| blob | 0ee3bf601d57ea2ffab9b97e8e7899663621dfca |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto_s2k.c
9 *
10 * \brief Functions for deriving keys from human-readable passphrases.
11 */
13 #define CRYPTO_S2K_PRIVATE
25 #ifdef ENABLE_OPENSSL
26 #include <openssl/evp.h>
27 #endif
28 #ifdef ENABLE_NSS
29 #include <pk11pub.h>
30 #endif
32 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
33 #define HAVE_SCRYPT
34 #include <libscrypt.h>
35 #endif
37 #include <string.h>
39 /* Encoded secrets take the form:
41 u8 type;
42 u8 salt_and_parameters[depends on type];
43 u8 key[depends on type];
45 As a special case, if the encoded secret is exactly 29 bytes long,
46 type 0 is understood.
48 Recognized types are:
49 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
50 salt_and_parameters is 8 bytes random salt,
51 1 byte iteration info.
52 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
53 salt_and_parameters is 16 bytes random salt,
54 1 byte iteration info.
55 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
56 32 bytes.
57 salt_and_parameters is 18 bytes random salt, 2 bytes iteration
58 info.
59 */
61 #define S2K_TYPE_RFC2440 0
62 #define S2K_TYPE_PBKDF2 1
63 #define S2K_TYPE_SCRYPT 2
65 #define PBKDF2_SPEC_LEN 17
66 #define PBKDF2_KEY_LEN 20
68 #define SCRYPT_SPEC_LEN 18
69 #define SCRYPT_KEY_LEN 32
71 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
72 * specifier part of it, without the prefix type byte. Return -1 if it is not
73 * a valid algorithm ID. */
74 static int
76 {
86 }
87 }
89 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
90 * its preferred output. */
91 static int
93 {
101 // LCOV_EXCL_START
105 // LCOV_EXCL_STOP
106 }
107 }
109 /** Given a specifier in <b>spec_and_key</b> of length
110 * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
111 * with a key if <b>key_included</b> is true, check whether the whole
112 * specifier-and-key is of valid length, and return the algorithm type if it
113 * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
114 * legacy specifier. Return an error code on failure.
115 */
116 static int
119 {
130 }
145 }
149 else
151 }
153 /**
154 * Write a new random s2k specifier of type <b>type</b>, without prefixing
155 * type byte, to <b>spec_out</b>, which must have enough room. May adjust
156 * parameter choice based on <b>flags</b>.
157 */
158 static int
160 {
168 /* Hash 64 k of data. */
172 /* 131 K iterations */
177 /* N = 1<<12 */
180 /* N = 1<<15 */
182 }
183 /* r = 8; p = 2. */
186 // LCOV_EXCL_START - we should have returned above.
190 // LCOV_EXCL_STOP
191 }
194 }
196 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
197 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
198 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
199 * are a salt; the 9th byte describes how much iteration to do.
200 * If <b>key_out_len</b> > DIGEST_LEN, use HDKF to expand the result.
201 */
202 void
205 {
213 #define EXPBIAS 6
216 #undef EXPBIAS
231 }
232 }
242 }
247 }
249 /**
250 * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
251 * whose length must be correct, and given a secret passphrase <b>secret</b>
252 * of length <b>secret_len</b>, compute the key and store it into
253 * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
254 * bytes. Return the number of bytes written on success and an error code
255 * on failure.
256 */
257 STATIC int
262 {
280 #ifdef ENABLE_OPENSSL
306 alg,
309 NULL);
322 nss_pbkdf_err:
329 }
332 #ifdef HAVE_SCRYPT
354 }
357 }
358 }
360 /**
361 * Given a specifier previously constructed with secret_to_key_make_specifier
362 * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
363 * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
364 * bytes of cryptographic material in <b>key_out</b>. The native output of
365 * the secret-to-key function will be truncated if key_out_len is short, and
366 * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
367 * and an error code on failure.
368 */
369 int
373 {
380 #ifndef HAVE_SCRYPT
383 #endif
388 }
394 else
396 }
398 /**
399 * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
400 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
401 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
402 * number of bytes used on success and an error code on failure.
403 */
404 int
406 {
409 #ifdef HAVE_SCRYPT
411 #else
413 #endif
429 else
431 }
433 /**
434 * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
435 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
436 * hash along with salt and hashing parameters into <b>buf</b>. Up to
437 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
438 * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
439 * and return an error code on failure.
440 */
441 int
447 {
476 }
478 /**
479 * Given a hashed passphrase in <b>spec_and_key</b> of length
480 * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
481 * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
482 * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
483 * doesn't match this secret, and another error code on other errors.
484 */
485 int
488 {
501 spec_and_key++;
502 spec_and_key_len--;
503 }
519 else
522 done:
525 }