24 #if CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE
25 # if defined(__clang__)
26 # pragma GCC diagnostic ignored "-Wtautological-compare"
27 # elif defined(__GNUC__)
28 # pragma GCC diagnostic ignored "-Wtype-limits"
32 ANONYMOUS_NAMESPACE_BEGIN
35 using CryptoPP::word32;
36 using CryptoPP::word64;
42 using CryptoPP::AlignedSecByteBlock;
44 inline void LE32ENC(
byte* out, word32 in)
49 inline word32 LE32DEC(
const byte* in)
54 inline word64 LE64DEC(
const byte* in)
59 inline void BlockCopy(
byte* dest,
byte* src,
size_t len)
64 for (
size_t i = 0; i < len; ++i)
67 for (
size_t i = 0; i < len; ++i)
72 inline void BlockXOR(
byte* dest,
byte* src,
size_t len)
77 for (
size_t i = 0; i < len; ++i)
80 for (
size_t i = 0; i < len; ++i)
85 inline void PBKDF2_SHA256(
byte* buf,
size_t dkLen,
86 const byte* passwd,
size_t passwdlen,
87 const byte* salt,
size_t saltlen,
byte count)
89 using CryptoPP::SHA256;
90 using CryptoPP::PKCS5_PBKDF2_HMAC;
93 pbkdf.
DeriveKey(buf, dkLen, 0, passwd, passwdlen, salt, saltlen, count, 0.0f);
96 inline void Salsa20_8(
byte B[64])
100 for (
size_t i = 0; i < 16; ++i)
101 B32[i] = LE32DEC(&B[i * 4]);
105 for (
size_t i = 0; i < 16; ++i)
106 LE32ENC(&B[4 * i], B32[i]);
109 inline void BlockMix(
byte* B,
byte* Y,
size_t r)
114 BlockCopy(X, &B[(2 * r - 1) * 64], 64);
117 for (
size_t i = 0; i < 2 * r; ++i)
120 BlockXOR(X, &B[i * 64], 64);
124 BlockCopy(&Y[i * 64], X, 64);
128 for (
size_t i = 0; i < r; ++i)
129 BlockCopy(&B[i * 64], &Y[(i * 2) * 64], 64);
131 for (
size_t i = 0; i < r; ++i)
132 BlockCopy(&B[(i + r) * 64], &Y[(i * 2 + 1) * 64], 64);
135 inline word64 Integerify(
byte* B,
size_t r)
137 byte* X = &B[(2 * r - 1) * 64];
141 inline void Smix(
byte* B,
size_t r, word64 N,
byte* V,
byte* XY)
147 BlockCopy(X, B, 128 * r);
150 for (word64 i = 0; i < N; ++i)
153 BlockCopy(&V[i * (128 * r)], X, 128 * r);
160 for (word64 i = 0; i < N; ++i)
163 word64 j = Integerify(X, r) & (N - 1);
166 BlockXOR(X, &V[j * (128 * r)], 128 * r);
171 BlockCopy(B, X, 128 * r);
174 ANONYMOUS_NAMESPACE_END
178 size_t
Scrypt::GetValidDerivedLength(
size_t keylength)
const
180 if (keylength > MaxDerivedLength())
181 return MaxDerivedLength();
185 void Scrypt::ValidateParameters(
size_t derivedLen, word64 cost, word64 blockSize, word64 parallelization)
const
188 if (std::numeric_limits<size_t>::max() > std::numeric_limits<word32>::max())
190 const word64 maxLen = ((
static_cast<word64
>(1) << 32) - 1) * 32;
191 if (derivedLen > maxLen) {
192 std::ostringstream oss;
193 oss <<
"derivedLen " << derivedLen <<
" is larger than " << maxLen;
200 if (parallelization >
static_cast<word64
>(std::numeric_limits<int>::max()))
202 std::ostringstream oss;
203 oss <<
" parallelization " << parallelization <<
" is larger than ";
204 oss << std::numeric_limits<int>::max();
212 const word64 prod =
static_cast<word64
>(blockSize) * parallelization;
215 if (prod >= (1U << 30)) {
216 std::ostringstream oss;
217 oss <<
"r*p " << prod <<
" is larger than " << (1U << 30);
227 #if defined(CRYPTOPP_WORD128_AVAILABLE)
228 const word128 maxElems =
static_cast<word128
>(
SIZE_MAX);
229 bool bLimit = (maxElems >=
static_cast<word128
>(cost) * blockSize * 128U);
230 bool xyLimit = (maxElems >=
static_cast<word128
>(parallelization) * blockSize * 128U);
231 bool vLimit = (maxElems >=
static_cast<word128
>(blockSize) * 256U + 64U);
233 const word64 maxElems =
static_cast<word64
>(
SIZE_MAX);
234 bool bLimit = (blockSize < maxElems / 128U / cost);
235 bool xyLimit = (blockSize < maxElems / 128U / parallelization);
236 bool vLimit = (blockSize < (maxElems - 64U) / 256U);
240 if (!bLimit || !xyLimit || !vLimit)
241 throw std::bad_alloc();
245 const byte*secret,
size_t secretLen,
const NameValuePairs& params)
const
251 word64 cost=0, blockSize=0, parallelization=0;
252 if(params.
GetValue(
"Cost", cost) ==
false)
255 if(params.
GetValue(
"BlockSize", blockSize) ==
false)
256 blockSize = defaultBlockSize;
258 if(params.
GetValue(
"Parallelization", parallelization) ==
false)
259 parallelization = defaultParallelization;
262 (void)params.
GetValue(
"Salt", salt);
264 return DeriveKey(derived, derivedLen, secret, secretLen, salt.
begin(), salt.
size(), cost, blockSize, parallelization);
268 const byte*salt,
size_t saltLen, word64 cost, word64 blockSize, word64 parallel)
const
274 ThrowIfInvalidDerivedLength(derivedLen);
275 ValidateParameters(derivedLen, cost, blockSize, parallel);
280 PBKDF2_SHA256(B, B.
size(), secret, secretLen, salt, saltLen, 1);
285 maxParallel = std::numeric_limits<int>::max();
288 int threads =
STDMIN(omp_get_max_threads(), maxParallel);
292 #pragma omp parallel num_threads(threads)
300 for (
int i = 0; i < maxParallel; ++i)
303 const ptrdiff_t offset =
static_cast<ptrdiff_t
>(blockSize*i*128);
304 Smix(B+offset,
static_cast<size_t>(blockSize), cost, V, XY);
309 PBKDF2_SHA256(derived, derivedLen, secret, secretLen, B, B.
size(), 1);