kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5611 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 17d553d299
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '17d553d299'
${ noResults }
boringssl/crypto/evp/scrypt.c

214 lines
7.5 KiB
Raw Blame History 

  1. /*

  2.  * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.

  3.  *

  4.  * Licensed under the OpenSSL license (the "License").  You may not use

  5.  * this file except in compliance with the License.  You can obtain a copy

  6.  * in the file LICENSE in the source distribution or at

  7.  * https://www.openssl.org/source/license.html

  8.  */

  9. 

  10. #include <openssl/evp.h>

  11. 

  12. #include <assert.h>

  13. 

  14. #include <openssl/err.h>

  15. #include <openssl/mem.h>

  16. #include <openssl/type_check.h>

  17. 

  18. #include "../internal.h"

  19. 

  20. 

  21. // This file implements scrypt, described in RFC 7914.

  22. //

  23. // Note scrypt refers to both "blocks" and a "block size" parameter, r. These

  24. // are two different notions of blocks. A Salsa20 block is 64 bytes long,

  25. // represented in this implementation by 16 |uint32_t|s. |r| determines the

  26. // number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|

  27. // Salsa20 blocks. This implementation refers to them as Salsa20 blocks and

  28. // scrypt blocks, respectively.

  29. 

  30. // A block_t is a Salsa20 block.

  31. typedef struct { uint32_t words[16]; } block_t;

  32. 

  33. OPENSSL_STATIC_ASSERT(sizeof(block_t) == 64, "block_t has padding");

  34. 

  35. #define R(a, b) (((a) << (b)) | ((a) >> (32 - (b))))

  36. 

  37. // salsa208_word_specification implements the Salsa20/8 core function, also

  38. // described in RFC 7914, section 3. It modifies the block at |inout|

  39. // in-place.

  40. static void salsa208_word_specification(block_t *inout) {

  41.   block_t x;

  42.   OPENSSL_memcpy(&x, inout, sizeof(x));

  43. 

  44.   for (int i = 8; i > 0; i -= 2) {

  45.     x.words[4] ^= R(x.words[0] + x.words[12], 7);

  46.     x.words[8] ^= R(x.words[4] + x.words[0], 9);

  47.     x.words[12] ^= R(x.words[8] + x.words[4], 13);

  48.     x.words[0] ^= R(x.words[12] + x.words[8], 18);

  49.     x.words[9] ^= R(x.words[5] + x.words[1], 7);

  50.     x.words[13] ^= R(x.words[9] + x.words[5], 9);

  51.     x.words[1] ^= R(x.words[13] + x.words[9], 13);

  52.     x.words[5] ^= R(x.words[1] + x.words[13], 18);

  53.     x.words[14] ^= R(x.words[10] + x.words[6], 7);

  54.     x.words[2] ^= R(x.words[14] + x.words[10], 9);

  55.     x.words[6] ^= R(x.words[2] + x.words[14], 13);

  56.     x.words[10] ^= R(x.words[6] + x.words[2], 18);

  57.     x.words[3] ^= R(x.words[15] + x.words[11], 7);

  58.     x.words[7] ^= R(x.words[3] + x.words[15], 9);

  59.     x.words[11] ^= R(x.words[7] + x.words[3], 13);

  60.     x.words[15] ^= R(x.words[11] + x.words[7], 18);

  61.     x.words[1] ^= R(x.words[0] + x.words[3], 7);

  62.     x.words[2] ^= R(x.words[1] + x.words[0], 9);

  63.     x.words[3] ^= R(x.words[2] + x.words[1], 13);

  64.     x.words[0] ^= R(x.words[3] + x.words[2], 18);

  65.     x.words[6] ^= R(x.words[5] + x.words[4], 7);

  66.     x.words[7] ^= R(x.words[6] + x.words[5], 9);

  67.     x.words[4] ^= R(x.words[7] + x.words[6], 13);

  68.     x.words[5] ^= R(x.words[4] + x.words[7], 18);

  69.     x.words[11] ^= R(x.words[10] + x.words[9], 7);

  70.     x.words[8] ^= R(x.words[11] + x.words[10], 9);

  71.     x.words[9] ^= R(x.words[8] + x.words[11], 13);

  72.     x.words[10] ^= R(x.words[9] + x.words[8], 18);

  73.     x.words[12] ^= R(x.words[15] + x.words[14], 7);

  74.     x.words[13] ^= R(x.words[12] + x.words[15], 9);

  75.     x.words[14] ^= R(x.words[13] + x.words[12], 13);

  76.     x.words[15] ^= R(x.words[14] + x.words[13], 18);

  77.   }

  78. 

  79.   for (int i = 0; i < 16; ++i) {

  80.     inout->words[i] += x.words[i];

  81.   }

  82. }

  83. 

  84. // xor_block sets |*out| to be |*a| XOR |*b|.

  85. static void xor_block(block_t *out, const block_t *a, const block_t *b) {

  86.   for (size_t i = 0; i < 16; i++) {

  87.     out->words[i] = a->words[i] ^ b->words[i];

  88.   }

  89. }

  90. 

  91. // scryptBlockMix implements the function described in RFC 7914, section 4. B'

  92. // is written to |out|. |out| and |B| may not alias and must be each one scrypt

  93. // block (2 * |r| Salsa20 blocks) long.

  94. static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) {

  95.   assert(out != B);

  96. 

  97.   block_t X;

  98.   OPENSSL_memcpy(&X, &B[r * 2 - 1], sizeof(X));

  99.   for (uint64_t i = 0; i < r * 2; i++) {

  100.     xor_block(&X, &X, &B[i]);

  101.     salsa208_word_specification(&X);

  102. 

  103.     // This implements the permutation in step 3.

  104.     OPENSSL_memcpy(&out[i / 2 + (i & 1) * r], &X, sizeof(X));

  105.   }

  106. }

  107. 

  108. // scryptROMix implements the function described in RFC 7914, section 5.  |B| is

  109. // an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and

  110. // |V| are scratch space allocated by the caller. |T| must have space for one

  111. // scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt

  112. // blocks (2 * |r| * |N| Salsa20 blocks).

  113. static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T,

  114.                         block_t *V) {

  115.   // Steps 1 and 2.

  116.   OPENSSL_memcpy(V, B, 2 * r * sizeof(block_t));

  117.   for (uint64_t i = 1; i < N; i++) {

  118.     scryptBlockMix(&V[2 * r * i /* scrypt block i */],

  119.                    &V[2 * r * (i - 1) /* scrypt block i-1 */], r);

  120.   }

  121.   scryptBlockMix(B, &V[2 * r * (N - 1) /* scrypt block N-1 */], r);

  122. 

  123.   // Step 3.

  124.   for (uint64_t i = 0; i < N; i++) {

  125.     // Note this assumes |N| <= 2^32 and is a power of 2.

  126.     uint32_t j = B[2 * r - 1].words[0] & (N - 1);

  127.     for (size_t k = 0; k < 2 * r; k++) {

  128.       xor_block(&T[k], &B[k], &V[2 * r * j + k]);

  129.     }

  130.     scryptBlockMix(B, T, r);

  131.   }

  132. }

  133. 

  134. // SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the

  135. // bounds on p in section 6:

  136. //

  137. //   p <= ((2^32-1) * hLen) / MFLen iff

  138. //   p <= ((2^32-1) * 32) / (128 * r) iff

  139. //   p * r <= (2^30-1)

  140. #define SCRYPT_PR_MAX ((1 << 30) - 1)

  141. 

  142. // SCRYPT_MAX_MEM is the default maximum memory that may be allocated by

  143. // |EVP_PBE_scrypt|.

  144. #define SCRYPT_MAX_MEM (1024 * 1024 * 32)

  145. 

  146. int EVP_PBE_scrypt(const char *password, size_t password_len,

  147.                    const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r,

  148.                    uint64_t p, size_t max_mem, uint8_t *out_key,

  149.                    size_t key_len) {

  150.   if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r ||

  151.       // |N| must be a power of two.

  152.       N < 2 || (N & (N - 1)) ||

  153.       // We only support |N| <= 2^32 in |scryptROMix|.

  154.       N > UINT64_C(1) << 32 ||

  155.       // Check that |N| < 2^(128×r / 8).

  156.       (16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) {

  157.     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);

  158.     return 0;

  159.   }

  160. 

  161.   // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|

  162.   // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s.

  163.   if (max_mem == 0) {

  164.     max_mem = SCRYPT_MAX_MEM;

  165.   }

  166. 

  167.   size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t));

  168.   if (max_scrypt_blocks < p + 1 ||

  169.       max_scrypt_blocks - p - 1 < N) {

  170.     OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);

  171.     return 0;

  172.   }

  173. 

  174.   // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which

  175.   // is no bigger than uint64_t, so none of these operations may overflow.

  176.   OPENSSL_STATIC_ASSERT(UINT64_MAX >= ((size_t)-1), "size_t exceeds uint64_t");

  177.   size_t B_blocks = p * 2 * r;

  178.   size_t B_bytes = B_blocks * sizeof(block_t);

  179.   size_t T_blocks = 2 * r;

  180.   size_t V_blocks = N * 2 * r;

  181.   block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t));

  182.   if (B == NULL) {

  183.     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);

  184.     return 0;

  185.   }

  186. 

  187.   int ret = 0;

  188.   block_t *T = B + B_blocks;

  189.   block_t *V = T + T_blocks;

  190. 

  191.   // NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure

  192.   // or |iterations| of 0 (we pass 1 here). This is consistent with

  193.   // the documented failure conditions of EVP_PBE_scrypt.

  194.   if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1,

  195.                          EVP_sha256(), B_bytes, (uint8_t *)B)) {

  196.     goto err;

  197.   }

  198. 

  199.   for (uint64_t i = 0; i < p; i++) {

  200.     scryptROMix(B + 2 * r * i, r, N, T, V);

  201.   }

  202. 

  203.   if (!PKCS5_PBKDF2_HMAC(password, password_len, (const uint8_t *)B, B_bytes, 1,

  204.                          EVP_sha256(), key_len, out_key)) {

  205.     goto err;

  206.   }

  207. 

  208.   ret = 1;

  209. 

  210. err:

  211.   OPENSSL_free(B);

  212.   return ret;

  213. }