PRCYCoin  2.0.0.7rc1
P2P Digital Currency
scrypt.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * This file was originally written by Colin Percival as part of the Tarsnap
27  * online backup system.
28  */
29 
30 #include "crypto/scrypt.h"
31 #include "uint256.h"
32 #include "utilstrencodings.h"
33 #include <openssl/sha.h>
34 #include <string>
35 
36 #include <string.h>
37 #include <stdint.h>
38 
39 #ifndef __FreeBSD__
40 static inline void be32enc(void *pp, uint32_t x)
41 {
42  uint8_t *p = (uint8_t *)pp;
43  p[3] = x & 0xff;
44  p[2] = (x >> 8) & 0xff;
45  p[1] = (x >> 16) & 0xff;
46  p[0] = (x >> 24) & 0xff;
47 }
48 #endif
49 
50 typedef struct HMAC_SHA256Context {
51  SHA256_CTX ictx;
52  SHA256_CTX octx;
53 } HMAC_SHA256_CTX;
54 
55 /* Initialize an HMAC-SHA256 operation with the given key. */
56 static void
57 HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
58 {
59  unsigned char pad[64];
60  unsigned char khash[32];
61  const unsigned char *K = (const unsigned char *)_K;
62  size_t i;
63 
64  /* If Klen > 64, the key is really SHA256(K). */
65  if (Klen > 64) {
66  SHA256_Init(&ctx->ictx);
67  SHA256_Update(&ctx->ictx, K, Klen);
68  SHA256_Final(khash, &ctx->ictx);
69  K = khash;
70  Klen = 32;
71  }
72 
73  /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
74  SHA256_Init(&ctx->ictx);
75  memset(pad, 0x36, 64);
76  for (i = 0; i < Klen; i++)
77  pad[i] ^= K[i];
78  SHA256_Update(&ctx->ictx, pad, 64);
79 
80  /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
81  SHA256_Init(&ctx->octx);
82  memset(pad, 0x5c, 64);
83  for (i = 0; i < Klen; i++)
84  pad[i] ^= K[i];
85  SHA256_Update(&ctx->octx, pad, 64);
86 
87  /* Clean the stack. */
88  memset(khash, 0, 32);
89 }
90 
91 /* Add bytes to the HMAC-SHA256 operation. */
92 static void
93 HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
94 {
95  /* Feed data to the inner SHA256 operation. */
96  SHA256_Update(&ctx->ictx, in, len);
97 }
98 
99 /* Finish an HMAC-SHA256 operation. */
100 static void
101 HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
102 {
103  unsigned char ihash[32];
104 
105  /* Finish the inner SHA256 operation. */
106  SHA256_Final(ihash, &ctx->ictx);
107 
108  /* Feed the inner hash to the outer SHA256 operation. */
109  SHA256_Update(&ctx->octx, ihash, 32);
110 
111  /* Finish the outer SHA256 operation. */
112  SHA256_Final(digest, &ctx->octx);
113 
114  /* Clean the stack. */
115  memset(ihash, 0, 32);
116 }
117 
123 void
124 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
125  size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
126 {
127  HMAC_SHA256_CTX PShctx, hctx;
128  size_t i;
129  uint8_t ivec[4];
130  uint8_t U[32];
131  uint8_t T[32];
132  uint64_t j;
133  int k;
134  size_t clen;
135 
136  /* Compute HMAC state after processing P and S. */
137  HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
138  HMAC_SHA256_Update(&PShctx, salt, saltlen);
139 
140  /* Iterate through the blocks. */
141  for (i = 0; i * 32 < dkLen; i++) {
142  /* Generate INT(i + 1). */
143  be32enc(ivec, (uint32_t)(i + 1));
144 
145  /* Compute U_1 = PRF(P, S || INT(i)). */
146  memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
147  HMAC_SHA256_Update(&hctx, ivec, 4);
148  HMAC_SHA256_Final(U, &hctx);
149 
150  /* T_i = U_1 ... */
151  memcpy(T, U, 32);
152 
153  for (j = 2; j <= c; j++) {
154  /* Compute U_j. */
155  HMAC_SHA256_Init(&hctx, passwd, passwdlen);
156  HMAC_SHA256_Update(&hctx, U, 32);
157  HMAC_SHA256_Final(U, &hctx);
158 
159  /* ... xor U_j ... */
160  for (k = 0; k < 32; k++)
161  T[k] ^= U[k];
162  }
163 
164  /* Copy as many bytes as necessary into buf. */
165  clen = dkLen - i * 32;
166  if (clen > 32)
167  clen = 32;
168  memcpy(&buf[i * 32], T, clen);
169  }
170 
171  /* Clean PShctx, since we never called _Final on it. */
172  memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
173 }
174 
175 static inline uint32_t
176 le32dec_2(const void * pp)
177 {
178  const uint8_t * p = (uint8_t const *)pp;
179 
180  return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
181  ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
182 }
183 
184 static inline void
185 le32enc_2(void * pp, uint32_t x)
186 {
187  uint8_t * p = (uint8_t *)pp;
188 
189  p[0] = x & 0xff;
190  p[1] = (x >> 8) & 0xff;
191  p[2] = (x >> 16) & 0xff;
192  p[3] = (x >> 24) & 0xff;
193 }
194 
195 static void
196 blkcpy(void * dest, const void * src, size_t len)
197 {
198  size_t * D = (size_t*)dest;
199  const size_t * S = (size_t*)src;
200  size_t L = len / sizeof(size_t);
201  size_t i;
202 
203  for (i = 0; i < L; i++)
204  D[i] = S[i];
205 }
206 
207 static void
208 blkxor(void * dest, const void * src, size_t len)
209 {
210  size_t * D = (size_t*)dest;
211  const size_t* S = (size_t*)src;
212  size_t L = len / sizeof(size_t);
213  size_t i;
214 
215  for (i = 0; i < L; i++)
216  D[i] ^= S[i];
217 }
218 
223 static void
224 salsa20_8(uint32_t B[16])
225 {
226  uint32_t x[16];
227  size_t i;
228 
229  blkcpy(x, B, 64);
230  for (i = 0; i < 8; i += 2) {
231 #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
232  /* Operate on columns. */
233  x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
234  x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
235 
236  x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
237  x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
238 
239  x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
240  x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
241 
242  x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
243  x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
244 
245  /* Operate on rows. */
246  x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
247  x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
248 
249  x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
250  x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
251 
252  x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
253  x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
254 
255  x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
256  x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
257 #undef R
258  }
259  for (i = 0; i < 16; i++)
260  B[i] += x[i];
261 }
262 
269 static void
270 blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
271 {
272  size_t i;
273 
274  /* 1: X <-- B_{2r - 1} */
275  blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
276 
277  /* 2: for i = 0 to 2r - 1 do */
278  for (i = 0; i < 2 * r; i += 2) {
279  /* 3: X <-- H(X \xor B_i) */
280  blkxor(X, &Bin[i * 16], 64);
281  salsa20_8(X);
282 
283  /* 4: Y_i <-- X */
284  /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
285  blkcpy(&Bout[i * 8], X, 64);
286 
287  /* 3: X <-- H(X \xor B_i) */
288  blkxor(X, &Bin[i * 16 + 16], 64);
289  salsa20_8(X);
290 
291  /* 4: Y_i <-- X */
292  /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
293  blkcpy(&Bout[i * 8 + r * 16], X, 64);
294  }
295 }
296 
301 static uint64_t
302 integerify(const void * B, size_t r)
303 {
304  const uint32_t * X = (const uint32_t*)((uintptr_t)(B) + (2 * r - 1) * 64);
305 
306  return (((uint64_t)(X[1]) << 32) + X[0]);
307 }
308 
309 void SMix(uint8_t *B, unsigned int r, unsigned int N, void* _V, void* XY)
310 {
311  //new
312  uint32_t* X = (uint32_t*)XY;
313  uint32_t* Y = (uint32_t*)((uint8_t*)(XY) + 128 * r);
314  uint32_t* Z = (uint32_t*)((uint8_t *)(XY) + 256 * r);
315  uint32_t * V = (uint32_t*)_V;
316 
317  uint32_t j, k;
318 
319  /* 1: X <-- B */
320  for (k = 0; k < 32 * r; k++)
321  X[k] = le32dec_2(&B[4 * k]);
322 
323  /* 2: for i = 0 to N - 1 do */
324  for (unsigned int i = 0; i < N; i += 2)
325  {
326  /* 3: V_i <-- X */
327  blkcpy(&V[i * (32 * r)], X, 128 * r);
328 
329  /* 4: X <-- H(X) */
330  blockmix_salsa8(X, Y, Z, r);
331 
332  /* 3: V_i <-- X */
333  blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
334 
335  /* 4: X <-- H(X) */
336  blockmix_salsa8(Y, X, Z, r);
337  }
338 
339  /* 6: for i = 0 to N - 1 do */
340  for (unsigned int i = 0; i < N; i += 2)
341  {
342  /* 7: j <-- Integerify(X) mod N */
343  j = integerify(X, r) & (N - 1);
344 
345  /* 8: X <-- H(X \xor V_j) */
346  blkxor(X, &V[j * (32 * r)], 128 * r);
347  blockmix_salsa8(X, Y, Z, r);
348 
349  /* 7: j <-- Integerify(X) mod N */
350  j = integerify(Y, r) & (N - 1);
351 
352  /* 8: X <-- H(X \xor V_j) */
353  blkxor(Y, &V[j * (32 * r)], 128 * r);
354  blockmix_salsa8(Y, X, Z, r);
355  }
356 
357  /* 10: B' <-- X */
358  for (k = 0; k < 32 * r; k++)
359  le32enc_2(&B[4 * k], X[k]);
360 }
361 
362 void scrypt(const char* pass, unsigned int pLen, const char* salt, unsigned int sLen, char *output, unsigned int N, unsigned int r, unsigned int p, unsigned int dkLen)
363 {
364  //containers
365  void* V0 = malloc(128 * r * N + 63);
366  void* XY0 = malloc(256 * r + 64 + 63);
367  void* B1 = malloc(128 * r * p + 63);
368  uint8_t* B = (uint8_t *)(((uintptr_t)(B1) + 63) & ~ (uintptr_t)(63));
369  uint32_t* V = (uint32_t *)(((uintptr_t)(V0) + 63) & ~ (uintptr_t)(63));
370  uint32_t* XY = (uint32_t *)(((uintptr_t)(XY0) + 63) & ~ (uintptr_t)(63));
371 
372  PBKDF2_SHA256((const uint8_t *)pass, pLen, (const uint8_t *)salt, sLen, 1, B, p * 128 * r);
373 
374  for(unsigned int i = 0; i < p; i++)
375  {
376  SMix(&B[i * 128 * r], r, N, V, XY);
377  }
378 
379  PBKDF2_SHA256((const uint8_t *)pass, pLen, B, p * 128 * r, 1, (uint8_t *)output, dkLen);
380 
381  free(V0);
382  free(XY0);
383  free(B1);
384 }
PBKDF2_SHA256
void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt, size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): Compute PBKDF2(passwd,...
Definition: scrypt.cpp:124
scrypt
void scrypt(const char *pass, unsigned int pLen, const char *salt, unsigned int sLen, char *output, unsigned int N, unsigned int r, unsigned int p, unsigned int dkLen)
Definition: scrypt.cpp:362
uint256.h
scrypt.h
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:15
HMAC_SHA256Context::octx
SHA256_CTX octx
Definition: scrypt.cpp:52
r
void const uint64_t uint64_t * r
Definition: field_5x52_asm_impl.h:10
HMAC_SHA256_CTX
struct HMAC_SHA256Context HMAC_SHA256_CTX
HMAC_SHA256Context
Definition: scrypt.cpp:50
R
#define R(a, b)
X
#define X(name)
Definition: net.cpp:639
L
#define L(x0, x1, x2, x3, x4, x5, x6, x7)
Definition: jh.c:501
utilstrencodings.h
SMix
void SMix(uint8_t *B, unsigned int r, unsigned int N, void *_V, void *XY)
Definition: scrypt.cpp:309
HMAC_SHA256Context::ictx
SHA256_CTX ictx
Definition: scrypt.cpp:51
S
#define S(x0, x1, x2, x3, cb, r)
Definition: jh.c:494
Generated on Tue Apr 28 2026 00:02:50 for PRCYCoin by   doxygen 1.8.17