/src/boringssl/crypto/evp/scrypt.cc
Line | Count | Source |
1 | | // Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/evp.h> |
16 | | |
17 | | #include <assert.h> |
18 | | |
19 | | #include <openssl/err.h> |
20 | | #include <openssl/mem.h> |
21 | | |
22 | | #include "../internal.h" |
23 | | |
24 | | |
25 | | // This file implements scrypt, described in RFC 7914. |
26 | | // |
27 | | // Note scrypt refers to both "blocks" and a "block size" parameter, r. These |
28 | | // are two different notions of blocks. A Salsa20 block is 64 bytes long, |
29 | | // represented in this implementation by 16 |uint32_t|s. |r| determines the |
30 | | // number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r| |
31 | | // Salsa20 blocks. This implementation refers to them as Salsa20 blocks and |
32 | | // scrypt blocks, respectively. |
33 | | |
34 | | using namespace bssl; |
35 | | |
36 | | // A block_t is a Salsa20 block. |
37 | | typedef struct { |
38 | | uint32_t words[16]; |
39 | | } block_t; |
40 | | |
41 | | static_assert(sizeof(block_t) == 64, "block_t has padding"); |
42 | | |
43 | | // salsa208_word_specification implements the Salsa20/8 core function, also |
44 | | // described in RFC 7914, section 3. It modifies the block at |inout| |
45 | | // in-place. |
46 | 0 | static void salsa208_word_specification(block_t *inout) { |
47 | 0 | block_t x; |
48 | 0 | OPENSSL_memcpy(&x, inout, sizeof(x)); |
49 | |
|
50 | 0 | for (int i = 8; i > 0; i -= 2) { |
51 | 0 | x.words[4] ^= CRYPTO_rotl_u32(x.words[0] + x.words[12], 7); |
52 | 0 | x.words[8] ^= CRYPTO_rotl_u32(x.words[4] + x.words[0], 9); |
53 | 0 | x.words[12] ^= CRYPTO_rotl_u32(x.words[8] + x.words[4], 13); |
54 | 0 | x.words[0] ^= CRYPTO_rotl_u32(x.words[12] + x.words[8], 18); |
55 | 0 | x.words[9] ^= CRYPTO_rotl_u32(x.words[5] + x.words[1], 7); |
56 | 0 | x.words[13] ^= CRYPTO_rotl_u32(x.words[9] + x.words[5], 9); |
57 | 0 | x.words[1] ^= CRYPTO_rotl_u32(x.words[13] + x.words[9], 13); |
58 | 0 | x.words[5] ^= CRYPTO_rotl_u32(x.words[1] + x.words[13], 18); |
59 | 0 | x.words[14] ^= CRYPTO_rotl_u32(x.words[10] + x.words[6], 7); |
60 | 0 | x.words[2] ^= CRYPTO_rotl_u32(x.words[14] + x.words[10], 9); |
61 | 0 | x.words[6] ^= CRYPTO_rotl_u32(x.words[2] + x.words[14], 13); |
62 | 0 | x.words[10] ^= CRYPTO_rotl_u32(x.words[6] + x.words[2], 18); |
63 | 0 | x.words[3] ^= CRYPTO_rotl_u32(x.words[15] + x.words[11], 7); |
64 | 0 | x.words[7] ^= CRYPTO_rotl_u32(x.words[3] + x.words[15], 9); |
65 | 0 | x.words[11] ^= CRYPTO_rotl_u32(x.words[7] + x.words[3], 13); |
66 | 0 | x.words[15] ^= CRYPTO_rotl_u32(x.words[11] + x.words[7], 18); |
67 | 0 | x.words[1] ^= CRYPTO_rotl_u32(x.words[0] + x.words[3], 7); |
68 | 0 | x.words[2] ^= CRYPTO_rotl_u32(x.words[1] + x.words[0], 9); |
69 | 0 | x.words[3] ^= CRYPTO_rotl_u32(x.words[2] + x.words[1], 13); |
70 | 0 | x.words[0] ^= CRYPTO_rotl_u32(x.words[3] + x.words[2], 18); |
71 | 0 | x.words[6] ^= CRYPTO_rotl_u32(x.words[5] + x.words[4], 7); |
72 | 0 | x.words[7] ^= CRYPTO_rotl_u32(x.words[6] + x.words[5], 9); |
73 | 0 | x.words[4] ^= CRYPTO_rotl_u32(x.words[7] + x.words[6], 13); |
74 | 0 | x.words[5] ^= CRYPTO_rotl_u32(x.words[4] + x.words[7], 18); |
75 | 0 | x.words[11] ^= CRYPTO_rotl_u32(x.words[10] + x.words[9], 7); |
76 | 0 | x.words[8] ^= CRYPTO_rotl_u32(x.words[11] + x.words[10], 9); |
77 | 0 | x.words[9] ^= CRYPTO_rotl_u32(x.words[8] + x.words[11], 13); |
78 | 0 | x.words[10] ^= CRYPTO_rotl_u32(x.words[9] + x.words[8], 18); |
79 | 0 | x.words[12] ^= CRYPTO_rotl_u32(x.words[15] + x.words[14], 7); |
80 | 0 | x.words[13] ^= CRYPTO_rotl_u32(x.words[12] + x.words[15], 9); |
81 | 0 | x.words[14] ^= CRYPTO_rotl_u32(x.words[13] + x.words[12], 13); |
82 | 0 | x.words[15] ^= CRYPTO_rotl_u32(x.words[14] + x.words[13], 18); |
83 | 0 | } |
84 | |
|
85 | 0 | for (int i = 0; i < 16; ++i) { |
86 | 0 | inout->words[i] += x.words[i]; |
87 | 0 | } |
88 | 0 | } |
89 | | |
90 | | // xor_block sets |*out| to be |*a| XOR |*b|. |
91 | 0 | static void xor_block(block_t *out, const block_t *a, const block_t *b) { |
92 | 0 | for (size_t i = 0; i < 16; i++) { |
93 | 0 | out->words[i] = a->words[i] ^ b->words[i]; |
94 | 0 | } |
95 | 0 | } |
96 | | |
97 | | // scryptBlockMix implements the function described in RFC 7914, section 4. B' |
98 | | // is written to |out|. |out| and |B| may not alias and must be each one scrypt |
99 | | // block (2 * |r| Salsa20 blocks) long. |
100 | 0 | static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) { |
101 | 0 | assert(out != B); |
102 | | |
103 | 0 | block_t X; |
104 | 0 | OPENSSL_memcpy(&X, &B[r * 2 - 1], sizeof(X)); |
105 | 0 | for (uint64_t i = 0; i < r * 2; i++) { |
106 | 0 | xor_block(&X, &X, &B[i]); |
107 | 0 | salsa208_word_specification(&X); |
108 | | |
109 | | // This implements the permutation in step 3. |
110 | 0 | OPENSSL_memcpy(&out[i / 2 + (i & 1) * r], &X, sizeof(X)); |
111 | 0 | } |
112 | 0 | } |
113 | | |
114 | | // scryptROMix implements the function described in RFC 7914, section 5. |B| is |
115 | | // an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and |
116 | | // |V| are scratch space allocated by the caller. |T| must have space for one |
117 | | // scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt |
118 | | // blocks (2 * |r| * |N| Salsa20 blocks). |
119 | | static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, |
120 | 0 | block_t *V) { |
121 | | // Steps 1 and 2. |
122 | 0 | OPENSSL_memcpy(V, B, 2 * r * sizeof(block_t)); |
123 | 0 | for (uint64_t i = 1; i < N; i++) { |
124 | 0 | scryptBlockMix(&V[2 * r * i /* scrypt block i */], |
125 | 0 | &V[2 * r * (i - 1) /* scrypt block i-1 */], r); |
126 | 0 | } |
127 | 0 | scryptBlockMix(B, &V[2 * r * (N - 1) /* scrypt block N-1 */], r); |
128 | | |
129 | | // Step 3. |
130 | 0 | for (uint64_t i = 0; i < N; i++) { |
131 | | // Note this assumes |N| <= 2^32 and is a power of 2. |
132 | 0 | uint32_t j = B[2 * r - 1].words[0] & (N - 1); |
133 | 0 | for (size_t k = 0; k < 2 * r; k++) { |
134 | 0 | xor_block(&T[k], &B[k], &V[2 * r * j + k]); |
135 | 0 | } |
136 | 0 | scryptBlockMix(B, T, r); |
137 | 0 | } |
138 | 0 | } |
139 | | |
140 | | // SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the |
141 | | // bounds on p in section 6: |
142 | | // |
143 | | // p <= ((2^32-1) * hLen) / MFLen iff |
144 | | // p <= ((2^32-1) * 32) / (128 * r) iff |
145 | | // p * r <= (2^30-1) |
146 | 0 | #define SCRYPT_PR_MAX ((1 << 30) - 1) |
147 | | |
148 | | // SCRYPT_MAX_MEM is the default maximum memory that may be allocated by |
149 | | // |EVP_PBE_scrypt|. |
150 | 0 | #define SCRYPT_MAX_MEM (1024 * 1024 * 65) |
151 | | |
152 | | int EVP_PBE_scrypt(const char *password, size_t password_len, |
153 | | const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r, |
154 | | uint64_t p, size_t max_mem, uint8_t *out_key, |
155 | 0 | size_t key_len) { |
156 | 0 | if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r || |
157 | | // |N| must be a power of two. |
158 | 0 | N < 2 || (N & (N - 1)) || |
159 | | // We only support |N| <= 2^32 in |scryptROMix|. |
160 | 0 | N > UINT64_C(1) << 32 || |
161 | | // Check that |N| < 2^(128×r / 8). |
162 | 0 | (16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) { |
163 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS); |
164 | 0 | return 0; |
165 | 0 | } |
166 | | |
167 | | // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N| |
168 | | // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s. |
169 | 0 | if (max_mem == 0) { |
170 | 0 | max_mem = SCRYPT_MAX_MEM; |
171 | 0 | } |
172 | |
|
173 | 0 | size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t)); |
174 | 0 | if (max_scrypt_blocks < p + 1 || max_scrypt_blocks - p - 1 < N) { |
175 | 0 | OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); |
176 | 0 | return 0; |
177 | 0 | } |
178 | | |
179 | | // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which |
180 | | // is no bigger than uint64_t, so none of these operations may overflow. |
181 | 0 | static_assert(UINT64_MAX >= SIZE_MAX, "size_t exceeds uint64_t"); |
182 | 0 | size_t B_blocks = p * 2 * r; |
183 | 0 | size_t B_bytes = B_blocks * sizeof(block_t); |
184 | 0 | size_t T_blocks = 2 * r; |
185 | 0 | size_t V_blocks = N * 2 * r; |
186 | 0 | block_t *B = reinterpret_cast<block_t *>( |
187 | 0 | OPENSSL_calloc(B_blocks + T_blocks + V_blocks, sizeof(block_t))); |
188 | 0 | if (B == nullptr) { |
189 | 0 | return 0; |
190 | 0 | } |
191 | | |
192 | 0 | int ret = 0; |
193 | 0 | block_t *T = B + B_blocks; |
194 | 0 | block_t *V = T + T_blocks; |
195 | | |
196 | | // NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure |
197 | | // or |iterations| of 0 (we pass 1 here). This is consistent with |
198 | | // the documented failure conditions of EVP_PBE_scrypt. |
199 | 0 | if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1, |
200 | 0 | EVP_sha256(), B_bytes, (uint8_t *)B)) { |
201 | 0 | goto err; |
202 | 0 | } |
203 | | |
204 | 0 | for (uint64_t i = 0; i < p; i++) { |
205 | 0 | scryptROMix(B + 2 * r * i, r, N, T, V); |
206 | 0 | } |
207 | |
|
208 | 0 | if (!PKCS5_PBKDF2_HMAC(password, password_len, (const uint8_t *)B, B_bytes, 1, |
209 | 0 | EVP_sha256(), key_len, out_key)) { |
210 | 0 | goto err; |
211 | 0 | } |
212 | | |
213 | 0 | ret = 1; |
214 | |
|
215 | 0 | err: |
216 | 0 | OPENSSL_free(B); |
217 | 0 | return ret; |
218 | 0 | } |