crypto_s2k.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472
  1. /* Copyright (c) 2001, Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file crypto_s2k.c
  8. *
  9. * \brief Functions for deriving keys from human-readable passphrases.
  10. */
  11. #define CRYPTO_S2K_PRIVATE
  12. #include "crypto.h"
  13. #include "util.h"
  14. #include "compat.h"
  15. #include "crypto_s2k.h"
  16. #include <openssl/evp.h>
  17. #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
  18. #define HAVE_SCRYPT
  19. #include <libscrypt.h>
  20. #endif
  21. /* Encoded secrets take the form:
  22. u8 type;
  23. u8 salt_and_parameters[depends on type];
  24. u8 key[depends on type];
  25. As a special case, if the encoded secret is exactly 29 bytes long,
  26. type 0 is understood.
  27. Recognized types are:
  28. 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
  29. salt_and_parameters is 8 bytes random salt,
  30. 1 byte iteration info.
  31. 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
  32. salt_and_parameters is 16 bytes random salt,
  33. 1 byte iteration info.
  34. 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
  35. 32 bytes.
  36. salt_and_parameters is 18 bytes random salt, 2 bytes iteration
  37. info.
  38. */
  39. #define S2K_TYPE_RFC2440 0
  40. #define S2K_TYPE_PBKDF2 1
  41. #define S2K_TYPE_SCRYPT 2
  42. #define PBKDF2_SPEC_LEN 17
  43. #define PBKDF2_KEY_LEN 20
  44. #define SCRYPT_SPEC_LEN 18
  45. #define SCRYPT_KEY_LEN 32
  46. /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
  47. * specifier part of it, without the prefix type byte. Return -1 if it is not
  48. * a valid algorithm ID. */
  49. static int
  50. secret_to_key_spec_len(uint8_t type)
  51. {
  52. switch (type) {
  53. case S2K_TYPE_RFC2440:
  54. return S2K_RFC2440_SPECIFIER_LEN;
  55. case S2K_TYPE_PBKDF2:
  56. return PBKDF2_SPEC_LEN;
  57. case S2K_TYPE_SCRYPT:
  58. return SCRYPT_SPEC_LEN;
  59. default:
  60. return -1;
  61. }
  62. }
  63. /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
  64. * its preferred output. */
  65. static int
  66. secret_to_key_key_len(uint8_t type)
  67. {
  68. switch (type) {
  69. case S2K_TYPE_RFC2440:
  70. return DIGEST_LEN;
  71. case S2K_TYPE_PBKDF2:
  72. return DIGEST_LEN;
  73. case S2K_TYPE_SCRYPT:
  74. return DIGEST256_LEN;
  75. // LCOV_EXCL_START
  76. default:
  77. tor_fragile_assert();
  78. return -1;
  79. // LCOV_EXCL_STOP
  80. }
  81. }
  82. /** Given a specifier in <b>spec_and_key</b> of length
  83. * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
  84. * with a key if <b>key_included</b> is true, check whether the whole
  85. * specifier-and-key is of valid length, and return the algorithm type if it
  86. * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
  87. * legacy specifier. Return an error code on failure.
  88. */
  89. static int
  90. secret_to_key_get_type(const uint8_t *spec_and_key, size_t spec_and_key_len,
  91. int key_included, int *legacy_out)
  92. {
  93. size_t legacy_len = S2K_RFC2440_SPECIFIER_LEN;
  94. uint8_t type;
  95. int total_len;
  96. if (key_included)
  97. legacy_len += DIGEST_LEN;
  98. if (spec_and_key_len == legacy_len) {
  99. *legacy_out = 1;
  100. return S2K_TYPE_RFC2440;
  101. }
  102. *legacy_out = 0;
  103. if (spec_and_key_len == 0)
  104. return S2K_BAD_LEN;
  105. type = spec_and_key[0];
  106. total_len = secret_to_key_spec_len(type);
  107. if (total_len < 0)
  108. return S2K_BAD_ALGORITHM;
  109. if (key_included) {
  110. int keylen = secret_to_key_key_len(type);
  111. if (keylen < 0)
  112. return S2K_BAD_ALGORITHM;
  113. total_len += keylen;
  114. }
  115. if ((size_t)total_len + 1 == spec_and_key_len)
  116. return type;
  117. else
  118. return S2K_BAD_LEN;
  119. }
  120. /**
  121. * Write a new random s2k specifier of type <b>type</b>, without prefixing
  122. * type byte, to <b>spec_out</b>, which must have enough room. May adjust
  123. * parameter choice based on <b>flags</b>.
  124. */
  125. static int
  126. make_specifier(uint8_t *spec_out, uint8_t type, unsigned flags)
  127. {
  128. int speclen = secret_to_key_spec_len(type);
  129. if (speclen < 0)
  130. return S2K_BAD_ALGORITHM;
  131. crypto_rand((char*)spec_out, speclen);
  132. switch (type) {
  133. case S2K_TYPE_RFC2440:
  134. /* Hash 64 k of data. */
  135. spec_out[S2K_RFC2440_SPECIFIER_LEN-1] = 96;
  136. break;
  137. case S2K_TYPE_PBKDF2:
  138. /* 131 K iterations */
  139. spec_out[PBKDF2_SPEC_LEN-1] = 17;
  140. break;
  141. case S2K_TYPE_SCRYPT:
  142. if (flags & S2K_FLAG_LOW_MEM) {
  143. /* N = 1<<12 */
  144. spec_out[SCRYPT_SPEC_LEN-2] = 12;
  145. } else {
  146. /* N = 1<<15 */
  147. spec_out[SCRYPT_SPEC_LEN-2] = 15;
  148. }
  149. /* r = 8; p = 2. */
  150. spec_out[SCRYPT_SPEC_LEN-1] = (3u << 4) | (1u << 0);
  151. break;
  152. // LCOV_EXCL_START - we should have returned above.
  153. default:
  154. tor_fragile_assert();
  155. return S2K_BAD_ALGORITHM;
  156. // LCOV_EXCL_STOP
  157. }
  158. return speclen;
  159. }
  160. /** Implement RFC2440-style iterated-salted S2K conversion: convert the
  161. * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
  162. * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
  163. * are a salt; the 9th byte describes how much iteration to do.
  164. * If <b>key_out_len</b> &gt; DIGEST_LEN, use HDKF to expand the result.
  165. */
  166. void
  167. secret_to_key_rfc2440(char *key_out, size_t key_out_len, const char *secret,
  168. size_t secret_len, const char *s2k_specifier)
  169. {
  170. crypto_digest_t *d;
  171. uint8_t c;
  172. size_t count, tmplen;
  173. char *tmp;
  174. uint8_t buf[DIGEST_LEN];
  175. tor_assert(key_out_len < SIZE_T_CEILING);
  176. #define EXPBIAS 6
  177. c = s2k_specifier[8];
  178. count = ((uint32_t)16 + (c & 15)) << ((c >> 4) + EXPBIAS);
  179. #undef EXPBIAS
  180. d = crypto_digest_new();
  181. tmplen = 8+secret_len;
  182. tmp = tor_malloc(tmplen);
  183. memcpy(tmp,s2k_specifier,8);
  184. memcpy(tmp+8,secret,secret_len);
  185. secret_len += 8;
  186. while (count) {
  187. if (count >= secret_len) {
  188. crypto_digest_add_bytes(d, tmp, secret_len);
  189. count -= secret_len;
  190. } else {
  191. crypto_digest_add_bytes(d, tmp, count);
  192. count = 0;
  193. }
  194. }
  195. crypto_digest_get_digest(d, (char*)buf, sizeof(buf));
  196. if (key_out_len <= sizeof(buf)) {
  197. memcpy(key_out, buf, key_out_len);
  198. } else {
  199. crypto_expand_key_material_rfc5869_sha256(buf, DIGEST_LEN,
  200. (const uint8_t*)s2k_specifier, 8,
  201. (const uint8_t*)"EXPAND", 6,
  202. (uint8_t*)key_out, key_out_len);
  203. }
  204. memwipe(tmp, 0, tmplen);
  205. memwipe(buf, 0, sizeof(buf));
  206. tor_free(tmp);
  207. crypto_digest_free(d);
  208. }
  209. /**
  210. * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
  211. * whose length must be correct, and given a secret passphrase <b>secret</b>
  212. * of length <b>secret_len</b>, compute the key and store it into
  213. * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
  214. * bytes. Return the number of bytes written on success and an error code
  215. * on failure.
  216. */
  217. STATIC int
  218. secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
  219. const uint8_t *spec, size_t spec_len,
  220. const char *secret, size_t secret_len,
  221. int type)
  222. {
  223. int rv;
  224. if (key_out_len > INT_MAX)
  225. return S2K_BAD_LEN;
  226. switch (type) {
  227. case S2K_TYPE_RFC2440:
  228. secret_to_key_rfc2440((char*)key_out, key_out_len, secret, secret_len,
  229. (const char*)spec);
  230. return (int)key_out_len;
  231. case S2K_TYPE_PBKDF2: {
  232. uint8_t log_iters;
  233. if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX)
  234. return S2K_BAD_LEN;
  235. log_iters = spec[spec_len-1];
  236. if (log_iters > 31)
  237. return S2K_BAD_PARAMS;
  238. rv = PKCS5_PBKDF2_HMAC_SHA1(secret, (int)secret_len,
  239. spec, (int)spec_len-1,
  240. (1<<log_iters),
  241. (int)key_out_len, key_out);
  242. if (rv < 0)
  243. return S2K_FAILED;
  244. return (int)key_out_len;
  245. }
  246. case S2K_TYPE_SCRYPT: {
  247. #ifdef HAVE_SCRYPT
  248. uint8_t log_N, log_r, log_p;
  249. uint64_t N;
  250. uint32_t r, p;
  251. if (spec_len < 2)
  252. return S2K_BAD_LEN;
  253. log_N = spec[spec_len-2];
  254. log_r = (spec[spec_len-1]) >> 4;
  255. log_p = (spec[spec_len-1]) & 15;
  256. if (log_N > 63)
  257. return S2K_BAD_PARAMS;
  258. N = ((uint64_t)1) << log_N;
  259. r = 1u << log_r;
  260. p = 1u << log_p;
  261. rv = libscrypt_scrypt((const uint8_t*)secret, secret_len,
  262. spec, spec_len-2, N, r, p, key_out, key_out_len);
  263. if (rv != 0)
  264. return S2K_FAILED;
  265. return (int)key_out_len;
  266. #else /* !(defined(HAVE_SCRYPT)) */
  267. return S2K_NO_SCRYPT_SUPPORT;
  268. #endif /* defined(HAVE_SCRYPT) */
  269. }
  270. default:
  271. return S2K_BAD_ALGORITHM;
  272. }
  273. }
  274. /**
  275. * Given a specifier previously constructed with secret_to_key_make_specifier
  276. * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
  277. * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
  278. * bytes of cryptographic material in <b>key_out</b>. The native output of
  279. * the secret-to-key function will be truncated if key_out_len is short, and
  280. * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
  281. * and an error code on failure.
  282. */
  283. int
  284. secret_to_key_derivekey(uint8_t *key_out, size_t key_out_len,
  285. const uint8_t *spec, size_t spec_len,
  286. const char *secret, size_t secret_len)
  287. {
  288. int legacy_format = 0;
  289. int type = secret_to_key_get_type(spec, spec_len, 0, &legacy_format);
  290. int r;
  291. if (type < 0)
  292. return type;
  293. #ifndef HAVE_SCRYPT
  294. if (type == S2K_TYPE_SCRYPT)
  295. return S2K_NO_SCRYPT_SUPPORT;
  296. #endif
  297. if (! legacy_format) {
  298. ++spec;
  299. --spec_len;
  300. }
  301. r = secret_to_key_compute_key(key_out, key_out_len, spec, spec_len,
  302. secret, secret_len, type);
  303. if (r < 0)
  304. return r;
  305. else
  306. return S2K_OKAY;
  307. }
  308. /**
  309. * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
  310. * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
  311. * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
  312. * number of bytes used on success and an error code on failure.
  313. */
  314. int
  315. secret_to_key_make_specifier(uint8_t *buf, size_t buf_len, unsigned flags)
  316. {
  317. int rv;
  318. int spec_len;
  319. #ifdef HAVE_SCRYPT
  320. uint8_t type = S2K_TYPE_SCRYPT;
  321. #else
  322. uint8_t type = S2K_TYPE_RFC2440;
  323. #endif
  324. if (flags & S2K_FLAG_NO_SCRYPT)
  325. type = S2K_TYPE_RFC2440;
  326. if (flags & S2K_FLAG_USE_PBKDF2)
  327. type = S2K_TYPE_PBKDF2;
  328. spec_len = secret_to_key_spec_len(type);
  329. if ((int)buf_len < spec_len + 1)
  330. return S2K_TRUNCATED;
  331. buf[0] = type;
  332. rv = make_specifier(buf+1, type, flags);
  333. if (rv < 0)
  334. return rv;
  335. else
  336. return rv + 1;
  337. }
  338. /**
  339. * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
  340. * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
  341. * hash along with salt and hashing parameters into <b>buf</b>. Up to
  342. * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
  343. * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
  344. * and return an error code on failure.
  345. */
  346. int
  347. secret_to_key_new(uint8_t *buf,
  348. size_t buf_len,
  349. size_t *len_out,
  350. const char *secret, size_t secret_len,
  351. unsigned flags)
  352. {
  353. int key_len;
  354. int spec_len;
  355. int type;
  356. int rv;
  357. spec_len = secret_to_key_make_specifier(buf, buf_len, flags);
  358. if (spec_len < 0)
  359. return spec_len;
  360. type = buf[0];
  361. key_len = secret_to_key_key_len(type);
  362. if (key_len < 0)
  363. return key_len;
  364. if ((int)buf_len < key_len + spec_len)
  365. return S2K_TRUNCATED;
  366. rv = secret_to_key_compute_key(buf + spec_len, key_len,
  367. buf + 1, spec_len-1,
  368. secret, secret_len, type);
  369. if (rv < 0)
  370. return rv;
  371. *len_out = spec_len + key_len;
  372. return S2K_OKAY;
  373. }
  374. /**
  375. * Given a hashed passphrase in <b>spec_and_key</b> of length
  376. * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
  377. * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
  378. * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
  379. * doesn't match this secret, and another error code on other errors.
  380. */
  381. int
  382. secret_to_key_check(const uint8_t *spec_and_key, size_t spec_and_key_len,
  383. const char *secret, size_t secret_len)
  384. {
  385. int is_legacy = 0;
  386. int type = secret_to_key_get_type(spec_and_key, spec_and_key_len,
  387. 1, &is_legacy);
  388. uint8_t buf[32];
  389. int spec_len;
  390. int key_len;
  391. int rv;
  392. if (type < 0)
  393. return type;
  394. if (! is_legacy) {
  395. spec_and_key++;
  396. spec_and_key_len--;
  397. }
  398. spec_len = secret_to_key_spec_len(type);
  399. key_len = secret_to_key_key_len(type);
  400. tor_assert(spec_len > 0);
  401. tor_assert(key_len > 0);
  402. tor_assert(key_len <= (int) sizeof(buf));
  403. tor_assert((int)spec_and_key_len == spec_len + key_len);
  404. rv = secret_to_key_compute_key(buf, key_len,
  405. spec_and_key, spec_len,
  406. secret, secret_len, type);
  407. if (rv < 0)
  408. goto done;
  409. if (tor_memeq(buf, spec_and_key + spec_len, key_len))
  410. rv = S2K_OKAY;
  411. else
  412. rv = S2K_BAD_SECRET;
  413. done:
  414. memwipe(buf, 0, sizeof(buf));
  415. return rv;
  416. }