summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2022-05-04 18:02:08 +0000
committercvs2svn <admin@example.com>2022-05-04 18:02:08 +0000
commit3c94dc45dfb15483d76c47a128ec352cc0b655ac (patch)
treea7cfb4512c784e9518f1b1c2f4009295b8766ef4 /src/lib/libc/crypt
parentf32cca700e59c0fd1ddd8f1fd4b35a5401be28fe (diff)
downloadopenbsd-tb_20220504.tar.gz
openbsd-tb_20220504.tar.bz2
openbsd-tb_20220504.zip
This commit was manufactured by cvs2git to create tag 'tb_20220504'.tb_20220504
Diffstat (limited to '')
-rw-r--r--src/lib/libc/crypt/Makefile.inc8
-rw-r--r--src/lib/libc/crypt/arc4random.3116
-rw-r--r--src/lib/libc/crypt/arc4random.c198
-rw-r--r--src/lib/libc/crypt/arc4random.h61
-rw-r--r--src/lib/libc/crypt/arc4random_uniform.c57
-rw-r--r--src/lib/libc/crypt/bcrypt.c397
-rw-r--r--src/lib/libc/crypt/blowfish.3103
-rw-r--r--src/lib/libc/crypt/blowfish.c695
-rw-r--r--src/lib/libc/crypt/chacha_private.h222
-rw-r--r--src/lib/libc/crypt/crypt.3144
-rw-r--r--src/lib/libc/crypt/crypt.c22
-rw-r--r--src/lib/libc/crypt/crypt_checkpass.3113
-rw-r--r--src/lib/libc/crypt/cryptutil.c97
13 files changed, 0 insertions, 2233 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
deleted file mode 100644
index e9263b09fe..0000000000
--- a/src/lib/libc/crypt/Makefile.inc
+++ /dev/null
@@ -1,8 +0,0 @@
1# $OpenBSD: Makefile.inc,v 1.27 2016/03/30 06:38:41 jmc Exp $
2
3.PATH: ${LIBCSRCDIR}/arch/${MACHINE_CPU}/crypt ${LIBCSRCDIR}/crypt
4
5SRCS+= crypt.c cryptutil.c arc4random.c arc4random_uniform.c \
6 blowfish.c bcrypt.c
7
8MAN+= crypt.3 crypt_checkpass.3 blowfish.3 arc4random.3
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
deleted file mode 100644
index 411860c28f..0000000000
--- a/src/lib/libc/crypt/arc4random.3
+++ /dev/null
@@ -1,116 +0,0 @@
1.\" $OpenBSD: arc4random.3,v 1.37 2019/09/29 16:30:35 jmc Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: September 29 2019 $
34.Dt ARC4RANDOM 3
35.Os
36.Sh NAME
37.Nm arc4random ,
38.Nm arc4random_buf ,
39.Nm arc4random_uniform
40.Nd random number generator
41.Sh SYNOPSIS
42.In stdlib.h
43.Ft uint32_t
44.Fn arc4random "void"
45.Ft void
46.Fn arc4random_buf "void *buf" "size_t nbytes"
47.Ft uint32_t
48.Fn arc4random_uniform "uint32_t upper_bound"
49.Sh DESCRIPTION
50This family of functions provides higher quality data than those
51described in
52.Xr rand 3 ,
53.Xr random 3 ,
54and
55.Xr rand48 3 .
56.Pp
57Use of these functions is encouraged for almost all random number
58consumption because the other interfaces are deficient in either
59quality, portability, standardization, or availability.
60These functions can be called in almost all coding environments,
61including
62.Xr pthreads 3
63and
64.Xr chroot 2 .
65.Pp
66High quality 32-bit pseudo-random numbers are generated very quickly.
67On each call, a cryptographic pseudo-random number generator is used
68to generate a new result.
69One data pool is used for all consumers in a process, so that consumption
70under program flow can act as additional stirring.
71The subsystem is re-seeded from the kernel
72.Xr random 4
73subsystem using
74.Xr getentropy 2
75on a regular basis, and also upon
76.Xr fork 2 .
77.Pp
78The
79.Fn arc4random
80function returns a single 32-bit value.
81.Pp
82.Fn arc4random_buf
83fills the region
84.Fa buf
85of length
86.Fa nbytes
87with random data.
88.Pp
89.Fn arc4random_uniform
90will return a single 32-bit value, uniformly distributed but less than
91.Fa upper_bound .
92This is recommended over constructions like
93.Dq Li arc4random() % upper_bound
94as it avoids "modulo bias" when the upper bound is not a power of two.
95In the worst case, this function may consume multiple iterations
96to ensure uniformity; see the source code to understand the problem
97and solution.
98.Sh RETURN VALUES
99These functions are always successful, and no return value is
100reserved to indicate an error.
101.Sh SEE ALSO
102.Xr rand 3 ,
103.Xr rand48 3 ,
104.Xr random 3
105.Sh HISTORY
106These functions first appeared in
107.Ox 2.1 .
108.Pp
109The original version of this random number generator used the
110RC4 (also known as ARC4) algorithm.
111In
112.Ox 5.5
113it was replaced with the ChaCha20 cipher, and it may be replaced
114again in the future as cryptographic techniques advance.
115A good mnemonic is
116.Dq A Replacement Call for Random .
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
deleted file mode 100644
index 6cbab6e79b..0000000000
--- a/src/lib/libc/crypt/arc4random.c
+++ /dev/null
@@ -1,198 +0,0 @@
1/* $OpenBSD: arc4random.c,v 1.56 2022/02/28 21:56:29 dtucker Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22/*
23 * ChaCha based random number generator for OpenBSD.
24 */
25
26#include <fcntl.h>
27#include <limits.h>
28#include <signal.h>
29#include <stdint.h>
30#include <stdlib.h>
31#include <string.h>
32#include <unistd.h>
33#include <sys/types.h>
34#include <sys/time.h>
35
36#define KEYSTREAM_ONLY
37#include "chacha_private.h"
38
39#define minimum(a, b) ((a) < (b) ? (a) : (b))
40
41#if defined(__GNUC__) || defined(_MSC_VER)
42#define inline __inline
43#else /* __GNUC__ || _MSC_VER */
44#define inline
45#endif /* !__GNUC__ && !_MSC_VER */
46
47#define KEYSZ 32
48#define IVSZ 8
49#define BLOCKSZ 64
50#define RSBUFSZ (16*BLOCKSZ)
51
52/* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
53static struct _rs {
54 size_t rs_have; /* valid bytes at end of rs_buf */
55 size_t rs_count; /* bytes till reseed */
56} *rs;
57
58/* Maybe be preserved in fork children, if _rs_allocate() decides. */
59static struct _rsx {
60 chacha_ctx rs_chacha; /* chacha context for random keystream */
61 u_char rs_buf[RSBUFSZ]; /* keystream blocks */
62} *rsx;
63
64static inline int _rs_allocate(struct _rs **, struct _rsx **);
65static inline void _rs_forkdetect(void);
66#include "arc4random.h"
67
68static inline void _rs_rekey(u_char *dat, size_t datlen);
69
70static inline void
71_rs_init(u_char *buf, size_t n)
72{
73 if (n < KEYSZ + IVSZ)
74 return;
75
76 if (rs == NULL) {
77 if (_rs_allocate(&rs, &rsx) == -1)
78 _exit(1);
79 }
80
81 chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
82 chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
83}
84
85static void
86_rs_stir(void)
87{
88 u_char rnd[KEYSZ + IVSZ];
89
90 if (getentropy(rnd, sizeof rnd) == -1)
91 _getentropy_fail();
92
93 if (!rs)
94 _rs_init(rnd, sizeof(rnd));
95 else
96 _rs_rekey(rnd, sizeof(rnd));
97 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
98
99 /* invalidate rs_buf */
100 rs->rs_have = 0;
101 memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
102
103 rs->rs_count = 1600000;
104}
105
106static inline void
107_rs_stir_if_needed(size_t len)
108{
109 _rs_forkdetect();
110 if (!rs || rs->rs_count <= len)
111 _rs_stir();
112 if (rs->rs_count <= len)
113 rs->rs_count = 0;
114 else
115 rs->rs_count -= len;
116}
117
118static inline void
119_rs_rekey(u_char *dat, size_t datlen)
120{
121#ifndef KEYSTREAM_ONLY
122 memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
123#endif
124 /* fill rs_buf with the keystream */
125 chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
126 rsx->rs_buf, sizeof(rsx->rs_buf));
127 /* mix in optional user provided data */
128 if (dat) {
129 size_t i, m;
130
131 m = minimum(datlen, KEYSZ + IVSZ);
132 for (i = 0; i < m; i++)
133 rsx->rs_buf[i] ^= dat[i];
134 }
135 /* immediately reinit for backtracking resistance */
136 _rs_init(rsx->rs_buf, KEYSZ + IVSZ);
137 memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
138 rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
139}
140
141static inline void
142_rs_random_buf(void *_buf, size_t n)
143{
144 u_char *buf = (u_char *)_buf;
145 u_char *keystream;
146 size_t m;
147
148 _rs_stir_if_needed(n);
149 while (n > 0) {
150 if (rs->rs_have > 0) {
151 m = minimum(n, rs->rs_have);
152 keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
153 - rs->rs_have;
154 memcpy(buf, keystream, m);
155 memset(keystream, 0, m);
156 buf += m;
157 n -= m;
158 rs->rs_have -= m;
159 }
160 if (rs->rs_have == 0)
161 _rs_rekey(NULL, 0);
162 }
163}
164
165static inline void
166_rs_random_u32(uint32_t *val)
167{
168 u_char *keystream;
169
170 _rs_stir_if_needed(sizeof(*val));
171 if (rs->rs_have < sizeof(*val))
172 _rs_rekey(NULL, 0);
173 keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
174 memcpy(val, keystream, sizeof(*val));
175 memset(keystream, 0, sizeof(*val));
176 rs->rs_have -= sizeof(*val);
177}
178
179uint32_t
180arc4random(void)
181{
182 uint32_t val;
183
184 _ARC4_LOCK();
185 _rs_random_u32(&val);
186 _ARC4_UNLOCK();
187 return val;
188}
189DEF_WEAK(arc4random);
190
191void
192arc4random_buf(void *buf, size_t n)
193{
194 _ARC4_LOCK();
195 _rs_random_buf(buf, n);
196 _ARC4_UNLOCK();
197}
198DEF_WEAK(arc4random_buf);
diff --git a/src/lib/libc/crypt/arc4random.h b/src/lib/libc/crypt/arc4random.h
deleted file mode 100644
index 4abd15321a..0000000000
--- a/src/lib/libc/crypt/arc4random.h
+++ /dev/null
@@ -1,61 +0,0 @@
1/* $OpenBSD: arc4random.h,v 1.4 2015/01/15 06:57:18 deraadt Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22/*
23 * Stub functions for portability.
24 */
25#include <sys/mman.h>
26
27#include <signal.h>
28
29#include "thread_private.h"
30
31static inline void
32_getentropy_fail(void)
33{
34 raise(SIGKILL);
35}
36
37static inline int
38_rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
39{
40 struct {
41 struct _rs rs;
42 struct _rsx rsx;
43 } *p;
44
45 if ((p = mmap(NULL, sizeof(*p), PROT_READ|PROT_WRITE,
46 MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
47 return (-1);
48 if (minherit(p, sizeof(*p), MAP_INHERIT_ZERO) == -1) {
49 munmap(p, sizeof(*p));
50 return (-1);
51 }
52
53 *rsp = &p->rs;
54 *rsxp = &p->rsx;
55 return (0);
56}
57
58static inline void
59_rs_forkdetect(void)
60{
61}
diff --git a/src/lib/libc/crypt/arc4random_uniform.c b/src/lib/libc/crypt/arc4random_uniform.c
deleted file mode 100644
index a18b5b1238..0000000000
--- a/src/lib/libc/crypt/arc4random_uniform.c
+++ /dev/null
@@ -1,57 +0,0 @@
1/* $OpenBSD: arc4random_uniform.c,v 1.3 2019/01/20 02:59:07 bcook Exp $ */
2
3/*
4 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <stdint.h>
20#include <stdlib.h>
21
22/*
23 * Calculate a uniformly distributed random number less than upper_bound
24 * avoiding "modulo bias".
25 *
26 * Uniformity is achieved by generating new random numbers until the one
27 * returned is outside the range [0, 2**32 % upper_bound). This
28 * guarantees the selected random number will be inside
29 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
30 * after reduction modulo upper_bound.
31 */
32uint32_t
33arc4random_uniform(uint32_t upper_bound)
34{
35 uint32_t r, min;
36
37 if (upper_bound < 2)
38 return 0;
39
40 /* 2**32 % x == (2**32 - x) % x */
41 min = -upper_bound % upper_bound;
42
43 /*
44 * This could theoretically loop forever but each retry has
45 * p > 0.5 (worst case, usually far better) of selecting a
46 * number inside the range we need, so it should rarely need
47 * to re-roll.
48 */
49 for (;;) {
50 r = arc4random();
51 if (r >= min)
52 break;
53 }
54
55 return r % upper_bound;
56}
57DEF_WEAK(arc4random_uniform);
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c
deleted file mode 100644
index ba45b104ed..0000000000
--- a/src/lib/libc/crypt/bcrypt.c
+++ /dev/null
@@ -1,397 +0,0 @@
1/* $OpenBSD: bcrypt.c,v 1.58 2020/07/06 13:33:05 pirofti Exp $ */
2
3/*
4 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
5 * Copyright (c) 1997 Niels Provos <provos@umich.edu>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19/* This password hashing algorithm was designed by David Mazieres
20 * <dm@lcs.mit.edu> and works as follows:
21 *
22 * 1. state := InitState ()
23 * 2. state := ExpandKey (state, salt, password)
24 * 3. REPEAT rounds:
25 * state := ExpandKey (state, 0, password)
26 * state := ExpandKey (state, 0, salt)
27 * 4. ctext := "OrpheanBeholderScryDoubt"
28 * 5. REPEAT 64:
29 * ctext := Encrypt_ECB (state, ctext);
30 * 6. RETURN Concatenate (salt, ctext);
31 *
32 */
33
34#include <sys/types.h>
35#include <blf.h>
36#include <ctype.h>
37#include <errno.h>
38#include <pwd.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <time.h>
43
44/* This implementation is adaptable to current computing power.
45 * You can have up to 2^31 rounds which should be enough for some
46 * time to come.
47 */
48
49#define BCRYPT_VERSION '2'
50#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
51#define BCRYPT_WORDS 6 /* Ciphertext words */
52#define BCRYPT_MINLOGROUNDS 4 /* we have log2(rounds) in salt */
53
54#define BCRYPT_SALTSPACE (7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1)
55#define BCRYPT_HASHSPACE 61
56
57char *bcrypt_gensalt(u_int8_t);
58
59static int encode_base64(char *, const u_int8_t *, size_t);
60static int decode_base64(u_int8_t *, size_t, const char *);
61
62/*
63 * Generates a salt for this version of crypt.
64 */
65static int
66bcrypt_initsalt(int log_rounds, uint8_t *salt, size_t saltbuflen)
67{
68 uint8_t csalt[BCRYPT_MAXSALT];
69
70 if (saltbuflen < BCRYPT_SALTSPACE) {
71 errno = EINVAL;
72 return -1;
73 }
74
75 arc4random_buf(csalt, sizeof(csalt));
76
77 if (log_rounds < 4)
78 log_rounds = 4;
79 else if (log_rounds > 31)
80 log_rounds = 31;
81
82 snprintf(salt, saltbuflen, "$2b$%2.2u$", log_rounds);
83 encode_base64(salt + 7, csalt, sizeof(csalt));
84
85 return 0;
86}
87
88/*
89 * the core bcrypt function
90 */
91static int
92bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
93 size_t encryptedlen)
94{
95 blf_ctx state;
96 u_int32_t rounds, i, k;
97 u_int16_t j;
98 size_t key_len;
99 u_int8_t salt_len, logr, minor;
100 u_int8_t ciphertext[4 * BCRYPT_WORDS] = "OrpheanBeholderScryDoubt";
101 u_int8_t csalt[BCRYPT_MAXSALT];
102 u_int32_t cdata[BCRYPT_WORDS];
103
104 if (encryptedlen < BCRYPT_HASHSPACE)
105 goto inval;
106
107 /* Check and discard "$" identifier */
108 if (salt[0] != '$')
109 goto inval;
110 salt += 1;
111
112 if (salt[0] != BCRYPT_VERSION)
113 goto inval;
114
115 /* Check for minor versions */
116 switch ((minor = salt[1])) {
117 case 'a':
118 key_len = (u_int8_t)(strlen(key) + 1);
119 break;
120 case 'b':
121 /* strlen() returns a size_t, but the function calls
122 * below result in implicit casts to a narrower integer
123 * type, so cap key_len at the actual maximum supported
124 * length here to avoid integer wraparound */
125 key_len = strlen(key);
126 if (key_len > 72)
127 key_len = 72;
128 key_len++; /* include the NUL */
129 break;
130 default:
131 goto inval;
132 }
133 if (salt[2] != '$')
134 goto inval;
135 /* Discard version + "$" identifier */
136 salt += 3;
137
138 /* Check and parse num rounds */
139 if (!isdigit((unsigned char)salt[0]) ||
140 !isdigit((unsigned char)salt[1]) || salt[2] != '$')
141 goto inval;
142 logr = (salt[1] - '0') + ((salt[0] - '0') * 10);
143 if (logr < BCRYPT_MINLOGROUNDS || logr > 31)
144 goto inval;
145 /* Computer power doesn't increase linearly, 2^x should be fine */
146 rounds = 1U << logr;
147
148 /* Discard num rounds + "$" identifier */
149 salt += 3;
150
151 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
152 goto inval;
153
154 /* We dont want the base64 salt but the raw data */
155 if (decode_base64(csalt, BCRYPT_MAXSALT, salt))
156 goto inval;
157 salt_len = BCRYPT_MAXSALT;
158
159 /* Setting up S-Boxes and Subkeys */
160 Blowfish_initstate(&state);
161 Blowfish_expandstate(&state, csalt, salt_len,
162 (u_int8_t *) key, key_len);
163 for (k = 0; k < rounds; k++) {
164 Blowfish_expand0state(&state, (u_int8_t *) key, key_len);
165 Blowfish_expand0state(&state, csalt, salt_len);
166 }
167
168 /* This can be precomputed later */
169 j = 0;
170 for (i = 0; i < BCRYPT_WORDS; i++)
171 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_WORDS, &j);
172
173 /* Now do the encryption */
174 for (k = 0; k < 64; k++)
175 blf_enc(&state, cdata, BCRYPT_WORDS / 2);
176
177 for (i = 0; i < BCRYPT_WORDS; i++) {
178 ciphertext[4 * i + 3] = cdata[i] & 0xff;
179 cdata[i] = cdata[i] >> 8;
180 ciphertext[4 * i + 2] = cdata[i] & 0xff;
181 cdata[i] = cdata[i] >> 8;
182 ciphertext[4 * i + 1] = cdata[i] & 0xff;
183 cdata[i] = cdata[i] >> 8;
184 ciphertext[4 * i + 0] = cdata[i] & 0xff;
185 }
186
187
188 snprintf(encrypted, 8, "$2%c$%2.2u$", minor, logr);
189 encode_base64(encrypted + 7, csalt, BCRYPT_MAXSALT);
190 encode_base64(encrypted + 7 + 22, ciphertext, 4 * BCRYPT_WORDS - 1);
191 explicit_bzero(&state, sizeof(state));
192 explicit_bzero(ciphertext, sizeof(ciphertext));
193 explicit_bzero(csalt, sizeof(csalt));
194 explicit_bzero(cdata, sizeof(cdata));
195 return 0;
196
197inval:
198 errno = EINVAL;
199 return -1;
200}
201
202/*
203 * user friendly functions
204 */
205int
206bcrypt_newhash(const char *pass, int log_rounds, char *hash, size_t hashlen)
207{
208 char salt[BCRYPT_SALTSPACE];
209
210 if (bcrypt_initsalt(log_rounds, salt, sizeof(salt)) != 0)
211 return -1;
212
213 if (bcrypt_hashpass(pass, salt, hash, hashlen) != 0)
214 return -1;
215
216 explicit_bzero(salt, sizeof(salt));
217 return 0;
218}
219DEF_WEAK(bcrypt_newhash);
220
221int
222bcrypt_checkpass(const char *pass, const char *goodhash)
223{
224 char hash[BCRYPT_HASHSPACE];
225
226 if (bcrypt_hashpass(pass, goodhash, hash, sizeof(hash)) != 0)
227 return -1;
228 if (strlen(hash) != strlen(goodhash) ||
229 timingsafe_bcmp(hash, goodhash, strlen(goodhash)) != 0) {
230 errno = EACCES;
231 return -1;
232 }
233
234 explicit_bzero(hash, sizeof(hash));
235 return 0;
236}
237DEF_WEAK(bcrypt_checkpass);
238
239/*
240 * Measure this system's performance by measuring the time for 8 rounds.
241 * We are aiming for something that takes around 0.1s, but not too much over.
242 */
243int
244_bcrypt_autorounds(void)
245{
246 struct timespec before, after;
247 int r = 8;
248 char buf[_PASSWORD_LEN];
249 int duration;
250
251 WRAP(clock_gettime)(CLOCK_THREAD_CPUTIME_ID, &before);
252 bcrypt_newhash("testpassword", r, buf, sizeof(buf));
253 WRAP(clock_gettime)(CLOCK_THREAD_CPUTIME_ID, &after);
254
255 duration = after.tv_sec - before.tv_sec;
256 duration *= 1000000;
257 duration += (after.tv_nsec - before.tv_nsec) / 1000;
258
259 /* too quick? slow it down. */
260 while (r < 16 && duration <= 60000) {
261 r += 1;
262 duration *= 2;
263 }
264 /* too slow? speed it up. */
265 while (r > 6 && duration > 120000) {
266 r -= 1;
267 duration /= 2;
268 }
269
270 return r;
271}
272
273/*
274 * internal utilities
275 */
276static const u_int8_t Base64Code[] =
277"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
278
279static const u_int8_t index_64[128] = {
280 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
281 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
282 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
283 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
284 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
285 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
286 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
287 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
288 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
289 255, 255, 255, 255, 255, 255, 28, 29, 30,
290 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
291 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
292 51, 52, 53, 255, 255, 255, 255, 255
293};
294#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
295
296/*
297 * read buflen (after decoding) bytes of data from b64data
298 */
299static int
300decode_base64(u_int8_t *buffer, size_t len, const char *b64data)
301{
302 u_int8_t *bp = buffer;
303 const u_int8_t *p = b64data;
304 u_int8_t c1, c2, c3, c4;
305
306 while (bp < buffer + len) {
307 c1 = CHAR64(*p);
308 /* Invalid data */
309 if (c1 == 255)
310 return -1;
311
312 c2 = CHAR64(*(p + 1));
313 if (c2 == 255)
314 return -1;
315
316 *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
317 if (bp >= buffer + len)
318 break;
319
320 c3 = CHAR64(*(p + 2));
321 if (c3 == 255)
322 return -1;
323
324 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
325 if (bp >= buffer + len)
326 break;
327
328 c4 = CHAR64(*(p + 3));
329 if (c4 == 255)
330 return -1;
331 *bp++ = ((c3 & 0x03) << 6) | c4;
332
333 p += 4;
334 }
335 return 0;
336}
337
338/*
339 * Turn len bytes of data into base64 encoded data.
340 * This works without = padding.
341 */
342static int
343encode_base64(char *b64buffer, const u_int8_t *data, size_t len)
344{
345 u_int8_t *bp = b64buffer;
346 const u_int8_t *p = data;
347 u_int8_t c1, c2;
348
349 while (p < data + len) {
350 c1 = *p++;
351 *bp++ = Base64Code[(c1 >> 2)];
352 c1 = (c1 & 0x03) << 4;
353 if (p >= data + len) {
354 *bp++ = Base64Code[c1];
355 break;
356 }
357 c2 = *p++;
358 c1 |= (c2 >> 4) & 0x0f;
359 *bp++ = Base64Code[c1];
360 c1 = (c2 & 0x0f) << 2;
361 if (p >= data + len) {
362 *bp++ = Base64Code[c1];
363 break;
364 }
365 c2 = *p++;
366 c1 |= (c2 >> 6) & 0x03;
367 *bp++ = Base64Code[c1];
368 *bp++ = Base64Code[c2 & 0x3f];
369 }
370 *bp = '\0';
371 return 0;
372}
373
374/*
375 * classic interface
376 */
377char *
378bcrypt_gensalt(u_int8_t log_rounds)
379{
380 static char gsalt[BCRYPT_SALTSPACE];
381
382 bcrypt_initsalt(log_rounds, gsalt, sizeof(gsalt));
383
384 return gsalt;
385}
386
387char *
388bcrypt(const char *pass, const char *salt)
389{
390 static char gencrypted[BCRYPT_HASHSPACE];
391
392 if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
393 return NULL;
394
395 return gencrypted;
396}
397DEF_WEAK(bcrypt);
diff --git a/src/lib/libc/crypt/blowfish.3 b/src/lib/libc/crypt/blowfish.3
deleted file mode 100644
index c64ccb684b..0000000000
--- a/src/lib/libc/crypt/blowfish.3
+++ /dev/null
@@ -1,103 +0,0 @@
1.\" $OpenBSD: blowfish.3,v 1.24 2021/11/29 01:04:45 djm Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\" derived from this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" Manual page, using -mandoc macros
29.\"
30.Dd $Mdocdate: November 29 2021 $
31.Dt BLF_KEY 3
32.Os
33.Sh NAME
34.Nm blf_key ,
35.Nm blf_enc ,
36.Nm blf_dec ,
37.Nm blf_ecb_encrypt ,
38.Nm blf_ecb_decrypt ,
39.Nm blf_cbc_encrypt ,
40.Nm blf_cbc_decrypt
41.Nd Blowfish encryption
42.Sh SYNOPSIS
43.In blf.h
44.Ft void
45.Fn blf_key "blf_ctx *state" "const u_int8_t *key" "u_int16_t keylen"
46.Ft void
47.Fn blf_enc "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
48.Ft void
49.Fn blf_dec "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
50.Ft void
51.Fn blf_ecb_encrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
52.Ft void
53.Fn blf_ecb_decrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
54.Ft void
55.Fn blf_cbc_encrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
56.Ft void
57.Fn blf_cbc_decrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
58.Sh DESCRIPTION
59.Em Blowfish
60is a fast unpatented block cipher designed by Bruce Schneier.
61It basically consists of a 16-round Feistel network.
62The block size is 64 bits and the maximum key size is 448 bits.
63.Pp
64The
65.Fn blf_key
66function initializes the 4 8-bit S-boxes and the 18 Subkeys with
67the hexadecimal digits of Pi.
68The key is used for further randomization.
69The first argument to
70.Fn blf_enc
71is the initialized state derived from
72.Fn blf_key .
73The stream of 32-bit words is encrypted in Electronic Codebook
74Mode (ECB) and
75.Fa blocks
76is the number of 64-bit blocks in the stream.
77.Fn blf_dec
78is used for decrypting Blowfish encrypted blocks.
79.Pp
80The functions
81.Fn blf_ecb_encrypt
82and
83.Fn blf_ecb_decrypt
84are used for encrypting and decrypting octet streams in ECB mode.
85The functions
86.Fn blf_cbc_encrypt
87and
88.Fn blf_cbc_decrypt
89are used for encrypting and decrypting octet streams in
90Cipherblock Chaining Mode (CBC).
91For these functions
92.Fa datalen
93specifies the number of octets of data to encrypt or decrypt.
94It must be a multiple of 8 (64-bit block).
95The initialisation vector
96.Fa iv
97points to an 8-byte buffer.
98.Sh SEE ALSO
99.Xr passwd 1 ,
100.Xr crypt 3 ,
101.Xr passwd 5
102.Sh AUTHORS
103.An Niels Provos Aq Mt provos@physnet.uni-hamburg.de
diff --git a/src/lib/libc/crypt/blowfish.c b/src/lib/libc/crypt/blowfish.c
deleted file mode 100644
index e66d9befa6..0000000000
--- a/src/lib/libc/crypt/blowfish.c
+++ /dev/null
@@ -1,695 +0,0 @@
1/* $OpenBSD: blowfish.c,v 1.20 2021/11/29 01:04:45 djm Exp $ */
2/*
3 * Blowfish block cipher for OpenBSD
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32/*
33 * This code is derived from section 14.3 and the given source
34 * in section V of Applied Cryptography, second edition.
35 * Blowfish is an unpatented fast block cipher designed by
36 * Bruce Schneier.
37 */
38
39#if 0
40#include <stdio.h> /* used for debugging */
41#include <string.h>
42#endif
43
44#include <sys/types.h>
45#include <blf.h>
46
47#undef inline
48#ifdef __GNUC__
49#define inline __inline
50#else /* !__GNUC__ */
51#define inline
52#endif /* !__GNUC__ */
53
54/* Function for Feistel Networks */
55
56#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
57 + (s)[0x100 + (((x)>>16)&0xFF)]) \
58 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
59 + (s)[0x300 + ( (x) &0xFF)])
60
61#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
62
63void
64Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
65{
66 u_int32_t Xl;
67 u_int32_t Xr;
68 u_int32_t *s = c->S[0];
69 u_int32_t *p = c->P;
70
71 Xl = *xl;
72 Xr = *xr;
73
74 Xl ^= p[0];
75 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
76 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
77 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
78 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
79 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
80 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
81 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
82 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
83
84 *xl = Xr ^ p[17];
85 *xr = Xl;
86}
87DEF_WEAK(Blowfish_encipher);
88
89void
90Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
91{
92 u_int32_t Xl;
93 u_int32_t Xr;
94 u_int32_t *s = c->S[0];
95 u_int32_t *p = c->P;
96
97 Xl = *xl;
98 Xr = *xr;
99
100 Xl ^= p[17];
101 BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
102 BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
103 BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
104 BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
105 BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
106 BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
107 BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
108 BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
109
110 *xl = Xr ^ p[0];
111 *xr = Xl;
112}
113DEF_WEAK(Blowfish_decipher);
114
115void
116Blowfish_initstate(blf_ctx *c)
117{
118 /* P-box and S-box tables initialized with digits of Pi */
119
120 static const blf_ctx initstate =
121 { {
122 {
123 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
124 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
125 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
126 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
127 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
128 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
129 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
130 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
131 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
132 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
133 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
134 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
135 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
136 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
137 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
138 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
139 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
140 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
141 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
142 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
143 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
144 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
145 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
146 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
147 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
148 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
149 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
150 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
151 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
152 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
153 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
154 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
155 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
156 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
157 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
158 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
159 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
160 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
161 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
162 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
163 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
164 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
165 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
166 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
167 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
168 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
169 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
170 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
171 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
172 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
173 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
174 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
175 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
176 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
177 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
178 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
179 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
180 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
181 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
182 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
183 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
184 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
185 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
186 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
187 {
188 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
189 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
190 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
191 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
192 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
193 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
194 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
195 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
196 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
197 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
198 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
199 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
200 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
201 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
202 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
203 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
204 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
205 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
206 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
207 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
208 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
209 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
210 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
211 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
212 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
213 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
214 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
215 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
216 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
217 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
218 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
219 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
220 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
221 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
222 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
223 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
224 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
225 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
226 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
227 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
228 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
229 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
230 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
231 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
232 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
233 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
234 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
235 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
236 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
237 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
238 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
239 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
240 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
241 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
242 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
243 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
244 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
245 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
246 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
247 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
248 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
249 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
250 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
251 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
252 {
253 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
254 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
255 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
256 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
257 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
258 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
259 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
260 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
261 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
262 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
263 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
264 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
265 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
266 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
267 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
268 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
269 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
270 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
271 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
272 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
273 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
274 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
275 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
276 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
277 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
278 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
279 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
280 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
281 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
282 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
283 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
284 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
285 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
286 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
287 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
288 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
289 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
290 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
291 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
292 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
293 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
294 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
295 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
296 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
297 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
298 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
299 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
300 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
301 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
302 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
303 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
304 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
305 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
306 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
307 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
308 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
309 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
310 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
311 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
312 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
313 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
314 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
315 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
316 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
317 {
318 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
319 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
320 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
321 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
322 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
323 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
324 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
325 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
326 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
327 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
328 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
329 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
330 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
331 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
332 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
333 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
334 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
335 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
336 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
337 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
338 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
339 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
340 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
341 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
342 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
343 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
344 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
345 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
346 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
347 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
348 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
349 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
350 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
351 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
352 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
353 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
354 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
355 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
356 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
357 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
358 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
359 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
360 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
361 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
362 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
363 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
364 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
365 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
366 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
367 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
368 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
369 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
370 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
371 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
372 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
373 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
374 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
375 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
376 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
377 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
378 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
379 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
380 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
381 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
382 },
383 {
384 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
385 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
386 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
387 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
388 0x9216d5d9, 0x8979fb1b
389 } };
390
391 *c = initstate;
392}
393DEF_WEAK(Blowfish_initstate);
394
395u_int32_t
396Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
397 u_int16_t *current)
398{
399 u_int8_t i;
400 u_int16_t j;
401 u_int32_t temp;
402
403 temp = 0x00000000;
404 j = *current;
405
406 for (i = 0; i < 4; i++, j++) {
407 if (j >= databytes)
408 j = 0;
409 temp = (temp << 8) | data[j];
410 }
411
412 *current = j;
413 return temp;
414}
415DEF_WEAK(Blowfish_stream2word);
416
417void
418Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
419{
420 u_int16_t i;
421 u_int16_t j;
422 u_int16_t k;
423 u_int32_t temp;
424 u_int32_t datal;
425 u_int32_t datar;
426
427 j = 0;
428 for (i = 0; i < BLF_N + 2; i++) {
429 /* Extract 4 int8 to 1 int32 from keystream */
430 temp = Blowfish_stream2word(key, keybytes, &j);
431 c->P[i] = c->P[i] ^ temp;
432 }
433
434 j = 0;
435 datal = 0x00000000;
436 datar = 0x00000000;
437 for (i = 0; i < BLF_N + 2; i += 2) {
438 Blowfish_encipher(c, &datal, &datar);
439
440 c->P[i] = datal;
441 c->P[i + 1] = datar;
442 }
443
444 for (i = 0; i < 4; i++) {
445 for (k = 0; k < 256; k += 2) {
446 Blowfish_encipher(c, &datal, &datar);
447
448 c->S[i][k] = datal;
449 c->S[i][k + 1] = datar;
450 }
451 }
452}
453DEF_WEAK(Blowfish_expand0state);
454
455
456void
457Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
458 const u_int8_t *key, u_int16_t keybytes)
459{
460 u_int16_t i;
461 u_int16_t j;
462 u_int16_t k;
463 u_int32_t temp;
464 u_int32_t datal;
465 u_int32_t datar;
466
467 j = 0;
468 for (i = 0; i < BLF_N + 2; i++) {
469 /* Extract 4 int8 to 1 int32 from keystream */
470 temp = Blowfish_stream2word(key, keybytes, &j);
471 c->P[i] = c->P[i] ^ temp;
472 }
473
474 j = 0;
475 datal = 0x00000000;
476 datar = 0x00000000;
477 for (i = 0; i < BLF_N + 2; i += 2) {
478 datal ^= Blowfish_stream2word(data, databytes, &j);
479 datar ^= Blowfish_stream2word(data, databytes, &j);
480 Blowfish_encipher(c, &datal, &datar);
481
482 c->P[i] = datal;
483 c->P[i + 1] = datar;
484 }
485
486 for (i = 0; i < 4; i++) {
487 for (k = 0; k < 256; k += 2) {
488 datal ^= Blowfish_stream2word(data, databytes, &j);
489 datar ^= Blowfish_stream2word(data, databytes, &j);
490 Blowfish_encipher(c, &datal, &datar);
491
492 c->S[i][k] = datal;
493 c->S[i][k + 1] = datar;
494 }
495 }
496
497}
498DEF_WEAK(Blowfish_expandstate);
499
500void
501blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
502{
503 /* Initialize S-boxes and subkeys with Pi */
504 Blowfish_initstate(c);
505
506 /* Transform S-boxes and subkeys with key */
507 Blowfish_expand0state(c, k, len);
508}
509DEF_WEAK(blf_key);
510
511void
512blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
513{
514 u_int32_t *d;
515 u_int16_t i;
516
517 d = data;
518 for (i = 0; i < blocks; i++) {
519 Blowfish_encipher(c, d, d + 1);
520 d += 2;
521 }
522}
523DEF_WEAK(blf_enc);
524
525void
526blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
527{
528 u_int32_t *d;
529 u_int16_t i;
530
531 d = data;
532 for (i = 0; i < blocks; i++) {
533 Blowfish_decipher(c, d, d + 1);
534 d += 2;
535 }
536}
537DEF_WEAK(blf_dec);
538
539void
540blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
541{
542 u_int32_t l, r;
543 u_int32_t i;
544
545 for (i = 0; i < len; i += 8) {
546 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
547 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
548 Blowfish_encipher(c, &l, &r);
549 data[0] = l >> 24 & 0xff;
550 data[1] = l >> 16 & 0xff;
551 data[2] = l >> 8 & 0xff;
552 data[3] = l & 0xff;
553 data[4] = r >> 24 & 0xff;
554 data[5] = r >> 16 & 0xff;
555 data[6] = r >> 8 & 0xff;
556 data[7] = r & 0xff;
557 data += 8;
558 }
559}
560DEF_WEAK(blf_ecb_encrypt);
561
562void
563blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
564{
565 u_int32_t l, r;
566 u_int32_t i;
567
568 for (i = 0; i < len; i += 8) {
569 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
570 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
571 Blowfish_decipher(c, &l, &r);
572 data[0] = l >> 24 & 0xff;
573 data[1] = l >> 16 & 0xff;
574 data[2] = l >> 8 & 0xff;
575 data[3] = l & 0xff;
576 data[4] = r >> 24 & 0xff;
577 data[5] = r >> 16 & 0xff;
578 data[6] = r >> 8 & 0xff;
579 data[7] = r & 0xff;
580 data += 8;
581 }
582}
583DEF_WEAK(blf_ecb_decrypt);
584
585void
586blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
587{
588 u_int32_t l, r;
589 u_int32_t i, j;
590
591 for (i = 0; i < len; i += 8) {
592 for (j = 0; j < 8; j++)
593 data[j] ^= iv[j];
594 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
595 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
596 Blowfish_encipher(c, &l, &r);
597 data[0] = l >> 24 & 0xff;
598 data[1] = l >> 16 & 0xff;
599 data[2] = l >> 8 & 0xff;
600 data[3] = l & 0xff;
601 data[4] = r >> 24 & 0xff;
602 data[5] = r >> 16 & 0xff;
603 data[6] = r >> 8 & 0xff;
604 data[7] = r & 0xff;
605 iv = data;
606 data += 8;
607 }
608}
609DEF_WEAK(blf_cbc_encrypt);
610
611void
612blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
613{
614 u_int32_t l, r;
615 u_int8_t *iv;
616 u_int32_t i, j;
617
618 iv = data + len - 16;
619 data = data + len - 8;
620 for (i = len - 8; i >= 8; i -= 8) {
621 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
622 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
623 Blowfish_decipher(c, &l, &r);
624 data[0] = l >> 24 & 0xff;
625 data[1] = l >> 16 & 0xff;
626 data[2] = l >> 8 & 0xff;
627 data[3] = l & 0xff;
628 data[4] = r >> 24 & 0xff;
629 data[5] = r >> 16 & 0xff;
630 data[6] = r >> 8 & 0xff;
631 data[7] = r & 0xff;
632 for (j = 0; j < 8; j++)
633 data[j] ^= iv[j];
634 iv -= 8;
635 data -= 8;
636 }
637 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
638 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
639 Blowfish_decipher(c, &l, &r);
640 data[0] = l >> 24 & 0xff;
641 data[1] = l >> 16 & 0xff;
642 data[2] = l >> 8 & 0xff;
643 data[3] = l & 0xff;
644 data[4] = r >> 24 & 0xff;
645 data[5] = r >> 16 & 0xff;
646 data[6] = r >> 8 & 0xff;
647 data[7] = r & 0xff;
648 for (j = 0; j < 8; j++)
649 data[j] ^= iva[j];
650}
651DEF_WEAK(blf_cbc_decrypt);
652
653#if 0
654void
655report(u_int32_t data[], u_int16_t len)
656{
657 u_int16_t i;
658 for (i = 0; i < len; i += 2)
659 printf("Block %0hd: %08lx %08lx.\n",
660 i / 2, data[i], data[i + 1]);
661}
662void
663main(void)
664{
665
666 blf_ctx c;
667 char key[] = "AAAAA";
668 char key2[] = "abcdefghijklmnopqrstuvwxyz";
669
670 u_int32_t data[10];
671 u_int32_t data2[] =
672 {0x424c4f57l, 0x46495348l};
673
674 u_int16_t i;
675
676 /* First test */
677 for (i = 0; i < 10; i++)
678 data[i] = i;
679
680 blf_key(&c, (u_int8_t *) key, 5);
681 blf_enc(&c, data, 5);
682 blf_dec(&c, data, 1);
683 blf_dec(&c, data + 2, 4);
684 printf("Should read as 0 - 9.\n");
685 report(data, 10);
686
687 /* Second test */
688 blf_key(&c, (u_int8_t *) key2, strlen(key2));
689 blf_enc(&c, data2, 1);
690 printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
691 report(data2, 2);
692 blf_dec(&c, data2, 1);
693 report(data2, 2);
694}
695#endif
diff --git a/src/lib/libc/crypt/chacha_private.h b/src/lib/libc/crypt/chacha_private.h
deleted file mode 100644
index b0427b6b3e..0000000000
--- a/src/lib/libc/crypt/chacha_private.h
+++ /dev/null
@@ -1,222 +0,0 @@
1/*
2chacha-merged.c version 20080118
3D. J. Bernstein
4Public domain.
5*/
6
7/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
8
9typedef unsigned char u8;
10typedef unsigned int u32;
11
12typedef struct
13{
14 u32 input[16]; /* could be compressed */
15} chacha_ctx;
16
17#define U8C(v) (v##U)
18#define U32C(v) (v##U)
19
20#define U8V(v) ((u8)(v) & U8C(0xFF))
21#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
22
23#define ROTL32(v, n) \
24 (U32V((v) << (n)) | ((v) >> (32 - (n))))
25
26#define U8TO32_LITTLE(p) \
27 (((u32)((p)[0]) ) | \
28 ((u32)((p)[1]) << 8) | \
29 ((u32)((p)[2]) << 16) | \
30 ((u32)((p)[3]) << 24))
31
32#define U32TO8_LITTLE(p, v) \
33 do { \
34 (p)[0] = U8V((v) ); \
35 (p)[1] = U8V((v) >> 8); \
36 (p)[2] = U8V((v) >> 16); \
37 (p)[3] = U8V((v) >> 24); \
38 } while (0)
39
40#define ROTATE(v,c) (ROTL32(v,c))
41#define XOR(v,w) ((v) ^ (w))
42#define PLUS(v,w) (U32V((v) + (w)))
43#define PLUSONE(v) (PLUS((v),1))
44
45#define QUARTERROUND(a,b,c,d) \
46 a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
47 c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
48 a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
49 c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
50
51static const char sigma[16] = "expand 32-byte k";
52static const char tau[16] = "expand 16-byte k";
53
54static void
55chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
56{
57 const char *constants;
58
59 x->input[4] = U8TO32_LITTLE(k + 0);
60 x->input[5] = U8TO32_LITTLE(k + 4);
61 x->input[6] = U8TO32_LITTLE(k + 8);
62 x->input[7] = U8TO32_LITTLE(k + 12);
63 if (kbits == 256) { /* recommended */
64 k += 16;
65 constants = sigma;
66 } else { /* kbits == 128 */
67 constants = tau;
68 }
69 x->input[8] = U8TO32_LITTLE(k + 0);
70 x->input[9] = U8TO32_LITTLE(k + 4);
71 x->input[10] = U8TO32_LITTLE(k + 8);
72 x->input[11] = U8TO32_LITTLE(k + 12);
73 x->input[0] = U8TO32_LITTLE(constants + 0);
74 x->input[1] = U8TO32_LITTLE(constants + 4);
75 x->input[2] = U8TO32_LITTLE(constants + 8);
76 x->input[3] = U8TO32_LITTLE(constants + 12);
77}
78
79static void
80chacha_ivsetup(chacha_ctx *x,const u8 *iv)
81{
82 x->input[12] = 0;
83 x->input[13] = 0;
84 x->input[14] = U8TO32_LITTLE(iv + 0);
85 x->input[15] = U8TO32_LITTLE(iv + 4);
86}
87
88static void
89chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
90{
91 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
92 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
93 u8 *ctarget = NULL;
94 u8 tmp[64];
95 u_int i;
96
97 if (!bytes) return;
98
99 j0 = x->input[0];
100 j1 = x->input[1];
101 j2 = x->input[2];
102 j3 = x->input[3];
103 j4 = x->input[4];
104 j5 = x->input[5];
105 j6 = x->input[6];
106 j7 = x->input[7];
107 j8 = x->input[8];
108 j9 = x->input[9];
109 j10 = x->input[10];
110 j11 = x->input[11];
111 j12 = x->input[12];
112 j13 = x->input[13];
113 j14 = x->input[14];
114 j15 = x->input[15];
115
116 for (;;) {
117 if (bytes < 64) {
118 for (i = 0;i < bytes;++i) tmp[i] = m[i];
119 m = tmp;
120 ctarget = c;
121 c = tmp;
122 }
123 x0 = j0;
124 x1 = j1;
125 x2 = j2;
126 x3 = j3;
127 x4 = j4;
128 x5 = j5;
129 x6 = j6;
130 x7 = j7;
131 x8 = j8;
132 x9 = j9;
133 x10 = j10;
134 x11 = j11;
135 x12 = j12;
136 x13 = j13;
137 x14 = j14;
138 x15 = j15;
139 for (i = 20;i > 0;i -= 2) {
140 QUARTERROUND( x0, x4, x8,x12)
141 QUARTERROUND( x1, x5, x9,x13)
142 QUARTERROUND( x2, x6,x10,x14)
143 QUARTERROUND( x3, x7,x11,x15)
144 QUARTERROUND( x0, x5,x10,x15)
145 QUARTERROUND( x1, x6,x11,x12)
146 QUARTERROUND( x2, x7, x8,x13)
147 QUARTERROUND( x3, x4, x9,x14)
148 }
149 x0 = PLUS(x0,j0);
150 x1 = PLUS(x1,j1);
151 x2 = PLUS(x2,j2);
152 x3 = PLUS(x3,j3);
153 x4 = PLUS(x4,j4);
154 x5 = PLUS(x5,j5);
155 x6 = PLUS(x6,j6);
156 x7 = PLUS(x7,j7);
157 x8 = PLUS(x8,j8);
158 x9 = PLUS(x9,j9);
159 x10 = PLUS(x10,j10);
160 x11 = PLUS(x11,j11);
161 x12 = PLUS(x12,j12);
162 x13 = PLUS(x13,j13);
163 x14 = PLUS(x14,j14);
164 x15 = PLUS(x15,j15);
165
166#ifndef KEYSTREAM_ONLY
167 x0 = XOR(x0,U8TO32_LITTLE(m + 0));
168 x1 = XOR(x1,U8TO32_LITTLE(m + 4));
169 x2 = XOR(x2,U8TO32_LITTLE(m + 8));
170 x3 = XOR(x3,U8TO32_LITTLE(m + 12));
171 x4 = XOR(x4,U8TO32_LITTLE(m + 16));
172 x5 = XOR(x5,U8TO32_LITTLE(m + 20));
173 x6 = XOR(x6,U8TO32_LITTLE(m + 24));
174 x7 = XOR(x7,U8TO32_LITTLE(m + 28));
175 x8 = XOR(x8,U8TO32_LITTLE(m + 32));
176 x9 = XOR(x9,U8TO32_LITTLE(m + 36));
177 x10 = XOR(x10,U8TO32_LITTLE(m + 40));
178 x11 = XOR(x11,U8TO32_LITTLE(m + 44));
179 x12 = XOR(x12,U8TO32_LITTLE(m + 48));
180 x13 = XOR(x13,U8TO32_LITTLE(m + 52));
181 x14 = XOR(x14,U8TO32_LITTLE(m + 56));
182 x15 = XOR(x15,U8TO32_LITTLE(m + 60));
183#endif
184
185 j12 = PLUSONE(j12);
186 if (!j12) {
187 j13 = PLUSONE(j13);
188 /* stopping at 2^70 bytes per nonce is user's responsibility */
189 }
190
191 U32TO8_LITTLE(c + 0,x0);
192 U32TO8_LITTLE(c + 4,x1);
193 U32TO8_LITTLE(c + 8,x2);
194 U32TO8_LITTLE(c + 12,x3);
195 U32TO8_LITTLE(c + 16,x4);
196 U32TO8_LITTLE(c + 20,x5);
197 U32TO8_LITTLE(c + 24,x6);
198 U32TO8_LITTLE(c + 28,x7);
199 U32TO8_LITTLE(c + 32,x8);
200 U32TO8_LITTLE(c + 36,x9);
201 U32TO8_LITTLE(c + 40,x10);
202 U32TO8_LITTLE(c + 44,x11);
203 U32TO8_LITTLE(c + 48,x12);
204 U32TO8_LITTLE(c + 52,x13);
205 U32TO8_LITTLE(c + 56,x14);
206 U32TO8_LITTLE(c + 60,x15);
207
208 if (bytes <= 64) {
209 if (bytes < 64) {
210 for (i = 0;i < bytes;++i) ctarget[i] = c[i];
211 }
212 x->input[12] = j12;
213 x->input[13] = j13;
214 return;
215 }
216 bytes -= 64;
217 c += 64;
218#ifndef KEYSTREAM_ONLY
219 m += 64;
220#endif
221 }
222}
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
deleted file mode 100644
index c8ebf9861d..0000000000
--- a/src/lib/libc/crypt/crypt.3
+++ /dev/null
@@ -1,144 +0,0 @@
1.\" $OpenBSD: crypt.3,v 1.45 2015/04/06 20:49:41 tedu Exp $
2.\"
3.\" FreeSec: libcrypt
4.\"
5.\" Copyright (c) 1994 David Burren
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the author nor the names of other contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" Manual page, using -mandoc macros
33.\"
34.Dd $Mdocdate: April 6 2015 $
35.Dt CRYPT 3
36.Os
37.Sh NAME
38.Nm crypt ,
39.Nm bcrypt_gensalt ,
40.Nm bcrypt
41.Nd password hashing
42.Sh SYNOPSIS
43.In stdlib.h
44.Pp
45.In unistd.h
46.Ft char *
47.Fn crypt "const char *key" "const char *setting"
48.In pwd.h
49.Ft char *
50.Fn bcrypt_gensalt "u_int8_t log_rounds"
51.Ft char *
52.Fn bcrypt "const char *key" "const char *salt"
53.Sh DESCRIPTION
54These functions are deprecated in favor of
55.Xr crypt_checkpass 3
56and
57.Xr crypt_newhash 3 .
58.Pp
59The
60.Fn crypt
61function performs password hashing.
62Additional code has been added to deter key search attempts and to use
63stronger hashing algorithms.
64.Pp
65The first argument to
66.Fn crypt
67is a NUL-terminated
68string
69.Fa key ,
70typically a user's typed password.
71The second,
72.Fa setting ,
73currently supports a single form.
74If it begins
75with a string character
76.Pq Ql $
77and a number then a different algorithm is used depending on the number.
78At the moment
79.Ql $2
80chooses Blowfish hashing; see below for more information.
81.Ss Blowfish crypt
82The Blowfish version of crypt has 128 bits of
83.Fa salt
84in order to make building dictionaries of common passwords space consuming.
85The initial state of the
86Blowfish cipher is expanded using the
87.Fa salt
88and the
89.Fa password
90repeating the process a variable number of rounds, which is encoded in
91the password string.
92The maximum password length is 72.
93The final Blowfish password entry is created by encrypting the string
94.Pp
95.Dq OrpheanBeholderScryDoubt
96.Pp
97with the Blowfish state 64 times.
98.Pp
99The version number, the logarithm of the number of rounds and
100the concatenation of salt and hashed password are separated by the
101.Ql $
102character.
103An encoded
104.Sq 8
105would specify 256 rounds.
106A valid Blowfish password looks like this:
107.Pp
108.Dq $2b$12$FPWWO2RJ3CK4FINTw0Hi8OiPKJcX653gzSS.jqltHFMxyDmmQ0Hqq .
109.Pp
110The whole Blowfish password string is passed as
111.Fa setting
112for interpretation.
113.Sh RETURN VALUES
114The function
115.Fn crypt
116returns a pointer to the encrypted value on success, and
117.Dv NULL
118on failure.
119.Sh SEE ALSO
120.Xr encrypt 1 ,
121.Xr login 1 ,
122.Xr passwd 1 ,
123.Xr blowfish 3 ,
124.Xr crypt_checkpass 3 ,
125.Xr getpass 3 ,
126.Xr passwd 5
127.Sh HISTORY
128A rotor-based
129.Fn crypt
130function appeared in
131.At v3 .
132A DES-based
133.Fn crypt
134first appeared in
135.At v7 .
136.Fn bcrypt
137first appeared in
138.Ox 2.1 .
139.Sh BUGS
140The
141.Fn crypt
142function returns a pointer to static data, and subsequent calls to
143.Fn crypt
144will modify the same object.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
deleted file mode 100644
index 40d5503544..0000000000
--- a/src/lib/libc/crypt/crypt.c
+++ /dev/null
@@ -1,22 +0,0 @@
1/* $OpenBSD: crypt.c,v 1.31 2015/09/12 14:56:50 guenther Exp $ */
2
3#include <errno.h>
4#include <pwd.h>
5#include <unistd.h>
6
7char *
8crypt(const char *key, const char *setting)
9{
10 if (setting[0] == '$') {
11 switch (setting[1]) {
12 case '2':
13 return bcrypt(key, setting);
14 default:
15 errno = EINVAL;
16 return (NULL);
17 }
18 }
19 errno = EINVAL;
20 return (NULL);
21}
22DEF_WEAK(crypt);
diff --git a/src/lib/libc/crypt/crypt_checkpass.3 b/src/lib/libc/crypt/crypt_checkpass.3
deleted file mode 100644
index 07a77ae7c0..0000000000
--- a/src/lib/libc/crypt/crypt_checkpass.3
+++ /dev/null
@@ -1,113 +0,0 @@
1.\" $OpenBSD: crypt_checkpass.3,v 1.13 2021/10/29 10:54:33 deraadt Exp $
2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: October 29 2021 $
18.Dt CRYPT_CHECKPASS 3
19.Os
20.Sh NAME
21.Nm crypt_checkpass ,
22.Nm crypt_newhash
23.Nd password hashing
24.Sh SYNOPSIS
25.In pwd.h
26.In unistd.h
27.Ft int
28.Fn crypt_checkpass "const char *password" "const char *hash"
29.Ft int
30.Fn crypt_newhash "const char *password" "const char *pref" "char *hash" "size_t hashsize"
31.Sh DESCRIPTION
32The
33.Fn crypt_checkpass
34function simplifies checking a user's password.
35If both the
36.Fa hash
37and the
38.Fa password
39are the empty string, authentication
40is a success.
41Otherwise, the
42.Fa password
43is hashed and compared to the provided
44.Fa hash .
45If the
46.Fa hash
47is
48.Dv NULL ,
49authentication will always fail, but a default
50amount of work is performed to simulate the hashing operation.
51A successful match will return 0.
52A failure will return \-1 and set
53.Xr errno 2 .
54.Pp
55The
56.Fn crypt_newhash
57function simplifies the creation of new password hashes.
58The provided
59.Fa password
60is randomly salted and hashed and stored in
61.Fa hash .
62The size of the available space is specified by
63.Fa hashsize ,
64which should be
65.Dv _PASSWORD_LEN .
66The
67.Fa pref
68argument identifies the preferred hashing algorithm and parameters.
69Possible values are:
70.Bl -tag -width Ds
71.It Dq bcrypt,<rounds>
72The bcrypt algorithm, where the value of rounds can be between 4 and 31 and
73specifies the base 2 logarithm of the number of rounds.
74If rounds is omitted or the special value
75.Sq a ,
76an appropriate number of rounds is automatically selected based on system
77performance.
78.El
79.Sh RETURN VALUES
80.Rv -std crypt_checkpass crypt_newhash
81.Sh ERRORS
82The
83.Fn crypt_checkpass
84function sets
85.Va errno
86to
87.Er EACCES
88when authentication fails.
89.Pp
90The
91.Fn crypt_newhash
92function sets
93.Va errno
94to
95.Er EINVAL
96if
97.Fa pref
98is unsupported or insufficient space is provided.
99.Sh SEE ALSO
100.Xr crypt 3 ,
101.Xr login.conf 5 ,
102.Xr passwd 5
103.Sh HISTORY
104The function
105.Fn crypt_checkpass
106first appeared in
107.Ox 5.6 ,
108and
109.Fn crypt_newhash
110in
111.Ox 5.7 .
112.Sh AUTHORS
113.An Ted Unangst Aq Mt tedu@openbsd.org
diff --git a/src/lib/libc/crypt/cryptutil.c b/src/lib/libc/crypt/cryptutil.c
deleted file mode 100644
index f48ba1af2c..0000000000
--- a/src/lib/libc/crypt/cryptutil.c
+++ /dev/null
@@ -1,97 +0,0 @@
1/* $OpenBSD: cryptutil.c,v 1.12 2015/09/13 15:33:48 guenther Exp $ */
2/*
3 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17#include <stdlib.h>
18#include <unistd.h>
19#include <string.h>
20#include <pwd.h>
21#include <login_cap.h>
22#include <errno.h>
23
24int
25crypt_checkpass(const char *pass, const char *goodhash)
26{
27 char dummy[_PASSWORD_LEN];
28
29 if (goodhash == NULL) {
30 /* fake it */
31 goto fake;
32 }
33
34 /* empty password */
35 if (strlen(goodhash) == 0 && strlen(pass) == 0)
36 return 0;
37
38 if (goodhash[0] == '$' && goodhash[1] == '2') {
39 if (bcrypt_checkpass(pass, goodhash))
40 goto fail;
41 return 0;
42 }
43
44 /* unsupported. fake it. */
45fake:
46 bcrypt_newhash(pass, 8, dummy, sizeof(dummy));
47fail:
48 errno = EACCES;
49 return -1;
50}
51DEF_WEAK(crypt_checkpass);
52
53int
54crypt_newhash(const char *pass, const char *pref, char *hash, size_t hashlen)
55{
56 int rv = -1;
57 const char *defaultpref = "blowfish,8";
58 const char *errstr;
59 const char *choices[] = { "blowfish", "bcrypt" };
60 size_t maxchoice = sizeof(choices) / sizeof(choices[0]);
61 int i;
62 int rounds;
63
64 if (pref == NULL)
65 pref = defaultpref;
66
67 for (i = 0; i < maxchoice; i++) {
68 const char *choice = choices[i];
69 size_t len = strlen(choice);
70 if (strcmp(pref, choice) == 0) {
71 rounds = _bcrypt_autorounds();
72 break;
73 } else if (strncmp(pref, choice, len) == 0 &&
74 pref[len] == ',') {
75 if (strcmp(pref + len + 1, "a") == 0) {
76 rounds = _bcrypt_autorounds();
77 } else {
78 rounds = strtonum(pref + len + 1, 4, 31, &errstr);
79 if (errstr) {
80 errno = EINVAL;
81 goto err;
82 }
83 }
84 break;
85 }
86 }
87 if (i == maxchoice) {
88 errno = EINVAL;
89 goto err;
90 }
91
92 rv = bcrypt_newhash(pass, rounds, hash, hashlen);
93
94err:
95 return rv;
96}
97DEF_WEAK(crypt_newhash);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-13 08:02:18 +0000