| blob | 99f3b2ebbcaf3697fd4d5357e614556bfdec0915 |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2015, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 #define CRYPTO_S2K_PRIVATE
14 #include <openssl/evp.h>
16 #ifdef HAVE_LIBSCRYPT_H
17 #define HAVE_SCRYPT
18 #include <libscrypt.h>
19 #endif
21 /* Encoded secrets take the form:
23 u8 type;
24 u8 salt_and_parameters[depends on type];
25 u8 key[depends on type];
27 As a special case, if the encoded secret is exactly 29 bytes long,
28 type 0 is understood.
30 Recognized types are:
31 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
32 salt_and_parameters is 8 bytes random salt,
33 1 byte iteration info.
34 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
35 salt_and_parameters is 16 bytes random salt,
36 1 byte iteration info.
37 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
38 32 bytes.
39 salt_and_parameters is 18 bytes random salt, 2 bytes iteration
40 info.
41 */
43 #define S2K_TYPE_RFC2440 0
44 #define S2K_TYPE_PBKDF2 1
45 #define S2K_TYPE_SCRYPT 2
47 #define PBKDF2_SPEC_LEN 17
48 #define PBKDF2_KEY_LEN 20
50 #define SCRYPT_SPEC_LEN 18
51 #define SCRYPT_KEY_LEN 32
53 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
54 * specifier part of it, without the prefix type byte. */
55 static int
57 {
67 }
68 }
70 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
71 * its preferred output. */
72 static int
74 {
84 }
85 }
87 /** Given a specifier in <b>spec_and_key</b> of length
88 * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
89 * with a key if <b>key_included</b> is true, check whether the whole
90 * specifier-and-key is of valid length, and return the algorithm type if it
91 * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
92 * legacy specifier. Return an error code on failure.
93 */
94 static int
97 {
108 }
123 }
127 else
129 }
131 /**
132 * Write a new random s2k specifier of type <b>type</b>, without prefixing
133 * type byte, to <b>spec_out</b>, which must have enough room. May adjust
134 * parameter choice based on <b>flags</b>.
135 */
136 static int
138 {
146 /* Hash 64 k of data. */
150 /* 131 K iterations */
155 /* N = 1<<12 */
158 /* N = 1<<15 */
160 }
161 /* r = 8; p = 2. */
167 }
170 }
172 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
173 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
174 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
175 * are a salt; the 9th byte describes how much iteration to do.
176 * If <b>key_out_len</b> > DIGEST_LEN, use HDKF to expand the result.
177 */
178 void
181 {
189 #define EXPBIAS 6
192 #undef EXPBIAS
207 }
208 }
218 }
223 }
225 /**
226 * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
227 * whose length must be correct, and given a secret passphrase <b>secret</b>
228 * of length <b>secret_len</b>, compute the key and store it into
229 * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
230 * bytes. Return the number of bytes written on success and an error code
231 * on failure.
232 */
233 STATIC int
238 {
263 }
266 #ifdef HAVE_SCRYPT
285 #else
287 #endif
288 }
291 }
292 }
294 /**
295 * Given a specifier previously constructed with secret_to_key_make_specifier
296 * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
297 * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
298 * bytes of cryptographic material in <b>key_out</b>. The native output of
299 * the secret-to-key function will be truncated if key_out_len is short, and
300 * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
301 * and an error code on failure.
302 */
303 int
307 {
314 #ifndef HAVE_SCRYPT
317 #endif
322 }
328 else
330 }
332 /**
333 * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
334 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
335 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
336 * number of bytes used on success and an error code on failure.
337 */
338 int
340 {
343 #ifdef HAVE_SCRYPT
345 #else
347 #endif
363 else
365 }
367 /**
368 * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
369 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
370 * hash along with salt and hashing parameters into <b>buf</b>. Up to
371 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
372 * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
373 * and return an error code on failure.
374 */
375 int
381 {
410 }
412 /**
413 * Given a hashed passphrase in <b>spec_and_key</b> of length
414 * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
415 * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
416 * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
417 * doesn't match this secret, and another error code on other errors.
418 */
419 int
422 {
435 spec_and_key++;
436 spec_and_key_len--;
437 }
453 else
456 done:
459 }