/src/wolfssl/wolfcrypt/src/pwdbased.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* pwdbased.c |
2 | | * |
3 | | * Copyright (C) 2006-2023 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 2 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | |
23 | | #ifdef HAVE_CONFIG_H |
24 | | #include <config.h> |
25 | | #endif |
26 | | |
27 | | #include <wolfssl/wolfcrypt/settings.h> |
28 | | |
29 | | #ifndef NO_PWDBASED |
30 | | |
31 | | #include <wolfssl/wolfcrypt/pwdbased.h> |
32 | | #include <wolfssl/wolfcrypt/hmac.h> |
33 | | #include <wolfssl/wolfcrypt/hash.h> |
34 | | #include <wolfssl/wolfcrypt/wolfmath.h> |
35 | | #include <wolfssl/wolfcrypt/error-crypt.h> |
36 | | |
37 | | #ifdef NO_INLINE |
38 | | #include <wolfssl/wolfcrypt/misc.h> |
39 | | #else |
40 | | #define WOLFSSL_MISC_INCLUDED |
41 | | #include <wolfcrypt/src/misc.c> |
42 | | #endif |
43 | | |
44 | | |
45 | | #ifdef HAVE_PBKDF1 |
46 | | |
47 | | /* PKCS#5 v1.5 with non standard extension to optionally derive the extra data (IV) */ |
48 | | int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen, |
49 | | const byte* passwd, int passwdLen, const byte* salt, int saltLen, |
50 | | int iterations, int hashType, void* heap) |
51 | 0 | { |
52 | 0 | int err; |
53 | 0 | int keyLeft, ivLeft, i; |
54 | 0 | int store; |
55 | 0 | int keyOutput = 0; |
56 | 0 | int digestLen; |
57 | 0 | byte digest[WC_MAX_DIGEST_SIZE]; |
58 | 0 | #ifdef WOLFSSL_SMALL_STACK |
59 | 0 | wc_HashAlg* hash = NULL; |
60 | | #else |
61 | | wc_HashAlg hash[1]; |
62 | | #endif |
63 | 0 | enum wc_HashType hashT; |
64 | |
|
65 | 0 | (void)heap; |
66 | |
|
67 | 0 | if (key == NULL || keyLen < 0 || passwdLen < 0 || saltLen < 0 || ivLen < 0){ |
68 | 0 | return BAD_FUNC_ARG; |
69 | 0 | } |
70 | | |
71 | 0 | if (iterations <= 0) |
72 | 0 | iterations = 1; |
73 | |
|
74 | 0 | hashT = wc_HashTypeConvert(hashType); |
75 | 0 | err = wc_HashGetDigestSize(hashT); |
76 | 0 | if (err < 0) |
77 | 0 | return err; |
78 | 0 | digestLen = err; |
79 | | |
80 | | /* initialize hash */ |
81 | 0 | #ifdef WOLFSSL_SMALL_STACK |
82 | 0 | hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), heap, |
83 | 0 | DYNAMIC_TYPE_HASHCTX); |
84 | 0 | if (hash == NULL) |
85 | 0 | return MEMORY_E; |
86 | 0 | #endif |
87 | | |
88 | 0 | err = wc_HashInit_ex(hash, hashT, heap, INVALID_DEVID); |
89 | 0 | if (err != 0) { |
90 | 0 | #ifdef WOLFSSL_SMALL_STACK |
91 | 0 | XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX); |
92 | 0 | #endif |
93 | 0 | return err; |
94 | 0 | } |
95 | | |
96 | 0 | keyLeft = keyLen; |
97 | 0 | ivLeft = ivLen; |
98 | 0 | while (keyOutput < (keyLen + ivLen)) { |
99 | 0 | int digestLeft = digestLen; |
100 | | /* D_(i - 1) */ |
101 | 0 | if (keyOutput) { /* first time D_0 is empty */ |
102 | 0 | err = wc_HashUpdate(hash, hashT, digest, (word32)digestLen); |
103 | 0 | if (err != 0) break; |
104 | 0 | } |
105 | | |
106 | | /* data */ |
107 | 0 | err = wc_HashUpdate(hash, hashT, passwd, (word32)passwdLen); |
108 | 0 | if (err != 0) break; |
109 | | |
110 | | /* salt */ |
111 | 0 | if (salt) { |
112 | 0 | err = wc_HashUpdate(hash, hashT, salt, (word32)saltLen); |
113 | 0 | if (err != 0) break; |
114 | 0 | } |
115 | | |
116 | 0 | err = wc_HashFinal(hash, hashT, digest); |
117 | 0 | if (err != 0) break; |
118 | | |
119 | | /* count */ |
120 | 0 | for (i = 1; i < iterations; i++) { |
121 | 0 | err = wc_HashUpdate(hash, hashT, digest, (word32)digestLen); |
122 | 0 | if (err != 0) break; |
123 | | |
124 | 0 | err = wc_HashFinal(hash, hashT, digest); |
125 | 0 | if (err != 0) break; |
126 | 0 | } |
127 | |
|
128 | 0 | if (err != 0) break; |
129 | | |
130 | 0 | if (keyLeft) { |
131 | 0 | store = (int)min((word32)keyLeft, (word32)digestLen); |
132 | 0 | XMEMCPY(&key[keyLen - keyLeft], digest, (size_t)store); |
133 | |
|
134 | 0 | keyOutput += store; |
135 | 0 | keyLeft -= store; |
136 | 0 | digestLeft -= store; |
137 | 0 | } |
138 | |
|
139 | 0 | if (ivLeft && digestLeft) { |
140 | 0 | store = (int)min((word32)ivLeft, (word32)digestLeft); |
141 | 0 | if (iv != NULL) |
142 | 0 | XMEMCPY(&iv[ivLen - ivLeft], |
143 | 0 | &digest[digestLen - digestLeft], (size_t)store); |
144 | 0 | keyOutput += store; |
145 | 0 | ivLeft -= store; |
146 | 0 | } |
147 | 0 | } |
148 | |
|
149 | 0 | wc_HashFree(hash, hashT); |
150 | |
|
151 | 0 | #ifdef WOLFSSL_SMALL_STACK |
152 | 0 | XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX); |
153 | 0 | #endif |
154 | |
|
155 | 0 | if (err != 0) |
156 | 0 | return err; |
157 | | |
158 | 0 | if (keyOutput != (keyLen + ivLen)) |
159 | 0 | return BUFFER_E; |
160 | | |
161 | 0 | return err; |
162 | 0 | } |
163 | | |
164 | | /* PKCS#5 v1.5 */ |
165 | | int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, |
166 | | int sLen, int iterations, int kLen, int hashType) |
167 | 0 | { |
168 | 0 | return wc_PBKDF1_ex(output, kLen, NULL, 0, |
169 | 0 | passwd, pLen, salt, sLen, iterations, hashType, NULL); |
170 | 0 | } |
171 | | |
172 | | #endif /* HAVE_PKCS5 */ |
173 | | |
174 | | #if defined(HAVE_PBKDF2) && !defined(NO_HMAC) |
175 | | |
176 | | int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt, |
177 | | int sLen, int iterations, int kLen, int hashType, void* heap, int devId) |
178 | 0 | { |
179 | 0 | int hLen; |
180 | 0 | int ret; |
181 | 0 | #ifdef WOLFSSL_SMALL_STACK |
182 | 0 | byte* buffer; |
183 | 0 | Hmac* hmac; |
184 | | #else |
185 | | byte buffer[WC_MAX_DIGEST_SIZE]; |
186 | | Hmac hmac[1]; |
187 | | #endif |
188 | 0 | enum wc_HashType hashT; |
189 | |
|
190 | 0 | if (output == NULL || pLen < 0 || sLen < 0 || kLen < 0) { |
191 | 0 | return BAD_FUNC_ARG; |
192 | 0 | } |
193 | | |
194 | 0 | if (iterations <= 0) |
195 | 0 | iterations = 1; |
196 | |
|
197 | 0 | hashT = wc_HashTypeConvert(hashType); |
198 | 0 | hLen = wc_HashGetDigestSize(hashT); |
199 | 0 | if (hLen < 0) |
200 | 0 | return BAD_FUNC_ARG; |
201 | | |
202 | 0 | #ifdef WOLFSSL_SMALL_STACK |
203 | 0 | buffer = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER); |
204 | 0 | if (buffer == NULL) |
205 | 0 | return MEMORY_E; |
206 | 0 | hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC); |
207 | 0 | if (hmac == NULL) { |
208 | 0 | XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER); |
209 | 0 | return MEMORY_E; |
210 | 0 | } |
211 | 0 | #endif |
212 | | |
213 | 0 | ret = wc_HmacInit(hmac, heap, devId); |
214 | 0 | if (ret == 0) { |
215 | 0 | word32 i = 1; |
216 | | /* use int hashType here, since HMAC FIPS uses the old unique value */ |
217 | 0 | ret = wc_HmacSetKey(hmac, hashType, passwd, (word32)pLen); |
218 | |
|
219 | 0 | while (ret == 0 && kLen) { |
220 | 0 | int currentLen; |
221 | 0 | int j; |
222 | |
|
223 | 0 | ret = wc_HmacUpdate(hmac, salt, (word32)sLen); |
224 | 0 | if (ret != 0) |
225 | 0 | break; |
226 | | |
227 | | /* encode i */ |
228 | 0 | for (j = 0; j < 4; j++) { |
229 | 0 | byte b = (byte)(i >> ((3-j) * 8)); |
230 | |
|
231 | 0 | ret = wc_HmacUpdate(hmac, &b, 1); |
232 | 0 | if (ret != 0) |
233 | 0 | break; |
234 | 0 | } |
235 | | |
236 | | /* check ret from inside for loop */ |
237 | 0 | if (ret != 0) |
238 | 0 | break; |
239 | | |
240 | 0 | ret = wc_HmacFinal(hmac, buffer); |
241 | 0 | if (ret != 0) |
242 | 0 | break; |
243 | | |
244 | 0 | currentLen = (int)min((word32)kLen, (word32)hLen); |
245 | 0 | XMEMCPY(output, buffer, (size_t)currentLen); |
246 | |
|
247 | 0 | for (j = 1; j < iterations; j++) { |
248 | 0 | ret = wc_HmacUpdate(hmac, buffer, (word32)hLen); |
249 | 0 | if (ret != 0) |
250 | 0 | break; |
251 | 0 | ret = wc_HmacFinal(hmac, buffer); |
252 | 0 | if (ret != 0) |
253 | 0 | break; |
254 | 0 | xorbuf(output, buffer, (word32)currentLen); |
255 | 0 | } |
256 | | |
257 | | /* check ret from inside for loop */ |
258 | 0 | if (ret != 0) |
259 | 0 | break; |
260 | | |
261 | 0 | output += currentLen; |
262 | 0 | kLen -= currentLen; |
263 | 0 | i++; |
264 | 0 | } |
265 | 0 | wc_HmacFree(hmac); |
266 | 0 | } |
267 | |
|
268 | 0 | #ifdef WOLFSSL_SMALL_STACK |
269 | 0 | XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER); |
270 | 0 | XFREE(hmac, heap, DYNAMIC_TYPE_HMAC); |
271 | 0 | #endif |
272 | |
|
273 | 0 | return ret; |
274 | 0 | } |
275 | | |
276 | | int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt, |
277 | | int sLen, int iterations, int kLen, int hashType) |
278 | 0 | { |
279 | 0 | return wc_PBKDF2_ex(output, passwd, pLen, salt, sLen, iterations, kLen, |
280 | 0 | hashType, NULL, INVALID_DEVID); |
281 | 0 | } |
282 | | |
283 | | #endif /* HAVE_PBKDF2 && !NO_HMAC */ |
284 | | |
285 | | #ifdef HAVE_PKCS12 |
286 | | |
287 | | /* helper for PKCS12_PBKDF(), does hash operation */ |
288 | | static int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, |
289 | | byte* Ai, word32 u, int iterations) |
290 | 0 | { |
291 | 0 | int i; |
292 | 0 | int ret = 0; |
293 | 0 | #ifdef WOLFSSL_SMALL_STACK |
294 | 0 | wc_HashAlg* hash = NULL; |
295 | | #else |
296 | | wc_HashAlg hash[1]; |
297 | | #endif |
298 | 0 | enum wc_HashType hashT; |
299 | |
|
300 | 0 | if (buffer == NULL || Ai == NULL) { |
301 | 0 | return BAD_FUNC_ARG; |
302 | 0 | } |
303 | | |
304 | 0 | hashT = wc_HashTypeConvert(hashType); |
305 | | |
306 | | /* initialize hash */ |
307 | 0 | #ifdef WOLFSSL_SMALL_STACK |
308 | 0 | hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), NULL, |
309 | 0 | DYNAMIC_TYPE_HASHCTX); |
310 | 0 | if (hash == NULL) |
311 | 0 | return MEMORY_E; |
312 | 0 | #endif |
313 | | |
314 | 0 | ret = wc_HashInit(hash, hashT); |
315 | 0 | if (ret != 0) { |
316 | 0 | #ifdef WOLFSSL_SMALL_STACK |
317 | 0 | XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX); |
318 | 0 | #endif |
319 | 0 | return ret; |
320 | 0 | } |
321 | | |
322 | 0 | ret = wc_HashUpdate(hash, hashT, buffer, totalLen); |
323 | |
|
324 | 0 | if (ret == 0) |
325 | 0 | ret = wc_HashFinal(hash, hashT, Ai); |
326 | |
|
327 | 0 | for (i = 1; i < iterations; i++) { |
328 | 0 | if (ret == 0) |
329 | 0 | ret = wc_HashUpdate(hash, hashT, Ai, u); |
330 | 0 | if (ret == 0) |
331 | 0 | ret = wc_HashFinal(hash, hashT, Ai); |
332 | 0 | } |
333 | |
|
334 | 0 | wc_HashFree(hash, hashT); |
335 | |
|
336 | 0 | #ifdef WOLFSSL_SMALL_STACK |
337 | 0 | XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX); |
338 | 0 | #endif |
339 | |
|
340 | 0 | return ret; |
341 | 0 | } |
342 | | |
343 | | |
344 | | int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen, |
345 | | const byte* salt, int saltLen, int iterations, int kLen, int hashType, |
346 | | int id) |
347 | 0 | { |
348 | 0 | return wc_PKCS12_PBKDF_ex(output, passwd, passLen, salt, saltLen, |
349 | 0 | iterations, kLen, hashType, id, NULL); |
350 | 0 | } |
351 | | |
352 | | |
353 | | /* extended API that allows a heap hint to be used */ |
354 | | int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen, |
355 | | const byte* salt, int saltLen, int iterations, int kLen, |
356 | | int hashType, int id, void* heap) |
357 | 0 | { |
358 | | /* all in bytes instead of bits */ |
359 | 0 | word32 u, v, dLen, pLen, iLen, sLen, totalLen; |
360 | 0 | int dynamic = 0; |
361 | 0 | int ret = 0; |
362 | 0 | word32 i; |
363 | 0 | byte *D, *S, *P, *I; |
364 | 0 | #ifdef WOLFSSL_SMALL_STACK |
365 | 0 | byte staticBuffer[1]; /* force dynamic usage */ |
366 | | #else |
367 | | byte staticBuffer[1024]; |
368 | | #endif |
369 | 0 | byte* buffer = staticBuffer; |
370 | |
|
371 | 0 | #ifdef WOLFSSL_SMALL_STACK |
372 | 0 | byte* Ai = NULL; |
373 | 0 | byte* B = NULL; |
374 | 0 | mp_int *B1 = NULL; |
375 | 0 | mp_int *i1 = NULL; |
376 | 0 | mp_int *res = NULL; |
377 | | #else |
378 | | byte Ai[WC_MAX_DIGEST_SIZE]; |
379 | | byte B[WC_MAX_BLOCK_SIZE]; |
380 | | mp_int B1[1]; |
381 | | mp_int i1[1]; |
382 | | mp_int res[1]; |
383 | | #endif |
384 | 0 | enum wc_HashType hashT; |
385 | |
|
386 | 0 | (void)heap; |
387 | |
|
388 | 0 | if (output == NULL || passLen <= 0 || saltLen <= 0 || kLen < 0) { |
389 | 0 | return BAD_FUNC_ARG; |
390 | 0 | } |
391 | | |
392 | 0 | if (iterations <= 0) |
393 | 0 | iterations = 1; |
394 | |
|
395 | 0 | hashT = wc_HashTypeConvert(hashType); |
396 | 0 | ret = wc_HashGetDigestSize(hashT); |
397 | 0 | if (ret < 0) |
398 | 0 | return ret; |
399 | 0 | if (ret == 0) |
400 | 0 | return BAD_STATE_E; |
401 | 0 | u = (word32)ret; |
402 | |
|
403 | 0 | ret = wc_HashGetBlockSize(hashT); |
404 | 0 | if (ret < 0) |
405 | 0 | return ret; |
406 | 0 | if (ret == 0) |
407 | 0 | return BAD_STATE_E; |
408 | 0 | v = (word32)ret; |
409 | |
|
410 | 0 | #ifdef WOLFSSL_SMALL_STACK |
411 | 0 | Ai = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER); |
412 | 0 | if (Ai == NULL) |
413 | 0 | return MEMORY_E; |
414 | | |
415 | 0 | B = (byte*)XMALLOC(WC_MAX_BLOCK_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER); |
416 | 0 | if (B == NULL) { |
417 | 0 | XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER); |
418 | 0 | return MEMORY_E; |
419 | 0 | } |
420 | 0 | #endif |
421 | | |
422 | 0 | XMEMSET(Ai, 0, WC_MAX_DIGEST_SIZE); |
423 | 0 | XMEMSET(B, 0, WC_MAX_BLOCK_SIZE); |
424 | |
|
425 | 0 | dLen = v; |
426 | 0 | sLen = v * (((word32)saltLen + v - 1) / v); |
427 | | |
428 | | /* with passLen checked at the top of the function for >= 0 then passLen |
429 | | * must be 1 or greater here and is always 'true' */ |
430 | 0 | pLen = v * (((word32)passLen + v - 1) / v); |
431 | 0 | iLen = sLen + pLen; |
432 | |
|
433 | 0 | totalLen = dLen + sLen + pLen; |
434 | |
|
435 | 0 | if (totalLen > sizeof(staticBuffer)) { |
436 | 0 | buffer = (byte*)XMALLOC(totalLen, heap, DYNAMIC_TYPE_KEY); |
437 | 0 | if (buffer == NULL) { |
438 | 0 | #ifdef WOLFSSL_SMALL_STACK |
439 | 0 | XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER); |
440 | 0 | XFREE(B, heap, DYNAMIC_TYPE_TMP_BUFFER); |
441 | 0 | #endif |
442 | 0 | return MEMORY_E; |
443 | 0 | } |
444 | 0 | dynamic = 1; |
445 | 0 | } |
446 | | |
447 | 0 | D = buffer; |
448 | 0 | S = D + dLen; |
449 | 0 | P = S + sLen; |
450 | 0 | I = S; |
451 | |
|
452 | 0 | XMEMSET(D, id, dLen); |
453 | |
|
454 | 0 | for (i = 0; i < sLen; i++) |
455 | 0 | S[i] = salt[i % (word32)saltLen]; |
456 | 0 | for (i = 0; i < pLen; i++) |
457 | 0 | P[i] = passwd[i % (word32)passLen]; |
458 | |
|
459 | 0 | #ifdef WOLFSSL_SMALL_STACK |
460 | 0 | if (((B1 = (mp_int *)XMALLOC(sizeof(*B1), heap, DYNAMIC_TYPE_TMP_BUFFER)) |
461 | 0 | == NULL) || |
462 | 0 | ((i1 = (mp_int *)XMALLOC(sizeof(*i1), heap, DYNAMIC_TYPE_TMP_BUFFER)) |
463 | 0 | == NULL) || |
464 | 0 | ((res = (mp_int *)XMALLOC(sizeof(*res), heap, DYNAMIC_TYPE_TMP_BUFFER)) |
465 | 0 | == NULL)) { |
466 | 0 | ret = MEMORY_E; |
467 | 0 | goto out; |
468 | 0 | } |
469 | 0 | #endif |
470 | | |
471 | 0 | while (kLen > 0) { |
472 | 0 | word32 currentLen; |
473 | |
|
474 | 0 | ret = DoPKCS12Hash(hashType, buffer, totalLen, Ai, u, iterations); |
475 | 0 | if (ret < 0) |
476 | 0 | break; |
477 | | |
478 | 0 | for (i = 0; i < v; i++) |
479 | 0 | B[i] = Ai[(word32)i % u]; |
480 | |
|
481 | 0 | if (mp_init(B1) != MP_OKAY) |
482 | 0 | ret = MP_INIT_E; |
483 | 0 | else if (mp_read_unsigned_bin(B1, B, v) != MP_OKAY) |
484 | 0 | ret = MP_READ_E; |
485 | 0 | else if (mp_add_d(B1, (mp_digit)1, B1) != MP_OKAY) |
486 | 0 | ret = MP_ADD_E; |
487 | |
|
488 | 0 | if (ret != 0) { |
489 | 0 | mp_clear(B1); |
490 | 0 | break; |
491 | 0 | } |
492 | | |
493 | 0 | for (i = 0; i < iLen; i += v) { |
494 | 0 | int outSz; |
495 | |
|
496 | 0 | if (mp_init_multi(i1, res, NULL, NULL, NULL, NULL) != MP_OKAY) { |
497 | 0 | ret = MP_INIT_E; |
498 | 0 | break; |
499 | 0 | } |
500 | 0 | if (mp_read_unsigned_bin(i1, I + i, v) != MP_OKAY) |
501 | 0 | ret = MP_READ_E; |
502 | 0 | else if (mp_add(i1, B1, res) != MP_OKAY) |
503 | 0 | ret = MP_ADD_E; |
504 | 0 | else if ( (outSz = mp_unsigned_bin_size(res)) < 0) |
505 | 0 | ret = MP_TO_E; |
506 | 0 | else { |
507 | 0 | if (outSz > (int)v) { |
508 | | /* take off MSB */ |
509 | 0 | byte tmp[WC_MAX_BLOCK_SIZE + 1]; |
510 | 0 | ret = mp_to_unsigned_bin(res, tmp); |
511 | 0 | XMEMCPY(I + i, tmp + 1, v); |
512 | 0 | } |
513 | 0 | else if (outSz < (int)v) { |
514 | 0 | XMEMSET(I + i, 0, v - (word32)outSz); |
515 | 0 | ret = mp_to_unsigned_bin(res, I + i + v - (word32)outSz); |
516 | 0 | } |
517 | 0 | else |
518 | 0 | ret = mp_to_unsigned_bin(res, I + i); |
519 | 0 | } |
520 | |
|
521 | 0 | mp_clear(i1); |
522 | 0 | mp_clear(res); |
523 | 0 | if (ret < 0) break; |
524 | 0 | } |
525 | |
|
526 | 0 | if (ret < 0) { |
527 | 0 | mp_clear(B1); |
528 | 0 | break; |
529 | 0 | } |
530 | | |
531 | 0 | currentLen = min((word32)kLen, u); |
532 | 0 | XMEMCPY(output, Ai, currentLen); |
533 | 0 | output += currentLen; |
534 | 0 | kLen -= (int)currentLen; |
535 | 0 | mp_clear(B1); |
536 | 0 | } |
537 | |
|
538 | 0 | #ifdef WOLFSSL_SMALL_STACK |
539 | 0 | out: |
540 | |
|
541 | 0 | if (Ai != NULL) |
542 | 0 | XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER); |
543 | 0 | if (B != NULL) |
544 | 0 | XFREE(B, heap, DYNAMIC_TYPE_TMP_BUFFER); |
545 | 0 | if (B1 != NULL) |
546 | 0 | XFREE(B1, heap, DYNAMIC_TYPE_TMP_BUFFER); |
547 | 0 | if (i1 != NULL) |
548 | 0 | XFREE(i1, heap, DYNAMIC_TYPE_TMP_BUFFER); |
549 | 0 | if (res != NULL) |
550 | 0 | XFREE(res, heap, DYNAMIC_TYPE_TMP_BUFFER); |
551 | 0 | #endif |
552 | |
|
553 | 0 | if (dynamic) |
554 | 0 | XFREE(buffer, heap, DYNAMIC_TYPE_KEY); |
555 | |
|
556 | 0 | return ret; |
557 | 0 | } |
558 | | |
559 | | #endif /* HAVE_PKCS12 */ |
560 | | |
561 | | #ifdef HAVE_SCRYPT |
562 | | #ifdef NO_HMAC |
563 | | #error scrypt requires HMAC |
564 | | #endif |
565 | | |
566 | | /* Rotate the 32-bit value a by b bits to the left. |
567 | | * |
568 | | * a 32-bit value. |
569 | | * b Number of bits to rotate. |
570 | | * returns rotated value. |
571 | | */ |
572 | 0 | #define R(a, b) rotlFixed(a, b) |
573 | | |
574 | | /* (2^32 - 1) */ |
575 | 0 | #define SCRYPT_WORD32_MAX 4294967295U |
576 | | |
577 | | /* One round of Salsa20/8. |
578 | | * Code taken from RFC 7914: scrypt PBKDF. |
579 | | * |
580 | | * out Output buffer. |
581 | | * in Input data to hash. |
582 | | */ |
583 | | static void scryptSalsa(word32* out, word32* in) |
584 | 0 | { |
585 | 0 | int i; |
586 | 0 | word32 x[16]; |
587 | |
|
588 | 0 | #ifdef LITTLE_ENDIAN_ORDER |
589 | 0 | XMEMCPY(x, in, sizeof(x)); |
590 | | #else |
591 | | for (i = 0; i < 16; i++) |
592 | | x[i] = ByteReverseWord32(in[i]); |
593 | | #endif |
594 | 0 | for (i = 8; i > 0; i -= 2) { |
595 | 0 | x[ 4] ^= R(x[ 0] + x[12], 7); x[ 8] ^= R(x[ 4] + x[ 0], 9); |
596 | 0 | x[12] ^= R(x[ 8] + x[ 4], 13); x[ 0] ^= R(x[12] + x[ 8], 18); |
597 | 0 | x[ 9] ^= R(x[ 5] + x[ 1], 7); x[13] ^= R(x[ 9] + x[ 5], 9); |
598 | 0 | x[ 1] ^= R(x[13] + x[ 9], 13); x[ 5] ^= R(x[ 1] + x[13], 18); |
599 | 0 | x[14] ^= R(x[10] + x[ 6], 7); x[ 2] ^= R(x[14] + x[10], 9); |
600 | 0 | x[ 6] ^= R(x[ 2] + x[14], 13); x[10] ^= R(x[ 6] + x[ 2], 18); |
601 | 0 | x[ 3] ^= R(x[15] + x[11], 7); x[ 7] ^= R(x[ 3] + x[15], 9); |
602 | 0 | x[11] ^= R(x[ 7] + x[ 3], 13); x[15] ^= R(x[11] + x[ 7], 18); |
603 | 0 | x[ 1] ^= R(x[ 0] + x[ 3], 7); x[ 2] ^= R(x[ 1] + x[ 0], 9); |
604 | 0 | x[ 3] ^= R(x[ 2] + x[ 1], 13); x[ 0] ^= R(x[ 3] + x[ 2], 18); |
605 | 0 | x[ 6] ^= R(x[ 5] + x[ 4], 7); x[ 7] ^= R(x[ 6] + x[ 5], 9); |
606 | 0 | x[ 4] ^= R(x[ 7] + x[ 6], 13); x[ 5] ^= R(x[ 4] + x[ 7], 18); |
607 | 0 | x[11] ^= R(x[10] + x[ 9], 7); x[ 8] ^= R(x[11] + x[10], 9); |
608 | 0 | x[ 9] ^= R(x[ 8] + x[11], 13); x[10] ^= R(x[ 9] + x[ 8], 18); |
609 | 0 | x[12] ^= R(x[15] + x[14], 7); x[13] ^= R(x[12] + x[15], 9); |
610 | 0 | x[14] ^= R(x[13] + x[12], 13); x[15] ^= R(x[14] + x[13], 18); |
611 | 0 | } |
612 | 0 | #ifdef LITTLE_ENDIAN_ORDER |
613 | 0 | for (i = 0; i < 16; ++i) |
614 | 0 | out[i] = in[i] + x[i]; |
615 | | #else |
616 | | for (i = 0; i < 16; i++) |
617 | | out[i] = ByteReverseWord32(ByteReverseWord32(in[i]) + x[i]); |
618 | | #endif |
619 | 0 | } |
620 | | |
621 | | /* Mix a block using Salsa20/8. |
622 | | * Based on RFC 7914: scrypt PBKDF. |
623 | | * |
624 | | * b Blocks to mix. |
625 | | * y Temporary storage. |
626 | | * r Size of the block. |
627 | | */ |
628 | | static void scryptBlockMix(byte* b, byte* y, int r) |
629 | 0 | { |
630 | 0 | #ifdef WORD64_AVAILABLE |
631 | 0 | word64 x[8]; |
632 | 0 | word64* b64 = (word64*)b; |
633 | 0 | word64* y64 = (word64*)y; |
634 | | #else |
635 | | word32 x[16]; |
636 | | word32* b32 = (word32*)b; |
637 | | word32* y32 = (word32*)y; |
638 | | #endif |
639 | 0 | int i; |
640 | 0 | int j; |
641 | | |
642 | | /* Step 1. */ |
643 | 0 | XMEMCPY(x, b + (2 * r - 1) * 64, sizeof(x)); |
644 | | /* Step 2. */ |
645 | 0 | for (i = 0; i < 2 * r; i++) |
646 | 0 | { |
647 | 0 | #ifdef WORD64_AVAILABLE |
648 | 0 | for (j = 0; j < 8; j++) |
649 | 0 | x[j] ^= b64[i * 8 + j]; |
650 | |
|
651 | | #else |
652 | | for (j = 0; j < 16; j++) |
653 | | x[j] ^= b32[i * 16 + j]; |
654 | | #endif |
655 | 0 | scryptSalsa((word32*)x, (word32*)x); |
656 | 0 | XMEMCPY(y + i * 64, x, sizeof(x)); |
657 | 0 | } |
658 | | /* Step 3. */ |
659 | 0 | for (i = 0; i < r; i++) { |
660 | 0 | #ifdef WORD64_AVAILABLE |
661 | 0 | for (j = 0; j < 8; j++) { |
662 | 0 | b64[i * 8 + j] = y64[2 * i * 8 + j]; |
663 | 0 | b64[(r + i) * 8 + j] = y64[(2 * i + 1) * 8 + j]; |
664 | 0 | } |
665 | | #else |
666 | | for (j = 0; j < 16; j++) { |
667 | | b32[i * 16 + j] = y32[2 * i * 16 + j]; |
668 | | b32[(r + i) * 16 + j] = y32[(2 * i + 1) * 16 + j]; |
669 | | } |
670 | | #endif |
671 | 0 | } |
672 | 0 | } |
673 | | |
674 | | /* Random oracles mix. |
675 | | * Based on RFC 7914: scrypt PBKDF. |
676 | | * |
677 | | * x Data to mix. |
678 | | * v Temporary buffer. |
679 | | * y Temporary buffer for the block mix. |
680 | | * r Block size parameter. |
681 | | * n CPU/Memory cost parameter. |
682 | | */ |
683 | | static void scryptROMix(byte* x, byte* v, byte* y, int r, word32 n) |
684 | 0 | { |
685 | 0 | word32 i; |
686 | 0 | word32 j; |
687 | 0 | word32 k; |
688 | 0 | word32 bSz = (word32)(128 * r); |
689 | 0 | #ifdef WORD64_AVAILABLE |
690 | 0 | word64* x64 = (word64*)x; |
691 | 0 | word64* v64 = (word64*)v; |
692 | | #else |
693 | | word32* x32 = (word32*)x; |
694 | | word32* v32 = (word32*)v; |
695 | | #endif |
696 | | |
697 | | /* Step 1. X = B (B not needed therefore not implemented) */ |
698 | | /* Step 2. */ |
699 | 0 | for (i = 0; i < n; i++) |
700 | 0 | { |
701 | 0 | XMEMCPY(v + i * bSz, x, bSz); |
702 | 0 | scryptBlockMix(x, y, r); |
703 | 0 | } |
704 | | |
705 | | /* Step 3. */ |
706 | 0 | for (i = 0; i < n; i++) |
707 | 0 | { |
708 | 0 | #ifdef LITTLE_ENDIAN_ORDER |
709 | 0 | #ifdef WORD64_AVAILABLE |
710 | 0 | j = (word32)(*(word64*)(x + (2*r - 1) * 64) & (n-1)); |
711 | | #else |
712 | | j = *(word32*)(x + (2*r - 1) * 64) & (n-1); |
713 | | #endif |
714 | | #else |
715 | | byte* t = x + (2*r - 1) * 64; |
716 | | j = (t[0] | (t[1] << 8) | (t[2] << 16) | ((word32)t[3] << 24)) & (n-1); |
717 | | #endif |
718 | 0 | #ifdef WORD64_AVAILABLE |
719 | 0 | for (k = 0; k < bSz / 8; k++) |
720 | 0 | x64[k] ^= v64[j * bSz / 8 + k]; |
721 | | #else |
722 | | for (k = 0; k < bSz / 4; k++) |
723 | | x32[k] ^= v32[j * bSz / 4 + k]; |
724 | | #endif |
725 | 0 | scryptBlockMix(x, y, r); |
726 | 0 | } |
727 | | /* Step 4. B' = X (B = X = B' so not needed, therefore not implemented) */ |
728 | 0 | } |
729 | | |
730 | | /* Generates an key derived from a password and salt using a memory hard |
731 | | * algorithm. |
732 | | * Implements RFC 7914: scrypt PBKDF. |
733 | | * |
734 | | * output The derived key. |
735 | | * passwd The password to derive key from. |
736 | | * passLen The length of the password. |
737 | | * salt The key specific data. |
738 | | * saltLen The length of the salt data. |
739 | | * cost The CPU/memory cost parameter. Range: 1..(128*r/8-1) |
740 | | * (Iterations = 2^cost) |
741 | | * blockSize The number of 128 byte octets in a working block. |
742 | | * parallel The number of parallel mix operations to perform. |
743 | | * (Note: this implementation does not use threads.) |
744 | | * dkLen The length of the derived key in bytes. |
745 | | * returns BAD_FUNC_ARG when: blockSize is too large for cost. |
746 | | */ |
747 | | int wc_scrypt(byte* output, const byte* passwd, int passLen, |
748 | | const byte* salt, int saltLen, int cost, int blockSize, |
749 | | int parallel, int dkLen) |
750 | 0 | { |
751 | 0 | int ret = 0; |
752 | 0 | int i; |
753 | 0 | byte* v = NULL; |
754 | 0 | byte* y = NULL; |
755 | 0 | byte* blocks = NULL; |
756 | 0 | word32 blocksSz; |
757 | 0 | word32 bSz; |
758 | |
|
759 | 0 | if (blockSize > 8) |
760 | 0 | return BAD_FUNC_ARG; |
761 | | |
762 | 0 | if (cost < 1 || cost >= 128 * blockSize / 8 || parallel < 1 || dkLen < 1) |
763 | 0 | return BAD_FUNC_ARG; |
764 | | |
765 | | /* The following comparison used to be: |
766 | | * ((word32)parallel > (SCRYPT_MAX / (128 * blockSize))) |
767 | | * where SCRYPT_MAX is (2^32 - 1) * 32. For some compilers, the RHS of |
768 | | * the comparison is greater than parallel's type. It wouldn't promote |
769 | | * both sides to word64. What follows is just arithmetic simplification. |
770 | | */ |
771 | 0 | if (parallel > (int)((SCRYPT_WORD32_MAX / 4) / (word32)blockSize)) |
772 | 0 | return BAD_FUNC_ARG; |
773 | | |
774 | 0 | bSz = 128 * (word32)blockSize; |
775 | 0 | if (parallel > (int)(SCRYPT_WORD32_MAX / bSz)) |
776 | 0 | return BAD_FUNC_ARG; |
777 | 0 | blocksSz = bSz * (word32)parallel; |
778 | 0 | blocks = (byte*)XMALLOC((size_t)blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
779 | 0 | if (blocks == NULL) { |
780 | 0 | ret = MEMORY_E; |
781 | 0 | goto end; |
782 | 0 | } |
783 | | /* Temporary for scryptROMix. */ |
784 | 0 | v = (byte*)XMALLOC((size_t)((1 << cost) * bSz), NULL, |
785 | 0 | DYNAMIC_TYPE_TMP_BUFFER); |
786 | 0 | if (v == NULL) { |
787 | 0 | ret = MEMORY_E; |
788 | 0 | goto end; |
789 | 0 | } |
790 | | /* Temporary for scryptBlockMix. */ |
791 | 0 | y = (byte*)XMALLOC((size_t)(blockSize * 128), NULL, |
792 | 0 | DYNAMIC_TYPE_TMP_BUFFER); |
793 | 0 | if (y == NULL) { |
794 | 0 | ret = MEMORY_E; |
795 | 0 | goto end; |
796 | 0 | } |
797 | | |
798 | | /* Step 1. */ |
799 | 0 | ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, (int)blocksSz, |
800 | 0 | WC_SHA256); |
801 | 0 | if (ret != 0) |
802 | 0 | goto end; |
803 | | |
804 | | /* Step 2. */ |
805 | 0 | for (i = 0; i < parallel; i++) |
806 | 0 | scryptROMix(blocks + i * (int)bSz, v, y, (int)blockSize, 1 << cost); |
807 | | |
808 | | /* Step 3. */ |
809 | 0 | ret = wc_PBKDF2(output, passwd, passLen, blocks, (int)blocksSz, 1, dkLen, |
810 | 0 | WC_SHA256); |
811 | 0 | end: |
812 | 0 | if (blocks != NULL) |
813 | 0 | XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
814 | 0 | if (v != NULL) |
815 | 0 | XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
816 | 0 | if (y != NULL) |
817 | 0 | XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
818 | |
|
819 | 0 | return ret; |
820 | 0 | } |
821 | | |
822 | | /* Generates an key derived from a password and salt using a memory hard |
823 | | * algorithm. |
824 | | * Implements RFC 7914: scrypt PBKDF. |
825 | | * |
826 | | * output Derived key. |
827 | | * passwd Password to derive key from. |
828 | | * passLen Length of the password. |
829 | | * salt Key specific data. |
830 | | * saltLen Length of the salt data. |
831 | | * iterations Number of iterations to perform. Range: 1 << (1..(128*r/8-1)) |
832 | | * blockSize Number of 128 byte octets in a working block. |
833 | | * parallel Number of parallel mix operations to perform. |
834 | | * (Note: this implementation does not use threads.) |
835 | | * dkLen Length of the derived key in bytes. |
836 | | * returns BAD_FUNC_ARG when: iterations is not a power of 2 or blockSize is too |
837 | | * large for iterations. |
838 | | */ |
839 | | int wc_scrypt_ex(byte* output, const byte* passwd, int passLen, |
840 | | const byte* salt, int saltLen, word32 iterations, |
841 | | int blockSize, int parallel, int dkLen) |
842 | 0 | { |
843 | 0 | int cost; |
844 | | |
845 | | /* Iterations must be a power of 2. */ |
846 | 0 | if ((iterations & (iterations - 1)) != 0) |
847 | 0 | return BAD_FUNC_ARG; |
848 | | |
849 | 0 | for (cost = -1; iterations != 0; cost++) { |
850 | 0 | iterations >>= 1; |
851 | 0 | } |
852 | |
|
853 | 0 | return wc_scrypt(output, passwd, passLen, salt, saltLen, cost, blockSize, |
854 | 0 | parallel, dkLen); |
855 | 0 | } |
856 | | #endif /* HAVE_SCRYPT */ |
857 | | |
858 | | #endif /* NO_PWDBASED */ |