Merge pull request RIOT-OS#15199 from fjmolinas/pbkdf2-sha256

sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation. [TAKEOVER]
Ollrogge · Nov 4, 2020 · 568e1e3 · 568e1e3
2 parents 09a4571 + bc8ce92
commit 568e1e3
Show file tree

Hide file tree

Showing 10 changed files with 517 additions and 0 deletions.
diff --git a/sys/Makefile.dep b/sys/Makefile.dep
@@ -738,6 +738,10 @@ ifneq (,$(filter random,$(USEMODULE)))
   USEMODULE += luid
 endif
 
+ifneq (,$(filter hashes,$(USEMODULE)))
+  USEMODULE += crypto
+endif
+
 ifneq (,$(filter asymcute,$(USEMODULE)))
   USEMODULE += sock_udp
   USEMODULE += sock_util

diff --git a/sys/hashes/pbkdf2.c b/sys/hashes/pbkdf2.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2019 Freie Universität Berlin
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+/**
+ * @ingroup     examples
+ * @{
+ *
+ * @file
+ * @brief       PBKDF2 key derivation implementation- only sha256 is supported
+ *              at the moment, and the key size is fixed.
+ *
+ * @author      Juan I Carrano <j.carrano@fu-berlin.de>
+ *
+ * @}
+ */
+
+#include <string.h>
+
+#include "hashes/sha256.h"
+#include "hashes/pbkdf2.h"
+#include "crypto/helper.h"
+
+static void inplace_xor_scalar(uint8_t *bytes, size_t len, uint8_t c)
+{
+    while (len--) {
+        *bytes ^= c;
+        bytes++;
+    }
+}
+
+static void inplace_xor_digests(uint8_t *d1, const uint8_t *d2)
+{
+    int len = SHA256_DIGEST_LENGTH;
+
+    while (len--) {
+        *d1 ^= *d2;
+        d1++;
+        d2++;
+    }
+}
+
+void pbkdf2_sha256(const uint8_t *password, size_t password_len,
+                   const uint8_t *salt, size_t salt_len,
+                   int iterations,
+                   uint8_t *output)
+{
+    sha256_context_t inner;
+    sha256_context_t outer;
+    uint8_t tmp_digest[SHA256_DIGEST_LENGTH];
+    int first_iter = 1;
+
+    {
+        uint8_t processed_pass[SHA256_INTERNAL_BLOCK_SIZE] = {0};
+
+        if (password_len > sizeof(processed_pass)) {
+            sha256_init(&inner);
+            sha256_update(&inner, password, password_len);
+            sha256_final(&inner, processed_pass);
+        } else {
+            memcpy(processed_pass, password, password_len);
+        }
+
+        sha256_init(&inner);
+        sha256_init(&outer);
+
+        /* Trick: doing inner.update(processed_pass XOR 0x36) followed by
+         * inner.update(processed_pass XOR 0x5C) requires remembering
+         * processed_pass. Instead undo the first XOR while doing the second.
+         */
+        inplace_xor_scalar(processed_pass, sizeof(processed_pass), 0x36);
+        sha256_update(&inner, processed_pass, sizeof(processed_pass));
+
+        inplace_xor_scalar(processed_pass, sizeof(processed_pass), 0x36 ^ 0x5C);
+        sha256_update(&outer, processed_pass, sizeof(processed_pass));
+
+        crypto_secure_wipe(&processed_pass, sizeof(processed_pass));
+    }
+
+    memset(output, 0, SHA256_DIGEST_LENGTH);
+
+    while (iterations--) {
+        sha256_context_t inner_copy = inner, outer_copy = outer;
+
+        if (first_iter) {
+            sha256_update(&inner_copy, salt, salt_len);
+            sha256_update(&inner_copy, "\x00\x00\x00\x01", 4);
+            first_iter = 0;
+        } else {
+            sha256_update(&inner_copy, tmp_digest, sizeof(tmp_digest));
+        }
+
+        sha256_final(&inner_copy, tmp_digest);
+
+        sha256_update(&outer_copy, tmp_digest, sizeof(tmp_digest));
+        sha256_final(&outer_copy, tmp_digest);
+
+        inplace_xor_digests(output, tmp_digest);
+
+        if (iterations == 0) {
+            crypto_secure_wipe(&inner_copy, sizeof(inner_copy));
+            crypto_secure_wipe(&outer_copy, sizeof(outer_copy));
+        }
+    }
+
+    crypto_secure_wipe(&inner, sizeof(inner));
+    crypto_secure_wipe(&outer, sizeof(outer));
+    crypto_secure_wipe(&tmp_digest, sizeof(tmp_digest));
+}
diff --git a/sys/include/hashes/pbkdf2.h b/sys/include/hashes/pbkdf2.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2019 Freie Universität Berlin
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+/**
+ * @defgroup    sys_hashes_pbkdf2 PBKDF2
+ * @ingroup     sys_hashes
+ * @brief       PBKDF2 key derivation implementation.
+ * @{
+ *
+ * @file
+ * @brief       PBKDF2 key derivation implementation.
+ *
+ * @author      Juan I Carrano <j.carrano@fu-berlin.de>
+ *
+ * @}
+ */
+
+#ifndef HASHES_PBKDF2_H
+#define HASHES_PBKDF2_H
+
+#include "hashes/sha256.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief   PBKDF2 key size length
+ *
+ * @note Currently only one derived key length is supported (32)
+ */
+#define PBKDF2_KEY_SIZE SHA256_DIGEST_LENGTH
+
+/**
+ * @brief Create a key from a password and hash using PBKDF2.
+ *
+ * @param[in]   password        password pointer
+ * @param[in]   password_len    length of password
+ * @param[in]   salt            salt pointer
+ * @param[in]   salt_len        salt length, recommended 64bit
+ * @param[in]   iterations      number of rounds. Must be >1.
+ *                              NIST’s detailed guide (Appendix A.2.2),
+ *                              recommended 10000
+ * @param[out]  output          array of size PBKDF2_KEY_SIZE
+ */
+void pbkdf2_sha256(const uint8_t *password, size_t password_len,
+                   const uint8_t *salt, size_t salt_len,
+                   int iterations,
+                   uint8_t *output);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HASHES_PBKDF2_H */
diff --git a/tests/pbkdf2/Makefile b/tests/pbkdf2/Makefile
@@ -0,0 +1,11 @@
+include ../Makefile.tests_common
+
+# This application uses getchar and thus expects input from stdio
+USEMODULE += stdin
+USEMODULE += hashes
+USEMODULE += base64
+
+# Use a terminal that does not introduce extra characters into the stream.
+RIOT_TERMINAL ?= socat
+
+include $(RIOTBASE)/Makefile.include
diff --git a/tests/pbkdf2/Makefile.ci b/tests/pbkdf2/Makefile.ci
@@ -0,0 +1,7 @@
+BOARD_INSUFFICIENT_MEMORY := \
+    arduino-duemilanove \
+    arduino-nano \
+    arduino-uno \
+    atmega328p \
+    nucleo-l011k4 \
+    #
diff --git a/tests/pbkdf2/README b/tests/pbkdf2/README
@@ -0,0 +1,11 @@
+Test PBKDF2 implementation
+==========================
+
+This test evaluates the RIOT implementation against a reference. The objective
+is flexibility and clarity, and for this reason there are no hard coded vectors,
+but instead the test is interactive, with the DUT processing vectors given
+through the serial interface.
+
+This means that the test is slower, but more complete and trustworthy.
+
+The test is completely automated.
diff --git a/tests/pbkdf2/main.c b/tests/pbkdf2/main.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2019 Freie Universität Berlin.
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+/**
+ * @{
+ *
+ * @file
+ * @brief       Test PBKDF2-sha256 implementation.
+ *
+ * @author      Juan Carrano <j.carrano@fu-berlin.de>
+ *
+ * This application reads (password, salt, iterations) tuples from the
+ * standard input and outputs the derived key.
+ *
+ * The salt must be base64 encoded. The key is printed as base64.
+ * @}
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include "base64.h"
+#include "hashes/pbkdf2.h"
+
+const char error_message[] = "{error}";
+const char input_message[] = "{ready}";
+
+#define LINEBUF_SZ (128)
+
+enum TEST_STATE {
+    TEST_READ_PASS,
+    TEST_READ_SALT,
+    TEST_READ_ITERS,
+    TEST_COMPUTE,
+    TEST_ERROR
+};
+
+
+static void _clear_input(void)
+{
+    /* clear input buffer */
+    int c;
+    while ( (c = getchar()) != '\n' && c != EOF ) { }
+}
+
+int main(void)
+{
+    static char linebuf[LINEBUF_SZ];
+
+    /* There will be a few bytes wasted here */
+    static char password[LINEBUF_SZ];
+    static uint8_t salt[LINEBUF_SZ];
+    static uint8_t key[PBKDF2_KEY_SIZE];
+
+    size_t passwd_len = 0, salt_len = 0;
+    int iterations = 0;
+
+    enum TEST_STATE state = TEST_READ_PASS;
+
+    _clear_input();
+
+    while ((puts(input_message), fgets(linebuf, LINEBUF_SZ, stdin) != NULL)) {
+        char *s_end;
+        int conversion_status, line_len = strlen(linebuf)-1;
+        size_t b64_buff_size;
+
+        linebuf[line_len] = '\0';
+
+        switch (state) {
+            case TEST_READ_PASS:
+                strcpy(password, linebuf);
+                passwd_len = line_len;
+                state++;
+
+                break;
+            case TEST_READ_SALT:
+                /* work around bug in base64_decode */
+                if (line_len == 0) {
+                    salt_len = 0;
+                    conversion_status = BASE64_SUCCESS;
+                } else {
+                    salt_len = sizeof(salt);
+                    conversion_status = base64_decode((uint8_t*)linebuf,
+                                                      line_len+1,
+                                                      salt, &salt_len);
+                }
+
+                if (conversion_status == BASE64_SUCCESS) {
+                    state++;
+                } else {
+                    state = TEST_ERROR;
+                }
+
+                break;
+            case TEST_READ_ITERS:
+                iterations = strtol(linebuf, &s_end, 10);
+
+                if (*s_end != '\0') {
+                    state = TEST_ERROR;
+                } else {
+                    state++;
+                }
+
+                break;
+            default:
+                assert(1);
+                break;
+        }
+
+        switch (state) {
+            case TEST_COMPUTE:
+                pbkdf2_sha256((uint8_t*)password, passwd_len, salt, salt_len,
+                              iterations, key);
+
+                b64_buff_size = sizeof(linebuf);
+                conversion_status = base64_encode(key, sizeof(key),
+                                                  (uint8_t*)linebuf,
+                                                  &b64_buff_size);
+
+                if (conversion_status == BASE64_SUCCESS) {
+                    linebuf[b64_buff_size] = 0;
+                    puts(linebuf);
+                } else {
+                    puts(error_message);
+                }
+
+                state = TEST_READ_PASS;
+                break;
+            case TEST_ERROR:
+                puts(error_message);
+                state = TEST_READ_PASS;
+                break;
+            default:
+                break;
+        }
+    }
+
+    return 0;
+}