pbkdf2.c (10067B)
1 #include <stdlib.h> 2 #include <string.h> 3 4 #include "pbkdf2.h" 5 6 #define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) 7 #define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) 8 9 #define SHA1_HASH_SIZE 20 10 #define SHA256_HASH_SIZE 32 11 12 static void sha1_transform(struct sha1_ctx *ctx) { 13 uint32_t a, b, c, d, e, m[80], j; 14 15 for (j = 0; j < 16; j++) { 16 m[j] = (ctx->buffer[j*4] << 24) | (ctx->buffer[j*4+1] << 16) | 17 (ctx->buffer[j*4+2] << 8) | ctx->buffer[j*4+3]; 18 } 19 for ( ; j < 80; j++) { 20 m[j] = (m[j-3] ^ m[j-8] ^ m[j-14] ^ m[j-16]); 21 m[j] = (m[j] << 1) | (m[j] >> 31); 22 } 23 24 a = ctx->state[0]; 25 b = ctx->state[1]; 26 c = ctx->state[2]; 27 d = ctx->state[3]; 28 e = ctx->state[4]; 29 30 for (j = 0; j < 20; j++) { 31 uint32_t t = ROTLEFT(a, 5) + ((b & c) ^ (~b & d)) + e + 0x5a827999 + m[j]; 32 e = d; d = c; c = ROTLEFT(b, 30); b = a; a = t; 33 } 34 for ( ; j < 40; j++) { 35 uint32_t t = ROTLEFT(a, 5) + (b ^ c ^ d) + e + 0x6ed9eba1 + m[j]; 36 e = d; d = c; c = ROTLEFT(b, 30); b = a; a = t; 37 } 38 for ( ; j < 60; j++) { 39 uint32_t t = ROTLEFT(a, 5) + ((b & c) ^ (b & d) ^ (c & d)) + e + 0x8f1bbcdc + m[j]; 40 e = d; d = c; c = ROTLEFT(b, 30); b = a; a = t; 41 } 42 for ( ; j < 80; j++) { 43 uint32_t t = ROTLEFT(a, 5) + (b ^ c ^ d) + e + 0xca62c1d6 + m[j]; 44 e = d; d = c; c = ROTLEFT(b, 30); b = a; a = t; 45 } 46 47 ctx->state[0] += a; 48 ctx->state[1] += b; 49 ctx->state[2] += c; 50 ctx->state[3] += d; 51 ctx->state[4] += e; 52 } 53 54 void sha1_init(struct sha1_ctx *ctx) { 55 ctx->datalen = 0; 56 ctx->bitlen = 0; 57 ctx->state[0] = 0x67452301; 58 ctx->state[1] = 0xEFCDAB89; 59 ctx->state[2] = 0x98BADCFE; 60 ctx->state[3] = 0x10325476; 61 ctx->state[4] = 0xC3D2E1F0; 62 } 63 64 void sha1_update(struct sha1_ctx *ctx, const uint8_t *data, size_t len) { 65 size_t i; 66 for (i = 0; i < len; i++) { 67 ctx->buffer[ctx->datalen] = data[i]; 68 ctx->datalen++; 69 if (ctx->datalen == 64) { 70 sha1_transform(ctx); 71 ctx->bitlen += 512; 72 ctx->datalen = 0; 73 } 74 } 75 } 76 77 void sha1_final(struct sha1_ctx *ctx, uint8_t *hash) { 78 size_t i = ctx->datalen; 79 80 ctx->buffer[i++] = 0x80; 81 if (i > 56) { 82 while (i < 64) ctx->buffer[i++] = 0; 83 sha1_transform(ctx); 84 memset(ctx->buffer, 0, 56); 85 } else { 86 while (i < 56) ctx->buffer[i++] = 0; 87 } 88 89 ctx->bitlen += ctx->datalen * 8; 90 ctx->buffer[63] = (uint8_t)(ctx->bitlen); 91 ctx->buffer[62] = (uint8_t)(ctx->bitlen >> 8); 92 ctx->buffer[61] = (uint8_t)(ctx->bitlen >> 16); 93 ctx->buffer[60] = (uint8_t)(ctx->bitlen >> 24); 94 ctx->buffer[59] = (uint8_t)(ctx->bitlen >> 32); 95 ctx->buffer[58] = (uint8_t)(ctx->bitlen >> 40); 96 ctx->buffer[57] = (uint8_t)(ctx->bitlen >> 48); 97 ctx->buffer[56] = (uint8_t)(ctx->bitlen >> 56); 98 sha1_transform(ctx); 99 100 for (i = 0; i < 4; i++) { 101 hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0xff; 102 hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0xff; 103 hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0xff; 104 hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0xff; 105 hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0xff; 106 } 107 } 108 109 #define SHA256_CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) 110 #define SHA256_MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 111 #define SHA256_EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) 112 #define SHA256_EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) 113 #define SHA256_SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) 114 #define SHA256_SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) 115 116 static const uint32_t sha256_k[64] = { 117 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 118 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 119 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 120 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 121 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 122 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 123 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 124 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 125 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 126 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 127 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 128 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 129 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 130 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 131 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 132 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 133 }; 134 135 static void sha256_transform(struct sha256_ctx *ctx) { 136 uint32_t a, b, c, d, e, f, g, h, j, t1, t2, m[64]; 137 138 for (j = 0; j < 16; j++) { 139 m[j] = (ctx->buffer[j*4] << 24) | (ctx->buffer[j*4+1] << 16) | 140 (ctx->buffer[j*4+2] << 8) | ctx->buffer[j*4+3]; 141 } 142 for ( ; j < 64; j++) { 143 m[j] = SHA256_SIG1(m[j-2]) + m[j-7] + SHA256_SIG0(m[j-15]) + m[j-16]; 144 } 145 146 a = ctx->state[0]; 147 b = ctx->state[1]; 148 c = ctx->state[2]; 149 d = ctx->state[3]; 150 e = ctx->state[4]; 151 f = ctx->state[5]; 152 g = ctx->state[6]; 153 h = ctx->state[7]; 154 155 for (j = 0; j < 64; j++) { 156 t1 = h + SHA256_EP1(e) + SHA256_CH(e, f, g) + sha256_k[j] + m[j]; 157 t2 = SHA256_EP0(a) + SHA256_MAJ(a, b, c); 158 h = g; g = f; f = e; e = d + t1; 159 d = c; c = b; b = a; a = t1 + t2; 160 } 161 162 ctx->state[0] += a; 163 ctx->state[1] += b; 164 ctx->state[2] += c; 165 ctx->state[3] += d; 166 ctx->state[4] += e; 167 ctx->state[5] += f; 168 ctx->state[6] += g; 169 ctx->state[7] += h; 170 } 171 172 void sha256_init(struct sha256_ctx *ctx) { 173 ctx->datalen = 0; 174 ctx->bitlen = 0; 175 ctx->state[0] = 0x6a09e667; 176 ctx->state[1] = 0xbb67ae85; 177 ctx->state[2] = 0x3c6ef372; 178 ctx->state[3] = 0xa54ff53a; 179 ctx->state[4] = 0x510e527f; 180 ctx->state[5] = 0x9b05688c; 181 ctx->state[6] = 0x1f83d9ab; 182 ctx->state[7] = 0x5be0cd19; 183 } 184 185 void sha256_update(struct sha256_ctx *ctx, const uint8_t *data, size_t len) { 186 size_t i; 187 for (i = 0; i < len; i++) { 188 ctx->buffer[ctx->datalen] = data[i]; 189 ctx->datalen++; 190 if (ctx->datalen == 64) { 191 sha256_transform(ctx); 192 ctx->bitlen += 512; 193 ctx->datalen = 0; 194 } 195 } 196 } 197 198 void sha256_final(struct sha256_ctx *ctx, uint8_t *hash) { 199 size_t i = ctx->datalen; 200 201 ctx->buffer[i++] = 0x80; 202 if (i > 56) { 203 while (i < 64) ctx->buffer[i++] = 0; 204 sha256_transform(ctx); 205 memset(ctx->buffer, 0, 56); 206 } else { 207 while (i < 56) ctx->buffer[i++] = 0; 208 } 209 210 ctx->bitlen += ctx->datalen * 8; 211 ctx->buffer[63] = (uint8_t)(ctx->bitlen); 212 ctx->buffer[62] = (uint8_t)(ctx->bitlen >> 8); 213 ctx->buffer[61] = (uint8_t)(ctx->bitlen >> 16); 214 ctx->buffer[60] = (uint8_t)(ctx->bitlen >> 24); 215 ctx->buffer[59] = (uint8_t)(ctx->bitlen >> 32); 216 ctx->buffer[58] = (uint8_t)(ctx->bitlen >> 40); 217 ctx->buffer[57] = (uint8_t)(ctx->bitlen >> 48); 218 ctx->buffer[56] = (uint8_t)(ctx->bitlen >> 56); 219 sha256_transform(ctx); 220 221 for (i = 0; i < 4; i++) { 222 hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0xff; 223 hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0xff; 224 hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0xff; 225 hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0xff; 226 hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0xff; 227 hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0xff; 228 hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0xff; 229 hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0xff; 230 } 231 } 232 233 void hmac_sha1( 234 const uint8_t *key, size_t key_len, 235 const uint8_t *data, size_t data_len, 236 uint8_t *output 237 ) { 238 uint8_t k_ipad[64], k_opad[64], tk[20]; 239 struct sha1_ctx ctx; 240 size_t i; 241 242 if (key_len > 64) { 243 sha1_init(&ctx); 244 sha1_update(&ctx, key, key_len); 245 sha1_final(&ctx, tk); 246 key = tk; 247 key_len = 20; 248 } 249 250 memset(k_ipad, 0x36, 64); 251 memset(k_opad, 0x5c, 64); 252 for (i = 0; i < key_len; i++) { 253 k_ipad[i] ^= key[i]; 254 k_opad[i] ^= key[i]; 255 } 256 257 sha1_init(&ctx); 258 sha1_update(&ctx, k_ipad, 64); 259 sha1_update(&ctx, data, data_len); 260 sha1_final(&ctx, output); 261 262 sha1_init(&ctx); 263 sha1_update(&ctx, k_opad, 64); 264 sha1_update(&ctx, output, 20); 265 sha1_final(&ctx, output); 266 } 267 268 void hmac_sha256( 269 const uint8_t *key, size_t key_len, 270 const uint8_t *data, size_t data_len, 271 uint8_t *output 272 ) { 273 uint8_t k_ipad[64], k_opad[64], tk[32]; 274 struct sha256_ctx ctx; 275 size_t i; 276 277 if (key_len > 64) { 278 sha256_init(&ctx); 279 sha256_update(&ctx, key, key_len); 280 sha256_final(&ctx, tk); 281 key = tk; 282 key_len = 32; 283 } 284 285 memset(k_ipad, 0x36, 64); 286 memset(k_opad, 0x5c, 64); 287 for (i = 0; i < key_len; i++) { 288 k_ipad[i] ^= key[i]; 289 k_opad[i] ^= key[i]; 290 } 291 292 sha256_init(&ctx); 293 sha256_update(&ctx, k_ipad, 64); 294 sha256_update(&ctx, data, data_len); 295 sha256_final(&ctx, output); 296 297 sha256_init(&ctx); 298 sha256_update(&ctx, k_opad, 64); 299 sha256_update(&ctx, output, 32); 300 sha256_final(&ctx, output); 301 } 302 303 void pbkdf2( 304 const uint8_t *password, size_t password_len, 305 const uint8_t *salt, size_t salt_len, 306 uint64_t iterations, 307 enum pbkdf2_hash hash, 308 uint8_t *output, size_t output_len 309 ) { 310 size_t hash_len = (hash == PBKDF2_SHA1) ? SHA1_HASH_SIZE : SHA256_HASH_SIZE; 311 size_t l = (output_len + hash_len - 1) / hash_len; 312 size_t r = output_len - (l - 1) * hash_len; 313 314 uint8_t *salt_block = (uint8_t *)malloc(salt_len + 4); 315 uint8_t *u = (uint8_t *)malloc(hash_len); 316 uint8_t *t = (uint8_t *)malloc(hash_len); 317 uint8_t *result = output; 318 size_t i, j; 319 320 for (i = 1; i <= l; i++) { 321 memcpy(salt_block, salt, salt_len); 322 salt_block[salt_len] = (uint8_t)(i >> 24); 323 salt_block[salt_len + 1] = (uint8_t)(i >> 16); 324 salt_block[salt_len + 2] = (uint8_t)(i >> 8); 325 salt_block[salt_len + 3] = (uint8_t)i; 326 327 if (hash == PBKDF2_SHA1) { 328 hmac_sha1(password, password_len, salt_block, salt_len + 4, t); 329 } else { 330 hmac_sha256(password, password_len, salt_block, salt_len + 4, t); 331 } 332 memcpy(u, t, hash_len); 333 334 for (j = 1; j < iterations; j++) { 335 if (hash == PBKDF2_SHA1) { 336 hmac_sha1(password, password_len, u, hash_len, u); 337 } else { 338 hmac_sha256(password, password_len, u, hash_len, u); 339 } 340 for (size_t k = 0; k < hash_len; k++) { 341 t[k] ^= u[k]; 342 } 343 } 344 345 size_t copy_len = (i == l) ? r : hash_len; 346 memcpy(result, t, copy_len); 347 result += copy_len; 348 } 349 350 free(salt_block); 351 free(u); 352 free(t); 353 }