authorlloyd <[email protected]>2011-03-08 22:18:37 +0000
committerlloyd <[email protected]>2011-03-08 22:18:37 +0000
commite8ae96510f3d87e3b142df81b51c3b15e30e77f9 (patch)
tree4f61ddba33a8e06b85ba2edc1b74d1a02e7c4739 /src/block
parent5f4aafe005d1031b955718fbb94d6beec3e6ea48 (diff)
parent41da07c02a36add833965be5ddc60ef1cf089beb (diff)
propagate from branch 'net.randombit.botan' (head dd068808e5bf87c982765a8bcc314996053a5bdd)
to branch 'net.randombit.botan.c++0x' (head 34696d52a8148d64f7021b3e193fc56f051b9dd2)
Diffstat (limited to 'src/block')
-rw-r--r--src/block/aes/aes.cpp4
-rw-r--r--src/block/blowfish/blowfish.cpp57
-rw-r--r--src/block/blowfish/blowfish.h19
-rw-r--r--src/block/mars/mars.cpp10
4 files changed, 76 insertions, 14 deletions
diff --git a/src/block/aes/aes.cpp b/src/block/aes/aes.cpp
index 7f32d243c..9fb12cd11 100644
--- a/src/block/aes/aes.cpp
+++ b/src/block/aes/aes.cpp
@@ -457,7 +457,7 @@ void aes_encrypt_n(const byte in[], byte out[],
rotate_right(TE[get_byte(2, T1)], 16) ^
rotate_right(TE[get_byte(3, T2)], 24) ^ EK[7];
- for(u32bit r = 2*4; r < EK.size(); r += 2*4)
+ for(size_t r = 2*4; r < EK.size(); r += 2*4)
{
T0 = TE0[get_byte(0, B0)] ^ TE1[get_byte(1, B1)] ^
TE2[get_byte(2, B2)] ^ TE3[get_byte(3, B3)] ^ EK[r];
@@ -560,7 +560,7 @@ void aes_decrypt_n(const byte in[], byte out[], size_t blocks,
rotate_right(TD[get_byte(2, T1)], 16) ^
rotate_right(TD[get_byte(3, T0)], 24) ^ DK[7];
- for(u32bit r = 2*4; r < DK.size(); r += 2*4)
+ for(size_t r = 2*4; r < DK.size(); r += 2*4)
{
T0 = TD0[get_byte(0, B0)] ^ TD1[get_byte(1, B3)] ^
TD2[get_byte(2, B2)] ^ TD3[get_byte(3, B1)] ^ DK[r];
diff --git a/src/block/blowfish/blowfish.cpp b/src/block/blowfish/blowfish.cpp
index ea227e93e..b6319eec0 100644
--- a/src/block/blowfish/blowfish.cpp
+++ b/src/block/blowfish/blowfish.cpp
@@ -1,6 +1,6 @@
/*
* Blowfish
-* (C) 1999-2009 Jack Lloyd
+* (C) 1999-2011 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
@@ -87,20 +87,66 @@ void Blowfish::key_schedule(const byte key[], size_t length)
{
clear();
+ const byte null_salt[16] = { 0 };
+
+ key_expansion(key, length, null_salt);
+ }
+
+void Blowfish::key_expansion(const byte key[],
+ size_t length,
+ const byte salt[16])
+ {
for(size_t i = 0, j = 0; i != 18; ++i, j += 4)
P[i] ^= make_u32bit(key[(j ) % length], key[(j+1) % length],
key[(j+2) % length], key[(j+3) % length]);
u32bit L = 0, R = 0;
- generate_sbox(P, L, R);
- generate_sbox(S, L, R);
+ generate_sbox(P, L, R, salt, 0);
+ generate_sbox(S, L, R, salt, 2);
+ }
+
+/*
+* Modified key schedule used for bcrypt password hashing
+*/
+void Blowfish::eks_key_schedule(const byte key[], size_t length,
+ const byte salt[16], size_t workfactor)
+ {
+ if(length == 0 || length >= 56)
+ throw Invalid_Key_Length("EKSBlowfish", length);
+
+ if(workfactor == 0)
+ throw std::invalid_argument("Bcrypt work factor must be at least 1");
+
+ /*
+ * On a 2.8 GHz Core-i7, workfactor == 18 takes about 25 seconds to
+ * hash a password. This seems like a reasonable upper bound for the
+ * time being.
+ */
+ if(workfactor > 18)
+ throw std::invalid_argument("Requested Bcrypt work factor too large");
+
+ clear();
+
+ const byte null_salt[16] = { 0 };
+
+ key_expansion(key, length, salt);
+
+ const size_t rounds = 1 << workfactor;
+
+ for(size_t r = 0; r != rounds; ++r)
+ {
+ key_expansion(key, length, null_salt);
+ key_expansion(salt, 16, null_salt);
+ }
}
/*
* Generate one of the Sboxes
*/
void Blowfish::generate_sbox(MemoryRegion<u32bit>& box,
- u32bit& L, u32bit& R) const
+ u32bit& L, u32bit& R,
+ const byte salt[16],
+ size_t salt_off) const
{
const u32bit* S1 = &S[0];
const u32bit* S2 = &S[256];
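Review bot: The length check in eks_key_schedule, `if(length == 0 || length >= 56)`, rejects a 56-byte key, while blowfish.h in this same commit declares the cipher as `Block_Cipher_Fixed_Params<8, 1, 56>`, which reads as a 1 to 56 byte range. If 56 bytes is meant to be accepted, the condition should be `length > 56`; if the exclusion is deliberate for bcrypt, a one-line comment saying why would stop a later reader from "correcting" it. Separately, `1 << workfactor` shifts an int before widening and is safe only because of the cap of 18 above it, so `size_t(1) << workfactor` would stay correct if that cap is ever raised. generate_sbox's body continues past the end of this hunk.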
@@ -109,6 +155,9 @@ void Blowfish::generate_sbox(MemoryRegion<u32bit>& box,
for(size_t i = 0; i != box.size(); i += 2)
{
+ L ^= load_be<u32bit>(salt, (i + salt_off) % 4);
+ R ^= load_be<u32bit>(salt, (i + salt_off + 1) % 4);
+
for(size_t j = 0; j != 16; j += 2)
{
L ^= P[j];
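Review bot: The two added salt lines in generate_sbox rely on an invariant that is not written down: `salt` is indexed as four 32-bit words, and `salt_off` keeps that cycle continuous between the P and S calls (P holds 18 words, so the S call starts at word 18 % 4 = 2, which matches the literal 2 passed in key_expansion). A comment above them such as `// salt is consumed as 4 big-endian words, cyclically; salt_off is the word position carried over from the previous box` would make the bare 0 and 2 at the call sites checkable. Nothing here bounds-checks `salt`, so every caller has to supply a full 16 bytes. The function's signature and the rest of its loop lie outside this hunk.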
diff --git a/src/block/blowfish/blowfish.h b/src/block/blowfish/blowfish.h
index b89ffcaaa..13706d21e 100644
--- a/src/block/blowfish/blowfish.h
+++ b/src/block/blowfish/blowfish.h
@@ -1,6 +1,6 @@
/*
* Blowfish
-* (C) 1999-2009 Jack Lloyd
+* (C) 1999-2011 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
@@ -21,15 +21,28 @@ class BOTAN_DLL Blowfish : public Block_Cipher_Fixed_Params<8, 1, 56>
void encrypt_n(const byte in[], byte out[], size_t blocks) const;
void decrypt_n(const byte in[], byte out[], size_t blocks) const;
+ /**
+ * Modified EKSBlowfish key schedule, used for bcrypt password hashing
+ */
+ void eks_key_schedule(const byte key[], size_t key_length,
+ const byte salt[16], size_t workfactor);
+
void clear();
std::string name() const { return "Blowfish"; }
BlockCipher* clone() const { return new Blowfish; }
Blowfish() : S(1024), P(18) {}
private:
- void key_schedule(const byte[], size_t);
+ void key_schedule(const byte key[], size_t length);
+
+ void key_expansion(const byte key[],
+ size_t key_length,
+ const byte salt[16]);
+
void generate_sbox(MemoryRegion<u32bit>& box,
- u32bit& L, u32bit& R) const;
+ u32bit& L, u32bit& R,
+ const byte salt[16],
+ size_t salt_off) const;
static const u32bit P_INIT[18];
static const u32bit S_INIT[1024];
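Review bot: The doc comment added for eks_key_schedule states none of the preconditions that the implementation enforces or assumes. `const byte salt[16]` in a parameter list is just `const byte*` to the compiler, so the 16-byte requirement is a caller obligation that should be documented; a shorter buffer would be read past its end by the salt loads in generate_sbox. I would extend the comment with @param lines for the accepted key length (the .cpp rejects 0 and anything from 56 up), the exact salt size, and the work factor range of 1 to 18, plus a note that out-of-range values throw. The class definition continues outside this hunk.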
diff --git a/src/block/mars/mars.cpp b/src/block/mars/mars.cpp
index 5ee5b0f19..171ce2945 100644
--- a/src/block/mars/mars.cpp
+++ b/src/block/mars/mars.cpp
@@ -110,7 +110,7 @@ const u32bit SBOX[512] = {
inline void encrypt_round(u32bit& A, u32bit& B, u32bit& C, u32bit& D,
u32bit EK1, u32bit EK2)
{
- u32bit X = A + EK1;
+ const u32bit X = A + EK1;
A = rotate_left(A, 13);
u32bit Y = A * EK2;
u32bit Z = SBOX[X % 512];
@@ -132,7 +132,7 @@ inline void decrypt_round(u32bit& A, u32bit& B, u32bit& C, u32bit& D,
{
u32bit Y = A * EK1;
A = rotate_right(A, 13);
- u32bit X = A + EK2;
+ const u32bit X = A + EK2;
u32bit Z = SBOX[X % 512];
Y = rotate_left(Y, 5);
@@ -204,7 +204,7 @@ u32bit gen_mask(u32bit input)
for(u32bit j = 2; j != 31; ++j)
{
- u32bit region = (input >> (j-1)) & 0x07;
+ const u32bit region = (input >> (j-1)) & 0x07;
if(region == 0x00 || region == 0x07)
{
@@ -213,7 +213,7 @@ u32bit gen_mask(u32bit input)
for(u32bit k = low; k != high; ++k)
{
- u32bit value = (input >> k) & 0x3FF;
+ const u32bit value = (input >> k) & 0x3FF;
if(value == 0 || value == 0x3FF)
{
@@ -377,7 +377,7 @@ void MARS::key_schedule(const byte key[], size_t length)
for(size_t i = 5; i != 37; i += 2)
{
- u32bit key3 = EK[i] & 3;
+ const u32bit key3 = EK[i] & 3;
EK[i] |= 3;
EK[i] ^= rotate_left(SBOX[265 + key3], EK[i-1] % 32) & gen_mask(EK[i]);
}