/src/libgcrypt/cipher/kdf.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* kdf.c - Key Derivation Functions |
2 | | * Copyright (C) 1998, 2008, 2011 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 g10 Code GmbH |
4 | | * |
5 | | * This file is part of Libgcrypt. |
6 | | * |
7 | | * Libgcrypt is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU Lesser general Public License as |
9 | | * published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * Libgcrypt is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public |
18 | | * License along with this program; if not, see <http://www.gnu.org/licenses/>. |
19 | | */ |
20 | | |
21 | | #include <config.h> |
22 | | #include <stdio.h> |
23 | | #include <stdlib.h> |
24 | | #include <string.h> |
25 | | #include <errno.h> |
26 | | |
27 | | #include "g10lib.h" |
28 | | #include "cipher.h" |
29 | | #include "kdf-internal.h" |
30 | | |
31 | | |
32 | | /* Transform a passphrase into a suitable key of length KEYSIZE and |
33 | | store this key in the caller provided buffer KEYBUFFER. The caller |
34 | | must provide an HASHALGO, a valid ALGO and depending on that algo a |
35 | | SALT of 8 bytes and the number of ITERATIONS. Code taken from |
36 | | gnupg/agent/protect.c:hash_passphrase. */ |
37 | | static gpg_err_code_t |
38 | | openpgp_s2k (const void *passphrase, size_t passphraselen, |
39 | | int algo, int hashalgo, |
40 | | const void *salt, size_t saltlen, |
41 | | unsigned long iterations, |
42 | | size_t keysize, void *keybuffer) |
43 | 0 | { |
44 | 0 | gpg_err_code_t ec; |
45 | 0 | gcry_md_hd_t md; |
46 | 0 | char *key = keybuffer; |
47 | 0 | int pass, i; |
48 | 0 | int used = 0; |
49 | 0 | int secmode; |
50 | |
|
51 | 0 | if ((algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K) |
52 | 0 | && (!salt || saltlen != 8)) |
53 | 0 | return GPG_ERR_INV_VALUE; |
54 | | |
55 | 0 | secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer); |
56 | |
|
57 | 0 | ec = _gcry_md_open (&md, hashalgo, secmode? GCRY_MD_FLAG_SECURE : 0); |
58 | 0 | if (ec) |
59 | 0 | return ec; |
60 | | |
61 | 0 | for (pass=0; used < keysize; pass++) |
62 | 0 | { |
63 | 0 | if (pass) |
64 | 0 | { |
65 | 0 | _gcry_md_reset (md); |
66 | 0 | for (i=0; i < pass; i++) /* Preset the hash context. */ |
67 | 0 | _gcry_md_putc (md, 0); |
68 | 0 | } |
69 | |
|
70 | 0 | if (algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K) |
71 | 0 | { |
72 | 0 | int len2 = passphraselen + 8; |
73 | 0 | unsigned long count = len2; |
74 | |
|
75 | 0 | if (algo == GCRY_KDF_ITERSALTED_S2K) |
76 | 0 | { |
77 | 0 | count = iterations; |
78 | 0 | if (count < len2) |
79 | 0 | count = len2; |
80 | 0 | } |
81 | |
|
82 | 0 | while (count > len2) |
83 | 0 | { |
84 | 0 | _gcry_md_write (md, salt, saltlen); |
85 | 0 | _gcry_md_write (md, passphrase, passphraselen); |
86 | 0 | count -= len2; |
87 | 0 | } |
88 | 0 | if (count < saltlen) |
89 | 0 | _gcry_md_write (md, salt, count); |
90 | 0 | else |
91 | 0 | { |
92 | 0 | _gcry_md_write (md, salt, saltlen); |
93 | 0 | count -= saltlen; |
94 | 0 | _gcry_md_write (md, passphrase, count); |
95 | 0 | } |
96 | 0 | } |
97 | 0 | else |
98 | 0 | _gcry_md_write (md, passphrase, passphraselen); |
99 | |
|
100 | 0 | _gcry_md_final (md); |
101 | 0 | i = _gcry_md_get_algo_dlen (hashalgo); |
102 | 0 | if (i > keysize - used) |
103 | 0 | i = keysize - used; |
104 | 0 | memcpy (key+used, _gcry_md_read (md, hashalgo), i); |
105 | 0 | used += i; |
106 | 0 | } |
107 | 0 | _gcry_md_close (md); |
108 | 0 | return 0; |
109 | 0 | } |
110 | | |
111 | | |
112 | | /* Transform a passphrase into a suitable key of length KEYSIZE and |
113 | | store this key in the caller provided buffer KEYBUFFER. The caller |
114 | | must provide PRFALGO which indicates the pseudorandom function to |
115 | | use: This shall be the algorithms id of a hash algorithm; it is |
116 | | used in HMAC mode. SALT is a salt of length SALTLEN and ITERATIONS |
117 | | gives the number of iterations. */ |
118 | | gpg_err_code_t |
119 | | _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, |
120 | | int hashalgo, |
121 | | const void *salt, size_t saltlen, |
122 | | unsigned long iterations, |
123 | | size_t keysize, void *keybuffer) |
124 | 0 | { |
125 | 0 | gpg_err_code_t ec; |
126 | 0 | gcry_md_hd_t md; |
127 | 0 | int secmode; |
128 | 0 | unsigned long dklen = keysize; |
129 | 0 | char *dk = keybuffer; |
130 | 0 | unsigned int hlen; /* Output length of the digest function. */ |
131 | 0 | unsigned int l; /* Rounded up number of blocks. */ |
132 | 0 | unsigned int r; /* Number of octets in the last block. */ |
133 | 0 | char *sbuf; /* Malloced buffer to concatenate salt and iter |
134 | | as well as space to hold TBUF and UBUF. */ |
135 | 0 | char *tbuf; /* Buffer for T; ptr into SBUF, size is HLEN. */ |
136 | 0 | char *ubuf; /* Buffer for U; ptr into SBUF, size is HLEN. */ |
137 | 0 | unsigned int lidx; /* Current block number. */ |
138 | 0 | unsigned long iter; /* Current iteration number. */ |
139 | 0 | unsigned int i; |
140 | | |
141 | | /* We allow for a saltlen of 0 here to support scrypt. It is not |
142 | | clear whether rfc2898 allows for this this, thus we do a test on |
143 | | saltlen > 0 only in gcry_kdf_derive. */ |
144 | 0 | if (!salt || !iterations || !dklen) |
145 | 0 | return GPG_ERR_INV_VALUE; |
146 | | |
147 | 0 | hlen = _gcry_md_get_algo_dlen (hashalgo); |
148 | 0 | if (!hlen) |
149 | 0 | return GPG_ERR_DIGEST_ALGO; |
150 | | |
151 | 0 | secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer); |
152 | | |
153 | | /* Step 1 */ |
154 | | /* If dkLen > (2^32 - 1) * hLen, output "derived key too long" and |
155 | | * stop. We use a stronger inequality but only if our type can hold |
156 | | * a larger value. */ |
157 | |
|
158 | 0 | #if SIZEOF_UNSIGNED_LONG > 4 |
159 | 0 | if (dklen > 0xffffffffU) |
160 | 0 | return GPG_ERR_INV_VALUE; |
161 | 0 | #endif |
162 | | |
163 | | /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */ |
164 | 0 | if (fips_mode () && passphraselen < 8) |
165 | 0 | return GPG_ERR_INV_VALUE; |
166 | | |
167 | | /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */ |
168 | 0 | if (fips_mode () && saltlen < 16) |
169 | 0 | return GPG_ERR_INV_VALUE; |
170 | | |
171 | | /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */ |
172 | 0 | if (fips_mode () && iterations < 1000) |
173 | 0 | return GPG_ERR_INV_VALUE; |
174 | | |
175 | | /* Check minimum key size */ |
176 | 0 | if (fips_mode () && dklen < 14) |
177 | 0 | return GPG_ERR_INV_VALUE; |
178 | | |
179 | | /* Step 2 */ |
180 | 0 | l = ((dklen - 1)/ hlen) + 1; |
181 | 0 | r = dklen - (l - 1) * hlen; |
182 | | |
183 | | /* Setup buffers and prepare a hash context. */ |
184 | 0 | sbuf = (secmode |
185 | 0 | ? xtrymalloc_secure (saltlen + 4 + hlen + hlen) |
186 | 0 | : xtrymalloc (saltlen + 4 + hlen + hlen)); |
187 | 0 | if (!sbuf) |
188 | 0 | return gpg_err_code_from_syserror (); |
189 | 0 | tbuf = sbuf + saltlen + 4; |
190 | 0 | ubuf = tbuf + hlen; |
191 | |
|
192 | 0 | ec = _gcry_md_open (&md, hashalgo, (GCRY_MD_FLAG_HMAC |
193 | 0 | | (secmode?GCRY_MD_FLAG_SECURE:0))); |
194 | 0 | if (ec) |
195 | 0 | { |
196 | 0 | xfree (sbuf); |
197 | 0 | return ec; |
198 | 0 | } |
199 | | |
200 | 0 | ec = _gcry_md_setkey (md, passphrase, passphraselen); |
201 | 0 | if (ec) |
202 | 0 | { |
203 | 0 | _gcry_md_close (md); |
204 | 0 | xfree (sbuf); |
205 | 0 | return ec; |
206 | 0 | } |
207 | | |
208 | | /* Step 3 and 4. */ |
209 | 0 | memcpy (sbuf, salt, saltlen); |
210 | 0 | for (lidx = 1; lidx <= l; lidx++) |
211 | 0 | { |
212 | 0 | for (iter = 0; iter < iterations; iter++) |
213 | 0 | { |
214 | 0 | _gcry_md_reset (md); |
215 | 0 | if (!iter) /* Compute U_1: */ |
216 | 0 | { |
217 | 0 | sbuf[saltlen] = (lidx >> 24); |
218 | 0 | sbuf[saltlen + 1] = (lidx >> 16); |
219 | 0 | sbuf[saltlen + 2] = (lidx >> 8); |
220 | 0 | sbuf[saltlen + 3] = lidx; |
221 | 0 | _gcry_md_write (md, sbuf, saltlen + 4); |
222 | 0 | memcpy (ubuf, _gcry_md_read (md, 0), hlen); |
223 | 0 | memcpy (tbuf, ubuf, hlen); |
224 | 0 | } |
225 | 0 | else /* Compute U_(2..c): */ |
226 | 0 | { |
227 | 0 | _gcry_md_write (md, ubuf, hlen); |
228 | 0 | memcpy (ubuf, _gcry_md_read (md, 0), hlen); |
229 | 0 | for (i=0; i < hlen; i++) |
230 | 0 | tbuf[i] ^= ubuf[i]; |
231 | 0 | } |
232 | 0 | } |
233 | 0 | if (lidx == l) /* Last block. */ |
234 | 0 | memcpy (dk, tbuf, r); |
235 | 0 | else |
236 | 0 | { |
237 | 0 | memcpy (dk, tbuf, hlen); |
238 | 0 | dk += hlen; |
239 | 0 | } |
240 | 0 | } |
241 | |
|
242 | 0 | _gcry_md_close (md); |
243 | 0 | xfree (sbuf); |
244 | 0 | return 0; |
245 | 0 | } |
246 | | |
247 | | |
248 | | /* Derive a key from a passphrase. KEYSIZE gives the requested size |
249 | | of the keys in octets. KEYBUFFER is a caller provided buffer |
250 | | filled on success with the derived key. The input passphrase is |
251 | | taken from (PASSPHRASE,PASSPHRASELEN) which is an arbitrary memory |
252 | | buffer. ALGO specifies the KDF algorithm to use; these are the |
253 | | constants GCRY_KDF_*. SUBALGO specifies an algorithm used |
254 | | internally by the KDF algorithms; this is usually a hash algorithm |
255 | | but certain KDF algorithm may use it differently. {SALT,SALTLEN} |
256 | | is a salt as needed by most KDF algorithms. ITERATIONS is a |
257 | | positive integer parameter to most KDFs. 0 is returned on success, |
258 | | or an error code on failure. */ |
259 | | gpg_err_code_t |
260 | | _gcry_kdf_derive (const void *passphrase, size_t passphraselen, |
261 | | int algo, int subalgo, |
262 | | const void *salt, size_t saltlen, |
263 | | unsigned long iterations, |
264 | | size_t keysize, void *keybuffer) |
265 | 0 | { |
266 | 0 | gpg_err_code_t ec; |
267 | |
|
268 | 0 | if (!passphrase) |
269 | 0 | { |
270 | 0 | ec = GPG_ERR_INV_DATA; |
271 | 0 | goto leave; |
272 | 0 | } |
273 | | |
274 | 0 | if (!keybuffer || !keysize) |
275 | 0 | { |
276 | 0 | ec = GPG_ERR_INV_VALUE; |
277 | 0 | goto leave; |
278 | 0 | } |
279 | | |
280 | | |
281 | 0 | switch (algo) |
282 | 0 | { |
283 | 0 | case GCRY_KDF_SIMPLE_S2K: |
284 | 0 | case GCRY_KDF_SALTED_S2K: |
285 | 0 | case GCRY_KDF_ITERSALTED_S2K: |
286 | 0 | if (!passphraselen) |
287 | 0 | ec = GPG_ERR_INV_DATA; |
288 | 0 | else |
289 | 0 | ec = openpgp_s2k (passphrase, passphraselen, algo, subalgo, |
290 | 0 | salt, saltlen, iterations, keysize, keybuffer); |
291 | 0 | break; |
292 | | |
293 | 0 | case GCRY_KDF_PBKDF1: |
294 | 0 | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
295 | 0 | break; |
296 | | |
297 | 0 | case GCRY_KDF_PBKDF2: |
298 | 0 | if (!saltlen) |
299 | 0 | ec = GPG_ERR_INV_VALUE; |
300 | 0 | else |
301 | 0 | ec = _gcry_kdf_pkdf2 (passphrase, passphraselen, subalgo, |
302 | 0 | salt, saltlen, iterations, keysize, keybuffer); |
303 | 0 | break; |
304 | | |
305 | 0 | case 41: |
306 | 0 | case GCRY_KDF_SCRYPT: |
307 | 0 | #if USE_SCRYPT |
308 | 0 | ec = _gcry_kdf_scrypt (passphrase, passphraselen, algo, subalgo, |
309 | 0 | salt, saltlen, iterations, keysize, keybuffer); |
310 | | #else |
311 | | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
312 | | #endif /*USE_SCRYPT*/ |
313 | 0 | break; |
314 | | |
315 | 0 | default: |
316 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
317 | 0 | break; |
318 | 0 | } |
319 | | |
320 | 0 | leave: |
321 | 0 | return ec; |
322 | 0 | } |
323 | | � |
324 | | #include "bufhelp.h" |
325 | | |
326 | | typedef struct argon2_context *argon2_ctx_t; |
327 | | |
328 | | /* Per thread data for Argon2. */ |
329 | | struct argon2_thread_data { |
330 | | argon2_ctx_t a; |
331 | | unsigned int pass; |
332 | | unsigned int slice; |
333 | | unsigned int lane; |
334 | | }; |
335 | | |
336 | | /* Argon2 context */ |
337 | | struct argon2_context { |
338 | | int algo; |
339 | | int hash_type; |
340 | | |
341 | | unsigned int outlen; |
342 | | |
343 | | const unsigned char *password; |
344 | | size_t passwordlen; |
345 | | |
346 | | const unsigned char *salt; |
347 | | size_t saltlen; |
348 | | |
349 | | const unsigned char *key; |
350 | | size_t keylen; |
351 | | |
352 | | const unsigned char *ad; |
353 | | size_t adlen; |
354 | | |
355 | | unsigned int m_cost; |
356 | | |
357 | | unsigned int passes; |
358 | | unsigned int memory_blocks; |
359 | | unsigned int segment_length; |
360 | | unsigned int lane_length; |
361 | | unsigned int lanes; |
362 | | |
363 | | u64 *block; |
364 | | struct argon2_thread_data *thread_data; |
365 | | |
366 | | unsigned char out[1]; /* In future, we may use flexible array member. */ |
367 | | }; |
368 | | |
369 | 0 | #define ARGON2_VERSION 0x13 |
370 | | |
371 | 0 | #define ARGON2_WORDS_IN_BLOCK (1024/8) |
372 | | |
373 | | static void |
374 | | xor_block (u64 *dst, const u64 *src) |
375 | 0 | { |
376 | 0 | int i; |
377 | |
|
378 | 0 | for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++) |
379 | 0 | dst[i] ^= src[i]; |
380 | 0 | } |
381 | | |
382 | | static void |
383 | | beswap64_block (u64 *dst) |
384 | 0 | { |
385 | | #ifdef WORDS_BIGENDIAN |
386 | | int i; |
387 | | |
388 | | /* Swap a block in big-endian 64-bit word into one in |
389 | | little-endian. */ |
390 | | for (i = 0; i < ARGON2_WORDS_IN_BLOCK; i++) |
391 | | dst[i] = _gcry_bswap64 (dst[i]); |
392 | | #else |
393 | | /* Nothing to do. */ |
394 | 0 | (void)dst; |
395 | 0 | #endif |
396 | 0 | } |
397 | | |
398 | | |
399 | | static gpg_err_code_t |
400 | | argon2_fill_first_blocks (argon2_ctx_t a) |
401 | 0 | { |
402 | 0 | unsigned char h0_01_i[72]; |
403 | 0 | unsigned char buf[10][4]; |
404 | 0 | gcry_buffer_t iov[8]; |
405 | 0 | unsigned int iov_count = 0; |
406 | 0 | int i; |
407 | | |
408 | | /* Generate H0. */ |
409 | 0 | buf_put_le32 (buf[0], a->lanes); |
410 | 0 | buf_put_le32 (buf[1], a->outlen); |
411 | 0 | buf_put_le32 (buf[2], a->m_cost); |
412 | 0 | buf_put_le32 (buf[3], a->passes); |
413 | 0 | buf_put_le32 (buf[4], ARGON2_VERSION); |
414 | 0 | buf_put_le32 (buf[5], a->hash_type); |
415 | 0 | buf_put_le32 (buf[6], a->passwordlen); |
416 | 0 | iov[iov_count].data = buf[0]; |
417 | 0 | iov[iov_count].len = 4 * 7; |
418 | 0 | iov[iov_count].off = 0; |
419 | 0 | iov_count++; |
420 | 0 | if (a->passwordlen) |
421 | 0 | { |
422 | 0 | iov[iov_count].data = (void *)a->password; |
423 | 0 | iov[iov_count].len = a->passwordlen; |
424 | 0 | iov[iov_count].off = 0; |
425 | 0 | iov_count++; |
426 | 0 | } |
427 | |
|
428 | 0 | buf_put_le32 (buf[7], a->saltlen); |
429 | 0 | iov[iov_count].data = buf[7]; |
430 | 0 | iov[iov_count].len = 4; |
431 | 0 | iov[iov_count].off = 0; |
432 | 0 | iov_count++; |
433 | 0 | iov[iov_count].data = (void *)a->salt; |
434 | 0 | iov[iov_count].len = a->saltlen; |
435 | 0 | iov[iov_count].off = 0; |
436 | 0 | iov_count++; |
437 | |
|
438 | 0 | buf_put_le32 (buf[8], a->keylen); |
439 | 0 | iov[iov_count].data = buf[8]; |
440 | 0 | iov[iov_count].len = 4; |
441 | 0 | iov[iov_count].off = 0; |
442 | 0 | iov_count++; |
443 | 0 | if (a->key) |
444 | 0 | { |
445 | 0 | iov[iov_count].data = (void *)a->key; |
446 | 0 | iov[iov_count].len = a->keylen; |
447 | 0 | iov[iov_count].off = 0; |
448 | 0 | iov_count++; |
449 | 0 | } |
450 | |
|
451 | 0 | buf_put_le32 (buf[9], a->adlen); |
452 | 0 | iov[iov_count].data = buf[9]; |
453 | 0 | iov[iov_count].len = 4; |
454 | 0 | iov[iov_count].off = 0; |
455 | 0 | iov_count++; |
456 | 0 | if (a->ad) |
457 | 0 | { |
458 | 0 | iov[iov_count].data = (void *)a->ad; |
459 | 0 | iov[iov_count].len = a->adlen; |
460 | 0 | iov[iov_count].off = 0; |
461 | 0 | iov_count++; |
462 | 0 | } |
463 | |
|
464 | 0 | _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count); |
465 | |
|
466 | 0 | for (i = 0; i < a->lanes; i++) |
467 | 0 | { |
468 | 0 | memset (h0_01_i+64, 0, 4); |
469 | 0 | buf_put_le32 (h0_01_i+64+4, i); |
470 | 0 | blake2b_vl_hash (h0_01_i, 72, 1024, |
471 | 0 | &a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]); |
472 | 0 | beswap64_block (&a->block[i*a->lane_length*ARGON2_WORDS_IN_BLOCK]); |
473 | |
|
474 | 0 | buf_put_le32 (h0_01_i+64, 1); |
475 | 0 | blake2b_vl_hash (h0_01_i, 72, 1024, |
476 | 0 | &a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]); |
477 | 0 | beswap64_block (&a->block[(i*a->lane_length+1)*ARGON2_WORDS_IN_BLOCK]); |
478 | 0 | } |
479 | 0 | return 0; |
480 | 0 | } |
481 | | |
482 | | static gpg_err_code_t |
483 | | argon2_init (argon2_ctx_t a, unsigned int parallelism, |
484 | | unsigned int m_cost, unsigned int t_cost) |
485 | 0 | { |
486 | 0 | gpg_err_code_t ec = 0; |
487 | 0 | unsigned int memory_blocks; |
488 | 0 | unsigned int segment_length; |
489 | 0 | void *block; |
490 | 0 | struct argon2_thread_data *thread_data; |
491 | |
|
492 | 0 | memory_blocks = m_cost; |
493 | 0 | if (memory_blocks < 8 * parallelism) |
494 | 0 | memory_blocks = 8 * parallelism; |
495 | |
|
496 | 0 | segment_length = memory_blocks / (parallelism * 4); |
497 | 0 | memory_blocks = segment_length * parallelism * 4; |
498 | |
|
499 | 0 | a->passes = t_cost; |
500 | 0 | a->memory_blocks = memory_blocks; |
501 | 0 | a->segment_length = segment_length; |
502 | 0 | a->lane_length = segment_length * 4; |
503 | 0 | a->lanes = parallelism; |
504 | |
|
505 | 0 | a->block = NULL; |
506 | 0 | a->thread_data = NULL; |
507 | |
|
508 | 0 | block = xtrymalloc (1024 * memory_blocks); |
509 | 0 | if (!block) |
510 | 0 | { |
511 | 0 | ec = gpg_err_code_from_errno (errno); |
512 | 0 | return ec; |
513 | 0 | } |
514 | 0 | memset (block, 0, 1024 * memory_blocks); |
515 | |
|
516 | 0 | thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data)); |
517 | 0 | if (!thread_data) |
518 | 0 | { |
519 | 0 | ec = gpg_err_code_from_errno (errno); |
520 | 0 | xfree (block); |
521 | 0 | return ec; |
522 | 0 | } |
523 | | |
524 | 0 | memset (thread_data, 0, a->lanes * sizeof (struct argon2_thread_data)); |
525 | |
|
526 | 0 | a->block = block; |
527 | 0 | a->thread_data = thread_data; |
528 | 0 | return 0; |
529 | 0 | } |
530 | | |
531 | | |
532 | | static u64 fBlaMka (u64 x, u64 y) |
533 | 0 | { |
534 | 0 | const u64 m = U64_C(0xFFFFFFFF); |
535 | 0 | return x + y + 2 * (x & m) * (y & m); |
536 | 0 | } |
537 | | |
538 | | static u64 rotr64 (u64 w, unsigned int c) |
539 | 0 | { |
540 | 0 | return (w >> c) | (w << (64 - c)); |
541 | 0 | } |
542 | | |
543 | | #define G(a, b, c, d) \ |
544 | 0 | do { \ |
545 | 0 | a = fBlaMka(a, b); \ |
546 | 0 | d = rotr64(d ^ a, 32); \ |
547 | 0 | c = fBlaMka(c, d); \ |
548 | 0 | b = rotr64(b ^ c, 24); \ |
549 | 0 | a = fBlaMka(a, b); \ |
550 | 0 | d = rotr64(d ^ a, 16); \ |
551 | 0 | c = fBlaMka(c, d); \ |
552 | 0 | b = rotr64(b ^ c, 63); \ |
553 | 0 | } while ((void)0, 0) |
554 | | |
555 | | #define BLAKE2_ROUND_NOMSG(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, \ |
556 | | v12, v13, v14, v15) \ |
557 | 0 | do { \ |
558 | 0 | G(v0, v4, v8, v12); \ |
559 | 0 | G(v1, v5, v9, v13); \ |
560 | 0 | G(v2, v6, v10, v14); \ |
561 | 0 | G(v3, v7, v11, v15); \ |
562 | 0 | G(v0, v5, v10, v15); \ |
563 | 0 | G(v1, v6, v11, v12); \ |
564 | 0 | G(v2, v7, v8, v13); \ |
565 | 0 | G(v3, v4, v9, v14); \ |
566 | 0 | } while ((void)0, 0) |
567 | | |
568 | | static void |
569 | | fill_block (const u64 *prev_block, const u64 *ref_block, u64 *curr_block, |
570 | | int with_xor) |
571 | 0 | { |
572 | 0 | u64 block_r[ARGON2_WORDS_IN_BLOCK]; |
573 | 0 | u64 block_tmp[ARGON2_WORDS_IN_BLOCK]; |
574 | 0 | int i; |
575 | |
|
576 | 0 | memcpy (block_r, ref_block, 1024); |
577 | 0 | if (prev_block) |
578 | 0 | xor_block (block_r, prev_block); |
579 | 0 | memcpy (block_tmp, block_r, 1024); |
580 | |
|
581 | 0 | if (with_xor) |
582 | 0 | xor_block (block_tmp, curr_block); |
583 | |
|
584 | 0 | for (i = 0; i < 8; ++i) |
585 | 0 | BLAKE2_ROUND_NOMSG |
586 | 0 | (block_r[16 * i], block_r[16 * i + 1], block_r[16 * i + 2], |
587 | 0 | block_r[16 * i + 3], block_r[16 * i + 4], block_r[16 * i + 5], |
588 | 0 | block_r[16 * i + 6], block_r[16 * i + 7], block_r[16 * i + 8], |
589 | 0 | block_r[16 * i + 9], block_r[16 * i + 10], block_r[16 * i + 11], |
590 | 0 | block_r[16 * i + 12], block_r[16 * i + 13], block_r[16 * i + 14], |
591 | 0 | block_r[16 * i + 15]); |
592 | |
|
593 | 0 | for (i = 0; i < 8; i++) |
594 | 0 | BLAKE2_ROUND_NOMSG |
595 | 0 | (block_r[2 * i], block_r[2 * i + 1], block_r[2 * i + 16], |
596 | 0 | block_r[2 * i + 17], block_r[2 * i + 32], block_r[2 * i + 33], |
597 | 0 | block_r[2 * i + 48], block_r[2 * i + 49], block_r[2 * i + 64], |
598 | 0 | block_r[2 * i + 65], block_r[2 * i + 80], block_r[2 * i + 81], |
599 | 0 | block_r[2 * i + 96], block_r[2 * i + 97], block_r[2 * i + 112], |
600 | 0 | block_r[2 * i + 113]); |
601 | |
|
602 | 0 | memcpy (curr_block, block_tmp, 1024); |
603 | 0 | xor_block (curr_block, block_r); |
604 | 0 | } |
605 | | |
606 | | static void |
607 | | pseudo_random_generate (u64 *random_block, u64 *input_block) |
608 | 0 | { |
609 | 0 | input_block[6]++; |
610 | 0 | fill_block (NULL, input_block, random_block, 0); |
611 | 0 | fill_block (NULL, random_block, random_block, 0); |
612 | 0 | } |
613 | | |
614 | | static u32 |
615 | | index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t, |
616 | | int segment_index, u32 random, int same_lane) |
617 | 0 | { |
618 | 0 | u32 reference_area_size; |
619 | 0 | u64 relative_position; |
620 | 0 | u32 start_position; |
621 | |
|
622 | 0 | if (t->pass == 0) |
623 | 0 | { |
624 | 0 | if (t->slice == 0) |
625 | 0 | reference_area_size = segment_index - 1; |
626 | 0 | else |
627 | 0 | { |
628 | 0 | if (same_lane) |
629 | 0 | reference_area_size = t->slice * a->segment_length |
630 | 0 | + segment_index - 1; |
631 | 0 | else |
632 | 0 | reference_area_size = t->slice * a->segment_length + |
633 | 0 | ((segment_index == 0) ? -1 : 0); |
634 | 0 | } |
635 | 0 | } |
636 | 0 | else |
637 | 0 | { |
638 | 0 | if (same_lane) |
639 | 0 | reference_area_size = a->lane_length |
640 | 0 | - a->segment_length + segment_index - 1; |
641 | 0 | else |
642 | 0 | reference_area_size = a->lane_length |
643 | 0 | - a->segment_length + ((segment_index == 0) ? -1 : 0); |
644 | 0 | } |
645 | |
|
646 | 0 | relative_position = (random * (u64)random) >> 32; |
647 | 0 | relative_position = reference_area_size - 1 - |
648 | 0 | ((reference_area_size * relative_position) >> 32); |
649 | |
|
650 | 0 | if (t->pass == 0) |
651 | 0 | start_position = 0; |
652 | 0 | else |
653 | 0 | start_position = (t->slice == 4 - 1) |
654 | 0 | ? 0 |
655 | 0 | : (t->slice + 1) * a->segment_length; |
656 | |
|
657 | 0 | return (start_position + relative_position) % a->lane_length; |
658 | 0 | } |
659 | | |
660 | | static void |
661 | | argon2_compute_segment (void *priv) |
662 | 0 | { |
663 | 0 | const struct argon2_thread_data *t = (const struct argon2_thread_data *)priv; |
664 | 0 | argon2_ctx_t a = t->a; |
665 | 0 | int i; |
666 | 0 | int prev_offset, curr_offset; |
667 | 0 | u32 ref_index, ref_lane; |
668 | 0 | u64 input_block[1024/sizeof (u64)]; |
669 | 0 | u64 address_block[1024/sizeof (u64)]; |
670 | 0 | u64 *random_block = NULL; |
671 | |
|
672 | 0 | if (a->hash_type == GCRY_KDF_ARGON2I |
673 | 0 | || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2)) |
674 | 0 | { |
675 | 0 | memset (input_block, 0, 1024); |
676 | 0 | input_block[0] = t->pass; |
677 | 0 | input_block[1] = t->lane; |
678 | 0 | input_block[2] = t->slice; |
679 | 0 | input_block[3] = a->memory_blocks; |
680 | 0 | input_block[4] = a->passes; |
681 | 0 | input_block[5] = a->hash_type; |
682 | 0 | random_block = address_block; |
683 | 0 | } |
684 | |
|
685 | 0 | if (t->pass == 0 && t->slice == 0) |
686 | 0 | { |
687 | 0 | if (random_block) |
688 | 0 | pseudo_random_generate (random_block, input_block); |
689 | 0 | i = 2; |
690 | 0 | } |
691 | 0 | else |
692 | 0 | i = 0; |
693 | |
|
694 | 0 | curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i; |
695 | 0 | if ((curr_offset % a->lane_length)) |
696 | 0 | prev_offset = curr_offset - 1; |
697 | 0 | else |
698 | 0 | prev_offset = curr_offset + a->lane_length - 1; |
699 | |
|
700 | 0 | for (; i < a->segment_length; i++, curr_offset++, prev_offset++) |
701 | 0 | { |
702 | 0 | u64 *ref_block, *curr_block; |
703 | 0 | u64 rand64; |
704 | |
|
705 | 0 | if ((curr_offset % a->lane_length) == 1) |
706 | 0 | prev_offset = curr_offset - 1; |
707 | |
|
708 | 0 | if (random_block) |
709 | 0 | { |
710 | 0 | if ((i % (1024/sizeof (u64))) == 0) |
711 | 0 | pseudo_random_generate (random_block, input_block); |
712 | |
|
713 | 0 | rand64 = random_block[(i% (1024/sizeof (u64)))]; |
714 | 0 | } |
715 | 0 | else |
716 | 0 | rand64 = a->block[prev_offset*ARGON2_WORDS_IN_BLOCK]; |
717 | |
|
718 | 0 | if (t->pass == 0 && t->slice == 0) |
719 | 0 | ref_lane = t->lane; |
720 | 0 | else |
721 | 0 | ref_lane = (rand64 >> 32) % a->lanes; |
722 | |
|
723 | 0 | ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff), |
724 | 0 | ref_lane == t->lane); |
725 | 0 | ref_block = |
726 | 0 | &a->block[(a->lane_length * ref_lane + ref_index)* ARGON2_WORDS_IN_BLOCK]; |
727 | |
|
728 | 0 | curr_block = &a->block[curr_offset * ARGON2_WORDS_IN_BLOCK]; |
729 | 0 | fill_block (&a->block[prev_offset * ARGON2_WORDS_IN_BLOCK], ref_block, |
730 | 0 | curr_block, t->pass != 0); |
731 | 0 | } |
732 | 0 | } |
733 | | |
734 | | |
735 | | static gpg_err_code_t |
736 | | argon2_compute (argon2_ctx_t a, const struct gcry_kdf_thread_ops *ops) |
737 | 0 | { |
738 | 0 | gpg_err_code_t ec; |
739 | 0 | unsigned int r; |
740 | 0 | unsigned int s; |
741 | 0 | unsigned int l; |
742 | 0 | int ret; |
743 | |
|
744 | 0 | ec = argon2_fill_first_blocks (a); |
745 | 0 | if (ec) |
746 | 0 | return ec; |
747 | | |
748 | 0 | for (r = 0; r < a->passes; r++) |
749 | 0 | for (s = 0; s < 4; s++) |
750 | 0 | { |
751 | 0 | for (l = 0; l < a->lanes; l++) |
752 | 0 | { |
753 | 0 | struct argon2_thread_data *thread_data; |
754 | | |
755 | | /* launch a thread. */ |
756 | 0 | thread_data = &a->thread_data[l]; |
757 | 0 | thread_data->a = a; |
758 | 0 | thread_data->pass = r; |
759 | 0 | thread_data->slice = s; |
760 | 0 | thread_data->lane = l; |
761 | |
|
762 | 0 | if (ops) |
763 | 0 | { |
764 | 0 | ret = ops->dispatch_job (ops->jobs_context, |
765 | 0 | argon2_compute_segment, thread_data); |
766 | 0 | if (ret < 0) |
767 | 0 | return GPG_ERR_CANCELED; |
768 | 0 | } |
769 | 0 | else |
770 | 0 | argon2_compute_segment (thread_data); |
771 | 0 | } |
772 | | |
773 | 0 | if (ops) |
774 | 0 | { |
775 | 0 | ret = ops->wait_all_jobs (ops->jobs_context); |
776 | 0 | if (ret < 0) |
777 | 0 | return GPG_ERR_CANCELED; |
778 | 0 | } |
779 | 0 | } |
780 | | |
781 | 0 | return 0; |
782 | 0 | } |
783 | | |
784 | | |
785 | | static gpg_err_code_t |
786 | | argon2_final (argon2_ctx_t a, size_t resultlen, void *result) |
787 | 0 | { |
788 | 0 | int i; |
789 | |
|
790 | 0 | if (resultlen != a->outlen) |
791 | 0 | return GPG_ERR_INV_VALUE; |
792 | | |
793 | 0 | memset (a->block, 0, 1024); |
794 | 0 | for (i = 0; i < a->lanes; i++) |
795 | 0 | { |
796 | 0 | u64 *last_block; |
797 | |
|
798 | 0 | last_block = &a->block[(a->lane_length * i + (a->lane_length - 1)) |
799 | 0 | * ARGON2_WORDS_IN_BLOCK]; |
800 | 0 | xor_block (a->block, last_block); |
801 | 0 | } |
802 | |
|
803 | 0 | beswap64_block (a->block); |
804 | 0 | blake2b_vl_hash (a->block, 1024, a->outlen, result); |
805 | 0 | return 0; |
806 | 0 | } |
807 | | |
808 | | static void |
809 | | argon2_close (argon2_ctx_t a) |
810 | 0 | { |
811 | 0 | size_t n; |
812 | |
|
813 | 0 | n = offsetof (struct argon2_context, out) + a->outlen; |
814 | |
|
815 | 0 | if (a->block) |
816 | 0 | { |
817 | 0 | wipememory (a->block, 1024 * a->memory_blocks); |
818 | 0 | xfree (a->block); |
819 | 0 | } |
820 | |
|
821 | 0 | if (a->thread_data) |
822 | 0 | xfree (a->thread_data); |
823 | |
|
824 | 0 | wipememory (a, n); |
825 | 0 | xfree (a); |
826 | 0 | } |
827 | | |
828 | | static gpg_err_code_t |
829 | | argon2_open (gcry_kdf_hd_t *hd, int subalgo, |
830 | | const unsigned long *param, unsigned int paramlen, |
831 | | const void *password, size_t passwordlen, |
832 | | const void *salt, size_t saltlen, |
833 | | const void *key, size_t keylen, |
834 | | const void *ad, size_t adlen) |
835 | 0 | { |
836 | 0 | int hash_type; |
837 | 0 | unsigned int taglen; |
838 | 0 | unsigned int t_cost; |
839 | 0 | unsigned int m_cost; |
840 | 0 | unsigned int parallelism = 1; |
841 | 0 | argon2_ctx_t a; |
842 | 0 | gpg_err_code_t ec; |
843 | 0 | size_t n; |
844 | |
|
845 | 0 | if (subalgo != GCRY_KDF_ARGON2D |
846 | 0 | && subalgo != GCRY_KDF_ARGON2I |
847 | 0 | && subalgo != GCRY_KDF_ARGON2ID) |
848 | 0 | return GPG_ERR_INV_VALUE; |
849 | 0 | else |
850 | 0 | hash_type = subalgo; |
851 | | |
852 | | /* param : [ tag_length, t_cost, m_cost, parallelism ] */ |
853 | 0 | if (paramlen < 3 || paramlen > 4) |
854 | 0 | return GPG_ERR_INV_VALUE; |
855 | 0 | else |
856 | 0 | { |
857 | 0 | taglen = (unsigned int)param[0]; |
858 | 0 | t_cost = (unsigned int)param[1]; |
859 | 0 | m_cost = (unsigned int)param[2]; |
860 | 0 | if (paramlen >= 4) |
861 | 0 | parallelism = (unsigned int)param[3]; |
862 | 0 | } |
863 | | |
864 | 0 | if (parallelism == 0) |
865 | 0 | return GPG_ERR_INV_VALUE; |
866 | | |
867 | 0 | n = offsetof (struct argon2_context, out) + taglen; |
868 | 0 | a = xtrymalloc (n); |
869 | 0 | if (!a) |
870 | 0 | return gpg_err_code_from_errno (errno); |
871 | | |
872 | 0 | a->algo = GCRY_KDF_ARGON2; |
873 | 0 | a->hash_type = hash_type; |
874 | |
|
875 | 0 | a->outlen = taglen; |
876 | |
|
877 | 0 | a->password = password; |
878 | 0 | a->passwordlen = passwordlen; |
879 | 0 | a->salt = salt; |
880 | 0 | a->saltlen = saltlen; |
881 | 0 | a->key = key; |
882 | 0 | a->keylen = keylen; |
883 | 0 | a->ad = ad; |
884 | 0 | a->adlen = adlen; |
885 | |
|
886 | 0 | a->m_cost = m_cost; |
887 | |
|
888 | 0 | a->block = NULL; |
889 | 0 | a->thread_data = NULL; |
890 | |
|
891 | 0 | ec = argon2_init (a, parallelism, m_cost, t_cost); |
892 | 0 | if (ec) |
893 | 0 | { |
894 | 0 | xfree (a); |
895 | 0 | return ec; |
896 | 0 | } |
897 | | |
898 | 0 | *hd = (void *)a; |
899 | 0 | return 0; |
900 | 0 | } |
901 | | � |
902 | | typedef struct balloon_context *balloon_ctx_t; |
903 | | |
904 | | /* Per thread data for Balloon. */ |
905 | | struct balloon_thread_data { |
906 | | balloon_ctx_t b; |
907 | | gpg_err_code_t ec; |
908 | | unsigned int idx; |
909 | | unsigned char *block; |
910 | | }; |
911 | | |
912 | | /* Balloon context */ |
913 | | struct balloon_context { |
914 | | int algo; |
915 | | int prng_type; |
916 | | |
917 | | unsigned int blklen; |
918 | | const gcry_md_spec_t *md_spec; |
919 | | |
920 | | const unsigned char *password; |
921 | | size_t passwordlen; |
922 | | |
923 | | const unsigned char *salt; |
924 | | /* Length of salt is fixed. */ |
925 | | |
926 | | unsigned int s_cost; |
927 | | unsigned int t_cost; |
928 | | unsigned int parallelism; |
929 | | |
930 | | u64 n_blocks; |
931 | | |
932 | | unsigned char *block; |
933 | | |
934 | | /* In future, we may use flexible array member. */ |
935 | | struct balloon_thread_data thread_data[1]; |
936 | | }; |
937 | | |
938 | | /* Maximum size of underlining digest size. */ |
939 | 0 | #define BALLOON_BLOCK_LEN_MAX 64 |
940 | | |
941 | | static gpg_err_code_t |
942 | | prng_aes_ctr_init (gcry_cipher_hd_t *hd_p, balloon_ctx_t b, |
943 | | gcry_buffer_t *iov, unsigned int iov_count) |
944 | 0 | { |
945 | 0 | gpg_err_code_t ec; |
946 | 0 | gcry_cipher_hd_t hd; |
947 | 0 | unsigned char key[BALLOON_BLOCK_LEN_MAX]; |
948 | 0 | int cipher_algo; |
949 | 0 | unsigned int keylen, blklen; |
950 | |
|
951 | 0 | switch (b->blklen) |
952 | 0 | { |
953 | 0 | case 64: |
954 | 0 | cipher_algo = GCRY_CIPHER_AES256; |
955 | 0 | break; |
956 | | |
957 | 0 | case 48: |
958 | 0 | cipher_algo = GCRY_CIPHER_AES192; |
959 | 0 | break; |
960 | | |
961 | 0 | default: |
962 | 0 | case 32: |
963 | 0 | cipher_algo = GCRY_CIPHER_AES; |
964 | 0 | break; |
965 | 0 | } |
966 | | |
967 | 0 | keylen = _gcry_cipher_get_algo_keylen (cipher_algo); |
968 | 0 | blklen = _gcry_cipher_get_algo_blklen (cipher_algo); |
969 | |
|
970 | 0 | b->md_spec->hash_buffers (key, b->blklen, iov, iov_count); |
971 | 0 | ec = _gcry_cipher_open (&hd, cipher_algo, GCRY_CIPHER_MODE_CTR, 0); |
972 | 0 | if (ec) |
973 | 0 | return ec; |
974 | | |
975 | 0 | ec = _gcry_cipher_setkey (hd, key, keylen); |
976 | 0 | if (ec) |
977 | 0 | { |
978 | 0 | _gcry_cipher_close (hd); |
979 | 0 | return ec; |
980 | 0 | } |
981 | | |
982 | 0 | if (cipher_algo == GCRY_CIPHER_AES |
983 | 0 | && b->md_spec == &_gcry_digest_spec_sha256) |
984 | | /* Original Balloon uses zero IV. */ |
985 | 0 | ; |
986 | 0 | else |
987 | 0 | { |
988 | 0 | ec = _gcry_cipher_setiv (hd, key+keylen, blklen); |
989 | 0 | if (ec) |
990 | 0 | { |
991 | 0 | _gcry_cipher_close (hd); |
992 | 0 | return ec; |
993 | 0 | } |
994 | 0 | } |
995 | | |
996 | 0 | wipememory (key, BALLOON_BLOCK_LEN_MAX); |
997 | 0 | *hd_p = hd; |
998 | 0 | return ec; |
999 | 0 | } |
1000 | | |
1001 | | static u64 |
1002 | | prng_aes_ctr_get_rand64 (gcry_cipher_hd_t hd) |
1003 | 0 | { |
1004 | 0 | static const unsigned char zero64[8]; |
1005 | 0 | unsigned char rand64[8]; |
1006 | |
|
1007 | 0 | _gcry_cipher_encrypt (hd, rand64, sizeof (rand64), zero64, sizeof (zero64)); |
1008 | 0 | return buf_get_le64 (rand64); |
1009 | 0 | } |
1010 | | |
1011 | | static void |
1012 | | prng_aes_ctr_fini (gcry_cipher_hd_t hd) |
1013 | 0 | { |
1014 | 0 | _gcry_cipher_close (hd); |
1015 | 0 | } |
1016 | | |
1017 | | static size_t |
1018 | | ballon_context_size (unsigned int parallelism) |
1019 | 0 | { |
1020 | 0 | size_t n; |
1021 | |
|
1022 | 0 | n = offsetof (struct balloon_context, thread_data) |
1023 | 0 | + parallelism * sizeof (struct balloon_thread_data); |
1024 | 0 | return n; |
1025 | 0 | } |
1026 | | |
1027 | | static gpg_err_code_t |
1028 | | balloon_open (gcry_kdf_hd_t *hd, int subalgo, |
1029 | | const unsigned long *param, unsigned int paramlen, |
1030 | | const void *password, size_t passwordlen, |
1031 | | const void *salt, size_t saltlen) |
1032 | 0 | { |
1033 | 0 | unsigned int blklen; |
1034 | 0 | int hash_type; |
1035 | 0 | unsigned int s_cost; |
1036 | 0 | unsigned int t_cost; |
1037 | 0 | unsigned int parallelism = 1; |
1038 | 0 | balloon_ctx_t b; |
1039 | 0 | gpg_err_code_t ec; |
1040 | 0 | size_t n; |
1041 | 0 | unsigned char *block; |
1042 | 0 | unsigned int i; |
1043 | 0 | const gcry_md_spec_t *md_spec; |
1044 | |
|
1045 | 0 | hash_type = subalgo; |
1046 | 0 | switch (hash_type) |
1047 | 0 | { |
1048 | 0 | case GCRY_MD_SHA256: |
1049 | 0 | md_spec = &_gcry_digest_spec_sha256; |
1050 | 0 | break; |
1051 | | |
1052 | 0 | case GCRY_MD_SHA384: |
1053 | 0 | md_spec = &_gcry_digest_spec_sha384; |
1054 | 0 | break; |
1055 | | |
1056 | 0 | case GCRY_MD_SHA512: |
1057 | 0 | md_spec = &_gcry_digest_spec_sha512; |
1058 | 0 | break; |
1059 | | |
1060 | 0 | case GCRY_MD_SHA3_256: |
1061 | 0 | md_spec = &_gcry_digest_spec_sha3_256; |
1062 | 0 | break; |
1063 | | |
1064 | 0 | case GCRY_MD_SHA3_384: |
1065 | 0 | md_spec = &_gcry_digest_spec_sha3_384; |
1066 | 0 | break; |
1067 | | |
1068 | 0 | case GCRY_MD_SHA3_512: |
1069 | 0 | md_spec = &_gcry_digest_spec_sha3_512; |
1070 | 0 | break; |
1071 | | |
1072 | 0 | default: |
1073 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1074 | 0 | } |
1075 | | |
1076 | 0 | blklen = _gcry_md_get_algo_dlen (hash_type); |
1077 | 0 | if (!blklen || blklen > BALLOON_BLOCK_LEN_MAX) |
1078 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1079 | | |
1080 | 0 | if (saltlen != blklen) |
1081 | 0 | return GPG_ERR_NOT_SUPPORTED; |
1082 | | |
1083 | | /* |
1084 | | * It should have space_cost and time_cost. |
1085 | | * Optionally, for parallelised version, it has parallelism. |
1086 | | * Possibly (in future), it may have option to specify PRNG type. |
1087 | | */ |
1088 | 0 | if (paramlen != 2 && paramlen != 3) |
1089 | 0 | return GPG_ERR_INV_VALUE; |
1090 | 0 | else |
1091 | 0 | { |
1092 | 0 | s_cost = (unsigned int)param[0]; |
1093 | 0 | t_cost = (unsigned int)param[1]; |
1094 | 0 | if (paramlen >= 3) |
1095 | 0 | parallelism = (unsigned int)param[2]; |
1096 | 0 | } |
1097 | | |
1098 | 0 | if (s_cost < 1) |
1099 | 0 | return GPG_ERR_INV_VALUE; |
1100 | | |
1101 | 0 | n = ballon_context_size (parallelism); |
1102 | 0 | b = xtrymalloc (n); |
1103 | 0 | if (!b) |
1104 | 0 | return gpg_err_code_from_errno (errno); |
1105 | | |
1106 | 0 | b->algo = GCRY_KDF_BALLOON; |
1107 | 0 | b->md_spec = md_spec; |
1108 | 0 | b->blklen = blklen; |
1109 | |
|
1110 | 0 | b->password = password; |
1111 | 0 | b->passwordlen = passwordlen; |
1112 | 0 | b->salt = salt; |
1113 | |
|
1114 | 0 | b->s_cost = s_cost; |
1115 | 0 | b->t_cost = t_cost; |
1116 | 0 | b->parallelism = parallelism; |
1117 | |
|
1118 | 0 | b->n_blocks = (s_cost * 1024) / b->blklen; |
1119 | |
|
1120 | 0 | block = xtrycalloc (parallelism * b->n_blocks, b->blklen); |
1121 | 0 | if (!block) |
1122 | 0 | { |
1123 | 0 | ec = gpg_err_code_from_errno (errno); |
1124 | 0 | xfree (b); |
1125 | 0 | return ec; |
1126 | 0 | } |
1127 | 0 | b->block = block; |
1128 | |
|
1129 | 0 | for (i = 0; i < parallelism; i++) |
1130 | 0 | { |
1131 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1132 | |
|
1133 | 0 | t->b = b; |
1134 | 0 | t->ec = 0; |
1135 | 0 | t->idx = i; |
1136 | 0 | t->block = block; |
1137 | 0 | block += b->blklen * b->n_blocks; |
1138 | 0 | } |
1139 | |
|
1140 | 0 | *hd = (void *)b; |
1141 | 0 | return 0; |
1142 | 0 | } |
1143 | | |
1144 | | |
1145 | | static void |
1146 | | balloon_xor_block (balloon_ctx_t b, u64 *dst, const u64 *src) |
1147 | 0 | { |
1148 | 0 | int i; |
1149 | |
|
1150 | 0 | for (i = 0; i < b->blklen/8; i++) |
1151 | 0 | dst[i] ^= src[i]; |
1152 | 0 | } |
1153 | | |
1154 | 0 | #define BALLOON_COMPRESS_BLOCKS 5 |
1155 | | |
1156 | | static void |
1157 | | balloon_compress (balloon_ctx_t b, u64 *counter_p, unsigned char *out, |
1158 | | const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS]) |
1159 | 0 | { |
1160 | 0 | gcry_buffer_t iov[1+BALLOON_COMPRESS_BLOCKS]; |
1161 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1162 | 0 | unsigned int i; |
1163 | |
|
1164 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1165 | 0 | iov[0].data = octet_counter; |
1166 | 0 | iov[0].len = sizeof (octet_counter); |
1167 | 0 | iov[0].off = 0; |
1168 | |
|
1169 | 0 | for (i = 1; i < 1+BALLOON_COMPRESS_BLOCKS; i++) |
1170 | 0 | { |
1171 | 0 | iov[i].data = (void *)blocks[i-1]; |
1172 | 0 | iov[i].len = b->blklen; |
1173 | 0 | iov[i].off = 0; |
1174 | 0 | } |
1175 | |
|
1176 | 0 | b->md_spec->hash_buffers (out, b->blklen, iov, 1+BALLOON_COMPRESS_BLOCKS); |
1177 | 0 | *counter_p += 1; |
1178 | 0 | } |
1179 | | |
1180 | | static void |
1181 | | balloon_expand (balloon_ctx_t b, u64 *counter_p, unsigned char *block, |
1182 | | u64 n_blocks) |
1183 | 0 | { |
1184 | 0 | gcry_buffer_t iov[2]; |
1185 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1186 | 0 | u64 i; |
1187 | |
|
1188 | 0 | iov[0].data = octet_counter; |
1189 | 0 | iov[0].len = sizeof (octet_counter); |
1190 | 0 | iov[0].off = 0; |
1191 | 0 | iov[1].len = b->blklen; |
1192 | 0 | iov[1].off = 0; |
1193 | |
|
1194 | 0 | for (i = 1; i < n_blocks; i++) |
1195 | 0 | { |
1196 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1197 | 0 | iov[1].data = block; |
1198 | 0 | block += b->blklen; |
1199 | 0 | b->md_spec->hash_buffers (block, b->blklen, iov, 2); |
1200 | 0 | *counter_p += 1; |
1201 | 0 | } |
1202 | 0 | } |
1203 | | |
1204 | | static void |
1205 | | balloon_compute_fill (balloon_ctx_t b, |
1206 | | struct balloon_thread_data *t, |
1207 | | const unsigned char *salt, |
1208 | | u64 *counter_p) |
1209 | 0 | { |
1210 | 0 | gcry_buffer_t iov[6]; |
1211 | 0 | unsigned char octet_counter[sizeof (u64)]; |
1212 | 0 | unsigned char octet_s_cost[4]; |
1213 | 0 | unsigned char octet_t_cost[4]; |
1214 | 0 | unsigned char octet_parallelism[4]; |
1215 | |
|
1216 | 0 | buf_put_le64 (octet_counter, *counter_p); |
1217 | 0 | buf_put_le32 (octet_s_cost, b->s_cost); |
1218 | 0 | buf_put_le32 (octet_t_cost, b->t_cost); |
1219 | 0 | buf_put_le32 (octet_parallelism, b->parallelism); |
1220 | |
|
1221 | 0 | iov[0].data = octet_counter; |
1222 | 0 | iov[0].len = sizeof (octet_counter); |
1223 | 0 | iov[0].off = 0; |
1224 | 0 | iov[1].data = (void *)salt; |
1225 | 0 | iov[1].len = b->blklen; |
1226 | 0 | iov[1].off = 0; |
1227 | 0 | iov[2].data = (void *)b->password; |
1228 | 0 | iov[2].len = b->passwordlen; |
1229 | 0 | iov[2].off = 0; |
1230 | 0 | iov[3].data = octet_s_cost; |
1231 | 0 | iov[3].len = 4; |
1232 | 0 | iov[3].off = 0; |
1233 | 0 | iov[4].data = octet_t_cost; |
1234 | 0 | iov[4].len = 4; |
1235 | 0 | iov[4].off = 0; |
1236 | 0 | iov[5].data = octet_parallelism; |
1237 | 0 | iov[5].len = 4; |
1238 | 0 | iov[5].off = 0; |
1239 | 0 | b->md_spec->hash_buffers (t->block, b->blklen, iov, 6); |
1240 | 0 | *counter_p += 1; |
1241 | 0 | balloon_expand (b, counter_p, t->block, b->n_blocks); |
1242 | 0 | } |
1243 | | |
1244 | | static void |
1245 | | balloon_compute_mix (gcry_cipher_hd_t prng, |
1246 | | balloon_ctx_t b, struct balloon_thread_data *t, |
1247 | | u64 *counter_p) |
1248 | 0 | { |
1249 | 0 | u64 i; |
1250 | |
|
1251 | 0 | for (i = 0; i < b->n_blocks; i++) |
1252 | 0 | { |
1253 | 0 | unsigned char *cur_block = t->block + (b->blklen * i); |
1254 | 0 | const unsigned char *blocks[BALLOON_COMPRESS_BLOCKS]; |
1255 | 0 | const unsigned char *prev_block; |
1256 | 0 | unsigned int n; |
1257 | |
|
1258 | 0 | prev_block = i |
1259 | 0 | ? cur_block - b->blklen |
1260 | 0 | : t->block + (b->blklen * (t->b->n_blocks - 1)); |
1261 | |
|
1262 | 0 | n = 0; |
1263 | 0 | blocks[n++] = prev_block; |
1264 | 0 | blocks[n++] = cur_block; |
1265 | |
|
1266 | 0 | for (; n < BALLOON_COMPRESS_BLOCKS; n++) |
1267 | 0 | { |
1268 | 0 | u64 rand64 = prng_aes_ctr_get_rand64 (prng); |
1269 | 0 | blocks[n] = t->block + (b->blklen * (rand64 % b->n_blocks)); |
1270 | 0 | } |
1271 | |
|
1272 | 0 | balloon_compress (b, counter_p, cur_block, blocks); |
1273 | 0 | } |
1274 | 0 | } |
1275 | | |
1276 | | |
1277 | | static void |
1278 | | balloon_compute (void *priv) |
1279 | 0 | { |
1280 | 0 | struct balloon_thread_data *t = (struct balloon_thread_data *)priv; |
1281 | 0 | balloon_ctx_t b = t->b; |
1282 | 0 | gcry_cipher_hd_t prng; |
1283 | 0 | gcry_buffer_t iov[4]; |
1284 | 0 | unsigned char salt[BALLOON_BLOCK_LEN_MAX]; |
1285 | 0 | unsigned char octet_s_cost[4]; |
1286 | 0 | unsigned char octet_t_cost[4]; |
1287 | 0 | unsigned char octet_parallelism[4]; |
1288 | 0 | u32 u; |
1289 | 0 | u64 counter; |
1290 | 0 | unsigned int i; |
1291 | |
|
1292 | 0 | counter = 0; |
1293 | |
|
1294 | 0 | memcpy (salt, b->salt, b->blklen); |
1295 | 0 | u = buf_get_le32 (b->salt) + t->idx; |
1296 | 0 | buf_put_le32 (salt, u); |
1297 | |
|
1298 | 0 | buf_put_le32 (octet_s_cost, b->s_cost); |
1299 | 0 | buf_put_le32 (octet_t_cost, b->t_cost); |
1300 | 0 | buf_put_le32 (octet_parallelism, b->parallelism); |
1301 | |
|
1302 | 0 | iov[0].data = salt; |
1303 | 0 | iov[0].len = b->blklen; |
1304 | 0 | iov[0].off = 0; |
1305 | 0 | iov[1].data = octet_s_cost; |
1306 | 0 | iov[1].len = 4; |
1307 | 0 | iov[1].off = 0; |
1308 | 0 | iov[2].data = octet_t_cost; |
1309 | 0 | iov[2].len = 4; |
1310 | 0 | iov[2].off = 0; |
1311 | 0 | iov[3].data = octet_parallelism; |
1312 | 0 | iov[3].len = 4; |
1313 | 0 | iov[3].off = 0; |
1314 | |
|
1315 | 0 | t->ec = prng_aes_ctr_init (&prng, b, iov, 4); |
1316 | 0 | if (t->ec) |
1317 | 0 | return; |
1318 | | |
1319 | 0 | balloon_compute_fill (b, t, salt, &counter); |
1320 | |
|
1321 | 0 | for (i = 0; i < b->t_cost; i++) |
1322 | 0 | balloon_compute_mix (prng, b, t, &counter); |
1323 | | |
1324 | | /* The result is now at the last block. */ |
1325 | |
|
1326 | 0 | prng_aes_ctr_fini (prng); |
1327 | 0 | } |
1328 | | |
1329 | | static gpg_err_code_t |
1330 | | balloon_compute_all (balloon_ctx_t b, const struct gcry_kdf_thread_ops *ops) |
1331 | 0 | { |
1332 | 0 | unsigned int parallelism = b->parallelism; |
1333 | 0 | unsigned int i; |
1334 | 0 | int ret; |
1335 | |
|
1336 | 0 | for (i = 0; i < parallelism; i++) |
1337 | 0 | { |
1338 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1339 | |
|
1340 | 0 | if (ops) |
1341 | 0 | { |
1342 | 0 | ret = ops->dispatch_job (ops->jobs_context, balloon_compute, t); |
1343 | 0 | if (ret < 0) |
1344 | 0 | return GPG_ERR_CANCELED; |
1345 | 0 | } |
1346 | 0 | else |
1347 | 0 | balloon_compute (t); |
1348 | 0 | } |
1349 | | |
1350 | 0 | if (ops) |
1351 | 0 | { |
1352 | 0 | ret = ops->wait_all_jobs (ops->jobs_context); |
1353 | 0 | if (ret < 0) |
1354 | 0 | return GPG_ERR_CANCELED; |
1355 | 0 | } |
1356 | | |
1357 | 0 | return 0; |
1358 | 0 | } |
1359 | | |
1360 | | static gpg_err_code_t |
1361 | | balloon_final (balloon_ctx_t b, size_t resultlen, void *result) |
1362 | 0 | { |
1363 | 0 | unsigned int parallelism = b->parallelism; |
1364 | 0 | unsigned int i; |
1365 | 0 | u64 out[BALLOON_BLOCK_LEN_MAX/8]; |
1366 | |
|
1367 | 0 | if (resultlen != b->blklen) |
1368 | 0 | return GPG_ERR_INV_VALUE; |
1369 | | |
1370 | 0 | memset (out, 0, b->blklen); |
1371 | 0 | for (i = 0; i < parallelism; i++) |
1372 | 0 | { |
1373 | 0 | struct balloon_thread_data *t = &b->thread_data[i]; |
1374 | 0 | const unsigned char *last_block; |
1375 | |
|
1376 | 0 | if (t->ec) |
1377 | 0 | return t->ec; |
1378 | | |
1379 | 0 | last_block = t->block + (b->blklen * (t->b->n_blocks - 1)); |
1380 | 0 | balloon_xor_block (b, out, (const u64 *)(void *)last_block); |
1381 | 0 | } |
1382 | | |
1383 | 0 | memcpy (result, out, b->blklen); |
1384 | |
|
1385 | 0 | return 0; |
1386 | 0 | } |
1387 | | |
1388 | | static void |
1389 | | balloon_close (balloon_ctx_t b) |
1390 | 0 | { |
1391 | 0 | unsigned int parallelism = b->parallelism; |
1392 | 0 | size_t n = ballon_context_size (parallelism); |
1393 | |
|
1394 | 0 | if (b->block) |
1395 | 0 | { |
1396 | 0 | wipememory (b->block, parallelism * b->n_blocks); |
1397 | 0 | xfree (b->block); |
1398 | 0 | } |
1399 | |
|
1400 | 0 | wipememory (b, n); |
1401 | 0 | xfree (b); |
1402 | 0 | } |
1403 | | � |
1404 | | typedef struct onestep_kdf_context *onestep_kdf_ctx_t; |
1405 | | |
1406 | | /* OneStepKDF context */ |
1407 | | struct onestep_kdf_context { |
1408 | | int algo; |
1409 | | gcry_md_hd_t md; |
1410 | | unsigned int blklen; |
1411 | | unsigned int outlen; |
1412 | | const void *input; |
1413 | | size_t inputlen; |
1414 | | const void *fixedinfo; |
1415 | | size_t fixedinfolen; |
1416 | | }; |
1417 | | |
1418 | | static gpg_err_code_t |
1419 | | onestep_kdf_open (gcry_kdf_hd_t *hd, int hashalgo, |
1420 | | const unsigned long *param, unsigned int paramlen, |
1421 | | const void *input, size_t inputlen, |
1422 | | const void *fixedinfo, size_t fixedinfolen) |
1423 | 0 | { |
1424 | 0 | gpg_err_code_t ec; |
1425 | 0 | unsigned int outlen; |
1426 | 0 | onestep_kdf_ctx_t o; |
1427 | 0 | size_t n; |
1428 | |
|
1429 | 0 | if (paramlen != 1) |
1430 | 0 | return GPG_ERR_INV_VALUE; |
1431 | 0 | else |
1432 | 0 | outlen = (unsigned int)param[0]; |
1433 | | |
1434 | 0 | n = sizeof (struct onestep_kdf_context); |
1435 | 0 | o = xtrymalloc (n); |
1436 | 0 | if (!o) |
1437 | 0 | return gpg_err_code_from_errno (errno); |
1438 | | |
1439 | 0 | o->blklen = _gcry_md_get_algo_dlen (hashalgo); |
1440 | 0 | if (!o->blklen) |
1441 | 0 | { |
1442 | 0 | xfree (o); |
1443 | 0 | return GPG_ERR_DIGEST_ALGO; |
1444 | 0 | } |
1445 | 0 | ec = _gcry_md_open (&o->md, hashalgo, 0); |
1446 | 0 | if (ec) |
1447 | 0 | { |
1448 | 0 | xfree (o); |
1449 | 0 | return ec; |
1450 | 0 | } |
1451 | 0 | o->algo = GCRY_KDF_ONESTEP_KDF; |
1452 | 0 | o->outlen = outlen; |
1453 | 0 | o->input = input; |
1454 | 0 | o->inputlen = inputlen; |
1455 | 0 | o->fixedinfo = fixedinfo; |
1456 | 0 | o->fixedinfolen = fixedinfolen; |
1457 | |
|
1458 | 0 | *hd = (void *)o; |
1459 | 0 | return 0; |
1460 | 0 | } |
1461 | | |
1462 | | |
1463 | | static gpg_err_code_t |
1464 | | onestep_kdf_compute (onestep_kdf_ctx_t o, const struct gcry_kdf_thread_ops *ops) |
1465 | 0 | { |
1466 | 0 | (void)o; |
1467 | |
|
1468 | 0 | if (ops != NULL) |
1469 | 0 | return GPG_ERR_INV_VALUE; |
1470 | | |
1471 | 0 | return 0; |
1472 | 0 | } |
1473 | | |
1474 | | static gpg_err_code_t |
1475 | | onestep_kdf_final (onestep_kdf_ctx_t o, size_t resultlen, void *result) |
1476 | 0 | { |
1477 | 0 | u32 counter = 0; |
1478 | 0 | unsigned char cnt[4]; |
1479 | 0 | int i; |
1480 | |
|
1481 | 0 | if (resultlen != o->outlen) |
1482 | 0 | return GPG_ERR_INV_VALUE; |
1483 | | |
1484 | 0 | for (i = 0; i < o->outlen / o->blklen; i++) |
1485 | 0 | { |
1486 | 0 | counter++; |
1487 | 0 | buf_put_be32 (cnt, counter); |
1488 | 0 | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1489 | 0 | _gcry_md_write (o->md, o->input, o->inputlen); |
1490 | 0 | _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen); |
1491 | 0 | _gcry_md_final (o->md); |
1492 | 0 | memcpy ((char *)result + o->blklen * i, |
1493 | 0 | _gcry_md_read (o->md, 0), o->blklen); |
1494 | 0 | resultlen -= o->blklen; |
1495 | 0 | _gcry_md_reset (o->md); |
1496 | 0 | } |
1497 | |
|
1498 | 0 | if (resultlen) |
1499 | 0 | { |
1500 | 0 | counter++; |
1501 | 0 | buf_put_be32 (cnt, counter); |
1502 | 0 | _gcry_md_write (o->md, cnt, sizeof (cnt)); |
1503 | 0 | _gcry_md_write (o->md, o->input, o->inputlen); |
1504 | 0 | _gcry_md_write (o->md, o->fixedinfo, o->fixedinfolen); |
1505 | 0 | _gcry_md_final (o->md); |
1506 | 0 | memcpy ((char *)result + o->blklen * i, |
1507 | 0 | _gcry_md_read (o->md, 0), resultlen); |
1508 | 0 | } |
1509 | |
|
1510 | 0 | return 0; |
1511 | 0 | } |
1512 | | |
1513 | | static void |
1514 | | onestep_kdf_close (onestep_kdf_ctx_t o) |
1515 | 0 | { |
1516 | 0 | _gcry_md_close (o->md); |
1517 | 0 | xfree (o); |
1518 | 0 | } |
1519 | | � |
1520 | | typedef struct onestep_kdf_mac_context *onestep_kdf_mac_ctx_t; |
1521 | | |
1522 | | /* OneStep_KDF_MAC context */ |
1523 | | struct onestep_kdf_mac_context { |
1524 | | int algo; |
1525 | | gcry_mac_hd_t md; |
1526 | | unsigned int blklen; |
1527 | | unsigned int outlen; |
1528 | | const void *input; |
1529 | | size_t inputlen; |
1530 | | const void *salt; |
1531 | | size_t saltlen; |
1532 | | const void *fixedinfo; |
1533 | | size_t fixedinfolen; |
1534 | | }; |
1535 | | |
1536 | | static gpg_err_code_t |
1537 | | onestep_kdf_mac_open (gcry_kdf_hd_t *hd, int macalgo, |
1538 | | const unsigned long *param, unsigned int paramlen, |
1539 | | const void *input, size_t inputlen, |
1540 | | const void *key, size_t keylen, |
1541 | | const void *fixedinfo, size_t fixedinfolen) |
1542 | 0 | { |
1543 | 0 | gpg_err_code_t ec; |
1544 | 0 | unsigned int outlen; |
1545 | 0 | onestep_kdf_mac_ctx_t o; |
1546 | 0 | size_t n; |
1547 | |
|
1548 | 0 | if (paramlen != 1) |
1549 | 0 | return GPG_ERR_INV_VALUE; |
1550 | 0 | else |
1551 | 0 | outlen = (unsigned int)param[0]; |
1552 | | |
1553 | 0 | n = sizeof (struct onestep_kdf_mac_context); |
1554 | 0 | o = xtrymalloc (n); |
1555 | 0 | if (!o) |
1556 | 0 | return gpg_err_code_from_errno (errno); |
1557 | | |
1558 | 0 | o->blklen = _gcry_mac_get_algo_maclen (macalgo); |
1559 | 0 | if (!o->blklen) |
1560 | 0 | { |
1561 | 0 | xfree (o); |
1562 | 0 | return GPG_ERR_MAC_ALGO; |
1563 | 0 | } |
1564 | 0 | ec = _gcry_mac_open (&o->md, macalgo, 0, NULL); |
1565 | 0 | if (ec) |
1566 | 0 | { |
1567 | 0 | xfree (o); |
1568 | 0 | return ec; |
1569 | 0 | } |
1570 | 0 | o->algo = GCRY_KDF_ONESTEP_KDF_MAC; |
1571 | 0 | o->outlen = outlen; |
1572 | 0 | o->input = input; |
1573 | 0 | o->inputlen = inputlen; |
1574 | 0 | o->salt = key; |
1575 | 0 | o->saltlen = keylen; |
1576 | 0 | o->fixedinfo = fixedinfo; |
1577 | 0 | o->fixedinfolen = fixedinfolen; |
1578 | |
|
1579 | 0 | *hd = (void *)o; |
1580 | 0 | return 0; |
1581 | 0 | } |
1582 | | |
1583 | | |
1584 | | static gpg_err_code_t |
1585 | | onestep_kdf_mac_compute (onestep_kdf_mac_ctx_t o, |
1586 | | const struct gcry_kdf_thread_ops *ops) |
1587 | 0 | { |
1588 | 0 | (void)o; |
1589 | |
|
1590 | 0 | if (ops != NULL) |
1591 | 0 | return GPG_ERR_INV_VALUE; |
1592 | | |
1593 | 0 | return 0; |
1594 | 0 | } |
1595 | | |
1596 | | static gpg_err_code_t |
1597 | | onestep_kdf_mac_final (onestep_kdf_mac_ctx_t o, size_t resultlen, void *result) |
1598 | 0 | { |
1599 | 0 | u32 counter = 0; |
1600 | 0 | unsigned char cnt[4]; |
1601 | 0 | int i; |
1602 | 0 | gcry_err_code_t ec; |
1603 | 0 | size_t len = o->blklen; |
1604 | |
|
1605 | 0 | if (resultlen != o->outlen) |
1606 | 0 | return GPG_ERR_INV_VALUE; |
1607 | | |
1608 | 0 | ec = _gcry_mac_setkey (o->md, o->salt, o->saltlen); |
1609 | 0 | if (ec) |
1610 | 0 | return ec; |
1611 | | |
1612 | 0 | for (i = 0; i < o->outlen / o->blklen; i++) |
1613 | 0 | { |
1614 | 0 | counter++; |
1615 | 0 | buf_put_be32 (cnt, counter); |
1616 | 0 | ec = _gcry_mac_write (o->md, cnt, sizeof (cnt)); |
1617 | 0 | if (ec) |
1618 | 0 | return ec; |
1619 | 0 | ec = _gcry_mac_write (o->md, o->input, o->inputlen); |
1620 | 0 | if (ec) |
1621 | 0 | return ec; |
1622 | 0 | ec = _gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen); |
1623 | 0 | if (ec) |
1624 | 0 | return ec; |
1625 | 0 | ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len); |
1626 | 0 | if (ec) |
1627 | 0 | return ec; |
1628 | 0 | resultlen -= o->blklen; |
1629 | 0 | ec = _gcry_mac_ctl (o->md, GCRYCTL_RESET, NULL, 0); |
1630 | 0 | if (ec) |
1631 | 0 | return ec; |
1632 | 0 | } |
1633 | | |
1634 | 0 | if (resultlen) |
1635 | 0 | { |
1636 | 0 | counter++; |
1637 | 0 | len = resultlen; |
1638 | 0 | buf_put_be32 (cnt, counter); |
1639 | 0 | ec = _gcry_mac_write (o->md, cnt, sizeof (cnt)); |
1640 | 0 | if (ec) |
1641 | 0 | return ec; |
1642 | 0 | ec = _gcry_mac_write (o->md, o->input, o->inputlen); |
1643 | 0 | if (ec) |
1644 | 0 | return ec; |
1645 | 0 | ec =_gcry_mac_write (o->md, o->fixedinfo, o->fixedinfolen); |
1646 | 0 | if (ec) |
1647 | 0 | return ec; |
1648 | 0 | ec = _gcry_mac_read (o->md, (char *)result + o->blklen * i, &len); |
1649 | 0 | if (ec) |
1650 | 0 | return ec; |
1651 | 0 | } |
1652 | | |
1653 | 0 | return 0; |
1654 | 0 | } |
1655 | | |
1656 | | static void |
1657 | | onestep_kdf_mac_close (onestep_kdf_mac_ctx_t o) |
1658 | 0 | { |
1659 | 0 | _gcry_mac_close (o->md); |
1660 | 0 | xfree (o); |
1661 | 0 | } |
1662 | | � |
1663 | | typedef struct hkdf_context *hkdf_ctx_t; |
1664 | | |
1665 | | /* Hkdf context */ |
1666 | | struct hkdf_context { |
1667 | | int algo; |
1668 | | gcry_mac_hd_t md; |
1669 | | int mode; |
1670 | | unsigned int blklen; |
1671 | | unsigned int outlen; |
1672 | | const void *input; |
1673 | | size_t inputlen; |
1674 | | const void *salt; |
1675 | | size_t saltlen; |
1676 | | const void *fixedinfo; |
1677 | | size_t fixedinfolen; |
1678 | | unsigned char *prk; |
1679 | | }; |
1680 | | |
1681 | | static gpg_err_code_t |
1682 | | hkdf_open (gcry_kdf_hd_t *hd, int macalgo, |
1683 | | const unsigned long *param, unsigned int paramlen, |
1684 | | const void *input, size_t inputlen, |
1685 | | const void *salt, size_t saltlen, |
1686 | | const void *fixedinfo, size_t fixedinfolen) |
1687 | 0 | { |
1688 | 0 | gpg_err_code_t ec; |
1689 | 0 | unsigned int outlen; |
1690 | 0 | int mode; |
1691 | 0 | hkdf_ctx_t h; |
1692 | 0 | size_t n; |
1693 | 0 | unsigned char *prk; |
1694 | |
|
1695 | 0 | if (paramlen != 1 && paramlen != 2) |
1696 | 0 | return GPG_ERR_INV_VALUE; |
1697 | 0 | else |
1698 | 0 | { |
1699 | 0 | outlen = (unsigned int)param[0]; |
1700 | | /* MODE: support extract only, expand only: FIXME*/ |
1701 | 0 | if (paramlen == 2) |
1702 | 0 | mode = (unsigned int)param[1]; |
1703 | 0 | else |
1704 | 0 | mode = 0; |
1705 | 0 | } |
1706 | | |
1707 | 0 | n = sizeof (struct hkdf_context); |
1708 | 0 | h = xtrymalloc (n); |
1709 | 0 | if (!h) |
1710 | 0 | return gpg_err_code_from_errno (errno); |
1711 | | |
1712 | 0 | h->blklen = _gcry_mac_get_algo_maclen (macalgo); |
1713 | 0 | if (!h->blklen) |
1714 | 0 | { |
1715 | 0 | xfree (h); |
1716 | 0 | return GPG_ERR_MAC_ALGO; |
1717 | 0 | } |
1718 | | |
1719 | 0 | if (outlen > 255 * h->blklen) |
1720 | 0 | { |
1721 | 0 | xfree (h); |
1722 | 0 | return GPG_ERR_INV_VALUE; |
1723 | 0 | } |
1724 | | |
1725 | 0 | ec = _gcry_mac_open (&h->md, macalgo, 0, NULL); |
1726 | 0 | if (ec) |
1727 | 0 | { |
1728 | 0 | xfree (h); |
1729 | 0 | return ec; |
1730 | 0 | } |
1731 | 0 | prk = xtrymalloc (h->blklen); |
1732 | 0 | if (!prk) |
1733 | 0 | { |
1734 | 0 | _gcry_mac_close (h->md); |
1735 | 0 | xfree (h); |
1736 | 0 | return gpg_err_code_from_errno (errno); |
1737 | 0 | } |
1738 | 0 | h->prk = prk; |
1739 | 0 | h->algo = GCRY_KDF_HKDF; |
1740 | 0 | h->outlen = outlen; |
1741 | 0 | h->mode = mode; |
1742 | 0 | h->input = input; |
1743 | 0 | h->inputlen = inputlen; |
1744 | 0 | h->salt = salt; |
1745 | 0 | h->saltlen = saltlen; |
1746 | 0 | h->fixedinfo = fixedinfo; |
1747 | 0 | h->fixedinfolen = fixedinfolen; |
1748 | |
|
1749 | 0 | *hd = (void *)h; |
1750 | 0 | return 0; |
1751 | 0 | } |
1752 | | |
1753 | | |
1754 | | static gpg_err_code_t |
1755 | | hkdf_compute (hkdf_ctx_t h, const struct gcry_kdf_thread_ops *ops) |
1756 | 0 | { |
1757 | 0 | gcry_err_code_t ec; |
1758 | 0 | size_t len = h->blklen; |
1759 | |
|
1760 | 0 | if (ops != NULL) |
1761 | 0 | return GPG_ERR_INV_VALUE; |
1762 | | |
1763 | | /* Extract */ |
1764 | 0 | ec = _gcry_mac_setkey (h->md, h->salt, h->saltlen); |
1765 | 0 | if (ec) |
1766 | 0 | return ec; |
1767 | | |
1768 | 0 | ec = _gcry_mac_write (h->md, h->input, h->inputlen); |
1769 | 0 | if (ec) |
1770 | 0 | return ec; |
1771 | | |
1772 | 0 | ec = _gcry_mac_read (h->md, h->prk, &len); |
1773 | 0 | if (ec) |
1774 | 0 | return ec; |
1775 | | |
1776 | 0 | ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0); |
1777 | 0 | if (ec) |
1778 | 0 | return ec; |
1779 | | |
1780 | 0 | return 0; |
1781 | 0 | } |
1782 | | |
1783 | | static gpg_err_code_t |
1784 | | hkdf_final (hkdf_ctx_t h, size_t resultlen, void *result) |
1785 | 0 | { |
1786 | 0 | unsigned char counter = 0; |
1787 | 0 | int i; |
1788 | 0 | gcry_err_code_t ec; |
1789 | 0 | size_t len = h->blklen; |
1790 | |
|
1791 | 0 | if (resultlen != h->outlen) |
1792 | 0 | return GPG_ERR_INV_VALUE; |
1793 | | |
1794 | | /* Expand */ |
1795 | 0 | ec = _gcry_mac_setkey (h->md, h->prk, h->blklen); |
1796 | 0 | if (ec) |
1797 | 0 | return ec; |
1798 | | |
1799 | | /* We re-use the memory of ->prk. */ |
1800 | | |
1801 | 0 | for (i = 0; i < h->outlen / h->blklen; i++) |
1802 | 0 | { |
1803 | 0 | counter++; |
1804 | 0 | if (i) |
1805 | 0 | { |
1806 | 0 | ec = _gcry_mac_write (h->md, h->prk, h->blklen); |
1807 | 0 | if (ec) |
1808 | 0 | return ec; |
1809 | 0 | } |
1810 | 0 | if (h->fixedinfo) |
1811 | 0 | { |
1812 | 0 | ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen); |
1813 | 0 | if (ec) |
1814 | 0 | return ec; |
1815 | 0 | } |
1816 | 0 | ec = _gcry_mac_write (h->md, &counter, 1); |
1817 | 0 | if (ec) |
1818 | 0 | return ec; |
1819 | 0 | ec = _gcry_mac_read (h->md, h->prk, &len); |
1820 | 0 | if (ec) |
1821 | 0 | return ec; |
1822 | 0 | memcpy ((char *)result + h->blklen * i, h->prk, len); |
1823 | 0 | resultlen -= h->blklen; |
1824 | 0 | ec = _gcry_mac_ctl (h->md, GCRYCTL_RESET, NULL, 0); |
1825 | 0 | if (ec) |
1826 | 0 | return ec; |
1827 | 0 | } |
1828 | | |
1829 | 0 | if (resultlen) |
1830 | 0 | { |
1831 | 0 | counter++; |
1832 | 0 | len = resultlen; |
1833 | 0 | if (i) |
1834 | 0 | { |
1835 | 0 | ec = _gcry_mac_write (h->md, h->prk, h->blklen); |
1836 | 0 | if (ec) |
1837 | 0 | return ec; |
1838 | 0 | } |
1839 | 0 | if (h->fixedinfo) |
1840 | 0 | { |
1841 | 0 | ec = _gcry_mac_write (h->md, h->fixedinfo, h->fixedinfolen); |
1842 | 0 | if (ec) |
1843 | 0 | return ec; |
1844 | 0 | } |
1845 | 0 | ec = _gcry_mac_write (h->md, &counter, 1); |
1846 | 0 | if (ec) |
1847 | 0 | return ec; |
1848 | 0 | ec = _gcry_mac_read (h->md, (char *)result + h->blklen * i, &len); |
1849 | 0 | if (ec) |
1850 | 0 | return ec; |
1851 | 0 | } |
1852 | | |
1853 | 0 | return 0; |
1854 | 0 | } |
1855 | | |
1856 | | static void |
1857 | | hkdf_close (hkdf_ctx_t h) |
1858 | 0 | { |
1859 | 0 | _gcry_mac_close (h->md); |
1860 | 0 | xfree (h->prk); |
1861 | 0 | xfree (h); |
1862 | 0 | } |
1863 | | � |
1864 | | struct gcry_kdf_handle { |
1865 | | int algo; |
1866 | | /* And algo specific parts come. */ |
1867 | | }; |
1868 | | |
1869 | | gpg_err_code_t |
1870 | | _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo, |
1871 | | const unsigned long *param, unsigned int paramlen, |
1872 | | const void *input, size_t inputlen, |
1873 | | const void *salt, size_t saltlen, |
1874 | | const void *key, size_t keylen, |
1875 | | const void *ad, size_t adlen) |
1876 | 0 | { |
1877 | 0 | gpg_err_code_t ec; |
1878 | |
|
1879 | 0 | switch (algo) |
1880 | 0 | { |
1881 | 0 | case GCRY_KDF_ARGON2: |
1882 | 0 | if (!saltlen) |
1883 | 0 | ec = GPG_ERR_INV_VALUE; |
1884 | 0 | else |
1885 | 0 | ec = argon2_open (hd, subalgo, param, paramlen, |
1886 | 0 | input, inputlen, salt, saltlen, |
1887 | 0 | key, keylen, ad, adlen); |
1888 | 0 | break; |
1889 | | |
1890 | 0 | case GCRY_KDF_BALLOON: |
1891 | 0 | if (!inputlen || !saltlen || keylen || adlen) |
1892 | 0 | ec = GPG_ERR_INV_VALUE; |
1893 | 0 | else |
1894 | 0 | { |
1895 | 0 | (void)key; |
1896 | 0 | (void)ad; |
1897 | 0 | ec = balloon_open (hd, subalgo, param, paramlen, |
1898 | 0 | input, inputlen, salt, saltlen); |
1899 | 0 | } |
1900 | 0 | break; |
1901 | | |
1902 | 0 | case GCRY_KDF_ONESTEP_KDF: |
1903 | 0 | if (!inputlen || !paramlen || !adlen) |
1904 | 0 | ec = GPG_ERR_INV_VALUE; |
1905 | 0 | else |
1906 | 0 | { |
1907 | 0 | (void)salt; |
1908 | 0 | (void)key; |
1909 | 0 | ec = onestep_kdf_open (hd, subalgo, param, paramlen, |
1910 | 0 | input, inputlen, ad, adlen); |
1911 | 0 | } |
1912 | 0 | break; |
1913 | | |
1914 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
1915 | 0 | if (!inputlen || !paramlen || !keylen || !adlen) |
1916 | 0 | ec = GPG_ERR_INV_VALUE; |
1917 | 0 | else |
1918 | 0 | { |
1919 | 0 | (void)salt; |
1920 | 0 | ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen, |
1921 | 0 | input, inputlen, key, keylen, ad, adlen); |
1922 | 0 | } |
1923 | 0 | break; |
1924 | | |
1925 | 0 | case GCRY_KDF_HKDF: |
1926 | 0 | if (!inputlen || !paramlen) |
1927 | 0 | ec = GPG_ERR_INV_VALUE; |
1928 | 0 | else |
1929 | 0 | { |
1930 | 0 | (void)salt; |
1931 | 0 | ec = hkdf_open (hd, subalgo, param, paramlen, |
1932 | 0 | input, inputlen, key, keylen, ad, adlen); |
1933 | 0 | } |
1934 | 0 | break; |
1935 | | |
1936 | 0 | default: |
1937 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
1938 | 0 | break; |
1939 | 0 | } |
1940 | | |
1941 | 0 | return ec; |
1942 | 0 | } |
1943 | | |
1944 | | gpg_err_code_t |
1945 | | _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops) |
1946 | 0 | { |
1947 | 0 | gpg_err_code_t ec; |
1948 | |
|
1949 | 0 | switch (h->algo) |
1950 | 0 | { |
1951 | 0 | case GCRY_KDF_ARGON2: |
1952 | 0 | ec = argon2_compute ((argon2_ctx_t)(void *)h, ops); |
1953 | 0 | break; |
1954 | | |
1955 | 0 | case GCRY_KDF_BALLOON: |
1956 | 0 | ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops); |
1957 | 0 | break; |
1958 | | |
1959 | 0 | case GCRY_KDF_ONESTEP_KDF: |
1960 | 0 | ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops); |
1961 | 0 | break; |
1962 | | |
1963 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
1964 | 0 | ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops); |
1965 | 0 | break; |
1966 | | |
1967 | 0 | case GCRY_KDF_HKDF: |
1968 | 0 | ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops); |
1969 | 0 | break; |
1970 | | |
1971 | 0 | default: |
1972 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
1973 | 0 | break; |
1974 | 0 | } |
1975 | | |
1976 | 0 | return ec; |
1977 | 0 | } |
1978 | | |
1979 | | |
1980 | | gpg_err_code_t |
1981 | | _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result) |
1982 | 0 | { |
1983 | 0 | gpg_err_code_t ec; |
1984 | |
|
1985 | 0 | switch (h->algo) |
1986 | 0 | { |
1987 | 0 | case GCRY_KDF_ARGON2: |
1988 | 0 | ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result); |
1989 | 0 | break; |
1990 | | |
1991 | 0 | case GCRY_KDF_BALLOON: |
1992 | 0 | ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result); |
1993 | 0 | break; |
1994 | | |
1995 | 0 | case GCRY_KDF_ONESTEP_KDF: |
1996 | 0 | ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result); |
1997 | 0 | break; |
1998 | | |
1999 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2000 | 0 | ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h, |
2001 | 0 | resultlen, result); |
2002 | 0 | break; |
2003 | | |
2004 | 0 | case GCRY_KDF_HKDF: |
2005 | 0 | ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result); |
2006 | 0 | break; |
2007 | | |
2008 | 0 | default: |
2009 | 0 | ec = GPG_ERR_UNKNOWN_ALGORITHM; |
2010 | 0 | break; |
2011 | 0 | } |
2012 | | |
2013 | 0 | return ec; |
2014 | 0 | } |
2015 | | |
2016 | | void |
2017 | | _gcry_kdf_close (gcry_kdf_hd_t h) |
2018 | 0 | { |
2019 | 0 | switch (h->algo) |
2020 | 0 | { |
2021 | 0 | case GCRY_KDF_ARGON2: |
2022 | 0 | argon2_close ((argon2_ctx_t)(void *)h); |
2023 | 0 | break; |
2024 | | |
2025 | 0 | case GCRY_KDF_BALLOON: |
2026 | 0 | balloon_close ((balloon_ctx_t)(void *)h); |
2027 | 0 | break; |
2028 | | |
2029 | 0 | case GCRY_KDF_ONESTEP_KDF: |
2030 | 0 | onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h); |
2031 | 0 | break; |
2032 | | |
2033 | 0 | case GCRY_KDF_ONESTEP_KDF_MAC: |
2034 | 0 | onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h); |
2035 | 0 | break; |
2036 | | |
2037 | 0 | case GCRY_KDF_HKDF: |
2038 | 0 | hkdf_close ((hkdf_ctx_t)(void *)h); |
2039 | 0 | break; |
2040 | | |
2041 | 0 | default: |
2042 | 0 | break; |
2043 | 0 | } |
2044 | 0 | } |
2045 | | � |
2046 | | /* Check one KDF call with ALGO and HASH_ALGO using the regular KDF |
2047 | | * API. (passphrase,passphraselen) is the password to be derived, |
2048 | | * (salt,saltlen) the salt for the key derivation, |
2049 | | * iterations is the number of the kdf iterations, |
2050 | | * and (expect,expectlen) the expected result. Returns NULL on |
2051 | | * success or a string describing the failure. */ |
2052 | | |
2053 | | static const char * |
2054 | | check_one (int algo, int hash_algo, |
2055 | | const void *passphrase, size_t passphraselen, |
2056 | | const void *salt, size_t saltlen, |
2057 | | unsigned long iterations, |
2058 | | const void *expect, size_t expectlen) |
2059 | 0 | { |
2060 | 0 | unsigned char key[512]; /* hardcoded to avoid allocation */ |
2061 | 0 | size_t keysize = expectlen; |
2062 | | |
2063 | | /* Skip test with shoter passphrase in FIPS mode. */ |
2064 | 0 | if (fips_mode () && passphraselen < 14) |
2065 | 0 | return NULL; |
2066 | | |
2067 | 0 | if (keysize > sizeof(key)) |
2068 | 0 | return "invalid tests data"; |
2069 | | |
2070 | 0 | if (_gcry_kdf_derive (passphrase, passphraselen, algo, |
2071 | 0 | hash_algo, salt, saltlen, iterations, |
2072 | 0 | keysize, key)) |
2073 | 0 | return "gcry_kdf_derive failed"; |
2074 | | |
2075 | 0 | if (memcmp (key, expect, expectlen)) |
2076 | 0 | return "does not match"; |
2077 | | |
2078 | 0 | return NULL; |
2079 | 0 | } |
2080 | | |
2081 | | |
2082 | | static gpg_err_code_t |
2083 | | selftest_pbkdf2 (int extended, selftest_report_func_t report) |
2084 | 0 | { |
2085 | 0 | static const struct { |
2086 | 0 | const char *desc; |
2087 | 0 | const char *p; /* Passphrase. */ |
2088 | 0 | size_t plen; /* Length of P. */ |
2089 | 0 | const char *salt; |
2090 | 0 | size_t saltlen; |
2091 | 0 | int hashalgo; |
2092 | 0 | unsigned long c; /* Iterations. */ |
2093 | 0 | int dklen; /* Requested key length. */ |
2094 | 0 | const char *dk; /* Derived key. */ |
2095 | 0 | int disabled; |
2096 | 0 | } tv[] = { |
2097 | 0 | #if USE_SHA1 |
2098 | 0 | #define NUM_TEST_VECTORS 9 |
2099 | | /* SHA1 test vectors are from RFC-6070. */ |
2100 | 0 | { |
2101 | 0 | "Basic PBKDF2 SHA1 #1", |
2102 | 0 | "password", 8, |
2103 | 0 | "salt", 4, |
2104 | 0 | GCRY_MD_SHA1, |
2105 | 0 | 1, |
2106 | 0 | 20, |
2107 | 0 | "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9" |
2108 | 0 | "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6" |
2109 | 0 | }, |
2110 | 0 | { |
2111 | 0 | "Basic PBKDF2 SHA1 #2", |
2112 | 0 | "password", 8, |
2113 | 0 | "salt", 4, |
2114 | 0 | GCRY_MD_SHA1, |
2115 | 0 | 2, |
2116 | 0 | 20, |
2117 | 0 | "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e" |
2118 | 0 | "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57" |
2119 | 0 | }, |
2120 | 0 | { |
2121 | 0 | "Basic PBKDF2 SHA1 #3", |
2122 | 0 | "password", 8, |
2123 | 0 | "salt", 4, |
2124 | 0 | GCRY_MD_SHA1, |
2125 | 0 | 4096, |
2126 | 0 | 20, |
2127 | 0 | "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad" |
2128 | 0 | "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1" |
2129 | 0 | }, |
2130 | 0 | { |
2131 | 0 | "Basic PBKDF2 SHA1 #4", |
2132 | 0 | "password", 8, |
2133 | 0 | "salt", 4, |
2134 | 0 | GCRY_MD_SHA1, |
2135 | 0 | 16777216, |
2136 | 0 | 20, |
2137 | 0 | "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94" |
2138 | 0 | "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", |
2139 | 0 | 1 /* This test takes too long. */ |
2140 | 0 | }, |
2141 | 0 | { |
2142 | 0 | "Basic PBKDF2 SHA1 #5", |
2143 | 0 | "passwordPASSWORDpassword", 24, |
2144 | 0 | "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, |
2145 | 0 | GCRY_MD_SHA1, |
2146 | 0 | 4096, |
2147 | 0 | 25, |
2148 | 0 | "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8" |
2149 | 0 | "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96" |
2150 | 0 | "\x4c\xf2\xf0\x70\x38" |
2151 | 0 | }, |
2152 | 0 | { |
2153 | 0 | "Basic PBKDF2 SHA1 #6", |
2154 | 0 | "pass\0word", 9, |
2155 | 0 | "sa\0lt", 5, |
2156 | 0 | GCRY_MD_SHA1, |
2157 | 0 | 4096, |
2158 | 0 | 16, |
2159 | 0 | "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37" |
2160 | 0 | "\xd7\xf0\x34\x25\xe0\xc3" |
2161 | 0 | }, |
2162 | 0 | { /* empty password test, not in RFC-6070 */ |
2163 | 0 | "Basic PBKDF2 SHA1 #7", |
2164 | 0 | "", 0, |
2165 | 0 | "salt", 4, |
2166 | 0 | GCRY_MD_SHA1, |
2167 | 0 | 2, |
2168 | 0 | 20, |
2169 | 0 | "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2" |
2170 | 0 | "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97" |
2171 | 0 | }, |
2172 | | #else |
2173 | | #define NUM_TEST_VECTORS 2 |
2174 | | #endif |
2175 | 0 | { |
2176 | 0 | "Basic PBKDF2 SHA256", |
2177 | 0 | "password", 8, |
2178 | 0 | "salt", 4, |
2179 | 0 | GCRY_MD_SHA256, |
2180 | 0 | 2, |
2181 | 0 | 32, |
2182 | 0 | "\xae\x4d\x0c\x95\xaf\x6b\x46\xd3\x2d\x0a\xdf\xf9\x28\xf0\x6d\xd0" |
2183 | 0 | "\x2a\x30\x3f\x8e\xf3\xc2\x51\xdf\xd6\xe2\xd8\x5a\x95\x47\x4c\x43" |
2184 | 0 | }, |
2185 | 0 | { |
2186 | 0 | "Extended PBKDF2 SHA256", |
2187 | 0 | "passwordPASSWORDpassword", 24, |
2188 | 0 | "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, |
2189 | 0 | GCRY_MD_SHA256, |
2190 | 0 | 4096, |
2191 | 0 | 40, |
2192 | 0 | "\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11\x6e\x84\xcf" |
2193 | 0 | "\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c\x4e\x2a\x1f\xb8\xdd\x53\xe1" |
2194 | 0 | "\xc6\x35\x51\x8c\x7d\xac\x47\xe9" |
2195 | 0 | }, |
2196 | 0 | { NULL } |
2197 | 0 | }; |
2198 | 0 | const char *what; |
2199 | 0 | const char *errtxt; |
2200 | 0 | int tvidx; |
2201 | |
|
2202 | 0 | for (tvidx=0; tv[tvidx].desc; tvidx++) |
2203 | 0 | { |
2204 | 0 | what = tv[tvidx].desc; |
2205 | 0 | if (tv[tvidx].disabled) |
2206 | 0 | continue; |
2207 | 0 | errtxt = check_one (GCRY_KDF_PBKDF2, tv[tvidx].hashalgo, |
2208 | 0 | tv[tvidx].p, tv[tvidx].plen, |
2209 | 0 | tv[tvidx].salt, tv[tvidx].saltlen, |
2210 | 0 | tv[tvidx].c, |
2211 | 0 | tv[tvidx].dk, tv[tvidx].dklen); |
2212 | 0 | if (errtxt) |
2213 | 0 | goto failed; |
2214 | 0 | if (tvidx >= NUM_TEST_VECTORS - 1 && !extended) |
2215 | 0 | break; |
2216 | 0 | } |
2217 | | |
2218 | 0 | return 0; /* Succeeded. */ |
2219 | | |
2220 | 0 | failed: |
2221 | 0 | if (report) |
2222 | 0 | report ("kdf", GCRY_KDF_PBKDF2, what, errtxt); |
2223 | 0 | return GPG_ERR_SELFTEST_FAILED; |
2224 | 0 | } |
2225 | | |
2226 | | |
2227 | | /* Run the selftests for KDF with KDF algorithm ALGO with optional |
2228 | | reporting function REPORT. */ |
2229 | | gpg_error_t |
2230 | | _gcry_kdf_selftest (int algo, int extended, selftest_report_func_t report) |
2231 | 0 | { |
2232 | 0 | gcry_err_code_t ec = 0; |
2233 | |
|
2234 | 0 | if (algo == GCRY_KDF_PBKDF2) |
2235 | 0 | ec = selftest_pbkdf2 (extended, report); |
2236 | 0 | else |
2237 | 0 | { |
2238 | 0 | ec = GPG_ERR_UNSUPPORTED_ALGORITHM; |
2239 | 0 | if (report) |
2240 | 0 | report ("kdf", algo, "module", "algorithm not available"); |
2241 | 0 | } |
2242 | 0 | return gpg_error (ec); |
2243 | 0 | } |