1 /* 2 * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 12 #include "apps.h" 13 #include "progs.h" 14 15 #include <openssl/bio.h> 16 #include <openssl/err.h> 17 #include <openssl/evp.h> 18 #include <openssl/rand.h> 19 #ifndef OPENSSL_NO_DES 20 # include <openssl/des.h> 21 #endif 22 #include <openssl/md5.h> 23 #include <openssl/sha.h> 24 25 static unsigned const char cov_2char[64] = { 26 /* from crypto/des/fcrypt.c */ 27 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 28 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 29 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 30 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 31 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 32 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 33 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 34 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A 35 }; 36 37 static const char ascii_dollar[] = { 0x24, 0x00 }; 38 39 typedef enum { 40 passwd_unset = 0, 41 passwd_crypt, 42 passwd_md5, 43 passwd_apr1, 44 passwd_sha256, 45 passwd_sha512, 46 passwd_aixmd5 47 } passwd_modes; 48 49 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, 50 char *passwd, BIO *out, int quiet, int table, 51 int reverse, size_t pw_maxlen, passwd_modes mode); 52 53 typedef enum OPTION_choice { 54 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 55 OPT_IN, 56 OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1, 57 OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN, 58 OPT_R_ENUM 59 } OPTION_CHOICE; 60 61 const OPTIONS passwd_options[] = { 62 {"help", OPT_HELP, '-', "Display this summary"}, 63 {"in", OPT_IN, '<', "Read passwords from file"}, 64 {"noverify", OPT_NOVERIFY, '-', 65 "Never verify when reading password from terminal"}, 66 {"quiet", OPT_QUIET, '-', "No warnings"}, 67 {"table", OPT_TABLE, '-', "Format output as table"}, 68 {"reverse", OPT_REVERSE, '-', "Switch table columns"}, 69 {"salt", OPT_SALT, 's', "Use provided salt"}, 70 {"stdin", OPT_STDIN, '-', "Read passwords from stdin"}, 71 {"6", OPT_6, '-', "SHA512-based password algorithm"}, 72 {"5", OPT_5, '-', "SHA256-based password algorithm"}, 73 {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"}, 74 {"1", OPT_1, '-', "MD5-based password algorithm"}, 75 {"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"}, 76 #ifndef OPENSSL_NO_DES 77 {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"}, 78 #endif 79 OPT_R_OPTIONS, 80 {NULL} 81 }; 82 83 int passwd_main(int argc, char **argv) 84 { 85 BIO *in = NULL; 86 char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL; 87 char *salt_malloc = NULL, *passwd_malloc = NULL, *prog; 88 OPTION_CHOICE o; 89 int in_stdin = 0, pw_source_defined = 0; 90 #ifndef OPENSSL_NO_UI_CONSOLE 91 int in_noverify = 0; 92 #endif 93 int passed_salt = 0, quiet = 0, table = 0, reverse = 0; 94 int ret = 1; 95 passwd_modes mode = passwd_unset; 96 size_t passwd_malloc_size = 0; 97 size_t pw_maxlen = 256; /* arbitrary limit, should be enough for most 98 * passwords */ 99 100 prog = opt_init(argc, argv, passwd_options); 101 while ((o = opt_next()) != OPT_EOF) { 102 switch (o) { 103 case OPT_EOF: 104 case OPT_ERR: 105 opthelp: 106 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 107 goto end; 108 case OPT_HELP: 109 opt_help(passwd_options); 110 ret = 0; 111 goto end; 112 case OPT_IN: 113 if (pw_source_defined) 114 goto opthelp; 115 infile = opt_arg(); 116 pw_source_defined = 1; 117 break; 118 case OPT_NOVERIFY: 119 #ifndef OPENSSL_NO_UI_CONSOLE 120 in_noverify = 1; 121 #endif 122 break; 123 case OPT_QUIET: 124 quiet = 1; 125 break; 126 case OPT_TABLE: 127 table = 1; 128 break; 129 case OPT_REVERSE: 130 reverse = 1; 131 break; 132 case OPT_1: 133 if (mode != passwd_unset) 134 goto opthelp; 135 mode = passwd_md5; 136 break; 137 case OPT_5: 138 if (mode != passwd_unset) 139 goto opthelp; 140 mode = passwd_sha256; 141 break; 142 case OPT_6: 143 if (mode != passwd_unset) 144 goto opthelp; 145 mode = passwd_sha512; 146 break; 147 case OPT_APR1: 148 if (mode != passwd_unset) 149 goto opthelp; 150 mode = passwd_apr1; 151 break; 152 case OPT_AIXMD5: 153 if (mode != passwd_unset) 154 goto opthelp; 155 mode = passwd_aixmd5; 156 break; 157 case OPT_CRYPT: 158 #ifndef OPENSSL_NO_DES 159 if (mode != passwd_unset) 160 goto opthelp; 161 mode = passwd_crypt; 162 #endif 163 break; 164 case OPT_SALT: 165 passed_salt = 1; 166 salt = opt_arg(); 167 break; 168 case OPT_STDIN: 169 if (pw_source_defined) 170 goto opthelp; 171 in_stdin = 1; 172 pw_source_defined = 1; 173 break; 174 case OPT_R_CASES: 175 if (!opt_rand(o)) 176 goto end; 177 break; 178 } 179 } 180 argc = opt_num_rest(); 181 argv = opt_rest(); 182 183 if (*argv != NULL) { 184 if (pw_source_defined) 185 goto opthelp; 186 pw_source_defined = 1; 187 passwds = argv; 188 } 189 190 if (mode == passwd_unset) { 191 /* use default */ 192 mode = passwd_crypt; 193 } 194 195 #ifdef OPENSSL_NO_DES 196 if (mode == passwd_crypt) 197 goto opthelp; 198 #endif 199 200 if (infile != NULL && in_stdin) { 201 BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog); 202 goto end; 203 } 204 205 if (infile != NULL || in_stdin) { 206 /* 207 * If in_stdin is true, we know that infile is NULL, and that 208 * bio_open_default() will give us back an alias for stdin. 209 */ 210 in = bio_open_default(infile, 'r', FORMAT_TEXT); 211 if (in == NULL) 212 goto end; 213 } 214 215 if (mode == passwd_crypt) 216 pw_maxlen = 8; 217 218 if (passwds == NULL) { 219 /* no passwords on the command line */ 220 221 passwd_malloc_size = pw_maxlen + 2; 222 /* longer than necessary so that we can warn about truncation */ 223 passwd = passwd_malloc = 224 app_malloc(passwd_malloc_size, "password buffer"); 225 } 226 227 if ((in == NULL) && (passwds == NULL)) { 228 /* 229 * we use the following method to make sure what 230 * in the 'else' section is always compiled, to 231 * avoid rot of not-frequently-used code. 232 */ 233 if (1) { 234 #ifndef OPENSSL_NO_UI_CONSOLE 235 /* build a null-terminated list */ 236 static char *passwds_static[2] = { NULL, NULL }; 237 238 passwds = passwds_static; 239 if (in == NULL) { 240 if (EVP_read_pw_string 241 (passwd_malloc, passwd_malloc_size, "Password: ", 242 !(passed_salt || in_noverify)) != 0) 243 goto end; 244 } 245 passwds[0] = passwd_malloc; 246 } else { 247 #endif 248 BIO_printf(bio_err, "password required\n"); 249 goto end; 250 } 251 } 252 253 if (in == NULL) { 254 assert(passwds != NULL); 255 assert(*passwds != NULL); 256 257 do { /* loop over list of passwords */ 258 passwd = *passwds++; 259 if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out, 260 quiet, table, reverse, pw_maxlen, mode)) 261 goto end; 262 } while (*passwds != NULL); 263 } else { 264 /* in != NULL */ 265 int done; 266 267 assert(passwd != NULL); 268 do { 269 int r = BIO_gets(in, passwd, pw_maxlen + 1); 270 if (r > 0) { 271 char *c = (strchr(passwd, '\n')); 272 if (c != NULL) { 273 *c = 0; /* truncate at newline */ 274 } else { 275 /* ignore rest of line */ 276 char trash[BUFSIZ]; 277 do 278 r = BIO_gets(in, trash, sizeof(trash)); 279 while ((r > 0) && (!strchr(trash, '\n'))); 280 } 281 282 if (!do_passwd 283 (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet, 284 table, reverse, pw_maxlen, mode)) 285 goto end; 286 } 287 done = (r <= 0); 288 } while (!done); 289 } 290 ret = 0; 291 292 end: 293 #if 0 294 ERR_print_errors(bio_err); 295 #endif 296 OPENSSL_free(salt_malloc); 297 OPENSSL_free(passwd_malloc); 298 BIO_free(in); 299 return ret; 300 } 301 302 /* 303 * MD5-based password algorithm (should probably be available as a library 304 * function; then the static buffer would not be acceptable). For magic 305 * string "1", this should be compatible to the MD5-based BSD password 306 * algorithm. For 'magic' string "apr1", this is compatible to the MD5-based 307 * Apache password algorithm. (Apparently, the Apache password algorithm is 308 * identical except that the 'magic' string was changed -- the laziest 309 * application of the NIH principle I've ever encountered.) 310 */ 311 static char *md5crypt(const char *passwd, const char *magic, const char *salt) 312 { 313 /* "$apr1$..salt..$.......md5hash..........\0" */ 314 static char out_buf[6 + 9 + 24 + 2]; 315 unsigned char buf[MD5_DIGEST_LENGTH]; 316 char ascii_magic[5]; /* "apr1" plus '\0' */ 317 char ascii_salt[9]; /* Max 8 chars plus '\0' */ 318 char *ascii_passwd = NULL; 319 char *salt_out; 320 int n; 321 unsigned int i; 322 EVP_MD_CTX *md = NULL, *md2 = NULL; 323 size_t passwd_len, salt_len, magic_len; 324 325 passwd_len = strlen(passwd); 326 327 out_buf[0] = 0; 328 magic_len = strlen(magic); 329 OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic)); 330 #ifdef CHARSET_EBCDIC 331 if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */ 332 ebcdic2ascii(ascii_magic, ascii_magic, magic_len); 333 #endif 334 335 /* The salt gets truncated to 8 chars */ 336 OPENSSL_strlcpy(ascii_salt, salt, sizeof(ascii_salt)); 337 salt_len = strlen(ascii_salt); 338 #ifdef CHARSET_EBCDIC 339 ebcdic2ascii(ascii_salt, ascii_salt, salt_len); 340 #endif 341 342 #ifdef CHARSET_EBCDIC 343 ascii_passwd = OPENSSL_strdup(passwd); 344 if (ascii_passwd == NULL) 345 return NULL; 346 ebcdic2ascii(ascii_passwd, ascii_passwd, passwd_len); 347 passwd = ascii_passwd; 348 #endif 349 350 if (magic_len > 0) { 351 OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); 352 353 if (magic_len > 4) /* assert it's "1" or "apr1" */ 354 goto err; 355 356 OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf)); 357 OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); 358 } 359 360 OPENSSL_strlcat(out_buf, ascii_salt, sizeof(out_buf)); 361 362 if (strlen(out_buf) > 6 + 8) /* assert "$apr1$..salt.." */ 363 goto err; 364 365 salt_out = out_buf; 366 if (magic_len > 0) 367 salt_out += 2 + magic_len; 368 369 if (salt_len > 8) 370 goto err; 371 372 md = EVP_MD_CTX_new(); 373 if (md == NULL 374 || !EVP_DigestInit_ex(md, EVP_md5(), NULL) 375 || !EVP_DigestUpdate(md, passwd, passwd_len)) 376 goto err; 377 378 if (magic_len > 0) 379 if (!EVP_DigestUpdate(md, ascii_dollar, 1) 380 || !EVP_DigestUpdate(md, ascii_magic, magic_len) 381 || !EVP_DigestUpdate(md, ascii_dollar, 1)) 382 goto err; 383 384 if (!EVP_DigestUpdate(md, ascii_salt, salt_len)) 385 goto err; 386 387 md2 = EVP_MD_CTX_new(); 388 if (md2 == NULL 389 || !EVP_DigestInit_ex(md2, EVP_md5(), NULL) 390 || !EVP_DigestUpdate(md2, passwd, passwd_len) 391 || !EVP_DigestUpdate(md2, ascii_salt, salt_len) 392 || !EVP_DigestUpdate(md2, passwd, passwd_len) 393 || !EVP_DigestFinal_ex(md2, buf, NULL)) 394 goto err; 395 396 for (i = passwd_len; i > sizeof(buf); i -= sizeof(buf)) { 397 if (!EVP_DigestUpdate(md, buf, sizeof(buf))) 398 goto err; 399 } 400 if (!EVP_DigestUpdate(md, buf, i)) 401 goto err; 402 403 n = passwd_len; 404 while (n) { 405 if (!EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1)) 406 goto err; 407 n >>= 1; 408 } 409 if (!EVP_DigestFinal_ex(md, buf, NULL)) 410 goto err; 411 412 for (i = 0; i < 1000; i++) { 413 if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL)) 414 goto err; 415 if (!EVP_DigestUpdate(md2, 416 (i & 1) ? (unsigned const char *)passwd : buf, 417 (i & 1) ? passwd_len : sizeof(buf))) 418 goto err; 419 if (i % 3) { 420 if (!EVP_DigestUpdate(md2, ascii_salt, salt_len)) 421 goto err; 422 } 423 if (i % 7) { 424 if (!EVP_DigestUpdate(md2, passwd, passwd_len)) 425 goto err; 426 } 427 if (!EVP_DigestUpdate(md2, 428 (i & 1) ? buf : (unsigned const char *)passwd, 429 (i & 1) ? sizeof(buf) : passwd_len)) 430 goto err; 431 if (!EVP_DigestFinal_ex(md2, buf, NULL)) 432 goto err; 433 } 434 EVP_MD_CTX_free(md2); 435 EVP_MD_CTX_free(md); 436 md2 = NULL; 437 md = NULL; 438 439 { 440 /* transform buf into output string */ 441 unsigned char buf_perm[sizeof(buf)]; 442 int dest, source; 443 char *output; 444 445 /* silly output permutation */ 446 for (dest = 0, source = 0; dest < 14; 447 dest++, source = (source + 6) % 17) 448 buf_perm[dest] = buf[source]; 449 buf_perm[14] = buf[5]; 450 buf_perm[15] = buf[11]; 451 # ifndef PEDANTIC /* Unfortunately, this generates a "no 452 * effect" warning */ 453 assert(16 == sizeof(buf_perm)); 454 # endif 455 456 output = salt_out + salt_len; 457 assert(output == out_buf + strlen(out_buf)); 458 459 *output++ = ascii_dollar[0]; 460 461 for (i = 0; i < 15; i += 3) { 462 *output++ = cov_2char[buf_perm[i + 2] & 0x3f]; 463 *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) | 464 (buf_perm[i + 2] >> 6)]; 465 *output++ = cov_2char[((buf_perm[i] & 3) << 4) | 466 (buf_perm[i + 1] >> 4)]; 467 *output++ = cov_2char[buf_perm[i] >> 2]; 468 } 469 assert(i == 15); 470 *output++ = cov_2char[buf_perm[i] & 0x3f]; 471 *output++ = cov_2char[buf_perm[i] >> 6]; 472 *output = 0; 473 assert(strlen(out_buf) < sizeof(out_buf)); 474 #ifdef CHARSET_EBCDIC 475 ascii2ebcdic(out_buf, out_buf, strlen(out_buf)); 476 #endif 477 } 478 479 return out_buf; 480 481 err: 482 OPENSSL_free(ascii_passwd); 483 EVP_MD_CTX_free(md2); 484 EVP_MD_CTX_free(md); 485 return NULL; 486 } 487 488 /* 489 * SHA based password algorithm, describe by Ulrich Drepper here: 490 * https://www.akkadia.org/drepper/SHA-crypt.txt 491 * (note that it's in the public domain) 492 */ 493 static char *shacrypt(const char *passwd, const char *magic, const char *salt) 494 { 495 /* Prefix for optional rounds specification. */ 496 static const char rounds_prefix[] = "rounds="; 497 /* Maximum salt string length. */ 498 # define SALT_LEN_MAX 16 499 /* Default number of rounds if not explicitly specified. */ 500 # define ROUNDS_DEFAULT 5000 501 /* Minimum number of rounds. */ 502 # define ROUNDS_MIN 1000 503 /* Maximum number of rounds. */ 504 # define ROUNDS_MAX 999999999 505 506 /* "$6$rounds=<N>$......salt......$...shahash(up to 86 chars)...\0" */ 507 static char out_buf[3 + 17 + 17 + 86 + 1]; 508 unsigned char buf[SHA512_DIGEST_LENGTH]; 509 unsigned char temp_buf[SHA512_DIGEST_LENGTH]; 510 size_t buf_size = 0; 511 char ascii_magic[2]; 512 char ascii_salt[17]; /* Max 16 chars plus '\0' */ 513 char *ascii_passwd = NULL; 514 size_t n; 515 EVP_MD_CTX *md = NULL, *md2 = NULL; 516 const EVP_MD *sha = NULL; 517 size_t passwd_len, salt_len, magic_len; 518 unsigned int rounds = 5000; /* Default */ 519 char rounds_custom = 0; 520 char *p_bytes = NULL; 521 char *s_bytes = NULL; 522 char *cp = NULL; 523 524 passwd_len = strlen(passwd); 525 magic_len = strlen(magic); 526 527 /* assert it's "5" or "6" */ 528 if (magic_len != 1) 529 return NULL; 530 531 switch (magic[0]) { 532 case '5': 533 sha = EVP_sha256(); 534 buf_size = 32; 535 break; 536 case '6': 537 sha = EVP_sha512(); 538 buf_size = 64; 539 break; 540 default: 541 return NULL; 542 } 543 544 if (strncmp(salt, rounds_prefix, sizeof(rounds_prefix) - 1) == 0) { 545 const char *num = salt + sizeof(rounds_prefix) - 1; 546 char *endp; 547 unsigned long int srounds = strtoul (num, &endp, 10); 548 if (*endp == '$') { 549 salt = endp + 1; 550 if (srounds > ROUNDS_MAX) 551 rounds = ROUNDS_MAX; 552 else if (srounds < ROUNDS_MIN) 553 rounds = ROUNDS_MIN; 554 else 555 rounds = (unsigned int)srounds; 556 rounds_custom = 1; 557 } else { 558 return NULL; 559 } 560 } 561 562 OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic)); 563 #ifdef CHARSET_EBCDIC 564 if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */ 565 ebcdic2ascii(ascii_magic, ascii_magic, magic_len); 566 #endif 567 568 /* The salt gets truncated to 16 chars */ 569 OPENSSL_strlcpy(ascii_salt, salt, sizeof(ascii_salt)); 570 salt_len = strlen(ascii_salt); 571 #ifdef CHARSET_EBCDIC 572 ebcdic2ascii(ascii_salt, ascii_salt, salt_len); 573 #endif 574 575 #ifdef CHARSET_EBCDIC 576 ascii_passwd = OPENSSL_strdup(passwd); 577 if (ascii_passwd == NULL) 578 return NULL; 579 ebcdic2ascii(ascii_passwd, ascii_passwd, passwd_len); 580 passwd = ascii_passwd; 581 #endif 582 583 out_buf[0] = 0; 584 OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); 585 OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf)); 586 OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); 587 if (rounds_custom) { 588 char tmp_buf[80]; /* "rounds=999999999" */ 589 sprintf(tmp_buf, "rounds=%u", rounds); 590 #ifdef CHARSET_EBCDIC 591 /* In case we're really on a ASCII based platform and just pretend */ 592 if (tmp_buf[0] != 0x72) /* ASCII 'r' */ 593 ebcdic2ascii(tmp_buf, tmp_buf, strlen(tmp_buf)); 594 #endif 595 OPENSSL_strlcat(out_buf, tmp_buf, sizeof(out_buf)); 596 OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf)); 597 } 598 OPENSSL_strlcat(out_buf, ascii_salt, sizeof(out_buf)); 599 600 /* assert "$5$rounds=999999999$......salt......" */ 601 if (strlen(out_buf) > 3 + 17 * rounds_custom + salt_len ) 602 goto err; 603 604 md = EVP_MD_CTX_new(); 605 if (md == NULL 606 || !EVP_DigestInit_ex(md, sha, NULL) 607 || !EVP_DigestUpdate(md, passwd, passwd_len) 608 || !EVP_DigestUpdate(md, ascii_salt, salt_len)) 609 goto err; 610 611 md2 = EVP_MD_CTX_new(); 612 if (md2 == NULL 613 || !EVP_DigestInit_ex(md2, sha, NULL) 614 || !EVP_DigestUpdate(md2, passwd, passwd_len) 615 || !EVP_DigestUpdate(md2, ascii_salt, salt_len) 616 || !EVP_DigestUpdate(md2, passwd, passwd_len) 617 || !EVP_DigestFinal_ex(md2, buf, NULL)) 618 goto err; 619 620 for (n = passwd_len; n > buf_size; n -= buf_size) { 621 if (!EVP_DigestUpdate(md, buf, buf_size)) 622 goto err; 623 } 624 if (!EVP_DigestUpdate(md, buf, n)) 625 goto err; 626 627 n = passwd_len; 628 while (n) { 629 if (!EVP_DigestUpdate(md, 630 (n & 1) ? buf : (unsigned const char *)passwd, 631 (n & 1) ? buf_size : passwd_len)) 632 goto err; 633 n >>= 1; 634 } 635 if (!EVP_DigestFinal_ex(md, buf, NULL)) 636 goto err; 637 638 /* P sequence */ 639 if (!EVP_DigestInit_ex(md2, sha, NULL)) 640 goto err; 641 642 for (n = passwd_len; n > 0; n--) 643 if (!EVP_DigestUpdate(md2, passwd, passwd_len)) 644 goto err; 645 646 if (!EVP_DigestFinal_ex(md2, temp_buf, NULL)) 647 goto err; 648 649 if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL) 650 goto err; 651 for (cp = p_bytes, n = passwd_len; n > buf_size; n -= buf_size, cp += buf_size) 652 memcpy(cp, temp_buf, buf_size); 653 memcpy(cp, temp_buf, n); 654 655 /* S sequence */ 656 if (!EVP_DigestInit_ex(md2, sha, NULL)) 657 goto err; 658 659 for (n = 16 + buf[0]; n > 0; n--) 660 if (!EVP_DigestUpdate(md2, ascii_salt, salt_len)) 661 goto err; 662 663 if (!EVP_DigestFinal_ex(md2, temp_buf, NULL)) 664 goto err; 665 666 if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL) 667 goto err; 668 for (cp = s_bytes, n = salt_len; n > buf_size; n -= buf_size, cp += buf_size) 669 memcpy(cp, temp_buf, buf_size); 670 memcpy(cp, temp_buf, n); 671 672 for (n = 0; n < rounds; n++) { 673 if (!EVP_DigestInit_ex(md2, sha, NULL)) 674 goto err; 675 if (!EVP_DigestUpdate(md2, 676 (n & 1) ? (unsigned const char *)p_bytes : buf, 677 (n & 1) ? passwd_len : buf_size)) 678 goto err; 679 if (n % 3) { 680 if (!EVP_DigestUpdate(md2, s_bytes, salt_len)) 681 goto err; 682 } 683 if (n % 7) { 684 if (!EVP_DigestUpdate(md2, p_bytes, passwd_len)) 685 goto err; 686 } 687 if (!EVP_DigestUpdate(md2, 688 (n & 1) ? buf : (unsigned const char *)p_bytes, 689 (n & 1) ? buf_size : passwd_len)) 690 goto err; 691 if (!EVP_DigestFinal_ex(md2, buf, NULL)) 692 goto err; 693 } 694 EVP_MD_CTX_free(md2); 695 EVP_MD_CTX_free(md); 696 md2 = NULL; 697 md = NULL; 698 OPENSSL_free(p_bytes); 699 OPENSSL_free(s_bytes); 700 p_bytes = NULL; 701 s_bytes = NULL; 702 703 cp = out_buf + strlen(out_buf); 704 *cp++ = ascii_dollar[0]; 705 706 # define b64_from_24bit(B2, B1, B0, N) \ 707 do { \ 708 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 709 int i = (N); \ 710 while (i-- > 0) \ 711 { \ 712 *cp++ = cov_2char[w & 0x3f]; \ 713 w >>= 6; \ 714 } \ 715 } while (0) 716 717 switch (magic[0]) { 718 case '5': 719 b64_from_24bit (buf[0], buf[10], buf[20], 4); 720 b64_from_24bit (buf[21], buf[1], buf[11], 4); 721 b64_from_24bit (buf[12], buf[22], buf[2], 4); 722 b64_from_24bit (buf[3], buf[13], buf[23], 4); 723 b64_from_24bit (buf[24], buf[4], buf[14], 4); 724 b64_from_24bit (buf[15], buf[25], buf[5], 4); 725 b64_from_24bit (buf[6], buf[16], buf[26], 4); 726 b64_from_24bit (buf[27], buf[7], buf[17], 4); 727 b64_from_24bit (buf[18], buf[28], buf[8], 4); 728 b64_from_24bit (buf[9], buf[19], buf[29], 4); 729 b64_from_24bit (0, buf[31], buf[30], 3); 730 break; 731 case '6': 732 b64_from_24bit (buf[0], buf[21], buf[42], 4); 733 b64_from_24bit (buf[22], buf[43], buf[1], 4); 734 b64_from_24bit (buf[44], buf[2], buf[23], 4); 735 b64_from_24bit (buf[3], buf[24], buf[45], 4); 736 b64_from_24bit (buf[25], buf[46], buf[4], 4); 737 b64_from_24bit (buf[47], buf[5], buf[26], 4); 738 b64_from_24bit (buf[6], buf[27], buf[48], 4); 739 b64_from_24bit (buf[28], buf[49], buf[7], 4); 740 b64_from_24bit (buf[50], buf[8], buf[29], 4); 741 b64_from_24bit (buf[9], buf[30], buf[51], 4); 742 b64_from_24bit (buf[31], buf[52], buf[10], 4); 743 b64_from_24bit (buf[53], buf[11], buf[32], 4); 744 b64_from_24bit (buf[12], buf[33], buf[54], 4); 745 b64_from_24bit (buf[34], buf[55], buf[13], 4); 746 b64_from_24bit (buf[56], buf[14], buf[35], 4); 747 b64_from_24bit (buf[15], buf[36], buf[57], 4); 748 b64_from_24bit (buf[37], buf[58], buf[16], 4); 749 b64_from_24bit (buf[59], buf[17], buf[38], 4); 750 b64_from_24bit (buf[18], buf[39], buf[60], 4); 751 b64_from_24bit (buf[40], buf[61], buf[19], 4); 752 b64_from_24bit (buf[62], buf[20], buf[41], 4); 753 b64_from_24bit (0, 0, buf[63], 2); 754 break; 755 default: 756 goto err; 757 } 758 *cp = '\0'; 759 #ifdef CHARSET_EBCDIC 760 ascii2ebcdic(out_buf, out_buf, strlen(out_buf)); 761 #endif 762 763 return out_buf; 764 765 err: 766 EVP_MD_CTX_free(md2); 767 EVP_MD_CTX_free(md); 768 OPENSSL_free(p_bytes); 769 OPENSSL_free(s_bytes); 770 OPENSSL_free(ascii_passwd); 771 return NULL; 772 } 773 774 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, 775 char *passwd, BIO *out, int quiet, int table, 776 int reverse, size_t pw_maxlen, passwd_modes mode) 777 { 778 char *hash = NULL; 779 780 assert(salt_p != NULL); 781 assert(salt_malloc_p != NULL); 782 783 /* first make sure we have a salt */ 784 if (!passed_salt) { 785 size_t saltlen = 0; 786 size_t i; 787 788 #ifndef OPENSSL_NO_DES 789 if (mode == passwd_crypt) 790 saltlen = 2; 791 #endif /* !OPENSSL_NO_DES */ 792 793 if (mode == passwd_md5 || mode == passwd_apr1 || mode == passwd_aixmd5) 794 saltlen = 8; 795 796 if (mode == passwd_sha256 || mode == passwd_sha512) 797 saltlen = 16; 798 799 assert(saltlen != 0); 800 801 if (*salt_malloc_p == NULL) 802 *salt_p = *salt_malloc_p = app_malloc(saltlen + 1, "salt buffer"); 803 if (RAND_bytes((unsigned char *)*salt_p, saltlen) <= 0) 804 goto end; 805 806 for (i = 0; i < saltlen; i++) 807 (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */ 808 (*salt_p)[i] = 0; 809 # ifdef CHARSET_EBCDIC 810 /* The password encryption function will convert back to ASCII */ 811 ascii2ebcdic(*salt_p, *salt_p, saltlen); 812 # endif 813 } 814 815 assert(*salt_p != NULL); 816 817 /* truncate password if necessary */ 818 if ((strlen(passwd) > pw_maxlen)) { 819 if (!quiet) 820 /* 821 * XXX: really we should know how to print a size_t, not cast it 822 */ 823 BIO_printf(bio_err, 824 "Warning: truncating password to %u characters\n", 825 (unsigned)pw_maxlen); 826 passwd[pw_maxlen] = 0; 827 } 828 assert(strlen(passwd) <= pw_maxlen); 829 830 /* now compute password hash */ 831 #ifndef OPENSSL_NO_DES 832 if (mode == passwd_crypt) 833 hash = DES_crypt(passwd, *salt_p); 834 #endif 835 if (mode == passwd_md5 || mode == passwd_apr1) 836 hash = md5crypt(passwd, (mode == passwd_md5 ? "1" : "apr1"), *salt_p); 837 if (mode == passwd_aixmd5) 838 hash = md5crypt(passwd, "", *salt_p); 839 if (mode == passwd_sha256 || mode == passwd_sha512) 840 hash = shacrypt(passwd, (mode == passwd_sha256 ? "5" : "6"), *salt_p); 841 assert(hash != NULL); 842 843 if (table && !reverse) 844 BIO_printf(out, "%s\t%s\n", passwd, hash); 845 else if (table && reverse) 846 BIO_printf(out, "%s\t%s\n", hash, passwd); 847 else 848 BIO_printf(out, "%s\n", hash); 849 return 1; 850 851 end: 852 return 0; 853 } 854