diff options
Diffstat (limited to 'src/Common/Pkcs5.c')
| -rw-r--r-- | src/Common/Pkcs5.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/src/Common/Pkcs5.c b/src/Common/Pkcs5.c index 7892a38a..7b78767e 100644 --- a/src/Common/Pkcs5.c +++ b/src/Common/Pkcs5.c @@ -118,112 +118,112 @@ void hmac_sha256 for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x36); memset (&buf[lk], 0x36, SHA256_BLOCKSIZE - lk); sha256_hash (buf, SHA256_BLOCKSIZE, ctx); /**** Precompute HMAC Outer Digest ****/ ctx = &(hmac.outer_digest_ctx); sha256_begin (ctx); for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x5C); memset (&buf[lk], 0x5C, SHA256_BLOCKSIZE - lk); sha256_hash (buf, SHA256_BLOCKSIZE, ctx); hmac_sha256_internal(d, ld, &hmac); #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) if (NT_SUCCESS (saveStatus)) KeRestoreExtendedProcessorStateVC(&SaveState); #endif /* Prevent leaks */ burn(&hmac, sizeof(hmac)); burn(key, sizeof(key)); } #endif -static void derive_u_sha256 (unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_sha256_ctx* hmac) +static void derive_u_sha256 (const unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_sha256_ctx* hmac) { unsigned char* k = hmac->k; unsigned char* u = hmac->u; uint32 c; int i; #ifdef TC_WINDOWS_BOOT /* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise) * and the most significant 16 bits hold the pim value * This enables us to save code space needed for implementing other features. */ c = iterations >> 16; i = ((int) iterations) & 0x01; if (i) c = (c == 0)? 200000 : c << 11; else c = (c == 0)? 500000 : 15000 + c * 1000; #else c = iterations; #endif /* iteration 1 */ memcpy (k, salt, salt_len); /* salt */ /* big-endian block number */ #ifdef TC_WINDOWS_BOOT /* specific case of 16-bit bootloader: b is a 16-bit integer that is always < 256 */ memset (&k[salt_len], 0, 3); k[salt_len + 3] = (unsigned char) b; #else b = bswap_32 (b); memcpy (&k[salt_len], &b, 4); #endif hmac_sha256_internal (k, salt_len + 4, hmac); memcpy (u, k, SHA256_DIGESTSIZE); /* remaining iterations */ while (c > 1) { hmac_sha256_internal (k, SHA256_DIGESTSIZE, hmac); for (i = 0; i < SHA256_DIGESTSIZE; i++) { u[i] ^= k[i]; } c--; } } -void derive_key_sha256 (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) +void derive_key_sha256 (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) { hmac_sha256_ctx hmac; sha256_ctx* ctx; unsigned char* buf = hmac.k; int b, l, r; #ifndef TC_WINDOWS_BOOT unsigned char key[SHA256_DIGESTSIZE]; #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) NTSTATUS saveStatus = STATUS_INVALID_PARAMETER; XSTATE_SAVE SaveState; if (IsCpuIntel() && HasSAVX()) saveStatus = KeSaveExtendedProcessorStateVC(XSTATE_MASK_GSSE, &SaveState); #endif /* If the password is longer than the hash algorithm block size, let pwd = sha256(pwd), as per HMAC specifications. */ if (pwd_len > SHA256_BLOCKSIZE) { sha256_ctx tctx; sha256_begin (&tctx); sha256_hash (pwd, pwd_len, &tctx); sha256_end (key, &tctx); pwd = key; pwd_len = SHA256_DIGESTSIZE; burn (&tctx, sizeof(tctx)); // Prevent leaks } #endif @@ -368,88 +368,88 @@ void hmac_sha512 /* Pad the key for inner digest */ for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x36); memset (&buf[lk], 0x36, SHA512_BLOCKSIZE - lk); sha512_hash (buf, SHA512_BLOCKSIZE, ctx); /**** Precompute HMAC Outer Digest ****/ ctx = &(hmac.outer_digest_ctx); sha512_begin (ctx); for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x5C); memset (&buf[lk], 0x5C, SHA512_BLOCKSIZE - lk); sha512_hash (buf, SHA512_BLOCKSIZE, ctx); hmac_sha512_internal (d, ld, &hmac); #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) if (NT_SUCCESS (saveStatus)) KeRestoreExtendedProcessorStateVC(&SaveState); #endif /* Prevent leaks */ burn (&hmac, sizeof(hmac)); burn (key, sizeof(key)); } -static void derive_u_sha512 (unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_sha512_ctx* hmac) +static void derive_u_sha512 (const unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_sha512_ctx* hmac) { unsigned char* k = hmac->k; unsigned char* u = hmac->u; uint32 c, i; /* iteration 1 */ memcpy (k, salt, salt_len); /* salt */ /* big-endian block number */ b = bswap_32 (b); memcpy (&k[salt_len], &b, 4); hmac_sha512_internal (k, salt_len + 4, hmac); memcpy (u, k, SHA512_DIGESTSIZE); /* remaining iterations */ for (c = 1; c < iterations; c++) { hmac_sha512_internal (k, SHA512_DIGESTSIZE, hmac); for (i = 0; i < SHA512_DIGESTSIZE; i++) { u[i] ^= k[i]; } } } -void derive_key_sha512 (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) +void derive_key_sha512 (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) { hmac_sha512_ctx hmac; sha512_ctx* ctx; unsigned char* buf = hmac.k; int b, l, r; unsigned char key[SHA512_DIGESTSIZE]; #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) NTSTATUS saveStatus = STATUS_INVALID_PARAMETER; XSTATE_SAVE SaveState; if (IsCpuIntel() && HasSAVX()) saveStatus = KeSaveExtendedProcessorStateVC(XSTATE_MASK_GSSE, &SaveState); #endif /* If the password is longer than the hash algorithm block size, let pwd = sha512(pwd), as per HMAC specifications. */ if (pwd_len > SHA512_BLOCKSIZE) { sha512_ctx tctx; sha512_begin (&tctx); sha512_hash (pwd, pwd_len, &tctx); sha512_end (key, &tctx); pwd = key; pwd_len = SHA512_DIGESTSIZE; burn (&tctx, sizeof(tctx)); // Prevent leaks } if (dklen % SHA512_DIGESTSIZE) @@ -592,112 +592,112 @@ void hmac_blake2s for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x36); memset (&buf[lk], 0x36, BLAKE2S_BLOCKSIZE - lk); blake2s_update (ctx, buf, BLAKE2S_BLOCKSIZE); /**** Precompute HMAC Outer Digest ****/ ctx = &(hmac.outer_digest_ctx); blake2s_init (ctx); for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x5C); memset (&buf[lk], 0x5C, BLAKE2S_BLOCKSIZE - lk); blake2s_update (ctx, buf, BLAKE2S_BLOCKSIZE); hmac_blake2s_internal(d, ld, &hmac); #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) if (NT_SUCCESS (saveStatus)) KeRestoreExtendedProcessorStateVC(&SaveState); #endif /* Prevent leaks */ burn(&hmac, sizeof(hmac)); burn(key, sizeof(key)); } #endif -static void derive_u_blake2s (unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_blake2s_ctx* hmac) +static void derive_u_blake2s (const unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_blake2s_ctx* hmac) { unsigned char* k = hmac->k; unsigned char* u = hmac->u; uint32 c; int i; #ifdef TC_WINDOWS_BOOT /* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise) * and the most significant 16 bits hold the pim value * This enables us to save code space needed for implementing other features. */ c = iterations >> 16; i = ((int) iterations) & 0x01; if (i) c = (c == 0)? 200000 : c << 11; else c = (c == 0)? 500000 : 15000 + c * 1000; #else c = iterations; #endif /* iteration 1 */ memcpy (k, salt, salt_len); /* salt */ /* big-endian block number */ #ifdef TC_WINDOWS_BOOT /* specific case of 16-bit bootloader: b is a 16-bit integer that is always < 256 */ memset (&k[salt_len], 0, 3); k[salt_len + 3] = (unsigned char) b; #else b = bswap_32 (b); memcpy (&k[salt_len], &b, 4); #endif hmac_blake2s_internal (k, salt_len + 4, hmac); memcpy (u, k, BLAKE2S_DIGESTSIZE); /* remaining iterations */ while (c > 1) { hmac_blake2s_internal (k, BLAKE2S_DIGESTSIZE, hmac); for (i = 0; i < BLAKE2S_DIGESTSIZE; i++) { u[i] ^= k[i]; } c--; } } -void derive_key_blake2s (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) +void derive_key_blake2s (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) { hmac_blake2s_ctx hmac; blake2s_state* ctx; unsigned char* buf = hmac.k; int b, l, r; #ifndef TC_WINDOWS_BOOT unsigned char key[BLAKE2S_DIGESTSIZE]; #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) NTSTATUS saveStatus = STATUS_INVALID_PARAMETER; XSTATE_SAVE SaveState; if (IsCpuIntel() && HasSAVX()) saveStatus = KeSaveExtendedProcessorStateVC(XSTATE_MASK_GSSE, &SaveState); KFLOATING_SAVE floatingPointState; if (HasSSE2()) saveStatus = KeSaveFloatingPointState (&floatingPointState); #endif /* If the password is longer than the hash algorithm block size, let pwd = blake2s(pwd), as per HMAC specifications. */ if (pwd_len > BLAKE2S_BLOCKSIZE) { blake2s_state tctx; blake2s_init (&tctx); blake2s_update (&tctx, pwd, pwd_len); blake2s_final (&tctx, key); pwd = key; pwd_len = BLAKE2S_DIGESTSIZE; burn (&tctx, sizeof(tctx)); // Prevent leaks @@ -832,87 +832,87 @@ void hmac_whirlpool /**** Precompute HMAC Inner Digest ****/ ctx = &(hmac.inner_digest_ctx); WHIRLPOOL_init (ctx); /* Pad the key for inner digest */ for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x36); memset (&buf[lk], 0x36, WHIRLPOOL_BLOCKSIZE - lk); WHIRLPOOL_add (buf, WHIRLPOOL_BLOCKSIZE, ctx); /**** Precompute HMAC Outer Digest ****/ ctx = &(hmac.outer_digest_ctx); WHIRLPOOL_init (ctx); for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x5C); memset (&buf[lk], 0x5C, WHIRLPOOL_BLOCKSIZE - lk); WHIRLPOOL_add (buf, WHIRLPOOL_BLOCKSIZE, ctx); hmac_whirlpool_internal(d, ld, &hmac); /* Prevent leaks */ burn(&hmac, sizeof(hmac)); } -static void derive_u_whirlpool (unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_whirlpool_ctx* hmac) +static void derive_u_whirlpool (const unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_whirlpool_ctx* hmac) { unsigned char* u = hmac->u; unsigned char* k = hmac->k; uint32 c, i; /* iteration 1 */ memcpy (k, salt, salt_len); /* salt */ /* big-endian block number */ b = bswap_32 (b); memcpy (&k[salt_len], &b, 4); hmac_whirlpool_internal (k, salt_len + 4, hmac); memcpy (u, k, WHIRLPOOL_DIGESTSIZE); /* remaining iterations */ for (c = 1; c < iterations; c++) { hmac_whirlpool_internal (k, WHIRLPOOL_DIGESTSIZE, hmac); for (i = 0; i < WHIRLPOOL_DIGESTSIZE; i++) { u[i] ^= k[i]; } } } -void derive_key_whirlpool (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) +void derive_key_whirlpool (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) { hmac_whirlpool_ctx hmac; WHIRLPOOL_CTX* ctx; unsigned char* buf = hmac.k; unsigned char key[WHIRLPOOL_DIGESTSIZE]; int b, l, r; /* If the password is longer than the hash algorithm block size, let pwd = whirlpool(pwd), as per HMAC specifications. */ if (pwd_len > WHIRLPOOL_BLOCKSIZE) { WHIRLPOOL_CTX tctx; WHIRLPOOL_init (&tctx); WHIRLPOOL_add (pwd, pwd_len, &tctx); WHIRLPOOL_finalize (&tctx, key); pwd = key; pwd_len = WHIRLPOOL_DIGESTSIZE; burn (&tctx, sizeof(tctx)); // Prevent leaks } if (dklen % WHIRLPOOL_DIGESTSIZE) { l = 1 + dklen / WHIRLPOOL_DIGESTSIZE; } else { l = dklen / WHIRLPOOL_DIGESTSIZE; } @@ -1026,87 +1026,87 @@ void hmac_streebog /**** Precompute HMAC Inner Digest ****/ ctx = &(hmac.inner_digest_ctx); STREEBOG_init (ctx); /* Pad the key for inner digest */ for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x36); memset (&buf[lk], 0x36, STREEBOG_BLOCKSIZE - lk); STREEBOG_add (ctx, buf, STREEBOG_BLOCKSIZE); /**** Precompute HMAC Outer Digest ****/ ctx = &(hmac.outer_digest_ctx); STREEBOG_init (ctx); for (b = 0; b < lk; ++b) buf[b] = (unsigned char) (k[b] ^ 0x5C); memset (&buf[lk], 0x5C, STREEBOG_BLOCKSIZE - lk); STREEBOG_add (ctx, buf, STREEBOG_BLOCKSIZE); hmac_streebog_internal(d, ld, &hmac); /* Prevent leaks */ burn(&hmac, sizeof(hmac)); } -static void derive_u_streebog (unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_streebog_ctx* hmac) +static void derive_u_streebog (const unsigned char *salt, int salt_len, uint32 iterations, int b, hmac_streebog_ctx* hmac) { unsigned char* u = hmac->u; unsigned char* k = hmac->k; uint32 c, i; /* iteration 1 */ memcpy (k, salt, salt_len); /* salt */ /* big-endian block number */ b = bswap_32 (b); memcpy (&k[salt_len], &b, 4); hmac_streebog_internal (k, salt_len + 4, hmac); memcpy (u, k, STREEBOG_DIGESTSIZE); /* remaining iterations */ for (c = 1; c < iterations; c++) { hmac_streebog_internal (k, STREEBOG_DIGESTSIZE, hmac); for (i = 0; i < STREEBOG_DIGESTSIZE; i++) { u[i] ^= k[i]; } } } -void derive_key_streebog (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) +void derive_key_streebog (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) { hmac_streebog_ctx hmac; STREEBOG_CTX* ctx; unsigned char* buf = hmac.k; unsigned char key[STREEBOG_DIGESTSIZE]; int b, l, r; /* If the password is longer than the hash algorithm block size, let pwd = streebog(pwd), as per HMAC specifications. */ if (pwd_len > STREEBOG_BLOCKSIZE) { STREEBOG_CTX tctx; STREEBOG_init (&tctx); STREEBOG_add (&tctx, pwd, pwd_len); STREEBOG_finalize (&tctx, key); pwd = key; pwd_len = STREEBOG_DIGESTSIZE; burn (&tctx, sizeof(tctx)); // Prevent leaks } if (dklen % STREEBOG_DIGESTSIZE) { l = 1 + dklen / STREEBOG_DIGESTSIZE; } else { l = dklen / STREEBOG_DIGESTSIZE; } |