scrypt 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/README.md +33 -13
- data/Rakefile +37 -17
- data/ext/scrypt/Rakefile +9 -0
- data/ext/{mri → scrypt}/crypto_scrypt-sse.c +3 -2
- data/ext/{mri → scrypt}/crypto_scrypt.h +2 -1
- data/ext/{mri → scrypt}/memlimit.c +0 -0
- data/ext/{mri → scrypt}/memlimit.h +0 -0
- data/ext/{mri → scrypt}/scrypt_calibrate.c +0 -0
- data/ext/{mri → scrypt}/scrypt_calibrate.h +0 -0
- data/ext/scrypt/scrypt_ext.c +16 -0
- data/ext/scrypt/scrypt_ext.h +13 -0
- data/ext/{mri → scrypt}/scrypt_platform.h +0 -0
- data/ext/{mri → scrypt}/scryptenc_cpuperf.c +1 -1
- data/ext/{mri → scrypt}/scryptenc_cpuperf.h +0 -0
- data/ext/{mri → scrypt}/sha256.c +0 -0
- data/ext/{mri → scrypt}/sha256.h +0 -0
- data/ext/{mri → scrypt}/sysendian.h +0 -0
- data/lib/scrypt.rb +50 -5
- data/lib/scrypt/scrypt_ext.rb +9 -0
- data/lib/scrypt/version.rb +1 -1
- data/scrypt.gemspec +6 -6
- data/spec/scrypt/engine_spec.rb +2 -2
- data/spec/scrypt/password_spec.rb +3 -3
- metadata +61 -69
- data/.gitignore +0 -9
- data/.rspec +0 -2
- data/.rvmrc +0 -1
- data/.travis.yml +0 -4
- data/Gemfile +0 -4
- data/Gemfile.lock +0 -32
- data/ext/mri/alt-impl/crypto_scrypt-nosse.c +0 -340
- data/ext/mri/alt-impl/crypto_scrypt-ref.c +0 -284
- data/ext/mri/extconf.rb +0 -5
- data/ext/mri/scrypt_ext.c +0 -70
- data/kdf-comparison.png +0 -0
data/.gitignore
DELETED
data/.rspec
DELETED
data/.rvmrc
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
rvm use --create 1.9.3@scrypt
|
data/.travis.yml
DELETED
data/Gemfile
DELETED
data/Gemfile.lock
DELETED
@@ -1,32 +0,0 @@
|
|
1
|
-
PATH
|
2
|
-
remote: .
|
3
|
-
specs:
|
4
|
-
scrypt (1.1.0)
|
5
|
-
|
6
|
-
GEM
|
7
|
-
remote: http://rubygems.org/
|
8
|
-
specs:
|
9
|
-
awesome_print (1.0.2)
|
10
|
-
diff-lcs (1.1.3)
|
11
|
-
json (1.7.0)
|
12
|
-
rake (0.9.2.2)
|
13
|
-
rdoc (3.12)
|
14
|
-
json (~> 1.4)
|
15
|
-
rspec (2.9.0)
|
16
|
-
rspec-core (~> 2.9.0)
|
17
|
-
rspec-expectations (~> 2.9.0)
|
18
|
-
rspec-mocks (~> 2.9.0)
|
19
|
-
rspec-core (2.9.0)
|
20
|
-
rspec-expectations (2.9.1)
|
21
|
-
diff-lcs (~> 1.1.3)
|
22
|
-
rspec-mocks (2.9.0)
|
23
|
-
|
24
|
-
PLATFORMS
|
25
|
-
ruby
|
26
|
-
|
27
|
-
DEPENDENCIES
|
28
|
-
awesome_print
|
29
|
-
rake (~> 0.9.2)
|
30
|
-
rdoc
|
31
|
-
rspec
|
32
|
-
scrypt!
|
@@ -1,340 +0,0 @@
|
|
1
|
-
/*-
|
2
|
-
* Copyright 2009 Colin Percival
|
3
|
-
* All rights reserved.
|
4
|
-
*
|
5
|
-
* Redistribution and use in source and binary forms, with or without
|
6
|
-
* modification, are permitted provided that the following conditions
|
7
|
-
* are met:
|
8
|
-
* 1. Redistributions of source code must retain the above copyright
|
9
|
-
* notice, this list of conditions and the following disclaimer.
|
10
|
-
* 2. Redistributions in binary form must reproduce the above copyright
|
11
|
-
* notice, this list of conditions and the following disclaimer in the
|
12
|
-
* documentation and/or other materials provided with the distribution.
|
13
|
-
*
|
14
|
-
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
15
|
-
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
16
|
-
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
17
|
-
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
18
|
-
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
19
|
-
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
20
|
-
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
21
|
-
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
22
|
-
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
23
|
-
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
24
|
-
* SUCH DAMAGE.
|
25
|
-
*
|
26
|
-
* This file was originally written by Colin Percival as part of the Tarsnap
|
27
|
-
* online backup system.
|
28
|
-
*/
|
29
|
-
#include "scrypt_platform.h"
|
30
|
-
|
31
|
-
#include <sys/types.h>
|
32
|
-
#ifndef __MINGW32__
|
33
|
-
#include <sys/mman.h>
|
34
|
-
#endif
|
35
|
-
|
36
|
-
#include <errno.h>
|
37
|
-
#include <stdint.h>
|
38
|
-
#include <stdlib.h>
|
39
|
-
#include <string.h>
|
40
|
-
|
41
|
-
#include "sha256.h"
|
42
|
-
#include "sysendian.h"
|
43
|
-
|
44
|
-
#include "crypto_scrypt.h"
|
45
|
-
|
46
|
-
static void blkcpy(void *, void *, size_t);
|
47
|
-
static void blkxor(void *, void *, size_t);
|
48
|
-
static void salsa20_8(uint32_t[16]);
|
49
|
-
static void blockmix_salsa8(uint32_t *, uint32_t *, uint32_t *, size_t);
|
50
|
-
static uint64_t integerify(void *, size_t);
|
51
|
-
static void smix(uint8_t *, size_t, uint64_t, uint32_t *, uint32_t *);
|
52
|
-
|
53
|
-
static void
|
54
|
-
blkcpy(void * dest, void * src, size_t len)
|
55
|
-
{
|
56
|
-
size_t * D = dest;
|
57
|
-
size_t * S = src;
|
58
|
-
size_t L = len / sizeof(size_t);
|
59
|
-
size_t i;
|
60
|
-
|
61
|
-
for (i = 0; i < L; i++)
|
62
|
-
D[i] = S[i];
|
63
|
-
}
|
64
|
-
|
65
|
-
static void
|
66
|
-
blkxor(void * dest, void * src, size_t len)
|
67
|
-
{
|
68
|
-
size_t * D = dest;
|
69
|
-
size_t * S = src;
|
70
|
-
size_t L = len / sizeof(size_t);
|
71
|
-
size_t i;
|
72
|
-
|
73
|
-
for (i = 0; i < L; i++)
|
74
|
-
D[i] ^= S[i];
|
75
|
-
}
|
76
|
-
|
77
|
-
/**
|
78
|
-
* salsa20_8(B):
|
79
|
-
* Apply the salsa20/8 core to the provided block.
|
80
|
-
*/
|
81
|
-
static void
|
82
|
-
salsa20_8(uint32_t B[16])
|
83
|
-
{
|
84
|
-
uint32_t x[16];
|
85
|
-
size_t i;
|
86
|
-
|
87
|
-
blkcpy(x, B, 64);
|
88
|
-
for (i = 0; i < 8; i += 2) {
|
89
|
-
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
|
90
|
-
/* Operate on columns. */
|
91
|
-
x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
|
92
|
-
x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
|
93
|
-
|
94
|
-
x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
|
95
|
-
x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
|
96
|
-
|
97
|
-
x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
|
98
|
-
x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
|
99
|
-
|
100
|
-
x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
|
101
|
-
x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
|
102
|
-
|
103
|
-
/* Operate on rows. */
|
104
|
-
x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
|
105
|
-
x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
|
106
|
-
|
107
|
-
x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
|
108
|
-
x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
|
109
|
-
|
110
|
-
x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
|
111
|
-
x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
|
112
|
-
|
113
|
-
x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
|
114
|
-
x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
|
115
|
-
#undef R
|
116
|
-
}
|
117
|
-
for (i = 0; i < 16; i++)
|
118
|
-
B[i] += x[i];
|
119
|
-
}
|
120
|
-
|
121
|
-
/**
|
122
|
-
* blockmix_salsa8(Bin, Bout, X, r):
|
123
|
-
* Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r
|
124
|
-
* bytes in length; the output Bout must also be the same size. The
|
125
|
-
* temporary space X must be 64 bytes.
|
126
|
-
*/
|
127
|
-
static void
|
128
|
-
blockmix_salsa8(uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
|
129
|
-
{
|
130
|
-
size_t i;
|
131
|
-
|
132
|
-
/* 1: X <-- B_{2r - 1} */
|
133
|
-
blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
|
134
|
-
|
135
|
-
/* 2: for i = 0 to 2r - 1 do */
|
136
|
-
for (i = 0; i < 2 * r; i += 2) {
|
137
|
-
/* 3: X <-- H(X \xor B_i) */
|
138
|
-
blkxor(X, &Bin[i * 16], 64);
|
139
|
-
salsa20_8(X);
|
140
|
-
|
141
|
-
/* 4: Y_i <-- X */
|
142
|
-
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
|
143
|
-
blkcpy(&Bout[i * 8], X, 64);
|
144
|
-
|
145
|
-
/* 3: X <-- H(X \xor B_i) */
|
146
|
-
blkxor(X, &Bin[i * 16 + 16], 64);
|
147
|
-
salsa20_8(X);
|
148
|
-
|
149
|
-
/* 4: Y_i <-- X */
|
150
|
-
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
|
151
|
-
blkcpy(&Bout[i * 8 + r * 16], X, 64);
|
152
|
-
}
|
153
|
-
}
|
154
|
-
|
155
|
-
/**
|
156
|
-
* integerify(B, r):
|
157
|
-
* Return the result of parsing B_{2r-1} as a little-endian integer.
|
158
|
-
*/
|
159
|
-
static uint64_t
|
160
|
-
integerify(void * B, size_t r)
|
161
|
-
{
|
162
|
-
uint32_t * X = (void *)((uintptr_t)(B) + (2 * r - 1) * 64);
|
163
|
-
|
164
|
-
return (((uint64_t)(X[1]) << 32) + X[0]);
|
165
|
-
}
|
166
|
-
|
167
|
-
/**
|
168
|
-
* smix(B, r, N, V, XY):
|
169
|
-
* Compute B = SMix_r(B, N). The input B must be 128r bytes in length;
|
170
|
-
* the temporary storage V must be 128rN bytes in length; the temporary
|
171
|
-
* storage XY must be 256r + 64 bytes in length. The value N must be a
|
172
|
-
* power of 2 greater than 1. The arrays B, V, and XY must be aligned to a
|
173
|
-
* multiple of 64 bytes.
|
174
|
-
*/
|
175
|
-
static void
|
176
|
-
smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY)
|
177
|
-
{
|
178
|
-
uint32_t * X = XY;
|
179
|
-
uint32_t * Y = &XY[32 * r];
|
180
|
-
uint32_t * Z = &XY[64 * r];
|
181
|
-
uint64_t i;
|
182
|
-
uint64_t j;
|
183
|
-
size_t k;
|
184
|
-
|
185
|
-
/* 1: X <-- B */
|
186
|
-
for (k = 0; k < 32 * r; k++)
|
187
|
-
X[k] = le32dec(&B[4 * k]);
|
188
|
-
|
189
|
-
/* 2: for i = 0 to N - 1 do */
|
190
|
-
for (i = 0; i < N; i += 2) {
|
191
|
-
/* 3: V_i <-- X */
|
192
|
-
blkcpy(&V[i * (32 * r)], X, 128 * r);
|
193
|
-
|
194
|
-
/* 4: X <-- H(X) */
|
195
|
-
blockmix_salsa8(X, Y, Z, r);
|
196
|
-
|
197
|
-
/* 3: V_i <-- X */
|
198
|
-
blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
|
199
|
-
|
200
|
-
/* 4: X <-- H(X) */
|
201
|
-
blockmix_salsa8(Y, X, Z, r);
|
202
|
-
}
|
203
|
-
|
204
|
-
/* 6: for i = 0 to N - 1 do */
|
205
|
-
for (i = 0; i < N; i += 2) {
|
206
|
-
/* 7: j <-- Integerify(X) mod N */
|
207
|
-
j = integerify(X, r) & (N - 1);
|
208
|
-
|
209
|
-
/* 8: X <-- H(X \xor V_j) */
|
210
|
-
blkxor(X, &V[j * (32 * r)], 128 * r);
|
211
|
-
blockmix_salsa8(X, Y, Z, r);
|
212
|
-
|
213
|
-
/* 7: j <-- Integerify(X) mod N */
|
214
|
-
j = integerify(Y, r) & (N - 1);
|
215
|
-
|
216
|
-
/* 8: X <-- H(X \xor V_j) */
|
217
|
-
blkxor(Y, &V[j * (32 * r)], 128 * r);
|
218
|
-
blockmix_salsa8(Y, X, Z, r);
|
219
|
-
}
|
220
|
-
|
221
|
-
/* 10: B' <-- X */
|
222
|
-
for (k = 0; k < 32 * r; k++)
|
223
|
-
le32enc(&B[4 * k], X[k]);
|
224
|
-
}
|
225
|
-
|
226
|
-
/**
|
227
|
-
* crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
|
228
|
-
* Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
|
229
|
-
* p, buflen) and write the result into buf. The parameters r, p, and buflen
|
230
|
-
* must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
|
231
|
-
* must be a power of 2 greater than 1.
|
232
|
-
*
|
233
|
-
* Return 0 on success; or -1 on error.
|
234
|
-
*/
|
235
|
-
int
|
236
|
-
crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
|
237
|
-
const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t r, uint32_t p,
|
238
|
-
uint8_t * buf, size_t buflen)
|
239
|
-
{
|
240
|
-
void * B0, * V0, * XY0;
|
241
|
-
uint8_t * B;
|
242
|
-
uint32_t * V;
|
243
|
-
uint32_t * XY;
|
244
|
-
uint32_t i;
|
245
|
-
|
246
|
-
/* Sanity-check parameters. */
|
247
|
-
#if SIZE_MAX > UINT32_MAX
|
248
|
-
if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
|
249
|
-
errno = EFBIG;
|
250
|
-
goto err0;
|
251
|
-
}
|
252
|
-
#endif
|
253
|
-
if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
|
254
|
-
errno = EFBIG;
|
255
|
-
goto err0;
|
256
|
-
}
|
257
|
-
if (((N & (N - 1)) != 0) || (N == 0)) {
|
258
|
-
errno = EINVAL;
|
259
|
-
goto err0;
|
260
|
-
}
|
261
|
-
if ((r > SIZE_MAX / 128 / p) ||
|
262
|
-
#if SIZE_MAX / 256 <= UINT32_MAX
|
263
|
-
(r > SIZE_MAX / 256) ||
|
264
|
-
#endif
|
265
|
-
(N > SIZE_MAX / 128 / r)) {
|
266
|
-
errno = ENOMEM;
|
267
|
-
goto err0;
|
268
|
-
}
|
269
|
-
|
270
|
-
/* Allocate memory. */
|
271
|
-
#ifdef HAVE_POSIX_MEMALIGN
|
272
|
-
if ((errno = posix_memalign(&B0, 64, 128 * r * p)) != 0)
|
273
|
-
goto err0;
|
274
|
-
B = (uint8_t *)(B0);
|
275
|
-
if ((errno = posix_memalign(&XY0, 64, 256 * r + 64)) != 0)
|
276
|
-
goto err1;
|
277
|
-
XY = (uint32_t *)(XY0);
|
278
|
-
#ifndef MAP_ANON
|
279
|
-
if ((errno = posix_memalign(&V0, 64, 128 * r * N)) != 0)
|
280
|
-
goto err2;
|
281
|
-
V = (uint32_t *)(V0);
|
282
|
-
#endif
|
283
|
-
#else
|
284
|
-
if ((B0 = malloc(128 * r * p + 63)) == NULL)
|
285
|
-
goto err0;
|
286
|
-
B = (uint8_t *)(((uintptr_t)(B0) + 63) & ~ (uintptr_t)(63));
|
287
|
-
if ((XY0 = malloc(256 * r + 64 + 63)) == NULL)
|
288
|
-
goto err1;
|
289
|
-
XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
|
290
|
-
#ifndef MAP_ANON
|
291
|
-
if ((V0 = malloc(128 * r * N + 63)) == NULL)
|
292
|
-
goto err2;
|
293
|
-
V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
|
294
|
-
#endif
|
295
|
-
#endif
|
296
|
-
#ifdef MAP_ANON
|
297
|
-
if ((V0 = mmap(NULL, 128 * r * N, PROT_READ | PROT_WRITE,
|
298
|
-
#ifdef MAP_NOCORE
|
299
|
-
MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
|
300
|
-
#else
|
301
|
-
MAP_ANON | MAP_PRIVATE,
|
302
|
-
#endif
|
303
|
-
-1, 0)) == MAP_FAILED)
|
304
|
-
goto err2;
|
305
|
-
V = (uint32_t *)(V0);
|
306
|
-
#endif
|
307
|
-
|
308
|
-
/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
|
309
|
-
PBKDF2_scrypt_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
|
310
|
-
|
311
|
-
/* 2: for i = 0 to p - 1 do */
|
312
|
-
for (i = 0; i < p; i++) {
|
313
|
-
/* 3: B_i <-- MF(B_i, N) */
|
314
|
-
smix(&B[i * 128 * r], r, N, V, XY);
|
315
|
-
}
|
316
|
-
|
317
|
-
/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
|
318
|
-
PBKDF2_scrypt_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
|
319
|
-
|
320
|
-
/* Free memory. */
|
321
|
-
#ifdef MAP_ANON
|
322
|
-
if (munmap(V0, 128 * r * N))
|
323
|
-
goto err2;
|
324
|
-
#else
|
325
|
-
free(V0);
|
326
|
-
#endif
|
327
|
-
free(XY0);
|
328
|
-
free(B0);
|
329
|
-
|
330
|
-
/* Success! */
|
331
|
-
return (0);
|
332
|
-
|
333
|
-
err2:
|
334
|
-
free(XY0);
|
335
|
-
err1:
|
336
|
-
free(B0);
|
337
|
-
err0:
|
338
|
-
/* Failure! */
|
339
|
-
return (-1);
|
340
|
-
}
|
@@ -1,284 +0,0 @@
|
|
1
|
-
/*-
|
2
|
-
* Copyright 2009 Colin Percival
|
3
|
-
* All rights reserved.
|
4
|
-
*
|
5
|
-
* Redistribution and use in source and binary forms, with or without
|
6
|
-
* modification, are permitted provided that the following conditions
|
7
|
-
* are met:
|
8
|
-
* 1. Redistributions of source code must retain the above copyright
|
9
|
-
* notice, this list of conditions and the following disclaimer.
|
10
|
-
* 2. Redistributions in binary form must reproduce the above copyright
|
11
|
-
* notice, this list of conditions and the following disclaimer in the
|
12
|
-
* documentation and/or other materials provided with the distribution.
|
13
|
-
*
|
14
|
-
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
15
|
-
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
16
|
-
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
17
|
-
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
18
|
-
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
19
|
-
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
20
|
-
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
21
|
-
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
22
|
-
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
23
|
-
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
24
|
-
* SUCH DAMAGE.
|
25
|
-
*
|
26
|
-
* This file was originally written by Colin Percival as part of the Tarsnap
|
27
|
-
* online backup system.
|
28
|
-
*/
|
29
|
-
#include "scrypt_platform.h"
|
30
|
-
|
31
|
-
#include <errno.h>
|
32
|
-
#include <stdint.h>
|
33
|
-
#include <stdlib.h>
|
34
|
-
#include <string.h>
|
35
|
-
|
36
|
-
#include "sha256.h"
|
37
|
-
#include "sysendian.h"
|
38
|
-
|
39
|
-
#include "crypto_scrypt.h"
|
40
|
-
|
41
|
-
static void blkcpy(uint8_t *, uint8_t *, size_t);
|
42
|
-
static void blkxor(uint8_t *, uint8_t *, size_t);
|
43
|
-
static void salsa20_8(uint8_t[64]);
|
44
|
-
static void blockmix_salsa8(uint8_t *, uint8_t *, size_t);
|
45
|
-
static uint64_t integerify(uint8_t *, size_t);
|
46
|
-
static void smix(uint8_t *, size_t, uint64_t, uint8_t *, uint8_t *);
|
47
|
-
|
48
|
-
static void
|
49
|
-
blkcpy(uint8_t * dest, uint8_t * src, size_t len)
|
50
|
-
{
|
51
|
-
size_t i;
|
52
|
-
|
53
|
-
for (i = 0; i < len; i++)
|
54
|
-
dest[i] = src[i];
|
55
|
-
}
|
56
|
-
|
57
|
-
static void
|
58
|
-
blkxor(uint8_t * dest, uint8_t * src, size_t len)
|
59
|
-
{
|
60
|
-
size_t i;
|
61
|
-
|
62
|
-
for (i = 0; i < len; i++)
|
63
|
-
dest[i] ^= src[i];
|
64
|
-
}
|
65
|
-
|
66
|
-
/**
|
67
|
-
* salsa20_8(B):
|
68
|
-
* Apply the salsa20/8 core to the provided block.
|
69
|
-
*/
|
70
|
-
static void
|
71
|
-
salsa20_8(uint8_t B[64])
|
72
|
-
{
|
73
|
-
uint32_t B32[16];
|
74
|
-
uint32_t x[16];
|
75
|
-
size_t i;
|
76
|
-
|
77
|
-
/* Convert little-endian values in. */
|
78
|
-
for (i = 0; i < 16; i++)
|
79
|
-
B32[i] = le32dec(&B[i * 4]);
|
80
|
-
|
81
|
-
/* Compute x = doubleround^4(B32). */
|
82
|
-
for (i = 0; i < 16; i++)
|
83
|
-
x[i] = B32[i];
|
84
|
-
for (i = 0; i < 8; i += 2) {
|
85
|
-
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
|
86
|
-
/* Operate on columns. */
|
87
|
-
x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
|
88
|
-
x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
|
89
|
-
|
90
|
-
x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
|
91
|
-
x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
|
92
|
-
|
93
|
-
x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
|
94
|
-
x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
|
95
|
-
|
96
|
-
x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
|
97
|
-
x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
|
98
|
-
|
99
|
-
/* Operate on rows. */
|
100
|
-
x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
|
101
|
-
x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
|
102
|
-
|
103
|
-
x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
|
104
|
-
x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
|
105
|
-
|
106
|
-
x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
|
107
|
-
x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
|
108
|
-
|
109
|
-
x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
|
110
|
-
x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
|
111
|
-
#undef R
|
112
|
-
}
|
113
|
-
|
114
|
-
/* Compute B32 = B32 + x. */
|
115
|
-
for (i = 0; i < 16; i++)
|
116
|
-
B32[i] += x[i];
|
117
|
-
|
118
|
-
/* Convert little-endian values out. */
|
119
|
-
for (i = 0; i < 16; i++)
|
120
|
-
le32enc(&B[4 * i], B32[i]);
|
121
|
-
}
|
122
|
-
|
123
|
-
/**
|
124
|
-
* blockmix_salsa8(B, Y, r):
|
125
|
-
* Compute B = BlockMix_{salsa20/8, r}(B). The input B must be 128r bytes in
|
126
|
-
* length; the temporary space Y must also be the same size.
|
127
|
-
*/
|
128
|
-
static void
|
129
|
-
blockmix_salsa8(uint8_t * B, uint8_t * Y, size_t r)
|
130
|
-
{
|
131
|
-
uint8_t X[64];
|
132
|
-
size_t i;
|
133
|
-
|
134
|
-
/* 1: X <-- B_{2r - 1} */
|
135
|
-
blkcpy(X, &B[(2 * r - 1) * 64], 64);
|
136
|
-
|
137
|
-
/* 2: for i = 0 to 2r - 1 do */
|
138
|
-
for (i = 0; i < 2 * r; i++) {
|
139
|
-
/* 3: X <-- H(X \xor B_i) */
|
140
|
-
blkxor(X, &B[i * 64], 64);
|
141
|
-
salsa20_8(X);
|
142
|
-
|
143
|
-
/* 4: Y_i <-- X */
|
144
|
-
blkcpy(&Y[i * 64], X, 64);
|
145
|
-
}
|
146
|
-
|
147
|
-
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
|
148
|
-
for (i = 0; i < r; i++)
|
149
|
-
blkcpy(&B[i * 64], &Y[(i * 2) * 64], 64);
|
150
|
-
for (i = 0; i < r; i++)
|
151
|
-
blkcpy(&B[(i + r) * 64], &Y[(i * 2 + 1) * 64], 64);
|
152
|
-
}
|
153
|
-
|
154
|
-
/**
|
155
|
-
* integerify(B, r):
|
156
|
-
* Return the result of parsing B_{2r-1} as a little-endian integer.
|
157
|
-
*/
|
158
|
-
static uint64_t
|
159
|
-
integerify(uint8_t * B, size_t r)
|
160
|
-
{
|
161
|
-
uint8_t * X = &B[(2 * r - 1) * 64];
|
162
|
-
|
163
|
-
return (le64dec(X));
|
164
|
-
}
|
165
|
-
|
166
|
-
/**
|
167
|
-
* smix(B, r, N, V, XY):
|
168
|
-
* Compute B = SMix_r(B, N). The input B must be 128r bytes in length; the
|
169
|
-
* temporary storage V must be 128rN bytes in length; the temporary storage
|
170
|
-
* XY must be 256r bytes in length. The value N must be a power of 2.
|
171
|
-
*/
|
172
|
-
static void
|
173
|
-
smix(uint8_t * B, size_t r, uint64_t N, uint8_t * V, uint8_t * XY)
|
174
|
-
{
|
175
|
-
uint8_t * X = XY;
|
176
|
-
uint8_t * Y = &XY[128 * r];
|
177
|
-
uint64_t i;
|
178
|
-
uint64_t j;
|
179
|
-
|
180
|
-
/* 1: X <-- B */
|
181
|
-
blkcpy(X, B, 128 * r);
|
182
|
-
|
183
|
-
/* 2: for i = 0 to N - 1 do */
|
184
|
-
for (i = 0; i < N; i++) {
|
185
|
-
/* 3: V_i <-- X */
|
186
|
-
blkcpy(&V[i * (128 * r)], X, 128 * r);
|
187
|
-
|
188
|
-
/* 4: X <-- H(X) */
|
189
|
-
blockmix_salsa8(X, Y, r);
|
190
|
-
}
|
191
|
-
|
192
|
-
/* 6: for i = 0 to N - 1 do */
|
193
|
-
for (i = 0; i < N; i++) {
|
194
|
-
/* 7: j <-- Integerify(X) mod N */
|
195
|
-
j = integerify(X, r) & (N - 1);
|
196
|
-
|
197
|
-
/* 8: X <-- H(X \xor V_j) */
|
198
|
-
blkxor(X, &V[j * (128 * r)], 128 * r);
|
199
|
-
blockmix_salsa8(X, Y, r);
|
200
|
-
}
|
201
|
-
|
202
|
-
/* 10: B' <-- X */
|
203
|
-
blkcpy(B, X, 128 * r);
|
204
|
-
}
|
205
|
-
|
206
|
-
/**
|
207
|
-
* crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
|
208
|
-
* Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
|
209
|
-
* p, buflen) and write the result into buf. The parameters r, p, and buflen
|
210
|
-
* must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
|
211
|
-
* must be a power of 2.
|
212
|
-
*
|
213
|
-
* Return 0 on success; or -1 on error.
|
214
|
-
*/
|
215
|
-
int
|
216
|
-
crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
|
217
|
-
const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t r, uint32_t p,
|
218
|
-
uint8_t * buf, size_t buflen)
|
219
|
-
{
|
220
|
-
uint8_t * B;
|
221
|
-
uint8_t * V;
|
222
|
-
uint8_t * XY;
|
223
|
-
uint32_t i;
|
224
|
-
|
225
|
-
/* Sanity-check parameters. */
|
226
|
-
#if SIZE_MAX > UINT32_MAX
|
227
|
-
if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
|
228
|
-
errno = EFBIG;
|
229
|
-
goto err0;
|
230
|
-
}
|
231
|
-
#endif
|
232
|
-
if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
|
233
|
-
errno = EFBIG;
|
234
|
-
goto err0;
|
235
|
-
}
|
236
|
-
if (((N & (N - 1)) != 0) || (N == 0)) {
|
237
|
-
errno = EINVAL;
|
238
|
-
goto err0;
|
239
|
-
}
|
240
|
-
if ((r > SIZE_MAX / 128 / p) ||
|
241
|
-
#if SIZE_MAX / 256 <= UINT32_MAX
|
242
|
-
(r > SIZE_MAX / 256) ||
|
243
|
-
#endif
|
244
|
-
(N > SIZE_MAX / 128 / r)) {
|
245
|
-
errno = ENOMEM;
|
246
|
-
goto err0;
|
247
|
-
}
|
248
|
-
|
249
|
-
/* Allocate memory. */
|
250
|
-
if ((B = malloc(128 * r * p)) == NULL)
|
251
|
-
goto err0;
|
252
|
-
if ((XY = malloc(256 * r)) == NULL)
|
253
|
-
goto err1;
|
254
|
-
if ((V = malloc(128 * r * N)) == NULL)
|
255
|
-
goto err2;
|
256
|
-
|
257
|
-
/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
|
258
|
-
PBKDF2_scrypt_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
|
259
|
-
|
260
|
-
/* 2: for i = 0 to p - 1 do */
|
261
|
-
for (i = 0; i < p; i++) {
|
262
|
-
/* 3: B_i <-- MF(B_i, N) */
|
263
|
-
smix(&B[i * 128 * r], r, N, V, XY);
|
264
|
-
}
|
265
|
-
|
266
|
-
/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
|
267
|
-
PBKDF2_scrypt_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
|
268
|
-
|
269
|
-
/* Free memory. */
|
270
|
-
free(V);
|
271
|
-
free(XY);
|
272
|
-
free(B);
|
273
|
-
|
274
|
-
/* Success! */
|
275
|
-
return (0);
|
276
|
-
|
277
|
-
err2:
|
278
|
-
free(XY);
|
279
|
-
err1:
|
280
|
-
free(B);
|
281
|
-
err0:
|
282
|
-
/* Failure! */
|
283
|
-
return (-1);
|
284
|
-
}
|