/* Password hasher for the LPC crypt() function. * * The hasher is based on the MD5 message digest algorithm. * In this module MD5 is implemented from scratch using RFC 1321. * RFC 1321 is ``The MD5 Message-Digest Algorithm'', by R. Rivest. * * Implemented by Fermat@Equilibria for MudOS. * * 970125: First version. * 970131: Added crunchbuffer() to allow the crypting of passwords * of (practically) arbitrary length -- custom_crypt() should now * never return NULL. * 970205: Added fix for little-endian systems (well, fix for 486 actually), * plus `reference results'. * * * Note: * * This should work equally on little- and big-endian, 16, 32 and 64 bit * systems alike (well, everywhere really), but I can't test it everywhere. * Please mail me if you can't reproduce any of the following results (and * are prepared to work out the fixes with me): * * key: "thing" * salt: "anhlklck!" * result: "anhlklck!ggddl`l`lg`bjblodlfcljdcnhffib`c" * * key: "this is a ridiculously long PW that nobody would really use" * salt: "saltstring" * result: "nahhdhfc!dhbeclbjk`llmhifc`jedo`adbdboc`k" * * key: "" * salt: "" * salt: "" * result: "ijegehja!j`kacklajkljde`od`ogdmlnbfl`bjfo" * * This doesn't apply, of course, if you change any of the settings * or any other code before trying this. * * =Fermat * */ #include "std.h" #include "port.h" #include "crypt.h" #ifdef CUSTOM_CRYPT #ifndef min #define min(a,b) ((a) < (b) ? (a) : (b)) #endif /* Can we cheat and just use network byte order (and htonl/ntohl) here? * -Beek */ /* MIRROR: inverts the order of bytes in a 32-bit quantity, if * necessary. * Define this to be empty on big-endian systems: * #define MIRROR(l) * And for little-endian systems something like: * #define MIRROR(l) ( (l) = ( ((l) << 24) | (((l) & 0x0000ff00) << 8) | (((l) & 0x00ff0000) >> 8) | ((l) >> 24) ) ) */ #ifdef BIGENDIAN #define MIRROR(l) #else #define MIRROR(l) ( (l) = ( ((l) << 24) | (((l) & 0x0000ff00) << 8) | (((l) & 0x00ff0000) >> 8) | ((l) >> 24) ) ) #endif /* Functions F, G, H and I as mentioned in RFC, section 3.4. */ #define F(X, Y, Z) (((X)&(Y))|((~(X))&(Z))) #define G(X, Y, Z) (((X)&(Z))|((~(Z))&(Y))) #define H(X, Y, Z) ((X)^(Y)^(Z)) #define I(X, Y, Z) ((Y)^((X)|(~(Z)))) /* Left rotation. */ #define RLEFT(a, n) (a) = (((a) << (n)) | ((a) >> (32-(n)))) /* Table T constructed from a sine function, mentioned in RFC, section 3.4. * Table T[i], 1 <= i <= 64, = trunc (4294967296 * |sin i|). */ UINT32 T[64] = { 0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a, 0xa8304613,0xfd469501,0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be, 0x6b901122,0xfd987193,0xa679438e,0x49b40821,0xf61e2562,0xc040b340, 0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8, 0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8, 0x676f02d9,0x8d2a4c8a,0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c, 0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,0x289b7ec6,0xeaa127fa, 0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665, 0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92, 0xffeff47d,0x85845dd1,0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1, 0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391 }; /* This function returns success, i.e. 0 on error. */ int MD5Digest( BytE *buf, /* Buffer to be digested. */ unsigned long buflen, /* Length of the buffer in bytes. */ BytE *Digest /* Output area: 16 raw bytes. */ ) { #define OA 0x67452301 /* Per RFC, section 3.3. */ #define OB 0xefcdab89 #define OC 0x98badcfe #define OD 0x10325476 UINT32 A = OA, B = OB, C = OC, D = OD; static UINT32 Block[16]; /* One block: 512 bits. */ if(buflen > MD5_MAXLEN) return 0; /* Too large. */ /* Create the block we're going to digest: padded. */ memset(Block, 0, sizeof(Block)); memcpy(Block, buf, buflen); { int i; for(i = 0; i <= buflen/4; i++) { MIRROR(Block[i]); } } Block[buflen>>2] |= 0x00000080 << (8 * (buflen % 4)); Block[14] = buflen << 3; /* Number of bits in original data. */ /* MD5 Transformation. */ #define Tr(a, b, c, d, k, s, i, x) (a) += x(b,c,d) + Block[k] + T[(i)-1]; RLEFT(a, s); (a) += (b); /* Round 1 */ Tr(A,B,C,D, 0, 7, 1,F); Tr(D,A,B,C, 1,12, 2,F); Tr(C,D,A,B, 2,17, 3,F); Tr(B,C,D,A, 3,22, 4,F); Tr(A,B,C,D, 4, 7, 5,F); Tr(D,A,B,C, 5,12, 6,F); Tr(C,D,A,B, 6,17, 7,F); Tr(B,C,D,A, 7,22, 8,F); Tr(A,B,C,D, 8, 7, 9,F); Tr(D,A,B,C, 9,12,10,F); Tr(C,D,A,B,10,17,11,F); Tr(B,C,D,A,11,22,12,F); Tr(A,B,C,D,12, 7,13,F); Tr(D,A,B,C,13,12,14,F); Tr(C,D,A,B,14,17,15,F); Tr(B,C,D,A,15,22,16,F); /* Round 2 */ Tr(A,B,C,D, 1, 5,17,G); Tr(D,A,B,C, 6, 9,18,G); Tr(C,D,A,B,11,14,19,G); Tr(B,C,D,A, 0,20,20,G); Tr(A,B,C,D, 5, 5,21,G); Tr(D,A,B,C,10, 9,22,G); Tr(C,D,A,B,15,14,23,G); Tr(B,C,D,A, 4,20,24,G); Tr(A,B,C,D, 9, 5,25,G); Tr(D,A,B,C,14, 9,26,G); Tr(C,D,A,B, 3,14,27,G); Tr(B,C,D,A, 8,20,28,G); Tr(A,B,C,D,13, 5,29,G); Tr(D,A,B,C, 2, 9,30,G); Tr(C,D,A,B, 7,14,31,G); Tr(B,C,D,A,12,20,32,G); /* Round 3 */ Tr(A,B,C,D, 5, 4,33,H); Tr(D,A,B,C, 8,11,34,H); Tr(C,D,A,B,11,16,35,H); Tr(B,C,D,A,14,23,36,H); Tr(A,B,C,D, 1, 4,37,H); Tr(D,A,B,C, 4,11,38,H); Tr(C,D,A,B, 7,16,39,H); Tr(B,C,D,A,10,23,40,H); Tr(A,B,C,D,13, 4,41,H); Tr(D,A,B,C, 0,11,42,H); Tr(C,D,A,B, 3,16,43,H); Tr(B,C,D,A, 6,23,44,H); Tr(A,B,C,D, 9, 4,45,H); Tr(D,A,B,C,12,11,46,H); Tr(C,D,A,B,15,16,47,H); Tr(B,C,D,A, 2,23,48,H); /* Round 4 */ Tr(A,B,C,D, 0, 6,49,I); Tr(D,A,B,C, 7,10,50,I); Tr(C,D,A,B,14,15,51,I); Tr(B,C,D,A, 5,21,52,I); Tr(A,B,C,D,12, 6,53,I); Tr(D,A,B,C, 3,10,54,I); Tr(C,D,A,B,10,15,55,I); Tr(B,C,D,A, 1,21,56,I); Tr(A,B,C,D, 8, 6,57,I); Tr(D,A,B,C,15,10,58,I); Tr(C,D,A,B, 6,15,59,I); Tr(B,C,D,A,13,21,60,I); Tr(A,B,C,D, 4, 6,61,I); Tr(D,A,B,C,11,10,62,I); Tr(C,D,A,B, 2,15,63,I); Tr(B,C,D,A, 9,21,64,I); /* Final adjustment of registers. */ A += OA; B += OB; C += OC; D += OD; /* Store output. */ MIRROR(A); memcpy( Digest, &A, sizeof(A)); MIRROR(B); memcpy(&(Digest[ 4]), &B, sizeof(B)); MIRROR(C); memcpy(&(Digest[ 8]), &C, sizeof(C)); MIRROR(D); memcpy(&(Digest[12]), &D, sizeof(D)); /* Burn; earlier registers are more useful in attacks. */ A = B = C = D = 195952365; /* Ok. */ return 1; } /* Encode in a printable manner the raw input data. Return written bytes. * The number of bytes required is always double the number of input * bytes. * * It's pretty simple-minded encoding, but we're not scraping * for bytes here. Besides, the only other possibilities are 5 or 6 * bits encoding per byte (instead of 4, as here), which look really * messy, when implemented, compared to this. * * Hell, perhaps sprintf (printing in hex) should be used.. */ int encode(unsigned char *whEre, BytE *data, int inputbytes) { int i, w = 0; /* This number has to leave the 4 low-end bits free. */ #define ENCODER_OFFSET 96 for(i = 0; i < inputbytes; i++) { whEre[i*2] = ENCODER_OFFSET + ( data[i] & 0x0f); whEre[1+(i*2)] = ENCODER_OFFSET + ((data[i] >> 4) & 0x0f); w += 2; } return w; } /* Gets raw data from printable string; opposite of encode(). */ void decode(BytE *whEre, BytE *string, int stringbytes) { int i; for(i = 0; i < stringbytes; i+=2) whEre[i/2] = (string[i] & 0x0f) | ((string[i+1] & 0x0f) << 4); } /* If there is a valid salt in the input, copy it. Otherwise, * generate a new one. */ void getsalt(BytE *to, BytE *from) { int i; /* This character seperates the salt encoding from the password encoding * in the string returned by custom_crypt(). Configurable. */ #define MAGIC_SALTSEP '!' if(from) { BytE Digest[16]; if(strlen((char *)from) > MD5_SALTLEN * 2) { if(from[2 * MD5_SALTLEN] == MAGIC_SALTSEP) { /* It is possible, by a big fluke, * that this string is not generated by custom_crypt() * and encode(), and the MAGIC_SALTSEP * is there by coincedence. That doesn't really * matter, as long as we get consistently * the same salt out of here, always. decode() * takes care of this. */ decode(to, from, MD5_SALTLEN * 2); return; } } /* We have a salt value, but it's not generated by * this function. Well, suit yourself, we'll /get/ a salt * out of there.. However, we can't do any straightforward * copying, because the `salt' is likely to be (also) the * plain text, to be mashed up. So to generate a salt from * any string, we digest it first, to avoid people being able * to pry information from the salt. * * It is vital, for fairly obvious reasons, that MD5_VALID_SALT * is indeed a valid, immediately accepted salt value (as above), * otherwise we'll end up right here again. */ custom_crypt((char *) from, MD5_VALID_SALT, Digest); memset(to, strlen((char *)from), MD5_SALTLEN); for(i = 0; i < sizeof(Digest); i++) to[i % MD5_SALTLEN] += Digest[i]; return; } /* We have to generate a random salt. */ for(i = 0; i < MD5_SALTLEN; i++) to[i] = random_number(256); /* port.c */ return; } void crunchbuffer(BytE *buf, /* Buffer to be crunched. */ SIGNED int *len, /* Length now used in buf. */ char *addition, /* What to add to buf. */ SIGNED int addlen, /* Length of addition. */ int maxlen /* How many bytes in buf. */ ) { int used; used = *len; while(addlen > 0) { BytE Digest[16]; int crunched; /* Reduce `buf' by digesting it. */ if(used > sizeof(Digest)) { MD5Digest(buf, used, Digest); memcpy(buf, Digest, sizeof(Digest)); used = sizeof(Digest); } /* Work out how many bytes we can add to `buf', and do it. */ crunched = min((maxlen - used), addlen); memcpy(&(buf[used]), addition, crunched); /* Update counters and pointers. */ used += crunched; addition += crunched; addlen -= crunched; } *len = used; return; } /* Return hash of buffer `key' using salt `salt', which * must both be null-terminated strings if given. * - `key' must be given. This is the basic string to be hashed. * - `salt' is optional. It can be NULL (in which case a random * salt will be used), it can be output from a previous * custom_crypt() call (in which case the salt used in that call * will be used), or it can be any other string, in which case * a salt derived from that string will be used. * - `rawout' is optional. If non-NULL, the raw digest value * (without any salt) is written to that buffer (16 bytes). * * At this point, custom_crypt() should never return NULL. * */ char *custom_crypt(const char *key, const char *salt, unsigned char *rawout) { BytE Digest[16]; static BytE buffer[MD5_MAXLEN], abuffer[MD5_MAXLEN], thesalt[MD5_SALTLEN]; SIGNED int used = 0, len, i; static BytE /* encode()d salt, encode()d digest, salt seperator * and null terminating byte: */ ret[(MD5_SALTLEN*2) + 1 + (sizeof(Digest)*2) + 1]; /* Obtain the salt we have to use (either given in salt * arg or randomly generated one). */ getsalt(thesalt, (BytE *)salt); #define ADDBUFFER(b, l) if(used + (l) > sizeof(buffer)) \ crunchbuffer(buffer, &used, (char *)(b), (l), sizeof(buffer)); \ else { memcpy(&(buffer[used]), (b), (l)); \ used += (l); } memset(buffer, 0, sizeof(buffer)); /* It's important the 0 byte is copied too. */ len = strlen(key) + 1; ADDBUFFER(key, len); len = strlen(MD5_MAGIC) + 1; ADDBUFFER(MD5_MAGIC, len); ADDBUFFER(thesalt, sizeof(thesalt)); memcpy(abuffer, buffer, sizeof(abuffer)); /* The iteration count should be high to thwart * brute-force guessers. The choice of 3000 is * fairly arbitrary, but you shouldn't set it much * lower; but it's configurable. * * Here a `digest' value is generated to be included * in the final to-be-digested buffer, along with the * actual data. * * Make sure to make it length-dependant. */ len = strlen(key); for(i = 3000+(11*len); i > 0; i--) { if(!MD5Digest(abuffer, sizeof(abuffer), Digest)) return NULL; memcpy(&(abuffer[(i + len) % (MD5_MAXLEN - sizeof(Digest))]), Digest, sizeof(Digest)); } ADDBUFFER(Digest, sizeof(Digest)); /* Use this generated buffer to do the actual digesting. */ if(!MD5Digest(buffer, sizeof(buffer), Digest)) return NULL; /* Pyre! */ memset(buffer, 0, sizeof(buffer)); /* Now code the salt and the digest into the return string. */ len = encode(ret, thesalt, sizeof(thesalt)); ret[len++] = MAGIC_SALTSEP; len += encode(&(ret[len]), Digest, sizeof(Digest)); ret[len] = 0; /* Give raw output (without salt info) if requested. */ if(rawout) memcpy(rawout, Digest, sizeof(Digest)); return (char *)ret; } #endif