Home Explore Help
Register Sign In
Apq
/
winscp
mirror of https://github.com/winscp/winscp.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 3b02c96452
Branches Tags
winscp
/
source
/
putty
/
sshbcrypt.c

sshbcrypt.c 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124 
  1. /*
    2. 

  2.  * 'bcrypt' password hash function, for PuTTY's import/export of
    3. 

  3.  * OpenSSH encrypted private key files.
    4. 

  4.  *
    5. 

  5.  * This is not really the same as the original bcrypt; OpenSSH has
    6. 

  6.  * modified it in various ways, and of course we have to do the same.
    7. 

  7.  */
    8. 

  8. 

  9. #include <stddef.h>
    10. 

  10. #include <string.h>
    11. 

  11. #include "ssh.h"
    12. 

  12. #include "sshblowf.h"
    13. 

  13. 

  14. BlowfishContext *bcrypt_setup(const unsigned char *key, int keybytes,
    15. 

  15.                               const unsigned char *salt, int saltbytes)
    16. 

  16. {
    17. 

  17.     int i;
    18. 

  18.     BlowfishContext *ctx;
    19. 

  19. 

  20.     ctx = blowfish_make_context();
    21. 

  21.     blowfish_initkey(ctx);
    22. 

  22.     blowfish_expandkey(ctx, key, keybytes, salt, saltbytes);
    23. 

  23. 

  24.     /* Original bcrypt replaces this fixed loop count with the
    25. 

  25.      * variable cost. OpenSSH instead iterates the whole thing more
    26. 

  26.      * than once if it wants extra rounds. */
    27. 

  27.     for (i = 0; i < 64; i++) {
    28. 

  28.         blowfish_expandkey(ctx, salt, saltbytes, NULL, 0);
    29. 

  29.         blowfish_expandkey(ctx, key, keybytes, NULL, 0);
    30. 

  30.     }
    31. 

  31. 

  32.     return ctx;
    33. 

  33. }
    34. 

  34. 

  35. void bcrypt_hash(const unsigned char *key, int keybytes,
    36. 

  36.                  const unsigned char *salt, int saltbytes,
    37. 

  37.                  unsigned char output[32])
    38. 

  38. {
    39. 

  39.     BlowfishContext *ctx;
    40. 

  40.     int i;
    41. 

  41. 

  42.     ctx = bcrypt_setup(key, keybytes, salt, saltbytes);
    43. 

  43.     /* This was quite a nice starting string until it ran into
    44. 

  44.      * little-endian Blowfish :-/ */
    45. 

  45.     memcpy(output, "cyxOmorhcitawolBhsiftawSanyDetim", 32);
    46. 

  46.     for (i = 0; i < 64; i++) {
    47. 

  47.         blowfish_lsb_encrypt_ecb(output, 32, ctx);
    48. 

  48.     }
    49. 

  49.     blowfish_free_context(ctx);
    50. 

  50. }
    51. 

  51. 

  52. void bcrypt_genblock(int counter,
    53. 

  53.                      const unsigned char hashed_passphrase[64],
    54. 

  54.                      const unsigned char *salt, int saltbytes,
    55. 

  55.                      unsigned char output[32])
    56. 

  56. {
    57. 

  57.     SHA512_State shastate;
    58. 

  58.     unsigned char hashed_salt[64];
    59. 

  59.     unsigned char countbuf[4];
    60. 

  60. 

  61.     /* Hash the input salt with the counter value optionally suffixed
    62. 

  62.      * to get our real 32-byte salt */
    63. 

  63.     SHA512_Init(&shastate);
    64. 

  64.     SHA512_Bytes(&shastate, salt, saltbytes);
    65. 

  65.     if (counter) {
    66. 

  66.         PUT_32BIT_MSB_FIRST(countbuf, counter);
    67. 

  67.         SHA512_Bytes(&shastate, countbuf, 4);
    68. 

  68.     }
    69. 

  69.     SHA512_Final(&shastate, hashed_salt);
    70. 

  70. 

  71.     bcrypt_hash(hashed_passphrase, 64, hashed_salt, 64, output);
    72. 

  72. 

  73.     smemclr(&shastate, sizeof(shastate));
    74. 

  74.     smemclr(&hashed_salt, sizeof(hashed_salt));
    75. 

  75. }
    76. 

  76. 

  77. void openssh_bcrypt(const char *passphrase,
    78. 

  78.                     const unsigned char *salt, int saltbytes,
    79. 

  79.                     int rounds, unsigned char *out, int outbytes)
    80. 

  80. {
    81. 

  81.     unsigned char hashed_passphrase[64];
    82. 

  82.     unsigned char block[32], outblock[32];
    83. 

  83.     const unsigned char *thissalt;
    84. 

  84.     int thissaltbytes;
    85. 

  85.     int modulus, residue, i, j, round;
    86. 

  86. 

  87.     /* Hash the passphrase to get the bcrypt key material */
    88. 

  88.     SHA512_Simple(passphrase, strlen(passphrase), hashed_passphrase);
    89. 

  89. 

  90.     /* We output key bytes in a scattered fashion to meld all output
    91. 

  91.      * key blocks into all parts of the output. To do this, we pick a
    92. 

  92.      * modulus, and we output the key bytes to indices of out[] in the
    93. 

  93.      * following order: first the indices that are multiples of the
    94. 

  94.      * modulus, then the ones congruent to 1 mod modulus, etc. Each of
    95. 

  95.      * those passes consumes exactly one block output from
    96. 

  96.      * bcrypt_genblock, so we must pick a modulus large enough that at
    97. 

  97.      * most 32 bytes are used in the pass. */
    98. 

  98.     modulus = (outbytes + 31) / 32;
    99. 

  99. 

  100.     for (residue = 0; residue < modulus; residue++) {
    101. 

  101.         /* Our output block of data is the XOR of all blocks generated
    102. 

  102.          * by bcrypt in the following loop */
    103. 

  103.         memset(outblock, 0, sizeof(outblock));
    104. 

  104. 

  105.         thissalt = salt;
    106. 

  106.         thissaltbytes = saltbytes;
    107. 

  107.         for (round = 0; round < rounds; round++) {
    108. 

  108.             bcrypt_genblock(round == 0 ? residue+1 : 0,
    109. 

  109.                             hashed_passphrase,
    110. 

  110.                             thissalt, thissaltbytes, block);
    111. 

  111.             /* Each subsequent bcrypt call reuses the previous one's
    112. 

  112.              * output as its salt */
    113. 

  113.             thissalt = block;
    114. 

  114.             thissaltbytes = 32;
    115. 

  115. 

  116.             for (i = 0; i < 32; i++)
    117. 

  117.                 outblock[i] ^= block[i];
    118. 

  118.         }
    119. 

  119. 

  120.         for (i = residue, j = 0; i < outbytes; i += modulus, j++)
    121. 

  121.             out[i] = outblock[j];
    122. 

  122.     }
    123. 

  123.     smemclr(&hashed_passphrase, sizeof(hashed_passphrase));
    124. 

  124. }
    125.