xref: /openbsd/lib/libutil/pkcs5_pbkdf2.c (revision 264ca280) 
1 /*	$OpenBSD: pkcs5_pbkdf2.c,v 1.9 2015/02/05 12:59:57 millert Exp $	*/
2 
3 /*-
4  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <sys/types.h>
20 
21 #include <string.h>
22 #include <stdint.h>
23 #include <stdlib.h>
24 #include <util.h>
25 
26 #include <sha1.h>
27 
28 #define	MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
29 
30 /*
31  * HMAC-SHA-1 (from RFC 2202).
32  */
33 static void
34 hmac_sha1(const u_int8_t *text, size_t text_len, const u_int8_t *key,
35     size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH])
36 {
37 	SHA1_CTX ctx;
38 	u_int8_t k_pad[SHA1_BLOCK_LENGTH];
39 	u_int8_t tk[SHA1_DIGEST_LENGTH];
40 	int i;
41 
42 	if (key_len > SHA1_BLOCK_LENGTH) {
43 		SHA1Init(&ctx);
44 		SHA1Update(&ctx, key, key_len);
45 		SHA1Final(tk, &ctx);
46 
47 		key = tk;
48 		key_len = SHA1_DIGEST_LENGTH;
49 	}
50 
51 	bzero(k_pad, sizeof k_pad);
52 	bcopy(key, k_pad, key_len);
53 	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
54 		k_pad[i] ^= 0x36;
55 
56 	SHA1Init(&ctx);
57 	SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
58 	SHA1Update(&ctx, text, text_len);
59 	SHA1Final(digest, &ctx);
60 
61 	bzero(k_pad, sizeof k_pad);
62 	bcopy(key, k_pad, key_len);
63 	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
64 		k_pad[i] ^= 0x5c;
65 
66 	SHA1Init(&ctx);
67 	SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
68 	SHA1Update(&ctx, digest, SHA1_DIGEST_LENGTH);
69 	SHA1Final(digest, &ctx);
70 }
71 
72 /*
73  * Password-Based Key Derivation Function 2 (PKCS #5 v2.0).
74  * Code based on IEEE Std 802.11-2007, Annex H.4.2.
75  */
76 int
77 pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
78     size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds)
79 {
80 	uint8_t *asalt, obuf[SHA1_DIGEST_LENGTH];
81 	uint8_t d1[SHA1_DIGEST_LENGTH], d2[SHA1_DIGEST_LENGTH];
82 	unsigned int i, j;
83 	unsigned int count;
84 	size_t r;
85 
86 	if (rounds < 1 || key_len == 0)
87 		return -1;
88 	if (salt_len == 0 || salt_len > SIZE_MAX - 4)
89 		return -1;
90 	if ((asalt = malloc(salt_len + 4)) == NULL)
91 		return -1;
92 
93 	memcpy(asalt, salt, salt_len);
94 
95 	for (count = 1; key_len > 0; count++) {
96 		asalt[salt_len + 0] = (count >> 24) & 0xff;
97 		asalt[salt_len + 1] = (count >> 16) & 0xff;
98 		asalt[salt_len + 2] = (count >> 8) & 0xff;
99 		asalt[salt_len + 3] = count & 0xff;
100 		hmac_sha1(asalt, salt_len + 4, pass, pass_len, d1);
101 		memcpy(obuf, d1, sizeof(obuf));
102 
103 		for (i = 1; i < rounds; i++) {
104 			hmac_sha1(d1, sizeof(d1), pass, pass_len, d2);
105 			memcpy(d1, d2, sizeof(d1));
106 			for (j = 0; j < sizeof(obuf); j++)
107 				obuf[j] ^= d1[j];
108 		}
109 
110 		r = MINIMUM(key_len, SHA1_DIGEST_LENGTH);
111 		memcpy(key, obuf, r);
112 		key += r;
113 		key_len -= r;
114 	};
115 	explicit_bzero(asalt, salt_len + 4);
116 	free(asalt);
117 	explicit_bzero(d1, sizeof(d1));
118 	explicit_bzero(d2, sizeof(d2));
119 	explicit_bzero(obuf, sizeof(obuf));
120 
121 	return 0;
122 }
123