1 | /**
|
2 | * Password-Based Key-Derivation Function #2 implementation.
|
3 | *
|
4 | * See RFC 2898 for details.
|
5 | *
|
6 | * @author Dave Longley
|
7 | *
|
8 | * Copyright (c) 2010-2013 Digital Bazaar, Inc.
|
9 | */
|
10 | var forge = require('./forge');
|
11 | require('./hmac');
|
12 | require('./md');
|
13 | require('./util');
|
14 |
|
15 | var pkcs5 = forge.pkcs5 = forge.pkcs5 || {};
|
16 |
|
17 | var crypto;
|
18 | if(forge.util.isNodejs && !forge.options.usePureJavaScript) {
|
19 | crypto = require('crypto');
|
20 | }
|
21 |
|
22 | /**
|
23 | * Derives a key from a password.
|
24 | *
|
25 | * @param p the password as a binary-encoded string of bytes.
|
26 | * @param s the salt as a binary-encoded string of bytes.
|
27 | * @param c the iteration count, a positive integer.
|
28 | * @param dkLen the intended length, in bytes, of the derived key,
|
29 | * (max: 2^32 - 1) * hash length of the PRF.
|
30 | * @param [md] the message digest (or algorithm identifier as a string) to use
|
31 | * in the PRF, defaults to SHA-1.
|
32 | * @param [callback(err, key)] presence triggers asynchronous version, called
|
33 | * once the operation completes.
|
34 | *
|
35 | * @return the derived key, as a binary-encoded string of bytes, for the
|
36 | * synchronous version (if no callback is specified).
|
37 | */
|
38 | module.exports = forge.pbkdf2 = pkcs5.pbkdf2 = function(
|
39 | p, s, c, dkLen, md, callback) {
|
40 | if(typeof md === 'function') {
|
41 | callback = md;
|
42 | md = null;
|
43 | }
|
44 |
|
45 | // use native implementation if possible and not disabled, note that
|
46 | // some node versions only support SHA-1, others allow digest to be changed
|
47 | if(forge.util.isNodejs && !forge.options.usePureJavaScript &&
|
48 | crypto.pbkdf2 && (md === null || typeof md !== 'object') &&
|
49 | (crypto.pbkdf2Sync.length > 4 || (!md || md === 'sha1'))) {
|
50 | if(typeof md !== 'string') {
|
51 | // default prf to SHA-1
|
52 | md = 'sha1';
|
53 | }
|
54 | p = Buffer.from(p, 'binary');
|
55 | s = Buffer.from(s, 'binary');
|
56 | if(!callback) {
|
57 | if(crypto.pbkdf2Sync.length === 4) {
|
58 | return crypto.pbkdf2Sync(p, s, c, dkLen).toString('binary');
|
59 | }
|
60 | return crypto.pbkdf2Sync(p, s, c, dkLen, md).toString('binary');
|
61 | }
|
62 | if(crypto.pbkdf2Sync.length === 4) {
|
63 | return crypto.pbkdf2(p, s, c, dkLen, function(err, key) {
|
64 | if(err) {
|
65 | return callback(err);
|
66 | }
|
67 | callback(null, key.toString('binary'));
|
68 | });
|
69 | }
|
70 | return crypto.pbkdf2(p, s, c, dkLen, md, function(err, key) {
|
71 | if(err) {
|
72 | return callback(err);
|
73 | }
|
74 | callback(null, key.toString('binary'));
|
75 | });
|
76 | }
|
77 |
|
78 | if(typeof md === 'undefined' || md === null) {
|
79 | // default prf to SHA-1
|
80 | md = 'sha1';
|
81 | }
|
82 | if(typeof md === 'string') {
|
83 | if(!(md in forge.md.algorithms)) {
|
84 | throw new Error('Unknown hash algorithm: ' + md);
|
85 | }
|
86 | md = forge.md[md].create();
|
87 | }
|
88 |
|
89 | var hLen = md.digestLength;
|
90 |
|
91 | /* 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
|
92 | stop. */
|
93 | if(dkLen > (0xFFFFFFFF * hLen)) {
|
94 | var err = new Error('Derived key is too long.');
|
95 | if(callback) {
|
96 | return callback(err);
|
97 | }
|
98 | throw err;
|
99 | }
|
100 |
|
101 | /* 2. Let len be the number of hLen-octet blocks in the derived key,
|
102 | rounding up, and let r be the number of octets in the last
|
103 | block:
|
104 |
|
105 | len = CEIL(dkLen / hLen),
|
106 | r = dkLen - (len - 1) * hLen. */
|
107 | var len = Math.ceil(dkLen / hLen);
|
108 | var r = dkLen - (len - 1) * hLen;
|
109 |
|
110 | /* 3. For each block of the derived key apply the function F defined
|
111 | below to the password P, the salt S, the iteration count c, and
|
112 | the block index to compute the block:
|
113 |
|
114 | T_1 = F(P, S, c, 1),
|
115 | T_2 = F(P, S, c, 2),
|
116 | ...
|
117 | T_len = F(P, S, c, len),
|
118 |
|
119 | where the function F is defined as the exclusive-or sum of the
|
120 | first c iterates of the underlying pseudorandom function PRF
|
121 | applied to the password P and the concatenation of the salt S
|
122 | and the block index i:
|
123 |
|
124 | F(P, S, c, i) = u_1 XOR u_2 XOR ... XOR u_c
|
125 |
|
126 | where
|
127 |
|
128 | u_1 = PRF(P, S || INT(i)),
|
129 | u_2 = PRF(P, u_1),
|
130 | ...
|
131 | u_c = PRF(P, u_{c-1}).
|
132 |
|
133 | Here, INT(i) is a four-octet encoding of the integer i, most
|
134 | significant octet first. */
|
135 | var prf = forge.hmac.create();
|
136 | prf.start(md, p);
|
137 | var dk = '';
|
138 | var xor, u_c, u_c1;
|
139 |
|
140 | // sync version
|
141 | if(!callback) {
|
142 | for(var i = 1; i <= len; ++i) {
|
143 | // PRF(P, S || INT(i)) (first iteration)
|
144 | prf.start(null, null);
|
145 | prf.update(s);
|
146 | prf.update(forge.util.int32ToBytes(i));
|
147 | xor = u_c1 = prf.digest().getBytes();
|
148 |
|
149 | // PRF(P, u_{c-1}) (other iterations)
|
150 | for(var j = 2; j <= c; ++j) {
|
151 | prf.start(null, null);
|
152 | prf.update(u_c1);
|
153 | u_c = prf.digest().getBytes();
|
154 | // F(p, s, c, i)
|
155 | xor = forge.util.xorBytes(xor, u_c, hLen);
|
156 | u_c1 = u_c;
|
157 | }
|
158 |
|
159 | /* 4. Concatenate the blocks and extract the first dkLen octets to
|
160 | produce a derived key DK:
|
161 |
|
162 | DK = T_1 || T_2 || ... || T_len<0..r-1> */
|
163 | dk += (i < len) ? xor : xor.substr(0, r);
|
164 | }
|
165 | /* 5. Output the derived key DK. */
|
166 | return dk;
|
167 | }
|
168 |
|
169 | // async version
|
170 | var i = 1, j;
|
171 | function outer() {
|
172 | if(i > len) {
|
173 | // done
|
174 | return callback(null, dk);
|
175 | }
|
176 |
|
177 | // PRF(P, S || INT(i)) (first iteration)
|
178 | prf.start(null, null);
|
179 | prf.update(s);
|
180 | prf.update(forge.util.int32ToBytes(i));
|
181 | xor = u_c1 = prf.digest().getBytes();
|
182 |
|
183 | // PRF(P, u_{c-1}) (other iterations)
|
184 | j = 2;
|
185 | inner();
|
186 | }
|
187 |
|
188 | function inner() {
|
189 | if(j <= c) {
|
190 | prf.start(null, null);
|
191 | prf.update(u_c1);
|
192 | u_c = prf.digest().getBytes();
|
193 | // F(p, s, c, i)
|
194 | xor = forge.util.xorBytes(xor, u_c, hLen);
|
195 | u_c1 = u_c;
|
196 | ++j;
|
197 | return forge.util.setImmediate(inner);
|
198 | }
|
199 |
|
200 | /* 4. Concatenate the blocks and extract the first dkLen octets to
|
201 | produce a derived key DK:
|
202 |
|
203 | DK = T_1 || T_2 || ... || T_len<0..r-1> */
|
204 | dk += (i < len) ? xor : xor.substr(0, r);
|
205 |
|
206 | ++i;
|
207 | outer();
|
208 | }
|
209 |
|
210 | outer();
|
211 | };
|