]> git.proxmox.com Git - efi-boot-shim.git/blame - crypt_blowfish.c
projects / efi-boot-shim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fix nit
[efi-boot-shim.git] / crypt_blowfish.c
CommitLineData
2b283bb0 1// SPDX-License-Identifier: BSD-2-Clause-Patent
83d1c306
GCPL		 2/*
3 * The crypt_blowfish homepage is:
4 *
5 * http://www.openwall.com/crypt/
6 *
7 * This code comes from John the Ripper password cracker, with reentrant
8 * and crypt(3) interfaces added, but optimizations specific to password
9 * cracking removed.
10 *
11 * Written by Solar Designer <solar at openwall.com> in 1998-2011.
12 * No copyright is claimed, and the software is hereby placed in the public
13 * domain. In case this attempt to disclaim copyright and place the software
14 * in the public domain is deemed null and void, then the software is
15 * Copyright (c) 1998-2011 Solar Designer and it is hereby released to the
16 * general public under the following terms:
17 *
18 * Redistribution and use in source and binary forms, with or without
19 * modification, are permitted.
20 *
21 * There's ABSOLUTELY NO WARRANTY, express or implied.
22 *
23 * It is my intent that you should be able to use this on your system,
24 * as part of a software package, or anywhere else to improve security,
25 * ensure compatibility, or for any other purpose. I would appreciate
26 * it if you give credit where it is due and keep your modifications in
27 * the public domain as well, but I don't require that in order to let
28 * you place this code and any modifications you make under a license
29 * of your choice.
30 *
31 * This implementation is mostly compatible with OpenBSD's bcrypt.c (prefix
32 * "$2a$") by Niels Provos <provos at citi.umich.edu>, and uses some of his
33 * ideas. The password hashing algorithm was designed by David Mazieres
34 * <dm at lcs.mit.edu>. For more information on the level of compatibility,
35 * prefer refer to the comments in BF_set_key() below and to the included
36 * crypt(3) man page.
37 *
38 * There's a paper on the algorithm that explains its design decisions:
39 *
40 * http://www.usenix.org/events/usenix99/provos.html
41 *
42 * Some of the tricks in BF_ROUND might be inspired by Eric Young's
43 * Blowfish library (I can't be sure if I would think of something if I
44 * hadn't seen his code).
45 */
46
47#include <efi.h>
48#include <efilib.h>
49
50/* Just to make sure the prototypes match the actual definitions */
dc62a3c4 51#include "shim.h"
83d1c306
GCPL		 52
53typedef unsigned int BF_word;
54typedef signed int BF_word_signed;
55
56/* Number of Blowfish rounds, this is also hardcoded into a few places */
57#define BF_N 16
58
59typedef BF_word BF_key[BF_N + 2];
60
61typedef struct {
62 BF_word S[4][0x100];
63 BF_key P;
64} BF_ctx;
65
66/*
67 * Magic IV for 64 Blowfish encryptions that we do at the end.
68 * The string is "OrpheanBeholderScryDoubt" on big-endian.
69 */
70static BF_word BF_magic_w[6] = {
71 0x4F727068, 0x65616E42, 0x65686F6C,
72 0x64657253, 0x63727944, 0x6F756274
73};
74
75/*
76 * P-box and S-box tables initialized with digits of Pi.
77 */
78static BF_ctx BF_init_state = {
79 {
80 {
81 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
82 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
83 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
84 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
85 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
86 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
87 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
88 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
89 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
90 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
91 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
92 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
93 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
94 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
95 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
96 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
97 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
98 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
99 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
100 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
101 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
102 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
103 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
104 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
105 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
106 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
107 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
108 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
109 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
110 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
111 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
112 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
113 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
114 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
115 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
116 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
117 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
118 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
119 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
120 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
121 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
122 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
123 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
124 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
125 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
126 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
127 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
128 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
129 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
130 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
131 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
132 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
133 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
134 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
135 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
136 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
137 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
138 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
139 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
140 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
141 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
142 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
143 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
144 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
145 }, {
146 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
147 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
148 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
149 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
150 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
151 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
152 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
153 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
154 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
155 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
156 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
157 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
158 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
159 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
160 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
161 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
162 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
163 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
164 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
165 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
166 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
167 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
168 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
169 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
170 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
171 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
172 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
173 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
174 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
175 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
176 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
177 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
178 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
179 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
180 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
181 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
182 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
183 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
184 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
185 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
186 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
187 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
188 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
189 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
190 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
191 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
192 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
193 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
194 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
195 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
196 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
197 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
198 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
199 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
200 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
201 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
202 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
203 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
204 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
205 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
206 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
207 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
208 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
209 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
210 }, {
211 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
212 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
213 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
214 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
215 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
216 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
217 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
218 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
219 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
220 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
221 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
222 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
223 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
224 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
225 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
226 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
227 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
228 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
229 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
230 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
231 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
232 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
233 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
234 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
235 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
236 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
237 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
238 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
239 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
240 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
241 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
242 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
243 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
244 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
245 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
246 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
247 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
248 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
249 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
250 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
251 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
252 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
253 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
254 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
255 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
256 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
257 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
258 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
259 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
260 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
261 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
262 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
263 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
264 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
265 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
266 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
267 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
268 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
269 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
270 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
271 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
272 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
273 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
274 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
275 }, {
276 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
277 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
278 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
279 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
280 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
281 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
282 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
283 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
284 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
285 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
286 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
287 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
288 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
289 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
290 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
291 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
292 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
293 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
294 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
295 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
296 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
297 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
298 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
299 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
300 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
301 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
302 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
303 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
304 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
305 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
306 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
307 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
308 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
309 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
310 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
311 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
312 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
313 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
314 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
315 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
316 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
317 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
318 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
319 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
320 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
321 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
322 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
323 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
324 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
325 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
326 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
327 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
328 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
329 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
330 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
331 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
332 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
333 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
334 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
335 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
336 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
337 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
338 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
339 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
340 }
341 }, {
342 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
343 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
344 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
345 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
346 0x9216d5d9, 0x8979fb1b
347 }
348};
349
350static unsigned char BF_itoa64[64 + 1] =
351 "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
352
353static unsigned char BF_atoi64[0x60] = {
354 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
355 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
356 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
357 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
358 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
359 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
360};
361
362#define BF_safe_atoi64(dst, src) \
363{ \
364 tmp = (unsigned char)(src); \
365 if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
366 tmp = BF_atoi64[tmp]; \
367 if (tmp > 63) return -1; \
368 (dst) = tmp; \
369}
370
371static int BF_decode(BF_word *dst, const char *src, int size)
372{
373 unsigned char *dptr = (unsigned char *)dst;
374 unsigned char *end = dptr + size;
375 const unsigned char *sptr = (const unsigned char *)src;
376 unsigned int tmp, c1, c2, c3, c4;
377
378 do {
379 BF_safe_atoi64(c1, *sptr++);
380 BF_safe_atoi64(c2, *sptr++);
381 *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
382 if (dptr >= end) break;
383
384 BF_safe_atoi64(c3, *sptr++);
385 *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
386 if (dptr >= end) break;
387
388 BF_safe_atoi64(c4, *sptr++);
389 *dptr++ = ((c3 & 0x03) << 6) | c4;
390 } while (dptr < end);
391
392 return 0;
393}
394
395static void BF_encode(char *dst, const BF_word *src, int size)
396{
397 const unsigned char *sptr = (const unsigned char *)src;
398 const unsigned char *end = sptr + size;
399 unsigned char *dptr = (unsigned char *)dst;
400 unsigned int c1, c2;
401
402 do {
403 c1 = *sptr++;
404 *dptr++ = BF_itoa64[c1 >> 2];
405 c1 = (c1 & 0x03) << 4;
406 if (sptr >= end) {
407 *dptr++ = BF_itoa64[c1];
408 break;
409 }
410
411 c2 = *sptr++;
412 c1 |= c2 >> 4;
413 *dptr++ = BF_itoa64[c1];
414 c1 = (c2 & 0x0f) << 2;
415 if (sptr >= end) {
416 *dptr++ = BF_itoa64[c1];
417 break;
418 }
419
420 c2 = *sptr++;
421 c1 |= c2 >> 6;
422 *dptr++ = BF_itoa64[c1];
423 *dptr++ = BF_itoa64[c2 & 0x3f];
424 } while (sptr < end);
425}
426
427static void BF_swap(BF_word *x, int count)
428{
429 static int endianness_check = 1;
430 char *is_little_endian = (char *)&endianness_check;
431 BF_word tmp;
432
433 if (*is_little_endian)
434 do {
435 tmp = *x;
436 tmp = (tmp << 16) | (tmp >> 16);
437 *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
438 } while (--count);
439}
440
441/* Architectures which can shift addresses left by 2 bits with no extra cost */
442#define BF_ROUND(L, R, N) \
443 tmp1 = L & 0xFF; \
444 tmp2 = L >> 8; \
445 tmp2 &= 0xFF; \
446 tmp3 = L >> 16; \
447 tmp3 &= 0xFF; \
448 tmp4 = L >> 24; \
449 tmp1 = data.ctx.S[3][tmp1]; \
450 tmp2 = data.ctx.S[2][tmp2]; \
451 tmp3 = data.ctx.S[1][tmp3]; \
452 tmp3 += data.ctx.S[0][tmp4]; \
453 tmp3 ^= tmp2; \
454 R ^= data.ctx.P[N + 1]; \
455 tmp3 += tmp1; \
456 R ^= tmp3;
457
458/*
459 * Encrypt one block, BF_N is hardcoded here.
460 */
461#define BF_ENCRYPT \
462 L ^= data.ctx.P[0]; \
463 BF_ROUND(L, R, 0); \
464 BF_ROUND(R, L, 1); \
465 BF_ROUND(L, R, 2); \
466 BF_ROUND(R, L, 3); \
467 BF_ROUND(L, R, 4); \
468 BF_ROUND(R, L, 5); \
469 BF_ROUND(L, R, 6); \
470 BF_ROUND(R, L, 7); \
471 BF_ROUND(L, R, 8); \
472 BF_ROUND(R, L, 9); \
473 BF_ROUND(L, R, 10); \
474 BF_ROUND(R, L, 11); \
475 BF_ROUND(L, R, 12); \
476 BF_ROUND(R, L, 13); \
477 BF_ROUND(L, R, 14); \
478 BF_ROUND(R, L, 15); \
479 tmp4 = R; \
480 R = L; \
481 L = tmp4 ^ data.ctx.P[BF_N + 1];
482
483#define BF_body() \
484 L = R = 0; \
485 ptr = data.ctx.P; \
486 do { \
487 ptr += 2; \
488 BF_ENCRYPT; \
489 *(ptr - 2) = L; \
490 *(ptr - 1) = R; \
491 } while (ptr < &data.ctx.P[BF_N + 2]); \
492\
493 ptr = data.ctx.S[0]; \
494 do { \
495 ptr += 2; \
496 BF_ENCRYPT; \
497 *(ptr - 2) = L; \
498 *(ptr - 1) = R; \
499 } while (ptr < &data.ctx.S[3][0xFF]);
500
501static void BF_set_key(const char *key, BF_key expanded, BF_key initial,
502 unsigned char flags)
503{
504 const char *ptr = key;
505 unsigned int bug, i, j;
506 BF_word safety, sign, diff, tmp[2];
507
508/*
509 * There was a sign extension bug in older revisions of this function. While
510 * we would have liked to simply fix the bug and move on, we have to provide
511 * a backwards compatibility feature (essentially the bug) for some systems and
512 * a safety measure for some others. The latter is needed because for certain
513 * multiple inputs to the buggy algorithm there exist easily found inputs to
514 * the correct algorithm that produce the same hash. Thus, we optionally
515 * deviate from the correct algorithm just enough to avoid such collisions.
516 * While the bug itself affected the majority of passwords containing
517 * characters with the 8th bit set (although only a percentage of those in a
518 * collision-producing way), the anti-collision safety measure affects
519 * only a subset of passwords containing the '\xff' character (not even all of
520 * those passwords, just some of them). This character is not found in valid
521 * UTF-8 sequences and is rarely used in popular 8-bit character encodings.
522 * Thus, the safety measure is unlikely to cause much annoyance, and is a
523 * reasonable tradeoff to use when authenticating against existing hashes that
524 * are not reliably known to have been computed with the correct algorithm.
525 *
526 * We use an approach that tries to minimize side-channel leaks of password
527 * information - that is, we mostly use fixed-cost bitwise operations instead
528 * of branches or table lookups. (One conditional branch based on password
529 * length remains. It is not part of the bug aftermath, though, and is
530 * difficult and possibly unreasonable to avoid given the use of C strings by
531 * the caller, which results in similar timing leaks anyway.)
532 *
533 * For actual implementation, we set an array index in the variable "bug"
534 * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
535 * variable "safety" (bit 16 is set when the safety measure is requested).
536 * Valid combinations of settings are:
537 *
538 * Prefix "$2a$": bug = 0, safety = 0x10000
539 * Prefix "$2x$": bug = 1, safety = 0
540 * Prefix "$2y$": bug = 0, safety = 0
541 */
542 bug = (unsigned int)flags & 1;
543 safety = ((BF_word)flags & 2) << 15;
544
545 sign = diff = 0;
546
547 for (i = 0; i < BF_N + 2; i++) {
548 tmp[0] = tmp[1] = 0;
549 for (j = 0; j < 4; j++) {
550 tmp[0] <<= 8;
551 tmp[0] |= (unsigned char)*ptr; /* correct */
552 tmp[1] <<= 8;
553 tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */
554/*
555 * Sign extension in the first char has no effect - nothing to overwrite yet,
556 * and those extra 24 bits will be fully shifted out of the 32-bit word. For
557 * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
558 * extension in tmp[1] occurs. Once this flag is set, it remains set.
559 */
560 if (j)
561 sign |= tmp[1] & 0x80;
562 if (!*ptr)
563 ptr = key;
564 else
565 ptr++;
566 }
567 diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
568
569 expanded[i] = tmp[bug];
570 initial[i] = BF_init_state.P[i] ^ tmp[bug];
571 }
572
573/*
574 * At this point, "diff" is zero iff the correct and buggy algorithms produced
575 * exactly the same result. If so and if "sign" is non-zero, which indicates
576 * that there was a non-benign sign extension, this means that we have a
577 * collision between the correctly computed hash for this password and a set of
578 * passwords that could be supplied to the buggy algorithm. Our safety measure
579 * is meant to protect from such many-buggy to one-correct collisions, by
580 * deviating from the correct algorithm in such cases. Let's check for this.
581 */
582 diff |= diff >> 16; /* still zero iff exact match */
583 diff &= 0xffff; /* ditto */
584 diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */
585 sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
586 sign &= ~diff & safety; /* action needed? */
587
588/*
589 * If we have determined that we need to deviate from the correct algorithm,
590 * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but
591 * let's stick to it now. It came out of the approach we used above, and it's
592 * not any worse than any other choice we could make.)
593 *
594 * It is crucial that we don't do the same to the expanded key used in the main
595 * Eksblowfish loop. By doing it to only one of these two, we deviate from a
596 * state that could be directly specified by a password to the buggy algorithm
597 * (and to the fully correct one as well, but that's a side-effect).
598 */
599 initial[0] ^= sign;
600}
601
602static char *BF_crypt(const char *key, const char *setting,
603 char *output, int size,
604 BF_word min)
605{
606 static const unsigned char flags_by_subtype[26] =
607 {2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
608 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};
609 struct {
610 BF_ctx ctx;
611 BF_key expanded_key;
612 union {
613 BF_word salt[4];
614 BF_word output[6];
615 } binary;
616 } data;
617 BF_word L, R;
618 BF_word tmp1, tmp2, tmp3, tmp4;
619 BF_word *ptr;
620 BF_word count;
621 int i;
622
623 if (size < 7 + 22 + 31 + 1) {
624 return NULL;
625 }
626
627 if (setting[0] != '$' ||
628 setting[1] != '2' ||
629 setting[2] < 'a' || setting[2] > 'z' ||
630 !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
631 setting[3] != '$' ||
632 setting[4] < '0' || setting[4] > '3' ||
633 setting[5] < '0' || setting[5] > '9' ||
634 (setting[4] == '3' && setting[5] > '1') ||
635 setting[6] != '$') {
636 return NULL;
637 }
638
639 count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
640 if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
641 return NULL;
642 }
643 BF_swap(data.binary.salt, 4);
644
645 BF_set_key(key, data.expanded_key, data.ctx.P,
646 flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']);
647
648 CopyMem(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
649
650 L = R = 0;
651 for (i = 0; i < BF_N + 2; i += 2) {
652 L ^= data.binary.salt[i & 2];
653 R ^= data.binary.salt[(i & 2) + 1];
654 BF_ENCRYPT;
655 data.ctx.P[i] = L;
656 data.ctx.P[i + 1] = R;
657 }
658
659 ptr = data.ctx.S[0];
660 do {
661 ptr += 4;
662 L ^= data.binary.salt[(BF_N + 2) & 3];
663 R ^= data.binary.salt[(BF_N + 3) & 3];
664 BF_ENCRYPT;
665 *(ptr - 4) = L;
666 *(ptr - 3) = R;
667
668 L ^= data.binary.salt[(BF_N + 4) & 3];
669 R ^= data.binary.salt[(BF_N + 5) & 3];
670 BF_ENCRYPT;
671 *(ptr - 2) = L;
672 *(ptr - 1) = R;
673 } while (ptr < &data.ctx.S[3][0xFF]);
674
675 do {
676 int done;
677
678 for (i = 0; i < BF_N + 2; i += 2) {
679 data.ctx.P[i] ^= data.expanded_key[i];
680 data.ctx.P[i + 1] ^= data.expanded_key[i + 1];
681 }
682
683 done = 0;
684 do {
685 BF_body();
686 if (done)
687 break;
688 done = 1;
689
690 tmp1 = data.binary.salt[0];
691 tmp2 = data.binary.salt[1];
692 tmp3 = data.binary.salt[2];
693 tmp4 = data.binary.salt[3];
694 for (i = 0; i < BF_N; i += 4) {
695 data.ctx.P[i] ^= tmp1;
696 data.ctx.P[i + 1] ^= tmp2;
697 data.ctx.P[i + 2] ^= tmp3;
698 data.ctx.P[i + 3] ^= tmp4;
699 }
700 data.ctx.P[16] ^= tmp1;
701 data.ctx.P[17] ^= tmp2;
702 } while (1);
703 } while (--count);
704
705 for (i = 0; i < 6; i += 2) {
706 L = BF_magic_w[i];
707 R = BF_magic_w[i + 1];
708
709 count = 64;
710 do {
711 BF_ENCRYPT;
712 } while (--count);
713
714 data.binary.output[i] = L;
715 data.binary.output[i + 1] = R;
716 }
717
718 CopyMem(output, (void *)setting, 7 + 22 - 1);
719 output[7 + 22 - 1] = BF_itoa64[(int)
720 BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
721
722/* This has to be bug-compatible with the original implementation, so
723 * only encode 23 of the 24 bytes. :-) */
724 BF_swap(data.binary.output, 6);
725 BF_encode(&output[7 + 22], data.binary.output, 23);
726 output[7 + 22 + 31] = '\0';
727
728 return output;
729}
730
731int _crypt_output_magic(const char *setting, char *output, int size)
732{
733 if (size < 3)
734 return -1;
735
736 output[0] = '*';
737 output[1] = '0';
738 output[2] = '\0';
739
740 if (setting[0] == '*' && setting[1] == '0')
741 output[1] = '1';
742
743 return 0;
744}
745
746/*
747 * Please preserve the runtime self-test. It serves two purposes at once:
748 *
749 * 1. We really can't afford the risk of producing incompatible hashes e.g.
750 * when there's something like gcc bug 26587 again, whereas an application or
751 * library integrating this code might not also integrate our external tests or
752 * it might not run them after every build. Even if it does, the miscompile
753 * might only occur on the production build, but not on a testing build (such
754 * as because of different optimization settings). It is painful to recover
755 * from incorrectly-computed hashes - merely fixing whatever broke is not
756 * enough. Thus, a proactive measure like this self-test is needed.
757 *
758 * 2. We don't want to leave sensitive data from our actual password hash
759 * computation on the stack or in registers. Previous revisions of the code
760 * would do explicit cleanups, but simply running the self-test after hash
761 * computation is more reliable.
762 *
763 * The performance cost of this quick self-test is around 0.6% at the "$2a$08"
764 * setting.
765 */
766char *crypt_blowfish_rn(const char *key, const char *setting,
767 char *output, int size)
768{
769 const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
770 const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu";
771 static const char * const test_hash[2] =
772 {"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55", /* $2x$ */
773 "i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55"}; /* $2a$, $2y$ */
774 char *retval;
775 const char *p;
776 int ok;
777 struct {
778 char s[7 + 22 + 1];
779 char o[7 + 22 + 31 + 1 + 1 + 1];
780 } buf;
781
782/* Hash the supplied password */
783 _crypt_output_magic(setting, output, size);
784 retval = BF_crypt(key, setting, output, size, 16);
785
786/*
787 * Do a quick self-test. It is important that we make both calls to BF_crypt()
788 * from the same scope such that they likely use the same stack locations,
789 * which makes the second call overwrite the first call's sensitive data on the
790 * stack and makes it more likely that any alignment related issues would be
791 * detected by the self-test.
792 */
793 CopyMem(buf.s, (void *)test_setting, sizeof(buf.s));
794 if (retval)
795 buf.s[2] = setting[2];
796 SetMem(buf.o, sizeof(buf.o), 0x55);
797 buf.o[sizeof(buf.o) - 1] = 0;
798 p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);
799
800 ok = (p == buf.o &&
801 !CompareMem((void *)p, (void *)buf.s, 7 + 22) &&
802 !CompareMem((void *)(p + (7 + 22)),
803 (void *)test_hash[(unsigned int)(unsigned char)buf.s[2] & 1],
804 31 + 1 + 1 + 1));
805
806 {
807 const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
808 BF_key ae, ai, ye, yi;
809 BF_set_key(k, ae, ai, 2); /* $2a$ */
810 BF_set_key(k, ye, yi, 4); /* $2y$ */
811 ai[0] ^= 0x10000; /* undo the safety (for comparison) */
812 ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
813 !CompareMem(ae, ye, sizeof(ae)) &&
814 !CompareMem(ai, yi, sizeof(ai));
815 }
816
817 if (ok)
818 return retval;
819
820/* Should not happen */
821 _crypt_output_magic(setting, output, size);
822 return NULL;
823}
shim, a first-stage UEFI bootloader adapted for Proxmox projects