scrypt 2.0.2 → 3.0.3

data/ext/scrypt/{crypto_scrypt-sse.c → crypto_scrypt_smix_sse2.c}

@@ -26,36 +26,27 @@
  * This file was originally written by Colin Percival as part of the Tarsnap
  * online backup system.
  */
-#include "scrypt_platform.h"
-
-#include <sys/types.h>
-#ifndef __MINGW32__
-#include <sys/mman.h>
-#endif
+#include "cpusupport.h"
+#ifdef CPUSUPPORT_X86_SSE2
 
 #include <emmintrin.h>
-#include <errno.h>
 #include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
 
-#include "sha256.h"
 #include "sysendian.h"
 
-#include "crypto_scrypt.h"
+#include "crypto_scrypt_smix_sse2.h"
 
-static void blkcpy(void *, void *, size_t);
-static void blkxor(void *, void *, size_t);
+static void blkcpy(void *, const void *, size_t);
+static void blkxor(void *, const void *, size_t);
 static void salsa20_8(__m128i *);
-static void blockmix_salsa8(__m128i *, __m128i *, __m128i *, size_t);
-static uint64_t integerify(void *, size_t);
-static void smix(uint8_t *, size_t, uint64_t, void *, void *);
+static void blockmix_salsa8(const __m128i *, __m128i *, __m128i *, size_t);
+static uint64_t integerify(const void *, size_t);
 
 static void
-blkcpy(void * dest, void * src, size_t len)
+blkcpy(void * dest, const void * src, size_t len)
 {
 	__m128i * D = dest;
-	__m128i * S = src;
+	const __m128i * S = src;
 	size_t L = len / 16;
 	size_t i;
 
@@ -64,10 +55,10 @@ blkcpy(void * dest, void * src, size_t len)
 }
 
 static void
-blkxor(void * dest, void * src, size_t len)
+blkxor(void * dest, const void * src, size_t len)
 {
 	__m128i * D = dest;
-	__m128i * S = src;
+	const __m128i * S = src;
 	size_t L = len / 16;
 	size_t i;
 
@@ -144,7 +135,7 @@ salsa20_8(__m128i B[4])
  * temporary space X must be 64 bytes.
  */
 static void
-blockmix_salsa8(__m128i * Bin, __m128i * Bout, __m128i * X, size_t r)
+blockmix_salsa8(const __m128i * Bin, __m128i * Bout, __m128i * X, size_t r)
 {
 	size_t i;
 
@@ -174,25 +165,28 @@ blockmix_salsa8(__m128i * Bin, __m128i * Bout, __m128i * X, size_t r)
 /**
  * integerify(B, r):
  * Return the result of parsing B_{2r-1} as a little-endian integer.
+ * Note that B's layout is permuted compared to the generic implementation.
  */
 static uint64_t
-integerify(void * B, size_t r)
+integerify(const void * B, size_t r)
 {
-	uint32_t * X = (void *)((uintptr_t)(B) + (2 * r - 1) * 64);
+	const uint32_t * X = (const void *)((uintptr_t)(B) + (2 * r - 1) * 64);
 
 	return (((uint64_t)(X[13]) << 32) + X[0]);
 }
 
 /**
- * smix(B, r, N, V, XY):
+ * crypto_scrypt_smix_sse2(B, r, N, V, XY):
  * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
  * the temporary storage V must be 128rN bytes in length; the temporary
  * storage XY must be 256r + 64 bytes in length.  The value N must be a
  * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
  * multiple of 64 bytes.
+ *
+ * Use SSE2 instructions.
  */
-static void
-smix(uint8_t * B, size_t r, uint64_t N, void * V, void * XY)
+void
+crypto_scrypt_smix_sse2(uint8_t * B, size_t r, uint64_t N, void * V, void * XY)
 {
 	__m128i * X = XY;
 	__m128i * Y = (void *)((uintptr_t)(XY) + 128 * r);
@@ -251,119 +245,4 @@ smix(uint8_t * B, size_t r, uint64_t N, void * V, void * XY)
 	}
 }
 
-/**
- * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
- * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
- * p, buflen) and write the result into buf.  The parameters r, p, and buflen
- * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
- * must be a power of 2 greater than 1.
- *
- * Return 0 on success; or -1 on error.
- */
-int
-crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
-    const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
-    uint8_t * buf, size_t buflen)
-{
-	void * B0, * V0, * XY0;
-	uint8_t * B;
-	uint32_t * V;
-	uint32_t * XY;
-	size_t r = _r, p = _p;
-	uint32_t i;
-
-	/* Sanity-check parameters. */
-#if SIZE_MAX > UINT32_MAX
-	if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
-		errno = EFBIG;
-		goto err0;
-	}
-#endif
-	if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
-		errno = EFBIG;
-		goto err0;
-	}
-	if (((N & (N - 1)) != 0) || (N < 2)) {
-		errno = EINVAL;
-		goto err0;
-	}
-	if ((r > SIZE_MAX / 128 / p) ||
-#if SIZE_MAX / 256 <= UINT32_MAX
-	    (r > (SIZE_MAX - 64) / 256) ||
-#endif
-	    (N > SIZE_MAX / 128 / r)) {
-		errno = ENOMEM;
-		goto err0;
-	}
-
-	/* Allocate memory. */
-#ifdef HAVE_POSIX_MEMALIGN
-	if ((errno = posix_memalign(&B0, 64, 128 * r * p)) != 0)
-		goto err0;
-	B = (uint8_t *)(B0);
-	if ((errno = posix_memalign(&XY0, 64, 256 * r + 64)) != 0)
-		goto err1;
-	XY = (uint32_t *)(XY0);
-#ifndef MAP_ANON
-	if ((errno = posix_memalign(&V0, 64, 128 * r * N)) != 0)
-		goto err2;
-	V = (uint32_t *)(V0);
-#endif
-#else
-	if ((B0 = malloc(128 * r * p + 63)) == NULL)
-		goto err0;
-	B = (uint8_t *)(((uintptr_t)(B0) + 63) & ~ (uintptr_t)(63));
-	if ((XY0 = malloc(256 * r + 64 + 63)) == NULL)
-		goto err1;
-	XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
-#ifndef MAP_ANON
-	if ((V0 = malloc(128 * r * N + 63)) == NULL)
-		goto err2;
-	V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
-#endif
-#endif
-#ifdef MAP_ANON
-	if ((V0 = mmap(NULL, 128 * r * N, PROT_READ | PROT_WRITE,
-#ifdef MAP_NOCORE
-	    MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
-#else
-	    MAP_ANON | MAP_PRIVATE,
-#endif
-	    -1, 0)) == MAP_FAILED)
-		goto err2;
-	V = (uint32_t *)(V0);
-#endif
-
-	/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
-	PBKDF2_scrypt_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
-
-	/* 2: for i = 0 to p - 1 do */
-	for (i = 0; i < p; i++) {
-		/* 3: B_i <-- MF(B_i, N) */
-		smix(&B[i * 128 * r], r, N, V, XY);
-	}
-
-	/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
-	PBKDF2_scrypt_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
-
-	/* Free memory. */
-#ifdef MAP_ANON
-	if (munmap(V0, 128 * r * N))
-		goto err2;
-#else
-	free(V0);
-#endif
-	free(XY0);
-	free(B0);
-
-	/* Success! */
-	return (0);
-
-err2:
-	free(XY0);
-err1:
-	free(B0);
-err0:
-	/* Failure! */
-	return (-1);
-}
+#endif /* CPUSUPPORT_X86_SSE2 */

data/ext/scrypt/crypto_scrypt_smix_sse2.h

@@ -0,0 +1,16 @@
+#ifndef _CRYPTO_SCRYPT_SMIX_SSE2_H_
+#define _CRYPTO_SCRYPT_SMIX_SSE2_H_
+
+/**
+ * crypto_scrypt_smix_sse2(B, r, N, V, XY):
+ * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
+ * the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r + 64 bytes in length.  The value N must be a
+ * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
+ * multiple of 64 bytes.
+ *
+ * Use SSE2 instructions.
+ */
+void crypto_scrypt_smix_sse2(uint8_t *, size_t, uint64_t, void *, void *);
+
+#endif /* !_CRYPTO_SCRYPT_SMIX_SSE2_H_ */

data/ext/scrypt/insecure_memzero.c

@@ -0,0 +1,19 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "insecure_memzero.h"
+
+/* Function which does the zeroing. */
+static void
+insecure_memzero_func(volatile void * buf, size_t len)
+{
+	volatile uint8_t * _buf = buf;
+	size_t i;
+
+	for (i = 0; i < len; i++)
+		_buf[i] = 0;
+}
+
+/* Pointer to memory-zeroing function. */
+void (* volatile insecure_memzero_ptr)(volatile void *, size_t) =
+    insecure_memzero_func;

data/ext/scrypt/insecure_memzero.h

@@ -0,0 +1,37 @@
+#ifndef _INSECURE_MEMZERO_H_
+#define _INSECURE_MEMZERO_H_
+
+#include <stddef.h>
+
+/* Pointer to memory-zeroing function. */
+extern void (* volatile insecure_memzero_ptr)(volatile void *, size_t);
+
+/**
+ * insecure_memzero(buf, len):
+ * Attempt to zero ${len} bytes at ${buf} in spite of optimizing compilers'
+ * best (standards-compliant) attempts to remove the buffer-zeroing.  In
+ * particular, to avoid performing the zeroing, a compiler would need to
+ * use optimistic devirtualization; recognize that non-volatile objects do not
+ * need to be treated as volatile, even if they are accessed via volatile
+ * qualified pointers; and perform link-time optimization; in addition to the
+ * dead-code elimination which often causes buffer-zeroing to be elided.
+ *
+ * Note however that zeroing a buffer does not guarantee that the data held
+ * in the buffer is not stored elsewhere; in particular, there may be copies
+ * held in CPU registers or in anonymous allocations on the stack, even if
+ * every named variable is successfully sanitized.  Solving the "wipe data
+ * from the system" problem will require a C language extension which does not
+ * yet exist.
+ *
+ * For more information, see:
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ * http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html
+ */
+static inline void
+insecure_memzero(volatile void * buf, size_t len)
+{
+
+	(insecure_memzero_ptr)(buf, len);
+}
+
+#endif /* !_INSECURE_MEMZERO_H_ */