From 371974ed4a6414002536c6784526ed5198dbcf6f Mon Sep 17 00:00:00 2001 From: stelar7 Date: Wed, 5 Apr 2023 15:58:25 +0200 Subject: [PATCH] LibCrypto: Add PBKDF2 --- Tests/LibCrypto/CMakeLists.txt | 1 + Tests/LibCrypto/TestPBKDF2.cpp | 166 +++++++++++++++++++++ Userland/Libraries/LibCrypto/Hash/PBKDF2.h | 84 +++++++++++ 3 files changed, 251 insertions(+) create mode 100644 Tests/LibCrypto/TestPBKDF2.cpp create mode 100644 Userland/Libraries/LibCrypto/Hash/PBKDF2.h diff --git a/Tests/LibCrypto/CMakeLists.txt b/Tests/LibCrypto/CMakeLists.txt index c1c56c2e863..190335243de 100644 --- a/Tests/LibCrypto/CMakeLists.txt +++ b/Tests/LibCrypto/CMakeLists.txt @@ -8,6 +8,7 @@ set(TEST_SOURCES TestEd25519.cpp TestHash.cpp TestHMAC.cpp + TestPBKDF2.cpp TestPoly1305.cpp TestRSA.cpp ) diff --git a/Tests/LibCrypto/TestPBKDF2.cpp b/Tests/LibCrypto/TestPBKDF2.cpp new file mode 100644 index 00000000000..be3400c4148 --- /dev/null +++ b/Tests/LibCrypto/TestPBKDF2.cpp @@ -0,0 +1,166 @@ +/* + * Copyright (c) 2023, stelar7 + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +#include +#include +#include +#include +#include + +// https://www.rfc-editor.org/rfc/rfc6070#section-2 +TEST_CASE(test_vector_1_sha1) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, + 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06, + 0x2f, 0xe0, 0x37, 0xa6 + }; + u32 iterations = 1; + u32 derived_key_length_bytes = 20; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_2_sha1) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, + 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0, + 0xd8, 0xde, 0x89, 0x57 + }; + u32 iterations = 2; + u32 derived_key_length_bytes = 20; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_1_sha256) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0x12, 0x0f, 0xb6, 0xcf, 0xfc, 0xf8, 0xb3, 0x2c, + 0x43, 0xe7, 0x22, 0x52, 0x56, 0xc4, 0xf8, 0x37, + 0xa8, 0x65, 0x48, 0xc9 + }; + u32 iterations = 1; + u32 derived_key_length_bytes = 20; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_2_sha256) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, + 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, + 0x2a, 0x30, 0x3f, 0x8e + }; + u32 iterations = 2; + u32 derived_key_length_bytes = 20; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_3_sha256) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0xc5, 0xe4, 0x78, 0xd5, 0x92, 0x88, 0xc8, 0x41, + 0xaa, 0x53, 0x0d, 0xb6, 0x84, 0x5c, 0x4c, 0x8d, + 0x96, 0x28, 0x93, 0xa0 + }; + u32 iterations = 4096; + u32 derived_key_length_bytes = 20; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_4_sha256) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, + 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44, + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + Array const salt { + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, + 0x73, 0x61, 0x6c, 0x74 + }; + Array const expected { + 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, + 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, + 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, + 0x1c + }; + u32 iterations = 4096; + u32 derived_key_length_bytes = 25; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} + +TEST_CASE(test_vector_5_sha256) +{ + Array const password { + 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, + 0x64 + }; + Array const salt { + 0x73, 0x61, 0x00, 0x6c, 0x74 + }; + Array const expected { + 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, + 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87 + }; + u32 iterations = 4096; + u32 derived_key_length_bytes = 16; + + auto result = MUST(Crypto::Hash::PBKDF2::derive_key>(password, salt, iterations, derived_key_length_bytes)); + + EXPECT_EQ(result, expected.span()); +} diff --git a/Userland/Libraries/LibCrypto/Hash/PBKDF2.h b/Userland/Libraries/LibCrypto/Hash/PBKDF2.h new file mode 100644 index 00000000000..ae940eb31a5 --- /dev/null +++ b/Userland/Libraries/LibCrypto/Hash/PBKDF2.h @@ -0,0 +1,84 @@ +/* + * Copyright (c) 2023, stelar7 + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +#pragma once + +#include +#include + +namespace Crypto::Hash { + +// https://www.rfc-editor.org/rfc/rfc2898#section-5.2 +class PBKDF2 { +public: + template + static ErrorOr derive_key(ReadonlyBytes password, ReadonlyBytes salt, u32 iterations, u32 key_length_bytes) + requires requires(PRF t) { + t.digest_size(); + } + { + PRF prf(password); + + // Note: hLen denotes the length in octets of the pseudorandom function output + u32 h_len = prf.digest_size(); + + // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop. + if (key_length_bytes > (AK::pow(2.0, 32.0) - 1) * h_len) + return Error::from_string_view("derived key too long"sv); + + // 2 . Let l be the number of hLen-octet blocks in the derived key rounding up, + // and let r be the number of octets in the last block + u32 l = AK::ceil_div(key_length_bytes, h_len); + u32 r = key_length_bytes - (l - 1) * h_len; + + // 3. For each block of the derived key apply the function F defined + // below to the password P, the salt S, the iteration count c, and + // the block index to compute the block: + + ByteBuffer ui = TRY(ByteBuffer::create_zeroed(h_len)); + ByteBuffer ti = TRY(ByteBuffer::create_zeroed(h_len)); + ByteBuffer key = TRY(ByteBuffer::create_zeroed(key_length_bytes)); + + // T_i = F (P, S, c, i) + u8 iteration_bytes[4]; + for (u32 i = 1; i <= l; i++) { + iteration_bytes[3] = i; + iteration_bytes[2] = ((i >> 8) & 0xff); + iteration_bytes[1] = ((i >> 16) & 0xff); + iteration_bytes[0] = ((i >> 24) & 0xff); + + prf.update(salt); + prf.update(ReadonlyBytes { iteration_bytes, 4 }); + auto digest = prf.digest(); + ui.overwrite(0, digest.immutable_data(), h_len); + ti.overwrite(0, digest.immutable_data(), h_len); + + // U_1 = PRF (P, S || INT (i)) + // U_j = PRF (P, U_{j-1}) + + // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + for (u32 j = 2; j <= iterations; j++) { + prf.update(ui.bytes()); + auto digest_inner = prf.digest(); + ui.overwrite(0, digest_inner.immutable_data(), h_len); + + UnsignedBigInteger ti_temp = UnsignedBigInteger::import_data(ti.data(), ti.size()); + UnsignedBigInteger ui_temp = UnsignedBigInteger::import_data(ui.data(), ui.size()); + UnsignedBigInteger r_temp = ti_temp.bitwise_xor(ui_temp); + + r_temp.export_data(ti.bytes()); + } + + // 4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK: + key.overwrite((i - 1) * h_len, ti.data(), i == l ? r : h_len); + } + + // 5. Output the derived key DK + return key; + } +}; + +}