/* * FreeSec: libcrypt for NetBSD * * Copyright (c) 1994 David Burren * All rights reserved. * * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet * this file should now *only* export crypt(), in order to make * binaries of libcrypt exportable from the USA * * Adapted for FreeBSD-4.0 by Mark R V Murray * this file should now *only* export crypt_des(), in order to make * a module that can be optionally included in libcrypt. * * Adapted for libxcrypt by Zack Weinberg, 2017 * see notes in des.c * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the author nor the names of other contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * This is an original implementation of the DES and the crypt(3) interfaces * by David Burren . */ #include "crypt-port.h" #include "crypt-private.h" #include "alg-des.h" #include #if INCLUDE_des || INCLUDE_des_xbsd || INCLUDE_des_big #define DES_TRD_OUTPUT_LEN 14 /* SShhhhhhhhhhh0 */ #define DES_EXT_OUTPUT_LEN 21 /* _CCCCSSSShhhhhhhhhhh0 */ #define DES_BIG_OUTPUT_LEN ((16*11) + 2 + 1) /* SS (hhhhhhhhhhh){1,16} 0 */ #define DES_MAX_OUTPUT_LEN \ MAX (DES_TRD_OUTPUT_LEN, MAX (DES_EXT_OUTPUT_LEN, DES_BIG_OUTPUT_LEN)) static_assert (DES_MAX_OUTPUT_LEN <= CRYPT_OUTPUT_SIZE, "CRYPT_OUTPUT_SIZE is too small for DES"); /* A des_buffer holds all of the sensitive intermediate data used by crypt_des_*. */ struct des_buffer { struct des_ctx ctx; uint8_t keybuf[8]; uint8_t pkbuf[8]; }; static_assert (sizeof (struct des_buffer) <= ALG_SPECIFIC_SIZE, "ALG_SPECIFIC_SIZE is too small for DES"); static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; /* 0000000000111111111122222222223333333333444444444455555555556666 */ /* 0123456789012345678901234567890123456789012345678901234567890123 */ static inline int ascii_to_bin(char ch) { if (ch > 'z') return -1; if (ch >= 'a') return ch - 'a' + 38; if (ch > 'Z') return -1; if (ch >= 'A') return ch - 'A' + 12; if (ch > '9') return -1; if (ch >= '.') return ch - '.'; return -1; } /* Generate an 11-character DES password hash into the buffer at OUTPUT, and nul-terminate it. The salt and key have already been set. The plaintext is 64 bits of zeroes, and the raw ciphertext is written to cbuf[]. */ static void des_gen_hash (struct des_ctx *ctx, uint32_t count, uint8_t *output, uint8_t cbuf[8]) { uint8_t plaintext[8]; XCRYPT_SECURE_MEMSET (plaintext, 8); des_crypt_block (ctx, cbuf, plaintext, count, false); /* Now encode the result. */ const uint8_t *sptr = cbuf; const uint8_t *end = sptr + 8; unsigned int c1, c2; do { c1 = *sptr++; *output++ = ascii64[c1 >> 2]; c1 = (c1 & 0x03) << 4; if (sptr >= end) { *output++ = ascii64[c1]; break; } c2 = *sptr++; c1 |= c2 >> 4; *output++ = ascii64[c1]; c1 = (c2 & 0x0f) << 2; if (sptr >= end) { *output++ = ascii64[c1]; break; } c2 = *sptr++; c1 |= c2 >> 6; *output++ = ascii64[c1]; *output++ = ascii64[c2 & 0x3f]; } while (sptr < end); *output = '\0'; } #endif #if INCLUDE_des /* The original UNIX DES-based password hash, no extensions. */ void crypt_des_rn (const char *phrase, size_t ARG_UNUSED (phr_size), const char *setting, size_t ARG_UNUSED (set_size), uint8_t *output, size_t out_size, void *scratch, size_t scr_size) { /* This shouldn't ever happen, but... */ if (out_size < DES_TRD_OUTPUT_LEN || scr_size < sizeof (struct des_buffer)) { errno = ERANGE; return; } struct des_buffer *buf = scratch; struct des_ctx *ctx = &buf->ctx; uint32_t salt = 0; uint8_t *keybuf = buf->keybuf, *pkbuf = buf->pkbuf; uint8_t *cp = output; int i; /* "old"-style: setting - 2 bytes of salt, phrase - up to 8 characters. Note: ascii_to_bin maps all byte values outside the ascii64 alphabet to -1. Do not read past the end of the string. */ i = ascii_to_bin (setting[0]); if (i < 0) { errno = EINVAL; return; } salt = (unsigned int)i; i = ascii_to_bin (setting[1]); if (i < 0) { errno = EINVAL; return; } salt |= ((unsigned int)i << 6); /* Write the canonical form of the salt to the output buffer. We do this instead of copying from the setting because the setting might be catastrophically malformed (e.g. a 0- or 1-byte string; this could plausibly happen if e.g. login(8) doesn't special-case "*" or "!" in the password database). */ *cp++ = ascii64[salt & 0x3f]; *cp++ = ascii64[(salt >> 6) & 0x3f]; /* Copy the first 8 characters of the password into keybuf, shifting each character up by 1 bit and padding on the right with zeroes. */ for (i = 0; i < 8; i++) { keybuf[i] = (uint8_t)(*phrase << 1); if (*phrase) phrase++; } des_set_key (ctx, keybuf); des_set_salt (ctx, salt); des_gen_hash (ctx, 25, cp, pkbuf); } #endif #if INCLUDE_des_big /* This algorithm is algorithm 0 (default) shipped with the C2 secure implementation of Digital UNIX. Disclaimer: This work is not based on the source code to Digital UNIX, nor am I (Andy Phillips) connected to Digital Equipment Corp, in any way other than as a customer. This code is based on published interfaces and reasonable guesswork. Description: The cleartext is divided into blocks of 8 characters or less. Each block is encrypted using the standard UNIX libc crypt function. The result of the encryption for one block provides the salt for the suceeding block. The output is simply the concatenation of all the blocks. Up to 16 blocks are supported (that is, the password can be no more than 128 characters long). Andy Phillips */ void crypt_des_big_rn (const char *phrase, size_t phr_size, const char *setting, size_t set_size, uint8_t *output, size_t out_size, void *scratch, size_t scr_size) { #if INCLUDE_des /* For backward compatibility, if the setting string is short enough to have been generated by the traditional DES algorithm, forward to traditional DES (which means that only the first 8 characters of 'phrase' are significant). */ if (strlen (setting) <= 13) { crypt_des_rn (phrase, phr_size, setting, set_size, output, out_size, scratch, scr_size); return; } #endif /* This shouldn't ever happen, but... */ if (out_size < DES_BIG_OUTPUT_LEN || scr_size < sizeof (struct des_buffer)) { errno = ERANGE; return; } struct des_buffer *buf = scratch; struct des_ctx *ctx = &buf->ctx; uint32_t salt = 0; uint8_t *keybuf = buf->keybuf, *pkbuf = buf->pkbuf; uint8_t *cp = output; int i, seg; /* The setting string is exactly the same as for a traditional DES hash. */ i = ascii_to_bin (setting[0]); if (i < 0) { errno = EINVAL; return; } salt = (unsigned int)i; i = ascii_to_bin (setting[1]); if (i < 0) { errno = EINVAL; return; } salt |= ((unsigned int)i << 6); *cp++ = ascii64[salt & 0x3f]; *cp++ = ascii64[(salt >> 6) & 0x3f]; for (seg = 0; seg < 16; seg++) { /* Copy and shift each block as for the traditional DES. */ for (i = 0; i < 8; i++) { keybuf[i] = (uint8_t)(*phrase << 1); if (*phrase) phrase++; } des_set_key (ctx, keybuf); des_set_salt (ctx, salt); des_gen_hash (ctx, 25, cp, pkbuf); if (*phrase == 0) break; /* change the salt (1st 2 chars of previous block) - this was found by dowsing - no need to check for invalid characters here */ salt = (unsigned int)ascii_to_bin ((char)cp[0]); salt |= (unsigned int)ascii_to_bin ((char)cp[1]) << 6; cp += 11; } } #endif #if INCLUDE_des_xbsd /* crypt_rn() entry point for BSD-style extended DES hashes. These permit long passwords and have more salt and a controllable iteration count, but are still unacceptably weak by modern standards. */ void crypt_des_xbsd_rn (const char *phrase, size_t ARG_UNUSED (phr_size), const char *setting, size_t set_size, uint8_t *output, size_t out_size, void *scratch, size_t scr_size) { /* This shouldn't ever happen, but... */ if (out_size < DES_EXT_OUTPUT_LEN || scr_size < sizeof (struct des_buffer)) { errno = ERANGE; return; } /* If this is true, this function shouldn't have been called. Setting must be at least 9 bytes long, byte 10+ is ignored. */ if (*setting != '_' || set_size < 9) { errno = EINVAL; return; } struct des_buffer *buf = scratch; struct des_ctx *ctx = &buf->ctx; uint32_t count = 0, salt = 0; uint8_t *keybuf = buf->keybuf, *pkbuf = buf->pkbuf; uint8_t *cp = output; int i, x; /* "new"-style DES hash: setting - underscore, 4 bytes of count, 4 bytes of salt phrase - unlimited characters */ for (i = 1; i < 5; i++) { x = ascii_to_bin(setting[i]); if (x < 0) { errno = EINVAL; return; } count |= (unsigned int)x << ((i - 1) * 6); } for (i = 5; i < 9; i++) { x = ascii_to_bin(setting[i]); if (x < 0) { errno = EINVAL; return; } salt |= (unsigned int)x << ((i - 5) * 6); } memcpy (cp, setting, 9); cp += 9; /* Fold passwords longer than 8 bytes into a single DES key using a procedure similar to a Merkle-Dåmgard hash construction. Each block is shifted and padded, as for the traditional hash, then XORed with the output of the previous round (IV all bits zero), set as the DES key, and encrypted to produce the round output. The salt is zero throughout this procedure. */ des_set_salt (ctx, 0); XCRYPT_SECURE_MEMSET (pkbuf, 8); for (;;) { for (i = 0; i < 8; i++) { keybuf[i] = (uint8_t)(pkbuf[i] ^ (*phrase << 1)); if (*phrase) phrase++; } des_set_key (ctx, keybuf); if (*phrase == 0) break; des_crypt_block (ctx, pkbuf, keybuf, 1, false); } /* Proceed as for the traditional DES hash. */ des_set_salt (ctx, salt); des_gen_hash (ctx, count, cp, pkbuf); } #endif #if INCLUDE_des || INCLUDE_des_big void gensalt_des_rn (unsigned long count, const uint8_t *rbytes, size_t nrbytes, uint8_t *output, size_t output_size) { if (output_size < 3) { errno = ERANGE; return; } if (nrbytes < 2 || (count != 0 && count != 25)) { errno = EINVAL; return; } output[0] = ascii64[(unsigned int) rbytes[0] & 0x3f]; output[1] = ascii64[(unsigned int) rbytes[1] & 0x3f]; output[2] = '\0'; } #if INCLUDE_des_big strong_alias (gensalt_des_rn, gensalt_des_big_rn); #endif #endif #if INCLUDE_des_xbsd void gensalt_des_xbsd_rn (unsigned long count, const uint8_t *rbytes, size_t nrbytes, uint8_t *output, size_t output_size) { if (output_size < 1 + 4 + 4 + 1) { errno = ERANGE; return; } if (count == 0) count = 725; /* Even iteration counts make it easier to detect weak DES keys from a look at the hash, so they should be avoided. */ if (nrbytes < 3 || count > 0xffffff || count % 2 == 0) { errno = EINVAL; return; } unsigned long value = ((unsigned long) (unsigned char) rbytes[0] << 0) | ((unsigned long) (unsigned char) rbytes[1] << 8) | ((unsigned long) (unsigned char) rbytes[2] << 16); output[0] = '_'; output[1] = ascii64[(count >> 0) & 0x3f]; output[2] = ascii64[(count >> 6) & 0x3f]; output[3] = ascii64[(count >> 12) & 0x3f]; output[4] = ascii64[(count >> 18) & 0x3f]; output[5] = ascii64[(value >> 0) & 0x3f]; output[6] = ascii64[(value >> 6) & 0x3f]; output[7] = ascii64[(value >> 12) & 0x3f]; output[8] = ascii64[(value >> 18) & 0x3f]; output[9] = '\0'; } #endif