2 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/hmac.h>
13 #include <openssl/kdf.h>
14 #include <openssl/evp.h>
15 #include "internal/cryptlib.h"
16 #include "internal/evp_int.h"
18 #ifndef OPENSSL_NO_SCRYPT
20 static int atou64(const char *nptr
, uint64_t *result
);
28 uint64_t maxmem_bytes
;
31 /* Custom uint64_t parser since we do not have strtoull */
32 static int atou64(const char *nptr
, uint64_t *result
)
40 if ((*nptr
< '0') || (*nptr
> '9')) {
43 digit
= (unsigned int)(*nptr
- '0');
44 new_value
= (value
* 10) + digit
;
45 if ((new_value
< digit
) || ((new_value
- digit
) / 10 != value
)) {
56 static int pkey_scrypt_init(EVP_PKEY_CTX
*ctx
)
58 SCRYPT_PKEY_CTX
*kctx
;
60 kctx
= OPENSSL_zalloc(sizeof(*kctx
));
62 KDFerr(KDF_F_PKEY_SCRYPT_INIT
, ERR_R_MALLOC_FAILURE
);
66 /* Default values are the most conservative recommendation given in the
67 * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
68 * for this parameter choice (approx. 128 * r * (N + p) bytes).
73 kctx
->maxmem_bytes
= 1025 * 1024 * 1024;
80 static void pkey_scrypt_cleanup(EVP_PKEY_CTX
*ctx
)
82 SCRYPT_PKEY_CTX
*kctx
= ctx
->data
;
84 OPENSSL_clear_free(kctx
->salt
, kctx
->salt_len
);
85 OPENSSL_clear_free(kctx
->pass
, kctx
->pass_len
);
89 static int pkey_scrypt_set_membuf(unsigned char **buffer
, size_t *buflen
,
90 const unsigned char *new_buffer
,
93 if (new_buffer
== NULL
)
100 OPENSSL_clear_free(*buffer
, *buflen
);
102 if (new_buflen
> 0) {
103 *buffer
= OPENSSL_memdup(new_buffer
, new_buflen
);
105 *buffer
= OPENSSL_malloc(1);
107 if (*buffer
== NULL
) {
108 KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF
, ERR_R_MALLOC_FAILURE
);
112 *buflen
= new_buflen
;
116 static int is_power_of_two(uint64_t value
)
118 return (value
!= 0) && ((value
& (value
- 1)) == 0);
121 static int pkey_scrypt_ctrl(EVP_PKEY_CTX
*ctx
, int type
, int p1
, void *p2
)
123 SCRYPT_PKEY_CTX
*kctx
= ctx
->data
;
127 case EVP_PKEY_CTRL_PASS
:
128 return pkey_scrypt_set_membuf(&kctx
->pass
, &kctx
->pass_len
, p2
, p1
);
130 case EVP_PKEY_CTRL_SCRYPT_SALT
:
131 return pkey_scrypt_set_membuf(&kctx
->salt
, &kctx
->salt_len
, p2
, p1
);
133 case EVP_PKEY_CTRL_SCRYPT_N
:
134 u64_value
= *((uint64_t *)p2
);
135 if ((u64_value
<= 1) || !is_power_of_two(u64_value
))
140 case EVP_PKEY_CTRL_SCRYPT_R
:
141 u64_value
= *((uint64_t *)p2
);
147 case EVP_PKEY_CTRL_SCRYPT_P
:
148 u64_value
= *((uint64_t *)p2
);
154 case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES
:
155 u64_value
= *((uint64_t *)p2
);
158 kctx
->maxmem_bytes
= u64_value
;
167 static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX
*ctx
, int type
,
172 if (!atou64(value
, &int_value
)) {
173 KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64
, KDF_R_VALUE_ERROR
);
176 return pkey_scrypt_ctrl(ctx
, type
, 0, &int_value
);
179 static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX
*ctx
, const char *type
,
183 KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR
, KDF_R_VALUE_MISSING
);
187 if (strcmp(type
, "pass") == 0)
188 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_PASS
, value
);
190 if (strcmp(type
, "hexpass") == 0)
191 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_PASS
, value
);
193 if (strcmp(type
, "salt") == 0)
194 return EVP_PKEY_CTX_str2ctrl(ctx
, EVP_PKEY_CTRL_SCRYPT_SALT
, value
);
196 if (strcmp(type
, "hexsalt") == 0)
197 return EVP_PKEY_CTX_hex2ctrl(ctx
, EVP_PKEY_CTRL_SCRYPT_SALT
, value
);
199 if (strcmp(type
, "N") == 0)
200 return pkey_scrypt_ctrl_uint64(ctx
, EVP_PKEY_CTRL_SCRYPT_N
, value
);
202 if (strcmp(type
, "r") == 0)
203 return pkey_scrypt_ctrl_uint64(ctx
, EVP_PKEY_CTRL_SCRYPT_R
, value
);
205 if (strcmp(type
, "p") == 0)
206 return pkey_scrypt_ctrl_uint64(ctx
, EVP_PKEY_CTRL_SCRYPT_P
, value
);
208 if (strcmp(type
, "maxmem_bytes") == 0)
209 return pkey_scrypt_ctrl_uint64(ctx
, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES
,
212 KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR
, KDF_R_UNKNOWN_PARAMETER_TYPE
);
216 static int pkey_scrypt_derive(EVP_PKEY_CTX
*ctx
, unsigned char *key
,
219 SCRYPT_PKEY_CTX
*kctx
= ctx
->data
;
221 if (kctx
->pass
== NULL
) {
222 KDFerr(KDF_F_PKEY_SCRYPT_DERIVE
, KDF_R_MISSING_PASS
);
226 if (kctx
->salt
== NULL
) {
227 KDFerr(KDF_F_PKEY_SCRYPT_DERIVE
, KDF_R_MISSING_SALT
);
231 return EVP_PBE_scrypt((char *)kctx
->pass
, kctx
->pass_len
, kctx
->salt
,
232 kctx
->salt_len
, kctx
->N
, kctx
->r
, kctx
->p
,
233 kctx
->maxmem_bytes
, key
, *keylen
);
236 const EVP_PKEY_METHOD scrypt_pkey_meth
= {