Files

ahash

convert.rsfallback_hash.rsfolded_multiply.rslib.rsrandom_state.rs

aho_corasick

packed

teddy

compile.rsmod.rsruntime.rs

api.rsmod.rspattern.rsrabinkarp.rsvector.rs

ahocorasick.rsautomaton.rsbuffer.rsbyte_frequencies.rsclasses.rsdfa.rserror.rslib.rsnfa.rsprefilter.rsstate_id.rs

ansi_term

ansi.rsdebug.rsdifference.rsdisplay.rslib.rsstyle.rsutil.rswindows.rswrite.rs

anyhow

backtrace.rschain.rscontext.rsensure.rserror.rsfmt.rskind.rslib.rsmacros.rsptr.rswrapper.rs

atty

lib.rs

bech32

lib.rs

bincode

config

endian.rsint.rslegacy.rslimit.rsmod.rstrailing.rs

de

mod.rsread.rs

ser

mod.rs

byteorder.rserror.rsinternal.rslib.rs

bit_set

lib.rs

bit_vec

lib.rs

bitcoin

blockdata

block.rsconstants.rsmod.rsopcodes.rsscript.rstransaction.rs

consensus

encode.rsmod.rsparams.rs

network

constants.rsmod.rs

policy

mod.rs

util

psbt

map

global.rsinput.rsmod.rsoutput.rs

error.rsmacros.rsmod.rsraw.rsserialize.rs

address.rsamount.rsbase58.rsbip143.rsbip158.rsbip32.rscontracthash.rsecdsa.rsendian.rshash.rskey.rsmerkleblock.rsmisc.rsmod.rsschnorr.rstaproot.rsuint.rs

hash_types.rsinternal_macros.rslib.rs

bitcoin_hashes

cmp.rserror.rshash160.rshex.rshmac.rsimpls.rslib.rsripemd160.rsserde_macros.rssha1.rssha256.rssha256d.rssha256t.rssha512.rssiphash24.rsutil.rs

bitflags

lib.rs

cfg_if

lib.rs

clap

app

help.rsmeta.rsmod.rsparser.rssettings.rsusage.rsvalidator.rs

args

arg_builder

base.rsflag.rsmod.rsoption.rspositional.rsswitched.rsvalued.rs

any_arg.rsarg.rsarg_matcher.rsarg_matches.rsgroup.rsmacros.rsmatched_arg.rsmod.rssettings.rssubcommand.rs

completions

bash.rselvish.rsfish.rsmacros.rsmod.rspowershell.rsshell.rszsh.rs

errors.rsfmt.rslib.rsmacros.rsmap.rsosstringext.rsstrext.rssuggestions.rsusage_parser.rs

convert_case

case.rsconverter.rslib.rspattern.rssegmentation.rs

core2

io

cursor.rserror.rsimpls.rsmod.rstraits.rsutil.rs

error.rslib.rs

crunchy

lib.rs

cryptoxide

blake2

common.rsmod.rsreference.rs

chacha

mod.rssse2.rs

sha2

impl256

mod.rsreference.rs

impl512

mod.rsreference.rs

eng256.rseng512.rsinitials.rsmod.rs

blake2b.rsblake2s.rschacha20.rschacha20poly1305.rscryptoutil.rscurve25519.rsdigest.rsed25519.rshkdf.rshmac.rslib.rsmac.rspbkdf2.rspoly1305.rssalsa20.rsscrypt.rssha1.rssha3.rssimd.rsutil.rs

enum_primitive

lib.rs

fancy_regex

analyze.rscompile.rserror.rsexpand.rslib.rsparse.rsreplacer.rsvm.rs

hashbrown

external_trait_impls

mod.rs

raw

bitmask.rsmod.rssse2.rs

lib.rsmacros.rsmap.rsscopeguard.rsset.rs

hex

error.rslib.rs

hex_literal

comments.rslib.rs

itoa

lib.rsudiv128.rs

libc

unix

linux_like

linux

arch

generic

mod.rs

mod.rs

gnu

b64

x86_64

align.rsmod.rsnot_x32.rs

mod.rs

align.rsmod.rs

align.rsmod.rsnon_exhaustive.rs

mod.rs

align.rsmod.rs

fixed_width_ints.rslib.rsmacros.rs

libloading

os

unix

mod.rs

mod.rs

changelog.rslib.rsutil.rs

memchr

memchr

x86

avx.rsmod.rssse2.rs

fallback.rsiter.rsmod.rsnaive.rs

memmem

prefilter

x86

avx.rsmod.rssse.rs

fallback.rsgenericsimd.rsmod.rs

x86

avx.rsmod.rssse.rs

byte_frequencies.rsgenericsimd.rsmod.rsrabinkarp.rsrarebytes.rstwoway.rsutil.rsvector.rs

cow.rslib.rs

num

lib.rs

num_bigint

bigint

addition.rsbits.rsconvert.rsdivision.rsmultiplication.rspower.rsshift.rssubtraction.rs

biguint

addition.rsbits.rsconvert.rsdivision.rsiter.rsmonty.rsmultiplication.rspower.rsshift.rssubtraction.rs

bigint.rsbiguint.rslib.rsmacros.rs

num_complex

cast.rslib.rspow.rs

num_integer

average.rslib.rsroots.rs

num_iter

lib.rs

num_rational

lib.rspow.rs

num_traits

ops

checked.rsinv.rsmod.rsmul_add.rsoverflowing.rssaturating.rswrapping.rs

bounds.rscast.rsfloat.rsidentities.rsint.rslib.rsmacros.rspow.rsreal.rssign.rs

ordered_float

lib.rs

paste

attr.rserror.rslib.rssegment.rs

proc_macro2

detection.rsfallback.rslib.rsmarker.rsparse.rswrapper.rs

proc_macro_error

imp

delegate.rs

diagnostic.rsdummy.rslib.rsmacros.rssealed.rs

proc_macro_error_attr

lib.rsparse.rssettings.rs

qimalloc

lib.rs

quote

ext.rsformat.rsident_fragment.rslib.rsruntime.rsspanned.rsto_tokens.rs

regex

literal

imp.rsmod.rs

backtrack.rscompile.rsdfa.rserror.rsexec.rsexpand.rsfind_byte.rsinput.rslib.rspikevm.rspool.rsprog.rsre_builder.rsre_bytes.rsre_set.rsre_trait.rsre_unicode.rssparse.rsutf8.rs

regex_syntax

ast

mod.rsparse.rsprint.rsvisitor.rs

hir

literal

mod.rs

interval.rsmod.rsprint.rstranslate.rsvisitor.rs

unicode_tables

age.rscase_folding_simple.rsgeneral_category.rsgrapheme_cluster_break.rsmod.rsperl_word.rsproperty_bool.rsproperty_names.rsproperty_values.rsscript.rsscript_extension.rssentence_break.rsword_break.rs

either.rserror.rslib.rsparser.rsunicode.rsutf8.rs

remain

atom.rscheck.rscompare.rsemit.rsformat.rslib.rsparse.rsvisit.rs

rust_ssvm

lib.rs

ryu

buffer

mod.rs

pretty

exponent.rsmantissa.rsmod.rs

common.rsd2s.rsd2s_full_table.rsd2s_intrinsics.rsdigit_table.rsf2s.rsf2s_intrinsics.rslib.rs

secp256k1

constants.rscontext.rsecdh.rskey.rslib.rsmacros.rsschnorrsig.rs

secp256k1_sys

lib.rsmacros.rstypes.rs

serde

de

format.rsignored_any.rsimpls.rsmod.rsseed.rsutf8.rsvalue.rs

private

de.rsdoc.rsmod.rsser.rssize_hint.rs

ser

fmt.rsimpls.rsimpossible.rsmod.rs

integer128.rslib.rsmacros.rs

serde_derive

internals

ast.rsattr.rscase.rscheck.rsctxt.rsmod.rsreceiver.rsrespan.rssymbol.rs

bound.rsde.rsdummy.rsfragment.rslib.rspretend.rsser.rstry.rs

serde_json

features_check

mod.rs

io

mod.rs

value

de.rsfrom.rsindex.rsmod.rspartial_eq.rsser.rs

de.rserror.rsiter.rslib.rsmacros.rsmap.rsnumber.rsread.rsser.rs

serde_value

de.rslib.rsser.rs

sewup

kv

traits

key.rsmod.rsvalue.rsvec.rs

bucket.rserrors.rsmod.rs

rdb

db.rserrors.rsmod.rstable.rstraits.rs

runtimes

handler.rsmod.rstest.rstraits.rs

token

erc1155.rserc20.rserc721.rshelpers.rsmod.rs

types

address.rserrors.rsmod.rsraw.rsrow.rssized_str.rs

errors.rslib.rsprimitives.rsutils.rs

sewup_derive

lib.rs

ss_ewasm_api

lib.rsnative.rstypes.rsutils.rs

ssvm_evmc_client

host.rslib.rsloader.rstypes.rs

ssvm_evmc_sys

lib.rs

strsim

lib.rs

syn

gen

clone.rsgen_helper.rsvisit_mut.rs

attr.rsawait.rsbigint.rsbuffer.rscustom_keyword.rscustom_punctuation.rsdata.rsderive.rsdiscouraged.rserror.rsexport.rsexpr.rsext.rsfile.rsgenerics.rsgroup.rsident.rsitem.rslib.rslifetime.rslit.rslookahead.rsmac.rsmacros.rsop.rsparse.rsparse_macro_input.rsparse_quote.rspat.rspath.rsprint.rspunctuated.rsreserved.rssealed.rsspan.rsspanned.rsstmt.rsthread.rstoken.rsty.rsverbatim.rswhitespace.rs

textwrap

indentation.rslib.rssplitting.rs

thiserror

aserror.rsdisplay.rslib.rs

thiserror_impl

ast.rsattr.rsexpand.rsfmt.rsgenerics.rslib.rsprop.rsvalid.rs

tiny_keccak

keccak.rskeccakf.rslib.rssha3.rs

toml

datetime.rsde.rslib.rsmacros.rsmap.rsser.rsspanned.rstokens.rsvalue.rs

unicode_width

lib.rstables.rs

unicode_xid

lib.rstables.rs

vec_map

lib.rs

>

//! Implements the Scrypt key derivation function as [Specification][1].
//!
//! # Examples
//!
//! ```
//! use cryptoxide::scrypt::{scrypt, ScryptParams};
//!
//! let password = b"password";
//! let salt = b"salt";
//! let params = ScryptParams::new(4, 1, 1);
//! let mut out = [0u8; 64];
//! scrypt(password, salt, &params, &mut out);
//! ```
//!
//! # References
//! [1]: <http://www.tarsnap.com/scrypt/scrypt.pdf>
//!

use alloc::vec::Vec;
use core::iter::repeat;
use core::mem::size_of;

use crate::cryptoutil::copy_memory;
use crate::cryptoutil::{read_u32_le, read_u32v_le, write_u32_le};
use crate::hmac::Hmac;
use crate::pbkdf2::pbkdf2;
use crate::sha2::Sha256;

// The salsa20/8 core function.
fn salsa20_8(input: &[u8], output: &mut [u8]) {
    let mut x = [0u32; 16];
    read_u32v_le(&mut x, input);

    let rounds = 8;

    macro_rules! run_round (
        ($($set_idx:expr, $idx_a:expr, $idx_b:expr, $rot:expr);*) => { {
            $( x[$set_idx] ^= x[$idx_a].wrapping_add(x[$idx_b]).rotate_left($rot); )*
        } }
    );

    for _ in 0..rounds / 2 {
        run_round!(
            0x4, 0x0, 0xc, 7;
            0x8, 0x4, 0x0, 9;
            0xc, 0x8, 0x4, 13;
            0x0, 0xc, 0x8, 18;
            0x9, 0x5, 0x1, 7;
            0xd, 0x9, 0x5, 9;
            0x1, 0xd, 0x9, 13;
            0x5, 0x1, 0xd, 18;
            0xe, 0xa, 0x6, 7;
            0x2, 0xe, 0xa, 9;
            0x6, 0x2, 0xe, 13;
            0xa, 0x6, 0x2, 18;
            0x3, 0xf, 0xb, 7;
            0x7, 0x3, 0xf, 9;
            0xb, 0x7, 0x3, 13;
            0xf, 0xb, 0x7, 18;
            0x1, 0x0, 0x3, 7;
            0x2, 0x1, 0x0, 9;
            0x3, 0x2, 0x1, 13;
            0x0, 0x3, 0x2, 18;
            0x6, 0x5, 0x4, 7;
            0x7, 0x6, 0x5, 9;
            0x4, 0x7, 0x6, 13;
            0x5, 0x4, 0x7, 18;
            0xb, 0xa, 0x9, 7;
            0x8, 0xb, 0xa, 9;
            0x9, 0x8, 0xb, 13;
            0xa, 0x9, 0x8, 18;
            0xc, 0xf, 0xe, 7;
            0xd, 0xc, 0xf, 9;
            0xe, 0xd, 0xc, 13;
            0xf, 0xe, 0xd, 18
        )
    }

    for i in 0..16 {
        write_u32_le(
            &mut output[i * 4..(i + 1) * 4],
            x[i].wrapping_add(read_u32_le(&input[i * 4..(i + 1) * 4])),
        );
    }
}

fn xor(x: &[u8], y: &[u8], output: &mut [u8]) {
    for ((out, &x_i), &y_i) in output.iter_mut().zip(x.iter()).zip(y.iter()) {
        *out = x_i ^ y_i;
    }
}

// Execute the BlockMix operation
// input - the input vector. The length must be a multiple of 128.
// output - the output vector. Must be the same length as input.
fn scrypt_block_mix(input: &[u8], output: &mut [u8]) {
    let mut x = [0u8; 64];
    copy_memory(&input[input.len() - 64..], &mut x);

    let mut t = [0u8; 64];

    for (i, chunk) in input.chunks(64).enumerate() {
        xor(&x, chunk, &mut t);
        salsa20_8(&t, &mut x);
        let pos = if i % 2 == 0 {
            (i / 2) * 64
        } else {
            (i / 2) * 64 + input.len() / 2
        };
        copy_memory(&x, &mut output[pos..pos + 64]);
    }
}

// Execute the ROMix operation in-place.
// b - the data to operate on
// v - a temporary variable to store the vector V
// t - a temporary variable to store the result of the xor
// n - the scrypt parameter N
fn scrypt_ro_mix(b: &mut [u8], v: &mut [u8], t: &mut [u8], n: usize) {
    fn integerify(x: &[u8], n: usize) -> usize {
        // n is a power of 2, so n - 1 gives us a bitmask that we can use to perform a calculation
        // mod n using a simple bitwise and.
        let mask = n - 1;
        // This cast is safe since we're going to get the value mod n (which is a power of 2), so we
        // don't have to care about truncating any of the high bits off
        let result = (read_u32_le(&x[x.len() - 64..x.len() - 60]) as usize) & mask;
        result
    }

    let len = b.len();

    for chunk in v.chunks_mut(len) {
        copy_memory(b, chunk);
        scrypt_block_mix(chunk, b);
    }

    for _ in 0..n {
        let j = integerify(b, n);
        xor(b, &v[j * len..(j + 1) * len], t);
        scrypt_block_mix(t, b);
    }
}

/**
 * The Scrypt parameter values.
 */
#[derive(Clone, Copy)]
pub struct ScryptParams {
    log_n: u8,
    r: u32,
    p: u32,
}

impl ScryptParams {
    /**
     * Create a new instance of ScryptParams.
     *
     * # Arguments
     *
     * * log_n - The log2 of the Scrypt parameter N
     * * r - The Scrypt parameter r
     * * p - The Scrypt parameter p
     *
     */
    pub fn new(log_n: u8, r: u32, p: u32) -> ScryptParams {
        assert!(r > 0);
        assert!(p > 0);
        assert!(log_n > 0);
        assert!((log_n as usize) < size_of::<usize>() * 8);
        assert!(
            size_of::<usize>() >= size_of::<u32>()
                || (r <= core::usize::MAX as u32 && p < core::usize::MAX as u32)
        );

        let r = r as usize;
        let p = p as usize;

        let n: usize = 1 << log_n;

        // check that r * 128 doesn't overflow
        let r128 = match r.checked_mul(128) {
            Some(x) => x,
            None => panic!("Invalid Scrypt parameters."),
        };

        // check that n * r * 128 doesn't overflow
        match r128.checked_mul(n) {
            Some(_) => {}
            None => panic!("Invalid Scrypt parameters."),
        };

        // check that p * r * 128 doesn't overflow
        match r128.checked_mul(p) {
            Some(_) => {}
            None => panic!("Invalid Scrypt parameters."),
        };

        // This check required by Scrypt:
        // check: n < 2^(128 * r / 8)
        // r * 16 won't overflow since r128 didn't
        assert!((log_n as usize) < r * 16);

        // This check required by Scrypt:
        // check: p <= ((2^32-1) * 32) / (128 * r)
        // It takes a bit of re-arranging to get the check above into this form, but, it is indeed
        // the same.
        assert!(r * p < 0x40000000);

        ScryptParams {
            log_n: log_n,
            r: r as u32,
            p: p as u32,
        }
    }
}

/**
 * The scrypt key derivation function.
 *
 * # Arguments
 *
 * * password - The password to process as a byte vector
 * * salt - The salt value to use as a byte vector
 * * params - The ScryptParams to use
 * * output - The resulting derived key is returned in this byte vector.
 *
 */
pub fn scrypt(password: &[u8], salt: &[u8], params: &ScryptParams, output: &mut [u8]) {
    // This check required by Scrypt:
    // check output.len() > 0 && output.len() <= (2^32 - 1) * 32
    assert!(output.len() > 0);
    assert!(output.len() / 32 <= 0xffffffff);

    // The checks in the ScryptParams constructor guarantee that the following is safe:
    let n = 1 << params.log_n;
    let r128 = (params.r as usize) * 128;
    let pr128 = (params.p as usize) * r128;
    let nr128 = n * r128;

    let mut mac = Hmac::new(Sha256::new(), password);

    let mut b: Vec<u8> = repeat(0).take(pr128).collect();
    pbkdf2(&mut mac, salt, 1, &mut b);

    let mut v: Vec<u8> = repeat(0).take(nr128).collect();
    let mut t: Vec<u8> = repeat(0).take(r128).collect();

    for chunk in &mut b.chunks_mut(r128) {
        scrypt_ro_mix(chunk, &mut v, &mut t, n);
    }

    pbkdf2(&mut mac, &*b, 1, output);
}

#[cfg(test)]
mod test {
    use alloc::vec::Vec;
    use core::iter::repeat;

    use super::{scrypt, ScryptParams};

    struct Test {
        password: &'static str,
        salt: &'static str,
        log_n: u8,
        r: u32,
        p: u32,
        expected: Vec<u8>,
    }

    // Test vectors from [1]. The last test vector is omitted because it takes too long to run.

    fn tests() -> Vec<Test> {
        vec![
            Test {
                password: "",
                salt: "",
                log_n: 4,
                r: 1,
                p: 1,
                expected: vec![
                    0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20, 0x3b, 0x19, 0xca, 0x42, 0xc1,
                    0x8a, 0x04, 0x97, 0xf1, 0x6b, 0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8, 0xdf, 0xdf,
                    0xfa, 0x3f, 0xed, 0xe2, 0x14, 0x42, 0xfc, 0xd0, 0x06, 0x9d, 0xed, 0x09, 0x48,
                    0xf8, 0x32, 0x6a, 0x75, 0x3a, 0x0f, 0xc8, 0x1f, 0x17, 0xe8, 0xd3, 0xe0, 0xfb,
                    0x2e, 0x0d, 0x36, 0x28, 0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89, 0x06,
                ],
            },
            Test {
                password: "password",
                salt: "NaCl",
                log_n: 10,
                r: 8,
                p: 16,
                expected: vec![
                    0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, 0x78, 0x56, 0xe7, 0x19, 0x0d,
                    0x01, 0xe9, 0xfe, 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, 0xe7, 0x73,
                    0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3,
                    0x88, 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, 0xc7, 0x27, 0xaf, 0xb9,
                    0x4a, 0x83, 0xee, 0x6d, 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40,
                ],
            },
            Test {
                password: "pleaseletmein",
                salt: "SodiumChloride",
                log_n: 14,
                r: 8,
                p: 1,
                expected: vec![
                    0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48, 0x46, 0x1c, 0x06, 0xcd, 0x81,
                    0xfd, 0x38, 0xeb, 0xfd, 0xa8, 0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e, 0xa9, 0xb5,
                    0x43, 0xf6, 0x54, 0x5d, 0xa1, 0xf2, 0xd5, 0x43, 0x29, 0x55, 0x61, 0x3f, 0x0f,
                    0xcf, 0x62, 0xd4, 0x97, 0x05, 0x24, 0x2a, 0x9a, 0xf9, 0xe6, 0x1e, 0x85, 0xdc,
                    0x0d, 0x65, 0x1e, 0x40, 0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58, 0x87,
                ],
            },
        ]
    }

    #[test]
    fn test_scrypt() {
        let tests = tests();
        for t in tests.iter() {
            let mut result: Vec<u8> = repeat(0).take(t.expected.len()).collect();
            let params = ScryptParams::new(t.log_n, t.r, t.p);
            scrypt(
                t.password.as_bytes(),
                t.salt.as_bytes(),
                &params,
                &mut result,
            );
            assert!(result == t.expected);
        }
    }
}