bcrypt_pbkdf 1.0.0.alpha1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 699545e32ef6f352120451e7fb5ecce89ae3424d
+  data.tar.gz: 70dcdf9aacdb0d5c4e265685bd34b36e14eae42b
+SHA512:
+  metadata.gz: 304e2e63516a315074817731ddd5ae1b70cbc3cc6cdc2ff4cab900d236d1cab8775e6ce573fca717d3dc43c0843e924315fcae6c45314e576f3a5b8abbdb778d
+  data.tar.gz: f1c97087021e5a64e1816b1093550f614c7f003c87e75b98c8ceaa5f0559b334fef40d47d736da5d46a8951b5c6165a2459a0dff5b5eb00ace0b224041f53fff

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0
+  - rbx-2
+script: bundle exec rake

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+# 1.0.0.apha1
+
+  inital version

data/COPYING

@@ -0,0 +1,23 @@
+(The MIT License)
+
+Copyright 2007-2016: Miklós Fazekas <mfazekas@szemafor.com>
+C implementation of bcrypt_pbkdf: OpenBSD: Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,36 @@
+PATH
+  remote: .
+  specs:
+    bcrypt_pbkdf (1.0.0.alpha1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ffi (1.9.10)
+    json (1.8.3)
+    minitest (5.8.4)
+    rake (11.1.1)
+    rake-compiler (0.9.7)
+      rake
+    rake-compiler-dock (0.5.2)
+    rbnacl (3.3.0)
+      ffi
+    rbnacl-libsodium (1.0.8)
+      rbnacl (~> 3.0, >= 3.0.1)
+    rdoc (3.12.2)
+      json (~> 1.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bcrypt_pbkdf!
+  minitest (>= 5)
+  rake-compiler (~> 0.9.7)
+  rake-compiler-dock (~> 0.5.0)
+  rbnacl (~> 3.3)
+  rbnacl-libsodium (~> 1.0.8)
+  rdoc (~> 3.12)
+
+BUNDLED WITH
+   1.11.2

data/README.md

@@ -0,0 +1,15 @@
+# bcrypt_pdkfd-ruby
+
+bcrypt_pdkfd is a ruby gem implementing bcrypt_pdkfd from OpenBSD. This is currently used by net-ssh to read password encrypted Ed25519 keys.
+
+[![Build Status](https://travis-ci.org/mfazekas/bcrypt_pbkdf-ruby.png?branch=master)](https://travis-ci.org/mfazekas/bcrypt_pbkdf-ruby)
+
+# Acknowledgements
+
+* The gut of the code is based on OpenBSD's bcrypt_pbkdf.c implementation
+* Some ideas/code were taken adopted bcrypt-ruby: https://github.com/codahale/bcrypt-ruby
+
+# Links:
+
+http://www.tedunangst.com/flak/post/bcrypt-pbkdf
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libutil/bcrypt_pbkdf.c?rev=1.13&content-type=text/x-cvsweb-markup

data/Rakefile

@@ -0,0 +1,68 @@
+require 'rake/testtask'
+require 'rubygems/package_task'
+require 'rake/extensiontask'
+require 'rake/clean'
+require 'rdoc/task'
+require 'benchmark'
+
+CLEAN.include(
+  "tmp",
+  "lib/2.0",
+  "lib/2.1",
+  "lib/2.2",
+  "lib/2.3",
+  "lib/bcrypt_pbkdf_ext.so",
+  "lib/bcrypt_pbkdf_ext.bundle",
+)
+CLOBBER.include(
+  "doc",
+  "pkg"
+)
+
+task 'gem:windows' do
+  require 'rake_compiler_dock'
+  RakeCompilerDock.sh "bundle && rake cross native gem RUBY_CC_VERSION=2.3.0:2.2.2:2.1.6:2.0.0"
+  #:2.2.2:2.1.6:2.0.0
+end
+
+GEMSPEC = Gem::Specification.load("bcrypt_pbkdf.gemspec")
+
+task :default => [:compile, :spec]
+
+desc "Run all tests"
+Rake::TestTask.new do |t|
+  #t.pattern = 
+  t.test_files = FileList['test/**/*_test.rb']
+  t.ruby_opts = ['-w']
+  t.libs << "test"
+  t.verbose = true
+end
+task :spec => :test
+
+desc 'Generate RDoc'
+RDoc::Task.new do |rdoc|
+  rdoc.rdoc_dir = 'doc/rdoc'
+  rdoc.options += GEMSPEC.rdoc_options
+  rdoc.template = ENV['TEMPLATE'] if ENV['TEMPLATE']
+  rdoc.rdoc_files.include(*GEMSPEC.extra_rdoc_files)
+end
+
+Gem::PackageTask.new(GEMSPEC) do |pkg|
+  pkg.need_zip = true
+  pkg.need_tar = true
+end
+
+Rake::ExtensionTask.new("bcrypt_pbkdf_ext", GEMSPEC) do |ext|
+  ext.ext_dir = 'ext/mri'
+  ext.cross_compile = true
+  ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
+  puts "FAT_DIR:#{ENV["FAT_DIR"]}"
+  puts "RUBY_VERSION:#{RUBY_VERSION}"
+  #if RUBY_VERSION=="2.3.0"
+  #  ext.lib_dir = File.join('lib',"2.3")
+  #end
+    #else
+  #  ext.lib_dir = File.join(*['lib', ENV['FAT_DIR']].compact)
+  #ext.cross_platform = ['x86-mingw32', 'x64-mingw32']
+  #ext.cross_platform = ['i386-mingw32', 'x64-mingw32']
+end

data/bcrypt_pbkdf.gemspec

@@ -0,0 +1,30 @@
+Gem::Specification.new do |s|
+  s.name = 'bcrypt_pbkdf'
+  s.version = '1.0.0.alpha1'
+
+  s.summary = "OpenBSD's bcrypt_pdkfd (a variant of PBKDF2 with bcrypt-based PRF)"
+  s.description = <<-EOF
+    This gem implements bcrypt_pdkfd (a variant of PBKDF2 with bcrypt-based PRF)
+  EOF
+
+  s.files = `git ls-files`.split("\n")
+  s.require_path = 'lib'
+
+  s.add_development_dependency 'rake-compiler', '~> 0.9.7'
+  s.add_development_dependency 'minitest', '>= 5'
+  s.add_development_dependency 'rbnacl', '~> 3.3'
+  s.add_development_dependency 'rbnacl-libsodium', '~> 1.0.8'
+  s.add_development_dependency 'rdoc', '~> 3.12'
+  s.add_development_dependency 'rake-compiler-dock', '~> 0.5.0'
+
+  s.has_rdoc = true
+  s.rdoc_options += ['--title', 'bcrypt_pbkdf', '--line-numbers', '--inline-source', '--main', 'README.md']
+  s.extra_rdoc_files += ['README.md', 'COPYING', 'CHANGELOG.md', *Dir['lib/**/*.rb']]
+
+  s.extensions = 'ext/mri/extconf.rb'
+
+  s.authors = ["Miklos Fazekas"]
+  s.email = "mfazekas@szemafor.com"
+  s.homepage = "https://github.com/mfazekas/bcrypt_pbkdf-ruby"
+  s.license = "MIT"
+end

data/ext/mri/bcrypt_pbkdf.c

@@ -0,0 +1,169 @@
+/* $OpenBSD: bcrypt_pbkdf.c,v 1.13 2015/01/12 03:20:04 tedu Exp $ */
+/*
+ * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+#include <stdint.h>
+#include <stdlib.h>
+#include "blf.h"
+#include "sha2.h"
+#include <string.h>
+#include "util.h"
+
+#define	MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
+
+/*
+ * pkcs #5 pbkdf2 implementation using the "bcrypt" hash
+ *
+ * The bcrypt hash function is derived from the bcrypt password hashing
+ * function with the following modifications:
+ * 1. The input password and salt are preprocessed with SHA512.
+ * 2. The output length is expanded to 256 bits.
+ * 3. Subsequently the magic string to be encrypted is lengthened and modifed
+ *    to "OxychromaticBlowfishSwatDynamite"
+ * 4. The hash function is defined to perform 64 rounds of initial state
+ *    expansion. (More rounds are performed by iterating the hash.)
+ *
+ * Note that this implementation pulls the SHA512 operations into the caller
+ * as a performance optimization.
+ *
+ * One modification from official pbkdf2. Instead of outputting key material
+ * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
+ * generate (e.g.) 512 bits of key material for use as two 256 bit keys, an
+ * attacker can merely run once through the outer loop, but the user
+ * always runs it twice. Shuffling output bytes requires computing the
+ * entirety of the key material to assemble any subkey. This is something a
+ * wise caller could do; we just do it for you.
+ */
+
+#define BCRYPT_WORDS 8
+#define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)
+
+void
+bcrypt_hash(const uint8_t *sha2pass, const uint8_t *sha2salt, uint8_t *out)
+{
+	blf_ctx state;
+	uint8_t ciphertext[BCRYPT_HASHSIZE] =
+	    "OxychromaticBlowfishSwatDynamite";
+	uint32_t cdata[BCRYPT_WORDS];
+	int i;
+	uint16_t j;
+	size_t shalen = SHA512_DIGEST_LENGTH;
+
+	/* key expansion */
+	Blowfish_initstate(&state);
+	Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen);
+	for (i = 0; i < 64; i++) {
+		Blowfish_expand0state(&state, sha2salt, shalen);
+		Blowfish_expand0state(&state, sha2pass, shalen);
+	}
+
+	/* encryption */
+	j = 0;
+	for (i = 0; i < BCRYPT_WORDS; i++)
+		cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
+		    &j);
+	for (i = 0; i < 64; i++)
+		blf_enc(&state, cdata, sizeof(cdata) / sizeof(uint64_t));
+
+	/* copy out */
+	for (i = 0; i < BCRYPT_WORDS; i++) {
+		out[4 * i + 3] = (cdata[i] >> 24) & 0xff;
+		out[4 * i + 2] = (cdata[i] >> 16) & 0xff;
+		out[4 * i + 1] = (cdata[i] >> 8) & 0xff;
+		out[4 * i + 0] = cdata[i] & 0xff;
+	}
+
+	/* zap */
+	explicit_bzero(ciphertext, sizeof(ciphertext));
+	explicit_bzero(cdata, sizeof(cdata));
+	explicit_bzero(&state, sizeof(state));
+}
+
+int
+bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltlen,
+    uint8_t *key, size_t keylen, unsigned int rounds)
+{
+	SHA2_CTX ctx;
+	uint8_t sha2pass[SHA512_DIGEST_LENGTH];
+	uint8_t sha2salt[SHA512_DIGEST_LENGTH];
+	uint8_t out[BCRYPT_HASHSIZE];
+	uint8_t tmpout[BCRYPT_HASHSIZE];
+	uint8_t countsalt[4];
+	size_t i, j, amt, stride;
+	uint32_t count;
+	size_t origkeylen = keylen;
+
+	/* nothing crazy */
+	if (rounds < 1)
+		return -1;
+	if (passlen == 0 || saltlen == 0 || keylen == 0 ||
+	    keylen > sizeof(out) * sizeof(out))
+		return -1;
+	stride = (keylen + sizeof(out) - 1) / sizeof(out);
+	amt = (keylen + stride - 1) / stride;
+
+	/* collapse password */
+	SHA512Init(&ctx);
+	SHA512Update(&ctx, pass, passlen);
+	SHA512Final(sha2pass, &ctx);
+
+
+	/* generate key, sizeof(out) at a time */
+	for (count = 1; keylen > 0; count++) {
+		countsalt[0] = (count >> 24) & 0xff;
+		countsalt[1] = (count >> 16) & 0xff;
+		countsalt[2] = (count >> 8) & 0xff;
+		countsalt[3] = count & 0xff;
+
+		/* first round, salt is salt */
+		SHA512Init(&ctx);
+		SHA512Update(&ctx, salt, saltlen);
+		SHA512Update(&ctx, countsalt, sizeof(countsalt));
+		SHA512Final(sha2salt, &ctx);
+		bcrypt_hash(sha2pass, sha2salt, tmpout);
+		memcpy(out, tmpout, sizeof(out));
+
+		for (i = 1; i < rounds; i++) {
+			/* subsequent rounds, salt is previous output */
+			SHA512Init(&ctx);
+			SHA512Update(&ctx, tmpout, sizeof(tmpout));
+			SHA512Final(sha2salt, &ctx);
+			bcrypt_hash(sha2pass, sha2salt, tmpout);
+			for (j = 0; j < sizeof(out); j++)
+				out[j] ^= tmpout[j];
+		}
+
+		/*
+		 * pbkdf2 deviation: output the key material non-linearly.
+		 */
+		amt = MINIMUM(amt, keylen);
+		for (i = 0; i < amt; i++) {
+			size_t dest = i * stride + (count - 1);
+			if (dest >= origkeylen)
+				break;
+			key[dest] = out[i];
+		}
+		keylen -= i;
+	}
+
+	/* zap */
+	explicit_bzero(&ctx, sizeof(ctx));
+	explicit_bzero(out, sizeof(out));
+
+	return 0;
+}

data/ext/mri/bcrypt_pbkdf_ext.c

@@ -0,0 +1,44 @@
+#include "includes.h"
+#include <ruby.h>
+
+static VALUE mBCryptPbkdf;
+static VALUE cBCryptPbkdfEngine;
+
+/* Given a secret and a salt a key and the number of rounds and returns the encrypted secret
+*/
+static VALUE bc_crypt_pbkdf(VALUE self, VALUE pass, VALUE salt, VALUE keylen, VALUE rounds) {
+  size_t okeylen = NUM2UINT(keylen);
+  u_int8_t* okey = xmalloc(keylen);
+  VALUE out;
+
+  int ret = bcrypt_pbkdf(
+    StringValuePtr(pass), RSTRING_LEN(pass),
+    (const u_int8_t*)StringValuePtr(salt), RSTRING_LEN(salt),
+    okey, okeylen,
+    NUM2UINT(rounds));
+  if (ret < 0)
+    return Qnil;
+  out = rb_str_new((const char*)okey, okeylen);
+  xfree(okey);
+  return out;
+}
+
+static VALUE bc_crypt_hash(VALUE self, VALUE pass, VALUE salt) {
+  u_int8_t hash[BCRYPT_HASHSIZE];
+  if (RSTRING_LEN(pass) != 64U)
+    return Qnil;
+  if (RSTRING_LEN(salt) != 64U)
+    return Qnil;
+  bcrypt_hash((const u_int8_t*)StringValuePtr(pass), (const u_int8_t*)StringValuePtr(salt), hash);
+  return rb_str_new((const char*)hash, sizeof(hash));
+}
+
+
+/* Create the BCryptPbkdf and BCryptPbkdf::Engine modules, and populate them with methods. */
+void Init_bcrypt_pbkdf_ext(){
+    mBCryptPbkdf = rb_define_module("BCryptPbkdf");
+    cBCryptPbkdfEngine = rb_define_class_under(mBCryptPbkdf, "Engine", rb_cObject);
+
+    rb_define_singleton_method(cBCryptPbkdfEngine, "__bc_crypt_pbkdf", bc_crypt_pbkdf, 4);
+    rb_define_singleton_method(cBCryptPbkdfEngine, "__bc_crypt_hash", bc_crypt_hash, 2);
+}

data/ext/mri/blf.h

@@ -0,0 +1,90 @@
+/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 grunk Exp $ */
+/*
+ * Blowfish - a fast block cipher designed by Bruce Schneier
+ *
+ * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _BLF_H_
+#define _BLF_H_
+
+#include "includes.h"
+
+#if !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H)
+
+/* Schneier specifies a maximum key length of 56 bytes.
+ * This ensures that every key bit affects every cipher
+ * bit.  However, the subkeys can hold up to 72 bytes.
+ * Warning: For normal blowfish encryption only 56 bytes
+ * of the key affect all cipherbits.
+ */
+
+#define BLF_N	16			/* Number of Subkeys */
+#define BLF_MAXKEYLEN ((BLF_N-2)*4)	/* 448 bits */
+#define BLF_MAXUTILIZED ((BLF_N+2)*4)	/* 576 bits */
+
+/* Blowfish context */
+typedef struct BlowfishContext {
+	u_int32_t S[4][256];	/* S-Boxes */
+	u_int32_t P[BLF_N + 2];	/* Subkeys */
+} blf_ctx;
+
+/* Raw access to customized Blowfish
+ *	blf_key is just:
+ *	Blowfish_initstate( state )
+ *	Blowfish_expand0state( state, key, keylen )
+ */
+
+void Blowfish_encipher(blf_ctx *, u_int32_t *, u_int32_t *);
+void Blowfish_decipher(blf_ctx *, u_int32_t *, u_int32_t *);
+void Blowfish_initstate(blf_ctx *);
+void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t);
+void Blowfish_expandstate
+(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t);
+
+/* Standard Blowfish */
+
+void blf_key(blf_ctx *, const u_int8_t *, u_int16_t);
+void blf_enc(blf_ctx *, u_int32_t *, u_int16_t);
+void blf_dec(blf_ctx *, u_int32_t *, u_int16_t);
+
+void blf_ecb_encrypt(blf_ctx *, u_int8_t *, u_int32_t);
+void blf_ecb_decrypt(blf_ctx *, u_int8_t *, u_int32_t);
+
+void blf_cbc_encrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+void blf_cbc_decrypt(blf_ctx *, u_int8_t *, u_int8_t *, u_int32_t);
+
+/* Converts u_int8_t to u_int32_t */
+u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , u_int16_t *);
+
+#define DEF_WEAK(foo) 
+
+#endif /* !defined(HAVE_BCRYPT_PBKDF) && !defined(HAVE_BLH_H) */
+#endif /* _BLF_H */
+