Skip to content

sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation. [TAKEOVER]#15199

Merged
benpicco merged 2 commits intoRIOT-OS:masterfrom
fjmolinas:pbkdf2-sha256
Nov 4, 2020
Merged

sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation. [TAKEOVER]#15199
benpicco merged 2 commits intoRIOT-OS:masterfrom
fjmolinas:pbkdf2-sha256

Conversation

@fjmolinas
Copy link
Contributor

@fjmolinas fjmolinas commented Oct 9, 2020

Contribution description

This PR rebases and fixes murdock complaints for #12211, I also fixed some issues when running the test on hardware. I took over since I can't push to the archived repository.

This add an implementation of PBKDF2 using sha256 hmac. Only one derived key length is supported (32) though it should not be hard to extend it.

Testing procedure

The testing is done with both random (with fixed seed) vectors and vectors from rfc7914.

BOARD=native make -C tests/pbkdf2/ all test -j3 --no-print-directory 
Building application "tests_pbkdf2" for "native" with MCU "native".

"make" -C /home/francisco/workspace/RIOT3/boards/native
"make" -C /home/francisco/workspace/RIOT3/boards/native/drivers
"make" -C /home/francisco/workspace/RIOT3/core
"make" -C /home/francisco/workspace/RIOT3/cpu/native
"make" -C /home/francisco/workspace/RIOT3/cpu/native/periph
"make" -C /home/francisco/workspace/RIOT3/drivers
"make" -C /home/francisco/workspace/RIOT3/drivers/periph_common
"make" -C /home/francisco/workspace/RIOT3/cpu/native/stdio_native
"make" -C /home/francisco/workspace/RIOT3/sys
"make" -C /home/francisco/workspace/RIOT3/sys/auto_init
"make" -C /home/francisco/workspace/RIOT3/sys/base64
"make" -C /home/francisco/workspace/RIOT3/sys/crypto
"make" -C /home/francisco/workspace/RIOT3/sys/hashes
"make" -C /home/francisco/workspace/RIOT3/sys/test_utils/interactive_sync
   text    data     bss     dec     hex filename
  35234     708   48228   84170   148ca /home/francisco/workspace/RIOT3/tests/pbkdf2/bin/native/tests_pbkdf2.elf
r
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
/home/francisco/workspace/RIOT3/tests/pbkdf2/bin/native/tests_pbkdf2.elf
RIOT native interrupts/signals initialized.
LED_RED_OFF
LED_GREEN_ON
RIOT native board initialized.
RIOT native hardware initialization complete.

Help: Press s to start test, r to print it is ready
READY
s
START
main(): This is RIOT! (Version: 2021.01-devel-84-gb2295-pbkdf2-sha256)
{ready}
passwd
{ready}
c2FsdA==
{ready}
1
VawEblbjCJ/sFpHCJUS2BflBhSFt3gRl5oudV8INrLw=
{ready}
Password
{ready}
TmFDbA==
{ready}
80000
TdzY9guYviGDDO5e8icB+WQaRBjQTAQUrv8Ih2s0q1Y=
{ready}

r
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
/home/francisco/workspace/RIOT3/tests/pbkdf2/bin/native/tests_pbkdf2.elf
RIOT native interrupts/signals initialized.
LED_RED_OFF
LED_GREEN_ON
RIOT native board initialized.
RIOT native hardware initialization complete.

Help: Press s to start test, r to print it is ready
READY
s
START
main(): This is RIOT! (Version: 2021.01-devel-84-g4875a-pbkdf2-sha256)
{ready}

{ready}
vdZA+wZnGtEcgDF/o7F5nQ==
{ready}
10
mkkhkWNNxh8SRegffJ3jT+/INJDwceUQ/JGGAXZJ1mg=
{ready}
:5e`t(H"
{ready}

{ready}
10
HJ8E5DsSemPdwcEcdiWsXNHUNK7FpfL6NPqE2Zl0Qho=
{ready}
4P"2]S4Wl
{ready}
YULqfRe+MREaKnPtVisPecN0We71C+pjNx7NeyfNgTBHIpOJVxqodmwwdRGyuUN6KN9uxM5KK73CQTMLAannHw==
{ready}
1
7/kTA8PIj0TXUHE4i5VCbre7T5b0sDI8JizsR8cH3Wg=
{ready}
)pYleR|CTnZqVb$5;'6):\BC39x]Y0e/D~\Tapi5#=94ys=^EvK97U8WuE4~P($*[
{ready}
d9L/Ac+ZmIwkyWGxzSJigBxFEENaEJiuQzRsEqzorjQEVMrFtow=
{ready}
20
LVbkmVr4rwFkBWxVg76nwLSh6dYmdOCuw2KTgYRkZfE=
{ready}
R|q!d`S9\*IKzs9O0vr<\Y.hSiR >!xs
{ready}
PUy/Trk+/86Iyy3U6Ag5
{ready}
12
Y2T4na5rpTpEsIViaVnINwG0R9CwhPl0ta6myAaBtIs=
{ready}
%sy(N&hh,MT9rH4Se3=~]IQ+5@W54&[5vq&6_4,xVLjl2)HH
{ready}
pWwJQfvyQFCnSNvPrGGeYw3eKaa6pLca3SRnrHeO7bM=
{ready}
15
txemIhZNx1TYOd+Z1UIpCrtPy469VTitUNNO+QX8YFU=
{ready}
BOARD=nrf52840-mdk make -C tests/pbkdf2/ flash test -j3 --no-print-directory 
main(): This is RIOT! (Version: 2021.01-devel-84-g4875a-pbkdf2-sha256)
{ready}
passwd
{ready}
c2FsdA==
{ready}
1
VawEblbjCJ/sFpHCJUS2BflBhSFt3gRl5oudV8INrLw=
{read
r
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
socat - open:/dev/riot/tty-nrf52840-mdk,b115200,echo=0,raw
Help: Press s to start test, r to print it is ready
READY
s
START
main(): This is RIOT! (Version: 2021.01-devel-84-g4875a-pbkdf2-sha256)
{ready}

{ready}
vdZA+wZnGtEcgDF/o7F5nQ==
{ready}
10
mkkhkWNNxh8SRegffJ3jT+/INJDwceUQ/JGGAXZJ1mg=
{ready}
:5e`t(H"
{ready}

{ready}
10
HJ8E5DsSemPdwcEcdiWsXNHUNK7FpfL6NPqE2Zl0Qho=
{ready}
4P"2]S4Wl
{ready}
YULqfRe+MREaKnPtVisPecN0We71C+pjNx7NeyfNgTBHIpOJVxqodmwwdRGyuUN6KN9uxM5KK73CQTMLAannHw==
{ready}
1
7/kTA8PIj0TXUHE4i5VCbre7T5b0sDI8JizsR8cH3Wg=
{ready}
)pYleR|CTnZqVb$5;'6):\BC39x]Y0e/D~\Tapi5#=94ys=^EvK97U8WuE4~P($*[
{ready}
d9L/Ac+ZmIwkyWGxzSJigBxFEENaEJiuQzRsEqzorjQEVMrFtow=
{ready}
20
LVbkmVr4rwFkBWxVg76nwLSh6dYmdOCuw2KTgYRkZfE=
{ready}
R|q!d`S9\*IKzs9O0vr<\Y.hSiR >!xs
{ready}
PUy/Trk+/86Iyy3U6Ag5
{ready}
12
Y2T4na5rpTpEsIViaVnINwG0R9CwhPl0ta6myAaBtIs=
{ready}
%sy(N&hh,MT9rH4Se3=~]IQ+5@W54&[5vq&6_4,xVLjl2)HH
{ready}
pWwJQfvyQFCnSNvPrGGeYw3eKaa6pLca3SRnrHeO7bM=
{ready}
15
txemIhZNx1TYOd+Z1UIpCrtPy469VTitUNNO+QX8YFU=
{ready}

Issues/PRs references

Taken from #12191 .
Closes #12211

@fjmolinas fjmolinas added Type: new feature The issue requests / The PR implemements a new feature for RIOT CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Area: security Area: Security-related libraries and subsystems CI: run tests If set, CI server will run tests on hardware for the labeled PR labels Oct 9, 2020
@fjmolinas fjmolinas changed the title sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation. [takeover] sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation. [TAKEOVER] Oct 9, 2020
@fjmolinas fjmolinas force-pushed the pbkdf2-sha256 branch 2 times, most recently from 7e718c2 to 9e5579b Compare October 9, 2020 16:33
@fjmolinas fjmolinas requested a review from HendrikVE October 9, 2020 16:33
benpicco
benpicco reviewed Oct 11, 2020
View reviewed changes
Copy link
Contributor

@benpicco benpicco left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, you want to add those four atmega328p boards to Makefile.ci.

Also the automatic test failed on CI. Does it work locally?

@fjmolinas
Copy link
Contributor Author

fjmolinas commented Oct 21, 2020

Also the automatic test failed on CI. Does it work locally?

It did... I'll take a look..

@fjmolinas
Copy link
Contributor Author

fjmolinas commented Oct 21, 2020

It did... I'll take a look..

Ahh its a python version issue.

fjmolinas
fjmolinas commented Oct 21, 2020
View reviewed changes
@fjmolinas
Copy link
Contributor Author

fjmolinas commented Nov 4, 2020

This time the test passed, there where only some unrelated failures

--- run_test job results (2 failed, 230 passed, 232 total):
    failed:
    tests/mtd_flashpage/samr21-xpro:llvm
    tests/pkg_libhydrogen/samr21-xpro:llvm

There was some boards that needed to be added to the insufficient memory list, as well as a typo to be fixed. Is it OK to squash @benpicco ?

@benpicco
Copy link
Contributor

benpicco commented Nov 4, 2020

Sure, please squash - but also go recommend some parameter lengths in the doc so it's clear how to use this properly

@jcarrano @fjmolinas
sys/hashes/pbkdf2: Add PBKDF2-sha256 implementation.
6266784 
This add an implementation of PBKDF2 using sha256 hmac. Only one derived
key length is supported (32) though it should not be hard to extend it.

The testing is done with both random (with fixed seed) vectors amd vectors
from rfc7914.
@jcarrano @fjmolinas
sys/hashes/pbkdf2: wipe local variables, prevents leaks.
bc8ce92 
Wipe temporary buffers and sha256 contexts so that no remnants of the
password is left on the stack

This ensures that the password is not leaked if some function reads
the stack afterwards.
@benpicco
Copy link
Contributor

benpicco commented Nov 4, 2020

Only run_test/tests/pkg_libhydrogen/samr21-xpro:llvm failed as expected.

@benpicco benpicco added CI: skip compile test If set, CI server will run only non-compile jobs, but no compile jobs or their dependent jobs CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR and removed CI: run tests If set, CI server will run tests on hardware for the labeled PR CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR labels Nov 4, 2020
@benpicco benpicco merged commit 568e1e3 into RIOT-OS:master Nov 4, 2020
@fjmolinas fjmolinas deleted the pbkdf2-sha256 branch November 4, 2020 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benpicco benpicco benpicco approved these changes

@aabadie aabadie Awaiting requested review from aabadie aabadie is a code owner

@leandrolanzieri leandrolanzieri Awaiting requested review from leandrolanzieri leandrolanzieri is a code owner

@MichelRottleuthner MichelRottleuthner Awaiting requested review from MichelRottleuthner MichelRottleuthner is a code owner

@miri64 miri64 Awaiting requested review from miri64 miri64 is a code owner

@smlng smlng Awaiting requested review from smlng

@HendrikVE HendrikVE Awaiting requested review from HendrikVE

Assignees

No one assigned

Labels

Area: security Area: Security-related libraries and subsystems CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR CI: skip compile test If set, CI server will run only non-compile jobs, but no compile jobs or their dependent jobs Type: new feature The issue requests / The PR implemements a new feature for RIOT

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fjmolinas @benpicco @jcarrano