More generic passphrase hashing code, including scrypt support

Uses libscrypt when found; otherwise, we don't have scrypt and we
only support openpgp rfc2440 s2k hashing, or pbkdf2.

Includes documentation and unit tests; coverage around 95%. Remaining
uncovered code is sanity-checks that shouldn't be reachable fwict.

1 files changed, 405 insertions, 0 deletions

diff --git a/src/common/crypto_s2k.c b/src/common/crypto_s2k.c
index 669ee5301b..8f08a22825 100644
--- a/src/common/crypto_s2k.c
+++ b/src/common/crypto_s2k.c
@@ -7,6 +7,165 @@
 #include "crypto.h"
 #include "util.h"
 #include "compat.h"
+#include "crypto_s2k.h"
+
+#include <openssl/evp.h>
+
+#ifdef HAVE_LIBSCRYPT_H
+#define HAVE_SCRYPT
+#include <libscrypt.h>
+#endif
+
+/* Encoded secrets take the form:
+
+     u8 type;
+     u8 salt_and_parameters[depends on type];
+     u8 key[depends on type];
+
+   As a special case, if the encoded secret is exactly 29 bytes long,
+   type 0 is understood.
+
+   Recognized types are:
+       00 -- RFC2440. salt_and_parameters is 9 bytes. key is 20 bytes.
+                salt_and_parameters is 8 bytes random salt,
+                1 byte iteration info.
+       01 -- PKBDF2_SHA1. salt_and_parameters is 17 bytes. key is 20 bytes.
+                salt_and_parameters is 16 bytes random salt,
+                1 byte iteration info.
+       02 -- SCRYPT_SALSA208_SHA256. salt_and_parameters is 18 bytes. key is
+             32 bytes.
+                salt_and_parameters is 18 bytes random salt, 2 bytes iteration
+                info.
+*/
+
+#define S2K_TYPE_RFC2440 0
+#define S2K_TYPE_PBKDF2  1
+#define S2K_TYPE_SCRYPT  2
+
+#define PBKDF2_SPEC_LEN 17
+#define PBKDF2_KEY_LEN 20
+
+#define SCRYPT_SPEC_LEN 18
+#define SCRYPT_KEY_LEN 32
+
+/** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
+ * specifier part of it, without the prefix type byte. */
+static int
+secret_to_key_spec_len(uint8_t type)
+{
+  switch (type) {
+    case S2K_TYPE_RFC2440:
+      return S2K_RFC2440_SPECIFIER_LEN;
+    case S2K_TYPE_PBKDF2:
+      return PBKDF2_SPEC_LEN;
+    case S2K_TYPE_SCRYPT:
+      return SCRYPT_SPEC_LEN;
+    default:
+      return -1;
+  }
+}
+
+/** Given an algorithm ID (one of S2K_TYPE_*), return the length of the
+ * its preferred output. */
+static int
+secret_to_key_key_len(uint8_t type)
+{
+  switch (type) {
+    case S2K_TYPE_RFC2440:
+      return DIGEST_LEN;
+    case S2K_TYPE_PBKDF2:
+      return DIGEST_LEN;
+    case S2K_TYPE_SCRYPT:
+      return DIGEST256_LEN;
+    default:
+      return -1;
+  }
+}
+
+/** Given a specifier in <b>spec_and_key</b> of length
+ * <b>spec_and_key_len</b>, along with its prefix algorithm ID byte, and along
+ * with a key if <b>key_included</b> is true, check whether the whole
+ * specifier-and-key is of valid length, and return the algorithm type if it
+ * is.  Set *<b>legacy_out</b> to 1 iff this is a legacy password hash or
+ * legacy specifier.  Return an error code on failure.
+ */
+static int
+secret_to_key_get_type(const uint8_t *spec_and_key, size_t spec_and_key_len,
+                       int key_included, int *legacy_out)
+{
+  size_t legacy_len = S2K_RFC2440_SPECIFIER_LEN;
+  uint8_t type;
+  int total_len;
+
+  if (key_included)
+    legacy_len += DIGEST_LEN;
+
+  if (spec_and_key_len == legacy_len) {
+    *legacy_out = 1;
+    return S2K_TYPE_RFC2440;
+  }
+
+  *legacy_out = 0;
+  if (spec_and_key_len == 0)
+    return S2K_BAD_LEN;
+
+  type = spec_and_key[0];
+  total_len = secret_to_key_spec_len(type);
+  if (total_len < 0)
+    return S2K_BAD_ALGORITHM;
+  if (key_included) {
+    int keylen = secret_to_key_key_len(type);
+    if (keylen < 0)
+      return S2K_BAD_ALGORITHM;
+    total_len += keylen;
+  }
+
+  if ((size_t)total_len + 1 == spec_and_key_len)
+    return type;
+  else
+    return S2K_BAD_LEN;
+}
+
+/**
+ * Write a new random s2k specifier of type <b>type</b>, without prefixing
+ * type byte, to <b>spec_out</b>, which must have enough room.  May adjust
+ * parameter choice based on <b>flags</b>.
+ */
+static int
+make_specifier(uint8_t *spec_out, uint8_t type, unsigned flags)
+{
+  int speclen = secret_to_key_spec_len(type);
+  if (speclen < 0)
+      return S2K_BAD_ALGORITHM;
+
+  crypto_rand((char*)spec_out, speclen);
+  switch (type) {
+    case S2K_TYPE_RFC2440:
+      /* Hash 64 k of data. */
+      spec_out[S2K_RFC2440_SPECIFIER_LEN-1] = 96;
+      break;
+    case S2K_TYPE_PBKDF2:
+      /* 131 K iterations */
+      spec_out[PBKDF2_SPEC_LEN-1] = 17;
+      break;
+    case S2K_TYPE_SCRYPT:
+      if (flags & S2K_FLAG_LOW_MEM) {
+        /* N = 1<<12 */
+        spec_out[SCRYPT_SPEC_LEN-2] = 12;
+      } else {
+        /* N = 1<<15 */
+        spec_out[SCRYPT_SPEC_LEN-2] = 15;
+      }
+      /* r = 8; p = 2. */
+      spec_out[SCRYPT_SPEC_LEN-1] = (3u << 4) | (1u << 0);
+      break;
+    default:
+      tor_fragile_assert();
+      return S2K_BAD_ALGORITHM;
+  }
+
+  return speclen;
+}
 
 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
  * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
@@ -51,3 +210,249 @@ secret_to_key_rfc2440(char *key_out, size_t key_out_len, const char *secret,
   tor_free(tmp);
   crypto_digest_free(d);
 }
+
+/**
+ * Helper: given a valid specifier without prefix type byte in <b>spec</b>,
+ * whose length must be correct, and given a secret passphrase <b>secret</b>
+ * of length <b>secret_len</b>, compute the key and store it into
+ * <b>key_out</b>, which must have enough room for secret_to_key_key_len(type)
+ * bytes.  Return the number of bytes written on success and an error code
+ * on failure.
+ */
+static int
+secret_to_key_compute_key(uint8_t *key_out, const uint8_t *spec,
+                          const char *secret, size_t secret_len,
+                          int type)
+{
+  int rv;
+
+  switch (type) {
+    case S2K_TYPE_RFC2440:
+      secret_to_key_rfc2440((char*)key_out, DIGEST_LEN, secret, secret_len,
+                            (const char*)spec);
+      return DIGEST_LEN;
+
+    case S2K_TYPE_PBKDF2: {
+      int iters;
+      if (spec[16] > 31)
+        return S2K_BAD_PARAMS;
+      if (secret_len > INT_MAX)
+        return S2K_BAD_LEN;
+      iters = 1 << spec[16];
+      rv = PKCS5_PBKDF2_HMAC_SHA1(secret, (int)secret_len,
+                                 spec, 16,
+                                 1<<spec[16],
+                                 DIGEST_LEN, key_out);
+
+      if (rv < 0)
+        return S2K_FAILED;
+      return DIGEST_LEN;
+    }
+
+    case S2K_TYPE_SCRYPT: {
+#ifdef HAVE_SCRYPT
+      uint64_t N;
+      uint32_t r, p;
+      if (spec[16] > 63)
+        return S2K_BAD_PARAMS;
+      N = ((uint64_t)1) << spec[16];
+      r = 1u << (spec[17] >> 4);
+      p = 1u << (spec[17] & 15);
+      rv = libscrypt_scrypt((const uint8_t*)secret, secret_len,
+                            spec, 16, N, r, p, key_out, 32);
+      if (rv < 0)
+        return S2K_FAILED;
+      return DIGEST256_LEN;
+#else
+      return S2K_NO_SCRYPT_SUPPORT;
+#endif
+    }
+    default:
+      return S2K_BAD_ALGORITHM;
+  }
+}
+
+/**
+ * Given a specifier previously constructed with secret_to_key_make_specifier
+ * in <b>spec</b> of length <b>spec_len</b>, and a secret password in
+ * <b>secret</b> of length <b>secret_len</b>, generate <b>key_out_len</b>
+ * bytes of cryptographic material in <b>key_out</b>.  The native output of
+ * the secret-to-key function will be truncated if key_out_len is short, and
+ * expanded with HKDF if key_out_len is long.  Returns S2K_OKAY on success,
+ * and an error code on failure.
+ */
+int
+secret_to_key_derivekey(uint8_t *key_out, size_t key_out_len,
+                        const uint8_t *spec, size_t spec_len,
+                        const char *secret, size_t secret_len)
+{
+  int legacy_format = 0;
+  int type = secret_to_key_get_type(spec, spec_len, 0, &legacy_format);
+  int keylen, r;
+  uint8_t buf[32];
+
+  if (type < 0)
+    return type;
+#ifndef HAVE_SCRYPT
+  if (type == S2K_TYPE_SCRYPT)
+    return S2K_NO_SCRYPT_SUPPORT;
+ #endif
+
+  if (! legacy_format) {
+    ++spec;
+    --spec_len;
+  }
+
+  keylen = secret_to_key_key_len(type);
+  tor_assert(keylen > 0);
+  tor_assert(keylen <= (int)sizeof(buf));
+
+  r = secret_to_key_compute_key(buf, spec, secret, secret_len, type);
+  if (r < 0)
+    return r;
+
+  tor_assert(r == keylen);
+  if (key_out_len <= sizeof(buf)) {
+    memcpy(key_out, buf, key_out_len);
+    r = S2K_OKAY;
+  } else {
+    r = crypto_expand_key_material_rfc5869_sha256(buf, keylen,
+                                                spec, spec_len,
+                                                (const uint8_t*)"EXPAND", 6,
+                                                key_out, key_out_len);
+    if (r < 0)
+      r = S2K_FAILED;
+    else
+      r = S2K_OKAY;
+  }
+
+  memwipe(buf, 0, sizeof(buf));
+
+  return r;
+}
+
+/**
+ * Construct a new s2k algorithm specifier and salt in <b>buf</b>, according
+ * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>.  Up to
+ * <b>buf_len</b> bytes of storage may be used in <b>buf</b>.  Return the
+ * number of bytes used on success and an error code on failure.
+ */
+int
+secret_to_key_make_specifier(uint8_t *buf, size_t buf_len, unsigned flags)
+{
+  int rv;
+  int spec_len;
+#ifdef HAVE_SCRYPT
+  uint8_t type = S2K_TYPE_SCRYPT;
+#else
+  uint8_t type = S2K_TYPE_RFC2440;
+#endif
+
+  if (flags & S2K_FLAG_NO_SCRYPT)
+    type = S2K_TYPE_RFC2440;
+  if (flags & S2K_FLAG_USE_PBKDF2)
+    type = S2K_TYPE_PBKDF2;
+
+  spec_len = secret_to_key_spec_len(type);
+
+  if ((int)buf_len < spec_len + 1)
+    return S2K_TRUNCATED;
+
+  buf[0] = type;
+  rv = make_specifier(buf+1, type, flags);
+  if (rv < 0)
+    return rv;
+  else
+    return rv + 1;
+}
+
+/**
+ * Hash a passphrase from <b>secret</b> of length <b>secret_len</b>, according
+ * to the bitwise-or of some S2K_FLAG_* options in <b>flags</b>, and store the
+ * hash along with salt and hashing parameters into <b>buf</b>.  Up to
+ * <b>buf_len</b> bytes of storage may be used in <b>buf</b>.  Set
+ * *<b>len_out</b> to the number of bytes used and return S2K_OKAY on success;
+ * and return an error code on failure.
+ */
+int
+secret_to_key_new(uint8_t *buf,
+                  size_t buf_len,
+                  size_t *len_out,
+                  const char *secret, size_t secret_len,
+                  unsigned flags)
+{
+  int key_len;
+  int spec_len;
+  int type;
+  int rv;
+
+  spec_len = secret_to_key_make_specifier(buf, buf_len, flags);
+
+  if (spec_len < 0)
+    return spec_len;
+
+  type = buf[0];
+  key_len = secret_to_key_key_len(type);
+
+  if ((int)buf_len < key_len + spec_len)
+    return S2K_TRUNCATED;
+
+  rv = secret_to_key_compute_key(buf + spec_len, buf + 1,
+                                 secret, secret_len, type);
+  if (rv < 0)
+    return rv;
+
+  *len_out = spec_len + key_len;
+
+  return S2K_OKAY;
+}
+
+/**
+ * Given a hashed passphrase in <b>spec_and_key</b> of length
+ * <b>spec_and_key_len</b> as generated by secret_to_key_new(), verify whether
+ * it is a hash of the passphrase <b>secret</b> of length <b>secret_len</b>.
+ * Return S2K_OKAY on a match, S2K_BAD_SECRET on a well-formed hash that
+ * doesn't match this secret, and another error code on other errors.
+ */
+int
+secret_to_key_check(const uint8_t *spec_and_key, size_t spec_and_key_len,
+                    const char *secret, size_t secret_len)
+{
+  int is_legacy = 0;
+  int type = secret_to_key_get_type(spec_and_key, spec_and_key_len,
+                                    1, &is_legacy);
+  uint8_t buf[32];
+  int spec_len;
+  int key_len;
+  int rv;
+
+  if (type < 0)
+    return type;
+
+  if (! is_legacy) {
+    spec_and_key++;
+    spec_and_key_len--;
+  }
+
+  spec_len = secret_to_key_spec_len(type);
+  key_len = secret_to_key_key_len(type);
+  tor_assert(spec_len > 0);
+  tor_assert(key_len > 0);
+  tor_assert(key_len <= (int) sizeof(buf));
+  tor_assert((int)spec_and_key_len == spec_len + key_len);
+  rv = secret_to_key_compute_key(buf,
+                                 spec_and_key,
+                                 secret, secret_len, type);
+  if (rv < 0)
+    goto done;
+
+  if (tor_memeq(buf, spec_and_key + spec_len, key_len))
+    rv = S2K_OKAY;
+  else
+    rv = S2K_BAD_SECRET;
+
+ done:
+  memwipe(buf, 0, sizeof(buf));
+  return rv;
+}
+