scrypt 2.1.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 97e4aa9bd943a970d5809dec76392d57b80b86ab
-  data.tar.gz: d4ed6d6695db090fa341ffaae1f050d0d0ff6301
+  metadata.gz: cfb68eca4a9da928746e910f6102bfcc5aa6930e
+  data.tar.gz: a8a5b75ac77e99bdc4600f5d33006855ee1abd8b
 SHA512:
-  metadata.gz: e73b9d972111d155c7b75e8f84317a8dfa6995f6103be3c03e8c430feead8694c41cc96dfbc12ce5234e34916c7f7261abd5658c7428eca0236d68b3feb0bfab
-  data.tar.gz: fd8b8d3934186ae12ed492e14e66b078e5c3e56c44960e15cb5c197f76fc909671bbbc2c69e826f62c3b887bee6ecfa958f3fe8a8fb6662b52ffd3f1380e1796
+  metadata.gz: e8bf255e9a3ade2a4b6386d0cda4cf25d6026cef9aaf554634a22c3e1b04bdfcd7320df33f6a50c6660363123e43cfff579ce7b82220757a0ed55010e9f83af7
+  data.tar.gz: 4a6d07b2914c43fe9f98f7c8ade8dda6296f4e62e517f15c21ca175046df1cef451de373ed8fbef042d35ffed013606c3b9315ab3c0365cdcb2651311f2e696f

checksums.yaml.gz.sig

@@ -1,2 +1,6 @@
-�ԸR؎��R�(id{��dj���J�*3ylZw�~g��N�$�p(G�ƪ����o7������vs5�X�Q��0P�$�	�\E���p�!h�ʹ
-�''�r���!4��eE��|��K`��t������X��H�J:�����it:1���i��w�kP2�#����[vc��6�,9�>lcQ����2g�/�	ݰUP����׊�9��.�Q�b�,�2Y.R�h��]���sC�6f�e�����u7�h�h�Ϣ��
+
+vS��]F	�c�(ì\�
+�T��X�>�L3�T�<�=<�!�pأ[Q*`�͠3ѵ`�<e[G#$��ͲP
+��[M�H���m��q
+�e��p�~*�C{����Iܭ�)H��
+���>4��b���Rz3B���2!��S�ԧO�؇�ӻ��ۡ6�9~��3��������&PwFz������%�ާ�Ewp��0�D'(�8b���E�p�	8_k]YK�:}

data.tar.gz.sig

@@ -1,2 +1 @@
-��8���kv���.4��J��/T}qȖ����S�����t�KO3�Q\�t�XSg��"[�)l�-��v�vi��N�7���8�������t�G����̿7
-(�a�S~E2IJ�7�	����y��4
+\��=��*1�

data/Rakefile

@@ -24,7 +24,8 @@ end
 desc "FFI compiler"
 namespace "ffi-compiler" do
   FFI::Compiler::CompileTask.new('ext/scrypt/scrypt_ext') do |t|
-    t.cflags << "-Wall -msse -msse2"
+    t.cflags << "-Wall -std=c99"
+    t.cflags << "-msse -msse2" if t.platform.arch.include? "86"
     t.cflags << "-D_GNU_SOURCE=1" if RbConfig::CONFIG["host_os"].downcase =~ /mingw/
     t.cflags << "-arch x86_64 -arch i386" if t.platform.mac?
     t.ldflags << "-arch x86_64 -arch i386" if t.platform.mac?

data/ext/scrypt/Rakefile

@@ -1,7 +1,8 @@
 require 'ffi-compiler/compile_task'
 
 FFI::Compiler::CompileTask.new('scrypt_ext') do |t|
-  t.cflags << "-Wall -msse -msse2"
+  t.cflags << "-Wall -std=c99"
+  t.cflags << "-msse -msse2" if t.platform.arch.include? "86"
   t.cflags << "-D_GNU_SOURCE=1" if RbConfig::CONFIG["host_os"].downcase =~ /mingw/
   t.cflags << "-arch x86_64 -arch i386" if t.platform.mac?
   t.ldflags << "-arch x86_64 -arch i386" if t.platform.mac?

data/ext/scrypt/cpusupport.h

@@ -0,0 +1,105 @@
+#ifndef _CPUSUPPORT_H_
+#define _CPUSUPPORT_H_
+
+/*
+ * To enable support for non-portable CPU features at compile time, one or
+ * more CPUSUPPORT_ARCH_FEATURE macros should be defined.  This can be done
+ * directly on the compiler command line via -D CPUSUPPORT_ARCH_FEATURE or
+ * -D CPUSUPPORT_ARCH_FEATURE=1; or a file can be created with the
+ * necessary #define lines and then -D CPUSUPPORT_CONFIG_FILE=cpuconfig.h
+ * (or similar) can be provided to include that file here.
+ */
+#ifdef CPUSUPPORT_CONFIG_FILE
+#include CPUSUPPORT_CONFIG_FILE
+#endif
+
+/**
+ * The CPUSUPPORT_FEATURE macro declares the necessary variables and
+ * functions for detecting CPU feature support at run time.  The function
+ * defined in the macro acts to cache the result of the ..._detect function
+ * using the ..._present and ..._init variables.  The _detect function and the
+ * _present and _init variables are turn defined by CPUSUPPORT_FEATURE_DECL in
+ * appropriate cpusupport_foo_bar.c file.
+ *
+ * In order to allow CPUSUPPORT_FEATURE to be used for features which do not
+ * have corresponding CPUSUPPORT_FEATURE_DECL blocks in another source file,
+ * we abuse the C preprocessor: If CPUSUPPORT_${enabler} is defined to 1, then
+ * we access _present_1, _init_1, and _detect_1; but if it is not defined, we
+ * access _present_CPUSUPPORT_${enabler} etc., which we define as static, thus
+ * preventing the compiler from emitting a reference to an external symbol.
+ *
+ * In this way, it becomes possible to issue CPUSUPPORT_FEATURE invocations
+ * for nonexistent features without running afoul of the requirement that
+ * "If an identifier declared with external linkage is used... in the entire
+ * program there shall be exactly one external definition" (C99 standard, 6.9
+ * paragraph 5).  In practice, this means that users of the cpusupport code
+ * can omit build and runtime detection files without changing the framework
+ * code.
+ */
+#define CPUSUPPORT_FEATURE__(arch_feature, enabler, enabled)					\
+	static int cpusupport_ ## arch_feature ## _present ## _CPUSUPPORT_ ## enabler;		\
+	static int cpusupport_ ## arch_feature ## _init ## _CPUSUPPORT_ ## enabler;		\
+	static inline int cpusupport_ ## arch_feature ## _detect ## _CPUSUPPORT_ ## enabler(void) { return (0); }	\
+	extern int cpusupport_ ## arch_feature ## _present_ ## enabled;				\
+	extern int cpusupport_ ## arch_feature ## _init_ ## enabled;				\
+	int cpusupport_ ## arch_feature ## _detect_ ## enabled(void);				\
+												\
+	static inline int									\
+	cpusupport_ ## arch_feature(void)							\
+	{											\
+												\
+		if (cpusupport_ ## arch_feature ## _present_ ## enabled)			\
+			return (1);								\
+		else if (cpusupport_ ## arch_feature ## _init_ ## enabled)			\
+			return (0);								\
+		cpusupport_ ## arch_feature ## _present_ ## enabled = 				\
+		    cpusupport_ ## arch_feature ## _detect_ ## enabled();			\
+		cpusupport_ ## arch_feature ## _init_ ## enabled = 1;				\
+		return (cpusupport_ ## arch_feature ## _present_ ## enabled); 			\
+	}											\
+	static void (* cpusupport_ ## arch_feature ## _dummyptr)(void);				\
+	static inline void									\
+	cpusupport_ ## arch_feature ## _dummyfunc(void)						\
+	{											\
+												\
+		(void)cpusupport_ ## arch_feature ## _present ## _CPUSUPPORT_ ## enabler;	\
+		(void)cpusupport_ ## arch_feature ## _init ## _CPUSUPPORT_ ## enabler;		\
+		(void)cpusupport_ ## arch_feature ## _detect ## _CPUSUPPORT_ ## enabler;	\
+		(void)cpusupport_ ## arch_feature ## _present_ ## enabled;			\
+		(void)cpusupport_ ## arch_feature ## _init_ ## enabled;				\
+		(void)cpusupport_ ## arch_feature ## _detect_ ## enabled;			\
+		(void)cpusupport_ ## arch_feature ## _dummyptr;					\
+	}											\
+	static void (* cpusupport_ ## arch_feature ## _dummyptr)(void) = cpusupport_ ## arch_feature ## _dummyfunc;	\
+	struct cpusupport_ ## arch_feature ## _dummy
+#define CPUSUPPORT_FEATURE_(arch_feature, enabler, enabled)	\
+	CPUSUPPORT_FEATURE__(arch_feature, enabler, enabled)
+#define CPUSUPPORT_FEATURE(arch, feature, enabler)				\
+	CPUSUPPORT_FEATURE_(arch ## _ ## feature, enabler, CPUSUPPORT_ ## enabler)
+
+/*
+ * CPUSUPPORT_FEATURE_DECL(arch, feature):
+ * Macro which defines variables and provides a function declaration for
+ * detecting the presence of "feature" on the "arch" architecture.  The
+ * function body following this macro expansion must return nonzero if the
+ * feature is present, or zero if the feature is not present or the detection
+ * fails for any reason.
+ */
+#define CPUSUPPORT_FEATURE_DECL(arch, feature)				\
+	int cpusupport_ ## arch ## _ ## feature ## _present_1 = 0;	\
+	int cpusupport_ ## arch ## _ ## feature ## _init_1 = 0;		\
+	int								\
+	cpusupport_ ## arch ## _ ## feature ## _detect_1(void)
+
+/*
+ * List of features.  If a feature here is not enabled by the appropriate
+ * CPUSUPPORT_ARCH_FEATURE macro being defined, it has no effect; but if the
+ * relevant macro may be defined (e.g., by Build/cpusupport.sh successfully
+ * compiling Build/cpusupport-ARCH-FEATURE.c) then the C file containing the
+ * corresponding run-time detection code (cpusupport_arch_feature.c) must be
+ * compiled and linked in.
+ */
+CPUSUPPORT_FEATURE(x86, aesni, X86_AESNI);
+CPUSUPPORT_FEATURE(x86, sse2, X86_SSE2);
+
+#endif /* !_CPUSUPPORT_H_ */

data/ext/scrypt/crypto_scrypt.c

@@ -0,0 +1,253 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+/* #include "bsdtar_platform.h" */
+
+#include <sys/types.h>
+#include <sys/mman.h>
+
+#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "cpusupport.h"
+#include "sha256.h"
+//#include "warnp.h"
+
+#include "crypto_scrypt_smix.h"
+#include "crypto_scrypt_smix_sse2.h"
+
+#include "crypto_scrypt.h"
+#include "warnp.h"
+
+static void (*smix_func)(uint8_t *, size_t, uint64_t, void *, void *) = NULL;
+
+/**
+ * _crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen, smix):
+ * Perform the requested scrypt computation, using ${smix} as the smix routine.
+ */
+static int
+_crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
+    const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
+    uint8_t * buf, size_t buflen,
+    void (*smix)(uint8_t *, size_t, uint64_t, void *, void *))
+{
+	void * B0, * V0, * XY0;
+	uint8_t * B;
+	uint32_t * V;
+	uint32_t * XY;
+	size_t r = _r, p = _p;
+	uint32_t i;
+
+	/* Sanity-check parameters. */
+#if SIZE_MAX > UINT32_MAX
+	if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
+		errno = EFBIG;
+		goto err0;
+	}
+#endif
+	if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
+		errno = EFBIG;
+		goto err0;
+	}
+	if (((N & (N - 1)) != 0) || (N < 2)) {
+		errno = EINVAL;
+		goto err0;
+	}
+	if ((r > SIZE_MAX / 128 / p) ||
+#if SIZE_MAX / 256 <= UINT32_MAX
+	    (r > (SIZE_MAX - 64) / 256) ||
+#endif
+	    (N > SIZE_MAX / 128 / r)) {
+		errno = ENOMEM;
+		goto err0;
+	}
+
+	/* Allocate memory. */
+#ifdef HAVE_POSIX_MEMALIGN
+	if ((errno = posix_memalign(&B0, 64, 128 * r * p)) != 0)
+		goto err0;
+	B = (uint8_t *)(B0);
+	if ((errno = posix_memalign(&XY0, 64, 256 * r + 64)) != 0)
+		goto err1;
+	XY = (uint32_t *)(XY0);
+#if !defined(MAP_ANON) || !defined(HAVE_MMAP)
+	if ((errno = posix_memalign(&V0, 64, 128 * r * N)) != 0)
+		goto err2;
+	V = (uint32_t *)(V0);
+#endif
+#else
+	if ((B0 = malloc(128 * r * p + 63)) == NULL)
+		goto err0;
+	B = (uint8_t *)(((uintptr_t)(B0) + 63) & ~ (uintptr_t)(63));
+	if ((XY0 = malloc(256 * r + 64 + 63)) == NULL)
+		goto err1;
+	XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
+#if !defined(MAP_ANON) || !defined(HAVE_MMAP)
+	if ((V0 = malloc(128 * r * N + 63)) == NULL)
+		goto err2;
+	V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
+#endif
+#endif
+#if defined(MAP_ANON) && defined(HAVE_MMAP)
+	if ((V0 = mmap(NULL, 128 * r * N, PROT_READ | PROT_WRITE,
+#ifdef MAP_NOCORE
+	    MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
+#else
+	    MAP_ANON | MAP_PRIVATE,
+#endif
+	    -1, 0)) == MAP_FAILED)
+		goto err2;
+	V = (uint32_t *)(V0);
+#endif
+
+	/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
+	PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, p * 128 * r);
+
+	/* 2: for i = 0 to p - 1 do */
+	for (i = 0; i < p; i++) {
+		/* 3: B_i <-- MF(B_i, N) */
+		(smix)(&B[i * 128 * r], r, N, V, XY);
+	}
+
+	/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
+	PBKDF2_SHA256(passwd, passwdlen, B, p * 128 * r, 1, buf, buflen);
+
+	/* Free memory. */
+#if defined(MAP_ANON) && defined(HAVE_MMAP)
+	if (munmap(V0, 128 * r * N))
+		goto err2;
+#else
+	free(V0);
+#endif
+	free(XY0);
+	free(B0);
+
+	/* Success! */
+	return (0);
+
+err2:
+	free(XY0);
+err1:
+	free(B0);
+err0:
+	/* Failure! */
+	return (-1);
+}
+
+#define TESTLEN 64
+static struct scrypt_test {
+	const char * passwd;
+	const char * salt;
+	uint64_t N;
+	uint32_t r;
+	uint32_t p;
+	uint8_t result[TESTLEN];
+} testcase = {
+	.passwd = "pleaseletmein",
+	.salt = "SodiumChloride",
+	.N = 16,
+	.r = 8,
+	.p = 1,
+	.result = {
+		0x25, 0xa9, 0xfa, 0x20, 0x7f, 0x87, 0xca, 0x09,
+		0xa4, 0xef, 0x8b, 0x9f, 0x77, 0x7a, 0xca, 0x16,
+		0xbe, 0xb7, 0x84, 0xae, 0x18, 0x30, 0xbf, 0xbf,
+		0xd3, 0x83, 0x25, 0xaa, 0xbb, 0x93, 0x77, 0xdf,
+		0x1b, 0xa7, 0x84, 0xd7, 0x46, 0xea, 0x27, 0x3b,
+		0xf5, 0x16, 0xa4, 0x6f, 0xbf, 0xac, 0xf5, 0x11,
+		0xc5, 0xbe, 0xba, 0x4c, 0x4a, 0xb3, 0xac, 0xc7,
+		0xfa, 0x6f, 0x46, 0x0b, 0x6c, 0x0f, 0x47, 0x7b,
+	}
+};
+
+static int
+testsmix(void (*smix)(uint8_t *, size_t, uint64_t, void *, void *))
+{
+	uint8_t hbuf[TESTLEN];
+
+	/* Perform the computation. */
+	if (_crypto_scrypt(
+	    (const uint8_t *)testcase.passwd, strlen(testcase.passwd),
+	    (const uint8_t *)testcase.salt, strlen(testcase.salt),
+	    testcase.N, testcase.r, testcase.p, hbuf, TESTLEN, smix))
+		return (-1);
+
+	/* Does it match? */
+	return (memcmp(testcase.result, hbuf, TESTLEN));
+}
+
+static void
+selectsmix(void)
+{
+
+#ifdef CPUSUPPORT_X86_SSE2
+	/* If we're running on an SSE2-capable CPU, try that code. */
+	if (cpusupport_x86_sse2()) {
+		/* If SSE2ized smix works, use it. */
+		if (!testsmix(crypto_scrypt_smix_sse2)) {
+			smix_func = crypto_scrypt_smix_sse2;
+			return;
+		}
+		warn0("Disabling broken SSE2 scrypt support - please report bug!");
+	}
+#endif
+
+	/* If generic smix works, use it. */
+	if (!testsmix(crypto_scrypt_smix)) {
+		smix_func = crypto_scrypt_smix;
+		return;
+	}
+	warn0("Generic scrypt code is broken - please report bug!");
+
+	/* If we get here, something really bad happened. */
+	abort();
+}
+
+/**
+ * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen) and write the result into buf.  The parameters r, p, and buflen
+ * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
+ * must be a power of 2 greater than 1.
+ *
+ * Return 0 on success; or -1 on error.
+ */
+int
+crypto_scrypt(const uint8_t * passwd, size_t passwdlen,
+    const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t _r, uint32_t _p,
+    uint8_t * buf, size_t buflen)
+{
+
+	if (smix_func == NULL)
+		selectsmix();
+
+	return (_crypto_scrypt(passwd, passwdlen, salt, saltlen, N, _r, _p,
+	    buf, buflen, smix_func));
+}

data/ext/scrypt/crypto_scrypt.h

@@ -30,6 +30,7 @@
 #define _CRYPTO_SCRYPT_H_
 
 #include <stdint.h>
+#include <unistd.h>
 
 /**
  * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):

data/ext/scrypt/crypto_scrypt_smix.c

@@ -0,0 +1,214 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#include <stdint.h>
+#include <string.h>
+
+#include "sysendian.h"
+
+#include "crypto_scrypt_smix.h"
+
+static void blkcpy(void *, const void *, size_t);
+static void blkxor(void *, const void *, size_t);
+static void salsa20_8(uint32_t[16]);
+static void blockmix_salsa8(const uint32_t *, uint32_t *, uint32_t *, size_t);
+static uint64_t integerify(const void *, size_t);
+
+static void
+blkcpy(void * dest, const void * src, size_t len)
+{
+	size_t * D = dest;
+	const size_t * S = src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] = S[i];
+}
+
+static void
+blkxor(void * dest, const void * src, size_t len)
+{
+	size_t * D = dest;
+	const size_t * S = src;
+	size_t L = len / sizeof(size_t);
+	size_t i;
+
+	for (i = 0; i < L; i++)
+		D[i] ^= S[i];
+}
+
+/**
+ * salsa20_8(B):
+ * Apply the salsa20/8 core to the provided block.
+ */
+static void
+salsa20_8(uint32_t B[16])
+{
+	uint32_t x[16];
+	size_t i;
+
+	blkcpy(x, B, 64);
+	for (i = 0; i < 8; i += 2) {
+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+		/* Operate on columns. */
+		x[ 4] ^= R(x[ 0]+x[12], 7);  x[ 8] ^= R(x[ 4]+x[ 0], 9);
+		x[12] ^= R(x[ 8]+x[ 4],13);  x[ 0] ^= R(x[12]+x[ 8],18);
+
+		x[ 9] ^= R(x[ 5]+x[ 1], 7);  x[13] ^= R(x[ 9]+x[ 5], 9);
+		x[ 1] ^= R(x[13]+x[ 9],13);  x[ 5] ^= R(x[ 1]+x[13],18);
+
+		x[14] ^= R(x[10]+x[ 6], 7);  x[ 2] ^= R(x[14]+x[10], 9);
+		x[ 6] ^= R(x[ 2]+x[14],13);  x[10] ^= R(x[ 6]+x[ 2],18);
+
+		x[ 3] ^= R(x[15]+x[11], 7);  x[ 7] ^= R(x[ 3]+x[15], 9);
+		x[11] ^= R(x[ 7]+x[ 3],13);  x[15] ^= R(x[11]+x[ 7],18);
+
+		/* Operate on rows. */
+		x[ 1] ^= R(x[ 0]+x[ 3], 7);  x[ 2] ^= R(x[ 1]+x[ 0], 9);
+		x[ 3] ^= R(x[ 2]+x[ 1],13);  x[ 0] ^= R(x[ 3]+x[ 2],18);
+
+		x[ 6] ^= R(x[ 5]+x[ 4], 7);  x[ 7] ^= R(x[ 6]+x[ 5], 9);
+		x[ 4] ^= R(x[ 7]+x[ 6],13);  x[ 5] ^= R(x[ 4]+x[ 7],18);
+
+		x[11] ^= R(x[10]+x[ 9], 7);  x[ 8] ^= R(x[11]+x[10], 9);
+		x[ 9] ^= R(x[ 8]+x[11],13);  x[10] ^= R(x[ 9]+x[ 8],18);
+
+		x[12] ^= R(x[15]+x[14], 7);  x[13] ^= R(x[12]+x[15], 9);
+		x[14] ^= R(x[13]+x[12],13);  x[15] ^= R(x[14]+x[13],18);
+#undef R
+	}
+	for (i = 0; i < 16; i++)
+		B[i] += x[i];
+}
+
+/**
+ * blockmix_salsa8(Bin, Bout, X, r):
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
+ * bytes in length; the output Bout must also be the same size.  The
+ * temporary space X must be 64 bytes.
+ */
+static void
+blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
+{
+	size_t i;
+
+	/* 1: X <-- B_{2r - 1} */
+	blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
+
+	/* 2: for i = 0 to 2r - 1 do */
+	for (i = 0; i < 2 * r; i += 2) {
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8], X, 64);
+
+		/* 3: X <-- H(X \xor B_i) */
+		blkxor(X, &Bin[i * 16 + 16], 64);
+		salsa20_8(X);
+
+		/* 4: Y_i <-- X */
+		/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
+		blkcpy(&Bout[i * 8 + r * 16], X, 64);
+	}
+}
+
+/**
+ * integerify(B, r):
+ * Return the result of parsing B_{2r-1} as a little-endian integer.
+ */
+static uint64_t
+integerify(const void * B, size_t r)
+{
+	const uint32_t * X = (const void *)((uintptr_t)(B) + (2 * r - 1) * 64);
+
+	return (((uint64_t)(X[1]) << 32) + X[0]);
+}
+
+/**
+ * crypto_scrypt_smix(B, r, N, V, XY):
+ * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
+ * the temporary storage V must be 128rN bytes in length; the temporary
+ * storage XY must be 256r + 64 bytes in length.  The value N must be a
+ * power of 2 greater than 1.  The arrays B, V, and XY must be aligned to a
+ * multiple of 64 bytes.
+ */
+void
+crypto_scrypt_smix(uint8_t * B, size_t r, uint64_t N, void * _V, void * XY)
+{
+	uint32_t * X = XY;
+	uint32_t * Y = (void *)((uint8_t *)(XY) + 128 * r);
+	uint32_t * Z = (void *)((uint8_t *)(XY) + 256 * r);
+	uint32_t * V = _V;
+	uint64_t i;
+	uint64_t j;
+	size_t k;
+
+	/* 1: X <-- B */
+	for (k = 0; k < 32 * r; k++)
+		X[k] = le32dec(&B[4 * k]);
+
+	/* 2: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 3: V_i <-- X */
+		blkcpy(&V[i * (32 * r)], X, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 3: V_i <-- X */
+		blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
+
+		/* 4: X <-- H(X) */
+		blockmix_salsa8(Y, X, Z, r);
+	}
+
+	/* 6: for i = 0 to N - 1 do */
+	for (i = 0; i < N; i += 2) {
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(X, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(X, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(X, Y, Z, r);
+
+		/* 7: j <-- Integerify(X) mod N */
+		j = integerify(Y, r) & (N - 1);
+
+		/* 8: X <-- H(X \xor V_j) */
+		blkxor(Y, &V[j * (32 * r)], 128 * r);
+		blockmix_salsa8(Y, X, Z, r);
+	}
+
+	/* 10: B' <-- X */
+	for (k = 0; k < 32 * r; k++)
+		le32enc(&B[4 * k], X[k]);
+}