1
// Copyright 2010 The Go Authors. All rights reserved.
2
// Use of this source code is governed by a BSD-style
3
// license that can be found in the LICENSE file.
7
// getNextWord returns the next big-endian uint32 value from the byte slice
8
// at the given position in a circular manner, updating the position.
9
func getNextWord(b []byte, pos *int) uint32 {
12
for i := 0; i < 4; i++ {
13
w = w<<8 | uint32(b[j])
23
// ExpandKey performs a key expansion on the given *Cipher. Specifically, it
24
// performs the Blowfish algorithm's key schedule which sets up the *Cipher's
25
// pi and substitution tables for calls to Encrypt. This is used, primarily,
26
// by the bcrypt package to reuse the Blowfish key schedule during its
27
// set up. It's unlikely that you need to use this directly.
28
func ExpandKey(key []byte, c *Cipher) {
30
for i := 0; i < 18; i++ {
31
// Using inlined getNextWord for performance.
33
for k := 0; k < 4; k++ {
34
d = d<<8 | uint32(key[j])
44
for i := 0; i < 18; i += 2 {
45
l, r = encryptBlock(l, r, c)
46
c.p[i], c.p[i+1] = l, r
49
for i := 0; i < 256; i += 2 {
50
l, r = encryptBlock(l, r, c)
51
c.s0[i], c.s0[i+1] = l, r
53
for i := 0; i < 256; i += 2 {
54
l, r = encryptBlock(l, r, c)
55
c.s1[i], c.s1[i+1] = l, r
57
for i := 0; i < 256; i += 2 {
58
l, r = encryptBlock(l, r, c)
59
c.s2[i], c.s2[i+1] = l, r
61
for i := 0; i < 256; i += 2 {
62
l, r = encryptBlock(l, r, c)
63
c.s3[i], c.s3[i+1] = l, r
67
// This is similar to ExpandKey, but folds the salt during the key
68
// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
69
// salt passed in, reusing ExpandKey turns out to be a place of inefficiency
70
// and specializing it here is useful.
71
func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
73
for i := 0; i < 18; i++ {
74
c.p[i] ^= getNextWord(key, &j)
79
for i := 0; i < 18; i += 2 {
80
l ^= getNextWord(salt, &j)
81
r ^= getNextWord(salt, &j)
82
l, r = encryptBlock(l, r, c)
83
c.p[i], c.p[i+1] = l, r
86
for i := 0; i < 256; i += 2 {
87
l ^= getNextWord(salt, &j)
88
r ^= getNextWord(salt, &j)
89
l, r = encryptBlock(l, r, c)
90
c.s0[i], c.s0[i+1] = l, r
93
for i := 0; i < 256; i += 2 {
94
l ^= getNextWord(salt, &j)
95
r ^= getNextWord(salt, &j)
96
l, r = encryptBlock(l, r, c)
97
c.s1[i], c.s1[i+1] = l, r
100
for i := 0; i < 256; i += 2 {
101
l ^= getNextWord(salt, &j)
102
r ^= getNextWord(salt, &j)
103
l, r = encryptBlock(l, r, c)
104
c.s2[i], c.s2[i+1] = l, r
107
for i := 0; i < 256; i += 2 {
108
l ^= getNextWord(salt, &j)
109
r ^= getNextWord(salt, &j)
110
l, r = encryptBlock(l, r, c)
111
c.s3[i], c.s3[i+1] = l, r
115
func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
118
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
119
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
120
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
121
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
122
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
123
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
124
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
125
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
126
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
127
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
128
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
129
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
130
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
131
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
132
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
133
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
138
func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
141
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
142
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
143
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
144
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
145
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
146
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
147
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
148
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
149
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
150
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
151
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
152
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
153
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
154
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
155
xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
156
xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]