diff options
| author | EmilienCourt <emilien.court@telecomnancy.net> | 2023-01-14 17:58:03 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-14 11:58:03 -0500 |
| commit | 9ebea46300bd1bc4e3ba51b1c7915e3ba42c471a (patch) | |
| tree | 013dfc56976b23c31e5501c9cc31f8ca0aa1c2c2 | |
| parent | 2e618850702bc9a55b1a530c89ab928c2d09501c (diff) | |
| download | Sensor-Watch-9ebea46300bd1bc4e3ba51b1c7915e3ba42c471a.tar.gz Sensor-Watch-9ebea46300bd1bc4e3ba51b1c7915e3ba42c471a.tar.bz2 Sensor-Watch-9ebea46300bd1bc4e3ba51b1c7915e3ba42c471a.zip | |
totp : rework and add SHA256/512 (#151)
* totp : rework and add SHA256/512
* totp : comment code
* totp : fix SHA224/SHA384 and examples
* totp : fix bug in totp_face_lfs
* totp : init_totp_record to SHA1
* totp : move TOTP-MCU to TOTP, update README and example
* totp : SHAX, use size_t n instead of harcoded 8
* clarify what to put in TOTP face
Co-authored-by: Emilien <Emilien>
Co-authored-by: joeycastillo <joeycastillo@utexas.edu>
| -rw-r--r-- | movement/lib/TOTP-MCU/sha1.c | 169 | ||||
| -rw-r--r-- | movement/lib/TOTP-MCU/sha1.h | 15 | ||||
| -rw-r--r-- | movement/lib/TOTP/LICENSE (renamed from movement/lib/TOTP-MCU/LICENSE) | 0 | ||||
| -rw-r--r-- | movement/lib/TOTP/README.md (renamed from movement/lib/TOTP-MCU/README.md) | 43 | ||||
| -rw-r--r-- | movement/lib/TOTP/TOTP.c (renamed from movement/lib/TOTP-MCU/TOTP.c) | 40 | ||||
| -rw-r--r-- | movement/lib/TOTP/TOTP.h (renamed from movement/lib/TOTP-MCU/TOTP.h) | 10 | ||||
| -rw-r--r-- | movement/lib/TOTP/example.c (renamed from movement/lib/TOTP-MCU/blink.c) | 22 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha1.c | 398 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha1.h | 98 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha256.c | 372 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha256.h | 112 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha512.c | 422 | ||||
| -rw-r--r-- | movement/lib/TOTP/sha512.h | 119 | ||||
| -rw-r--r-- | movement/make/Makefile | 8 | ||||
| -rw-r--r-- | movement/watch_faces/complication/totp_face.c | 30 | ||||
| -rw-r--r-- | movement/watch_faces/complication/totp_face_lfs.c | 21 |
16 files changed, 1628 insertions, 251 deletions
diff --git a/movement/lib/TOTP-MCU/sha1.c b/movement/lib/TOTP-MCU/sha1.c deleted file mode 100644 index 3dc02190..00000000 --- a/movement/lib/TOTP-MCU/sha1.c +++ /dev/null @@ -1,169 +0,0 @@ -#include <string.h>
-#include "sha1.h"
-
-#define SHA1_K0 0x5a827999
-#define SHA1_K20 0x6ed9eba1
-#define SHA1_K40 0x8f1bbcdc
-#define SHA1_K60 0xca62c1d6
-
-uint8_t sha1InitState[] = {
- 0x01,0x23,0x45,0x67, // H0
- 0x89,0xab,0xcd,0xef, // H1
- 0xfe,0xdc,0xba,0x98, // H2
- 0x76,0x54,0x32,0x10, // H3
- 0xf0,0xe1,0xd2,0xc3 // H4
-};
-
-union _buffer {
- uint8_t b[BLOCK_LENGTH];
- uint32_t w[BLOCK_LENGTH/4];
-} buffer;
-union _state {
- uint8_t b[HASH_LENGTH];
- uint32_t w[HASH_LENGTH/4];
-} state;
-
-uint8_t bufferOffset;
-uint32_t byteCount;
-uint8_t keyBuffer[BLOCK_LENGTH];
-uint8_t innerHash[HASH_LENGTH];
-
-void init(void) {
- memcpy(state.b,sha1InitState,HASH_LENGTH);
- byteCount = 0;
- bufferOffset = 0;
-}
-
-static uint32_t rol32(uint32_t number, uint8_t bits) {
- return ((number << bits) | (uint32_t)(number >> (32-bits)));
-}
-
-static void hashBlock(void) {
- uint8_t i;
- uint32_t a,b,c,d,e,t;
-
- a=state.w[0];
- b=state.w[1];
- c=state.w[2];
- d=state.w[3];
- e=state.w[4];
- for (i=0; i<80; i++) {
- if (i>=16) {
- t = buffer.w[(i+13)&15] ^ buffer.w[(i+8)&15] ^ buffer.w[(i+2)&15] ^ buffer.w[i&15];
- buffer.w[i&15] = rol32(t,1);
- }
- if (i<20) {
- t = (d ^ (b & (c ^ d))) + SHA1_K0;
- } else if (i<40) {
- t = (b ^ c ^ d) + SHA1_K20;
- } else if (i<60) {
- t = ((b & c) | (d & (b | c))) + SHA1_K40;
- } else {
- t = (b ^ c ^ d) + SHA1_K60;
- }
- t+=rol32(a,5) + e + buffer.w[i&15];
- e=d;
- d=c;
- c=rol32(b,30);
- b=a;
- a=t;
- }
- state.w[0] += a;
- state.w[1] += b;
- state.w[2] += c;
- state.w[3] += d;
- state.w[4] += e;
-}
-
-static void addUncounted(uint8_t data) {
- buffer.b[bufferOffset ^ 3] = data;
- bufferOffset++;
- if (bufferOffset == BLOCK_LENGTH) {
- hashBlock();
- bufferOffset = 0;
- }
-}
-
-static void __write(uint8_t data) {
- ++byteCount;
- addUncounted(data);
-
- return;
-}
-
-void writeArray(uint8_t *buffer, uint8_t size){
- while (size--) {
- __write(*buffer++);
- }
-}
-
-static void pad(void) {
- // Implement SHA-1 padding (fips180-2 ��5.1.1)
-
- // Pad with 0x80 followed by 0x00 until the end of the block
- addUncounted(0x80);
- while (bufferOffset != 56) addUncounted(0x00);
-
- // Append length in the last 8 bytes
- addUncounted(0); // We're only using 32 bit lengths
- addUncounted(0); // But SHA-1 supports 64 bit lengths
- addUncounted(0); // So zero pad the top bits
- addUncounted(byteCount >> 29); // Shifting to multiply by 8
- addUncounted(byteCount >> 21); // as SHA-1 supports bitstreams as well as
- addUncounted(byteCount >> 13); // byte.
- addUncounted(byteCount >> 5);
- addUncounted(byteCount << 3);
-}
-
-uint8_t* result(void) {
- // Pad to complete the last block
- pad();
-
- // Swap byte order back
- uint8_t i;
- for (i=0; i<5; i++) {
- uint32_t a,b;
- a=state.w[i];
- b=a<<24;
- b|=(a<<8) & 0x00ff0000;
- b|=(a>>8) & 0x0000ff00;
- b|=a>>24;
- state.w[i]=b;
- }
-
- // Return pointer to hash (20 characters)
- return state.b;
-}
-
-#define HMAC_IPAD 0x36
-#define HMAC_OPAD 0x5c
-
-void initHmac(const uint8_t* key, uint8_t keyLength) {
- uint8_t i;
- memset(keyBuffer,0,BLOCK_LENGTH);
- if (keyLength > BLOCK_LENGTH) {
- // Hash long keys
- init();
- for (;keyLength--;) __write(*key++);
- memcpy(keyBuffer,result(),HASH_LENGTH);
- } else {
- // Block length keys are used as is
- memcpy(keyBuffer,key,keyLength);
- }
- // Start inner hash
- init();
- for (i=0; i<BLOCK_LENGTH; i++) {
- __write(keyBuffer[i] ^ HMAC_IPAD);
- }
-}
-
-uint8_t* resultHmac(void) {
- uint8_t i;
- // Complete inner hash
- memcpy(innerHash,result(),HASH_LENGTH);
- // Calculate outer hash
- init();
- for (i=0; i<BLOCK_LENGTH; i++) __write(keyBuffer[i] ^ HMAC_OPAD);
- for (i=0; i<HASH_LENGTH; i++) __write(innerHash[i]);
- return result();
-}
diff --git a/movement/lib/TOTP-MCU/sha1.h b/movement/lib/TOTP-MCU/sha1.h deleted file mode 100644 index bd689c34..00000000 --- a/movement/lib/TOTP-MCU/sha1.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef SHA1_H_
-#define SHA1_H_
-
-#include <inttypes.h>
-
-#define HASH_LENGTH 20
-#define BLOCK_LENGTH 64
-
-void init(void);
-void initHmac(const uint8_t* secret, uint8_t secretLength);
-uint8_t* result(void);
-uint8_t* resultHmac(void);
-void writeArray(uint8_t *buffer, uint8_t size);
-
-#endif // SHA1_H
diff --git a/movement/lib/TOTP-MCU/LICENSE b/movement/lib/TOTP/LICENSE index 6de4c0f0..6de4c0f0 100644 --- a/movement/lib/TOTP-MCU/LICENSE +++ b/movement/lib/TOTP/LICENSE diff --git a/movement/lib/TOTP-MCU/README.md b/movement/lib/TOTP/README.md index df5ab96e..bb231221 100644 --- a/movement/lib/TOTP-MCU/README.md +++ b/movement/lib/TOTP/README.md @@ -1,35 +1,46 @@ -TOTP Pure C Library for ALL MCU +TOTP Pure C Library ==================== Library to generate Time-based One-Time Passwords. Implements the Time-based One-Time Password algorithm specified in [RFC 6238](https://tools.ietf.org/html/rfc6238). + Supports different time steps and is compatible with tokens that use the same standard (including software ones, like the Google Authenticator app). -Tested on MCUs: MSP430, RP2040 +The code is made of : + +- [TOTP-MCU](https://github.com/Netthaw/TOTP-MCU) for `TimeStruct2Timestamp`, `getCodeFromTimestamp`, `getCodeFromTimeStruct`, part of `getCodeFromSteps` and `TOTP_HMAC_SHA*` functions +- [mbedtls](https://github.com/Mbed-TLS/mbedtls) for SHA1/SHA224/SHA256/SHA384/SHA512 implementations +- [this project](https://github.com/mygityf/cipher/blob/master/cipher/hmac.c) as an inspiration for writing the code to compute the TOTP using the key and the text to hash + + + +Supported algorithms are SHA1/SHA224/SHA256/SHA384/SHA512. + + Installation & usage: -------------------- First include header to your file -``` -#include <totp.h> +```c +#include "TOTP.h" ``` After included, define key ex. Key is ```MyLegoDoor``` - Note: The format of hmacKey is array of hexadecimal bytes. - Most websites provide the key encoded in base32 - RFC3548/RFC4648, either upper or lower case. You can use [this site](https://cryptii.com/pipes/base32-to-hex) to convert the base32 string to hex (make sure you upcase it first if it's lowercase and remove all whitespaces). -``` +```c uint8_t hmacKey[] = {0x4d, 0x79, 0x4c, 0x65, 0x67, 0x6f, 0x44, 0x6f, 0x6f, 0x72}; // Secret key ``` -Instantiate the TOTP class by providing the secret hmacKey, the length of the hmacKey and the Timestep between codes. -``` -TOTP(hmacKey, 10, 30); // Secret key, Secret key length, Timestep (30s) +Instantiate the TOTP class by providing the secret hmacKey, the length of the hmacKey, the Timestep between codes and the algorithm used (most of the time, `SHA1`). +```c +TOTP(hmacKey, 10, 30, SHA1); // Secret key, Secret key length, Timestep (30s), Algorithm ``` Use the ```getCodeFromTimestamp()``` function to get a TOTP from a unix epoch timestamp -``` +```c uint32_t newCode = getCodeFromTimestamp(1557414000); // Current timestamp since Unix epoch in seconds ``` Or ```getCodeFromTimeStruct()``` if you want to get a TOTP from a tm struct (Time Struct in C), -``` +```c struct tm datetime; datetime.tm_hour = 9; datetime.tm_min = 0; @@ -42,16 +53,16 @@ uint32_t newCode = getCodeFromTimeStruct(datetime); If the provided unix timestamp isn't in UTC±0, use ```setTimezone()``` before ```getCodeFromTimestamp()``` or ```getCodeFromTimeStruct()``` to offset the time. -``` +```c setTimezone(9); // Set timezone +9 Japan ``` -You can see an example in blink.c +You can see an example in example.c (compile it with `gcc -o example example.c sha1.c sha256.c sha512.c TOTP.c -I.`) Thanks to: ---------- -* Jose Damico, https://github.com/damico/ARDUINO-OATH-TOKEN -* Peter Knight, https://github.com/Cathedrow/Cryptosuite -* Maniacbug, https://github.com/maniacbug/Cryptosuite -* lucadentella, https://github.com/lucadentella/TOTP-Arduino +* Netthaw, https://github.com/Netthaw/TOTP-MCU +* Mbed-TLS, https://github.com/Mbed-TLS/mbedtls +* mygityf, https://github.com/mygityf/cipher/blob/master/cipher/hmac.c +* susam, https://github.com/susam/mintotp diff --git a/movement/lib/TOTP-MCU/TOTP.c b/movement/lib/TOTP/TOTP.c index 02858611..7f601337 100644 --- a/movement/lib/TOTP-MCU/TOTP.c +++ b/movement/lib/TOTP/TOTP.c @@ -1,16 +1,21 @@ #include "TOTP.h"
#include "sha1.h"
+#include "sha256.h"
+#include "sha512.h"
+#include <stdio.h>
uint8_t* _hmacKey;
uint8_t _keyLength;
uint8_t _timeZoneOffset;
uint32_t _timeStep;
+hmac_alg _algorithm;
-// Init the library with the private key, its length and the timeStep duration
-void TOTP(uint8_t* hmacKey, uint8_t keyLength, uint32_t timeStep) {
+// Init the library with the private key, its length, the timeStep duration and the algorithm that should be used
+void TOTP(uint8_t* hmacKey, uint8_t keyLength, uint32_t timeStep, hmac_alg algorithm) {
_hmacKey = hmacKey;
_keyLength = keyLength;
_timeStep = timeStep;
+ _algorithm = algorithm;
}
void setTimezone(uint8_t timezone){
@@ -47,23 +52,18 @@ uint32_t getCodeFromSteps(uint32_t steps) { _byteArray[6] = (uint8_t)((steps >> 8) & 0XFF);
_byteArray[7] = (uint8_t)((steps & 0XFF));
- // STEP 1, get the HMAC-SHA1 hash from counter and key
- initHmac(_hmacKey, _keyLength);
- writeArray(_byteArray, 8);
- uint8_t* _hash = resultHmac();
-
- // STEP 2, apply dynamic truncation to obtain a 4-bytes string
- uint32_t _truncatedHash = 0;
- uint8_t _offset = _hash[20 - 1] & 0xF;
- uint8_t j;
- for (j = 0; j < 4; ++j) {
- _truncatedHash <<= 8;
- _truncatedHash |= _hash[_offset + j];
+ switch(_algorithm){
+ case SHA1:
+ return(TOTP_HMAC_SHA1(_hmacKey, _keyLength, _byteArray, 8));
+ case SHA224:
+ return(TOTP_HMAC_SHA256(_hmacKey, _keyLength, _byteArray, 8, 1));
+ case SHA256:
+ return(TOTP_HMAC_SHA256(_hmacKey, _keyLength, _byteArray, 8, 0));
+ case SHA384:
+ return(TOTP_HMAC_SHA512(_hmacKey, _keyLength, _byteArray, 8, 1));
+ case SHA512:
+ return(TOTP_HMAC_SHA512(_hmacKey, _keyLength, _byteArray, 8, 0));
+ default:
+ return(0);
}
-
- // STEP 3, compute the OTP value
- _truncatedHash &= 0x7FFFFFFF; //Disabled
- _truncatedHash %= 1000000;
-
- return _truncatedHash;
}
diff --git a/movement/lib/TOTP-MCU/TOTP.h b/movement/lib/TOTP/TOTP.h index cfef38b1..4b5897eb 100644 --- a/movement/lib/TOTP-MCU/TOTP.h +++ b/movement/lib/TOTP/TOTP.h @@ -4,7 +4,15 @@ #include <inttypes.h>
#include "time.h"
-void TOTP(uint8_t* hmacKey, uint8_t keyLength, uint32_t timeStep);
+typedef enum {
+ SHA1,
+ SHA224,
+ SHA256,
+ SHA384,
+ SHA512
+} hmac_alg;
+
+void TOTP(uint8_t* hmacKey, uint8_t keyLength, uint32_t timeStep, hmac_alg algorithm);
void setTimezone(uint8_t timezone);
uint32_t getCodeFromTimestamp(uint32_t timeStamp);
uint32_t getCodeFromTimeStruct(struct tm time);
diff --git a/movement/lib/TOTP-MCU/blink.c b/movement/lib/TOTP/example.c index 9ec14ec6..a218ff8b 100644 --- a/movement/lib/TOTP-MCU/blink.c +++ b/movement/lib/TOTP/example.c @@ -1,17 +1,13 @@ -#include <msp430.h>
-#include <totp.h>
-#include <stdint.h>
+#include "TOTP.h"
+#include <stdio.h>
/**
- * blink.c
+ * example.c
*/
void main(void)
{
- WDTCTL = WDTPW | WDTHOLD; // stop watchdog timer
- P1DIR |= 0x01; // configure P1.0 as output
-
uint8_t hmacKey[] = {0x4d, 0x79, 0x4c, 0x65, 0x67, 0x6f, 0x44, 0x6f, 0x6f, 0x72}; // Secret key
- TOTP(hmacKey, 10, 7200); // Secret key, Key length, Timestep (7200s - 2hours)
+ TOTP(hmacKey, 10, 7200, SHA1); // Secret key, Key length, Timestep (7200s - 2hours)
setTimezone(9); // Set timezone
uint32_t newCode = getCodeFromTimestamp(1557414000); // Timestamp Now
@@ -27,13 +23,5 @@ void main(void) // uint32_t newCode = getCodeFromTimeStruct(datetime);
///////////////////////////////////////////////////
- volatile unsigned int i; // volatile to prevent optimization
-
- while(1)
- {
- if (newCode == 0){ // 0 = INPUT HERE
- P1OUT ^= 0x01; // toggle P1.0
- }
- for(i=10000; i>0; i--); // delay
- }
+ printf("Code : %06u\n",newCode);
}
diff --git a/movement/lib/TOTP/sha1.c b/movement/lib/TOTP/sha1.c new file mode 100644 index 00000000..84fc83d7 --- /dev/null +++ b/movement/lib/TOTP/sha1.c @@ -0,0 +1,398 @@ +/*
+ * FIPS-180-1 compliant SHA-1 implementation
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * The SHA-1 standard was published by NIST in 1993.
+ *
+ * http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#include "sha1.h"
+#include <string.h>
+#include <stdio.h>
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i) \
+{ \
+ (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
+ | ( (uint32_t) (b)[(i) + 1] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 3] ); \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i) \
+{ \
+ (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
+ (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
+ (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
+ (b)[(i) + 3] = (unsigned char) ( (n) ); \
+}
+#endif
+
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
+{
+ memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
+}
+
+/*
+ * SHA-1 context setup
+ */
+void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+ ctx->state[4] = 0xC3D2E1F0;
+}
+
+void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[SHA1_BLOCK_LENGTH] )
+{
+ uint32_t temp, W[16], A, B, C, D, E;
+
+ GET_UINT32_BE( W[ 0], data, 0 );
+ GET_UINT32_BE( W[ 1], data, 4 );
+ GET_UINT32_BE( W[ 2], data, 8 );
+ GET_UINT32_BE( W[ 3], data, 12 );
+ GET_UINT32_BE( W[ 4], data, 16 );
+ GET_UINT32_BE( W[ 5], data, 20 );
+ GET_UINT32_BE( W[ 6], data, 24 );
+ GET_UINT32_BE( W[ 7], data, 28 );
+ GET_UINT32_BE( W[ 8], data, 32 );
+ GET_UINT32_BE( W[ 9], data, 36 );
+ GET_UINT32_BE( W[10], data, 40 );
+ GET_UINT32_BE( W[11], data, 44 );
+ GET_UINT32_BE( W[12], data, 48 );
+ GET_UINT32_BE( W[13], data, 52 );
+ GET_UINT32_BE( W[14], data, 56 );
+ GET_UINT32_BE( W[15], data, 60 );
+
+#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+
+#define R(t) \
+( \
+ temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
+ W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \
+ ( W[t & 0x0F] = S(temp,1) ) \
+)
+
+#define P(a,b,c,d,e,x) \
+{ \
+ e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
+}
+
+ A = ctx->state[0];
+ B = ctx->state[1];
+ C = ctx->state[2];
+ D = ctx->state[3];
+ E = ctx->state[4];
+
+#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define K 0x5A827999
+
+ P( A, B, C, D, E, W[0] );
+ P( E, A, B, C, D, W[1] );
+ P( D, E, A, B, C, W[2] );
+ P( C, D, E, A, B, W[3] );
+ P( B, C, D, E, A, W[4] );
+ P( A, B, C, D, E, W[5] );
+ P( E, A, B, C, D, W[6] );
+ P( D, E, A, B, C, W[7] );
+ P( C, D, E, A, B, W[8] );
+ P( B, C, D, E, A, W[9] );
+ P( A, B, C, D, E, W[10] );
+ P( E, A, B, C, D, W[11] );
+ P( D, E, A, B, C, W[12] );
+ P( C, D, E, A, B, W[13] );
+ P( B, C, D, E, A, W[14] );
+ P( A, B, C, D, E, W[15] );
+ P( E, A, B, C, D, R(16) );
+ P( D, E, A, B, C, R(17) );
+ P( C, D, E, A, B, R(18) );
+ P( B, C, D, E, A, R(19) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+#define K 0x6ED9EBA1
+
+ P( A, B, C, D, E, R(20) );
+ P( E, A, B, C, D, R(21) );
+ P( D, E, A, B, C, R(22) );
+ P( C, D, E, A, B, R(23) );
+ P( B, C, D, E, A, R(24) );
+ P( A, B, C, D, E, R(25) );
+ P( E, A, B, C, D, R(26) );
+ P( D, E, A, B, C, R(27) );
+ P( C, D, E, A, B, R(28) );
+ P( B, C, D, E, A, R(29) );
+ P( A, B, C, D, E, R(30) );
+ P( E, A, B, C, D, R(31) );
+ P( D, E, A, B, C, R(32) );
+ P( C, D, E, A, B, R(33) );
+ P( B, C, D, E, A, R(34) );
+ P( A, B, C, D, E, R(35) );
+ P( E, A, B, C, D, R(36) );
+ P( D, E, A, B, C, R(37) );
+ P( C, D, E, A, B, R(38) );
+ P( B, C, D, E, A, R(39) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x & y) | (z & (x | y)))
+#define K 0x8F1BBCDC
+
+ P( A, B, C, D, E, R(40) );
+ P( E, A, B, C, D, R(41) );
+ P( D, E, A, B, C, R(42) );
+ P( C, D, E, A, B, R(43) );
+ P( B, C, D, E, A, R(44) );
+ P( A, B, C, D, E, R(45) );
+ P( E, A, B, C, D, R(46) );
+ P( D, E, A, B, C, R(47) );
+ P( C, D, E, A, B, R(48) );
+ P( B, C, D, E, A, R(49) );
+ P( A, B, C, D, E, R(50) );
+ P( E, A, B, C, D, R(51) );
+ P( D, E, A, B, C, R(52) );
+ P( C, D, E, A, B, R(53) );
+ P( B, C, D, E, A, R(54) );
+ P( A, B, C, D, E, R(55) );
+ P( E, A, B, C, D, R(56) );
+ P( D, E, A, B, C, R(57) );
+ P( C, D, E, A, B, R(58) );
+ P( B, C, D, E, A, R(59) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+#define K 0xCA62C1D6
+
+ P( A, B, C, D, E, R(60) );
+ P( E, A, B, C, D, R(61) );
+ P( D, E, A, B, C, R(62) );
+ P( C, D, E, A, B, R(63) );
+ P( B, C, D, E, A, R(64) );
+ P( A, B, C, D, E, R(65) );
+ P( E, A, B, C, D, R(66) );
+ P( D, E, A, B, C, R(67) );
+ P( C, D, E, A, B, R(68) );
+ P( B, C, D, E, A, R(69) );
+ P( A, B, C, D, E, R(70) );
+ P( E, A, B, C, D, R(71) );
+ P( D, E, A, B, C, R(72) );
+ P( C, D, E, A, B, R(73) );
+ P( B, C, D, E, A, R(74) );
+ P( A, B, C, D, E, R(75) );
+ P( E, A, B, C, D, R(76) );
+ P( D, E, A, B, C, R(77) );
+ P( C, D, E, A, B, R(78) );
+ P( B, C, D, E, A, R(79) );
+
+#undef K
+#undef F
+
+ ctx->state[0] += A;
+ ctx->state[1] += B;
+ ctx->state[2] += C;
+ ctx->state[3] += D;
+ ctx->state[4] += E;
+}
+
+/*
+ * SHA-1 process buffer
+ */
+void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen )
+{
+ size_t fill;
+ uint32_t left;
+
+ if( ilen == 0 )
+ return;
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if( ctx->total[0] < (uint32_t) ilen )
+ ctx->total[1]++;
+
+ if( left && ilen >= fill )
+ {
+ memcpy( (void *) (ctx->buffer + left), input, fill );
+ mbedtls_sha1_process( ctx, ctx->buffer );
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while( ilen >= 64 )
+ {
+ mbedtls_sha1_process( ctx, input );
+ input += 64;
+ ilen -= 64;
+ }
+
+ if( ilen > 0 )
+ memcpy( (void *) (ctx->buffer + left), input, ilen );
+}
+
+static const unsigned char sha1_padding[SHA1_BLOCK_LENGTH] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * SHA-1 final digest
+ */
+void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[SHA1_DIGEST_LENGTH] )
+{
+ uint32_t last, padn;
+ uint32_t high, low;
+ unsigned char msglen[8];
+
+ high = ( ctx->total[0] >> 29 )
+ | ( ctx->total[1] << 3 );
+ low = ( ctx->total[0] << 3 );
+
+ PUT_UINT32_BE( high, msglen, 0 );
+ PUT_UINT32_BE( low, msglen, 4 );
+
+ last = ctx->total[0] & 0x3F;
+ padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+ mbedtls_sha1_update( ctx, sha1_padding, padn );
+ mbedtls_sha1_update( ctx, msglen, 8 );
+
+ PUT_UINT32_BE( ctx->state[0], output, 0 );
+ PUT_UINT32_BE( ctx->state[1], output, 4 );
+ PUT_UINT32_BE( ctx->state[2], output, 8 );
+ PUT_UINT32_BE( ctx->state[3], output, 12 );
+ PUT_UINT32_BE( ctx->state[4], output, 16 );
+}
+
+/*
+ * output = SHA-1( input buffer )
+ */
+void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[SHA1_DIGEST_LENGTH] )
+{
+ mbedtls_sha1_context ctx;
+
+ mbedtls_sha1_init( &ctx );
+ mbedtls_sha1_starts( &ctx );
+ mbedtls_sha1_update( &ctx, input, ilen );
+ mbedtls_sha1_finish( &ctx, output );
+ mbedtls_sha1_free( &ctx );
+}
+
+/*
+* Compute HMAC_SHA1 using key, key length, text to hash, size of the text, and output buffer
+*/
+void HMAC_SHA1(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t out[SHA1_DIGEST_LENGTH]){
+
+ uint8_t i;
+ uint8_t k_ipad[SHA1_BLOCK_LENGTH]; /* inner padding - key XORd with ipad */
+ uint8_t k_opad[SHA1_BLOCK_LENGTH]; /* outer padding - key XORd with opad */
+ uint8_t buffer[SHA1_BLOCK_LENGTH + SHA1_DIGEST_LENGTH];
+
+ /* start out by storing key in pads */
+ memset(k_ipad, 0, sizeof(k_ipad));
+ memset(k_opad, 0, sizeof(k_opad));
+
+ if (key_length <= SHA1_BLOCK_LENGTH) {
+ memcpy(k_ipad, key, key_length);
+ memcpy(k_opad, key, key_length);
+ }
+
+ else {
+ mbedtls_sha1(key, key_length, k_ipad);
+ memcpy(k_opad, k_ipad, SHA1_BLOCK_LENGTH);
+ }
+
+ /* XOR key with ipad and opad values */
+ for (i = 0; i < SHA1_BLOCK_LENGTH; i++) {
+ k_ipad[i] ^= HMAC_IPAD;
+ k_opad[i] ^= HMAC_OPAD;
+ }
+
+ // perform inner SHA1
+ memcpy(buffer, k_ipad, SHA1_BLOCK_LENGTH);
+ memcpy(buffer + SHA1_BLOCK_LENGTH, in, n);
+ mbedtls_sha1(buffer, SHA1_BLOCK_LENGTH + n, out);
+
+ memset(buffer, 0, SHA1_BLOCK_LENGTH + n);
+
+ // perform outer SHA1
+ memcpy(buffer, k_opad, SHA1_BLOCK_LENGTH);
+ memcpy(buffer + SHA1_BLOCK_LENGTH, out, SHA1_DIGEST_LENGTH);
+ mbedtls_sha1(buffer, SHA1_BLOCK_LENGTH + SHA1_DIGEST_LENGTH, out);
+}
+/*
+* Compute TOTP_HMAC_SHA1 using key, key length, text to hash, size of the text
+*/
+uint32_t TOTP_HMAC_SHA1(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n){
+ // STEP 1, get the HMAC-SHA1 hash from counter and key
+ uint8_t hash[SHA1_DIGEST_LENGTH];
+ HMAC_SHA1(key, key_length, in, n, hash);
+
+ // STEP 2, apply dynamic truncation to obtain a 4-bytes string
+ uint32_t truncated_hash = 0;
+ uint8_t _offset = hash[SHA1_DIGEST_LENGTH - 1] & 0xF;
+ uint8_t j;
+ for (j = 0; j < 4; ++j) {
+ truncated_hash <<= 8;
+ truncated_hash |= hash[_offset + j];
+ }
+
+ // STEP 3, compute the OTP value
+ truncated_hash &= 0x7FFFFFFF; //Disabled
+ truncated_hash %= 1000000;
+
+ return truncated_hash;
+}
diff --git a/movement/lib/TOTP/sha1.h b/movement/lib/TOTP/sha1.h new file mode 100644 index 00000000..2743c5a2 --- /dev/null +++ b/movement/lib/TOTP/sha1.h @@ -0,0 +1,98 @@ +/**
+ * \file sha1.h
+ *
+ * \brief SHA-1 cryptographic hash function
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA1_H
+#define MBEDTLS_SHA1_H
+
+#define SHA1_DIGEST_LENGTH 20
+#define SHA1_BLOCK_LENGTH 64
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * \brief SHA-1 context structure
+ */
+typedef struct
+{
+ uint32_t total[2]; /*!< number of bytes processed */
+ uint32_t state[5]; /*!< intermediate digest state */
+ unsigned char buffer[SHA1_BLOCK_LENGTH]; /*!< data block being processed */
+}
+mbedtls_sha1_context;
+
+/**
+ * \brief Initialize SHA-1 context
+ *
+ * \param ctx SHA-1 context to be initialized
+ */
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief Clear SHA-1 context
+ *
+ * \param ctx SHA-1 context to be cleared
+ */
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief SHA-1 context setup
+ *
+ * \param ctx context to be initialized
+ */
+void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief SHA-1 process buffer
+ *
+ * \param ctx SHA-1 context
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ */
+void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen );
+
+/**
+ * \brief SHA-1 final digest
+ *
+ * \param ctx SHA-1 context
+ * \param output SHA-1 checksum result
+ */
+void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[SHA1_DIGEST_LENGTH] );
+
+/* Internal use */
+void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[SHA1_BLOCK_LENGTH] );
+
+/**
+ * \brief Output = SHA-1( input buffer )
+ *
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ * \param output SHA-1 checksum result
+ */
+void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[SHA1_DIGEST_LENGTH] );
+void HMAC_SHA1(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t out[SHA1_DIGEST_LENGTH]);
+uint32_t TOTP_HMAC_SHA1(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n);
+
+
+#endif /* mbedtls_sha1.h */
diff --git a/movement/lib/TOTP/sha256.c b/movement/lib/TOTP/sha256.c new file mode 100644 index 00000000..cb83f535 --- /dev/null +++ b/movement/lib/TOTP/sha256.c @@ -0,0 +1,372 @@ +/*
+ * FIPS-180-2 compliant SHA-256 implementation
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#include "sha256.h"
+
+#include <string.h>
+#include <stdio.h>
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i) \
+do { \
+ (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
+ | ( (uint32_t) (b)[(i) + 1] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 3] ); \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i) \
+do { \
+ (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
+ (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
+ (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
+ (b)[(i) + 3] = (unsigned char) ( (n) ); \
+} while( 0 )
+#endif
+
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
+{
+ memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+ const mbedtls_sha256_context *src )
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if( is224 == 0 )
+ {
+ /* SHA-256 */
+ ctx->state[0] = 0x6A09E667;
+ ctx->state[1] = 0xBB67AE85;
+ ctx->state[2] = 0x3C6EF372;
+ ctx->state[3] = 0xA54FF53A;
+ ctx->state[4] = 0x510E527F;
+ ctx->state[5] = 0x9B05688C;
+ ctx->state[6] = 0x1F83D9AB;
+ ctx->state[7] = 0x5BE0CD19;
+ }
+ else
+ {
+ /* SHA-224 */
+ ctx->state[0] = 0xC1059ED8;
+ ctx->state[1] = 0x367CD507;
+ ctx->state[2] = 0x3070DD17;
+ ctx->state[3] = 0xF70E5939;
+ ctx->state[4] = 0xFFC00B31;
+ ctx->state[5] = 0x68581511;
+ ctx->state[6] = 0x64F98FA7;
+ ctx->state[7] = 0xBEFA4FA4;
+ }
+
+ ctx->is224 = is224;
+}
+
+static const uint32_t K[] =
+{
+ 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+ 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+ 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+ 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+ 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+ 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+ 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+ 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+ 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+ 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+ 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+ 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+ 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+ 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+ 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+ 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
+#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
+#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
+
+#define F0(x,y,z) ((x & y) | (z & (x | y)))
+#define F1(x,y,z) (z ^ (x & (y ^ z)))
+
+#define R(t) \
+( \
+ W[t] = S1(W[t - 2]) + W[t - 7] + \
+ S0(W[t - 15]) + W[t - 16] \
+)
+
+#define P(a,b,c,d,e,f,g,h,x,K) \
+{ \
+ temp1 = h + S3(e) + F1(e,f,g) + K + x; \
+ temp2 = S2(a) + F0(a,b,c); \
+ d += temp1; h = temp1 + temp2; \
+}
+
+void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[SHA256_BLOCK_LENGTH] )
+{
+ uint32_t temp1, temp2, W[64];
+ uint32_t A[8];
+ unsigned int i;
+
+ for( i = 0; i < 8; i++ )
+ A[i] = ctx->state[i];
+
+ for( i = 0; i < 16; i++ )
+ GET_UINT32_BE( W[i], data, 4 * i );
+
+ for( i = 0; i < 16; i += 8 )
+ {
+ P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
+ P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
+ P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
+ P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
+ P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
+ P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
+ P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
+ P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
+ }
+
+ for( i = 16; i < 64; i += 8 )
+ {
+ P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
+ P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
+ P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
+ P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
+ P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
+ P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
+ P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
+ P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
+ }
+
+ for( i = 0; i < 8; i++ )
+ ctx->state[i] += A[i];
+}
+
+/*
+ * SHA-256 process buffer
+ */
+void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
+ size_t ilen )
+{
+ size_t fill;
+ uint32_t left;
+
+ if( ilen == 0 )
+ return;
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if( ctx->total[0] < (uint32_t) ilen )
+ ctx->total[1]++;
+
+ if( left && ilen >= fill )
+ {
+ memcpy( (void *) (ctx->buffer + left), input, fill );
+ mbedtls_sha256_process( ctx, ctx->buffer );
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while( ilen >= 64 )
+ {
+ mbedtls_sha256_process( ctx, input );
+ input += 64;
+ ilen -= 64;
+ }
+
+ if( ilen > 0 )
+ memcpy( (void *) (ctx->buffer + left), input, ilen );
+}
+
+static const unsigned char sha256_padding[SHA256_BLOCK_LENGTH] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * SHA-256 final digest
+ */
+void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char* output )
+{
+ uint32_t last, padn;
+ uint32_t high, low;
+ unsigned char msglen[8];
+
+ high = ( ctx->total[0] >> 29 )
+ | ( ctx->total[1] << 3 );
+ low = ( ctx->total[0] << 3 );
+
+ PUT_UINT32_BE( high, msglen, 0 );
+ PUT_UINT32_BE( low, msglen, 4 );
+
+ last = ctx->total[0] & 0x3F;
+ padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+ mbedtls_sha256_update( ctx, sha256_padding, padn );
+ mbedtls_sha256_update( ctx, msglen, 8 );
+
+ PUT_UINT32_BE( ctx->state[0], output, 0 );
+ PUT_UINT32_BE( ctx->state[1], output, 4 );
+ PUT_UINT32_BE( ctx->state[2], output, 8 );
+ PUT_UINT32_BE( ctx->state[3], output, 12 );
+ PUT_UINT32_BE( ctx->state[4], output, 16 );
+ PUT_UINT32_BE( ctx->state[5], output, 20 );
+ PUT_UINT32_BE( ctx->state[6], output, 24 );
+
+ if( ctx->is224 == 0 )
+ PUT_UINT32_BE( ctx->state[7], output, 28 );
+}
+
+/*
+ * output = SHA-256( input buffer )
+ */
+void mbedtls_sha256( const unsigned char *input, size_t ilen,
+ unsigned char* output, int is224 )
+{
+ mbedtls_sha256_context ctx;
+
+ mbedtls_sha256_init( &ctx );
+ mbedtls_sha256_starts( &ctx, is224 );
+ mbedtls_sha256_update( &ctx, input, ilen );
+ mbedtls_sha256_finish( &ctx, output );
+ mbedtls_sha256_free( &ctx );
+}
+
+/*
+* Compute HMAC_SHA224/256 using key, key length, text to hash, size of the text, output buffer and a switch for SHA224
+*/
+void HMAC_SHA256(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t* out, int is224){
+ int digest_length = SHA256_DIGEST_LENGTH;
+ if (is224 == 1) {
+ digest_length = SHA224_DIGEST_LENGTH;
+ }
+
+ uint8_t i;
+ uint8_t k_ipad[SHA256_BLOCK_LENGTH]; /* inner padding - key XORd with ipad */
+ uint8_t k_opad[SHA256_BLOCK_LENGTH]; /* outer padding - key XORd with opad */
+ uint8_t buffer[SHA256_BLOCK_LENGTH + digest_length];
+
+ /* start out by storing key in pads */
+ memset(k_ipad, 0, sizeof(k_ipad));
+ memset(k_opad, 0, sizeof(k_opad));
+
+ if (key_length <= SHA256_BLOCK_LENGTH) {
+ memcpy(k_ipad, key, key_length);
+ memcpy(k_opad, key, key_length);
+ }
+
+ else {
+ mbedtls_sha256(key, key_length, k_ipad, is224);
+ memcpy(k_opad, k_ipad, SHA256_BLOCK_LENGTH);
+ }
+
+ /* XOR key with ipad and opad values */
+ for (i = 0; i < SHA256_BLOCK_LENGTH; i++) {
+ k_ipad[i] ^= HMAC_IPAD;
+ k_opad[i] ^= HMAC_OPAD;
+ }
+
+ // perform inner SHA256
+ memcpy(buffer, k_ipad, SHA256_BLOCK_LENGTH);
+ memcpy(buffer + SHA256_BLOCK_LENGTH, in, n);
+ mbedtls_sha256(buffer, SHA256_BLOCK_LENGTH + n, out, is224);
+
+ memset(buffer, 0, SHA256_BLOCK_LENGTH + n);
+
+ // perform outer SHA256
+ memcpy(buffer, k_opad, SHA256_BLOCK_LENGTH);
+ memcpy(buffer + SHA256_BLOCK_LENGTH, out, digest_length);
+ mbedtls_sha256(buffer, SHA256_BLOCK_LENGTH + digest_length, out, is224);
+}
+
+/*
+* Compute TOTP_HMAC_SHA224/256 using key, key length, text to hash, size of the text and a switch for SHA224
+*/
+uint32_t TOTP_HMAC_SHA256(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, int is224){
+ int digest_length = SHA256_DIGEST_LENGTH;
+ if (is224 == 1) {
+ digest_length = SHA224_DIGEST_LENGTH;
+ }
+
+ // STEP 1, get the HMAC-SHA256 hash from counter and key
+ uint8_t hash[digest_length];
+ HMAC_SHA256(key, key_length, in, n, hash, is224);
+
+ // STEP 2, apply dynamic truncation to obtain a 4-bytes string
+ uint32_t truncated_hash = 0;
+ uint8_t _offset = hash[digest_length - 1] & 0xF;
+ uint8_t j;
+ for (j = 0; j < 4; ++j) {
+ truncated_hash <<= 8;
+ truncated_hash |= hash[_offset + j];
+ }
+
+ // STEP 3, compute the OTP value
+ truncated_hash &= 0x7FFFFFFF; //Disabled
+ truncated_hash %= 1000000;
+
+ return truncated_hash;
+}
\ No newline at end of file diff --git a/movement/lib/TOTP/sha256.h b/movement/lib/TOTP/sha256.h new file mode 100644 index 00000000..2f0febcb --- /dev/null +++ b/movement/lib/TOTP/sha256.h @@ -0,0 +1,112 @@ +/**
+ * \file sha256.h
+ *
+ * \brief SHA-224 and SHA-256 cryptographic hash function
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA256_H
+#define MBEDTLS_SHA256_H
+
+#define SHA224_DIGEST_LENGTH 28
+#define SHA256_DIGEST_LENGTH 32
+#define SHA256_BLOCK_LENGTH 64
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * \brief SHA-256 context structure
+ */
+typedef struct
+{
+ uint32_t total[2]; /*!< number of bytes processed */
+ uint32_t state[8]; /*!< intermediate digest state */
+ unsigned char buffer[SHA256_BLOCK_LENGTH]; /*!< data block being processed */
+ int is224; /*!< 0 => SHA-256, else SHA-224 */
+}
+mbedtls_sha256_context;
+
+/**
+ * \brief Initialize SHA-256 context
+ *
+ * \param ctx SHA-256 context to be initialized
+ */
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief Clear SHA-256 context
+ *
+ * \param ctx SHA-256 context to be cleared
+ */
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief Clone (the state of) a SHA-256 context
+ *
+ * \param dst The destination context
+ * \param src The context to be cloned
+ */
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+ const mbedtls_sha256_context *src );
+
+/**
+ * \brief SHA-256 context setup
+ *
+ * \param ctx context to be initialized
+ * \param is224 0 = use SHA256, 1 = use SHA224
+ */
+void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 );
+
+/**
+ * \brief SHA-256 process buffer
+ *
+ * \param ctx SHA-256 context
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ */
+void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
+ size_t ilen );
+
+/**
+ * \brief SHA-256 final digest
+ *
+ * \param ctx SHA-256 context
+ * \param output SHA-224/256 checksum result
+ */
+void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char* output );
+
+/* Internal use */
+void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[SHA256_BLOCK_LENGTH] );
+
+/**
+ * \brief Output = SHA-256( input buffer )
+ *
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ * \param output SHA-224/256 checksum result
+ * \param is224 0 = use SHA256, 1 = use SHA224
+ */
+void mbedtls_sha256( const unsigned char *input, size_t ilen,
+ unsigned char* output, int is224 );
+void HMAC_SHA256(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t* out, int is224);
+uint32_t TOTP_HMAC_SHA256(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, int is224);
+
+#endif /* mbedtls_sha256.h */
diff --git a/movement/lib/TOTP/sha512.c b/movement/lib/TOTP/sha512.c new file mode 100644 index 00000000..d35462b1 --- /dev/null +++ b/movement/lib/TOTP/sha512.c @@ -0,0 +1,422 @@ +/*
+ * FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#include "sha512.h"
+
+#include <string.h>
+#include <stdio.h>
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+ #define UL64(x) x##ui64
+#else
+ #define UL64(x) x##ULL
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 64-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT64_BE
+#define GET_UINT64_BE(n,b,i) \
+{ \
+ (n) = ( (uint64_t) (b)[(i) ] << 56 ) \
+ | ( (uint64_t) (b)[(i) + 1] << 48 ) \
+ | ( (uint64_t) (b)[(i) + 2] << 40 ) \
+ | ( (uint64_t) (b)[(i) + 3] << 32 ) \
+ | ( (uint64_t) (b)[(i) + 4] << 24 ) \
+ | ( (uint64_t) (b)[(i) + 5] << 16 ) \
+ | ( (uint64_t) (b)[(i) + 6] << 8 ) \
+ | ( (uint64_t) (b)[(i) + 7] ); \
+}
+#endif /* GET_UINT64_BE */
+
+#ifndef PUT_UINT64_BE
+#define PUT_UINT64_BE(n,b,i) \
+{ \
+ (b)[(i) ] = (unsigned char) ( (n) >> 56 ); \
+ (b)[(i) + 1] = (unsigned char) ( (n) >> 48 ); \
+ (b)[(i) + 2] = (unsigned char) ( (n) >> 40 ); \
+ (b)[(i) + 3] = (unsigned char) ( (n) >> 32 ); \
+ (b)[(i) + 4] = (unsigned char) ( (n) >> 24 ); \
+ (b)[(i) + 5] = (unsigned char) ( (n) >> 16 ); \
+ (b)[(i) + 6] = (unsigned char) ( (n) >> 8 ); \
+ (b)[(i) + 7] = (unsigned char) ( (n) ); \
+}
+#endif /* PUT_UINT64_BE */
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+ UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
+ UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
+ UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
+ UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
+ UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
+ UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
+ UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
+ UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
+ UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
+ UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
+ UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
+ UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
+ UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
+ UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
+ UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
+ UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
+ UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
+ UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
+ UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
+ UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
+ UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
+ UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
+ UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
+ UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
+ UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
+ UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
+ UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
+ UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
+ UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
+ UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
+ UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
+ UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
+ UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
+ UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
+ UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
+ UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
+ UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
+ UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
+ UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
+ UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
+};
+
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
+{
+ memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+ const mbedtls_sha512_context *src )
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 )
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if( is384 == 0 )
+ {
+ /* SHA-512 */
+ ctx->state[0] = UL64(0x6A09E667F3BCC908);
+ ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+ ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+ ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+ ctx->state[4] = UL64(0x510E527FADE682D1);
+ ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+ ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+ ctx->state[7] = UL64(0x5BE0CD19137E2179);
+ }
+ else
+ {
+ /* SHA-384 */
+ ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+ ctx->state[1] = UL64(0x629A292A367CD507);
+ ctx->state[2] = UL64(0x9159015A3070DD17);
+ ctx->state[3] = UL64(0x152FECD8F70E5939);
+ ctx->state[4] = UL64(0x67332667FFC00B31);
+ ctx->state[5] = UL64(0x8EB44A8768581511);
+ ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+ ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+ }
+
+ ctx->is384 = is384;
+}
+
+void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[SHA512_BLOCK_LENGTH] )
+{
+ int i;
+ uint64_t temp1, temp2, W[80];
+ uint64_t A, B, C, D, E, F, G, H;
+
+#define SHR(x,n) (x >> n)
+#define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
+#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
+
+#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
+#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
+
+#define F0(x,y,z) ((x & y) | (z & (x | y)))
+#define F1(x,y,z) (z ^ (x & (y ^ z)))
+
+#define P(a,b,c,d,e,f,g,h,x,K) \
+{ \
+ temp1 = h + S3(e) + F1(e,f,g) + K + x; \
+ temp2 = S2(a) + F0(a,b,c); \
+ d += temp1; h = temp1 + temp2; \
+}
+
+ for( i = 0; i < 16; i++ )
+ {
+ GET_UINT64_BE( W[i], data, i << 3 );
+ }
+
+ for( ; i < 80; i++ )
+ {
+ W[i] = S1(W[i - 2]) + W[i - 7] +
+ S0(W[i - 15]) + W[i - 16];
+ }
+
+ A = ctx->state[0];
+ B = ctx->state[1];
+ C = ctx->state[2];
+ D = ctx->state[3];
+ E = ctx->state[4];
+ F = ctx->state[5];
+ G = ctx->state[6];
+ H = ctx->state[7];
+ i = 0;
+
+ do
+ {
+ P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
+ P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
+ P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
+ P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
+ P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
+ P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
+ P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
+ P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
+ }
+ while( i < 80 );
+
+ ctx->state[0] += A;
+ ctx->state[1] += B;
+ ctx->state[2] += C;
+ ctx->state[3] += D;
+ ctx->state[4] += E;
+ ctx->state[5] += F;
+ ctx->state[6] += G;
+ ctx->state[7] += H;
+}
+
+/*
+ * SHA-512 process buffer
+ */
+void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *input,
+ size_t ilen )
+{
+ size_t fill;
+ unsigned int left;
+
+ if( ilen == 0 )
+ return;
+
+ left = (unsigned int) (ctx->total[0] & 0x7F);
+ fill = 128 - left;
+
+ ctx->total[0] += (uint64_t) ilen;
+
+ if( ctx->total[0] < (uint64_t) ilen )
+ ctx->total[1]++;
+
+ if( left && ilen >= fill )
+ {
+ memcpy( (void *) (ctx->buffer + left), input, fill );
+ mbedtls_sha512_process( ctx, ctx->buffer );
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while( ilen >= 128 )
+ {
+ mbedtls_sha512_process( ctx, input );
+ input += 128;
+ ilen -= 128;
+ }
+
+ if( ilen > 0 )
+ memcpy( (void *) (ctx->buffer + left), input, ilen );
+}
+
+static const unsigned char sha512_padding[SHA512_BLOCK_LENGTH] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * SHA-512 final digest
+ */
+void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char* output )
+{
+ size_t last, padn;
+ uint64_t high, low;
+ unsigned char msglen[16];
+
+ high = ( ctx->total[0] >> 61 )
+ | ( ctx->total[1] << 3 );
+ low = ( ctx->total[0] << 3 );
+
+ PUT_UINT64_BE( high, msglen, 0 );
+ PUT_UINT64_BE( low, msglen, 8 );
+
+ last = (size_t)( ctx->total[0] & 0x7F );
+ padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
+
+ mbedtls_sha512_update( ctx, sha512_padding, padn );
+ mbedtls_sha512_update( ctx, msglen, 16 );
+
+ PUT_UINT64_BE( ctx->state[0], output, 0 );
+ PUT_UINT64_BE( ctx->state[1], output, 8 );
+ PUT_UINT64_BE( ctx->state[2], output, 16 );
+ PUT_UINT64_BE( ctx->state[3], output, 24 );
+ PUT_UINT64_BE( ctx->state[4], output, 32 );
+ PUT_UINT64_BE( ctx->state[5], output, 40 );
+
+ if( ctx->is384 == 0 )
+ {
+ PUT_UINT64_BE( ctx->state[6], output, 48 );
+ PUT_UINT64_BE( ctx->state[7], output, 56 );
+ }
+}
+
+/*
+ * output = SHA-512( input buffer )
+ */
+void mbedtls_sha512( const unsigned char *input, size_t ilen,
+ unsigned char* output, int is384 )
+{
+ mbedtls_sha512_context ctx;
+
+ mbedtls_sha512_init( &ctx );
+ mbedtls_sha512_starts( &ctx, is384 );
+ mbedtls_sha512_update( &ctx, input, ilen );
+ mbedtls_sha512_finish( &ctx, output );
+ mbedtls_sha512_free( &ctx );
+}
+
+/*
+* Compute HMAC_SHA384/512 using key, key length, text to hash, size of the text, output buffer and a switch for SHA384
+*/
+void HMAC_SHA512(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t* out, int is384){
+ int digest_length = SHA512_DIGEST_LENGTH;
+ if (is384 == 1) {
+ digest_length = SHA384_DIGEST_LENGTH;
+ }
+
+ uint8_t i;
+ uint8_t k_ipad[SHA512_BLOCK_LENGTH]; /* inner padding - key XORd with ipad */
+ uint8_t k_opad[SHA512_BLOCK_LENGTH]; /* outer padding - key XORd with opad */
+ uint8_t buffer[SHA512_BLOCK_LENGTH + digest_length];
+
+ /* start out by storing key in pads */
+ memset(k_ipad, 0, sizeof(k_ipad));
+ memset(k_opad, 0, sizeof(k_opad));
+
+ if (key_length <= SHA512_BLOCK_LENGTH) {
+ memcpy(k_ipad, key, key_length);
+ memcpy(k_opad, key, key_length);
+ }
+
+ else {
+ mbedtls_sha512(key, key_length, k_ipad, is384);
+ memcpy(k_opad, k_ipad, SHA512_BLOCK_LENGTH);
+ }
+
+ /* XOR key with ipad and opad values */
+ for (i = 0; i < SHA512_BLOCK_LENGTH; i++) {
+ k_ipad[i] ^= HMAC_IPAD;
+ k_opad[i] ^= HMAC_OPAD;
+ }
+
+ // perform inner SHA512
+ memcpy(buffer, k_ipad, SHA512_BLOCK_LENGTH);
+ memcpy(buffer + SHA512_BLOCK_LENGTH, in, n);
+ mbedtls_sha512(buffer, SHA512_BLOCK_LENGTH + n, out, is384);
+
+ memset(buffer, 0, SHA512_BLOCK_LENGTH + n);
+
+ // perform outer SHA512
+ memcpy(buffer, k_opad, SHA512_BLOCK_LENGTH);
+ memcpy(buffer + SHA512_BLOCK_LENGTH, out, digest_length);
+ mbedtls_sha512(buffer, SHA512_BLOCK_LENGTH + digest_length, out, is384);
+}
+
+/*
+* Compute TOTP_HMAC_SHA384/512 using key, key length, text to hash, size of the text and a switch for SHA384
+*/
+uint32_t TOTP_HMAC_SHA512(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, int is384){
+ int digest_length = SHA512_DIGEST_LENGTH;
+ if (is384 == 1) {
+ digest_length = SHA384_DIGEST_LENGTH;
+ }
+
+ // STEP 1, get the HMAC-SHA512 hash from counter and key
+ uint8_t hash[digest_length];
+ HMAC_SHA512(key, key_length, in, n, hash, is384);
+
+ // STEP 2, apply dynamic truncation to obtain a 4-bytes string
+ uint32_t truncated_hash = 0;
+ uint8_t _offset = hash[digest_length - 1] & 0xF;
+ uint8_t j;
+ for (j = 0; j < 4; ++j) {
+ truncated_hash <<= 8;
+ truncated_hash |= hash[_offset + j];
+ }
+
+ // STEP 3, compute the OTP value
+ truncated_hash &= 0x7FFFFFFF; //Disabled
+ truncated_hash %= 1000000;
+
+ return truncated_hash;
+}
\ No newline at end of file diff --git a/movement/lib/TOTP/sha512.h b/movement/lib/TOTP/sha512.h new file mode 100644 index 00000000..991ebfaf --- /dev/null +++ b/movement/lib/TOTP/sha512.h @@ -0,0 +1,119 @@ +/**
+ * \file sha512.h
+ *
+ * \brief SHA-384 and SHA-512 cryptographic hash function
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA512_H
+#define MBEDTLS_SHA512_H
+
+#define SHA384_DIGEST_LENGTH 48
+#define SHA512_DIGEST_LENGTH 64
+#define SHA512_BLOCK_LENGTH 128
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * \brief SHA-512 context structure
+ */
+typedef struct
+{
+ uint64_t total[2]; /*!< number of bytes processed */
+ uint64_t state[8]; /*!< intermediate digest state */
+ unsigned char buffer[SHA512_BLOCK_LENGTH]; /*!< data block being processed */
+ int is384; /*!< 0 => SHA-512, else SHA-384 */
+}
+mbedtls_sha512_context;
+
+/**
+ * \brief Initialize SHA-512 context
+ *
+ * \param ctx SHA-512 context to be initialized
+ */
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief Clear SHA-512 context
+ *
+ * \param ctx SHA-512 context to be cleared
+ */
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief Clone (the state of) a SHA-512 context
+ *
+ * \param dst The destination context
+ * \param src The context to be cloned
+ */
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+ const mbedtls_sha512_context *src );
+
+/**
+ * \brief SHA-512 context setup
+ *
+ * \param ctx context to be initialized
+ * \param is384 0 = use SHA512, 1 = use SHA384
+ */
+void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 );
+
+/**
+ * \brief SHA-512 process buffer
+ *
+ * \param ctx SHA-512 context
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ */
+void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *input,
+ size_t ilen );
+
+/**
+ * \brief SHA-512 final digest
+ *
+ * \param ctx SHA-512 context
+ * \param output SHA-384/512 checksum result
+ */
+void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char* output );
+
+/**
+ * \brief Output = SHA-512( input buffer )
+ *
+ * \param input buffer holding the data
+ * \param ilen length of the input data
+ * \param output SHA-384/512 checksum result
+ * \param is384 0 = use SHA512, 1 = use SHA384
+ */
+void mbedtls_sha512( const unsigned char *input, size_t ilen,
+ unsigned char* output, int is384 );
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_sha512_self_test( int verbose );
+
+/* Internal use */
+void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[SHA512_BLOCK_LENGTH] );
+void HMAC_SHA512(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, uint8_t* out, int is384);
+uint32_t TOTP_HMAC_SHA512(const uint8_t* key, size_t key_length, const uint8_t *in, size_t n, int is384);
+
+#endif /* mbedtls_sha512.h */
diff --git a/movement/make/Makefile b/movement/make/Makefile index a8b7f4b8..374c04be 100644 --- a/movement/make/Makefile +++ b/movement/make/Makefile @@ -17,7 +17,7 @@ INCLUDES += \ -I../watch_faces/sensor/ \ -I../watch_faces/demo/ \ -I../../littlefs/ \ - -I../lib/TOTP-MCU/ \ + -I../lib/TOTP/ \ -I../lib/base32/ \ -I../lib/sunriset/ \ -I../lib/vsop87/ \ @@ -30,8 +30,10 @@ INCLUDES += \ # ../drivers/lis2dh.c \ # ../watch_faces/fitness/step_count_face.c SRCS += \ - ../lib/TOTP-MCU/sha1.c \ - ../lib/TOTP-MCU/TOTP.c \ + ../lib/TOTP/sha1.c \ + ../lib/TOTP/sha256.c \ + ../lib/TOTP/sha512.c \ + ../lib/TOTP/TOTP.c \ ../lib/base32/base32.c \ ../lib/sunriset/sunriset.c \ ../lib/vsop87/vsop87a_milli.c \ diff --git a/movement/watch_faces/complication/totp_face.c b/movement/watch_faces/complication/totp_face.c index b026803a..b6d3b6a7 100644 --- a/movement/watch_faces/complication/totp_face.c +++ b/movement/watch_faces/complication/totp_face.c @@ -6,25 +6,39 @@ #include "TOTP.h" // Use https://cryptii.com/pipes/base32-to-hex to convert base32 to hex -// Use https://totp.danhersam.com/ to generate test codes for verification +// Use https://github.com/susam/mintotp to generate test codes for verification +// Available algorothms: +// SHA1 (most TOTP codes use this) +// SHA224 +// SHA256 +// SHA384 +// SHA512 +//////////////////////////////////////////////////////////////////////////////// +// Enter your TOTP key data below static const uint8_t num_keys = 2; static uint8_t keys[] = { 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x21, 0xde, 0xad, 0xbe, 0xef, // 1 - JBSWY3DPEHPK3PXP - 0x5c, 0x0d, 0x27, 0x6b, 0x6d, 0x9a, 0x01, 0x22, 0x20, 0x4f // 2 - E9M348K0ADIDFBC2 + 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x21, 0xde, 0xad, 0xbe, 0xef, // 2 - JBSWY3DPEHPK3PXP }; static const uint8_t key_sizes[] = { 10, - 10 + 10, }; static const uint32_t timesteps[] = { 30, - 30 + 30, }; static const char labels[][2] = { - { 'a', 'b' }, - { 'c', 'd' } + { '2', 'F' }, + { 'A', 'C' }, +}; +static const hmac_alg algorithms[] = { + SHA1, + SHA1, }; +// END OF KEY DATA. +//////////////////////////////////////////////////////////////////////////////// void totp_face_setup(movement_settings_t *settings, uint8_t watch_face_index, void ** context_ptr) { (void) settings; @@ -36,7 +50,7 @@ void totp_face_activate(movement_settings_t *settings, void *context) { (void) settings; memset(context, 0, sizeof(totp_state_t)); totp_state_t *totp_state = (totp_state_t *)context; - TOTP(keys, key_sizes[0], timesteps[0]); + TOTP(keys, key_sizes[0], timesteps[0], algorithms[0]); totp_state->timestamp = watch_utility_date_time_to_unix_time(watch_rtc_get_date_time(), movement_timezone_offsets[settings->bit.time_zone] * 60); totp_state->current_code = getCodeFromTimestamp(totp_state->timestamp); } @@ -83,7 +97,7 @@ bool totp_face_loop(movement_event_t event, movement_settings_t *settings, void totp_state->current_key_offset = 0; totp_state->current_index = 0; } - TOTP(keys + totp_state->current_key_offset, key_sizes[totp_state->current_index], timesteps[totp_state->current_index]); + TOTP(keys + totp_state->current_key_offset, key_sizes[totp_state->current_index], timesteps[totp_state->current_index], algorithms[totp_state->current_index]); break; case EVENT_ALARM_BUTTON_DOWN: case EVENT_ALARM_LONG_PRESS: diff --git a/movement/watch_faces/complication/totp_face_lfs.c b/movement/watch_faces/complication/totp_face_lfs.c index 0b542653..e16bbe06 100644 --- a/movement/watch_faces/complication/totp_face_lfs.c +++ b/movement/watch_faces/complication/totp_face_lfs.c @@ -40,6 +40,7 @@ struct totp_record { size_t secret_size; char label[2]; uint32_t period; + hmac_alg algorithm; }; static struct totp_record totp_records[MAX_TOTP_RECORDS]; @@ -50,6 +51,7 @@ static void init_totp_record(struct totp_record *totp_record) { totp_record->label[0] = 'A'; totp_record->label[1] = 'A'; totp_record->period = 30; + totp_record->algorithm = SHA1; } static bool totp_face_lfs_read_param(struct totp_record *totp_record, char *param, char *value) { @@ -84,7 +86,22 @@ static bool totp_face_lfs_read_param(struct totp_record *totp_record, char *para return false; } } else if (!strcmp(param, "algorithm")) { - if (!strcmp(param, "SHA1")) { + if (!strcmp(value, "SHA1")) { + totp_record->algorithm = SHA1; + } + else if (!strcmp(value, "SHA224")) { + totp_record->algorithm = SHA224; + } + else if (!strcmp(value, "SHA256")) { + totp_record->algorithm = SHA256; + } + else if (!strcmp(value, "SHA384")) { + totp_record->algorithm = SHA384; + } + else if (!strcmp(value, "SHA512")) { + totp_record->algorithm = SHA512; + } + else { printf("TOTP ignored due to algorithm %s\n", value); return false; } @@ -169,7 +186,7 @@ static void totp_face_set_record(totp_lfs_state_t *totp_state, int i) { } totp_state->current_index = i; - TOTP(totp_records[i].secret, totp_records[i].secret_size, totp_records[i].period); + TOTP(totp_records[i].secret, totp_records[i].secret_size, totp_records[i].period, totp_records[i].algorithm); totp_state->current_code = getCodeFromTimestamp(totp_state->timestamp); totp_state->steps = totp_state->timestamp / totp_records[i].period; } |