From 1ae25914588221ece76da2d39ddece16de0c7712 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= Date: Sun, 1 Mar 2020 14:26:24 +0100 Subject: [PATCH] core: add function secure_hash_pbkdf2 --- src/core/wee-secure.c | 54 +++++++++++++ src/core/wee-secure.h | 5 ++ tests/unit/core/test-core-secure.cpp | 114 ++++++++++++++++++++++++--- tests/unit/core/test-core.h | 15 ++++ 4 files changed, 179 insertions(+), 9 deletions(-) diff --git a/src/core/wee-secure.c b/src/core/wee-secure.c index 97a007631..4a6b918aa 100644 --- a/src/core/wee-secure.c +++ b/src/core/wee-secure.c @@ -163,6 +163,60 @@ hash_end: return result; } +/* + * Computes PKCS#5 Passphrase Based Key Derivation Function number 2 (PBKDF2) + * hash of data, as binary buffer. + * + * Returns 1 if OK, 0 if error. + * + * Note: if OK, "*hash" must be freed after use. + */ + +int +secure_hash_pbkdf2 (const char *data, int length_data, int hash_subalgo, + const char *salt, int length_salt, int iterations, + char **hash, int *length_hash) +{ + int rc; + + rc = 0; + + if (!hash || !length_hash) + goto hash_pbkdf2_end; + + *hash = NULL; + *length_hash = 0; + + if (!data || (length_data < 1) || !salt || (length_salt < 1) + || (iterations < 1)) + { + goto hash_pbkdf2_end; + } + + *length_hash = gcry_md_get_algo_dlen (hash_subalgo); + *hash = malloc (*length_hash); + if (!*hash) + { + *length_hash = 0; + goto hash_pbkdf2_end; + } + + if (gcry_kdf_derive (data, length_data, GCRY_KDF_PBKDF2, hash_subalgo, + salt, length_salt, iterations, + *length_hash, *hash) != 0) + { + free (*hash); + *hash = NULL; + *length_hash = 0; + goto hash_pbkdf2_end; + } + + rc = 1; + +hash_pbkdf2_end: + return rc; +} + /* * Derives a key from salt + passphrase (using a hash). * diff --git a/src/core/wee-secure.h b/src/core/wee-secure.h index 303e0c9e5..ff468b3f7 100644 --- a/src/core/wee-secure.h +++ b/src/core/wee-secure.h @@ -58,6 +58,11 @@ extern char *secure_decrypt_error[]; extern void secure_hash_binary (const char *data, int length_data, int hash_algo, char **hash, int *length_hash); extern char *secure_hash (const char *data, int length_data, int hash_algo); +extern int secure_hash_pbkdf2 (const char *data, int length_data, + int hash_subalgo, + const char *salt, int length_salt, + int iterations, + char **hash, int *length_hash); extern int secure_encrypt_data (const char *data, int length_data, int hash_algo, int cipher, const char *passphrase, char **encrypted, diff --git a/tests/unit/core/test-core-secure.cpp b/tests/unit/core/test-core-secure.cpp index 1ae802fe9..a0cf86056 100644 --- a/tests/unit/core/test-core-secure.cpp +++ b/tests/unit/core/test-core-secure.cpp @@ -33,11 +33,12 @@ extern "C" #define SECURE_PASSWORD "this_is_a_secret_password" #define TOTP_SECRET "secretpasswordbase32" -#define WEE_CHECK_HASH_BIN(__result, __buffer, __length, __hash_algo) \ - if (__result) \ +#define WEE_CHECK_HASH_BIN(__result_hash, __data, __length_data, \ + __hash_algo) \ + if (__result_hash) \ { \ result_bin = (char *)malloc (4096); \ - length_bin = string_base16_decode (__result, \ + length_bin = string_base16_decode (__result_hash, \ (char *)result_bin); \ } \ else \ @@ -45,9 +46,11 @@ extern "C" result_bin = NULL; \ length_bin = 0; \ } \ - secure_hash_binary (__buffer, __length, __hash_algo, \ + hash_bin = NULL; \ + length_hash_bin = -1; \ + secure_hash_binary (__data, __length_data, __hash_algo, \ &hash_bin, &length_hash_bin); \ - if (__result == NULL) \ + if (__result_hash == NULL) \ { \ POINTERS_EQUAL(NULL, hash_bin); \ } \ @@ -61,19 +64,57 @@ extern "C" if (hash_bin) \ free (hash_bin); -#define WEE_CHECK_HASH_HEX(__result, __buffer, __length, __hash_algo) \ - hash = secure_hash (__buffer, __length, __hash_algo); \ - if (__result == NULL) \ +#define WEE_CHECK_HASH_HEX(__result_hash, __data, __length_data, \ + __hash_algo) \ + hash = secure_hash (__data, __length_data, __hash_algo); \ + if (__result_hash == NULL) \ { \ POINTERS_EQUAL(NULL, hash); \ } \ else \ { \ - STRCMP_EQUAL(__result, hash); \ + STRCMP_EQUAL(__result_hash, hash); \ } \ if (hash) \ free (hash); +#define WEE_CHECK_HASH_PBKDF2(__result_code, __result_hash, \ + __data, __length_data, \ + __hash_subalgo, __salt, __length_salt, \ + __iterations) \ + if (__result_hash) \ + { \ + result_bin = (char *)malloc (4096); \ + length_bin = string_base16_decode (__result_hash, \ + (char *)result_bin); \ + } \ + else \ + { \ + result_bin = NULL; \ + length_bin = 0; \ + } \ + hash_bin = NULL; \ + length_hash_bin = -1; \ + LONGS_EQUAL(__result_code, \ + secure_hash_pbkdf2 (__data, __length_data, \ + __hash_subalgo, \ + __salt, __length_salt, \ + __iterations, \ + &hash_bin, &length_hash_bin)); \ + if (__result_hash == NULL) \ + { \ + POINTERS_EQUAL(NULL, hash_bin); \ + } \ + else \ + { \ + MEMCMP_EQUAL(result_bin, hash_bin, length_hash_bin); \ + } \ + LONGS_EQUAL(length_bin, length_hash_bin); \ + if (result_bin) \ + free (result_bin); \ + if (hash_bin) \ + free (hash_bin); + #define WEE_CHECK_TOTP_GENERATE(__result, __secret, __time, __digits) \ totp = secure_totp_generate (__secret, __time, __digits); \ if (__result == NULL) \ @@ -154,6 +195,61 @@ TEST(CoreSecure, Hash) WEE_CHECK_HASH_HEX(DATA_HASH_SHA3_512, data, length, GCRY_MD_SHA3_512); } +/* + * Tests functions: + * secure_hash_pbkdf2 + */ + +TEST(CoreSecure, HashPbkdf2) +{ + const char *data = DATA_HASH, *salt = DATA_HASH_SALT; + char *result_bin, *hash_bin; + int length, length_salt, length_bin, length_hash_bin; + + length = strlen (data); + length_salt = strlen (salt); + + WEE_CHECK_HASH_PBKDF2(0, NULL, NULL, 0, 0, NULL, 0, 0); + WEE_CHECK_HASH_PBKDF2(0, NULL, "test", 0, 0, NULL, 0, 0); + WEE_CHECK_HASH_PBKDF2(0, NULL, "test", 4, GCRY_MD_SHA1, "salt", 4, 0); + + /* SHA1 */ + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA1_1000, + data, length, + GCRY_MD_SHA1, + DATA_HASH_SALT, length_salt, + 1000); + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA1_100000, + data, length, + GCRY_MD_SHA1, + DATA_HASH_SALT, length_salt, + 100000); + + /* SHA256 */ + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA256_1000, + data, length, + GCRY_MD_SHA256, + DATA_HASH_SALT, length_salt, + 1000); + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA256_100000, + data, length, + GCRY_MD_SHA256, + DATA_HASH_SALT, length_salt, + 100000); + + /* SHA512 */ + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA512_1000, + data, length, + GCRY_MD_SHA512, + DATA_HASH_SALT, length_salt, + 1000); + WEE_CHECK_HASH_PBKDF2(1, DATA_HASH_PBKDF2_SHA512_100000, + data, length, + GCRY_MD_SHA512, + DATA_HASH_SALT, length_salt, + 100000); +} + /* * Tests functions: * secure_derive_key diff --git a/tests/unit/core/test-core.h b/tests/unit/core/test-core.h index edf5bc35f..173829dfe 100644 --- a/tests/unit/core/test-core.h +++ b/tests/unit/core/test-core.h @@ -42,5 +42,20 @@ #define DATA_HASH_SHA3_512 "31dfb5fc8f30ac7007acddc4fce562d408706833d0d2af2" \ "e5f61a179099592927ff7d100e278406c7f98d42575001e26e153b135c21f7ef5b00c8" \ "cef93ca048d" +#define DATA_HASH_SALT "this is a salt of 32 bytes xxxxx" +#define DATA_HASH_PBKDF2_SHA1_1000 "85ce23c8873830df8f0a96aa82ae7d7635dad12" \ + "7" +#define DATA_HASH_PBKDF2_SHA1_100000 "f2c2a079007523df3a5a5c7b578073dff06ba" \ + "49f" +#define DATA_HASH_PBKDF2_SHA256_1000 "0eb0a795537a8c37a2d7d7e50a076e07c9a8e" \ + "e9aa281669381af99fad198997c" +#define DATA_HASH_PBKDF2_SHA256_100000 "b243ef60f9d9e7a6315f874053802cfb3b7" \ + "b5a3502d47cf7fd76b3ee5661fcff" +#define DATA_HASH_PBKDF2_SHA512_1000 "03d8e9e86f3bbe20b88a600a5aa15f8cfbee0" \ + "a402af301e1714c25467a32489c773c71eddf5aa39f42823ecc54c9e9b015517b5f3c0" \ + "19bae9463a2d8fe527882" +#define DATA_HASH_PBKDF2_SHA512_100000 "286cca5521b00a7398530fbf11a570401a8" \ + "0c901f1584cb493fcb75c49e5c30613c331ce318b34615a08be2fdcb9a3b4d3e9a5b62" \ + "e119db6941010533cdf73d3" #endif /* WEECHAT_TEST_UNIT_CORE_H */