Merge pull request #669 from SparkiDev/scrypt

Implementation of scrypt
2016-12-16 15:53:48 -08:00 · 2016-12-16 15:53:48 -08:00 · 50cf1df8da
commit 50cf1df8da
parent c73ddf3f8a 20887a8c35
5 changed files with 391 additions and 1 deletions
--- a/configure.ac
+++ b/configure.ac
@ -2427,6 +2427,24 @@ fi
 AM_CONDITIONAL([BUILD_PWDBASED], [test "x$ENABLED_PWDBASED" = "xyes"])


+AC_ARG_ENABLE([scrypt],
+    [  --enable-scrypt         Enable SCRYPT (default: disabled)],
+    [ ENABLED_SCRYPT=$enableval ],
+    [ ENABLED_SCRYPT=no ]
+    )
+
+if test "$ENABLED_SCRYPT" = "yes"
+then
+    if test "$ENABLED_PWDBASED" = "no"
+    then
+        AC_MSG_ERROR([cannot enable scrypt without enabling pwdbased.])
+    fi
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_SCRYPT"
+fi
+
+AM_CONDITIONAL([BUILD_SCRYPT], [test "x$ENABLED_SCRYPT" = "xyes"])
+
+
 # wolfCrypt Only Build
 AC_ARG_ENABLE([cryptonly],
    [AS_HELP_STRING([--enable-cryptonly],[Enable wolfCrypt Only build (default: disabled)])],
@ -3299,6 +3317,7 @@ echo "   * RABBIT:                     $ENABLED_RABBIT"
 echo "   * CHACHA:                     $ENABLED_CHACHA"
 echo "   * Hash DRBG:                  $ENABLED_HASHDRBG"
 echo "   * PWDBASED:                   $ENABLED_PWDBASED"
+echo "   * scrypt:                     $ENABLED_SCRYPT"
 echo "   * wolfCrypt Only:             $ENABLED_CRYPTONLY"
 echo "   * HKDF:                       $ENABLED_HKDF"
 echo "   * X9.63 KDF:                  $ENABLED_X963KDF"
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@ -70,6 +70,9 @@
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/ripemd.h>
 #include <wolfssl/wolfcrypt/cmac.h>
+#ifndef NO_PWDBASED
+    #include <wolfssl/wolfcrypt/pwdbased.h>
+#endif
 #ifdef HAVE_ECC
    #include <wolfssl/wolfcrypt/ecc.h>
 #endif
@ -197,6 +200,7 @@ void bench_sha384(void);
 void bench_sha512(void);
 void bench_ripemd(void);
 void bench_cmac(void);
+void bench_scrypt(void);

 void bench_rsa(void);
 #ifdef WOLFSSL_ASYNC_CRYPT
@ -422,6 +426,12 @@ int benchmark_test(void *args)

    printf("\n");

+#ifdef HAVE_SCRYPT
+    bench_scrypt();
+#endif
+
+    printf("\n");
+
 #ifndef NO_RSA
    bench_rsa();
    #ifdef WOLFSSL_ASYNC_CRYPT
@ -490,6 +500,7 @@ int benchmark_test(void *args)
 #ifdef BENCH_EMBEDDED
 enum BenchmarkBounds {
    numBlocks  = 25, /* how many kB to test (en/de)cryption */
+    scryptCnt  = 1,
    ntimes     = 1,
    genTimes   = 5,  /* public key iterations */
    agreeTimes = 5
@ -498,6 +509,7 @@ static const char blockType[] = "kB";   /* used in printf output */
 #else
 enum BenchmarkBounds {
    numBlocks  = 50,  /* how many megs to test (en/de)cryption */
+    scryptCnt  = 10,
 #ifdef WOLFSSL_ASYNC_CRYPT
    ntimes     = 1000,
    genTimes   = 1000,
@ -1474,6 +1486,32 @@ void bench_cmac(void)

 #endif /* WOLFSSL_CMAC */

+#ifdef HAVE_SCRYPT
+
+void bench_scrypt(void)
+{
+    byte   derived[64];
+    double start, total, each, milliEach;
+    int    ret, i;
+
+    start = current_time(1);
+    for (i = 0; i < scryptCnt; i++) {
+        ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                        (byte*)"SodiumChloride", 14, 14, 8, 1, sizeof(derived));
+        if (ret != 0) {
+            printf("scrypt failed, ret = %d\n", ret);
+            return;
+        }
+    }
+    total = current_time(0) - start;
+    each  = total / scryptCnt;   /* per second   */
+    milliEach = each * 1000; /* milliseconds */
+
+    printf("scrypt   %6.3f milliseconds, avg over %d"
+           " iterations\n", milliEach, scryptCnt);
+}
+
+#endif /* HAVE_SCRYPT */

 #ifndef NO_RSA

--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@ -569,6 +569,243 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
    return ret;
 }

+#ifdef HAVE_SCRYPT
+/* Rotate the 32-bit value a by b bits to the left.
+ *
+ * a  32-bit value.
+ * b  Number of bits to rotate.
+ * returns rotated value.
+ */
+#define R(a, b) rotlFixed(a, b)
+
+/* One round of Salsa20/8.
+ * Code taken from RFC 7914: scrypt PBKDF.
+ *
+ * out  Output buffer.
+ * in   Input data to hash.
+ */
+static void scryptSalsa(word32* out, word32* in)
+{
+    int    i;
+    word32 x[16];
+
+#ifdef LITTLE_ENDIAN_ORDER
+    for (i = 0; i < 16; ++i)
+        x[i] = in[i];
+#else
+    for (i = 0; i < 16; i++)
+        x[i] = ByteReverseWord32(in[i]);
+#endif
+    for (i = 8; i > 0; i -= 2) {
+        x[ 4] ^= R(x[ 0] + x[12],  7);  x[ 8] ^= R(x[ 4] + x[ 0],  9);
+        x[12] ^= R(x[ 8] + x[ 4], 13);  x[ 0] ^= R(x[12] + x[ 8], 18);
+        x[ 9] ^= R(x[ 5] + x[ 1],  7);  x[13] ^= R(x[ 9] + x[ 5],  9);
+        x[ 1] ^= R(x[13] + x[ 9], 13);  x[ 5] ^= R(x[ 1] + x[13], 18);
+        x[14] ^= R(x[10] + x[ 6],  7);  x[ 2] ^= R(x[14] + x[10],  9);
+        x[ 6] ^= R(x[ 2] + x[14], 13);  x[10] ^= R(x[ 6] + x[ 2], 18);
+        x[ 3] ^= R(x[15] + x[11],  7);  x[ 7] ^= R(x[ 3] + x[15],  9);
+        x[11] ^= R(x[ 7] + x[ 3], 13);  x[15] ^= R(x[11] + x[ 7], 18);
+        x[ 1] ^= R(x[ 0] + x[ 3],  7);  x[ 2] ^= R(x[ 1] + x[ 0],  9);
+        x[ 3] ^= R(x[ 2] + x[ 1], 13);  x[ 0] ^= R(x[ 3] + x[ 2], 18);
+        x[ 6] ^= R(x[ 5] + x[ 4],  7);  x[ 7] ^= R(x[ 6] + x[ 5],  9);
+        x[ 4] ^= R(x[ 7] + x[ 6], 13);  x[ 5] ^= R(x[ 4] + x[ 7], 18);
+        x[11] ^= R(x[10] + x[ 9],  7);  x[ 8] ^= R(x[11] + x[10],  9);
+        x[ 9] ^= R(x[ 8] + x[11], 13);  x[10] ^= R(x[ 9] + x[ 8], 18);
+        x[12] ^= R(x[15] + x[14],  7);  x[13] ^= R(x[12] + x[15],  9);
+        x[14] ^= R(x[13] + x[12], 13);  x[15] ^= R(x[14] + x[13], 18);
+    }
+#ifdef LITTLE_ENDIAN_ORDER
+    for (i = 0; i < 16; ++i)
+        out[i] = in[i] + x[i];
+#else
+    for (i = 0; i < 16; i++)
+        out[i] = ByteReverseWord32(in[i] + x[i]);
+#endif
+}
+
+/* Mix a block using Salsa20/8.
+ * Based on RFC 7914: scrypt PBKDF.
+ *
+ * b  Blocks to mix.
+ * y  Temporary storage.
+ * r  Size of the block.
+ */
+static void scryptBlockMix(byte* b, byte* y, int r)
+{
+    byte x[64];
+#ifdef WORD64_AVAILABLE
+    word64* b64 = (word64*)b;
+    word64* y64 = (word64*)y;
+    word64* x64 = (word64*)x;
+#else
+    word32* b32 = (word32*)b;
+    word32* y32 = (word32*)y;
+    word32* x32 = (word32*)x;
+#endif
+    int  i;
+    int  j;
+
+    /* Step 1. */
+    XMEMCPY(x, b + (2 * r - 1) * 64, sizeof(x));
+    /* Step 2. */
+    for (i = 0; i < 2 * r; i++)
+    {
+#ifdef WORD64_AVAILABLE
+        for (j = 0; j < 8; j++)
+            x64[j] ^= b64[i * 8 + j];
+#else
+        for (j = 0; j < 16; j++)
+            x32[j] ^= b32[i * 16 + j];
+#endif
+        scryptSalsa((word32*)x, (word32*)x);
+        XMEMCPY(y + i * 64, x, sizeof(x));
+    }
+    /* Step 3. */
+    for (i = 0; i < r; i++) {
+#ifdef WORD64_AVAILABLE
+        for (j = 0; j < 8; j++) {
+            b64[i * 8 + j] = y64[2 * i * 8 + j];
+            b64[(r + i) * 8 + j] = y64[(2 * i + 1) * 8 + j];
+        }
+#else
+        for (j = 0; j < 16; j++) {
+            b32[i * 16 + j] = y32[2 * i * 16 + j];
+            b32[(r + i) * 16 + j] = y32[(2 * i + 1) * 16 + j];
+        }
+#endif
+    }
+}
+
+/* Random oracles mix.
+ * Based on RFC 7914: scrypt PBKDF.
+ *
+ * x  Data to mix.
+ * v  Temporary buffer.
+ * y  Temporary buffer for the block mix.
+ * r  Block size parameter.
+ * n  CPU/Memory cost parameter.
+ */
+static void scryptROMix(byte* x, byte* v, byte* y, int r, word32 n)
+{
+    word32 i;
+    word32 j;
+    word32 k;
+    word32 bSz = 128 * r;
+#ifdef WORD64_AVAILABLE
+    word64* x64 = (word64*)x;
+    word64* v64 = (word64*)v;
+#else
+    word32* x32 = (word32*)x;
+    word32* v32 = (word32*)v;
+#endif
+
+    /* Step 1. X = B (B not needed therefore not implemented) */
+    /* Step 2. */
+    for (i = 0; i < n; i++)
+    {
+        XMEMCPY(v + i * bSz, x, bSz);
+        scryptBlockMix(x, y, r);
+    }
+
+    /* Step 3. */
+    for (i = 0; i < n; i++)
+    {
+#ifdef LITTLE_ENDIAN_ORDER
+#ifdef WORD64_AVAILABLE
+        j = *(word64*)(x + (2*r - 1) * 64) & (n-1);
+#else
+        j = *(word32*)(x + (2*r - 1) * 64) & (n-1);
+#endif
+#else
+        byte* t = x + (2*r - 1) * 64;
+        j = (t[0] | (t[1] << 8) | (t[2] << 16) | (t[3] << 24)) & (n-1);
+#endif
+#ifdef WORD64_AVAILABLE
+        for (k = 0; k < bSz / 8; k++)
+            x64[k] ^= v64[j * bSz / 8 + k];
+#else
+        for (k = 0; k < bSz / 4; k++)
+            x32[k] ^= v32[j * bSz / 4 + k];
+#endif
+        scryptBlockMix(x, y, r);
+    }
+    /* Step 4. B' = X (B = X = B' so not needed, therefore not implemented) */
+}
+
+/* Generates an key derived from a password and salt using a memory hard
+ * algorithm.
+ * Implements RFC 7914: scrypt PBKDF.
+ *
+ * output     The derived key.
+ * passwd     The password to derive key from.
+ * passLen    The length of the password.
+ * salt       The key specific data.
+ * saltLen    The length of the salt data.
+ * cost       The CPU/memory cost parameter. Range: 1..(128*r/8-1)
+ *            (Iterations = 2^cost)
+ * blockSize  The number of 128 byte octets in a working block.
+ * parallel   The number of parallel mix operations to perform.
+ *            (Note: this implementation does not use threads.)
+ * dkLen      The length of the derived key in bytes.
+ * returns BAD_FUNC_ARG when: parallel not 1, blockSize is too large for cost.
+ */
+int wc_scrypt(byte* output, const byte* passwd, int passLen,
+              const byte* salt, int saltLen, int cost, int blockSize,
+              int parallel, int dkLen)
+{
+    int    ret = 0;
+    int    i;
+    byte*  v = NULL;
+    byte*  y = NULL;
+    byte*  blocks = NULL;
+    word32 blocksSz;
+    word32 bSz;
+
+    if (blockSize > 8)
+        return BAD_FUNC_ARG;
+
+    if (cost < 1 || cost >= 128 * blockSize / 8)
+        return BAD_FUNC_ARG;
+
+    bSz = 128 * blockSize;
+    blocksSz = bSz * parallel;
+    blocks = XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (blocks == NULL)
+        goto end;
+    /* Temporary for scryptROMix. */
+    v = XMALLOC((1 << cost) * bSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (v == NULL)
+        goto end;
+    /* Temporary for scryptBlockMix. */
+    y = XMALLOC(blockSize * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (y == NULL)
+        goto end;
+
+    /* Step 1. */
+    ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, blocksSz,
+                    SHA256);
+    if (ret != 0)
+        goto end;
+
+    /* Step 2. */
+    for (i = 0; i < parallel; i++)
+        scryptROMix(blocks + i * bSz, v, y, blockSize, 1 << cost);
+
+    /* Step 3. */
+    ret = wc_PBKDF2(output, passwd, passLen, blocks, blocksSz, 1, dkLen,
+                    SHA256);
+end:
+    if (blocks != NULL)
+        XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (v != NULL)
+        XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (y != NULL)
+        XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif
+
 #undef PBKDF_DIGEST_SIZE

 #endif /* NO_PWDBASED */
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -214,6 +214,7 @@ int  openssl_test(void);   /* test mini api */
 int pbkdf1_test(void);
 int pkcs12_test(void);
 int pbkdf2_test(void);
+int scrypt_test(void);
 #ifdef HAVE_ECC
    int  ecc_test(void);
    #ifdef HAVE_ECC_ENCRYPT
@ -6929,6 +6930,91 @@ int openssl_test(void)


 #ifndef NO_PWDBASED
+#ifdef HAVE_SCRYPT
+/* Test vectors taken from RFC 7914: scrypt PBKDF - Section 12. */
+int scrypt_test(void)
+{
+    int   ret;
+    byte  derived[64];
+
+    const byte verify1[] = {
+        0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20,
+        0x3b, 0x19, 0xca, 0x42, 0xc1, 0x8a, 0x04, 0x97,
+        0xf1, 0x6b, 0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8,
+        0xdf, 0xdf, 0xfa, 0x3f, 0xed, 0xe2, 0x14, 0x42,
+        0xfc, 0xd0, 0x06, 0x9d, 0xed, 0x09, 0x48, 0xf8,
+        0x32, 0x6a, 0x75, 0x3a, 0x0f, 0xc8, 0x1f, 0x17,
+        0xe8, 0xd3, 0xe0, 0xfb, 0x2e, 0x0d, 0x36, 0x28,
+        0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89, 0x06
+    };
+    const byte verify2[] = {
+        0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
+        0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
+        0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
+        0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
+        0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
+        0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
+        0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
+        0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
+    };
+    const byte verify3[] = {
+        0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48,
+        0x46, 0x1c, 0x06, 0xcd, 0x81, 0xfd, 0x38, 0xeb,
+        0xfd, 0xa8, 0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e,
+        0xa9, 0xb5, 0x43, 0xf6, 0x54, 0x5d, 0xa1, 0xf2,
+        0xd5, 0x43, 0x29, 0x55, 0x61, 0x3f, 0x0f, 0xcf,
+        0x62, 0xd4, 0x97, 0x05, 0x24, 0x2a, 0x9a, 0xf9,
+        0xe6, 0x1e, 0x85, 0xdc, 0x0d, 0x65, 0x1e, 0x40,
+        0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58, 0x87
+    };
+#ifdef SCRYPT_TEST_ALL
+    /* Test case is very slow.
+     * Use for confirmation after code change or new platform.
+     */
+    const byte verify4[] = {
+        0x21, 0x01, 0xcb, 0x9b, 0x6a, 0x51, 0x1a, 0xae,
+        0xad, 0xdb, 0xbe, 0x09, 0xcf, 0x70, 0xf8, 0x81,
+        0xec, 0x56, 0x8d, 0x57, 0x4a, 0x2f, 0xfd, 0x4d,
+        0xab, 0xe5, 0xee, 0x98, 0x20, 0xad, 0xaa, 0x47,
+        0x8e, 0x56, 0xfd, 0x8f, 0x4b, 0xa5, 0xd0, 0x9f,
+        0xfa, 0x1c, 0x6d, 0x92, 0x7c, 0x40, 0xf4, 0xc3,
+        0x37, 0x30, 0x40, 0x49, 0xe8, 0xa9, 0x52, 0xfb,
+        0xcb, 0xf4, 0x5c, 0x6f, 0xa7, 0x7a, 0x41, 0xa4
+    };
+#endif
+
+    ret = wc_scrypt(derived, NULL, 0, NULL, 0, 4, 1, 1, sizeof(verify1));
+    if (ret != 0)
+        return -108;
+    if (XMEMCMP(derived, verify1, sizeof(verify1)) != 0)
+        return -109;
+
+    ret = wc_scrypt(derived, (byte*)"password", 8, (byte*)"NaCl", 4, 10, 8, 16,
+                    sizeof(verify2));
+    if (ret != 0)
+        return -110;
+    if (XMEMCMP(derived, verify2, sizeof(verify2)) != 0)
+        return -111;
+
+    ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                    (byte*)"SodiumChloride", 14, 14, 8, 1, sizeof(verify3));
+    if (ret != 0)
+        return -112;
+    if (XMEMCMP(derived, verify3, sizeof(verify3)) != 0)
+        return -113;
+
+#ifdef SCRYPT_TEST_ALL
+    ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                    (byte*)"SodiumChloride", 14, 20, 8, 1, sizeof(verify4));
+    if (ret != 0)
+        return -114;
+    if (XMEMCMP(derived, verify4, sizeof(verify4)) != 0)
+        return -115;
+#endif
+
+    return 0;
+}
+#endif

 int pkcs12_test(void)
 {
@ -7040,8 +7126,12 @@ int pwdbased_test(void)
   ret += pbkdf1_test();
 #endif
   ret += pbkdf2_test();
+   ret += pkcs12_test();
+#ifdef HAVE_SCRYPT
+   ret += scrypt_test();
+#endif

-   return ret + pkcs12_test();
+   return ret;
 }

 #endif /* NO_PWDBASED */
--- a/wolfssl/wolfcrypt/pwdbased.h
+++ b/wolfssl/wolfcrypt/pwdbased.h
@ -54,6 +54,12 @@ WOLFSSL_API int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd,int passLen,
                       const byte* salt, int saltLen, int iterations, int kLen,
                       int hashType, int id, void* heap);

+#ifdef HAVE_SCRYPT
+WOLFSSL_API int wc_scrypt(byte* output, const byte* passwd, int passLen,
+                          const byte* salt, int saltLen, int cost,
+                          int blockSize, int parallel, int dkLen);
+#endif
+
 /* helper functions */
 WOLFSSL_LOCAL int GetDigestSize(int typeH);
 WOLFSSL_LOCAL int GetPKCS12HashSizes(int typeH, word32* v, word32* u);