libtom
diff --git a/‎doc/crypt.tex‎
Lines changed: 32 additions & 2 deletions b/‎doc/crypt.tex‎
Lines changed: 32 additions & 2 deletions
diff --git a/‎src/headers/tomcrypt_custom.h‎
Lines changed: 10 additions & 0 deletions b/‎src/headers/tomcrypt_custom.h‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/headers/tomcrypt_misc.h‎
Lines changed: 7 additions & 0 deletions b/‎src/headers/tomcrypt_misc.h‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/misc/bcrypt/bcrypt.c‎
Lines changed: 201 additions & 0 deletions b/‎src/misc/bcrypt/bcrypt.c‎
Lines changed: 201 additions & 0 deletions
diff --git a/‎src/misc/crypt/crypt.c‎
Lines changed: 4 additions & 0 deletions b/‎src/misc/crypt/crypt.c‎
Lines changed: 4 additions & 0 deletions
@@ -7002,7 +7002,7 @@ \subsection{PKCS \#5}
 
 The OpenSSL project implemented an extension to Algorithm One that allows for arbitrary keylengths; we have a compatible implementation described below.
 
-\subsection{Algorithm One}
+\subsubsection{Algorithm One}
 Algorithm One accepts as input a password, an 8--byte salt, and an iteration counter.  The iteration counter is meant to act as delay for
 people trying to brute force guess the password.  The higher the iteration counter the longer the delay.  This algorithm also requires a hash
 algorithm and produces an output no longer than the output of the hash.
@@ -7035,7 +7035,7 @@ \subsection{Algorithm One}
                       unsigned long *outlen)
 \end{alltt}
 As above, but we generate as many bytes as requested in outlen per the OpenSSL extension to Algorithm One.  If you are trying to be compatible with OpenSSL's EVP\_BytesToKey() or the "openssl enc" command line (or variants such as perl's Crypt::CBC), then use this function with MD5 as your hash (ick!) and iteration\_count=1 (double-ick!!).
-\subsection{Algorithm Two}
+\subsubsection{Algorithm Two}
 
 Algorithm Two is the recommended algorithm for this task.  It allows variable length salts, and can produce outputs larger than the
 hash functions output.  As such, it can easily be used to derive session keys for ciphers and MACs as well initialization vectors as required
@@ -7091,6 +7091,35 @@ \subsection{Algorithm Two}
 }
 \end{verbatim}
 
+
+\subsection{bcrypt}
+\index{bcrypt}
+
+bcrypt is a password hashing function, similar to PKCS \#5, but it is based on the blowfish symmetric cipher.
+It is widely used in e.g. OpenBSD as default password hash algorithm, or in encrypted OpenSSH key files.
+
+This implementation provides the PBKDF version as used in OpenSSH key files.
+
+The OpenBSD implementation is fixed to SHA512 as hashing algorithm, but this generalized implementation works with any hashing algorithm.
+
+To hash a password with the bcrypt PBKDF algorithm, the following API function is provided.
+
+\index{bcrypt()}
+\begin{alltt}
+int bcrypt_pbkdf_openbsd(const          char *password, unsigned long password_len,
+                         const unsigned char *salt,     unsigned long salt_len,
+                               unsigned int  rounds,              int hash_idx,
+                               unsigned char *out,      unsigned long *outlen);
+\end{alltt}
+
+The \textit{password} parameter is the utf-8 encoded user password of length \textit{password\_len}.
+The \textit{salt} parameter is a pointer to the array of octets of length \textit{salt\_len} containing the salt.
+The \textit{rounds} parameter defines the number of iterations of the expensive key setup that shall be executed.
+The \textit{hash\_idx} parameter defines the hash algorithm that shall be used. 
+The \textit{out} parameter shall be a pointer to a buffer of at least 32 octets,
+where \textit{outlen} contains the available buffer size on input and the written size after the invocation.
+
+
 \mysection{PKCS \#8}
 \index{PKCS \#8}
 
@@ -7127,6 +7156,7 @@ \subsection{Algorithm Two}
 The PKCS \#8 import has no direct API endpoints, but it is available through Public Key Algorithm-specific
 \textit{pkaX\_import\_pkcs8()} functions.
 
+
 \mysection{Key Derviation Functions}
 \subsection{HKDF}
 \index{HKDF}
 
@@ -490,6 +490,12 @@
 /* Base16/hex encoding/decoding */
 #define LTC_BASE16
 
+#define LTC_BCRYPT
+
+#ifndef LTC_BCRYPT_DEFAULT_ROUNDS
+#define LTC_BCRYPT_DEFAULT_ROUNDS 10
+#endif
+
 /* Keep LTC_NO_HKDF for compatibility reasons
  * superseeded by LTC_NO_MISC*/
 #ifndef LTC_NO_HKDF
@@ -601,6 +607,10 @@
    #error PK requires ASN.1 DER functionality, make sure LTC_DER is enabled
 #endif
 
+#if defined(LTC_BCRYPT) && !defined(LTC_BLOWFISH)
+   #error LTC_BCRYPT requires LTC_BLOWFISH
+#endif
+
 #if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA) || !defined(LTC_POLY1305))
    #error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA + LTC_POLY1305
 #endif
 
@@ -59,6 +59,13 @@ int base16_decode(const          char *in,  unsigned long  inlen,
                         unsigned char *out, unsigned long *outlen);
 #endif
 
+#ifdef LTC_BCRYPT
+int bcrypt_pbkdf_openbsd(const          char *password, unsigned long password_len,
+                         const unsigned char *salt,     unsigned long salt_len,
+                               unsigned int  rounds,              int hash_idx,
+                               unsigned char *out,      unsigned long *outlen);
+#endif
+
 /* ===> LTC_HKDF -- RFC5869 HMAC-based Key Derivation Function <=== */
 #ifdef LTC_HKDF
 
 
@@ -0,0 +1,201 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+   @file bcrypt.c
+   bcrypt pbkdf, Steffen Jaeckel
+*/
+#ifdef LTC_BCRYPT
+
+#define BCRYPT_WORDS 8
+#define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)
+
+static int _bcrypt_hash(const unsigned char *pt,
+                        const unsigned char *pass, unsigned long passlen,
+                        const unsigned char *salt, unsigned long saltlen,
+                              unsigned char *out,  unsigned long *outlen)
+{
+   symmetric_key key;
+   int err, n;
+   ulong32 ct[BCRYPT_WORDS];
+
+   if ((err = blowfish_setup_with_data(pass, passlen, salt, saltlen, &key)) != CRYPT_OK) {
+      return err;
+   }
+   for (n = 0; n < 64; ++n) {
+      if ((err = blowfish_expand(salt, saltlen, NULL, 0, &key)) != CRYPT_OK) {
+         return err;
+      }
+      if ((err = blowfish_expand(pass, passlen, NULL, 0, &key)) != CRYPT_OK) {
+         return err;
+      }
+   }
+
+   for (n = 0; n < BCRYPT_WORDS; ++n) {
+      LOAD32H(ct[n], &pt[n*4]);
+   }
+
+   for (n = 0; n < 64; ++n) {
+      blowfish_enc(ct, BCRYPT_WORDS/2, &key);
+   }
+
+   for (n = 0; n < BCRYPT_WORDS; ++n) {
+      STORE32L(ct[n], &out[4 * n]);
+   }
+   *outlen = sizeof(ct);
+#ifdef LTC_CLEAN_STACK
+   zeromem(&key, sizeof(key));
+   zeromem(ct, sizeof(ct));
+#endif
+
+   return CRYPT_OK;
+}
+
+static int _bcrypt_pbkdf_hash(const unsigned char *pass, unsigned long passlen,
+                         const unsigned char *salt, unsigned long saltlen,
+                               unsigned char *out,  unsigned long *outlen)
+{
+   const unsigned char pt[] = "OxychromaticBlowfishSwatDynamite";
+   return _bcrypt_hash(pt, pass, passlen, salt, saltlen, out, outlen);
+}
+
+/**
+   Compatible to bcrypt_pbkdf() as provided in OpenBSD
+   @param password          The input password (or key)
+   @param password_len      The length of the password (octets)
+   @param salt              The salt (or nonce)
+   @param salt_len          The length of the salt (octets)
+   @param rounds            # of iterations desired [read specs for more]
+   @param hash_idx          The index of the hash desired
+   @param out               [out] The destination for this algorithm
+   @param outlen            [in/out] The desired size of the algorithm output
+   @return CRYPT_OK if successful
+*/
+int bcrypt_pbkdf_openbsd(const          char *password, unsigned long password_len,
+                         const unsigned char *salt,     unsigned long salt_len,
+                               unsigned int  rounds,              int hash_idx,
+                               unsigned char *out,      unsigned long *outlen)
+{
+   int err;
+   ulong32 blkno;
+   unsigned long left, itts, x, y, hashed_pass_len, step_size, steps, dest, used_rounds;
+   unsigned char *buf[3], blkbuf[4];
+   unsigned char *hashed_pass;
+
+   LTC_ARGCHK(password != NULL);
+   LTC_ARGCHK(salt     != NULL);
+   LTC_ARGCHK(out      != NULL);
+   LTC_ARGCHK(outlen   != NULL);
+
+   if ((password_len == 0) || (salt_len == 0) || (*outlen == 0)) {
+      return CRYPT_INVALID_ARG;
+   }
+   /* test hash IDX */
+   if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
+      return err;
+   }
+   /* set default value for rounds if not given */
+   if (rounds == 0) {
+      used_rounds = LTC_BCRYPT_DEFAULT_ROUNDS;
+   } else {
+      used_rounds = rounds;
+   }
+
+   buf[0]      = XMALLOC(MAXBLOCKSIZE * 3);
+   hashed_pass = XMALLOC(MAXBLOCKSIZE);
+   if (buf[0] == NULL || hashed_pass == NULL) {
+      if (hashed_pass != NULL) {
+         XFREE(hashed_pass);
+      }
+      if (buf[0] != NULL) {
+         XFREE(buf[0]);
+      }
+      return CRYPT_MEM;
+   }
+   /* buf[1] points to the second block of MAXBLOCKSIZE bytes */
+   buf[1] = buf[0] + MAXBLOCKSIZE;
+   buf[2] = buf[1] + MAXBLOCKSIZE;
+
+   step_size = (*outlen + BCRYPT_HASHSIZE - 1) / BCRYPT_HASHSIZE;
+   steps = (*outlen + step_size - 1) / step_size;
+
+   hashed_pass_len = MAXBLOCKSIZE;
+   if ((err = hash_memory(hash_idx, (unsigned char*)password, password_len, hashed_pass, &hashed_pass_len)) != CRYPT_OK) {
+      goto LBL_ERR;
+   }
+
+   left   = *outlen;
+   blkno  = 0;
+   while (left != 0) {
+       /* increment and store current block number */
+       ++blkno;
+       STORE32H(blkno, blkbuf);
+
+       /* process block number blkno */
+       zeromem(buf[0], MAXBLOCKSIZE*2);
+
+       x = MAXBLOCKSIZE;
+       if ((err = hash_memory_multi(hash_idx, buf[0], &x,
+                                    salt, salt_len,
+                                    blkbuf, 4,
+                                    NULL, 0)) != CRYPT_OK) {
+          goto LBL_ERR;
+       }
+       y = MAXBLOCKSIZE;
+       if ((err = _bcrypt_pbkdf_hash(hashed_pass, hashed_pass_len, buf[0], x, buf[1], &y)) != CRYPT_OK) {
+          goto LBL_ERR;
+       }
+       XMEMCPY(buf[2], buf[1], y);
+
+       /* now compute repeated and XOR it in buf[2] */
+       for (itts = 1; itts < used_rounds; ++itts) {
+          x = MAXBLOCKSIZE;
+          if ((err = hash_memory(hash_idx, buf[1], y, buf[0], &x)) != CRYPT_OK) {
+             goto LBL_ERR;
+          }
+          y = MAXBLOCKSIZE;
+          if ((err = _bcrypt_pbkdf_hash(hashed_pass, hashed_pass_len, buf[0], x, buf[1], &y)) != CRYPT_OK) {
+             goto LBL_ERR;
+          }
+           for (x = 0; x < y; x++) {
+               buf[2][x] ^= buf[1][x];
+           }
+       }
+
+       /* now emit upto `steps` bytes of buf[2] to output */
+       steps = MIN(steps, left);
+       for (y = 0; y < steps; ++y) {
+          dest = y * step_size + (blkno - 1);
+          if (dest >= *outlen)
+             break;
+          out[dest] = buf[2][y];
+       }
+       left -= y;
+   }
+
+   err = CRYPT_OK;
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+   zeromem(buf[0], MAXBLOCKSIZE*3);
+   zeromem(hashed_pass, MAXBLOCKSIZE);
+#endif
+
+   XFREE(hashed_pass);
+   XFREE(buf[0]);
+
+   return err;
+}
+
+#endif
+
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */
@@ -434,6 +434,10 @@ const char *crypt_build_settings =
 #if defined(LTC_BASE16)
     " BASE16 "
 #endif
+#if defined(LTC_BCRYPT)
+    " BCRYPT "
+    " " NAME_VALUE(LTC_BCRYPT_DEFAULT_ROUNDS) " "
+#endif
 #if defined(LTC_CRC32)
     " CRC32 "
 #endif