scrypt.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266
  1. /*
  2. * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <openssl/hmac.h>
  12. #include <openssl/kdf.h>
  13. #include <openssl/evp.h>
  14. #include "internal/cryptlib.h"
  15. #include "crypto/evp.h"
  16. #ifndef OPENSSL_NO_SCRYPT
  17. static int atou64(const char *nptr, uint64_t *result);
  18. typedef struct {
  19. unsigned char *pass;
  20. size_t pass_len;
  21. unsigned char *salt;
  22. size_t salt_len;
  23. uint64_t N, r, p;
  24. uint64_t maxmem_bytes;
  25. } SCRYPT_PKEY_CTX;
  26. /* Custom uint64_t parser since we do not have strtoull */
  27. static int atou64(const char *nptr, uint64_t *result)
  28. {
  29. uint64_t value = 0;
  30. while (*nptr) {
  31. unsigned int digit;
  32. uint64_t new_value;
  33. if ((*nptr < '0') || (*nptr > '9')) {
  34. return 0;
  35. }
  36. digit = (unsigned int)(*nptr - '0');
  37. new_value = (value * 10) + digit;
  38. if ((new_value < digit) || ((new_value - digit) / 10 != value)) {
  39. /* Overflow */
  40. return 0;
  41. }
  42. value = new_value;
  43. nptr++;
  44. }
  45. *result = value;
  46. return 1;
  47. }
  48. static int pkey_scrypt_init(EVP_PKEY_CTX *ctx)
  49. {
  50. SCRYPT_PKEY_CTX *kctx;
  51. kctx = OPENSSL_zalloc(sizeof(*kctx));
  52. if (kctx == NULL) {
  53. KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE);
  54. return 0;
  55. }
  56. /* Default values are the most conservative recommendation given in the
  57. * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
  58. * for this parameter choice (approx. 128 * r * (N + p) bytes).
  59. */
  60. kctx->N = 1 << 20;
  61. kctx->r = 8;
  62. kctx->p = 1;
  63. kctx->maxmem_bytes = 1025 * 1024 * 1024;
  64. ctx->data = kctx;
  65. return 1;
  66. }
  67. static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx)
  68. {
  69. SCRYPT_PKEY_CTX *kctx = ctx->data;
  70. OPENSSL_clear_free(kctx->salt, kctx->salt_len);
  71. OPENSSL_clear_free(kctx->pass, kctx->pass_len);
  72. OPENSSL_free(kctx);
  73. }
  74. static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
  75. const unsigned char *new_buffer,
  76. const int new_buflen)
  77. {
  78. if (new_buffer == NULL)
  79. return 1;
  80. if (new_buflen < 0)
  81. return 0;
  82. if (*buffer != NULL)
  83. OPENSSL_clear_free(*buffer, *buflen);
  84. if (new_buflen > 0) {
  85. *buffer = OPENSSL_memdup(new_buffer, new_buflen);
  86. } else {
  87. *buffer = OPENSSL_malloc(1);
  88. }
  89. if (*buffer == NULL) {
  90. KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
  91. return 0;
  92. }
  93. *buflen = new_buflen;
  94. return 1;
  95. }
  96. static int is_power_of_two(uint64_t value)
  97. {
  98. return (value != 0) && ((value & (value - 1)) == 0);
  99. }
  100. static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
  101. {
  102. SCRYPT_PKEY_CTX *kctx = ctx->data;
  103. uint64_t u64_value;
  104. switch (type) {
  105. case EVP_PKEY_CTRL_PASS:
  106. return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1);
  107. case EVP_PKEY_CTRL_SCRYPT_SALT:
  108. return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1);
  109. case EVP_PKEY_CTRL_SCRYPT_N:
  110. u64_value = *((uint64_t *)p2);
  111. if ((u64_value <= 1) || !is_power_of_two(u64_value))
  112. return 0;
  113. kctx->N = u64_value;
  114. return 1;
  115. case EVP_PKEY_CTRL_SCRYPT_R:
  116. u64_value = *((uint64_t *)p2);
  117. if (u64_value < 1)
  118. return 0;
  119. kctx->r = u64_value;
  120. return 1;
  121. case EVP_PKEY_CTRL_SCRYPT_P:
  122. u64_value = *((uint64_t *)p2);
  123. if (u64_value < 1)
  124. return 0;
  125. kctx->p = u64_value;
  126. return 1;
  127. case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
  128. u64_value = *((uint64_t *)p2);
  129. if (u64_value < 1)
  130. return 0;
  131. kctx->maxmem_bytes = u64_value;
  132. return 1;
  133. default:
  134. return -2;
  135. }
  136. }
  137. static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type,
  138. const char *value)
  139. {
  140. uint64_t int_value;
  141. if (!atou64(value, &int_value)) {
  142. KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);
  143. return 0;
  144. }
  145. return pkey_scrypt_ctrl(ctx, type, 0, &int_value);
  146. }
  147. static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
  148. const char *value)
  149. {
  150. if (value == NULL) {
  151. KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);
  152. return 0;
  153. }
  154. if (strcmp(type, "pass") == 0)
  155. return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
  156. if (strcmp(type, "hexpass") == 0)
  157. return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
  158. if (strcmp(type, "salt") == 0)
  159. return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
  160. if (strcmp(type, "hexsalt") == 0)
  161. return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
  162. if (strcmp(type, "N") == 0)
  163. return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value);
  164. if (strcmp(type, "r") == 0)
  165. return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value);
  166. if (strcmp(type, "p") == 0)
  167. return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value);
  168. if (strcmp(type, "maxmem_bytes") == 0)
  169. return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES,
  170. value);
  171. KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
  172. return -2;
  173. }
  174. static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
  175. size_t *keylen)
  176. {
  177. SCRYPT_PKEY_CTX *kctx = ctx->data;
  178. if (kctx->pass == NULL) {
  179. KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
  180. return 0;
  181. }
  182. if (kctx->salt == NULL) {
  183. KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
  184. return 0;
  185. }
  186. return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt,
  187. kctx->salt_len, kctx->N, kctx->r, kctx->p,
  188. kctx->maxmem_bytes, key, *keylen);
  189. }
  190. const EVP_PKEY_METHOD scrypt_pkey_meth = {
  191. EVP_PKEY_SCRYPT,
  192. 0,
  193. pkey_scrypt_init,
  194. 0,
  195. pkey_scrypt_cleanup,
  196. 0, 0,
  197. 0, 0,
  198. 0,
  199. 0,
  200. 0,
  201. 0,
  202. 0, 0,
  203. 0, 0, 0, 0,
  204. 0, 0,
  205. 0, 0,
  206. 0,
  207. pkey_scrypt_derive,
  208. pkey_scrypt_ctrl,
  209. pkey_scrypt_ctrl_str
  210. };
  211. #endif