In preparation of an implementation of the bcrypt_pbkdf (a
variant of PBKDF2 used by OpenSSH) algorithm,
certain low-level operations of the Blowfish algorithm need to
be generalized and exposed.
The Blowfish.Primitive module has already been extended to
account for the requirements imposed by the BCrypt algorithm,
but the salt length was limited to 16 bytes and the BCrypt
specific key schedule setup has been hard-coded into the Blowfish
module.
This commit makes a clear distintion between the expandKey and
expandKeyWithSalt operation. Both take arbitrary sized salts
and keys now. The specialized operation for 16 byte salts as used
by BCrypt has been preserved and is selected automatically.
Also, the BCrypt specific parts have been move to the BCrypt
module with regard to separation of concern.
A benchmark for generating BCrypt hashes with cost 10 shows a
performance improvement from 158 to 141ms on average (Intel i5-6500)
after this refactoring.
Further experiments suggest that the specialized expandKeyWithSalt128
does not have any advantage over the generalized version
and might be removed in favour of less branches and exceptional
behaviour.
The tens value was wrong for values of 20+, as reported in #230.
It should be 10*costTens not 10^costTens. This wasn't detected because
the values are the same when costTens is 1, and using high cost values
is rare with bcrypt because of the performance hit.
Also added a simple hash and validate test since the KAT tests only do
validation. This doesn't cover this bug since the cost value is too
high to include in the test. It allows similar issues to be tested
locally though.
Makes docs and code consistent - the code now generates hashes
with the "2b" prefix instead of "2a". Shouldn't make any difference
in practice since previously generated hashes should still validate.
The types do not say whether it is necessary to apply pad/unpad to
the input/output of the PKCS15 encrypt/decrypt functions. Add
comments to clarify that it is not necessary to manually pad/unpad
the message.
How to reproduce:
```
$ cabal configure -f-support_deepseq
Resolving dependencies...
Configuring cryptonite-0.23...
$ cabal build
Building cryptonite-0.23...
Preprocessing library cryptonite-0.23...
[114 of 120] Compiling Crypto.PubKey.RSA.Types ( Crypto/PubKey/RSA/Types.hs, dist/build/Crypto/PubKey/RSA/Types
Crypto/PubKey/RSA/Types.hs:48:30: error:
• No instance for (NFData Integer) arising from a use of ‘rnf’
• In the first argument of ‘seq’, namely ‘rnf n’
In the expression: rnf n `seq` rnf e `seq` sz `seq` ()
In an equation for ‘rnf’:
rnf (PublicKey sz n e) = rnf n `seq` rnf e `seq` sz `seq` ()
```
The fix is to inctoruce 'NFData Integer' instance to `Crypto/Internal/DeepSeq`.
Closes: https://github.com/haskell-crypto/cryptonite/issues/171
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
This is actually a lie: the condition is tested in both curve
implementations but not returned by the Haskell API. Will be a reminder to
add this in the future. A function 'allocRetAndFreeze' could be useful.
Other algorithms define Show instances for their secrets.
Here ScrubbedBytes will obfuscate the content anyway.
Will be useful for X509.PrivKey, which requires a Show instance.
currently sign/verify works on message directly, it would be nice if PSS could sign/verify digest directly. This is useful for:
1) for some signing server it only has a digest (without message)
2) message could be very large, for cases when client need request a singing server to sign, it may make more sense for the client to compute digest, then ask server to (PSS) sign the digest
3) openSSL pkeyutl (PSS) sign operation signs with digest only, not the message, it would be nice to work with openSSL more easily
*openSSL command line:
```shell
openssl pkeyutl -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha256 -sign -inkey "pri.key" -in hmac.bin > sig.bin
openssl pkeyutl -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha256 -verify -inkey "pri.key" -in hmac.bin -sigfile sig.bin
```
Need to use ordinary comments instead of nested comments
because LANGUAGE pragmas were removed otherwise.
Also adds a table of contents. We may have other examples
in the future.
* Cleanup argon c files:
* Remove encoded format and base64 encoder
* Remove verification code
* Remove all variants based simple caller
* Add basic hashing function
* Add a simple KAT test
* Define more things at the haskell level
Fix bug in isProbablyPrime where too many iterations were specified for numbers less than 100
Add clause to isProbablyPrime to use hardcoded values <= 2903
Add check for size in generatePrime
Add size test in generateSafePrime
Require only that top bit is set, instead of top 2
This is the general standard, see e.g. OpenSSL
Add an error for too few bits being supplied to prime generator, and add documentation
Add some documentation and require highest two bits set
Simplify return syntax in generatePrime and generateSafePrime
Switch exponent to bit-shift for small performance boost
Now there's no type created by associated type, it just become a routing type class,
however this has a cost, since the associated type are not injective,
requiring more witness for the curve than before.
