From: Simon Josefsson Date: Wed, 12 Oct 2005 13:13:29 +0000 (+0000) Subject: Add gc-pbkdf2-sha1 module. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9045e5f89f3d9b8d1033a67f47b4859e2618583c;p=pspp Add gc-pbkdf2-sha1 module. --- diff --git a/ChangeLog b/ChangeLog index 6c4b51c4dd..f2e83ad4c3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2005-10-12 Simon Josefsson + + * modules/gc-pbkdf2-sha1, modules/gc-pbkdf2-sha1-tests: New files. + + * tests/test-gc-pbkdf2-sha1.c: New file. + 2005-10-12 Simon Josefsson * modules/gc-sha1: New file. diff --git a/lib/ChangeLog b/lib/ChangeLog index a6d902aa83..da26e24ff1 100644 --- a/lib/ChangeLog +++ b/lib/ChangeLog @@ -1,3 +1,9 @@ +2005-10-12 Simon Josefsson + + * gc-pbkdf2-sha1.c: New file. + + * gc.h: Add gc_pbkdf2_sha1 prototype. + 2005-10-12 Simon Josefsson * gc.h, gc-gnulib.c, gc-libgcrypt.c: Use Gc_rc for return types, diff --git a/lib/gc-pbkdf2-sha1.c b/lib/gc-pbkdf2-sha1.c new file mode 100644 index 0000000000..afdfcdb065 --- /dev/null +++ b/lib/gc-pbkdf2-sha1.c @@ -0,0 +1,187 @@ +/* gc-pbkdf2-sha1.c --- Password-Based Key Derivation Function a'la PKCS#5 + Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ + +/* Written by Simon Josefsson. The comments in this file are taken + from RFC 2898. */ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include "gc.h" + +#include +#include + +/* + * 5.2 PBKDF2 + * + * PBKDF2 applies a pseudorandom function (see Appendix B.1 for an + * example) to derive keys. The length of the derived key is essentially + * unbounded. (However, the maximum effective search space for the + * derived key may be limited by the structure of the underlying + * pseudorandom function. See Appendix B.1 for further discussion.) + * PBKDF2 is recommended for new applications. + * + * PBKDF2 (P, S, c, dkLen) + * + * Options: PRF underlying pseudorandom function (hLen + * denotes the length in octets of the + * pseudorandom function output) + * + * Input: P password, an octet string (ASCII or UTF-8) + * S salt, an octet string + * c iteration count, a positive integer + * dkLen intended length in octets of the derived + * key, a positive integer, at most + * (2^32 - 1) * hLen + * + * Output: DK derived key, a dkLen-octet string + */ + +Gc_rc +gc_pbkdf2_sha1 (const char *P, size_t Plen, + const char *S, size_t Slen, + unsigned int c, + char *DK, size_t dkLen) +{ + unsigned int hLen = 20; + char U[20]; + char T[20]; + unsigned int u; + unsigned int l; + unsigned int r; + unsigned int i; + unsigned int k; + int rc; + + if (c == 0) + return GC_PKCS5_INVALID_ITERATION_COUNT; + + if (dkLen == 0) + return GC_PKCS5_INVALID_DERIVED_KEY_LENGTH; + + /* + * + * Steps: + * + * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + * stop. + */ + + if (dkLen > 4294967295U) + return GC_PKCS5_DERIVED_KEY_TOO_LONG; + + /* + * 2. Let l be the number of hLen-octet blocks in the derived key, + * rounding up, and let r be the number of octets in the last + * block: + * + * l = CEIL (dkLen / hLen) , + * r = dkLen - (l - 1) * hLen . + * + * Here, CEIL (x) is the "ceiling" function, i.e. the smallest + * integer greater than, or equal to, x. + */ + + l = dkLen / hLen; + if (dkLen % hLen) + l++; + r = dkLen - (l - 1) * hLen; + + /* + * 3. For each block of the derived key apply the function F defined + * below to the password P, the salt S, the iteration count c, and + * the block index to compute the block: + * + * T_1 = F (P, S, c, 1) , + * T_2 = F (P, S, c, 2) , + * ... + * T_l = F (P, S, c, l) , + * + * where the function F is defined as the exclusive-or sum of the + * first c iterates of the underlying pseudorandom function PRF + * applied to the password P and the concatenation of the salt S + * and the block index i: + * + * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + * + * where + * + * U_1 = PRF (P, S || INT (i)) , + * U_2 = PRF (P, U_1) , + * ... + * U_c = PRF (P, U_{c-1}) . + * + * Here, INT (i) is a four-octet encoding of the integer i, most + * significant octet first. + * + * 4. Concatenate the blocks and extract the first dkLen octets to + * produce a derived key DK: + * + * DK = T_1 || T_2 || ... || T_l<0..r-1> + * + * 5. Output the derived key DK. + * + * Note. The construction of the function F follows a "belt-and- + * suspenders" approach. The iterates U_i are computed recursively to + * remove a degree of parallelism from an opponent; they are exclusive- + * ored together to reduce concerns about the recursion degenerating + * into a small set of values. + * + */ + + for (i = 1; i <= l; i++) + { + memset (T, 0, hLen); + + for (u = 1; u <= c; u++) + { + if (u == 1) + { + char *tmp; + size_t tmplen = Slen + 4; + + tmp = malloc (tmplen); + if (tmp == NULL) + return GC_MALLOC_ERROR; + + memcpy (tmp, S, Slen); + tmp[Slen + 0] = (i & 0xff000000) >> 24; + tmp[Slen + 1] = (i & 0x00ff0000) >> 16; + tmp[Slen + 2] = (i & 0x0000ff00) >> 8; + tmp[Slen + 3] = (i & 0x000000ff) >> 0; + + rc = gc_hmac_sha1 (P, Plen, tmp, tmplen, U); + + free (tmp); + } + else + rc = gc_hmac_sha1 (P, Plen, U, hLen, U); + + if (rc != GC_OK) + return rc; + + for (k = 0; k < hLen; k++) + T[k] ^= U[k]; + } + + memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen); + } + + return GC_OK; +} diff --git a/lib/gc.h b/lib/gc.h index 43a7ff6c5c..69e56a02e7 100644 --- a/lib/gc.h +++ b/lib/gc.h @@ -85,6 +85,19 @@ extern Gc_rc gc_hmac_sha1 (const void *key, size_t keylen, const void *in, size_t inlen, char *resbuf); +/* Derive cryptographic keys from a password P of length PLEN, with + salt S of length SLEN, placing the result in pre-allocated buffer + DK of length DKLEN. An iteration count is specified in C, where a + larger value means this function take more time (typical iteration + counts are 1000-20000). This function "stretches" the key to be + exactly dkLen bytes long. GC_OK is returned on success, otherwise + an Gc_rc error code is returned. */ +extern Gc_rc +gc_pbkdf2_sha1 (const char *P, size_t Plen, + const char *S, size_t Slen, + unsigned int c, + char *DK, size_t dkLen); + /* TODO: diff --git a/m4/ChangeLog b/m4/ChangeLog index cebd285944..41aeffe3fe 100644 --- a/m4/ChangeLog +++ b/m4/ChangeLog @@ -1,5 +1,7 @@ 2005-10-12 Simon Josefsson + * gc-pbkdf2-sha1.m4: New file. + * gc-hmac-sha1.m4: New file. * gc-sha1: New file. diff --git a/m4/gc-pbkdf2-sha1.m4 b/m4/gc-pbkdf2-sha1.m4 new file mode 100644 index 0000000000..674f739677 --- /dev/null +++ b/m4/gc-pbkdf2-sha1.m4 @@ -0,0 +1,11 @@ +# gc-pbkdf2-sha1.m4 serial 1 +dnl Copyright (C) 2005 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_GC_PBKDF2_SHA1], +[ + AC_LIBSOURCES([gc-pbkdf2-sha1.c]) + AC_LIBOBJ([gc-pbkdf2-sha1]) +]) diff --git a/modules/gc-pbkdf2-sha1 b/modules/gc-pbkdf2-sha1 new file mode 100644 index 0000000000..431e054208 --- /dev/null +++ b/modules/gc-pbkdf2-sha1 @@ -0,0 +1,24 @@ +Description: +Password-Based Key Derivation Function according to PKCS#5/RFC2898 + +Files: +lib/gc-pbkdf2-sha1.c +m4/gc-pbkdf2-sha1.m4 + +Depends-on: +gc +gc-hmac-sha1 + +configure.ac: +gl_GC_PBKDF2_SHA1 + +Makefile.am: + +Include: +"gc.h" + +License: +LGPL + +Maintainer: +Simon Josefsson diff --git a/modules/gc-pbkdf2-sha1-tests b/modules/gc-pbkdf2-sha1-tests new file mode 100644 index 0000000000..f1aa118882 --- /dev/null +++ b/modules/gc-pbkdf2-sha1-tests @@ -0,0 +1,11 @@ +Files: +tests/test-gc-pbkdf2-sha1.c + +Depends-on: + +configure.ac: + +Makefile.am: +TESTS += test-gc-pbkdf2-sha1 +noinst_PROGRAMS += test-gc-pbkdf2-sha1 +test_gc_pbkdf2_sha1_SOURCES = test-gc-pbkdf2-sha1.c diff --git a/tests/test-gc-pbkdf2-sha1.c b/tests/test-gc-pbkdf2-sha1.c new file mode 100644 index 0000000000..8027b9cb3e --- /dev/null +++ b/tests/test-gc-pbkdf2-sha1.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2002, 2003, 2004, 2005 Free Software Foundation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. */ + +/* Written by Simon Josefsson. */ + +#ifdef HAVE_CONFIG_H +# include +#endif + +#include "gc.h" + +#include +#include + +/* Test vectors from RFC 3962. */ + +#define G_CLEF "\xF0\x9D\x84\x9E" + +struct pkcs5 +{ + int iterations; + const char *password; + const char *salt; + int dklen; + const char *expected; +}; +const struct pkcs5 pkcs5[] = { + {1, "password", "ATHENA.MIT.EDUraeburn", 16, + "\xCD\xED\xB5\x28\x1B\xB2\xF8\x01\x56\x5A\x11\x22\xB2\x56\x35\x15"}, + {2, "password", "ATHENA.MIT.EDUraeburn", 16, + "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e\x98\x8b\x62\xc7\x3c\xda\x93\x5d"}, + {2, "password", "ATHENA.MIT.EDUraeburn", 32, + "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e\x98\x8b\x62\xc7\x3c\xda\x93\x5d" + "\xa0\x53\x78\xb9\x32\x44\xec\x8f\x48\xa9\x9e\x61\xad\x79\x9d\x86"}, + {1200, "password", "ATHENA.MIT.EDUraeburn", 16, + "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b"}, + {1200, "password", "ATHENA.MIT.EDUraeburn", 32, + "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b" + "\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f\x70\x8a\x31\xe2\xe6\x2b\x1e\x13"}, + {5, "password", "\x12\x34\x56\x78\x78\x56\x34\x12\x00", 16, + "\xd1\xda\xa7\x86\x15\xf2\x87\xe6\xa1\xc8\xb1\x20\xd7\x06\x2a\x49"}, + {5, "password", "\x12\x34\x56\x78\x78\x56\x34\x12\x00", 32, + "\xd1\xda\xa7\x86\x15\xf2\x87\xe6\xa1\xc8\xb1\x20\xd7\x06\x2a\x49" + "\x3f\x98\xd2\x03\xe6\xbe\x49\xa6\xad\xf4\xfa\x57\x4b\x6e\x64\xee"}, + {1200, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "pass phrase equals block size", 16, + "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9"}, + {1200, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "pass phrase equals block size", 32, + "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9" + "\xc5\xec\x59\xf1\xa4\x52\xf5\xcc\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1"}, + {1200, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "pass phrase exceeds block size", 16, + "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5\x1b\x10\xe6\xa6\x87\x21\xbe\x61"}, + {1200, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "pass phrase exceeds block size", 32, + "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5\x1b\x10\xe6\xa6\x87\x21\xbe\x61" + "\x1a\x8b\x4d\x28\x26\x01\xdb\x3b\x36\xbe\x92\x46\x91\x5e\xc8\x2a"}, + {50, G_CLEF "\x00", "EXAMPLE.COMpianist", 16, + "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43\xa5\xb8\xbb\x27\x6a\x40\x3b\x39"}, + {50, G_CLEF "\x00", "EXAMPLE.COMpianist", 32, + "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43\xa5\xb8\xbb\x27\x6a\x40\x3b\x39" + "\xe7\xfe\x37\xa0\xc4\x1e\x02\xc2\x81\xff\x30\x69\xe1\xe9\x4f\x52"}, + {500, "All n-entities must communicate with other n-entities via n-1 " + "entiteeheehees", "\x12\x34\x56\x78\x78\x56\x34\x12\x00", 16, + "\x6A\x89\x70\xBF\x68\xC9\x2C\xAE\xA8\x4A\x8D\xF2\x85\x10\x85\x86"} +}; + +int +main (int argc, char *argv[]) +{ + size_t i; + int rc; + char out[BUFSIZ]; + + for (i = 0; i < sizeof (pkcs5) / sizeof (pkcs5[0]); i++) + { + rc = gc_pbkdf2_sha1 (pkcs5[i].password, strlen (pkcs5[i].password), + pkcs5[i].salt, strlen (pkcs5[i].salt), + pkcs5[i].iterations, out, pkcs5[i].dklen); + if (rc != GC_OK) + { + printf ("PKCS5 entry %d failed fatally: %d\n", i, rc); + return 1; + } + + if (memcmp (pkcs5[i].expected, out, pkcs5[i].dklen) != 0) + { + printf ("PKCS5 entry %d failed\n", i); + return 1; + } + } + + return 0; +}