/* * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include <openssl/evp.h> #include <assert.h> #include <openssl/err.h> #include <openssl/mem.h> #include "../internal.h" // This file implements scrypt, described in RFC 7914. // // Note scrypt refers to both "blocks" and a "block size" parameter, r. These // are two different notions of blocks. A Salsa20 block is 64 bytes long, // represented in this implementation by 16 |uint32_t|s. |r| determines the // number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r| // Salsa20 blocks. This implementation refers to them as Salsa20 blocks and // scrypt blocks, respectively. // A block_t is a Salsa20 block. block_t; static_assert; // salsa208_word_specification implements the Salsa20/8 core function, also // described in RFC 7914, section 3. It modifies the block at |inout| // in-place. static void salsa208_word_specification(block_t *inout) { … } // xor_block sets |*out| to be |*a| XOR |*b|. static void xor_block(block_t *out, const block_t *a, const block_t *b) { … } // scryptBlockMix implements the function described in RFC 7914, section 4. B' // is written to |out|. |out| and |B| may not alias and must be each one scrypt // block (2 * |r| Salsa20 blocks) long. static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) { … } // scryptROMix implements the function described in RFC 7914, section 5. |B| is // an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and // |V| are scratch space allocated by the caller. |T| must have space for one // scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt // blocks (2 * |r| * |N| Salsa20 blocks). static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, block_t *V) { … } // SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the // bounds on p in section 6: // // p <= ((2^32-1) * hLen) / MFLen iff // p <= ((2^32-1) * 32) / (128 * r) iff // p * r <= (2^30-1) #define SCRYPT_PR_MAX … // SCRYPT_MAX_MEM is the default maximum memory that may be allocated by // |EVP_PBE_scrypt|. #define SCRYPT_MAX_MEM … int EVP_PBE_scrypt(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r, uint64_t p, size_t max_mem, uint8_t *out_key, size_t key_len) { … }