summaryrefslogtreecommitdiffstats
path: root/secure
diff options
context:
space:
mode:
authordelphij <delphij@FreeBSD.org>2014-03-27 00:23:44 +0000
committerdelphij <delphij@FreeBSD.org>2014-03-27 00:23:44 +0000
commit800e1a055eb2aa0735f76ba7a1b57e3404129a69 (patch)
tree59739e114a530abebe65cd12ce65344bb945daa3 /secure
parent9c78ab8bb85259c01860f7c82a6e01c0718b0c5e (diff)
downloadFreeBSD-src-800e1a055eb2aa0735f76ba7a1b57e3404129a69.zip
FreeBSD-src-800e1a055eb2aa0735f76ba7a1b57e3404129a69.tar.gz
MFC r262501:
Refresh our implementation of OpenBSD's Blowfish password format. Notable changes: - Support of $2b$ password format to address a problem where very long passwords (more than 256 characters, when an integer overflow would happen and cause the length to wrap at 256). - Updated pseudo code in comments to reflect the reality. - Removed our local shortcut of processing magic string and rely on the centralized and tigntened validation. - Diff reduction from upstream. For now we are still generating the older $2a$ format of password but we will migrate to the new format once the format is formally finalized.
Diffstat (limited to 'secure')
-rw-r--r--secure/lib/libcrypt/crypt-blowfish.c85
1 files changed, 52 insertions, 33 deletions
diff --git a/secure/lib/libcrypt/crypt-blowfish.c b/secure/lib/libcrypt/crypt-blowfish.c
index 984a6d1..47d6a16 100644
--- a/secure/lib/libcrypt/crypt-blowfish.c
+++ b/secure/lib/libcrypt/crypt-blowfish.c
@@ -1,3 +1,5 @@
+/* $OpenBSD: bcrypt.c,v 1.29 2014/02/24 19:45:43 tedu Exp $ */
+
/*
* Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
@@ -35,10 +37,10 @@ __FBSDID("$FreeBSD$");
* <dm@lcs.mit.edu> and works as follows:
*
* 1. state := InitState ()
- * 2. state := ExpandKey (state, salt, password) 3.
- * REPEAT rounds:
+ * 2. state := ExpandKey (state, salt, password)
+ * 3. REPEAT rounds:
+ * state := ExpandKey (state, 0, password)
* state := ExpandKey (state, 0, salt)
- * state := ExpandKey(state, 0, password)
* 4. ctext := "OrpheanBeholderScryDoubt"
* 5. REPEAT 64:
* ctext := Encrypt_ECB (state, ctext);
@@ -48,6 +50,7 @@ __FBSDID("$FreeBSD$");
/*
* FreeBSD implementation by Paul Herman <pherman@frenchfries.net>
+ * and updated by Xin Li <delphij@FreeBSD.org>
*/
#include <stdio.h>
@@ -66,18 +69,18 @@ __FBSDID("$FreeBSD$");
#define BCRYPT_VERSION '2'
#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
#define BCRYPT_BLOCKS 6 /* Ciphertext blocks */
-#define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */
+#define BCRYPT_MINLOGROUNDS 4 /* we have log2(rounds) in salt */
+
static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t);
static void decode_base64(u_int8_t *, u_int16_t, const u_int8_t *);
static char encrypted[_PASSWORD_LEN];
-static const u_int8_t Base64Code[] =
+const static u_int8_t Base64Code[] =
"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-static const u_int8_t index_64[128] =
-{
+const static u_int8_t index_64[128] = {
255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
@@ -108,7 +111,7 @@ decode_base64(u_int8_t *buffer, u_int16_t len, const u_int8_t *data)
if (c1 == 255 || c2 == 255)
break;
- *bp++ = (u_int8_t)((c1 << 2) | ((c2 & 0x30) >> 4));
+ *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
if (bp >= buffer + len)
break;
@@ -138,23 +141,19 @@ crypt_blowfish(const char *key, const char *salt)
blf_ctx state;
u_int32_t rounds, i, k;
u_int16_t j;
- u_int8_t key_len, salt_len, logr, minr;
+ size_t key_len;
+ u_int8_t salt_len, logr, minr;
u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
u_int8_t csalt[BCRYPT_MAXSALT];
u_int32_t cdata[BCRYPT_BLOCKS];
- static const char *magic = "$2a$04$";
-
- /* Defaults */
- minr = 'a';
- logr = 4;
- rounds = 1 << logr;
+ char arounds[3];
- /* If it starts with the magic string, then skip that */
- if(!strncmp(salt, magic, strlen(magic))) {
- salt += strlen(magic);
- }
- else if (*salt == '$') {
+ /* Defaults */
+ minr = 'a';
+ logr = BCRYPT_MINLOGROUNDS;
+ rounds = 1U << logr;
+ if (*salt == '$') {
/* Discard "$" identifier */
salt++;
@@ -166,9 +165,9 @@ crypt_blowfish(const char *key, const char *salt)
/* Check for minor versions */
if (salt[1] != '$') {
switch (salt[1]) {
- case 'a':
- /* 'ab' should not yield the same as 'abab' */
- minr = (u_int8_t)salt[1];
+ case 'a': /* 'ab' should not yield the same as 'abab' */
+ case 'b': /* cap input length at 72 bytes */
+ minr = salt[1];
salt++;
break;
default:
@@ -184,21 +183,38 @@ crypt_blowfish(const char *key, const char *salt)
/* Out of sync with passwd entry */
return NULL;
- /* Computer power doesnt increase linear, 2^x should be fine */
- logr = (u_int8_t)atoi(salt);
- rounds = 1 << logr;
- if (rounds < BCRYPT_MINROUNDS)
+ memcpy(arounds, salt, sizeof(arounds));
+ if (arounds[sizeof(arounds) - 1] != '$')
+ return NULL;
+ arounds[sizeof(arounds) - 1] = 0;
+ logr = strtonum(arounds, BCRYPT_MINLOGROUNDS, 31, NULL);
+ if (logr == 0)
return NULL;
+ /* Computer power doesn't increase linearly, 2^x should be fine */
+ rounds = 1U << logr;
/* Discard num rounds + "$" identifier */
salt += 3;
}
+ if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
+ return NULL;
/* We dont want the base64 salt but the raw data */
- decode_base64(csalt, BCRYPT_MAXSALT, (const u_int8_t *)salt);
+ decode_base64(csalt, BCRYPT_MAXSALT, (const u_int8_t *) salt);
salt_len = BCRYPT_MAXSALT;
- key_len = (u_int8_t)(strlen(key) + (minr >= 'a' ? 1 : 0));
+ if (minr <= 'a')
+ key_len = (u_int8_t)(strlen(key) + (minr >= 'a' ? 1 : 0));
+ else {
+ /* strlen() returns a size_t, but the function calls
+ * below result in implicit casts to a narrower integer
+ * type, so cap key_len at the actual maximum supported
+ * length here to avoid integer wraparound */
+ key_len = strlen(key);
+ if (key_len > 72)
+ key_len = 72;
+ key_len++; /* include the NUL */
+ }
/* Setting up S-Boxes and Subkeys */
Blowfish_initstate(&state);
@@ -233,7 +249,7 @@ crypt_blowfish(const char *key, const char *salt)
encrypted[i++] = '$';
encrypted[i++] = BCRYPT_VERSION;
if (minr)
- encrypted[i++] = (int8_t)minr;
+ encrypted[i++] = minr;
encrypted[i++] = '$';
snprintf(encrypted + i, 4, "%2.2u$", logr);
@@ -241,6 +257,10 @@ crypt_blowfish(const char *key, const char *salt)
encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT);
encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext,
4 * BCRYPT_BLOCKS - 1);
+ memset(&state, 0, sizeof(state));
+ memset(ciphertext, 0, sizeof(ciphertext));
+ memset(csalt, 0, sizeof(csalt));
+ memset(cdata, 0, sizeof(cdata));
return encrypted;
}
@@ -273,7 +293,6 @@ encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len)
}
*bp = '\0';
}
-
#if 0
void
main()
@@ -288,11 +307,11 @@ main()
snprintf(salt + 3, 4, "%2.2u$", 5);
printf("24 bytes of salt: ");
- fgets(salt + 6, 94, stdin);
+ fgets(salt + 6, sizeof(salt) - 6, stdin);
salt[99] = 0;
printf("72 bytes of password: ");
fpurge(stdin);
- fgets(blubber, 73, stdin);
+ fgets(blubber, sizeof(blubber), stdin);
blubber[72] = 0;
p = crypt(blubber, salt);
OpenPOWER on IntegriCloud