OpenCoverage

pbe_scrypt.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/evp/pbe_scrypt.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

3 * -

4 * Licensed under the OpenSSL license (the "License"). You may not use -

5 * this file except in compliance with the License. You can obtain a copy -

6 * in the file LICENSE in the source distribution or at -

7 * https://www.openssl.org/source/license.html -

8 */ -

9 -

10 #include <stddef.h> -

11 #include <stdio.h> -

12 #include <string.h> -

13 #include <openssl/evp.h> -

14 #include <openssl/err.h> -

15 #include "internal/numbers.h" -

16 -

17 #ifndef OPENSSL_NO_SCRYPT -

18 -

19 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) -

20 static void salsa208_word_specification(uint32_t inout[16]) -

21 { -

22 int i; -

23 uint32_t x[16]; -

24 memcpy(x, inout, sizeof(x)); -

for (i = 8; i > 0; i -= 2) {

i > 0	Description
TRUE	evaluated 14680576 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3670144 times by 1 test Evaluated by: libcrypto.so.1.1

3670144-14680576

26 x[4] ^= R(x[0] + x[12], 7); -

27 x[8] ^= R(x[4] + x[0], 9); -

28 x[12] ^= R(x[8] + x[4], 13); -

29 x[0] ^= R(x[12] + x[8], 18); -

30 x[9] ^= R(x[5] + x[1], 7); -

31 x[13] ^= R(x[9] + x[5], 9); -

32 x[1] ^= R(x[13] + x[9], 13); -

33 x[5] ^= R(x[1] + x[13], 18); -

34 x[14] ^= R(x[10] + x[6], 7); -

35 x[2] ^= R(x[14] + x[10], 9); -

36 x[6] ^= R(x[2] + x[14], 13); -

37 x[10] ^= R(x[6] + x[2], 18); -

38 x[3] ^= R(x[15] + x[11], 7); -

39 x[7] ^= R(x[3] + x[15], 9); -

40 x[11] ^= R(x[7] + x[3], 13); -

41 x[15] ^= R(x[11] + x[7], 18); -

42 x[1] ^= R(x[0] + x[3], 7); -

43 x[2] ^= R(x[1] + x[0], 9); -

44 x[3] ^= R(x[2] + x[1], 13); -

45 x[0] ^= R(x[3] + x[2], 18); -

46 x[6] ^= R(x[5] + x[4], 7); -

47 x[7] ^= R(x[6] + x[5], 9); -

48 x[4] ^= R(x[7] + x[6], 13); -

49 x[5] ^= R(x[4] + x[7], 18); -

50 x[11] ^= R(x[10] + x[9], 7); -

51 x[8] ^= R(x[11] + x[10], 9); -

52 x[9] ^= R(x[8] + x[11], 13); -

53 x[10] ^= R(x[9] + x[8], 18); -

54 x[12] ^= R(x[15] + x[14], 7); -

55 x[13] ^= R(x[12] + x[15], 9); -

56 x[14] ^= R(x[13] + x[12], 13); -

57 x[15] ^= R(x[14] + x[13], 18); -

}

executed 14680576 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

14680576

for (i = 0; i < 16; ++i)

i < 16	Description
TRUE	evaluated 58722304 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3670144 times by 1 test Evaluated by: libcrypto.so.1.1

3670144-58722304

inout[i] += x[i];

executed 58722304 times by 1 test: inout[i] += x[i];

Executed by:

libcrypto.so.1.1

58722304

61 OPENSSL_cleanse(x, sizeof(x)); -

}

executed 3670144 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

3670144

63 -

64 static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) -

65 { -

66 uint64_t i, j; -

67 uint32_t X[16], *pB; -

68 -

69 memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); -

70 pB = B; -

for (i = 0; i < r * 2; i++) {

i < r * 2	Description
TRUE	evaluated 3670144 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 229440 times by 1 test Evaluated by: libcrypto.so.1.1

229440-3670144

for (j = 0; j < 16; j++)

j < 16	Description
TRUE	evaluated 58722304 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3670144 times by 1 test Evaluated by: libcrypto.so.1.1

3670144-58722304

X[j] ^= *pB++;

executed 58722304 times by 1 test: X[j] ^= *pB++;

Executed by:

libcrypto.so.1.1

58722304

74 salsa208_word_specification(X); -

75 memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); -

}

executed 3670144 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

3670144

77 OPENSSL_cleanse(X, sizeof(X)); -

}

executed 229440 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

229440

79 -

80 static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, -

81 uint32_t *X, uint32_t *T, uint32_t *V) -

82 { -

83 unsigned char *pB; -

84 uint32_t *pV; -

85 uint64_t i, k; -

86 -

87 /* Convert from little endian input */ -

for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {

i < 32 * r	Description
TRUE	evaluated 21056 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1

84-21056

89 *pV = *pB++; -

90 *pV |= *pB++ << 8; -

91 *pV |= *pB++ << 16; -

92 *pV |= (uint32_t)*pB++ << 24; -

}

executed 21056 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

21056

94 -

for (i = 1; i < N; i++, pV += 32 * r)

i < N	Description
TRUE	evaluated 114636 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1

84-114636

scryptBlockMix(pV, pV - 32 * r, r);

executed 114636 times by 1 test: scryptBlockMix(pV, pV - 32 * r, r);

Executed by:

libcrypto.so.1.1

114636

97 -

98 scryptBlockMix(X, V + (N - 1) * 32 * r, r); -

99 -

100

for (i = 0; i < N; i++) {

i < N	Description
TRUE	evaluated 114720 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1

84-114720

101 uint32_t j; -

102 j = X[16 * (2 * r - 1)] % N; -

103 pV = V + 32 * r * j; -

104

for (k = 0; k < 32 * r; k++)

k < 32 * r	Description
TRUE	evaluated 29361152 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 114720 times by 1 test Evaluated by: libcrypto.so.1.1

114720-29361152

105

T[k] = X[k] ^ *pV++;

executed 29361152 times by 1 test: T[k] = X[k] ^ *pV++;

Executed by:

libcrypto.so.1.1

29361152

106 scryptBlockMix(X, T, r); -

107

}

executed 114720 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

114720

108 /* Convert output to little endian */ -

109

for (i = 0, pB = B; i < 32 * r; i++) {

i < 32 * r	Description
TRUE	evaluated 21056 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1

84-21056

110 uint32_t xtmp = X[i]; -

111 *pB++ = xtmp & 0xff; -

112 *pB++ = (xtmp >> 8) & 0xff; -

113 *pB++ = (xtmp >> 16) & 0xff; -

114 *pB++ = (xtmp >> 24) & 0xff; -

115

}

executed 21056 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

21056

116

}

executed 84 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

117 -

118 #ifndef SIZE_MAX -

119 # define SIZE_MAX ((size_t)-1) -

120 #endif -

121 -

122 /* -

123 * Maximum power of two that will fit in uint64_t: this should work on -

124 * most (all?) platforms. -

125 */ -

126 -

127 #define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) -

128 -

129 /* -

130 * Maximum value of p * r: -

131 * p <= ((2^32-1) * hLen) / MFLen => -

132 * p <= ((2^32-1) * 32) / (128 * r) => -

133 * p * r <= (2^30-1) -

134 * -

135 */ -

136 -

137 #define SCRYPT_PR_MAX ((1 << 30) - 1) -

138 -

139 /* -

140 * Maximum permitted memory allow this to be overridden with Configuration -

141 * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible. -

142 */ -

143 -

144 #ifdef SCRYPT_MAX_MEM -

145 # if SCRYPT_MAX_MEM == 0 -

146 # undef SCRYPT_MAX_MEM -

147 /* -

148 * Although we could theoretically allocate SIZE_MAX memory that would leave -

149 * no memory available for anything else so set limit as half that. -

150 */ -

151 # define SCRYPT_MAX_MEM (SIZE_MAX/2) -

152 # endif -

153 #else -

154 /* Default memory limit: 32 MB */ -

155 # define SCRYPT_MAX_MEM (1024 * 1024 * 32) -

156 #endif -

157 -

158 int EVP_PBE_scrypt(const char *pass, size_t passlen, -

159 const unsigned char *salt, size_t saltlen, -

160 uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, -

161 unsigned char *key, size_t keylen) -

162 { -

163 int rv = 0; -

164 unsigned char *B; -

165 uint32_t *X, *V, *T; -

166 uint64_t i, Blen, Vlen; -

167 -

168 /* Sanity check parameters */ -

169 /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ -

170

if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))

r == 0	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

p == 0	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

N < 2	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

(N & (N - 1))	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

171

return 0;

never executed: return 0;

172 /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ -

173

if (p > SCRYPT_PR_MAX / r) {

p > ((1 << 30) - 1) / r	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

174 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

175

return 0;

never executed: return 0;

176 } -

177 -

178 /* -

179 * Need to check N: if 2^(128 * r / 8) overflows limit this is -

180 * automatically satisfied since N <= UINT64_MAX. -

181 */ -

182 -

183

if (16 * r <= LOG2_UINT64_MAX) {

16 * r <= (siz...64_t) * 8 - 1)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

2-9

184

if (N >= (((uint64_t)1) << (16 * r))) {

N >= (((uint64...) << (16 * r))	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

185 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

186

return 0;

never executed: return 0;

187 } -

188

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

189 -

190 /* Memory checks: check total allocated buffer size fits in uint64_t */ -

191 -

192 /* -

193 * B size in section 5 step 1.S -

194 * Note: we know p * 128 * r < UINT64_MAX because we already checked -

195 * p * r < SCRYPT_PR_MAX -

196 */ -

197 Blen = p * 128 * r; -

198 /* -

199 * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would -

200 * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] -

201 */ -

202

if (Blen > INT_MAX) {

Blen > 0x7fffffff	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

203 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

204

return 0;

never executed: return 0;

205 } -

206 -

207 /* -

208 * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t -

209 * This is combined size V, X and T (section 4) -

210 */ -

211 i = UINT64_MAX / (32 * sizeof(uint32_t)); -

212

if (N + 2 > i / r) {

N + 2 > i / r	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

213 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

214

return 0;

never executed: return 0;

215 } -

216 Vlen = 32 * r * (N + 2) * sizeof(uint32_t); -

217 -

218 /* check total allocated size fits in uint64_t */ -

219

if (Blen > UINT64_MAX - Vlen) {

Blen > (184467...1615UL) - Vlen	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

220 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

221

return 0;

never executed: return 0;

222 } -

223 -

224

if (maxmem == 0)

maxmem == 0	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

4-7

225

maxmem = SCRYPT_MAX_MEM;

executed 4 times by 1 test: maxmem = (1024 * 1024 * 32);

Executed by:

libcrypto.so.1.1

226 -

227 /* Check that the maximum memory doesn't exceed a size_t limits */ -

228

if (maxmem > SIZE_MAX)

maxmem > (1844...73709551615UL)	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

229

maxmem = SIZE_MAX;

never executed: maxmem = (18446744073709551615UL) ;

230 -

231

if (Blen + Vlen > maxmem) {

Blen + Vlen > maxmem	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

2-9

232 EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -

233

return 0;

executed 2 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

234 } -

235 -

236 /* If no key return to indicate parameters are OK */ -

237

if (key == NULL)

key == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

238

return 1;

never executed: return 1;

239 -

240 B = OPENSSL_malloc((size_t)(Blen + Vlen)); -

241

if (B == NULL) {

B == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

242 EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); -

243

return 0;

never executed: return 0;

244 } -

245 X = (uint32_t *)(B + Blen); -

246 T = X + 32 * r; -

247 V = T + 32 * r; -

248

if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),

PKCS5_PBKDF2_H...)Blen, B) == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

249

(int)Blen, B) == 0)

PKCS5_PBKDF2_H...)Blen, B) == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

250

goto err;

never executed: goto err;

251 -

252

for (i = 0; i < p; i++)

i < p	Description
TRUE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

9-84

253

scryptROMix(B + 128 * r * i, r, N, X, T, V);

executed 84 times by 1 test: scryptROMix(B + 128 * r * i, r, N, X, T, V);

Executed by:

libcrypto.so.1.1

254 -

255

if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),

PKCS5_PBKDF2_H...len, key) == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

256

keylen, key) == 0)

PKCS5_PBKDF2_H...len, key) == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

257

goto err;

never executed: goto err;

258 rv = 1; -

259

err:

code before this statement executed 9 times by 1 test: err:

Executed by:

libcrypto.so.1.1

260

if (rv == 0)

rv == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

0-9

261

EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR);

never executed: ERR_put_error(6,(181),(181),__FILE__,261);

262 -

263 OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); -

264

return rv;

executed 9 times by 1 test: return rv;

Executed by:

libcrypto.so.1.1

265 } -

266 #endif -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2