aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.in2
-rw-r--r--cryptech.h52
-rw-r--r--hash.c53
-rw-r--r--pbkdf2.c171
-rw-r--r--tests/Makefile.in2
-rw-r--r--tests/test-hash.c74
-rw-r--r--tests/test-pbkdf2.c218
7 files changed, 497 insertions, 75 deletions
diff --git a/Makefile.in b/Makefile.in
index 45c77e3..ac3663d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -29,7 +29,7 @@
INC = cryptech.h
LIB = libcryptech.a
-OBJ = ${IO_OBJ} csprng.o hash.o aes_keywrap.o errorstrings.o
+OBJ = ${IO_OBJ} csprng.o hash.o aes_keywrap.o pbkdf2.o errorstrings.o
IO_OBJ = ${IO_OBJ_@FPGA_BUS@}
IO_OBJ_EIM = hal_io_eim.o novena-eim.o
diff --git a/cryptech.h b/cryptech.h
index 5353201..03d3476 100644
--- a/cryptech.h
+++ b/cryptech.h
@@ -476,9 +476,22 @@ extern hal_error_t hal_io_wait_valid(off_t offset);
* Higher level public API.
*/
+/*
+ * Get random bytes from the CSPRNG.
+ */
+
extern hal_error_t hal_get_random(void *buffer, const size_t length);
-extern void hal_hash_set_debug(int onoff);
+/*
+ * Hash and HMAC API.
+ */
+
+/*
+ * Longest hash block and digest we support at the moment.
+ */
+
+#define HAL_MAX_HASH_BLOCK_LENGTH SHA512_BLOCK_LEN
+#define HAL_MAX_HASH_DIGEST_LENGTH SHA512_DIGEST_LEN
/*
* Public information about a digest algorithm.
@@ -505,15 +518,22 @@ typedef struct { void *state; } hal_hash_state_t;
typedef struct { void *state; } hal_hmac_state_t;
/*
- * Supported digest algorithms.
+ * Supported digest algorithms. These are one-element arrays so that
+ * they can be used as constant pointers.
*/
-extern const hal_hash_descriptor_t hal_hash_sha1;
-extern const hal_hash_descriptor_t hal_hash_sha256;
-extern const hal_hash_descriptor_t hal_hash_sha512_224;
-extern const hal_hash_descriptor_t hal_hash_sha512_256;
-extern const hal_hash_descriptor_t hal_hash_sha384;
-extern const hal_hash_descriptor_t hal_hash_sha512;
+extern const hal_hash_descriptor_t hal_hash_sha1[1];
+extern const hal_hash_descriptor_t hal_hash_sha256[1];
+extern const hal_hash_descriptor_t hal_hash_sha512_224[1];
+extern const hal_hash_descriptor_t hal_hash_sha512_256[1];
+extern const hal_hash_descriptor_t hal_hash_sha384[1];
+extern const hal_hash_descriptor_t hal_hash_sha512[1];
+
+/*
+ * Hash and HMAC functions.
+ */
+
+extern void hal_hash_set_debug(int onoff);
extern hal_error_t hal_hash_core_present(const hal_hash_descriptor_t * const descriptor);
@@ -538,15 +558,31 @@ extern hal_error_t hal_hmac_update(const hal_hmac_state_t state,
extern hal_error_t hal_hmac_finalize(const hal_hmac_state_t state,
uint8_t *hmac, const size_t length);
+/*
+ * AES key wrap functions.
+ */
extern hal_error_t hal_aes_keywrap(const uint8_t *kek, const size_t kek_length,
const uint8_t *plaintext, const size_t plaintext_length,
uint8_t *cyphertext, size_t *ciphertext_length);
+
extern hal_error_t hal_aes_keyunwrap(const uint8_t *kek, const size_t kek_length,
const uint8_t *ciphertext, const size_t ciphertext_length,
unsigned char *plaintext, size_t *plaintext_length);
+
extern size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length);
+/*
+ * PBKDF2 function. Uses HMAC with the specified digest algorithm as
+ * the pseudo-random function (PRF).
+ */
+
+extern hal_error_t hal_pbkdf2(const hal_hash_descriptor_t * const descriptor,
+ const uint8_t * const password, const size_t password_length,
+ const uint8_t * const salt, const size_t salt_length,
+ uint8_t * derived_key, const size_t derived_key_length,
+ unsigned iterations_desired);
+
#endif /* _CRYPTECH_H_ */
/*
diff --git a/hash.c b/hash.c
index cdb68eb..e0445f5 100644
--- a/hash.c
+++ b/hash.c
@@ -45,13 +45,6 @@
#include "cryptech.h"
/*
- * Longest block and digest we support at the moment.
- */
-
-#define MAX_BLOCK_LEN SHA512_BLOCK_LEN
-#define MAX_DIGEST_LEN SHA512_DIGEST_LEN
-
-/*
* HMAC magic numbers.
*/
@@ -89,20 +82,24 @@ typedef struct {
typedef struct {
const hal_hash_descriptor_t *descriptor;
const driver_t *driver;
- uint64_t msg_length_high; /* Total data hashed in this message */
- uint64_t msg_length_low; /* (128 bits in SHA-512 cases) */
- uint8_t block[MAX_BLOCK_LEN]; /* Block we're accumulating */
- size_t block_used; /* How much of the block we've used */
- unsigned block_count; /* Blocks sent */
+ uint64_t msg_length_high; /* Total data hashed in this message */
+ uint64_t msg_length_low; /* (128 bits in SHA-512 cases) */
+ uint8_t block[HAL_MAX_HASH_BLOCK_LENGTH]; /* Block we're accumulating */
+ size_t block_used; /* How much of the block we've used */
+ unsigned block_count; /* Blocks sent */
} internal_hash_state_t;
/*
- * HMAC state.
+ * HMAC state. Right now this just holds the key block and a hash
+ * context; if and when we figure out how PCLSR the hash cores, we
+ * might want to save a lot more than that, and may also want to
+ * reorder certain operations during HMAC initialization to get a
+ * performance boost for things like PBKDF2.
*/
typedef struct {
- internal_hash_state_t hash_state; /* Hash state */
- uint8_t keybuf[MAX_BLOCK_LEN]; /* HMAC key */
+ internal_hash_state_t hash_state; /* Hash state */
+ uint8_t keybuf[HAL_MAX_HASH_BLOCK_LENGTH]; /* HMAC key */
} internal_hmac_state_t;
/*
@@ -162,41 +159,41 @@ static const driver_t sha512_driver = {
* assumption, so it's simplest to be explicit.
*/
-const hal_hash_descriptor_t hal_hash_sha1 = {
+const hal_hash_descriptor_t hal_hash_sha1[1] = {{
SHA1_BLOCK_LEN, SHA1_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha1_driver
-};
+}};
-const hal_hash_descriptor_t hal_hash_sha256 = {
+const hal_hash_descriptor_t hal_hash_sha256[1] = {{
SHA256_BLOCK_LEN, SHA256_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha256_driver
-};
+}};
-const hal_hash_descriptor_t hal_hash_sha512_224 = {
+const hal_hash_descriptor_t hal_hash_sha512_224[1] = {{
SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha512_224_driver
-};
+}};
-const hal_hash_descriptor_t hal_hash_sha512_256 = {
+const hal_hash_descriptor_t hal_hash_sha512_256[1] = {{
SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha512_256_driver
-};
+}};
-const hal_hash_descriptor_t hal_hash_sha384 = {
+const hal_hash_descriptor_t hal_hash_sha384[1] = {{
SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha384_driver
-};
+}};
-const hal_hash_descriptor_t hal_hash_sha512 = {
+const hal_hash_descriptor_t hal_hash_sha512[1] = {{
SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
&sha512_driver
-};
+}};
/*
* Debugging control.
@@ -559,7 +556,7 @@ hal_error_t hal_hmac_finalize(const hal_hmac_state_t opaque_state,
internal_hash_state_t *h = &state->hash_state;
const hal_hash_descriptor_t *descriptor;
hal_hash_state_t oh = { h };
- uint8_t d[MAX_DIGEST_LEN];
+ uint8_t d[HAL_MAX_HASH_DIGEST_LENGTH];
hal_error_t err;
if (state == NULL || hmac == NULL)
diff --git a/pbkdf2.c b/pbkdf2.c
new file mode 100644
index 0000000..5b70201
--- /dev/null
+++ b/pbkdf2.c
@@ -0,0 +1,171 @@
+/*
+ * pbkdf2.c
+ * --------
+ * PBKDF2 (RFC 2898) on top of HAL interface to Cryptech hash cores.
+ *
+ * Authors: Rob Austein
+ * Copyright (c) 2015, SUNET
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#include "cryptech.h"
+
+/*
+ * Utility to encapsulate the HMAC operations. May need refactoring
+ * if and when we get clever about reusing HMAC state for speed.
+ */
+
+static hal_error_t do_hmac(const hal_hash_descriptor_t * const d,
+ const uint8_t * const pw, const size_t pw_len,
+ const uint8_t * const data, const size_t data_len,
+ const uint32_t block,
+ uint8_t * mac, const size_t mac_len)
+{
+ assert(d != NULL && pw != NULL && data != NULL && mac != NULL);
+
+ uint8_t sb[d->hmac_state_length];
+ hal_hmac_state_t s;
+ hal_error_t err;
+
+ if ((err = hal_hmac_initialize(d, &s, sb, sizeof(sb), pw, pw_len)) != HAL_OK)
+ return err;
+
+ if ((err = hal_hmac_update(s, data, data_len)) != HAL_OK)
+ return err;
+
+ if (block > 0) {
+ uint8_t b[4] = { (block >> 24) & 0xFF, (block >> 16) & 0xFF, (block >> 8) & 0xFF, (block >> 0) & 0xFF };
+ if ((err = hal_hmac_update(s, b, sizeof(b))) != HAL_OK)
+ return err;
+ }
+
+ return hal_hmac_finalize(s, mac, mac_len);
+}
+
+/*
+ * Derive a key from a passphrase using the PBKDF2 algorithm.
+ */
+
+hal_error_t hal_pbkdf2(const hal_hash_descriptor_t * const descriptor,
+ const uint8_t * const password, const size_t password_length,
+ const uint8_t * const salt, const size_t salt_length,
+ uint8_t * derived_key, size_t derived_key_length,
+ unsigned iterations_desired)
+{
+ uint8_t statebuf[1024]; /* C99 may let us clean this up */
+ uint32_t block_count;
+
+ if (descriptor == NULL || password == NULL || salt == NULL ||
+ derived_key == NULL || derived_key_length == 0 ||
+ iterations_desired == 0)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
+ assert(sizeof(statebuf) >= descriptor->hmac_state_length);
+
+ /* Output length check per RFC 2989 5.2. */
+ if ((uint64_t) derived_key_length > ((uint64_t) 0xFFFFFFFF) * descriptor->block_length)
+ return HAL_ERROR_UNSUPPORTED_KEY;
+
+ /*
+ * We probably should check here to see whether the password is
+ * longer than the HMAC block size, and, if so, we should hash the
+ * password here to avoid having recomputing that every time through
+ * the loops below. There are other optimizations we'd like to
+ * make, but this one doesn't require being able to save and restore
+ * the hash state.
+ */
+
+ /*
+ * Generate output blocks until we reach the requested length.
+ */
+
+ for (block_count = 1; ; block_count++) {
+
+ uint8_t accumulator[HAL_MAX_HASH_DIGEST_LENGTH], mac[HAL_MAX_HASH_DIGEST_LENGTH];
+ unsigned iteration;
+ hal_error_t err;
+ int i;
+
+ /*
+ * Initialize the accumulator with the HMAC of the salt
+ * concatenated with the block count.
+ */
+
+ if ((err = do_hmac(descriptor, password, password_length, salt, salt_length,
+ block_count, accumulator, sizeof(accumulator))) != HAL_OK)
+ return err;
+
+ /*
+ * Now iterate however many times the caller requested, XORing the
+ * result back into the accumulator on each iteration.
+ * Initializing the accumulator counts as iteration 1, so we start
+ * with iteration 2.
+ */
+
+ for (iteration = 2; iteration <= iterations_desired; iteration++) {
+
+ if ((err = do_hmac(descriptor, password, password_length,
+ accumulator, descriptor->digest_length,
+ 0, mac, sizeof(mac))) != HAL_OK)
+ return err;
+
+ for (i = 0; i < descriptor->digest_length; i++)
+ accumulator[i] ^= mac[i];
+ }
+
+ /*
+ * Accumulator holds the generated block. Save it, then exit or
+ * loop for another block.
+ */
+
+ if (derived_key_length > descriptor->digest_length) {
+ memcpy(derived_key, accumulator, descriptor->digest_length);
+ derived_key += descriptor->digest_length;
+ derived_key_length -= descriptor->digest_length;
+ }
+ else {
+ memcpy(derived_key, accumulator, derived_key_length);
+ return HAL_OK;
+ }
+ }
+}
+
+/*
+ * Local variables:
+ * indent-tabs-mode: nil
+ * End:
+ */
diff --git a/tests/Makefile.in b/tests/Makefile.in
index 9a7dfec..757624a 100644
--- a/tests/Makefile.in
+++ b/tests/Makefile.in
@@ -29,7 +29,7 @@
INC = ../cryptech.h
LIB = ../libcryptech.a
-BIN = test-aes-key-wrap test-hash test-rsa
+BIN = test-aes-key-wrap test-hash test-pbkdf2 test-rsa
CC = @CC@
CFLAGS = @CFLAGS@ -I..
diff --git a/tests/test-hash.c b/tests/test-hash.c
index 81e6010..5ae040b 100644
--- a/tests/test-hash.c
+++ b/tests/test-hash.c
@@ -664,38 +664,38 @@ int main (int argc, char *argv[])
{
int ok = 1;
- ok &= test_hash(&hal_hash_sha1, nist_512_single, sha1_single_digest, "SHA-1 single block");
- ok &= test_hash(&hal_hash_sha1, nist_512_double, sha1_double_digest, "SHA-1 double block");
+ ok &= test_hash(hal_hash_sha1, nist_512_single, sha1_single_digest, "SHA-1 single block");
+ ok &= test_hash(hal_hash_sha1, nist_512_double, sha1_double_digest, "SHA-1 double block");
- ok &= test_hash(&hal_hash_sha256, nist_512_single, sha256_single_digest, "SHA-256 single block");
- ok &= test_hash(&hal_hash_sha256, nist_512_double, sha256_double_digest, "SHA-256 double block");
+ ok &= test_hash(hal_hash_sha256, nist_512_single, sha256_single_digest, "SHA-256 single block");
+ ok &= test_hash(hal_hash_sha256, nist_512_double, sha256_double_digest, "SHA-256 double block");
- ok &= test_hash(&hal_hash_sha512_224, nist_1024_single, sha512_224_single_digest, "SHA-512/224 single block");
- ok &= test_hash(&hal_hash_sha512_224, nist_1024_double, sha512_224_double_digest, "SHA-512/224 double block");
+ ok &= test_hash(hal_hash_sha512_224, nist_1024_single, sha512_224_single_digest, "SHA-512/224 single block");
+ ok &= test_hash(hal_hash_sha512_224, nist_1024_double, sha512_224_double_digest, "SHA-512/224 double block");
- ok &= test_hash(&hal_hash_sha512_256, nist_1024_single, sha512_256_single_digest, "SHA-512/256 single block");
- ok &= test_hash(&hal_hash_sha512_256, nist_1024_double, sha512_256_double_digest, "SHA-512/256 double block");
+ ok &= test_hash(hal_hash_sha512_256, nist_1024_single, sha512_256_single_digest, "SHA-512/256 single block");
+ ok &= test_hash(hal_hash_sha512_256, nist_1024_double, sha512_256_double_digest, "SHA-512/256 double block");
- ok &= test_hash(&hal_hash_sha384, nist_1024_single, sha384_single_digest, "SHA-384 single block");
- ok &= test_hash(&hal_hash_sha384, nist_1024_double, sha384_double_digest, "SHA-384 double block");
+ ok &= test_hash(hal_hash_sha384, nist_1024_single, sha384_single_digest, "SHA-384 single block");
+ ok &= test_hash(hal_hash_sha384, nist_1024_double, sha384_double_digest, "SHA-384 double block");
- ok &= test_hash(&hal_hash_sha512, nist_1024_single, sha512_single_digest, "SHA-512 single block");
- ok &= test_hash(&hal_hash_sha512, nist_1024_double, sha512_double_digest, "SHA-512 double block");
+ ok &= test_hash(hal_hash_sha512, nist_1024_single, sha512_single_digest, "SHA-512 single block");
+ ok &= test_hash(hal_hash_sha512, nist_1024_double, sha512_double_digest, "SHA-512 double block");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_1_key, hmac_sha1_tc_1_data, hmac_sha1_tc_1_result_sha1, "HMAC-SHA-1 test case 1");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_2_key, hmac_sha1_tc_2_data, hmac_sha1_tc_2_result_sha1, "HMAC-SHA-1 test case 2");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_3_key, hmac_sha1_tc_3_data, hmac_sha1_tc_3_result_sha1, "HMAC-SHA-1 test case 3");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_4_key, hmac_sha1_tc_4_data, hmac_sha1_tc_4_result_sha1, "HMAC-SHA-1 test case 4");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_5_key, hmac_sha1_tc_5_data, hmac_sha1_tc_5_result_sha1, "HMAC-SHA-1 test case 5");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_6_key, hmac_sha1_tc_6_data, hmac_sha1_tc_6_result_sha1, "HMAC-SHA-1 test case 6");
- ok &= test_hmac(&hal_hash_sha1, hmac_sha1_tc_7_key, hmac_sha1_tc_7_data, hmac_sha1_tc_7_result_sha1, "HMAC-SHA-1 test case 7");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_1_key, hmac_sha1_tc_1_data, hmac_sha1_tc_1_result_sha1, "HMAC-SHA-1 test case 1");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_2_key, hmac_sha1_tc_2_data, hmac_sha1_tc_2_result_sha1, "HMAC-SHA-1 test case 2");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_3_key, hmac_sha1_tc_3_data, hmac_sha1_tc_3_result_sha1, "HMAC-SHA-1 test case 3");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_4_key, hmac_sha1_tc_4_data, hmac_sha1_tc_4_result_sha1, "HMAC-SHA-1 test case 4");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_5_key, hmac_sha1_tc_5_data, hmac_sha1_tc_5_result_sha1, "HMAC-SHA-1 test case 5");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_6_key, hmac_sha1_tc_6_data, hmac_sha1_tc_6_result_sha1, "HMAC-SHA-1 test case 6");
+ ok &= test_hmac(hal_hash_sha1, hmac_sha1_tc_7_key, hmac_sha1_tc_7_data, hmac_sha1_tc_7_result_sha1, "HMAC-SHA-1 test case 7");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha256, "HMAC-SHA-256 test case 1");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha256, "HMAC-SHA-256 test case 2");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha256, "HMAC-SHA-256 test case 3");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha256, "HMAC-SHA-256 test case 4");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha256, "HMAC-SHA-256 test case 6");
- ok &= test_hmac(&hal_hash_sha256, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha256, "HMAC-SHA-256 test case 7");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha256, "HMAC-SHA-256 test case 1");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha256, "HMAC-SHA-256 test case 2");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha256, "HMAC-SHA-256 test case 3");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha256, "HMAC-SHA-256 test case 4");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha256, "HMAC-SHA-256 test case 6");
+ ok &= test_hmac(hal_hash_sha256, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha256, "HMAC-SHA-256 test case 7");
#if 0
/*
@@ -707,20 +707,20 @@ int main (int argc, char *argv[])
* for now I'm just declaring HMAC-SHA-384 unsupported and disabling
* these tests until somebody has time to sort this out.
*/
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha384, "HMAC-SHA-384 test case 1");
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha384, "HMAC-SHA-384 test case 2");
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha384, "HMAC-SHA-384 test case 3");
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha384, "HMAC-SHA-384 test case 4");
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha384, "HMAC-SHA-384 test case 6");
- ok &= test_hmac(&hal_hash_sha384, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha384, "HMAC-SHA-384 test case 7");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha384, "HMAC-SHA-384 test case 1");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha384, "HMAC-SHA-384 test case 2");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha384, "HMAC-SHA-384 test case 3");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha384, "HMAC-SHA-384 test case 4");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha384, "HMAC-SHA-384 test case 6");
+ ok &= test_hmac(hal_hash_sha384, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha384, "HMAC-SHA-384 test case 7");
#endif
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha512, "HMAC-SHA-512 test case 1");
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha512, "HMAC-SHA-512 test case 2");
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha512, "HMAC-SHA-512 test case 3");
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha512, "HMAC-SHA-512 test case 4");
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha512, "HMAC-SHA-512 test case 6");
- ok &= test_hmac(&hal_hash_sha512, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha512, "HMAC-SHA-512 test case 7");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_1_key, hmac_sha2_tc_1_data, hmac_sha2_tc_1_result_sha512, "HMAC-SHA-512 test case 1");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_2_key, hmac_sha2_tc_2_data, hmac_sha2_tc_2_result_sha512, "HMAC-SHA-512 test case 2");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_3_key, hmac_sha2_tc_3_data, hmac_sha2_tc_3_result_sha512, "HMAC-SHA-512 test case 3");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_4_key, hmac_sha2_tc_4_data, hmac_sha2_tc_4_result_sha512, "HMAC-SHA-512 test case 4");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_6_key, hmac_sha2_tc_6_data, hmac_sha2_tc_6_result_sha512, "HMAC-SHA-512 test case 6");
+ ok &= test_hmac(hal_hash_sha512, hmac_sha2_tc_7_key, hmac_sha2_tc_7_data, hmac_sha2_tc_7_result_sha512, "HMAC-SHA-512 test case 7");
return !ok;
}
diff --git a/tests/test-pbkdf2.c b/tests/test-pbkdf2.c
new file mode 100644
index 0000000..67940b4
--- /dev/null
+++ b/tests/test-pbkdf2.c
@@ -0,0 +1,218 @@
+/*
+ * test-pbkdf2.c
+ * -------------
+ * Test program for PBKDF2.
+ *
+ * Authors: Rob Austein
+ * Copyright (c) 2015, SUNET
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#include "cryptech.h"
+
+/* PBKDF2 HMAC-SHA-1 test cases from RFC 6070. */
+
+/* 'password' */
+static const uint8_t pbkdf2_tc_1_password[] = { /* 8 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'salt' */
+static const uint8_t pbkdf2_tc_1_salt[] = { /* 4 bytes */
+ 0x73, 0x61, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_1_count = 1;
+
+static const uint8_t pbkdf2_tc_1_DK[] = { /* 20 bytes */
+ 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71, 0xf3, 0xa9, 0xb5, 0x24,
+ 0xaf, 0x60, 0x12, 0x06, 0x2f, 0xe0, 0x37, 0xa6
+};
+
+/* 'password' */
+static const uint8_t pbkdf2_tc_2_password[] = { /* 8 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'salt' */
+static const uint8_t pbkdf2_tc_2_salt[] = { /* 4 bytes */
+ 0x73, 0x61, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_2_count = 2;
+
+static const uint8_t pbkdf2_tc_2_DK[] = { /* 20 bytes */
+ 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c, 0xcd, 0x1e, 0xd9, 0x2a,
+ 0xce, 0x1d, 0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57
+};
+
+/* 'password' */
+static const uint8_t pbkdf2_tc_3_password[] = { /* 8 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'salt' */
+static const uint8_t pbkdf2_tc_3_salt[] = { /* 4 bytes */
+ 0x73, 0x61, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_3_count = 4096;
+
+static const uint8_t pbkdf2_tc_3_DK[] = { /* 20 bytes */
+ 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a, 0xbe, 0xad, 0x49, 0xd9,
+ 0x26, 0xf7, 0x21, 0xd0, 0x65, 0xa4, 0x29, 0xc1
+};
+
+/* 'password' */
+static const uint8_t pbkdf2_tc_4_password[] = { /* 8 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'salt' */
+static const uint8_t pbkdf2_tc_4_salt[] = { /* 4 bytes */
+ 0x73, 0x61, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_4_count = 16777216;
+
+static const uint8_t pbkdf2_tc_4_DK[] = { /* 20 bytes */
+ 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4, 0xe9, 0x94, 0x5b, 0x3d,
+ 0x6b, 0xa2, 0x15, 0x8c, 0x26, 0x34, 0xe9, 0x84
+};
+
+/* 'passwordPASSWORDpassword' */
+static const uint8_t pbkdf2_tc_5_password[] = { /* 24 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'saltSALTsaltSALTsaltSALTsaltSALTsalt' */
+static const uint8_t pbkdf2_tc_5_salt[] = { /* 36 bytes */
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_5_count = 4096;
+
+static const uint8_t pbkdf2_tc_5_DK[] = { /* 25 bytes */
+ 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36,
+ 0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38
+};
+
+/* 'pass\x00word' */
+static const uint8_t pbkdf2_tc_6_password[] = { /* 9 bytes */
+ 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, 0x64
+};
+
+/* 'sa\x00lt' */
+static const uint8_t pbkdf2_tc_6_salt[] = { /* 5 bytes */
+ 0x73, 0x61, 0x00, 0x6c, 0x74
+};
+
+static const unsigned pbkdf2_tc_6_count = 4096;
+
+static const uint8_t pbkdf2_tc_6_DK[] = { /* 16 bytes */
+ 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d, 0xcc, 0x37, 0xd7, 0xf0,
+ 0x34, 0x25, 0xe0, 0xc3
+};
+
+static void print_hex(const uint8_t * const val, const size_t len)
+{
+ for (size_t i = 0; i < len; i++)
+ printf(" %02x", val[i]);
+}
+
+static int _test_pbkdf2(const uint8_t * const pwd, const size_t pwd_len,
+ const uint8_t * const salt, const size_t salt_len,
+ const uint8_t * const dk, const size_t dk_len,
+ const unsigned count, const char * const label)
+{
+ printf("Starting test case %s\n", label);
+
+ uint8_t result[dk_len];
+
+ hal_error_t err = hal_pbkdf2(hal_hash_sha1, pwd, pwd_len, salt, salt_len,
+ result, dk_len, count);
+
+ if (err != HAL_OK) {
+ printf("hal_pbkdf2() failed: %s\n", hal_error_string(err));
+ return 0;
+ }
+
+ printf("Comparing result with known value\n");
+
+ if (memcmp(dk, result, dk_len)) {
+ printf("MISMATCH\nExpected:");
+ print_hex(dk, dk_len);
+ printf("\nGot: ");
+ print_hex(result, dk_len);
+ printf("\n");
+ return 0;
+ }
+
+ else {
+ printf("OK\n");
+ return 1;
+ }
+}
+
+#define test_pbkdf2(_n_) \
+ _test_pbkdf2(pbkdf2_tc_##_n_##_password, sizeof(pbkdf2_tc_##_n_##_password), \
+ pbkdf2_tc_##_n_##_salt, sizeof(pbkdf2_tc_##_n_##_salt), \
+ pbkdf2_tc_##_n_##_DK, sizeof(pbkdf2_tc_##_n_##_DK), \
+ pbkdf2_tc_##_n_##_count, #_n_)
+
+int main (int argc, char *argv[])
+{
+ int ok = 1;
+
+ ok &= test_pbkdf2(1);
+ ok &= test_pbkdf2(2);
+ ok &= test_pbkdf2(3);
+ ok &= test_pbkdf2(4);
+ ok &= test_pbkdf2(5);
+ ok &= test_pbkdf2(6);
+
+ return !ok;
+}
+
+/*
+ * Local variables:
+ * indent-tabs-mode: nil
+ * End:
+ */