summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
committercvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
commitb1ddde874c215cc8891531ed92876f091b7eb83e (patch)
treeedb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libc/crypt
parentf0a36529837a161734c802ae4c42e84e42347be2 (diff)
downloadopenbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414
Diffstat (limited to 'src/lib/libc/crypt')
-rw-r--r--src/lib/libc/crypt/Makefile.inc8
-rw-r--r--src/lib/libc/crypt/arc4random.3116
-rw-r--r--src/lib/libc/crypt/arc4random.c204
-rw-r--r--src/lib/libc/crypt/arc4random.h61
-rw-r--r--src/lib/libc/crypt/arc4random_uniform.c57
-rw-r--r--src/lib/libc/crypt/bcrypt.c397
-rw-r--r--src/lib/libc/crypt/blowfish.3103
-rw-r--r--src/lib/libc/crypt/blowfish.c688
-rw-r--r--src/lib/libc/crypt/chacha_private.h222
-rw-r--r--src/lib/libc/crypt/crypt.3144
-rw-r--r--src/lib/libc/crypt/crypt.c22
-rw-r--r--src/lib/libc/crypt/crypt_checkpass.3113
-rw-r--r--src/lib/libc/crypt/cryptutil.c97
13 files changed, 0 insertions, 2232 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
deleted file mode 100644
index e9263b09fe..0000000000
--- a/src/lib/libc/crypt/Makefile.inc
+++ /dev/null
@@ -1,8 +0,0 @@
1# $OpenBSD: Makefile.inc,v 1.27 2016/03/30 06:38:41 jmc Exp $
2
3.PATH: ${LIBCSRCDIR}/arch/${MACHINE_CPU}/crypt ${LIBCSRCDIR}/crypt
4
5SRCS+= crypt.c cryptutil.c arc4random.c arc4random_uniform.c \
6 blowfish.c bcrypt.c
7
8MAN+= crypt.3 crypt_checkpass.3 blowfish.3 arc4random.3
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
deleted file mode 100644
index 411860c28f..0000000000
--- a/src/lib/libc/crypt/arc4random.3
+++ /dev/null
@@ -1,116 +0,0 @@
1.\" $OpenBSD: arc4random.3,v 1.37 2019/09/29 16:30:35 jmc Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: September 29 2019 $
34.Dt ARC4RANDOM 3
35.Os
36.Sh NAME
37.Nm arc4random ,
38.Nm arc4random_buf ,
39.Nm arc4random_uniform
40.Nd random number generator
41.Sh SYNOPSIS
42.In stdlib.h
43.Ft uint32_t
44.Fn arc4random "void"
45.Ft void
46.Fn arc4random_buf "void *buf" "size_t nbytes"
47.Ft uint32_t
48.Fn arc4random_uniform "uint32_t upper_bound"
49.Sh DESCRIPTION
50This family of functions provides higher quality data than those
51described in
52.Xr rand 3 ,
53.Xr random 3 ,
54and
55.Xr rand48 3 .
56.Pp
57Use of these functions is encouraged for almost all random number
58consumption because the other interfaces are deficient in either
59quality, portability, standardization, or availability.
60These functions can be called in almost all coding environments,
61including
62.Xr pthreads 3
63and
64.Xr chroot 2 .
65.Pp
66High quality 32-bit pseudo-random numbers are generated very quickly.
67On each call, a cryptographic pseudo-random number generator is used
68to generate a new result.
69One data pool is used for all consumers in a process, so that consumption
70under program flow can act as additional stirring.
71The subsystem is re-seeded from the kernel
72.Xr random 4
73subsystem using
74.Xr getentropy 2
75on a regular basis, and also upon
76.Xr fork 2 .
77.Pp
78The
79.Fn arc4random
80function returns a single 32-bit value.
81.Pp
82.Fn arc4random_buf
83fills the region
84.Fa buf
85of length
86.Fa nbytes
87with random data.
88.Pp
89.Fn arc4random_uniform
90will return a single 32-bit value, uniformly distributed but less than
91.Fa upper_bound .
92This is recommended over constructions like
93.Dq Li arc4random() % upper_bound
94as it avoids "modulo bias" when the upper bound is not a power of two.
95In the worst case, this function may consume multiple iterations
96to ensure uniformity; see the source code to understand the problem
97and solution.
98.Sh RETURN VALUES
99These functions are always successful, and no return value is
100reserved to indicate an error.
101.Sh SEE ALSO
102.Xr rand 3 ,
103.Xr rand48 3 ,
104.Xr random 3
105.Sh HISTORY
106These functions first appeared in
107.Ox 2.1 .
108.Pp
109The original version of this random number generator used the
110RC4 (also known as ARC4) algorithm.
111In
112.Ox 5.5
113it was replaced with the ChaCha20 cipher, and it may be replaced
114again in the future as cryptographic techniques advance.
115A good mnemonic is
116.Dq A Replacement Call for Random .
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
deleted file mode 100644
index 2da8e010ad..0000000000
--- a/src/lib/libc/crypt/arc4random.c
+++ /dev/null
@@ -1,204 +0,0 @@
1/* $OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22/*
23 * ChaCha based random number generator for OpenBSD.
24 */
25
26#include <fcntl.h>
27#include <limits.h>
28#include <signal.h>
29#include <stdint.h>
30#include <stdlib.h>
31#include <string.h>
32#include <unistd.h>
33#include <sys/types.h>
34#include <sys/time.h>
35
36#define KEYSTREAM_ONLY
37#include "chacha_private.h"
38
39#define minimum(a, b) ((a) < (b) ? (a) : (b))
40
41#if defined(__GNUC__) || defined(_MSC_VER)
42#define inline __inline
43#else /* __GNUC__ || _MSC_VER */
44#define inline
45#endif /* !__GNUC__ && !_MSC_VER */
46
47#define KEYSZ 32
48#define IVSZ 8
49#define BLOCKSZ 64
50#define RSBUFSZ (16*BLOCKSZ)
51
52#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */
53
54/* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
55static struct _rs {
56 size_t rs_have; /* valid bytes at end of rs_buf */
57 size_t rs_count; /* bytes till reseed */
58} *rs;
59
60/* Maybe be preserved in fork children, if _rs_allocate() decides. */
61static struct _rsx {
62 chacha_ctx rs_chacha; /* chacha context for random keystream */
63 u_char rs_buf[RSBUFSZ]; /* keystream blocks */
64} *rsx;
65
66static inline int _rs_allocate(struct _rs **, struct _rsx **);
67static inline void _rs_forkdetect(void);
68#include "arc4random.h"
69
70static inline void _rs_rekey(u_char *dat, size_t datlen);
71
72static inline void
73_rs_init(u_char *buf, size_t n)
74{
75 if (n < KEYSZ + IVSZ)
76 return;
77
78 if (rs == NULL) {
79 if (_rs_allocate(&rs, &rsx) == -1)
80 _exit(1);
81 }
82
83 chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
84 chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
85}
86
87static void
88_rs_stir(void)
89{
90 u_char rnd[KEYSZ + IVSZ];
91 uint32_t rekey_fuzz = 0;
92
93 if (getentropy(rnd, sizeof rnd) == -1)
94 _getentropy_fail();
95
96 if (!rs)
97 _rs_init(rnd, sizeof(rnd));
98 else
99 _rs_rekey(rnd, sizeof(rnd));
100 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
101
102 /* invalidate rs_buf */
103 rs->rs_have = 0;
104 memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
105
106 /* rekey interval should not be predictable */
107 chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
108 (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
109 rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
110}
111
112static inline void
113_rs_stir_if_needed(size_t len)
114{
115 _rs_forkdetect();
116 if (!rs || rs->rs_count <= len)
117 _rs_stir();
118 if (rs->rs_count <= len)
119 rs->rs_count = 0;
120 else
121 rs->rs_count -= len;
122}
123
124static inline void
125_rs_rekey(u_char *dat, size_t datlen)
126{
127#ifndef KEYSTREAM_ONLY
128 memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
129#endif
130 /* fill rs_buf with the keystream */
131 chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
132 rsx->rs_buf, sizeof(rsx->rs_buf));
133 /* mix in optional user provided data */
134 if (dat) {
135 size_t i, m;
136
137 m = minimum(datlen, KEYSZ + IVSZ);
138 for (i = 0; i < m; i++)
139 rsx->rs_buf[i] ^= dat[i];
140 }
141 /* immediately reinit for backtracking resistance */
142 _rs_init(rsx->rs_buf, KEYSZ + IVSZ);
143 memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
144 rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
145}
146
147static inline void
148_rs_random_buf(void *_buf, size_t n)
149{
150 u_char *buf = (u_char *)_buf;
151 u_char *keystream;
152 size_t m;
153
154 _rs_stir_if_needed(n);
155 while (n > 0) {
156 if (rs->rs_have > 0) {
157 m = minimum(n, rs->rs_have);
158 keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
159 - rs->rs_have;
160 memcpy(buf, keystream, m);
161 memset(keystream, 0, m);
162 buf += m;
163 n -= m;
164 rs->rs_have -= m;
165 }
166 if (rs->rs_have == 0)
167 _rs_rekey(NULL, 0);
168 }
169}
170
171static inline void
172_rs_random_u32(uint32_t *val)
173{
174 u_char *keystream;
175
176 _rs_stir_if_needed(sizeof(*val));
177 if (rs->rs_have < sizeof(*val))
178 _rs_rekey(NULL, 0);
179 keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
180 memcpy(val, keystream, sizeof(*val));
181 memset(keystream, 0, sizeof(*val));
182 rs->rs_have -= sizeof(*val);
183}
184
185uint32_t
186arc4random(void)
187{
188 uint32_t val;
189
190 _ARC4_LOCK();
191 _rs_random_u32(&val);
192 _ARC4_UNLOCK();
193 return val;
194}
195DEF_WEAK(arc4random);
196
197void
198arc4random_buf(void *buf, size_t n)
199{
200 _ARC4_LOCK();
201 _rs_random_buf(buf, n);
202 _ARC4_UNLOCK();
203}
204DEF_WEAK(arc4random_buf);
diff --git a/src/lib/libc/crypt/arc4random.h b/src/lib/libc/crypt/arc4random.h
deleted file mode 100644
index 4abd15321a..0000000000
--- a/src/lib/libc/crypt/arc4random.h
+++ /dev/null
@@ -1,61 +0,0 @@
1/* $OpenBSD: arc4random.h,v 1.4 2015/01/15 06:57:18 deraadt Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
8 *
9 * Permission to use, copy, modify, and distribute this software for any
10 * purpose with or without fee is hereby granted, provided that the above
11 * copyright notice and this permission notice appear in all copies.
12 *
13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 */
21
22/*
23 * Stub functions for portability.
24 */
25#include <sys/mman.h>
26
27#include <signal.h>
28
29#include "thread_private.h"
30
31static inline void
32_getentropy_fail(void)
33{
34 raise(SIGKILL);
35}
36
37static inline int
38_rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
39{
40 struct {
41 struct _rs rs;
42 struct _rsx rsx;
43 } *p;
44
45 if ((p = mmap(NULL, sizeof(*p), PROT_READ|PROT_WRITE,
46 MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
47 return (-1);
48 if (minherit(p, sizeof(*p), MAP_INHERIT_ZERO) == -1) {
49 munmap(p, sizeof(*p));
50 return (-1);
51 }
52
53 *rsp = &p->rs;
54 *rsxp = &p->rsx;
55 return (0);
56}
57
58static inline void
59_rs_forkdetect(void)
60{
61}
diff --git a/src/lib/libc/crypt/arc4random_uniform.c b/src/lib/libc/crypt/arc4random_uniform.c
deleted file mode 100644
index a18b5b1238..0000000000
--- a/src/lib/libc/crypt/arc4random_uniform.c
+++ /dev/null
@@ -1,57 +0,0 @@
1/* $OpenBSD: arc4random_uniform.c,v 1.3 2019/01/20 02:59:07 bcook Exp $ */
2
3/*
4 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <stdint.h>
20#include <stdlib.h>
21
22/*
23 * Calculate a uniformly distributed random number less than upper_bound
24 * avoiding "modulo bias".
25 *
26 * Uniformity is achieved by generating new random numbers until the one
27 * returned is outside the range [0, 2**32 % upper_bound). This
28 * guarantees the selected random number will be inside
29 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
30 * after reduction modulo upper_bound.
31 */
32uint32_t
33arc4random_uniform(uint32_t upper_bound)
34{
35 uint32_t r, min;
36
37 if (upper_bound < 2)
38 return 0;
39
40 /* 2**32 % x == (2**32 - x) % x */
41 min = -upper_bound % upper_bound;
42
43 /*
44 * This could theoretically loop forever but each retry has
45 * p > 0.5 (worst case, usually far better) of selecting a
46 * number inside the range we need, so it should rarely need
47 * to re-roll.
48 */
49 for (;;) {
50 r = arc4random();
51 if (r >= min)
52 break;
53 }
54
55 return r % upper_bound;
56}
57DEF_WEAK(arc4random_uniform);
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c
deleted file mode 100644
index ba45b104ed..0000000000
--- a/src/lib/libc/crypt/bcrypt.c
+++ /dev/null
@@ -1,397 +0,0 @@
1/* $OpenBSD: bcrypt.c,v 1.58 2020/07/06 13:33:05 pirofti Exp $ */
2
3/*
4 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
5 * Copyright (c) 1997 Niels Provos <provos@umich.edu>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19/* This password hashing algorithm was designed by David Mazieres
20 * <dm@lcs.mit.edu> and works as follows:
21 *
22 * 1. state := InitState ()
23 * 2. state := ExpandKey (state, salt, password)
24 * 3. REPEAT rounds:
25 * state := ExpandKey (state, 0, password)
26 * state := ExpandKey (state, 0, salt)
27 * 4. ctext := "OrpheanBeholderScryDoubt"
28 * 5. REPEAT 64:
29 * ctext := Encrypt_ECB (state, ctext);
30 * 6. RETURN Concatenate (salt, ctext);
31 *
32 */
33
34#include <sys/types.h>
35#include <blf.h>
36#include <ctype.h>
37#include <errno.h>
38#include <pwd.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <time.h>
43
44/* This implementation is adaptable to current computing power.
45 * You can have up to 2^31 rounds which should be enough for some
46 * time to come.
47 */
48
49#define BCRYPT_VERSION '2'
50#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
51#define BCRYPT_WORDS 6 /* Ciphertext words */
52#define BCRYPT_MINLOGROUNDS 4 /* we have log2(rounds) in salt */
53
54#define BCRYPT_SALTSPACE (7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1)
55#define BCRYPT_HASHSPACE 61
56
57char *bcrypt_gensalt(u_int8_t);
58
59static int encode_base64(char *, const u_int8_t *, size_t);
60static int decode_base64(u_int8_t *, size_t, const char *);
61
62/*
63 * Generates a salt for this version of crypt.
64 */
65static int
66bcrypt_initsalt(int log_rounds, uint8_t *salt, size_t saltbuflen)
67{
68 uint8_t csalt[BCRYPT_MAXSALT];
69
70 if (saltbuflen < BCRYPT_SALTSPACE) {
71 errno = EINVAL;
72 return -1;
73 }
74
75 arc4random_buf(csalt, sizeof(csalt));
76
77 if (log_rounds < 4)
78 log_rounds = 4;
79 else if (log_rounds > 31)
80 log_rounds = 31;
81
82 snprintf(salt, saltbuflen, "$2b$%2.2u$", log_rounds);
83 encode_base64(salt + 7, csalt, sizeof(csalt));
84
85 return 0;
86}
87
88/*
89 * the core bcrypt function
90 */
91static int
92bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
93 size_t encryptedlen)
94{
95 blf_ctx state;
96 u_int32_t rounds, i, k;
97 u_int16_t j;
98 size_t key_len;
99 u_int8_t salt_len, logr, minor;
100 u_int8_t ciphertext[4 * BCRYPT_WORDS] = "OrpheanBeholderScryDoubt";
101 u_int8_t csalt[BCRYPT_MAXSALT];
102 u_int32_t cdata[BCRYPT_WORDS];
103
104 if (encryptedlen < BCRYPT_HASHSPACE)
105 goto inval;
106
107 /* Check and discard "$" identifier */
108 if (salt[0] != '$')
109 goto inval;
110 salt += 1;
111
112 if (salt[0] != BCRYPT_VERSION)
113 goto inval;
114
115 /* Check for minor versions */
116 switch ((minor = salt[1])) {
117 case 'a':
118 key_len = (u_int8_t)(strlen(key) + 1);
119 break;
120 case 'b':
121 /* strlen() returns a size_t, but the function calls
122 * below result in implicit casts to a narrower integer
123 * type, so cap key_len at the actual maximum supported
124 * length here to avoid integer wraparound */
125 key_len = strlen(key);
126 if (key_len > 72)
127 key_len = 72;
128 key_len++; /* include the NUL */
129 break;
130 default:
131 goto inval;
132 }
133 if (salt[2] != '$')
134 goto inval;
135 /* Discard version + "$" identifier */
136 salt += 3;
137
138 /* Check and parse num rounds */
139 if (!isdigit((unsigned char)salt[0]) ||
140 !isdigit((unsigned char)salt[1]) || salt[2] != '$')
141 goto inval;
142 logr = (salt[1] - '0') + ((salt[0] - '0') * 10);
143 if (logr < BCRYPT_MINLOGROUNDS || logr > 31)
144 goto inval;
145 /* Computer power doesn't increase linearly, 2^x should be fine */
146 rounds = 1U << logr;
147
148 /* Discard num rounds + "$" identifier */
149 salt += 3;
150
151 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
152 goto inval;
153
154 /* We dont want the base64 salt but the raw data */
155 if (decode_base64(csalt, BCRYPT_MAXSALT, salt))
156 goto inval;
157 salt_len = BCRYPT_MAXSALT;
158
159 /* Setting up S-Boxes and Subkeys */
160 Blowfish_initstate(&state);
161 Blowfish_expandstate(&state, csalt, salt_len,
162 (u_int8_t *) key, key_len);
163 for (k = 0; k < rounds; k++) {
164 Blowfish_expand0state(&state, (u_int8_t *) key, key_len);
165 Blowfish_expand0state(&state, csalt, salt_len);
166 }
167
168 /* This can be precomputed later */
169 j = 0;
170 for (i = 0; i < BCRYPT_WORDS; i++)
171 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_WORDS, &j);
172
173 /* Now do the encryption */
174 for (k = 0; k < 64; k++)
175 blf_enc(&state, cdata, BCRYPT_WORDS / 2);
176
177 for (i = 0; i < BCRYPT_WORDS; i++) {
178 ciphertext[4 * i + 3] = cdata[i] & 0xff;
179 cdata[i] = cdata[i] >> 8;
180 ciphertext[4 * i + 2] = cdata[i] & 0xff;
181 cdata[i] = cdata[i] >> 8;
182 ciphertext[4 * i + 1] = cdata[i] & 0xff;
183 cdata[i] = cdata[i] >> 8;
184 ciphertext[4 * i + 0] = cdata[i] & 0xff;
185 }
186
187
188 snprintf(encrypted, 8, "$2%c$%2.2u$", minor, logr);
189 encode_base64(encrypted + 7, csalt, BCRYPT_MAXSALT);
190 encode_base64(encrypted + 7 + 22, ciphertext, 4 * BCRYPT_WORDS - 1);
191 explicit_bzero(&state, sizeof(state));
192 explicit_bzero(ciphertext, sizeof(ciphertext));
193 explicit_bzero(csalt, sizeof(csalt));
194 explicit_bzero(cdata, sizeof(cdata));
195 return 0;
196
197inval:
198 errno = EINVAL;
199 return -1;
200}
201
202/*
203 * user friendly functions
204 */
205int
206bcrypt_newhash(const char *pass, int log_rounds, char *hash, size_t hashlen)
207{
208 char salt[BCRYPT_SALTSPACE];
209
210 if (bcrypt_initsalt(log_rounds, salt, sizeof(salt)) != 0)
211 return -1;
212
213 if (bcrypt_hashpass(pass, salt, hash, hashlen) != 0)
214 return -1;
215
216 explicit_bzero(salt, sizeof(salt));
217 return 0;
218}
219DEF_WEAK(bcrypt_newhash);
220
221int
222bcrypt_checkpass(const char *pass, const char *goodhash)
223{
224 char hash[BCRYPT_HASHSPACE];
225
226 if (bcrypt_hashpass(pass, goodhash, hash, sizeof(hash)) != 0)
227 return -1;
228 if (strlen(hash) != strlen(goodhash) ||
229 timingsafe_bcmp(hash, goodhash, strlen(goodhash)) != 0) {
230 errno = EACCES;
231 return -1;
232 }
233
234 explicit_bzero(hash, sizeof(hash));
235 return 0;
236}
237DEF_WEAK(bcrypt_checkpass);
238
239/*
240 * Measure this system's performance by measuring the time for 8 rounds.
241 * We are aiming for something that takes around 0.1s, but not too much over.
242 */
243int
244_bcrypt_autorounds(void)
245{
246 struct timespec before, after;
247 int r = 8;
248 char buf[_PASSWORD_LEN];
249 int duration;
250
251 WRAP(clock_gettime)(CLOCK_THREAD_CPUTIME_ID, &before);
252 bcrypt_newhash("testpassword", r, buf, sizeof(buf));
253 WRAP(clock_gettime)(CLOCK_THREAD_CPUTIME_ID, &after);
254
255 duration = after.tv_sec - before.tv_sec;
256 duration *= 1000000;
257 duration += (after.tv_nsec - before.tv_nsec) / 1000;
258
259 /* too quick? slow it down. */
260 while (r < 16 && duration <= 60000) {
261 r += 1;
262 duration *= 2;
263 }
264 /* too slow? speed it up. */
265 while (r > 6 && duration > 120000) {
266 r -= 1;
267 duration /= 2;
268 }
269
270 return r;
271}
272
273/*
274 * internal utilities
275 */
276static const u_int8_t Base64Code[] =
277"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
278
279static const u_int8_t index_64[128] = {
280 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
281 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
282 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
283 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
284 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
285 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
286 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
287 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
288 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
289 255, 255, 255, 255, 255, 255, 28, 29, 30,
290 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
291 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
292 51, 52, 53, 255, 255, 255, 255, 255
293};
294#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
295
296/*
297 * read buflen (after decoding) bytes of data from b64data
298 */
299static int
300decode_base64(u_int8_t *buffer, size_t len, const char *b64data)
301{
302 u_int8_t *bp = buffer;
303 const u_int8_t *p = b64data;
304 u_int8_t c1, c2, c3, c4;
305
306 while (bp < buffer + len) {
307 c1 = CHAR64(*p);
308 /* Invalid data */
309 if (c1 == 255)
310 return -1;
311
312 c2 = CHAR64(*(p + 1));
313 if (c2 == 255)
314 return -1;
315
316 *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
317 if (bp >= buffer + len)
318 break;
319
320 c3 = CHAR64(*(p + 2));
321 if (c3 == 255)
322 return -1;
323
324 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
325 if (bp >= buffer + len)
326 break;
327
328 c4 = CHAR64(*(p + 3));
329 if (c4 == 255)
330 return -1;
331 *bp++ = ((c3 & 0x03) << 6) | c4;
332
333 p += 4;
334 }
335 return 0;
336}
337
338/*
339 * Turn len bytes of data into base64 encoded data.
340 * This works without = padding.
341 */
342static int
343encode_base64(char *b64buffer, const u_int8_t *data, size_t len)
344{
345 u_int8_t *bp = b64buffer;
346 const u_int8_t *p = data;
347 u_int8_t c1, c2;
348
349 while (p < data + len) {
350 c1 = *p++;
351 *bp++ = Base64Code[(c1 >> 2)];
352 c1 = (c1 & 0x03) << 4;
353 if (p >= data + len) {
354 *bp++ = Base64Code[c1];
355 break;
356 }
357 c2 = *p++;
358 c1 |= (c2 >> 4) & 0x0f;
359 *bp++ = Base64Code[c1];
360 c1 = (c2 & 0x0f) << 2;
361 if (p >= data + len) {
362 *bp++ = Base64Code[c1];
363 break;
364 }
365 c2 = *p++;
366 c1 |= (c2 >> 6) & 0x03;
367 *bp++ = Base64Code[c1];
368 *bp++ = Base64Code[c2 & 0x3f];
369 }
370 *bp = '\0';
371 return 0;
372}
373
374/*
375 * classic interface
376 */
377char *
378bcrypt_gensalt(u_int8_t log_rounds)
379{
380 static char gsalt[BCRYPT_SALTSPACE];
381
382 bcrypt_initsalt(log_rounds, gsalt, sizeof(gsalt));
383
384 return gsalt;
385}
386
387char *
388bcrypt(const char *pass, const char *salt)
389{
390 static char gencrypted[BCRYPT_HASHSPACE];
391
392 if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
393 return NULL;
394
395 return gencrypted;
396}
397DEF_WEAK(bcrypt);
diff --git a/src/lib/libc/crypt/blowfish.3 b/src/lib/libc/crypt/blowfish.3
deleted file mode 100644
index c64ccb684b..0000000000
--- a/src/lib/libc/crypt/blowfish.3
+++ /dev/null
@@ -1,103 +0,0 @@
1.\" $OpenBSD: blowfish.3,v 1.24 2021/11/29 01:04:45 djm Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\" derived from this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" Manual page, using -mandoc macros
29.\"
30.Dd $Mdocdate: November 29 2021 $
31.Dt BLF_KEY 3
32.Os
33.Sh NAME
34.Nm blf_key ,
35.Nm blf_enc ,
36.Nm blf_dec ,
37.Nm blf_ecb_encrypt ,
38.Nm blf_ecb_decrypt ,
39.Nm blf_cbc_encrypt ,
40.Nm blf_cbc_decrypt
41.Nd Blowfish encryption
42.Sh SYNOPSIS
43.In blf.h
44.Ft void
45.Fn blf_key "blf_ctx *state" "const u_int8_t *key" "u_int16_t keylen"
46.Ft void
47.Fn blf_enc "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
48.Ft void
49.Fn blf_dec "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
50.Ft void
51.Fn blf_ecb_encrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
52.Ft void
53.Fn blf_ecb_decrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
54.Ft void
55.Fn blf_cbc_encrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
56.Ft void
57.Fn blf_cbc_decrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
58.Sh DESCRIPTION
59.Em Blowfish
60is a fast unpatented block cipher designed by Bruce Schneier.
61It basically consists of a 16-round Feistel network.
62The block size is 64 bits and the maximum key size is 448 bits.
63.Pp
64The
65.Fn blf_key
66function initializes the 4 8-bit S-boxes and the 18 Subkeys with
67the hexadecimal digits of Pi.
68The key is used for further randomization.
69The first argument to
70.Fn blf_enc
71is the initialized state derived from
72.Fn blf_key .
73The stream of 32-bit words is encrypted in Electronic Codebook
74Mode (ECB) and
75.Fa blocks
76is the number of 64-bit blocks in the stream.
77.Fn blf_dec
78is used for decrypting Blowfish encrypted blocks.
79.Pp
80The functions
81.Fn blf_ecb_encrypt
82and
83.Fn blf_ecb_decrypt
84are used for encrypting and decrypting octet streams in ECB mode.
85The functions
86.Fn blf_cbc_encrypt
87and
88.Fn blf_cbc_decrypt
89are used for encrypting and decrypting octet streams in
90Cipherblock Chaining Mode (CBC).
91For these functions
92.Fa datalen
93specifies the number of octets of data to encrypt or decrypt.
94It must be a multiple of 8 (64-bit block).
95The initialisation vector
96.Fa iv
97points to an 8-byte buffer.
98.Sh SEE ALSO
99.Xr passwd 1 ,
100.Xr crypt 3 ,
101.Xr passwd 5
102.Sh AUTHORS
103.An Niels Provos Aq Mt provos@physnet.uni-hamburg.de
diff --git a/src/lib/libc/crypt/blowfish.c b/src/lib/libc/crypt/blowfish.c
deleted file mode 100644
index 05ad00d7a1..0000000000
--- a/src/lib/libc/crypt/blowfish.c
+++ /dev/null
@@ -1,688 +0,0 @@
1/* $OpenBSD: blowfish.c,v 1.21 2022/08/28 11:11:25 jsg Exp $ */
2/*
3 * Blowfish block cipher for OpenBSD
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32/*
33 * This code is derived from section 14.3 and the given source
34 * in section V of Applied Cryptography, second edition.
35 * Blowfish is an unpatented fast block cipher designed by
36 * Bruce Schneier.
37 */
38
39#if 0
40#include <stdio.h> /* used for debugging */
41#include <string.h>
42#endif
43
44#include <sys/types.h>
45#include <blf.h>
46
47/* Function for Feistel Networks */
48
49#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
50 + (s)[0x100 + (((x)>>16)&0xFF)]) \
51 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
52 + (s)[0x300 + ( (x) &0xFF)])
53
54#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
55
56void
57Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
58{
59 u_int32_t Xl;
60 u_int32_t Xr;
61 u_int32_t *s = c->S[0];
62 u_int32_t *p = c->P;
63
64 Xl = *xl;
65 Xr = *xr;
66
67 Xl ^= p[0];
68 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
69 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
70 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
71 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
72 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
73 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
74 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
75 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
76
77 *xl = Xr ^ p[17];
78 *xr = Xl;
79}
80DEF_WEAK(Blowfish_encipher);
81
82void
83Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
84{
85 u_int32_t Xl;
86 u_int32_t Xr;
87 u_int32_t *s = c->S[0];
88 u_int32_t *p = c->P;
89
90 Xl = *xl;
91 Xr = *xr;
92
93 Xl ^= p[17];
94 BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
95 BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
96 BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
97 BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
98 BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
99 BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
100 BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
101 BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
102
103 *xl = Xr ^ p[0];
104 *xr = Xl;
105}
106DEF_WEAK(Blowfish_decipher);
107
108void
109Blowfish_initstate(blf_ctx *c)
110{
111 /* P-box and S-box tables initialized with digits of Pi */
112
113 static const blf_ctx initstate =
114 { {
115 {
116 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
117 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
118 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
119 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
120 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
121 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
122 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
123 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
124 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
125 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
126 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
127 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
128 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
129 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
130 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
131 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
132 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
133 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
134 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
135 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
136 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
137 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
138 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
139 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
140 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
141 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
142 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
143 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
144 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
145 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
146 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
147 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
148 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
149 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
150 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
151 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
152 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
153 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
154 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
155 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
156 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
157 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
158 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
159 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
160 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
161 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
162 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
163 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
164 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
165 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
166 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
167 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
168 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
169 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
170 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
171 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
172 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
173 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
174 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
175 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
176 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
177 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
178 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
179 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
180 {
181 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
182 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
183 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
184 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
185 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
186 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
187 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
188 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
189 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
190 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
191 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
192 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
193 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
194 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
195 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
196 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
197 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
198 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
199 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
200 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
201 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
202 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
203 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
204 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
205 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
206 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
207 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
208 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
209 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
210 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
211 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
212 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
213 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
214 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
215 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
216 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
217 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
218 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
219 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
220 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
221 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
222 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
223 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
224 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
225 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
226 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
227 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
228 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
229 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
230 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
231 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
232 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
233 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
234 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
235 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
236 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
237 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
238 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
239 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
240 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
241 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
242 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
243 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
244 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
245 {
246 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
247 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
248 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
249 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
250 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
251 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
252 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
253 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
254 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
255 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
256 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
257 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
258 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
259 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
260 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
261 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
262 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
263 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
264 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
265 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
266 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
267 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
268 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
269 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
270 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
271 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
272 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
273 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
274 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
275 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
276 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
277 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
278 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
279 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
280 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
281 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
282 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
283 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
284 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
285 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
286 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
287 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
288 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
289 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
290 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
291 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
292 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
293 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
294 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
295 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
296 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
297 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
298 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
299 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
300 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
301 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
302 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
303 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
304 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
305 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
306 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
307 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
308 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
309 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
310 {
311 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
312 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
313 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
314 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
315 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
316 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
317 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
318 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
319 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
320 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
321 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
322 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
323 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
324 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
325 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
326 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
327 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
328 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
329 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
330 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
331 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
332 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
333 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
334 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
335 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
336 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
337 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
338 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
339 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
340 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
341 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
342 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
343 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
344 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
345 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
346 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
347 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
348 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
349 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
350 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
351 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
352 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
353 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
354 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
355 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
356 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
357 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
358 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
359 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
360 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
361 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
362 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
363 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
364 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
365 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
366 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
367 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
368 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
369 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
370 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
371 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
372 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
373 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
374 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
375 },
376 {
377 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
378 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
379 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
380 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
381 0x9216d5d9, 0x8979fb1b
382 } };
383
384 *c = initstate;
385}
386DEF_WEAK(Blowfish_initstate);
387
388u_int32_t
389Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
390 u_int16_t *current)
391{
392 u_int8_t i;
393 u_int16_t j;
394 u_int32_t temp;
395
396 temp = 0x00000000;
397 j = *current;
398
399 for (i = 0; i < 4; i++, j++) {
400 if (j >= databytes)
401 j = 0;
402 temp = (temp << 8) | data[j];
403 }
404
405 *current = j;
406 return temp;
407}
408DEF_WEAK(Blowfish_stream2word);
409
410void
411Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
412{
413 u_int16_t i;
414 u_int16_t j;
415 u_int16_t k;
416 u_int32_t temp;
417 u_int32_t datal;
418 u_int32_t datar;
419
420 j = 0;
421 for (i = 0; i < BLF_N + 2; i++) {
422 /* Extract 4 int8 to 1 int32 from keystream */
423 temp = Blowfish_stream2word(key, keybytes, &j);
424 c->P[i] = c->P[i] ^ temp;
425 }
426
427 j = 0;
428 datal = 0x00000000;
429 datar = 0x00000000;
430 for (i = 0; i < BLF_N + 2; i += 2) {
431 Blowfish_encipher(c, &datal, &datar);
432
433 c->P[i] = datal;
434 c->P[i + 1] = datar;
435 }
436
437 for (i = 0; i < 4; i++) {
438 for (k = 0; k < 256; k += 2) {
439 Blowfish_encipher(c, &datal, &datar);
440
441 c->S[i][k] = datal;
442 c->S[i][k + 1] = datar;
443 }
444 }
445}
446DEF_WEAK(Blowfish_expand0state);
447
448
449void
450Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
451 const u_int8_t *key, u_int16_t keybytes)
452{
453 u_int16_t i;
454 u_int16_t j;
455 u_int16_t k;
456 u_int32_t temp;
457 u_int32_t datal;
458 u_int32_t datar;
459
460 j = 0;
461 for (i = 0; i < BLF_N + 2; i++) {
462 /* Extract 4 int8 to 1 int32 from keystream */
463 temp = Blowfish_stream2word(key, keybytes, &j);
464 c->P[i] = c->P[i] ^ temp;
465 }
466
467 j = 0;
468 datal = 0x00000000;
469 datar = 0x00000000;
470 for (i = 0; i < BLF_N + 2; i += 2) {
471 datal ^= Blowfish_stream2word(data, databytes, &j);
472 datar ^= Blowfish_stream2word(data, databytes, &j);
473 Blowfish_encipher(c, &datal, &datar);
474
475 c->P[i] = datal;
476 c->P[i + 1] = datar;
477 }
478
479 for (i = 0; i < 4; i++) {
480 for (k = 0; k < 256; k += 2) {
481 datal ^= Blowfish_stream2word(data, databytes, &j);
482 datar ^= Blowfish_stream2word(data, databytes, &j);
483 Blowfish_encipher(c, &datal, &datar);
484
485 c->S[i][k] = datal;
486 c->S[i][k + 1] = datar;
487 }
488 }
489
490}
491DEF_WEAK(Blowfish_expandstate);
492
493void
494blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
495{
496 /* Initialize S-boxes and subkeys with Pi */
497 Blowfish_initstate(c);
498
499 /* Transform S-boxes and subkeys with key */
500 Blowfish_expand0state(c, k, len);
501}
502DEF_WEAK(blf_key);
503
504void
505blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
506{
507 u_int32_t *d;
508 u_int16_t i;
509
510 d = data;
511 for (i = 0; i < blocks; i++) {
512 Blowfish_encipher(c, d, d + 1);
513 d += 2;
514 }
515}
516DEF_WEAK(blf_enc);
517
518void
519blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
520{
521 u_int32_t *d;
522 u_int16_t i;
523
524 d = data;
525 for (i = 0; i < blocks; i++) {
526 Blowfish_decipher(c, d, d + 1);
527 d += 2;
528 }
529}
530DEF_WEAK(blf_dec);
531
532void
533blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
534{
535 u_int32_t l, r;
536 u_int32_t i;
537
538 for (i = 0; i < len; i += 8) {
539 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
540 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
541 Blowfish_encipher(c, &l, &r);
542 data[0] = l >> 24 & 0xff;
543 data[1] = l >> 16 & 0xff;
544 data[2] = l >> 8 & 0xff;
545 data[3] = l & 0xff;
546 data[4] = r >> 24 & 0xff;
547 data[5] = r >> 16 & 0xff;
548 data[6] = r >> 8 & 0xff;
549 data[7] = r & 0xff;
550 data += 8;
551 }
552}
553DEF_WEAK(blf_ecb_encrypt);
554
555void
556blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
557{
558 u_int32_t l, r;
559 u_int32_t i;
560
561 for (i = 0; i < len; i += 8) {
562 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
563 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
564 Blowfish_decipher(c, &l, &r);
565 data[0] = l >> 24 & 0xff;
566 data[1] = l >> 16 & 0xff;
567 data[2] = l >> 8 & 0xff;
568 data[3] = l & 0xff;
569 data[4] = r >> 24 & 0xff;
570 data[5] = r >> 16 & 0xff;
571 data[6] = r >> 8 & 0xff;
572 data[7] = r & 0xff;
573 data += 8;
574 }
575}
576DEF_WEAK(blf_ecb_decrypt);
577
578void
579blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
580{
581 u_int32_t l, r;
582 u_int32_t i, j;
583
584 for (i = 0; i < len; i += 8) {
585 for (j = 0; j < 8; j++)
586 data[j] ^= iv[j];
587 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
588 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
589 Blowfish_encipher(c, &l, &r);
590 data[0] = l >> 24 & 0xff;
591 data[1] = l >> 16 & 0xff;
592 data[2] = l >> 8 & 0xff;
593 data[3] = l & 0xff;
594 data[4] = r >> 24 & 0xff;
595 data[5] = r >> 16 & 0xff;
596 data[6] = r >> 8 & 0xff;
597 data[7] = r & 0xff;
598 iv = data;
599 data += 8;
600 }
601}
602DEF_WEAK(blf_cbc_encrypt);
603
604void
605blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
606{
607 u_int32_t l, r;
608 u_int8_t *iv;
609 u_int32_t i, j;
610
611 iv = data + len - 16;
612 data = data + len - 8;
613 for (i = len - 8; i >= 8; i -= 8) {
614 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
615 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
616 Blowfish_decipher(c, &l, &r);
617 data[0] = l >> 24 & 0xff;
618 data[1] = l >> 16 & 0xff;
619 data[2] = l >> 8 & 0xff;
620 data[3] = l & 0xff;
621 data[4] = r >> 24 & 0xff;
622 data[5] = r >> 16 & 0xff;
623 data[6] = r >> 8 & 0xff;
624 data[7] = r & 0xff;
625 for (j = 0; j < 8; j++)
626 data[j] ^= iv[j];
627 iv -= 8;
628 data -= 8;
629 }
630 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
631 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
632 Blowfish_decipher(c, &l, &r);
633 data[0] = l >> 24 & 0xff;
634 data[1] = l >> 16 & 0xff;
635 data[2] = l >> 8 & 0xff;
636 data[3] = l & 0xff;
637 data[4] = r >> 24 & 0xff;
638 data[5] = r >> 16 & 0xff;
639 data[6] = r >> 8 & 0xff;
640 data[7] = r & 0xff;
641 for (j = 0; j < 8; j++)
642 data[j] ^= iva[j];
643}
644DEF_WEAK(blf_cbc_decrypt);
645
646#if 0
647void
648report(u_int32_t data[], u_int16_t len)
649{
650 u_int16_t i;
651 for (i = 0; i < len; i += 2)
652 printf("Block %0hd: %08lx %08lx.\n",
653 i / 2, data[i], data[i + 1]);
654}
655void
656main(void)
657{
658
659 blf_ctx c;
660 char key[] = "AAAAA";
661 char key2[] = "abcdefghijklmnopqrstuvwxyz";
662
663 u_int32_t data[10];
664 u_int32_t data2[] =
665 {0x424c4f57l, 0x46495348l};
666
667 u_int16_t i;
668
669 /* First test */
670 for (i = 0; i < 10; i++)
671 data[i] = i;
672
673 blf_key(&c, (u_int8_t *) key, 5);
674 blf_enc(&c, data, 5);
675 blf_dec(&c, data, 1);
676 blf_dec(&c, data + 2, 4);
677 printf("Should read as 0 - 9.\n");
678 report(data, 10);
679
680 /* Second test */
681 blf_key(&c, (u_int8_t *) key2, strlen(key2));
682 blf_enc(&c, data2, 1);
683 printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
684 report(data2, 2);
685 blf_dec(&c, data2, 1);
686 report(data2, 2);
687}
688#endif
diff --git a/src/lib/libc/crypt/chacha_private.h b/src/lib/libc/crypt/chacha_private.h
deleted file mode 100644
index b0427b6b3e..0000000000
--- a/src/lib/libc/crypt/chacha_private.h
+++ /dev/null
@@ -1,222 +0,0 @@
1/*
2chacha-merged.c version 20080118
3D. J. Bernstein
4Public domain.
5*/
6
7/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
8
9typedef unsigned char u8;
10typedef unsigned int u32;
11
12typedef struct
13{
14 u32 input[16]; /* could be compressed */
15} chacha_ctx;
16
17#define U8C(v) (v##U)
18#define U32C(v) (v##U)
19
20#define U8V(v) ((u8)(v) & U8C(0xFF))
21#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
22
23#define ROTL32(v, n) \
24 (U32V((v) << (n)) | ((v) >> (32 - (n))))
25
26#define U8TO32_LITTLE(p) \
27 (((u32)((p)[0]) ) | \
28 ((u32)((p)[1]) << 8) | \
29 ((u32)((p)[2]) << 16) | \
30 ((u32)((p)[3]) << 24))
31
32#define U32TO8_LITTLE(p, v) \
33 do { \
34 (p)[0] = U8V((v) ); \
35 (p)[1] = U8V((v) >> 8); \
36 (p)[2] = U8V((v) >> 16); \
37 (p)[3] = U8V((v) >> 24); \
38 } while (0)
39
40#define ROTATE(v,c) (ROTL32(v,c))
41#define XOR(v,w) ((v) ^ (w))
42#define PLUS(v,w) (U32V((v) + (w)))
43#define PLUSONE(v) (PLUS((v),1))
44
45#define QUARTERROUND(a,b,c,d) \
46 a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
47 c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
48 a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
49 c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
50
51static const char sigma[16] = "expand 32-byte k";
52static const char tau[16] = "expand 16-byte k";
53
54static void
55chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
56{
57 const char *constants;
58
59 x->input[4] = U8TO32_LITTLE(k + 0);
60 x->input[5] = U8TO32_LITTLE(k + 4);
61 x->input[6] = U8TO32_LITTLE(k + 8);
62 x->input[7] = U8TO32_LITTLE(k + 12);
63 if (kbits == 256) { /* recommended */
64 k += 16;
65 constants = sigma;
66 } else { /* kbits == 128 */
67 constants = tau;
68 }
69 x->input[8] = U8TO32_LITTLE(k + 0);
70 x->input[9] = U8TO32_LITTLE(k + 4);
71 x->input[10] = U8TO32_LITTLE(k + 8);
72 x->input[11] = U8TO32_LITTLE(k + 12);
73 x->input[0] = U8TO32_LITTLE(constants + 0);
74 x->input[1] = U8TO32_LITTLE(constants + 4);
75 x->input[2] = U8TO32_LITTLE(constants + 8);
76 x->input[3] = U8TO32_LITTLE(constants + 12);
77}
78
79static void
80chacha_ivsetup(chacha_ctx *x,const u8 *iv)
81{
82 x->input[12] = 0;
83 x->input[13] = 0;
84 x->input[14] = U8TO32_LITTLE(iv + 0);
85 x->input[15] = U8TO32_LITTLE(iv + 4);
86}
87
88static void
89chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
90{
91 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
92 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
93 u8 *ctarget = NULL;
94 u8 tmp[64];
95 u_int i;
96
97 if (!bytes) return;
98
99 j0 = x->input[0];
100 j1 = x->input[1];
101 j2 = x->input[2];
102 j3 = x->input[3];
103 j4 = x->input[4];
104 j5 = x->input[5];
105 j6 = x->input[6];
106 j7 = x->input[7];
107 j8 = x->input[8];
108 j9 = x->input[9];
109 j10 = x->input[10];
110 j11 = x->input[11];
111 j12 = x->input[12];
112 j13 = x->input[13];
113 j14 = x->input[14];
114 j15 = x->input[15];
115
116 for (;;) {
117 if (bytes < 64) {
118 for (i = 0;i < bytes;++i) tmp[i] = m[i];
119 m = tmp;
120 ctarget = c;
121 c = tmp;
122 }
123 x0 = j0;
124 x1 = j1;
125 x2 = j2;
126 x3 = j3;
127 x4 = j4;
128 x5 = j5;
129 x6 = j6;
130 x7 = j7;
131 x8 = j8;
132 x9 = j9;
133 x10 = j10;
134 x11 = j11;
135 x12 = j12;
136 x13 = j13;
137 x14 = j14;
138 x15 = j15;
139 for (i = 20;i > 0;i -= 2) {
140 QUARTERROUND( x0, x4, x8,x12)
141 QUARTERROUND( x1, x5, x9,x13)
142 QUARTERROUND( x2, x6,x10,x14)
143 QUARTERROUND( x3, x7,x11,x15)
144 QUARTERROUND( x0, x5,x10,x15)
145 QUARTERROUND( x1, x6,x11,x12)
146 QUARTERROUND( x2, x7, x8,x13)
147 QUARTERROUND( x3, x4, x9,x14)
148 }
149 x0 = PLUS(x0,j0);
150 x1 = PLUS(x1,j1);
151 x2 = PLUS(x2,j2);
152 x3 = PLUS(x3,j3);
153 x4 = PLUS(x4,j4);
154 x5 = PLUS(x5,j5);
155 x6 = PLUS(x6,j6);
156 x7 = PLUS(x7,j7);
157 x8 = PLUS(x8,j8);
158 x9 = PLUS(x9,j9);
159 x10 = PLUS(x10,j10);
160 x11 = PLUS(x11,j11);
161 x12 = PLUS(x12,j12);
162 x13 = PLUS(x13,j13);
163 x14 = PLUS(x14,j14);
164 x15 = PLUS(x15,j15);
165
166#ifndef KEYSTREAM_ONLY
167 x0 = XOR(x0,U8TO32_LITTLE(m + 0));
168 x1 = XOR(x1,U8TO32_LITTLE(m + 4));
169 x2 = XOR(x2,U8TO32_LITTLE(m + 8));
170 x3 = XOR(x3,U8TO32_LITTLE(m + 12));
171 x4 = XOR(x4,U8TO32_LITTLE(m + 16));
172 x5 = XOR(x5,U8TO32_LITTLE(m + 20));
173 x6 = XOR(x6,U8TO32_LITTLE(m + 24));
174 x7 = XOR(x7,U8TO32_LITTLE(m + 28));
175 x8 = XOR(x8,U8TO32_LITTLE(m + 32));
176 x9 = XOR(x9,U8TO32_LITTLE(m + 36));
177 x10 = XOR(x10,U8TO32_LITTLE(m + 40));
178 x11 = XOR(x11,U8TO32_LITTLE(m + 44));
179 x12 = XOR(x12,U8TO32_LITTLE(m + 48));
180 x13 = XOR(x13,U8TO32_LITTLE(m + 52));
181 x14 = XOR(x14,U8TO32_LITTLE(m + 56));
182 x15 = XOR(x15,U8TO32_LITTLE(m + 60));
183#endif
184
185 j12 = PLUSONE(j12);
186 if (!j12) {
187 j13 = PLUSONE(j13);
188 /* stopping at 2^70 bytes per nonce is user's responsibility */
189 }
190
191 U32TO8_LITTLE(c + 0,x0);
192 U32TO8_LITTLE(c + 4,x1);
193 U32TO8_LITTLE(c + 8,x2);
194 U32TO8_LITTLE(c + 12,x3);
195 U32TO8_LITTLE(c + 16,x4);
196 U32TO8_LITTLE(c + 20,x5);
197 U32TO8_LITTLE(c + 24,x6);
198 U32TO8_LITTLE(c + 28,x7);
199 U32TO8_LITTLE(c + 32,x8);
200 U32TO8_LITTLE(c + 36,x9);
201 U32TO8_LITTLE(c + 40,x10);
202 U32TO8_LITTLE(c + 44,x11);
203 U32TO8_LITTLE(c + 48,x12);
204 U32TO8_LITTLE(c + 52,x13);
205 U32TO8_LITTLE(c + 56,x14);
206 U32TO8_LITTLE(c + 60,x15);
207
208 if (bytes <= 64) {
209 if (bytes < 64) {
210 for (i = 0;i < bytes;++i) ctarget[i] = c[i];
211 }
212 x->input[12] = j12;
213 x->input[13] = j13;
214 return;
215 }
216 bytes -= 64;
217 c += 64;
218#ifndef KEYSTREAM_ONLY
219 m += 64;
220#endif
221 }
222}
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
deleted file mode 100644
index 6a21571ddb..0000000000
--- a/src/lib/libc/crypt/crypt.3
+++ /dev/null
@@ -1,144 +0,0 @@
1.\" $OpenBSD: crypt.3,v 1.46 2025/01/09 23:18:08 jsg Exp $
2.\"
3.\" FreeSec: libcrypt
4.\"
5.\" Copyright (c) 1994 David Burren
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the author nor the names of other contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" Manual page, using -mandoc macros
33.\"
34.Dd $Mdocdate: January 9 2025 $
35.Dt CRYPT 3
36.Os
37.Sh NAME
38.Nm crypt ,
39.Nm bcrypt_gensalt ,
40.Nm bcrypt
41.Nd password hashing
42.Sh SYNOPSIS
43.In stdlib.h
44.Pp
45.In unistd.h
46.Ft char *
47.Fn crypt "const char *key" "const char *setting"
48.In pwd.h
49.Ft char *
50.Fn bcrypt_gensalt "u_int8_t log_rounds"
51.Ft char *
52.Fn bcrypt "const char *key" "const char *salt"
53.Sh DESCRIPTION
54These functions are deprecated in favor of
55.Xr crypt_checkpass 3
56and
57.Xr crypt_newhash 3 .
58.Pp
59The
60.Fn crypt
61function performs password hashing.
62Additional code has been added to deter key search attempts and to use
63stronger hashing algorithms.
64.Pp
65The first argument to
66.Fn crypt
67is a NUL-terminated
68string
69.Fa key ,
70typically a user's typed password.
71The second,
72.Fa setting ,
73currently supports a single form.
74If it begins
75with a string character
76.Pq Ql $
77and a number then a different algorithm is used depending on the number.
78At the moment
79.Ql $2
80chooses Blowfish hashing; see below for more information.
81.Ss Blowfish crypt
82The Blowfish version of crypt has 128 bits of
83.Fa salt
84in order to make building dictionaries of common passwords space consuming.
85The initial state of the
86Blowfish cipher is expanded using the
87.Fa salt
88and the
89.Fa password
90repeating the process a variable number of rounds, which is encoded in
91the password string.
92The maximum password length is 72.
93The final Blowfish password entry is created by encrypting the string
94.Pp
95.Dq OrpheanBeholderScryDoubt
96.Pp
97with the Blowfish state 64 times.
98.Pp
99The version number, the logarithm of the number of rounds and
100the concatenation of salt and hashed password are separated by the
101.Ql $
102character.
103An encoded
104.Sq 8
105would specify 256 rounds.
106A valid Blowfish password looks like this:
107.Pp
108.Dq $2b$12$FPWWO2RJ3CK4FINTw0Hi8OiPKJcX653gzSS.jqltHFMxyDmmQ0Hqq .
109.Pp
110The whole Blowfish password string is passed as
111.Fa setting
112for interpretation.
113.Sh RETURN VALUES
114The function
115.Fn crypt
116returns a pointer to the encrypted value on success, and
117.Dv NULL
118on failure.
119.Sh SEE ALSO
120.Xr encrypt 1 ,
121.Xr login 1 ,
122.Xr passwd 1 ,
123.Xr blowfish 3 ,
124.Xr crypt_checkpass 3 ,
125.Xr getpass 3 ,
126.Xr passwd 5
127.Sh HISTORY
128An M-209 based
129.Fn crypt
130function appeared in
131.At v3 .
132A DES-based
133.Fn crypt
134first appeared in
135.At v7 .
136.Fn bcrypt
137first appeared in
138.Ox 2.1 .
139.Sh BUGS
140The
141.Fn crypt
142function returns a pointer to static data, and subsequent calls to
143.Fn crypt
144will modify the same object.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
deleted file mode 100644
index 40d5503544..0000000000
--- a/src/lib/libc/crypt/crypt.c
+++ /dev/null
@@ -1,22 +0,0 @@
1/* $OpenBSD: crypt.c,v 1.31 2015/09/12 14:56:50 guenther Exp $ */
2
3#include <errno.h>
4#include <pwd.h>
5#include <unistd.h>
6
7char *
8crypt(const char *key, const char *setting)
9{
10 if (setting[0] == '$') {
11 switch (setting[1]) {
12 case '2':
13 return bcrypt(key, setting);
14 default:
15 errno = EINVAL;
16 return (NULL);
17 }
18 }
19 errno = EINVAL;
20 return (NULL);
21}
22DEF_WEAK(crypt);
diff --git a/src/lib/libc/crypt/crypt_checkpass.3 b/src/lib/libc/crypt/crypt_checkpass.3
deleted file mode 100644
index 07a77ae7c0..0000000000
--- a/src/lib/libc/crypt/crypt_checkpass.3
+++ /dev/null
@@ -1,113 +0,0 @@
1.\" $OpenBSD: crypt_checkpass.3,v 1.13 2021/10/29 10:54:33 deraadt Exp $
2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: October 29 2021 $
18.Dt CRYPT_CHECKPASS 3
19.Os
20.Sh NAME
21.Nm crypt_checkpass ,
22.Nm crypt_newhash
23.Nd password hashing
24.Sh SYNOPSIS
25.In pwd.h
26.In unistd.h
27.Ft int
28.Fn crypt_checkpass "const char *password" "const char *hash"
29.Ft int
30.Fn crypt_newhash "const char *password" "const char *pref" "char *hash" "size_t hashsize"
31.Sh DESCRIPTION
32The
33.Fn crypt_checkpass
34function simplifies checking a user's password.
35If both the
36.Fa hash
37and the
38.Fa password
39are the empty string, authentication
40is a success.
41Otherwise, the
42.Fa password
43is hashed and compared to the provided
44.Fa hash .
45If the
46.Fa hash
47is
48.Dv NULL ,
49authentication will always fail, but a default
50amount of work is performed to simulate the hashing operation.
51A successful match will return 0.
52A failure will return \-1 and set
53.Xr errno 2 .
54.Pp
55The
56.Fn crypt_newhash
57function simplifies the creation of new password hashes.
58The provided
59.Fa password
60is randomly salted and hashed and stored in
61.Fa hash .
62The size of the available space is specified by
63.Fa hashsize ,
64which should be
65.Dv _PASSWORD_LEN .
66The
67.Fa pref
68argument identifies the preferred hashing algorithm and parameters.
69Possible values are:
70.Bl -tag -width Ds
71.It Dq bcrypt,<rounds>
72The bcrypt algorithm, where the value of rounds can be between 4 and 31 and
73specifies the base 2 logarithm of the number of rounds.
74If rounds is omitted or the special value
75.Sq a ,
76an appropriate number of rounds is automatically selected based on system
77performance.
78.El
79.Sh RETURN VALUES
80.Rv -std crypt_checkpass crypt_newhash
81.Sh ERRORS
82The
83.Fn crypt_checkpass
84function sets
85.Va errno
86to
87.Er EACCES
88when authentication fails.
89.Pp
90The
91.Fn crypt_newhash
92function sets
93.Va errno
94to
95.Er EINVAL
96if
97.Fa pref
98is unsupported or insufficient space is provided.
99.Sh SEE ALSO
100.Xr crypt 3 ,
101.Xr login.conf 5 ,
102.Xr passwd 5
103.Sh HISTORY
104The function
105.Fn crypt_checkpass
106first appeared in
107.Ox 5.6 ,
108and
109.Fn crypt_newhash
110in
111.Ox 5.7 .
112.Sh AUTHORS
113.An Ted Unangst Aq Mt tedu@openbsd.org
diff --git a/src/lib/libc/crypt/cryptutil.c b/src/lib/libc/crypt/cryptutil.c
deleted file mode 100644
index f5fdb29589..0000000000
--- a/src/lib/libc/crypt/cryptutil.c
+++ /dev/null
@@ -1,97 +0,0 @@
1/* $OpenBSD: cryptutil.c,v 1.13 2024/01/22 19:26:55 deraadt Exp $ */
2/*
3 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17#include <stdlib.h>
18#include <unistd.h>
19#include <string.h>
20#include <pwd.h>
21#include <login_cap.h>
22#include <errno.h>
23
24int
25crypt_checkpass(const char *pass, const char *goodhash)
26{
27 char dummy[_PASSWORD_LEN];
28
29 if (goodhash == NULL) {
30 /* fake it */
31 goto fake;
32 }
33
34 /* empty password */
35 if (strlen(goodhash) == 0 && strlen(pass) == 0)
36 return 0;
37
38 if (goodhash[0] == '$' && goodhash[1] == '2') {
39 if (bcrypt_checkpass(pass, goodhash))
40 goto fail;
41 return 0;
42 }
43
44 /* unsupported. fake it. */
45fake:
46 bcrypt_newhash(pass, 8, dummy, sizeof(dummy));
47fail:
48 errno = EACCES;
49 return -1;
50}
51DEF_WEAK(crypt_checkpass);
52
53int
54crypt_newhash(const char *pass, const char *pref, char *hash, size_t hashlen)
55{
56 int rv = -1;
57 const char *defaultpref = "bcrypt,8";
58 const char *errstr;
59 const char *choices[] = { "blowfish", "bcrypt" };
60 size_t maxchoice = sizeof(choices) / sizeof(choices[0]);
61 int i;
62 int rounds;
63
64 if (pref == NULL)
65 pref = defaultpref;
66
67 for (i = 0; i < maxchoice; i++) {
68 const char *choice = choices[i];
69 size_t len = strlen(choice);
70 if (strcmp(pref, choice) == 0) {
71 rounds = _bcrypt_autorounds();
72 break;
73 } else if (strncmp(pref, choice, len) == 0 &&
74 pref[len] == ',') {
75 if (strcmp(pref + len + 1, "a") == 0) {
76 rounds = _bcrypt_autorounds();
77 } else {
78 rounds = strtonum(pref + len + 1, 4, 31, &errstr);
79 if (errstr) {
80 errno = EINVAL;
81 goto err;
82 }
83 }
84 break;
85 }
86 }
87 if (i == maxchoice) {
88 errno = EINVAL;
89 goto err;
90 }
91
92 rv = bcrypt_newhash(pass, rounds, hash, hashlen);
93
94err:
95 return rv;
96}
97DEF_WEAK(crypt_newhash);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-24 13:05:09 +0000