scrypt 2.0.2 → 3.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c836e8c175f08a62b2dd0fc2732874265aab163
-  data.tar.gz: a022b4b68060d2dd28b5ee469883ac666bb819f6
+  metadata.gz: 981c040787ad037c2e3dfcabc394b7b3c0cacb81
+  data.tar.gz: f82dfc646bfee4356d66c6cecfbc6dc2e03e7e7f
 SHA512:
-  metadata.gz: b6d28a4faf27640f452966df5a925b5f1aa2aba6364714c236632e88dcf132af2a3c1a9092ff6f1f9487d7f3fcd6ed600129af957fdd8656fa6a20d36dad438e
-  data.tar.gz: 41c2e4894c9ebbd533449fd10cab5f7e3f49e8bc9bf1675667787f5ffc685e8ecde2dcbdd7122c9627d70bc116cc9830fb46c20b095c23195e1e8b7b27669258
+  metadata.gz: 98879e9b989ac3ad638cd00393164d89a228c6c162c36e8eee12d6d0931eab2454bc50dd94b702742801333e0beb6fa94ebbc321db16024ffadf856fc98fb328
+  data.tar.gz: f6860d45961fe7c6cf23eae1d62c8382750aa772077ffd88f03a038f54f57c122980803420abf6a3e490821fad396e0ca826d4c5dfc68705b2a6cc8c9110f6cb

checksums.yaml.gz.sig

@@ -1,2 +1,3 @@
-)$e����0b���a8=�����AP;�Ff9kN����t�f9*��R&5
-3}<.�)�|�\�*z<���9�3�#�'�+�|&G!����ُb��+'=����[㚍�z�T
��<���H�-�������کb@�l��g�F�T�W9��e���vÛ�5|��ԺI���S����'	{�b����հ���J<a����l��ƸUv�/l��
+(~;��0u|p�
+hXy(r�*�3��yKF
+zؼP�m-�E��@���DJ����ˑ?Et'bT+���y�O<z��#��"�K4g�&(v��n^����y�z���7�B�+7��%��:r0J����2��!n�t�����7�K\�z�G�

data/README.md

@@ -1,4 +1,4 @@
-scrypt [![Build Status](https://secure.travis-ci.org/pbhogan/scrypt.png)](http://travis-ci.org/pbhogan/scrypt)
+scrypt [![Build Status](https://secure.travis-ci.org/pbhogan/scrypt.svg)](http://travis-ci.org/pbhogan/scrypt)
 ======
 
 The scrypt key derivation function is designed to be far more secure against hardware brute-force attacks than alternative functions such as PBKDF2 or bcrypt.
@@ -37,13 +37,13 @@ password == "a paltry guess"  # => false
 Password.create takes five options which will determine the key length and salt size, as well as the cost limits of the computation:
 
 * `:key_len` specifies the length in bytes of the key you want to generate. The default is 32 bytes (256 bits). Minimum is 16 bytes (128 bits). Maximum is 512 bytes (4096 bits).
-* `:salt_size` specifies the size in bytes of the random salt you want to generate. The default and minimum is 8 bytes (64 bits). Maximum is 32 bytes (256 bits).
+* `:salt_size` specifies the size in bytes of the random salt you want to generate. The default and maximum is 32 bytes (256 bits). Minimum is 8 bytes (64 bits).
 * `:max_time` specifies the maximum number of seconds the computation should take.
 * `:max_mem` specifies the maximum number of bytes the computation should take. A value of 0 specifies no upper limit. The minimum is always 1 MB.
 * `:max_memfrac` specifies the maximum memory in a fraction of available resources to use. Any value equal to 0 or greater than 0.5 will result in 0.5 being used.
 * `:cost` specifies a cost string (e.g. `'400$8$19$'`) from the `calibrate` method.  The `:max_*` options will be ignored if this option is given, or if `calibrate!` has been called.
 
-Default options will result in calculation time of approx. 200 ms with 1 MB memory use.
+Default options will result in calculation time of approx. 200 ms with 16 MB memory use.
 
 ## Other things you can do
 

data/Rakefile

@@ -24,10 +24,14 @@ end
 desc "FFI compiler"
 namespace "ffi-compiler" do
   FFI::Compiler::CompileTask.new('ext/scrypt/scrypt_ext') do |t|
-    t.cflags << "-Wall -msse -msse2"
+    t.cflags << "-Wall -std=c99"
+    t.cflags << "-msse -msse2" if t.platform.arch.include? "86"
     t.cflags << "-D_GNU_SOURCE=1" if RbConfig::CONFIG["host_os"].downcase =~ /mingw/
+    t.cflags << "-D__need_timespec" if RbConfig::CONFIG['host_os'].downcase =~ /linux/
     t.cflags << "-arch x86_64 -arch i386" if t.platform.mac?
     t.ldflags << "-arch x86_64 -arch i386" if t.platform.mac?
+
+    t.add_define 'WINDOWS_OS' if FFI::Platform.windows?
   end
 end
 task :compile_ffi => ["ffi-compiler:default"]
@@ -58,5 +62,3 @@ Gem::PackageTask.new(gem_spec) do |pkg|
   pkg.need_tar = true
   pkg.package_dir = 'pkg'
 end
-
-

data/ext/scrypt/Rakefile

@@ -1,9 +1,13 @@
 require 'ffi-compiler/compile_task'
 
 FFI::Compiler::CompileTask.new('scrypt_ext') do |t|
-  t.cflags << "-Wall -msse -msse2"
+  t.cflags << "-Wall -std=c99"
+  t.cflags << "-msse -msse2" if t.platform.arch.include? "86"
   t.cflags << "-D_GNU_SOURCE=1" if RbConfig::CONFIG["host_os"].downcase =~ /mingw/
+  t.cflags << "-D__need_timespec" if RbConfig::CONFIG['host_os'].downcase =~ /linux/
   t.cflags << "-arch x86_64 -arch i386" if t.platform.mac?
   t.ldflags << "-arch x86_64 -arch i386" if t.platform.mac?
   t.export '../../lib/scrypt/scrypt_ext.rb'
+
+  t.add_define 'WINDOWS_OS' if FFI::Platform.windows?
 end

data/ext/scrypt/cpusupport.h

@@ -0,0 +1,105 @@
+#ifndef _CPUSUPPORT_H_
+#define _CPUSUPPORT_H_
+
+/*
+ * To enable support for non-portable CPU features at compile time, one or
+ * more CPUSUPPORT_ARCH_FEATURE macros should be defined.  This can be done
+ * directly on the compiler command line via -D CPUSUPPORT_ARCH_FEATURE or
+ * -D CPUSUPPORT_ARCH_FEATURE=1; or a file can be created with the
+ * necessary #define lines and then -D CPUSUPPORT_CONFIG_FILE=cpuconfig.h
+ * (or similar) can be provided to include that file here.
+ */
+#ifdef CPUSUPPORT_CONFIG_FILE
+#include CPUSUPPORT_CONFIG_FILE
+#endif
+
+/**
+ * The CPUSUPPORT_FEATURE macro declares the necessary variables and
+ * functions for detecting CPU feature support at run time.  The function
+ * defined in the macro acts to cache the result of the ..._detect function
+ * using the ..._present and ..._init variables.  The _detect function and the
+ * _present and _init variables are turn defined by CPUSUPPORT_FEATURE_DECL in
+ * appropriate cpusupport_foo_bar.c file.
+ *
+ * In order to allow CPUSUPPORT_FEATURE to be used for features which do not
+ * have corresponding CPUSUPPORT_FEATURE_DECL blocks in another source file,
+ * we abuse the C preprocessor: If CPUSUPPORT_${enabler} is defined to 1, then
+ * we access _present_1, _init_1, and _detect_1; but if it is not defined, we
+ * access _present_CPUSUPPORT_${enabler} etc., which we define as static, thus
+ * preventing the compiler from emitting a reference to an external symbol.
+ *
+ * In this way, it becomes possible to issue CPUSUPPORT_FEATURE invocations
+ * for nonexistent features without running afoul of the requirement that
+ * "If an identifier declared with external linkage is used... in the entire
+ * program there shall be exactly one external definition" (C99 standard, 6.9
+ * paragraph 5).  In practice, this means that users of the cpusupport code
+ * can omit build and runtime detection files without changing the framework
+ * code.
+ */
+#define CPUSUPPORT_FEATURE__(arch_feature, enabler, enabled)					\
+	static int cpusupport_ ## arch_feature ## _present ## _CPUSUPPORT_ ## enabler;		\
+	static int cpusupport_ ## arch_feature ## _init ## _CPUSUPPORT_ ## enabler;		\
+	static inline int cpusupport_ ## arch_feature ## _detect ## _CPUSUPPORT_ ## enabler(void) { return (0); }	\
+	extern int cpusupport_ ## arch_feature ## _present_ ## enabled;				\
+	extern int cpusupport_ ## arch_feature ## _init_ ## enabled;				\
+	int cpusupport_ ## arch_feature ## _detect_ ## enabled(void);				\
+												\
+	static inline int									\
+	cpusupport_ ## arch_feature(void)							\
+	{											\
+												\
+		if (cpusupport_ ## arch_feature ## _present_ ## enabled)			\
+			return (1);								\
+		else if (cpusupport_ ## arch_feature ## _init_ ## enabled)			\
+			return (0);								\
+		cpusupport_ ## arch_feature ## _present_ ## enabled = 				\
+		    cpusupport_ ## arch_feature ## _detect_ ## enabled();			\
+		cpusupport_ ## arch_feature ## _init_ ## enabled = 1;				\
+		return (cpusupport_ ## arch_feature ## _present_ ## enabled); 			\
+	}											\
+	static void (* cpusupport_ ## arch_feature ## _dummyptr)(void);				\
+	static inline void									\
+	cpusupport_ ## arch_feature ## _dummyfunc(void)						\
+	{											\
+												\
+		(void)cpusupport_ ## arch_feature ## _present ## _CPUSUPPORT_ ## enabler;	\
+		(void)cpusupport_ ## arch_feature ## _init ## _CPUSUPPORT_ ## enabler;		\
+		(void)cpusupport_ ## arch_feature ## _detect ## _CPUSUPPORT_ ## enabler;	\
+		(void)cpusupport_ ## arch_feature ## _present_ ## enabled;			\
+		(void)cpusupport_ ## arch_feature ## _init_ ## enabled;				\
+		(void)cpusupport_ ## arch_feature ## _detect_ ## enabled;			\
+		(void)cpusupport_ ## arch_feature ## _dummyptr;					\
+	}											\
+	static void (* cpusupport_ ## arch_feature ## _dummyptr)(void) = cpusupport_ ## arch_feature ## _dummyfunc;	\
+	struct cpusupport_ ## arch_feature ## _dummy
+#define CPUSUPPORT_FEATURE_(arch_feature, enabler, enabled)	\
+	CPUSUPPORT_FEATURE__(arch_feature, enabler, enabled)
+#define CPUSUPPORT_FEATURE(arch, feature, enabler)				\
+	CPUSUPPORT_FEATURE_(arch ## _ ## feature, enabler, CPUSUPPORT_ ## enabler)
+
+/*
+ * CPUSUPPORT_FEATURE_DECL(arch, feature):
+ * Macro which defines variables and provides a function declaration for
+ * detecting the presence of "feature" on the "arch" architecture.  The
+ * function body following this macro expansion must return nonzero if the
+ * feature is present, or zero if the feature is not present or the detection
+ * fails for any reason.
+ */
+#define CPUSUPPORT_FEATURE_DECL(arch, feature)				\
+	int cpusupport_ ## arch ## _ ## feature ## _present_1 = 0;	\
+	int cpusupport_ ## arch ## _ ## feature ## _init_1 = 0;		\
+	int								\
+	cpusupport_ ## arch ## _ ## feature ## _detect_1(void)
+
+/*
+ * List of features.  If a feature here is not enabled by the appropriate
+ * CPUSUPPORT_ARCH_FEATURE macro being defined, it has no effect; but if the
+ * relevant macro may be defined (e.g., by Build/cpusupport.sh successfully
+ * compiling Build/cpusupport-ARCH-FEATURE.c) then the C file containing the
+ * corresponding run-time detection code (cpusupport_arch_feature.c) must be
+ * compiled and linked in.
+ */
+CPUSUPPORT_FEATURE(x86, aesni, X86_AESNI);
+CPUSUPPORT_FEATURE(x86, sse2, X86_SSE2);
+
+#endif /* !_CPUSUPPORT_H_ */

data/ext/scrypt/crypto_scrypt.c

@@ -0,0 +1,257 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+/* #include "bsdtar_platform.h" */
+
+#include <sys/types.h>
+#if !defined(WINDOWS_OS)
+ 	#include <sys/mman.h>
+ 	#ifndef HAVE_MMAP
+		#define HAVE_MMAP 1
+ 	#endif
+#endif
+#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "cpusupport.h"
+#include "sha256.h"
+//#include "warnp.h"
+
+#include "crypto_scrypt_smix.h"
+#include "crypto_scrypt_smix_sse2.h"
+
+#include "crypto_scrypt.h"
+#include "warnp.h"
+
+static void (*smix_func)(uint8_t *, size_t, uint64_t, void *, void *) = NULL;
+
+/**
+ * _crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen, smix):
+ * Perform the requested scrypt computation, using ${smix} as the smix routine.
+ */
+static int
+_crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
+    const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
+    uint8_t * buf, size_t buflen,
+    void (*smix)(uint8_t *, size_t, uint64_t, void *, void *))
+{
+	void * B0, * V0, * XY0;
+	uint8_t * B;
+	uint32_t * V;
+	uint32_t * XY;
+	size_t r = _r, p = _p;
+	uint32_t i;
+
+	/* Sanity-check parameters. */
+#if SIZE_MAX > UINT32_MAX
+	if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
+		errno = EFBIG;
+		goto err0;
+	}
+#endif
+	if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
+		errno = EFBIG;
+		goto err0;
+	}
+	if (((N & (N - 1)) != 0) || (N < 2)) {
+		errno = EINVAL;
+		goto err0;
+	}
+	if ((r > SIZE_MAX / 128 / p) ||
+#if SIZE_MAX / 256 <= UINT32_MAX
+	    (r > (SIZE_MAX - 64) / 256) ||
+#endif
+	    (N > SIZE_MAX / 128 / r)) {
+		errno = ENOMEM;
+		goto err0;
+	}
+
+	/* Allocate memory. */
+#ifdef HAVE_POSIX_MEMALIGN
+	if ((errno = posix_memalign(&B0, 64, 128 * r * p)) != 0)
+		goto err0;
+	B = (uint8_t *)(B0);
+	if ((errno = posix_memalign(&XY0, 64, 256 * r + 64)) != 0)
+		goto err1;
+	XY = (uint32_t *)(XY0);
+#if !defined(MAP_ANON) || !defined(HAVE_MMAP)
+	if ((errno = posix_memalign(&V0, 64, 128 * r * N)) != 0)
+		goto err2;
+	V = (uint32_t *)(V0);
+#endif
+#else
+	if ((B0 = malloc(128 * r * p + 63)) == NULL)
+		goto err0;
+	B = (uint8_t *)(((uintptr_t)(B0) + 63) & ~ (uintptr_t)(63));
+	if ((XY0 = malloc(256 * r + 64 + 63)) == NULL)
+		goto err1;
+	XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
+#if !defined(MAP_ANON) || !defined(HAVE_MMAP)
+	if ((V0 = malloc(128 * r * N + 63)) == NULL)
+		goto err2;
+	V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
+#endif
+#endif
+#if defined(MAP_ANON) && defined(HAVE_MMAP)
+	if ((V0 = mmap(NULL, 128 * r * N, PROT_READ | PROT_WRITE,
+#ifdef MAP_NOCORE
+	    MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
+#else
+	    MAP_ANON | MAP_PRIVATE,
+#endif
+	    -1, 0)) == MAP_FAILED)
+		goto err2;
+	V = (uint32_t *)(V0);
+#endif
+
+	/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
+	PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
+
+	/* 2: for i = 0 to p - 1 do */
+	for (i = 0; i < p; i++) {
+		/* 3: B_i <-- MF(B_i, N) */
+		(smix)(&B[i * 128 * r], r, N, V, XY);
+	}
+
+	/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
+	PBKDF2_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
+
+	/* Free memory. */
+#if defined(MAP_ANON) && defined(HAVE_MMAP)
+	if (munmap(V0, 128 * r * N))
+		goto err2;
+#else
+	free(V0);
+#endif
+	free(XY0);
+	free(B0);
+
+	/* Success! */
+	return (0);
+
+err2:
+	free(XY0);
+err1:
+	free(B0);
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+#define TESTLEN 64
+static struct scrypt_test {
+	const char * passwd;
+	const char * salt;
+	uint64_t N;
+	uint32_t r;
+	uint32_t p;
+	uint8_t result[TESTLEN];
+} testcase = {
+	.passwd = "pleaseletmein",
+	.salt = "SodiumChloride",
+	.N = 16,
+	.r = 8,
+	.p = 1,
+	.result = {
+		0x25, 0xa9, 0xfa, 0x20, 0x7f, 0x87, 0xca, 0x09,
+		0xa4, 0xef, 0x8b, 0x9f, 0x77, 0x7a, 0xca, 0x16,
+		0xbe, 0xb7, 0x84, 0xae, 0x18, 0x30, 0xbf, 0xbf,
+		0xd3, 0x83, 0x25, 0xaa, 0xbb, 0x93, 0x77, 0xdf,
+		0x1b, 0xa7, 0x84, 0xd7, 0x46, 0xea, 0x27, 0x3b,
+		0xf5, 0x16, 0xa4, 0x6f, 0xbf, 0xac, 0xf5, 0x11,
+		0xc5, 0xbe, 0xba, 0x4c, 0x4a, 0xb3, 0xac, 0xc7,
+		0xfa, 0x6f, 0x46, 0x0b, 0x6c, 0x0f, 0x47, 0x7b,
+	}
+};
+
+static int
+testsmix(void (*smix)(uint8_t *, size_t, uint64_t, void *, void *))
+{
+	uint8_t hbuf[TESTLEN];
+
+	/* Perform the computation. */
+	if (_crypto_scrypt(
+	    (const uint8_t *)testcase.passwd, strlen(testcase.passwd),
+	    (const uint8_t *)testcase.salt, strlen(testcase.salt),
+	    testcase.N, testcase.r, testcase.p, hbuf, TESTLEN, smix))
+		return (-1);
+
+	/* Does it match? */
+	return (memcmp(testcase.result, hbuf, TESTLEN));
+}
+
+static void
+selectsmix(void)
+{
+
+#ifdef CPUSUPPORT_X86_SSE2
+	/* If we're running on an SSE2-capable CPU, try that code. */
+	if (cpusupport_x86_sse2()) {
+		/* If SSE2ized smix works, use it. */
+		if (!testsmix(crypto_scrypt_smix_sse2)) {
+			smix_func = crypto_scrypt_smix_sse2;
+			return;
+		}
+		warn0("Disabling broken SSE2 scrypt support - please report bug!");
+	}
+#endif
+
+	/* If generic smix works, use it. */
+	if (!testsmix(crypto_scrypt_smix)) {
+		smix_func = crypto_scrypt_smix;
+		return;
+	}
+	warn0("Generic scrypt code is broken - please report bug!");
+
+	/* If we get here, something really bad happened. */
+	abort();
+}
+
+/**
+ * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen) and write the result into buf.  The parameters r, p, and buflen
+ * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
+ * must be a power of 2 greater than 1.
+ *
+ * Return 0 on success; or -1 on error.
+ */
+int
+crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
+    const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
+    uint8_t * buf, size_t buflen)
+{
+
+	if (smix_func == NULL)
+		selectsmix();
+
+	return (_crypto_scrypt(passwd, passwdlen, salt, saltlen, N, _r, _p,
+	    buf, buflen, smix_func));
+}

data/ext/scrypt/crypto_scrypt.h

@@ -30,6 +30,7 @@
 #define _CRYPTO_SCRYPT_H_
 
 #include <stdint.h>
+#include <unistd.h>
 
 /**
  * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):

data/ext/scrypt/crypto_scrypt_smix.c

@@ -0,0 +1,214 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#include <stdint.h>
+#include <string.h>
+
+#include "sysendian.h"
+
+#include "crypto_scrypt_smix.h"
+
+static void blkcpy(void *, const void *, size_t);
+static void blkxor(void *, const void *, size_t);
+static void salsa20_8(uint32_t[16]);
+static void blockmix_salsa8(const uint32_t *, uint32_t *, uint32_t *, size_t);
+static uint64_t integerify(const void *, size_t);
+
+static void
+blkcpy(void * dest, const void * src, size_t len)
+{
+	size_t * D = dest;
+	const size_t * S = src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] = S[i];
+}
+
+static void
+blkxor(void * dest, const void * src, size_t len)
+{
+	size_t * D = dest;
+	const size_t * S = src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] ^= S[i];
+}
+
+/**
+ * salsa20_8(B):
+ * Apply the salsa20/8 core to the provided block.
+ */
+static void
+salsa20_8(uint32_t B[16])
+{
+	uint32_t x[16];
+	size_t i;
+
+	blkcpy(x, B, 64);
+	for (i = 0; i < 8; i += 2) {
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+		/* Operate on columns. */
+		x[ 4] ^= R(x[ 0]+x[12], 7);  x[ 8] ^= R(x[ 4]+x[ 0], 9);
+		x[12] ^= R(x[ 8]+x[ 4],13);  x[ 0] ^= R(x[12]+x[ 8],18);
+
+		x[ 9] ^= R(x[ 5]+x[ 1], 7);  x[13] ^= R(x[ 9]+x[ 5], 9);
+		x[ 1] ^= R(x[13]+x[ 9],13);  x[ 5] ^= R(x[ 1]+x[13],18);
+
+		x[14] ^= R(x[10]+x[ 6], 7);  x[ 2] ^= R(x[14]+x[10], 9);
+		x[ 6] ^= R(x[ 2]+x[14],13);  x[10] ^= R(x[ 6]+x[ 2],18);
+
+		x[ 3] ^= R(x[15]+x[11], 7);  x[ 7] ^= R(x[ 3]+x[15], 9);
+		x[11] ^= R(x[ 7]+x[ 3],13);  x[15] ^= R(x[11]+x[ 7],18);
+
+		/* Operate on rows. */
+		x[ 1] ^= R(x[ 0]+x[ 3], 7);  x[ 2] ^= R(x[ 1]+x[ 0], 9);
+		x[ 3] ^= R(x[ 2]+x[ 1],13);  x[ 0] ^= R(x[ 3]+x[ 2],18);
+
+		x[ 6] ^= R(x[ 5]+x[ 4], 7);  x[ 7] ^= R(x[ 6]+x[ 5], 9);
+		x[ 4] ^= R(x[ 7]+x[ 6],13);  x[ 5] ^= R(x[ 4]+x[ 7],18);
+
+		x[11] ^= R(x[10]+x[ 9], 7);  x[ 8] ^= R(x[11]+x[10], 9);
+		x[ 9] ^= R(x[ 8]+x[11],13);  x[10] ^= R(x[ 9]+x[ 8],18);
+
+		x[12] ^= R(x[15]+x[14], 7);  x[13] ^= R(x[12]+x[15], 9);
+		x[14] ^= R(x[13]+x[12],13);  x[15] ^= R(x[14]+x[13],18);
+#undef R
+	}
+	for (i = 0; i < 16; i++)
+		B[i] += x[i];
+}
+
+/**
+ * blockmix_salsa8(Bin, Bout, X, r):
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
+ * bytes in length; the output Bout must also be the same size.  The
+ * temporary space X must be 64 bytes.
+ */
+static void
+blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
+{
+	size_t i;
+
+	/* 1: X <-- B_{2r - 1} */
+	blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
+
+	/* 2: for i = 0 to 2r - 1 do */
+	for (i = 0; i < 2 * r; i += 2) {
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8], X, 64);
+
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16 + 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8 + r * 16], X, 64);
+	}
+}
+
+/**
+ * integerify(B, r):
+ * Return the result of parsing B_{2r-1} as a little-endian integer.
+ */
+static uint64_t
+integerify(const void * B, size_t r)
+{
+	const uint32_t * X = (const void *)((uintptr_t)(B) + (2 * r - 1) * 64);
+
+	return (((uint64_t)(X[1]) << 32) + X[0]);
+}
+
+/**
+ * crypto_scrypt_smix(B, r, N, V, XY):
+ * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
+ * the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r + 64 bytes in length.  The value N must be a
+ * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
+ * multiple of 64 bytes.
+ */
+void
+crypto_scrypt_smix(uint8_t * B, size_t r, uint64_t N, void * _V, void * XY)
+{
+	uint32_t * X = XY;
+	uint32_t * Y = (void *)((uint8_t *)(XY) + 128 * r);
+	uint32_t * Z = (void *)((uint8_t *)(XY) + 256 * r);
+	uint32_t * V = _V;
+	uint64_t i;
+	uint64_t j;
+	size_t k;
+
+	/* 1: X <-- B */
+	for (k = 0; k < 32 * r; k++)
+		X[k] = le32dec(&B[4 * k]);
+
+	/* 2: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 3: V_i <-- X */
+		blkcpy(&V[i * (32 * r)], X, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 3: V_i <-- X */
+		blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(Y, X, Z, r);
+	}
+
+	/* 6: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(X, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(X, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(Y, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(Y, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(Y, X, Z, r);
+	}
+
+	/* 10: B' <-- X */
+	for (k = 0; k < 32 * r; k++)
+		le32enc(&B[4 * k], X[k]);
+}

data/ext/scrypt/crypto_scrypt_smix.h

@@ -0,0 +1,14 @@
+#ifndef _CRYPTO_SCRYPT_SMIX_H_
+#define _CRYPTO_SCRYPT_SMIX_H_
+
+/**
+ * crypto_scrypt_smix(B, r, N, V, XY):
+ * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
+ * the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r + 64 bytes in length.  The value N must be a
+ * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
+ * multiple of 64 bytes.
+ */
+void crypto_scrypt_smix(uint8_t *, size_t, uint64_t, void *, void *);
+
+#endif /* !_CRYPTO_SCRYPT_SMIX_H_ */