]>
Commit | Line | Data |
---|---|---|
0c1f3509 MG |
1 | /*- |
2 | * Copyright 2009 Colin Percival | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * 1. Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * 2. Redistributions in binary form must reproduce the above copyright | |
11 | * notice, this list of conditions and the following disclaimer in the | |
12 | * documentation and/or other materials provided with the distribution. | |
13 | * | |
14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
24 | * SUCH DAMAGE. | |
25 | * | |
26 | * This file was originally written by Colin Percival as part of the Tarsnap | |
27 | * online backup system. | |
28 | */ | |
29 | #include "scrypt_platform.h" | |
30 | ||
31 | #include <assert.h> | |
32 | #include <inttypes.h> | |
33 | #include <stdint.h> | |
34 | #include <stdio.h> | |
35 | #include <stdlib.h> | |
36 | #include <string.h> | |
37 | ||
38 | #include "crypto_aes.h" | |
39 | #include "crypto_aesctr.h" | |
40 | #include "crypto_entropy.h" | |
41 | #include "humansize.h" | |
42 | #include "insecure_memzero.h" | |
43 | #include "sha256.h" | |
44 | #include "sysendian.h" | |
45 | ||
46 | #include "crypto_scrypt.h" | |
47 | #include "memlimit.h" | |
48 | #include "scryptenc_cpuperf.h" | |
49 | ||
50 | #include "scryptenc.h" | |
51 | ||
52 | #define ENCBLOCK 65536 | |
53 | ||
54 | static int pickparams(size_t, double, double, | |
55 | int *, uint32_t *, uint32_t *, int); | |
56 | static int checkparams(size_t, double, double, int, uint32_t, uint32_t, int, | |
57 | int); | |
58 | ||
59 | static void | |
60 | display_params(int logN, uint32_t r, uint32_t p, size_t memlimit, | |
61 | double opps, double maxtime) | |
62 | { | |
63 | uint64_t N = (uint64_t)(1) << logN; | |
64 | uint64_t mem_minimum = 128 * r * N; | |
65 | double expected_seconds = 4 * N * p / opps; | |
66 | char * human_memlimit = humansize(memlimit); | |
67 | char * human_mem_minimum = humansize(mem_minimum); | |
68 | ||
69 | fprintf(stderr, "Parameters used: N = %" PRIu64 "; r = %" PRIu32 | |
70 | "; p = %" PRIu32 ";\n", N, r, p); | |
71 | fprintf(stderr, " This requires at least %s bytes of memory " | |
72 | "(%s available),\n", human_mem_minimum, human_memlimit); | |
73 | fprintf(stderr, " and will take approximately %.1f seconds " | |
74 | "(limit: %.1f seconds).\n", expected_seconds, maxtime); | |
75 | ||
76 | free(human_memlimit); | |
77 | free(human_mem_minimum); | |
78 | } | |
79 | ||
80 | static int | |
81 | pickparams(size_t maxmem, double maxmemfrac, double maxtime, | |
82 | int * logN, uint32_t * r, uint32_t * p, int verbose) | |
83 | { | |
84 | size_t memlimit; | |
85 | double opps; | |
86 | double opslimit; | |
87 | double maxN, maxrp; | |
88 | int rc; | |
89 | ||
90 | /* Figure out how much memory to use. */ | |
91 | if (memtouse(maxmem, maxmemfrac, &memlimit)) | |
92 | return (1); | |
93 | ||
94 | /* Figure out how fast the CPU is. */ | |
95 | if ((rc = scryptenc_cpuperf(&opps)) != 0) | |
96 | return (rc); | |
97 | opslimit = opps * maxtime; | |
98 | ||
99 | /* Allow a minimum of 2^15 salsa20/8 cores. */ | |
100 | if (opslimit < 32768) | |
101 | opslimit = 32768; | |
102 | ||
103 | /* Fix r = 8 for now. */ | |
104 | *r = 8; | |
105 | ||
106 | /* | |
107 | * The memory limit requires that 128Nr <= memlimit, while the CPU | |
108 | * limit requires that 4Nrp <= opslimit. If opslimit < memlimit/32, | |
109 | * opslimit imposes the stronger limit on N. | |
110 | */ | |
111 | #ifdef DEBUG | |
112 | fprintf(stderr, "Requiring 128Nr <= %zu, 4Nrp <= %f\n", | |
113 | memlimit, opslimit); | |
114 | #endif | |
115 | if (opslimit < (double)memlimit / 32) { | |
116 | /* Set p = 1 and choose N based on the CPU limit. */ | |
117 | *p = 1; | |
118 | maxN = opslimit / (*r * 4); | |
119 | for (*logN = 1; *logN < 63; *logN += 1) { | |
120 | if ((uint64_t)(1) << *logN > maxN / 2) | |
121 | break; | |
122 | } | |
123 | } else { | |
124 | /* Set N based on the memory limit. */ | |
125 | maxN = memlimit / (*r * 128); | |
126 | for (*logN = 1; *logN < 63; *logN += 1) { | |
127 | if ((uint64_t)(1) << *logN > maxN / 2) | |
128 | break; | |
129 | } | |
130 | ||
131 | /* Choose p based on the CPU limit. */ | |
132 | maxrp = (opslimit / 4) / ((uint64_t)(1) << *logN); | |
133 | if (maxrp > 0x3fffffff) | |
134 | maxrp = 0x3fffffff; | |
135 | *p = (uint32_t)(maxrp) / *r; | |
136 | } | |
137 | ||
138 | if (verbose) | |
139 | display_params(*logN, *r, *p, memlimit, opps, maxtime); | |
140 | ||
141 | /* Success! */ | |
142 | return (0); | |
143 | } | |
144 | ||
145 | static int | |
146 | checkparams(size_t maxmem, double maxmemfrac, double maxtime, | |
147 | int logN, uint32_t r, uint32_t p, int verbose, int force) | |
148 | { | |
149 | size_t memlimit; | |
150 | double opps; | |
151 | double opslimit; | |
152 | uint64_t N; | |
153 | int rc; | |
154 | ||
155 | /* Sanity-check values. */ | |
156 | if ((logN < 1) || (logN > 63)) | |
157 | return (7); | |
158 | if ((uint64_t)(r) * (uint64_t)(p) >= 0x40000000) | |
159 | return (7); | |
160 | ||
161 | /* Are we forcing decryption, regardless of resource limits? */ | |
162 | if (!force) { | |
163 | /* Figure out the maximum amount of memory we can use. */ | |
164 | if (memtouse(maxmem, maxmemfrac, &memlimit)) | |
165 | return (1); | |
166 | ||
167 | /* Figure out how fast the CPU is. */ | |
168 | if ((rc = scryptenc_cpuperf(&opps)) != 0) | |
169 | return (rc); | |
170 | opslimit = opps * maxtime; | |
171 | ||
172 | /* Check limits. */ | |
173 | N = (uint64_t)(1) << logN; | |
174 | if ((memlimit / N) / r < 128) | |
175 | return (9); | |
176 | if ((opslimit / N) / (r * p) < 4) | |
177 | return (10); | |
178 | } else { | |
179 | /* We have no limit. */ | |
180 | memlimit = 0; | |
181 | opps = 0; | |
182 | } | |
183 | ||
184 | if (verbose) | |
185 | display_params(logN, r, p, memlimit, opps, maxtime); | |
186 | ||
187 | /* Success! */ | |
188 | return (0); | |
189 | } | |
190 | ||
191 | static int | |
192 | scryptenc_setup(uint8_t header[96], uint8_t dk[64], | |
193 | const uint8_t * passwd, size_t passwdlen, | |
194 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) | |
195 | { | |
196 | uint8_t salt[32]; | |
197 | uint8_t hbuf[32]; | |
198 | int logN; | |
199 | uint64_t N; | |
200 | uint32_t r; | |
201 | uint32_t p; | |
202 | SHA256_CTX ctx; | |
203 | uint8_t * key_hmac = &dk[32]; | |
204 | HMAC_SHA256_CTX hctx; | |
205 | int rc; | |
206 | ||
207 | /* Pick values for N, r, p. */ | |
208 | if ((rc = pickparams(maxmem, maxmemfrac, maxtime, | |
209 | &logN, &r, &p, verbose)) != 0) | |
210 | return (rc); | |
211 | N = (uint64_t)(1) << logN; | |
212 | ||
213 | /* Sanity check. */ | |
214 | assert((logN > 0) && (logN < 256)); | |
215 | ||
216 | /* Get some salt. */ | |
217 | if (crypto_entropy_read(salt, 32)) | |
218 | return (4); | |
219 | ||
220 | /* Generate the derived keys. */ | |
221 | if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64)) | |
222 | return (3); | |
223 | ||
224 | /* Construct the file header. */ | |
225 | memcpy(header, "scrypt", 6); | |
226 | header[6] = 0; | |
227 | header[7] = logN & 0xff; | |
228 | be32enc(&header[8], r); | |
229 | be32enc(&header[12], p); | |
230 | memcpy(&header[16], salt, 32); | |
231 | ||
232 | /* Add header checksum. */ | |
233 | SHA256_Init(&ctx); | |
234 | SHA256_Update(&ctx, header, 48); | |
235 | SHA256_Final(hbuf, &ctx); | |
236 | memcpy(&header[48], hbuf, 16); | |
237 | ||
238 | /* Add header signature (used for verifying password). */ | |
239 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
240 | HMAC_SHA256_Update(&hctx, header, 64); | |
241 | HMAC_SHA256_Final(hbuf, &hctx); | |
242 | memcpy(&header[64], hbuf, 32); | |
243 | ||
244 | /* Success! */ | |
245 | return (0); | |
246 | } | |
247 | ||
248 | static int | |
249 | scryptdec_setup(const uint8_t header[96], uint8_t dk[64], | |
250 | const uint8_t * passwd, size_t passwdlen, | |
251 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, | |
252 | int force) | |
253 | { | |
254 | uint8_t salt[32]; | |
255 | uint8_t hbuf[32]; | |
256 | int logN; | |
257 | uint32_t r; | |
258 | uint32_t p; | |
259 | uint64_t N; | |
260 | SHA256_CTX ctx; | |
261 | uint8_t * key_hmac = &dk[32]; | |
262 | HMAC_SHA256_CTX hctx; | |
263 | int rc; | |
264 | ||
265 | /* Parse N, r, p, salt. */ | |
266 | logN = header[7]; | |
267 | r = be32dec(&header[8]); | |
268 | p = be32dec(&header[12]); | |
269 | memcpy(salt, &header[16], 32); | |
270 | ||
271 | /* Verify header checksum. */ | |
272 | SHA256_Init(&ctx); | |
273 | SHA256_Update(&ctx, header, 48); | |
274 | SHA256_Final(hbuf, &ctx); | |
275 | if (memcmp(&header[48], hbuf, 16)) | |
276 | return (7); | |
277 | ||
278 | /* | |
279 | * Check whether the provided parameters are valid and whether the | |
280 | * key derivation function can be computed within the allowed memory | |
281 | * and CPU time, unless the user chose to disable this test. | |
282 | */ | |
283 | if ((rc = checkparams(maxmem, maxmemfrac, maxtime, logN, r, p, | |
284 | verbose, force)) != 0) | |
285 | return (rc); | |
286 | ||
287 | /* Compute the derived keys. */ | |
288 | N = (uint64_t)(1) << logN; | |
289 | if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64)) | |
290 | return (3); | |
291 | ||
292 | /* Check header signature (i.e., verify password). */ | |
293 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
294 | HMAC_SHA256_Update(&hctx, header, 64); | |
295 | HMAC_SHA256_Final(hbuf, &hctx); | |
296 | if (memcmp(hbuf, &header[64], 32)) | |
297 | return (11); | |
298 | ||
299 | /* Success! */ | |
300 | return (0); | |
301 | } | |
302 | ||
303 | /** | |
304 | * scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen, | |
305 | * maxmem, maxmemfrac, maxtime, verbose): | |
306 | * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128 | |
307 | * bytes to outbuf. | |
308 | */ | |
309 | int | |
310 | scryptenc_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf, | |
311 | const uint8_t * passwd, size_t passwdlen, | |
312 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) | |
313 | { | |
314 | uint8_t dk[64]; | |
315 | uint8_t hbuf[32]; | |
316 | uint8_t header[96]; | |
317 | uint8_t * key_enc = dk; | |
318 | uint8_t * key_hmac = &dk[32]; | |
319 | int rc; | |
320 | HMAC_SHA256_CTX hctx; | |
321 | struct crypto_aes_key * key_enc_exp; | |
322 | struct crypto_aesctr * AES; | |
323 | ||
324 | /* Generate the header and derived key. */ | |
325 | if ((rc = scryptenc_setup(header, dk, passwd, passwdlen, | |
326 | maxmem, maxmemfrac, maxtime, verbose)) != 0) | |
327 | return (rc); | |
328 | ||
329 | /* Copy header into output buffer. */ | |
330 | memcpy(outbuf, header, 96); | |
331 | ||
332 | /* Encrypt data. */ | |
333 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) | |
334 | return (5); | |
335 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) | |
336 | return (6); | |
337 | crypto_aesctr_stream(AES, inbuf, &outbuf[96], inbuflen); | |
338 | crypto_aesctr_free(AES); | |
339 | crypto_aes_key_free(key_enc_exp); | |
340 | ||
341 | /* Add signature. */ | |
342 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
343 | HMAC_SHA256_Update(&hctx, outbuf, 96 + inbuflen); | |
344 | HMAC_SHA256_Final(hbuf, &hctx); | |
345 | memcpy(&outbuf[96 + inbuflen], hbuf, 32); | |
346 | ||
347 | /* Zero sensitive data. */ | |
348 | insecure_memzero(dk, 64); | |
349 | ||
350 | /* Success! */ | |
351 | return (0); | |
352 | } | |
353 | ||
354 | /** | |
355 | * scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen, | |
356 | * maxmem, maxmemfrac, maxtime, verbose, force): | |
357 | * Decrypt inbuflen bytes from inbuf, writing the result into outbuf and the | |
358 | * decrypted data length to outlen. The allocated length of outbuf must | |
359 | * be at least inbuflen. If ${force} is 1, do not check whether | |
360 | * decryption will exceed the estimated available memory or time. | |
361 | */ | |
362 | int | |
363 | scryptdec_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf, | |
364 | size_t * outlen, const uint8_t * passwd, size_t passwdlen, | |
365 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, | |
366 | int force) | |
367 | { | |
368 | uint8_t hbuf[32]; | |
369 | uint8_t dk[64]; | |
370 | uint8_t * key_enc = dk; | |
371 | uint8_t * key_hmac = &dk[32]; | |
372 | int rc; | |
373 | HMAC_SHA256_CTX hctx; | |
374 | struct crypto_aes_key * key_enc_exp; | |
375 | struct crypto_aesctr * AES; | |
376 | ||
377 | /* | |
378 | * All versions of the scrypt format will start with "scrypt" and | |
379 | * have at least 7 bytes of header. | |
380 | */ | |
381 | if ((inbuflen < 7) || (memcmp(inbuf, "scrypt", 6) != 0)) | |
382 | return (7); | |
383 | ||
384 | /* Check the format. */ | |
385 | if (inbuf[6] != 0) | |
386 | return (8); | |
387 | ||
388 | /* We must have at least 128 bytes. */ | |
389 | if (inbuflen < 128) | |
390 | return (7); | |
391 | ||
392 | /* Parse the header and generate derived keys. */ | |
393 | if ((rc = scryptdec_setup(inbuf, dk, passwd, passwdlen, | |
394 | maxmem, maxmemfrac, maxtime, verbose, force)) != 0) | |
395 | return (rc); | |
396 | ||
397 | /* Decrypt data. */ | |
398 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) | |
399 | return (5); | |
400 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) | |
401 | return (6); | |
402 | crypto_aesctr_stream(AES, &inbuf[96], outbuf, inbuflen - 128); | |
403 | crypto_aesctr_free(AES); | |
404 | crypto_aes_key_free(key_enc_exp); | |
405 | *outlen = inbuflen - 128; | |
406 | ||
407 | /* Verify signature. */ | |
408 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
409 | HMAC_SHA256_Update(&hctx, inbuf, inbuflen - 32); | |
410 | HMAC_SHA256_Final(hbuf, &hctx); | |
411 | if (memcmp(hbuf, &inbuf[inbuflen - 32], 32)) | |
412 | return (7); | |
413 | ||
414 | /* Zero sensitive data. */ | |
415 | insecure_memzero(dk, 64); | |
416 | ||
417 | /* Success! */ | |
418 | return (0); | |
419 | } | |
420 | ||
421 | /** | |
422 | * scryptenc_file(infile, outfile, passwd, passwdlen, | |
423 | * maxmem, maxmemfrac, maxtime, verbose): | |
424 | * Read a stream from infile and encrypt it, writing the resulting stream to | |
425 | * outfile. | |
426 | */ | |
427 | int | |
428 | scryptenc_file(FILE * infile, FILE * outfile, | |
429 | const uint8_t * passwd, size_t passwdlen, | |
430 | size_t maxmem, double maxmemfrac, double maxtime, int verbose) | |
431 | { | |
432 | uint8_t buf[ENCBLOCK]; | |
433 | uint8_t dk[64]; | |
434 | uint8_t hbuf[32]; | |
435 | uint8_t header[96]; | |
436 | uint8_t * key_enc = dk; | |
437 | uint8_t * key_hmac = &dk[32]; | |
438 | size_t readlen; | |
439 | HMAC_SHA256_CTX hctx; | |
440 | struct crypto_aes_key * key_enc_exp; | |
441 | struct crypto_aesctr * AES; | |
442 | int rc; | |
443 | ||
444 | /* Generate the header and derived key. */ | |
445 | if ((rc = scryptenc_setup(header, dk, passwd, passwdlen, | |
446 | maxmem, maxmemfrac, maxtime, verbose)) != 0) | |
447 | return (rc); | |
448 | ||
449 | /* Hash and write the header. */ | |
450 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
451 | HMAC_SHA256_Update(&hctx, header, 96); | |
452 | if (fwrite(header, 96, 1, outfile) != 1) | |
453 | return (12); | |
454 | ||
455 | /* | |
456 | * Read blocks of data, encrypt them, and write them out; hash the | |
457 | * data as it is produced. | |
458 | */ | |
459 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) | |
460 | return (5); | |
461 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) | |
462 | return (6); | |
463 | do { | |
464 | if ((readlen = fread(buf, 1, ENCBLOCK, infile)) == 0) | |
465 | break; | |
466 | crypto_aesctr_stream(AES, buf, buf, readlen); | |
467 | HMAC_SHA256_Update(&hctx, buf, readlen); | |
468 | if (fwrite(buf, 1, readlen, outfile) < readlen) { | |
469 | crypto_aesctr_free(AES); | |
470 | return (12); | |
471 | } | |
472 | } while (1); | |
473 | crypto_aesctr_free(AES); | |
474 | crypto_aes_key_free(key_enc_exp); | |
475 | ||
476 | /* Did we exit the loop due to a read error? */ | |
477 | if (ferror(infile)) | |
478 | return (13); | |
479 | ||
480 | /* Compute the final HMAC and output it. */ | |
481 | HMAC_SHA256_Final(hbuf, &hctx); | |
482 | if (fwrite(hbuf, 32, 1, outfile) != 1) | |
483 | return (12); | |
484 | ||
485 | /* Zero sensitive data. */ | |
486 | insecure_memzero(dk, 64); | |
487 | ||
488 | /* Success! */ | |
489 | return (0); | |
490 | } | |
491 | ||
492 | /** | |
493 | * scryptdec_file(infile, outfile, passwd, passwdlen, | |
494 | * maxmem, maxmemfrac, maxtime, verbose, force): | |
495 | * Read a stream from infile and decrypt it, writing the resulting stream to | |
496 | * outfile. If ${force} is 1, do not check whether decryption | |
497 | * will exceed the estimated available memory or time. | |
498 | */ | |
499 | int | |
500 | scryptdec_file(FILE * infile, FILE * outfile, | |
501 | const uint8_t * passwd, size_t passwdlen, | |
502 | size_t maxmem, double maxmemfrac, double maxtime, int verbose, | |
503 | int force) | |
504 | { | |
505 | uint8_t buf[ENCBLOCK + 32]; | |
506 | uint8_t header[96]; | |
507 | uint8_t hbuf[32]; | |
508 | uint8_t dk[64]; | |
509 | uint8_t * key_enc = dk; | |
510 | uint8_t * key_hmac = &dk[32]; | |
511 | size_t buflen = 0; | |
512 | size_t readlen; | |
513 | HMAC_SHA256_CTX hctx; | |
514 | struct crypto_aes_key * key_enc_exp; | |
515 | struct crypto_aesctr * AES; | |
516 | int rc; | |
517 | ||
518 | /* | |
519 | * Read the first 7 bytes of the file; all future versions of scrypt | |
520 | * are guaranteed to have at least 7 bytes of header. | |
521 | */ | |
522 | if (fread(header, 7, 1, infile) < 1) { | |
523 | if (ferror(infile)) | |
524 | return (13); | |
525 | else | |
526 | return (7); | |
527 | } | |
528 | ||
529 | /* Do we have the right magic? */ | |
530 | if (memcmp(header, "scrypt", 6)) | |
531 | return (7); | |
532 | if (header[6] != 0) | |
533 | return (8); | |
534 | ||
535 | /* | |
536 | * Read another 89 bytes of the file; version 0 of the scrypt file | |
537 | * format has a 96-byte header. | |
538 | */ | |
539 | if (fread(&header[7], 89, 1, infile) < 1) { | |
540 | if (ferror(infile)) | |
541 | return (13); | |
542 | else | |
543 | return (7); | |
544 | } | |
545 | ||
546 | /* Parse the header and generate derived keys. */ | |
547 | if ((rc = scryptdec_setup(header, dk, passwd, passwdlen, | |
548 | maxmem, maxmemfrac, maxtime, verbose, force)) != 0) | |
549 | return (rc); | |
550 | ||
551 | /* Start hashing with the header. */ | |
552 | HMAC_SHA256_Init(&hctx, key_hmac, 32); | |
553 | HMAC_SHA256_Update(&hctx, header, 96); | |
554 | ||
555 | /* | |
556 | * We don't know how long the encrypted data block is (we can't know, | |
557 | * since data can be streamed into 'scrypt enc') so we need to read | |
558 | * data and decrypt all of it except the final 32 bytes, then check | |
559 | * if that final 32 bytes is the correct signature. | |
560 | */ | |
561 | if ((key_enc_exp = crypto_aes_key_expand(key_enc, 32)) == NULL) | |
562 | return (5); | |
563 | if ((AES = crypto_aesctr_init(key_enc_exp, 0)) == NULL) | |
564 | return (6); | |
565 | do { | |
566 | /* Read data until we have more than 32 bytes of it. */ | |
567 | if ((readlen = fread(&buf[buflen], 1, | |
568 | ENCBLOCK + 32 - buflen, infile)) == 0) | |
569 | break; | |
570 | buflen += readlen; | |
571 | if (buflen <= 32) | |
572 | continue; | |
573 | ||
574 | /* | |
575 | * Decrypt, hash, and output everything except the last 32 | |
576 | * bytes out of what we have in our buffer. | |
577 | */ | |
578 | HMAC_SHA256_Update(&hctx, buf, buflen - 32); | |
579 | crypto_aesctr_stream(AES, buf, buf, buflen - 32); | |
580 | if (fwrite(buf, 1, buflen - 32, outfile) < buflen - 32) { | |
581 | crypto_aesctr_free(AES); | |
582 | return (12); | |
583 | } | |
584 | ||
585 | /* Move the last 32 bytes to the start of the buffer. */ | |
586 | memmove(buf, &buf[buflen - 32], 32); | |
587 | buflen = 32; | |
588 | } while (1); | |
589 | crypto_aesctr_free(AES); | |
590 | crypto_aes_key_free(key_enc_exp); | |
591 | ||
592 | /* Did we exit the loop due to a read error? */ | |
593 | if (ferror(infile)) | |
594 | return (13); | |
595 | ||
596 | /* Did we read enough data that we *might* have a valid signature? */ | |
597 | if (buflen < 32) | |
598 | return (7); | |
599 | ||
600 | /* Verify signature. */ | |
601 | HMAC_SHA256_Final(hbuf, &hctx); | |
602 | if (memcmp(hbuf, buf, 32)) | |
603 | return (7); | |
604 | ||
605 | /* Zero sensitive data. */ | |
606 | insecure_memzero(dk, 64); | |
607 | ||
608 | return (0); | |
609 | } |