In preparation of an implementation of the bcrypt_pbkdf (a
variant of PBKDF2 used by OpenSSH) algorithm,
certain low-level operations of the Blowfish algorithm need to
be generalized and exposed.
The Blowfish.Primitive module has already been extended to
account for the requirements imposed by the BCrypt algorithm,
but the salt length was limited to 16 bytes and the BCrypt
specific key schedule setup has been hard-coded into the Blowfish
module.
This commit makes a clear distintion between the expandKey and
expandKeyWithSalt operation. Both take arbitrary sized salts
and keys now. The specialized operation for 16 byte salts as used
by BCrypt has been preserved and is selected automatically.
Also, the BCrypt specific parts have been move to the BCrypt
module with regard to separation of concern.
A benchmark for generating BCrypt hashes with cost 10 shows a
performance improvement from 158 to 141ms on average (Intel i5-6500)
after this refactoring.
Further experiments suggest that the specialized expandKeyWithSalt128
does not have any advantage over the generalized version
and might be removed in favour of less branches and exceptional
behaviour.
The tens value was wrong for values of 20+, as reported in #230.
It should be 10*costTens not 10^costTens. This wasn't detected because
the values are the same when costTens is 1, and using high cost values
is rare with bcrypt because of the performance hit.
Also added a simple hash and validate test since the KAT tests only do
validation. This doesn't cover this bug since the cost value is too
high to include in the test. It allows similar issues to be tested
locally though.
Makes docs and code consistent - the code now generates hashes
with the "2b" prefix instead of "2a". Shouldn't make any difference
in practice since previously generated hashes should still validate.
* Cleanup argon c files:
* Remove encoded format and base64 encoder
* Remove verification code
* Remove all variants based simple caller
* Add basic hashing function
* Add a simple KAT test
* Define more things at the haskell level
The temporary XY buffer passed to the scrypt_smix C function should be
256r+64 bytes in length, but the Haskell code was only allocating 256r
bytes, causing the additional 64 to be written past the end of the
buffer.
See #91.
use the typeclass for the lowest IO impure C bindings definitions,
and define the pure interface as generic on top of this.
At the same time define an Hash.IO interface to allow mutable manipulations
of hash contextes when necessary.
Use HashAlgorithm instead of HashFunction in the [PubKey] sections
Tweak the HMAC, PBKDF2 functions to be more efficient and use the new interface
