You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

278 lines
9.5 KiB

9 years ago
/*-
* Copyright 2009 Colin Percival, 2011 ArtForz, 2011 pooler, 2013 Balthazar
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This file was originally written by Colin Percival as part of the Tarsnap
* online backup system.
*/
#include "../includes/curve25519.h"
#define SCRYPT_BUFFER_SIZE (131072 + 63)
/*
static inline uint32_t be32dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
}
static inline void be32enc(void *pp,uint32_t x)
{
uint8_t *p = (uint8_t *)pp;
p[3] = x & 0xff;
p[2] = (x >> 8) & 0xff;
p[1] = (x >> 16) & 0xff;
p[0] = (x >> 24) & 0xff;
}
void HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx,const void * _K,size_t Klen)
{
size_t i; uint8_t pad[64],khash[32]; const uint8_t * K = (const uint8_t *)_K;
// If Klen > 64, the key is really SHA256(K).
if ( Klen > 64 )
{
SHA256_Init(&ctx->ictx);
SHA256_Update(&ctx->ictx, K, Klen);
SHA256_Final(khash, &ctx->ictx);
K = khash;
Klen = 32;
}
// Inner SHA256 operation is SHA256(K xor [block of 0x36] || data).
SHA256_Init(&ctx->ictx);
memset(pad, 0x36, 64);
for (i = 0; i < Klen; i++)
pad[i] ^= K[i];
SHA256_Update(&ctx->ictx, pad, 64);
// Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash).
SHA256_Init(&ctx->octx);
memset(pad, 0x5c, 64);
for (i = 0; i < Klen; i++)
pad[i] ^= K[i];
SHA256_Update(&ctx->octx, pad, 64);
// Clean the stack.
memset(khash,0,32);
}
// Add bytes to the HMAC-SHA256 operation.
void HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx,const void *in,size_t len)
{
SHA256_Update(&ctx->ictx,in,len);
}
// Finish an HMAC-SHA256 operation.
void HMAC_SHA256_Final(uint8_t digest[32],HMAC_SHA256_CTX *ctx)
{
uint8_t ihash[32];
SHA256_Final(ihash,&ctx->ictx);
SHA256_Update(&ctx->octx,ihash,32);
SHA256_Final(digest,&ctx->octx);
memset(ihash,0,32);
}
// PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and write the output to buf. The value dkLen must be at most 32 * (2^32 - 1)
void PBKDF2_SHA256(const uint8_t *passwd,size_t passwdlen,const uint8_t *salt,size_t saltlen,uint64_t c,uint8_t *buf,size_t dkLen)
{
HMAC_SHA256_CTX PShctx, hctx;
size_t i,clen; uint8_t ivec[4],U[32],T[32]; uint64_t j; int32_t k;
// Compute HMAC state after processing P and S.
HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
HMAC_SHA256_Update(&PShctx, salt, saltlen);
// Iterate through the blocks.
for (i=0; i*32<dkLen; i++)
{
// Generate INT(i + 1).
be32enc(ivec,(uint32_t)(i + 1));
// Compute U_1 = PRF(P, S || INT(i)).
memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
HMAC_SHA256_Update(&hctx, ivec, 4);
HMAC_SHA256_Final(U, &hctx);
// T_i = U_1 ...
memcpy(T,U,32);
for (j=2; j<=c; j++)
{
// Compute U_j.
HMAC_SHA256_Init(&hctx, passwd, passwdlen);
HMAC_SHA256_Update(&hctx, U, 32);
HMAC_SHA256_Final(U, &hctx);
// ... xor U_j ...
for (k=0; k<32; k++)
T[k] ^= U[k];
}
// Copy as many bytes as necessary into buf
clen = dkLen - i * 32;
if (clen > 32)
clen = 32;
memcpy(&buf[i * 32],T,clen);
}
}*/
// Generic scrypt_core implementation
static inline void xor_salsa8(uint32_t B[16], const uint32_t Bx[16])
{
int32_t i; uint32_t x00,x01,x02,x03,x04,x05,x06,x07,x08,x09,x10,x11,x12,x13,x14,x15;
x00 = (B[0] ^= Bx[0]);
x01 = (B[1] ^= Bx[1]);
x02 = (B[2] ^= Bx[2]);
x03 = (B[3] ^= Bx[3]);
x04 = (B[4] ^= Bx[4]);
x05 = (B[5] ^= Bx[5]);
x06 = (B[6] ^= Bx[6]);
x07 = (B[7] ^= Bx[7]);
x08 = (B[8] ^= Bx[8]);
x09 = (B[9] ^= Bx[9]);
x10 = (B[10] ^= Bx[10]);
x11 = (B[11] ^= Bx[11]);
x12 = (B[12] ^= Bx[12]);
x13 = (B[13] ^= Bx[13]);
x14 = (B[14] ^= Bx[14]);
x15 = (B[15] ^= Bx[15]);
for (i = 0; i < 8; i += 2) {
#define R(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
/* Operate on columns. */
x04 ^= R(x00+x12, 7); x09 ^= R(x05+x01, 7);
x14 ^= R(x10+x06, 7); x03 ^= R(x15+x11, 7);
x08 ^= R(x04+x00, 9); x13 ^= R(x09+x05, 9);
x02 ^= R(x14+x10, 9); x07 ^= R(x03+x15, 9);
x12 ^= R(x08+x04,13); x01 ^= R(x13+x09,13);
x06 ^= R(x02+x14,13); x11 ^= R(x07+x03,13);
x00 ^= R(x12+x08,18); x05 ^= R(x01+x13,18);
x10 ^= R(x06+x02,18); x15 ^= R(x11+x07,18);
/* Operate on rows. */
x01 ^= R(x00+x03, 7); x06 ^= R(x05+x04, 7);
x11 ^= R(x10+x09, 7); x12 ^= R(x15+x14, 7);
x02 ^= R(x01+x00, 9); x07 ^= R(x06+x05, 9);
x08 ^= R(x11+x10, 9); x13 ^= R(x12+x15, 9);
x03 ^= R(x02+x01,13); x04 ^= R(x07+x06,13);
x09 ^= R(x08+x11,13); x14 ^= R(x13+x12,13);
x00 ^= R(x03+x02,18); x05 ^= R(x04+x07,18);
x10 ^= R(x09+x08,18); x15 ^= R(x14+x13,18);
#undef R
}
B[0] += x00;
B[1] += x01;
B[2] += x02;
B[3] += x03;
B[4] += x04;
B[5] += x05;
B[6] += x06;
B[7] += x07;
B[8] += x08;
B[9] += x09;
B[10] += x10;
B[11] += x11;
B[12] += x12;
B[13] += x13;
B[14] += x14;
B[15] += x15;
}
static inline void scrypt_core(uint32_t *X,uint32_t *V)
{
uint32_t i,j,k;
for (i=0; i<1024; i++)
{
memcpy(&V[i * 32],X,128);
xor_salsa8(&X[0],&X[16]);
xor_salsa8(&X[16],&X[0]);
}
for (i=0; i<1024; i++)
{
j = 32 * (X[16] & 1023);
for (k = 0; k < 32; k++)
X[k] ^= V[j + k];
xor_salsa8(&X[0],&X[16]);
xor_salsa8(&X[16],&X[0]);
}
}
/* cpu and memory intensive function to transform a 80 byte buffer into a 32 byte output
scratchpad size needs to be at least 63 + (128 * r * p) + (256 * r + 64) + (128 * r * N) bytes
r = 1, p = 1, N = 1024
*/
bits256 scrypt_nosalt(const void *input,size_t inputlen,void *scratchpad)
{
uint32_t *V; uint32_t X[32]; bits256 result;
memset(result.bytes,0,sizeof(result));
V = (uint32_t *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
calc_hmac_sha256((void *)X,128,(void *)input,(int32_t)inputlen,(void *)input,(int32_t)inputlen);
//PBKDF2_SHA256((const uint8_t *)input,inputlen,(const uint8_t *)input,inputlen,1,(uint8_t *)X,128);
scrypt_core(X,V);
calc_hmac_sha256((void *)result.bytes,sizeof(result),(void *)input,(int32_t)inputlen,(void *)X,128);
//PBKDF2_SHA256((const uint8_t *)input,inputlen,(uint8_t *)X,128,1,(uint8_t*)&result,32);
return result;
}
bits256 scrypt(const void *data,size_t datalen,const void *salt,size_t saltlen,void *scratchpad)
{
uint32_t *V; uint32_t X[32]; bits256 result;
memset(result.bytes,0,sizeof(result));
V = (uint32_t *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
calc_hmac_sha256((void *)X,128,(void *)data,(int32_t)datalen,(void *)salt,(int32_t)saltlen);
//PBKDF2_SHA256((const uint8_t *)data,datalen,(const uint8_t *)salt,saltlen,1,(uint8_t *)X,128);
scrypt_core(X,V);
calc_hmac_sha256((void *)result.bytes,sizeof(result),(void *)data,(int32_t)datalen,(void *)X,128);
//PBKDF2_SHA256((const uint8_t *)data,datalen,(uint8_t *)X,128,1,(uint8_t *)&result,32);
return result;
}
bits256 scrypt_hash(const void *input,size_t inputlen)
{
uint8_t scratchpad[SCRYPT_BUFFER_SIZE];
return scrypt_nosalt(input,inputlen,scratchpad);
}
bits256 scrypt_salted_hash(const void *input,size_t inputlen,const void *salt,size_t saltlen)
{
uint8_t scratchpad[SCRYPT_BUFFER_SIZE];
return scrypt(input,inputlen,salt,saltlen,scratchpad);
}
bits256 scrypt_salted_multiround_hash(const void *input,size_t inputlen,const void *salt,size_t saltlen,const uint32_t nRounds)
{
uint32_t i; bits256 resultHash = scrypt_salted_hash(input,inputlen,salt,saltlen);
bits256 transitionalHash = resultHash;
for(i=1; i<nRounds; i++)
{
resultHash = scrypt_salted_hash(input,inputlen,(const void *)&transitionalHash,32);
transitionalHash = resultHash;
}
return resultHash;
}
bits256 scrypt_blockhash(const void *input)
{
uint8_t scratchpad[SCRYPT_BUFFER_SIZE];
return scrypt_nosalt(input,80,scratchpad);
}