Remove extra passphrase mixing from key derivation.

pull/2/head
Christopher Wellons 2017-03-08 10:07:29 -05:00
parent 65467d2fe3
commit ff6ac9c7ca
2 changed files with 6 additions and 14 deletions


@ -124,20 +124,15 @@ of memory (D=29) by default, and protection key derivation requires
2. Compute `HMAC_SHA256(salt, passphrase)` and write this 32-byte
result to the beginning of *M*.
3. For each uninitialized 32-byte chunk in *M*, compute the SHA-256
hash of the previous 32-byte chunk concatenated with the
passphrase.
hash of the previous 32-byte chunk.
4. Initialize a byte pointer *P* to the last 32-byte chunk of *M*.
5. Compute the SHA-256 of the 32 bytes at *P* concatenated with the
passphrase.
6. Overwrite the memory at *P* with this new hash value.
7. Take the first *D* bits of this hash and use this value to set a
new *P* pointing elsewhere into *M*.
5. Compute the SHA-256 hash, *H*, of the 32 bytes at *P*.
6. Overwrite the memory at *P* with *H*.
7. Take the first *D* bits of *H* and use this value to set a new *P*
pointing into *M*.
8. Repeat from step 5 `1 << (D - 5)` times.
9. *P* points to the result.
The passphrase is always concatenated on the end so that the hash
context can't be precomputed.
## Compilation
To build on any unix-like system, run `make`. The resulting binary has


@ -374,7 +374,6 @@ static void
key_derive(const char *passphrase, u8 *buf, int iexp, const u8 *salt)
{
static const u8 empty[8] = {0};
size_t len = strlen(passphrase);
SHA256_CTX ctx[1];
unsigned long i;
unsigned long memlen = 1UL << iexp;
@ -389,7 +388,7 @@ key_derive(const char *passphrase, u8 *buf, int iexp, const u8 *salt)
if (!salt)
salt = empty;
hmac_init(ctx, salt);
sha256_update(ctx, (u8 *)passphrase, len);
sha256_update(ctx, (u8 *)passphrase, strlen(passphrase));
hmac_final(ctx, salt, memory);
for (p = memory + SHA256_BLOCK_SIZE;
@ -397,7 +396,6 @@ key_derive(const char *passphrase, u8 *buf, int iexp, const u8 *salt)
p += SHA256_BLOCK_SIZE) {
sha256_init(ctx);
sha256_update(ctx, p - SHA256_BLOCK_SIZE, SHA256_BLOCK_SIZE);
sha256_update(ctx, (u8 *)passphrase, len);
sha256_final(ctx, p);
}
@ -406,7 +404,6 @@ key_derive(const char *passphrase, u8 *buf, int iexp, const u8 *salt)
unsigned long offset;
sha256_init(ctx);
sha256_update(ctx, memptr, SHA256_BLOCK_SIZE);
sha256_update(ctx, (u8 *)passphrase, len);
sha256_final(ctx, memptr);
offset = ((unsigned long)memptr[3] << 24 |
(unsigned long)memptr[2] << 16 |