1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
10 * \brief Functions for deriving keys from human-readable passphrases.
13 #define CRYPTO_S2K_PRIVATE
15 #include "lib/crypt_ops/crypto_cipher.h"
16 #include "lib/crypt_ops/crypto_digest.h"
17 #include "lib/crypt_ops/crypto_hkdf.h"
18 #include "lib/crypt_ops/crypto_rand.h"
19 #include "lib/crypt_ops/crypto_s2k.h"
20 #include "lib/crypt_ops/crypto_util.h"
21 #include "lib/ctime/di_ops.h"
22 #include "lib/log/util_bug.h"
23 #include "lib/intmath/cmp.h"
26 #include <openssl/evp.h>
29 DISABLE_GCC_WARNING("-Wstrict-prototypes")
31 ENABLE_GCC_WARNING("-Wstrict-prototypes")
34 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
36 #include <libscrypt.h>
41 /* Encoded secrets take the form:
44 u8 salt_and_parameters[depends on type];
45 u8 key[depends on type];
47 As a special case, if the encoded secret is exactly 29 bytes long,
51 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
52 salt_and_parameters is 8 bytes random salt,
53 1 byte iteration info.
54 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
55 salt_and_parameters is 16 bytes random salt,
56 1 byte iteration info.
57 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
59 salt_and_parameters is 18 bytes random salt, 2 bytes iteration
63 #define S2K_TYPE_RFC2440 0
64 #define S2K_TYPE_PBKDF2 1
65 #define S2K_TYPE_SCRYPT 2
67 #define PBKDF2_SPEC_LEN 17
68 #define PBKDF2_KEY_LEN 20
70 #define SCRYPT_SPEC_LEN 18
71 #define SCRYPT_KEY_LEN 32
73 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
74 * specifier part of it, without the prefix type byte. Return -1 if it is not
75 * a valid algorithm ID. */
77 secret_to_key_spec_len(uint8_t type
)
80 case S2K_TYPE_RFC2440
:
81 return S2K_RFC2440_SPECIFIER_LEN
;
83 return PBKDF2_SPEC_LEN
;
85 return SCRYPT_SPEC_LEN
;
91 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
92 * its preferred output. */
94 secret_to_key_key_len(uint8_t type
)
97 case S2K_TYPE_RFC2440
:
101 case S2K_TYPE_SCRYPT
:
102 return DIGEST256_LEN
;
105 tor_fragile_assert();
111 /** Given a specifier in <b>spec_and_key</b> of length
112 * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
113 * with a key if <b>key_included</b> is true, check whether the whole
114 * specifier-and-key is of valid length, and return the algorithm type if it
115 * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
116 * legacy specifier. Return an error code on failure.
119 secret_to_key_get_type(const uint8_t *spec_and_key
, size_t spec_and_key_len
,
120 int key_included
, int *legacy_out
)
122 size_t legacy_len
= S2K_RFC2440_SPECIFIER_LEN
;
127 legacy_len
+= DIGEST_LEN
;
129 if (spec_and_key_len
== legacy_len
) {
131 return S2K_TYPE_RFC2440
;
135 if (spec_and_key_len
== 0)
138 type
= spec_and_key
[0];
139 total_len
= secret_to_key_spec_len(type
);
141 return S2K_BAD_ALGORITHM
;
143 int keylen
= secret_to_key_key_len(type
);
145 return S2K_BAD_ALGORITHM
;
149 if ((size_t)total_len
+ 1 == spec_and_key_len
)
156 * Write a new random s2k specifier of type <b>type</b>, without prefixing
157 * type byte, to <b>spec_out</b>, which must have enough room. May adjust
158 * parameter choice based on <b>flags</b>.
161 make_specifier(uint8_t *spec_out
, uint8_t type
, unsigned flags
)
163 int speclen
= secret_to_key_spec_len(type
);
165 return S2K_BAD_ALGORITHM
;
167 crypto_rand((char*)spec_out
, speclen
);
169 case S2K_TYPE_RFC2440
:
170 /* Hash 64 k of data. */
171 spec_out
[S2K_RFC2440_SPECIFIER_LEN
-1] = 96;
173 case S2K_TYPE_PBKDF2
:
174 /* 131 K iterations */
175 spec_out
[PBKDF2_SPEC_LEN
-1] = 17;
177 case S2K_TYPE_SCRYPT
:
178 if (flags
& S2K_FLAG_LOW_MEM
) {
180 spec_out
[SCRYPT_SPEC_LEN
-2] = 12;
183 spec_out
[SCRYPT_SPEC_LEN
-2] = 15;
186 spec_out
[SCRYPT_SPEC_LEN
-1] = (3u << 4) | (1u << 0);
188 // LCOV_EXCL_START - we should have returned above.
190 tor_fragile_assert();
191 return S2K_BAD_ALGORITHM
;
198 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
199 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
200 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
201 * are a salt; the 9th byte describes how much iteration to do.
202 * If <b>key_out_len</b> > DIGEST_LEN, use HDKF to expand the result.
205 secret_to_key_rfc2440(char *key_out
, size_t key_out_len
, const char *secret
,
206 size_t secret_len
, const char *s2k_specifier
)
210 size_t count
, tmplen
;
212 uint8_t buf
[DIGEST_LEN
];
213 tor_assert(key_out_len
< SIZE_T_CEILING
);
216 c
= s2k_specifier
[8];
217 count
= ((uint32_t)16 + (c
& 15)) << ((c
>> 4) + EXPBIAS
);
220 d
= crypto_digest_new();
221 tmplen
= 8+secret_len
;
222 tmp
= tor_malloc(tmplen
);
223 memcpy(tmp
,s2k_specifier
,8);
224 memcpy(tmp
+8,secret
,secret_len
);
227 if (count
>= secret_len
) {
228 crypto_digest_add_bytes(d
, tmp
, secret_len
);
231 crypto_digest_add_bytes(d
, tmp
, count
);
235 crypto_digest_get_digest(d
, (char*)buf
, sizeof(buf
));
237 if (key_out_len
<= sizeof(buf
)) {
238 memcpy(key_out
, buf
, key_out_len
);
240 crypto_expand_key_material_rfc5869_sha256(buf
, DIGEST_LEN
,
241 (const uint8_t*)s2k_specifier
, 8,
242 (const uint8_t*)"EXPAND", 6,
243 (uint8_t*)key_out
, key_out_len
);
245 memwipe(tmp
, 0, tmplen
);
246 memwipe(buf
, 0, sizeof(buf
));
248 crypto_digest_free(d
);
252 * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
253 * whose length must be correct, and given a secret passphrase <b>secret</b>
254 * of length <b>secret_len</b>, compute the key and store it into
255 * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
256 * bytes. Return the number of bytes written on success and an error code
260 secret_to_key_compute_key(uint8_t *key_out
, size_t key_out_len
,
261 const uint8_t *spec
, size_t spec_len
,
262 const char *secret
, size_t secret_len
,
266 if (key_out_len
> INT_MAX
)
270 case S2K_TYPE_RFC2440
:
271 secret_to_key_rfc2440((char*)key_out
, key_out_len
, secret
, secret_len
,
273 return (int)key_out_len
;
275 case S2K_TYPE_PBKDF2
: {
277 if (spec_len
< 1 || secret_len
> INT_MAX
|| spec_len
> INT_MAX
)
279 log_iters
= spec
[spec_len
-1];
281 return S2K_BAD_PARAMS
;
282 #ifdef ENABLE_OPENSSL
283 rv
= PKCS5_PBKDF2_HMAC_SHA1(secret
, (int)secret_len
,
284 spec
, (int)spec_len
-1,
286 (int)key_out_len
, key_out
);
289 return (int)key_out_len
;
290 #else /* !defined(ENABLE_OPENSSL) */
291 SECItem passItem
= { .type
= siBuffer
,
292 .data
= (unsigned char *) secret
,
293 .len
= (int)secret_len
};
294 SECItem saltItem
= { .type
= siBuffer
,
295 .data
= (unsigned char *) spec
,
296 .len
= (int)spec_len
- 1 };
297 SECAlgorithmID
*alg
= NULL
;
298 PK11SymKey
*key
= NULL
;
301 alg
= PK11_CreatePBEV2AlgorithmID(
302 SEC_OID_PKCS5_PBKDF2
, SEC_OID_HMAC_SHA1
, SEC_OID_HMAC_SHA1
,
303 (int)key_out_len
, (1<<log_iters
), &saltItem
);
307 key
= PK11_PBEKeyGen(NULL
/* slot */,
313 SECStatus st
= PK11_ExtractKeyValue(key
);
314 if (st
!= SECSuccess
)
317 const SECItem
*iptr
= PK11_GetKeyData(key
);
321 rv
= MIN((int)iptr
->len
, (int)key_out_len
);
322 memcpy(key_out
, iptr
->data
, rv
);
326 PK11_FreeSymKey(key
);
328 SECOID_DestroyAlgorithmID(alg
, PR_TRUE
);
330 #endif /* defined(ENABLE_OPENSSL) */
333 case S2K_TYPE_SCRYPT
: {
335 uint8_t log_N
, log_r
, log_p
;
340 log_N
= spec
[spec_len
-2];
341 log_r
= (spec
[spec_len
-1]) >> 4;
342 log_p
= (spec
[spec_len
-1]) & 15;
344 return S2K_BAD_PARAMS
;
345 N
= ((uint64_t)1) << log_N
;
348 rv
= libscrypt_scrypt((const uint8_t*)secret
, secret_len
,
349 spec
, spec_len
-2, N
, r
, p
, key_out
, key_out_len
);
352 return (int)key_out_len
;
353 #else /* !defined(HAVE_SCRYPT) */
354 return S2K_NO_SCRYPT_SUPPORT
;
355 #endif /* defined(HAVE_SCRYPT) */
358 return S2K_BAD_ALGORITHM
;
363 * Given a specifier previously constructed with secret_to_key_make_specifier
364 * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
365 * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
366 * bytes of cryptographic material in <b>key_out</b>. The native output of
367 * the secret-to-key function will be truncated if key_out_len is short, and
368 * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
369 * and an error code on failure.
372 secret_to_key_derivekey(uint8_t *key_out
, size_t key_out_len
,
373 const uint8_t *spec
, size_t spec_len
,
374 const char *secret
, size_t secret_len
)
376 int legacy_format
= 0;
377 int type
= secret_to_key_get_type(spec
, spec_len
, 0, &legacy_format
);
383 if (type
== S2K_TYPE_SCRYPT
)
384 return S2K_NO_SCRYPT_SUPPORT
;
387 if (! legacy_format
) {
392 r
= secret_to_key_compute_key(key_out
, key_out_len
, spec
, spec_len
,
393 secret
, secret_len
, type
);
401 * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
402 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
403 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
404 * number of bytes used on success and an error code on failure.
407 secret_to_key_make_specifier(uint8_t *buf
, size_t buf_len
, unsigned flags
)
412 uint8_t type
= S2K_TYPE_SCRYPT
;
414 uint8_t type
= S2K_TYPE_RFC2440
;
417 if (flags
& S2K_FLAG_NO_SCRYPT
)
418 type
= S2K_TYPE_RFC2440
;
419 if (flags
& S2K_FLAG_USE_PBKDF2
)
420 type
= S2K_TYPE_PBKDF2
;
422 spec_len
= secret_to_key_spec_len(type
);
424 if ((int)buf_len
< spec_len
+ 1)
425 return S2K_TRUNCATED
;
428 rv
= make_specifier(buf
+1, type
, flags
);
436 * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
437 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
438 * hash along with salt and hashing parameters into <b>buf</b>. Up to
439 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
440 * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
441 * and return an error code on failure.
444 secret_to_key_new(uint8_t *buf
,
447 const char *secret
, size_t secret_len
,
455 spec_len
= secret_to_key_make_specifier(buf
, buf_len
, flags
);
461 key_len
= secret_to_key_key_len(type
);
466 if ((int)buf_len
< key_len
+ spec_len
)
467 return S2K_TRUNCATED
;
469 rv
= secret_to_key_compute_key(buf
+ spec_len
, key_len
,
471 secret
, secret_len
, type
);
475 *len_out
= spec_len
+ key_len
;
481 * Given a hashed passphrase in <b>spec_and_key</b> of length
482 * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
483 * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
484 * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
485 * doesn't match this secret, and another error code on other errors.
488 secret_to_key_check(const uint8_t *spec_and_key
, size_t spec_and_key_len
,
489 const char *secret
, size_t secret_len
)
492 int type
= secret_to_key_get_type(spec_and_key
, spec_and_key_len
,
507 spec_len
= secret_to_key_spec_len(type
);
508 key_len
= secret_to_key_key_len(type
);
509 tor_assert(spec_len
> 0);
510 tor_assert(key_len
> 0);
511 tor_assert(key_len
<= (int) sizeof(buf
));
512 tor_assert((int)spec_and_key_len
== spec_len
+ key_len
);
513 rv
= secret_to_key_compute_key(buf
, key_len
,
514 spec_and_key
, spec_len
,
515 secret
, secret_len
, type
);
519 if (tor_memeq(buf
, spec_and_key
+ spec_len
, key_len
))
525 memwipe(buf
, 0, sizeof(buf
));