1 /*
2 * This version is derived from the original implementation of FreeSec
3 * (release 1.1) by David Burren. I've reviewed the changes made in
4 * OpenBSD (as of 2.7) and modified the original code in a similar way
5 * where applicable. I've also made it reentrant and made a number of
6 * other changes.
7 * - Solar Designer <solar at openwall.com>
8 */
9
10 /*
11 * FreeSec: libcrypt for NetBSD
12 *
13 * Copyright (c) 1994 David Burren
14 * All rights reserved.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
24 * 3. Neither the name of the author nor the names of other contributors
25 * may be used to endorse or promote products derived from this software
26 * without specific prior written permission.
27 *
28 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 *
40 * $Owl: Owl/packages/glibc/crypt_freesec.c,v 1.4 2005/11/16 13:08:32 solar Exp $
41 *
42 * This is an original implementation of the DES and the crypt(3) interfaces
43 * by David Burren <davidb at werj.com.au>.
44 *
45 * An excellent reference on the underlying algorithm (and related
46 * algorithms) is:
47 *
48 * B. Schneier, Applied Cryptography: protocols, algorithms,
49 * and source code in C, John Wiley & Sons, 1994.
50 *
51 * Note that in that book's description of DES the lookups for the initial,
52 * pbox, and final permutations are inverted (this has been brought to the
53 * attention of the author). A list of errata for this book has been
54 * posted to the sci.crypt newsgroup by the author and is available for FTP.
55 *
56 * ARCHITECTURE ASSUMPTIONS:
57 * This code used to have some nasty ones, but these have been removed
58 * by now. The code requires a 32-bit integer type, though.
59 */
60
61 #include <sys/types.h>
62 #include <string.h>
63
64 #ifdef TEST
65 #include <stdio.h>
66 #endif
67
68 #include "crypt_freesec.h"
69
70 #define _PASSWORD_EFMT1 '_'
71
72 static const uint8_t IP[64] = {
73 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
74 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
75 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
76 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
77 };
78
79 static const uint8_t key_perm[56] = {
80 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
81 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
82 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
83 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
84 };
85
86 static const uint8_t key_shifts[16] = {
87 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
88 };
89
90 static const uint8_t comp_perm[48] = {
91 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
92 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
93 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
94 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
95 };
96
97 /*
98 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
99 */
100
101 static const uint8_t sbox[8][64] = {
102 {
103 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
104 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
105 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
106 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
107 },
108 {
109 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
110 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
111 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
112 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
113 },
114 {
115 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
116 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
117 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
118 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
119 },
120 {
121 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
122 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
123 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
124 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
125 },
126 {
127 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
128 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
129 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
130 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
131 },
132 {
133 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
134 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
135 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
136 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
137 },
138 {
139 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
140 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
141 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
142 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
143 },
144 {
145 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
146 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
147 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
148 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
149 }
150 };
151
152 static const uint8_t pbox[32] = {
153 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
154 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
155 };
156
157 static const uint32_t bits32[32] =
158 {
159 0x80000000, 0x40000000, 0x20000000, 0x10000000,
160 0x08000000, 0x04000000, 0x02000000, 0x01000000,
161 0x00800000, 0x00400000, 0x00200000, 0x00100000,
162 0x00080000, 0x00040000, 0x00020000, 0x00010000,
163 0x00008000, 0x00004000, 0x00002000, 0x00001000,
164 0x00000800, 0x00000400, 0x00000200, 0x00000100,
165 0x00000080, 0x00000040, 0x00000020, 0x00000010,
166 0x00000008, 0x00000004, 0x00000002, 0x00000001
167 };
168
169 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
170
171 static const unsigned char ascii64[] =
172 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
173
174 static uint8_t m_sbox[4][4096];
175 static uint32_t psbox[4][256];
176 static uint32_t ip_maskl[8][256], ip_maskr[8][256];
177 static uint32_t fp_maskl[8][256], fp_maskr[8][256];
178 static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
179 static uint32_t comp_maskl[8][128], comp_maskr[8][128];
180
181 static inline int
ascii_to_bin(char ch)182 ascii_to_bin(char ch)
183 {
184 signed char sch = ch;
185 int retval;
186
187 retval = sch - '.';
188 if (sch >= 'A') {
189 retval = sch - ('A' - 12);
190 if (sch >= 'a')
191 retval = sch - ('a' - 38);
192 }
193 retval &= 0x3f;
194
195 return(retval);
196 }
197
198 /*
199 * When we choose to "support" invalid salts, nevertheless disallow those
200 * containing characters that would violate the passwd file format.
201 */
202 static inline int
ascii_is_unsafe(char ch)203 ascii_is_unsafe(char ch)
204 {
205 return !ch || ch == '\n' || ch == ':';
206 }
207
208 void
_crypt_extended_init(void)209 _crypt_extended_init(void)
210 {
211 int i, j, b, k, inbit, obit;
212 uint32_t *p, *il, *ir, *fl, *fr;
213 const uint32_t *bits28, *bits24;
214 uint8_t inv_key_perm[64];
215 uint8_t inv_comp_perm[56];
216 uint8_t init_perm[64], final_perm[64];
217 uint8_t u_sbox[8][64];
218 uint8_t un_pbox[32];
219
220 bits24 = (bits28 = bits32 + 4) + 4;
221
222 /*
223 * Invert the S-boxes, reordering the input bits.
224 */
225 for (i = 0; i < 8; i++)
226 for (j = 0; j < 64; j++) {
227 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
228 u_sbox[i][j] = sbox[i][b];
229 }
230
231 /*
232 * Convert the inverted S-boxes into 4 arrays of 8 bits.
233 * Each will handle 12 bits of the S-box input.
234 */
235 for (b = 0; b < 4; b++)
236 for (i = 0; i < 64; i++)
237 for (j = 0; j < 64; j++)
238 m_sbox[b][(i << 6) | j] =
239 (u_sbox[(b << 1)][i] << 4) |
240 u_sbox[(b << 1) + 1][j];
241
242 /*
243 * Set up the initial & final permutations into a useful form, and
244 * initialise the inverted key permutation.
245 */
246 for (i = 0; i < 64; i++) {
247 init_perm[final_perm[i] = IP[i] - 1] = i;
248 inv_key_perm[i] = 255;
249 }
250
251 /*
252 * Invert the key permutation and initialise the inverted key
253 * compression permutation.
254 */
255 for (i = 0; i < 56; i++) {
256 inv_key_perm[key_perm[i] - 1] = i;
257 inv_comp_perm[i] = 255;
258 }
259
260 /*
261 * Invert the key compression permutation.
262 */
263 for (i = 0; i < 48; i++) {
264 inv_comp_perm[comp_perm[i] - 1] = i;
265 }
266
267 /*
268 * Set up the OR-mask arrays for the initial and final permutations,
269 * and for the key initial and compression permutations.
270 */
271 for (k = 0; k < 8; k++) {
272 for (i = 0; i < 256; i++) {
273 *(il = &ip_maskl[k][i]) = 0;
274 *(ir = &ip_maskr[k][i]) = 0;
275 *(fl = &fp_maskl[k][i]) = 0;
276 *(fr = &fp_maskr[k][i]) = 0;
277 for (j = 0; j < 8; j++) {
278 inbit = 8 * k + j;
279 if (i & bits8[j]) {
280 if ((obit = init_perm[inbit]) < 32)
281 *il |= bits32[obit];
282 else
283 *ir |= bits32[obit-32];
284 if ((obit = final_perm[inbit]) < 32)
285 *fl |= bits32[obit];
286 else
287 *fr |= bits32[obit - 32];
288 }
289 }
290 }
291 for (i = 0; i < 128; i++) {
292 *(il = &key_perm_maskl[k][i]) = 0;
293 *(ir = &key_perm_maskr[k][i]) = 0;
294 for (j = 0; j < 7; j++) {
295 inbit = 8 * k + j;
296 if (i & bits8[j + 1]) {
297 if ((obit = inv_key_perm[inbit]) == 255)
298 continue;
299 if (obit < 28)
300 *il |= bits28[obit];
301 else
302 *ir |= bits28[obit - 28];
303 }
304 }
305 *(il = &comp_maskl[k][i]) = 0;
306 *(ir = &comp_maskr[k][i]) = 0;
307 for (j = 0; j < 7; j++) {
308 inbit = 7 * k + j;
309 if (i & bits8[j + 1]) {
310 if ((obit=inv_comp_perm[inbit]) == 255)
311 continue;
312 if (obit < 24)
313 *il |= bits24[obit];
314 else
315 *ir |= bits24[obit - 24];
316 }
317 }
318 }
319 }
320
321 /*
322 * Invert the P-box permutation, and convert into OR-masks for
323 * handling the output of the S-box arrays setup above.
324 */
325 for (i = 0; i < 32; i++)
326 un_pbox[pbox[i] - 1] = i;
327
328 for (b = 0; b < 4; b++)
329 for (i = 0; i < 256; i++) {
330 *(p = &psbox[b][i]) = 0;
331 for (j = 0; j < 8; j++) {
332 if (i & bits8[j])
333 *p |= bits32[un_pbox[8 * b + j]];
334 }
335 }
336 }
337
338 static void
des_init_local(struct php_crypt_extended_data * data)339 des_init_local(struct php_crypt_extended_data *data)
340 {
341 data->old_rawkey0 = data->old_rawkey1 = 0;
342 data->saltbits = 0;
343 data->old_salt = 0;
344
345 data->initialized = 1;
346 }
347
348 static void
setup_salt(uint32_t salt,struct php_crypt_extended_data * data)349 setup_salt(uint32_t salt, struct php_crypt_extended_data *data)
350 {
351 uint32_t obit, saltbit, saltbits;
352 int i;
353
354 if (salt == data->old_salt)
355 return;
356 data->old_salt = salt;
357
358 saltbits = 0;
359 saltbit = 1;
360 obit = 0x800000;
361 for (i = 0; i < 24; i++) {
362 if (salt & saltbit)
363 saltbits |= obit;
364 saltbit <<= 1;
365 obit >>= 1;
366 }
367 data->saltbits = saltbits;
368 }
369
370 static int
des_setkey(const char * key,struct php_crypt_extended_data * data)371 des_setkey(const char *key, struct php_crypt_extended_data *data)
372 {
373 uint32_t k0, k1, rawkey0, rawkey1;
374 int shifts, round;
375
376 rawkey0 =
377 (uint32_t)(uint8_t)key[3] |
378 ((uint32_t)(uint8_t)key[2] << 8) |
379 ((uint32_t)(uint8_t)key[1] << 16) |
380 ((uint32_t)(uint8_t)key[0] << 24);
381 rawkey1 =
382 (uint32_t)(uint8_t)key[7] |
383 ((uint32_t)(uint8_t)key[6] << 8) |
384 ((uint32_t)(uint8_t)key[5] << 16) |
385 ((uint32_t)(uint8_t)key[4] << 24);
386
387 if ((rawkey0 | rawkey1)
388 && rawkey0 == data->old_rawkey0
389 && rawkey1 == data->old_rawkey1) {
390 /*
391 * Already setup for this key.
392 * This optimisation fails on a zero key (which is weak and
393 * has bad parity anyway) in order to simplify the starting
394 * conditions.
395 */
396 return(0);
397 }
398 data->old_rawkey0 = rawkey0;
399 data->old_rawkey1 = rawkey1;
400
401 /*
402 * Do key permutation and split into two 28-bit subkeys.
403 */
404 k0 = key_perm_maskl[0][rawkey0 >> 25]
405 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
406 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
407 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
408 | key_perm_maskl[4][rawkey1 >> 25]
409 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
410 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
411 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
412 k1 = key_perm_maskr[0][rawkey0 >> 25]
413 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
414 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
415 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
416 | key_perm_maskr[4][rawkey1 >> 25]
417 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
418 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
419 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
420 /*
421 * Rotate subkeys and do compression permutation.
422 */
423 shifts = 0;
424 for (round = 0; round < 16; round++) {
425 uint32_t t0, t1;
426
427 shifts += key_shifts[round];
428
429 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
430 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
431
432 data->de_keysl[15 - round] =
433 data->en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
434 | comp_maskl[1][(t0 >> 14) & 0x7f]
435 | comp_maskl[2][(t0 >> 7) & 0x7f]
436 | comp_maskl[3][t0 & 0x7f]
437 | comp_maskl[4][(t1 >> 21) & 0x7f]
438 | comp_maskl[5][(t1 >> 14) & 0x7f]
439 | comp_maskl[6][(t1 >> 7) & 0x7f]
440 | comp_maskl[7][t1 & 0x7f];
441
442 data->de_keysr[15 - round] =
443 data->en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
444 | comp_maskr[1][(t0 >> 14) & 0x7f]
445 | comp_maskr[2][(t0 >> 7) & 0x7f]
446 | comp_maskr[3][t0 & 0x7f]
447 | comp_maskr[4][(t1 >> 21) & 0x7f]
448 | comp_maskr[5][(t1 >> 14) & 0x7f]
449 | comp_maskr[6][(t1 >> 7) & 0x7f]
450 | comp_maskr[7][t1 & 0x7f];
451 }
452 return(0);
453 }
454
455 static int
do_des(uint32_t l_in,uint32_t r_in,uint32_t * l_out,uint32_t * r_out,int count,struct php_crypt_extended_data * data)456 do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out,
457 int count, struct php_crypt_extended_data *data)
458 {
459 /*
460 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
461 */
462 uint32_t l, r, *kl, *kr, *kl1, *kr1;
463 uint32_t f, r48l, r48r, saltbits;
464 int round;
465
466 if (count == 0) {
467 return(1);
468 } else if (count > 0) {
469 /*
470 * Encrypting
471 */
472 kl1 = data->en_keysl;
473 kr1 = data->en_keysr;
474 } else {
475 /*
476 * Decrypting
477 */
478 count = -count;
479 kl1 = data->de_keysl;
480 kr1 = data->de_keysr;
481 }
482
483 /*
484 * Do initial permutation (IP).
485 */
486 l = ip_maskl[0][l_in >> 24]
487 | ip_maskl[1][(l_in >> 16) & 0xff]
488 | ip_maskl[2][(l_in >> 8) & 0xff]
489 | ip_maskl[3][l_in & 0xff]
490 | ip_maskl[4][r_in >> 24]
491 | ip_maskl[5][(r_in >> 16) & 0xff]
492 | ip_maskl[6][(r_in >> 8) & 0xff]
493 | ip_maskl[7][r_in & 0xff];
494 r = ip_maskr[0][l_in >> 24]
495 | ip_maskr[1][(l_in >> 16) & 0xff]
496 | ip_maskr[2][(l_in >> 8) & 0xff]
497 | ip_maskr[3][l_in & 0xff]
498 | ip_maskr[4][r_in >> 24]
499 | ip_maskr[5][(r_in >> 16) & 0xff]
500 | ip_maskr[6][(r_in >> 8) & 0xff]
501 | ip_maskr[7][r_in & 0xff];
502
503 saltbits = data->saltbits;
504 while (count--) {
505 /*
506 * Do each round.
507 */
508 kl = kl1;
509 kr = kr1;
510 round = 16;
511 while (round--) {
512 /*
513 * Expand R to 48 bits (simulate the E-box).
514 */
515 r48l = ((r & 0x00000001) << 23)
516 | ((r & 0xf8000000) >> 9)
517 | ((r & 0x1f800000) >> 11)
518 | ((r & 0x01f80000) >> 13)
519 | ((r & 0x001f8000) >> 15);
520
521 r48r = ((r & 0x0001f800) << 7)
522 | ((r & 0x00001f80) << 5)
523 | ((r & 0x000001f8) << 3)
524 | ((r & 0x0000001f) << 1)
525 | ((r & 0x80000000) >> 31);
526 /*
527 * Do salting for crypt() and friends, and
528 * XOR with the permuted key.
529 */
530 f = (r48l ^ r48r) & saltbits;
531 r48l ^= f ^ *kl++;
532 r48r ^= f ^ *kr++;
533 /*
534 * Do sbox lookups (which shrink it back to 32 bits)
535 * and do the pbox permutation at the same time.
536 */
537 f = psbox[0][m_sbox[0][r48l >> 12]]
538 | psbox[1][m_sbox[1][r48l & 0xfff]]
539 | psbox[2][m_sbox[2][r48r >> 12]]
540 | psbox[3][m_sbox[3][r48r & 0xfff]];
541 /*
542 * Now that we've permuted things, complete f().
543 */
544 f ^= l;
545 l = r;
546 r = f;
547 }
548 r = l;
549 l = f;
550 }
551 /*
552 * Do final permutation (inverse of IP).
553 */
554 *l_out = fp_maskl[0][l >> 24]
555 | fp_maskl[1][(l >> 16) & 0xff]
556 | fp_maskl[2][(l >> 8) & 0xff]
557 | fp_maskl[3][l & 0xff]
558 | fp_maskl[4][r >> 24]
559 | fp_maskl[5][(r >> 16) & 0xff]
560 | fp_maskl[6][(r >> 8) & 0xff]
561 | fp_maskl[7][r & 0xff];
562 *r_out = fp_maskr[0][l >> 24]
563 | fp_maskr[1][(l >> 16) & 0xff]
564 | fp_maskr[2][(l >> 8) & 0xff]
565 | fp_maskr[3][l & 0xff]
566 | fp_maskr[4][r >> 24]
567 | fp_maskr[5][(r >> 16) & 0xff]
568 | fp_maskr[6][(r >> 8) & 0xff]
569 | fp_maskr[7][r & 0xff];
570 return(0);
571 }
572
573 static int
des_cipher(const char * in,char * out,uint32_t salt,int count,struct php_crypt_extended_data * data)574 des_cipher(const char *in, char *out, uint32_t salt, int count,
575 struct php_crypt_extended_data *data)
576 {
577 uint32_t l_out = 0, r_out = 0, rawl, rawr;
578 int retval;
579
580 setup_salt(salt, data);
581
582 rawl =
583 (uint32_t)(uint8_t)in[3] |
584 ((uint32_t)(uint8_t)in[2] << 8) |
585 ((uint32_t)(uint8_t)in[1] << 16) |
586 ((uint32_t)(uint8_t)in[0] << 24);
587 rawr =
588 (uint32_t)(uint8_t)in[7] |
589 ((uint32_t)(uint8_t)in[6] << 8) |
590 ((uint32_t)(uint8_t)in[5] << 16) |
591 ((uint32_t)(uint8_t)in[4] << 24);
592
593 retval = do_des(rawl, rawr, &l_out, &r_out, count, data);
594
595 out[0] = l_out >> 24;
596 out[1] = l_out >> 16;
597 out[2] = l_out >> 8;
598 out[3] = l_out;
599 out[4] = r_out >> 24;
600 out[5] = r_out >> 16;
601 out[6] = r_out >> 8;
602 out[7] = r_out;
603
604 return(retval);
605 }
606
607 char *
_crypt_extended_r(const unsigned char * key,const char * setting,struct php_crypt_extended_data * data)608 _crypt_extended_r(const unsigned char *key, const char *setting,
609 struct php_crypt_extended_data *data)
610 {
611 int i;
612 uint32_t count, salt, l, r0, r1, keybuf[2];
613 uint8_t *p, *q;
614
615 if (!data->initialized)
616 des_init_local(data);
617
618 /*
619 * Copy the key, shifting each character up by one bit
620 * and padding with zeros.
621 */
622 q = (uint8_t *) keybuf;
623 while ((size_t)(q - (uint8_t *) keybuf) < sizeof(keybuf)) {
624 *q++ = *key << 1;
625 if (*key)
626 key++;
627 }
628 if (des_setkey((char *) keybuf, data))
629 return(NULL);
630
631 if (*setting == _PASSWORD_EFMT1) {
632 /*
633 * "new"-style:
634 * setting - underscore, 4 chars of count, 4 chars of salt
635 * key - unlimited characters
636 */
637 for (i = 1, count = 0; i < 5; i++) {
638 int value = ascii_to_bin(setting[i]);
639 if (ascii64[value] != setting[i])
640 return(NULL);
641 count |= value << (i - 1) * 6;
642 }
643 if (!count)
644 return(NULL);
645
646 for (i = 5, salt = 0; i < 9; i++) {
647 int value = ascii_to_bin(setting[i]);
648 if (ascii64[value] != setting[i])
649 return(NULL);
650 salt |= value << (i - 5) * 6;
651 }
652
653 while (*key) {
654 /*
655 * Encrypt the key with itself.
656 */
657 if (des_cipher((char *) keybuf, (char *) keybuf,
658 0, 1, data))
659 return(NULL);
660 /*
661 * And XOR with the next 8 characters of the key.
662 */
663 q = (uint8_t *) keybuf;
664 while ((size_t)(q - (uint8_t *) keybuf) < sizeof(keybuf) && *key)
665 *q++ ^= *key++ << 1;
666
667 if (des_setkey((char *) keybuf, data))
668 return(NULL);
669 }
670 memcpy(data->output, setting, 9);
671 data->output[9] = '\0';
672 p = (uint8_t *) data->output + 9;
673 } else {
674 /*
675 * "old"-style:
676 * setting - 2 chars of salt
677 * key - up to 8 characters
678 */
679 count = 25;
680
681 if (ascii_is_unsafe(setting[0]) || ascii_is_unsafe(setting[1]))
682 return(NULL);
683
684 salt = (ascii_to_bin(setting[1]) << 6)
685 | ascii_to_bin(setting[0]);
686
687 data->output[0] = setting[0];
688 data->output[1] = setting[1];
689 p = (uint8_t *) data->output + 2;
690 }
691 setup_salt(salt, data);
692 /*
693 * Do it.
694 */
695 if (do_des(0, 0, &r0, &r1, count, data))
696 return(NULL);
697 /*
698 * Now encode the result...
699 */
700 l = (r0 >> 8);
701 *p++ = ascii64[(l >> 18) & 0x3f];
702 *p++ = ascii64[(l >> 12) & 0x3f];
703 *p++ = ascii64[(l >> 6) & 0x3f];
704 *p++ = ascii64[l & 0x3f];
705
706 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
707 *p++ = ascii64[(l >> 18) & 0x3f];
708 *p++ = ascii64[(l >> 12) & 0x3f];
709 *p++ = ascii64[(l >> 6) & 0x3f];
710 *p++ = ascii64[l & 0x3f];
711
712 l = r1 << 2;
713 *p++ = ascii64[(l >> 12) & 0x3f];
714 *p++ = ascii64[(l >> 6) & 0x3f];
715 *p++ = ascii64[l & 0x3f];
716 *p = 0;
717
718 return(data->output);
719 }
720
721 #ifdef TEST
722 static char *
_crypt_extended(const char * key,const char * setting)723 _crypt_extended(const char *key, const char *setting)
724 {
725 static int initialized = 0;
726 static struct php_crypt_extended_data data;
727
728 if (!initialized) {
729 _crypt_extended_init();
730 initialized = 1;
731 data.initialized = 0;
732 }
733 return _crypt_extended_r(key, setting, &data);
734 }
735
736 #define crypt _crypt_extended
737
738 static const struct {
739 const char *hash;
740 const char *pw;
741 } tests[] = {
742 /* "new"-style */
743 {"_J9..CCCCXBrJUJV154M", "U*U*U*U*"},
744 {"_J9..CCCCXUhOBTXzaiE", "U*U***U"},
745 {"_J9..CCCC4gQ.mB/PffM", "U*U***U*"},
746 {"_J9..XXXXvlzQGqpPPdk", "*U*U*U*U"},
747 {"_J9..XXXXsqM/YSSP..Y", "*U*U*U*U*"},
748 {"_J9..XXXXVL7qJCnku0I", "*U*U*U*U*U*U*U*U"},
749 {"_J9..XXXXAj8cFbP5scI", "*U*U*U*U*U*U*U*U*"},
750 {"_J9..SDizh.vll5VED9g", "ab1234567"},
751 {"_J9..SDizRjWQ/zePPHc", "cr1234567"},
752 {"_J9..SDizxmRI1GjnQuE", "zxyDPWgydbQjgq"},
753 {"_K9..SaltNrQgIYUAeoY", "726 even"},
754 {"_J9..SDSD5YGyRCr4W4c", ""},
755 /* "old"-style, valid salts */
756 {"CCNf8Sbh3HDfQ", "U*U*U*U*"},
757 {"CCX.K.MFy4Ois", "U*U***U"},
758 {"CC4rMpbg9AMZ.", "U*U***U*"},
759 {"XXxzOu6maQKqQ", "*U*U*U*U"},
760 {"SDbsugeBiC58A", ""},
761 {"./xZjzHv5vzVE", "password"},
762 {"0A2hXM1rXbYgo", "password"},
763 {"A9RXdR23Y.cY6", "password"},
764 {"ZziFATVXHo2.6", "password"},
765 {"zZDDIZ0NOlPzw", "password"},
766 /* "old"-style, "reasonable" invalid salts, UFC-crypt behavior expected */
767 {"\001\002wyd0KZo65Jo", "password"},
768 {"a_C10Dk/ExaG.", "password"},
769 {"~\377.5OTsRVjwLo", "password"},
770 /* The below are erroneous inputs, so NULL return is expected/required */
771 {"", ""}, /* no salt */
772 {" ", ""}, /* setting string is too short */
773 {"a:", ""}, /* unsafe character */
774 {"\na", ""}, /* unsafe character */
775 {"_/......", ""}, /* setting string is too short for its type */
776 {"_........", ""}, /* zero iteration count */
777 {"_/!......", ""}, /* invalid character in count */
778 {"_/......!", ""}, /* invalid character in salt */
779 {NULL}
780 };
781
main(void)782 int main(void)
783 {
784 int i;
785
786 for (i = 0; tests[i].hash; i++) {
787 char *hash = crypt(tests[i].pw, tests[i].hash);
788 if (!hash && strlen(tests[i].hash) < 13)
789 continue; /* expected failure */
790 if (!strcmp(hash, tests[i].hash))
791 continue; /* expected success */
792 puts("FAILED");
793 return 1;
794 }
795
796 puts("PASSED");
797
798 return 0;
799 }
800 #endif
801
