mirror of
https://github.com/octoleo/restic.git
synced 2024-11-01 03:12:31 +00:00
171 lines
5.5 KiB
Go
171 lines
5.5 KiB
Go
// Copyright 2015 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package pkcs12
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha1"
|
|
"math/big"
|
|
)
|
|
|
|
var (
|
|
one = big.NewInt(1)
|
|
)
|
|
|
|
// sha1Sum returns the SHA-1 hash of in.
|
|
func sha1Sum(in []byte) []byte {
|
|
sum := sha1.Sum(in)
|
|
return sum[:]
|
|
}
|
|
|
|
// fillWithRepeats returns v*ceiling(len(pattern) / v) bytes consisting of
|
|
// repeats of pattern.
|
|
func fillWithRepeats(pattern []byte, v int) []byte {
|
|
if len(pattern) == 0 {
|
|
return nil
|
|
}
|
|
outputLen := v * ((len(pattern) + v - 1) / v)
|
|
return bytes.Repeat(pattern, (outputLen+len(pattern)-1)/len(pattern))[:outputLen]
|
|
}
|
|
|
|
func pbkdf(hash func([]byte) []byte, u, v int, salt, password []byte, r int, ID byte, size int) (key []byte) {
|
|
// implementation of https://tools.ietf.org/html/rfc7292#appendix-B.2 , RFC text verbatim in comments
|
|
|
|
// Let H be a hash function built around a compression function f:
|
|
|
|
// Z_2^u x Z_2^v -> Z_2^u
|
|
|
|
// (that is, H has a chaining variable and output of length u bits, and
|
|
// the message input to the compression function of H is v bits). The
|
|
// values for u and v are as follows:
|
|
|
|
// HASH FUNCTION VALUE u VALUE v
|
|
// MD2, MD5 128 512
|
|
// SHA-1 160 512
|
|
// SHA-224 224 512
|
|
// SHA-256 256 512
|
|
// SHA-384 384 1024
|
|
// SHA-512 512 1024
|
|
// SHA-512/224 224 1024
|
|
// SHA-512/256 256 1024
|
|
|
|
// Furthermore, let r be the iteration count.
|
|
|
|
// We assume here that u and v are both multiples of 8, as are the
|
|
// lengths of the password and salt strings (which we denote by p and s,
|
|
// respectively) and the number n of pseudorandom bits required. In
|
|
// addition, u and v are of course non-zero.
|
|
|
|
// For information on security considerations for MD5 [19], see [25] and
|
|
// [1], and on those for MD2, see [18].
|
|
|
|
// The following procedure can be used to produce pseudorandom bits for
|
|
// a particular "purpose" that is identified by a byte called "ID".
|
|
// This standard specifies 3 different values for the ID byte:
|
|
|
|
// 1. If ID=1, then the pseudorandom bits being produced are to be used
|
|
// as key material for performing encryption or decryption.
|
|
|
|
// 2. If ID=2, then the pseudorandom bits being produced are to be used
|
|
// as an IV (Initial Value) for encryption or decryption.
|
|
|
|
// 3. If ID=3, then the pseudorandom bits being produced are to be used
|
|
// as an integrity key for MACing.
|
|
|
|
// 1. Construct a string, D (the "diversifier"), by concatenating v/8
|
|
// copies of ID.
|
|
var D []byte
|
|
for i := 0; i < v; i++ {
|
|
D = append(D, ID)
|
|
}
|
|
|
|
// 2. Concatenate copies of the salt together to create a string S of
|
|
// length v(ceiling(s/v)) bits (the final copy of the salt may be
|
|
// truncated to create S). Note that if the salt is the empty
|
|
// string, then so is S.
|
|
|
|
S := fillWithRepeats(salt, v)
|
|
|
|
// 3. Concatenate copies of the password together to create a string P
|
|
// of length v(ceiling(p/v)) bits (the final copy of the password
|
|
// may be truncated to create P). Note that if the password is the
|
|
// empty string, then so is P.
|
|
|
|
P := fillWithRepeats(password, v)
|
|
|
|
// 4. Set I=S||P to be the concatenation of S and P.
|
|
I := append(S, P...)
|
|
|
|
// 5. Set c=ceiling(n/u).
|
|
c := (size + u - 1) / u
|
|
|
|
// 6. For i=1, 2, ..., c, do the following:
|
|
A := make([]byte, c*20)
|
|
var IjBuf []byte
|
|
for i := 0; i < c; i++ {
|
|
// A. Set A2=H^r(D||I). (i.e., the r-th hash of D||1,
|
|
// H(H(H(... H(D||I))))
|
|
Ai := hash(append(D, I...))
|
|
for j := 1; j < r; j++ {
|
|
Ai = hash(Ai)
|
|
}
|
|
copy(A[i*20:], Ai[:])
|
|
|
|
if i < c-1 { // skip on last iteration
|
|
// B. Concatenate copies of Ai to create a string B of length v
|
|
// bits (the final copy of Ai may be truncated to create B).
|
|
var B []byte
|
|
for len(B) < v {
|
|
B = append(B, Ai[:]...)
|
|
}
|
|
B = B[:v]
|
|
|
|
// C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit
|
|
// blocks, where k=ceiling(s/v)+ceiling(p/v), modify I by
|
|
// setting I_j=(I_j+B+1) mod 2^v for each j.
|
|
{
|
|
Bbi := new(big.Int).SetBytes(B)
|
|
Ij := new(big.Int)
|
|
|
|
for j := 0; j < len(I)/v; j++ {
|
|
Ij.SetBytes(I[j*v : (j+1)*v])
|
|
Ij.Add(Ij, Bbi)
|
|
Ij.Add(Ij, one)
|
|
Ijb := Ij.Bytes()
|
|
// We expect Ijb to be exactly v bytes,
|
|
// if it is longer or shorter we must
|
|
// adjust it accordingly.
|
|
if len(Ijb) > v {
|
|
Ijb = Ijb[len(Ijb)-v:]
|
|
}
|
|
if len(Ijb) < v {
|
|
if IjBuf == nil {
|
|
IjBuf = make([]byte, v)
|
|
}
|
|
bytesShort := v - len(Ijb)
|
|
for i := 0; i < bytesShort; i++ {
|
|
IjBuf[i] = 0
|
|
}
|
|
copy(IjBuf[bytesShort:], Ijb)
|
|
Ijb = IjBuf
|
|
}
|
|
copy(I[j*v:(j+1)*v], Ijb)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
// 7. Concatenate A_1, A_2, ..., A_c together to form a pseudorandom
|
|
// bit string, A.
|
|
|
|
// 8. Use the first n bits of A as the output of this entire process.
|
|
return A[:size]
|
|
|
|
// If the above process is being used to generate a DES key, the process
|
|
// should be used to create 64 random bits, and the key's parity bits
|
|
// should be set after the 64 bits have been produced. Similar concerns
|
|
// hold for 2-key and 3-key triple-DES keys, for CDMF keys, and for any
|
|
// similar keys with parity bits "built into them".
|
|
}
|