/src/libgcrypt/cipher/kdf.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* kdf.c - Key Derivation Functions |
2 | | * Copyright (C) 1998, 2008, 2011 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 g10 Code GmbH |
4 | | * |
5 | | * This file is part of Libgcrypt. |
6 | | * |
7 | | * Libgcrypt is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU Lesser General Public License as |
9 | | * published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * Libgcrypt is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public |
18 | | * License along with this program; if not, see <http://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include <config.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | #include <string.h> |
25 | | #include <errno.h> |
26 | | |
27 | | #include "g10lib.h" |
28 | | #include "cipher.h" |
29 | | #include "kdf-internal.h" |
30 | | |
31 | | |
32 | | /* Transform a passphrase into a suitable key of length KEYSIZE and |
33 | | store this key in the caller provided buffer KEYBUFFER. The caller |
34 | | must provide an HASHALGO, a valid ALGO and depending on that algo a |
35 | | SALT of 8 bytes and the number of ITERATIONS. Code taken from |
36 | | gnupg/agent/protect.c:hash_passphrase. */ |
37 | | static gpg_err_code_t |
38 | | openpgp_s2k (const void *passphrase, size_t passphraselen, |
39 | | int algo, int hashalgo, |
40 | | const void *salt, size_t saltlen, |
41 | | unsigned long iterations, |
42 | | size_t keysize, void *keybuffer) |
43 | 0 | { |
44 | 0 | gpg_err_code_t ec; |
45 | 0 | gcry_md_hd_t md; |
46 | 0 | char *key = keybuffer; |
47 | 0 | int pass, i; |
48 | 0 | int used = 0; |
49 | 0 | int secmode; |
50 | |
|
51 | 0 | if ((algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K) |
52 | 0 | && (!salt || saltlen != 8)) |
53 | 0 | return GPG_ERR_INV_VALUE; |
54 | | |
55 | 0 | secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer); |
56 | |
|
57 | 0 | ec = _gcry_md_open (&md, hashalgo, secmode? GCRY_MD_FLAG_SECURE : 0); |
58 | 0 | if (ec) |
59 | 0 | return ec; |
60 | | |
61 | 0 | for (pass=0; used < keysize; pass++) |
62 | 0 | { |
63 | 0 | if (pass) |
64 | 0 | { |
65 | 0 | _gcry_md_reset (md); |
66 | 0 | for (i=0; i < pass; i++) /* Preset the hash context. */ |
67 | 0 | _gcry_md_putc (md, 0); |
68 | 0 | } |
69 | |
|
70 | 0 | if (algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K) |
71 | 0 | { |
72 | 0 | int len2 = passphraselen + 8; |
73 | 0 | unsigned long count = len2; |
74 | |
|
75 | 0 | if (algo == GCRY_KDF_ITERSALTED_S2K) |
76 | 0 | { |
77 | 0 | count = iterations; |
78 | 0 | if (count < len2) |
79 | 0 | count = len2; |
80 | 0 | } |
81 | |
|
82 | 0 | while (count > len2) |
83 | 0 | { |
84 | 0 | _gcry_md_write (md, salt, saltlen); |
85 | 0 | _gcry_md_write (md, passphrase, passphraselen); |
86 | 0 | count -= len2; |
87 | 0 | } |
88 | 0 | if (count < saltlen) |
89 | 0 | _gcry_md_write (md, salt, count); |
90 | 0 | else |
91 | 0 | { |
92 | 0 | _gcry_md_write (md, salt, saltlen); |
93 | 0 | count -= saltlen; |
94 | 0 | _gcry_md_write (md, passphrase, count); |
95 | 0 | } |
96 | 0 | } |
97 | 0 | else |
98 | 0 | _gcry_md_write (md, passphrase, passphraselen); |
99 | |
|
100 | 0 | _gcry_md_final (md); |
101 | 0 | i = _gcry_md_get_algo_dlen (hashalgo); |
102 | 0 | if (i > keysize - used) |
103 | 0 | i = keysize - used; |
104 | 0 | memcpy (key+used, _gcry_md_read (md, hashalgo), i); |
105 | 0 | used += i; |
106 | 0 | } |
107 | 0 | _gcry_md_close (md); |
108 | 0 | return 0; |
109 | 0 | } |
110 | | |
111 | | |
112 | | /* Transform a passphrase into a suitable key of length KEYSIZE and |
113 | | store this key in the caller provided buffer KEYBUFFER. The caller |
114 | | must provide PRFALGO which indicates the pseudorandom function to |
115 | | use: This shall be the algorithms id of a hash algorithm; it is |
116 | | used in HMAC mode. SALT is a salt of length SALTLEN and ITERATIONS |
117 | | gives the number of iterations. */ |
118 | | gpg_err_code_t |
119 | | _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, |
120 | | int hashalgo, |
121 | | const void *salt, size_t saltlen, |
122 | | unsigned long iterations, |
123 | | size_t keysize, void *keybuffer) |
124 | 1.30k | { |
125 | 1.30k | gpg_err_code_t ec; |
126 | 1.30k | gcry_md_hd_t md; |
127 | 1.30k | int secmode; |
128 | 1.30k | unsigned long dklen = keysize; |
129 | 1.30k | char *dk = keybuffer; |
130 | 1.30k | unsigned int hlen; /* Output length of the digest function. */ |
131 | 1.30k | unsigned int l; /* Rounded up number of blocks. */ |
132 | 1.30k | unsigned int r; /* Number of octets in the last block. */ |
133 | 1.30k | char *sbuf; /* Malloced buffer to concatenate salt and iter |
134 | | as well as space to hold TBUF and UBUF. */ |
135 | 1.30k | char *tbuf; /* Buffer for T; ptr into SBUF, size is HLEN. */ |
136 | 1.30k | char *ubuf; /* Buffer for U; ptr into SBUF, size is HLEN. */ |
137 | 1.30k | unsigned int lidx; /* Current block number. */ |
138 | 1.30k | unsigned long iter; /* Current iteration number. */ |
139 | 1.30k | unsigned int i; |
140 | | |
141 | | /* We allow for a saltlen of 0 here to support scrypt. It is not |
142 | | clear whether rfc2898 allows for this this, thus we do a test on |
143 | | saltlen > 0 only in gcry_kdf_derive. */ |
144 | 1.30k | if (!salt || !iterations || !dklen) |
145 | 160 | return GPG_ERR_INV_VALUE; |
146 | | |
147 | 1.14k | hlen = _gcry_md_get_algo_dlen (hashalgo); |
148 | 1.14k | if (!hlen) |
149 | 0 | return GPG_ERR_DIGEST_ALGO; |
150 | | |
151 | 1.14k | secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer); |
152 | | |
153 | | /* Step 1 */ |
154 | | /* If dkLen > (2^32 - 1) * hLen, output "derived key too long" and |
155 | | * stop. We use a stronger inequality but only if our type can hold |
156 | | * a larger value. */ |
157 | | |
158 | 1.14k | #if SIZEOF_UNSIGNED_LONG > 4 |
159 | 1.14k | if (dklen > 0xffffffffU) |
160 | 0 | return GPG_ERR_INV_VALUE; |
161 | 1.14k | #endif |
162 | | |
163 | | /* Step 2 */ |
164 | 1.14k | l = ((dklen - 1)/ hlen) + 1; |
165 | 1.14k | r = dklen - (l - 1) * hlen; |
166 | | |
167 | | /* Setup buffers and prepare a hash context. */ |
168 | 1.14k | sbuf = (secmode |
169 | 1.14k | ? xtrymalloc_secure (saltlen + 4 + hlen + hlen) |
170 | 1.14k | : xtrymalloc (saltlen + 4 + hlen + hlen)); |
171 | 1.14k | if (!sbuf) |
172 | 0 | return gpg_err_code_from_syserror (); |
173 | 1.14k | tbuf = sbuf + saltlen + 4; |
174 | 1.14k | ubuf = tbuf + hlen; |
175 | | |
176 | 1.14k | ec = _gcry_md_open (&md, hashalgo, (GCRY_MD_FLAG_HMAC |
177 | 1.14k | | (secmode?GCRY_MD_FLAG_SECURE:0))); |
178 | 1.14k | if (ec) |
179 | 0 | { |
180 | 0 | xfree (sbuf); |
181 | 0 | return ec; |
182 | 0 | } |
183 | | |
184 | 1.14k | ec = _gcry_md_setkey (md, passphrase, passphraselen); |
185 | 1.14k | if (ec) |
186 | 0 | { |
187 | 0 | _gcry_md_close (md); |
188 | 0 | xfree (sbuf); |
189 | 0 | return ec; |
190 | 0 | } |
191 | | |
192 | | /* Step 3 and 4. */ |
193 | 1.14k | memcpy (sbuf, salt, saltlen); |
194 | 34.7k | for (lidx = 1; lidx <= l; lidx++) |
195 | 33.6k | { |
196 | 94.6k | for (iter = 0; iter < iterations; iter++) |
197 | 60.9k | { |
198 | 60.9k | _gcry_md_reset (md); |
199 | 60.9k | if (!iter) /* Compute U_1: */ |
200 | 33.6k | { |
201 | 33.6k | sbuf[saltlen] = (lidx >> 24); |
202 | 33.6k | sbuf[saltlen + 1] = (lidx >> 16); |
203 | 33.6k | sbuf[saltlen + 2] = (lidx >> 8); |
204 | 33.6k | sbuf[saltlen + 3] = lidx; |
205 | 33.6k | _gcry_md_write (md, sbuf, saltlen + 4); |
206 | 33.6k | memcpy (ubuf, _gcry_md_read (md, 0), hlen); |
207 | 33.6k | memcpy (tbuf, ubuf, hlen); |
208 | 33.6k | } |
209 | 27.3k | else /* Compute U_(2..c): */ |
210 | 27.3k | { |
211 | 27.3k | _gcry_md_write (md, ubuf, hlen); |
212 | 27.3k | memcpy (ubuf, _gcry_md_read (md, 0), hlen); |
213 | 648k | for (i=0; i < hlen; i++) |
214 | 620k | tbuf[i] ^= ubuf[i]; |
215 | 27.3k | } |
216 | 60.9k | } |
217 | 33.6k | if (lidx == l) /* Last block. */ |
218 | 1.14k | memcpy (dk, tbuf, r); |
219 | 32.4k | else |
220 | 32.4k | { |
221 | 32.4k | memcpy (dk, tbuf, hlen); |
222 | 32.4k | dk += hlen; |
223 | 32.4k | } |
224 | 33.6k | } |
225 | | |
226 | 1.14k | _gcry_md_close (md); |
227 | 1.14k | xfree (sbuf); |
228 | 1.14k | return 0; |
229 | 1.14k | } |
230 | | |
231 | | |
232 | | /* Derive a key from a passphrase. KEYSIZE gives the requested size |
233 | | of the keys in octets. KEYBUFFER is a caller provided buffer |
234 | | filled on success with the derived key. The input passphrase is |
235 | | taken from (PASSPHRASE,PASSPHRASELEN) which is an arbitrary memory |
236 | | buffer. ALGO specifies the KDF algorithm to use; these are the |
237 | | constants GCRY_KDF_*. SUBALGO specifies an algorithm used |
238 | | internally by the KDF algorithms; this is usually a hash algorithm |
239 | | but certain KDF algorithm may use it differently. {SALT,SALTLEN} |
240 | | is a salt as needed by most KDF algorithms. ITERATIONS is a |
241 | | positive integer parameter to most KDFs. 0 is returned on success, |
242 | | or an error code on failure. */ |
243 | | gpg_err_code_t |
244 | | _gcry_kdf_derive (const void *passphrase, size_t passphraselen, |
245 | | int algo, int subalgo, |
246 | | const void *salt, size_t saltlen, |
247 | | unsigned long iterations, |
248 | | size_t keysize, void *keybuffer) |
249 | 1.29k | { |
250 | 1.29k | gpg_err_code_t ec; |
251 | | |
252 | 1.29k | if (!passphrase) |
253 | 0 | { |
254 | 0 | ec = GPG_ERR_INV_DATA; |
255 | 0 | goto leave; |
256 | 0 | } |
257 | | |
258 | 1.29k | if (!keybuffer || !keysize) |
259 | 76 | { |
260 | 76 | ec = GPG_ERR_INV_VALUE; |
261 | 76 | goto leave; |
262 | 76 | } |
263 | | |
264 | | |
265 | 1.21k | switch (algo) |
266 | 1.21k | { |
267 | 0 | case GCRY_KDF_SIMPLE_S2K: |
268 | 0 | case GCRY_KDF_SALTED_S2K: |
269 | 0 | case GCRY_KDF_ITERSALTED_S2K: |
270 | 0 | if (!passphraselen) |
271 | 0 | ec = GPG_ERR_INV_DATA; |
272 | 0 | else |
273 | 0 | ec = openpgp_s2k (passphrase, passphraselen, algo, subalgo, |
274 | 0 | salt, saltlen, iterations, keysize, keybuffer); |
275 | 0 | break; |
276 | | |
277 | 0 | case GCRY_KDF_PBKDF1: |
278 | 0 | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
279 | 0 | break; |
280 | | |
281 | 1.03k | case GCRY_KDF_PBKDF2: |
282 | 1.03k | if (!saltlen) |
283 | 34 | ec = GPG_ERR_INV_VALUE; |
284 | 1.00k | else |
285 | 1.00k | { |
286 | | /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */ |
287 | 1.00k | if (fips_mode () && passphraselen < 8) |
288 | 0 | return GPG_ERR_INV_VALUE; |
289 | | |
290 | | /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */ |
291 | 1.00k | if (fips_mode () && saltlen < 16) |
292 | 0 | return GPG_ERR_INV_VALUE; |
293 | | |
294 | | /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */ |
295 | 1.00k | if (fips_mode () && iterations < 1000) |
296 | 0 | return GPG_ERR_INV_VALUE; |
297 | | |
298 | | /* Check minimum key size */ |
299 | 1.00k | if (fips_mode () && keysize < 14) |
300 | 0 | return GPG_ERR_INV_VALUE; |
301 | | |
302 | 1.00k | ec = _gcry_kdf_pkdf2 (passphrase, passphraselen, subalgo, |
303 | 1.00k | salt, saltlen, iterations, keysize, keybuffer); |
304 | 1.00k | } |
305 | 1.03k | break; |
306 | | |
307 | 1.03k | case 41: |
308 | 179 | case GCRY_KDF_SCRYPT: |
309 | 179 | #if USE_SCRYPT |
310 | 179 | ec = _gcry_kdf_scrypt (passphrase, passphraselen, algo, subalgo, |
311 | 179 | salt, saltlen, iterations, keysize, keybuffer); |
312 | | #else |
313 | | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
314 | | #endif /*USE_SCRYPT*/ |
315 | 179 | break; |
316 | | |
317 | 0 | default: |
318 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
319 | 0 | break; |
320 | 1.21k | } |
321 | | |
322 | 1.29k | leave: |
323 | 1.29k | return ec; |
324 | 1.21k | } |
325 | | |
326 | | #include "bufhelp.h" |
327 | | |
328 | | typedef struct argon2_context *argon2_ctx_t; |
329 | | |
330 | | /* Per thread data for Argon2. */ |
331 | | struct argon2_thread_data { |
332 | | argon2_ctx_t a; |
333 | | unsigned int pass; |
334 | | unsigned int slice; |
335 | | unsigned int lane; |
336 | | }; |
337 | | |
338 | | /* Argon2 context */ |
339 | | struct argon2_context { |
340 | | int algo; |
341 | | int hash_type; |
342 | | |
343 | | unsigned int outlen; |
344 | | |
345 | | const unsigned char *password; |
346 | | size_t passwordlen; |
347 | | |
348 | | const unsigned char *salt; |
349 | | size_t saltlen; |
350 | | |
351 | | const unsigned char *key; |
352 | | size_t keylen; |
353 | | |
354 | | const unsigned char *ad; |
355 | | size_t adlen; |
356 | | |
357 | | unsigned int m_cost; |
358 | | |
359 | | unsigned int passes; |
360 | | unsigned int memory_blocks; |
361 | | unsigned int segment_length; |
362 | | unsigned int lane_length; |
363 | | unsigned int lanes; |
364 | | |
365 | | u64 *block; |
366 | | struct argon2_thread_data *thread_data; |
367 | | |
368 | | unsigned char out[1]; /* In future, we may use flexible array member. */ |
369 | | }; |
370 | | |
371 | 497 | #define ARGON2_VERSION 0x13 |
372 | | |
373 | 3.72G | #define ARGON2_WORDS_IN_BLOCK (1024/8) |
374 | | |
375 | | static void |
376 | | xor_block (u64 *dst, const u64 *src) |
377 | 28.5M | { |
378 | 28.5M | int i; |
379 | | |
380 | 3.68G | for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++) |
381 | 3.65G | dst[i] ^= src[i]; |
382 | 28.5M | } |
383 | | |
384 | | static void |
385 | | beswap64_block (u64 *dst) |
386 | 84.5k | { |
387 | | #ifdef WORDS_BIGENDIAN |
388 | | int i; |
389 | | |
390 | | /* Swap a block in big-endian 64-bit word into one in |
391 | | little-endian. */ |
392 | | for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++) |
393 | | dst[i] = _gcry_bswap64 (dst[i]); |
394 | | #else |
395 | | /* Nothing to do. */ |
396 | 84.5k | (void)dst; |
397 | 84.5k | #endif |
398 | 84.5k | } |
399 | | |
400 | | |
401 | | static gpg_err_code_t |
402 | | argon2_fill_first_blocks (argon2_ctx_t a) |
403 | 497 | { |
404 | 497 | unsigned char h0_01_i[72]; |
405 | 497 | unsigned char buf[10][4]; |
406 | 497 | gcry_buffer_t iov[8]; |
407 | 497 | unsigned int iov_count = 0; |
408 | 497 | int i; |
409 | | |
410 | | /* Generate H0. */ |
411 | 497 | buf_put_le32 (buf[0], a->lanes); |
412 | 497 | buf_put_le32 (buf[1], a->outlen); |
413 | 497 | buf_put_le32 (buf[2], a->m_cost); |
414 | 497 | buf_put_le32 (buf[3], a->passes); |
415 | 497 | buf_put_le32 (buf[4], ARGON2_VERSION); |
416 | 497 | buf_put_le32 (buf[5], a->hash_type); |
417 | 497 | buf_put_le32 (buf[6], a->passwordlen); |
418 | 497 | iov[iov_count].data = buf[0]; |
419 | 497 | iov[iov_count].len = 4 * 7; |
420 | 497 | iov[iov_count].off = 0; |
421 | 497 | iov_count++; |
422 | 497 | if (a->passwordlen) |
423 | 492 | { |
424 | 492 | iov[iov_count].data = (void *)a->password; |
425 | 492 | iov[iov_count].len = a->passwordlen; |
426 | 492 | iov[iov_count].off = 0; |
427 | 492 | iov_count++; |
428 | 492 | } |
429 | | |
430 | 497 | buf_put_le32 (buf[7], a->saltlen); |
431 | 497 | iov[iov_count].data = buf[7]; |
432 | 497 | iov[iov_count].len = 4; |
433 | 497 | iov[iov_count].off = 0; |
434 | 497 | iov_count++; |
435 | 497 | iov[iov_count].data = (void *)a->salt; |
436 | 497 | iov[iov_count].len = a->saltlen; |
437 | 497 | iov[iov_count].off = 0; |
438 | 497 | iov_count++; |
439 | | |
440 | 497 | buf_put_le32 (buf[8], a->keylen); |
441 | 497 | iov[iov_count].data = buf[8]; |
442 | 497 | iov[iov_count].len = 4; |
443 | 497 | iov[iov_count].off = 0; |
444 | 497 | iov_count++; |
445 | 497 | if (a->key) |
446 | 0 | { |
447 | 0 | iov[iov_count].data = (void *)a->key; |
448 | 0 | iov[iov_count].len = a->keylen; |
449 | 0 | iov[iov_count].off = 0; |
450 | 0 | iov_count++; |
451 | 0 | } |
452 | | |
453 | 497 | buf_put_le32 (buf[9], a->adlen); |
454 | 497 | iov[iov_count].data = buf[9]; |
455 | 497 | iov[iov_count].len = 4; |
456 | 497 | iov[iov_count].off = 0; |
457 | 497 | iov_count++; |
458 | 497 | if (a->ad) |
459 | 0 | { |
460 | 0 | iov[iov_count].data = (void *)a->ad; |
461 | 0 | iov[iov_count].len = a->adlen; |
462 | 0 | iov[iov_count].off = 0; |
463 | 0 | iov_count++; |
464 | 0 | } |
465 | | |
466 | 497 | _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count); |
467 | | |
468 | 42.5k | for (i = 0; i < a->lanes; i++) |
469 | 42.0k | { |
470 | 42.0k | memset (h0_01_i+64, 0, 4); |
471 | 42.0k | buf_put_le32 (h0_01_i+64+4, i); |
472 | 42.0k | blake2b_vl_hash (h0_01_i, 72, 1024, |
473 | 42.0k | &a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]); |
474 | 42.0k | beswap64_block (&a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]); |
475 | | |
476 | 42.0k | buf_put_le32 (h0_01_i+64, 1); |
477 | 42.0k | blake2b_vl_hash (h0_01_i, 72, 1024, |
478 | 42.0k | &a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]); |
479 | 42.0k | beswap64_block (&a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]); |
480 | 42.0k | } |
481 | 497 | return 0; |
482 | 497 | } |
483 | | |
484 | | static gpg_err_code_t |
485 | | argon2_init (argon2_ctx_t a, unsigned int parallelism, |
486 | | unsigned int m_cost, unsigned int t_cost) |
487 | 497 | { |
488 | 497 | gpg_err_code_t ec = 0; |
489 | 497 | unsigned int memory_blocks; |
490 | 497 | unsigned int segment_length; |
491 | 497 | void *block; |
492 | 497 | struct argon2_thread_data *thread_data; |
493 | | |
494 | 497 | memory_blocks = m_cost; |
495 | 497 | if (memory_blocks < 8 * parallelism) |
496 | 18 | memory_blocks = 8 * parallelism; |
497 | | |
498 | 497 | segment_length = memory_blocks / (parallelism * 4); |
499 | 497 | memory_blocks = segment_length * parallelism * 4; |
500 | | |
501 | 497 | a->passes = t_cost; |
502 | 497 | a->memory_blocks = memory_blocks; |
503 | 497 | a->segment_length = segment_length; |
504 | 497 | a->lane_length = segment_length * 4; |
505 | 497 | a->lanes = parallelism; |
506 | | |
507 | 497 | a->block = NULL; |
508 | 497 | a->thread_data = NULL; |
509 | | |
510 | 497 | block = xtrymalloc (1024 * memory_blocks); |
511 | 497 | if (!block) |
512 | 0 | { |
513 | 0 | ec = gpg_err_code_from_errno (errno); |
514 | 0 | return ec; |
515 | 0 | } |
516 | 497 | memset (block, 0, 1024 * memory_blocks); |
517 | | |
518 | 497 | thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data)); |
519 | 497 | if (!thread_data) |
520 | 0 | { |
521 | 0 | ec = gpg_err_code_from_errno (errno); |
522 | 0 | xfree (block); |
523 | 0 | return ec; |
524 | 0 | } |
525 | | |
526 | 497 | memset (thread_data, 0, a->lanes * sizeof (struct argon2_thread_data)); |
527 | | |
528 | 497 | a->block = block; |
529 | 497 | a->thread_data = thread_data; |
530 | 497 | return 0; |
531 | 497 | } |
532 | | |
533 | | |
534 | | static u64 fBlaMka (u64 x, u64 y) |
535 | 6.20G | { |
536 | 6.20G | const u64 m = U64_C(0xFFFFFFFF); |
537 | 6.20G | return x + y + 2 * (x & m) * (y & m); |
538 | 6.20G | } |
539 | | |
540 | | static u64 rotr64 (u64 w, unsigned int c) |
541 | 6.20G | { |
542 | 6.20G | return (w >> c) | (w << (64 - c)); |
543 | 6.20G | } |
544 | | |
545 | | #define G(a, b, c, d) \ |
546 | 1.55G | do { \ |
547 | 1.55G | a = fBlaMka(a, b); \ |
548 | 1.55G | d = rotr64(d ^ a, 32); \ |
549 | 1.55G | c = fBlaMka(c, d); \ |
550 | 1.55G | b = rotr64(b ^ c, 24); \ |
551 | 1.55G | a = fBlaMka(a, b); \ |
552 | 1.55G | d = rotr64(d ^ a, 16); \ |
553 | 1.55G | c = fBlaMka(c, d); \ |
554 | 1.55G | b = rotr64(b ^ c, 63); \ |
555 | 1.55G | } while ((void)0, 0) |
556 | | |
557 | | #define BLAKE2_ROUND_NOMSG(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, \ |
558 | | v12, v13, v14, v15) \ |
559 | 194M | do { \ |
560 | 194M | G(v0, v4, v8, v12); \ |
561 | 194M | G(v1, v5, v9, v13); \ |
562 | 194M | G(v2, v6, v10, v14); \ |
563 | 194M | G(v3, v7, v11, v15); \ |
564 | 194M | G(v0, v5, v10, v15); \ |
565 | 194M | G(v1, v6, v11, v12); \ |
566 | 194M | G(v2, v7, v8, v13); \ |
567 | 194M | G(v3, v4, v9, v14); \ |
568 | 194M | } while ((void)0, 0) |
569 | | |
570 | | static void |
571 | | fill_block (const u64 *prev_block, const u64 *ref_block, u64 *curr_block, |
572 | | int with_xor) |
573 | 12.1M | { |
574 | 12.1M | u64 block_r[ARGON2_WORDS_IN_BLOCK]; |
575 | 12.1M | u64 block_tmp[ARGON2_WORDS_IN_BLOCK]; |
576 | 12.1M | int i; |
577 | | |
578 | 12.1M | memcpy (block_r, ref_block, 1024); |
579 | 12.1M | if (prev_block) |
580 | 11.9M | xor_block (block_r, prev_block); |
581 | 12.1M | memcpy (block_tmp, block_r, 1024); |
582 | | |
583 | 12.1M | if (with_xor) |
584 | 4.45M | xor_block (block_tmp, curr_block); |
585 | | |
586 | 109M | for (i = 0; i < 8; ++i) |
587 | 97.0M | BLAKE2_ROUND_NOMSG |
588 | 12.1M | (block_r[16 * i], block_r[16 * i + 1], block_r[16 * i + 2], |
589 | 12.1M | block_r[16 * i + 3], block_r[16 * i + 4], block_r[16 * i + 5], |
590 | 12.1M | block_r[16 * i + 6], block_r[16 * i + 7], block_r[16 * i + 8], |
591 | 12.1M | block_r[16 * i + 9], block_r[16 * i + 10], block_r[16 * i + 11], |
592 | 12.1M | block_r[16 * i + 12], block_r[16 * i + 13], block_r[16 * i + 14], |
593 | 12.1M | block_r[16 * i + 15]); |
594 | | |
595 | 109M | for (i = 0; i < 8; i++) |
596 | 97.0M | BLAKE2_ROUND_NOMSG |
597 | 12.1M | (block_r[2 * i], block_r[2 * i + 1], block_r[2 * i + 16], |
598 | 12.1M | block_r[2 * i + 17], block_r[2 * i + 32], block_r[2 * i + 33], |
599 | 12.1M | block_r[2 * i + 48], block_r[2 * i + 49], block_r[2 * i + 64], |
600 | 12.1M | block_r[2 * i + 65], block_r[2 * i + 80], block_r[2 * i + 81], |
601 | 12.1M | block_r[2 * i + 96], block_r[2 * i + 97], block_r[2 * i + 112], |
602 | 12.1M | block_r[2 * i + 113]); |
603 | | |
604 | 12.1M | memcpy (curr_block, block_tmp, 1024); |
605 | 12.1M | xor_block (curr_block, block_r); |
606 | 12.1M | } |
607 | | |
608 | | static void |
609 | | pseudo_random_generate (u64 *random_block, u64 *input_block) |
610 | 107k | { |
611 | 107k | input_block[6]++; |
612 | 107k | fill_block (NULL, input_block, random_block, 0); |
613 | 107k | fill_block (NULL, random_block, random_block, 0); |
614 | 107k | } |
615 | | |
616 | | static u32 |
617 | | index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t, |
618 | | int segment_index, u32 random, int same_lane) |
619 | 11.9M | { |
620 | 11.9M | u32 reference_area_size; |
621 | 11.9M | u64 relative_position; |
622 | 11.9M | u32 start_position; |
623 | | |
624 | 11.9M | if (t->pass == 0) |
625 | 7.46M | { |
626 | 7.46M | if (t->slice == 0) |
627 | 1.80M | reference_area_size = segment_index - 1; |
628 | 5.65M | else |
629 | 5.65M | { |
630 | 5.65M | if (same_lane) |
631 | 434k | reference_area_size = t->slice * a->segment_length |
632 | 434k | + segment_index - 1; |
633 | 5.21M | else |
634 | 5.21M | reference_area_size = t->slice * a->segment_length + |
635 | 5.21M | ((segment_index == 0) ? -1 : 0); |
636 | 5.65M | } |
637 | 7.46M | } |
638 | 4.45M | else |
639 | 4.45M | { |
640 | 4.45M | if (same_lane) |
641 | 276k | reference_area_size = a->lane_length |
642 | 276k | - a->segment_length + segment_index - 1; |
643 | 4.17M | else |
644 | 4.17M | reference_area_size = a->lane_length |
645 | 4.17M | - a->segment_length + ((segment_index == 0) ? -1 : 0); |
646 | 4.45M | } |
647 | | |
648 | 11.9M | relative_position = (random * (u64)random) >> 32; |
649 | 11.9M | relative_position = reference_area_size - 1 - |
650 | 11.9M | ((reference_area_size * relative_position) >> 32); |
651 | | |
652 | 11.9M | if (t->pass == 0) |
653 | 7.46M | start_position = 0; |
654 | 4.45M | else |
655 | 4.45M | start_position = (t->slice == 4 - 1) |
656 | 4.45M | ? 0 |
657 | 4.45M | : (t->slice + 1) * a->segment_length; |
658 | | |
659 | 11.9M | return (start_position + relative_position) % a->lane_length; |
660 | 11.9M | } |
661 | | |
662 | | static void |
663 | | argon2_compute_segment (void *priv) |
664 | 251k | { |
665 | 251k | const struct argon2_thread_data *t = (const struct argon2_thread_data *)priv; |
666 | 251k | argon2_ctx_t a = t->a; |
667 | 251k | int i; |
668 | 251k | int prev_offset, curr_offset; |
669 | 251k | u32 ref_index, ref_lane; |
670 | 251k | u64 input_block[1024/sizeof (u64)]; |
671 | 251k | u64 address_block[1024/sizeof (u64)]; |
672 | 251k | u64 *random_block = NULL; |
673 | | |
674 | 251k | if (a->hash_type == GCRY_KDF_ARGON2I |
675 | 251k | || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2)) |
676 | 97.4k | { |
677 | 97.4k | memset (input_block, 0, 1024); |
678 | 97.4k | input_block[0] = t->pass; |
679 | 97.4k | input_block[1] = t->lane; |
680 | 97.4k | input_block[2] = t->slice; |
681 | 97.4k | input_block[3] = a->memory_blocks; |
682 | 97.4k | input_block[4] = a->passes; |
683 | 97.4k | input_block[5] = a->hash_type; |
684 | 97.4k | random_block = address_block; |
685 | 97.4k | } |
686 | | |
687 | 251k | if (t->pass == 0 && t->slice == 0) |
688 | 39.0k | { |
689 | 39.0k | if (random_block) |
690 | 23.2k | pseudo_random_generate (random_block, input_block); |
691 | 39.0k | i = 2; |
692 | 39.0k | } |
693 | 212k | else |
694 | 212k | i = 0; |
695 | | |
696 | 251k | curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i; |
697 | 251k | if ((curr_offset % a->lane_length)) |
698 | 227k | prev_offset = curr_offset - 1; |
699 | 23.8k | else |
700 | 23.8k | prev_offset = curr_offset + a->lane_length - 1; |
701 | | |
702 | 12.1M | for (; i < a->segment_length; i++, curr_offset++, prev_offset++) |
703 | 11.9M | { |
704 | 11.9M | u64 *ref_block, *curr_block; |
705 | 11.9M | u64 rand64; |
706 | | |
707 | 11.9M | if ((curr_offset % a->lane_length) == 1) |
708 | 23.8k | prev_offset = curr_offset - 1; |
709 | | |
710 | 11.9M | if (random_block) |
711 | 4.61M | { |
712 | 4.61M | if ((i % (1024/sizeof (u64))) == 0) |
713 | 84.0k | pseudo_random_generate (random_block, input_block); |
714 | | |
715 | 4.61M | rand64 = random_block[(i% (1024/sizeof (u64)))]; |
716 | 4.61M | } |
717 | 7.29M | else |
718 | 7.29M | rand64 = a->block[prev_offset*ARGON2_WORDS_IN_BLOCK]; |
719 | | |
720 | 11.9M | if (t->pass == 0 && t->slice == 0) |
721 | 1.80M | ref_lane = t->lane; |
722 | 10.1M | else |
723 | 10.1M | ref_lane = (rand64 >> 32) % a->lanes; |
724 | | |
725 | 11.9M | ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff), |
726 | 11.9M | ref_lane == t->lane); |
727 | 11.9M | ref_block = |
728 | 11.9M | &a->block[(a->lane_length * ref_lane + ref_index)* ARGON2_WORDS_IN_BLOCK]; |
729 | | |
730 | 11.9M | curr_block = &a->block[curr_offset * ARGON2_WORDS_IN_BLOCK]; |
731 | 11.9M | fill_block (&a->block[prev_offset * ARGON2_WORDS_IN_BLOCK], ref_block, |
732 | 11.9M | curr_block, t->pass != 0); |
733 | 11.9M | } |
734 | 251k | } |
735 | | |
736 | | |
737 | | static gpg_err_code_t |
738 | | argon2_compute (argon2_ctx_t a, const struct gcry_kdf_thread_ops *ops) |
739 | 497 | { |
740 | 497 | gpg_err_code_t ec; |
741 | 497 | unsigned int r; |
742 | 497 | unsigned int s; |
743 | 497 | unsigned int l; |
744 | 497 | int ret; |
745 | | |
746 | 497 | ec = argon2_fill_first_blocks (a); |
747 | 497 | if (ec) |
748 | 0 | return ec; |
749 | | |
750 | 1.23k | for (r = 0; r < a->passes; r++) |
751 | 3.69k | for (s = 0; s < 4; s++) |
752 | 2.95k | { |
753 | 254k | for (l = 0; l < a->lanes; l++) |
754 | 251k | { |
755 | 251k | struct argon2_thread_data *thread_data; |
756 | | |
757 | | /* launch a thread. */ |
758 | 251k | thread_data = &a->thread_data[l]; |
759 | 251k | thread_data->a = a; |
760 | 251k | thread_data->pass = r; |
761 | 251k | thread_data->slice = s; |
762 | 251k | thread_data->lane = l; |
763 | | |
764 | 251k | if (ops) |
765 | 0 | { |
766 | 0 | ret = ops->dispatch_job (ops->jobs_context, |
767 | 0 | argon2_compute_segment, thread_data); |
768 | 0 | if (ret < 0) |
769 | 0 | return GPG_ERR_CANCELED; |
770 | 0 | } |
771 | 251k | else |
772 | 251k | argon2_compute_segment (thread_data); |
773 | 251k | } |
774 | | |
775 | 2.95k | if (ops) |
776 | 0 | { |
777 | 0 | ret = ops->wait_all_jobs (ops->jobs_context); |
778 | 0 | if (ret < 0) |
779 | 0 | return GPG_ERR_CANCELED; |
780 | 0 | } |
781 | 2.95k | } |
782 | | |
783 | 497 | return 0; |
784 | 497 | } |
785 | | |
786 | | |
787 | | static gpg_err_code_t |
788 | | argon2_final (argon2_ctx_t a, size_t resultlen, void *result) |
789 | 497 | { |
790 | 497 | int i; |
791 | | |
792 | 497 | if (resultlen != a->outlen) |
793 | 0 | return GPG_ERR_INV_VALUE; |
794 | | |
795 | 497 | memset (a->block, 0, 1024); |
796 | 42.5k | for (i = 0; i < a->lanes; i++) |
797 | 42.0k | { |
798 | 42.0k | u64 *last_block; |
799 | | |
800 | 42.0k | last_block = &a->block[(a->lane_length * i + (a->lane_length - 1)) |
801 | 42.0k | * ARGON2_WORDS_IN_BLOCK]; |
802 | 42.0k | xor_block (a->block, last_block); |
803 | 42.0k | } |
804 | | |
805 | 497 | beswap64_block (a->block); |
806 | 497 | blake2b_vl_hash (a->block, 1024, a->outlen, result); |
807 | 497 | return 0; |
808 | 497 | } |
809 | | |
810 | | static void |
811 | | argon2_close (argon2_ctx_t a) |
812 | 497 | { |
813 | 497 | size_t n; |
814 | | |
815 | 497 | n = offsetof (struct argon2_context, out) + a->outlen; |
816 | | |
817 | 497 | if (a->block) |
818 | 497 | { |
819 | 497 | wipememory (a->block, 1024 * a->memory_blocks); |
820 | 497 | xfree (a->block); |
821 | 497 | } |
822 | | |
823 | 497 | if (a->thread_data) |
824 | 497 | xfree (a->thread_data); |
825 | | |
826 | 497 | wipememory (a, n); |
827 | 497 | xfree (a); |
828 | 497 | } |
829 | | |
830 | | static gpg_err_code_t |
831 | | argon2_open (gcry_kdf_hd_t *hd, int subalgo, |
832 | | const unsigned long *param, unsigned int paramlen, |
833 | | const void *password, size_t passwordlen, |
834 | | const void *salt, size_t saltlen, |
835 | | const void *key, size_t keylen, |
836 | | const void *ad, size_t adlen) |
837 | 503 | { |
838 | 503 | int hash_type; |
839 | 503 | unsigned int taglen; |
840 | 503 | unsigned int t_cost; |
841 | 503 | unsigned int m_cost; |
842 | 503 | unsigned int parallelism = 1; |
843 | 503 | argon2_ctx_t a; |
844 | 503 | gpg_err_code_t ec; |
845 | 503 | size_t n; |
846 | | |
847 | 503 | if (subalgo != GCRY_KDF_ARGON2D |
848 | 503 | && subalgo != GCRY_KDF_ARGON2I |
849 | 503 | && subalgo != GCRY_KDF_ARGON2ID) |
850 | 0 | return GPG_ERR_INV_VALUE; |
851 | 503 | else |
852 | 503 | hash_type = subalgo; |
853 | | |
854 | | /* param : [ tag_length, t_cost, m_cost, parallelism ] */ |
855 | 503 | if (paramlen < 3 || paramlen > 4) |
856 | 0 | return GPG_ERR_INV_VALUE; |
857 | 503 | else |
858 | 503 | { |
859 | 503 | taglen = (unsigned int)param[0]; |
860 | 503 | t_cost = (unsigned int)param[1]; |
861 | 503 | m_cost = (unsigned int)param[2]; |
862 | 503 | if (paramlen >= 4) |
863 | 503 | parallelism = (unsigned int)param[3]; |
864 | 503 | } |
865 | | |
866 | 503 | if (parallelism == 0) |
867 | 6 | return GPG_ERR_INV_VALUE; |
868 | | |
869 | 497 | n = offsetof (struct argon2_context, out) + taglen; |
870 | 497 | a = xtrymalloc (n); |
871 | 497 | if (!a) |
872 | 0 | return gpg_err_code_from_errno (errno); |
873 | | |
874 | 497 | a->algo = GCRY_KDF_ARGON2; |
875 | 497 | a->hash_type = hash_type; |
876 | | |
877 | 497 | a->outlen = taglen; |
878 | | |
879 | 497 | a->password = password; |
880 | 497 | a->passwordlen = passwordlen; |
881 | 497 | a->salt = salt; |
882 | 497 | a->saltlen = saltlen; |
883 | 497 | a->key = key; |
884 | 497 | a->keylen = keylen; |
885 | 497 | a->ad = ad; |
886 | 497 | a->adlen = adlen; |
887 | | |
888 | 497 | a->m_cost = m_cost; |
889 | | |
890 | 497 | a->block = NULL; |
891 | 497 | a->thread_data = NULL; |
892 | | |
893 | 497 | ec = argon2_init (a, parallelism, m_cost, t_cost); |
894 | 497 | if (ec) |
895 | 0 | { |
896 | 0 | xfree (a); |
897 | 0 | return ec; |
898 | 0 | } |
899 | | |
900 | 497 | *hd = (void *)a; |
901 | 497 | return 0; |
902 | 497 | } |
903 | | |
904 | | typedef struct balloon_context *balloon_ctx_t; |
905 | | |
906 | | /* Per thread data for Balloon. */ |
907 | | struct balloon_thread_data { |
908 | | balloon_ctx_t b; |
909 | | gpg_err_code_t ec; |
910 | | unsigned int idx; |
911 | | unsigned char *block; |
912 | | }; |
913 | | |
914 | | /* Balloon context */ |
915 | | struct balloon_context { |
916 | | int algo; |
917 | | int prng_type; |
918 | | |
919 | | unsigned int blklen; |
920 | | const gcry_md_spec_t *md_spec; |
921 | | |
922 | | const unsigned char *password; |
923 | | size_t passwordlen; |
924 | | |
925 | | const unsigned char *salt; |
926 | | /* Length of salt is fixed. */ |
927 | | |
928 | | unsigned int s_cost; |
929 | | unsigned int t_cost; |
930 | | unsigned int parallelism; |
931 | | |
932 | | u64 n_blocks; |
933 | | |
934 | | unsigned char *block; |
935 | | |
936 | | /* In future, we may use flexible array member. */ |
937 | | struct balloon_thread_data thread_data[1]; |
938 | | }; |
939 | | |
940 | | /* Maximum size of underlining digest size. */ |
941 | 0 | #define BALLOON_BLOCK_LEN_MAX 64 |
942 | | |
943 | | static gpg_err_code_t |
944 | | prng_aes_ctr_init (gcry_cipher_hd_t *hd_p, balloon_ctx_t b, |
945 | | gcry_buffer_t *iov, unsigned int iov_count) |
946 | 0 | { |
947 | 0 | gpg_err_code_t ec; |
948 | 0 | gcry_cipher_hd_t hd; |
949 | 0 | unsigned char key[BALLOON_BLOCK_LEN_MAX]; |
950 | 0 | int cipher_algo; |
951 | 0 | unsigned int keylen, blklen; |
952 | |
|
953 | 0 | switch (b->blklen) |
954 | 0 | { |
955 | 0 | case 64: |
956 | 0 | cipher_algo = GCRY_CIPHER_AES256; |
957 | 0 | break; |
958 | | |
959 | 0 | case 48: |
960 | 0 | cipher_algo = GCRY_CIPHER_AES192; |
961 | 0 | break; |
962 | | |
963 | 0 | default: |
964 | 0 | case 32: |
965 | 0 | cipher_algo = GCRY_CIPHER_AES; |
966 | 0 | break; |
967 | 0 | } |
968 | | |
969 | 0 | keylen = _gcry_cipher_get_algo_keylen (cipher_algo); |
970 | 0 | blklen = _gcry_cipher_get_algo_blklen (cipher_algo); |
971 | |
|
972 | 0 | b->md_spec->hash_buffers (key, b->blklen, iov, iov_count); |
973 | 0 | ec = _gcry_cipher_open (&hd, cipher_algo, GCRY_CIPHER_MODE_CTR, 0); |
974 | 0 | if (ec) |
975 | 0 | return ec; |
976 | | |
977 | 0 | ec = _gcry_cipher_setkey (hd, key, keylen); |
978 | 0 | if (ec) |
979 | 0 | { |
980 | 0 | _gcry_cipher_close (hd); |
981 | 0 | return ec; |
982 | 0 | } |
983 | | |
984 | 0 | if (cipher_algo == GCRY_CIPHER_AES |
985 | 0 | && b->md_spec == &_gcry_digest_spec_sha256) |
986 | | /* Original Balloon uses zero IV. */ |
987 | 0 | ; |
988 | 0 | else |
989 | 0 | { |
990 | 0 | ec = _gcry_cipher_setiv (hd, key+keylen, blklen); |
991 | 0 | if (ec) |
992 | 0 | { |
993 | 0 | _gcry_cipher_close (hd); |
994 | 0 | return ec; |
995 | 0 | } |
996 | 0 | } |
997 | | |
998 | 0 | wipememory (key, BALLOON_BLOCK_LEN_MAX); |
999 | 0 | *hd_p = hd; |
1000 | 0 | return ec; |
1001 | 0 | } |
1002 | | |
1003 | | static u64 |
1004 | | prng_aes_ctr_get_rand64 (gcry_cipher_hd_t hd) |
1005 | 0 | { |
1006 | 0 | static const unsigned char zero64[8]; |
1007 | 0 | unsigned char rand64[8]; |
1008 | |
|
1009 | 0 | _gcry_cipher_encrypt (hd, rand64, sizeof (rand64), zero64, sizeof (zero64)); |
1010 | 0 | return buf_get_le64 (rand64); |
1011 | 0 | } |
1012 | | |
1013 | | static void |
1014 | | prng_aes_ctr_fini (gcry_cipher_hd_t hd) |
1015 | 0 | { |
1016 | 0 | _gcry_cipher_close (hd); |
1017 | 0 | } |
1018 | | |
1019 | | static size_t |
1020 | | ballon_context_size (unsigned int parallelism) |
1021 | 0 | { |
1022 | 0 | size_t n; |
1023 | |
|
1024 | 0 | n = offsetof (struct balloon_context, thread_data) |
1025 | 0 | + parallelism * sizeof (struct balloon_thread_data); |
1026 | 0 | return n; |
1027 | 0 | } |
1028 | | |
1029 | | static gpg_err_code_t |
1030 | | balloon_open (gcry_kdf_hd_t *hd, int subalgo, |
1031 | | const unsigned long *param, unsigned int paramlen, |
1032 | | const void *password, size_t passwordlen, |
1033 | | const void *salt, size_t saltlen) |
1034 | 0 | { |
1035 | 0 | unsigned int blklen; |
1036 | 0 | int hash_type; |
1037 | 0 | unsigned int s_cost; |
1038 | 0 | unsigned int t_cost; |
1039 | 0 | unsigned int parallelism = 1; |
1040 | 0 | balloon_ctx_t b; |
1041 | 0 | gpg_err_code_t ec; |
1042 | 0 | size_t n; |
1043 | 0 | unsigned char *block; |
1044 | 0 | unsigned int i; |
1045 | 0 | const gcry_md_spec_t *md_spec; |
1046 | |
|
1047 | 0 | hash_type = subalgo; |
1048 | 0 | switch (hash_type) |
1049 | 0 | { |
1050 | 0 | case GCRY_MD_SHA256: |
1051 | 0 | md_spec = &_gcry_digest_spec_sha256; |
1052 | 0 | break; |
1053 | | |
1054 | 0 | case GCRY_MD_SHA384: |
1055 | 0 | md_spec = &_gcry_digest_spec_sha384; |
1056 | 0 | break; |
1057 | | |
1058 | 0 | case GCRY_MD_SHA512: |
1059 | 0 | md_spec = &_gcry_digest_spec_sha512; |
1060 | 0 | break; |
1061 | | |
1062 | 0 | case GCRY_MD_SHA3_256: |
1063 | 0 | md_spec = &_gcry_digest_spec_sha3_256; |
1064 | 0 | break; |
1065 | | |
1066 | 0 | case GCRY_MD_SHA3_384: |
1067 | 0 | md_spec = &_gcry_digest_spec_sha3_384; |
1068 | 0 | break; |
1069 | | |
1070 | 0 | case GCRY_MD_SHA3_512: |
1071 | 0 | md_spec = &_gcry_digest_spec_sha3_512; |
1072 | 0 | break; |
1073 | | |
1074 | 0 | default: |
1075 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1076 | 0 | } |
1077 | | |
1078 | 0 | blklen = _gcry_md_get_algo_dlen (hash_type); |
1079 | 0 | if (!blklen || blklen > BALLOON_BLOCK_LEN_MAX) |
1080 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1081 | | |
1082 | 0 | if (saltlen != blklen) |
1083 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1084 | | |
1085 | | /* |
1086 | | * It should have space_cost and time_cost. |
1087 | | * Optionally, for parallelised version, it has parallelism. |
1088 | | * Possibly (in future), it may have option to specify PRNG type. |
1089 | | */ |
1090 | 0 | if (paramlen != 2 && paramlen != 3) |
1091 | 0 | return GPG_ERR_INV_VALUE; |
1092 | 0 | else |
1093 | 0 | { |
1094 | 0 | s_cost = (unsigned int)param[0]; |
1095 | 0 | t_cost = (unsigned int)param[1]; |
1096 | 0 | if (paramlen >= 3) |
1097 | 0 | parallelism = (unsigned int)param[2]; |
1098 | 0 | } |
1099 | | |
1100 | 0 | if (s_cost < 1) |
1101 | 0 | return GPG_ERR_INV_VALUE; |
1102 | | |
1103 | 0 | n = ballon_context_size (parallelism); |
1104 | 0 | b = xtrymalloc (n); |
1105 | 0 | if (!b) |
1106 | 0 | return gpg_err_code_from_errno (errno); |
1107 | | |
1108 | 0 | b->algo = GCRY_KDF_BALLOON; |
1109 | 0 | b->md_spec = md_spec; |
1110 | 0 | b->blklen = blklen; |
1111 | |
|
1112 | 0 | b->password = password; |
1113 | 0 | b->passwordlen = passwordlen; |
1114 | 0 | b->salt = salt; |
1115 | |
|
1116 | 0 | b->s_cost = s_cost; |
1117 | 0 | b->t_cost = t_cost; |
1118 | 0 | b->parallelism = parallelism; |
1119 | |
|
1120 | 0 | b->n_blocks = (s_cost * 1024) / b->blklen; |
1121 | |
|
1122 | 0 | block = xtrycalloc (parallelism * b->n_blocks, b->blklen); |
1123 | 0 | if (!block) |
1124 | 0 | { |
1125 | 0 | ec = gpg_err_code_from_errno (errno); |
1126 | 0 | xfree (b); |
1127 | 0 | return ec; |
1128 | 0 | } |
1129 | 0 | b->block = block; |
1130 | |
|
1131 | 0 | for (i = 0; i < parallelism; i++) |
1132 | 0 | { |
1133 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1134 | |
|
1135 | 0 | t->b = b; |
1136 | 0 | t->ec = 0; |
1137 | 0 | t->idx = i; |
1138 | 0 | t->block = block; |
1139 | 0 | block += b->blklen * b->n_blocks; |
1140 | 0 | } |
1141 | |
|
1142 | 0 | *hd = (void *)b; |
1143 | 0 | return 0; |
1144 | 0 | } |
1145 | | |
1146 | | |
1147 | | static void |
1148 | | balloon_xor_block (balloon_ctx_t b, u64 *dst, const u64 *src) |
1149 | 0 | { |
1150 | 0 | int i; |
1151 | |
|
1152 | 0 | for (i = 0; i < b->blklen/8; i++) |
1153 | 0 | dst[i] ^= src[i]; |
1154 | 0 | } |
1155 | | |
1156 | 0 | #define BALLOON_COMPRESS_BLOCKS 5 |
1157 | | |
1158 | | static void |
1159 | | balloon_compress (balloon_ctx_t b, u64 *counter_p, unsigned char *out, |
1160 | | const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS]) |
1161 | 0 | { |
1162 | 0 | gcry_buffer_t iov[1+BALLOON_COMPRESS_BLOCKS]; |
1163 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1164 | 0 | unsigned int i; |
1165 | |
|
1166 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1167 | 0 | iov[0].data = octet_counter; |
1168 | 0 | iov[0].len = sizeof (octet_counter); |
1169 | 0 | iov[0].off = 0; |
1170 | |
|
1171 | 0 | for (i = 1; i < 1+BALLOON_COMPRESS_BLOCKS; i++) |
1172 | 0 | { |
1173 | 0 | iov[i].data = (void *)blocks[i-1]; |
1174 | 0 | iov[i].len = b->blklen; |
1175 | 0 | iov[i].off = 0; |
1176 | 0 | } |
1177 | |
|
1178 | 0 | b->md_spec->hash_buffers (out, b->blklen, iov, 1+BALLOON_COMPRESS_BLOCKS); |
1179 | 0 | *counter_p += 1; |
1180 | 0 | } |
1181 | | |
1182 | | static void |
1183 | | balloon_expand (balloon_ctx_t b, u64 *counter_p, unsigned char *block, |
1184 | | u64 n_blocks) |
1185 | 0 | { |
1186 | 0 | gcry_buffer_t iov[2]; |
1187 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1188 | 0 | u64 i; |
1189 | |
|
1190 | 0 | iov[0].data = octet_counter; |
1191 | 0 | iov[0].len = sizeof (octet_counter); |
1192 | 0 | iov[0].off = 0; |
1193 | 0 | iov[1].len = b->blklen; |
1194 | 0 | iov[1].off = 0; |
1195 | |
|
1196 | 0 | for (i = 1; i < n_blocks; i++) |
1197 | 0 | { |
1198 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1199 | 0 | iov[1].data = block; |
1200 | 0 | block += b->blklen; |
1201 | 0 | b->md_spec->hash_buffers (block, b->blklen, iov, 2); |
1202 | 0 | *counter_p += 1; |
1203 | 0 | } |
1204 | 0 | } |
1205 | | |
1206 | | static void |
1207 | | balloon_compute_fill (balloon_ctx_t b, |
1208 | | struct balloon_thread_data *t, |
1209 | | const unsigned char *salt, |
1210 | | u64 *counter_p) |
1211 | 0 | { |
1212 | 0 | gcry_buffer_t iov[6]; |
1213 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1214 | 0 | unsigned char octet_s_cost[4]; |
1215 | 0 | unsigned char octet_t_cost[4]; |
1216 | 0 | unsigned char octet_parallelism[4]; |
1217 | |
|
1218 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1219 | 0 | buf_put_le32 (octet_s_cost, b->s_cost); |
1220 | 0 | buf_put_le32 (octet_t_cost, b->t_cost); |
1221 | 0 | buf_put_le32 (octet_parallelism, b->parallelism); |
1222 | |
|
1223 | 0 | iov[0].data = octet_counter; |
1224 | 0 | iov[0].len = sizeof (octet_counter); |
1225 | 0 | iov[0].off = 0; |
1226 | 0 | iov[1].data = (void *)salt; |
1227 | 0 | iov[1].len = b->blklen; |
1228 | 0 | iov[1].off = 0; |
1229 | 0 | iov[2].data = (void *)b->password; |
1230 | 0 | iov[2].len = b->passwordlen; |
1231 | 0 | iov[2].off = 0; |
1232 | 0 | iov[3].data = octet_s_cost; |
1233 | 0 | iov[3].len = 4; |
1234 | 0 | iov[3].off = 0; |
1235 | 0 | iov[4].data = octet_t_cost; |
1236 | 0 | iov[4].len = 4; |
1237 | 0 | iov[4].off = 0; |
1238 | 0 | iov[5].data = octet_parallelism; |
1239 | 0 | iov[5].len = 4; |
1240 | 0 | iov[5].off = 0; |
1241 | 0 | b->md_spec->hash_buffers (t->block, b->blklen, iov, 6); |
1242 | 0 | *counter_p += 1; |
1243 | 0 | balloon_expand (b, counter_p, t->block, b->n_blocks); |
1244 | 0 | } |
1245 | | |
1246 | | static void |
1247 | | balloon_compute_mix (gcry_cipher_hd_t prng, |
1248 | | balloon_ctx_t b, struct balloon_thread_data *t, |
1249 | | u64 *counter_p) |
1250 | 0 | { |
1251 | 0 | u64 i; |
1252 | |
|
1253 | 0 | for (i = 0; i < b->n_blocks; i++) |
1254 | 0 | { |
1255 | 0 | unsigned char *cur_block = t->block + (b->blklen * i); |
1256 | 0 | const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS]; |
1257 | 0 | const unsigned char *prev_block; |
1258 | 0 | unsigned int n; |
1259 | |
|
1260 | 0 | prev_block = i |
1261 | 0 | ? cur_block - b->blklen |
1262 | 0 | : t->block + (b->blklen * (t->b->n_blocks - 1)); |
1263 | |
|
1264 | 0 | n = 0; |
1265 | 0 | blocks[n++] = prev_block; |
1266 | 0 | blocks[n++] = cur_block; |
1267 | |
|
1268 | 0 | for (; n < BALLOON_COMPRESS_BLOCKS; n++) |
1269 | 0 | { |
1270 | 0 | u64 rand64 = prng_aes_ctr_get_rand64 (prng); |
1271 | 0 | blocks[n] = t->block + (b->blklen * (rand64 % b->n_blocks)); |
1272 | 0 | } |
1273 | |
|
1274 | 0 | balloon_compress (b, counter_p, cur_block, blocks); |
1275 | 0 | } |
1276 | 0 | } |
1277 | | |
1278 | | |
1279 | | static void |
1280 | | balloon_compute (void *priv) |
1281 | 0 | { |
1282 | 0 | struct balloon_thread_data *t = (struct balloon_thread_data *)priv; |
1283 | 0 | balloon_ctx_t b = t->b; |
1284 | 0 | gcry_cipher_hd_t prng; |
1285 | 0 | gcry_buffer_t iov[4]; |
1286 | 0 | unsigned char salt[BALLOON_BLOCK_LEN_MAX]; |
1287 | 0 | unsigned char octet_s_cost[4]; |
1288 | 0 | unsigned char octet_t_cost[4]; |
1289 | 0 | unsigned char octet_parallelism[4]; |
1290 | 0 | u32 u; |
1291 | 0 | u64 counter; |
1292 | 0 | unsigned int i; |
1293 | |
|
1294 | 0 | counter = 0; |
1295 | |
|
1296 | 0 | memcpy (salt, b->salt, b->blklen); |
1297 | 0 | u = buf_get_le32 (b->salt) + t->idx; |
1298 | 0 | buf_put_le32 (salt, u); |
1299 | |
|
1300 | 0 | buf_put_le32 (octet_s_cost, b->s_cost); |
1301 | 0 | buf_put_le32 (octet_t_cost, b->t_cost); |
1302 | 0 | buf_put_le32 (octet_parallelism, b->parallelism); |
1303 | |
|
1304 | 0 | iov[0].data = salt; |
1305 | 0 | iov[0].len = b->blklen; |
1306 | 0 | iov[0].off = 0; |
1307 | 0 | iov[1].data = octet_s_cost; |
1308 | 0 | iov[1].len = 4; |
1309 | 0 | iov[1].off = 0; |
1310 | 0 | iov[2].data = octet_t_cost; |
1311 | 0 | iov[2].len = 4; |
1312 | 0 | iov[2].off = 0; |
1313 | 0 | iov[3].data = octet_parallelism; |
1314 | 0 | iov[3].len = 4; |
1315 | 0 | iov[3].off = 0; |
1316 | |
|
1317 | 0 | t->ec = prng_aes_ctr_init (&prng, b, iov, 4); |
1318 | 0 | if (t->ec) |
1319 | 0 | return; |
1320 | | |
1321 | 0 | balloon_compute_fill (b, t, salt, &counter); |
1322 | |
|
1323 | 0 | for (i = 0; i < b->t_cost; i++) |
1324 | 0 | balloon_compute_mix (prng, b, t, &counter); |
1325 | | |
1326 | | /* The result is now at the last block. */ |
1327 | |
|
1328 | 0 | prng_aes_ctr_fini (prng); |
1329 | 0 | } |
1330 | | |
1331 | | static gpg_err_code_t |
1332 | | balloon_compute_all (balloon_ctx_t b, const struct gcry_kdf_thread_ops *ops) |
1333 | 0 | { |
1334 | 0 | unsigned int parallelism = b->parallelism; |
1335 | 0 | unsigned int i; |
1336 | 0 | int ret; |
1337 | |
|
1338 | 0 | for (i = 0; i < parallelism; i++) |
1339 | 0 | { |
1340 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1341 | |
|
1342 | 0 | if (ops) |
1343 | 0 | { |
1344 | 0 | ret = ops->dispatch_job (ops->jobs_context, balloon_compute, t); |
1345 | 0 | if (ret < 0) |
1346 | 0 | return GPG_ERR_CANCELED; |
1347 | 0 | } |
1348 | 0 | else |
1349 | 0 | balloon_compute (t); |
1350 | 0 | } |
1351 | | |
1352 | 0 | if (ops) |
1353 | 0 | { |
1354 | 0 | ret = ops->wait_all_jobs (ops->jobs_context); |
1355 | 0 | if (ret < 0) |
1356 | 0 | return GPG_ERR_CANCELED; |
1357 | 0 | } |
1358 | | |
1359 | 0 | return 0; |
1360 | 0 | } |
1361 | | |
1362 | | static gpg_err_code_t |
1363 | | balloon_final (balloon_ctx_t b, size_t resultlen, void *result) |
1364 | 0 | { |
1365 | 0 | unsigned int parallelism = b->parallelism; |
1366 | 0 | unsigned int i; |
1367 | 0 | u64 out[BALLOON_BLOCK_LEN_MAX/8]; |
1368 | |
|
1369 | 0 | if (resultlen != b->blklen) |
1370 | 0 | return GPG_ERR_INV_VALUE; |
1371 | | |
1372 | 0 | memset (out, 0, b->blklen); |
1373 | 0 | for (i = 0; i < parallelism; i++) |
1374 | 0 | { |
1375 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1376 | 0 | const unsigned char *last_block; |
1377 | |
|
1378 | 0 | if (t->ec) |
1379 | 0 | return t->ec; |
1380 | | |
1381 | 0 | last_block = t->block + (b->blklen * (t->b->n_blocks - 1)); |
1382 | 0 | balloon_xor_block (b, out, (const u64 *)(void *)last_block); |
1383 | 0 | } |
1384 | | |
1385 | 0 | memcpy (result, out, b->blklen); |
1386 | |
|
1387 | 0 | return 0; |
1388 | 0 | } |
1389 | | |
1390 | | static void |
1391 | | balloon_close (balloon_ctx_t b) |
1392 | 0 | { |
1393 | 0 | unsigned int parallelism = b->parallelism; |
1394 | 0 | size_t n = ballon_context_size (parallelism); |
1395 | |
|
1396 | 0 | if (b->block) |
1397 | 0 | { |
1398 | 0 | wipememory (b->block, parallelism * b->n_blocks); |
1399 | 0 | xfree (b->block); |
1400 | 0 | } |
1401 | |
|
1402 | 0 | wipememory (b, n); |
1403 | 0 | xfree (b); |
1404 | 0 | } |
1405 | | |
1406 | | typedef struct onestep_kdf_context *onestep_kdf_ctx_t; |
1407 | | |
1408 | | /* OneStepKDF context */ |
1409 | | struct onestep_kdf_context { |
1410 | | int algo; |
1411 | | gcry_md_hd_t md; |
1412 | | unsigned int blklen; |
1413 | | unsigned int outlen; |
1414 | | const void *input; |
1415 | | size_t inputlen; |
1416 | | const void *fixedinfo; |
1417 | | size_t fixedinfolen; |
1418 | | }; |
1419 | | |
1420 | | static gpg_err_code_t |
1421 | | onestep_kdf_open (gcry_kdf_hd_t *hd, int hashalgo, |
1422 | | const unsigned long *param, unsigned int paramlen, |
1423 | | const void *input, size_t inputlen, |
1424 | | const void *fixedinfo, size_t fixedinfolen) |
1425 | 0 | { |
1426 | 0 | gpg_err_code_t ec; |
1427 | 0 | unsigned int outlen; |
1428 | 0 | onestep_kdf_ctx_t o; |
1429 | 0 | size_t n; |
1430 | |
|
1431 | 0 | if (paramlen != 1) |
1432 | 0 | return GPG_ERR_INV_VALUE; |
1433 | 0 | else |
1434 | 0 | outlen = (unsigned int)param[0]; |
1435 | | |
1436 | 0 | n = sizeof (struct onestep_kdf_context); |
1437 | 0 | o = xtrymalloc (n); |
1438 | 0 | if (!o) |
1439 | 0 | return gpg_err_code_from_errno (errno); |
1440 | | |
1441 | 0 | o->blklen = _gcry_md_get_algo_dlen (hashalgo); |
1442 | 0 | if (!o->blklen) |
1443 | 0 | { |
1444 | 0 | xfree (o); |
1445 | 0 | return GPG_ERR_DIGEST_ALGO; |
1446 | 0 | } |
1447 | 0 | ec = _gcry_md_open (&o->md, hashalgo, 0); |
1448 | 0 | if (ec) |
1449 | 0 | { |
1450 | 0 | xfree (o); |
1451 | 0 | return ec; |
1452 | 0 | } |
1453 | 0 | o->algo = GCRY_KDF_ONESTEP_KDF; |
1454 | 0 | o->outlen = outlen; |
1455 | 0 | o->input = input; |
1456 | 0 | o->inputlen = inputlen; |
1457 | 0 | o->fixedinfo = fixedinfo; |
1458 | 0 | o->fixedinfolen = fixedinfolen; |
1459 | |
|
1460 | 0 | *hd = (void *)o; |
1461 | 0 | return 0; |
1462 | 0 | } |
1463 | | |
1464 | | |
1465 | | static gpg_err_code_t |
1466 | | onestep_kdf_compute (onestep_kdf_ctx_t o, const struct gcry_kdf_thread_ops *ops) |
1467 | 0 | { |
1468 | 0 | (void)o; |
1469 | |
|
1470 | 0 | if (ops != NULL) |
1471 | 0 | return GPG_ERR_INV_VALUE; |
1472 | | |
1473 | 0 | return 0; |
1474 | 0 | } |
1475 | | |
1476 | | static gpg_err_code_t |
1477 | | onestep_kdf_final (onestep_kdf_ctx_t o, size_t resultlen, void *result) |
1478 | 0 | { |
1479 | 0 | u32 counter = 0; |
1480 | 0 | unsigned char cnt[4]; |
1481 | 0 | int i; |
1482 | |
|
1483 | 0 | if (resultlen != o->outlen) |
1484 | 0 | return GPG_ERR_INV_VALUE; |
1485 | | |
1486 | 0 | for (i = 0; i < o->outlen / o->blklen; i++) |
1487 | 0 | { |
1488 | 0 | counter++; |
1489 | 0 | buf_put_be32 (cnt, counter); |
1490 | 0 | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1491 | 0 | _gcry_md_write (o->md, o->input, o->inputlen); |
1492 | 0 | _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen); |
1493 | 0 | _gcry_md_final (o->md); |
1494 | 0 | memcpy ((char *)result + o->blklen * i, |
1495 | 0 | _gcry_md_read (o->md, 0), o->blklen); |
1496 | 0 | resultlen -= o->blklen; |
1497 | 0 | _gcry_md_reset (o->md); |
1498 | 0 | } |
1499 | |
|
1500 | 0 | if (resultlen) |
1501 | 0 | { |
1502 | 0 | counter++; |
1503 | 0 | buf_put_be32 (cnt, counter); |
1504 | 0 | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1505 | 0 | _gcry_md_write (o->md, o->input, o->inputlen); |
1506 | 0 | _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen); |
1507 | 0 | _gcry_md_final (o->md); |
1508 | 0 | memcpy ((char *)result + o->blklen * i, |
1509 | 0 | _gcry_md_read (o->md, 0), resultlen); |
1510 | 0 | } |
1511 | |
|
1512 | 0 | return 0; |
1513 | 0 | } |
1514 | | |
1515 | | static void |
1516 | | onestep_kdf_close (onestep_kdf_ctx_t o) |
1517 | 0 | { |
1518 | 0 | _gcry_md_close (o->md); |
1519 | 0 | xfree (o); |
1520 | 0 | } |
1521 | | |
1522 | | typedef struct onestep_kdf_mac_context *onestep_kdf_mac_ctx_t; |
1523 | | |
1524 | | /* OneStep_KDF_MAC context */ |
1525 | | struct onestep_kdf_mac_context { |
1526 | | int algo; |
1527 | | gcry_mac_hd_t md; |
1528 | | unsigned int blklen; |
1529 | | unsigned int outlen; |
1530 | | const void *input; |
1531 | | size_t inputlen; |
1532 | | const void *salt; |
1533 | | size_t saltlen; |
1534 | | const void *fixedinfo; |
1535 | | size_t fixedinfolen; |
1536 | | }; |
1537 | | |
1538 | | static gpg_err_code_t |
1539 | | onestep_kdf_mac_open (gcry_kdf_hd_t *hd, int macalgo, |
1540 | | const unsigned long *param, unsigned int paramlen, |
1541 | | const void *input, size_t inputlen, |
1542 | | const void *key, size_t keylen, |
1543 | | const void *fixedinfo, size_t fixedinfolen) |
1544 | 0 | { |
1545 | 0 | gpg_err_code_t ec; |
1546 | 0 | unsigned int outlen; |
1547 | 0 | onestep_kdf_mac_ctx_t o; |
1548 | 0 | size_t n; |
1549 | |
|
1550 | 0 | if (paramlen != 1) |
1551 | 0 | return GPG_ERR_INV_VALUE; |
1552 | 0 | else |
1553 | 0 | outlen = (unsigned int)param[0]; |
1554 | | |
1555 | 0 | n = sizeof (struct onestep_kdf_mac_context); |
1556 | 0 | o = xtrymalloc (n); |
1557 | 0 | if (!o) |
1558 | 0 | return gpg_err_code_from_errno (errno); |
1559 | | |
1560 | 0 | o->blklen = _gcry_mac_get_algo_maclen (macalgo); |
1561 | 0 | if (!o->blklen) |
1562 | 0 | { |
1563 | 0 | xfree (o); |
1564 | 0 | return GPG_ERR_MAC_ALGO; |
1565 | 0 | } |
1566 | 0 | ec = _gcry_mac_open (&o->md, macalgo, 0, NULL); |
1567 | 0 | if (ec) |
1568 | 0 | { |
1569 | 0 | xfree (o); |
1570 | 0 | return ec; |
1571 | 0 | } |
1572 | 0 | o->algo = GCRY_KDF_ONESTEP_KDF_MAC; |
1573 | 0 | o->outlen = outlen; |
1574 | 0 | o->input = input; |
1575 | 0 | o->inputlen = inputlen; |
1576 | 0 | o->salt = key; |
1577 | 0 | o->saltlen = keylen; |
1578 | 0 | o->fixedinfo = fixedinfo; |
1579 | 0 | o->fixedinfolen = fixedinfolen; |
1580 | |
|
1581 | 0 | *hd = (void *)o; |
1582 | 0 | return 0; |
1583 | 0 | } |
1584 | | |
1585 | | |
1586 | | static gpg_err_code_t |
1587 | | onestep_kdf_mac_compute (onestep_kdf_mac_ctx_t o, |
1588 | | const struct gcry_kdf_thread_ops *ops) |
1589 | 0 | { |
1590 | 0 | (void)o; |
1591 | |
|
1592 | 0 | if (ops != NULL) |
1593 | 0 | return GPG_ERR_INV_VALUE; |
1594 | | |
1595 | 0 | return 0; |
1596 | 0 | } |
1597 | | |
1598 | | static gpg_err_code_t |
1599 | | onestep_kdf_mac_final (onestep_kdf_mac_ctx_t o, size_t resultlen, void *result) |
1600 | 0 | { |
1601 | 0 | u32 counter = 0; |
1602 | 0 | unsigned char cnt[4]; |
1603 | 0 | int i; |
1604 | 0 | gcry_err_code_t ec; |
1605 | 0 | size_t len = o->blklen; |
1606 | |
|
1607 | 0 | if (resultlen != o->outlen) |
1608 | 0 | return GPG_ERR_INV_VALUE; |
1609 | | |
1610 | 0 | ec = _gcry_mac_setkey (o->md, o->salt, o->saltlen); |
1611 | 0 | if (ec) |
1612 | 0 | return ec; |
1613 | | |
1614 | 0 | for (i = 0; i < o->outlen / o->blklen; i++) |
1615 | 0 | { |
1616 | 0 | counter++; |
1617 | 0 | buf_put_be32 (cnt, counter); |
1618 | 0 | ec = _gcry_mac_write (o->md, cnt, sizeof (cnt)); |
1619 | 0 | if (ec) |
1620 | 0 | return ec; |
1621 | 0 | ec = _gcry_mac_write (o->md, o->input, o->inputlen); |
1622 | 0 | if (ec) |
1623 | 0 | return ec; |
1624 | 0 | ec = _gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen); |
1625 | 0 | if (ec) |
1626 | 0 | return ec; |
1627 | 0 | ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len); |
1628 | 0 | if (ec) |
1629 | 0 | return ec; |
1630 | 0 | resultlen -= o->blklen; |
1631 | 0 | ec = _gcry_mac_ctl (o->md, GCRYCTL_RESET, NULL, 0); |
1632 | 0 | if (ec) |
1633 | 0 | return ec; |
1634 | 0 | } |
1635 | | |
1636 | 0 | if (resultlen) |
1637 | 0 | { |
1638 | 0 | counter++; |
1639 | 0 | len = resultlen; |
1640 | 0 | buf_put_be32 (cnt, counter); |
1641 | 0 | ec = _gcry_mac_write (o->md, cnt, sizeof (cnt)); |
1642 | 0 | if (ec) |
1643 | 0 | return ec; |
1644 | 0 | ec = _gcry_mac_write (o->md, o->input, o->inputlen); |
1645 | 0 | if (ec) |
1646 | 0 | return ec; |
1647 | 0 | ec =_gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen); |
1648 | 0 | if (ec) |
1649 | 0 | return ec; |
1650 | 0 | ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len); |
1651 | 0 | if (ec) |
1652 | 0 | return ec; |
1653 | 0 | } |
1654 | | |
1655 | 0 | return 0; |
1656 | 0 | } |
1657 | | |
1658 | | static void |
1659 | | onestep_kdf_mac_close (onestep_kdf_mac_ctx_t o) |
1660 | 0 | { |
1661 | 0 | _gcry_mac_close (o->md); |
1662 | 0 | xfree (o); |
1663 | 0 | } |
1664 | | |
1665 | | typedef struct hkdf_context *hkdf_ctx_t; |
1666 | | |
1667 | | /* Hkdf context */ |
1668 | | struct hkdf_context { |
1669 | | int algo; |
1670 | | gcry_mac_hd_t md; |
1671 | | int mode; |
1672 | | unsigned int blklen; |
1673 | | unsigned int outlen; |
1674 | | const void *input; |
1675 | | size_t inputlen; |
1676 | | const void *salt; |
1677 | | size_t saltlen; |
1678 | | const void *fixedinfo; |
1679 | | size_t fixedinfolen; |
1680 | | unsigned char *prk; |
1681 | | }; |
1682 | | |
1683 | | static gpg_err_code_t |
1684 | | hkdf_open (gcry_kdf_hd_t *hd, int macalgo, |
1685 | | const unsigned long *param, unsigned int paramlen, |
1686 | | const void *input, size_t inputlen, |
1687 | | const void *salt, size_t saltlen, |
1688 | | const void *fixedinfo, size_t fixedinfolen) |
1689 | 614 | { |
1690 | 614 | gpg_err_code_t ec; |
1691 | 614 | unsigned int outlen; |
1692 | 614 | int mode; |
1693 | 614 | hkdf_ctx_t h; |
1694 | 614 | size_t n; |
1695 | 614 | unsigned char *prk; |
1696 | | |
1697 | 614 | if (paramlen != 1 && paramlen != 2) |
1698 | 0 | return GPG_ERR_INV_VALUE; |
1699 | 614 | else |
1700 | 614 | { |
1701 | 614 | outlen = (unsigned int)param[0]; |
1702 | | /* MODE: support extract only, expand only: FIXME*/ |
1703 | 614 | if (paramlen == 2) |
1704 | 0 | mode = (unsigned int)param[1]; |
1705 | 614 | else |
1706 | 614 | mode = 0; |
1707 | 614 | } |
1708 | | |
1709 | 614 | n = sizeof (struct hkdf_context); |
1710 | 614 | h = xtrymalloc (n); |
1711 | 614 | if (!h) |
1712 | 0 | return gpg_err_code_from_errno (errno); |
1713 | | |
1714 | 614 | h->blklen = _gcry_mac_get_algo_maclen (macalgo); |
1715 | 614 | if (!h->blklen) |
1716 | 0 | { |
1717 | 0 | xfree (h); |
1718 | 0 | return GPG_ERR_MAC_ALGO; |
1719 | 0 | } |
1720 | | |
1721 | 614 | if (outlen > 255 * h->blklen) |
1722 | 119 | { |
1723 | 119 | xfree (h); |
1724 | 119 | return GPG_ERR_INV_VALUE; |
1725 | 119 | } |
1726 | | |
1727 | 495 | ec = _gcry_mac_open (&h->md, macalgo, 0, NULL); |
1728 | 495 | if (ec) |
1729 | 0 | { |
1730 | 0 | xfree (h); |
1731 | 0 | return ec; |
1732 | 0 | } |
1733 | 495 | prk = xtrymalloc (h->blklen); |
1734 | 495 | if (!prk) |
1735 | 0 | { |
1736 | 0 | _gcry_mac_close (h->md); |
1737 | 0 | xfree (h); |
1738 | 0 | return gpg_err_code_from_errno (errno); |
1739 | 0 | } |
1740 | 495 | h->prk = prk; |
1741 | 495 | h->algo = GCRY_KDF_HKDF; |
1742 | 495 | h->outlen = outlen; |
1743 | 495 | h->mode = mode; |
1744 | 495 | h->input = input; |
1745 | 495 | h->inputlen = inputlen; |
1746 | 495 | h->salt = salt; |
1747 | 495 | h->saltlen = saltlen; |
1748 | 495 | h->fixedinfo = fixedinfo; |
1749 | 495 | h->fixedinfolen = fixedinfolen; |
1750 | | |
1751 | 495 | *hd = (void *)h; |
1752 | 495 | return 0; |
1753 | 495 | } |
1754 | | |
1755 | | |
1756 | | static gpg_err_code_t |
1757 | | hkdf_compute (hkdf_ctx_t h, const struct gcry_kdf_thread_ops *ops) |
1758 | 495 | { |
1759 | 495 | gcry_err_code_t ec; |
1760 | 495 | size_t len = h->blklen; |
1761 | | |
1762 | 495 | if (ops != NULL) |
1763 | 0 | return GPG_ERR_INV_VALUE; |
1764 | | |
1765 | | /* Extract */ |
1766 | 495 | ec = _gcry_mac_setkey (h->md, h->salt, h->saltlen); |
1767 | 495 | if (ec) |
1768 | 0 | return ec; |
1769 | | |
1770 | 495 | ec = _gcry_mac_write (h->md, h->input, h->inputlen); |
1771 | 495 | if (ec) |
1772 | 0 | return ec; |
1773 | | |
1774 | 495 | ec = _gcry_mac_read (h->md, h->prk, &len); |
1775 | 495 | if (ec) |
1776 | 0 | return ec; |
1777 | | |
1778 | 495 | ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0); |
1779 | 495 | if (ec) |
1780 | 0 | return ec; |
1781 | | |
1782 | 495 | return 0; |
1783 | 495 | } |
1784 | | |
1785 | | static gpg_err_code_t |
1786 | | hkdf_final (hkdf_ctx_t h, size_t resultlen, void *result) |
1787 | 495 | { |
1788 | 495 | unsigned char counter = 0; |
1789 | 495 | int i; |
1790 | 495 | gcry_err_code_t ec; |
1791 | 495 | size_t len = h->blklen; |
1792 | | |
1793 | 495 | if (resultlen != h->outlen) |
1794 | 0 | return GPG_ERR_INV_VALUE; |
1795 | | |
1796 | | /* Expand */ |
1797 | 495 | ec = _gcry_mac_setkey (h->md, h->prk, h->blklen); |
1798 | 495 | if (ec) |
1799 | 0 | return ec; |
1800 | | |
1801 | | /* We re-use the memory of ->prk. */ |
1802 | | |
1803 | 57.7k | for (i = 0; i < h->outlen / h->blklen; i++) |
1804 | 57.2k | { |
1805 | 57.2k | counter++; |
1806 | 57.2k | if (i) |
1807 | 56.7k | { |
1808 | 56.7k | ec = _gcry_mac_write (h->md, h->prk, h->blklen); |
1809 | 56.7k | if (ec) |
1810 | 0 | return ec; |
1811 | 56.7k | } |
1812 | 57.2k | if (h->fixedinfo) |
1813 | 57.2k | { |
1814 | 57.2k | ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen); |
1815 | 57.2k | if (ec) |
1816 | 0 | return ec; |
1817 | 57.2k | } |
1818 | 57.2k | ec = _gcry_mac_write (h->md, &counter, 1); |
1819 | 57.2k | if (ec) |
1820 | 0 | return ec; |
1821 | 57.2k | ec = _gcry_mac_read (h->md, h->prk, &len); |
1822 | 57.2k | if (ec) |
1823 | 0 | return ec; |
1824 | 57.2k | memcpy ((char *)result + h->blklen * i, h->prk, len); |
1825 | 57.2k | resultlen -= h->blklen; |
1826 | 57.2k | ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0); |
1827 | 57.2k | if (ec) |
1828 | 0 | return ec; |
1829 | 57.2k | } |
1830 | | |
1831 | 495 | if (resultlen) |
1832 | 471 | { |
1833 | 471 | counter++; |
1834 | 471 | len = resultlen; |
1835 | 471 | if (i) |
1836 | 466 | { |
1837 | 466 | ec = _gcry_mac_write (h->md, h->prk, h->blklen); |
1838 | 466 | if (ec) |
1839 | 0 | return ec; |
1840 | 466 | } |
1841 | 471 | if (h->fixedinfo) |
1842 | 471 | { |
1843 | 471 | ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen); |
1844 | 471 | if (ec) |
1845 | 0 | return ec; |
1846 | 471 | } |
1847 | 471 | ec = _gcry_mac_write (h->md, &counter, 1); |
1848 | 471 | if (ec) |
1849 | 0 | return ec; |
1850 | 471 | ec = _gcry_mac_read (h->md, (char *)result + h->blklen * i, &len); |
1851 | 471 | if (ec) |
1852 | 0 | return ec; |
1853 | 471 | } |
1854 | | |
1855 | 495 | return 0; |
1856 | 495 | } |
1857 | | |
1858 | | static void |
1859 | | hkdf_close (hkdf_ctx_t h) |
1860 | 495 | { |
1861 | 495 | _gcry_mac_close (h->md); |
1862 | 495 | xfree (h->prk); |
1863 | 495 | xfree (h); |
1864 | 495 | } |
1865 | | |
1866 | | typedef struct x963_kdf_context *x963_kdf_ctx_t; |
1867 | | |
1868 | | /* X963KDF context */ |
1869 | | struct x963_kdf_context { |
1870 | | int algo; |
1871 | | gcry_md_hd_t md; |
1872 | | unsigned int blklen; |
1873 | | unsigned int outlen; |
1874 | | const void *input; |
1875 | | size_t inputlen; |
1876 | | const void *sharedinfo; |
1877 | | size_t sharedinfolen; |
1878 | | }; |
1879 | | |
1880 | | static gpg_err_code_t |
1881 | | x963_kdf_open (gcry_kdf_hd_t *hd, int hashalgo, |
1882 | | const unsigned long *param, unsigned int paramlen, |
1883 | | const void *input, size_t inputlen, |
1884 | | const void *sharedinfo, size_t sharedinfolen) |
1885 | 517 | { |
1886 | 517 | gpg_err_code_t ec; |
1887 | 517 | unsigned int outlen; |
1888 | 517 | x963_kdf_ctx_t o; |
1889 | 517 | size_t n; |
1890 | | |
1891 | 517 | if (paramlen != 1) |
1892 | 0 | return GPG_ERR_INV_VALUE; |
1893 | 517 | else |
1894 | 517 | outlen = (unsigned int)param[0]; |
1895 | | |
1896 | 517 | n = sizeof (struct x963_kdf_context); |
1897 | 517 | o = xtrymalloc (n); |
1898 | 517 | if (!o) |
1899 | 0 | return gpg_err_code_from_errno (errno); |
1900 | | |
1901 | 517 | o->blklen = _gcry_md_get_algo_dlen (hashalgo); |
1902 | 517 | if (!o->blklen) |
1903 | 0 | { |
1904 | 0 | xfree (o); |
1905 | 0 | return GPG_ERR_DIGEST_ALGO; |
1906 | 0 | } |
1907 | 517 | ec = _gcry_md_open (&o->md, hashalgo, 0); |
1908 | 517 | if (ec) |
1909 | 0 | { |
1910 | 0 | xfree (o); |
1911 | 0 | return ec; |
1912 | 0 | } |
1913 | 517 | o->algo = GCRY_KDF_X963_KDF; |
1914 | 517 | o->outlen = outlen; |
1915 | 517 | o->input = input; |
1916 | 517 | o->inputlen = inputlen; |
1917 | 517 | o->sharedinfo = sharedinfo; |
1918 | 517 | o->sharedinfolen = sharedinfolen; |
1919 | | |
1920 | 517 | *hd = (void *)o; |
1921 | 517 | return 0; |
1922 | 517 | } |
1923 | | |
1924 | | |
1925 | | static gpg_err_code_t |
1926 | | x963_kdf_compute (x963_kdf_ctx_t o, const struct gcry_kdf_thread_ops *ops) |
1927 | 517 | { |
1928 | 517 | (void)o; |
1929 | | |
1930 | 517 | if (ops != NULL) |
1931 | 0 | return GPG_ERR_INV_VALUE; |
1932 | | |
1933 | 517 | return 0; |
1934 | 517 | } |
1935 | | |
1936 | | static gpg_err_code_t |
1937 | | x963_kdf_final (x963_kdf_ctx_t o, size_t resultlen, void *result) |
1938 | 517 | { |
1939 | 517 | u32 counter = 0; |
1940 | 517 | unsigned char cnt[4]; |
1941 | 517 | int i; |
1942 | | |
1943 | 517 | if (resultlen != o->outlen) |
1944 | 0 | return GPG_ERR_INV_VALUE; |
1945 | | |
1946 | 11.9k | for (i = 0; i < o->outlen / o->blklen; i++) |
1947 | 11.4k | { |
1948 | 11.4k | counter++; |
1949 | 11.4k | _gcry_md_write (o->md, o->input, o->inputlen); |
1950 | 11.4k | buf_put_be32 (cnt, counter); |
1951 | 11.4k | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1952 | 11.4k | if (o->sharedinfolen) |
1953 | 11.0k | _gcry_md_write (o->md, o->sharedinfo, o->sharedinfolen); |
1954 | 11.4k | _gcry_md_final (o->md); |
1955 | 11.4k | memcpy ((char *)result + o->blklen * i, |
1956 | 11.4k | _gcry_md_read (o->md, 0), o->blklen); |
1957 | 11.4k | resultlen -= o->blklen; |
1958 | 11.4k | _gcry_md_reset (o->md); |
1959 | 11.4k | } |
1960 | | |
1961 | 517 | if (resultlen) |
1962 | 485 | { |
1963 | 485 | counter++; |
1964 | 485 | _gcry_md_write (o->md, o->input, o->inputlen); |
1965 | 485 | buf_put_be32 (cnt, counter); |
1966 | 485 | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1967 | 485 | if (o->sharedinfolen) |
1968 | 466 | _gcry_md_write (o->md, o->sharedinfo, o->sharedinfolen); |
1969 | 485 | _gcry_md_final (o->md); |
1970 | 485 | memcpy ((char *)result + o->blklen * i, |
1971 | 485 | _gcry_md_read (o->md, 0), resultlen); |
1972 | 485 | } |
1973 | | |
1974 | 517 | return 0; |
1975 | 517 | } |
1976 | | |
1977 | | static void |
1978 | | x963_kdf_close (x963_kdf_ctx_t o) |
1979 | 517 | { |
1980 | 517 | _gcry_md_close (o->md); |
1981 | 517 | xfree (o); |
1982 | 517 | } |
1983 | | |
1984 | | struct gcry_kdf_handle { |
1985 | | int algo; |
1986 | | /* And algo specific parts come. */ |
1987 | | }; |
1988 | | |
1989 | | gpg_err_code_t |
1990 | | _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo, |
1991 | | const unsigned long *param, unsigned int paramlen, |
1992 | | const void *input, size_t inputlen, |
1993 | | const void *salt, size_t saltlen, |
1994 | | const void *key, size_t keylen, |
1995 | | const void *ad, size_t adlen) |
1996 | 1.70k | { |
1997 | 1.70k | gpg_err_code_t ec; |
1998 | | |
1999 | 1.70k | switch (algo) |
2000 | 1.70k | { |
2001 | 518 | case GCRY_KDF_ARGON2: |
2002 | 518 | if (!saltlen) |
2003 | 15 | ec = GPG_ERR_INV_VALUE; |
2004 | 503 | else |
2005 | 503 | ec = argon2_open (hd, subalgo, param, paramlen, |
2006 | 503 | input, inputlen, salt, saltlen, |
2007 | 503 | key, keylen, ad, adlen); |
2008 | 518 | break; |
2009 | | |
2010 | 0 | case GCRY_KDF_BALLOON: |
2011 | 0 | if (!inputlen || !saltlen || keylen || adlen) |
2012 | 0 | ec = GPG_ERR_INV_VALUE; |
2013 | 0 | else |
2014 | 0 | { |
2015 | 0 | (void)key; |
2016 | 0 | (void)ad; |
2017 | 0 | ec = balloon_open (hd, subalgo, param, paramlen, |
2018 | 0 | input, inputlen, salt, saltlen); |
2019 | 0 | } |
2020 | 0 | break; |
2021 | | |
2022 | 0 | case GCRY_KDF_ONESTEP_KDF: |
2023 | 0 | if (!inputlen || !paramlen || !adlen) |
2024 | 0 | ec = GPG_ERR_INV_VALUE; |
2025 | 0 | else |
2026 | 0 | { |
2027 | 0 | (void)salt; |
2028 | 0 | (void)key; |
2029 | 0 | ec = onestep_kdf_open (hd, subalgo, param, paramlen, |
2030 | 0 | input, inputlen, ad, adlen); |
2031 | 0 | } |
2032 | 0 | break; |
2033 | | |
2034 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2035 | 0 | if (!inputlen || !paramlen || !keylen || !adlen) |
2036 | 0 | ec = GPG_ERR_INV_VALUE; |
2037 | 0 | else |
2038 | 0 | { |
2039 | 0 | (void)salt; |
2040 | 0 | ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen, |
2041 | 0 | input, inputlen, key, keylen, ad, adlen); |
2042 | 0 | } |
2043 | 0 | break; |
2044 | | |
2045 | 663 | case GCRY_KDF_HKDF: |
2046 | 663 | if (!inputlen || !paramlen) |
2047 | 49 | ec = GPG_ERR_INV_VALUE; |
2048 | 614 | else |
2049 | 614 | { |
2050 | 614 | (void)salt; |
2051 | 614 | ec = hkdf_open (hd, subalgo, param, paramlen, |
2052 | 614 | input, inputlen, key, keylen, ad, adlen); |
2053 | 614 | } |
2054 | 663 | break; |
2055 | | |
2056 | 519 | case GCRY_KDF_X963_KDF: |
2057 | 519 | if (!inputlen || !paramlen) |
2058 | 2 | ec = GPG_ERR_INV_VALUE; |
2059 | 517 | else |
2060 | 517 | { |
2061 | 517 | (void)salt; |
2062 | 517 | (void)key; |
2063 | 517 | ec = x963_kdf_open (hd, subalgo, param, paramlen, |
2064 | 517 | input, inputlen, ad, adlen); |
2065 | 517 | } |
2066 | 519 | break; |
2067 | | |
2068 | 0 | default: |
2069 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
2070 | 0 | break; |
2071 | 1.70k | } |
2072 | | |
2073 | 1.70k | return ec; |
2074 | 1.70k | } |
2075 | | |
2076 | | gpg_err_code_t |
2077 | | _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops) |
2078 | 1.50k | { |
2079 | 1.50k | gpg_err_code_t ec; |
2080 | | |
2081 | 1.50k | switch (h->algo) |
2082 | 1.50k | { |
2083 | 497 | case GCRY_KDF_ARGON2: |
2084 | 497 | ec = argon2_compute ((argon2_ctx_t)(void *)h, ops); |
2085 | 497 | break; |
2086 | | |
2087 | 0 | case GCRY_KDF_BALLOON: |
2088 | 0 | ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops); |
2089 | 0 | break; |
2090 | | |
2091 | 0 | case GCRY_KDF_ONESTEP_KDF: |
2092 | 0 | ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops); |
2093 | 0 | break; |
2094 | | |
2095 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2096 | 0 | ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops); |
2097 | 0 | break; |
2098 | | |
2099 | 495 | case GCRY_KDF_HKDF: |
2100 | 495 | ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops); |
2101 | 495 | break; |
2102 | | |
2103 | 517 | case GCRY_KDF_X963_KDF: |
2104 | 517 | ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops); |
2105 | 517 | break; |
2106 | | |
2107 | 0 | default: |
2108 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
2109 | 0 | break; |
2110 | 1.50k | } |
2111 | | |
2112 | 1.50k | return ec; |
2113 | 1.50k | } |
2114 | | |
2115 | | |
2116 | | gpg_err_code_t |
2117 | | _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result) |
2118 | 1.50k | { |
2119 | 1.50k | gpg_err_code_t ec; |
2120 | | |
2121 | 1.50k | switch (h->algo) |
2122 | 1.50k | { |
2123 | 497 | case GCRY_KDF_ARGON2: |
2124 | 497 | ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result); |
2125 | 497 | break; |
2126 | | |
2127 | 0 | case GCRY_KDF_BALLOON: |
2128 | 0 | ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result); |
2129 | 0 | break; |
2130 | | |
2131 | 0 | case GCRY_KDF_ONESTEP_KDF: |
2132 | 0 | ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result); |
2133 | 0 | break; |
2134 | | |
2135 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2136 | 0 | ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h, |
2137 | 0 | resultlen, result); |
2138 | 0 | break; |
2139 | | |
2140 | 495 | case GCRY_KDF_HKDF: |
2141 | 495 | ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result); |
2142 | 495 | break; |
2143 | | |
2144 | 517 | case GCRY_KDF_X963_KDF: |
2145 | 517 | ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result); |
2146 | 517 | break; |
2147 | | |
2148 | 0 | default: |
2149 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
2150 | 0 | break; |
2151 | 1.50k | } |
2152 | | |
2153 | 1.50k | return ec; |
2154 | 1.50k | } |
2155 | | |
2156 | | void |
2157 | | _gcry_kdf_close (gcry_kdf_hd_t h) |
2158 | 1.50k | { |
2159 | 1.50k | switch (h->algo) |
2160 | 1.50k | { |
2161 | 497 | case GCRY_KDF_ARGON2: |
2162 | 497 | argon2_close ((argon2_ctx_t)(void *)h); |
2163 | 497 | break; |
2164 | | |
2165 | 0 | case GCRY_KDF_BALLOON: |
2166 | 0 | balloon_close ((balloon_ctx_t)(void *)h); |
2167 | 0 | break; |
2168 | | |
2169 | 0 | case GCRY_KDF_ONESTEP_KDF: |
2170 | 0 | onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h); |
2171 | 0 | break; |
2172 | | |
2173 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2174 | 0 | onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h); |
2175 | 0 | break; |
2176 | | |
2177 | 495 | case GCRY_KDF_HKDF: |
2178 | 495 | hkdf_close ((hkdf_ctx_t)(void *)h); |
2179 | 495 | break; |
2180 | | |
2181 | 517 | case GCRY_KDF_X963_KDF: |
2182 | 517 | x963_kdf_close ((x963_kdf_ctx_t)(void *)h); |
2183 | 517 | break; |
2184 | | |
2185 | 0 | default: |
2186 | 0 | break; |
2187 | 1.50k | } |
2188 | 1.50k | } |
2189 | | |
2190 | | /* Check one KDF call with ALGO and HASH_ALGO using the regular KDF |
2191 | | * API. (passphrase,passphraselen) is the password to be derived, |
2192 | | * (salt,saltlen) the salt for the key derivation, |
2193 | | * iterations is the number of the kdf iterations, |
2194 | | * and (expect,expectlen) the expected result. Returns NULL on |
2195 | | * success or a string describing the failure. */ |
2196 | | |
2197 | | static const char * |
2198 | | check_one (int algo, int hash_algo, |
2199 | | const void *passphrase, size_t passphraselen, |
2200 | | const void *salt, size_t saltlen, |
2201 | | unsigned long iterations, |
2202 | | const void *expect, size_t expectlen) |
2203 | 0 | { |
2204 | 0 | unsigned char key[512]; /* hardcoded to avoid allocation */ |
2205 | 0 | size_t keysize = expectlen; |
2206 | 0 | int rv; |
2207 | |
|
2208 | 0 | if (keysize > sizeof(key)) |
2209 | 0 | return "invalid tests data"; |
2210 | | |
2211 | 0 | rv = _gcry_kdf_derive (passphrase, passphraselen, algo, |
2212 | 0 | hash_algo, salt, saltlen, iterations, |
2213 | 0 | keysize, key); |
2214 | | /* In fips mode we have special requirements for the input and |
2215 | | * output parameters */ |
2216 | 0 | if (fips_mode ()) |
2217 | 0 | { |
2218 | 0 | if (rv && (passphraselen < 8 || saltlen < 16 || |
2219 | 0 | iterations < 1000 || expectlen < 14)) |
2220 | 0 | return NULL; |
2221 | 0 | else if (rv) |
2222 | 0 | return "gcry_kdf_derive unexpectedly failed in FIPS Mode"; |
2223 | 0 | } |
2224 | 0 | else if (rv) |
2225 | 0 | return "gcry_kdf_derive failed"; |
2226 | | |
2227 | 0 | if (memcmp (key, expect, expectlen)) |
2228 | 0 | return "does not match"; |
2229 | | |
2230 | 0 | return NULL; |
2231 | 0 | } |
2232 | | |
2233 | | |
2234 | | static gpg_err_code_t |
2235 | | selftest_pbkdf2 (int extended, selftest_report_func_t report) |
2236 | 0 | { |
2237 | 0 | static const struct { |
2238 | 0 | const char *desc; |
2239 | 0 | const char *p; /* Passphrase. */ |
2240 | 0 | size_t plen; /* Length of P. */ |
2241 | 0 | const char *salt; |
2242 | 0 | size_t saltlen; |
2243 | 0 | int hashalgo; |
2244 | 0 | unsigned long c; /* Iterations. */ |
2245 | 0 | int dklen; /* Requested key length. */ |
2246 | 0 | const char *dk; /* Derived key. */ |
2247 | 0 | int disabled; |
2248 | 0 | } tv[] = { |
2249 | 0 | #if USE_SHA1 |
2250 | 0 | #define NUM_TEST_VECTORS 9 |
2251 | | /* SHA1 test vectors are from RFC-6070. */ |
2252 | 0 | { |
2253 | 0 | "Basic PBKDF2 SHA1 #1", |
2254 | 0 | "password", 8, |
2255 | 0 | "salt", 4, |
2256 | 0 | GCRY_MD_SHA1, |
2257 | 0 | 1, |
2258 | 0 | 20, |
2259 | 0 | "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9" |
2260 | 0 | "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6" |
2261 | 0 | }, |
2262 | 0 | { |
2263 | 0 | "Basic PBKDF2 SHA1 #2", |
2264 | 0 | "password", 8, |
2265 | 0 | "salt", 4, |
2266 | 0 | GCRY_MD_SHA1, |
2267 | 0 | 2, |
2268 | 0 | 20, |
2269 | 0 | "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e" |
2270 | 0 | "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57" |
2271 | 0 | }, |
2272 | 0 | { |
2273 | 0 | "Basic PBKDF2 SHA1 #3", |
2274 | 0 | "password", 8, |
2275 | 0 | "salt", 4, |
2276 | 0 | GCRY_MD_SHA1, |
2277 | 0 | 4096, |
2278 | 0 | 20, |
2279 | 0 | "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad" |
2280 | 0 | "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1" |
2281 | 0 | }, |
2282 | 0 | { |
2283 | 0 | "Basic PBKDF2 SHA1 #4", |
2284 | 0 | "password", 8, |
2285 | 0 | "salt", 4, |
2286 | 0 | GCRY_MD_SHA1, |
2287 | 0 | 16777216, |
2288 | 0 | 20, |
2289 | 0 | "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94" |
2290 | 0 | "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", |
2291 | 0 | 1 /* This test takes too long. */ |
2292 | 0 | }, |
2293 | 0 | { |
2294 | 0 | "Basic PBKDF2 SHA1 #5", |
2295 | 0 | "passwordPASSWORDpassword", 24, |
2296 | 0 | "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, |
2297 | 0 | GCRY_MD_SHA1, |
2298 | 0 | 4096, |
2299 | 0 | 25, |
2300 | 0 | "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8" |
2301 | 0 | "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96" |
2302 | 0 | "\x4c\xf2\xf0\x70\x38" |
2303 | 0 | }, |
2304 | 0 | { |
2305 | 0 | "Basic PBKDF2 SHA1 #6", |
2306 | 0 | "pass\0word", 9, |
2307 | 0 | "sa\0lt", 5, |
2308 | 0 | GCRY_MD_SHA1, |
2309 | 0 | 4096, |
2310 | 0 | 16, |
2311 | 0 | "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37" |
2312 | 0 | "\xd7\xf0\x34\x25\xe0\xc3" |
2313 | 0 | }, |
2314 | 0 | { /* empty password test, not in RFC-6070 */ |
2315 | 0 | "Basic PBKDF2 SHA1 #7", |
2316 | 0 | "", 0, |
2317 | 0 | "salt", 4, |
2318 | 0 | GCRY_MD_SHA1, |
2319 | 0 | 2, |
2320 | 0 | 20, |
2321 | 0 | "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2" |
2322 | 0 | "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97" |
2323 | 0 | }, |
2324 | | #else |
2325 | | #define NUM_TEST_VECTORS 2 |
2326 | | #endif |
2327 | 0 | { |
2328 | 0 | "Basic PBKDF2 SHA256", |
2329 | 0 | "password", 8, |
2330 | 0 | "salt", 4, |
2331 | 0 | GCRY_MD_SHA256, |
2332 | 0 | 2, |
2333 | 0 | 32, |
2334 | 0 | "\xae\x4d\x0c\x95\xaf\x6b\x46\xd3\x2d\x0a\xdf\xf9\x28\xf0\x6d\xd0" |
2335 | 0 | "\x2a\x30\x3f\x8e\xf3\xc2\x51\xdf\xd6\xe2\xd8\x5a\x95\x47\x4c\x43" |
2336 | 0 | }, |
2337 | 0 | { |
2338 | 0 | "Extended PBKDF2 SHA256", |
2339 | 0 | "passwordPASSWORDpassword", 24, |
2340 | 0 | "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, |
2341 | 0 | GCRY_MD_SHA256, |
2342 | 0 | 4096, |
2343 | 0 | 40, |
2344 | 0 | "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf" |
2345 | 0 | "\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1" |
2346 | 0 | "\xc6\x35\x51\x8c\x7d\xac\x47\xe9" |
2347 | 0 | }, |
2348 | 0 | { NULL } |
2349 | 0 | }; |
2350 | 0 | const char *what; |
2351 | 0 | const char *errtxt; |
2352 | 0 | int tvidx; |
2353 | |
|
2354 | 0 | for (tvidx=0; tv[tvidx].desc; tvidx++) |
2355 | 0 | { |
2356 | 0 | what = tv[tvidx].desc; |
2357 | 0 | if (tv[tvidx].disabled) |
2358 | 0 | continue; |
2359 | 0 | errtxt = check_one (GCRY_KDF_PBKDF2, tv[tvidx].hashalgo, |
2360 | 0 | tv[tvidx].p, tv[tvidx].plen, |
2361 | 0 | tv[tvidx].salt, tv[tvidx].saltlen, |
2362 | 0 | tv[tvidx].c, |
2363 | 0 | tv[tvidx].dk, tv[tvidx].dklen); |
2364 | 0 | if (errtxt) |
2365 | 0 | goto failed; |
2366 | 0 | if (tvidx >= NUM_TEST_VECTORS - 1 && !extended) |
2367 | 0 | break; |
2368 | 0 | } |
2369 | | |
2370 | 0 | return 0; /* Succeeded. */ |
2371 | | |
2372 | 0 | failed: |
2373 | 0 | if (report) |
2374 | 0 | report ("kdf", GCRY_KDF_PBKDF2, what, errtxt); |
2375 | 0 | return GPG_ERR_SELFTEST_FAILED; |
2376 | 0 | } |
2377 | | |
2378 | | |
2379 | | /* Run the selftests for KDF with KDF algorithm ALGO with optional |
2380 | | reporting function REPORT. */ |
2381 | | gpg_error_t |
2382 | | _gcry_kdf_selftest (int algo, int extended, selftest_report_func_t report) |
2383 | 0 | { |
2384 | 0 | gcry_err_code_t ec = 0; |
2385 | |
|
2386 | 0 | if (algo == GCRY_KDF_PBKDF2) |
2387 | 0 | ec = selftest_pbkdf2 (extended, report); |
2388 | 0 | else |
2389 | 0 | { |
2390 | 0 | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
2391 | 0 | if (report) |
2392 | 0 | report ("kdf", algo, "module", "algorithm not available"); |
2393 | 0 | } |
2394 | 0 | return gpg_error (ec); |
2395 | 0 | } |