1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
#![no_std]
#[cfg(feature = "std")]
extern crate std;
use core::fmt;
#[cfg(test)]
mod tests;
pub const KEY_SIZE_MAX: usize = 72;
pub const SALT_SIZE: usize = 16;
pub const HASH_SIZE: usize = 23;
#[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub struct WorkFactor(u32);
#[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
pub enum BcryptError {
Length,
ZeroByte,
}
impl fmt::Display for BcryptError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "{}", match self {
BcryptError::Length => "password too long",
BcryptError::ZeroByte => "password contains a NUL character",
})
}
}
#[cfg(feature = "std")]
impl std::error::Error for BcryptError {}
#[derive(Clone, Debug)]
pub struct Salt {
be: [u32; 4],
}
impl Salt {
pub fn from_bytes(bytes: &[u8; SALT_SIZE]) -> Self {
let mut be = [0_u32; 4];
for i in 0..4 {
be[i] = u32::from_be_bytes([
bytes[4 * i],
bytes[4 * i + 1],
bytes[4 * i + 2],
bytes[4 * i + 3],
]);
}
Self { be }
}
pub fn to_bytes(&self) -> [u8; SALT_SIZE] {
let mut bytes = [0_u8; 16];
for (b, w) in bytes.chunks_exact_mut(4).zip(self.be.iter().copied()) {
b.copy_from_slice(&w.to_be_bytes());
}
bytes
}
}
impl WorkFactor {
pub const EXP4: Self = Self(4);
pub const EXP5: Self = Self(5);
pub const EXP6: Self = Self(6);
pub const EXP7: Self = Self(7);
pub const EXP8: Self = Self(8);
pub const EXP9: Self = Self(9);
pub const EXP10: Self = Self(10);
pub const EXP11: Self = Self(11);
pub const EXP12: Self = Self(12);
pub const EXP13: Self = Self(13);
pub const EXP14: Self = Self(14);
pub const EXP15: Self = Self(15);
pub const EXP16: Self = Self(16);
pub const EXP17: Self = Self(17);
pub const EXP18: Self = Self(18);
pub const EXP19: Self = Self(19);
pub const EXP20: Self = Self(20);
pub const EXP21: Self = Self(21);
pub const EXP22: Self = Self(22);
pub const EXP23: Self = Self(23);
pub const EXP24: Self = Self(24);
pub const EXP25: Self = Self(25);
pub const EXP26: Self = Self(26);
pub const EXP27: Self = Self(27);
pub const EXP28: Self = Self(28);
pub const EXP29: Self = Self(29);
pub const EXP30: Self = Self(30);
pub const EXP31: Self = Self(31);
pub fn exp(log_rounds: u32) -> Option<Self> {
if log_rounds >= 4 && log_rounds <= 31 {
Some(Self(log_rounds))
} else {
None
}
}
pub const fn log_rounds(self) -> u32 {
self.0
}
pub const fn linear_rounds(self) -> u32 {
1 << self.0
}
}
const BLF_N: usize = 16;
const BLOWFISH_INITIAL: BlowfishContext = BlowfishContext {
s: include!("sbox-init.in"),
p: [
0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
0x9216d5d9, 0x8979fb1b,
],
};
const BCRYPT_MESSAGE: [u32; 6] = {
const fn u32_from_be_bytes(bytes: [u8; 4]) -> u32 {
(bytes[0] as u32) << 24
| (bytes[1] as u32) << 16
| (bytes[2] as u32) << 8
| (bytes[3] as u32)
}
[
u32_from_be_bytes(*b"Orph"),
u32_from_be_bytes(*b"eanB"),
u32_from_be_bytes(*b"ehol"),
u32_from_be_bytes(*b"derS"),
u32_from_be_bytes(*b"cryD"),
u32_from_be_bytes(*b"oubt"),
]
};
#[derive(Clone)]
struct BlowfishContext {
s: [[u32; 256]; 4],
p: [u32; BLF_N + 2],
}
fn read_u32_be<T: Iterator<Item = u8>>(bytes: &mut T) -> u32 {
u32::from(bytes.next().unwrap()) << 24
| u32::from(bytes.next().unwrap()) << 16
| u32::from(bytes.next().unwrap()) << 8
| u32::from(bytes.next().unwrap())
}
fn f(c: &BlowfishContext, x: u32) -> u32 {
let [b0, b1, b2, b3] = x.to_be_bytes();
let h = c.s[0][usize::from(b0)].wrapping_add(c.s[1][usize::from(b1)]);
(h ^ c.s[2][usize::from(b2)]).wrapping_add(c.s[3][usize::from(b3)])
}
fn blowfish_encipher(c: &BlowfishContext, mut l: u32, mut r: u32) -> (u32, u32) {
for i in (0..16).step_by(2) {
l ^= c.p[i];
r ^= f(c, l);
r ^= c.p[i + 1];
l ^= f(c, r);
}
l ^= c.p[16];
r ^= c.p[17];
(r, l)
}
struct KeyCycle<'a> {
key: &'a [u8],
index: usize,
}
impl<'a> Iterator for KeyCycle<'a> {
type Item = u8;
fn next(&mut self) -> Option<u8> {
if self.index == self.key.len() {
self.index = 0;
return Some(0);
}
let result = self.key[self.index];
self.index += 1;
Some(result)
}
}
fn blowfish_expandstate_key(c: &mut BlowfishContext, key: &[u8]) {
let mut key_cycle = KeyCycle { key, index: 0 };
for pi in &mut c.p {
let temp = read_u32_be(&mut key_cycle);
*pi ^= temp;
}
}
fn blowfish_expandstate_data(c: &mut BlowfishContext, data: &[u32; 4]) {
let mut datal = 0_u32;
let mut datar = 0_u32;
for i in (0..BLF_N + 2).step_by(2) {
datal ^= data[i % 4];
datar ^= data[i % 4 + 1];
let (nextl, nextr) = blowfish_encipher(c, datal, datar);
datal = nextl;
datar = nextr;
c.p[i] = datal;
c.p[i + 1] = datar;
}
for i in 0..4 {
for k in (0..256).step_by(2) {
datal ^= data[(k + 2) % 4];
datar ^= data[(k + 2) % 4 + 1];
let (nextl, nextr) = blowfish_encipher(c, datal, datar);
datal = nextl;
datar = nextr;
c.s[i][k] = datal;
c.s[i][k + 1] = datar;
}
}
}
fn blowfish_expandstate_data0(c: &mut BlowfishContext) {
let mut datal = 0_u32;
let mut datar = 0_u32;
for i in (0..BLF_N + 2).step_by(2) {
let (nextl, nextr) = blowfish_encipher(c, datal, datar);
datal = nextl;
datar = nextr;
c.p[i] = datal;
c.p[i + 1] = datar;
}
for i in 0..4 {
for k in (0..256).step_by(2) {
let (nextl, nextr) = blowfish_encipher(c, datal, datar);
datal = nextl;
datar = nextr;
c.s[i][k] = datal;
c.s[i][k + 1] = datar;
}
}
}
pub fn bcrypt(key: &[u8], salt: &Salt, work_factor: WorkFactor) -> Result<[u8; HASH_SIZE], BcryptError> {
if key.len() > KEY_SIZE_MAX {
return Err(BcryptError::Length);
}
if key.contains(&b'\0') {
return Err(BcryptError::ZeroByte);
}
let mut state = BLOWFISH_INITIAL;
blowfish_expandstate_key(&mut state, key);
blowfish_expandstate_data(&mut state, &salt.be);
for _ in 0..work_factor.linear_rounds() {
blowfish_expandstate_key(&mut state, key);
blowfish_expandstate_data0(&mut state);
for i in 0..(BLF_N + 2) {
state.p[i] ^= salt.be[i % 4];
}
blowfish_expandstate_data0(&mut state);
}
let mut cdata = BCRYPT_MESSAGE;
for _ in 0..64 {
for i in (0..BCRYPT_MESSAGE.len()).step_by(2) {
let (l, r) = blowfish_encipher(&state, cdata[i], cdata[i + 1]);
cdata[i] = l;
cdata[i + 1] = r;
}
}
let mut result = [0_u8; 23];
for (b, w) in result.chunks_exact_mut(4).zip(cdata.iter().copied()) {
b.copy_from_slice(&w.to_be_bytes());
}
result[20..].copy_from_slice(&cdata[5].to_be_bytes()[0..3]);
Ok(result)
}