rbnacl-libsodium 0.4.5 → 0.5.0

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256_nosse.c

@@ -0,0 +1,302 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * Copyright 2013 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "../pbkdf2-sha256.h"
+#include "../sysendian.h"
+#include "../crypto_scrypt.h"
+
+static inline void
+blkcpy(void * dest, const void * src, size_t len)
+{
+	size_t * D = (size_t *) dest;
+	const size_t * S = (const size_t *) src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] = S[i];
+}
+
+static inline void
+blkxor(void * dest, const void * src, size_t len)
+{
+	size_t * D = (size_t *) dest;
+	const size_t * S = (const size_t *) src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] ^= S[i];
+}
+
+/**
+ * salsa20_8(B):
+ * Apply the salsa20/8 core to the provided block.
+ */
+static void
+salsa20_8(uint32_t B[16])
+{
+	uint32_t x[16];
+	size_t i;
+
+	blkcpy(x, B, 64);
+	for (i = 0; i < 8; i += 2) {
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+		/* Operate on columns. */
+		x[ 4] ^= R(x[ 0]+x[12], 7);  x[ 8] ^= R(x[ 4]+x[ 0], 9);
+		x[12] ^= R(x[ 8]+x[ 4],13);  x[ 0] ^= R(x[12]+x[ 8],18);
+
+		x[ 9] ^= R(x[ 5]+x[ 1], 7);  x[13] ^= R(x[ 9]+x[ 5], 9);
+		x[ 1] ^= R(x[13]+x[ 9],13);  x[ 5] ^= R(x[ 1]+x[13],18);
+
+		x[14] ^= R(x[10]+x[ 6], 7);  x[ 2] ^= R(x[14]+x[10], 9);
+		x[ 6] ^= R(x[ 2]+x[14],13);  x[10] ^= R(x[ 6]+x[ 2],18);
+
+		x[ 3] ^= R(x[15]+x[11], 7);  x[ 7] ^= R(x[ 3]+x[15], 9);
+		x[11] ^= R(x[ 7]+x[ 3],13);  x[15] ^= R(x[11]+x[ 7],18);
+
+		/* Operate on rows. */
+		x[ 1] ^= R(x[ 0]+x[ 3], 7);  x[ 2] ^= R(x[ 1]+x[ 0], 9);
+		x[ 3] ^= R(x[ 2]+x[ 1],13);  x[ 0] ^= R(x[ 3]+x[ 2],18);
+
+		x[ 6] ^= R(x[ 5]+x[ 4], 7);  x[ 7] ^= R(x[ 6]+x[ 5], 9);
+		x[ 4] ^= R(x[ 7]+x[ 6],13);  x[ 5] ^= R(x[ 4]+x[ 7],18);
+
+		x[11] ^= R(x[10]+x[ 9], 7);  x[ 8] ^= R(x[11]+x[10], 9);
+		x[ 9] ^= R(x[ 8]+x[11],13);  x[10] ^= R(x[ 9]+x[ 8],18);
+
+		x[12] ^= R(x[15]+x[14], 7);  x[13] ^= R(x[12]+x[15], 9);
+		x[14] ^= R(x[13]+x[12],13);  x[15] ^= R(x[14]+x[13],18);
+#undef R
+	}
+	for (i = 0; i < 16; i++)
+		B[i] += x[i];
+}
+
+/**
+ * blockmix_salsa8(Bin, Bout, X, r):
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
+ * bytes in length; the output Bout must also be the same size.  The
+ * temporary space X must be 64 bytes.
+ */
+static void
+blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
+{
+	size_t i;
+
+	/* 1: X <-- B_{2r - 1} */
+	blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
+
+	/* 2: for i = 0 to 2r - 1 do */
+	for (i = 0; i < 2 * r; i += 2) {
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8], X, 64);
+
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16 + 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8 + r * 16], X, 64);
+	}
+}
+
+/**
+ * integerify(B, r):
+ * Return the result of parsing B_{2r-1} as a little-endian integer.
+ */
+static inline uint64_t
+integerify(const void * B, size_t r)
+{
+	const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64);
+
+	return (((uint64_t)(X[1]) << 32) + X[0]);
+}
+
+/**
+ * smix(B, r, N, V, XY):
+ * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
+ * the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r + 64 bytes in length.  The value N must be a
+ * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
+ * multiple of 64 bytes.
+ */
+static void
+smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY)
+{
+	uint32_t * X = XY;
+	uint32_t * Y = &XY[32 * r];
+	uint32_t * Z = &XY[64 * r];
+	uint64_t i;
+	uint64_t j;
+	size_t k;
+
+	/* 1: X <-- B */
+	for (k = 0; k < 32 * r; k++)
+		X[k] = le32dec(&B[4 * k]);
+
+	/* 2: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 3: V_i <-- X */
+		blkcpy(&V[i * (32 * r)], X, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 3: V_i <-- X */
+		blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(Y, X, Z, r);
+	}
+
+	/* 6: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(X, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(X, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(Y, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(Y, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(Y, X, Z, r);
+	}
+	/* 10: B' <-- X */
+	for (k = 0; k < 32 * r; k++)
+		le32enc(&B[4 * k], X[k]);
+}
+
+/**
+ * escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
+ *     N, r, p, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen) and write the result into buf.  The parameters r, p, and buflen
+ * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
+ * must be a power of 2 greater than 1.
+ *
+ * Return 0 on success; or -1 on error.
+ */
+int
+escrypt_kdf_nosse(escrypt_local_t * local,
+    const uint8_t * passwd, size_t passwdlen,
+    const uint8_t * salt, size_t saltlen,
+    uint64_t N, uint32_t _r, uint32_t _p,
+    uint8_t * buf, size_t buflen)
+{
+	size_t B_size, V_size, XY_size, need;
+	uint8_t * B;
+	uint32_t * V, * XY;
+    size_t r = _r, p = _p;
+	uint32_t i;
+
+	/* Sanity-check parameters. */
+#if SIZE_MAX > UINT32_MAX
+	if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
+		errno = EFBIG;
+		return -1;
+	}
+#endif
+	if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
+		errno = EFBIG;
+		return -1;
+	}
+	if (((N & (N - 1)) != 0) || (N < 2)) {
+		errno = EINVAL;
+		return -1;
+	}
+	if (r == 0 || p == 0) {
+		errno = EINVAL;
+		return -1;
+	}
+	if ((r > SIZE_MAX / 128 / p) ||
+#if SIZE_MAX / 256 <= UINT32_MAX
+	    (r > SIZE_MAX / 256) ||
+#endif
+	    (N > SIZE_MAX / 128 / r)) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* Allocate memory. */
+	B_size = (size_t)128 * r * p;
+	V_size = (size_t)128 * r * N;
+	need = B_size + V_size;
+	if (need < V_size) {
+		errno = ENOMEM;
+		return -1;
+	}
+	XY_size = (size_t)256 * r + 64;
+	need += XY_size;
+	if (need < XY_size) {
+		errno = ENOMEM;
+		return -1;
+	}
+	if (local->size < need) {
+		if (free_region(local))
+			return -1;
+		if (!alloc_region(local, need))
+			return -1;
+	}
+	B = (uint8_t *)local->aligned;
+	V = (uint32_t *)((uint8_t *)B + B_size);
+	XY = (uint32_t *)((uint8_t *)V + V_size);
+
+	/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
+	PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
+
+	/* 2: for i = 0 to p - 1 do */
+	for (i = 0; i < p; i++) {
+		/* 3: B_i <-- MF(B_i, N) */
+		smix(&B[(size_t)128 * i * r], r, N, V, XY);
+	}
+
+	/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
+	PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
+
+	/* Success! */
+	return 0;
+}

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c

@@ -0,0 +1,94 @@
+/*-
+ * Copyright 2005,2007,2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "crypto_auth_hmacsha256.h"
+#include "pbkdf2-sha256.h"
+#include "utils.h"
+
+static inline void
+be32enc(void *pp, uint32_t x)
+{
+    uint8_t * p = (uint8_t *)pp;
+
+    p[3] = x & 0xff;
+    p[2] = (x >> 8) & 0xff;
+    p[1] = (x >> 16) & 0xff;
+    p[0] = (x >> 24) & 0xff;
+}
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+void
+PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
+              size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
+{
+        crypto_auth_hmacsha256_state PShctx, hctx;
+        size_t          i;
+        uint8_t         ivec[4];
+        uint8_t         U[32];
+        uint8_t         T[32];
+        uint64_t        j;
+        int             k;
+        size_t          clen;
+
+    crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen);
+    crypto_auth_hmacsha256_update(&PShctx, salt, saltlen);
+
+        for (i = 0; i * 32 < dkLen; i++) {
+                be32enc(ivec, (uint32_t)(i + 1));
+                memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state));
+                crypto_auth_hmacsha256_update(&hctx, ivec, 4);
+                crypto_auth_hmacsha256_final(&hctx, U);
+
+                memcpy(T, U, 32);
+
+                for (j = 2; j <= c; j++) {
+                        crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen);
+                        crypto_auth_hmacsha256_update(&hctx, U, 32);
+                        crypto_auth_hmacsha256_final(&hctx, U);
+
+                        for (k = 0; k < 32; k++) {
+                                T[k] ^= U[k];
+            }
+                }
+
+                clen = dkLen - i * 32;
+                if (clen > 32) {
+                        clen = 32;
+        }
+                memcpy(&buf[i * 32], T, clen);
+        }
+    sodium_memzero((void *) &PShctx, sizeof PShctx);
+}

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.h

@@ -0,0 +1,45 @@
+/*-
+ * Copyright 2005,2007,2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef _SHA256_H_
+#define _SHA256_H_
+
+#include <sys/types.h>
+
+#include <stdint.h>
+
+#include "crypto_auth_hmacsha256.h"
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
+                   uint64_t, uint8_t *, size_t);
+
+#endif /* !_SHA256_H_ */

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pwhash_scryptxsalsa208sha256.c

@@ -0,0 +1,172 @@
+
+#include <errno.h>
+#include <limits.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "crypto_pwhash_scryptxsalsa208sha256.h"
+#include "crypto_scrypt.h"
+#include "randombytes.h"
+#include "utils.h"
+
+#define SETTING_SIZE(saltbytes) \
+    (sizeof "$7$" - 1U) + \
+    (1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes)
+
+static int
+pickparams(unsigned long long opslimit, const size_t memlimit,
+           uint32_t * const N_log2, uint32_t * const p, uint32_t * const r)
+{
+    unsigned long long maxN;
+    unsigned long long maxrp;
+
+    if (opslimit < 32768) {
+        opslimit = 32768;
+    }
+    *r = 8;
+    if (opslimit < memlimit / 32) {
+        *p = 1;
+        maxN = opslimit / (*r * 4);
+        for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
+            if ((uint64_t)(1) << *N_log2 > maxN / 2) {
+                break;
+            }
+        }
+    } else {
+        maxN = memlimit / (*r * 128);
+        for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
+            if ((uint64_t) (1) << *N_log2 > maxN / 2) {
+                break;
+            }
+        }
+        maxrp = (opslimit / 4) / ((uint64_t) (1) << *N_log2);
+        if (maxrp > 0x3fffffff) {
+            maxrp = 0x3fffffff;
+        }
+        *p = (uint32_t) (maxrp) / *r;
+    }
+    return 0;
+}
+
+size_t
+crypto_pwhash_scryptxsalsa208sha256_saltbytes(void)
+{
+    return crypto_pwhash_scryptxsalsa208sha256_SALTBYTES;
+}
+
+size_t
+crypto_pwhash_scryptxsalsa208sha256_strbytes(void)
+{
+    return crypto_pwhash_scryptxsalsa208sha256_STRBYTES;
+}
+
+int
+crypto_pwhash_scryptxsalsa208sha256(unsigned char * const out,
+                                    unsigned long long outlen,
+                                    const char * const passwd,
+                                    unsigned long long passwdlen,
+                                    const unsigned char * const salt,
+                                    unsigned long long opslimit,
+                                    size_t memlimit)
+{
+    uint32_t N_log2;
+    uint32_t p;
+    uint32_t r;
+
+    memset(out, 0, outlen);
+    if (passwdlen > SIZE_MAX || outlen > SIZE_MAX) {
+        errno = EFBIG;
+        return -1;
+    }
+    if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
+        errno = EINVAL;
+        return -1;
+    }
+    return crypto_scrypt_compat((const uint8_t *) passwd, (size_t) passwdlen,
+                                (const uint8_t *) salt,
+                                crypto_pwhash_scryptxsalsa208sha256_SALTBYTES,
+                                (uint64_t) (1) << N_log2, r, p,
+                                out, (size_t) outlen);
+}
+
+int
+crypto_pwhash_scryptxsalsa208sha256_str(char out[crypto_pwhash_scryptxsalsa208sha256_STRBYTES],
+                                        const char * const passwd,
+                                        unsigned long long passwdlen,
+                                        unsigned long long opslimit,
+                                        size_t memlimit)
+{
+    uint8_t         salt[crypto_pwhash_scryptxsalsa208sha256_STRSALTBYTES];
+    char            setting[crypto_pwhash_scryptxsalsa208sha256_STRSETTINGBYTES + 1U];
+    escrypt_local_t escrypt_local;
+    uint32_t        N_log2;
+    uint32_t        p;
+    uint32_t        r;
+
+    memset(out, 0, crypto_pwhash_scryptxsalsa208sha256_STRBYTES);
+    if (passwdlen > SIZE_MAX) {
+        errno = EFBIG;
+        return -1;
+    }
+    if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
+        errno = EINVAL;
+        return -1;
+    }
+    randombytes_buf(salt, sizeof salt);
+    if (escrypt_gensalt_r(N_log2, r, p, salt, sizeof salt,
+                          (uint8_t *) setting, sizeof setting) == NULL) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (escrypt_init_local(&escrypt_local) != 0) {
+        return -1;
+    }
+    if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
+                  (const uint8_t *) setting, (uint8_t *) out,
+                  crypto_pwhash_scryptxsalsa208sha256_STRBYTES) == NULL) {
+        escrypt_free_local(&escrypt_local);
+        errno = EINVAL;
+        return -1;
+    }
+    escrypt_free_local(&escrypt_local);
+
+    (void) sizeof
+        (int[SETTING_SIZE(crypto_pwhash_scryptxsalsa208sha256_STRSALTBYTES)
+            == crypto_pwhash_scryptxsalsa208sha256_STRSETTINGBYTES ? 1 : -1]);
+    (void) sizeof
+        (int[crypto_pwhash_scryptxsalsa208sha256_STRSETTINGBYTES + 1U +
+             crypto_pwhash_scryptxsalsa208sha256_STRHASHBYTES_ENCODED + 1U
+             == crypto_pwhash_scryptxsalsa208sha256_STRBYTES ? 1 : -1]);
+
+    return 0;
+}
+
+int
+crypto_pwhash_scryptxsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptxsalsa208sha256_STRBYTES],
+                                               const char * const passwd,
+                                               unsigned long long passwdlen)
+{
+    char            wanted[crypto_pwhash_scryptxsalsa208sha256_STRBYTES];
+    escrypt_local_t escrypt_local;
+    int             ret = -1;
+
+    if (memchr(str, 0, crypto_pwhash_scryptxsalsa208sha256_STRBYTES) !=
+        &str[crypto_pwhash_scryptxsalsa208sha256_STRBYTES - 1U]) {
+        return -1;
+    }
+    if (escrypt_init_local(&escrypt_local) != 0) {
+        return -1;
+    }
+    if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
+                  (const uint8_t *) str, (uint8_t *) wanted,
+                  sizeof wanted) == NULL) {
+        escrypt_free_local(&escrypt_local);
+        return -1;
+    }
+    escrypt_free_local(&escrypt_local);
+    ret = sodium_memcmp(wanted, str, sizeof wanted);
+    sodium_memzero(wanted, sizeof wanted);
+
+    return ret;
+}