Line data Source code
1 : /* kdf.c - Key Derivation Functions
2 : * Copyright (C) 1998, 2011 Free Software Foundation, Inc.
3 : * Copyright (C) 2013 g10 Code GmbH
4 : *
5 : * This file is part of Libgcrypt.
6 : *
7 : * Libgcrypt is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU Lesser general Public License as
9 : * published by the Free Software Foundation; either version 2.1 of
10 : * the License, or (at your option) any later version.
11 : *
12 : * Libgcrypt is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU Lesser General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU Lesser General Public
18 : * License along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include <config.h>
22 : #include <stdio.h>
23 : #include <stdlib.h>
24 : #include <string.h>
25 : #include <errno.h>
26 :
27 : #include "g10lib.h"
28 : #include "cipher.h"
29 : #include "kdf-internal.h"
30 :
31 :
32 : /* Transform a passphrase into a suitable key of length KEYSIZE and
33 : store this key in the caller provided buffer KEYBUFFER. The caller
34 : must provide an HASHALGO, a valid ALGO and depending on that algo a
35 : SALT of 8 bytes and the number of ITERATIONS. Code taken from
36 : gnupg/agent/protect.c:hash_passphrase. */
37 : static gpg_err_code_t
38 0 : openpgp_s2k (const void *passphrase, size_t passphraselen,
39 : int algo, int hashalgo,
40 : const void *salt, size_t saltlen,
41 : unsigned long iterations,
42 : size_t keysize, void *keybuffer)
43 : {
44 : gpg_err_code_t ec;
45 : gcry_md_hd_t md;
46 0 : char *key = keybuffer;
47 : int pass, i;
48 0 : int used = 0;
49 : int secmode;
50 :
51 0 : if ((algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
52 0 : && (!salt || saltlen != 8))
53 0 : return GPG_ERR_INV_VALUE;
54 :
55 0 : secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer);
56 :
57 0 : ec = _gcry_md_open (&md, hashalgo, secmode? GCRY_MD_FLAG_SECURE : 0);
58 0 : if (ec)
59 0 : return ec;
60 :
61 0 : for (pass=0; used < keysize; pass++)
62 : {
63 0 : if (pass)
64 : {
65 0 : _gcry_md_reset (md);
66 0 : for (i=0; i < pass; i++) /* Preset the hash context. */
67 0 : _gcry_md_putc (md, 0);
68 : }
69 :
70 0 : if (algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
71 0 : {
72 0 : int len2 = passphraselen + 8;
73 0 : unsigned long count = len2;
74 :
75 0 : if (algo == GCRY_KDF_ITERSALTED_S2K)
76 : {
77 0 : count = iterations;
78 0 : if (count < len2)
79 0 : count = len2;
80 : }
81 :
82 0 : while (count > len2)
83 : {
84 0 : _gcry_md_write (md, salt, saltlen);
85 0 : _gcry_md_write (md, passphrase, passphraselen);
86 0 : count -= len2;
87 : }
88 0 : if (count < saltlen)
89 0 : _gcry_md_write (md, salt, count);
90 : else
91 : {
92 0 : _gcry_md_write (md, salt, saltlen);
93 0 : count -= saltlen;
94 0 : _gcry_md_write (md, passphrase, count);
95 : }
96 : }
97 : else
98 0 : _gcry_md_write (md, passphrase, passphraselen);
99 :
100 0 : _gcry_md_final (md);
101 0 : i = _gcry_md_get_algo_dlen (hashalgo);
102 0 : if (i > keysize - used)
103 0 : i = keysize - used;
104 0 : memcpy (key+used, _gcry_md_read (md, hashalgo), i);
105 0 : used += i;
106 : }
107 0 : _gcry_md_close (md);
108 0 : return 0;
109 : }
110 :
111 :
112 : /* Transform a passphrase into a suitable key of length KEYSIZE and
113 : store this key in the caller provided buffer KEYBUFFER. The caller
114 : must provide PRFALGO which indicates the pseudorandom function to
115 : use: This shall be the algorithms id of a hash algorithm; it is
116 : used in HMAC mode. SALT is a salt of length SALTLEN and ITERATIONS
117 : gives the number of iterations. */
118 : gpg_err_code_t
119 0 : _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
120 : int hashalgo,
121 : const void *salt, size_t saltlen,
122 : unsigned long iterations,
123 : size_t keysize, void *keybuffer)
124 : {
125 : gpg_err_code_t ec;
126 : gcry_md_hd_t md;
127 : int secmode;
128 0 : unsigned long dklen = keysize;
129 0 : char *dk = keybuffer;
130 : unsigned int hlen; /* Output length of the digest function. */
131 : unsigned int l; /* Rounded up number of blocks. */
132 : unsigned int r; /* Number of octets in the last block. */
133 : char *sbuf; /* Malloced buffer to concatenate salt and iter
134 : as well as space to hold TBUF and UBUF. */
135 : char *tbuf; /* Buffer for T; ptr into SBUF, size is HLEN. */
136 : char *ubuf; /* Buffer for U; ptr into SBUF, size is HLEN. */
137 : unsigned int lidx; /* Current block number. */
138 : unsigned long iter; /* Current iteration number. */
139 : unsigned int i;
140 :
141 : /* We allow for a saltlen of 0 here to support scrypt. It is not
142 : clear whether rfc2898 allows for this this, thus we do a test on
143 : saltlen > 0 only in gcry_kdf_derive. */
144 0 : if (!salt || !iterations || !dklen)
145 0 : return GPG_ERR_INV_VALUE;
146 :
147 0 : hlen = _gcry_md_get_algo_dlen (hashalgo);
148 0 : if (!hlen)
149 0 : return GPG_ERR_DIGEST_ALGO;
150 :
151 0 : secmode = _gcry_is_secure (passphrase) || _gcry_is_secure (keybuffer);
152 :
153 : /* Step 1 */
154 : /* If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
155 : * stop. We use a stronger inequality but only if our type can hold
156 : * a larger value. */
157 :
158 : #if SIZEOF_UNSIGNED_LONG > 4
159 0 : if (dklen > 0xffffffffU)
160 0 : return GPG_ERR_INV_VALUE;
161 : #endif
162 :
163 :
164 : /* Step 2 */
165 0 : l = ((dklen - 1)/ hlen) + 1;
166 0 : r = dklen - (l - 1) * hlen;
167 :
168 : /* Setup buffers and prepare a hash context. */
169 0 : sbuf = (secmode
170 0 : ? xtrymalloc_secure (saltlen + 4 + hlen + hlen)
171 0 : : xtrymalloc (saltlen + 4 + hlen + hlen));
172 0 : if (!sbuf)
173 0 : return gpg_err_code_from_syserror ();
174 0 : tbuf = sbuf + saltlen + 4;
175 0 : ubuf = tbuf + hlen;
176 :
177 0 : ec = _gcry_md_open (&md, hashalgo, (GCRY_MD_FLAG_HMAC
178 : | (secmode?GCRY_MD_FLAG_SECURE:0)));
179 0 : if (ec)
180 : {
181 0 : xfree (sbuf);
182 0 : return ec;
183 : }
184 :
185 0 : ec = _gcry_md_setkey (md, passphrase, passphraselen);
186 0 : if (ec)
187 : {
188 0 : _gcry_md_close (md);
189 0 : xfree (sbuf);
190 0 : return ec;
191 : }
192 :
193 : /* Step 3 and 4. */
194 0 : memcpy (sbuf, salt, saltlen);
195 0 : for (lidx = 1; lidx <= l; lidx++)
196 : {
197 0 : for (iter = 0; iter < iterations; iter++)
198 : {
199 0 : _gcry_md_reset (md);
200 0 : if (!iter) /* Compute U_1: */
201 : {
202 0 : sbuf[saltlen] = (lidx >> 24);
203 0 : sbuf[saltlen + 1] = (lidx >> 16);
204 0 : sbuf[saltlen + 2] = (lidx >> 8);
205 0 : sbuf[saltlen + 3] = lidx;
206 0 : _gcry_md_write (md, sbuf, saltlen + 4);
207 0 : memcpy (ubuf, _gcry_md_read (md, 0), hlen);
208 0 : memcpy (tbuf, ubuf, hlen);
209 : }
210 : else /* Compute U_(2..c): */
211 : {
212 0 : _gcry_md_write (md, ubuf, hlen);
213 0 : memcpy (ubuf, _gcry_md_read (md, 0), hlen);
214 0 : for (i=0; i < hlen; i++)
215 0 : tbuf[i] ^= ubuf[i];
216 : }
217 : }
218 0 : if (lidx == l) /* Last block. */
219 0 : memcpy (dk, tbuf, r);
220 : else
221 : {
222 0 : memcpy (dk, tbuf, hlen);
223 0 : dk += hlen;
224 : }
225 : }
226 :
227 0 : _gcry_md_close (md);
228 0 : xfree (sbuf);
229 0 : return 0;
230 : }
231 :
232 :
233 : /* Derive a key from a passphrase. KEYSIZE gives the requested size
234 : of the keys in octets. KEYBUFFER is a caller provided buffer
235 : filled on success with the derived key. The input passphrase is
236 : taken from (PASSPHRASE,PASSPHRASELEN) which is an arbitrary memory
237 : buffer. ALGO specifies the KDF algorithm to use; these are the
238 : constants GCRY_KDF_*. SUBALGO specifies an algorithm used
239 : internally by the KDF algorithms; this is usually a hash algorithm
240 : but certain KDF algorithm may use it differently. {SALT,SALTLEN}
241 : is a salt as needed by most KDF algorithms. ITERATIONS is a
242 : positive integer parameter to most KDFs. 0 is returned on success,
243 : or an error code on failure. */
244 : gpg_err_code_t
245 0 : _gcry_kdf_derive (const void *passphrase, size_t passphraselen,
246 : int algo, int subalgo,
247 : const void *salt, size_t saltlen,
248 : unsigned long iterations,
249 : size_t keysize, void *keybuffer)
250 : {
251 : gpg_err_code_t ec;
252 :
253 0 : if (!passphrase)
254 : {
255 0 : ec = GPG_ERR_INV_DATA;
256 0 : goto leave;
257 : }
258 :
259 0 : if (!keybuffer || !keysize)
260 : {
261 0 : ec = GPG_ERR_INV_VALUE;
262 0 : goto leave;
263 : }
264 :
265 :
266 0 : switch (algo)
267 : {
268 : case GCRY_KDF_SIMPLE_S2K:
269 : case GCRY_KDF_SALTED_S2K:
270 : case GCRY_KDF_ITERSALTED_S2K:
271 0 : if (!passphraselen)
272 0 : ec = GPG_ERR_INV_DATA;
273 : else
274 0 : ec = openpgp_s2k (passphrase, passphraselen, algo, subalgo,
275 : salt, saltlen, iterations, keysize, keybuffer);
276 0 : break;
277 :
278 : case GCRY_KDF_PBKDF1:
279 0 : ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
280 0 : break;
281 :
282 : case GCRY_KDF_PBKDF2:
283 0 : if (!saltlen)
284 0 : ec = GPG_ERR_INV_VALUE;
285 : else
286 0 : ec = _gcry_kdf_pkdf2 (passphrase, passphraselen, subalgo,
287 : salt, saltlen, iterations, keysize, keybuffer);
288 0 : break;
289 :
290 : case 41:
291 : case GCRY_KDF_SCRYPT:
292 : #if USE_SCRYPT
293 0 : ec = _gcry_kdf_scrypt (passphrase, passphraselen, algo, subalgo,
294 : salt, saltlen, iterations, keysize, keybuffer);
295 : #else
296 : ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
297 : #endif /*USE_SCRYPT*/
298 0 : break;
299 :
300 : default:
301 0 : ec = GPG_ERR_UNKNOWN_ALGORITHM;
302 0 : break;
303 : }
304 :
305 : leave:
306 0 : return ec;
307 : }
|
