/* Generates an key derived from a password and salt using a memory hard
* algorithm.
* Implements RFC 7914: scrypt PBKDF.
*
* output The derived key.
* passwd The password to derive key from.
* passLen The length of the password.
* salt The key specific data.
* saltLen The length of the salt data.
* cost The CPU/memory cost parameter. Range: 1..(128*r/8-1)
* (Iterations = 2^cost)
* blockSize The number of 128 byte octets in a working block.
* parallel The number of parallel mix operations to perform.
* (Note: this implementation does not use threads.)
* dkLen The length of the derived key in bytes.
* returns BAD_FUNC_ARG when: parallel not 1, blockSize is too large for cost.
*/
int wc_scrypt(byte* output, const byte* passwd, int passLen,
const byte* salt, int saltLen, int cost, int blockSize,
int parallel, int dkLen)
{
int ret = 0;
int i;
byte* v = NULL;
byte* y = NULL;
byte* blocks = NULL;
word32 blocksSz;
word32 bSz;
if (blockSize > 8)
return BAD_FUNC_ARG;
if (cost < 1 || cost >= 128 * blockSize / 8)
return BAD_FUNC_ARG;
bSz = 128 * blockSize;
blocksSz = bSz * parallel;
blocks = XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (blocks == NULL)
goto end;
/* Temporary for scryptROMix. */
v = XMALLOC((1 << cost) * bSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (v == NULL)
goto end;
/* Temporary for scryptBlockMix. */
y = XMALLOC(blockSize * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (y == NULL)
goto end;
/* Step 1. */
ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, blocksSz,
SHA256);
if (ret != 0)
goto end;
/* Step 2. */
for (i = 0; i < parallel; i++)
scryptROMix(blocks + i * bSz, v, y, blockSize, 1 << cost);
/* Step 3. */
ret = wc_PBKDF2(output, passwd, passLen, blocks, blocksSz, 1, dkLen,
SHA256);
end:
if (blocks != NULL)
XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (v != NULL)
XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (y != NULL)
XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
int EVP_PBE_scrypt(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r,
uint64_t p, size_t max_mem, uint8_t *out_key,
size_t key_len) {
if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r ||
// |N| must be a power of two.
N < 2 || (N & (N - 1)) ||
// We only support |N| <= 2^32 in |scryptROMix|.
N > UINT64_C(1) << 32 ||
// Check that |N| < 2^(128×r / 8).
(16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);
return 0;
}
// Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|
// scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s.
if (max_mem == 0) {
max_mem = SCRYPT_MAX_MEM;
}
size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t));
if (max_scrypt_blocks < p + 1 ||
max_scrypt_blocks - p - 1 < N) {
OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
// Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
// is no bigger than uint64_t, so none of these operations may overflow.
OPENSSL_COMPILE_ASSERT(UINT64_MAX >= ((size_t)-1), size_t_exceeds_u64);
size_t B_blocks = p * 2 * r;
size_t B_bytes = B_blocks * sizeof(block_t);
size_t T_blocks = 2 * r;
size_t V_blocks = N * 2 * r;
block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t));
if (B == NULL) {
OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
return 0;
}
int ret = 0;
block_t *T = B + B_blocks;
block_t *V = T + T_blocks;
// NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure
// or |iterations| of 0 (we pass 1 here). This is consistent with
// the documented failure conditions of EVP_PBE_scrypt.
if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1,
EVP_sha256(), B_bytes, (uint8_t *)B)) {
goto err;
}
for (uint64_t i = 0; i < p; i++) {
scryptROMix(B + 2 * r * i, r, N, T, V);
}
if (!PKCS5_PBKDF2_HMAC(password, password_len, (const uint8_t *)B, B_bytes, 1,
EVP_sha256(), key_len, out_key)) {
goto err;
}
ret = 1;
err:
OPENSSL_free(B);
return ret;
}
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen)
{
int rv = 0;
unsigned char *B;
uint32_t *X, *V, *T;
uint64_t i, Blen, Vlen;
/* Sanity check parameters */
/* initial check, r,p must be non zero, N >= 2 and a power of 2 */
if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
return 0;
/* Check p * r < SCRYPT_PR_MAX avoiding overflow */
if (p > SCRYPT_PR_MAX / r)
return 0;
/*
* Need to check N: if 2^(128 * r / 8) overflows limit this is
* automatically satisfied since N <= UINT64_MAX.
*/
if (16 * r <= LOG2_UINT64_MAX) {
if (N >= (1UL << (16 * r)))
return 0;
}
/* Memory checks: check total allocated buffer size fits in uint64_t */
/*
* B size in section 5 step 1.S
* Note: we know p * 128 * r < UINT64_MAX because we already checked
* p * r < SCRYPT_PR_MAX
*/
Blen = p * 128 * r;
/*
* Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t.
* This is combined size V, X and T (section 4)
*/
i = UINT64_MAX / (32 * sizeof(uint32_t));
if (N + 2 > i / r)
return 0;
Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
/* check total allocated size fits in uint64_t */
if (Blen > UINT64_MAX - Vlen)
return 0;
if (maxmem == 0)
maxmem = SCRYPT_MAX_MEM;
if (Blen + Vlen > maxmem) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
/* If no key return to indicate parameters are OK */
if (key == NULL)
return 1;
B = OPENSSL_malloc(Blen + Vlen);
if (B == NULL)
return 0;
X = (uint32_t *)(B + Blen);
T = X + 32 * r;
V = T + 32 * r;
if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
Blen, B) == 0)
goto err;
for (i = 0; i < p; i++)
scryptROMix(B + 128 * r * i, r, N, X, T, V);
if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, EVP_sha256(),
keylen, key) == 0)
goto err;
rv = 1;
#ifdef SCRYPT_DEBUG
fprintf(stderr, "scrypt parameters:\n");
fprintf(stderr, "N=%lu, p=%lu, r=%lu\n", N, p, r);
fprintf(stderr, "Salt:\n");
BIO_dump_fp(stderr, (char *)salt, saltlen);
fprintf(stderr, "Password:\n");
BIO_dump_fp(stderr, (char *)pass, passlen);
fprintf(stderr, "Key:\n");
BIO_dump_fp(stderr, (char *)key, keylen);
#endif
err:
OPENSSL_clear_free(B, Blen + Vlen);
return rv;
}
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen)
{
int rv = 0;
unsigned char *B;
uint32_t *X, *V, *T;
uint64_t i, Blen, Vlen;
/* Sanity check parameters */
/* initial check, r,p must be non zero, N >= 2 and a power of 2 */
if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
return 0;
/* Check p * r < SCRYPT_PR_MAX avoiding overflow */
if (p > SCRYPT_PR_MAX / r) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
/*
* Need to check N: if 2^(128 * r / 8) overflows limit this is
* automatically satisfied since N <= UINT64_MAX.
*/
if (16 * r <= LOG2_UINT64_MAX) {
if (N >= (((uint64_t)1) << (16 * r))) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
}
/* Memory checks: check total allocated buffer size fits in uint64_t */
/*
* B size in section 5 step 1.S
* Note: we know p * 128 * r < UINT64_MAX because we already checked
* p * r < SCRYPT_PR_MAX
*/
Blen = p * 128 * r;
/*
* Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
* have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
*/
if (Blen > INT_MAX) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
/*
* Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
* This is combined size V, X and T (section 4)
*/
i = UINT64_MAX / (32 * sizeof(uint32_t));
if (N + 2 > i / r) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
/* check total allocated size fits in uint64_t */
if (Blen > UINT64_MAX - Vlen) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
if (maxmem == 0)
maxmem = SCRYPT_MAX_MEM;
/* Check that the maximum memory doesn't exceed a size_t limits */
if (maxmem > SIZE_MAX)
maxmem = SIZE_MAX;
if (Blen + Vlen > maxmem) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
/* If no key return to indicate parameters are OK */
if (key == NULL)
return 1;
B = OPENSSL_malloc((size_t)(Blen + Vlen));
if (B == NULL) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE);
return 0;
}
X = (uint32_t *)(B + Blen);
T = X + 32 * r;
V = T + 32 * r;
if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
(int)Blen, B) == 0)
goto err;
for (i = 0; i < p; i++)
scryptROMix(B + 128 * r * i, r, N, X, T, V);
if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),
keylen, key) == 0)
goto err;
rv = 1;
err:
if (rv == 0)
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR);
OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
return rv;
}
int EVP_PBE_scrypt(const char *pass, size_t passlen,
const unsigned char *salt, size_t saltlen,
uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
unsigned char *key, size_t keylen)
{
int rv = 0;
unsigned char *B;
uint32_t *X, *V, *T;
uint64_t i, Blen, Vlen;
size_t allocsize;
const EVP_MD *md;
#ifndef OPENSSL_NO_SHA
md = EVP_sha256();
#elif !defined(OPENSSL_NO_SM3)
md = EVP_sm3();
#else
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_NO_AVAIABLE_DIGEST);
return 0;
#endif
/* Sanity check parameters */
/* initial check, r,p must be non zero, N >= 2 and a power of 2 */
if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
return 0;
/* Check p * r < SCRYPT_PR_MAX avoiding overflow */
if (p > SCRYPT_PR_MAX / r)
return 0;
/*
* Need to check N: if 2^(128 * r / 8) overflows limit this is
* automatically satisfied since N <= UINT64_MAX.
*/
if (16 * r <= LOG2_UINT64_MAX) {
if (N >= (((uint64_t)1) << (16 * r)))
return 0;
}
/* Memory checks: check total allocated buffer size fits in uint64_t */
/*
* B size in section 5 step 1.S
* Note: we know p * 128 * r < UINT64_MAX because we already checked
* p * r < SCRYPT_PR_MAX
*/
Blen = p * 128 * r;
/*
* Check 32 * r * (N + 2) * sizeof(uint32_t) fits in
* uint64_t and also size_t (their sizes are unrelated).
* This is combined size V, X and T (section 4)
*/
i = UINT64_MAX / (32 * sizeof(uint32_t));
if (N + 2 > i / r)
return 0;
Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
/* check total allocated size fits in uint64_t */
if (Blen > UINT64_MAX - Vlen)
return 0;
/* check total allocated size fits in size_t */
if (Blen > SIZE_MAX - Vlen)
return 0;
allocsize = (size_t)(Blen + Vlen);
if (maxmem == 0)
maxmem = SCRYPT_MAX_MEM;
if (allocsize > maxmem) {
EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
return 0;
}
/* If no key return to indicate parameters are OK */
if (key == NULL)
return 1;
B = OPENSSL_malloc(allocsize);
if (B == NULL)
return 0;
X = (uint32_t *)(B + Blen);
T = X + 32 * r;
V = T + 32 * r;
if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, md,
Blen, B) == 0)
goto err;
for (i = 0; i < p; i++)
scryptROMix(B + 128 * r * i, r, N, X, T, V);
if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, md,
keylen, key) == 0)
goto err;
rv = 1;
err:
OPENSSL_clear_free(B, allocsize);
return rv;
}
