| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 |
- // Copyright 2012 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- /*
- Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
- 2898 / PKCS #5 v2.0.
- A key derivation function is useful when encrypting data based on a password
- or any other not-fully-random data. It uses a pseudorandom function to derive
- a secure encryption key based on the password.
- While v2.0 of the standard defines only one pseudorandom function to use,
- HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
- Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
- choose, you can pass the `New` functions from the different SHA packages to
- pbkdf2.Key.
- */
- package pbkdf2
- import (
- "crypto/hmac"
- "hash"
- )
- // Key derives a key from the password, salt and iteration count, returning a
- // []byte of length keylen that can be used as cryptographic key. The key is
- // derived based on the method described as PBKDF2 with the HMAC variant using
- // the supplied hash function.
- //
- // For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
- // can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
- // doing:
- //
- // dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
- //
- // Remember to get a good random salt. At least 8 bytes is recommended by the
- // RFC.
- //
- // Using a higher iteration count will increase the cost of an exhaustive
- // search but will also make derivation proportionally slower.
- func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
- return Key64(password, salt, int64(iter), int64(keyLen), h)
- }
- // Key64 derives a key from the password, salt and iteration count, returning a
- // []byte of length keylen that can be used as cryptographic key. Key64 uses
- // int64 for the iteration count and key length to allow larger values.
- // The key is derived based on the method described as PBKDF2 with the HMAC
- // variant using the supplied hash function.
- //
- // For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
- // can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
- // doing:
- //
- // dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
- //
- // Remember to get a good random salt. At least 8 bytes is recommended by the
- // RFC.
- //
- // Using a higher iteration count will increase the cost of an exhaustive
- // search but will also make derivation proportionally slower.
- func Key64(password, salt []byte, iter, keyLen int64, h func() hash.Hash) []byte {
- prf := hmac.New(h, password)
- hashLen := int64(prf.Size())
- numBlocks := (keyLen + hashLen - 1) / hashLen
- var buf [4]byte
- dk := make([]byte, 0, numBlocks*hashLen)
- U := make([]byte, hashLen)
- for block := int64(1); block <= numBlocks; block++ {
- // N.B.: || means concatenation, ^ means XOR
- // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
- // U_1 = PRF(password, salt || uint(i))
- prf.Reset()
- prf.Write(salt)
- buf[0] = byte(block >> 24)
- buf[1] = byte(block >> 16)
- buf[2] = byte(block >> 8)
- buf[3] = byte(block)
- prf.Write(buf[:4])
- dk = prf.Sum(dk)
- T := dk[int64(len(dk))-hashLen:]
- copy(U, T)
- // U_n = PRF(password, U_(n-1))
- for n := int64(2); n <= iter; n++ {
- prf.Reset()
- prf.Write(U)
- U = U[:0]
- U = prf.Sum(U)
- for x := range U {
- T[x] ^= U[x]
- }
- }
- }
- return dk[:keyLen]
- }
|
