1
/* kdf.c - Key Derivation Functions
2
* Copyright (C) 1998, 2011 Free Software Foundation, Inc.
4
* This file is part of Libgcrypt.
6
* Libgcrypt is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU Lesser general Public License as
8
* published by the Free Software Foundation; either version 2.1 of
9
* the License, or (at your option) any later version.
11
* Libgcrypt is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU Lesser General Public License for more details.
16
* You should have received a copy of the GNU Lesser General Public
17
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
31
/* Transform a passphrase into a suitable key of length KEYSIZE and
32
store this key in the caller provided buffer KEYBUFFER. The caller
33
must provide an HASHALGO, a valid ALGO and depending on that algo a
34
SALT of 8 bytes and the number of ITERATIONS. Code taken from
35
gnupg/agent/protect.c:hash_passphrase. */
37
openpgp_s2k (const void *passphrase, size_t passphraselen,
38
int algo, int hashalgo,
39
const void *salt, size_t saltlen,
40
unsigned long iterations,
41
size_t keysize, void *keybuffer)
45
char *key = keybuffer;
50
if ((algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
51
&& (!salt || saltlen != 8))
52
return GPG_ERR_INV_VALUE;
54
secmode = gcry_is_secure (passphrase) || gcry_is_secure (keybuffer);
56
ec = gpg_err_code (gcry_md_open (&md, hashalgo,
57
secmode? GCRY_MD_FLAG_SECURE : 0));
61
for (pass=0; used < keysize; pass++)
66
for (i=0; i < pass; i++) /* Preset the hash context. */
70
if (algo == GCRY_KDF_SALTED_S2K || algo == GCRY_KDF_ITERSALTED_S2K)
72
int len2 = passphraselen + 8;
73
unsigned long count = len2;
75
if (algo == GCRY_KDF_ITERSALTED_S2K)
84
gcry_md_write (md, salt, saltlen);
85
gcry_md_write (md, passphrase, passphraselen);
89
gcry_md_write (md, salt, count);
92
gcry_md_write (md, salt, saltlen);
94
gcry_md_write (md, passphrase, count);
98
gcry_md_write (md, passphrase, passphraselen);
101
i = gcry_md_get_algo_dlen (hashalgo);
102
if (i > keysize - used)
104
memcpy (key+used, gcry_md_read (md, hashalgo), i);
112
/* Transform a passphrase into a suitable key of length KEYSIZE and
113
store this key in the caller provided buffer KEYBUFFER. The caller
114
must provide PRFALGO which indicates the pseudorandom function to
115
use: This shall be the algorithms id of a hash algorithm; it is
116
used in HMAC mode. SALT is a salt of length SALTLEN and ITERATIONS
117
gives the number of iterations. */
119
pkdf2 (const void *passphrase, size_t passphraselen,
121
const void *salt, size_t saltlen,
122
unsigned long iterations,
123
size_t keysize, void *keybuffer)
128
unsigned int dklen = keysize;
129
char *dk = keybuffer;
130
unsigned int hlen; /* Output length of the digest function. */
131
unsigned int l; /* Rounded up number of blocks. */
132
unsigned int r; /* Number of octets in the last block. */
133
char *sbuf; /* Malloced buffer to concatenate salt and iter
134
as well as space to hold TBUF and UBUF. */
135
char *tbuf; /* Buffer for T; ptr into SBUF, size is HLEN. */
136
char *ubuf; /* Buffer for U; ptr into SBUF, size is HLEN. */
137
unsigned int lidx; /* Current block number. */
138
unsigned long iter; /* Current iteration number. */
141
if (!salt || !saltlen || !iterations || !dklen)
142
return GPG_ERR_INV_VALUE;
144
hlen = gcry_md_get_algo_dlen (hashalgo);
146
return GPG_ERR_DIGEST_ALGO;
148
secmode = gcry_is_secure (passphrase) || gcry_is_secure (keybuffer);
150
/* We ignore step 1 from pksc5v2.1 which demands a check that dklen
151
is not larger that 0xffffffff * hlen. */
154
l = ((dklen - 1)/ hlen) + 1;
155
r = dklen - (l - 1) * hlen;
157
/* Setup buffers and prepare a hash context. */
159
? gcry_malloc_secure (saltlen + 4 + hlen + hlen)
160
: gcry_malloc (saltlen + 4 + hlen + hlen));
162
return gpg_err_code_from_syserror ();
163
tbuf = sbuf + saltlen + 4;
166
ec = gpg_err_code (gcry_md_open (&md, hashalgo,
168
| (secmode?GCRY_MD_FLAG_SECURE:0))));
176
memcpy (sbuf, salt, saltlen);
177
for (lidx = 1; lidx <= l; lidx++)
179
for (iter = 0; iter < iterations; iter++)
181
ec = gpg_err_code (gcry_md_setkey (md, passphrase, passphraselen));
188
if (!iter) /* Compute U_1: */
190
sbuf[saltlen] = (lidx >> 24);
191
sbuf[saltlen + 1] = (lidx >> 16);
192
sbuf[saltlen + 2] = (lidx >> 8);
193
sbuf[saltlen + 3] = lidx;
194
gcry_md_write (md, sbuf, saltlen + 4);
195
memcpy (ubuf, gcry_md_read (md, 0), hlen);
196
memcpy (tbuf, ubuf, hlen);
198
else /* Compute U_(2..c): */
200
gcry_md_write (md, ubuf, hlen);
201
memcpy (ubuf, gcry_md_read (md, 0), hlen);
202
for (i=0; i < hlen; i++)
206
if (lidx == l) /* Last block. */
207
memcpy (dk, tbuf, r);
210
memcpy (dk, tbuf, hlen);
221
/* Derive a key from a passphrase. KEYSIZE gives the requested size
222
of the keys in octets. KEYBUFFER is a caller provided buffer
223
filled on success with the derived key. The input passphrase is
224
taken from (PASSPHRASE,PASSPHRASELEN) which is an arbitrary memory
225
buffer. ALGO specifies the KDF algorithm to use; these are the
226
constants GCRY_KDF_*. SUBALGO specifies an algorithm used
227
internally by the KDF algorithms; this is usually a hash algorithm
228
but certain KDF algorithm may use it differently. {SALT,SALTLEN}
229
is a salt as needed by most KDF algorithms. ITERATIONS is a
230
positive integer parameter to most KDFs. 0 is returned on success,
231
or an error code on failure. */
233
gcry_kdf_derive (const void *passphrase, size_t passphraselen,
234
int algo, int subalgo,
235
const void *salt, size_t saltlen,
236
unsigned long iterations,
237
size_t keysize, void *keybuffer)
241
if (!passphrase || (!passphraselen && algo != GCRY_KDF_PBKDF2))
243
ec = GPG_ERR_INV_DATA;
246
if (!keybuffer || !keysize)
248
ec = GPG_ERR_INV_VALUE;
255
case GCRY_KDF_SIMPLE_S2K:
256
case GCRY_KDF_SALTED_S2K:
257
case GCRY_KDF_ITERSALTED_S2K:
258
ec = openpgp_s2k (passphrase, passphraselen, algo, subalgo,
259
salt, saltlen, iterations, keysize, keybuffer);
262
case GCRY_KDF_PBKDF1:
263
ec = GPG_ERR_UNSUPPORTED_ALGORITHM;
266
case GCRY_KDF_PBKDF2:
267
ec = pkdf2 (passphrase, passphraselen, subalgo,
268
salt, saltlen, iterations, keysize, keybuffer);
272
ec = GPG_ERR_UNKNOWN_ALGORITHM;
277
return gpg_error (ec);