~mdw / termux-packages / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
git: Use PCRE (#2350)
[termux-packages] / packages / libcrypt / crypt3.c
CommitLineData
c497a759 1/**************************************************************************
492d2d5a
FF		 2* Implementation of crypt(3) using routines in libcrypto from openssl for
3* use on Android in Termux.
c497a759 4*
492d2d5a
FF		 5* https://www.freebsd.org/cgi/man.cgi?crypt(3)
6* http://man7.org/linux/man-pages/man3/crypt.3.html
c497a759 7*
492d2d5a 8* Relevant code is from FreeBSD with license given below.
c497a759
FF		 9**************************************************************************/
10
492d2d5a
FF		 11/*
12 * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include <arpa/inet.h>
37#include <errno.h>
38#include <stdint.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42#include <stdbool.h>
43#include <openssl/sha.h>
44#include <openssl/md5.h>
45
46/* START: Freebsd compat */
47typedef unsigned long u_long;
48#define MIN(a,b) (((a)<(b))?(a):(b))
49#define MAX(a,b) (((a)>(b))?(a):(b))
50#define MD5_SIZE 16
51#define _PASSWORD_EFMT1 '_'
52#define DES_SALT_ALPHABET \
53 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
54#define MD5Init MD5_Init
55#define MD5Update MD5_Update
56#define MD5Final MD5_Final
57/* END: Freebsd compat */
58
59
60/* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/misc.c */
61static char itoa64[] = /* 0 ... 63 => ascii - 64 */
62 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
63
64void
65_crypt_to64(char *s, u_long v, int n)
c497a759 66{
492d2d5a
FF		 67 while (--n >= 0) {
68 *s++ = itoa64[v&0x3f];
69 v >>= 6;
70 }
71}
72
73void
74b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp)
75{
76 uint32_t w;
77 int i;
78
79 w = (B2 << 16) | (B1 << 8) | B0;
80 for (i = 0; i < n; i++) {
81 **cp = itoa64[w&0x3f];
82 (*cp)++;
83 if ((*buflen)-- < 0)
84 break;
85 w >>= 6;
86 }
87}
88/* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/misc.c */
89
90
91/* START: https://github.com/freebsd/freebsd/blob/master/secure/lib/libcrypt/crypt-des.c */
92#if defined(__GNUC__) && !defined(lint)
93#define INLINE inline
94#else
95#define INLINE
96#endif
97
98static u_char IP[64] = {
99 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
100 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
101 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
102 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
c497a759
FF		 103};
104
492d2d5a
FF		 105static u_char inv_key_perm[64];
106static u_char key_perm[56] = {
107 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
108 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
109 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
110 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
c497a759
FF		 111};
112
492d2d5a
FF		 113static u_char key_shifts[16] = {
114 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
c497a759
FF		 115};
116
492d2d5a
FF		 117static u_char inv_comp_perm[56];
118static u_char comp_perm[48] = {
119 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
120 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
121 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
122 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
c497a759
FF		 123};
124
492d2d5a
FF		 125/*
126 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
127 */
c497a759 128
492d2d5a
FF		 129static u_char u_sbox[8][64];
130static u_char sbox[8][64] = {
131 {
132 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
133 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
134 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
135 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
136 },
137 {
138 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
139 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
140 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
141 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
142 },
143 {
144 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
145 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
146 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
147 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
148 },
149 {
150 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
151 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
152 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
153 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
154 },
155 {
156 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
157 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
158 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
159 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
160 },
161 {
162 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
163 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
164 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
165 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
166 },
167 {
168 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
169 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
170 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
171 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
172 },
173 {
174 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
175 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
176 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
177 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
178 }
c497a759
FF		 179};
180
492d2d5a
FF		 181static u_char un_pbox[32];
182static u_char pbox[32] = {
183 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
184 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
185};
186
187static u_int32_t bits32[32] =
c497a759 188{
492d2d5a
FF		 189 0x80000000, 0x40000000, 0x20000000, 0x10000000,
190 0x08000000, 0x04000000, 0x02000000, 0x01000000,
191 0x00800000, 0x00400000, 0x00200000, 0x00100000,
192 0x00080000, 0x00040000, 0x00020000, 0x00010000,
193 0x00008000, 0x00004000, 0x00002000, 0x00001000,
194 0x00000800, 0x00000400, 0x00000200, 0x00000100,
195 0x00000080, 0x00000040, 0x00000020, 0x00000010,
196 0x00000008, 0x00000004, 0x00000002, 0x00000001
c497a759
FF		 197};
198
492d2d5a
FF		 199static u_char bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
200
201static u_int32_t saltbits;
202static u_int32_t old_salt;
203static u_int32_t *bits28, *bits24;
204static u_char init_perm[64], final_perm[64];
205static u_int32_t en_keysl[16], en_keysr[16];
206static u_int32_t de_keysl[16], de_keysr[16];
207static int des_initialised = 0;
208static u_char m_sbox[4][4096];
209static u_int32_t psbox[4][256];
210static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
211static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
212static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
213static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
214static u_int32_t old_rawkey0, old_rawkey1;
c497a759 215
492d2d5a
FF		 216static u_char ascii64[] =
217 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
218/* 0000000000111111111122222222223333333333444444444455555555556666 */
219/* 0123456789012345678901234567890123456789012345678901234567890123 */
c497a759 220
492d2d5a
FF		 221static INLINE int
222ascii_to_bin(char ch)
c497a759 223{
492d2d5a
FF		 224 if (ch > 'z')
225 return(0);
226 if (ch >= 'a')
227 return(ch - 'a' + 38);
228 if (ch > 'Z')
229 return(0);
230 if (ch >= 'A')
231 return(ch - 'A' + 12);
232 if (ch > '9')
233 return(0);
234 if (ch >= '.')
235 return(ch - '.');
236 return(0);
237}
c497a759 238
492d2d5a
FF		 239static void
240des_init(void)
c497a759 241{
492d2d5a
FF		 242 int i, j, b, k, inbit, obit;
243 u_int32_t *p, *il, *ir, *fl, *fr;
244
245 old_rawkey0 = old_rawkey1 = 0L;
246 saltbits = 0L;
247 old_salt = 0L;
248 bits24 = (bits28 = bits32 + 4) + 4;
249
250 /*
251 * Invert the S-boxes, reordering the input bits.
252 */
253 for (i = 0; i < 8; i++)
254 for (j = 0; j < 64; j++) {
255 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
256 u_sbox[i][j] = sbox[i][b];
257 }
258
259 /*
260 * Convert the inverted S-boxes into 4 arrays of 8 bits.
261 * Each will handle 12 bits of the S-box input.
262 */
263 for (b = 0; b < 4; b++)
264 for (i = 0; i < 64; i++)
265 for (j = 0; j < 64; j++)
266 m_sbox[b][(i << 6) | j] =
267 (u_char)((u_sbox[(b << 1)][i] << 4) |
268 u_sbox[(b << 1) + 1][j]);
269
270 /*
271 * Set up the initial & final permutations into a useful form, and
272 * initialise the inverted key permutation.
273 */
274 for (i = 0; i < 64; i++) {
275 init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
276 inv_key_perm[i] = 255;
277 }
278
279 /*
280 * Invert the key permutation and initialise the inverted key
281 * compression permutation.
282 */
283 for (i = 0; i < 56; i++) {
284 inv_key_perm[key_perm[i] - 1] = (u_char)i;
285 inv_comp_perm[i] = 255;
286 }
287
288 /*
289 * Invert the key compression permutation.
290 */
291 for (i = 0; i < 48; i++) {
292 inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
293 }
294
295 /*
296 * Set up the OR-mask arrays for the initial and final permutations,
297 * and for the key initial and compression permutations.
298 */
299 for (k = 0; k < 8; k++) {
300 for (i = 0; i < 256; i++) {
301 *(il = &ip_maskl[k][i]) = 0L;
302 *(ir = &ip_maskr[k][i]) = 0L;
303 *(fl = &fp_maskl[k][i]) = 0L;
304 *(fr = &fp_maskr[k][i]) = 0L;
305 for (j = 0; j < 8; j++) {
306 inbit = 8 * k + j;
307 if (i & bits8[j]) {
308 if ((obit = init_perm[inbit]) < 32)
309 *il |= bits32[obit];
310 else
311 *ir |= bits32[obit-32];
312 if ((obit = final_perm[inbit]) < 32)
313 *fl |= bits32[obit];
314 else
315 *fr |= bits32[obit - 32];
316 }
317 }
318 }
319 for (i = 0; i < 128; i++) {
320 *(il = &key_perm_maskl[k][i]) = 0L;
321 *(ir = &key_perm_maskr[k][i]) = 0L;
322 for (j = 0; j < 7; j++) {
323 inbit = 8 * k + j;
324 if (i & bits8[j + 1]) {
325 if ((obit = inv_key_perm[inbit]) == 255)
326 continue;
327 if (obit < 28)
328 *il |= bits28[obit];
329 else
330 *ir |= bits28[obit - 28];
331 }
332 }
333 *(il = &comp_maskl[k][i]) = 0L;
334 *(ir = &comp_maskr[k][i]) = 0L;
335 for (j = 0; j < 7; j++) {
336 inbit = 7 * k + j;
337 if (i & bits8[j + 1]) {
338 if ((obit=inv_comp_perm[inbit]) == 255)
339 continue;
340 if (obit < 24)
341 *il |= bits24[obit];
342 else
343 *ir |= bits24[obit - 24];
344 }
345 }
346 }
347 }
348
349 /*
350 * Invert the P-box permutation, and convert into OR-masks for
351 * handling the output of the S-box arrays setup above.
352 */
353 for (i = 0; i < 32; i++)
354 un_pbox[pbox[i] - 1] = (u_char)i;
355
356 for (b = 0; b < 4; b++)
357 for (i = 0; i < 256; i++) {
358 *(p = &psbox[b][i]) = 0L;
359 for (j = 0; j < 8; j++) {
360 if (i & bits8[j])
361 *p |= bits32[un_pbox[8 * b + j]];
362 }
363 }
364
365 des_initialised = 1;
c497a759
FF		 366}
367
492d2d5a
FF		 368static void
369setup_salt(u_int32_t salt)
370{
371 u_int32_t obit, saltbit;
372 int i;
c497a759 373
492d2d5a
FF		 374 if (salt == old_salt)
375 return;
376 old_salt = salt;
377
378 saltbits = 0L;
379 saltbit = 1;
380 obit = 0x800000;
381 for (i = 0; i < 24; i++) {
382 if (salt & saltbit)
383 saltbits |= obit;
384 saltbit <<= 1;
385 obit >>= 1;
386 }
387}
388
389static int
390des_setkey(const char *key)
c497a759 391{
492d2d5a
FF		 392 u_int32_t k0, k1, rawkey0, rawkey1;
393 int shifts, round;
c497a759 394
492d2d5a
FF		 395 if (!des_initialised)
396 des_init();
397
398 rawkey0 = ntohl(*(const u_int32_t *) key);
399 rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
400
401 if ((rawkey0 | rawkey1)
402 && rawkey0 == old_rawkey0
403 && rawkey1 == old_rawkey1) {
404 /*
405 * Already setup for this key.
406 * This optimisation fails on a zero key (which is weak and
407 * has bad parity anyway) in order to simplify the starting
408 * conditions.
409 */
410 return(0);
411 }
412 old_rawkey0 = rawkey0;
413 old_rawkey1 = rawkey1;
414
415 /*
416 * Do key permutation and split into two 28-bit subkeys.
417 */
418 k0 = key_perm_maskl[0][rawkey0 >> 25]
419 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
420 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
421 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
422 | key_perm_maskl[4][rawkey1 >> 25]
423 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
424 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
425 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
426 k1 = key_perm_maskr[0][rawkey0 >> 25]
427 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
428 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
429 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
430 | key_perm_maskr[4][rawkey1 >> 25]
431 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
432 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
433 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
434 /*
435 * Rotate subkeys and do compression permutation.
436 */
437 shifts = 0;
438 for (round = 0; round < 16; round++) {
439 u_int32_t t0, t1;
440
441 shifts += key_shifts[round];
442
443 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
444 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
445
446 de_keysl[15 - round] =
447 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
448 | comp_maskl[1][(t0 >> 14) & 0x7f]
449 | comp_maskl[2][(t0 >> 7) & 0x7f]
450 | comp_maskl[3][t0 & 0x7f]
451 | comp_maskl[4][(t1 >> 21) & 0x7f]
452 | comp_maskl[5][(t1 >> 14) & 0x7f]
453 | comp_maskl[6][(t1 >> 7) & 0x7f]
454 | comp_maskl[7][t1 & 0x7f];
455
456 de_keysr[15 - round] =
457 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
458 | comp_maskr[1][(t0 >> 14) & 0x7f]
459 | comp_maskr[2][(t0 >> 7) & 0x7f]
460 | comp_maskr[3][t0 & 0x7f]
461 | comp_maskr[4][(t1 >> 21) & 0x7f]
462 | comp_maskr[5][(t1 >> 14) & 0x7f]
463 | comp_maskr[6][(t1 >> 7) & 0x7f]
464 | comp_maskr[7][t1 & 0x7f];
465 }
466 return(0);
467}
468
469static int
470do_des( u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
c497a759 471{
492d2d5a
FF		 472 /*
473 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
474 */
475 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
476 u_int32_t f, r48l, r48r;
477 int round;
c497a759 478
492d2d5a
FF		 479 if (count == 0) {
480 return(1);
481 } else if (count > 0) {
482 /*
483 * Encrypting
484 */
485 kl1 = en_keysl;
486 kr1 = en_keysr;
487 } else {
488 /*
489 * Decrypting
490 */
491 count = -count;
492 kl1 = de_keysl;
493 kr1 = de_keysr;
494 }
c497a759 495
492d2d5a
FF		 496 /*
497 * Do initial permutation (IP).
498 */
499 l = ip_maskl[0][l_in >> 24]
500 | ip_maskl[1][(l_in >> 16) & 0xff]
501 | ip_maskl[2][(l_in >> 8) & 0xff]
502 | ip_maskl[3][l_in & 0xff]
503 | ip_maskl[4][r_in >> 24]
504 | ip_maskl[5][(r_in >> 16) & 0xff]
505 | ip_maskl[6][(r_in >> 8) & 0xff]
506 | ip_maskl[7][r_in & 0xff];
507 r = ip_maskr[0][l_in >> 24]
508 | ip_maskr[1][(l_in >> 16) & 0xff]
509 | ip_maskr[2][(l_in >> 8) & 0xff]
510 | ip_maskr[3][l_in & 0xff]
511 | ip_maskr[4][r_in >> 24]
512 | ip_maskr[5][(r_in >> 16) & 0xff]
513 | ip_maskr[6][(r_in >> 8) & 0xff]
514 | ip_maskr[7][r_in & 0xff];
515
516 while (count--) {
517 /*
518 * Do each round.
519 */
520 kl = kl1;
521 kr = kr1;
522 round = 16;
523 while (round--) {
524 /*
525 * Expand R to 48 bits (simulate the E-box).
526 */
527 r48l = ((r & 0x00000001) << 23)
528 | ((r & 0xf8000000) >> 9)
529 | ((r & 0x1f800000) >> 11)
530 | ((r & 0x01f80000) >> 13)
531 | ((r & 0x001f8000) >> 15);
532
533 r48r = ((r & 0x0001f800) << 7)
534 | ((r & 0x00001f80) << 5)
535 | ((r & 0x000001f8) << 3)
536 | ((r & 0x0000001f) << 1)
537 | ((r & 0x80000000) >> 31);
538 /*
539 * Do salting for crypt() and friends, and
540 * XOR with the permuted key.
541 */
542 f = (r48l ^ r48r) & saltbits;
543 r48l ^= f ^ *kl++;
544 r48r ^= f ^ *kr++;
545 /*
546 * Do sbox lookups (which shrink it back to 32 bits)
547 * and do the pbox permutation at the same time.
548 */
549 f = psbox[0][m_sbox[0][r48l >> 12]]
550 | psbox[1][m_sbox[1][r48l & 0xfff]]
551 | psbox[2][m_sbox[2][r48r >> 12]]
552 | psbox[3][m_sbox[3][r48r & 0xfff]];
553 /*
554 * Now that we've permuted things, complete f().
555 */
556 f ^= l;
557 l = r;
558 r = f;
559 }
560 r = l;
561 l = f;
562 }
563 /*
564 * Do final permutation (inverse of IP).
565 */
566 *l_out = fp_maskl[0][l >> 24]
567 | fp_maskl[1][(l >> 16) & 0xff]
568 | fp_maskl[2][(l >> 8) & 0xff]
569 | fp_maskl[3][l & 0xff]
570 | fp_maskl[4][r >> 24]
571 | fp_maskl[5][(r >> 16) & 0xff]
572 | fp_maskl[6][(r >> 8) & 0xff]
573 | fp_maskl[7][r & 0xff];
574 *r_out = fp_maskr[0][l >> 24]
575 | fp_maskr[1][(l >> 16) & 0xff]
576 | fp_maskr[2][(l >> 8) & 0xff]
577 | fp_maskr[3][l & 0xff]
578 | fp_maskr[4][r >> 24]
579 | fp_maskr[5][(r >> 16) & 0xff]
580 | fp_maskr[6][(r >> 8) & 0xff]
581 | fp_maskr[7][r & 0xff];
582 return(0);
583}
584
585static int
586des_cipher(const char *in, char *out, u_long salt, int count)
c497a759 587{
492d2d5a
FF		 588 u_int32_t l_out, r_out, rawl, rawr;
589 int retval;
590 union {
591 u_int32_t *ui32;
592 const char *c;
593 } trans;
594
595 if (!des_initialised)
596 des_init();
597
598 setup_salt(salt);
599
600 trans.c = in;
601 rawl = ntohl(*trans.ui32++);
602 rawr = ntohl(*trans.ui32);
603
604 retval = do_des(rawl, rawr, &l_out, &r_out, count);
605
606 trans.c = out;
607 *trans.ui32++ = htonl(l_out);
608 *trans.ui32 = htonl(r_out);
609 return(retval);
c497a759
FF		 610}
611
492d2d5a
FF		 612char *
613crypt_des(const char *key, const char *setting)
c497a759 614{
492d2d5a
FF		 615 int i;
616 u_int32_t count, salt, l, r0, r1, keybuf[2];
617 u_char *p, *q;
618 static char output[21];
619
620 if (!des_initialised)
621 des_init();
622
623 /*
624 * Copy the key, shifting each character up by one bit
625 * and padding with zeros.
626 */
627 q = (u_char *)keybuf;
628 while (q - (u_char *)keybuf - 8) {
629 *q++ = *key << 1;
630 if (*key != '\0')
631 key++;
632 }
633 if (des_setkey((char *)keybuf))
634 return(NULL);
635
636 if (*setting == _PASSWORD_EFMT1) {
637 /*
638 * "new"-style:
639 * setting - underscore, 4 bytes of count, 4 bytes of salt
640 * key - unlimited characters
641 */
642 for (i = 1, count = 0L; i < 5; i++)
643 count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
644
645 for (i = 5, salt = 0L; i < 9; i++)
646 salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
647
648 while (*key) {
649 /*
650 * Encrypt the key with itself.
651 */
652 if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
653 return(NULL);
654 /*
655 * And XOR with the next 8 characters of the key.
656 */
657 q = (u_char *)keybuf;
658 while (q - (u_char *)keybuf - 8 && *key)
659 *q++ ^= *key++ << 1;
660
661 if (des_setkey((char *)keybuf))
662 return(NULL);
663 }
664 strncpy(output, setting, 9);
665
666 /*
667 * Double check that we weren't given a short setting.
668 * If we were, the above code will probably have created
669 * wierd values for count and salt, but we don't really care.
670 * Just make sure the output string doesn't have an extra
671 * NUL in it.
672 */
673 output[9] = '\0';
674 p = (u_char *)output + strlen(output);
675 } else {
676 /*
677 * "old"-style:
678 * setting - 2 bytes of salt
679 * key - up to 8 characters
680 */
681 count = 25;
682
683 salt = (ascii_to_bin(setting[1]) << 6)
684 | ascii_to_bin(setting[0]);
685
686 output[0] = setting[0];
687 /*
688 * If the encrypted password that the salt was extracted from
689 * is only 1 character long, the salt will be corrupted. We
690 * need to ensure that the output string doesn't have an extra
691 * NUL in it!
692 */
693 output[1] = setting[1] ? setting[1] : output[0];
694
695 p = (u_char *)output + 2;
696 }
697 setup_salt(salt);
698 /*
699 * Do it.
700 */
701 if (do_des(0L, 0L, &r0, &r1, (int)count))
702 return(NULL);
703 /*
704 * Now encode the result...
705 */
706 l = (r0 >> 8);
707 *p++ = ascii64[(l >> 18) & 0x3f];
708 *p++ = ascii64[(l >> 12) & 0x3f];
709 *p++ = ascii64[(l >> 6) & 0x3f];
710 *p++ = ascii64[l & 0x3f];
711
712 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
713 *p++ = ascii64[(l >> 18) & 0x3f];
714 *p++ = ascii64[(l >> 12) & 0x3f];
715 *p++ = ascii64[(l >> 6) & 0x3f];
716 *p++ = ascii64[l & 0x3f];
717
718 l = r1 << 2;
719 *p++ = ascii64[(l >> 12) & 0x3f];
720 *p++ = ascii64[(l >> 6) & 0x3f];
721 *p++ = ascii64[l & 0x3f];
722 *p = 0;
723
724 return(output);
725}
726/* END: https://github.com/freebsd/freebsd/blob/master/secure/lib/libcrypt/crypt-des.c */
727
728
729/* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-md5.c */
730char *
731crypt_md5(const char *pw, const char *salt)
732{
733 MD5_CTX ctx,ctx1;
734 unsigned long l;
735 int sl, pl;
736 u_int i;
737 u_char final[MD5_SIZE];
738 static const char *sp, *ep;
739 static char passwd[120], *p;
740 static const char *magic = "$1$";
741
742 /* Refine the Salt first */
743 sp = salt;
744
745 /* If it starts with the magic string, then skip that */
746 if(!strncmp(sp, magic, strlen(magic)))
747 sp += strlen(magic);
748
749 /* It stops at the first '$', max 8 chars */
750 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
751 continue;
752
753 /* get the length of the true salt */
754 sl = ep - sp;
755
756 MD5Init(&ctx);
757
758 /* The password first, since that is what is most unknown */
759 MD5Update(&ctx, (const u_char *)pw, strlen(pw));
760
761 /* Then our magic string */
762 MD5Update(&ctx, (const u_char *)magic, strlen(magic));
763
764 /* Then the raw salt */
765 MD5Update(&ctx, (const u_char *)sp, (u_int)sl);
766
767 /* Then just as many characters of the MD5(pw,salt,pw) */
768 MD5Init(&ctx1);
769 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
770 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
771 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
772 MD5Final(final, &ctx1);
773 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
774 MD5Update(&ctx, (const u_char *)final,
775 (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl));
776
777 /* Don't leave anything around in vm they could use. */
778 memset(final, 0, sizeof(final));
779
780 /* Then something really weird... */
781 for (i = strlen(pw); i; i >>= 1)
782 if(i & 1)
783 MD5Update(&ctx, (const u_char *)final, 1);
784 else
785 MD5Update(&ctx, (const u_char *)pw, 1);
786
787 /* Now make the output string */
788 strcpy(passwd, magic);
789 strncat(passwd, sp, (u_int)sl);
790 strcat(passwd, "$");
791
792 MD5Final(final, &ctx);
793
794 /*
795 * and now, just to make sure things don't run too fast
796 * On a 60 Mhz Pentium this takes 34 msec, so you would
797 * need 30 seconds to build a 1000 entry dictionary...
798 */
799 for(i = 0; i < 1000; i++) {
800 MD5Init(&ctx1);
801 if(i & 1)
802 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
803 else
804 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
805
806 if(i % 3)
807 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
808
809 if(i % 7)
810 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
811
812 if(i & 1)
813 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
814 else
815 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
816 MD5Final(final, &ctx1);
817 }
818
819 p = passwd + strlen(passwd);
820
821 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
822 _crypt_to64(p, l, 4); p += 4;
823 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
824 _crypt_to64(p, l, 4); p += 4;
825 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
826 _crypt_to64(p, l, 4); p += 4;
827 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
828 _crypt_to64(p, l, 4); p += 4;
829 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
830 _crypt_to64(p, l, 4); p += 4;
831 l = final[11];
832 _crypt_to64(p, l, 2); p += 2;
833 *p = '\0';
834
835 /* Don't leave anything around in vm they could use. */
836 memset(final, 0, sizeof(final));
837
838 return (passwd);
839}
840/* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-md5.c */
841
842
843/* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha256.c */
844static const char sha256_salt_prefix[] = "$5$";
845
846/* Prefix for optional rounds specification. */
847static const char sha256_rounds_prefix[] = "rounds=";
848
849/* Maximum salt string length. */
850#define SALT_LEN_MAX 16
851/* Default number of rounds if not explicitly specified. */
852#define ROUNDS_DEFAULT 5000
853/* Minimum number of rounds. */
854#define ROUNDS_MIN 1000
855/* Maximum number of rounds. */
856#define ROUNDS_MAX 999999999
857
858static char *
859crypt_sha256_r(const char *key, const char *salt, char *buffer, int buflen)
860{
861 u_long srounds;
862 int n;
863 uint8_t alt_result[32], temp_result[32];
864 SHA256_CTX ctx, alt_ctx;
865 size_t salt_len, key_len, cnt, rounds;
866 char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
867 const char *num;
868 bool rounds_custom;
869
870 copied_key = NULL;
871 copied_salt = NULL;
872
873 /* Default number of rounds. */
874 rounds = ROUNDS_DEFAULT;
875 rounds_custom = false;
876
877 /* Find beginning of salt string. The prefix should normally always
878 * be present. Just in case it is not. */
879 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
880 /* Skip salt prefix. */
881 salt += sizeof(sha256_salt_prefix) - 1;
882
883 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
884 == 0) {
885 num = salt + sizeof(sha256_rounds_prefix) - 1;
886 srounds = strtoul(num, &endp, 10);
887
888 if (*endp == '$') {
889 salt = endp + 1;
890 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
891 rounds_custom = true;
892 }
893 }
894
895 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
896 key_len = strlen(key);
897
898 /* Prepare for the real work. */
899 SHA256_Init(&ctx);
900
901 /* Add the key string. */
902 SHA256_Update(&ctx, key, key_len);
903
904 /* The last part is the salt string. This must be at most 8
905 * characters and it ends at the first `$' character (for
906 * compatibility with existing implementations). */
907 SHA256_Update(&ctx, salt, salt_len);
908
909 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
910 * final result will be added to the first context. */
911 SHA256_Init(&alt_ctx);
912
913 /* Add key. */
914 SHA256_Update(&alt_ctx, key, key_len);
915
916 /* Add salt. */
917 SHA256_Update(&alt_ctx, salt, salt_len);
918
919 /* Add key again. */
920 SHA256_Update(&alt_ctx, key, key_len);
921
922 /* Now get result of this (32 bytes) and add it to the other context. */
923 SHA256_Final(alt_result, &alt_ctx);
924
925 /* Add for any character in the key one byte of the alternate sum. */
926 for (cnt = key_len; cnt > 32; cnt -= 32)
927 SHA256_Update(&ctx, alt_result, 32);
928 SHA256_Update(&ctx, alt_result, cnt);
929
930 /* Take the binary representation of the length of the key and for
931 * every 1 add the alternate sum, for every 0 the key. */
932 for (cnt = key_len; cnt > 0; cnt >>= 1)
933 if ((cnt & 1) != 0)
934 SHA256_Update(&ctx, alt_result, 32);
935 else
936 SHA256_Update(&ctx, key, key_len);
937
938 /* Create intermediate result. */
939 SHA256_Final(alt_result, &ctx);
940
941 /* Start computation of P byte sequence. */
942 SHA256_Init(&alt_ctx);
943
944 /* For every character in the password add the entire password. */
945 for (cnt = 0; cnt < key_len; ++cnt)
946 SHA256_Update(&alt_ctx, key, key_len);
947
948 /* Finish the digest. */
949 SHA256_Final(temp_result, &alt_ctx);
950
951 /* Create byte sequence P. */
952 cp = p_bytes = alloca(key_len);
953 for (cnt = key_len; cnt >= 32; cnt -= 32) {
954 memcpy(cp, temp_result, 32);
955 cp += 32;
956 }
957 memcpy(cp, temp_result, cnt);
958
959 /* Start computation of S byte sequence. */
960 SHA256_Init(&alt_ctx);
961
962 /* For every character in the password add the entire password. */
963 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
964 SHA256_Update(&alt_ctx, salt, salt_len);
965
966 /* Finish the digest. */
967 SHA256_Final(temp_result, &alt_ctx);
968
969 /* Create byte sequence S. */
970 cp = s_bytes = alloca(salt_len);
971 for (cnt = salt_len; cnt >= 32; cnt -= 32) {
972 memcpy(cp, temp_result, 32);
973 cp += 32;
974 }
975 memcpy(cp, temp_result, cnt);
976
977 /* Repeatedly run the collected hash value through SHA256 to burn CPU
978 * cycles. */
979 for (cnt = 0; cnt < rounds; ++cnt) {
980 /* New context. */
981 SHA256_Init(&ctx);
982
983 /* Add key or last result. */
984 if ((cnt & 1) != 0)
985 SHA256_Update(&ctx, p_bytes, key_len);
986 else
987 SHA256_Update(&ctx, alt_result, 32);
988
989 /* Add salt for numbers not divisible by 3. */
990 if (cnt % 3 != 0)
991 SHA256_Update(&ctx, s_bytes, salt_len);
992
993 /* Add key for numbers not divisible by 7. */
994 if (cnt % 7 != 0)
995 SHA256_Update(&ctx, p_bytes, key_len);
996
997 /* Add key or last result. */
998 if ((cnt & 1) != 0)
999 SHA256_Update(&ctx, alt_result, 32);
1000 else
1001 SHA256_Update(&ctx, p_bytes, key_len);
1002
1003 /* Create intermediate result. */
1004 SHA256_Final(alt_result, &ctx);
1005 }
1006
1007 /* Now we can construct the result string. It consists of three
1008 * parts. */
1009 cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1010 buflen -= sizeof(sha256_salt_prefix) - 1;
1011
1012 if (rounds_custom) {
1013 n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1014 sha256_rounds_prefix, rounds);
1015
1016 cp += n;
1017 buflen -= n;
1018 }
1019
1020 cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
1021 buflen -= MIN((size_t)MAX(0, buflen), salt_len);
1022
1023 if (buflen > 0) {
1024 *cp++ = '$';
1025 --buflen;
1026 }
1027
1028 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4, &buflen, &cp);
1029 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4, &buflen, &cp);
1030 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4, &buflen, &cp);
1031 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4, &buflen, &cp);
1032 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4, &buflen, &cp);
1033 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4, &buflen, &cp);
1034 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4, &buflen, &cp);
1035 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4, &buflen, &cp);
1036 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4, &buflen, &cp);
1037 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4, &buflen, &cp);
1038 b64_from_24bit(0, alt_result[31], alt_result[30], 3, &buflen, &cp);
1039 if (buflen <= 0) {
1040 errno = ERANGE;
1041 buffer = NULL;
1042 }
1043 else
1044 *cp = '\0'; /* Terminate the string. */
1045
1046 /* Clear the buffer for the intermediate result so that people
1047 * attaching to processes or reading core dumps cannot get any
1048 * information. We do it in this way to clear correct_words[] inside
1049 * the SHA256 implementation as well. */
1050 SHA256_Init(&ctx);
1051 SHA256_Final(alt_result, &ctx);
1052 memset(temp_result, '\0', sizeof(temp_result));
1053 memset(p_bytes, '\0', key_len);
1054 memset(s_bytes, '\0', salt_len);
1055 memset(&ctx, '\0', sizeof(ctx));
1056 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1057 if (copied_key != NULL)
1058 memset(copied_key, '\0', key_len);
1059 if (copied_salt != NULL)
1060 memset(copied_salt, '\0', salt_len);
1061
1062 return buffer;
1063}
1064
1065/* This entry point is equivalent to crypt(3). */
1066char* crypt_sha256(const char *key, const char *salt)
1067{
1068 /* We don't want to have an arbitrary limit in the size of the
1069 * password. We can compute an upper bound for the size of the
1070 * result in advance and so we can prepare the buffer we pass to
1071 * `crypt_sha256_r'. */
1072 static char *buffer;
1073 static int buflen;
1074 int needed;
1075 char *new_buffer;
1076
1077 needed = (sizeof(sha256_salt_prefix) - 1
1078 + sizeof(sha256_rounds_prefix) + 9 + 1
1079 + strlen(salt) + 1 + 43 + 1);
1080
1081 if (buflen < needed) {
1082 new_buffer = (char *)realloc(buffer, needed);
1083
1084 if (new_buffer == NULL)
1085 return NULL;
1086
1087 buffer = new_buffer;
1088 buflen = needed;
1089 }
1090
1091 return crypt_sha256_r(key, salt, buffer, buflen);
1092}
1093/* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha256.c */
1094
1095
1096/* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha512.c */
1097/* Define our magic string to mark salt for SHA512 "encryption" replacement. */
1098static const char sha512_salt_prefix[] = "$6$";
1099
1100/* Prefix for optional rounds specification. */
1101static const char sha512_rounds_prefix[] = "rounds=";
1102
1103/* Maximum salt string length. */
1104#define SALT_LEN_MAX 16
1105/* Default number of rounds if not explicitly specified. */
1106#define ROUNDS_DEFAULT 5000
1107/* Minimum number of rounds. */
1108#define ROUNDS_MIN 1000
1109/* Maximum number of rounds. */
1110#define ROUNDS_MAX 999999999
1111
1112static char *
1113crypt_sha512_r(const char *key, const char *salt, char *buffer, int buflen)
1114{
1115 u_long srounds;
1116 int n;
1117 uint8_t alt_result[64], temp_result[64];
1118 SHA512_CTX ctx, alt_ctx;
1119 size_t salt_len, key_len, cnt, rounds;
1120 char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
1121 const char *num;
1122 bool rounds_custom;
1123
1124 copied_key = NULL;
1125 copied_salt = NULL;
1126
1127 /* Default number of rounds. */
1128 rounds = ROUNDS_DEFAULT;
1129 rounds_custom = false;
1130
1131 /* Find beginning of salt string. The prefix should normally always
1132 * be present. Just in case it is not. */
1133 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
1134 /* Skip salt prefix. */
1135 salt += sizeof(sha512_salt_prefix) - 1;
1136
1137 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
1138 == 0) {
1139 num = salt + sizeof(sha512_rounds_prefix) - 1;
1140 srounds = strtoul(num, &endp, 10);
1141
1142 if (*endp == '$') {
1143 salt = endp + 1;
1144 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
1145 rounds_custom = true;
1146 }
1147 }
1148
1149 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
1150 key_len = strlen(key);
1151
1152 /* Prepare for the real work. */
1153 SHA512_Init(&ctx);
1154
1155 /* Add the key string. */
1156 SHA512_Update(&ctx, key, key_len);
1157
1158 /* The last part is the salt string. This must be at most 8
1159 * characters and it ends at the first `$' character (for
1160 * compatibility with existing implementations). */
1161 SHA512_Update(&ctx, salt, salt_len);
1162
1163 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
1164 * final result will be added to the first context. */
1165 SHA512_Init(&alt_ctx);
1166
1167 /* Add key. */
1168 SHA512_Update(&alt_ctx, key, key_len);
1169
1170 /* Add salt. */
1171 SHA512_Update(&alt_ctx, salt, salt_len);
1172
1173 /* Add key again. */
1174 SHA512_Update(&alt_ctx, key, key_len);
1175
1176 /* Now get result of this (64 bytes) and add it to the other context. */
1177 SHA512_Final(alt_result, &alt_ctx);
1178
1179 /* Add for any character in the key one byte of the alternate sum. */
1180 for (cnt = key_len; cnt > 64; cnt -= 64)
1181 SHA512_Update(&ctx, alt_result, 64);
1182 SHA512_Update(&ctx, alt_result, cnt);
1183
1184 /* Take the binary representation of the length of the key and for
1185 * every 1 add the alternate sum, for every 0 the key. */
1186 for (cnt = key_len; cnt > 0; cnt >>= 1)
1187 if ((cnt & 1) != 0)
1188 SHA512_Update(&ctx, alt_result, 64);
1189 else
1190 SHA512_Update(&ctx, key, key_len);
1191
1192 /* Create intermediate result. */
1193 SHA512_Final(alt_result, &ctx);
1194
1195 /* Start computation of P byte sequence. */
1196 SHA512_Init(&alt_ctx);
1197
1198 /* For every character in the password add the entire password. */
1199 for (cnt = 0; cnt < key_len; ++cnt)
1200 SHA512_Update(&alt_ctx, key, key_len);
1201
1202 /* Finish the digest. */
1203 SHA512_Final(temp_result, &alt_ctx);
1204
1205 /* Create byte sequence P. */
1206 cp = p_bytes = alloca(key_len);
1207 for (cnt = key_len; cnt >= 64; cnt -= 64) {
1208 memcpy(cp, temp_result, 64);
1209 cp += 64;
1210 }
1211 memcpy(cp, temp_result, cnt);
1212
1213 /* Start computation of S byte sequence. */
1214 SHA512_Init(&alt_ctx);
1215
1216 /* For every character in the password add the entire password. */
1217 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
1218 SHA512_Update(&alt_ctx, salt, salt_len);
1219
1220 /* Finish the digest. */
1221 SHA512_Final(temp_result, &alt_ctx);
1222
1223 /* Create byte sequence S. */
1224 cp = s_bytes = alloca(salt_len);
1225 for (cnt = salt_len; cnt >= 64; cnt -= 64) {
1226 memcpy(cp, temp_result, 64);
1227 cp += 64;
1228 }
1229 memcpy(cp, temp_result, cnt);
1230
1231 /* Repeatedly run the collected hash value through SHA512 to burn CPU
1232 * cycles. */
1233 for (cnt = 0; cnt < rounds; ++cnt) {
1234 /* New context. */
1235 SHA512_Init(&ctx);
1236
1237 /* Add key or last result. */
1238 if ((cnt & 1) != 0)
1239 SHA512_Update(&ctx, p_bytes, key_len);
1240 else
1241 SHA512_Update(&ctx, alt_result, 64);
1242
1243 /* Add salt for numbers not divisible by 3. */
1244 if (cnt % 3 != 0)
1245 SHA512_Update(&ctx, s_bytes, salt_len);
1246
1247 /* Add key for numbers not divisible by 7. */
1248 if (cnt % 7 != 0)
1249 SHA512_Update(&ctx, p_bytes, key_len);
1250
1251 /* Add key or last result. */
1252 if ((cnt & 1) != 0)
1253 SHA512_Update(&ctx, alt_result, 64);
1254 else
1255 SHA512_Update(&ctx, p_bytes, key_len);
1256
1257 /* Create intermediate result. */
1258 SHA512_Final(alt_result, &ctx);
1259 }
1260
1261 /* Now we can construct the result string. It consists of three
1262 * parts. */
1263 cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
1264 buflen -= sizeof(sha512_salt_prefix) - 1;
1265
1266 if (rounds_custom) {
1267 n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1268 sha512_rounds_prefix, rounds);
1269
1270 cp += n;
1271 buflen -= n;
1272 }
1273
1274 cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
1275 buflen -= MIN((size_t)MAX(0, buflen), salt_len);
1276
1277 if (buflen > 0) {
1278 *cp++ = '$';
1279 --buflen;
1280 }
1281
1282 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp);
1283 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp);
1284 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp);
1285 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp);
1286 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp);
1287 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp);
1288 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp);
1289 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp);
1290 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp);
1291 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp);
1292 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp);
1293 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp);
1294 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp);
1295 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp);
1296 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp);
1297 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp);
1298 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp);
1299 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp);
1300 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp);
1301 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp);
1302 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp);
1303 b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp);
1304
1305 if (buflen <= 0) {
1306 errno = ERANGE;
1307 buffer = NULL;
1308 }
1309 else
1310 *cp = '\0'; /* Terminate the string. */
1311
1312 /* Clear the buffer for the intermediate result so that people
1313 * attaching to processes or reading core dumps cannot get any
1314 * information. We do it in this way to clear correct_words[] inside
1315 * the SHA512 implementation as well. */
1316 SHA512_Init(&ctx);
1317 SHA512_Final(alt_result, &ctx);
1318 memset(temp_result, '\0', sizeof(temp_result));
1319 memset(p_bytes, '\0', key_len);
1320 memset(s_bytes, '\0', salt_len);
1321 memset(&ctx, '\0', sizeof(ctx));
1322 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1323 if (copied_key != NULL)
1324 memset(copied_key, '\0', key_len);
1325 if (copied_salt != NULL)
1326 memset(copied_salt, '\0', salt_len);
1327
1328 return buffer;
1329}
1330
1331/* This entry point is equivalent to crypt(3). */
1332char *
1333crypt_sha512(const char *key, const char *salt)
1334{
1335 /* We don't want to have an arbitrary limit in the size of the
1336 * password. We can compute an upper bound for the size of the
1337 * result in advance and so we can prepare the buffer we pass to
1338 * `crypt_sha512_r'. */
1339 static char *buffer;
1340 static int buflen;
1341 int needed;
1342 char *new_buffer;
1343
1344 needed = (sizeof(sha512_salt_prefix) - 1
1345 + sizeof(sha512_rounds_prefix) + 9 + 1
1346 + strlen(salt) + 1 + 86 + 1);
1347
1348 if (buflen < needed) {
1349 new_buffer = (char *)realloc(buffer, needed);
1350
1351 if (new_buffer == NULL)
1352 return NULL;
1353
1354 buffer = new_buffer;
1355 buflen = needed;
1356 }
1357
1358 return crypt_sha512_r(key, salt, buffer, buflen);
1359}
1360/* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha512.c */
1361
1362
1363/** From https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt.c */
1364static const struct crypt_format {
1365 const char* const name;
1366 const char* const magic;
1367 char* (*const func)(char const*, char const*);
1368} crypt_formats[] = {
1369 { "des", "_", crypt_des },
1370 { "md5", "$1$", crypt_md5 },
1371 { "sha256", "$5$", crypt_sha256 },
1372 { "sha512", "$6$", crypt_sha512 },
1373 { NULL, NULL, NULL }
1374};
1375
1376
1377char* crypt(const char* key, const char* salt)
1378{
da88951d 1379 size_t len;
492d2d5a
FF		 1380 const struct crypt_format *cf;
1381
1382 for (cf = crypt_formats; cf->name != NULL; ++cf) {
1383 if (cf->magic != NULL && strstr(salt, cf->magic) == salt) {
1384 return cf->func(key, salt);
1385 }
1386 }
1387
1388 len = strlen(salt);
1389 if ((len == 13 || len == 2) && strspn(salt, DES_SALT_ALPHABET) == len) {
1390 return (crypt_des(key, salt));
1391 }
1392
1393 return crypt_formats[0].func(key, salt);
c497a759 1394}
Unnamed repository; edit this file 'description' to name the repository.