2 * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
13 #include <openssl/evp.h>
14 #include <openssl/err.h>
15 #include <internal/numbers.h>
17 #ifndef OPENSSL_NO_SCRYPT
19 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
20 static void salsa208_word_specification(uint32_t inout
[16])
24 memcpy(x
, inout
, sizeof(x
));
25 for (i
= 8; i
> 0; i
-= 2) {
26 x
[4] ^= R(x
[0] + x
[12], 7);
27 x
[8] ^= R(x
[4] + x
[0], 9);
28 x
[12] ^= R(x
[8] + x
[4], 13);
29 x
[0] ^= R(x
[12] + x
[8], 18);
30 x
[9] ^= R(x
[5] + x
[1], 7);
31 x
[13] ^= R(x
[9] + x
[5], 9);
32 x
[1] ^= R(x
[13] + x
[9], 13);
33 x
[5] ^= R(x
[1] + x
[13], 18);
34 x
[14] ^= R(x
[10] + x
[6], 7);
35 x
[2] ^= R(x
[14] + x
[10], 9);
36 x
[6] ^= R(x
[2] + x
[14], 13);
37 x
[10] ^= R(x
[6] + x
[2], 18);
38 x
[3] ^= R(x
[15] + x
[11], 7);
39 x
[7] ^= R(x
[3] + x
[15], 9);
40 x
[11] ^= R(x
[7] + x
[3], 13);
41 x
[15] ^= R(x
[11] + x
[7], 18);
42 x
[1] ^= R(x
[0] + x
[3], 7);
43 x
[2] ^= R(x
[1] + x
[0], 9);
44 x
[3] ^= R(x
[2] + x
[1], 13);
45 x
[0] ^= R(x
[3] + x
[2], 18);
46 x
[6] ^= R(x
[5] + x
[4], 7);
47 x
[7] ^= R(x
[6] + x
[5], 9);
48 x
[4] ^= R(x
[7] + x
[6], 13);
49 x
[5] ^= R(x
[4] + x
[7], 18);
50 x
[11] ^= R(x
[10] + x
[9], 7);
51 x
[8] ^= R(x
[11] + x
[10], 9);
52 x
[9] ^= R(x
[8] + x
[11], 13);
53 x
[10] ^= R(x
[9] + x
[8], 18);
54 x
[12] ^= R(x
[15] + x
[14], 7);
55 x
[13] ^= R(x
[12] + x
[15], 9);
56 x
[14] ^= R(x
[13] + x
[12], 13);
57 x
[15] ^= R(x
[14] + x
[13], 18);
59 for (i
= 0; i
< 16; ++i
)
61 OPENSSL_cleanse(x
, sizeof(x
));
64 static void scryptBlockMix(uint32_t *B_
, uint32_t *B
, uint64_t r
)
69 memcpy(X
, B
+ (r
* 2 - 1) * 16, sizeof(X
));
71 for (i
= 0; i
< r
* 2; i
++) {
72 for (j
= 0; j
< 16; j
++)
74 salsa208_word_specification(X
);
75 memcpy(B_
+ (i
/ 2 + (i
& 1) * r
) * 16, X
, sizeof(X
));
77 OPENSSL_cleanse(X
, sizeof(X
));
80 static void scryptROMix(unsigned char *B
, uint64_t r
, uint64_t N
,
81 uint32_t *X
, uint32_t *T
, uint32_t *V
)
87 /* Convert from little endian input */
88 for (pV
= V
, i
= 0, pB
= B
; i
< 32 * r
; i
++, pV
++) {
92 *pV
|= (uint32_t)*pB
++ << 24;
95 for (i
= 1; i
< N
; i
++, pV
+= 32 * r
)
96 scryptBlockMix(pV
, pV
- 32 * r
, r
);
98 scryptBlockMix(X
, V
+ (N
- 1) * 32 * r
, r
);
100 for (i
= 0; i
< N
; i
++) {
102 j
= X
[16 * (2 * r
- 1)] % N
;
104 for (k
= 0; k
< 32 * r
; k
++)
106 scryptBlockMix(X
, T
, r
);
108 /* Convert output to little endian */
109 for (i
= 0, pB
= B
; i
< 32 * r
; i
++) {
110 uint32_t xtmp
= X
[i
];
112 *pB
++ = (xtmp
>> 8) & 0xff;
113 *pB
++ = (xtmp
>> 16) & 0xff;
114 *pB
++ = (xtmp
>> 24) & 0xff;
119 # define SIZE_MAX ((size_t)-1)
123 * Maximum power of two that will fit in uint64_t: this should work on
124 * most (all?) platforms.
127 #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
130 * Maximum value of p * r:
131 * p <= ((2^32-1) * hLen) / MFLen =>
132 * p <= ((2^32-1) * 32) / (128 * r) =>
137 #define SCRYPT_PR_MAX ((1 << 30) - 1)
140 * Maximum permitted memory allow this to be overridden with Configuration
141 * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.
144 #ifdef SCRYPT_MAX_MEM
145 # if SCRYPT_MAX_MEM == 0
146 # undef SCRYPT_MAX_MEM
148 * Although we could theoretically allocate SIZE_MAX memory that would leave
149 * no memory available for anything else so set limit as half that.
151 # define SCRYPT_MAX_MEM (SIZE_MAX/2)
154 /* Default memory limit: 32 MB */
155 # define SCRYPT_MAX_MEM (1024 * 1024 * 32)
158 int EVP_PBE_scrypt(const char *pass
, size_t passlen
,
159 const unsigned char *salt
, size_t saltlen
,
160 uint64_t N
, uint64_t r
, uint64_t p
, uint64_t maxmem
,
161 unsigned char *key
, size_t keylen
)
166 uint64_t i
, Blen
, Vlen
;
169 /* Sanity check parameters */
170 /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
171 if (r
== 0 || p
== 0 || N
< 2 || (N
& (N
- 1)))
173 /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
174 if (p
> SCRYPT_PR_MAX
/ r
)
178 * Need to check N: if 2^(128 * r / 8) overflows limit this is
179 * automatically satisfied since N <= UINT64_MAX.
182 if (16 * r
<= LOG2_UINT64_MAX
) {
183 if (N
>= (((uint64_t)1) << (16 * r
)))
187 /* Memory checks: check total allocated buffer size fits in uint64_t */
190 * B size in section 5 step 1.S
191 * Note: we know p * 128 * r < UINT64_MAX because we already checked
192 * p * r < SCRYPT_PR_MAX
197 * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in
198 * uint64_t and also size_t (their sizes are unrelated).
199 * This is combined size V, X and T (section 4)
201 i
= UINT64_MAX
/ (32 * sizeof(uint32_t));
204 Vlen
= 32 * r
* (N
+ 2) * sizeof(uint32_t);
206 /* check total allocated size fits in uint64_t */
207 if (Blen
> UINT64_MAX
- Vlen
)
209 /* check total allocated size fits in size_t */
210 if (Blen
> SIZE_MAX
- Vlen
)
213 allocsize
= (size_t)(Blen
+ Vlen
);
216 maxmem
= SCRYPT_MAX_MEM
;
218 if (allocsize
> maxmem
) {
219 EVPerr(EVP_F_EVP_PBE_SCRYPT
, EVP_R_MEMORY_LIMIT_EXCEEDED
);
223 /* If no key return to indicate parameters are OK */
227 B
= OPENSSL_malloc(allocsize
);
230 X
= (uint32_t *)(B
+ Blen
);
233 if (PKCS5_PBKDF2_HMAC(pass
, passlen
, salt
, saltlen
, 1, EVP_sha256(),
237 for (i
= 0; i
< p
; i
++)
238 scryptROMix(B
+ 128 * r
* i
, r
, N
, X
, T
, V
);
240 if (PKCS5_PBKDF2_HMAC(pass
, passlen
, B
, Blen
, 1, EVP_sha256(),
245 OPENSSL_clear_free(B
, allocsize
);