]>
iEval git - authen-passphrase-scrypt.git/blob - scrypt-1.2.1/lib/scryptenc/scryptenc.c
2 * Copyright 2009 Colin Percival
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * This file was originally written by Colin Percival as part of the Tarsnap
27 * online backup system.
29 #include "scrypt_platform.h"
38 #include "crypto_aes.h"
39 #include "crypto_aesctr.h"
40 #include "crypto_entropy.h"
41 #include "humansize.h"
42 #include "insecure_memzero.h"
44 #include "sysendian.h"
46 #include "crypto_scrypt.h"
48 #include "scryptenc_cpuperf.h"
50 #include "scryptenc.h"
52 #define ENCBLOCK 65536
54 static int pickparams(size_t, double, double,
55 int *, uint32_t *, uint32_t *, int);
56 static int checkparams(size_t, double, double, int, uint32_t, uint32_t, int,
60 display_params(int logN
, uint32_t r
, uint32_t p
, size_t memlimit
,
61 double opps
, double maxtime
)
63 uint64_t N
= (uint64_t)(1) << logN
;
64 uint64_t mem_minimum
= 128 * r
* N
;
65 double expected_seconds
= 4 * N
* p
/ opps
;
66 char * human_memlimit
= humansize(memlimit
);
67 char * human_mem_minimum
= humansize(mem_minimum
);
69 fprintf(stderr
, "Parameters used: N = %" PRIu64
"; r = %" PRIu32
70 "; p = %" PRIu32
";\n", N
, r
, p
);
71 fprintf(stderr
, " This requires at least %s bytes of memory "
72 "(%s available),\n", human_mem_minimum
, human_memlimit
);
73 fprintf(stderr
, " and will take approximately %.1f seconds "
74 "(limit: %.1f seconds).\n", expected_seconds
, maxtime
);
77 free(human_mem_minimum
);
81 pickparams(size_t maxmem
, double maxmemfrac
, double maxtime
,
82 int * logN
, uint32_t * r
, uint32_t * p
, int verbose
)
90 /* Figure out how much memory to use. */
91 if (memtouse(maxmem
, maxmemfrac
, &memlimit
))
94 /* Figure out how fast the CPU is. */
95 if ((rc
= scryptenc_cpuperf(&opps
)) != 0)
97 opslimit
= opps
* maxtime
;
99 /* Allow a minimum of 2^15 salsa20/8 cores. */
100 if (opslimit
< 32768)
103 /* Fix r = 8 for now. */
107 * The memory limit requires that 128Nr <= memlimit, while the CPU
108 * limit requires that 4Nrp <= opslimit. If opslimit < memlimit/32,
109 * opslimit imposes the stronger limit on N.
112 fprintf(stderr
, "Requiring 128Nr <= %zu, 4Nrp <= %f\n",
115 if (opslimit
< (double)memlimit
/ 32) {
116 /* Set p = 1 and choose N based on the CPU limit. */
118 maxN
= opslimit
/ (*r
* 4);
119 for (*logN
= 1; *logN
< 63; *logN
+= 1) {
120 if ((uint64_t)(1) << *logN
> maxN
/ 2)
124 /* Set N based on the memory limit. */
125 maxN
= memlimit
/ (*r
* 128);
126 for (*logN
= 1; *logN
< 63; *logN
+= 1) {
127 if ((uint64_t)(1) << *logN
> maxN
/ 2)
131 /* Choose p based on the CPU limit. */
132 maxrp
= (opslimit
/ 4) / ((uint64_t)(1) << *logN
);
133 if (maxrp
> 0x3fffffff)
135 *p
= (uint32_t)(maxrp
) / *r
;
139 display_params(*logN
, *r
, *p
, memlimit
, opps
, maxtime
);
146 checkparams(size_t maxmem
, double maxmemfrac
, double maxtime
,
147 int logN
, uint32_t r
, uint32_t p
, int verbose
, int force
)
155 /* Sanity-check values. */
156 if ((logN
< 1) || (logN
> 63))
158 if ((uint64_t)(r
) * (uint64_t)(p
) >= 0x40000000)
161 /* Are we forcing decryption, regardless of resource limits? */
163 /* Figure out the maximum amount of memory we can use. */
164 if (memtouse(maxmem
, maxmemfrac
, &memlimit
))
167 /* Figure out how fast the CPU is. */
168 if ((rc
= scryptenc_cpuperf(&opps
)) != 0)
170 opslimit
= opps
* maxtime
;
173 N
= (uint64_t)(1) << logN
;
174 if ((memlimit
/ N
) / r
< 128)
176 if ((opslimit
/ N
) / (r
* p
) < 4)
179 /* We have no limit. */
185 display_params(logN
, r
, p
, memlimit
, opps
, maxtime
);
192 scryptenc_setup(uint8_t header
[96], uint8_t dk
[64],
193 const uint8_t * passwd
, size_t passwdlen
,
194 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
)
203 uint8_t * key_hmac
= &dk
[32];
204 HMAC_SHA256_CTX hctx
;
207 /* Pick values for N, r, p. */
208 if ((rc
= pickparams(maxmem
, maxmemfrac
, maxtime
,
209 &logN
, &r
, &p
, verbose
)) != 0)
211 N
= (uint64_t)(1) << logN
;
214 assert((logN
> 0) && (logN
< 256));
217 if (crypto_entropy_read(salt
, 32))
220 /* Generate the derived keys. */
221 if (crypto_scrypt(passwd
, passwdlen
, salt
, 32, N
, r
, p
, dk
, 64))
224 /* Construct the file header. */
225 memcpy(header
, "scrypt", 6);
227 header
[7] = logN
& 0xff;
228 be32enc(&header
[8], r
);
229 be32enc(&header
[12], p
);
230 memcpy(&header
[16], salt
, 32);
232 /* Add header checksum. */
234 SHA256_Update(&ctx
, header
, 48);
235 SHA256_Final(hbuf
, &ctx
);
236 memcpy(&header
[48], hbuf
, 16);
238 /* Add header signature (used for verifying password). */
239 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
240 HMAC_SHA256_Update(&hctx
, header
, 64);
241 HMAC_SHA256_Final(hbuf
, &hctx
);
242 memcpy(&header
[64], hbuf
, 32);
249 scryptdec_setup(const uint8_t header
[96], uint8_t dk
[64],
250 const uint8_t * passwd
, size_t passwdlen
,
251 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
,
261 uint8_t * key_hmac
= &dk
[32];
262 HMAC_SHA256_CTX hctx
;
265 /* Parse N, r, p, salt. */
267 r
= be32dec(&header
[8]);
268 p
= be32dec(&header
[12]);
269 memcpy(salt
, &header
[16], 32);
271 /* Verify header checksum. */
273 SHA256_Update(&ctx
, header
, 48);
274 SHA256_Final(hbuf
, &ctx
);
275 if (memcmp(&header
[48], hbuf
, 16))
279 * Check whether the provided parameters are valid and whether the
280 * key derivation function can be computed within the allowed memory
281 * and CPU time, unless the user chose to disable this test.
283 if ((rc
= checkparams(maxmem
, maxmemfrac
, maxtime
, logN
, r
, p
,
284 verbose
, force
)) != 0)
287 /* Compute the derived keys. */
288 N
= (uint64_t)(1) << logN
;
289 if (crypto_scrypt(passwd
, passwdlen
, salt
, 32, N
, r
, p
, dk
, 64))
292 /* Check header signature (i.e., verify password). */
293 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
294 HMAC_SHA256_Update(&hctx
, header
, 64);
295 HMAC_SHA256_Final(hbuf
, &hctx
);
296 if (memcmp(hbuf
, &header
[64], 32))
304 * scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen,
305 * maxmem, maxmemfrac, maxtime, verbose):
306 * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128
310 scryptenc_buf(const uint8_t * inbuf
, size_t inbuflen
, uint8_t * outbuf
,
311 const uint8_t * passwd
, size_t passwdlen
,
312 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
)
317 uint8_t * key_enc
= dk
;
318 uint8_t * key_hmac
= &dk
[32];
320 HMAC_SHA256_CTX hctx
;
321 struct crypto_aes_key
* key_enc_exp
;
322 struct crypto_aesctr
* AES
;
324 /* Generate the header and derived key. */
325 if ((rc
= scryptenc_setup(header
, dk
, passwd
, passwdlen
,
326 maxmem
, maxmemfrac
, maxtime
, verbose
)) != 0)
329 /* Copy header into output buffer. */
330 memcpy(outbuf
, header
, 96);
333 if ((key_enc_exp
= crypto_aes_key_expand(key_enc
, 32)) == NULL
)
335 if ((AES
= crypto_aesctr_init(key_enc_exp
, 0)) == NULL
)
337 crypto_aesctr_stream(AES
, inbuf
, &outbuf
[96], inbuflen
);
338 crypto_aesctr_free(AES
);
339 crypto_aes_key_free(key_enc_exp
);
342 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
343 HMAC_SHA256_Update(&hctx
, outbuf
, 96 + inbuflen
);
344 HMAC_SHA256_Final(hbuf
, &hctx
);
345 memcpy(&outbuf
[96 + inbuflen
], hbuf
, 32);
347 /* Zero sensitive data. */
348 insecure_memzero(dk
, 64);
355 * scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen,
356 * maxmem, maxmemfrac, maxtime, verbose, force):
357 * Decrypt inbuflen bytes from inbuf, writing the result into outbuf and the
358 * decrypted data length to outlen. The allocated length of outbuf must
359 * be at least inbuflen. If ${force} is 1, do not check whether
360 * decryption will exceed the estimated available memory or time.
363 scryptdec_buf(const uint8_t * inbuf
, size_t inbuflen
, uint8_t * outbuf
,
364 size_t * outlen
, const uint8_t * passwd
, size_t passwdlen
,
365 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
,
370 uint8_t * key_enc
= dk
;
371 uint8_t * key_hmac
= &dk
[32];
373 HMAC_SHA256_CTX hctx
;
374 struct crypto_aes_key
* key_enc_exp
;
375 struct crypto_aesctr
* AES
;
378 * All versions of the scrypt format will start with "scrypt" and
379 * have at least 7 bytes of header.
381 if ((inbuflen
< 7) || (memcmp(inbuf
, "scrypt", 6) != 0))
384 /* Check the format. */
388 /* We must have at least 128 bytes. */
392 /* Parse the header and generate derived keys. */
393 if ((rc
= scryptdec_setup(inbuf
, dk
, passwd
, passwdlen
,
394 maxmem
, maxmemfrac
, maxtime
, verbose
, force
)) != 0)
398 if ((key_enc_exp
= crypto_aes_key_expand(key_enc
, 32)) == NULL
)
400 if ((AES
= crypto_aesctr_init(key_enc_exp
, 0)) == NULL
)
402 crypto_aesctr_stream(AES
, &inbuf
[96], outbuf
, inbuflen
- 128);
403 crypto_aesctr_free(AES
);
404 crypto_aes_key_free(key_enc_exp
);
405 *outlen
= inbuflen
- 128;
407 /* Verify signature. */
408 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
409 HMAC_SHA256_Update(&hctx
, inbuf
, inbuflen
- 32);
410 HMAC_SHA256_Final(hbuf
, &hctx
);
411 if (memcmp(hbuf
, &inbuf
[inbuflen
- 32], 32))
414 /* Zero sensitive data. */
415 insecure_memzero(dk
, 64);
422 * scryptenc_file(infile, outfile, passwd, passwdlen,
423 * maxmem, maxmemfrac, maxtime, verbose):
424 * Read a stream from infile and encrypt it, writing the resulting stream to
428 scryptenc_file(FILE * infile
, FILE * outfile
,
429 const uint8_t * passwd
, size_t passwdlen
,
430 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
)
432 uint8_t buf
[ENCBLOCK
];
436 uint8_t * key_enc
= dk
;
437 uint8_t * key_hmac
= &dk
[32];
439 HMAC_SHA256_CTX hctx
;
440 struct crypto_aes_key
* key_enc_exp
;
441 struct crypto_aesctr
* AES
;
444 /* Generate the header and derived key. */
445 if ((rc
= scryptenc_setup(header
, dk
, passwd
, passwdlen
,
446 maxmem
, maxmemfrac
, maxtime
, verbose
)) != 0)
449 /* Hash and write the header. */
450 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
451 HMAC_SHA256_Update(&hctx
, header
, 96);
452 if (fwrite(header
, 96, 1, outfile
) != 1)
456 * Read blocks of data, encrypt them, and write them out; hash the
457 * data as it is produced.
459 if ((key_enc_exp
= crypto_aes_key_expand(key_enc
, 32)) == NULL
)
461 if ((AES
= crypto_aesctr_init(key_enc_exp
, 0)) == NULL
)
464 if ((readlen
= fread(buf
, 1, ENCBLOCK
, infile
)) == 0)
466 crypto_aesctr_stream(AES
, buf
, buf
, readlen
);
467 HMAC_SHA256_Update(&hctx
, buf
, readlen
);
468 if (fwrite(buf
, 1, readlen
, outfile
) < readlen
) {
469 crypto_aesctr_free(AES
);
473 crypto_aesctr_free(AES
);
474 crypto_aes_key_free(key_enc_exp
);
476 /* Did we exit the loop due to a read error? */
480 /* Compute the final HMAC and output it. */
481 HMAC_SHA256_Final(hbuf
, &hctx
);
482 if (fwrite(hbuf
, 32, 1, outfile
) != 1)
485 /* Zero sensitive data. */
486 insecure_memzero(dk
, 64);
493 * scryptdec_file(infile, outfile, passwd, passwdlen,
494 * maxmem, maxmemfrac, maxtime, verbose, force):
495 * Read a stream from infile and decrypt it, writing the resulting stream to
496 * outfile. If ${force} is 1, do not check whether decryption
497 * will exceed the estimated available memory or time.
500 scryptdec_file(FILE * infile
, FILE * outfile
,
501 const uint8_t * passwd
, size_t passwdlen
,
502 size_t maxmem
, double maxmemfrac
, double maxtime
, int verbose
,
505 uint8_t buf
[ENCBLOCK
+ 32];
509 uint8_t * key_enc
= dk
;
510 uint8_t * key_hmac
= &dk
[32];
513 HMAC_SHA256_CTX hctx
;
514 struct crypto_aes_key
* key_enc_exp
;
515 struct crypto_aesctr
* AES
;
519 * Read the first 7 bytes of the file; all future versions of scrypt
520 * are guaranteed to have at least 7 bytes of header.
522 if (fread(header
, 7, 1, infile
) < 1) {
529 /* Do we have the right magic? */
530 if (memcmp(header
, "scrypt", 6))
536 * Read another 89 bytes of the file; version 0 of the scrypt file
537 * format has a 96-byte header.
539 if (fread(&header
[7], 89, 1, infile
) < 1) {
546 /* Parse the header and generate derived keys. */
547 if ((rc
= scryptdec_setup(header
, dk
, passwd
, passwdlen
,
548 maxmem
, maxmemfrac
, maxtime
, verbose
, force
)) != 0)
551 /* Start hashing with the header. */
552 HMAC_SHA256_Init(&hctx
, key_hmac
, 32);
553 HMAC_SHA256_Update(&hctx
, header
, 96);
556 * We don't know how long the encrypted data block is (we can't know,
557 * since data can be streamed into 'scrypt enc') so we need to read
558 * data and decrypt all of it except the final 32 bytes, then check
559 * if that final 32 bytes is the correct signature.
561 if ((key_enc_exp
= crypto_aes_key_expand(key_enc
, 32)) == NULL
)
563 if ((AES
= crypto_aesctr_init(key_enc_exp
, 0)) == NULL
)
566 /* Read data until we have more than 32 bytes of it. */
567 if ((readlen
= fread(&buf
[buflen
], 1,
568 ENCBLOCK
+ 32 - buflen
, infile
)) == 0)
575 * Decrypt, hash, and output everything except the last 32
576 * bytes out of what we have in our buffer.
578 HMAC_SHA256_Update(&hctx
, buf
, buflen
- 32);
579 crypto_aesctr_stream(AES
, buf
, buf
, buflen
- 32);
580 if (fwrite(buf
, 1, buflen
- 32, outfile
) < buflen
- 32) {
581 crypto_aesctr_free(AES
);
585 /* Move the last 32 bytes to the start of the buffer. */
586 memmove(buf
, &buf
[buflen
- 32], 32);
589 crypto_aesctr_free(AES
);
590 crypto_aes_key_free(key_enc_exp
);
592 /* Did we exit the loop due to a read error? */
596 /* Did we read enough data that we *might* have a valid signature? */
600 /* Verify signature. */
601 HMAC_SHA256_Final(hbuf
, &hctx
);
602 if (memcmp(hbuf
, buf
, 32))
605 /* Zero sensitive data. */
606 insecure_memzero(dk
, 64);
This page took 0.087998 seconds and 4 git commands to generate.