sync bcrypt-related files with OpenBSD

The main change is that Niels Provos kindly agreed to rescind the
BSD license advertising clause, shifting them to the 3-term BSD
license.

This was the last thing in OpenSSH that used the advertising clause.

LICENCE

@@ -307,7 +307,7 @@ OpenSSH contains no GPL code.
 	****************************************************************************/
 
        The Blowfish cipher implementation is licensed by Niels Provis under
-       a 4-clause BSD license:
+       a 3-clause BSD license:
 
          * Blowfish - a fast block cipher designed by Bruce Schneier
          *
@@ -322,10 +322,7 @@ OpenSSH contains no GPL code.
          * 2. Redistributions in binary form must reproduce the above copyright
          *    notice, this list of conditions and the following disclaimer in the
          *    documentation and/or other materials provided with the distribution.
-         * 3. All advertising materials mentioning features or use of this software
+         * 3. The name of the author may not be used to endorse or promote products
-         *    must display the following acknowledgement:
-         *      This product includes software developed by Niels Provos.
-         * 4. The name of the author may not be used to endorse or promote products
          *    derived from this software without specific prior written permission.
          *
          * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

openbsd-compat/bcrypt_pbkdf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bcrypt_pbkdf.c,v 1.13 2015/01/12 03:20:04 tedu Exp $ */
+/* $OpenBSD: bcrypt_pbkdf.c,v 1.16 2020/08/02 18:35:48 tb Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
  *
@@ -48,7 +48,7 @@
  * function with the following modifications:
  * 1. The input password and salt are preprocessed with SHA512.
  * 2. The output length is expanded to 256 bits.
- * 3. Subsequently the magic string to be encrypted is lengthened and modified
+ * 3. Subsequently the magic string to be encrypted is lengthened and modifed
  *    to "OxychromaticBlowfishSwatDynamite"
  * 4. The hash function is defined to perform 64 rounds of initial state
  *    expansion. (More rounds are performed by iterating the hash.)
@@ -69,10 +69,10 @@
 #define BCRYPT_HASHSIZE (BCRYPT_WORDS * 4)
 
 static void
-bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
+bcrypt_hash(uint8_t *sha2pass, uint8_t *sha2salt, uint8_t *out)
 {
 	blf_ctx state;
-	u_int8_t ciphertext[BCRYPT_HASHSIZE] =
+	uint8_t ciphertext[BCRYPT_HASHSIZE] =
 	    "OxychromaticBlowfishSwatDynamite";
 	uint32_t cdata[BCRYPT_WORDS];
 	int i;
@@ -93,7 +93,7 @@ bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
 		cdata[i] = Blowfish_stream2word(ciphertext, sizeof(ciphertext),
 		    &j);
 	for (i = 0; i < 64; i++)
-		blf_enc(&state, cdata, sizeof(cdata) / (sizeof(uint64_t)));
+		blf_enc(&state, cdata, BCRYPT_WORDS / 2);
 
 	/* copy out */
 	for (i = 0; i < BCRYPT_WORDS; i++) {
@@ -110,40 +110,36 @@ bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
 }
 
 int
-bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t saltlen,
+bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltlen,
-    u_int8_t *key, size_t keylen, unsigned int rounds)
+    uint8_t *key, size_t keylen, unsigned int rounds)
 {
-	u_int8_t sha2pass[SHA512_DIGEST_LENGTH];
+	uint8_t sha2pass[SHA512_DIGEST_LENGTH];
-	u_int8_t sha2salt[SHA512_DIGEST_LENGTH];
+	uint8_t sha2salt[SHA512_DIGEST_LENGTH];
-	u_int8_t out[BCRYPT_HASHSIZE];
+	uint8_t out[BCRYPT_HASHSIZE];
-	u_int8_t tmpout[BCRYPT_HASHSIZE];
+	uint8_t tmpout[BCRYPT_HASHSIZE];
-	u_int8_t *countsalt;
+	uint8_t countsalt[4];
 	size_t i, j, amt, stride;
 	uint32_t count;
 	size_t origkeylen = keylen;
 
 	/* nothing crazy */
 	if (rounds < 1)
-		return -1;
+		goto bad;
 	if (passlen == 0 || saltlen == 0 || keylen == 0 ||
-	    keylen > sizeof(out) * sizeof(out) || saltlen > 1<<20)
+	    keylen > sizeof(out) * sizeof(out))
-		return -1;
+		goto bad;
-	if ((countsalt = calloc(1, saltlen + 4)) == NULL)
-		return -1;
 	stride = (keylen + sizeof(out) - 1) / sizeof(out);
 	amt = (keylen + stride - 1) / stride;
 
-	memcpy(countsalt, salt, saltlen);
-
 	/* collapse password */
 	crypto_hash_sha512(sha2pass, pass, passlen);
 
 	/* generate key, sizeof(out) at a time */
 	for (count = 1; keylen > 0; count++) {
-		countsalt[saltlen + 0] = (count >> 24) & 0xff;
+		countsalt[0] = (count >> 24) & 0xff;
-		countsalt[saltlen + 1] = (count >> 16) & 0xff;
+		countsalt[1] = (count >> 16) & 0xff;
-		countsalt[saltlen + 2] = (count >> 8) & 0xff;
+		countsalt[2] = (count >> 8) & 0xff;
-		countsalt[saltlen + 3] = count & 0xff;
+		countsalt[3] = count & 0xff;
 
 		/* first round, salt is salt */
 		crypto_hash_sha512(sha2salt, countsalt, saltlen + 4);
@@ -174,8 +170,13 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t salt
 
 	/* zap */
 	explicit_bzero(out, sizeof(out));
-	free(countsalt);
+	explicit_bzero(tmpout, sizeof(tmpout));
 
 	return 0;
+
+bad:
+	/* overwrite with random in case caller doesn't check return code */
+	arc4random_buf(key, keylen);
+	return -1;
 }
 #endif /* HAVE_BCRYPT_PBKDF */

openbsd-compat/blf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: blf.h,v 1.7 2007/03/14 17:59:41 grunk Exp $ */
+/* $OpenBSD: blf.h,v 1.8 2021/11/29 01:04:45 djm Exp $ */
 /*
  * Blowfish - a fast block cipher designed by Bruce Schneier
  *
@@ -13,10 +13,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. The name of the author may not be used to endorse or promote products
- *    must display the following acknowledgement:
- *      This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
  *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

openbsd-compat/blowfish.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */
+/* $OpenBSD: blowfish.c,v 1.20 2021/11/29 01:04:45 djm Exp $ */
 /*
  * Blowfish block cipher for OpenBSD
  * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
@@ -14,10 +14,7 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. The name of the author may not be used to endorse or promote products
- *    must display the following acknowledgement:
- *      This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
  *    derived from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

openbsd-compat/openbsd-compat.h

@@ -315,8 +315,8 @@ int timingsafe_bcmp(const void *, const void *, size_t);
 #endif
 
 #ifndef HAVE_BCRYPT_PBKDF
-int	bcrypt_pbkdf(const char *, size_t, const u_int8_t *, size_t,
+int	bcrypt_pbkdf(const char *, size_t, const uint8_t *, size_t,
-    u_int8_t *, size_t, unsigned int);
+    uint8_t *, size_t, unsigned int);
 #endif
 
 #ifndef HAVE_EXPLICIT_BZERO