[authen-passphrase-scrypt.git] / scrypt-1.2.1 / lib / scryptenc / scryptenc.c

/*-
 * Copyright 2009 Colin Percival
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * This file was originally written by Colin Percival as part of the Tarsnap
 * online backup system.
 */
#include "scrypt_platform.h"

#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "crypto_aes.h"
#include "crypto_aesctr.h"
#include "crypto_entropy.h"
#include "humansize.h"
#include "insecure_memzero.h"
#include "sha256.h"
#include "sysendian.h"

#include "crypto_scrypt.h"
#include "memlimit.h"
#include "scryptenc_cpuperf.h"

#include "scryptenc.h"

#define ENCBLOCK 65536

static int pickparams(size_t, double, double,
    int *, uint32_t *, uint32_t *, int);
static int checkparams(size_t, double, double, int, uint32_t, uint32_t, int,
    int);

static void
display_params(int logN, uint32_t r, uint32_t p, size_t memlimit,
    double opps, double maxtime)
{
	uint64_t N = (uint64_t)(1) << logN;
	uint64_t mem_minimum = 128 * r * N;
	double expected_seconds = 4 * N * p / opps;
	char * human_memlimit = humansize(memlimit);
	char * human_mem_minimum = humansize(mem_minimum);

	fprintf(stderr, "Parameters used: N = %" PRIu64 "; r = %" PRIu32
	    "; p = %" PRIu32 ";\n", N, r, p);
	fprintf(stderr, "    This requires at least %s bytes of memory "
	    "(%s available),\n", human_mem_minimum, human_memlimit);
	fprintf(stderr, "    and will take approximately %.1f seconds "
	    "(limit: %.1f seconds).\n", expected_seconds, maxtime);

	free(human_memlimit);
	free(human_mem_minimum);
}

static int
pickparams(size_t maxmem, double maxmemfrac, double maxtime,
    int * logN, uint32_t * r, uint32_t * p, int verbose)
{
	size_t memlimit;
	double opps;
	double opslimit;
	double maxN, maxrp;
	int rc;

	/* Figure out how much memory to use. */
	if (memtouse(maxmem, maxmemfrac, &memlimit))
		return (1);

	/* Figure out how fast the CPU is. */
	if ((rc = scryptenc_cpuperf(&opps)) != 0)
		return (rc);
	opslimit = opps * maxtime;

	/* Allow a minimum of 2^15 salsa20/8 cores. */
	if (opslimit < 32768)
		opslimit = 32768;

	/* Fix r = 8 for now. */
	*r = 8;

	/*
	 * The memory limit requires that 128Nr <= memlimit, while the CPU
	 * limit requires that 4Nrp <= opslimit.  If opslimit < memlimit/32,
	 * opslimit imposes the stronger limit on N.
	 */
#ifdef DEBUG
	fprintf(stderr, "Requiring 128Nr <= %zu, 4Nrp <= %f\n",
	    memlimit, opslimit);
#endif
	if (opslimit < (double)memlimit / 32) {
		/* Set p = 1 and choose N based on the CPU limit. */
		*p = 1;
		maxN = opslimit / (*r * 4);
		for (*logN = 1; *logN < 63; *logN += 1) {
			if ((uint64_t)(1) << *logN > maxN / 2)
				break;
		}
	} else {
		/* Set N based on the memory limit. */
		maxN = memlimit / (*r * 128);
		for (*logN = 1; *logN < 63; *logN += 1) {
			if ((uint64_t)(1) << *logN > maxN / 2)
				break;
		}

		/* Choose p based on the CPU limit. */
		maxrp = (opslimit / 4) / ((uint64_t)(1) << *logN);
		if (maxrp > 0x3fffffff)
			maxrp = 0x3fffffff;
		*p = (uint32_t)(maxrp) / *r;
	}

	if (verbose)
		display_params(*logN, *r, *p, memlimit, opps, maxtime);

	/* Success! */
	return (0);
}

static int
checkparams(size_t maxmem, double maxmemfrac, double maxtime,
    int logN, uint32_t r, uint32_t p, int verbose, int force)
{
	size_t memlimit;
	double opps;
	double opslimit;
	uint64_t N;
	int rc;

	/* Sanity-check values. */
	if ((logN < 1) || (logN > 63))
		return (7);
	if ((uint64_t)(r) * (uint64_t)(p) >= 0x40000000)
		return (7);

	/* Are we forcing decryption, regardless of resource limits? */
	if (!force) {
		/* Figure out the maximum amount of memory we can use. */
		if (memtouse(maxmem, maxmemfrac, &memlimit))
			return (1);

		/* Figure out how fast the CPU is. */
		if ((rc = scryptenc_cpuperf(&opps)) != 0)
			return (rc);
		opslimit = opps * maxtime;

		/* Check limits. */
		N = (uint64_t)(1) << logN;
		if ((memlimit / N) / r < 128)
			return (9);
		if ((opslimit / N) / (r * p) < 4)
			return (10);
	} else {
		/* We have no limit. */
		memlimit = 0;
		opps = 0;
	}

	if (verbose)
		display_params(logN, r, p, memlimit, opps, maxtime);

	/* Success! */
	return (0);
}

static int
scryptenc_setup(uint8_t header[96], uint8_t dk[64],
    const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose)
{
	uint8_t salt[32];
	uint8_t hbuf[32];
	int logN;
	uint64_t N;
	uint32_t r;
	uint32_t p;
	SHA256_CTX ctx;
	uint8_t * key_hmac = &dk[32];
	HMAC_SHA256_CTX hctx;
	int rc;

	/* Pick values for N, r, p. */
	if ((rc = pickparams(maxmem, maxmemfrac, maxtime,
	    &logN, &r, &p, verbose)) != 0)
		return (rc);
	N = (uint64_t)(1) << logN;

	/* Sanity check. */
	assert((logN > 0) && (logN < 256));

	/* Get some salt. */
	if (crypto_entropy_read(salt, 32))
		return (4);

	/* Generate the derived keys. */
	if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
		return (3);

	/* Construct the file header. */
	memcpy(header, "scrypt", 6);
	header[6] = 0;
	header[7] = logN & 0xff;
	be32enc(&header[8], r);
	be32enc(&header[12], p);
	memcpy(&header[16], salt, 32);

	/* Add header checksum. */
	SHA256_Init(&ctx);
	SHA256_Update(&ctx, header, 48);
	SHA256_Final(hbuf, &ctx);
	memcpy(&header[48], hbuf, 16);

	/* Add header signature (used for verifying password). */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, header, 64);
	HMAC_SHA256_Final(hbuf, &hctx);
	memcpy(&header[64], hbuf, 32);

	/* Success! */
	return (0);
}

static int
scryptdec_setup(const uint8_t header[96], uint8_t dk[64],
    const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose,
    int force)
{
	uint8_t salt[32];
	uint8_t hbuf[32];
	int logN;
	uint32_t r;
	uint32_t p;
	uint64_t N;
	SHA256_CTX ctx;
	uint8_t * key_hmac = &dk[32];
	HMAC_SHA256_CTX hctx;
	int rc;

	/* Parse N, r, p, salt. */
	logN = header[7];
	r = be32dec(&header[8]);
	p = be32dec(&header[12]);
	memcpy(salt, &header[16], 32);

	/* Verify header checksum. */
	SHA256_Init(&ctx);
	SHA256_Update(&ctx, header, 48);
	SHA256_Final(hbuf, &ctx);
	if (memcmp(&header[48], hbuf, 16))
		return (7);

	/*
	 * Check whether the provided parameters are valid and whether the
	 * key derivation function can be computed within the allowed memory
	 * and CPU time, unless the user chose to disable this test.
	 */
	if ((rc = checkparams(maxmem, maxmemfrac, maxtime, logN, r, p,
	    verbose, force)) != 0)
		return (rc);

	/* Compute the derived keys. */
	N = (uint64_t)(1) << logN;
	if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
		return (3);

	/* Check header signature (i.e., verify password). */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, header, 64);
	HMAC_SHA256_Final(hbuf, &hctx);
	if (memcmp(hbuf, &header[64], 32))
		return (11);

	/* Success! */
	return (0);
}

/**
 * scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen,
 *     maxmem, maxmemfrac, maxtime, verbose):
 * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128
 * bytes to outbuf.
 */
int
scryptenc_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
    const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose)
{
	uint8_t dk[64];
	uint8_t hbuf[32];
	uint8_t header[96];
	uint8_t * key_enc = dk;
	uint8_t * key_hmac = &dk[32];
	int rc;
	HMAC_SHA256_CTX hctx;
	struct crypto_aes_key * key_enc_exp;
	struct crypto_aesctr * AES;

	/* Generate the header and derived key. */
	if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
	    maxmem, maxmemfrac, maxtime, verbose)) != 0)
		return (rc);

	/* Copy header into output buffer. */
	memcpy(outbuf, header, 96);

	/* Encrypt data. */
	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
		return (5);
	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
		return (6);
	crypto_aesctr_stream(AES, inbuf, &outbuf[96], inbuflen);
	crypto_aesctr_free(AES);
	crypto_aes_key_free(key_enc_exp);

	/* Add signature. */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, outbuf, 96 + inbuflen);
	HMAC_SHA256_Final(hbuf, &hctx);
	memcpy(&outbuf[96 + inbuflen], hbuf, 32);

	/* Zero sensitive data. */
	insecure_memzero(dk, 64);

	/* Success! */
	return (0);
}

/**
 * scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen,
 *     maxmem, maxmemfrac, maxtime, verbose, force):
 * Decrypt inbuflen bytes from inbuf, writing the result into outbuf and the
 * decrypted data length to outlen.  The allocated length of outbuf must
 * be at least inbuflen.  If ${force} is 1, do not check whether
 * decryption will exceed the estimated available memory or time.
 */
int
scryptdec_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
    size_t * outlen, const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose,
    int force)
{
	uint8_t hbuf[32];
	uint8_t dk[64];
	uint8_t * key_enc = dk;
	uint8_t * key_hmac = &dk[32];
	int rc;
	HMAC_SHA256_CTX hctx;
	struct crypto_aes_key * key_enc_exp;
	struct crypto_aesctr * AES;

	/*
	 * All versions of the scrypt format will start with "scrypt" and
	 * have at least 7 bytes of header.
	 */
	if ((inbuflen < 7) || (memcmp(inbuf, "scrypt", 6) != 0))
		return (7);

	/* Check the format. */
	if (inbuf[6] != 0)
		return (8);

	/* We must have at least 128 bytes. */
	if (inbuflen < 128)
		return (7);

	/* Parse the header and generate derived keys. */
	if ((rc = scryptdec_setup(inbuf, dk, passwd, passwdlen,
	    maxmem, maxmemfrac, maxtime, verbose, force)) != 0)
		return (rc);

	/* Decrypt data. */
	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
		return (5);
	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
		return (6);
	crypto_aesctr_stream(AES, &inbuf[96], outbuf, inbuflen - 128);
	crypto_aesctr_free(AES);
	crypto_aes_key_free(key_enc_exp);
	*outlen = inbuflen - 128;

	/* Verify signature. */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, inbuf, inbuflen - 32);
	HMAC_SHA256_Final(hbuf, &hctx);
	if (memcmp(hbuf, &inbuf[inbuflen - 32], 32))
		return (7);

	/* Zero sensitive data. */
	insecure_memzero(dk, 64);

	/* Success! */
	return (0);
}

/**
 * scryptenc_file(infile, outfile, passwd, passwdlen,
 *     maxmem, maxmemfrac, maxtime, verbose):
 * Read a stream from infile and encrypt it, writing the resulting stream to
 * outfile.
 */
int
scryptenc_file(FILE * infile, FILE * outfile,
    const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose)
{
	uint8_t buf[ENCBLOCK];
	uint8_t dk[64];
	uint8_t hbuf[32];
	uint8_t header[96];
	uint8_t * key_enc = dk;
	uint8_t * key_hmac = &dk[32];
	size_t readlen;
	HMAC_SHA256_CTX hctx;
	struct crypto_aes_key * key_enc_exp;
	struct crypto_aesctr * AES;
	int rc;

	/* Generate the header and derived key. */
	if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
	    maxmem, maxmemfrac, maxtime, verbose)) != 0)
		return (rc);

	/* Hash and write the header. */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, header, 96);
	if (fwrite(header, 96, 1, outfile) != 1)
		return (12);

	/*
	 * Read blocks of data, encrypt them, and write them out; hash the
	 * data as it is produced.
	 */
	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
		return (5);
	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
		return (6);
	do {
		if ((readlen = fread(buf, 1, ENCBLOCK, infile)) == 0)
			break;
		crypto_aesctr_stream(AES, buf, buf, readlen);
		HMAC_SHA256_Update(&hctx, buf, readlen);
		if (fwrite(buf, 1, readlen, outfile) < readlen) {
			crypto_aesctr_free(AES);
			return (12);
		}
	} while (1);
	crypto_aesctr_free(AES);
	crypto_aes_key_free(key_enc_exp);

	/* Did we exit the loop due to a read error? */
	if (ferror(infile))
		return (13);

	/* Compute the final HMAC and output it. */
	HMAC_SHA256_Final(hbuf, &hctx);
	if (fwrite(hbuf, 32, 1, outfile) != 1)
		return (12);

	/* Zero sensitive data. */
	insecure_memzero(dk, 64);

	/* Success! */
	return (0);
}

/**
 * scryptdec_file(infile, outfile, passwd, passwdlen,
 *     maxmem, maxmemfrac, maxtime, verbose, force):
 * Read a stream from infile and decrypt it, writing the resulting stream to
 * outfile.  If ${force} is 1, do not check whether decryption
 * will exceed the estimated available memory or time.
 */
int
scryptdec_file(FILE * infile, FILE * outfile,
    const uint8_t * passwd, size_t passwdlen,
    size_t maxmem, double maxmemfrac, double maxtime, int verbose,
    int force)
{
	uint8_t buf[ENCBLOCK + 32];
	uint8_t header[96];
	uint8_t hbuf[32];
	uint8_t dk[64];
	uint8_t * key_enc = dk;
	uint8_t * key_hmac = &dk[32];
	size_t buflen = 0;
	size_t readlen;
	HMAC_SHA256_CTX hctx;
	struct crypto_aes_key * key_enc_exp;
	struct crypto_aesctr * AES;
	int rc;

	/*
	 * Read the first 7 bytes of the file; all future versions of scrypt
	 * are guaranteed to have at least 7 bytes of header.
	 */
	if (fread(header, 7, 1, infile) < 1) {
		if (ferror(infile))
			return (13);
		else
			return (7);
	}

	/* Do we have the right magic? */
	if (memcmp(header, "scrypt", 6))
		return (7);
	if (header[6] != 0)
		return (8);

	/*
	 * Read another 89 bytes of the file; version 0 of the scrypt file
	 * format has a 96-byte header.
	 */
	if (fread(&header[7], 89, 1, infile) < 1) {
		if (ferror(infile))
			return (13);
		else
			return (7);
	}

	/* Parse the header and generate derived keys. */
	if ((rc = scryptdec_setup(header, dk, passwd, passwdlen,
	    maxmem, maxmemfrac, maxtime, verbose, force)) != 0)
		return (rc);

	/* Start hashing with the header. */
	HMAC_SHA256_Init(&hctx, key_hmac, 32);
	HMAC_SHA256_Update(&hctx, header, 96);

	/*
	 * We don't know how long the encrypted data block is (we can't know,
	 * since data can be streamed into 'scrypt enc') so we need to read
	 * data and decrypt all of it except the final 32 bytes, then check
	 * if that final 32 bytes is the correct signature.
	 */
	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
		return (5);
	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
		return (6);
	do {
		/* Read data until we have more than 32 bytes of it. */
		if ((readlen = fread(&buf[buflen], 1,
		    ENCBLOCK + 32 - buflen, infile)) == 0)
			break;
		buflen += readlen;
		if (buflen <= 32)
			continue;

		/*
		 * Decrypt, hash, and output everything except the last 32
		 * bytes out of what we have in our buffer.
		 */
		HMAC_SHA256_Update(&hctx, buf, buflen - 32);
		crypto_aesctr_stream(AES, buf, buf, buflen - 32);
		if (fwrite(buf, 1, buflen - 32, outfile) < buflen - 32) {
			crypto_aesctr_free(AES);
			return (12);
		}

		/* Move the last 32 bytes to the start of the buffer. */
		memmove(buf, &buf[buflen - 32], 32);
		buflen = 32;
	} while (1);
	crypto_aesctr_free(AES);
	crypto_aes_key_free(key_enc_exp);

	/* Did we exit the loop due to a read error? */
	if (ferror(infile))
		return (13);

	/* Did we read enough data that we *might* have a valid signature? */
	if (buflen < 32)
		return (7);

	/* Verify signature. */
	HMAC_SHA256_Final(hbuf, &hctx);
	if (memcmp(hbuf, buf, 32))
		return (7);

	/* Zero sensitive data. */
	insecure_memzero(dk, 64);

	return (0);
}
Commit	Line	Data
0c1f3509 MG	1	/*-
	2	* Copyright 2009 Colin Percival
	3	* All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	15	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	16	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	17	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	18	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	19	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	20	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	21	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	22	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	23	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	24	* SUCH DAMAGE.
	25	*
	26	* This file was originally written by Colin Percival as part of the Tarsnap
	27	* online backup system.
	28	*/
	29	#include "scrypt_platform.h"
	30
	31	#include <assert.h>
	32	#include <inttypes.h>
	33	#include <stdint.h>
	34	#include <stdio.h>
	35	#include <stdlib.h>
	36	#include <string.h>
	37
	38	#include "crypto_aes.h"
	39	#include "crypto_aesctr.h"
	40	#include "crypto_entropy.h"
	41	#include "humansize.h"
	42	#include "insecure_memzero.h"
	43	#include "sha256.h"
	44	#include "sysendian.h"
	45
	46	#include "crypto_scrypt.h"
	47	#include "memlimit.h"
	48	#include "scryptenc_cpuperf.h"
	49
	50	#include "scryptenc.h"
	51
	52	#define ENCBLOCK 65536
	53
	54	static int pickparams(size_t, double, double,
	55	int , uint32_t , uint32_t *, int);
	56	static int checkparams(size_t, double, double, int, uint32_t, uint32_t, int,
	57	int);
	58
	59	static void
	60	display_params(int logN, uint32_t r, uint32_t p, size_t memlimit,
	61	double opps, double maxtime)
	62	{
	63	uint64_t N = (uint64_t)(1) << logN;
	64	uint64_t mem_minimum = 128 * r * N;
65	double expected_seconds = 4 * N * p / opps;
66	char * human_memlimit = humansize(memlimit);
67	char * human_mem_minimum = humansize(mem_minimum);
68
69	fprintf(stderr, "Parameters used: N = %" PRIu64 "; r = %" PRIu32
70	"; p = %" PRIu32 ";\n", N, r, p);
71	fprintf(stderr, " This requires at least %s bytes of memory "
72	"(%s available),\n", human_mem_minimum, human_memlimit);
73	fprintf(stderr, " and will take approximately %.1f seconds "
74	"(limit: %.1f seconds).\n", expected_seconds, maxtime);
75
76	free(human_memlimit);
77	free(human_mem_minimum);
78	}
79
80	static int
81	pickparams(size_t maxmem, double maxmemfrac, double maxtime,
82	int * logN, uint32_t * r, uint32_t * p, int verbose)
83	{
84	size_t memlimit;
85	double opps;
86	double opslimit;
87	double maxN, maxrp;
88	int rc;
89
90	/* Figure out how much memory to use. */
91	if (memtouse(maxmem, maxmemfrac, &memlimit))
92	return (1);
93
94	/* Figure out how fast the CPU is. */
95	if ((rc = scryptenc_cpuperf(&opps)) != 0)
96	return (rc);
97	opslimit = opps * maxtime;
98
99	/* Allow a minimum of 2^15 salsa20/8 cores. */
100	if (opslimit < 32768)
101	opslimit = 32768;
102
103	/* Fix r = 8 for now. */
104	*r = 8;
105
106	/*
107	* The memory limit requires that 128Nr <= memlimit, while the CPU
108	* limit requires that 4Nrp <= opslimit. If opslimit < memlimit/32,
109	* opslimit imposes the stronger limit on N.
110	*/
111	#ifdef DEBUG
112	fprintf(stderr, "Requiring 128Nr <= %zu, 4Nrp <= %f\n",
113	memlimit, opslimit);
114	#endif
115	if (opslimit < (double)memlimit / 32) {
116	/* Set p = 1 and choose N based on the CPU limit. */
117	*p = 1;
118	maxN = opslimit / (r 4);
119	for (logN = 1; logN < 63; *logN += 1) {
120	if ((uint64_t)(1) << *logN > maxN / 2)
121	break;
122	}
123	} else {
124	/* Set N based on the memory limit. */
125	maxN = memlimit / (r 128);
126	for (logN = 1; logN < 63; *logN += 1) {
127	if ((uint64_t)(1) << *logN > maxN / 2)
128	break;
129	}
130
131	/* Choose p based on the CPU limit. */
132	maxrp = (opslimit / 4) / ((uint64_t)(1) << *logN);
133	if (maxrp > 0x3fffffff)
134	maxrp = 0x3fffffff;
135	p = (uint32_t)(maxrp) / r;
136	}
137
138	if (verbose)
139	display_params(logN, r, *p, memlimit, opps, maxtime);
140
141	/* Success! */
142	return (0);
143	}
144
145	static int
146	checkparams(size_t maxmem, double maxmemfrac, double maxtime,
147	int logN, uint32_t r, uint32_t p, int verbose, int force)
148	{
149	size_t memlimit;
150	double opps;
151	double opslimit;
152	uint64_t N;
153	int rc;
154
155	/* Sanity-check values. */
156	if ((logN < 1) \|\| (logN > 63))
157	return (7);
158	if ((uint64_t)(r) * (uint64_t)(p) >= 0x40000000)
159	return (7);
160
161	/* Are we forcing decryption, regardless of resource limits? */
162	if (!force) {
163	/* Figure out the maximum amount of memory we can use. */
164	if (memtouse(maxmem, maxmemfrac, &memlimit))
165	return (1);
166
167	/* Figure out how fast the CPU is. */
168	if ((rc = scryptenc_cpuperf(&opps)) != 0)
169	return (rc);
170	opslimit = opps * maxtime;
171
172	/* Check limits. */
173	N = (uint64_t)(1) << logN;
174	if ((memlimit / N) / r < 128)
175	return (9);
176	if ((opslimit / N) / (r * p) < 4)
177	return (10);
178	} else {
179	/* We have no limit. */
180	memlimit = 0;
181	opps = 0;
182	}
183
184	if (verbose)
185	display_params(logN, r, p, memlimit, opps, maxtime);
186
187	/* Success! */
188	return (0);
189	}
190
191	static int
192	scryptenc_setup(uint8_t header[96], uint8_t dk[64],
193	const uint8_t * passwd, size_t passwdlen,
194	size_t maxmem, double maxmemfrac, double maxtime, int verbose)
195	{
196	uint8_t salt[32];
197	uint8_t hbuf[32];
198	int logN;
199	uint64_t N;
200	uint32_t r;
201	uint32_t p;
202	SHA256_CTX ctx;
203	uint8_t * key_hmac = &dk[32];
204	HMAC_SHA256_CTX hctx;
205	int rc;
206
207	/* Pick values for N, r, p. */
208	if ((rc = pickparams(maxmem, maxmemfrac, maxtime,
209	&logN, &r, &p, verbose)) != 0)
210	return (rc);
211	N = (uint64_t)(1) << logN;
212
213	/* Sanity check. */
214	assert((logN > 0) && (logN < 256));
215
216	/* Get some salt. */
217	if (crypto_entropy_read(salt, 32))
218	return (4);
219
220	/* Generate the derived keys. */
221	if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
222	return (3);
223
224	/* Construct the file header. */
225	memcpy(header, "scrypt", 6);
226	header[6] = 0;
227	header[7] = logN & 0xff;
228	be32enc(&header[8], r);
229	be32enc(&header[12], p);
230	memcpy(&header[16], salt, 32);
231
232	/* Add header checksum. */
233	SHA256_Init(&ctx);
234	SHA256_Update(&ctx, header, 48);
235	SHA256_Final(hbuf, &ctx);
236	memcpy(&header[48], hbuf, 16);
237
238	/* Add header signature (used for verifying password). */
239	HMAC_SHA256_Init(&hctx, key_hmac, 32);
240	HMAC_SHA256_Update(&hctx, header, 64);
241	HMAC_SHA256_Final(hbuf, &hctx);
242	memcpy(&header[64], hbuf, 32);
243
244	/* Success! */
245	return (0);
246	}
247
248	static int
249	scryptdec_setup(const uint8_t header[96], uint8_t dk[64],
250	const uint8_t * passwd, size_t passwdlen,
251	size_t maxmem, double maxmemfrac, double maxtime, int verbose,
252	int force)
253	{
254	uint8_t salt[32];
255	uint8_t hbuf[32];
256	int logN;
257	uint32_t r;
258	uint32_t p;
259	uint64_t N;
260	SHA256_CTX ctx;
261	uint8_t * key_hmac = &dk[32];
262	HMAC_SHA256_CTX hctx;
263	int rc;
264
265	/* Parse N, r, p, salt. */
266	logN = header[7];
267	r = be32dec(&header[8]);
268	p = be32dec(&header[12]);
269	memcpy(salt, &header[16], 32);
270
271	/* Verify header checksum. */
272	SHA256_Init(&ctx);
273	SHA256_Update(&ctx, header, 48);
274	SHA256_Final(hbuf, &ctx);
275	if (memcmp(&header[48], hbuf, 16))
276	return (7);
277
278	/*
279	* Check whether the provided parameters are valid and whether the
280	* key derivation function can be computed within the allowed memory
281	* and CPU time, unless the user chose to disable this test.
282	*/
283	if ((rc = checkparams(maxmem, maxmemfrac, maxtime, logN, r, p,
284	verbose, force)) != 0)
285	return (rc);
286
287	/* Compute the derived keys. */
288	N = (uint64_t)(1) << logN;
289	if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
290	return (3);
291
292	/* Check header signature (i.e., verify password). */
293	HMAC_SHA256_Init(&hctx, key_hmac, 32);
294	HMAC_SHA256_Update(&hctx, header, 64);
295	HMAC_SHA256_Final(hbuf, &hctx);
296	if (memcmp(hbuf, &header[64], 32))
297	return (11);
298
299	/* Success! */
300	return (0);
301	}
302
303	/**
304	* scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen,
305	* maxmem, maxmemfrac, maxtime, verbose):
306	* Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128
307	* bytes to outbuf.
308	*/
309	int
310	scryptenc_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
311	const uint8_t * passwd, size_t passwdlen,
312	size_t maxmem, double maxmemfrac, double maxtime, int verbose)
313	{
314	uint8_t dk[64];
315	uint8_t hbuf[32];
316	uint8_t header[96];
317	uint8_t * key_enc = dk;
318	uint8_t * key_hmac = &dk[32];
319	int rc;
320	HMAC_SHA256_CTX hctx;
321	struct crypto_aes_key * key_enc_exp;
322	struct crypto_aesctr * AES;
323
324	/* Generate the header and derived key. */
325	if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
326	maxmem, maxmemfrac, maxtime, verbose)) != 0)
327	return (rc);
328
329	/* Copy header into output buffer. */
330	memcpy(outbuf, header, 96);
331
332	/* Encrypt data. */
333	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
334	return (5);
335	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
336	return (6);
337	crypto_aesctr_stream(AES, inbuf, &outbuf[96], inbuflen);
338	crypto_aesctr_free(AES);
339	crypto_aes_key_free(key_enc_exp);
340
341	/* Add signature. */
342	HMAC_SHA256_Init(&hctx, key_hmac, 32);
343	HMAC_SHA256_Update(&hctx, outbuf, 96 + inbuflen);
344	HMAC_SHA256_Final(hbuf, &hctx);
345	memcpy(&outbuf[96 + inbuflen], hbuf, 32);
346
347	/* Zero sensitive data. */
348	insecure_memzero(dk, 64);
349
350	/* Success! */
351	return (0);
352	}
353
354	/**
355	* scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen,
356	* maxmem, maxmemfrac, maxtime, verbose, force):
357	* Decrypt inbuflen bytes from inbuf, writing the result into outbuf and the
358	* decrypted data length to outlen. The allocated length of outbuf must
359	* be at least inbuflen. If ${force} is 1, do not check whether
360	* decryption will exceed the estimated available memory or time.
361	*/
362	int
363	scryptdec_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
364	size_t * outlen, const uint8_t * passwd, size_t passwdlen,
365	size_t maxmem, double maxmemfrac, double maxtime, int verbose,
366	int force)
367	{
368	uint8_t hbuf[32];
369	uint8_t dk[64];
370	uint8_t * key_enc = dk;
371	uint8_t * key_hmac = &dk[32];
372	int rc;
373	HMAC_SHA256_CTX hctx;
374	struct crypto_aes_key * key_enc_exp;
375	struct crypto_aesctr * AES;
376
377	/*
378	* All versions of the scrypt format will start with "scrypt" and
379	* have at least 7 bytes of header.
380	*/
381	if ((inbuflen < 7) \|\| (memcmp(inbuf, "scrypt", 6) != 0))
382	return (7);
383
384	/* Check the format. */
385	if (inbuf[6] != 0)
386	return (8);
387
388	/* We must have at least 128 bytes. */
389	if (inbuflen < 128)
390	return (7);
391
392	/* Parse the header and generate derived keys. */
393	if ((rc = scryptdec_setup(inbuf, dk, passwd, passwdlen,
394	maxmem, maxmemfrac, maxtime, verbose, force)) != 0)
395	return (rc);
396
397	/* Decrypt data. */
398	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
399	return (5);
400	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
401	return (6);
402	crypto_aesctr_stream(AES, &inbuf[96], outbuf, inbuflen - 128);
403	crypto_aesctr_free(AES);
404	crypto_aes_key_free(key_enc_exp);
405	*outlen = inbuflen - 128;
406
407	/* Verify signature. */
408	HMAC_SHA256_Init(&hctx, key_hmac, 32);
409	HMAC_SHA256_Update(&hctx, inbuf, inbuflen - 32);
410	HMAC_SHA256_Final(hbuf, &hctx);
411	if (memcmp(hbuf, &inbuf[inbuflen - 32], 32))
412	return (7);
413
414	/* Zero sensitive data. */
415	insecure_memzero(dk, 64);
416
417	/* Success! */
418	return (0);
419	}
420
421	/**
422	* scryptenc_file(infile, outfile, passwd, passwdlen,
423	* maxmem, maxmemfrac, maxtime, verbose):
424	* Read a stream from infile and encrypt it, writing the resulting stream to
425	* outfile.
426	*/
427	int
428	scryptenc_file(FILE * infile, FILE * outfile,
429	const uint8_t * passwd, size_t passwdlen,
430	size_t maxmem, double maxmemfrac, double maxtime, int verbose)
431	{
432	uint8_t buf[ENCBLOCK];
433	uint8_t dk[64];
434	uint8_t hbuf[32];
435	uint8_t header[96];
436	uint8_t * key_enc = dk;
437	uint8_t * key_hmac = &dk[32];
438	size_t readlen;
439	HMAC_SHA256_CTX hctx;
440	struct crypto_aes_key * key_enc_exp;
441	struct crypto_aesctr * AES;
442	int rc;
443
444	/* Generate the header and derived key. */
445	if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
446	maxmem, maxmemfrac, maxtime, verbose)) != 0)
447	return (rc);
448
449	/* Hash and write the header. */
450	HMAC_SHA256_Init(&hctx, key_hmac, 32);
451	HMAC_SHA256_Update(&hctx, header, 96);
452	if (fwrite(header, 96, 1, outfile) != 1)
453	return (12);
454
455	/*
456	* Read blocks of data, encrypt them, and write them out; hash the
457	* data as it is produced.
458	*/
459	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
460	return (5);
461	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
462	return (6);
463	do {
464	if ((readlen = fread(buf, 1, ENCBLOCK, infile)) == 0)
465	break;
466	crypto_aesctr_stream(AES, buf, buf, readlen);
467	HMAC_SHA256_Update(&hctx, buf, readlen);
468	if (fwrite(buf, 1, readlen, outfile) < readlen) {
469	crypto_aesctr_free(AES);
470	return (12);
471	}
472	} while (1);
473	crypto_aesctr_free(AES);
474	crypto_aes_key_free(key_enc_exp);
475
476	/* Did we exit the loop due to a read error? */
477	if (ferror(infile))
478	return (13);
479
480	/* Compute the final HMAC and output it. */
481	HMAC_SHA256_Final(hbuf, &hctx);
482	if (fwrite(hbuf, 32, 1, outfile) != 1)
483	return (12);
484
485	/* Zero sensitive data. */
486	insecure_memzero(dk, 64);
487
488	/* Success! */
489	return (0);
490	}
491
492	/**
493	* scryptdec_file(infile, outfile, passwd, passwdlen,
494	* maxmem, maxmemfrac, maxtime, verbose, force):
495	* Read a stream from infile and decrypt it, writing the resulting stream to
496	* outfile. If ${force} is 1, do not check whether decryption
497	* will exceed the estimated available memory or time.
498	*/
499	int
500	scryptdec_file(FILE * infile, FILE * outfile,
501	const uint8_t * passwd, size_t passwdlen,
502	size_t maxmem, double maxmemfrac, double maxtime, int verbose,
503	int force)
504	{
505	uint8_t buf[ENCBLOCK + 32];
506	uint8_t header[96];
507	uint8_t hbuf[32];
508	uint8_t dk[64];
509	uint8_t * key_enc = dk;
510	uint8_t * key_hmac = &dk[32];
511	size_t buflen = 0;
512	size_t readlen;
513	HMAC_SHA256_CTX hctx;
514	struct crypto_aes_key * key_enc_exp;
515	struct crypto_aesctr * AES;
516	int rc;
517
518	/*
519	* Read the first 7 bytes of the file; all future versions of scrypt
520	* are guaranteed to have at least 7 bytes of header.
521	*/
522	if (fread(header, 7, 1, infile) < 1) {
523	if (ferror(infile))
524	return (13);
525	else
526	return (7);
527	}
528
529	/* Do we have the right magic? */
530	if (memcmp(header, "scrypt", 6))
531	return (7);
532	if (header[6] != 0)
533	return (8);
534
535	/*
536	* Read another 89 bytes of the file; version 0 of the scrypt file
537	* format has a 96-byte header.
538	*/
539	if (fread(&header[7], 89, 1, infile) < 1) {
540	if (ferror(infile))
541	return (13);
542	else
543	return (7);
544	}
545
546	/* Parse the header and generate derived keys. */
547	if ((rc = scryptdec_setup(header, dk, passwd, passwdlen,
548	maxmem, maxmemfrac, maxtime, verbose, force)) != 0)
549	return (rc);
550
551	/* Start hashing with the header. */
552	HMAC_SHA256_Init(&hctx, key_hmac, 32);
553	HMAC_SHA256_Update(&hctx, header, 96);
554
555	/*
556	* We don't know how long the encrypted data block is (we can't know,
557	* since data can be streamed into 'scrypt enc') so we need to read
558	* data and decrypt all of it except the final 32 bytes, then check
559	* if that final 32 bytes is the correct signature.
560	*/
561	if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL)
562	return (5);
563	if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL)
564	return (6);
565	do {
566	/* Read data until we have more than 32 bytes of it. */
567	if ((readlen = fread(&buf[buflen], 1,
568	ENCBLOCK + 32 - buflen, infile)) == 0)
569	break;
570	buflen += readlen;
571	if (buflen <= 32)
572	continue;
573
574	/*
575	* Decrypt, hash, and output everything except the last 32
576	* bytes out of what we have in our buffer.
577	*/
578	HMAC_SHA256_Update(&hctx, buf, buflen - 32);
579	crypto_aesctr_stream(AES, buf, buf, buflen - 32);
580	if (fwrite(buf, 1, buflen - 32, outfile) < buflen - 32) {
581	crypto_aesctr_free(AES);
582	return (12);
583	}
584
585	/* Move the last 32 bytes to the start of the buffer. */
586	memmove(buf, &buf[buflen - 32], 32);
587	buflen = 32;
588	} while (1);
589	crypto_aesctr_free(AES);
590	crypto_aes_key_free(key_enc_exp);
591
592	/* Did we exit the loop due to a read error? */
593	if (ferror(infile))
594	return (13);
595
596	/* Did we read enough data that we might have a valid signature? */
597	if (buflen < 32)
598	return (7);
599
600	/* Verify signature. */
601	HMAC_SHA256_Final(hbuf, &hctx);
602	if (memcmp(hbuf, buf, 32))
603	return (7);
604
605	/* Zero sensitive data. */
606	insecure_memzero(dk, 64);
607
608	return (0);
609	}