diff options
Diffstat (limited to 'lib/libcrypt')
| -rw-r--r-- | lib/libcrypt/Makefile | 44 | ||||
| -rw-r--r-- | lib/libcrypt/crypt-md5.c | 153 | ||||
| -rw-r--r-- | lib/libcrypt/crypt-nthash.c | 88 | ||||
| -rw-r--r-- | lib/libcrypt/crypt-sha256.c | 477 | ||||
| -rw-r--r-- | lib/libcrypt/crypt-sha512.c | 500 | ||||
| -rw-r--r-- | lib/libcrypt/crypt.3 | 310 | ||||
| -rw-r--r-- | lib/libcrypt/crypt.c | 141 | ||||
| -rw-r--r-- | lib/libcrypt/crypt.h | 43 | ||||
| -rw-r--r-- | lib/libcrypt/misc.c | 63 |
9 files changed, 1819 insertions, 0 deletions
diff --git a/lib/libcrypt/Makefile b/lib/libcrypt/Makefile new file mode 100644 index 0000000..eea5572 --- /dev/null +++ b/lib/libcrypt/Makefile @@ -0,0 +1,44 @@ +# +# $FreeBSD$ +# + +SHLIBDIR?= /lib + +.include <bsd.own.mk> + +SHLIB_MAJOR= 5 +LIB= crypt + +.PATH: ${.CURDIR}/../libmd +SRCS= crypt.c misc.c \ + crypt-md5.c md5c.c \ + crypt-nthash.c md4c.c \ + crypt-sha256.c sha256c.c \ + crypt-sha512.c sha512c.c +MAN= crypt.3 +MLINKS= crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3 +CFLAGS+= -I${.CURDIR}/../libmd -I${.CURDIR}/../libutil + +# Pull in the strong crypto, if it is present. +.if exists(${.CURDIR}/../../secure/lib/libcrypt) && ${MK_CRYPT} != "no" +.PATH: ${.CURDIR}/../../secure/lib/libcrypt +SRCS+= crypt-des.c crypt-blowfish.c blowfish.c +CFLAGS+= -I${.CURDIR} -DHAS_DES -DHAS_BLOWFISH +.endif + +# And the auth_getval() code and support. +.PATH: ${.CURDIR}/../libutil +SRCS+= auth.c property.c +.for sym in auth_getval property_find properties_read properties_free \ + MD4Init MD4Final MD4Update MD4Pad \ + MD5Init MD5Final MD5Update MD5Pad \ + SHA256_Init SHA256_Final SHA256_Update \ + SHA512_Init SHA512_Final SHA512_Update +CFLAGS+= -D${sym}=__${sym} +.endfor + +WARNS?= 2 + +PRECIOUSLIB= + +.include <bsd.lib.mk> diff --git a/lib/libcrypt/crypt-md5.c b/lib/libcrypt/crypt-md5.c new file mode 100644 index 0000000..33186cd --- /dev/null +++ b/lib/libcrypt/crypt-md5.c @@ -0,0 +1,153 @@ +/*- + * Copyright (c) 2003 Poul-Henning Kamp + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> + +#include <err.h> +#include <md5.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +#include "crypt.h" + +/* + * UNIX password + */ + +char * +crypt_md5(const char *pw, const char *salt) +{ + MD5_CTX ctx,ctx1; + unsigned long l; + int sl, pl; + u_int i; + u_char final[MD5_SIZE]; + static const char *sp, *ep; + static char passwd[120], *p; + static const char *magic = "$1$"; + + /* Refine the Salt first */ + sp = salt; + + /* If it starts with the magic string, then skip that */ + if(!strncmp(sp, magic, strlen(magic))) + sp += strlen(magic); + + /* It stops at the first '$', max 8 chars */ + for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++) + continue; + + /* get the length of the true salt */ + sl = ep - sp; + + MD5Init(&ctx); + + /* The password first, since that is what is most unknown */ + MD5Update(&ctx, (const u_char *)pw, strlen(pw)); + + /* Then our magic string */ + MD5Update(&ctx, (const u_char *)magic, strlen(magic)); + + /* Then the raw salt */ + MD5Update(&ctx, (const u_char *)sp, (u_int)sl); + + /* Then just as many characters of the MD5(pw,salt,pw) */ + MD5Init(&ctx1); + MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); + MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); + MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); + MD5Final(final, &ctx1); + for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE) + MD5Update(&ctx, (const u_char *)final, + (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl)); + + /* Don't leave anything around in vm they could use. */ + memset(final, 0, sizeof(final)); + + /* Then something really weird... */ + for (i = strlen(pw); i; i >>= 1) + if(i & 1) + MD5Update(&ctx, (const u_char *)final, 1); + else + MD5Update(&ctx, (const u_char *)pw, 1); + + /* Now make the output string */ + strcpy(passwd, magic); + strncat(passwd, sp, (u_int)sl); + strcat(passwd, "$"); + + MD5Final(final, &ctx); + + /* + * and now, just to make sure things don't run too fast + * On a 60 Mhz Pentium this takes 34 msec, so you would + * need 30 seconds to build a 1000 entry dictionary... + */ + for(i = 0; i < 1000; i++) { + MD5Init(&ctx1); + if(i & 1) + MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); + else + MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); + + if(i % 3) + MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); + + if(i % 7) + MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); + + if(i & 1) + MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); + else + MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); + MD5Final(final, &ctx1); + } + + p = passwd + strlen(passwd); + + l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; + _crypt_to64(p, l, 4); p += 4; + l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; + _crypt_to64(p, l, 4); p += 4; + l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; + _crypt_to64(p, l, 4); p += 4; + l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; + _crypt_to64(p, l, 4); p += 4; + l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; + _crypt_to64(p, l, 4); p += 4; + l = final[11]; + _crypt_to64(p, l, 2); p += 2; + *p = '\0'; + + /* Don't leave anything around in vm they could use. */ + memset(final, 0, sizeof(final)); + + return (passwd); +} diff --git a/lib/libcrypt/crypt-nthash.c b/lib/libcrypt/crypt-nthash.c new file mode 100644 index 0000000..19b84ce --- /dev/null +++ b/lib/libcrypt/crypt-nthash.c @@ -0,0 +1,88 @@ +/*- + * Copyright (c) 2003 Michael Bretterklieber + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> + +#include <netinet/in.h> + +#include <ctype.h> +#include <err.h> +#include <md4.h> +#include <stdarg.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +#include "crypt.h" + +/* + * NT HASH = md4(str2unicode(pw)) + */ + +/* ARGSUSED */ +char * +crypt_nthash(const char *pw, const char *salt __unused) +{ + size_t unipwLen; + int i, j; + static char hexconvtab[] = "0123456789abcdef"; + static const char *magic = "$3$"; + static char passwd[120]; + u_int16_t unipw[128]; + char final[MD4_SIZE*2 + 1]; + u_char hash[MD4_SIZE]; + const char *s; + MD4_CTX ctx; + + bzero(unipw, sizeof(unipw)); + /* convert to unicode (thanx Archie) */ + unipwLen = 0; + for (s = pw; unipwLen < sizeof(unipw) / 2 && *s; s++) + unipw[unipwLen++] = htons(*s << 8); + + /* Compute MD4 of Unicode password */ + MD4Init(&ctx); + MD4Update(&ctx, (u_char *)unipw, unipwLen*sizeof(u_int16_t)); + MD4Final(hash, &ctx); + + for (i = j = 0; i < MD4_SIZE; i++) { + final[j++] = hexconvtab[hash[i] >> 4]; + final[j++] = hexconvtab[hash[i] & 15]; + } + final[j] = '\0'; + + strcpy(passwd, magic); + strcat(passwd, "$"); + strncat(passwd, final, MD4_SIZE*2); + + /* Don't leave anything around in vm they could use. */ + memset(final, 0, sizeof(final)); + + return (passwd); +} diff --git a/lib/libcrypt/crypt-sha256.c b/lib/libcrypt/crypt-sha256.c new file mode 100644 index 0000000..cab7405 --- /dev/null +++ b/lib/libcrypt/crypt-sha256.c @@ -0,0 +1,477 @@ +/* + * Copyright (c) 2011 The FreeBSD Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* Based on: + * SHA256-based Unix crypt implementation. Released into the Public Domain by + * Ulrich Drepper <drepper@redhat.com>. */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/endian.h> +#include <sys/param.h> + +#include <errno.h> +#include <limits.h> +#include <sha256.h> +#include <stdbool.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "crypt.h" + +/* Define our magic string to mark salt for SHA256 "encryption" replacement. */ +static const char sha256_salt_prefix[] = "$5$"; + +/* Prefix for optional rounds specification. */ +static const char sha256_rounds_prefix[] = "rounds="; + +/* Maximum salt string length. */ +#define SALT_LEN_MAX 16 +/* Default number of rounds if not explicitly specified. */ +#define ROUNDS_DEFAULT 5000 +/* Minimum number of rounds. */ +#define ROUNDS_MIN 1000 +/* Maximum number of rounds. */ +#define ROUNDS_MAX 999999999 + +static char * +crypt_sha256_r(const char *key, const char *salt, char *buffer, int buflen) +{ + u_long srounds; + int n; + uint8_t alt_result[32], temp_result[32]; + SHA256_CTX ctx, alt_ctx; + size_t salt_len, key_len, cnt, rounds; + char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp; + const char *num; + bool rounds_custom; + + copied_key = NULL; + copied_salt = NULL; + + /* Default number of rounds. */ + rounds = ROUNDS_DEFAULT; + rounds_custom = false; + + /* Find beginning of salt string. The prefix should normally always + * be present. Just in case it is not. */ + if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) + /* Skip salt prefix. */ + salt += sizeof(sha256_salt_prefix) - 1; + + if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) + == 0) { + num = salt + sizeof(sha256_rounds_prefix) - 1; + srounds = strtoul(num, &endp, 10); + + if (*endp == '$') { + salt = endp + 1; + rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX)); + rounds_custom = true; + } + } + + salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); + key_len = strlen(key); + + /* Prepare for the real work. */ + SHA256_Init(&ctx); + + /* Add the key string. */ + SHA256_Update(&ctx, key, key_len); + + /* The last part is the salt string. This must be at most 8 + * characters and it ends at the first `$' character (for + * compatibility with existing implementations). */ + SHA256_Update(&ctx, salt, salt_len); + + /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The + * final result will be added to the first context. */ + SHA256_Init(&alt_ctx); + + /* Add key. */ + SHA256_Update(&alt_ctx, key, key_len); + + /* Add salt. */ + SHA256_Update(&alt_ctx, salt, salt_len); + + /* Add key again. */ + SHA256_Update(&alt_ctx, key, key_len); + + /* Now get result of this (32 bytes) and add it to the other context. */ + SHA256_Final(alt_result, &alt_ctx); + + /* Add for any character in the key one byte of the alternate sum. */ + for (cnt = key_len; cnt > 32; cnt -= 32) + SHA256_Update(&ctx, alt_result, 32); + SHA256_Update(&ctx, alt_result, cnt); + + /* Take the binary representation of the length of the key and for + * every 1 add the alternate sum, for every 0 the key. */ + for (cnt = key_len; cnt > 0; cnt >>= 1) + if ((cnt & 1) != 0) + SHA256_Update(&ctx, alt_result, 32); + else + SHA256_Update(&ctx, key, key_len); + + /* Create intermediate result. */ + SHA256_Final(alt_result, &ctx); + + /* Start computation of P byte sequence. */ + SHA256_Init(&alt_ctx); + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < key_len; ++cnt) + SHA256_Update(&alt_ctx, key, key_len); + + /* Finish the digest. */ + SHA256_Final(temp_result, &alt_ctx); + + /* Create byte sequence P. */ + cp = p_bytes = alloca(key_len); + for (cnt = key_len; cnt >= 32; cnt -= 32) { + memcpy(cp, temp_result, 32); + cp += 32; + } + memcpy(cp, temp_result, cnt); + + /* Start computation of S byte sequence. */ + SHA256_Init(&alt_ctx); + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + SHA256_Update(&alt_ctx, salt, salt_len); + + /* Finish the digest. */ + SHA256_Final(temp_result, &alt_ctx); + + /* Create byte sequence S. */ + cp = s_bytes = alloca(salt_len); + for (cnt = salt_len; cnt >= 32; cnt -= 32) { + memcpy(cp, temp_result, 32); + cp += 32; + } + memcpy(cp, temp_result, cnt); + + /* Repeatedly run the collected hash value through SHA256 to burn CPU + * cycles. */ + for (cnt = 0; cnt < rounds; ++cnt) { + /* New context. */ + SHA256_Init(&ctx); + + /* Add key or last result. */ + if ((cnt & 1) != 0) + SHA256_Update(&ctx, p_bytes, key_len); + else + SHA256_Update(&ctx, alt_result, 32); + + /* Add salt for numbers not divisible by 3. */ + if (cnt % 3 != 0) + SHA256_Update(&ctx, s_bytes, salt_len); + + /* Add key for numbers not divisible by 7. */ + if (cnt % 7 != 0) + SHA256_Update(&ctx, p_bytes, key_len); + + /* Add key or last result. */ + if ((cnt & 1) != 0) + SHA256_Update(&ctx, alt_result, 32); + else + SHA256_Update(&ctx, p_bytes, key_len); + + /* Create intermediate result. */ + SHA256_Final(alt_result, &ctx); + } + + /* Now we can construct the result string. It consists of three + * parts. */ + cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen)); + buflen -= sizeof(sha256_salt_prefix) - 1; + + if (rounds_custom) { + n = snprintf(cp, MAX(0, buflen), "%s%zu$", + sha256_rounds_prefix, rounds); + + cp += n; + buflen -= n; + } + + cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len)); + buflen -= MIN((size_t)MAX(0, buflen), salt_len); + + if (buflen > 0) { + *cp++ = '$'; + --buflen; + } + + b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4, &buflen, &cp); + b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4, &buflen, &cp); + b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4, &buflen, &cp); + b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4, &buflen, &cp); + b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4, &buflen, &cp); + b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4, &buflen, &cp); + b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4, &buflen, &cp); + b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4, &buflen, &cp); + b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4, &buflen, &cp); + b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4, &buflen, &cp); + b64_from_24bit(0, alt_result[31], alt_result[30], 3, &buflen, &cp); + if (buflen <= 0) { + errno = ERANGE; + buffer = NULL; + } + else + *cp = '\0'; /* Terminate the string. */ + + /* Clear the buffer for the intermediate result so that people + * attaching to processes or reading core dumps cannot get any + * information. We do it in this way to clear correct_words[] inside + * the SHA256 implementation as well. */ + SHA256_Init(&ctx); + SHA256_Final(alt_result, &ctx); + memset(temp_result, '\0', sizeof(temp_result)); + memset(p_bytes, '\0', key_len); + memset(s_bytes, '\0', salt_len); + memset(&ctx, '\0', sizeof(ctx)); + memset(&alt_ctx, '\0', sizeof(alt_ctx)); + if (copied_key != NULL) + memset(copied_key, '\0', key_len); + if (copied_salt != NULL) + memset(copied_salt, '\0', salt_len); + + return buffer; +} + +/* This entry point is equivalent to crypt(3). */ +char * +crypt_sha256(const char *key, const char *salt) +{ + /* We don't want to have an arbitrary limit in the size of the + * password. We can compute an upper bound for the size of the + * result in advance and so we can prepare the buffer we pass to + * `crypt_sha256_r'. */ + static char *buffer; + static int buflen; + int needed; + char *new_buffer; + + needed = (sizeof(sha256_salt_prefix) - 1 + + sizeof(sha256_rounds_prefix) + 9 + 1 + + strlen(salt) + 1 + 43 + 1); + + if (buflen < needed) { + new_buffer = (char *)realloc(buffer, needed); + + if (new_buffer == NULL) + return NULL; + + buffer = new_buffer; + buflen = needed; + } + + return crypt_sha256_r(key, salt, buffer, buflen); +} + +#ifdef TEST + +static const struct { + const char *input; + const char result[32]; +} tests[] = +{ + /* Test vectors from FIPS 180-2: appendix B.1. */ + { + "abc", + "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" + "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" + }, + /* Test vectors from FIPS 180-2: appendix B.2. */ + { + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", + "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" + "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" + }, + /* Test vectors from the NESSIE project. */ + { + "", + "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24" + "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" + }, + { + "a", + "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d" + "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" + }, + { + "message digest", + "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad" + "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" + }, + { + "abcdefghijklmnopqrstuvwxyz", + "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52" + "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" + }, + { + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", + "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" + "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" + }, + { + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80" + "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" + }, + { + "123456789012345678901234567890123456789012345678901234567890" + "12345678901234567890", + "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e" + "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" + } +}; + +#define ntests (sizeof (tests) / sizeof (tests[0])) + +static const struct { + const char *salt; + const char *input; + const char *expected; +} tests2[] = +{ + { + "$5$saltstring", "Hello world!", + "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" + }, + { + "$5$rounds=10000$saltstringsaltstring", "Hello world!", + "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." + "opqey6IcA" + }, + { + "$5$rounds=5000$toolongsaltstring", "This is just a test", + "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" + "mGRcvxa5" + }, + { + "$5$rounds=1400$anotherlongsaltstring", + "a very much longer text to encrypt. This one even stretches over more" + "than one line.", + "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" + "oP84Bnq1" + }, + { + "$5$rounds=77777$short", + "we have a short salt string but not a short password", + "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" + }, + { + "$5$rounds=123456$asaltof16chars..", "a short string", + "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" + "cZKmF/wJvD" + }, + { + "$5$rounds=10$roundstoolow", "the minimum number is still observed", + "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" + "2bIC" + }, +}; + +#define ntests2 (sizeof (tests2) / sizeof (tests2[0])) + +int +main(void) +{ + SHA256_CTX ctx; + uint8_t sum[32]; + int result = 0; + int i, cnt; + + for (cnt = 0; cnt < (int)ntests; ++cnt) { + SHA256_Init(&ctx); + SHA256_Update(&ctx, tests[cnt].input, strlen(tests[cnt].input)); + SHA256_Final(sum, &ctx); + if (memcmp(tests[cnt].result, sum, 32) != 0) { + for (i = 0; i < 32; i++) + printf("%02X", tests[cnt].result[i]); + printf("\n"); + for (i = 0; i < 32; i++) + printf("%02X", sum[i]); + printf("\n"); + printf("test %d run %d failed\n", cnt, 1); + result = 1; + } + + SHA256_Init(&ctx); + for (i = 0; tests[cnt].input[i] != '\0'; ++i) + SHA256_Update(&ctx, &tests[cnt].input[i], 1); + SHA256_Final(sum, &ctx); + if (memcmp(tests[cnt].result, sum, 32) != 0) { + for (i = 0; i < 32; i++) + printf("%02X", tests[cnt].result[i]); + printf("\n"); + for (i = 0; i < 32; i++) + printf("%02X", sum[i]); + printf("\n"); + printf("test %d run %d failed\n", cnt, 2); + result = 1; + } + } + + /* Test vector from FIPS 180-2: appendix B.3. */ + char buf[1000]; + + memset(buf, 'a', sizeof(buf)); + SHA256_Init(&ctx); + for (i = 0; i < 1000; ++i) + SHA256_Update(&ctx, buf, sizeof(buf)); + SHA256_Final(sum, &ctx); + static const char expected[32] = + "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" + "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0"; + + if (memcmp(expected, sum, 32) != 0) { + printf("test %d failed\n", cnt); + result = 1; + } + + for (cnt = 0; cnt < ntests2; ++cnt) { + char *cp = crypt_sha256(tests2[cnt].input, tests2[cnt].salt); + + if (strcmp(cp, tests2[cnt].expected) != 0) { + printf("test %d: expected \"%s\", got \"%s\"\n", + cnt, tests2[cnt].expected, cp); + result = 1; + } + } + + if (result == 0) + puts("all tests OK"); + + return result; +} + +#endif /* TEST */ diff --git a/lib/libcrypt/crypt-sha512.c b/lib/libcrypt/crypt-sha512.c new file mode 100644 index 0000000..8e0054f --- /dev/null +++ b/lib/libcrypt/crypt-sha512.c @@ -0,0 +1,500 @@ +/* + * Copyright (c) 2011 The FreeBSD Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* Based on: + * SHA512-based Unix crypt implementation. Released into the Public Domain by + * Ulrich Drepper <drepper@redhat.com>. */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/endian.h> +#include <sys/param.h> + +#include <errno.h> +#include <limits.h> +#include <sha512.h> +#include <stdbool.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "crypt.h" + +/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ +static const char sha512_salt_prefix[] = "$6$"; + +/* Prefix for optional rounds specification. */ +static const char sha512_rounds_prefix[] = "rounds="; + +/* Maximum salt string length. */ +#define SALT_LEN_MAX 16 +/* Default number of rounds if not explicitly specified. */ +#define ROUNDS_DEFAULT 5000 +/* Minimum number of rounds. */ +#define ROUNDS_MIN 1000 +/* Maximum number of rounds. */ +#define ROUNDS_MAX 999999999 + +static char * +crypt_sha512_r(const char *key, const char *salt, char *buffer, int buflen) +{ + u_long srounds; + int n; + uint8_t alt_result[64], temp_result[64]; + SHA512_CTX ctx, alt_ctx; + size_t salt_len, key_len, cnt, rounds; + char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp; + const char *num; + bool rounds_custom; + + copied_key = NULL; + copied_salt = NULL; + + /* Default number of rounds. */ + rounds = ROUNDS_DEFAULT; + rounds_custom = false; + + /* Find beginning of salt string. The prefix should normally always + * be present. Just in case it is not. */ + if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) + /* Skip salt prefix. */ + salt += sizeof(sha512_salt_prefix) - 1; + + if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) + == 0) { + num = salt + sizeof(sha512_rounds_prefix) - 1; + srounds = strtoul(num, &endp, 10); + + if (*endp == '$') { + salt = endp + 1; + rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX)); + rounds_custom = true; + } + } + + salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); + key_len = strlen(key); + + /* Prepare for the real work. */ + SHA512_Init(&ctx); + + /* Add the key string. */ + SHA512_Update(&ctx, key, key_len); + + /* The last part is the salt string. This must be at most 8 + * characters and it ends at the first `$' character (for + * compatibility with existing implementations). */ + SHA512_Update(&ctx, salt, salt_len); + + /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The + * final result will be added to the first context. */ + SHA512_Init(&alt_ctx); + + /* Add key. */ + SHA512_Update(&alt_ctx, key, key_len); + + /* Add salt. */ + SHA512_Update(&alt_ctx, salt, salt_len); + + /* Add key again. */ + SHA512_Update(&alt_ctx, key, key_len); + + /* Now get result of this (64 bytes) and add it to the other context. */ + SHA512_Final(alt_result, &alt_ctx); + + /* Add for any character in the key one byte of the alternate sum. */ + for (cnt = key_len; cnt > 64; cnt -= 64) + SHA512_Update(&ctx, alt_result, 64); + SHA512_Update(&ctx, alt_result, cnt); + + /* Take the binary representation of the length of the key and for + * every 1 add the alternate sum, for every 0 the key. */ + for (cnt = key_len; cnt > 0; cnt >>= 1) + if ((cnt & 1) != 0) + SHA512_Update(&ctx, alt_result, 64); + else + SHA512_Update(&ctx, key, key_len); + + /* Create intermediate result. */ + SHA512_Final(alt_result, &ctx); + + /* Start computation of P byte sequence. */ + SHA512_Init(&alt_ctx); + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < key_len; ++cnt) + SHA512_Update(&alt_ctx, key, key_len); + + /* Finish the digest. */ + SHA512_Final(temp_result, &alt_ctx); + + /* Create byte sequence P. */ + cp = p_bytes = alloca(key_len); + for (cnt = key_len; cnt >= 64; cnt -= 64) { + memcpy(cp, temp_result, 64); + cp += 64; + } + memcpy(cp, temp_result, cnt); + + /* Start computation of S byte sequence. */ + SHA512_Init(&alt_ctx); + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + SHA512_Update(&alt_ctx, salt, salt_len); + + /* Finish the digest. */ + SHA512_Final(temp_result, &alt_ctx); + + /* Create byte sequence S. */ + cp = s_bytes = alloca(salt_len); + for (cnt = salt_len; cnt >= 64; cnt -= 64) { + memcpy(cp, temp_result, 64); + cp += 64; + } + memcpy(cp, temp_result, cnt); + + /* Repeatedly run the collected hash value through SHA512 to burn CPU + * cycles. */ + for (cnt = 0; cnt < rounds; ++cnt) { + /* New context. */ + SHA512_Init(&ctx); + + /* Add key or last result. */ + if ((cnt & 1) != 0) + SHA512_Update(&ctx, p_bytes, key_len); + else + SHA512_Update(&ctx, alt_result, 64); + + /* Add salt for numbers not divisible by 3. */ + if (cnt % 3 != 0) + SHA512_Update(&ctx, s_bytes, salt_len); + + /* Add key for numbers not divisible by 7. */ + if (cnt % 7 != 0) + SHA512_Update(&ctx, p_bytes, key_len); + + /* Add key or last result. */ + if ((cnt & 1) != 0) + SHA512_Update(&ctx, alt_result, 64); + else + SHA512_Update(&ctx, p_bytes, key_len); + + /* Create intermediate result. */ + SHA512_Final(alt_result, &ctx); + } + + /* Now we can construct the result string. It consists of three + * parts. */ + cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen)); + buflen -= sizeof(sha512_salt_prefix) - 1; + + if (rounds_custom) { + n = snprintf(cp, MAX(0, buflen), "%s%zu$", + sha512_rounds_prefix, rounds); + + cp += n; + buflen -= n; + } + + cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len)); + buflen -= MIN((size_t)MAX(0, buflen), salt_len); + + if (buflen > 0) { + *cp++ = '$'; + --buflen; + } + + b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp); + b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp); + b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp); + b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp); + b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp); + b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp); + b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp); + b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp); + b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp); + b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp); + b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp); + b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp); + b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp); + b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp); + b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp); + b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp); + b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp); + b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp); + b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp); + b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp); + b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp); + b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp); + + if (buflen <= 0) { + errno = ERANGE; + buffer = NULL; + } + else + *cp = '\0'; /* Terminate the string. */ + + /* Clear the buffer for the intermediate result so that people + * attaching to processes or reading core dumps cannot get any + * information. We do it in this way to clear correct_words[] inside + * the SHA512 implementation as well. */ + SHA512_Init(&ctx); + SHA512_Final(alt_result, &ctx); + memset(temp_result, '\0', sizeof(temp_result)); + memset(p_bytes, '\0', key_len); + memset(s_bytes, '\0', salt_len); + memset(&ctx, '\0', sizeof(ctx)); + memset(&alt_ctx, '\0', sizeof(alt_ctx)); + if (copied_key != NULL) + memset(copied_key, '\0', key_len); + if (copied_salt != NULL) + memset(copied_salt, '\0', salt_len); + + return buffer; +} + +/* This entry point is equivalent to crypt(3). */ +char * +crypt_sha512(const char *key, const char *salt) +{ + /* We don't want to have an arbitrary limit in the size of the + * password. We can compute an upper bound for the size of the + * result in advance and so we can prepare the buffer we pass to + * `crypt_sha512_r'. */ + static char *buffer; + static int buflen; + int needed; + char *new_buffer; + + needed = (sizeof(sha512_salt_prefix) - 1 + + sizeof(sha512_rounds_prefix) + 9 + 1 + + strlen(salt) + 1 + 86 + 1); + + if (buflen < needed) { + new_buffer = (char *)realloc(buffer, needed); + + if (new_buffer == NULL) + return NULL; + + buffer = new_buffer; + buflen = needed; + } + + return crypt_sha512_r(key, salt, buffer, buflen); +} + +#ifdef TEST + +static const struct { + const char *input; + const char result[64]; +} tests[] = +{ + /* Test vectors from FIPS 180-2: appendix C.1. */ + { + "abc", + "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31" + "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a" + "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd" + "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" + }, + /* Test vectors from FIPS 180-2: appendix C.2. */ + { + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" + "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", + "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f" + "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18" + "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a" + "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" + }, + /* Test vectors from the NESSIE project. */ + { + "", + "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07" + "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce" + "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f" + "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" + }, + { + "a", + "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2" + "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53" + "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46" + "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" + }, + { + "message digest", + "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51" + "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33" + "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20" + "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" + }, + { + "abcdefghijklmnopqrstuvwxyz", + "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81" + "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29" + "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59" + "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" + }, + { + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", + "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16" + "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35" + "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0" + "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" + }, + { + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93" + "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4" + "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab" + "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" + }, + { + "123456789012345678901234567890123456789012345678901234567890" + "12345678901234567890", + "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95" + "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a" + "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1" + "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" + } +}; + +#define ntests (sizeof (tests) / sizeof (tests[0])) + +static const struct { + const char *salt; + const char *input; + const char *expected; +} tests2[] = +{ + { + "$6$saltstring", "Hello world!", + "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" + "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" + }, + { + "$6$rounds=10000$saltstringsaltstring", "Hello world!", + "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb" + "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." + }, + { + "$6$rounds=5000$toolongsaltstring", "This is just a test", + "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ" + "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" + }, + { + "$6$rounds=1400$anotherlongsaltstring", + "a very much longer text to encrypt. This one even stretches over more" + "than one line.", + "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP" + "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" + }, + { + "$6$rounds=77777$short", + "we have a short salt string but not a short password", + "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g" + "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" + }, + { + "$6$rounds=123456$asaltof16chars..", "a short string", + "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc" + "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" + }, + { + "$6$rounds=10$roundstoolow", "the minimum number is still observed", + "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x" + "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." + }, +}; + +#define ntests2 (sizeof (tests2) / sizeof (tests2[0])) + +int +main(void) +{ + SHA512_CTX ctx; + uint8_t sum[64]; + int result = 0; + int i, cnt; + + for (cnt = 0; cnt < (int)ntests; ++cnt) { + SHA512_Init(&ctx); + SHA512_Update(&ctx, tests[cnt].input, strlen(tests[cnt].input)); + SHA512_Final(sum, &ctx); + if (memcmp(tests[cnt].result, sum, 64) != 0) { + printf("test %d run %d failed\n", cnt, 1); + result = 1; + } + + SHA512_Init(&ctx); + for (i = 0; tests[cnt].input[i] != '\0'; ++i) + SHA512_Update(&ctx, &tests[cnt].input[i], 1); + SHA512_Final(sum, &ctx); + if (memcmp(tests[cnt].result, sum, 64) != 0) { + printf("test %d run %d failed\n", cnt, 2); + result = 1; + } + } + + /* Test vector from FIPS 180-2: appendix C.3. */ + char buf[1000]; + + memset(buf, 'a', sizeof(buf)); + SHA512_Init(&ctx); + for (i = 0; i < 1000; ++i) + SHA512_Update(&ctx, buf, sizeof(buf)); + SHA512_Final(sum, &ctx); + static const char expected[64] = + "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63" + "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb" + "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b" + "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b"; + + if (memcmp(expected, sum, 64) != 0) { + printf("test %d failed\n", cnt); + result = 1; + } + + for (cnt = 0; cnt < ntests2; ++cnt) { + char *cp = crypt_sha512(tests2[cnt].input, tests2[cnt].salt); + + if (strcmp(cp, tests2[cnt].expected) != 0) { + printf("test %d: expected \"%s\", got \"%s\"\n", + cnt, tests2[cnt].expected, cp); + result = 1; + } + } + + if (result == 0) + puts("all tests OK"); + + return result; +} + +#endif /* TEST */ diff --git a/lib/libcrypt/crypt.3 b/lib/libcrypt/crypt.3 new file mode 100644 index 0000000..949a7a7 --- /dev/null +++ b/lib/libcrypt/crypt.3 @@ -0,0 +1,310 @@ +.\" FreeSec: libcrypt for NetBSD +.\" +.\" Copyright (c) 1994 David Burren +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 4. Neither the name of the author nor the names of other contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd April 9, 2011 +.Dt CRYPT 3 +.Os +.Sh NAME +.Nm crypt +.Nd Trapdoor encryption +.Sh LIBRARY +.Lb libcrypt +.Sh SYNOPSIS +.In unistd.h +.Ft char * +.Fn crypt "const char *key" "const char *salt" +.Ft const char * +.Fn crypt_get_format "void" +.Ft int +.Fn crypt_set_format "const char *string" +.Sh DESCRIPTION +The +.Fn crypt +function performs password hashing with additional code added to +deter key search attempts. +Different algorithms can be used to +in the hash. +.\" +.\" NOTICE: +.\" If you add more algorithms, make sure to update this list +.\" and the default used for the Traditional format, below. +.\" +Currently these include the +.Tn NBS +.Tn Data Encryption Standard (DES) , +.Tn MD5 +hash, +.Tn NT-Hash +(compatible with Microsoft's NT scheme) +and +.Tn Blowfish . +The algorithm used will depend upon the format of the Salt (following +the Modular Crypt Format (MCF)), if +.Tn DES +and/or +.Tn Blowfish +is installed or not, and whether +.Fn crypt_set_format +has been called to change the default. +.Pp +The first argument to +.Nm +is the data to hash (usually a password), in a +.Dv null Ns -terminated +string. +The second is the salt, in one of three forms: +.Pp +.Bl -tag -width Traditional -compact -offset indent +.It Extended +If it begins with an underscore +.Pq Dq _ +then the +.Tn DES +Extended Format +is used in interpreting both the key and the salt, as outlined below. +.It Modular +If it begins with the string +.Dq $digit$ +then the Modular Crypt Format is used, as outlined below. +.It Traditional +If neither of the above is true, it assumes the Traditional Format, +using the entire string as the salt (or the first portion). +.El +.Pp +All routines are designed to be time-consuming. +A brief test on a +.Tn Pentium +166/MMX shows the +.Tn DES +crypt to do approximately 2640 crypts +a CPU second and MD5 to do about 62 crypts a CPU second. +.Ss DES Extended Format: +The +.Ar key +is divided into groups of 8 characters (the last group is null-padded) +and the low-order 7 bits of each character (56 bits per group) are +used to form the +.Tn DES +key as follows: +the first group of 56 bits becomes the initial +.Tn DES +key. +For each additional group, the XOR of the encryption of the current +.Tn DES +key with itself and the group bits becomes the next +.Tn DES +key. +.Pp +The salt is a 9-character array consisting of an underscore followed +by 4 bytes of iteration count and 4 bytes of salt. +These are encoded as printable characters, 6 bits per character, +least significant character first. +The values 0 to 63 are encoded as ``./0-9A-Za-z''. +This allows 24 bits for both +.Fa count +and +.Fa salt . +.Pp +The +.Fa salt +introduces disorder in the +.Tn DES +algorithm in one of 16777216 or 4096 possible ways +(i.e., with 24 or 12 bits: if bit +.Em i +of the +.Ar salt +is set, then bits +.Em i +and +.Em i+24 +are swapped in the +.Tn DES +E-box output). +.Pp +The +.Tn DES +key is used to encrypt a 64-bit constant using +.Ar count +iterations of +.Tn DES . +The value returned is a +.Dv null Ns -terminated +string, 20 or 13 bytes (plus null) in length, consisting of the +.Ar salt +followed by the encoded 64-bit encryption. +.Ss "Modular" crypt: +If the salt begins with the string +.Fa $digit$ +then the Modular Crypt Format is used. +The +.Fa digit +represents which algorithm is used in encryption. +Following the token is +the actual salt to use in the encryption. +The length of the salt is limited +to 8 characters--because the length of the returned output is also limited +(_PASSWORD_LEN). +The salt must be terminated with the end of the string +(NULL) or a dollar sign. +Any characters after the dollar sign are ignored. +.Pp +Currently supported algorithms are: +.Pp +.Bl -enum -compact -offset indent +.It +MD5 +.It +Blowfish +.It +NT-Hash +.It +(unused) +.It +SHA-256 +.It +SHA-512 +.El +.Pp +Other crypt formats may be easily added. +An example salt would be: +.Bl -tag -offset indent +.It Cm "$4$thesalt$rest" +.El +.Ss "Traditional" crypt: +The algorithm used will depend upon whether +.Fn crypt_set_format +has been called and whether a global default format has been specified. +Unless a global default has been specified or +.Fn crypt_set_format +has set the format to something else, the built-in default format is +used. +This is currently +.\" +.\" NOTICE: Also make sure to update this +.\" +DES +if it is available, or MD5 if not. +.Pp +How the salt is used will depend upon the algorithm for the hash. +For +best results, specify at least two characters of salt. +.Pp +The +.Fn crypt_get_format +function returns a constant string that represents the name of the +algorithm currently used. +Valid values are +.\" +.\" NOTICE: Also make sure to update this, too, as well +.\" +.Ql des , +.Ql blf , +.Ql md5 , +.Ql sha256 , +.Ql sha512 +and +.Ql nth . +.Pp +The +.Fn crypt_set_format +function sets the default encoding format according to the supplied +.Fa string . +.Pp +The global default format can be set using the +.Pa /etc/auth.conf +file using the +.Va crypt_default +property. +.Sh RETURN VALUES +The +.Fn crypt +function returns a pointer to the encrypted value on success, and NULL on +failure. +Note: this is not a standard behaviour, AT&T +.Fn crypt +will always return a pointer to a string. +.Pp +The +.Fn crypt_set_format +function will return 1 if the supplied encoding format was valid. +Otherwise, a value of 0 is returned. +.Sh SEE ALSO +.Xr login 1 , +.Xr passwd 1 , +.Xr auth_getval 3 , +.Xr getpass 3 , +.Xr auth.conf 5 , +.Xr passwd 5 +.Sh HISTORY +A rotor-based +.Fn crypt +function appeared in +.At v6 . +The current style +.Fn crypt +first appeared in +.At v7 . +.Pp +The +.Tn DES +section of the code (FreeSec 1.0) was developed outside the United +States of America as an unencumbered replacement for the U.S.-only +.Nx +libcrypt encryption library. +.Sh AUTHORS +.An -nosplit +Originally written by +.An David Burren Aq davidb@werj.com.au , +later additions and changes by +.An Poul-Henning Kamp , +.An Mark R V Murray , +.An Michael Bretterklieber , +.An Kris Kennaway , +.An Brian Feldman , +.An Paul Herman +and +.An Niels Provos . +.Sh BUGS +The +.Fn crypt +function returns a pointer to static data, and subsequent calls to +.Fn crypt +will modify the same data. +Likewise, +.Fn crypt_set_format +modifies static data. +.Pp +The NT-hash scheme does not use a salt, +and is not hard +for a competent attacker +to break. +Its use is not recommended. diff --git a/lib/libcrypt/crypt.c b/lib/libcrypt/crypt.c new file mode 100644 index 0000000..b949a48 --- /dev/null +++ b/lib/libcrypt/crypt.c @@ -0,0 +1,141 @@ +/* + * Copyright (c) 1999 + * Mark Murray. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL MARK MURRAY OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> +#include <string.h> +#include <libutil.h> +#include <unistd.h> +#include "crypt.h" + +static const struct { + const char *const name; + char *(*const func)(const char *, const char *); + const char *const magic; +} crypt_types[] = { +#ifdef HAS_DES + { + "des", + crypt_des, + NULL + }, +#endif + { + "md5", + crypt_md5, + "$1$" + }, +#ifdef HAS_BLOWFISH + { + "blf", + crypt_blowfish, + "$2" + }, +#endif + { + "nth", + crypt_nthash, + "$3$" + }, + { + "sha256", + crypt_sha256, + "$5$" + }, + { + "sha512", + crypt_sha512, + "$6$" + }, + { + NULL, + NULL, + NULL + } +}; + +static int crypt_type = -1; + +static void +crypt_setdefault(void) +{ + char *def; + size_t i; + + if (crypt_type != -1) + return; + def = auth_getval("crypt_default"); + if (def == NULL) { + crypt_type = 0; + return; + } + for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) { + if (strcmp(def, crypt_types[i].name) == 0) { + crypt_type = (int)i; + return; + } + } + crypt_type = 0; +} + +const char * +crypt_get_format(void) +{ + + crypt_setdefault(); + return (crypt_types[crypt_type].name); +} + +int +crypt_set_format(const char *type) +{ + size_t i; + + crypt_setdefault(); + for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) { + if (strcmp(type, crypt_types[i].name) == 0) { + crypt_type = (int)i; + return (1); + } + } + return (0); +} + +char * +crypt(const char *passwd, const char *salt) +{ + size_t i; + + crypt_setdefault(); + for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) { + if (crypt_types[i].magic != NULL && strncmp(salt, + crypt_types[i].magic, strlen(crypt_types[i].magic)) == 0) + return (crypt_types[i].func(passwd, salt)); + } + return (crypt_types[crypt_type].func(passwd, salt)); +} diff --git a/lib/libcrypt/crypt.h b/lib/libcrypt/crypt.h new file mode 100644 index 0000000..b33ad09 --- /dev/null +++ b/lib/libcrypt/crypt.h @@ -0,0 +1,43 @@ +/* LINTLIBRARY */ +/* + * Copyright (c) 1999 + * Mark Murray. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL MARK MURRAY OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + * + */ + +/* magic sizes */ +#define MD4_SIZE 16 +#define MD5_SIZE 16 + +char *crypt_des(const char *pw, const char *salt); +char *crypt_md5(const char *pw, const char *salt); +char *crypt_nthash(const char *pw, const char *salt); +char *crypt_blowfish(const char *pw, const char *salt); +char *crypt_sha256 (const char *pw, const char *salt); +char *crypt_sha512 (const char *pw, const char *salt); + +extern void _crypt_to64(char *s, u_long v, int n); +extern void b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp); diff --git a/lib/libcrypt/misc.c b/lib/libcrypt/misc.c new file mode 100644 index 0000000..0f63ce0 --- /dev/null +++ b/lib/libcrypt/misc.c @@ -0,0 +1,63 @@ +/* + * Copyright (c) 1999 + * University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the author nor the names of any co-contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY CONTRIBUTORS ``AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/types.h> + +#include "crypt.h" + +static char itoa64[] = /* 0 ... 63 => ascii - 64 */ + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +void +_crypt_to64(char *s, u_long v, int n) +{ + while (--n >= 0) { + *s++ = itoa64[v&0x3f]; + v >>= 6; + } +} + +void +b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp) +{ + uint32_t w; + int i; + + w = (B2 << 16) | (B1 << 8) | B0; + for (i = 0; i < n; i++) { + **cp = itoa64[w&0x3f]; + (*cp)++; + if ((*buflen)-- < 0) + break; + w >>= 6; + } +} |
