/* * Copyright (c) 2008-2021 Jonathan Schleifer <js@nil.im> * * All rights reserved. * * This file is part of ObjFW. It may be distributed under the terms of the * Q Public License 1.0, which can be found in the file LICENSE.QPL included in * the packaging of this file. * * Alternatively, it may be distributed under the terms of the GNU General * Public License, either version 2 or 3, which can be found in the file * LICENSE.GPLv2 or LICENSE.GPLv3 respectively included in the packaging of this * file. */ #include "config.h" #import "OFHMAC.h" #import "OFSHA256Hash.h" #import "OFSecureData.h" #import "OFInvalidArgumentException.h" #import "OFOutOfMemoryException.h" #import "OFOutOfRangeException.h" #import "scrypt.h" #import "pbkdf2.h" void of_salsa20_8_core(uint32_t buffer[16]) { uint32_t tmp[16]; for (uint_fast8_t i = 0; i < 16; i++) tmp[i] = OF_BSWAP32_IF_BE(buffer[i]); for (uint_fast8_t i = 0; i < 8; i += 2) { tmp[ 4] ^= OF_ROL(tmp[ 0] + tmp[12], 7); tmp[ 8] ^= OF_ROL(tmp[ 4] + tmp[ 0], 9); tmp[12] ^= OF_ROL(tmp[ 8] + tmp[ 4], 13); tmp[ 0] ^= OF_ROL(tmp[12] + tmp[ 8], 18); tmp[ 9] ^= OF_ROL(tmp[ 5] + tmp[ 1], 7); tmp[13] ^= OF_ROL(tmp[ 9] + tmp[ 5], 9); tmp[ 1] ^= OF_ROL(tmp[13] + tmp[ 9], 13); tmp[ 5] ^= OF_ROL(tmp[ 1] + tmp[13], 18); tmp[14] ^= OF_ROL(tmp[10] + tmp[ 6], 7); tmp[ 2] ^= OF_ROL(tmp[14] + tmp[10], 9); tmp[ 6] ^= OF_ROL(tmp[ 2] + tmp[14], 13); tmp[10] ^= OF_ROL(tmp[ 6] + tmp[ 2], 18); tmp[ 3] ^= OF_ROL(tmp[15] + tmp[11], 7); tmp[ 7] ^= OF_ROL(tmp[ 3] + tmp[15], 9); tmp[11] ^= OF_ROL(tmp[ 7] + tmp[ 3], 13); tmp[15] ^= OF_ROL(tmp[11] + tmp[ 7], 18); tmp[ 1] ^= OF_ROL(tmp[ 0] + tmp[ 3], 7); tmp[ 2] ^= OF_ROL(tmp[ 1] + tmp[ 0], 9); tmp[ 3] ^= OF_ROL(tmp[ 2] + tmp[ 1], 13); tmp[ 0] ^= OF_ROL(tmp[ 3] + tmp[ 2], 18); tmp[ 6] ^= OF_ROL(tmp[ 5] + tmp[ 4], 7); tmp[ 7] ^= OF_ROL(tmp[ 6] + tmp[ 5], 9); tmp[ 4] ^= OF_ROL(tmp[ 7] + tmp[ 6], 13); tmp[ 5] ^= OF_ROL(tmp[ 4] + tmp[ 7], 18); tmp[11] ^= OF_ROL(tmp[10] + tmp[ 9], 7); tmp[ 8] ^= OF_ROL(tmp[11] + tmp[10], 9); tmp[ 9] ^= OF_ROL(tmp[ 8] + tmp[11], 13); tmp[10] ^= OF_ROL(tmp[ 9] + tmp[ 8], 18); tmp[12] ^= OF_ROL(tmp[15] + tmp[14], 7); tmp[13] ^= OF_ROL(tmp[12] + tmp[15], 9); tmp[14] ^= OF_ROL(tmp[13] + tmp[12], 13); tmp[15] ^= OF_ROL(tmp[14] + tmp[13], 18); } for (uint_fast8_t i = 0; i < 16; i++) buffer[i] = OF_BSWAP32_IF_BE(OF_BSWAP32_IF_BE(buffer[i]) + tmp[i]); of_explicit_memset(tmp, 0, sizeof(tmp)); } void of_scrypt_block_mix(uint32_t *output, const uint32_t *input, size_t blockSize) { uint32_t tmp[16]; /* Check defined here and executed in of_scrypt() */ #define OVERFLOW_CHECK_1 \ if (param.blockSize > SIZE_MAX / 2 || \ 2 * param.blockSize - 1 > SIZE_MAX / 16) \ @throw [OFOutOfRangeException exception]; memcpy(tmp, input + (2 * blockSize - 1) * 16, 64); for (size_t i = 0; i < 2 * blockSize; i++) { for (size_t j = 0; j < 16; j++) tmp[j] ^= input[i * 16 + j]; of_salsa20_8_core(tmp); /* * Even indices are stored in the first half and odd ones in * the second. */ memcpy(output + ((i / 2) + (i & 1) * blockSize) * 16, tmp, 64); } of_explicit_memset(tmp, 0, sizeof(tmp)); } void of_scrypt_romix(uint32_t *buffer, size_t blockSize, size_t costFactor, uint32_t *tmp) { /* Check defined here and executed in of_scrypt() */ #define OVERFLOW_CHECK_2 \ if (param.blockSize > SIZE_MAX / 128 / param.costFactor) \ @throw [OFOutOfRangeException exception]; uint32_t *tmp2 = tmp + 32 * blockSize; memcpy(tmp, buffer, 128 * blockSize); for (size_t i = 0; i < costFactor; i++) { memcpy(tmp2 + i * 32 * blockSize, tmp, 128 * blockSize); of_scrypt_block_mix(tmp, tmp2 + i * 32 * blockSize, blockSize); } for (size_t i = 0; i < costFactor; i++) { uint32_t j = OF_BSWAP32_IF_BE(tmp[(2 * blockSize - 1) * 16]) & (costFactor - 1); for (size_t k = 0; k < 32 * blockSize; k++) tmp[k] ^= tmp2[j * 32 * blockSize + k]; of_scrypt_block_mix(buffer, tmp, blockSize); if (i < costFactor - 1) memcpy(tmp, buffer, 128 * blockSize); } } void of_scrypt(of_scrypt_parameters_t param) { OFSecureData *tmp = nil, *buffer = nil; OFHMAC *HMAC = nil; if (param.blockSize == 0 || param.costFactor <= 1 || (param.costFactor & (param.costFactor - 1)) != 0 || param.parallelization == 0) @throw [OFInvalidArgumentException exception]; /* * These are defined by the functions above. They are defined there so * that the check is next to the code and easy to verify, but actually * checked here for performance. */ OVERFLOW_CHECK_1 OVERFLOW_CHECK_2 @try { uint32_t *tmpItems, *bufferItems; if (param.costFactor > SIZE_MAX - 1 || (param.costFactor + 1) > SIZE_MAX / 128) @throw [OFOutOfRangeException exception]; tmp = [[OFSecureData alloc] initWithCount: (param.costFactor + 1) * 128 itemSize: param.blockSize allowsSwappableMemory: param.allowsSwappableMemory]; tmpItems = tmp.mutableItems; if (param.parallelization > SIZE_MAX / 128) @throw [OFOutOfRangeException exception]; buffer = [[OFSecureData alloc] initWithCount: param.parallelization * 128 itemSize: param.blockSize allowsSwappableMemory: param.allowsSwappableMemory]; bufferItems = buffer.mutableItems; HMAC = [[OFHMAC alloc] initWithHashClass: [OFSHA256Hash class] allowsSwappableMemory: param.allowsSwappableMemory]; of_pbkdf2((of_pbkdf2_parameters_t){ .HMAC = HMAC, .iterations = 1, .salt = param.salt, .saltLength = param.saltLength, .password = param.password, .passwordLength = param.passwordLength, .key = (unsigned char *)bufferItems, .keyLength = param.parallelization * 128 * param.blockSize, .allowsSwappableMemory = param.allowsSwappableMemory }); for (size_t i = 0; i < param.parallelization; i++) of_scrypt_romix(bufferItems + i * 32 * param.blockSize, param.blockSize, param.costFactor, tmpItems); of_pbkdf2((of_pbkdf2_parameters_t){ .HMAC = HMAC, .iterations = 1, .salt = (unsigned char *)bufferItems, .saltLength = param.parallelization * 128 * param.blockSize, .password = param.password, .passwordLength = param.passwordLength, .key = param.key, .keyLength = param.keyLength, .allowsSwappableMemory = param.allowsSwappableMemory }); } @finally { [tmp release]; [buffer release]; [HMAC release]; } }