yescrypt 0.1.0

data/ext/yescrypt/yescrypt-opt.c

@@ -0,0 +1,358 @@
+/*
+ * yescrypt optimized implementation.
+ *
+ * Based on the scrypt algorithm by Colin Percival and the yescrypt
+ * extensions by Alexander Peslyak.
+ *
+ * Copyright (c) 2009 Colin Percival
+ * Copyright (c) 2013-2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include "yescrypt.h"
+#include "sha256.h"
+#include "insecure_memzero.h"
+
+/* Defined in yescrypt-common.c */
+extern int yescrypt_ensure_local(yescrypt_local_t *local, size_t need);
+
+static inline uint32_t le32dec(const void *pp)
+{
+    const uint8_t *p = (const uint8_t *)pp;
+    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
+           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
+}
+
+static inline void le32enc(void *pp, uint32_t x)
+{
+    uint8_t *p = (uint8_t *)pp;
+    p[0] = x & 0xff;
+    p[1] = (x >> 8) & 0xff;
+    p[2] = (x >> 16) & 0xff;
+    p[3] = (x >> 24) & 0xff;
+}
+
+#define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+/* Salsa20/8 core */
+static void salsa20_8(uint32_t B[16])
+{
+    uint32_t x[16];
+    int i;
+
+    memcpy(x, B, sizeof(x));
+
+    for (i = 0; i < 8; i += 2) {
+        /* Odd round */
+        x[ 4] ^= ROTL32(x[ 0] + x[12],  7);
+        x[ 8] ^= ROTL32(x[ 4] + x[ 0],  9);
+        x[12] ^= ROTL32(x[ 8] + x[ 4], 13);
+        x[ 0] ^= ROTL32(x[12] + x[ 8], 18);
+        x[ 9] ^= ROTL32(x[ 5] + x[ 1],  7);
+        x[13] ^= ROTL32(x[ 9] + x[ 5],  9);
+        x[ 1] ^= ROTL32(x[13] + x[ 9], 13);
+        x[ 5] ^= ROTL32(x[ 1] + x[13], 18);
+        x[14] ^= ROTL32(x[10] + x[ 6],  7);
+        x[ 2] ^= ROTL32(x[14] + x[10],  9);
+        x[ 6] ^= ROTL32(x[ 2] + x[14], 13);
+        x[10] ^= ROTL32(x[ 6] + x[ 2], 18);
+        x[ 3] ^= ROTL32(x[15] + x[11],  7);
+        x[ 7] ^= ROTL32(x[ 3] + x[15],  9);
+        x[11] ^= ROTL32(x[ 7] + x[ 3], 13);
+        x[15] ^= ROTL32(x[11] + x[ 7], 18);
+        /* Even round */
+        x[ 1] ^= ROTL32(x[ 0] + x[ 3],  7);
+        x[ 2] ^= ROTL32(x[ 1] + x[ 0],  9);
+        x[ 3] ^= ROTL32(x[ 2] + x[ 1], 13);
+        x[ 0] ^= ROTL32(x[ 3] + x[ 2], 18);
+        x[ 6] ^= ROTL32(x[ 5] + x[ 4],  7);
+        x[ 7] ^= ROTL32(x[ 6] + x[ 5],  9);
+        x[ 4] ^= ROTL32(x[ 7] + x[ 6], 13);
+        x[ 5] ^= ROTL32(x[ 4] + x[ 7], 18);
+        x[11] ^= ROTL32(x[10] + x[ 9],  7);
+        x[ 8] ^= ROTL32(x[11] + x[10],  9);
+        x[ 9] ^= ROTL32(x[ 8] + x[11], 13);
+        x[10] ^= ROTL32(x[ 9] + x[ 8], 18);
+        x[12] ^= ROTL32(x[15] + x[14],  7);
+        x[13] ^= ROTL32(x[12] + x[15],  9);
+        x[14] ^= ROTL32(x[13] + x[12], 13);
+        x[15] ^= ROTL32(x[14] + x[13], 18);
+    }
+
+    for (i = 0; i < 16; i++)
+        B[i] += x[i];
+}
+
+/* scrypt BlockMix using Salsa20/8 */
+static void blockmix_salsa8(const uint32_t *Bin, uint32_t *Bout, uint32_t *X, size_t r)
+{
+    size_t i;
+    size_t r2 = 2 * r;
+
+    /* X = B[2r - 1] */
+    memcpy(X, &Bin[(r2 - 1) * 16], 64);
+
+    for (i = 0; i < r2; i++) {
+        /* X = X xor B[i] */
+        size_t k;
+        for (k = 0; k < 16; k++)
+            X[k] ^= Bin[i * 16 + k];
+
+        salsa20_8(X);
+
+        /* Y[i] = X */
+        /* Place even blocks at start, odd at end */
+        if (i % 2 == 0)
+            memcpy(&Bout[(i / 2) * 16], X, 64);
+        else
+            memcpy(&Bout[(r + i / 2) * 16], X, 64);
+    }
+}
+
+/* Integerify: extract a 64-bit integer from block B */
+static inline uint64_t integerify(const uint32_t *B, size_t r)
+{
+    const uint32_t *X = &B[(2 * r - 1) * 16];
+    return (uint64_t)X[0] | ((uint64_t)X[13] << 32);
+}
+
+/*
+ * pwxform: password-dependent computation for yescrypt.
+ * This makes time-memory tradeoff attacks more expensive.
+ *
+ * PWXgather/PWXround/PWXloop simplified for the default parameters.
+ */
+
+/* PWXform parameters for YESCRYPT_DEFAULTS */
+#define PWXSIMPLE  2
+#define PWXGATHER  4
+#define PWXROUNDS  6
+#define PWXBYTES   (PWXGATHER * PWXSIMPLE * 8)
+#define PWXWORDS   (PWXBYTES / sizeof(uint32_t))
+
+/* S-box size: 2 * PWXGATHER * PWXSIMPLE * 8 * (PWXROUNDS + 2) */
+#define SWORDS     (2 * PWXGATHER * PWXSIMPLE * (PWXROUNDS + 2))
+
+static void pwxform(uint32_t *B, const uint32_t *S)
+{
+    int i, j;
+    uint32_t (*X)[PWXSIMPLE * 2] = (void *)B;
+    const uint32_t *S0 = S;
+    const uint32_t *S1 = S + SWORDS / 2;
+
+    for (i = 0; i < PWXROUNDS; i++) {
+        for (j = 0; j < PWXGATHER; j++) {
+            uint32_t xl = X[j][0];
+            uint32_t xh = X[j][1];
+
+            /* Lookup in S-boxes */
+            const uint32_t *p0 = S0 + (xl & ((SWORDS / 4 - 1) & ~1));
+            const uint32_t *p1 = S1 + (xh & ((SWORDS / 4 - 1) & ~1));
+
+            /* Multiply and add */
+            uint64_t x = (uint64_t)xh * xl;
+            X[j][0] = (uint32_t)x + p0[0];
+            X[j][1] = (uint32_t)(x >> 32) + p1[1];
+
+            if (PWXSIMPLE > 1) {
+                xl = X[j][2];
+                xh = X[j][3];
+                p0 = S0 + (xl & ((SWORDS / 4 - 1) & ~1));
+                p1 = S1 + (xh & ((SWORDS / 4 - 1) & ~1));
+                x = (uint64_t)xh * xl;
+                X[j][2] = (uint32_t)x + p0[0];
+                X[j][3] = (uint32_t)(x >> 32) + p1[1];
+            }
+        }
+    }
+}
+
+/* BlockMix using pwxform (yescrypt-specific) */
+static void blockmix_pwxform(const uint32_t *Bin, uint32_t *Bout,
+    uint32_t *S, size_t r)
+{
+    size_t r1 = 128 * r / PWXBYTES;
+    size_t i, k;
+    uint32_t X[PWXWORDS];
+
+    /* X = B[r1 - 1] */
+    memcpy(X, &Bin[(r1 - 1) * PWXWORDS], PWXBYTES);
+
+    for (i = 0; i < r1; i++) {
+        /* X = X xor B[i] */
+        for (k = 0; k < PWXWORDS; k++)
+            X[k] ^= Bin[i * PWXWORDS + k];
+
+        pwxform(X, S);
+
+        memcpy(&Bout[i * PWXWORDS], X, PWXBYTES);
+    }
+
+    /* Final Salsa20/8 on last block */
+    i = (r1 - 1) * PWXWORDS;
+    salsa20_8(&Bout[i > 15 ? i : 0]);
+}
+
+/*
+ * SMix - the core sequential memory-hard function.
+ *
+ * For YESCRYPT_WORM (classic scrypt):
+ *   1. Expand: V[i] = BlockMix(V[i-1]) for i = 0..N-1
+ *   2. Mix:    for i = 0..N-1: j = Integerify(X) % N; X = BlockMix(X xor V[j])
+ *
+ * For YESCRYPT_RW (yescrypt):
+ *   Uses pwxform-based BlockMix and updates V entries during mixing.
+ */
+static void smix(uint8_t *B, size_t r, uint64_t N, uint32_t t,
+    yescrypt_flags_t flags,
+    uint32_t *V, uint32_t *XY, uint32_t *S,
+    const yescrypt_shared_t *shared)
+{
+    (void)shared;
+    size_t s = 32 * r;
+    uint32_t *X = XY;
+    uint32_t *Y = &XY[s];
+    uint32_t *Z = &XY[2 * s];
+    uint64_t i, j;
+    size_t k;
+    int use_pwxform = (flags & YESCRYPT_RW) || (flags >= YESCRYPT_DEFAULTS);
+
+    /* Convert B from bytes to uint32 (little-endian) */
+    for (k = 0; k < s; k++)
+        X[k] = le32dec(&B[k * 4]);
+
+    /* Step 1: Expand - fill V */
+    if (use_pwxform && S) {
+        /* Initialize S-boxes from X */
+        uint32_t *src = X;
+        uint32_t *Sp = S;
+        for (k = 0; k < SWORDS; k += PWXWORDS) {
+            size_t m;
+            for (m = 0; m < PWXWORDS && m < s; m++)
+                Sp[k + m] = src[m % s];
+            /* Simple mixing */
+            if (k + PWXWORDS <= SWORDS)
+                salsa20_8(&Sp[k > 0 ? k : 0]);
+        }
+    }
+
+    for (i = 0; i < N; i++) {
+        /* V[i] = X */
+        memcpy(&V[i * s], X, s * sizeof(uint32_t));
+
+        if (use_pwxform && S)
+            blockmix_pwxform(X, Y, S, r);
+        else
+            blockmix_salsa8(X, Y, Z, r);
+
+        /* Swap X and Y */
+        uint32_t *tmp = X; X = Y; Y = tmp;
+    }
+
+    /* Step 2: Mix */
+    uint64_t Nloop = N; /* default iterations */
+    if (t > 0) {
+        /* Extra time cost: more iterations */
+        Nloop = N * (t + 1);
+    }
+
+    for (i = 0; i < Nloop; i++) {
+        j = integerify(X, r) & (N - 1);
+
+        /* X = X xor V[j] */
+        for (k = 0; k < s; k++)
+            X[k] ^= V[j * s + k];
+
+        /* If RW mode, update V[j] */
+        if (use_pwxform) {
+            memcpy(&V[j * s], X, s * sizeof(uint32_t));
+        }
+
+        if (use_pwxform && S)
+            blockmix_pwxform(X, Y, S, r);
+        else
+            blockmix_salsa8(X, Y, Z, r);
+
+        uint32_t *tmp = X; X = Y; Y = tmp;
+    }
+
+    /* Convert X back to bytes */
+    for (k = 0; k < s; k++)
+        le32enc(&B[k * 4], X[k]);
+}
+
+/*
+ * yescrypt KDF - the main entry point.
+ */
+int yescrypt_kdf(
+    const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    const yescrypt_params_t *params,
+    uint8_t *buf, size_t buflen)
+{
+    yescrypt_flags_t flags = params->flags;
+    uint64_t N = params->N;
+    uint32_t r = params->r;
+    uint32_t p = params->p;
+    uint32_t t = params->t;
+    size_t B_size, V_size, XY_size, S_size, need;
+    uint8_t *B;
+    uint32_t *V, *XY, *S;
+    uint32_t i;
+
+    /* Validate parameters */
+    if (N < 2 || (N & (N - 1)) != 0) /* N must be power of 2, >= 2 */
+        return -1;
+    if (r < 1 || p < 1)
+        return -1;
+    if (buflen < 1)
+        return -1;
+
+    /* Calculate memory requirements with overflow checks */
+    B_size = (size_t)128 * r * p;
+    V_size = (size_t)128 * r * N;
+    XY_size = (size_t)256 * r + 64;
+    S_size = SWORDS * sizeof(uint32_t);
+
+    /* Guard against size_t overflow (critical on 32-bit platforms) */
+    if (r != 0 && V_size / r / 128 != N)
+        return -1;
+    if (V_size > SIZE_MAX - B_size - XY_size - S_size)
+        return -1;
+
+    need = B_size + V_size + XY_size + S_size;
+
+    /* Allocate working memory */
+    if (yescrypt_ensure_local(local, need))
+        return -1;
+
+    B = (uint8_t *)local->aligned;
+    V = (uint32_t *)(B + B_size);
+    XY = (uint32_t *)((uint8_t *)V + V_size);
+    S = (uint32_t *)((uint8_t *)XY + XY_size);
+
+    /* Step 1: PBKDF2-HMAC-SHA256 to generate initial B */
+    PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
+
+    /* Step 2: Apply SMix to each block */
+    for (i = 0; i < p; i++) {
+        smix(&B[(size_t)128 * i * r], r, N, t, flags, V, XY, S, shared);
+    }
+
+    /* Step 3: PBKDF2-HMAC-SHA256 to generate output */
+    PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
+
+    /* Clean up */
+    insecure_memzero(B, B_size);
+
+    return 0;
+}

data/ext/yescrypt/yescrypt.h

@@ -0,0 +1,124 @@
+/*
+ * yescrypt API header.
+ *
+ * Copyright (c) 2013-2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.
+ */
+
+#ifndef YESCRYPT_H
+#define YESCRYPT_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* yescrypt flavor flags */
+typedef enum {
+    /* Classic scrypt */
+    YESCRYPT_WORM = 0,
+    /* yescrypt with read-write access (stronger) */
+    YESCRYPT_RW = 1,
+    /* Recommended defaults (includes YESCRYPT_RW) */
+    YESCRYPT_DEFAULTS = 2,
+    /* Flags for backwards compatibility modes */
+    YESCRYPT_ROUNDS_3 = 0x000,
+    YESCRYPT_ROUNDS_6 = 0x004,
+    YESCRYPT_GATHER_1 = 0x000,
+    YESCRYPT_GATHER_2 = 0x008,
+    YESCRYPT_GATHER_4 = 0x010,
+    YESCRYPT_GATHER_8 = 0x018,
+    YESCRYPT_SIMPLE_1 = 0x000,
+    YESCRYPT_SIMPLE_2 = 0x020,
+    YESCRYPT_SIMPLE_4 = 0x040,
+    YESCRYPT_SIMPLE_8 = 0x060
+} yescrypt_flags_t;
+
+/* Parameter structure */
+typedef struct {
+    yescrypt_flags_t flags;
+    uint64_t N;     /* block count (must be a power of 2) */
+    uint32_t r;     /* block size parameter */
+    uint32_t p;     /* parallelism parameter */
+    uint32_t t;     /* time parameter (extra rounds) */
+    uint32_t g;     /* ROM generation count */
+} yescrypt_params_t;
+
+/* Thread-local working memory */
+typedef struct {
+    void *base;
+    size_t aligned_size;
+    void *aligned;
+} yescrypt_region_t;
+
+typedef yescrypt_region_t yescrypt_local_t;
+
+/* Shared ROM (optional) */
+typedef struct {
+    yescrypt_region_t region;
+    uint64_t mask1;
+    uint64_t N;
+    int dummy;
+} yescrypt_shared_t;
+
+/* Hash output buffer size */
+#define YESCRYPT_HASH_SIZE 32
+
+/* Maximum encoded hash length */
+#define YESCRYPT_MAX_ENCODED 512
+
+/* Initialize thread-local storage */
+int yescrypt_init_local(yescrypt_local_t *local);
+
+/* Free thread-local storage */
+int yescrypt_free_local(yescrypt_local_t *local);
+
+/* Initialize shared memory (no ROM) */
+int yescrypt_init_shared(yescrypt_shared_t *shared);
+
+/* Free shared memory */
+int yescrypt_free_shared(yescrypt_shared_t *shared);
+
+/* The main KDF function */
+int yescrypt_kdf(
+    const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    const yescrypt_params_t *params,
+    uint8_t *buf, size_t buflen);
+
+/* Crypt-style interface: generate a setting string */
+uint8_t *yescrypt_gensalt(
+    uint32_t N_log2, uint32_t r, uint32_t p, uint32_t t,
+    yescrypt_flags_t flags,
+    const uint8_t *src, size_t srclen,
+    uint8_t *buf, size_t buflen);
+
+/* Decode params from a setting string (no salt output) */
+const uint8_t *yescrypt_decode_params_ext(
+    const uint8_t *setting,
+    uint32_t *N_log2, uint32_t *r, uint32_t *p, uint32_t *t,
+    yescrypt_flags_t *flags);
+
+/* Crypt-style interface: hash a password */
+uint8_t *yescrypt_r(
+    const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *setting,
+    uint8_t *buf, size_t buflen);
+
+#endif /* YESCRYPT_H */