1/* 2 * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9{- 10use OpenSSL::paramnames qw(produce_param_decoder); 11-} 12 13#include <stdlib.h> 14#include <stdarg.h> 15#include <string.h> 16#include <openssl/evp.h> 17#include <openssl/kdf.h> 18#include <openssl/err.h> 19#include <openssl/core_names.h> 20#include <openssl/proverr.h> 21#include "crypto/evp.h" 22#include "internal/common.h" 23#include "internal/numbers.h" 24#include "prov/implementations.h" 25#include "prov/provider_ctx.h" 26#include "prov/providercommon.h" 27#include "prov/provider_util.h" 28 29#ifndef OPENSSL_NO_SCRYPT 30 31static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new; 32static OSSL_FUNC_kdf_dupctx_fn kdf_scrypt_dup; 33static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free; 34static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset; 35static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive; 36static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_scrypt_settable_ctx_params; 37static OSSL_FUNC_kdf_set_ctx_params_fn kdf_scrypt_set_ctx_params; 38static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params; 39static OSSL_FUNC_kdf_get_ctx_params_fn kdf_scrypt_get_ctx_params; 40 41static int scrypt_alg(const char *pass, size_t passlen, 42 const unsigned char *salt, size_t saltlen, 43 uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, 44 unsigned char *key, size_t keylen, EVP_MD *sha256, 45 OSSL_LIB_CTX *libctx, const char *propq); 46 47typedef struct { 48 OSSL_LIB_CTX *libctx; 49 char *propq; 50 unsigned char *pass; 51 size_t pass_len; 52 unsigned char *salt; 53 size_t salt_len; 54 uint64_t N; 55 uint64_t r, p; 56 uint64_t maxmem_bytes; 57 EVP_MD *sha256; 58} KDF_SCRYPT; 59 60static void kdf_scrypt_init(KDF_SCRYPT *ctx); 61 62static void *kdf_scrypt_new_inner(OSSL_LIB_CTX *libctx) 63{ 64 KDF_SCRYPT *ctx; 65 66 if (!ossl_prov_is_running()) 67 return NULL; 68 69 ctx = OPENSSL_zalloc(sizeof(*ctx)); 70 if (ctx == NULL) 71 return NULL; 72 ctx->libctx = libctx; 73 kdf_scrypt_init(ctx); 74 return ctx; 75} 76 77static void *kdf_scrypt_new(void *provctx) 78{ 79 return kdf_scrypt_new_inner(PROV_LIBCTX_OF(provctx)); 80} 81 82static void kdf_scrypt_free(void *vctx) 83{ 84 KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; 85 86 if (ctx != NULL) { 87 OPENSSL_free(ctx->propq); 88 EVP_MD_free(ctx->sha256); 89 kdf_scrypt_reset(ctx); 90 OPENSSL_free(ctx); 91 } 92} 93 94static void kdf_scrypt_reset(void *vctx) 95{ 96 KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; 97 98 OPENSSL_free(ctx->salt); 99 ctx->salt = NULL; 100 OPENSSL_clear_free(ctx->pass, ctx->pass_len); 101 ctx->pass = NULL; 102 kdf_scrypt_init(ctx); 103} 104 105static void *kdf_scrypt_dup(void *vctx) 106{ 107 const KDF_SCRYPT *src = (const KDF_SCRYPT *)vctx; 108 KDF_SCRYPT *dest; 109 110 dest = kdf_scrypt_new_inner(src->libctx); 111 if (dest != NULL) { 112 if (src->sha256 != NULL && !EVP_MD_up_ref(src->sha256)) 113 goto err; 114 if (src->propq != NULL) { 115 dest->propq = OPENSSL_strdup(src->propq); 116 if (dest->propq == NULL) 117 goto err; 118 } 119 if (!ossl_prov_memdup(src->salt, src->salt_len, 120 &dest->salt, &dest->salt_len) 121 || !ossl_prov_memdup(src->pass, src->pass_len, 122 &dest->pass , &dest->pass_len)) 123 goto err; 124 dest->N = src->N; 125 dest->r = src->r; 126 dest->p = src->p; 127 dest->maxmem_bytes = src->maxmem_bytes; 128 dest->sha256 = src->sha256; 129 } 130 return dest; 131 132 err: 133 kdf_scrypt_free(dest); 134 return NULL; 135} 136 137static void kdf_scrypt_init(KDF_SCRYPT *ctx) 138{ 139 /* Default values are the most conservative recommendation given in the 140 * original paper of C. Percival. Derivation uses roughly 1 GiB of memory 141 * for this parameter choice (approx. 128 * r * N * p bytes). 142 */ 143 ctx->N = 1 << 20; 144 ctx->r = 8; 145 ctx->p = 1; 146 ctx->maxmem_bytes = 1025 * 1024 * 1024; 147} 148 149static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, 150 const OSSL_PARAM *p) 151{ 152 OPENSSL_clear_free(*buffer, *buflen); 153 *buffer = NULL; 154 *buflen = 0; 155 156 if (p->data_size == 0) { 157 if ((*buffer = OPENSSL_malloc(1)) == NULL) 158 return 0; 159 } else if (p->data != NULL) { 160 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) 161 return 0; 162 } 163 return 1; 164} 165 166static int set_digest(KDF_SCRYPT *ctx) 167{ 168 EVP_MD_free(ctx->sha256); 169 ctx->sha256 = EVP_MD_fetch(ctx->libctx, "sha256", ctx->propq); 170 if (ctx->sha256 == NULL) { 171 ERR_raise(ERR_LIB_PROV, PROV_R_UNABLE_TO_LOAD_SHA256); 172 return 0; 173 } 174 return 1; 175} 176 177static int set_property_query(KDF_SCRYPT *ctx, const char *propq) 178{ 179 OPENSSL_free(ctx->propq); 180 ctx->propq = NULL; 181 if (propq != NULL) { 182 ctx->propq = OPENSSL_strdup(propq); 183 if (ctx->propq == NULL) 184 return 0; 185 } 186 return 1; 187} 188 189static int kdf_scrypt_derive(void *vctx, unsigned char *key, size_t keylen, 190 const OSSL_PARAM params[]) 191{ 192 KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; 193 194 if (!ossl_prov_is_running() || !kdf_scrypt_set_ctx_params(ctx, params)) 195 return 0; 196 197 if (ctx->pass == NULL) { 198 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); 199 return 0; 200 } 201 202 if (ctx->salt == NULL) { 203 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT); 204 return 0; 205 } 206 207 if (ctx->sha256 == NULL && !set_digest(ctx)) 208 return 0; 209 210 return scrypt_alg((char *)ctx->pass, ctx->pass_len, ctx->salt, 211 ctx->salt_len, ctx->N, ctx->r, ctx->p, 212 ctx->maxmem_bytes, key, keylen, ctx->sha256, 213 ctx->libctx, ctx->propq); 214} 215 216static int is_power_of_two(uint64_t value) 217{ 218 return (value != 0) && ((value & (value - 1)) == 0); 219} 220 221{- produce_param_decoder('scrypt_set_ctx_params', 222 (['KDF_PARAM_PASSWORD', 'pw', 'octet_string'], 223 ['KDF_PARAM_SALT', 'salt', 'octet_string'], 224 ['KDF_PARAM_SCRYPT_N', 'n', 'uint64'], 225 ['KDF_PARAM_SCRYPT_R', 'r', 'uint32'], 226 ['KDF_PARAM_SCRYPT_P', 'p', 'uint32'], 227 ['KDF_PARAM_SCRYPT_MAXMEM', 'maxmem', 'uint64'], 228 ['KDF_PARAM_PROPERTIES', 'propq', 'utf8_string'], 229 )); -} 230 231static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[]) 232{ 233 struct scrypt_set_ctx_params_st p; 234 KDF_SCRYPT *ctx = vctx; 235 uint64_t u64_value; 236 237 if (ctx == NULL || !scrypt_set_ctx_params_decoder(params, &p)) 238 return 0; 239 240 if (p.pw != NULL && !scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p.pw)) 241 return 0; 242 243 if (p.salt != NULL && !scrypt_set_membuf(&ctx->salt, &ctx->salt_len, p.salt)) 244 return 0; 245 246 if (p.n != NULL) { 247 if (!OSSL_PARAM_get_uint64(p.n, &u64_value) 248 || u64_value <= 1 249 || !is_power_of_two(u64_value)) 250 return 0; 251 ctx->N = u64_value; 252 } 253 254 if (p.r != NULL) { 255 if (!OSSL_PARAM_get_uint64(p.r, &u64_value) || u64_value < 1) 256 return 0; 257 ctx->r = u64_value; 258 } 259 260 if (p.p != NULL) { 261 if (!OSSL_PARAM_get_uint64(p.p, &u64_value) || u64_value < 1) 262 return 0; 263 ctx->p = u64_value; 264 } 265 266 if (p.maxmem != NULL) { 267 if (!OSSL_PARAM_get_uint64(p.maxmem, &u64_value) || u64_value < 1) 268 return 0; 269 ctx->maxmem_bytes = u64_value; 270 } 271 272 if (p.propq != NULL) { 273 if (p.propq->data_type != OSSL_PARAM_UTF8_STRING 274 || !set_property_query(ctx, p.propq->data) 275 || !set_digest(ctx)) 276 return 0; 277 } 278 return 1; 279} 280 281static const OSSL_PARAM *kdf_scrypt_settable_ctx_params(ossl_unused void *ctx, 282 ossl_unused void *p_ctx) 283{ 284 return scrypt_set_ctx_params_list; 285} 286 287{- produce_param_decoder('scrypt_get_ctx_params', 288 (['KDF_PARAM_SIZE', 'size', 'size_t'], 289 )); -} 290 291static int kdf_scrypt_get_ctx_params(void *vctx, OSSL_PARAM params[]) 292{ 293 struct scrypt_get_ctx_params_st p; 294 KDF_SCRYPT *ctx = vctx; 295 296 if (ctx == NULL || !scrypt_get_ctx_params_decoder(params, &p)) 297 return 0; 298 299 if (p.size != NULL && !OSSL_PARAM_set_size_t(p.size, SIZE_MAX)) 300 return 0; 301 return 1; 302} 303 304static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *ctx, 305 ossl_unused void *p_ctx) 306{ 307 return scrypt_get_ctx_params_list; 308} 309 310const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = { 311 { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new }, 312 { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_scrypt_dup }, 313 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free }, 314 { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset }, 315 { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive }, 316 { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, 317 (void(*)(void))kdf_scrypt_settable_ctx_params }, 318 { OSSL_FUNC_KDF_SET_CTX_PARAMS, (void(*)(void))kdf_scrypt_set_ctx_params }, 319 { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, 320 (void(*)(void))kdf_scrypt_gettable_ctx_params }, 321 { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_scrypt_get_ctx_params }, 322 OSSL_DISPATCH_END 323}; 324 325#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) 326static void salsa208_word_specification(uint32_t inout[16]) 327{ 328 int i; 329 uint32_t x[16]; 330 331 memcpy(x, inout, sizeof(x)); 332 for (i = 8; i > 0; i -= 2) { 333 x[4] ^= R(x[0] + x[12], 7); 334 x[8] ^= R(x[4] + x[0], 9); 335 x[12] ^= R(x[8] + x[4], 13); 336 x[0] ^= R(x[12] + x[8], 18); 337 x[9] ^= R(x[5] + x[1], 7); 338 x[13] ^= R(x[9] + x[5], 9); 339 x[1] ^= R(x[13] + x[9], 13); 340 x[5] ^= R(x[1] + x[13], 18); 341 x[14] ^= R(x[10] + x[6], 7); 342 x[2] ^= R(x[14] + x[10], 9); 343 x[6] ^= R(x[2] + x[14], 13); 344 x[10] ^= R(x[6] + x[2], 18); 345 x[3] ^= R(x[15] + x[11], 7); 346 x[7] ^= R(x[3] + x[15], 9); 347 x[11] ^= R(x[7] + x[3], 13); 348 x[15] ^= R(x[11] + x[7], 18); 349 x[1] ^= R(x[0] + x[3], 7); 350 x[2] ^= R(x[1] + x[0], 9); 351 x[3] ^= R(x[2] + x[1], 13); 352 x[0] ^= R(x[3] + x[2], 18); 353 x[6] ^= R(x[5] + x[4], 7); 354 x[7] ^= R(x[6] + x[5], 9); 355 x[4] ^= R(x[7] + x[6], 13); 356 x[5] ^= R(x[4] + x[7], 18); 357 x[11] ^= R(x[10] + x[9], 7); 358 x[8] ^= R(x[11] + x[10], 9); 359 x[9] ^= R(x[8] + x[11], 13); 360 x[10] ^= R(x[9] + x[8], 18); 361 x[12] ^= R(x[15] + x[14], 7); 362 x[13] ^= R(x[12] + x[15], 9); 363 x[14] ^= R(x[13] + x[12], 13); 364 x[15] ^= R(x[14] + x[13], 18); 365 } 366 for (i = 0; i < 16; ++i) 367 inout[i] += x[i]; 368 OPENSSL_cleanse(x, sizeof(x)); 369} 370 371static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) 372{ 373 uint64_t i, j; 374 uint32_t X[16], *pB; 375 376 memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); 377 pB = B; 378 for (i = 0; i < r * 2; i++) { 379 for (j = 0; j < 16; j++) 380 X[j] ^= *pB++; 381 salsa208_word_specification(X); 382 memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); 383 } 384 OPENSSL_cleanse(X, sizeof(X)); 385} 386 387static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, 388 uint32_t *X, uint32_t *T, uint32_t *V) 389{ 390 unsigned char *pB; 391 uint32_t *pV; 392 uint64_t i, k; 393 394 /* Convert from little endian input */ 395 for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { 396 *pV = *pB++; 397 *pV |= *pB++ << 8; 398 *pV |= *pB++ << 16; 399 *pV |= (uint32_t)*pB++ << 24; 400 } 401 402 for (i = 1; i < N; i++, pV += 32 * r) 403 scryptBlockMix(pV, pV - 32 * r, r); 404 405 scryptBlockMix(X, V + (N - 1) * 32 * r, r); 406 407 for (i = 0; i < N; i++) { 408 uint32_t j; 409 j = X[16 * (2 * r - 1)] % N; 410 pV = V + 32 * r * j; 411 for (k = 0; k < 32 * r; k++) 412 T[k] = X[k] ^ *pV++; 413 scryptBlockMix(X, T, r); 414 } 415 /* Convert output to little endian */ 416 for (i = 0, pB = B; i < 32 * r; i++) { 417 uint32_t xtmp = X[i]; 418 *pB++ = xtmp & 0xff; 419 *pB++ = (xtmp >> 8) & 0xff; 420 *pB++ = (xtmp >> 16) & 0xff; 421 *pB++ = (xtmp >> 24) & 0xff; 422 } 423} 424 425#ifndef SIZE_MAX 426# define SIZE_MAX ((size_t)-1) 427#endif 428 429/* 430 * Maximum power of two that will fit in uint64_t: this should work on 431 * most (all?) platforms. 432 */ 433 434#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) 435 436/* 437 * Maximum value of p * r: 438 * p <= ((2^32-1) * hLen) / MFLen => 439 * p <= ((2^32-1) * 32) / (128 * r) => 440 * p * r <= (2^30-1) 441 */ 442 443#define SCRYPT_PR_MAX ((1 << 30) - 1) 444 445static int scrypt_alg(const char *pass, size_t passlen, 446 const unsigned char *salt, size_t saltlen, 447 uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, 448 unsigned char *key, size_t keylen, EVP_MD *sha256, 449 OSSL_LIB_CTX *libctx, const char *propq) 450{ 451 int rv = 0; 452 unsigned char *B; 453 uint32_t *X, *V, *T; 454 uint64_t i, Blen, Vlen; 455 456 /* Sanity check parameters */ 457 /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ 458 if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) 459 return 0; 460 /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ 461 if (p > SCRYPT_PR_MAX / r) { 462 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 463 return 0; 464 } 465 466 /* 467 * Need to check N: if 2^(128 * r / 8) overflows limit this is 468 * automatically satisfied since N <= UINT64_MAX. 469 */ 470 471 if (16 * r <= LOG2_UINT64_MAX) { 472 if (N >= (((uint64_t)1) << (16 * r))) { 473 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 474 return 0; 475 } 476 } 477 478 /* Memory checks: check total allocated buffer size fits in uint64_t */ 479 480 /* 481 * B size in section 5 step 1.S 482 * Note: we know p * 128 * r < UINT64_MAX because we already checked 483 * p * r < SCRYPT_PR_MAX 484 */ 485 Blen = p * 128 * r; 486 /* 487 * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would 488 * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] 489 */ 490 if (Blen > INT_MAX) { 491 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 492 return 0; 493 } 494 495 /* 496 * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t 497 * This is combined size V, X and T (section 4) 498 */ 499 i = UINT64_MAX / (32 * sizeof(uint32_t)); 500 if (N + 2 > i / r) { 501 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 502 return 0; 503 } 504 Vlen = 32 * r * (N + 2) * sizeof(uint32_t); 505 506 /* check total allocated size fits in uint64_t */ 507 if (Blen > UINT64_MAX - Vlen) { 508 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 509 return 0; 510 } 511 512 /* Check that the maximum memory doesn't exceed a size_t limits */ 513 if (maxmem > SIZE_MAX) 514 maxmem = SIZE_MAX; 515 516 if (Blen + Vlen > maxmem) { 517 ERR_raise(ERR_LIB_EVP, EVP_R_MEMORY_LIMIT_EXCEEDED); 518 return 0; 519 } 520 521 /* If no key return to indicate parameters are OK */ 522 if (key == NULL) 523 return 1; 524 525 B = OPENSSL_malloc((size_t)(Blen + Vlen)); 526 if (B == NULL) 527 return 0; 528 X = (uint32_t *)(B + Blen); 529 T = X + 32 * r; 530 V = T + 32 * r; 531 if (ossl_pkcs5_pbkdf2_hmac_ex(pass, (int)passlen, salt, (int)saltlen, 1, 532 sha256, (int)Blen, B, libctx, propq) == 0) 533 goto err; 534 535 for (i = 0; i < p; i++) 536 scryptROMix(B + 128 * r * i, r, N, X, T, V); 537 538 if (ossl_pkcs5_pbkdf2_hmac_ex(pass, (int)passlen, B, (int)Blen, 1, sha256, 539 (int)keylen, key, libctx, propq) == 0) 540 goto err; 541 rv = 1; 542 err: 543 if (rv == 0) 544 ERR_raise(ERR_LIB_EVP, EVP_R_PBKDF2_ERROR); 545 546 OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); 547 return rv; 548} 549 550#endif 551