2 * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/evp.h>
14 #include <openssl/kdf.h>
15 #include <openssl/err.h>
16 #include <openssl/core_names.h>
17 #include <openssl/proverr.h>
18 #include "crypto/evp.h"
19 #include "internal/numbers.h"
20 #include "prov/implementations.h"
21 #include "prov/provider_ctx.h"
22 #include "prov/providercommon.h"
23 #include "prov/provider_util.h"
25 #ifndef OPENSSL_NO_SCRYPT
27 static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new
;
28 static OSSL_FUNC_kdf_dupctx_fn kdf_scrypt_dup
;
29 static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free
;
30 static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset
;
31 static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive
;
32 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params
;
33 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params
;
34 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params
;
35 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params
;
37 static int scrypt_alg(const char *pass
, size_t passlen
,
38 const unsigned char *salt
, size_t saltlen
,
39 uint64_t N
, uint64_t r
, uint64_t p
, uint64_t maxmem
,
40 unsigned char *key
, size_t keylen
, EVP_MD
*sha256
,
41 OSSL_LIB_CTX
*libctx
, const char *propq
);
52 uint64_t maxmem_bytes
;
56 static void kdf_scrypt_init(KDF_SCRYPT
*ctx
);
58 static void *kdf_scrypt_new_inner(OSSL_LIB_CTX
*libctx
)
62 if (!ossl_prov_is_running())
65 ctx
= OPENSSL_zalloc(sizeof(*ctx
));
67 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
75 static void *kdf_scrypt_new(void *provctx
)
77 return kdf_scrypt_new_inner(PROV_LIBCTX_OF(provctx
));
80 static void kdf_scrypt_free(void *vctx
)
82 KDF_SCRYPT
*ctx
= (KDF_SCRYPT
*)vctx
;
85 OPENSSL_free(ctx
->propq
);
86 EVP_MD_free(ctx
->sha256
);
87 kdf_scrypt_reset(ctx
);
92 static void kdf_scrypt_reset(void *vctx
)
94 KDF_SCRYPT
*ctx
= (KDF_SCRYPT
*)vctx
;
96 OPENSSL_free(ctx
->salt
);
97 OPENSSL_clear_free(ctx
->pass
, ctx
->pass_len
);
101 static void *kdf_scrypt_dup(void *vctx
)
103 const KDF_SCRYPT
*src
= (const KDF_SCRYPT
*)vctx
;
106 dest
= kdf_scrypt_new_inner(src
->libctx
);
108 if (src
->sha256
!= NULL
&& !EVP_MD_up_ref(src
->sha256
))
110 if (src
->propq
!= NULL
) {
111 dest
->propq
= OPENSSL_strdup(src
->propq
);
112 if (dest
->propq
== NULL
)
115 if (!ossl_prov_memdup(src
->salt
, src
->salt_len
,
116 &dest
->salt
, &dest
->salt_len
)
117 || !ossl_prov_memdup(src
->pass
, src
->pass_len
,
118 &dest
->pass
, &dest
->pass_len
))
123 dest
->maxmem_bytes
= src
->maxmem_bytes
;
124 dest
->sha256
= src
->sha256
;
129 kdf_scrypt_free(dest
);
133 static void kdf_scrypt_init(KDF_SCRYPT
*ctx
)
135 /* Default values are the most conservative recommendation given in the
136 * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
137 * for this parameter choice (approx. 128 * r * N * p bytes).
142 ctx
->maxmem_bytes
= 1025 * 1024 * 1024;
145 static int scrypt_set_membuf(unsigned char **buffer
, size_t *buflen
,
148 OPENSSL_clear_free(*buffer
, *buflen
);
152 if (p
->data_size
== 0) {
153 if ((*buffer
= OPENSSL_malloc(1)) == NULL
) {
154 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
157 } else if (p
->data
!= NULL
) {
158 if (!OSSL_PARAM_get_octet_string(p
, (void **)buffer
, 0, buflen
))
164 static int set_digest(KDF_SCRYPT
*ctx
)
166 EVP_MD_free(ctx
->sha256
);
167 ctx
->sha256
= EVP_MD_fetch(ctx
->libctx
, "sha256", ctx
->propq
);
168 if (ctx
->sha256
== NULL
) {
170 ERR_raise(ERR_LIB_PROV
, PROV_R_UNABLE_TO_LOAD_SHA256
);
176 static int set_property_query(KDF_SCRYPT
*ctx
, const char *propq
)
178 OPENSSL_free(ctx
->propq
);
181 ctx
->propq
= OPENSSL_strdup(propq
);
182 if (ctx
->propq
== NULL
) {
183 ERR_raise(ERR_LIB_PROV
, ERR_R_MALLOC_FAILURE
);
190 static int kdf_scrypt_derive(void *vctx
, unsigned char *key
, size_t keylen
,
191 const OSSL_PARAM params
[])
193 KDF_SCRYPT
*ctx
= (KDF_SCRYPT
*)vctx
;
195 if (!ossl_prov_is_running() || !kdf_scrypt_set_ctx_params(ctx
, params
))
198 if (ctx
->pass
== NULL
) {
199 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_PASS
);
203 if (ctx
->salt
== NULL
) {
204 ERR_raise(ERR_LIB_PROV
, PROV_R_MISSING_SALT
);
208 if (ctx
->sha256
== NULL
&& !set_digest(ctx
))
211 return scrypt_alg((char *)ctx
->pass
, ctx
->pass_len
, ctx
->salt
,
212 ctx
->salt_len
, ctx
->N
, ctx
->r
, ctx
->p
,
213 ctx
->maxmem_bytes
, key
, keylen
, ctx
->sha256
,
214 ctx
->libctx
, ctx
->propq
);
217 static int is_power_of_two(uint64_t value
)
219 return (value
!= 0) && ((value
& (value
- 1)) == 0);
222 static int kdf_scrypt_set_ctx_params(void *vctx
, const OSSL_PARAM params
[])
225 KDF_SCRYPT
*ctx
= vctx
;
231 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PASSWORD
)) != NULL
)
232 if (!scrypt_set_membuf(&ctx
->pass
, &ctx
->pass_len
, p
))
235 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SALT
)) != NULL
)
236 if (!scrypt_set_membuf(&ctx
->salt
, &ctx
->salt_len
, p
))
239 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SCRYPT_N
))
241 if (!OSSL_PARAM_get_uint64(p
, &u64_value
)
243 || !is_power_of_two(u64_value
))
248 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SCRYPT_R
))
250 if (!OSSL_PARAM_get_uint64(p
, &u64_value
) || u64_value
< 1)
255 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SCRYPT_P
))
257 if (!OSSL_PARAM_get_uint64(p
, &u64_value
) || u64_value
< 1)
262 if ((p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_SCRYPT_MAXMEM
))
264 if (!OSSL_PARAM_get_uint64(p
, &u64_value
) || u64_value
< 1)
266 ctx
->maxmem_bytes
= u64_value
;
269 p
= OSSL_PARAM_locate_const(params
, OSSL_KDF_PARAM_PROPERTIES
);
271 if (p
->data_type
!= OSSL_PARAM_UTF8_STRING
272 || !set_property_query(ctx
, p
->data
)
279 static const OSSL_PARAM
*kdf_scrypt_settable_ctx_params(ossl_unused
void *ctx
,
280 ossl_unused
void *p_ctx
)
282 static const OSSL_PARAM known_settable_ctx_params
[] = {
283 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD
, NULL
, 0),
284 OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT
, NULL
, 0),
285 OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N
, NULL
),
286 OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R
, NULL
),
287 OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P
, NULL
),
288 OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM
, NULL
),
289 OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES
, NULL
, 0),
292 return known_settable_ctx_params
;
295 static int kdf_scrypt_get_ctx_params(void *vctx
, OSSL_PARAM params
[])
299 if ((p
= OSSL_PARAM_locate(params
, OSSL_KDF_PARAM_SIZE
)) != NULL
)
300 return OSSL_PARAM_set_size_t(p
, SIZE_MAX
);
304 static const OSSL_PARAM
*kdf_scrypt_gettable_ctx_params(ossl_unused
void *ctx
,
305 ossl_unused
void *p_ctx
)
307 static const OSSL_PARAM known_gettable_ctx_params
[] = {
308 OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE
, NULL
),
311 return known_gettable_ctx_params
;
314 const OSSL_DISPATCH ossl_kdf_scrypt_functions
[] = {
315 { OSSL_FUNC_KDF_NEWCTX
, (void(*)(void))kdf_scrypt_new
},
316 { OSSL_FUNC_KDF_DUPCTX
, (void(*)(void))kdf_scrypt_dup
},
317 { OSSL_FUNC_KDF_FREECTX
, (void(*)(void))kdf_scrypt_free
},
318 { OSSL_FUNC_KDF_RESET
, (void(*)(void))kdf_scrypt_reset
},
319 { OSSL_FUNC_KDF_DERIVE
, (void(*)(void))kdf_scrypt_derive
},
320 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
,
321 (void(*)(void))kdf_scrypt_settable_ctx_params
},
322 { OSSL_FUNC_KDF_SET_CTX_PARAMS
, (void(*)(void))kdf_scrypt_set_ctx_params
},
323 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS
,
324 (void(*)(void))kdf_scrypt_gettable_ctx_params
},
325 { OSSL_FUNC_KDF_GET_CTX_PARAMS
, (void(*)(void))kdf_scrypt_get_ctx_params
},
329 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
330 static void salsa208_word_specification(uint32_t inout
[16])
335 memcpy(x
, inout
, sizeof(x
));
336 for (i
= 8; i
> 0; i
-= 2) {
337 x
[4] ^= R(x
[0] + x
[12], 7);
338 x
[8] ^= R(x
[4] + x
[0], 9);
339 x
[12] ^= R(x
[8] + x
[4], 13);
340 x
[0] ^= R(x
[12] + x
[8], 18);
341 x
[9] ^= R(x
[5] + x
[1], 7);
342 x
[13] ^= R(x
[9] + x
[5], 9);
343 x
[1] ^= R(x
[13] + x
[9], 13);
344 x
[5] ^= R(x
[1] + x
[13], 18);
345 x
[14] ^= R(x
[10] + x
[6], 7);
346 x
[2] ^= R(x
[14] + x
[10], 9);
347 x
[6] ^= R(x
[2] + x
[14], 13);
348 x
[10] ^= R(x
[6] + x
[2], 18);
349 x
[3] ^= R(x
[15] + x
[11], 7);
350 x
[7] ^= R(x
[3] + x
[15], 9);
351 x
[11] ^= R(x
[7] + x
[3], 13);
352 x
[15] ^= R(x
[11] + x
[7], 18);
353 x
[1] ^= R(x
[0] + x
[3], 7);
354 x
[2] ^= R(x
[1] + x
[0], 9);
355 x
[3] ^= R(x
[2] + x
[1], 13);
356 x
[0] ^= R(x
[3] + x
[2], 18);
357 x
[6] ^= R(x
[5] + x
[4], 7);
358 x
[7] ^= R(x
[6] + x
[5], 9);
359 x
[4] ^= R(x
[7] + x
[6], 13);
360 x
[5] ^= R(x
[4] + x
[7], 18);
361 x
[11] ^= R(x
[10] + x
[9], 7);
362 x
[8] ^= R(x
[11] + x
[10], 9);
363 x
[9] ^= R(x
[8] + x
[11], 13);
364 x
[10] ^= R(x
[9] + x
[8], 18);
365 x
[12] ^= R(x
[15] + x
[14], 7);
366 x
[13] ^= R(x
[12] + x
[15], 9);
367 x
[14] ^= R(x
[13] + x
[12], 13);
368 x
[15] ^= R(x
[14] + x
[13], 18);
370 for (i
= 0; i
< 16; ++i
)
372 OPENSSL_cleanse(x
, sizeof(x
));
375 static void scryptBlockMix(uint32_t *B_
, uint32_t *B
, uint64_t r
)
380 memcpy(X
, B
+ (r
* 2 - 1) * 16, sizeof(X
));
382 for (i
= 0; i
< r
* 2; i
++) {
383 for (j
= 0; j
< 16; j
++)
385 salsa208_word_specification(X
);
386 memcpy(B_
+ (i
/ 2 + (i
& 1) * r
) * 16, X
, sizeof(X
));
388 OPENSSL_cleanse(X
, sizeof(X
));
391 static void scryptROMix(unsigned char *B
, uint64_t r
, uint64_t N
,
392 uint32_t *X
, uint32_t *T
, uint32_t *V
)
398 /* Convert from little endian input */
399 for (pV
= V
, i
= 0, pB
= B
; i
< 32 * r
; i
++, pV
++) {
403 *pV
|= (uint32_t)*pB
++ << 24;
406 for (i
= 1; i
< N
; i
++, pV
+= 32 * r
)
407 scryptBlockMix(pV
, pV
- 32 * r
, r
);
409 scryptBlockMix(X
, V
+ (N
- 1) * 32 * r
, r
);
411 for (i
= 0; i
< N
; i
++) {
413 j
= X
[16 * (2 * r
- 1)] % N
;
415 for (k
= 0; k
< 32 * r
; k
++)
417 scryptBlockMix(X
, T
, r
);
419 /* Convert output to little endian */
420 for (i
= 0, pB
= B
; i
< 32 * r
; i
++) {
421 uint32_t xtmp
= X
[i
];
423 *pB
++ = (xtmp
>> 8) & 0xff;
424 *pB
++ = (xtmp
>> 16) & 0xff;
425 *pB
++ = (xtmp
>> 24) & 0xff;
430 # define SIZE_MAX ((size_t)-1)
434 * Maximum power of two that will fit in uint64_t: this should work on
435 * most (all?) platforms.
438 #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
441 * Maximum value of p * r:
442 * p <= ((2^32-1) * hLen) / MFLen =>
443 * p <= ((2^32-1) * 32) / (128 * r) =>
447 #define SCRYPT_PR_MAX ((1 << 30) - 1)
449 static int scrypt_alg(const char *pass
, size_t passlen
,
450 const unsigned char *salt
, size_t saltlen
,
451 uint64_t N
, uint64_t r
, uint64_t p
, uint64_t maxmem
,
452 unsigned char *key
, size_t keylen
, EVP_MD
*sha256
,
453 OSSL_LIB_CTX
*libctx
, const char *propq
)
458 uint64_t i
, Blen
, Vlen
;
460 /* Sanity check parameters */
461 /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
462 if (r
== 0 || p
== 0 || N
< 2 || (N
& (N
- 1)))
464 /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
465 if (p
> SCRYPT_PR_MAX
/ r
) {
466 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
471 * Need to check N: if 2^(128 * r / 8) overflows limit this is
472 * automatically satisfied since N <= UINT64_MAX.
475 if (16 * r
<= LOG2_UINT64_MAX
) {
476 if (N
>= (((uint64_t)1) << (16 * r
))) {
477 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
482 /* Memory checks: check total allocated buffer size fits in uint64_t */
485 * B size in section 5 step 1.S
486 * Note: we know p * 128 * r < UINT64_MAX because we already checked
487 * p * r < SCRYPT_PR_MAX
491 * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
492 * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
494 if (Blen
> INT_MAX
) {
495 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
500 * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
501 * This is combined size V, X and T (section 4)
503 i
= UINT64_MAX
/ (32 * sizeof(uint32_t));
505 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
508 Vlen
= 32 * r
* (N
+ 2) * sizeof(uint32_t);
510 /* check total allocated size fits in uint64_t */
511 if (Blen
> UINT64_MAX
- Vlen
) {
512 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
516 /* Check that the maximum memory doesn't exceed a size_t limits */
517 if (maxmem
> SIZE_MAX
)
520 if (Blen
+ Vlen
> maxmem
) {
521 ERR_raise(ERR_LIB_EVP
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
525 /* If no key return to indicate parameters are OK */
529 B
= OPENSSL_malloc((size_t)(Blen
+ Vlen
));
531 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
534 X
= (uint32_t *)(B
+ Blen
);
537 if (ossl_pkcs5_pbkdf2_hmac_ex(pass
, passlen
, salt
, saltlen
, 1, sha256
,
538 (int)Blen
, B
, libctx
, propq
) == 0)
541 for (i
= 0; i
< p
; i
++)
542 scryptROMix(B
+ 128 * r
* i
, r
, N
, X
, T
, V
);
544 if (ossl_pkcs5_pbkdf2_hmac_ex(pass
, passlen
, B
, (int)Blen
, 1, sha256
,
545 keylen
, key
, libctx
, propq
) == 0)
550 ERR_raise(ERR_LIB_EVP
, EVP_R_PBKDF2_ERROR
);
552 OPENSSL_clear_free(B
, (size_t)(Blen
+ Vlen
));