pbkdf.go 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
  1. // Copyright 2015 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package pkcs12
  5. import (
  6. "bytes"
  7. "crypto/sha1"
  8. "math/big"
  9. )
  10. var (
  11. one = big.NewInt(1)
  12. )
  13. // sha1Sum returns the SHA-1 hash of in.
  14. func sha1Sum(in []byte) []byte {
  15. sum := sha1.Sum(in)
  16. return sum[:]
  17. }
  18. // fillWithRepeats returns v*ceiling(len(pattern) / v) bytes consisting of
  19. // repeats of pattern.
  20. func fillWithRepeats(pattern []byte, v int) []byte {
  21. if len(pattern) == 0 {
  22. return nil
  23. }
  24. outputLen := v * ((len(pattern) + v - 1) / v)
  25. return bytes.Repeat(pattern, (outputLen+len(pattern)-1)/len(pattern))[:outputLen]
  26. }
  27. func pbkdf(hash func([]byte) []byte, u, v int, salt, password []byte, r int, ID byte, size int) (key []byte) {
  28. // implementation of https://tools.ietf.org/html/rfc7292#appendix-B.2 , RFC text verbatim in comments
  29. // Let H be a hash function built around a compression function f:
  30. // Z_2^u x Z_2^v -> Z_2^u
  31. // (that is, H has a chaining variable and output of length u bits, and
  32. // the message input to the compression function of H is v bits). The
  33. // values for u and v are as follows:
  34. // HASH FUNCTION VALUE u VALUE v
  35. // MD2, MD5 128 512
  36. // SHA-1 160 512
  37. // SHA-224 224 512
  38. // SHA-256 256 512
  39. // SHA-384 384 1024
  40. // SHA-512 512 1024
  41. // SHA-512/224 224 1024
  42. // SHA-512/256 256 1024
  43. // Furthermore, let r be the iteration count.
  44. // We assume here that u and v are both multiples of 8, as are the
  45. // lengths of the password and salt strings (which we denote by p and s,
  46. // respectively) and the number n of pseudorandom bits required. In
  47. // addition, u and v are of course non-zero.
  48. // For information on security considerations for MD5 [19], see [25] and
  49. // [1], and on those for MD2, see [18].
  50. // The following procedure can be used to produce pseudorandom bits for
  51. // a particular "purpose" that is identified by a byte called "ID".
  52. // This standard specifies 3 different values for the ID byte:
  53. // 1. If ID=1, then the pseudorandom bits being produced are to be used
  54. // as key material for performing encryption or decryption.
  55. // 2. If ID=2, then the pseudorandom bits being produced are to be used
  56. // as an IV (Initial Value) for encryption or decryption.
  57. // 3. If ID=3, then the pseudorandom bits being produced are to be used
  58. // as an integrity key for MACing.
  59. // 1. Construct a string, D (the "diversifier"), by concatenating v/8
  60. // copies of ID.
  61. var D []byte
  62. for i := 0; i < v; i++ {
  63. D = append(D, ID)
  64. }
  65. // 2. Concatenate copies of the salt together to create a string S of
  66. // length v(ceiling(s/v)) bits (the final copy of the salt may be
  67. // truncated to create S). Note that if the salt is the empty
  68. // string, then so is S.
  69. S := fillWithRepeats(salt, v)
  70. // 3. Concatenate copies of the password together to create a string P
  71. // of length v(ceiling(p/v)) bits (the final copy of the password
  72. // may be truncated to create P). Note that if the password is the
  73. // empty string, then so is P.
  74. P := fillWithRepeats(password, v)
  75. // 4. Set I=S||P to be the concatenation of S and P.
  76. I := append(S, P...)
  77. // 5. Set c=ceiling(n/u).
  78. c := (size + u - 1) / u
  79. // 6. For i=1, 2, ..., c, do the following:
  80. A := make([]byte, c*20)
  81. var IjBuf []byte
  82. for i := 0; i < c; i++ {
  83. // A. Set A2=H^r(D||I). (i.e., the r-th hash of D||1,
  84. // H(H(H(... H(D||I))))
  85. Ai := hash(append(D, I...))
  86. for j := 1; j < r; j++ {
  87. Ai = hash(Ai)
  88. }
  89. copy(A[i*20:], Ai[:])
  90. if i < c-1 { // skip on last iteration
  91. // B. Concatenate copies of Ai to create a string B of length v
  92. // bits (the final copy of Ai may be truncated to create B).
  93. var B []byte
  94. for len(B) < v {
  95. B = append(B, Ai[:]...)
  96. }
  97. B = B[:v]
  98. // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit
  99. // blocks, where k=ceiling(s/v)+ceiling(p/v), modify I by
  100. // setting I_j=(I_j+B+1) mod 2^v for each j.
  101. {
  102. Bbi := new(big.Int).SetBytes(B)
  103. Ij := new(big.Int)
  104. for j := 0; j < len(I)/v; j++ {
  105. Ij.SetBytes(I[j*v : (j+1)*v])
  106. Ij.Add(Ij, Bbi)
  107. Ij.Add(Ij, one)
  108. Ijb := Ij.Bytes()
  109. // We expect Ijb to be exactly v bytes,
  110. // if it is longer or shorter we must
  111. // adjust it accordingly.
  112. if len(Ijb) > v {
  113. Ijb = Ijb[len(Ijb)-v:]
  114. }
  115. if len(Ijb) < v {
  116. if IjBuf == nil {
  117. IjBuf = make([]byte, v)
  118. }
  119. bytesShort := v - len(Ijb)
  120. for i := 0; i < bytesShort; i++ {
  121. IjBuf[i] = 0
  122. }
  123. copy(IjBuf[bytesShort:], Ijb)
  124. Ijb = IjBuf
  125. }
  126. copy(I[j*v:(j+1)*v], Ijb)
  127. }
  128. }
  129. }
  130. }
  131. // 7. Concatenate A_1, A_2, ..., A_c together to form a pseudorandom
  132. // bit string, A.
  133. // 8. Use the first n bits of A as the output of this entire process.
  134. return A[:size]
  135. // If the above process is being used to generate a DES key, the process
  136. // should be used to create 64 random bits, and the key's parity bits
  137. // should be set after the 64 bits have been produced. Similar concerns
  138. // hold for 2-key and 3-key triple-DES keys, for CDMF keys, and for any
  139. // similar keys with parity bits "built into them".
  140. }