diff --git a/Gopkg.lock b/Gopkg.lock index f5da50a3d..686eddf01 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -14,10 +14,10 @@ version = "v1.0.6" [[projects]] + branch = "master" name = "github.com/elithrar/simple-scrypt" packages = ["."] - revision = "47767683c6c880a9f89e48d376c70de7f5268951" - version = "v1.1" + revision = "6724715de445c2e70cdafb7a1a14c8cfe0984210" [[projects]] name = "github.com/go-ini/ini" @@ -142,6 +142,6 @@ [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "10287830033309dd91c5e7e381e1a56cd3bf135fd4e776954232c404c39be210" + inputs-digest = "0783f6c5ff3952c10a8ea9ba5e80dcc816e95f9934983b772764b867d9be7eb8" solver-name = "gps-cdcl" solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml index e0715fadf..4c1f37c82 100644 --- a/Gopkg.toml +++ b/Gopkg.toml @@ -27,7 +27,7 @@ [[constraint]] name = "github.com/elithrar/simple-scrypt" - version = "1.1.0" + branch = "master" [[constraint]] name = "github.com/kurin/blazer" diff --git a/vendor/github.com/elithrar/simple-scrypt/.travis.yml b/vendor/github.com/elithrar/simple-scrypt/.travis.yml index 9fdc47dc6..b495da936 100644 --- a/vendor/github.com/elithrar/simple-scrypt/.travis.yml +++ b/vendor/github.com/elithrar/simple-scrypt/.travis.yml @@ -1,13 +1,16 @@ language: go + sudo: false + go: -- 1.2 -- 1.3 -- 1.4 -- 1.5 -- tip -install: - - go get golang.org/x/tools/cmd/vet + - 1.2 + - 1.3 + - 1.4 + - 1.5 + - 1.6 + - 1.7 + - tip + script: - go get -t -v ./... - diff -u <(echo -n) <(gofmt -d -s .) diff --git a/vendor/github.com/elithrar/simple-scrypt/README.md b/vendor/github.com/elithrar/simple-scrypt/README.md index 45fb82d98..4a093e186 100644 --- a/vendor/github.com/elithrar/simple-scrypt/README.md +++ b/vendor/github.com/elithrar/simple-scrypt/README.md @@ -16,6 +16,14 @@ The API closely mirrors Go's [bcrypt](https://golang.org/x/crypto/bcrypt) library in an effort to make it easy to migrate—and because it's an easy to grok API. +## Installation + +With a [working Go toolchain](https://golang.org/doc/code.html): + +```sh +go get -u github.com/elithrar/simple-scrypt +``` + ## Example simple-scrypt doesn't try to re-invent the wheel or do anything "special". It @@ -95,14 +103,51 @@ func main() { } ``` -## TO-DO: +## Automatically Determining Parameters -The following features are planned. PRs are welcome. +Thanks to the work by [tgulacsi](https://github.com/tgulacsi), you can have simple-scrypt +automatically determine the optimal parameters for you (time vs. memory). You should run this once +on program startup, as calibrating parameters can be an expensive operation. -- [x] Tag a release build. -- [x] Automatically calculate "optimal" values for N, r, p similar [to the Ruby scrypt library](https://github.com/pbhogan/scrypt/blob/master/lib/scrypt.rb#L97-L146) - e.g. `func Calibrate(duration int, mem int, fallback Params) (Params, error)` - - contributed thanks to @tgulacsi. +```go +var params scrypt.Params + +func main() { + var err error + // 500ms, 64MB of RAM per hash. + params, err = scrypt.Calibrate(500*time.Millisecond, 64, Params{}) + if err != nil { + return nil, err + } + + ... +} + +func RegisterUserHandler(w http.ResponseWriter, r *http.Request) { + err := r.ParseForm() + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + + // Make sure you validate: not empty, not too long, etc. + email := r.PostFormValue("email") + pass := r.PostFormValue("password") + + // Use our calibrated parameters + hash, err := scrypt.GenerateFromPassword([]byte(pass), params) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + + // Save to DB, etc. +} +``` + +Be aware that increasing these, whilst making it harder to brute-force the resulting hash, also +increases the risk of a denial-of-service attack against your server. A surge in authenticate +attempts (even if legitimate!) could consume all available resources. ## License diff --git a/vendor/github.com/elithrar/simple-scrypt/compositor.json b/vendor/github.com/elithrar/simple-scrypt/compositor.json new file mode 100644 index 000000000..2f6b01ff1 --- /dev/null +++ b/vendor/github.com/elithrar/simple-scrypt/compositor.json @@ -0,0 +1,80 @@ +{ + "name": "elithrar/simple-scrypt", + "version": "0.1.4", + "libraries": { + "xv": "^1.1.25" + }, + "title": "simple-scrypt", + "branch": "", + "style": { + "name": "Williamsburg", + "componentSet": { + "nav": "nav/BasicNav", + "header": "header/LightBannerHeader", + "article": "article/ReaderArticle", + "footer": "footer/BasicFooter" + }, + "fontFamily": "Montserrat, sans-serif", + "heading": { + "fontWeight": 600, + "letterSpacing": "0.1em" + }, + "colors": { + "text": "#666666", + "background": "#fff", + "primary": "#0099e0", + "secondary": "#ab61ff", + "highlight": "#f7b", + "muted": "#2b2d70", + "border": "#ccd" + } + }, + "content": [ + { + "component": "nav", + "links": [ + { + "href": "https://github.com/elithrar/simple-scrypt", + "text": "GitHub" + } + ] + }, + { + "component": "header", + "heading": "simple-scrypt", + "subhead": "A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go.", + "children": [ + { + "component": "ui/TweetButton", + "text": "simple-scrypt: A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go.", + "url": null + }, + { + "component": "ui/GithubButton", + "user": "elithrar", + "repo": "simple-scrypt" + } + ] + }, + { + "component": "article", + "metadata": { + "source": "github.readme" + }, + "html": "\n

\n

simple-scrypt provides a convenience wrapper around Go's existing\nscrypt package that makes it easier to\nsecurely derive strong keys ("hash user passwords"). This library allows you to:

\n\n

The API closely mirrors Go's bcrypt\nlibrary in an effort to make it easy to migrate—and because it's an easy to grok\nAPI.

\n

Installation

\n

With a working Go toolchain:

\n
go get -u github.com/elithrar/simple-scrypt

Example

\n

simple-scrypt doesn't try to re-invent the wheel or do anything "special". It\nwraps the scrypt.Key function as thinly as possible, generates a\ncrytographically secure salt for you using Go's crypto/rand package, and\nreturns the derived key with the parameters prepended:

\n
package main\n\nimport(\n    "fmt"\n    "log"\n\n    "github.com/elithrar/simple-scrypt"\n)\n\nfunc main() {\n    // e.g. r.PostFormValue("password")\n    passwordFromForm := "prew8fid9hick6c"\n\n    // Generates a derived key of the form "N$r$p$salt$dk" where N, r and p are defined as per\n    // Colin Percival's scrypt paper: http://www.tarsnap.com/scrypt/scrypt.pdf\n    // scrypt.Defaults (N=16384, r=8, p=1) makes it easy to provide these parameters, and\n    // (should you wish) provide your own values via the scrypt.Params type.\n    hash, err := scrypt.GenerateFromPassword([]byte(passwordFromForm), scrypt.DefaultParams)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // Print the derived key with its parameters prepended.\n    fmt.Printf("%s\\n", hash)\n\n    // Uses the parameters from the existing derived key. Return an error if they don't match.\n    err := scrypt.CompareHashAndPassword(hash, []byte(passwordFromForm))\n    if err != nil {\n        log.Fatal(err)\n    }\n}

Upgrading Parameters

\n

Upgrading derived keys from a set of parameters to a "stronger" set of parameters\nas hardware improves, or as you scale (and move your auth process to separate\nhardware), can be pretty useful. Here's how to do it with simple-scrypt:

\n
func main() {\n    // SCENE: We've successfully authenticated a user, compared their submitted\n    // (cleartext) password against the derived key stored in our database, and\n    // now want to upgrade the parameters (more rounds, more parallelism) to\n    // reflect some shiny new hardware we just purchased. As the user is logging\n    // in, we can retrieve the parameters used to generate their key, and if\n    // they don't match our "new" parameters, we can re-generate the key while\n    // we still have the cleartext password in memory\n    // (e.g. before the HTTP request ends).\n    current, err := scrypt.Cost(hash)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // Now to check them against our own Params struct (e.g. using reflect.DeepEquals)\n    // and determine whether we want to generate a new key with our "upgraded" parameters.\n    slower := scrypt.Params{\n        N: 32768,\n        R: 8,\n        P: 2,\n        SaltLen: 16,\n        DKLen: 32,\n    }\n\n    if !reflect.DeepEqual(current, slower) {\n        // Re-generate the key with the slower parameters\n        // here using scrypt.GenerateFromPassword\n    }\n}

Automatically Determining Parameters

\n

Thanks to the work by tgulacsi, you can have simple-scrypt\nautomatically determine the optimal parameters for you (time vs. memory). You should run this once\non program startup, as calibrating parameters can be an expensive operation.

\n
var params scrypt.Params\n\nfunc main() {\n    var err error\n    // 500ms, 64MB of RAM per hash.\n    params, err = scrypt.Calibrate(500*time.Millisecond, 64, Params{})\n    if err != nil {\n        return nil, err\n    }\n\n    ...\n}\n\nfunc RegisterUserHandler(w http.ResponseWriter, r *http.Request) {\n    err := r.ParseForm()\n    if err != nil {\n        http.Error(w, err.Error(), http.StatusBadRequest)\n        return\n    }\n\n    // Make sure you validate: not empty, not too long, etc.\n    email := r.PostFormValue("email")\n    pass := r.PostFormValue("password")\n\n    // Use our calibrated parameters\n    hash, err := scrypt.GenerateFromPassword([]byte(pass), params)\n    if err != nil {\n        http.Error(w, err.Error(), http.StatusBadRequest)\n        return\n    }\n\n    // Save to DB, etc.\n}

Be aware that increasing these, whilst making it harder to brute-force the resulting hash, also\nincreases the risk of a denial-of-service attack against your server. A surge in authenticate\nattempts (even if legitimate!) could consume all available resources.

\n

License

\n

MIT Licensed. See LICENSE file for details.

\n" + }, + { + "component": "footer", + "links": [ + { + "href": "https://github.com/elithrar/simple-scrypt", + "text": "GitHub" + }, + { + "href": "https://github.com/elithrar", + "text": "elithrar" + } + ] + } + ] +} \ No newline at end of file diff --git a/vendor/github.com/elithrar/simple-scrypt/scrypt.go b/vendor/github.com/elithrar/simple-scrypt/scrypt.go index 1f1c085b6..4e3570ccb 100644 --- a/vendor/github.com/elithrar/simple-scrypt/scrypt.go +++ b/vendor/github.com/elithrar/simple-scrypt/scrypt.go @@ -260,7 +260,7 @@ func Calibrate(timeout time.Duration, memMiBytes int, params Params) (Params, er var again bool memBytes := memMiBytes << 20 // If we'd use more memory then the allowed, we can tune the memory usage - for 128*p.R*p.N > memBytes { + for 128*int64(p.R)*int64(p.N) > int64(memBytes) { if p.R > 1 { // by lowering r p.R-- diff --git a/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go b/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go index bf438b190..dbb9bdb28 100644 --- a/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go +++ b/vendor/github.com/elithrar/simple-scrypt/scrypt_test.go @@ -23,11 +23,11 @@ var testParams = []struct { {true, Params{1048576, 8, 2, 64, 128}}, {false, Params{-1, 8, 1, 16, 32}}, // invalid N {false, Params{0, 8, 1, 16, 32}}, // invalid N - {false, Params{1 << 31, 8, 1, 16, 32}}, // invalid N + {false, Params{1<<31 - 1, 8, 1, 16, 32}}, // invalid N {false, Params{16384, 0, 12, 16, 32}}, // invalid R {false, Params{16384, 8, 0, 16, 32}}, // invalid R > maxInt/128/P {false, Params{16384, 1 << 24, 1, 16, 32}}, // invalid R > maxInt/256 - {false, Params{1 << 31, 8, 0, 16, 32}}, // invalid p < 0 + {false, Params{1<<31 - 1, 8, 0, 16, 32}}, // invalid p < 0 {false, Params{4096, 8, 1, 5, 32}}, // invalid SaltLen {false, Params{4096, 8, 1, 16, 2}}, // invalid DKLen }