1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
7 // getNextWord returns the next big-endian uint32 value from the byte slice
8 // at the given position in a circular manner, updating the position.
9 func getNextWord(b []byte, pos *int) uint32 {
12 for i := 0; i < 4; i++ {
13 w = w<<8 | uint32(b[j])
23 // ExpandKey performs a key expansion on the given *Cipher. Specifically, it
24 // performs the Blowfish algorithm's key schedule which sets up the *Cipher's
25 // pi and substitution tables for calls to Encrypt. This is used, primarily,
26 // by the bcrypt package to reuse the Blowfish key schedule during its
27 // set up. It's unlikely that you need to use this directly.
28 func ExpandKey(key []byte, c *Cipher) {
30 for i := 0; i < 18; i++ {
31 // Using inlined getNextWord for performance.
33 for k := 0; k < 4; k++ {
34 d = d<<8 | uint32(key[j])
44 for i := 0; i < 18; i += 2 {
45 l, r = encryptBlock(l, r, c)
46 c.p[i], c.p[i+1] = l, r
49 for i := 0; i < 256; i += 2 {
50 l, r = encryptBlock(l, r, c)
51 c.s0[i], c.s0[i+1] = l, r
53 for i := 0; i < 256; i += 2 {
54 l, r = encryptBlock(l, r, c)
55 c.s1[i], c.s1[i+1] = l, r
57 for i := 0; i < 256; i += 2 {
58 l, r = encryptBlock(l, r, c)
59 c.s2[i], c.s2[i+1] = l, r
61 for i := 0; i < 256; i += 2 {
62 l, r = encryptBlock(l, r, c)
63 c.s3[i], c.s3[i+1] = l, r
67 // This is similar to ExpandKey, but folds the salt during the key
68 // schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
69 // salt passed in, reusing ExpandKey turns out to be a place of inefficiency
70 // and specializing it here is useful.
71 func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
73 for i := 0; i < 18; i++ {
74 c.p[i] ^= getNextWord(key, &j)
79 for i := 0; i < 18; i += 2 {
80 l ^= getNextWord(salt, &j)
81 r ^= getNextWord(salt, &j)
82 l, r = encryptBlock(l, r, c)
83 c.p[i], c.p[i+1] = l, r
86 for i := 0; i < 256; i += 2 {
87 l ^= getNextWord(salt, &j)
88 r ^= getNextWord(salt, &j)
89 l, r = encryptBlock(l, r, c)
90 c.s0[i], c.s0[i+1] = l, r
93 for i := 0; i < 256; i += 2 {
94 l ^= getNextWord(salt, &j)
95 r ^= getNextWord(salt, &j)
96 l, r = encryptBlock(l, r, c)
97 c.s1[i], c.s1[i+1] = l, r
100 for i := 0; i < 256; i += 2 {
101 l ^= getNextWord(salt, &j)
102 r ^= getNextWord(salt, &j)
103 l, r = encryptBlock(l, r, c)
104 c.s2[i], c.s2[i+1] = l, r
107 for i := 0; i < 256; i += 2 {
108 l ^= getNextWord(salt, &j)
109 r ^= getNextWord(salt, &j)
110 l, r = encryptBlock(l, r, c)
111 c.s3[i], c.s3[i+1] = l, r
115 func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
118 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
119 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
120 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
121 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
122 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
123 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
124 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
125 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
126 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
127 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
128 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
129 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
130 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
131 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
132 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
133 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
138 func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
141 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
142 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
143 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
144 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
145 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
146 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
147 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
148 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
149 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
150 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
151 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
152 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
153 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
154 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
155 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
156 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]