author | Jon Tibble <meths@btinternet.com> |
Thu, 09 Dec 2010 22:32:39 +0100 | |
changeset 13255 | 4afa820d78b9 |
parent 11411 | c2fe1bf96826 |
permissions | -rw-r--r-- |
0 | 1 |
/* |
2 |
* CDDL HEADER START |
|
3 |
* |
|
4 |
* The contents of this file are subject to the terms of the |
|
1914
8a8c5f225b1b
4916205 libcmd should not use file operation routines from C library
casper
parents:
0
diff
changeset
|
5 |
* Common Development and Distribution License (the "License"). |
8a8c5f225b1b
4916205 libcmd should not use file operation routines from C library
casper
parents:
0
diff
changeset
|
6 |
* You may not use this file except in compliance with the License. |
0 | 7 |
* |
8 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 |
* or http://www.opensolaris.org/os/licensing. |
|
10 |
* See the License for the specific language governing permissions |
|
11 |
* and limitations under the License. |
|
12 |
* |
|
13 |
* When distributing Covered Code, include this CDDL HEADER in each |
|
14 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 |
* If applicable, add the following below this CDDL HEADER, with the |
|
16 |
* fields enclosed by brackets "[]" replaced with your own identifying |
|
17 |
* information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 |
* |
|
19 |
* CDDL HEADER END |
|
20 |
*/ |
|
3864 | 21 |
|
0 | 22 |
/* |
11411
c2fe1bf96826
6894056 libc is not clean
Surya Prakki <Surya.Prakki@Sun.COM>
parents:
6812
diff
changeset
|
23 |
* Copyright 2009 Sun Microsystems, Inc. All rights reserved. |
0 | 24 |
* Use is subject to license terms. |
25 |
*/ |
|
26 |
||
6812 | 27 |
#pragma weak _crypt = crypt |
28 |
#pragma weak _encrypt = encrypt |
|
29 |
#pragma weak _setkey = setkey |
|
0 | 30 |
|
6812 | 31 |
#include "lint.h" |
0 | 32 |
#include "mtlib.h" |
33 |
#include <synch.h> |
|
34 |
#include <thread.h> |
|
35 |
#include <ctype.h> |
|
36 |
#include <dlfcn.h> |
|
37 |
#include <errno.h> |
|
38 |
#include <stdio.h> |
|
39 |
#include <strings.h> |
|
40 |
#include <stdlib.h> |
|
41 |
#include <sys/time.h> |
|
42 |
#include <limits.h> |
|
43 |
#include <sys/types.h> |
|
44 |
#include <sys/stat.h> |
|
45 |
#include <fcntl.h> |
|
46 |
#include <syslog.h> |
|
47 |
#include <unistd.h> |
|
3864 | 48 |
#include <atomic.h> |
0 | 49 |
|
50 |
#include <crypt.h> |
|
51 |
#include <libc.h> |
|
52 |
#include "tsd.h" |
|
53 |
||
54 |
#define CRYPT_ALGORITHMS_ALLOW "CRYPT_ALGORITHMS_ALLOW" |
|
55 |
#define CRYPT_ALGORITHMS_DEPRECATE "CRYPT_ALGORITHMS_DEPRECATE" |
|
56 |
#define CRYPT_DEFAULT "CRYPT_DEFAULT" |
|
57 |
#define CRYPT_UNIX "__unix__" |
|
58 |
||
59 |
#define CRYPT_CONFFILE "/etc/security/crypt.conf" |
|
60 |
#define POLICY_CONF_FILE "/etc/security/policy.conf" |
|
61 |
||
62 |
#define CRYPT_CONFLINELENGTH 1024 |
|
63 |
||
64 |
#define CRYPT_MODULE_ISA "/$ISA/" |
|
65 |
#ifdef _LP64 |
|
66 |
#define CRYPT_MODULE_DIR "/usr/lib/security/64/" |
|
67 |
#define CRYPT_ISA_DIR "/64/" |
|
68 |
#else /* !_LP64 */ |
|
69 |
#define CRYPT_MODULE_DIR "/usr/lib/security/" |
|
70 |
#define CRYPT_ISA_DIR "/" |
|
71 |
#endif /* _LP64 */ |
|
72 |
||
73 |
/* |
|
74 |
* MAX_ALGNAME_LEN: |
|
75 |
* |
|
76 |
* In practical terms this is probably never any bigger than about 10, but... |
|
77 |
* |
|
78 |
* It has to fix the encrypted password filed of struct spwd it is |
|
79 |
* theoretically the maximum length of the cipher minus the magic $ sign. |
|
80 |
* Though that would be unexpected. |
|
81 |
* Since it also has to fit in crypt.conf it is CRYPT_CONFLINELENGTH |
|
82 |
* minus the path to the module and the minimum white space. |
|
83 |
* |
|
84 |
* CRYPT_MAXCIPHERTEXTLEN is defined in crypt.h and is smaller than |
|
85 |
* CRYPT_CONFLINELENGTH, and probably always will be. |
|
86 |
*/ |
|
87 |
#define MAX_ALGNAME_LEN (CRYPT_MAXCIPHERTEXTLEN - 1) |
|
88 |
||
89 |
struct crypt_alg_s { |
|
90 |
void *a_libhandle; |
|
91 |
char *(*a_genhash)(char *, const size_t, const char *, |
|
92 |
const char *, const char **); |
|
93 |
char *(*a_gensalt)(char *, const size_t, |
|
94 |
const char *, const struct passwd *, const char **); |
|
95 |
char **a_params; |
|
96 |
int a_nparams; |
|
97 |
}; |
|
98 |
||
99 |
struct crypt_policy_s { |
|
100 |
char *cp_default; |
|
101 |
char *cp_allow; |
|
102 |
char *cp_deny; |
|
103 |
}; |
|
104 |
||
105 |
enum crypt_policy_error_e { |
|
106 |
CPE_BOTH = 1, |
|
107 |
CPE_MULTI |
|
108 |
}; |
|
109 |
||
110 |
static struct crypt_policy_s *getcryptpolicy(void); |
|
111 |
static void free_crypt_policy(struct crypt_policy_s *policy); |
|
112 |
static struct crypt_alg_s *getalgbyname(const char *algname, boolean_t *found); |
|
113 |
static void free_crypt_alg(struct crypt_alg_s *alg); |
|
114 |
static char *getalgfromsalt(const char *salt); |
|
115 |
static boolean_t alg_valid(const char *algname, |
|
116 |
const struct crypt_policy_s *policy); |
|
117 |
static char *isa_path(const char *path); |
|
118 |
||
119 |
static char *_unix_crypt(const char *pw, const char *salt, char *iobuf); |
|
120 |
static char *_unix_crypt_gensalt(char *gsbuffer, size_t gsbufflen, |
|
121 |
const char *oldpuresalt, const struct passwd *userinfo, |
|
122 |
const char *params[]); |
|
123 |
||
124 |
||
125 |
/* |
|
126 |
* crypt - string encoding function |
|
127 |
* |
|
128 |
* This function encodes strings in a suitable for for secure storage |
|
129 |
* as passwords. It generates the password hash given the plaintext and salt. |
|
130 |
* |
|
131 |
* If the first character of salt is "$" then we use crypt.conf(4) to |
|
132 |
* determine which plugin to use and run the crypt_genhash_impl(3c) function |
|
133 |
* from it. |
|
134 |
* Otherwise we use the old unix algorithm. |
|
135 |
* |
|
136 |
* RETURN VALUES |
|
137 |
* On Success we return a pointer to the encoded string. The |
|
138 |
* return value points to thread specific static data and should NOT |
|
139 |
* be passed free(3c). |
|
140 |
* On failure we return NULL and set errno to one of: |
|
141 |
* EINVAL, ELIBACC, ENOMEM, ENOSYS. |
|
142 |
*/ |
|
143 |
char * |
|
144 |
crypt(const char *plaintext, const char *salt) |
|
145 |
{ |
|
146 |
struct crypt_alg_s *alg; |
|
147 |
char *ctbuffer; |
|
148 |
char *ciphertext; |
|
149 |
char *algname; |
|
150 |
boolean_t found; |
|
151 |
||
152 |
ctbuffer = tsdalloc(_T_CRYPT, CRYPT_MAXCIPHERTEXTLEN, NULL); |
|
153 |
if (ctbuffer == NULL) |
|
154 |
return (NULL); |
|
155 |
bzero(ctbuffer, CRYPT_MAXCIPHERTEXTLEN); |
|
156 |
||
157 |
/* |
|
158 |
* '$' is never a possible salt char with the traditional unix |
|
159 |
* algorithm. If the salt passed in is NULL or the first char |
|
160 |
* of the salt isn't a $ then do the traditional thing. |
|
161 |
* We also do the traditional thing if the salt is only 1 char. |
|
162 |
*/ |
|
163 |
if (salt == NULL || salt[0] != '$' || strlen(salt) == 1) { |
|
164 |
return (_unix_crypt(plaintext, salt, ctbuffer)); |
|
165 |
} |
|
166 |
||
167 |
/* |
|
168 |
* Find the algorithm name from the salt and look it up in |
|
169 |
* crypt.conf(4) to find out what shared object to use. |
|
170 |
* If we can't find it in crypt.conf then getalgbyname would |
|
171 |
* have returned with found = B_FALSE so we use the unix algorithm. |
|
172 |
* If alg is NULL but found = B_TRUE then there is a problem with |
|
173 |
* the plugin so we fail leaving errno set to what getalgbyname() |
|
174 |
* set it to or EINVAL it if wasn't set. |
|
175 |
*/ |
|
176 |
if ((algname = getalgfromsalt(salt)) == NULL) { |
|
177 |
return (NULL); |
|
178 |
} |
|
179 |
||
180 |
errno = 0; |
|
181 |
alg = getalgbyname(algname, &found); |
|
182 |
if ((alg == NULL) || !found) { |
|
183 |
if (errno == 0) |
|
184 |
errno = EINVAL; |
|
185 |
ciphertext = NULL; |
|
186 |
goto cleanup; |
|
187 |
} else if (!found) { |
|
188 |
ciphertext = _unix_crypt(plaintext, salt, ctbuffer); |
|
189 |
} else { |
|
190 |
ciphertext = alg->a_genhash(ctbuffer, CRYPT_MAXCIPHERTEXTLEN, |
|
191 |
plaintext, salt, (const char **)alg->a_params); |
|
192 |
} |
|
193 |
||
194 |
cleanup: |
|
195 |
free_crypt_alg(alg); |
|
196 |
if (algname != NULL) |
|
197 |
free(algname); |
|
198 |
||
199 |
return (ciphertext); |
|
200 |
} |
|
201 |
||
202 |
/* |
|
203 |
* crypt_gensalt - generate salt string for string encoding |
|
204 |
* |
|
205 |
* This function generates the salt string pased to crypt(3c). |
|
206 |
* If oldsalt is NULL, the use the default algorithm. |
|
207 |
* Other wise check the policy in policy.conf to ensure that it is |
|
208 |
* either still allowed or not deprecated. |
|
209 |
* |
|
210 |
* RETURN VALUES |
|
211 |
* Return a pointer to the new salt, the caller is responsible |
|
212 |
* for using free(3c) on the return value. |
|
213 |
* Returns NULL on error and sets errno to one of: |
|
214 |
* EINVAL, ELIBACC, ENOMEM |
|
215 |
*/ |
|
216 |
char * |
|
217 |
crypt_gensalt(const char *oldsalt, const struct passwd *userinfo) |
|
218 |
{ |
|
219 |
struct crypt_alg_s *alg = NULL; |
|
220 |
struct crypt_policy_s *policy = NULL; |
|
221 |
char *newsalt = NULL; |
|
222 |
char *gsbuffer; |
|
223 |
char *algname = NULL; |
|
224 |
boolean_t found; |
|
225 |
||
226 |
gsbuffer = calloc(CRYPT_MAXCIPHERTEXTLEN, sizeof (char *)); |
|
227 |
if (gsbuffer == NULL) { |
|
228 |
errno = ENOMEM; |
|
229 |
goto cleanup; |
|
230 |
} |
|
231 |
||
232 |
policy = getcryptpolicy(); |
|
233 |
if (policy == NULL) { |
|
234 |
errno = EINVAL; |
|
235 |
goto cleanup; |
|
236 |
} |
|
237 |
||
238 |
algname = getalgfromsalt(oldsalt); |
|
239 |
if (!alg_valid(algname, policy)) { |
|
240 |
free(algname); |
|
241 |
algname = strdup(policy->cp_default); |
|
242 |
} |
|
243 |
||
244 |
if (strcmp(algname, CRYPT_UNIX) == 0) { |
|
245 |
newsalt = _unix_crypt_gensalt(gsbuffer, CRYPT_MAXCIPHERTEXTLEN, |
|
246 |
oldsalt, userinfo, NULL); |
|
247 |
} else { |
|
248 |
errno = 0; |
|
249 |
alg = getalgbyname(algname, &found); |
|
250 |
if (alg == NULL || !found) { |
|
251 |
if (errno == 0) |
|
252 |
errno = EINVAL; |
|
253 |
goto cleanup; |
|
254 |
} |
|
255 |
newsalt = alg->a_gensalt(gsbuffer, CRYPT_MAXCIPHERTEXTLEN, |
|
256 |
oldsalt, userinfo, (const char **)alg->a_params); |
|
257 |
} |
|
258 |
||
259 |
cleanup: |
|
260 |
free_crypt_policy(policy); |
|
261 |
free_crypt_alg(alg); |
|
262 |
if (newsalt == NULL && gsbuffer != NULL) |
|
263 |
free(gsbuffer); |
|
264 |
if (algname != NULL) |
|
265 |
free(algname); |
|
266 |
||
267 |
return (newsalt); |
|
268 |
} |
|
269 |
||
270 |
/* |
|
271 |
* =========================================================================== |
|
272 |
* The remainder of this file contains internal interfaces for |
|
273 |
* the implementation of crypt(3c) and crypt_gensalt(3c) |
|
274 |
* =========================================================================== |
|
275 |
*/ |
|
276 |
||
277 |
||
278 |
/* |
|
279 |
* getalgfromsalt - extract the algorithm name from the salt string |
|
280 |
*/ |
|
281 |
static char * |
|
282 |
getalgfromsalt(const char *salt) |
|
283 |
{ |
|
284 |
char algname[CRYPT_MAXCIPHERTEXTLEN]; |
|
285 |
int i; |
|
286 |
int j; |
|
287 |
||
288 |
if (salt == NULL || strlen(salt) > CRYPT_MAXCIPHERTEXTLEN) |
|
289 |
return (NULL); |
|
290 |
/* |
|
291 |
* Salts are in this format: |
|
292 |
* $<algname>[,var=val,[var=val ...][$puresalt]$<ciphertext> |
|
293 |
* |
|
294 |
* The only bit we need to worry about here is extracting the |
|
295 |
* name which is the string between the first "$" and the first |
|
296 |
* of "," or second "$". |
|
297 |
*/ |
|
298 |
if (salt[0] != '$') { |
|
299 |
return (strdup(CRYPT_UNIX)); |
|
300 |
} |
|
301 |
||
302 |
i = 1; |
|
303 |
j = 0; |
|
304 |
while (salt[i] != '\0' && salt[i] != '$' && salt[i] != ',') { |
|
305 |
algname[j] = salt[i]; |
|
306 |
i++; |
|
307 |
j++; |
|
308 |
} |
|
309 |
if (j == 0) |
|
310 |
return (NULL); |
|
311 |
||
312 |
algname[j] = '\0'; |
|
313 |
||
314 |
return (strdup(algname)); |
|
315 |
} |
|
316 |
||
317 |
||
318 |
/* |
|
319 |
* log_invalid_policy - syslog helper |
|
320 |
*/ |
|
321 |
static void |
|
322 |
log_invalid_policy(enum crypt_policy_error_e error, char *value) |
|
323 |
{ |
|
324 |
switch (error) { |
|
325 |
case CPE_BOTH: |
|
326 |
syslog(LOG_AUTH | LOG_ERR, |
|
327 |
"crypt(3c): %s contains both %s and %s; only one may be " |
|
328 |
"specified, using first entry in file.", POLICY_CONF_FILE, |
|
329 |
CRYPT_ALGORITHMS_ALLOW, CRYPT_ALGORITHMS_DEPRECATE); |
|
330 |
break; |
|
331 |
case CPE_MULTI: |
|
332 |
syslog(LOG_AUTH | LOG_ERR, |
|
333 |
"crypt(3c): %s contains multiple %s entries;" |
|
334 |
"using first entry file.", POLICY_CONF_FILE, value); |
|
335 |
break; |
|
336 |
} |
|
337 |
} |
|
338 |
||
339 |
static char * |
|
340 |
getval(const char *ival) |
|
341 |
{ |
|
342 |
char *tmp; |
|
343 |
char *oval; |
|
344 |
int off; |
|
345 |
||
346 |
if (ival == NULL) |
|
347 |
return (NULL); |
|
348 |
||
349 |
if ((tmp = strchr(ival, '=')) == NULL) |
|
350 |
return (NULL); |
|
351 |
||
352 |
oval = strdup(tmp + 1); /* everything after the "=" */ |
|
353 |
if (oval == NULL) |
|
354 |
return (NULL); |
|
355 |
off = strlen(oval) - 1; |
|
356 |
if (off < 0) { |
|
357 |
free(oval); |
|
358 |
return (NULL); |
|
359 |
} |
|
360 |
if (oval[off] == '\n') |
|
361 |
oval[off] = '\0'; |
|
362 |
||
363 |
return (oval); |
|
364 |
} |
|
365 |
||
366 |
/* |
|
367 |
* getcryptpolicy - read /etc/security/policy.conf into a crypt_policy_s |
|
368 |
*/ |
|
369 |
static struct crypt_policy_s * |
|
370 |
getcryptpolicy(void) |
|
371 |
{ |
|
372 |
FILE *pconf; |
|
373 |
char line[BUFSIZ]; |
|
374 |
struct crypt_policy_s *policy; |
|
375 |
||
1914
8a8c5f225b1b
4916205 libcmd should not use file operation routines from C library
casper
parents:
0
diff
changeset
|
376 |
if ((pconf = fopen(POLICY_CONF_FILE, "rF")) == NULL) { |
0 | 377 |
return (NULL); |
378 |
} |
|
379 |
||
380 |
policy = malloc(sizeof (struct crypt_policy_s)); |
|
381 |
if (policy == NULL) { |
|
382 |
return (NULL); |
|
383 |
} |
|
384 |
policy->cp_default = NULL; |
|
385 |
policy->cp_allow = NULL; |
|
386 |
policy->cp_deny = NULL; |
|
387 |
||
388 |
while (!feof(pconf) && |
|
389 |
(fgets(line, sizeof (line), pconf) != NULL)) { |
|
390 |
if (strncasecmp(CRYPT_DEFAULT, line, |
|
391 |
strlen(CRYPT_DEFAULT)) == 0) { |
|
392 |
if (policy->cp_default != NULL) { |
|
393 |
log_invalid_policy(CPE_MULTI, CRYPT_DEFAULT); |
|
394 |
} else { |
|
395 |
policy->cp_default = getval(line); |
|
396 |
} |
|
397 |
} |
|
398 |
if (strncasecmp(CRYPT_ALGORITHMS_ALLOW, line, |
|
399 |
strlen(CRYPT_ALGORITHMS_ALLOW)) == 0) { |
|
400 |
if (policy->cp_deny != NULL) { |
|
401 |
log_invalid_policy(CPE_BOTH, NULL); |
|
402 |
} else if (policy->cp_allow != NULL) { |
|
403 |
log_invalid_policy(CPE_MULTI, |
|
404 |
CRYPT_ALGORITHMS_ALLOW); |
|
405 |
} else { |
|
406 |
policy->cp_allow = getval(line); |
|
407 |
} |
|
408 |
} |
|
409 |
if (strncasecmp(CRYPT_ALGORITHMS_DEPRECATE, line, |
|
410 |
strlen(CRYPT_ALGORITHMS_DEPRECATE)) == 0) { |
|
411 |
if (policy->cp_allow != NULL) { |
|
412 |
log_invalid_policy(CPE_BOTH, NULL); |
|
413 |
} else if (policy->cp_deny != NULL) { |
|
414 |
log_invalid_policy(CPE_MULTI, |
|
415 |
CRYPT_ALGORITHMS_DEPRECATE); |
|
416 |
} else { |
|
417 |
policy->cp_deny = getval(line); |
|
418 |
} |
|
419 |
} |
|
420 |
} |
|
421 |
(void) fclose(pconf); |
|
422 |
||
423 |
if (policy->cp_default == NULL) { |
|
424 |
policy->cp_default = strdup(CRYPT_UNIX); |
|
425 |
if (policy->cp_default == NULL) |
|
426 |
free_crypt_policy(policy); |
|
427 |
} |
|
428 |
||
429 |
return (policy); |
|
430 |
} |
|
431 |
||
432 |
||
433 |
/* |
|
434 |
* alg_valid - is this algorithm valid given the policy ? |
|
435 |
*/ |
|
436 |
static boolean_t |
|
437 |
alg_valid(const char *algname, const struct crypt_policy_s *policy) |
|
438 |
{ |
|
439 |
char *lasts; |
|
440 |
char *list; |
|
441 |
char *entry; |
|
442 |
boolean_t allowed = B_FALSE; |
|
443 |
||
444 |
if ((algname == NULL) || (policy == NULL)) { |
|
445 |
return (B_FALSE); |
|
446 |
} |
|
447 |
||
448 |
if (strcmp(algname, policy->cp_default) == 0) { |
|
449 |
return (B_TRUE); |
|
450 |
} |
|
451 |
||
452 |
if (policy->cp_deny != NULL) { |
|
453 |
list = policy->cp_deny; |
|
454 |
allowed = B_FALSE; |
|
455 |
} else if (policy->cp_allow != NULL) { |
|
456 |
list = policy->cp_allow; |
|
457 |
allowed = B_TRUE; |
|
458 |
} else { |
|
459 |
/* |
|
460 |
* Neither of allow or deny policies are set so anything goes. |
|
461 |
*/ |
|
462 |
return (B_TRUE); |
|
463 |
} |
|
464 |
lasts = list; |
|
465 |
while ((entry = strtok_r(NULL, ",", &lasts)) != NULL) { |
|
466 |
if (strcmp(entry, algname) == 0) { |
|
467 |
return (allowed); |
|
468 |
} |
|
469 |
} |
|
470 |
||
471 |
return (!allowed); |
|
472 |
} |
|
473 |
||
474 |
/* |
|
475 |
* getalgbyname - read crypt.conf(4) looking for algname |
|
476 |
* |
|
477 |
* RETURN VALUES |
|
478 |
* On error NULL and errno is set |
|
479 |
* On success the alg details including an open handle to the lib |
|
480 |
* If crypt.conf(4) is okay but algname doesn't exist in it then |
|
481 |
* return NULL the caller should then use the default algorithm |
|
482 |
* as per the policy. |
|
483 |
*/ |
|
484 |
static struct crypt_alg_s * |
|
485 |
getalgbyname(const char *algname, boolean_t *found) |
|
486 |
{ |
|
487 |
struct stat stb; |
|
488 |
int configfd; |
|
489 |
FILE *fconf = NULL; |
|
490 |
struct crypt_alg_s *alg = NULL; |
|
491 |
char line[CRYPT_CONFLINELENGTH]; |
|
492 |
int linelen = 0; |
|
493 |
int lineno = 0; |
|
494 |
char *pathname = NULL; |
|
495 |
char *lasts = NULL; |
|
496 |
char *token = NULL; |
|
497 |
||
498 |
*found = B_FALSE; |
|
499 |
if ((algname == NULL) || (strcmp(algname, CRYPT_UNIX) == 0)) { |
|
500 |
return (NULL); |
|
501 |
} |
|
502 |
||
503 |
if ((configfd = open(CRYPT_CONFFILE, O_RDONLY)) == -1) { |
|
504 |
syslog(LOG_ALERT, "crypt: open(%s) failed: %s", |
|
6812 | 505 |
CRYPT_CONFFILE, strerror(errno)); |
0 | 506 |
return (NULL); |
507 |
} |
|
508 |
||
509 |
/* |
|
510 |
* Stat the file so we can check modes and ownerships |
|
511 |
*/ |
|
512 |
if (fstat(configfd, &stb) < 0) { |
|
513 |
syslog(LOG_ALERT, "crypt: stat(%s) failed: %s", |
|
6812 | 514 |
CRYPT_CONFFILE, strerror(errno)); |
0 | 515 |
goto cleanup; |
516 |
} |
|
517 |
||
518 |
/* |
|
519 |
* Check the ownership of the file |
|
520 |
*/ |
|
521 |
if (stb.st_uid != (uid_t)0) { |
|
522 |
syslog(LOG_ALERT, |
|
523 |
"crypt: Owner of %s is not root", CRYPT_CONFFILE); |
|
524 |
goto cleanup; |
|
525 |
} |
|
526 |
||
527 |
/* |
|
528 |
* Check the modes on the file |
|
529 |
*/ |
|
530 |
if (stb.st_mode & S_IWGRP) { |
|
531 |
syslog(LOG_ALERT, |
|
532 |
"crypt: %s writable by group", CRYPT_CONFFILE); |
|
533 |
goto cleanup; |
|
534 |
} |
|
535 |
if (stb.st_mode & S_IWOTH) { |
|
536 |
syslog(LOG_ALERT, |
|
6812 | 537 |
"crypt: %s writable by world", CRYPT_CONFFILE); |
0 | 538 |
goto cleanup; |
539 |
} |
|
540 |
||
1914
8a8c5f225b1b
4916205 libcmd should not use file operation routines from C library
casper
parents:
0
diff
changeset
|
541 |
if ((fconf = fdopen(configfd, "rF")) == NULL) { |
0 | 542 |
syslog(LOG_ALERT, "crypt: fdopen(%d) failed: %s", |
6812 | 543 |
configfd, strerror(errno)); |
0 | 544 |
goto cleanup; |
545 |
} |
|
546 |
||
547 |
/* |
|
548 |
* /etc/security/crypt.conf has 3 fields: |
|
549 |
* <algname> <pathname> [<name[=val]>[<name[=val]>]] |
|
550 |
*/ |
|
551 |
errno = 0; |
|
552 |
while (!(*found) && |
|
553 |
((fgets(line, sizeof (line), fconf) != NULL) && !feof(fconf))) { |
|
554 |
lineno++; |
|
555 |
/* |
|
556 |
* Skip over comments |
|
557 |
*/ |
|
558 |
if ((line[0] == '#') || (line[0] == '\n')) { |
|
559 |
continue; |
|
560 |
} |
|
561 |
||
562 |
linelen = strlen(line); |
|
563 |
line[--linelen] = '\0'; /* chop the trailing \n */ |
|
564 |
||
565 |
token = strtok_r(line, " \t", &lasts); |
|
566 |
if (token == NULL) { |
|
567 |
continue; |
|
568 |
} |
|
569 |
if (strcmp(token, algname) == 0) { |
|
570 |
*found = B_TRUE; |
|
571 |
} |
|
572 |
} |
|
573 |
if (!found) { |
|
574 |
errno = EINVAL; |
|
575 |
goto cleanup; |
|
576 |
} |
|
577 |
||
578 |
token = strtok_r(NULL, " \t", &lasts); |
|
579 |
if (token == NULL) { |
|
580 |
/* |
|
581 |
* Broken config file |
|
582 |
*/ |
|
583 |
syslog(LOG_ALERT, "crypt(3c): %s may be corrupt at line %d", |
|
584 |
CRYPT_CONFFILE, lineno); |
|
585 |
*found = B_FALSE; |
|
586 |
errno = EINVAL; |
|
587 |
goto cleanup; |
|
588 |
} |
|
589 |
||
590 |
if ((pathname = isa_path(token)) == NULL) { |
|
591 |
if (errno != ENOMEM) |
|
592 |
errno = EINVAL; |
|
593 |
*found = B_FALSE; |
|
594 |
goto cleanup; |
|
595 |
} |
|
596 |
||
597 |
if ((alg = malloc(sizeof (struct crypt_alg_s))) == NULL) { |
|
598 |
*found = B_FALSE; |
|
599 |
goto cleanup; |
|
600 |
} |
|
601 |
alg->a_libhandle = NULL; |
|
602 |
alg->a_genhash = NULL; |
|
603 |
alg->a_gensalt = NULL; |
|
604 |
alg->a_params = NULL; |
|
605 |
alg->a_nparams = 0; |
|
606 |
||
607 |
/* |
|
608 |
* The rest of the line is module specific params, space |
|
609 |
* seprated. We wait until after we have checked the module is |
|
610 |
* valid before parsing them into a_params, this saves us |
|
611 |
* having to free them later if there is a problem. |
|
612 |
*/ |
|
613 |
if ((alg->a_libhandle = dlopen(pathname, RTLD_NOW)) == NULL) { |
|
614 |
syslog(LOG_ERR, "crypt(3c) unable to dlopen %s: %s", |
|
615 |
pathname, dlerror()); |
|
616 |
errno = ELIBACC; |
|
617 |
*found = B_FALSE; |
|
618 |
goto cleanup; |
|
619 |
} |
|
620 |
||
621 |
alg->a_genhash = |
|
622 |
(char *(*)())dlsym(alg->a_libhandle, "crypt_genhash_impl"); |
|
623 |
if (alg->a_genhash == NULL) { |
|
624 |
syslog(LOG_ERR, "crypt(3c) unable to find cryp_genhash_impl" |
|
625 |
"symbol in %s: %s", pathname, dlerror()); |
|
626 |
errno = ELIBACC; |
|
627 |
*found = B_FALSE; |
|
628 |
goto cleanup; |
|
629 |
} |
|
630 |
alg->a_gensalt = |
|
631 |
(char *(*)())dlsym(alg->a_libhandle, "crypt_gensalt_impl"); |
|
632 |
if (alg->a_gensalt == NULL) { |
|
633 |
syslog(LOG_ERR, "crypt(3c) unable to find crypt_gensalt_impl" |
|
634 |
"symbol in %s: %s", pathname, dlerror()); |
|
635 |
errno = ELIBACC; |
|
636 |
*found = B_FALSE; |
|
637 |
goto cleanup; |
|
638 |
} |
|
639 |
||
640 |
/* |
|
641 |
* We have a good module so build the a_params if we have any. |
|
642 |
* Count how much space we need first and then allocate an array |
|
643 |
* to hold that many module params. |
|
644 |
*/ |
|
645 |
if (lasts != NULL) { |
|
646 |
int nparams = 0; |
|
647 |
char *tparams; |
|
648 |
char *tplasts; |
|
649 |
||
650 |
if ((tparams = strdup(lasts)) == NULL) { |
|
651 |
*found = B_FALSE; |
|
652 |
goto cleanup; |
|
653 |
} |
|
654 |
||
655 |
(void) strtok_r(tparams, " \t", &tplasts); |
|
656 |
do { |
|
657 |
nparams++; |
|
658 |
} while (strtok_r(NULL, " \t", &tplasts) != NULL); |
|
659 |
free(tparams); |
|
660 |
||
661 |
alg->a_params = calloc(nparams + 1, sizeof (char *)); |
|
662 |
if (alg->a_params == NULL) { |
|
663 |
*found = B_FALSE; |
|
664 |
goto cleanup; |
|
665 |
} |
|
666 |
||
667 |
while ((token = strtok_r(NULL, " \t", &lasts)) != NULL) { |
|
668 |
alg->a_params[alg->a_nparams++] = token; |
|
669 |
} |
|
670 |
} |
|
671 |
||
672 |
cleanup: |
|
673 |
if (*found == B_FALSE) { |
|
674 |
free_crypt_alg(alg); |
|
675 |
alg = NULL; |
|
676 |
} |
|
677 |
||
678 |
if (pathname != NULL) { |
|
679 |
free(pathname); |
|
680 |
} |
|
681 |
||
682 |
if (fconf != NULL) { |
|
683 |
(void) fclose(fconf); |
|
684 |
} else { |
|
685 |
(void) close(configfd); |
|
686 |
} |
|
687 |
||
688 |
return (alg); |
|
689 |
} |
|
690 |
||
691 |
static void |
|
692 |
free_crypt_alg(struct crypt_alg_s *alg) |
|
693 |
{ |
|
694 |
if (alg == NULL) |
|
695 |
return; |
|
696 |
||
697 |
if (alg->a_libhandle != NULL) { |
|
698 |
(void) dlclose(alg->a_libhandle); |
|
699 |
} |
|
700 |
if (alg->a_nparams != NULL) { |
|
701 |
free(alg->a_params); |
|
702 |
} |
|
703 |
free(alg); |
|
704 |
} |
|
705 |
||
706 |
static void |
|
707 |
free_crypt_policy(struct crypt_policy_s *policy) |
|
708 |
{ |
|
709 |
if (policy == NULL) |
|
710 |
return; |
|
711 |
||
712 |
if (policy->cp_default != NULL) { |
|
713 |
bzero(policy->cp_default, strlen(policy->cp_default)); |
|
714 |
free(policy->cp_default); |
|
715 |
policy->cp_default = NULL; |
|
716 |
} |
|
717 |
||
718 |
if (policy->cp_allow != NULL) { |
|
719 |
bzero(policy->cp_allow, strlen(policy->cp_allow)); |
|
720 |
free(policy->cp_allow); |
|
721 |
policy->cp_allow = NULL; |
|
722 |
} |
|
723 |
||
724 |
if (policy->cp_deny != NULL) { |
|
725 |
bzero(policy->cp_deny, strlen(policy->cp_deny)); |
|
726 |
free(policy->cp_deny); |
|
727 |
policy->cp_deny = NULL; |
|
728 |
} |
|
729 |
||
730 |
free(policy); |
|
731 |
} |
|
732 |
||
733 |
||
734 |
/* |
|
735 |
* isa_path - prepend the default dir or patch up the $ISA in path |
|
736 |
* Caller is responsible for calling free(3c) on the result. |
|
737 |
*/ |
|
738 |
static char * |
|
739 |
isa_path(const char *path) |
|
740 |
{ |
|
741 |
char *ret = NULL; |
|
742 |
||
743 |
if ((path == NULL) || (strlen(path) > PATH_MAX)) { |
|
744 |
return (NULL); |
|
745 |
} |
|
746 |
||
747 |
ret = calloc(PATH_MAX, sizeof (char)); |
|
748 |
||
749 |
/* |
|
750 |
* Module path doesn't start with "/" then prepend |
|
751 |
* the default search path CRYPT_MODULE_DIR (/usr/lib/security/$ISA) |
|
752 |
*/ |
|
753 |
if (path[0] != '/') { |
|
754 |
if (snprintf(ret, PATH_MAX, "%s%s", CRYPT_MODULE_DIR, |
|
755 |
path) > PATH_MAX) { |
|
756 |
free(ret); |
|
757 |
return (NULL); |
|
758 |
} |
|
759 |
} else { /* patch up $ISA */ |
|
760 |
char *isa; |
|
761 |
||
762 |
if ((isa = strstr(path, CRYPT_MODULE_ISA)) != NULL) { |
|
763 |
*isa = '\0'; |
|
764 |
isa += strlen(CRYPT_MODULE_ISA); |
|
765 |
if (snprintf(ret, PATH_MAX, "%s%s%s", path, |
|
766 |
CRYPT_ISA_DIR, isa) > PATH_MAX) { |
|
767 |
free(ret); |
|
768 |
return (NULL); |
|
769 |
} |
|
770 |
} else { |
|
771 |
free(ret); |
|
772 |
ret = strdup(path); |
|
773 |
} |
|
774 |
} |
|
775 |
||
776 |
return (ret); |
|
777 |
} |
|
778 |
||
779 |
||
780 |
/*ARGSUSED*/ |
|
781 |
static char * |
|
782 |
_unix_crypt_gensalt(char *gsbuffer, |
|
783 |
size_t gsbufflen, |
|
784 |
const char *oldpuresalt, |
|
785 |
const struct passwd *userinfo, |
|
786 |
const char *argv[]) |
|
787 |
{ |
|
788 |
static const char saltchars[] = |
|
789 |
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; |
|
790 |
struct timeval tv; |
|
791 |
||
11411
c2fe1bf96826
6894056 libc is not clean
Surya Prakki <Surya.Prakki@Sun.COM>
parents:
6812
diff
changeset
|
792 |
(void) gettimeofday(&tv, (void *) 0); |
0 | 793 |
srand48(tv.tv_sec ^ tv.tv_usec); |
794 |
gsbuffer[0] = saltchars[lrand48() % 64]; /* lrand48() is MT-SAFE */ |
|
795 |
gsbuffer[1] = saltchars[lrand48() % 64]; /* lrand48() is MT-SAFE */ |
|
796 |
gsbuffer[2] = '\0'; |
|
797 |
||
798 |
return (gsbuffer); |
|
799 |
} |
|
800 |
||
801 |
/* |
|
802 |
* The rest of the code below comes from the old crypt.c and is the |
|
803 |
* implementation of the hardwired/fallback traditional algorithm |
|
804 |
* It has been otimized to take better advantage of MT features. |
|
805 |
* |
|
806 |
* It is included here to reduce the overhead of dlopen() |
|
807 |
* for the common case. |
|
808 |
*/ |
|
809 |
||
810 |
||
811 |
/* Copyright (c) 1988 AT&T */ |
|
812 |
/* All Rights Reserved */ |
|
813 |
||
814 |
||
815 |
||
816 |
/* |
|
817 |
* This program implements a data encryption algorithm to encrypt passwords. |
|
818 |
*/ |
|
819 |
||
820 |
static mutex_t crypt_lock = DEFAULTMUTEX; |
|
821 |
#define TSDBUFSZ (66 + 16) |
|
822 |
||
823 |
static const char IP[] = { |
|
824 |
58, 50, 42, 34, 26, 18, 10, 2, |
|
825 |
60, 52, 44, 36, 28, 20, 12, 4, |
|
826 |
62, 54, 46, 38, 30, 22, 14, 6, |
|
827 |
64, 56, 48, 40, 32, 24, 16, 8, |
|
828 |
57, 49, 41, 33, 25, 17, 9, 1, |
|
829 |
59, 51, 43, 35, 27, 19, 11, 3, |
|
830 |
61, 53, 45, 37, 29, 21, 13, 5, |
|
831 |
63, 55, 47, 39, 31, 23, 15, 7, |
|
832 |
}; |
|
833 |
||
834 |
static const char FP[] = { |
|
835 |
40, 8, 48, 16, 56, 24, 64, 32, |
|
836 |
39, 7, 47, 15, 55, 23, 63, 31, |
|
837 |
38, 6, 46, 14, 54, 22, 62, 30, |
|
838 |
37, 5, 45, 13, 53, 21, 61, 29, |
|
839 |
36, 4, 44, 12, 52, 20, 60, 28, |
|
840 |
35, 3, 43, 11, 51, 19, 59, 27, |
|
841 |
34, 2, 42, 10, 50, 18, 58, 26, |
|
842 |
33, 1, 41, 9, 49, 17, 57, 25, |
|
843 |
}; |
|
844 |
||
845 |
static const char PC1_C[] = { |
|
846 |
57, 49, 41, 33, 25, 17, 9, |
|
847 |
1, 58, 50, 42, 34, 26, 18, |
|
848 |
10, 2, 59, 51, 43, 35, 27, |
|
849 |
19, 11, 3, 60, 52, 44, 36, |
|
850 |
}; |
|
851 |
||
852 |
static const char PC1_D[] = { |
|
853 |
63, 55, 47, 39, 31, 23, 15, |
|
854 |
7, 62, 54, 46, 38, 30, 22, |
|
855 |
14, 6, 61, 53, 45, 37, 29, |
|
856 |
21, 13, 5, 28, 20, 12, 4, |
|
857 |
}; |
|
858 |
||
859 |
static const char shifts[] = { |
|
860 |
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, |
|
861 |
}; |
|
862 |
||
863 |
static const char PC2_C[] = { |
|
864 |
14, 17, 11, 24, 1, 5, |
|
865 |
3, 28, 15, 6, 21, 10, |
|
866 |
23, 19, 12, 4, 26, 8, |
|
867 |
16, 7, 27, 20, 13, 2, |
|
868 |
}; |
|
869 |
||
870 |
static const char PC2_D[] = { |
|
871 |
41, 52, 31, 37, 47, 55, |
|
872 |
30, 40, 51, 45, 33, 48, |
|
873 |
44, 49, 39, 56, 34, 53, |
|
874 |
46, 42, 50, 36, 29, 32, |
|
875 |
}; |
|
876 |
||
877 |
static char C[28]; |
|
878 |
static char D[28]; |
|
879 |
static char *KS; |
|
880 |
||
881 |
static char E[48]; |
|
882 |
static const char e2[] = { |
|
883 |
32, 1, 2, 3, 4, 5, |
|
884 |
4, 5, 6, 7, 8, 9, |
|
885 |
8, 9, 10, 11, 12, 13, |
|
886 |
12, 13, 14, 15, 16, 17, |
|
887 |
16, 17, 18, 19, 20, 21, |
|
888 |
20, 21, 22, 23, 24, 25, |
|
889 |
24, 25, 26, 27, 28, 29, |
|
890 |
28, 29, 30, 31, 32, 1, |
|
891 |
}; |
|
892 |
||
893 |
/* |
|
894 |
* The KS array (768 bytes) is allocated once, and only if |
|
895 |
* one of _unix_crypt(), encrypt() or setkey() is called. |
|
896 |
* The complexity below is due to the fact that calloc() |
|
897 |
* must not be called while holding any locks. |
|
898 |
*/ |
|
899 |
static int |
|
900 |
allocate_KS(void) |
|
901 |
{ |
|
902 |
char *ks; |
|
903 |
int failed; |
|
904 |
int assigned; |
|
905 |
||
3864 | 906 |
if (KS != NULL) { /* already allocated */ |
907 |
membar_consumer(); |
|
0 | 908 |
return (0); |
3864 | 909 |
} |
0 | 910 |
|
911 |
ks = calloc(16, 48 * sizeof (char)); |
|
912 |
failed = 0; |
|
913 |
lmutex_lock(&crypt_lock); |
|
914 |
if (KS != NULL) { /* someone else got here first */ |
|
915 |
assigned = 0; |
|
916 |
} else { |
|
917 |
assigned = 1; |
|
3864 | 918 |
membar_producer(); |
0 | 919 |
if ((KS = ks) == NULL) /* calloc() failed */ |
920 |
failed = 1; |
|
921 |
} |
|
922 |
lmutex_unlock(&crypt_lock); |
|
923 |
if (!assigned) |
|
924 |
free(ks); |
|
925 |
return (failed); |
|
926 |
} |
|
927 |
||
928 |
static void |
|
929 |
unlocked_setkey(const char *key) |
|
930 |
{ |
|
931 |
int i, j, k; |
|
932 |
char t; |
|
933 |
||
934 |
for (i = 0; i < 28; i++) { |
|
935 |
C[i] = key[PC1_C[i]-1]; |
|
936 |
D[i] = key[PC1_D[i]-1]; |
|
937 |
} |
|
938 |
for (i = 0; i < 16; i++) { |
|
939 |
for (k = 0; k < shifts[i]; k++) { |
|
940 |
t = C[0]; |
|
941 |
for (j = 0; j < 28-1; j++) |
|
942 |
C[j] = C[j+1]; |
|
943 |
C[27] = t; |
|
944 |
t = D[0]; |
|
945 |
for (j = 0; j < 28-1; j++) |
|
946 |
D[j] = D[j+1]; |
|
947 |
D[27] = t; |
|
948 |
} |
|
949 |
for (j = 0; j < 24; j++) { |
|
950 |
int index = i * 48; |
|
951 |
||
952 |
*(KS+index+j) = C[PC2_C[j]-1]; |
|
953 |
*(KS+index+j+24) = D[PC2_D[j]-28-1]; |
|
954 |
} |
|
955 |
} |
|
956 |
for (i = 0; i < 48; i++) |
|
957 |
E[i] = e2[i]; |
|
958 |
} |
|
959 |
||
960 |
static const char S[8][64] = { |
|
961 |
14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, |
|
962 |
0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, |
|
963 |
4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, |
|
964 |
15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13, |
|
965 |
||
966 |
15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, |
|
967 |
3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, |
|
968 |
0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, |
|
969 |
13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9, |
|
970 |
||
971 |
10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, |
|
972 |
13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, |
|
973 |
13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, |
|
974 |
1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12, |
|
975 |
||
976 |
7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, |
|
977 |
13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, |
|
978 |
10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, |
|
979 |
3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14, |
|
980 |
||
981 |
2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, |
|
982 |
14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, |
|
983 |
4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, |
|
984 |
11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3, |
|
985 |
||
986 |
12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, |
|
987 |
10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, |
|
988 |
9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, |
|
989 |
4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13, |
|
990 |
||
991 |
4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, |
|
992 |
13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, |
|
993 |
1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, |
|
994 |
6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12, |
|
995 |
||
996 |
13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, |
|
997 |
1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, |
|
998 |
7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, |
|
999 |
2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11, |
|
1000 |
}; |
|
1001 |
||
1002 |
static const char P[] = { |
|
1003 |
16, 7, 20, 21, |
|
1004 |
29, 12, 28, 17, |
|
1005 |
1, 15, 23, 26, |
|
1006 |
5, 18, 31, 10, |
|
1007 |
2, 8, 24, 14, |
|
1008 |
32, 27, 3, 9, |
|
1009 |
19, 13, 30, 6, |
|
1010 |
22, 11, 4, 25, |
|
1011 |
}; |
|
1012 |
||
1013 |
static char L[64]; |
|
1014 |
static char tempL[32]; |
|
1015 |
static char f[32]; |
|
1016 |
||
1017 |
static char preS[48]; |
|
1018 |
||
1019 |
/*ARGSUSED*/ |
|
1020 |
static void |
|
1021 |
unlocked_encrypt(char *block, int fake) |
|
1022 |
{ |
|
1023 |
int i; |
|
1024 |
int t, j, k; |
|
1025 |
char *R = &L[32]; |
|
1026 |
||
1027 |
for (j = 0; j < 64; j++) |
|
1028 |
L[j] = block[IP[j]-1]; |
|
1029 |
for (i = 0; i < 16; i++) { |
|
1030 |
int index = i * 48; |
|
1031 |
||
1032 |
for (j = 0; j < 32; j++) |
|
1033 |
tempL[j] = R[j]; |
|
1034 |
for (j = 0; j < 48; j++) |
|
1035 |
preS[j] = R[E[j]-1] ^ *(KS+index+j); |
|
1036 |
for (j = 0; j < 8; j++) { |
|
1037 |
t = 6 * j; |
|
6812 | 1038 |
k = S[j][(preS[t+0]<<5) + |
1039 |
(preS[t+1]<<3) + |
|
1040 |
(preS[t+2]<<2) + |
|
1041 |
(preS[t+3]<<1) + |
|
1042 |
(preS[t+4]<<0) + |
|
1043 |
(preS[t+5]<<4)]; |
|
0 | 1044 |
t = 4*j; |
1045 |
f[t+0] = (k>>3)&01; |
|
1046 |
f[t+1] = (k>>2)&01; |
|
1047 |
f[t+2] = (k>>1)&01; |
|
1048 |
f[t+3] = (k>>0)&01; |
|
1049 |
} |
|
1050 |
for (j = 0; j < 32; j++) |
|
1051 |
R[j] = L[j] ^ f[P[j]-1]; |
|
1052 |
for (j = 0; j < 32; j++) |
|
1053 |
L[j] = tempL[j]; |
|
1054 |
} |
|
1055 |
for (j = 0; j < 32; j++) { |
|
1056 |
t = L[j]; |
|
1057 |
L[j] = R[j]; |
|
1058 |
R[j] = (char)t; |
|
1059 |
} |
|
1060 |
for (j = 0; j < 64; j++) |
|
1061 |
block[j] = L[FP[j]-1]; |
|
1062 |
} |
|
1063 |
||
1064 |
char * |
|
1065 |
_unix_crypt(const char *pw, const char *salt, char *iobuf) |
|
1066 |
{ |
|
1067 |
int c, i, j; |
|
1068 |
char temp; |
|
1069 |
char *block; |
|
1070 |
||
1071 |
block = iobuf + 16; |
|
1072 |
||
1073 |
if (iobuf == 0) { |
|
1074 |
errno = ENOMEM; |
|
1075 |
return (NULL); |
|
1076 |
} |
|
1077 |
if (allocate_KS() != 0) |
|
1078 |
return (NULL); |
|
1079 |
lmutex_lock(&crypt_lock); |
|
1080 |
for (i = 0; i < 66; i++) |
|
1081 |
block[i] = 0; |
|
1082 |
for (i = 0; (c = *pw) != '\0' && i < 64; pw++) { |
|
1083 |
for (j = 0; j < 7; j++, i++) |
|
1084 |
block[i] = (c>>(6-j)) & 01; |
|
1085 |
i++; |
|
1086 |
} |
|
1087 |
||
1088 |
unlocked_setkey(block); |
|
1089 |
||
1090 |
for (i = 0; i < 66; i++) |
|
1091 |
block[i] = 0; |
|
1092 |
||
1093 |
for (i = 0; i < 2; i++) { |
|
1094 |
c = *salt++; |
|
1095 |
iobuf[i] = (char)c; |
|
1096 |
if (c > 'Z') |
|
1097 |
c -= 6; |
|
1098 |
if (c > '9') |
|
1099 |
c -= 7; |
|
1100 |
c -= '.'; |
|
1101 |
for (j = 0; j < 6; j++) { |
|
1102 |
if ((c>>j) & 01) { |
|
1103 |
temp = E[6*i+j]; |
|
1104 |
E[6*i+j] = E[6*i+j+24]; |
|
1105 |
E[6*i+j+24] = temp; |
|
1106 |
} |
|
1107 |
} |
|
1108 |
} |
|
1109 |
||
1110 |
for (i = 0; i < 25; i++) |
|
1111 |
unlocked_encrypt(block, 0); |
|
1112 |
||
1113 |
lmutex_unlock(&crypt_lock); |
|
1114 |
for (i = 0; i < 11; i++) { |
|
1115 |
c = 0; |
|
1116 |
for (j = 0; j < 6; j++) { |
|
1117 |
c <<= 1; |
|
1118 |
c |= block[6*i+j]; |
|
1119 |
} |
|
1120 |
c += '.'; |
|
1121 |
if (c > '9') |
|
1122 |
c += 7; |
|
1123 |
if (c > 'Z') |
|
1124 |
c += 6; |
|
1125 |
iobuf[i+2] = (char)c; |
|
1126 |
} |
|
1127 |
iobuf[i+2] = 0; |
|
1128 |
if (iobuf[1] == 0) |
|
1129 |
iobuf[1] = iobuf[0]; |
|
1130 |
return (iobuf); |
|
1131 |
} |
|
1132 |
||
1133 |
||
1134 |
/*ARGSUSED*/ |
|
1135 |
void |
|
1136 |
encrypt(char *block, int fake) |
|
1137 |
{ |
|
1138 |
if (fake != 0) { |
|
1139 |
errno = ENOSYS; |
|
1140 |
return; |
|
1141 |
} |
|
1142 |
if (allocate_KS() != 0) |
|
1143 |
return; |
|
1144 |
lmutex_lock(&crypt_lock); |
|
1145 |
unlocked_encrypt(block, fake); |
|
1146 |
lmutex_unlock(&crypt_lock); |
|
1147 |
} |
|
1148 |
||
1149 |
||
1150 |
void |
|
1151 |
setkey(const char *key) |
|
1152 |
{ |
|
1153 |
if (allocate_KS() != 0) |
|
1154 |
return; |
|
1155 |
lmutex_lock(&crypt_lock); |
|
1156 |
unlocked_setkey(key); |
|
1157 |
lmutex_unlock(&crypt_lock); |
|
1158 |
} |