pkcs5_pbkdf2.c revision 1.9
1 /* $NetBSD: pkcs5_pbkdf2.c,v 1.9 2006/08/26 18:14:28 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Roland C. Dowdeswell. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the NetBSD 21 * Foundation, Inc. and its contributors. 22 * 4. Neither the name of The NetBSD Foundation nor the names of its 23 * contributors may be used to endorse or promote products derived 24 * from this software without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36 * POSSIBILITY OF SUCH DAMAGE. 37 */ 38 39 /* 40 * This code is an implementation of PKCS #5 PBKDF2 which is described 41 * in: 42 * 43 * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories, 44 * March 25, 1999. 45 * 46 * and can be found at the following URL: 47 * 48 * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/ 49 * 50 * It was also republished as RFC 2898. 51 */ 52 53 54 #include <sys/cdefs.h> 55 #ifndef lint 56 __RCSID("$NetBSD: pkcs5_pbkdf2.c,v 1.9 2006/08/26 18:14:28 christos Exp $"); 57 #endif 58 59 #include <sys/resource.h> 60 61 #include <assert.h> 62 #include <stdlib.h> 63 #include <string.h> 64 #include <err.h> 65 #include <util.h> 66 67 #include <openssl/hmac.h> 68 69 #include "pkcs5_pbkdf2.h" 70 #include "utils.h" 71 72 static void int_encode(u_int8_t *, int); 73 static void prf_iterate(u_int8_t *, const u_int8_t *, int, 74 const u_int8_t *, int, int, int); 75 static int pkcs5_pbkdf2_time(int, int); 76 77 #define PRF_BLOCKLEN 20 78 79 /* 80 * int_encode encodes i as a four octet integer, most significant 81 * octet first. (from the end of Step 3). 82 */ 83 84 static void 85 int_encode(u_int8_t *res, int i) 86 { 87 88 *res++ = (i >> 24) & 0xff; 89 *res++ = (i >> 16) & 0xff; 90 *res++ = (i >> 8) & 0xff; 91 *res = (i ) & 0xff; 92 } 93 94 static void 95 prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen, 96 const u_int8_t *S, int Slen, int c, int ind) 97 { 98 int first_time = 1; 99 int i; 100 int datalen; 101 u_int tmplen; 102 u_int8_t *data; 103 u_int8_t tmp[EVP_MAX_MD_SIZE]; 104 105 data = emalloc(Slen + 4); 106 memcpy(data, S, Slen); 107 int_encode(data + Slen, ind); 108 datalen = Slen + 4; 109 110 for (i=0; i < c; i++) { 111 HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen); 112 113 assert(tmplen == PRF_BLOCKLEN); 114 115 if (first_time) { 116 memcpy(r, tmp, PRF_BLOCKLEN); 117 first_time = 0; 118 } else 119 memxor(r, tmp, PRF_BLOCKLEN); 120 memcpy(data, tmp, PRF_BLOCKLEN); 121 datalen = PRF_BLOCKLEN; 122 } 123 free(data); 124 } 125 126 /* 127 * pkcs5_pbkdf2 takes all of its lengths in bytes. 128 */ 129 130 int 131 pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen, 132 const u_int8_t *S, int Slen, int c, int compat) 133 { 134 int i; 135 int l; 136 137 /* sanity */ 138 if (!r) 139 return -1; 140 if (dkLen <= 0) 141 return -1; 142 if (c < 1) 143 return -1; 144 145 /* Step 2 */ 146 l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN; 147 148 /* allocate the output */ 149 *r = emalloc(l * PRF_BLOCKLEN); 150 151 /* Step 3 */ 152 for (i=0; i < l; i++) 153 prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c, 154 (compat?i:i+1)); 155 156 /* Step 4 and 5 157 * by the structure of the code, we do not need to concatenate 158 * the blocks, they're already concatenated. We do not extract 159 * the first dkLen octets, since we [naturally] assume that the 160 * calling function will use only the octets that it needs and 161 * the free(3) will free all of the allocated memory. 162 */ 163 return 0; 164 } 165 166 /* 167 * We use predefined lengths for the password and salt to ensure that 168 * no analysis can be done on the output of the calibration based on 169 * those parameters. We do not do the same for dkLen because: 170 * 1. dkLen is known to the attacker if they know the iteration 171 * count, and 172 * 2. using the wrong dkLen will skew the calibration by an 173 * integral factor n = (dkLen / 160). 174 */ 175 176 #define CAL_PASSLEN 64 177 #define CAL_SALTLEN 64 178 #define CAL_TIME 30000 /* Minimum number of microseconds that 179 * are considered significant. 180 */ 181 182 /* 183 * We return the user time in microseconds that c iterations 184 * of the algorithm take. 185 */ 186 187 static int 188 pkcs5_pbkdf2_time(int dkLen, int c) 189 { 190 struct rusage start; 191 struct rusage end; 192 int ret; 193 u_int8_t *r = NULL; 194 u_int8_t P[CAL_PASSLEN]; 195 u_int8_t S[CAL_SALTLEN]; 196 197 getrusage(RUSAGE_SELF, &start); 198 /* XXX compat flag at end to be removed when _OLD keygen method is */ 199 ret = pkcs5_pbkdf2(&r, dkLen, P, sizeof(P), S, sizeof(S), c, 0); 200 if (ret) 201 return ret; 202 getrusage(RUSAGE_SELF, &end); 203 free(r); 204 205 return (end.ru_utime.tv_sec - start.ru_utime.tv_sec) * 1000000 206 + (end.ru_utime.tv_usec - start.ru_utime.tv_usec); 207 } 208 209 int 210 pkcs5_pbkdf2_calibrate(int dkLen, int microseconds) 211 { 212 int c; 213 int t = 0; 214 int ret; 215 216 /* 217 * First we get a meaningfully long time by doubling the 218 * iteration count until it takes longer than CAL_TIME. This 219 * should take approximately 2 * CAL_TIME. 220 */ 221 for (c=1;; c *= 2) { 222 t = pkcs5_pbkdf2_time(dkLen, c); 223 if (t > CAL_TIME) 224 break; 225 } 226 227 /* Now that we know that, we scale it. */ 228 ret = (int) ((u_int64_t) c * microseconds / t); 229 230 /* 231 * Since it is quite important to not get this wrong, 232 * we test the result. 233 */ 234 235 t = pkcs5_pbkdf2_time(dkLen, ret); 236 237 /* if we are over 5% off, return an error */ 238 if (abs(microseconds - t) > (microseconds / 20)) 239 return -1; 240 241 return ret; 242 } 243
Indexes created Tue Sep 30 20:09:53 GMT 2025