mirror of
https://github.com/ziglang/zig.git
synced 2024-11-26 15:12:31 +00:00
std.crypto.bcrypt: implement the actual OpenSSH KDF (#22027)
Some checks are pending
ci / x86_64-linux-debug (push) Waiting to run
ci / x86_64-linux-release (push) Waiting to run
ci / aarch64-linux-debug (push) Waiting to run
ci / aarch64-linux-release (push) Waiting to run
ci / x86_64-macos-release (push) Waiting to run
ci / aarch64-macos-debug (push) Waiting to run
ci / aarch64-macos-release (push) Waiting to run
ci / x86_64-windows-debug (push) Waiting to run
ci / x86_64-windows-release (push) Waiting to run
ci / aarch64-windows (push) Waiting to run
Some checks are pending
ci / x86_64-linux-debug (push) Waiting to run
ci / x86_64-linux-release (push) Waiting to run
ci / aarch64-linux-debug (push) Waiting to run
ci / aarch64-linux-release (push) Waiting to run
ci / x86_64-macos-release (push) Waiting to run
ci / aarch64-macos-debug (push) Waiting to run
ci / aarch64-macos-release (push) Waiting to run
ci / x86_64-windows-debug (push) Waiting to run
ci / x86_64-windows-release (push) Waiting to run
ci / aarch64-windows (push) Waiting to run
They way OpenSSH does key derivation to protect keys using a password is not the standard PBKDF2, but something funky, picking key material non-linearly.
This commit is contained in:
parent
636308a17d
commit
73dcd19140
@ -563,15 +563,57 @@ const pbkdf_prf = struct {
|
||||
};
|
||||
|
||||
/// bcrypt-pbkdf is a key derivation function based on bcrypt.
|
||||
/// This is the function used in OpenSSH to derive encryption keys from passphrases.
|
||||
///
|
||||
/// This implementation is compatible with the OpenBSD implementation (https://github.com/openbsd/src/blob/master/lib/libutil/bcrypt_pbkdf.c).
|
||||
///
|
||||
/// Unlike the password hashing function `bcrypt`, this function doesn't silently truncate passwords longer than 72 bytes.
|
||||
pub fn pbkdf(pass: []const u8, salt: []const u8, key: []u8, rounds: u32) !void {
|
||||
try crypto.pwhash.pbkdf2(key, pass, salt, rounds, pbkdf_prf);
|
||||
}
|
||||
|
||||
/// The function used in OpenSSH to derive encryption keys from passphrases.
|
||||
///
|
||||
/// This implementation is compatible with the OpenBSD implementation (https://github.com/openbsd/src/blob/master/lib/libutil/bcrypt_pbkdf.c).
|
||||
pub fn opensshKdf(pass: []const u8, salt: []const u8, key: []u8, rounds: u32) !void {
|
||||
var tmp: [32]u8 = undefined;
|
||||
var tmp2: [32]u8 = undefined;
|
||||
if (rounds < 1 or pass.len == 0 or salt.len == 0 or key.len == 0 or key.len > tmp.len * tmp.len) {
|
||||
return error.InvalidInput;
|
||||
}
|
||||
var sha2pass: [Sha512.digest_length]u8 = undefined;
|
||||
Sha512.hash(pass, &sha2pass, .{});
|
||||
const stride = (key.len + tmp.len - 1) / tmp.len;
|
||||
var amt = (key.len + stride - 1) / stride;
|
||||
if (math.shr(usize, key.len, 32) >= amt) {
|
||||
return error.InvalidInput;
|
||||
}
|
||||
var key_remainder = key.len;
|
||||
var count: u32 = 1;
|
||||
while (key_remainder > 0) : (count += 1) {
|
||||
var count_salt: [4]u8 = undefined;
|
||||
std.mem.writeInt(u32, count_salt[0..], count, .big);
|
||||
var sha2salt: [Sha512.digest_length]u8 = undefined;
|
||||
var h = Sha512.init(.{});
|
||||
h.update(salt);
|
||||
h.update(&count_salt);
|
||||
h.final(&sha2salt);
|
||||
tmp2 = pbkdf_prf.hash(sha2pass, sha2salt);
|
||||
tmp = tmp2;
|
||||
for (1..rounds) |_| {
|
||||
Sha512.hash(&tmp2, &sha2salt, .{});
|
||||
tmp2 = pbkdf_prf.hash(sha2pass, sha2salt);
|
||||
for (&tmp, tmp2) |*o, t| o.* ^= t;
|
||||
}
|
||||
amt = @min(amt, key_remainder);
|
||||
key_remainder -= for (0..amt) |i| {
|
||||
const dest = i * stride + (count - 1);
|
||||
if (dest >= key.len) break i;
|
||||
key[dest] = tmp[i];
|
||||
} else amt;
|
||||
}
|
||||
crypto.secureZero(u8, &tmp);
|
||||
crypto.secureZero(u8, &tmp2);
|
||||
crypto.secureZero(u8, &sha2pass);
|
||||
}
|
||||
|
||||
const crypt_format = struct {
|
||||
/// String prefix for bcrypt
|
||||
pub const prefix = "$2";
|
||||
@ -847,3 +889,13 @@ test "bcrypt phc format" {
|
||||
verify_options,
|
||||
);
|
||||
}
|
||||
|
||||
test "openssh kdf" {
|
||||
var key: [100]u8 = undefined;
|
||||
const pass = "password";
|
||||
const salt = "salt";
|
||||
const rounds = 5;
|
||||
try opensshKdf(pass, salt, &key, rounds);
|
||||
const expected = [_]u8{ 65, 207, 68, 58, 55, 252, 114, 141, 255, 65, 216, 175, 5, 92, 235, 68, 220, 92, 118, 161, 40, 13, 241, 190, 56, 152, 69, 136, 41, 214, 51, 205, 37, 221, 101, 59, 105, 73, 133, 36, 14, 59, 94, 212, 111, 107, 109, 237, 213, 235, 246, 119, 59, 76, 45, 130, 142, 81, 178, 231, 161, 158, 138, 108, 18, 162, 26, 50, 218, 251, 23, 66, 2, 232, 20, 202, 216, 46, 12, 250, 247, 246, 252, 23, 155, 74, 77, 195, 120, 113, 57, 88, 126, 81, 9, 249, 72, 18, 208, 160 };
|
||||
try testing.expectEqualSlices(u8, &key, &expected);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user