diff options
| author | Pauli <paul.dale@oracle.com> | 2019-08-21 08:00:12 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2019-09-06 19:27:57 +1000 |
| commit | 5eb43d382b3eb3fb6950cc8e0dce82886e23e984 (patch) | |
| tree | b32e637f7349322afae2edaca63690b6b7d59d69 /crypto/kdf | |
| parent | dc5bcb88d819de55eb37460c122e02fec91c6d86 (diff) | |
Move KDFs to the provider.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
Diffstat (limited to 'crypto/kdf')
| -rw-r--r-- | crypto/kdf/hkdf.c | 440 | ||||
| -rw-r--r-- | crypto/kdf/pbkdf2.c | 324 | ||||
| -rw-r--r-- | crypto/kdf/scrypt.c | 506 | ||||
| -rw-r--r-- | crypto/kdf/sshkdf.c | 292 | ||||
| -rw-r--r-- | crypto/kdf/sskdf.c | 558 | ||||
| -rw-r--r-- | crypto/kdf/tls1_prf.c | 375 | ||||
| -rw-r--r-- | crypto/kdf/x942kdf.c | 407 |
7 files changed, 0 insertions, 2902 deletions
diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c deleted file mode 100644 index 33c74da86a..0000000000 --- a/crypto/kdf/hkdf.c +++ /dev/null @@ -1,440 +0,0 @@ -/* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <openssl/hmac.h> -#include <openssl/evp.h> -#include <openssl/kdf.h> -#include "internal/cryptlib.h" -#include "internal/numbers.h" -#include "internal/evp_int.h" -#include "kdf_local.h" - -#define HKDF_MAXBUF 1024 - -static void kdf_hkdf_reset(EVP_KDF_IMPL *impl); -static int HKDF(const EVP_MD *evp_md, - const unsigned char *salt, size_t salt_len, - const unsigned char *key, size_t key_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len); -static int HKDF_Extract(const EVP_MD *evp_md, - const unsigned char *salt, size_t salt_len, - const unsigned char *ikm, size_t ikm_len, - unsigned char *prk, size_t prk_len); -static int HKDF_Expand(const EVP_MD *evp_md, - const unsigned char *prk, size_t prk_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len); - -struct evp_kdf_impl_st { - int mode; - const EVP_MD *md; - unsigned char *salt; - size_t salt_len; - unsigned char *key; - size_t key_len; - unsigned char info[HKDF_MAXBUF]; - size_t info_len; -}; - -static EVP_KDF_IMPL *kdf_hkdf_new(void) -{ - EVP_KDF_IMPL *impl; - - if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) - KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE); - return impl; -} - -static void kdf_hkdf_free(EVP_KDF_IMPL *impl) -{ - kdf_hkdf_reset(impl); - OPENSSL_free(impl); -} - -static void kdf_hkdf_reset(EVP_KDF_IMPL *impl) -{ - OPENSSL_free(impl->salt); - OPENSSL_clear_free(impl->key, impl->key_len); - OPENSSL_cleanse(impl->info, impl->info_len); - memset(impl, 0, sizeof(*impl)); -} - -static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) -{ - const unsigned char *p; - size_t len; - const EVP_MD *md; - - switch (cmd) { - case EVP_KDF_CTRL_SET_MD: - md = va_arg(args, const EVP_MD *); - if (md == NULL) - return 0; - - impl->md = md; - return 1; - - case EVP_KDF_CTRL_SET_HKDF_MODE: - impl->mode = va_arg(args, int); - return 1; - - case EVP_KDF_CTRL_SET_SALT: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - if (len == 0 || p == NULL) - return 1; - - OPENSSL_free(impl->salt); - impl->salt = OPENSSL_memdup(p, len); - if (impl->salt == NULL) - return 0; - - impl->salt_len = len; - return 1; - - case EVP_KDF_CTRL_SET_KEY: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - OPENSSL_clear_free(impl->key, impl->key_len); - impl->key = OPENSSL_memdup(p, len); - if (impl->key == NULL) - return 0; - - impl->key_len = len; - return 1; - - case EVP_KDF_CTRL_RESET_HKDF_INFO: - OPENSSL_cleanse(impl->info, impl->info_len); - impl->info_len = 0; - return 1; - - case EVP_KDF_CTRL_ADD_HKDF_INFO: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - if (len == 0 || p == NULL) - return 1; - - if (len > (HKDF_MAXBUF - impl->info_len)) - return 0; - - memcpy(impl->info + impl->info_len, p, len); - impl->info_len += len; - return 1; - - default: - return -2; - } -} - -static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, - const char *value) -{ - if (strcmp(type, "mode") == 0) { - int mode; - - if (strcmp(value, "EXTRACT_AND_EXPAND") == 0) - mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; - else if (strcmp(value, "EXTRACT_ONLY") == 0) - mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; - else if (strcmp(value, "EXPAND_ONLY") == 0) - mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; - else - return 0; - - return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode); - } - - if (strcmp(type, "digest") == 0) - return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); - - if (strcmp(type, "salt") == 0) - return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); - - if (strcmp(type, "hexsalt") == 0) - return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); - - if (strcmp(type, "key") == 0) - return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); - - if (strcmp(type, "hexkey") == 0) - return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); - - if (strcmp(type, "info") == 0) - return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, - value); - - if (strcmp(type, "hexinfo") == 0) - return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, - value); - - return -2; -} - -static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl) -{ - int sz; - - if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) - return SIZE_MAX; - - if (impl->md == NULL) { - KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); - return 0; - } - sz = EVP_MD_size(impl->md); - if (sz < 0) - return 0; - - return sz; -} - -static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, - size_t keylen) -{ - if (impl->md == NULL) { - KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); - return 0; - } - if (impl->key == NULL) { - KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY); - return 0; - } - - switch (impl->mode) { - case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: - return HKDF(impl->md, impl->salt, impl->salt_len, impl->key, - impl->key_len, impl->info, impl->info_len, key, - keylen); - - case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: - return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key, - impl->key_len, key, keylen); - - case EVP_KDF_HKDF_MODE_EXPAND_ONLY: - return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info, - impl->info_len, key, keylen); - - default: - return 0; - } -} - -const EVP_KDF hkdf_kdf_meth = { - EVP_KDF_HKDF, - kdf_hkdf_new, - kdf_hkdf_free, - kdf_hkdf_reset, - kdf_hkdf_ctrl, - kdf_hkdf_ctrl_str, - kdf_hkdf_size, - kdf_hkdf_derive -}; - -/* - * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" - * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and - * "Cryptographic Extraction and Key Derivation: The HKDF Scheme" - * Section 4.2 (https://eprint.iacr.org/2010/264.pdf). - * - * From the paper: - * The scheme HKDF is specified as: - * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t) - * - * where: - * SKM is source key material - * XTS is extractor salt (which may be null or constant) - * CTXinfo is context information (may be null) - * L is the number of key bits to be produced by KDF - * k is the output length in bits of the hash function used with HMAC - * t = ceil(L/k) - * the value K(t) is truncated to its first d = L mod k bits. - * - * From RFC 5869: - * 2.2. Step 1: Extract - * HKDF-Extract(salt, IKM) -> PRK - * 2.3. Step 2: Expand - * HKDF-Expand(PRK, info, L) -> OKM - */ -static int HKDF(const EVP_MD *evp_md, - const unsigned char *salt, size_t salt_len, - const unsigned char *ikm, size_t ikm_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len) -{ - unsigned char prk[EVP_MAX_MD_SIZE]; - int ret, sz; - size_t prk_len; - - sz = EVP_MD_size(evp_md); - if (sz < 0) - return 0; - prk_len = (size_t)sz; - - /* Step 1: HKDF-Extract(salt, IKM) -> PRK */ - if (!HKDF_Extract(evp_md, salt, salt_len, ikm, ikm_len, prk, prk_len)) - return 0; - - /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */ - ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); - OPENSSL_cleanse(prk, sizeof(prk)); - - return ret; -} - -/* - * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" - * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2). - * - * 2.2. Step 1: Extract - * - * HKDF-Extract(salt, IKM) -> PRK - * - * Options: - * Hash a hash function; HashLen denotes the length of the - * hash function output in octets - * - * Inputs: - * salt optional salt value (a non-secret random value); - * if not provided, it is set to a string of HashLen zeros. - * IKM input keying material - * - * Output: - * PRK a pseudorandom key (of HashLen octets) - * - * The output PRK is calculated as follows: - * - * PRK = HMAC-Hash(salt, IKM) - */ -static int HKDF_Extract(const EVP_MD *evp_md, - const unsigned char *salt, size_t salt_len, - const unsigned char *ikm, size_t ikm_len, - unsigned char *prk, size_t prk_len) -{ - int sz = EVP_MD_size(evp_md); - - if (sz < 0) - return 0; - if (prk_len != (size_t)sz) { - KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); - return 0; - } - /* calc: PRK = HMAC-Hash(salt, IKM) */ - return HMAC(evp_md, salt, salt_len, ikm, ikm_len, prk, NULL) != NULL; -} - -/* - * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" - * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3). - * - * 2.3. Step 2: Expand - * - * HKDF-Expand(PRK, info, L) -> OKM - * - * Options: - * Hash a hash function; HashLen denotes the length of the - * hash function output in octets - * - * Inputs: - * PRK a pseudorandom key of at least HashLen octets - * (usually, the output from the extract step) - * info optional context and application specific information - * (can be a zero-length string) - * L length of output keying material in octets - * (<= 255*HashLen) - * - * Output: - * OKM output keying material (of L octets) - * - * The output OKM is calculated as follows: - * - * N = ceil(L/HashLen) - * T = T(1) | T(2) | T(3) | ... | T(N) - * OKM = first L octets of T - * - * where: - * T(0) = empty string (zero length) - * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) - * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) - * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) - * ... - * - * (where the constant concatenated to the end of each T(n) is a - * single octet.) - */ -static int HKDF_Expand(const EVP_MD *evp_md, - const unsigned char *prk, size_t prk_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len) -{ - HMAC_CTX *hmac; - int ret = 0, sz; - unsigned int i; - unsigned char prev[EVP_MAX_MD_SIZE]; - size_t done_len = 0, dig_len, n; - - sz = EVP_MD_size(evp_md); - if (sz <= 0) - return 0; - dig_len = (size_t)sz; - - /* calc: N = ceil(L/HashLen) */ - n = okm_len / dig_len; - if (okm_len % dig_len) - n++; - - if (n > 255 || okm == NULL) - return 0; - - if ((hmac = HMAC_CTX_new()) == NULL) - return 0; - - if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) - goto err; - - for (i = 1; i <= n; i++) { - size_t copy_len; - const unsigned char ctr = i; - - /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */ - if (i > 1) { - if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) - goto err; - - if (!HMAC_Update(hmac, prev, dig_len)) - goto err; - } - - if (!HMAC_Update(hmac, info, info_len)) - goto err; - - if (!HMAC_Update(hmac, &ctr, 1)) - goto err; - - if (!HMAC_Final(hmac, prev, NULL)) - goto err; - - copy_len = (done_len + dig_len > okm_len) ? - okm_len - done_len : - dig_len; - - memcpy(okm + done_len, prev, copy_len); - - done_len += copy_len; - } - ret = 1; - - err: - OPENSSL_cleanse(prev, sizeof(prev)); - HMAC_CTX_free(hmac); - return ret; -} diff --git a/crypto/kdf/pbkdf2.c b/crypto/kdf/pbkdf2.c deleted file mode 100644 index d41689773c..0000000000 --- a/crypto/kdf/pbkdf2.c +++ /dev/null @@ -1,324 +0,0 @@ -/* - * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <openssl/hmac.h> -#include <openssl/evp.h> -#include <openssl/kdf.h> -#include "internal/cryptlib.h" -#include "internal/evp_int.h" -#include "kdf_local.h" - -/* Constants specified in SP800-132 */ -#define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 -#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF -#define KDF_PBKDF2_MIN_ITERATIONS 1000 -#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) -/* - * For backwards compatibility reasons, - * Extra checks are done by default in fips mode only. - */ -#ifdef FIPS_MODE -# define KDF_PBKDF2_DEFAULT_CHECKS 1 -#else -# define KDF_PBKDF2_DEFAULT_CHECKS 0 -#endif /* FIPS_MODE */ - -static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl); -static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl); -static int pbkdf2_derive(const char *pass, size_t passlen, - const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, unsigned char *key, - size_t keylen, int extra_checks); - -struct evp_kdf_impl_st { - unsigned char *pass; - size_t pass_len; - unsigned char *salt; - size_t salt_len; - int iter; - const EVP_MD *md; - int lower_bound_checks; -}; - -static EVP_KDF_IMPL *kdf_pbkdf2_new(void) -{ - EVP_KDF_IMPL *impl; - - impl = OPENSSL_zalloc(sizeof(*impl)); - if (impl == NULL) { - KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } - kdf_pbkdf2_init(impl); - return impl; -} - -static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl) -{ - kdf_pbkdf2_reset(impl); - OPENSSL_free(impl); -} - -static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl) -{ - OPENSSL_free(impl->salt); - OPENSSL_clear_free(impl->pass, impl->pass_len); - memset(impl, 0, sizeof(*impl)); - kdf_pbkdf2_init(impl); -} - -static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl) -{ - impl->iter = PKCS5_DEFAULT_ITER; - impl->md = EVP_sha1(); - impl->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS; -} - -static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, - const unsigned char *new_buffer, - size_t new_buflen) -{ - if (new_buffer == NULL) - return 1; - - OPENSSL_clear_free(*buffer, *buflen); - - if (new_buflen > 0) { - *buffer = OPENSSL_memdup(new_buffer, new_buflen); - } else { - *buffer = OPENSSL_malloc(1); - } - if (*buffer == NULL) { - KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE); - return 0; - } - - *buflen = new_buflen; - return 1; -} - -static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) -{ - int iter, pkcs5, min_iter; - const unsigned char *p; - size_t len; - const EVP_MD *md; - - switch (cmd) { - case EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE: - pkcs5 = va_arg(args, int); - impl->lower_bound_checks = (pkcs5 == 0) ? 1 : 0; - return 1; - case EVP_KDF_CTRL_SET_PASS: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len); - - case EVP_KDF_CTRL_SET_SALT: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - if (impl->lower_bound_checks != 0 && len < KDF_PBKDF2_MIN_SALT_LEN) { - KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_SALT_LEN); - return 0; - } - return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len); - - case EVP_KDF_CTRL_SET_ITER: - iter = va_arg(args, int); - min_iter = impl->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1; - if (iter < min_iter) { - KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_ITERATION_COUNT); - return 0; - } - impl->iter = iter; - return 1; - - case EVP_KDF_CTRL_SET_MD: - md = va_arg(args, const EVP_MD *); - if (md == NULL) { - KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_VALUE_MISSING); - return 0; - } - - impl->md = md; - return 1; - - default: - return -2; - } -} - -static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type, - const char *value) -{ - if (value == NULL) { - KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING); - return 0; - } - - if (strcmp(type, "pass") == 0) - return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, - value); - - if (strcmp(type, "hexpass") == 0) - return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, - value); - - if (strcmp(type, "salt") == 0) - return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, - value); - - if (strcmp(type, "hexsalt") == 0) - return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, - value); - - if (strcmp(type, "iter") == 0) - return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER, - atoi(value)); - - if (strcmp(type, "digest") == 0) - return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value); - - if (strcmp(type, "pkcs5") == 0) - return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, - EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE, value); - return -2; -} - -static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key, - size_t keylen) -{ - if (impl->pass == NULL) { - KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS); - return 0; - } - - if (impl->salt == NULL) { - KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT); - return 0; - } - - return pbkdf2_derive((char *)impl->pass, impl->pass_len, - impl->salt, impl->salt_len, impl->iter, - impl->md, key, keylen, impl->lower_bound_checks); -} - -const EVP_KDF pbkdf2_kdf_meth = { - EVP_KDF_PBKDF2, - kdf_pbkdf2_new, - kdf_pbkdf2_free, - kdf_pbkdf2_reset, - kdf_pbkdf2_ctrl, - kdf_pbkdf2_ctrl_str, - NULL, - kdf_pbkdf2_derive -}; - -/* - * This is an implementation of PKCS#5 v2.0 password based encryption key - * derivation function PBKDF2. SHA1 version verified against test vectors - * posted by Peter Gutmann to the PKCS-TNG mailing list. - * - * The constraints specified by SP800-132 have been added i.e. - * - Check the range of the key length. - * - Minimum iteration count of 1000. - * - Randomly-generated portion of the salt shall be at least 128 bits. - */ -static int pbkdf2_derive(const char *pass, size_t passlen, - const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, unsigned char *key, - size_t keylen, int lower_bound_checks) -{ - int ret = 0; - unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; - int cplen, j, k, tkeylen, mdlen; - unsigned long i = 1; - HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; - - mdlen = EVP_MD_size(digest); - if (mdlen <= 0) - return 0; - - /* - * This check should always be done because keylen / mdlen >= (2^32 - 1) - * results in an overflow of the loop counter 'i'. - */ - if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) { - KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN); - return 0; - } - - if (lower_bound_checks) { - if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { - KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN); - return 0; - } - if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { - KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_SALT_LEN); - return 0; - } - if (iter < KDF_PBKDF2_MIN_ITERATIONS) { - KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_ITERATION_COUNT); - return 0; - } - } - - hctx_tpl = HMAC_CTX_new(); - if (hctx_tpl == NULL) - return 0; - p = key; - tkeylen = keylen; - if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) - goto err; - hctx = HMAC_CTX_new(); - if (hctx == NULL) - goto err; - while (tkeylen) { - if (tkeylen > mdlen) - cplen = mdlen; - else - cplen = tkeylen; - /* - * We are unlikely to ever use more than 256 blocks (5120 bits!) but - * just in case... - */ - itmp[0] = (unsigned char)((i >> 24) & 0xff); - itmp[1] = (unsigned char)((i >> 16) & 0xff); - itmp[2] = (unsigned char)((i >> 8) & 0xff); - itmp[3] = (unsigned char)(i & 0xff); - if (!HMAC_CTX_copy(hctx, hctx_tpl)) - goto err; - if (!HMAC_Update(hctx, salt, saltlen) - || !HMAC_Update(hctx, itmp, 4) - || !HMAC_Final(hctx, digtmp, NULL)) - goto err; - memcpy(p, digtmp, cplen); - for (j = 1; j < iter; j++) { - if (!HMAC_CTX_copy(hctx, hctx_tpl)) - goto err; - if (!HMAC_Update(hctx, digtmp, mdlen) - || !HMAC_Final(hctx, digtmp, NULL)) - goto err; - for (k = 0; k < cplen; k++) - p[k] ^= digtmp[k]; - } - tkeylen -= cplen; - i++; - p += cplen; - } - ret = 1; - -err: - HMAC_CTX_free(hctx); - HMAC_CTX_free(hctx_tpl); - return ret; -} diff --git a/crypto/kdf/scrypt.c b/crypto/kdf/scrypt.c deleted file mode 100644 index 29ceeb3ad9..0000000000 --- a/crypto/kdf/scrypt.c +++ /dev/null @@ -1,506 +0,0 @@ -/* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <openssl/evp.h> -#include <openssl/kdf.h> -#include <openssl/err.h> -#include "internal/evp_int.h" -#include "internal/numbers.h" -#include "kdf_local.h" - -#ifndef OPENSSL_NO_SCRYPT - -static void kdf_scrypt_reset(EVP_KDF_IMPL *impl); -static void kdf_scrypt_init(EVP_KDF_IMPL *impl); -static int atou64(const char *nptr, uint64_t *result); -static int scrypt_alg(const char *pass, size_t passlen, - const unsigned char *salt, size_t saltlen, - uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, - unsigned char *key, size_t keylen); - -struct evp_kdf_impl_st { - unsigned char *pass; - size_t pass_len; - unsigned char *salt; - size_t salt_len; - uint64_t N; - uint32_t r, p; - uint64_t maxmem_bytes; -}; - -/* Custom uint64_t parser since we do not have strtoull */ -static int atou64(const char *nptr, uint64_t *result) -{ - uint64_t value = 0; - - while (*nptr) { - unsigned int digit; - uint64_t new_value; - - if ((*nptr < '0') || (*nptr > '9')) { - return 0; - } - digit = (unsigned int)(*nptr - '0'); - new_value = (value * 10) + digit; - if ((new_value < digit) || ((new_value - digit) / 10 != value)) { - /* Overflow */ - return 0; - } - value = new_value; - nptr++; - } - *result = value; - return 1; -} - -static EVP_KDF_IMPL *kdf_scrypt_new(void) -{ - EVP_KDF_IMPL *impl; - - impl = OPENSSL_zalloc(sizeof(*impl)); - if (impl == NULL) { - KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } - kdf_scrypt_init(impl); - return impl; -} - -static void kdf_scrypt_free(EVP_KDF_IMPL *impl) -{ - kdf_scrypt_reset(impl); - OPENSSL_free(impl); -} - -static void kdf_scrypt_reset(EVP_KDF_IMPL *impl) -{ - OPENSSL_free(impl->salt); - OPENSSL_clear_free(impl->pass, impl->pass_len); - memset(impl, 0, sizeof(*impl)); - kdf_scrypt_init(impl); -} - -static void kdf_scrypt_init(EVP_KDF_IMPL *impl) -{ - /* Default values are the most conservative recommendation given in the - * original paper of C. Percival. Derivation uses roughly 1 GiB of memory - * for this parameter choice (approx. 128 * r * N * p bytes). - */ - impl->N = 1 << 20; - impl->r = 8; - impl->p = 1; - impl->maxmem_bytes = 1025 * 1024 * 1024; -} - -static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, - const unsigned char *new_buffer, - size_t new_buflen) -{ - if (new_buffer == NULL) - return 1; - - OPENSSL_clear_free(*buffer, *buflen); - - if (new_buflen > 0) { - *buffer = OPENSSL_memdup(new_buffer, new_buflen); - } else { - *buffer = OPENSSL_malloc(1); - } - if (*buffer == NULL) { - KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); - return 0; - } - - *buflen = new_buflen; - return 1; -} - -static int is_power_of_two(uint64_t value) -{ - return (value != 0) && ((value & (value - 1)) == 0); -} - -static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) -{ - uint64_t u64_value; - uint32_t value; - const unsigned char *p; - size_t len; - - switch (cmd) { - case EVP_KDF_CTRL_SET_PASS: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len); - - case EVP_KDF_CTRL_SET_SALT: - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len); - - case EVP_KDF_CTRL_SET_SCRYPT_N: - u64_value = va_arg(args, uint64_t); - if ((u64_value <= 1) || !is_power_of_two(u64_value)) - return 0; - - impl->N = u64_value; - return 1; - - case EVP_KDF_CTRL_SET_SCRYPT_R: - value = va_arg(args, uint32_t); - if (value < 1) - return 0; - - impl->r = value; - return 1; - - case EVP_KDF_CTRL_SET_SCRYPT_P: - value = va_arg(args, uint32_t); - if (value < 1) - return 0; - - impl->p = value; - return 1; - - case EVP_KDF_CTRL_SET_MAXMEM_BYTES: - u64_value = va_arg(args, uint64_t); - if (u64_value < 1) - return 0; - - impl->maxmem_bytes = u64_value; - return 1; - - default: - return -2; - } -} - -static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd, - const char *value) -{ - int int_value = atoi(value); - - if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) { - KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR); - return 0; - } - return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value); -} - -static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd, - const char *value) -{ - uint64_t u64_value; - - if (!atou64(value, &u64_value)) { - KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); - return 0; - } - return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value); -} - -static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type, - const char *value) -{ - if (value == NULL) { - KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); - return 0; - } - - if (strcmp(type, "pass") == 0) - return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, - value); - - if (strcmp(type, "hexpass") == 0) - return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, - value); - - if (strcmp(type, "salt") == 0) - return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, - value); - - if (strcmp(type, "hexsalt") == 0) - return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, - value); - - if (strcmp(type, "N") == 0) - return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value); - - if (strcmp(type, "r") == 0) - return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value); - - if (strcmp(type, "p") == 0) - return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value); - - if (strcmp(type, "maxmem_bytes") == 0) - return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES, - value); - - return -2; -} - -static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key, - size_t keylen) -{ - if (impl->pass == NULL) { - KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS); - return 0; - } - - if (impl->salt == NULL) { - KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSI |