1 /* $NetBSD: bcrypt.c,v 1.23 2025/12/31 13:02:20 nia Exp $ */ 2 /* $OpenBSD: bcrypt.c,v 1.16 2002/02/19 19:39:36 millert Exp $ */ 3 4 /* 5 * Copyright 1997 Niels Provos <provos (at) physnet.uni-hamburg.de> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of the author may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /* This password hashing algorithm was designed by David Mazieres 32 * <dm (at) lcs.mit.edu> and works as follows: 33 * 34 * 1. state := InitState () 35 * 2. state := ExpandKey (state, salt, password) 3. 36 * REPEAT rounds: 37 * state := ExpandKey (state, 0, salt) 38 * state := ExpandKey(state, 0, password) 39 * 4. ctext := "OrpheanBeholderScryDoubt" 40 * 5. REPEAT 64: 41 * ctext := Encrypt_ECB (state, ctext); 42 * 6. RETURN Concatenate (salt, ctext); 43 * 44 */ 45 #include <sys/cdefs.h> 46 __RCSID("$NetBSD: bcrypt.c,v 1.23 2025/12/31 13:02:20 nia Exp $"); 47 48 #include <stdio.h> 49 #include <stdlib.h> 50 #include <sys/types.h> 51 #include <string.h> 52 #include <pwd.h> 53 #include <errno.h> 54 #include <limits.h> 55 56 #include "crypt.h" 57 #include "blowfish.c" 58 59 /* This implementation is adaptable to current computing power. 60 * You can have up to 2^31 rounds which should be enough for some 61 * time to come. 62 */ 63 64 #define BCRYPT_VERSION '2' 65 #define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */ 66 #define BCRYPT_MAXSALTLEN (7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1) 67 #define BCRYPT_BLOCKS 6 /* Ciphertext blocks */ 68 #define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */ 69 70 static void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t); 71 static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t); 72 static void decode_base64(u_int8_t *, u_int16_t, const u_int8_t *); 73 74 crypt_private char *__bcrypt(const char *, const char *); /* XXX */ 75 76 static char encrypted[_PASSWORD_LEN]; 77 78 static const u_int8_t Base64Code[] = 79 "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; 80 81 char *bcrypt_gensalt(u_int8_t); 82 83 static const u_int8_t index_64[128] = 84 { 85 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 86 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 87 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 88 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 89 255, 255, 255, 255, 255, 255, 0, 1, 54, 55, 90 56, 57, 58, 59, 60, 61, 62, 63, 255, 255, 91 255, 255, 255, 255, 255, 2, 3, 4, 5, 6, 92 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 93 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 94 255, 255, 255, 255, 255, 255, 28, 29, 30, 95 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 96 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 97 51, 52, 53, 255, 255, 255, 255, 255 98 }; 99 #define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)]) 100 101 static void 102 decode_base64(u_int8_t *buffer, u_int16_t len, const u_int8_t *data) 103 { 104 u_int8_t *bp = buffer; 105 const u_int8_t *p = data; 106 u_int8_t c1, c2, c3, c4; 107 while (bp < buffer + len) { 108 c1 = CHAR64(*p); 109 c2 = CHAR64(*(p + 1)); 110 111 /* Invalid data */ 112 if (c1 == 255 || c2 == 255) 113 break; 114 115 *bp++ = ((u_int32_t)c1 << 2) | (((u_int32_t)c2 & 0x30) >> 4); 116 if (bp >= buffer + len) 117 break; 118 119 c3 = CHAR64(*(p + 2)); 120 if (c3 == 255) 121 break; 122 123 *bp++ = (((u_int32_t)c2 & 0x0f) << 4) | (((uint32_t)c3 & 0x3c) >> 2); 124 if (bp >= buffer + len) 125 break; 126 127 c4 = CHAR64(*(p + 3)); 128 if (c4 == 255) 129 break; 130 *bp++ = ((c3 & 0x03) << 6) | c4; 131 132 p += 4; 133 } 134 } 135 136 static void 137 encode_salt(char *salt, u_int8_t *csalt, u_int16_t clen, u_int8_t logr) 138 { 139 salt[0] = '$'; 140 salt[1] = BCRYPT_VERSION; 141 salt[2] = 'a'; 142 salt[3] = '$'; 143 144 snprintf(salt + 4, 4, "%2.2u$", logr); 145 146 encode_base64((u_int8_t *) salt + 7, csalt, clen); 147 } 148 149 crypt_private int 150 __gensalt_blowfish(char *salt, size_t saltlen, const char *option) 151 { 152 size_t i; 153 u_int32_t seed = 0; 154 u_int8_t csalt[BCRYPT_MAXSALT]; 155 unsigned long nrounds; 156 char *ep; 157 158 if (saltlen < BCRYPT_MAXSALTLEN) { 159 errno = ENOSPC; 160 return -1; 161 } 162 if (option == NULL) { 163 errno = EINVAL; 164 return -1; 165 } 166 nrounds = strtoul(option, &ep, 0); 167 if (option == ep || *ep) { 168 errno = EINVAL; 169 return -1; 170 } 171 if (errno == ERANGE && nrounds == ULONG_MAX) 172 return -1; 173 174 if (nrounds < 4) 175 nrounds = 4; 176 else if (nrounds > 31) 177 nrounds = 31; 178 179 for (i = 0; i < BCRYPT_MAXSALT; i++) { 180 if (i % 4 == 0) 181 seed = arc4random(); 182 csalt[i] = seed & 0xff; 183 seed = seed >> 8; 184 } 185 encode_salt(salt, csalt, BCRYPT_MAXSALT, (u_int8_t)nrounds); 186 return 0; 187 } 188 189 /* Generates a salt for this version of crypt. 190 Since versions may change. Keeping this here 191 seems sensible. 192 XXX: compat. 193 */ 194 char * 195 bcrypt_gensalt(u_int8_t log_rounds) 196 { 197 static char gsalt[BCRYPT_MAXSALTLEN]; 198 char num[10]; 199 200 (void)snprintf(num, sizeof(num), "%d", log_rounds); 201 if (__gensalt_blowfish(gsalt, sizeof(gsalt), num) == -1) 202 return NULL; 203 return gsalt; 204 } 205 206 /* We handle $Vers$log2(NumRounds)$salt+passwd$ 207 i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */ 208 209 crypt_private char * 210 __bcrypt(const char *key, const char *salt) 211 { 212 blf_ctx state; 213 u_int32_t rounds, i, k; 214 u_int16_t j; 215 u_int8_t key_len, salt_len, logr, minor; 216 u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt"; 217 u_int8_t csalt[BCRYPT_MAXSALT]; 218 u_int32_t cdata[BCRYPT_BLOCKS]; 219 int n; 220 size_t len; 221 222 /* Discard "$" identifier */ 223 salt++; 224 225 if (*salt > BCRYPT_VERSION) 226 return NULL; 227 228 /* Check for minor versions */ 229 if (salt[1] != '$') { 230 switch (salt[1]) { 231 case 'a': 232 /* 'ab' should not yield the same as 'abab' */ 233 minor = salt[1]; 234 salt++; 235 break; 236 default: 237 return NULL; 238 } 239 } else 240 minor = 0; 241 242 /* Discard version + "$" identifier */ 243 salt += 2; 244 245 if (salt[2] != '$') 246 /* Out of sync with passwd entry */ 247 return NULL; 248 249 /* Computer power doesn't increase linear, 2^x should be fine */ 250 n = atoi(salt); 251 if (n > 31 || n < 0) 252 return NULL; 253 logr = (u_int8_t)n; 254 if ((rounds = (u_int32_t) 1 << logr) < BCRYPT_MINROUNDS) 255 return NULL; 256 257 /* Discard num rounds + "$" identifier */ 258 salt += 3; 259 260 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT) 261 return NULL; 262 263 /* We dont want the base64 salt but the raw data */ 264 decode_base64(csalt, BCRYPT_MAXSALT, (const u_int8_t *)salt); 265 salt_len = BCRYPT_MAXSALT; 266 len = strlen(key); 267 if (len > 72) 268 key_len = 72; 269 else 270 key_len = (uint8_t)len; 271 key_len += minor >= 'a' ? 1 : 0; 272 273 /* Setting up S-Boxes and Subkeys */ 274 Blowfish_initstate(&state); 275 Blowfish_expandstate(&state, csalt, salt_len, 276 (const u_int8_t *) key, key_len); 277 for (k = 0; k < rounds; k++) { 278 Blowfish_expand0state(&state, (const u_int8_t *) key, key_len); 279 Blowfish_expand0state(&state, csalt, salt_len); 280 } 281 282 /* This can be precomputed later */ 283 j = 0; 284 for (i = 0; i < BCRYPT_BLOCKS; i++) 285 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j); 286 287 /* Now do the encryption */ 288 for (k = 0; k < 64; k++) 289 blf_enc(&state, cdata, BCRYPT_BLOCKS / 2); 290 291 for (i = 0; i < BCRYPT_BLOCKS; i++) { 292 ciphertext[4 * i + 3] = cdata[i] & 0xff; 293 cdata[i] = cdata[i] >> 8; 294 ciphertext[4 * i + 2] = cdata[i] & 0xff; 295 cdata[i] = cdata[i] >> 8; 296 ciphertext[4 * i + 1] = cdata[i] & 0xff; 297 cdata[i] = cdata[i] >> 8; 298 ciphertext[4 * i + 0] = cdata[i] & 0xff; 299 } 300 301 302 i = 0; 303 encrypted[i++] = '$'; 304 encrypted[i++] = BCRYPT_VERSION; 305 if (minor) 306 encrypted[i++] = minor; 307 encrypted[i++] = '$'; 308 309 snprintf(encrypted + i, 4, "%2.2u$", logr); 310 311 encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT); 312 encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext, 313 4 * BCRYPT_BLOCKS - 1); 314 explicit_memset(&state, 0, sizeof(state)); 315 return encrypted; 316 } 317 318 static void 319 encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len) 320 { 321 u_int8_t *bp = buffer; 322 u_int8_t *p = data; 323 u_int8_t c1, c2; 324 while (p < data + len) { 325 c1 = *p++; 326 *bp++ = Base64Code[((u_int32_t)c1 >> 2)]; 327 c1 = (c1 & 0x03) << 4; 328 if (p >= data + len) { 329 *bp++ = Base64Code[c1]; 330 break; 331 } 332 c2 = *p++; 333 c1 |= ((u_int32_t)c2 >> 4) & 0x0f; 334 *bp++ = Base64Code[c1]; 335 c1 = (c2 & 0x0f) << 2; 336 if (p >= data + len) { 337 *bp++ = Base64Code[c1]; 338 break; 339 } 340 c2 = *p++; 341 c1 |= ((u_int32_t)c2 >> 6) & 0x03; 342 *bp++ = Base64Code[c1]; 343 *bp++ = Base64Code[c2 & 0x3f]; 344 } 345 *bp = '\0'; 346 } 347 #if 0 348 void 349 main() 350 { 351 char blubber[73]; 352 char salt[100]; 353 char *p; 354 salt[0] = '$'; 355 salt[1] = BCRYPT_VERSION; 356 salt[2] = '$'; 357 358 snprintf(salt + 3, 4, "%2.2u$", 5); 359 360 printf("24 bytes of salt: "); 361 fgets(salt + 6, 94, stdin); 362 salt[99] = 0; 363 printf("72 bytes of password: "); 364 fpurge(stdin); 365 fgets(blubber, 73, stdin); 366 blubber[72] = 0; 367 368 p = crypt(blubber, salt); 369 printf("Passwd entry: %s\n\n", p); 370 371 p = bcrypt_gensalt(5); 372 printf("Generated salt: %s\n", p); 373 p = crypt(blubber, p); 374 printf("Passwd entry: %s\n", p); 375 } 376 #endif 377
Indexes created Sun Feb 22 16:20:20 UTC 2026