├── .gitignore ├── Makefile ├── crypt_blowfish ├── crypt.h ├── LINKS ├── crypt_blowfish.h ├── crypt_gensalt.h ├── PERFORMANCE ├── ow-crypt.h ├── glibc-2.3.6-crypt.diff ├── glibc-2.1.3-crypt.diff ├── glibc-2.14-crypt.diff ├── Makefile ├── README ├── crypt_gensalt.c ├── x86.S ├── wrapper.c ├── crypt.3 └── crypt_blowfish.c ├── README ├── bcrypt.h ├── bcrypt.c └── COPYING /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.a 3 | *.3 4 | !crypt_blowfish/crypt.3 5 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = $(shell grep '^CFLAGS = ' crypt_blowfish/Makefile | cut -d= -f2-) 3 | .PHONY: crypt_blowfish 4 | 5 | all: bcrypt.a 6 | 7 | test: bcrypt.c crypt_blowfish 8 | $(CC) $(CFLAGS) -DTEST_BCRYPT -c bcrypt.c 9 | $(CC) -o bcrypt_test bcrypt.o crypt_blowfish/*.o 10 | 11 | bcrypt.a: bcrypt.o crypt_blowfish 12 | ar r bcrypt.a bcrypt.o crypt_blowfish/*.o 13 | 14 | bcrypt.o: bcrypt.c 15 | $(CC) $(CFLAGS) -c bcrypt.c 16 | 17 | crypt_blowfish: 18 | $(MAKE) -C crypt_blowfish 19 | 20 | clean: 21 | rm -f *.o bcrypt_test bcrypt.a *~ core 22 | $(MAKE) -C crypt_blowfish clean 23 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2002. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2002 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #include 18 | 19 | #if defined(_OW_SOURCE) || defined(__USE_OW) 20 | #define __SKIP_GNU 21 | #undef __SKIP_OW 22 | #include 23 | #undef __SKIP_GNU 24 | #endif 25 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | This library is a simple wrapper providing a convenient reentrant interface for 2 | the bcrypt password hashing algorithm implementation as provided by Solar 3 | Designer at http://www.openwall.com/crypt/. An exact copy of that source code 4 | is included in the crypt_blowfish subdirectory. 5 | 6 | The provided C interface is inspired in the bcrypt Python module that can be 7 | found at http://code.google.com/p/py-bcrypt/, and consists of a function to 8 | generate salts with the characteristic work factor parameter, one to generate 9 | password hashes which can also used to verify passwords and one designed 10 | specifically to verify passwords and avoid timing attacks. Please check the 11 | header bcrypt.h. It contains the prototypes and lots of comments with examples. 12 | 13 | All this code is released to the public domain under the terms of CC0. See the 14 | COPYING file for the legal text. 15 | -------------------------------------------------------------------------------- /crypt_blowfish/LINKS: -------------------------------------------------------------------------------- 1 | New versions of this package (crypt_blowfish): 2 | 3 | http://www.openwall.com/crypt/ 4 | 5 | A paper on the algorithm that explains its design decisions: 6 | 7 | http://www.usenix.org/events/usenix99/provos.html 8 | 9 | Unix Seventh Edition Manual, Volume 2: the password scheme (1978): 10 | 11 | http://plan9.bell-labs.com/7thEdMan/vol2/password 12 | 13 | The Openwall GNU/*/Linux (Owl) tcb suite implementing the alternative 14 | password shadowing scheme. This includes a PAM module which 15 | supersedes pam_unix and uses the password hashing framework provided 16 | with crypt_blowfish when setting new passwords. 17 | 18 | http://www.openwall.com/tcb/ 19 | 20 | pam_passwdqc, a password strength checking and policy enforcement 21 | module for PAM-aware password changing programs: 22 | 23 | http://www.openwall.com/passwdqc/ 24 | 25 | John the Ripper password cracker: 26 | 27 | http://www.openwall.com/john/ 28 | 29 | $Owl: Owl/packages/glibc/crypt_blowfish/LINKS,v 1.4 2005/11/16 13:09:47 solar Exp $ 30 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt_blowfish.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2011. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #ifndef _CRYPT_BLOWFISH_H 18 | #define _CRYPT_BLOWFISH_H 19 | 20 | extern int _crypt_output_magic(const char *setting, char *output, int size); 21 | extern char *_crypt_blowfish_rn(const char *key, const char *setting, 22 | char *output, int size); 23 | extern char *_crypt_gensalt_blowfish_rn(const char *prefix, 24 | unsigned long count, 25 | const char *input, int size, char *output, int output_size); 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt_gensalt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2011. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #ifndef _CRYPT_GENSALT_H 18 | #define _CRYPT_GENSALT_H 19 | 20 | extern unsigned char _crypt_itoa64[]; 21 | extern char *_crypt_gensalt_traditional_rn(const char *prefix, 22 | unsigned long count, 23 | const char *input, int size, char *output, int output_size); 24 | extern char *_crypt_gensalt_extended_rn(const char *prefix, 25 | unsigned long count, 26 | const char *input, int size, char *output, int output_size); 27 | extern char *_crypt_gensalt_md5_rn(const char *prefix, unsigned long count, 28 | const char *input, int size, char *output, int output_size); 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /crypt_blowfish/PERFORMANCE: -------------------------------------------------------------------------------- 1 | These numbers are for 32 iterations ("$2a$05"): 2 | 3 | OpenBSD 3.0 bcrypt(*) crypt_blowfish 0.4.4 4 | Pentium III, 840 MHz 99 c/s 121 c/s (+22%) 5 | Alpha 21164PC, 533 MHz 55.5 c/s 76.9 c/s (+38%) 6 | UltraSparc IIi, 400 MHz 49.9 c/s 52.5 c/s (+5%) 7 | Pentium, 120 MHz 8.8 c/s 20.1 c/s (+128%) 8 | PA-RISC 7100LC, 80 MHz 8.5 c/s 16.3 c/s (+92%) 9 | 10 | (*) built with -fomit-frame-pointer -funroll-loops, which I don't 11 | think happens for libcrypt. 12 | 13 | Starting with version 1.1 released in June 2011, default builds of 14 | crypt_blowfish invoke a quick self-test on every hash computation. 15 | This has roughly a 4.8% performance impact at "$2a$05", but only a 0.6% 16 | impact at a more typical setting of "$2a$08". 17 | 18 | The large speedup for the original Pentium is due to the assembly 19 | code and the weird optimizations this processor requires. 20 | 21 | The numbers for password cracking are 2 to 10% higher than those for 22 | crypt_blowfish as certain things may be done out of the loop and the 23 | code doesn't need to be reentrant. 24 | 25 | Recent versions of John the Ripper (1.6.25-dev and newer) achieve an 26 | additional 15% speedup on the Pentium Pro family of processors (which 27 | includes Pentium III) with a separate version of the assembly code and 28 | run-time CPU detection. 29 | 30 | $Owl: Owl/packages/glibc/crypt_blowfish/PERFORMANCE,v 1.6 2011/06/21 12:09:20 solar Exp $ 31 | -------------------------------------------------------------------------------- /crypt_blowfish/ow-crypt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2011. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #ifndef _OW_CRYPT_H 18 | #define _OW_CRYPT_H 19 | 20 | #ifndef __GNUC__ 21 | #undef __const 22 | #define __const const 23 | #endif 24 | 25 | #ifndef __SKIP_GNU 26 | extern char *crypt(__const char *key, __const char *setting); 27 | extern char *crypt_r(__const char *key, __const char *setting, void *data); 28 | #endif 29 | 30 | #ifndef __SKIP_OW 31 | extern char *crypt_rn(__const char *key, __const char *setting, 32 | void *data, int size); 33 | extern char *crypt_ra(__const char *key, __const char *setting, 34 | void **data, int *size); 35 | extern char *crypt_gensalt(__const char *prefix, unsigned long count, 36 | __const char *input, int size); 37 | extern char *crypt_gensalt_rn(__const char *prefix, unsigned long count, 38 | __const char *input, int size, char *output, int output_size); 39 | extern char *crypt_gensalt_ra(__const char *prefix, unsigned long count, 40 | __const char *input, int size); 41 | #endif 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /crypt_blowfish/glibc-2.3.6-crypt.diff: -------------------------------------------------------------------------------- 1 | --- glibc-2.3.6.orig/crypt/Makefile 2001-07-06 04:54:45 +0000 2 | +++ glibc-2.3.6/crypt/Makefile 2004-02-27 00:23:48 +0000 3 | @@ -21,14 +21,14 @@ 4 | # 5 | subdir := crypt 6 | 7 | -headers := crypt.h 8 | +headers := crypt.h gnu-crypt.h ow-crypt.h 9 | 10 | distribute := md5.h 11 | 12 | extra-libs := libcrypt 13 | extra-libs-others := $(extra-libs) 14 | 15 | -libcrypt-routines := crypt-entry md5-crypt md5 crypt crypt_util 16 | +libcrypt-routines := crypt-entry md5-crypt md5 crypt crypt_util crypt_blowfish x86 crypt_gensalt wrapper 17 | 18 | tests = cert md5test md5c-test 19 | 20 | --- glibc-2.3.6.orig/crypt/Versions 2000-03-04 00:47:30 +0000 21 | +++ glibc-2.3.6/crypt/Versions 2004-02-27 00:25:15 +0000 22 | @@ -1,5 +1,6 @@ 23 | libcrypt { 24 | GLIBC_2.0 { 25 | crypt; crypt_r; encrypt; encrypt_r; fcrypt; setkey; setkey_r; 26 | + crypt_rn; crypt_ra; crypt_gensalt; crypt_gensalt_rn; crypt_gensalt_ra; 27 | } 28 | } 29 | --- glibc-2.3.6.orig/crypt/crypt-entry.c 2001-07-06 05:18:49 +0000 30 | +++ glibc-2.3.6/crypt/crypt-entry.c 2004-02-27 00:12:32 +0000 31 | @@ -70,7 +70,7 @@ extern struct crypt_data _ufc_foobar; 32 | */ 33 | 34 | char * 35 | -__crypt_r (key, salt, data) 36 | +__des_crypt_r (key, salt, data) 37 | const char *key; 38 | const char *salt; 39 | struct crypt_data * __restrict data; 40 | @@ -115,6 +115,7 @@ __crypt_r (key, salt, data) 41 | _ufc_output_conversion_r (res[0], res[1], salt, data); 42 | return data->crypt_3_buf; 43 | } 44 | +#if 0 45 | weak_alias (__crypt_r, crypt_r) 46 | 47 | char * 48 | @@ -147,3 +148,4 @@ __fcrypt (key, salt) 49 | return crypt (key, salt); 50 | } 51 | #endif 52 | +#endif 53 | -------------------------------------------------------------------------------- /crypt_blowfish/glibc-2.1.3-crypt.diff: -------------------------------------------------------------------------------- 1 | --- glibc-2.1.3.orig/crypt/sysdeps/unix/Makefile 1997-03-05 00:33:59 +0000 2 | +++ glibc-2.1.3/crypt/sysdeps/unix/Makefile 2000-06-11 03:13:41 +0000 3 | @@ -1,4 +1,4 @@ 4 | ifeq ($(subdir),md5-crypt) 5 | -libcrypt-routines += crypt crypt_util 6 | -dont_distribute += crypt.c crypt_util.c 7 | +libcrypt-routines += crypt crypt_util crypt_blowfish x86 crypt_gensalt wrapper 8 | +dont_distribute += crypt.c crypt_util.c crypt_blowfish.c x86.S crypt_gensalt.c wrapper.c 9 | endif 10 | --- glibc-2.1.3.orig/crypt/sysdeps/unix/crypt-entry.c 1998-12-10 12:49:04 +0000 11 | +++ glibc-2.1.3/crypt/sysdeps/unix/crypt-entry.c 2000-06-11 03:14:57 +0000 12 | @@ -70,7 +70,7 @@ extern struct crypt_data _ufc_foobar; 13 | */ 14 | 15 | char * 16 | -__crypt_r (key, salt, data) 17 | +__des_crypt_r (key, salt, data) 18 | const char *key; 19 | const char *salt; 20 | struct crypt_data * __restrict data; 21 | @@ -115,6 +115,7 @@ __crypt_r (key, salt, data) 22 | _ufc_output_conversion_r (res[0], res[1], salt, data); 23 | return data->crypt_3_buf; 24 | } 25 | +#if 0 26 | weak_alias (__crypt_r, crypt_r) 27 | 28 | char * 29 | @@ -147,3 +148,4 @@ __fcrypt (key, salt) 30 | return crypt (key, salt); 31 | } 32 | #endif 33 | +#endif 34 | --- glibc-2.1.3.orig/md5-crypt/Makefile 1998-07-02 22:46:47 +0000 35 | +++ glibc-2.1.3/md5-crypt/Makefile 2000-06-11 03:12:34 +0000 36 | @@ -21,7 +21,7 @@ 37 | # 38 | subdir := md5-crypt 39 | 40 | -headers := crypt.h 41 | +headers := crypt.h gnu-crypt.h ow-crypt.h 42 | 43 | distribute := md5.h 44 | 45 | --- glibc-2.1.3.orig/md5-crypt/Versions 1998-07-02 22:32:07 +0000 46 | +++ glibc-2.1.3/md5-crypt/Versions 2000-06-11 09:11:03 +0000 47 | @@ -1,5 +1,6 @@ 48 | libcrypt { 49 | GLIBC_2.0 { 50 | crypt; crypt_r; encrypt; encrypt_r; fcrypt; setkey; setkey_r; 51 | + crypt_rn; crypt_ra; crypt_gensalt; crypt_gensalt_rn; crypt_gensalt_ra; 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /crypt_blowfish/glibc-2.14-crypt.diff: -------------------------------------------------------------------------------- 1 | diff -urp glibc-2.14.orig/crypt/Makefile glibc-2.14/crypt/Makefile 2 | --- glibc-2.14.orig/crypt/Makefile 2011-05-31 04:12:33 +0000 3 | +++ glibc-2.14/crypt/Makefile 2011-07-16 21:40:56 +0000 4 | @@ -22,6 +22,7 @@ 5 | subdir := crypt 6 | 7 | headers := crypt.h 8 | +headers += gnu-crypt.h ow-crypt.h 9 | 10 | extra-libs := libcrypt 11 | extra-libs-others := $(extra-libs) 12 | @@ -29,6 +30,8 @@ extra-libs-others := $(extra-libs) 13 | libcrypt-routines := crypt-entry md5-crypt sha256-crypt sha512-crypt crypt \ 14 | crypt_util 15 | 16 | +libcrypt-routines += crypt_blowfish x86 crypt_gensalt wrapper 17 | + 18 | tests := cert md5c-test sha256c-test sha512c-test 19 | 20 | distribute := ufc-crypt.h crypt-private.h ufc.c speeds.c README.ufc-crypt \ 21 | diff -urp glibc-2.14.orig/crypt/Versions glibc-2.14/crypt/Versions 22 | --- glibc-2.14.orig/crypt/Versions 2011-05-31 04:12:33 +0000 23 | +++ glibc-2.14/crypt/Versions 2011-07-16 21:40:56 +0000 24 | @@ -1,5 +1,6 @@ 25 | libcrypt { 26 | GLIBC_2.0 { 27 | crypt; crypt_r; encrypt; encrypt_r; fcrypt; setkey; setkey_r; 28 | + crypt_rn; crypt_ra; crypt_gensalt; crypt_gensalt_rn; crypt_gensalt_ra; 29 | } 30 | } 31 | diff -urp glibc-2.14.orig/crypt/crypt-entry.c glibc-2.14/crypt/crypt-entry.c 32 | --- glibc-2.14.orig/crypt/crypt-entry.c 2011-05-31 04:12:33 +0000 33 | +++ glibc-2.14/crypt/crypt-entry.c 2011-07-16 21:40:56 +0000 34 | @@ -82,7 +82,7 @@ extern struct crypt_data _ufc_foobar; 35 | */ 36 | 37 | char * 38 | -__crypt_r (key, salt, data) 39 | +__des_crypt_r (key, salt, data) 40 | const char *key; 41 | const char *salt; 42 | struct crypt_data * __restrict data; 43 | @@ -137,6 +137,7 @@ __crypt_r (key, salt, data) 44 | _ufc_output_conversion_r (res[0], res[1], salt, data); 45 | return data->crypt_3_buf; 46 | } 47 | +#if 0 48 | weak_alias (__crypt_r, crypt_r) 49 | 50 | char * 51 | @@ -177,3 +178,4 @@ __fcrypt (key, salt) 52 | return crypt (key, salt); 53 | } 54 | #endif 55 | +#endif 56 | -------------------------------------------------------------------------------- /crypt_blowfish/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Written and revised by Solar Designer in 2000-2011. 3 | # No copyright is claimed, and the software is hereby placed in the public 4 | # domain. In case this attempt to disclaim copyright and place the software 5 | # in the public domain is deemed null and void, then the software is 6 | # Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 7 | # general public under the following terms: 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted. 11 | # 12 | # There's ABSOLUTELY NO WARRANTY, express or implied. 13 | # 14 | # See crypt_blowfish.c for more information. 15 | # 16 | 17 | CC = gcc 18 | AS = $(CC) 19 | LD = $(CC) 20 | RM = rm -f 21 | CFLAGS = -W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wundef -Wpointer-arith -O2 -fomit-frame-pointer -funroll-loops 22 | ASFLAGS = -c 23 | LDFLAGS = -s 24 | 25 | BLOWFISH_OBJS = \ 26 | crypt_blowfish.o x86.o 27 | 28 | CRYPT_OBJS = \ 29 | $(BLOWFISH_OBJS) crypt_gensalt.o wrapper.o 30 | 31 | TEST_OBJS = \ 32 | $(BLOWFISH_OBJS) crypt_gensalt.o crypt_test.o 33 | 34 | TEST_THREADS_OBJS = \ 35 | $(BLOWFISH_OBJS) crypt_gensalt.o crypt_test_threads.o 36 | 37 | EXTRA_MANS = \ 38 | crypt_r.3 crypt_rn.3 crypt_ra.3 \ 39 | crypt_gensalt.3 crypt_gensalt_rn.3 crypt_gensalt_ra.3 40 | 41 | all: $(CRYPT_OBJS) man 42 | 43 | check: crypt_test 44 | ./crypt_test 45 | 46 | crypt_test: $(TEST_OBJS) 47 | $(LD) $(LDFLAGS) $(TEST_OBJS) -o $@ 48 | 49 | crypt_test.o: wrapper.c ow-crypt.h crypt_blowfish.h crypt_gensalt.h 50 | $(CC) -c $(CFLAGS) wrapper.c -DTEST -o $@ 51 | 52 | check_threads: crypt_test_threads 53 | ./crypt_test_threads 54 | 55 | crypt_test_threads: $(TEST_THREADS_OBJS) 56 | $(LD) $(LDFLAGS) $(TEST_THREADS_OBJS) -lpthread -o $@ 57 | 58 | crypt_test_threads.o: wrapper.c ow-crypt.h crypt_blowfish.h crypt_gensalt.h 59 | $(CC) -c $(CFLAGS) wrapper.c -DTEST -DTEST_THREADS=4 -o $@ 60 | 61 | man: $(EXTRA_MANS) 62 | 63 | $(EXTRA_MANS): 64 | echo '.so man3/crypt.3' > $@ 65 | 66 | crypt_blowfish.o: crypt_blowfish.h 67 | crypt_gensalt.o: crypt_gensalt.h 68 | wrapper.o: crypt.h ow-crypt.h crypt_blowfish.h crypt_gensalt.h 69 | 70 | .c.o: 71 | $(CC) -c $(CFLAGS) $*.c 72 | 73 | .S.o: 74 | $(AS) $(ASFLAGS) $*.S 75 | 76 | clean: 77 | $(RM) crypt_test crypt_test_threads *.o $(EXTRA_MANS) core 78 | -------------------------------------------------------------------------------- /bcrypt.h: -------------------------------------------------------------------------------- 1 | #ifndef BCRYPT_H_ 2 | #define BCRYPT_H_ 3 | /* 4 | * bcrypt wrapper library 5 | * 6 | * Written in 2011, 2013, 2014, 2015 by Ricardo Garcia 7 | * 8 | * To the extent possible under law, the author(s) have dedicated all copyright 9 | * and related and neighboring rights to this software to the public domain 10 | * worldwide. This software is distributed without any warranty. 11 | * 12 | * You should have received a copy of the CC0 Public Domain Dedication along 13 | * with this software. If not, see 14 | * . 15 | */ 16 | 17 | #define BCRYPT_HASHSIZE (64) 18 | 19 | #ifdef __cplusplus 20 | extern "C" { 21 | #endif 22 | 23 | /* 24 | * This function expects a work factor between 4 and 31 and a char array to 25 | * store the resulting generated salt. The char array should typically have 26 | * BCRYPT_HASHSIZE bytes at least. If the provided work factor is not in the 27 | * previous range, it will default to 12. 28 | * 29 | * The return value is zero if the salt could be correctly generated and 30 | * nonzero otherwise. 31 | * 32 | */ 33 | int bcrypt_gensalt(int workfactor, char salt[BCRYPT_HASHSIZE]); 34 | 35 | /* 36 | * This function expects a password to be hashed, a salt to hash the password 37 | * with and a char array to leave the result. Both the salt and the hash 38 | * parameters should have room for BCRYPT_HASHSIZE characters at least. 39 | * 40 | * It can also be used to verify a hashed password. In that case, provide the 41 | * expected hash in the salt parameter and verify the output hash is the same 42 | * as the input hash. However, to avoid timing attacks, it's better to use 43 | * bcrypt_checkpw when verifying a password. 44 | * 45 | * The return value is zero if the password could be hashed and nonzero 46 | * otherwise. 47 | */ 48 | int bcrypt_hashpw(const char *passwd, const char salt[BCRYPT_HASHSIZE], 49 | char hash[BCRYPT_HASHSIZE]); 50 | 51 | /* 52 | * This function expects a password and a hash to verify the password against. 53 | * The internal implementation is tuned to avoid timing attacks. 54 | * 55 | * The return value will be -1 in case of errors, zero if the provided password 56 | * matches the given hash and greater than zero if no errors are found and the 57 | * passwords don't match. 58 | * 59 | */ 60 | int bcrypt_checkpw(const char *passwd, const char hash[BCRYPT_HASHSIZE]); 61 | 62 | /* 63 | * Brief Example 64 | * ------------- 65 | * 66 | * Hashing a password: 67 | * 68 | * char salt[BCRYPT_HASHSIZE]; 69 | * char hash[BCRYPT_HASHSIZE]; 70 | * int ret; 71 | * 72 | * ret = bcrypt_gensalt(12, salt); 73 | * assert(ret == 0); 74 | * ret = bcrypt_hashpw("thepassword", salt, hash); 75 | * assert(ret == 0); 76 | * 77 | * 78 | * Verifying a password: 79 | * 80 | * int ret; 81 | * 82 | * ret = bcrypt_checkpw("thepassword", "expectedhash"); 83 | * assert(ret != -1); 84 | * 85 | * if (ret == 0) { 86 | * printf("The password matches\n"); 87 | * } else { 88 | * printf("The password does NOT match\n"); 89 | * } 90 | * 91 | */ 92 | 93 | #ifdef __cplusplus 94 | } 95 | #endif 96 | 97 | #endif 98 | -------------------------------------------------------------------------------- /crypt_blowfish/README: -------------------------------------------------------------------------------- 1 | This is an implementation of a password hashing method, provided via the 2 | crypt(3) and a reentrant interface. It is fully compatible with 3 | OpenBSD's bcrypt.c for prefix "$2b$", originally by Niels Provos and 4 | David Mazieres. (Please refer to the included crypt(3) man page for 5 | information on minor compatibility issues for other bcrypt prefixes.) 6 | 7 | I've placed this code in the public domain, with fallback to a 8 | permissive license. Please see the comment in crypt_blowfish.c for 9 | more information. 10 | 11 | You can use the provided routines in your own packages, or link them 12 | into a C library. I've provided hooks for linking into GNU libc, but 13 | it shouldn't be too hard to get this into another C library. Note 14 | that simply adding this code into your libc is probably not enough to 15 | make your system use the new password hashing algorithm. Changes to 16 | passwd(1), PAM modules, or whatever else your system uses will likely 17 | be needed as well. These are not a part of this package, but see 18 | LINKS for a pointer to our tcb suite. 19 | 20 | Instructions on using the routines in one of the two common ways are 21 | given below. It is recommended that you test the routines on your 22 | system before you start. Type "make check" or "make check_threads" 23 | (if you have the POSIX threads library), then "make clean". 24 | 25 | 26 | 1. Using the routines in your programs. 27 | 28 | The available interfaces are in ow-crypt.h, and this is the file you 29 | should include. You won't need crypt.h. When linking, add all of the 30 | C files and x86.S (you can compile and link it even on a non-x86, it 31 | will produce no code in this case). 32 | 33 | 34 | 2. Building the routines into GNU C library. 35 | 36 | For versions 2.13 and 2.14 (and likely other nearby ones), extract the 37 | library sources as usual. Apply the patch for glibc 2.14 provided in 38 | this package. Enter crypt/ and rename crypt.h to gnu-crypt.h within 39 | that directory. Copy the C sources, header, and assembly (x86.S) files 40 | from this package in there as well (but be sure you don't overwrite the 41 | Makefile). Configure, build, and install the library as usual. 42 | 43 | For versions 2.2 to 2.3.6 (and likely also for some newer ones), 44 | extract the library sources and maybe its optional add-ons as usual. 45 | Apply the patch for glibc 2.3.6 provided in this package. Enter 46 | crypt/ and rename crypt.h to gnu-crypt.h within that directory. Copy 47 | the C sources, header, and assembly (x86.S) files from this package in 48 | there as well (but be sure you don't overwrite the Makefile). 49 | Configure, build, and install the library as usual. 50 | 51 | For versions 2.1 to 2.1.3, extract the library sources and the crypt 52 | and linuxthreads add-ons as usual. Apply the patch for glibc 2.1.3 53 | provided in this package. Enter crypt/sysdeps/unix/, and rename 54 | crypt.h to gnu-crypt.h within that directory. Copy C sources, header, 55 | and assembly (x86.S) files from this package in there as well (but be 56 | sure you don't overwrite the Makefile). Configure, build, and install 57 | the library as usual. 58 | 59 | Programs that want to use the provided interfaces will need to include 60 | crypt.h (but not ow-crypt.h directly). By default, prototypes for the 61 | new routines aren't defined (but the extra functionality of crypt(3) 62 | is indeed available). You need to define _OW_SOURCE to obtain the new 63 | routines as well. 64 | 65 | -- 66 | Solar Designer 67 | 68 | $Owl: Owl/packages/glibc/crypt_blowfish/README,v 1.10 2014/07/07 15:19:04 solar Exp $ 69 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt_gensalt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2011. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | * 16 | * This file contains salt generation functions for the traditional and 17 | * other common crypt(3) algorithms, except for bcrypt which is defined 18 | * entirely in crypt_blowfish.c. 19 | */ 20 | 21 | #include 22 | 23 | #include 24 | #ifndef __set_errno 25 | #define __set_errno(val) errno = (val) 26 | #endif 27 | 28 | /* Just to make sure the prototypes match the actual definitions */ 29 | #include "crypt_gensalt.h" 30 | 31 | unsigned char _crypt_itoa64[64 + 1] = 32 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 33 | 34 | char *_crypt_gensalt_traditional_rn(const char *prefix, unsigned long count, 35 | const char *input, int size, char *output, int output_size) 36 | { 37 | (void) prefix; 38 | 39 | if (size < 2 || output_size < 2 + 1 || (count && count != 25)) { 40 | if (output_size > 0) output[0] = '\0'; 41 | __set_errno((output_size < 2 + 1) ? ERANGE : EINVAL); 42 | return NULL; 43 | } 44 | 45 | output[0] = _crypt_itoa64[(unsigned int)input[0] & 0x3f]; 46 | output[1] = _crypt_itoa64[(unsigned int)input[1] & 0x3f]; 47 | output[2] = '\0'; 48 | 49 | return output; 50 | } 51 | 52 | char *_crypt_gensalt_extended_rn(const char *prefix, unsigned long count, 53 | const char *input, int size, char *output, int output_size) 54 | { 55 | unsigned long value; 56 | 57 | (void) prefix; 58 | 59 | /* Even iteration counts make it easier to detect weak DES keys from a look 60 | * at the hash, so they should be avoided */ 61 | if (size < 3 || output_size < 1 + 4 + 4 + 1 || 62 | (count && (count > 0xffffff || !(count & 1)))) { 63 | if (output_size > 0) output[0] = '\0'; 64 | __set_errno((output_size < 1 + 4 + 4 + 1) ? ERANGE : EINVAL); 65 | return NULL; 66 | } 67 | 68 | if (!count) count = 725; 69 | 70 | output[0] = '_'; 71 | output[1] = _crypt_itoa64[count & 0x3f]; 72 | output[2] = _crypt_itoa64[(count >> 6) & 0x3f]; 73 | output[3] = _crypt_itoa64[(count >> 12) & 0x3f]; 74 | output[4] = _crypt_itoa64[(count >> 18) & 0x3f]; 75 | value = (unsigned long)(unsigned char)input[0] | 76 | ((unsigned long)(unsigned char)input[1] << 8) | 77 | ((unsigned long)(unsigned char)input[2] << 16); 78 | output[5] = _crypt_itoa64[value & 0x3f]; 79 | output[6] = _crypt_itoa64[(value >> 6) & 0x3f]; 80 | output[7] = _crypt_itoa64[(value >> 12) & 0x3f]; 81 | output[8] = _crypt_itoa64[(value >> 18) & 0x3f]; 82 | output[9] = '\0'; 83 | 84 | return output; 85 | } 86 | 87 | char *_crypt_gensalt_md5_rn(const char *prefix, unsigned long count, 88 | const char *input, int size, char *output, int output_size) 89 | { 90 | unsigned long value; 91 | 92 | (void) prefix; 93 | 94 | if (size < 3 || output_size < 3 + 4 + 1 || (count && count != 1000)) { 95 | if (output_size > 0) output[0] = '\0'; 96 | __set_errno((output_size < 3 + 4 + 1) ? ERANGE : EINVAL); 97 | return NULL; 98 | } 99 | 100 | output[0] = '$'; 101 | output[1] = '1'; 102 | output[2] = '$'; 103 | value = (unsigned long)(unsigned char)input[0] | 104 | ((unsigned long)(unsigned char)input[1] << 8) | 105 | ((unsigned long)(unsigned char)input[2] << 16); 106 | output[3] = _crypt_itoa64[value & 0x3f]; 107 | output[4] = _crypt_itoa64[(value >> 6) & 0x3f]; 108 | output[5] = _crypt_itoa64[(value >> 12) & 0x3f]; 109 | output[6] = _crypt_itoa64[(value >> 18) & 0x3f]; 110 | output[7] = '\0'; 111 | 112 | if (size >= 6 && output_size >= 3 + 4 + 4 + 1) { 113 | value = (unsigned long)(unsigned char)input[3] | 114 | ((unsigned long)(unsigned char)input[4] << 8) | 115 | ((unsigned long)(unsigned char)input[5] << 16); 116 | output[7] = _crypt_itoa64[value & 0x3f]; 117 | output[8] = _crypt_itoa64[(value >> 6) & 0x3f]; 118 | output[9] = _crypt_itoa64[(value >> 12) & 0x3f]; 119 | output[10] = _crypt_itoa64[(value >> 18) & 0x3f]; 120 | output[11] = '\0'; 121 | } 122 | 123 | return output; 124 | } 125 | -------------------------------------------------------------------------------- /crypt_blowfish/x86.S: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 1998-2010. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 1998-2010 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #ifdef __i386__ 18 | 19 | #if defined(__OpenBSD__) && !defined(__ELF__) 20 | #define UNDERSCORES 21 | #define ALIGN_LOG 22 | #endif 23 | 24 | #if defined(__CYGWIN32__) || defined(__MINGW32__) 25 | #define UNDERSCORES 26 | #endif 27 | 28 | #ifdef __DJGPP__ 29 | #define UNDERSCORES 30 | #define ALIGN_LOG 31 | #endif 32 | 33 | #ifdef UNDERSCORES 34 | #define _BF_body_r __BF_body_r 35 | #endif 36 | 37 | #ifdef ALIGN_LOG 38 | #define DO_ALIGN(log) .align (log) 39 | #elif defined(DUMBAS) 40 | #define DO_ALIGN(log) .align 1 << log 41 | #else 42 | #define DO_ALIGN(log) .align (1 << (log)) 43 | #endif 44 | 45 | #define BF_FRAME 0x200 46 | #define ctx %esp 47 | 48 | #define BF_ptr (ctx) 49 | 50 | #define S(N, r) N+BF_FRAME(ctx,r,4) 51 | #ifdef DUMBAS 52 | #define P(N) 0x1000+N+N+N+N+BF_FRAME(ctx) 53 | #else 54 | #define P(N) 0x1000+4*N+BF_FRAME(ctx) 55 | #endif 56 | 57 | /* 58 | * This version of the assembly code is optimized primarily for the original 59 | * Intel Pentium but is also careful to avoid partial register stalls on the 60 | * Pentium Pro family of processors (tested up to Pentium III Coppermine). 61 | * 62 | * It is possible to do 15% faster on the Pentium Pro family and probably on 63 | * many non-Intel x86 processors, but, unfortunately, that would make things 64 | * twice slower for the original Pentium. 65 | * 66 | * An additional 2% speedup may be achieved with non-reentrant code. 67 | */ 68 | 69 | #define L %esi 70 | #define R %edi 71 | #define tmp1 %eax 72 | #define tmp1_lo %al 73 | #define tmp2 %ecx 74 | #define tmp2_hi %ch 75 | #define tmp3 %edx 76 | #define tmp3_lo %dl 77 | #define tmp4 %ebx 78 | #define tmp4_hi %bh 79 | #define tmp5 %ebp 80 | 81 | .text 82 | 83 | #define BF_ROUND(L, R, N) \ 84 | xorl L,tmp2; \ 85 | xorl tmp1,tmp1; \ 86 | movl tmp2,L; \ 87 | shrl $16,tmp2; \ 88 | movl L,tmp4; \ 89 | movb tmp2_hi,tmp1_lo; \ 90 | andl $0xFF,tmp2; \ 91 | movb tmp4_hi,tmp3_lo; \ 92 | andl $0xFF,tmp4; \ 93 | movl S(0,tmp1),tmp1; \ 94 | movl S(0x400,tmp2),tmp5; \ 95 | addl tmp5,tmp1; \ 96 | movl S(0x800,tmp3),tmp5; \ 97 | xorl tmp5,tmp1; \ 98 | movl S(0xC00,tmp4),tmp5; \ 99 | addl tmp1,tmp5; \ 100 | movl 4+P(N),tmp2; \ 101 | xorl tmp5,R 102 | 103 | #define BF_ENCRYPT_START \ 104 | BF_ROUND(L, R, 0); \ 105 | BF_ROUND(R, L, 1); \ 106 | BF_ROUND(L, R, 2); \ 107 | BF_ROUND(R, L, 3); \ 108 | BF_ROUND(L, R, 4); \ 109 | BF_ROUND(R, L, 5); \ 110 | BF_ROUND(L, R, 6); \ 111 | BF_ROUND(R, L, 7); \ 112 | BF_ROUND(L, R, 8); \ 113 | BF_ROUND(R, L, 9); \ 114 | BF_ROUND(L, R, 10); \ 115 | BF_ROUND(R, L, 11); \ 116 | BF_ROUND(L, R, 12); \ 117 | BF_ROUND(R, L, 13); \ 118 | BF_ROUND(L, R, 14); \ 119 | BF_ROUND(R, L, 15); \ 120 | movl BF_ptr,tmp5; \ 121 | xorl L,tmp2; \ 122 | movl P(17),L 123 | 124 | #define BF_ENCRYPT_END \ 125 | xorl R,L; \ 126 | movl tmp2,R 127 | 128 | DO_ALIGN(5) 129 | .globl _BF_body_r 130 | _BF_body_r: 131 | movl 4(%esp),%eax 132 | pushl %ebp 133 | pushl %ebx 134 | pushl %esi 135 | pushl %edi 136 | subl $BF_FRAME-8,%eax 137 | xorl L,L 138 | cmpl %esp,%eax 139 | ja BF_die 140 | xchgl %eax,%esp 141 | xorl R,R 142 | pushl %eax 143 | leal 0x1000+BF_FRAME-4(ctx),%eax 144 | movl 0x1000+BF_FRAME-4(ctx),tmp2 145 | pushl %eax 146 | xorl tmp3,tmp3 147 | BF_loop_P: 148 | BF_ENCRYPT_START 149 | addl $8,tmp5 150 | BF_ENCRYPT_END 151 | leal 0x1000+18*4+BF_FRAME(ctx),tmp1 152 | movl tmp5,BF_ptr 153 | cmpl tmp5,tmp1 154 | movl L,-8(tmp5) 155 | movl R,-4(tmp5) 156 | movl P(0),tmp2 157 | ja BF_loop_P 158 | leal BF_FRAME(ctx),tmp5 159 | xorl tmp3,tmp3 160 | movl tmp5,BF_ptr 161 | BF_loop_S: 162 | BF_ENCRYPT_START 163 | BF_ENCRYPT_END 164 | movl P(0),tmp2 165 | movl L,(tmp5) 166 | movl R,4(tmp5) 167 | BF_ENCRYPT_START 168 | BF_ENCRYPT_END 169 | movl P(0),tmp2 170 | movl L,8(tmp5) 171 | movl R,12(tmp5) 172 | BF_ENCRYPT_START 173 | BF_ENCRYPT_END 174 | movl P(0),tmp2 175 | movl L,16(tmp5) 176 | movl R,20(tmp5) 177 | BF_ENCRYPT_START 178 | addl $32,tmp5 179 | BF_ENCRYPT_END 180 | leal 0x1000+BF_FRAME(ctx),tmp1 181 | movl tmp5,BF_ptr 182 | cmpl tmp5,tmp1 183 | movl P(0),tmp2 184 | movl L,-8(tmp5) 185 | movl R,-4(tmp5) 186 | ja BF_loop_S 187 | movl 4(%esp),%esp 188 | popl %edi 189 | popl %esi 190 | popl %ebx 191 | popl %ebp 192 | ret 193 | 194 | BF_die: 195 | /* Oops, need to re-compile with a larger BF_FRAME. */ 196 | hlt 197 | jmp BF_die 198 | 199 | #endif 200 | 201 | #if defined(__ELF__) && defined(__linux__) 202 | .section .note.GNU-stack,"",@progbits 203 | #endif 204 | -------------------------------------------------------------------------------- /bcrypt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * bcrypt wrapper library 3 | * 4 | * Written in 2011, 2013, 2014, 2015 by Ricardo Garcia 5 | * 6 | * To the extent possible under law, the author(s) have dedicated all copyright 7 | * and related and neighboring rights to this software to the public domain 8 | * worldwide. This software is distributed without any warranty. 9 | * 10 | * You should have received a copy of the CC0 Public Domain Dedication along 11 | * with this software. If not, see 12 | * . 13 | */ 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "bcrypt.h" 22 | #include "crypt_blowfish/ow-crypt.h" 23 | 24 | #define RANDBYTES (16) 25 | 26 | static int try_close(int fd) 27 | { 28 | int ret; 29 | for (;;) { 30 | errno = 0; 31 | ret = close(fd); 32 | if (ret == -1 && errno == EINTR) 33 | continue; 34 | break; 35 | } 36 | return ret; 37 | } 38 | 39 | static int try_read(int fd, char *out, size_t count) 40 | { 41 | size_t total; 42 | ssize_t partial; 43 | 44 | total = 0; 45 | while (total < count) 46 | { 47 | for (;;) { 48 | errno = 0; 49 | partial = read(fd, out + total, count - total); 50 | if (partial == -1 && errno == EINTR) 51 | continue; 52 | break; 53 | } 54 | 55 | if (partial < 1) 56 | return -1; 57 | 58 | total += partial; 59 | } 60 | 61 | return 0; 62 | } 63 | 64 | /* 65 | * This is a best effort implementation. Nothing prevents a compiler from 66 | * optimizing this function and making it vulnerable to timing attacks, but 67 | * this method is commonly used in crypto libraries like NaCl. 68 | * 69 | * Return value is zero if both strings are equal and nonzero otherwise. 70 | */ 71 | static int timing_safe_strcmp(const char *str1, const char *str2) 72 | { 73 | const unsigned char *u1; 74 | const unsigned char *u2; 75 | int ret; 76 | int i; 77 | 78 | int len1 = strlen(str1); 79 | int len2 = strlen(str2); 80 | 81 | /* In our context both strings should always have the same length 82 | * because they will be hashed passwords. */ 83 | if (len1 != len2) 84 | return 1; 85 | 86 | /* Force unsigned for bitwise operations. */ 87 | u1 = (const unsigned char *)str1; 88 | u2 = (const unsigned char *)str2; 89 | 90 | ret = 0; 91 | for (i = 0; i < len1; ++i) 92 | ret |= (u1[i] ^ u2[i]); 93 | 94 | return ret; 95 | } 96 | 97 | int bcrypt_gensalt(int factor, char salt[BCRYPT_HASHSIZE]) 98 | { 99 | int fd; 100 | char input[RANDBYTES]; 101 | int workf; 102 | char *aux; 103 | 104 | fd = open("/dev/urandom", O_RDONLY); 105 | if (fd == -1) 106 | return 1; 107 | 108 | if (try_read(fd, input, RANDBYTES) != 0) { 109 | if (try_close(fd) != 0) 110 | return 4; 111 | return 2; 112 | } 113 | 114 | if (try_close(fd) != 0) 115 | return 3; 116 | 117 | /* Generate salt. */ 118 | workf = (factor < 4 || factor > 31)?12:factor; 119 | aux = crypt_gensalt_rn("$2a$", workf, input, RANDBYTES, 120 | salt, BCRYPT_HASHSIZE); 121 | return (aux == NULL)?5:0; 122 | } 123 | 124 | int bcrypt_hashpw(const char *passwd, const char salt[BCRYPT_HASHSIZE], char hash[BCRYPT_HASHSIZE]) 125 | { 126 | char *aux; 127 | aux = crypt_rn(passwd, salt, hash, BCRYPT_HASHSIZE); 128 | return (aux == NULL)?1:0; 129 | } 130 | 131 | int bcrypt_checkpw(const char *passwd, const char hash[BCRYPT_HASHSIZE]) 132 | { 133 | int ret; 134 | char outhash[BCRYPT_HASHSIZE]; 135 | 136 | ret = bcrypt_hashpw(passwd, hash, outhash); 137 | if (ret != 0) 138 | return -1; 139 | 140 | return timing_safe_strcmp(hash, outhash); 141 | } 142 | 143 | #ifdef TEST_BCRYPT 144 | #include 145 | #include 146 | #include 147 | #include 148 | 149 | int main(void) 150 | { 151 | clock_t before; 152 | clock_t after; 153 | char salt[BCRYPT_HASHSIZE]; 154 | char hash[BCRYPT_HASHSIZE]; 155 | int ret; 156 | 157 | const char pass[] = "hi,mom"; 158 | const char hash1[] = "$2a$10$VEVmGHy4F4XQMJ3eOZJAUeb.MedU0W10pTPCuf53eHdKJPiSE8sMK"; 159 | const char hash2[] = "$2a$10$3F0BVk5t8/aoS.3ddaB3l.fxg5qvafQ9NybxcpXLzMeAt.nVWn.NO"; 160 | 161 | ret = bcrypt_gensalt(12, salt); 162 | assert(ret == 0); 163 | printf("Generated salt: %s\n", salt); 164 | before = clock(); 165 | ret = bcrypt_hashpw("testtesttest", salt, hash); 166 | assert(ret == 0); 167 | after = clock(); 168 | printf("Hashed password: %s\n", hash); 169 | printf("Time taken: %f seconds\n", 170 | (double)(after - before) / CLOCKS_PER_SEC); 171 | 172 | ret = bcrypt_hashpw(pass, hash1, hash); 173 | assert(ret == 0); 174 | printf("First hash check: %s\n", (strcmp(hash1, hash) == 0)?"OK":"FAIL"); 175 | ret = bcrypt_hashpw(pass, hash2, hash); 176 | assert(ret == 0); 177 | printf("Second hash check: %s\n", (strcmp(hash2, hash) == 0)?"OK":"FAIL"); 178 | 179 | before = clock(); 180 | ret = (bcrypt_checkpw(pass, hash1) == 0); 181 | after = clock(); 182 | printf("First hash check with bcrypt_checkpw: %s\n", ret?"OK":"FAIL"); 183 | printf("Time taken: %f seconds\n", 184 | (double)(after - before) / CLOCKS_PER_SEC); 185 | 186 | before = clock(); 187 | ret = (bcrypt_checkpw(pass, hash2) == 0); 188 | after = clock(); 189 | printf("Second hash check with bcrypt_checkpw: %s\n", ret?"OK":"FAIL"); 190 | printf("Time taken: %f seconds\n", 191 | (double)(after - before) / CLOCKS_PER_SEC); 192 | 193 | return 0; 194 | } 195 | #endif 196 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /crypt_blowfish/wrapper.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Written by Solar Designer in 2000-2014. 3 | * No copyright is claimed, and the software is hereby placed in the public 4 | * domain. In case this attempt to disclaim copyright and place the software 5 | * in the public domain is deemed null and void, then the software is 6 | * Copyright (c) 2000-2014 Solar Designer and it is hereby released to the 7 | * general public under the following terms: 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted. 11 | * 12 | * There's ABSOLUTELY NO WARRANTY, express or implied. 13 | * 14 | * See crypt_blowfish.c for more information. 15 | */ 16 | 17 | #include 18 | #include 19 | 20 | #include 21 | #ifndef __set_errno 22 | #define __set_errno(val) errno = (val) 23 | #endif 24 | 25 | #ifdef TEST 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #ifdef TEST_THREADS 33 | #include 34 | #endif 35 | #endif 36 | 37 | #define CRYPT_OUTPUT_SIZE (7 + 22 + 31 + 1) 38 | #define CRYPT_GENSALT_OUTPUT_SIZE (7 + 22 + 1) 39 | 40 | #if defined(__GLIBC__) && defined(_LIBC) 41 | #define __SKIP_GNU 42 | #endif 43 | #include "ow-crypt.h" 44 | 45 | #include "crypt_blowfish.h" 46 | #include "crypt_gensalt.h" 47 | 48 | #if defined(__GLIBC__) && defined(_LIBC) 49 | /* crypt.h from glibc-crypt-2.1 will define struct crypt_data for us */ 50 | #include "crypt.h" 51 | extern char *__md5_crypt_r(const char *key, const char *salt, 52 | char *buffer, int buflen); 53 | /* crypt-entry.c needs to be patched to define __des_crypt_r rather than 54 | * __crypt_r, and not define crypt_r and crypt at all */ 55 | extern char *__des_crypt_r(const char *key, const char *salt, 56 | struct crypt_data *data); 57 | extern struct crypt_data _ufc_foobar; 58 | #endif 59 | 60 | static int _crypt_data_alloc(void **data, int *size, int need) 61 | { 62 | void *updated; 63 | 64 | if (*data && *size >= need) return 0; 65 | 66 | updated = realloc(*data, need); 67 | 68 | if (!updated) { 69 | #ifndef __GLIBC__ 70 | /* realloc(3) on glibc sets errno, so we don't need to bother */ 71 | __set_errno(ENOMEM); 72 | #endif 73 | return -1; 74 | } 75 | 76 | #if defined(__GLIBC__) && defined(_LIBC) 77 | if (need >= sizeof(struct crypt_data)) 78 | ((struct crypt_data *)updated)->initialized = 0; 79 | #endif 80 | 81 | *data = updated; 82 | *size = need; 83 | 84 | return 0; 85 | } 86 | 87 | static char *_crypt_retval_magic(char *retval, const char *setting, 88 | char *output, int size) 89 | { 90 | if (retval) 91 | return retval; 92 | 93 | if (_crypt_output_magic(setting, output, size)) 94 | return NULL; /* shouldn't happen */ 95 | 96 | return output; 97 | } 98 | 99 | #if defined(__GLIBC__) && defined(_LIBC) 100 | /* 101 | * Applications may re-use the same instance of struct crypt_data without 102 | * resetting the initialized field in order to let crypt_r() skip some of 103 | * its initialization code. Thus, it is important that our multiple hashing 104 | * algorithms either don't conflict with each other in their use of the 105 | * data area or reset the initialized field themselves whenever required. 106 | * Currently, the hashing algorithms simply have no conflicts: the first 107 | * field of struct crypt_data is the 128-byte large DES key schedule which 108 | * __des_crypt_r() calculates each time it is called while the two other 109 | * hashing algorithms use less than 128 bytes of the data area. 110 | */ 111 | 112 | char *__crypt_rn(__const char *key, __const char *setting, 113 | void *data, int size) 114 | { 115 | if (setting[0] == '$' && setting[1] == '2') 116 | return _crypt_blowfish_rn(key, setting, (char *)data, size); 117 | if (setting[0] == '$' && setting[1] == '1') 118 | return __md5_crypt_r(key, setting, (char *)data, size); 119 | if (setting[0] == '$' || setting[0] == '_') { 120 | __set_errno(EINVAL); 121 | return NULL; 122 | } 123 | if (size >= sizeof(struct crypt_data)) 124 | return __des_crypt_r(key, setting, (struct crypt_data *)data); 125 | __set_errno(ERANGE); 126 | return NULL; 127 | } 128 | 129 | char *__crypt_ra(__const char *key, __const char *setting, 130 | void **data, int *size) 131 | { 132 | if (setting[0] == '$' && setting[1] == '2') { 133 | if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE)) 134 | return NULL; 135 | return _crypt_blowfish_rn(key, setting, (char *)*data, *size); 136 | } 137 | if (setting[0] == '$' && setting[1] == '1') { 138 | if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE)) 139 | return NULL; 140 | return __md5_crypt_r(key, setting, (char *)*data, *size); 141 | } 142 | if (setting[0] == '$' || setting[0] == '_') { 143 | __set_errno(EINVAL); 144 | return NULL; 145 | } 146 | if (_crypt_data_alloc(data, size, sizeof(struct crypt_data))) 147 | return NULL; 148 | return __des_crypt_r(key, setting, (struct crypt_data *)*data); 149 | } 150 | 151 | char *__crypt_r(__const char *key, __const char *setting, 152 | struct crypt_data *data) 153 | { 154 | return _crypt_retval_magic( 155 | __crypt_rn(key, setting, data, sizeof(*data)), 156 | setting, (char *)data, sizeof(*data)); 157 | } 158 | 159 | char *__crypt(__const char *key, __const char *setting) 160 | { 161 | return _crypt_retval_magic( 162 | __crypt_rn(key, setting, &_ufc_foobar, sizeof(_ufc_foobar)), 163 | setting, (char *)&_ufc_foobar, sizeof(_ufc_foobar)); 164 | } 165 | #else 166 | char *crypt_rn(const char *key, const char *setting, void *data, int size) 167 | { 168 | return _crypt_blowfish_rn(key, setting, (char *)data, size); 169 | } 170 | 171 | char *crypt_ra(const char *key, const char *setting, 172 | void **data, int *size) 173 | { 174 | if (_crypt_data_alloc(data, size, CRYPT_OUTPUT_SIZE)) 175 | return NULL; 176 | return _crypt_blowfish_rn(key, setting, (char *)*data, *size); 177 | } 178 | 179 | char *crypt_r(const char *key, const char *setting, void *data) 180 | { 181 | return _crypt_retval_magic( 182 | crypt_rn(key, setting, data, CRYPT_OUTPUT_SIZE), 183 | setting, (char *)data, CRYPT_OUTPUT_SIZE); 184 | } 185 | 186 | char *crypt(const char *key, const char *setting) 187 | { 188 | static char output[CRYPT_OUTPUT_SIZE]; 189 | 190 | return _crypt_retval_magic( 191 | crypt_rn(key, setting, output, sizeof(output)), 192 | setting, output, sizeof(output)); 193 | } 194 | 195 | #define __crypt_gensalt_rn crypt_gensalt_rn 196 | #define __crypt_gensalt_ra crypt_gensalt_ra 197 | #define __crypt_gensalt crypt_gensalt 198 | #endif 199 | 200 | char *__crypt_gensalt_rn(const char *prefix, unsigned long count, 201 | const char *input, int size, char *output, int output_size) 202 | { 203 | char *(*use)(const char *_prefix, unsigned long _count, 204 | const char *_input, int _size, 205 | char *_output, int _output_size); 206 | 207 | /* This may be supported on some platforms in the future */ 208 | if (!input) { 209 | __set_errno(EINVAL); 210 | return NULL; 211 | } 212 | 213 | if (!strncmp(prefix, "$2a$", 4) || !strncmp(prefix, "$2b$", 4) || 214 | !strncmp(prefix, "$2y$", 4)) 215 | use = _crypt_gensalt_blowfish_rn; 216 | else 217 | if (!strncmp(prefix, "$1$", 3)) 218 | use = _crypt_gensalt_md5_rn; 219 | else 220 | if (prefix[0] == '_') 221 | use = _crypt_gensalt_extended_rn; 222 | else 223 | if (!prefix[0] || 224 | (prefix[0] && prefix[1] && 225 | memchr(_crypt_itoa64, prefix[0], 64) && 226 | memchr(_crypt_itoa64, prefix[1], 64))) 227 | use = _crypt_gensalt_traditional_rn; 228 | else { 229 | __set_errno(EINVAL); 230 | return NULL; 231 | } 232 | 233 | return use(prefix, count, input, size, output, output_size); 234 | } 235 | 236 | char *__crypt_gensalt_ra(const char *prefix, unsigned long count, 237 | const char *input, int size) 238 | { 239 | char output[CRYPT_GENSALT_OUTPUT_SIZE]; 240 | char *retval; 241 | 242 | retval = __crypt_gensalt_rn(prefix, count, 243 | input, size, output, sizeof(output)); 244 | 245 | if (retval) { 246 | retval = strdup(retval); 247 | #ifndef __GLIBC__ 248 | /* strdup(3) on glibc sets errno, so we don't need to bother */ 249 | if (!retval) 250 | __set_errno(ENOMEM); 251 | #endif 252 | } 253 | 254 | return retval; 255 | } 256 | 257 | char *__crypt_gensalt(const char *prefix, unsigned long count, 258 | const char *input, int size) 259 | { 260 | static char output[CRYPT_GENSALT_OUTPUT_SIZE]; 261 | 262 | return __crypt_gensalt_rn(prefix, count, 263 | input, size, output, sizeof(output)); 264 | } 265 | 266 | #if defined(__GLIBC__) && defined(_LIBC) 267 | weak_alias(__crypt_rn, crypt_rn) 268 | weak_alias(__crypt_ra, crypt_ra) 269 | weak_alias(__crypt_r, crypt_r) 270 | weak_alias(__crypt, crypt) 271 | weak_alias(__crypt_gensalt_rn, crypt_gensalt_rn) 272 | weak_alias(__crypt_gensalt_ra, crypt_gensalt_ra) 273 | weak_alias(__crypt_gensalt, crypt_gensalt) 274 | weak_alias(crypt, fcrypt) 275 | #endif 276 | 277 | #ifdef TEST 278 | static const char *tests[][3] = { 279 | {"$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW", 280 | "U*U"}, 281 | {"$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK", 282 | "U*U*"}, 283 | {"$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a", 284 | "U*U*U"}, 285 | {"$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui", 286 | "0123456789abcdefghijklmnopqrstuvwxyz" 287 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 288 | "chars after 72 are ignored"}, 289 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e", 290 | "\xa3"}, 291 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e", 292 | "\xff\xff\xa3"}, 293 | {"$2y$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e", 294 | "\xff\xff\xa3"}, 295 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.nqd1wy.pTMdcvrRWxyiGL2eMz.2a85.", 296 | "\xff\xff\xa3"}, 297 | {"$2b$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e", 298 | "\xff\xff\xa3"}, 299 | {"$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq", 300 | "\xa3"}, 301 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq", 302 | "\xa3"}, 303 | {"$2b$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq", 304 | "\xa3"}, 305 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi", 306 | "1\xa3" "345"}, 307 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi", 308 | "\xff\xa3" "345"}, 309 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi", 310 | "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"}, 311 | {"$2y$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi", 312 | "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"}, 313 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.ZC1JEJ8Z4gPfpe1JOr/oyPXTWl9EFd.", 314 | "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"}, 315 | {"$2y$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e", 316 | "\xff\xa3" "345"}, 317 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e", 318 | "\xff\xa3" "345"}, 319 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS", 320 | "\xa3" "ab"}, 321 | {"$2x$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS", 322 | "\xa3" "ab"}, 323 | {"$2y$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS", 324 | "\xa3" "ab"}, 325 | {"$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS", 326 | "\xd1\x91"}, 327 | {"$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS", 328 | "\xd0\xc1\xd2\xcf\xcc\xd8"}, 329 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6", 330 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 331 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 332 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 333 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 334 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 335 | "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 336 | "chars after 72 are ignored as usual"}, 337 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy", 338 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55" 339 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55" 340 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55" 341 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55" 342 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55" 343 | "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"}, 344 | {"$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe", 345 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff" 346 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff" 347 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff" 348 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff" 349 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff" 350 | "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"}, 351 | {"$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy", 352 | ""}, 353 | {"*0", "", "$2a$03$CCCCCCCCCCCCCCCCCCCCC."}, 354 | {"*0", "", "$2a$32$CCCCCCCCCCCCCCCCCCCCC."}, 355 | {"*0", "", "$2c$05$CCCCCCCCCCCCCCCCCCCCC."}, 356 | {"*0", "", "$2z$05$CCCCCCCCCCCCCCCCCCCCC."}, 357 | {"*0", "", "$2`$05$CCCCCCCCCCCCCCCCCCCCC."}, 358 | {"*0", "", "$2{$05$CCCCCCCCCCCCCCCCCCCCC."}, 359 | {"*1", "", "*0"}, 360 | {NULL} 361 | }; 362 | 363 | #define which tests[0] 364 | 365 | static volatile sig_atomic_t running; 366 | 367 | static void handle_timer(int signum) 368 | { 369 | (void) signum; 370 | running = 0; 371 | } 372 | 373 | static void *run(void *arg) 374 | { 375 | unsigned long count = 0; 376 | int i = 0; 377 | void *data = NULL; 378 | int size = 0x12345678; 379 | 380 | do { 381 | const char *hash = tests[i][0]; 382 | const char *key = tests[i][1]; 383 | const char *setting = tests[i][2]; 384 | 385 | if (!tests[++i][0]) 386 | i = 0; 387 | 388 | if (setting && strlen(hash) < 30) /* not for benchmark */ 389 | continue; 390 | 391 | if (strcmp(crypt_ra(key, hash, &data, &size), hash)) { 392 | printf("%d: FAILED (crypt_ra/%d/%lu)\n", 393 | (int)((char *)arg - (char *)0), i, count); 394 | free(data); 395 | return NULL; 396 | } 397 | count++; 398 | } while (running); 399 | 400 | free(data); 401 | return count + (char *)0; 402 | } 403 | 404 | int main(void) 405 | { 406 | struct itimerval it; 407 | struct tms buf; 408 | clock_t clk_tck, start_real, start_virtual, end_real, end_virtual; 409 | unsigned long count; 410 | void *data; 411 | int size; 412 | char *setting1, *setting2; 413 | int i; 414 | #ifdef TEST_THREADS 415 | pthread_t t[TEST_THREADS]; 416 | void *t_retval; 417 | #endif 418 | 419 | data = NULL; 420 | size = 0x12345678; 421 | 422 | for (i = 0; tests[i][0]; i++) { 423 | const char *hash = tests[i][0]; 424 | const char *key = tests[i][1]; 425 | const char *setting = tests[i][2]; 426 | const char *p; 427 | int ok = !setting || strlen(hash) >= 30; 428 | int o_size; 429 | char s_buf[30], o_buf[61]; 430 | if (!setting) { 431 | memcpy(s_buf, hash, sizeof(s_buf) - 1); 432 | s_buf[sizeof(s_buf) - 1] = 0; 433 | setting = s_buf; 434 | } 435 | 436 | __set_errno(0); 437 | p = crypt(key, setting); 438 | if ((!ok && !errno) || strcmp(p, hash)) { 439 | printf("FAILED (crypt/%d)\n", i); 440 | return 1; 441 | } 442 | 443 | if (ok && strcmp(crypt(key, hash), hash)) { 444 | printf("FAILED (crypt/%d)\n", i); 445 | return 1; 446 | } 447 | 448 | for (o_size = -1; o_size <= (int)sizeof(o_buf); o_size++) { 449 | int ok_n = ok && o_size == (int)sizeof(o_buf); 450 | const char *x = "abc"; 451 | strcpy(o_buf, x); 452 | if (o_size >= 3) { 453 | x = "*0"; 454 | if (setting[0] == '*' && setting[1] == '0') 455 | x = "*1"; 456 | } 457 | __set_errno(0); 458 | p = crypt_rn(key, setting, o_buf, o_size); 459 | if ((ok_n && (!p || strcmp(p, hash))) || 460 | (!ok_n && (!errno || p || strcmp(o_buf, x)))) { 461 | printf("FAILED (crypt_rn/%d)\n", i); 462 | return 1; 463 | } 464 | } 465 | 466 | __set_errno(0); 467 | p = crypt_ra(key, setting, &data, &size); 468 | if ((ok && (!p || strcmp(p, hash))) || 469 | (!ok && (!errno || p || strcmp((char *)data, hash)))) { 470 | printf("FAILED (crypt_ra/%d)\n", i); 471 | return 1; 472 | } 473 | } 474 | 475 | setting1 = crypt_gensalt(which[0], 12, data, size); 476 | if (!setting1 || strncmp(setting1, "$2a$12$", 7)) { 477 | puts("FAILED (crypt_gensalt)\n"); 478 | return 1; 479 | } 480 | 481 | setting2 = crypt_gensalt_ra(setting1, 12, data, size); 482 | if (strcmp(setting1, setting2)) { 483 | puts("FAILED (crypt_gensalt_ra/1)\n"); 484 | return 1; 485 | } 486 | 487 | (*(char *)data)++; 488 | setting1 = crypt_gensalt_ra(setting2, 12, data, size); 489 | if (!strcmp(setting1, setting2)) { 490 | puts("FAILED (crypt_gensalt_ra/2)\n"); 491 | return 1; 492 | } 493 | 494 | free(setting1); 495 | free(setting2); 496 | free(data); 497 | 498 | #if defined(_SC_CLK_TCK) || !defined(CLK_TCK) 499 | clk_tck = sysconf(_SC_CLK_TCK); 500 | #else 501 | clk_tck = CLK_TCK; 502 | #endif 503 | 504 | running = 1; 505 | signal(SIGALRM, handle_timer); 506 | 507 | memset(&it, 0, sizeof(it)); 508 | it.it_value.tv_sec = 5; 509 | setitimer(ITIMER_REAL, &it, NULL); 510 | 511 | start_real = times(&buf); 512 | start_virtual = buf.tms_utime + buf.tms_stime; 513 | 514 | count = (char *)run((char *)0) - (char *)0; 515 | 516 | end_real = times(&buf); 517 | end_virtual = buf.tms_utime + buf.tms_stime; 518 | if (end_virtual == start_virtual) end_virtual++; 519 | 520 | printf("%.1f c/s real, %.1f c/s virtual\n", 521 | (float)count * clk_tck / (end_real - start_real), 522 | (float)count * clk_tck / (end_virtual - start_virtual)); 523 | 524 | #ifdef TEST_THREADS 525 | running = 1; 526 | it.it_value.tv_sec = 60; 527 | setitimer(ITIMER_REAL, &it, NULL); 528 | start_real = times(&buf); 529 | 530 | for (i = 0; i < TEST_THREADS; i++) 531 | if (pthread_create(&t[i], NULL, run, i + (char *)0)) { 532 | perror("pthread_create"); 533 | return 1; 534 | } 535 | 536 | for (i = 0; i < TEST_THREADS; i++) { 537 | if (pthread_join(t[i], &t_retval)) { 538 | perror("pthread_join"); 539 | continue; 540 | } 541 | if (!t_retval) continue; 542 | count = (char *)t_retval - (char *)0; 543 | end_real = times(&buf); 544 | printf("%d: %.1f c/s real\n", i, 545 | (float)count * clk_tck / (end_real - start_real)); 546 | } 547 | #endif 548 | 549 | return 0; 550 | } 551 | #endif 552 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt.3: -------------------------------------------------------------------------------- 1 | .\" Written and revised by Solar Designer in 2000-2011. 2 | .\" No copyright is claimed, and this man page is hereby placed in the public 3 | .\" domain. In case this attempt to disclaim copyright and place the man page 4 | .\" in the public domain is deemed null and void, then the man page is 5 | .\" Copyright (c) 2000-2011 Solar Designer and it is hereby released to the 6 | .\" general public under the following terms: 7 | .\" 8 | .\" Redistribution and use in source and binary forms, with or without 9 | .\" modification, are permitted. 10 | .\" 11 | .\" There's ABSOLUTELY NO WARRANTY, express or implied. 12 | .\" 13 | .\" This manual page in its current form is intended for use on systems 14 | .\" based on the GNU C Library with crypt_blowfish patched into libcrypt. 15 | .\" 16 | .TH CRYPT 3 "July 7, 2014" "Openwall Project" "Library functions" 17 | .ad l 18 | .\" No macros in NAME to keep makewhatis happy. 19 | .SH NAME 20 | \fBcrypt\fR, \fBcrypt_r\fR, \fBcrypt_rn\fR, \fBcrypt_ra\fR, 21 | \fBcrypt_gensalt\fR, \fBcrypt_gensalt_rn\fR, \fBcrypt_gensalt_ra\fR 22 | \- password hashing 23 | .SH SYNOPSIS 24 | .B #define _XOPEN_SOURCE 25 | .br 26 | .B #include 27 | .sp 28 | .in +8 29 | .ti -8 30 | .BI "char *crypt(const char *" key ", const char *" setting ); 31 | .in -8 32 | .sp 33 | .B #define _GNU_SOURCE 34 | .br 35 | .B #include 36 | .sp 37 | .in +8 38 | .ti -8 39 | .BI "char *crypt_r(const char *" key ", const char *" setting ", struct crypt_data *" data ); 40 | .in -8 41 | .sp 42 | .B #define _OW_SOURCE 43 | .br 44 | .B #include 45 | .sp 46 | .in +8 47 | .ti -8 48 | .BI "char *crypt_rn(const char *" key ", const char *" setting ", void *" data ", int " size ); 49 | .ti -8 50 | .BI "char *crypt_ra(const char *" key ", const char *" setting ", void **" data ", int *" size ); 51 | .ti -8 52 | .BI "char *crypt_gensalt(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ); 53 | .ti -8 54 | .BI "char *crypt_gensalt_rn(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ", char *" output ", int " output_size ); 55 | .ti -8 56 | .BI "char *crypt_gensalt_ra(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ); 57 | .ad b 58 | .de crypt 59 | .BR crypt , 60 | .BR crypt_r , 61 | .BR crypt_rn ", \\$1" 62 | .ie "\\$2"" .B crypt_ra 63 | .el .BR crypt_ra "\\$2" 64 | .. 65 | .de crypt_gensalt 66 | .BR crypt_gensalt , 67 | .BR crypt_gensalt_rn ", \\$1" 68 | .ie "\\$2"" .B crypt_gensalt_ra 69 | .el .BR crypt_gensalt_ra "\\$2" 70 | .. 71 | .SH DESCRIPTION 72 | The 73 | .crypt and 74 | functions calculate a cryptographic hash function of 75 | .I key 76 | with one of a number of supported methods as requested with 77 | .IR setting , 78 | which is also used to pass a salt and possibly other parameters to 79 | the chosen method. 80 | The hashing methods are explained below. 81 | .PP 82 | Unlike 83 | .BR crypt , 84 | the functions 85 | .BR crypt_r , 86 | .BR crypt_rn " and" 87 | .B crypt_ra 88 | are reentrant. 89 | They place their result and possibly their private data in a 90 | .I data 91 | area of 92 | .I size 93 | bytes as passed to them by an application and/or in memory they 94 | allocate dynamically. Some hashing algorithms may use the data area to 95 | cache precomputed intermediate values across calls. Thus, applications 96 | must properly initialize the data area before its first use. 97 | .B crypt_r 98 | requires that only 99 | .I data->initialized 100 | be reset to zero; 101 | .BR crypt_rn " and " crypt_ra 102 | require that either the entire data area is zeroed or, in the case of 103 | .BR crypt_ra , 104 | .I *data 105 | is NULL. When called with a NULL 106 | .I *data 107 | or insufficient 108 | .I *size 109 | for the requested hashing algorithm, 110 | .B crypt_ra 111 | uses 112 | .BR realloc (3) 113 | to allocate the required amount of memory dynamically. Thus, 114 | .B crypt_ra 115 | has the additional requirement that 116 | .IR *data , 117 | when non-NULL, must point to an area allocated either with a previous 118 | call to 119 | .B crypt_ra 120 | or with a 121 | .BR malloc (3) 122 | family call. 123 | The memory allocated by 124 | .B crypt_ra 125 | should be freed with 126 | .BR free "(3)." 127 | .PP 128 | The 129 | .crypt_gensalt and 130 | functions compile a string for use as 131 | .I setting 132 | \- with the given 133 | .I prefix 134 | (used to choose a hashing method), the iteration 135 | .I count 136 | (if supported by the chosen method) and up to 137 | .I size 138 | cryptographically random 139 | .I input 140 | bytes for use as the actual salt. 141 | If 142 | .I count 143 | is 0, a low default will be picked. 144 | The random bytes may be obtained from 145 | .BR /dev/urandom . 146 | Unlike 147 | .BR crypt_gensalt , 148 | the functions 149 | .BR crypt_gensalt_rn " and " crypt_gensalt_ra 150 | are reentrant. 151 | .B crypt_gensalt_rn 152 | places its result in the 153 | .I output 154 | buffer of 155 | .I output_size 156 | bytes. 157 | .B crypt_gensalt_ra 158 | allocates memory for its result dynamically. The memory should be 159 | freed with 160 | .BR free "(3)." 161 | .SH RETURN VALUE 162 | Upon successful completion, the functions 163 | .crypt and 164 | return a pointer to a string containing the setting that was actually used 165 | and a printable encoding of the hash function value. 166 | The entire string is directly usable as 167 | .I setting 168 | with other calls to 169 | .crypt and 170 | and as 171 | .I prefix 172 | with calls to 173 | .crypt_gensalt and . 174 | .PP 175 | The behavior of 176 | .B crypt 177 | on errors isn't well standardized. Some implementations simply can't fail 178 | (unless the process dies, in which case they obviously can't return), 179 | others return NULL or a fixed string. Most implementations don't set 180 | .IR errno , 181 | but some do. SUSv2 specifies only returning NULL and setting 182 | .I errno 183 | as a valid behavior, and defines only one possible error 184 | .RB "(" ENOSYS , 185 | "The functionality is not supported on this implementation.") 186 | Unfortunately, most existing applications aren't prepared to handle 187 | NULL returns from 188 | .BR crypt . 189 | The description below corresponds to this implementation of 190 | .BR crypt " and " crypt_r 191 | only, and to 192 | .BR crypt_rn " and " crypt_ra . 193 | The behavior may change to match standards, other implementations or 194 | existing applications. 195 | .PP 196 | .BR crypt " and " crypt_r 197 | may only fail (and return) when passed an invalid or unsupported 198 | .IR setting , 199 | in which case they return a pointer to a magic string that is 200 | shorter than 13 characters and is guaranteed to differ from 201 | .IR setting . 202 | This behavior is safe for older applications which assume that 203 | .B crypt 204 | can't fail, when both setting new passwords and authenticating against 205 | existing password hashes. 206 | .BR crypt_rn " and " crypt_ra 207 | return NULL to indicate failure. All four functions set 208 | .I errno 209 | when they fail. 210 | .PP 211 | The functions 212 | .crypt_gensalt and 213 | return a pointer to the compiled string for 214 | .IR setting , 215 | or NULL on error in which case 216 | .I errno 217 | is set. 218 | .SH ERRORS 219 | .TP 220 | .B EINVAL 221 | .crypt "" : 222 | .I setting 223 | is invalid or not supported by this implementation; 224 | .sp 225 | .crypt_gensalt "" : 226 | .I prefix 227 | is invalid or not supported by this implementation; 228 | .I count 229 | is invalid for the requested 230 | .IR prefix ; 231 | the input 232 | .I size 233 | is insufficient for the smallest valid salt with the requested 234 | .IR prefix ; 235 | .I input 236 | is NULL. 237 | .TP 238 | .B ERANGE 239 | .BR crypt_rn : 240 | the provided data area 241 | .I size 242 | is insufficient for the requested hashing algorithm; 243 | .sp 244 | .BR crypt_gensalt_rn : 245 | .I output_size 246 | is too small to hold the compiled 247 | .I setting 248 | string. 249 | .TP 250 | .B ENOMEM 251 | .B crypt 252 | (original glibc only): 253 | failed to allocate memory for the output buffer (which subsequent calls 254 | would re-use); 255 | .sp 256 | .BR crypt_ra : 257 | .I *data 258 | is NULL or 259 | .I *size 260 | is insufficient for the requested hashing algorithm and 261 | .BR realloc (3) 262 | failed; 263 | .sp 264 | .BR crypt_gensalt_ra : 265 | failed to allocate memory for the compiled 266 | .I setting 267 | string. 268 | .TP 269 | .B ENOSYS 270 | .B crypt 271 | (SUSv2): 272 | the functionality is not supported on this implementation; 273 | .sp 274 | .BR crypt , 275 | .B crypt_r 276 | (glibc 2.0 to 2.0.1 only): 277 | .de no-crypt-add-on 278 | the crypt add-on is not compiled in and 279 | .I setting 280 | requests something other than the MD5-based algorithm. 281 | .. 282 | .no-crypt-add-on 283 | .TP 284 | .B EOPNOTSUPP 285 | .BR crypt , 286 | .B crypt_r 287 | (glibc 2.0.2 to 2.1.3 only): 288 | .no-crypt-add-on 289 | .SH HASHING METHODS 290 | The implemented hashing methods are intended specifically for processing 291 | user passwords for storage and authentication; 292 | they are at best inefficient for most other purposes. 293 | .PP 294 | It is important to understand that password hashing is not a replacement 295 | for strong passwords. 296 | It is always possible for an attacker with access to password hashes 297 | to try guessing candidate passwords against the hashes. 298 | There are, however, certain properties a password hashing method may have 299 | which make these key search attacks somewhat harder. 300 | .PP 301 | All of the hashing methods use salts such that the same 302 | .I key 303 | may produce many possible hashes. 304 | Proper use of salts may defeat a number of attacks, including: 305 | .TP 306 | 1. 307 | The ability to try candidate passwords against multiple hashes at the 308 | price of one. 309 | .TP 310 | 2. 311 | The use of pre-hashed lists of candidate passwords. 312 | .TP 313 | 3. 314 | The ability to determine whether two users (or two accounts of one user) 315 | have the same or different passwords without actually having to guess 316 | one of the passwords. 317 | .PP 318 | The key search attacks depend on computing hashes of large numbers of 319 | candidate passwords. 320 | Thus, the computational cost of a good password hashing method must be 321 | high \- but of course not too high to render it impractical. 322 | .PP 323 | All hashing methods implemented within the 324 | .crypt and 325 | interfaces use multiple iterations of an underlying cryptographic 326 | primitive specifically in order to increase the cost of trying a 327 | candidate password. 328 | Unfortunately, due to hardware improvements, the hashing methods which 329 | have a fixed cost become increasingly less secure over time. 330 | .PP 331 | In addition to salts, modern password hashing methods accept a variable 332 | iteration 333 | .IR count . 334 | This makes it possible to adapt their cost to the hardware improvements 335 | while still maintaining compatibility. 336 | .PP 337 | The following hashing methods are or may be implemented within the 338 | described interfaces: 339 | .PP 340 | .de hash 341 | .ad l 342 | .TP 343 | .I prefix 344 | .ie "\\$1"" \{\ 345 | "" (empty string); 346 | .br 347 | a string matching ^[./0-9A-Za-z]{2} (see 348 | .BR regex (7)) 349 | .\} 350 | .el "\\$1" 351 | .TP 352 | .B Encoding syntax 353 | \\$2 354 | .TP 355 | .B Maximum password length 356 | \\$3 (uses \\$4-bit characters) 357 | .TP 358 | .B Effective key size 359 | .ie "\\$5"" limited by the hash size only 360 | .el up to \\$5 bits 361 | .TP 362 | .B Hash size 363 | \\$6 bits 364 | .TP 365 | .B Salt size 366 | \\$7 bits 367 | .TP 368 | .B Iteration count 369 | \\$8 370 | .ad b 371 | .. 372 | .ti -2 373 | .B Traditional DES-based 374 | .br 375 | This method is supported by almost all implementations of 376 | .BR crypt . 377 | Unfortunately, it no longer offers adequate security because of its many 378 | limitations. 379 | Thus, it should not be used for new passwords unless you absolutely have 380 | to be able to migrate the password hashes to other systems. 381 | .hash "" "[./0-9A-Za-z]{13}" 8 7 56 64 12 25 382 | .PP 383 | .ti -2 384 | .B Extended BSDI-style DES-based 385 | .br 386 | This method is used on BSDI and is also available on at least NetBSD, 387 | OpenBSD, and FreeBSD due to the use of David Burren's FreeSec library. 388 | .hash _ "_[./0-9A-Za-z]{19}" unlimited 7 56 64 24 "1 to 2**24-1 (must be odd)" 389 | .PP 390 | .ti -2 391 | .B FreeBSD-style MD5-based 392 | .br 393 | This is Poul-Henning Kamp's MD5-based password hashing method originally 394 | developed for FreeBSD. 395 | It is currently supported on many free Unix-like systems, on Solaris 10 396 | and newer, and it is part of the official glibc. 397 | Its main disadvantage is the fixed iteration count, which is already 398 | too low for the currently available hardware. 399 | .hash "$1$" "\e$1\e$[^$]{1,8}\e$[./0-9A-Za-z]{22}" unlimited 8 "" 128 "6 to 48" 1000 400 | .PP 401 | .ti -2 402 | .BR "OpenBSD-style Blowfish-based" " (" bcrypt ) 403 | .br 404 | .B bcrypt 405 | was originally developed by Niels Provos and David Mazieres for OpenBSD 406 | and is also supported on recent versions of FreeBSD and NetBSD, 407 | on Solaris 10 and newer, and on several GNU/*/Linux distributions. 408 | It is, however, not part of the official glibc. 409 | .PP 410 | While both 411 | .B bcrypt 412 | and the BSDI-style DES-based hashing offer a variable iteration count, 413 | .B bcrypt 414 | may scale to even faster hardware, doesn't allow for certain optimizations 415 | specific to password cracking only, doesn't have the effective key size 416 | limitation, and uses 8-bit characters in passwords. 417 | .hash "$2b$" "\e$2[abxy]\e$[0-9]{2}\e$[./A-Za-z0-9]{53}" 72 8 "" 184 128 "2**4 to 2**99 (current implementations are limited to 2**31 iterations)" 418 | .PP 419 | With 420 | .BR bcrypt , 421 | the 422 | .I count 423 | passed to 424 | .crypt_gensalt and 425 | is the base-2 logarithm of the actual iteration count. 426 | .PP 427 | .B bcrypt 428 | hashes used the "$2a$" prefix since 1997. 429 | However, in 2011 an implementation bug was discovered in crypt_blowfish 430 | (versions up to 1.0.4 inclusive) affecting handling of password characters with 431 | the 8th bit set. 432 | Besides fixing the bug, 433 | to provide for upgrade strategies for existing systems, two new prefixes were 434 | introduced: "$2x$", which fully re-introduces the bug, and "$2y$", which 435 | guarantees correct handling of both 7- and 8-bit characters. 436 | OpenBSD 5.5 introduced the "$2b$" prefix for behavior that exactly matches 437 | crypt_blowfish's "$2y$", and current crypt_blowfish supports it as well. 438 | Unfortunately, the behavior of "$2a$" on password characters with the 8th bit 439 | set has to be considered system-specific. 440 | When generating new password hashes, the "$2b$" or "$2y$" prefix should be used. 441 | (If such hashes ever need to be migrated to a system that does not yet support 442 | these new prefixes, the prefix in migrated copies of the already-generated 443 | hashes may be changed to "$2a$".) 444 | .PP 445 | .crypt_gensalt and 446 | support the "$2b$", "$2y$", and "$2a$" prefixes (the latter for legacy programs 447 | or configurations), but not "$2x$" (which must not be used for new hashes). 448 | .crypt and 449 | support all four of these prefixes. 450 | .SH PORTABILITY NOTES 451 | Programs using any of these functions on a glibc 2.x system must be 452 | linked against 453 | .BR libcrypt . 454 | However, many Unix-like operating systems and older versions of the 455 | GNU C Library include the 456 | .BR crypt " function in " libc . 457 | .PP 458 | The 459 | .BR crypt_r , 460 | .BR crypt_rn , 461 | .BR crypt_ra , 462 | .crypt_gensalt and 463 | functions are very non-portable. 464 | .PP 465 | The set of supported hashing methods is implementation-dependent. 466 | .SH CONFORMING TO 467 | The 468 | .B crypt 469 | function conforms to SVID, X/OPEN, and is available on BSD 4.3. 470 | The strings returned by 471 | .B crypt 472 | are not required to be portable among conformant systems. 473 | .PP 474 | .B crypt_r 475 | is a GNU extension. 476 | There's also a 477 | .B crypt_r 478 | function on HP-UX and MKS Toolkit, but the prototypes and semantics differ. 479 | .PP 480 | .B crypt_gensalt 481 | is an Openwall extension. 482 | There's also a 483 | .B crypt_gensalt 484 | function on Solaris 10 and newer, but the prototypes and semantics differ. 485 | .PP 486 | .BR crypt_rn , 487 | .BR crypt_ra , 488 | .BR crypt_gensalt_rn , 489 | and 490 | .B crypt_gensalt_ra 491 | are Openwall extensions. 492 | .SH HISTORY 493 | A rotor-based 494 | .B crypt 495 | function appeared in Version 6 AT&T UNIX. 496 | The "traditional" 497 | .B crypt 498 | first appeared in Version 7 AT&T UNIX. 499 | .PP 500 | The 501 | .B crypt_r 502 | function was introduced during glibc 2.0 development. 503 | .SH BUGS 504 | The return values of 505 | .BR crypt " and " crypt_gensalt 506 | point to static buffers that are overwritten by subsequent calls. 507 | These functions are not thread-safe. 508 | .RB ( crypt 509 | on recent versions of Solaris uses thread-specific data and actually is 510 | thread-safe.) 511 | .PP 512 | The strings returned by certain other implementations of 513 | .B crypt 514 | on error may be stored in read-only locations or only initialized once, 515 | which makes it unsafe to always attempt to zero out the buffer normally 516 | pointed to by the 517 | .B crypt 518 | return value as it would otherwise be preferable for security reasons. 519 | The problem could be avoided with the use of 520 | .BR crypt_r , 521 | .BR crypt_rn , 522 | or 523 | .B crypt_ra 524 | where the application has full control over output buffers of these functions 525 | (and often over some of their private data as well). 526 | Unfortunately, the functions aren't (yet?) available on platforms where 527 | .B crypt 528 | has this undesired property. 529 | .PP 530 | Applications using the thread-safe 531 | .B crypt_r 532 | need to allocate address space for the large (over 128 KB) 533 | .I struct crypt_data 534 | structure. Each thread needs a separate instance of the structure. The 535 | .B crypt_r 536 | interface makes it impossible to implement a hashing algorithm which 537 | would need to keep an even larger amount of private data, without breaking 538 | binary compatibility. 539 | .B crypt_ra 540 | allows for dynamically increasing the allocation size as required by the 541 | hashing algorithm that is actually used. Unfortunately, 542 | .B crypt_ra 543 | is even more non-portable than 544 | .BR crypt_r . 545 | .PP 546 | Multi-threaded applications or library functions which are meant to be 547 | thread-safe should use 548 | .BR crypt_gensalt_rn " or " crypt_gensalt_ra 549 | rather than 550 | .BR crypt_gensalt . 551 | .SH SEE ALSO 552 | .BR login (1), 553 | .BR passwd (1), 554 | .BR crypto (3), 555 | .BR encrypt (3), 556 | .BR free (3), 557 | .BR getpass (3), 558 | .BR getpwent (3), 559 | .BR malloc (3), 560 | .BR realloc (3), 561 | .BR shadow (3), 562 | .BR passwd (5), 563 | .BR shadow (5), 564 | .BR regex (7), 565 | .BR pam (8) 566 | .sp 567 | Niels Provos and David Mazieres. A Future-Adaptable Password Scheme. 568 | Proceedings of the 1999 USENIX Annual Technical Conference, June 1999. 569 | .br 570 | http://www.usenix.org/events/usenix99/provos.html 571 | .sp 572 | Robert Morris and Ken Thompson. Password Security: A Case History. 573 | Unix Seventh Edition Manual, Volume 2, April 1978. 574 | .br 575 | http://plan9.bell-labs.com/7thEdMan/vol2/password 576 | -------------------------------------------------------------------------------- /crypt_blowfish/crypt_blowfish.c: -------------------------------------------------------------------------------- 1 | /* 2 | * The crypt_blowfish homepage is: 3 | * 4 | * http://www.openwall.com/crypt/ 5 | * 6 | * This code comes from John the Ripper password cracker, with reentrant 7 | * and crypt(3) interfaces added, but optimizations specific to password 8 | * cracking removed. 9 | * 10 | * Written by Solar Designer in 1998-2014. 11 | * No copyright is claimed, and the software is hereby placed in the public 12 | * domain. In case this attempt to disclaim copyright and place the software 13 | * in the public domain is deemed null and void, then the software is 14 | * Copyright (c) 1998-2014 Solar Designer and it is hereby released to the 15 | * general public under the following terms: 16 | * 17 | * Redistribution and use in source and binary forms, with or without 18 | * modification, are permitted. 19 | * 20 | * There's ABSOLUTELY NO WARRANTY, express or implied. 21 | * 22 | * It is my intent that you should be able to use this on your system, 23 | * as part of a software package, or anywhere else to improve security, 24 | * ensure compatibility, or for any other purpose. I would appreciate 25 | * it if you give credit where it is due and keep your modifications in 26 | * the public domain as well, but I don't require that in order to let 27 | * you place this code and any modifications you make under a license 28 | * of your choice. 29 | * 30 | * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix 31 | * "$2b$", originally by Niels Provos , and it uses 32 | * some of his ideas. The password hashing algorithm was designed by David 33 | * Mazieres . For information on the level of 34 | * compatibility for bcrypt hash prefixes other than "$2b$", please refer to 35 | * the comments in BF_set_key() below and to the included crypt(3) man page. 36 | * 37 | * There's a paper on the algorithm that explains its design decisions: 38 | * 39 | * http://www.usenix.org/events/usenix99/provos.html 40 | * 41 | * Some of the tricks in BF_ROUND might be inspired by Eric Young's 42 | * Blowfish library (I can't be sure if I would think of something if I 43 | * hadn't seen his code). 44 | */ 45 | 46 | #include 47 | 48 | #include 49 | #ifndef __set_errno 50 | #define __set_errno(val) errno = (val) 51 | #endif 52 | 53 | /* Just to make sure the prototypes match the actual definitions */ 54 | #include "crypt_blowfish.h" 55 | 56 | #ifdef __i386__ 57 | #define BF_ASM 1 58 | #define BF_SCALE 1 59 | #elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) 60 | #define BF_ASM 0 61 | #define BF_SCALE 1 62 | #else 63 | #define BF_ASM 0 64 | #define BF_SCALE 0 65 | #endif 66 | 67 | typedef unsigned int BF_word; 68 | typedef signed int BF_word_signed; 69 | 70 | /* Number of Blowfish rounds, this is also hardcoded into a few places */ 71 | #define BF_N 16 72 | 73 | typedef BF_word BF_key[BF_N + 2]; 74 | 75 | typedef struct { 76 | BF_word S[4][0x100]; 77 | BF_key P; 78 | } BF_ctx; 79 | 80 | /* 81 | * Magic IV for 64 Blowfish encryptions that we do at the end. 82 | * The string is "OrpheanBeholderScryDoubt" on big-endian. 83 | */ 84 | static BF_word BF_magic_w[6] = { 85 | 0x4F727068, 0x65616E42, 0x65686F6C, 86 | 0x64657253, 0x63727944, 0x6F756274 87 | }; 88 | 89 | /* 90 | * P-box and S-box tables initialized with digits of Pi. 91 | */ 92 | static BF_ctx BF_init_state = { 93 | { 94 | { 95 | 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 96 | 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, 97 | 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, 98 | 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 99 | 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, 100 | 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, 101 | 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 102 | 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, 103 | 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, 104 | 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 105 | 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, 106 | 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, 107 | 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 108 | 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, 109 | 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, 110 | 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 111 | 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, 112 | 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, 113 | 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 114 | 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, 115 | 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, 116 | 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 117 | 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, 118 | 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, 119 | 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 120 | 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, 121 | 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, 122 | 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 123 | 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, 124 | 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, 125 | 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 126 | 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, 127 | 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, 128 | 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 129 | 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, 130 | 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, 131 | 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 132 | 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, 133 | 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, 134 | 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 135 | 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, 136 | 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, 137 | 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 138 | 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, 139 | 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, 140 | 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 141 | 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, 142 | 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, 143 | 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 144 | 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, 145 | 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, 146 | 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 147 | 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, 148 | 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, 149 | 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 150 | 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, 151 | 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, 152 | 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 153 | 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, 154 | 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, 155 | 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 156 | 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, 157 | 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, 158 | 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a 159 | }, { 160 | 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 161 | 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, 162 | 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, 163 | 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 164 | 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, 165 | 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, 166 | 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 167 | 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, 168 | 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, 169 | 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 170 | 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, 171 | 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, 172 | 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 173 | 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, 174 | 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, 175 | 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 176 | 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, 177 | 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, 178 | 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 179 | 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, 180 | 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, 181 | 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 182 | 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, 183 | 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, 184 | 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 185 | 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, 186 | 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, 187 | 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 188 | 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, 189 | 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, 190 | 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 191 | 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, 192 | 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, 193 | 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 194 | 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, 195 | 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, 196 | 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 197 | 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, 198 | 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, 199 | 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 200 | 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, 201 | 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, 202 | 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 203 | 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, 204 | 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, 205 | 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 206 | 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, 207 | 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, 208 | 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 209 | 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, 210 | 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, 211 | 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 212 | 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, 213 | 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, 214 | 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 215 | 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, 216 | 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, 217 | 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 218 | 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, 219 | 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, 220 | 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 221 | 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, 222 | 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, 223 | 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7 224 | }, { 225 | 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 226 | 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, 227 | 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, 228 | 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 229 | 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, 230 | 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, 231 | 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 232 | 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, 233 | 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, 234 | 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 235 | 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, 236 | 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, 237 | 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 238 | 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, 239 | 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, 240 | 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 241 | 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, 242 | 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, 243 | 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 244 | 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, 245 | 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, 246 | 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 247 | 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, 248 | 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, 249 | 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 250 | 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, 251 | 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, 252 | 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 253 | 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, 254 | 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, 255 | 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 256 | 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, 257 | 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, 258 | 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 259 | 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, 260 | 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, 261 | 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 262 | 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, 263 | 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, 264 | 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 265 | 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, 266 | 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, 267 | 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 268 | 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, 269 | 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, 270 | 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 271 | 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, 272 | 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, 273 | 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 274 | 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, 275 | 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, 276 | 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 277 | 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, 278 | 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, 279 | 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 280 | 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, 281 | 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, 282 | 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 283 | 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, 284 | 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, 285 | 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 286 | 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, 287 | 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, 288 | 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0 289 | }, { 290 | 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 291 | 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, 292 | 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, 293 | 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 294 | 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, 295 | 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, 296 | 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 297 | 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, 298 | 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, 299 | 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 300 | 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, 301 | 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, 302 | 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 303 | 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, 304 | 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, 305 | 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 306 | 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, 307 | 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, 308 | 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 309 | 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, 310 | 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, 311 | 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 312 | 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, 313 | 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, 314 | 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 315 | 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, 316 | 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, 317 | 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 318 | 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, 319 | 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, 320 | 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 321 | 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, 322 | 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, 323 | 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 324 | 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, 325 | 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, 326 | 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 327 | 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, 328 | 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, 329 | 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 330 | 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, 331 | 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, 332 | 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 333 | 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, 334 | 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, 335 | 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 336 | 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, 337 | 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, 338 | 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 339 | 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, 340 | 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, 341 | 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 342 | 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, 343 | 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, 344 | 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 345 | 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, 346 | 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, 347 | 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 348 | 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, 349 | 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, 350 | 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 351 | 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, 352 | 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, 353 | 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6 354 | } 355 | }, { 356 | 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 357 | 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, 358 | 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, 359 | 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 360 | 0x9216d5d9, 0x8979fb1b 361 | } 362 | }; 363 | 364 | static unsigned char BF_itoa64[64 + 1] = 365 | "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; 366 | 367 | static unsigned char BF_atoi64[0x60] = { 368 | 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1, 369 | 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64, 370 | 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 371 | 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64, 372 | 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 373 | 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64 374 | }; 375 | 376 | #define BF_safe_atoi64(dst, src) \ 377 | { \ 378 | tmp = (unsigned char)(src); \ 379 | if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ 380 | tmp = BF_atoi64[tmp]; \ 381 | if (tmp > 63) return -1; \ 382 | (dst) = tmp; \ 383 | } 384 | 385 | static int BF_decode(BF_word *dst, const char *src, int size) 386 | { 387 | unsigned char *dptr = (unsigned char *)dst; 388 | unsigned char *end = dptr + size; 389 | const unsigned char *sptr = (const unsigned char *)src; 390 | unsigned int tmp, c1, c2, c3, c4; 391 | 392 | do { 393 | BF_safe_atoi64(c1, *sptr++); 394 | BF_safe_atoi64(c2, *sptr++); 395 | *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4); 396 | if (dptr >= end) break; 397 | 398 | BF_safe_atoi64(c3, *sptr++); 399 | *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2); 400 | if (dptr >= end) break; 401 | 402 | BF_safe_atoi64(c4, *sptr++); 403 | *dptr++ = ((c3 & 0x03) << 6) | c4; 404 | } while (dptr < end); 405 | 406 | return 0; 407 | } 408 | 409 | static void BF_encode(char *dst, const BF_word *src, int size) 410 | { 411 | const unsigned char *sptr = (const unsigned char *)src; 412 | const unsigned char *end = sptr + size; 413 | unsigned char *dptr = (unsigned char *)dst; 414 | unsigned int c1, c2; 415 | 416 | do { 417 | c1 = *sptr++; 418 | *dptr++ = BF_itoa64[c1 >> 2]; 419 | c1 = (c1 & 0x03) << 4; 420 | if (sptr >= end) { 421 | *dptr++ = BF_itoa64[c1]; 422 | break; 423 | } 424 | 425 | c2 = *sptr++; 426 | c1 |= c2 >> 4; 427 | *dptr++ = BF_itoa64[c1]; 428 | c1 = (c2 & 0x0f) << 2; 429 | if (sptr >= end) { 430 | *dptr++ = BF_itoa64[c1]; 431 | break; 432 | } 433 | 434 | c2 = *sptr++; 435 | c1 |= c2 >> 6; 436 | *dptr++ = BF_itoa64[c1]; 437 | *dptr++ = BF_itoa64[c2 & 0x3f]; 438 | } while (sptr < end); 439 | } 440 | 441 | static void BF_swap(BF_word *x, int count) 442 | { 443 | static int endianness_check = 1; 444 | char *is_little_endian = (char *)&endianness_check; 445 | BF_word tmp; 446 | 447 | if (*is_little_endian) 448 | do { 449 | tmp = *x; 450 | tmp = (tmp << 16) | (tmp >> 16); 451 | *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF); 452 | } while (--count); 453 | } 454 | 455 | #if BF_SCALE 456 | /* Architectures which can shift addresses left by 2 bits with no extra cost */ 457 | #define BF_ROUND(L, R, N) \ 458 | tmp1 = L & 0xFF; \ 459 | tmp2 = L >> 8; \ 460 | tmp2 &= 0xFF; \ 461 | tmp3 = L >> 16; \ 462 | tmp3 &= 0xFF; \ 463 | tmp4 = L >> 24; \ 464 | tmp1 = data.ctx.S[3][tmp1]; \ 465 | tmp2 = data.ctx.S[2][tmp2]; \ 466 | tmp3 = data.ctx.S[1][tmp3]; \ 467 | tmp3 += data.ctx.S[0][tmp4]; \ 468 | tmp3 ^= tmp2; \ 469 | R ^= data.ctx.P[N + 1]; \ 470 | tmp3 += tmp1; \ 471 | R ^= tmp3; 472 | #else 473 | /* Architectures with no complicated addressing modes supported */ 474 | #define BF_INDEX(S, i) \ 475 | (*((BF_word *)(((unsigned char *)S) + (i)))) 476 | #define BF_ROUND(L, R, N) \ 477 | tmp1 = L & 0xFF; \ 478 | tmp1 <<= 2; \ 479 | tmp2 = L >> 6; \ 480 | tmp2 &= 0x3FC; \ 481 | tmp3 = L >> 14; \ 482 | tmp3 &= 0x3FC; \ 483 | tmp4 = L >> 22; \ 484 | tmp4 &= 0x3FC; \ 485 | tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \ 486 | tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \ 487 | tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \ 488 | tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \ 489 | tmp3 ^= tmp2; \ 490 | R ^= data.ctx.P[N + 1]; \ 491 | tmp3 += tmp1; \ 492 | R ^= tmp3; 493 | #endif 494 | 495 | /* 496 | * Encrypt one block, BF_N is hardcoded here. 497 | */ 498 | #define BF_ENCRYPT \ 499 | L ^= data.ctx.P[0]; \ 500 | BF_ROUND(L, R, 0); \ 501 | BF_ROUND(R, L, 1); \ 502 | BF_ROUND(L, R, 2); \ 503 | BF_ROUND(R, L, 3); \ 504 | BF_ROUND(L, R, 4); \ 505 | BF_ROUND(R, L, 5); \ 506 | BF_ROUND(L, R, 6); \ 507 | BF_ROUND(R, L, 7); \ 508 | BF_ROUND(L, R, 8); \ 509 | BF_ROUND(R, L, 9); \ 510 | BF_ROUND(L, R, 10); \ 511 | BF_ROUND(R, L, 11); \ 512 | BF_ROUND(L, R, 12); \ 513 | BF_ROUND(R, L, 13); \ 514 | BF_ROUND(L, R, 14); \ 515 | BF_ROUND(R, L, 15); \ 516 | tmp4 = R; \ 517 | R = L; \ 518 | L = tmp4 ^ data.ctx.P[BF_N + 1]; 519 | 520 | #if BF_ASM 521 | #define BF_body() \ 522 | _BF_body_r(&data.ctx); 523 | #else 524 | #define BF_body() \ 525 | L = R = 0; \ 526 | ptr = data.ctx.P; \ 527 | do { \ 528 | ptr += 2; \ 529 | BF_ENCRYPT; \ 530 | *(ptr - 2) = L; \ 531 | *(ptr - 1) = R; \ 532 | } while (ptr < &data.ctx.P[BF_N + 2]); \ 533 | \ 534 | ptr = data.ctx.S[0]; \ 535 | do { \ 536 | ptr += 2; \ 537 | BF_ENCRYPT; \ 538 | *(ptr - 2) = L; \ 539 | *(ptr - 1) = R; \ 540 | } while (ptr < &data.ctx.S[3][0xFF]); 541 | #endif 542 | 543 | static void BF_set_key(const char *key, BF_key expanded, BF_key initial, 544 | unsigned char flags) 545 | { 546 | const char *ptr = key; 547 | unsigned int bug, i, j; 548 | BF_word safety, sign, diff, tmp[2]; 549 | 550 | /* 551 | * There was a sign extension bug in older revisions of this function. While 552 | * we would have liked to simply fix the bug and move on, we have to provide 553 | * a backwards compatibility feature (essentially the bug) for some systems and 554 | * a safety measure for some others. The latter is needed because for certain 555 | * multiple inputs to the buggy algorithm there exist easily found inputs to 556 | * the correct algorithm that produce the same hash. Thus, we optionally 557 | * deviate from the correct algorithm just enough to avoid such collisions. 558 | * While the bug itself affected the majority of passwords containing 559 | * characters with the 8th bit set (although only a percentage of those in a 560 | * collision-producing way), the anti-collision safety measure affects 561 | * only a subset of passwords containing the '\xff' character (not even all of 562 | * those passwords, just some of them). This character is not found in valid 563 | * UTF-8 sequences and is rarely used in popular 8-bit character encodings. 564 | * Thus, the safety measure is unlikely to cause much annoyance, and is a 565 | * reasonable tradeoff to use when authenticating against existing hashes that 566 | * are not reliably known to have been computed with the correct algorithm. 567 | * 568 | * We use an approach that tries to minimize side-channel leaks of password 569 | * information - that is, we mostly use fixed-cost bitwise operations instead 570 | * of branches or table lookups. (One conditional branch based on password 571 | * length remains. It is not part of the bug aftermath, though, and is 572 | * difficult and possibly unreasonable to avoid given the use of C strings by 573 | * the caller, which results in similar timing leaks anyway.) 574 | * 575 | * For actual implementation, we set an array index in the variable "bug" 576 | * (0 means no bug, 1 means sign extension bug emulation) and a flag in the 577 | * variable "safety" (bit 16 is set when the safety measure is requested). 578 | * Valid combinations of settings are: 579 | * 580 | * Prefix "$2a$": bug = 0, safety = 0x10000 581 | * Prefix "$2b$": bug = 0, safety = 0 582 | * Prefix "$2x$": bug = 1, safety = 0 583 | * Prefix "$2y$": bug = 0, safety = 0 584 | */ 585 | bug = (unsigned int)flags & 1; 586 | safety = ((BF_word)flags & 2) << 15; 587 | 588 | sign = diff = 0; 589 | 590 | for (i = 0; i < BF_N + 2; i++) { 591 | tmp[0] = tmp[1] = 0; 592 | for (j = 0; j < 4; j++) { 593 | tmp[0] <<= 8; 594 | tmp[0] |= (unsigned char)*ptr; /* correct */ 595 | tmp[1] <<= 8; 596 | tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */ 597 | /* 598 | * Sign extension in the first char has no effect - nothing to overwrite yet, 599 | * and those extra 24 bits will be fully shifted out of the 32-bit word. For 600 | * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign 601 | * extension in tmp[1] occurs. Once this flag is set, it remains set. 602 | */ 603 | if (j) 604 | sign |= tmp[1] & 0x80; 605 | if (!*ptr) 606 | ptr = key; 607 | else 608 | ptr++; 609 | } 610 | diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */ 611 | 612 | expanded[i] = tmp[bug]; 613 | initial[i] = BF_init_state.P[i] ^ tmp[bug]; 614 | } 615 | 616 | /* 617 | * At this point, "diff" is zero iff the correct and buggy algorithms produced 618 | * exactly the same result. If so and if "sign" is non-zero, which indicates 619 | * that there was a non-benign sign extension, this means that we have a 620 | * collision between the correctly computed hash for this password and a set of 621 | * passwords that could be supplied to the buggy algorithm. Our safety measure 622 | * is meant to protect from such many-buggy to one-correct collisions, by 623 | * deviating from the correct algorithm in such cases. Let's check for this. 624 | */ 625 | diff |= diff >> 16; /* still zero iff exact match */ 626 | diff &= 0xffff; /* ditto */ 627 | diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */ 628 | sign <<= 9; /* move the non-benign sign extension flag to bit 16 */ 629 | sign &= ~diff & safety; /* action needed? */ 630 | 631 | /* 632 | * If we have determined that we need to deviate from the correct algorithm, 633 | * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but 634 | * let's stick to it now. It came out of the approach we used above, and it's 635 | * not any worse than any other choice we could make.) 636 | * 637 | * It is crucial that we don't do the same to the expanded key used in the main 638 | * Eksblowfish loop. By doing it to only one of these two, we deviate from a 639 | * state that could be directly specified by a password to the buggy algorithm 640 | * (and to the fully correct one as well, but that's a side-effect). 641 | */ 642 | initial[0] ^= sign; 643 | } 644 | 645 | static const unsigned char flags_by_subtype[26] = 646 | {2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 647 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0}; 648 | 649 | static char *BF_crypt(const char *key, const char *setting, 650 | char *output, int size, 651 | BF_word min) 652 | { 653 | #if BF_ASM 654 | extern void _BF_body_r(BF_ctx *ctx); 655 | #endif 656 | struct { 657 | BF_ctx ctx; 658 | BF_key expanded_key; 659 | union { 660 | BF_word salt[4]; 661 | BF_word output[6]; 662 | } binary; 663 | } data; 664 | BF_word L, R; 665 | BF_word tmp1, tmp2, tmp3, tmp4; 666 | BF_word *ptr; 667 | BF_word count; 668 | int i; 669 | 670 | if (size < 7 + 22 + 31 + 1) { 671 | __set_errno(ERANGE); 672 | return NULL; 673 | } 674 | 675 | if (setting[0] != '$' || 676 | setting[1] != '2' || 677 | setting[2] < 'a' || setting[2] > 'z' || 678 | !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] || 679 | setting[3] != '$' || 680 | setting[4] < '0' || setting[4] > '3' || 681 | setting[5] < '0' || setting[5] > '9' || 682 | (setting[4] == '3' && setting[5] > '1') || 683 | setting[6] != '$') { 684 | __set_errno(EINVAL); 685 | return NULL; 686 | } 687 | 688 | count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0')); 689 | if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) { 690 | __set_errno(EINVAL); 691 | return NULL; 692 | } 693 | BF_swap(data.binary.salt, 4); 694 | 695 | BF_set_key(key, data.expanded_key, data.ctx.P, 696 | flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']); 697 | 698 | memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S)); 699 | 700 | L = R = 0; 701 | for (i = 0; i < BF_N + 2; i += 2) { 702 | L ^= data.binary.salt[i & 2]; 703 | R ^= data.binary.salt[(i & 2) + 1]; 704 | BF_ENCRYPT; 705 | data.ctx.P[i] = L; 706 | data.ctx.P[i + 1] = R; 707 | } 708 | 709 | ptr = data.ctx.S[0]; 710 | do { 711 | ptr += 4; 712 | L ^= data.binary.salt[(BF_N + 2) & 3]; 713 | R ^= data.binary.salt[(BF_N + 3) & 3]; 714 | BF_ENCRYPT; 715 | *(ptr - 4) = L; 716 | *(ptr - 3) = R; 717 | 718 | L ^= data.binary.salt[(BF_N + 4) & 3]; 719 | R ^= data.binary.salt[(BF_N + 5) & 3]; 720 | BF_ENCRYPT; 721 | *(ptr - 2) = L; 722 | *(ptr - 1) = R; 723 | } while (ptr < &data.ctx.S[3][0xFF]); 724 | 725 | do { 726 | int done; 727 | 728 | for (i = 0; i < BF_N + 2; i += 2) { 729 | data.ctx.P[i] ^= data.expanded_key[i]; 730 | data.ctx.P[i + 1] ^= data.expanded_key[i + 1]; 731 | } 732 | 733 | done = 0; 734 | do { 735 | BF_body(); 736 | if (done) 737 | break; 738 | done = 1; 739 | 740 | tmp1 = data.binary.salt[0]; 741 | tmp2 = data.binary.salt[1]; 742 | tmp3 = data.binary.salt[2]; 743 | tmp4 = data.binary.salt[3]; 744 | for (i = 0; i < BF_N; i += 4) { 745 | data.ctx.P[i] ^= tmp1; 746 | data.ctx.P[i + 1] ^= tmp2; 747 | data.ctx.P[i + 2] ^= tmp3; 748 | data.ctx.P[i + 3] ^= tmp4; 749 | } 750 | data.ctx.P[16] ^= tmp1; 751 | data.ctx.P[17] ^= tmp2; 752 | } while (1); 753 | } while (--count); 754 | 755 | for (i = 0; i < 6; i += 2) { 756 | L = BF_magic_w[i]; 757 | R = BF_magic_w[i + 1]; 758 | 759 | count = 64; 760 | do { 761 | BF_ENCRYPT; 762 | } while (--count); 763 | 764 | data.binary.output[i] = L; 765 | data.binary.output[i + 1] = R; 766 | } 767 | 768 | memcpy(output, setting, 7 + 22 - 1); 769 | output[7 + 22 - 1] = BF_itoa64[(int) 770 | BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30]; 771 | 772 | /* This has to be bug-compatible with the original implementation, so 773 | * only encode 23 of the 24 bytes. :-) */ 774 | BF_swap(data.binary.output, 6); 775 | BF_encode(&output[7 + 22], data.binary.output, 23); 776 | output[7 + 22 + 31] = '\0'; 777 | 778 | return output; 779 | } 780 | 781 | int _crypt_output_magic(const char *setting, char *output, int size) 782 | { 783 | if (size < 3) 784 | return -1; 785 | 786 | output[0] = '*'; 787 | output[1] = '0'; 788 | output[2] = '\0'; 789 | 790 | if (setting[0] == '*' && setting[1] == '0') 791 | output[1] = '1'; 792 | 793 | return 0; 794 | } 795 | 796 | /* 797 | * Please preserve the runtime self-test. It serves two purposes at once: 798 | * 799 | * 1. We really can't afford the risk of producing incompatible hashes e.g. 800 | * when there's something like gcc bug 26587 again, whereas an application or 801 | * library integrating this code might not also integrate our external tests or 802 | * it might not run them after every build. Even if it does, the miscompile 803 | * might only occur on the production build, but not on a testing build (such 804 | * as because of different optimization settings). It is painful to recover 805 | * from incorrectly-computed hashes - merely fixing whatever broke is not 806 | * enough. Thus, a proactive measure like this self-test is needed. 807 | * 808 | * 2. We don't want to leave sensitive data from our actual password hash 809 | * computation on the stack or in registers. Previous revisions of the code 810 | * would do explicit cleanups, but simply running the self-test after hash 811 | * computation is more reliable. 812 | * 813 | * The performance cost of this quick self-test is around 0.6% at the "$2a$08" 814 | * setting. 815 | */ 816 | char *_crypt_blowfish_rn(const char *key, const char *setting, 817 | char *output, int size) 818 | { 819 | const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8"; 820 | const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu"; 821 | static const char * const test_hashes[2] = 822 | {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */ 823 | "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */ 824 | const char *test_hash = test_hashes[0]; 825 | char *retval; 826 | const char *p; 827 | int save_errno, ok; 828 | struct { 829 | char s[7 + 22 + 1]; 830 | char o[7 + 22 + 31 + 1 + 1 + 1]; 831 | } buf; 832 | 833 | /* Hash the supplied password */ 834 | _crypt_output_magic(setting, output, size); 835 | retval = BF_crypt(key, setting, output, size, 16); 836 | save_errno = errno; 837 | 838 | /* 839 | * Do a quick self-test. It is important that we make both calls to BF_crypt() 840 | * from the same scope such that they likely use the same stack locations, 841 | * which makes the second call overwrite the first call's sensitive data on the 842 | * stack and makes it more likely that any alignment related issues would be 843 | * detected by the self-test. 844 | */ 845 | memcpy(buf.s, test_setting, sizeof(buf.s)); 846 | if (retval) { 847 | unsigned int flags = flags_by_subtype[ 848 | (unsigned int)(unsigned char)setting[2] - 'a']; 849 | test_hash = test_hashes[flags & 1]; 850 | buf.s[2] = setting[2]; 851 | } 852 | memset(buf.o, 0x55, sizeof(buf.o)); 853 | buf.o[sizeof(buf.o) - 1] = 0; 854 | p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1); 855 | 856 | ok = (p == buf.o && 857 | !memcmp(p, buf.s, 7 + 22) && 858 | !memcmp(p + (7 + 22), test_hash, 31 + 1 + 1 + 1)); 859 | 860 | { 861 | const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; 862 | BF_key ae, ai, ye, yi; 863 | BF_set_key(k, ae, ai, 2); /* $2a$ */ 864 | BF_set_key(k, ye, yi, 4); /* $2y$ */ 865 | ai[0] ^= 0x10000; /* undo the safety (for comparison) */ 866 | ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 && 867 | !memcmp(ae, ye, sizeof(ae)) && 868 | !memcmp(ai, yi, sizeof(ai)); 869 | } 870 | 871 | __set_errno(save_errno); 872 | if (ok) 873 | return retval; 874 | 875 | /* Should not happen */ 876 | _crypt_output_magic(setting, output, size); 877 | __set_errno(EINVAL); /* pretend we don't support this hash type */ 878 | return NULL; 879 | } 880 | 881 | char *_crypt_gensalt_blowfish_rn(const char *prefix, unsigned long count, 882 | const char *input, int size, char *output, int output_size) 883 | { 884 | if (size < 16 || output_size < 7 + 22 + 1 || 885 | (count && (count < 4 || count > 31)) || 886 | prefix[0] != '$' || prefix[1] != '2' || 887 | (prefix[2] != 'a' && prefix[2] != 'b' && prefix[2] != 'y')) { 888 | if (output_size > 0) output[0] = '\0'; 889 | __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL); 890 | return NULL; 891 | } 892 | 893 | if (!count) count = 5; 894 | 895 | output[0] = '$'; 896 | output[1] = '2'; 897 | output[2] = prefix[2]; 898 | output[3] = '$'; 899 | output[4] = '0' + count / 10; 900 | output[5] = '0' + count % 10; 901 | output[6] = '$'; 902 | 903 | BF_encode(&output[7], (const BF_word *)input, 16); 904 | output[7 + 22] = '\0'; 905 | 906 | return output; 907 | } 908 | --------------------------------------------------------------------------------