p5_scrypt.c 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311
  1. /*
  2. * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/asn1t.h>
  12. #include <openssl/core_names.h>
  13. #include <openssl/err.h>
  14. #include <openssl/evp.h>
  15. #include <openssl/x509.h>
  16. #include <openssl/rand.h>
  17. #include "crypto/evp.h"
  18. #ifndef OPENSSL_NO_SCRYPT
  19. /* PKCS#5 scrypt password based encryption structures */
  20. ASN1_SEQUENCE(SCRYPT_PARAMS) = {
  21. ASN1_SIMPLE(SCRYPT_PARAMS, salt, ASN1_OCTET_STRING),
  22. ASN1_SIMPLE(SCRYPT_PARAMS, costParameter, ASN1_INTEGER),
  23. ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER),
  24. ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER),
  25. ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER),
  26. } ASN1_SEQUENCE_END(SCRYPT_PARAMS)
  27. IMPLEMENT_ASN1_FUNCTIONS(SCRYPT_PARAMS)
  28. static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
  29. size_t keylen, uint64_t N, uint64_t r,
  30. uint64_t p);
  31. /*
  32. * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm using scrypt
  33. */
  34. X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
  35. const unsigned char *salt, int saltlen,
  36. unsigned char *aiv, uint64_t N, uint64_t r,
  37. uint64_t p)
  38. {
  39. X509_ALGOR *scheme = NULL, *ret = NULL;
  40. int alg_nid;
  41. size_t keylen = 0;
  42. EVP_CIPHER_CTX *ctx = NULL;
  43. unsigned char iv[EVP_MAX_IV_LENGTH];
  44. PBE2PARAM *pbe2 = NULL;
  45. if (!cipher) {
  46. ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
  47. goto err;
  48. }
  49. if (EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
  50. ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_SCRYPT_PARAMETERS);
  51. goto err;
  52. }
  53. alg_nid = EVP_CIPHER_get_type(cipher);
  54. if (alg_nid == NID_undef) {
  55. ERR_raise(ERR_LIB_ASN1, ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
  56. goto err;
  57. }
  58. pbe2 = PBE2PARAM_new();
  59. if (pbe2 == NULL) {
  60. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  61. goto err;
  62. }
  63. /* Setup the AlgorithmIdentifier for the encryption scheme */
  64. scheme = pbe2->encryption;
  65. scheme->algorithm = OBJ_nid2obj(alg_nid);
  66. scheme->parameter = ASN1_TYPE_new();
  67. if (scheme->parameter == NULL) {
  68. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  69. goto err;
  70. }
  71. /* Create random IV */
  72. if (EVP_CIPHER_get_iv_length(cipher)) {
  73. if (aiv)
  74. memcpy(iv, aiv, EVP_CIPHER_get_iv_length(cipher));
  75. else if (RAND_bytes(iv, EVP_CIPHER_get_iv_length(cipher)) <= 0)
  76. goto err;
  77. }
  78. ctx = EVP_CIPHER_CTX_new();
  79. if (ctx == NULL) {
  80. ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
  81. goto err;
  82. }
  83. /* Dummy cipherinit to just setup the IV */
  84. if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
  85. goto err;
  86. if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
  87. ERR_raise(ERR_LIB_ASN1, ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
  88. goto err;
  89. }
  90. EVP_CIPHER_CTX_free(ctx);
  91. ctx = NULL;
  92. /* If its RC2 then we'd better setup the key length */
  93. if (alg_nid == NID_rc2_cbc)
  94. keylen = EVP_CIPHER_get_key_length(cipher);
  95. /* Setup keyfunc */
  96. X509_ALGOR_free(pbe2->keyfunc);
  97. pbe2->keyfunc = pkcs5_scrypt_set(salt, saltlen, keylen, N, r, p);
  98. if (pbe2->keyfunc == NULL) {
  99. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  100. goto err;
  101. }
  102. /* Now set up top level AlgorithmIdentifier */
  103. ret = X509_ALGOR_new();
  104. if (ret == NULL) {
  105. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  106. goto err;
  107. }
  108. ret->algorithm = OBJ_nid2obj(NID_pbes2);
  109. /* Encode PBE2PARAM into parameter */
  110. if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
  111. &ret->parameter) == NULL) {
  112. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  113. goto err;
  114. }
  115. PBE2PARAM_free(pbe2);
  116. pbe2 = NULL;
  117. return ret;
  118. err:
  119. PBE2PARAM_free(pbe2);
  120. X509_ALGOR_free(ret);
  121. EVP_CIPHER_CTX_free(ctx);
  122. return NULL;
  123. }
  124. static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
  125. size_t keylen, uint64_t N, uint64_t r,
  126. uint64_t p)
  127. {
  128. X509_ALGOR *keyfunc = NULL;
  129. SCRYPT_PARAMS *sparam = SCRYPT_PARAMS_new();
  130. if (sparam == NULL) {
  131. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  132. goto err;
  133. }
  134. if (!saltlen)
  135. saltlen = PKCS5_DEFAULT_PBE2_SALT_LEN;
  136. /* This will either copy salt or grow the buffer */
  137. if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0) {
  138. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  139. goto err;
  140. }
  141. if (salt == NULL && RAND_bytes(sparam->salt->data, saltlen) <= 0)
  142. goto err;
  143. if (ASN1_INTEGER_set_uint64(sparam->costParameter, N) == 0) {
  144. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  145. goto err;
  146. }
  147. if (ASN1_INTEGER_set_uint64(sparam->blockSize, r) == 0) {
  148. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  149. goto err;
  150. }
  151. if (ASN1_INTEGER_set_uint64(sparam->parallelizationParameter, p) == 0) {
  152. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  153. goto err;
  154. }
  155. /* If have a key len set it up */
  156. if (keylen > 0) {
  157. sparam->keyLength = ASN1_INTEGER_new();
  158. if (sparam->keyLength == NULL) {
  159. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  160. goto err;
  161. }
  162. if (ASN1_INTEGER_set_int64(sparam->keyLength, keylen) == 0) {
  163. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  164. goto err;
  165. }
  166. }
  167. /* Finally setup the keyfunc structure */
  168. keyfunc = X509_ALGOR_new();
  169. if (keyfunc == NULL) {
  170. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  171. goto err;
  172. }
  173. keyfunc->algorithm = OBJ_nid2obj(NID_id_scrypt);
  174. /* Encode SCRYPT_PARAMS into parameter of pbe2 */
  175. if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), sparam,
  176. &keyfunc->parameter) == NULL) {
  177. ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
  178. goto err;
  179. }
  180. SCRYPT_PARAMS_free(sparam);
  181. return keyfunc;
  182. err:
  183. SCRYPT_PARAMS_free(sparam);
  184. X509_ALGOR_free(keyfunc);
  185. return NULL;
  186. }
  187. int PKCS5_v2_scrypt_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass,
  188. int passlen, ASN1_TYPE *param,
  189. const EVP_CIPHER *c, const EVP_MD *md, int en_de,
  190. OSSL_LIB_CTX *libctx, const char *propq)
  191. {
  192. unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
  193. uint64_t p, r, N;
  194. size_t saltlen;
  195. size_t keylen = 0;
  196. int t, rv = 0;
  197. SCRYPT_PARAMS *sparam = NULL;
  198. if (EVP_CIPHER_CTX_get0_cipher(ctx) == NULL) {
  199. ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
  200. goto err;
  201. }
  202. /* Decode parameter */
  203. sparam = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), param);
  204. if (sparam == NULL) {
  205. ERR_raise(ERR_LIB_EVP, EVP_R_DECODE_ERROR);
  206. goto err;
  207. }
  208. t = EVP_CIPHER_CTX_get_key_length(ctx);
  209. if (t < 0) {
  210. ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
  211. goto err;
  212. }
  213. keylen = t;
  214. /* Now check the parameters of sparam */
  215. if (sparam->keyLength) {
  216. uint64_t spkeylen;
  217. if ((ASN1_INTEGER_get_uint64(&spkeylen, sparam->keyLength) == 0)
  218. || (spkeylen != keylen)) {
  219. ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_KEYLENGTH);
  220. goto err;
  221. }
  222. }
  223. /* Check all parameters fit in uint64_t and are acceptable to scrypt */
  224. if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0
  225. || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0
  226. || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0
  227. || EVP_PBE_scrypt_ex(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0,
  228. libctx, propq) == 0) {
  229. ERR_raise(ERR_LIB_EVP, EVP_R_ILLEGAL_SCRYPT_PARAMETERS);
  230. goto err;
  231. }
  232. /* it seems that its all OK */
  233. salt = sparam->salt->data;
  234. saltlen = sparam->salt->length;
  235. if (EVP_PBE_scrypt_ex(pass, passlen, salt, saltlen, N, r, p, 0, key,
  236. keylen, libctx, propq) == 0)
  237. goto err;
  238. rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
  239. err:
  240. if (keylen)
  241. OPENSSL_cleanse(key, keylen);
  242. SCRYPT_PARAMS_free(sparam);
  243. return rv;
  244. }
  245. int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
  246. int passlen, ASN1_TYPE *param,
  247. const EVP_CIPHER *c, const EVP_MD *md, int en_de)
  248. {
  249. return PKCS5_v2_scrypt_keyivgen_ex(ctx, pass, passlen, param, c, md, en_de, NULL, NULL);
  250. }
  251. #endif /* OPENSSL_NO_SCRYPT */