]>
Commit | Line | Data |
---|---|---|
cefa762e | 1 | /* |
33388b44 | 2 | * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. |
cefa762e | 3 | * |
7bb803e8 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
cefa762e JB |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <stdlib.h> | |
5a285add | 11 | #include <stdarg.h> |
cefa762e | 12 | #include <string.h> |
cefa762e | 13 | #include <openssl/evp.h> |
5a285add DM |
14 | #include <openssl/kdf.h> |
15 | #include <openssl/err.h> | |
e3405a4a | 16 | #include <openssl/core_names.h> |
25f2138b | 17 | #include "crypto/evp.h" |
5a285add | 18 | #include "internal/numbers.h" |
af3e7e1b | 19 | #include "prov/implementations.h" |
ddd21319 | 20 | #include "prov/provider_ctx.h" |
2b9e4e95 | 21 | #include "prov/providercommon.h" |
ddd21319 | 22 | #include "prov/providercommonerr.h" |
af3e7e1b | 23 | #include "prov/implementations.h" |
cefa762e | 24 | |
402f26e6 JB |
25 | #ifndef OPENSSL_NO_SCRYPT |
26 | ||
363b1e5d DMSP |
27 | static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new; |
28 | static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free; | |
29 | static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset; | |
30 | static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive; | |
31 | static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params; | |
32 | static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params; | |
af5e1e85 P |
33 | static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params; |
34 | static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params; | |
e3405a4a | 35 | |
5a285add DM |
36 | static int scrypt_alg(const char *pass, size_t passlen, |
37 | const unsigned char *salt, size_t saltlen, | |
38 | uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, | |
5ccada09 SL |
39 | unsigned char *key, size_t keylen, EVP_MD *sha256, |
40 | OPENSSL_CTX *libctx, const char *propq); | |
cefa762e | 41 | |
e3405a4a | 42 | typedef struct { |
26496f5a SL |
43 | OPENSSL_CTX *libctx; |
44 | char *propq; | |
cefa762e JB |
45 | unsigned char *pass; |
46 | size_t pass_len; | |
47 | unsigned char *salt; | |
48 | size_t salt_len; | |
5a285add | 49 | uint64_t N; |
e3405a4a | 50 | uint64_t r, p; |
cefa762e | 51 | uint64_t maxmem_bytes; |
e3405a4a P |
52 | EVP_MD *sha256; |
53 | } KDF_SCRYPT; | |
cefa762e | 54 | |
e3405a4a | 55 | static void kdf_scrypt_init(KDF_SCRYPT *ctx); |
cefa762e | 56 | |
e3405a4a | 57 | static void *kdf_scrypt_new(void *provctx) |
cefa762e | 58 | { |
e3405a4a | 59 | KDF_SCRYPT *ctx; |
cefa762e | 60 | |
2b9e4e95 P |
61 | if (!ossl_prov_is_running()) |
62 | return NULL; | |
63 | ||
e3405a4a P |
64 | ctx = OPENSSL_zalloc(sizeof(*ctx)); |
65 | if (ctx == NULL) { | |
66 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
67 | return NULL; | |
68 | } | |
26496f5a | 69 | ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx); |
e3405a4a P |
70 | kdf_scrypt_init(ctx); |
71 | return ctx; | |
5a285add | 72 | } |
cefa762e | 73 | |
e3405a4a | 74 | static void kdf_scrypt_free(void *vctx) |
5a285add | 75 | { |
e3405a4a P |
76 | KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; |
77 | ||
3c659415 | 78 | if (ctx != NULL) { |
26496f5a | 79 | OPENSSL_free(ctx->propq); |
4a0a9e57 | 80 | EVP_MD_free(ctx->sha256); |
3c659415 P |
81 | kdf_scrypt_reset(ctx); |
82 | OPENSSL_free(ctx); | |
83 | } | |
cefa762e JB |
84 | } |
85 | ||
e3405a4a | 86 | static void kdf_scrypt_reset(void *vctx) |
cefa762e | 87 | { |
e3405a4a P |
88 | KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; |
89 | ||
90 | OPENSSL_free(ctx->salt); | |
91 | OPENSSL_clear_free(ctx->pass, ctx->pass_len); | |
e3405a4a | 92 | kdf_scrypt_init(ctx); |
5a285add | 93 | } |
cefa762e | 94 | |
e3405a4a | 95 | static void kdf_scrypt_init(KDF_SCRYPT *ctx) |
5a285add DM |
96 | { |
97 | /* Default values are the most conservative recommendation given in the | |
98 | * original paper of C. Percival. Derivation uses roughly 1 GiB of memory | |
99 | * for this parameter choice (approx. 128 * r * N * p bytes). | |
100 | */ | |
e3405a4a P |
101 | ctx->N = 1 << 20; |
102 | ctx->r = 8; | |
103 | ctx->p = 1; | |
104 | ctx->maxmem_bytes = 1025 * 1024 * 1024; | |
cefa762e JB |
105 | } |
106 | ||
5a285add | 107 | static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, |
e3405a4a | 108 | const OSSL_PARAM *p) |
cefa762e | 109 | { |
5a285add | 110 | OPENSSL_clear_free(*buffer, *buflen); |
e3405a4a P |
111 | if (p->data_size == 0) { |
112 | if ((*buffer = OPENSSL_malloc(1)) == NULL) { | |
113 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
114 | return 0; | |
115 | } | |
116 | } else if (p->data != NULL) { | |
117 | *buffer = NULL; | |
118 | if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) | |
119 | return 0; | |
120 | } | |
121 | return 1; | |
122 | } | |
123 | ||
26496f5a SL |
124 | static int set_digest(KDF_SCRYPT *ctx) |
125 | { | |
126 | EVP_MD_free(ctx->sha256); | |
127 | ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq); | |
128 | if (ctx->sha256 == NULL) { | |
129 | OPENSSL_free(ctx); | |
130 | ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256); | |
131 | return 0; | |
132 | } | |
133 | return 1; | |
134 | } | |
135 | ||
136 | static int set_property_query(KDF_SCRYPT *ctx, const char *propq) | |
137 | { | |
138 | OPENSSL_free(ctx->propq); | |
139 | ctx->propq = NULL; | |
140 | if (propq != NULL) { | |
141 | ctx->propq = OPENSSL_strdup(propq); | |
142 | if (ctx->propq == NULL) { | |
143 | ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); | |
144 | return 0; | |
145 | } | |
146 | } | |
147 | return 1; | |
148 | } | |
149 | ||
e3405a4a P |
150 | static int kdf_scrypt_derive(void *vctx, unsigned char *key, |
151 | size_t keylen) | |
152 | { | |
153 | KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; | |
cefa762e | 154 | |
2b9e4e95 P |
155 | if (!ossl_prov_is_running()) |
156 | return 0; | |
157 | ||
e3405a4a P |
158 | if (ctx->pass == NULL) { |
159 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); | |
160 | return 0; | |
cefa762e | 161 | } |
e3405a4a P |
162 | |
163 | if (ctx->salt == NULL) { | |
164 | ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT); | |
cefa762e | 165 | return 0; |
3484236d | 166 | } |
cefa762e | 167 | |
26496f5a SL |
168 | if (ctx->sha256 == NULL && !set_digest(ctx)) |
169 | return 0; | |
170 | ||
e3405a4a P |
171 | return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt, |
172 | ctx->salt_len, ctx->N, ctx->r, ctx->p, | |
5ccada09 | 173 | ctx->maxmem_bytes, key, keylen, ctx->sha256, |
26496f5a | 174 | ctx->libctx, ctx->propq); |
cefa762e JB |
175 | } |
176 | ||
177 | static int is_power_of_two(uint64_t value) | |
178 | { | |
179 | return (value != 0) && ((value & (value - 1)) == 0); | |
180 | } | |
181 | ||
e3405a4a | 182 | static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[]) |
cefa762e | 183 | { |
e3405a4a P |
184 | const OSSL_PARAM *p; |
185 | KDF_SCRYPT *ctx = vctx; | |
cefa762e | 186 | uint64_t u64_value; |
5a285add | 187 | |
e3405a4a P |
188 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) |
189 | if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p)) | |
cefa762e | 190 | return 0; |
5a285add | 191 | |
e3405a4a P |
192 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) |
193 | if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p)) | |
cefa762e | 194 | return 0; |
5a285add | 195 | |
e3405a4a P |
196 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N)) |
197 | != NULL) { | |
198 | if (!OSSL_PARAM_get_uint64(p, &u64_value) | |
199 | || u64_value <= 1 | |
200 | || !is_power_of_two(u64_value)) | |
cefa762e | 201 | return 0; |
e3405a4a P |
202 | ctx->N = u64_value; |
203 | } | |
5a285add | 204 | |
e3405a4a P |
205 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R)) |
206 | != NULL) { | |
207 | if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1) | |
208 | return 0; | |
209 | ctx->r = u64_value; | |
5a285add | 210 | } |
5a285add | 211 | |
e3405a4a P |
212 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P)) |
213 | != NULL) { | |
214 | if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1) | |
215 | return 0; | |
216 | ctx->p = u64_value; | |
217 | } | |
cefa762e | 218 | |
e3405a4a P |
219 | if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM)) |
220 | != NULL) { | |
221 | if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1) | |
222 | return 0; | |
223 | ctx->maxmem_bytes = u64_value; | |
cefa762e | 224 | } |
26496f5a SL |
225 | |
226 | p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES); | |
227 | if (p != NULL) { | |
228 | if (p->data_type != OSSL_PARAM_UTF8_STRING | |
229 | || !set_property_query(ctx, p->data) | |
230 | || !set_digest(ctx)) | |
231 | return 0; | |
232 | } | |
e3405a4a | 233 | return 1; |
cefa762e JB |
234 | } |
235 | ||
1017ab21 | 236 | static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *p_ctx) |
cefa762e | 237 | { |
e3405a4a P |
238 | static const OSSL_PARAM known_settable_ctx_params[] = { |
239 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0), | |
240 | OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), | |
241 | OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL), | |
242 | OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL), | |
243 | OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL), | |
244 | OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL), | |
26496f5a | 245 | OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), |
e3405a4a P |
246 | OSSL_PARAM_END |
247 | }; | |
248 | return known_settable_ctx_params; | |
cefa762e JB |
249 | } |
250 | ||
e3405a4a | 251 | static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[]) |
cefa762e | 252 | { |
e3405a4a | 253 | OSSL_PARAM *p; |
cefa762e | 254 | |
e3405a4a P |
255 | if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) |
256 | return OSSL_PARAM_set_size_t(p, SIZE_MAX); | |
cefa762e JB |
257 | return -2; |
258 | } | |
259 | ||
1017ab21 | 260 | static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *p_ctx) |
cefa762e | 261 | { |
e3405a4a P |
262 | static const OSSL_PARAM known_gettable_ctx_params[] = { |
263 | OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), | |
264 | OSSL_PARAM_END | |
265 | }; | |
266 | return known_gettable_ctx_params; | |
5a285add DM |
267 | } |
268 | ||
1be63951 | 269 | const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = { |
e3405a4a P |
270 | { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new }, |
271 | { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free }, | |
272 | { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset }, | |
273 | { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive }, | |
274 | { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, | |
275 | (void(*)(void))kdf_scrypt_settable_ctx_params }, | |
276 | { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params }, | |
277 | { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, | |
278 | (void(*)(void))kdf_scrypt_gettable_ctx_params }, | |
279 | { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params }, | |
280 | { 0, NULL } | |
5a285add DM |
281 | }; |
282 | ||
283 | #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) | |
284 | static void salsa208_word_specification(uint32_t inout[16]) | |
285 | { | |
286 | int i; | |
287 | uint32_t x[16]; | |
288 | ||
289 | memcpy(x, inout, sizeof(x)); | |
290 | for (i = 8; i > 0; i -= 2) { | |
291 | x[4] ^= R(x[0] + x[12], 7); | |
292 | x[8] ^= R(x[4] + x[0], 9); | |
293 | x[12] ^= R(x[8] + x[4], 13); | |
294 | x[0] ^= R(x[12] + x[8], 18); | |
295 | x[9] ^= R(x[5] + x[1], 7); | |
296 | x[13] ^= R(x[9] + x[5], 9); | |
297 | x[1] ^= R(x[13] + x[9], 13); | |
298 | x[5] ^= R(x[1] + x[13], 18); | |
299 | x[14] ^= R(x[10] + x[6], 7); | |
300 | x[2] ^= R(x[14] + x[10], 9); | |
301 | x[6] ^= R(x[2] + x[14], 13); | |
302 | x[10] ^= R(x[6] + x[2], 18); | |
303 | x[3] ^= R(x[15] + x[11], 7); | |
304 | x[7] ^= R(x[3] + x[15], 9); | |
305 | x[11] ^= R(x[7] + x[3], 13); | |
306 | x[15] ^= R(x[11] + x[7], 18); | |
307 | x[1] ^= R(x[0] + x[3], 7); | |
308 | x[2] ^= R(x[1] + x[0], 9); | |
309 | x[3] ^= R(x[2] + x[1], 13); | |
310 | x[0] ^= R(x[3] + x[2], 18); | |
311 | x[6] ^= R(x[5] + x[4], 7); | |
312 | x[7] ^= R(x[6] + x[5], 9); | |
313 | x[4] ^= R(x[7] + x[6], 13); | |
314 | x[5] ^= R(x[4] + x[7], 18); | |
315 | x[11] ^= R(x[10] + x[9], 7); | |
316 | x[8] ^= R(x[11] + x[10], 9); | |
317 | x[9] ^= R(x[8] + x[11], 13); | |
318 | x[10] ^= R(x[9] + x[8], 18); | |
319 | x[12] ^= R(x[15] + x[14], 7); | |
320 | x[13] ^= R(x[12] + x[15], 9); | |
321 | x[14] ^= R(x[13] + x[12], 13); | |
322 | x[15] ^= R(x[14] + x[13], 18); | |
323 | } | |
324 | for (i = 0; i < 16; ++i) | |
325 | inout[i] += x[i]; | |
326 | OPENSSL_cleanse(x, sizeof(x)); | |
327 | } | |
328 | ||
329 | static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) | |
330 | { | |
331 | uint64_t i, j; | |
332 | uint32_t X[16], *pB; | |
333 | ||
334 | memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); | |
335 | pB = B; | |
336 | for (i = 0; i < r * 2; i++) { | |
337 | for (j = 0; j < 16; j++) | |
338 | X[j] ^= *pB++; | |
339 | salsa208_word_specification(X); | |
340 | memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); | |
341 | } | |
342 | OPENSSL_cleanse(X, sizeof(X)); | |
343 | } | |
344 | ||
345 | static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, | |
346 | uint32_t *X, uint32_t *T, uint32_t *V) | |
347 | { | |
348 | unsigned char *pB; | |
349 | uint32_t *pV; | |
350 | uint64_t i, k; | |
351 | ||
352 | /* Convert from little endian input */ | |
353 | for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { | |
354 | *pV = *pB++; | |
355 | *pV |= *pB++ << 8; | |
356 | *pV |= *pB++ << 16; | |
357 | *pV |= (uint32_t)*pB++ << 24; | |
358 | } | |
359 | ||
360 | for (i = 1; i < N; i++, pV += 32 * r) | |
361 | scryptBlockMix(pV, pV - 32 * r, r); | |
362 | ||
363 | scryptBlockMix(X, V + (N - 1) * 32 * r, r); | |
364 | ||
365 | for (i = 0; i < N; i++) { | |
366 | uint32_t j; | |
367 | j = X[16 * (2 * r - 1)] % N; | |
368 | pV = V + 32 * r * j; | |
369 | for (k = 0; k < 32 * r; k++) | |
370 | T[k] = X[k] ^ *pV++; | |
371 | scryptBlockMix(X, T, r); | |
372 | } | |
373 | /* Convert output to little endian */ | |
374 | for (i = 0, pB = B; i < 32 * r; i++) { | |
375 | uint32_t xtmp = X[i]; | |
376 | *pB++ = xtmp & 0xff; | |
377 | *pB++ = (xtmp >> 8) & 0xff; | |
378 | *pB++ = (xtmp >> 16) & 0xff; | |
379 | *pB++ = (xtmp >> 24) & 0xff; | |
380 | } | |
cefa762e JB |
381 | } |
382 | ||
5a285add DM |
383 | #ifndef SIZE_MAX |
384 | # define SIZE_MAX ((size_t)-1) | |
385 | #endif | |
cefa762e | 386 | |
5a285add DM |
387 | /* |
388 | * Maximum power of two that will fit in uint64_t: this should work on | |
389 | * most (all?) platforms. | |
390 | */ | |
cefa762e | 391 | |
5a285add | 392 | #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) |
cefa762e | 393 | |
5a285add DM |
394 | /* |
395 | * Maximum value of p * r: | |
396 | * p <= ((2^32-1) * hLen) / MFLen => | |
397 | * p <= ((2^32-1) * 32) / (128 * r) => | |
398 | * p * r <= (2^30-1) | |
399 | */ | |
cefa762e | 400 | |
5a285add | 401 | #define SCRYPT_PR_MAX ((1 << 30) - 1) |
cefa762e | 402 | |
5a285add DM |
403 | static int scrypt_alg(const char *pass, size_t passlen, |
404 | const unsigned char *salt, size_t saltlen, | |
405 | uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, | |
5ccada09 SL |
406 | unsigned char *key, size_t keylen, EVP_MD *sha256, |
407 | OPENSSL_CTX *libctx, const char *propq) | |
5a285add DM |
408 | { |
409 | int rv = 0; | |
410 | unsigned char *B; | |
411 | uint32_t *X, *V, *T; | |
412 | uint64_t i, Blen, Vlen; | |
413 | ||
414 | /* Sanity check parameters */ | |
415 | /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ | |
416 | if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) | |
417 | return 0; | |
418 | /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ | |
419 | if (p > SCRYPT_PR_MAX / r) { | |
420 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
421 | return 0; | |
422 | } | |
cefa762e | 423 | |
5a285add DM |
424 | /* |
425 | * Need to check N: if 2^(128 * r / 8) overflows limit this is | |
426 | * automatically satisfied since N <= UINT64_MAX. | |
427 | */ | |
cefa762e | 428 | |
5a285add DM |
429 | if (16 * r <= LOG2_UINT64_MAX) { |
430 | if (N >= (((uint64_t)1) << (16 * r))) { | |
431 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
432 | return 0; | |
433 | } | |
434 | } | |
cefa762e | 435 | |
5a285add DM |
436 | /* Memory checks: check total allocated buffer size fits in uint64_t */ |
437 | ||
438 | /* | |
439 | * B size in section 5 step 1.S | |
440 | * Note: we know p * 128 * r < UINT64_MAX because we already checked | |
441 | * p * r < SCRYPT_PR_MAX | |
442 | */ | |
443 | Blen = p * 128 * r; | |
444 | /* | |
445 | * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would | |
446 | * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] | |
447 | */ | |
448 | if (Blen > INT_MAX) { | |
449 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
450 | return 0; | |
451 | } | |
452 | ||
453 | /* | |
454 | * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t | |
455 | * This is combined size V, X and T (section 4) | |
456 | */ | |
457 | i = UINT64_MAX / (32 * sizeof(uint32_t)); | |
458 | if (N + 2 > i / r) { | |
459 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
460 | return 0; | |
461 | } | |
462 | Vlen = 32 * r * (N + 2) * sizeof(uint32_t); | |
463 | ||
464 | /* check total allocated size fits in uint64_t */ | |
465 | if (Blen > UINT64_MAX - Vlen) { | |
466 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
467 | return 0; | |
468 | } | |
469 | ||
470 | /* Check that the maximum memory doesn't exceed a size_t limits */ | |
471 | if (maxmem > SIZE_MAX) | |
472 | maxmem = SIZE_MAX; | |
473 | ||
474 | if (Blen + Vlen > maxmem) { | |
475 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); | |
476 | return 0; | |
477 | } | |
478 | ||
479 | /* If no key return to indicate parameters are OK */ | |
480 | if (key == NULL) | |
481 | return 1; | |
482 | ||
483 | B = OPENSSL_malloc((size_t)(Blen + Vlen)); | |
484 | if (B == NULL) { | |
485 | EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE); | |
486 | return 0; | |
487 | } | |
488 | X = (uint32_t *)(B + Blen); | |
489 | T = X + 32 * r; | |
490 | V = T + 32 * r; | |
5ccada09 SL |
491 | if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, salt, saltlen, 1, sha256, |
492 | (int)Blen, B, libctx, propq) == 0) | |
5a285add DM |
493 | goto err; |
494 | ||
495 | for (i = 0; i < p; i++) | |
496 | scryptROMix(B + 128 * r * i, r, N, X, T, V); | |
497 | ||
5ccada09 SL |
498 | if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, B, (int)Blen, 1, sha256, |
499 | keylen, key, libctx, propq) == 0) | |
5a285add DM |
500 | goto err; |
501 | rv = 1; | |
502 | err: | |
503 | if (rv == 0) | |
504 | EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR); | |
505 | ||
506 | OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); | |
507 | return rv; | |
508 | } | |
402f26e6 JB |
509 | |
510 | #endif |