From 9ad1a518574b9afed3e66a1e1658ead1d3d7ce54 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan" <laanwj@gmail.com>
Date: Sat, 9 Apr 2016 07:39:35 +0200
Subject: crypto: bytes counts are 64 bit

Byte counts for SHA256, SHA512, SHA1 and RIPEMD160 must be 64 bits.
`size_t` has a different size per platform, causing divergent results
when hashing more than 4GB of data.
---
 src/crypto/ripemd160.h | 2 +-
 src/crypto/sha1.h      | 2 +-
 src/crypto/sha256.h    | 2 +-
 src/crypto/sha512.h    | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/ripemd160.h b/src/crypto/ripemd160.h
index 687204fda..bd41f0250 100644
--- a/src/crypto/ripemd160.h
+++ b/src/crypto/ripemd160.h
@@ -14,7 +14,7 @@ class CRIPEMD160
 private:
     uint32_t s[5];
     unsigned char buf[64];
-    size_t bytes;
+    uint64_t bytes;
 
 public:
     static const size_t OUTPUT_SIZE = 20;
diff --git a/src/crypto/sha1.h b/src/crypto/sha1.h
index 7b2a21bc6..8fb20810b 100644
--- a/src/crypto/sha1.h
+++ b/src/crypto/sha1.h
@@ -14,7 +14,7 @@ class CSHA1
 private:
     uint32_t s[5];
     unsigned char buf[64];
-    size_t bytes;
+    uint64_t bytes;
 
 public:
     static const size_t OUTPUT_SIZE = 20;
diff --git a/src/crypto/sha256.h b/src/crypto/sha256.h
index 85cf33739..5b15b6a23 100644
--- a/src/crypto/sha256.h
+++ b/src/crypto/sha256.h
@@ -14,7 +14,7 @@ class CSHA256
 private:
     uint32_t s[8];
     unsigned char buf[64];
-    size_t bytes;
+    uint64_t bytes;
 
 public:
     static const size_t OUTPUT_SIZE = 32;
diff --git a/src/crypto/sha512.h b/src/crypto/sha512.h
index f1f17caf9..614681fae 100644
--- a/src/crypto/sha512.h
+++ b/src/crypto/sha512.h
@@ -14,7 +14,7 @@ class CSHA512
 private:
     uint64_t s[8];
     unsigned char buf[128];
-    size_t bytes;
+    uint64_t bytes;
 
 public:
     static const size_t OUTPUT_SIZE = 64;
-- 
cgit v1.2.3


From 6bec172eb95e195847bb6dd6d4e62ada79c98c6d Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Wed, 30 Mar 2016 15:37:41 +0200
Subject: Add ctaes-based constant time AES implementation

---
 src/crypto/aes.cpp | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/crypto/aes.h   | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 src/crypto/aes.cpp
 create mode 100644 src/crypto/aes.h

(limited to 'src/crypto')

diff --git a/src/crypto/aes.cpp b/src/crypto/aes.cpp
new file mode 100644
index 000000000..035abd75b
--- /dev/null
+++ b/src/crypto/aes.cpp
@@ -0,0 +1,73 @@
+// Copyright (c) 2016 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include "aes.h"
+#include "crypto/common.h"
+
+#include <assert.h>
+#include <string.h>
+
+extern "C" {
+#include "crypto/ctaes/ctaes.c"
+}
+
+AES128Encrypt::AES128Encrypt(const unsigned char key[16])
+{
+    AES128_init(&ctx, key);
+}
+
+AES128Encrypt::~AES128Encrypt()
+{
+    memset(&ctx, 0, sizeof(ctx));
+}
+
+void AES128Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
+{
+    AES128_encrypt(&ctx, 1, ciphertext, plaintext);
+}
+
+AES128Decrypt::AES128Decrypt(const unsigned char key[16])
+{
+    AES128_init(&ctx, key);
+}
+
+AES128Decrypt::~AES128Decrypt()
+{
+    memset(&ctx, 0, sizeof(ctx));
+}
+
+void AES128Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
+{
+    AES128_decrypt(&ctx, 1, plaintext, ciphertext);
+}
+
+AES256Encrypt::AES256Encrypt(const unsigned char key[32])
+{
+    AES256_init(&ctx, key);
+}
+
+AES256Encrypt::~AES256Encrypt()
+{
+    memset(&ctx, 0, sizeof(ctx));
+}
+
+void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
+{
+    AES256_encrypt(&ctx, 1, ciphertext, plaintext);
+}
+
+AES256Decrypt::AES256Decrypt(const unsigned char key[32])
+{
+    AES256_init(&ctx, key);
+}
+
+AES256Decrypt::~AES256Decrypt()
+{
+    memset(&ctx, 0, sizeof(ctx));
+}
+
+void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
+{
+    AES256_decrypt(&ctx, 1, plaintext, ciphertext);
+}
diff --git a/src/crypto/aes.h b/src/crypto/aes.h
new file mode 100644
index 000000000..4bf17a33e
--- /dev/null
+++ b/src/crypto/aes.h
@@ -0,0 +1,66 @@
+// Copyright (c) 2015 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+//
+// C++ wrapper around ctaes, a constant-time AES implementation
+
+#ifndef BITCOIN_CRYPTO_AES_H
+#define BITCOIN_CRYPTO_AES_H
+
+extern "C" {
+#include "crypto/ctaes/ctaes.h"
+}
+
+static const int AES_BLOCKSIZE = 16;
+static const int AES128_KEYSIZE = 16;
+static const int AES256_KEYSIZE = 32;
+
+/** An encryption class for AES-128. */
+class AES128Encrypt
+{
+private:
+    AES128_ctx ctx;
+
+public:
+    AES128Encrypt(const unsigned char key[16]);
+    ~AES128Encrypt();
+    void Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const;
+};
+
+/** A decryption class for AES-128. */
+class AES128Decrypt
+{
+private:
+    AES128_ctx ctx;
+
+public:
+    AES128Decrypt(const unsigned char key[16]);
+    ~AES128Decrypt();
+    void Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const;
+};
+
+/** An encryption class for AES-256. */
+class AES256Encrypt
+{
+private:
+    AES256_ctx ctx;
+
+public:
+    AES256Encrypt(const unsigned char key[32]);
+    ~AES256Encrypt();
+    void Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const;
+};
+
+/** A decryption class for AES-256. */
+class AES256Decrypt
+{
+private:
+    AES256_ctx ctx;
+
+public:
+    AES256Decrypt(const unsigned char key[32]);
+    ~AES256Decrypt();
+    void Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const;
+};
+
+#endif // BITCOIN_CRYPTO_AES_H
-- 
cgit v1.2.3


From 27a212dcb4fe842ead77d01b98f2c1a58ecca609 Mon Sep 17 00:00:00 2001
From: Cory Fields <cory-nospam-@coryfields.com>
Date: Fri, 20 Mar 2015 00:49:13 -0400
Subject: crypto: add AES 128/256 CBC classes

The output should always match openssl's, even for failed operations. Even for
a decrypt with broken padding, the output is always deterministic (and attemtps
to be constant-time).
---
 src/crypto/aes.cpp | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/crypto/aes.h   |  52 +++++++++++++++++++
 2 files changed, 196 insertions(+)

(limited to 'src/crypto')

diff --git a/src/crypto/aes.cpp b/src/crypto/aes.cpp
index 035abd75b..1d469d0fb 100644
--- a/src/crypto/aes.cpp
+++ b/src/crypto/aes.cpp
@@ -71,3 +71,147 @@ void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char cip
 {
     AES256_decrypt(&ctx, 1, plaintext, ciphertext);
 }
+
+
+template <typename T>
+static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
+{
+    int written = 0;
+    int padsize = size % AES_BLOCKSIZE;
+    unsigned char mixed[AES_BLOCKSIZE];
+
+    if (!data || !size || !out)
+        return 0;
+
+    if (!pad && padsize != 0)
+        return 0;
+
+    memcpy(mixed, iv, AES_BLOCKSIZE);
+
+    // Write all but the last block
+    while (written + AES_BLOCKSIZE <= size) {
+        for (int i = 0; i != AES_BLOCKSIZE; i++)
+            mixed[i] ^= *data++;
+        enc.Encrypt(out + written, mixed);
+        memcpy(mixed, out + written, AES_BLOCKSIZE);
+        written += AES_BLOCKSIZE;
+    }
+    if (pad) {
+        // For all that remains, pad each byte with the value of the remaining
+        // space. If there is none, pad by a full block.
+        for (int i = 0; i != padsize; i++)
+            mixed[i] ^= *data++;
+        for (int i = padsize; i != AES_BLOCKSIZE; i++)
+            mixed[i] ^= AES_BLOCKSIZE - padsize;
+        enc.Encrypt(out + written, mixed);
+        written += AES_BLOCKSIZE;
+    }
+    return written;
+}
+
+template <typename T>
+static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
+{
+    unsigned char padsize = 0;
+    int written = 0;
+    bool fail = false;
+    const unsigned char* prev = iv;
+
+    if (!data || !size || !out)
+        return 0;
+
+    if (size % AES_BLOCKSIZE != 0)
+        return 0;
+
+    // Decrypt all data. Padding will be checked in the output.
+    while (written != size) {
+        dec.Decrypt(out, data + written);
+        for (int i = 0; i != AES_BLOCKSIZE; i++)
+            *out++ ^= prev[i];
+        prev = data + written;
+        written += AES_BLOCKSIZE;
+    }
+
+    // When decrypting padding, attempt to run in constant-time
+    if (pad) {
+        // If used, padding size is the value of the last decrypted byte. For
+        // it to be valid, It must be between 1 and AES_BLOCKSIZE.
+        padsize = *--out;
+        fail = !padsize | (padsize > AES_BLOCKSIZE);
+
+        // If not well-formed, treat it as though there's no padding.
+        padsize *= !fail;
+
+        // All padding must equal the last byte otherwise it's not well-formed
+        for (int i = AES_BLOCKSIZE; i != 0; i--)
+            fail |= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize));
+
+        written -= padsize;
+    }
+    return written * !fail;
+}
+
+AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
+    : enc(key), pad(padIn)
+{
+    memcpy(iv, ivIn, AES_BLOCKSIZE);
+}
+
+int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
+{
+    return CBCEncrypt(enc, iv, data, size, pad, out);
+}
+
+AES256CBCEncrypt::~AES256CBCEncrypt()
+{
+    memset(iv, 0, sizeof(iv));
+}
+
+AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
+    : dec(key), pad(padIn)
+{
+    memcpy(iv, ivIn, AES_BLOCKSIZE);
+}
+
+
+int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
+{
+    return CBCDecrypt(dec, iv, data, size, pad, out);
+}
+
+AES256CBCDecrypt::~AES256CBCDecrypt()
+{
+    memset(iv, 0, sizeof(iv));
+}
+
+AES128CBCEncrypt::AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
+    : enc(key), pad(padIn)
+{
+    memcpy(iv, ivIn, AES_BLOCKSIZE);
+}
+
+AES128CBCEncrypt::~AES128CBCEncrypt()
+{
+    memset(iv, 0, AES_BLOCKSIZE);
+}
+
+int AES128CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
+{
+    return CBCEncrypt(enc, iv, data, size, pad, out);
+}
+
+AES128CBCDecrypt::AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
+    : dec(key), pad(padIn)
+{
+    memcpy(iv, ivIn, AES_BLOCKSIZE);
+}
+
+AES128CBCDecrypt::~AES128CBCDecrypt()
+{
+    memset(iv, 0, AES_BLOCKSIZE);
+}
+
+int AES128CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
+{
+    return CBCDecrypt(dec, iv, data, size, pad, out);
+}
diff --git a/src/crypto/aes.h b/src/crypto/aes.h
index 4bf17a33e..8cae357c1 100644
--- a/src/crypto/aes.h
+++ b/src/crypto/aes.h
@@ -63,4 +63,56 @@ public:
     void Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const;
 };
 
+class AES256CBCEncrypt
+{
+public:
+    AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
+    ~AES256CBCEncrypt();
+    int Encrypt(const unsigned char* data, int size, unsigned char* out) const;
+
+private:
+    const AES256Encrypt enc;
+    const bool pad;
+    unsigned char iv[AES_BLOCKSIZE];
+};
+
+class AES256CBCDecrypt
+{
+public:
+    AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
+    ~AES256CBCDecrypt();
+    int Decrypt(const unsigned char* data, int size, unsigned char* out) const;
+
+private:
+    const AES256Decrypt dec;
+    const bool pad;
+    unsigned char iv[AES_BLOCKSIZE];
+};
+
+class AES128CBCEncrypt
+{
+public:
+    AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
+    ~AES128CBCEncrypt();
+    int Encrypt(const unsigned char* data, int size, unsigned char* out) const;
+
+private:
+    const AES128Encrypt enc;
+    const bool pad;
+    unsigned char iv[AES_BLOCKSIZE];
+};
+
+class AES128CBCDecrypt
+{
+public:
+    AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
+    ~AES128CBCDecrypt();
+    int Decrypt(const unsigned char* data, int size, unsigned char* out) const;
+
+private:
+    const AES128Decrypt dec;
+    const bool pad;
+    unsigned char iv[AES_BLOCKSIZE];
+};
+
 #endif // BITCOIN_CRYPTO_AES_H
-- 
cgit v1.2.3


From 15fa95d7e576041a20d47907356a2be5a327b4ca Mon Sep 17 00:00:00 2001
From: fsb4000 <fsb4000@yandex.ru>
Date: Mon, 28 Nov 2016 15:19:05 +0700
Subject: Fix some typos

---
 src/crypto/ctaes/test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/crypto')

diff --git a/src/crypto/ctaes/test.c b/src/crypto/ctaes/test.c
index fce1696ac..21439a16f 100644
--- a/src/crypto/ctaes/test.c
+++ b/src/crypto/ctaes/test.c
@@ -102,7 +102,7 @@ int main(void) {
         }
     }
     if (fail == 0) {
-        fprintf(stderr, "All tests succesful\n");
+        fprintf(stderr, "All tests successful\n");
     } else {
         fprintf(stderr, "%i tests failed\n", fail);
     }
-- 
cgit v1.2.3


From 27765b6403cece54320374b37afb01a0cfe571c3 Mon Sep 17 00:00:00 2001
From: isle2983 <isle2983@yahoo.com>
Date: Sat, 31 Dec 2016 11:01:21 -0700
Subject: Increment MIT Licence copyright header year on files modified in 2016

Edited via:

$ contrib/devtools/copyright_header.py update .
---
 src/crypto/aes.h       | 2 +-
 src/crypto/ripemd160.h | 2 +-
 src/crypto/sha1.h      | 2 +-
 src/crypto/sha256.h    | 2 +-
 src/crypto/sha512.h    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/aes.h b/src/crypto/aes.h
index 8cae357c1..e9f1b52e7 100644
--- a/src/crypto/aes.h
+++ b/src/crypto/aes.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Bitcoin Core developers
+// Copyright (c) 2015-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 //
diff --git a/src/crypto/ripemd160.h b/src/crypto/ripemd160.h
index bd41f0250..38ea375c1 100644
--- a/src/crypto/ripemd160.h
+++ b/src/crypto/ripemd160.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Bitcoin Core developers
+// Copyright (c) 2014-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
diff --git a/src/crypto/sha1.h b/src/crypto/sha1.h
index 8fb20810b..8b4568ee1 100644
--- a/src/crypto/sha1.h
+++ b/src/crypto/sha1.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Bitcoin Core developers
+// Copyright (c) 2014-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
diff --git a/src/crypto/sha256.h b/src/crypto/sha256.h
index 5b15b6a23..127e62a22 100644
--- a/src/crypto/sha256.h
+++ b/src/crypto/sha256.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Bitcoin Core developers
+// Copyright (c) 2014-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
diff --git a/src/crypto/sha512.h b/src/crypto/sha512.h
index 614681fae..cd1023bc8 100644
--- a/src/crypto/sha512.h
+++ b/src/crypto/sha512.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Bitcoin Core developers
+// Copyright (c) 2014-2016 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
-- 
cgit v1.2.3


From 843c560003b288a073f528ef16b83541f7a9b0ac Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Tue, 10 Jan 2017 14:14:01 -0800
Subject: Avoid unaligned access in crypto i/o

---
 src/crypto/common.h | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/common.h b/src/crypto/common.h
index 580c72f5a..4a9d1150b 100644
--- a/src/crypto/common.h
+++ b/src/crypto/common.h
@@ -10,57 +10,73 @@
 #endif
 
 #include <stdint.h>
+#include <string.h>
 
 #include "compat/endian.h"
 
 uint16_t static inline ReadLE16(const unsigned char* ptr)
 {
-    return le16toh(*((uint16_t*)ptr));
+    uint16_t x;
+    memcpy((char*)&x, ptr, 2);
+    return le16toh(x);
 }
 
 uint32_t static inline ReadLE32(const unsigned char* ptr)
 {
-    return le32toh(*((uint32_t*)ptr));
+    uint32_t x;
+    memcpy((char*)&x, ptr, 4);
+    return le32toh(x);
 }
 
 uint64_t static inline ReadLE64(const unsigned char* ptr)
 {
-    return le64toh(*((uint64_t*)ptr));
+    uint64_t x;
+    memcpy((char*)&x, ptr, 8);
+    return le64toh(x);
 }
 
 void static inline WriteLE16(unsigned char* ptr, uint16_t x)
 {
-    *((uint16_t*)ptr) = htole16(x);
+    uint16_t v = htole16(x);
+    memcpy(ptr, (char*)&v, 2);
 }
 
 void static inline WriteLE32(unsigned char* ptr, uint32_t x)
 {
-    *((uint32_t*)ptr) = htole32(x);
+    uint32_t v = htole32(x);
+    memcpy(ptr, (char*)&v, 4);
 }
 
 void static inline WriteLE64(unsigned char* ptr, uint64_t x)
 {
-    *((uint64_t*)ptr) = htole64(x);
+    uint64_t v = htole64(x);
+    memcpy(ptr, (char*)&v, 8);
 }
 
 uint32_t static inline ReadBE32(const unsigned char* ptr)
 {
-    return be32toh(*((uint32_t*)ptr));
+    uint32_t x;
+    memcpy((char*)&x, ptr, 4);
+    return be32toh(x);
 }
 
 uint64_t static inline ReadBE64(const unsigned char* ptr)
 {
-    return be64toh(*((uint64_t*)ptr));
+    uint64_t x;
+    memcpy((char*)&x, ptr, 8);
+    return be64toh(x);
 }
 
 void static inline WriteBE32(unsigned char* ptr, uint32_t x)
 {
-    *((uint32_t*)ptr) = htobe32(x);
+    uint32_t v = htobe32(x);
+    memcpy(ptr, (char*)&v, 4);
 }
 
 void static inline WriteBE64(unsigned char* ptr, uint64_t x)
 {
-    *((uint64_t*)ptr) = htobe64(x);
+    uint64_t v = htobe64(x);
+    memcpy(ptr, (char*)&v, 8);
 }
 
 #endif // BITCOIN_CRYPTO_COMMON_H
-- 
cgit v1.2.3


From b506efbe747ba31ee1f41be14cdbc0c30dfcf67f Mon Sep 17 00:00:00 2001
From: Warren Togami <wtogami@gmail.com>
Date: Wed, 21 May 2014 20:24:15 +0100
Subject: Litecoin: Scrypt n=1024 Pow hash based upon Colin Percival's Tarnsnap
 (2009) Modified by Artforz, coblee, pooler, wtogami, Nikolay Belikov, Adrian
 Gallagher

---
 src/crypto/scrypt-sse2.cpp | 136 +++++++++++++++++++
 src/crypto/scrypt.cpp      | 329 +++++++++++++++++++++++++++++++++++++++++++++
 src/crypto/scrypt.h        |  45 +++++++
 3 files changed, 510 insertions(+)
 create mode 100644 src/crypto/scrypt-sse2.cpp
 create mode 100644 src/crypto/scrypt.cpp
 create mode 100644 src/crypto/scrypt.h

(limited to 'src/crypto')

diff --git a/src/crypto/scrypt-sse2.cpp b/src/crypto/scrypt-sse2.cpp
new file mode 100644
index 000000000..d9e7ffccc
--- /dev/null
+++ b/src/crypto/scrypt-sse2.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+
+#include "crypto/scrypt.h"
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <openssl/sha.h>
+
+#include <emmintrin.h>
+
+static inline void xor_salsa8_sse2(__m128i B[4], const __m128i Bx[4])
+{
+	__m128i X0, X1, X2, X3;
+	__m128i T;
+	int i;
+
+	X0 = B[0] = _mm_xor_si128(B[0], Bx[0]);
+	X1 = B[1] = _mm_xor_si128(B[1], Bx[1]);
+	X2 = B[2] = _mm_xor_si128(B[2], Bx[2]);
+	X3 = B[3] = _mm_xor_si128(B[3], Bx[3]);
+
+	for (i = 0; i < 8; i += 2) {
+		/* Operate on "columns". */
+		T = _mm_add_epi32(X0, X3);
+		X1 = _mm_xor_si128(X1, _mm_slli_epi32(T, 7));
+		X1 = _mm_xor_si128(X1, _mm_srli_epi32(T, 25));
+		T = _mm_add_epi32(X1, X0);
+		X2 = _mm_xor_si128(X2, _mm_slli_epi32(T, 9));
+		X2 = _mm_xor_si128(X2, _mm_srli_epi32(T, 23));
+		T = _mm_add_epi32(X2, X1);
+		X3 = _mm_xor_si128(X3, _mm_slli_epi32(T, 13));
+		X3 = _mm_xor_si128(X3, _mm_srli_epi32(T, 19));
+		T = _mm_add_epi32(X3, X2);
+		X0 = _mm_xor_si128(X0, _mm_slli_epi32(T, 18));
+		X0 = _mm_xor_si128(X0, _mm_srli_epi32(T, 14));
+
+		/* Rearrange data. */
+		X1 = _mm_shuffle_epi32(X1, 0x93);
+		X2 = _mm_shuffle_epi32(X2, 0x4E);
+		X3 = _mm_shuffle_epi32(X3, 0x39);
+
+		/* Operate on "rows". */
+		T = _mm_add_epi32(X0, X1);
+		X3 = _mm_xor_si128(X3, _mm_slli_epi32(T, 7));
+		X3 = _mm_xor_si128(X3, _mm_srli_epi32(T, 25));
+		T = _mm_add_epi32(X3, X0);
+		X2 = _mm_xor_si128(X2, _mm_slli_epi32(T, 9));
+		X2 = _mm_xor_si128(X2, _mm_srli_epi32(T, 23));
+		T = _mm_add_epi32(X2, X3);
+		X1 = _mm_xor_si128(X1, _mm_slli_epi32(T, 13));
+		X1 = _mm_xor_si128(X1, _mm_srli_epi32(T, 19));
+		T = _mm_add_epi32(X1, X2);
+		X0 = _mm_xor_si128(X0, _mm_slli_epi32(T, 18));
+		X0 = _mm_xor_si128(X0, _mm_srli_epi32(T, 14));
+
+		/* Rearrange data. */
+		X1 = _mm_shuffle_epi32(X1, 0x39);
+		X2 = _mm_shuffle_epi32(X2, 0x4E);
+		X3 = _mm_shuffle_epi32(X3, 0x93);
+	}
+
+	B[0] = _mm_add_epi32(B[0], X0);
+	B[1] = _mm_add_epi32(B[1], X1);
+	B[2] = _mm_add_epi32(B[2], X2);
+	B[3] = _mm_add_epi32(B[3], X3);
+}
+
+void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad)
+{
+	uint8_t B[128];
+	union {
+		__m128i i128[8];
+		uint32_t u32[32];
+	} X;
+	__m128i *V;
+	uint32_t i, j, k;
+
+	V = (__m128i *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, (const uint8_t *)input, 80, 1, B, 128);
+
+	for (k = 0; k < 2; k++) {
+		for (i = 0; i < 16; i++) {
+			X.u32[k * 16 + i] = le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]);
+		}
+	}
+
+	for (i = 0; i < 1024; i++) {
+		for (k = 0; k < 8; k++)
+			V[i * 8 + k] = X.i128[k];
+		xor_salsa8_sse2(&X.i128[0], &X.i128[4]);
+		xor_salsa8_sse2(&X.i128[4], &X.i128[0]);
+	}
+	for (i = 0; i < 1024; i++) {
+		j = 8 * (X.u32[16] & 1023);
+		for (k = 0; k < 8; k++)
+			X.i128[k] = _mm_xor_si128(X.i128[k], V[j + k]);
+		xor_salsa8_sse2(&X.i128[0], &X.i128[4]);
+		xor_salsa8_sse2(&X.i128[4], &X.i128[0]);
+	}
+
+	for (k = 0; k < 2; k++) {
+		for (i = 0; i < 16; i++) {
+			le32enc(&B[(k * 16 + (i * 5 % 16)) * 4], X.u32[k * 16 + i]);
+		}
+	}
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, B, 128, 1, (uint8_t *)output, 32);
+}
diff --git a/src/crypto/scrypt.cpp b/src/crypto/scrypt.cpp
new file mode 100644
index 000000000..887f58770
--- /dev/null
+++ b/src/crypto/scrypt.cpp
@@ -0,0 +1,329 @@
+/*
+ * Copyright 2009 Colin Percival, 2011 ArtForz, 2012-2013 pooler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+
+#include "crypto/scrypt.h"
+//#include "util.h"
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <openssl/sha.h>
+
+#if defined(USE_SSE2) && !defined(USE_SSE2_ALWAYS)
+#ifdef _MSC_VER
+// MSVC 64bit is unable to use inline asm
+#include <intrin.h>
+#else
+// GCC Linux or i686-w64-mingw32
+#include <cpuid.h>
+#endif
+#endif
+
+static inline uint32_t be32dec(const void *pp)
+{
+	const uint8_t *p = (uint8_t const *)pp;
+	return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
+	    ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
+}
+
+static inline void be32enc(void *pp, uint32_t x)
+{
+	uint8_t *p = (uint8_t *)pp;
+	p[3] = x & 0xff;
+	p[2] = (x >> 8) & 0xff;
+	p[1] = (x >> 16) & 0xff;
+	p[0] = (x >> 24) & 0xff;
+}
+
+typedef struct HMAC_SHA256Context {
+	SHA256_CTX ictx;
+	SHA256_CTX octx;
+} HMAC_SHA256_CTX;
+
+/* Initialize an HMAC-SHA256 operation with the given key. */
+static void
+HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
+{
+	unsigned char pad[64];
+	unsigned char khash[32];
+	const unsigned char *K = (const unsigned char *)_K;
+	size_t i;
+
+	/* If Klen > 64, the key is really SHA256(K). */
+	if (Klen > 64) {
+		SHA256_Init(&ctx->ictx);
+		SHA256_Update(&ctx->ictx, K, Klen);
+		SHA256_Final(khash, &ctx->ictx);
+		K = khash;
+		Klen = 32;
+	}
+
+	/* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
+	SHA256_Init(&ctx->ictx);
+	memset(pad, 0x36, 64);
+	for (i = 0; i < Klen; i++)
+		pad[i] ^= K[i];
+	SHA256_Update(&ctx->ictx, pad, 64);
+
+	/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
+	SHA256_Init(&ctx->octx);
+	memset(pad, 0x5c, 64);
+	for (i = 0; i < Klen; i++)
+		pad[i] ^= K[i];
+	SHA256_Update(&ctx->octx, pad, 64);
+
+	/* Clean the stack. */
+	memset(khash, 0, 32);
+}
+
+/* Add bytes to the HMAC-SHA256 operation. */
+static void
+HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
+{
+	/* Feed data to the inner SHA256 operation. */
+	SHA256_Update(&ctx->ictx, in, len);
+}
+
+/* Finish an HMAC-SHA256 operation. */
+static void
+HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
+{
+	unsigned char ihash[32];
+
+	/* Finish the inner SHA256 operation. */
+	SHA256_Final(ihash, &ctx->ictx);
+
+	/* Feed the inner hash to the outer SHA256 operation. */
+	SHA256_Update(&ctx->octx, ihash, 32);
+
+	/* Finish the outer SHA256 operation. */
+	SHA256_Final(digest, &ctx->octx);
+
+	/* Clean the stack. */
+	memset(ihash, 0, 32);
+}
+
+/**
+ * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
+ * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
+ */
+void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
+    size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
+{
+	HMAC_SHA256_CTX PShctx, hctx;
+	size_t i;
+	uint8_t ivec[4];
+	uint8_t U[32];
+	uint8_t T[32];
+	uint64_t j;
+	int k;
+	size_t clen;
+
+	/* Compute HMAC state after processing P and S. */
+	HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
+	HMAC_SHA256_Update(&PShctx, salt, saltlen);
+
+	/* Iterate through the blocks. */
+	for (i = 0; i * 32 < dkLen; i++) {
+		/* Generate INT(i + 1). */
+		be32enc(ivec, (uint32_t)(i + 1));
+
+		/* Compute U_1 = PRF(P, S || INT(i)). */
+		memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
+		HMAC_SHA256_Update(&hctx, ivec, 4);
+		HMAC_SHA256_Final(U, &hctx);
+
+		/* T_i = U_1 ... */
+		memcpy(T, U, 32);
+
+		for (j = 2; j <= c; j++) {
+			/* Compute U_j. */
+			HMAC_SHA256_Init(&hctx, passwd, passwdlen);
+			HMAC_SHA256_Update(&hctx, U, 32);
+			HMAC_SHA256_Final(U, &hctx);
+
+			/* ... xor U_j ... */
+			for (k = 0; k < 32; k++)
+				T[k] ^= U[k];
+		}
+
+		/* Copy as many bytes as necessary into buf. */
+		clen = dkLen - i * 32;
+		if (clen > 32)
+			clen = 32;
+		memcpy(&buf[i * 32], T, clen);
+	}
+
+	/* Clean PShctx, since we never called _Final on it. */
+	memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
+}
+
+#define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
+
+static inline void xor_salsa8(uint32_t B[16], const uint32_t Bx[16])
+{
+	uint32_t x00,x01,x02,x03,x04,x05,x06,x07,x08,x09,x10,x11,x12,x13,x14,x15;
+	int i;
+
+	x00 = (B[ 0] ^= Bx[ 0]);
+	x01 = (B[ 1] ^= Bx[ 1]);
+	x02 = (B[ 2] ^= Bx[ 2]);
+	x03 = (B[ 3] ^= Bx[ 3]);
+	x04 = (B[ 4] ^= Bx[ 4]);
+	x05 = (B[ 5] ^= Bx[ 5]);
+	x06 = (B[ 6] ^= Bx[ 6]);
+	x07 = (B[ 7] ^= Bx[ 7]);
+	x08 = (B[ 8] ^= Bx[ 8]);
+	x09 = (B[ 9] ^= Bx[ 9]);
+	x10 = (B[10] ^= Bx[10]);
+	x11 = (B[11] ^= Bx[11]);
+	x12 = (B[12] ^= Bx[12]);
+	x13 = (B[13] ^= Bx[13]);
+	x14 = (B[14] ^= Bx[14]);
+	x15 = (B[15] ^= Bx[15]);
+	for (i = 0; i < 8; i += 2) {
+		/* Operate on columns. */
+		x04 ^= ROTL(x00 + x12,  7);  x09 ^= ROTL(x05 + x01,  7);
+		x14 ^= ROTL(x10 + x06,  7);  x03 ^= ROTL(x15 + x11,  7);
+
+		x08 ^= ROTL(x04 + x00,  9);  x13 ^= ROTL(x09 + x05,  9);
+		x02 ^= ROTL(x14 + x10,  9);  x07 ^= ROTL(x03 + x15,  9);
+
+		x12 ^= ROTL(x08 + x04, 13);  x01 ^= ROTL(x13 + x09, 13);
+		x06 ^= ROTL(x02 + x14, 13);  x11 ^= ROTL(x07 + x03, 13);
+
+		x00 ^= ROTL(x12 + x08, 18);  x05 ^= ROTL(x01 + x13, 18);
+		x10 ^= ROTL(x06 + x02, 18);  x15 ^= ROTL(x11 + x07, 18);
+
+		/* Operate on rows. */
+		x01 ^= ROTL(x00 + x03,  7);  x06 ^= ROTL(x05 + x04,  7);
+		x11 ^= ROTL(x10 + x09,  7);  x12 ^= ROTL(x15 + x14,  7);
+
+		x02 ^= ROTL(x01 + x00,  9);  x07 ^= ROTL(x06 + x05,  9);
+		x08 ^= ROTL(x11 + x10,  9);  x13 ^= ROTL(x12 + x15,  9);
+
+		x03 ^= ROTL(x02 + x01, 13);  x04 ^= ROTL(x07 + x06, 13);
+		x09 ^= ROTL(x08 + x11, 13);  x14 ^= ROTL(x13 + x12, 13);
+
+		x00 ^= ROTL(x03 + x02, 18);  x05 ^= ROTL(x04 + x07, 18);
+		x10 ^= ROTL(x09 + x08, 18);  x15 ^= ROTL(x14 + x13, 18);
+	}
+	B[ 0] += x00;
+	B[ 1] += x01;
+	B[ 2] += x02;
+	B[ 3] += x03;
+	B[ 4] += x04;
+	B[ 5] += x05;
+	B[ 6] += x06;
+	B[ 7] += x07;
+	B[ 8] += x08;
+	B[ 9] += x09;
+	B[10] += x10;
+	B[11] += x11;
+	B[12] += x12;
+	B[13] += x13;
+	B[14] += x14;
+	B[15] += x15;
+}
+
+void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad)
+{
+	uint8_t B[128];
+	uint32_t X[32];
+	uint32_t *V;
+	uint32_t i, j, k;
+
+	V = (uint32_t *)(((uintptr_t)(scratchpad) + 63) & ~ (uintptr_t)(63));
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, (const uint8_t *)input, 80, 1, B, 128);
+
+	for (k = 0; k < 32; k++)
+		X[k] = le32dec(&B[4 * k]);
+
+	for (i = 0; i < 1024; i++) {
+		memcpy(&V[i * 32], X, 128);
+		xor_salsa8(&X[0], &X[16]);
+		xor_salsa8(&X[16], &X[0]);
+	}
+	for (i = 0; i < 1024; i++) {
+		j = 32 * (X[16] & 1023);
+		for (k = 0; k < 32; k++)
+			X[k] ^= V[j + k];
+		xor_salsa8(&X[0], &X[16]);
+		xor_salsa8(&X[16], &X[0]);
+	}
+
+	for (k = 0; k < 32; k++)
+		le32enc(&B[4 * k], X[k]);
+
+	PBKDF2_SHA256((const uint8_t *)input, 80, B, 128, 1, (uint8_t *)output, 32);
+}
+
+#if defined(USE_SSE2)
+// By default, set to generic scrypt function. This will prevent crash in case when scrypt_detect_sse2() wasn't called
+void (*scrypt_1024_1_1_256_sp_detected)(const char *input, char *output, char *scratchpad) = &scrypt_1024_1_1_256_sp_generic;
+
+void scrypt_detect_sse2()
+{
+#if defined(USE_SSE2_ALWAYS)
+    printf("scrypt: using scrypt-sse2 as built.\n");
+#else // USE_SSE2_ALWAYS
+    // 32bit x86 Linux or Windows, detect cpuid features
+    unsigned int cpuid_edx=0;
+#if defined(_MSC_VER)
+    // MSVC
+    int x86cpuid[4];
+    __cpuid(x86cpuid, 1);
+    cpuid_edx = (unsigned int)buffer[3];
+#else // _MSC_VER
+    // Linux or i686-w64-mingw32 (gcc-4.6.3)
+    unsigned int eax, ebx, ecx;
+    __get_cpuid(1, &eax, &ebx, &ecx, &cpuid_edx);
+#endif // _MSC_VER
+
+    if (cpuid_edx & 1<<26)
+    {
+        scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_sse2;
+        printf("scrypt: using scrypt-sse2 as detected.\n");
+    }
+    else
+    {
+        scrypt_1024_1_1_256_sp_detected = &scrypt_1024_1_1_256_sp_generic;
+        printf("scrypt: using scrypt-generic, SSE2 unavailable.\n");
+    }
+#endif // USE_SSE2_ALWAYS
+}
+#endif
+
+void scrypt_1024_1_1_256(const char *input, char *output)
+{
+	char scratchpad[SCRYPT_SCRATCHPAD_SIZE];
+    scrypt_1024_1_1_256_sp(input, output, scratchpad);
+}
diff --git a/src/crypto/scrypt.h b/src/crypto/scrypt.h
new file mode 100644
index 000000000..5431fb67c
--- /dev/null
+++ b/src/crypto/scrypt.h
@@ -0,0 +1,45 @@
+#ifndef SCRYPT_H
+#define SCRYPT_H
+#include <stdlib.h>
+#include <stdint.h>
+
+static const int SCRYPT_SCRATCHPAD_SIZE = 131072 + 63;
+
+void scrypt_1024_1_1_256(const char *input, char *output);
+void scrypt_1024_1_1_256_sp_generic(const char *input, char *output, char *scratchpad);
+
+#if defined(USE_SSE2)
+#if defined(_M_X64) || defined(__x86_64__) || defined(_M_AMD64) || (defined(MAC_OSX) && defined(__i386__))
+#define USE_SSE2_ALWAYS 1
+#define scrypt_1024_1_1_256_sp(input, output, scratchpad) scrypt_1024_1_1_256_sp_sse2((input), (output), (scratchpad))
+#else
+#define scrypt_1024_1_1_256_sp(input, output, scratchpad) scrypt_1024_1_1_256_sp_detected((input), (output), (scratchpad))
+#endif
+
+void scrypt_detect_sse2();
+void scrypt_1024_1_1_256_sp_sse2(const char *input, char *output, char *scratchpad);
+extern void (*scrypt_1024_1_1_256_sp_detected)(const char *input, char *output, char *scratchpad);
+#else
+#define scrypt_1024_1_1_256_sp(input, output, scratchpad) scrypt_1024_1_1_256_sp_generic((input), (output), (scratchpad))
+#endif
+
+void
+PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
+    size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen);
+
+static inline uint32_t le32dec(const void *pp)
+{
+        const uint8_t *p = (uint8_t const *)pp;
+        return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
+            ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
+}
+
+static inline void le32enc(void *pp, uint32_t x)
+{
+        uint8_t *p = (uint8_t *)pp;
+        p[0] = x & 0xff;
+        p[1] = (x >> 8) & 0xff;
+        p[2] = (x >> 16) & 0xff;
+        p[3] = (x >> 24) & 0xff;
+}
+#endif
-- 
cgit v1.2.3


From 57dae15a77410684126a9dfbcc6a72faff827906 Mon Sep 17 00:00:00 2001
From: Ross Nicoll <jrn@jrn.me.uk>
Date: Sat, 20 Jan 2018 17:51:39 +0000
Subject: Replace HMAC_SHA256 with Bitcoin's version (#1438)

---
 src/crypto/hmac_sha256.h |   5 +++
 src/crypto/scrypt.cpp    | 110 +++++++++--------------------------------------
 2 files changed, 25 insertions(+), 90 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/hmac_sha256.h b/src/crypto/hmac_sha256.h
index 1519c1457..18f20d232 100644
--- a/src/crypto/hmac_sha256.h
+++ b/src/crypto/hmac_sha256.h
@@ -9,6 +9,7 @@
 
 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 
 /** A hasher class for HMAC-SHA-512. */
 class CHMAC_SHA256
@@ -21,6 +22,10 @@ public:
     static const size_t OUTPUT_SIZE = 32;
 
     CHMAC_SHA256(const unsigned char* key, size_t keylen);
+    void Copy(CHMAC_SHA256* dest)
+    {
+        memcpy(dest, this, sizeof(CHMAC_SHA256));
+    }
     CHMAC_SHA256& Write(const unsigned char* data, size_t len)
     {
         inner.Write(data, len);
diff --git a/src/crypto/scrypt.cpp b/src/crypto/scrypt.cpp
index 887f58770..900154a39 100644
--- a/src/crypto/scrypt.cpp
+++ b/src/crypto/scrypt.cpp
@@ -28,7 +28,7 @@
  */
 
 #include "crypto/scrypt.h"
-//#include "util.h"
+#include "crypto/hmac_sha256.h"
 #include <stdlib.h>
 #include <stdint.h>
 #include <string.h>
@@ -60,74 +60,6 @@ static inline void be32enc(void *pp, uint32_t x)
 	p[0] = (x >> 24) & 0xff;
 }
 
-typedef struct HMAC_SHA256Context {
-	SHA256_CTX ictx;
-	SHA256_CTX octx;
-} HMAC_SHA256_CTX;
-
-/* Initialize an HMAC-SHA256 operation with the given key. */
-static void
-HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *_K, size_t Klen)
-{
-	unsigned char pad[64];
-	unsigned char khash[32];
-	const unsigned char *K = (const unsigned char *)_K;
-	size_t i;
-
-	/* If Klen > 64, the key is really SHA256(K). */
-	if (Klen > 64) {
-		SHA256_Init(&ctx->ictx);
-		SHA256_Update(&ctx->ictx, K, Klen);
-		SHA256_Final(khash, &ctx->ictx);
-		K = khash;
-		Klen = 32;
-	}
-
-	/* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */
-	SHA256_Init(&ctx->ictx);
-	memset(pad, 0x36, 64);
-	for (i = 0; i < Klen; i++)
-		pad[i] ^= K[i];
-	SHA256_Update(&ctx->ictx, pad, 64);
-
-	/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */
-	SHA256_Init(&ctx->octx);
-	memset(pad, 0x5c, 64);
-	for (i = 0; i < Klen; i++)
-		pad[i] ^= K[i];
-	SHA256_Update(&ctx->octx, pad, 64);
-
-	/* Clean the stack. */
-	memset(khash, 0, 32);
-}
-
-/* Add bytes to the HMAC-SHA256 operation. */
-static void
-HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len)
-{
-	/* Feed data to the inner SHA256 operation. */
-	SHA256_Update(&ctx->ictx, in, len);
-}
-
-/* Finish an HMAC-SHA256 operation. */
-static void
-HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX *ctx)
-{
-	unsigned char ihash[32];
-
-	/* Finish the inner SHA256 operation. */
-	SHA256_Final(ihash, &ctx->ictx);
-
-	/* Feed the inner hash to the outer SHA256 operation. */
-	SHA256_Update(&ctx->octx, ihash, 32);
-
-	/* Finish the outer SHA256 operation. */
-	SHA256_Final(digest, &ctx->octx);
-
-	/* Clean the stack. */
-	memset(ihash, 0, 32);
-}
-
 /**
  * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
  * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
@@ -137,18 +69,19 @@ void
 PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
     size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
 {
-	HMAC_SHA256_CTX PShctx, hctx;
+	CHMAC_SHA256 baseCtx = CHMAC_SHA256(passwd, passwdlen);
+	CHMAC_SHA256 PShctx = CHMAC_SHA256(passwd, passwdlen);
+	CHMAC_SHA256 hctx = CHMAC_SHA256(passwd, passwdlen);
 	size_t i;
 	uint8_t ivec[4];
-	uint8_t U[32];
-	uint8_t T[32];
+	uint8_t U[CHMAC_SHA256::OUTPUT_SIZE];
+	uint8_t T[CHMAC_SHA256::OUTPUT_SIZE];
 	uint64_t j;
-	int k;
+	unsigned int k;
 	size_t clen;
 
 	/* Compute HMAC state after processing P and S. */
-	HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
-	HMAC_SHA256_Update(&PShctx, salt, saltlen);
+	PShctx.Write(salt, saltlen);
 
 	/* Iterate through the blocks. */
 	for (i = 0; i * 32 < dkLen; i++) {
@@ -156,33 +89,30 @@ PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
 		be32enc(ivec, (uint32_t)(i + 1));
 
 		/* Compute U_1 = PRF(P, S || INT(i)). */
-		memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
-		HMAC_SHA256_Update(&hctx, ivec, 4);
-		HMAC_SHA256_Final(U, &hctx);
+		PShctx.Copy(&hctx);
+		hctx.Write(ivec, 4);
+		hctx.Finalize(U);
 
 		/* T_i = U_1 ... */
-		memcpy(T, U, 32);
+		memcpy(T, U, CHMAC_SHA256::OUTPUT_SIZE);
 
 		for (j = 2; j <= c; j++) {
 			/* Compute U_j. */
-			HMAC_SHA256_Init(&hctx, passwd, passwdlen);
-			HMAC_SHA256_Update(&hctx, U, 32);
-			HMAC_SHA256_Final(U, &hctx);
+			baseCtx.Copy(&hctx);
+			hctx.Write(U, CHMAC_SHA256::OUTPUT_SIZE);
+			hctx.Finalize(U);
 
 			/* ... xor U_j ... */
-			for (k = 0; k < 32; k++)
+			for (k = 0; k < CHMAC_SHA256::OUTPUT_SIZE; k++)
 				T[k] ^= U[k];
 		}
 
 		/* Copy as many bytes as necessary into buf. */
-		clen = dkLen - i * 32;
-		if (clen > 32)
-			clen = 32;
-		memcpy(&buf[i * 32], T, clen);
+		clen = dkLen - i * CHMAC_SHA256::OUTPUT_SIZE;
+		if (clen > CHMAC_SHA256::OUTPUT_SIZE)
+			clen = CHMAC_SHA256::OUTPUT_SIZE;
+		memcpy(&buf[i * CHMAC_SHA256::OUTPUT_SIZE], T, clen);
 	}
-
-	/* Clean PShctx, since we never called _Final on it. */
-	memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
 }
 
 #define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
-- 
cgit v1.2.3