[thirdparty/openssl.git] / crypto / asn1 / p5_scrypt.c

/*
 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/rand.h>

#ifndef OPENSSL_NO_SCRYPT
/* PKCS#5 scrypt password based encryption structures */

ASN1_SEQUENCE(SCRYPT_PARAMS) = {
        ASN1_SIMPLE(SCRYPT_PARAMS, salt, ASN1_OCTET_STRING),
        ASN1_SIMPLE(SCRYPT_PARAMS, costParameter, ASN1_INTEGER),
        ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER),
        ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER),
        ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER),
} ASN1_SEQUENCE_END(SCRYPT_PARAMS)

IMPLEMENT_ASN1_FUNCTIONS(SCRYPT_PARAMS)

static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
                                    size_t keylen, uint64_t N, uint64_t r,
                                    uint64_t p);

/*
 * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm using scrypt
 */

X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
                                  const unsigned char *salt, int saltlen,
                                  unsigned char *aiv, uint64_t N, uint64_t r,
                                  uint64_t p)
{
    X509_ALGOR *scheme = NULL, *ret = NULL;
    int alg_nid;
    size_t keylen = 0;
    EVP_CIPHER_CTX *ctx = NULL;
    unsigned char iv[EVP_MAX_IV_LENGTH];
    PBE2PARAM *pbe2 = NULL;

    if (!cipher) {
        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_PASSED_NULL_PARAMETER);
        goto err;
    }

    if (EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
                ASN1_R_INVALID_SCRYPT_PARAMETERS);
        goto err;
    }

    alg_nid = EVP_CIPHER_type(cipher);
    if (alg_nid == NID_undef) {
        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
                ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
        goto err;
    }

    pbe2 = PBE2PARAM_new();
    if (pbe2 == NULL)
        goto merr;

    /* Setup the AlgorithmIdentifier for the encryption scheme */
    scheme = pbe2->encryption;

    scheme->algorithm = OBJ_nid2obj(alg_nid);
    scheme->parameter = ASN1_TYPE_new();
    if (scheme->parameter == NULL)
        goto merr;

    /* Create random IV */
    if (EVP_CIPHER_iv_length(cipher)) {
        if (aiv)
            memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
        else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
            goto err;
    }

    ctx = EVP_CIPHER_CTX_new();
    if (ctx == NULL)
        goto merr;

    /* Dummy cipherinit to just setup the IV */
    if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
        goto err;
    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
                ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
        goto err;
    }
    EVP_CIPHER_CTX_free(ctx);
    ctx = NULL;

    /* If its RC2 then we'd better setup the key length */

    if (alg_nid == NID_rc2_cbc)
        keylen = EVP_CIPHER_key_length(cipher);

    /* Setup keyfunc */

    X509_ALGOR_free(pbe2->keyfunc);

    pbe2->keyfunc = pkcs5_scrypt_set(salt, saltlen, keylen, N, r, p);

    if (pbe2->keyfunc == NULL)
        goto merr;

    /* Now set up top level AlgorithmIdentifier */

    ret = X509_ALGOR_new();
    if (ret == NULL)
        goto merr;

    ret->algorithm = OBJ_nid2obj(NID_pbes2);

    /* Encode PBE2PARAM into parameter */

    if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
                                &ret->parameter) == NULL)
        goto merr;

    PBE2PARAM_free(pbe2);
    pbe2 = NULL;

    return ret;

 merr:
    ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_MALLOC_FAILURE);

 err:
    PBE2PARAM_free(pbe2);
    X509_ALGOR_free(ret);
    EVP_CIPHER_CTX_free(ctx);

    return NULL;
}

static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
                                    size_t keylen, uint64_t N, uint64_t r,
                                    uint64_t p)
{
    X509_ALGOR *keyfunc = NULL;
    SCRYPT_PARAMS *sparam = SCRYPT_PARAMS_new();

    if (sparam == NULL)
        goto merr;

    if (!saltlen)
        saltlen = PKCS5_SALT_LEN;

    /* This will either copy salt or grow the buffer */
    if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0)
        goto merr;

    if (salt == NULL && RAND_bytes(sparam->salt->data, saltlen) <= 0)
        goto err;

    if (ASN1_INTEGER_set_uint64(sparam->costParameter, N) == 0)
        goto merr;

    if (ASN1_INTEGER_set_uint64(sparam->blockSize, r) == 0)
        goto merr;

    if (ASN1_INTEGER_set_uint64(sparam->parallelizationParameter, p) == 0)
        goto merr;

    /* If have a key len set it up */

    if (keylen > 0) {
        sparam->keyLength = ASN1_INTEGER_new();
        if (sparam->keyLength == NULL)
            goto merr;
        if (ASN1_INTEGER_set_int64(sparam->keyLength, keylen) == 0)
            goto merr;
    }

    /* Finally setup the keyfunc structure */

    keyfunc = X509_ALGOR_new();
    if (keyfunc == NULL)
        goto merr;

    keyfunc->algorithm = OBJ_nid2obj(NID_id_scrypt);

    /* Encode SCRYPT_PARAMS into parameter of pbe2 */

    if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), sparam,
                                &keyfunc->parameter) == NULL)
        goto merr;

    SCRYPT_PARAMS_free(sparam);
    return keyfunc;

 merr:
    ASN1err(ASN1_F_PKCS5_SCRYPT_SET, ERR_R_MALLOC_FAILURE);
 err:
    SCRYPT_PARAMS_free(sparam);
    X509_ALGOR_free(keyfunc);
    return NULL;
}

int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                             int passlen, ASN1_TYPE *param,
                             const EVP_CIPHER *c, const EVP_MD *md, int en_de)
{
    unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
    uint64_t p, r, N;
    size_t saltlen;
    size_t keylen = 0;
    int rv = 0;
    SCRYPT_PARAMS *sparam = NULL;

    if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_NO_CIPHER_SET);
        goto err;
    }

    /* Decode parameter */

    sparam = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), param);

    if (sparam == NULL) {
        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_DECODE_ERROR);
        goto err;
    }

    keylen = EVP_CIPHER_CTX_key_length(ctx);

    /* Now check the parameters of sparam */

    if (sparam->keyLength) {
        uint64_t spkeylen;
        if ((ASN1_INTEGER_get_uint64(&spkeylen, sparam->keyLength) == 0)
            || (spkeylen != keylen)) {
            EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
                   EVP_R_UNSUPPORTED_KEYLENGTH);
            goto err;
        }
    }
    /* Check all parameters fit in uint64_t and are acceptable to scrypt */
    if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0
        || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0
        || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0
        || EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
               EVP_R_ILLEGAL_SCRYPT_PARAMETERS);
        goto err;
    }

    /* it seems that its all OK */

    salt = sparam->salt->data;
    saltlen = sparam->salt->length;
    if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen)
        == 0)
        goto err;
    rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
 err:
    if (keylen)
        OPENSSL_cleanse(key, keylen);
    SCRYPT_PARAMS_free(sparam);
    return rv;
}
#endif /* OPENSSL_NO_SCRYPT */
Commit	Line	Data
e98aa30d	1	/*
6ec5fce2	2	* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
e98aa30d	3	*
2039c421 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
e98aa30d DSH	8	*/
	9
	10	#include <stdio.h>
	11	#include "internal/cryptlib.h"
	12	#include <openssl/asn1t.h>
	13	#include <openssl/err.h>
	14	#include <openssl/evp.h>
	15	#include <openssl/x509.h>
	16	#include <openssl/rand.h>
	17
b0809bc8	18	#ifndef OPENSSL_NO_SCRYPT
e98aa30d DSH	19	/* PKCS#5 scrypt password based encryption structures */
e98aa30d DSH	20
e98aa30d DSH	21	ASN1_SEQUENCE(SCRYPT_PARAMS) = {
	22	ASN1_SIMPLE(SCRYPT_PARAMS, salt, ASN1_OCTET_STRING),
	23	ASN1_SIMPLE(SCRYPT_PARAMS, costParameter, ASN1_INTEGER),
	24	ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER),
	25	ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER),
	26	ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER),
e15c95ce	27	} ASN1_SEQUENCE_END(SCRYPT_PARAMS)
e98aa30d	28
e15c95ce	29	IMPLEMENT_ASN1_FUNCTIONS(SCRYPT_PARAMS)
e98aa30d DSH	30
	31	static X509_ALGOR pkcs5_scrypt_set(const unsigned char salt, size_t saltlen,
	32	size_t keylen, uint64_t N, uint64_t r,
	33	uint64_t p);
	34
	35	/*
	36	* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm using scrypt
	37	*/
	38
	39	X509_ALGOR PKCS5_pbe2_set_scrypt(const EVP_CIPHER cipher,
	40	const unsigned char *salt, int saltlen,
	41	unsigned char *aiv, uint64_t N, uint64_t r,
	42	uint64_t p)
	43	{
2191dc84	44	X509_ALGOR scheme = NULL, ret = NULL;
e98aa30d DSH	45	int alg_nid;
e98aa30d DSH	46	size_t keylen = 0;
846ec07d	47	EVP_CIPHER_CTX *ctx = NULL;
e98aa30d DSH	48	unsigned char iv[EVP_MAX_IV_LENGTH];
e98aa30d DSH	49	PBE2PARAM *pbe2 = NULL;
e98aa30d DSH	50
	51	if (!cipher) {
	52	ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_PASSED_NULL_PARAMETER);
	53	goto err;
	54	}
	55
	56	if (EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
	57	ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
	58	ASN1_R_INVALID_SCRYPT_PARAMETERS);
	59	goto err;
	60	}
	61
	62	alg_nid = EVP_CIPHER_type(cipher);
	63	if (alg_nid == NID_undef) {
	64	ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
	65	ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
	66	goto err;
	67	}
2191dc84	68
e98aa30d DSH	69	pbe2 = PBE2PARAM_new();
	70	if (pbe2 == NULL)
	71	goto merr;
	72
	73	/* Setup the AlgorithmIdentifier for the encryption scheme */
	74	scheme = pbe2->encryption;
	75
2191dc84	76	scheme->algorithm = OBJ_nid2obj(alg_nid);
e98aa30d DSH	77	scheme->parameter = ASN1_TYPE_new();
	78	if (scheme->parameter == NULL)
	79	goto merr;
	80
	81	/* Create random IV */
	82	if (EVP_CIPHER_iv_length(cipher)) {
	83	if (aiv)
	84	memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
e62fb0d3	85	else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
e98aa30d DSH	86	goto err;
	87	}
	88
846ec07d RL	89	ctx = EVP_CIPHER_CTX_new();
	90	if (ctx == NULL)
	91	goto merr;
e98aa30d DSH	92
e98aa30d DSH	93	/* Dummy cipherinit to just setup the IV */
846ec07d	94	if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
e98aa30d	95	goto err;
49c9c1b3	96	if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
e98aa30d DSH	97	ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
e98aa30d DSH	98	ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
e98aa30d DSH	99	goto err;
e98aa30d DSH	100	}
846ec07d RL	101	EVP_CIPHER_CTX_free(ctx);
846ec07d RL	102	ctx = NULL;
e98aa30d DSH	103
	104	/* If its RC2 then we'd better setup the key length */
	105
	106	if (alg_nid == NID_rc2_cbc)
	107	keylen = EVP_CIPHER_key_length(cipher);
	108
	109	/* Setup keyfunc */
	110
	111	X509_ALGOR_free(pbe2->keyfunc);
	112
	113	pbe2->keyfunc = pkcs5_scrypt_set(salt, saltlen, keylen, N, r, p);
	114
	115	if (pbe2->keyfunc == NULL)
	116	goto merr;
	117
	118	/* Now set up top level AlgorithmIdentifier */
	119
	120	ret = X509_ALGOR_new();
	121	if (ret == NULL)
	122	goto merr;
	123
	124	ret->algorithm = OBJ_nid2obj(NID_pbes2);
	125
	126	/* Encode PBE2PARAM into parameter */
	127
	128	if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
	129	&ret->parameter) == NULL)
	130	goto merr;
	131
	132	PBE2PARAM_free(pbe2);
	133	pbe2 = NULL;
	134
	135	return ret;
	136
	137	merr:
	138	ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_MALLOC_FAILURE);
	139
	140	err:
	141	PBE2PARAM_free(pbe2);
e98aa30d	142	X509_ALGOR_free(ret);
846ec07d	143	EVP_CIPHER_CTX_free(ctx);
e98aa30d DSH	144
e98aa30d DSH	145	return NULL;
e98aa30d DSH	146	}
	147
	148	static X509_ALGOR pkcs5_scrypt_set(const unsigned char salt, size_t saltlen,
	149	size_t keylen, uint64_t N, uint64_t r,
	150	uint64_t p)
	151	{
	152	X509_ALGOR *keyfunc = NULL;
2191dc84	153	SCRYPT_PARAMS *sparam = SCRYPT_PARAMS_new();
e98aa30d	154
e98aa30d DSH	155	if (sparam == NULL)
	156	goto merr;
	157
	158	if (!saltlen)
	159	saltlen = PKCS5_SALT_LEN;
	160
	161	/* This will either copy salt or grow the buffer */
	162	if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0)
	163	goto merr;
	164
	165	if (salt == NULL && RAND_bytes(sparam->salt->data, saltlen) <= 0)
	166	goto err;
	167
	168	if (ASN1_INTEGER_set_uint64(sparam->costParameter, N) == 0)
	169	goto merr;
	170
	171	if (ASN1_INTEGER_set_uint64(sparam->blockSize, r) == 0)
	172	goto merr;
	173
	174	if (ASN1_INTEGER_set_uint64(sparam->parallelizationParameter, p) == 0)
	175	goto merr;
	176
	177	/* If have a key len set it up */
	178
	179	if (keylen > 0) {
	180	sparam->keyLength = ASN1_INTEGER_new();
	181	if (sparam->keyLength == NULL)
	182	goto merr;
	183	if (ASN1_INTEGER_set_int64(sparam->keyLength, keylen) == 0)
	184	goto merr;
	185	}
	186
	187	/* Finally setup the keyfunc structure */
	188
	189	keyfunc = X509_ALGOR_new();
90945fa3	190	if (keyfunc == NULL)
e98aa30d DSH	191	goto merr;
	192
	193	keyfunc->algorithm = OBJ_nid2obj(NID_id_scrypt);
	194
	195	/* Encode SCRYPT_PARAMS into parameter of pbe2 */
	196
	197	if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), sparam,
	198	&keyfunc->parameter) == NULL)
	199	goto merr;
	200
	201	SCRYPT_PARAMS_free(sparam);
	202	return keyfunc;
	203
	204	merr:
	205	ASN1err(ASN1_F_PKCS5_SCRYPT_SET, ERR_R_MALLOC_FAILURE);
	206	err:
	207	SCRYPT_PARAMS_free(sparam);
	208	X509_ALGOR_free(keyfunc);
	209	return NULL;
	210	}
	211
	212	int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX ctx, const char pass,
	213	int passlen, ASN1_TYPE *param,
	214	const EVP_CIPHER c, const EVP_MD md, int en_de)
	215	{
	216	unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
	217	uint64_t p, r, N;
	218	size_t saltlen;
	219	size_t keylen = 0;
	220	int rv = 0;
	221	SCRYPT_PARAMS *sparam = NULL;
	222
	223	if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
	224	EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_NO_CIPHER_SET);
	225	goto err;
	226	}
	227
	228	/* Decode parameter */
	229
	230	sparam = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), param);
	231
	232	if (sparam == NULL) {
	233	EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_DECODE_ERROR);
	234	goto err;
	235	}
	236
	237	keylen = EVP_CIPHER_CTX_key_length(ctx);
	238
	239	/* Now check the parameters of sparam */
	240
	241	if (sparam->keyLength) {
	242	uint64_t spkeylen;
	243	if ((ASN1_INTEGER_get_uint64(&spkeylen, sparam->keyLength) == 0)
	244	\|\| (spkeylen != keylen)) {
	245	EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
	246	EVP_R_UNSUPPORTED_KEYLENGTH);
	247	goto err;
	248	}
	249	}
	250	/* Check all parameters fit in uint64_t and are acceptable to scrypt */
	251	if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0
	252	\|\| ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0
	253	\|\| ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0
	254	\|\| EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
255	EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
256	EVP_R_ILLEGAL_SCRYPT_PARAMETERS);
257	goto err;
258	}
259
260	/* it seems that its all OK */
261
262	salt = sparam->salt->data;
263	saltlen = sparam->salt->length;
264	if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen)
265	== 0)
266	goto err;
267	rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
268	err:
269	if (keylen)
270	OPENSSL_cleanse(key, keylen);
271	SCRYPT_PARAMS_free(sparam);
272	return rv;
273	}
b0809bc8	274	#endif /* OPENSSL_NO_SCRYPT */