summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libc/crypt')
-rw-r--r--src/lib/libc/crypt/Makefile.inc14
-rw-r--r--src/lib/libc/crypt/arc4random.3114
-rw-r--r--src/lib/libc/crypt/arc4random.c236
-rw-r--r--src/lib/libc/crypt/bcrypt.c365
-rw-r--r--src/lib/libc/crypt/blowfish.3106
-rw-r--r--src/lib/libc/crypt/blowfish.c685
-rw-r--r--src/lib/libc/crypt/chacha_private.h222
-rw-r--r--src/lib/libc/crypt/crypt.3318
-rw-r--r--src/lib/libc/crypt/crypt.c696
-rw-r--r--src/lib/libc/crypt/crypt2.c107
-rw-r--r--src/lib/libc/crypt/md5crypt.c160
11 files changed, 3023 insertions, 0 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
new file mode 100644
index 0000000000..c852523372
--- /dev/null
+++ b/src/lib/libc/crypt/Makefile.inc
@@ -0,0 +1,14 @@
1# $OpenBSD: Makefile.inc,v 1.19 2013/10/21 20:33:23 deraadt Exp $
2
3.PATH: ${LIBCSRCDIR}/arch/${MACHINE_CPU}/crypt ${LIBCSRCDIR}/crypt
4
5SRCS+= crypt.c crypt2.c md5crypt.c arc4random.c blowfish.c bcrypt.c
6
7MAN+= crypt.3 blowfish.3 arc4random.3
8MLINKS+=crypt.3 encrypt.3 crypt.3 setkey.3 crypt.3 des_cipher.3
9MLINKS+=crypt.3 bcrypt_gensalt.3 crypt.3 bcrypt.3 crypt.3 md5crypt.3
10MLINKS+=crypt.3 des_setkey.3 blowfish.3 blf_key.3 blowfish.3 blf_enc.3
11MLINKS+=blowfish.3 blf_dec.3 blowfish.3 blf_ecb_encrypt.3
12MLINKS+=blowfish.3 blf_ecb_decrypt.3 blowfish.3 blf_cbc_encrypt.3
13MLINKS+=blowfish.3 blf_cbc_decrypt.3
14MLINKS+=arc4random.3 arc4random_buf.3 arc4random.3 arc4random_uniform.3
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
new file mode 100644
index 0000000000..476bc28017
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.3
@@ -0,0 +1,114 @@
1.\" $OpenBSD: arc4random.3,v 1.32 2013/10/22 06:51:41 jmc Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: October 22 2013 $
34.Dt ARC4RANDOM 3
35.Os
36.Sh NAME
37.Nm arc4random ,
38.Nm arc4random_buf ,
39.Nm arc4random_uniform
40.Nd random number generator
41.Sh SYNOPSIS
42.In stdlib.h
43.Ft u_int32_t
44.Fn arc4random "void"
45.Ft void
46.Fn arc4random_buf "void *buf" "size_t nbytes"
47.Ft u_int32_t
48.Fn arc4random_uniform "u_int32_t upper_bound"
49.Sh DESCRIPTION
50This family of functions provides higher quality data than those
51described in
52.Xr rand 3 ,
53.Xr random 3 ,
54and
55.Xr drand48 3 .
56.Pp
57Use of these functions is encouraged for almost all random number
58consumption because the other interfaces are deficient in either
59quality, portability, standardization, or availability.
60These functions can be called in almost all coding environments,
61including
62.Xr pthreads 3
63and
64.Xr chroot 2 .
65.Pp
66High quality 32-bit pseudo-random numbers are generated very quickly.
67On each call, a cryptographic pseudo-random number generator is used
68to generate a new result.
69One data pool is used for all consumers in a process, so that consumption
70under program flow can act as additional stirring.
71The subsystem is re-seeded from the kernel random number subsystem using
72.Xr sysctl 3
73on a regular basis, and also upon
74.Xr fork 2 .
75.Pp
76The
77.Fn arc4random
78function returns a single 32-bit value.
79.Pp
80.Fn arc4random_buf
81fills the region
82.Fa buf
83of length
84.Fa nbytes
85with random data.
86.Pp
87.Fn arc4random_uniform
88will return a single 32-bit value, uniformly distributed but less than
89.Fa upper_bound .
90This is recommended over constructions like
91.Dq Li arc4random() % upper_bound
92as it avoids "modulo bias" when the upper bound is not a power of two.
93In the worst case, this function may consume multiple iterations
94to ensure uniformity; see the source code to understand the problem
95and solution.
96.Sh RETURN VALUES
97These functions are always successful, and no return value is
98reserved to indicate an error.
99.Sh SEE ALSO
100.Xr rand 3 ,
101.Xr rand48 3 ,
102.Xr random 3
103.Sh HISTORY
104These functions first appeared in
105.Ox 2.1 .
106.Pp
107The original version of this random number generator used the
108RC4 (also known as ARC4) algorithm.
109In
110.Ox 5.5
111it was replaced with the ChaCha20 cipher, and it may be replaced
112again in the future as cryptographic techniques advance.
113A good mnemonic is
114.Dq A Replacement Call for Random .
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
new file mode 100644
index 0000000000..e836395803
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.c
@@ -0,0 +1,236 @@
1/* $OpenBSD: arc4random.c,v 1.26 2013/10/21 20:33:23 deraadt Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
20
21/*
22 * ChaCha based random number generator for OpenBSD.
23 */
24
25#include <fcntl.h>
26#include <limits.h>
27#include <stdlib.h>
28#include <string.h>
29#include <unistd.h>
30#include <sys/types.h>
31#include <sys/param.h>
32#include <sys/time.h>
33#include <sys/sysctl.h>
34#include "thread_private.h"
35
36#define KEYSTREAM_ONLY
37#include "chacha_private.h"
38
39#ifdef __GNUC__
40#define inline __inline
41#else /* !__GNUC__ */
42#define inline
43#endif /* !__GNUC__ */
44
45#define KEYSZ 32
46#define IVSZ 8
47#define BLOCKSZ 64
48#define RSBUFSZ (16*BLOCKSZ)
49static int rs_initialized;
50static pid_t rs_stir_pid;
51static chacha_ctx rs; /* chacha context for random keystream */
52static u_char rs_buf[RSBUFSZ]; /* keystream blocks */
53static size_t rs_have; /* valid bytes at end of rs_buf */
54static size_t rs_count; /* bytes till reseed */
55
56static inline void _rs_rekey(u_char *dat, size_t datlen);
57
58static inline void
59_rs_init(u_char *buf, size_t n)
60{
61 if (n < KEYSZ + IVSZ)
62 return;
63 chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
64 chacha_ivsetup(&rs, buf + KEYSZ);
65}
66
67static void
68_rs_stir(void)
69{
70 int mib[2];
71 size_t len;
72 u_char rnd[KEYSZ + IVSZ];
73
74 mib[0] = CTL_KERN;
75 mib[1] = KERN_ARND;
76
77 len = sizeof(rnd);
78 sysctl(mib, 2, rnd, &len, NULL, 0);
79
80 if (!rs_initialized) {
81 rs_initialized = 1;
82 _rs_init(rnd, sizeof(rnd));
83 } else
84 _rs_rekey(rnd, sizeof(rnd));
85 memset(rnd, 0, sizeof(rnd));
86
87 /* invalidate rs_buf */
88 rs_have = 0;
89 memset(rs_buf, 0, RSBUFSZ);
90
91 rs_count = 1600000;
92}
93
94static inline void
95_rs_stir_if_needed(size_t len)
96{
97 pid_t pid = getpid();
98
99 if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
100 rs_stir_pid = pid;
101 _rs_stir();
102 } else
103 rs_count -= len;
104}
105
106static inline void
107_rs_rekey(u_char *dat, size_t datlen)
108{
109#ifndef KEYSTREAM_ONLY
110 memset(rs_buf, 0,RSBUFSZ);
111#endif
112 /* fill rs_buf with the keystream */
113 chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
114 /* mix in optional user provided data */
115 if (dat) {
116 size_t i, m;
117
118 m = MIN(datlen, KEYSZ + IVSZ);
119 for (i = 0; i < m; i++)
120 rs_buf[i] ^= dat[i];
121 }
122 /* immediately reinit for backtracking resistance */
123 _rs_init(rs_buf, KEYSZ + IVSZ);
124 memset(rs_buf, 0, KEYSZ + IVSZ);
125 rs_have = RSBUFSZ - KEYSZ - IVSZ;
126}
127
128static inline void
129_rs_random_buf(void *_buf, size_t n)
130{
131 u_char *buf = (u_char *)_buf;
132 size_t m;
133
134 _rs_stir_if_needed(n);
135 while (n > 0) {
136 if (rs_have > 0) {
137 m = MIN(n, rs_have);
138 memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
139 memset(rs_buf + RSBUFSZ - rs_have, 0, m);
140 buf += m;
141 n -= m;
142 rs_have -= m;
143 }
144 if (rs_have == 0)
145 _rs_rekey(NULL, 0);
146 }
147}
148
149static inline void
150_rs_random_u32(u_int32_t *val)
151{
152 _rs_stir_if_needed(sizeof(*val));
153 if (rs_have < sizeof(*val))
154 _rs_rekey(NULL, 0);
155 memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
156 memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
157 rs_have -= sizeof(*val);
158 return;
159}
160
161u_int32_t
162arc4random(void)
163{
164 u_int32_t val;
165
166 _ARC4_LOCK();
167 _rs_random_u32(&val);
168 _ARC4_UNLOCK();
169 return val;
170}
171
172void
173arc4random_buf(void *buf, size_t n)
174{
175 _ARC4_LOCK();
176 _rs_random_buf(buf, n);
177 _ARC4_UNLOCK();
178}
179
180/*
181 * Calculate a uniformly distributed random number less than upper_bound
182 * avoiding "modulo bias".
183 *
184 * Uniformity is achieved by generating new random numbers until the one
185 * returned is outside the range [0, 2**32 % upper_bound). This
186 * guarantees the selected random number will be inside
187 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
188 * after reduction modulo upper_bound.
189 */
190u_int32_t
191arc4random_uniform(u_int32_t upper_bound)
192{
193 u_int32_t r, min;
194
195 if (upper_bound < 2)
196 return 0;
197
198 /* 2**32 % x == (2**32 - x) % x */
199 min = -upper_bound % upper_bound;
200
201 /*
202 * This could theoretically loop forever but each retry has
203 * p > 0.5 (worst case, usually far better) of selecting a
204 * number inside the range we need, so it should rarely need
205 * to re-roll.
206 */
207 for (;;) {
208 r = arc4random();
209 if (r >= min)
210 break;
211 }
212
213 return r % upper_bound;
214}
215
216#if 0
217/*-------- Test code for i386 --------*/
218#include <stdio.h>
219#include <machine/pctr.h>
220int
221main(int argc, char **argv)
222{
223 const int iter = 1000000;
224 int i;
225 pctrval v;
226
227 v = rdtsc();
228 for (i = 0; i < iter; i++)
229 arc4random();
230 v = rdtsc() - v;
231 v /= iter;
232
233 printf("%qd cycles\n", v);
234 exit(0);
235}
236#endif
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c
new file mode 100644
index 0000000000..d7af344b97
--- /dev/null
+++ b/src/lib/libc/crypt/bcrypt.c
@@ -0,0 +1,365 @@
1/* $OpenBSD: bcrypt.c,v 1.37 2014/04/08 20:14:25 tedu Exp $ */
2
3/*
4 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
5 * Copyright (c) 1997 Niels Provos <provos@umich.edu>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19/* This password hashing algorithm was designed by David Mazieres
20 * <dm@lcs.mit.edu> and works as follows:
21 *
22 * 1. state := InitState ()
23 * 2. state := ExpandKey (state, salt, password)
24 * 3. REPEAT rounds:
25 * state := ExpandKey (state, 0, password)
26 * state := ExpandKey (state, 0, salt)
27 * 4. ctext := "OrpheanBeholderScryDoubt"
28 * 5. REPEAT 64:
29 * ctext := Encrypt_ECB (state, ctext);
30 * 6. RETURN Concatenate (salt, ctext);
31 *
32 */
33
34#include <stdio.h>
35#include <stdlib.h>
36#include <sys/types.h>
37#include <string.h>
38#include <pwd.h>
39#include <blf.h>
40
41/* This implementation is adaptable to current computing power.
42 * You can have up to 2^31 rounds which should be enough for some
43 * time to come.
44 */
45
46#define BCRYPT_VERSION '2'
47#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
48#define BCRYPT_BLOCKS 6 /* Ciphertext blocks */
49#define BCRYPT_MINLOGROUNDS 4 /* we have log2(rounds) in salt */
50
51#define BCRYPT_SALTSPACE (7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1)
52
53char *bcrypt_gensalt(u_int8_t);
54
55static int encode_base64(char *, const u_int8_t *, size_t);
56static int decode_base64(u_int8_t *, size_t, const char *);
57
58/*
59 * Generates a salt for this version of crypt.
60 */
61static int
62bcrypt_initsalt(int log_rounds, uint8_t *salt, size_t saltbuflen)
63{
64 uint8_t csalt[BCRYPT_MAXSALT];
65
66 if (saltbuflen < BCRYPT_SALTSPACE)
67 return -1;
68
69 arc4random_buf(csalt, sizeof(csalt));
70
71 if (log_rounds < 4)
72 log_rounds = 4;
73 else if (log_rounds > 31)
74 log_rounds = 31;
75
76 snprintf(salt, saltbuflen, "$2a$%2.2u$", log_rounds);
77 encode_base64(salt + 7, csalt, sizeof(csalt));
78
79 return 0;
80}
81
82/*
83 * the core bcrypt function
84 */
85static int
86bcrypt_hashpass(const char *key, const char *salt, char *encrypted,
87 size_t encryptedlen)
88{
89 blf_ctx state;
90 u_int32_t rounds, i, k;
91 u_int16_t j;
92 size_t key_len;
93 u_int8_t salt_len, logr, minor;
94 u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
95 u_int8_t csalt[BCRYPT_MAXSALT];
96 u_int32_t cdata[BCRYPT_BLOCKS];
97 char arounds[3];
98
99 /* Discard "$" identifier */
100 salt++;
101
102 if (*salt > BCRYPT_VERSION) {
103 return -1;
104 }
105
106 /* Check for minor versions */
107 if (salt[1] != '$') {
108 switch (salt[1]) {
109 case 'a': /* 'ab' should not yield the same as 'abab' */
110 case 'b': /* cap input length at 72 bytes */
111 minor = salt[1];
112 salt++;
113 break;
114 default:
115 return -1;
116 }
117 } else
118 minor = 0;
119
120 /* Discard version + "$" identifier */
121 salt += 2;
122
123 if (salt[2] != '$')
124 /* Out of sync with passwd entry */
125 return -1;
126
127 memcpy(arounds, salt, sizeof(arounds));
128 if (arounds[sizeof(arounds) - 1] != '$')
129 return -1;
130 arounds[sizeof(arounds) - 1] = 0;
131 logr = strtonum(arounds, BCRYPT_MINLOGROUNDS, 31, NULL);
132 if (logr == 0)
133 return -1;
134 /* Computer power doesn't increase linearly, 2^x should be fine */
135 rounds = 1U << logr;
136
137 /* Discard num rounds + "$" identifier */
138 salt += 3;
139
140 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
141 return -1;
142
143 /* We dont want the base64 salt but the raw data */
144 decode_base64(csalt, BCRYPT_MAXSALT, salt);
145 salt_len = BCRYPT_MAXSALT;
146 if (minor <= 'a')
147 key_len = (u_int8_t)(strlen(key) + (minor >= 'a' ? 1 : 0));
148 else {
149 /* strlen() returns a size_t, but the function calls
150 * below result in implicit casts to a narrower integer
151 * type, so cap key_len at the actual maximum supported
152 * length here to avoid integer wraparound */
153 key_len = strlen(key);
154 if (key_len > 72)
155 key_len = 72;
156 key_len++; /* include the NUL */
157 }
158
159 /* Setting up S-Boxes and Subkeys */
160 Blowfish_initstate(&state);
161 Blowfish_expandstate(&state, csalt, salt_len,
162 (u_int8_t *) key, key_len);
163 for (k = 0; k < rounds; k++) {
164 Blowfish_expand0state(&state, (u_int8_t *) key, key_len);
165 Blowfish_expand0state(&state, csalt, salt_len);
166 }
167
168 /* This can be precomputed later */
169 j = 0;
170 for (i = 0; i < BCRYPT_BLOCKS; i++)
171 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j);
172
173 /* Now do the encryption */
174 for (k = 0; k < 64; k++)
175 blf_enc(&state, cdata, BCRYPT_BLOCKS / 2);
176
177 for (i = 0; i < BCRYPT_BLOCKS; i++) {
178 ciphertext[4 * i + 3] = cdata[i] & 0xff;
179 cdata[i] = cdata[i] >> 8;
180 ciphertext[4 * i + 2] = cdata[i] & 0xff;
181 cdata[i] = cdata[i] >> 8;
182 ciphertext[4 * i + 1] = cdata[i] & 0xff;
183 cdata[i] = cdata[i] >> 8;
184 ciphertext[4 * i + 0] = cdata[i] & 0xff;
185 }
186
187
188 i = 0;
189 encrypted[i++] = '$';
190 encrypted[i++] = BCRYPT_VERSION;
191 if (minor)
192 encrypted[i++] = minor;
193 encrypted[i++] = '$';
194
195 snprintf(encrypted + i, 4, "%2.2u$", logr);
196
197 encode_base64(encrypted + i + 3, csalt, BCRYPT_MAXSALT);
198 encode_base64(encrypted + strlen(encrypted), ciphertext,
199 4 * BCRYPT_BLOCKS - 1);
200 memset(&state, 0, sizeof(state));
201 memset(ciphertext, 0, sizeof(ciphertext));
202 memset(csalt, 0, sizeof(csalt));
203 memset(cdata, 0, sizeof(cdata));
204 return 0;
205}
206
207/*
208 * user friendly functions
209 */
210int
211bcrypt_newhash(const char *pass, int log_rounds, char *hash, size_t hashlen)
212{
213 char salt[BCRYPT_SALTSPACE];
214
215 if (bcrypt_initsalt(log_rounds, salt, sizeof(salt)) != 0)
216 return -1;
217
218 if (bcrypt_hashpass(pass, salt, hash, hashlen) != 0)
219 return -1;
220
221 explicit_bzero(salt, sizeof(salt));
222 return 0;
223}
224
225int
226bcrypt_checkpass(const char *pass, const char *goodhash)
227{
228 char hash[_PASSWORD_LEN];
229
230 if (bcrypt_hashpass(pass, goodhash, hash, sizeof(hash)) != 0)
231 return -1;
232 if (strlen(hash) != strlen(goodhash) ||
233 timingsafe_bcmp(hash, goodhash, strlen(goodhash)) != 0)
234 return -1;
235
236 explicit_bzero(hash, sizeof(hash));
237 return 0;
238}
239
240/*
241 * internal utilities
242 */
243const static u_int8_t Base64Code[] =
244"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
245
246const static u_int8_t index_64[128] = {
247 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
248 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
249 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
250 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
251 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
252 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
253 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
254 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
255 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
256 255, 255, 255, 255, 255, 255, 28, 29, 30,
257 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
258 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
259 51, 52, 53, 255, 255, 255, 255, 255
260};
261#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
262
263/*
264 * read buflen (after decoding) bytes of data from b64data
265 */
266static int
267decode_base64(u_int8_t *buffer, size_t len, const char *b64data)
268{
269 u_int8_t *bp = buffer;
270 const u_int8_t *p = b64data;
271 u_int8_t c1, c2, c3, c4;
272
273 while (bp < buffer + len) {
274 c1 = CHAR64(*p);
275 c2 = CHAR64(*(p + 1));
276
277 /* Invalid data */
278 if (c1 == 255 || c2 == 255)
279 return -1;
280
281 *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
282 if (bp >= buffer + len)
283 break;
284
285 c3 = CHAR64(*(p + 2));
286 if (c3 == 255)
287 break;
288
289 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
290 if (bp >= buffer + len)
291 break;
292
293 c4 = CHAR64(*(p + 3));
294 if (c4 == 255)
295 break;
296 *bp++ = ((c3 & 0x03) << 6) | c4;
297
298 p += 4;
299 }
300 return 0;
301}
302
303/*
304 * Turn len bytes of data into base64 encoded data.
305 * This works without = padding.
306 */
307static int
308encode_base64(char *b64buffer, const u_int8_t *data, size_t len)
309{
310 u_int8_t *bp = b64buffer;
311 const u_int8_t *p = data;
312 u_int8_t c1, c2;
313
314 while (p < data + len) {
315 c1 = *p++;
316 *bp++ = Base64Code[(c1 >> 2)];
317 c1 = (c1 & 0x03) << 4;
318 if (p >= data + len) {
319 *bp++ = Base64Code[c1];
320 break;
321 }
322 c2 = *p++;
323 c1 |= (c2 >> 4) & 0x0f;
324 *bp++ = Base64Code[c1];
325 c1 = (c2 & 0x0f) << 2;
326 if (p >= data + len) {
327 *bp++ = Base64Code[c1];
328 break;
329 }
330 c2 = *p++;
331 c1 |= (c2 >> 6) & 0x03;
332 *bp++ = Base64Code[c1];
333 *bp++ = Base64Code[c2 & 0x3f];
334 }
335 *bp = '\0';
336 return 0;
337}
338
339/*
340 * classic interface
341 */
342char *
343bcrypt_gensalt(u_int8_t log_rounds)
344{
345 static char gsalt[BCRYPT_SALTSPACE];
346
347 bcrypt_initsalt(log_rounds, gsalt, sizeof(gsalt));
348
349 return gsalt;
350}
351
352char *
353bcrypt(const char *pass, const char *salt)
354{
355 static char gencrypted[_PASSWORD_LEN];
356 static char gerror[2];
357
358 /* How do I handle errors ? Return ':' */
359 strlcpy(gerror, ":", sizeof(gerror));
360 if (bcrypt_hashpass(pass, salt, gencrypted, sizeof(gencrypted)) != 0)
361 return gerror;
362
363 return gencrypted;
364}
365
diff --git a/src/lib/libc/crypt/blowfish.3 b/src/lib/libc/crypt/blowfish.3
new file mode 100644
index 0000000000..d15bc8901d
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.3
@@ -0,0 +1,106 @@
1.\" $OpenBSD: blowfish.3,v 1.22 2013/07/16 15:21:11 schwarze Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: July 16 2013 $
34.Dt BLOWFISH 3
35.Os
36.Sh NAME
37.Nm blf_key ,
38.Nm blf_enc ,
39.Nm blf_dec ,
40.Nm blf_ecb_encrypt ,
41.Nm blf_ecb_decrypt ,
42.Nm blf_cbc_encrypt ,
43.Nm blf_cbc_decrypt
44.Nd Blowfish encryption
45.Sh SYNOPSIS
46.In blf.h
47.Ft void
48.Fn blf_key "blf_ctx *state" "const u_int8_t *key" "u_int16_t keylen"
49.Ft void
50.Fn blf_enc "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
51.Ft void
52.Fn blf_dec "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
53.Ft void
54.Fn blf_ecb_encrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
55.Ft void
56.Fn blf_ecb_decrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
57.Ft void
58.Fn blf_cbc_encrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
59.Ft void
60.Fn blf_cbc_decrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
61.Sh DESCRIPTION
62.Em Blowfish
63is a fast unpatented block cipher designed by Bruce Schneier.
64It basically consists of a 16-round Feistel network.
65The block size is 64 bits and the maximum key size is 448 bits.
66.Pp
67The
68.Fn blf_key
69function initializes the 4 8-bit S-boxes and the 18 Subkeys with
70the hexadecimal digits of Pi.
71The key is used for further randomization.
72The first argument to
73.Fn blf_enc
74is the initialized state derived from
75.Fn blf_key .
76The stream of 32-bit words is encrypted in Electronic Codebook
77Mode (ECB) and
78.Fa blocks
79is the number of 64-bit blocks in the stream.
80.Fn blf_dec
81is used for decrypting Blowfish encrypted blocks.
82.Pp
83The functions
84.Fn blf_ecb_encrypt
85and
86.Fn blf_ecb_decrypt
87are used for encrypting and decrypting octet streams in ECB mode.
88The functions
89.Fn blf_cbc_encrypt
90and
91.Fn blf_cbc_decrypt
92are used for encrypting and decrypting octet streams in
93Cipherblock Chaining Mode (CBC).
94For these functions
95.Fa datalen
96specifies the number of octets of data to encrypt or decrypt.
97It must be a multiple of 8 (64-bit block).
98The initialisation vector
99.Fa iv
100points to an 8-byte buffer.
101.Sh SEE ALSO
102.Xr passwd 1 ,
103.Xr crypt 3 ,
104.Xr passwd 5
105.Sh AUTHORS
106.An Niels Provos Aq Mt provos@physnet.uni-hamburg.de
diff --git a/src/lib/libc/crypt/blowfish.c b/src/lib/libc/crypt/blowfish.c
new file mode 100644
index 0000000000..c337df8a0a
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.c
@@ -0,0 +1,685 @@
1/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */
2/*
3 * Blowfish block cipher for OpenBSD
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Niels Provos.
20 * 4. The name of the author may not be used to endorse or promote products
21 * derived from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35/*
36 * This code is derived from section 14.3 and the given source
37 * in section V of Applied Cryptography, second edition.
38 * Blowfish is an unpatented fast block cipher designed by
39 * Bruce Schneier.
40 */
41
42#if 0
43#include <stdio.h> /* used for debugging */
44#include <string.h>
45#endif
46
47#include <sys/types.h>
48#include <blf.h>
49
50#undef inline
51#ifdef __GNUC__
52#define inline __inline
53#else /* !__GNUC__ */
54#define inline
55#endif /* !__GNUC__ */
56
57/* Function for Feistel Networks */
58
59#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
60 + (s)[0x100 + (((x)>>16)&0xFF)]) \
61 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
62 + (s)[0x300 + ( (x) &0xFF)])
63
64#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
65
66void
67Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
68{
69 u_int32_t Xl;
70 u_int32_t Xr;
71 u_int32_t *s = c->S[0];
72 u_int32_t *p = c->P;
73
74 Xl = *xl;
75 Xr = *xr;
76
77 Xl ^= p[0];
78 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
79 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
80 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
81 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
82 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
83 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
84 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
85 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
86
87 *xl = Xr ^ p[17];
88 *xr = Xl;
89}
90
91void
92Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
93{
94 u_int32_t Xl;
95 u_int32_t Xr;
96 u_int32_t *s = c->S[0];
97 u_int32_t *p = c->P;
98
99 Xl = *xl;
100 Xr = *xr;
101
102 Xl ^= p[17];
103 BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
104 BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
105 BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
106 BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
107 BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
108 BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
109 BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
110 BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
111
112 *xl = Xr ^ p[0];
113 *xr = Xl;
114}
115
116void
117Blowfish_initstate(blf_ctx *c)
118{
119 /* P-box and S-box tables initialized with digits of Pi */
120
121 static const blf_ctx initstate =
122 { {
123 {
124 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
125 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
126 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
127 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
128 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
129 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
130 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
131 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
132 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
133 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
134 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
135 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
136 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
137 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
138 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
139 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
140 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
141 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
142 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
143 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
144 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
145 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
146 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
147 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
148 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
149 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
150 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
151 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
152 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
153 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
154 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
155 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
156 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
157 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
158 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
159 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
160 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
161 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
162 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
163 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
164 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
165 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
166 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
167 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
168 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
169 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
170 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
171 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
172 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
173 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
174 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
175 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
176 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
177 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
178 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
179 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
180 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
181 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
182 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
183 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
184 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
185 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
186 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
187 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
188 {
189 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
190 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
191 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
192 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
193 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
194 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
195 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
196 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
197 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
198 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
199 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
200 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
201 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
202 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
203 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
204 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
205 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
206 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
207 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
208 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
209 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
210 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
211 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
212 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
213 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
214 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
215 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
216 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
217 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
218 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
219 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
220 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
221 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
222 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
223 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
224 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
225 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
226 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
227 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
228 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
229 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
230 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
231 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
232 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
233 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
234 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
235 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
236 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
237 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
238 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
239 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
240 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
241 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
242 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
243 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
244 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
245 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
246 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
247 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
248 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
249 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
250 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
251 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
252 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
253 {
254 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
255 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
256 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
257 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
258 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
259 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
260 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
261 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
262 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
263 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
264 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
265 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
266 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
267 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
268 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
269 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
270 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
271 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
272 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
273 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
274 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
275 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
276 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
277 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
278 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
279 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
280 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
281 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
282 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
283 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
284 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
285 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
286 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
287 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
288 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
289 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
290 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
291 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
292 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
293 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
294 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
295 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
296 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
297 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
298 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
299 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
300 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
301 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
302 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
303 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
304 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
305 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
306 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
307 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
308 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
309 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
310 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
311 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
312 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
313 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
314 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
315 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
316 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
317 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
318 {
319 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
320 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
321 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
322 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
323 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
324 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
325 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
326 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
327 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
328 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
329 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
330 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
331 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
332 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
333 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
334 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
335 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
336 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
337 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
338 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
339 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
340 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
341 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
342 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
343 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
344 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
345 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
346 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
347 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
348 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
349 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
350 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
351 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
352 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
353 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
354 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
355 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
356 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
357 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
358 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
359 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
360 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
361 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
362 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
363 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
364 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
365 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
366 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
367 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
368 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
369 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
370 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
371 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
372 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
373 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
374 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
375 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
376 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
377 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
378 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
379 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
380 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
381 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
382 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
383 },
384 {
385 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
386 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
387 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
388 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
389 0x9216d5d9, 0x8979fb1b
390 } };
391
392 *c = initstate;
393}
394
395u_int32_t
396Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
397 u_int16_t *current)
398{
399 u_int8_t i;
400 u_int16_t j;
401 u_int32_t temp;
402
403 temp = 0x00000000;
404 j = *current;
405
406 for (i = 0; i < 4; i++, j++) {
407 if (j >= databytes)
408 j = 0;
409 temp = (temp << 8) | data[j];
410 }
411
412 *current = j;
413 return temp;
414}
415
416void
417Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
418{
419 u_int16_t i;
420 u_int16_t j;
421 u_int16_t k;
422 u_int32_t temp;
423 u_int32_t datal;
424 u_int32_t datar;
425
426 j = 0;
427 for (i = 0; i < BLF_N + 2; i++) {
428 /* Extract 4 int8 to 1 int32 from keystream */
429 temp = Blowfish_stream2word(key, keybytes, &j);
430 c->P[i] = c->P[i] ^ temp;
431 }
432
433 j = 0;
434 datal = 0x00000000;
435 datar = 0x00000000;
436 for (i = 0; i < BLF_N + 2; i += 2) {
437 Blowfish_encipher(c, &datal, &datar);
438
439 c->P[i] = datal;
440 c->P[i + 1] = datar;
441 }
442
443 for (i = 0; i < 4; i++) {
444 for (k = 0; k < 256; k += 2) {
445 Blowfish_encipher(c, &datal, &datar);
446
447 c->S[i][k] = datal;
448 c->S[i][k + 1] = datar;
449 }
450 }
451}
452
453
454void
455Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
456 const u_int8_t *key, u_int16_t keybytes)
457{
458 u_int16_t i;
459 u_int16_t j;
460 u_int16_t k;
461 u_int32_t temp;
462 u_int32_t datal;
463 u_int32_t datar;
464
465 j = 0;
466 for (i = 0; i < BLF_N + 2; i++) {
467 /* Extract 4 int8 to 1 int32 from keystream */
468 temp = Blowfish_stream2word(key, keybytes, &j);
469 c->P[i] = c->P[i] ^ temp;
470 }
471
472 j = 0;
473 datal = 0x00000000;
474 datar = 0x00000000;
475 for (i = 0; i < BLF_N + 2; i += 2) {
476 datal ^= Blowfish_stream2word(data, databytes, &j);
477 datar ^= Blowfish_stream2word(data, databytes, &j);
478 Blowfish_encipher(c, &datal, &datar);
479
480 c->P[i] = datal;
481 c->P[i + 1] = datar;
482 }
483
484 for (i = 0; i < 4; i++) {
485 for (k = 0; k < 256; k += 2) {
486 datal ^= Blowfish_stream2word(data, databytes, &j);
487 datar ^= Blowfish_stream2word(data, databytes, &j);
488 Blowfish_encipher(c, &datal, &datar);
489
490 c->S[i][k] = datal;
491 c->S[i][k + 1] = datar;
492 }
493 }
494
495}
496
497void
498blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
499{
500 /* Initialize S-boxes and subkeys with Pi */
501 Blowfish_initstate(c);
502
503 /* Transform S-boxes and subkeys with key */
504 Blowfish_expand0state(c, k, len);
505}
506
507void
508blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
509{
510 u_int32_t *d;
511 u_int16_t i;
512
513 d = data;
514 for (i = 0; i < blocks; i++) {
515 Blowfish_encipher(c, d, d + 1);
516 d += 2;
517 }
518}
519
520void
521blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
522{
523 u_int32_t *d;
524 u_int16_t i;
525
526 d = data;
527 for (i = 0; i < blocks; i++) {
528 Blowfish_decipher(c, d, d + 1);
529 d += 2;
530 }
531}
532
533void
534blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
535{
536 u_int32_t l, r;
537 u_int32_t i;
538
539 for (i = 0; i < len; i += 8) {
540 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
541 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
542 Blowfish_encipher(c, &l, &r);
543 data[0] = l >> 24 & 0xff;
544 data[1] = l >> 16 & 0xff;
545 data[2] = l >> 8 & 0xff;
546 data[3] = l & 0xff;
547 data[4] = r >> 24 & 0xff;
548 data[5] = r >> 16 & 0xff;
549 data[6] = r >> 8 & 0xff;
550 data[7] = r & 0xff;
551 data += 8;
552 }
553}
554
555void
556blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
557{
558 u_int32_t l, r;
559 u_int32_t i;
560
561 for (i = 0; i < len; i += 8) {
562 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
563 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
564 Blowfish_decipher(c, &l, &r);
565 data[0] = l >> 24 & 0xff;
566 data[1] = l >> 16 & 0xff;
567 data[2] = l >> 8 & 0xff;
568 data[3] = l & 0xff;
569 data[4] = r >> 24 & 0xff;
570 data[5] = r >> 16 & 0xff;
571 data[6] = r >> 8 & 0xff;
572 data[7] = r & 0xff;
573 data += 8;
574 }
575}
576
577void
578blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
579{
580 u_int32_t l, r;
581 u_int32_t i, j;
582
583 for (i = 0; i < len; i += 8) {
584 for (j = 0; j < 8; j++)
585 data[j] ^= iv[j];
586 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
587 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
588 Blowfish_encipher(c, &l, &r);
589 data[0] = l >> 24 & 0xff;
590 data[1] = l >> 16 & 0xff;
591 data[2] = l >> 8 & 0xff;
592 data[3] = l & 0xff;
593 data[4] = r >> 24 & 0xff;
594 data[5] = r >> 16 & 0xff;
595 data[6] = r >> 8 & 0xff;
596 data[7] = r & 0xff;
597 iv = data;
598 data += 8;
599 }
600}
601
602void
603blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
604{
605 u_int32_t l, r;
606 u_int8_t *iv;
607 u_int32_t i, j;
608
609 iv = data + len - 16;
610 data = data + len - 8;
611 for (i = len - 8; i >= 8; i -= 8) {
612 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
613 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
614 Blowfish_decipher(c, &l, &r);
615 data[0] = l >> 24 & 0xff;
616 data[1] = l >> 16 & 0xff;
617 data[2] = l >> 8 & 0xff;
618 data[3] = l & 0xff;
619 data[4] = r >> 24 & 0xff;
620 data[5] = r >> 16 & 0xff;
621 data[6] = r >> 8 & 0xff;
622 data[7] = r & 0xff;
623 for (j = 0; j < 8; j++)
624 data[j] ^= iv[j];
625 iv -= 8;
626 data -= 8;
627 }
628 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
629 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
630 Blowfish_decipher(c, &l, &r);
631 data[0] = l >> 24 & 0xff;
632 data[1] = l >> 16 & 0xff;
633 data[2] = l >> 8 & 0xff;
634 data[3] = l & 0xff;
635 data[4] = r >> 24 & 0xff;
636 data[5] = r >> 16 & 0xff;
637 data[6] = r >> 8 & 0xff;
638 data[7] = r & 0xff;
639 for (j = 0; j < 8; j++)
640 data[j] ^= iva[j];
641}
642
643#if 0
644void
645report(u_int32_t data[], u_int16_t len)
646{
647 u_int16_t i;
648 for (i = 0; i < len; i += 2)
649 printf("Block %0hd: %08lx %08lx.\n",
650 i / 2, data[i], data[i + 1]);
651}
652void
653main(void)
654{
655
656 blf_ctx c;
657 char key[] = "AAAAA";
658 char key2[] = "abcdefghijklmnopqrstuvwxyz";
659
660 u_int32_t data[10];
661 u_int32_t data2[] =
662 {0x424c4f57l, 0x46495348l};
663
664 u_int16_t i;
665
666 /* First test */
667 for (i = 0; i < 10; i++)
668 data[i] = i;
669
670 blf_key(&c, (u_int8_t *) key, 5);
671 blf_enc(&c, data, 5);
672 blf_dec(&c, data, 1);
673 blf_dec(&c, data + 2, 4);
674 printf("Should read as 0 - 9.\n");
675 report(data, 10);
676
677 /* Second test */
678 blf_key(&c, (u_int8_t *) key2, strlen(key2));
679 blf_enc(&c, data2, 1);
680 printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
681 report(data2, 2);
682 blf_dec(&c, data2, 1);
683 report(data2, 2);
684}
685#endif
diff --git a/src/lib/libc/crypt/chacha_private.h b/src/lib/libc/crypt/chacha_private.h
new file mode 100644
index 0000000000..7c3680fa6d
--- /dev/null
+++ b/src/lib/libc/crypt/chacha_private.h
@@ -0,0 +1,222 @@
1/*
2chacha-merged.c version 20080118
3D. J. Bernstein
4Public domain.
5*/
6
7/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
8
9typedef unsigned char u8;
10typedef unsigned int u32;
11
12typedef struct
13{
14 u32 input[16]; /* could be compressed */
15} chacha_ctx;
16
17#define U8C(v) (v##U)
18#define U32C(v) (v##U)
19
20#define U8V(v) ((u8)(v) & U8C(0xFF))
21#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
22
23#define ROTL32(v, n) \
24 (U32V((v) << (n)) | ((v) >> (32 - (n))))
25
26#define U8TO32_LITTLE(p) \
27 (((u32)((p)[0]) ) | \
28 ((u32)((p)[1]) << 8) | \
29 ((u32)((p)[2]) << 16) | \
30 ((u32)((p)[3]) << 24))
31
32#define U32TO8_LITTLE(p, v) \
33 do { \
34 (p)[0] = U8V((v) ); \
35 (p)[1] = U8V((v) >> 8); \
36 (p)[2] = U8V((v) >> 16); \
37 (p)[3] = U8V((v) >> 24); \
38 } while (0)
39
40#define ROTATE(v,c) (ROTL32(v,c))
41#define XOR(v,w) ((v) ^ (w))
42#define PLUS(v,w) (U32V((v) + (w)))
43#define PLUSONE(v) (PLUS((v),1))
44
45#define QUARTERROUND(a,b,c,d) \
46 a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
47 c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
48 a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
49 c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
50
51static const char sigma[16] = "expand 32-byte k";
52static const char tau[16] = "expand 16-byte k";
53
54static void
55chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
56{
57 const char *constants;
58
59 x->input[4] = U8TO32_LITTLE(k + 0);
60 x->input[5] = U8TO32_LITTLE(k + 4);
61 x->input[6] = U8TO32_LITTLE(k + 8);
62 x->input[7] = U8TO32_LITTLE(k + 12);
63 if (kbits == 256) { /* recommended */
64 k += 16;
65 constants = sigma;
66 } else { /* kbits == 128 */
67 constants = tau;
68 }
69 x->input[8] = U8TO32_LITTLE(k + 0);
70 x->input[9] = U8TO32_LITTLE(k + 4);
71 x->input[10] = U8TO32_LITTLE(k + 8);
72 x->input[11] = U8TO32_LITTLE(k + 12);
73 x->input[0] = U8TO32_LITTLE(constants + 0);
74 x->input[1] = U8TO32_LITTLE(constants + 4);
75 x->input[2] = U8TO32_LITTLE(constants + 8);
76 x->input[3] = U8TO32_LITTLE(constants + 12);
77}
78
79static void
80chacha_ivsetup(chacha_ctx *x,const u8 *iv)
81{
82 x->input[12] = 0;
83 x->input[13] = 0;
84 x->input[14] = U8TO32_LITTLE(iv + 0);
85 x->input[15] = U8TO32_LITTLE(iv + 4);
86}
87
88static void
89chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
90{
91 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
92 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
93 u8 *ctarget = NULL;
94 u8 tmp[64];
95 u_int i;
96
97 if (!bytes) return;
98
99 j0 = x->input[0];
100 j1 = x->input[1];
101 j2 = x->input[2];
102 j3 = x->input[3];
103 j4 = x->input[4];
104 j5 = x->input[5];
105 j6 = x->input[6];
106 j7 = x->input[7];
107 j8 = x->input[8];
108 j9 = x->input[9];
109 j10 = x->input[10];
110 j11 = x->input[11];
111 j12 = x->input[12];
112 j13 = x->input[13];
113 j14 = x->input[14];
114 j15 = x->input[15];
115
116 for (;;) {
117 if (bytes < 64) {
118 for (i = 0;i < bytes;++i) tmp[i] = m[i];
119 m = tmp;
120 ctarget = c;
121 c = tmp;
122 }
123 x0 = j0;
124 x1 = j1;
125 x2 = j2;
126 x3 = j3;
127 x4 = j4;
128 x5 = j5;
129 x6 = j6;
130 x7 = j7;
131 x8 = j8;
132 x9 = j9;
133 x10 = j10;
134 x11 = j11;
135 x12 = j12;
136 x13 = j13;
137 x14 = j14;
138 x15 = j15;
139 for (i = 20;i > 0;i -= 2) {
140 QUARTERROUND( x0, x4, x8,x12)
141 QUARTERROUND( x1, x5, x9,x13)
142 QUARTERROUND( x2, x6,x10,x14)
143 QUARTERROUND( x3, x7,x11,x15)
144 QUARTERROUND( x0, x5,x10,x15)
145 QUARTERROUND( x1, x6,x11,x12)
146 QUARTERROUND( x2, x7, x8,x13)
147 QUARTERROUND( x3, x4, x9,x14)
148 }
149 x0 = PLUS(x0,j0);
150 x1 = PLUS(x1,j1);
151 x2 = PLUS(x2,j2);
152 x3 = PLUS(x3,j3);
153 x4 = PLUS(x4,j4);
154 x5 = PLUS(x5,j5);
155 x6 = PLUS(x6,j6);
156 x7 = PLUS(x7,j7);
157 x8 = PLUS(x8,j8);
158 x9 = PLUS(x9,j9);
159 x10 = PLUS(x10,j10);
160 x11 = PLUS(x11,j11);
161 x12 = PLUS(x12,j12);
162 x13 = PLUS(x13,j13);
163 x14 = PLUS(x14,j14);
164 x15 = PLUS(x15,j15);
165
166#ifndef KEYSTREAM_ONLY
167 x0 = XOR(x0,U8TO32_LITTLE(m + 0));
168 x1 = XOR(x1,U8TO32_LITTLE(m + 4));
169 x2 = XOR(x2,U8TO32_LITTLE(m + 8));
170 x3 = XOR(x3,U8TO32_LITTLE(m + 12));
171 x4 = XOR(x4,U8TO32_LITTLE(m + 16));
172 x5 = XOR(x5,U8TO32_LITTLE(m + 20));
173 x6 = XOR(x6,U8TO32_LITTLE(m + 24));
174 x7 = XOR(x7,U8TO32_LITTLE(m + 28));
175 x8 = XOR(x8,U8TO32_LITTLE(m + 32));
176 x9 = XOR(x9,U8TO32_LITTLE(m + 36));
177 x10 = XOR(x10,U8TO32_LITTLE(m + 40));
178 x11 = XOR(x11,U8TO32_LITTLE(m + 44));
179 x12 = XOR(x12,U8TO32_LITTLE(m + 48));
180 x13 = XOR(x13,U8TO32_LITTLE(m + 52));
181 x14 = XOR(x14,U8TO32_LITTLE(m + 56));
182 x15 = XOR(x15,U8TO32_LITTLE(m + 60));
183#endif
184
185 j12 = PLUSONE(j12);
186 if (!j12) {
187 j13 = PLUSONE(j13);
188 /* stopping at 2^70 bytes per nonce is user's responsibility */
189 }
190
191 U32TO8_LITTLE(c + 0,x0);
192 U32TO8_LITTLE(c + 4,x1);
193 U32TO8_LITTLE(c + 8,x2);
194 U32TO8_LITTLE(c + 12,x3);
195 U32TO8_LITTLE(c + 16,x4);
196 U32TO8_LITTLE(c + 20,x5);
197 U32TO8_LITTLE(c + 24,x6);
198 U32TO8_LITTLE(c + 28,x7);
199 U32TO8_LITTLE(c + 32,x8);
200 U32TO8_LITTLE(c + 36,x9);
201 U32TO8_LITTLE(c + 40,x10);
202 U32TO8_LITTLE(c + 44,x11);
203 U32TO8_LITTLE(c + 48,x12);
204 U32TO8_LITTLE(c + 52,x13);
205 U32TO8_LITTLE(c + 56,x14);
206 U32TO8_LITTLE(c + 60,x15);
207
208 if (bytes <= 64) {
209 if (bytes < 64) {
210 for (i = 0;i < bytes;++i) ctarget[i] = c[i];
211 }
212 x->input[12] = j12;
213 x->input[13] = j13;
214 return;
215 }
216 bytes -= 64;
217 c += 64;
218#ifndef KEYSTREAM_ONLY
219 m += 64;
220#endif
221 }
222}
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
new file mode 100644
index 0000000000..f4a78781da
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.3
@@ -0,0 +1,318 @@
1.\" $OpenBSD: crypt.3,v 1.34 2014/03/19 02:34:45 tedu Exp $
2.\"
3.\" FreeSec: libcrypt
4.\"
5.\" Copyright (c) 1994 David Burren
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the author nor the names of other contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" Manual page, using -mandoc macros
33.\"
34.Dd $Mdocdate: March 19 2014 $
35.Dt CRYPT 3
36.Os
37.Sh NAME
38.Nm crypt ,
39.Nm setkey ,
40.Nm encrypt ,
41.Nm des_setkey ,
42.Nm des_cipher ,
43.Nm bcrypt_gensalt ,
44.Nm bcrypt ,
45.Nm md5crypt
46.Nd password hashing
47.Sh SYNOPSIS
48.In stdlib.h
49.Ft int
50.Fn setkey "const char *key"
51.Pp
52.In unistd.h
53.Ft char *
54.Fn crypt "const char *key" "const char *setting"
55.Ft int
56.Fn encrypt "char *block" "int flag"
57.Ft int
58.Fn des_setkey "const char *key"
59.Ft int
60.Fn des_cipher "const char *in" "char *out" "int32_t salt" "int count"
61.In pwd.h
62.Ft char *
63.Fn bcrypt_gensalt "u_int8_t log_rounds"
64.Ft char *
65.Fn bcrypt "const char *key" "const char *salt"
66.Ft char *
67.Fn md5crypt "const char *key" "const char *salt"
68.Sh DESCRIPTION
69The
70.Fn crypt
71function performs password hashing based on the
72.Tn NBS
73Data Encryption Standard (DES).
74Additional code has been added to deter key search attempts and to use
75stronger hashing algorithms.
76.Pp
77The first argument to
78.Fn crypt
79is a
80.Dv NUL Ns -terminated
81string, typically a user's typed password.
82The second is in one of three forms:
83if it begins with an underscore
84.Pq Ql _
85then an extended format is used
86in interpreting both the key and the setting, as outlined below.
87If it begins
88with a string character
89.Pq Ql $
90and a number then a different algorithm is used depending on the number.
91At the moment a
92.Ql $1
93chooses MD5 hashing and a
94.Ql $2
95chooses Blowfish hashing; see below for more information.
96.Ss Extended crypt
97The
98.Ar key
99is divided into groups of 8 characters (the last group is null-padded)
100and the low-order 7 bits of each character (56 bits per group) are
101used to form the DES key as follows:
102the first group of 56 bits becomes the initial DES key.
103For each additional group, the XOR of the encryption of the current DES
104key with itself and the group bits becomes the next DES key.
105.Pp
106The setting is a 9-character array consisting of an underscore followed
107by 4 bytes of iteration count and 4 bytes of salt.
108These are encoded as printable characters, 6 bits per character,
109least significant character first.
110The values 0 to 63 are encoded as
111.Dq \&./0-9A-Za-z .
112This allows 24 bits for both
113.Fa count
114and
115.Fa salt .
116.Ss "MD5" crypt
117For
118.Tn MD5
119crypt the version number,
120.Fa salt
121and the hashed password are separated by the
122.Ql $
123character.
124The maximum length of a password is limited by
125the length counter of the MD5 context, which is about
1262**64.
127A valid MD5 password entry looks like this:
128.Pp
129.Dq $1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1 .
130.Pp
131The whole MD5 password string is passed as
132.Fa setting
133for interpretation.
134.Ss "Blowfish" crypt
135The
136.Tn Blowfish
137version of crypt has 128 bits of
138.Fa salt
139in order to make building dictionaries of common passwords space consuming.
140The initial state of the
141.Tn Blowfish
142cipher is expanded using the
143.Fa salt
144and the
145.Fa password
146repeating the process a variable number of rounds, which is encoded in
147the password string.
148The maximum password length is 72.
149The final Blowfish password entry is created by encrypting the string
150.Pp
151.Dq OrpheanBeholderScryDoubt
152.Pp
153with the
154.Tn Blowfish
155state 64 times.
156.Pp
157The version number, the logarithm of the number of rounds and
158the concatenation of salt and hashed password are separated by the
159.Ql $
160character.
161An encoded
162.Sq 8
163would specify 256 rounds.
164A valid Blowfish password looks like this:
165.Pp
166.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC .
167.Pp
168The whole Blowfish password string is passed as
169.Fa setting
170for interpretation.
171.Ss "Traditional" crypt
172The first 8 bytes of the key are null-padded, and the low-order 7 bits of
173each character is used to form the 56-bit
174.Tn DES
175key.
176.Pp
177The setting is a 2-character array of the ASCII-encoded salt.
178Thus only 12 bits of
179.Fa salt
180are used.
181.Fa count
182is set to 25.
183.Ss DES Algorithm
184The
185.Fa salt
186introduces disorder in the
187.Tn DES
188algorithm in one of 16777216 or 4096 possible ways
189(i.e., with 24 or 12 bits: if bit
190.Em i
191of the
192.Ar salt
193is set, then bits
194.Em i
195and
196.Em i+24
197are swapped in the
198.Tn DES
199E-box output).
200.Pp
201The DES key is used to encrypt a 64-bit constant using
202.Ar count
203iterations of
204.Tn DES .
205The value returned is a
206.Dv NUL Ns -terminated
207string, 20 or 13 bytes (plus NUL) in length, consisting of the
208.Ar setting
209followed by the encoded 64-bit encryption.
210.Pp
211The functions
212.Fn encrypt ,
213.Fn setkey ,
214.Fn des_setkey ,
215and
216.Fn des_cipher
217provide access to the
218.Tn DES
219algorithm itself.
220.Fn setkey
221is passed a 64-byte array of binary values (numeric 0 or 1).
222A 56-bit key is extracted from this array by dividing the
223array into groups of 8, and ignoring the last bit in each group.
224That bit is reserved for a byte parity check by DES, but is ignored
225by these functions.
226.Pp
227The
228.Fa block
229argument to
230.Fn encrypt
231is also a 64-byte array of binary values.
232If the value of
233.Fa flag
234is 0,
235.Fa block
236is encrypted otherwise it is decrypted.
237The result is returned in the original array
238.Fa block
239after using the key specified by
240.Fn setkey
241to process it.
242.Pp
243The argument to
244.Fn des_setkey
245is a character array of length 8.
246The least significant bit (the parity bit) in each character is ignored,
247and the remaining bits are concatenated to form a 56-bit key.
248The function
249.Fn des_cipher
250encrypts (or decrypts if
251.Fa count
252is negative) the 64-bits stored in the 8 characters at
253.Fa in
254using
255.Xr abs 3
256of
257.Fa count
258iterations of
259.Tn DES
260and stores the 64-bit result in the 8 characters at
261.Fa out
262(which may be the same as
263.Fa in ) .
264The
265.Fa salt
266specifies perturbations to the
267.Tn DES
268E-box output as described above.
269.Pp
270The
271.Fn crypt ,
272.Fn setkey ,
273and
274.Fn des_setkey
275functions all manipulate the same key space.
276.Sh RETURN VALUES
277The function
278.Fn crypt
279returns a pointer to the encrypted value on success, and
280.Dv NULL
281on failure.
282The functions
283.Fn setkey ,
284.Fn encrypt ,
285.Fn des_setkey ,
286and
287.Fn des_cipher
288return 0 on success and 1 on failure.
289.Sh SEE ALSO
290.Xr encrypt 1 ,
291.Xr login 1 ,
292.Xr passwd 1 ,
293.Xr blowfish 3 ,
294.Xr getpass 3 ,
295.Xr md5 3 ,
296.Xr passwd 5
297.Sh HISTORY
298A rotor-based
299.Fn crypt
300function appeared in
301.At v3 .
302The current style
303.Fn crypt
304first appeared in
305.At v7 .
306.Sh AUTHORS
307.An David Burren Aq Mt davidb@werj.com.au
308wrote the original DES functions.
309.Sh BUGS
310The
311.Fn crypt
312function returns a pointer to static data, and subsequent calls to
313.Fn crypt
314will modify the same object.
315.Pp
316With DES hashing, passwords containing the byte 0x80 use less key entropy
317than other passwords.
318This is an implementation bug, not a bug in the DES cipher.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
new file mode 100644
index 0000000000..15a784532d
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.c
@@ -0,0 +1,696 @@
1/* $OpenBSD: crypt.c,v 1.20 2005/08/08 08:05:33 espie Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#include <sys/types.h>
50#include <sys/param.h>
51#include <pwd.h>
52#include <unistd.h>
53#include <string.h>
54
55#ifdef DEBUG
56# include <stdio.h>
57#endif
58
59static const u_char IP[64] = {
60 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
61 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
62 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
63 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
64};
65
66static u_char inv_key_perm[64];
67static u_char u_key_perm[56];
68static u_char const key_perm[56] = {
69 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
70 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
71 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
72 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
73};
74
75static const u_char key_shifts[16] = {
76 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
77};
78
79static u_char inv_comp_perm[56];
80static const u_char comp_perm[48] = {
81 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
82 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
83 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
84 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
85};
86
87/*
88 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
89 */
90
91static u_char u_sbox[8][64];
92static const u_char sbox[8][64] = {
93 {
94 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
95 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
96 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
97 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
98 },
99 {
100 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
101 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
102 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
103 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
104 },
105 {
106 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
107 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
108 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
109 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
110 },
111 {
112 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
113 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
114 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
115 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
116 },
117 {
118 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
119 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
120 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
121 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
122 },
123 {
124 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
125 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
126 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
127 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
128 },
129 {
130 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
131 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
132 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
133 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
134 },
135 {
136 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
137 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
138 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
139 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
140 }
141};
142
143static u_char un_pbox[32];
144static const u_char pbox[32] = {
145 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
146 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
147};
148
149const u_int32_t _des_bits32[32] =
150{
151 0x80000000, 0x40000000, 0x20000000, 0x10000000,
152 0x08000000, 0x04000000, 0x02000000, 0x01000000,
153 0x00800000, 0x00400000, 0x00200000, 0x00100000,
154 0x00080000, 0x00040000, 0x00020000, 0x00010000,
155 0x00008000, 0x00004000, 0x00002000, 0x00001000,
156 0x00000800, 0x00000400, 0x00000200, 0x00000100,
157 0x00000080, 0x00000040, 0x00000020, 0x00000010,
158 0x00000008, 0x00000004, 0x00000002, 0x00000001
159};
160
161const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
162
163static u_int32_t saltbits;
164static int32_t old_salt;
165static const u_int32_t *bits28, *bits24;
166static u_char init_perm[64], final_perm[64];
167static u_int32_t en_keysl[16], en_keysr[16];
168static u_int32_t de_keysl[16], de_keysr[16];
169int _des_initialised = 0;
170static u_char m_sbox[4][4096];
171static u_int32_t psbox[4][256];
172static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
173static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
174static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
175static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
176static u_int32_t old_rawkey0, old_rawkey1;
177
178static u_char ascii64[] =
179 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
180/* 0000000000111111111122222222223333333333444444444455555555556666 */
181/* 0123456789012345678901234567890123456789012345678901234567890123 */
182
183static __inline int
184ascii_to_bin(char ch)
185{
186 if (ch > 'z')
187 return(0);
188 if (ch >= 'a')
189 return(ch - 'a' + 38);
190 if (ch > 'Z')
191 return(0);
192 if (ch >= 'A')
193 return(ch - 'A' + 12);
194 if (ch > '9')
195 return(0);
196 if (ch >= '.')
197 return(ch - '.');
198 return(0);
199}
200
201void
202_des_init(void)
203{
204 int i, j, b, k, inbit, obit;
205 u_int32_t *p, *il, *ir, *fl, *fr;
206
207 old_rawkey0 = old_rawkey1 = 0;
208 saltbits = 0;
209 old_salt = 0;
210 bits24 = (bits28 = _des_bits32 + 4) + 4;
211
212 /*
213 * Invert the S-boxes, reordering the input bits.
214 */
215 for (i = 0; i < 8; i++)
216 for (j = 0; j < 64; j++) {
217 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
218 u_sbox[i][j] = sbox[i][b];
219 }
220
221 /*
222 * Convert the inverted S-boxes into 4 arrays of 8 bits.
223 * Each will handle 12 bits of the S-box input.
224 */
225 for (b = 0; b < 4; b++)
226 for (i = 0; i < 64; i++)
227 for (j = 0; j < 64; j++)
228 m_sbox[b][(i << 6) | j] =
229 (u_sbox[(b << 1)][i] << 4) |
230 u_sbox[(b << 1) + 1][j];
231
232 /*
233 * Set up the initial & final permutations into a useful form, and
234 * initialise the inverted key permutation.
235 */
236 for (i = 0; i < 64; i++) {
237 init_perm[final_perm[i] = IP[i] - 1] = i;
238 inv_key_perm[i] = 255;
239 }
240
241 /*
242 * Invert the key permutation and initialise the inverted key
243 * compression permutation.
244 */
245 for (i = 0; i < 56; i++) {
246 u_key_perm[i] = key_perm[i] - 1;
247 inv_key_perm[key_perm[i] - 1] = i;
248 inv_comp_perm[i] = 255;
249 }
250
251 /*
252 * Invert the key compression permutation.
253 */
254 for (i = 0; i < 48; i++) {
255 inv_comp_perm[comp_perm[i] - 1] = i;
256 }
257
258 /*
259 * Set up the OR-mask arrays for the initial and final permutations,
260 * and for the key initial and compression permutations.
261 */
262 for (k = 0; k < 8; k++) {
263 for (i = 0; i < 256; i++) {
264 *(il = &ip_maskl[k][i]) = 0;
265 *(ir = &ip_maskr[k][i]) = 0;
266 *(fl = &fp_maskl[k][i]) = 0;
267 *(fr = &fp_maskr[k][i]) = 0;
268 for (j = 0; j < 8; j++) {
269 inbit = 8 * k + j;
270 if (i & _des_bits8[j]) {
271 if ((obit = init_perm[inbit]) < 32)
272 *il |= _des_bits32[obit];
273 else
274 *ir |= _des_bits32[obit-32];
275 if ((obit = final_perm[inbit]) < 32)
276 *fl |= _des_bits32[obit];
277 else
278 *fr |= _des_bits32[obit - 32];
279 }
280 }
281 }
282 for (i = 0; i < 128; i++) {
283 *(il = &key_perm_maskl[k][i]) = 0;
284 *(ir = &key_perm_maskr[k][i]) = 0;
285 for (j = 0; j < 7; j++) {
286 inbit = 8 * k + j;
287 if (i & _des_bits8[j + 1]) {
288 if ((obit = inv_key_perm[inbit]) == 255)
289 continue;
290 if (obit < 28)
291 *il |= bits28[obit];
292 else
293 *ir |= bits28[obit - 28];
294 }
295 }
296 *(il = &comp_maskl[k][i]) = 0;
297 *(ir = &comp_maskr[k][i]) = 0;
298 for (j = 0; j < 7; j++) {
299 inbit = 7 * k + j;
300 if (i & _des_bits8[j + 1]) {
301 if ((obit=inv_comp_perm[inbit]) == 255)
302 continue;
303 if (obit < 24)
304 *il |= bits24[obit];
305 else
306 *ir |= bits24[obit - 24];
307 }
308 }
309 }
310 }
311
312 /*
313 * Invert the P-box permutation, and convert into OR-masks for
314 * handling the output of the S-box arrays setup above.
315 */
316 for (i = 0; i < 32; i++)
317 un_pbox[pbox[i] - 1] = i;
318
319 for (b = 0; b < 4; b++)
320 for (i = 0; i < 256; i++) {
321 *(p = &psbox[b][i]) = 0;
322 for (j = 0; j < 8; j++) {
323 if (i & _des_bits8[j])
324 *p |= _des_bits32[un_pbox[8 * b + j]];
325 }
326 }
327
328 _des_initialised = 1;
329}
330
331void
332_des_setup_salt(int32_t salt)
333{
334 u_int32_t obit, saltbit;
335 int i;
336
337 if (salt == old_salt)
338 return;
339 old_salt = salt;
340
341 saltbits = 0;
342 saltbit = 1;
343 obit = 0x800000;
344 for (i = 0; i < 24; i++) {
345 if (salt & saltbit)
346 saltbits |= obit;
347 saltbit <<= 1;
348 obit >>= 1;
349 }
350}
351
352int
353des_setkey(const char *key)
354{
355 u_int32_t k0, k1, rawkey0, rawkey1;
356 int shifts, round;
357
358 if (!_des_initialised)
359 _des_init();
360
361 rawkey0 = ntohl(*(u_int32_t *) key);
362 rawkey1 = ntohl(*(u_int32_t *) (key + 4));
363
364 if ((rawkey0 | rawkey1)
365 && rawkey0 == old_rawkey0
366 && rawkey1 == old_rawkey1) {
367 /*
368 * Already setup for this key.
369 * This optimisation fails on a zero key (which is weak and
370 * has bad parity anyway) in order to simplify the starting
371 * conditions.
372 */
373 return(0);
374 }
375 old_rawkey0 = rawkey0;
376 old_rawkey1 = rawkey1;
377
378 /*
379 * Do key permutation and split into two 28-bit subkeys.
380 */
381 k0 = key_perm_maskl[0][rawkey0 >> 25]
382 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
383 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
384 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
385 | key_perm_maskl[4][rawkey1 >> 25]
386 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
387 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
388 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
389 k1 = key_perm_maskr[0][rawkey0 >> 25]
390 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
391 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
392 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
393 | key_perm_maskr[4][rawkey1 >> 25]
394 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
395 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
396 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
397 /*
398 * Rotate subkeys and do compression permutation.
399 */
400 shifts = 0;
401 for (round = 0; round < 16; round++) {
402 u_int32_t t0, t1;
403
404 shifts += key_shifts[round];
405
406 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
407 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
408
409 de_keysl[15 - round] =
410 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
411 | comp_maskl[1][(t0 >> 14) & 0x7f]
412 | comp_maskl[2][(t0 >> 7) & 0x7f]
413 | comp_maskl[3][t0 & 0x7f]
414 | comp_maskl[4][(t1 >> 21) & 0x7f]
415 | comp_maskl[5][(t1 >> 14) & 0x7f]
416 | comp_maskl[6][(t1 >> 7) & 0x7f]
417 | comp_maskl[7][t1 & 0x7f];
418
419 de_keysr[15 - round] =
420 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
421 | comp_maskr[1][(t0 >> 14) & 0x7f]
422 | comp_maskr[2][(t0 >> 7) & 0x7f]
423 | comp_maskr[3][t0 & 0x7f]
424 | comp_maskr[4][(t1 >> 21) & 0x7f]
425 | comp_maskr[5][(t1 >> 14) & 0x7f]
426 | comp_maskr[6][(t1 >> 7) & 0x7f]
427 | comp_maskr[7][t1 & 0x7f];
428 }
429 return(0);
430}
431
432int
433_des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out,
434 int count)
435{
436 /*
437 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
438 */
439 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
440 u_int32_t f, r48l, r48r;
441 int round;
442
443 if (count == 0) {
444 return(1);
445 } else if (count > 0) {
446 /*
447 * Encrypting
448 */
449 kl1 = en_keysl;
450 kr1 = en_keysr;
451 } else {
452 /*
453 * Decrypting
454 */
455 count = -count;
456 kl1 = de_keysl;
457 kr1 = de_keysr;
458 }
459
460 /*
461 * Do initial permutation (IP).
462 */
463 l = ip_maskl[0][l_in >> 24]
464 | ip_maskl[1][(l_in >> 16) & 0xff]
465 | ip_maskl[2][(l_in >> 8) & 0xff]
466 | ip_maskl[3][l_in & 0xff]
467 | ip_maskl[4][r_in >> 24]
468 | ip_maskl[5][(r_in >> 16) & 0xff]
469 | ip_maskl[6][(r_in >> 8) & 0xff]
470 | ip_maskl[7][r_in & 0xff];
471 r = ip_maskr[0][l_in >> 24]
472 | ip_maskr[1][(l_in >> 16) & 0xff]
473 | ip_maskr[2][(l_in >> 8) & 0xff]
474 | ip_maskr[3][l_in & 0xff]
475 | ip_maskr[4][r_in >> 24]
476 | ip_maskr[5][(r_in >> 16) & 0xff]
477 | ip_maskr[6][(r_in >> 8) & 0xff]
478 | ip_maskr[7][r_in & 0xff];
479
480 while (count--) {
481 /*
482 * Do each round.
483 */
484 kl = kl1;
485 kr = kr1;
486 round = 16;
487 while (round--) {
488 /*
489 * Expand R to 48 bits (simulate the E-box).
490 */
491 r48l = ((r & 0x00000001) << 23)
492 | ((r & 0xf8000000) >> 9)
493 | ((r & 0x1f800000) >> 11)
494 | ((r & 0x01f80000) >> 13)
495 | ((r & 0x001f8000) >> 15);
496
497 r48r = ((r & 0x0001f800) << 7)
498 | ((r & 0x00001f80) << 5)
499 | ((r & 0x000001f8) << 3)
500 | ((r & 0x0000001f) << 1)
501 | ((r & 0x80000000) >> 31);
502 /*
503 * Do salting for crypt() and friends, and
504 * XOR with the permuted key.
505 */
506 f = (r48l ^ r48r) & saltbits;
507 r48l ^= f ^ *kl++;
508 r48r ^= f ^ *kr++;
509 /*
510 * Do sbox lookups (which shrink it back to 32 bits)
511 * and do the pbox permutation at the same time.
512 */
513 f = psbox[0][m_sbox[0][r48l >> 12]]
514 | psbox[1][m_sbox[1][r48l & 0xfff]]
515 | psbox[2][m_sbox[2][r48r >> 12]]
516 | psbox[3][m_sbox[3][r48r & 0xfff]];
517 /*
518 * Now that we've permuted things, complete f().
519 */
520 f ^= l;
521 l = r;
522 r = f;
523 }
524 r = l;
525 l = f;
526 }
527 /*
528 * Do final permutation (inverse of IP).
529 */
530 *l_out = fp_maskl[0][l >> 24]
531 | fp_maskl[1][(l >> 16) & 0xff]
532 | fp_maskl[2][(l >> 8) & 0xff]
533 | fp_maskl[3][l & 0xff]
534 | fp_maskl[4][r >> 24]
535 | fp_maskl[5][(r >> 16) & 0xff]
536 | fp_maskl[6][(r >> 8) & 0xff]
537 | fp_maskl[7][r & 0xff];
538 *r_out = fp_maskr[0][l >> 24]
539 | fp_maskr[1][(l >> 16) & 0xff]
540 | fp_maskr[2][(l >> 8) & 0xff]
541 | fp_maskr[3][l & 0xff]
542 | fp_maskr[4][r >> 24]
543 | fp_maskr[5][(r >> 16) & 0xff]
544 | fp_maskr[6][(r >> 8) & 0xff]
545 | fp_maskr[7][r & 0xff];
546 return(0);
547}
548
549int
550des_cipher(const char *in, char *out, int32_t salt, int count)
551{
552 u_int32_t l_out, r_out, rawl, rawr;
553 u_int32_t x[2];
554 int retval;
555
556 if (!_des_initialised)
557 _des_init();
558
559 _des_setup_salt(salt);
560
561 memcpy(x, in, sizeof x);
562 rawl = ntohl(x[0]);
563 rawr = ntohl(x[1]);
564 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count);
565
566 x[0] = htonl(l_out);
567 x[1] = htonl(r_out);
568 memcpy(out, x, sizeof x);
569 return(retval);
570}
571
572char *
573crypt(const char *key, const char *setting)
574{
575 int i;
576 u_int32_t count, salt, l, r0, r1, keybuf[2];
577 u_char *p, *q;
578 static u_char output[21];
579 extern char *md5crypt(const char *, const char *);
580 extern char *bcrypt(const char *, const char *);
581
582 if (setting[0] == '$') {
583 switch (setting[1]) {
584 case '1':
585 return (md5crypt(key, setting));
586 default:
587 return bcrypt(key, setting);
588 }
589 }
590
591 if (!_des_initialised)
592 _des_init();
593
594 /*
595 * Copy the key, shifting each character up by one bit
596 * and padding with zeros.
597 */
598 q = (u_char *) keybuf;
599 while ((q - (u_char *) keybuf) < sizeof(keybuf)) {
600 if ((*q++ = *key << 1))
601 key++;
602 }
603 if (des_setkey((char *) keybuf))
604 return(NULL);
605
606 if (*setting == _PASSWORD_EFMT1) {
607 /*
608 * "new"-style:
609 * setting - underscore, 4 bytes of count, 4 bytes of salt
610 * key - unlimited characters
611 */
612 for (i = 1, count = 0; i < 5; i++)
613 count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
614
615 for (i = 5, salt = 0; i < 9; i++)
616 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
617
618 while (*key) {
619 /*
620 * Encrypt the key with itself.
621 */
622 if (des_cipher((char *)keybuf, (char *)keybuf, 0, 1))
623 return(NULL);
624 /*
625 * And XOR with the next 8 characters of the key.
626 */
627 q = (u_char *) keybuf;
628 while (((q - (u_char *) keybuf) < sizeof(keybuf)) &&
629 *key)
630 *q++ ^= *key++ << 1;
631
632 if (des_setkey((char *) keybuf))
633 return(NULL);
634 }
635 strlcpy((char *)output, setting, 10);
636
637 /*
638 * Double check that we weren't given a short setting.
639 * If we were, the above code will probably have created
640 * weird values for count and salt, but we don't really care.
641 * Just make sure the output string doesn't have an extra
642 * NUL in it.
643 */
644 p = output + strlen((const char *)output);
645 } else {
646 /*
647 * "old"-style:
648 * setting - 2 bytes of salt
649 * key - up to 8 characters
650 */
651 count = 25;
652
653 salt = (ascii_to_bin(setting[1]) << 6)
654 | ascii_to_bin(setting[0]);
655
656 output[0] = setting[0];
657 /*
658 * If the encrypted password that the salt was extracted from
659 * is only 1 character long, the salt will be corrupted. We
660 * need to ensure that the output string doesn't have an extra
661 * NUL in it!
662 */
663 output[1] = setting[1] ? setting[1] : output[0];
664
665 p = output + 2;
666 }
667 _des_setup_salt(salt);
668
669 /*
670 * Do it.
671 */
672 if (_des_do_des(0, 0, &r0, &r1, count))
673 return(NULL);
674 /*
675 * Now encode the result...
676 */
677 l = (r0 >> 8);
678 *p++ = ascii64[(l >> 18) & 0x3f];
679 *p++ = ascii64[(l >> 12) & 0x3f];
680 *p++ = ascii64[(l >> 6) & 0x3f];
681 *p++ = ascii64[l & 0x3f];
682
683 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
684 *p++ = ascii64[(l >> 18) & 0x3f];
685 *p++ = ascii64[(l >> 12) & 0x3f];
686 *p++ = ascii64[(l >> 6) & 0x3f];
687 *p++ = ascii64[l & 0x3f];
688
689 l = r1 << 2;
690 *p++ = ascii64[(l >> 12) & 0x3f];
691 *p++ = ascii64[(l >> 6) & 0x3f];
692 *p++ = ascii64[l & 0x3f];
693 *p = 0;
694
695 return((char *)output);
696}
diff --git a/src/lib/libc/crypt/crypt2.c b/src/lib/libc/crypt/crypt2.c
new file mode 100644
index 0000000000..f31818ae2b
--- /dev/null
+++ b/src/lib/libc/crypt/crypt2.c
@@ -0,0 +1,107 @@
1/* $OpenBSD: crypt2.c,v 1.4 2013/04/17 17:40:35 tedu Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#include <sys/types.h>
50#include <sys/param.h>
51#include <pwd.h>
52#include <unistd.h>
53#include <string.h>
54
55#ifdef DEBUG
56# include <stdio.h>
57#endif
58
59extern const u_char _des_bits8[8];
60extern const u_int32_t _des_bits32[32];
61extern int _des_initialised;
62void _des_init(void);
63void _des_setup_salt(int32_t salt);
64int _des_do_des(u_int32_t , u_int32_t , u_int32_t *, u_int32_t *, int);
65
66int
67setkey(const char *key)
68{
69 int i, j;
70 u_int32_t packed_keys[2];
71 u_char *p;
72
73 p = (u_char *) packed_keys;
74
75 for (i = 0; i < 8; i++) {
76 p[i] = 0;
77 for (j = 0; j < 8; j++)
78 if (*key++ & 1)
79 p[i] |= _des_bits8[j];
80 }
81 return(des_setkey((char *)p));
82}
83
84int
85encrypt(char *block, int flag)
86{
87 u_int32_t io[2];
88 u_char *p;
89 int i, j, retval;
90
91 if (!_des_initialised)
92 _des_init();
93
94 _des_setup_salt(0);
95 p = (u_char *)block;
96 for (i = 0; i < 2; i++) {
97 io[i] = 0L;
98 for (j = 0; j < 32; j++)
99 if (*p++ & 1)
100 io[i] |= _des_bits32[j];
101 }
102 retval = _des_do_des(io[0], io[1], io, io + 1, flag ? -1 : 1);
103 for (i = 0; i < 2; i++)
104 for (j = 0; j < 32; j++)
105 block[(i << 5) | j] = (io[i] & _des_bits32[j]) ? 1 : 0;
106 return(retval);
107}
diff --git a/src/lib/libc/crypt/md5crypt.c b/src/lib/libc/crypt/md5crypt.c
new file mode 100644
index 0000000000..a855835bcc
--- /dev/null
+++ b/src/lib/libc/crypt/md5crypt.c
@@ -0,0 +1,160 @@
1/* $OpenBSD: md5crypt.c,v 1.17 2014/04/03 15:55:29 beck Exp $ */
2
3/*
4 * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19/*
20 * If we meet some day, and you think this stuff is worth it, you
21 * can buy me a beer in return. Poul-Henning Kamp
22 */
23
24#include <unistd.h>
25#include <stdio.h>
26#include <string.h>
27#include <md5.h>
28#include <string.h>
29
30static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
31 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
32
33static void to64(char *, u_int32_t, int);
34
35static void
36to64(char *s, u_int32_t v, int n)
37{
38 while (--n >= 0) {
39 *s++ = itoa64[v&0x3f];
40 v >>= 6;
41 }
42}
43
44/*
45 * UNIX password
46 *
47 * Use MD5 for what it is best at...
48 */
49
50char *md5crypt(const char *pw, const char *salt);
51
52char *
53md5crypt(const char *pw, const char *salt)
54{
55 /*
56 * This string is the magic for this algorithm.
57 * Having it this way, we can get better later on.
58 */
59 static unsigned char *magic = (unsigned char *)"$1$";
60
61 static char passwd[120], *p;
62 static const unsigned char *sp,*ep;
63 unsigned char final[16];
64 int sl,pl,i;
65 MD5_CTX ctx,ctx1;
66 u_int32_t l;
67
68 /* Refine the salt first */
69 sp = (const unsigned char *)salt;
70
71 /* If it starts with the magic string, then skip that */
72 if(!strncmp((const char *)sp,(const char *)magic,strlen((const char *)magic)))
73 sp += strlen((const char *)magic);
74
75 /* It stops at the first '$', max 8 chars */
76 for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
77 continue;
78
79 /* get the length of the true salt */
80 sl = ep - sp;
81
82 MD5Init(&ctx);
83
84 /* The password first, since that is what is most unknown */
85 MD5Update(&ctx,(const unsigned char *)pw,strlen(pw));
86
87 /* Then our magic string */
88 MD5Update(&ctx,magic,strlen((const char *)magic));
89
90 /* Then the raw salt */
91 MD5Update(&ctx,sp,sl);
92
93 /* Then just as many characters of the MD5(pw,salt,pw) */
94 MD5Init(&ctx1);
95 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
96 MD5Update(&ctx1,sp,sl);
97 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
98 MD5Final(final,&ctx1);
99 for(pl = strlen(pw); pl > 0; pl -= 16)
100 MD5Update(&ctx,final,pl>16 ? 16 : pl);
101
102 /* Don't leave anything around in vm they could use. */
103 memset(final,0,sizeof final);
104
105 /* Then something really weird... */
106 for (i = strlen(pw); i ; i >>= 1)
107 if(i&1)
108 MD5Update(&ctx, final, 1);
109 else
110 MD5Update(&ctx, (const unsigned char *)pw, 1);
111
112 /* Now make the output string */
113 snprintf(passwd, sizeof(passwd), "%s%.*s$", (char *)magic,
114 sl, (const char *)sp);
115
116 MD5Final(final,&ctx);
117
118 /*
119 * And now, just to make sure things don't run too fast
120 * On a 60 MHz Pentium this takes 34 msec, so you would
121 * need 30 seconds to build a 1000 entry dictionary...
122 * On a modern machine, with possible GPU optimization,
123 * this will run a lot faster than that.
124 */
125 for(i=0;i<1000;i++) {
126 MD5Init(&ctx1);
127 if(i & 1)
128 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
129 else
130 MD5Update(&ctx1,final,16);
131
132 if(i % 3)
133 MD5Update(&ctx1,sp,sl);
134
135 if(i % 7)
136 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
137
138 if(i & 1)
139 MD5Update(&ctx1,final,16);
140 else
141 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
142 MD5Final(final,&ctx1);
143 }
144
145 p = passwd + strlen(passwd);
146
147 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
148 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
149 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
150 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
151 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
152 l = final[11] ; to64(p,l,2); p += 2;
153 *p = '\0';
154
155 /* Don't leave anything around in vm they could use. */
156 memset(final, 0, sizeof final);
157
158 return passwd;
159}
160
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-28 17:28:14 +0000