1
/*-
2
 * Copyright 2009 Colin Percival
3
 * Copyright 2013,2014 Alexander Peslyak
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 *
15
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25
 * SUCH DAMAGE.
26
 *
27
 * This file was originally written by Colin Percival as part of the Tarsnap
28
 * online backup system.
29
 */
30

31
#ifndef YESCRYPT_H
32
#define YESCRYPT_H
33

34
#ifdef __cplusplus
35
extern "C" {
36
#endif
37

38
#include <stdint.h>
39
#include <stdlib.h> /* for size_t */
40

41
void yescrypt_hash(const char* input, char* output, uint32_t len);
42
void yescrypt_hash_r8(const char* input, char* output, uint32_t len);
43
void yescrypt_hash_r16(const char* input, char* output, uint32_t len);
44
void yescrypt_hash_r32(const char* input, char* output, uint32_t len);
45

46

47
/**
48
 * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
49
 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
50
 * p, buflen) and write the result into buf.  The parameters r, p, and buflen
51
 * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
52
 * must be a power of 2 greater than 1.
53
 *
54
 * Return 0 on success; or -1 on error.
55
 *
56
 * MT-safe as long as buf is local to the thread.
57
 */
58
extern int crypto_scrypt(const uint8_t * __passwd, size_t __passwdlen,
59
    const uint8_t * __salt, size_t __saltlen,
60
    uint64_t __N, uint32_t __r, uint32_t __p,
61
    uint8_t * __buf, size_t __buflen);
62

63
/**
64
 * Internal type used by the memory allocator.  Please do not use it directly.
65
 * Use yescrypt_shared_t and yescrypt_local_t as appropriate instead, since
66
 * they might differ from each other in a future version.
67
 */
68
typedef struct {
69
	void * base, * aligned;
70
	size_t base_size, aligned_size;
71
} yescrypt_region_t;
72

73
/**
74
 * Types for shared (ROM) and thread-local (RAM) data structures.
75
 */
76
typedef yescrypt_region_t yescrypt_shared1_t;
77
typedef struct {
78
	yescrypt_shared1_t shared1;
79
	uint32_t mask1;
80
} yescrypt_shared_t;
81
typedef yescrypt_region_t yescrypt_local_t;
82

83
/**
84
 * Possible values for yescrypt_init_shared()'s flags argument.
85
 */
86
typedef enum {
87
	YESCRYPT_SHARED_DEFAULTS = 0,
88
	YESCRYPT_SHARED_PREALLOCATED = 0x100
89
} yescrypt_init_shared_flags_t;
90

91
/**
92
 * Possible values for the flags argument of yescrypt_kdf(),
93
 * yescrypt_gensalt_r(), yescrypt_gensalt().  These may be OR'ed together,
94
 * except that YESCRYPT_WORM and YESCRYPT_RW are mutually exclusive.
95
 * Please refer to the description of yescrypt_kdf() below for the meaning of
96
 * these flags.
97
 */
98
typedef enum {
99
/* public */
100
	YESCRYPT_WORM = 0,
101
	YESCRYPT_RW = 1,
102
	YESCRYPT_PARALLEL_SMIX = 2,
103
	YESCRYPT_PWXFORM = 4,
104
/* private */
105
	__YESCRYPT_INIT_SHARED_1 = 0x10000,
106
	__YESCRYPT_INIT_SHARED_2 = 0x20000,
107
	__YESCRYPT_INIT_SHARED = 0x30000
108
} yescrypt_flags_t;
109

110
#define YESCRYPT_KNOWN_FLAGS \
111
	(YESCRYPT_RW | YESCRYPT_PARALLEL_SMIX | YESCRYPT_PWXFORM | \
112
	__YESCRYPT_INIT_SHARED)
113

114
/**
115
 * yescrypt_init_shared(shared, param, paramlen, N, r, p, flags, mask,
116
 *     buf, buflen):
117
 * Optionally allocate memory for and initialize the shared (ROM) data
118
 * structure.  The parameters N, r, and p must satisfy the same conditions as
119
 * with crypto_scrypt().  param and paramlen specify a local parameter with
120
 * which the ROM is seeded.  If buf is not NULL, then it is used to return
121
 * buflen bytes of message digest for the initialized ROM (the caller may use
122
 * this to verify that the ROM has been computed in the same way that it was on
123
 * a previous run).
124
 *
125
 * Return 0 on success; or -1 on error.
126
 *
127
 * If bit YESCRYPT_SHARED_PREALLOCATED in flags is set, then memory for the
128
 * ROM is assumed to have been preallocated by the caller, with
129
 * shared->shared1.aligned being the start address of the ROM and
130
 * shared->shared1.aligned_size being its size (which must be consistent with
131
 * N, r, and p).  This may be used e.g. when the ROM is to be placed in a SysV
132
 * shared memory segment allocated by the caller.
133
 *
134
 * mask controls the frequency of ROM accesses by yescrypt_kdf().  Normally it
135
 * should be set to 1, to interleave RAM and ROM accesses, which works well
136
 * when both regions reside in the machine's RAM anyway.  Other values may be
137
 * used e.g. when the ROM is memory-mapped from a disk file.  Recommended mask
138
 * values are powers of 2 minus 1 or minus 2.  Here's the effect of some mask
139
 * values:
140
 * mask	value	ROM accesses in SMix 1st loop	ROM accesses in SMix 2nd loop
141
 *	0		0				1/2
142
 *	1		1/2				1/2
143
 *	2		0				1/4
144
 *	3		1/4				1/4
145
 *	6		0				1/8
146
 *	7		1/8				1/8
147
 *	14		0				1/16
148
 *	15		1/16				1/16
149
 *	1022		0				1/1024
150
 *	1023		1/1024				1/1024
151
 *
152
 * Actual computation of the ROM contents may be avoided, if you don't intend
153
 * to use a ROM but need a dummy shared structure, by calling this function
154
 * with NULL, 0, 0, 0, 0, YESCRYPT_SHARED_DEFAULTS, 0, NULL, 0 for the
155
 * arguments starting with param and on.
156
 *
157
 * MT-safe as long as shared is local to the thread.
158
 */
159
extern int yescrypt_init_shared(yescrypt_shared_t * __shared,
160
    const uint8_t * __param, size_t __paramlen,
161
    uint64_t __N, uint32_t __r, uint32_t __p,
162
    yescrypt_init_shared_flags_t __flags, uint32_t __mask,
163
    uint8_t * __buf, size_t __buflen);
164

165
/**
166
 * yescrypt_free_shared(shared):
167
 * Free memory that had been allocated with yescrypt_init_shared().
168
 *
169
 * Return 0 on success; or -1 on error.
170
 *
171
 * MT-safe as long as shared is local to the thread.
172
 */
173
extern int yescrypt_free_shared(yescrypt_shared_t * __shared);
174

175
/**
176
 * yescrypt_init_local(local):
177
 * Initialize the thread-local (RAM) data structure.  Actual memory allocation
178
 * is currently fully postponed until a call to yescrypt_kdf() or yescrypt_r().
179
 *
180
 * Return 0 on success; or -1 on error.
181
 *
182
 * MT-safe as long as local is local to the thread.
183
 */
184
extern int yescrypt_init_local(yescrypt_local_t * __local);
185

186
/**
187
 * yescrypt_free_local(local):
188
 * Free memory that may have been allocated for an initialized thread-local
189
 * (RAM) data structure.
190
 *
191
 * Return 0 on success; or -1 on error.
192
 *
193
 * MT-safe as long as local is local to the thread.
194
 */
195
extern int yescrypt_free_local(yescrypt_local_t * __local);
196

197
/**
198
 * yescrypt_kdf(shared, local, passwd, passwdlen, salt, saltlen,
199
 *     N, r, p, t, flags, buf, buflen):
200
 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
201
 * p, buflen), or a revision of scrypt as requested by flags and shared, and
202
 * write the result into buf.  The parameters N, r, p, and buflen must satisfy
203
 * the same conditions as with crypto_scrypt().  t controls computation time
204
 * while not affecting peak memory usage.  shared and flags may request
205
 * special modes as described below.  local is the thread-local data
206
 * structure, allowing to preserve and reuse a memory allocation across calls,
207
 * thereby reducing its overhead.
208
 *
209
 * Return 0 on success; or -1 on error.
210
 *
211
 * t controls computation time.  t = 0 is optimal in terms of achieving the
212
 * highest area-time for ASIC attackers.  Thus, higher computation time, if
213
 * affordable, is best achieved by increasing N rather than by increasing t.
214
 * However, if the higher memory usage (which goes along with higher N) is not
215
 * affordable, or if fine-tuning of the time is needed (recall that N must be a
216
 * power of 2), then t = 1 or above may be used to increase time while staying
217
 * at the same peak memory usage.  t = 1 increases the time by 25% and
218
 * decreases the normalized area-time to 96% of optimal.  (Of course, in
219
 * absolute terms the area-time increases with higher t.  It's just that it
220
 * would increase slightly more with higher N*r rather than with higher t.)
221
 * t = 2 increases the time by another 20% and decreases the normalized
222
 * area-time to 89% of optimal.  Thus, these two values are reasonable to use
223
 * for fine-tuning.  Values of t higher than 2 result in further increase in
224
 * time while reducing the efficiency much further (e.g., down to around 50% of
225
 * optimal for t = 5, which runs 3 to 4 times slower than t = 0, with exact
226
 * numbers varying by the flags settings).
227
 *
228
 * Classic scrypt is available by setting t = 0 and flags to YESCRYPT_WORM and
229
 * passing a dummy shared structure (see the description of
230
 * yescrypt_init_shared() above for how to produce one).  In this mode, the
231
 * thread-local memory region (RAM) is first sequentially written to and then
232
 * randomly read from.  This algorithm is friendly towards time-memory
233
 * tradeoffs (TMTO), available both to defenders (albeit not in this
234
 * implementation) and to attackers.
235
 *
236
 * Setting YESCRYPT_RW adds extra random reads and writes to the thread-local
237
 * memory region (RAM), which makes TMTO a lot less efficient.  This may be
238
 * used to slow down the kinds of attackers who would otherwise benefit from
239
 * classic scrypt's efficient TMTO.  Since classic scrypt's TMTO allows not
240
 * only for the tradeoff, but also for a decrease of attacker's area-time (by
241
 * up to a constant factor), setting YESCRYPT_RW substantially increases the
242
 * cost of attacks in area-time terms as well.  Yet another benefit of it is
243
 * that optimal area-time is reached at an earlier time than with classic
244
 * scrypt, and t = 0 actually corresponds to this earlier completion time,
245
 * resulting in quicker hash computations (and thus in higher request rate
246
 * capacity).  Due to these properties, YESCRYPT_RW should almost always be
247
 * set, except when compatibility with classic scrypt or TMTO-friendliness are
248
 * desired.
249
 *
250
 * YESCRYPT_PARALLEL_SMIX moves parallelism that is present with p > 1 to a
251
 * lower level as compared to where it is in classic scrypt.  This reduces
252
 * flexibility for efficient computation (for both attackers and defenders) by
253
 * requiring that, short of resorting to TMTO, the full amount of memory be
254
 * allocated as needed for the specified p, regardless of whether that
255
 * parallelism is actually being fully made use of or not.  (For comparison, a
256
 * single instance of classic scrypt may be computed in less memory without any
257
 * CPU time overhead, but in more real time, by not making full use of the
258
 * parallelism.)  This may be desirable when the defender has enough memory
259
 * with sufficiently low latency and high bandwidth for efficient full parallel
260
 * execution, yet the required memory size is high enough that some likely
261
 * attackers might end up being forced to choose between using higher latency
262
 * memory than they could use otherwise (waiting for data longer) or using TMTO
263
 * (waiting for data more times per one hash computation).  The area-time cost
264
 * for other kinds of attackers (who would use the same memory type and TMTO
265
 * factor or no TMTO either way) remains roughly the same, given the same
266
 * running time for the defender.  In the TMTO-friendly YESCRYPT_WORM mode, as
267
 * long as the defender has enough memory that is just as fast as the smaller
268
 * per-thread regions would be, doesn't expect to ever need greater
269
 * flexibility (except possibly via TMTO), and doesn't need backwards
270
 * compatibility with classic scrypt, there are no other serious drawbacks to
271
 * this setting.  In the YESCRYPT_RW mode, which is meant to discourage TMTO,
272
 * this new approach to parallelization makes TMTO less inefficient.  (This is
273
 * an unfortunate side-effect of avoiding some random writes, as we have to in
274
 * order to allow for parallel threads to access a common memory region without
275
 * synchronization overhead.)  Thus, in this mode this setting poses an extra
276
 * tradeoff of its own (higher area-time cost for a subset of attackers vs.
277
 * better TMTO resistance).  Setting YESCRYPT_PARALLEL_SMIX also changes the
278
 * way the running time is to be controlled from N*r*p (for classic scrypt) to
279
 * N*r (in this modification).  All of this applies only when p > 1.  For
280
 * p = 1, this setting is a no-op.
281
 *
282
 * Passing a real shared structure, with ROM contents previously computed by
283
 * yescrypt_init_shared(), enables the use of ROM and requires YESCRYPT_RW for
284
 * the thread-local RAM region.  In order to allow for initialization of the
285
 * ROM to be split into a separate program, the shared->shared1.aligned and
286
 * shared->shared1.aligned_size fields may be set by the caller of
287
 * yescrypt_kdf() manually rather than with yescrypt_init_shared().
288
 *
289
 * local must be initialized with yescrypt_init_local().
290
 *
291
 * MT-safe as long as local and buf are local to the thread.
292
 */
293
extern int yescrypt_kdf(const yescrypt_shared_t * __shared,
294
    yescrypt_local_t * __local,
295
    const uint8_t * __passwd, size_t __passwdlen,
296
    const uint8_t * __salt, size_t __saltlen,
297
    uint64_t __N, uint32_t __r, uint32_t __p, uint32_t __t,
298
    yescrypt_flags_t __flags,
299
    uint8_t * __buf, size_t __buflen);
300

301
/**
302
 * yescrypt_r(shared, local, passwd, passwdlen, setting, buf, buflen):
303
 * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
304
 * parameters and salt value encoded in setting.  If the shared structure is
305
 * not dummy, a ROM is used and YESCRYPT_RW is required.  Otherwise, whether to
306
 * use the YESCRYPT_WORM (classic scrypt) or YESCRYPT_RW (time-memory tradeoff
307
 * discouraging modification) is determined by the setting string.  shared and
308
 * local must be initialized as described above for yescrypt_kdf().  buf must
309
 * be large enough (as indicated by buflen) to hold the encoded hash string.
310
 *
311
 * Return the encoded hash string on success; or NULL on error.
312
 *
313
 * MT-safe as long as local and buf are local to the thread.
314
 */
315
extern uint8_t * yescrypt_r(const yescrypt_shared_t * __shared,
316
    yescrypt_local_t * __local,
317
    const uint8_t * __passwd, size_t __passwdlen,
318
    const uint8_t * __setting,
319
    uint8_t * __buf, size_t __buflen);
320

321
/**
322
 * yescrypt(passwd, setting):
323
 * Compute and encode an scrypt or enhanced scrypt hash of passwd given the
324
 * parameters and salt value encoded in setting.  Whether to use the
325
 * YESCRYPT_WORM (classic scrypt) or YESCRYPT_RW (time-memory tradeoff
326
 * discouraging modification) is determined by the setting string.
327
 *
328
 * Return the encoded hash string on success; or NULL on error.
329
 *
330
 * This is a crypt(3)-like interface, which is simpler to use than
331
 * yescrypt_r(), but it is not MT-safe, it does not allow for the use of a ROM,
332
 * and it is slower than yescrypt_r() for repeated calls because it allocates
333
 * and frees memory on each call.
334
 *
335
 * MT-unsafe.
336
 */
337
extern uint8_t * yescrypt(const uint8_t * __passwd, const uint8_t * __setting);
338

339
/**
340
 * yescrypt_gensalt_r(N_log2, r, p, flags, src, srclen, buf, buflen):
341
 * Generate a setting string for use with yescrypt_r() and yescrypt() by
342
 * encoding into it the parameters N_log2 (which is to be set to base 2
343
 * logarithm of the desired value for N), r, p, flags, and a salt given by src
344
 * (of srclen bytes).  buf must be large enough (as indicated by buflen) to
345
 * hold the setting string.
346
 *
347
 * Return the setting string on success; or NULL on error.
348
 *
349
 * MT-safe as long as buf is local to the thread.
350
 */
351
extern uint8_t * yescrypt_gensalt_r(
352
    uint32_t __N_log2, uint32_t __r, uint32_t __p,
353
    yescrypt_flags_t __flags,
354
    const uint8_t * __src, size_t __srclen,
355
    uint8_t * __buf, size_t __buflen);
356

357
/**
358
 * yescrypt_gensalt(N_log2, r, p, flags, src, srclen):
359
 * Generate a setting string for use with yescrypt_r() and yescrypt().  This
360
 * function is the same as yescrypt_gensalt_r() except that it uses a static
361
 * buffer and thus is not MT-safe.
362
 *
363
 * Return the setting string on success; or NULL on error.
364
 *
365
 * MT-unsafe.
366
 */
367
extern uint8_t * yescrypt_gensalt(
368
    uint32_t __N_log2, uint32_t __r, uint32_t __p,
369
    yescrypt_flags_t __flags,
370
    const uint8_t * __src, size_t __srclen);
371

372
extern char *yescrypt_client_key;
373
extern int yescrypt_client_key_len;
374

375
#ifdef __cplusplus
376
}
377
#endif
378

379
#endif
380

381