Anoncoin  0.9.4
P2P Digital Currency
scrypt.cpp
Go to the documentation of this file.
1 /*
2  * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  *
26  * This file was originally written by Colin Percival as part of the Tarsnap
27  * online backup system.
28  */
29 // Copyright (c) 2013-2015 The Anoncoin Core developers
30 
31 #include "scrypt.h"
32 // Anoncoin-config.h has been loaded...
33 
34 #include "util.h"
35 #include <stdlib.h>
36 #include <stdint.h>
37 #include <string.h>
38 #include <openssl/sha.h>
39 
40 #if defined(USE_SSE2) && !defined(USE_SSE2_ALWAYS)
41 #ifdef _MSC_VER
42 // MSVC 64bit is unable to use inline asm
43 #include <intrin.h>
44 #else
45 // GCC Linux or i686-w64-mingw32
46 #include <cpuid.h>
47 #endif
48 #endif
49 
50 static inline uint32_t be32dec(const void *pp)
51 {
52  const uint8_t *p = (uint8_t const *)pp;
53  return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
54  ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
55 }
56 
57 static inline void be32enc(void *pp, uint32_t x)
58 {
59  uint8_t *p = (uint8_t *)pp;
60  p[3] = x & 0xff;
61  p[2] = (x >> 8) & 0xff;
62  p[1] = (x >> 16) & 0xff;
63  p[0] = (x >> 24) & 0xff;
64 }
65 
66 typedef struct HMAC_SHA256Context {
67  SHA256_CTX ictx;
68  SHA256_CTX octx;
69 } HMAC_SHA256_CTX;
70 
71 /* Initialize an HMAC-SHA256 operation with the given key. */
72 static void
73 HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
74 {
75  unsigned char pad[64];
76  unsigned char khash[32];
77  const unsigned char *K = (const unsigned char *)_K;
78  size_t i;
79 
80  /* If Klen > 64, the key is really SHA256(K). */
81  if (Klen > 64) {
82  SHA256_Init(&ctx->ictx);
83  SHA256_Update(&ctx->ictx, K, Klen);
84  SHA256_Final(khash, &ctx->ictx);
85  K = khash;
86  Klen = 32;
87  }
88 
89  /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
90  SHA256_Init(&ctx->ictx);
91  memset(pad, 0x36, 64);
92  for (i = 0; i < Klen; i++)
93  pad[i] ^= K[i];
94  SHA256_Update(&ctx->ictx, pad, 64);
95 
96  /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
97  SHA256_Init(&ctx->octx);
98  memset(pad, 0x5c, 64);
99  for (i = 0; i < Klen; i++)
100  pad[i] ^= K[i];
101  SHA256_Update(&ctx->octx, pad, 64);
102 
103  /* Clean the stack. */
104  memset(khash, 0, 32);
105 }
106 
107 /* Add bytes to the HMAC-SHA256 operation. */
108 static void
109 HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
110 {
111  /* Feed data to the inner SHA256 operation. */
112  SHA256_Update(&ctx->ictx, in, len);
113 }
114 
115 /* Finish an HMAC-SHA256 operation. */
116 static void
117 HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
118 {
119  unsigned char ihash[32];
120 
121  /* Finish the inner SHA256 operation. */
122  SHA256_Final(ihash, &ctx->ictx);
123 
124  /* Feed the inner hash to the outer SHA256 operation. */
125  SHA256_Update(&ctx->octx, ihash, 32);
126 
127  /* Finish the outer SHA256 operation. */
128  SHA256_Final(digest, &ctx->octx);
129 
130  /* Clean the stack. */
131  memset(ihash, 0, 32);
132 }
133 
139 void
140 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
141  size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
142 {
143  HMAC_SHA256_CTX PShctx, hctx;
144  size_t i;
145  uint8_t ivec[4];
146  uint8_t U[32];
147  uint8_t T[32];
148  uint64_t j;
149  int k;
150  size_t clen;
151 
152  /* Compute HMAC state after processing P and S. */
153  HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
154  HMAC_SHA256_Update(&PShctx, salt, saltlen);
155 
156  /* Iterate through the blocks. */
157  for (i = 0; i * 32 < dkLen; i++) {
158  /* Generate INT(i + 1). */
159  be32enc(ivec, (uint32_t)(i + 1));
160 
161  /* Compute U_1 = PRF(P, S || INT(i)). */
162  memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
163  HMAC_SHA256_Update(&hctx, ivec, 4);
164  HMAC_SHA256_Final(U, &hctx);
165 
166  /* T_i = U_1 ... */
167  memcpy(T, U, 32);
168 
169  for (j = 2; j <= c; j++) {
170  /* Compute U_j. */
171  HMAC_SHA256_Init(&hctx, passwd, passwdlen);
172  HMAC_SHA256_Update(&hctx, U, 32);
173  HMAC_SHA256_Final(U, &hctx);
174 
175  /* ... xor U_j ... */
176  for (k = 0; k < 32; k++)
177  T[k] ^= U[k];
178  }
179 
180  /* Copy as many bytes as necessary into buf. */
181  clen = dkLen - i * 32;
182  if (clen > 32)
183  clen = 32;
184  memcpy(&buf[i * 32], T, clen);
185  }
186 
187  /* Clean PShctx, since we never called _Final on it. */
188  memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
189 }
190 
191 #define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
192 
193 static inline void xor_salsa8(uint32_t B[16], const uint32_t Bx[16])
194 {
195  uint32_t x00,x01,x02,x03,x04,x05,x06,x07,x08,x09,x10,x11,x12,x13,x14,x15;
196  int i;
197 
198  x00 = (B[ 0] ^= Bx[ 0]);
199  x01 = (B[ 1] ^= Bx[ 1]);
200  x02 = (B[ 2] ^= Bx[ 2]);
201  x03 = (B[ 3] ^= Bx[ 3]);
202  x04 = (B[ 4] ^= Bx[ 4]);
203  x05 = (B[ 5] ^= Bx[ 5]);
204  x06 = (B[ 6] ^= Bx[ 6]);
205  x07 = (B[ 7] ^= Bx[ 7]);
206  x08 = (B[ 8] ^= Bx[ 8]);
207  x09 = (B[ 9] ^= Bx[ 9]);
208  x10 = (B[10] ^= Bx[10]);
209  x11 = (B[11] ^= Bx[11]);
210  x12 = (B[12] ^= Bx[12]);
211  x13 = (B[13] ^= Bx[13]);
212  x14 = (B[14] ^= Bx[14]);
213  x15 = (B[15] ^= Bx[15]);
214  for (i = 0; i < 8; i += 2) {
215  /* Operate on columns. */
216  x04 ^= ROTL(x00 + x12, 7); x09 ^= ROTL(x05 + x01, 7);
217  x14 ^= ROTL(x10 + x06, 7); x03 ^= ROTL(x15 + x11, 7);
218 
219  x08 ^= ROTL(x04 + x00, 9); x13 ^= ROTL(x09 + x05, 9);
220  x02 ^= ROTL(x14 + x10, 9); x07 ^= ROTL(x03 + x15, 9);
221 
222  x12 ^= ROTL(x08 + x04, 13); x01 ^= ROTL(x13 + x09, 13);
223  x06 ^= ROTL(x02 + x14, 13); x11 ^= ROTL(x07 + x03, 13);
224 
225  x00 ^= ROTL(x12 + x08, 18); x05 ^= ROTL(x01 + x13, 18);
226  x10 ^= ROTL(x06 + x02, 18); x15 ^= ROTL(x11 + x07, 18);
227 
228  /* Operate on rows. */
229  x01 ^= ROTL(x00 + x03, 7); x06 ^= ROTL(x05 + x04, 7);
230  x11 ^= ROTL(x10 + x09, 7); x12 ^= ROTL(x15 + x14, 7);
231 
232  x02 ^= ROTL(x01 + x00, 9); x07 ^= ROTL(x06 + x05, 9);
233  x08 ^= ROTL(x11 + x10, 9); x13 ^= ROTL(x12 + x15, 9);
234 
235  x03 ^= ROTL(x02 + x01, 13); x04 ^= ROTL(x07 + x06, 13);
236  x09 ^= ROTL(x08 + x11, 13); x14 ^= ROTL(x13 + x12, 13);
237 
238  x00 ^= ROTL(x03 + x02, 18); x05 ^= ROTL(x04 + x07, 18);
239  x10 ^= ROTL(x09 + x08, 18); x15 ^= ROTL(x14 + x13, 18);
240  }
241  B[ 0] += x00;
242  B[ 1] += x01;
243  B[ 2] += x02;
244  B[ 3] += x03;
245  B[ 4] += x04;
246  B[ 5] += x05;
247  B[ 6] += x06;
248  B[ 7] += x07;
249  B[ 8] += x08;
250  B[ 9] += x09;
251  B[10] += x10;
252  B[11] += x11;
253  B[12] += x12;
254  B[13] += x13;
255  B[14] += x14;
256  B[15] += x15;
257 }
258 
259 void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad)
260 {
261  uint8_t B[128];
262  uint32_t X[32];
263  uint32_t *V;
264  uint32_t i, j, k;
265 
266  V = (uint32_t *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
267 
268  PBKDF2_SHA256((const uint8_t *)input, 80, (const uint8_t *)input, 80, 1, B, 128);
269 
270  for (k = 0; k < 32; k++)
271  X[k] = le32dec(&B[4 * k]);
272 
273  for (i = 0; i < 1024; i++) {
274  memcpy(&V[i * 32], X, 128);
275  xor_salsa8(&X[0], &X[16]);
276  xor_salsa8(&X[16], &X[0]);
277  }
278  for (i = 0; i < 1024; i++) {
279  j = 32 * (X[16] & 1023);
280  for (k = 0; k < 32; k++)
281  X[k] ^= V[j + k];
282  xor_salsa8(&X[0], &X[16]);
283  xor_salsa8(&X[16], &X[0]);
284  }
285 
286  for (k = 0; k < 32; k++)
287  le32enc(&B[4 * k], X[k]);
288 
289  PBKDF2_SHA256((const uint8_t *)input, 80, B, 128, 1, (uint8_t *)output, 32);
290 }
291 
292 #if defined(USE_SSE2)
293 // By default, set to generic scrypt function. This will prevent crash in case when scrypt_detect_sse2() wasn't called
294 void (*scrypt_1024_1_1_256_sp_detected)(const char *input, char *output, char *scratchpad) = &scrypt_1024_1_1_256_sp_generic;
295 
296 void scrypt_detect_sse2()
297 {
298 #if defined(USE_SSE2_ALWAYS)
299  LogPrintf("scrypt: Powered by scrypt-sse2, as built. Hardware detection disabled.\n");
300 #else // USE_SSE2_ALWAYS
301  // 32bit x86 Linux or Windows, detect cpuid features
302  unsigned int cpuid_edx=0;
303 #if defined(_MSC_VER)
304  // MSVC
305  int x86cpuid[4];
306  __cpuid(x86cpuid, 1);
307  cpuid_edx = (unsigned int)buffer[3];
308 #else // _MSC_VER
309  // Linux or i686-w64-mingw32 (gcc-4.6.3)
310  unsigned int eax, ebx, ecx;
311  __get_cpuid(1, &eax, &ebx, &ecx, &cpuid_edx);
312 #endif // _MSC_VER
313 
314  if (cpuid_edx & 1<<26)
315  {
316  scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_sse2;
317  LogPrintf("scrypt: Powered by scrypt-sse2, hardware detected.\n");
318  }
319  else
320  {
321  scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_generic;
322  LogPrintf("scrypt: Using scrypt-generic, SSE2 hardware unavailable.\n");
323  }
324 #endif // USE_SSE2_ALWAYS
325 }
326 #endif
327 
328 void scrypt_1024_1_1_256(const char *input, char *output)
329 {
330  char scratchpad[SCRYPT_SCRATCHPAD_SIZE];
331  scrypt_1024_1_1_256_sp(input, output, scratchpad);
332 }
ROTL
#define ROTL(a, b)
Definition: scrypt.cpp:191
HMAC_SHA256Context::ictx
SHA256_CTX ictx
Definition: scrypt.cpp:67
PBKDF2_SHA256
void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt, size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and write the output to buf.
Definition: scrypt.cpp:140
HMAC_SHA256Context
Definition: scrypt.cpp:66
scrypt_1024_1_1_256_sp
#define scrypt_1024_1_1_256_sp(input, output, scratchpad)
Definition: scrypt.h:36
HMAC_SHA256Context::octx
SHA256_CTX octx
Definition: scrypt.cpp:68
HMAC_SHA256_CTX
struct HMAC_SHA256Context HMAC_SHA256_CTX
LogPrintf
#define LogPrintf(...)
Definition: util.h:118
scrypt_1024_1_1_256_sp_generic
void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad)
Definition: scrypt.cpp:259
scrypt_1024_1_1_256
void scrypt_1024_1_1_256(const char *input, char *output)
Definition: scrypt.cpp:328
X
#define X(name)
Definition: net.cpp:595
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18
scrypt_1024_1_1_256_sp_sse2
void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad)
Definition: scrypt-sse2.cpp:95
Generated on Fri Feb 6 2015 10:48:16 for Anoncoin by   doxygen 1.8.9.1