]>
Commit | Line | Data |
---|---|---|
9b12e4fe JC |
1 | // Copyright 2010 The Go Authors. All rights reserved. |
2 | // Use of this source code is governed by a BSD-style | |
3 | // license that can be found in the LICENSE file. | |
4 | ||
5 | // Package blowfish implements Bruce Schneier's Blowfish encryption algorithm. | |
107c1cdb ND |
6 | // |
7 | // Blowfish is a legacy cipher and its short block size makes it vulnerable to | |
8 | // birthday bound attacks (see https://sweet32.info). It should only be used | |
9 | // where compatibility with legacy systems, not security, is the goal. | |
10 | // | |
11 | // Deprecated: any new system should use AES (from crypto/aes, if necessary in | |
12 | // an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from | |
13 | // golang.org/x/crypto/chacha20poly1305). | |
9b12e4fe JC |
14 | package blowfish // import "golang.org/x/crypto/blowfish" |
15 | ||
16 | // The code is a port of Bruce Schneier's C implementation. | |
07971ca3 | 17 | // See https://www.schneier.com/blowfish.html. |
9b12e4fe JC |
18 | |
19 | import "strconv" | |
20 | ||
21 | // The Blowfish block size in bytes. | |
22 | const BlockSize = 8 | |
23 | ||
24 | // A Cipher is an instance of Blowfish encryption using a particular key. | |
25 | type Cipher struct { | |
26 | p [18]uint32 | |
27 | s0, s1, s2, s3 [256]uint32 | |
28 | } | |
29 | ||
30 | type KeySizeError int | |
31 | ||
32 | func (k KeySizeError) Error() string { | |
33 | return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k)) | |
34 | } | |
35 | ||
36 | // NewCipher creates and returns a Cipher. | |
37 | // The key argument should be the Blowfish key, from 1 to 56 bytes. | |
38 | func NewCipher(key []byte) (*Cipher, error) { | |
39 | var result Cipher | |
40 | if k := len(key); k < 1 || k > 56 { | |
41 | return nil, KeySizeError(k) | |
42 | } | |
43 | initCipher(&result) | |
44 | ExpandKey(key, &result) | |
45 | return &result, nil | |
46 | } | |
47 | ||
48 | // NewSaltedCipher creates a returns a Cipher that folds a salt into its key | |
49 | // schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is | |
50 | // sufficient and desirable. For bcrypt compatibility, the key can be over 56 | |
51 | // bytes. | |
52 | func NewSaltedCipher(key, salt []byte) (*Cipher, error) { | |
53 | if len(salt) == 0 { | |
54 | return NewCipher(key) | |
55 | } | |
56 | var result Cipher | |
57 | if k := len(key); k < 1 { | |
58 | return nil, KeySizeError(k) | |
59 | } | |
60 | initCipher(&result) | |
61 | expandKeyWithSalt(key, salt, &result) | |
62 | return &result, nil | |
63 | } | |
64 | ||
65 | // BlockSize returns the Blowfish block size, 8 bytes. | |
66 | // It is necessary to satisfy the Block interface in the | |
67 | // package "crypto/cipher". | |
68 | func (c *Cipher) BlockSize() int { return BlockSize } | |
69 | ||
70 | // Encrypt encrypts the 8-byte buffer src using the key k | |
71 | // and stores the result in dst. | |
72 | // Note that for amounts of data larger than a block, | |
73 | // it is not safe to just call Encrypt on successive blocks; | |
74 | // instead, use an encryption mode like CBC (see crypto/cipher/cbc.go). | |
75 | func (c *Cipher) Encrypt(dst, src []byte) { | |
76 | l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) | |
77 | r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) | |
78 | l, r = encryptBlock(l, r, c) | |
79 | dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) | |
80 | dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) | |
81 | } | |
82 | ||
83 | // Decrypt decrypts the 8-byte buffer src using the key k | |
84 | // and stores the result in dst. | |
85 | func (c *Cipher) Decrypt(dst, src []byte) { | |
86 | l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) | |
87 | r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) | |
88 | l, r = decryptBlock(l, r, c) | |
89 | dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) | |
90 | dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) | |
91 | } | |
92 | ||
93 | func initCipher(c *Cipher) { | |
94 | copy(c.p[0:], p[0:]) | |
95 | copy(c.s0[0:], s0[0:]) | |
96 | copy(c.s1[0:], s1[0:]) | |
97 | copy(c.s2[0:], s2[0:]) | |
98 | copy(c.s3[0:], s3[0:]) | |
99 | } |