scrypt.go

Documentation: golang.org/x/crypto/scrypt

     1  // Copyright 2012 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package scrypt implements the scrypt key derivation function as defined in
     6  // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
     7  // Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
     8  package scrypt // import "golang.org/x/crypto/scrypt"
     9  
    10  import (
    11  	"crypto/sha256"
    12  	"encoding/binary"
    13  	"errors"
    14  	"math/bits"
    15  
    16  	"golang.org/x/crypto/pbkdf2"
    17  )
    18  
    19  const maxInt = int(^uint(0) >> 1)
    20  
    21  // blockCopy copies n numbers from src into dst.
    22  func blockCopy(dst, src []uint32, n int) {
    23  	copy(dst, src[:n])
    24  }
    25  
    26  // blockXOR XORs numbers from dst with n numbers from src.
    27  func blockXOR(dst, src []uint32, n int) {
    28  	for i, v := range src[:n] {
    29  		dst[i] ^= v
    30  	}
    31  }
    32  
    33  // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
    34  // and puts the result into both tmp and out.
    35  func salsaXOR(tmp *[16]uint32, in, out []uint32) {
    36  	w0 := tmp[0] ^ in[0]
    37  	w1 := tmp[1] ^ in[1]
    38  	w2 := tmp[2] ^ in[2]
    39  	w3 := tmp[3] ^ in[3]
    40  	w4 := tmp[4] ^ in[4]
    41  	w5 := tmp[5] ^ in[5]
    42  	w6 := tmp[6] ^ in[6]
    43  	w7 := tmp[7] ^ in[7]
    44  	w8 := tmp[8] ^ in[8]
    45  	w9 := tmp[9] ^ in[9]
    46  	w10 := tmp[10] ^ in[10]
    47  	w11 := tmp[11] ^ in[11]
    48  	w12 := tmp[12] ^ in[12]
    49  	w13 := tmp[13] ^ in[13]
    50  	w14 := tmp[14] ^ in[14]
    51  	w15 := tmp[15] ^ in[15]
    52  
    53  	x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
    54  	x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
    55  
    56  	for i := 0; i < 8; i += 2 {
    57  		x4 ^= bits.RotateLeft32(x0+x12, 7)
    58  		x8 ^= bits.RotateLeft32(x4+x0, 9)
    59  		x12 ^= bits.RotateLeft32(x8+x4, 13)
    60  		x0 ^= bits.RotateLeft32(x12+x8, 18)
    61  
    62  		x9 ^= bits.RotateLeft32(x5+x1, 7)
    63  		x13 ^= bits.RotateLeft32(x9+x5, 9)
    64  		x1 ^= bits.RotateLeft32(x13+x9, 13)
    65  		x5 ^= bits.RotateLeft32(x1+x13, 18)
    66  
    67  		x14 ^= bits.RotateLeft32(x10+x6, 7)
    68  		x2 ^= bits.RotateLeft32(x14+x10, 9)
    69  		x6 ^= bits.RotateLeft32(x2+x14, 13)
    70  		x10 ^= bits.RotateLeft32(x6+x2, 18)
    71  
    72  		x3 ^= bits.RotateLeft32(x15+x11, 7)
    73  		x7 ^= bits.RotateLeft32(x3+x15, 9)
    74  		x11 ^= bits.RotateLeft32(x7+x3, 13)
    75  		x15 ^= bits.RotateLeft32(x11+x7, 18)
    76  
    77  		x1 ^= bits.RotateLeft32(x0+x3, 7)
    78  		x2 ^= bits.RotateLeft32(x1+x0, 9)
    79  		x3 ^= bits.RotateLeft32(x2+x1, 13)
    80  		x0 ^= bits.RotateLeft32(x3+x2, 18)
    81  
    82  		x6 ^= bits.RotateLeft32(x5+x4, 7)
    83  		x7 ^= bits.RotateLeft32(x6+x5, 9)
    84  		x4 ^= bits.RotateLeft32(x7+x6, 13)
    85  		x5 ^= bits.RotateLeft32(x4+x7, 18)
    86  
    87  		x11 ^= bits.RotateLeft32(x10+x9, 7)
    88  		x8 ^= bits.RotateLeft32(x11+x10, 9)
    89  		x9 ^= bits.RotateLeft32(x8+x11, 13)
    90  		x10 ^= bits.RotateLeft32(x9+x8, 18)
    91  
    92  		x12 ^= bits.RotateLeft32(x15+x14, 7)
    93  		x13 ^= bits.RotateLeft32(x12+x15, 9)
    94  		x14 ^= bits.RotateLeft32(x13+x12, 13)
    95  		x15 ^= bits.RotateLeft32(x14+x13, 18)
    96  	}
    97  	x0 += w0
    98  	x1 += w1
    99  	x2 += w2
   100  	x3 += w3
   101  	x4 += w4
   102  	x5 += w5
   103  	x6 += w6
   104  	x7 += w7
   105  	x8 += w8
   106  	x9 += w9
   107  	x10 += w10
   108  	x11 += w11
   109  	x12 += w12
   110  	x13 += w13
   111  	x14 += w14
   112  	x15 += w15
   113  
   114  	out[0], tmp[0] = x0, x0
   115  	out[1], tmp[1] = x1, x1
   116  	out[2], tmp[2] = x2, x2
   117  	out[3], tmp[3] = x3, x3
   118  	out[4], tmp[4] = x4, x4
   119  	out[5], tmp[5] = x5, x5
   120  	out[6], tmp[6] = x6, x6
   121  	out[7], tmp[7] = x7, x7
   122  	out[8], tmp[8] = x8, x8
   123  	out[9], tmp[9] = x9, x9
   124  	out[10], tmp[10] = x10, x10
   125  	out[11], tmp[11] = x11, x11
   126  	out[12], tmp[12] = x12, x12
   127  	out[13], tmp[13] = x13, x13
   128  	out[14], tmp[14] = x14, x14
   129  	out[15], tmp[15] = x15, x15
   130  }
   131  
   132  func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
   133  	blockCopy(tmp[:], in[(2*r-1)*16:], 16)
   134  	for i := 0; i < 2*r; i += 2 {
   135  		salsaXOR(tmp, in[i*16:], out[i*8:])
   136  		salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
   137  	}
   138  }
   139  
   140  func integer(b []uint32, r int) uint64 {
   141  	j := (2*r - 1) * 16
   142  	return uint64(b[j]) | uint64(b[j+1])<<32
   143  }
   144  
   145  func smix(b []byte, r, N int, v, xy []uint32) {
   146  	var tmp [16]uint32
   147  	R := 32 * r
   148  	x := xy
   149  	y := xy[R:]
   150  
   151  	j := 0
   152  	for i := 0; i < R; i++ {
   153  		x[i] = binary.LittleEndian.Uint32(b[j:])
   154  		j += 4
   155  	}
   156  	for i := 0; i < N; i += 2 {
   157  		blockCopy(v[i*R:], x, R)
   158  		blockMix(&tmp, x, y, r)
   159  
   160  		blockCopy(v[(i+1)*R:], y, R)
   161  		blockMix(&tmp, y, x, r)
   162  	}
   163  	for i := 0; i < N; i += 2 {
   164  		j := int(integer(x, r) & uint64(N-1))
   165  		blockXOR(x, v[j*R:], R)
   166  		blockMix(&tmp, x, y, r)
   167  
   168  		j = int(integer(y, r) & uint64(N-1))
   169  		blockXOR(y, v[j*R:], R)
   170  		blockMix(&tmp, y, x, r)
   171  	}
   172  	j = 0
   173  	for _, v := range x[:R] {
   174  		binary.LittleEndian.PutUint32(b[j:], v)
   175  		j += 4
   176  	}
   177  }
   178  
   179  // Key derives a key from the password, salt, and cost parameters, returning
   180  // a byte slice of length keyLen that can be used as cryptographic key.
   181  //
   182  // N is a CPU/memory cost parameter, which must be a power of two greater than 1.
   183  // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
   184  // limits, the function returns a nil byte slice and an error.
   185  //
   186  // For example, you can get a derived key for e.g. AES-256 (which needs a
   187  // 32-byte key) by doing:
   188  //
   189  //	dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32)
   190  //
   191  // The recommended parameters for interactive logins as of 2017 are N=32768, r=8
   192  // and p=1. The parameters N, r, and p should be increased as memory latency and
   193  // CPU parallelism increases; consider setting N to the highest power of 2 you
   194  // can derive within 100 milliseconds. Remember to get a good random salt.
   195  func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
   196  	if N <= 1 || N&(N-1) != 0 {
   197  		return nil, errors.New("scrypt: N must be > 1 and a power of 2")
   198  	}
   199  	if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
   200  		return nil, errors.New("scrypt: parameters are too large")
   201  	}
   202  
   203  	xy := make([]uint32, 64*r)
   204  	v := make([]uint32, 32*N*r)
   205  	b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
   206  
   207  	for i := 0; i < p; i++ {
   208  		smix(b[i*128*r:], r, N, v, xy)
   209  	}
   210  
   211  	return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
   212  }
   213
View as plain text