| blob | ae781f24ef5385b5cd12e63e9d2900c196598b9e |
1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto_s2k.c
9 *
10 * \brief Functions for deriving keys from human-readable passphrases.
11 */
13 #define CRYPTO_S2K_PRIVATE
25 #ifdef ENABLE_OPENSSL
26 #include <openssl/evp.h>
27 #endif
28 #ifdef ENABLE_NSS
30 #include <pk11pub.h>
32 #endif
34 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
35 #define HAVE_SCRYPT
36 #include <libscrypt.h>
37 #endif
39 #include <string.h>
41 /* Encoded secrets take the form:
43 u8 type;
44 u8 salt_and_parameters[depends on type];
45 u8 key[depends on type];
47 As a special case, if the encoded secret is exactly 29 bytes long,
48 type 0 is understood.
50 Recognized types are:
51 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
52 salt_and_parameters is 8 bytes random salt,
53 1 byte iteration info.
54 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
55 salt_and_parameters is 16 bytes random salt,
56 1 byte iteration info.
57 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
58 32 bytes.
59 salt_and_parameters is 18 bytes random salt, 2 bytes iteration
60 info.
61 */
63 #define S2K_TYPE_RFC2440 0
64 #define S2K_TYPE_PBKDF2 1
65 #define S2K_TYPE_SCRYPT 2
67 #define PBKDF2_SPEC_LEN 17
68 #define PBKDF2_KEY_LEN 20
70 #define SCRYPT_SPEC_LEN 18
71 #define SCRYPT_KEY_LEN 32
73 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
74 * specifier part of it, without the prefix type byte. Return -1 if it is not
75 * a valid algorithm ID. */
76 static int
78 {
88 }
89 }
91 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
92 * its preferred output. */
93 static int
95 {
103 // LCOV_EXCL_START
107 // LCOV_EXCL_STOP
108 }
109 }
111 /** Given a specifier in <b>spec_and_key</b> of length
112 * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
113 * with a key if <b>key_included</b> is true, check whether the whole
114 * specifier-and-key is of valid length, and return the algorithm type if it
115 * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
116 * legacy specifier. Return an error code on failure.
117 */
118 static int
121 {
132 }
147 }
151 else
153 }
155 /**
156 * Write a new random s2k specifier of type <b>type</b>, without prefixing
157 * type byte, to <b>spec_out</b>, which must have enough room. May adjust
158 * parameter choice based on <b>flags</b>.
159 */
160 static int
162 {
170 /* Hash 64 k of data. */
174 /* 131 K iterations */
179 /* N = 1<<12 */
182 /* N = 1<<15 */
184 }
185 /* r = 8; p = 2. */
188 // LCOV_EXCL_START - we should have returned above.
192 // LCOV_EXCL_STOP
193 }
196 }
198 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
199 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
200 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
201 * are a salt; the 9th byte describes how much iteration to do.
202 * If <b>key_out_len</b> > DIGEST_LEN, use HDKF to expand the result.
203 */
204 void
207 {
215 #define EXPBIAS 6
218 #undef EXPBIAS
233 }
234 }
244 }
249 }
251 /**
252 * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
253 * whose length must be correct, and given a secret passphrase <b>secret</b>
254 * of length <b>secret_len</b>, compute the key and store it into
255 * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
256 * bytes. Return the number of bytes written on success and an error code
257 * on failure.
258 */
259 STATIC int
264 {
282 #ifdef ENABLE_OPENSSL
308 alg,
311 NULL);
324 nss_pbkdf_err:
331 }
334 #ifdef HAVE_SCRYPT
356 }
359 }
360 }
362 /**
363 * Given a specifier previously constructed with secret_to_key_make_specifier
364 * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
365 * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
366 * bytes of cryptographic material in <b>key_out</b>. The native output of
367 * the secret-to-key function will be truncated if key_out_len is short, and
368 * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
369 * and an error code on failure.
370 */
371 int
375 {
382 #ifndef HAVE_SCRYPT
385 #endif
390 }
396 else
398 }
400 /**
401 * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
402 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
403 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
404 * number of bytes used on success and an error code on failure.
405 */
406 int
408 {
411 #ifdef HAVE_SCRYPT
413 #else
415 #endif
431 else
433 }
435 /**
436 * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
437 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
438 * hash along with salt and hashing parameters into <b>buf</b>. Up to
439 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
440 * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
441 * and return an error code on failure.
442 */
443 int
449 {
478 }
480 /**
481 * Given a hashed passphrase in <b>spec_and_key</b> of length
482 * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
483 * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
484 * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
485 * doesn't match this secret, and another error code on other errors.
486 */
487 int
490 {
503 spec_and_key++;
504 spec_and_key_len--;
505 }
521 else
524 done:
527 }