xcrypt 0.1.0

data/ext/libxcrypt/lib/alg-gost3411-2012-ref.h

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2013, Alexey Degtyarev <alexey@renatasystems.org>.
+ * All rights reserved.
+ *
+ * Portable and simple (thus sometimes slow) implementation of core functions.
+ *
+ * $Id$
+ */
+
+#ifdef __GOST3411_HAS_SSE2__
+#error "portable implementation disabled in config.h"
+#endif
+
+#ifdef __GOST3411_HAS_MMX__
+#error "portable implementation disabled in config.h"
+#endif
+
+#define X(x, y, z) { \
+    z->QWORD[0] = x->QWORD[0] ^ y->QWORD[0]; \
+    z->QWORD[1] = x->QWORD[1] ^ y->QWORD[1]; \
+    z->QWORD[2] = x->QWORD[2] ^ y->QWORD[2]; \
+    z->QWORD[3] = x->QWORD[3] ^ y->QWORD[3]; \
+    z->QWORD[4] = x->QWORD[4] ^ y->QWORD[4]; \
+    z->QWORD[5] = x->QWORD[5] ^ y->QWORD[5]; \
+    z->QWORD[6] = x->QWORD[6] ^ y->QWORD[6]; \
+    z->QWORD[7] = x->QWORD[7] ^ y->QWORD[7]; \
+}
+
+#ifndef __GOST3411_BIG_ENDIAN__
+#define __XLPS_FOR for (_i = 0; _i <= 7; _i++)
+#define _datai _i
+#else
+#define __XLPS_FOR for (_i = 7; _i >= 0; _i--)
+#define _datai 7 - _i
+#endif
+
+#define XLPS(x, y, data) { \
+    register unsigned long long r0, r1, r2, r3, r4, r5, r6, r7; \
+    int _i; \
+    \
+    r0 = x->QWORD[0] ^ y->QWORD[0]; \
+    r1 = x->QWORD[1] ^ y->QWORD[1]; \
+    r2 = x->QWORD[2] ^ y->QWORD[2]; \
+    r3 = x->QWORD[3] ^ y->QWORD[3]; \
+    r4 = x->QWORD[4] ^ y->QWORD[4]; \
+    r5 = x->QWORD[5] ^ y->QWORD[5]; \
+    r6 = x->QWORD[6] ^ y->QWORD[6]; \
+    r7 = x->QWORD[7] ^ y->QWORD[7]; \
+    \
+    \
+    __XLPS_FOR \
+    {\
+        data->QWORD[_datai]  = Ax[0][(r0 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[1][(r1 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[2][(r2 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[3][(r3 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[4][(r4 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[5][(r5 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[6][(r6 >> (_i << 3)) & 0xFF]; \
+        data->QWORD[_datai] ^= Ax[7][(r7 >> (_i << 3)) & 0xFF]; \
+    }\
+}
+
+#define ROUND(i, Ki, data) { \
+    XLPS(Ki, (&C[i]), Ki); \
+    XLPS(Ki, data, data); \
+}

data/ext/libxcrypt/lib/alg-hmac-sha1.c

@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2017, Björn Esser <besser82@fedoraproject.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Implement HMAC as described in RFC 2104
+ *
+ */
+
+#include "crypt-port.h"
+#include "alg-hmac-sha1.h"
+#include "alg-sha1.h"
+
+#include <stdlib.h>
+
+#if INCLUDE_sha1crypt
+
+/* Don't change these */
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+
+/* Nor this */
+#ifndef HMAC_BLOCKSZ
+# define HMAC_BLOCKSZ 64
+# define HASH_LENGTH  20
+#endif
+
+/*
+ * The logic here is lifted straight from RFC 2104 except that
+ * rather than filling the pads with 0, copying in the key and then
+ * XOR with the pad byte, we just fill with the pad byte and
+ * XOR with the key.
+ */
+void
+hmac_sha1_process_data (const uint8_t *text, size_t text_len,
+                        const uint8_t *key, size_t key_len,
+                        void *resbuf)
+{
+  struct sha1_ctx ctx;
+  /* Inner padding key XOR'd with ipad */
+  uint8_t k_ipad[HMAC_BLOCKSZ];
+  /* Outer padding key XOR'd with opad */
+  uint8_t k_opad[HMAC_BLOCKSZ];
+  /* HASH(key) if needed */
+  unsigned char tk[HASH_LENGTH];
+  size_t i;
+
+  /*
+   * If key is longer than HMAC_BLOCKSZ bytes
+   * reset it to key=HASH(key)
+   */
+  if (key_len > HMAC_BLOCKSZ)
+    {
+      struct sha1_ctx tctx;
+
+      sha1_init_ctx (&tctx);
+      sha1_process_bytes (key, &tctx, key_len);
+      sha1_finish_ctx(&tctx, &tk);
+
+      key = tk;
+      key_len = HASH_LENGTH;
+    }
+
+  /*
+   * The HMAC_ transform looks like:
+   *
+   * HASH(K XOR opad, HASH(K XOR ipad, text))
+   *
+   * where K is an n byte key
+   * ipad is the byte HMAC_IPAD repeated HMAC_BLOCKSZ times
+   * opad is the byte HMAC_OPAD repeated HMAC_BLOCKSZ times
+   * and text is the data being protected
+   */
+
+  /*
+   * Fill the pads and XOR in the key
+   */
+  memset (k_ipad, HMAC_IPAD, sizeof k_ipad);
+  memset (k_opad, HMAC_OPAD, sizeof k_opad);
+  for (i = 0; i < key_len; i++)
+    {
+      k_ipad[i] ^= key[i];
+      k_opad[i] ^= key[i];
+    }
+
+  /* Clean the stack. */
+  explicit_bzero (tk, HASH_LENGTH);
+
+  /*
+   * Perform inner HASH.
+   * Start with inner pad,
+   * then the text.
+   */
+  sha1_init_ctx (&ctx);
+  sha1_process_bytes (k_ipad, &ctx, HMAC_BLOCKSZ);
+  sha1_process_bytes (text, &ctx, text_len);
+  sha1_finish_ctx(&ctx, resbuf);
+
+  /* Clean the stack. */
+  explicit_bzero (k_ipad, HMAC_BLOCKSZ);
+
+  /*
+   * Perform outer HASH.
+   * Start with the outer pad,
+   * then the result of the inner hash.
+   */
+  sha1_init_ctx (&ctx);
+  sha1_process_bytes (k_opad, &ctx, HMAC_BLOCKSZ);
+  sha1_process_bytes (resbuf, &ctx, HASH_LENGTH);
+  sha1_finish_ctx(&ctx, resbuf);
+
+  /* Clean the stack. */
+  explicit_bzero (k_opad, HMAC_BLOCKSZ);
+}
+
+#endif

data/ext/libxcrypt/lib/alg-hmac-sha1.h

@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2017, Björn Esser <besser82@fedoraproject.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Generate the keyed-hash message authentication code of TEXT and KEY.
+   The resulting HMAC is written into RESBUF, which should point to 20
+   bytes of storage.  */
+extern void
+hmac_sha1_process_data (const uint8_t *text, size_t text_len,
+                        const uint8_t *key, size_t key_len,
+                        void *resbuf);

data/ext/libxcrypt/lib/alg-md4.c

@@ -0,0 +1,270 @@
+/*
+ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc.
+ * MD4 Message-Digest Algorithm (RFC 1320).
+ *
+ * Homepage:
+ * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
+ *
+ * Author:
+ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com>
+ *
+ * This software was written by Alexander Peslyak in 2001.  No copyright is
+ * claimed, and the software is hereby placed in the public domain.
+ * In case this attempt to disclaim copyright and place the software in the
+ * public domain is deemed null and void, then the software is
+ * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * (This is a heavily cut-down "BSD license".)
+ *
+ * This differs from Colin Plumb's older public domain implementation in that
+ * no exactly 32-bit integer data type is required (any 32-bit or wider
+ * unsigned integer data type will do), there's no compile-time endianness
+ * configuration, and the function prototypes match OpenSSL's.  No code from
+ * Colin Plumb's implementation has been reused; this comment merely compares
+ * the properties of the two independent implementations.
+ *
+ * The primary goals of this implementation are portability and ease of use.
+ * It is meant to be fast, but not as fast as possible.  Some known
+ * optimizations are not included to reduce source code size and avoid
+ * compile-time configuration.
+ */
+
+#include "crypt-port.h"
+
+#if INCLUDE_nt
+
+#include "alg-md4.h"
+
+/*
+ * The basic MD4 functions.
+ *
+ * F and G are optimized compared to their RFC 1320 definitions, with the
+ * optimization for F borrowed from Colin Plumb's MD5 implementation.
+ */
+#define F(x, y, z)			((z) ^ ((x) & ((y) ^ (z))))
+#define G(x, y, z)			(((x) & ((y) | (z))) | ((y) & (z)))
+#define H(x, y, z)			((x) ^ (y) ^ (z))
+
+/*
+ * The MD4 transformation for all three rounds.
+ */
+#define STEP(f, a, b, c, d, x, s) \
+	(a) += f((b), (c), (d)) + (x); \
+	(a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s))));
+
+/*
+ * SET reads 4 input bytes in little-endian byte order and stores them in a
+ * properly aligned word in host byte order.
+ *
+ * The check for little-endian architectures that tolerate unaligned memory
+ * accesses is just an optimization.  Nothing will break if it fails to detect
+ * a suitable architecture.
+ *
+ * Unfortunately, this optimization may be a C strict aliasing rules violation
+ * if the caller's data buffer has effective type that cannot be aliased by
+ * MD4_u32plus.  In practice, this problem may occur if these MD4 routines are
+ * inlined into a calling function, or with future and dangerously advanced
+ * link-time optimizations.  For the time being, keeping these MD4 routines in
+ * their own translation unit avoids the problem.
+ */
+#if 0 /* defined(__i386__) || defined(__x86_64__) || defined(__vax__) */
+#define SET(n) \
+	(*(const MD4_u32plus *)&ptr[(n) * 4])
+#define GET(n) \
+	SET(n)
+#else
+#define SET(n) \
+	(ctx->block[(n)] = \
+	(MD4_u32plus)ptr[(n) * 4] | \
+	((MD4_u32plus)ptr[(n) * 4 + 1] << 8) | \
+	((MD4_u32plus)ptr[(n) * 4 + 2] << 16) | \
+	((MD4_u32plus)ptr[(n) * 4 + 3] << 24))
+#define GET(n) \
+	(ctx->block[(n)])
+#endif
+
+/*
+ * This processes one or more 64-byte data blocks, but does NOT update the bit
+ * counters.  There are no alignment requirements.
+ */
+static const void *body(MD4_CTX *ctx, const void *data, unsigned long size)
+{
+	const unsigned char *ptr;
+	MD4_u32plus a, b, c, d;
+	MD4_u32plus saved_a, saved_b, saved_c, saved_d;
+	const MD4_u32plus ac1 = 0x5a827999, ac2 = 0x6ed9eba1;
+
+	ptr = (const unsigned char *)data;
+
+	a = ctx->a;
+	b = ctx->b;
+	c = ctx->c;
+	d = ctx->d;
+
+	do {
+		saved_a = a;
+		saved_b = b;
+		saved_c = c;
+		saved_d = d;
+
+/* Round 1 */
+		STEP(F, a, b, c, d, SET(0), 3)
+		STEP(F, d, a, b, c, SET(1), 7)
+		STEP(F, c, d, a, b, SET(2), 11)
+		STEP(F, b, c, d, a, SET(3), 19)
+		STEP(F, a, b, c, d, SET(4), 3)
+		STEP(F, d, a, b, c, SET(5), 7)
+		STEP(F, c, d, a, b, SET(6), 11)
+		STEP(F, b, c, d, a, SET(7), 19)
+		STEP(F, a, b, c, d, SET(8), 3)
+		STEP(F, d, a, b, c, SET(9), 7)
+		STEP(F, c, d, a, b, SET(10), 11)
+		STEP(F, b, c, d, a, SET(11), 19)
+		STEP(F, a, b, c, d, SET(12), 3)
+		STEP(F, d, a, b, c, SET(13), 7)
+		STEP(F, c, d, a, b, SET(14), 11)
+		STEP(F, b, c, d, a, SET(15), 19)
+
+/* Round 2 */
+		STEP(G, a, b, c, d, GET(0) + ac1, 3)
+		STEP(G, d, a, b, c, GET(4) + ac1, 5)
+		STEP(G, c, d, a, b, GET(8) + ac1, 9)
+		STEP(G, b, c, d, a, GET(12) + ac1, 13)
+		STEP(G, a, b, c, d, GET(1) + ac1, 3)
+		STEP(G, d, a, b, c, GET(5) + ac1, 5)
+		STEP(G, c, d, a, b, GET(9) + ac1, 9)
+		STEP(G, b, c, d, a, GET(13) + ac1, 13)
+		STEP(G, a, b, c, d, GET(2) + ac1, 3)
+		STEP(G, d, a, b, c, GET(6) + ac1, 5)
+		STEP(G, c, d, a, b, GET(10) + ac1, 9)
+		STEP(G, b, c, d, a, GET(14) + ac1, 13)
+		STEP(G, a, b, c, d, GET(3) + ac1, 3)
+		STEP(G, d, a, b, c, GET(7) + ac1, 5)
+		STEP(G, c, d, a, b, GET(11) + ac1, 9)
+		STEP(G, b, c, d, a, GET(15) + ac1, 13)
+
+/* Round 3 */
+		STEP(H, a, b, c, d, GET(0) + ac2, 3)
+		STEP(H, d, a, b, c, GET(8) + ac2, 9)
+		STEP(H, c, d, a, b, GET(4) + ac2, 11)
+		STEP(H, b, c, d, a, GET(12) + ac2, 15)
+		STEP(H, a, b, c, d, GET(2) + ac2, 3)
+		STEP(H, d, a, b, c, GET(10) + ac2, 9)
+		STEP(H, c, d, a, b, GET(6) + ac2, 11)
+		STEP(H, b, c, d, a, GET(14) + ac2, 15)
+		STEP(H, a, b, c, d, GET(1) + ac2, 3)
+		STEP(H, d, a, b, c, GET(9) + ac2, 9)
+		STEP(H, c, d, a, b, GET(5) + ac2, 11)
+		STEP(H, b, c, d, a, GET(13) + ac2, 15)
+		STEP(H, a, b, c, d, GET(3) + ac2, 3)
+		STEP(H, d, a, b, c, GET(11) + ac2, 9)
+		STEP(H, c, d, a, b, GET(7) + ac2, 11)
+		STEP(H, b, c, d, a, GET(15) + ac2, 15)
+
+		a += saved_a;
+		b += saved_b;
+		c += saved_c;
+		d += saved_d;
+
+		ptr += 64;
+	} while (size -= 64);
+
+	ctx->a = a;
+	ctx->b = b;
+	ctx->c = c;
+	ctx->d = d;
+
+	return ptr;
+}
+
+void MD4_Init(MD4_CTX *ctx)
+{
+	ctx->a = 0x67452301;
+	ctx->b = 0xefcdab89;
+	ctx->c = 0x98badcfe;
+	ctx->d = 0x10325476;
+
+	ctx->lo = 0;
+	ctx->hi = 0;
+}
+
+void MD4_Update(MD4_CTX *ctx, const void *data, size_t size)
+{
+	MD4_u32plus saved_lo;
+	unsigned long used, available;
+
+	saved_lo = ctx->lo;
+	if ((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo)
+		ctx->hi++;
+	ctx->hi += (MD4_u32plus) size >> 29;
+
+	used = saved_lo & 0x3f;
+
+	if (used) {
+		available = 64 - used;
+
+		if (size < available) {
+			memcpy(&ctx->buffer[used], data, size);
+			return;
+		}
+
+		memcpy(&ctx->buffer[used], data, available);
+		data = (const unsigned char *)data + available;
+		size -= available;
+		body(ctx, ctx->buffer, 64);
+	}
+
+	if (size >= 64) {
+		data = body(ctx, data, size & ~(unsigned long)0x3f);
+		size &= 0x3f;
+	}
+
+	memcpy(ctx->buffer, data, size);
+}
+
+#define OUT(dst, src) \
+	(dst)[0] = (unsigned char)(src); \
+	(dst)[1] = (unsigned char)((src) >> 8); \
+	(dst)[2] = (unsigned char)((src) >> 16); \
+	(dst)[3] = (unsigned char)((src) >> 24);
+
+void MD4_Final(uint8_t result[16], MD4_CTX *ctx)
+{
+	unsigned long used, available;
+
+	used = ctx->lo & 0x3f;
+
+	ctx->buffer[used++] = 0x80;
+
+	available = 64 - used;
+
+	if (available < 8) {
+		memset(&ctx->buffer[used], 0, available);
+		body(ctx, ctx->buffer, 64);
+		used = 0;
+		available = 64;
+	}
+
+	memset(&ctx->buffer[used], 0, available - 8);
+
+	ctx->lo <<= 3;
+	OUT(&ctx->buffer[56], ctx->lo)
+	OUT(&ctx->buffer[60], ctx->hi)
+
+	body(ctx, ctx->buffer, 64);
+
+	OUT(&result[0], ctx->a)
+	OUT(&result[4], ctx->b)
+	OUT(&result[8], ctx->c)
+	OUT(&result[12], ctx->d)
+
+	explicit_bzero(ctx, sizeof(*ctx));
+}
+
+#endif

data/ext/libxcrypt/lib/alg-md4.h

@@ -0,0 +1,43 @@
+/*
+ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc.
+ * MD4 Message-Digest Algorithm (RFC 1320).
+ *
+ * Homepage:
+ * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
+ *
+ * Author:
+ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com>
+ *
+ * This software was written by Alexander Peslyak in 2001.  No copyright is
+ * claimed, and the software is hereby placed in the public domain.
+ * In case this attempt to disclaim copyright and place the software in the
+ * public domain is deemed null and void, then the software is
+ * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ *
+ * See md4.c for more information.
+ */
+
+#ifndef _CRYPT_ALG_MD4_H
+#define _CRYPT_ALG_MD4_H 1
+
+/* Any 32-bit or wider unsigned integer data type will do */
+typedef uint32_t MD4_u32plus;
+
+typedef struct {
+	MD4_u32plus lo, hi;
+	MD4_u32plus a, b, c, d;
+	uint8_t buffer[64];
+	MD4_u32plus block[16];
+} MD4_CTX;
+
+extern void MD4_Init(MD4_CTX *ctx);
+extern void MD4_Update(MD4_CTX *ctx, const void *data, size_t size);
+extern void MD4_Final(uint8_t result[16], MD4_CTX *ctx);
+
+#endif /* alg-md4.h */