1 /* 2 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stddef.h> 11 #include <stdio.h> 12 #include <string.h> 13 #include <openssl/evp.h> 14 #include <openssl/err.h> 15 #include "internal/numbers.h" 16 17 #ifndef OPENSSL_NO_SCRYPT 18 19 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) 20 static void salsa208_word_specification(uint32_t inout[16]) 21 { 22 int i; 23 uint32_t x[16]; 24 memcpy(x, inout, sizeof(x)); 25 for (i = 8; i > 0; i -= 2) { 26 x[4] ^= R(x[0] + x[12], 7); 27 x[8] ^= R(x[4] + x[0], 9); 28 x[12] ^= R(x[8] + x[4], 13); 29 x[0] ^= R(x[12] + x[8], 18); 30 x[9] ^= R(x[5] + x[1], 7); 31 x[13] ^= R(x[9] + x[5], 9); 32 x[1] ^= R(x[13] + x[9], 13); 33 x[5] ^= R(x[1] + x[13], 18); 34 x[14] ^= R(x[10] + x[6], 7); 35 x[2] ^= R(x[14] + x[10], 9); 36 x[6] ^= R(x[2] + x[14], 13); 37 x[10] ^= R(x[6] + x[2], 18); 38 x[3] ^= R(x[15] + x[11], 7); 39 x[7] ^= R(x[3] + x[15], 9); 40 x[11] ^= R(x[7] + x[3], 13); 41 x[15] ^= R(x[11] + x[7], 18); 42 x[1] ^= R(x[0] + x[3], 7); 43 x[2] ^= R(x[1] + x[0], 9); 44 x[3] ^= R(x[2] + x[1], 13); 45 x[0] ^= R(x[3] + x[2], 18); 46 x[6] ^= R(x[5] + x[4], 7); 47 x[7] ^= R(x[6] + x[5], 9); 48 x[4] ^= R(x[7] + x[6], 13); 49 x[5] ^= R(x[4] + x[7], 18); 50 x[11] ^= R(x[10] + x[9], 7); 51 x[8] ^= R(x[11] + x[10], 9); 52 x[9] ^= R(x[8] + x[11], 13); 53 x[10] ^= R(x[9] + x[8], 18); 54 x[12] ^= R(x[15] + x[14], 7); 55 x[13] ^= R(x[12] + x[15], 9); 56 x[14] ^= R(x[13] + x[12], 13); 57 x[15] ^= R(x[14] + x[13], 18); 58 } 59 for (i = 0; i < 16; ++i) 60 inout[i] += x[i]; 61 OPENSSL_cleanse(x, sizeof(x)); 62 } 63 64 static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) 65 { 66 uint64_t i, j; 67 uint32_t X[16], *pB; 68 69 memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); 70 pB = B; 71 for (i = 0; i < r * 2; i++) { 72 for (j = 0; j < 16; j++) 73 X[j] ^= *pB++; 74 salsa208_word_specification(X); 75 memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); 76 } 77 OPENSSL_cleanse(X, sizeof(X)); 78 } 79 80 static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, 81 uint32_t *X, uint32_t *T, uint32_t *V) 82 { 83 unsigned char *pB; 84 uint32_t *pV; 85 uint64_t i, k; 86 87 /* Convert from little endian input */ 88 for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { 89 *pV = *pB++; 90 *pV |= *pB++ << 8; 91 *pV |= *pB++ << 16; 92 *pV |= (uint32_t)*pB++ << 24; 93 } 94 95 for (i = 1; i < N; i++, pV += 32 * r) 96 scryptBlockMix(pV, pV - 32 * r, r); 97 98 scryptBlockMix(X, V + (N - 1) * 32 * r, r); 99 100 for (i = 0; i < N; i++) { 101 uint32_t j; 102 j = X[16 * (2 * r - 1)] % N; 103 pV = V + 32 * r * j; 104 for (k = 0; k < 32 * r; k++) 105 T[k] = X[k] ^ *pV++; 106 scryptBlockMix(X, T, r); 107 } 108 /* Convert output to little endian */ 109 for (i = 0, pB = B; i < 32 * r; i++) { 110 uint32_t xtmp = X[i]; 111 *pB++ = xtmp & 0xff; 112 *pB++ = (xtmp >> 8) & 0xff; 113 *pB++ = (xtmp >> 16) & 0xff; 114 *pB++ = (xtmp >> 24) & 0xff; 115 } 116 } 117 118 #ifndef SIZE_MAX 119 # define SIZE_MAX ((size_t)-1) 120 #endif 121 122 /* 123 * Maximum power of two that will fit in uint64_t: this should work on 124 * most (all?) platforms. 125 */ 126 127 #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) 128 129 /* 130 * Maximum value of p * r: 131 * p <= ((2^32-1) * hLen) / MFLen => 132 * p <= ((2^32-1) * 32) / (128 * r) => 133 * p * r <= (2^30-1) 134 * 135 */ 136 137 #define SCRYPT_PR_MAX ((1 << 30) - 1) 138 139 /* 140 * Maximum permitted memory allow this to be overridden with Configuration 141 * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible. 142 */ 143 144 #ifdef SCRYPT_MAX_MEM 145 # if SCRYPT_MAX_MEM == 0 146 # undef SCRYPT_MAX_MEM 147 /* 148 * Although we could theoretically allocate SIZE_MAX memory that would leave 149 * no memory available for anything else so set limit as half that. 150 */ 151 # define SCRYPT_MAX_MEM (SIZE_MAX/2) 152 # endif 153 #else 154 /* Default memory limit: 32 MB */ 155 # define SCRYPT_MAX_MEM (1024 * 1024 * 32) 156 #endif 157 158 int EVP_PBE_scrypt(const char *pass, size_t passlen, 159 const unsigned char *salt, size_t saltlen, 160 uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, 161 unsigned char *key, size_t keylen) 162 { 163 int rv = 0; 164 unsigned char *B; 165 uint32_t *X, *V, *T; 166 uint64_t i, Blen, Vlen; 167 168 /* Sanity check parameters */ 169 /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ 170 if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) 171 return 0; 172 /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ 173 if (p > SCRYPT_PR_MAX / r) { 174 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 175 return 0; 176 } 177 178 /* 179 * Need to check N: if 2^(128 * r / 8) overflows limit this is 180 * automatically satisfied since N <= UINT64_MAX. 181 */ 182 183 if (16 * r <= LOG2_UINT64_MAX) { 184 if (N >= (((uint64_t)1) << (16 * r))) { 185 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 186 return 0; 187 } 188 } 189 190 /* Memory checks: check total allocated buffer size fits in uint64_t */ 191 192 /* 193 * B size in section 5 step 1.S 194 * Note: we know p * 128 * r < UINT64_MAX because we already checked 195 * p * r < SCRYPT_PR_MAX 196 */ 197 Blen = p * 128 * r; 198 /* 199 * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would 200 * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] 201 */ 202 if (Blen > INT_MAX) { 203 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 204 return 0; 205 } 206 207 /* 208 * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t 209 * This is combined size V, X and T (section 4) 210 */ 211 i = UINT64_MAX / (32 * sizeof(uint32_t)); 212 if (N + 2 > i / r) { 213 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 214 return 0; 215 } 216 Vlen = 32 * r * (N + 2) * sizeof(uint32_t); 217 218 /* check total allocated size fits in uint64_t */ 219 if (Blen > UINT64_MAX - Vlen) { 220 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 221 return 0; 222 } 223 224 if (maxmem == 0) 225 maxmem = SCRYPT_MAX_MEM; 226 227 /* Check that the maximum memory doesn't exceed a size_t limits */ 228 if (maxmem > SIZE_MAX) 229 maxmem = SIZE_MAX; 230 231 if (Blen + Vlen > maxmem) { 232 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); 233 return 0; 234 } 235 236 /* If no key return to indicate parameters are OK */ 237 if (key == NULL) 238 return 1; 239 240 B = OPENSSL_malloc((size_t)(Blen + Vlen)); 241 if (B == NULL) { 242 EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); 243 return 0; 244 } 245 X = (uint32_t *)(B + Blen); 246 T = X + 32 * r; 247 V = T + 32 * r; 248 if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), 249 (int)Blen, B) == 0) 250 goto err; 251 252 for (i = 0; i < p; i++) 253 scryptROMix(B + 128 * r * i, r, N, X, T, V); 254 255 if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), 256 keylen, key) == 0) 257 goto err; 258 rv = 1; 259 err: 260 if (rv == 0) 261 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); 262 263 OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); 264 return rv; 265 } 266 #endif 267