2 * 'bcrypt' password hash function, for PuTTY's import/export of
3 * OpenSSH encrypted private key files.
5 * This is not really the same as the original bcrypt; OpenSSH has
6 * modified it in various ways, and of course we have to do the same.
14 BlowfishContext *bcrypt_setup(const unsigned char *key, int keybytes,
15 const unsigned char *salt, int saltbytes)
20 ctx = blowfish_make_context();
21 blowfish_initkey(ctx);
22 blowfish_expandkey(ctx, key, keybytes, salt, saltbytes);
24 /* Original bcrypt replaces this fixed loop count with the
25 * variable cost. OpenSSH instead iterates the whole thing more
26 * than once if it wants extra rounds. */
27 for (i = 0; i < 64; i++) {
28 blowfish_expandkey(ctx, salt, saltbytes, NULL, 0);
29 blowfish_expandkey(ctx, key, keybytes, NULL, 0);
35 void bcrypt_hash(const unsigned char *key, int keybytes,
36 const unsigned char *salt, int saltbytes,
37 unsigned char output[32])
42 ctx = bcrypt_setup(key, keybytes, salt, saltbytes);
43 /* This was quite a nice starting string until it ran into
44 * little-endian Blowfish :-/ */
45 memcpy(output, "cyxOmorhcitawolBhsiftawSanyDetim", 32);
46 for (i = 0; i < 64; i++) {
47 blowfish_lsb_encrypt_ecb(output, 32, ctx);
49 blowfish_free_context(ctx);
52 void bcrypt_genblock(int counter,
53 const unsigned char hashed_passphrase[64],
54 const unsigned char *salt, int saltbytes,
55 unsigned char output[32])
57 SHA512_State shastate;
58 unsigned char hashed_salt[64];
59 unsigned char countbuf[4];
61 /* Hash the input salt with the counter value optionally suffixed
62 * to get our real 32-byte salt */
63 SHA512_Init(&shastate);
64 SHA512_Bytes(&shastate, salt, saltbytes);
66 PUT_32BIT_MSB_FIRST(countbuf, counter);
67 SHA512_Bytes(&shastate, countbuf, 4);
69 SHA512_Final(&shastate, hashed_salt);
71 bcrypt_hash(hashed_passphrase, 64, hashed_salt, 64, output);
73 smemclr(&shastate, sizeof(shastate));
74 smemclr(&hashed_salt, sizeof(hashed_salt));
77 void openssh_bcrypt(const char *passphrase,
78 const unsigned char *salt, int saltbytes,
79 int rounds, unsigned char *out, int outbytes)
81 unsigned char hashed_passphrase[64];
82 unsigned char block[32], outblock[32];
83 const unsigned char *thissalt;
85 int modulus, residue, i, j, round;
87 /* Hash the passphrase to get the bcrypt key material */
88 SHA512_Simple(passphrase, strlen(passphrase), hashed_passphrase);
90 /* We output key bytes in a scattered fashion to meld all output
91 * key blocks into all parts of the output. To do this, we pick a
92 * modulus, and we output the key bytes to indices of out[] in the
93 * following order: first the indices that are multiples of the
94 * modulus, then the ones congruent to 1 mod modulus, etc. Each of
95 * those passes consumes exactly one block output from
96 * bcrypt_genblock, so we must pick a modulus large enough that at
97 * most 32 bytes are used in the pass. */
98 modulus = (outbytes + 31) / 32;
100 for (residue = 0; residue < modulus; residue++) {
101 /* Our output block of data is the XOR of all blocks generated
102 * by bcrypt in the following loop */
103 memset(outblock, 0, sizeof(outblock));
106 thissaltbytes = saltbytes;
107 for (round = 0; round < rounds; round++) {
108 bcrypt_genblock(round == 0 ? residue+1 : 0,
110 thissalt, thissaltbytes, block);
111 /* Each subsequent bcrypt call reuses the previous one's
112 * output as its salt */
116 for (i = 0; i < 32; i++)
117 outblock[i] ^= block[i];
120 for (i = residue, j = 0; i < outbytes; i += modulus, j++)
121 out[i] = outblock[j];
123 smemclr(&hashed_passphrase, sizeof(hashed_passphrase));
projects / PuTTY.git / blob