crypto_s2k.c (15238B)
1 /* Copyright (c) 2001, Matej Pfajfar. 2 * Copyright (c) 2001-2004, Roger Dingledine. 3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 4 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 5 /* See LICENSE for licensing information */ 6 7 /** 8 * \file crypto_s2k.c 9 * 10 * \brief Functions for deriving keys from human-readable passphrases. 11 */ 12 13 #define CRYPTO_S2K_PRIVATE 14 15 #include "lib/crypt_ops/crypto_cipher.h" 16 #include "lib/crypt_ops/crypto_digest.h" 17 #include "lib/crypt_ops/crypto_hkdf.h" 18 #include "lib/crypt_ops/crypto_rand.h" 19 #include "lib/crypt_ops/crypto_s2k.h" 20 #include "lib/crypt_ops/crypto_util.h" 21 #include "lib/ctime/di_ops.h" 22 #include "lib/log/util_bug.h" 23 #include "lib/intmath/cmp.h" 24 25 #ifdef ENABLE_OPENSSL 26 #include <openssl/evp.h> 27 #endif 28 #ifdef ENABLE_NSS 29 DISABLE_GCC_WARNING("-Wstrict-prototypes") 30 #include <pk11pub.h> 31 ENABLE_GCC_WARNING("-Wstrict-prototypes") 32 #endif 33 34 #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT) 35 #define HAVE_SCRYPT 36 #include <libscrypt.h> 37 #endif 38 39 #include <string.h> 40 41 /* Encoded secrets take the form: 42 43 u8 type; 44 u8 salt_and_parameters[depends on type]; 45 u8 key[depends on type]; 46 47 As a special case, if the encoded secret is exactly 29 bytes long, 48 type 0 is understood. 49 50 Recognized types are: 51 00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes. 52 salt_and_parameters is 8 bytes random salt, 53 1 byte iteration info. 54 01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes. 55 salt_and_parameters is 16 bytes random salt, 56 1 byte iteration info. 57 02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is 58 32 bytes. 59 salt_and_parameters is 18 bytes random salt, 2 bytes iteration 60 info. 61 */ 62 63 #define S2K_TYPE_RFC2440 0 64 #define S2K_TYPE_PBKDF2 1 65 #define S2K_TYPE_SCRYPT 2 66 67 #define PBKDF2_SPEC_LEN 17 68 #define PBKDF2_KEY_LEN 20 69 70 #define SCRYPT_SPEC_LEN 18 71 #define SCRYPT_KEY_LEN 32 72 73 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the 74 * specifier part of it, without the prefix type byte. Return -1 if it is not 75 * a valid algorithm ID. */ 76 static int 77 secret_to_key_spec_len(uint8_t type) 78 { 79 switch (type) { 80 case S2K_TYPE_RFC2440: 81 return S2K_RFC2440_SPECIFIER_LEN; 82 case S2K_TYPE_PBKDF2: 83 return PBKDF2_SPEC_LEN; 84 case S2K_TYPE_SCRYPT: 85 return SCRYPT_SPEC_LEN; 86 default: 87 return -1; 88 } 89 } 90 91 /** Given an algorithm ID (one of S2K_TYPE_*), return the length of the 92 * its preferred output. */ 93 static int 94 secret_to_key_key_len(uint8_t type) 95 { 96 switch (type) { 97 case S2K_TYPE_RFC2440: 98 return DIGEST_LEN; 99 case S2K_TYPE_PBKDF2: 100 return DIGEST_LEN; 101 case S2K_TYPE_SCRYPT: 102 return DIGEST256_LEN; 103 // LCOV_EXCL_START 104 default: 105 tor_fragile_assert(); 106 return -1; 107 // LCOV_EXCL_STOP 108 } 109 } 110 111 /** Given a specifier in <b>spec_and_key</b> of length 112 * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along 113 * with a key if <b>key_included</b> is true, check whether the whole 114 * specifier-and-key is of valid length, and return the algorithm type if it 115 * is. Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or 116 * legacy specifier. Return an error code on failure. 117 */ 118 static int 119 secret_to_key_get_type(const uint8_t *spec_and_key, size_t spec_and_key_len, 120 int key_included, int *legacy_out) 121 { 122 size_t legacy_len = S2K_RFC2440_SPECIFIER_LEN; 123 uint8_t type; 124 int total_len; 125 126 if (key_included) 127 legacy_len += DIGEST_LEN; 128 129 if (spec_and_key_len == legacy_len) { 130 *legacy_out = 1; 131 return S2K_TYPE_RFC2440; 132 } 133 134 *legacy_out = 0; 135 if (spec_and_key_len == 0) 136 return S2K_BAD_LEN; 137 138 type = spec_and_key[0]; 139 total_len = secret_to_key_spec_len(type); 140 if (total_len < 0) 141 return S2K_BAD_ALGORITHM; 142 if (key_included) { 143 int keylen = secret_to_key_key_len(type); 144 if (keylen < 0) 145 return S2K_BAD_ALGORITHM; 146 total_len += keylen; 147 } 148 149 if ((size_t)total_len + 1 == spec_and_key_len) 150 return type; 151 else 152 return S2K_BAD_LEN; 153 } 154 155 /** 156 * Write a new random s2k specifier of type <b>type</b>, without prefixing 157 * type byte, to <b>spec_out</b>, which must have enough room. May adjust 158 * parameter choice based on <b>flags</b>. 159 */ 160 static int 161 make_specifier(uint8_t *spec_out, uint8_t type, unsigned flags) 162 { 163 int speclen = secret_to_key_spec_len(type); 164 if (speclen < 0) 165 return S2K_BAD_ALGORITHM; 166 167 crypto_rand((char*)spec_out, speclen); 168 switch (type) { 169 case S2K_TYPE_RFC2440: 170 /* Hash 64 k of data. */ 171 spec_out[S2K_RFC2440_SPECIFIER_LEN-1] = 96; 172 break; 173 case S2K_TYPE_PBKDF2: 174 /* 131 K iterations */ 175 spec_out[PBKDF2_SPEC_LEN-1] = 17; 176 break; 177 case S2K_TYPE_SCRYPT: 178 if (flags & S2K_FLAG_LOW_MEM) { 179 /* N = 1<<12 */ 180 spec_out[SCRYPT_SPEC_LEN-2] = 12; 181 } else { 182 /* N = 1<<15 */ 183 spec_out[SCRYPT_SPEC_LEN-2] = 15; 184 } 185 /* r = 8; p = 2. */ 186 spec_out[SCRYPT_SPEC_LEN-1] = (3u << 4) | (1u << 0); 187 break; 188 // LCOV_EXCL_START - we should have returned above. 189 default: 190 tor_fragile_assert(); 191 return S2K_BAD_ALGORITHM; 192 // LCOV_EXCL_STOP 193 } 194 195 return speclen; 196 } 197 198 /** Implement RFC2440-style iterated-salted S2K conversion: convert the 199 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte 200 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier 201 * are a salt; the 9th byte describes how much iteration to do. 202 * If <b>key_out_len</b> > DIGEST_LEN, use HDKF to expand the result. 203 */ 204 void 205 secret_to_key_rfc2440(char *key_out, size_t key_out_len, const char *secret, 206 size_t secret_len, const char *s2k_specifier) 207 { 208 crypto_digest_t *d; 209 uint8_t c; 210 size_t count, tmplen; 211 char *tmp; 212 uint8_t buf[DIGEST_LEN]; 213 tor_assert(key_out_len < SIZE_T_CEILING); 214 215 #define EXPBIAS 6 216 c = s2k_specifier[8]; 217 count = ((uint32_t)16 + (c & 15)) << ((c >> 4) + EXPBIAS); 218 #undef EXPBIAS 219 220 d = crypto_digest_new(); 221 tmplen = 8+secret_len; 222 tmp = tor_malloc(tmplen); 223 memcpy(tmp,s2k_specifier,8); 224 memcpy(tmp+8,secret,secret_len); 225 secret_len += 8; 226 while (count) { 227 if (count >= secret_len) { 228 crypto_digest_add_bytes(d, tmp, secret_len); 229 count -= secret_len; 230 } else { 231 crypto_digest_add_bytes(d, tmp, count); 232 count = 0; 233 } 234 } 235 crypto_digest_get_digest(d, (char*)buf, sizeof(buf)); 236 237 if (key_out_len <= sizeof(buf)) { 238 memcpy(key_out, buf, key_out_len); 239 } else { 240 crypto_expand_key_material_rfc5869_sha256(buf, DIGEST_LEN, 241 (const uint8_t*)s2k_specifier, 8, 242 (const uint8_t*)"EXPAND", 6, 243 (uint8_t*)key_out, key_out_len); 244 } 245 memwipe(tmp, 0, tmplen); 246 memwipe(buf, 0, sizeof(buf)); 247 tor_free(tmp); 248 crypto_digest_free(d); 249 } 250 251 /** 252 * Helper: given a valid specifier without prefix type byte in <b>spec</b>, 253 * whose length must be correct, and given a secret passphrase <b>secret</b> 254 * of length <b>secret_len</b>, compute the key and store it into 255 * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type) 256 * bytes. Return the number of bytes written on success and an error code 257 * on failure. 258 */ 259 STATIC int 260 secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len, 261 const uint8_t *spec, size_t spec_len, 262 const char *secret, size_t secret_len, 263 int type) 264 { 265 int rv; 266 if (key_out_len > INT_MAX) 267 return S2K_BAD_LEN; 268 269 switch (type) { 270 case S2K_TYPE_RFC2440: 271 secret_to_key_rfc2440((char*)key_out, key_out_len, secret, secret_len, 272 (const char*)spec); 273 return (int)key_out_len; 274 275 case S2K_TYPE_PBKDF2: { 276 uint8_t log_iters; 277 if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX) 278 return S2K_BAD_LEN; 279 log_iters = spec[spec_len-1]; 280 if (log_iters > 31) 281 return S2K_BAD_PARAMS; 282 #ifdef ENABLE_OPENSSL 283 rv = PKCS5_PBKDF2_HMAC_SHA1(secret, (int)secret_len, 284 spec, (int)spec_len-1, 285 (1<<log_iters), 286 (int)key_out_len, key_out); 287 if (rv < 0) 288 return S2K_FAILED; 289 return (int)key_out_len; 290 #else /* !defined(ENABLE_OPENSSL) */ 291 SECItem passItem = { .type = siBuffer, 292 .data = (unsigned char *) secret, 293 .len = (int)secret_len }; 294 SECItem saltItem = { .type = siBuffer, 295 .data = (unsigned char *) spec, 296 .len = (int)spec_len - 1 }; 297 SECAlgorithmID *alg = NULL; 298 PK11SymKey *key = NULL; 299 300 rv = S2K_FAILED; 301 alg = PK11_CreatePBEV2AlgorithmID( 302 SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA1, SEC_OID_HMAC_SHA1, 303 (int)key_out_len, (1<<log_iters), &saltItem); 304 if (alg == NULL) 305 return S2K_FAILED; 306 307 key = PK11_PBEKeyGen(NULL /* slot */, 308 alg, 309 &passItem, 310 false, 311 NULL); 312 313 SECStatus st = PK11_ExtractKeyValue(key); 314 if (st != SECSuccess) 315 goto nss_pbkdf_err; 316 317 const SECItem *iptr = PK11_GetKeyData(key); 318 if (iptr == NULL) 319 goto nss_pbkdf_err; 320 321 rv = MIN((int)iptr->len, (int)key_out_len); 322 memcpy(key_out, iptr->data, rv); 323 324 nss_pbkdf_err: 325 if (key) 326 PK11_FreeSymKey(key); 327 if (alg) 328 SECOID_DestroyAlgorithmID(alg, PR_TRUE); 329 return rv; 330 #endif /* defined(ENABLE_OPENSSL) */ 331 } 332 333 case S2K_TYPE_SCRYPT: { 334 #ifdef HAVE_SCRYPT 335 uint8_t log_N, log_r, log_p; 336 uint64_t N; 337 uint32_t r, p; 338 if (spec_len < 2) 339 return S2K_BAD_LEN; 340 log_N = spec[spec_len-2]; 341 log_r = (spec[spec_len-1]) >> 4; 342 log_p = (spec[spec_len-1]) & 15; 343 if (log_N > 63) 344 return S2K_BAD_PARAMS; 345 N = ((uint64_t)1) << log_N; 346 r = 1u << log_r; 347 p = 1u << log_p; 348 rv = libscrypt_scrypt((const uint8_t*)secret, secret_len, 349 spec, spec_len-2, N, r, p, key_out, key_out_len); 350 if (rv != 0) 351 return S2K_FAILED; 352 return (int)key_out_len; 353 #else /* !defined(HAVE_SCRYPT) */ 354 return S2K_NO_SCRYPT_SUPPORT; 355 #endif /* defined(HAVE_SCRYPT) */ 356 } 357 default: 358 return S2K_BAD_ALGORITHM; 359 } 360 } 361 362 /** 363 * Given a specifier previously constructed with secret_to_key_make_specifier 364 * in <b>spec</b> of length <b>spec_len</b>, and a secret password in 365 * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b> 366 * bytes of cryptographic material in <b>key_out</b>. The native output of 367 * the secret-to-key function will be truncated if key_out_len is short, and 368 * expanded with HKDF if key_out_len is long. Returns S2K_OKAY on success, 369 * and an error code on failure. 370 */ 371 int 372 secret_to_key_derivekey(uint8_t *key_out, size_t key_out_len, 373 const uint8_t *spec, size_t spec_len, 374 const char *secret, size_t secret_len) 375 { 376 int legacy_format = 0; 377 int type = secret_to_key_get_type(spec, spec_len, 0, &legacy_format); 378 int r; 379 380 if (type < 0) 381 return type; 382 #ifndef HAVE_SCRYPT 383 if (type == S2K_TYPE_SCRYPT) 384 return S2K_NO_SCRYPT_SUPPORT; 385 #endif 386 387 if (! legacy_format) { 388 ++spec; 389 --spec_len; 390 } 391 392 r = secret_to_key_compute_key(key_out, key_out_len, spec, spec_len, 393 secret, secret_len, type); 394 if (r < 0) 395 return r; 396 else 397 return S2K_OKAY; 398 } 399 400 /** 401 * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according 402 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>. Up to 403 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Return the 404 * number of bytes used on success and an error code on failure. 405 */ 406 int 407 secret_to_key_make_specifier(uint8_t *buf, size_t buf_len, unsigned flags) 408 { 409 int rv; 410 int spec_len; 411 #ifdef HAVE_SCRYPT 412 uint8_t type = S2K_TYPE_SCRYPT; 413 #else 414 uint8_t type = S2K_TYPE_RFC2440; 415 #endif 416 417 if (flags & S2K_FLAG_NO_SCRYPT) 418 type = S2K_TYPE_RFC2440; 419 if (flags & S2K_FLAG_USE_PBKDF2) 420 type = S2K_TYPE_PBKDF2; 421 422 spec_len = secret_to_key_spec_len(type); 423 424 if ((int)buf_len < spec_len + 1) 425 return S2K_TRUNCATED; 426 427 buf[0] = type; 428 rv = make_specifier(buf+1, type, flags); 429 if (rv < 0) 430 return rv; 431 else 432 return rv + 1; 433 } 434 435 /** 436 * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according 437 * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the 438 * hash along with salt and hashing parameters into <b>buf</b>. Up to 439 * <b>buf_len</b> bytes of storage may be used in <b>buf</b>. Set 440 * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success; 441 * and return an error code on failure. 442 */ 443 int 444 secret_to_key_new(uint8_t *buf, 445 size_t buf_len, 446 size_t *len_out, 447 const char *secret, size_t secret_len, 448 unsigned flags) 449 { 450 int key_len; 451 int spec_len; 452 int type; 453 int rv; 454 455 spec_len = secret_to_key_make_specifier(buf, buf_len, flags); 456 457 if (spec_len < 0) 458 return spec_len; 459 460 type = buf[0]; 461 key_len = secret_to_key_key_len(type); 462 463 if (key_len < 0) 464 return key_len; 465 466 if ((int)buf_len < key_len + spec_len) 467 return S2K_TRUNCATED; 468 469 rv = secret_to_key_compute_key(buf + spec_len, key_len, 470 buf + 1, spec_len-1, 471 secret, secret_len, type); 472 if (rv < 0) 473 return rv; 474 475 *len_out = spec_len + key_len; 476 477 return S2K_OKAY; 478 } 479 480 /** 481 * Given a hashed passphrase in <b>spec_and_key</b> of length 482 * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether 483 * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>. 484 * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that 485 * doesn't match this secret, and another error code on other errors. 486 */ 487 int 488 secret_to_key_check(const uint8_t *spec_and_key, size_t spec_and_key_len, 489 const char *secret, size_t secret_len) 490 { 491 int is_legacy = 0; 492 int type = secret_to_key_get_type(spec_and_key, spec_and_key_len, 493 1, &is_legacy); 494 uint8_t buf[32]; 495 int spec_len; 496 int key_len; 497 int rv; 498 499 if (type < 0) 500 return type; 501 502 if (! is_legacy) { 503 spec_and_key++; 504 spec_and_key_len--; 505 } 506 507 spec_len = secret_to_key_spec_len(type); 508 key_len = secret_to_key_key_len(type); 509 tor_assert(spec_len > 0); 510 tor_assert(key_len > 0); 511 tor_assert(key_len <= (int) sizeof(buf)); 512 tor_assert((int)spec_and_key_len == spec_len + key_len); 513 rv = secret_to_key_compute_key(buf, key_len, 514 spec_and_key, spec_len, 515 secret, secret_len, type); 516 if (rv < 0) 517 goto done; 518 519 if (tor_memeq(buf, spec_and_key + spec_len, key_len)) 520 rv = S2K_OKAY; 521 else 522 rv = S2K_BAD_SECRET; 523 524 done: 525 memwipe(buf, 0, sizeof(buf)); 526 return rv; 527 }