---------------------------------------------------------------------------
Copyright (c) 2002, Dr Brian Gladman < >, Worcester, UK.
The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:
1. distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
2. distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
3. the copyright holder's name is not used to endorse products
built using this software without specific written permission.
ALTERNATIVELY, provided that this notice is retained in full, this product
may be distributed under the terms of the GNU General Public License (GPL),
in which case the provisions of the GPL apply INSTEAD OF those given above.
This software is provided 'as is' with no explicit or implied warranties
in respect of its properties, including, but not limited to, correctness
and/or fitness for purpose.
---------------------------------------------------------------------------
Issue Date: 26/08/2003
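This is an implementation of RFC2898, which specifies key derivation from
a password and a salt value. The routine below follows that document's
PBKDF2 construction, using HMAC as the pseudorandom function.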
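/*
 * Overwrite a buffer that held key material.  The stores go through a
 * volatile-qualified pointer so that the compiler is not free to drop them
 * as dead writes, which it may do to a plain memset() on an object that is
 * about to go out of scope.
 */
static void wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;

    while(len-- > 0)
        *p++ = 0;
}

/*
 * Derive key_len bytes of key material from a password and a salt.
 *
 * For output block number i (counted from 1) the first HMAC is taken over
 * the salt followed by i as a 4-byte big-endian value; each later HMAC is
 * taken over the previous HMAC output.  All iter outputs are xored together
 * to give the block, and blocks are concatenated (the last one truncated)
 * to fill key[].  Every HMAC is keyed with the password.
 *
 * Caller obligations:
 *   - key[] must have room for key_len bytes;
 *   - iter must be at least 1.  With iter == 0 the mixing loop never runs
 *     and every output byte is zero, i.e. the "key" does not depend on the
 *     password at all.  The function returns void and cannot report this,
 *     so the caller has to reject a zero count before calling;
 *   - key_len == 0 writes nothing.
 *
 * The password-keyed HMAC contexts and the intermediate blocks are wiped
 * before returning so that they do not linger on the stack.
 */
void derive_key(const unsigned char pwd[],  /* the PASSWORD             */
                unsigned int pwd_len,       /* and its length           */
                const unsigned char salt[], /* the SALT and its         */
                unsigned int salt_len,      /* length                   */
                unsigned int iter,          /* the number of iterations */
                unsigned char key[],        /* space for the output key */
                unsigned int key_len)       /* and its required length  */
{
    unsigned int i, j, k, n_blk;
    unsigned char uu[HASH_OUTPUT_SIZE], ux[HASH_OUTPUT_SIZE];
    hmac_ctx c1[1], c2[1], c3[1];

    /* nothing to derive; this also stops (key_len - 1) below from wrapping */
    /* round to UINT_MAX and sending the block loop through ~2^32 / hash    */
    /* size iterations that each run iter HMACs and write nothing           */
    if(key_len == 0)
        return;

    /* set HMAC context (c1) for password */
    /* NOTE(review): hmac_sha_begin() is not shown in the listing this was   */
    /* taken from (its numbering skips a line here); confirm against hmac.h  */
    /* that a context must be started before hmac_sha_key() is called        */
    hmac_sha_begin(c1);
    hmac_sha_key(pwd, pwd_len, c1);

    /* set HMAC context (c2) for password and salt */
    memcpy(c2, c1, sizeof(hmac_ctx));
    hmac_sha_data(salt, salt_len, c2);

    /* find the number of SHA blocks in the key */
    n_blk = 1 + (key_len - 1) / HASH_OUTPUT_SIZE;

    for(i = 0; i < n_blk; ++i) /* for each block in key */
    {
        /* ux[] holds the running xor value */
        memset(ux, 0, HASH_OUTPUT_SIZE);

        /* set HMAC context (c3) for password and salt */
        memcpy(c3, c2, sizeof(hmac_ctx));

        /* enter additional data for 1st block into uu: the block */
        /* number (i + 1), most significant byte first            */
        uu[0] = (unsigned char)((i + 1) >> 24);
        uu[1] = (unsigned char)((i + 1) >> 16);
        uu[2] = (unsigned char)((i + 1) >> 8);
        uu[3] = (unsigned char)(i + 1);

        /* this is the key mixing iteration; k is the number of bytes of */
        /* uu[] fed to the HMAC: 4 (the block number) on the first pass, */
        /* HASH_OUTPUT_SIZE afterwards, which is the value the xor loop  */
        /* below leaves in k                                             */
        for(j = 0, k = 4; j < iter; ++j)
        {
            /* add previous round data to HMAC */
            hmac_sha_data(uu, k, c3);

            /* obtain HMAC for uu[] */
            hmac_sha_end(uu, HASH_OUTPUT_SIZE, c3);

            /* xor into the running xor block */
            for(k = 0; k < HASH_OUTPUT_SIZE; ++k)
                ux[k] ^= uu[k];

            /* set HMAC context (c3) for password */
            memcpy(c3, c1, sizeof(hmac_ctx));
        }

        /* compile key blocks into the key output; the k < key_len */
        /* bound truncates the final block                         */
        j = 0; k = i * HASH_OUTPUT_SIZE;
        while(j < HASH_OUTPUT_SIZE && k < key_len)
            key[k++] = ux[j++];
    }

    /* remove password-dependent state from the stack */
    wipe_secret(c1, sizeof c1);
    wipe_secret(c2, sizeof c2);
    wipe_secret(c3, sizeof c3);
    wipe_secret(uu, sizeof uu);
    wipe_secret(ux, sizeof ux);
}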
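/*
 * Known-answer vectors for derive_key().  Each entry gives the password
 * length, salt length and iteration count, then the password, the salt and
 * the expected key.  Only 16 key bytes are listed per entry; the rest of
 * key[] is zero-filled by the initializer, and the test driver compares
 * just those 16 bytes.
 *
 * NOTE(review): the three "ATHENA.MIT.EDUraeburn" entries look like the
 * PBKDF2 HMAC-SHA1 vectors published in RFC 3962 Appendix B - confirm.
 *
 * The iteration counts here (1, 2, 5, 1200) exist to reproduce published
 * answers quickly; they are not a recommendation for deployed work factors.
 */
static const struct
{   unsigned int        pwd_len;
    unsigned int        salt_len;
    unsigned int        it_count;
    const unsigned char *pwd;       /* not NUL-terminated as far as  */
                                    /* derive_key is concerned: only */
                                    /* pwd_len bytes are used        */
    unsigned char       salt[32];
    unsigned char       key[32];
} tests[] =
{
    {   8, 4, 5, (const unsigned char*)"password",
        {
            0x12, 0x34, 0x56, 0x78
        },
        {
            0x5c, 0x75, 0xce, 0xf0, 0x1a, 0x96, 0x0d, 0xf7,
            0x4c, 0xb6, 0xb4, 0x9b, 0x9e, 0x38, 0xe6, 0xb5
        }
    },
    {   8, 8, 5, (const unsigned char*)"password",
        {
            0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
        },
        {
            0xd1, 0xda, 0xa7, 0x86, 0x15, 0xf2, 0x87, 0xe6,
            0xa1, 0xc8, 0xb1, 0x20, 0xd7, 0x06, 0x2a, 0x49
        }
    },
    {   8, 21, 1, (const unsigned char*)"password",
        {
            "ATHENA.MIT.EDUraeburn"
        },
        {
            0xcd, 0xed, 0xb5, 0x28, 0x1b, 0xb2, 0xf8, 0x01,
            0x56, 0x5a, 0x11, 0x22, 0xb2, 0x56, 0x35, 0x15
        }
    },
    {   8, 21, 2, (const unsigned char*)"password",
        {
            "ATHENA.MIT.EDUraeburn"
        },
        {
            0x01, 0xdb, 0xee, 0x7f, 0x4a, 0x9e, 0x24, 0x3e,
            0x98, 0x8b, 0x62, 0xc7, 0x3c, 0xda, 0x93, 0x5d
        }
    },
    {   8, 21, 1200, (const unsigned char*)"password",
        {
            "ATHENA.MIT.EDUraeburn"
        },
        {
            0x5c, 0x08, 0xeb, 0x61, 0xfd, 0xf7, 0x1e, 0x4e,
            0x4e, 0xc3, 0xcf, 0x6b, 0xa1, 0xf5, 0x51, 0x2b
        }
    }
};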
{ unsigned int i, j, key_len = 256;
unsigned char key[256];
printf("\nTest of RFC2898 Password Based Key Derivation");
for(i = 0; i < 5; ++i)
derive_key(tests[i].pwd, tests[i].pwd_len, tests[i].salt,
tests[i].salt_len, tests[i].it_count, key, key_len);
printf("\ntest %i: ", i + 1);
printf("key %s", memcmp(tests[i].key, key, 16) ? "is bad" : "is good");
for(j = 0; j < key_len && j < 64; j += 4)
printf("0x%02x%02x%02x%02x ", key[j], key[j + 1], key[j + 2], key[j + 3]);
printf(j < key_len ? " ... \n" : "\n");