1 /*
2  *  Copyright (c) 2016, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /**
30  * @file
31  *   This file implements PBKDF2 using AES-CMAC-PRF-128
32  */
33 
34 #include "pbkdf2_cmac.hpp"
35 
36 #include <mbedtls/cmac.h>
37 #include <string.h>
38 
39 #include "common/debug.hpp"
40 
41 namespace ot {
42 namespace Crypto {
43 namespace Pbkdf2 {
44 
45 #if OPENTHREAD_FTD
46 
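/**
 * Derives a key with PBKDF2, using AES-CMAC-PRF-128 as the pseudorandom function.
 *
 * Output is produced one block of kBlockSize bytes at a time. For each block the function computes
 * U_1 = PRF(password, salt || INT(blockCounter)), chains U_k = PRF(password, U_{k-1}) and XORs all
 * U values together. The U values are evaluated two per loop pass, which is why the iteration count
 * must be even.
 *
 * @param[in]  aPassword          Password bytes, passed to the PRF as its key.
 * @param[in]  aPasswordLen       Length of @p aPassword in bytes.
 * @param[in]  aSalt              Salt bytes.
 * @param[in]  aSaltLen           Length of @p aSalt in bytes; must not exceed kMaxSaltLength.
 * @param[in]  aIterationCounter  Number of PRF iterations per block; must be even. U_1 and U_2 are always
 *                                computed, so a value of 0 produces the same output as 2.
 * @param[in]  aKeyLen            Number of key bytes to write to @p aKey.
 * @param[out] aKey               Output buffer holding at least @p aKeyLen bytes.
 */
void GenerateKey(const uint8_t *aPassword,
                 uint16_t       aPasswordLen,
                 const uint8_t *aSalt,
                 uint16_t       aSaltLen,
                 uint32_t       aIterationCounter,
                 uint16_t       aKeyLen,
                 uint8_t *      aKey)
{
    // NOTE(review): the PRF is given kBlockSize-byte output buffers; this assumes
    // MBEDTLS_CIPHER_BLKSIZE_MAX is at least the PRF output size -- TODO confirm for the mbedTLS config in use.
    const size_t kBlockSize = MBEDTLS_CIPHER_BLKSIZE_MAX;
    uint8_t      prfInput[kMaxSaltLength + 4]; // Salt || INT(), for U1 calculation
    // Blocks are stored as arrays of long so the XOR accumulation below runs a word at a time.
    long         prfOne[kBlockSize / sizeof(long)];
    long         prfTwo[kBlockSize / sizeof(long)];
    long         keyBlock[kBlockSize / sizeof(long)];
    uint32_t     blockCounter = 0;
    uint8_t *    key          = aKey;
    uint16_t     keyLen       = aKeyLen;
    uint16_t     useLen       = 0;

    // prfInput is a fixed-size stack buffer. A salt longer than kMaxSaltLength would overrun it, both in
    // the memcpy below and in the four block-counter bytes written after the salt, so reject it first.
    // NOTE(review): this protects only builds in which OT_ASSERT is active; its definition is not visible
    // here, so callers passing externally supplied salts should also validate the length.
    OT_ASSERT(aSaltLen <= kMaxSaltLength);
    OT_ASSERT(aIterationCounter % 2 == 0);

    memcpy(prfInput, aSalt, aSaltLen);

    // Each pass of the inner loop evaluates two PRF iterations.
    aIterationCounter /= 2;

#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    // limit iterations to avoid OSS-Fuzz timeouts
    aIterationCounter = 2;
#endif

    // NOTE(review): the return value of mbedtls_aes_cmac_prf_128() is ignored at every call below. If a
    // call fails, its output buffer may be left unwritten and would still be folded into aKey.
    while (keyLen)
    {
        // INT(blockCounter): 32-bit big-endian block index appended to the salt; the first block is 1.
        ++blockCounter;
        prfInput[aSaltLen + 0] = static_cast<uint8_t>(blockCounter >> 24);
        prfInput[aSaltLen + 1] = static_cast<uint8_t>(blockCounter >> 16);
        prfInput[aSaltLen + 2] = static_cast<uint8_t>(blockCounter >> 8);
        prfInput[aSaltLen + 3] = static_cast<uint8_t>(blockCounter);

        // Calculate U_1
        mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, prfInput, aSaltLen + 4,
                                 reinterpret_cast<uint8_t *>(keyBlock));

        // Calculate U_2
        mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(keyBlock), kBlockSize,
                                 reinterpret_cast<uint8_t *>(prfOne));

        // keyBlock = U_1 ^ U_2
        for (uint32_t j = 0; j < kBlockSize / sizeof(long); ++j)
        {
            keyBlock[j] ^= prfOne[j];
        }

        for (uint32_t i = 1; i < aIterationCounter; ++i)
        {
            // Calculate U_{2 * i - 1}
            mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(prfOne), kBlockSize,
                                     reinterpret_cast<uint8_t *>(prfTwo));
            // Calculate U_{2 * i}
            mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(prfTwo), kBlockSize,
                                     reinterpret_cast<uint8_t *>(prfOne));

            for (uint32_t j = 0; j < kBlockSize / sizeof(long); ++j)
            {
                keyBlock[j] ^= prfOne[j] ^ prfTwo[j];
            }
        }

        // The final block may be partial: copy only as many bytes as the caller still needs.
        useLen = (keyLen < kBlockSize) ? keyLen : kBlockSize;
        memcpy(key, keyBlock, useLen);
        key += useLen;
        keyLen -= useLen;
    }

    // NOTE(review): keyBlock, prfOne and prfTwo hold derived key material and are not cleared before
    // returning; consider wiping them with the project's secure-zeroing helper, if one is available.
}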
116 
117 #endif // OPENTHREAD_FTD
118 
119 } // namespace Pbkdf2
120 } // namespace Crypto
121 } // namespace ot
122