1*43e30386SXin LI /* $OpenBSD: bcrypt.c,v 1.29 2014/02/24 19:45:43 tedu Exp $ */ 2*43e30386SXin LI 35c129616SMark Murray /* 45c129616SMark Murray * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> 55c129616SMark Murray * All rights reserved. 65c129616SMark Murray * 75c129616SMark Murray * Redistribution and use in source and binary forms, with or without 85c129616SMark Murray * modification, are permitted provided that the following conditions 95c129616SMark Murray * are met: 105c129616SMark Murray * 1. Redistributions of source code must retain the above copyright 115c129616SMark Murray * notice, this list of conditions and the following disclaimer. 125c129616SMark Murray * 2. Redistributions in binary form must reproduce the above copyright 135c129616SMark Murray * notice, this list of conditions and the following disclaimer in the 145c129616SMark Murray * documentation and/or other materials provided with the distribution. 155c129616SMark Murray * 3. All advertising materials mentioning features or use of this software 165c129616SMark Murray * must display the following acknowledgement: 175c129616SMark Murray * This product includes software developed by Niels Provos. 185c129616SMark Murray * 4. The name of the author may not be used to endorse or promote products 195c129616SMark Murray * derived from this software without specific prior written permission. 205c129616SMark Murray * 215c129616SMark Murray * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 225c129616SMark Murray * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 235c129616SMark Murray * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 245c129616SMark Murray * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 255c129616SMark Murray * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 265c129616SMark Murray * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 275c129616SMark Murray * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 285c129616SMark Murray * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 295c129616SMark Murray * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 305c129616SMark Murray * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 315c129616SMark Murray */ 325c129616SMark Murray 3368344a95SPeter Wemm #include <sys/cdefs.h> 3468344a95SPeter Wemm __FBSDID("$FreeBSD$"); 3568344a95SPeter Wemm 365c129616SMark Murray /* This password hashing algorithm was designed by David Mazieres 375c129616SMark Murray * <dm@lcs.mit.edu> and works as follows: 385c129616SMark Murray * 395c129616SMark Murray * 1. state := InitState () 40*43e30386SXin LI * 2. state := ExpandKey (state, salt, password) 41*43e30386SXin LI * 3. REPEAT rounds: 425c129616SMark Murray * state := ExpandKey (state, 0, password) 43*43e30386SXin LI * state := ExpandKey (state, 0, salt) 445c129616SMark Murray * 4. ctext := "OrpheanBeholderScryDoubt" 455c129616SMark Murray * 5. REPEAT 64: 465c129616SMark Murray * ctext := Encrypt_ECB (state, ctext); 475c129616SMark Murray * 6. RETURN Concatenate (salt, ctext); 485c129616SMark Murray * 495c129616SMark Murray */ 505c129616SMark Murray 515c129616SMark Murray /* 525c129616SMark Murray * FreeBSD implementation by Paul Herman <pherman@frenchfries.net> 53*43e30386SXin LI * and updated by Xin Li <delphij@FreeBSD.org> 545c129616SMark Murray */ 555c129616SMark Murray 565c129616SMark Murray #include <stdio.h> 575c129616SMark Murray #include <stdlib.h> 585c129616SMark Murray #include <sys/types.h> 595c129616SMark Murray #include <string.h> 605c129616SMark Murray #include <pwd.h> 615c129616SMark Murray #include "blowfish.h" 62f2ac424aSMark Murray #include "crypt.h" 635c129616SMark Murray 645c129616SMark Murray /* This implementation is adaptable to current computing power. 655c129616SMark Murray * You can have up to 2^31 rounds which should be enough for some 665c129616SMark Murray * time to come. 675c129616SMark Murray */ 685c129616SMark Murray 695c129616SMark Murray #define BCRYPT_VERSION '2' 705c129616SMark Murray #define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */ 715c129616SMark Murray #define BCRYPT_BLOCKS 6 /* Ciphertext blocks */ 72*43e30386SXin LI #define BCRYPT_MINLOGROUNDS 4 /* we have log2(rounds) in salt */ 73*43e30386SXin LI 745c129616SMark Murray 75f2ac424aSMark Murray static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t); 76f2ac424aSMark Murray static void decode_base64(u_int8_t *, u_int16_t, const u_int8_t *); 775c129616SMark Murray 785c129616SMark Murray static char encrypted[_PASSWORD_LEN]; 795c129616SMark Murray 80*43e30386SXin LI const static u_int8_t Base64Code[] = 815c129616SMark Murray "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; 825c129616SMark Murray 83*43e30386SXin LI const static u_int8_t index_64[128] = { 845c129616SMark Murray 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 855c129616SMark Murray 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 865c129616SMark Murray 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 875c129616SMark Murray 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 885c129616SMark Murray 255, 255, 255, 255, 255, 255, 0, 1, 54, 55, 895c129616SMark Murray 56, 57, 58, 59, 60, 61, 62, 63, 255, 255, 905c129616SMark Murray 255, 255, 255, 255, 255, 2, 3, 4, 5, 6, 915c129616SMark Murray 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 925c129616SMark Murray 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 935c129616SMark Murray 255, 255, 255, 255, 255, 255, 28, 29, 30, 945c129616SMark Murray 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 955c129616SMark Murray 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 965c129616SMark Murray 51, 52, 53, 255, 255, 255, 255, 255 975c129616SMark Murray }; 985c129616SMark Murray #define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)]) 995c129616SMark Murray 1005c129616SMark Murray static void 101f2ac424aSMark Murray decode_base64(u_int8_t *buffer, u_int16_t len, const u_int8_t *data) 1025c129616SMark Murray { 1035c129616SMark Murray u_int8_t *bp = buffer; 104f2ac424aSMark Murray const u_int8_t *p = data; 1055c129616SMark Murray u_int8_t c1, c2, c3, c4; 1065c129616SMark Murray while (bp < buffer + len) { 1075c129616SMark Murray c1 = CHAR64(*p); 1085c129616SMark Murray c2 = CHAR64(*(p + 1)); 1095c129616SMark Murray 1105c129616SMark Murray /* Invalid data */ 1115c129616SMark Murray if (c1 == 255 || c2 == 255) 1125c129616SMark Murray break; 1135c129616SMark Murray 114*43e30386SXin LI *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4); 1155c129616SMark Murray if (bp >= buffer + len) 1165c129616SMark Murray break; 1175c129616SMark Murray 1185c129616SMark Murray c3 = CHAR64(*(p + 2)); 1195c129616SMark Murray if (c3 == 255) 1205c129616SMark Murray break; 1215c129616SMark Murray 1225c129616SMark Murray *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); 1235c129616SMark Murray if (bp >= buffer + len) 1245c129616SMark Murray break; 1255c129616SMark Murray 1265c129616SMark Murray c4 = CHAR64(*(p + 3)); 1275c129616SMark Murray if (c4 == 255) 1285c129616SMark Murray break; 1295c129616SMark Murray *bp++ = ((c3 & 0x03) << 6) | c4; 1305c129616SMark Murray 1315c129616SMark Murray p += 4; 1325c129616SMark Murray } 1335c129616SMark Murray } 1345c129616SMark Murray 1355c129616SMark Murray /* We handle $Vers$log2(NumRounds)$salt+passwd$ 1365c129616SMark Murray i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */ 1375c129616SMark Murray 1385c129616SMark Murray char * 139f2ac424aSMark Murray crypt_blowfish(const char *key, const char *salt) 1405c129616SMark Murray { 1415c129616SMark Murray blf_ctx state; 1425c129616SMark Murray u_int32_t rounds, i, k; 1435c129616SMark Murray u_int16_t j; 144*43e30386SXin LI size_t key_len; 145*43e30386SXin LI u_int8_t salt_len, logr, minr; 1465c129616SMark Murray u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt"; 1475c129616SMark Murray u_int8_t csalt[BCRYPT_MAXSALT]; 1485c129616SMark Murray u_int32_t cdata[BCRYPT_BLOCKS]; 149*43e30386SXin LI char arounds[3]; 1505c129616SMark Murray 1515c129616SMark Murray /* Defaults */ 152f2ac424aSMark Murray minr = 'a'; 153*43e30386SXin LI logr = BCRYPT_MINLOGROUNDS; 154*43e30386SXin LI rounds = 1U << logr; 1555c129616SMark Murray 156*43e30386SXin LI if (*salt == '$') { 1575c129616SMark Murray /* Discard "$" identifier */ 1585c129616SMark Murray salt++; 1595c129616SMark Murray 1605c129616SMark Murray if (*salt > BCRYPT_VERSION) { 16119ab58bfSKevin Lo /* How do I handle errors ? Return NULL */ 16219ab58bfSKevin Lo return NULL; 1635c129616SMark Murray } 1645c129616SMark Murray 1655c129616SMark Murray /* Check for minor versions */ 1665c129616SMark Murray if (salt[1] != '$') { 1675c129616SMark Murray switch (salt[1]) { 168*43e30386SXin LI case 'a': /* 'ab' should not yield the same as 'abab' */ 169*43e30386SXin LI case 'b': /* cap input length at 72 bytes */ 170*43e30386SXin LI minr = salt[1]; 1715c129616SMark Murray salt++; 1725c129616SMark Murray break; 1735c129616SMark Murray default: 17419ab58bfSKevin Lo return NULL; 1755c129616SMark Murray } 1765c129616SMark Murray } else 177f2ac424aSMark Murray minr = 0; 1785c129616SMark Murray 1795c129616SMark Murray /* Discard version + "$" identifier */ 1805c129616SMark Murray salt += 2; 1815c129616SMark Murray 1825c129616SMark Murray if (salt[2] != '$') 1835c129616SMark Murray /* Out of sync with passwd entry */ 18419ab58bfSKevin Lo return NULL; 1855c129616SMark Murray 186*43e30386SXin LI memcpy(arounds, salt, sizeof(arounds)); 187*43e30386SXin LI if (arounds[sizeof(arounds) - 1] != '$') 18819ab58bfSKevin Lo return NULL; 189*43e30386SXin LI arounds[sizeof(arounds) - 1] = 0; 190*43e30386SXin LI logr = strtonum(arounds, BCRYPT_MINLOGROUNDS, 31, NULL); 191*43e30386SXin LI if (logr == 0) 192*43e30386SXin LI return NULL; 193*43e30386SXin LI /* Computer power doesn't increase linearly, 2^x should be fine */ 194*43e30386SXin LI rounds = 1U << logr; 1955c129616SMark Murray 1965c129616SMark Murray /* Discard num rounds + "$" identifier */ 1975c129616SMark Murray salt += 3; 1985c129616SMark Murray } 1995c129616SMark Murray 200*43e30386SXin LI if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT) 201*43e30386SXin LI return NULL; 2025c129616SMark Murray 2035c129616SMark Murray /* We dont want the base64 salt but the raw data */ 204c8fa8e25SMark Murray decode_base64(csalt, BCRYPT_MAXSALT, (const u_int8_t *) salt); 2055c129616SMark Murray salt_len = BCRYPT_MAXSALT; 206*43e30386SXin LI if (minr <= 'a') 207f2ac424aSMark Murray key_len = (u_int8_t)(strlen(key) + (minr >= 'a' ? 1 : 0)); 208*43e30386SXin LI else { 209*43e30386SXin LI /* strlen() returns a size_t, but the function calls 210*43e30386SXin LI * below result in implicit casts to a narrower integer 211*43e30386SXin LI * type, so cap key_len at the actual maximum supported 212*43e30386SXin LI * length here to avoid integer wraparound */ 213*43e30386SXin LI key_len = strlen(key); 214*43e30386SXin LI if (key_len > 72) 215*43e30386SXin LI key_len = 72; 216*43e30386SXin LI key_len++; /* include the NUL */ 217*43e30386SXin LI } 2185c129616SMark Murray 2195c129616SMark Murray /* Setting up S-Boxes and Subkeys */ 2205c129616SMark Murray Blowfish_initstate(&state); 2215c129616SMark Murray Blowfish_expandstate(&state, csalt, salt_len, 222f2ac424aSMark Murray (const u_int8_t *) key, key_len); 2235c129616SMark Murray for (k = 0; k < rounds; k++) { 224f2ac424aSMark Murray Blowfish_expand0state(&state, (const u_int8_t *) key, key_len); 2255c129616SMark Murray Blowfish_expand0state(&state, csalt, salt_len); 2265c129616SMark Murray } 2275c129616SMark Murray 2285c129616SMark Murray /* This can be precomputed later */ 2295c129616SMark Murray j = 0; 2305c129616SMark Murray for (i = 0; i < BCRYPT_BLOCKS; i++) 2315c129616SMark Murray cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j); 2325c129616SMark Murray 2335c129616SMark Murray /* Now do the encryption */ 2345c129616SMark Murray for (k = 0; k < 64; k++) 2355c129616SMark Murray blf_enc(&state, cdata, BCRYPT_BLOCKS / 2); 2365c129616SMark Murray 2375c129616SMark Murray for (i = 0; i < BCRYPT_BLOCKS; i++) { 2385c129616SMark Murray ciphertext[4 * i + 3] = cdata[i] & 0xff; 2395c129616SMark Murray cdata[i] = cdata[i] >> 8; 2405c129616SMark Murray ciphertext[4 * i + 2] = cdata[i] & 0xff; 2415c129616SMark Murray cdata[i] = cdata[i] >> 8; 2425c129616SMark Murray ciphertext[4 * i + 1] = cdata[i] & 0xff; 2435c129616SMark Murray cdata[i] = cdata[i] >> 8; 2445c129616SMark Murray ciphertext[4 * i + 0] = cdata[i] & 0xff; 2455c129616SMark Murray } 2465c129616SMark Murray 2475c129616SMark Murray 2485c129616SMark Murray i = 0; 2495c129616SMark Murray encrypted[i++] = '$'; 2505c129616SMark Murray encrypted[i++] = BCRYPT_VERSION; 251f2ac424aSMark Murray if (minr) 252*43e30386SXin LI encrypted[i++] = minr; 2535c129616SMark Murray encrypted[i++] = '$'; 2545c129616SMark Murray 2555c129616SMark Murray snprintf(encrypted + i, 4, "%2.2u$", logr); 2565c129616SMark Murray 2575c129616SMark Murray encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT); 2585c129616SMark Murray encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext, 2595c129616SMark Murray 4 * BCRYPT_BLOCKS - 1); 260*43e30386SXin LI memset(&state, 0, sizeof(state)); 261*43e30386SXin LI memset(ciphertext, 0, sizeof(ciphertext)); 262*43e30386SXin LI memset(csalt, 0, sizeof(csalt)); 263*43e30386SXin LI memset(cdata, 0, sizeof(cdata)); 2645c129616SMark Murray return encrypted; 2655c129616SMark Murray } 2665c129616SMark Murray 2675c129616SMark Murray static void 2685c129616SMark Murray encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len) 2695c129616SMark Murray { 2705c129616SMark Murray u_int8_t *bp = buffer; 2715c129616SMark Murray u_int8_t *p = data; 2725c129616SMark Murray u_int8_t c1, c2; 2735c129616SMark Murray while (p < data + len) { 2745c129616SMark Murray c1 = *p++; 2755c129616SMark Murray *bp++ = Base64Code[(c1 >> 2)]; 2765c129616SMark Murray c1 = (c1 & 0x03) << 4; 2775c129616SMark Murray if (p >= data + len) { 2785c129616SMark Murray *bp++ = Base64Code[c1]; 2795c129616SMark Murray break; 2805c129616SMark Murray } 2815c129616SMark Murray c2 = *p++; 2825c129616SMark Murray c1 |= (c2 >> 4) & 0x0f; 2835c129616SMark Murray *bp++ = Base64Code[c1]; 2845c129616SMark Murray c1 = (c2 & 0x0f) << 2; 2855c129616SMark Murray if (p >= data + len) { 2865c129616SMark Murray *bp++ = Base64Code[c1]; 2875c129616SMark Murray break; 2885c129616SMark Murray } 2895c129616SMark Murray c2 = *p++; 2905c129616SMark Murray c1 |= (c2 >> 6) & 0x03; 2915c129616SMark Murray *bp++ = Base64Code[c1]; 2925c129616SMark Murray *bp++ = Base64Code[c2 & 0x3f]; 2935c129616SMark Murray } 2945c129616SMark Murray *bp = '\0'; 2955c129616SMark Murray } 2965c129616SMark Murray #if 0 2975c129616SMark Murray void 2985c129616SMark Murray main() 2995c129616SMark Murray { 3005c129616SMark Murray char blubber[73]; 3015c129616SMark Murray char salt[100]; 3025c129616SMark Murray char *p; 3035c129616SMark Murray salt[0] = '$'; 3045c129616SMark Murray salt[1] = BCRYPT_VERSION; 3055c129616SMark Murray salt[2] = '$'; 3065c129616SMark Murray 3075c129616SMark Murray snprintf(salt + 3, 4, "%2.2u$", 5); 3085c129616SMark Murray 3095c129616SMark Murray printf("24 bytes of salt: "); 310*43e30386SXin LI fgets(salt + 6, sizeof(salt) - 6, stdin); 3115c129616SMark Murray salt[99] = 0; 3125c129616SMark Murray printf("72 bytes of password: "); 3135c129616SMark Murray fpurge(stdin); 314*43e30386SXin LI fgets(blubber, sizeof(blubber), stdin); 3155c129616SMark Murray blubber[72] = 0; 3165c129616SMark Murray 3175c129616SMark Murray p = crypt(blubber, salt); 3185c129616SMark Murray printf("Passwd entry: %s\n\n", p); 3195c129616SMark Murray 3205c129616SMark Murray p = bcrypt_gensalt(5); 3215c129616SMark Murray printf("Generated salt: %s\n", p); 3225c129616SMark Murray p = crypt(blubber, p); 3235c129616SMark Murray printf("Passwd entry: %s\n", p); 3245c129616SMark Murray } 3255c129616SMark Murray #endif 326