123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 |
- // Copyright 2012 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- // Package scrypt implements the scrypt key derivation function as defined in
- // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
- // Functions" (http://www.tarsnap.com/scrypt/scrypt.pdf).
- package scrypt // import "golang.org/x/crypto/scrypt"
- import (
- "crypto/sha256"
- "errors"
- "golang.org/x/crypto/pbkdf2"
- )
- const maxInt = int(^uint(0) >> 1)
- // blockCopy copies n numbers from src into dst.
- func blockCopy(dst, src []uint32, n int) {
- copy(dst, src[:n])
- }
- // blockXOR XORs numbers from dst with n numbers from src.
- func blockXOR(dst, src []uint32, n int) {
- for i, v := range src[:n] {
- dst[i] ^= v
- }
- }
- // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
- // and puts the result into both both tmp and out.
- func salsaXOR(tmp *[16]uint32, in, out []uint32) {
- w0 := tmp[0] ^ in[0]
- w1 := tmp[1] ^ in[1]
- w2 := tmp[2] ^ in[2]
- w3 := tmp[3] ^ in[3]
- w4 := tmp[4] ^ in[4]
- w5 := tmp[5] ^ in[5]
- w6 := tmp[6] ^ in[6]
- w7 := tmp[7] ^ in[7]
- w8 := tmp[8] ^ in[8]
- w9 := tmp[9] ^ in[9]
- w10 := tmp[10] ^ in[10]
- w11 := tmp[11] ^ in[11]
- w12 := tmp[12] ^ in[12]
- w13 := tmp[13] ^ in[13]
- w14 := tmp[14] ^ in[14]
- w15 := tmp[15] ^ in[15]
- x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
- x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
- for i := 0; i < 8; i += 2 {
- u := x0 + x12
- x4 ^= u<<7 | u>>(32-7)
- u = x4 + x0
- x8 ^= u<<9 | u>>(32-9)
- u = x8 + x4
- x12 ^= u<<13 | u>>(32-13)
- u = x12 + x8
- x0 ^= u<<18 | u>>(32-18)
- u = x5 + x1
- x9 ^= u<<7 | u>>(32-7)
- u = x9 + x5
- x13 ^= u<<9 | u>>(32-9)
- u = x13 + x9
- x1 ^= u<<13 | u>>(32-13)
- u = x1 + x13
- x5 ^= u<<18 | u>>(32-18)
- u = x10 + x6
- x14 ^= u<<7 | u>>(32-7)
- u = x14 + x10
- x2 ^= u<<9 | u>>(32-9)
- u = x2 + x14
- x6 ^= u<<13 | u>>(32-13)
- u = x6 + x2
- x10 ^= u<<18 | u>>(32-18)
- u = x15 + x11
- x3 ^= u<<7 | u>>(32-7)
- u = x3 + x15
- x7 ^= u<<9 | u>>(32-9)
- u = x7 + x3
- x11 ^= u<<13 | u>>(32-13)
- u = x11 + x7
- x15 ^= u<<18 | u>>(32-18)
- u = x0 + x3
- x1 ^= u<<7 | u>>(32-7)
- u = x1 + x0
- x2 ^= u<<9 | u>>(32-9)
- u = x2 + x1
- x3 ^= u<<13 | u>>(32-13)
- u = x3 + x2
- x0 ^= u<<18 | u>>(32-18)
- u = x5 + x4
- x6 ^= u<<7 | u>>(32-7)
- u = x6 + x5
- x7 ^= u<<9 | u>>(32-9)
- u = x7 + x6
- x4 ^= u<<13 | u>>(32-13)
- u = x4 + x7
- x5 ^= u<<18 | u>>(32-18)
- u = x10 + x9
- x11 ^= u<<7 | u>>(32-7)
- u = x11 + x10
- x8 ^= u<<9 | u>>(32-9)
- u = x8 + x11
- x9 ^= u<<13 | u>>(32-13)
- u = x9 + x8
- x10 ^= u<<18 | u>>(32-18)
- u = x15 + x14
- x12 ^= u<<7 | u>>(32-7)
- u = x12 + x15
- x13 ^= u<<9 | u>>(32-9)
- u = x13 + x12
- x14 ^= u<<13 | u>>(32-13)
- u = x14 + x13
- x15 ^= u<<18 | u>>(32-18)
- }
- x0 += w0
- x1 += w1
- x2 += w2
- x3 += w3
- x4 += w4
- x5 += w5
- x6 += w6
- x7 += w7
- x8 += w8
- x9 += w9
- x10 += w10
- x11 += w11
- x12 += w12
- x13 += w13
- x14 += w14
- x15 += w15
- out[0], tmp[0] = x0, x0
- out[1], tmp[1] = x1, x1
- out[2], tmp[2] = x2, x2
- out[3], tmp[3] = x3, x3
- out[4], tmp[4] = x4, x4
- out[5], tmp[5] = x5, x5
- out[6], tmp[6] = x6, x6
- out[7], tmp[7] = x7, x7
- out[8], tmp[8] = x8, x8
- out[9], tmp[9] = x9, x9
- out[10], tmp[10] = x10, x10
- out[11], tmp[11] = x11, x11
- out[12], tmp[12] = x12, x12
- out[13], tmp[13] = x13, x13
- out[14], tmp[14] = x14, x14
- out[15], tmp[15] = x15, x15
- }
- func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
- blockCopy(tmp[:], in[(2*r-1)*16:], 16)
- for i := 0; i < 2*r; i += 2 {
- salsaXOR(tmp, in[i*16:], out[i*8:])
- salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
- }
- }
- func integer(b []uint32, r int) uint64 {
- j := (2*r - 1) * 16
- return uint64(b[j]) | uint64(b[j+1])<<32
- }
- func smix(b []byte, r, N int, v, xy []uint32) {
- var tmp [16]uint32
- x := xy
- y := xy[32*r:]
- j := 0
- for i := 0; i < 32*r; i++ {
- x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24
- j += 4
- }
- for i := 0; i < N; i += 2 {
- blockCopy(v[i*(32*r):], x, 32*r)
- blockMix(&tmp, x, y, r)
- blockCopy(v[(i+1)*(32*r):], y, 32*r)
- blockMix(&tmp, y, x, r)
- }
- for i := 0; i < N; i += 2 {
- j := int(integer(x, r) & uint64(N-1))
- blockXOR(x, v[j*(32*r):], 32*r)
- blockMix(&tmp, x, y, r)
- j = int(integer(y, r) & uint64(N-1))
- blockXOR(y, v[j*(32*r):], 32*r)
- blockMix(&tmp, y, x, r)
- }
- j = 0
- for _, v := range x[:32*r] {
- b[j+0] = byte(v >> 0)
- b[j+1] = byte(v >> 8)
- b[j+2] = byte(v >> 16)
- b[j+3] = byte(v >> 24)
- j += 4
- }
- }
- // Key derives a key from the password, salt, and cost parameters, returning
- // a byte slice of length keyLen that can be used as cryptographic key.
- //
- // N is a CPU/memory cost parameter, which must be a power of two greater than 1.
- // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
- // limits, the function returns a nil byte slice and an error.
- //
- // For example, you can get a derived key for e.g. AES-256 (which needs a
- // 32-byte key) by doing:
- //
- // dk, err := scrypt.Key([]byte("some password"), salt, 16384, 8, 1, 32)
- //
- // The recommended parameters for interactive logins as of 2009 are N=16384,
- // r=8, p=1. They should be increased as memory latency and CPU parallelism
- // increases. Remember to get a good random salt.
- func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
- if N <= 1 || N&(N-1) != 0 {
- return nil, errors.New("scrypt: N must be > 1 and a power of 2")
- }
- if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
- return nil, errors.New("scrypt: parameters are too large")
- }
- xy := make([]uint32, 64*r)
- v := make([]uint32, 32*N*r)
- b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
- for i := 0; i < p; i++ {
- smix(b[i*128*r:], r, N, v, xy)
- }
- return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
- }
|