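/* $NetBSD: bcrypt.c,v 1.22 2021/10/16 10:53:33 nia Exp $ */
/* $OpenBSD: bcrypt.c,v 1.16 2002/02/19 19:39:36 millert Exp $ */

/*
 * Copyright 1997 Niels Provos <provos (at) physnet.uni-hamburg.de>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by Niels Provos.
 * 4. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/* This password hashing algorithm was designed by David Mazieres
 * <dm (at) lcs.mit.edu> and works as follows:
 *
 * 1. state := InitState ()
 * 2. state := ExpandKey (state, salt, password)
 * 3. REPEAT rounds:
 *	state := ExpandKey (state, 0, password)
 *	state := ExpandKey (state, 0, salt)
 * 4. ctext := "OrpheanBeholderScryDoubt"
 * 5. REPEAT 64:
 *	ctext := Encrypt_ECB (state, ctext);
 * 6. RETURN Concatenate (salt, ctext);
 *
 */
#include <sys/cdefs.h>
__RCSID("$NetBSD: bcrypt.c,v 1.22 2021/10/16 10:53:33 nia Exp $");

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <string.h>
#include <pwd.h>
#include <errno.h>
#include <limits.h>

#include "crypt.h"
#include "blowfish.c"

/* This implementation is adaptable to current computing power.
 * You can have up to 2^31 rounds which should be enough for some
 * time to come.
 */

#define BCRYPT_VERSION '2'
#define BCRYPT_MAXSALT 16	/* Precomputation is just so nice */
#define BCRYPT_MAXSALTLEN	(7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1)
#define BCRYPT_BLOCKS 6		/* Ciphertext blocks */
#define BCRYPT_MINROUNDS 16	/* we have log2(rounds) in salt */

static void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t);
static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t);
static int decode_base64(u_int8_t *, u_int16_t, const u_int8_t *);

crypt_private char *__bcrypt(const char *, const char *);	/* XXX */

/*
 * Result buffer returned by __bcrypt().  It is shared by every call, so
 * the returned string is overwritten by the next call.
 */
static char    encrypted[_PASSWORD_LEN];

/* The bcrypt base64 alphabet, indexed by 6-bit value. */
static const u_int8_t Base64Code[] =
"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

char *bcrypt_gensalt(u_int8_t);

/*
 * Reverse of Base64Code for the 7-bit character range: the 6-bit value of
 * each alphabet character, 255 for everything else (including NUL).
 */
static const u_int8_t index_64[128] =
{
	255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
	255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
	255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
	255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
	255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
	56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
	255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
	7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
	17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
	255, 255, 255, 255, 255, 255, 28, 29, 30,
	31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
	41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
	51, 52, 53, 255, 255, 255, 255, 255
};
#define CHAR64(c)  ( (c) > 127 ? 255 : index_64[(c)])

/*
 * Decode bcrypt-base64 text from `data` into exactly `len` bytes at
 * `buffer`.
 *
 * Returns 0 when all `len` bytes were produced, and -1 as soon as a
 * character outside the alphabet (which includes the terminating NUL) is
 * met.  On -1 only a prefix of `buffer` has been written, so the caller
 * must not use the buffer.
 */
static int
decode_base64(u_int8_t *buffer, u_int16_t len, const u_int8_t *data)
{
	u_int8_t *bp = buffer;
	const u_int8_t *p = data;
	u_int8_t c1, c2, c3, c4;

	while (bp < buffer + len) {
		/*
		 * Test each character before looking at the next one, so
		 * that nothing beyond the terminating NUL is ever read.
		 */
		c1 = CHAR64(*p);
		if (c1 == 255)
			return -1;
		c2 = CHAR64(*(p + 1));
		if (c2 == 255)
			return -1;

		*bp++ = ((u_int32_t)c1 << 2) | (((u_int32_t)c2 & 0x30) >> 4);
		if (bp >= buffer + len)
			break;

		c3 = CHAR64(*(p + 2));
		if (c3 == 255)
			return -1;

		*bp++ = (((u_int32_t)c2 & 0x0f) << 4) | (((uint32_t)c3 & 0x3c) >> 2);
		if (bp >= buffer + len)
			break;

		c4 = CHAR64(*(p + 3));
		if (c4 == 255)
			return -1;
		*bp++ = ((c3 & 0x03) << 6) | c4;

		p += 4;
	}
	return 0;
}

/*
 * Write a complete salt string, "$2a$NN$" followed by the base64 form of
 * the `clen` raw bytes at `csalt`, into `salt`.  `logr` is printed as the
 * two-digit cost NN.  No length is passed for `salt`; the caller has to
 * supply a buffer large enough (see BCRYPT_MAXSALTLEN for a 16-byte salt).
 */
static void
encode_salt(char *salt, u_int8_t *csalt, u_int16_t clen, u_int8_t logr)
{
	salt[0] = '$';
	salt[1] = BCRYPT_VERSION;
	salt[2] = 'a';
	salt[3] = '$';

	snprintf(salt + 4, 4, "%2.2u$", logr);

	encode_base64((u_int8_t *) salt + 7, csalt, clen);
}

/*
 * Generate a fresh bcrypt salt string into `salt` (capacity `saltlen`).
 *
 * `option` is the cost (log2 of the round count) as a number in any base
 * strtoul() accepts; values below 4 are raised to 4 and values above 31
 * are lowered to 31.  The 16 salt bytes come from arc4random().
 *
 * Returns 0 on success.  Returns -1 with errno set to ENOSPC when the
 * buffer is too small, to EINVAL when `option` is NULL or not entirely a
 * number, and to ERANGE when the number overflows.
 */
crypt_private int
__gensalt_blowfish(char *salt, size_t saltlen, const char *option)
{
	size_t i;
	u_int32_t seed = 0;
	u_int8_t csalt[BCRYPT_MAXSALT];
	unsigned long nrounds;
	char *ep;
	int saved_errno;

	if (saltlen < BCRYPT_MAXSALTLEN) {
		errno = ENOSPC;
		return -1;
	}
	if (option == NULL) {
		errno = EINVAL;
		return -1;
	}
	/*
	 * strtoul() reports overflow only through errno, so clear it first;
	 * a stale ERANGE left by an earlier call must not be mistaken for
	 * an overflow here.  The caller's value is restored on success.
	 */
	saved_errno = errno;
	errno = 0;
	nrounds = strtoul(option, &ep, 0);
	if (option == ep || *ep) {
		errno = EINVAL;
		return -1;
	}
	if (errno == ERANGE && nrounds == ULONG_MAX)
		return -1;
	errno = saved_errno;

	if (nrounds < 4)
		nrounds = 4;
	else if (nrounds > 31)
		nrounds = 31;

	/* One arc4random() word supplies four consecutive salt bytes. */
	for (i = 0; i < BCRYPT_MAXSALT; i++) {
		if (i % 4 == 0)
			seed = arc4random();
		csalt[i] = seed & 0xff;
		seed = seed >> 8;
	}
	encode_salt(salt, csalt, BCRYPT_MAXSALT, (u_int8_t)nrounds);
	return 0;
}

/* Generates a salt for this version of crypt.
   Since versions may change. Keeping this here
   seems sensible.
   XXX: compat.

   Returns a pointer to a static buffer that the next call overwrites,
   or NULL when __gensalt_blowfish() fails.
*/
char *
bcrypt_gensalt(u_int8_t log_rounds)
{
	static char gsalt[BCRYPT_MAXSALTLEN];
	char num[10];

	(void)snprintf(num, sizeof(num), "%d", log_rounds);
	if (__gensalt_blowfish(gsalt, sizeof(gsalt), num) == -1)
		return NULL;
	return gsalt;
}

/* We handle $Vers$log2(NumRounds)$salt+passwd$
   i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */

/*
 * Hash `key` with the parameters encoded in `salt`, which is either a salt
 * string or a complete stored hash.
 *
 * Returns the hash string in the static buffer `encrypted` (overwritten by
 * the next call), or NULL when `salt` is malformed: unknown version or
 * minor, truncated prefix, cost outside 4..31, or a salt field that is too
 * short or contains a character outside the bcrypt base64 alphabet.
 *
 * `salt` may come from a password database entry, so every byte is
 * checked before the next one is read.
 */
crypt_private char *
__bcrypt(const char *key, const char *salt)
{
	blf_ctx state;
	u_int32_t rounds, i, k;
	u_int16_t j;
	u_int8_t key_len, salt_len, logr, minor;
	u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
	u_int8_t csalt[BCRYPT_MAXSALT];
	u_int32_t cdata[BCRYPT_BLOCKS];
	int n;
	size_t len;

	/* An empty string has no "$" identifier to discard */
	if (*salt == '\0')
		return NULL;

	/* Discard "$" identifier */
	salt++;

	/*
	 * Reject a missing version as well as one that is too new.
	 * NOTE(review): version characters below BCRYPT_VERSION pass this
	 * comparison -- confirm that is intended.
	 */
	if (*salt == '\0' || *salt > BCRYPT_VERSION)
		return NULL;

	/* Check for minor versions */
	if (salt[1] != '$') {
		switch (salt[1]) {
		case 'a':
			/* 'ab' should not yield the same as 'abab' */
			minor = salt[1];
			salt++;
			break;
		default:
			return NULL;
		}
	} else
		minor = 0;

	/*
	 * The version (or minor) character must be followed by "$".  This
	 * also stops a string that ends right after the minor from being
	 * stepped over below.
	 */
	if (salt[1] != '$')
		return NULL;

	/* Discard version + "$" identifier */
	salt += 2;

	/*
	 * Two cost characters and "$" must follow.  The bytes are tested in
	 * order so a truncated string is rejected before its end is passed.
	 */
	if (salt[0] == '\0' || salt[1] == '\0' || salt[2] != '$')
		/* Out of sync with passwd entry */
		return NULL;

	/* Computer power doesn't increase linear, 2^x should be fine */
	n = atoi(salt);
	if (n > 31 || n < 0)
		return NULL;
	logr = (u_int8_t)n;
	if ((rounds = (u_int32_t) 1 << logr) < BCRYPT_MINROUNDS)
		return NULL;

	/* Discard num rounds + "$" identifier */
	salt += 3;

	if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
		return NULL;

	/*
	 * We dont want the base64 salt but the raw data.  A salt holding a
	 * character outside the alphabet is refused: hashing on would use,
	 * and echo into the result, bytes of csalt that were never written.
	 */
	if (decode_base64(csalt, BCRYPT_MAXSALT, (const u_int8_t *)salt) != 0)
		return NULL;
	salt_len = BCRYPT_MAXSALT;

	/*
	 * Only the first 72 bytes of the key are used.  With minor 'a' one
	 * more byte is included, which is the terminating NUL whenever the
	 * key is at most 72 bytes long.
	 */
	len = strlen(key);
	if (len > 72)
		key_len = 72;
	else
		key_len = (uint8_t)len;
	key_len += minor >= 'a' ? 1 : 0;

	/* Setting up S-Boxes and Subkeys */
	Blowfish_initstate(&state);
	Blowfish_expandstate(&state, csalt, salt_len,
	    (const u_int8_t *) key, key_len);
	for (k = 0; k < rounds; k++) {
		Blowfish_expand0state(&state, (const u_int8_t *) key, key_len);
		Blowfish_expand0state(&state, csalt, salt_len);
	}

	/* This can be precomputed later */
	j = 0;
	for (i = 0; i < BCRYPT_BLOCKS; i++)
		cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j);

	/* Now do the encryption */
	for (k = 0; k < 64; k++)
		blf_enc(&state, cdata, BCRYPT_BLOCKS / 2);

	/* Store each 32-bit word back as four bytes, most significant first */
	for (i = 0; i < BCRYPT_BLOCKS; i++) {
		ciphertext[4 * i + 3] = cdata[i] & 0xff;
		cdata[i] = cdata[i] >> 8;
		ciphertext[4 * i + 2] = cdata[i] & 0xff;
		cdata[i] = cdata[i] >> 8;
		ciphertext[4 * i + 1] = cdata[i] & 0xff;
		cdata[i] = cdata[i] >> 8;
		ciphertext[4 * i + 0] = cdata[i] & 0xff;
	}


	i = 0;
	encrypted[i++] = '$';
	encrypted[i++] = BCRYPT_VERSION;
	if (minor)
		encrypted[i++] = minor;
	encrypted[i++] = '$';

	snprintf(encrypted + i, 4, "%2.2u$", logr);

	encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT);
	/* The last ciphertext byte is deliberately left out of the encoding */
	encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext,
	    4 * BCRYPT_BLOCKS - 1);
	/* The key schedule is derived from the password; wipe it before returning */
	explicit_memset(&state, 0, sizeof(state));
	return encrypted;
}

/*
 * Encode the `len` bytes at `data` as NUL-terminated bcrypt-base64 text in
 * `buffer`.  No padding characters are emitted.  The output length is not
 * bounded here: the caller must provide room for (len * 4 + 2) / 3
 * characters plus the terminating NUL.
 */
static void
encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len)
{
	u_int8_t *bp = buffer;
	u_int8_t *p = data;
	u_int8_t c1, c2;

	while (p < data + len) {
		c1 = *p++;
		*bp++ = Base64Code[((u_int32_t)c1 >> 2)];
		c1 = (c1 & 0x03) << 4;
		if (p >= data + len) {
			*bp++ = Base64Code[c1];
			break;
		}
		c2 = *p++;
		c1 |= ((u_int32_t)c2 >> 4) & 0x0f;
		*bp++ = Base64Code[c1];
		c1 = (c2 & 0x0f) << 2;
		if (p >= data + len) {
			*bp++ = Base64Code[c1];
			break;
		}
		c2 = *p++;
		c1 |= ((u_int32_t)c2 >> 6) & 0x03;
		*bp++ = Base64Code[c1];
		*bp++ = Base64Code[c2 & 0x3f];
	}
	*bp = '\0';
}
#if 0
/* Interactive test driver; compiled out. */
void
main()
{
	char    blubber[73];
	char    salt[100];
	char   *p;
	salt[0] = '$';
	salt[1] = BCRYPT_VERSION;
	salt[2] = '$';

	snprintf(salt + 3, 4, "%2.2u$", 5);

	printf("24 bytes of salt: ");
	fgets(salt + 6, 94, stdin);
	salt[99] = 0;
	printf("72 bytes of password: ");
	fpurge(stdin);
	fgets(blubber, 73, stdin);
	blubber[72] = 0;

	p = crypt(blubber, salt);
	printf("Passwd entry: %s\n\n", p);

	p = bcrypt_gensalt(5);
	printf("Generated salt: %s\n", p);
	p = crypt(blubber, p);
	printf("Passwd entry: %s\n", p);
}
#endif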