expand bcrypt discussion

terrafrost · terrafrost · commit 351e84c6cb25 · 2024-06-19T22:39:08.000-05:00
diff --git a/docs/bcrypt.md b/docs/bcrypt.md
@@ -52,6 +52,7 @@ $cdata = array_values(unpack('N*', 'OrpheanBeholderScryDoubt'));
     for ($j = 0; $j < 6; $j += 2) { // count($cdata) == 6
 #
 #-----[ FIND ]------------------------------------------
+# in 3.0.39+ this'll be V* - not L*
 #
 return pack('L*', ...$cdata);
 #
@@ -108,4 +109,193 @@ function encodeBase64($input)
     return $output;
 }
 ```
-The two key takeaways from this are: (1) `Blowfish::bcrypt_hash()` expects 64 byte inputs whereas the normal bcrypt uses 8 byte salts and variable length passwords and (2) the last byte of `Blowfish::bcrypt_hash()` need to be removed.
+The two key takeaways from this are: (1) `Blowfish::bcrypt_hash()` expects 64 byte inputs whereas the normal bcrypt uses 16 byte salts and variable length passwords and (2) the last byte of `Blowfish::bcrypt_hash()` need to be removed.
+
+If one wanted to make `Blowfish::bcrypt_hash()` support variable length passwords and 16 byte salts the following additional changes would need to be made:
+
+```
+#
+#-----[ FIND ]------------------------------------------
+# in bcrypt_hash()
+#
+        $sha2pass = array_values(unpack('N*', $sha2pass));
+#
+#-----[ BEFORE, ADD ]-----------------------------------
+#
+        // per the $2a$ bit we append a null byte and then "treat the password as cyclic"
+        $sha2pass.= "\0";
+        while (strlen($sha2pass) < 72) {
+            $sha2pass.= $sha2pass;
+        }
+        $sha2pass = substr($sha2pass, 0, 72);
+#
+#-----[ FIND ]------------------------------------------
+# in expand0state()
+#
+        $p = [
+            $p[0] ^ $key[0],
+            $p[1] ^ $key[1],
+            $p[2] ^ $key[2],
+            $p[3] ^ $key[3],
+            $p[4] ^ $key[4],
+            $p[5] ^ $key[5],
+            $p[6] ^ $key[6],
+            $p[7] ^ $key[7],
+            $p[8] ^ $key[8],
+            $p[9] ^ $key[9],
+            $p[10] ^ $key[10],
+            $p[11] ^ $key[11],
+            $p[12] ^ $key[12],
+            $p[13] ^ $key[13],
+            $p[14] ^ $key[14],
+            $p[15] ^ $key[15],
+            $p[16] ^ $key[0],
+            $p[17] ^ $key[1]
+        ];
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change; we can't keep the loop unrolled version
+# unless we expand the salt out to 72 bytes as well to match the password
+# size
+#
+        for ($i = 0; $i < 18; $i++) {
+            $p[$i]^= $key[$i % count($key)];
+        }
+#
+#-----[ FIND ]------------------------------------------
+# in expandstate()
+#
+            $p[16] ^ $key[0],
+            $p[17] ^ $key[1]
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change
+#
+            $p[16] ^ $key[16],
+            $p[17] ^ $key[17]
+#
+#-----[ FIND ]------------------------------------------
+# in expandstate()
+#
+        // @codingStandardsIgnoreStart
+        list( $p[0],  $p[1]) = self::encryptBlockHelperFast($data[ 0]         , $data[ 1]         , $sbox, $p);
+        list( $p[2],  $p[3]) = self::encryptBlockHelperFast($data[ 2] ^ $p[ 0], $data[ 3] ^ $p[ 1], $sbox, $p);
+        list( $p[4],  $p[5]) = self::encryptBlockHelperFast($data[ 4] ^ $p[ 2], $data[ 5] ^ $p[ 3], $sbox, $p);
+        list( $p[6],  $p[7]) = self::encryptBlockHelperFast($data[ 6] ^ $p[ 4], $data[ 7] ^ $p[ 5], $sbox, $p);
+        list( $p[8],  $p[9]) = self::encryptBlockHelperFast($data[ 8] ^ $p[ 6], $data[ 9] ^ $p[ 7], $sbox, $p);
+        list($p[10], $p[11]) = self::encryptBlockHelperFast($data[10] ^ $p[ 8], $data[11] ^ $p[ 9], $sbox, $p);
+        list($p[12], $p[13]) = self::encryptBlockHelperFast($data[12] ^ $p[10], $data[13] ^ $p[11], $sbox, $p);
+        list($p[14], $p[15]) = self::encryptBlockHelperFast($data[14] ^ $p[12], $data[15] ^ $p[13], $sbox, $p);
+        list($p[16], $p[17]) = self::encryptBlockHelperFast($data[ 0] ^ $p[14], $data[ 1] ^ $p[15], $sbox, $p);
+        // @codingStandardsIgnoreEnd
+
+        list($sbox[0], $sbox[1]) = self::encryptBlockHelperFast($data[2] ^ $p[16], $data[3] ^ $p[17], $sbox, $p);
+        for ($i = 2, $j = 4; $i < 1024; $i += 2, $j = ($j + 2) % 16) { // instead of 16 maybe count($data) would be better?
+            list($sbox[$i], $sbox[$i + 1]) = self::encryptBlockHelperFast($data[$j] ^ $sbox[$i - 2], $data[$j + 1] ^ $sbox[$i - 1], $sbox, $p);
+        }
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change; instead of doing $data[0]..$data[15] we're doing $data[0]..$data[3] cyclically
+#
+        // @codingStandardsIgnoreStart
+        list( $p[0],  $p[1]) = self::encryptBlockHelperFast($data[ 0]         , $data[ 1]         , $sbox, $p);
+        list( $p[2],  $p[3]) = self::encryptBlockHelperFast($data[ 2] ^ $p[ 0], $data[ 3] ^ $p[ 1], $sbox, $p);
+        list( $p[4],  $p[5]) = self::encryptBlockHelperFast($data[ 0] ^ $p[ 2], $data[ 1] ^ $p[ 3], $sbox, $p);
+        list( $p[6],  $p[7]) = self::encryptBlockHelperFast($data[ 2] ^ $p[ 4], $data[ 3] ^ $p[ 5], $sbox, $p);
+        list( $p[8],  $p[9]) = self::encryptBlockHelperFast($data[ 0] ^ $p[ 6], $data[ 1] ^ $p[ 7], $sbox, $p);
+        list($p[10], $p[11]) = self::encryptBlockHelperFast($data[ 2] ^ $p[ 8], $data[ 3] ^ $p[ 9], $sbox, $p);
+        list($p[12], $p[13]) = self::encryptBlockHelperFast($data[ 0] ^ $p[10], $data[ 1] ^ $p[11], $sbox, $p);
+        list($p[14], $p[15]) = self::encryptBlockHelperFast($data[ 2] ^ $p[12], $data[ 3] ^ $p[13], $sbox, $p);
+        list($p[16], $p[17]) = self::encryptBlockHelperFast($data[ 0] ^ $p[14], $data[ 1] ^ $p[15], $sbox, $p);
+        // @codingStandardsIgnoreEnd
+
+        list($sbox[0], $sbox[1]) = self::encryptBlockHelperFast($data[2] ^ $p[16], $data[3] ^ $p[17], $sbox, $p);
+        for ($i = 2, $j = 0; $i < 1024; $i += 2, $j%= 4) { // instead of 16 maybe count($data) would be better?
+            list($sbox[$i], $sbox[$i + 1]) = self::encryptBlockHelperFast($data[$j++] ^ $sbox[$i - 2], $data[$j++] ^ $sbox[$i - 1], $sbox, $p);
+        }
+```
+
+## Making Wikipedia match OpenSSH
+
+The following changes (notated using the [phpBB MOD Text Template](phpbb.md#actions)) are for [revision 08:07, 14 May 2024 of wikipedia's bcrypt article](https://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=1223800920#Algorithm). They may or may not work on other revision.
+
+```
+#
+#-----[ FIND ]------------------------------------------
+# in Function bcrypt
+#
+   Input:
+      password: array of Bytes (1..72 bytes)   UTF-8 encoded password
+      salt:     array of Bytes (16 bytes)      random salt
+      cost:     Number (4..31)                 log2(Iterations). e.g. 12 ==> 2**12 = 4,096 iterations
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change; well, the cost isn't, but everything else is
+#
+   Input:
+      password: array of Bytes (64 bytes)   UTF-8 encoded password
+      salt:     array of Bytes (64 bytes)   random salt
+      cost:     Number (6)                  64 iterations
+#
+#-----[ FIND ]------------------------------------------
+# in Function bcrypt
+#
+   ctext ← "OrpheanBeholderScryDoubt"  //24 bytes ==> three 64-bit blocks
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change
+#
+   ctext ← "OxychromaticBlowfishSwatDynamite"  //32 bytes ==> four 64-bit blocks
+#
+#-----[ FIND ]------------------------------------------
+# in Function EksBlowfishSetup
+#
+      P, S ← ExpandKey(P, S, password, 0)
+      P, S ← ExpandKey(P, S, salt, 0)
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is an undocumented change; we're just swapping the order
+#
+      P, S ← ExpandKey(P, S, salt, 0)
+      P, S ← ExpandKey(P, S, password, 0)
+#
+#-----[ FIND ]------------------------------------------
+# in Function ExpandKey
+#
+   //Treat the 128-bit salt as two 64-bit halves (the Blowfish block size).
+   saltHalf[0] ← salt[0..63]  //Lower 64-bits of salt
+   saltHalf[1] ← salt[64..127]  //Upper 64-bits of salt
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change
+#
+   saltChunk[0] ← salt[0..63]
+   saltChunk[1] ← salt[64..127]
+   saltChunk[2] ← salt[128..191]
+   saltChunk[3] ← salt[192..255]
+   saltChunk[4] ← salt[256..319]
+   saltChunk[5] ← salt[320..383]
+   saltChunk[6] ← salt[384..447]
+   saltChunk[7] ← salt[448..511]
+#
+#-----[ FIND ]------------------------------------------
+# in Function ExpandKey
+#
+      block ← block xor saltHalf[(n-1) mod 2] //each iteration alternating between saltHalf[0], and saltHalf[1]
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change
+#
+      block ← block xor saltChunk[n-1]
+#
+#-----[ FIND ]------------------------------------------
+# in Function ExpandKey
+#
+         block ← Encrypt(state, block xor saltHalf[(n-1) mod 2]) //as above
+#
+#-----[ REPLACE WITH ]----------------------------------
+# this is a documented change
+#
+         block ← Encrypt(state, block xor saltChunk[(n-1) mod 8])
+```
+Being pseudo code this doesn't quite capture everything. For example it doesn't capture the change in endianness.
