diff options
| author | Pauli <paul.dale@oracle.com> | 2019-08-21 08:00:12 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2019-09-06 19:27:57 +1000 |
| commit | 5eb43d382b3eb3fb6950cc8e0dce82886e23e984 (patch) | |
| tree | b32e637f7349322afae2edaca63690b6b7d59d69 /providers | |
| parent | dc5bcb88d819de55eb37460c122e02fec91c6d86 (diff) | |
Move KDFs to the provider.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/common/kdfs/build.info | 13 | ||||
| -rw-r--r-- | providers/common/kdfs/hkdf.c | 440 | ||||
| -rw-r--r-- | providers/common/kdfs/pbkdf2.c | 324 | ||||
| -rw-r--r-- | providers/common/kdfs/scrypt.c | 506 | ||||
| -rw-r--r-- | providers/common/kdfs/sshkdf.c | 292 | ||||
| -rw-r--r-- | providers/common/kdfs/sskdf.c | 558 | ||||
| -rw-r--r-- | providers/common/kdfs/tls1_prf.c | 377 | ||||
| -rw-r--r-- | providers/common/kdfs/x942kdf.c | 407 |
8 files changed, 2917 insertions, 0 deletions
diff --git a/providers/common/kdfs/build.info b/providers/common/kdfs/build.info new file mode 100644 index 0000000000..422cf7471e --- /dev/null +++ b/providers/common/kdfs/build.info @@ -0,0 +1,13 @@ +$COMMON=tls1_prf.c hkdf.c scrypt.c pbkdf2.c sskdf.c + +LIBS=../../../libcrypto +SOURCE[../../../libcrypto]=$COMMON sshkdf.c x942kdf.c +INCLUDE[../../../libcrypto]=. ../../../crypto + +IF[{- !$disabled{fips} -}] + MODULES=../../fips + SOURCE[../../fips]=$COMMON + INCLUDE[../../fips]=. ../../../crypto +ENDIF + + diff --git a/providers/common/kdfs/hkdf.c b/providers/common/kdfs/hkdf.c new file mode 100644 index 0000000000..33c74da86a --- /dev/null +++ b/providers/common/kdfs/hkdf.c @@ -0,0 +1,440 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> +#include <openssl/hmac.h> +#include <openssl/evp.h> +#include <openssl/kdf.h> +#include "internal/cryptlib.h" +#include "internal/numbers.h" +#include "internal/evp_int.h" +#include "kdf_local.h" + +#define HKDF_MAXBUF 1024 + +static void kdf_hkdf_reset(EVP_KDF_IMPL *impl); +static int HKDF(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *key, size_t key_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len); +static int HKDF_Extract(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + unsigned char *prk, size_t prk_len); +static int HKDF_Expand(const EVP_MD *evp_md, + const unsigned char *prk, size_t prk_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len); + +struct evp_kdf_impl_st { + int mode; + const EVP_MD *md; + unsigned char *salt; + size_t salt_len; + unsigned char *key; + size_t key_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; +}; + +static EVP_KDF_IMPL *kdf_hkdf_new(void) +{ + EVP_KDF_IMPL *impl; + + if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) + KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE); + return impl; +} + +static void kdf_hkdf_free(EVP_KDF_IMPL *impl) +{ + kdf_hkdf_reset(impl); + OPENSSL_free(impl); +} + +static void kdf_hkdf_reset(EVP_KDF_IMPL *impl) +{ + OPENSSL_free(impl->salt); + OPENSSL_clear_free(impl->key, impl->key_len); + OPENSSL_cleanse(impl->info, impl->info_len); + memset(impl, 0, sizeof(*impl)); +} + +static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) +{ + const unsigned char *p; + size_t len; + const EVP_MD *md; + + switch (cmd) { + case EVP_KDF_CTRL_SET_MD: + md = va_arg(args, const EVP_MD *); + if (md == NULL) + return 0; + + impl->md = md; + return 1; + + case EVP_KDF_CTRL_SET_HKDF_MODE: + impl->mode = va_arg(args, int); + return 1; + + case EVP_KDF_CTRL_SET_SALT: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + if (len == 0 || p == NULL) + return 1; + + OPENSSL_free(impl->salt); + impl->salt = OPENSSL_memdup(p, len); + if (impl->salt == NULL) + return 0; + + impl->salt_len = len; + return 1; + + case EVP_KDF_CTRL_SET_KEY: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + OPENSSL_clear_free(impl->key, impl->key_len); + impl->key = OPENSSL_memdup(p, len); + if (impl->key == NULL) + return 0; + + impl->key_len = len; + return 1; + + case EVP_KDF_CTRL_RESET_HKDF_INFO: + OPENSSL_cleanse(impl->info, impl->info_len); + impl->info_len = 0; + return 1; + + case EVP_KDF_CTRL_ADD_HKDF_INFO: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + if (len == 0 || p == NULL) + return 1; + + if (len > (HKDF_MAXBUF - impl->info_len)) + return 0; + + memcpy(impl->info + impl->info_len, p, len); + impl->info_len += len; + return 1; + + default: + return -2; + } +} + +static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, + const char *value) +{ + if (strcmp(type, "mode") == 0) { + int mode; + + if (strcmp(value, "EXTRACT_AND_EXPAND") == 0) + mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; + else if (strcmp(value, "EXTRACT_ONLY") == 0) + mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; + else if (strcmp(value, "EXPAND_ONLY") == 0) + mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; + else + return 0; + + return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode); + } + + if (strcmp(type, "digest") == 0) + return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); + + if (strcmp(type, "salt") == 0) + return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); + + if (strcmp(type, "hexsalt") == 0) + return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); + + if (strcmp(type, "key") == 0) + return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); + + if (strcmp(type, "hexkey") == 0) + return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); + + if (strcmp(type, "info") == 0) + return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, + value); + + if (strcmp(type, "hexinfo") == 0) + return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, + value); + + return -2; +} + +static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl) +{ + int sz; + + if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) + return SIZE_MAX; + + if (impl->md == NULL) { + KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + sz = EVP_MD_size(impl->md); + if (sz < 0) + return 0; + + return sz; +} + +static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, + size_t keylen) +{ + if (impl->md == NULL) { + KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (impl->key == NULL) { + KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY); + return 0; + } + + switch (impl->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + return HKDF(impl->md, impl->salt, impl->salt_len, impl->key, + impl->key_len, impl->info, impl->info_len, key, + keylen); + + case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: + return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key, + impl->key_len, key, keylen); + + case EVP_KDF_HKDF_MODE_EXPAND_ONLY: + return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info, + impl->info_len, key, keylen); + + default: + return 0; + } +} + +const EVP_KDF hkdf_kdf_meth = { + EVP_KDF_HKDF, + kdf_hkdf_new, + kdf_hkdf_free, + kdf_hkdf_reset, + kdf_hkdf_ctrl, + kdf_hkdf_ctrl_str, + kdf_hkdf_size, + kdf_hkdf_derive +}; + +/* + * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" + * Section 2 (https://tools.ietf.org/html/rfc5869#section-2) and + * "Cryptographic Extraction and Key Derivation: The HKDF Scheme" + * Section 4.2 (https://eprint.iacr.org/2010/264.pdf). + * + * From the paper: + * The scheme HKDF is specified as: + * HKDF(XTS, SKM, CTXinfo, L) = K(1) | K(2) | ... | K(t) + * + * where: + * SKM is source key material + * XTS is extractor salt (which may be null or constant) + * CTXinfo is context information (may be null) + * L is the number of key bits to be produced by KDF + * k is the output length in bits of the hash function used with HMAC + * t = ceil(L/k) + * the value K(t) is truncated to its first d = L mod k bits. + * + * From RFC 5869: + * 2.2. Step 1: Extract + * HKDF-Extract(salt, IKM) -> PRK + * 2.3. Step 2: Expand + * HKDF-Expand(PRK, info, L) -> OKM + */ +static int HKDF(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len) +{ + unsigned char prk[EVP_MAX_MD_SIZE]; + int ret, sz; + size_t prk_len; + + sz = EVP_MD_size(evp_md); + if (sz < 0) + return 0; + prk_len = (size_t)sz; + + /* Step 1: HKDF-Extract(salt, IKM) -> PRK */ + if (!HKDF_Extract(evp_md, salt, salt_len, ikm, ikm_len, prk, prk_len)) + return 0; + + /* Step 2: HKDF-Expand(PRK, info, L) -> OKM */ + ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); + OPENSSL_cleanse(prk, sizeof(prk)); + + return ret; +} + +/* + * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" + * Section 2.2 (https://tools.ietf.org/html/rfc5869#section-2.2). + * + * 2.2. Step 1: Extract + * + * HKDF-Extract(salt, IKM) -> PRK + * + * Options: + * Hash a hash function; HashLen denotes the length of the + * hash function output in octets + * + * Inputs: + * salt optional salt value (a non-secret random value); + * if not provided, it is set to a string of HashLen zeros. + * IKM input keying material + * + * Output: + * PRK a pseudorandom key (of HashLen octets) + * + * The output PRK is calculated as follows: + * + * PRK = HMAC-Hash(salt, IKM) + */ +static int HKDF_Extract(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + unsigned char *prk, size_t prk_len) +{ + int sz = EVP_MD_size(evp_md); + + if (sz < 0) + return 0; + if (prk_len != (size_t)sz) { + KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); + return 0; + } + /* calc: PRK = HMAC-Hash(salt, IKM) */ + return HMAC(evp_md, salt, salt_len, ikm, ikm_len, prk, NULL) != NULL; +} + +/* + * Refer to "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" + * Section 2.3 (https://tools.ietf.org/html/rfc5869#section-2.3). + * + * 2.3. Step 2: Expand + * + * HKDF-Expand(PRK, info, L) -> OKM + * + * Options: + * Hash a hash function; HashLen denotes the length of the + * hash function output in octets + * + * Inputs: + * PRK a pseudorandom key of at least HashLen octets + * (usually, the output from the extract step) + * info optional context and application specific information + * (can be a zero-length string) + * L length of output keying material in octets + * (<= 255*HashLen) + * + * Output: + * OKM output keying material (of L octets) + * + * The output OKM is calculated as follows: + * + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L octets of T + * + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... + * + * (where the constant concatenated to the end of each T(n) is a + * single octet.) + */ +static int HKDF_Expand(const EVP_MD *evp_md, + const unsigned char *prk, size_t prk_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len) +{ + HMAC_CTX *hmac; + int ret = 0, sz; + unsigned int i; + unsigned char prev[EVP_MAX_MD_SIZE]; + size_t done_len = 0, dig_len, n; + + sz = EVP_MD_size(evp_md); + if (sz <= 0) + return 0; + dig_len = (size_t)sz; + + /* calc: N = ceil(L/HashLen) */ + n = okm_len / dig_len; + if (okm_len % dig_len) + n++; + + if (n > 255 || okm == NULL) + return 0; + + if ((hmac = HMAC_CTX_new()) == NULL) + return 0; + + if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) + goto err; + + for (i = 1; i <= n; i++) { + size_t copy_len; + const unsigned char ctr = i; + + /* calc: T(i) = HMAC-Hash(PRK, T(i - 1) | info | i) */ + if (i > 1) { + if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) + goto err; + + if (!HMAC_Update(hmac, prev, dig_len)) + goto err; + } + + if (!HMAC_Update(hmac, info, info_len)) + goto err; + + if (!HMAC_Update(hmac, &ctr, 1)) + goto err; + + if (!HMAC_Final(hmac, prev, NULL)) + goto err; + + copy_len = (done_len + dig_len > okm_len) ? + okm_len - done_len : + dig_len; + + memcpy(okm + done_len, prev, copy_len); + + done_len += copy_len; + } + ret = 1; + + err: + OPENSSL_cleanse(prev, sizeof(prev)); + HMAC_CTX_free(hmac); + return ret; +} diff --git a/providers/common/kdfs/pbkdf2.c b/providers/common/kdfs/pbkdf2.c new file mode 100644 index 0000000000..d41689773c --- /dev/null +++ b/providers/common/kdfs/pbkdf2.c @@ -0,0 +1,324 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> +#include <openssl/hmac.h> +#include <openssl/evp.h> +#include <openssl/kdf.h> +#include "internal/cryptlib.h" +#include "internal/evp_int.h" +#include "kdf_local.h" + +/* Constants specified in SP800-132 */ +#define KDF_PBKDF2_MIN_KEY_LEN_BITS 112 +#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF +#define KDF_PBKDF2_MIN_ITERATIONS 1000 +#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) +/* + * For backwards compatibility reasons, + * Extra checks are done by default in fips mode only. + */ +#ifdef FIPS_MODE +# define KDF_PBKDF2_DEFAULT_CHECKS 1 +#else +# define KDF_PBKDF2_DEFAULT_CHECKS 0 +#endif /* FIPS_MODE */ + +static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl); +static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl); +static int pbkdf2_derive(const char *pass, size_t passlen, + const unsigned char *salt, int saltlen, int iter, + const EVP_MD *digest, unsigned char *key, + size_t keylen, int extra_checks); + +struct evp_kdf_impl_st { + unsigned char *pass; + size_t pass_len; + unsigned char *salt; + size_t salt_len; + int iter; + const EVP_MD *md; + int lower_bound_checks; +}; + +static EVP_KDF_IMPL *kdf_pbkdf2_new(void) +{ + EVP_KDF_IMPL *impl; + + impl = OPENSSL_zalloc(sizeof(*impl)); + if (impl == NULL) { + KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + kdf_pbkdf2_init(impl); + return impl; +} + +static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl) +{ + kdf_pbkdf2_reset(impl); + OPENSSL_free(impl); +} + +static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl) +{ + OPENSSL_free(impl->salt); + OPENSSL_clear_free(impl->pass, impl->pass_len); + memset(impl, 0, sizeof(*impl)); + kdf_pbkdf2_init(impl); +} + +static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl) +{ + impl->iter = PKCS5_DEFAULT_ITER; + impl->md = EVP_sha1(); + impl->lower_bound_checks = KDF_PBKDF2_DEFAULT_CHECKS; +} + +static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, + const unsigned char *new_buffer, + size_t new_buflen) +{ + if (new_buffer == NULL) + return 1; + + OPENSSL_clear_free(*buffer, *buflen); + + if (new_buflen > 0) { + *buffer = OPENSSL_memdup(new_buffer, new_buflen); + } else { + *buffer = OPENSSL_malloc(1); + } + if (*buffer == NULL) { + KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE); + return 0; + } + + *buflen = new_buflen; + return 1; +} + +static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) +{ + int iter, pkcs5, min_iter; + const unsigned char *p; + size_t len; + const EVP_MD *md; + + switch (cmd) { + case EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE: + pkcs5 = va_arg(args, int); + impl->lower_bound_checks = (pkcs5 == 0) ? 1 : 0; + return 1; + case EVP_KDF_CTRL_SET_PASS: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len); + + case EVP_KDF_CTRL_SET_SALT: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + if (impl->lower_bound_checks != 0 && len < KDF_PBKDF2_MIN_SALT_LEN) { + KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_SALT_LEN); + return 0; + } + return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len); + + case EVP_KDF_CTRL_SET_ITER: + iter = va_arg(args, int); + min_iter = impl->lower_bound_checks != 0 ? KDF_PBKDF2_MIN_ITERATIONS : 1; + if (iter < min_iter) { + KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_INVALID_ITERATION_COUNT); + return 0; + } + impl->iter = iter; + return 1; + + case EVP_KDF_CTRL_SET_MD: + md = va_arg(args, const EVP_MD *); + if (md == NULL) { + KDFerr(KDF_F_KDF_PBKDF2_CTRL, KDF_R_VALUE_MISSING); + return 0; + } + + impl->md = md; + return 1; + + default: + return -2; + } +} + +static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type, + const char *value) +{ + if (value == NULL) { + KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING); + return 0; + } + + if (strcmp(type, "pass") == 0) + return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, + value); + + if (strcmp(type, "hexpass") == 0) + return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, + value); + + if (strcmp(type, "salt") == 0) + return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, + value); + + if (strcmp(type, "hexsalt") == 0) + return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, + value); + + if (strcmp(type, "iter") == 0) + return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER, + atoi(value)); + + if (strcmp(type, "digest") == 0) + return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value); + + if (strcmp(type, "pkcs5") == 0) + return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, + EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE, value); + return -2; +} + +static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key, + size_t keylen) +{ + if (impl->pass == NULL) { + KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS); + return 0; + } + + if (impl->salt == NULL) { + KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT); + return 0; + } + + return pbkdf2_derive((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen, impl->lower_bound_checks); +} + +const EVP_KDF pbkdf2_kdf_meth = { + EVP_KDF_PBKDF2, + kdf_pbkdf2_new, + kdf_pbkdf2_free, + kdf_pbkdf2_reset, + kdf_pbkdf2_ctrl, + kdf_pbkdf2_ctrl_str, + NULL, + kdf_pbkdf2_derive +}; + +/* + * This is an implementation of PKCS#5 v2.0 password based encryption key + * derivation function PBKDF2. SHA1 version verified against test vectors + * posted by Peter Gutmann to the PKCS-TNG mailing list. + * + * The constraints specified by SP800-132 have been added i.e. + * - Check the range of the key length. + * - Minimum iteration count of 1000. + * - Randomly-generated portion of the salt shall be at least 128 bits. + */ +static int pbkdf2_derive(const char *pass, size_t passlen, + const unsigned char *salt, int saltlen, int iter, + const EVP_MD *digest, unsigned char *key, + size_t keylen, int lower_bound_checks) +{ + int ret = 0; + unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; + int cplen, j, k, tkeylen, mdlen; + unsigned long i = 1; + HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; + + mdlen = EVP_MD_size(digest); + if (mdlen <= 0) + return 0; + + /* + * This check should always be done because keylen / mdlen >= (2^32 - 1) + * results in an overflow of the loop counter 'i'. + */ + if ((keylen / mdlen) >= KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO) { + KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN); + return 0; + } + + if (lower_bound_checks) { + if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { + KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_KEY_LEN); + return 0; + } + if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { + KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_SALT_LEN); + return 0; + } + if (iter < KDF_PBKDF2_MIN_ITERATIONS) { + KDFerr(KDF_F_PBKDF2_DERIVE, KDF_R_INVALID_ITERATION_COUNT); + return 0; + } + } + + hctx_tpl = HMAC_CTX_new(); + if (hctx_tpl == NULL) + return 0; + p = key; + tkeylen = keylen; + if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) + goto err; + hctx = HMAC_CTX_new(); + if (hctx == NULL) + goto err; + while (tkeylen) { + if (tkeylen > mdlen) + cplen = mdlen; + else + cplen = tkeylen; + /* + * We are unlikely to ever use more than 256 blocks (5120 bits!) but + * just in case... + */ + itmp[0] = (unsigned char)((i >> 24) & 0xff); + itmp[1] = (unsigned char)((i >> 16) & 0xff); + itmp[2] = (unsigned char)((i >> 8) & 0xff); + itmp[3] = (unsigned char)(i & 0xff); + if (!HMAC_CTX_copy(hctx, hctx_tpl)) + goto err; + if (!HMAC_Update(hctx, salt, saltlen) + || !HMAC_Update(hctx, itmp, 4) + || !HMAC_Final(hctx, digtmp, NULL)) + goto err; + memcpy(p, digtmp, cplen); + for (j = 1; j < iter; j++) { + if (!HMAC_CTX_copy(hctx, hctx_tpl)) + goto err; + if (!HMAC_Update(hctx, digtmp, mdlen) + || !HMAC_Final(hctx, digtmp, NULL)) + goto err; + for (k = 0; k < cplen; k++) + p[k] ^= digtmp[k]; + } + tkeylen -= cplen; + i++; + p += cplen; + } + ret = 1; + +err: + HMAC_CTX_free(hctx); + HMAC_CTX_free(hctx_tpl); + return ret; +} diff --git a/providers/common/kdfs/scrypt.c b/providers/common/kdfs/scrypt.c new file mode 100644 index 0000000000..29ceeb3ad9 --- /dev/null +++ b/providers/common/kdfs/scrypt.c @@ -0,0 +1,506 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> +#include <openssl/evp.h> +#include <openssl/kdf.h> +#include <openssl/err.h> +#include "internal/evp_int.h" +#include "internal/numbers.h" +#include "kdf_local.h" + +#ifndef OPENSSL_NO_SCRYPT + +static void kdf_scrypt_reset(EVP_KDF_IMPL *impl); +static void kdf_scrypt_init(EVP_KDF_IMPL *impl); +static int atou64(const char *nptr, uint64_t *result); +static int scrypt_alg(const char *pass, size_t passlen, + const unsigned char *salt, size_t saltlen, + uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, + unsigned char *key, size_t keylen); + +struct evp_kdf_impl_st { + unsigned char *pass; + size_t pass_len; + unsigned char *salt; + size_t salt_len; + uint64_t N; + uint32_t r, p; + uint64_t maxmem_bytes; +}; + +/* Custom uint64_t parser since we do not have strtoull */ +static int atou64(const char *nptr, uint64_t *result) +{ + uint64_t value = 0; + + while (*nptr) { + unsigned int digit; + uint64_t new_value; + + if ((*nptr < '0') || (*nptr > '9')) { + return 0; + } + digit = (unsigned int)(*nptr - '0'); + new_value = (value * 10) + digit; + if ((new_value < digit) || ((new_value - digit) / 10 != value)) { + /* Overflow */ + return 0; + } + value = new_value; + nptr++; + } + *result = value; + return 1; +} + +static EVP_KDF_IMPL *kdf_scrypt_new(void) +{ + EVP_KDF_IMPL *impl; + + impl = OPENSSL_zalloc(sizeof(*impl)); + if (impl == NULL) { + KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + kdf_scrypt_init(impl); + return impl; +} + +static void kdf_scrypt_free(EVP_KDF_IMPL *impl) +{ + kdf_scrypt_reset(impl); + OPENSSL_free(impl); +} + +static void kdf_scrypt_reset(EVP_KDF_IMPL *impl) +{ + OPENSSL_free(impl->salt); + OPENSSL_clear_free(impl->pass, impl->pass_len); + memset(impl, 0, sizeof(*impl)); + kdf_scrypt_init(impl); +} + +static void kdf_scrypt_init(EVP_KDF_IMPL *impl) +{ + /* Default values are the most conservative recommendation given in the + * original paper of C. Percival. Derivation uses roughly 1 GiB of memory + * for this parameter choice (approx. 128 * r * N * p bytes). + */ + impl->N = 1 << 20; + impl->r = 8; + impl->p = 1; + impl->maxmem_bytes = 1025 * 1024 * 1024; +} + +static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, + const unsigned char *new_buffer, + size_t new_buflen) +{ + if (new_buffer == NULL) + return 1; + + OPENSSL_clear_free(*buffer, *buflen); + + if (new_buflen > 0) { + *buffer = OPENSSL_memdup(new_buffer, new_buflen); + } else { + *buffer = OPENSSL_malloc(1); + } + if (*buffer == NULL) { + KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); + return 0; + } + + *buflen = new_buflen; + return 1; +} + +static int is_power_of_two(uint64_t value) +{ + return (value != 0) && ((value & (value - 1)) == 0); +} + +static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) +{ + uint64_t u64_value; + uint32_t value; + const unsigned char *p; + size_t len; + + switch (cmd) { + case EVP_KDF_CTRL_SET_PASS: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len); + + case EVP_KDF_CTRL_SET_SALT: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len); + + case EVP_KDF_CTRL_SET_SCRYPT_N: + u64_value = va_arg(args, uint64_t); + if ((u64_value <= 1) || !is_power_of_two(u64_value)) + return 0; + + impl->N = u64_value; + return 1; + + case EVP_KDF_CTRL_SET_SCRYPT_R: + value = va_arg(args, uint32_t); + if (value < 1) + return 0; + + impl->r = value; + return 1; + + case EVP_KDF_CTRL_SET_SCRYPT_P: + value = va_arg(args, uint32_t); + if (value < 1) + return 0; + + impl->p = value; + return 1; + + case EVP_KDF_CTRL_SET_MAXMEM_BYTES: + u64_value = va_arg(args, uint64_t); + if (u64_value < 1) + return 0; + + impl->maxmem_bytes = u64_value; + return 1; + + default: + return -2; + } +} + +static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd, + const char *value) +{ + int int_value = atoi(value); + + if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) { + KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR); + return 0; + } + return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value); +} + +static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd, + const char *value) +{ + uint64_t u64_value; + + if (!atou64(value, &u64_value)) { + KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); + return 0; + } + return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value); +} + +static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type, + const char *value) +{ + if (value == NULL) { + KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); + return 0; + } + + if (strcmp(type, "pass") == 0) + return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, + value); + + if (strcmp(type, "hexpass") == 0) + return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, + value); + + if (strcmp(type, "salt") == 0) + return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, + value); + + if (strcmp(type, "hexsalt") == 0) + return kdf_hex2ctrl(impl, kdf_scry |