xref: /haiku/src/system/libroot/posix/crypt/crypto_scrypt.cpp (revision ed24eb5ff12640d052171c6a7feba37fab8a75d1) 
1 /*-
2  * Copyright 2009 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * This file was originally written by Colin Percival as part of the Tarsnap
27  * online backup system.
28  */
29 #include <sys/types.h>
30 #include <sys/mman.h>
31 
32 #include <errno.h>
33 #include <stdint.h>
34 #include <stdlib.h>
35 #include <string.h>
36 
37 #include "pbkdf2.h"
38 
39 #include "crypto_scrypt_smix.h"
40 
41 #include "crypto_scrypt.h"
42 
43 /**
44  * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
45  * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
46  * p, buflen) and write the result into buf.  The parameters r, p, and buflen
47  * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
48  * must be a power of 2 greater than 1.
49  *
50  * Return 0 on success; or -1 on error.
51  */
52 int
53 crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
54     const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
55     uint8_t * buf, size_t buflen)
56 {
57 	void * B0, * V0, * XY0;
58 	uint8_t * B;
59 	uint32_t * V;
60 	uint32_t * XY;
61 	size_t r = _r, p = _p;
62 	uint32_t i;
63 
64 	/* Sanity-check parameters. */
65 #if SIZE_MAX > UINT32_MAX
66 	if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
67 		errno = EFBIG;
68 		goto err0;
69 	}
70 #endif
71 	if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
72 		errno = EFBIG;
73 		goto err0;
74 	}
75 	if (((N & (N - 1)) != 0) || (N < 2)) {
76 		errno = EINVAL;
77 		goto err0;
78 	}
79 	if ((r > SIZE_MAX / 128 / p) ||
80 #if SIZE_MAX / 256 <= UINT32_MAX
81 	    (r > (SIZE_MAX - 64) / 256) ||
82 #endif
83 	    (N > SIZE_MAX / 128 / r)) {
84 		errno = ENOMEM;
85 		goto err0;
86 	}
87 
88 	/* Allocate memory. */
89 #ifdef HAVE_POSIX_MEMALIGN
90 	if ((errno = posix_memalign(&B0, 64, 128 * r * p)) != 0)
91 		goto err0;
92 	B = (uint8_t *)(B0);
93 	if ((errno = posix_memalign(&XY0, 64, 256 * r + 64)) != 0)
94 		goto err1;
95 	XY = (uint32_t *)(XY0);
96 #if !defined(MAP_ANON) || !defined(HAVE_MMAP)
97 	if ((errno = posix_memalign(&V0, 64, 128 * r * N)) != 0)
98 		goto err2;
99 	V = (uint32_t *)(V0);
100 #endif
101 #else
102 	if ((B0 = malloc(128 * r * p + 63)) == NULL)
103 		goto err0;
104 	B = (uint8_t *)(((uintptr_t)(B0) + 63) & ~ (uintptr_t)(63));
105 	if ((XY0 = malloc(256 * r + 64 + 63)) == NULL)
106 		goto err1;
107 	XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
108 #if !defined(MAP_ANON) || !defined(HAVE_MMAP)
109 	if ((V0 = malloc(128 * r * N + 63)) == NULL)
110 		goto err2;
111 	V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
112 #endif
113 #endif
114 #if defined(MAP_ANON) && defined(HAVE_MMAP)
115 	if ((V0 = mmap(NULL, 128 * r * N, PROT_READ | PROT_WRITE,
116 #ifdef MAP_NOCORE
117 	    MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
118 #else
119 	    MAP_ANON | MAP_PRIVATE,
120 #endif
121 	    -1, 0)) == MAP_FAILED)
122 		goto err2;
123 	V = (uint32_t *)(V0);
124 #endif
125 
126 	/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
127 	PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
128 
129 	/* 2: for i = 0 to p - 1 do */
130 	for (i = 0; i < p; i++) {
131 		/* 3: B_i <-- MF(B_i, N) */
132 		crypto_scrypt_smix(&B[i * 128 * r], r, N, V, XY);
133 	}
134 
135 	/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
136 	PBKDF2_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
137 
138 	/* Free memory. */
139 #if defined(MAP_ANON) && defined(HAVE_MMAP)
140 	if (munmap(V0, 128 * r * N))
141 		goto err2;
142 #else
143 	free(V0);
144 #endif
145 	free(XY0);
146 	free(B0);
147 
148 	/* Success! */
149 	return (0);
150 
151 err2:
152 	free(XY0);
153 err1:
154 	free(B0);
155 err0:
156 	/* Failure! */
157 	return (-1);
158 }
159