1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
7 #define CRYPTO_S2K_PRIVATE
10 #include "crypto_s2k.h"
11 #include "crypto_pwbox.h"
13 #if defined(HAVE_LIBSCRYPT_H)
14 #include <libscrypt.h>
17 #include <openssl/evp.h>
19 /** Run unit tests for our secret-to-key passphrase hashing functionality. */
21 test_crypto_s2k_rfc2440(void *arg
)
29 memset(buf
, 0, sizeof(buf
));
30 memset(buf2
, 0, sizeof(buf2
));
31 buf3
= tor_malloc(65536);
32 memset(buf3
, 0, 65536);
34 secret_to_key_rfc2440(buf
+9, 20, "", 0, buf
);
35 crypto_digest(buf2
+9, buf3
, 1024);
36 tt_mem_op(buf
,OP_EQ
, buf2
, 29);
38 memcpy(buf
,"vrbacrda",8);
39 memcpy(buf2
,"vrbacrda",8);
42 secret_to_key_rfc2440(buf
+9, 20, "12345678", 8, buf
);
43 for (i
= 0; i
< 65536; i
+= 16) {
44 memcpy(buf3
+i
, "vrbacrda12345678", 16);
46 crypto_digest(buf2
+9, buf3
, 65536);
47 tt_mem_op(buf
,OP_EQ
, buf2
, 29);
54 run_s2k_tests(const unsigned flags
, const unsigned type
,
55 int speclen
, const int keylen
, int legacy
)
57 uint8_t buf
[S2K_MAXLEN
], buf2
[S2K_MAXLEN
], buf3
[S2K_MAXLEN
];
60 const char pw1
[] = "You can't come in here unless you say swordfish!";
61 const char pw2
[] = "Now, I give you one more guess.";
63 r
= secret_to_key_new(buf
, sizeof(buf
), &sz
,
64 pw1
, strlen(pw1
), flags
);
65 tt_int_op(r
, OP_EQ
, S2K_OKAY
);
66 tt_int_op(buf
[0], OP_EQ
, type
);
68 tt_int_op(sz
, OP_EQ
, keylen
+ speclen
);
71 memmove(buf
, buf
+1, sz
-1);
76 tt_int_op(S2K_OKAY
, OP_EQ
,
77 secret_to_key_check(buf
, sz
, pw1
, strlen(pw1
)));
79 tt_int_op(S2K_BAD_SECRET
, OP_EQ
,
80 secret_to_key_check(buf
, sz
, pw2
, strlen(pw2
)));
82 /* Move key to buf2, and clear it. */
83 memset(buf3
, 0, sizeof(buf3
));
84 memcpy(buf2
, buf
+speclen
, keylen
);
85 memset(buf
+speclen
, 0, sz
- speclen
);
87 /* Derivekey should produce the same results. */
88 tt_int_op(S2K_OKAY
, OP_EQ
,
89 secret_to_key_derivekey(buf3
, keylen
, buf
, speclen
, pw1
, strlen(pw1
)));
91 tt_mem_op(buf2
, OP_EQ
, buf3
, keylen
);
93 /* Derivekey with a longer output should fill the output. */
94 memset(buf2
, 0, sizeof(buf2
));
95 tt_int_op(S2K_OKAY
, OP_EQ
,
96 secret_to_key_derivekey(buf2
, sizeof(buf2
), buf
, speclen
,
99 tt_mem_op(buf2
, OP_NE
, buf3
, sizeof(buf2
));
101 memset(buf3
, 0, sizeof(buf3
));
102 tt_int_op(S2K_OKAY
, OP_EQ
,
103 secret_to_key_derivekey(buf3
, sizeof(buf3
), buf
, speclen
,
105 tt_mem_op(buf2
, OP_EQ
, buf3
, sizeof(buf3
));
106 tt_assert(!tor_mem_is_zero((char*)buf2
+keylen
, sizeof(buf2
)-keylen
));
113 test_crypto_s2k_general(void *arg
)
115 const char *which
= arg
;
117 if (!strcmp(which
, "scrypt")) {
118 run_s2k_tests(0, 2, 19, 32, 0);
119 } else if (!strcmp(which
, "scrypt-low")) {
120 run_s2k_tests(S2K_FLAG_LOW_MEM
, 2, 19, 32, 0);
121 } else if (!strcmp(which
, "pbkdf2")) {
122 run_s2k_tests(S2K_FLAG_USE_PBKDF2
, 1, 18, 20, 0);
123 } else if (!strcmp(which
, "rfc2440")) {
124 run_s2k_tests(S2K_FLAG_NO_SCRYPT
, 0, 10, 20, 0);
125 } else if (!strcmp(which
, "rfc2440-legacy")) {
126 run_s2k_tests(S2K_FLAG_NO_SCRYPT
, 0, 10, 20, 1);
132 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_EVP_PBE_SCRYPT)
134 test_libscrypt_eq_openssl(void *arg
)
140 uint64_t maxmem
= 0; // --> SCRYPT_MAX_MEM in OpenSSL.
142 int libscrypt_retval
, openssl_retval
;
151 /* NOTE: we're using N,r the way OpenSSL and libscrypt define them,
152 * not the way draft-josefsson-scrypt-kdf-00.txt define them.
159 libscrypt_scrypt((const uint8_t *)"", 0, (const uint8_t *)"", 0,
160 N
, r
, p
, buf1
, dk_len
);
162 EVP_PBE_scrypt((const char *)"", 0, (const unsigned char *)"", 0,
163 N
, r
, p
, maxmem
, buf2
, dk_len
);
165 tt_int_op(libscrypt_retval
, ==, 0);
166 tt_int_op(openssl_retval
, ==, 1);
168 tt_mem_op(buf1
, ==, buf2
, 64);
178 libscrypt_scrypt((const uint8_t *)"password", strlen("password"),
179 (const uint8_t *)"NaCl", strlen("NaCl"),
180 N
, r
, p
, buf1
, dk_len
);
182 EVP_PBE_scrypt((const char *)"password", strlen("password"),
183 (const unsigned char *)"NaCl", strlen("NaCl"),
184 N
, r
, p
, maxmem
, buf2
, dk_len
);
186 tt_int_op(libscrypt_retval
, ==, 0);
187 tt_int_op(openssl_retval
, ==, 1);
189 tt_mem_op(buf1
, ==, buf2
, 64);
199 libscrypt_scrypt((const uint8_t *)"pleaseletmein",
200 strlen("pleaseletmein"),
201 (const uint8_t *)"SodiumChloride",
202 strlen("SodiumChloride"),
203 N
, r
, p
, buf1
, dk_len
);
205 EVP_PBE_scrypt((const char *)"pleaseletmein",
206 strlen("pleaseletmein"),
207 (const unsigned char *)"SodiumChloride",
208 strlen("SodiumChloride"),
209 N
, r
, p
, maxmem
, buf2
, dk_len
);
211 tt_int_op(libscrypt_retval
, ==, 0);
212 tt_int_op(openssl_retval
, ==, 1);
214 tt_mem_op(buf1
, ==, buf2
, 64);
220 maxmem
= 2 * 1024 * 1024 * (uint64_t)1024; // 2 GB
223 libscrypt_scrypt((const uint8_t *)"pleaseletmein",
224 strlen("pleaseletmein"),
225 (const uint8_t *)"SodiumChloride",
226 strlen("SodiumChloride"),
227 N
, r
, p
, buf1
, dk_len
);
229 EVP_PBE_scrypt((const char *)"pleaseletmein",
230 strlen("pleaseletmein"),
231 (const unsigned char *)"SodiumChloride",
232 strlen("SodiumChloride"),
233 N
, r
, p
, maxmem
, buf2
, dk_len
);
235 tt_int_op(libscrypt_retval
, ==, 0);
236 tt_int_op(openssl_retval
, ==, 1);
238 tt_mem_op(buf1
, ==, buf2
, 64);
246 test_crypto_s2k_errors(void *arg
)
248 uint8_t buf
[S2K_MAXLEN
], buf2
[S2K_MAXLEN
];
253 /* Bogus specifiers: simple */
254 tt_int_op(S2K_BAD_LEN
, OP_EQ
,
255 secret_to_key_derivekey(buf
, sizeof(buf
),
256 (const uint8_t*)"", 0, "ABC", 3));
257 tt_int_op(S2K_BAD_ALGORITHM
, OP_EQ
,
258 secret_to_key_derivekey(buf
, sizeof(buf
),
259 (const uint8_t*)"\x10", 1, "ABC", 3));
260 tt_int_op(S2K_BAD_LEN
, OP_EQ
,
261 secret_to_key_derivekey(buf
, sizeof(buf
),
262 (const uint8_t*)"\x01\x02", 2, "ABC", 3));
264 tt_int_op(S2K_BAD_LEN
, OP_EQ
,
265 secret_to_key_check((const uint8_t*)"", 0, "ABC", 3));
266 tt_int_op(S2K_BAD_ALGORITHM
, OP_EQ
,
267 secret_to_key_check((const uint8_t*)"\x10", 1, "ABC", 3));
268 tt_int_op(S2K_BAD_LEN
, OP_EQ
,
269 secret_to_key_check((const uint8_t*)"\x01\x02", 2, "ABC", 3));
271 /* too long gets "BAD_LEN" too */
272 memset(buf
, 0, sizeof(buf
));
274 tt_int_op(S2K_BAD_LEN
, OP_EQ
,
275 secret_to_key_derivekey(buf2
, sizeof(buf2
),
276 buf
, sizeof(buf
), "ABC", 3));
278 /* Truncated output */
279 #ifdef HAVE_LIBSCRYPT_H
280 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_new(buf
, 50, &sz
,
282 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_new(buf
, 50, &sz
,
283 "ABC", 3, S2K_FLAG_LOW_MEM
));
285 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_new(buf
, 37, &sz
,
286 "ABC", 3, S2K_FLAG_USE_PBKDF2
));
287 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_new(buf
, 29, &sz
,
288 "ABC", 3, S2K_FLAG_NO_SCRYPT
));
290 #ifdef HAVE_LIBSCRYPT_H
291 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_make_specifier(buf
, 18, 0));
292 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_make_specifier(buf
, 18,
295 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_make_specifier(buf
, 17,
296 S2K_FLAG_USE_PBKDF2
));
297 tt_int_op(S2K_TRUNCATED
, OP_EQ
, secret_to_key_make_specifier(buf
, 9,
298 S2K_FLAG_NO_SCRYPT
));
300 /* Now try using type-specific bogus specifiers. */
302 /* It's a bad pbkdf2 buffer if it has an iteration count that would overflow
304 memset(buf
, 0, sizeof(buf
));
305 buf
[0] = 1; /* pbkdf2 */
306 buf
[17] = 100; /* 1<<100 is much bigger than INT32_MAX */
307 tt_int_op(S2K_BAD_PARAMS
, OP_EQ
,
308 secret_to_key_derivekey(buf2
, sizeof(buf2
),
311 #ifdef HAVE_LIBSCRYPT_H
312 /* It's a bad scrypt buffer if N would overflow uint64 */
313 memset(buf
, 0, sizeof(buf
));
314 buf
[0] = 2; /* scrypt */
315 buf
[17] = 100; /* 1<<100 is much bigger than UINT64_MAX */
316 tt_int_op(S2K_BAD_PARAMS
, OP_EQ
,
317 secret_to_key_derivekey(buf2
, sizeof(buf2
),
326 test_crypto_scrypt_vectors(void *arg
)
328 char *mem_op_hex_tmp
= NULL
;
329 uint8_t spec
[64], out
[64];
332 #ifndef HAVE_LIBSCRYPT_H
338 http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-00 section 11.
340 Note that the names of 'r' and 'N' are switched in that section. Or
341 possibly in libscrypt.
344 base16_decode((char*)spec
, sizeof(spec
),
346 memset(out
, 0x00, sizeof(out
));
348 secret_to_key_compute_key(out
, 64, spec
, 2, "", 0, 2));
350 "77d6576238657b203b19ca42c18a0497"
351 "f16b4844e3074ae8dfdffa3fede21442"
352 "fcd0069ded0948f8326a753a0fc81f17"
353 "e8d3e0fb2e0d3628cf35e20c38d18906");
355 base16_decode((char*)spec
, sizeof(spec
),
356 "4e61436c" "0A34", 12);
357 memset(out
, 0x00, sizeof(out
));
359 secret_to_key_compute_key(out
, 64, spec
, 6, "password", 8, 2));
361 "fdbabe1c9d3472007856e7190d01e9fe"
362 "7c6ad7cbc8237830e77376634b373162"
363 "2eaf30d92e22a3886ff109279d9830da"
364 "c727afb94a83ee6d8360cbdfa2cc0640");
366 base16_decode((char*)spec
, sizeof(spec
),
367 "536f6469756d43686c6f72696465" "0e30", 32);
368 memset(out
, 0x00, sizeof(out
));
370 secret_to_key_compute_key(out
, 64, spec
, 16,
371 "pleaseletmein", 13, 2));
373 "7023bdcb3afd7348461c06cd81fd38eb"
374 "fda8fbba904f8e3ea9b543f6545da1f2"
375 "d5432955613f0fcf62d49705242a9af9"
376 "e61e85dc0d651e40dfcf017b45575887");
378 base16_decode((char*)spec
, sizeof(spec
),
379 "536f6469756d43686c6f72696465" "1430", 32);
380 memset(out
, 0x00, sizeof(out
));
382 secret_to_key_compute_key(out
, 64, spec
, 16,
383 "pleaseletmein", 13, 2));
385 "2101cb9b6a511aaeaddbbe09cf70f881"
386 "ec568d574a2ffd4dabe5ee9820adaa47"
387 "8e56fd8f4ba5d09ffa1c6d927c40f4c3"
388 "37304049e8a952fbcbf45c6fa77a41a4");
391 tor_free(mem_op_hex_tmp
);
395 test_crypto_pbkdf2_vectors(void *arg
)
397 char *mem_op_hex_tmp
= NULL
;
398 uint8_t spec
[64], out
[64];
401 /* Test vectors from RFC6070, section 2 */
402 base16_decode((char*)spec
, sizeof(spec
),
403 "73616c74" "00" , 10);
404 memset(out
, 0x00, sizeof(out
));
406 secret_to_key_compute_key(out
, 20, spec
, 5, "password", 8, 1));
407 test_memeq_hex(out
, "0c60c80f961f0e71f3a9b524af6012062fe037a6");
409 base16_decode((char*)spec
, sizeof(spec
),
410 "73616c74" "01" , 10);
411 memset(out
, 0x00, sizeof(out
));
413 secret_to_key_compute_key(out
, 20, spec
, 5, "password", 8, 1));
414 test_memeq_hex(out
, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957");
416 base16_decode((char*)spec
, sizeof(spec
),
417 "73616c74" "0C" , 10);
418 memset(out
, 0x00, sizeof(out
));
420 secret_to_key_compute_key(out
, 20, spec
, 5, "password", 8, 1));
421 test_memeq_hex(out
, "4b007901b765489abead49d926f721d065a429c1");
423 base16_decode((char*)spec
, sizeof(spec
),
424 "73616c74" "18" , 10);
425 memset(out
, 0x00, sizeof(out
));
427 secret_to_key_compute_key(out
, 20, spec
, 5, "password", 8, 1));
428 test_memeq_hex(out
, "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984");
430 base16_decode((char*)spec
, sizeof(spec
),
431 "73616c7453414c5473616c7453414c5473616c745"
432 "3414c5473616c7453414c5473616c74" "0C" , 74);
433 memset(out
, 0x00, sizeof(out
));
435 secret_to_key_compute_key(out
, 25, spec
, 37,
436 "passwordPASSWORDpassword", 24, 1));
437 test_memeq_hex(out
, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038");
439 base16_decode((char*)spec
, sizeof(spec
),
440 "7361006c74" "0c" , 12);
441 memset(out
, 0x00, sizeof(out
));
443 secret_to_key_compute_key(out
, 16, spec
, 6, "pass\0word", 9, 1));
444 test_memeq_hex(out
, "56fa6aa75548099dcc37d7f03425e0c3");
447 tor_free(mem_op_hex_tmp
);
451 test_crypto_pwbox(void *arg
)
453 uint8_t *boxed
=NULL
, *decoded
=NULL
;
456 const char msg
[] = "This bunny reminds you that you still have a "
457 "salamander in your sylladex. She is holding the bunny Dave got you. "
458 "It’s sort of uncanny how similar they are, aside from the knitted "
459 "enhancements. Seriously, what are the odds?? So weird.";
460 const char pw
[] = "I'm a night owl and a wise bird too";
462 const unsigned flags
[] = { 0,
465 S2K_FLAG_NO_SCRYPT
|S2K_FLAG_LOW_MEM
,
466 S2K_FLAG_USE_PBKDF2
};
469 for (i
= 0; i
< ARRAY_LENGTH(flags
); ++i
) {
470 tt_int_op(0, OP_EQ
, crypto_pwbox(&boxed
, &len
,
471 (const uint8_t*)msg
, strlen(msg
),
472 pw
, strlen(pw
), flags
[i
]));
474 tt_assert(len
> 128+32);
476 tt_int_op(0, OP_EQ
, crypto_unpwbox(&decoded
, &dlen
, boxed
, len
,
480 tt_uint_op(dlen
, OP_EQ
, strlen(msg
));
481 tt_mem_op(decoded
, OP_EQ
, msg
, dlen
);
485 tt_int_op(UNPWBOX_BAD_SECRET
, OP_EQ
, crypto_unpwbox(&decoded
, &dlen
,
489 tt_int_op(UNPWBOX_BAD_SECRET
, OP_EQ
, crypto_unpwbox(&decoded
, &dlen
,
493 tt_int_op(UNPWBOX_CORRUPTED
, OP_EQ
, crypto_unpwbox(&decoded
, &dlen
,
505 #define CRYPTO_LEGACY(name) \
506 { #name, test_crypto_ ## name , 0, NULL, NULL }
508 struct testcase_t slow_crypto_tests
[] = {
509 CRYPTO_LEGACY(s2k_rfc2440
),
510 #ifdef HAVE_LIBSCRYPT_H
511 { "s2k_scrypt", test_crypto_s2k_general
, 0, &passthrough_setup
,
513 { "s2k_scrypt_low", test_crypto_s2k_general
, 0, &passthrough_setup
,
514 (void*)"scrypt-low" },
515 #ifdef HAVE_EVP_PBE_SCRYPT
516 { "libscrypt_eq_openssl", test_libscrypt_eq_openssl
, 0, NULL
, NULL
},
519 { "s2k_pbkdf2", test_crypto_s2k_general
, 0, &passthrough_setup
,
521 { "s2k_rfc2440_general", test_crypto_s2k_general
, 0, &passthrough_setup
,
523 { "s2k_rfc2440_legacy", test_crypto_s2k_general
, 0, &passthrough_setup
,
524 (void*)"rfc2440-legacy" },
525 { "s2k_errors", test_crypto_s2k_errors
, 0, NULL
, NULL
},
526 { "scrypt_vectors", test_crypto_scrypt_vectors
, 0, NULL
, NULL
},
527 { "pbkdf2_vectors", test_crypto_pbkdf2_vectors
, 0, NULL
, NULL
},
528 { "pwbox", test_crypto_pwbox
, 0, NULL
, NULL
},