kdf: Add experimental Balloon KDF.

* cipher/kdf.c (prng_aes_ctr_init, prng_aes_ctr_get_rand64): New.
(prng_aes_ctr_fini, ballon_context_size): New.
(balloon_open): Implement with SHA-256.
(balloon_xor_block, balloon_compress, balloon_expand): New.
(balloon_compute_fill, balloon_compute_mix, balloon_compute): New.
(balloon_compute_all, balloon_final, balloon_close): New.
(_gcry_kdf_open): Check argument for GCRY_KDF_BALLOON.
(_gcry_kdf_compute): Dispatch for GCRY_KDF_BALLOON.
(_gcry_kdf_final, _gcry_kdf_close): Likewise.
* tests/t-kdf.c (check_balloon): New.
(main): Add check_balloon.

--

GnuPG-bug-id: 5817
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

1 files changed, 118 insertions, 4 deletions

diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 4c82fed8..234bbac6 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -1451,10 +1451,10 @@ check_argon2 (void)
                        pass, 32, salt, 16, key, 8, ad, 12,
                        32, out);
   if (err)
-    fail ("argon2 test %d failed: %s\n", 0, gpg_strerror (err));
+    fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
   else if (memcmp (out, expected[count], 32))
     {
-      fail ("argon2 test %d failed: mismatch\n", 0);
+      fail ("argon2 test %d failed: mismatch\n", count*2+0);
       fputs ("got:", stderr);
       for (i=0; i < 32; i++)
         fprintf (stderr, " %02x", out[i]);
@@ -1467,10 +1467,10 @@ check_argon2 (void)
                        pass, 32, salt, 16, key, 8, ad, 12,
                        32, out);
   if (err)
-    fail ("argon2 test %d failed: %s\n", 1, gpg_strerror (err));
+    fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
   else if (memcmp (out, expected[count], 32))
     {
-      fail ("argon2 test %d failed: mismatch\n", 1);
+      fail ("argon2 test %d failed: mismatch\n", count*2+1);
       fputs ("got:", stderr);
       for (i=0; i < 32; i++)
         fprintf (stderr, " %02x", out[i]);
@@ -1490,6 +1490,119 @@ check_argon2 (void)
 }
 
 
+static void
+check_balloon (void)
+{
+  /* Two test vectors generated by the research prototype implementation.
+     $ balloon abcdefghijklmno
+     t_cost         = 1
+     s_cost         = 1024
+     p_cost         = 1
+     passwd         = abcdefghijklmno
+     Time total      : 0.0527251
+     Hashes per sec  : 18.9663
+     Output          : $balloon$v=1$s=1024,t=1,p=1
+                       $FRzqOiIuPvuoy55vGfKzyse+2f28F7m9iFHCctnEBwg=
+                       $NxOGNPyTPZzKiJjgj7H6pJDLIgR05HI7VaxJpxEao5Q=
+     $ balloon -t 12 -s 4096 -p 4 Long_sentence_used_as_passphrase
+     t_cost         = 12
+     s_cost         = 4096
+     p_cost         = 4
+     passwd         = Long_sentence_used_as_passphrase
+     Time total      : 3.70399
+     Hashes per sec  : 0.269979
+     Output          : $balloon$v=1$s=4096,t=12,p=4
+                       $8Yor74EqTwBrrdaeYeSVx0VXVAgDrsILAnJWdVUy93s=
+                       $FaNb9ofeWEggzhW9BUSODgZH5/awzNz5Adoub48+BgQ=
+   */
+  gcry_error_t err;
+  const unsigned long param[2][4] = {
+    { 1024,  1, 1 },
+    { 4096, 12, 4 }
+  };
+  const unsigned char *pass[2] = {
+    (const unsigned char *)"abcdefghijklmno",
+    (const unsigned char *)"Long_sentence_used_as_passphrase"
+  };
+  const unsigned char salt[2][32] = {
+    {
+      0x15, 0x1c, 0xea, 0x3a, 0x22, 0x2e, 0x3e, 0xfb,
+      0xa8, 0xcb, 0x9e, 0x6f, 0x19, 0xf2, 0xb3, 0xca,
+      0xc7, 0xbe, 0xd9, 0xfd, 0xbc, 0x17, 0xb9, 0xbd,
+      0x88, 0x51, 0xc2, 0x72, 0xd9, 0xc4, 0x07, 0x08
+    },
+    {
+      0xf1, 0x8a, 0x2b, 0xef, 0x81, 0x2a, 0x4f, 0x00,
+      0x6b, 0xad, 0xd6, 0x9e, 0x61, 0xe4, 0x95, 0xc7,
+      0x45, 0x57, 0x54, 0x08, 0x03, 0xae, 0xc2, 0x0b,
+      0x02, 0x72, 0x56, 0x75, 0x55, 0x32, 0xf7, 0x7b
+    }
+  };
+  const unsigned char expected[2][32] = {
+    {
+      0x37, 0x13, 0x86, 0x34, 0xfc, 0x93, 0x3d, 0x9c,
+      0xca, 0x88, 0x98, 0xe0, 0x8f, 0xb1, 0xfa, 0xa4,
+      0x90, 0xcb, 0x22, 0x04, 0x74, 0xe4, 0x72, 0x3b,
+      0x55, 0xac, 0x49, 0xa7, 0x11, 0x1a, 0xa3, 0x94
+    },
+    {
+      0x15, 0xa3, 0x5b, 0xf6, 0x87, 0xde, 0x58, 0x48,
+      0x20, 0xce, 0x15, 0xbd, 0x05, 0x44, 0x8e, 0x0e,
+      0x06, 0x47, 0xe7, 0xf6, 0xb0, 0xcc, 0xdc, 0xf9,
+      0x01, 0xda, 0x2e, 0x6f, 0x8f, 0x3e, 0x06, 0x04
+    }
+  };
+  unsigned char out[32];
+  int i;
+  int subalgo = GCRY_MD_SHA256;
+  int count = 0;
+
+ again:
+
+  if (verbose)
+    fprintf (stderr, "checking Balloon test vector %d\n", count);
+
+  err = my_kdf_derive (0,
+                       GCRY_KDF_BALLOON, subalgo, param[count], 3,
+                       pass[count], strlen ((char *)pass[count]),
+                       salt[count], 32, NULL, 0, NULL, 0,
+                       32, out);
+  if (err)
+    fail ("balloon test %d failed: %s\n", count*2+0, gpg_strerror (err));
+  else if (memcmp (out, expected[count], 32))
+    {
+      fail ("balloon test %d failed: mismatch\n", count*2+0);
+      fputs ("got:", stderr);
+      for (i=0; i < 32; i++)
+        fprintf (stderr, " %02x", out[i]);
+      putc ('\n', stderr);
+    }
+
+#ifdef HAVE_PTHREAD
+  err = my_kdf_derive (1,
+                       GCRY_KDF_BALLOON, subalgo, param[count], 3,
+                       pass[count], strlen ((char *)pass[count]),
+                       salt[count], 32, NULL, 0, NULL, 0,
+                       32, out);
+  if (err)
+    fail ("balloon test %d failed: %s\n", count*2+1, gpg_strerror (err));
+  else if (memcmp (out, expected[count], 32))
+    {
+      fail ("balloon test %d failed: mismatch\n", count*2+1);
+      fputs ("got:", stderr);
+      for (i=0; i < 32; i++)
+        fprintf (stderr, " %02x", out[i]);
+      putc ('\n', stderr);
+    }
+#endif
+
+  /* Next test vector */
+  count++;
+  if (count < 2)
+    goto again;
+}
+
+
 int
 main (int argc, char **argv)
 {
@@ -1567,6 +1680,7 @@ main (int argc, char **argv)
       check_pbkdf2 ();
       check_scrypt ();
       check_argon2 ();
+      check_balloon ();
     }
 
   return error_count ? 1 : 0;