Coverage Report

Created: 2024-11-21 07:03

/src/libgcrypt/cipher/kdf.c
Line
Count
Source (jump to first uncovered line)
1
/* kdf.c  - Key Derivation Functions
2
 * Copyright (C) 1998, 2008, 2011 Free Software Foundation, Inc.
3
 * Copyright (C) 2013 g10 Code GmbH
4
 *
5
 * This file is part of Libgcrypt.
6
 *
7
 * Libgcrypt is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU Lesser General Public License as
9
 * published by the Free Software Foundation; either version 2.1 of
10
 * the License, or (at your option) any later version.
11
 *
12
 * Libgcrypt is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU Lesser General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU Lesser General Public
18
 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
19
 */
20
21
#include <config.h>
22
#include <stdio.h>
23
#include <stdlib.h>
24
#include <string.h>
25
#include <errno.h>
26
27
#include "g10lib.h"
28
#include "cipher.h"
29
#include "kdf-internal.h"
30
31
32
/* Transform a passphrase into a suitable key of length KEYSIZE and
33
   store this key in the caller provided buffer KEYBUFFER.  The caller
34
   must provide an HASHALGO, a valid ALGO and depending on that algo a
35
   SALT of 8 bytes and the number of ITERATIONS.  Code taken from
36
   gnupg/agent/protect.c:hash_passphrase.  */
37
static gpg_err_code_t
38
openpgp_s2k (const void *passphrase, size_t passphraselen,
39
             int algo, int hashalgo,
40
             const void *salt, size_t saltlen,
41
             unsigned long iterations,
42
             size_t keysize, void *keybuffer)
43
0
{
44
0
  gpg_err_code_t ec;
45
0
  gcry_md_hd_t md;
46
0
  char *key = keybuffer;
47
0
  int pass, i;
48
0
  int used = 0;
49
0
  int secmode;
50
51
0
  if ((algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
52
0
      && (!salt || saltlen != 8))
53
0
    return GPG_ERR_INV_VALUE;
54
55
0
  secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer);
56
57
0
  ec = _gcry_md_open (&md, hashalgo, secmode? GCRY_MD_FLAG_SECURE : 0);
58
0
  if (ec)
59
0
    return ec;
60
61
0
  for (pass=0; used < keysize; pass++)
62
0
    {
63
0
      if (pass)
64
0
        {
65
0
          _gcry_md_reset (md);
66
0
          for (i=0; i < pass; i++) /* Preset the hash context.  */
67
0
            _gcry_md_putc (md, 0);
68
0
        }
69
70
0
      if (algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
71
0
        {
72
0
          int len2 = passphraselen + 8;
73
0
          unsigned long count = len2;
74
75
0
          if (algo == GCRY_KDF_ITERSALTED_S2K)
76
0
            {
77
0
              count = iterations;
78
0
              if (count < len2)
79
0
                count = len2;
80
0
            }
81
82
0
          while (count > len2)
83
0
            {
84
0
              _gcry_md_write (md, salt, saltlen);
85
0
              _gcry_md_write (md, passphrase, passphraselen);
86
0
              count -= len2;
87
0
            }
88
0
          if (count < saltlen)
89
0
            _gcry_md_write (md, salt, count);
90
0
          else
91
0
            {
92
0
              _gcry_md_write (md, salt, saltlen);
93
0
              count -= saltlen;
94
0
              _gcry_md_write (md, passphrase, count);
95
0
            }
96
0
        }
97
0
      else
98
0
        _gcry_md_write (md, passphrase, passphraselen);
99
100
0
      _gcry_md_final (md);
101
0
      i = _gcry_md_get_algo_dlen (hashalgo);
102
0
      if (i > keysize - used)
103
0
        i = keysize - used;
104
0
      memcpy (key+used, _gcry_md_read (md, hashalgo), i);
105
0
      used += i;
106
0
    }
107
0
  _gcry_md_close (md);
108
0
  return 0;
109
0
}
110
111
112
/* Transform a passphrase into a suitable key of length KEYSIZE and
113
   store this key in the caller provided buffer KEYBUFFER.  The caller
114
   must provide PRFALGO which indicates the pseudorandom function to
115
   use: This shall be the algorithms id of a hash algorithm; it is
116
   used in HMAC mode.  SALT is a salt of length SALTLEN and ITERATIONS
117
   gives the number of iterations.  */
118
gpg_err_code_t
119
_gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
120
                 int hashalgo,
121
                 const void *salt, size_t saltlen,
122
                 unsigned long iterations,
123
                 size_t keysize, void *keybuffer)
124
1.30k
{
125
1.30k
  gpg_err_code_t ec;
126
1.30k
  gcry_md_hd_t md;
127
1.30k
  int secmode;
128
1.30k
  unsigned long dklen = keysize;
129
1.30k
  char *dk = keybuffer;
130
1.30k
  unsigned int hlen;   /* Output length of the digest function.  */
131
1.30k
  unsigned int l;      /* Rounded up number of blocks.  */
132
1.30k
  unsigned int r;      /* Number of octets in the last block.  */
133
1.30k
  char *sbuf;          /* Malloced buffer to concatenate salt and iter
134
                          as well as space to hold TBUF and UBUF.  */
135
1.30k
  char *tbuf;          /* Buffer for T; ptr into SBUF, size is HLEN. */
136
1.30k
  char *ubuf;          /* Buffer for U; ptr into SBUF, size is HLEN. */
137
1.30k
  unsigned int lidx;   /* Current block number.  */
138
1.30k
  unsigned long iter;  /* Current iteration number.  */
139
1.30k
  unsigned int i;
140
141
  /* We allow for a saltlen of 0 here to support scrypt.  It is not
142
     clear whether rfc2898 allows for this this, thus we do a test on
143
     saltlen > 0 only in gcry_kdf_derive.  */
144
1.30k
  if (!salt || !iterations || !dklen)
145
160
    return GPG_ERR_INV_VALUE;
146
147
1.14k
  hlen = _gcry_md_get_algo_dlen (hashalgo);
148
1.14k
  if (!hlen)
149
0
    return GPG_ERR_DIGEST_ALGO;
150
151
1.14k
  secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer);
152
153
  /* Step 1 */
154
  /* If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
155
   * stop.  We use a stronger inequality but only if our type can hold
156
   * a larger value.  */
157
158
1.14k
#if SIZEOF_UNSIGNED_LONG > 4
159
1.14k
  if (dklen > 0xffffffffU)
160
0
    return GPG_ERR_INV_VALUE;
161
1.14k
#endif
162
163
  /* Step 2 */
164
1.14k
  l = ((dklen - 1)/ hlen) + 1;
165
1.14k
  r = dklen - (l - 1) * hlen;
166
167
  /* Setup buffers and prepare a hash context.  */
168
1.14k
  sbuf = (secmode
169
1.14k
          ? xtrymalloc_secure (saltlen + 4 + hlen + hlen)
170
1.14k
          : xtrymalloc (saltlen + 4 + hlen + hlen));
171
1.14k
  if (!sbuf)
172
0
    return gpg_err_code_from_syserror ();
173
1.14k
  tbuf = sbuf + saltlen + 4;
174
1.14k
  ubuf = tbuf + hlen;
175
176
1.14k
  ec = _gcry_md_open (&md, hashalgo, (GCRY_MD_FLAG_HMAC
177
1.14k
                                      | (secmode?GCRY_MD_FLAG_SECURE:0)));
178
1.14k
  if (ec)
179
0
    {
180
0
      xfree (sbuf);
181
0
      return ec;
182
0
    }
183
184
1.14k
  ec = _gcry_md_setkey (md, passphrase, passphraselen);
185
1.14k
  if (ec)
186
0
    {
187
0
      _gcry_md_close (md);
188
0
      xfree (sbuf);
189
0
      return ec;
190
0
    }
191
192
  /* Step 3 and 4. */
193
1.14k
  memcpy (sbuf, salt, saltlen);
194
34.7k
  for (lidx = 1; lidx <= l; lidx++)
195
33.6k
    {
196
94.6k
      for (iter = 0; iter < iterations; iter++)
197
60.9k
        {
198
60.9k
          _gcry_md_reset (md);
199
60.9k
          if (!iter) /* Compute U_1:  */
200
33.6k
            {
201
33.6k
              sbuf[saltlen]     = (lidx >> 24);
202
33.6k
              sbuf[saltlen + 1] = (lidx >> 16);
203
33.6k
              sbuf[saltlen + 2] = (lidx >> 8);
204
33.6k
              sbuf[saltlen + 3] = lidx;
205
33.6k
              _gcry_md_write (md, sbuf, saltlen + 4);
206
33.6k
              memcpy (ubuf, _gcry_md_read (md, 0), hlen);
207
33.6k
              memcpy (tbuf, ubuf, hlen);
208
33.6k
            }
209
27.3k
          else /* Compute U_(2..c):  */
210
27.3k
            {
211
27.3k
              _gcry_md_write (md, ubuf, hlen);
212
27.3k
              memcpy (ubuf, _gcry_md_read (md, 0), hlen);
213
648k
              for (i=0; i < hlen; i++)
214
620k
                tbuf[i] ^= ubuf[i];
215
27.3k
            }
216
60.9k
        }
217
33.6k
      if (lidx == l)  /* Last block.  */
218
1.14k
        memcpy (dk, tbuf, r);
219
32.4k
      else
220
32.4k
        {
221
32.4k
          memcpy (dk, tbuf, hlen);
222
32.4k
          dk += hlen;
223
32.4k
        }
224
33.6k
    }
225
226
1.14k
  _gcry_md_close (md);
227
1.14k
  xfree (sbuf);
228
1.14k
  return 0;
229
1.14k
}
230
231
232
/* Derive a key from a passphrase.  KEYSIZE gives the requested size
233
   of the keys in octets.  KEYBUFFER is a caller provided buffer
234
   filled on success with the derived key.  The input passphrase is
235
   taken from (PASSPHRASE,PASSPHRASELEN) which is an arbitrary memory
236
   buffer.  ALGO specifies the KDF algorithm to use; these are the
237
   constants GCRY_KDF_*.  SUBALGO specifies an algorithm used
238
   internally by the KDF algorithms; this is usually a hash algorithm
239
   but certain KDF algorithm may use it differently.  {SALT,SALTLEN}
240
   is a salt as needed by most KDF algorithms.  ITERATIONS is a
241
   positive integer parameter to most KDFs.  0 is returned on success,
242
   or an error code on failure.  */
243
gpg_err_code_t
244
_gcry_kdf_derive (const void *passphrase, size_t passphraselen,
245
                  int algo, int subalgo,
246
                  const void *salt, size_t saltlen,
247
                  unsigned long iterations,
248
                  size_t keysize, void *keybuffer)
249
1.29k
{
250
1.29k
  gpg_err_code_t ec;
251
252
1.29k
  if (!passphrase)
253
0
    {
254
0
      ec = GPG_ERR_INV_DATA;
255
0
      goto leave;
256
0
    }
257
258
1.29k
  if (!keybuffer || !keysize)
259
76
    {
260
76
      ec = GPG_ERR_INV_VALUE;
261
76
      goto leave;
262
76
    }
263
264
265
1.21k
  switch (algo)
266
1.21k
    {
267
0
    case GCRY_KDF_SIMPLE_S2K:
268
0
    case GCRY_KDF_SALTED_S2K:
269
0
    case GCRY_KDF_ITERSALTED_S2K:
270
0
      if (!passphraselen)
271
0
        ec = GPG_ERR_INV_DATA;
272
0
      else
273
0
        ec = openpgp_s2k (passphrase, passphraselen, algo, subalgo,
274
0
                          salt, saltlen, iterations, keysize, keybuffer);
275
0
      break;
276
277
0
    case GCRY_KDF_PBKDF1:
278
0
      ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
279
0
      break;
280
281
1.03k
    case GCRY_KDF_PBKDF2:
282
1.03k
      if (!saltlen)
283
34
        ec = GPG_ERR_INV_VALUE;
284
1.00k
      else
285
1.00k
        {
286
          /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */
287
1.00k
          if (fips_mode () && passphraselen < 8)
288
0
            return GPG_ERR_INV_VALUE;
289
290
          /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */
291
1.00k
          if (fips_mode () && saltlen < 16)
292
0
            return GPG_ERR_INV_VALUE;
293
294
          /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */
295
1.00k
          if (fips_mode () && iterations < 1000)
296
0
            return GPG_ERR_INV_VALUE;
297
298
          /* Check minimum key size */
299
1.00k
          if (fips_mode () && keysize < 14)
300
0
            return GPG_ERR_INV_VALUE;
301
302
1.00k
          ec = _gcry_kdf_pkdf2 (passphrase, passphraselen, subalgo,
303
1.00k
                                salt, saltlen, iterations, keysize, keybuffer);
304
1.00k
        }
305
1.03k
      break;
306
307
1.03k
    case 41:
308
179
    case GCRY_KDF_SCRYPT:
309
179
#if USE_SCRYPT
310
179
      ec = _gcry_kdf_scrypt (passphrase, passphraselen, algo, subalgo,
311
179
                             salt, saltlen, iterations, keysize, keybuffer);
312
#else
313
      ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
314
#endif /*USE_SCRYPT*/
315
179
      break;
316
317
0
    default:
318
0
      ec = GPG_ERR_UNKNOWN_ALGORITHM;
319
0
      break;
320
1.21k
    }
321
322
1.29k
 leave:
323
1.29k
  return ec;
324
1.21k
}
325

326
#include "bufhelp.h"
327
328
typedef struct argon2_context *argon2_ctx_t;
329
330
/* Per thread data for Argon2.  */
331
struct argon2_thread_data {
332
  argon2_ctx_t a;
333
  unsigned int pass;
334
  unsigned int slice;
335
  unsigned int lane;
336
};
337
338
/* Argon2 context */
339
struct argon2_context {
340
  int algo;
341
  int hash_type;
342
343
  unsigned int outlen;
344
345
  const unsigned char *password;
346
  size_t passwordlen;
347
348
  const unsigned char *salt;
349
  size_t saltlen;
350
351
  const unsigned char *key;
352
  size_t keylen;
353
354
  const unsigned char *ad;
355
  size_t adlen;
356
357
  unsigned int m_cost;
358
359
  unsigned int passes;
360
  unsigned int memory_blocks;
361
  unsigned int segment_length;
362
  unsigned int lane_length;
363
  unsigned int lanes;
364
365
  u64 *block;
366
  struct argon2_thread_data *thread_data;
367
368
  unsigned char out[1];  /* In future, we may use flexible array member.  */
369
};
370
371
497
#define ARGON2_VERSION 0x13
372
373
3.72G
#define ARGON2_WORDS_IN_BLOCK (1024/8)
374
375
static void
376
xor_block (u64 *dst, const u64 *src)
377
28.5M
{
378
28.5M
  int i;
379
380
3.68G
  for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++)
381
3.65G
    dst[i] ^= src[i];
382
28.5M
}
383
384
static void
385
beswap64_block (u64 *dst)
386
84.5k
{
387
#ifdef WORDS_BIGENDIAN
388
  int i;
389
390
  /* Swap a block in big-endian 64-bit word into one in
391
     little-endian.  */
392
  for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++)
393
    dst[i] = _gcry_bswap64 (dst[i]);
394
#else
395
  /* Nothing to do.  */
396
84.5k
  (void)dst;
397
84.5k
#endif
398
84.5k
}
399
400
401
static gpg_err_code_t
402
argon2_fill_first_blocks (argon2_ctx_t a)
403
497
{
404
497
  unsigned char h0_01_i[72];
405
497
  unsigned char buf[10][4];
406
497
  gcry_buffer_t iov[8];
407
497
  unsigned int iov_count = 0;
408
497
  int i;
409
410
  /* Generate H0.  */
411
497
  buf_put_le32 (buf[0], a->lanes);
412
497
  buf_put_le32 (buf[1], a->outlen);
413
497
  buf_put_le32 (buf[2], a->m_cost);
414
497
  buf_put_le32 (buf[3], a->passes);
415
497
  buf_put_le32 (buf[4], ARGON2_VERSION);
416
497
  buf_put_le32 (buf[5], a->hash_type);
417
497
  buf_put_le32 (buf[6], a->passwordlen);
418
497
  iov[iov_count].data = buf[0];
419
497
  iov[iov_count].len = 4 * 7;
420
497
  iov[iov_count].off = 0;
421
497
  iov_count++;
422
497
  if (a->passwordlen)
423
492
    {
424
492
      iov[iov_count].data = (void *)a->password;
425
492
      iov[iov_count].len = a->passwordlen;
426
492
      iov[iov_count].off = 0;
427
492
      iov_count++;
428
492
    }
429
430
497
  buf_put_le32 (buf[7], a->saltlen);
431
497
  iov[iov_count].data = buf[7];
432
497
  iov[iov_count].len = 4;
433
497
  iov[iov_count].off = 0;
434
497
  iov_count++;
435
497
  iov[iov_count].data = (void *)a->salt;
436
497
  iov[iov_count].len = a->saltlen;
437
497
  iov[iov_count].off = 0;
438
497
  iov_count++;
439
440
497
  buf_put_le32 (buf[8], a->keylen);
441
497
  iov[iov_count].data = buf[8];
442
497
  iov[iov_count].len = 4;
443
497
  iov[iov_count].off = 0;
444
497
  iov_count++;
445
497
  if (a->key)
446
0
    {
447
0
      iov[iov_count].data = (void *)a->key;
448
0
      iov[iov_count].len = a->keylen;
449
0
      iov[iov_count].off = 0;
450
0
      iov_count++;
451
0
    }
452
453
497
  buf_put_le32 (buf[9], a->adlen);
454
497
  iov[iov_count].data = buf[9];
455
497
  iov[iov_count].len = 4;
456
497
  iov[iov_count].off = 0;
457
497
  iov_count++;
458
497
  if (a->ad)
459
0
    {
460
0
      iov[iov_count].data = (void *)a->ad;
461
0
      iov[iov_count].len = a->adlen;
462
0
      iov[iov_count].off = 0;
463
0
      iov_count++;
464
0
    }
465
466
497
  _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
467
468
42.5k
  for (i = 0; i < a->lanes; i++)
469
42.0k
    {
470
42.0k
      memset (h0_01_i+64, 0, 4);
471
42.0k
      buf_put_le32 (h0_01_i+64+4, i);
472
42.0k
      blake2b_vl_hash (h0_01_i, 72, 1024,
473
42.0k
                       &a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]);
474
42.0k
      beswap64_block (&a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]);
475
476
42.0k
      buf_put_le32 (h0_01_i+64, 1);
477
42.0k
      blake2b_vl_hash (h0_01_i, 72, 1024,
478
42.0k
                       &a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]);
479
42.0k
      beswap64_block (&a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]);
480
42.0k
    }
481
497
  return 0;
482
497
}
483
484
static gpg_err_code_t
485
argon2_init (argon2_ctx_t a, unsigned int parallelism,
486
             unsigned int m_cost, unsigned int t_cost)
487
497
{
488
497
  gpg_err_code_t ec = 0;
489
497
  unsigned int memory_blocks;
490
497
  unsigned int segment_length;
491
497
  void *block;
492
497
  struct argon2_thread_data *thread_data;
493
494
497
  memory_blocks = m_cost;
495
497
  if (memory_blocks < 8 * parallelism)
496
18
    memory_blocks = 8 * parallelism;
497
498
497
  segment_length = memory_blocks / (parallelism * 4);
499
497
  memory_blocks = segment_length * parallelism * 4;
500
501
497
  a->passes = t_cost;
502
497
  a->memory_blocks = memory_blocks;
503
497
  a->segment_length = segment_length;
504
497
  a->lane_length = segment_length * 4;
505
497
  a->lanes = parallelism;
506
507
497
  a->block = NULL;
508
497
  a->thread_data = NULL;
509
510
497
  block = xtrymalloc (1024 * memory_blocks);
511
497
  if (!block)
512
0
    {
513
0
      ec = gpg_err_code_from_errno (errno);
514
0
      return ec;
515
0
    }
516
497
  memset (block, 0, 1024 * memory_blocks);
517
518
497
  thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
519
497
  if (!thread_data)
520
0
    {
521
0
      ec = gpg_err_code_from_errno (errno);
522
0
      xfree (block);
523
0
      return ec;
524
0
    }
525
526
497
  memset (thread_data, 0, a->lanes * sizeof (struct argon2_thread_data));
527
528
497
  a->block = block;
529
497
  a->thread_data = thread_data;
530
497
  return 0;
531
497
}
532
533
534
static u64 fBlaMka (u64 x, u64 y)
535
6.20G
{
536
6.20G
  const u64 m = U64_C(0xFFFFFFFF);
537
6.20G
  return x + y + 2 * (x & m) * (y & m);
538
6.20G
}
539
540
static u64 rotr64 (u64 w, unsigned int c)
541
6.20G
{
542
6.20G
  return (w >> c) | (w << (64 - c));
543
6.20G
}
544
545
#define G(a, b, c, d)                                                          \
546
1.55G
    do {                                                                       \
547
1.55G
        a = fBlaMka(a, b);                                                     \
548
1.55G
        d = rotr64(d ^ a, 32);                                                 \
549
1.55G
        c = fBlaMka(c, d);                                                     \
550
1.55G
        b = rotr64(b ^ c, 24);                                                 \
551
1.55G
        a = fBlaMka(a, b);                                                     \
552
1.55G
        d = rotr64(d ^ a, 16);                                                 \
553
1.55G
        c = fBlaMka(c, d);                                                     \
554
1.55G
        b = rotr64(b ^ c, 63);                                                 \
555
1.55G
    } while ((void)0, 0)
556
557
#define BLAKE2_ROUND_NOMSG(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,   \
558
                           v12, v13, v14, v15)                                 \
559
194M
    do {                                                                       \
560
194M
        G(v0, v4, v8, v12);                                                    \
561
194M
        G(v1, v5, v9, v13);                                                    \
562
194M
        G(v2, v6, v10, v14);                                                   \
563
194M
        G(v3, v7, v11, v15);                                                   \
564
194M
        G(v0, v5, v10, v15);                                                   \
565
194M
        G(v1, v6, v11, v12);                                                   \
566
194M
        G(v2, v7, v8, v13);                                                    \
567
194M
        G(v3, v4, v9, v14);                                                    \
568
194M
    } while ((void)0, 0)
569
570
static void
571
fill_block (const u64 *prev_block, const u64 *ref_block, u64 *curr_block,
572
            int with_xor)
573
12.1M
{
574
12.1M
  u64 block_r[ARGON2_WORDS_IN_BLOCK];
575
12.1M
  u64 block_tmp[ARGON2_WORDS_IN_BLOCK];
576
12.1M
  int i;
577
578
12.1M
  memcpy (block_r, ref_block, 1024);
579
12.1M
  if (prev_block)
580
11.9M
    xor_block (block_r, prev_block);
581
12.1M
  memcpy (block_tmp, block_r, 1024);
582
583
12.1M
  if (with_xor)
584
4.45M
    xor_block (block_tmp, curr_block);
585
586
109M
  for (i = 0; i < 8; ++i)
587
97.0M
    BLAKE2_ROUND_NOMSG
588
12.1M
      (block_r[16 * i],      block_r[16 * i + 1],  block_r[16 * i + 2],
589
12.1M
       block_r[16 * i + 3],  block_r[16 * i + 4],  block_r[16 * i + 5],
590
12.1M
       block_r[16 * i + 6],  block_r[16 * i + 7],  block_r[16 * i + 8],
591
12.1M
       block_r[16 * i + 9],  block_r[16 * i + 10], block_r[16 * i + 11],
592
12.1M
       block_r[16 * i + 12], block_r[16 * i + 13], block_r[16 * i + 14],
593
12.1M
       block_r[16 * i + 15]);
594
595
109M
  for (i = 0; i < 8; i++)
596
97.0M
    BLAKE2_ROUND_NOMSG
597
12.1M
      (block_r[2 * i],      block_r[2 * i + 1],  block_r[2 * i + 16],
598
12.1M
       block_r[2 * i + 17], block_r[2 * i + 32], block_r[2 * i + 33],
599
12.1M
       block_r[2 * i + 48], block_r[2 * i + 49], block_r[2 * i + 64],
600
12.1M
       block_r[2 * i + 65], block_r[2 * i + 80], block_r[2 * i + 81],
601
12.1M
       block_r[2 * i + 96], block_r[2 * i + 97], block_r[2 * i + 112],
602
12.1M
       block_r[2 * i + 113]);
603
604
12.1M
  memcpy (curr_block, block_tmp, 1024);
605
12.1M
  xor_block (curr_block, block_r);
606
12.1M
}
607
608
static void
609
pseudo_random_generate (u64 *random_block, u64 *input_block)
610
107k
{
611
107k
  input_block[6]++;
612
107k
  fill_block (NULL, input_block, random_block, 0);
613
107k
  fill_block (NULL, random_block, random_block, 0);
614
107k
}
615
616
static u32
617
index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
618
             int segment_index, u32 random, int same_lane)
619
11.9M
{
620
11.9M
  u32 reference_area_size;
621
11.9M
  u64 relative_position;
622
11.9M
  u32 start_position;
623
624
11.9M
  if (t->pass == 0)
625
7.46M
    {
626
7.46M
      if (t->slice == 0)
627
1.80M
        reference_area_size = segment_index - 1;
628
5.65M
      else
629
5.65M
        {
630
5.65M
          if (same_lane)
631
434k
            reference_area_size = t->slice * a->segment_length
632
434k
              + segment_index - 1;
633
5.21M
          else
634
5.21M
            reference_area_size = t->slice * a->segment_length +
635
5.21M
              ((segment_index == 0) ? -1 : 0);
636
5.65M
        }
637
7.46M
    }
638
4.45M
  else
639
4.45M
    {
640
4.45M
      if (same_lane)
641
276k
        reference_area_size = a->lane_length
642
276k
          - a->segment_length + segment_index - 1;
643
4.17M
      else
644
4.17M
        reference_area_size = a->lane_length
645
4.17M
          - a->segment_length + ((segment_index == 0) ? -1 : 0);
646
4.45M
    }
647
648
11.9M
  relative_position = (random * (u64)random) >> 32;
649
11.9M
  relative_position = reference_area_size - 1 -
650
11.9M
    ((reference_area_size * relative_position) >> 32);
651
652
11.9M
  if (t->pass == 0)
653
7.46M
    start_position = 0;
654
4.45M
  else
655
4.45M
    start_position = (t->slice == 4 - 1)
656
4.45M
      ? 0
657
4.45M
      : (t->slice + 1) * a->segment_length;
658
659
11.9M
  return (start_position + relative_position) % a->lane_length;
660
11.9M
}
661
662
static void
663
argon2_compute_segment (void *priv)
664
251k
{
665
251k
  const struct argon2_thread_data *t = (const struct argon2_thread_data *)priv;
666
251k
  argon2_ctx_t a = t->a;
667
251k
  int i;
668
251k
  int prev_offset, curr_offset;
669
251k
  u32 ref_index, ref_lane;
670
251k
  u64 input_block[1024/sizeof (u64)];
671
251k
  u64 address_block[1024/sizeof (u64)];
672
251k
  u64 *random_block = NULL;
673
674
251k
  if (a->hash_type == GCRY_KDF_ARGON2I
675
251k
      || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
676
97.4k
    {
677
97.4k
      memset (input_block, 0, 1024);
678
97.4k
      input_block[0] = t->pass;
679
97.4k
      input_block[1] = t->lane;
680
97.4k
      input_block[2] = t->slice;
681
97.4k
      input_block[3] = a->memory_blocks;
682
97.4k
      input_block[4] = a->passes;
683
97.4k
      input_block[5] = a->hash_type;
684
97.4k
      random_block = address_block;
685
97.4k
    }
686
687
251k
  if (t->pass == 0 && t->slice == 0)
688
39.0k
    {
689
39.0k
      if (random_block)
690
23.2k
        pseudo_random_generate (random_block, input_block);
691
39.0k
      i = 2;
692
39.0k
    }
693
212k
  else
694
212k
    i = 0;
695
696
251k
  curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i;
697
251k
  if ((curr_offset % a->lane_length))
698
227k
    prev_offset = curr_offset - 1;
699
23.8k
  else
700
23.8k
    prev_offset = curr_offset + a->lane_length - 1;
701
702
12.1M
  for (; i < a->segment_length; i++, curr_offset++, prev_offset++)
703
11.9M
    {
704
11.9M
      u64 *ref_block, *curr_block;
705
11.9M
      u64 rand64;
706
707
11.9M
      if ((curr_offset % a->lane_length) == 1)
708
23.8k
        prev_offset = curr_offset - 1;
709
710
11.9M
      if (random_block)
711
4.61M
        {
712
4.61M
          if ((i % (1024/sizeof (u64))) == 0)
713
84.0k
            pseudo_random_generate (random_block, input_block);
714
715
4.61M
          rand64 = random_block[(i% (1024/sizeof (u64)))];
716
4.61M
        }
717
7.29M
      else
718
7.29M
        rand64 = a->block[prev_offset*ARGON2_WORDS_IN_BLOCK];
719
720
11.9M
      if (t->pass == 0 && t->slice == 0)
721
1.80M
        ref_lane = t->lane;
722
10.1M
      else
723
10.1M
        ref_lane = (rand64 >> 32) % a->lanes;
724
725
11.9M
      ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff),
726
11.9M
                               ref_lane == t->lane);
727
11.9M
      ref_block =
728
11.9M
        &a->block[(a->lane_length * ref_lane + ref_index)* ARGON2_WORDS_IN_BLOCK];
729
730
11.9M
      curr_block = &a->block[curr_offset * ARGON2_WORDS_IN_BLOCK];
731
11.9M
      fill_block (&a->block[prev_offset * ARGON2_WORDS_IN_BLOCK], ref_block,
732
11.9M
                  curr_block, t->pass != 0);
733
11.9M
    }
734
251k
}
735
736
737
static gpg_err_code_t
738
argon2_compute (argon2_ctx_t a, const struct gcry_kdf_thread_ops *ops)
739
497
{
740
497
  gpg_err_code_t ec;
741
497
  unsigned int r;
742
497
  unsigned int s;
743
497
  unsigned int l;
744
497
  int ret;
745
746
497
  ec = argon2_fill_first_blocks (a);
747
497
  if (ec)
748
0
    return ec;
749
750
1.23k
  for (r = 0; r < a->passes; r++)
751
3.69k
    for (s = 0; s < 4; s++)
752
2.95k
      {
753
254k
        for (l = 0; l < a->lanes; l++)
754
251k
          {
755
251k
            struct argon2_thread_data *thread_data;
756
757
            /* launch a thread.  */
758
251k
            thread_data = &a->thread_data[l];
759
251k
            thread_data->a = a;
760
251k
            thread_data->pass = r;
761
251k
            thread_data->slice = s;
762
251k
            thread_data->lane = l;
763
764
251k
            if (ops)
765
0
        {
766
0
    ret = ops->dispatch_job (ops->jobs_context,
767
0
           argon2_compute_segment, thread_data);
768
0
    if (ret < 0)
769
0
      return GPG_ERR_CANCELED;
770
0
        }
771
251k
            else
772
251k
              argon2_compute_segment (thread_data);
773
251k
          }
774
775
2.95k
        if (ops)
776
0
    {
777
0
      ret = ops->wait_all_jobs (ops->jobs_context);
778
0
      if (ret < 0)
779
0
        return GPG_ERR_CANCELED;
780
0
    }
781
2.95k
      }
782
783
497
  return 0;
784
497
}
785
786
787
static gpg_err_code_t
788
argon2_final (argon2_ctx_t a, size_t resultlen, void *result)
789
497
{
790
497
  int i;
791
792
497
  if (resultlen != a->outlen)
793
0
    return GPG_ERR_INV_VALUE;
794
795
497
  memset (a->block, 0, 1024);
796
42.5k
  for (i = 0; i < a->lanes; i++)
797
42.0k
    {
798
42.0k
      u64 *last_block;
799
800
42.0k
      last_block = &a->block[(a->lane_length * i + (a->lane_length - 1))
801
42.0k
                             * ARGON2_WORDS_IN_BLOCK];
802
42.0k
      xor_block (a->block, last_block);
803
42.0k
    }
804
805
497
  beswap64_block (a->block);
806
497
  blake2b_vl_hash (a->block, 1024, a->outlen, result);
807
497
  return 0;
808
497
}
809
810
static void
811
argon2_close (argon2_ctx_t a)
812
497
{
813
497
  size_t n;
814
815
497
  n = offsetof (struct argon2_context, out) + a->outlen;
816
817
497
  if (a->block)
818
497
    {
819
497
      wipememory (a->block, 1024 * a->memory_blocks);
820
497
      xfree (a->block);
821
497
    }
822
823
497
  if (a->thread_data)
824
497
    xfree (a->thread_data);
825
826
497
  wipememory (a, n);
827
497
  xfree (a);
828
497
}
829
830
static gpg_err_code_t
831
argon2_open (gcry_kdf_hd_t *hd, int subalgo,
832
             const unsigned long *param, unsigned int paramlen,
833
             const void *password, size_t passwordlen,
834
             const void *salt, size_t saltlen,
835
             const void *key, size_t keylen,
836
             const void *ad, size_t adlen)
837
503
{
838
503
  int hash_type;
839
503
  unsigned int taglen;
840
503
  unsigned int t_cost;
841
503
  unsigned int m_cost;
842
503
  unsigned int parallelism = 1;
843
503
  argon2_ctx_t a;
844
503
  gpg_err_code_t ec;
845
503
  size_t n;
846
847
503
  if (subalgo != GCRY_KDF_ARGON2D
848
503
      && subalgo != GCRY_KDF_ARGON2I
849
503
      && subalgo != GCRY_KDF_ARGON2ID)
850
0
    return GPG_ERR_INV_VALUE;
851
503
  else
852
503
    hash_type = subalgo;
853
854
  /* param : [ tag_length, t_cost, m_cost, parallelism ] */
855
503
  if (paramlen < 3 || paramlen > 4)
856
0
    return GPG_ERR_INV_VALUE;
857
503
  else
858
503
    {
859
503
      taglen = (unsigned int)param[0];
860
503
      t_cost = (unsigned int)param[1];
861
503
      m_cost = (unsigned int)param[2];
862
503
      if (paramlen >= 4)
863
503
        parallelism = (unsigned int)param[3];
864
503
    }
865
866
503
  if (parallelism == 0)
867
6
    return GPG_ERR_INV_VALUE;
868
869
497
  n = offsetof (struct argon2_context, out) + taglen;
870
497
  a = xtrymalloc (n);
871
497
  if (!a)
872
0
    return gpg_err_code_from_errno (errno);
873
874
497
  a->algo = GCRY_KDF_ARGON2;
875
497
  a->hash_type = hash_type;
876
877
497
  a->outlen = taglen;
878
879
497
  a->password = password;
880
497
  a->passwordlen = passwordlen;
881
497
  a->salt = salt;
882
497
  a->saltlen = saltlen;
883
497
  a->key = key;
884
497
  a->keylen = keylen;
885
497
  a->ad = ad;
886
497
  a->adlen = adlen;
887
888
497
  a->m_cost = m_cost;
889
890
497
  a->block = NULL;
891
497
  a->thread_data = NULL;
892
893
497
  ec = argon2_init (a, parallelism, m_cost, t_cost);
894
497
  if (ec)
895
0
    {
896
0
      xfree (a);
897
0
      return ec;
898
0
    }
899
900
497
  *hd = (void *)a;
901
497
  return 0;
902
497
}
903

904
typedef struct balloon_context *balloon_ctx_t;
905
906
/* Per thread data for Balloon.  */
907
struct balloon_thread_data {
908
  balloon_ctx_t b;
909
  gpg_err_code_t ec;
910
  unsigned int idx;
911
  unsigned char *block;
912
};
913
914
/* Balloon context */
915
struct balloon_context {
916
  int algo;
917
  int prng_type;
918
919
  unsigned int blklen;
920
  const gcry_md_spec_t *md_spec;
921
922
  const unsigned char *password;
923
  size_t passwordlen;
924
925
  const unsigned char *salt;
926
  /* Length of salt is fixed.  */
927
928
  unsigned int s_cost;
929
  unsigned int t_cost;
930
  unsigned int parallelism;
931
932
  u64 n_blocks;
933
934
  unsigned char *block;
935
936
  /* In future, we may use flexible array member.  */
937
  struct balloon_thread_data thread_data[1];
938
};
939
940
/* Maximum size of underlining digest size.  */
941
0
#define BALLOON_BLOCK_LEN_MAX 64
942
943
static gpg_err_code_t
944
prng_aes_ctr_init (gcry_cipher_hd_t *hd_p, balloon_ctx_t b,
945
                   gcry_buffer_t *iov, unsigned int iov_count)
946
0
{
947
0
  gpg_err_code_t ec;
948
0
  gcry_cipher_hd_t hd;
949
0
  unsigned char key[BALLOON_BLOCK_LEN_MAX];
950
0
  int cipher_algo;
951
0
  unsigned int keylen, blklen;
952
953
0
  switch (b->blklen)
954
0
    {
955
0
    case 64:
956
0
      cipher_algo = GCRY_CIPHER_AES256;
957
0
      break;
958
959
0
    case 48:
960
0
      cipher_algo = GCRY_CIPHER_AES192;
961
0
      break;
962
963
0
    default:
964
0
    case 32:
965
0
      cipher_algo = GCRY_CIPHER_AES;
966
0
      break;
967
0
    }
968
969
0
  keylen = _gcry_cipher_get_algo_keylen (cipher_algo);
970
0
  blklen = _gcry_cipher_get_algo_blklen (cipher_algo);
971
972
0
  b->md_spec->hash_buffers (key, b->blklen, iov, iov_count);
973
0
  ec = _gcry_cipher_open (&hd, cipher_algo, GCRY_CIPHER_MODE_CTR, 0);
974
0
  if (ec)
975
0
    return ec;
976
977
0
  ec = _gcry_cipher_setkey (hd, key, keylen);
978
0
  if (ec)
979
0
    {
980
0
      _gcry_cipher_close (hd);
981
0
      return ec;
982
0
    }
983
984
0
  if (cipher_algo == GCRY_CIPHER_AES
985
0
      && b->md_spec == &_gcry_digest_spec_sha256)
986
    /* Original Balloon uses zero IV.  */
987
0
    ;
988
0
  else
989
0
    {
990
0
      ec = _gcry_cipher_setiv (hd, key+keylen, blklen);
991
0
      if (ec)
992
0
        {
993
0
          _gcry_cipher_close (hd);
994
0
          return ec;
995
0
        }
996
0
    }
997
998
0
  wipememory (key, BALLOON_BLOCK_LEN_MAX);
999
0
  *hd_p = hd;
1000
0
  return ec;
1001
0
}
1002
1003
static u64
1004
prng_aes_ctr_get_rand64 (gcry_cipher_hd_t hd)
1005
0
{
1006
0
  static const unsigned char zero64[8];
1007
0
  unsigned char rand64[8];
1008
1009
0
  _gcry_cipher_encrypt (hd, rand64, sizeof (rand64), zero64, sizeof (zero64));
1010
0
  return buf_get_le64 (rand64);
1011
0
}
1012
1013
static void
1014
prng_aes_ctr_fini (gcry_cipher_hd_t hd)
1015
0
{
1016
0
  _gcry_cipher_close (hd);
1017
0
}
1018
1019
static size_t
1020
ballon_context_size (unsigned int parallelism)
1021
0
{
1022
0
  size_t n;
1023
1024
0
  n = offsetof (struct balloon_context, thread_data)
1025
0
    + parallelism * sizeof (struct balloon_thread_data);
1026
0
  return n;
1027
0
}
1028
1029
static gpg_err_code_t
1030
balloon_open (gcry_kdf_hd_t *hd, int subalgo,
1031
              const unsigned long *param, unsigned int paramlen,
1032
              const void *password, size_t passwordlen,
1033
              const void *salt, size_t saltlen)
1034
0
{
1035
0
  unsigned int blklen;
1036
0
  int hash_type;
1037
0
  unsigned int s_cost;
1038
0
  unsigned int t_cost;
1039
0
  unsigned int parallelism = 1;
1040
0
  balloon_ctx_t b;
1041
0
  gpg_err_code_t ec;
1042
0
  size_t n;
1043
0
  unsigned char *block;
1044
0
  unsigned int i;
1045
0
  const gcry_md_spec_t *md_spec;
1046
1047
0
  hash_type = subalgo;
1048
0
  switch (hash_type)
1049
0
    {
1050
0
    case GCRY_MD_SHA256:
1051
0
      md_spec = &_gcry_digest_spec_sha256;
1052
0
      break;
1053
1054
0
    case GCRY_MD_SHA384:
1055
0
      md_spec = &_gcry_digest_spec_sha384;
1056
0
      break;
1057
1058
0
    case GCRY_MD_SHA512:
1059
0
      md_spec = &_gcry_digest_spec_sha512;
1060
0
      break;
1061
1062
0
    case GCRY_MD_SHA3_256:
1063
0
      md_spec = &_gcry_digest_spec_sha3_256;
1064
0
      break;
1065
1066
0
    case GCRY_MD_SHA3_384:
1067
0
      md_spec = &_gcry_digest_spec_sha3_384;
1068
0
      break;
1069
1070
0
    case GCRY_MD_SHA3_512:
1071
0
      md_spec = &_gcry_digest_spec_sha3_512;
1072
0
      break;
1073
1074
0
    default:
1075
0
      return GPG_ERR_NOT_SUPPORTED;
1076
0
    }
1077
1078
0
  blklen = _gcry_md_get_algo_dlen (hash_type);
1079
0
  if (!blklen || blklen > BALLOON_BLOCK_LEN_MAX)
1080
0
    return GPG_ERR_NOT_SUPPORTED;
1081
1082
0
  if (saltlen != blklen)
1083
0
    return GPG_ERR_NOT_SUPPORTED;
1084
1085
  /*
1086
   * It should have space_cost and time_cost.
1087
   * Optionally, for parallelised version, it has parallelism.
1088
   * Possibly (in future), it may have option to specify PRNG type.
1089
   */
1090
0
  if (paramlen != 2 && paramlen != 3)
1091
0
    return GPG_ERR_INV_VALUE;
1092
0
  else
1093
0
    {
1094
0
      s_cost = (unsigned int)param[0];
1095
0
      t_cost = (unsigned int)param[1];
1096
0
      if (paramlen >= 3)
1097
0
        parallelism = (unsigned int)param[2];
1098
0
    }
1099
1100
0
  if (s_cost < 1)
1101
0
    return GPG_ERR_INV_VALUE;
1102
1103
0
  n = ballon_context_size (parallelism);
1104
0
  b = xtrymalloc (n);
1105
0
  if (!b)
1106
0
    return gpg_err_code_from_errno (errno);
1107
1108
0
  b->algo = GCRY_KDF_BALLOON;
1109
0
  b->md_spec = md_spec;
1110
0
  b->blklen = blklen;
1111
1112
0
  b->password = password;
1113
0
  b->passwordlen = passwordlen;
1114
0
  b->salt = salt;
1115
1116
0
  b->s_cost = s_cost;
1117
0
  b->t_cost = t_cost;
1118
0
  b->parallelism = parallelism;
1119
1120
0
  b->n_blocks = (s_cost * 1024) / b->blklen;
1121
1122
0
  block = xtrycalloc (parallelism * b->n_blocks, b->blklen);
1123
0
  if (!block)
1124
0
    {
1125
0
      ec = gpg_err_code_from_errno (errno);
1126
0
      xfree (b);
1127
0
      return ec;
1128
0
    }
1129
0
  b->block = block;
1130
1131
0
  for (i = 0; i < parallelism; i++)
1132
0
    {
1133
0
      struct balloon_thread_data *t = &b->thread_data[i];
1134
1135
0
      t->b = b;
1136
0
      t->ec = 0;
1137
0
      t->idx = i;
1138
0
      t->block = block;
1139
0
      block += b->blklen * b->n_blocks;
1140
0
    }
1141
1142
0
  *hd = (void *)b;
1143
0
  return 0;
1144
0
}
1145
1146
1147
static void
1148
balloon_xor_block (balloon_ctx_t b, u64 *dst, const u64 *src)
1149
0
{
1150
0
  int i;
1151
1152
0
  for (i = 0; i < b->blklen/8; i++)
1153
0
    dst[i] ^= src[i];
1154
0
}
1155
1156
0
#define BALLOON_COMPRESS_BLOCKS 5
1157
1158
static void
1159
balloon_compress (balloon_ctx_t b, u64 *counter_p, unsigned char *out,
1160
                  const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS])
1161
0
{
1162
0
  gcry_buffer_t iov[1+BALLOON_COMPRESS_BLOCKS];
1163
0
  unsigned char octet_counter[sizeof (u64)];
1164
0
  unsigned int i;
1165
1166
0
  buf_put_le64 (octet_counter, *counter_p);
1167
0
  iov[0].data = octet_counter;
1168
0
  iov[0].len = sizeof (octet_counter);
1169
0
  iov[0].off = 0;
1170
1171
0
  for (i = 1; i < 1+BALLOON_COMPRESS_BLOCKS; i++)
1172
0
    {
1173
0
      iov[i].data = (void *)blocks[i-1];
1174
0
      iov[i].len = b->blklen;
1175
0
      iov[i].off = 0;
1176
0
    }
1177
1178
0
  b->md_spec->hash_buffers (out, b->blklen, iov, 1+BALLOON_COMPRESS_BLOCKS);
1179
0
  *counter_p += 1;
1180
0
}
1181
1182
static void
1183
balloon_expand (balloon_ctx_t b, u64 *counter_p, unsigned char *block,
1184
                u64 n_blocks)
1185
0
{
1186
0
  gcry_buffer_t iov[2];
1187
0
  unsigned char octet_counter[sizeof (u64)];
1188
0
  u64 i;
1189
1190
0
  iov[0].data = octet_counter;
1191
0
  iov[0].len = sizeof (octet_counter);
1192
0
  iov[0].off = 0;
1193
0
  iov[1].len = b->blklen;
1194
0
  iov[1].off = 0;
1195
1196
0
  for (i = 1; i < n_blocks; i++)
1197
0
    {
1198
0
      buf_put_le64 (octet_counter, *counter_p);
1199
0
      iov[1].data = block;
1200
0
      block += b->blklen;
1201
0
      b->md_spec->hash_buffers (block, b->blklen, iov, 2);
1202
0
      *counter_p += 1;
1203
0
    }
1204
0
}
1205
1206
static void
1207
balloon_compute_fill (balloon_ctx_t b,
1208
                      struct balloon_thread_data *t,
1209
                      const unsigned char *salt,
1210
                      u64 *counter_p)
1211
0
{
1212
0
  gcry_buffer_t iov[6];
1213
0
  unsigned char octet_counter[sizeof (u64)];
1214
0
  unsigned char octet_s_cost[4];
1215
0
  unsigned char octet_t_cost[4];
1216
0
  unsigned char octet_parallelism[4];
1217
1218
0
  buf_put_le64 (octet_counter, *counter_p);
1219
0
  buf_put_le32 (octet_s_cost, b->s_cost);
1220
0
  buf_put_le32 (octet_t_cost, b->t_cost);
1221
0
  buf_put_le32 (octet_parallelism, b->parallelism);
1222
1223
0
  iov[0].data = octet_counter;
1224
0
  iov[0].len = sizeof (octet_counter);
1225
0
  iov[0].off = 0;
1226
0
  iov[1].data = (void *)salt;
1227
0
  iov[1].len = b->blklen;
1228
0
  iov[1].off = 0;
1229
0
  iov[2].data = (void *)b->password;
1230
0
  iov[2].len = b->passwordlen;
1231
0
  iov[2].off = 0;
1232
0
  iov[3].data = octet_s_cost;
1233
0
  iov[3].len = 4;
1234
0
  iov[3].off = 0;
1235
0
  iov[4].data = octet_t_cost;
1236
0
  iov[4].len = 4;
1237
0
  iov[4].off = 0;
1238
0
  iov[5].data = octet_parallelism;
1239
0
  iov[5].len = 4;
1240
0
  iov[5].off = 0;
1241
0
  b->md_spec->hash_buffers (t->block, b->blklen, iov, 6);
1242
0
  *counter_p += 1;
1243
0
  balloon_expand (b, counter_p, t->block, b->n_blocks);
1244
0
}
1245
1246
static void
1247
balloon_compute_mix (gcry_cipher_hd_t prng,
1248
                     balloon_ctx_t b, struct balloon_thread_data *t,
1249
                     u64 *counter_p)
1250
0
{
1251
0
  u64 i;
1252
1253
0
  for (i = 0; i < b->n_blocks; i++)
1254
0
    {
1255
0
      unsigned char *cur_block = t->block + (b->blklen * i);
1256
0
      const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS];
1257
0
      const unsigned char *prev_block;
1258
0
      unsigned int n;
1259
1260
0
      prev_block = i
1261
0
        ? cur_block - b->blklen
1262
0
        : t->block + (b->blklen * (t->b->n_blocks - 1));
1263
1264
0
      n = 0;
1265
0
      blocks[n++] = prev_block;
1266
0
      blocks[n++] = cur_block;
1267
1268
0
      for (; n < BALLOON_COMPRESS_BLOCKS; n++)
1269
0
        {
1270
0
          u64 rand64 = prng_aes_ctr_get_rand64 (prng);
1271
0
          blocks[n] = t->block + (b->blklen * (rand64 % b->n_blocks));
1272
0
        }
1273
1274
0
      balloon_compress (b, counter_p, cur_block, blocks);
1275
0
    }
1276
0
}
1277
1278
1279
static void
1280
balloon_compute (void *priv)
1281
0
{
1282
0
  struct balloon_thread_data *t = (struct balloon_thread_data *)priv;
1283
0
  balloon_ctx_t b = t->b;
1284
0
  gcry_cipher_hd_t prng;
1285
0
  gcry_buffer_t iov[4];
1286
0
  unsigned char salt[BALLOON_BLOCK_LEN_MAX];
1287
0
  unsigned char octet_s_cost[4];
1288
0
  unsigned char octet_t_cost[4];
1289
0
  unsigned char octet_parallelism[4];
1290
0
  u32 u;
1291
0
  u64 counter;
1292
0
  unsigned int i;
1293
1294
0
  counter = 0;
1295
1296
0
  memcpy (salt, b->salt, b->blklen);
1297
0
  u = buf_get_le32 (b->salt) + t->idx;
1298
0
  buf_put_le32 (salt, u);
1299
1300
0
  buf_put_le32 (octet_s_cost, b->s_cost);
1301
0
  buf_put_le32 (octet_t_cost, b->t_cost);
1302
0
  buf_put_le32 (octet_parallelism, b->parallelism);
1303
1304
0
  iov[0].data = salt;
1305
0
  iov[0].len = b->blklen;
1306
0
  iov[0].off = 0;
1307
0
  iov[1].data = octet_s_cost;
1308
0
  iov[1].len = 4;
1309
0
  iov[1].off = 0;
1310
0
  iov[2].data = octet_t_cost;
1311
0
  iov[2].len = 4;
1312
0
  iov[2].off = 0;
1313
0
  iov[3].data = octet_parallelism;
1314
0
  iov[3].len = 4;
1315
0
  iov[3].off = 0;
1316
1317
0
  t->ec = prng_aes_ctr_init (&prng, b, iov, 4);
1318
0
  if (t->ec)
1319
0
    return;
1320
1321
0
  balloon_compute_fill (b, t, salt, &counter);
1322
1323
0
  for (i = 0; i < b->t_cost; i++)
1324
0
    balloon_compute_mix (prng, b, t, &counter);
1325
1326
  /* The result is now at the last block.  */
1327
1328
0
  prng_aes_ctr_fini (prng);
1329
0
}
1330
1331
static gpg_err_code_t
1332
balloon_compute_all (balloon_ctx_t b, const struct gcry_kdf_thread_ops *ops)
1333
0
{
1334
0
  unsigned int parallelism = b->parallelism;
1335
0
  unsigned int i;
1336
0
  int ret;
1337
1338
0
  for (i = 0; i < parallelism; i++)
1339
0
    {
1340
0
      struct balloon_thread_data *t = &b->thread_data[i];
1341
1342
0
      if (ops)
1343
0
        {
1344
0
          ret = ops->dispatch_job (ops->jobs_context, balloon_compute, t);
1345
0
          if (ret < 0)
1346
0
            return GPG_ERR_CANCELED;
1347
0
        }
1348
0
      else
1349
0
        balloon_compute (t);
1350
0
    }
1351
1352
0
  if (ops)
1353
0
    {
1354
0
      ret = ops->wait_all_jobs (ops->jobs_context);
1355
0
      if (ret < 0)
1356
0
        return GPG_ERR_CANCELED;
1357
0
    }
1358
1359
0
  return 0;
1360
0
}
1361
1362
static gpg_err_code_t
1363
balloon_final (balloon_ctx_t b, size_t resultlen, void *result)
1364
0
{
1365
0
  unsigned int parallelism = b->parallelism;
1366
0
  unsigned int i;
1367
0
  u64 out[BALLOON_BLOCK_LEN_MAX/8];
1368
1369
0
  if (resultlen != b->blklen)
1370
0
    return GPG_ERR_INV_VALUE;
1371
1372
0
  memset (out, 0, b->blklen);
1373
0
  for (i = 0; i < parallelism; i++)
1374
0
    {
1375
0
      struct balloon_thread_data *t = &b->thread_data[i];
1376
0
      const unsigned char *last_block;
1377
1378
0
      if (t->ec)
1379
0
        return t->ec;
1380
1381
0
      last_block = t->block + (b->blklen * (t->b->n_blocks - 1));
1382
0
      balloon_xor_block (b, out, (const u64 *)(void *)last_block);
1383
0
    }
1384
1385
0
  memcpy (result, out, b->blklen);
1386
1387
0
  return 0;
1388
0
}
1389
1390
static void
1391
balloon_close (balloon_ctx_t b)
1392
0
{
1393
0
  unsigned int parallelism = b->parallelism;
1394
0
  size_t n = ballon_context_size (parallelism);
1395
1396
0
  if (b->block)
1397
0
    {
1398
0
      wipememory (b->block, parallelism * b->n_blocks);
1399
0
      xfree (b->block);
1400
0
    }
1401
1402
0
  wipememory (b, n);
1403
0
  xfree (b);
1404
0
}
1405

1406
typedef struct onestep_kdf_context *onestep_kdf_ctx_t;
1407
1408
/* OneStepKDF context */
1409
struct onestep_kdf_context {
1410
  int algo;
1411
  gcry_md_hd_t md;
1412
  unsigned int blklen;
1413
  unsigned int outlen;
1414
  const void *input;
1415
  size_t inputlen;
1416
  const void *fixedinfo;
1417
  size_t fixedinfolen;
1418
};
1419
1420
static gpg_err_code_t
1421
onestep_kdf_open (gcry_kdf_hd_t *hd, int hashalgo,
1422
                  const unsigned long *param, unsigned int paramlen,
1423
                  const void *input, size_t inputlen,
1424
                  const void *fixedinfo, size_t fixedinfolen)
1425
0
{
1426
0
  gpg_err_code_t ec;
1427
0
  unsigned int outlen;
1428
0
  onestep_kdf_ctx_t o;
1429
0
  size_t n;
1430
1431
0
  if (paramlen != 1)
1432
0
    return GPG_ERR_INV_VALUE;
1433
0
  else
1434
0
    outlen = (unsigned int)param[0];
1435
1436
0
  n = sizeof (struct onestep_kdf_context);
1437
0
  o = xtrymalloc (n);
1438
0
  if (!o)
1439
0
    return gpg_err_code_from_errno (errno);
1440
1441
0
  o->blklen = _gcry_md_get_algo_dlen (hashalgo);
1442
0
  if (!o->blklen)
1443
0
    {
1444
0
      xfree (o);
1445
0
      return GPG_ERR_DIGEST_ALGO;
1446
0
    }
1447
0
  ec = _gcry_md_open (&o->md, hashalgo, 0);
1448
0
  if (ec)
1449
0
    {
1450
0
      xfree (o);
1451
0
      return ec;
1452
0
    }
1453
0
  o->algo = GCRY_KDF_ONESTEP_KDF;
1454
0
  o->outlen = outlen;
1455
0
  o->input = input;
1456
0
  o->inputlen = inputlen;
1457
0
  o->fixedinfo = fixedinfo;
1458
0
  o->fixedinfolen = fixedinfolen;
1459
1460
0
  *hd = (void *)o;
1461
0
  return 0;
1462
0
}
1463
1464
1465
static gpg_err_code_t
1466
onestep_kdf_compute (onestep_kdf_ctx_t o, const struct gcry_kdf_thread_ops *ops)
1467
0
{
1468
0
  (void)o;
1469
1470
0
  if (ops != NULL)
1471
0
    return GPG_ERR_INV_VALUE;
1472
1473
0
  return 0;
1474
0
}
1475
1476
static gpg_err_code_t
1477
onestep_kdf_final (onestep_kdf_ctx_t o, size_t resultlen, void *result)
1478
0
{
1479
0
  u32 counter = 0;
1480
0
  unsigned char cnt[4];
1481
0
  int i;
1482
1483
0
  if (resultlen != o->outlen)
1484
0
    return GPG_ERR_INV_VALUE;
1485
1486
0
  for (i = 0; i < o->outlen / o->blklen; i++)
1487
0
    {
1488
0
      counter++;
1489
0
      buf_put_be32 (cnt, counter);
1490
0
      _gcry_md_write (o->md, cnt, sizeof (cnt));
1491
0
      _gcry_md_write (o->md, o->input, o->inputlen);
1492
0
      _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen);
1493
0
      _gcry_md_final (o->md);
1494
0
      memcpy ((char *)result + o->blklen * i,
1495
0
              _gcry_md_read (o->md, 0), o->blklen);
1496
0
      resultlen -= o->blklen;
1497
0
      _gcry_md_reset (o->md);
1498
0
    }
1499
1500
0
  if (resultlen)
1501
0
    {
1502
0
      counter++;
1503
0
      buf_put_be32 (cnt, counter);
1504
0
      _gcry_md_write (o->md, cnt, sizeof (cnt));
1505
0
      _gcry_md_write (o->md, o->input, o->inputlen);
1506
0
      _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen);
1507
0
      _gcry_md_final (o->md);
1508
0
      memcpy ((char *)result + o->blklen * i,
1509
0
              _gcry_md_read (o->md, 0), resultlen);
1510
0
    }
1511
1512
0
  return 0;
1513
0
}
1514
1515
static void
1516
onestep_kdf_close (onestep_kdf_ctx_t o)
1517
0
{
1518
0
  _gcry_md_close (o->md);
1519
0
  xfree (o);
1520
0
}
1521

1522
typedef struct onestep_kdf_mac_context *onestep_kdf_mac_ctx_t;
1523
1524
/* OneStep_KDF_MAC context */
1525
struct onestep_kdf_mac_context {
1526
  int algo;
1527
  gcry_mac_hd_t md;
1528
  unsigned int blklen;
1529
  unsigned int outlen;
1530
  const void *input;
1531
  size_t inputlen;
1532
  const void *salt;
1533
  size_t saltlen;
1534
  const void *fixedinfo;
1535
  size_t fixedinfolen;
1536
};
1537
1538
static gpg_err_code_t
1539
onestep_kdf_mac_open (gcry_kdf_hd_t *hd, int macalgo,
1540
                      const unsigned long *param, unsigned int paramlen,
1541
                      const void *input, size_t inputlen,
1542
                      const void *key, size_t keylen,
1543
                      const void *fixedinfo, size_t fixedinfolen)
1544
0
{
1545
0
  gpg_err_code_t ec;
1546
0
  unsigned int outlen;
1547
0
  onestep_kdf_mac_ctx_t o;
1548
0
  size_t n;
1549
1550
0
  if (paramlen != 1)
1551
0
    return GPG_ERR_INV_VALUE;
1552
0
  else
1553
0
    outlen = (unsigned int)param[0];
1554
1555
0
  n = sizeof (struct onestep_kdf_mac_context);
1556
0
  o = xtrymalloc (n);
1557
0
  if (!o)
1558
0
    return gpg_err_code_from_errno (errno);
1559
1560
0
  o->blklen = _gcry_mac_get_algo_maclen (macalgo);
1561
0
  if (!o->blklen)
1562
0
    {
1563
0
      xfree (o);
1564
0
      return GPG_ERR_MAC_ALGO;
1565
0
    }
1566
0
  ec = _gcry_mac_open (&o->md, macalgo, 0, NULL);
1567
0
  if (ec)
1568
0
    {
1569
0
      xfree (o);
1570
0
      return ec;
1571
0
    }
1572
0
  o->algo = GCRY_KDF_ONESTEP_KDF_MAC;
1573
0
  o->outlen = outlen;
1574
0
  o->input = input;
1575
0
  o->inputlen = inputlen;
1576
0
  o->salt = key;
1577
0
  o->saltlen = keylen;
1578
0
  o->fixedinfo = fixedinfo;
1579
0
  o->fixedinfolen = fixedinfolen;
1580
1581
0
  *hd = (void *)o;
1582
0
  return 0;
1583
0
}
1584
1585
1586
static gpg_err_code_t
1587
onestep_kdf_mac_compute (onestep_kdf_mac_ctx_t o,
1588
                         const struct gcry_kdf_thread_ops *ops)
1589
0
{
1590
0
  (void)o;
1591
1592
0
  if (ops != NULL)
1593
0
    return GPG_ERR_INV_VALUE;
1594
1595
0
  return 0;
1596
0
}
1597
1598
static gpg_err_code_t
1599
onestep_kdf_mac_final (onestep_kdf_mac_ctx_t o, size_t resultlen, void *result)
1600
0
{
1601
0
  u32 counter = 0;
1602
0
  unsigned char cnt[4];
1603
0
  int i;
1604
0
  gcry_err_code_t ec;
1605
0
  size_t len = o->blklen;
1606
1607
0
  if (resultlen != o->outlen)
1608
0
    return GPG_ERR_INV_VALUE;
1609
1610
0
  ec = _gcry_mac_setkey (o->md, o->salt, o->saltlen);
1611
0
  if (ec)
1612
0
    return ec;
1613
1614
0
  for (i = 0; i < o->outlen / o->blklen; i++)
1615
0
    {
1616
0
      counter++;
1617
0
      buf_put_be32 (cnt, counter);
1618
0
      ec = _gcry_mac_write (o->md, cnt, sizeof (cnt));
1619
0
      if (ec)
1620
0
        return ec;
1621
0
      ec = _gcry_mac_write (o->md, o->input, o->inputlen);
1622
0
      if (ec)
1623
0
        return ec;
1624
0
      ec = _gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen);
1625
0
      if (ec)
1626
0
        return ec;
1627
0
      ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len);
1628
0
      if (ec)
1629
0
        return ec;
1630
0
      resultlen -= o->blklen;
1631
0
      ec = _gcry_mac_ctl (o->md, GCRYCTL_RESET, NULL, 0);
1632
0
      if (ec)
1633
0
        return ec;
1634
0
    }
1635
1636
0
  if (resultlen)
1637
0
    {
1638
0
      counter++;
1639
0
      len = resultlen;
1640
0
      buf_put_be32 (cnt, counter);
1641
0
      ec = _gcry_mac_write (o->md, cnt, sizeof (cnt));
1642
0
      if (ec)
1643
0
        return ec;
1644
0
      ec = _gcry_mac_write (o->md, o->input, o->inputlen);
1645
0
      if (ec)
1646
0
        return ec;
1647
0
      ec =_gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen);
1648
0
      if (ec)
1649
0
        return ec;
1650
0
      ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len);
1651
0
      if (ec)
1652
0
        return ec;
1653
0
    }
1654
1655
0
  return 0;
1656
0
}
1657
1658
static void
1659
onestep_kdf_mac_close (onestep_kdf_mac_ctx_t o)
1660
0
{
1661
0
  _gcry_mac_close (o->md);
1662
0
  xfree (o);
1663
0
}
1664

1665
typedef struct hkdf_context *hkdf_ctx_t;
1666
1667
/* Hkdf context */
1668
struct hkdf_context {
1669
  int algo;
1670
  gcry_mac_hd_t md;
1671
  int mode;
1672
  unsigned int blklen;
1673
  unsigned int outlen;
1674
  const void *input;
1675
  size_t inputlen;
1676
  const void *salt;
1677
  size_t saltlen;
1678
  const void *fixedinfo;
1679
  size_t fixedinfolen;
1680
  unsigned char *prk;
1681
};
1682
1683
static gpg_err_code_t
1684
hkdf_open (gcry_kdf_hd_t *hd, int macalgo,
1685
           const unsigned long *param, unsigned int paramlen,
1686
           const void *input, size_t inputlen,
1687
           const void *salt, size_t saltlen,
1688
           const void *fixedinfo, size_t fixedinfolen)
1689
614
{
1690
614
  gpg_err_code_t ec;
1691
614
  unsigned int outlen;
1692
614
  int mode;
1693
614
  hkdf_ctx_t h;
1694
614
  size_t n;
1695
614
  unsigned char *prk;
1696
1697
614
  if (paramlen != 1 && paramlen != 2)
1698
0
    return GPG_ERR_INV_VALUE;
1699
614
  else
1700
614
    {
1701
614
      outlen = (unsigned int)param[0];
1702
      /* MODE: support extract only, expand only: FIXME*/
1703
614
      if (paramlen == 2)
1704
0
        mode = (unsigned int)param[1];
1705
614
      else
1706
614
        mode = 0;
1707
614
    }
1708
1709
614
  n = sizeof (struct hkdf_context);
1710
614
  h = xtrymalloc (n);
1711
614
  if (!h)
1712
0
    return gpg_err_code_from_errno (errno);
1713
1714
614
  h->blklen = _gcry_mac_get_algo_maclen (macalgo);
1715
614
  if (!h->blklen)
1716
0
    {
1717
0
      xfree (h);
1718
0
      return GPG_ERR_MAC_ALGO;
1719
0
    }
1720
1721
614
  if (outlen > 255 * h->blklen)
1722
119
    {
1723
119
      xfree (h);
1724
119
      return GPG_ERR_INV_VALUE;
1725
119
    }
1726
1727
495
  ec = _gcry_mac_open (&h->md, macalgo, 0, NULL);
1728
495
  if (ec)
1729
0
    {
1730
0
      xfree (h);
1731
0
      return ec;
1732
0
    }
1733
495
  prk = xtrymalloc (h->blklen);
1734
495
  if (!prk)
1735
0
    {
1736
0
      _gcry_mac_close (h->md);
1737
0
      xfree (h);
1738
0
      return gpg_err_code_from_errno (errno);
1739
0
    }
1740
495
  h->prk = prk;
1741
495
  h->algo = GCRY_KDF_HKDF;
1742
495
  h->outlen = outlen;
1743
495
  h->mode = mode;
1744
495
  h->input = input;
1745
495
  h->inputlen = inputlen;
1746
495
  h->salt = salt;
1747
495
  h->saltlen = saltlen;
1748
495
  h->fixedinfo = fixedinfo;
1749
495
  h->fixedinfolen = fixedinfolen;
1750
1751
495
  *hd = (void *)h;
1752
495
  return 0;
1753
495
}
1754
1755
1756
static gpg_err_code_t
1757
hkdf_compute (hkdf_ctx_t h, const struct gcry_kdf_thread_ops *ops)
1758
495
{
1759
495
  gcry_err_code_t ec;
1760
495
  size_t len = h->blklen;
1761
1762
495
  if (ops != NULL)
1763
0
    return GPG_ERR_INV_VALUE;
1764
1765
  /* Extract */
1766
495
  ec = _gcry_mac_setkey (h->md, h->salt, h->saltlen);
1767
495
  if (ec)
1768
0
    return ec;
1769
1770
495
  ec = _gcry_mac_write (h->md, h->input, h->inputlen);
1771
495
  if (ec)
1772
0
    return ec;
1773
1774
495
  ec = _gcry_mac_read (h->md, h->prk, &len);
1775
495
  if (ec)
1776
0
    return ec;
1777
1778
495
  ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0);
1779
495
  if (ec)
1780
0
    return ec;
1781
1782
495
  return 0;
1783
495
}
1784
1785
static gpg_err_code_t
1786
hkdf_final (hkdf_ctx_t h, size_t resultlen, void *result)
1787
495
{
1788
495
  unsigned char counter = 0;
1789
495
  int i;
1790
495
  gcry_err_code_t ec;
1791
495
  size_t len = h->blklen;
1792
1793
495
  if (resultlen != h->outlen)
1794
0
    return GPG_ERR_INV_VALUE;
1795
1796
  /* Expand */
1797
495
  ec = _gcry_mac_setkey (h->md, h->prk, h->blklen);
1798
495
  if (ec)
1799
0
    return ec;
1800
1801
  /* We re-use the memory of ->prk.  */
1802
1803
57.7k
  for (i = 0; i < h->outlen / h->blklen; i++)
1804
57.2k
    {
1805
57.2k
      counter++;
1806
57.2k
      if (i)
1807
56.7k
        {
1808
56.7k
          ec = _gcry_mac_write (h->md, h->prk, h->blklen);
1809
56.7k
          if (ec)
1810
0
            return ec;
1811
56.7k
        }
1812
57.2k
      if (h->fixedinfo)
1813
57.2k
        {
1814
57.2k
          ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen);
1815
57.2k
          if (ec)
1816
0
            return ec;
1817
57.2k
        }
1818
57.2k
      ec = _gcry_mac_write (h->md, &counter, 1);
1819
57.2k
      if (ec)
1820
0
        return ec;
1821
57.2k
      ec = _gcry_mac_read (h->md, h->prk, &len);
1822
57.2k
      if (ec)
1823
0
        return ec;
1824
57.2k
      memcpy ((char *)result + h->blklen * i, h->prk, len);
1825
57.2k
      resultlen -= h->blklen;
1826
57.2k
      ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0);
1827
57.2k
      if (ec)
1828
0
        return ec;
1829
57.2k
    }
1830
1831
495
  if (resultlen)
1832
471
    {
1833
471
      counter++;
1834
471
      len = resultlen;
1835
471
      if (i)
1836
466
        {
1837
466
          ec = _gcry_mac_write (h->md, h->prk, h->blklen);
1838
466
          if (ec)
1839
0
            return ec;
1840
466
        }
1841
471
      if (h->fixedinfo)
1842
471
        {
1843
471
          ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen);
1844
471
          if (ec)
1845
0
            return ec;
1846
471
        }
1847
471
      ec = _gcry_mac_write (h->md, &counter, 1);
1848
471
      if (ec)
1849
0
        return ec;
1850
471
      ec = _gcry_mac_read (h->md, (char *)result + h->blklen * i, &len);
1851
471
      if (ec)
1852
0
        return ec;
1853
471
    }
1854
1855
495
  return 0;
1856
495
}
1857
1858
static void
1859
hkdf_close (hkdf_ctx_t h)
1860
495
{
1861
495
  _gcry_mac_close (h->md);
1862
495
  xfree (h->prk);
1863
495
  xfree (h);
1864
495
}
1865

1866
typedef struct x963_kdf_context *x963_kdf_ctx_t;
1867
1868
/* X963KDF context */
1869
struct x963_kdf_context {
1870
  int algo;
1871
  gcry_md_hd_t md;
1872
  unsigned int blklen;
1873
  unsigned int outlen;
1874
  const void *input;
1875
  size_t inputlen;
1876
  const void *sharedinfo;
1877
  size_t sharedinfolen;
1878
};
1879
1880
static gpg_err_code_t
1881
x963_kdf_open (gcry_kdf_hd_t *hd, int hashalgo,
1882
                  const unsigned long *param, unsigned int paramlen,
1883
                  const void *input, size_t inputlen,
1884
                  const void *sharedinfo, size_t sharedinfolen)
1885
517
{
1886
517
  gpg_err_code_t ec;
1887
517
  unsigned int outlen;
1888
517
  x963_kdf_ctx_t o;
1889
517
  size_t n;
1890
1891
517
  if (paramlen != 1)
1892
0
    return GPG_ERR_INV_VALUE;
1893
517
  else
1894
517
    outlen = (unsigned int)param[0];
1895
1896
517
  n = sizeof (struct x963_kdf_context);
1897
517
  o = xtrymalloc (n);
1898
517
  if (!o)
1899
0
    return gpg_err_code_from_errno (errno);
1900
1901
517
  o->blklen = _gcry_md_get_algo_dlen (hashalgo);
1902
517
  if (!o->blklen)
1903
0
    {
1904
0
      xfree (o);
1905
0
      return GPG_ERR_DIGEST_ALGO;
1906
0
    }
1907
517
  ec = _gcry_md_open (&o->md, hashalgo, 0);
1908
517
  if (ec)
1909
0
    {
1910
0
      xfree (o);
1911
0
      return ec;
1912
0
    }
1913
517
  o->algo = GCRY_KDF_X963_KDF;
1914
517
  o->outlen = outlen;
1915
517
  o->input = input;
1916
517
  o->inputlen = inputlen;
1917
517
  o->sharedinfo = sharedinfo;
1918
517
  o->sharedinfolen = sharedinfolen;
1919
1920
517
  *hd = (void *)o;
1921
517
  return 0;
1922
517
}
1923
1924
1925
static gpg_err_code_t
1926
x963_kdf_compute (x963_kdf_ctx_t o, const struct gcry_kdf_thread_ops *ops)
1927
517
{
1928
517
  (void)o;
1929
1930
517
  if (ops != NULL)
1931
0
    return GPG_ERR_INV_VALUE;
1932
1933
517
  return 0;
1934
517
}
1935
1936
static gpg_err_code_t
1937
x963_kdf_final (x963_kdf_ctx_t o, size_t resultlen, void *result)
1938
517
{
1939
517
  u32 counter = 0;
1940
517
  unsigned char cnt[4];
1941
517
  int i;
1942
1943
517
  if (resultlen != o->outlen)
1944
0
    return GPG_ERR_INV_VALUE;
1945
1946
11.9k
  for (i = 0; i < o->outlen / o->blklen; i++)
1947
11.4k
    {
1948
11.4k
      counter++;
1949
11.4k
      _gcry_md_write (o->md, o->input, o->inputlen);
1950
11.4k
      buf_put_be32 (cnt, counter);
1951
11.4k
      _gcry_md_write (o->md, cnt, sizeof (cnt));
1952
11.4k
      if (o->sharedinfolen)
1953
11.0k
        _gcry_md_write (o->md, o->sharedinfo, o->sharedinfolen);
1954
11.4k
      _gcry_md_final (o->md);
1955
11.4k
      memcpy ((char *)result + o->blklen * i,
1956
11.4k
              _gcry_md_read (o->md, 0), o->blklen);
1957
11.4k
      resultlen -= o->blklen;
1958
11.4k
      _gcry_md_reset (o->md);
1959
11.4k
    }
1960
1961
517
  if (resultlen)
1962
485
    {
1963
485
      counter++;
1964
485
      _gcry_md_write (o->md, o->input, o->inputlen);
1965
485
      buf_put_be32 (cnt, counter);
1966
485
      _gcry_md_write (o->md, cnt, sizeof (cnt));
1967
485
      if (o->sharedinfolen)
1968
466
        _gcry_md_write (o->md, o->sharedinfo, o->sharedinfolen);
1969
485
      _gcry_md_final (o->md);
1970
485
      memcpy ((char *)result + o->blklen * i,
1971
485
              _gcry_md_read (o->md, 0), resultlen);
1972
485
    }
1973
1974
517
  return 0;
1975
517
}
1976
1977
static void
1978
x963_kdf_close (x963_kdf_ctx_t o)
1979
517
{
1980
517
  _gcry_md_close (o->md);
1981
517
  xfree (o);
1982
517
}
1983

1984
struct gcry_kdf_handle {
1985
  int algo;
1986
  /* And algo specific parts come.  */
1987
};
1988
1989
gpg_err_code_t
1990
_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
1991
                const unsigned long *param, unsigned int paramlen,
1992
                const void *input, size_t inputlen,
1993
                const void *salt, size_t saltlen,
1994
                const void *key, size_t keylen,
1995
                const void *ad, size_t adlen)
1996
1.70k
{
1997
1.70k
  gpg_err_code_t ec;
1998
1999
1.70k
  switch (algo)
2000
1.70k
    {
2001
518
    case GCRY_KDF_ARGON2:
2002
518
      if (!saltlen)
2003
15
        ec = GPG_ERR_INV_VALUE;
2004
503
      else
2005
503
        ec = argon2_open (hd, subalgo, param, paramlen,
2006
503
                          input, inputlen, salt, saltlen,
2007
503
                          key, keylen, ad, adlen);
2008
518
      break;
2009
2010
0
    case GCRY_KDF_BALLOON:
2011
0
      if (!inputlen || !saltlen || keylen || adlen)
2012
0
        ec = GPG_ERR_INV_VALUE;
2013
0
      else
2014
0
        {
2015
0
          (void)key;
2016
0
          (void)ad;
2017
0
          ec = balloon_open (hd, subalgo, param, paramlen,
2018
0
                             input, inputlen, salt, saltlen);
2019
0
        }
2020
0
      break;
2021
2022
0
    case GCRY_KDF_ONESTEP_KDF:
2023
0
      if (!inputlen || !paramlen || !adlen)
2024
0
        ec = GPG_ERR_INV_VALUE;
2025
0
      else
2026
0
        {
2027
0
          (void)salt;
2028
0
          (void)key;
2029
0
          ec = onestep_kdf_open (hd, subalgo, param, paramlen,
2030
0
                                 input, inputlen, ad, adlen);
2031
0
        }
2032
0
      break;
2033
2034
0
    case GCRY_KDF_ONESTEP_KDF_MAC:
2035
0
      if (!inputlen || !paramlen || !keylen || !adlen)
2036
0
        ec = GPG_ERR_INV_VALUE;
2037
0
      else
2038
0
        {
2039
0
          (void)salt;
2040
0
          ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
2041
0
                                     input, inputlen, key, keylen, ad, adlen);
2042
0
        }
2043
0
      break;
2044
2045
663
    case GCRY_KDF_HKDF:
2046
663
      if (!inputlen || !paramlen)
2047
49
        ec = GPG_ERR_INV_VALUE;
2048
614
      else
2049
614
        {
2050
614
          (void)salt;
2051
614
          ec = hkdf_open (hd, subalgo, param, paramlen,
2052
614
                          input, inputlen, key, keylen, ad, adlen);
2053
614
        }
2054
663
      break;
2055
2056
519
    case GCRY_KDF_X963_KDF:
2057
519
      if (!inputlen || !paramlen)
2058
2
        ec = GPG_ERR_INV_VALUE;
2059
517
      else
2060
517
        {
2061
517
          (void)salt;
2062
517
          (void)key;
2063
517
          ec = x963_kdf_open (hd, subalgo, param, paramlen,
2064
517
                              input, inputlen, ad, adlen);
2065
517
        }
2066
519
      break;
2067
2068
0
    default:
2069
0
      ec = GPG_ERR_UNKNOWN_ALGORITHM;
2070
0
      break;
2071
1.70k
    }
2072
2073
1.70k
  return ec;
2074
1.70k
}
2075
2076
gpg_err_code_t
2077
_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
2078
1.50k
{
2079
1.50k
  gpg_err_code_t ec;
2080
2081
1.50k
  switch (h->algo)
2082
1.50k
    {
2083
497
    case GCRY_KDF_ARGON2:
2084
497
      ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
2085
497
      break;
2086
2087
0
    case GCRY_KDF_BALLOON:
2088
0
      ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
2089
0
      break;
2090
2091
0
    case GCRY_KDF_ONESTEP_KDF:
2092
0
      ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
2093
0
      break;
2094
2095
0
    case GCRY_KDF_ONESTEP_KDF_MAC:
2096
0
      ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
2097
0
      break;
2098
2099
495
    case GCRY_KDF_HKDF:
2100
495
      ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
2101
495
      break;
2102
2103
517
    case GCRY_KDF_X963_KDF:
2104
517
      ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
2105
517
      break;
2106
2107
0
    default:
2108
0
      ec = GPG_ERR_UNKNOWN_ALGORITHM;
2109
0
      break;
2110
1.50k
    }
2111
2112
1.50k
  return ec;
2113
1.50k
}
2114
2115
2116
gpg_err_code_t
2117
_gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
2118
1.50k
{
2119
1.50k
  gpg_err_code_t ec;
2120
2121
1.50k
  switch (h->algo)
2122
1.50k
    {
2123
497
    case GCRY_KDF_ARGON2:
2124
497
      ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
2125
497
      break;
2126
2127
0
    case GCRY_KDF_BALLOON:
2128
0
      ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
2129
0
      break;
2130
2131
0
    case GCRY_KDF_ONESTEP_KDF:
2132
0
      ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result);
2133
0
      break;
2134
2135
0
    case GCRY_KDF_ONESTEP_KDF_MAC:
2136
0
      ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
2137
0
                                  resultlen, result);
2138
0
      break;
2139
2140
495
    case GCRY_KDF_HKDF:
2141
495
      ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
2142
495
      break;
2143
2144
517
    case GCRY_KDF_X963_KDF:
2145
517
      ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
2146
517
      break;
2147
2148
0
    default:
2149
0
      ec = GPG_ERR_UNKNOWN_ALGORITHM;
2150
0
      break;
2151
1.50k
    }
2152
2153
1.50k
  return ec;
2154
1.50k
}
2155
2156
void
2157
_gcry_kdf_close (gcry_kdf_hd_t h)
2158
1.50k
{
2159
1.50k
  switch (h->algo)
2160
1.50k
    {
2161
497
    case GCRY_KDF_ARGON2:
2162
497
      argon2_close ((argon2_ctx_t)(void *)h);
2163
497
      break;
2164
2165
0
    case GCRY_KDF_BALLOON:
2166
0
      balloon_close ((balloon_ctx_t)(void *)h);
2167
0
      break;
2168
2169
0
    case GCRY_KDF_ONESTEP_KDF:
2170
0
      onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
2171
0
      break;
2172
2173
0
    case GCRY_KDF_ONESTEP_KDF_MAC:
2174
0
      onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
2175
0
      break;
2176
2177
495
    case GCRY_KDF_HKDF:
2178
495
      hkdf_close ((hkdf_ctx_t)(void *)h);
2179
495
      break;
2180
2181
517
    case GCRY_KDF_X963_KDF:
2182
517
      x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
2183
517
      break;
2184
2185
0
    default:
2186
0
      break;
2187
1.50k
    }
2188
1.50k
}
2189

2190
/* Check one KDF call with ALGO and HASH_ALGO using the regular KDF
2191
 * API. (passphrase,passphraselen) is the password to be derived,
2192
 * (salt,saltlen) the salt for the key derivation,
2193
 * iterations is the number of the kdf iterations,
2194
 * and (expect,expectlen) the expected result. Returns NULL on
2195
 * success or a string describing the failure.  */
2196
2197
static const char *
2198
check_one (int algo, int hash_algo,
2199
           const void *passphrase, size_t passphraselen,
2200
           const void *salt, size_t saltlen,
2201
           unsigned long iterations,
2202
           const void *expect, size_t expectlen)
2203
0
{
2204
0
  unsigned char key[512]; /* hardcoded to avoid allocation */
2205
0
  size_t keysize = expectlen;
2206
0
  int rv;
2207
2208
0
  if (keysize > sizeof(key))
2209
0
    return "invalid tests data";
2210
2211
0
  rv = _gcry_kdf_derive (passphrase, passphraselen, algo,
2212
0
                         hash_algo, salt, saltlen, iterations,
2213
0
                         keysize, key);
2214
  /* In fips mode we have special requirements for the input and
2215
   * output parameters */
2216
0
  if (fips_mode ())
2217
0
    {
2218
0
      if (rv && (passphraselen < 8 || saltlen < 16 ||
2219
0
                 iterations < 1000 || expectlen < 14))
2220
0
        return NULL;
2221
0
      else if (rv)
2222
0
        return "gcry_kdf_derive unexpectedly failed in FIPS Mode";
2223
0
    }
2224
0
  else if (rv)
2225
0
    return "gcry_kdf_derive failed";
2226
2227
0
  if (memcmp (key, expect, expectlen))
2228
0
    return "does not match";
2229
2230
0
  return NULL;
2231
0
}
2232
2233
2234
static gpg_err_code_t
2235
selftest_pbkdf2 (int extended, selftest_report_func_t report)
2236
0
{
2237
0
  static const struct {
2238
0
    const char *desc;
2239
0
    const char *p;   /* Passphrase.  */
2240
0
    size_t plen;     /* Length of P. */
2241
0
    const char *salt;
2242
0
    size_t saltlen;
2243
0
    int hashalgo;
2244
0
    unsigned long c; /* Iterations.  */
2245
0
    int dklen;       /* Requested key length.  */
2246
0
    const char *dk;  /* Derived key.  */
2247
0
    int disabled;
2248
0
  } tv[] = {
2249
0
#if USE_SHA1
2250
0
#define NUM_TEST_VECTORS 9
2251
    /* SHA1 test vectors are from RFC-6070.  */
2252
0
    {
2253
0
      "Basic PBKDF2 SHA1 #1",
2254
0
      "password", 8,
2255
0
      "salt", 4,
2256
0
      GCRY_MD_SHA1,
2257
0
      1,
2258
0
      20,
2259
0
      "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
2260
0
      "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6"
2261
0
    },
2262
0
    {
2263
0
      "Basic PBKDF2 SHA1 #2",
2264
0
      "password", 8,
2265
0
      "salt", 4,
2266
0
      GCRY_MD_SHA1,
2267
0
      2,
2268
0
      20,
2269
0
      "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e"
2270
0
      "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57"
2271
0
    },
2272
0
    {
2273
0
      "Basic PBKDF2 SHA1 #3",
2274
0
      "password", 8,
2275
0
      "salt", 4,
2276
0
      GCRY_MD_SHA1,
2277
0
      4096,
2278
0
      20,
2279
0
      "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad"
2280
0
      "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1"
2281
0
    },
2282
0
    {
2283
0
      "Basic PBKDF2 SHA1 #4",
2284
0
      "password", 8,
2285
0
      "salt", 4,
2286
0
      GCRY_MD_SHA1,
2287
0
      16777216,
2288
0
      20,
2289
0
      "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94"
2290
0
      "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84",
2291
0
      1 /* This test takes too long.  */
2292
0
    },
2293
0
    {
2294
0
      "Basic PBKDF2 SHA1 #5",
2295
0
      "passwordPASSWORDpassword", 24,
2296
0
      "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
2297
0
      GCRY_MD_SHA1,
2298
0
      4096,
2299
0
      25,
2300
0
      "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8"
2301
0
      "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96"
2302
0
      "\x4c\xf2\xf0\x70\x38"
2303
0
    },
2304
0
    {
2305
0
      "Basic PBKDF2 SHA1 #6",
2306
0
      "pass\0word", 9,
2307
0
      "sa\0lt", 5,
2308
0
      GCRY_MD_SHA1,
2309
0
      4096,
2310
0
      16,
2311
0
      "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37"
2312
0
      "\xd7\xf0\x34\x25\xe0\xc3"
2313
0
    },
2314
0
    { /* empty password test, not in RFC-6070 */
2315
0
      "Basic PBKDF2 SHA1 #7",
2316
0
      "", 0,
2317
0
      "salt", 4,
2318
0
      GCRY_MD_SHA1,
2319
0
      2,
2320
0
      20,
2321
0
      "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2"
2322
0
      "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97"
2323
0
    },
2324
#else
2325
#define NUM_TEST_VECTORS 2
2326
#endif
2327
0
    {
2328
0
      "Basic PBKDF2 SHA256",
2329
0
      "password", 8,
2330
0
      "salt", 4,
2331
0
      GCRY_MD_SHA256,
2332
0
      2,
2333
0
      32,
2334
0
      "\xae\x4d\x0c\x95\xaf\x6b\x46\xd3\x2d\x0a\xdf\xf9\x28\xf0\x6d\xd0"
2335
0
      "\x2a\x30\x3f\x8e\xf3\xc2\x51\xdf\xd6\xe2\xd8\x5a\x95\x47\x4c\x43"
2336
0
    },
2337
0
    {
2338
0
      "Extended PBKDF2 SHA256",
2339
0
      "passwordPASSWORDpassword", 24,
2340
0
      "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36,
2341
0
      GCRY_MD_SHA256,
2342
0
      4096,
2343
0
      40,
2344
0
      "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf"
2345
0
      "\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1"
2346
0
      "\xc6\x35\x51\x8c\x7d\xac\x47\xe9"
2347
0
    },
2348
0
    { NULL }
2349
0
  };
2350
0
  const char *what;
2351
0
  const char *errtxt;
2352
0
  int tvidx;
2353
2354
0
  for (tvidx=0; tv[tvidx].desc; tvidx++)
2355
0
    {
2356
0
      what = tv[tvidx].desc;
2357
0
      if (tv[tvidx].disabled)
2358
0
        continue;
2359
0
      errtxt = check_one (GCRY_KDF_PBKDF2, tv[tvidx].hashalgo,
2360
0
                          tv[tvidx].p, tv[tvidx].plen,
2361
0
                          tv[tvidx].salt, tv[tvidx].saltlen,
2362
0
                          tv[tvidx].c,
2363
0
                          tv[tvidx].dk, tv[tvidx].dklen);
2364
0
      if (errtxt)
2365
0
        goto failed;
2366
0
      if (tvidx >= NUM_TEST_VECTORS - 1 && !extended)
2367
0
        break;
2368
0
    }
2369
2370
0
  return 0; /* Succeeded. */
2371
2372
0
 failed:
2373
0
  if (report)
2374
0
    report ("kdf", GCRY_KDF_PBKDF2, what, errtxt);
2375
0
  return GPG_ERR_SELFTEST_FAILED;
2376
0
}
2377
2378
2379
/* Run the selftests for KDF with KDF algorithm ALGO with optional
2380
   reporting function REPORT.  */
2381
gpg_error_t
2382
_gcry_kdf_selftest (int algo, int extended, selftest_report_func_t report)
2383
0
{
2384
0
  gcry_err_code_t ec = 0;
2385
2386
0
  if (algo == GCRY_KDF_PBKDF2)
2387
0
    ec = selftest_pbkdf2 (extended, report);
2388
0
  else
2389
0
    {
2390
0
      ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
2391
0
      if (report)
2392
0
        report ("kdf", algo, "module", "algorithm not available");
2393
0
    }
2394
0
  return gpg_error (ec);
2395
0
}