2 * Copyright 2009 Colin Percival
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * This file was originally written by Colin Percival as part of the Tarsnap
27 * online backup system.
29 #include "scrypt_platform.h"
38 #include <openssl/aes.h>
40 #include "crypto_aesctr.h"
41 #include "crypto_scrypt.h"
43 #include "scryptenc_cpuperf.h"
45 #include "sysendian.h"
47 #include "scryptenc.h"
49 #define ENCBLOCK 65536
51 static int pickparams(size_t, double, double,
52 int *, uint32_t *, uint32_t *);
53 static int checkparams(size_t, double, double, int, uint32_t, uint32_t);
54 static int getsalt(uint8_t[32]);
57 pickparams(size_t maxmem, double maxmemfrac, double maxtime,
58 int * logN, uint32_t * r, uint32_t * p)
66 /* Figure out how much memory to use. */
67 if (memtouse(maxmem, maxmemfrac, &memlimit))
70 /* Figure out how fast the CPU is. */
71 if ((rc = scryptenc_cpuperf(&opps)) != 0)
73 opslimit = opps * maxtime;
75 /* Allow a minimum of 2^15 salsa20/8 cores. */
79 /* Fix r = 8 for now. */
83 * The memory limit requires that 128Nr <= memlimit, while the CPU
84 * limit requires that 4Nrp <= opslimit. If opslimit < memlimit/32,
85 * opslimit imposes the stronger limit on N.
88 fprintf(stderr, "Requiring 128Nr <= %zu, 4Nrp <= %f\n",
91 if (opslimit < memlimit/32) {
92 /* Set p = 1 and choose N based on the CPU limit. */
94 maxN = opslimit / (*r * 4);
95 for (*logN = 1; *logN < 63; *logN += 1) {
96 if ((uint64_t)(1) << *logN > maxN / 2)
100 /* Set N based on the memory limit. */
101 maxN = memlimit / (*r * 128);
102 for (*logN = 1; *logN < 63; *logN += 1) {
103 if ((uint64_t)(1) << *logN > maxN / 2)
107 /* Choose p based on the CPU limit. */
108 maxrp = (opslimit / 4) / ((uint64_t)(1) << *logN);
109 if (maxrp > 0x3fffffff)
111 *p = (uint32_t)(maxrp) / *r;
115 fprintf(stderr, "N = %zu r = %d p = %d\n",
116 (size_t)(1) << *logN, (int)(*r), (int)(*p));
124 checkparams(size_t maxmem, double maxmemfrac, double maxtime,
125 int logN, uint32_t r, uint32_t p)
133 /* Figure out the maximum amount of memory we can use. */
134 if (memtouse(maxmem, maxmemfrac, &memlimit))
137 /* Figure out how fast the CPU is. */
138 if ((rc = scryptenc_cpuperf(&opps)) != 0)
140 opslimit = opps * maxtime;
142 /* Sanity-check values. */
143 if ((logN < 1) || (logN > 63))
145 if ((uint64_t)(r) * (uint64_t)(p) >= 0x40000000)
149 N = (uint64_t)(1) << logN;
150 if ((memlimit / N) / r < 128)
152 if ((opslimit / N) / (r * p) < 4)
160 getsalt(uint8_t salt[32])
164 uint8_t * buf = salt;
167 /* Open /dev/urandom. */
168 if ((fd = open("/dev/urandom", O_RDONLY)) == -1)
171 /* Read bytes until we have filled the buffer. */
173 if ((lenread = read(fd, buf, buflen)) == -1)
176 /* The random device should never EOF. */
180 /* We're partly done. */
185 /* Close the device. */
186 while (close(fd) == -1) {
202 scryptenc_setup(uint8_t header[96], uint8_t dk[64],
203 const uint8_t * passwd, size_t passwdlen,
204 size_t maxmem, double maxmemfrac, double maxtime)
213 uint8_t * key_hmac = &dk[32];
214 HMAC_SHA256_CTX hctx;
217 /* Pick values for N, r, p. */
218 if ((rc = pickparams(maxmem, maxmemfrac, maxtime,
219 &logN, &r, &p)) != 0)
221 N = (uint64_t)(1) << logN;
224 if ((rc = getsalt(salt)) != 0)
227 /* Generate the derived keys. */
228 if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
231 /* Construct the file header. */
232 memcpy(header, "scrypt", 6);
235 be32enc(&header[8], r);
236 be32enc(&header[12], p);
237 memcpy(&header[16], salt, 32);
239 /* Add header checksum. */
241 SHA256_Update(&ctx, header, 48);
242 SHA256_Final(hbuf, &ctx);
243 memcpy(&header[48], hbuf, 16);
245 /* Add header signature (used for verifying password). */
246 HMAC_SHA256_Init(&hctx, key_hmac, 32);
247 HMAC_SHA256_Update(&hctx, header, 64);
248 HMAC_SHA256_Final(hbuf, &hctx);
249 memcpy(&header[64], hbuf, 32);
256 scryptdec_setup(const uint8_t header[96], uint8_t dk[64],
257 const uint8_t * passwd, size_t passwdlen,
258 size_t maxmem, double maxmemfrac, double maxtime)
267 uint8_t * key_hmac = &dk[32];
268 HMAC_SHA256_CTX hctx;
271 /* Parse N, r, p, salt. */
273 r = be32dec(&header[8]);
274 p = be32dec(&header[12]);
275 memcpy(salt, &header[16], 32);
277 /* Verify header checksum. */
279 SHA256_Update(&ctx, header, 48);
280 SHA256_Final(hbuf, &ctx);
281 if (memcmp(&header[48], hbuf, 16))
285 * Check whether the provided parameters are valid and whether the
286 * key derivation function can be computed within the allowed memory
289 if ((rc = checkparams(maxmem, maxmemfrac, maxtime, logN, r, p)) != 0)
292 /* Compute the derived keys. */
293 N = (uint64_t)(1) << logN;
294 if (crypto_scrypt(passwd, passwdlen, salt, 32, N, r, p, dk, 64))
297 /* Check header signature (i.e., verify password). */
298 HMAC_SHA256_Init(&hctx, key_hmac, 32);
299 HMAC_SHA256_Update(&hctx, header, 64);
300 HMAC_SHA256_Final(hbuf, &hctx);
301 if (memcmp(hbuf, &header[64], 32))
309 * scryptenc_buf(inbuf, inbuflen, outbuf, passwd, passwdlen,
310 * maxmem, maxmemfrac, maxtime):
311 * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128
315 scryptenc_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
316 const uint8_t * passwd, size_t passwdlen,
317 size_t maxmem, double maxmemfrac, double maxtime)
322 uint8_t * key_enc = dk;
323 uint8_t * key_hmac = &dk[32];
325 HMAC_SHA256_CTX hctx;
327 struct crypto_aesctr * AES;
329 /* Generate the header and derived key. */
330 if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
331 maxmem, maxmemfrac, maxtime)) != 0)
334 /* Copy header into output buffer. */
335 memcpy(outbuf, header, 96);
338 if (AES_set_encrypt_key(key_enc, 256, &key_enc_exp))
340 if ((AES = crypto_aesctr_init(&key_enc_exp, 0)) == NULL)
342 crypto_aesctr_stream(AES, inbuf, &outbuf[96], inbuflen);
343 crypto_aesctr_free(AES);
346 HMAC_SHA256_Init(&hctx, key_hmac, 32);
347 HMAC_SHA256_Update(&hctx, outbuf, 96 + inbuflen);
348 HMAC_SHA256_Final(hbuf, &hctx);
349 memcpy(&outbuf[96 + inbuflen], hbuf, 32);
351 /* Zero sensitive data. */
353 memset(&key_enc_exp, 0, sizeof(AES_KEY));
360 * scryptdec_buf(inbuf, inbuflen, outbuf, outlen, passwd, passwdlen,
361 * maxmem, maxmemfrac, maxtime):
362 * Decrypt inbuflen bytes fro inbuf, writing the result into outbuf and the
363 * decrypted data length to outlen. The allocated length of outbuf must
364 * be at least inbuflen.
367 scryptdec_buf(const uint8_t * inbuf, size_t inbuflen, uint8_t * outbuf,
368 size_t * outlen, const uint8_t * passwd, size_t passwdlen,
369 size_t maxmem, double maxmemfrac, double maxtime)
373 uint8_t * key_enc = dk;
374 uint8_t * key_hmac = &dk[32];
376 HMAC_SHA256_CTX hctx;
378 struct crypto_aesctr * AES;
381 * All versions of the scrypt format will start with "scrypt" and
382 * have at least 7 bytes of header.
384 if ((inbuflen < 7) || (memcmp(inbuf, "scrypt", 6) != 0))
387 /* Check the format. */
391 /* We must have at least 128 bytes. */
395 /* Parse the header and generate derived keys. */
396 if ((rc = scryptdec_setup(inbuf, dk, passwd, passwdlen,
397 maxmem, maxmemfrac, maxtime)) != 0)
401 if (AES_set_encrypt_key(key_enc, 256, &key_enc_exp))
403 if ((AES = crypto_aesctr_init(&key_enc_exp, 0)) == NULL)
405 crypto_aesctr_stream(AES, &inbuf[96], outbuf, inbuflen - 128);
406 crypto_aesctr_free(AES);
407 *outlen = inbuflen - 128;
409 /* Verify signature. */
410 HMAC_SHA256_Init(&hctx, key_hmac, 32);
411 HMAC_SHA256_Update(&hctx, inbuf, inbuflen - 32);
412 HMAC_SHA256_Final(hbuf, &hctx);
413 if (memcmp(hbuf, &inbuf[inbuflen - 32], 32))
416 /* Zero sensitive data. */
418 memset(&key_enc_exp, 0, sizeof(AES_KEY));
425 * scryptenc_file(infile, outfile, passwd, passwdlen,
426 * maxmem, maxmemfrac, maxtime):
427 * Read a stream from infile and encrypt it, writing the resulting stream to
431 scryptenc_file(FILE * infile, FILE * outfile,
432 const uint8_t * passwd, size_t passwdlen,
433 size_t maxmem, double maxmemfrac, double maxtime)
435 uint8_t buf[ENCBLOCK];
439 uint8_t * key_enc = dk;
440 uint8_t * key_hmac = &dk[32];
442 HMAC_SHA256_CTX hctx;
444 struct crypto_aesctr * AES;
447 /* Generate the header and derived key. */
448 if ((rc = scryptenc_setup(header, dk, passwd, passwdlen,
449 maxmem, maxmemfrac, maxtime)) != 0)
452 /* Hash and write the header. */
453 HMAC_SHA256_Init(&hctx, key_hmac, 32);
454 HMAC_SHA256_Update(&hctx, header, 96);
455 if (fwrite(header, 96, 1, outfile) != 1)
459 * Read blocks of data, encrypt them, and write them out; hash the
460 * data as it is produced.
462 if (AES_set_encrypt_key(key_enc, 256, &key_enc_exp))
464 if ((AES = crypto_aesctr_init(&key_enc_exp, 0)) == NULL)
467 if ((readlen = fread(buf, 1, ENCBLOCK, infile)) == 0)
469 crypto_aesctr_stream(AES, buf, buf, readlen);
470 HMAC_SHA256_Update(&hctx, buf, readlen);
471 if (fwrite(buf, 1, readlen, outfile) < readlen)
474 crypto_aesctr_free(AES);
476 /* Did we exit the loop due to a read error? */
480 /* Compute the final HMAC and output it. */
481 HMAC_SHA256_Final(hbuf, &hctx);
482 if (fwrite(hbuf, 32, 1, outfile) != 1)
485 /* Zero sensitive data. */
487 memset(&key_enc_exp, 0, sizeof(AES_KEY));
494 * scryptdec_file(infile, outfile, passwd, passwdlen,
495 * maxmem, maxmemfrac, maxtime):
496 * Read a stream from infile and decrypt it, writing the resulting stream to
500 scryptdec_file(FILE * infile, FILE * outfile,
501 const uint8_t * passwd, size_t passwdlen,
502 size_t maxmem, double maxmemfrac, double maxtime)
504 uint8_t buf[ENCBLOCK + 32];
508 uint8_t * key_enc = dk;
509 uint8_t * key_hmac = &dk[32];
512 HMAC_SHA256_CTX hctx;
514 struct crypto_aesctr * AES;
518 * Read the first 7 bytes of the file; all future version of scrypt
519 * are guaranteed to have at least 7 bytes of header.
521 if (fread(header, 7, 1, infile) < 1) {
528 /* Do we have the right magic? */
529 if (memcmp(header, "scrypt", 6))
535 * Read another 89 bytes of the file; version 0 of the srypt file
536 * format has a 96-byte header.
538 if (fread(&header[7], 89, 1, infile) < 1) {
545 /* Parse the header and generate derived keys. */
546 if ((rc = scryptdec_setup(header, dk, passwd, passwdlen,
547 maxmem, maxmemfrac, maxtime)) != 0)
550 /* Start hashing with the header. */
551 HMAC_SHA256_Init(&hctx, key_hmac, 32);
552 HMAC_SHA256_Update(&hctx, header, 96);
555 * We don't know how long the encrypted data block is (we can't know,
556 * since data can be streamed into 'scrypt enc') so we need to read
557 * data and decrypt all of it except the final 32 bytes, then check
558 * if that final 32 bytes is the correct signature.
560 if (AES_set_encrypt_key(key_enc, 256, &key_enc_exp))
562 if ((AES = crypto_aesctr_init(&key_enc_exp, 0)) == NULL)
565 /* Read data until we have more than 32 bytes of it. */
566 if ((readlen = fread(&buf[buflen], 1,
567 ENCBLOCK + 32 - buflen, infile)) == 0)
574 * Decrypt, hash, and output everything except the last 32
575 * bytes out of what we have in our buffer.
577 HMAC_SHA256_Update(&hctx, buf, buflen - 32);
578 crypto_aesctr_stream(AES, buf, buf, buflen - 32);
579 if (fwrite(buf, 1, buflen - 32, outfile) < buflen - 32)
582 /* Move the last 32 bytes to the start of the buffer. */
583 memmove(buf, &buf[buflen - 32], 32);
586 crypto_aesctr_free(AES);
588 /* Did we exit the loop due to a read error? */
592 /* Did we read enough data that we *might* have a valid signature? */
596 /* Verify signature. */
597 HMAC_SHA256_Final(hbuf, &hctx);
598 if (memcmp(hbuf, buf, 32))
601 /* Zero sensitive data. */
603 memset(&key_enc_exp, 0, sizeof(AES_KEY));