Ruby  3.1.0dev(2021-09-10revisionb76ad15ed0da636161de0243c547ee1e6fc95681)
ossl_kdf.c
Go to the documentation of this file.
1 /*
2  * Ruby/OpenSSL Project
3  * Copyright (C) 2007, 2017 Ruby/OpenSSL Project Authors
4  */
5 #include "ossl.h"
6 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
7 # include <openssl/kdf.h>
8 #endif
9 
10 static VALUE mKDF, eKDF;
11 
12 /*
13  * call-seq:
14  * KDF.pbkdf2_hmac(pass, salt:, iterations:, length:, hash:) -> aString
15  *
16  * PKCS #5 PBKDF2 (Password-Based Key Derivation Function 2) in combination
17  * with HMAC. Takes _pass_, _salt_ and _iterations_, and then derives a key
18  * of _length_ bytes.
19  *
20  * For more information about PBKDF2, see RFC 2898 Section 5.2
21  * (https://tools.ietf.org/html/rfc2898#section-5.2).
22  *
23  * === Parameters
24  * pass :: The passphrase.
25  * salt :: The salt. Salts prevent attacks based on dictionaries of common
26  * passwords and attacks based on rainbow tables. It is a public
27  * value that can be safely stored along with the password (e.g.
28  * if the derived value is used for password storage).
29  * iterations :: The iteration count. This provides the ability to tune the
30  * algorithm. It is better to use the highest count possible for
31  * the maximum resistance to brute-force attacks.
32  * length :: The desired length of the derived key in octets.
33  * hash :: The hash algorithm used with HMAC for the PRF. May be a String
34  * representing the algorithm name, or an instance of
35  * OpenSSL::Digest.
36  */
37 static VALUE
38 kdf_pbkdf2_hmac(int argc, VALUE *argv, VALUE self)
39 {
40  VALUE pass, salt, opts, kwargs[4], str;
41  static ID kwargs_ids[4];
42  int iters, len;
43  const EVP_MD *md;
44 
45  if (!kwargs_ids[0]) {
46  kwargs_ids[0] = rb_intern_const("salt");
47  kwargs_ids[1] = rb_intern_const("iterations");
48  kwargs_ids[2] = rb_intern_const("length");
49  kwargs_ids[3] = rb_intern_const("hash");
50  }
51  rb_scan_args(argc, argv, "1:", &pass, &opts);
52  rb_get_kwargs(opts, kwargs_ids, 4, 0, kwargs);
53 
54  StringValue(pass);
55  salt = StringValue(kwargs[0]);
56  iters = NUM2INT(kwargs[1]);
57  len = NUM2INT(kwargs[2]);
58  md = ossl_evp_get_digestbyname(kwargs[3]);
59 
60  str = rb_str_new(0, len);
61  if (!PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LENINT(pass),
62  (unsigned char *)RSTRING_PTR(salt),
63  RSTRING_LENINT(salt), iters, md, len,
64  (unsigned char *)RSTRING_PTR(str)))
65  ossl_raise(eKDF, "PKCS5_PBKDF2_HMAC");
66 
67  return str;
68 }
69 
70 #if defined(HAVE_EVP_PBE_SCRYPT)
71 /*
72  * call-seq:
73  * KDF.scrypt(pass, salt:, N:, r:, p:, length:) -> aString
74  *
75  * Derives a key from _pass_ using given parameters with the scrypt
76  * password-based key derivation function. The result can be used for password
77  * storage.
78  *
79  * scrypt is designed to be memory-hard and more secure against brute-force
80  * attacks using custom hardwares than alternative KDFs such as PBKDF2 or
81  * bcrypt.
82  *
83  * The keyword arguments _N_, _r_ and _p_ can be used to tune scrypt. RFC 7914
84  * (published on 2016-08, https://tools.ietf.org/html/rfc7914#section-2) states
85  * that using values r=8 and p=1 appears to yield good results.
86  *
87  * See RFC 7914 (https://tools.ietf.org/html/rfc7914) for more information.
88  *
89  * === Parameters
90  * pass :: Passphrase.
91  * salt :: Salt.
92  * N :: CPU/memory cost parameter. This must be a power of 2.
93  * r :: Block size parameter.
94  * p :: Parallelization parameter.
95  * length :: Length in octets of the derived key.
96  *
97  * === Example
98  * pass = "password"
99  * salt = SecureRandom.random_bytes(16)
100  * dk = OpenSSL::KDF.scrypt(pass, salt: salt, N: 2**14, r: 8, p: 1, length: 32)
101  * p dk #=> "\xDA\xE4\xE2...\x7F\xA1\x01T"
102  */
103 static VALUE
104 kdf_scrypt(int argc, VALUE *argv, VALUE self)
105 {
106  VALUE pass, salt, opts, kwargs[5], str;
107  static ID kwargs_ids[5];
108  size_t len;
109  uint64_t N, r, p, maxmem;
110 
111  if (!kwargs_ids[0]) {
112  kwargs_ids[0] = rb_intern_const("salt");
113  kwargs_ids[1] = rb_intern_const("N");
114  kwargs_ids[2] = rb_intern_const("r");
115  kwargs_ids[3] = rb_intern_const("p");
116  kwargs_ids[4] = rb_intern_const("length");
117  }
118  rb_scan_args(argc, argv, "1:", &pass, &opts);
119  rb_get_kwargs(opts, kwargs_ids, 5, 0, kwargs);
120 
121  StringValue(pass);
122  salt = StringValue(kwargs[0]);
123  N = NUM2UINT64T(kwargs[1]);
124  r = NUM2UINT64T(kwargs[2]);
125  p = NUM2UINT64T(kwargs[3]);
126  len = NUM2LONG(kwargs[4]);
127  /*
128  * OpenSSL uses 32MB by default (if zero is specified), which is too small.
129  * Let's not limit memory consumption but just let malloc() fail inside
130  * OpenSSL. The amount is controllable by other parameters.
131  */
132  maxmem = SIZE_MAX;
133 
134  str = rb_str_new(0, len);
135  if (!EVP_PBE_scrypt(RSTRING_PTR(pass), RSTRING_LEN(pass),
136  (unsigned char *)RSTRING_PTR(salt), RSTRING_LEN(salt),
137  N, r, p, maxmem, (unsigned char *)RSTRING_PTR(str), len))
138  ossl_raise(eKDF, "EVP_PBE_scrypt");
139 
140  return str;
141 }
142 #endif
143 
144 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
145 /*
146  * call-seq:
147  * KDF.hkdf(ikm, salt:, info:, length:, hash:) -> String
148  *
149  * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as specified in
150  * {RFC 5869}[https://tools.ietf.org/html/rfc5869].
151  *
152  * New in OpenSSL 1.1.0.
153  *
154  * === Parameters
155  * _ikm_::
156  * The input keying material.
157  * _salt_::
158  * The salt.
159  * _info_::
160  * The context and application specific information.
161  * _length_::
162  * The output length in octets. Must be <= <tt>255 * HashLen</tt>, where
163  * HashLen is the length of the hash function output in octets.
164  * _hash_::
165  * The hash function.
166  *
167  * === Example
168  * # The values from https://datatracker.ietf.org/doc/html/rfc5869#appendix-A.1
169  * ikm = ["0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"].pack("H*")
170  * salt = ["000102030405060708090a0b0c"].pack("H*")
171  * info = ["f0f1f2f3f4f5f6f7f8f9"].pack("H*")
172  * p OpenSSL::KDF.hkdf(ikm, salt: salt, info: info, length: 42, hash: "SHA256").unpack1("H*")
173  * # => "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
174  */
175 static VALUE
176 kdf_hkdf(int argc, VALUE *argv, VALUE self)
177 {
178  VALUE ikm, salt, info, opts, kwargs[4], str;
179  static ID kwargs_ids[4];
180  int saltlen, ikmlen, infolen;
181  size_t len;
182  const EVP_MD *md;
183  EVP_PKEY_CTX *pctx;
184 
185  if (!kwargs_ids[0]) {
186  kwargs_ids[0] = rb_intern_const("salt");
187  kwargs_ids[1] = rb_intern_const("info");
188  kwargs_ids[2] = rb_intern_const("length");
189  kwargs_ids[3] = rb_intern_const("hash");
190  }
191  rb_scan_args(argc, argv, "1:", &ikm, &opts);
192  rb_get_kwargs(opts, kwargs_ids, 4, 0, kwargs);
193 
194  StringValue(ikm);
195  ikmlen = RSTRING_LENINT(ikm);
196  salt = StringValue(kwargs[0]);
197  saltlen = RSTRING_LENINT(salt);
198  info = StringValue(kwargs[1]);
199  infolen = RSTRING_LENINT(info);
200  len = (size_t)NUM2LONG(kwargs[2]);
201  if (len > LONG_MAX)
202  rb_raise(rb_eArgError, "length must be non-negative");
203  md = ossl_evp_get_digestbyname(kwargs[3]);
204 
205  str = rb_str_new(NULL, (long)len);
206  pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
207  if (!pctx)
208  ossl_raise(eKDF, "EVP_PKEY_CTX_new_id");
209  if (EVP_PKEY_derive_init(pctx) <= 0) {
210  EVP_PKEY_CTX_free(pctx);
211  ossl_raise(eKDF, "EVP_PKEY_derive_init");
212  }
213  if (EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0) {
214  EVP_PKEY_CTX_free(pctx);
215  ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_md");
216  }
217  if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, (unsigned char *)RSTRING_PTR(salt),
218  saltlen) <= 0) {
219  EVP_PKEY_CTX_free(pctx);
220  ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_salt");
221  }
222  if (EVP_PKEY_CTX_set1_hkdf_key(pctx, (unsigned char *)RSTRING_PTR(ikm),
223  ikmlen) <= 0) {
224  EVP_PKEY_CTX_free(pctx);
225  ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_key");
226  }
227  if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (unsigned char *)RSTRING_PTR(info),
228  infolen) <= 0) {
229  EVP_PKEY_CTX_free(pctx);
230  ossl_raise(eKDF, "EVP_PKEY_CTX_set_hkdf_info");
231  }
232  if (EVP_PKEY_derive(pctx, (unsigned char *)RSTRING_PTR(str), &len) <= 0) {
233  EVP_PKEY_CTX_free(pctx);
234  ossl_raise(eKDF, "EVP_PKEY_derive");
235  }
236  rb_str_set_len(str, (long)len);
237  EVP_PKEY_CTX_free(pctx);
238 
239  return str;
240 }
241 #endif
242 
243 void
244 Init_ossl_kdf(void)
245 {
246 #if 0
247  mOSSL = rb_define_module("OpenSSL");
248  eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
249 #endif
250 
251  /*
252  * Document-module: OpenSSL::KDF
253  *
254  * Provides functionality of various KDFs (key derivation function).
255  *
256  * KDF is typically used for securely deriving arbitrary length symmetric
257  * keys to be used with an OpenSSL::Cipher from passwords. Another use case
258  * is for storing passwords: Due to the ability to tweak the effort of
259  * computation by increasing the iteration count, computation can be slowed
260  * down artificially in order to render possible attacks infeasible.
261  *
262  * Currently, OpenSSL::KDF provides implementations for the following KDF:
263  *
264  * * PKCS #5 PBKDF2 (Password-Based Key Derivation Function 2) in
265  * combination with HMAC
266  * * scrypt
267  * * HKDF
268  *
269  * == Examples
270  * === Generating a 128 bit key for a Cipher (e.g. AES)
271  * pass = "secret"
272  * salt = OpenSSL::Random.random_bytes(16)
273  * iter = 20_000
274  * key_len = 16
275  * key = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter,
276  * length: key_len, hash: "sha1")
277  *
278  * === Storing Passwords
279  * pass = "secret"
280  * # store this with the generated value
281  * salt = OpenSSL::Random.random_bytes(16)
282  * iter = 20_000
283  * hash = OpenSSL::Digest.new('SHA256')
284  * len = hash.digest_length
285  * # the final value to be stored
286  * value = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: iter,
287  * length: len, hash: hash)
288  *
289  * == Important Note on Checking Passwords
290  * When comparing passwords provided by the user with previously stored
291  * values, a common mistake made is comparing the two values using "==".
292  * Typically, "==" short-circuits on evaluation, and is therefore
293  * vulnerable to timing attacks. The proper way is to use a method that
294  * always takes the same amount of time when comparing two values, thus
295  * not leaking any information to potential attackers. To do this, use
296  * +OpenSSL.fixed_length_secure_compare+.
297  */
298  mKDF = rb_define_module_under(mOSSL, "KDF");
299  /*
300  * Generic exception class raised if an error occurs in OpenSSL::KDF module.
301  */
302  eKDF = rb_define_class_under(mKDF, "KDFError", eOSSLError);
303 
304  rb_define_module_function(mKDF, "pbkdf2_hmac", kdf_pbkdf2_hmac, -1);
305 #if defined(HAVE_EVP_PBE_SCRYPT)
306  rb_define_module_function(mKDF, "scrypt", kdf_scrypt, -1);
307 #endif
308 #if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
309  rb_define_module_function(mKDF, "hkdf", kdf_hkdf, -1);
310 #endif
311 }
rb_get_kwargs
int rb_get_kwargs(VALUE keyword_hash, const ID *table, int required, int optional, VALUE *values)
Definition: class.c:2136
StringValue
#define StringValue(v)
Definition: rstring.h:50
rb_define_module_under
VALUE rb_define_module_under(VALUE outer, const char *name)
Definition: class.c:914
LONG_MAX
#define LONG_MAX
Definition: limits.h:36
rb_eArgError
VALUE rb_eArgError
Definition: error.c:1094
rb_define_module
VALUE rb_define_module(const char *name)
Definition: class.c:887
uint64_t
unsigned long long uint64_t
Definition: sha2.h:102
ossl.h
rb_str_set_len
void rb_str_set_len(VALUE, long)
Definition: string.c:2833
argv
char ** argv
Definition: ruby.c:243
ID
unsigned long ID
Definition: value.h:39
NUM2INT
#define NUM2INT
Definition: int.h:44
RSTRING_LEN
#define RSTRING_LEN(string)
Definition: fbuffer.h:22
rb_str_new
#define rb_str_new(str, len)
Definition: string.h:213
rb_raise
void rb_raise(VALUE exc, const char *fmt,...)
Definition: error.c:3022
mOSSL
VALUE mOSSL
Definition: ossl.c:237
len
uint8_t len
Definition: escape.c:17
ossl_raise
void ossl_raise(VALUE exc, const char *fmt,...)
Definition: ossl.c:299
NULL
#define NULL
Definition: regenc.h:69
rb_scan_args
int rb_scan_args(int argc, const VALUE *argv, const char *fmt,...)
Definition: class.c:2347
N
#define N
Definition: lgamma_r.c:20
SIZE_MAX
#define SIZE_MAX
Definition: limits.h:71
VALUE
unsigned long VALUE
Definition: value.h:38
RSTRING_PTR
#define RSTRING_PTR(string)
Definition: fbuffer.h:19
str
char str[HTML_ESCAPE_MAX_LEN+1]
Definition: escape.c:18
NUM2LONG
#define NUM2LONG
Definition: long.h:51
argc
int argc
Definition: ruby.c:242
Init_ossl_kdf
void Init_ossl_kdf(void)
Definition: ossl_kdf.c:244
eOSSLError
VALUE eOSSLError
Definition: ossl.c:242
rb_define_class_under
VALUE rb_define_class_under(VALUE outer, const char *name, VALUE super)
Defines a class under the namespace of outer.
Definition: class.c:809
rb_define_module_function
#define rb_define_module_function(klass, mid, func, arity)
Defines klass#mid and makes it a module function.
Definition: cxxanyargs.hpp:674
ossl_evp_get_digestbyname
const EVP_MD * ossl_evp_get_digestbyname(VALUE obj)
Definition: ossl_digest.c:45
rb_eStandardError
VALUE rb_eStandardError
Definition: error.c:1090
Generated by   doxygen 1.8.17