Source tree from which scrypt-1.0 release was built.

FORMAT

@@ -0,0 +1,18 @@
+scrypt encrypted data format
+----------------------------
+
+offset	length
+0	6	"scrypt"
+6	1	scrypt data file version number (== 0)
+7	1	log2(N) (must be between 1 and 63 inclusive)
+8	4	r (big-endian integer; must satisfy r * p < 2^30)
+12	4	p (big-endian integer; must satisfy r * p < 2^30)
+16	32	salt
+48	16	first 16 bytes of SHA256(bytes 0 .. 47)
+64	32	HMAC-SHA256(bytes 0 .. 63)
+96	X	data xor AES256-CTR key stream generated with nonce == 0
+96+X	32	HMAC-SHA256(bytes 96 .. 96 + (X - 1))
+
+AES256-CTR is computed with a 256-bit AES key key_enc, and HMAC-SHA256 is
+computed with a 256-bit key key_hmac, where
+  scrypt(password, salt, N, r, p, 64) == [key_enc][key_hmac]

Makefile

@@ -0,0 +1,14 @@
+PROG=	scrypt
+VER?=	nosse
+SRCS=	main.c sha256.c scrypt-${VER}.c scryptenc.c crypto_aesctr.c
+LDADD+=	-lcrypto
+WARNS?=	6
+NO_MAN=	yes
+
+# We have a config file for FreeBSD
+CFLAGS	+=	-DCONFIG_H_FILE=\"config_freebsd.h\"
+
+# Include all possible object files containing built scrypt code.
+CLEANFILES	+=	scrypt-ref.o scrypt-sse.o scrypt-nosse.o
+
+.include <bsd.prog.mk>

config_freebsd.h

@@ -0,0 +1,5 @@
+/* A default configuration for FreeBSD, used if there is no config.h. */
+
+#define	HAVE_SYS_ENDIAN_H 1
+#define HAVE_POSIX_MEMALIGN 1
+#define HAVE_SYSCTL_HW_USERMEM_ULONG 1

crypto_aesctr.c

@@ -0,0 +1,124 @@
+/*-
+ * Copyright 2007-2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#include "scrypt_platform.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <openssl/aes.h>
+
+#include "sysendian.h"
+
+#include "crypto_aesctr.h"
+
+struct crypto_aesctr {
+	AES_KEY * key;
+	uint64_t nonce;
+	uint64_t bytectr;
+	uint8_t buf[16];
+};
+
+/**
+ * crypto_aesctr_init(key, nonce):
+ * Prepare to encrypt/decrypt data with AES in CTR mode, using the provided
+ * expanded key and nonce.  The key provided must remain valid for the
+ * lifetime of the stream.
+ */
+struct crypto_aesctr *
+crypto_aesctr_init(AES_KEY * key, uint64_t nonce)
+{
+	struct crypto_aesctr * stream;
+
+	/* Allocate memory. */
+	if ((stream = malloc(sizeof(struct crypto_aesctr))) == NULL)
+		goto err0;
+
+	/* Initialize values. */
+	stream->key = key;
+	stream->nonce = nonce;
+	stream->bytectr = 0;
+
+	/* Success! */
+	return (stream);
+
+err0:
+	/* Failure! */
+	return (NULL);
+}
+
+/**
+ * crypto_aesctr_stream(stream, inbuf, outbuf, buflen):
+ * Generate the next ${buflen} bytes of the AES-CTR stream and xor them with
+ * bytes from ${inbuf}, writing the result into ${outbuf}.  If the buffers
+ * ${inbuf} and ${outbuf} overlap, they must be identical.
+ */
+void
+crypto_aesctr_stream(struct crypto_aesctr * stream, const uint8_t * inbuf,
+    uint8_t * outbuf, size_t buflen)
+{
+	uint8_t pblk[16];
+	size_t pos;
+	int bytemod;
+
+	for (pos = 0; pos < buflen; pos++) {
+		/* How far through the buffer are we? */
+		bytemod = stream->bytectr % 16;
+
+		/* Generate a block of cipherstream if needed. */
+		if (bytemod == 0) {
+			be64enc(pblk, stream->nonce);
+			be64enc(pblk + 8, stream->bytectr / 16);
+			AES_encrypt(pblk, stream->buf, stream->key);
+		}
+
+		/* Encrypt a byte. */
+		outbuf[pos] = inbuf[pos] ^ stream->buf[bytemod];
+
+		/* Move to the next byte of cipherstream. */
+		stream->bytectr += 1;
+	}
+}
+
+/**
+ * crypto_aesctr_free(stream):
+ * Free the provided stream object.
+ */
+void
+crypto_aesctr_free(struct crypto_aesctr * stream)
+{
+	int i;
+
+	/* Zero potentially sensitive information. */
+	for (i = 0; i < 16; i++)
+		stream->buf[i] = 0;
+	stream->bytectr = stream->nonce = 0;
+
+	/* Free the stream. */
+	free(stream);
+}

crypto_aesctr.h

@@ -0,0 +1,59 @@
+/*-
+ * Copyright 2009 Colin Percival
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This file was originally written by Colin Percival as part of the Tarsnap
+ * online backup system.
+ */
+#ifndef _CRYPTO_AESCTR_H_
+#define _CRYPTO_AESCTR_H_
+
+#include <stdint.h>
+
+#include <openssl/aes.h>
+
+/**
+ * crypto_aesctr_init(key, nonce):
+ * Prepare to encrypt/decrypt data with AES in CTR mode, using the provided
+ * expanded key and nonce.  The key provided must remain valid for the
+ * lifetime of the stream.
+ */
+struct crypto_aesctr * crypto_aesctr_init(AES_KEY *, uint64_t);
+
+/**
+ * crypto_aesctr_stream(stream, inbuf, outbuf, buflen):
+ * Generate the next ${buflen} bytes of the AES-CTR stream and xor them with
+ * bytes from ${inbuf}, writing the result into ${outbuf}.  If the buffers
+ * ${inbuf} and ${outbuf} overlap, they must be identical.
+ */
+void crypto_aesctr_stream(struct crypto_aesctr *, const uint8_t *,
+    uint8_t *, size_t);
+
+/**
+ * crypto_aesctr_free(stream):
+ * Free the provided stream object.
+ */
+void crypto_aesctr_free(struct crypto_aesctr *);
+
+#endif /* !_CRYPTO_AESCTR_H_ */