1 /**************************************************************************
2 * Implementation of crypt(3) using routines in libcrypto from openssl for
3 * use on Android in Termux.
5 * https://www.freebsd.org/cgi/man.cgi?crypt(3)
6 * http://man7.org/linux/man-pages/man3/crypt.3.html
8 * Relevant code is from FreeBSD with license given below.
9 **************************************************************************/
12 * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <arpa/inet.h>
43 #include <openssl/sha.h>
44 #include <openssl/md5.h>
46 /* START: Freebsd compat */
47 typedef unsigned long u_long;
48 #define MIN(a,b) (((a)<(b))?(a):(b))
49 #define MAX(a,b) (((a)>(b))?(a):(b))
51 #define _PASSWORD_EFMT1 '_'
52 #define DES_SALT_ALPHABET \
53 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
54 #define MD5Init MD5_Init
55 #define MD5Update MD5_Update
56 #define MD5Final MD5_Final
57 /* END: Freebsd compat */
60 /* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/misc.c */
61 static char itoa64[] = /* 0 ... 63 => ascii - 64 */
62 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
65 _crypt_to64(char *s, u_long v, int n)
68 *s++ = itoa64[v&0x3f];
74 b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp)
79 w = (B2 << 16) | (B1 << 8) | B0;
80 for (i = 0; i < n; i++) {
81 **cp = itoa64[w&0x3f];
88 /* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/misc.c */
91 /* START: https://github.com/freebsd/freebsd/blob/master/secure/lib/libcrypt/crypt-des.c */
92 #if defined(__GNUC__) && !defined(lint)
98 static u_char IP[64] = {
99 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
100 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
101 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
102 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
105 static u_char inv_key_perm[64];
106 static u_char key_perm[56] = {
107 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
108 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
109 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
110 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
113 static u_char key_shifts[16] = {
114 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
117 static u_char inv_comp_perm[56];
118 static u_char comp_perm[48] = {
119 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
120 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
121 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
122 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
126 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
129 static u_char u_sbox[8][64];
130 static u_char sbox[8][64] = {
132 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
133 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
134 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
135 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
138 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
139 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
140 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
141 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
144 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
145 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
146 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
147 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
150 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
151 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
152 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
153 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
156 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
157 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
158 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
159 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
162 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
163 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
164 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
165 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
168 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
169 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
170 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
171 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
174 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
175 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
176 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
177 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
181 static u_char un_pbox[32];
182 static u_char pbox[32] = {
183 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
184 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
187 static u_int32_t bits32[32] =
189 0x80000000, 0x40000000, 0x20000000, 0x10000000,
190 0x08000000, 0x04000000, 0x02000000, 0x01000000,
191 0x00800000, 0x00400000, 0x00200000, 0x00100000,
192 0x00080000, 0x00040000, 0x00020000, 0x00010000,
193 0x00008000, 0x00004000, 0x00002000, 0x00001000,
194 0x00000800, 0x00000400, 0x00000200, 0x00000100,
195 0x00000080, 0x00000040, 0x00000020, 0x00000010,
196 0x00000008, 0x00000004, 0x00000002, 0x00000001
199 static u_char bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
201 static u_int32_t saltbits;
202 static u_int32_t old_salt;
203 static u_int32_t *bits28, *bits24;
204 static u_char init_perm[64], final_perm[64];
205 static u_int32_t en_keysl[16], en_keysr[16];
206 static u_int32_t de_keysl[16], de_keysr[16];
207 static int des_initialised = 0;
208 static u_char m_sbox[4][4096];
209 static u_int32_t psbox[4][256];
210 static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
211 static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
212 static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
213 static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
214 static u_int32_t old_rawkey0, old_rawkey1;
216 static u_char ascii64[] =
217 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
218 /* 0000000000111111111122222222223333333333444444444455555555556666 */
219 /* 0123456789012345678901234567890123456789012345678901234567890123 */
222 ascii_to_bin(char ch)
227 return(ch - 'a' + 38);
231 return(ch - 'A' + 12);
242 int i, j, b, k, inbit, obit;
243 u_int32_t *p, *il, *ir, *fl, *fr;
245 old_rawkey0 = old_rawkey1 = 0L;
248 bits24 = (bits28 = bits32 + 4) + 4;
251 * Invert the S-boxes, reordering the input bits.
253 for (i = 0; i < 8; i++)
254 for (j = 0; j < 64; j++) {
255 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
256 u_sbox[i][j] = sbox[i][b];
260 * Convert the inverted S-boxes into 4 arrays of 8 bits.
261 * Each will handle 12 bits of the S-box input.
263 for (b = 0; b < 4; b++)
264 for (i = 0; i < 64; i++)
265 for (j = 0; j < 64; j++)
266 m_sbox[b][(i << 6) | j] =
267 (u_char)((u_sbox[(b << 1)][i] << 4) |
268 u_sbox[(b << 1) + 1][j]);
271 * Set up the initial & final permutations into a useful form, and
272 * initialise the inverted key permutation.
274 for (i = 0; i < 64; i++) {
275 init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
276 inv_key_perm[i] = 255;
280 * Invert the key permutation and initialise the inverted key
281 * compression permutation.
283 for (i = 0; i < 56; i++) {
284 inv_key_perm[key_perm[i] - 1] = (u_char)i;
285 inv_comp_perm[i] = 255;
289 * Invert the key compression permutation.
291 for (i = 0; i < 48; i++) {
292 inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
296 * Set up the OR-mask arrays for the initial and final permutations,
297 * and for the key initial and compression permutations.
299 for (k = 0; k < 8; k++) {
300 for (i = 0; i < 256; i++) {
301 *(il = &ip_maskl[k][i]) = 0L;
302 *(ir = &ip_maskr[k][i]) = 0L;
303 *(fl = &fp_maskl[k][i]) = 0L;
304 *(fr = &fp_maskr[k][i]) = 0L;
305 for (j = 0; j < 8; j++) {
308 if ((obit = init_perm[inbit]) < 32)
311 *ir |= bits32[obit-32];
312 if ((obit = final_perm[inbit]) < 32)
315 *fr |= bits32[obit - 32];
319 for (i = 0; i < 128; i++) {
320 *(il = &key_perm_maskl[k][i]) = 0L;
321 *(ir = &key_perm_maskr[k][i]) = 0L;
322 for (j = 0; j < 7; j++) {
324 if (i & bits8[j + 1]) {
325 if ((obit = inv_key_perm[inbit]) == 255)
330 *ir |= bits28[obit - 28];
333 *(il = &comp_maskl[k][i]) = 0L;
334 *(ir = &comp_maskr[k][i]) = 0L;
335 for (j = 0; j < 7; j++) {
337 if (i & bits8[j + 1]) {
338 if ((obit=inv_comp_perm[inbit]) == 255)
343 *ir |= bits24[obit - 24];
350 * Invert the P-box permutation, and convert into OR-masks for
351 * handling the output of the S-box arrays setup above.
353 for (i = 0; i < 32; i++)
354 un_pbox[pbox[i] - 1] = (u_char)i;
356 for (b = 0; b < 4; b++)
357 for (i = 0; i < 256; i++) {
358 *(p = &psbox[b][i]) = 0L;
359 for (j = 0; j < 8; j++) {
361 *p |= bits32[un_pbox[8 * b + j]];
369 setup_salt(u_int32_t salt)
371 u_int32_t obit, saltbit;
374 if (salt == old_salt)
381 for (i = 0; i < 24; i++) {
390 des_setkey(const char *key)
392 u_int32_t k0, k1, rawkey0, rawkey1;
395 if (!des_initialised)
398 rawkey0 = ntohl(*(const u_int32_t *) key);
399 rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
401 if ((rawkey0 | rawkey1)
402 && rawkey0 == old_rawkey0
403 && rawkey1 == old_rawkey1) {
405 * Already setup for this key.
406 * This optimisation fails on a zero key (which is weak and
407 * has bad parity anyway) in order to simplify the starting
412 old_rawkey0 = rawkey0;
413 old_rawkey1 = rawkey1;
416 * Do key permutation and split into two 28-bit subkeys.
418 k0 = key_perm_maskl[0][rawkey0 >> 25]
419 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
420 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
421 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
422 | key_perm_maskl[4][rawkey1 >> 25]
423 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
424 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
425 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
426 k1 = key_perm_maskr[0][rawkey0 >> 25]
427 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
428 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
429 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
430 | key_perm_maskr[4][rawkey1 >> 25]
431 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
432 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
433 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
435 * Rotate subkeys and do compression permutation.
438 for (round = 0; round < 16; round++) {
441 shifts += key_shifts[round];
443 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
444 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
446 de_keysl[15 - round] =
447 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
448 | comp_maskl[1][(t0 >> 14) & 0x7f]
449 | comp_maskl[2][(t0 >> 7) & 0x7f]
450 | comp_maskl[3][t0 & 0x7f]
451 | comp_maskl[4][(t1 >> 21) & 0x7f]
452 | comp_maskl[5][(t1 >> 14) & 0x7f]
453 | comp_maskl[6][(t1 >> 7) & 0x7f]
454 | comp_maskl[7][t1 & 0x7f];
456 de_keysr[15 - round] =
457 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
458 | comp_maskr[1][(t0 >> 14) & 0x7f]
459 | comp_maskr[2][(t0 >> 7) & 0x7f]
460 | comp_maskr[3][t0 & 0x7f]
461 | comp_maskr[4][(t1 >> 21) & 0x7f]
462 | comp_maskr[5][(t1 >> 14) & 0x7f]
463 | comp_maskr[6][(t1 >> 7) & 0x7f]
464 | comp_maskr[7][t1 & 0x7f];
470 do_des( u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
473 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
475 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
476 u_int32_t f, r48l, r48r;
481 } else if (count > 0) {
497 * Do initial permutation (IP).
499 l = ip_maskl[0][l_in >> 24]
500 | ip_maskl[1][(l_in >> 16) & 0xff]
501 | ip_maskl[2][(l_in >> 8) & 0xff]
502 | ip_maskl[3][l_in & 0xff]
503 | ip_maskl[4][r_in >> 24]
504 | ip_maskl[5][(r_in >> 16) & 0xff]
505 | ip_maskl[6][(r_in >> 8) & 0xff]
506 | ip_maskl[7][r_in & 0xff];
507 r = ip_maskr[0][l_in >> 24]
508 | ip_maskr[1][(l_in >> 16) & 0xff]
509 | ip_maskr[2][(l_in >> 8) & 0xff]
510 | ip_maskr[3][l_in & 0xff]
511 | ip_maskr[4][r_in >> 24]
512 | ip_maskr[5][(r_in >> 16) & 0xff]
513 | ip_maskr[6][(r_in >> 8) & 0xff]
514 | ip_maskr[7][r_in & 0xff];
525 * Expand R to 48 bits (simulate the E-box).
527 r48l = ((r & 0x00000001) << 23)
528 | ((r & 0xf8000000) >> 9)
529 | ((r & 0x1f800000) >> 11)
530 | ((r & 0x01f80000) >> 13)
531 | ((r & 0x001f8000) >> 15);
533 r48r = ((r & 0x0001f800) << 7)
534 | ((r & 0x00001f80) << 5)
535 | ((r & 0x000001f8) << 3)
536 | ((r & 0x0000001f) << 1)
537 | ((r & 0x80000000) >> 31);
539 * Do salting for crypt() and friends, and
540 * XOR with the permuted key.
542 f = (r48l ^ r48r) & saltbits;
546 * Do sbox lookups (which shrink it back to 32 bits)
547 * and do the pbox permutation at the same time.
549 f = psbox[0][m_sbox[0][r48l >> 12]]
550 | psbox[1][m_sbox[1][r48l & 0xfff]]
551 | psbox[2][m_sbox[2][r48r >> 12]]
552 | psbox[3][m_sbox[3][r48r & 0xfff]];
554 * Now that we've permuted things, complete f().
564 * Do final permutation (inverse of IP).
566 *l_out = fp_maskl[0][l >> 24]
567 | fp_maskl[1][(l >> 16) & 0xff]
568 | fp_maskl[2][(l >> 8) & 0xff]
569 | fp_maskl[3][l & 0xff]
570 | fp_maskl[4][r >> 24]
571 | fp_maskl[5][(r >> 16) & 0xff]
572 | fp_maskl[6][(r >> 8) & 0xff]
573 | fp_maskl[7][r & 0xff];
574 *r_out = fp_maskr[0][l >> 24]
575 | fp_maskr[1][(l >> 16) & 0xff]
576 | fp_maskr[2][(l >> 8) & 0xff]
577 | fp_maskr[3][l & 0xff]
578 | fp_maskr[4][r >> 24]
579 | fp_maskr[5][(r >> 16) & 0xff]
580 | fp_maskr[6][(r >> 8) & 0xff]
581 | fp_maskr[7][r & 0xff];
586 des_cipher(const char *in, char *out, u_long salt, int count)
588 u_int32_t l_out, r_out, rawl, rawr;
595 if (!des_initialised)
601 rawl = ntohl(*trans.ui32++);
602 rawr = ntohl(*trans.ui32);
604 retval = do_des(rawl, rawr, &l_out, &r_out, count);
607 *trans.ui32++ = htonl(l_out);
608 *trans.ui32 = htonl(r_out);
613 crypt_des(const char *key, const char *setting)
616 u_int32_t count, salt, l, r0, r1, keybuf[2];
618 static char output[21];
620 if (!des_initialised)
624 * Copy the key, shifting each character up by one bit
625 * and padding with zeros.
627 q = (u_char *)keybuf;
628 while (q - (u_char *)keybuf - 8) {
633 if (des_setkey((char *)keybuf))
636 if (*setting == _PASSWORD_EFMT1) {
639 * setting - underscore, 4 bytes of count, 4 bytes of salt
640 * key - unlimited characters
642 for (i = 1, count = 0L; i < 5; i++)
643 count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
645 for (i = 5, salt = 0L; i < 9; i++)
646 salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
650 * Encrypt the key with itself.
652 if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
655 * And XOR with the next 8 characters of the key.
657 q = (u_char *)keybuf;
658 while (q - (u_char *)keybuf - 8 && *key)
661 if (des_setkey((char *)keybuf))
664 strncpy(output, setting, 9);
667 * Double check that we weren't given a short setting.
668 * If we were, the above code will probably have created
669 * wierd values for count and salt, but we don't really care.
670 * Just make sure the output string doesn't have an extra
674 p = (u_char *)output + strlen(output);
678 * setting - 2 bytes of salt
679 * key - up to 8 characters
683 salt = (ascii_to_bin(setting[1]) << 6)
684 | ascii_to_bin(setting[0]);
686 output[0] = setting[0];
688 * If the encrypted password that the salt was extracted from
689 * is only 1 character long, the salt will be corrupted. We
690 * need to ensure that the output string doesn't have an extra
693 output[1] = setting[1] ? setting[1] : output[0];
695 p = (u_char *)output + 2;
701 if (do_des(0L, 0L, &r0, &r1, (int)count))
704 * Now encode the result...
707 *p++ = ascii64[(l >> 18) & 0x3f];
708 *p++ = ascii64[(l >> 12) & 0x3f];
709 *p++ = ascii64[(l >> 6) & 0x3f];
710 *p++ = ascii64[l & 0x3f];
712 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
713 *p++ = ascii64[(l >> 18) & 0x3f];
714 *p++ = ascii64[(l >> 12) & 0x3f];
715 *p++ = ascii64[(l >> 6) & 0x3f];
716 *p++ = ascii64[l & 0x3f];
719 *p++ = ascii64[(l >> 12) & 0x3f];
720 *p++ = ascii64[(l >> 6) & 0x3f];
721 *p++ = ascii64[l & 0x3f];
726 /* END: https://github.com/freebsd/freebsd/blob/master/secure/lib/libcrypt/crypt-des.c */
729 /* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-md5.c */
731 crypt_md5(const char *pw, const char *salt)
737 u_char final[MD5_SIZE];
738 static const char *sp, *ep;
739 static char passwd[120], *p;
740 static const char *magic = "$1$";
742 /* Refine the Salt first */
745 /* If it starts with the magic string, then skip that */
746 if(!strncmp(sp, magic, strlen(magic)))
749 /* It stops at the first '$', max 8 chars */
750 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
753 /* get the length of the true salt */
758 /* The password first, since that is what is most unknown */
759 MD5Update(&ctx, (const u_char *)pw, strlen(pw));
761 /* Then our magic string */
762 MD5Update(&ctx, (const u_char *)magic, strlen(magic));
764 /* Then the raw salt */
765 MD5Update(&ctx, (const u_char *)sp, (u_int)sl);
767 /* Then just as many characters of the MD5(pw,salt,pw) */
769 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
770 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
771 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
772 MD5Final(final, &ctx1);
773 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
774 MD5Update(&ctx, (const u_char *)final,
775 (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl));
777 /* Don't leave anything around in vm they could use. */
778 memset(final, 0, sizeof(final));
780 /* Then something really weird... */
781 for (i = strlen(pw); i; i >>= 1)
783 MD5Update(&ctx, (const u_char *)final, 1);
785 MD5Update(&ctx, (const u_char *)pw, 1);
787 /* Now make the output string */
788 strcpy(passwd, magic);
789 strncat(passwd, sp, (u_int)sl);
792 MD5Final(final, &ctx);
795 * and now, just to make sure things don't run too fast
796 * On a 60 Mhz Pentium this takes 34 msec, so you would
797 * need 30 seconds to build a 1000 entry dictionary...
799 for(i = 0; i < 1000; i++) {
802 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
804 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
807 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
810 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
813 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
815 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
816 MD5Final(final, &ctx1);
819 p = passwd + strlen(passwd);
821 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
822 _crypt_to64(p, l, 4); p += 4;
823 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
824 _crypt_to64(p, l, 4); p += 4;
825 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
826 _crypt_to64(p, l, 4); p += 4;
827 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
828 _crypt_to64(p, l, 4); p += 4;
829 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
830 _crypt_to64(p, l, 4); p += 4;
832 _crypt_to64(p, l, 2); p += 2;
835 /* Don't leave anything around in vm they could use. */
836 memset(final, 0, sizeof(final));
840 /* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-md5.c */
843 /* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha256.c */
844 static const char sha256_salt_prefix[] = "$5$";
846 /* Prefix for optional rounds specification. */
847 static const char sha256_rounds_prefix[] = "rounds=";
849 /* Maximum salt string length. */
850 #define SALT_LEN_MAX 16
851 /* Default number of rounds if not explicitly specified. */
852 #define ROUNDS_DEFAULT 5000
853 /* Minimum number of rounds. */
854 #define ROUNDS_MIN 1000
855 /* Maximum number of rounds. */
856 #define ROUNDS_MAX 999999999
859 crypt_sha256_r(const char *key, const char *salt, char *buffer, int buflen)
863 uint8_t alt_result[32], temp_result[32];
864 SHA256_CTX ctx, alt_ctx;
865 size_t salt_len, key_len, cnt, rounds;
866 char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
873 /* Default number of rounds. */
874 rounds = ROUNDS_DEFAULT;
875 rounds_custom = false;
877 /* Find beginning of salt string. The prefix should normally always
878 * be present. Just in case it is not. */
879 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
880 /* Skip salt prefix. */
881 salt += sizeof(sha256_salt_prefix) - 1;
883 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
885 num = salt + sizeof(sha256_rounds_prefix) - 1;
886 srounds = strtoul(num, &endp, 10);
890 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
891 rounds_custom = true;
895 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
896 key_len = strlen(key);
898 /* Prepare for the real work. */
901 /* Add the key string. */
902 SHA256_Update(&ctx, key, key_len);
904 /* The last part is the salt string. This must be at most 8
905 * characters and it ends at the first `$' character (for
906 * compatibility with existing implementations). */
907 SHA256_Update(&ctx, salt, salt_len);
909 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
910 * final result will be added to the first context. */
911 SHA256_Init(&alt_ctx);
914 SHA256_Update(&alt_ctx, key, key_len);
917 SHA256_Update(&alt_ctx, salt, salt_len);
920 SHA256_Update(&alt_ctx, key, key_len);
922 /* Now get result of this (32 bytes) and add it to the other context. */
923 SHA256_Final(alt_result, &alt_ctx);
925 /* Add for any character in the key one byte of the alternate sum. */
926 for (cnt = key_len; cnt > 32; cnt -= 32)
927 SHA256_Update(&ctx, alt_result, 32);
928 SHA256_Update(&ctx, alt_result, cnt);
930 /* Take the binary representation of the length of the key and for
931 * every 1 add the alternate sum, for every 0 the key. */
932 for (cnt = key_len; cnt > 0; cnt >>= 1)
934 SHA256_Update(&ctx, alt_result, 32);
936 SHA256_Update(&ctx, key, key_len);
938 /* Create intermediate result. */
939 SHA256_Final(alt_result, &ctx);
941 /* Start computation of P byte sequence. */
942 SHA256_Init(&alt_ctx);
944 /* For every character in the password add the entire password. */
945 for (cnt = 0; cnt < key_len; ++cnt)
946 SHA256_Update(&alt_ctx, key, key_len);
948 /* Finish the digest. */
949 SHA256_Final(temp_result, &alt_ctx);
951 /* Create byte sequence P. */
952 cp = p_bytes = alloca(key_len);
953 for (cnt = key_len; cnt >= 32; cnt -= 32) {
954 memcpy(cp, temp_result, 32);
957 memcpy(cp, temp_result, cnt);
959 /* Start computation of S byte sequence. */
960 SHA256_Init(&alt_ctx);
962 /* For every character in the password add the entire password. */
963 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
964 SHA256_Update(&alt_ctx, salt, salt_len);
966 /* Finish the digest. */
967 SHA256_Final(temp_result, &alt_ctx);
969 /* Create byte sequence S. */
970 cp = s_bytes = alloca(salt_len);
971 for (cnt = salt_len; cnt >= 32; cnt -= 32) {
972 memcpy(cp, temp_result, 32);
975 memcpy(cp, temp_result, cnt);
977 /* Repeatedly run the collected hash value through SHA256 to burn CPU
979 for (cnt = 0; cnt < rounds; ++cnt) {
983 /* Add key or last result. */
985 SHA256_Update(&ctx, p_bytes, key_len);
987 SHA256_Update(&ctx, alt_result, 32);
989 /* Add salt for numbers not divisible by 3. */
991 SHA256_Update(&ctx, s_bytes, salt_len);
993 /* Add key for numbers not divisible by 7. */
995 SHA256_Update(&ctx, p_bytes, key_len);
997 /* Add key or last result. */
999 SHA256_Update(&ctx, alt_result, 32);
1001 SHA256_Update(&ctx, p_bytes, key_len);
1003 /* Create intermediate result. */
1004 SHA256_Final(alt_result, &ctx);
1007 /* Now we can construct the result string. It consists of three
1009 cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1010 buflen -= sizeof(sha256_salt_prefix) - 1;
1012 if (rounds_custom) {
1013 n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1014 sha256_rounds_prefix, rounds);
1020 cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
1021 buflen -= MIN((size_t)MAX(0, buflen), salt_len);
1028 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4, &buflen, &cp);
1029 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4, &buflen, &cp);
1030 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4, &buflen, &cp);
1031 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4, &buflen, &cp);
1032 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4, &buflen, &cp);
1033 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4, &buflen, &cp);
1034 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4, &buflen, &cp);
1035 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4, &buflen, &cp);
1036 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4, &buflen, &cp);
1037 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4, &buflen, &cp);
1038 b64_from_24bit(0, alt_result[31], alt_result[30], 3, &buflen, &cp);
1044 *cp = '\0'; /* Terminate the string. */
1046 /* Clear the buffer for the intermediate result so that people
1047 * attaching to processes or reading core dumps cannot get any
1048 * information. We do it in this way to clear correct_words[] inside
1049 * the SHA256 implementation as well. */
1051 SHA256_Final(alt_result, &ctx);
1052 memset(temp_result, '\0', sizeof(temp_result));
1053 memset(p_bytes, '\0', key_len);
1054 memset(s_bytes, '\0', salt_len);
1055 memset(&ctx, '\0', sizeof(ctx));
1056 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1057 if (copied_key != NULL)
1058 memset(copied_key, '\0', key_len);
1059 if (copied_salt != NULL)
1060 memset(copied_salt, '\0', salt_len);
1065 /* This entry point is equivalent to crypt(3). */
1066 char* crypt_sha256(const char *key, const char *salt)
1068 /* We don't want to have an arbitrary limit in the size of the
1069 * password. We can compute an upper bound for the size of the
1070 * result in advance and so we can prepare the buffer we pass to
1071 * `crypt_sha256_r'. */
1072 static char *buffer;
1077 needed = (sizeof(sha256_salt_prefix) - 1
1078 + sizeof(sha256_rounds_prefix) + 9 + 1
1079 + strlen(salt) + 1 + 43 + 1);
1081 if (buflen < needed) {
1082 new_buffer = (char *)realloc(buffer, needed);
1084 if (new_buffer == NULL)
1087 buffer = new_buffer;
1091 return crypt_sha256_r(key, salt, buffer, buflen);
1093 /* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha256.c */
1096 /* START: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha512.c */
1097 /* Define our magic string to mark salt for SHA512 "encryption" replacement. */
1098 static const char sha512_salt_prefix[] = "$6$";
1100 /* Prefix for optional rounds specification. */
1101 static const char sha512_rounds_prefix[] = "rounds=";
1103 /* Maximum salt string length. */
1104 #define SALT_LEN_MAX 16
1105 /* Default number of rounds if not explicitly specified. */
1106 #define ROUNDS_DEFAULT 5000
1107 /* Minimum number of rounds. */
1108 #define ROUNDS_MIN 1000
1109 /* Maximum number of rounds. */
1110 #define ROUNDS_MAX 999999999
1113 crypt_sha512_r(const char *key, const char *salt, char *buffer, int buflen)
1117 uint8_t alt_result[64], temp_result[64];
1118 SHA512_CTX ctx, alt_ctx;
1119 size_t salt_len, key_len, cnt, rounds;
1120 char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
1127 /* Default number of rounds. */
1128 rounds = ROUNDS_DEFAULT;
1129 rounds_custom = false;
1131 /* Find beginning of salt string. The prefix should normally always
1132 * be present. Just in case it is not. */
1133 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
1134 /* Skip salt prefix. */
1135 salt += sizeof(sha512_salt_prefix) - 1;
1137 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
1139 num = salt + sizeof(sha512_rounds_prefix) - 1;
1140 srounds = strtoul(num, &endp, 10);
1144 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
1145 rounds_custom = true;
1149 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
1150 key_len = strlen(key);
1152 /* Prepare for the real work. */
1155 /* Add the key string. */
1156 SHA512_Update(&ctx, key, key_len);
1158 /* The last part is the salt string. This must be at most 8
1159 * characters and it ends at the first `$' character (for
1160 * compatibility with existing implementations). */
1161 SHA512_Update(&ctx, salt, salt_len);
1163 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
1164 * final result will be added to the first context. */
1165 SHA512_Init(&alt_ctx);
1168 SHA512_Update(&alt_ctx, key, key_len);
1171 SHA512_Update(&alt_ctx, salt, salt_len);
1173 /* Add key again. */
1174 SHA512_Update(&alt_ctx, key, key_len);
1176 /* Now get result of this (64 bytes) and add it to the other context. */
1177 SHA512_Final(alt_result, &alt_ctx);
1179 /* Add for any character in the key one byte of the alternate sum. */
1180 for (cnt = key_len; cnt > 64; cnt -= 64)
1181 SHA512_Update(&ctx, alt_result, 64);
1182 SHA512_Update(&ctx, alt_result, cnt);
1184 /* Take the binary representation of the length of the key and for
1185 * every 1 add the alternate sum, for every 0 the key. */
1186 for (cnt = key_len; cnt > 0; cnt >>= 1)
1188 SHA512_Update(&ctx, alt_result, 64);
1190 SHA512_Update(&ctx, key, key_len);
1192 /* Create intermediate result. */
1193 SHA512_Final(alt_result, &ctx);
1195 /* Start computation of P byte sequence. */
1196 SHA512_Init(&alt_ctx);
1198 /* For every character in the password add the entire password. */
1199 for (cnt = 0; cnt < key_len; ++cnt)
1200 SHA512_Update(&alt_ctx, key, key_len);
1202 /* Finish the digest. */
1203 SHA512_Final(temp_result, &alt_ctx);
1205 /* Create byte sequence P. */
1206 cp = p_bytes = alloca(key_len);
1207 for (cnt = key_len; cnt >= 64; cnt -= 64) {
1208 memcpy(cp, temp_result, 64);
1211 memcpy(cp, temp_result, cnt);
1213 /* Start computation of S byte sequence. */
1214 SHA512_Init(&alt_ctx);
1216 /* For every character in the password add the entire password. */
1217 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
1218 SHA512_Update(&alt_ctx, salt, salt_len);
1220 /* Finish the digest. */
1221 SHA512_Final(temp_result, &alt_ctx);
1223 /* Create byte sequence S. */
1224 cp = s_bytes = alloca(salt_len);
1225 for (cnt = salt_len; cnt >= 64; cnt -= 64) {
1226 memcpy(cp, temp_result, 64);
1229 memcpy(cp, temp_result, cnt);
1231 /* Repeatedly run the collected hash value through SHA512 to burn CPU
1233 for (cnt = 0; cnt < rounds; ++cnt) {
1237 /* Add key or last result. */
1239 SHA512_Update(&ctx, p_bytes, key_len);
1241 SHA512_Update(&ctx, alt_result, 64);
1243 /* Add salt for numbers not divisible by 3. */
1245 SHA512_Update(&ctx, s_bytes, salt_len);
1247 /* Add key for numbers not divisible by 7. */
1249 SHA512_Update(&ctx, p_bytes, key_len);
1251 /* Add key or last result. */
1253 SHA512_Update(&ctx, alt_result, 64);
1255 SHA512_Update(&ctx, p_bytes, key_len);
1257 /* Create intermediate result. */
1258 SHA512_Final(alt_result, &ctx);
1261 /* Now we can construct the result string. It consists of three
1263 cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
1264 buflen -= sizeof(sha512_salt_prefix) - 1;
1266 if (rounds_custom) {
1267 n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1268 sha512_rounds_prefix, rounds);
1274 cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
1275 buflen -= MIN((size_t)MAX(0, buflen), salt_len);
1282 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp);
1283 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp);
1284 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp);
1285 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp);
1286 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp);
1287 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp);
1288 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp);
1289 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp);
1290 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp);
1291 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp);
1292 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp);
1293 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp);
1294 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp);
1295 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp);
1296 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp);
1297 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp);
1298 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp);
1299 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp);
1300 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp);
1301 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp);
1302 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp);
1303 b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp);
1310 *cp = '\0'; /* Terminate the string. */
1312 /* Clear the buffer for the intermediate result so that people
1313 * attaching to processes or reading core dumps cannot get any
1314 * information. We do it in this way to clear correct_words[] inside
1315 * the SHA512 implementation as well. */
1317 SHA512_Final(alt_result, &ctx);
1318 memset(temp_result, '\0', sizeof(temp_result));
1319 memset(p_bytes, '\0', key_len);
1320 memset(s_bytes, '\0', salt_len);
1321 memset(&ctx, '\0', sizeof(ctx));
1322 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1323 if (copied_key != NULL)
1324 memset(copied_key, '\0', key_len);
1325 if (copied_salt != NULL)
1326 memset(copied_salt, '\0', salt_len);
1331 /* This entry point is equivalent to crypt(3). */
1333 crypt_sha512(const char *key, const char *salt)
1335 /* We don't want to have an arbitrary limit in the size of the
1336 * password. We can compute an upper bound for the size of the
1337 * result in advance and so we can prepare the buffer we pass to
1338 * `crypt_sha512_r'. */
1339 static char *buffer;
1344 needed = (sizeof(sha512_salt_prefix) - 1
1345 + sizeof(sha512_rounds_prefix) + 9 + 1
1346 + strlen(salt) + 1 + 86 + 1);
1348 if (buflen < needed) {
1349 new_buffer = (char *)realloc(buffer, needed);
1351 if (new_buffer == NULL)
1354 buffer = new_buffer;
1358 return crypt_sha512_r(key, salt, buffer, buflen);
1360 /* END: https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt-sha512.c */
1363 /** From https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/crypt.c */
1364 static const struct crypt_format {
1365 const char* const name;
1366 const char* const magic;
1367 char* (*const func)(char const*, char const*);
1368 } crypt_formats[] = {
1369 { "des", "_", crypt_des },
1370 { "md5", "$1$", crypt_md5 },
1371 { "sha256", "$5$", crypt_sha256 },
1372 { "sha512", "$6$", crypt_sha512 },
1373 { NULL, NULL, NULL }
1377 char* crypt(const char* key, const char* salt)
1380 const struct crypt_format *cf;
1382 for (cf = crypt_formats; cf->name != NULL; ++cf) {
1383 if (cf->magic != NULL && strstr(salt, cf->magic) == salt) {
1384 return cf->func(key, salt);
1389 if ((len == 13 || len == 2) && strspn(salt, DES_SALT_ALPHABET) == len) {
1390 return (crypt_des(key, salt));
1393 return crypt_formats[0].func(key, salt);
~mdw / termux-packages / blob