jabberd2  2.7.0
crypt_blowfish.c
Go to the documentation of this file.
1 /*
2  * The crypt_blowfish homepage is:
3  *
4  * http://www.openwall.com/crypt/
5  *
6  * This code comes from John the Ripper password cracker, with reentrant
7  * and crypt(3) interfaces added, but optimizations specific to password
8  * cracking removed.
9  *
10  * Written by Solar Designer <solar at openwall.com> in 1998-2014.
11  * No copyright is claimed, and the software is hereby placed in the public
12  * domain. In case this attempt to disclaim copyright and place the software
13  * in the public domain is deemed null and void, then the software is
14  * Copyright (c) 1998-2014 Solar Designer and it is hereby released to the
15  * general public under the following terms:
16  *
17  * Redistribution and use in source and binary forms, with or without
18  * modification, are permitted.
19  *
20  * There's ABSOLUTELY NO WARRANTY, express or implied.
21  *
22  * It is my intent that you should be able to use this on your system,
23  * as part of a software package, or anywhere else to improve security,
24  * ensure compatibility, or for any other purpose. I would appreciate
25  * it if you give credit where it is due and keep your modifications in
26  * the public domain as well, but I don't require that in order to let
27  * you place this code and any modifications you make under a license
28  * of your choice.
29  *
30  * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix
31  * "$2b$", originally by Niels Provos <provos at citi.umich.edu>, and it uses
32  * some of his ideas. The password hashing algorithm was designed by David
33  * Mazieres <dm at lcs.mit.edu>. For information on the level of
34  * compatibility for bcrypt hash prefixes other than "$2b$", please refer to
35  * the comments in BF_set_key() below and to the included crypt(3) man page.
36  *
37  * There's a paper on the algorithm that explains its design decisions:
38  *
39  * http://www.usenix.org/events/usenix99/provos.html
40  *
41  * Some of the tricks in BF_ROUND might be inspired by Eric Young's
42  * Blowfish library (I can't be sure if I would think of something if I
43  * hadn't seen his code).
44  */
45 
46 #include <stdlib.h>
47 #include <string.h>
48 
49 #include <errno.h>
50 #ifndef __set_errno
51 #define __set_errno(val) errno = (val)
52 #endif
53 
54 /* Just to make sure the prototypes match the actual definitions */
55 #include "crypt_blowfish.h"
56 
57 #if defined(__i386__) || defined(__x86_64__) || defined(__alpha__) || defined(__hppa__)
58 #define BF_SCALE 1
59 #else
60 #define BF_SCALE 0
61 #endif
62 
63 typedef unsigned int BF_word;
64 typedef signed int BF_word_signed;
65 
66 /* Number of Blowfish rounds, this is also hardcoded into a few places */
67 #define BF_N 16
68 
69 typedef BF_word BF_key[BF_N + 2];
70 
71 typedef struct {
72  BF_word S[4][0x100];
74 } BF_ctx;
75 
76 /*
77  * Magic IV for 64 Blowfish encryptions that we do at the end.
78  * The string is "OrpheanBeholderScryDoubt" on big-endian.
79  */
80 static BF_word BF_magic_w[6] = {
81  0x4F727068, 0x65616E42, 0x65686F6C,
82  0x64657253, 0x63727944, 0x6F756274
83 };
84 
85 /*
86  * P-box and S-box tables initialized with digits of Pi.
87  */
89  {
90  {
91  0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
92  0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
93  0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
94  0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
95  0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
96  0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
97  0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
98  0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
99  0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
100  0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
101  0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
102  0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
103  0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
104  0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
105  0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
106  0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
107  0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
108  0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
109  0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
110  0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
111  0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
112  0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
113  0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
114  0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
115  0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
116  0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
117  0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
118  0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
119  0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
120  0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
121  0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
122  0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
123  0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
124  0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
125  0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
126  0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
127  0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
128  0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
129  0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
130  0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
131  0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
132  0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
133  0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
134  0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
135  0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
136  0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
137  0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
138  0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
139  0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
140  0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
141  0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
142  0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
143  0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
144  0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
145  0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
146  0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
147  0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
148  0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
149  0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
150  0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
151  0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
152  0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
153  0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
154  0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
155  }, {
156  0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
157  0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
158  0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
159  0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
160  0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
161  0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
162  0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
163  0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
164  0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
165  0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
166  0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
167  0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
168  0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
169  0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
170  0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
171  0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
172  0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
173  0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
174  0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
175  0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
176  0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
177  0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
178  0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
179  0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
180  0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
181  0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
182  0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
183  0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
184  0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
185  0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
186  0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
187  0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
188  0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
189  0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
190  0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
191  0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
192  0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
193  0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
194  0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
195  0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
196  0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
197  0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
198  0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
199  0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
200  0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
201  0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
202  0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
203  0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
204  0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
205  0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
206  0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
207  0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
208  0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
209  0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
210  0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
211  0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
212  0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
213  0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
214  0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
215  0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
216  0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
217  0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
218  0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
219  0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
220  }, {
221  0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
222  0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
223  0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
224  0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
225  0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
226  0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
227  0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
228  0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
229  0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
230  0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
231  0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
232  0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
233  0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
234  0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
235  0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
236  0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
237  0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
238  0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
239  0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
240  0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
241  0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
242  0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
243  0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
244  0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
245  0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
246  0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
247  0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
248  0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
249  0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
250  0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
251  0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
252  0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
253  0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
254  0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
255  0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
256  0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
257  0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
258  0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
259  0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
260  0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
261  0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
262  0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
263  0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
264  0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
265  0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
266  0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
267  0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
268  0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
269  0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
270  0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
271  0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
272  0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
273  0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
274  0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
275  0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
276  0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
277  0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
278  0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
279  0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
280  0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
281  0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
282  0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
283  0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
284  0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
285  }, {
286  0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
287  0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
288  0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
289  0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
290  0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
291  0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
292  0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
293  0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
294  0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
295  0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
296  0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
297  0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
298  0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
299  0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
300  0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
301  0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
302  0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
303  0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
304  0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
305  0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
306  0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
307  0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
308  0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
309  0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
310  0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
311  0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
312  0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
313  0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
314  0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
315  0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
316  0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
317  0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
318  0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
319  0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
320  0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
321  0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
322  0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
323  0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
324  0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
325  0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
326  0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
327  0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
328  0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
329  0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
330  0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
331  0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
332  0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
333  0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
334  0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
335  0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
336  0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
337  0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
338  0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
339  0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
340  0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
341  0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
342  0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
343  0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
344  0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
345  0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
346  0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
347  0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
348  0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
349  0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
350  }
351  }, {
352  0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
353  0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
354  0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
355  0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
356  0x9216d5d9, 0x8979fb1b
357  }
358 };
359 
360 static unsigned char BF_itoa64[64 + 1] =
361  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
362 
363 static unsigned char BF_atoi64[0x60] = {
364  64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
365  54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
366  64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
367  17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
368  64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
369  43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
370 };
371 
372 #define BF_safe_atoi64(dst, src) \
373 { \
374  tmp = (unsigned char)(src); \
375  if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
376  tmp = BF_atoi64[tmp]; \
377  if (tmp > 63) return -1; \
378  (dst) = tmp; \
379 }
380 
381 static int BF_decode(BF_word *dst, const char *src, int size)
382 {
383  unsigned char *dptr = (unsigned char *)dst;
384  unsigned char *end = dptr + size;
385  const unsigned char *sptr = (const unsigned char *)src;
386  unsigned int tmp, c1, c2, c3, c4;
387 
388  do {
389  BF_safe_atoi64(c1, *sptr++);
390  BF_safe_atoi64(c2, *sptr++);
391  *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
392  if (dptr >= end) break;
393 
394  BF_safe_atoi64(c3, *sptr++);
395  *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
396  if (dptr >= end) break;
397 
398  BF_safe_atoi64(c4, *sptr++);
399  *dptr++ = ((c3 & 0x03) << 6) | c4;
400  } while (dptr < end);
401 
402  return 0;
403 }
404 
405 static void BF_encode(char *dst, const BF_word *src, int size)
406 {
407  const unsigned char *sptr = (const unsigned char *)src;
408  const unsigned char *end = sptr + size;
409  unsigned char *dptr = (unsigned char *)dst;
410  unsigned int c1, c2;
411 
412  do {
413  c1 = *sptr++;
414  *dptr++ = BF_itoa64[c1 >> 2];
415  c1 = (c1 & 0x03) << 4;
416  if (sptr >= end) {
417  *dptr++ = BF_itoa64[c1];
418  break;
419  }
420 
421  c2 = *sptr++;
422  c1 |= c2 >> 4;
423  *dptr++ = BF_itoa64[c1];
424  c1 = (c2 & 0x0f) << 2;
425  if (sptr >= end) {
426  *dptr++ = BF_itoa64[c1];
427  break;
428  }
429 
430  c2 = *sptr++;
431  c1 |= c2 >> 6;
432  *dptr++ = BF_itoa64[c1];
433  *dptr++ = BF_itoa64[c2 & 0x3f];
434  } while (sptr < end);
435 }
436 
437 static void BF_swap(BF_word *x, int count)
438 {
439  static int endianness_check = 1;
440  char *is_little_endian = (char *)&endianness_check;
441  BF_word tmp;
442 
443  if (*is_little_endian)
444  do {
445  tmp = *x;
446  tmp = (tmp << 16) | (tmp >> 16);
447  *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
448  } while (--count);
449 }
450 
451 #if BF_SCALE
452 /* Architectures which can shift addresses left by 2 bits with no extra cost */
453 #define BF_ROUND(L, R, N) \
454  tmp1 = L & 0xFF; \
455  tmp2 = L >> 8; \
456  tmp2 &= 0xFF; \
457  tmp3 = L >> 16; \
458  tmp3 &= 0xFF; \
459  tmp4 = L >> 24; \
460  tmp1 = data.ctx.S[3][tmp1]; \
461  tmp2 = data.ctx.S[2][tmp2]; \
462  tmp3 = data.ctx.S[1][tmp3]; \
463  tmp3 += data.ctx.S[0][tmp4]; \
464  tmp3 ^= tmp2; \
465  R ^= data.ctx.P[N + 1]; \
466  tmp3 += tmp1; \
467  R ^= tmp3;
468 #else
469 /* Architectures with no complicated addressing modes supported */
470 #define BF_INDEX(S, i) \
471  (*((BF_word *)(((unsigned char *)S) + (i))))
472 #define BF_ROUND(L, R, N) \
473  tmp1 = L & 0xFF; \
474  tmp1 <<= 2; \
475  tmp2 = L >> 6; \
476  tmp2 &= 0x3FC; \
477  tmp3 = L >> 14; \
478  tmp3 &= 0x3FC; \
479  tmp4 = L >> 22; \
480  tmp4 &= 0x3FC; \
481  tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
482  tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
483  tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
484  tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
485  tmp3 ^= tmp2; \
486  R ^= data.ctx.P[N + 1]; \
487  tmp3 += tmp1; \
488  R ^= tmp3;
489 #endif
490 
491 /*
492  * Encrypt one block, BF_N is hardcoded here.
493  */
494 #define BF_ENCRYPT \
495  L ^= data.ctx.P[0]; \
496  BF_ROUND(L, R, 0); \
497  BF_ROUND(R, L, 1); \
498  BF_ROUND(L, R, 2); \
499  BF_ROUND(R, L, 3); \
500  BF_ROUND(L, R, 4); \
501  BF_ROUND(R, L, 5); \
502  BF_ROUND(L, R, 6); \
503  BF_ROUND(R, L, 7); \
504  BF_ROUND(L, R, 8); \
505  BF_ROUND(R, L, 9); \
506  BF_ROUND(L, R, 10); \
507  BF_ROUND(R, L, 11); \
508  BF_ROUND(L, R, 12); \
509  BF_ROUND(R, L, 13); \
510  BF_ROUND(L, R, 14); \
511  BF_ROUND(R, L, 15); \
512  tmp4 = R; \
513  R = L; \
514  L = tmp4 ^ data.ctx.P[BF_N + 1];
515 
516 #define BF_body() \
517  L = R = 0; \
518  ptr = data.ctx.P; \
519  do { \
520  ptr += 2; \
521  BF_ENCRYPT; \
522  *(ptr - 2) = L; \
523  *(ptr - 1) = R; \
524  } while (ptr < &data.ctx.P[BF_N + 2]); \
525 \
526  ptr = data.ctx.S[0]; \
527  do { \
528  ptr += 2; \
529  BF_ENCRYPT; \
530  *(ptr - 2) = L; \
531  *(ptr - 1) = R; \
532  } while (ptr < &data.ctx.S[3][0xFF]);
533 
534 static void BF_set_key(const char *key, BF_key expanded, BF_key initial,
535  unsigned char flags)
536 {
537  const char *ptr = key;
538  unsigned int bug, i, j;
539  BF_word safety, sign, diff, tmp[2];
540 
541 /*
542  * There was a sign extension bug in older revisions of this function. While
543  * we would have liked to simply fix the bug and move on, we have to provide
544  * a backwards compatibility feature (essentially the bug) for some systems and
545  * a safety measure for some others. The latter is needed because for certain
546  * multiple inputs to the buggy algorithm there exist easily found inputs to
547  * the correct algorithm that produce the same hash. Thus, we optionally
548  * deviate from the correct algorithm just enough to avoid such collisions.
549  * While the bug itself affected the majority of passwords containing
550  * characters with the 8th bit set (although only a percentage of those in a
551  * collision-producing way), the anti-collision safety measure affects
552  * only a subset of passwords containing the '\xff' character (not even all of
553  * those passwords, just some of them). This character is not found in valid
554  * UTF-8 sequences and is rarely used in popular 8-bit character encodings.
555  * Thus, the safety measure is unlikely to cause much annoyance, and is a
556  * reasonable tradeoff to use when authenticating against existing hashes that
557  * are not reliably known to have been computed with the correct algorithm.
558  *
559  * We use an approach that tries to minimize side-channel leaks of password
560  * information - that is, we mostly use fixed-cost bitwise operations instead
561  * of branches or table lookups. (One conditional branch based on password
562  * length remains. It is not part of the bug aftermath, though, and is
563  * difficult and possibly unreasonable to avoid given the use of C strings by
564  * the caller, which results in similar timing leaks anyway.)
565  *
566  * For actual implementation, we set an array index in the variable "bug"
567  * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
568  * variable "safety" (bit 16 is set when the safety measure is requested).
569  * Valid combinations of settings are:
570  *
571  * Prefix "$2a$": bug = 0, safety = 0x10000
572  * Prefix "$2b$": bug = 0, safety = 0
573  * Prefix "$2x$": bug = 1, safety = 0
574  * Prefix "$2y$": bug = 0, safety = 0
575  */
576  bug = (unsigned int)flags & 1;
577  safety = ((BF_word)flags & 2) << 15;
578 
579  sign = diff = 0;
580 
581  for (i = 0; i < BF_N + 2; i++) {
582  tmp[0] = tmp[1] = 0;
583  for (j = 0; j < 4; j++) {
584  tmp[0] <<= 8;
585  tmp[0] |= (unsigned char)*ptr; /* correct */
586  tmp[1] <<= 8;
587  tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */
588 /*
589  * Sign extension in the first char has no effect - nothing to overwrite yet,
590  * and those extra 24 bits will be fully shifted out of the 32-bit word. For
591  * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
592  * extension in tmp[1] occurs. Once this flag is set, it remains set.
593  */
594  if (j)
595  sign |= tmp[1] & 0x80;
596  if (!*ptr)
597  ptr = key;
598  else
599  ptr++;
600  }
601  diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
602 
603  expanded[i] = tmp[bug];
604  initial[i] = BF_init_state.P[i] ^ tmp[bug];
605  }
606 
607 /*
608  * At this point, "diff" is zero iff the correct and buggy algorithms produced
609  * exactly the same result. If so and if "sign" is non-zero, which indicates
610  * that there was a non-benign sign extension, this means that we have a
611  * collision between the correctly computed hash for this password and a set of
612  * passwords that could be supplied to the buggy algorithm. Our safety measure
613  * is meant to protect from such many-buggy to one-correct collisions, by
614  * deviating from the correct algorithm in such cases. Let's check for this.
615  */
616  diff |= diff >> 16; /* still zero iff exact match */
617  diff &= 0xffff; /* ditto */
618  diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */
619  sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
620  sign &= ~diff & safety; /* action needed? */
621 
622 /*
623  * If we have determined that we need to deviate from the correct algorithm,
624  * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but
625  * let's stick to it now. It came out of the approach we used above, and it's
626  * not any worse than any other choice we could make.)
627  *
628  * It is crucial that we don't do the same to the expanded key used in the main
629  * Eksblowfish loop. By doing it to only one of these two, we deviate from a
630  * state that could be directly specified by a password to the buggy algorithm
631  * (and to the fully correct one as well, but that's a side-effect).
632  */
633  initial[0] ^= sign;
634 }
635 
636 static const unsigned char flags_by_subtype[26] =
637  {2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
638  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};
639 
640 static char *BF_crypt(const char *key, const char *setting,
641  char *output, int size,
642  BF_word min)
643 {
644  struct {
645  BF_ctx ctx;
646  BF_key expanded_key;
647  union {
648  BF_word salt[4];
649  BF_word output[6];
650  } binary;
651  } data;
652  BF_word L, R;
653  BF_word tmp1, tmp2, tmp3, tmp4;
654  BF_word *ptr;
655  BF_word count;
656  int i;
657 
658  if (size < 7 + 22 + 31 + 1) {
659  __set_errno(ERANGE);
660  return NULL;
661  }
662 
663  if (setting[0] != '$' ||
664  setting[1] != '2' ||
665  setting[2] < 'a' || setting[2] > 'z' ||
666  !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
667  setting[3] != '$' ||
668  setting[4] < '0' || setting[4] > '3' ||
669  setting[5] < '0' || setting[5] > '9' ||
670  (setting[4] == '3' && setting[5] > '1') ||
671  setting[6] != '$') {
672  __set_errno(EINVAL);
673  return NULL;
674  }
675 
676  count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
677  if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
678  __set_errno(EINVAL);
679  return NULL;
680  }
681  BF_swap(data.binary.salt, 4);
682 
683  BF_set_key(key, data.expanded_key, data.ctx.P,
684  flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']);
685 
686  memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
687 
688  L = R = 0;
689  for (i = 0; i < BF_N + 2; i += 2) {
690  L ^= data.binary.salt[i & 2];
691  R ^= data.binary.salt[(i & 2) + 1];
692  BF_ENCRYPT;
693  data.ctx.P[i] = L;
694  data.ctx.P[i + 1] = R;
695  }
696 
697  ptr = data.ctx.S[0];
698  do {
699  ptr += 4;
700  L ^= data.binary.salt[(BF_N + 2) & 3];
701  R ^= data.binary.salt[(BF_N + 3) & 3];
702  BF_ENCRYPT;
703  *(ptr - 4) = L;
704  *(ptr - 3) = R;
705 
706  L ^= data.binary.salt[(BF_N + 4) & 3];
707  R ^= data.binary.salt[(BF_N + 5) & 3];
708  BF_ENCRYPT;
709  *(ptr - 2) = L;
710  *(ptr - 1) = R;
711  } while (ptr < &data.ctx.S[3][0xFF]);
712 
713  do {
714  int done;
715 
716  for (i = 0; i < BF_N + 2; i += 2) {
717  data.ctx.P[i] ^= data.expanded_key[i];
718  data.ctx.P[i + 1] ^= data.expanded_key[i + 1];
719  }
720 
721  done = 0;
722  do {
723  BF_body();
724  if (done)
725  break;
726  done = 1;
727 
728  tmp1 = data.binary.salt[0];
729  tmp2 = data.binary.salt[1];
730  tmp3 = data.binary.salt[2];
731  tmp4 = data.binary.salt[3];
732  for (i = 0; i < BF_N; i += 4) {
733  data.ctx.P[i] ^= tmp1;
734  data.ctx.P[i + 1] ^= tmp2;
735  data.ctx.P[i + 2] ^= tmp3;
736  data.ctx.P[i + 3] ^= tmp4;
737  }
738  data.ctx.P[16] ^= tmp1;
739  data.ctx.P[17] ^= tmp2;
740  } while (1);
741  } while (--count);
742 
743  for (i = 0; i < 6; i += 2) {
744  L = BF_magic_w[i];
745  R = BF_magic_w[i + 1];
746 
747  count = 64;
748  do {
749  BF_ENCRYPT;
750  } while (--count);
751 
752  data.binary.output[i] = L;
753  data.binary.output[i + 1] = R;
754  }
755 
756  memcpy(output, setting, 7 + 22 - 1);
757  output[7 + 22 - 1] = BF_itoa64[(int)
758  BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
759 
760 /* This has to be bug-compatible with the original implementation, so
761  * only encode 23 of the 24 bytes. :-) */
762  BF_swap(data.binary.output, 6);
763  BF_encode(&output[7 + 22], data.binary.output, 23);
764  output[7 + 22 + 31] = '\0';
765 
766  return output;
767 }
768 
769 int _crypt_output_magic(const char *setting, char *output, int size)
770 {
771  if (size < 3)
772  return -1;
773 
774  output[0] = '*';
775  output[1] = '0';
776  output[2] = '\0';
777 
778  if (setting[0] == '*' && setting[1] == '0')
779  output[1] = '1';
780 
781  return 0;
782 }
783 
784 /*
785  * Please preserve the runtime self-test. It serves two purposes at once:
786  *
787  * 1. We really can't afford the risk of producing incompatible hashes e.g.
788  * when there's something like gcc bug 26587 again, whereas an application or
789  * library integrating this code might not also integrate our external tests or
790  * it might not run them after every build. Even if it does, the miscompile
791  * might only occur on the production build, but not on a testing build (such
792  * as because of different optimization settings). It is painful to recover
793  * from incorrectly-computed hashes - merely fixing whatever broke is not
794  * enough. Thus, a proactive measure like this self-test is needed.
795  *
796  * 2. We don't want to leave sensitive data from our actual password hash
797  * computation on the stack or in registers. Previous revisions of the code
798  * would do explicit cleanups, but simply running the self-test after hash
799  * computation is more reliable.
800  *
801  * The performance cost of this quick self-test is around 0.6% at the "$2a$08"
802  * setting.
803  */
804 char *_crypt_blowfish_rn(const char *key, const char *setting,
805  char *output, int size)
806 {
807  const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
808  const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu";
809  static const char * const test_hashes[2] =
810  {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */
811  "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */
812  const char *test_hash = test_hashes[0];
813  char *retval;
814  const char *p;
815  int save_errno, ok;
816  struct {
817  char s[7 + 22 + 1];
818  char o[7 + 22 + 31 + 1 + 1 + 1];
819  } buf;
820 
821 /* Hash the supplied password */
822  _crypt_output_magic(setting, output, size);
823  retval = BF_crypt(key, setting, output, size, 16);
824  save_errno = errno;
825 
826 /*
827  * Do a quick self-test. It is important that we make both calls to BF_crypt()
828  * from the same scope such that they likely use the same stack locations,
829  * which makes the second call overwrite the first call's sensitive data on the
830  * stack and makes it more likely that any alignment related issues would be
831  * detected by the self-test.
832  */
833  memcpy(buf.s, test_setting, sizeof(buf.s));
834  if (retval) {
835  unsigned int flags = flags_by_subtype[
836  (unsigned int)(unsigned char)setting[2] - 'a'];
837  test_hash = test_hashes[flags & 1];
838  buf.s[2] = setting[2];
839  }
840  memset(buf.o, 0x55, sizeof(buf.o));
841  buf.o[sizeof(buf.o) - 1] = 0;
842  p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);
843 
844  ok = (p == buf.o &&
845  !memcmp(p, buf.s, 7 + 22) &&
846  !memcmp(p + (7 + 22), test_hash, 31 + 1 + 1 + 1));
847 
848  {
849  const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
850  BF_key ae, ai, ye, yi;
851  BF_set_key(k, ae, ai, 2); /* $2a$ */
852  BF_set_key(k, ye, yi, 4); /* $2y$ */
853  ai[0] ^= 0x10000; /* undo the safety (for comparison) */
854  ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
855  !memcmp(ae, ye, sizeof(ae)) &&
856  !memcmp(ai, yi, sizeof(ai));
857  }
858 
859  __set_errno(save_errno);
860  if (ok)
861  return retval;
862 
863 /* Should not happen */
864  _crypt_output_magic(setting, output, size);
865  __set_errno(EINVAL); /* pretend we don't support this hash type */
866  return NULL;
867 }
868 
869 char *_crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count,
870  const char *input, int size, char *output, int output_size)
871 {
872  if (size < 16 || output_size < 7 + 22 + 1 ||
873  (count && (count < 4 || count > 31)) ||
874  prefix[0] != '$' || prefix[1] != '2' ||
875  (prefix[2] != 'a' && prefix[2] != 'b' && prefix[2] != 'y')) {
876  if (output_size > 0) output[0] = '\0';
877  __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
878  return NULL;
879  }
880 
881  if (!count) count = 5;
882 
883  output[0] = '$';
884  output[1] = '2';
885  output[2] = prefix[2];
886  output[3] = '$';
887  output[4] = '0' + count / 10;
888  output[5] = '0' + count % 10;
889  output[6] = '$';
890 
891  BF_encode(&output[7], (const BF_word *)input, 16);
892  output[7 + 22] = '\0';
893 
894  return output;
895 }
896 
897 unsigned char _crypt_itoa64[64 + 1] =
898  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
899 
900 char *_crypt_gensalt_traditional_rn(const char *prefix, unsigned long count,
901  const char *input, int size, char *output, int output_size)
902 {
903  (void) prefix;
904 
905  if (size < 2 || output_size < 2 + 1 || (count && count != 25)) {
906  if (output_size > 0) output[0] = '\0';
907  __set_errno((output_size < 2 + 1) ? ERANGE : EINVAL);
908  return NULL;
909  }
910 
911  output[0] = _crypt_itoa64[(unsigned int)input[0] & 0x3f];
912  output[1] = _crypt_itoa64[(unsigned int)input[1] & 0x3f];
913  output[2] = '\0';
914 
915  return output;
916 }
917 
918 char *_crypt_gensalt_extended_rn(const char *prefix, unsigned long count,
919  const char *input, int size, char *output, int output_size)
920 {
921  unsigned long value;
922 
923  (void) prefix;
924 
925 /* Even iteration counts make it easier to detect weak DES keys from a look
926  * at the hash, so they should be avoided */
927  if (size < 3 || output_size < 1 + 4 + 4 + 1 ||
928  (count && (count > 0xffffff || !(count & 1)))) {
929  if (output_size > 0) output[0] = '\0';
930  __set_errno((output_size < 1 + 4 + 4 + 1) ? ERANGE : EINVAL);
931  return NULL;
932  }
933 
934  if (!count) count = 725;
935 
936  output[0] = '_';
937  output[1] = _crypt_itoa64[count & 0x3f];
938  output[2] = _crypt_itoa64[(count >> 6) & 0x3f];
939  output[3] = _crypt_itoa64[(count >> 12) & 0x3f];
940  output[4] = _crypt_itoa64[(count >> 18) & 0x3f];
941  value = (unsigned long)(unsigned char)input[0] |
942  ((unsigned long)(unsigned char)input[1] << 8) |
943  ((unsigned long)(unsigned char)input[2] << 16);
944  output[5] = _crypt_itoa64[value & 0x3f];
945  output[6] = _crypt_itoa64[(value >> 6) & 0x3f];
946  output[7] = _crypt_itoa64[(value >> 12) & 0x3f];
947  output[8] = _crypt_itoa64[(value >> 18) & 0x3f];
948  output[9] = '\0';
949 
950  return output;
951 }
952 
953 char *_crypt_gensalt_md5_rn(const char *prefix, unsigned long count,
954  const char *input, int size, char *output, int output_size)
955 {
956  unsigned long value;
957 
958  (void) prefix;
959 
960  if (size < 3 || output_size < 3 + 4 + 1 || (count && count != 1000)) {
961  if (output_size > 0) output[0] = '\0';
962  __set_errno((output_size < 3 + 4 + 1) ? ERANGE : EINVAL);
963  return NULL;
964  }
965 
966  output[0] = '$';
967  output[1] = '1';
968  output[2] = '$';
969  value = (unsigned long)(unsigned char)input[0] |
970  ((unsigned long)(unsigned char)input[1] << 8) |
971  ((unsigned long)(unsigned char)input[2] << 16);
972  output[3] = _crypt_itoa64[value & 0x3f];
973  output[4] = _crypt_itoa64[(value >> 6) & 0x3f];
974  output[5] = _crypt_itoa64[(value >> 12) & 0x3f];
975  output[6] = _crypt_itoa64[(value >> 18) & 0x3f];
976  output[7] = '\0';
977 
978  if (size >= 6 && output_size >= 3 + 4 + 4 + 1) {
979  value = (unsigned long)(unsigned char)input[3] |
980  ((unsigned long)(unsigned char)input[4] << 8) |
981  ((unsigned long)(unsigned char)input[5] << 16);
982  output[7] = _crypt_itoa64[value & 0x3f];
983  output[8] = _crypt_itoa64[(value >> 6) & 0x3f];
984  output[9] = _crypt_itoa64[(value >> 12) & 0x3f];
985  output[10] = _crypt_itoa64[(value >> 18) & 0x3f];
986  output[11] = '\0';
987  }
988 
989  return output;
990 }
991 
992 #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1)
993 #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1)
994 
995 static int _crypt_data_alloc(void **data, int *size, int need)
996 {
997  void *updated;
998 
999  if (*data && *size >= need) return 0;
1000 
1001  updated = realloc(*data, need);
1002 
1003  if (!updated) {
1004 #ifndef __GLIBC__
1005  /* realloc(3) on glibc sets errno, so we don't need to bother */
1006  __set_errno(ENOMEM);
1007 #endif
1008  return -1;
1009  }
1010 
1011  *data = updated;
1012  *size = need;
1013 
1014  return 0;
1015 }
1016 
1017 static char *_crypt_retval_magic(char *retval, const char *setting,
1018  char *output, int size)
1019 {
1020  if (retval)
1021  return retval;
1022 
1023  if (_crypt_output_magic(setting, output, size))
1024  return NULL; /* shouldn't happen */
1025 
1026  return output;
1027 }
1028 
1029 #if defined(__GLIBC__) && defined(_LIBC)
1030 /*
1031  * Applications may re-use the same instance of struct crypt_data without
1032  * resetting the initialized field in order to let crypt_r() skip some of
1033  * its initialization code. Thus, it is important that our multiple hashing
1034  * algorithms either don't conflict with each other in their use of the
1035  * data area or reset the initialized field themselves whenever required.
1036  * Currently, the hashing algorithms simply have no conflicts: the first
1037  * field of struct crypt_data is the 128-byte large DES key schedule which
1038  * __des_crypt_r() calculates each time it is called while the two other
1039  * hashing algorithms use less than 128 bytes of the data area.
1040  */
1041 
1042 char *__crypt_rn(__const char *key, __const char *setting,
1043  void *data, int size)
1044 {
1045  if (setting[0] == '$' && setting[1] == '2')
1046  return _crypt_blowfish_rn(key, setting, (char *)data, size);
1047  if (setting[0] == '$' && setting[1] == '1')
1048  return __md5_crypt_r(key, setting, (char *)data, size);
1049  if (setting[0] == '$' || setting[0] == '_') {
1050  __set_errno(EINVAL);
1051  return NULL;
1052  }
1053  if (size >= sizeof(struct crypt_data))
1054  return __des_crypt_r(key, setting, (struct crypt_data *)data);
1055  __set_errno(ERANGE);
1056  return NULL;
1057 }
1058 
1059 char *__crypt_ra(__const char *key, __const char *setting,
1060  void **data, int *size)
1061 {
1062  if (setting[0] == '$' && setting[1] == '2') {
1063  if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1064  return NULL;
1065  return _crypt_blowfish_rn(key, setting, (char *)*data, *size);
1066  }
1067  if (setting[0] == '$' && setting[1] == '1') {
1068  if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1069  return NULL;
1070  return __md5_crypt_r(key, setting, (char *)*data, *size);
1071  }
1072  if (setting[0] == '$' || setting[0] == '_') {
1073  __set_errno(EINVAL);
1074  return NULL;
1075  }
1076  if (_crypt_data_alloc(data, size, sizeof(struct crypt_data)))
1077  return NULL;
1078  return __des_crypt_r(key, setting, (struct crypt_data *)*data);
1079 }
1080 
1081 char *__crypt_r(__const char *key, __const char *setting,
1082  struct crypt_data *data)
1083 {
1084  return _crypt_retval_magic(
1085  __crypt_rn(key, setting, data, sizeof(*data)),
1086  setting, (char *)data, sizeof(*data));
1087 }
1088 
1089 char *__crypt(__const char *key, __const char *setting)
1090 {
1091  return _crypt_retval_magic(
1092  __crypt_rn(key, setting, &_ufc_foobar, sizeof(_ufc_foobar)),
1093  setting, (char *)&_ufc_foobar, sizeof(_ufc_foobar));
1094 }
1095 #else
1096 char *crypt_rn(const char *key, const char *setting, void *data, int size)
1097 {
1098  return _crypt_blowfish_rn(key, setting, (char *)data, size);
1099 }
1100 
1101 char *crypt_ra(const char *key, const char *setting,
1102  void **data, int *size)
1103 {
1104  if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE))
1105  return NULL;
1106  return _crypt_blowfish_rn(key, setting, (char *)*data, *size);
1107 }
1108 
1109 char *crypt_r(const char *key, const char *setting, void *data)
1110 {
1111  return _crypt_retval_magic(
1112  crypt_rn(key, setting, data, CRYPT_OUTPUT_SIZE),
1113  setting, (char *)data, CRYPT_OUTPUT_SIZE);
1114 }
1115 
1116 char *bcrypt(const char *key, const char *setting)
1117 {
1118  static char output[CRYPT_OUTPUT_SIZE];
1119 
1120  return _crypt_retval_magic(
1121  crypt_rn(key, setting, output, sizeof(output)),
1122  setting, output, sizeof(output));
1123 }
1124 
1125 #define __crypt_gensalt_rn crypt_gensalt_rn
1126 #define __crypt_gensalt_ra crypt_gensalt_ra
1127 #define __crypt_gensalt bcrypt_gensalt
1128 #endif
1129 
1130 char *__crypt_gensalt_rn(const char *prefix, unsigned long count,
1131  const char *input, int size, char *output, int output_size)
1132 {
1133  char *(*use)(const char *_prefix, unsigned long _count,
1134  const char *_input, int _size,
1135  char *_output, int _output_size);
1136 
1137  /* This may be supported on some platforms in the future */
1138  if (!input) {
1139  __set_errno(EINVAL);
1140  return NULL;
1141  }
1142 
1143  if (!strncmp(prefix, "$2a$", 4) || !strncmp(prefix, "$2b$", 4) ||
1144  !strncmp(prefix, "$2y$", 4))
1146  else
1147  if (!strncmp(prefix, "$1$", 3))
1148  use = _crypt_gensalt_md5_rn;
1149  else
1150  if (prefix[0] == '_')
1152  else
1153  if (!prefix[0] ||
1154  (prefix[0] && prefix[1] &&
1155  memchr(_crypt_itoa64, prefix[0], 64) &&
1156  memchr(_crypt_itoa64, prefix[1], 64)))
1158  else {
1159  __set_errno(EINVAL);
1160  return NULL;
1161  }
1162 
1163  return use(prefix, count, input, size, output, output_size);
1164 }
1165 
1166 char *__crypt_gensalt_ra(const char *prefix, unsigned long count,
1167  const char *input, int size)
1168 {
1169  char output[CRYPT_GENSALT_OUTPUT_SIZE];
1170  char *retval;
1171 
1172  retval = __crypt_gensalt_rn(prefix, count,
1173  input, size, output, sizeof(output));
1174 
1175  if (retval) {
1176  retval = strdup(retval);
1177 #ifndef __GLIBC__
1178  /* strdup(3) on glibc sets errno, so we don't need to bother */
1179  if (!retval)
1180  __set_errno(ENOMEM);
1181 #endif
1182  }
1183 
1184  return retval;
1185 }
1186 
1187 char *__crypt_gensalt(const char *prefix, unsigned long count,
1188  const char *input, int size)
1189 {
1190  static char output[CRYPT_GENSALT_OUTPUT_SIZE];
1191 
1192  return __crypt_gensalt_rn(prefix, count,
1193  input, size, output, sizeof(output));
1194 }
static void BF_swap(BF_word *x, int count)
BF_word S[4][0x100]
char * _crypt_gensalt_extended_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size)
char * _crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size)
#define BF_N
#define __crypt_gensalt_ra
#define BF_safe_atoi64(dst, src)
unsigned int BF_word
char * _crypt_blowfish_rn(const char *key, const char *setting, char *output, int size)
char * bcrypt(const char *key, const char *setting)
#define __crypt_gensalt_rn
static char * _crypt_retval_magic(char *retval, const char *setting, char *output, int size)
static void BF_encode(char *dst, const BF_word *src, int size)
BF_key P
char * crypt_rn(const char *key, const char *setting, void *data, int size)
unsigned char _crypt_itoa64[64+1]
char * _crypt_gensalt_traditional_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size)
signed int BF_word_signed
static char * BF_crypt(const char *key, const char *setting, char *output, int size, BF_word min)
#define __set_errno(val)
int _crypt_output_magic(const char *setting, char *output, int size)
#define CRYPT_OUTPUT_SIZE
#define CRYPT_GENSALT_OUTPUT_SIZE
BF_word BF_key[BF_N+2]
static int _crypt_data_alloc(void **data, int *size, int need)
#define BF_body()
static BF_ctx BF_init_state
#define __crypt_gensalt
static int BF_decode(BF_word *dst, const char *src, int size)
char * crypt_r(const char *key, const char *setting, void *data)
#define __const
char * crypt_ra(const char *key, const char *setting, void **data, int *size)
char * _crypt_gensalt_md5_rn(const char *prefix, unsigned long count, const char *input, int size, char *output, int output_size)
static const unsigned char flags_by_subtype[26]
static BF_word BF_magic_w[6]
static unsigned char BF_atoi64[0x60]
#define BF_ENCRYPT
static void BF_set_key(const char *key, BF_key expanded, BF_key initial, unsigned char flags)
static unsigned char BF_itoa64[64+1]