1*1323ec57SEd Maste /* $OpenBSD: bcrypt_pbkdf.c,v 1.16 2020/08/02 18:35:48 tb Exp $ */
2f7167e0eSDag-Erling Smørgrav /*
3f7167e0eSDag-Erling Smørgrav * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4f7167e0eSDag-Erling Smørgrav *
5f7167e0eSDag-Erling Smørgrav * Permission to use, copy, modify, and distribute this software for any
6f7167e0eSDag-Erling Smørgrav * purpose with or without fee is hereby granted, provided that the above
7f7167e0eSDag-Erling Smørgrav * copyright notice and this permission notice appear in all copies.
8f7167e0eSDag-Erling Smørgrav *
9f7167e0eSDag-Erling Smørgrav * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10f7167e0eSDag-Erling Smørgrav * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11f7167e0eSDag-Erling Smørgrav * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12f7167e0eSDag-Erling Smørgrav * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13f7167e0eSDag-Erling Smørgrav * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14f7167e0eSDag-Erling Smørgrav * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15f7167e0eSDag-Erling Smørgrav * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16f7167e0eSDag-Erling Smørgrav */
17f7167e0eSDag-Erling Smørgrav
1819261079SEd Maste /* OPENBSD ORIGINAL: lib/libutil/bcrypt_pbkdf.c */
1919261079SEd Maste
20*1323ec57SEd Maste /* This version has been modified to use SHA512 from SUPERCOP */
21*1323ec57SEd Maste
22f7167e0eSDag-Erling Smørgrav #include "includes.h"
23f7167e0eSDag-Erling Smørgrav
24f7167e0eSDag-Erling Smørgrav #ifndef HAVE_BCRYPT_PBKDF
25f7167e0eSDag-Erling Smørgrav
26f7167e0eSDag-Erling Smørgrav #include <sys/types.h>
27f7167e0eSDag-Erling Smørgrav
28f7167e0eSDag-Erling Smørgrav #ifdef HAVE_STDLIB_H
29f7167e0eSDag-Erling Smørgrav # include <stdlib.h>
30f7167e0eSDag-Erling Smørgrav #endif
31f7167e0eSDag-Erling Smørgrav #include <string.h>
32f7167e0eSDag-Erling Smørgrav
33f7167e0eSDag-Erling Smørgrav #ifdef HAVE_BLF_H
34f7167e0eSDag-Erling Smørgrav # include <blf.h>
35f7167e0eSDag-Erling Smørgrav #endif
36f7167e0eSDag-Erling Smørgrav
37f7167e0eSDag-Erling Smørgrav #include "crypto_api.h"
38bc5531deSDag-Erling Smørgrav #ifdef SHA512_DIGEST_LENGTH
39bc5531deSDag-Erling Smørgrav # undef SHA512_DIGEST_LENGTH
40bc5531deSDag-Erling Smørgrav #endif
41f7167e0eSDag-Erling Smørgrav #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
42f7167e0eSDag-Erling Smørgrav
43557f75e5SDag-Erling Smørgrav #define MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
44557f75e5SDag-Erling Smørgrav
45f7167e0eSDag-Erling Smørgrav /*
46f7167e0eSDag-Erling Smørgrav * pkcs #5 pbkdf2 implementation using the "bcrypt" hash
47f7167e0eSDag-Erling Smørgrav *
48f7167e0eSDag-Erling Smørgrav * The bcrypt hash function is derived from the bcrypt password hashing
49f7167e0eSDag-Erling Smørgrav * function with the following modifications:
50f7167e0eSDag-Erling Smørgrav * 1. The input password and salt are preprocessed with SHA512.
51f7167e0eSDag-Erling Smørgrav * 2. The output length is expanded to 256 bits.
52*1323ec57SEd Maste * 3. Subsequently the magic string to be encrypted is lengthened and modifed
53f7167e0eSDag-Erling Smørgrav * to "OxychromaticBlowfishSwatDynamite"
54f7167e0eSDag-Erling Smørgrav * 4. The hash function is defined to perform 64 rounds of initial state
55f7167e0eSDag-Erling Smørgrav * expansion. (More rounds are performed by iterating the hash.)
56f7167e0eSDag-Erling Smørgrav *
57f7167e0eSDag-Erling Smørgrav * Note that this implementation pulls the SHA512 operations into the caller
58f7167e0eSDag-Erling Smørgrav * as a performance optimization.
59f7167e0eSDag-Erling Smørgrav *
60f7167e0eSDag-Erling Smørgrav * One modification from official pbkdf2. Instead of outputting key material
61f7167e0eSDag-Erling Smørgrav * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
62bc5531deSDag-Erling Smørgrav * generate (e.g.) 512 bits of key material for use as two 256 bit keys, an
63bc5531deSDag-Erling Smørgrav * attacker can merely run once through the outer loop, but the user
64f7167e0eSDag-Erling Smørgrav * always runs it twice. Shuffling output bytes requires computing the
65f7167e0eSDag-Erling Smørgrav * entirety of the key material to assemble any subkey. This is something a
66f7167e0eSDag-Erling Smørgrav * wise caller could do; we just do it for you.
67f7167e0eSDag-Erling Smørgrav */
68f7167e0eSDag-Erling Smørgrav
69557f75e5SDag-Erling Smørgrav #define BCRYPT_WORDS 8
70557f75e5SDag-Erling Smørgrav #define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)
71f7167e0eSDag-Erling Smørgrav
72f7167e0eSDag-Erling Smørgrav static void
bcrypt_hash(uint8_t * sha2pass,uint8_t * sha2salt,uint8_t * out)73*1323ec57SEd Maste bcrypt_hash(uint8_t *sha2pass, uint8_t *sha2salt, uint8_t *out)
74f7167e0eSDag-Erling Smørgrav {
75f7167e0eSDag-Erling Smørgrav blf_ctx state;
76*1323ec57SEd Maste uint8_t ciphertext[BCRYPT_HASHSIZE] =
77f7167e0eSDag-Erling Smørgrav "OxychromaticBlowfishSwatDynamite";
78557f75e5SDag-Erling Smørgrav uint32_t cdata[BCRYPT_WORDS];
79f7167e0eSDag-Erling Smørgrav int i;
80f7167e0eSDag-Erling Smørgrav uint16_t j;
81f7167e0eSDag-Erling Smørgrav size_t shalen = SHA512_DIGEST_LENGTH;
82f7167e0eSDag-Erling Smørgrav
83f7167e0eSDag-Erling Smørgrav /* key expansion */
84f7167e0eSDag-Erling Smørgrav Blowfish_initstate(&state);
85f7167e0eSDag-Erling Smørgrav Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen);
86f7167e0eSDag-Erling Smørgrav for (i = 0; i < 64; i++) {
87f7167e0eSDag-Erling Smørgrav Blowfish_expand0state(&state, sha2salt, shalen);
88f7167e0eSDag-Erling Smørgrav Blowfish_expand0state(&state, sha2pass, shalen);
89f7167e0eSDag-Erling Smørgrav }
90f7167e0eSDag-Erling Smørgrav
91f7167e0eSDag-Erling Smørgrav /* encryption */
92f7167e0eSDag-Erling Smørgrav j = 0;
93557f75e5SDag-Erling Smørgrav for (i = 0; i < BCRYPT_WORDS; i++)
94f7167e0eSDag-Erling Smørgrav cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
95f7167e0eSDag-Erling Smørgrav &j);
96f7167e0eSDag-Erling Smørgrav for (i = 0; i < 64; i++)
97*1323ec57SEd Maste blf_enc(&state, cdata, BCRYPT_WORDS / 2);
98f7167e0eSDag-Erling Smørgrav
99f7167e0eSDag-Erling Smørgrav /* copy out */
100557f75e5SDag-Erling Smørgrav for (i = 0; i < BCRYPT_WORDS; i++) {
101f7167e0eSDag-Erling Smørgrav out[4 * i + 3] = (cdata[i] >> 24) & 0xff;
102f7167e0eSDag-Erling Smørgrav out[4 * i + 2] = (cdata[i] >> 16) & 0xff;
103f7167e0eSDag-Erling Smørgrav out[4 * i + 1] = (cdata[i] >> 8) & 0xff;
104f7167e0eSDag-Erling Smørgrav out[4 * i + 0] = cdata[i] & 0xff;
105f7167e0eSDag-Erling Smørgrav }
106f7167e0eSDag-Erling Smørgrav
107f7167e0eSDag-Erling Smørgrav /* zap */
108bc5531deSDag-Erling Smørgrav explicit_bzero(ciphertext, sizeof(ciphertext));
109bc5531deSDag-Erling Smørgrav explicit_bzero(cdata, sizeof(cdata));
110bc5531deSDag-Erling Smørgrav explicit_bzero(&state, sizeof(state));
111f7167e0eSDag-Erling Smørgrav }
112f7167e0eSDag-Erling Smørgrav
113f7167e0eSDag-Erling Smørgrav int
bcrypt_pbkdf(const char * pass,size_t passlen,const uint8_t * salt,size_t saltlen,uint8_t * key,size_t keylen,unsigned int rounds)114*1323ec57SEd Maste bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltlen,
115*1323ec57SEd Maste uint8_t *key, size_t keylen, unsigned int rounds)
116f7167e0eSDag-Erling Smørgrav {
117*1323ec57SEd Maste uint8_t sha2pass[SHA512_DIGEST_LENGTH];
118*1323ec57SEd Maste uint8_t sha2salt[SHA512_DIGEST_LENGTH];
119*1323ec57SEd Maste uint8_t out[BCRYPT_HASHSIZE];
120*1323ec57SEd Maste uint8_t tmpout[BCRYPT_HASHSIZE];
121*1323ec57SEd Maste uint8_t *countsalt;
122f7167e0eSDag-Erling Smørgrav size_t i, j, amt, stride;
123f7167e0eSDag-Erling Smørgrav uint32_t count;
124bc5531deSDag-Erling Smørgrav size_t origkeylen = keylen;
125f7167e0eSDag-Erling Smørgrav
126f7167e0eSDag-Erling Smørgrav /* nothing crazy */
127f7167e0eSDag-Erling Smørgrav if (rounds < 1)
128*1323ec57SEd Maste goto bad;
129f7167e0eSDag-Erling Smørgrav if (passlen == 0 || saltlen == 0 || keylen == 0 ||
130f7167e0eSDag-Erling Smørgrav keylen > sizeof(out) * sizeof(out) || saltlen > 1<<20)
131*1323ec57SEd Maste goto bad;
132f7167e0eSDag-Erling Smørgrav if ((countsalt = calloc(1, saltlen + 4)) == NULL)
133*1323ec57SEd Maste goto bad;
134f7167e0eSDag-Erling Smørgrav stride = (keylen + sizeof(out) - 1) / sizeof(out);
135f7167e0eSDag-Erling Smørgrav amt = (keylen + stride - 1) / stride;
136f7167e0eSDag-Erling Smørgrav
137f7167e0eSDag-Erling Smørgrav memcpy(countsalt, salt, saltlen);
138f7167e0eSDag-Erling Smørgrav
139f7167e0eSDag-Erling Smørgrav /* collapse password */
140f7167e0eSDag-Erling Smørgrav crypto_hash_sha512(sha2pass, pass, passlen);
141f7167e0eSDag-Erling Smørgrav
142f7167e0eSDag-Erling Smørgrav /* generate key, sizeof(out) at a time */
143f7167e0eSDag-Erling Smørgrav for (count = 1; keylen > 0; count++) {
144f7167e0eSDag-Erling Smørgrav countsalt[saltlen + 0] = (count >> 24) & 0xff;
145f7167e0eSDag-Erling Smørgrav countsalt[saltlen + 1] = (count >> 16) & 0xff;
146f7167e0eSDag-Erling Smørgrav countsalt[saltlen + 2] = (count >> 8) & 0xff;
147f7167e0eSDag-Erling Smørgrav countsalt[saltlen + 3] = count & 0xff;
148f7167e0eSDag-Erling Smørgrav
149f7167e0eSDag-Erling Smørgrav /* first round, salt is salt */
150f7167e0eSDag-Erling Smørgrav crypto_hash_sha512(sha2salt, countsalt, saltlen + 4);
151f7167e0eSDag-Erling Smørgrav
152f7167e0eSDag-Erling Smørgrav bcrypt_hash(sha2pass, sha2salt, tmpout);
153f7167e0eSDag-Erling Smørgrav memcpy(out, tmpout, sizeof(out));
154f7167e0eSDag-Erling Smørgrav
155f7167e0eSDag-Erling Smørgrav for (i = 1; i < rounds; i++) {
156f7167e0eSDag-Erling Smørgrav /* subsequent rounds, salt is previous output */
157f7167e0eSDag-Erling Smørgrav crypto_hash_sha512(sha2salt, tmpout, sizeof(tmpout));
158f7167e0eSDag-Erling Smørgrav bcrypt_hash(sha2pass, sha2salt, tmpout);
159f7167e0eSDag-Erling Smørgrav for (j = 0; j < sizeof(out); j++)
160f7167e0eSDag-Erling Smørgrav out[j] ^= tmpout[j];
161f7167e0eSDag-Erling Smørgrav }
162f7167e0eSDag-Erling Smørgrav
163f7167e0eSDag-Erling Smørgrav /*
164557f75e5SDag-Erling Smørgrav * pbkdf2 deviation: output the key material non-linearly.
165f7167e0eSDag-Erling Smørgrav */
166557f75e5SDag-Erling Smørgrav amt = MINIMUM(amt, keylen);
167bc5531deSDag-Erling Smørgrav for (i = 0; i < amt; i++) {
168bc5531deSDag-Erling Smørgrav size_t dest = i * stride + (count - 1);
169bc5531deSDag-Erling Smørgrav if (dest >= origkeylen)
170bc5531deSDag-Erling Smørgrav break;
171bc5531deSDag-Erling Smørgrav key[dest] = out[i];
172bc5531deSDag-Erling Smørgrav }
173bc5531deSDag-Erling Smørgrav keylen -= i;
174f7167e0eSDag-Erling Smørgrav }
175f7167e0eSDag-Erling Smørgrav
176f7167e0eSDag-Erling Smørgrav /* zap */
177*1323ec57SEd Maste freezero(countsalt, saltlen + 4);
178bc5531deSDag-Erling Smørgrav explicit_bzero(out, sizeof(out));
179*1323ec57SEd Maste explicit_bzero(tmpout, sizeof(tmpout));
180f7167e0eSDag-Erling Smørgrav
181f7167e0eSDag-Erling Smørgrav return 0;
182*1323ec57SEd Maste
183*1323ec57SEd Maste bad:
184*1323ec57SEd Maste /* overwrite with random in case caller doesn't check return code */
185*1323ec57SEd Maste arc4random_buf(key, keylen);
186*1323ec57SEd Maste return -1;
187f7167e0eSDag-Erling Smørgrav }
188f7167e0eSDag-Erling Smørgrav #endif /* HAVE_BCRYPT_PBKDF */
189