Merge pull request #1148 from restic/update-simple-scrypt

Lock simple-scrypt library to master branch
2024-11-09 14:50:56 +00:00 · 2017-08-05 20:04:33 +02:00 · 2017-08-05 20:04:33 +02:00 · 6724b9a583
commit 6724b9a583
parent 4477d76f03 41c35b2218
7 changed files with 148 additions and 20 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -14,10 +14,10 @@
  version = "v1.0.6"

 [[projects]]
+  branch = "master"
  name = "github.com/elithrar/simple-scrypt"
  packages = ["."]
-  revision = "47767683c6c880a9f89e48d376c70de7f5268951"
-  version = "v1.1"
+  revision = "6724715de445c2e70cdafb7a1a14c8cfe0984210"

 [[projects]]
  name = "github.com/go-ini/ini"
@ -142,6 +142,6 @@
 [solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
-  inputs-digest = "10287830033309dd91c5e7e381e1a56cd3bf135fd4e776954232c404c39be210"
+  inputs-digest = "0783f6c5ff3952c10a8ea9ba5e80dcc816e95f9934983b772764b867d9be7eb8"
  solver-name = "gps-cdcl"
  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -27,7 +27,7 @@

 [[constraint]]
  name = "github.com/elithrar/simple-scrypt"
-  version = "1.1.0"
+  branch = "master"

 [[constraint]]
  name = "github.com/kurin/blazer"
--- a/vendor/github.com/elithrar/simple-scrypt/.travis.yml
+++ b/vendor/github.com/elithrar/simple-scrypt/.travis.yml
@ -1,13 +1,16 @@
 language: go
+
 sudo: false
+
 go:
  - 1.2
  - 1.3
  - 1.4
  - 1.5
+  - 1.6
+  - 1.7
  - tip
-install:
-  - go get golang.org/x/tools/cmd/vet
+
 script:
  - go get -t -v ./...
  - diff -u <(echo -n) <(gofmt -d -s .)
--- a/vendor/github.com/elithrar/simple-scrypt/README.md
+++ b/vendor/github.com/elithrar/simple-scrypt/README.md
@ -16,6 +16,14 @@ The API closely mirrors Go's [bcrypt](https://golang.org/x/crypto/bcrypt)
 library in an effort to make it easy to migrate—and because it's an easy to grok
 API.

+## Installation
+
+With a [working Go toolchain](https://golang.org/doc/code.html):
+
+```sh
+go get -u github.com/elithrar/simple-scrypt
+```
+
 ## Example

 simple-scrypt doesn't try to re-invent the wheel or do anything "special". It
@ -95,14 +103,51 @@ func main() {
 }
 ```

-## TO-DO:
+## Automatically Determining Parameters

-The following features are planned. PRs are welcome.
+Thanks to the work by [tgulacsi](https://github.com/tgulacsi), you can have simple-scrypt
+automatically determine the optimal parameters for you (time vs. memory). You should run this once
+on program startup, as calibrating parameters can be an expensive operation.

- [x] Tag a release build.
- [x] Automatically calculate "optimal" values for N, r, p similar [to the Ruby scrypt library](https://github.com/pbhogan/scrypt/blob/master/lib/scrypt.rb#L97-L146)
-   e.g. `func Calibrate(duration int, mem int, fallback Params) (Params, error)`
-   - contributed thanks to @tgulacsi.
+```go
+var params scrypt.Params
+
+func main() {
+    var err error
+    // 500ms, 64MB of RAM per hash.
+    params, err = scrypt.Calibrate(500*time.Millisecond, 64, Params{})
+    if err != nil {
+        return nil, err
+    }
+
+    ...
+}
+
+func RegisterUserHandler(w http.ResponseWriter, r *http.Request) {
+    err := r.ParseForm()
+    if err != nil {
+        http.Error(w, err.Error(), http.StatusBadRequest)
+        return
+    }
+
+    // Make sure you validate: not empty, not too long, etc.
+    email := r.PostFormValue("email")
+    pass := r.PostFormValue("password")
+
+    // Use our calibrated parameters
+    hash, err := scrypt.GenerateFromPassword([]byte(pass), params)
+    if err != nil {
+        http.Error(w, err.Error(), http.StatusBadRequest)
+        return
+    }
+
+    // Save to DB, etc.
+}
+```
+
+Be aware that increasing these, whilst making it harder to brute-force the resulting hash, also
+increases the risk of a denial-of-service attack against your server. A surge in authenticate
+attempts (even if legitimate!) could consume all available resources.

 ## License

--- a/vendor/github.com/elithrar/simple-scrypt/compositor.json
+++ b/vendor/github.com/elithrar/simple-scrypt/compositor.json
--- a/vendor/github.com/elithrar/simple-scrypt/scrypt.go
+++ b/vendor/github.com/elithrar/simple-scrypt/scrypt.go
@ -260,7 +260,7 @@ func Calibrate(timeout time.Duration, memMiBytes int, params Params) (Params, er
 	var again bool
 	memBytes := memMiBytes << 20
 	// If we'd use more memory then the allowed, we can tune the memory usage
-	for 128*p.R*p.N > memBytes {
+	for 128*int64(p.R)*int64(p.N) > int64(memBytes) {
 		if p.R > 1 {
 			// by lowering r
 			p.R--
--- a/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go
+++ b/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go
@ -23,11 +23,11 @@ var testParams = []struct {
 	{true, Params{1048576, 8, 2, 64, 128}},
 	{false, Params{-1, 8, 1, 16, 32}},          // invalid N
 	{false, Params{0, 8, 1, 16, 32}},           // invalid N
-	{false, Params{1 << 31, 8, 1, 16, 32}},     // invalid N
+	{false, Params{1<<31 - 1, 8, 1, 16, 32}},   // invalid N
 	{false, Params{16384, 0, 12, 16, 32}},      // invalid R
 	{false, Params{16384, 8, 0, 16, 32}},       // invalid R > maxInt/128/P
 	{false, Params{16384, 1 << 24, 1, 16, 32}}, // invalid R > maxInt/256
-	{false, Params{1 << 31, 8, 0, 16, 32}},     // invalid p < 0
+	{false, Params{1<<31 - 1, 8, 0, 16, 32}},   // invalid p < 0
 	{false, Params{4096, 8, 1, 5, 32}},         // invalid SaltLen
 	{false, Params{4096, 8, 1, 16, 2}},         // invalid DKLen
 }