p5_scrypt.c 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274
  1. /*
  2. * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/asn1t.h>
  12. #include <openssl/err.h>
  13. #include <openssl/evp.h>
  14. #include <openssl/x509.h>
  15. #include <openssl/rand.h>
  16. #ifndef OPENSSL_NO_SCRYPT
  17. /* PKCS#5 scrypt password based encryption structures */
  18. ASN1_SEQUENCE(SCRYPT_PARAMS) = {
  19. ASN1_SIMPLE(SCRYPT_PARAMS, salt, ASN1_OCTET_STRING),
  20. ASN1_SIMPLE(SCRYPT_PARAMS, costParameter, ASN1_INTEGER),
  21. ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER),
  22. ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER),
  23. ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER),
  24. } ASN1_SEQUENCE_END(SCRYPT_PARAMS)
  25. IMPLEMENT_ASN1_FUNCTIONS(SCRYPT_PARAMS)
  26. static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
  27. size_t keylen, uint64_t N, uint64_t r,
  28. uint64_t p);
  29. /*
  30. * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm using scrypt
  31. */
  32. X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
  33. const unsigned char *salt, int saltlen,
  34. unsigned char *aiv, uint64_t N, uint64_t r,
  35. uint64_t p)
  36. {
  37. X509_ALGOR *scheme = NULL, *ret = NULL;
  38. int alg_nid;
  39. size_t keylen = 0;
  40. EVP_CIPHER_CTX *ctx = NULL;
  41. unsigned char iv[EVP_MAX_IV_LENGTH];
  42. PBE2PARAM *pbe2 = NULL;
  43. if (!cipher) {
  44. ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_PASSED_NULL_PARAMETER);
  45. goto err;
  46. }
  47. if (EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
  48. ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
  49. ASN1_R_INVALID_SCRYPT_PARAMETERS);
  50. goto err;
  51. }
  52. alg_nid = EVP_CIPHER_type(cipher);
  53. if (alg_nid == NID_undef) {
  54. ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
  55. ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
  56. goto err;
  57. }
  58. pbe2 = PBE2PARAM_new();
  59. if (pbe2 == NULL)
  60. goto merr;
  61. /* Setup the AlgorithmIdentifier for the encryption scheme */
  62. scheme = pbe2->encryption;
  63. scheme->algorithm = OBJ_nid2obj(alg_nid);
  64. scheme->parameter = ASN1_TYPE_new();
  65. if (scheme->parameter == NULL)
  66. goto merr;
  67. /* Create random IV */
  68. if (EVP_CIPHER_iv_length(cipher)) {
  69. if (aiv)
  70. memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
  71. else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
  72. goto err;
  73. }
  74. ctx = EVP_CIPHER_CTX_new();
  75. if (ctx == NULL)
  76. goto merr;
  77. /* Dummy cipherinit to just setup the IV */
  78. if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
  79. goto err;
  80. if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
  81. ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
  82. ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
  83. goto err;
  84. }
  85. EVP_CIPHER_CTX_free(ctx);
  86. ctx = NULL;
  87. /* If its RC2 then we'd better setup the key length */
  88. if (alg_nid == NID_rc2_cbc)
  89. keylen = EVP_CIPHER_key_length(cipher);
  90. /* Setup keyfunc */
  91. X509_ALGOR_free(pbe2->keyfunc);
  92. pbe2->keyfunc = pkcs5_scrypt_set(salt, saltlen, keylen, N, r, p);
  93. if (pbe2->keyfunc == NULL)
  94. goto merr;
  95. /* Now set up top level AlgorithmIdentifier */
  96. ret = X509_ALGOR_new();
  97. if (ret == NULL)
  98. goto merr;
  99. ret->algorithm = OBJ_nid2obj(NID_pbes2);
  100. /* Encode PBE2PARAM into parameter */
  101. if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
  102. &ret->parameter) == NULL)
  103. goto merr;
  104. PBE2PARAM_free(pbe2);
  105. pbe2 = NULL;
  106. return ret;
  107. merr:
  108. ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_MALLOC_FAILURE);
  109. err:
  110. PBE2PARAM_free(pbe2);
  111. X509_ALGOR_free(ret);
  112. EVP_CIPHER_CTX_free(ctx);
  113. return NULL;
  114. }
  115. static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
  116. size_t keylen, uint64_t N, uint64_t r,
  117. uint64_t p)
  118. {
  119. X509_ALGOR *keyfunc = NULL;
  120. SCRYPT_PARAMS *sparam = SCRYPT_PARAMS_new();
  121. if (sparam == NULL)
  122. goto merr;
  123. if (!saltlen)
  124. saltlen = PKCS5_SALT_LEN;
  125. /* This will either copy salt or grow the buffer */
  126. if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0)
  127. goto merr;
  128. if (salt == NULL && RAND_bytes(sparam->salt->data, saltlen) <= 0)
  129. goto err;
  130. if (ASN1_INTEGER_set_uint64(sparam->costParameter, N) == 0)
  131. goto merr;
  132. if (ASN1_INTEGER_set_uint64(sparam->blockSize, r) == 0)
  133. goto merr;
  134. if (ASN1_INTEGER_set_uint64(sparam->parallelizationParameter, p) == 0)
  135. goto merr;
  136. /* If have a key len set it up */
  137. if (keylen > 0) {
  138. sparam->keyLength = ASN1_INTEGER_new();
  139. if (sparam->keyLength == NULL)
  140. goto merr;
  141. if (ASN1_INTEGER_set_int64(sparam->keyLength, keylen) == 0)
  142. goto merr;
  143. }
  144. /* Finally setup the keyfunc structure */
  145. keyfunc = X509_ALGOR_new();
  146. if (keyfunc == NULL)
  147. goto merr;
  148. keyfunc->algorithm = OBJ_nid2obj(NID_id_scrypt);
  149. /* Encode SCRYPT_PARAMS into parameter of pbe2 */
  150. if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), sparam,
  151. &keyfunc->parameter) == NULL)
  152. goto merr;
  153. SCRYPT_PARAMS_free(sparam);
  154. return keyfunc;
  155. merr:
  156. ASN1err(ASN1_F_PKCS5_SCRYPT_SET, ERR_R_MALLOC_FAILURE);
  157. err:
  158. SCRYPT_PARAMS_free(sparam);
  159. X509_ALGOR_free(keyfunc);
  160. return NULL;
  161. }
  162. int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
  163. int passlen, ASN1_TYPE *param,
  164. const EVP_CIPHER *c, const EVP_MD *md, int en_de)
  165. {
  166. unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
  167. uint64_t p, r, N;
  168. size_t saltlen;
  169. size_t keylen = 0;
  170. int rv = 0;
  171. SCRYPT_PARAMS *sparam = NULL;
  172. if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
  173. EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_NO_CIPHER_SET);
  174. goto err;
  175. }
  176. /* Decode parameter */
  177. sparam = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), param);
  178. if (sparam == NULL) {
  179. EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_DECODE_ERROR);
  180. goto err;
  181. }
  182. keylen = EVP_CIPHER_CTX_key_length(ctx);
  183. /* Now check the parameters of sparam */
  184. if (sparam->keyLength) {
  185. uint64_t spkeylen;
  186. if ((ASN1_INTEGER_get_uint64(&spkeylen, sparam->keyLength) == 0)
  187. || (spkeylen != keylen)) {
  188. EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
  189. EVP_R_UNSUPPORTED_KEYLENGTH);
  190. goto err;
  191. }
  192. }
  193. /* Check all parameters fit in uint64_t and are acceptable to scrypt */
  194. if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0
  195. || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0
  196. || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0
  197. || EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
  198. EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
  199. EVP_R_ILLEGAL_SCRYPT_PARAMETERS);
  200. goto err;
  201. }
  202. /* it seems that its all OK */
  203. salt = sparam->salt->data;
  204. saltlen = sparam->salt->length;
  205. if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen)
  206. == 0)
  207. goto err;
  208. rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
  209. err:
  210. if (keylen)
  211. OPENSSL_cleanse(key, keylen);
  212. SCRYPT_PARAMS_free(sparam);
  213. return rv;
  214. }
  215. #endif /* OPENSSL_NO_SCRYPT */