]>
Commit | Line | Data |
---|---|---|
a95fb9e3 | 1 | /* |
c4d3c19b | 2 | * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. |
a95fb9e3 | 3 | * |
4a8b0c55 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
62867571 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
a95fb9e3 DSH |
8 | */ |
9 | ||
10 | #include <stddef.h> | |
11 | #include <stdio.h> | |
12 | #include <string.h> | |
13 | #include <openssl/evp.h> | |
fef034f8 | 14 | #include <openssl/err.h> |
176db6dc | 15 | #include "internal/numbers.h" |
a95fb9e3 | 16 | |
b0809bc8 RS |
17 | #ifndef OPENSSL_NO_SCRYPT |
18 | ||
a95fb9e3 DSH |
19 | #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) |
20 | static void salsa208_word_specification(uint32_t inout[16]) | |
21 | { | |
22 | int i; | |
23 | uint32_t x[16]; | |
24 | memcpy(x, inout, sizeof(x)); | |
25 | for (i = 8; i > 0; i -= 2) { | |
26 | x[4] ^= R(x[0] + x[12], 7); | |
27 | x[8] ^= R(x[4] + x[0], 9); | |
28 | x[12] ^= R(x[8] + x[4], 13); | |
29 | x[0] ^= R(x[12] + x[8], 18); | |
30 | x[9] ^= R(x[5] + x[1], 7); | |
31 | x[13] ^= R(x[9] + x[5], 9); | |
32 | x[1] ^= R(x[13] + x[9], 13); | |
33 | x[5] ^= R(x[1] + x[13], 18); | |
34 | x[14] ^= R(x[10] + x[6], 7); | |
35 | x[2] ^= R(x[14] + x[10], 9); | |
36 | x[6] ^= R(x[2] + x[14], 13); | |
37 | x[10] ^= R(x[6] + x[2], 18); | |
38 | x[3] ^= R(x[15] + x[11], 7); | |
39 | x[7] ^= R(x[3] + x[15], 9); | |
40 | x[11] ^= R(x[7] + x[3], 13); | |
41 | x[15] ^= R(x[11] + x[7], 18); | |
42 | x[1] ^= R(x[0] + x[3], 7); | |
43 | x[2] ^= R(x[1] + x[0], 9); | |
44 | x[3] ^= R(x[2] + x[1], 13); | |
45 | x[0] ^= R(x[3] + x[2], 18); | |
46 | x[6] ^= R(x[5] + x[4], 7); | |
47 | x[7] ^= R(x[6] + x[5], 9); | |
48 | x[4] ^= R(x[7] + x[6], 13); | |
49 | x[5] ^= R(x[4] + x[7], 18); | |
50 | x[11] ^= R(x[10] + x[9], 7); | |
51 | x[8] ^= R(x[11] + x[10], 9); | |
52 | x[9] ^= R(x[8] + x[11], 13); | |
53 | x[10] ^= R(x[9] + x[8], 18); | |
54 | x[12] ^= R(x[15] + x[14], 7); | |
55 | x[13] ^= R(x[12] + x[15], 9); | |
56 | x[14] ^= R(x[13] + x[12], 13); | |
57 | x[15] ^= R(x[14] + x[13], 18); | |
58 | } | |
59 | for (i = 0; i < 16; ++i) | |
60 | inout[i] += x[i]; | |
61 | OPENSSL_cleanse(x, sizeof(x)); | |
62 | } | |
63 | ||
64 | static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) | |
65 | { | |
66 | uint64_t i, j; | |
67 | uint32_t X[16], *pB; | |
68 | ||
69 | memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); | |
70 | pB = B; | |
71 | for (i = 0; i < r * 2; i++) { | |
72 | for (j = 0; j < 16; j++) | |
73 | X[j] ^= *pB++; | |
74 | salsa208_word_specification(X); | |
75 | memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); | |
76 | } | |
77 | OPENSSL_cleanse(X, sizeof(X)); | |
78 | } | |
79 | ||
80 | static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, | |
81 | uint32_t *X, uint32_t *T, uint32_t *V) | |
82 | { | |
83 | unsigned char *pB; | |
84 | uint32_t *pV; | |
85 | uint64_t i, k; | |
86 | ||
87 | /* Convert from little endian input */ | |
88 | for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { | |
89 | *pV = *pB++; | |
90 | *pV |= *pB++ << 8; | |
91 | *pV |= *pB++ << 16; | |
3003e0a4 | 92 | *pV |= (uint32_t)*pB++ << 24; |
a95fb9e3 DSH |
93 | } |
94 | ||
95 | for (i = 1; i < N; i++, pV += 32 * r) | |
96 | scryptBlockMix(pV, pV - 32 * r, r); | |
97 | ||
98 | scryptBlockMix(X, V + (N - 1) * 32 * r, r); | |
99 | ||
100 | for (i = 0; i < N; i++) { | |
101 | uint32_t j; | |
102 | j = X[16 * (2 * r - 1)] % N; | |
103 | pV = V + 32 * r * j; | |
104 | for (k = 0; k < 32 * r; k++) | |
105 | T[k] = X[k] ^ *pV++; | |
106 | scryptBlockMix(X, T, r); | |
107 | } | |
108 | /* Convert output to little endian */ | |
109 | for (i = 0, pB = B; i < 32 * r; i++) { | |
110 | uint32_t xtmp = X[i]; | |
111 | *pB++ = xtmp & 0xff; | |
112 | *pB++ = (xtmp >> 8) & 0xff; | |
113 | *pB++ = (xtmp >> 16) & 0xff; | |
114 | *pB++ = (xtmp >> 24) & 0xff; | |
115 | } | |
116 | } | |
117 | ||
118 | #ifndef SIZE_MAX | |
119 | # define SIZE_MAX ((size_t)-1) | |
120 | #endif | |
121 | ||
122 | /* | |
123 | * Maximum power of two that will fit in uint64_t: this should work on | |
124 | * most (all?) platforms. | |
125 | */ | |
126 | ||
127 | #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) | |
128 | ||
129 | /* | |
130 | * Maximum value of p * r: | |
131 | * p <= ((2^32-1) * hLen) / MFLen => | |
132 | * p <= ((2^32-1) * 32) / (128 * r) => | |
133 | * p * r <= (2^30-1) | |
134 | * | |
135 | */ | |
136 | ||
137 | #define SCRYPT_PR_MAX ((1 << 30) - 1) | |
138 | ||
139 | /* | |
140 | * Maximum permitted memory allow this to be overridden with Configuration | |
141 | * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible. | |
142 | */ | |
143 | ||
144 | #ifdef SCRYPT_MAX_MEM | |
145 | # if SCRYPT_MAX_MEM == 0 | |
146 | # undef SCRYPT_MAX_MEM | |
147 | /* | |
148 | * Although we could theoretically allocate SIZE_MAX memory that would leave | |
149 | * no memory available for anything else so set limit as half that. | |
150 | */ | |
151 | # define SCRYPT_MAX_MEM (SIZE_MAX/2) | |
152 | # endif | |
153 | #else | |
154 | /* Default memory limit: 32 MB */ | |
155 | # define SCRYPT_MAX_MEM (1024 * 1024 * 32) | |
156 | #endif | |
157 | ||
158 | int EVP_PBE_scrypt(const char *pass, size_t passlen, | |
159 | const unsigned char *salt, size_t saltlen, | |
160 | uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, | |
161 | unsigned char *key, size_t keylen) | |
162 | { | |
163 | int rv = 0; | |
164 | unsigned char *B; | |
165 | uint32_t *X, *V, *T; | |
166 | uint64_t i, Blen, Vlen; | |
167 | ||
168 | /* Sanity check parameters */ | |
169 | /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ | |
170 | if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) | |
171 | return 0; | |
172 | /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ | |
3484236d F |
173 | if (p > SCRYPT_PR_MAX / r) { |
174 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
a95fb9e3 | 175 | return 0; |
3484236d | 176 | } |
a95fb9e3 DSH |
177 | |
178 | /* | |
179 | * Need to check N: if 2^(128 * r / 8) overflows limit this is | |
180 | * automatically satisfied since N <= UINT64_MAX. | |
181 | */ | |
182 | ||
183 | if (16 * r <= LOG2_UINT64_MAX) { | |
3484236d F |
184 | if (N >= (((uint64_t)1) << (16 * r))) { |
185 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
a95fb9e3 | 186 | return 0; |
3484236d | 187 | } |
a95fb9e3 DSH |
188 | } |
189 | ||
190 | /* Memory checks: check total allocated buffer size fits in uint64_t */ | |
191 | ||
192 | /* | |
193 | * B size in section 5 step 1.S | |
194 | * Note: we know p * 128 * r < UINT64_MAX because we already checked | |
195 | * p * r < SCRYPT_PR_MAX | |
196 | */ | |
197 | Blen = p * 128 * r; | |
b4c0e4df AP |
198 | /* |
199 | * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would | |
200 | * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] | |
201 | */ | |
202 | if (Blen > INT_MAX) { | |
203 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
204 | return 0; | |
205 | } | |
a95fb9e3 DSH |
206 | |
207 | /* | |
f4eb2483 | 208 | * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t |
a95fb9e3 DSH |
209 | * This is combined size V, X and T (section 4) |
210 | */ | |
211 | i = UINT64_MAX / (32 * sizeof(uint32_t)); | |
3484236d F |
212 | if (N + 2 > i / r) { |
213 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
a95fb9e3 | 214 | return 0; |
3484236d | 215 | } |
a95fb9e3 DSH |
216 | Vlen = 32 * r * (N + 2) * sizeof(uint32_t); |
217 | ||
218 | /* check total allocated size fits in uint64_t */ | |
3484236d F |
219 | if (Blen > UINT64_MAX - Vlen) { |
220 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
a95fb9e3 | 221 | return 0; |
3484236d | 222 | } |
a95fb9e3 DSH |
223 | |
224 | if (maxmem == 0) | |
225 | maxmem = SCRYPT_MAX_MEM; | |
44589b5d P |
226 | |
227 | /* Check that the maximum memory doesn't exceed a size_t limits */ | |
76b2ae83 P |
228 | if (maxmem > SIZE_MAX) |
229 | maxmem = SIZE_MAX; | |
a95fb9e3 | 230 | |
f4eb2483 | 231 | if (Blen + Vlen > maxmem) { |
fef034f8 | 232 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); |
a95fb9e3 | 233 | return 0; |
fef034f8 | 234 | } |
a95fb9e3 DSH |
235 | |
236 | /* If no key return to indicate parameters are OK */ | |
237 | if (key == NULL) | |
238 | return 1; | |
239 | ||
b4c0e4df | 240 | B = OPENSSL_malloc((size_t)(Blen + Vlen)); |
3484236d F |
241 | if (B == NULL) { |
242 | EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); | |
a95fb9e3 | 243 | return 0; |
3484236d | 244 | } |
a95fb9e3 DSH |
245 | X = (uint32_t *)(B + Blen); |
246 | T = X + 32 * r; | |
247 | V = T + 32 * r; | |
248 | if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), | |
b4c0e4df | 249 | (int)Blen, B) == 0) |
a95fb9e3 DSH |
250 | goto err; |
251 | ||
252 | for (i = 0; i < p; i++) | |
253 | scryptROMix(B + 128 * r * i, r, N, X, T, V); | |
254 | ||
b4c0e4df | 255 | if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), |
a95fb9e3 DSH |
256 | keylen, key) == 0) |
257 | goto err; | |
258 | rv = 1; | |
a95fb9e3 | 259 | err: |
3484236d F |
260 | if (rv == 0) |
261 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); | |
262 | ||
b4c0e4df | 263 | OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); |
a95fb9e3 DSH |
264 | return rv; |
265 | } | |
b0809bc8 | 266 | #endif |