| 1 | /*- |
| 2 | * Copyright 2009 Colin Percival |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * 1. Redistributions of source code must retain the above copyright |
| 9 | * notice, this list of conditions and the following disclaimer. |
| 10 | * 2. Redistributions in binary form must reproduce the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer in the |
| 12 | * documentation and/or other materials provided with the distribution. |
| 13 | * |
| 14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| 15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 24 | * SUCH DAMAGE. |
| 25 | * |
| 26 | * This file was originally written by Colin Percival as part of the Tarsnap |
| 27 | * online backup system. |
| 28 | */ |
| 29 | #include "scrypt_platform.h" |
| 30 | |
| 31 | #include <assert.h> |
| 32 | #include <inttypes.h> |
| 33 | #include <stdint.h> |
| 34 | #include <stdio.h> |
| 35 | #include <stdlib.h> |
| 36 | #include <string.h> |
| 37 | |
| 38 | #include "crypto_aes.h" |
| 39 | #include "crypto_aesctr.h" |
| 40 | #include "crypto_entropy.h" |
| 41 | #include "humansize.h" |
| 42 | #include "insecure_memzero.h" |
| 43 | #include "sha256.h" |
| 44 | #include "sysendian.h" |
| 45 | |
| 46 | #include "crypto_scrypt.h" |
| 47 | #include "memlimit.h" |
| 48 | #include "scryptenc_cpuperf.h" |
| 49 | |
| 50 | #include "scryptenc.h" |
| 51 | |
| 52 | #define ENCBLOCK 65536 |
| 53 | |
| 54 | static int pickparams(size_t, double, double, |
| 55 | int *, uint32_t *, uint32_t *, int); |
| 56 | static int checkparams(size_t, double, double, int, uint32_t, uint32_t, int, |
| 57 | int); |
| 58 | |
| 59 | static void |
| 60 | display_params(int logN, uint32_t r, uint32_t p, size_t memlimit, |
| 61 | double opps, double maxtime) |
| 62 | { |
| 63 | uint64_t N = (uint64_t)(1) << logN; |
| 64 | uint64_t mem_minimum = 128 * r * N; |
| 65 | double expected_seconds = 4 * N * p / opps; |
| 66 | char * human_memlimit = humansize(memlimit); |
| 67 | char * human_mem_minimum = humansize(mem_minimum); |
| 68 | |
| 69 | fprintf(stderr, "Parameters used: N = %" PRIu64 "; r = %" PRIu32 |
| 70 | "; p = %" PRIu32 ";\n", N, r, p); |
| 71 | fprintf(stderr, " This requires at least %s bytes of memory " |
| 72 | "(%s available),\n", human_mem_minimum, human_memlimit); |
| 73 | fprintf(stderr, " and will take approximately %.1f seconds " |
| 74 | "(limit: %.1f seconds).\n", expected_seconds, maxtime); |
| 75 | |
| 76 | free(human_memlimit); |
| 77 | free(human_mem_minimum); |
| 78 | } |
| 79 | |
| 80 | static int |
| 81 | pickparams(size_t maxmem, double maxmemfrac, double maxtime, |
| 82 | int * logN, uint32_t * r, uint32_t * p, int verbose) |
| 83 | { |
| 84 | size_t memlimit; |
| 85 | double opps; |
| 86 | double opslimit; |
| 87 | double maxN, maxrp; |
| 88 | int rc; |
| 89 | |
| 90 | /* Figure out how much memory to use. */ |
| 91 | if (memtouse(maxmem, maxmemfrac, &memlimit)) |
| 92 | return (1); |
| 93 | |
| 94 | /* Figure out how fast the CPU is. */ |
| 95 | if ((rc = scryptenc_cpuperf(&opps)) != 0) |
| 96 | return (rc); |
| 97 | opslimit = opps * maxtime; |
| 98 | |
| 99 | /* Allow a minimum of 2^15 salsa20/8 cores. */ |
| 100 | if (opslimit < 32768) |
| 101 | opslimit = 32768; |
| 102 | |
| 103 | /* Fix r = 8 for now. */ |
| 104 | *r = 8; |
| 105 | |
| 106 | /* |
| 107 | * The memory limit requires that 128Nr <= memlimit, while the CPU |
| 108 | * limit requires that 4Nrp <= opslimit. If opslimit < memlimit/32, |
| 109 | * opslimit imposes the stronger limit on N. |
| 110 | */ |
| 111 | #ifdef DEBUG |
| 112 | fprintf(stderr, "Requiring 128Nr <= %zu, 4Nrp <= %f\n", |
| 113 | memlimit, opslimit); |
| 114 | #endif |
| 115 | if (opslimit < (double)memlimit / 32) { |
| 116 | /* Set p = 1 and choose N based on the CPU limit. */ |
| 117 | *p = 1; |
| 118 | maxN = opslimit / (*r * 4); |
| 119 | for (*logN = 1; *logN < 63; *logN += 1) { |
| 120 | if ((uint64_t)(1) << *logN > maxN / 2) |
| 121 | break; |
| 122 | } |
| 123 | } else { |
| 124 | /* Set N based on the memory limit. */ |
| 125 | maxN = memlimit / (*r * 128); |
| 126 | for (*logN = 1; *logN < 63; *logN += 1) { |
| 127 | if ((uint64_t)(1) << *logN > maxN / 2) |
| 128 | break; |
| 129 | } |
| 130 | |
| 131 | /* Choose p based on the CPU limit. */ |
| 132 | maxrp = (opslimit / 4) / ((uint64_t)(1) << *logN); |
| 133 | if (maxrp > 0x3fffffff) |
| 134 | maxrp = 0x3fffffff; |
| 135 | *p = (uint32_t)(maxrp) / *r; |
| 136 | } |
| 137 | |
| 138 | if (verbose) |
| 139 | display_params(*logN, *r, *p, memlimit, opps, maxtime); |
| 140 | |
| 141 | /* Success! */ |
| 142 | return (0); |
| 143 | } |
| 144 | |
| 145 | static int |
| 146 | checkparams(size_t maxmem, double maxmemfrac, double maxtime, |
| 147 | int logN, uint32_t r, uint32_t p, int verbose, int force) |
| 148 | { |
| 149 | size_t memlimit; |
| 150 | double opps; |
| 151 | double opslimit; |
| 152 | uint64_t N; |
| 153 | int rc; |
| 154 | |
| 155 | /* Sanity-check values. */ |
| 156 | if ((logN < 1) || (logN > 63)) |
| 157 | return (7); |
| 158 | if ((uint64_t)(r) * (uint64_t)(p) >= 0x40000000) |
| 159 | return (7); |
| 160 | |
| 161 | /* Are we forcing decryption, regardless of resource limits? */ |
| 162 | if (!force) { |
| 163 | /* Figure out the maximum amount of memory we can use. */ |
| 164 | if (memtouse(maxmem, maxmemfrac, &memlimit)) |
| 165 | return (1); |
| 166 | |
| 167 | /* Figure out how fast the CPU is. */ |
| 168 | if ((rc = scryptenc_cpuperf(&opps)) != 0) |
| 169 | return (rc); |
| 170 | opslimit = opps * maxtime; |
| 171 | |
| 172 | /* Check limits. */ |
| 173 | N = (uint64_t)(1) << logN; |
| 174 | if ((memlimit / N) / r < 128) |
| 175 | return (9); |
| 176 | if ((opslimit / N) / (r * p) < 4) |
| 177 | return (10); |
| 178 | } else { |
| 179 | /* We have no limit. */ |
| 180 | memlimit = 0; |
| 181 | opps = 0; |
| 182 | } |
| 183 | |
| 184 | if (verbose) |
| 185 | display_params(logN, r, p, memlimit, opps, maxtime); |
| 186 | |
| 187 | /* Success! */ |
| 188 | return (0); |
| 189 | } |
| 190 | |
| 191 | static int |
| 192 | scryptenc_setup(uint8_t header[96], uint8_t dk[64], |
| 193 | const uint8_t * passwd, size_t passwdlen, |
| 194 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) |
| 195 | { |
| 196 | uint8_t salt[32]; |
| 197 | uint8_t hbuf[32]; |
| 198 | int logN; |
| 199 | uint64_t N; |
| 200 | uint32_t r; |
| 201 | uint32_t p; |
| 202 | SHA256_CTX ctx; |
| 203 | uint8_t * key_hmac = &dk[32]; |
| 204 | HMAC_SHA256_CTX hctx; |
| 205 | int rc; |
| 206 | |
| 207 | /* Pick values for N, r, p. */ |
| 208 | if ((rc = pickparams(maxmem, maxmemfrac, maxtime, |
| 209 | &logN, &r, &p, verbose)) != 0) |
| 210 | return (rc); |
| 211 | N = (uint64_t)(1) << logN; |
| 212 | |
| 213 | /* Sanity check. */ |
| 214 | assert((logN > 0) && (logN < 256)); |
| 215 | |
| 216 | /* Get some salt. */ |
| 217 | if (crypto_entropy_read(salt, 32)) |
| 218 | return (4); |
| 219 | |
| 220 | /* Generate the derived keys. */ |
| 221 | if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64)) |
| 222 | return (3); |
| 223 | |
| 224 | /* Construct the file header. */ |
| 225 | memcpy(header, "scrypt", 6); |
| 226 | header[6] = 0; |
| 227 | header[7] = logN & 0xff; |
| 228 | be32enc(&header[8], r); |
| 229 | be32enc(&header[12], p); |
| 230 | memcpy(&header[16], salt, 32); |
| 231 | |
| 232 | /* Add header checksum. */ |
| 233 | SHA256_Init(&ctx); |
| 234 | SHA256_Update(&ctx, header, 48); |
| 235 | SHA256_Final(hbuf, &ctx); |
| 236 | memcpy(&header[48], hbuf, 16); |
| 237 | |
| 238 | /* Add header signature (used for verifying password). */ |
| 239 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 240 | HMAC_SHA256_Update(&hctx, header, 64); |
| 241 | HMAC_SHA256_Final(hbuf, &hctx); |
| 242 | memcpy(&header[64], hbuf, 32); |
| 243 | |
| 244 | /* Success! */ |
| 245 | return (0); |
| 246 | } |
| 247 | |
| 248 | static int |
| 249 | scryptdec_setup(const uint8_t header[96], uint8_t dk[64], |
| 250 | const uint8_t * passwd, size_t passwdlen, |
| 251 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, |
| 252 | int force) |
| 253 | { |
| 254 | uint8_t salt[32]; |
| 255 | uint8_t hbuf[32]; |
| 256 | int logN; |
| 257 | uint32_t r; |
| 258 | uint32_t p; |
| 259 | uint64_t N; |
| 260 | SHA256_CTX ctx; |
| 261 | uint8_t * key_hmac = &dk[32]; |
| 262 | HMAC_SHA256_CTX hctx; |
| 263 | int rc; |
| 264 | |
| 265 | /* Parse N, r, p, salt. */ |
| 266 | logN = header[7]; |
| 267 | r = be32dec(&header[8]); |
| 268 | p = be32dec(&header[12]); |
| 269 | memcpy(salt, &header[16], 32); |
| 270 | |
| 271 | /* Verify header checksum. */ |
| 272 | SHA256_Init(&ctx); |
| 273 | SHA256_Update(&ctx, header, 48); |
| 274 | SHA256_Final(hbuf, &ctx); |
| 275 | if (memcmp(&header[48], hbuf, 16)) |
| 276 | return (7); |
| 277 | |
| 278 | /* |
| 279 | * Check whether the provided parameters are valid and whether the |
| 280 | * key derivation function can be computed within the allowed memory |
| 281 | * and CPU time, unless the user chose to disable this test. |
| 282 | */ |
| 283 | if ((rc = checkparams(maxmem, maxmemfrac, maxtime, logN, r, p, |
| 284 | verbose, force)) != 0) |
| 285 | return (rc); |
| 286 | |
| 287 | /* Compute the derived keys. */ |
| 288 | N = (uint64_t)(1) << logN; |
| 289 | if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64)) |
| 290 | return (3); |
| 291 | |
| 292 | /* Check header signature (i.e., verify password). */ |
| 293 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 294 | HMAC_SHA256_Update(&hctx, header, 64); |
| 295 | HMAC_SHA256_Final(hbuf, &hctx); |
| 296 | if (memcmp(hbuf, &header[64], 32)) |
| 297 | return (11); |
| 298 | |
| 299 | /* Success! */ |
| 300 | return (0); |
| 301 | } |
| 302 | |
| 303 | /** |
| 304 | * scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen, |
| 305 | * maxmem, maxmemfrac, maxtime, verbose): |
| 306 | * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128 |
| 307 | * bytes to outbuf. |
| 308 | */ |
| 309 | int |
| 310 | scryptenc_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf, |
| 311 | const uint8_t * passwd, size_t passwdlen, |
| 312 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) |
| 313 | { |
| 314 | uint8_t dk[64]; |
| 315 | uint8_t hbuf[32]; |
| 316 | uint8_t header[96]; |
| 317 | uint8_t * key_enc = dk; |
| 318 | uint8_t * key_hmac = &dk[32]; |
| 319 | int rc; |
| 320 | HMAC_SHA256_CTX hctx; |
| 321 | struct crypto_aes_key * key_enc_exp; |
| 322 | struct crypto_aesctr * AES; |
| 323 | |
| 324 | /* Generate the header and derived key. */ |
| 325 | if ((rc = scryptenc_setup(header, dk, passwd, passwdlen, |
| 326 | maxmem, maxmemfrac, maxtime, verbose)) != 0) |
| 327 | return (rc); |
| 328 | |
| 329 | /* Copy header into output buffer. */ |
| 330 | memcpy(outbuf, header, 96); |
| 331 | |
| 332 | /* Encrypt data. */ |
| 333 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) |
| 334 | return (5); |
| 335 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) |
| 336 | return (6); |
| 337 | crypto_aesctr_stream(AES, inbuf, &outbuf[96], inbuflen); |
| 338 | crypto_aesctr_free(AES); |
| 339 | crypto_aes_key_free(key_enc_exp); |
| 340 | |
| 341 | /* Add signature. */ |
| 342 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 343 | HMAC_SHA256_Update(&hctx, outbuf, 96 + inbuflen); |
| 344 | HMAC_SHA256_Final(hbuf, &hctx); |
| 345 | memcpy(&outbuf[96 + inbuflen], hbuf, 32); |
| 346 | |
| 347 | /* Zero sensitive data. */ |
| 348 | insecure_memzero(dk, 64); |
| 349 | |
| 350 | /* Success! */ |
| 351 | return (0); |
| 352 | } |
| 353 | |
| 354 | /** |
| 355 | * scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen, |
| 356 | * maxmem, maxmemfrac, maxtime, verbose, force): |
| 357 | * Decrypt inbuflen bytes from inbuf, writing the result into outbuf and the |
| 358 | * decrypted data length to outlen. The allocated length of outbuf must |
| 359 | * be at least inbuflen. If ${force} is 1, do not check whether |
| 360 | * decryption will exceed the estimated available memory or time. |
| 361 | */ |
| 362 | int |
| 363 | scryptdec_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf, |
| 364 | size_t * outlen, const uint8_t * passwd, size_t passwdlen, |
| 365 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, |
| 366 | int force) |
| 367 | { |
| 368 | uint8_t hbuf[32]; |
| 369 | uint8_t dk[64]; |
| 370 | uint8_t * key_enc = dk; |
| 371 | uint8_t * key_hmac = &dk[32]; |
| 372 | int rc; |
| 373 | HMAC_SHA256_CTX hctx; |
| 374 | struct crypto_aes_key * key_enc_exp; |
| 375 | struct crypto_aesctr * AES; |
| 376 | |
| 377 | /* |
| 378 | * All versions of the scrypt format will start with "scrypt" and |
| 379 | * have at least 7 bytes of header. |
| 380 | */ |
| 381 | if ((inbuflen < 7) || (memcmp(inbuf, "scrypt", 6) != 0)) |
| 382 | return (7); |
| 383 | |
| 384 | /* Check the format. */ |
| 385 | if (inbuf[6] != 0) |
| 386 | return (8); |
| 387 | |
| 388 | /* We must have at least 128 bytes. */ |
| 389 | if (inbuflen < 128) |
| 390 | return (7); |
| 391 | |
| 392 | /* Parse the header and generate derived keys. */ |
| 393 | if ((rc = scryptdec_setup(inbuf, dk, passwd, passwdlen, |
| 394 | maxmem, maxmemfrac, maxtime, verbose, force)) != 0) |
| 395 | return (rc); |
| 396 | |
| 397 | /* Decrypt data. */ |
| 398 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) |
| 399 | return (5); |
| 400 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) |
| 401 | return (6); |
| 402 | crypto_aesctr_stream(AES, &inbuf[96], outbuf, inbuflen - 128); |
| 403 | crypto_aesctr_free(AES); |
| 404 | crypto_aes_key_free(key_enc_exp); |
| 405 | *outlen = inbuflen - 128; |
| 406 | |
| 407 | /* Verify signature. */ |
| 408 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 409 | HMAC_SHA256_Update(&hctx, inbuf, inbuflen - 32); |
| 410 | HMAC_SHA256_Final(hbuf, &hctx); |
| 411 | if (memcmp(hbuf, &inbuf[inbuflen - 32], 32)) |
| 412 | return (7); |
| 413 | |
| 414 | /* Zero sensitive data. */ |
| 415 | insecure_memzero(dk, 64); |
| 416 | |
| 417 | /* Success! */ |
| 418 | return (0); |
| 419 | } |
| 420 | |
| 421 | /** |
| 422 | * scryptenc_file(infile, outfile, passwd, passwdlen, |
| 423 | * maxmem, maxmemfrac, maxtime, verbose): |
| 424 | * Read a stream from infile and encrypt it, writing the resulting stream to |
| 425 | * outfile. |
| 426 | */ |
| 427 | int |
| 428 | scryptenc_file(FILE * infile, FILE * outfile, |
| 429 | const uint8_t * passwd, size_t passwdlen, |
| 430 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) |
| 431 | { |
| 432 | uint8_t buf[ENCBLOCK]; |
| 433 | uint8_t dk[64]; |
| 434 | uint8_t hbuf[32]; |
| 435 | uint8_t header[96]; |
| 436 | uint8_t * key_enc = dk; |
| 437 | uint8_t * key_hmac = &dk[32]; |
| 438 | size_t readlen; |
| 439 | HMAC_SHA256_CTX hctx; |
| 440 | struct crypto_aes_key * key_enc_exp; |
| 441 | struct crypto_aesctr * AES; |
| 442 | int rc; |
| 443 | |
| 444 | /* Generate the header and derived key. */ |
| 445 | if ((rc = scryptenc_setup(header, dk, passwd, passwdlen, |
| 446 | maxmem, maxmemfrac, maxtime, verbose)) != 0) |
| 447 | return (rc); |
| 448 | |
| 449 | /* Hash and write the header. */ |
| 450 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 451 | HMAC_SHA256_Update(&hctx, header, 96); |
| 452 | if (fwrite(header, 96, 1, outfile) != 1) |
| 453 | return (12); |
| 454 | |
| 455 | /* |
| 456 | * Read blocks of data, encrypt them, and write them out; hash the |
| 457 | * data as it is produced. |
| 458 | */ |
| 459 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) |
| 460 | return (5); |
| 461 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) |
| 462 | return (6); |
| 463 | do { |
| 464 | if ((readlen = fread(buf, 1, ENCBLOCK, infile)) == 0) |
| 465 | break; |
| 466 | crypto_aesctr_stream(AES, buf, buf, readlen); |
| 467 | HMAC_SHA256_Update(&hctx, buf, readlen); |
| 468 | if (fwrite(buf, 1, readlen, outfile) < readlen) { |
| 469 | crypto_aesctr_free(AES); |
| 470 | return (12); |
| 471 | } |
| 472 | } while (1); |
| 473 | crypto_aesctr_free(AES); |
| 474 | crypto_aes_key_free(key_enc_exp); |
| 475 | |
| 476 | /* Did we exit the loop due to a read error? */ |
| 477 | if (ferror(infile)) |
| 478 | return (13); |
| 479 | |
| 480 | /* Compute the final HMAC and output it. */ |
| 481 | HMAC_SHA256_Final(hbuf, &hctx); |
| 482 | if (fwrite(hbuf, 32, 1, outfile) != 1) |
| 483 | return (12); |
| 484 | |
| 485 | /* Zero sensitive data. */ |
| 486 | insecure_memzero(dk, 64); |
| 487 | |
| 488 | /* Success! */ |
| 489 | return (0); |
| 490 | } |
| 491 | |
| 492 | /** |
| 493 | * scryptdec_file(infile, outfile, passwd, passwdlen, |
| 494 | * maxmem, maxmemfrac, maxtime, verbose, force): |
| 495 | * Read a stream from infile and decrypt it, writing the resulting stream to |
| 496 | * outfile. If ${force} is 1, do not check whether decryption |
| 497 | * will exceed the estimated available memory or time. |
| 498 | */ |
| 499 | int |
| 500 | scryptdec_file(FILE * infile, FILE * outfile, |
| 501 | const uint8_t * passwd, size_t passwdlen, |
| 502 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, |
| 503 | int force) |
| 504 | { |
| 505 | uint8_t buf[ENCBLOCK + 32]; |
| 506 | uint8_t header[96]; |
| 507 | uint8_t hbuf[32]; |
| 508 | uint8_t dk[64]; |
| 509 | uint8_t * key_enc = dk; |
| 510 | uint8_t * key_hmac = &dk[32]; |
| 511 | size_t buflen = 0; |
| 512 | size_t readlen; |
| 513 | HMAC_SHA256_CTX hctx; |
| 514 | struct crypto_aes_key * key_enc_exp; |
| 515 | struct crypto_aesctr * AES; |
| 516 | int rc; |
| 517 | |
| 518 | /* |
| 519 | * Read the first 7 bytes of the file; all future versions of scrypt |
| 520 | * are guaranteed to have at least 7 bytes of header. |
| 521 | */ |
| 522 | if (fread(header, 7, 1, infile) < 1) { |
| 523 | if (ferror(infile)) |
| 524 | return (13); |
| 525 | else |
| 526 | return (7); |
| 527 | } |
| 528 | |
| 529 | /* Do we have the right magic? */ |
| 530 | if (memcmp(header, "scrypt", 6)) |
| 531 | return (7); |
| 532 | if (header[6] != 0) |
| 533 | return (8); |
| 534 | |
| 535 | /* |
| 536 | * Read another 89 bytes of the file; version 0 of the scrypt file |
| 537 | * format has a 96-byte header. |
| 538 | */ |
| 539 | if (fread(&header[7], 89, 1, infile) < 1) { |
| 540 | if (ferror(infile)) |
| 541 | return (13); |
| 542 | else |
| 543 | return (7); |
| 544 | } |
| 545 | |
| 546 | /* Parse the header and generate derived keys. */ |
| 547 | if ((rc = scryptdec_setup(header, dk, passwd, passwdlen, |
| 548 | maxmem, maxmemfrac, maxtime, verbose, force)) != 0) |
| 549 | return (rc); |
| 550 | |
| 551 | /* Start hashing with the header. */ |
| 552 | HMAC_SHA256_Init(&hctx, key_hmac, 32); |
| 553 | HMAC_SHA256_Update(&hctx, header, 96); |
| 554 | |
| 555 | /* |
| 556 | * We don't know how long the encrypted data block is (we can't know, |
| 557 | * since data can be streamed into 'scrypt enc') so we need to read |
| 558 | * data and decrypt all of it except the final 32 bytes, then check |
| 559 | * if that final 32 bytes is the correct signature. |
| 560 | */ |
| 561 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) |
| 562 | return (5); |
| 563 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) |
| 564 | return (6); |
| 565 | do { |
| 566 | /* Read data until we have more than 32 bytes of it. */ |
| 567 | if ((readlen = fread(&buf[buflen], 1, |
| 568 | ENCBLOCK + 32 - buflen, infile)) == 0) |
| 569 | break; |
| 570 | buflen += readlen; |
| 571 | if (buflen <= 32) |
| 572 | continue; |
| 573 | |
| 574 | /* |
| 575 | * Decrypt, hash, and output everything except the last 32 |
| 576 | * bytes out of what we have in our buffer. |
| 577 | */ |
| 578 | HMAC_SHA256_Update(&hctx, buf, buflen - 32); |
| 579 | crypto_aesctr_stream(AES, buf, buf, buflen - 32); |
| 580 | if (fwrite(buf, 1, buflen - 32, outfile) < buflen - 32) { |
| 581 | crypto_aesctr_free(AES); |
| 582 | return (12); |
| 583 | } |
| 584 | |
| 585 | /* Move the last 32 bytes to the start of the buffer. */ |
| 586 | memmove(buf, &buf[buflen - 32], 32); |
| 587 | buflen = 32; |
| 588 | } while (1); |
| 589 | crypto_aesctr_free(AES); |
| 590 | crypto_aes_key_free(key_enc_exp); |
| 591 | |
| 592 | /* Did we exit the loop due to a read error? */ |
| 593 | if (ferror(infile)) |
| 594 | return (13); |
| 595 | |
| 596 | /* Did we read enough data that we *might* have a valid signature? */ |
| 597 | if (buflen < 32) |
| 598 | return (7); |
| 599 | |
| 600 | /* Verify signature. */ |
| 601 | HMAC_SHA256_Final(hbuf, &hctx); |
| 602 | if (memcmp(hbuf, buf, 32)) |
| 603 | return (7); |
| 604 | |
| 605 | /* Zero sensitive data. */ |
| 606 | insecure_memzero(dk, 64); |
| 607 | |
| 608 | return (0); |
| 609 | } |