/* Generates an key derived from a password and salt using a memory hard * algorithm. * Implements RFC 7914: scrypt PBKDF. * * output The derived key. * passwd The password to derive key from. * passLen The length of the password. * salt The key specific data. * saltLen The length of the salt data. * cost The CPU/memory cost parameter. Range: 1..(128*r/8-1) * (Iterations = 2^cost) * blockSize The number of 128 byte octets in a working block. * parallel The number of parallel mix operations to perform. * (Note: this implementation does not use threads.) * dkLen The length of the derived key in bytes. * returns BAD_FUNC_ARG when: parallel not 1, blockSize is too large for cost. */ int wc_scrypt(byte* output, const byte* passwd, int passLen, const byte* salt, int saltLen, int cost, int blockSize, int parallel, int dkLen) { int ret = 0; int i; byte* v = NULL; byte* y = NULL; byte* blocks = NULL; word32 blocksSz; word32 bSz; if (blockSize > 8) return BAD_FUNC_ARG; if (cost < 1 || cost >= 128 * blockSize / 8) return BAD_FUNC_ARG; bSz = 128 * blockSize; blocksSz = bSz * parallel; blocks = XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (blocks == NULL) goto end; /* Temporary for scryptROMix. */ v = XMALLOC((1 << cost) * bSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (v == NULL) goto end; /* Temporary for scryptBlockMix. */ y = XMALLOC(blockSize * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (y == NULL) goto end; /* Step 1. */ ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, blocksSz, SHA256); if (ret != 0) goto end; /* Step 2. */ for (i = 0; i < parallel; i++) scryptROMix(blocks + i * bSz, v, y, blockSize, 1 << cost); /* Step 3. */ ret = wc_PBKDF2(output, passwd, passLen, blocks, blocksSz, 1, dkLen, SHA256); end: if (blocks != NULL) XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (v != NULL) XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (y != NULL) XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret; }
int EVP_PBE_scrypt(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r, uint64_t p, size_t max_mem, uint8_t *out_key, size_t key_len) { if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r || // |N| must be a power of two. N < 2 || (N & (N - 1)) || // We only support |N| <= 2^32 in |scryptROMix|. N > UINT64_C(1) << 32 || // Check that |N| < 2^(128×r / 8). (16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS); return 0; } // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N| // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s. if (max_mem == 0) { max_mem = SCRYPT_MAX_MEM; } size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t)); if (max_scrypt_blocks < p + 1 || max_scrypt_blocks - p - 1 < N) { OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which // is no bigger than uint64_t, so none of these operations may overflow. OPENSSL_COMPILE_ASSERT(UINT64_MAX >= ((size_t)-1), size_t_exceeds_u64); size_t B_blocks = p * 2 * r; size_t B_bytes = B_blocks * sizeof(block_t); size_t T_blocks = 2 * r; size_t V_blocks = N * 2 * r; block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t)); if (B == NULL) { OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE); return 0; } int ret = 0; block_t *T = B + B_blocks; block_t *V = T + T_blocks; // NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure // or |iterations| of 0 (we pass 1 here). This is consistent with // the documented failure conditions of EVP_PBE_scrypt. if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1, EVP_sha256(), B_bytes, (uint8_t *)B)) { goto err; } for (uint64_t i = 0; i < p; i++) { scryptROMix(B + 2 * r * i, r, N, T, V); } if (!PKCS5_PBKDF2_HMAC(password, password_len, (const uint8_t *)B, B_bytes, 1, EVP_sha256(), key_len, out_key)) { goto err; } ret = 1; err: OPENSSL_free(B); return ret; }
int EVP_PBE_scrypt(const char *pass, size_t passlen, const unsigned char *salt, size_t saltlen, uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, unsigned char *key, size_t keylen) { int rv = 0; unsigned char *B; uint32_t *X, *V, *T; uint64_t i, Blen, Vlen; /* Sanity check parameters */ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) return 0; /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ if (p > SCRYPT_PR_MAX / r) return 0; /* * Need to check N: if 2^(128 * r / 8) overflows limit this is * automatically satisfied since N <= UINT64_MAX. */ if (16 * r <= LOG2_UINT64_MAX) { if (N >= (1UL << (16 * r))) return 0; } /* Memory checks: check total allocated buffer size fits in uint64_t */ /* * B size in section 5 step 1.S * Note: we know p * 128 * r < UINT64_MAX because we already checked * p * r < SCRYPT_PR_MAX */ Blen = p * 128 * r; /* * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t. * This is combined size V, X and T (section 4) */ i = UINT64_MAX / (32 * sizeof(uint32_t)); if (N + 2 > i / r) return 0; Vlen = 32 * r * (N + 2) * sizeof(uint32_t); /* check total allocated size fits in uint64_t */ if (Blen > UINT64_MAX - Vlen) return 0; if (maxmem == 0) maxmem = SCRYPT_MAX_MEM; if (Blen + Vlen > maxmem) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } /* If no key return to indicate parameters are OK */ if (key == NULL) return 1; B = OPENSSL_malloc(Blen + Vlen); if (B == NULL) return 0; X = (uint32_t *)(B + Blen); T = X + 32 * r; V = T + 32 * r; if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), Blen, B) == 0) goto err; for (i = 0; i < p; i++) scryptROMix(B + 128 * r * i, r, N, X, T, V); if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, EVP_sha256(), keylen, key) == 0) goto err; rv = 1; #ifdef SCRYPT_DEBUG fprintf(stderr, "scrypt parameters:\n"); fprintf(stderr, "N=%lu, p=%lu, r=%lu\n", N, p, r); fprintf(stderr, "Salt:\n"); BIO_dump_fp(stderr, (char *)salt, saltlen); fprintf(stderr, "Password:\n"); BIO_dump_fp(stderr, (char *)pass, passlen); fprintf(stderr, "Key:\n"); BIO_dump_fp(stderr, (char *)key, keylen); #endif err: OPENSSL_clear_free(B, Blen + Vlen); return rv; }
int EVP_PBE_scrypt(const char *pass, size_t passlen, const unsigned char *salt, size_t saltlen, uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, unsigned char *key, size_t keylen) { int rv = 0; unsigned char *B; uint32_t *X, *V, *T; uint64_t i, Blen, Vlen; /* Sanity check parameters */ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) return 0; /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ if (p > SCRYPT_PR_MAX / r) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } /* * Need to check N: if 2^(128 * r / 8) overflows limit this is * automatically satisfied since N <= UINT64_MAX. */ if (16 * r <= LOG2_UINT64_MAX) { if (N >= (((uint64_t)1) << (16 * r))) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } } /* Memory checks: check total allocated buffer size fits in uint64_t */ /* * B size in section 5 step 1.S * Note: we know p * 128 * r < UINT64_MAX because we already checked * p * r < SCRYPT_PR_MAX */ Blen = p * 128 * r; /* * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] */ if (Blen > INT_MAX) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } /* * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t * This is combined size V, X and T (section 4) */ i = UINT64_MAX / (32 * sizeof(uint32_t)); if (N + 2 > i / r) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } Vlen = 32 * r * (N + 2) * sizeof(uint32_t); /* check total allocated size fits in uint64_t */ if (Blen > UINT64_MAX - Vlen) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } if (maxmem == 0) maxmem = SCRYPT_MAX_MEM; /* Check that the maximum memory doesn't exceed a size_t limits */ if (maxmem > SIZE_MAX) maxmem = SIZE_MAX; if (Blen + Vlen > maxmem) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } /* If no key return to indicate parameters are OK */ if (key == NULL) return 1; B = OPENSSL_malloc((size_t)(Blen + Vlen)); if (B == NULL) { EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); return 0; } X = (uint32_t *)(B + Blen); T = X + 32 * r; V = T + 32 * r; if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), (int)Blen, B) == 0) goto err; for (i = 0; i < p; i++) scryptROMix(B + 128 * r * i, r, N, X, T, V); if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), keylen, key) == 0) goto err; rv = 1; err: if (rv == 0) EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); return rv; }
int EVP_PBE_scrypt(const char *pass, size_t passlen, const unsigned char *salt, size_t saltlen, uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, unsigned char *key, size_t keylen) { int rv = 0; unsigned char *B; uint32_t *X, *V, *T; uint64_t i, Blen, Vlen; size_t allocsize; const EVP_MD *md; #ifndef OPENSSL_NO_SHA md = EVP_sha256(); #elif !defined(OPENSSL_NO_SM3) md = EVP_sm3(); #else EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_NO_AVAIABLE_DIGEST); return 0; #endif /* Sanity check parameters */ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) return 0; /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ if (p > SCRYPT_PR_MAX / r) return 0; /* * Need to check N: if 2^(128 * r / 8) overflows limit this is * automatically satisfied since N <= UINT64_MAX. */ if (16 * r <= LOG2_UINT64_MAX) { if (N >= (((uint64_t)1) << (16 * r))) return 0; } /* Memory checks: check total allocated buffer size fits in uint64_t */ /* * B size in section 5 step 1.S * Note: we know p * 128 * r < UINT64_MAX because we already checked * p * r < SCRYPT_PR_MAX */ Blen = p * 128 * r; /* * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in * uint64_t and also size_t (their sizes are unrelated). * This is combined size V, X and T (section 4) */ i = UINT64_MAX / (32 * sizeof(uint32_t)); if (N + 2 > i / r) return 0; Vlen = 32 * r * (N + 2) * sizeof(uint32_t); /* check total allocated size fits in uint64_t */ if (Blen > UINT64_MAX - Vlen) return 0; /* check total allocated size fits in size_t */ if (Blen > SIZE_MAX - Vlen) return 0; allocsize = (size_t)(Blen + Vlen); if (maxmem == 0) maxmem = SCRYPT_MAX_MEM; if (allocsize > maxmem) { EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; } /* If no key return to indicate parameters are OK */ if (key == NULL) return 1; B = OPENSSL_malloc(allocsize); if (B == NULL) return 0; X = (uint32_t *)(B + Blen); T = X + 32 * r; V = T + 32 * r; if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, md, Blen, B) == 0) goto err; for (i = 0; i < p; i++) scryptROMix(B + 128 * r * i, r, N, X, T, V); if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, md, keylen, key) == 0) goto err; rv = 1; err: OPENSSL_clear_free(B, allocsize); return rv; }