[thirdparty/openssl.git] / providers / implementations / kdfs / scrypt.c

/*
 * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
#include <openssl/err.h>
#include <openssl/core_names.h>
#include <openssl/proverr.h>
#include "crypto/evp.h"
#include "internal/numbers.h"
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
#include "prov/provider_util.h"

#ifndef OPENSSL_NO_SCRYPT

static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_scrypt_dup;
static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free;
static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset;
static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params;

static int scrypt_alg(const char *pass, size_t passlen,
                      const unsigned char *salt, size_t saltlen,
                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
                      unsigned char *key, size_t keylen, EVP_MD *sha256,
                      OSSL_LIB_CTX *libctx, const char *propq);

typedef struct {
    OSSL_LIB_CTX *libctx;
    char *propq;
    unsigned char *pass;
    size_t pass_len;
    unsigned char *salt;
    size_t salt_len;
    uint64_t N;
    uint64_t r, p;
    uint64_t maxmem_bytes;
    EVP_MD *sha256;
} KDF_SCRYPT;

static void kdf_scrypt_init(KDF_SCRYPT *ctx);

static void *kdf_scrypt_new_inner(OSSL_LIB_CTX *libctx)
{
    KDF_SCRYPT *ctx;

    if (!ossl_prov_is_running())
        return NULL;

    ctx = OPENSSL_zalloc(sizeof(*ctx));
    if (ctx == NULL) {
        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
        return NULL;
    }
    ctx->libctx = libctx;
    kdf_scrypt_init(ctx);
    return ctx;
}

static void *kdf_scrypt_new(void *provctx)
{
    return kdf_scrypt_new_inner(PROV_LIBCTX_OF(provctx));
}

static void kdf_scrypt_free(void *vctx)
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    if (ctx != NULL) {
        OPENSSL_free(ctx->propq);
        EVP_MD_free(ctx->sha256);
        kdf_scrypt_reset(ctx);
        OPENSSL_free(ctx);
    }
}

static void kdf_scrypt_reset(void *vctx)
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    OPENSSL_free(ctx->salt);
    OPENSSL_clear_free(ctx->pass, ctx->pass_len);
    kdf_scrypt_init(ctx);
}

static void *kdf_scrypt_dup(void *vctx)
{
    const KDF_SCRYPT *src = (const KDF_SCRYPT *)vctx;
    KDF_SCRYPT *dest;

    dest = kdf_scrypt_new_inner(src->libctx);
    if (dest != NULL) {
        if (src->sha256 != NULL && !EVP_MD_up_ref(src->sha256))
            goto err;
        if (src->propq != NULL) {
            dest->propq = OPENSSL_strdup(src->propq);
            if (dest->propq == NULL)
                goto err;
        }
        if (!ossl_prov_memdup(src->salt, src->salt_len,
                              &dest->salt, &dest->salt_len)
                || !ossl_prov_memdup(src->pass, src->pass_len,
                                     &dest->pass , &dest->pass_len))
            goto err;
        dest->N = src->N;
        dest->r = src->r;
        dest->p = src->p;
        dest->maxmem_bytes = src->maxmem_bytes;
        dest->sha256 = src->sha256;
    }
    return dest;

 err:
    kdf_scrypt_free(dest);
    return NULL;
}

static void kdf_scrypt_init(KDF_SCRYPT *ctx)
{
    /* Default values are the most conservative recommendation given in the
     * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
     * for this parameter choice (approx. 128 * r * N * p bytes).
     */
    ctx->N = 1 << 20;
    ctx->r = 8;
    ctx->p = 1;
    ctx->maxmem_bytes = 1025 * 1024 * 1024;
}

static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
                             const OSSL_PARAM *p)
{
    OPENSSL_clear_free(*buffer, *buflen);
    *buffer = NULL;
    *buflen = 0;

    if (p->data_size == 0) {
        if ((*buffer = OPENSSL_malloc(1)) == NULL) {
            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    } else if (p->data != NULL) {
        if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
            return 0;
    }
    return 1;
}

static int set_digest(KDF_SCRYPT *ctx)
{
    EVP_MD_free(ctx->sha256);
    ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq);
    if (ctx->sha256 == NULL) {
        OPENSSL_free(ctx);
        ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256);
        return 0;
    }
    return 1;
}

static int set_property_query(KDF_SCRYPT *ctx, const char *propq)
{
    OPENSSL_free(ctx->propq);
    ctx->propq = NULL;
    if (propq != NULL) {
        ctx->propq = OPENSSL_strdup(propq);
        if (ctx->propq == NULL) {
            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    }
    return 1;
}

static int kdf_scrypt_derive(void *vctx, unsigned char *key, size_t keylen,
                             const OSSL_PARAM params[])
{
    KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;

    if (!ossl_prov_is_running() || !kdf_scrypt_set_ctx_params(ctx, params))
        return 0;

    if (ctx->pass == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
        return 0;
    }

    if (ctx->salt == NULL) {
        ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
        return 0;
    }

    if (ctx->sha256 == NULL && !set_digest(ctx))
        return 0;

    return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt,
                      ctx->salt_len, ctx->N, ctx->r, ctx->p,
                      ctx->maxmem_bytes, key, keylen, ctx->sha256,
                      ctx->libctx, ctx->propq);
}

static int is_power_of_two(uint64_t value)
{
    return (value != 0) && ((value & (value - 1)) == 0);
}

static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    const OSSL_PARAM *p;
    KDF_SCRYPT *ctx = vctx;
    uint64_t u64_value;

    if (params == NULL)
        return 1;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
        if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
        if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p))
            return 0;

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value)
            || u64_value <= 1
            || !is_power_of_two(u64_value))
            return 0;
        ctx->N = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->r = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->p = u64_value;
    }

    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM))
        != NULL) {
        if (!OSSL_PARAM_get_uint64(p, &u64_value) || u64_value < 1)
            return 0;
        ctx->maxmem_bytes = u64_value;
    }

    p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES);
    if (p != NULL) {
        if (p->data_type != OSSL_PARAM_UTF8_STRING
            || !set_property_query(ctx, p->data)
            || !set_digest(ctx))
            return 0;
    }
    return 1;
}

static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_settable_ctx_params[] = {
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
        OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL),
        OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL),
        OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL),
        OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
        OSSL_PARAM_END
    };
    return known_settable_ctx_params;
}

static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    OSSL_PARAM *p;

    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
    return -2;
}

static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *ctx,
                                                        ossl_unused void *p_ctx)
{
    static const OSSL_PARAM known_gettable_ctx_params[] = {
        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
        OSSL_PARAM_END
    };
    return known_gettable_ctx_params;
}

const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = {
    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new },
    { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_scrypt_dup },
    { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free },
    { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset },
    { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive },
    { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_scrypt_settable_ctx_params },
    { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params },
    { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
      (void(*)(void))kdf_scrypt_gettable_ctx_params },
    { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params },
    { 0, NULL }
};

#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
static void salsa208_word_specification(uint32_t inout[16])
{
    int i;
    uint32_t x[16];

    memcpy(x, inout, sizeof(x));
    for (i = 8; i > 0; i -= 2) {
        x[4] ^= R(x[0] + x[12], 7);
        x[8] ^= R(x[4] + x[0], 9);
        x[12] ^= R(x[8] + x[4], 13);
        x[0] ^= R(x[12] + x[8], 18);
        x[9] ^= R(x[5] + x[1], 7);
        x[13] ^= R(x[9] + x[5], 9);
        x[1] ^= R(x[13] + x[9], 13);
        x[5] ^= R(x[1] + x[13], 18);
        x[14] ^= R(x[10] + x[6], 7);
        x[2] ^= R(x[14] + x[10], 9);
        x[6] ^= R(x[2] + x[14], 13);
        x[10] ^= R(x[6] + x[2], 18);
        x[3] ^= R(x[15] + x[11], 7);
        x[7] ^= R(x[3] + x[15], 9);
        x[11] ^= R(x[7] + x[3], 13);
        x[15] ^= R(x[11] + x[7], 18);
        x[1] ^= R(x[0] + x[3], 7);
        x[2] ^= R(x[1] + x[0], 9);
        x[3] ^= R(x[2] + x[1], 13);
        x[0] ^= R(x[3] + x[2], 18);
        x[6] ^= R(x[5] + x[4], 7);
        x[7] ^= R(x[6] + x[5], 9);
        x[4] ^= R(x[7] + x[6], 13);
        x[5] ^= R(x[4] + x[7], 18);
        x[11] ^= R(x[10] + x[9], 7);
        x[8] ^= R(x[11] + x[10], 9);
        x[9] ^= R(x[8] + x[11], 13);
        x[10] ^= R(x[9] + x[8], 18);
        x[12] ^= R(x[15] + x[14], 7);
        x[13] ^= R(x[12] + x[15], 9);
        x[14] ^= R(x[13] + x[12], 13);
        x[15] ^= R(x[14] + x[13], 18);
    }
    for (i = 0; i < 16; ++i)
        inout[i] += x[i];
    OPENSSL_cleanse(x, sizeof(x));
}

static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
{
    uint64_t i, j;
    uint32_t X[16], *pB;

    memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
    pB = B;
    for (i = 0; i < r * 2; i++) {
        for (j = 0; j < 16; j++)
            X[j] ^= *pB++;
        salsa208_word_specification(X);
        memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
    }
    OPENSSL_cleanse(X, sizeof(X));
}

static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
                        uint32_t *X, uint32_t *T, uint32_t *V)
{
    unsigned char *pB;
    uint32_t *pV;
    uint64_t i, k;

    /* Convert from little endian input */
    for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
        *pV = *pB++;
        *pV |= *pB++ << 8;
        *pV |= *pB++ << 16;
        *pV |= (uint32_t)*pB++ << 24;
    }

    for (i = 1; i < N; i++, pV += 32 * r)
        scryptBlockMix(pV, pV - 32 * r, r);

    scryptBlockMix(X, V + (N - 1) * 32 * r, r);

    for (i = 0; i < N; i++) {
        uint32_t j;
        j = X[16 * (2 * r - 1)] % N;
        pV = V + 32 * r * j;
        for (k = 0; k < 32 * r; k++)
            T[k] = X[k] ^ *pV++;
        scryptBlockMix(X, T, r);
    }
    /* Convert output to little endian */
    for (i = 0, pB = B; i < 32 * r; i++) {
        uint32_t xtmp = X[i];
        *pB++ = xtmp & 0xff;
        *pB++ = (xtmp >> 8) & 0xff;
        *pB++ = (xtmp >> 16) & 0xff;
        *pB++ = (xtmp >> 24) & 0xff;
    }
}

#ifndef SIZE_MAX
# define SIZE_MAX    ((size_t)-1)
#endif

/*
 * Maximum power of two that will fit in uint64_t: this should work on
 * most (all?) platforms.
 */

#define LOG2_UINT64_MAX         (sizeof(uint64_t) * 8 - 1)

/*
 * Maximum value of p * r:
 * p <= ((2^32-1) * hLen) / MFLen =>
 * p <= ((2^32-1) * 32) / (128 * r) =>
 * p * r <= (2^30-1)
 */

#define SCRYPT_PR_MAX   ((1 << 30) - 1)

static int scrypt_alg(const char *pass, size_t passlen,
                      const unsigned char *salt, size_t saltlen,
                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
                      unsigned char *key, size_t keylen, EVP_MD *sha256,
                      OSSL_LIB_CTX *libctx, const char *propq)
{
    int rv = 0;
    unsigned char *B;
    uint32_t *X, *V, *T;
    uint64_t i, Blen, Vlen;

    /* Sanity check parameters */
    /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
    if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
        return 0;
    /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
    if (p > SCRYPT_PR_MAX / r) {
        ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /*
     * Need to check N: if 2^(128 * r / 8) overflows limit this is
     * automatically satisfied since N <= UINT64_MAX.
     */

    if (16 * r <= LOG2_UINT64_MAX) {
        if (N >= (((uint64_t)1) << (16 * r))) {
            ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
            return 0;
        }
    }

    /* Memory checks: check total allocated buffer size fits in uint64_t */

    /*
     * B size in section 5 step 1.S
     * Note: we know p * 128 * r < UINT64_MAX because we already checked
     * p * r < SCRYPT_PR_MAX
     */
    Blen = p * 128 * r;
    /*
     * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
     * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
     */
    if (Blen > INT_MAX) {
        ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /*
     * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
     * This is combined size V, X and T (section 4)
     */
    i = UINT64_MAX / (32 * sizeof(uint32_t));
    if (N + 2 > i / r) {
        ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }
    Vlen = 32 * r * (N + 2) * sizeof(uint32_t);

    /* check total allocated size fits in uint64_t */
    if (Blen > UINT64_MAX - Vlen) {
        ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /* Check that the maximum memory doesn't exceed a size_t limits */
    if (maxmem > SIZE_MAX)
        maxmem = SIZE_MAX;

    if (Blen + Vlen > maxmem) {
        ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
        return 0;
    }

    /* If no key return to indicate parameters are OK */
    if (key == NULL)
        return 1;

    B = OPENSSL_malloc((size_t)(Blen + Vlen));
    if (B == NULL) {
        ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    X = (uint32_t *)(B + Blen);
    T = X + 32 * r;
    V = T + 32 * r;
    if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, 1, sha256,
                                  (int)Blen, B, libctx, propq) == 0)
        goto err;

    for (i = 0; i < p; i++)
        scryptROMix(B + 128 * r * i, r, N, X, T, V);

    if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, B, (int)Blen, 1, sha256,
                                  keylen, key, libctx, propq) == 0)
        goto err;
    rv = 1;
 err:
    if (rv == 0)
        ERR_raise(ERR_LIB_EVP, EVP_R_PBKDF2_ERROR);

    OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
    return rv;
}

#endif
Commit	Line	Data
cefa762e	1	/*
fecb3aae	2	* Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
cefa762e	3	*
7bb803e8	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
cefa762e JB	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stdlib.h>
5a285add	11	#include <stdarg.h>
cefa762e	12	#include <string.h>
cefa762e	13	#include <openssl/evp.h>
5a285add DM	14	#include <openssl/kdf.h>
5a285add DM	15	#include <openssl/err.h>
e3405a4a	16	#include <openssl/core_names.h>
2741128e	17	#include <openssl/proverr.h>
25f2138b	18	#include "crypto/evp.h"
5a285add	19	#include "internal/numbers.h"
af3e7e1b	20	#include "prov/implementations.h"
ddd21319	21	#include "prov/provider_ctx.h"
2b9e4e95	22	#include "prov/providercommon.h"
af3e7e1b	23	#include "prov/implementations.h"
cdcdcf5c	24	#include "prov/provider_util.h"
cefa762e	25
402f26e6 JB	26	#ifndef OPENSSL_NO_SCRYPT
402f26e6 JB	27
363b1e5d	28	static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new;
cdcdcf5c	29	static OSSL_FUNC_kdf_dupctx_fn kdf_scrypt_dup;
363b1e5d DMSP	30	static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free;
	31	static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset;
	32	static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive;
	33	static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
	34	static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params;
af5e1e85 P	35	static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
af5e1e85 P	36	static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params;
e3405a4a	37
5a285add DM	38	static int scrypt_alg(const char *pass, size_t passlen,
	39	const unsigned char *salt, size_t saltlen,
	40	uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
5ccada09	41	unsigned char key, size_t keylen, EVP_MD sha256,
b4250010	42	OSSL_LIB_CTX libctx, const char propq);
cefa762e	43
e3405a4a	44	typedef struct {
b4250010	45	OSSL_LIB_CTX *libctx;
26496f5a	46	char *propq;
cefa762e JB	47	unsigned char *pass;
	48	size_t pass_len;
	49	unsigned char *salt;
	50	size_t salt_len;
5a285add	51	uint64_t N;
e3405a4a	52	uint64_t r, p;
cefa762e	53	uint64_t maxmem_bytes;
e3405a4a P	54	EVP_MD *sha256;
e3405a4a P	55	} KDF_SCRYPT;
cefa762e	56
e3405a4a	57	static void kdf_scrypt_init(KDF_SCRYPT *ctx);
cefa762e	58
e04c2c02	59	static void kdf_scrypt_new_inner(OSSL_LIB_CTX libctx)
cefa762e	60	{
e3405a4a	61	KDF_SCRYPT *ctx;
cefa762e	62
2b9e4e95 P	63	if (!ossl_prov_is_running())
	64	return NULL;
	65
e3405a4a P	66	ctx = OPENSSL_zalloc(sizeof(*ctx));
	67	if (ctx == NULL) {
	68	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	69	return NULL;
	70	}
e04c2c02	71	ctx->libctx = libctx;
e3405a4a P	72	kdf_scrypt_init(ctx);
e3405a4a P	73	return ctx;
5a285add	74	}
cefa762e	75
e04c2c02 HL	76	static void kdf_scrypt_new(void provctx)
	77	{
	78	return kdf_scrypt_new_inner(PROV_LIBCTX_OF(provctx));
	79	}
	80
e3405a4a	81	static void kdf_scrypt_free(void *vctx)
5a285add	82	{
e3405a4a P	83	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
e3405a4a P	84
3c659415	85	if (ctx != NULL) {
26496f5a	86	OPENSSL_free(ctx->propq);
4a0a9e57	87	EVP_MD_free(ctx->sha256);
3c659415 P	88	kdf_scrypt_reset(ctx);
	89	OPENSSL_free(ctx);
	90	}
cefa762e JB	91	}
cefa762e JB	92
e3405a4a	93	static void kdf_scrypt_reset(void *vctx)
cefa762e	94	{
e3405a4a P	95	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
	96
	97	OPENSSL_free(ctx->salt);
	98	OPENSSL_clear_free(ctx->pass, ctx->pass_len);
e3405a4a	99	kdf_scrypt_init(ctx);
5a285add	100	}
cefa762e	101
cdcdcf5c P	102	static void kdf_scrypt_dup(void vctx)
	103	{
	104	const KDF_SCRYPT src = (const KDF_SCRYPT )vctx;
	105	KDF_SCRYPT *dest;
	106
e04c2c02	107	dest = kdf_scrypt_new_inner(src->libctx);
cdcdcf5c P	108	if (dest != NULL) {
	109	if (src->sha256 != NULL && !EVP_MD_up_ref(src->sha256))
	110	goto err;
	111	if (src->propq != NULL) {
	112	dest->propq = OPENSSL_strdup(src->propq);
	113	if (dest->propq == NULL)
	114	goto err;
	115	}
	116	if (!ossl_prov_memdup(src->salt, src->salt_len,
	117	&dest->salt, &dest->salt_len)
	118	\|\| !ossl_prov_memdup(src->pass, src->pass_len,
	119	&dest->pass , &dest->pass_len))
	120	goto err;
	121	dest->N = src->N;
	122	dest->r = src->r;
	123	dest->p = src->p;
	124	dest->maxmem_bytes = src->maxmem_bytes;
	125	dest->sha256 = src->sha256;
	126	}
	127	return dest;
	128
	129	err:
	130	kdf_scrypt_free(dest);
	131	return NULL;
	132	}
	133
e3405a4a	134	static void kdf_scrypt_init(KDF_SCRYPT *ctx)
5a285add DM	135	{
	136	/* Default values are the most conservative recommendation given in the
	137	* original paper of C. Percival. Derivation uses roughly 1 GiB of memory
	138	* for this parameter choice (approx. 128 * r * N * p bytes).
	139	*/
e3405a4a P	140	ctx->N = 1 << 20;
	141	ctx->r = 8;
	142	ctx->p = 1;
	143	ctx->maxmem_bytes = 1025 * 1024 * 1024;
cefa762e JB	144	}
cefa762e JB	145
5a285add	146	static int scrypt_set_membuf(unsigned char *buffer, size_t buflen,
e3405a4a	147	const OSSL_PARAM *p)
cefa762e	148	{
5a285add	149	OPENSSL_clear_free(buffer, buflen);
d2217c88 TM	150	*buffer = NULL;
	151	*buflen = 0;
	152
e3405a4a P	153	if (p->data_size == 0) {
	154	if ((*buffer = OPENSSL_malloc(1)) == NULL) {
	155	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	156	return 0;
	157	}
	158	} else if (p->data != NULL) {
e3405a4a P	159	if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
	160	return 0;
	161	}
	162	return 1;
	163	}
	164
26496f5a SL	165	static int set_digest(KDF_SCRYPT *ctx)
	166	{
	167	EVP_MD_free(ctx->sha256);
	168	ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq);
	169	if (ctx->sha256 == NULL) {
	170	OPENSSL_free(ctx);
	171	ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256);
	172	return 0;
	173	}
	174	return 1;
	175	}
	176
	177	static int set_property_query(KDF_SCRYPT ctx, const char propq)
	178	{
	179	OPENSSL_free(ctx->propq);
	180	ctx->propq = NULL;
	181	if (propq != NULL) {
	182	ctx->propq = OPENSSL_strdup(propq);
	183	if (ctx->propq == NULL) {
	184	ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
	185	return 0;
	186	}
	187	}
	188	return 1;
	189	}
	190
3469b388 P	191	static int kdf_scrypt_derive(void vctx, unsigned char key, size_t keylen,
3469b388 P	192	const OSSL_PARAM params[])
e3405a4a P	193	{
e3405a4a P	194	KDF_SCRYPT ctx = (KDF_SCRYPT )vctx;
cefa762e	195
3469b388	196	if (!ossl_prov_is_running() \|\| !kdf_scrypt_set_ctx_params(ctx, params))
2b9e4e95 P	197	return 0;
2b9e4e95 P	198
e3405a4a P	199	if (ctx->pass == NULL) {
	200	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
	201	return 0;
cefa762e	202	}
e3405a4a P	203
	204	if (ctx->salt == NULL) {
	205	ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT);
cefa762e	206	return 0;
3484236d	207	}
cefa762e	208
26496f5a SL	209	if (ctx->sha256 == NULL && !set_digest(ctx))
	210	return 0;
	211
e3405a4a P	212	return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt,
e3405a4a P	213	ctx->salt_len, ctx->N, ctx->r, ctx->p,
5ccada09	214	ctx->maxmem_bytes, key, keylen, ctx->sha256,
26496f5a	215	ctx->libctx, ctx->propq);
cefa762e JB	216	}
	217
	218	static int is_power_of_two(uint64_t value)
	219	{
	220	return (value != 0) && ((value & (value - 1)) == 0);
	221	}
	222
e3405a4a	223	static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
cefa762e	224	{
e3405a4a P	225	const OSSL_PARAM *p;
e3405a4a P	226	KDF_SCRYPT *ctx = vctx;
cefa762e	227	uint64_t u64_value;
5a285add	228
c983a0e5 P	229	if (params == NULL)
	230	return 1;
	231
e3405a4a P	232	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
e3405a4a P	233	if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
cefa762e	234	return 0;
5a285add	235
e3405a4a P	236	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL)
e3405a4a P	237	if (!scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p))
cefa762e	238	return 0;
5a285add	239
e3405a4a P	240	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_N))
	241	!= NULL) {
	242	if (!OSSL_PARAM_get_uint64(p, &u64_value)
	243	\|\| u64_value <= 1
	244	\|\| !is_power_of_two(u64_value))
cefa762e	245	return 0;
e3405a4a P	246	ctx->N = u64_value;
e3405a4a P	247	}
5a285add	248
e3405a4a P	249	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_R))
	250	!= NULL) {
	251	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	252	return 0;
	253	ctx->r = u64_value;
5a285add	254	}
5a285add	255
e3405a4a P	256	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_P))
	257	!= NULL) {
	258	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	259	return 0;
	260	ctx->p = u64_value;
	261	}
cefa762e	262
e3405a4a P	263	if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SCRYPT_MAXMEM))
	264	!= NULL) {
	265	if (!OSSL_PARAM_get_uint64(p, &u64_value) \|\| u64_value < 1)
	266	return 0;
	267	ctx->maxmem_bytes = u64_value;
cefa762e	268	}
26496f5a SL	269
	270	p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PROPERTIES);
	271	if (p != NULL) {
	272	if (p->data_type != OSSL_PARAM_UTF8_STRING
	273	\|\| !set_property_query(ctx, p->data)
	274	\|\| !set_digest(ctx))
	275	return 0;
	276	}
e3405a4a	277	return 1;
cefa762e JB	278	}
cefa762e JB	279
1e8e5c60 P	280	static const OSSL_PARAM kdf_scrypt_settable_ctx_params(ossl_unused void ctx,
1e8e5c60 P	281	ossl_unused void *p_ctx)
cefa762e	282	{
e3405a4a P	283	static const OSSL_PARAM known_settable_ctx_params[] = {
	284	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0),
	285	OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0),
	286	OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_N, NULL),
	287	OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_R, NULL),
	288	OSSL_PARAM_uint32(OSSL_KDF_PARAM_SCRYPT_P, NULL),
	289	OSSL_PARAM_uint64(OSSL_KDF_PARAM_SCRYPT_MAXMEM, NULL),
26496f5a	290	OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
e3405a4a P	291	OSSL_PARAM_END
	292	};
	293	return known_settable_ctx_params;
cefa762e JB	294	}
cefa762e JB	295
e3405a4a	296	static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[])
cefa762e	297	{
e3405a4a	298	OSSL_PARAM *p;
cefa762e	299
e3405a4a P	300	if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
e3405a4a P	301	return OSSL_PARAM_set_size_t(p, SIZE_MAX);
cefa762e JB	302	return -2;
	303	}
	304
1e8e5c60 P	305	static const OSSL_PARAM kdf_scrypt_gettable_ctx_params(ossl_unused void ctx,
1e8e5c60 P	306	ossl_unused void *p_ctx)
cefa762e	307	{
e3405a4a P	308	static const OSSL_PARAM known_gettable_ctx_params[] = {
	309	OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
	310	OSSL_PARAM_END
	311	};
	312	return known_gettable_ctx_params;
5a285add DM	313	}
5a285add DM	314
1be63951	315	const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = {
e3405a4a	316	{ OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new },
cdcdcf5c	317	{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_scrypt_dup },
e3405a4a P	318	{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free },
	319	{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset },
	320	{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive },
	321	{ OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS,
	322	(void(*)(void))kdf_scrypt_settable_ctx_params },
	323	{ OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params },
	324	{ OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS,
	325	(void(*)(void))kdf_scrypt_gettable_ctx_params },
	326	{ OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params },
	327	{ 0, NULL }
5a285add DM	328	};
	329
	330	#define R(a,b) (((a) << (b)) \| ((a) >> (32 - (b))))
	331	static void salsa208_word_specification(uint32_t inout[16])
	332	{
	333	int i;
	334	uint32_t x[16];
	335
	336	memcpy(x, inout, sizeof(x));
	337	for (i = 8; i > 0; i -= 2) {
	338	x[4] ^= R(x[0] + x[12], 7);
	339	x[8] ^= R(x[4] + x[0], 9);
	340	x[12] ^= R(x[8] + x[4], 13);
	341	x[0] ^= R(x[12] + x[8], 18);
	342	x[9] ^= R(x[5] + x[1], 7);
	343	x[13] ^= R(x[9] + x[5], 9);
	344	x[1] ^= R(x[13] + x[9], 13);
	345	x[5] ^= R(x[1] + x[13], 18);
	346	x[14] ^= R(x[10] + x[6], 7);
	347	x[2] ^= R(x[14] + x[10], 9);
	348	x[6] ^= R(x[2] + x[14], 13);
	349	x[10] ^= R(x[6] + x[2], 18);
	350	x[3] ^= R(x[15] + x[11], 7);
	351	x[7] ^= R(x[3] + x[15], 9);
	352	x[11] ^= R(x[7] + x[3], 13);
	353	x[15] ^= R(x[11] + x[7], 18);
	354	x[1] ^= R(x[0] + x[3], 7);
	355	x[2] ^= R(x[1] + x[0], 9);
	356	x[3] ^= R(x[2] + x[1], 13);
	357	x[0] ^= R(x[3] + x[2], 18);
	358	x[6] ^= R(x[5] + x[4], 7);
	359	x[7] ^= R(x[6] + x[5], 9);
	360	x[4] ^= R(x[7] + x[6], 13);
	361	x[5] ^= R(x[4] + x[7], 18);
	362	x[11] ^= R(x[10] + x[9], 7);
	363	x[8] ^= R(x[11] + x[10], 9);
	364	x[9] ^= R(x[8] + x[11], 13);
	365	x[10] ^= R(x[9] + x[8], 18);
	366	x[12] ^= R(x[15] + x[14], 7);
	367	x[13] ^= R(x[12] + x[15], 9);
	368	x[14] ^= R(x[13] + x[12], 13);
	369	x[15] ^= R(x[14] + x[13], 18);
	370	}
	371	for (i = 0; i < 16; ++i)
	372	inout[i] += x[i];
	373	OPENSSL_cleanse(x, sizeof(x));
	374	}
	375
	376	static void scryptBlockMix(uint32_t B_, uint32_t B, uint64_t r)
	377	{
	378	uint64_t i, j;
	379	uint32_t X[16], *pB;
	380
	381	memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
	382	pB = B;
	383	for (i = 0; i < r * 2; i++) {
	384	for (j = 0; j < 16; j++)
	385	X[j] ^= *pB++;
	386	salsa208_word_specification(X);
	387	memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
	388	}
	389	OPENSSL_cleanse(X, sizeof(X));
	390	}
	391
392	static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
393	uint32_t X, uint32_t T, uint32_t *V)
394	{
395	unsigned char *pB;
396	uint32_t *pV;
397	uint64_t i, k;
398
399	/* Convert from little endian input */
400	for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
401	pV = pB++;
402	pV \|= pB++ << 8;
403	pV \|= pB++ << 16;
404	pV \|= (uint32_t)pB++ << 24;
405	}
406
407	for (i = 1; i < N; i++, pV += 32 * r)
408	scryptBlockMix(pV, pV - 32 * r, r);
409
410	scryptBlockMix(X, V + (N - 1) * 32 * r, r);
411
412	for (i = 0; i < N; i++) {
413	uint32_t j;
414	j = X[16 * (2 * r - 1)] % N;
415	pV = V + 32 * r * j;
416	for (k = 0; k < 32 * r; k++)
417	T[k] = X[k] ^ *pV++;
418	scryptBlockMix(X, T, r);
419	}
420	/* Convert output to little endian */
421	for (i = 0, pB = B; i < 32 * r; i++) {
422	uint32_t xtmp = X[i];
423	*pB++ = xtmp & 0xff;
424	*pB++ = (xtmp >> 8) & 0xff;
425	*pB++ = (xtmp >> 16) & 0xff;
426	*pB++ = (xtmp >> 24) & 0xff;
427	}
cefa762e JB	428	}
cefa762e JB	429
5a285add DM	430	#ifndef SIZE_MAX
	431	# define SIZE_MAX ((size_t)-1)
	432	#endif
cefa762e	433
5a285add DM	434	/*
	435	* Maximum power of two that will fit in uint64_t: this should work on
	436	* most (all?) platforms.
	437	*/
cefa762e	438
5a285add	439	#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
cefa762e	440
5a285add DM	441	/*
	442	* Maximum value of p * r:
	443	* p <= ((2^32-1) * hLen) / MFLen =>
	444	* p <= ((2^32-1) * 32) / (128 * r) =>
	445	* p * r <= (2^30-1)
	446	*/
cefa762e	447
5a285add	448	#define SCRYPT_PR_MAX ((1 << 30) - 1)
cefa762e	449
5a285add DM	450	static int scrypt_alg(const char *pass, size_t passlen,
	451	const unsigned char *salt, size_t saltlen,
	452	uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
5ccada09	453	unsigned char key, size_t keylen, EVP_MD sha256,
b4250010	454	OSSL_LIB_CTX libctx, const char propq)
5a285add DM	455	{
	456	int rv = 0;
	457	unsigned char *B;
	458	uint32_t X, V, *T;
	459	uint64_t i, Blen, Vlen;
	460
	461	/* Sanity check parameters */
	462	/* initial check, r,p must be non zero, N >= 2 and a power of 2 */
	463	if (r == 0 \|\| p == 0 \|\| N < 2 \|\| (N & (N - 1)))
	464	return 0;
	465	/* Check p * r < SCRYPT_PR_MAX avoiding overflow */
	466	if (p > SCRYPT_PR_MAX / r) {
6debc6ab	467	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	468	return 0;
5a285add DM	469	}
cefa762e	470
5a285add DM	471	/*
	472	* Need to check N: if 2^(128 * r / 8) overflows limit this is
	473	* automatically satisfied since N <= UINT64_MAX.
	474	*/
cefa762e	475
5a285add DM	476	if (16 * r <= LOG2_UINT64_MAX) {
5a285add DM	477	if (N >= (((uint64_t)1) << (16 * r))) {
6debc6ab	478	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	479	return 0;
	480	}
	481	}
cefa762e	482
5a285add DM	483	/* Memory checks: check total allocated buffer size fits in uint64_t */
	484
	485	/*
	486	* B size in section 5 step 1.S
	487	* Note: we know p * 128 * r < UINT64_MAX because we already checked
	488	* p * r < SCRYPT_PR_MAX
	489	*/
	490	Blen = p * 128 * r;
	491	/*
	492	* Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
	493	* have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
	494	*/
	495	if (Blen > INT_MAX) {
6debc6ab	496	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	497	return 0;
	498	}
	499
	500	/*
	501	* Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
	502	* This is combined size V, X and T (section 4)
	503	*/
	504	i = UINT64_MAX / (32 * sizeof(uint32_t));
	505	if (N + 2 > i / r) {
6debc6ab	506	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	507	return 0;
	508	}
	509	Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
	510
	511	/* check total allocated size fits in uint64_t */
	512	if (Blen > UINT64_MAX - Vlen) {
6debc6ab	513	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	514	return 0;
	515	}
	516
	517	/* Check that the maximum memory doesn't exceed a size_t limits */
	518	if (maxmem > SIZE_MAX)
	519	maxmem = SIZE_MAX;
	520
	521	if (Blen + Vlen > maxmem) {
6debc6ab	522	ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
5a285add DM	523	return 0;
	524	}
	525
	526	/* If no key return to indicate parameters are OK */
	527	if (key == NULL)
	528	return 1;
	529
	530	B = OPENSSL_malloc((size_t)(Blen + Vlen));
	531	if (B == NULL) {
6debc6ab	532	ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
5a285add DM	533	return 0;
	534	}
	535	X = (uint32_t *)(B + Blen);
	536	T = X + 32 * r;
	537	V = T + 32 * r;
4e17fb00 SL	538	if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, 1, sha256,
4e17fb00 SL	539	(int)Blen, B, libctx, propq) == 0)
5a285add DM	540	goto err;
	541
	542	for (i = 0; i < p; i++)
	543	scryptROMix(B + 128 * r * i, r, N, X, T, V);
	544
4e17fb00 SL	545	if (ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, B, (int)Blen, 1, sha256,
4e17fb00 SL	546	keylen, key, libctx, propq) == 0)
5a285add DM	547	goto err;
	548	rv = 1;
	549	err:
	550	if (rv == 0)
6debc6ab	551	ERR_raise(ERR_LIB_EVP, EVP_R_PBKDF2_ERROR);
5a285add DM	552
	553	OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
	554	return rv;
	555	}
402f26e6 JB	556
402f26e6 JB	557	#endif