lib/pkcs5.c

   1 /* pkcs5.c      Implementation of Password-Based Cryptography as per PKCS#5
   2  * Copyright (C) 2002, 2003  Simon Josefsson
   3  *
   4  * This file is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU Lesser General Public
   6  * License as published by the Free Software Foundation; either
   7  * version 2.1 of the License, or (at your option) any later version.
   8  *
   9  * This file is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12  * Lesser General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU Lesser General Public
  15  * License along with this file; if not, write to the Free Software
  16  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  17  *
  18  */
  19
  20 #include "internal.h"
  21 #ifdef USE_GCRYPT
  22 #include <gcrypt.h>
  23 #else
  24 #include <hmac.h>
  25 #endif
  26
  27 /*
  28  * 5.2 PBKDF2
  29  *
  30  *  PBKDF2 applies a pseudorandom function (see Appendix B.1 for an
  31  *  example) to derive keys. The length of the derived key is essentially
  32  *  unbounded. (However, the maximum effective search space for the
  33  *  derived key may be limited by the structure of the underlying
  34  *  pseudorandom function. See Appendix B.1 for further discussion.)
  35  *  PBKDF2 is recommended for new applications.
  36  *
  37  *  PBKDF2 (P, S, c, dkLen)
  38  *
  39  *  Options:        PRF        underlying pseudorandom function (hLen
  40  *                             denotes the length in octets of the
  41  *                             pseudorandom function output)
  42  *
  43  *  Input:          P          password, an octet string
  44  *                  S          salt, an octet string
  45  *                  c          iteration count, a positive integer
  46  *                  dkLen      intended length in octets of the derived
  47  *                             key, a positive integer, at most
  48  *                             (2^32 - 1) * hLen
  49  *
  50  *  Output:         DK         derived key, a dkLen-octet string
  51  */
  52
  53 #define MAX_PRF_BLOCK_LEN 80
  54
  55 int
  56 shishi_pbkdf2_sha1 (const char *P,
  57                     size_t Plen,
  58                     const char *S,
  59                     size_t Slen,
  60                     unsigned int c,
  61                     unsigned int dkLen,
  62                     char *DK)
  63 {
  64 #ifdef USE_GCRYPT
  65   int PRF = GCRY_MD_SHA1;
  66   gcry_md_hd_t prf;
  67   unsigned int hLen = gcry_md_get_algo_dlen (PRF);
  68 #else
  69   struct hmac_sha1_ctx hmac;
  70   unsigned int hLen = SHA1_DIGEST_SIZE;
  71 #endif
  72   char U[MAX_PRF_BLOCK_LEN];
  73   char T[MAX_PRF_BLOCK_LEN];
  74   unsigned int u;
  75   unsigned int l;
  76   unsigned int r;
  77   int rc;
  78   unsigned char *p;
  79   unsigned int i;
  80   unsigned int k;
  81
  82   if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN)
  83     return SHISHI_PKCS5_INVALID_PRF;
  84
  85   if (c == 0)
  86     return SHISHI_PKCS5_INVALID_ITERATION_COUNT;
  87
  88   if (dkLen == 0)
  89     return SHISHI_PKCS5_INVALID_DERIVED_KEY_LENGTH;
  90
  91   /*
  92    *
  93    *  Steps:
  94    *
  95    *     1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
  96    *        stop.
  97    */
  98
  99   if (dkLen > 4294967295U)
 100     return SHISHI_PKCS5_DERIVED_KEY_TOO_LONG;
 101
 102   /*
 103    *     2. Let l be the number of hLen-octet blocks in the derived key,
 104    *        rounding up, and let r be the number of octets in the last
 105    *        block:
 106    *
 107    *                  l = CEIL (dkLen / hLen) ,
 108    *                  r = dkLen - (l - 1) * hLen .
 109    *
 110    *        Here, CEIL (x) is the "ceiling" function, i.e. the smallest
 111    *        integer greater than, or equal to, x.
 112    */
 113
 114   l = dkLen / hLen;
 115   if (dkLen % hLen)
 116     l++;
 117   r = dkLen - (l - 1) * hLen;
 118
 119   /*
 120    *     3. For each block of the derived key apply the function F defined
 121    *        below to the password P, the salt S, the iteration count c, and
 122    *        the block index to compute the block:
 123    *
 124    *                  T_1 = F (P, S, c, 1) ,
 125    *                  T_2 = F (P, S, c, 2) ,
 126    *                  ...
 127    *                  T_l = F (P, S, c, l) ,
 128    *
 129    *        where the function F is defined as the exclusive-or sum of the
 130    *        first c iterates of the underlying pseudorandom function PRF
 131    *        applied to the password P and the concatenation of the salt S
 132    *        and the block index i:
 133    *
 134    *                  F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
 135    *
 136    *        where
 137    *
 138    *                  U_1 = PRF (P, S || INT (i)) ,
 139    *                  U_2 = PRF (P, U_1) ,
 140    *                  ...
 141    *                  U_c = PRF (P, U_{c-1}) .
 142    *
 143    *        Here, INT (i) is a four-octet encoding of the integer i, most
 144    *        significant octet first.
 145    *
 146    *     4. Concatenate the blocks and extract the first dkLen octets to
 147    *        produce a derived key DK:
 148    *
 149    *                  DK = T_1 || T_2 ||  ...  || T_l<0..r-1>
 150    *
 151    *     5. Output the derived key DK.
 152    *
 153    *  Note. The construction of the function F follows a "belt-and-
 154    *  suspenders" approach. The iterates U_i are computed recursively to
 155    *  remove a degree of parallelism from an opponent; they are exclusive-
 156    *  ored together to reduce concerns about the recursion degenerating
 157    *  into a small set of values.
 158    *
 159    */
 160
 161 #ifdef USE_GCRYPT
 162   gcry_md_open (&prf, PRF, GCRY_MD_FLAG_HMAC);
 163   if (prf == NULL)
 164     return SHISHI_PKCS5_INVALID_PRF;
 165 #endif
 166
 167   for (i = 1; i <= l; i++)
 168     {
 169       memset (T, 0, hLen);
 170
 171       for (u = 1; u <= c; u++)
 172         {
 173           int Ulen;
 174
 175 #ifdef USE_GCRYPT
 176           gcry_md_reset (prf);
 177
 178           rc = gcry_md_setkey (prf, P, Plen);
 179           if (rc != GPG_ERR_NO_ERROR)
 180             return SHISHI_PKCS5_INVALID_PRF;
 181 #else
 182           hmac_sha1_set_key (&hmac, Plen, P);
 183 #endif
 184
 185           if (u == 1)
 186             {
 187               char tmp[4];
 188               memcpy (U, S, Slen);
 189               tmp[0] = (i & 0xff000000) >> 24;
 190               tmp[1] = (i & 0x00ff0000) >> 16;
 191               tmp[2] = (i & 0x0000ff00) >> 8;
 192               tmp[3] = (i & 0x000000ff) >> 0;
 193               memcpy (U + Slen, tmp, 4);
 194               Ulen = Slen + 4;
 195             }
 196           else
 197             Ulen = hLen;
 198
 199 #ifdef USE_GCRYPT
 200           gcry_md_write (prf, U, Ulen);
 201
 202           p = gcry_md_read (prf, PRF);
 203           if (p == NULL)
 204             return SHISHI_PKCS5_INVALID_PRF;
 205
 206           memcpy (U, p, hLen);
 207 #else
 208           hmac_sha1_update (&hmac, Ulen, U);
 209           hmac_sha1_digest (&hmac, hLen, U);
 210 #endif
 211
 212
 213           for (k = 0; k < hLen; k++)
 214             T[k] ^= U[k];
 215         }
 216
 217       memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
 218     }
 219
 220 #ifdef USE_GCRYPT
 221   gcry_md_close (prf);
 222 #endif
 223
 224   return SHISHI_OK;
 225 }