1// Copyright 2012 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package scrypt implements the scrypt key derivation function as defined in 6// Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard 7// Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf). 8package scrypt // import "golang.org/x/crypto/scrypt" 9 10import ( 11 "crypto/sha256" 12 "errors" 13 "math/bits" 14 15 "golang.org/x/crypto/pbkdf2" 16) 17 18const maxInt = int(^uint(0) >> 1) 19 20// blockCopy copies n numbers from src into dst. 21func blockCopy(dst, src []uint32, n int) { 22 copy(dst, src[:n]) 23} 24 25// blockXOR XORs numbers from dst with n numbers from src. 26func blockXOR(dst, src []uint32, n int) { 27 for i, v := range src[:n] { 28 dst[i] ^= v 29 } 30} 31 32// salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in, 33// and puts the result into both tmp and out. 34func salsaXOR(tmp *[16]uint32, in, out []uint32) { 35 w0 := tmp[0] ^ in[0] 36 w1 := tmp[1] ^ in[1] 37 w2 := tmp[2] ^ in[2] 38 w3 := tmp[3] ^ in[3] 39 w4 := tmp[4] ^ in[4] 40 w5 := tmp[5] ^ in[5] 41 w6 := tmp[6] ^ in[6] 42 w7 := tmp[7] ^ in[7] 43 w8 := tmp[8] ^ in[8] 44 w9 := tmp[9] ^ in[9] 45 w10 := tmp[10] ^ in[10] 46 w11 := tmp[11] ^ in[11] 47 w12 := tmp[12] ^ in[12] 48 w13 := tmp[13] ^ in[13] 49 w14 := tmp[14] ^ in[14] 50 w15 := tmp[15] ^ in[15] 51 52 x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8 53 x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15 54 55 for i := 0; i < 8; i += 2 { 56 x4 ^= bits.RotateLeft32(x0+x12, 7) 57 x8 ^= bits.RotateLeft32(x4+x0, 9) 58 x12 ^= bits.RotateLeft32(x8+x4, 13) 59 x0 ^= bits.RotateLeft32(x12+x8, 18) 60 61 x9 ^= bits.RotateLeft32(x5+x1, 7) 62 x13 ^= bits.RotateLeft32(x9+x5, 9) 63 x1 ^= bits.RotateLeft32(x13+x9, 13) 64 x5 ^= bits.RotateLeft32(x1+x13, 18) 65 66 x14 ^= bits.RotateLeft32(x10+x6, 7) 67 x2 ^= bits.RotateLeft32(x14+x10, 9) 68 x6 ^= bits.RotateLeft32(x2+x14, 13) 69 x10 ^= bits.RotateLeft32(x6+x2, 18) 70 71 x3 ^= bits.RotateLeft32(x15+x11, 7) 72 x7 ^= bits.RotateLeft32(x3+x15, 9) 73 x11 ^= bits.RotateLeft32(x7+x3, 13) 74 x15 ^= bits.RotateLeft32(x11+x7, 18) 75 76 x1 ^= bits.RotateLeft32(x0+x3, 7) 77 x2 ^= bits.RotateLeft32(x1+x0, 9) 78 x3 ^= bits.RotateLeft32(x2+x1, 13) 79 x0 ^= bits.RotateLeft32(x3+x2, 18) 80 81 x6 ^= bits.RotateLeft32(x5+x4, 7) 82 x7 ^= bits.RotateLeft32(x6+x5, 9) 83 x4 ^= bits.RotateLeft32(x7+x6, 13) 84 x5 ^= bits.RotateLeft32(x4+x7, 18) 85 86 x11 ^= bits.RotateLeft32(x10+x9, 7) 87 x8 ^= bits.RotateLeft32(x11+x10, 9) 88 x9 ^= bits.RotateLeft32(x8+x11, 13) 89 x10 ^= bits.RotateLeft32(x9+x8, 18) 90 91 x12 ^= bits.RotateLeft32(x15+x14, 7) 92 x13 ^= bits.RotateLeft32(x12+x15, 9) 93 x14 ^= bits.RotateLeft32(x13+x12, 13) 94 x15 ^= bits.RotateLeft32(x14+x13, 18) 95 } 96 x0 += w0 97 x1 += w1 98 x2 += w2 99 x3 += w3 100 x4 += w4 101 x5 += w5 102 x6 += w6 103 x7 += w7 104 x8 += w8 105 x9 += w9 106 x10 += w10 107 x11 += w11 108 x12 += w12 109 x13 += w13 110 x14 += w14 111 x15 += w15 112 113 out[0], tmp[0] = x0, x0 114 out[1], tmp[1] = x1, x1 115 out[2], tmp[2] = x2, x2 116 out[3], tmp[3] = x3, x3 117 out[4], tmp[4] = x4, x4 118 out[5], tmp[5] = x5, x5 119 out[6], tmp[6] = x6, x6 120 out[7], tmp[7] = x7, x7 121 out[8], tmp[8] = x8, x8 122 out[9], tmp[9] = x9, x9 123 out[10], tmp[10] = x10, x10 124 out[11], tmp[11] = x11, x11 125 out[12], tmp[12] = x12, x12 126 out[13], tmp[13] = x13, x13 127 out[14], tmp[14] = x14, x14 128 out[15], tmp[15] = x15, x15 129} 130 131func blockMix(tmp *[16]uint32, in, out []uint32, r int) { 132 blockCopy(tmp[:], in[(2*r-1)*16:], 16) 133 for i := 0; i < 2*r; i += 2 { 134 salsaXOR(tmp, in[i*16:], out[i*8:]) 135 salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:]) 136 } 137} 138 139func integer(b []uint32, r int) uint64 { 140 j := (2*r - 1) * 16 141 return uint64(b[j]) | uint64(b[j+1])<<32 142} 143 144func smix(b []byte, r, N int, v, xy []uint32) { 145 var tmp [16]uint32 146 x := xy 147 y := xy[32*r:] 148 149 j := 0 150 for i := 0; i < 32*r; i++ { 151 x[i] = uint32(b[j]) | uint32(b[j+1])<<8 | uint32(b[j+2])<<16 | uint32(b[j+3])<<24 152 j += 4 153 } 154 for i := 0; i < N; i += 2 { 155 blockCopy(v[i*(32*r):], x, 32*r) 156 blockMix(&tmp, x, y, r) 157 158 blockCopy(v[(i+1)*(32*r):], y, 32*r) 159 blockMix(&tmp, y, x, r) 160 } 161 for i := 0; i < N; i += 2 { 162 j := int(integer(x, r) & uint64(N-1)) 163 blockXOR(x, v[j*(32*r):], 32*r) 164 blockMix(&tmp, x, y, r) 165 166 j = int(integer(y, r) & uint64(N-1)) 167 blockXOR(y, v[j*(32*r):], 32*r) 168 blockMix(&tmp, y, x, r) 169 } 170 j = 0 171 for _, v := range x[:32*r] { 172 b[j+0] = byte(v >> 0) 173 b[j+1] = byte(v >> 8) 174 b[j+2] = byte(v >> 16) 175 b[j+3] = byte(v >> 24) 176 j += 4 177 } 178} 179 180// Key derives a key from the password, salt, and cost parameters, returning 181// a byte slice of length keyLen that can be used as cryptographic key. 182// 183// N is a CPU/memory cost parameter, which must be a power of two greater than 1. 184// r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the 185// limits, the function returns a nil byte slice and an error. 186// 187// For example, you can get a derived key for e.g. AES-256 (which needs a 188// 32-byte key) by doing: 189// 190// dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32) 191// 192// The recommended parameters for interactive logins as of 2017 are N=32768, r=8 193// and p=1. The parameters N, r, and p should be increased as memory latency and 194// CPU parallelism increases; consider setting N to the highest power of 2 you 195// can derive within 100 milliseconds. Remember to get a good random salt. 196func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) { 197 if N <= 1 || N&(N-1) != 0 { 198 return nil, errors.New("scrypt: N must be > 1 and a power of 2") 199 } 200 if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r { 201 return nil, errors.New("scrypt: parameters are too large") 202 } 203 204 xy := make([]uint32, 64*r) 205 v := make([]uint32, 32*N*r) 206 b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New) 207 208 for i := 0; i < p; i++ { 209 smix(b[i*128*r:], r, N, v, xy) 210 } 211 212 return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil 213} 214