PIVX Core  5.6.99
P2P Digital Currency
scrypt.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * This file was originally written by Colin Percival as part of the Tarsnap
27  * online backup system.
28  */
29 
30 #include "crypto/scrypt.h"
31 
32 #include "crypto/hmac_sha256.h"
33 #include "crypto/sha256.h"
34 #include "uint256.h"
35 #include "utilstrencodings.h"
36 
37 #include <string>
38 
39 #include <string.h>
40 #include <stdint.h>
41 
42 #ifndef __FreeBSD__
43 static inline void be32enc(void *pp, uint32_t x)
44 {
45  uint8_t *p = (uint8_t *)pp;
46  p[3] = x & 0xff;
47  p[2] = (x >> 8) & 0xff;
48  p[1] = (x >> 16) & 0xff;
49  p[0] = (x >> 24) & 0xff;
50 }
51 #endif
52 
53 
59 void
60 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
61  size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
62 {
63  size_t i;
64  uint8_t ivec[4];
65  uint8_t U[32];
66  uint8_t T[32];
67  uint64_t j;
68  int k;
69  size_t clen;
70 
71  /* Compute HMAC state after processing P and S. */
72  CHMAC_SHA256 PShctx = CHMAC_SHA256(passwd, passwdlen).Write(salt, saltlen);
73 
74  /* Iterate through the blocks. */
75  for (i = 0; i * 32 < dkLen; i++) {
76  /* Generate INT(i + 1). */
77  be32enc(ivec, (uint32_t)(i + 1));
78 
79  /* Compute U_1 = PRF(P, S || INT(i)). */
80  CHMAC_SHA256(PShctx).Write(ivec, 4).Finalize(U);
81 
82  /* T_i = U_1 ... */
83  memcpy(T, U, 32);
84 
85  for (j = 2; j <= c; j++) {
86  /* Compute U_j. */
87  CHMAC_SHA256(passwd, passwdlen).Write(U, 32).Finalize(U);
88 
89  /* ... xor U_j ... */
90  for (k = 0; k < 32; k++)
91  T[k] ^= U[k];
92  }
93 
94  /* Copy as many bytes as necessary into buf. */
95  clen = dkLen - i * 32;
96  if (clen > 32)
97  clen = 32;
98  memcpy(&buf[i * 32], T, clen);
99  }
100 
101 }
102 
103 static inline uint32_t
104 le32dec_2(const void * pp)
105 {
106  const uint8_t * p = (uint8_t const *)pp;
107 
108  return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
109  ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
110 }
111 
112 static inline void
113 le32enc_2(void * pp, uint32_t x)
114 {
115  uint8_t * p = (uint8_t *)pp;
116 
117  p[0] = x & 0xff;
118  p[1] = (x >> 8) & 0xff;
119  p[2] = (x >> 16) & 0xff;
120  p[3] = (x >> 24) & 0xff;
121 }
122 
123 static void
124 blkcpy(void * dest, const void * src, size_t len)
125 {
126  size_t * D = (size_t*)dest;
127  const size_t * S = (size_t*)src;
128  size_t L = len / sizeof(size_t);
129  size_t i;
130 
131  for (i = 0; i < L; i++)
132  D[i] = S[i];
133 }
134 
135 static void
136 blkxor(void * dest, const void * src, size_t len)
137 {
138  size_t * D = (size_t*)dest;
139  const size_t* S = (size_t*)src;
140  size_t L = len / sizeof(size_t);
141  size_t i;
142 
143  for (i = 0; i < L; i++)
144  D[i] ^= S[i];
145 }
146 
151 static void
152 salsa20_8(uint32_t B[16])
153 {
154  uint32_t x[16];
155  size_t i;
156 
157  blkcpy(x, B, 64);
158  for (i = 0; i < 8; i += 2) {
159 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
160  /* Operate on columns. */
161  x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
162  x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
163 
164  x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
165  x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
166 
167  x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
168  x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
169 
170  x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
171  x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
172 
173  /* Operate on rows. */
174  x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
175  x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
176 
177  x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
178  x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
179 
180  x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
181  x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
182 
183  x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
184  x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
185 #undef R
186  }
187  for (i = 0; i < 16; i++)
188  B[i] += x[i];
189 }
190 
197 static void
198 blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
199 {
200  size_t i;
201 
202  /* 1: X <-- B_{2r - 1} */
203  blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
204 
205  /* 2: for i = 0 to 2r - 1 do */
206  for (i = 0; i < 2 * r; i += 2) {
207  /* 3: X <-- H(X \xor B_i) */
208  blkxor(X, &Bin[i * 16], 64);
209  salsa20_8(X);
210 
211  /* 4: Y_i <-- X */
212  /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
213  blkcpy(&Bout[i * 8], X, 64);
214 
215  /* 3: X <-- H(X \xor B_i) */
216  blkxor(X, &Bin[i * 16 + 16], 64);
217  salsa20_8(X);
218 
219  /* 4: Y_i <-- X */
220  /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
221  blkcpy(&Bout[i * 8 + r * 16], X, 64);
222  }
223 }
224 
229 static uint64_t
230 integerify(const void * B, size_t r)
231 {
232  const uint32_t * X = (const uint32_t*)((uintptr_t)(B) + (2 * r - 1) * 64);
233 
234  return (((uint64_t)(X[1]) << 32) + X[0]);
235 }
236 
237 void SMix(uint8_t *B, unsigned int r, unsigned int N, void* _V, void* XY)
238 {
239  //new
240  uint32_t* X = (uint32_t*)XY;
241  uint32_t* Y = (uint32_t*)((uint8_t*)(XY) + 128 * r);
242  uint32_t* Z = (uint32_t*)((uint8_t *)(XY) + 256 * r);
243  uint32_t * V = (uint32_t*)_V;
244 
245  uint32_t j, k;
246 
247  /* 1: X <-- B */
248  for (k = 0; k < 32 * r; k++)
249  X[k] = le32dec_2(&B[4 * k]);
250 
251  /* 2: for i = 0 to N - 1 do */
252  for (unsigned int i = 0; i < N; i += 2)
253  {
254  /* 3: V_i <-- X */
255  blkcpy(&V[i * (32 * r)], X, 128 * r);
256 
257  /* 4: X <-- H(X) */
258  blockmix_salsa8(X, Y, Z, r);
259 
260  /* 3: V_i <-- X */
261  blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
262 
263  /* 4: X <-- H(X) */
264  blockmix_salsa8(Y, X, Z, r);
265  }
266 
267  /* 6: for i = 0 to N - 1 do */
268  for (unsigned int i = 0; i < N; i += 2)
269  {
270  /* 7: j <-- Integerify(X) mod N */
271  j = integerify(X, r) & (N - 1);
272 
273  /* 8: X <-- H(X \xor V_j) */
274  blkxor(X, &V[j * (32 * r)], 128 * r);
275  blockmix_salsa8(X, Y, Z, r);
276 
277  /* 7: j <-- Integerify(X) mod N */
278  j = integerify(Y, r) & (N - 1);
279 
280  /* 8: X <-- H(X \xor V_j) */
281  blkxor(Y, &V[j * (32 * r)], 128 * r);
282  blockmix_salsa8(Y, X, Z, r);
283  }
284 
285  /* 10: B' <-- X */
286  for (k = 0; k < 32 * r; k++)
287  le32enc_2(&B[4 * k], X[k]);
288 }
289 
290 void scrypt(const char* pass, unsigned int pLen, const char* salt, unsigned int sLen, char *output, unsigned int N, unsigned int r, unsigned int p, unsigned int dkLen)
291 {
292  //containers
293  void* V0 = malloc(128 * r * N + 63);
294  void* XY0 = malloc(256 * r + 64 + 63);
295  void* B1 = malloc(128 * r * p + 63);
296  uint8_t* B = (uint8_t *)(((uintptr_t)(B1) + 63) & ~ (uintptr_t)(63));
297  uint32_t* V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
298  uint32_t* XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
299 
300  PBKDF2_SHA256((const uint8_t *)pass, pLen, (const uint8_t *)salt, sLen, 1, B, p * 128 * r);
301 
302  for(unsigned int i = 0; i < p; i++)
303  {
304  SMix(&B[i * 128 * r], r, N, V, XY);
305  }
306 
307  PBKDF2_SHA256((const uint8_t *)pass, pLen, B, p * 128 * r, 1, (uint8_t *)output, dkLen);
308 
309  free(V0);
310  free(XY0);
311  free(B1);
312 }
CHMAC_SHA256
A hasher class for HMAC-SHA-256.
Definition: hmac_sha256.h:15
CHMAC_SHA256::Finalize
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: hmac_sha256.cpp:29
CHMAC_SHA256::Write
CHMAC_SHA256 & Write(const unsigned char *data, size_t len)
Definition: hmac_sha256.h:24
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18
T
#define T(expected, seed, data)
hmac_sha256.h
S
#define S(x0, x1, x2, x3, cb, r)
Definition: jh.c:494
L
#define L(x0, x1, x2, x3, x4, x5, x6, x7)
Definition: jh.c:501
X
#define X(name)
Definition: net.cpp:664
scrypt
void scrypt(const char *pass, unsigned int pLen, const char *salt, unsigned int sLen, char *output, unsigned int N, unsigned int r, unsigned int p, unsigned int dkLen)
Definition: scrypt.cpp:290
R
#define R(a, b)
SMix
void SMix(uint8_t *B, unsigned int r, unsigned int N, void *_V, void *XY)
Definition: scrypt.cpp:237
PBKDF2_SHA256
void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt, size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): Compute PBKDF2(passwd,...
Definition: scrypt.cpp:60
B
#define B
Definition: util_tests.cpp:688
Generated on Wed Apr 2 2025 00:40:27 for PIVX Core by doxygen 1.9.1