scrypt.go raw
1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 // Package scrypt implements the scrypt key derivation function as defined in
6 // Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
7 // Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
8 package scrypt
9
10 import (
11 "crypto/sha256"
12 "encoding/binary"
13 "errors"
14 "math/bits"
15
16 "golang.org/x/crypto/pbkdf2"
17 )
18
19 const maxInt = int(^uint(0) >> 1)
20
21 // blockCopy copies n numbers from src into dst.
22 func blockCopy(dst, src []uint32, n int) {
23 copy(dst, src[:n])
24 }
25
26 // blockXOR XORs numbers from dst with n numbers from src.
27 func blockXOR(dst, src []uint32, n int) {
28 for i, v := range src[:n] {
29 dst[i] ^= v
30 }
31 }
32
33 // salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
34 // and puts the result into both tmp and out.
35 func salsaXOR(tmp *[16]uint32, in, out []uint32) {
36 w0 := tmp[0] ^ in[0]
37 w1 := tmp[1] ^ in[1]
38 w2 := tmp[2] ^ in[2]
39 w3 := tmp[3] ^ in[3]
40 w4 := tmp[4] ^ in[4]
41 w5 := tmp[5] ^ in[5]
42 w6 := tmp[6] ^ in[6]
43 w7 := tmp[7] ^ in[7]
44 w8 := tmp[8] ^ in[8]
45 w9 := tmp[9] ^ in[9]
46 w10 := tmp[10] ^ in[10]
47 w11 := tmp[11] ^ in[11]
48 w12 := tmp[12] ^ in[12]
49 w13 := tmp[13] ^ in[13]
50 w14 := tmp[14] ^ in[14]
51 w15 := tmp[15] ^ in[15]
52
53 x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
54 x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
55
56 for i := 0; i < 8; i += 2 {
57 x4 ^= bits.RotateLeft32(x0+x12, 7)
58 x8 ^= bits.RotateLeft32(x4+x0, 9)
59 x12 ^= bits.RotateLeft32(x8+x4, 13)
60 x0 ^= bits.RotateLeft32(x12+x8, 18)
61
62 x9 ^= bits.RotateLeft32(x5+x1, 7)
63 x13 ^= bits.RotateLeft32(x9+x5, 9)
64 x1 ^= bits.RotateLeft32(x13+x9, 13)
65 x5 ^= bits.RotateLeft32(x1+x13, 18)
66
67 x14 ^= bits.RotateLeft32(x10+x6, 7)
68 x2 ^= bits.RotateLeft32(x14+x10, 9)
69 x6 ^= bits.RotateLeft32(x2+x14, 13)
70 x10 ^= bits.RotateLeft32(x6+x2, 18)
71
72 x3 ^= bits.RotateLeft32(x15+x11, 7)
73 x7 ^= bits.RotateLeft32(x3+x15, 9)
74 x11 ^= bits.RotateLeft32(x7+x3, 13)
75 x15 ^= bits.RotateLeft32(x11+x7, 18)
76
77 x1 ^= bits.RotateLeft32(x0+x3, 7)
78 x2 ^= bits.RotateLeft32(x1+x0, 9)
79 x3 ^= bits.RotateLeft32(x2+x1, 13)
80 x0 ^= bits.RotateLeft32(x3+x2, 18)
81
82 x6 ^= bits.RotateLeft32(x5+x4, 7)
83 x7 ^= bits.RotateLeft32(x6+x5, 9)
84 x4 ^= bits.RotateLeft32(x7+x6, 13)
85 x5 ^= bits.RotateLeft32(x4+x7, 18)
86
87 x11 ^= bits.RotateLeft32(x10+x9, 7)
88 x8 ^= bits.RotateLeft32(x11+x10, 9)
89 x9 ^= bits.RotateLeft32(x8+x11, 13)
90 x10 ^= bits.RotateLeft32(x9+x8, 18)
91
92 x12 ^= bits.RotateLeft32(x15+x14, 7)
93 x13 ^= bits.RotateLeft32(x12+x15, 9)
94 x14 ^= bits.RotateLeft32(x13+x12, 13)
95 x15 ^= bits.RotateLeft32(x14+x13, 18)
96 }
97 x0 += w0
98 x1 += w1
99 x2 += w2
100 x3 += w3
101 x4 += w4
102 x5 += w5
103 x6 += w6
104 x7 += w7
105 x8 += w8
106 x9 += w9
107 x10 += w10
108 x11 += w11
109 x12 += w12
110 x13 += w13
111 x14 += w14
112 x15 += w15
113
114 out[0], tmp[0] = x0, x0
115 out[1], tmp[1] = x1, x1
116 out[2], tmp[2] = x2, x2
117 out[3], tmp[3] = x3, x3
118 out[4], tmp[4] = x4, x4
119 out[5], tmp[5] = x5, x5
120 out[6], tmp[6] = x6, x6
121 out[7], tmp[7] = x7, x7
122 out[8], tmp[8] = x8, x8
123 out[9], tmp[9] = x9, x9
124 out[10], tmp[10] = x10, x10
125 out[11], tmp[11] = x11, x11
126 out[12], tmp[12] = x12, x12
127 out[13], tmp[13] = x13, x13
128 out[14], tmp[14] = x14, x14
129 out[15], tmp[15] = x15, x15
130 }
131
132 func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
133 blockCopy(tmp[:], in[(2*r-1)*16:], 16)
134 for i := 0; i < 2*r; i += 2 {
135 salsaXOR(tmp, in[i*16:], out[i*8:])
136 salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
137 }
138 }
139
140 func integer(b []uint32, r int) uint64 {
141 j := (2*r - 1) * 16
142 return uint64(b[j]) | uint64(b[j+1])<<32
143 }
144
145 func smix(b []byte, r, N int, v, xy []uint32) {
146 var tmp [16]uint32
147 R := 32 * r
148 x := xy
149 y := xy[R:]
150
151 j := 0
152 for i := 0; i < R; i++ {
153 x[i] = binary.LittleEndian.Uint32(b[j:])
154 j += 4
155 }
156 for i := 0; i < N; i += 2 {
157 blockCopy(v[i*R:], x, R)
158 blockMix(&tmp, x, y, r)
159
160 blockCopy(v[(i+1)*R:], y, R)
161 blockMix(&tmp, y, x, r)
162 }
163 for i := 0; i < N; i += 2 {
164 j := int(integer(x, r) & uint64(N-1))
165 blockXOR(x, v[j*R:], R)
166 blockMix(&tmp, x, y, r)
167
168 j = int(integer(y, r) & uint64(N-1))
169 blockXOR(y, v[j*R:], R)
170 blockMix(&tmp, y, x, r)
171 }
172 j = 0
173 for _, v := range x[:R] {
174 binary.LittleEndian.PutUint32(b[j:], v)
175 j += 4
176 }
177 }
178
179 // Key derives a key from the password, salt, and cost parameters, returning
180 // a byte slice of length keyLen that can be used as cryptographic key.
181 //
182 // N is a CPU/memory cost parameter, which must be a power of two greater than 1.
183 // r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the
184 // limits, the function returns a nil byte slice and an error.
185 //
186 // For example, you can get a derived key for e.g. AES-256 (which needs a
187 // 32-byte key) by doing:
188 //
189 // dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32)
190 //
191 // The recommended parameters for interactive logins as of 2017 are N=32768, r=8
192 // and p=1. The parameters N, r, and p should be increased as memory latency and
193 // CPU parallelism increases; consider setting N to the highest power of 2 you
194 // can derive within 100 milliseconds. Remember to get a good random salt.
195 func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
196 if N <= 1 || N&(N-1) != 0 {
197 return nil, errors.New("scrypt: N must be > 1 and a power of 2")
198 }
199 if r <= 0 || p <= 0 {
200 return nil, errors.New("scrypt: parameters must be > 0")
201 }
202 if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
203 return nil, errors.New("scrypt: parameters are too large")
204 }
205
206 xy := make([]uint32, 64*r)
207 v := make([]uint32, 32*N*r)
208 b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
209
210 for i := 0; i < p; i++ {
211 smix(b[i*128*r:], r, N, v, xy)
212 }
213
214 return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
215 }
216