search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
install.sh and uninstall.sh
[rofl0r-kripto.git] / lib / scrypt.c
bloba21659ac0558b6a7d4a176679c3e56f331fcec24
1 /*
2 * Written in 2013 by Gregor Pintar <grpintar@gmail.com>
3 *
4 * To the extent possible under law, the author(s) have dedicated
5 * all copyright and related and neighboring rights to this software
6 * to the public domain worldwide.
7 *
8 * This software is distributed without any warranty.
9 *
10 * You should have received a copy of the CC0 Public Domain Dedication.
11 * If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12 */
13
14 #include <stdint.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <assert.h>
18
19 #include <kripto/memwipe.h>
20 #include <kripto/cast.h>
21 #include <kripto/loadstore.h>
22 #include <kripto/rotate.h>
23 #include <kripto/mac.h>
24 #include <kripto/pbkdf2.h>
25
26 #include <kripto/scrypt.h>
27
28 #define QR(A, B, C, D) \
29 { \
30 B ^= ROL32_07(A + D); \
31 C ^= ROL32_09(B + A); \
32 D ^= ROL32_13(C + B); \
33 A ^= ROL32_18(D + C); \
34 }
35
36 static void salsa20_core(uint32_t *x)
37 {
38 uint32_t x0 = x[0];
39 uint32_t x1 = x[1];
40 uint32_t x2 = x[2];
41 uint32_t x3 = x[3];
42 uint32_t x4 = x[4];
43 uint32_t x5 = x[5];
44 uint32_t x6 = x[6];
45 uint32_t x7 = x[7];
46 uint32_t x8 = x[8];
47 uint32_t x9 = x[9];
48 uint32_t x10 = x[10];
49 uint32_t x11 = x[11];
50 uint32_t x12 = x[12];
51 uint32_t x13 = x[13];
52 uint32_t x14 = x[14];
53 uint32_t x15 = x[15];
54
55 /* columnround 1 */
56 QR(x0, x4, x8, x12);
57 QR(x5, x9, x13, x1);
58 QR(x10, x14, x2, x6);
59 QR(x15, x3, x7, x11);
60
61 /* rowround 2 */
62 QR(x0, x1, x2, x3);
63 QR(x5, x6, x7, x4);
64 QR(x10, x11, x8, x9);
65 QR(x15, x12, x13, x14);
66
67 /* columnround 3 */
68 QR(x0, x4, x8, x12);
69 QR(x5, x9, x13, x1);
70 QR(x10, x14, x2, x6);
71 QR(x15, x3, x7, x11);
72
73 /* rowround 4 */
74 QR(x0, x1, x2, x3);
75 QR(x5, x6, x7, x4);
76 QR(x10, x11, x8, x9);
77 QR(x15, x12, x13, x14);
78
79 /* columnround 5 */
80 QR(x0, x4, x8, x12);
81 QR(x5, x9, x13, x1);
82 QR(x10, x14, x2, x6);
83 QR(x15, x3, x7, x11);
84
85 /* rowround 6 */
86 QR(x0, x1, x2, x3);
87 QR(x5, x6, x7, x4);
88 QR(x10, x11, x8, x9);
89 QR(x15, x12, x13, x14);
90
91 /* columnround 7 */
92 QR(x0, x4, x8, x12);
93 QR(x5, x9, x13, x1);
94 QR(x10, x14, x2, x6);
95 QR(x15, x3, x7, x11);
96
97 /* rowround 8 */
98 QR(x0, x1, x2, x3);
99 QR(x5, x6, x7, x4);
100 QR(x10, x11, x8, x9);
101 QR(x15, x12, x13, x14);
102
103 x[0] += x0;
104 x[1] += x1;
105 x[2] += x2;
106 x[3] += x3;
107 x[4] += x4;
108 x[5] += x5;
109 x[6] += x6;
110 x[7] += x7;
111 x[8] += x8;
112 x[9] += x9;
113 x[10] += x10;
114 x[11] += x11;
115 x[12] += x12;
116 x[13] += x13;
117 x[14] += x14;
118 x[15] += x15;
119 }
120
121 static void blockmix(uint32_t *b, uint32_t *t, const size_t r)
122 {
123 uint32_t x[16];
124 size_t i;
125
126 memcpy(x, b + (r << 5) - 16, 64);
127
128 for(i = 0; i < (r << 5);)
129 {
130 x[0] ^= b[i++];
131 x[1] ^= b[i++];
132 x[2] ^= b[i++];
133 x[3] ^= b[i++];
134 x[4] ^= b[i++];
135 x[5] ^= b[i++];
136 x[6] ^= b[i++];
137 x[7] ^= b[i++];
138 x[8] ^= b[i++];
139 x[9] ^= b[i++];
140 x[10] ^= b[i++];
141 x[11] ^= b[i++];
142 x[12] ^= b[i++];
143 x[13] ^= b[i++];
144 x[14] ^= b[i++];
145 x[15] ^= b[i++];
146
147 salsa20_core(x);
148 memcpy(t + i - 16, x, 64);
149 }
150
151 for(i = 0; i < r; i++)
152 {
153 memcpy(b + (i << 4), t + (i << 5), 64);
154 memcpy(b + ((i + r) << 4), t + (i << 5) + 16, 64);
155 }
156 }
157
158 static void smix
159 (
160 uint8_t *b,
161 const size_t r,
162 uint64_t n,
163 uint32_t *t0,
164 uint32_t *t1,
165 uint32_t *t2
166 )
167 {
168 uint64_t i;
169 uint64_t tn;
170 uint64_t j;
171
172 for(i = 0; i < (r << 5); i++)
173 t1[i] = LOAD32L(b + (i << 2));
174
175 for(i = 0; i < n; i++)
176 {
177 memcpy(t0 + (r << 5) * i, t1, r << 7);
178 blockmix(t1, t2, r);
179 }
180
181 for(i = 0; i < n; i++)
182 {
183 /* integrify */
184 tn = (((uint64_t)t1[(r << 5) - 15] << 32)
185 | t1[(r << 5) - 16])
186 & (n - 1);
187
188 for(j = 0; j < (r << 5); j++)
189 t1[j] ^= t0[(r << 5) * tn + j];
190
191 blockmix(t1, t2, r);
192 }
193
194 for(i = 0; i < (r << 5); i++)
195 STORE32L(t1[i], b + (i << 2));
196 }
197
198 int kripto_scrypt
199 (
200 const kripto_mac_desc *mac,
201 unsigned int mac_rounds,
202 uint64_t n,
203 uint32_t r,
204 uint32_t p,
205 const void *pass,
206 unsigned int pass_len,
207 const void *salt,
208 unsigned int salt_len,
209 void *out,
210 size_t out_len
211 )
212 {
213 uint8_t *b;
214 uint32_t *t0;
215 uint32_t *t1;
216 uint32_t *t2;
217 uint32_t i;
218
219 b = malloc((r << 7) * p + (r << 7) * n + (r << 8));
220 if(!b) return -1;
221
222 t0 = (uint32_t *)(b + (r << 7) * p);
223 t1 = t0 + (r << 5);
224 t2 = t1 + (r << 5);
225
226 if(kripto_pbkdf2
227 (
228 mac,
229 mac_rounds,
230 1,
231 pass,
232 pass_len,
233 salt,
234 salt_len,
235 b,
236 p * (r << 7)
237 )) goto err;
238
239 for(i = 0; i < p; i++)
240 smix(b + (r << 7) * i, r, n, t0, t1, t2);
241
242 if(kripto_pbkdf2
243 (
244 mac,
245 mac_rounds,
246 1,
247 pass,
248 pass_len,
249 b,
250 p * (r << 7),
251 out,
252 out_len
253 )) goto err;
254
255 kripto_memwipe(b, (r << 7) * p + (r << 7) * n + (r << 8));
256 free(b);
257
258 return 0;
259
260 err:
261 kripto_memwipe(b, (r << 7) * p + (r << 7) * n + (r << 8));
262 free(b);
263
264 return -1;
265 }