author | lloyd <[email protected]> | 2010-08-21 20:02:19 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-08-21 20:02:19 +0000 |
commit | d34c9569af1c230c3ee52cef18aadf7d10bdf563 (patch) | |
tree | 51554cedf99989c5bb59e64a9d35f4af712dad17 | |
parent | 50a545ebbfb9695159fbd607372a28798db1f413 (diff) |
Turns out OpenSSL's implementation of PBKDF2 allows empty passphrases,
so for compatibility with keys that were encrypted with an empty
passphrase we probably want to support it as well.
In PBKDF2, don't reject empty passphrases out of hand; simply call
set_key and if the underlying MAC cannot use the key, throw an
informative exception. This will also be more helpful in the case that
someone tries using another MAC (say, CMAC) with a block cipher that
only supports keys of specific sizes.
In HMAC, allow zero-length keys. This is not really optimal in the
sense of allowing the user to do something dumb, but a 1 byte key
would be pretty dumb as well and we already allowed that.
Add a test vector using an empty passphrase generated by OpenSSL
-rw-r--r-- | checks/validate.dat | 4 | ||||
-rw-r--r-- | doc/log.txt | 1 | ||||
-rw-r--r-- | src/mac/hmac/hmac.cpp | 2 | ||||
-rw-r--r-- | src/pbkdf/pbkdf2/pbkdf2.cpp | 15 |
4 files changed, 16 insertions, 6 deletions
diff --git a/checks/validate.dat b/checks/validate.dat index cea1f18fc..594f7ed2f 100644 --- a/checks/validate.dat +++ b/checks/validate.dat @@ -60624,6 +60624,10 @@ CCFC44C09339040E55D3F7F76CA6EF838FDE928717241DEB9AC1A4EF45A27711:20:2001 BC8BC53D4604977C3ADB1D19C15E87B77A84C2F6:14:10000 [PBKDF2(SHA-1)] +:\ +59B2B1143B4CB1059EC58D9722FB1C72471E0D85C6F7543BA5228526375B0127:\ +0001020304050607:32:10000 + 6A79756571677872736367676C707864796B6366:\ DF6D9D72872404BF73E708CF3B7D:\ 9B56E55328A4C97A250738F8DBA1B992E8A1B508:14:10000 diff --git a/doc/log.txt b/doc/log.txt index 7f7076a4b..f0982039d 100644 --- a/doc/log.txt +++ b/doc/log.txt @@ -2,6 +2,7 @@ * 1.9.11-dev, ????-??-?? - Switch default PKCS #8 encryption algorithm from AES-128 to AES-256 - Use smaller tables in the first round of AES + - Allow using PBKDF2 with empty passphrases * 1.9.10, 2010-08-12 - Add a constant time AES implementation using SSSE3 diff --git a/src/mac/hmac/hmac.cpp b/src/mac/hmac/hmac.cpp index f69504c82..0d5c99702 100644 --- a/src/mac/hmac/hmac.cpp +++ b/src/mac/hmac/hmac.cpp @@ -86,7 +86,7 @@ MessageAuthenticationCode* HMAC::clone() const */ HMAC::HMAC(HashFunction* hash_in) : MessageAuthenticationCode(hash_in->OUTPUT_LENGTH, - 1, 2*hash_in->HASH_BLOCK_SIZE), + 0, 2*hash_in->HASH_BLOCK_SIZE), hash(hash_in) { if(hash->HASH_BLOCK_SIZE == 0) diff --git a/src/pbkdf/pbkdf2/pbkdf2.cpp b/src/pbkdf/pbkdf2/pbkdf2.cpp index e88a5749a..6f6a514f8 100644 --- a/src/pbkdf/pbkdf2/pbkdf2.cpp +++ b/src/pbkdf/pbkdf2/pbkdf2.cpp 
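Review bot: In the hmac.cpp hunk, changing the second base-class constructor argument from `1` to `0` lowers the minimum key length for every HMAC user, not only PBKDF2. A caller that ends up with an empty key through a bug elsewhere would now get a valid-looking tag, where it presumably got a key-length error from set_key before. The commit message accepts this trade-off, but nothing in the code records it. I would add a comment above the initializer, for example `// min key length 0: lets PBKDF2 accept empty passphrases (OpenSSL compat); callers authenticating data must enforce their own minimum`. The constructor body continues outside the hunk.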
@@ -22,11 +22,16 @@ OctetString PKCS5_PBKDF2::derive_key(u32bit key_len, if(iterations == 0) throw Invalid_Argument("PKCS#5 PBKDF2: Invalid iteration count"); - if(passphrase.length() == 0) - throw Invalid_Argument("PKCS#5 PBKDF2: Empty passphrase is invalid"); - - mac->set_key(reinterpret_cast<const byte*>(passphrase.data()), - passphrase.length()); + try + { + mac->set_key(reinterpret_cast<const byte*>(passphrase.data()), + passphrase.length()); + } + catch(Invalid_Key_Length) + { + throw Exception(name() + " cannot accept passphrases of length " + + to_string(passphrase.length())); + } SecureVector<byte> key(key_len); |
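Review bot: The new handler `catch(Invalid_Key_Length)` takes the exception by value and rethrows a plain `Exception`, whereas the removed check threw `Invalid_Argument`. A caller that catches `Invalid_Argument` for a rejected passphrase would miss this failure, assuming `Exception` is the broader base type. I would catch by reference and keep the argument-error type: `catch(const Invalid_Key_Length&)` with `throw Invalid_Argument(name() + " cannot accept passphrases of length " + to_string(passphrase.length()));`. The message also puts the passphrase length into the exception text, which may end up in logs, so it is worth deciding whether the length needs to be reported at all. The body of derive_key starts and ends outside the hunk.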