bcrypt-based key derivation function support, from OpenBSD libutil

12 files changed, 898 insertions, 15 deletions

diff --git a/LICENSE b/LICENSE
index b4b5e51..c31acb9 100644
--- a/LICENSE
+++ b/LICENSE
@@ -85,3 +85,57 @@ subject to the following license:
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+The KDF code is from OpenBSD libutil and is subject to the following licence:
+
+/*
+ * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+The SHA512 is from OpenBSD libc and is subject to the following license:
+
+/*
+ * FILE:	sha2.c
+ * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
+ */
+
diff --git a/README b/README
index a7b12a4..5067c40 100644
--- a/README
+++ b/README
@@ -46,4 +46,7 @@ A simple example that demonstrates most of the features:
 	else:
 		print "It does not match"
 
+	# Generate a 256-bit cryptographic key
+	key = bcrypt.kdf(password, salt, 100, 256/8)
+
 $Id$
diff --git a/TODO b/TODO
index 65565a4..e59859b 100644
--- a/TODO
+++ b/TODO
@@ -1,5 +1,3 @@
-Python 3 support
-
-Regress tests (pull from jBCrypt)
+Improve regress tests: tests for bad parameters
 
 $Id$
diff --git a/bcrypt/__init__.py b/bcrypt/__init__.py
index d4f2b2d..8f7ba2f 100644
--- a/bcrypt/__init__.py
+++ b/bcrypt/__init__.py
@@ -20,6 +20,22 @@ gensalt() function:
 
 The parameter "log_rounds" defines the complexity of the hashing. The
 cost increases as 2**log_rounds.
+
+Passwords and salts for the hashpw and gensalt functions are text strings
+that must not contain embedded nul (ASCII 0) characters.
+
+This module also operates as a key derivation function (KDF) to transform a
+password and salt into bytes suitable for use as cryptographic key material:
+
+  kdf(password, salt, desired_length, rounds) -> key
+
+This will generate a key of "desired_length" in bytes (NB. not bits). For the
+KDF mode the "rounds" parameter is the literal rounds, not the logarithm as
+for gensalt. For the KDF case, "salt" and "password" may be binary strings
+containing embedded nul characters.
+
+The KDF mode is recommended for generating symmetric cipher keys, IVs, hash
+and MAC keys, etc. It should not be used a keystream for encryption itself.
 """
 
 import os
diff --git a/bcrypt/__pycache__/__init__.cpython-33.pyc b/bcrypt/__pycache__/__init__.cpython-33.pyc
new file mode 100644
index 0000000..2c0890e
--- /dev/null
+++ b/bcrypt/__pycache__/__init__.cpython-33.pyc
diff --git a/bcrypt/bcrypt_pbkdf.c b/bcrypt/bcrypt_pbkdf.c
new file mode 100644
index 0000000..fd607e6
--- /dev/null
+++ b/bcrypt/bcrypt_pbkdf.c
@@ -0,0 +1,160 @@
+/* $OpenBSD: bcrypt_pbkdf.c,v 1.3 2013/06/04 15:55:50 tedu Exp $ */
+/*
+ * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "pybc_blf.h"
+#include "pybc_sha2.h"
+
+/*
+ * pkcs #5 pbkdf2 implementation using the "bcrypt" hash
+ *
+ * The bcrypt hash function is derived from the bcrypt password hashing
+ * function with the following modifications:
+ * 1. The input password and salt are preprocessed with SHA512.
+ * 2. The output length is expanded to 256 bits.
+ * 3. Subsequently the magic string to be encrypted is lengthened and modifed
+ *    to "OxychromaticBlowfishSwatDynamite"
+ * 4. The hash function is defined to perform 64 rounds of initial state
+ *    expansion. (More rounds are performed by iterating the hash.)
+ *
+ * Note that this implementation pulls the SHA512 operations into the caller
+ * as a performance optimization.
+ *
+ * One modification from official pbkdf2. Instead of outputting key material
+ * linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
+ * generate (i.e.) 512 bits of key material for use as two 256 bit keys, an
+ * attacker can merely run once through the outer loop below, but the user
+ * always runs it twice. Shuffling output bytes requires computing the
+ * entirety of the key material to assemble any subkey. This is something a
+ * wise caller could do; we just do it for you.
+ */
+
+#define BCRYPT_BLOCKS 8
+#define BCRYPT_HASHSIZE (BCRYPT_BLOCKS * 4)
+
+static void
+bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
+{
+	pybc_blf_ctx state;
+	u_int8_t ciphertext[BCRYPT_HASHSIZE] =
+	    "OxychromaticBlowfishSwatDynamite";
+	u_int32_t cdata[BCRYPT_BLOCKS];
+	int i;
+	u_int16_t j;
+	size_t shalen = PYBC_SHA512_DIGEST_LENGTH;
+
+	/* key expansion */
+	Blowfish_initstate(&state);
+	Blowfish_expandstate(&state, sha2salt, shalen, sha2pass, shalen);
+	for (i = 0; i < 64; i++) {
+		Blowfish_expand0state(&state, sha2salt, shalen);
+		Blowfish_expand0state(&state, sha2pass, shalen);
+	}
+
+	/* encryption */
+	j = 0;
+	for (i = 0; i < BCRYPT_BLOCKS; i++)
+		cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
+		    &j);
+	for (i = 0; i < 64; i++)
+		blf_enc(&state, cdata, sizeof(cdata) / sizeof(u_int64_t));
+
+	/* copy out */
+	for (i = 0; i < BCRYPT_BLOCKS; i++) {
+		out[4 * i + 3] = (cdata[i] >> 24) & 0xff;
+		out[4 * i + 2] = (cdata[i] >> 16) & 0xff;
+		out[4 * i + 1] = (cdata[i] >> 8) & 0xff;
+		out[4 * i + 0] = cdata[i] & 0xff;
+	}
+
+	/* zap */
+	memset(ciphertext, 0, sizeof(ciphertext));
+	memset(cdata, 0, sizeof(cdata));
+	memset(&state, 0, sizeof(state));
+}
+
+int
+bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen,
+    u_int8_t *key, size_t keylen, unsigned int rounds)
+{
+	PYBC_SHA2_CTX ctx;
+	u_int8_t sha2pass[PYBC_SHA512_DIGEST_LENGTH];
+	u_int8_t sha2salt[PYBC_SHA512_DIGEST_LENGTH];
+	u_int8_t out[BCRYPT_HASHSIZE];
+	u_int8_t tmpout[BCRYPT_HASHSIZE];
+	u_int8_t countsalt[4];
+	size_t i, j, amt, stride;
+	u_int32_t count;
+
+	/* nothing crazy */
+	if (rounds < 1)
+		return -1;
+	if (passlen == 0 || saltlen == 0 || keylen == 0 ||
+	    keylen > sizeof(out) * sizeof(out))
+		return -1;
+	stride = (keylen + sizeof(out) - 1) / sizeof(out);
+	amt = (keylen + stride - 1) / stride;
+
+	/* collapse password */
+	PYBC_SHA512Init(&ctx);
+	PYBC_SHA512Update(&ctx, pass, passlen);
+	PYBC_SHA512Final(sha2pass, &ctx);
+
+	/* generate key, sizeof(out) at a time */
+	for (count = 1; keylen > 0; count++) {
+		countsalt[0] = (count >> 24) & 0xff;
+		countsalt[1] = (count >> 16) & 0xff;
+		countsalt[2] = (count >> 8) & 0xff;
+		countsalt[3] = count & 0xff;
+
+		/* first round, salt is salt */
+		PYBC_SHA512Init(&ctx);
+		PYBC_SHA512Update(&ctx, salt, saltlen);
+		PYBC_SHA512Update(&ctx, countsalt, sizeof(countsalt));
+		PYBC_SHA512Final(sha2salt, &ctx);
+		bcrypt_hash(sha2pass, sha2salt, tmpout);
+		memcpy(out, tmpout, sizeof(out));
+
+		for (i = 1; i < rounds; i++) {
+			/* subsequent rounds, salt is previous output */
+			PYBC_SHA512Init(&ctx);
+			PYBC_SHA512Update(&ctx, tmpout, sizeof(tmpout));
+			PYBC_SHA512Final(sha2salt, &ctx);
+			bcrypt_hash(sha2pass, sha2salt, tmpout);
+			for (j = 0; j < sizeof(out); j++)
+				out[j] ^= tmpout[j];
+		}
+
+		/*
+		 * pbkdf2 deviation: ouput the key material non-linearly.
+		 */
+		if (keylen < amt)
+			amt = keylen;
+		for (i = 0; i < amt; i++)
+			key[i * stride + (count - 1)] = out[i];
+		keylen -= amt;
+	}
+
+	/* zap */
+	memset(&ctx, 0, sizeof(ctx));
+	memset(out, 0, sizeof(out));
+
+	return 0;
+}
diff --git a/bcrypt/bcrypt_python.c b/bcrypt/bcrypt_python.c
index a41352e..176f4bc 100644
--- a/bcrypt/bcrypt_python.c
+++ b/bcrypt/bcrypt_python.c
@@ -19,17 +19,11 @@
 
 #if PY_VERSION_HEX < 0x02050000
 typedef int Py_ssize_t;
+#define bzero(s,l) memset(s, '\0', l)
 #endif
 
 #define PYBCRYPT_VERSION "0.4"
 
-#if defined(_WIN32)
-typedef unsigned __int8		u_int8_t;
-typedef unsigned __int16	u_int16_t;
-typedef unsigned __int32	u_int32_t;
-#define bzero(s,n) memset(s, '\0', n)
-#endif
-
 /* $Id$ */
 
 /* Import */
@@ -124,6 +118,7 @@ bcrypt_hashpw(PyObject *self, PyObject *args, PyObject *kw_args)
 	if ((salt_copy = checkdup(salt, salt_len)) == NULL) {
 		PyErr_SetString(PyExc_ValueError,
 		    "salt must not contain nul characters");
+		free(password_copy);
 		return NULL;
 	}
 	Py_BEGIN_ALLOW_THREADS;
@@ -145,11 +140,82 @@ bcrypt_hashpw(PyObject *self, PyObject *args, PyObject *kw_args)
 #endif
 }
 
+PyDoc_STRVAR(bcrypt_kdf_doc,
+"kdf(password, salt, desired_key_bytes, rounds) -> key\n\
+    Derive \"desired_key_bytes\" (up to 512) cryptographic key material from\n\
+    a password and salt. NB. rounds is linear (not an exponent like\n\
+    gensalt). Recommended minimum salt length is 16 bytes\n");
+
+#if 0
+static void
+xdump(const u_int8_t *s, size_t l)
+{
+	size_t i;
+
+	for (i = 0; i < l; i++)
+		printf("\\x%02x", s[i]);
+}
+#endif
+
+static PyObject *
+bcrypt_kdf(PyObject *self, PyObject *args, PyObject *kw_args)
+{
+	static char *keywords[] = {
+		"password",
+		"salt",
+		"desired_key_bytes",
+		"rounds",
+		NULL
+	};
+	const u_int8_t *password = NULL, *salt = NULL;
+	Py_ssize_t password_len = -1, salt_len = -1;
+	long desired_key_bytes = -1, rounds = -1;
+	u_int8_t *key;
+	int ret;
+	PyObject *o = NULL;
+
+	if (!PyArg_ParseTupleAndKeywords(args, kw_args, "s#s#ll:kdf", keywords,
+	    &password, &password_len, &salt, &salt_len,
+	    &desired_key_bytes, &rounds))
+                return NULL;
+	if (password_len <= 0) {
+		PyErr_SetString(PyExc_ValueError, "Invalid password length");
+		return NULL;
+	}
+	if (salt_len <= 0) {
+		PyErr_SetString(PyExc_ValueError, "Invalid salt length");
+		return NULL;
+	}
+	if (desired_key_bytes <= 0 || desired_key_bytes > 512) {
+		PyErr_SetString(PyExc_ValueError, "Invalid output length");
+		return NULL;
+	}
+	if (rounds < 1) {
+		PyErr_SetString(PyExc_ValueError, "Invalid number of rounds");
+		return NULL;
+	}
+	if ((key = malloc(desired_key_bytes)) == NULL)
+		return NULL;
+	Py_BEGIN_ALLOW_THREADS;
+	ret = bcrypt_pbkdf(password, password_len, salt, salt_len,
+	    key, desired_key_bytes, rounds);
+	Py_END_ALLOW_THREADS;
+	if (ret != 0)
+		PyErr_SetString(PyExc_ValueError, "kdf failed");
+	else
+		o = PyBytes_FromStringAndSize(key, desired_key_bytes);
+	bzero(key, desired_key_bytes);
+	free(key);
+	return o;
+}
+
 static PyMethodDef bcrypt_methods[] = {
 	{	"hashpw",	(PyCFunction)bcrypt_hashpw,
 		METH_VARARGS|METH_KEYWORDS,	bcrypt_hashpw_doc	},
 	{	"encode_salt",	(PyCFunction)bcrypt_encode_salt,
 		METH_VARARGS|METH_KEYWORDS,	bcrypt_encode_salt_doc	},
+	{	"kdf",		(PyCFunction)bcrypt_kdf,
+		METH_VARARGS|METH_KEYWORDS,	bcrypt_kdf_doc	},
 	{NULL,		NULL}		/* sentinel */
 };
 
diff --git a/bcrypt/pybc_blf.h b/bcrypt/pybc_blf.h
index 55ac12c..e18f7b6 100644
--- a/bcrypt/pybc_blf.h
+++ b/bcrypt/pybc_blf.h
@@ -38,6 +38,13 @@
 typedef unsigned __int8		u_int8_t;
 typedef unsigned __int16	u_int16_t;
 typedef unsigned __int32	u_int32_t;
+typedef unsigned __int64	u_int64_t;
+#elif __STDC_VERSION__ >= 199901L /* C99 or later */
+include <stdint.h>
+typedef uint8_t u_int8_t;
+typedef uint16_t u_int16_t;
+typedef uint32_t u_int32_t;
+typedef uint64_t u_int64_t;
 #endif
 
 /* Schneier specifies a maximum key length of 56 bytes.
@@ -74,4 +81,9 @@ void pybc_blf_enc(pybc_blf_ctx *, u_int32_t *, u_int16_t);
 /* Converts u_int8_t to u_int32_t */
 u_int32_t pybc_Blowfish_stream2word(const u_int8_t *, u_int16_t, u_int16_t *);
 
+/* KDF interface */
+int bcrypt_pbkdf(const char *pass, size_t passlen,
+    const u_int8_t *salt, size_t saltlen,
+    u_int8_t *key, size_t keylen, unsigned int rounds);
+
 #endif
diff --git a/bcrypt/pybc_sha2.h b/bcrypt/pybc_sha2.h
new file mode 100644
index 0000000..60ab34f
--- /dev/null
+++ b/bcrypt/pybc_sha2.h
@@ -0,0 +1,63 @@
+/*	$OpenBSD: sha2.h,v 1.9 2013/04/15 15:54:17 millert Exp $	*/
+
+/*
+ * FILE:	sha2.h
+ * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
+ */
+
+#ifndef _PYBC_SHA2_H
+#define _PYBC_SHA2_H
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+#define PYBC_SHA512_BLOCK_LENGTH		128
+#define PYBC_SHA512_DIGEST_LENGTH		64
+#define PYBC_SHA512_DIGEST_STRING_LENGTH	(PYBC_SHA512_DIGEST_LENGTH * 2 + 1)
+
+
+/*** SHA-224/256/384/512 Context Structure *******************************/
+typedef struct _PYBC_SHA2_CTX {
+	union {
+		u_int32_t	st32[8];
+		u_int64_t	st64[8];
+	} state;
+	u_int64_t	bitcount[2];
+	u_int8_t	buffer[PYBC_SHA512_BLOCK_LENGTH];
+} PYBC_SHA2_CTX;
+
+void PYBC_SHA512Init(PYBC_SHA2_CTX *);
+void PYBC_SHA512Transform(u_int64_t state[8], const u_int8_t [PYBC_SHA512_BLOCK_LENGTH]);
+void PYBC_SHA512Update(PYBC_SHA2_CTX *, const u_int8_t *, size_t);
+void PYBC_SHA512Pad(PYBC_SHA2_CTX *);
+void PYBC_SHA512Final(u_int8_t [PYBC_SHA512_DIGEST_LENGTH], PYBC_SHA2_CTX *);
+char *PYBC_SHA512End(PYBC_SHA2_CTX *, char *);
+
+#endif /* _PYBC_SHA2_H */
diff --git a/bcrypt/sha2.c b/bcrypt/sha2.c
new file mode 100644
index 0000000..c5f0a96
--- /dev/null
+++ b/bcrypt/sha2.c
@@ -0,0 +1,401 @@
+/*	$OpenBSD: sha2.c,v 1.14 2013/04/15 15:54:17 millert Exp $	*/
+
+/*
+ * FILE:	sha2.c
+ * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
+ */
+
+#include <sys/types.h>
+
+#include <string.h>
+
+#include "pybc_blf.h"
+#include "pybc_sha2.h"
+
+/*** SHA-224/256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER.  If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivilent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ *   #define LITTLE_ENDIAN 1234
+ *   #define BIG_ENDIAN    4321
+ *
+ * And for little-endian machines, add:
+ *
+ *   #define BYTE_ORDER LITTLE_ENDIAN 
+ *
+ * Or for big-endian machines:
+ *
+ *   #define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+
+
+/*** SHA-224/256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define PYBC_SHA512_SHORT_BLOCK_LENGTH	(PYBC_SHA512_BLOCK_LENGTH - 16)
+
+/*** ENDIAN SPECIFIC COPY MACROS **************************************/
+#define BE_8_TO_32(dst, cp) do {					\
+	(dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) |	\
+	    ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24);	\
+} while(0)
+
+#define BE_8_TO_64(dst, cp) do {					\
+	(dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) |	\
+	    ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) |	\
+	    ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) |	\
+	    ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56);	\
+} while (0)
+
+#define BE_64_TO_8(cp, src) do {					\
+	(cp)[0] = (src) >> 56;						\
+        (cp)[1] = (src) >> 48;						\
+	(cp)[2] = (src) >> 40;						\
+	(cp)[3] = (src) >> 32;						\
+	(cp)[4] = (src) >> 24;						\
+	(cp)[5] = (src) >> 16;						\
+	(cp)[6] = (src) >> 8;						\
+	(cp)[7] = (src);						\
+} while (0)
+
+#define BE_32_TO_8(cp, src) do {					\
+	(cp)[0] = (src) >> 24;						\
+	(cp)[1] = (src) >> 16;						\
+	(cp)[2] = (src) >> 8;						\
+	(cp)[3] = (src);						\
+} while (0)
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n) do {						\
+	(w)[0] += (u_int64_t)(n);					\
+	if ((w)[0] < (n)) {						\
+		(w)[1]++;						\
+	}								\
+} while (0)
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
+ *   S is a ROTATION) because the SHA-224/256/384/512 description document
+ *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ *   same "backwards" definition.
+ */
+/* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */
+#define R(b,x) 		((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-224 and SHA-256): */
+#define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
+#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
+
+
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+
+/* Hash constant words K for SHA-384 and SHA-512: */
+const static u_int64_t K512[80] = {
+	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+/* Initial hash value H for SHA-512 */
+const static u_int64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908ULL,
+	0xbb67ae8584caa73bULL,
+	0x3c6ef372fe94f82bULL,
+	0xa54ff53a5f1d36f1ULL,
+	0x510e527fade682d1ULL,
+	0x9b05688c2b3e6c1fULL,
+	0x1f83d9abfb41bd6bULL,
+	0x5be0cd19137e2179ULL
+};
+
+/*** PYBC_SHA-512: *********************************************************/
+void
+PYBC_SHA512Init(PYBC_SHA2_CTX *context)
+{
+	if (context == NULL)
+		return;
+	memcpy(context->state.st64, sha512_initial_hash_value,
+	    sizeof(sha512_initial_hash_value));
+	memset(context->buffer, 0, sizeof(context->buffer));
+	context->bitcount[0] = context->bitcount[1] =  0;
+}
+
+void
+PYBC_SHA512Transform(u_int64_t state[8], const u_int8_t data[PYBC_SHA512_BLOCK_LENGTH])
+{
+	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
+	u_int64_t	T1, T2, W512[16];
+	int		j;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = state[0];
+	b = state[1];
+	c = state[2];
+	d = state[3];
+	e = state[4];
+	f = state[5];
+	g = state[6];
+	h = state[7];
+
+	j = 0;
+	do {
+		BE_8_TO_64(W512[j], data);
+		data += 8;
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 16);
+
+	do {
+		/* Part of the message block expansion: */
+		s0 = W512[(j+1)&0x0f];
+		s0 = sigma0_512(s0);
+		s1 = W512[(j+14)&0x0f];
+		s1 =  sigma1_512(s1);
+
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 80);
+
+	/* Compute the current intermediate hash value */
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+	state[5] += f;
+	state[6] += g;
+	state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+void
+PYBC_SHA512Update(PYBC_SHA2_CTX *context, const u_int8_t *data, size_t len)
+{
+	size_t	freespace, usedspace;
+
+	/* Calling with no data is valid (we do nothing) */
+	if (len == 0)
+		return;
+
+	usedspace = (context->bitcount[0] >> 3) % PYBC_SHA512_BLOCK_LENGTH;
+	if (usedspace > 0) {
+		/* Calculate how much free space is available in the buffer */
+		freespace = PYBC_SHA512_BLOCK_LENGTH - usedspace;
+
+		if (len >= freespace) {
+			/* Fill the buffer completely and process it */
+			memcpy(&context->buffer[usedspace], data, freespace);
+			ADDINC128(context->bitcount, freespace << 3);
+			len -= freespace;
+			data += freespace;
+			PYBC_SHA512Transform(context->state.st64, context->buffer);
+		} else {
+			/* The buffer is not yet full */
+			memcpy(&context->buffer[usedspace], data, len);
+			ADDINC128(context->bitcount, len << 3);
+			/* Clean up: */
+			usedspace = freespace = 0;
+			return;
+		}
+	}
+	while (len >= PYBC_SHA512_BLOCK_LENGTH) {
+		/* Process as many complete blocks as we can */
+		PYBC_SHA512Transform(context->state.st64, data);
+		ADDINC128(context->bitcount, PYBC_SHA512_BLOCK_LENGTH << 3);
+		len -= PYBC_SHA512_BLOCK_LENGTH;
+		data += PYBC_SHA512_BLOCK_LENGTH;
+	}
+	if (len > 0) {
+		/* There's left-overs, so save 'em */
+		memcpy(context->buffer, data, len);
+		ADDINC128(context->bitcount, len << 3);
+	}
+	/* Clean up: */
+	usedspace = freespace = 0;
+}
+
+void
+PYBC_SHA512Pad(PYBC_SHA2_CTX *context)
+{
+	unsigned int	usedspace;
+
+	usedspace = (context->bitcount[0] >> 3) % PYBC_SHA512_BLOCK_LENGTH;
+	if (usedspace > 0) {
+		/* Begin padding with a 1 bit: */
+		context->buffer[usedspace++] = 0x80;
+
+		if (usedspace <= PYBC_SHA512_SHORT_BLOCK_LENGTH) {
+			/* Set-up for the last transform: */
+			memset(&context->buffer[usedspace], 0, PYBC_SHA512_SHORT_BLOCK_LENGTH - usedspace);
+		} else {
+			if (usedspace < PYBC_SHA512_BLOCK_LENGTH) {
+				memset(&context->buffer[usedspace], 0, PYBC_SHA512_BLOCK_LENGTH - usedspace);
+			}
+			/* Do second-to-last transform: */
+			PYBC_SHA512Transform(context->state.st64, context->buffer);
+
+			/* And set-up for the last transform: */
+			memset(context->buffer, 0, PYBC_SHA512_BLOCK_LENGTH - 2);
+		}
+	} else {
+		/* Prepare for final transform: */
+		memset(context->buffer, 0, PYBC_SHA512_SHORT_BLOCK_LENGTH);
+
+		/* Begin padding with a 1 bit: */
+		*context->buffer = 0x80;
+	}
+	/* Store the length of input data (in bits) in big endian format: */
+	BE_64_TO_8(&context->buffer[PYBC_SHA512_SHORT_BLOCK_LENGTH],
+	    context->bitcount[1]);
+	BE_64_TO_8(&context->buffer[PYBC_SHA512_SHORT_BLOCK_LENGTH + 8],
+	    context->bitcount[0]);
+
+	/* Final transform: */
+	PYBC_SHA512Transform(context->state.st64, context->buffer);
+
+	/* Clean up: */
+	usedspace = 0;
+}
+
+void
+PYBC_SHA512Final(u_int8_t digest[PYBC_SHA512_DIGEST_LENGTH], PYBC_SHA2_CTX *context)
+{
+	PYBC_SHA512Pad(context);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+		int	i;
+
+		/* Convert TO host byte order */
+		for (i = 0; i < 8; i++)
+			BE_64_TO_8(digest + i * 8, context->state.st64[i]);
+#else
+		memcpy(digest, context->state.st64, PYBC_SHA512_DIGEST_LENGTH);
+#endif
+		memset(context, 0, sizeof(*context));
+	}
+}
diff --git a/setup.py b/setup.py
index 61f9058..be61b94 100755
--- a/setup.py
+++ b/setup.py
@@ -26,23 +26,34 @@ VERSION = "0.3"
  
 if __name__ == '__main__':
 	bcrypt = Extension('bcrypt._bcrypt',
-		sources = ['bcrypt/bcrypt_python.c', 'bcrypt/blowfish.c',
-		    'bcrypt/bcrypt.c'])
+		sources = [
+			'bcrypt/bcrypt_python.c',
+			'bcrypt/blowfish.c',
+			'bcrypt/bcrypt.c',
+			'bcrypt/sha2.c',
+			'bcrypt/bcrypt_pbkdf.c',
+		],
+	)
 	setup(	name = "py-bcrypt",
 		version = VERSION,
 		author = "Damien Miller",
 		author_email = "djm@mindrot.org",
-		url = "http://www.mindrot.org/py-bcrypt.html",
-		description = "Blowfish password hashing",
+		url = "https://code.google.com/p/py-bcrypt",
+		description = "bcrypt password hashing and key derivation",
 		long_description = """\
 py-bcrypt is an implementation the OpenBSD Blowfish password hashing
 algorithm, as described in "A Future-Adaptable Password Scheme" by 
-Niels Provos and David Mazieres.
+Niels Provos and David Mazieres and related bcrypt-based key derivation
+function implemented in OpenBSD libutil.
 
 This system hashes passwords using a version of Bruce Schneier's
 Blowfish block cipher with modifications designed to raise the cost
 of off-line password cracking. The computation cost of the algorithm 
 is parametised, so it can be increased as computers get faster.
+
+Two interfaces are supported: a classic password hashing interface and
+a key derivation function (KDF) intended for generating cryptographic
+keys.
 """,
 		license = "BSD",
 		packages = ['bcrypt'],
diff --git a/test/test.py b/test/test.py
index 07f7f8d..947e625 100755
--- a/test/test.py
+++ b/test/test.py
@@ -100,6 +100,105 @@ class TestBcrypt(unittest.TestCase):
 				crypted2 = bcrypt.hashpw(plain, crypted)
 				self.assertEqual(crypted, crypted2)
 
+# rounds, password, salt, expected_key
+kdf_test_vectors = [
+	[ 4, "password", "salt",
+	b("\x5b\xbf\x0c\xc2\x93\x58\x7f\x1c\x36\x35\x55\x5c\x27\x79\x65\x98"
+	"\xd4\x7e\x57\x90\x71\xbf\x42\x7e\x9d\x8f\xbe\x84\x2a\xba\x34\xd9")
+	],
+	[ 4, "password", b("\x00"),
+	b("\xc1\x2b\x56\x62\x35\xee\xe0\x4c\x21\x25\x98\x97\x0a\x57\x9a\x67")
+	],
+	[ 4, b("\x00"), "salt",
+	b("\x60\x51\xbe\x18\xc2\xf4\xf8\x2c\xbf\x0e\xfe\xe5\x47\x1b\x4b\xb9")
+	],
+	# nul bytes in password and string
+	[ 4, "password\x00", "salt\x00",
+	b("\x74\x10\xe4\x4c\xf4\xfa\x07\xbf\xaa\xc8\xa9\x28\xb1\x72\x7f\xac"
+	"\x00\x13\x75\xe7\xbf\x73\x84\x37\x0f\x48\xef\xd1\x21\x74\x30\x50")
+	],
+	[ 4, b("pass\x00wor"), b("sa\0l"),
+	b("\xc2\xbf\xfd\x9d\xb3\x8f\x65\x69\xef\xef\x43\x72\xf4\xde\x83\xc0")
+	],
+	[ 4, b("pass\x00word"), b("sa\0lt"),
+	b("\x4b\xa4\xac\x39\x25\xc0\xe8\xd7\xf0\xcd\xb6\xbb\x16\x84\xa5\x6f")
+	],
+	# bigger key
+	[ 8, "password", "salt",
+	b("\xe1\x36\x7e\xc5\x15\x1a\x33\xfa\xac\x4c\xc1\xc1\x44\xcd\x23\xfa"
+	"\x15\xd5\x54\x84\x93\xec\xc9\x9b\x9b\x5d\x9c\x0d\x3b\x27\xbe\xc7"
+	"\x62\x27\xea\x66\x08\x8b\x84\x9b\x20\xab\x7a\xa4\x78\x01\x02\x46"
+	"\xe7\x4b\xba\x51\x72\x3f\xef\xa9\xf9\x47\x4d\x65\x08\x84\x5e\x8d")
+	],
+	# more rounds
+	[ 42, "password", "salt",
+	b("\x83\x3c\xf0\xdc\xf5\x6d\xb6\x56\x08\xe8\xf0\xdc\x0c\xe8\x82\xbd")
+	],
+	# longer password
+	[ 8,
+	"Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do "
+	"eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut "
+	"enim ad minim veniam, quis nostrud exercitation ullamco laboris "
+	"nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor "
+	"in reprehenderit in voluptate velit esse cillum dolore eu fugiat "
+	"nulla pariatur. Excepteur sint occaecat cupidatat non proident, "
+	"sunt in culpa qui officia deserunt mollit anim id est laborum.",
+	b("salis\x00"),
+	b("\x10\x97\x8b\x07\x25\x3d\xf5\x7f\x71\xa1\x62\xeb\x0e\x8a\xd3\x0a")
+	],
+	# "unicode"
+	[ 8,
+	b("\x0d\xb3\xac\x94\xb3\xee\x53\x28\x4f\x4a\x22\x89\x3b\x3c\x24\xae"),
+	b("\x3a\x62\xf0\xf0\xdb\xce\xf8\x23\xcf\xcc\x85\x48\x56\xea\x10\x28"),
+	b("\x20\x44\x38\x17\x5e\xee\x7c\xe1\x36\xc9\x1b\x49\xa6\x79\x23\xff")
+	],
+	# very large key
+	[ 8,
+	b("\x0d\xb3\xac\x94\xb3\xee\x53\x28\x4f\x4a\x22\x89\x3b\x3c\x24\xae"),
+	b("\x3a\x62\xf0\xf0\xdb\xce\xf8\x23\xcf\xcc\x85\x48\x56\xea\x10\x28"),
+	b("\x20\x54\xb9\xff\xf3\x4e\x37\x21\x44\x03\x34\x74\x68\x28\xe9\xed"
+	"\x38\xde\x4b\x72\xe0\xa6\x9a\xdc\x17\x0a\x13\xb5\xe8\xd6\x46\x38"
+	"\x5e\xa4\x03\x4a\xe6\xd2\x66\x00\xee\x23\x32\xc5\xed\x40\xad\x55"
+	"\x7c\x86\xe3\x40\x3f\xbb\x30\xe4\xe1\xdc\x1a\xe0\x6b\x99\xa0\x71"
+	"\x36\x8f\x51\x8d\x2c\x42\x66\x51\xc9\xe7\xe4\x37\xfd\x6c\x91\x5b"
+	"\x1b\xbf\xc3\xa4\xce\xa7\x14\x91\x49\x0e\xa7\xaf\xb7\xdd\x02\x90"
+	"\xa6\x78\xa4\xf4\x41\x12\x8d\xb1\x79\x2e\xab\x27\x76\xb2\x1e\xb4"
+	"\x23\x8e\x07\x15\xad\xd4\x12\x7d\xff\x44\xe4\xb3\xe4\xcc\x4c\x4f"
+	"\x99\x70\x08\x3f\x3f\x74\xbd\x69\x88\x73\xfd\xf6\x48\x84\x4f\x75"
+	"\xc9\xbf\x7f\x9e\x0c\x4d\x9e\x5d\x89\xa7\x78\x39\x97\x49\x29\x66"
+	"\x61\x67\x07\x61\x1c\xb9\x01\xde\x31\xa1\x97\x26\xb6\xe0\x8c\x3a"
+	"\x80\x01\x66\x1f\x2d\x5c\x9d\xcc\x33\xb4\xaa\x07\x2f\x90\xdd\x0b"
+	"\x3f\x54\x8d\x5e\xeb\xa4\x21\x13\x97\xe2\xfb\x06\x2e\x52\x6e\x1d"
+	"\x68\xf4\x6a\x4c\xe2\x56\x18\x5b\x4b\xad\xc2\x68\x5f\xbe\x78\xe1"
+	"\xc7\x65\x7b\x59\xf8\x3a\xb9\xab\x80\xcf\x93\x18\xd6\xad\xd1\xf5"
+	"\x93\x3f\x12\xd6\xf3\x61\x82\xc8\xe8\x11\x5f\x68\x03\x0a\x12\x44")
+	],
+	# UTF-8 Greek characters "odysseus" / "telemachos"
+	[ 8,
+	b("\xe1\xbd\x88\xce\xb4\xcf\x85\xcf\x83\xcf\x83\xce\xb5\xcf\x8d\xcf"
+	"\x82"),
+	b("\xce\xa4\xce\xb7\xce\xbb\xce\xad\xce\xbc\xce\xb1\xcf\x87\xce\xbf"
+	"\xcf\x82"),
+	b("\x43\x66\x6c\x9b\x09\xef\x33\xed\x8c\x27\xe8\xe8\xf3\xe2\xd8\xe6")
+	],
+]
+
+if PY3:
+	# Unicode Greek characters "odysseus" / "telemachos"
+	kdf_test_vectors.append([
+		8,
+		"\u1f48\u03b4\u03c5\u03c3\u03c3\u03b5\u03cd\u03c2",
+		"\u03a4\u03b7\u03bb\u03ad\u03bc\u03b1\u03c7\u03bf\u03c2",
+		b("\x43\x66\x6c\x9b\x09\xef\x33\xed\x8c\x27\xe8\xe8\xf3"
+		"\xe2\xd8\xe6")
+	])
+
+class TestKDF(unittest.TestCase):
+	def test_00__test_vectors(self):
+		for rounds, password, salt, expected in kdf_test_vectors:
+			key = bcrypt.kdf(password, salt, len(expected), rounds)
+			self.assertEqual(key, expected)
+
 def main():
 	unittest.main()