Support for pbkdf2.

ChangeLog

+2012-09-19  Niels Möller  <nisse@lysator.liu.se>
+
+	* pbkdf2.h (PBKDF2): New macro.
+	* testsuite/pbkdf2-test.c: Use it.
+
+2012-09-12  Simon Josefsson  <simon@josefsson.org>
+
+	* NEWS: Mention addition of PBKDF2.
+	* pbkdf2.c (pbkdf2): New file and function.
+	* pbkdf2.h: Declare it.
+	* Makefile.in (nettle_SOURCES): Add pbkdf2.c.
+	(HEADERS): Add pbkdf2.h.
+	* nettle.texinfo (Key derivation functions): New section.
+	* testsuite/pbkdf2-test.c: New test case.
+	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add pbkdf2-test.c.
+	* testsuite/.test-rules.make (pbkdf2-test): New target.
+
 2012-09-16  Niels Möller  <nisse@lysator.liu.se>
 
 	* testsuite/: Overhaul of testsuite, affecting almost all files.

Makefile.in

@@ -77,6 +77,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 		 des3.c des-compat.c \
 		 hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \
 		 hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \
+		 pbkdf2.c \
 		 knuth-lfib.c \
 		 md2.c md2-meta.c md4.c md4-meta.c \
 		 md5.c md5-compress.c md5-compat.c md5-meta.c \
@@ -123,6 +124,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
 	  cbc.h ctr.h gcm.h \
 	  des.h des-compat.h dsa.h \
 	  hmac.h \
+	  pbkdf2.h \
 	  knuth-lfib.h \
 	  macros.h \
 	  md2.h md4.h \

NEWS

+NEWS for the 2.6 release
+
+	New features:
+
+	* Support for PKCS #5 PBKDF2.  Contributed by Simon Josefsson.
+          Specification in RFC 2898 and test vectors in RFC 6070.
+
 NEWS for the 2.5 release
 
 	This release includes important portability fixes for Windows

nettle.texinfo

@@ -70,6 +70,7 @@ Reference
 * Cipher functions::            
 * Cipher modes::                
 * Keyed hash functions::        
+* Key derivation functions::    
 * Public-key algorithms::       
 * Randomness::                  
 * Ascii encoding::              
@@ -199,6 +200,10 @@ implementation (in the public domain), adapted to Nettle by Simon
 Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 by
 Niels Möller. Released under the LGPL.
 
+@item PBKDF2
+The C implementation of PBKDF2 is based on earlier work for Shishi and
+GnuTLS by Simon Josefsson.  Released under the LGPL.
+
 @item SERPENT
 The implementation of the SERPENT cipher is based on the code in libgcrypt,
 copyright owned by the Free Software Foundation. Adapted to Nettle by
@@ -316,6 +321,7 @@ This chapter describes all the Nettle functions, grouped by family.
 * Cipher functions::            
 * Cipher modes::                
 * Keyed hash functions::        
+* Key derivation functions::    
 * Public-key algorithms::       
 * Randomness::                  
 * Ascii encoding::              
@@ -1852,7 +1858,7 @@ only the first @var{length} octets of the digest are written.
 
 
 
-@node Keyed hash functions, Public-key algorithms, Cipher modes, Reference
+@node Keyed hash functions, Key derivation functions, Cipher modes, Reference
 @comment  node-name,  next,  previous,  up
 @section Keyed Hash Functions
 
@@ -2102,7 +2108,40 @@ This function also resets the context for processing new messages, with
 the same key.
 @end deftypefun
 
-@node Public-key algorithms, Randomness, Keyed hash functions, Reference
+@node Key derivation functions, Public-key algorithms, Keyed hash functions, Reference
+@comment  node-name,  next,  previous,  up
+@section Key derivation Functions
+
+@cindex Key Derivation Function
+@cindex Password Based Key Derivation Function
+@cindex PKCS #5
+@cindex KDF
+@cindex PBKDF
+
+A @dfn{key derivation function} (@acronym{KDF}) is a function that from
+a given symmetric key derives other symmetric keys.  A sub-class of KDFs
+is the @dfn{password-based key derivation functions} (@acronym{PBKDFs}),
+which take as input a password or passphrase, and its purpose is
+typically to strengthen it and protect against certain pre-computation
+attacks by using salting and expensive computation.  The most well known
+PBKDF is the @code{PKCS #5 PBKDF2} described in @cite{RFC 2898} which
+uses a pseudorandom function such as @acronym{HMAC-SHA1}.
+
+Nettle's @acronym{PBKDF2} function is defined in @file{<nettle/pbkdf2.h>}.
+It contains a function:
+
+@deftypefun void pbkdf2 (void *mac_ctx, unsigned digest_size, nettle_hash_update_func *update, nettle_hash_digest_func *digest, unsigned length, uint8_t *dst, unsigned iterations, unsigned salt_length, const uint8_t *salt)
+Derive symmetric key from a password according to PKCS #5 PBKDF2.  The
+PRF is assumed to have been initialized and this function will call the
+@var{update} and @var{digest} functions passing the @var{mac_ctx}
+context parameter as an argument in order to compute digest of size
+@var{digest_size}.  Inputs are the salt @var{salt} of length
+@var{salt_length}, the iteration counter @var{iterations} (> 0), and the
+desired derived output length @var{length}.  The output buffer is
+@var{dst} which must have room for at least @var{length} octets.
+@end deftypefun
+
+@node Public-key algorithms, Randomness, Key derivation functions, Reference
 @comment  node-name,  next,  previous,  up
 @section Public-key algorithms
 

pbkdf2.c

+/* pbkdf2.c
+ *
+ * PKCS #5 password-based key derivation function PBKDF2, see RFC 2898.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2012 Simon Josefsson
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pbkdf2.h"
+
+#include "macros.h"
+#include "memxor.h"
+#include "nettle-internal.h"
+
+void
+pbkdf2 (void *mac_ctx, unsigned digest_size,
+	nettle_hash_update_func *update,
+	nettle_hash_digest_func *digest,
+	unsigned length, uint8_t *dst,
+	unsigned iterations,
+	unsigned salt_length, const uint8_t *salt)
+{
+  TMP_DECL(U, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+  TMP_DECL(T, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE);
+  
+  unsigned int u;
+  unsigned int l;
+  unsigned int r;
+  unsigned int i;
+  char tmp[4];
+
+  if (iterations == 0)
+    return;
+
+  if (length == 0)
+    return;
+
+  l = ((length - 1) / digest_size) + 1;
+  r = length - (l - 1) * digest_size;
+
+  TMP_ALLOC (U, digest_size);
+  TMP_ALLOC (T, digest_size);
+
+  for (i = 1; i <= l; i++)
+    {
+      memset (T, 0, digest_size);
+
+      for (u = 1; u <= iterations; u++)
+	{
+	  if (u == 1)
+	    {
+	      WRITE_UINT32 (tmp, i);
+
+	      update (mac_ctx, salt_length, salt);
+	      update (mac_ctx, 4, tmp);
+	    }
+	  else
+	    {
+	      update (mac_ctx, digest_size, U);
+	    }
+
+	  digest (mac_ctx, digest_size, U);
+
+	  memxor (T, U, digest_size);
+	}
+
+      memcpy (dst + (i - 1) * digest_size, T, i == l ? r : digest_size);
+    }
+}

pbkdf2.h

+/* pbkdf2.c
+ *
+ * PKCS #5 password-based key derivation function PBKDF2, see RFC 2898.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2012 Simon Josefsson
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#ifndef NETTLE_PBKDF2_H_INCLUDED
+#define NETTLE_PBKDF2_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define pbkdf2 nettle_pbkdf2
+
+void
+pbkdf2 (void *mac_ctx, unsigned digest_size,
+	nettle_hash_update_func *update,
+	nettle_hash_digest_func *digest,
+	unsigned length, uint8_t *dst,
+	unsigned iterations,
+	unsigned salt_length, const uint8_t *salt);
+
+#define PBKDF2(ctx, digest_size, update, digest,			\
+	       length, dst, iterations, salt_length, salt)		\
+  (0 ? ((update)((ctx), 0, (const uint8_t *) 0),			\
+	(digest)((ctx), 0, (uint8_t *) 0))				\
+   : pbkdf2 ((ctx), (digest_size),					\
+	     (nettle_hash_update_func *)(update),			\
+	     (nettle_hash_digest_func *)(digest),			\
+	     (length), (dst), (iterations), (salt_length), (salt)))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PBKDF2_H_INCLUDED */

testsuite/.gitignore

@@ -29,6 +29,7 @@
 /meta-armor-test
 /meta-cipher-test
 /meta-hash-test
+/pbkdf2-test
 /pkcs1-test
 /random-prime-test
 /ripemd160-test

testsuite/.test-rules.make

@@ -88,6 +88,9 @@ gcm-test$(EXEEXT): gcm-test.$(OBJEXT)
 hmac-test$(EXEEXT): hmac-test.$(OBJEXT)
 	$(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT)
 
+pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT)
+	$(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT)
+
 meta-hash-test$(EXEEXT): meta-hash-test.$(OBJEXT)
 	$(LINK) meta-hash-test.$(OBJEXT) $(TEST_OBJS) -o meta-hash-test$(EXEEXT)
 

testsuite/Makefile.in

@@ -25,7 +25,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
 		    knuth-lfib-test.c \
 		    cbc-test.c ctr-test.c gcm-test.c hmac-test.c \
 		    meta-hash-test.c meta-cipher-test.c meta-armor-test.c \
-		    buffer-test.c yarrow-test.c
+		    buffer-test.c yarrow-test.c pbkdf2-test.c
 
 TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
 		     rsa2sexp-test.c sexp2rsa-test.c \