2020-09-11 22:10:27 +01:00
|
|
|
const std = @import("std");
|
|
|
|
const mem = std.mem;
|
2020-09-13 20:39:54 +01:00
|
|
|
const maxInt = std.math.maxInt;
|
2021-04-20 18:57:27 +01:00
|
|
|
const OutputTooLongError = std.crypto.errors.OutputTooLongError;
|
|
|
|
const WeakParametersError = std.crypto.errors.WeakParametersError;
|
2020-09-13 16:15:28 +01:00
|
|
|
|
2020-09-11 22:10:27 +01:00
|
|
|
// RFC 2898 Section 5.2
|
|
|
|
//
|
|
|
|
// FromSpec:
|
|
|
|
//
|
|
|
|
// PBKDF2 applies a pseudorandom function (see Appendix B.1 for an
|
|
|
|
// example) to derive keys. The length of the derived key is essentially
|
|
|
|
// unbounded. (However, the maximum effective search space for the
|
|
|
|
// derived key may be limited by the structure of the underlying
|
|
|
|
// pseudorandom function. See Appendix B.1 for further discussion.)
|
|
|
|
// PBKDF2 is recommended for new applications.
|
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// PBKDF2 (P, S, c, dk_len)
|
2020-09-11 22:10:27 +01:00
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// Options: PRF underlying pseudorandom function (h_len
|
2020-09-11 22:10:27 +01:00
|
|
|
// denotes the length in octets of the
|
|
|
|
// pseudorandom function output)
|
|
|
|
//
|
|
|
|
// Input: P password, an octet string
|
|
|
|
// S salt, an octet string
|
|
|
|
// c iteration count, a positive integer
|
2021-03-16 18:08:38 +00:00
|
|
|
// dk_len intended length in octets of the derived
|
2020-09-11 22:10:27 +01:00
|
|
|
// key, a positive integer, at most
|
2021-03-16 18:08:38 +00:00
|
|
|
// (2^32 - 1) * h_len
|
2020-09-11 22:10:27 +01:00
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// Output: DK derived key, a dk_len-octet string
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini.
|
|
|
|
|
2020-09-13 14:59:36 +01:00
|
|
|
/// Apply PBKDF2 to generate a key from a password.
|
2020-09-12 23:17:04 +01:00
|
|
|
///
|
2020-09-13 15:50:46 +01:00
|
|
|
/// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132.
|
|
|
|
///
|
2021-03-16 18:08:38 +00:00
|
|
|
/// dk: Slice of appropriate size for generated key. Generally 16 or 32 bytes in length.
|
2020-09-13 20:39:54 +01:00
|
|
|
/// May be uninitialized. All bytes will be overwritten.
|
|
|
|
/// Maximum size is `maxInt(u32) * Hash.digest_length`
|
2020-09-12 23:17:04 +01:00
|
|
|
/// It is a programming error to pass buffer longer than the maximum size.
|
|
|
|
///
|
|
|
|
/// password: Arbitrary sequence of bytes of any length, including empty.
|
|
|
|
///
|
|
|
|
/// salt: Arbitrary sequence of bytes of any length, including empty. A common length is 8 bytes.
|
|
|
|
///
|
|
|
|
/// rounds: Iteration count. Must be greater than 0. Common values range from 1,000 to 100,000.
|
2020-09-12 23:33:53 +01:00
|
|
|
/// Larger iteration counts improve security by increasing the time required to compute
|
2021-03-16 18:08:38 +00:00
|
|
|
/// the dk. It is common to tune this parameter to achieve approximately 100ms.
|
2020-09-12 23:17:04 +01:00
|
|
|
///
|
2023-05-01 17:57:05 +01:00
|
|
|
/// Prf: Pseudo-random function to use. A common choice is `std.crypto.auth.hmac.sha2.HmacSha256`.
|
2021-04-20 18:57:27 +01:00
|
|
|
pub fn pbkdf2(dk: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) (WeakParametersError || OutputTooLongError)!void {
|
2021-03-13 14:11:35 +00:00
|
|
|
if (rounds < 1) return error.WeakParameters;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = dk.len;
|
|
|
|
const h_len = Prf.mac_length;
|
|
|
|
comptime std.debug.assert(h_len >= 1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// FromSpec:
|
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// 1. If dk_len > maxInt(u32) * h_len, output "derived key too long" and
|
2020-09-11 22:10:27 +01:00
|
|
|
// stop.
|
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
if (dk_len / h_len >= maxInt(u32)) {
|
2021-03-16 17:34:02 +00:00
|
|
|
// Counter starts at 1 and is 32 bit, so if we have to return more blocks, we would overflow
|
2021-03-13 14:11:35 +00:00
|
|
|
return error.OutputTooLong;
|
2020-09-13 20:39:54 +01:00
|
|
|
}
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// FromSpec:
|
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// 2. Let l be the number of h_len-long blocks of bytes in the derived key,
|
2020-09-13 20:39:54 +01:00
|
|
|
// rounding up, and let r be the number of bytes in the last
|
2020-09-11 22:10:27 +01:00
|
|
|
// block
|
|
|
|
//
|
2020-09-13 20:39:54 +01:00
|
|
|
|
2023-06-22 18:46:56 +01:00
|
|
|
const blocks_count = @as(u32, @intCast(std.math.divCeil(usize, dk_len, h_len) catch unreachable));
|
2021-03-16 18:08:38 +00:00
|
|
|
var r = dk_len % h_len;
|
|
|
|
if (r == 0) {
|
|
|
|
r = h_len;
|
|
|
|
}
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// FromSpec:
|
|
|
|
//
|
|
|
|
// 3. For each block of the derived key apply the function F defined
|
|
|
|
// below to the password P, the salt S, the iteration count c, and
|
|
|
|
// the block index to compute the block:
|
|
|
|
//
|
|
|
|
// T_1 = F (P, S, c, 1) ,
|
|
|
|
// T_2 = F (P, S, c, 2) ,
|
|
|
|
// ...
|
|
|
|
// T_l = F (P, S, c, l) ,
|
|
|
|
//
|
|
|
|
// where the function F is defined as the exclusive-or sum of the
|
|
|
|
// first c iterates of the underlying pseudorandom function PRF
|
|
|
|
// applied to the password P and the concatenation of the salt S
|
|
|
|
// and the block index i:
|
|
|
|
//
|
|
|
|
// F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
|
|
|
|
//
|
|
|
|
// where
|
|
|
|
//
|
|
|
|
// U_1 = PRF (P, S || INT (i)) ,
|
|
|
|
// U_2 = PRF (P, U_1) ,
|
|
|
|
// ...
|
|
|
|
// U_c = PRF (P, U_{c-1}) .
|
|
|
|
//
|
|
|
|
// Here, INT (i) is a four-octet encoding of the integer i, most
|
|
|
|
// significant octet first.
|
|
|
|
//
|
2021-03-16 18:08:38 +00:00
|
|
|
// 4. Concatenate the blocks and extract the first dk_len octets to
|
2020-09-11 22:10:27 +01:00
|
|
|
// produce a derived key DK:
|
|
|
|
//
|
|
|
|
// DK = T_1 || T_2 || ... || T_l<0..r-1>
|
2021-03-16 18:08:38 +00:00
|
|
|
|
|
|
|
var block: u32 = 0;
|
|
|
|
while (block < blocks_count) : (block += 1) {
|
|
|
|
var prev_block: [h_len]u8 = undefined;
|
|
|
|
var new_block: [h_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// U_1 = PRF (P, S || INT (i))
|
2021-03-16 18:08:38 +00:00
|
|
|
const block_index = mem.toBytes(mem.nativeToBig(u32, block + 1)); // Block index starts at 0001
|
2020-09-11 22:10:27 +01:00
|
|
|
var ctx = Prf.init(password);
|
|
|
|
ctx.update(salt);
|
2021-03-16 18:08:38 +00:00
|
|
|
ctx.update(block_index[0..]);
|
|
|
|
ctx.final(prev_block[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// Choose portion of DK to write into (T_n) and initialize
|
2021-03-16 18:08:38 +00:00
|
|
|
const offset = block * h_len;
|
|
|
|
const block_len = if (block != blocks_count - 1) h_len else r;
|
|
|
|
const dk_block: []u8 = dk[offset..][0..block_len];
|
2023-04-26 21:57:08 +01:00
|
|
|
@memcpy(dk_block, prev_block[0..dk_block.len]);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
var i: u32 = 1;
|
|
|
|
while (i < rounds) : (i += 1) {
|
|
|
|
// U_c = PRF (P, U_{c-1})
|
2021-03-16 18:08:38 +00:00
|
|
|
Prf.create(&new_block, prev_block[0..], password);
|
2023-04-26 21:57:08 +01:00
|
|
|
prev_block = new_block;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
|
2023-02-18 16:02:57 +00:00
|
|
|
for (dk_block, 0..) |_, j| {
|
2021-03-16 18:08:38 +00:00
|
|
|
dk_block[j] ^= new_block[j];
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const htest = @import("test.zig");
|
2020-09-13 20:39:54 +01:00
|
|
|
const HmacSha1 = std.crypto.auth.hmac.HmacSha1;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
// RFC 6070 PBKDF2 HMAC-SHA1 Test Vectors
|
2021-03-16 18:08:38 +00:00
|
|
|
|
2020-09-11 22:10:27 +01:00
|
|
|
test "RFC 6070 one iteration" {
|
|
|
|
const p = "password";
|
|
|
|
const s = "salt";
|
|
|
|
const c = 1;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 20;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk: [dk_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test "RFC 6070 two iterations" {
|
|
|
|
const p = "password";
|
|
|
|
const s = "salt";
|
|
|
|
const c = 2;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 20;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk: [dk_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test "RFC 6070 4096 iterations" {
|
|
|
|
const p = "password";
|
|
|
|
const s = "salt";
|
|
|
|
const c = 4096;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 20;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk: [dk_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "4b007901b765489abead49d926f721d065a429c1";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test "RFC 6070 16,777,216 iterations" {
|
|
|
|
// These iteration tests are slow so we always skip them. Results have been verified.
|
|
|
|
if (true) {
|
|
|
|
return error.SkipZigTest;
|
|
|
|
}
|
|
|
|
|
|
|
|
const p = "password";
|
|
|
|
const s = "salt";
|
|
|
|
const c = 16777216;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 20;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk = [_]u8{0} ** dk_len;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test "RFC 6070 multi-block salt and password" {
|
|
|
|
const p = "passwordPASSWORDpassword";
|
|
|
|
const s = "saltSALTsaltSALTsaltSALTsaltSALTsalt";
|
|
|
|
const c = 4096;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 25;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk: [dk_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
test "RFC 6070 embedded NUL" {
|
|
|
|
const p = "pass\x00word";
|
|
|
|
const s = "sa\x00lt";
|
|
|
|
const c = 4096;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 16;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
var dk: [dk_len]u8 = undefined;
|
2020-09-11 22:10:27 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(&dk, p, s, c, HmacSha1);
|
2020-09-11 22:10:27 +01:00
|
|
|
|
|
|
|
const expected = "56fa6aa75548099dcc37d7f03425e0c3";
|
|
|
|
|
2021-05-04 18:47:26 +01:00
|
|
|
try htest.assertEqual(expected, dk[0..]);
|
2020-09-11 22:10:27 +01:00
|
|
|
}
|
2020-09-12 20:02:00 +01:00
|
|
|
|
2021-03-16 18:08:38 +00:00
|
|
|
test "Very large dk_len" {
|
2020-09-12 23:17:04 +01:00
|
|
|
// This test allocates 8GB of memory and is expected to take several hours to run.
|
2020-09-12 20:02:00 +01:00
|
|
|
if (true) {
|
|
|
|
return error.SkipZigTest;
|
|
|
|
}
|
|
|
|
const p = "password";
|
|
|
|
const s = "salt";
|
|
|
|
const c = 1;
|
2021-03-16 18:08:38 +00:00
|
|
|
const dk_len = 1 << 33;
|
2020-09-12 20:02:00 +01:00
|
|
|
|
2023-11-10 05:27:17 +00:00
|
|
|
const dk = try std.testing.allocator.alloc(u8, dk_len);
|
|
|
|
defer std.testing.allocator.free(dk);
|
2020-09-12 20:02:00 +01:00
|
|
|
|
2020-09-12 23:33:53 +01:00
|
|
|
// Just verify this doesn't crash with an overflow
|
2021-03-16 18:08:38 +00:00
|
|
|
try pbkdf2(dk, p, s, c, HmacSha1);
|
2020-09-12 20:02:00 +01:00
|
|
|
}
|