arnaucube
/
derosuite
mirror of https://github.com/arnaucube/derosuite.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14 Commits
1 Branch
0 Tags
68 MiB
Tree: 1306ecda41
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1306ecda41'
${ noResults }
derosuite/vendor/golang.org/x/crypto/argon2/argon2.go

219 lines
6.5 KiB
Raw Normal View History

Status update release 1
6 years ago
  1. // Copyright 2017 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  5. // Package argon2 implements the key derivation function Argon2.
  6. // Argon2 was selected as the winner of the Password Hashing Competition and can
  7. // be used to derive cryptographic keys from passwords.
  8. // Argon2 is specfifed at https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
  9. package argon2
  11. import (
  12. "encoding/binary"
  13. "sync"
  15. "golang.org/x/crypto/blake2b"
  16. )
  18. // The Argon2 version implemented by this package.
  19. const Version = 0x13
  21. const (
  22. argon2d = iota
  23. argon2i
  24. argon2id
  25. )
  27. // Key derives a key from the password, salt, and cost parameters using Argon2i
  28. // returning a byte slice of length keyLen that can be used as cryptographic key.
  29. // The CPU cost and parallism degree must be greater than zero.
  30. //
  31. // For example, you can get a derived key for e.g. AES-256 (which needs a 32-byte key) by doing:
  32. // `key := argon2.Key([]byte("some password"), salt, 4, 32*1024, 4, 32)`
  33. //
  34. // The recommended parameters for interactive logins as of 2017 are time=4, memory=32*1024.
  35. // The number of threads can be adjusted to the numbers of available CPUs.
  36. // The time parameter specifies the number of passes over the memory and the memory
  37. // parameter specifies the size of the memory in KiB. For example memory=32*1024 sets the
  38. // memory cost to ~32 MB.
  39. // The cost parameters should be increased as memory latency and CPU parallelism increases.
  40. // Remember to get a good random salt.
  41. func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
  42. return deriveKey(argon2i, password, salt, nil, nil, time, memory, threads, keyLen)
  43. }
  45. func deriveKey(mode int, password, salt, secret, data []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
  46. if time < 1 {
  47. panic("argon2: number of rounds too small")
  48. }
  49. if threads < 1 {
  50. panic("argon2: paralisim degree too low")
  51. }
  52. mem := memory / (4 * uint32(threads)) * (4 * uint32(threads))
  53. if mem < 8*uint32(threads) {
  54. mem = 8 * uint32(threads)
  55. }
  56. B := initBlocks(password, salt, secret, data, time, mem, uint32(threads), keyLen, mode)
  57. processBlocks(B, time, mem, uint32(threads), mode)
  58. return extractKey(B, mem, uint32(threads), keyLen)
  59. }
  61. const blockLength = 128
  63. type block [blockLength]uint64
  65. func initBlocks(password, salt, key, data []byte, time, memory, threads, keyLen uint32, mode int) []block {
  66. var (
  67. block0 [1024]byte
  68. h0 [blake2b.Size + 8]byte
  69. params [24]byte
  70. tmp [4]byte
  71. )
  73. b2, _ := blake2b.New512(nil)
  74. binary.LittleEndian.PutUint32(params[0:4], threads)
  75. binary.LittleEndian.PutUint32(params[4:8], keyLen)
  76. binary.LittleEndian.PutUint32(params[8:12], memory)
  77. binary.LittleEndian.PutUint32(params[12:16], time)
  78. binary.LittleEndian.PutUint32(params[16:20], uint32(Version))
  79. binary.LittleEndian.PutUint32(params[20:24], uint32(mode))
  80. b2.Write(params[:])
  81. binary.LittleEndian.PutUint32(tmp[:], uint32(len(password)))
  82. b2.Write(tmp[:])
  83. b2.Write(password)
  84. binary.LittleEndian.PutUint32(tmp[:], uint32(len(salt)))
  85. b2.Write(tmp[:])
  86. b2.Write(salt)
  87. binary.LittleEndian.PutUint32(tmp[:], uint32(len(key)))
  88. b2.Write(tmp[:])
  89. b2.Write(key)
  90. binary.LittleEndian.PutUint32(tmp[:], uint32(len(data)))
  91. b2.Write(tmp[:])
  92. b2.Write(data)
  93. b2.Sum(h0[:0])
  95. B := make([]block, memory)
  96. for lane := uint32(0); lane < threads; lane++ {
  97. j := lane * (memory / threads)
  98. binary.LittleEndian.PutUint32(h0[blake2b.Size+4:], lane)
  100. binary.LittleEndian.PutUint32(h0[blake2b.Size:], 0)
  101. blake2bHash(block0[:], h0[:])
  102. for i := range B[0] {
  103. B[j+0][i] = binary.LittleEndian.Uint64(block0[i*8:])
  104. }
  106. binary.LittleEndian.PutUint32(h0[blake2b.Size:], 1)
  107. blake2bHash(block0[:], h0[:])
  108. for i := range B[0] {
  109. B[j+1][i] = binary.LittleEndian.Uint64(block0[i*8:])
  110. }
  111. }
  112. return B
  113. }
  115. func processBlocks(B []block, time, memory, threads uint32, mode int) {
  116. const syncPoints = 4
  117. lanes := memory / threads
  118. segments := lanes / syncPoints
  120. processSegment := func(n, slice, lane uint32, wg *sync.WaitGroup) {
  121. var addresses, in, zero block
  122. if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
  123. in[0] = uint64(n)
  124. in[1] = uint64(lane)
  125. in[2] = uint64(slice)
  126. in[3] = uint64(memory)
  127. in[4] = uint64(time)
  128. in[5] = uint64(mode)
  129. }
  131. index := uint32(0)
  132. if n == 0 && slice == 0 {
  133. index = 2 // we have already generated the first two blocks
  134. if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
  135. in[6]++
  136. processBlock(&addresses, &in, &zero)
  137. processBlock(&addresses, &addresses, &zero)
  138. }
  139. }
  141. offset := lane*lanes + slice*segments + index
  142. var random uint64
  143. for index < segments {
  144. prev := offset - 1
  145. if index == 0 && slice == 0 {
  146. prev = lane*lanes + lanes - 1 // last block in lane
  147. }
  148. if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
  149. if index%blockLength == 0 {
  150. in[6]++
  151. processBlock(&addresses, &in, &zero)
  152. processBlock(&addresses, &addresses, &zero)
  153. }
  154. random = addresses[index%blockLength]
  155. } else {
  156. random = B[prev][0]
  157. }
  158. newOffset := indexAlpha(random, lanes, segments, threads, n, slice, lane, index)
  159. processBlockXOR(&B[offset], &B[prev], &B[newOffset])
  160. index, offset = index+1, offset+1
  161. }
  162. wg.Done()
  163. }
  165. for n := uint32(0); n < time; n++ {
  166. for slice := uint32(0); slice < syncPoints; slice++ {
  167. var wg sync.WaitGroup
  168. for lane := uint32(0); lane < threads; lane++ {
  169. wg.Add(1)
  170. go processSegment(n, slice, lane, &wg)
  171. }
  172. wg.Wait()
  173. }
  174. }
  176. }
  178. func extractKey(B []block, memory, threads, keyLen uint32) []byte {
  179. lanes := memory / threads
  180. for lane := uint32(0); lane < threads-1; lane++ {
  181. for i, v := range B[(lane*lanes)+lanes-1] {
  182. B[memory-1][i] ^= v
  183. }
  184. }
  186. var block [1024]byte
  187. for i, v := range B[memory-1] {
  188. binary.LittleEndian.PutUint64(block[i*8:], v)
  189. }
  190. key := make([]byte, keyLen)
  191. blake2bHash(key, block[:])
  192. return key
  193. }
  195. func indexAlpha(rand uint64, lanes, segments, threads, n, slice, lane, index uint32) uint32 {
  196. refLane := uint32(rand>>32) % threads
  198. m, s := 3*segments, (slice+1)%4*segments
  199. if lane == refLane {
  200. m += index
  201. }
  202. if n == 0 {
  203. m, s = slice*segments, 0
  204. if slice == 0 || lane == refLane {
  205. m += index
  206. }
  207. }
  208. if index == 0 || lane == refLane {
  209. m--
  210. }
  211. return phi(rand, uint64(m), uint64(s), refLane, lanes)
  212. }
  214. func phi(rand, m, s uint64, lane, lanes uint32) uint32 {
  215. p := rand & 0xFFFFFFFF
  216. p = (p * p) >> 32
  217. p = (p * m) >> 32
  218. return lane*lanes + uint32((s+m-(p+1))%uint64(lanes))
  219. }