[openssl-dev] [openssl.org #3998] [PATCH] Allow scrypt to be disabled
David Woodhouse via RT
rt at openssl.org
Fri Aug 7 16:37:20 UTC 2015
>From a15e06fa9600aecfee8fead41c2f47e052958d12 Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse at intel.com>
Date: Fri, 7 Aug 2015 16:47:10 +0100
Subject: [PATCH] Allow scrypt to be disabled
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available.
---
apps/pkcs8.c | 12 +++++++++++-
crypto/asn1/p5_scrypt.c | 2 ++
crypto/evp/evp_pbe.c | 2 ++
crypto/evp/scrypt.c | 3 +++
include/openssl/evp.h | 2 ++
include/openssl/x509.h | 3 ++-
6 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index 919b8f1..9f689f1 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -69,7 +69,9 @@ typedef enum OPTION_choice {
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
- OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P
+#ifndef OPENSSL_NO_SCRYPT
+ OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
+#endif
} OPTION_CHOICE;
OPTIONS pkcs8_options[] = {
@@ -94,10 +96,12 @@ OPTIONS pkcs8_options[] = {
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
+#ifndef OPENSSL_NO_SCRYPT
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
{"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
{"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
{"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
+#endif
{NULL}
};
@@ -116,7 +120,9 @@ int pkcs8_main(int argc, char **argv)
int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
int private = 0;
+#ifndef OPENSSL_NO_SCRYPT
unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
+#endif
prog = opt_init(argc, argv, pkcs8_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -195,6 +201,7 @@ int pkcs8_main(int argc, char **argv)
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
+#ifndef OPENSSL_NO_SCRYPT
case OPT_SCRYPT:
scrypt_N = 1024;
scrypt_r = 8;
@@ -214,6 +221,7 @@ int pkcs8_main(int argc, char **argv)
if (!opt_ulong(opt_arg(), &scrypt_p))
goto opthelp;
break;
+#endif
}
}
argc = opt_num_rest();
@@ -260,10 +268,12 @@ int pkcs8_main(int argc, char **argv)
} else {
X509_ALGOR *pbe;
if (cipher) {
+#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
scrypt_N, scrypt_r, scrypt_p);
else
+#endif
pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
pbe_nid);
} else {
diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c
index 5c4de79..35ff396 100644
--- a/crypto/asn1/p5_scrypt.c
+++ b/crypto/asn1/p5_scrypt.c
@@ -65,6 +65,7 @@
#include <openssl/x509.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_NO_SCRYPT
/* PKCS#5 scrypt password based encryption structures */
typedef struct {
@@ -330,3 +331,4 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
SCRYPT_PARAMS_free(sparam);
return rv;
}
+#endif /* OPENSSL_NO_SCRYPT */
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index 13d9658..f84973e 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -119,7 +119,9 @@ static const EVP_PBE_CTL builtin_pbe[] = {
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
{EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
{EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
+#ifndef OPENSSL_NO_SCRYPT
{EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen}
+#endif
};
#ifdef TEST
diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c
index 4254abf..fb26e14 100644
--- a/crypto/evp/scrypt.c
+++ b/crypto/evp/scrypt.c
@@ -64,6 +64,7 @@
#include <openssl/err.h>
#include <internal/numbers.h>
+#ifndef OPENSSL_NO_SCRYPT
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
static void salsa208_word_specification(uint32_t inout[16])
{
@@ -296,3 +297,5 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
OPENSSL_clear_free(B, Blen + Vlen);
return rv;
}
+
+#endif /* OPENSSL_NO_SCRYPT */
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index dff81b0..68306a1 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1067,10 +1067,12 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher,
const EVP_MD *md, int en_de);
+#ifndef OPENSSL_NO_SCRYPT
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen);
+#endif
int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param,
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 3b186a4..b253b29 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1109,11 +1109,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
unsigned char *salt, int saltlen,
unsigned char *aiv, int prf_nid);
+#ifndef OPENSSL_NO_SCRYPT
X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
const unsigned char *salt, int saltlen,
unsigned char *aiv, uint64_t N, uint64_t r,
uint64_t p);
-
+#endif
X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
int prf_nid, int keylen);
--
2.4.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150807/d91fa8f3/attachment.bin>
-------------- next part --------------
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
More information about the openssl-dev
mailing list