1 |
|
|
/* $OpenBSD: bcrypt_pbkdf.c,v 1.13 2015/01/12 03:20:04 tedu Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> |
4 |
|
|
* |
5 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
6 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
7 |
|
|
* copyright notice and this permission notice appear in all copies. |
8 |
|
|
* |
9 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 |
|
|
*/ |
17 |
|
|
|
18 |
|
|
#include <sys/types.h> |
19 |
|
|
|
20 |
|
|
#include <stdint.h> |
21 |
|
|
#include <stdlib.h> |
22 |
|
|
#include <blf.h> |
23 |
|
|
#include <sha2.h> |
24 |
|
|
#include <string.h> |
25 |
|
|
#include <util.h> |
26 |
|
|
|
27 |
|
|
#define MINIMUM(a,b) (((a) < (b)) ? (a) : (b)) |
28 |
|
|
|
29 |
|
|
/* |
30 |
|
|
* pkcs #5 pbkdf2 implementation using the "bcrypt" hash |
31 |
|
|
* |
32 |
|
|
* The bcrypt hash function is derived from the bcrypt password hashing |
33 |
|
|
* function with the following modifications: |
34 |
|
|
* 1. The input password and salt are preprocessed with SHA512. |
35 |
|
|
* 2. The output length is expanded to 256 bits. |
36 |
|
|
* 3. Subsequently the magic string to be encrypted is lengthened and modifed |
37 |
|
|
* to "OxychromaticBlowfishSwatDynamite" |
38 |
|
|
* 4. The hash function is defined to perform 64 rounds of initial state |
39 |
|
|
* expansion. (More rounds are performed by iterating the hash.) |
40 |
|
|
* |
41 |
|
|
* Note that this implementation pulls the SHA512 operations into the caller |
42 |
|
|
* as a performance optimization. |
43 |
|
|
* |
44 |
|
|
* One modification from official pbkdf2. Instead of outputting key material |
45 |
|
|
* linearly, we mix it. pbkdf2 has a known weakness where if one uses it to |
46 |
|
|
* generate (e.g.) 512 bits of key material for use as two 256 bit keys, an |
47 |
|
|
* attacker can merely run once through the outer loop, but the user |
48 |
|
|
* always runs it twice. Shuffling output bytes requires computing the |
49 |
|
|
* entirety of the key material to assemble any subkey. This is something a |
50 |
|
|
* wise caller could do; we just do it for you. |
51 |
|
|
*/ |
52 |
|
|
|
53 |
|
|
#define BCRYPT_WORDS 8 |
54 |
|
|
#define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4) |
55 |
|
|
|
56 |
|
|
static void |
57 |
|
|
bcrypt_hash(uint8_t *sha2pass, uint8_t *sha2salt, uint8_t *out) |
58 |
|
|
{ |
59 |
|
1044 |
blf_ctx state; |
60 |
|
522 |
uint8_t ciphertext[BCRYPT_HASHSIZE] = |
61 |
|
|
"OxychromaticBlowfishSwatDynamite"; |
62 |
|
522 |
uint32_t cdata[BCRYPT_WORDS]; |
63 |
|
|
int i; |
64 |
|
522 |
uint16_t j; |
65 |
|
|
size_t shalen = SHA512_DIGEST_LENGTH; |
66 |
|
|
|
67 |
|
|
/* key expansion */ |
68 |
|
522 |
Blowfish_initstate(&state); |
69 |
|
522 |
Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen); |
70 |
✓✓ |
67860 |
for (i = 0; i < 64; i++) { |
71 |
|
33408 |
Blowfish_expand0state(&state, sha2salt, shalen); |
72 |
|
33408 |
Blowfish_expand0state(&state, sha2pass, shalen); |
73 |
|
|
} |
74 |
|
|
|
75 |
|
|
/* encryption */ |
76 |
|
522 |
j = 0; |
77 |
✓✓ |
9396 |
for (i = 0; i < BCRYPT_WORDS; i++) |
78 |
|
4176 |
cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext), |
79 |
|
|
&j); |
80 |
✓✓ |
67860 |
for (i = 0; i < 64; i++) |
81 |
|
33408 |
blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t)); |
82 |
|
|
|
83 |
|
|
/* copy out */ |
84 |
✓✓ |
9396 |
for (i = 0; i < BCRYPT_WORDS; i++) { |
85 |
|
4176 |
out[4 * i + 3] = (cdata[i] >> 24) & 0xff; |
86 |
|
4176 |
out[4 * i + 2] = (cdata[i] >> 16) & 0xff; |
87 |
|
4176 |
out[4 * i + 1] = (cdata[i] >> 8) & 0xff; |
88 |
|
4176 |
out[4 * i + 0] = cdata[i] & 0xff; |
89 |
|
|
} |
90 |
|
|
|
91 |
|
|
/* zap */ |
92 |
|
522 |
explicit_bzero(ciphertext, sizeof(ciphertext)); |
93 |
|
522 |
explicit_bzero(cdata, sizeof(cdata)); |
94 |
|
522 |
explicit_bzero(&state, sizeof(state)); |
95 |
|
522 |
} |
96 |
|
|
|
97 |
|
|
int |
98 |
|
|
bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltlen, |
99 |
|
|
uint8_t *key, size_t keylen, unsigned int rounds) |
100 |
|
|
{ |
101 |
|
72 |
SHA2_CTX ctx; |
102 |
|
36 |
uint8_t sha2pass[SHA512_DIGEST_LENGTH]; |
103 |
|
36 |
uint8_t sha2salt[SHA512_DIGEST_LENGTH]; |
104 |
|
36 |
uint8_t out[BCRYPT_HASHSIZE]; |
105 |
|
36 |
uint8_t tmpout[BCRYPT_HASHSIZE]; |
106 |
|
36 |
uint8_t countsalt[4]; |
107 |
|
|
size_t i, j, amt, stride; |
108 |
|
|
uint32_t count; |
109 |
|
|
size_t origkeylen = keylen; |
110 |
|
|
|
111 |
|
|
/* nothing crazy */ |
112 |
✗✓ |
36 |
if (rounds < 1) |
113 |
|
|
return -1; |
114 |
✗✓ |
72 |
if (passlen == 0 || saltlen == 0 || keylen == 0 || |
115 |
|
36 |
keylen > sizeof(out) * sizeof(out)) |
116 |
|
|
return -1; |
117 |
|
36 |
stride = (keylen + sizeof(out) - 1) / sizeof(out); |
118 |
|
36 |
amt = (keylen + stride - 1) / stride; |
119 |
|
|
|
120 |
|
|
/* collapse password */ |
121 |
|
36 |
SHA512Init(&ctx); |
122 |
|
36 |
SHA512Update(&ctx, pass, passlen); |
123 |
|
36 |
SHA512Final(sha2pass, &ctx); |
124 |
|
|
|
125 |
|
|
|
126 |
|
|
/* generate key, sizeof(out) at a time */ |
127 |
✓✓ |
204 |
for (count = 1; keylen > 0; count++) { |
128 |
|
66 |
countsalt[0] = (count >> 24) & 0xff; |
129 |
|
66 |
countsalt[1] = (count >> 16) & 0xff; |
130 |
|
66 |
countsalt[2] = (count >> 8) & 0xff; |
131 |
|
66 |
countsalt[3] = count & 0xff; |
132 |
|
|
|
133 |
|
|
/* first round, salt is salt */ |
134 |
|
66 |
SHA512Init(&ctx); |
135 |
|
66 |
SHA512Update(&ctx, salt, saltlen); |
136 |
|
66 |
SHA512Update(&ctx, countsalt, sizeof(countsalt)); |
137 |
|
66 |
SHA512Final(sha2salt, &ctx); |
138 |
|
66 |
bcrypt_hash(sha2pass, sha2salt, tmpout); |
139 |
|
66 |
memcpy(out, tmpout, sizeof(out)); |
140 |
|
|
|
141 |
✓✓ |
1044 |
for (i = 1; i < rounds; i++) { |
142 |
|
|
/* subsequent rounds, salt is previous output */ |
143 |
|
456 |
SHA512Init(&ctx); |
144 |
|
456 |
SHA512Update(&ctx, tmpout, sizeof(tmpout)); |
145 |
|
456 |
SHA512Final(sha2salt, &ctx); |
146 |
|
456 |
bcrypt_hash(sha2pass, sha2salt, tmpout); |
147 |
✓✓ |
30096 |
for (j = 0; j < sizeof(out); j++) |
148 |
|
14592 |
out[j] ^= tmpout[j]; |
149 |
|
|
} |
150 |
|
|
|
151 |
|
|
/* |
152 |
|
|
* pbkdf2 deviation: output the key material non-linearly. |
153 |
|
|
*/ |
154 |
|
66 |
amt = MINIMUM(amt, keylen); |
155 |
✓✓ |
3636 |
for (i = 0; i < amt; i++) { |
156 |
|
1755 |
size_t dest = i * stride + (count - 1); |
157 |
✓✓ |
1755 |
if (dest >= origkeylen) |
158 |
|
3 |
break; |
159 |
|
1752 |
key[dest] = out[i]; |
160 |
✓✓ |
1752 |
} |
161 |
|
66 |
keylen -= i; |
162 |
|
|
} |
163 |
|
|
|
164 |
|
|
/* zap */ |
165 |
|
36 |
explicit_bzero(&ctx, sizeof(ctx)); |
166 |
|
36 |
explicit_bzero(out, sizeof(out)); |
167 |
|
|
|
168 |
|
36 |
return 0; |
169 |
|
36 |
} |