Apologies, previous patch was incomplete. This one actually builds *and* I committed the last changes and included them this time.
-- David Woodhouse Open Source Technology Centre [email protected] Intel Corporation
>From d83c175afc768c4ce75601f28c3eba786ade44f2 Mon Sep 17 00:00:00 2001 From: David Woodhouse <[email protected]> Date: Fri, 7 Aug 2015 16:47:10 +0100 Subject: [PATCH] RT3998: Allow scrypt to be disabled This does 64-bit division and multiplication, and on 32-bit platforms pulls in libgcc symbols (and MSVC does similar) which may not be available. --- apps/pkcs8.c | 12 +++++++++++- crypto/asn1/p5_scrypt.c | 2 ++ crypto/evp/evp_pbe.c | 2 ++ crypto/evp/scrypt.c | 3 +++ include/openssl/evp.h | 2 ++ include/openssl/x509.h | 3 ++- makevms.com | 1 + test/evp_test.c | 20 ++++++++++++++------ util/mkdef.pl | 6 +++++- 9 files changed, 42 insertions(+), 9 deletions(-) diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 919b8f1..9f689f1 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -69,7 +69,9 @@ typedef enum OPTION_choice { OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED, OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT, - OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P +#ifndef OPENSSL_NO_SCRYPT + OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P, +#endif } OPTION_CHOICE; OPTIONS pkcs8_options[] = { @@ -94,10 +96,12 @@ OPTIONS pkcs8_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif +#ifndef OPENSSL_NO_SCRYPT {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"}, {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"}, {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"}, {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"}, +#endif {NULL} }; @@ -116,7 +120,9 @@ int pkcs8_main(int argc, char **argv) int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK; int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; int private = 0; +#ifndef OPENSSL_NO_SCRYPT unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; +#endif prog = opt_init(argc, argv, pkcs8_options); while ((o = opt_next()) != OPT_EOF) { @@ -195,6 +201,7 @@ int pkcs8_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; +#ifndef OPENSSL_NO_SCRYPT case OPT_SCRYPT: scrypt_N = 1024; scrypt_r = 8; @@ -214,6 +221,7 @@ int pkcs8_main(int argc, char **argv) if (!opt_ulong(opt_arg(), &scrypt_p)) goto opthelp; break; +#endif } } argc = opt_num_rest(); @@ -260,10 +268,12 @@ int pkcs8_main(int argc, char **argv) } else { X509_ALGOR *pbe; if (cipher) { +#ifndef OPENSSL_NO_SCRYPT if (scrypt_N && scrypt_r && scrypt_p) pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL, scrypt_N, scrypt_r, scrypt_p); else +#endif pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL, pbe_nid); } else { diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 5c4de79..35ff396 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -65,6 +65,7 @@ #include <openssl/x509.h> #include <openssl/rand.h> +#ifndef OPENSSL_NO_SCRYPT /* PKCS#5 scrypt password based encryption structures */ typedef struct { @@ -330,3 +331,4 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, SCRYPT_PARAMS_free(sparam); return rv; } +#endif /* OPENSSL_NO_SCRYPT */ diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 13d9658..f84973e 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -119,7 +119,9 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0}, {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0}, {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, +#ifndef OPENSSL_NO_SCRYPT {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen} +#endif }; #ifdef TEST diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c index 4254abf..fb26e14 100644 --- a/crypto/evp/scrypt.c +++ b/crypto/evp/scrypt.c @@ -64,6 +64,7 @@ #include <openssl/err.h> #include <internal/numbers.h> +#ifndef OPENSSL_NO_SCRYPT #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) static void salsa208_word_specification(uint32_t inout[16]) { @@ -296,3 +297,5 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, OPENSSL_clear_free(B, Blen + Vlen); return rv; } + +#endif /* OPENSSL_NO_SCRYPT */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index dff81b0..63eb85a 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1067,6 +1067,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); +#ifndef OPENSSL_NO_SCRYPT int EVP_PBE_scrypt(const char *pass, size_t passlen, const unsigned char *salt, size_t saltlen, uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, @@ -1075,6 +1076,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); +#endif void PKCS5_PBE_add(void); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 3b186a4..b253b29 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1109,11 +1109,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, unsigned char *salt, int saltlen, unsigned char *aiv, int prf_nid); +#ifndef OPENSSL_NO_SCRYPT X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, const unsigned char *salt, int saltlen, unsigned char *aiv, uint64_t N, uint64_t r, uint64_t p); - +#endif X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid, int keylen); diff --git a/makevms.com b/makevms.com index 500b191..ef80eb2 100755 --- a/makevms.com +++ b/makevms.com @@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,- RFC3779,- RMD160,- RSA,- + SCRYPT,- SCT,- SCTP,- SEED,- diff --git a/test/evp_test.c b/test/evp_test.c index 90441f3..05bee1d 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1311,6 +1311,7 @@ struct pbe_data { size_t key_len; }; +#ifndef OPENSSL_NO_SCRYPT static int scrypt_test_parse(struct evp_test *t, const char *keyword, const char *value) { @@ -1326,6 +1327,7 @@ static int scrypt_test_parse(struct evp_test *t, return test_uint64(value, &pdata->maxmem); return 0; } +#endif static int pbkdf2_test_parse(struct evp_test *t, const char *keyword, const char *value) @@ -1366,12 +1368,14 @@ static int pbe_test_init(struct evp_test *t, const char *alg) struct pbe_data *pdat; int pbe_type = 0; - if (strcmp(alg, "scrypt") == 0) - pbe_type = PBE_TYPE_SCRYPT; - else if (strcmp(alg, "pbkdf2") == 0) + if (strcmp(alg, "pbkdf2") == 0) pbe_type = PBE_TYPE_PBKDF2; else if (strcmp(alg, "pkcs12") == 0) pbe_type = PBE_TYPE_PKCS12; +#ifndef OPENSSL_NO_SCRYPT + else if (strcmp(alg, "scrypt") == 0) + pbe_type = PBE_TYPE_SCRYPT; +#endif else fprintf(stderr, "Unknown pbe algorithm %s\n", alg); pdat = OPENSSL_malloc(sizeof(*pdat)); @@ -1408,12 +1412,14 @@ static int pbe_test_parse(struct evp_test *t, return test_bin(value, &pdata->salt, &pdata->salt_len); if (strcmp(keyword, "Key") == 0) return test_bin(value, &pdata->key, &pdata->key_len); - if (pdata->pbe_type == PBE_TYPE_SCRYPT) - return scrypt_test_parse(t, keyword, value); - else if (pdata->pbe_type == PBE_TYPE_PBKDF2) + if (pdata->pbe_type == PBE_TYPE_PBKDF2) return pbkdf2_test_parse(t, keyword, value); else if (pdata->pbe_type == PBE_TYPE_PKCS12) return pkcs12_test_parse(t, keyword, value); +#ifndef OPENSSL_NO_SCRYPT + else if (pdata->pbe_type == PBE_TYPE_SCRYPT) + return scrypt_test_parse(t, keyword, value); +#endif return 0; } @@ -1433,6 +1439,7 @@ static int pbe_test_run(struct evp_test *t) pdata->iter, pdata->md, pdata->key_len, key) == 0) goto err; +#ifndef OPENSSL_NO_SCRYPT } else if (pdata->pbe_type == PBE_TYPE_SCRYPT) { err = "SCRYPT_ERROR"; if (EVP_PBE_scrypt((const char *)pdata->pass, pdata->pass_len, @@ -1440,6 +1447,7 @@ static int pbe_test_run(struct evp_test *t) pdata->N, pdata->r, pdata->p, pdata->maxmem, key, pdata->key_len) == 0) goto err; +#endif } else if (pdata->pbe_type == PBE_TYPE_PKCS12) { err = "PKCS12_ERROR"; if (PKCS12_key_gen_uni(pdata->pass, pdata->pass_len, diff --git a/util/mkdef.pl b/util/mkdef.pl index 3147856..10cfffa 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -69,6 +69,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "SHA256", "SHA512", "RMD160", "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M", "HMAC", "AES", "CAMELLIA", "SEED", "GOST", + # SCRYPT KDF + "SCRYPT", # EC_NISTP_64_GCC_128 "EC_NISTP_64_GCC_128", # Envelope "algorithms" @@ -125,7 +127,7 @@ close(IN); my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf; my $no_cast; my $no_whirlpool; my $no_camellia; my $no_seed; my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; -my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; +my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_scrypt; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; my $no_sct; my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng; @@ -205,6 +207,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-aes$/) { $no_aes=1; } elsif (/^no-camellia$/) { $no_camellia=1; } elsif (/^no-seed$/) { $no_seed=1; } + elsif (/^no-scrypt$/) { $no_scrypt=1; } elsif (/^no-evp$/) { $no_evp=1; } elsif (/^no-lhash$/) { $no_lhash=1; } elsif (/^no-stack$/) { $no_stack=1; } @@ -1190,6 +1193,7 @@ sub is_valid if ($keyword eq "AES" && $no_aes) { return 0; } if ($keyword eq "CAMELLIA" && $no_camellia) { return 0; } if ($keyword eq "SEED" && $no_seed) { return 0; } + if ($keyword eq "SCRYPT" && $no_scrypt) { return 0; } if ($keyword eq "EVP" && $no_evp) { return 0; } if ($keyword eq "LHASH" && $no_lhash) { return 0; } if ($keyword eq "STACK" && $no_stack) { return 0; } -- 2.4.3
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
