[331] | 1 | /*
|
---|
| 2 | * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stddef.h>
|
---|
| 11 | #include <stdio.h>
|
---|
| 12 | #include <string.h>
|
---|
| 13 | #include <openssl/evp.h>
|
---|
| 14 | #include <openssl/err.h>
|
---|
| 15 | #include <internal/numbers.h>
|
---|
| 16 |
|
---|
| 17 | #ifndef OPENSSL_NO_SCRYPT
|
---|
| 18 |
|
---|
| 19 | #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
|
---|
| 20 | static void salsa208_word_specification(uint32_t inout[16])
|
---|
| 21 | {
|
---|
| 22 | int i;
|
---|
| 23 | uint32_t x[16];
|
---|
| 24 | memcpy(x, inout, sizeof(x));
|
---|
| 25 | for (i = 8; i > 0; i -= 2) {
|
---|
| 26 | x[4] ^= R(x[0] + x[12], 7);
|
---|
| 27 | x[8] ^= R(x[4] + x[0], 9);
|
---|
| 28 | x[12] ^= R(x[8] + x[4], 13);
|
---|
| 29 | x[0] ^= R(x[12] + x[8], 18);
|
---|
| 30 | x[9] ^= R(x[5] + x[1], 7);
|
---|
| 31 | x[13] ^= R(x[9] + x[5], 9);
|
---|
| 32 | x[1] ^= R(x[13] + x[9], 13);
|
---|
| 33 | x[5] ^= R(x[1] + x[13], 18);
|
---|
| 34 | x[14] ^= R(x[10] + x[6], 7);
|
---|
| 35 | x[2] ^= R(x[14] + x[10], 9);
|
---|
| 36 | x[6] ^= R(x[2] + x[14], 13);
|
---|
| 37 | x[10] ^= R(x[6] + x[2], 18);
|
---|
| 38 | x[3] ^= R(x[15] + x[11], 7);
|
---|
| 39 | x[7] ^= R(x[3] + x[15], 9);
|
---|
| 40 | x[11] ^= R(x[7] + x[3], 13);
|
---|
| 41 | x[15] ^= R(x[11] + x[7], 18);
|
---|
| 42 | x[1] ^= R(x[0] + x[3], 7);
|
---|
| 43 | x[2] ^= R(x[1] + x[0], 9);
|
---|
| 44 | x[3] ^= R(x[2] + x[1], 13);
|
---|
| 45 | x[0] ^= R(x[3] + x[2], 18);
|
---|
| 46 | x[6] ^= R(x[5] + x[4], 7);
|
---|
| 47 | x[7] ^= R(x[6] + x[5], 9);
|
---|
| 48 | x[4] ^= R(x[7] + x[6], 13);
|
---|
| 49 | x[5] ^= R(x[4] + x[7], 18);
|
---|
| 50 | x[11] ^= R(x[10] + x[9], 7);
|
---|
| 51 | x[8] ^= R(x[11] + x[10], 9);
|
---|
| 52 | x[9] ^= R(x[8] + x[11], 13);
|
---|
| 53 | x[10] ^= R(x[9] + x[8], 18);
|
---|
| 54 | x[12] ^= R(x[15] + x[14], 7);
|
---|
| 55 | x[13] ^= R(x[12] + x[15], 9);
|
---|
| 56 | x[14] ^= R(x[13] + x[12], 13);
|
---|
| 57 | x[15] ^= R(x[14] + x[13], 18);
|
---|
| 58 | }
|
---|
| 59 | for (i = 0; i < 16; ++i)
|
---|
| 60 | inout[i] += x[i];
|
---|
| 61 | OPENSSL_cleanse(x, sizeof(x));
|
---|
| 62 | }
|
---|
| 63 |
|
---|
| 64 | static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
|
---|
| 65 | {
|
---|
| 66 | uint64_t i, j;
|
---|
| 67 | uint32_t X[16], *pB;
|
---|
| 68 |
|
---|
| 69 | memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
|
---|
| 70 | pB = B;
|
---|
| 71 | for (i = 0; i < r * 2; i++) {
|
---|
| 72 | for (j = 0; j < 16; j++)
|
---|
| 73 | X[j] ^= *pB++;
|
---|
| 74 | salsa208_word_specification(X);
|
---|
| 75 | memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
|
---|
| 76 | }
|
---|
| 77 | OPENSSL_cleanse(X, sizeof(X));
|
---|
| 78 | }
|
---|
| 79 |
|
---|
| 80 | static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
|
---|
| 81 | uint32_t *X, uint32_t *T, uint32_t *V)
|
---|
| 82 | {
|
---|
| 83 | unsigned char *pB;
|
---|
| 84 | uint32_t *pV;
|
---|
| 85 | uint64_t i, k;
|
---|
| 86 |
|
---|
| 87 | /* Convert from little endian input */
|
---|
| 88 | for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
|
---|
| 89 | *pV = *pB++;
|
---|
| 90 | *pV |= *pB++ << 8;
|
---|
| 91 | *pV |= *pB++ << 16;
|
---|
| 92 | *pV |= (uint32_t)*pB++ << 24;
|
---|
| 93 | }
|
---|
| 94 |
|
---|
| 95 | for (i = 1; i < N; i++, pV += 32 * r)
|
---|
| 96 | scryptBlockMix(pV, pV - 32 * r, r);
|
---|
| 97 |
|
---|
| 98 | scryptBlockMix(X, V + (N - 1) * 32 * r, r);
|
---|
| 99 |
|
---|
| 100 | for (i = 0; i < N; i++) {
|
---|
| 101 | uint32_t j;
|
---|
| 102 | j = X[16 * (2 * r - 1)] % N;
|
---|
| 103 | pV = V + 32 * r * j;
|
---|
| 104 | for (k = 0; k < 32 * r; k++)
|
---|
| 105 | T[k] = X[k] ^ *pV++;
|
---|
| 106 | scryptBlockMix(X, T, r);
|
---|
| 107 | }
|
---|
| 108 | /* Convert output to little endian */
|
---|
| 109 | for (i = 0, pB = B; i < 32 * r; i++) {
|
---|
| 110 | uint32_t xtmp = X[i];
|
---|
| 111 | *pB++ = xtmp & 0xff;
|
---|
| 112 | *pB++ = (xtmp >> 8) & 0xff;
|
---|
| 113 | *pB++ = (xtmp >> 16) & 0xff;
|
---|
| 114 | *pB++ = (xtmp >> 24) & 0xff;
|
---|
| 115 | }
|
---|
| 116 | }
|
---|
| 117 |
|
---|
| 118 | #ifndef SIZE_MAX
|
---|
| 119 | # define SIZE_MAX ((size_t)-1)
|
---|
| 120 | #endif
|
---|
| 121 |
|
---|
| 122 | /*
|
---|
| 123 | * Maximum power of two that will fit in uint64_t: this should work on
|
---|
| 124 | * most (all?) platforms.
|
---|
| 125 | */
|
---|
| 126 |
|
---|
| 127 | #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1)
|
---|
| 128 |
|
---|
| 129 | /*
|
---|
| 130 | * Maximum value of p * r:
|
---|
| 131 | * p <= ((2^32-1) * hLen) / MFLen =>
|
---|
| 132 | * p <= ((2^32-1) * 32) / (128 * r) =>
|
---|
| 133 | * p * r <= (2^30-1)
|
---|
| 134 | *
|
---|
| 135 | */
|
---|
| 136 |
|
---|
| 137 | #define SCRYPT_PR_MAX ((1 << 30) - 1)
|
---|
| 138 |
|
---|
| 139 | /*
|
---|
| 140 | * Maximum permitted memory allow this to be overridden with Configuration
|
---|
| 141 | * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.
|
---|
| 142 | */
|
---|
| 143 |
|
---|
| 144 | #ifdef SCRYPT_MAX_MEM
|
---|
| 145 | # if SCRYPT_MAX_MEM == 0
|
---|
| 146 | # undef SCRYPT_MAX_MEM
|
---|
| 147 | /*
|
---|
| 148 | * Although we could theoretically allocate SIZE_MAX memory that would leave
|
---|
| 149 | * no memory available for anything else so set limit as half that.
|
---|
| 150 | */
|
---|
| 151 | # define SCRYPT_MAX_MEM (SIZE_MAX/2)
|
---|
| 152 | # endif
|
---|
| 153 | #else
|
---|
| 154 | /* Default memory limit: 32 MB */
|
---|
| 155 | # define SCRYPT_MAX_MEM (1024 * 1024 * 32)
|
---|
| 156 | #endif
|
---|
| 157 |
|
---|
| 158 | int EVP_PBE_scrypt(const char *pass, size_t passlen,
|
---|
| 159 | const unsigned char *salt, size_t saltlen,
|
---|
| 160 | uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
|
---|
| 161 | unsigned char *key, size_t keylen)
|
---|
| 162 | {
|
---|
| 163 | int rv = 0;
|
---|
| 164 | unsigned char *B;
|
---|
| 165 | uint32_t *X, *V, *T;
|
---|
| 166 | uint64_t i, Blen, Vlen;
|
---|
| 167 | size_t allocsize;
|
---|
| 168 |
|
---|
| 169 | /* Sanity check parameters */
|
---|
| 170 | /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
|
---|
| 171 | if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
|
---|
| 172 | return 0;
|
---|
| 173 | /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
|
---|
| 174 | if (p > SCRYPT_PR_MAX / r)
|
---|
| 175 | return 0;
|
---|
| 176 |
|
---|
| 177 | /*
|
---|
| 178 | * Need to check N: if 2^(128 * r / 8) overflows limit this is
|
---|
| 179 | * automatically satisfied since N <= UINT64_MAX.
|
---|
| 180 | */
|
---|
| 181 |
|
---|
| 182 | if (16 * r <= LOG2_UINT64_MAX) {
|
---|
| 183 | if (N >= (((uint64_t)1) << (16 * r)))
|
---|
| 184 | return 0;
|
---|
| 185 | }
|
---|
| 186 |
|
---|
| 187 | /* Memory checks: check total allocated buffer size fits in uint64_t */
|
---|
| 188 |
|
---|
| 189 | /*
|
---|
| 190 | * B size in section 5 step 1.S
|
---|
| 191 | * Note: we know p * 128 * r < UINT64_MAX because we already checked
|
---|
| 192 | * p * r < SCRYPT_PR_MAX
|
---|
| 193 | */
|
---|
| 194 | Blen = p * 128 * r;
|
---|
| 195 |
|
---|
| 196 | /*
|
---|
| 197 | * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in
|
---|
| 198 | * uint64_t and also size_t (their sizes are unrelated).
|
---|
| 199 | * This is combined size V, X and T (section 4)
|
---|
| 200 | */
|
---|
| 201 | i = UINT64_MAX / (32 * sizeof(uint32_t));
|
---|
| 202 | if (N + 2 > i / r)
|
---|
| 203 | return 0;
|
---|
| 204 | Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
|
---|
| 205 |
|
---|
| 206 | /* check total allocated size fits in uint64_t */
|
---|
| 207 | if (Blen > UINT64_MAX - Vlen)
|
---|
| 208 | return 0;
|
---|
| 209 | /* check total allocated size fits in size_t */
|
---|
| 210 | if (Blen > SIZE_MAX - Vlen)
|
---|
| 211 | return 0;
|
---|
| 212 |
|
---|
| 213 | allocsize = (size_t)(Blen + Vlen);
|
---|
| 214 |
|
---|
| 215 | if (maxmem == 0)
|
---|
| 216 | maxmem = SCRYPT_MAX_MEM;
|
---|
| 217 |
|
---|
| 218 | if (allocsize > maxmem) {
|
---|
| 219 | EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
|
---|
| 220 | return 0;
|
---|
| 221 | }
|
---|
| 222 |
|
---|
| 223 | /* If no key return to indicate parameters are OK */
|
---|
| 224 | if (key == NULL)
|
---|
| 225 | return 1;
|
---|
| 226 |
|
---|
| 227 | B = OPENSSL_malloc(allocsize);
|
---|
| 228 | if (B == NULL)
|
---|
| 229 | return 0;
|
---|
| 230 | X = (uint32_t *)(B + Blen);
|
---|
| 231 | T = X + 32 * r;
|
---|
| 232 | V = T + 32 * r;
|
---|
| 233 | if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
|
---|
| 234 | Blen, B) == 0)
|
---|
| 235 | goto err;
|
---|
| 236 |
|
---|
| 237 | for (i = 0; i < p; i++)
|
---|
| 238 | scryptROMix(B + 128 * r * i, r, N, X, T, V);
|
---|
| 239 |
|
---|
| 240 | if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, EVP_sha256(),
|
---|
| 241 | keylen, key) == 0)
|
---|
| 242 | goto err;
|
---|
| 243 | rv = 1;
|
---|
| 244 | err:
|
---|
| 245 | OPENSSL_clear_free(B, allocsize);
|
---|
| 246 | return rv;
|
---|
| 247 | }
|
---|
| 248 | #endif
|
---|