Switch to SHA1 from libgcrypt and remove hardcoded SHA1 from source. Signed-off-by: Milan Broz --- luks/Makefile.am | 9 - luks/af.c | 70 +++++----- luks/keymanage.c | 18 +- luks/pbkdf.c | 310 +++++++++++++++++++++++++++++++++----------- luks/pbkdf.h | 6 luks/sha/hmac.c | 145 -------------------- luks/sha/hmac.h | 101 -------------- luks/sha/hmac_sha1.c | 2 luks/sha/hmac_sha1.h | 2 luks/sha/sha1.c | 355 --------------------------------------------------- luks/sha/sha1.h | 85 ------------ 11 files changed, 290 insertions(+), 813 deletions(-) Index: cryptsetup.upstream/luks/af.c =================================================================== --- cryptsetup.upstream.orig/luks/af.c 2008-09-16 17:11:28.000000000 +0200 +++ cryptsetup.upstream/luks/af.c 2009-02-11 13:57:00.000000000 +0100 @@ -1,6 +1,7 @@ /* * AFsplitter - Anti forensic information splitter * Copyright 2004, Clemens Fruhwirth + * Copyright (C) 2009 Red Hat, Inc. All rights reserved. * * AFsplitter diffuses information over a large stripe of data, * therefor supporting secure data destruction. @@ -28,43 +29,50 @@ #include #include #include -#include "sha1.h" #include "XORblock.h" #include "random.h" +#include + +#define SHA1_DIGEST_SIZE 20 + +static void sha1_buf(char *src, char *dst, + uint32_t iv, int len) +{ + gcry_md_hd_t hd; + unsigned char *digest; + + iv = htonl(iv); + gcry_md_open(&hd, GCRY_MD_SHA1, 0); + gcry_md_write(hd, (unsigned char *)&iv, sizeof(iv)); + gcry_md_write(hd, src, len); + digest = gcry_md_read(hd, GCRY_MD_SHA1); + memcpy(dst, digest, len); + gcry_md_close(hd); +} /* diffuse: Information spreading over the whole dataset with - * the help of sha512. + * the help of sha512. */ -static void diffuse(unsigned char *src, unsigned char *dst, size_t size) +static void diffuse(char *src, char *dst, size_t size) { - sha1_ctx ctx; - uint32_t i; - uint32_t IV; /* host byte order independend hash IV */ - - unsigned int fullblocks = size / SHA1_DIGEST_SIZE; - unsigned int padding = size % SHA1_DIGEST_SIZE; - unsigned char final[SHA1_DIGEST_SIZE]; - - /* hash block the whole data set with different IVs to produce - * more than just a single data block - */ - for (i=0; i < fullblocks; i++) { - sha1_begin(&ctx); - IV = htonl(i); - sha1_hash((const unsigned char *) &IV, sizeof(IV), &ctx); - sha1_hash(src + SHA1_DIGEST_SIZE * i, SHA1_DIGEST_SIZE, &ctx); - sha1_end(dst + SHA1_DIGEST_SIZE * i, &ctx); - } + unsigned int i, blocks, padding; - if(padding) { - sha1_begin(&ctx); - IV = htonl(i); - sha1_hash((const unsigned char *) &IV, sizeof(IV), &ctx); - sha1_hash(src + SHA1_DIGEST_SIZE * i, padding, &ctx); - sha1_end(final, &ctx); - memcpy(dst + SHA1_DIGEST_SIZE * i, final, padding); - } + blocks = size / SHA1_DIGEST_SIZE; + padding = size % SHA1_DIGEST_SIZE; + + if (gcry_md_get_algo_dlen (GCRY_MD_SHA1) != SHA1_DIGEST_SIZE) + return; + + for (i = 0; i < blocks; i++) + sha1_buf(src + SHA1_DIGEST_SIZE * i, + dst + SHA1_DIGEST_SIZE * i, + i, SHA1_DIGEST_SIZE); + + if(padding) + sha1_buf(src + SHA1_DIGEST_SIZE * i, + dst + SHA1_DIGEST_SIZE * i, + i, padding); } /* @@ -87,7 +95,7 @@ int AF_split(char *src, char *dst, size_ if(r < 0) goto out; XORblock(dst+(blocksize*i),bufblock,bufblock,blocksize); - diffuse((unsigned char *) bufblock, (unsigned char *) bufblock, blocksize); + diffuse(bufblock, bufblock, blocksize); } /* the last block is computed */ XORblock(src,bufblock,dst+(i*blocksize),blocksize); @@ -107,7 +115,7 @@ int AF_merge(char *src, char *dst, size_ memset(bufblock,0,blocksize); for(i=0; i @@ -184,10 +183,11 @@ int LUKS_generate_phdr(struct luks_phdr /* Compute master key digest */ header->mkDigestIterations = LUKS_MKD_ITER; - PBKDF2_HMAC_SHA1(mk->key,mk->keyLength, + r = PBKDF2_HMAC_SHA1(mk->key,mk->keyLength, header->mkDigestSalt,LUKS_SALTSIZE, header->mkDigestIterations, header->mkDigest,LUKS_DIGESTSIZE); + if(r < 0) return r; currentSector = round_up_modulo(LUKS_PHDR_SIZE, alignSectors); for(i = 0; i < LUKS_NUMKEYS; ++i) { @@ -230,10 +230,12 @@ int LUKS_set_key(const char *device, uns // assert((mk->keyLength % TWOFISH_BLOCKSIZE) == 0); FIXME - PBKDF2_HMAC_SHA1(password,passwordLen, + r = PBKDF2_HMAC_SHA1(password,passwordLen, hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE, hdr->keyblock[keyIndex].passwordIterations, derivedKey, hdr->keyBytes); + if(r < 0) return r; + /* * AF splitting, the masterkey stored in mk->key is splitted to AfMK */ @@ -297,11 +299,12 @@ int LUKS_open_key(const char *device, AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength; AfKey = (char *)malloc(AFEKSize); if(AfKey == NULL) return -ENOMEM; - - PBKDF2_HMAC_SHA1(password,passwordLen, + + r = PBKDF2_HMAC_SHA1(password,passwordLen, hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE, hdr->keyblock[keyIndex].passwordIterations, derivedKey, hdr->keyBytes); + if(r < 0) return r; r = LUKS_decrypt_from_storage(AfKey, AFEKSize, @@ -319,11 +322,12 @@ int LUKS_open_key(const char *device, r = AF_merge(AfKey,mk->key,mk->keyLength,hdr->keyblock[keyIndex].stripes); if(r < 0) goto out; - - PBKDF2_HMAC_SHA1(mk->key,mk->keyLength, + + r = PBKDF2_HMAC_SHA1(mk->key,mk->keyLength, hdr->mkDigestSalt,LUKS_SALTSIZE, hdr->mkDigestIterations, checkHashBuf,LUKS_DIGESTSIZE); + if(r < 0) goto out; r = (memcmp(checkHashBuf,hdr->mkDigest, LUKS_DIGESTSIZE) == 0)?0:-EPERM; out: Index: cryptsetup.upstream/luks/Makefile.am =================================================================== --- cryptsetup.upstream.orig/luks/Makefile.am 2008-09-16 17:11:28.000000000 +0200 +++ cryptsetup.upstream/luks/Makefile.am 2009-02-11 13:47:33.000000000 +0100 @@ -2,7 +2,7 @@ moduledir = $(libdir)/cryptsetup noinst_LTLIBRARIES = libluks.la -libluks_la_CFLAGS = -I sha -Wall +libluks_la_CFLAGS = -Wall libluks_la_SOURCES = \ af.c \ @@ -11,11 +11,6 @@ libluks_la_SOURCES = \ keyencryption.c \ hexprint.c \ random.c \ - sha/sha1.c \ - sha/hmac_sha1.h \ - sha/hmac.h \ - sha/hmac_sha1.c \ - sha/sha1.h \ XORblock.h \ pbkdf.h \ random.h \ @@ -27,7 +22,7 @@ INCLUDES = -D_GNU_SOURCE \ -D_FILE_OFFSET_BITS=64 \ -I$(top_srcdir)/lib -EXTRA_DIST = sha/hmac.c testing/fileDiffer.py testing/compatimage.bz2 +EXTRA_DIST = testing/fileDiffer.py testing/compatimage.bz2 ORIG_IMG = /tmp/luks-test-orig IMG = /tmp/luks-test Index: cryptsetup.upstream/luks/pbkdf.c =================================================================== --- cryptsetup.upstream.orig/luks/pbkdf.c 2008-09-16 17:11:28.000000000 +0200 +++ cryptsetup.upstream/luks/pbkdf.c 2009-02-11 13:47:10.000000000 +0100 @@ -1,91 +1,250 @@ -/* - * Copyright 2004 Clemens Fruhwirth - * Implementation of PBKDF2-HMAC-SHA1 according to RFC 2898. +/* Implementation of Password-Based Cryptography as per PKCS#5 + * Copyright (C) 2002,2003 Simon Josefsson + * Copyright (C) 2004 Free Software Foundation + * + * LUKS code + * Copyright (C) 2004 Clemens Fruhwirth + * Copyright (C) 2009 Red Hat, Inc. All rights reserved. * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This file is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Library General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - + #include #include #include +#include #include +#include -#include "hmac_sha1.h" -#include "XORblock.h" -#include +static volatile unsigned int __PBKDF2_global_j = 0; +static volatile unsigned int __PBKDF2_performance = 0; -static unsigned int *__PBKDF2_global_j; -static unsigned int __PBKDF2_performance=0; +static int init_crypto(void) +{ + if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) { + if (!gcry_check_version (GCRYPT_VERSION)) + return -ENOSYS; + gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + gcry_control (GCRYCTL_RESUME_SECMEM_WARN); + gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + } -void PBKDF2_HMAC_SHA1(const char *password, size_t passwordLen, - const char *salt, size_t saltLen, unsigned int iterations, - char *dKey, size_t dKeyLen) + return 0; +} + +/* + * 5.2 PBKDF2 + * + * PBKDF2 applies a pseudorandom function (see Appendix B.1 for an + * example) to derive keys. The length of the derived key is essentially + * unbounded. (However, the maximum effective search space for the + * derived key may be limited by the structure of the underlying + * pseudorandom function. See Appendix B.1 for further discussion.) + * PBKDF2 is recommended for new applications. + * + * PBKDF2 (P, S, c, dkLen) + * + * Options: PRF underlying pseudorandom function (hLen + * denotes the length in octets of the + * pseudorandom function output) + * + * Input: P password, an octet string (ASCII or UTF-8) + * S salt, an octet string + * c iteration count, a positive integer + * dkLen intended length in octets of the derived + * key, a positive integer, at most + * (2^32 - 1) * hLen + * + * Output: DK derived key, a dkLen-octet string + */ + +#define MAX_PRF_BLOCK_LEN 80 + +static int pkcs5_pbkdf2(int PRF, + const char *P, + size_t Plen, + const char *S, + size_t Slen, unsigned int c, unsigned int dkLen, + char *DK, int perfcheck) { - uint32_t i=1; - unsigned int j; - /* U_n is the buffer for U_n values */ - unsigned char U_n[SHA1_DIGEST_SIZE]; - /* F_buf is the XOR buffer for F function */ - char F_buf[SHA1_DIGEST_SIZE]; - hmac_ctx templateCtx; - - /* We need a global pointer for signal handlers */ - __PBKDF2_global_j = &j; - - /* Make a template context initialized with password as key */ - hmac_sha_begin(&templateCtx); - hmac_sha_key((unsigned char *) password,passwordLen,&templateCtx); - -#define HMAC_REINIT(__ctx) memcpy(&__ctx,&templateCtx,sizeof(__ctx)) - - /* The first hash iteration is done different, therefor - we reduce iterations to conveniently use it as a loop - counter */ - assert(iterations != 0); - iterations--; - - while(dKeyLen > 0) { - hmac_ctx ctx; - uint32_t iNetworkOrdered; - unsigned int blocksize = dKeyLen MAX_PRF_BLOCK_LEN) + return -EINVAL; + + if (c == 0) + return -EINVAL; + + if (dkLen == 0) + return -EINVAL; + + /* + * + * Steps: + * + * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + * stop. + */ + + if (dkLen > 4294967295U) + return -EINVAL; + + /* + * 2. Let l be the number of hLen-octet blocks in the derived key, + * rounding up, and let r be the number of octets in the last + * block: + * + * l = CEIL (dkLen / hLen) , + * r = dkLen - (l - 1) * hLen . + * + * Here, CEIL (x) is the "ceiling" function, i.e. the smallest + * integer greater than, or equal to, x. + */ + + l = dkLen / hLen; + if (dkLen % hLen) + l++; + r = dkLen - (l - 1) * hLen; + + /* + * 3. For each block of the derived key apply the function F defined + * below to the password P, the salt S, the iteration count c, and + * the block index to compute the block: + * + * T_1 = F (P, S, c, 1) , + * T_2 = F (P, S, c, 2) , + * ... + * T_l = F (P, S, c, l) , + * + * where the function F is defined as the exclusive-or sum of the + * first c iterates of the underlying pseudorandom function PRF + * applied to the password P and the concatenation of the salt S + * and the block index i: + * + * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + * + * where + * + * U_1 = PRF (P, S || INT (i)) , + * U_2 = PRF (P, U_1) , + * ... + * U_c = PRF (P, U_{c-1}) . + * + * Here, INT (i) is a four-octet encoding of the integer i, most + * significant octet first. + * + * 4. Concatenate the blocks and extract the first dkLen octets to + * produce a derived key DK: + * + * DK = T_1 || T_2 || ... || T_l<0..r-1> + * + * 5. Output the derived key DK. + * + * Note. The construction of the function F follows a "belt-and- + * suspenders" approach. The iterates U_i are computed recursively to + * remove a degree of parallelism from an opponent; they are exclusive- + * ored together to reduce concerns about the recursion degenerating + * into a small set of values. + * + */ + + err = gcry_md_open(&prf, PRF, GCRY_MD_FLAG_HMAC); + if (err) + return -EINVAL; + + for (i = 1; (uint) i <= l; i++) { + memset(T, 0, hLen); + + for (u = 1; u <= c ; u++) { + gcry_md_reset(prf); + + rc = gcry_md_setkey(prf, P, Plen); + if (rc) + return -EINVAL; + + if (u == 1) { + char *tmp; + size_t tmplen = Slen + 4; + + tmp = alloca(tmplen); + if (tmp == NULL) + return -ENOMEM; + + memcpy(tmp, S, Slen); + tmp[Slen + 0] = (i & 0xff000000) >> 24; + tmp[Slen + 1] = (i & 0x00ff0000) >> 16; + tmp[Slen + 2] = (i & 0x0000ff00) >> 8; + tmp[Slen + 3] = (i & 0x000000ff) >> 0; + + gcry_md_write(prf, tmp, tmplen); + } else { + gcry_md_write(prf, U, hLen); + } + + p = gcry_md_read(prf, PRF); + if (p == NULL) + return -EINVAL; + + memcpy(U, p, hLen); + + for (k = 0; (uint) k < hLen; k++) + T[k] ^= U[k]; + + if (perfcheck && __PBKDF2_performance) + goto out; + + if (perfcheck) + __PBKDF2_global_j--; } - memcpy(dKey,F_buf,blocksize); - dKey+=blocksize; dKeyLen-=blocksize; i++; + + memcpy(DK + (i - 1) * hLen, T, (uint) i == l ? r : hLen); } -#undef HMAC_REINIT +out: + gcry_md_close(prf); + + return 0; +} + +int PBKDF2_HMAC_SHA1(const char *password, size_t passwordLen, + const char *salt, size_t saltLen, unsigned int iterations, + char *dKey, size_t dKeyLen) +{ + return pkcs5_pbkdf2(GCRY_MD_SHA1, password, passwordLen, salt, saltLen, + iterations, (unsigned int)dKeyLen, dKey, 0); } static void sigvtalarm(int foo) { - __PBKDF2_performance = ~(0U) - *__PBKDF2_global_j; - *__PBKDF2_global_j = 0; + __PBKDF2_performance = ~(0U) - __PBKDF2_global_j; + __PBKDF2_global_j = 0; } unsigned int PBKDF2_performance_check() @@ -96,7 +255,8 @@ unsigned int PBKDF2_performance_check() char buf; struct itimerval it; - if(__PBKDF2_performance != 0) return __PBKDF2_performance; + if(__PBKDF2_performance != 0) + return __PBKDF2_performance; signal(SIGVTALRM,sigvtalarm); it.it_interval.tv_usec = 0; @@ -104,11 +264,11 @@ unsigned int PBKDF2_performance_check() it.it_value.tv_usec = 0; it.it_value.tv_sec = 1; if (setitimer (ITIMER_VIRTUAL, &it, NULL) < 0) - return 0; + return 0; + + pkcs5_pbkdf2(GCRY_MD_SHA1, "foo", 3, "bar", 3, ~(0U), 1, &buf, 1); + + __PBKDF2_global_j = 0; - PBKDF2_HMAC_SHA1("foo", 3, - "bar", 3, ~(0U), - &buf, 1); - return __PBKDF2_performance; } Index: cryptsetup.upstream/luks/sha/hmac.c =================================================================== --- cryptsetup.upstream.orig/luks/sha/hmac.c 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,145 +0,0 @@ -/* - --------------------------------------------------------------------------- - Copyright (c) 2002, Dr Brian Gladman, Worcester, UK. All rights reserved. - - LICENSE TERMS - - The free distribution and use of this software in both source and binary - form is allowed (with or without changes) provided that: - - 1. distributions of this source code include the above copyright - notice, this list of conditions and the following disclaimer; - - 2. distributions in binary form include the above copyright - notice, this list of conditions and the following disclaimer - in the documentation and/or other associated materials; - - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. - - ALTERNATIVELY, provided that this notice is retained in full, this product - may be distributed under the terms of the GNU General Public License (GPL), - in which case the provisions of the GPL apply INSTEAD OF those given above. - - DISCLAIMER - - This software is provided 'as is' with no explicit or implied warranties - in respect of its properties, including, but not limited to, correctness - and/or fitness for purpose. - --------------------------------------------------------------------------- - Issue Date: 26/08/2003 - - This is an implementation of HMAC, the FIPS standard keyed hash function -*/ - -#include -#include "hmac.h" - -#if defined(__cplusplus) -extern "C" -{ -#endif - -/* initialise the HMAC context to zero */ -void hmac_sha_begin(hmac_ctx cx[1]) -{ - memset(cx, 0, sizeof(hmac_ctx)); -} - -/* input the HMAC key (can be called multiple times) */ -int hmac_sha_key(const unsigned char key[], size_t key_len, hmac_ctx cx[1]) -{ - if(cx->klen == HMAC_IN_DATA) /* error if further key input */ - return HMAC_BAD_MODE; /* is attempted in data mode */ - - if(cx->klen + key_len > HASH_INPUT_SIZE) /* if the key has to be hashed */ - { - if(cx->klen <= HASH_INPUT_SIZE) /* if the hash has not yet been */ - { /* started, initialise it and */ - sha_begin(cx->ctx); /* hash stored key characters */ - sha_hash(cx->key, cx->klen, cx->ctx); - } - - sha_hash(key, key_len, cx->ctx); /* hash long key data into hash */ - } - else /* otherwise store key data */ - memcpy(cx->key + cx->klen, key, key_len); - - cx->klen += key_len; /* update the key length count */ - return HMAC_OK; -} - -/* input the HMAC data (can be called multiple times) - */ -/* note that this call terminates the key input phase */ -void hmac_sha_data(const unsigned char data[], size_t data_len, hmac_ctx cx[1]) -{ unsigned int i; - - if(cx->klen != HMAC_IN_DATA) /* if not yet in data phase */ - { - if(cx->klen > HASH_INPUT_SIZE) /* if key is being hashed */ - { /* complete the hash and */ - sha_end(cx->key, cx->ctx); /* store the result as the */ - cx->klen = HASH_OUTPUT_SIZE; /* key and set new length */ - } - - /* pad the key if necessary */ - memset(cx->key + cx->klen, 0, HASH_INPUT_SIZE - cx->klen); - - /* xor ipad into key value */ - for(i = 0; i < (HASH_INPUT_SIZE >> 2); ++i) - ((uint32_t*)cx->key)[i] ^= 0x36363636; - - /* and start hash operation */ - sha_begin(cx->ctx); - sha_hash(cx->key, HASH_INPUT_SIZE, cx->ctx); - - /* mark as now in data mode */ - cx->klen = HMAC_IN_DATA; - } - - /* hash the data (if any) */ - if(data_len) - sha_hash(data, data_len, cx->ctx); -} - -/* compute and output the MAC value */ -void hmac_sha_end(unsigned char mac[], size_t mac_len, hmac_ctx cx[1]) -{ unsigned char dig[HASH_OUTPUT_SIZE]; - unsigned int i; - - /* if no data has been entered perform a null data phase */ - if(cx->klen != HMAC_IN_DATA) - hmac_sha_data((const unsigned char*)0, 0, cx); - - sha_end(dig, cx->ctx); /* complete the inner hash */ - - /* set outer key value using opad and removing ipad */ - for(i = 0; i < (HASH_INPUT_SIZE >> 2); ++i) - ((uint32_t*)cx->key)[i] ^= 0x36363636 ^ 0x5c5c5c5c; - - /* perform the outer hash operation */ - sha_begin(cx->ctx); - sha_hash(cx->key, HASH_INPUT_SIZE, cx->ctx); - sha_hash(dig, HASH_OUTPUT_SIZE, cx->ctx); - sha_end(dig, cx->ctx); - - /* output the hash value */ - for(i = 0; i < mac_len; ++i) - mac[i] = dig[i]; -} - -/* 'do it all in one go' subroutine */ -void hmac_sha(const unsigned char key[], size_t key_len, - const unsigned char data[], size_t data_len, - unsigned char mac[], size_t mac_len) -{ hmac_ctx cx[1]; - - hmac_sha_begin(cx); - hmac_sha_key(key, key_len, cx); - hmac_sha_data(data, data_len, cx); - hmac_sha_end(mac, mac_len, cx); -} - -#if defined(__cplusplus) -} -#endif Index: cryptsetup.upstream/luks/sha/hmac.h =================================================================== --- cryptsetup.upstream.orig/luks/sha/hmac.h 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,101 +0,0 @@ -/* - --------------------------------------------------------------------------- - Copyright (c) 2002, Dr Brian Gladman, Worcester, UK. All rights reserved. - - LICENSE TERMS - - The free distribution and use of this software in both source and binary - form is allowed (with or without changes) provided that: - - 1. distributions of this source code include the above copyright - notice, this list of conditions and the following disclaimer; - - 2. distributions in binary form include the above copyright - notice, this list of conditions and the following disclaimer - in the documentation and/or other associated materials; - - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. - - ALTERNATIVELY, provided that this notice is retained in full, this product - may be distributed under the terms of the GNU General Public License (GPL), - in which case the provisions of the GPL apply INSTEAD OF those given above. - - DISCLAIMER - - This software is provided 'as is' with no explicit or implied warranties - in respect of its properties, including, but not limited to, correctness - and/or fitness for purpose. - --------------------------------------------------------------------------- - Issue Date: 26/08/2003 - - This is an implementation of HMAC, the FIPS standard keyed hash function -*/ - -#ifndef _HMAC_H -#define _HMAC_H - -#include - -#if defined(__cplusplus) -extern "C" -{ -#endif - -#if !defined(USE_SHA1) && !defined(USE_SHA256) -#error define USE_SHA1 or USE_SHA256 to set the HMAC hash algorithm -#endif - -#ifdef USE_SHA1 - -#include "sha1.h" - -#define HASH_INPUT_SIZE SHA1_BLOCK_SIZE -#define HASH_OUTPUT_SIZE SHA1_DIGEST_SIZE -#define sha_ctx sha1_ctx -#define sha_begin sha1_begin -#define sha_hash sha1_hash -#define sha_end sha1_end - -#endif - -#ifdef USE_SHA256 - -#include "sha2.h" - -#define HASH_INPUT_SIZE SHA256_BLOCK_SIZE -#define HASH_OUTPUT_SIZE SHA256_DIGEST_SIZE -#define sha_ctx sha256_ctx -#define sha_begin sha256_begin -#define sha_hash sha256_hash -#define sha_end sha256_end - -#endif - -#define HMAC_OK 0 -#define HMAC_BAD_MODE -1 -#define HMAC_IN_DATA 0xffffffff - -typedef struct -{ unsigned char key[HASH_INPUT_SIZE]; - sha_ctx ctx[1]; - unsigned long klen; -} hmac_ctx; - -void hmac_sha_begin(hmac_ctx cx[1]); - -int hmac_sha_key(const unsigned char key[], size_t key_len, hmac_ctx cx[1]); - -void hmac_sha_data(const unsigned char data[], size_t data_len, hmac_ctx cx[1]); - -void hmac_sha_end(unsigned char mac[], size_t mac_len, hmac_ctx cx[1]); - -void hmac_sha(const unsigned char key[], size_t key_len, - const unsigned char data[], size_t data_len, - unsigned char mac[], size_t mac_len); - -#if defined(__cplusplus) -} -#endif - -#endif Index: cryptsetup.upstream/luks/sha/hmac_sha1.c =================================================================== --- cryptsetup.upstream.orig/luks/sha/hmac_sha1.c 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -#define USE_SHA1 -#include "hmac.c" Index: cryptsetup.upstream/luks/sha/hmac_sha1.h =================================================================== --- cryptsetup.upstream.orig/luks/sha/hmac_sha1.h 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -#define USE_SHA1 -#include "hmac.h" Index: cryptsetup.upstream/luks/sha/sha1.c =================================================================== --- cryptsetup.upstream.orig/luks/sha/sha1.c 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,355 +0,0 @@ -/* - --------------------------------------------------------------------------- - Copyright (c) 2002, Dr Brian Gladman, Worcester, UK. All rights reserved. - - LICENSE TERMS - - The free distribution and use of this software in both source and binary - form is allowed (with or without changes) provided that: - - 1. distributions of this source code include the above copyright - notice, this list of conditions and the following disclaimer; - - 2. distributions in binary form include the above copyright - notice, this list of conditions and the following disclaimer - in the documentation and/or other associated materials; - - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. - - ALTERNATIVELY, provided that this notice is retained in full, this product - may be distributed under the terms of the GNU General Public License (GPL), - in which case the provisions of the GPL apply INSTEAD OF those given above. - - DISCLAIMER - - This software is provided 'as is' with no explicit or implied warranties - in respect of its properties, including, but not limited to, correctness - and/or fitness for purpose. - --------------------------------------------------------------------------- - Issue Date: 16/01/2004 - - This is a byte oriented version of SHA1 that operates on arrays of bytes - stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor -*/ - -#include /* for memcpy() etc. */ -#include /* for _lrotl with VC++ */ - -#include "sha1.h" - -#if defined(__cplusplus) -extern "C" -{ -#endif - -/* - To obtain the highest speed on processors with 32-bit words, this code - needs to determine the order in which bytes are packed into such words. - The following block of code is an attempt to capture the most obvious - ways in which various environemnts specify their endian definitions. - It may well fail, in which case the definitions will need to be set by - editing at the points marked **** EDIT HERE IF NECESSARY **** below. -*/ - -/* PLATFORM SPECIFIC INCLUDES */ - -#define BRG_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */ -#define BRG_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */ - -#if defined(__GNUC__) || defined(__GNU_LIBRARY__) -# if defined(__FreeBSD__) || defined(__OpenBSD__) -# include -# elif defined( BSD ) && ( BSD >= 199103 ) -# include -# elif defined(__APPLE__) -# if defined(__BIG_ENDIAN__) && !defined( BIG_ENDIAN ) -# define BIG_ENDIAN -# elif defined(__LITTLE_ENDIAN__) && !defined( LITTLE_ENDIAN ) -# define LITTLE_ENDIAN -# endif -# else -# include -# if !defined(__BEOS__) -# include -# endif -# endif -#endif - -#if !defined(PLATFORM_BYTE_ORDER) -# if defined(LITTLE_ENDIAN) || defined(BIG_ENDIAN) -# if defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif !defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# elif defined(BYTE_ORDER) && (BYTE_ORDER == LITTLE_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif defined(BYTE_ORDER) && (BYTE_ORDER == BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# endif -# elif defined(_LITTLE_ENDIAN) || defined(_BIG_ENDIAN) -# if defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif !defined(_LITTLE_ENDIAN) && defined(_BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _LITTLE_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _BIG_ENDIAN) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# endif -# elif defined(__LITTLE_ENDIAN__) || defined(__BIG_ENDIAN__) -# if defined(__LITTLE_ENDIAN__) && !defined(__BIG_ENDIAN__) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif !defined(__LITTLE_ENDIAN__) && defined(__BIG_ENDIAN__) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __LITTLE_ENDIAN__) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -# elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __BIG_ENDIAN__) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -# endif -# endif -#endif - -/* if the platform is still unknown, try to find its byte order */ -/* from commonly used machine defines */ - -#if !defined(PLATFORM_BYTE_ORDER) - -#if defined( __alpha__ ) || defined( __alpha ) || defined( i386 ) || \ - defined( __i386__ ) || defined( _M_I86 ) || defined( _M_IX86 ) || \ - defined( __OS2__ ) || defined( sun386 ) || defined( __TURBOC__ ) || \ - defined( vax ) || defined( vms ) || defined( VMS ) || \ - defined( __VMS ) -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN - -#elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \ - defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \ - defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \ - defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \ - defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \ - defined( __TANDEM ) || defined( THINK_C ) || defined( __VMCMS__ ) -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN - -#elif 0 /* **** EDIT HERE IF NECESSARY **** */ -# define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN -#elif 0 /* **** EDIT HERE IF NECESSARY **** */ -# define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN -#else -# error Please edit sha1.c (line 134 or 136) to set the platform byte order -#endif - -#endif - -#ifdef _MSC_VER -#pragma intrinsic(memcpy) -#endif - -#if 0 && defined(_MSC_VER) -#define rotl32 _lrotl -#define rotr32 _lrotr -#else -#define rotl32(x,n) (((x) << n) | ((x) >> (32 - n))) -#define rotr32(x,n) (((x) >> n) | ((x) << (32 - n))) -#endif - -#if !defined(bswap_32) -#define bswap_32(x) (rotr32((x), 24) & 0x00ff00ff | rotr32((x), 8) & 0xff00ff00) -#endif - -#if (PLATFORM_BYTE_ORDER == BRG_LITTLE_ENDIAN) -#define SWAP_BYTES -#else -#undef SWAP_BYTES -#endif - -#if defined(SWAP_BYTES) -#define bsw_32(p,n) \ - { int _i = (n); while(_i--) ((sha1_32t*)p)[_i] = bswap_32(((sha1_32t*)p)[_i]); } -#else -#define bsw_32(p,n) -#endif - -#define SHA1_MASK (SHA1_BLOCK_SIZE - 1) - -#if 0 - -#define ch(x,y,z) (((x) & (y)) ^ (~(x) & (z))) -#define parity(x,y,z) ((x) ^ (y) ^ (z)) -#define maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) - -#else /* Discovered by Rich Schroeppel and Colin Plumb */ - -#define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) -#define parity(x,y,z) ((x) ^ (y) ^ (z)) -#define maj(x,y,z) (((x) & (y)) | ((z) & ((x) ^ (y)))) - -#endif - -/* Compile 64 bytes of hash data into SHA1 context. Note */ -/* that this routine assumes that the byte order in the */ -/* ctx->wbuf[] at this point is in such an order that low */ -/* address bytes in the ORIGINAL byte stream in this buffer */ -/* will go to the high end of 32-bit words on BOTH big and */ -/* little endian systems */ - -#ifdef ARRAY -#define q(v,n) v[n] -#else -#define q(v,n) v##n -#endif - -#define one_cycle(v,a,b,c,d,e,f,k,h) \ - q(v,e) += rotr32(q(v,a),27) + \ - f(q(v,b),q(v,c),q(v,d)) + k + h; \ - q(v,b) = rotr32(q(v,b), 2) - -#define five_cycle(v,f,k,i) \ - one_cycle(v, 0,1,2,3,4, f,k,hf(i )); \ - one_cycle(v, 4,0,1,2,3, f,k,hf(i+1)); \ - one_cycle(v, 3,4,0,1,2, f,k,hf(i+2)); \ - one_cycle(v, 2,3,4,0,1, f,k,hf(i+3)); \ - one_cycle(v, 1,2,3,4,0, f,k,hf(i+4)) - -void sha1_compile(sha1_ctx ctx[1]) -{ sha1_32t *w = ctx->wbuf; - -#ifdef ARRAY - sha1_32t v[5]; - memcpy(v, ctx->hash, 5 * sizeof(sha1_32t)); -#else - sha1_32t v0, v1, v2, v3, v4; - v0 = ctx->hash[0]; v1 = ctx->hash[1]; - v2 = ctx->hash[2]; v3 = ctx->hash[3]; - v4 = ctx->hash[4]; -#endif - -#define hf(i) w[i] - - five_cycle(v, ch, 0x5a827999, 0); - five_cycle(v, ch, 0x5a827999, 5); - five_cycle(v, ch, 0x5a827999, 10); - one_cycle(v,0,1,2,3,4, ch, 0x5a827999, hf(15)); \ - -#undef hf -#define hf(i) (w[(i) & 15] = rotl32( \ - w[((i) + 13) & 15] ^ w[((i) + 8) & 15] \ - ^ w[((i) + 2) & 15] ^ w[(i) & 15], 1)) - - one_cycle(v,4,0,1,2,3, ch, 0x5a827999, hf(16)); - one_cycle(v,3,4,0,1,2, ch, 0x5a827999, hf(17)); - one_cycle(v,2,3,4,0,1, ch, 0x5a827999, hf(18)); - one_cycle(v,1,2,3,4,0, ch, 0x5a827999, hf(19)); - - five_cycle(v, parity, 0x6ed9eba1, 20); - five_cycle(v, parity, 0x6ed9eba1, 25); - five_cycle(v, parity, 0x6ed9eba1, 30); - five_cycle(v, parity, 0x6ed9eba1, 35); - - five_cycle(v, maj, 0x8f1bbcdc, 40); - five_cycle(v, maj, 0x8f1bbcdc, 45); - five_cycle(v, maj, 0x8f1bbcdc, 50); - five_cycle(v, maj, 0x8f1bbcdc, 55); - - five_cycle(v, parity, 0xca62c1d6, 60); - five_cycle(v, parity, 0xca62c1d6, 65); - five_cycle(v, parity, 0xca62c1d6, 70); - five_cycle(v, parity, 0xca62c1d6, 75); - -#ifdef ARRAY - ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; - ctx->hash[2] += v[2]; ctx->hash[3] += v[3]; - ctx->hash[4] += v[4]; -#else - ctx->hash[0] += v0; ctx->hash[1] += v1; - ctx->hash[2] += v2; ctx->hash[3] += v3; - ctx->hash[4] += v4; -#endif -} - -void sha1_begin(sha1_ctx ctx[1]) -{ - ctx->count[0] = ctx->count[1] = 0; - ctx->hash[0] = 0x67452301; - ctx->hash[1] = 0xefcdab89; - ctx->hash[2] = 0x98badcfe; - ctx->hash[3] = 0x10325476; - ctx->hash[4] = 0xc3d2e1f0; -} - -/* SHA1 hash data in an array of bytes into hash buffer and */ -/* call the hash_compile function as required. */ - -void sha1_hash(const unsigned char data[], size_t len, sha1_ctx ctx[1]) -{ sha1_32t pos = (sha1_32t)(ctx->count[0] & SHA1_MASK), - space = SHA1_BLOCK_SIZE - pos; - const unsigned char *sp = data; - - if((ctx->count[0] += len) < len) - ++(ctx->count[1]); - - while(len >= space) /* tranfer whole blocks if possible */ - { - memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space); - sp += space; len -= space; space = SHA1_BLOCK_SIZE; pos = 0; - bsw_32(ctx->wbuf, SHA1_BLOCK_SIZE >> 2); - sha1_compile(ctx); - } - - memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len); -} - -/* SHA1 final padding and digest calculation */ - -void sha1_end(unsigned char hval[], sha1_ctx ctx[1]) -{ sha1_32t i = (sha1_32t)(ctx->count[0] & SHA1_MASK); - - /* put bytes in the buffer in an order in which references to */ - /* 32-bit words will put bytes with lower addresses into the */ - /* top of 32 bit words on BOTH big and little endian machines */ - bsw_32(ctx->wbuf, (i + 3) >> 2); - - /* we now need to mask valid bytes and add the padding which is */ - /* a single 1 bit and as many zero bits as necessary. Note that */ - /* we can always add the first padding byte here because the */ - /* buffer always has at least one empty slot */ - ctx->wbuf[i >> 2] &= 0xffffff80 << 8 * (~i & 3); - ctx->wbuf[i >> 2] |= 0x00000080 << 8 * (~i & 3); - - /* we need 9 or more empty positions, one for the padding byte */ - /* (above) and eight for the length count. If there is not */ - /* enough space, pad and empty the buffer */ - if(i > SHA1_BLOCK_SIZE - 9) - { - if(i < 60) ctx->wbuf[15] = 0; - sha1_compile(ctx); - i = 0; - } - else /* compute a word index for the empty buffer positions */ - i = (i >> 2) + 1; - - while(i < 14) /* and zero pad all but last two positions */ - ctx->wbuf[i++] = 0; - - /* the following 32-bit length fields are assembled in the */ - /* wrong byte order on little endian machines but this is */ - /* corrected later since they are only ever used as 32-bit */ - /* word values. */ - ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 29); - ctx->wbuf[15] = ctx->count[0] << 3; - sha1_compile(ctx); - - /* extract the hash value as bytes in case the hash buffer is */ - /* misaligned for 32-bit words */ - for(i = 0; i < SHA1_DIGEST_SIZE; ++i) - hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3))); -} - -void sha1(unsigned char hval[], const unsigned char data[], size_t len) -{ sha1_ctx cx[1]; - - sha1_begin(cx); sha1_hash(data, len, cx); sha1_end(hval, cx); -} - -#if defined(__cplusplus) -} -#endif Index: cryptsetup.upstream/luks/sha/sha1.h =================================================================== --- cryptsetup.upstream.orig/luks/sha/sha1.h 2008-09-16 17:11:27.000000000 +0200 +++ /dev/null 1970-01-01 00:00:00.000000000 +0000 @@ -1,85 +0,0 @@ -/* - --------------------------------------------------------------------------- - Copyright (c) 2002, Dr Brian Gladman, Worcester, UK. All rights reserved. - - LICENSE TERMS - - The free distribution and use of this software in both source and binary - form is allowed (with or without changes) provided that: - - 1. distributions of this source code include the above copyright - notice, this list of conditions and the following disclaimer; - - 2. distributions in binary form include the above copyright - notice, this list of conditions and the following disclaimer - in the documentation and/or other associated materials; - - 3. the copyright holder's name is not used to endorse products - built using this software without specific written permission. - - ALTERNATIVELY, provided that this notice is retained in full, this product - may be distributed under the terms of the GNU General Public License (GPL), - in which case the provisions of the GPL apply INSTEAD OF those given above. - - DISCLAIMER - - This software is provided 'as is' with no explicit or implied warranties - in respect of its properties, including, but not limited to, correctness - and/or fitness for purpose. - --------------------------------------------------------------------------- - Issue Date: 26/08/2003 -*/ - -#ifndef _SHA1_H -#define _SHA1_H - -#include -#include - -#define SHA1_BLOCK_SIZE 64 -#define SHA1_DIGEST_SIZE 20 - -#if defined(__cplusplus) -extern "C" -{ -#endif - -/* define an unsigned 32-bit type */ - -#if defined(_MSC_VER) - typedef unsigned long sha1_32t; -#elif defined(ULONG_MAX) && ULONG_MAX == 0xfffffffful - typedef unsigned long sha1_32t; -#elif defined(UINT_MAX) && UINT_MAX == 0xffffffff - typedef unsigned int sha1_32t; -#else -# error Please define sha1_32t as an unsigned 32 bit type in sha1.h -#endif - -/* type to hold the SHA256 context */ - -typedef struct -{ sha1_32t count[2]; - sha1_32t hash[5]; - sha1_32t wbuf[16]; -} sha1_ctx; - -/* Note that these prototypes are the same for both bit and */ -/* byte oriented implementations. However the length fields */ -/* are in bytes or bits as appropriate for the version used */ -/* and bit sequences are input as arrays of bytes in which */ -/* bit sequences run from the most to the least significant */ -/* end of each byte */ - -void sha1_compile(sha1_ctx ctx[1]); - -void sha1_begin(sha1_ctx ctx[1]); -void sha1_hash(const unsigned char data[], size_t len, sha1_ctx ctx[1]); -void sha1_end(unsigned char hval[], sha1_ctx ctx[1]); -void sha1(unsigned char hval[], const unsigned char data[], size_t len); - -#if defined(__cplusplus) -} -#endif - -#endif Index: cryptsetup.upstream/luks/pbkdf.h =================================================================== --- cryptsetup.upstream.orig/luks/pbkdf.h 2008-09-16 17:11:28.000000000 +0200 +++ cryptsetup.upstream/luks/pbkdf.h 2009-02-11 13:47:10.000000000 +0100 @@ -5,9 +5,9 @@ /* */ -void PBKDF2_HMAC_SHA1(const char *password, size_t passwordLen, - const char *salt, size_t saltLen, unsigned int iterations, - char *dKey, size_t dKeyLen); +int PBKDF2_HMAC_SHA1(const char *password, size_t passwordLen, + const char *salt, size_t saltLen, unsigned int iterations, + char *dKey, size_t dKeyLen); unsigned int PBKDF2_performance_check();