From c9b4592dbf10aacdcf988ae4ff2c36c345de5d3c Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Fri, 18 May 2018 11:05:20 +0200
Subject: [PATCH] crypto: add scrypt() and scryptSync() methods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scrypt is a password-based key derivation function that is designed to
be expensive both computationally and memory-wise in order to make
brute-force attacks unrewarding.

OpenSSL has had support for the scrypt algorithm since v1.1.0.  Add a
Node.js API modeled after `crypto.pbkdf2()` and `crypto.pbkdf2Sync()`.

Changes:

* Introduce helpers for copying buffers, collecting openssl errors, etc.

* Add new infrastructure for offloading crypto to a worker thread.

* Add a `AsyncWrap` JS class to simplify pbkdf2(), randomBytes() and
  scrypt().

Fixes: https://github.com/nodejs/node/issues/8417
PR-URL: https://github.com/nodejs/node/pull/20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
---
 doc/api/crypto.md                             | 106 +++++++-
 doc/api/errors.md                             |  14 +
 lib/crypto.js                                 |   6 +
 lib/internal/crypto/scrypt.js                 |  97 +++++++
 lib/internal/errors.js                        |   3 +-
 node.gyp                                      |   1 +
 src/async_wrap.cc                             |  31 +++
 src/async_wrap.h                              |   1 +
 src/env.h                                     |   1 +
 src/node_crypto.cc                            | 241 ++++++++++++++----
 src/node_internals.h                          |   2 +
 test/parallel/test-crypto-scrypt.js           | 165 ++++++++++++
 test/sequential/test-async-wrap-getasyncid.js |   6 +
 13 files changed, 617 insertions(+), 57 deletions(-)
 create mode 100644 lib/internal/crypto/scrypt.js
 create mode 100644 test/parallel/test-crypto-scrypt.js

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 70f910e11b7975..a75d19610a3dae 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -1356,9 +1356,9 @@ password always creates the same key. The low iteration count and
 non-cryptographically secure hash algorithm allow passwords to be tested very
 rapidly.
 
-In line with OpenSSL's recommendation to use PBKDF2 instead of
+In line with OpenSSL's recommendation to use a more modern algorithm instead of
 [`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
-their own using [`crypto.pbkdf2()`][] and to use [`crypto.createCipheriv()`][]
+their own using [`crypto.scrypt()`][] and to use [`crypto.createCipheriv()`][]
 to create the `Cipher` object. Users should not use ciphers with counter mode
 (e.g. CTR, GCM, or CCM) in `crypto.createCipher()`. A warning is emitted when
 they are used in order to avoid the risk of IV reuse that causes
@@ -1458,9 +1458,9 @@ password always creates the same key. The low iteration count and
 non-cryptographically secure hash algorithm allow passwords to be tested very
 rapidly.
 
-In line with OpenSSL's recommendation to use PBKDF2 instead of
+In line with OpenSSL's recommendation to use a more modern algorithm instead of
 [`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
-their own using [`crypto.pbkdf2()`][] and to use [`crypto.createDecipheriv()`][]
+their own using [`crypto.scrypt()`][] and to use [`crypto.createDecipheriv()`][]
 to create the `Decipher` object.
 
 ### crypto.createDecipheriv(algorithm, key, iv[, options])
@@ -1796,9 +1796,8 @@ The `iterations` argument must be a number set as high as possible. The
 higher the number of iterations, the more secure the derived key will be,
 but will take a longer amount of time to complete.
 
-The `salt` should also be as unique as possible. It is recommended that the
-salts are random and their lengths are at least 16 bytes. See
-[NIST SP 800-132][] for details.
+The `salt` should be as unique as possible. It is recommended that a salt is
+random and at least 16 bytes long. See [NIST SP 800-132][] for details.
 
 Example:
 
@@ -1862,9 +1861,8 @@ The `iterations` argument must be a number set as high as possible. The
 higher the number of iterations, the more secure the derived key will be,
 but will take a longer amount of time to complete.
 
-The `salt` should also be as unique as possible. It is recommended that the
-salts are random and their lengths are at least 16 bytes. See
-[NIST SP 800-132][] for details.
+The `salt` should be as unique as possible. It is recommended that a salt is
+random and at least 16 bytes long. See [NIST SP 800-132][] for details.
 
 Example:
 
@@ -2138,6 +2136,91 @@ threadpool request. To minimize threadpool task length variation, partition
 large `randomFill` requests when doing so as part of fulfilling a client
 request.
 
+### crypto.scrypt(password, salt, keylen[, options], callback)
+<!-- YAML
+added: REPLACEME
+-->
+- `password` {string|Buffer|TypedArray}
+- `salt` {string|Buffer|TypedArray}
+- `keylen` {number}
+- `options` {Object}
+  - `N` {number} CPU/memory cost parameter. Must be a power of two greater
+                 than one. **Default:** `16384`.
+  - `r` {number} Block size parameter. **Default:** `8`.
+  - `p` {number} Parallelization parameter. **Default:** `1`.
+  - `maxmem` {number} Memory upper bound. It is an error when (approximately)
+                      `128*N*r > maxmem` **Default:** `32 * 1024 * 1024`.
+- `callback` {Function}
+  - `err` {Error}
+  - `derivedKey` {Buffer}
+
+Provides an asynchronous [scrypt][] implementation. Scrypt is a password-based
+key derivation function that is designed to be expensive computationally and
+memory-wise in order to make brute-force attacks unrewarding.
+
+The `salt` should be as unique as possible. It is recommended that a salt is
+random and at least 16 bytes long. See [NIST SP 800-132][] for details.
+
+The `callback` function is called with two arguments: `err` and `derivedKey`.
+`err` is an exception object when key derivation fails, otherwise `err` is
+`null`. `derivedKey` is passed to the callback as a [`Buffer`][].
+
+An exception is thrown when any of the input arguments specify invalid values
+or types.
+
+```js
+const crypto = require('crypto');
+// Using the factory defaults.
+crypto.scrypt('secret', 'salt', 64, (err, derivedKey) => {
+  if (err) throw err;
+  console.log(derivedKey.toString('hex'));  // '3745e48...08d59ae'
+});
+// Using a custom N parameter. Must be a power of two.
+crypto.scrypt('secret', 'salt', 64, { N: 1024 }, (err, derivedKey) => {
+  if (err) throw err;
+  console.log(derivedKey.toString('hex'));  // '3745e48...aa39b34'
+});
+```
+
+### crypto.scryptSync(password, salt, keylen[, options])
+<!-- YAML
+added: REPLACEME
+-->
+- `password` {string|Buffer|TypedArray}
+- `salt` {string|Buffer|TypedArray}
+- `keylen` {number}
+- `options` {Object}
+  - `N` {number} CPU/memory cost parameter. Must be a power of two greater
+                 than one. **Default:** `16384`.
+  - `r` {number} Block size parameter. **Default:** `8`.
+  - `p` {number} Parallelization parameter. **Default:** `1`.
+  - `maxmem` {number} Memory upper bound. It is an error when (approximately)
+                      `128*N*r > maxmem` **Default:** `32 * 1024 * 1024`.
+- Returns: {Buffer}
+
+Provides a synchronous [scrypt][] implementation. Scrypt is a password-based
+key derivation function that is designed to be expensive computationally and
+memory-wise in order to make brute-force attacks unrewarding.
+
+The `salt` should be as unique as possible. It is recommended that a salt is
+random and at least 16 bytes long. See [NIST SP 800-132][] for details.
+
+An exception is thrown when key derivation fails, otherwise the derived key is
+returned as a [`Buffer`][].
+
+An exception is thrown when any of the input arguments specify invalid values
+or types.
+
+```js
+const crypto = require('crypto');
+// Using the factory defaults.
+const key1 = crypto.scryptSync('secret', 'salt', 64);
+console.log(key1.toString('hex'));  // '3745e48...08d59ae'
+// Using a custom N parameter. Must be a power of two.
+const key2 = crypto.scryptSync('secret', 'salt', 64, { N: 1024 });
+console.log(key2.toString('hex'));  // '3745e48...aa39b34'
+```
+
 ### crypto.setEngine(engine[, flags])
 <!-- YAML
 added: v0.11.11
@@ -2645,9 +2728,9 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 [`crypto.createVerify()`]: #crypto_crypto_createverify_algorithm_options
 [`crypto.getCurves()`]: #crypto_crypto_getcurves
 [`crypto.getHashes()`]: #crypto_crypto_gethashes
-[`crypto.pbkdf2()`]: #crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
 [`crypto.randomBytes()`]: #crypto_crypto_randombytes_size_callback
 [`crypto.randomFill()`]: #crypto_crypto_randomfill_buffer_offset_size_callback
+[`crypto.scrypt()`]: #crypto_crypto_scrypt_password_salt_keylen_options_callback
 [`decipher.final()`]: #crypto_decipher_final_outputencoding
 [`decipher.update()`]: #crypto_decipher_update_data_inputencoding_outputencoding
 [`diffieHellman.setPublicKey()`]: #crypto_diffiehellman_setpublickey_publickey_encoding
@@ -2681,5 +2764,6 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 [RFC 3610]: https://www.rfc-editor.org/rfc/rfc3610.txt
 [RFC 4055]: https://www.rfc-editor.org/rfc/rfc4055.txt
 [initialization vector]: https://en.wikipedia.org/wiki/Initialization_vector
+[scrypt]: https://en.wikipedia.org/wiki/Scrypt
 [stream-writable-write]: stream.html#stream_writable_write_chunk_encoding_callback
 [stream]: stream.html
diff --git a/doc/api/errors.md b/doc/api/errors.md
index ac489accdb1c51..b69d6c0d603752 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -739,6 +739,18 @@ An invalid [crypto digest algorithm][] was specified.
 A crypto method was used on an object that was in an invalid state. For
 instance, calling [`cipher.getAuthTag()`][] before calling `cipher.final()`.
 
+<a id="ERR_CRYPTO_SCRYPT_INVALID_PARAMETER"></a>
+### ERR_CRYPTO_SCRYPT_INVALID_PARAMETER
+
+One or more [`crypto.scrypt()`][] or [`crypto.scryptSync()`][] parameters are
+outside their legal range.
+
+<a id="ERR_CRYPTO_SCRYPT_NOT_SUPPORTED"></a>
+### ERR_CRYPTO_SCRYPT_NOT_SUPPORTED
+
+Node.js was compiled without `scrypt` support. Not possible with the official
+release binaries but can happen with custom builds, including distro builds.
+
 <a id="ERR_CRYPTO_SIGN_KEY_REQUIRED"></a>
 ### ERR_CRYPTO_SIGN_KEY_REQUIRED
 
@@ -1750,6 +1762,8 @@ Creation of a [`zlib`][] object failed due to incorrect configuration.
 [`child_process`]: child_process.html
 [`cipher.getAuthTag()`]: crypto.html#crypto_cipher_getauthtag
 [`Class: assert.AssertionError`]: assert.html#assert_class_assert_assertionerror
+[`crypto.scrypt()`]: crypto.html#crypto_crypto_scrypt_password_salt_keylen_options_callback
+[`crypto.scryptSync()`]: crypto.html#crypto_crypto_scryptSync_password_salt_keylen_options
 [`crypto.timingSafeEqual()`]: crypto.html#crypto_crypto_timingsafeequal_a_b
 [`dgram.createSocket()`]: dgram.html#dgram_dgram_createsocket_options_callback
 [`ERR_INVALID_ARG_TYPE`]: #ERR_INVALID_ARG_TYPE
diff --git a/lib/crypto.js b/lib/crypto.js
index d22ffea9700ee6..281a30c2cfa8f2 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -52,6 +52,10 @@ const {
   pbkdf2,
   pbkdf2Sync
 } = require('internal/crypto/pbkdf2');
+const {
+  scrypt,
+  scryptSync
+} = require('internal/crypto/scrypt');
 const {
   DiffieHellman,
   DiffieHellmanGroup,
@@ -163,6 +167,8 @@ module.exports = exports = {
   randomFill,
   randomFillSync,
   rng: randomBytes,
+  scrypt,
+  scryptSync,
   setEngine,
   timingSafeEqual,
   getFips: !fipsMode ? getFipsDisabled :
diff --git a/lib/internal/crypto/scrypt.js b/lib/internal/crypto/scrypt.js
new file mode 100644
index 00000000000000..09771455ac2d9d
--- /dev/null
+++ b/lib/internal/crypto/scrypt.js
@@ -0,0 +1,97 @@
+'use strict';
+
+const { AsyncWrap, Providers } = process.binding('async_wrap');
+const { Buffer } = require('buffer');
+const { scrypt: _scrypt } = process.binding('crypto');
+const {
+  ERR_CRYPTO_SCRYPT_INVALID_PARAMETER,
+  ERR_CRYPTO_SCRYPT_NOT_SUPPORTED,
+  ERR_INVALID_CALLBACK,
+} = require('internal/errors').codes;
+const {
+  checkIsArrayBufferView,
+  checkIsUint,
+  getDefaultEncoding,
+} = require('internal/crypto/util');
+
+const defaults = {
+  N: 16384,
+  r: 8,
+  p: 1,
+  maxmem: 32 << 20,  // 32 MB, matches SCRYPT_MAX_MEM.
+};
+
+function scrypt(password, salt, keylen, options, callback = defaults) {
+  if (callback === defaults) {
+    callback = options;
+    options = defaults;
+  }
+
+  options = check(password, salt, keylen, options);
+  const { N, r, p, maxmem } = options;
+  ({ password, salt, keylen } = options);
+
+  if (typeof callback !== 'function')
+    throw new ERR_INVALID_CALLBACK();
+
+  const encoding = getDefaultEncoding();
+  const keybuf = Buffer.alloc(keylen);
+
+  const wrap = new AsyncWrap(Providers.SCRYPTREQUEST);
+  wrap.ondone = (ex) => {  // Retains keybuf while request is in flight.
+    if (ex) return callback.call(wrap, ex);
+    if (encoding === 'buffer') return callback.call(wrap, null, keybuf);
+    callback.call(wrap, null, keybuf.toString(encoding));
+  };
+
+  handleError(keybuf, password, salt, N, r, p, maxmem, wrap);
+}
+
+function scryptSync(password, salt, keylen, options = defaults) {
+  options = check(password, salt, keylen, options);
+  const { N, r, p, maxmem } = options;
+  ({ password, salt, keylen } = options);
+  const keybuf = Buffer.alloc(keylen);
+  handleError(keybuf, password, salt, N, r, p, maxmem);
+  const encoding = getDefaultEncoding();
+  if (encoding === 'buffer') return keybuf;
+  return keybuf.toString(encoding);
+}
+
+function handleError(keybuf, password, salt, N, r, p, maxmem, wrap) {
+  const ex = _scrypt(keybuf, password, salt, N, r, p, maxmem, wrap);
+
+  if (ex === undefined)
+    return;
+
+  if (ex === null)
+    throw new ERR_CRYPTO_SCRYPT_INVALID_PARAMETER();  // Bad N, r, p, or maxmem.
+
+  throw ex;  // Scrypt operation failed, exception object contains details.
+}
+
+function check(password, salt, keylen, options, callback) {
+  if (_scrypt === undefined)
+    throw new ERR_CRYPTO_SCRYPT_NOT_SUPPORTED();
+
+  password = checkIsArrayBufferView('password', password);
+  salt = checkIsArrayBufferView('salt', salt);
+  keylen = checkIsUint('keylen', keylen);
+
+  let { N, r, p, maxmem } = defaults;
+  if (options && options !== defaults) {
+    if (options.hasOwnProperty('N')) N = checkIsUint('N', options.N);
+    if (options.hasOwnProperty('r')) r = checkIsUint('r', options.r);
+    if (options.hasOwnProperty('p')) p = checkIsUint('p', options.p);
+    if (options.hasOwnProperty('maxmem'))
+      maxmem = checkIsUint('maxmem', options.maxmem);
+    if (N === 0) N = defaults.N;
+    if (r === 0) r = defaults.r;
+    if (p === 0) p = defaults.p;
+    if (maxmem === 0) maxmem = defaults.maxmem;
+  }
+
+  return { password, salt, keylen, N, r, p, maxmem };
+}
+
+module.exports = { scrypt, scryptSync };
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index 59838f2e6adbf8..7123f1bf2c454d 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -503,7 +503,8 @@ E('ERR_CRYPTO_HASH_FINALIZED', 'Digest already called', Error);
 E('ERR_CRYPTO_HASH_UPDATE_FAILED', 'Hash update failed', Error);
 E('ERR_CRYPTO_INVALID_DIGEST', 'Invalid digest: %s', TypeError);
 E('ERR_CRYPTO_INVALID_STATE', 'Invalid state for operation %s', Error);
-
+E('ERR_CRYPTO_SCRYPT_INVALID_PARAMETER', 'Invalid scrypt parameter', Error);
+E('ERR_CRYPTO_SCRYPT_NOT_SUPPORTED', 'Scrypt algorithm not supported', Error);
 // Switch to TypeError. The current implementation does not seem right.
 E('ERR_CRYPTO_SIGN_KEY_REQUIRED', 'No key provided to sign', Error);
 E('ERR_CRYPTO_TIMING_SAFE_EQUAL_LENGTH',
diff --git a/node.gyp b/node.gyp
index 2f3c342a74e3c0..00a3e6b1a0d402 100644
--- a/node.gyp
+++ b/node.gyp
@@ -97,6 +97,7 @@
       'lib/internal/crypto/hash.js',
       'lib/internal/crypto/pbkdf2.js',
       'lib/internal/crypto/random.js',
+      'lib/internal/crypto/scrypt.js',
       'lib/internal/crypto/sig.js',
       'lib/internal/crypto/util.js',
       'lib/internal/constants.js',
diff --git a/src/async_wrap.cc b/src/async_wrap.cc
index 87c50950faadcc..7734c1b1017a89 100644
--- a/src/async_wrap.cc
+++ b/src/async_wrap.cc
@@ -45,6 +45,7 @@ using v8::PromiseHookType;
 using v8::PropertyCallbackInfo;
 using v8::RetainedObjectInfo;
 using v8::String;
+using v8::Uint32;
 using v8::Undefined;
 using v8::Value;
 
@@ -133,6 +134,23 @@ RetainedObjectInfo* WrapperInfo(uint16_t class_id, Local<Value> wrapper) {
 // end RetainedAsyncInfo
 
 
+struct AsyncWrapObject : public AsyncWrap {
+  static inline void New(const FunctionCallbackInfo<Value>& args) {
+    Environment* env = Environment::GetCurrent(args);
+    CHECK(args.IsConstructCall());
+    CHECK(env->async_wrap_constructor_template()->HasInstance(args.This()));
+    CHECK(args[0]->IsUint32());
+    auto type = static_cast<ProviderType>(args[0].As<Uint32>()->Value());
+    new AsyncWrapObject(env, args.This(), type);
+  }
+
+  inline AsyncWrapObject(Environment* env, Local<Object> object,
+                         ProviderType type) : AsyncWrap(env, object, type) {}
+
+  inline size_t self_size() const override { return sizeof(*this); }
+};
+
+
 static void DestroyAsyncIdsCallback(Environment* env, void* data) {
   Local<Function> fn = env->async_hooks_destroy_function();
 
@@ -569,6 +587,19 @@ void AsyncWrap::Initialize(Local<Object> target,
   env->set_async_hooks_destroy_function(Local<Function>());
   env->set_async_hooks_promise_resolve_function(Local<Function>());
   env->set_async_hooks_binding(target);
+
+  {
+    auto class_name = FIXED_ONE_BYTE_STRING(env->isolate(), "AsyncWrap");
+    auto function_template = env->NewFunctionTemplate(AsyncWrapObject::New);
+    function_template->SetClassName(class_name);
+    AsyncWrap::AddWrapMethods(env, function_template);
+    auto instance_template = function_template->InstanceTemplate();
+    instance_template->SetInternalFieldCount(1);
+    auto function =
+        function_template->GetFunction(env->context()).ToLocalChecked();
+    target->Set(env->context(), class_name, function).FromJust();
+    env->set_async_wrap_constructor_template(function_template);
+  }
 }
 
 
diff --git a/src/async_wrap.h b/src/async_wrap.h
index b2f96477b490e0..f696facd485188 100644
--- a/src/async_wrap.h
+++ b/src/async_wrap.h
@@ -75,6 +75,7 @@ namespace node {
 #define NODE_ASYNC_CRYPTO_PROVIDER_TYPES(V)                                   \
   V(PBKDF2REQUEST)                                                            \
   V(RANDOMBYTESREQUEST)                                                       \
+  V(SCRYPTREQUEST)                                                            \
   V(TLSWRAP)
 #else
 #define NODE_ASYNC_CRYPTO_PROVIDER_TYPES(V)
diff --git a/src/env.h b/src/env.h
index 12cf5b8855b4c1..266ef76647fc8b 100644
--- a/src/env.h
+++ b/src/env.h
@@ -319,6 +319,7 @@ struct PackageConfig {
   V(async_hooks_destroy_function, v8::Function)                               \
   V(async_hooks_init_function, v8::Function)                                  \
   V(async_hooks_promise_resolve_function, v8::Function)                       \
+  V(async_wrap_constructor_template, v8::FunctionTemplate)                    \
   V(buffer_prototype_object, v8::Object)                                      \
   V(context, v8::Context)                                                     \
   V(domain_callback, v8::Function)                                            \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 87ef4e2f25fc10..2d468b1cdc40b5 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -78,6 +78,7 @@ using v8::Isolate;
 using v8::Local;
 using v8::Maybe;
 using v8::MaybeLocal;
+using v8::NewStringType;
 using v8::Null;
 using v8::Object;
 using v8::ObjectTemplate;
@@ -204,57 +205,75 @@ static int NoPasswordCallback(char* buf, int size, int rwflag, void* u) {
 }
 
 
-void ThrowCryptoError(Environment* env,
-                      unsigned long err,  // NOLINT(runtime/int)
-                      const char* default_message = nullptr) {
-  HandleScope scope(env->isolate());
-  Local<String> message;
+struct CryptoErrorVector : public std::vector<std::string> {
+  inline void Capture() {
+    clear();
+    while (auto err = ERR_get_error()) {
+      char buf[256];
+      ERR_error_string_n(err, buf, sizeof(buf));
+      push_back(buf);
+    }
+    std::reverse(begin(), end());
+  }
+
+  inline Local<Value> ToException(
+      Environment* env,
+      Local<String> exception_string = Local<String>()) const {
+    if (exception_string.IsEmpty()) {
+      CryptoErrorVector copy(*this);
+      if (copy.empty()) copy.push_back("no error");  // But possibly a bug...
+      // Use last element as the error message, everything else goes
+      // into the .opensslErrorStack property on the exception object.
+      auto exception_string =
+          String::NewFromUtf8(env->isolate(), copy.back().data(),
+                              NewStringType::kNormal, copy.back().size())
+          .ToLocalChecked();
+      copy.pop_back();
+      return copy.ToException(env, exception_string);
+    }
 
-  if (err != 0 || default_message == nullptr) {
-    char errmsg[128] = { 0 };
-    ERR_error_string_n(err, errmsg, sizeof(errmsg));
-    message = String::NewFromUtf8(env->isolate(), errmsg,
-                                  v8::NewStringType::kNormal)
-                                      .ToLocalChecked();
-  } else {
-    message = String::NewFromUtf8(env->isolate(), default_message,
-                                  v8::NewStringType::kNormal)
-                                      .ToLocalChecked();
-  }
+    Local<Value> exception_v = Exception::Error(exception_string);
+    CHECK(!exception_v.IsEmpty());
 
-  Local<Value> exception_v = Exception::Error(message);
-  CHECK(!exception_v.IsEmpty());
-  Local<Object> exception = exception_v.As<Object>();
+    if (!empty()) {
+      Local<Array> array = Array::New(env->isolate(), size());
+      CHECK(!array.IsEmpty());
 
-  std::vector<Local<String>> errors;
-  for (;;) {
-    unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
-    if (err == 0) {
-      break;
-    }
-    char tmp_str[256];
-    ERR_error_string_n(err, tmp_str, sizeof(tmp_str));
-    errors.push_back(String::NewFromUtf8(env->isolate(), tmp_str,
-                                         v8::NewStringType::kNormal)
-                     .ToLocalChecked());
-  }
-
-  // ERR_get_error returns errors in order of most specific to least
-  // specific. We wish to have the reverse ordering:
-  // opensslErrorStack: [
-  // 'error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib',
-  // 'error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 err'
-  // ]
-  if (!errors.empty()) {
-    std::reverse(errors.begin(), errors.end());
-    Local<Array> errors_array = Array::New(env->isolate(), errors.size());
-    for (size_t i = 0; i < errors.size(); i++) {
-      errors_array->Set(env->context(), i, errors[i]).FromJust();
+      for (const std::string& string : *this) {
+        const size_t index = &string - &front();
+        Local<String> value =
+            String::NewFromUtf8(env->isolate(), string.data(),
+                                NewStringType::kNormal, string.size())
+            .ToLocalChecked();
+        array->Set(env->context(), index, value).FromJust();
+      }
+
+      CHECK(exception_v->IsObject());
+      Local<Object> exception = exception_v.As<Object>();
+      exception->Set(env->context(),
+                     env->openssl_error_stack(), array).FromJust();
     }
-    exception->Set(env->context(), env->openssl_error_stack(), errors_array)
-        .FromJust();
+
+    return exception_v;
   }
+};
+
 
+void ThrowCryptoError(Environment* env,
+                      unsigned long err,  // NOLINT(runtime/int)
+                      const char* message = nullptr) {
+  char message_buffer[128] = {0};
+  if (err != 0 || message == nullptr) {
+    ERR_error_string_n(err, message_buffer, sizeof(message_buffer));
+    message = message_buffer;
+  }
+  HandleScope scope(env->isolate());
+  auto exception_string =
+      String::NewFromUtf8(env->isolate(), message, NewStringType::kNormal)
+      .ToLocalChecked();
+  CryptoErrorVector errors;
+  errors.Capture();
+  auto exception = errors.ToException(env, exception_string);
   env->isolate()->ThrowException(exception);
 }
 
@@ -4532,6 +4551,43 @@ bool ECDH::IsKeyPairValid() {
 }
 
 
+struct CryptoJob : public ThreadPoolWork {
+  Environment* const env;
+  std::unique_ptr<AsyncWrap> async_wrap;
+  inline explicit CryptoJob(Environment* env) : ThreadPoolWork(env), env(env) {}
+  inline void AfterThreadPoolWork(int status) final;
+  virtual void AfterThreadPoolWork() = 0;
+  static inline void Run(std::unique_ptr<CryptoJob> job, Local<Value> wrap);
+};
+
+
+void CryptoJob::AfterThreadPoolWork(int status) {
+  CHECK(status == 0 || status == UV_ECANCELED);
+  std::unique_ptr<CryptoJob> job(this);
+  if (status == UV_ECANCELED) return;
+  HandleScope handle_scope(env->isolate());
+  Context::Scope context_scope(env->context());
+  CHECK_EQ(false, async_wrap->persistent().IsWeak());
+  AfterThreadPoolWork();
+}
+
+
+void CryptoJob::Run(std::unique_ptr<CryptoJob> job, Local<Value> wrap) {
+  CHECK(wrap->IsObject());
+  CHECK_EQ(nullptr, job->async_wrap);
+  job->async_wrap.reset(Unwrap<AsyncWrap>(wrap.As<Object>()));
+  CHECK_EQ(false, job->async_wrap->persistent().IsWeak());
+  job->ScheduleWork();
+  job.release();  // Run free, little job!
+}
+
+
+inline void CopyBuffer(Local<Value> buf, std::vector<char>* vec) {
+  vec->clear();
+  if (auto p = Buffer::Data(buf)) vec->assign(p, p + Buffer::Length(buf));
+}
+
+
 class PBKDF2Request : public AsyncWrap, public ThreadPoolWork {
  public:
   PBKDF2Request(Environment* env,
@@ -4873,6 +4929,98 @@ void RandomBytesBuffer(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+#ifndef OPENSSL_NO_SCRYPT
+struct ScryptJob : public CryptoJob {
+  unsigned char* keybuf_data;
+  size_t keybuf_size;
+  std::vector<char> pass;
+  std::vector<char> salt;
+  uint32_t N;
+  uint32_t r;
+  uint32_t p;
+  uint32_t maxmem;
+  CryptoErrorVector errors;
+
+  inline explicit ScryptJob(Environment* env) : CryptoJob(env) {}
+
+  inline ~ScryptJob() override {
+    Cleanse();
+  }
+
+  inline bool Validate() {
+    if (1 == EVP_PBE_scrypt(nullptr, 0, nullptr, 0, N, r, p, maxmem,
+                            nullptr, 0)) {
+      return true;
+    } else {
+      // Note: EVP_PBE_scrypt() does not always put errors on the error stack.
+      errors.Capture();
+      return false;
+    }
+  }
+
+  inline void DoThreadPoolWork() override {
+    auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
+    if (1 != EVP_PBE_scrypt(pass.data(), pass.size(), salt_data, salt.size(),
+                            N, r, p, maxmem, keybuf_data, keybuf_size)) {
+      errors.Capture();
+    }
+  }
+
+  inline void AfterThreadPoolWork() override {
+    Local<Value> arg = ToResult();
+    async_wrap->MakeCallback(env->ondone_string(), 1, &arg);
+  }
+
+  inline Local<Value> ToResult() const {
+    if (errors.empty()) return Undefined(env->isolate());
+    return errors.ToException(env);
+  }
+
+  inline void Cleanse() {
+    OPENSSL_cleanse(pass.data(), pass.size());
+    OPENSSL_cleanse(salt.data(), salt.size());
+    pass.clear();
+    salt.clear();
+  }
+};
+
+
+void Scrypt(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  CHECK(args[0]->IsArrayBufferView());  // keybuf; wrap object retains ref.
+  CHECK(args[1]->IsArrayBufferView());  // pass
+  CHECK(args[2]->IsArrayBufferView());  // salt
+  CHECK(args[3]->IsUint32());  // N
+  CHECK(args[4]->IsUint32());  // r
+  CHECK(args[5]->IsUint32());  // p
+  CHECK(args[6]->IsUint32());  // maxmem
+  CHECK(args[7]->IsObject() || args[7]->IsUndefined());  // wrap object
+  std::unique_ptr<ScryptJob> job(new ScryptJob(env));
+  job->keybuf_data = reinterpret_cast<unsigned char*>(Buffer::Data(args[0]));
+  job->keybuf_size = Buffer::Length(args[0]);
+  CopyBuffer(args[1], &job->pass);
+  CopyBuffer(args[2], &job->salt);
+  job->N = args[3].As<Uint32>()->Value();
+  job->r = args[4].As<Uint32>()->Value();
+  job->p = args[5].As<Uint32>()->Value();
+  job->maxmem = args[6].As<Uint32>()->Value();
+  if (!job->Validate()) {
+    // EVP_PBE_scrypt() does not always put errors on the error stack
+    // and therefore ToResult() may or may not return an exception
+    // object.  Return a sentinel value to inform JS land it should
+    // throw an ERR_CRYPTO_SCRYPT_PARAMETER_ERROR on our behalf.
+    auto result = job->ToResult();
+    if (result->IsUndefined()) result = Null(args.GetIsolate());
+    return args.GetReturnValue().Set(result);
+  }
+  if (args[7]->IsObject()) return ScryptJob::Run(std::move(job), args[7]);
+  env->PrintSyncTrace();
+  job->DoThreadPoolWork();
+  args.GetReturnValue().Set(job->ToResult());
+}
+#endif  // OPENSSL_NO_SCRYPT
+
+
 void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
@@ -5296,6 +5444,9 @@ void Initialize(Local<Object> target,
                  PublicKeyCipher::Cipher<PublicKeyCipher::kPublic,
                                          EVP_PKEY_verify_recover_init,
                                          EVP_PKEY_verify_recover>);
+#ifndef OPENSSL_NO_SCRYPT
+  env->SetMethod(target, "scrypt", Scrypt);
+#endif  // OPENSSL_NO_SCRYPT
 
   Local<FunctionTemplate> pb = FunctionTemplate::New(env->isolate());
   pb->SetClassName(FIXED_ONE_BYTE_STRING(env->isolate(), "PBKDF2"));
diff --git a/src/node_internals.h b/src/node_internals.h
index 49f1d4f230b6d7..9b161ef43111fb 100644
--- a/src/node_internals.h
+++ b/src/node_internals.h
@@ -523,6 +523,8 @@ class InternalCallbackScope {
 class ThreadPoolWork {
  public:
   explicit inline ThreadPoolWork(Environment* env) : env_(env) {}
+  inline virtual ~ThreadPoolWork() = default;
+
   inline void ScheduleWork();
   inline int CancelWork();
 
diff --git a/test/parallel/test-crypto-scrypt.js b/test/parallel/test-crypto-scrypt.js
new file mode 100644
index 00000000000000..9d0e495881f186
--- /dev/null
+++ b/test/parallel/test-crypto-scrypt.js
@@ -0,0 +1,165 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const crypto = require('crypto');
+
+if (typeof process.binding('crypto').scrypt !== 'function')
+  common.skip('no scrypt support');
+
+const good = [
+  // Zero-length key is legal, functions as a parameter validation check.
+  {
+    pass: '',
+    salt: '',
+    keylen: 0,
+    N: 16,
+    p: 1,
+    r: 1,
+    expected: '',
+  },
+  // Test vectors from https://tools.ietf.org/html/rfc7914#page-13 that
+  // should pass.  Note that the test vector with N=1048576 is omitted
+  // because it takes too long to complete and uses over 1 GB of memory.
+  {
+    pass: '',
+    salt: '',
+    keylen: 64,
+    N: 16,
+    p: 1,
+    r: 1,
+    expected:
+        '77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442' +
+        'fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906',
+  },
+  {
+    pass: 'password',
+    salt: 'NaCl',
+    keylen: 64,
+    N: 1024,
+    p: 16,
+    r: 8,
+    expected:
+        'fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b373162' +
+        '2eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640',
+  },
+  {
+    pass: 'pleaseletmein',
+    salt: 'SodiumChloride',
+    keylen: 64,
+    N: 16384,
+    p: 1,
+    r: 8,
+    expected:
+        '7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2' +
+        'd5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887',
+  },
+];
+
+// Test vectors that should fail.
+const bad = [
+  { N: 1, p: 1, r: 1 },        // N < 2
+  { N: 3, p: 1, r: 1 },        // Not power of 2.
+  { N: 2 ** 16, p: 1, r: 1 },  // N >= 2**(r*16)
+  { N: 2, p: 2 ** 30, r: 1 },  // p > (2**30-1)/r
+];
+
+// Test vectors where 128*N*r exceeds maxmem.
+const toobig = [
+  { N: 2 ** 20, p: 1, r: 8 },
+  { N: 2 ** 10, p: 1, r: 8, maxmem: 2 ** 20 },
+];
+
+const badargs = [
+  {
+    args: [],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"password"/ },
+  },
+  {
+    args: [null],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"password"/ },
+  },
+  {
+    args: [''],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"salt"/ },
+  },
+  {
+    args: ['', null],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"salt"/ },
+  },
+  {
+    args: ['', ''],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"keylen"/ },
+  },
+  {
+    args: ['', '', null],
+    expected: { code: 'ERR_INVALID_ARG_TYPE', message: /"keylen"/ },
+  },
+  {
+    args: ['', '', .42],
+    expected: { code: 'ERR_OUT_OF_RANGE', message: /"keylen"/ },
+  },
+  {
+    args: ['', '', -42],
+    expected: { code: 'ERR_OUT_OF_RANGE', message: /"keylen"/ },
+  },
+];
+
+for (const options of good) {
+  const { pass, salt, keylen, expected } = options;
+  const actual = crypto.scryptSync(pass, salt, keylen, options);
+  assert.strictEqual(actual.toString('hex'), expected);
+  crypto.scrypt(pass, salt, keylen, options, common.mustCall((err, actual) => {
+    assert.ifError(err);
+    assert.strictEqual(actual.toString('hex'), expected);
+  }));
+}
+
+for (const options of bad) {
+  const expected = {
+    code: 'ERR_CRYPTO_SCRYPT_INVALID_PARAMETER',
+    message: 'Invalid scrypt parameter',
+    type: Error,
+  };
+  common.expectsError(() => crypto.scrypt('pass', 'salt', 1, options, () => {}),
+                      expected);
+  common.expectsError(() => crypto.scryptSync('pass', 'salt', 1, options),
+                      expected);
+}
+
+for (const options of toobig) {
+  const expected = {
+    message: /error:[^:]+:digital envelope routines:EVP_PBE_scrypt:memory limit exceeded/,
+    type: Error,
+  };
+  common.expectsError(() => crypto.scrypt('pass', 'salt', 1, options, () => {}),
+                      expected);
+  common.expectsError(() => crypto.scryptSync('pass', 'salt', 1, options),
+                      expected);
+}
+
+{
+  const defaults = { N: 16384, p: 1, r: 8 };
+  const expected = crypto.scryptSync('pass', 'salt', 1, defaults);
+  const actual = crypto.scryptSync('pass', 'salt', 1);
+  assert.deepStrictEqual(actual.toString('hex'), expected.toString('hex'));
+  crypto.scrypt('pass', 'salt', 1, common.mustCall((err, actual) => {
+    assert.ifError(err);
+    assert.deepStrictEqual(actual.toString('hex'), expected.toString('hex'));
+  }));
+}
+
+for (const { args, expected } of badargs) {
+  common.expectsError(() => crypto.scrypt(...args), expected);
+  common.expectsError(() => crypto.scryptSync(...args), expected);
+}
+
+{
+  const expected = { code: 'ERR_INVALID_CALLBACK' };
+  common.expectsError(() => crypto.scrypt('', '', 42, null), expected);
+  common.expectsError(() => crypto.scrypt('', '', 42, {}, null), expected);
+  common.expectsError(() => crypto.scrypt('', '', 42, {}), expected);
+  common.expectsError(() => crypto.scrypt('', '', 42, {}, {}), expected);
+}
diff --git a/test/sequential/test-async-wrap-getasyncid.js b/test/sequential/test-async-wrap-getasyncid.js
index 60309ecb2d49b8..a17f509294a9ed 100644
--- a/test/sequential/test-async-wrap-getasyncid.js
+++ b/test/sequential/test-async-wrap-getasyncid.js
@@ -122,6 +122,12 @@ if (common.hasCrypto) { // eslint-disable-line node-core/crypto-check
   crypto.randomBytes(1, common.mustCall(function rb() {
     testInitialized(this, 'RandomBytes');
   }));
+
+  if (typeof process.binding('crypto').scrypt === 'function') {
+    crypto.scrypt('password', 'salt', 8, common.mustCall(function() {
+      testInitialized(this, 'AsyncWrap');
+    }));
+  }
 }