bcrypt-ruby 2.1.4 → 3.0.0

data/ext/mri/crypt.c

@@ -0,0 +1,57 @@
+#include <ruby.h>
+#include <ow-crypt.h>
+
+VALUE mCrypt;
+
+static VALUE crypt_salt(VALUE self, VALUE prefix, VALUE count, VALUE input)
+{
+  char * salt;
+  VALUE str_salt;
+
+  salt = crypt_gensalt_ra(
+      StringValuePtr(prefix),
+      NUM2ULONG(count),
+      NIL_P(input) ? NULL : StringValuePtr(input),
+      NIL_P(input) ? 0 : RSTRING_LEN(input));
+
+  if(!salt) return Qnil;
+
+  str_salt = rb_str_new2(salt);
+  free(salt);
+
+  return str_salt;
+}
+
+static VALUE ra(VALUE self, VALUE key, VALUE setting)
+{
+  char * value;
+  void * data;
+  int size;
+  VALUE out;
+
+  data = NULL;
+  size = 0xDEADBEEF;
+
+  if(NIL_P(key) || NIL_P(setting)) return Qnil;
+
+  value = crypt_ra(
+      NIL_P(key) ? NULL : StringValuePtr(key),
+      NIL_P(setting) ? NULL : StringValuePtr(setting),
+      &data,
+      &size);
+
+  if(!value) return Qnil;
+
+  out = rb_str_new(data, size - 1);
+
+  free(data);
+
+  return out;
+}
+
+void Init_crypt()
+{
+  mCrypt = rb_define_module("Crypt");
+  rb_define_singleton_method(mCrypt, "salt", crypt_salt, 3);
+  rb_define_singleton_method(mCrypt, "crypt", ra, 2);
+}

data/ext/mri/crypt.h

@@ -0,0 +1,13 @@
+/*
+ * Written by Solar Designer and placed in the public domain.
+ * See crypt_blowfish.c for more information.
+ */
+
+#include <gnu-crypt.h>
+
+#if defined(_OW_SOURCE) || defined(__USE_OW)
+#define __SKIP_GNU
+#undef __SKIP_OW
+#include <ow-crypt.h>
+#undef __SKIP_GNU
+#endif

data/ext/mri/{blowfish.c → crypt_blowfish.c}

@@ -1,119 +1,92 @@
-/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */
 /*
- * Blowfish block cipher for OpenBSD
- * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
- * All rights reserved.
+ * This code comes from John the Ripper password cracker, with reentrant
+ * and crypt(3) interfaces added, but optimizations specific to password
+ * cracking removed.
  *
- * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
+ * placed in the public domain.  Quick self-test added in 2011 and also
+ * placed in the public domain.
  *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
+ * There's absolutely no warranty.
  *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * It is my intent that you should be able to use this on your system,
+ * as a part of a software package, or anywhere else to improve security,
+ * ensure compatibility, or for any other purpose.  I would appreciate
+ * it if you give credit where it is due and keep your modifications in
+ * the public domain as well, but I don't require that in order to let
+ * you place this code and any modifications you make under a license
+ * of your choice.
+ *
+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
+ * ideas.  The password hashing algorithm was designed by David Mazieres
+ * <dm at lcs.mit.edu>.
+ *
+ * There's a paper on the algorithm that explains its design decisions:
+ *
+ *	http://www.usenix.org/events/usenix99/provos.html
+ *
+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
+ * Blowfish library (I can't be sure if I would think of something if I
+ * hadn't seen his code).
  */
 
-/*
- * This code is derived from section 14.3 and the given source
- * in section V of Applied Cryptography, second edition.
- * Blowfish is an unpatented fast block cipher designed by
- * Bruce Schneier.
- */
+#include <string.h>
 
-#include "blf.h"
+#include <errno.h>
+#ifndef __set_errno
+#define __set_errno(val) errno = (val)
+#endif
 
-#undef inline
+#undef __CONST
 #ifdef __GNUC__
-#define inline __inline
-#else				/* !__GNUC__ */
-#define inline
-#endif				/* !__GNUC__ */
+#define __CONST __const
+#else
+#define __CONST
+#endif
 
-/* Function for Feistel Networks */
+/*
+ * Please keep this enabled.  We really don't want incompatible hashes to be
+ * produced.  The performance cost of this quick self-test is around 0.6% at
+ * the "$2a$08" setting.
+ */
+#define BF_SELF_TEST
 
-#define F(s, x) ((((s)[        (((x)>>24)&0xFF)]  \
-		 + (s)[0x100 + (((x)>>16)&0xFF)]) \
-		 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
-		 + (s)[0x300 + ( (x)     &0xFF)])
+#if defined(__x86_64__) || defined(__alpha__) || defined(__hppa__)
+#define BF_ASM				0
+#define BF_SCALE			1
+#else
+#define BF_ASM				0
+#define BF_SCALE			0
+#endif
 
-#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
+typedef unsigned int BF_word;
+typedef signed int BF_word_signed;
 
-void
-Blowfish_encipher(blf_ctx *c, uint32_t *xl, uint32_t *xr)
-{
-	uint32_t Xl;
-	uint32_t Xr;
-	uint32_t *s = c->S[0];
-	uint32_t *p = c->P;
-
-	Xl = *xl;
-	Xr = *xr;
-
-	Xl ^= p[0];
-	BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
-	BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
-	BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
-	BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
-	BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
-	BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
-	BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
-	BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
-
-	*xl = Xr ^ p[17];
-	*xr = Xl;
-}
+/* Number of Blowfish rounds, this is also hardcoded into a few places */
+#define BF_N				16
 
-void
-Blowfish_decipher(blf_ctx *c, uint32_t *xl, uint32_t *xr)
-{
-	uint32_t Xl;
-	uint32_t Xr;
-	uint32_t *s = c->S[0];
-	uint32_t *p = c->P;
-
-	Xl = *xl;
-	Xr = *xr;
-
-	Xl ^= p[17];
-	BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
-	BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
-	BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
-	BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
-	BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
-	BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
-	BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
-	BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
-
-	*xl = Xr ^ p[0];
-	*xr = Xl;
-}
+typedef BF_word BF_key[BF_N + 2];
 
-void
-Blowfish_initstate(blf_ctx *c)
-{
-	/* P-box and S-box tables initialized with digits of Pi */
+typedef struct {
+	BF_word S[4][0x100];
+	BF_key P;
+} BF_ctx;
 
-	static const blf_ctx initstate =
-	{ {
+/*
+ * Magic IV for 64 Blowfish encryptions that we do at the end.
+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
+ */
+static BF_word BF_magic_w[6] = {
+	0x4F727068, 0x65616E42, 0x65686F6C,
+	0x64657253, 0x63727944, 0x6F756274
+};
+
+/*
+ * P-box and S-box tables initialized with digits of Pi.
+ */
+static BF_ctx BF_init_state = {
+	{
 		{
 			0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
 			0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
@@ -178,8 +151,8 @@ Blowfish_initstate(blf_ctx *c)
 			0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
 			0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
 			0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
-		0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
-		{
+			0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
+		}, {
 			0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
 			0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
 			0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
@@ -243,8 +216,8 @@ Blowfish_initstate(blf_ctx *c)
 			0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
 			0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
 			0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
-		0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
-		{
+			0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
+		}, {
 			0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
 			0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
 			0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
@@ -308,8 +281,8 @@ Blowfish_initstate(blf_ctx *c)
 			0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
 			0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
 			0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
-		0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
-		{
+			0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
+		}, {
 			0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
 			0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
 			0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
@@ -373,263 +346,441 @@ Blowfish_initstate(blf_ctx *c)
 			0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
 			0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
 			0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
-		0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
-	},
-	{
+			0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
+		}
+	}, {
 		0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
 		0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
 		0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
 		0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
 		0x9216d5d9, 0x8979fb1b
-	} };
+	}
+};
 
-	*c = initstate;
-}
+static unsigned char BF_itoa64[64 + 1] =
+	"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
-uint32_t
-Blowfish_stream2word(const uint8_t *data, uint16_t databytes,
-    uint16_t *current)
-{
-	uint8_t i;
-	uint16_t j;
-	uint32_t temp;
+static unsigned char BF_atoi64[0x60] = {
+	64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
+	54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
+	64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+	17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
+	64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
+	43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
+};
 
-	temp = 0x00000000;
-	j = *current;
+/*
+ * This may be optimized out if built with function inlining and no BF_ASM.
+ */
+static void clean(void *data, int size)
+{
+	memset(data, 0, size);
+}
 
-	for (i = 0; i < 4; i++, j++) {
-		if (j >= databytes)
-			j = 0;
-		temp = (temp << 8) | data[j];
-	}
+#define BF_safe_atoi64(dst, src) \
+{ \
+	tmp = (unsigned char)(src); \
+	if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
+	tmp = BF_atoi64[tmp]; \
+	if (tmp > 63) return -1; \
+	(dst) = tmp; \
+}
 
-	*current = j;
-	return temp;
+static int BF_decode(BF_word *dst, __CONST char *src, int size)
+{
+	unsigned char *dptr = (unsigned char *)dst;
+	unsigned char *end = dptr + size;
+	unsigned char *sptr = (unsigned char *)src;
+	unsigned int tmp, c1, c2, c3, c4;
+
+	do {
+		BF_safe_atoi64(c1, *sptr++);
+		BF_safe_atoi64(c2, *sptr++);
+		*dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
+		if (dptr >= end) break;
+
+		BF_safe_atoi64(c3, *sptr++);
+		*dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
+		if (dptr >= end) break;
+
+		BF_safe_atoi64(c4, *sptr++);
+		*dptr++ = ((c3 & 0x03) << 6) | c4;
+	} while (dptr < end);
+
+	return 0;
 }
 
-void
-Blowfish_expand0state(blf_ctx *c, const uint8_t *key, uint16_t keybytes)
+static void BF_encode(char *dst, __CONST BF_word *src, int size)
 {
-	uint16_t i;
-	uint16_t j;
-	uint16_t k;
-	uint32_t temp;
-	uint32_t datal;
-	uint32_t datar;
-
-	j = 0;
-	for (i = 0; i < BLF_N + 2; i++) {
-		/* Extract 4 int8 to 1 int32 from keystream */
-		temp = Blowfish_stream2word(key, keybytes, &j);
-		c->P[i] = c->P[i] ^ temp;
-	}
+	unsigned char *sptr = (unsigned char *)src;
+	unsigned char *end = sptr + size;
+	unsigned char *dptr = (unsigned char *)dst;
+	unsigned int c1, c2;
+
+	do {
+		c1 = *sptr++;
+		*dptr++ = BF_itoa64[c1 >> 2];
+		c1 = (c1 & 0x03) << 4;
+		if (sptr >= end) {
+			*dptr++ = BF_itoa64[c1];
+			break;
+		}
 
-	j = 0;
-	datal = 0x00000000;
-	datar = 0x00000000;
-	for (i = 0; i < BLF_N + 2; i += 2) {
-		Blowfish_encipher(c, &datal, &datar);
+		c2 = *sptr++;
+		c1 |= c2 >> 4;
+		*dptr++ = BF_itoa64[c1];
+		c1 = (c2 & 0x0f) << 2;
+		if (sptr >= end) {
+			*dptr++ = BF_itoa64[c1];
+			break;
+		}
 
-		c->P[i] = datal;
-		c->P[i + 1] = datar;
-	}
+		c2 = *sptr++;
+		c1 |= c2 >> 6;
+		*dptr++ = BF_itoa64[c1];
+		*dptr++ = BF_itoa64[c2 & 0x3f];
+	} while (sptr < end);
+}
 
-	for (i = 0; i < 4; i++) {
-		for (k = 0; k < 256; k += 2) {
-			Blowfish_encipher(c, &datal, &datar);
+static void BF_swap(BF_word *x, int count)
+{
+	static int endianness_check = 1;
+	char *is_little_endian = (char *)&endianness_check;
+	BF_word tmp;
+
+	if (*is_little_endian)
+	do {
+		tmp = *x;
+		tmp = (tmp << 16) | (tmp >> 16);
+		*x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
+	} while (--count);
+}
 
-			c->S[i][k] = datal;
-			c->S[i][k + 1] = datar;
+#if BF_SCALE
+/* Architectures which can shift addresses left by 2 bits with no extra cost */
+#define BF_ROUND(L, R, N) \
+	tmp1 = L & 0xFF; \
+	tmp2 = L >> 8; \
+	tmp2 &= 0xFF; \
+	tmp3 = L >> 16; \
+	tmp3 &= 0xFF; \
+	tmp4 = L >> 24; \
+	tmp1 = data.ctx.S[3][tmp1]; \
+	tmp2 = data.ctx.S[2][tmp2]; \
+	tmp3 = data.ctx.S[1][tmp3]; \
+	tmp3 += data.ctx.S[0][tmp4]; \
+	tmp3 ^= tmp2; \
+	R ^= data.ctx.P[N + 1]; \
+	tmp3 += tmp1; \
+	R ^= tmp3;
+#else
+/* Architectures with no complicated addressing modes supported */
+#define BF_INDEX(S, i) \
+	(*((BF_word *)(((unsigned char *)S) + (i))))
+#define BF_ROUND(L, R, N) \
+	tmp1 = L & 0xFF; \
+	tmp1 <<= 2; \
+	tmp2 = L >> 6; \
+	tmp2 &= 0x3FC; \
+	tmp3 = L >> 14; \
+	tmp3 &= 0x3FC; \
+	tmp4 = L >> 22; \
+	tmp4 &= 0x3FC; \
+	tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
+	tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
+	tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
+	tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
+	tmp3 ^= tmp2; \
+	R ^= data.ctx.P[N + 1]; \
+	tmp3 += tmp1; \
+	R ^= tmp3;
+#endif
+
+/*
+ * Encrypt one block, BF_N is hardcoded here.
+ */
+#define BF_ENCRYPT \
+	L ^= data.ctx.P[0]; \
+	BF_ROUND(L, R, 0); \
+	BF_ROUND(R, L, 1); \
+	BF_ROUND(L, R, 2); \
+	BF_ROUND(R, L, 3); \
+	BF_ROUND(L, R, 4); \
+	BF_ROUND(R, L, 5); \
+	BF_ROUND(L, R, 6); \
+	BF_ROUND(R, L, 7); \
+	BF_ROUND(L, R, 8); \
+	BF_ROUND(R, L, 9); \
+	BF_ROUND(L, R, 10); \
+	BF_ROUND(R, L, 11); \
+	BF_ROUND(L, R, 12); \
+	BF_ROUND(R, L, 13); \
+	BF_ROUND(L, R, 14); \
+	BF_ROUND(R, L, 15); \
+	tmp4 = R; \
+	R = L; \
+	L = tmp4 ^ data.ctx.P[BF_N + 1];
+
+#define BF_body() \
+	L = R = 0; \
+	ptr = data.ctx.P; \
+	do { \
+		ptr += 2; \
+		BF_ENCRYPT; \
+		*(ptr - 2) = L; \
+		*(ptr - 1) = R; \
+	} while (ptr < &data.ctx.P[BF_N + 2]); \
+\
+	ptr = data.ctx.S[0]; \
+	do { \
+		ptr += 2; \
+		BF_ENCRYPT; \
+		*(ptr - 2) = L; \
+		*(ptr - 1) = R; \
+	} while (ptr < &data.ctx.S[3][0xFF]);
+
+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial,
+    int sign_extension_bug)
+{
+	__CONST char *ptr = key;
+	int i, j;
+	BF_word tmp;
+
+	for (i = 0; i < BF_N + 2; i++) {
+		tmp = 0;
+		for (j = 0; j < 4; j++) {
+			tmp <<= 8;
+			if (sign_extension_bug)
+				tmp |= (BF_word_signed)(signed char)*ptr;
+			else
+				tmp |= (unsigned char)*ptr;
+
+			if (!*ptr) ptr = key; else ptr++;
 		}
+
+		expanded[i] = tmp;
+		initial[i] = BF_init_state.P[i] ^ tmp;
 	}
 }
 
-
-void
-Blowfish_expandstate(blf_ctx *c, const uint8_t *data, uint16_t databytes,
-    const uint8_t *key, uint16_t keybytes)
+static char *BF_crypt(__CONST char *key, __CONST char *setting,
+	char *output, int size,
+	BF_word min)
 {
-	uint16_t i;
-	uint16_t j;
-	uint16_t k;
-	uint32_t temp;
-	uint32_t datal;
-	uint32_t datar;
-
-	j = 0;
-	for (i = 0; i < BLF_N + 2; i++) {
-		/* Extract 4 int8 to 1 int32 from keystream */
-		temp = Blowfish_stream2word(key, keybytes, &j);
-		c->P[i] = c->P[i] ^ temp;
+	struct {
+		BF_ctx ctx;
+		BF_key expanded_key;
+		union {
+			BF_word salt[4];
+			BF_word output[6];
+		} binary;
+	} data;
+	BF_word L, R;
+	BF_word tmp1, tmp2, tmp3, tmp4;
+	BF_word *ptr;
+	BF_word count;
+	int i;
+
+	if (size < 7 + 22 + 31 + 1) {
+		__set_errno(ERANGE);
+		return NULL;
 	}
 
-	j = 0;
-	datal = 0x00000000;
-	datar = 0x00000000;
-	for (i = 0; i < BLF_N + 2; i += 2) {
-		datal ^= Blowfish_stream2word(data, databytes, &j);
-		datar ^= Blowfish_stream2word(data, databytes, &j);
-		Blowfish_encipher(c, &datal, &datar);
+	if (setting[0] != '$' ||
+	    setting[1] != '2' ||
+	    (setting[2] != 'a' && setting[2] != 'x') ||
+	    setting[3] != '$' ||
+	    setting[4] < '0' || setting[4] > '3' ||
+	    setting[5] < '0' || setting[5] > '9' ||
+	    (setting[4] == '3' && setting[5] > '1') ||
+	    setting[6] != '$') {
+		__set_errno(EINVAL);
+		return NULL;
+	}
 
-		c->P[i] = datal;
-		c->P[i + 1] = datar;
+	count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
+	if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
+		clean(data.binary.salt, sizeof(data.binary.salt));
+		__set_errno(EINVAL);
+		return NULL;
 	}
+	BF_swap(data.binary.salt, 4);
 
-	for (i = 0; i < 4; i++) {
-		for (k = 0; k < 256; k += 2) {
-			datal ^= Blowfish_stream2word(data, databytes, &j);
-			datar ^= Blowfish_stream2word(data, databytes, &j);
-			Blowfish_encipher(c, &datal, &datar);
+	BF_set_key(key, data.expanded_key, data.ctx.P, setting[2] == 'x');
 
-			c->S[i][k] = datal;
-			c->S[i][k + 1] = datar;
-		}
+	memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
+
+	L = R = 0;
+	for (i = 0; i < BF_N + 2; i += 2) {
+		L ^= data.binary.salt[i & 2];
+		R ^= data.binary.salt[(i & 2) + 1];
+		BF_ENCRYPT;
+		data.ctx.P[i] = L;
+		data.ctx.P[i + 1] = R;
 	}
 
-}
+	ptr = data.ctx.S[0];
+	do {
+		ptr += 4;
+		L ^= data.binary.salt[(BF_N + 2) & 3];
+		R ^= data.binary.salt[(BF_N + 3) & 3];
+		BF_ENCRYPT;
+		*(ptr - 4) = L;
+		*(ptr - 3) = R;
+
+		L ^= data.binary.salt[(BF_N + 4) & 3];
+		R ^= data.binary.salt[(BF_N + 5) & 3];
+		BF_ENCRYPT;
+		*(ptr - 2) = L;
+		*(ptr - 1) = R;
+	} while (ptr < &data.ctx.S[3][0xFF]);
+
+	do {
+		data.ctx.P[0] ^= data.expanded_key[0];
+		data.ctx.P[1] ^= data.expanded_key[1];
+		data.ctx.P[2] ^= data.expanded_key[2];
+		data.ctx.P[3] ^= data.expanded_key[3];
+		data.ctx.P[4] ^= data.expanded_key[4];
+		data.ctx.P[5] ^= data.expanded_key[5];
+		data.ctx.P[6] ^= data.expanded_key[6];
+		data.ctx.P[7] ^= data.expanded_key[7];
+		data.ctx.P[8] ^= data.expanded_key[8];
+		data.ctx.P[9] ^= data.expanded_key[9];
+		data.ctx.P[10] ^= data.expanded_key[10];
+		data.ctx.P[11] ^= data.expanded_key[11];
+		data.ctx.P[12] ^= data.expanded_key[12];
+		data.ctx.P[13] ^= data.expanded_key[13];
+		data.ctx.P[14] ^= data.expanded_key[14];
+		data.ctx.P[15] ^= data.expanded_key[15];
+		data.ctx.P[16] ^= data.expanded_key[16];
+		data.ctx.P[17] ^= data.expanded_key[17];
+
+		BF_body();
+
+		tmp1 = data.binary.salt[0];
+		tmp2 = data.binary.salt[1];
+		tmp3 = data.binary.salt[2];
+		tmp4 = data.binary.salt[3];
+		data.ctx.P[0] ^= tmp1;
+		data.ctx.P[1] ^= tmp2;
+		data.ctx.P[2] ^= tmp3;
+		data.ctx.P[3] ^= tmp4;
+		data.ctx.P[4] ^= tmp1;
+		data.ctx.P[5] ^= tmp2;
+		data.ctx.P[6] ^= tmp3;
+		data.ctx.P[7] ^= tmp4;
+		data.ctx.P[8] ^= tmp1;
+		data.ctx.P[9] ^= tmp2;
+		data.ctx.P[10] ^= tmp3;
+		data.ctx.P[11] ^= tmp4;
+		data.ctx.P[12] ^= tmp1;
+		data.ctx.P[13] ^= tmp2;
+		data.ctx.P[14] ^= tmp3;
+		data.ctx.P[15] ^= tmp4;
+		data.ctx.P[16] ^= tmp1;
+		data.ctx.P[17] ^= tmp2;
+
+		BF_body();
+	} while (--count);
+
+	for (i = 0; i < 6; i += 2) {
+		L = BF_magic_w[i];
+		R = BF_magic_w[i + 1];
+
+		count = 64;
+		do {
+			BF_ENCRYPT;
+		} while (--count);
+
+		data.binary.output[i] = L;
+		data.binary.output[i + 1] = R;
+	}
 
-void
-blf_key(blf_ctx *c, const uint8_t *k, uint16_t len)
-{
-	/* Initialize S-boxes and subkeys with Pi */
-	Blowfish_initstate(c);
+	memcpy(output, setting, 7 + 22 - 1);
+	output[7 + 22 - 1] = BF_itoa64[(int)
+		BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
 
-	/* Transform S-boxes and subkeys with key */
-	Blowfish_expand0state(c, k, len);
-}
+/* This has to be bug-compatible with the original implementation, so
+ * only encode 23 of the 24 bytes. :-) */
+	BF_swap(data.binary.output, 6);
+	BF_encode(&output[7 + 22], data.binary.output, 23);
+	output[7 + 22 + 31] = '\0';
 
-void
-blf_enc(blf_ctx *c, uint32_t *data, uint16_t blocks)
-{
-	uint32_t *d;
-	uint16_t i;
+#ifndef BF_SELF_TEST
+/* Overwrite the most obvious sensitive data we have on the stack.  Note
+ * that this does not guarantee there's no sensitive data left on the
+ * stack and/or in registers; I'm not aware of portable code that does. */
+	clean(&data, sizeof(data));
+#endif
 
-	d = data;
-	for (i = 0; i < blocks; i++) {
-		Blowfish_encipher(c, d, d + 1);
-		d += 2;
-	}
+	return output;
 }
 
-void
-blf_dec(blf_ctx *c, uint32_t *data, uint16_t blocks)
+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
+	char *output, int size)
 {
-	uint32_t *d;
-	uint16_t i;
-
-	d = data;
-	for (i = 0; i < blocks; i++) {
-		Blowfish_decipher(c, d, d + 1);
-		d += 2;
-	}
+#ifdef BF_SELF_TEST
+	__CONST char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
+	__CONST char *test_2a =
+	    "$2a$00$abcdefghijklmnopqrstuui1D709vfamulimlGcq0qq3UvuUasvEa"
+	    "\0"
+	    "canary";
+	__CONST char *test_2x =
+	    "$2x$00$abcdefghijklmnopqrstuuVUrPmXD6q/nVSSp7pNDhCR9071IfIRe"
+	    "\0"
+	    "canary";
+	__CONST char *test_hash, *p;
+	int ok;
+	char buf[7 + 22 + 31 + 1 + 6 + 1];
+
+	output = BF_crypt(key, setting, output, size, 16);
+
+/* Do a quick self-test.  This also happens to overwrite BF_crypt()'s data. */
+	test_hash = (setting[2] == 'x') ? test_2x : test_2a;
+	memcpy(buf, test_hash, sizeof(buf));
+	memset(buf, -1, sizeof(buf) - (6 + 1)); /* keep "canary" only */
+	p = BF_crypt(test_key, test_hash, buf, sizeof(buf) - 6, 1);
+
+	ok = (p == buf && !memcmp(p, test_hash, sizeof(buf)));
+
+/* This could reveal what hash type we were using last.  Unfortunately, we
+ * can't reliably clean the test_hash pointer. */
+	clean(&buf, sizeof(buf));
+
+	if (ok)
+		return output;
+
+/* Should not happen */
+	__set_errno(EINVAL); /* pretend we don't support this hash type */
+	return NULL;
+#else
+#warning Self-test is disabled, please enable
+	return BF_crypt(key, setting, output, size, 16);
+#endif
 }
 
-void
-blf_ecb_encrypt(blf_ctx *c, uint8_t *data, uint32_t len)
+char *_crypt_gensalt_blowfish_rn(unsigned long count,
+	__CONST char *input, int size, char *output, int output_size)
 {
-	uint32_t l, r;
-	uint32_t i;
-
-	for (i = 0; i < len; i += 8) {
-		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
-		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
-		Blowfish_encipher(c, &l, &r);
-		data[0] = l >> 24 & 0xff;
-		data[1] = l >> 16 & 0xff;
-		data[2] = l >> 8 & 0xff;
-		data[3] = l & 0xff;
-		data[4] = r >> 24 & 0xff;
-		data[5] = r >> 16 & 0xff;
-		data[6] = r >> 8 & 0xff;
-		data[7] = r & 0xff;
-		data += 8;
+	if (size < 16 || output_size < 7 + 22 + 1 ||
+	    (count && (count < 4 || count > 31))) {
+		if (output_size > 0) output[0] = '\0';
+		__set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
+		return NULL;
 	}
-}
 
-void
-blf_ecb_decrypt(blf_ctx *c, uint8_t *data, uint32_t len)
-{
-	uint32_t l, r;
-	uint32_t i;
-
-	for (i = 0; i < len; i += 8) {
-		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
-		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
-		Blowfish_decipher(c, &l, &r);
-		data[0] = l >> 24 & 0xff;
-		data[1] = l >> 16 & 0xff;
-		data[2] = l >> 8 & 0xff;
-		data[3] = l & 0xff;
-		data[4] = r >> 24 & 0xff;
-		data[5] = r >> 16 & 0xff;
-		data[6] = r >> 8 & 0xff;
-		data[7] = r & 0xff;
-		data += 8;
-	}
-}
+	if (!count) count = 5;
 
-void
-blf_cbc_encrypt(blf_ctx *c, uint8_t *iv, uint8_t *data, uint32_t len)
-{
-	uint32_t l, r;
-	uint32_t i, j;
-
-	for (i = 0; i < len; i += 8) {
-		for (j = 0; j < 8; j++)
-			data[j] ^= iv[j];
-		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
-		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
-		Blowfish_encipher(c, &l, &r);
-		data[0] = l >> 24 & 0xff;
-		data[1] = l >> 16 & 0xff;
-		data[2] = l >> 8 & 0xff;
-		data[3] = l & 0xff;
-		data[4] = r >> 24 & 0xff;
-		data[5] = r >> 16 & 0xff;
-		data[6] = r >> 8 & 0xff;
-		data[7] = r & 0xff;
-		iv = data;
-		data += 8;
-	}
-}
+	output[0] = '$';
+	output[1] = '2';
+	output[2] = 'a';
+	output[3] = '$';
+	output[4] = '0' + count / 10;
+	output[5] = '0' + count % 10;
+	output[6] = '$';
 
-void
-blf_cbc_decrypt(blf_ctx *c, uint8_t *iva, uint8_t *data, uint32_t len)
-{
-	uint32_t l, r;
-	uint8_t *iv;
-	uint32_t i, j;
-
-	iv = data + len - 16;
-	data = data + len - 8;
-	for (i = len - 8; i >= 8; i -= 8) {
-		l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
-		r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
-		Blowfish_decipher(c, &l, &r);
-		data[0] = l >> 24 & 0xff;
-		data[1] = l >> 16 & 0xff;
-		data[2] = l >> 8 & 0xff;
-		data[3] = l & 0xff;
-		data[4] = r >> 24 & 0xff;
-		data[5] = r >> 16 & 0xff;
-		data[6] = r >> 8 & 0xff;
-		data[7] = r & 0xff;
-		for (j = 0; j < 8; j++)
-			data[j] ^= iv[j];
-		iv -= 8;
-		data -= 8;
-	}
-	l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
-	r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
-	Blowfish_decipher(c, &l, &r);
-	data[0] = l >> 24 & 0xff;
-	data[1] = l >> 16 & 0xff;
-	data[2] = l >> 8 & 0xff;
-	data[3] = l & 0xff;
-	data[4] = r >> 24 & 0xff;
-	data[5] = r >> 16 & 0xff;
-	data[6] = r >> 8 & 0xff;
-	data[7] = r & 0xff;
-	for (j = 0; j < 8; j++)
-		data[j] ^= iva[j];
+	BF_encode(&output[7], (BF_word *)input, 16);
+	output[7 + 22] = '\0';
+
+	return output;
 }