You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

244 lines
5.8 KiB

  1. // Copyright 2012 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. // Package scrypt implements the scrypt key derivation function as defined in
  5. // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
  6. // Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
  7. package scrypt // import "golang.org/x/crypto/scrypt"
  8. import (
  9. "crypto/sha256"
  10. "errors"
  11. "golang.org/x/crypto/pbkdf2"
  12. )
  13. const maxInt = int(^uint(0) >> 1)
  14. // blockCopy copies n numbers from src into dst.
  15. func blockCopy(dst, src []uint32, n int) {
  16. copy(dst, src[:n])
  17. }
  18. // blockXOR XORs numbers from dst with n numbers from src.
  19. func blockXOR(dst, src []uint32, n int) {
  20. for i, v := range src[:n] {
  21. dst[i] ^= v
  22. }
  23. }
  24. // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
  25. // and puts the result into both both tmp and out.
  26. func salsaXOR(tmp *[16]uint32, in, out []uint32) {
  27. w0 := tmp[0] ^ in[0]
  28. w1 := tmp[1] ^ in[1]
  29. w2 := tmp[2] ^ in[2]
  30. w3 := tmp[3] ^ in[3]
  31. w4 := tmp[4] ^ in[4]
  32. w5 := tmp[5] ^ in[5]
  33. w6 := tmp[6] ^ in[6]
  34. w7 := tmp[7] ^ in[7]
  35. w8 := tmp[8] ^ in[8]
  36. w9 := tmp[9] ^ in[9]
  37. w10 := tmp[10] ^ in[10]
  38. w11 := tmp[11] ^ in[11]
  39. w12 := tmp[12] ^ in[12]
  40. w13 := tmp[13] ^ in[13]
  41. w14 := tmp[14] ^ in[14]
  42. w15 := tmp[15] ^ in[15]
  43. x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
  44. x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
  45. for i := 0; i < 8; i += 2 {
  46. u := x0 + x12
  47. x4 ^= u<<7 | u>>(32-7)
  48. u = x4 + x0
  49. x8 ^= u<<9 | u>>(32-9)
  50. u = x8 + x4
  51. x12 ^= u<<13 | u>>(32-13)
  52. u = x12 + x8
  53. x0 ^= u<<18 | u>>(32-18)
  54. u = x5 + x1
  55. x9 ^= u<<7 | u>>(32-7)
  56. u = x9 + x5
  57. x13 ^= u<<9 | u>>(32-9)
  58. u = x13 + x9
  59. x1 ^= u<<13 | u>>(32-13)
  60. u = x1 + x13
  61. x5 ^= u<<18 | u>>(32-18)
  62. u = x10 + x6
  63. x14 ^= u<<7 | u>>(32-7)
  64. u = x14 + x10
  65. x2 ^= u<<9 | u>>(32-9)
  66. u = x2 + x14
  67. x6 ^= u<<13 | u>>(32-13)
  68. u = x6 + x2
  69. x10 ^= u<<18 | u>>(32-18)
  70. u = x15 + x11
  71. x3 ^= u<<7 | u>>(32-7)
  72. u = x3 + x15
  73. x7 ^= u<<9 | u>>(32-9)
  74. u = x7 + x3
  75. x11 ^= u<<13 | u>>(32-13)
  76. u = x11 + x7
  77. x15 ^= u<<18 | u>>(32-18)
  78. u = x0 + x3
  79. x1 ^= u<<7 | u>>(32-7)
  80. u = x1 + x0
  81. x2 ^= u<<9 | u>>(32-9)
  82. u = x2 + x1
  83. x3 ^= u<<13 | u>>(32-13)
  84. u = x3 + x2
  85. x0 ^= u<<18 | u>>(32-18)
  86. u = x5 + x4
  87. x6 ^= u<<7 | u>>(32-7)
  88. u = x6 + x5
  89. x7 ^= u<<9 | u>>(32-9)
  90. u = x7 + x6
  91. x4 ^= u<<13 | u>>(32-13)
  92. u = x4 + x7
  93. x5 ^= u<<18 | u>>(32-18)
  94. u = x10 + x9
  95. x11 ^= u<<7 | u>>(32-7)
  96. u = x11 + x10
  97. x8 ^= u<<9 | u>>(32-9)
  98. u = x8 + x11
  99. x9 ^= u<<13 | u>>(32-13)
  100. u = x9 + x8
  101. x10 ^= u<<18 | u>>(32-18)
  102. u = x15 + x14
  103. x12 ^= u<<7 | u>>(32-7)
  104. u = x12 + x15
  105. x13 ^= u<<9 | u>>(32-9)
  106. u = x13 + x12
  107. x14 ^= u<<13 | u>>(32-13)
  108. u = x14 + x13
  109. x15 ^= u<<18 | u>>(32-18)
  110. }
  111. x0 += w0
  112. x1 += w1
  113. x2 += w2
  114. x3 += w3
  115. x4 += w4
  116. x5 += w5
  117. x6 += w6
  118. x7 += w7
  119. x8 += w8
  120. x9 += w9
  121. x10 += w10
  122. x11 += w11
  123. x12 += w12
  124. x13 += w13
  125. x14 += w14
  126. x15 += w15
  127. out[0], tmp[0] = x0, x0
  128. out[1], tmp[1] = x1, x1
  129. out[2], tmp[2] = x2, x2
  130. out[3], tmp[3] = x3, x3
  131. out[4], tmp[4] = x4, x4
  132. out[5], tmp[5] = x5, x5
  133. out[6], tmp[6] = x6, x6
  134. out[7], tmp[7] = x7, x7
  135. out[8], tmp[8] = x8, x8
  136. out[9], tmp[9] = x9, x9
  137. out[10], tmp[10] = x10, x10
  138. out[11], tmp[11] = x11, x11
  139. out[12], tmp[12] = x12, x12
  140. out[13], tmp[13] = x13, x13
  141. out[14], tmp[14] = x14, x14
  142. out[15], tmp[15] = x15, x15
  143. }
  144. func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
  145. blockCopy(tmp[:], in[(2*r-1)*16:], 16)
  146. for i := 0; i < 2*r; i += 2 {
  147. salsaXOR(tmp, in[i*16:], out[i*8:])
  148. salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
  149. }
  150. }
  151. func integer(b []uint32, r int) uint64 {
  152. j := (2*r - 1) * 16
  153. return uint64(b[j]) | uint64(b[j+1])<<32
  154. }
  155. func smix(b []byte, r, N int, v, xy []uint32) {
  156. var tmp [16]uint32
  157. x := xy
  158. y := xy[32*r:]
  159. j := 0
  160. for i := 0; i < 32*r; i++ {
  161. x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24
  162. j += 4
  163. }
  164. for i := 0; i < N; i += 2 {
  165. blockCopy(v[i*(32*r):], x, 32*r)
  166. blockMix(&tmp, x, y, r)
  167. blockCopy(v[(i+1)*(32*r):], y, 32*r)
  168. blockMix(&tmp, y, x, r)
  169. }
  170. for i := 0; i < N; i += 2 {
  171. j := int(integer(x, r) & uint64(N-1))
  172. blockXOR(x, v[j*(32*r):], 32*r)
  173. blockMix(&tmp, x, y, r)
  174. j = int(integer(y, r) & uint64(N-1))
  175. blockXOR(y, v[j*(32*r):], 32*r)
  176. blockMix(&tmp, y, x, r)
  177. }
  178. j = 0
  179. for _, v := range x[:32*r] {
  180. b[j+0] = byte(v >> 0)
  181. b[j+1] = byte(v >> 8)
  182. b[j+2] = byte(v >> 16)
  183. b[j+3] = byte(v >> 24)
  184. j += 4
  185. }
  186. }
  187. // Key derives a key from the password, salt, and cost parameters, returning
  188. // a byte slice of length keyLen that can be used as cryptographic key.
  189. //
  190. // N is a CPU/memory cost parameter, which must be a power of two greater than 1.
  191. // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
  192. // limits, the function returns a nil byte slice and an error.
  193. //
  194. // For example, you can get a derived key for e.g. AES-256 (which needs a
  195. // 32-byte key) by doing:
  196. //
  197. // dk, err := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32)
  198. //
  199. // The recommended parameters for interactive logins as of 2017 are N=32768, r=8
  200. // and p=1. The parameters N, r, and p should be increased as memory latency and
  201. // CPU parallelism increases; consider setting N to the highest power of 2 you
  202. // can derive within 100 milliseconds. Remember to get a good random salt.
  203. func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
  204. if N <= 1 || N&(N-1) != 0 {
  205. return nil, errors.New("scrypt: N must be > 1 and a power of 2")
  206. }
  207. if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
  208. return nil, errors.New("scrypt: parameters are too large")
  209. }
  210. xy := make([]uint32, 64*r)
  211. v := make([]uint32, 32*N*r)
  212. b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
  213. for i := 0; i < p; i++ {
  214. smix(b[i*128*r:], r, N, v, xy)
  215. }
  216. return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
  217. }