1 1.17 nia /* $NetBSD: pkcs5_pbkdf2.c,v 1.17 2021/11/22 16:04:03 nia Exp $ */ 2 1.1 elric 3 1.1 elric /*- 4 1.2 elric * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 1.1 elric * All rights reserved. 6 1.1 elric * 7 1.1 elric * This code is derived from software contributed to The NetBSD Foundation 8 1.1 elric * by Roland C. Dowdeswell. 9 1.1 elric * 10 1.1 elric * Redistribution and use in source and binary forms, with or without 11 1.1 elric * modification, are permitted provided that the following conditions 12 1.1 elric * are met: 13 1.1 elric * 1. Redistributions of source code must retain the above copyright 14 1.1 elric * notice, this list of conditions and the following disclaimer. 15 1.1 elric * 2. Redistributions in binary form must reproduce the above copyright 16 1.1 elric * notice, this list of conditions and the following disclaimer in the 17 1.1 elric * documentation and/or other materials provided with the distribution. 18 1.1 elric * 19 1.1 elric * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 1.1 elric * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 1.1 elric * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 1.1 elric * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 1.1 elric * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 1.1 elric * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 1.1 elric * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 1.1 elric * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 1.1 elric * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 1.1 elric * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 1.1 elric * POSSIBILITY OF SUCH DAMAGE. 30 1.1 elric */ 31 1.1 elric 32 1.1 elric /* 33 1.1 elric * This code is an implementation of PKCS #5 PBKDF2 which is described 34 1.1 elric * in: 35 1.1 elric * 36 1.1 elric * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories, 37 1.1 elric * March 25, 1999. 38 1.1 elric * 39 1.1 elric * and can be found at the following URL: 40 1.1 elric * 41 1.1 elric * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/ 42 1.1 elric * 43 1.1 elric * It was also republished as RFC 2898. 44 1.1 elric */ 45 1.1 elric 46 1.1 elric 47 1.1 elric #include <sys/cdefs.h> 48 1.1 elric #ifndef lint 49 1.17 nia __RCSID("$NetBSD: pkcs5_pbkdf2.c,v 1.17 2021/11/22 16:04:03 nia Exp $"); 50 1.1 elric #endif 51 1.1 elric 52 1.2 elric #include <sys/resource.h> 53 1.10 cbiere #include <sys/endian.h> 54 1.2 elric 55 1.1 elric #include <assert.h> 56 1.17 nia #include <stdio.h> 57 1.1 elric #include <stdlib.h> 58 1.1 elric #include <string.h> 59 1.9 christos #include <err.h> 60 1.9 christos #include <util.h> 61 1.1 elric 62 1.1 elric #include "pkcs5_pbkdf2.h" 63 1.1 elric #include "utils.h" 64 1.1 elric 65 1.11 christos static void prf_iterate(u_int8_t *, const u_int8_t *, size_t, 66 1.11 christos const u_int8_t *, size_t, size_t, size_t); 67 1.11 christos static int pkcs5_pbkdf2_time(size_t, size_t); 68 1.1 elric 69 1.1 elric #define PRF_BLOCKLEN 20 70 1.1 elric 71 1.2 elric static void 72 1.11 christos prf_iterate(u_int8_t *r, const u_int8_t *P, size_t Plen, 73 1.11 christos const u_int8_t *S, size_t Slen, size_t c, size_t ind) 74 1.1 elric { 75 1.1 elric int first_time = 1; 76 1.11 christos size_t i; 77 1.11 christos size_t datalen; 78 1.16 christos ssize_t tmplen; 79 1.1 elric u_int8_t *data; 80 1.16 christos u_int8_t tmp[128]; 81 1.1 elric 82 1.7 christos data = emalloc(Slen + 4); 83 1.11 christos (void)memcpy(data, S, Slen); 84 1.10 cbiere be32enc(data + Slen, ind); 85 1.1 elric datalen = Slen + 4; 86 1.1 elric 87 1.1 elric for (i=0; i < c; i++) { 88 1.16 christos tmplen = hmac("sha1", P, Plen, data, datalen, tmp, sizeof(tmp)); 89 1.1 elric 90 1.1 elric assert(tmplen == PRF_BLOCKLEN); 91 1.1 elric 92 1.1 elric if (first_time) { 93 1.11 christos (void)memcpy(r, tmp, PRF_BLOCKLEN); 94 1.1 elric first_time = 0; 95 1.15 elric } else 96 1.1 elric memxor(r, tmp, PRF_BLOCKLEN); 97 1.11 christos (void)memcpy(data, tmp, PRF_BLOCKLEN); 98 1.1 elric datalen = PRF_BLOCKLEN; 99 1.1 elric } 100 1.1 elric free(data); 101 1.1 elric } 102 1.1 elric 103 1.1 elric /* 104 1.1 elric * pkcs5_pbkdf2 takes all of its lengths in bytes. 105 1.1 elric */ 106 1.1 elric 107 1.1 elric int 108 1.11 christos pkcs5_pbkdf2(u_int8_t **r, size_t dkLen, const u_int8_t *P, size_t Plen, 109 1.11 christos const u_int8_t *S, size_t Slen, size_t c, int compat) 110 1.1 elric { 111 1.11 christos size_t i; 112 1.11 christos size_t l; 113 1.1 elric 114 1.1 elric /* sanity */ 115 1.1 elric if (!r) 116 1.1 elric return -1; 117 1.11 christos if (dkLen == 0) 118 1.1 elric return -1; 119 1.1 elric if (c < 1) 120 1.1 elric return -1; 121 1.1 elric 122 1.1 elric /* Step 2 */ 123 1.1 elric l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN; 124 1.1 elric 125 1.1 elric /* allocate the output */ 126 1.7 christos *r = emalloc(l * PRF_BLOCKLEN); 127 1.1 elric 128 1.1 elric /* Step 3 */ 129 1.11 christos for (i = 0; i < l; i++) 130 1.15 elric prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c, 131 1.5 dan (compat?i:i+1)); 132 1.1 elric 133 1.1 elric /* Step 4 and 5 134 1.1 elric * by the structure of the code, we do not need to concatenate 135 1.1 elric * the blocks, they're already concatenated. We do not extract 136 1.1 elric * the first dkLen octets, since we [naturally] assume that the 137 1.1 elric * calling function will use only the octets that it needs and 138 1.1 elric * the free(3) will free all of the allocated memory. 139 1.1 elric */ 140 1.1 elric return 0; 141 1.2 elric } 142 1.2 elric 143 1.2 elric /* 144 1.2 elric * We use predefined lengths for the password and salt to ensure that 145 1.2 elric * no analysis can be done on the output of the calibration based on 146 1.2 elric * those parameters. We do not do the same for dkLen because: 147 1.2 elric * 1. dkLen is known to the attacker if they know the iteration 148 1.2 elric * count, and 149 1.2 elric * 2. using the wrong dkLen will skew the calibration by an 150 1.2 elric * integral factor n = (dkLen / 160). 151 1.2 elric */ 152 1.2 elric 153 1.2 elric #define CAL_PASSLEN 64 154 1.2 elric #define CAL_SALTLEN 64 155 1.2 elric #define CAL_TIME 30000 /* Minimum number of microseconds that 156 1.2 elric * are considered significant. 157 1.2 elric */ 158 1.2 elric 159 1.2 elric /* 160 1.6 elric * We return the user time in microseconds that c iterations 161 1.2 elric * of the algorithm take. 162 1.2 elric */ 163 1.2 elric 164 1.2 elric static int 165 1.11 christos pkcs5_pbkdf2_time(size_t dkLen, size_t c) 166 1.2 elric { 167 1.2 elric struct rusage start; 168 1.2 elric struct rusage end; 169 1.2 elric int ret; 170 1.2 elric u_int8_t *r = NULL; 171 1.2 elric u_int8_t P[CAL_PASSLEN]; 172 1.2 elric u_int8_t S[CAL_SALTLEN]; 173 1.2 elric 174 1.11 christos (void)getrusage(RUSAGE_SELF, &start); 175 1.5 dan /* XXX compat flag at end to be removed when _OLD keygen method is */ 176 1.5 dan ret = pkcs5_pbkdf2(&r, dkLen, P, sizeof(P), S, sizeof(S), c, 0); 177 1.2 elric if (ret) 178 1.2 elric return ret; 179 1.11 christos (void)getrusage(RUSAGE_SELF, &end); 180 1.2 elric free(r); 181 1.2 elric 182 1.2 elric return (end.ru_utime.tv_sec - start.ru_utime.tv_sec) * 1000000 183 1.2 elric + (end.ru_utime.tv_usec - start.ru_utime.tv_usec); 184 1.2 elric } 185 1.2 elric 186 1.2 elric int 187 1.11 christos pkcs5_pbkdf2_calibrate(size_t dkLen, int microseconds) 188 1.2 elric { 189 1.11 christos size_t c; 190 1.2 elric int t = 0; 191 1.13 christos size_t ret, i; 192 1.2 elric 193 1.17 nia fprintf(stderr, "pkcs5_pbkdf2: calibrating iterations..."); 194 1.17 nia 195 1.13 christos for (i = 0; i < 5; i++) { 196 1.13 christos /* 197 1.13 christos * First we get a meaningfully long time by doubling the 198 1.13 christos * iteration count until it takes longer than CAL_TIME. This 199 1.13 christos * should take approximately 2 * CAL_TIME. 200 1.13 christos */ 201 1.13 christos for (c = 1;; c *= 2) { 202 1.13 christos t = pkcs5_pbkdf2_time(dkLen, c); 203 1.17 nia fprintf(stderr, "."); 204 1.13 christos if (t > CAL_TIME) 205 1.13 christos break; 206 1.13 christos } 207 1.13 christos 208 1.13 christos /* Now that we know that, we scale it. */ 209 1.13 christos ret = (size_t) ((u_int64_t) c * microseconds / t); 210 1.13 christos 211 1.13 christos /* 212 1.13 christos * Since it is quite important to not get this wrong, 213 1.13 christos * we test the result. 214 1.13 christos */ 215 1.13 christos 216 1.13 christos t = pkcs5_pbkdf2_time(dkLen, ret); 217 1.13 christos 218 1.13 christos /* if we are over 5% off, return an error */ 219 1.13 christos if (abs(microseconds - t) > (microseconds / 20)) 220 1.13 christos continue; 221 1.17 nia fprintf(stderr, " done\n"); 222 1.13 christos return ret; 223 1.2 elric } 224 1.17 nia fprintf(stderr, " failed\n"); 225 1.13 christos return -1; 226 1.1 elric } 227
Indexes created Tue Sep 30 10:09:55 GMT 2025