1 use libc::c_int;
2 use std::ptr;
3
4 use crate::cvt;
5 use crate::error::ErrorStack;
6 use crate::hash::MessageDigest;
7 use crate::symm::Cipher;
8
9 #[derive(Clone, Eq, PartialEq, Hash, Debug)]
10 pub struct KeyIvPair {
11 pub key: Vec<u8>,
12 pub iv: Option<Vec<u8>>,
13 }
14
15 /// Derives a key and an IV from various parameters.
16 ///
17 /// If specified, `salt` must be 8 bytes in length.
18 ///
19 /// If the total key and IV length is less than 16 bytes and MD5 is used then
20 /// the algorithm is compatible with the key derivation algorithm from PKCS#5
21 /// v1.5 or PBKDF1 from PKCS#5 v2.0.
22 ///
23 /// New applications should not use this and instead use
24 /// `pbkdf2_hmac` or another more modern key derivation algorithm.
25 #[allow(clippy::useless_conversion)]
bytes_to_key( cipher: Cipher, digest: MessageDigest, data: &[u8], salt: Option<&[u8]>, count: i32, ) -> Result<KeyIvPair, ErrorStack>26 pub fn bytes_to_key(
27 cipher: Cipher,
28 digest: MessageDigest,
29 data: &[u8],
30 salt: Option<&[u8]>,
31 count: i32,
32 ) -> Result<KeyIvPair, ErrorStack> {
33 unsafe {
34 assert!(data.len() <= c_int::max_value() as usize);
35 let salt_ptr = match salt {
36 Some(salt) => {
37 assert_eq!(salt.len(), ffi::PKCS5_SALT_LEN as usize);
38 salt.as_ptr()
39 }
40 None => ptr::null(),
41 };
42
43 ffi::init();
44
45 let mut iv = cipher.iv_len().map(|l| vec![0; l]);
46
47 let cipher = cipher.as_ptr();
48 let digest = digest.as_ptr();
49
50 let len = cvt(ffi::EVP_BytesToKey(
51 cipher,
52 digest,
53 salt_ptr,
54 ptr::null(),
55 data.len() as c_int,
56 count.into(),
57 ptr::null_mut(),
58 ptr::null_mut(),
59 ))?;
60
61 let mut key = vec![0; len as usize];
62 let iv_ptr = iv
63 .as_mut()
64 .map(|v| v.as_mut_ptr())
65 .unwrap_or(ptr::null_mut());
66
67 cvt(ffi::EVP_BytesToKey(
68 cipher,
69 digest,
70 salt_ptr,
71 data.as_ptr(),
72 data.len() as c_int,
73 count as c_int,
74 key.as_mut_ptr(),
75 iv_ptr,
76 ))?;
77
78 Ok(KeyIvPair { key, iv })
79 }
80 }
81
82 /// Derives a key from a password and salt using the PBKDF2-HMAC algorithm with a digest function.
pbkdf2_hmac( pass: &[u8], salt: &[u8], iter: usize, hash: MessageDigest, key: &mut [u8], ) -> Result<(), ErrorStack>83 pub fn pbkdf2_hmac(
84 pass: &[u8],
85 salt: &[u8],
86 iter: usize,
87 hash: MessageDigest,
88 key: &mut [u8],
89 ) -> Result<(), ErrorStack> {
90 unsafe {
91 assert!(pass.len() <= c_int::max_value() as usize);
92 assert!(salt.len() <= c_int::max_value() as usize);
93 assert!(key.len() <= c_int::max_value() as usize);
94
95 ffi::init();
96 cvt(ffi::PKCS5_PBKDF2_HMAC(
97 pass.as_ptr() as *const _,
98 pass.len() as c_int,
99 salt.as_ptr(),
100 salt.len() as c_int,
101 iter as c_int,
102 hash.as_ptr(),
103 key.len() as c_int,
104 key.as_mut_ptr(),
105 ))
106 .map(|_| ())
107 }
108 }
109
110 /// Derives a key from a password and salt using the scrypt algorithm.
111 ///
112 /// Requires OpenSSL 1.1.0 or newer.
113 #[cfg(any(ossl110))]
scrypt( pass: &[u8], salt: &[u8], n: u64, r: u64, p: u64, maxmem: u64, key: &mut [u8], ) -> Result<(), ErrorStack>114 pub fn scrypt(
115 pass: &[u8],
116 salt: &[u8],
117 n: u64,
118 r: u64,
119 p: u64,
120 maxmem: u64,
121 key: &mut [u8],
122 ) -> Result<(), ErrorStack> {
123 unsafe {
124 ffi::init();
125 cvt(ffi::EVP_PBE_scrypt(
126 pass.as_ptr() as *const _,
127 pass.len(),
128 salt.as_ptr() as *const _,
129 salt.len(),
130 n,
131 r,
132 p,
133 maxmem,
134 key.as_mut_ptr() as *mut _,
135 key.len(),
136 ))
137 .map(|_| ())
138 }
139 }
140
141 #[cfg(test)]
142 mod tests {
143 use crate::hash::MessageDigest;
144 use crate::symm::Cipher;
145
146 // Test vectors from
147 // https://git.lysator.liu.se/nettle/nettle/blob/nettle_3.1.1_release_20150424/testsuite/pbkdf2-test.c
148 #[test]
pbkdf2_hmac_sha256()149 fn pbkdf2_hmac_sha256() {
150 let mut buf = [0; 16];
151
152 super::pbkdf2_hmac(b"passwd", b"salt", 1, MessageDigest::sha256(), &mut buf).unwrap();
153 assert_eq!(
154 buf,
155 &[
156 0x55_u8, 0xac_u8, 0x04_u8, 0x6e_u8, 0x56_u8, 0xe3_u8, 0x08_u8, 0x9f_u8, 0xec_u8,
157 0x16_u8, 0x91_u8, 0xc2_u8, 0x25_u8, 0x44_u8, 0xb6_u8, 0x05_u8,
158 ][..]
159 );
160
161 super::pbkdf2_hmac(
162 b"Password",
163 b"NaCl",
164 80000,
165 MessageDigest::sha256(),
166 &mut buf,
167 )
168 .unwrap();
169 assert_eq!(
170 buf,
171 &[
172 0x4d_u8, 0xdc_u8, 0xd8_u8, 0xf6_u8, 0x0b_u8, 0x98_u8, 0xbe_u8, 0x21_u8, 0x83_u8,
173 0x0c_u8, 0xee_u8, 0x5e_u8, 0xf2_u8, 0x27_u8, 0x01_u8, 0xf9_u8,
174 ][..]
175 );
176 }
177
178 // Test vectors from
179 // https://git.lysator.liu.se/nettle/nettle/blob/nettle_3.1.1_release_20150424/testsuite/pbkdf2-test.c
180 #[test]
pbkdf2_hmac_sha512()181 fn pbkdf2_hmac_sha512() {
182 let mut buf = [0; 64];
183
184 super::pbkdf2_hmac(b"password", b"NaCL", 1, MessageDigest::sha512(), &mut buf).unwrap();
185 assert_eq!(
186 &buf[..],
187 &[
188 0x73_u8, 0xde_u8, 0xcf_u8, 0xa5_u8, 0x8a_u8, 0xa2_u8, 0xe8_u8, 0x4f_u8, 0x94_u8,
189 0x77_u8, 0x1a_u8, 0x75_u8, 0x73_u8, 0x6b_u8, 0xb8_u8, 0x8b_u8, 0xd3_u8, 0xc7_u8,
190 0xb3_u8, 0x82_u8, 0x70_u8, 0xcf_u8, 0xb5_u8, 0x0c_u8, 0xb3_u8, 0x90_u8, 0xed_u8,
191 0x78_u8, 0xb3_u8, 0x05_u8, 0x65_u8, 0x6a_u8, 0xf8_u8, 0x14_u8, 0x8e_u8, 0x52_u8,
192 0x45_u8, 0x2b_u8, 0x22_u8, 0x16_u8, 0xb2_u8, 0xb8_u8, 0x09_u8, 0x8b_u8, 0x76_u8,
193 0x1f_u8, 0xc6_u8, 0x33_u8, 0x60_u8, 0x60_u8, 0xa0_u8, 0x9f_u8, 0x76_u8, 0x41_u8,
194 0x5e_u8, 0x9f_u8, 0x71_u8, 0xea_u8, 0x47_u8, 0xf9_u8, 0xe9_u8, 0x06_u8, 0x43_u8,
195 0x06_u8,
196 ][..]
197 );
198
199 super::pbkdf2_hmac(
200 b"pass\0word",
201 b"sa\0lt",
202 1,
203 MessageDigest::sha512(),
204 &mut buf,
205 )
206 .unwrap();
207 assert_eq!(
208 &buf[..],
209 &[
210 0x71_u8, 0xa0_u8, 0xec_u8, 0x84_u8, 0x2a_u8, 0xbd_u8, 0x5c_u8, 0x67_u8, 0x8b_u8,
211 0xcf_u8, 0xd1_u8, 0x45_u8, 0xf0_u8, 0x9d_u8, 0x83_u8, 0x52_u8, 0x2f_u8, 0x93_u8,
212 0x36_u8, 0x15_u8, 0x60_u8, 0x56_u8, 0x3c_u8, 0x4d_u8, 0x0d_u8, 0x63_u8, 0xb8_u8,
213 0x83_u8, 0x29_u8, 0x87_u8, 0x10_u8, 0x90_u8, 0xe7_u8, 0x66_u8, 0x04_u8, 0xa4_u8,
214 0x9a_u8, 0xf0_u8, 0x8f_u8, 0xe7_u8, 0xc9_u8, 0xf5_u8, 0x71_u8, 0x56_u8, 0xc8_u8,
215 0x79_u8, 0x09_u8, 0x96_u8, 0xb2_u8, 0x0f_u8, 0x06_u8, 0xbc_u8, 0x53_u8, 0x5e_u8,
216 0x5a_u8, 0xb5_u8, 0x44_u8, 0x0d_u8, 0xf7_u8, 0xe8_u8, 0x78_u8, 0x29_u8, 0x6f_u8,
217 0xa7_u8,
218 ][..]
219 );
220
221 super::pbkdf2_hmac(
222 b"passwordPASSWORDpassword",
223 b"salt\0\0\0",
224 50,
225 MessageDigest::sha512(),
226 &mut buf,
227 )
228 .unwrap();
229 assert_eq!(
230 &buf[..],
231 &[
232 0x01_u8, 0x68_u8, 0x71_u8, 0xa4_u8, 0xc4_u8, 0xb7_u8, 0x5f_u8, 0x96_u8, 0x85_u8,
233 0x7f_u8, 0xd2_u8, 0xb9_u8, 0xf8_u8, 0xca_u8, 0x28_u8, 0x02_u8, 0x3b_u8, 0x30_u8,
234 0xee_u8, 0x2a_u8, 0x39_u8, 0xf5_u8, 0xad_u8, 0xca_u8, 0xc8_u8, 0xc9_u8, 0x37_u8,
235 0x5f_u8, 0x9b_u8, 0xda_u8, 0x1c_u8, 0xcd_u8, 0x1b_u8, 0x6f_u8, 0x0b_u8, 0x2f_u8,
236 0xc3_u8, 0xad_u8, 0xda_u8, 0x50_u8, 0x54_u8, 0x12_u8, 0xe7_u8, 0x9d_u8, 0x89_u8,
237 0x00_u8, 0x56_u8, 0xc6_u8, 0x2e_u8, 0x52_u8, 0x4c_u8, 0x7d_u8, 0x51_u8, 0x15_u8,
238 0x4b_u8, 0x1a_u8, 0x85_u8, 0x34_u8, 0x57_u8, 0x5b_u8, 0xd0_u8, 0x2d_u8, 0xee_u8,
239 0x39_u8,
240 ][..]
241 );
242 }
243
244 #[test]
bytes_to_key()245 fn bytes_to_key() {
246 let salt = [16_u8, 34_u8, 19_u8, 23_u8, 141_u8, 4_u8, 207_u8, 221_u8];
247
248 let data = [
249 143_u8, 210_u8, 75_u8, 63_u8, 214_u8, 179_u8, 155_u8, 241_u8, 242_u8, 31_u8, 154_u8,
250 56_u8, 198_u8, 145_u8, 192_u8, 64_u8, 2_u8, 245_u8, 167_u8, 220_u8, 55_u8, 119_u8,
251 233_u8, 136_u8, 139_u8, 27_u8, 71_u8, 242_u8, 119_u8, 175_u8, 65_u8, 207_u8,
252 ];
253
254 let expected_key = vec![
255 249_u8, 115_u8, 114_u8, 97_u8, 32_u8, 213_u8, 165_u8, 146_u8, 58_u8, 87_u8, 234_u8,
256 3_u8, 43_u8, 250_u8, 97_u8, 114_u8, 26_u8, 98_u8, 245_u8, 246_u8, 238_u8, 177_u8,
257 229_u8, 161_u8, 183_u8, 224_u8, 174_u8, 3_u8, 6_u8, 244_u8, 236_u8, 255_u8,
258 ];
259 let expected_iv = vec![
260 4_u8, 223_u8, 153_u8, 219_u8, 28_u8, 142_u8, 234_u8, 68_u8, 227_u8, 69_u8, 98_u8,
261 107_u8, 208_u8, 14_u8, 236_u8, 60_u8,
262 ];
263
264 assert_eq!(
265 super::bytes_to_key(
266 Cipher::aes_256_cbc(),
267 MessageDigest::sha1(),
268 &data,
269 Some(&salt),
270 1,
271 )
272 .unwrap(),
273 super::KeyIvPair {
274 key: expected_key,
275 iv: Some(expected_iv),
276 }
277 );
278 }
279
280 #[test]
281 #[cfg(any(ossl110))]
scrypt()282 fn scrypt() {
283 let pass = "pleaseletmein";
284 let salt = "SodiumChloride";
285 let expected =
286 "7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613\
287 f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887";
288
289 let mut actual = [0; 64];
290 super::scrypt(
291 pass.as_bytes(),
292 salt.as_bytes(),
293 16384,
294 8,
295 1,
296 0,
297 &mut actual,
298 )
299 .unwrap();
300 assert_eq!(hex::encode(&actual[..]), expected);
301 }
302 }
303