go.crypto/blowfish: support salts larger than 16 bytes.

Supporting larger salts makes it possible to implement bcrypt-pbkdf
(http://www.tedunangst.com/flak/post/bcrypt-pbkdf), which is used in
the latest OpenSSH versions to encrypt key files.

This change makes expandKeyWithSalt (and thus NewSaltedCipher) about
20% slower, but since it isn't used in the "heavy" phase of computation
in bcrypt (it uses ExpandKey, which didn't change), the effect on
bcrypt performance is negligible.

The 16-byte limit was an artifact of optimization and due to the fact
that it was enough for bcrypt; the Eksblowfish spec or other
implementations don't limit the salt size.

Additionally, there was a bug in the previous implementation: it only
generated correct results for salts consisting of 4, 8, or 16 bytes, and panicked if salt had zero length.

LGTM=agl
R=golang-codereviews, gobot, agl
CC=golang-codereviews
https://golang.org/cl/102720045
diff --git a/blowfish/cipher.go b/blowfish/cipher.go
index 9f2c104..5019658 100644
--- a/blowfish/cipher.go
+++ b/blowfish/cipher.go
@@ -40,8 +40,11 @@
 // NewSaltedCipher creates a returns a Cipher that folds a salt into its key
 // schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is
 // sufficient and desirable. For bcrypt compatiblity, the key can be over 56
-// bytes. Only the first 16 bytes of salt are used.
+// bytes.
 func NewSaltedCipher(key, salt []byte) (*Cipher, error) {
+	if len(salt) == 0 {
+		return NewCipher(key)
+	}
 	var result Cipher
 	if k := len(key); k < 1 {
 		return nil, KeySizeError(k)
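Review bot: The new `len(salt) == 0` branch at the top of NewSaltedCipher returns `NewCipher(key)` before the `k < 1` key-length check that follows, and the doc comment does not mention this fallback. The comment still promises that "the key can be over 56 bytes", but that now depends on what NewCipher accepts, which is not shown in this hunk. If NewCipher applies the ordinary Blowfish key-size limit, a caller passing a long bcrypt-style key with an empty salt gets an error, while the same key with a non-empty salt succeeds. Please either document in the comment that an empty salt is equivalent to NewCipher (including its key-size rules), or move the empty-salt handling below the key-length check so both paths accept the same keys. Since the line about "Only the first 16 bytes of salt are used" is being dropped, it would also help to state that the whole salt is now used, so callers who relied on the old truncation know that salts longer than 16 bytes will produce a different key schedule. While this comment is being edited, "creates a returns a" and "compatiblity" could be fixed in the same change.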