~xnox/debian/sid/cryptsetup/ubuntu

« back to all changes in this revision

Viewing changes to lib/crypto_backend/pbkdf2_generic.c

Committer: Package Import Robot
Author(s): Jonas Meurer, Milan Broz, Steve Langasek, Jonas Meurer
Date: 2013-06-28 12:10:41 UTC
mfrom: (0.2.11)
Revision ID: package-import@ubuntu.com-20130628121041-ek9rtel19yehj31t

Tags: 2:1.6.1-1

http://bugs.debian.org/704827

http://bugs.debian.org/707997

http://bugs.debian.org/714331

http://bugs.debian.org/694499

http://bugs.debian.org/677712

http://bugs.debian.org/700777

http://bugs.debian.org/704470

http://bugs.debian.org/713918

http://bugs.debian.org/697446

http://bugs.debian.org/700285

http://bugs.debian.org/697155

http://bugs.debian.org/438481

http://bugs.debian.org/714326

[ Milan Broz ]
* new upstream version. (closes: #704827, 707997)
  - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331)
  - adds native support for Truecrypt and compatible on-disk format
  - adds benchmark command
  - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device
  - adds veritysetup, a tool for dm-verity block device verification module
* install docs/examples into docs at cryptsetup-dev package.
* fix compilation warnings in askpass.c.

[ Steve Langasek ]
* fix upstart jobs to not cause boot hangs when actually used in
  conjunction with startpar.  (closes: #694499, #677712).
* in connection with the above, make the cryptdisks-early job explicitly
  wait for 'umountfs' on shutdown just like cryptdisks does; otherwise,
  the teardown of the cryptdisks upstart job may cause the cryptdisks-early
  init script run before we're done unmounting filesystems.

[ Jonas Meurer ]
* minor wording fixes to README.initramfs, suggested by intrigeri and Adam
  D. Barrett.
* add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius
  Hubig for providing a patch. (closes: #700777)
* support specifying key-slot in crypttab. Thanks to Kevin Locke for the
  patch. (closes: #704470)
* remove evms support code from cryptroot initramfs script. (closes: #713918)
* fix location of keyscripts in initramfs documentation. (closes: #697446)
* fix a typo in decrypt_ssl script that prevented stdout from beeing
  redirected to /dev/null. (closes: #700285)
* give full path to blkid in crytproot initramfs script. (closes: #697155)
* export number of previous tries from cryptroot and cryptdisks to
  keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility
  to fallback after a given number of tries for keyscripts. (closes: #438481,
  #471729, #697455)
* improve check for cpu hardware encryption support in initramfs cryptroot
  hook. (closes: #714326)

files added:
configure.ac

debian/cryptdisks-udev.upstart

debian/cryptdisks.bash_completion

debian/cryptsetup.maintscript

debian/libcryptsetup-dev.docs

docs/ChangeLog.old

docs/v1.5.0-ReleaseNotes

docs/v1.5.1-ReleaseNotes

docs/v1.6.0-ReleaseNotes

docs/v1.6.1-ReleaseNotes

lib/bitops.h

lib/crypto_backend/crc32.c

lib/crypto_backend/crypto_cipher_kernel.c

lib/crypto_backend/pbkdf2_generic.c

lib/crypto_backend/pbkdf_check.c

lib/tcrypt

lib/tcrypt/Makefile.am

lib/tcrypt/Makefile.in

lib/tcrypt/tcrypt.c

lib/tcrypt/tcrypt.h

lib/utils_benchmark.c

lib/utils_device.c

lib/verity

lib/verity/Makefile.am

lib/verity/Makefile.in

lib/verity/verity.c

lib/verity/verity.h

lib/verity/verity_hash.c

man/cryptsetup-reencrypt.8

man/veritysetup.8

misc/dict_search

misc/dict_search/Makefile

misc/dict_search/README

misc/dict_search/crypt_dict.c

misc/dracut_90reencrypt

misc/dracut_90reencrypt/README

misc/dracut_90reencrypt/check.old

misc/dracut_90reencrypt/install.old

misc/dracut_90reencrypt/module-setup.sh

misc/dracut_90reencrypt/parse-reencrypt.sh

misc/dracut_90reencrypt/reencrypt.sh

misc/keyslot_checker

misc/keyslot_checker/Makefile

misc/keyslot_checker/README

misc/keyslot_checker/chk_luks_keyslots.c

src/cryptsetup_reencrypt.c

src/utils_password.c

src/utils_tools.c

src/veritysetup.c

tests/compatv10image.img.bz2

tests/reencryption-compat-test

tests/tcrypt-compat-test

tests/tcrypt-images.tar.bz2

tests/verity-compat-test

files removed:
configure.in

debian/cryptdisks-early.upstart

lib/luks1/pbkdf.c

lib/luks1/pbkdf.h

lib/utils_debug.c

files modified:
AUTHORS

COPYING.LGPL

ChangeLog

Makefile.in

TODO

aclocal.m4

config.h.in

config.sub

configure

debian/README.initramfs

debian/askpass.c

debian/changelog

debian/control

debian/copyright

debian/cryptdisks-early.init

debian/cryptdisks.functions

debian/cryptdisks.upstart

debian/cryptsetup-bin.dirs

debian/cryptsetup.dirs

debian/cryptsetup.docs

debian/doc/crypttab.xml

debian/initramfs/cryptroot-hook

debian/initramfs/cryptroot-script

debian/libcryptsetup-dev.dirs

debian/libcryptsetup4.symbols

debian/passdev.c

debian/rules

debian/scripts/decrypt_ssl

docs/doxygen_index

lib/Makefile.am

lib/Makefile.in

lib/crypt_plain.c

lib/crypto_backend/Makefile.am

lib/crypto_backend/Makefile.in

lib/crypto_backend/crypto_backend.h

lib/crypto_backend/crypto_gcrypt.c

lib/crypto_backend/crypto_kernel.c

lib/crypto_backend/crypto_nettle.c

lib/crypto_backend/crypto_nss.c

lib/crypto_backend/crypto_openssl.c

lib/internal.h

lib/libcryptsetup.h

lib/libcryptsetup.sym

lib/libdevmapper.c

lib/loopaes/Makefile.am

lib/loopaes/Makefile.in

lib/loopaes/loopaes.c

lib/loopaes/loopaes.h

lib/luks1/Makefile.am

lib/luks1/Makefile.in

lib/luks1/af.c

lib/luks1/af.h

lib/luks1/keyencryption.c

lib/luks1/keymanage.c

lib/luks1/luks.h

lib/random.c

lib/setup.c

lib/utils.c

lib/utils_crypt.c

lib/utils_crypt.h

lib/utils_devpath.c

lib/utils_dm.h

lib/utils_fips.c

lib/utils_fips.h

lib/utils_loop.c

lib/utils_loop.h

lib/utils_wipe.c

lib/volumekey.c

ltmain.sh

m4/libtool.m4

man/Makefile.am

man/Makefile.in

man/cryptsetup.8

misc/luks-header-from-active

po/POTFILES.in

po/cryptsetup.pot

po/cs.gmo

po/cs.po

po/de.gmo

po/de.po

po/fi.gmo

po/fi.po

po/fr.gmo

po/fr.po

po/id.gmo

po/id.po

po/it.gmo

po/it.po

po/nl.gmo

po/nl.po

po/pl.gmo

po/pl.po

po/sv.gmo

po/sv.po

po/uk.gmo

po/uk.po

po/vi.gmo

po/vi.po

python/Makefile.am

python/Makefile.in

src/Makefile.am

src/Makefile.in

src/cryptsetup.c

src/cryptsetup.h

tests/Makefile.am

tests/Makefile.in

tests/align-test

tests/api-test.c

tests/compat-test

tests/differ.c

tests/discards-test

tests/evil_hdr-small_luks_device.bz2

tests/loopaes-test

Show diffs side-by-side

added added

removed removed

lib/crypto_backend/pbkdf2_generic.c

* Implementation of Password-Based Cryptography as per PKCS#5

* cryptsetup related changes

* This file is free software; you can redistribute it and/or

* modify it under the terms of the GNU Lesser General Public

* License as published by the Free Software Foundation; either

* version 2.1 of the License, or (at your option) any later version.

* This file is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* Lesser General Public License for more details.

* You should have received a copy of the GNU Lesser General Public

* License along with this file; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

#include <errno.h>

#include <alloca.h>

#include "crypto_backend.h"

* 5.2 PBKDF2

* PBKDF2 applies a pseudorandom function (see Appendix B.1 for an

* example) to derive keys. The length of the derived key is essentially

* unbounded. (However, the maximum effective search space for the

* derived key may be limited by the structure of the underlying

* pseudorandom function. See Appendix B.1 for further discussion.)

* PBKDF2 is recommended for new applications.

* PBKDF2 (P, S, c, dkLen)

* Options: PRF underlying pseudorandom function (hLen

* denotes the length in octets of the

* pseudorandom function output)

* Input: P password, an octet string (ASCII or UTF-8)

* S salt, an octet string

* c iteration count, a positive integer

* dkLen intended length in octets of the derived

* key, a positive integer, at most

* (2^32 - 1) * hLen

* Output: DK derived key, a dkLen-octet string

#define MAX_PRF_BLOCK_LEN 80

int pkcs5_pbkdf2(const char *hash,

const char *P, size_t Plen,

const char *S, size_t Slen,

unsigned int c, unsigned int dkLen,

char *DK)

{

struct crypt_hmac *hmac;

char U[MAX_PRF_BLOCK_LEN];

char T[MAX_PRF_BLOCK_LEN];

int i, k, rc = -EINVAL;

unsigned int u, hLen, l, r;

size_t tmplen = Slen + 4;

char *tmp;

tmp = alloca(tmplen);

if (tmp == NULL)

return -ENOMEM;

hLen = crypt_hmac_size(hash);

if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN)

return -EINVAL;

if (c == 0)

return -EINVAL;

if (dkLen == 0)

return -EINVAL;

* Steps:

* 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and

* stop.

if (dkLen > 4294967295U)

return -EINVAL;

* 2. Let l be the number of hLen-octet blocks in the derived key,

* rounding up, and let r be the number of octets in the last

* block:

100

101

* l = CEIL (dkLen / hLen) ,

102

* r = dkLen - (l - 1) * hLen .

103

104

* Here, CEIL (x) is the "ceiling" function, i.e. the smallest

105

* integer greater than, or equal to, x.

106

107

108

l = dkLen / hLen;

109

if (dkLen % hLen)

110

l++;

111

r = dkLen - (l - 1) * hLen;

112

113

114

* 3. For each block of the derived key apply the function F defined

115

* below to the password P, the salt S, the iteration count c, and

116

* the block index to compute the block:

117

118

* T_1 = F (P, S, c, 1) ,

119

* T_2 = F (P, S, c, 2) ,

120

* ...

121

* T_l = F (P, S, c, l) ,

122

123

* where the function F is defined as the exclusive-or sum of the

124

* first c iterates of the underlying pseudorandom function PRF

125

* applied to the password P and the concatenation of the salt S

126

* and the block index i:

127

128

* F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c

129

130

* where

131

132

* U_1 = PRF (P, S || INT (i)) ,

133

* U_2 = PRF (P, U_1) ,

134

* ...

135

* U_c = PRF (P, U_{c-1}) .

136

137

* Here, INT (i) is a four-octet encoding of the integer i, most

138

* significant octet first.

139

140

* 4. Concatenate the blocks and extract the first dkLen octets to

141

* produce a derived key DK:

142

143

* DK = T_1 || T_2 || ... || T_l<0..r-1>

144

145

* 5. Output the derived key DK.

146

147

* Note. The construction of the function F follows a "belt-and-

148

* suspenders" approach. The iterates U_i are computed recursively to

149

* remove a degree of parallelism from an opponent; they are exclusive-

150

* ored together to reduce concerns about the recursion degenerating

151

* into a small set of values.

152

153

154

155

if (crypt_hmac_init(&hmac, hash, P, Plen))

156

return -EINVAL;

157

158

for (i = 1; (unsigned int) i <= l; i++) {

159

memset(T, 0, hLen);

160

161

for (u = 1; u <= c ; u++) {

162

if (u == 1) {

163

memcpy(tmp, S, Slen);

164

tmp[Slen + 0] = (i & 0xff000000) >> 24;

165

tmp[Slen + 1] = (i & 0x00ff0000) >> 16;

166

tmp[Slen + 2] = (i & 0x0000ff00) >> 8;

167

tmp[Slen + 3] = (i & 0x000000ff) >> 0;

168

169

if (crypt_hmac_write(hmac, tmp, tmplen))

170

goto out;

171

} else {

172

if (crypt_hmac_write(hmac, U, hLen))

173

goto out;

174

}

175

176

if (crypt_hmac_final(hmac, U, hLen))

177

goto out;

178

179

for (k = 0; (unsigned int) k < hLen; k++)

180

T[k] ^= U[k];

181

}

182

183

memcpy(DK + (i - 1) * hLen, T, (unsigned int) i == l ? r : hLen);

184

}

185

rc = 0;

186

out:

187

crypt_hmac_destroy(hmac);

188

return rc;

189

}

Older »