Skip to content

scrypt: LuaJIT FFI-based scrypt library for nginx-module-lua

Installation

If you haven't set up RPM repository subscription, sign up. Then you can proceed with the following steps.

CentOS/RHEL 7 or Amazon Linux 2

yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install lua-resty-scrypt

CentOS/RHEL 8+, Fedora Linux, Amazon Linux 2023

yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install lua5.1-resty-scrypt

To use this Lua library with NGINX, ensure that nginx-module-lua is installed.

This document describes lua-resty-scrypt v1.0 released on Oct 09 2014.

lua-resty-scrypt is a scrypt (password) hashing library for OpenResty.

Hello World with lua-resty-scrypt

local scrypt = require "resty.scrypt"
local hash   = scrypt.crypt "My Secret"         -- returns a hash that can be stored in db
local valid  = scrypt.check("My Secret", hash)  -- valid holds true
local valid  = scrypt.check("My Guess",  hash)  -- valid holds false

local n,r,p  = scrypt.calibrate()               -- returns n,r,p calibration values

Lua API

string scrypt.crypt(opts)

Uses scrypt algorithm to generate hash from the input. Input parameter opts can either be string (a secret) or a table. If it is a table you may pass in some configuration parameters as well. Available table options (defaults are as follows):

local opts = {
    secret   = "",
    keysize  = 32,
    n        = 32768
    r        = 8,
    p        = 1,
    salt     = "random (saltsize) bytes generated with OpenSSL",
    saltsize = 8
}

If you pass opts anything other than a table, it will be tostringified and used as a secret. keysize can be between 16 and 512, saltsize can be between 8 and 32.

This function returns string that looks like this:

n$r$p$salt$hash

All parts present a hex dump of their values.

Example
local h1 = scrypt.crypt "My Secret"
local h2 = scrypt.crypt{
    secret  = "My Secret",
    keysize = 512 
}

boolean scrypt.check(secret, hash)

With this function you can check if the secret really matches with the hash that was generated with scrypt.crypt from the same secret. The hash contains also the configuration parameters like n, r, p and salt.

Example
local b1 = scrypt.check("My Secret", scrypt.crypt "My Secret") -- returns true
local b2 = scrypt.check("My Secret", scrypt.crypt "No Secret") -- returns false

n, r, p scrypt.calibrate(maxmem, maxmemfrac, maxtime)

This function can be used to count n, r, and p configuration values from maxmem, maxmemfrac and maxtime parameters. These are the defaults for those:

maxmem     = 1048576
maxmemfrac = 0.5
maxtime    = 0.2

The results may change depending on your computer's processing power.

Example
local n,r,p = scrypt.calibrate()
local hash  = scrypt.crypt{
    secret  = "My Secret",
    n = n,
    r = r,
    p = p
}

number scrypt.memoryuse(n, r, p)

Counts the memory use of scrypt-algorigth with the provided n, r, and p arguments.

Example
local memoryuse = scrypt.memoryuse(scrypt.calibrate())

Default parameters for n, r, and p are:

n = 32768
r = 8
p = 1

License

lua-resty-scrypt uses two clause BSD license.

Copyright (c) 2014, Aapo Talvensaari
All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this
  list of conditions and the following disclaimer in the documentation and/or
  other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

GitHub

You may find additional configuration tips and documentation for this module in the GitHub repository for nginx-module-scrypt.