You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
211 lines
5.7 KiB
211 lines
5.7 KiB
/** |
|
* Password-Based Key-Derivation Function #2 implementation. |
|
* |
|
* See RFC 2898 for details. |
|
* |
|
* @author Dave Longley |
|
* |
|
* Copyright (c) 2010-2013 Digital Bazaar, Inc. |
|
*/ |
|
var forge = require('./forge'); |
|
require('./hmac'); |
|
require('./md'); |
|
require('./util'); |
|
|
|
var pkcs5 = forge.pkcs5 = forge.pkcs5 || {}; |
|
|
|
var crypto; |
|
if(forge.util.isNodejs && !forge.options.usePureJavaScript) { |
|
crypto = require('crypto'); |
|
} |
|
|
|
/** |
|
* Derives a key from a password. |
|
* |
|
* @param p the password as a binary-encoded string of bytes. |
|
* @param s the salt as a binary-encoded string of bytes. |
|
* @param c the iteration count, a positive integer. |
|
* @param dkLen the intended length, in bytes, of the derived key, |
|
* (max: 2^32 - 1) * hash length of the PRF. |
|
* @param [md] the message digest (or algorithm identifier as a string) to use |
|
* in the PRF, defaults to SHA-1. |
|
* @param [callback(err, key)] presence triggers asynchronous version, called |
|
* once the operation completes. |
|
* |
|
* @return the derived key, as a binary-encoded string of bytes, for the |
|
* synchronous version (if no callback is specified). |
|
*/ |
|
module.exports = forge.pbkdf2 = pkcs5.pbkdf2 = function( |
|
p, s, c, dkLen, md, callback) { |
|
if(typeof md === 'function') { |
|
callback = md; |
|
md = null; |
|
} |
|
|
|
// use native implementation if possible and not disabled, note that |
|
// some node versions only support SHA-1, others allow digest to be changed |
|
if(forge.util.isNodejs && !forge.options.usePureJavaScript && |
|
crypto.pbkdf2 && (md === null || typeof md !== 'object') && |
|
(crypto.pbkdf2Sync.length > 4 || (!md || md === 'sha1'))) { |
|
if(typeof md !== 'string') { |
|
// default prf to SHA-1 |
|
md = 'sha1'; |
|
} |
|
p = Buffer.from(p, 'binary'); |
|
s = Buffer.from(s, 'binary'); |
|
if(!callback) { |
|
if(crypto.pbkdf2Sync.length === 4) { |
|
return crypto.pbkdf2Sync(p, s, c, dkLen).toString('binary'); |
|
} |
|
return crypto.pbkdf2Sync(p, s, c, dkLen, md).toString('binary'); |
|
} |
|
if(crypto.pbkdf2Sync.length === 4) { |
|
return crypto.pbkdf2(p, s, c, dkLen, function(err, key) { |
|
if(err) { |
|
return callback(err); |
|
} |
|
callback(null, key.toString('binary')); |
|
}); |
|
} |
|
return crypto.pbkdf2(p, s, c, dkLen, md, function(err, key) { |
|
if(err) { |
|
return callback(err); |
|
} |
|
callback(null, key.toString('binary')); |
|
}); |
|
} |
|
|
|
if(typeof md === 'undefined' || md === null) { |
|
// default prf to SHA-1 |
|
md = 'sha1'; |
|
} |
|
if(typeof md === 'string') { |
|
if(!(md in forge.md.algorithms)) { |
|
throw new Error('Unknown hash algorithm: ' + md); |
|
} |
|
md = forge.md[md].create(); |
|
} |
|
|
|
var hLen = md.digestLength; |
|
|
|
/* 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and |
|
stop. */ |
|
if(dkLen > (0xFFFFFFFF * hLen)) { |
|
var err = new Error('Derived key is too long.'); |
|
if(callback) { |
|
return callback(err); |
|
} |
|
throw err; |
|
} |
|
|
|
/* 2. Let len be the number of hLen-octet blocks in the derived key, |
|
rounding up, and let r be the number of octets in the last |
|
block: |
|
|
|
len = CEIL(dkLen / hLen), |
|
r = dkLen - (len - 1) * hLen. */ |
|
var len = Math.ceil(dkLen / hLen); |
|
var r = dkLen - (len - 1) * hLen; |
|
|
|
/* 3. For each block of the derived key apply the function F defined |
|
below to the password P, the salt S, the iteration count c, and |
|
the block index to compute the block: |
|
|
|
T_1 = F(P, S, c, 1), |
|
T_2 = F(P, S, c, 2), |
|
... |
|
T_len = F(P, S, c, len), |
|
|
|
where the function F is defined as the exclusive-or sum of the |
|
first c iterates of the underlying pseudorandom function PRF |
|
applied to the password P and the concatenation of the salt S |
|
and the block index i: |
|
|
|
F(P, S, c, i) = u_1 XOR u_2 XOR ... XOR u_c |
|
|
|
where |
|
|
|
u_1 = PRF(P, S || INT(i)), |
|
u_2 = PRF(P, u_1), |
|
... |
|
u_c = PRF(P, u_{c-1}). |
|
|
|
Here, INT(i) is a four-octet encoding of the integer i, most |
|
significant octet first. */ |
|
var prf = forge.hmac.create(); |
|
prf.start(md, p); |
|
var dk = ''; |
|
var xor, u_c, u_c1; |
|
|
|
// sync version |
|
if(!callback) { |
|
for(var i = 1; i <= len; ++i) { |
|
// PRF(P, S || INT(i)) (first iteration) |
|
prf.start(null, null); |
|
prf.update(s); |
|
prf.update(forge.util.int32ToBytes(i)); |
|
xor = u_c1 = prf.digest().getBytes(); |
|
|
|
// PRF(P, u_{c-1}) (other iterations) |
|
for(var j = 2; j <= c; ++j) { |
|
prf.start(null, null); |
|
prf.update(u_c1); |
|
u_c = prf.digest().getBytes(); |
|
// F(p, s, c, i) |
|
xor = forge.util.xorBytes(xor, u_c, hLen); |
|
u_c1 = u_c; |
|
} |
|
|
|
/* 4. Concatenate the blocks and extract the first dkLen octets to |
|
produce a derived key DK: |
|
|
|
DK = T_1 || T_2 || ... || T_len<0..r-1> */ |
|
dk += (i < len) ? xor : xor.substr(0, r); |
|
} |
|
/* 5. Output the derived key DK. */ |
|
return dk; |
|
} |
|
|
|
// async version |
|
var i = 1, j; |
|
function outer() { |
|
if(i > len) { |
|
// done |
|
return callback(null, dk); |
|
} |
|
|
|
// PRF(P, S || INT(i)) (first iteration) |
|
prf.start(null, null); |
|
prf.update(s); |
|
prf.update(forge.util.int32ToBytes(i)); |
|
xor = u_c1 = prf.digest().getBytes(); |
|
|
|
// PRF(P, u_{c-1}) (other iterations) |
|
j = 2; |
|
inner(); |
|
} |
|
|
|
function inner() { |
|
if(j <= c) { |
|
prf.start(null, null); |
|
prf.update(u_c1); |
|
u_c = prf.digest().getBytes(); |
|
// F(p, s, c, i) |
|
xor = forge.util.xorBytes(xor, u_c, hLen); |
|
u_c1 = u_c; |
|
++j; |
|
return forge.util.setImmediate(inner); |
|
} |
|
|
|
/* 4. Concatenate the blocks and extract the first dkLen octets to |
|
produce a derived key DK: |
|
|
|
DK = T_1 || T_2 || ... || T_len<0..r-1> */ |
|
dk += (i < len) ? xor : xor.substr(0, r); |
|
|
|
++i; |
|
outer(); |
|
} |
|
|
|
outer(); |
|
};
|
|
|