提交 b0809bc8 编写于 作者: R Rich Salz 提交者: Rich Salz

RT3998: Allow scrypt to be disabled

This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available.  Mostly done by David Woodhouse.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
上级 a939b0aa
......@@ -68,8 +68,10 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P
#ifndef OPENSSL_NO_SCRYPT
OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
#endif
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
} OPTION_CHOICE;
OPTIONS pkcs8_options[] = {
......@@ -94,10 +96,12 @@ OPTIONS pkcs8_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
#ifndef OPENSSL_NO_SCRYPT
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
#endif
{NULL}
};
......@@ -116,7 +120,9 @@ int pkcs8_main(int argc, char **argv)
int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
int private = 0;
#ifndef OPENSSL_NO_SCRYPT
unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
#endif
prog = opt_init(argc, argv, pkcs8_options);
while ((o = opt_next()) != OPT_EOF) {
......@@ -195,6 +201,7 @@ int pkcs8_main(int argc, char **argv)
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
#ifndef OPENSSL_NO_SCRYPT
case OPT_SCRYPT:
scrypt_N = 1024;
scrypt_r = 8;
......@@ -214,6 +221,7 @@ int pkcs8_main(int argc, char **argv)
if (!opt_ulong(opt_arg(), &scrypt_p))
goto opthelp;
break;
#endif
}
}
argc = opt_num_rest();
......@@ -260,10 +268,12 @@ int pkcs8_main(int argc, char **argv)
} else {
X509_ALGOR *pbe;
if (cipher) {
#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
scrypt_N, scrypt_r, scrypt_p);
else
#endif
pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
pbe_nid);
} else {
......
......@@ -65,6 +65,7 @@
#include <openssl/x509.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_SCRYPT
/* PKCS#5 scrypt password based encryption structures */
typedef struct {
......@@ -330,3 +331,4 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
SCRYPT_PARAMS_free(sparam);
return rv;
}
#endif /* OPENSSL_NO_SCRYPT */
......@@ -119,7 +119,9 @@ static const EVP_PBE_CTL builtin_pbe[] = {
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
{EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
{EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
#ifndef OPENSSL_NO_SCRYPT
{EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen}
#endif
};
int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
......
......@@ -64,6 +64,8 @@
#include <openssl/err.h>
#include <internal/numbers.h>
#ifndef OPENSSL_NO_SCRYPT
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
static void salsa208_word_specification(uint32_t inout[16])
{
......@@ -296,3 +298,4 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
OPENSSL_clear_free(B, Blen + Vlen);
return rv;
}
#endif
......@@ -1075,6 +1075,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher,
const EVP_MD *md, int en_de);
#ifndef OPENSSL_NO_SCRYPT
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
......@@ -1083,6 +1084,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md, int en_de);
#endif
void PKCS5_PBE_add(void);
......
......@@ -1052,10 +1052,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
unsigned char *salt, int saltlen,
unsigned char *aiv, int prf_nid);
#ifndef OPENSSL_NO_SCRYPT
X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
const unsigned char *salt, int saltlen,
unsigned char *aiv, uint64_t N, uint64_t r,
uint64_t p);
#endif
X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
int prf_nid, int keylen);
......
......@@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,-
RFC3779,-
RMD160,-
RSA,-
SCRYPT,-
SCTP,-
SEED,-
SOCK,-
......
......@@ -1311,6 +1311,7 @@ struct pbe_data {
size_t key_len;
};
#ifndef OPENSSL_NO_SCRYPT
static int scrypt_test_parse(struct evp_test *t,
const char *keyword, const char *value)
{
......@@ -1326,6 +1327,7 @@ static int scrypt_test_parse(struct evp_test *t,
return test_uint64(value, &pdata->maxmem);
return 0;
}
#endif
static int pbkdf2_test_parse(struct evp_test *t,
const char *keyword, const char *value)
......@@ -1366,8 +1368,10 @@ static int pbe_test_init(struct evp_test *t, const char *alg)
struct pbe_data *pdat;
int pbe_type = 0;
#ifndef OPENSSL_NO_SCRYPT
if (strcmp(alg, "scrypt") == 0)
pbe_type = PBE_TYPE_SCRYPT;
#endif
else if (strcmp(alg, "pbkdf2") == 0)
pbe_type = PBE_TYPE_PBKDF2;
else if (strcmp(alg, "pkcs12") == 0)
......@@ -1408,12 +1412,14 @@ static int pbe_test_parse(struct evp_test *t,
return test_bin(value, &pdata->salt, &pdata->salt_len);
if (strcmp(keyword, "Key") == 0)
return test_bin(value, &pdata->key, &pdata->key_len);
if (pdata->pbe_type == PBE_TYPE_SCRYPT)
return scrypt_test_parse(t, keyword, value);
else if (pdata->pbe_type == PBE_TYPE_PBKDF2)
if (pdata->pbe_type == PBE_TYPE_PBKDF2)
return pbkdf2_test_parse(t, keyword, value);
else if (pdata->pbe_type == PBE_TYPE_PKCS12)
return pkcs12_test_parse(t, keyword, value);
#ifndef OPENSSL_NO_SCRYPT
else if (pdata->pbe_type == PBE_TYPE_SCRYPT)
return scrypt_test_parse(t, keyword, value);
#endif
return 0;
}
......@@ -1433,6 +1439,7 @@ static int pbe_test_run(struct evp_test *t)
pdata->iter, pdata->md,
pdata->key_len, key) == 0)
goto err;
#ifndef OPENSSL_NO_SCRYPT
} else if (pdata->pbe_type == PBE_TYPE_SCRYPT) {
err = "SCRYPT_ERROR";
if (EVP_PBE_scrypt((const char *)pdata->pass, pdata->pass_len,
......@@ -1440,6 +1447,7 @@ static int pbe_test_run(struct evp_test *t)
pdata->N, pdata->r, pdata->p, pdata->maxmem,
key, pdata->key_len) == 0)
goto err;
#endif
} else if (pdata->pbe_type == PBE_TYPE_PKCS12) {
err = "PKCS12_ERROR";
if (PKCS12_key_gen_uni(pdata->pass, pdata->pass_len,
......
......@@ -4563,13 +4563,13 @@ COMP_get_name 4921 EXIST::FUNCTION:
COMP_get_type 4922 EXIST::FUNCTION:
ASN1_INTEGER_get_int64 4923 EXIST::FUNCTION:
ASN1_ENUMERATED_set_int64 4924 EXIST::FUNCTION:
EVP_PBE_scrypt 4925 EXIST::FUNCTION:
EVP_PBE_scrypt 4925 EXIST::FUNCTION:SCRYPT
ASN1_INTEGER_set_int64 4926 EXIST::FUNCTION:
ASN1_ENUMERATED_get_int64 4927 EXIST::FUNCTION:
PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION:
PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION:SCRYPT
ASN1_INTEGER_get_uint64 4929 EXIST::FUNCTION:
ASN1_INTEGER_set_uint64 4930 EXIST::FUNCTION:
PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION:
PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION:SCRYPT
PKCS8_set0_pbe 4932 EXIST::FUNCTION:
DH_bits 4933 EXIST::FUNCTION:DH
RSA_bits 4934 EXIST::FUNCTION:RSA
......
......@@ -69,6 +69,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"SHA256", "SHA512", "RMD160",
"MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M",
"HMAC", "AES", "CAMELLIA", "SEED", "GOST",
"SCRYPT",
# EC_NISTP_64_GCC_128
"EC_NISTP_64_GCC_128",
# Envelope "algorithms"
......@@ -123,7 +124,7 @@ close(IN);
my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
my $no_cast; my $no_whirlpool; my $no_camellia; my $no_seed;
my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
my $no_rsa; my $no_dsa; my $no_dh; my $no_aes;
my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_scrypt;
my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng;
......@@ -203,6 +204,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-aes$/) { $no_aes=1; }
elsif (/^no-camellia$/) { $no_camellia=1; }
elsif (/^no-seed$/) { $no_seed=1; }
elsif (/^no-scrypt$/) { $no_scrypt=1; }
elsif (/^no-evp$/) { $no_evp=1; }
elsif (/^no-lhash$/) { $no_lhash=1; }
elsif (/^no-stack$/) { $no_stack=1; }
......@@ -1187,6 +1189,7 @@ sub is_valid
if ($keyword eq "AES" && $no_aes) { return 0; }
if ($keyword eq "CAMELLIA" && $no_camellia) { return 0; }
if ($keyword eq "SEED" && $no_seed) { return 0; }
if ($keyword eq "SCRYPT" && $no_scrypt) { return 0; }
if ($keyword eq "EVP" && $no_evp) { return 0; }
if ($keyword eq "LHASH" && $no_lhash) { return 0; }
if ($keyword eq "STACK" && $no_stack) { return 0; }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册