MD5_CTX_SIZE];
+		uint8_t md5[ MD5_CTX_SIZE + MD5_BLOCK_SIZE ];
 	} ctx;
 	uint8_t digest[MD4_DIGEST_SIZE];
-	size_t digest_len;
 	uint8_t c;
 	uint16_t wc;
 
@@ -141,8 +140,7 @@ void ntlm_key ( const char *domain, const char *username,
 	digest_final ( md4, ctx.md4, digest );
 
 	/* Construct HMAC-MD5 of (Unicode) upper-case username */
-	digest_len = sizeof ( digest );
-	hmac_init ( md5, ctx.md5, digest, &digest_len );
+	hmac_init ( md5, ctx.md5, digest, sizeof ( digest ) );
 	while ( ( c = *(username++) ) ) {
 		wc = cpu_to_le16 ( toupper ( c ) );
 		hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) );
@@ -151,7 +149,7 @@ void ntlm_key ( const char *domain, const char *username,
 		wc = cpu_to_le16 ( c );
 		hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) );
 	}
-	hmac_final ( md5, ctx.md5, digest, &digest_len, key->raw );
+	hmac_final ( md5, ctx.md5, key->raw );
 	DBGC ( key, "NTLM key:\n" );
 	DBGC_HDA ( key, 0, key, sizeof ( *key ) );
 }
@@ -170,8 +168,7 @@ void ntlm_response ( struct ntlm_challenge_info *info, struct ntlm_key *key,
 		     struct ntlm_nt_response *nt ) {
 	struct digest_algorithm *md5 = &md5_algorithm;
 	struct ntlm_nonce tmp_nonce;
-	uint8_t ctx[MD5_CTX_SIZE];
-	size_t key_len = sizeof ( *key );
+	uint8_t ctx[ MD5_CTX_SIZE + MD5_BLOCK_SIZE ];
 	unsigned int i;
 
 	/* Generate random nonce, if needed */
@@ -183,10 +180,10 @@ void ntlm_response ( struct ntlm_challenge_info *info, struct ntlm_key *key,
 
 	/* Construct LAN Manager response */
 	memcpy ( &lm->nonce, nonce, sizeof ( lm->nonce ) );
-	hmac_init ( md5, ctx, key->raw, &key_len );
+	hmac_init ( md5, ctx, key->raw, sizeof ( *key ) );
 	hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) );
 	hmac_update ( md5, ctx, &lm->nonce, sizeof ( lm->nonce ) );
-	hmac_final ( md5, ctx, key->raw, &key_len, lm->digest );
+	hmac_final ( md5, ctx, lm->digest );
 	DBGC ( key, "NTLM LAN Manager response:\n" );
 	DBGC_HDA ( key, 0, lm, sizeof ( *lm ) );
 
@@ -195,14 +192,14 @@ void ntlm_response ( struct ntlm_challenge_info *info, struct ntlm_key *key,
 	nt->version = NTLM_VERSION_NTLMV2;
 	nt->high = NTLM_VERSION_NTLMV2;
 	memcpy ( &nt->nonce, nonce, sizeof ( nt->nonce ) );
-	hmac_init ( md5, ctx, key->raw, &key_len );
+	hmac_init ( md5, ctx, key->raw, sizeof ( *key ) );
 	hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) );
 	hmac_update ( md5, ctx, &nt->version,
 		      ( sizeof ( *nt ) -
 			offsetof ( typeof ( *nt ), version ) ) );
 	hmac_update ( md5, ctx, info->target, info->len );
 	hmac_update ( md5, ctx, &nt->zero, sizeof ( nt->zero ) );
-	hmac_final ( md5, ctx, key->raw, &key_len, nt->digest );
+	hmac_final ( md5, ctx, nt->digest );
 	DBGC ( key, "NTLM NT response prefix:\n" );
 	DBGC_HDA ( key, 0, nt, sizeof ( *nt ) );
 }
diff --git a/src/crypto/sha1extra.c b/src/crypto/sha1extra.c
index cec0d35e5..9e296eb2c 100644
--- a/src/crypto/sha1extra.c
+++ b/src/crypto/sha1extra.c
@@ -49,7 +49,7 @@ void prf_sha1 ( const void *key, size_t key_len, const char *label,
 	u8 in[strlen ( label ) + 1 + data_len + 1]; /* message to HMAC */
 	u8 *in_blknr;		/* pointer to last byte of in, block number */
 	u8 out[SHA1_DIGEST_SIZE]; /* HMAC-SHA1 result */
-	u8 sha1_ctx[SHA1_CTX_SIZE]; /* SHA1 context */
+	u8 ctx[SHA1_CTX_SIZE + SHA1_BLOCK_SIZE]; /* HMAC-SHA1 context */
 	const size_t label_len = strlen ( label );
 
 	/* The HMAC-SHA-1 is calculated using the given key on the
@@ -65,9 +65,9 @@ void prf_sha1 ( const void *key, size_t key_len, const char *label,
 	for ( blk = 0 ;; blk++ ) {
 		*in_blknr = blk;
 
-		hmac_init ( &sha1_algorithm, sha1_ctx, keym, &key_len );
-		hmac_update ( &sha1_algorithm, sha1_ctx, in, sizeof ( in ) );
-		hmac_final ( &sha1_algorithm, sha1_ctx, keym, &key_len, out );
+		hmac_init ( &sha1_algorithm, ctx, keym, key_len );
+		hmac_update ( &sha1_algorithm, ctx, in, sizeof ( in ) );
+		hmac_final ( &sha1_algorithm, ctx, out );
 
 		if ( prf_len <= sizeof ( out ) ) {
 			memcpy ( prf, out, prf_len );
@@ -100,7 +100,7 @@ static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
 	u8 pass[pass_len];	/* modifiable passphrase */
 	u8 in[salt_len + 4];	/* input buffer to first round */
 	u8 last[SHA1_DIGEST_SIZE]; /* output of round N, input of N+1 */
-	u8 sha1_ctx[SHA1_CTX_SIZE];
+	u8 ctx[SHA1_CTX_SIZE + SHA1_BLOCK_SIZE];
 	u8 *next_in = in;	/* changed to `last' after first round */
 	int next_size = sizeof ( in );
 	int i;
@@ -114,9 +114,9 @@ static void pbkdf2_sha1_f ( const void *passphrase, size_t pass_len,
 	memset ( block, 0, sizeof ( last ) );
 
 	for ( i = 0; i < iterations; i++ ) {
-		hmac_init ( &sha1_algorithm, sha1_ctx, pass, &pass_len );
-		hmac_update ( &sha1_algorithm, sha1_ctx, next_in, next_size );
-		hmac_final ( &sha1_algorithm, sha1_ctx, pass, &pass_len, last );
+		hmac_init ( &sha1_algorithm, ctx, pass, pass_len );
+		hmac_update ( &sha1_algorithm, ctx, next_in, next_size );
+		hmac_final ( &sha1_algorithm, ctx, last );
 
 		for ( j = 0; j < sizeof ( last ); j++ ) {
 			block[j] ^= last[j];