File: debian-changes

package info (click to toggle)
scrypt 1.3.1-2
links: PTS, VCS
area: main
in suites: bookworm
size: 2,080 kB
sloc: sh: 5,178; ansic: 4,443; makefile: 166
file content (624 lines) | stat: -rw-r--r-- 23,707 bytes
This is an autogenerated patch header for a single-debian-patch file. The
delta against upstream is either kept as a single patch, or maintained
in some VCS, and exported as a single patch instead of more manageable
atomic patches.

--- /dev/null
+++ scrypt-1.3.1/.autom4te.cfg
@@ -0,0 +1,7 @@
+## ------------------ ##
+## User Preferences.  ##
+## ------------------ ##
+
+begin-language: "Autoconf-without-aclocal-m4"
+args: --no-cache
+end-language: "Autoconf-without-aclocal-m4"
--- /dev/null
+++ scrypt-1.3.1/.travis.yml
@@ -0,0 +1,45 @@
+language: c
+os: linux
+# Ubuntu xenial 16.04 comes with valgrind-3.11, which can't handle the
+# RDRAND instructions and aborts with "Illegal instruction".  This is not a
+# problem with Ubuntu bionic 18.04, which has valgrind-3.13.
+dist: bionic
+addons:
+  apt:
+    packages:
+      - valgrind
+jobs:
+  include:
+    - compiler: gcc
+      env: CFLAGS_STRICT="-Wall -Wextra -Werror -Wpedantic -pedantic-errors -Wno-clobbered"
+    - compiler: clang
+      env: CFLAGS_STRICT="-Wall -Wextra -Werror -Weverything -Wno-#warnings -Wno-pedantic -Wno-padded -Wno-format-nonliteral -Wno-disabled-macro-expansion -Wno-missing-noreturn -Wno-reserved-id-macro -Wno-documentation-unknown-command"
+env:
+  global:
+    # Some projects need -std=c99 to specify library support for ./configure
+    - CFLAGS="-std=c99 -O2"
+    - secure: "FDGqRY+fCRQDkkY5YohCNqecntL6/AV0N4qqrJ1F+FOOOr3SKwt6dH4dJ30CZQWG/0qHNeaCDdE0HNwgCv4xjreh80NPLL6FyHz8mkz/hajKc47LYXvIxv1u8DQyUtSYA+cxEyNtJt8lb4+7ZL2lm6E1UXTjYl+8far1vpI8RjkOFIdLx2cW6LzQ6OZ2vQq5INfW6PIEPdjLD7PreLmEZY385Tjh2C77UAnq7AcG2xVd7SMAjZjkqOyVs0Eo8JD2+xhBIVCQ5H0FUIL8Upp1Th2LhxcYAccj0W5r58D6HWZLzsoNi09eb6ozKZbQRyTqfdRKuVxDZznjHsdkbGme81q7epFxOB+2ushu9lnpvFko7vJ1wstjdCcrs6lAVrCP43gU3DpyGb7BKGPLEX6ty2PWLkj5lQVOiHxxhlHkSGSn79PDOnsJsLkEqw4MEeOtcVPBF+qLLrqntLJnMAr1npdCsLgyfc1bdV6ZpgO6bdW6EOGMwl6L9ZBQgAW+CemZEy5TSAUjHS6VspMKCE2FIkzftKhq2adR0Wi1tJU1OiYVEBSgFzceNVNPQgyLojgXq8VEej7G0loj9ni4t2hd7jMhZKwQjPeYrf4xiw1rpvu64Ro7ZeAlfzqzlg4EaNcqcy+uB2gaeWW74z0j09RZd3HBkAADgbadIvgbly9lW/E="
+    - COVERITY_SCAN_PROJECT_NAME="Tarsnap/scrypt"
+    - COVERITY_SCAN_BRANCH_PATTERN="coverity-scan"
+    - COVERITY_SCAN_NOTIFICATION_EMAIL="cperciva@tarsnap.com"
+    - COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -i && ./configure"
+    - COVERITY_SCAN_BUILD_COMMAND="make all clean"
+before_install:
+  # Handle Coverity scan
+  - >
+    if [[ "${TRAVIS_BRANCH}" == "coverity-scan" ]]; then
+      if [[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]]; then
+        curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true
+      else
+        echo "Not main job; do nothing."
+      fi
+      echo "Done Coverity scan."
+      sleep 1
+      exit 0
+    fi
+  # Otherwise, act normally.
+  - autoreconf -i
+  - ./configure
+# We can't use strict flags in CFLAGS as a general environment
+# variable, because that messes up ./configure and coverity-scan.
+script: make CFLAGS="$CFLAGS $CFLAGS_STRICT" && make test USE_VALGRIND=1
--- /dev/null
+++ scrypt-1.3.1/Makefile.am
@@ -0,0 +1,192 @@
+bin_PROGRAMS=	scrypt
+noinst_PROGRAMS=	tests/verify-strings/test_scrypt			\
+	tests/valgrind/potential-memleaks
+dist_man_MANS=$(scrypt_man_MANS)
+ACLOCAL_AMFLAGS=	-I m4
+
+# These files fulfill the crypto_scrypt() function, with the exception of
+#     libcperciva/alg/sha256_shani.c
+#     lib/crypto/crypto_scrypt_smix_sse2.c
+# which require special compiler flags and are thus compiled as separate
+# libraries.  See test_scrypt for an example.
+#
+# crypto_scrypt() does not require aesni or rdrand, but we need to include
+# the relevant cpusupport_x86 files so that cpusupport can link to them.
+crypto_scrypt_files=	lib/crypto/crypto_scrypt_smix.c			\
+			lib/crypto/crypto_scrypt_smix.h			\
+			lib/crypto/crypto_scrypt_smix_sse2.h		\
+			lib-platform/platform.h				\
+			lib-platform/crypto/crypto_scrypt.c		\
+			lib-platform/crypto/crypto_scrypt.h		\
+			libcperciva/alg/sha256.c			\
+			libcperciva/alg/sha256.h			\
+			libcperciva/alg/sha256_shani.h			\
+			libcperciva/cpusupport/cpusupport.h		\
+			libcperciva/cpusupport/cpusupport_x86_aesni.c	\
+			libcperciva/cpusupport/cpusupport_x86_rdrand.c	\
+			libcperciva/cpusupport/cpusupport_x86_shani.c	\
+			libcperciva/cpusupport/cpusupport_x86_sse2.c	\
+			libcperciva/cpusupport/cpusupport_x86_ssse3.c	\
+			libcperciva/util/insecure_memzero.c		\
+			libcperciva/util/insecure_memzero.h		\
+			libcperciva/util/warnp.c			\
+			libcperciva/util/warnp.h
+
+scrypt_SOURCES=		main.c					\
+			$(crypto_scrypt_files)			\
+			lib/scryptenc/scryptenc.c		\
+			lib/scryptenc/scryptenc.h		\
+			lib/scryptenc/scryptenc_cpuperf.c	\
+			lib/scryptenc/scryptenc_cpuperf.h	\
+			lib-platform/util/memlimit.c		\
+			lib-platform/util/memlimit.h		\
+			libcperciva/crypto/crypto_aes.c		\
+			libcperciva/crypto/crypto_aes.h		\
+			libcperciva/crypto/crypto_aes_aesni.h	\
+			libcperciva/crypto/crypto_aesctr.c	\
+			libcperciva/crypto/crypto_aesctr.h	\
+			libcperciva/crypto/crypto_entropy.c	\
+			libcperciva/crypto/crypto_entropy.h	\
+			libcperciva/crypto/crypto_entropy_rdrand.h \
+			libcperciva/crypto/crypto_verify_bytes.c \
+			libcperciva/crypto/crypto_verify_bytes.h \
+			libcperciva/util/asprintf.c		\
+			libcperciva/util/asprintf.h		\
+			libcperciva/util/entropy.c		\
+			libcperciva/util/entropy.h		\
+			libcperciva/util/getopt.c		\
+			libcperciva/util/getopt.h		\
+			libcperciva/util/humansize.c		\
+			libcperciva/util/humansize.h		\
+			libcperciva/util/monoclock.c		\
+			libcperciva/util/monoclock.h		\
+			libcperciva/util/parsenum.h		\
+			libcperciva/util/readpass.c		\
+			libcperciva/util/readpass.h		\
+			libcperciva/util/readpass_file.c	\
+			libcperciva/util/sysendian.h
+
+AM_CPPFLAGS=		-I$(srcdir)/lib				\
+			-I$(srcdir)/lib/crypto			\
+			-I$(srcdir)/lib/scryptenc		\
+			-I$(srcdir)/lib-platform		\
+			-I$(srcdir)/lib-platform/crypto		\
+			-I$(srcdir)/lib-platform/util		\
+			-I$(srcdir)/libcperciva/alg		\
+			-I$(srcdir)/libcperciva/cpusupport	\
+			-I$(srcdir)/libcperciva/crypto		\
+			-I$(srcdir)/libcperciva/util		\
+			-DCPUSUPPORT_CONFIG_FILE=\"cpusupport-config.h\" \
+			-D_POSIX_C_SOURCE=200809L		\
+			-D_XOPEN_SOURCE=700			\
+			${CFLAGS_POSIX}
+
+scrypt_LDADD=		libcperciva_aesni.la libcperciva_rdrand.la \
+			libcperciva_shani.la libscrypt_sse2.la	\
+			${LDADD_POSIX}
+scrypt_man_MANS=	scrypt.1
+
+cpusupport-config.h:
+	( export CC="${CC}"; export CFLAGS="${CFLAGS}"; command -p sh $(srcdir)/libcperciva/cpusupport/Build/cpusupport.sh "$$PATH") > cpusupport-config.h.tmp && command -p mv cpusupport-config.h.tmp cpusupport-config.h
+BUILT_SOURCES=	cpusupport-config.h
+CLEANFILES=	cpusupport-config.h cpusupport-config.h.tmp
+
+# Libraries from libcperciva code.
+noinst_LTLIBRARIES=	libcperciva_aesni.la
+libcperciva_aesni_la_SOURCES=	libcperciva/crypto/crypto_aes_aesni.c
+nodist_libcperciva_aesni_la_SOURCES=	cpusupport-config.h
+libcperciva_aesni_la_CFLAGS=`. ./cpusupport-config.h; echo $${CFLAGS_X86_AESNI}`
+
+noinst_LTLIBRARIES+=	libcperciva_rdrand.la
+libcperciva_rdrand_la_SOURCES=	libcperciva/crypto/crypto_entropy_rdrand.c
+nodist_libcperciva_rdrand_la_SOURCES=	cpusupport-config.h
+libcperciva_rdrand_la_CFLAGS=						\
+	`. ./cpusupport-config.h; echo $${CFLAGS_X86_RDRAND}`
+
+noinst_LTLIBRARIES+=	libcperciva_shani.la
+libcperciva_shani_la_SOURCES=	libcperciva/alg/sha256_shani.c
+nodist_libcperciva_shani_la_SOURCES=	cpusupport-config.h
+libcperciva_shani_la_CFLAGS=`. ./cpusupport-config.h; echo $${CFLAGS_X86_SHANI} $${CFLAGS_X86_SSSE3}`
+
+# Library from scrypt code.
+noinst_LTLIBRARIES+=	libscrypt_sse2.la
+libscrypt_sse2_la_SOURCES=	lib/crypto/crypto_scrypt_smix_sse2.c
+nodist_libscrypt_sse2_la_SOURCES=	cpusupport-config.h
+libscrypt_sse2_la_CFLAGS=`. ./cpusupport-config.h; echo $${CFLAGS_X86_SSE2}`
+
+# Install libscrypt-kdf?
+if LIBSCRYPT_KDF
+lib_LTLIBRARIES=		libscrypt-kdf.la
+libscrypt_kdf_la_LDFLAGS=	-version-info 1			\
+	-export-symbols-regex 'crypto_scrypt$$'
+include_HEADERS=		libscrypt-kdf/scrypt-kdf.h
+noinst_PROGRAMS+=		tests/libscrypt-kdf/sample-libscrypt-kdf
+else
+# Allow the user to get a usable library even if they didn't run configure
+# with --enable-libscrypt-kdf.  If we didn't include this, they would get
+# empty libraries if they ran `make libscrypt-kdf.la`.
+EXTRA_LTLIBRARIES=		libscrypt-kdf.la
+endif
+
+# Shared definitions for libscrypt-kdf.
+libscrypt_kdf_la_SOURCES=	$(crypto_scrypt_files)
+libscrypt_kdf_la_LIBADD=	libcperciva_shani.la libscrypt_sse2.la
+# Workaround for "created with both libtool and without"
+libscrypt_kdf_la_CFLAGS=	$(AM_CFLAGS)
+
+# Test libscrypt-kdf compile
+tests_libscrypt_kdf_sample_libscrypt_kdf_SOURCES=	\
+	tests/libscrypt-kdf/sample-libscrypt-kdf.c
+tests_libscrypt_kdf_sample_libscrypt_kdf_CPPFLAGS=	\
+	-I$(srcdir)/libscrypt-kdf/
+tests_libscrypt_kdf_sample_libscrypt_kdf_LDADD=		libscrypt-kdf.la
+
+EXTRA_DIST = \
+	COPYRIGHT						\
+	FORMAT							\
+	README.md						\
+	STYLE							\
+	lib/README						\
+	lib/crypto/crypto_scrypt-ref.c				\
+	libcperciva/POSIX/README				\
+	libcperciva/POSIX/posix-cflags.sh			\
+	libcperciva/POSIX/posix-clock_gettime.c			\
+	libcperciva/POSIX/posix-clock_realtime.c		\
+	libcperciva/POSIX/posix-l.c				\
+	libcperciva/POSIX/posix-l.sh				\
+	libcperciva/POSIX/posix-msg_nosignal.c			\
+	libcperciva/POSIX/posix-restrict.c			\
+	libcperciva/cpusupport/Build/cpusupport-X86-AESNI.c	\
+	libcperciva/cpusupport/Build/cpusupport-X86-CPUID.c	\
+	libcperciva/cpusupport/Build/cpusupport-X86-RDRAND.c	\
+	libcperciva/cpusupport/Build/cpusupport-X86-SHANI.c	\
+	libcperciva/cpusupport/Build/cpusupport-X86-SSE2.c	\
+	libcperciva/cpusupport/Build/cpusupport-X86-SSSE3.c	\
+	libcperciva/cpusupport/Build/cpusupport.sh		\
+	tests/01-known-values.sh				\
+	tests/02-decrypt-reference-file.sh			\
+	tests/03-encrypt-decrypt-file.sh			\
+	tests/04-force-resources.sh				\
+	tests/05-system-scrypt-encrypt-decrypt.sh		\
+	tests/shared_test_functions.sh				\
+	tests/test_scrypt.sh					\
+	tests/verify-strings/test_scrypt.good			\
+	tests/verify-strings/test_scrypt_good.enc
+
+# Binary to test the crypto_scrypt() function.
+tests_verify_strings_test_scrypt_SOURCES =			\
+	tests/verify-strings/test_scrypt.c			\
+	$(crypto_scrypt_files)
+
+tests_verify_strings_test_scrypt_LDADD=	libcperciva_shani.la	\
+	libscrypt_sse2.la					\
+	${LDADD_POSIX}
+
+# Eliminate false positives while memory-checking for the test framework.
+tests_valgrind_potential_memleaks_SOURCES = tests/valgrind/potential-memleaks.c
+
+.PHONY: test
+# we can't only build "scrypt tests/verify-strings/test_scrypt" because that
+# won't build the BUILT_SOURCES.
+test: all
+	$(top_srcdir)/tests/test_scrypt.sh .
--- /dev/null
+++ scrypt-1.3.1/README.md
@@ -0,0 +1,160 @@
+The scrypt key derivation function
+----------------------------------
+
+
+The scrypt key derivation function was originally developed for use in the
+[Tarsnap online backup system](https://www.tarsnap.com/index.html) and is
+designed to be far more secure against hardware brute-force attacks than
+alternative functions such as [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) or
+[bcrypt](https://www.openbsd.org/papers/bcrypt-paper.ps).
+
+We estimate that on modern (2009) hardware, if 5 seconds are spent computing a
+derived key, the cost of a hardware brute-force attack against `scrypt` is
+roughly 4000 times greater than the cost of a similar attack against bcrypt (to
+find the same password), and 20000 times greater than a similar attack against
+PBKDF2.  If the `scrypt` encryption utility is used with default parameters,
+the cost of cracking the password on a file encrypted by `scrypt enc` is
+approximately 100 billion times more than the cost of cracking the same
+password on a file encrypted by `openssl enc`; this means that a five-character
+password using `scrypt` is stronger than a ten-character password using
+`openssl`.
+
+Details of the `scrypt` key derivation function are given in:
+
+* The Internet Engineering Task Force (IETF)
+  [RFC 7914: The scrypt Password-Based Key Derivation Function](
+  https://tools.ietf.org/html/rfc7914).
+* The original conference paper: Colin Percival,
+  [Stronger Key Derivation via Sequential Memory-Hard Functions](
+  https://www.tarsnap.com/scrypt/scrypt.pdf), presented at
+  [BSDCan'09](https://www.bsdcan.org/2009/), May 2009.
+  [Conference presentation slides](
+  https://www.tarsnap.com/scrypt/scrypt-slides.pdf).
+
+Some additional articles may be of interest:
+
+* Filippo Valsorda presented a very well-written explanation about how
+  [the scrypt parameters](https://blog.filippo.io/the-scrypt-parameters/)
+  impact the memory usage and CPU time of the algorithm.
+
+* J. Alwen, B. Chen, K. Pietrzak, L. Reyzin, S. Tessaro,
+  [Scrypt is Maximally Memory-Hard](https://eprint.iacr.org/2016/989),
+  Cryptology ePrint Archive: Report 2016/989.
+
+
+The scrypt encryption utility
+-----------------------------
+
+A simple password-based encryption utility is available as a demonstration of
+the `scrypt` key derivation function.  It can be invoked as `scrypt enc infile
+[outfile]` to encrypt data (if `outfile` is not specified, the encrypted data
+is written to the standard output), or as `scrypt dec infile [outfile]` to
+decrypt data (if outfile is not specified, the decrypted data is written to the
+standard output). `scrypt` also supports three command-line options:
+
+* `-t maxtime` will instruct `scrypt` to spend at most maxtime seconds
+  computing the derived encryption key from the password; for encryption, this
+  value will determine how secure the encrypted data is, while for decryption
+  this value is used as an upper limit (if `scrypt` detects that it would take
+  too long to decrypt the data, it will exit with an error message).
+* `-m maxmemfrac` instructs `scrypt` to use at most the specified fraction of
+  the available RAM for computing the derived encryption key. For encryption,
+  increasing this value might increase the security of the encrypted data,
+  depending on the `maxtime` value; for decryption, this value is used as an
+  upper limit and may `cause` scrypt to exit with an error.
+* `-M maxmem` instructs `scrypt` to use at most the specified number of bytes
+  of RAM when computing the derived encryption key.
+
+If the encrypted data is corrupt, `scrypt dec` will exit with a non-zero
+status.  However, **`scrypt dec` may produce output before it determines that
+the encrypted data was corrupt**, so for applications which require data to be
+authenticated, you must store the output of `scrypt dec` in a temporary
+location and check `scrypt`'s exit code before using the decrypted data.
+
+The `scrypt` utility has been tested on FreeBSD, NetBSD, OpenBSD, Linux
+(Slackware, CentOS, Gentoo, Ubuntu), Solaris, OS X, Cygwin, and GNU Hurd.
+
+* [scrypt version 1.3.1 source tarball](
+  https://www.tarsnap.com/scrypt/scrypt-1.3.1.tgz)
+* [GPG-signed SHA256 for scrypt version 1.3.1](
+  https://www.tarsnap.com/scrypt/scrypt-sigs-1.3.1.asc) (signature
+  generated using Tarsnap [code signing key](
+  https://www.tarsnap.com/tarsnap-signing-key.asc))
+
+  This cleartext signature of the SHA256 output can be verified with:
+
+      gpg --decrypt scrypt-sigs-1.3.1.asc
+
+  You may then compare the displayed hash to the SHA256 hash of
+  `scrypt-1.3.1.gz`.
+
+In addition, `scrypt` is available in the OpenBSD and FreeBSD ports trees and
+in NetBSD pkgsrc as `security/scrypt`.
+
+
+Using scrypt as a KDF
+---------------------
+
+To use scrypt as a [key derivation function](
+https://en.wikipedia.org/wiki/Key_derivation_function) (KDF), take a look at
+the `lib/crypto/crypto_scrypt.h` header, which provides:
+
+```
+/**
+ * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen):
+ * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
+ * p, buflen) and write the result into buf.  The parameters r, p, and buflen
+ * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32.  The parameter N
+ * must be a power of 2 greater than 1.
+ *
+ * Return 0 on success; or -1 on error.
+ */
+int crypto_scrypt(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
+    uint32_t, uint32_t, uint8_t *, size_t);
+```
+
+The same function is provided in the optional `libscrypt-kdf` library; there
+is a sample of using it in `tests/libscrypt-kdf`.  If you installed the
+library, you can compile that file and run the binary:
+
+```
+$ cd tests/libscrypt-kdf/
+$ c99 sample-libscrypt-kdf.c -lscrypt-kdf
+$ ./a.out
+crypto_scrypt(): success
+```
+
+
+Building
+--------
+
+:exclamation: We strongly recommend that people use the latest
+official release tarball on https://www.tarsnap.com/scrypt.html
+
+To build scrypt, extract the tarball and run `./configure` && `make`.  See the
+`BUILDING` file for more details (e.g., dealing with OpenSSL on OSX).
+
+
+Testing
+-------
+
+A small test suite can be run with:
+
+    make test
+
+Memory-testing normal operations with valgrind (takes approximately 4 times as
+long as no valgrind tests) can be enabled with:
+
+    make test USE_VALGRIND=1
+
+Memory-testing all tests with valgrind (requires over 1 GB memory, and takes
+approximately 4 times as long as `USE_VALGRIND=1`) can be enabled with:
+
+    make test USE_VALGRIND=2
+
+
+Mailing list
+------------
+
+The scrypt key derivation function and the scrypt encryption utility are
+discussed on the <scrypt@tarsnap.com> mailing list.
--- /dev/null
+++ scrypt-1.3.1/configure.ac
@@ -0,0 +1,77 @@
+AC_PREREQ([2.69])
+AC_INIT([scrypt],[m4_esyscmd([sh get-version.sh])],
+  [https://github.com/Tarsnap/scrypt],[scrypt],[http://www.tarsnap.com/scrypt/])
+AC_CONFIG_SRCDIR([lib/scryptenc/scryptenc.c])
+AC_CONFIG_AUX_DIR([config.aux])
+AC_CONFIG_MACRO_DIR([m4])
+AM_INIT_AUTOMAKE([foreign subdir-objects -Wall])
+
+# Scrypt has some of its own configure functions.
+m4_include([acscrypt.m4])
+
+# Checks for programs.
+AC_PROG_CC_C99
+AM_PROG_AR
+LT_INIT
+
+# Don't rebuild the configure script.  I'm distributing a perfectly good one.
+AM_MAINTAINER_MODE
+
+# Checks for libraries.
+
+AC_SEARCH_LIBS([AES_encrypt], [crypto],,
+    AC_MSG_ERROR([function AES_ENCRYPT not found]))
+
+# Check for a linuxy sysinfo syscall; and while we're doing that, check if
+# struct sysinfo is the old version (total RAM == totalmem) or the new
+# version (total RAM == totalmem * mem_unit).
+AC_CHECK_HEADERS([sys/sysinfo.h])
+AC_CHECK_FUNCS([sysinfo])
+AC_CHECK_TYPES([struct sysinfo], [], [], [[#include <sys/sysinfo.h>]])
+AC_CHECK_MEMBERS([struct sysinfo.totalram, struct sysinfo.mem_unit], [], [],
+    [[#include <sys/sysinfo.h>]])
+
+# Check if we have <sys/param.h>, since some systems require it for sysctl
+# to work.
+AC_CHECK_HEADERS([sys/param.h])
+
+# Check if we have <openssl/aes.h>, to fix the make failing when configure
+# passes.
+AC_CHECK_HEADERS([openssl/aes.h],,
+  [AC_MSG_ERROR([Unable to find the openssl/aes.h header])])
+
+# Check for <sys/sysctl.h>.  If it exists and it defines HW_USERMEM
+# and/or HW_MEMSIZE, we'll try using those as memory limits.
+AC_CHECK_HEADERS([sys/sysctl.h])
+
+# Check for posix_memalign
+AC_CHECK_FUNCS([posix_memalign])
+
+# Check for mmap so we can work around its absence on Minix
+AC_CHECK_FUNCS([mmap])
+
+AC_SYS_LARGEFILE
+
+# Check whether the user has requested to disable compiler warnings
+AC_MSG_CHECKING([compiler_warnings])
+AC_ARG_ENABLE(compiler_warnings,
+   AS_HELP_STRING([--disable-compiler-warnings],
+       [Do not request compiler warnings. @<:@default=enabled@:>@]),
+   [ac_compiler_warnings=$enableval],
+   [ac_compiler_warnings=yes])
+AC_MSG_RESULT([${ac_compiler_warnings}])
+AS_IF([test x${ac_compiler_warnings} = xyes],
+   [AX_CFLAGS_WARN_ALL])
+
+# Check libcperciva POSIX compatibility
+CHECK_POSIX_SH
+CHECK_LIBCPERCIVA_POSIX([${srcdir}/libcperciva])
+
+# Check whether the user wants to install libscrypt-kdf
+AC_ARG_ENABLE(libscrypt-kdf, AS_HELP_STRING([--enable-libscrypt-kdf],
+    [Install libscrypt-kdf and development headers.]))
+AM_CONDITIONAL([LIBSCRYPT_KDF], [test "x${enable_libscrypt_kdf}" = "xyes"])
+
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
--- /dev/null
+++ scrypt-1.3.1/get-version.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+version=1.3.0-head
+
+# This script outputs a version number for this project to stdout.
+# - if $SCRYPT_VERSION is given, it is used.
+# - otherwise, it uses ${version}.
+# - if there is a ".git/" directory, it will attempt to get a version number
+#   from `git describe` in the form 1.2.0-238-g0a25a7c, where the middle value
+#   is the number of commits since the 1.2.0 tag.
+
+# Use $SCRYPT_VERSION if it exists.
+if [ -n "${SCRYPT_VERSION}" ]; then
+	# Do not use \n; that confuses autoconf.
+	printf "${SCRYPT_VERSION}"
+	exit 0
+fi
+
+# Get a version number from git, if it exists.
+if git rev-parse 2>/dev/null; then
+	# Get a version string from the latest git tag.
+	if version_git=$( git describe --tags --match '[[:digit:]].*' ) \
+	    2>/dev/null ; then
+		version_decapitated=$( echo ${version} | sed "s/-head//" )
+		# Check that the beginning of this tag matches the version.
+		case ${version_git} in
+		"${version_decapitated}"*)
+			# If so, use that version string.
+			version=${version_git};;
+		*)
+			printf "git tag does not match version\n" 1>&2
+			exit 1;;
+		esac
+	fi
+fi
+
+# Output the version to stdout.  Do not use \n; that confuses autoconf.
+printf ${version}
--- /dev/null
+++ scrypt-1.3.1/release-tools/create-sign-tarball.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Process command-line arguments
+SCRYPTVERSION=$1
+GNUPG_SIGNING_HOME=$2
+
+# Check for required arguments
+if [ -z "$SCRYPTVERSION" ] || [ -z "$GNUPG_SIGNING_HOME" ]; then
+	echo "Usage: $0 SCRYPTVERSION GNUPG_SIGNING_HOME"
+	exit 1
+fi
+
+# Check for correct OS
+if [ "$(uname)" != "FreeBSD" ]; then
+	echo "Error: This script only works on FreeBSD due to the"
+	echo "    sha256 \${PKGNAME}.tgz"
+	echo "command, which has a different meaning on other OSes."
+	exit 1
+fi
+
+# Constants
+PKGNAME=scrypt-${SCRYPTVERSION}
+PKGSIGS=scrypt-sigs-${SCRYPTVERSION}
+
+# Get directory of script
+dir=$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)
+
+# Create tarball
+sh ${dir}/mktarball.sh $SCRYPTVERSION
+
+# Sign tarball
+sha256 ${PKGNAME}.tgz |			\
+    GNUPGHOME=${GNUPG_SIGNING_HOME} gpg --clearsign \
+    > ${PKGSIGS}.asc
--- /dev/null
+++ scrypt-1.3.1/release-tools/mktarball.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+VERSION=$1
+if [ -z $VERSION ]; then
+	echo "Please specify the version number"
+	exit 1
+fi
+DESTDIR=scrypt-${VERSION}
+RELEASEDATE=$(date "+%B %d, %Y")
+
+# Copy bits in
+mkdir ${DESTDIR} ${DESTDIR}/autotools
+cp main.c FORMAT COPYRIGHT BUILDING STYLE ${DESTDIR}
+cp Makefile.am acscrypt.m4 .autom4te.cfg ${DESTDIR}
+cp Makefile.am ${DESTDIR}/autotools
+mkdir ${DESTDIR}/m4
+cp -R lib lib-platform libcperciva libscrypt-kdf tests ${DESTDIR}
+# Copy with substitution
+sed -e "s/@DATE@/$RELEASEDATE/" < scrypt.1 > ${DESTDIR}/scrypt.1
+sed -e "s/\[m4_esyscmd(\[sh get-version\.sh\])]/${VERSION}/" \
+	< configure.ac > ${DESTDIR}/configure.ac
+cp ${DESTDIR}/configure.ac ${DESTDIR}/autotools
+
+# Generate autotools files
+( cd ${DESTDIR} || exit
+autoreconf -i
+rm .autom4te.cfg Makefile.am aclocal.m4 configure.ac )
+
+# Create tarball
+tar -czf ${DESTDIR}.tgz ${DESTDIR}
+rm -r ${DESTDIR}
--- scrypt-1.3.1.orig/scrypt.1
+++ scrypt-1.3.1/scrypt.1
@@ -21,7 +21,7 @@
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
-.Dd August 27, 2020
+.Dd @DATE@
 .Dt SCRYPT 1
 .Os
 .Sh NAME