1 |
|
|
/* $OpenBSD: pkcs5_pbkdf2.c,v 1.10 2017/04/18 04:06:21 deraadt Exp $ */ |
2 |
|
|
|
3 |
|
|
/*- |
4 |
|
|
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> |
5 |
|
|
* |
6 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
7 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
8 |
|
|
* copyright notice and this permission notice appear in all copies. |
9 |
|
|
* |
10 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 |
|
|
*/ |
18 |
|
|
|
19 |
|
|
#include <sys/types.h> |
20 |
|
|
|
21 |
|
|
#include <string.h> |
22 |
|
|
#include <stdint.h> |
23 |
|
|
#include <stdlib.h> |
24 |
|
|
#include <util.h> |
25 |
|
|
|
26 |
|
|
#include <sha1.h> |
27 |
|
|
|
28 |
|
|
#define MINIMUM(a,b) (((a) < (b)) ? (a) : (b)) |
29 |
|
|
|
30 |
|
|
/* |
31 |
|
|
* HMAC-SHA-1 (from RFC 2202). |
32 |
|
|
*/ |
33 |
|
|
static void |
34 |
|
|
hmac_sha1(const u_int8_t *text, size_t text_len, const u_int8_t *key, |
35 |
|
|
size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH]) |
36 |
|
|
{ |
37 |
|
329220 |
SHA1_CTX ctx; |
38 |
|
164610 |
u_int8_t k_pad[SHA1_BLOCK_LENGTH]; |
39 |
|
164610 |
u_int8_t tk[SHA1_DIGEST_LENGTH]; |
40 |
|
|
int i; |
41 |
|
|
|
42 |
✓✓ |
164610 |
if (key_len > SHA1_BLOCK_LENGTH) { |
43 |
|
54000 |
SHA1Init(&ctx); |
44 |
|
54000 |
SHA1Update(&ctx, key, key_len); |
45 |
|
54000 |
SHA1Final(tk, &ctx); |
46 |
|
|
|
47 |
|
|
key = tk; |
48 |
|
|
key_len = SHA1_DIGEST_LENGTH; |
49 |
|
54000 |
} |
50 |
|
|
|
51 |
|
164610 |
bzero(k_pad, sizeof k_pad); |
52 |
|
164610 |
bcopy(key, k_pad, key_len); |
53 |
✓✓ |
21399300 |
for (i = 0; i < SHA1_BLOCK_LENGTH; i++) |
54 |
|
10535040 |
k_pad[i] ^= 0x36; |
55 |
|
|
|
56 |
|
164610 |
SHA1Init(&ctx); |
57 |
|
164610 |
SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH); |
58 |
|
164610 |
SHA1Update(&ctx, text, text_len); |
59 |
|
164610 |
SHA1Final(digest, &ctx); |
60 |
|
|
|
61 |
|
164610 |
bzero(k_pad, sizeof k_pad); |
62 |
|
164610 |
bcopy(key, k_pad, key_len); |
63 |
✓✓ |
21399300 |
for (i = 0; i < SHA1_BLOCK_LENGTH; i++) |
64 |
|
10535040 |
k_pad[i] ^= 0x5c; |
65 |
|
|
|
66 |
|
164610 |
SHA1Init(&ctx); |
67 |
|
164610 |
SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH); |
68 |
|
164610 |
SHA1Update(&ctx, digest, SHA1_DIGEST_LENGTH); |
69 |
|
164610 |
SHA1Final(digest, &ctx); |
70 |
|
164610 |
} |
71 |
|
|
|
72 |
|
|
/* |
73 |
|
|
* Password-Based Key Derivation Function 2 (PKCS #5 v2.0). |
74 |
|
|
* Code based on IEEE Std 802.11-2007, Annex H.4.2. |
75 |
|
|
*/ |
76 |
|
|
int |
77 |
|
|
pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt, |
78 |
|
|
size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds) |
79 |
|
|
{ |
80 |
|
462 |
uint8_t *asalt, obuf[SHA1_DIGEST_LENGTH]; |
81 |
|
231 |
uint8_t d1[SHA1_DIGEST_LENGTH], d2[SHA1_DIGEST_LENGTH]; |
82 |
|
|
unsigned int i, j; |
83 |
|
|
unsigned int count; |
84 |
|
|
size_t r; |
85 |
|
|
|
86 |
✗✓ |
231 |
if (rounds < 1 || key_len == 0) |
87 |
|
|
return -1; |
88 |
✗✓ |
231 |
if (salt_len == 0 || salt_len > SIZE_MAX - 4) |
89 |
|
|
return -1; |
90 |
✗✓ |
231 |
if ((asalt = malloc(salt_len + 4)) == NULL) |
91 |
|
|
return -1; |
92 |
|
|
|
93 |
|
231 |
memcpy(asalt, salt, salt_len); |
94 |
|
|
|
95 |
✓✓ |
1092 |
for (count = 1; key_len > 0; count++) { |
96 |
|
315 |
asalt[salt_len + 0] = (count >> 24) & 0xff; |
97 |
|
315 |
asalt[salt_len + 1] = (count >> 16) & 0xff; |
98 |
|
315 |
asalt[salt_len + 2] = (count >> 8) & 0xff; |
99 |
|
315 |
asalt[salt_len + 3] = count & 0xff; |
100 |
|
315 |
hmac_sha1(asalt, salt_len + 4, pass, pass_len, d1); |
101 |
|
315 |
memcpy(obuf, d1, sizeof(obuf)); |
102 |
|
|
|
103 |
✓✓ |
329220 |
for (i = 1; i < rounds; i++) { |
104 |
|
164295 |
hmac_sha1(d1, sizeof(d1), pass, pass_len, d2); |
105 |
|
164295 |
memcpy(d1, d2, sizeof(d1)); |
106 |
✓✓ |
6900390 |
for (j = 0; j < sizeof(obuf); j++) |
107 |
|
3285900 |
obuf[j] ^= d1[j]; |
108 |
|
|
} |
109 |
|
|
|
110 |
|
315 |
r = MINIMUM(key_len, SHA1_DIGEST_LENGTH); |
111 |
|
315 |
memcpy(key, obuf, r); |
112 |
|
315 |
key += r; |
113 |
|
315 |
key_len -= r; |
114 |
|
|
}; |
115 |
|
231 |
freezero(asalt, salt_len + 4); |
116 |
|
231 |
explicit_bzero(d1, sizeof(d1)); |
117 |
|
231 |
explicit_bzero(d2, sizeof(d2)); |
118 |
|
231 |
explicit_bzero(obuf, sizeof(obuf)); |
119 |
|
|
|
120 |
|
231 |
return 0; |
121 |
|
231 |
} |