[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Fri Sep 4 18:09:41 UTC 2015
The branch master has been updated
via b0809bc8ffb34bf89de9e68d8caeb4d8c2aa08f9 (commit)
from a939b0aab5deb3678308df804d25a340240deee5 (commit)
- Log -----------------------------------------------------------------
commit b0809bc8ffb34bf89de9e68d8caeb4d8c2aa08f9
Author: Rich Salz <rsalz at akamai.com>
Date: Fri Sep 4 13:07:10 2015 -0400
RT3998: Allow scrypt to be disabled
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available. Mostly done by David Woodhouse.
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs8.c | 14 ++++++++++++--
crypto/asn1/p5_scrypt.c | 2 ++
crypto/evp/evp_pbe.c | 2 ++
crypto/evp/scrypt.c | 3 +++
include/openssl/evp.h | 2 ++
include/openssl/x509.h | 2 ++
makevms.com | 1 +
test/evp_test.c | 14 +++++++++++---
util/libeay.num | 6 +++---
util/mkdef.pl | 5 ++++-
10 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index 919b8f1..b120b93 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -68,8 +68,10 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
- OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
- OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P
+#ifndef OPENSSL_NO_SCRYPT
+ OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
+#endif
+ OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
} OPTION_CHOICE;
OPTIONS pkcs8_options[] = {
@@ -94,10 +96,12 @@ OPTIONS pkcs8_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+#ifndef OPENSSL_NO_SCRYPT
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
+#endif
{NULL}
};
@@ -116,7 +120,9 @@ int pkcs8_main(int argc, char **argv)
int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
int private = 0;
+#ifndef OPENSSL_NO_SCRYPT
unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
+#endif
prog = opt_init(argc, argv, pkcs8_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -195,6 +201,7 @@ int pkcs8_main(int argc, char **argv)
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
+#ifndef OPENSSL_NO_SCRYPT
case OPT_SCRYPT:
scrypt_N = 1024;
scrypt_r = 8;
@@ -214,6 +221,7 @@ int pkcs8_main(int argc, char **argv)
if (!opt_ulong(opt_arg(), &scrypt_p))
goto opthelp;
break;
+#endif
}
}
argc = opt_num_rest();
@@ -260,10 +268,12 @@ int pkcs8_main(int argc, char **argv)
} else {
X509_ALGOR *pbe;
if (cipher) {
+#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
scrypt_N, scrypt_r, scrypt_p);
else
+#endif
pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
pbe_nid);
} else {
diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c
index 5c4de79..35ff396 100644
--- a/crypto/asn1/p5_scrypt.c
+++ b/crypto/asn1/p5_scrypt.c
@@ -65,6 +65,7 @@
#include <openssl/x509.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_NO_SCRYPT
/* PKCS#5 scrypt password based encryption structures */
typedef struct {
@@ -330,3 +331,4 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
SCRYPT_PARAMS_free(sparam);
return rv;
}
+#endif /* OPENSSL_NO_SCRYPT */
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index b9330f5..6172d95 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -119,7 +119,9 @@ static const EVP_PBE_CTL builtin_pbe[] = {
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
{EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
{EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
+#ifndef OPENSSL_NO_SCRYPT
{EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen}
+#endif
};
int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c
index 09dfdf2..380e1fa 100644
--- a/crypto/evp/scrypt.c
+++ b/crypto/evp/scrypt.c
@@ -64,6 +64,8 @@
#include <openssl/err.h>
#include <internal/numbers.h>
+#ifndef OPENSSL_NO_SCRYPT
+
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
static void salsa208_word_specification(uint32_t inout[16])
{
@@ -296,3 +298,4 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
OPENSSL_clear_free(B, Blen + Vlen);
return rv;
}
+#endif
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index d5333e2..374c926 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1075,6 +1075,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher,
const EVP_MD *md, int en_de);
+#ifndef OPENSSL_NO_SCRYPT
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
@@ -1083,6 +1084,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md, int en_de);
+#endif
void PKCS5_PBE_add(void);
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 02138cb..da6514d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1052,10 +1052,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
unsigned char *salt, int saltlen,
unsigned char *aiv, int prf_nid);
+#ifndef OPENSSL_NO_SCRYPT
X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
const unsigned char *salt, int saltlen,
unsigned char *aiv, uint64_t N, uint64_t r,
uint64_t p);
+#endif
X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
int prf_nid, int keylen);
diff --git a/makevms.com b/makevms.com
index 35c44ec..4b9a3d7 100755
--- a/makevms.com
+++ b/makevms.com
@@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,-
RFC3779,-
RMD160,-
RSA,-
+ SCRYPT,-
SCTP,-
SEED,-
SOCK,-
diff --git a/test/evp_test.c b/test/evp_test.c
index 90441f3..c5c6e07 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1311,6 +1311,7 @@ struct pbe_data {
size_t key_len;
};
+#ifndef OPENSSL_NO_SCRYPT
static int scrypt_test_parse(struct evp_test *t,
const char *keyword, const char *value)
{
@@ -1326,6 +1327,7 @@ static int scrypt_test_parse(struct evp_test *t,
return test_uint64(value, &pdata->maxmem);
return 0;
}
+#endif
static int pbkdf2_test_parse(struct evp_test *t,
const char *keyword, const char *value)
@@ -1366,8 +1368,10 @@ static int pbe_test_init(struct evp_test *t, const char *alg)
struct pbe_data *pdat;
int pbe_type = 0;
+#ifndef OPENSSL_NO_SCRYPT
if (strcmp(alg, "scrypt") == 0)
pbe_type = PBE_TYPE_SCRYPT;
+#endif
else if (strcmp(alg, "pbkdf2") == 0)
pbe_type = PBE_TYPE_PBKDF2;
else if (strcmp(alg, "pkcs12") == 0)
@@ -1408,12 +1412,14 @@ static int pbe_test_parse(struct evp_test *t,
return test_bin(value, &pdata->salt, &pdata->salt_len);
if (strcmp(keyword, "Key") == 0)
return test_bin(value, &pdata->key, &pdata->key_len);
- if (pdata->pbe_type == PBE_TYPE_SCRYPT)
- return scrypt_test_parse(t, keyword, value);
- else if (pdata->pbe_type == PBE_TYPE_PBKDF2)
+ if (pdata->pbe_type == PBE_TYPE_PBKDF2)
return pbkdf2_test_parse(t, keyword, value);
else if (pdata->pbe_type == PBE_TYPE_PKCS12)
return pkcs12_test_parse(t, keyword, value);
+#ifndef OPENSSL_NO_SCRYPT
+ else if (pdata->pbe_type == PBE_TYPE_SCRYPT)
+ return scrypt_test_parse(t, keyword, value);
+#endif
return 0;
}
@@ -1433,6 +1439,7 @@ static int pbe_test_run(struct evp_test *t)
pdata->iter, pdata->md,
pdata->key_len, key) == 0)
goto err;
+#ifndef OPENSSL_NO_SCRYPT
} else if (pdata->pbe_type == PBE_TYPE_SCRYPT) {
err = "SCRYPT_ERROR";
if (EVP_PBE_scrypt((const char *)pdata->pass, pdata->pass_len,
@@ -1440,6 +1447,7 @@ static int pbe_test_run(struct evp_test *t)
pdata->N, pdata->r, pdata->p, pdata->maxmem,
key, pdata->key_len) == 0)
goto err;
+#endif
} else if (pdata->pbe_type == PBE_TYPE_PKCS12) {
err = "PKCS12_ERROR";
if (PKCS12_key_gen_uni(pdata->pass, pdata->pass_len,
diff --git a/util/libeay.num b/util/libeay.num
index d7d4049..612fff6 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4563,13 +4563,13 @@ COMP_get_name 4921 EXIST::FUNCTION:
COMP_get_type 4922 EXIST::FUNCTION:
ASN1_INTEGER_get_int64 4923 EXIST::FUNCTION:
ASN1_ENUMERATED_set_int64 4924 EXIST::FUNCTION:
-EVP_PBE_scrypt 4925 EXIST::FUNCTION:
+EVP_PBE_scrypt 4925 EXIST::FUNCTION:SCRYPT
ASN1_INTEGER_set_int64 4926 EXIST::FUNCTION:
ASN1_ENUMERATED_get_int64 4927 EXIST::FUNCTION:
-PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION:
+PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION:SCRYPT
ASN1_INTEGER_get_uint64 4929 EXIST::FUNCTION:
ASN1_INTEGER_set_uint64 4930 EXIST::FUNCTION:
-PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION:
+PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION:SCRYPT
PKCS8_set0_pbe 4932 EXIST::FUNCTION:
DH_bits 4933 EXIST::FUNCTION:DH
RSA_bits 4934 EXIST::FUNCTION:RSA
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 26fa209..c07a3c6 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -69,6 +69,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"SHA256", "SHA512", "RMD160",
"MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M",
"HMAC", "AES", "CAMELLIA", "SEED", "GOST",
+ "SCRYPT",
# EC_NISTP_64_GCC_128
"EC_NISTP_64_GCC_128",
# Envelope "algorithms"
@@ -123,7 +124,7 @@ close(IN);
my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
my $no_cast; my $no_whirlpool; my $no_camellia; my $no_seed;
my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
-my $no_rsa; my $no_dsa; my $no_dh; my $no_aes;
+my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_scrypt;
my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng;
@@ -203,6 +204,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-aes$/) { $no_aes=1; }
elsif (/^no-camellia$/) { $no_camellia=1; }
elsif (/^no-seed$/) { $no_seed=1; }
+ elsif (/^no-scrypt$/) { $no_scrypt=1; }
elsif (/^no-evp$/) { $no_evp=1; }
elsif (/^no-lhash$/) { $no_lhash=1; }
elsif (/^no-stack$/) { $no_stack=1; }
@@ -1187,6 +1189,7 @@ sub is_valid
if ($keyword eq "AES" && $no_aes) { return 0; }
if ($keyword eq "CAMELLIA" && $no_camellia) { return 0; }
if ($keyword eq "SEED" && $no_seed) { return 0; }
+ if ($keyword eq "SCRYPT" && $no_scrypt) { return 0; }
if ($keyword eq "EVP" && $no_evp) { return 0; }
if ($keyword eq "LHASH" && $no_lhash) { return 0; }
if ($keyword eq "STACK" && $no_stack) { return 0; }
More information about the openssl-commits
mailing list