1 /*
2 * The crypt_blowfish homepage is:
3 *
4 * http://www.openwall.com/crypt/
5 *
6 * This code comes from John the Ripper password cracker, with reentrant
7 * and crypt(3) interfaces added, but optimizations specific to password
8 * cracking removed.
9 *
10 * Written by Solar Designer <solar at openwall.com> in 1998-2014.
11 * No copyright is claimed, and the software is hereby placed in the public
12 * domain. In case this attempt to disclaim copyright and place the software
13 * in the public domain is deemed null and void, then the software is
14 * Copyright (c) 1998-2014 Solar Designer and it is hereby released to the
15 * general public under the following terms:
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted.
19 *
20 * There's ABSOLUTELY NO WARRANTY, express or implied.
21 *
22 * It is my intent that you should be able to use this on your system,
23 * as part of a software package, or anywhere else to improve security,
24 * ensure compatibility, or for any other purpose. I would appreciate
25 * it if you give credit where it is due and keep your modifications in
26 * the public domain as well, but I don't require that in order to let
27 * you place this code and any modifications you make under a license
28 * of your choice.
29 *
30 * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix
31 * "$2b$", originally by Niels Provos <provos at citi.umich.edu>, and it uses
32 * some of his ideas. The password hashing algorithm was designed by David
33 * Mazieres <dm at lcs.mit.edu>. For information on the level of
34 * compatibility for bcrypt hash prefixes other than "$2b$", please refer to
35 * the comments in BF_set_key() below and to the included crypt(3) man page.
36 *
37 * There's a paper on the algorithm that explains its design decisions:
38 *
39 * http://www.usenix.org/events/usenix99/provos.html
40 *
41 * Some of the tricks in BF_ROUND might be inspired by Eric Young's
42 * Blowfish library (I can't be sure if I would think of something if I
43 * hadn't seen his code).
44 */
45
46 #include <stdlib.h>
47 #include <string.h>
48
49 #include <errno.h>
50 #ifndef __set_errno
51 #define __set_errno(val) errno = (val)
52 #endif
53
54 /* Just to make sure the prototypes match the actual definitions */
55 #include "crypt_blowfish.h"
56
57 #if defined(__i386__) || defined(__x86_64__) || defined(__alpha__) || defined(__hppa__)
58 #define BF_SCALE 1
59 #else
60 #define BF_SCALE 0
61 #endif
62
63 typedef unsigned int BF_word;
64 typedef signed int BF_word_signed;
65
66 /* Number of Blowfish rounds, this is also hardcoded into a few places */
67 #define BF_N 16
68
69 typedef BF_word BF_key[BF_N + 2];
70
71 typedef struct {
72 BF_word S[4][0x100];
73 BF_key P;
74 } BF_ctx;
75
76 /*
77 * Magic IV for 64 Blowfish encryptions that we do at the end.
78 * The string is "OrpheanBeholderScryDoubt" on big-endian.
79 */
80 static BF_word BF_magic_w[6] = {
81 0x4F727068, 0x65616E42, 0x65686F6C,
82 0x64657253, 0x63727944, 0x6F756274
83 };
84
85 /*
86 * P-box and S-box tables initialized with digits of Pi.
87 */
88 static BF_ctx BF_init_state = {
89 {
90 {
91 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
92 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
93 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
94 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
95 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
96 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
97 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
98 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
99 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
100 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
101 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
102 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
103 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
104 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
105 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
106 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
107 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
108 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
109 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
110 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
111 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
112 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
113 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
114 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
115 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
116 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
117 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
118 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
119 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
120 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
121 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
122 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
123 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
124 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
125 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
126 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
127 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
128 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
129 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
130 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
131 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
132 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
133 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
134 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
135 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
136 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
137 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
138 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
139 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
140 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
141 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
142 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
143 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
144 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
145 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
146 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
147 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
148 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
149 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
150 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
151 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
152 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
153 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
154 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
155 }, {
156 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
157 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
158 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
159 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
160 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
161 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
162 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
163 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
164 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
165 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
166 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
167 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
168 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
169 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
170 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
171 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
172 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
173 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
174 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
175 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
176 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
177 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
178 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
179 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
180 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
181 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
182 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
183 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
184 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
185 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
186 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
187 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
188 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
189 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
190 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
191 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
192 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
193 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
194 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
195 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
196 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
197 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
198 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
199 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
200 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
201 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
202 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
203 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
204 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
205 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
206 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
207 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
208 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
209 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
210 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
211 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
212 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
213 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
214 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
215 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
216 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
217 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
218 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
219 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
220 }, {
221 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
222 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
223 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
224 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
225 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
226 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
227 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
228 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
229 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
230 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
231 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
232 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
233 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
234 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
235 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
236 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
237 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
238 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
239 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
240 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
241 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
242 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
243 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
244 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
245 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
246 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
247 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
248 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
249 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
250 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
251 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
252 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
253 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
254 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
255 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
256 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
257 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
258 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
259 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
260 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
261 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
262 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
263 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
264 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
265 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
266 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
267 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
268 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
269 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
270 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
271 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
272 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
273 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
274 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
275 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
276 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
277 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
278 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
279 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
280 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
281 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
282 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
283 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
284 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
285 }, {
286 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
287 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
288 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
289 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
290 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
291 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
292 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
293 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
294 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
295 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
296 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
297 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
298 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
299 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
300 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
301 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
302 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
303 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
304 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
305 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
306 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
307 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
308 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
309 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
310 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
311 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
312 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
313 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
314 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
315 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
316 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
317 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
318 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
319 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
320 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
321 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
322 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
323 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
324 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
325 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
326 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
327 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
328 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
329 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
330 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
331 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
332 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
333 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
334 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
335 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
336 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
337 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
338 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
339 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
340 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
341 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
342 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
343 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
344 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
345 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
346 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
347 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
348 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
349 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
350 }
351 }, {
352 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
353 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
354 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
355 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
356 0x9216d5d9, 0x8979fb1b
357 }
358 };
359
360 static unsigned char BF_itoa64[64 + 1] =
361 "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
362
363 static unsigned char BF_atoi64[0x60] = {
364 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
365 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
366 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
367 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
368 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
369 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
370 };
371
372 #define BF_safe_atoi64(dst, src) \
373 { \
374 tmp = (unsigned char)(src); \
375 if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
376 tmp = BF_atoi64[tmp]; \
377 if (tmp > 63) return -1; \
378 (dst) = tmp; \
379 }
380
BF_decode(BF_word * dst,const char * src,int size)381 static int BF_decode(BF_word *dst, const char *src, int size)
382 {
383 unsigned char *dptr = (unsigned char *)dst;
384 unsigned char *end = dptr + size;
385 const unsigned char *sptr = (const unsigned char *)src;
386 unsigned int tmp, c1, c2, c3, c4;
387
388 do {
389 BF_safe_atoi64(c1, *sptr++);
390 BF_safe_atoi64(c2, *sptr++);
391 *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
392 if (dptr >= end) break;
393
394 BF_safe_atoi64(c3, *sptr++);
395 *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
396 if (dptr >= end) break;
397
398 BF_safe_atoi64(c4, *sptr++);
399 *dptr++ = ((c3 & 0x03) << 6) | c4;
400 } while (dptr < end);
401
402 return 0;
403 }
404
BF_encode(char * dst,const BF_word * src,int size)405 static void BF_encode(char *dst, const BF_word *src, int size)
406 {
407 const unsigned char *sptr = (const unsigned char *)src;
408 const unsigned char *end = sptr + size;
409 unsigned char *dptr = (unsigned char *)dst;
410 unsigned int c1, c2;
411
412 do {
413 c1 = *sptr++;
414 *dptr++ = BF_itoa64[c1 >> 2];
415 c1 = (c1 & 0x03) << 4;
416 if (sptr >= end) {
417 *dptr++ = BF_itoa64[c1];
418 break;
419 }
420
421 c2 = *sptr++;
422 c1 |= c2 >> 4;
423 *dptr++ = BF_itoa64[c1];
424 c1 = (c2 & 0x0f) << 2;
425 if (sptr >= end) {
426 *dptr++ = BF_itoa64[c1];
427 break;
428 }
429
430 c2 = *sptr++;
431 c1 |= c2 >> 6;
432 *dptr++ = BF_itoa64[c1];
433 *dptr++ = BF_itoa64[c2 & 0x3f];
434 } while (sptr < end);
435 }
436
BF_swap(BF_word * x,int count)437 static void BF_swap(BF_word *x, int count)
438 {
439 static int endianness_check = 1;
440 char *is_little_endian = (char *)&endianness_check;
441 BF_word tmp;
442
443 if (*is_little_endian)
444 do {
445 tmp = *x;
446 tmp = (tmp << 16) | (tmp >> 16);
447 *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
448 } while (--count);
449 }
450
451 #if BF_SCALE
452 /* Architectures which can shift addresses left by 2 bits with no extra cost */
453 #define BF_ROUND(L, R, N) \
454 tmp1 = L & 0xFF; \
455 tmp2 = L >> 8; \
456 tmp2 &= 0xFF; \
457 tmp3 = L >> 16; \
458 tmp3 &= 0xFF; \
459 tmp4 = L >> 24; \
460 tmp1 = data.ctx.S[3][tmp1]; \
461 tmp2 = data.ctx.S[2][tmp2]; \
462 tmp3 = data.ctx.S[1][tmp3]; \
463 tmp3 += data.ctx.S[0][tmp4]; \
464 tmp3 ^= tmp2; \
465 R ^= data.ctx.P[N + 1]; \
466 tmp3 += tmp1; \
467 R ^= tmp3;
468 #else
469 /* Architectures with no complicated addressing modes supported */
470 #define BF_INDEX(S, i) \
471 (*((BF_word *)(((unsigned char *)S) + (i))))
472 #define BF_ROUND(L, R, N) \
473 tmp1 = L & 0xFF; \
474 tmp1 <<= 2; \
475 tmp2 = L >> 6; \
476 tmp2 &= 0x3FC; \
477 tmp3 = L >> 14; \
478 tmp3 &= 0x3FC; \
479 tmp4 = L >> 22; \
480 tmp4 &= 0x3FC; \
481 tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
482 tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
483 tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
484 tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
485 tmp3 ^= tmp2; \
486 R ^= data.ctx.P[N + 1]; \
487 tmp3 += tmp1; \
488 R ^= tmp3;
489 #endif
490
491 /*
492 * Encrypt one block, BF_N is hardcoded here.
493 */
494 #define BF_ENCRYPT \
495 L ^= data.ctx.P[0]; \
496 BF_ROUND(L, R, 0); \
497 BF_ROUND(R, L, 1); \
498 BF_ROUND(L, R, 2); \
499 BF_ROUND(R, L, 3); \
500 BF_ROUND(L, R, 4); \
501 BF_ROUND(R, L, 5); \
502 BF_ROUND(L, R, 6); \
503 BF_ROUND(R, L, 7); \
504 BF_ROUND(L, R, 8); \
505 BF_ROUND(R, L, 9); \
506 BF_ROUND(L, R, 10); \
507 BF_ROUND(R, L, 11); \
508 BF_ROUND(L, R, 12); \
509 BF_ROUND(R, L, 13); \
510 BF_ROUND(L, R, 14); \
511 BF_ROUND(R, L, 15); \
512 tmp4 = R; \
513 R = L; \
514 L = tmp4 ^ data.ctx.P[BF_N + 1];
515
516 #define BF_body() \
517 L = R = 0; \
518 ptr = data.ctx.P; \
519 do { \
520 ptr += 2; \
521 BF_ENCRYPT; \
522 *(ptr - 2) = L; \
523 *(ptr - 1) = R; \
524 } while (ptr < &data.ctx.P[BF_N + 2]); \
525 \
526 ptr = data.ctx.S[0]; \
527 do { \
528 ptr += 2; \
529 BF_ENCRYPT; \
530 *(ptr - 2) = L; \
531 *(ptr - 1) = R; \
532 } while (ptr < &data.ctx.S[3][0xFF]);
533
BF_set_key(const char * key,BF_key expanded,BF_key initial,unsigned char flags)534 static void BF_set_key(const char *key, BF_key expanded, BF_key initial,
535 unsigned char flags)
536 {
537 const char *ptr = key;
538 unsigned int bug, i, j;
539 BF_word safety, sign, diff, tmp[2];
540
541 /*
542 * There was a sign extension bug in older revisions of this function. While
543 * we would have liked to simply fix the bug and move on, we have to provide
544 * a backwards compatibility feature (essentially the bug) for some systems and
545 * a safety measure for some others. The latter is needed because for certain
546 * multiple inputs to the buggy algorithm there exist easily found inputs to
547 * the correct algorithm that produce the same hash. Thus, we optionally
548 * deviate from the correct algorithm just enough to avoid such collisions.
549 * While the bug itself affected the majority of passwords containing
550 * characters with the 8th bit set (although only a percentage of those in a
551 * collision-producing way), the anti-collision safety measure affects
552 * only a subset of passwords containing the '\xff' character (not even all of
553 * those passwords, just some of them). This character is not found in valid
554 * UTF-8 sequences and is rarely used in popular 8-bit character encodings.
555 * Thus, the safety measure is unlikely to cause much annoyance, and is a
556 * reasonable tradeoff to use when authenticating against existing hashes that
557 * are not reliably known to have been computed with the correct algorithm.
558 *
559 * We use an approach that tries to minimize side-channel leaks of password
560 * information - that is, we mostly use fixed-cost bitwise operations instead
561 * of branches or table lookups. (One conditional branch based on password
562 * length remains. It is not part of the bug aftermath, though, and is
563 * difficult and possibly unreasonable to avoid given the use of C strings by
564 * the caller, which results in similar timing leaks anyway.)
565 *
566 * For actual implementation, we set an array index in the variable "bug"
567 * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
568 * variable "safety" (bit 16 is set when the safety measure is requested).
569 * Valid combinations of settings are:
570 *
571 * Prefix "$2a$": bug = 0, safety = 0x10000
572 * Prefix "$2b$": bug = 0, safety = 0
573 * Prefix "$2x$": bug = 1, safety = 0
574 * Prefix "$2y$": bug = 0, safety = 0
575 */
576 bug = (unsigned int)flags & 1;
577 safety = ((BF_word)flags & 2) << 15;
578
579 sign = diff = 0;
580
581 for (i = 0; i < BF_N + 2; i++) {
582 tmp[0] = tmp[1] = 0;
583 for (j = 0; j < 4; j++) {
584 tmp[0] <<= 8;
585 tmp[0] |= (unsigned char)*ptr; /* correct */
586 tmp[1] <<= 8;
587 tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */
588 /*
589 * Sign extension in the first char has no effect - nothing to overwrite yet,
590 * and those extra 24 bits will be fully shifted out of the 32-bit word. For
591 * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
592 * extension in tmp[1] occurs. Once this flag is set, it remains set.
593 */
594 if (j)
595 sign |= tmp[1] & 0x80;
596 if (!*ptr)
597 ptr = key;
598 else
599 ptr++;
600 }
601 diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
602
603 expanded[i] = tmp[bug];
604 initial[i] = BF_init_state.P[i] ^ tmp[bug];
605 }
606
607 /*
608 * At this point, "diff" is zero iff the correct and buggy algorithms produced
609 * exactly the same result. If so and if "sign" is non-zero, which indicates
610 * that there was a non-benign sign extension, this means that we have a
611 * collision between the correctly computed hash for this password and a set of
612 * passwords that could be supplied to the buggy algorithm. Our safety measure
613 * is meant to protect from such many-buggy to one-correct collisions, by
614 * deviating from the correct algorithm in such cases. Let's check for this.
615 */
616 diff |= diff >> 16; /* still zero iff exact match */
617 diff &= 0xffff; /* ditto */
618 diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */
619 sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
620 sign &= ~diff & safety; /* action needed? */
621
622 /*
623 * If we have determined that we need to deviate from the correct algorithm,
624 * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but
625 * let's stick to it now. It came out of the approach we used above, and it's
626 * not any worse than any other choice we could make.)
627 *
628 * It is crucial that we don't do the same to the expanded key used in the main
629 * Eksblowfish loop. By doing it to only one of these two, we deviate from a
630 * state that could be directly specified by a password to the buggy algorithm
631 * (and to the fully correct one as well, but that's a side-effect).
632 */
633 initial[0] ^= sign;
634 }
635
636 static const unsigned char flags_by_subtype[26] =
637 {2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
638 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};
639
BF_crypt(const char * key,const char * setting,char * output,int size,BF_word min)640 static char *BF_crypt(const char *key, const char *setting,
641 char *output, int size,
642 BF_word min)
643 {
644 struct {
645 BF_ctx ctx;
646 BF_key expanded_key;
647 union {
648 BF_word salt[4];
649 BF_word output[6];
650 } binary;
651 } data;
652 BF_word L, R;
653 BF_word tmp1, tmp2, tmp3, tmp4;
654 BF_word *ptr;
655 BF_word count;
656 int i;
657
658 if (size < 7 + 22 + 31 + 1) {
659 __set_errno(ERANGE);
660 return NULL;
661 }
662
663 if (setting[0] != '$' ||
664 setting[1] != '2' ||
665 setting[2] < 'a' || setting[2] > 'z' ||
666 !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
667 setting[3] != '$' ||
668 setting[4] < '0' || setting[4] > '3' ||
669 setting[5] < '0' || setting[5] > '9' ||
670 (setting[4] == '3' && setting[5] > '1') ||
671 setting[6] != '$') {
672 __set_errno(EINVAL);
673 return NULL;
674 }
675
676 count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
677 if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
678 __set_errno(EINVAL);
679 return NULL;
680 }
681 BF_swap(data.binary.salt, 4);
682
683 BF_set_key(key, data.expanded_key, data.ctx.P,
684 flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']);
685
686 memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
687
688 L = R = 0;
689 for (i = 0; i < BF_N + 2; i += 2) {
690 L ^= data.binary.salt[i & 2];
691 R ^= data.binary.salt[(i & 2) + 1];
692 BF_ENCRYPT;
693 data.ctx.P[i] = L;
694 data.ctx.P[i + 1] = R;
695 }
696
697 ptr = data.ctx.S[0];
698 do {
699 ptr += 4;
700 L ^= data.binary.salt[(BF_N + 2) & 3];
701 R ^= data.binary.salt[(BF_N + 3) & 3];
702 BF_ENCRYPT;
703 *(ptr - 4) = L;
704 *(ptr - 3) = R;
705
706 L ^= data.binary.salt[(BF_N + 4) & 3];
707 R ^= data.binary.salt[(BF_N + 5) & 3];
708 BF_ENCRYPT;
709 *(ptr - 2) = L;
710 *(ptr - 1) = R;
711 } while (ptr < &data.ctx.S[3][0xFF]);
712
713 do {
714 int done;
715
716 for (i = 0; i < BF_N + 2; i += 2) {
717 data.ctx.P[i] ^= data.expanded_key[i];
718 data.ctx.P[i + 1] ^= data.expanded_key[i + 1];
719 }
720
721 done = 0;
722 do {
723 BF_body();
724 if (done)
725 break;
726 done = 1;
727
728 tmp1 = data.binary.salt[0];
729 tmp2 = data.binary.salt[1];
730 tmp3 = data.binary.salt[2];
731 tmp4 = data.binary.salt[3];
732 for (i = 0; i < BF_N; i += 4) {
733 data.ctx.P[i] ^= tmp1;
734 data.ctx.P[i + 1] ^= tmp2;
735 data.ctx.P[i + 2] ^= tmp3;
736 data.ctx.P[i + 3] ^= tmp4;
737 }
738 data.ctx.P[16] ^= tmp1;
739 data.ctx.P[17] ^= tmp2;
740 } while (1);
741 } while (--count);
742
743 for (i = 0; i < 6; i += 2) {
744 L = BF_magic_w[i];
745 R = BF_magic_w[i + 1];
746
747 count = 64;
748 do {
749 BF_ENCRYPT;
750 } while (--count);
751
752 data.binary.output[i] = L;
753 data.binary.output[i + 1] = R;
754 }
755
756 memcpy(output, setting, 7 + 22 - 1);
757 output[7 + 22 - 1] = BF_itoa64[(int)
758 BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
759
760 /* This has to be bug-compatible with the original implementation, so
761 * only encode 23 of the 24 bytes. :-) */
762 BF_swap(data.binary.output, 6);
763 BF_encode(&output[7 + 22], data.binary.output, 23);
764 output[7 + 22 + 31] = '\0';
765
766 return output;
767 }
768
_crypt_output_magic(const char * setting,char * output,int size)769 int _crypt_output_magic(const char *setting, char *output, int size)
770 {
771 if (size < 3)
772 return -1;
773
774 output[0] = '*';
775 output[1] = '0';
776 output[2] = '\0';
777
778 if (setting[0] == '*' && setting[1] == '0')
779 output[1] = '1';
780
781 return 0;
782 }
783
784 /*
785 * Please preserve the runtime self-test. It serves two purposes at once:
786 *
787 * 1. We really can't afford the risk of producing incompatible hashes e.g.
788 * when there's something like gcc bug 26587 again, whereas an application or
789 * library integrating this code might not also integrate our external tests or
790 * it might not run them after every build. Even if it does, the miscompile
791 * might only occur on the production build, but not on a testing build (such
792 * as because of different optimization settings). It is painful to recover
793 * from incorrectly-computed hashes - merely fixing whatever broke is not
794 * enough. Thus, a proactive measure like this self-test is needed.
795 *
796 * 2. We don't want to leave sensitive data from our actual password hash
797 * computation on the stack or in registers. Previous revisions of the code
798 * would do explicit cleanups, but simply running the self-test after hash
799 * computation is more reliable.
800 *
801 * The performance cost of this quick self-test is around 0.6% at the "$2a$08"
802 * setting.
803 */
_crypt_blowfish_rn(const char * key,const char * setting,char * output,int size)804 char *_crypt_blowfish_rn(const char *key, const char *setting,
805 char *output, int size)
806 {
807 const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
808 const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu";
809 static const char * const test_hashes[2] =
810 {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */
811 "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */
812 const char *test_hash = test_hashes[0];
813 char *retval;
814 const char *p;
815 int save_errno, ok;
816 struct {
817 char s[7 + 22 + 1];
818 char o[7 + 22 + 31 + 1 + 1 + 1];
819 } buf;
820
821 /* Hash the supplied password */
822 _crypt_output_magic(setting, output, size);
823 retval = BF_crypt(key, setting, output, size, 16);
824 save_errno = errno;
825
826 /*
827 * Do a quick self-test. It is important that we make both calls to BF_crypt()
828 * from the same scope such that they likely use the same stack locations,
829 * which makes the second call overwrite the first call's sensitive data on the
830 * stack and makes it more likely that any alignment related issues would be
831 * detected by the self-test.
832 */
833 memcpy(buf.s, test_setting, sizeof(buf.s));
834 if (retval) {
835 unsigned int flags = flags_by_subtype[
836 (unsigned int)(unsigned char)setting[2] - 'a'];
837 test_hash = test_hashes[flags & 1];
838 buf.s[2] = setting[2];
839 }
840 memset(buf.o, 0x55, sizeof(buf.o));
841 buf.o[sizeof(buf.o) - 1] = 0;
842 p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);
843
844 ok = (p == buf.o &&
845 !memcmp(p, buf.s, 7 + 22) &&
846 !memcmp(p + (7 + 22), test_hash, 31 + 1 + 1 + 1));
847
848 {
849 const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
850 BF_key ae, ai, ye, yi;
851 BF_set_key(k, ae, ai, 2); /* $2a$ */
852 BF_set_key(k, ye, yi, 4); /* $2y$ */
853 ai[0] ^= 0x10000; /* undo the safety (for comparison) */
854 ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
855 !memcmp(ae, ye, sizeof(ae)) &&
856 !memcmp(ai, yi, sizeof(ai));
857 }
858
859 __set_errno(save_errno);
860 if (ok)
861 return retval;
862
863 /* Should not happen */
864 _crypt_output_magic(setting, output, size);
865 __set_errno(EINVAL); /* pretend we don't support this hash type */
866 return NULL;
867 }
868
_crypt_gensalt_blowfish_rn(const char * prefix,unsigned long count,const char * input,int size,char * output,int output_size)869 char *_crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count,
870 const char *input, int size, char *output, int output_size)
871 {
872 if (size < 16 || output_size < 7 + 22 + 1 ||
873 (count && (count < 4 || count > 31)) ||
874 prefix[0] != '$' || prefix[1] != '2' ||
875 (prefix[2] != 'a' && prefix[2] != 'b' && prefix[2] != 'y')) {
876 if (output_size > 0) output[0] = '\0';
877 __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
878 return NULL;
879 }
880
881 if (!count) count = 5;
882
883 output[0] = '$';
884 output[1] = '2';
885 output[2] = prefix[2];
886 output[3] = '$';
887 output[4] = '0' + count / 10;
888 output[5] = '0' + count % 10;
889 output[6] = '$';
890
891 BF_encode(&output[7], (const BF_word *)input, 16);
892 output[7 + 22] = '\0';
893
894 return output;
895 }
896
897 unsigned char _crypt_itoa64[64 + 1] =
898 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
899
_crypt_gensalt_traditional_rn(const char * prefix,unsigned long count,const char * input,int size,char * output,int output_size)900 char *_crypt_gensalt_traditional_rn(const char *prefix, unsigned long count,
901 const char *input, int size, char *output, int output_size)
902 {
903 (void) prefix;
904
905 if (size < 2 || output_size < 2 + 1 || (count && count != 25)) {
906 if (output_size > 0) output[0] = '\0';
907 __set_errno((output_size < 2 + 1) ? ERANGE : EINVAL);
908 return NULL;
909 }
910
911 output[0] = _crypt_itoa64[(unsigned int)input[0] & 0x3f];
912 output[1] = _crypt_itoa64[(unsigned int)input[1] & 0x3f];
913 output[2] = '\0';
914
915 return output;
916 }
917
_crypt_gensalt_extended_rn(const char * prefix,unsigned long count,const char * input,int size,char * output,int output_size)918 char *_crypt_gensalt_extended_rn(const char *prefix, unsigned long count,
919 const char *input, int size, char *output, int output_size)
920 {
921 unsigned long value;
922
923 (void) prefix;
924
925 /* Even iteration counts make it easier to detect weak DES keys from a look
926 * at the hash, so they should be avoided */
927 if (size < 3 || output_size < 1 + 4 + 4 + 1 ||
928 (count && (count > 0xffffff || !(count & 1)))) {
929 if (output_size > 0) output[0] = '\0';
930 __set_errno((output_size < 1 + 4 + 4 + 1) ? ERANGE : EINVAL);
931 return NULL;
932 }
933
934 if (!count) count = 725;
935
936 output[0] = '_';
937 output[1] = _crypt_itoa64[count & 0x3f];
938 output[2] = _crypt_itoa64[(count >> 6) & 0x3f];
939 output[3] = _crypt_itoa64[(count >> 12) & 0x3f];
940 output[4] = _crypt_itoa64[(count >> 18) & 0x3f];
941 value = (unsigned long)(unsigned char)input[0] |
942 ((unsigned long)(unsigned char)input[1] << 8) |
943 ((unsigned long)(unsigned char)input[2] << 16);
944 output[5] = _crypt_itoa64[value & 0x3f];
945 output[6] = _crypt_itoa64[(value >> 6) & 0x3f];
946 output[7] = _crypt_itoa64[(value >> 12) & 0x3f];
947 output[8] = _crypt_itoa64[(value >> 18) & 0x3f];
948 output[9] = '\0';
949
950 return output;
951 }
952
_crypt_gensalt_md5_rn(const char * prefix,unsigned long count,const char * input,int size,char * output,int output_size)953 char *_crypt_gensalt_md5_rn(const char *prefix, unsigned long count,
954 const char *input, int size, char *output, int output_size)
955 {
956 unsigned long value;
957
958 (void) prefix;
959
960 if (size < 3 || output_size < 3 + 4 + 1 || (count && count != 1000)) {
961 if (output_size > 0) output[0] = '\0';
962 __set_errno((output_size < 3 + 4 + 1) ? ERANGE : EINVAL);
963 return NULL;
964 }
965
966 output[0] = '$';
967 output[1] = '1';
968 output[2] = '$';
969 value = (unsigned long)(unsigned char)input[0] |
970 ((unsigned long)(unsigned char)input[1] << 8) |
971 ((unsigned long)(unsigned char)input[2] << 16);
972 output[3] = _crypt_itoa64[value & 0x3f];
973 output[4] = _crypt_itoa64[(value >> 6) & 0x3f];
974 output[5] = _crypt_itoa64[(value >> 12) & 0x3f];
975 output[6] = _crypt_itoa64[(value >> 18) & 0x3f];
976 output[7] = '\0';
977
978 if (size >= 6 && output_size >= 3 + 4 + 4 + 1) {
979 value = (unsigned long)(unsigned char)input[3] |
980 ((unsigned long)(unsigned char)input[4] << 8) |
981 ((unsigned long)(unsigned char)input[5] << 16);
982 output[7] = _crypt_itoa64[value & 0x3f];
983 output[8] = _crypt_itoa64[(value >> 6) & 0x3f];
984 output[9] = _crypt_itoa64[(value >> 12) & 0x3f];
985 output[10] = _crypt_itoa64[(value >> 18) & 0x3f];
986 output[11] = '\0';
987 }
988
989 return output;
990 }
991
992 #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1)
993 #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1)
994
_crypt_data_alloc(void ** data,int * size,int need)995 static int _crypt_data_alloc(void **data, int *size, int need)
996 {
997 void *updated;
998
999 if (*data && *size >= need) return 0;
1000
1001 updated = realloc(*data, need);
1002
1003 if (!updated) {
1004 #ifndef __GLIBC__
1005 /* realloc(3) on glibc sets errno, so we don't need to bother */
1006 __set_errno(ENOMEM);
1007 #endif
1008 return -1;
1009 }
1010
1011 *data = updated;
1012 *size = need;
1013
1014 return 0;
1015 }
1016
_crypt_retval_magic(char * retval,const char * setting,char * output,int size)1017 static char *_crypt_retval_magic(char *retval, const char *setting,
1018 char *output, int size)
1019 {
1020 if (retval)
1021 return retval;
1022
1023 if (_crypt_output_magic(setting, output, size))
1024 return NULL; /* shouldn't happen */
1025
1026 return output;
1027 }
1028
1029 #if defined(__GLIBC__) && defined(_LIBC)
1030 /*
1031 * Applications may re-use the same instance of struct crypt_data without
1032 * resetting the initialized field in order to let crypt_r() skip some of
1033 * its initialization code. Thus, it is important that our multiple hashing
1034 * algorithms either don't conflict with each other in their use of the
1035 * data area or reset the initialized field themselves whenever required.
1036 * Currently, the hashing algorithms simply have no conflicts: the first
1037 * field of struct crypt_data is the 128-byte large DES key schedule which
1038 * __des_crypt_r() calculates each time it is called while the two other
1039 * hashing algorithms use less than 128 bytes of the data area.
1040 */
1041
__crypt_rn(__const char * key,__const char * setting,void * data,int size)1042 char *__crypt_rn(__const char *key, __const char *setting,
1043 void *data, int size)
1044 {
1045 if (setting[0] == '$' && setting[1] == '2')
1046 return _crypt_blowfish_rn(key, setting, (char *)data, size);
1047 if (setting[0] == '$' && setting[1] == '1')
1048 return __md5_crypt_r(key, setting, (char *)data, size);
1049 if (setting[0] == '$' || setting[0] == '_') {
1050 __set_errno(EINVAL);
1051 return NULL;
1052 }
1053 if (size >= sizeof(struct crypt_data))
1054 return __des_crypt_r(key, setting, (struct crypt_data *)data);
1055 __set_errno(ERANGE);
1056 return NULL;
1057 }
1058
__crypt_ra(__const char * key,__const char * setting,void ** data,int * size)1059 char *__crypt_ra(__const char *key, __const char *setting,
1060 void **data, int *size)
1061 {
1062 if (setting[0] == '$' && setting[1] == '2') {
1063 if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1064 return NULL;
1065 return _crypt_blowfish_rn(key, setting, (char *)*data, *size);
1066 }
1067 if (setting[0] == '$' && setting[1] == '1') {
1068 if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1069 return NULL;
1070 return __md5_crypt_r(key, setting, (char *)*data, *size);
1071 }
1072 if (setting[0] == '$' || setting[0] == '_') {
1073 __set_errno(EINVAL);
1074 return NULL;
1075 }
1076 if (_crypt_data_alloc(data, size, sizeof(struct crypt_data)))
1077 return NULL;
1078 return __des_crypt_r(key, setting, (struct crypt_data *)*data);
1079 }
1080
__crypt_r(__const char * key,__const char * setting,struct crypt_data * data)1081 char *__crypt_r(__const char *key, __const char *setting,
1082 struct crypt_data *data)
1083 {
1084 return _crypt_retval_magic(
1085 __crypt_rn(key, setting, data, sizeof(*data)),
1086 setting, (char *)data, sizeof(*data));
1087 }
1088
__crypt(__const char * key,__const char * setting)1089 char *__crypt(__const char *key, __const char *setting)
1090 {
1091 return _crypt_retval_magic(
1092 __crypt_rn(key, setting, &_ufc_foobar, sizeof(_ufc_foobar)),
1093 setting, (char *)&_ufc_foobar, sizeof(_ufc_foobar));
1094 }
1095 #else
crypt_rn(const char * key,const char * setting,void * data,int size)1096 char *crypt_rn(const char *key, const char *setting, void *data, int size)
1097 {
1098 return _crypt_blowfish_rn(key, setting, (char *)data, size);
1099 }
1100
crypt_ra(const char * key,const char * setting,void ** data,int * size)1101 char *crypt_ra(const char *key, const char *setting,
1102 void **data, int *size)
1103 {
1104 if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1105 return NULL;
1106 return _crypt_blowfish_rn(key, setting, (char *)*data, *size);
1107 }
1108
_crypt_r(const char * key,const char * setting,void * data)1109 char *_crypt_r(const char *key, const char *setting, void *data)
1110 {
1111 return _crypt_retval_magic(
1112 crypt_rn(key, setting, data, CRYPT_OUTPUT_SIZE),
1113 setting, (char *)data, CRYPT_OUTPUT_SIZE);
1114 }
1115
bcrypt(const char * key,const char * setting)1116 char *bcrypt(const char *key, const char *setting)
1117 {
1118 static char output[CRYPT_OUTPUT_SIZE];
1119
1120 return _crypt_retval_magic(
1121 crypt_rn(key, setting, output, sizeof(output)),
1122 setting, output, sizeof(output));
1123 }
1124
1125 #define __crypt_gensalt_rn crypt_gensalt_rn
1126 #define __crypt_gensalt_ra crypt_gensalt_ra
1127 #define __crypt_gensalt bcrypt_gensalt
1128 #endif
1129
__crypt_gensalt_rn(const char * prefix,unsigned long count,const char * input,int size,char * output,int output_size)1130 char *__crypt_gensalt_rn(const char *prefix, unsigned long count,
1131 const char *input, int size, char *output, int output_size)
1132 {
1133 char *(*use)(const char *_prefix, unsigned long _count,
1134 const char *_input, int _size,
1135 char *_output, int _output_size);
1136
1137 /* This may be supported on some platforms in the future */
1138 if (!input) {
1139 __set_errno(EINVAL);
1140 return NULL;
1141 }
1142
1143 if (!strncmp(prefix, "$2a$", 4) || !strncmp(prefix, "$2b$", 4) ||
1144 !strncmp(prefix, "$2y$", 4))
1145 use = _crypt_gensalt_blowfish_rn;
1146 else
1147 if (!strncmp(prefix, "$1$", 3))
1148 use = _crypt_gensalt_md5_rn;
1149 else
1150 if (prefix[0] == '_')
1151 use = _crypt_gensalt_extended_rn;
1152 else
1153 if (!prefix[0] ||
1154 (prefix[0] && prefix[1] &&
1155 memchr(_crypt_itoa64, prefix[0], 64) &&
1156 memchr(_crypt_itoa64, prefix[1], 64)))
1157 use = _crypt_gensalt_traditional_rn;
1158 else {
1159 __set_errno(EINVAL);
1160 return NULL;
1161 }
1162
1163 return use(prefix, count, input, size, output, output_size);
1164 }
1165
__crypt_gensalt_ra(const char * prefix,unsigned long count,const char * input,int size)1166 char *__crypt_gensalt_ra(const char *prefix, unsigned long count,
1167 const char *input, int size)
1168 {
1169 char output[CRYPT_GENSALT_OUTPUT_SIZE];
1170 char *retval;
1171
1172 retval = __crypt_gensalt_rn(prefix, count,
1173 input, size, output, sizeof(output));
1174
1175 if (retval) {
1176 retval = strdup(retval);
1177 #ifndef __GLIBC__
1178 /* strdup(3) on glibc sets errno, so we don't need to bother */
1179 if (!retval)
1180 __set_errno(ENOMEM);
1181 #endif
1182 }
1183
1184 return retval;
1185 }
1186
__crypt_gensalt(const char * prefix,unsigned long count,const char * input,int size)1187 char *__crypt_gensalt(const char *prefix, unsigned long count,
1188 const char *input, int size)
1189 {
1190 static char output[CRYPT_GENSALT_OUTPUT_SIZE];
1191
1192 return __crypt_gensalt_rn(prefix, count,
1193 input, size, output, sizeof(output));
1194 }
1195