1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm. 6// 7// Blowfish is a legacy cipher and its short block size makes it vulnerable to 8// birthday bound attacks (see https://sweet32.info). It should only be used 9// where compatibility with legacy systems, not security, is the goal. 10// 11// Deprecated: any new system should use AES (from crypto/aes, if necessary in 12// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from 13// golang.org/x/crypto/chacha20poly1305). 14package blowfish // import "golang.org/x/crypto/blowfish" 15 16// The code is a port of Bruce Schneier's C implementation. 17// See https://www.schneier.com/blowfish.html. 18 19import "strconv" 20 21// The Blowfish block size in bytes. 22const BlockSize = 8 23 24// A Cipher is an instance of Blowfish encryption using a particular key. 25type Cipher struct { 26 p [18]uint32 27 s0, s1, s2, s3 [256]uint32 28} 29 30type KeySizeError int 31 32func (k KeySizeError) Error() string { 33 return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k)) 34} 35 36// NewCipher creates and returns a Cipher. 37// The key argument should be the Blowfish key, from 1 to 56 bytes. 38func NewCipher(key []byte) (*Cipher, error) { 39 var result Cipher 40 if k := len(key); k < 1 || k > 56 { 41 return nil, KeySizeError(k) 42 } 43 initCipher(&result) 44 ExpandKey(key, &result) 45 return &result, nil 46} 47 48// NewSaltedCipher creates a returns a Cipher that folds a salt into its key 49// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is 50// sufficient and desirable. For bcrypt compatibility, the key can be over 56 51// bytes. 52func NewSaltedCipher(key, salt []byte) (*Cipher, error) { 53 if len(salt) == 0 { 54 return NewCipher(key) 55 } 56 var result Cipher 57 if k := len(key); k < 1 { 58 return nil, KeySizeError(k) 59 } 60 initCipher(&result) 61 expandKeyWithSalt(key, salt, &result) 62 return &result, nil 63} 64 65// BlockSize returns the Blowfish block size, 8 bytes. 66// It is necessary to satisfy the Block interface in the 67// package "crypto/cipher". 68func (c *Cipher) BlockSize() int { return BlockSize } 69 70// Encrypt encrypts the 8-byte buffer src using the key k 71// and stores the result in dst. 72// Note that for amounts of data larger than a block, 73// it is not safe to just call Encrypt on successive blocks; 74// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go). 75func (c *Cipher) Encrypt(dst, src []byte) { 76 l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) 77 r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) 78 l, r = encryptBlock(l, r, c) 79 dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) 80 dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) 81} 82 83// Decrypt decrypts the 8-byte buffer src using the key k 84// and stores the result in dst. 85func (c *Cipher) Decrypt(dst, src []byte) { 86 l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) 87 r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) 88 l, r = decryptBlock(l, r, c) 89 dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) 90 dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) 91} 92 93func initCipher(c *Cipher) { 94 copy(c.p[0:], p[0:]) 95 copy(c.s0[0:], s0[0:]) 96 copy(c.s1[0:], s1[0:]) 97 copy(c.s2[0:], s2[0:]) 98 copy(c.s3[0:], s3[0:]) 99} 100