Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

pwdbased.c@ 457

Last change on this file since 457 was 457, checked in by coas-nagasima, 4 years ago
ファイルを追加
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc;charset=UTF-8`
File size: 21.3 KB

Line
1	/* pwdbased.c
2	*
3	* Copyright (C) 2006-2020 wolfSSL Inc.
4	*
5	* This file is part of wolfSSL.
6	*
7	* wolfSSL is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License as published by
9	* the Free Software Foundation; either version 2 of the License, or
10	* (at your option) any later version.
11	*
12	* wolfSSL is distributed in the hope that it will be useful,
13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	* GNU General Public License for more details.
16	*
17	* You should have received a copy of the GNU General Public License
18	* along with this program; if not, write to the Free Software
19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20	*/
21
22
23	#ifdef HAVE_CONFIG_H
24	#include <config.h>
25	#endif
26
27	#include <wolfssl/wolfcrypt/settings.h>
28
29	#ifndef NO_PWDBASED
30
31	#include <wolfssl/wolfcrypt/pwdbased.h>
32	#include <wolfssl/wolfcrypt/hmac.h>
33	#include <wolfssl/wolfcrypt/hash.h>
34	#include <wolfssl/wolfcrypt/integer.h>
35	#include <wolfssl/wolfcrypt/error-crypt.h>
36
37	#ifdef NO_INLINE
38	#include <wolfssl/wolfcrypt/misc.h>
39	#else
40	#define WOLFSSL_MISC_INCLUDED
41	#include <wolfcrypt/src/misc.c>
42	#endif
43
44
45	#ifdef HAVE_PBKDF1
46
47	/* PKCS#5 v1.5 with non standard extension to optionally derive the extra data (IV) */
48	int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
49	const byte* passwd, int passwdLen, const byte* salt, int saltLen,
50	int iterations, int hashType, void* heap)
51	{
52	int err;
53	int keyLeft, ivLeft, i;
54	int digestLeft, store;
55	int keyOutput = 0;
56	int diestLen;
57	byte digest[WC_MAX_DIGEST_SIZE];
58	#ifdef WOLFSSL_SMALL_STACK
59	wc_HashAlg* hash = NULL;
60	#else
61	wc_HashAlg hash[1];
62	#endif
63	enum wc_HashType hashT;
64
65	(void)heap;
66
67	if (key == NULL \|\| keyLen < 0 \|\| passwdLen < 0 \|\| saltLen < 0 \|\| ivLen < 0){
68	return BAD_FUNC_ARG;
69	}
70
71	if (iterations <= 0)
72	iterations = 1;
73
74	hashT = wc_HashTypeConvert(hashType);
75	err = wc_HashGetDigestSize(hashT);
76	if (err < 0)
77	return err;
78	diestLen = err;
79
80	/* initialize hash */
81	#ifdef WOLFSSL_SMALL_STACK
82	hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), heap,
83	DYNAMIC_TYPE_HASHCTX);
84	if (hash == NULL)
85	return MEMORY_E;
86	#endif
87
88	err = wc_HashInit_ex(hash, hashT, heap, INVALID_DEVID);
89	if (err != 0) {
90	#ifdef WOLFSSL_SMALL_STACK
91	XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
92	#endif
93	return err;
94	}
95
96	keyLeft = keyLen;
97	ivLeft = ivLen;
98	while (keyOutput < (keyLen + ivLen)) {
99	digestLeft = diestLen;
100	/* D_(i - 1) */
101	if (keyOutput) { /* first time D_0 is empty */
102	err = wc_HashUpdate(hash, hashT, digest, diestLen);
103	if (err != 0) break;
104	}
105
106	/* data */
107	err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
108	if (err != 0) break;
109
110	/* salt */
111	if (salt) {
112	err = wc_HashUpdate(hash, hashT, salt, saltLen);
113	if (err != 0) break;
114	}
115
116	err = wc_HashFinal(hash, hashT, digest);
117	if (err != 0) break;
118
119	/* count */
120	for (i = 1; i < iterations; i++) {
121	err = wc_HashUpdate(hash, hashT, digest, diestLen);
122	if (err != 0) break;
123
124	err = wc_HashFinal(hash, hashT, digest);
125	if (err != 0) break;
126	}
127
128	if (keyLeft) {
129	store = min(keyLeft, diestLen);
130	XMEMCPY(&key[keyLen - keyLeft], digest, store);
131
132	keyOutput += store;
133	keyLeft -= store;
134	digestLeft -= store;
135	}
136
137	if (ivLeft && digestLeft) {
138	store = min(ivLeft, digestLeft);
139	if (iv != NULL)
140	XMEMCPY(&iv[ivLen - ivLeft],
141	&digest[diestLen - digestLeft], store);
142	keyOutput += store;
143	ivLeft -= store;
144	}
145	}
146
147	wc_HashFree(hash, hashT);
148
149	#ifdef WOLFSSL_SMALL_STACK
150	XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
151	#endif
152
153	if (err != 0)
154	return err;
155
156	if (keyOutput != (keyLen + ivLen))
157	return BUFFER_E;
158
159	return err;
160	}
161
162	/* PKCS#5 v1.5 */
163	int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt,
164	int sLen, int iterations, int kLen, int hashType)
165	{
166	return wc_PBKDF1_ex(output, kLen, NULL, 0,
167	passwd, pLen, salt, sLen, iterations, hashType, NULL);
168	}
169
170	#endif /* HAVE_PKCS5 */
171
172	#ifdef HAVE_PBKDF2
173
174	int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
175	int sLen, int iterations, int kLen, int hashType, void* heap, int devId)
176	{
177	word32 i = 1;
178	int hLen;
179	int j, ret;
180	#ifdef WOLFSSL_SMALL_STACK
181	byte* buffer;
182	Hmac* hmac;
183	#else
184	byte buffer[WC_MAX_DIGEST_SIZE];
185	Hmac hmac[1];
186	#endif
187	enum wc_HashType hashT;
188
189	if (output == NULL \|\| pLen < 0 \|\| sLen < 0 \|\| kLen < 0) {
190	return BAD_FUNC_ARG;
191	}
192
193	if (iterations <= 0)
194	iterations = 1;
195
196	hashT = wc_HashTypeConvert(hashType);
197	hLen = wc_HashGetDigestSize(hashT);
198	if (hLen < 0)
199	return BAD_FUNC_ARG;
200
201	#ifdef WOLFSSL_SMALL_STACK
202	buffer = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
203	if (buffer == NULL)
204	return MEMORY_E;
205	hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC);
206	if (hmac == NULL) {
207	XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
208	return MEMORY_E;
209	}
210	#endif
211
212	ret = wc_HmacInit(hmac, heap, devId);
213	if (ret == 0) {
214	/* use int hashType here, since HMAC FIPS uses the old unique value */
215	ret = wc_HmacSetKey(hmac, hashType, passwd, pLen);
216
217	while (ret == 0 && kLen) {
218	int currentLen;
219
220	ret = wc_HmacUpdate(hmac, salt, sLen);
221	if (ret != 0)
222	break;
223
224	/* encode i */
225	for (j = 0; j < 4; j++) {
226	byte b = (byte)(i >> ((3-j) * 8));
227
228	ret = wc_HmacUpdate(hmac, &b, 1);
229	if (ret != 0)
230	break;
231	}
232
233	/* check ret from inside for loop */
234	if (ret != 0)
235	break;
236
237	ret = wc_HmacFinal(hmac, buffer);
238	if (ret != 0)
239	break;
240
241	currentLen = min(kLen, hLen);
242	XMEMCPY(output, buffer, currentLen);
243
244	for (j = 1; j < iterations; j++) {
245	ret = wc_HmacUpdate(hmac, buffer, hLen);
246	if (ret != 0)
247	break;
248	ret = wc_HmacFinal(hmac, buffer);
249	if (ret != 0)
250	break;
251	xorbuf(output, buffer, currentLen);
252	}
253
254	/* check ret from inside for loop */
255	if (ret != 0)
256	break;
257
258	output += currentLen;
259	kLen -= currentLen;
260	i++;
261	}
262	wc_HmacFree(hmac);
263	}
264
265	#ifdef WOLFSSL_SMALL_STACK
266	XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
267	XFREE(hmac, heap, DYNAMIC_TYPE_HMAC);
268	#endif
269
270	return ret;
271	}
272
273	int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
274	int sLen, int iterations, int kLen, int hashType)
275	{
276	return wc_PBKDF2_ex(output, passwd, pLen, salt, sLen, iterations, kLen,
277	hashType, NULL, INVALID_DEVID);
278	}
279
280	#endif /* HAVE_PBKDF2 */
281
282	#ifdef HAVE_PKCS12
283
284	/* helper for PKCS12_PBKDF(), does hash operation */
285	static int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen,
286	byte* Ai, word32 u, int iterations)
287	{
288	int i;
289	int ret = 0;
290	#ifdef WOLFSSL_SMALL_STACK
291	wc_HashAlg* hash = NULL;
292	#else
293	wc_HashAlg hash[1];
294	#endif
295	enum wc_HashType hashT;
296
297	if (buffer == NULL \|\| Ai == NULL) {
298	return BAD_FUNC_ARG;
299	}
300
301	hashT = wc_HashTypeConvert(hashType);
302
303	/* initialize hash */
304	#ifdef WOLFSSL_SMALL_STACK
305	hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), NULL,
306	DYNAMIC_TYPE_HASHCTX);
307	if (hash == NULL)
308	return MEMORY_E;
309	#endif
310
311	ret = wc_HashInit(hash, hashT);
312	if (ret != 0) {
313	#ifdef WOLFSSL_SMALL_STACK
314	XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX);
315	#endif
316	return ret;
317	}
318
319	ret = wc_HashUpdate(hash, hashT, buffer, totalLen);
320
321	if (ret == 0)
322	ret = wc_HashFinal(hash, hashT, Ai);
323
324	for (i = 1; i < iterations; i++) {
325	if (ret == 0)
326	ret = wc_HashUpdate(hash, hashT, Ai, u);
327	if (ret == 0)
328	ret = wc_HashFinal(hash, hashT, Ai);
329	}
330
331	wc_HashFree(hash, hashT);
332
333	#ifdef WOLFSSL_SMALL_STACK
334	XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX);
335	#endif
336
337	return ret;
338	}
339
340
341	int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,
342	const byte* salt, int saltLen, int iterations, int kLen, int hashType,
343	int id)
344	{
345	return wc_PKCS12_PBKDF_ex(output, passwd, passLen, salt, saltLen,
346	iterations, kLen, hashType, id, NULL);
347	}
348
349
350	/* extended API that allows a heap hint to be used */
351	int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
352	const byte* salt, int saltLen, int iterations, int kLen,
353	int hashType, int id, void* heap)
354	{
355	/* all in bytes instead of bits */
356	word32 u, v, dLen, pLen, iLen, sLen, totalLen;
357	int dynamic = 0;
358	int ret = 0;
359	int i;
360	byte D, S, P, I;
361	#ifdef WOLFSSL_SMALL_STACK
362	byte staticBuffer[1]; /* force dynamic usage */
363	#else
364	byte staticBuffer[1024];
365	#endif
366	byte* buffer = staticBuffer;
367
368	#ifdef WOLFSSL_SMALL_STACK
369	byte* Ai;
370	byte* B;
371	#else
372	byte Ai[WC_MAX_DIGEST_SIZE];
373	byte B[WC_MAX_BLOCK_SIZE];
374	#endif
375	enum wc_HashType hashT;
376
377	(void)heap;
378
379	if (output == NULL \|\| passLen < 0 \|\| saltLen < 0 \|\| kLen < 0) {
380	return BAD_FUNC_ARG;
381	}
382
383	if (iterations <= 0)
384	iterations = 1;
385
386	hashT = wc_HashTypeConvert(hashType);
387	ret = wc_HashGetDigestSize(hashT);
388	if (ret < 0)
389	return ret;
390	u = ret;
391
392	ret = wc_HashGetBlockSize(hashT);
393	if (ret < 0)
394	return ret;
395	v = ret;
396
397	#ifdef WOLFSSL_SMALL_STACK
398	Ai = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
399	if (Ai == NULL)
400	return MEMORY_E;
401
402	B = (byte*)XMALLOC(WC_MAX_BLOCK_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
403	if (B == NULL) {
404	XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
405	return MEMORY_E;
406	}
407	#endif
408
409	XMEMSET(Ai, 0, WC_MAX_DIGEST_SIZE);
410	XMEMSET(B, 0, WC_MAX_BLOCK_SIZE);
411
412	dLen = v;
413	sLen = v * ((saltLen + v - 1) / v);
414	if (passLen)
415	pLen = v * ((passLen + v - 1) / v);
416	else
417	pLen = 0;
418	iLen = sLen + pLen;
419
420	totalLen = dLen + sLen + pLen;
421
422	if (totalLen > sizeof(staticBuffer)) {
423	buffer = (byte*)XMALLOC(totalLen, heap, DYNAMIC_TYPE_KEY);
424	if (buffer == NULL) {
425	#ifdef WOLFSSL_SMALL_STACK
426	XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
427	XFREE(B, heap, DYNAMIC_TYPE_TMP_BUFFER);
428	#endif
429	return MEMORY_E;
430	}
431	dynamic = 1;
432	}
433
434	D = buffer;
435	S = D + dLen;
436	P = S + sLen;
437	I = S;
438
439	XMEMSET(D, id, dLen);
440
441	for (i = 0; i < (int)sLen; i++)
442	S[i] = salt[i % saltLen];
443	for (i = 0; i < (int)pLen; i++)
444	P[i] = passwd[i % passLen];
445
446	while (kLen > 0) {
447	word32 currentLen;
448	mp_int B1;
449
450	ret = DoPKCS12Hash(hashType, buffer, totalLen, Ai, u, iterations);
451	if (ret < 0)
452	break;
453
454	for (i = 0; i < (int)v; i++)
455	B[i] = Ai[i % u];
456
457	if (mp_init(&B1) != MP_OKAY)
458	ret = MP_INIT_E;
459	else if (mp_read_unsigned_bin(&B1, B, v) != MP_OKAY)
460	ret = MP_READ_E;
461	else if (mp_add_d(&B1, (mp_digit)1, &B1) != MP_OKAY)
462	ret = MP_ADD_E;
463
464	if (ret != 0) {
465	mp_clear(&B1);
466	break;
467	}
468
469	for (i = 0; i < (int)iLen; i += v) {
470	int outSz;
471	mp_int i1;
472	mp_int res;
473
474	if (mp_init_multi(&i1, &res, NULL, NULL, NULL, NULL) != MP_OKAY) {
475	ret = MP_INIT_E;
476	break;
477	}
478	if (mp_read_unsigned_bin(&i1, I + i, v) != MP_OKAY)
479	ret = MP_READ_E;
480	else if (mp_add(&i1, &B1, &res) != MP_OKAY)
481	ret = MP_ADD_E;
482	else if ( (outSz = mp_unsigned_bin_size(&res)) < 0)
483	ret = MP_TO_E;
484	else {
485	if (outSz > (int)v) {
486	/* take off MSB */
487	byte tmp[WC_MAX_BLOCK_SIZE + 1];
488	ret = mp_to_unsigned_bin(&res, tmp);
489	XMEMCPY(I + i, tmp + 1, v);
490	}
491	else if (outSz < (int)v) {
492	XMEMSET(I + i, 0, v - outSz);
493	ret = mp_to_unsigned_bin(&res, I + i + v - outSz);
494	}
495	else
496	ret = mp_to_unsigned_bin(&res, I + i);
497	}
498
499	mp_clear(&i1);
500	mp_clear(&res);
501	if (ret < 0) break;
502	}
503
504	currentLen = min(kLen, (int)u);
505	XMEMCPY(output, Ai, currentLen);
506	output += currentLen;
507	kLen -= currentLen;
508	mp_clear(&B1);
509	}
510
511	if (dynamic) XFREE(buffer, heap, DYNAMIC_TYPE_KEY);
512
513	#ifdef WOLFSSL_SMALL_STACK
514	XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
515	XFREE(B, heap, DYNAMIC_TYPE_TMP_BUFFER);
516	#endif
517
518	return ret;
519	}
520
521	#endif /* HAVE_PKCS12 */
522
523	#ifdef HAVE_SCRYPT
524	/* Rotate the 32-bit value a by b bits to the left.
525	*
526	* a 32-bit value.
527	* b Number of bits to rotate.
528	* returns rotated value.
529	*/
530	#define R(a, b) rotlFixed(a, b)
531
532	/* One round of Salsa20/8.
533	* Code taken from RFC 7914: scrypt PBKDF.
534	*
535	* out Output buffer.
536	* in Input data to hash.
537	*/
538	static void scryptSalsa(word32* out, word32* in)
539	{
540	int i;
541	word32 x[16];
542
543	#ifdef LITTLE_ENDIAN_ORDER
544	for (i = 0; i < 16; ++i)
545	x[i] = in[i];
546	#else
547	for (i = 0; i < 16; i++)
548	x[i] = ByteReverseWord32(in[i]);
549	#endif
550	for (i = 8; i > 0; i -= 2) {
551	x[ 4] ^= R(x[ 0] + x[12], 7); x[ 8] ^= R(x[ 4] + x[ 0], 9);
552	x[12] ^= R(x[ 8] + x[ 4], 13); x[ 0] ^= R(x[12] + x[ 8], 18);
553	x[ 9] ^= R(x[ 5] + x[ 1], 7); x[13] ^= R(x[ 9] + x[ 5], 9);
554	x[ 1] ^= R(x[13] + x[ 9], 13); x[ 5] ^= R(x[ 1] + x[13], 18);
555	x[14] ^= R(x[10] + x[ 6], 7); x[ 2] ^= R(x[14] + x[10], 9);
556	x[ 6] ^= R(x[ 2] + x[14], 13); x[10] ^= R(x[ 6] + x[ 2], 18);
557	x[ 3] ^= R(x[15] + x[11], 7); x[ 7] ^= R(x[ 3] + x[15], 9);
558	x[11] ^= R(x[ 7] + x[ 3], 13); x[15] ^= R(x[11] + x[ 7], 18);
559	x[ 1] ^= R(x[ 0] + x[ 3], 7); x[ 2] ^= R(x[ 1] + x[ 0], 9);
560	x[ 3] ^= R(x[ 2] + x[ 1], 13); x[ 0] ^= R(x[ 3] + x[ 2], 18);
561	x[ 6] ^= R(x[ 5] + x[ 4], 7); x[ 7] ^= R(x[ 6] + x[ 5], 9);
562	x[ 4] ^= R(x[ 7] + x[ 6], 13); x[ 5] ^= R(x[ 4] + x[ 7], 18);
563	x[11] ^= R(x[10] + x[ 9], 7); x[ 8] ^= R(x[11] + x[10], 9);
564	x[ 9] ^= R(x[ 8] + x[11], 13); x[10] ^= R(x[ 9] + x[ 8], 18);
565	x[12] ^= R(x[15] + x[14], 7); x[13] ^= R(x[12] + x[15], 9);
566	x[14] ^= R(x[13] + x[12], 13); x[15] ^= R(x[14] + x[13], 18);
567	}
568	#ifdef LITTLE_ENDIAN_ORDER
569	for (i = 0; i < 16; ++i)
570	out[i] = in[i] + x[i];
571	#else
572	for (i = 0; i < 16; i++)
573	out[i] = ByteReverseWord32(ByteReverseWord32(in[i]) + x[i]);
574	#endif
575	}
576
577	/* Mix a block using Salsa20/8.
578	* Based on RFC 7914: scrypt PBKDF.
579	*
580	* b Blocks to mix.
581	* y Temporary storage.
582	* r Size of the block.
583	*/
584	static void scryptBlockMix(byte* b, byte* y, int r)
585	{
586	byte x[64];
587	#ifdef WORD64_AVAILABLE
588	word64* b64 = (word64*)b;
589	word64* y64 = (word64*)y;
590	word64* x64 = (word64*)x;
591	#else
592	word32* b32 = (word32*)b;
593	word32* y32 = (word32*)y;
594	word32* x32 = (word32*)x;
595	#endif
596	int i;
597	int j;
598
599	/* Step 1. */
600	XMEMCPY(x, b + (2 * r - 1) * 64, sizeof(x));
601	/* Step 2. */
602	for (i = 0; i < 2 * r; i++)
603	{
604	#ifdef WORD64_AVAILABLE
605	for (j = 0; j < 8; j++)
606	x64[j] ^= b64[i * 8 + j];
607	#else
608	for (j = 0; j < 16; j++)
609	x32[j] ^= b32[i * 16 + j];
610	#endif
611	scryptSalsa((word32)x, (word32)x);
612	XMEMCPY(y + i * 64, x, sizeof(x));
613	}
614	/* Step 3. */
615	for (i = 0; i < r; i++) {
616	#ifdef WORD64_AVAILABLE
617	for (j = 0; j < 8; j++) {
618	b64[i * 8 + j] = y64[2 * i * 8 + j];
619	b64[(r + i) * 8 + j] = y64[(2 * i + 1) * 8 + j];
620	}
621	#else
622	for (j = 0; j < 16; j++) {
623	b32[i * 16 + j] = y32[2 * i * 16 + j];
624	b32[(r + i) * 16 + j] = y32[(2 * i + 1) * 16 + j];
625	}
626	#endif
627	}
628	}
629
630	/* Random oracles mix.
631	* Based on RFC 7914: scrypt PBKDF.
632	*
633	* x Data to mix.
634	* v Temporary buffer.
635	* y Temporary buffer for the block mix.
636	* r Block size parameter.
637	* n CPU/Memory cost parameter.
638	*/
639	static void scryptROMix(byte* x, byte* v, byte* y, int r, word32 n)
640	{
641	word32 i;
642	word32 j;
643	word32 k;
644	word32 bSz = 128 * r;
645	#ifdef WORD64_AVAILABLE
646	word64* x64 = (word64*)x;
647	word64* v64 = (word64*)v;
648	#else
649	word32* x32 = (word32*)x;
650	word32* v32 = (word32*)v;
651	#endif
652
653	/* Step 1. X = B (B not needed therefore not implemented) */
654	/* Step 2. */
655	for (i = 0; i < n; i++)
656	{
657	XMEMCPY(v + i * bSz, x, bSz);
658	scryptBlockMix(x, y, r);
659	}
660
661	/* Step 3. */
662	for (i = 0; i < n; i++)
663	{
664	#ifdef LITTLE_ENDIAN_ORDER
665	#ifdef WORD64_AVAILABLE
666	j = (word64)(x + (2r - 1) 64) & (n-1);
667	#else
668	j = (word32)(x + (2r - 1) 64) & (n-1);
669	#endif
670	#else
671	byte* t = x + (2r - 1) 64;
672	j = (t[0] \| (t[1] << 8) \| (t[2] << 16) \| ((word32)t[3] << 24)) & (n-1);
673	#endif
674	#ifdef WORD64_AVAILABLE
675	for (k = 0; k < bSz / 8; k++)
676	x64[k] ^= v64[j * bSz / 8 + k];
677	#else
678	for (k = 0; k < bSz / 4; k++)
679	x32[k] ^= v32[j * bSz / 4 + k];
680	#endif
681	scryptBlockMix(x, y, r);
682	}
683	/* Step 4. B' = X (B = X = B' so not needed, therefore not implemented) */
684	}
685
686	/* Generates an key derived from a password and salt using a memory hard
687	* algorithm.
688	* Implements RFC 7914: scrypt PBKDF.
689	*
690	* output The derived key.
691	* passwd The password to derive key from.
692	* passLen The length of the password.
693	* salt The key specific data.
694	* saltLen The length of the salt data.
695	* cost The CPU/memory cost parameter. Range: 1..(128*r/8-1)
696	* (Iterations = 2^cost)
697	* blockSize The number of 128 byte octets in a working block.
698	* parallel The number of parallel mix operations to perform.
699	* (Note: this implementation does not use threads.)
700	* dkLen The length of the derived key in bytes.
701	* returns BAD_FUNC_ARG when: blockSize is too large for cost.
702	*/
703	int wc_scrypt(byte* output, const byte* passwd, int passLen,
704	const byte* salt, int saltLen, int cost, int blockSize,
705	int parallel, int dkLen)
706	{
707	int ret = 0;
708	int i;
709	byte* v = NULL;
710	byte* y = NULL;
711	byte* blocks = NULL;
712	word32 blocksSz;
713	word32 bSz;
714
715	if (blockSize > 8)
716	return BAD_FUNC_ARG;
717
718	if (cost < 1 \|\| cost >= 128 * blockSize / 8 \|\| parallel < 1 \|\| dkLen < 1)
719	return BAD_FUNC_ARG;
720
721	bSz = 128 * blockSize;
722	blocksSz = bSz * parallel;
723	blocks = (byte*)XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
724	if (blocks == NULL)
725	goto end;
726	/* Temporary for scryptROMix. */
727	v = (byte)XMALLOC((1 << cost) bSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
728	if (v == NULL)
729	goto end;
730	/* Temporary for scryptBlockMix. */
731	y = (byte)XMALLOC(blockSize 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
732	if (y == NULL)
733	goto end;
734
735	/* Step 1. */
736	ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, blocksSz,
737	WC_SHA256);
738	if (ret != 0)
739	goto end;
740
741	/* Step 2. */
742	for (i = 0; i < parallel; i++)
743	scryptROMix(blocks + i * bSz, v, y, blockSize, 1 << cost);
744
745	/* Step 3. */
746	ret = wc_PBKDF2(output, passwd, passLen, blocks, blocksSz, 1, dkLen,
747	WC_SHA256);
748	end:
749	if (blocks != NULL)
750	XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
751	if (v != NULL)
752	XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
753	if (y != NULL)
754	XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER);
755
756	return ret;
757	}
758
759	/* Generates an key derived from a password and salt using a memory hard
760	* algorithm.
761	* Implements RFC 7914: scrypt PBKDF.
762	*
763	* output Derived key.
764	* passwd Password to derive key from.
765	* passLen Length of the password.
766	* salt Key specific data.
767	* saltLen Length of the salt data.
768	* iterations Number of iterations to perform. Range: 1 << (1..(128*r/8-1))
769	* blockSize Number of 128 byte octets in a working block.
770	* parallel Number of parallel mix operations to perform.
771	* (Note: this implementation does not use threads.)
772	* dkLen Length of the derived key in bytes.
773	* returns BAD_FUNC_ARG when: iterations is not a power of 2 or blockSize is too
774	* large for iterations.
775	*/
776	int wc_scrypt_ex(byte* output, const byte* passwd, int passLen,
777	const byte* salt, int saltLen, word32 iterations,
778	int blockSize, int parallel, int dkLen)
779	{
780	int cost;
781
782	/* Iterations must be a power of 2. */
783	if ((iterations & (iterations - 1)) != 0)
784	return BAD_FUNC_ARG;
785
786	for (cost = -1; iterations != 0; cost++) {
787	iterations >>= 1;
788	}
789
790	return wc_scrypt(output, passwd, passLen, salt, saltLen, cost, blockSize,
791	parallel, dkLen);
792	}
793	#endif /* HAVE_SCRYPT */
794
795	#endif /* NO_PWDBASED */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: azure_iot_hub_f767zi/trunk/wolfssl-4.4.0/wolfcrypt/src/pwdbased.c@ 457

Download in other formats: