I tried to implement bcrypt-hash password verification using the existing Nettle library. As it seems, that is impossible without messing with the internal state of the Blowfish encryption engine.
If I were to contribute some code that supports this, what are my chances of getting it included in the Nettle library proper?
I just submitted a patch for bcrypt support to Nettle. Can this be included in Nettle? If not, do I need to change anything in the patch to make it more acceptable?
I need something like this in Nettle in order to be able to add code to the standard libs of Pike which will support decoding of bcrypt-hashed passwords.
P.S. I tried putting the code in a different C file; but then there are some slight issues because the bcrypt code does refer to some (two) internal identifiers in blowfish.c. In order for this to work, the two identifiers would need to be made externally visible; I considered it namespace pollution and decided not to do it that way.
"Stephen R. van den Berg" srb@cuci.nl writes:
I just submitted a patch for bcrypt support to Nettle. Can this be included in Nettle?
Thanks. What's the main interface? How is it going to be used, in particular, where will the code be to check the "$2b$ "prefix and invke this code? The interface needs some documentation (for a start, comments in the header file) before it can be reviewed.
If not, do I need to change anything in the patch to make it more acceptable?
I think it needs some changes to fit better in Nettle. My initial comments, after only a quick look:
Put it in a separate .c file. If it needs access to blowfish internals, add a new header file blowfish-internal.h with declarations, and arrange so that any internal symbols visibile to the linker has the prefix _nettle. It's not clear what internals it is using, but if it can be arranged to only use the public blowfish functions that would be nice.
The new files can use the standard nettle copyright notice + a comment saying "Based on public domain code by ..." where appropriate.
See if there's a way to reuse Nettle's base64 functions (it's not entirely clear to me what BF_decode really is doing).
Use macros like READ_UINT32/LE_READ_UNINT32 (macros.h) to convert bytes to integers. For any other endian-dependent code, use WORDS_BIGENDIAN, provided by configure.
Don't set errno. If any function really needs to distinguish between different types of failures, rather than just a success/fail indication, that should be reported without using any globals.
Regards, /Niels
nettle-bugs@lists.lysator.liu.se
-
nisse@lysator.liu.se -
Stephen R. van den Berg