Feathercoin  0.5.0
P2P Digital Currency
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Friends Macros
scrypt.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * This file was originally written by Colin Percival as part of the Tarsnap
27  * online backup system.
28  */
29 
30 #include "scrypt.h"
31 #include "util.h"
32 #include <stdlib.h>
33 #include <stdint.h>
34 #include <string.h>
35 #include <openssl/sha.h>
36 
37 #if defined(USE_SSE2) && !defined(USE_SSE2_ALWAYS)
38 #ifdef _MSC_VER
39 // MSVC 64bit is unable to use inline asm
40 #include <intrin.h>
41 #else
42 // GCC Linux or i686-w64-mingw32
43 #include <cpuid.h>
44 #endif
45 #endif
46 
47 static inline uint32_t be32dec(const void *pp)
48 {
49  const uint8_t *p = (uint8_t const *)pp;
50  return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
51  ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
52 }
53 
54 static inline void be32enc(void *pp, uint32_t x)
55 {
56  uint8_t *p = (uint8_t *)pp;
57  p[3] = x & 0xff;
58  p[2] = (x >> 8) & 0xff;
59  p[1] = (x >> 16) & 0xff;
60  p[0] = (x >> 24) & 0xff;
61 }
62 
63 typedef struct HMAC_SHA256Context {
64  SHA256_CTX ictx;
65  SHA256_CTX octx;
66 } HMAC_SHA256_CTX;
67 
68 /* Initialize an HMAC-SHA256 operation with the given key. */
69 static void
70 HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
71 {
72  unsigned char pad[64];
73  unsigned char khash[32];
74  const unsigned char *K = (const unsigned char *)_K;
75  size_t i;
76 
77  /* If Klen > 64, the key is really SHA256(K). */
78  if (Klen > 64) {
79  SHA256_Init(&ctx->ictx);
80  SHA256_Update(&ctx->ictx, K, Klen);
81  SHA256_Final(khash, &ctx->ictx);
82  K = khash;
83  Klen = 32;
84  }
85 
86  /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
87  SHA256_Init(&ctx->ictx);
88  memset(pad, 0x36, 64);
89  for (i = 0; i < Klen; i++)
90  pad[i] ^= K[i];
91  SHA256_Update(&ctx->ictx, pad, 64);
92 
93  /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
94  SHA256_Init(&ctx->octx);
95  memset(pad, 0x5c, 64);
96  for (i = 0; i < Klen; i++)
97  pad[i] ^= K[i];
98  SHA256_Update(&ctx->octx, pad, 64);
99 
100  /* Clean the stack. */
101  memset(khash, 0, 32);
102 }
103 
104 /* Add bytes to the HMAC-SHA256 operation. */
105 static void
106 HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
107 {
108  /* Feed data to the inner SHA256 operation. */
109  SHA256_Update(&ctx->ictx, in, len);
110 }
111 
112 /* Finish an HMAC-SHA256 operation. */
113 static void
114 HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
115 {
116  unsigned char ihash[32];
117 
118  /* Finish the inner SHA256 operation. */
119  SHA256_Final(ihash, &ctx->ictx);
120 
121  /* Feed the inner hash to the outer SHA256 operation. */
122  SHA256_Update(&ctx->octx, ihash, 32);
123 
124  /* Finish the outer SHA256 operation. */
125  SHA256_Final(digest, &ctx->octx);
126 
127  /* Clean the stack. */
128  memset(ihash, 0, 32);
129 }
130 
136 void
137 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
138  size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
139 {
140  HMAC_SHA256_CTX PShctx, hctx;
141  size_t i;
142  uint8_t ivec[4];
143  uint8_t U[32];
144  uint8_t T[32];
145  uint64_t j;
146  int k;
147  size_t clen;
148 
149  /* Compute HMAC state after processing P and S. */
150  HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
151  HMAC_SHA256_Update(&PShctx, salt, saltlen);
152 
153  /* Iterate through the blocks. */
154  for (i = 0; i * 32 < dkLen; i++) {
155  /* Generate INT(i + 1). */
156  be32enc(ivec, (uint32_t)(i + 1));
157 
158  /* Compute U_1 = PRF(P, S || INT(i)). */
159  memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
160  HMAC_SHA256_Update(&hctx, ivec, 4);
161  HMAC_SHA256_Final(U, &hctx);
162 
163  /* T_i = U_1 ... */
164  memcpy(T, U, 32);
165 
166  for (j = 2; j <= c; j++) {
167  /* Compute U_j. */
168  HMAC_SHA256_Init(&hctx, passwd, passwdlen);
169  HMAC_SHA256_Update(&hctx, U, 32);
170  HMAC_SHA256_Final(U, &hctx);
171 
172  /* ... xor U_j ... */
173  for (k = 0; k < 32; k++)
174  T[k] ^= U[k];
175  }
176 
177  /* Copy as many bytes as necessary into buf. */
178  clen = dkLen - i * 32;
179  if (clen > 32)
180  clen = 32;
181  memcpy(&buf[i * 32], T, clen);
182  }
183 
184  /* Clean PShctx, since we never called _Final on it. */
185  memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
186 }
187 
188 #define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
189 
190 static inline void xor_salsa8(uint32_t B[16], const uint32_t Bx[16])
191 {
192  uint32_t x00,x01,x02,x03,x04,x05,x06,x07,x08,x09,x10,x11,x12,x13,x14,x15;
193  int i;
194 
195  x00 = (B[ 0] ^= Bx[ 0]);
196  x01 = (B[ 1] ^= Bx[ 1]);
197  x02 = (B[ 2] ^= Bx[ 2]);
198  x03 = (B[ 3] ^= Bx[ 3]);
199  x04 = (B[ 4] ^= Bx[ 4]);
200  x05 = (B[ 5] ^= Bx[ 5]);
201  x06 = (B[ 6] ^= Bx[ 6]);
202  x07 = (B[ 7] ^= Bx[ 7]);
203  x08 = (B[ 8] ^= Bx[ 8]);
204  x09 = (B[ 9] ^= Bx[ 9]);
205  x10 = (B[10] ^= Bx[10]);
206  x11 = (B[11] ^= Bx[11]);
207  x12 = (B[12] ^= Bx[12]);
208  x13 = (B[13] ^= Bx[13]);
209  x14 = (B[14] ^= Bx[14]);
210  x15 = (B[15] ^= Bx[15]);
211  for (i = 0; i < 8; i += 2) {
212  /* Operate on columns. */
213  x04 ^= ROTL(x00 + x12, 7); x09 ^= ROTL(x05 + x01, 7);
214  x14 ^= ROTL(x10 + x06, 7); x03 ^= ROTL(x15 + x11, 7);
215 
216  x08 ^= ROTL(x04 + x00, 9); x13 ^= ROTL(x09 + x05, 9);
217  x02 ^= ROTL(x14 + x10, 9); x07 ^= ROTL(x03 + x15, 9);
218 
219  x12 ^= ROTL(x08 + x04, 13); x01 ^= ROTL(x13 + x09, 13);
220  x06 ^= ROTL(x02 + x14, 13); x11 ^= ROTL(x07 + x03, 13);
221 
222  x00 ^= ROTL(x12 + x08, 18); x05 ^= ROTL(x01 + x13, 18);
223  x10 ^= ROTL(x06 + x02, 18); x15 ^= ROTL(x11 + x07, 18);
224 
225  /* Operate on rows. */
226  x01 ^= ROTL(x00 + x03, 7); x06 ^= ROTL(x05 + x04, 7);
227  x11 ^= ROTL(x10 + x09, 7); x12 ^= ROTL(x15 + x14, 7);
228 
229  x02 ^= ROTL(x01 + x00, 9); x07 ^= ROTL(x06 + x05, 9);
230  x08 ^= ROTL(x11 + x10, 9); x13 ^= ROTL(x12 + x15, 9);
231 
232  x03 ^= ROTL(x02 + x01, 13); x04 ^= ROTL(x07 + x06, 13);
233  x09 ^= ROTL(x08 + x11, 13); x14 ^= ROTL(x13 + x12, 13);
234 
235  x00 ^= ROTL(x03 + x02, 18); x05 ^= ROTL(x04 + x07, 18);
236  x10 ^= ROTL(x09 + x08, 18); x15 ^= ROTL(x14 + x13, 18);
237  }
238  B[ 0] += x00;
239  B[ 1] += x01;
240  B[ 2] += x02;
241  B[ 3] += x03;
242  B[ 4] += x04;
243  B[ 5] += x05;
244  B[ 6] += x06;
245  B[ 7] += x07;
246  B[ 8] += x08;
247  B[ 9] += x09;
248  B[10] += x10;
249  B[11] += x11;
250  B[12] += x12;
251  B[13] += x13;
252  B[14] += x14;
253  B[15] += x15;
254 }
255 
256 void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad)
257 {
258  uint8_t B[128];
259  uint32_t X[32];
260  uint32_t *V;
261  uint32_t i, j, k;
262 
263  V = (uint32_t *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
264 
265  PBKDF2_SHA256((const uint8_t *)input, 80, (const uint8_t *)input, 80, 1, B, 128);
266 
267  for (k = 0; k < 32; k++)
268  X[k] = le32dec(&B[4 * k]);
269 
270  for (i = 0; i < 1024; i++) {
271  memcpy(&V[i * 32], X, 128);
272  xor_salsa8(&X[0], &X[16]);
273  xor_salsa8(&X[16], &X[0]);
274  }
275  for (i = 0; i < 1024; i++) {
276  j = 32 * (X[16] & 1023);
277  for (k = 0; k < 32; k++)
278  X[k] ^= V[j + k];
279  xor_salsa8(&X[0], &X[16]);
280  xor_salsa8(&X[16], &X[0]);
281  }
282 
283  for (k = 0; k < 32; k++)
284  le32enc(&B[4 * k], X[k]);
285 
286  PBKDF2_SHA256((const uint8_t *)input, 80, B, 128, 1, (uint8_t *)output, 32);
287 }
288 
289 #if defined(USE_SSE2)
290 // By default, set to generic scrypt function. This will prevent crash in case when scrypt_detect_sse2() wasn't called
291 void (*scrypt_1024_1_1_256_sp_detected)(const char *input, char *output, char *scratchpad) = &scrypt_1024_1_1_256_sp_generic;
292 
293 void scrypt_detect_sse2()
294 {
295 #if defined(USE_SSE2_ALWAYS)
296  printf("scrypt: using scrypt-sse2 as built.\n");
297 #else // USE_SSE2_ALWAYS
298  // 32bit x86 Linux or Windows, detect cpuid features
299  unsigned int cpuid_edx=0;
300 #if defined(_MSC_VER)
301  // MSVC
302  int x86cpuid[4];
303  __cpuid(x86cpuid, 1);
304  cpuid_edx = (unsigned int)buffer[3];
305 #else // _MSC_VER
306  // Linux or i686-w64-mingw32 (gcc-4.6.3)
307  unsigned int eax, ebx, ecx;
308  __get_cpuid(1, &eax, &ebx, &ecx, &cpuid_edx);
309 #endif // _MSC_VER
310 
311  if (cpuid_edx & 1<<26)
312  {
313  scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_sse2;
314  printf("scrypt: using scrypt-sse2 as detected.\n");
315  }
316  else
317  {
318  scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_generic;
319  printf("scrypt: using scrypt-generic, SSE2 unavailable.\n");
320  }
321 #endif // USE_SSE2_ALWAYS
322 }
323 #endif
324 
325 void scrypt_1024_1_1_256(const char *input, char *output)
326 {
327  char scratchpad[SCRYPT_SCRATCHPAD_SIZE];
328  scrypt_1024_1_1_256_sp(input, output, scratchpad);
329 }
ROTL
#define ROTL(a, b)
Definition: scrypt.cpp:188
HMAC_SHA256Context::ictx
SHA256_CTX ictx
Definition: scrypt.cpp:64
PBKDF2_SHA256
void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt, size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and write the output to buf.
Definition: scrypt.cpp:137
HMAC_SHA256Context
Definition: scrypt.cpp:63
scrypt_1024_1_1_256_sp
#define scrypt_1024_1_1_256_sp(input, output, scratchpad)
Definition: scrypt.h:23
uint8_t
unsigned char uint8_t
Definition: stdint.h:19
HMAC_SHA256Context::octx
SHA256_CTX octx
Definition: scrypt.cpp:65
HMAC_SHA256_CTX
struct HMAC_SHA256Context HMAC_SHA256_CTX
printf
#define printf
Definition: rpcdump.cpp:12
uint32_t
unsigned int uint32_t
Definition: stdint.h:21
scrypt_1024_1_1_256_sp_generic
void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad)
Definition: scrypt.cpp:256
uint64_t
unsigned long long uint64_t
Definition: stdint.h:22
scrypt_1024_1_1_256
void scrypt_1024_1_1_256(const char *input, char *output)
Definition: scrypt.cpp:325
X
#define X(name)
Definition: net.cpp:606
scrypt_1024_1_1_256_sp_sse2
void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad)
Definition: scrypt-sse2.cpp:95
Generated on Thu Sep 11 2014 10:57:08 for Feathercoin by   doxygen 1.8.8