diff options
author | Damien Miller <djm@mindrot.org> | 2013-07-29 13:54:17 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-07-29 13:54:17 +1000 |
commit | b710e4986ec3b7d01213919cb66ecfaac201e7aa (patch) | |
tree | 2049ad49746fd83816f624315b2082ca8696250a | |
parent | e72cf0d46a6afb7b3a38d629ee5968c5e5cf2f3d (diff) | |
download | py-bcrypt-b710e4986ec3b7d01213919cb66ecfaac201e7aa.tar.gz |
bcrypt-based key derivation function support, from OpenBSD libutil
-rw-r--r-- | LICENSE | 54 | ||||
-rw-r--r-- | README | 3 | ||||
-rw-r--r-- | TODO | 4 | ||||
-rw-r--r-- | bcrypt/__init__.py | 16 | ||||
-rw-r--r-- | bcrypt/__pycache__/__init__.cpython-33.pyc | bin | 0 -> 2176 bytes | |||
-rw-r--r-- | bcrypt/bcrypt_pbkdf.c | 160 | ||||
-rw-r--r-- | bcrypt/bcrypt_python.c | 80 | ||||
-rw-r--r-- | bcrypt/pybc_blf.h | 12 | ||||
-rw-r--r-- | bcrypt/pybc_sha2.h | 63 | ||||
-rw-r--r-- | bcrypt/sha2.c | 401 | ||||
-rwxr-xr-x | setup.py | 21 | ||||
-rwxr-xr-x | test/test.py | 99 |
12 files changed, 898 insertions, 15 deletions
@@ -85,3 +85,57 @@ subject to the following license: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +The KDF code is from OpenBSD libutil and is subject to the following licence: + +/* + * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +The SHA512 is from OpenBSD libc and is subject to the following license: + +/* + * FILE: sha2.c + * AUTHOR: Aaron D. Gifford <me@aarongifford.com> + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ + */ + @@ -46,4 +46,7 @@ A simple example that demonstrates most of the features: else: print "It does not match" + # Generate a 256-bit cryptographic key + key = bcrypt.kdf(password, salt, 100, 256/8) + $Id$ @@ -1,5 +1,3 @@ -Python 3 support - -Regress tests (pull from jBCrypt) +Improve regress tests: tests for bad parameters $Id$ diff --git a/bcrypt/__init__.py b/bcrypt/__init__.py index d4f2b2d..8f7ba2f 100644 --- a/bcrypt/__init__.py +++ b/bcrypt/__init__.py @@ -20,6 +20,22 @@ gensalt() function: The parameter "log_rounds" defines the complexity of the hashing. The cost increases as 2**log_rounds. + +Passwords and salts for the hashpw and gensalt functions are text strings +that must not contain embedded nul (ASCII 0) characters. + +This module also operates as a key derivation function (KDF) to transform a +password and salt into bytes suitable for use as cryptographic key material: + + kdf(password, salt, desired_length, rounds) -> key + +This will generate a key of "desired_length" in bytes (NB. not bits). For the +KDF mode the "rounds" parameter is the literal rounds, not the logarithm as +for gensalt. For the KDF case, "salt" and "password" may be binary strings +containing embedded nul characters. + +The KDF mode is recommended for generating symmetric cipher keys, IVs, hash +and MAC keys, etc. It should not be used a keystream for encryption itself. """ import os diff --git a/bcrypt/__pycache__/__init__.cpython-33.pyc b/bcrypt/__pycache__/__init__.cpython-33.pyc Binary files differnew file mode 100644 index 0000000..2c0890e --- /dev/null +++ b/bcrypt/__pycache__/__init__.cpython-33.pyc diff --git a/bcrypt/bcrypt_pbkdf.c b/bcrypt/bcrypt_pbkdf.c new file mode 100644 index 0000000..fd607e6 --- /dev/null +++ b/bcrypt/bcrypt_pbkdf.c @@ -0,0 +1,160 @@ +/* $OpenBSD: bcrypt_pbkdf.c,v 1.3 2013/06/04 15:55:50 tedu Exp $ */ +/* + * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <sys/types.h> +#include <string.h> +#include <stdlib.h> + +#include "pybc_blf.h" +#include "pybc_sha2.h" + +/* + * pkcs #5 pbkdf2 implementation using the "bcrypt" hash + * + * The bcrypt hash function is derived from the bcrypt password hashing + * function with the following modifications: + * 1. The input password and salt are preprocessed with SHA512. + * 2. The output length is expanded to 256 bits. + * 3. Subsequently the magic string to be encrypted is lengthened and modifed + * to "OxychromaticBlowfishSwatDynamite" + * 4. The hash function is defined to perform 64 rounds of initial state + * expansion. (More rounds are performed by iterating the hash.) + * + * Note that this implementation pulls the SHA512 operations into the caller + * as a performance optimization. + * + * One modification from official pbkdf2. Instead of outputting key material + * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to + * generate (i.e.) 512 bits of key material for use as two 256 bit keys, an + * attacker can merely run once through the outer loop below, but the user + * always runs it twice. Shuffling output bytes requires computing the + * entirety of the key material to assemble any subkey. This is something a + * wise caller could do; we just do it for you. + */ + +#define BCRYPT_BLOCKS 8 +#define BCRYPT_HASHSIZE (BCRYPT_BLOCKS * 4) + +static void +bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out) +{ + pybc_blf_ctx state; + u_int8_t ciphertext[BCRYPT_HASHSIZE] = + "OxychromaticBlowfishSwatDynamite"; + u_int32_t cdata[BCRYPT_BLOCKS]; + int i; + u_int16_t j; + size_t shalen = PYBC_SHA512_DIGEST_LENGTH; + + /* key expansion */ + Blowfish_initstate(&state); + Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen); + for (i = 0; i < 64; i++) { + Blowfish_expand0state(&state, sha2salt, shalen); + Blowfish_expand0state(&state, sha2pass, shalen); + } + + /* encryption */ + j = 0; + for (i = 0; i < BCRYPT_BLOCKS; i++) + cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext), + &j); + for (i = 0; i < 64; i++) + blf_enc(&state, cdata, sizeof(cdata) / sizeof(u_int64_t)); + + /* copy out */ + for (i = 0; i < BCRYPT_BLOCKS; i++) { + out[4 * i + 3] = (cdata[i] >> 24) & 0xff; + out[4 * i + 2] = (cdata[i] >> 16) & 0xff; + out[4 * i + 1] = (cdata[i] >> 8) & 0xff; + out[4 * i + 0] = cdata[i] & 0xff; + } + + /* zap */ + memset(ciphertext, 0, sizeof(ciphertext)); + memset(cdata, 0, sizeof(cdata)); + memset(&state, 0, sizeof(state)); +} + +int +bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen, + u_int8_t *key, size_t keylen, unsigned int rounds) +{ + PYBC_SHA2_CTX ctx; + u_int8_t sha2pass[PYBC_SHA512_DIGEST_LENGTH]; + u_int8_t sha2salt[PYBC_SHA512_DIGEST_LENGTH]; + u_int8_t out[BCRYPT_HASHSIZE]; + u_int8_t tmpout[BCRYPT_HASHSIZE]; + u_int8_t countsalt[4]; + size_t i, j, amt, stride; + u_int32_t count; + + /* nothing crazy */ + if (rounds < 1) + return -1; + if (passlen == 0 || saltlen == 0 || keylen == 0 || + keylen > sizeof(out) * sizeof(out)) + return -1; + stride = (keylen + sizeof(out) - 1) / sizeof(out); + amt = (keylen + stride - 1) / stride; + + /* collapse password */ + PYBC_SHA512Init(&ctx); + PYBC_SHA512Update(&ctx, pass, passlen); + PYBC_SHA512Final(sha2pass, &ctx); + + /* generate key, sizeof(out) at a time */ + for (count = 1; keylen > 0; count++) { + countsalt[0] = (count >> 24) & 0xff; + countsalt[1] = (count >> 16) & 0xff; + countsalt[2] = (count >> 8) & 0xff; + countsalt[3] = count & 0xff; + + /* first round, salt is salt */ + PYBC_SHA512Init(&ctx); + PYBC_SHA512Update(&ctx, salt, saltlen); + PYBC_SHA512Update(&ctx, countsalt, sizeof(countsalt)); + PYBC_SHA512Final(sha2salt, &ctx); + bcrypt_hash(sha2pass, sha2salt, tmpout); + memcpy(out, tmpout, sizeof(out)); + + for (i = 1; i < rounds; i++) { + /* subsequent rounds, salt is previous output */ + PYBC_SHA512Init(&ctx); + PYBC_SHA512Update(&ctx, tmpout, sizeof(tmpout)); + PYBC_SHA512Final(sha2salt, &ctx); + bcrypt_hash(sha2pass, sha2salt, tmpout); + for (j = 0; j < sizeof(out); j++) + out[j] ^= tmpout[j]; + } + + /* + * pbkdf2 deviation: ouput the key material non-linearly. + */ + if (keylen < amt) + amt = keylen; + for (i = 0; i < amt; i++) + key[i * stride + (count - 1)] = out[i]; + keylen -= amt; + } + + /* zap */ + memset(&ctx, 0, sizeof(ctx)); + memset(out, 0, sizeof(out)); + + return 0; +} diff --git a/bcrypt/bcrypt_python.c b/bcrypt/bcrypt_python.c index a41352e..176f4bc 100644 --- a/bcrypt/bcrypt_python.c +++ b/bcrypt/bcrypt_python.c @@ -19,17 +19,11 @@ #if PY_VERSION_HEX < 0x02050000 typedef int Py_ssize_t; +#define bzero(s,l) memset(s, '\0', l) #endif #define PYBCRYPT_VERSION "0.4" -#if defined(_WIN32) -typedef unsigned __int8 u_int8_t; -typedef unsigned __int16 u_int16_t; -typedef unsigned __int32 u_int32_t; -#define bzero(s,n) memset(s, '\0', n) -#endif - /* $Id$ */ /* Import */ @@ -124,6 +118,7 @@ bcrypt_hashpw(PyObject *self, PyObject *args, PyObject *kw_args) if ((salt_copy = checkdup(salt, salt_len)) == NULL) { PyErr_SetString(PyExc_ValueError, "salt must not contain nul characters"); + free(password_copy); return NULL; } Py_BEGIN_ALLOW_THREADS; @@ -145,11 +140,82 @@ bcrypt_hashpw(PyObject *self, PyObject *args, PyObject *kw_args) #endif } +PyDoc_STRVAR(bcrypt_kdf_doc, +"kdf(password, salt, desired_key_bytes, rounds) -> key\n\ + Derive \"desired_key_bytes\" (up to 512) cryptographic key material from\n\ + a password and salt. NB. rounds is linear (not an exponent like\n\ + gensalt). Recommended minimum salt length is 16 bytes\n"); + +#if 0 +static void +xdump(const u_int8_t *s, size_t l) +{ + size_t i; + + for (i = 0; i < l; i++) + printf("\\x%02x", s[i]); +} +#endif + +static PyObject * +bcrypt_kdf(PyObject *self, PyObject *args, PyObject *kw_args) +{ + static char *keywords[] = { + "password", + "salt", + "desired_key_bytes", + "rounds", + NULL + }; + const u_int8_t *password = NULL, *salt = NULL; + Py_ssize_t password_len = -1, salt_len = -1; + long desired_key_bytes = -1, rounds = -1; + u_int8_t *key; + int ret; + PyObject *o = NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kw_args, "s#s#ll:kdf", keywords, + &password, &password_len, &salt, &salt_len, + &desired_key_bytes, &rounds)) + return NULL; + if (password_len <= 0) { + PyErr_SetString(PyExc_ValueError, "Invalid password length"); + return NULL; + } + if (salt_len <= 0) { + PyErr_SetString(PyExc_ValueError, "Invalid salt length"); + return NULL; + } + if (desired_key_bytes <= 0 || desired_key_bytes > 512) { + PyErr_SetString(PyExc_ValueError, "Invalid output length"); + return NULL; + } + if (rounds < 1) { + PyErr_SetString(PyExc_ValueError, "Invalid number of rounds"); + return NULL; + } + if ((key = malloc(desired_key_bytes)) == NULL) + return NULL; + Py_BEGIN_ALLOW_THREADS; + ret = bcrypt_pbkdf(password, password_len, salt, salt_len, + key, desired_key_bytes, rounds); + Py_END_ALLOW_THREADS; + if (ret != 0) + PyErr_SetString(PyExc_ValueError, "kdf failed"); + else + o = PyBytes_FromStringAndSize(key, desired_key_bytes); + bzero(key, desired_key_bytes); + free(key); + return o; +} + static PyMethodDef bcrypt_methods[] = { { "hashpw", (PyCFunction)bcrypt_hashpw, METH_VARARGS|METH_KEYWORDS, bcrypt_hashpw_doc }, { "encode_salt", (PyCFunction)bcrypt_encode_salt, METH_VARARGS|METH_KEYWORDS, bcrypt_encode_salt_doc }, + { "kdf", (PyCFunction)bcrypt_kdf, + METH_VARARGS|METH_KEYWORDS, bcrypt_kdf_doc }, {NULL, NULL} /* sentinel */ }; diff --git a/bcrypt/pybc_blf.h b/bcrypt/pybc_blf.h index 55ac12c..e18f7b6 100644 --- a/bcrypt/pybc_blf.h +++ b/bcrypt/pybc_blf.h @@ -38,6 +38,13 @@ typedef unsigned __int8 u_int8_t; typedef unsigned __int16 u_int16_t; typedef unsigned __int32 u_int32_t; +typedef unsigned __int64 u_int64_t; +#elif __STDC_VERSION__ >= 199901L /* C99 or later */ +include <stdint.h> +typedef uint8_t u_int8_t; +typedef uint16_t u_int16_t; +typedef uint32_t u_int32_t; +typedef uint64_t u_int64_t; #endif /* Schneier specifies a maximum key length of 56 bytes. @@ -74,4 +81,9 @@ void pybc_blf_enc(pybc_blf_ctx *, u_int32_t *, u_int16_t); /* Converts u_int8_t to u_int32_t */ u_int32_t pybc_Blowfish_stream2word(const u_int8_t *, u_int16_t, u_int16_t *); +/* KDF interface */ +int bcrypt_pbkdf(const char *pass, size_t passlen, + const u_int8_t *salt, size_t saltlen, + u_int8_t *key, size_t keylen, unsigned int rounds); + #endif diff --git a/bcrypt/pybc_sha2.h b/bcrypt/pybc_sha2.h new file mode 100644 index 0000000..60ab34f --- /dev/null +++ b/bcrypt/pybc_sha2.h @@ -0,0 +1,63 @@ +/* $OpenBSD: sha2.h,v 1.9 2013/04/15 15:54:17 millert Exp $ */ + +/* + * FILE: sha2.h + * AUTHOR: Aaron D. Gifford <me@aarongifford.com> + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $ + */ + +#ifndef _PYBC_SHA2_H +#define _PYBC_SHA2_H + +/*** SHA-256/384/512 Various Length Definitions ***********************/ +#define PYBC_SHA512_BLOCK_LENGTH 128 +#define PYBC_SHA512_DIGEST_LENGTH 64 +#define PYBC_SHA512_DIGEST_STRING_LENGTH (PYBC_SHA512_DIGEST_LENGTH * 2 + 1) + + +/*** SHA-224/256/384/512 Context Structure *******************************/ +typedef struct _PYBC_SHA2_CTX { + union { + u_int32_t st32[8]; + u_int64_t st64[8]; + } state; + u_int64_t bitcount[2]; + u_int8_t buffer[PYBC_SHA512_BLOCK_LENGTH]; +} PYBC_SHA2_CTX; + +void PYBC_SHA512Init(PYBC_SHA2_CTX *); +void PYBC_SHA512Transform(u_int64_t state[8], const u_int8_t [PYBC_SHA512_BLOCK_LENGTH]); +void PYBC_SHA512Update(PYBC_SHA2_CTX *, const u_int8_t *, size_t); +void PYBC_SHA512Pad(PYBC_SHA2_CTX *); +void PYBC_SHA512Final(u_int8_t [PYBC_SHA512_DIGEST_LENGTH], PYBC_SHA2_CTX *); +char *PYBC_SHA512End(PYBC_SHA2_CTX *, char *); + +#endif /* _PYBC_SHA2_H */ diff --git a/bcrypt/sha2.c b/bcrypt/sha2.c new file mode 100644 index 0000000..c5f0a96 --- /dev/null +++ b/bcrypt/sha2.c @@ -0,0 +1,401 @@ +/* $OpenBSD: sha2.c,v 1.14 2013/04/15 15:54:17 millert Exp $ */ + +/* + * FILE: sha2.c + * AUTHOR: Aaron D. Gifford <me@aarongifford.com> + * + * Copyright (c) 2000-2001, Aaron D. Gifford + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ + */ + +#include <sys/types.h> + +#include <string.h> + +#include "pybc_blf.h" +#include "pybc_sha2.h" + +/*** SHA-224/256/384/512 Machine Architecture Definitions *****************/ +/* + * BYTE_ORDER NOTE: + * + * Please make sure that your system defines BYTE_ORDER. If your + * architecture is little-endian, make sure it also defines + * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are + * equivilent. + * + * If your system does not define the above, then you can do so by + * hand like this: + * + * #define LITTLE_ENDIAN 1234 + * #define BIG_ENDIAN 4321 + * + * And for little-endian machines, add: + * + * #define BYTE_ORDER LITTLE_ENDIAN + * + * Or for big-endian machines: + * + * #define BYTE_ORDER BIG_ENDIAN + * + * The FreeBSD machine this was written on defines BYTE_ORDER + * appropriately by including <sys/types.h> (which in turn includes + * <machine/endian.h> where the appropriate definitions are actually + * made). + */ +#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) +#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN +#endif + + +/*** SHA-224/256/384/512 Various Length Definitions ***********************/ +/* NOTE: Most of these are in sha2.h */ +#define PYBC_SHA512_SHORT_BLOCK_LENGTH (PYBC_SHA512_BLOCK_LENGTH - 16) + +/*** ENDIAN SPECIFIC COPY MACROS **************************************/ +#define BE_8_TO_32(dst, cp) do { \ + (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ + ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ +} while(0) + +#define BE_8_TO_64(dst, cp) do { \ + (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ + ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ + ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ + ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ +} while (0) + +#define BE_64_TO_8(cp, src) do { \ + (cp)[0] = (src) >> 56; \ + (cp)[1] = (src) >> 48; \ + (cp)[2] = (src) >> 40; \ + (cp)[3] = (src) >> 32; \ + (cp)[4] = (src) >> 24; \ + (cp)[5] = (src) >> 16; \ + (cp)[6] = (src) >> 8; \ + (cp)[7] = (src); \ +} while (0) + +#define BE_32_TO_8(cp, src) do { \ + (cp)[0] = (src) >> 24; \ + (cp)[1] = (src) >> 16; \ + (cp)[2] = (src) >> 8; \ + (cp)[3] = (src); \ +} while (0) + +/* + * Macro for incrementally adding the unsigned 64-bit integer n to the + * unsigned 128-bit integer (represented using a two-element array of + * 64-bit words): + */ +#define ADDINC128(w,n) do { \ + (w)[0] += (u_int64_t)(n); \ + if ((w)[0] < (n)) { \ + (w)[1]++; \ + } \ +} while (0) + +/*** THE SIX LOGICAL FUNCTIONS ****************************************/ +/* + * Bit shifting and rotation (used by the six SHA-XYZ logical functions: + * + * NOTE: The naming of R and S appears backwards here (R is a SHIFT and + * S is a ROTATION) because the SHA-224/256/384/512 description document + * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this + * same "backwards" definition. + */ +/* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */ +#define R(b,x) ((x) >> (b)) +/* 32-bit Rotate-right (used in SHA-224 and SHA-256): */ +#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) +/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ +#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) + +/* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */ +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +/* Four of six logical functions used in SHA-384 and SHA-512: */ +#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) +#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) +#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) +#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) + + +/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ + +/* Hash constant words K for SHA-384 and SHA-512: */ +const static u_int64_t K512[80] = { + 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, + 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, + 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, + 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, + 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, + 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, + 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, + 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, + 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, + 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, + 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, + 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, + 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, + 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, + 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, + 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, + 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, + 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, + 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, + 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, + 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, + 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, + 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, + 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, + 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, + 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, + 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, + 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, + 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, + 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, + 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, + 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, + 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, + 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, + 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, + 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, + 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, + 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, + 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, + 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL +}; + +/* Initial hash value H for SHA-512 */ +const static u_int64_t sha512_initial_hash_value[8] = { + 0x6a09e667f3bcc908ULL, + 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, + 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, + 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, + 0x5be0cd19137e2179ULL +}; + +/*** PYBC_SHA-512: *********************************************************/ +void +PYBC_SHA512Init(PYBC_SHA2_CTX *context) +{ + if (context == NULL) + return; + memcpy(context->state.st64, sha512_initial_hash_value, + sizeof(sha512_initial_hash_value)); + memset(context->buffer, 0, sizeof(context->buffer)); + context->bitcount[0] = context->bitcount[1] = 0; +} + +void +PYBC_SHA512Transform(u_int64_t state[8], const u_int8_t data[PYBC_SHA512_BLOCK_LENGTH]) +{ + u_int64_t a, b, c, d, e, f, g, h, s0, s1; + u_int64_t T1, T2, W512[16]; + int j; + + /* Initialize registers with the prev. intermediate value */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + f = state[5]; + g = state[6]; + h = state[7]; + + j = 0; + do { + BE_8_TO_64(W512[j], data); + data += 8; + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 16); + + do { + /* Part of the message block expansion: */ + s0 = W512[(j+1)&0x0f]; + s0 = sigma0_512(s0); + s1 = W512[(j+14)&0x0f]; + s1 = sigma1_512(s1); + + /* Apply the SHA-512 compression function to update a..h */ + T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + + (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); + T2 = Sigma0_512(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; + + j++; + } while (j < 80); + + /* Compute the current intermediate hash value */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + state[5] += f; + state[6] += g; + state[7] += h; + + /* Clean up */ + a = b = c = d = e = f = g = h = T1 = T2 = 0; +} + +void +PYBC_SHA512Update(PYBC_SHA2_CTX *context, const u_int8_t *data, size_t len) +{ + size_t freespace, usedspace; + + /* Calling with no data is valid (we do nothing) */ + if (len == 0) + return; + + usedspace = (context->bitcount[0] >> 3) % PYBC_SHA512_BLOCK_LENGTH; + if (usedspace > 0) { + /* Calculate how much free space is available in the buffer */ + freespace = PYBC_SHA512_BLOCK_LENGTH - usedspace; + + if (len >= freespace) { + /* Fill the buffer completely and process it */ + memcpy(&context->buffer[usedspace], data, freespace); + ADDINC128(context->bitcount, freespace << 3); + len -= freespace; + data += freespace; + PYBC_SHA512Transform(context->state.st64, context->buffer); + } else { + /* The buffer is not yet full */ + memcpy(&context->buffer[usedspace], data, len); + ADDINC128(context->bitcount, len << 3); + /* Clean up: */ + usedspace = freespace = 0; + return; + } + } + while (len >= PYBC_SHA512_BLOCK_LENGTH) { + /* Process as many complete blocks as we can */ + PYBC_SHA512Transform(context->state.st64, data); + ADDINC128(context->bitcount, PYBC_SHA512_BLOCK_LENGTH << 3); + len -= PYBC_SHA512_BLOCK_LENGTH; + data += PYBC_SHA512_BLOCK_LENGTH; + } + if (len > 0) { + /* There's left-overs, so save 'em */ + memcpy(context->buffer, data, len); + ADDINC128(context->bitcount, len << 3); + } + /* Clean up: */ + usedspace = freespace = 0; +} + +void +PYBC_SHA512Pad(PYBC_SHA2_CTX *context) +{ + unsigned int usedspace; + + usedspace = (context->bitcount[0] >> 3) % PYBC_SHA512_BLOCK_LENGTH; + if (usedspace > 0) { + /* Begin padding with a 1 bit: */ + context->buffer[usedspace++] = 0x80; + + if (usedspace <= PYBC_SHA512_SHORT_BLOCK_LENGTH) { + /* Set-up for the last transform: */ + memset(&context->buffer[usedspace], 0, PYBC_SHA512_SHORT_BLOCK_LENGTH - usedspace); + } else { + if (usedspace < PYBC_SHA512_BLOCK_LENGTH) { + memset(&context->buffer[usedspace], 0, PYBC_SHA512_BLOCK_LENGTH - usedspace); + } + /* Do second-to-last transform: */ + PYBC_SHA512Transform(context->state.st64, context->buffer); + + /* And set-up for the last transform: */ + memset(context->buffer, 0, PYBC_SHA512_BLOCK_LENGTH - 2); + } + } else { + /* Prepare for final transform: */ + memset(context->buffer, 0, PYBC_SHA512_SHORT_BLOCK_LENGTH); + + /* Begin padding with a 1 bit: */ + *context->buffer = 0x80; + } + /* Store the length of input data (in bits) in big endian format: */ + BE_64_TO_8(&context->buffer[PYBC_SHA512_SHORT_BLOCK_LENGTH], + context->bitcount[1]); + BE_64_TO_8(&context->buffer[PYBC_SHA512_SHORT_BLOCK_LENGTH + 8], + context->bitcount[0]); + + /* Final transform: */ + PYBC_SHA512Transform(context->state.st64, context->buffer); + + /* Clean up: */ + usedspace = 0; +} + +void +PYBC_SHA512Final(u_int8_t digest[PYBC_SHA512_DIGEST_LENGTH], PYBC_SHA2_CTX *context) +{ + PYBC_SHA512Pad(context); + + /* If no digest buffer is passed, we don't bother doing this: */ + if (digest != NULL) { +#if BYTE_ORDER == LITTLE_ENDIAN + int i; + + /* Convert TO host byte order */ + for (i = 0; i < 8; i++) + BE_64_TO_8(digest + i * 8, context->state.st64[i]); +#else + memcpy(digest, context->state.st64, PYBC_SHA512_DIGEST_LENGTH); +#endif + memset(context, 0, sizeof(*context)); + } +} @@ -26,23 +26,34 @@ VERSION = "0.3" if __name__ == '__main__': bcrypt = Extension('bcrypt._bcrypt', - sources = ['bcrypt/bcrypt_python.c', 'bcrypt/blowfish.c', - 'bcrypt/bcrypt.c']) + sources = [ + 'bcrypt/bcrypt_python.c', + 'bcrypt/blowfish.c', + 'bcrypt/bcrypt.c', + 'bcrypt/sha2.c', + 'bcrypt/bcrypt_pbkdf.c', + ], + ) setup( name = "py-bcrypt", version = VERSION, author = "Damien Miller", author_email = "djm@mindrot.org", - url = "http://www.mindrot.org/py-bcrypt.html", - description = "Blowfish password hashing", + url = "https://code.google.com/p/py-bcrypt", + description = "bcrypt password hashing and key derivation", long_description = """\ py-bcrypt is an implementation the OpenBSD Blowfish password hashing algorithm, as described in "A Future-Adaptable Password Scheme" by -Niels Provos and David Mazieres. +Niels Provos and David Mazieres and related bcrypt-based key derivation +function implemented in OpenBSD libutil. This system hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking. The computation cost of the algorithm is parametised, so it can be increased as computers get faster. + +Two interfaces are supported: a classic password hashing interface and +a key derivation function (KDF) intended for generating cryptographic +keys. """, license = "BSD", packages = ['bcrypt'], diff --git a/test/test.py b/test/test.py index 07f7f8d..947e625 100755 --- a/test/test.py +++ b/test/test.py @@ -100,6 +100,105 @@ class TestBcrypt(unittest.TestCase): crypted2 = bcrypt.hashpw(plain, crypted) self.assertEqual(crypted, crypted2) +# rounds, password, salt, expected_key +kdf_test_vectors = [ + [ 4, "password", "salt", + b("\x5b\xbf\x0c\xc2\x93\x58\x7f\x1c\x36\x35\x55\x5c\x27\x79\x65\x98" + "\xd4\x7e\x57\x90\x71\xbf\x42\x7e\x9d\x8f\xbe\x84\x2a\xba\x34\xd9") + ], + [ 4, "password", b("\x00"), + b("\xc1\x2b\x56\x62\x35\xee\xe0\x4c\x21\x25\x98\x97\x0a\x57\x9a\x67") + ], + [ 4, b("\x00"), "salt", + b("\x60\x51\xbe\x18\xc2\xf4\xf8\x2c\xbf\x0e\xfe\xe5\x47\x1b\x4b\xb9") + ], + # nul bytes in password and string + [ 4, "password\x00", "salt\x00", + b("\x74\x10\xe4\x4c\xf4\xfa\x07\xbf\xaa\xc8\xa9\x28\xb1\x72\x7f\xac" + "\x00\x13\x75\xe7\xbf\x73\x84\x37\x0f\x48\xef\xd1\x21\x74\x30\x50") + ], + [ 4, b("pass\x00wor"), b("sa\0l"), + b("\xc2\xbf\xfd\x9d\xb3\x8f\x65\x69\xef\xef\x43\x72\xf4\xde\x83\xc0") + ], + [ 4, b("pass\x00word"), b("sa\0lt"), + b("\x4b\xa4\xac\x39\x25\xc0\xe8\xd7\xf0\xcd\xb6\xbb\x16\x84\xa5\x6f") + ], + # bigger key + [ 8, "password", "salt", + b("\xe1\x36\x7e\xc5\x15\x1a\x33\xfa\xac\x4c\xc1\xc1\x44\xcd\x23\xfa" + "\x15\xd5\x54\x84\x93\xec\xc9\x9b\x9b\x5d\x9c\x0d\x3b\x27\xbe\xc7" + "\x62\x27\xea\x66\x08\x8b\x84\x9b\x20\xab\x7a\xa4\x78\x01\x02\x46" + "\xe7\x4b\xba\x51\x72\x3f\xef\xa9\xf9\x47\x4d\x65\x08\x84\x5e\x8d") + ], + # more rounds + [ 42, "password", "salt", + b("\x83\x3c\xf0\xdc\xf5\x6d\xb6\x56\x08\xe8\xf0\xdc\x0c\xe8\x82\xbd") + ], + # longer password + [ 8, + "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do " + "eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut " + "enim ad minim veniam, quis nostrud exercitation ullamco laboris " + "nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor " + "in reprehenderit in voluptate velit esse cillum dolore eu fugiat " + "nulla pariatur. Excepteur sint occaecat cupidatat non proident, " + "sunt in culpa qui officia deserunt mollit anim id est laborum.", + b("salis\x00"), + b("\x10\x97\x8b\x07\x25\x3d\xf5\x7f\x71\xa1\x62\xeb\x0e\x8a\xd3\x0a") + ], + # "unicode" + [ 8, + b("\x0d\xb3\xac\x94\xb3\xee\x53\x28\x4f\x4a\x22\x89\x3b\x3c\x24\xae"), + b("\x3a\x62\xf0\xf0\xdb\xce\xf8\x23\xcf\xcc\x85\x48\x56\xea\x10\x28"), + b("\x20\x44\x38\x17\x5e\xee\x7c\xe1\x36\xc9\x1b\x49\xa6\x79\x23\xff") + ], + # very large key + [ 8, + b("\x0d\xb3\xac\x94\xb3\xee\x53\x28\x4f\x4a\x22\x89\x3b\x3c\x24\xae"), + b("\x3a\x62\xf0\xf0\xdb\xce\xf8\x23\xcf\xcc\x85\x48\x56\xea\x10\x28"), + b("\x20\x54\xb9\xff\xf3\x4e\x37\x21\x44\x03\x34\x74\x68\x28\xe9\xed" + "\x38\xde\x4b\x72\xe0\xa6\x9a\xdc\x17\x0a\x13\xb5\xe8\xd6\x46\x38" + "\x5e\xa4\x03\x4a\xe6\xd2\x66\x00\xee\x23\x32\xc5\xed\x40\xad\x55" + "\x7c\x86\xe3\x40\x3f\xbb\x30\xe4\xe1\xdc\x1a\xe0\x6b\x99\xa0\x71" + "\x36\x8f\x51\x8d\x2c\x42\x66\x51\xc9\xe7\xe4\x37\xfd\x6c\x91\x5b" + "\x1b\xbf\xc3\xa4\xce\xa7\x14\x91\x49\x0e\xa7\xaf\xb7\xdd\x02\x90" + "\xa6\x78\xa4\xf4\x41\x12\x8d\xb1\x79\x2e\xab\x27\x76\xb2\x1e\xb4" + "\x23\x8e\x07\x15\xad\xd4\x12\x7d\xff\x44\xe4\xb3\xe4\xcc\x4c\x4f" + "\x99\x70\x08\x3f\x3f\x74\xbd\x69\x88\x73\xfd\xf6\x48\x84\x4f\x75" + "\xc9\xbf\x7f\x9e\x0c\x4d\x9e\x5d\x89\xa7\x78\x39\x97\x49\x29\x66" + "\x61\x67\x07\x61\x1c\xb9\x01\xde\x31\xa1\x97\x26\xb6\xe0\x8c\x3a" + "\x80\x01\x66\x1f\x2d\x5c\x9d\xcc\x33\xb4\xaa\x07\x2f\x90\xdd\x0b" + "\x3f\x54\x8d\x5e\xeb\xa4\x21\x13\x97\xe2\xfb\x06\x2e\x52\x6e\x1d" + "\x68\xf4\x6a\x4c\xe2\x56\x18\x5b\x4b\xad\xc2\x68\x5f\xbe\x78\xe1" + "\xc7\x65\x7b\x59\xf8\x3a\xb9\xab\x80\xcf\x93\x18\xd6\xad\xd1\xf5" + "\x93\x3f\x12\xd6\xf3\x61\x82\xc8\xe8\x11\x5f\x68\x03\x0a\x12\x44") + ], + # UTF-8 Greek characters "odysseus" / "telemachos" + [ 8, + b("\xe1\xbd\x88\xce\xb4\xcf\x85\xcf\x83\xcf\x83\xce\xb5\xcf\x8d\xcf" + "\x82"), + b("\xce\xa4\xce\xb7\xce\xbb\xce\xad\xce\xbc\xce\xb1\xcf\x87\xce\xbf" + "\xcf\x82"), + b("\x43\x66\x6c\x9b\x09\xef\x33\xed\x8c\x27\xe8\xe8\xf3\xe2\xd8\xe6") + ], +] + +if PY3: + # Unicode Greek characters "odysseus" / "telemachos" + kdf_test_vectors.append([ + 8, + "\u1f48\u03b4\u03c5\u03c3\u03c3\u03b5\u03cd\u03c2", + "\u03a4\u03b7\u03bb\u03ad\u03bc\u03b1\u03c7\u03bf\u03c2", + b("\x43\x66\x6c\x9b\x09\xef\x33\xed\x8c\x27\xe8\xe8\xf3" + "\xe2\xd8\xe6") + ]) + +class TestKDF(unittest.TestCase): + def test_00__test_vectors(self): + for rounds, password, salt, expected in kdf_test_vectors: + key = bcrypt.kdf(password, salt, len(expected), rounds) + self.assertEqual(key, expected) + def main(): unittest.main() |