crypto_s2k.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525
  1. /* Copyright (c) 2001, Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file crypto_s2k.c
  8. *
  9. * \brief Functions for deriving keys from human-readable passphrases.
  10. */
  11. #define CRYPTO_S2K_PRIVATE
  12. #include "lib/crypt_ops/crypto_cipher.h"
  13. #include "lib/crypt_ops/crypto_digest.h"
  14. #include "lib/crypt_ops/crypto_hkdf.h"
  15. #include "lib/crypt_ops/crypto_rand.h"
  16. #include "lib/crypt_ops/crypto_s2k.h"
  17. #include "lib/crypt_ops/crypto_util.h"
  18. #include "lib/ctime/di_ops.h"
  19. #include "lib/log/util_bug.h"
  20. #include "lib/intmath/cmp.h"
  21. #ifdef ENABLE_OPENSSL
  22. #include <openssl/evp.h>
  23. #endif
  24. #ifdef ENABLE_NSS
  25. #include <pk11pub.h>
  26. #endif
  27. #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
  28. #define HAVE_SCRYPT
  29. #include <libscrypt.h>
  30. #endif
  31. #include <string.h>
  32. /* Encoded secrets take the form:
  33. u8 type;
  34. u8 salt_and_parameters[depends on type];
  35. u8 key[depends on type];
  36. As a special case, if the encoded secret is exactly 29 bytes long,
  37. type 0 is understood.
  38. Recognized types are:
  39. 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
  40. salt_and_parameters is 8 bytes random salt,
  41. 1 byte iteration info.
  42. 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
  43. salt_and_parameters is 16 bytes random salt,
  44. 1 byte iteration info.
  45. 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
  46. 32 bytes.
  47. salt_and_parameters is 18 bytes random salt, 2 bytes iteration
  48. info.
  49. */
  50. #define S2K_TYPE_RFC2440 0
  51. #define S2K_TYPE_PBKDF2 1
  52. #define S2K_TYPE_SCRYPT 2
  53. #define PBKDF2_SPEC_LEN 17
  54. #define PBKDF2_KEY_LEN 20
  55. #define SCRYPT_SPEC_LEN 18
  56. #define SCRYPT_KEY_LEN 32
  57. /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
  58. * specifier part of it, without the prefix type byte. Return -1 if it is not
  59. * a valid algorithm ID. */
  60. static int
  61. secret_to_key_spec_len(uint8_t type)
  62. {
  63. switch (type) {
  64. case S2K_TYPE_RFC2440:
  65. return S2K_RFC2440_SPECIFIER_LEN;
  66. case S2K_TYPE_PBKDF2:
  67. return PBKDF2_SPEC_LEN;
  68. case S2K_TYPE_SCRYPT:
  69. return SCRYPT_SPEC_LEN;
  70. default:
  71. return -1;
  72. }
  73. }
  74. /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
  75. * its preferred output. */
  76. static int
  77. secret_to_key_key_len(uint8_t type)
  78. {
  79. switch (type) {
  80. case S2K_TYPE_RFC2440:
  81. return DIGEST_LEN;
  82. case S2K_TYPE_PBKDF2:
  83. return DIGEST_LEN;
  84. case S2K_TYPE_SCRYPT:
  85. return DIGEST256_LEN;
  86. // LCOV_EXCL_START
  87. default:
  88. tor_fragile_assert();
  89. return -1;
  90. // LCOV_EXCL_STOP
  91. }
  92. }
  93. /** Given a specifier in <b>spec_and_key</b> of length
  94. * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
  95. * with a key if <b>key_included</b> is true, check whether the whole
  96. * specifier-and-key is of valid length, and return the algorithm type if it
  97. * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
  98. * legacy specifier. Return an error code on failure.
  99. */
  100. static int
  101. secret_to_key_get_type(const uint8_t *spec_and_key, size_t spec_and_key_len,
  102. int key_included, int *legacy_out)
  103. {
  104. size_t legacy_len = S2K_RFC2440_SPECIFIER_LEN;
  105. uint8_t type;
  106. int total_len;
  107. if (key_included)
  108. legacy_len += DIGEST_LEN;
  109. if (spec_and_key_len == legacy_len) {
  110. *legacy_out = 1;
  111. return S2K_TYPE_RFC2440;
  112. }
  113. *legacy_out = 0;
  114. if (spec_and_key_len == 0)
  115. return S2K_BAD_LEN;
  116. type = spec_and_key[0];
  117. total_len = secret_to_key_spec_len(type);
  118. if (total_len < 0)
  119. return S2K_BAD_ALGORITHM;
  120. if (key_included) {
  121. int keylen = secret_to_key_key_len(type);
  122. if (keylen < 0)
  123. return S2K_BAD_ALGORITHM;
  124. total_len += keylen;
  125. }
  126. if ((size_t)total_len + 1 == spec_and_key_len)
  127. return type;
  128. else
  129. return S2K_BAD_LEN;
  130. }
  131. /**
  132. * Write a new random s2k specifier of type <b>type</b>, without prefixing
  133. * type byte, to <b>spec_out</b>, which must have enough room. May adjust
  134. * parameter choice based on <b>flags</b>.
  135. */
  136. static int
  137. make_specifier(uint8_t *spec_out, uint8_t type, unsigned flags)
  138. {
  139. int speclen = secret_to_key_spec_len(type);
  140. if (speclen < 0)
  141. return S2K_BAD_ALGORITHM;
  142. crypto_rand((char*)spec_out, speclen);
  143. switch (type) {
  144. case S2K_TYPE_RFC2440:
  145. /* Hash 64 k of data. */
  146. spec_out[S2K_RFC2440_SPECIFIER_LEN-1] = 96;
  147. break;
  148. case S2K_TYPE_PBKDF2:
  149. /* 131 K iterations */
  150. spec_out[PBKDF2_SPEC_LEN-1] = 17;
  151. break;
  152. case S2K_TYPE_SCRYPT:
  153. if (flags & S2K_FLAG_LOW_MEM) {
  154. /* N = 1<<12 */
  155. spec_out[SCRYPT_SPEC_LEN-2] = 12;
  156. } else {
  157. /* N = 1<<15 */
  158. spec_out[SCRYPT_SPEC_LEN-2] = 15;
  159. }
  160. /* r = 8; p = 2. */
  161. spec_out[SCRYPT_SPEC_LEN-1] = (3u << 4) | (1u << 0);
  162. break;
  163. // LCOV_EXCL_START - we should have returned above.
  164. default:
  165. tor_fragile_assert();
  166. return S2K_BAD_ALGORITHM;
  167. // LCOV_EXCL_STOP
  168. }
  169. return speclen;
  170. }
  171. /** Implement RFC2440-style iterated-salted S2K conversion: convert the
  172. * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
  173. * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
  174. * are a salt; the 9th byte describes how much iteration to do.
  175. * If <b>key_out_len</b> &gt; DIGEST_LEN, use HDKF to expand the result.
  176. */
  177. void
  178. secret_to_key_rfc2440(char *key_out, size_t key_out_len, const char *secret,
  179. size_t secret_len, const char *s2k_specifier)
  180. {
  181. crypto_digest_t *d;
  182. uint8_t c;
  183. size_t count, tmplen;
  184. char *tmp;
  185. uint8_t buf[DIGEST_LEN];
  186. tor_assert(key_out_len < SIZE_T_CEILING);
  187. #define EXPBIAS 6
  188. c = s2k_specifier[8];
  189. count = ((uint32_t)16 + (c & 15)) << ((c >> 4) + EXPBIAS);
  190. #undef EXPBIAS
  191. d = crypto_digest_new();
  192. tmplen = 8+secret_len;
  193. tmp = tor_malloc(tmplen);
  194. memcpy(tmp,s2k_specifier,8);
  195. memcpy(tmp+8,secret,secret_len);
  196. secret_len += 8;
  197. while (count) {
  198. if (count >= secret_len) {
  199. crypto_digest_add_bytes(d, tmp, secret_len);
  200. count -= secret_len;
  201. } else {
  202. crypto_digest_add_bytes(d, tmp, count);
  203. count = 0;
  204. }
  205. }
  206. crypto_digest_get_digest(d, (char*)buf, sizeof(buf));
  207. if (key_out_len <= sizeof(buf)) {
  208. memcpy(key_out, buf, key_out_len);
  209. } else {
  210. crypto_expand_key_material_rfc5869_sha256(buf, DIGEST_LEN,
  211. (const uint8_t*)s2k_specifier, 8,
  212. (const uint8_t*)"EXPAND", 6,
  213. (uint8_t*)key_out, key_out_len);
  214. }
  215. memwipe(tmp, 0, tmplen);
  216. memwipe(buf, 0, sizeof(buf));
  217. tor_free(tmp);
  218. crypto_digest_free(d);
  219. }
  220. /**
  221. * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
  222. * whose length must be correct, and given a secret passphrase <b>secret</b>
  223. * of length <b>secret_len</b>, compute the key and store it into
  224. * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
  225. * bytes. Return the number of bytes written on success and an error code
  226. * on failure.
  227. */
  228. STATIC int
  229. secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
  230. const uint8_t *spec, size_t spec_len,
  231. const char *secret, size_t secret_len,
  232. int type)
  233. {
  234. int rv;
  235. if (key_out_len > INT_MAX)
  236. return S2K_BAD_LEN;
  237. switch (type) {
  238. case S2K_TYPE_RFC2440:
  239. secret_to_key_rfc2440((char*)key_out, key_out_len, secret, secret_len,
  240. (const char*)spec);
  241. return (int)key_out_len;
  242. case S2K_TYPE_PBKDF2: {
  243. uint8_t log_iters;
  244. if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX)
  245. return S2K_BAD_LEN;
  246. log_iters = spec[spec_len-1];
  247. if (log_iters > 31)
  248. return S2K_BAD_PARAMS;
  249. #ifdef ENABLE_OPENSSL
  250. rv = PKCS5_PBKDF2_HMAC_SHA1(secret, (int)secret_len,
  251. spec, (int)spec_len-1,
  252. (1<<log_iters),
  253. (int)key_out_len, key_out);
  254. if (rv < 0)
  255. return S2K_FAILED;
  256. return (int)key_out_len;
  257. #else
  258. SECItem passItem = { .type = siBuffer,
  259. .data = (unsigned char *) secret,
  260. .len = (int)secret_len };
  261. SECItem saltItem = { .type = siBuffer,
  262. .data = (unsigned char *) spec,
  263. .len = (int)spec_len - 1 };
  264. SECAlgorithmID *alg = NULL;
  265. PK11SymKey *key = NULL;
  266. rv = S2K_FAILED;
  267. alg = PK11_CreatePBEV2AlgorithmID(
  268. SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA1, SEC_OID_HMAC_SHA1,
  269. (int)key_out_len, (1<<log_iters), &saltItem);
  270. if (alg == NULL)
  271. return S2K_FAILED;
  272. key = PK11_PBEKeyGen(NULL /* slot */,
  273. alg,
  274. &passItem,
  275. false,
  276. NULL);
  277. SECStatus st = PK11_ExtractKeyValue(key);
  278. if (st != SECSuccess)
  279. goto nss_pbkdf_err;
  280. const SECItem *iptr = PK11_GetKeyData(key);
  281. if (iptr == NULL)
  282. goto nss_pbkdf_err;
  283. rv = MIN((int)iptr->len, (int)key_out_len);
  284. memcpy(key_out, iptr->data, rv);
  285. nss_pbkdf_err:
  286. if (key)
  287. PK11_FreeSymKey(key);
  288. if (alg)
  289. SECOID_DestroyAlgorithmID(alg, PR_TRUE);
  290. return rv;
  291. #endif
  292. }
  293. case S2K_TYPE_SCRYPT: {
  294. #ifdef HAVE_SCRYPT
  295. uint8_t log_N, log_r, log_p;
  296. uint64_t N;
  297. uint32_t r, p;
  298. if (spec_len < 2)
  299. return S2K_BAD_LEN;
  300. log_N = spec[spec_len-2];
  301. log_r = (spec[spec_len-1]) >> 4;
  302. log_p = (spec[spec_len-1]) & 15;
  303. if (log_N > 63)
  304. return S2K_BAD_PARAMS;
  305. N = ((uint64_t)1) << log_N;
  306. r = 1u << log_r;
  307. p = 1u << log_p;
  308. rv = libscrypt_scrypt((const uint8_t*)secret, secret_len,
  309. spec, spec_len-2, N, r, p, key_out, key_out_len);
  310. if (rv != 0)
  311. return S2K_FAILED;
  312. return (int)key_out_len;
  313. #else /* !(defined(HAVE_SCRYPT)) */
  314. return S2K_NO_SCRYPT_SUPPORT;
  315. #endif /* defined(HAVE_SCRYPT) */
  316. }
  317. default:
  318. return S2K_BAD_ALGORITHM;
  319. }
  320. }
  321. /**
  322. * Given a specifier previously constructed with secret_to_key_make_specifier
  323. * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
  324. * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
  325. * bytes of cryptographic material in <b>key_out</b>. The native output of
  326. * the secret-to-key function will be truncated if key_out_len is short, and
  327. * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success,
  328. * and an error code on failure.
  329. */
  330. int
  331. secret_to_key_derivekey(uint8_t *key_out, size_t key_out_len,
  332. const uint8_t *spec, size_t spec_len,
  333. const char *secret, size_t secret_len)
  334. {
  335. int legacy_format = 0;
  336. int type = secret_to_key_get_type(spec, spec_len, 0, &legacy_format);
  337. int r;
  338. if (type < 0)
  339. return type;
  340. #ifndef HAVE_SCRYPT
  341. if (type == S2K_TYPE_SCRYPT)
  342. return S2K_NO_SCRYPT_SUPPORT;
  343. #endif
  344. if (! legacy_format) {
  345. ++spec;
  346. --spec_len;
  347. }
  348. r = secret_to_key_compute_key(key_out, key_out_len, spec, spec_len,
  349. secret, secret_len, type);
  350. if (r < 0)
  351. return r;
  352. else
  353. return S2K_OKAY;
  354. }
  355. /**
  356. * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
  357. * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to
  358. * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the
  359. * number of bytes used on success and an error code on failure.
  360. */
  361. int
  362. secret_to_key_make_specifier(uint8_t *buf, size_t buf_len, unsigned flags)
  363. {
  364. int rv;
  365. int spec_len;
  366. #ifdef HAVE_SCRYPT
  367. uint8_t type = S2K_TYPE_SCRYPT;
  368. #else
  369. uint8_t type = S2K_TYPE_RFC2440;
  370. #endif
  371. if (flags & S2K_FLAG_NO_SCRYPT)
  372. type = S2K_TYPE_RFC2440;
  373. if (flags & S2K_FLAG_USE_PBKDF2)
  374. type = S2K_TYPE_PBKDF2;
  375. spec_len = secret_to_key_spec_len(type);
  376. if ((int)buf_len < spec_len + 1)
  377. return S2K_TRUNCATED;
  378. buf[0] = type;
  379. rv = make_specifier(buf+1, type, flags);
  380. if (rv < 0)
  381. return rv;
  382. else
  383. return rv + 1;
  384. }
  385. /**
  386. * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
  387. * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
  388. * hash along with salt and hashing parameters into <b>buf</b>. Up to
  389. * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set
  390. * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
  391. * and return an error code on failure.
  392. */
  393. int
  394. secret_to_key_new(uint8_t *buf,
  395. size_t buf_len,
  396. size_t *len_out,
  397. const char *secret, size_t secret_len,
  398. unsigned flags)
  399. {
  400. int key_len;
  401. int spec_len;
  402. int type;
  403. int rv;
  404. spec_len = secret_to_key_make_specifier(buf, buf_len, flags);
  405. if (spec_len < 0)
  406. return spec_len;
  407. type = buf[0];
  408. key_len = secret_to_key_key_len(type);
  409. if (key_len < 0)
  410. return key_len;
  411. if ((int)buf_len < key_len + spec_len)
  412. return S2K_TRUNCATED;
  413. rv = secret_to_key_compute_key(buf + spec_len, key_len,
  414. buf + 1, spec_len-1,
  415. secret, secret_len, type);
  416. if (rv < 0)
  417. return rv;
  418. *len_out = spec_len + key_len;
  419. return S2K_OKAY;
  420. }
  421. /**
  422. * Given a hashed passphrase in <b>spec_and_key</b> of length
  423. * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
  424. * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
  425. * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
  426. * doesn't match this secret, and another error code on other errors.
  427. */
  428. int
  429. secret_to_key_check(const uint8_t *spec_and_key, size_t spec_and_key_len,
  430. const char *secret, size_t secret_len)
  431. {
  432. int is_legacy = 0;
  433. int type = secret_to_key_get_type(spec_and_key, spec_and_key_len,
  434. 1, &is_legacy);
  435. uint8_t buf[32];
  436. int spec_len;
  437. int key_len;
  438. int rv;
  439. if (type < 0)
  440. return type;
  441. if (! is_legacy) {
  442. spec_and_key++;
  443. spec_and_key_len--;
  444. }
  445. spec_len = secret_to_key_spec_len(type);
  446. key_len = secret_to_key_key_len(type);
  447. tor_assert(spec_len > 0);
  448. tor_assert(key_len > 0);
  449. tor_assert(key_len <= (int) sizeof(buf));
  450. tor_assert((int)spec_and_key_len == spec_len + key_len);
  451. rv = secret_to_key_compute_key(buf, key_len,
  452. spec_and_key, spec_len,
  453. secret, secret_len, type);
  454. if (rv < 0)
  455. goto done;
  456. if (tor_memeq(buf, spec_and_key + spec_len, key_len))
  457. rv = S2K_OKAY;
  458. else
  459. rv = S2K_BAD_SECRET;
  460. done:
  461. memwipe(buf, 0, sizeof(buf));
  462. return rv;
  463. }