| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | package crypto | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	"crypto/rand" | 
					
						
							|  |  |  | 	"time" | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-23 14:21:03 +02:00
										 |  |  | 	"github.com/restic/restic/internal/errors" | 
					
						
							| 
									
										
										
										
											2016-09-04 13:24:51 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	sscrypt "github.com/elithrar/simple-scrypt" | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 	"golang.org/x/crypto/scrypt" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | const saltLength = 64 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-10-28 10:28:29 +02:00
										 |  |  | // Params are the default parameters used for the key derivation function KDF(). | 
					
						
							|  |  |  | type Params struct { | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	N int | 
					
						
							|  |  |  | 	R int | 
					
						
							|  |  |  | 	P int | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // DefaultKDFParams are the default parameters used for Calibrate and KDF(). | 
					
						
							| 
									
										
										
										
											2017-10-28 10:28:29 +02:00
										 |  |  | var DefaultKDFParams = Params{ | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	N: sscrypt.DefaultParams.N, | 
					
						
							|  |  |  | 	R: sscrypt.DefaultParams.R, | 
					
						
							|  |  |  | 	P: sscrypt.DefaultParams.P, | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Calibrate determines new KDF parameters for the current hardware. | 
					
						
							| 
									
										
										
										
											2017-10-28 10:28:29 +02:00
										 |  |  | func Calibrate(timeout time.Duration, memory int) (Params, error) { | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	defaultParams := sscrypt.Params{ | 
					
						
							|  |  |  | 		N:       DefaultKDFParams.N, | 
					
						
							|  |  |  | 		R:       DefaultKDFParams.R, | 
					
						
							|  |  |  | 		P:       DefaultKDFParams.P, | 
					
						
							|  |  |  | 		DKLen:   sscrypt.DefaultParams.DKLen, | 
					
						
							|  |  |  | 		SaltLen: sscrypt.DefaultParams.SaltLen, | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	params, err := sscrypt.Calibrate(timeout, memory, defaultParams) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							| 
									
										
										
										
											2016-08-29 22:16:58 +02:00
										 |  |  | 		return DefaultKDFParams, errors.Wrap(err, "scrypt.Calibrate") | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-10-28 10:28:29 +02:00
										 |  |  | 	return Params{ | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 		N: params.N, | 
					
						
							|  |  |  | 		R: params.R, | 
					
						
							|  |  |  | 		P: params.P, | 
					
						
							|  |  |  | 	}, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | // KDF derives encryption and message authentication keys from the password | 
					
						
							|  |  |  | // using the supplied parameters N, R and P and the Salt. | 
					
						
							| 
									
										
										
										
											2017-10-28 10:28:29 +02:00
										 |  |  | func KDF(p Params, salt []byte, password string) (*Key, error) { | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	if len(salt) != saltLength { | 
					
						
							| 
									
										
										
										
											2016-08-21 17:48:36 +02:00
										 |  |  | 		return nil, errors.Errorf("scrypt() called with invalid salt bytes (len %d)", len(salt)) | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// make sure we have valid parameters | 
					
						
							|  |  |  | 	params := sscrypt.Params{ | 
					
						
							|  |  |  | 		N:       p.N, | 
					
						
							|  |  |  | 		R:       p.R, | 
					
						
							|  |  |  | 		P:       p.P, | 
					
						
							|  |  |  | 		DKLen:   sscrypt.DefaultParams.DKLen, | 
					
						
							|  |  |  | 		SaltLen: len(salt), | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if err := params.Check(); err != nil { | 
					
						
							| 
									
										
										
										
											2016-08-29 22:16:58 +02:00
										 |  |  | 		return nil, errors.Wrap(err, "Check") | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	derKeys := &Key{} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	keybytes := macKeySize + aesKeySize | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 	scryptKeys, err := scrypt.Key([]byte(password), salt, p.N, p.R, p.P, keybytes) | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 	if err != nil { | 
					
						
							| 
									
										
										
										
											2016-08-29 22:16:58 +02:00
										 |  |  | 		return nil, errors.Wrap(err, "scrypt.Key") | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if len(scryptKeys) != keybytes { | 
					
						
							| 
									
										
										
										
											2016-08-21 17:48:36 +02:00
										 |  |  | 		return nil, errors.Errorf("invalid numbers of bytes expanded from scrypt(): %d", len(scryptKeys)) | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// first 32 byte of scrypt output is the encryption key | 
					
						
							| 
									
										
										
										
											2017-06-19 21:12:53 +02:00
										 |  |  | 	copy(derKeys.EncryptionKey[:], scryptKeys[:aesKeySize]) | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// next 32 byte of scrypt output is the mac key, in the form k||r | 
					
						
							| 
									
										
										
										
											2017-06-19 21:12:53 +02:00
										 |  |  | 	macKeyFromSlice(&derKeys.MACKey, scryptKeys[aesKeySize:]) | 
					
						
							| 
									
										
										
										
											2016-08-21 11:33:46 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return derKeys, nil | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2016-08-21 12:32:38 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | // NewSalt returns new random salt bytes to use with KDF(). If NewSalt returns | 
					
						
							|  |  |  | // an error, this is a grave situation and the program must abort and terminate. | 
					
						
							|  |  |  | func NewSalt() ([]byte, error) { | 
					
						
							|  |  |  | 	buf := make([]byte, saltLength) | 
					
						
							|  |  |  | 	n, err := rand.Read(buf) | 
					
						
							|  |  |  | 	if n != saltLength || err != nil { | 
					
						
							|  |  |  | 		panic("unable to read enough random bytes for new salt") | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return buf, nil | 
					
						
							|  |  |  | } |