[thirdparty/openssl.git] / providers / implementations / kdfs / scrypt.c

/*
 * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
#include <openssl/err.h>
#include <openssl/core_names.h>
#include "crypto/evp.h"
#include "internal/numbers.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
#include "prov/implementations.h"

#ifndef OPENSSL_NO_SCRYPT

static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new;
static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free;
static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset;
static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params;

static int scrypt_alg(const char *pass, size_t passlen,
                      const unsigned char *salt, size_t saltlen,
                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
                      unsigned char *key, size_t keylen, EVP_MD *sha256,
                      OPENSSL_CTX *libctx, const char *propq);

typedef struct {
    OPENSSL_CTX *libctx;
    char *propq;
    unsigned char *pass;
    size_t pass_len;
    unsigned char *salt;
    size_t salt_len;
    uint64_t N;
    uint64_t r, p;
    uint64_t maxmem_bytes;
    EVP_MD *sha256;
} KDF_SCRYPT;

static void kdf_scrypt_init(KDF_SCRYPT *ctx);

static void *kdf_scrypt_new(void *provctx)
{
    KDF_SCRYPT *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }
    ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
    kdf_scrypt_init(ctx);
    return ctx;
}

static void kdf_scrypt_free(void *vctx)
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    if (ctx != NULL) {
        OPENSSL_free(ctx->propq);
        EVP_MD_free(ctx->sha256);
        kdf_scrypt_reset(ctx);
        OPENSSL_free(ctx);
    }
}

static void kdf_scrypt_reset(void *vctx)
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    OPENSSL_free(ctx->salt);
    OPENSSL_clear_free(ctx->pass, ctx->pass_len);
    kdf_scrypt_init(ctx);
}

static void kdf_scrypt_init(KDF_SCRYPT *ctx)
{
    /* Default values are the most conservative recommendation given in the
     * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
     * for this parameter choice (approx. 128 * r * N * p bytes).
     */
    ctx->N = 1 << 20;
    ctx->r = 8;
    ctx->p = 1;
    ctx->maxmem_bytes = 1025 * 1024 * 1024;
}

static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
                             const OSSL_PARAM *p)
{
    OPENSSL_clear_free(*buffer, *buflen);
    if (p->data_size == 0) {
        if ((*buffer = OPENSSL_malloc(1)) == NULL) {
            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    } else if (p->data != NULL) {
        *buffer = NULL;
        if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
            return 0;
    }
    return 1;
}

static int set_digest(KDF_SCRYPT *ctx)
{
    EVP_MD_free(ctx->sha256);
    ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq);
    if (ctx->sha256 == NULL) {
        OPENSSL_free(ctx);
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256);
        return 0;
    }
    return 1;
}

static int set_property_query(KDF_SCRYPT *ctx, const char *propq)
{
    OPENSSL_free(ctx->propq);
    ctx->propq = NULL;
    if (propq != NULL) {
        ctx->propq = OPENSSL_strdup(propq);
        if (ctx->propq == NULL) {
            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    }
    return 1;
}

static int kdf_scrypt_derive(void *vctx, unsigned char *key,
                             size_t keylen)
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    if (ctx->pass == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
        return 0;
    }

    if (ctx->salt == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
        return 0;
    }

    if (ctx->sha256 == NULL && !set_digest(ctx))
        return 0;

    return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt,
                      ctx->salt_len, ctx->N, ctx->r, ctx->p,
                      ctx->maxmem_bytes, key, keylen, ctx->sha256,
                      ctx->libctx, ctx->propq);
}

static int is_power_of_two(uint64_t value)
{
    return (value != 0) && ((value & (value - 1)) == 0);
}

static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    const OSSL_PARAM *p;
    KDF_SCRYPT *ctx = vctx;
    uint64_t u64_value;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
        if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
        if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value)
            || u64_value <= 1
            || !is_power_of_two(u64_value))
            return 0;
        ctx->N = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->r = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->p = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->maxmem_bytes = u64_value;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_UTF8_STRING
            || !set_property_query(ctx, p->data)
            || !set_digest(ctx))
            return 0;
    }
    return 1;
}

static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_settable_ctx_params[] = {
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
        OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL),
        OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
        OSSL_PARAM_END
    };
    return known_settable_ctx_params;
}

static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    OSSL_PARAM *p;

    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
    return -2;
}

static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_gettable_ctx_params[] = {
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
        OSSL_PARAM_END
    };
    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_scrypt_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_scrypt_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params },
    { 0, NULL }
};

#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
static void salsa208_word_specification(uint32_t inout[16])
{
    int i;
    uint32_t x[16];

    memcpy(x, inout, sizeof(x));
    for (i = 8; i > 0; i -= 2) {
        x[4] ^= R(x[0] + x[12], 7);
        x[8] ^= R(x[4] + x[0], 9);
        x[12] ^= R(x[8] + x[4], 13);
        x[0] ^= R(x[12] + x[8], 18);
        x[9] ^= R(x[5] + x[1], 7);
        x[13] ^= R(x[9] + x[5], 9);
        x[1] ^= R(x[13] + x[9], 13);
        x[5] ^= R(x[1] + x[13], 18);
        x[14] ^= R(x[10] + x[6], 7);
        x[2] ^= R(x[14] + x[10], 9);
        x[6] ^= R(x[2] + x[14], 13);
        x[10] ^= R(x[6] + x[2], 18);
        x[3] ^= R(x[15] + x[11], 7);
        x[7] ^= R(x[3] + x[15], 9);
        x[11] ^= R(x[7] + x[3], 13);
        x[15] ^= R(x[11] + x[7], 18);
        x[1] ^= R(x[0] + x[3], 7);
        x[2] ^= R(x[1] + x[0], 9);
        x[3] ^= R(x[2] + x[1], 13);
        x[0] ^= R(x[3] + x[2], 18);
        x[6] ^= R(x[5] + x[4], 7);
        x[7] ^= R(x[6] + x[5], 9);
        x[4] ^= R(x[7] + x[6], 13);
        x[5] ^= R(x[4] + x[7], 18);
        x[11] ^= R(x[10] + x[9], 7);
        x[8] ^= R(x[11] + x[10], 9);
        x[9] ^= R(x[8] + x[11], 13);
        x[10] ^= R(x[9] + x[8], 18);
        x[12] ^= R(x[15] + x[14], 7);
        x[13] ^= R(x[12] + x[15], 9);
        x[14] ^= R(x[13] + x[12], 13);
        x[15] ^= R(x[14] + x[13], 18);
    }
    for (i = 0; i < 16; ++i)
        inout[i] += x[i];
    OPENSSL_cleanse(x, sizeof(x));
}

static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
{
    uint64_t i, j;
    uint32_t X[16], *pB;

    memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
    pB = B;
    for (i = 0; i < r * 2; i++) {
        for (j = 0; j < 16; j++)
            X[j] ^= *pB++;
        salsa208_word_specification(X);
        memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
    }
    OPENSSL_cleanse(X, sizeof(X));
}

static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
                        uint32_t *X, uint32_t *T, uint32_t *V)
{
    unsigned char *pB;
    uint32_t *pV;
    uint64_t i, k;

    /* Convert from little endian input */
    for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
        *pV = *pB++;
        *pV |= *pB++ << 8;
        *pV |= *pB++ << 16;
        *pV |= (uint32_t)*pB++ << 24;
    }

    for (i = 1; i < N; i++, pV += 32 * r)
        scryptBlockMix(pV, pV - 32 * r, r);

    scryptBlockMix(X, V + (N - 1) * 32 * r, r);

    for (i = 0; i < N; i++) {
        uint32_t j;
        j = X[16 * (2 * r - 1)] % N;
        pV = V + 32 * r * j;
        for (k = 0; k < 32 * r; k++)
            T[k] = X[k] ^ *pV++;
        scryptBlockMix(X, T, r);
    }
    /* Convert output to little endian */
    for (i = 0, pB = B; i < 32 * r; i++) {
        uint32_t xtmp = X[i];
        *pB++ = xtmp & 0xff;
        *pB++ = (xtmp >> 8) & 0xff;
        *pB++ = (xtmp >> 16) & 0xff;
        *pB++ = (xtmp >> 24) & 0xff;
    }
}

#ifndef SIZE_MAX
# define SIZE_MAX    ((size_t)-1)
#endif

/*
 * Maximum power of two that will fit in uint64_t: this should work on
 * most (all?) platforms.
 */

#define LOG2_UINT64_MAX         (sizeof(uint64_t) * 8 - 1)

/*
 * Maximum value of p * r:
 * p <= ((2^32-1) * hLen) / MFLen =>
 * p <= ((2^32-1) * 32) / (128 * r) =>
 * p * r <= (2^30-1)
 */

#define SCRYPT_PR_MAX   ((1 << 30) - 1)

static int scrypt_alg(const char *pass, size_t passlen,
                      const unsigned char *salt, size_t saltlen,
                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
                      unsigned char *key, size_t keylen, EVP_MD *sha256,
                      OPENSSL_CTX *libctx, const char *propq)
{
    int rv = 0;
    unsigned char *B;
    uint32_t *X, *V, *T;
    uint64_t i, Blen, Vlen;

    /* Sanity check parameters */
    /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
    if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
        return 0;
    /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
    if (p > SCRYPT_PR_MAX / r) {
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /*
     * Need to check N: if 2^(128 * r / 8) overflows limit this is
     * automatically satisfied since N <= UINT64_MAX.
     */

    if (16 * r <= LOG2_UINT64_MAX) {
        if (N >= (((uint64_t)1) << (16 * r))) {
            EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
            return 0;
        }
    }

    /* Memory checks: check total allocated buffer size fits in uint64_t */

    /*
     * B size in section 5 step 1.S
     * Note: we know p * 128 * r < UINT64_MAX because we already checked
     * p * r < SCRYPT_PR_MAX
     */
    Blen = p * 128 * r;
    /*
     * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
     * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
     */
    if (Blen > INT_MAX) {
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /*
     * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
     * This is combined size V, X and T (section 4)
     */
    i = UINT64_MAX / (32 * sizeof(uint32_t));
    if (N + 2 > i / r) {
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }
    Vlen = 32 * r * (N + 2) * sizeof(uint32_t);

    /* check total allocated size fits in uint64_t */
    if (Blen > UINT64_MAX - Vlen) {
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /* Check that the maximum memory doesn't exceed a size_t limits */
    if (maxmem > SIZE_MAX)
        maxmem = SIZE_MAX;

    if (Blen + Vlen > maxmem) {
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /* If no key return to indicate parameters are OK */
    if (key == NULL)
        return 1;

    B = OPENSSL_malloc((size_t)(Blen + Vlen));
    if (B == NULL) {
        EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    X = (uint32_t *)(B + Blen);
    T = X + 32 * r;
    V = T + 32 * r;
    if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, salt, saltlen, 1, sha256,
                                      (int)Blen, B, libctx, propq) == 0)
        goto err;

    for (i = 0; i < p; i++)
        scryptROMix(B + 128 * r * i, r, N, X, T, V);

    if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, B, (int)Blen, 1, sha256,
                                      keylen, key, libctx, propq) == 0)
        goto err;
    rv = 1;
 err:
    if (rv == 0)
        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR);

    OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
    return rv;
}

#endif
Commit	Line	Data
cefa762e	1	/*
33388b44	2	* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
cefa762e	3	*
7bb803e8	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
cefa762e JB	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdlib.h>
5a285add	11	#include <stdarg.h>
cefa762e	12	#include <string.h>
cefa762e	13	#include <openssl/evp.h>
5a285add DM	14	#include <openssl/kdf.h>
5a285add DM	15	#include <openssl/err.h>
e3405a4a	16	#include <openssl/core_names.h>
25f2138b	17	#include "crypto/evp.h"
5a285add	18	#include "internal/numbers.h"
af3e7e1b	19	#include "prov/implementations.h"
ddd21319	20	#include "prov/provider_ctx.h"
2b9e4e95	21	#include "prov/providercommon.h"
ddd21319	22	#include "prov/providercommonerr.h"
af3e7e1b	23	#include "prov/implementations.h"
cefa762e	24
402f26e6 JB	25	#ifndef OPENSSL_NO_SCRYPT
402f26e6 JB	26
363b1e5d DMSP	27	static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new;
	28	static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free;
	29	static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset;
	30	static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive;
	31	static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
	32	static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params;
af5e1e85 P	33	static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
af5e1e85 P	34	static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params;
e3405a4a	35
5a285add DM	36	static int scrypt_alg(const char *pass, size_t passlen,
	37	const unsigned char *salt, size_t saltlen,
	38	uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
5ccada09 SL	39	unsigned char key, size_t keylen, EVP_MD sha256,
5ccada09 SL	40	OPENSSL_CTX libctx, const char propq);
cefa762e	41
e3405a4a	42	typedef struct {
26496f5a SL	43	OPENSSL_CTX *libctx;
26496f5a SL	44	char *propq;
cefa762e JB	45	unsigned char *pass;
	46	size_t pass_len;
	47	unsigned char *salt;
	48	size_t salt_len;
5a285add	49	uint64_t N;
e3405a4a	50	uint64_t r, p;
cefa762e	51	uint64_t maxmem_bytes;
e3405a4a P	52	EVP_MD *sha256;
e3405a4a P	53	} KDF_SCRYPT;
cefa762e	54
e3405a4a	55	static void kdf_scrypt_init(KDF_SCRYPT *ctx);
cefa762e	56
e3405a4a	57	static void kdf_scrypt_new(void provctx)
cefa762e	58	{
e3405a4a	59	KDF_SCRYPT *ctx;
cefa762e	60
2b9e4e95 P	61	if (!ossl_prov_is_running())
	62	return NULL;
	63
e3405a4a P	64	ctx = OPENSSL_zalloc(sizeof(*ctx));
	65	if (ctx == NULL) {
	66	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	67	return NULL;
	68	}
26496f5a	69	ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
e3405a4a P	70	kdf_scrypt_init(ctx);
e3405a4a P	71	return ctx;
5a285add	72	}
cefa762e	73
e3405a4a	74	static void kdf_scrypt_free(void *vctx)
5a285add	75	{
e3405a4a P	76	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
e3405a4a P	77
3c659415	78	if (ctx != NULL) {
26496f5a	79	OPENSSL_free(ctx->propq);
4a0a9e57	80	EVP_MD_free(ctx->sha256);
3c659415 P	81	kdf_scrypt_reset(ctx);
	82	OPENSSL_free(ctx);
	83	}
cefa762e JB	84	}
cefa762e JB	85
e3405a4a	86	static void kdf_scrypt_reset(void *vctx)
cefa762e	87	{
e3405a4a P	88	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
	89
	90	OPENSSL_free(ctx->salt);
	91	OPENSSL_clear_free(ctx->pass, ctx->pass_len);
e3405a4a	92	kdf_scrypt_init(ctx);
5a285add	93	}
cefa762e	94
e3405a4a	95	static void kdf_scrypt_init(KDF_SCRYPT *ctx)
5a285add DM	96	{
	97	/* Default values are the most conservative recommendation given in the
	98	* original paper of C. Percival. Derivation uses roughly 1 GiB of memory
	99	* for this parameter choice (approx. 128 * r * N * p bytes).
	100	*/
e3405a4a P	101	ctx->N = 1 << 20;
	102	ctx->r = 8;
	103	ctx->p = 1;
	104	ctx->maxmem_bytes = 1025 * 1024 * 1024;
cefa762e JB	105	}
cefa762e JB	106
5a285add	107	static int scrypt_set_membuf(unsigned char *buffer, size_t buflen,
e3405a4a	108	const OSSL_PARAM *p)
cefa762e	109	{
5a285add	110	OPENSSL_clear_free(buffer, buflen);
e3405a4a P	111	if (p->data_size == 0) {
	112	if ((*buffer = OPENSSL_malloc(1)) == NULL) {
	113	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	114	return 0;
	115	}
	116	} else if (p->data != NULL) {
	117	*buffer = NULL;
	118	if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
	119	return 0;
	120	}
	121	return 1;
	122	}
	123
26496f5a SL	124	static int set_digest(KDF_SCRYPT *ctx)
	125	{
	126	EVP_MD_free(ctx->sha256);
	127	ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq);
	128	if (ctx->sha256 == NULL) {
	129	OPENSSL_free(ctx);
	130	ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256);
	131	return 0;
	132	}
	133	return 1;
	134	}
	135
	136	static int set_property_query(KDF_SCRYPT ctx, const char propq)
	137	{
	138	OPENSSL_free(ctx->propq);
	139	ctx->propq = NULL;
	140	if (propq != NULL) {
	141	ctx->propq = OPENSSL_strdup(propq);
	142	if (ctx->propq == NULL) {
	143	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	144	return 0;
	145	}
	146	}
	147	return 1;
	148	}
	149
e3405a4a P	150	static int kdf_scrypt_derive(void vctx, unsigned char key,
	151	size_t keylen)
	152	{
	153	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
cefa762e	154
2b9e4e95 P	155	if (!ossl_prov_is_running())
	156	return 0;
	157
e3405a4a P	158	if (ctx->pass == NULL) {
	159	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
	160	return 0;
cefa762e	161	}
e3405a4a P	162
	163	if (ctx->salt == NULL) {
	164	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
cefa762e	165	return 0;
3484236d	166	}
cefa762e	167
26496f5a SL	168	if (ctx->sha256 == NULL && !set_digest(ctx))
	169	return 0;
	170
e3405a4a P	171	return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt,
e3405a4a P	172	ctx->salt_len, ctx->N, ctx->r, ctx->p,
5ccada09	173	ctx->maxmem_bytes, key, keylen, ctx->sha256,
26496f5a	174	ctx->libctx, ctx->propq);
cefa762e JB	175	}
	176
	177	static int is_power_of_two(uint64_t value)
	178	{
	179	return (value != 0) && ((value & (value - 1)) == 0);
	180	}
	181
e3405a4a	182	static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
cefa762e	183	{
e3405a4a P	184	const OSSL_PARAM *p;
e3405a4a P	185	KDF_SCRYPT *ctx = vctx;
cefa762e	186	uint64_t u64_value;
5a285add	187
e3405a4a P	188	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
e3405a4a P	189	if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
cefa762e	190	return 0;
5a285add	191
e3405a4a P	192	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
e3405a4a P	193	if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p))
cefa762e	194	return 0;
5a285add	195
e3405a4a P	196	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N))
	197	!= NULL) {
	198	if (!OSSL_PARAM_get_uint64(p, &u64_value)
	199	\|\| u64_value <= 1
	200	\|\| !is_power_of_two(u64_value))
cefa762e	201	return 0;
e3405a4a P	202	ctx->N = u64_value;
e3405a4a P	203	}
5a285add	204
e3405a4a P	205	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R))
	206	!= NULL) {
	207	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	208	return 0;
	209	ctx->r = u64_value;
5a285add	210	}
5a285add	211
e3405a4a P	212	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P))
	213	!= NULL) {
	214	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	215	return 0;
	216	ctx->p = u64_value;
	217	}
cefa762e	218
e3405a4a P	219	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM))
	220	!= NULL) {
	221	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	222	return 0;
	223	ctx->maxmem_bytes = u64_value;
cefa762e	224	}
26496f5a SL	225
	226	p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES);
	227	if (p != NULL) {
	228	if (p->data_type != OSSL_PARAM_UTF8_STRING
	229	\|\| !set_property_query(ctx, p->data)
	230	\|\| !set_digest(ctx))
	231	return 0;
	232	}
e3405a4a	233	return 1;
cefa762e JB	234	}
cefa762e JB	235
1017ab21	236	static const OSSL_PARAM kdf_scrypt_settable_ctx_params(ossl_unused void p_ctx)
cefa762e	237	{
e3405a4a P	238	static const OSSL_PARAM known_settable_ctx_params[] = {
	239	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
	240	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
	241	OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL),
	242	OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL),
	243	OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL),
	244	OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL),
26496f5a	245	OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
e3405a4a P	246	OSSL_PARAM_END
	247	};
	248	return known_settable_ctx_params;
cefa762e JB	249	}
cefa762e JB	250
e3405a4a	251	static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[])
cefa762e	252	{
e3405a4a	253	OSSL_PARAM *p;
cefa762e	254
e3405a4a P	255	if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
e3405a4a P	256	return OSSL_PARAM_set_size_t(p, SIZE_MAX);
cefa762e JB	257	return -2;
	258	}
	259
1017ab21	260	static const OSSL_PARAM kdf_scrypt_gettable_ctx_params(ossl_unused void p_ctx)
cefa762e	261	{
e3405a4a P	262	static const OSSL_PARAM known_gettable_ctx_params[] = {
	263	OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
	264	OSSL_PARAM_END
	265	};
	266	return known_gettable_ctx_params;
5a285add DM	267	}
5a285add DM	268
1be63951	269	const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = {
e3405a4a P	270	{ OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new },
	271	{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free },
	272	{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset },
	273	{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive },
	274	{ OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
	275	(void(*)(void))kdf_scrypt_settable_ctx_params },
	276	{ OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params },
	277	{ OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
	278	(void(*)(void))kdf_scrypt_gettable_ctx_params },
	279	{ OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params },
	280	{ 0, NULL }
5a285add DM	281	};
	282
	283	#define R(a,b) (((a) << (b)) \| ((a) >> (32 - (b))))
	284	static void salsa208_word_specification(uint32_t inout[16])
	285	{
	286	int i;
	287	uint32_t x[16];
	288
	289	memcpy(x, inout, sizeof(x));
	290	for (i = 8; i > 0; i -= 2) {
	291	x[4] ^= R(x[0] + x[12], 7);
	292	x[8] ^= R(x[4] + x[0], 9);
	293	x[12] ^= R(x[8] + x[4], 13);
	294	x[0] ^= R(x[12] + x[8], 18);
	295	x[9] ^= R(x[5] + x[1], 7);
	296	x[13] ^= R(x[9] + x[5], 9);
	297	x[1] ^= R(x[13] + x[9], 13);
	298	x[5] ^= R(x[1] + x[13], 18);
	299	x[14] ^= R(x[10] + x[6], 7);
	300	x[2] ^= R(x[14] + x[10], 9);
	301	x[6] ^= R(x[2] + x[14], 13);
	302	x[10] ^= R(x[6] + x[2], 18);
	303	x[3] ^= R(x[15] + x[11], 7);
	304	x[7] ^= R(x[3] + x[15], 9);
	305	x[11] ^= R(x[7] + x[3], 13);
	306	x[15] ^= R(x[11] + x[7], 18);
	307	x[1] ^= R(x[0] + x[3], 7);
	308	x[2] ^= R(x[1] + x[0], 9);
	309	x[3] ^= R(x[2] + x[1], 13);
	310	x[0] ^= R(x[3] + x[2], 18);
	311	x[6] ^= R(x[5] + x[4], 7);
	312	x[7] ^= R(x[6] + x[5], 9);
	313	x[4] ^= R(x[7] + x[6], 13);
	314	x[5] ^= R(x[4] + x[7], 18);
	315	x[11] ^= R(x[10] + x[9], 7);
	316	x[8] ^= R(x[11] + x[10], 9);
	317	x[9] ^= R(x[8] + x[11], 13);
	318	x[10] ^= R(x[9] + x[8], 18);
	319	x[12] ^= R(x[15] + x[14], 7);
	320	x[13] ^= R(x[12] + x[15], 9);
	321	x[14] ^= R(x[13] + x[12], 13);
	322	x[15] ^= R(x[14] + x[13], 18);
	323	}
	324	for (i = 0; i < 16; ++i)
	325	inout[i] += x[i];
	326	OPENSSL_cleanse(x, sizeof(x));
	327	}
	328
	329	static void scryptBlockMix(uint32_t B_, uint32_t B, uint64_t r)
	330	{
	331	uint64_t i, j;
	332	uint32_t X[16], *pB;
	333
	334	memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
	335	pB = B;
	336	for (i = 0; i < r * 2; i++) {
	337	for (j = 0; j < 16; j++)
	338	X[j] ^= *pB++;
	339	salsa208_word_specification(X);
	340	memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
	341	}
	342	OPENSSL_cleanse(X, sizeof(X));
	343	}
	344
345	static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
346	uint32_t X, uint32_t T, uint32_t *V)
347	{
348	unsigned char *pB;
349	uint32_t *pV;
350	uint64_t i, k;
351
352	/* Convert from little endian input */
353	for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
354	pV = pB++;
355	pV \|= pB++ << 8;
356	pV \|= pB++ << 16;
357	pV \|= (uint32_t)pB++ << 24;
358	}
359
360	for (i = 1; i < N; i++, pV += 32 * r)
361	scryptBlockMix(pV, pV - 32 * r, r);
362
363	scryptBlockMix(X, V + (N - 1) * 32 * r, r);
364
365	for (i = 0; i < N; i++) {
366	uint32_t j;
367	j = X[16 * (2 * r - 1)] % N;
368	pV = V + 32 * r * j;
369	for (k = 0; k < 32 * r; k++)
370	T[k] = X[k] ^ *pV++;
371	scryptBlockMix(X, T, r);
372	}
373	/* Convert output to little endian */
374	for (i = 0, pB = B; i < 32 * r; i++) {
375	uint32_t xtmp = X[i];
376	*pB++ = xtmp & 0xff;
377	*pB++ = (xtmp >> 8) & 0xff;
378	*pB++ = (xtmp >> 16) & 0xff;
379	*pB++ = (xtmp >> 24) & 0xff;
380	}
cefa762e JB	381	}
cefa762e JB	382
5a285add DM	383	#ifndef SIZE_MAX
	384	# define SIZE_MAX ((size_t)-1)
	385	#endif
cefa762e	386
5a285add DM	387	/*
	388	* Maximum power of two that will fit in uint64_t: this should work on
	389	* most (all?) platforms.
	390	*/
cefa762e	391
5a285add	392	#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
cefa762e	393
5a285add DM	394	/*
	395	* Maximum value of p * r:
	396	* p <= ((2^32-1) * hLen) / MFLen =>
	397	* p <= ((2^32-1) * 32) / (128 * r) =>
	398	* p * r <= (2^30-1)
	399	*/
cefa762e	400
5a285add	401	#define SCRYPT_PR_MAX ((1 << 30) - 1)
cefa762e	402
5a285add DM	403	static int scrypt_alg(const char *pass, size_t passlen,
	404	const unsigned char *salt, size_t saltlen,
	405	uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
5ccada09 SL	406	unsigned char key, size_t keylen, EVP_MD sha256,
5ccada09 SL	407	OPENSSL_CTX libctx, const char propq)
5a285add DM	408	{
	409	int rv = 0;
	410	unsigned char *B;
	411	uint32_t X, V, *T;
	412	uint64_t i, Blen, Vlen;
	413
	414	/* Sanity check parameters */
	415	/* initial check, r,p must be non zero, N >= 2 and a power of 2 */
	416	if (r == 0 \|\| p == 0 \|\| N < 2 \|\| (N & (N - 1)))
	417	return 0;
	418	/* Check p * r < SCRYPT_PR_MAX avoiding overflow */
	419	if (p > SCRYPT_PR_MAX / r) {
	420	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	421	return 0;
	422	}
cefa762e	423
5a285add DM	424	/*
	425	* Need to check N: if 2^(128 * r / 8) overflows limit this is
	426	* automatically satisfied since N <= UINT64_MAX.
	427	*/
cefa762e	428
5a285add DM	429	if (16 * r <= LOG2_UINT64_MAX) {
	430	if (N >= (((uint64_t)1) << (16 * r))) {
	431	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	432	return 0;
	433	}
	434	}
cefa762e	435
5a285add DM	436	/* Memory checks: check total allocated buffer size fits in uint64_t */
	437
	438	/*
	439	* B size in section 5 step 1.S
	440	* Note: we know p * 128 * r < UINT64_MAX because we already checked
	441	* p * r < SCRYPT_PR_MAX
	442	*/
	443	Blen = p * 128 * r;
	444	/*
	445	* Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
	446	* have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
	447	*/
	448	if (Blen > INT_MAX) {
	449	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	450	return 0;
	451	}
	452
	453	/*
	454	* Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
	455	* This is combined size V, X and T (section 4)
	456	*/
	457	i = UINT64_MAX / (32 * sizeof(uint32_t));
	458	if (N + 2 > i / r) {
	459	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	460	return 0;
	461	}
	462	Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
	463
	464	/* check total allocated size fits in uint64_t */
	465	if (Blen > UINT64_MAX - Vlen) {
	466	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	467	return 0;
	468	}
	469
	470	/* Check that the maximum memory doesn't exceed a size_t limits */
	471	if (maxmem > SIZE_MAX)
	472	maxmem = SIZE_MAX;
	473
	474	if (Blen + Vlen > maxmem) {
	475	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
	476	return 0;
	477	}
	478
	479	/* If no key return to indicate parameters are OK */
	480	if (key == NULL)
	481	return 1;
	482
	483	B = OPENSSL_malloc((size_t)(Blen + Vlen));
	484	if (B == NULL) {
	485	EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE);
	486	return 0;
	487	}
	488	X = (uint32_t *)(B + Blen);
	489	T = X + 32 * r;
	490	V = T + 32 * r;
5ccada09 SL	491	if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, salt, saltlen, 1, sha256,
5ccada09 SL	492	(int)Blen, B, libctx, propq) == 0)
5a285add DM	493	goto err;
	494
	495	for (i = 0; i < p; i++)
	496	scryptROMix(B + 128 * r * i, r, N, X, T, V);
	497
5ccada09 SL	498	if (pkcs5_pbkdf2_hmac_with_libctx(pass, passlen, B, (int)Blen, 1, sha256,
5ccada09 SL	499	keylen, key, libctx, propq) == 0)
5a285add DM	500	goto err;
	501	rv = 1;
	502	err:
	503	if (rv == 0)
	504	EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR);
	505
	506	OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
	507	return rv;
	508	}
402f26e6 JB	509
402f26e6 JB	510	#endif