This function adds one more HSalsa key derivation to an XSalsa context
that has previously been initialized. It allows multi-level cascades
like the 2-level done by NaCl crypto_box.
In preparation of an implementation of the bcrypt_pbkdf (a
variant of PBKDF2 used by OpenSSH) algorithm,
certain low-level operations of the Blowfish algorithm need to
be generalized and exposed.
The Blowfish.Primitive module has already been extended to
account for the requirements imposed by the BCrypt algorithm,
but the salt length was limited to 16 bytes and the BCrypt
specific key schedule setup has been hard-coded into the Blowfish
module.
This commit makes a clear distintion between the expandKey and
expandKeyWithSalt operation. Both take arbitrary sized salts
and keys now. The specialized operation for 16 byte salts as used
by BCrypt has been preserved and is selected automatically.
Also, the BCrypt specific parts have been move to the BCrypt
module with regard to separation of concern.
A benchmark for generating BCrypt hashes with cost 10 shows a
performance improvement from 158 to 141ms on average (Intel i5-6500)
after this refactoring.
Further experiments suggest that the specialized expandKeyWithSalt128
does not have any advantage over the generalized version
and might be removed in favour of less branches and exceptional
behaviour.
Raises an error (as the original doc claimed) if the salt is not the
required length of 16 bytes.
validatePasswordEither doesn't require separate checking since the hash
length as a whole is checked, implicitly ensuring the salt is the right
length. Therefore it shouldn't be possible to trigger the error by
calling this function.
Fixes#93.
The example code had a type mismatch.
Couldn't match expected type ‘State’
with actual type ‘CryptoFailable State’
In the second argument of ‘appendAAD’, namely ‘st1’
In the second argument of ‘($)’, namely ‘appendAAD hdr st1’
This is due to the following part:
let st1 = ChaChaPoly1305.initialize key nonce
st2 = ChaChaPoly1305.finalizeAAD $ ChaChaPoly1305.appendAAD hdr st1
`initialize` returns `CryptoFailable State`, not `State`.
This commit fixes the type mismatch, changes the return type of the
example function to `CryptoFailable ByteString`, and makes the code
to be immediately copy-and-paste-able.
This modifies the standard blowfish key schedule function to accept an
optional salt and cost as used in bcrypt and modifies the algorithm
accordingly to implement the "expensive" version.
The standard blowfish version is just the same but with a salt value of
zero and a single call to the expandKey function. See the original
bcrypt paper for more details.
The code for initializing different AEAD modes is now encapsulated in
the BlockCipher type and the individual mode encryption and decryption
functions have been replaced by generalized versions, so are no longer
used.
