]>
Commit | Line | Data |
---|---|---|
b57f37fb WP |
1 | /* |
2 | * crypt.c: Implements unix style crypt() for platforms that don't have it | |
12e39525 JH |
3 | * This version has MD5, DES, and SHA256/SHA512 crypt. |
4 | * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from | |
5 | * Drepper's public domain implementation. | |
b57f37fb WP |
6 | */ |
7 | ||
8 | /* | |
9 | * crypt() for uClibc | |
10 | * | |
11 | * Copyright (C) 2000 by Lineo, inc. and Erik Andersen | |
12 | * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org> | |
13 | * Written by Erik Andersen <andersen@uclibc.org> | |
14 | * | |
15 | * This program is free software; you can redistribute it and/or modify it | |
16 | * under the terms of the GNU Library General Public License as published by | |
17 | * the Free Software Foundation; either version 2 of the License, or (at your | |
18 | * option) any later version. | |
19 | * | |
20 | * This program is distributed in the hope that it will be useful, but WITHOUT | |
21 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
22 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License | |
23 | * for more details. | |
24 | * | |
25 | * You should have received a copy of the GNU Library General Public License | |
26 | * along with this program; if not, write to the Free Software Foundation, | |
27 | * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
28 | */ | |
29 | ||
30 | #include <libratbox_config.h> | |
31 | #include <ratbox_lib.h> | |
32 | ||
12e39525 JH |
33 | static char *rb_md5_crypt(const char *pw, const char *salt); |
34 | static char *rb_des_crypt(const char *pw, const char *salt); | |
35 | static char *rb_sha256_crypt(const char *key, const char *salt); | |
36 | static char *rb_sha512_crypt(const char *key, const char *salt); | |
44e6a470 | 37 | static char *rb_blowfish_crypt(const char *key, const char *salt); |
b57f37fb | 38 | |
94b4fbf9 | 39 | char * |
b57f37fb WP |
40 | rb_crypt(const char *key, const char *salt) |
41 | { | |
12e39525 JH |
42 | /* First, check if we are supposed to be using a replacement |
43 | * hash instead of DES... */ | |
44e6a470 | 44 | if(salt[0] == '$' && (salt[2] == '$' || salt[3] == '$')) |
12e39525 JH |
45 | { |
46 | switch(salt[1]) | |
47 | { | |
48 | case '1': | |
49 | return rb_md5_crypt(key, salt); | |
50 | break; | |
44e6a470 EJM |
51 | case '2': |
52 | /* Handles both 2 and 2a --Elizabeth */ | |
53 | return rb_blowfish_crypt(key, salt); | |
54 | break; | |
12e39525 JH |
55 | case '5': |
56 | return rb_sha256_crypt(key, salt); | |
57 | break; | |
58 | case '6': | |
59 | return rb_sha512_crypt(key, salt); | |
60 | break; | |
61 | default: | |
62 | return NULL; | |
63 | break; | |
64 | }; | |
65 | } | |
b57f37fb | 66 | else |
12e39525 | 67 | return rb_des_crypt(key, salt); |
b57f37fb WP |
68 | } |
69 | ||
12e39525 JH |
70 | #define b64_from_24bit(B2, B1, B0, N) \ |
71 | do \ | |
72 | { \ | |
73 | unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ | |
74 | int n = (N); \ | |
75 | while (n-- > 0 && buflen > 0) \ | |
76 | { \ | |
77 | *cp++ = ascii64[w & 0x3f]; \ | |
78 | --buflen; \ | |
79 | w >>= 6; \ | |
80 | } \ | |
81 | } while (0) | |
82 | ||
83 | #ifndef MAX | |
84 | # define MAX(a,b) (((a) > (b)) ? (a) : (b)) | |
85 | #endif | |
86 | #ifndef MIN | |
87 | # define MIN(a,b) (((a) < (b)) ? (a) : (b)) | |
88 | #endif | |
89 | ||
b57f37fb WP |
90 | /* Here is the des crypt() stuff */ |
91 | ||
92 | /* | |
93 | * FreeSec: libcrypt for NetBSD | |
94 | * | |
95 | * Copyright (c) 1994 David Burren | |
96 | * All rights reserved. | |
97 | * | |
98 | * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet | |
99 | * this file should now *only* export crypt(), in order to make | |
100 | * binaries of libcrypt exportable from the USA | |
101 | * | |
102 | * Adapted for FreeBSD-4.0 by Mark R V Murray | |
103 | * this file should now *only* export crypt_des(), in order to make | |
104 | * a module that can be optionally included in libcrypt. | |
105 | * | |
106 | * Redistribution and use in source and binary forms, with or without | |
107 | * modification, are permitted provided that the following conditions | |
108 | * are met: | |
109 | * 1. Redistributions of source code must retain the above copyright | |
110 | * notice, this list of conditions and the following disclaimer. | |
111 | * 2. Redistributions in binary form must reproduce the above copyright | |
112 | * notice, this list of conditions and the following disclaimer in the | |
113 | * documentation and/or other materials provided with the distribution. | |
114 | * 3. Neither the name of the author nor the names of other contributors | |
115 | * may be used to endorse or promote products derived from this software | |
116 | * without specific prior written permission. | |
117 | * | |
118 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
119 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
120 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
121 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
122 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
123 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
124 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
125 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
126 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
127 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
128 | * SUCH DAMAGE. | |
129 | * | |
130 | * This is an original implementation of the DES and the crypt(3) interfaces | |
131 | * by David Burren <davidb@werj.com.au>. | |
132 | * | |
133 | * An excellent reference on the underlying algorithm (and related | |
134 | * algorithms) is: | |
135 | * | |
136 | * B. Schneier, Applied Cryptography: protocols, algorithms, | |
137 | * and source code in C, John Wiley & Sons, 1994. | |
138 | * | |
139 | * Note that in that book's description of DES the lookups for the initial, | |
140 | * pbox, and final permutations are inverted (this has been brought to the | |
141 | * attention of the author). A list of errata for this book has been | |
142 | * posted to the sci.crypt newsgroup by the author and is available for FTP. | |
143 | * | |
144 | * ARCHITECTURE ASSUMPTIONS: | |
145 | * It is assumed that the 8-byte arrays passed by reference can be | |
4414eb3c | 146 | * addressed as arrays of uint32_t's (ie. the CPU is not picky about |
b57f37fb WP |
147 | * alignment). |
148 | */ | |
149 | ||
150 | ||
151 | /* Re-entrantify me -- all this junk needs to be in | |
152 | * struct crypt_data to make this really reentrant... */ | |
94b4fbf9 VY |
153 | static uint8_t inv_key_perm[64]; |
154 | static uint8_t inv_comp_perm[56]; | |
155 | static uint8_t u_sbox[8][64]; | |
156 | static uint8_t un_pbox[32]; | |
4414eb3c VY |
157 | static uint32_t en_keysl[16], en_keysr[16]; |
158 | static uint32_t de_keysl[16], de_keysr[16]; | |
159 | static uint32_t ip_maskl[8][256], ip_maskr[8][256]; | |
160 | static uint32_t fp_maskl[8][256], fp_maskr[8][256]; | |
161 | static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; | |
162 | static uint32_t comp_maskl[8][128], comp_maskr[8][128]; | |
163 | static uint32_t saltbits; | |
164 | static uint32_t old_salt; | |
165 | static uint32_t old_rawkey0, old_rawkey1; | |
b57f37fb WP |
166 | |
167 | ||
168 | /* Static stuff that stays resident and doesn't change after | |
169 | * being initialized, and therefore doesn't need to be made | |
170 | * reentrant. */ | |
94b4fbf9 VY |
171 | static uint8_t init_perm[64], final_perm[64]; |
172 | static uint8_t m_sbox[4][4096]; | |
4414eb3c | 173 | static uint32_t psbox[4][256]; |
b57f37fb | 174 | |
b57f37fb | 175 | /* A pile of data */ |
94b4fbf9 | 176 | static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; |
b57f37fb | 177 | |
94b4fbf9 VY |
178 | static const uint8_t IP[64] = { |
179 | 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, | |
180 | 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, | |
181 | 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, | |
182 | 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 | |
b57f37fb WP |
183 | }; |
184 | ||
94b4fbf9 VY |
185 | static const uint8_t key_perm[56] = { |
186 | 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, | |
187 | 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, | |
188 | 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, | |
189 | 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 | |
b57f37fb WP |
190 | }; |
191 | ||
94b4fbf9 | 192 | static const uint8_t key_shifts[16] = { |
b57f37fb WP |
193 | 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 |
194 | }; | |
195 | ||
94b4fbf9 VY |
196 | static const uint8_t comp_perm[48] = { |
197 | 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, | |
198 | 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, | |
b57f37fb WP |
199 | 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, |
200 | 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 | |
201 | }; | |
202 | ||
203 | /* | |
204 | * No E box is used, as it's replaced by some ANDs, shifts, and ORs. | |
205 | */ | |
206 | ||
94b4fbf9 | 207 | static const uint8_t sbox[8][64] = { |
b57f37fb | 208 | { |
94b4fbf9 VY |
209 | 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, |
210 | 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, | |
211 | 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, | |
212 | 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}, | |
b57f37fb | 213 | { |
94b4fbf9 VY |
214 | 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, |
215 | 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, | |
216 | 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, | |
217 | 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}, | |
b57f37fb | 218 | { |
94b4fbf9 VY |
219 | 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, |
220 | 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, | |
221 | 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, | |
222 | 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}, | |
b57f37fb | 223 | { |
94b4fbf9 VY |
224 | 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, |
225 | 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, | |
226 | 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, | |
227 | 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}, | |
b57f37fb | 228 | { |
94b4fbf9 VY |
229 | 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, |
230 | 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, | |
231 | 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, | |
232 | 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}, | |
b57f37fb | 233 | { |
94b4fbf9 VY |
234 | 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, |
235 | 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, | |
236 | 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, | |
237 | 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}, | |
b57f37fb | 238 | { |
94b4fbf9 VY |
239 | 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, |
240 | 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, | |
241 | 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, | |
242 | 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}, | |
b57f37fb | 243 | { |
94b4fbf9 VY |
244 | 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, |
245 | 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, | |
246 | 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, | |
247 | 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11} | |
b57f37fb WP |
248 | }; |
249 | ||
94b4fbf9 VY |
250 | static const uint8_t pbox[32] = { |
251 | 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, | |
252 | 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 | |
b57f37fb WP |
253 | }; |
254 | ||
94b4fbf9 | 255 | static const uint32_t bits32[32] = { |
b57f37fb WP |
256 | 0x80000000, 0x40000000, 0x20000000, 0x10000000, |
257 | 0x08000000, 0x04000000, 0x02000000, 0x01000000, | |
258 | 0x00800000, 0x00400000, 0x00200000, 0x00100000, | |
259 | 0x00080000, 0x00040000, 0x00020000, 0x00010000, | |
260 | 0x00008000, 0x00004000, 0x00002000, 0x00001000, | |
261 | 0x00000800, 0x00000400, 0x00000200, 0x00000100, | |
262 | 0x00000080, 0x00000040, 0x00000020, 0x00000010, | |
263 | 0x00000008, 0x00000004, 0x00000002, 0x00000001 | |
264 | }; | |
265 | ||
94b4fbf9 VY |
266 | static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 }; |
267 | ||
4414eb3c | 268 | static const uint32_t *bits28, *bits24; |
b57f37fb WP |
269 | |
270 | ||
94b4fbf9 | 271 | static int |
12e39525 | 272 | rb_ascii_to_bin(char ch) |
b57f37fb | 273 | { |
94b4fbf9 VY |
274 | if(ch > 'z') |
275 | return (0); | |
276 | if(ch >= 'a') | |
277 | return (ch - 'a' + 38); | |
278 | if(ch > 'Z') | |
279 | return (0); | |
280 | if(ch >= 'A') | |
281 | return (ch - 'A' + 12); | |
282 | if(ch > '9') | |
283 | return (0); | |
284 | if(ch >= '.') | |
285 | return (ch - '.'); | |
286 | return (0); | |
b57f37fb WP |
287 | } |
288 | ||
289 | static void | |
12e39525 | 290 | rb_des_init(void) |
b57f37fb | 291 | { |
94b4fbf9 VY |
292 | int i, j, b, k, inbit, obit; |
293 | uint32_t *p, *il, *ir, *fl, *fr; | |
12e39525 | 294 | static int rb_des_initialised = 0; |
b57f37fb | 295 | |
12e39525 | 296 | if(rb_des_initialised == 1) |
94b4fbf9 | 297 | return; |
b57f37fb WP |
298 | |
299 | old_rawkey0 = old_rawkey1 = 0L; | |
300 | saltbits = 0L; | |
301 | old_salt = 0L; | |
302 | bits24 = (bits28 = bits32 + 4) + 4; | |
303 | ||
304 | /* | |
305 | * Invert the S-boxes, reordering the input bits. | |
306 | */ | |
94b4fbf9 VY |
307 | for(i = 0; i < 8; i++) |
308 | for(j = 0; j < 64; j++) | |
309 | { | |
b57f37fb WP |
310 | b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf); |
311 | u_sbox[i][j] = sbox[i][b]; | |
312 | } | |
313 | ||
314 | /* | |
315 | * Convert the inverted S-boxes into 4 arrays of 8 bits. | |
316 | * Each will handle 12 bits of the S-box input. | |
317 | */ | |
94b4fbf9 VY |
318 | for(b = 0; b < 4; b++) |
319 | for(i = 0; i < 64; i++) | |
320 | for(j = 0; j < 64; j++) | |
b57f37fb | 321 | m_sbox[b][(i << 6) | j] = |
94b4fbf9 VY |
322 | (uint8_t)((u_sbox[(b << 1)][i] << 4) | |
323 | u_sbox[(b << 1) + 1][j]); | |
b57f37fb WP |
324 | |
325 | /* | |
326 | * Set up the initial & final permutations into a useful form, and | |
327 | * initialise the inverted key permutation. | |
328 | */ | |
94b4fbf9 VY |
329 | for(i = 0; i < 64; i++) |
330 | { | |
331 | init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i; | |
b57f37fb WP |
332 | inv_key_perm[i] = 255; |
333 | } | |
334 | ||
335 | /* | |
336 | * Invert the key permutation and initialise the inverted key | |
337 | * compression permutation. | |
338 | */ | |
94b4fbf9 VY |
339 | for(i = 0; i < 56; i++) |
340 | { | |
341 | inv_key_perm[key_perm[i] - 1] = (uint8_t)i; | |
b57f37fb WP |
342 | inv_comp_perm[i] = 255; |
343 | } | |
344 | ||
345 | /* | |
346 | * Invert the key compression permutation. | |
347 | */ | |
94b4fbf9 VY |
348 | for(i = 0; i < 48; i++) |
349 | { | |
350 | inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i; | |
b57f37fb WP |
351 | } |
352 | ||
353 | /* | |
354 | * Set up the OR-mask arrays for the initial and final permutations, | |
355 | * and for the key initial and compression permutations. | |
356 | */ | |
94b4fbf9 VY |
357 | for(k = 0; k < 8; k++) |
358 | { | |
359 | for(i = 0; i < 256; i++) | |
360 | { | |
b57f37fb WP |
361 | *(il = &ip_maskl[k][i]) = 0L; |
362 | *(ir = &ip_maskr[k][i]) = 0L; | |
363 | *(fl = &fp_maskl[k][i]) = 0L; | |
364 | *(fr = &fp_maskr[k][i]) = 0L; | |
94b4fbf9 VY |
365 | for(j = 0; j < 8; j++) |
366 | { | |
b57f37fb | 367 | inbit = 8 * k + j; |
94b4fbf9 VY |
368 | if(i & bits8[j]) |
369 | { | |
370 | if((obit = init_perm[inbit]) < 32) | |
b57f37fb WP |
371 | *il |= bits32[obit]; |
372 | else | |
94b4fbf9 VY |
373 | *ir |= bits32[obit - 32]; |
374 | if((obit = final_perm[inbit]) < 32) | |
b57f37fb WP |
375 | *fl |= bits32[obit]; |
376 | else | |
377 | *fr |= bits32[obit - 32]; | |
378 | } | |
379 | } | |
380 | } | |
94b4fbf9 VY |
381 | for(i = 0; i < 128; i++) |
382 | { | |
b57f37fb WP |
383 | *(il = &key_perm_maskl[k][i]) = 0L; |
384 | *(ir = &key_perm_maskr[k][i]) = 0L; | |
94b4fbf9 VY |
385 | for(j = 0; j < 7; j++) |
386 | { | |
b57f37fb | 387 | inbit = 8 * k + j; |
94b4fbf9 VY |
388 | if(i & bits8[j + 1]) |
389 | { | |
390 | if((obit = inv_key_perm[inbit]) == 255) | |
b57f37fb | 391 | continue; |
94b4fbf9 | 392 | if(obit < 28) |
b57f37fb WP |
393 | *il |= bits28[obit]; |
394 | else | |
395 | *ir |= bits28[obit - 28]; | |
396 | } | |
397 | } | |
398 | *(il = &comp_maskl[k][i]) = 0L; | |
399 | *(ir = &comp_maskr[k][i]) = 0L; | |
94b4fbf9 VY |
400 | for(j = 0; j < 7; j++) |
401 | { | |
b57f37fb | 402 | inbit = 7 * k + j; |
94b4fbf9 VY |
403 | if(i & bits8[j + 1]) |
404 | { | |
405 | if((obit = inv_comp_perm[inbit]) == 255) | |
b57f37fb | 406 | continue; |
94b4fbf9 | 407 | if(obit < 24) |
b57f37fb WP |
408 | *il |= bits24[obit]; |
409 | else | |
410 | *ir |= bits24[obit - 24]; | |
411 | } | |
412 | } | |
413 | } | |
414 | } | |
415 | ||
416 | /* | |
417 | * Invert the P-box permutation, and convert into OR-masks for | |
418 | * handling the output of the S-box arrays setup above. | |
419 | */ | |
94b4fbf9 VY |
420 | for(i = 0; i < 32; i++) |
421 | un_pbox[pbox[i] - 1] = (uint8_t)i; | |
b57f37fb | 422 | |
94b4fbf9 VY |
423 | for(b = 0; b < 4; b++) |
424 | for(i = 0; i < 256; i++) | |
425 | { | |
b57f37fb | 426 | *(p = &psbox[b][i]) = 0L; |
94b4fbf9 VY |
427 | for(j = 0; j < 8; j++) |
428 | { | |
429 | if(i & bits8[j]) | |
b57f37fb WP |
430 | *p |= bits32[un_pbox[8 * b + j]]; |
431 | } | |
432 | } | |
433 | ||
12e39525 | 434 | rb_des_initialised = 1; |
b57f37fb WP |
435 | } |
436 | ||
437 | ||
438 | static void | |
12e39525 | 439 | rb_setup_salt(long salt) |
b57f37fb | 440 | { |
94b4fbf9 VY |
441 | uint32_t obit, saltbit; |
442 | int i; | |
b57f37fb | 443 | |
94b4fbf9 | 444 | if(salt == (long)old_salt) |
b57f37fb WP |
445 | return; |
446 | old_salt = salt; | |
447 | ||
448 | saltbits = 0L; | |
449 | saltbit = 1; | |
450 | obit = 0x800000; | |
94b4fbf9 VY |
451 | for(i = 0; i < 24; i++) |
452 | { | |
453 | if(salt & saltbit) | |
b57f37fb WP |
454 | saltbits |= obit; |
455 | saltbit <<= 1; | |
456 | obit >>= 1; | |
457 | } | |
458 | } | |
459 | ||
b57f37fb | 460 | static int |
12e39525 | 461 | rb_des_setkey(const char *key) |
b57f37fb | 462 | { |
94b4fbf9 VY |
463 | uint32_t k0, k1, rawkey0, rawkey1; |
464 | int shifts, round; | |
b57f37fb | 465 | |
12e39525 | 466 | rb_des_init(); |
b57f37fb | 467 | |
94b4fbf9 VY |
468 | rawkey0 = ntohl(*(const uint32_t *)key); |
469 | rawkey1 = ntohl(*(const uint32_t *)(key + 4)); | |
b57f37fb | 470 | |
94b4fbf9 VY |
471 | if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1) |
472 | { | |
b57f37fb WP |
473 | /* |
474 | * Already setup for this key. | |
475 | * This optimisation fails on a zero key (which is weak and | |
476 | * has bad parity anyway) in order to simplify the starting | |
477 | * conditions. | |
478 | */ | |
94b4fbf9 | 479 | return (0); |
b57f37fb WP |
480 | } |
481 | old_rawkey0 = rawkey0; | |
482 | old_rawkey1 = rawkey1; | |
483 | ||
484 | /* | |
94b4fbf9 | 485 | * Do key permutation and split into two 28-bit subkeys. |
b57f37fb WP |
486 | */ |
487 | k0 = key_perm_maskl[0][rawkey0 >> 25] | |
94b4fbf9 VY |
488 | | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f] |
489 | | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f] | |
490 | | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f] | |
491 | | key_perm_maskl[4][rawkey1 >> 25] | |
492 | | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f] | |
493 | | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f] | |
494 | | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f]; | |
b57f37fb | 495 | k1 = key_perm_maskr[0][rawkey0 >> 25] |
94b4fbf9 VY |
496 | | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f] |
497 | | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f] | |
498 | | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f] | |
499 | | key_perm_maskr[4][rawkey1 >> 25] | |
500 | | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f] | |
501 | | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f] | |
502 | | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f]; | |
b57f37fb | 503 | /* |
94b4fbf9 | 504 | * Rotate subkeys and do compression permutation. |
b57f37fb WP |
505 | */ |
506 | shifts = 0; | |
94b4fbf9 VY |
507 | for(round = 0; round < 16; round++) |
508 | { | |
509 | uint32_t t0, t1; | |
b57f37fb WP |
510 | |
511 | shifts += key_shifts[round]; | |
512 | ||
513 | t0 = (k0 << shifts) | (k0 >> (28 - shifts)); | |
514 | t1 = (k1 << shifts) | (k1 >> (28 - shifts)); | |
515 | ||
516 | de_keysl[15 - round] = | |
94b4fbf9 VY |
517 | en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f] |
518 | | comp_maskl[1][(t0 >> 14) & 0x7f] | |
519 | | comp_maskl[2][(t0 >> 7) & 0x7f] | |
520 | | comp_maskl[3][t0 & 0x7f] | |
521 | | comp_maskl[4][(t1 >> 21) & 0x7f] | |
522 | | comp_maskl[5][(t1 >> 14) & 0x7f] | |
523 | | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f]; | |
b57f37fb WP |
524 | |
525 | de_keysr[15 - round] = | |
94b4fbf9 VY |
526 | en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f] |
527 | | comp_maskr[1][(t0 >> 14) & 0x7f] | |
528 | | comp_maskr[2][(t0 >> 7) & 0x7f] | |
529 | | comp_maskr[3][t0 & 0x7f] | |
530 | | comp_maskr[4][(t1 >> 21) & 0x7f] | |
531 | | comp_maskr[5][(t1 >> 14) & 0x7f] | |
532 | | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f]; | |
b57f37fb | 533 | } |
94b4fbf9 | 534 | return (0); |
b57f37fb WP |
535 | } |
536 | ||
b57f37fb | 537 | static int |
12e39525 | 538 | rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count) |
b57f37fb WP |
539 | { |
540 | /* | |
94b4fbf9 | 541 | * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format. |
b57f37fb | 542 | */ |
94b4fbf9 VY |
543 | uint32_t l, r, *kl, *kr, *kl1, *kr1; |
544 | uint32_t f, r48l, r48r; | |
545 | int round; | |
b57f37fb | 546 | |
94b4fbf9 VY |
547 | if(count == 0) |
548 | { | |
549 | return (1); | |
550 | } | |
551 | else if(count > 0) | |
552 | { | |
b57f37fb WP |
553 | /* |
554 | * Encrypting | |
555 | */ | |
556 | kl1 = en_keysl; | |
557 | kr1 = en_keysr; | |
94b4fbf9 VY |
558 | } |
559 | else | |
560 | { | |
b57f37fb WP |
561 | /* |
562 | * Decrypting | |
563 | */ | |
564 | count = -count; | |
565 | kl1 = de_keysl; | |
566 | kr1 = de_keysr; | |
567 | } | |
568 | ||
569 | /* | |
94b4fbf9 | 570 | * Do initial permutation (IP). |
b57f37fb WP |
571 | */ |
572 | l = ip_maskl[0][l_in >> 24] | |
94b4fbf9 VY |
573 | | ip_maskl[1][(l_in >> 16) & 0xff] |
574 | | ip_maskl[2][(l_in >> 8) & 0xff] | |
575 | | ip_maskl[3][l_in & 0xff] | |
576 | | ip_maskl[4][r_in >> 24] | |
577 | | ip_maskl[5][(r_in >> 16) & 0xff] | |
578 | | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff]; | |
b57f37fb | 579 | r = ip_maskr[0][l_in >> 24] |
94b4fbf9 VY |
580 | | ip_maskr[1][(l_in >> 16) & 0xff] |
581 | | ip_maskr[2][(l_in >> 8) & 0xff] | |
582 | | ip_maskr[3][l_in & 0xff] | |
583 | | ip_maskr[4][r_in >> 24] | |
584 | | ip_maskr[5][(r_in >> 16) & 0xff] | |
585 | | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff]; | |
586 | ||
587 | while(count--) | |
588 | { | |
b57f37fb WP |
589 | /* |
590 | * Do each round. | |
591 | */ | |
592 | kl = kl1; | |
593 | kr = kr1; | |
594 | round = 16; | |
94b4fbf9 VY |
595 | while(round--) |
596 | { | |
b57f37fb WP |
597 | /* |
598 | * Expand R to 48 bits (simulate the E-box). | |
599 | */ | |
94b4fbf9 | 600 | r48l = ((r & 0x00000001) << 23) |
b57f37fb WP |
601 | | ((r & 0xf8000000) >> 9) |
602 | | ((r & 0x1f800000) >> 11) | |
94b4fbf9 | 603 | | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15); |
b57f37fb | 604 | |
94b4fbf9 | 605 | r48r = ((r & 0x0001f800) << 7) |
b57f37fb WP |
606 | | ((r & 0x00001f80) << 5) |
607 | | ((r & 0x000001f8) << 3) | |
94b4fbf9 | 608 | | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31); |
b57f37fb WP |
609 | /* |
610 | * Do salting for crypt() and friends, and | |
611 | * XOR with the permuted key. | |
612 | */ | |
613 | f = (r48l ^ r48r) & saltbits; | |
614 | r48l ^= f ^ *kl++; | |
615 | r48r ^= f ^ *kr++; | |
616 | /* | |
617 | * Do sbox lookups (which shrink it back to 32 bits) | |
618 | * and do the pbox permutation at the same time. | |
619 | */ | |
620 | f = psbox[0][m_sbox[0][r48l >> 12]] | |
94b4fbf9 VY |
621 | | psbox[1][m_sbox[1][r48l & 0xfff]] |
622 | | psbox[2][m_sbox[2][r48r >> 12]] | |
623 | | psbox[3][m_sbox[3][r48r & 0xfff]]; | |
b57f37fb WP |
624 | /* |
625 | * Now that we've permuted things, complete f(). | |
626 | */ | |
627 | f ^= l; | |
628 | l = r; | |
629 | r = f; | |
630 | } | |
631 | r = l; | |
632 | l = f; | |
633 | } | |
634 | /* | |
635 | * Do final permutation (inverse of IP). | |
636 | */ | |
94b4fbf9 | 637 | *l_out = fp_maskl[0][l >> 24] |
b57f37fb WP |
638 | | fp_maskl[1][(l >> 16) & 0xff] |
639 | | fp_maskl[2][(l >> 8) & 0xff] | |
640 | | fp_maskl[3][l & 0xff] | |
641 | | fp_maskl[4][r >> 24] | |
642 | | fp_maskl[5][(r >> 16) & 0xff] | |
94b4fbf9 VY |
643 | | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff]; |
644 | *r_out = fp_maskr[0][l >> 24] | |
b57f37fb WP |
645 | | fp_maskr[1][(l >> 16) & 0xff] |
646 | | fp_maskr[2][(l >> 8) & 0xff] | |
647 | | fp_maskr[3][l & 0xff] | |
648 | | fp_maskr[4][r >> 24] | |
649 | | fp_maskr[5][(r >> 16) & 0xff] | |
94b4fbf9 VY |
650 | | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff]; |
651 | return (0); | |
b57f37fb WP |
652 | } |
653 | ||
b57f37fb | 654 | static char * |
12e39525 | 655 | rb_des_crypt(const char *key, const char *setting) |
b57f37fb | 656 | { |
94b4fbf9 VY |
657 | uint32_t count, salt, l, r0, r1, keybuf[2]; |
658 | uint8_t *p, *q; | |
659 | static char output[21]; | |
b57f37fb | 660 | |
12e39525 | 661 | rb_des_init(); |
b57f37fb WP |
662 | |
663 | /* | |
664 | * Copy the key, shifting each character up by one bit | |
665 | * and padding with zeros. | |
666 | */ | |
94b4fbf9 VY |
667 | q = (uint8_t *)keybuf; |
668 | while(q - (uint8_t *)keybuf - 8) | |
669 | { | |
b57f37fb | 670 | *q++ = *key << 1; |
94b4fbf9 | 671 | if(*(q - 1)) |
b57f37fb WP |
672 | key++; |
673 | } | |
12e39525 | 674 | if(rb_des_setkey((char *)keybuf)) |
94b4fbf9 | 675 | return (NULL); |
b57f37fb WP |
676 | { |
677 | /* | |
678 | * "old"-style: | |
94b4fbf9 VY |
679 | * setting - 2 bytes of salt |
680 | * key - up to 8 characters | |
b57f37fb WP |
681 | */ |
682 | count = 25; | |
683 | ||
12e39525 | 684 | salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]); |
b57f37fb WP |
685 | |
686 | output[0] = setting[0]; | |
687 | /* | |
688 | * If the encrypted password that the salt was extracted from | |
689 | * is only 1 character long, the salt will be corrupted. We | |
690 | * need to ensure that the output string doesn't have an extra | |
691 | * NUL in it! | |
692 | */ | |
693 | output[1] = setting[1] ? setting[1] : output[0]; | |
694 | ||
94b4fbf9 | 695 | p = (uint8_t *)output + 2; |
b57f37fb | 696 | } |
12e39525 | 697 | rb_setup_salt(salt); |
b57f37fb WP |
698 | /* |
699 | * Do it. | |
700 | */ | |
12e39525 | 701 | if(rb_do_des(0L, 0L, &r0, &r1, (int)count)) |
94b4fbf9 | 702 | return (NULL); |
b57f37fb WP |
703 | /* |
704 | * Now encode the result... | |
705 | */ | |
706 | l = (r0 >> 8); | |
707 | *p++ = ascii64[(l >> 18) & 0x3f]; | |
708 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
709 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
710 | *p++ = ascii64[l & 0x3f]; | |
711 | ||
712 | l = (r0 << 16) | ((r1 >> 16) & 0xffff); | |
713 | *p++ = ascii64[(l >> 18) & 0x3f]; | |
714 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
715 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
716 | *p++ = ascii64[l & 0x3f]; | |
717 | ||
718 | l = r1 << 2; | |
719 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
720 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
721 | *p++ = ascii64[l & 0x3f]; | |
722 | *p = 0; | |
723 | ||
94b4fbf9 | 724 | return (output); |
b57f37fb WP |
725 | } |
726 | ||
727 | /* Now md5 crypt */ | |
b57f37fb WP |
728 | /* |
729 | * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm | |
730 | * | |
731 | * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All | |
732 | * rights reserved. | |
733 | * | |
734 | * License to copy and use this software is granted provided that it | |
735 | * is identified as the "RSA Data Security, Inc. MD5 Message-Digest | |
736 | * Algorithm" in all material mentioning or referencing this software | |
737 | * or this function. | |
738 | * | |
739 | * License is also granted to make and use derivative works provided | |
740 | * that such works are identified as "derived from the RSA Data | |
741 | * Security, Inc. MD5 Message-Digest Algorithm" in all material | |
742 | * mentioning or referencing the derived work. | |
743 | * | |
744 | * RSA Data Security, Inc. makes no representations concerning either | |
745 | * the merchantability of this software or the suitability of this | |
746 | * software for any particular purpose. It is provided "as is" | |
747 | * without express or implied warranty of any kind. | |
748 | * | |
749 | * These notices must be retained in any copies of any part of this | |
750 | * documentation and/or software. | |
751 | * | |
b57f37fb WP |
752 | * This code is the same as the code published by RSA Inc. It has been |
753 | * edited for clarity and style only. | |
b57f37fb | 754 | */ |
b57f37fb | 755 | |
12e39525 JH |
756 | #define MD5_BLOCK_LENGTH 64 |
757 | #define MD5_DIGEST_LENGTH 16 | |
758 | #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1) | |
759 | #define MD5_SIZE 16 | |
b57f37fb | 760 | |
12e39525 JH |
761 | static void |
762 | _crypt_to64(char *s, u_long v, int n) | |
94b4fbf9 | 763 | { |
12e39525 JH |
764 | while (--n >= 0) { |
765 | *s++ = ascii64[v&0x3f]; | |
766 | v >>= 6; | |
767 | } | |
768 | } | |
b57f37fb | 769 | |
12e39525 JH |
770 | /* MD5 context. */ |
771 | typedef struct MD5Context { | |
44e6a470 EJM |
772 | uint32_t state[4]; /* state (ABCD) */ |
773 | uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */ | |
12e39525 JH |
774 | unsigned char buffer[64]; /* input buffer */ |
775 | } MD5_CTX; | |
776 | ||
44e6a470 | 777 | static void MD5Transform(uint32_t [4], const unsigned char [64]); |
12e39525 JH |
778 | static void MD5Init (MD5_CTX *); |
779 | static void MD5Update (MD5_CTX *, const void *, unsigned int); | |
780 | static void MD5Final (unsigned char [16], MD5_CTX *); | |
781 | ||
782 | #if (BYTE_ORDER == LITTLE_ENDIAN) | |
783 | #define Encode memcpy | |
784 | #define Decode memcpy | |
785 | #else | |
b57f37fb WP |
786 | |
787 | /* | |
44e6a470 | 788 | * Encodes input (uint32_t) into output (unsigned char). Assumes len is |
b57f37fb WP |
789 | * a multiple of 4. |
790 | */ | |
791 | ||
792 | static void | |
44e6a470 | 793 | Encode (unsigned char *output, uint32_t *input, unsigned int len) |
b57f37fb | 794 | { |
12e39525 | 795 | unsigned int i; |
44e6a470 | 796 | uint32_t *op = (uint32_t *)output; |
b57f37fb | 797 | |
12e39525 JH |
798 | for (i = 0; i < len / 4; i++) |
799 | op[i] = htole32(input[i]); | |
b57f37fb WP |
800 | } |
801 | ||
802 | /* | |
44e6a470 | 803 | * Decodes input (unsigned char) into output (uint32_t). Assumes len is |
b57f37fb WP |
804 | * a multiple of 4. |
805 | */ | |
806 | ||
807 | static void | |
44e6a470 | 808 | Decode (uint32_t *output, const unsigned char *input, unsigned int len) |
b57f37fb | 809 | { |
12e39525 | 810 | unsigned int i; |
44e6a470 | 811 | const uint32_t *ip = (const uint32_t *)input; |
b57f37fb | 812 | |
12e39525 JH |
813 | for (i = 0; i < len / 4; i++) |
814 | output[i] = le32toh(ip[i]); | |
b57f37fb | 815 | } |
12e39525 JH |
816 | #endif |
817 | ||
818 | static unsigned char PADDING[64] = { | |
819 | 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
820 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
821 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 | |
822 | }; | |
b57f37fb WP |
823 | |
824 | /* F, G, H and I are basic MD5 functions. */ | |
825 | #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) | |
826 | #define G(x, y, z) (((x) & (z)) | ((y) & (~z))) | |
827 | #define H(x, y, z) ((x) ^ (y) ^ (z)) | |
828 | #define I(x, y, z) ((y) ^ ((x) | (~z))) | |
829 | ||
830 | /* ROTATE_LEFT rotates x left n bits. */ | |
831 | #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) | |
832 | ||
833 | /* | |
834 | * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. | |
835 | * Rotation is separate from addition to prevent recomputation. | |
836 | */ | |
837 | #define FF(a, b, c, d, x, s, ac) { \ | |
44e6a470 | 838 | (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
b57f37fb WP |
839 | (a) = ROTATE_LEFT ((a), (s)); \ |
840 | (a) += (b); \ | |
841 | } | |
842 | #define GG(a, b, c, d, x, s, ac) { \ | |
44e6a470 | 843 | (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
b57f37fb WP |
844 | (a) = ROTATE_LEFT ((a), (s)); \ |
845 | (a) += (b); \ | |
846 | } | |
847 | #define HH(a, b, c, d, x, s, ac) { \ | |
44e6a470 | 848 | (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
b57f37fb WP |
849 | (a) = ROTATE_LEFT ((a), (s)); \ |
850 | (a) += (b); \ | |
851 | } | |
852 | #define II(a, b, c, d, x, s, ac) { \ | |
44e6a470 | 853 | (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
b57f37fb WP |
854 | (a) = ROTATE_LEFT ((a), (s)); \ |
855 | (a) += (b); \ | |
856 | } | |
857 | ||
858 | /* MD5 initialization. Begins an MD5 operation, writing a new context. */ | |
859 | ||
94b4fbf9 | 860 | static void |
12e39525 JH |
861 | MD5Init (context) |
862 | MD5_CTX *context; | |
b57f37fb | 863 | { |
12e39525 | 864 | |
b57f37fb WP |
865 | context->count[0] = context->count[1] = 0; |
866 | ||
867 | /* Load magic initialization constants. */ | |
868 | context->state[0] = 0x67452301; | |
869 | context->state[1] = 0xefcdab89; | |
870 | context->state[2] = 0x98badcfe; | |
871 | context->state[3] = 0x10325476; | |
872 | } | |
873 | ||
874 | /* | |
875 | * MD5 block update operation. Continues an MD5 message-digest | |
876 | * operation, processing another message block, and updating the | |
877 | * context. | |
878 | */ | |
879 | ||
94b4fbf9 | 880 | static void |
12e39525 JH |
881 | MD5Update (context, in, inputLen) |
882 | MD5_CTX *context; | |
883 | const void *in; | |
884 | unsigned int inputLen; | |
b57f37fb | 885 | { |
12e39525 JH |
886 | unsigned int i, idx, partLen; |
887 | const unsigned char *input = in; | |
888 | ||
b57f37fb | 889 | /* Compute number of bytes mod 64 */ |
12e39525 | 890 | idx = (unsigned int)((context->count[0] >> 3) & 0x3F); |
b57f37fb WP |
891 | |
892 | /* Update number of bits */ | |
44e6a470 EJM |
893 | if ((context->count[0] += ((uint32_t)inputLen << 3)) |
894 | < ((uint32_t)inputLen << 3)) | |
b57f37fb | 895 | context->count[1]++; |
44e6a470 | 896 | context->count[1] += ((uint32_t)inputLen >> 29); |
b57f37fb | 897 | |
12e39525 | 898 | partLen = 64 - idx; |
b57f37fb WP |
899 | |
900 | /* Transform as many times as possible. */ | |
12e39525 JH |
901 | if (inputLen >= partLen) { |
902 | memcpy((void *)&context->buffer[idx], (const void *)input, | |
903 | partLen); | |
904 | MD5Transform (context->state, context->buffer); | |
b57f37fb | 905 | |
12e39525 JH |
906 | for (i = partLen; i + 63 < inputLen; i += 64) |
907 | MD5Transform (context->state, &input[i]); | |
b57f37fb | 908 | |
12e39525 | 909 | idx = 0; |
b57f37fb WP |
910 | } |
911 | else | |
912 | i = 0; | |
913 | ||
914 | /* Buffer remaining input */ | |
12e39525 JH |
915 | memcpy ((void *)&context->buffer[idx], (const void *)&input[i], |
916 | inputLen-i); | |
b57f37fb WP |
917 | } |
918 | ||
919 | /* | |
920 | * MD5 padding. Adds padding followed by original length. | |
921 | */ | |
922 | ||
94b4fbf9 | 923 | static void |
12e39525 JH |
924 | MD5Pad (context) |
925 | MD5_CTX *context; | |
b57f37fb | 926 | { |
12e39525 JH |
927 | unsigned char bits[8]; |
928 | unsigned int idx, padLen; | |
b57f37fb WP |
929 | |
930 | /* Save number of bits */ | |
12e39525 | 931 | Encode (bits, context->count, 8); |
b57f37fb WP |
932 | |
933 | /* Pad out to 56 mod 64. */ | |
12e39525 JH |
934 | idx = (unsigned int)((context->count[0] >> 3) & 0x3f); |
935 | padLen = (idx < 56) ? (56 - idx) : (120 - idx); | |
936 | MD5Update (context, PADDING, padLen); | |
b57f37fb WP |
937 | |
938 | /* Append length (before padding) */ | |
12e39525 | 939 | MD5Update (context, bits, 8); |
b57f37fb WP |
940 | } |
941 | ||
942 | /* | |
943 | * MD5 finalization. Ends an MD5 message-digest operation, writing the | |
944 | * the message digest and zeroizing the context. | |
945 | */ | |
946 | ||
94b4fbf9 | 947 | static void |
12e39525 JH |
948 | MD5Final (digest, context) |
949 | unsigned char digest[16]; | |
950 | MD5_CTX *context; | |
b57f37fb | 951 | { |
b57f37fb | 952 | /* Do padding. */ |
12e39525 | 953 | MD5Pad (context); |
b57f37fb WP |
954 | |
955 | /* Store state in digest */ | |
12e39525 | 956 | Encode (digest, context->state, 16); |
b57f37fb WP |
957 | |
958 | /* Zeroize sensitive information. */ | |
12e39525 | 959 | memset ((void *)context, 0, sizeof (*context)); |
b57f37fb WP |
960 | } |
961 | ||
962 | /* MD5 basic transformation. Transforms state based on block. */ | |
963 | ||
964 | static void | |
12e39525 | 965 | MD5Transform (state, block) |
44e6a470 | 966 | uint32_t state[4]; |
12e39525 | 967 | const unsigned char block[64]; |
b57f37fb | 968 | { |
44e6a470 | 969 | uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16]; |
b57f37fb | 970 | |
12e39525 | 971 | Decode (x, block, 64); |
b57f37fb WP |
972 | |
973 | /* Round 1 */ | |
b57f37fb WP |
974 | #define S11 7 |
975 | #define S12 12 | |
976 | #define S13 17 | |
977 | #define S14 22 | |
12e39525 JH |
978 | FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ |
979 | FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ | |
980 | FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ | |
981 | FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ | |
982 | FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ | |
983 | FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ | |
984 | FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ | |
985 | FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ | |
986 | FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ | |
987 | FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ | |
988 | FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ | |
989 | FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ | |
990 | FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ | |
991 | FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ | |
992 | FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ | |
993 | FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ | |
b57f37fb WP |
994 | |
995 | /* Round 2 */ | |
996 | #define S21 5 | |
997 | #define S22 9 | |
998 | #define S23 14 | |
999 | #define S24 20 | |
12e39525 JH |
1000 | GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ |
1001 | GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ | |
1002 | GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ | |
1003 | GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ | |
1004 | GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ | |
1005 | GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ | |
1006 | GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ | |
1007 | GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ | |
1008 | GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ | |
1009 | GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ | |
1010 | GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ | |
1011 | GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ | |
1012 | GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ | |
1013 | GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ | |
1014 | GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ | |
1015 | GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ | |
b57f37fb WP |
1016 | |
1017 | /* Round 3 */ | |
1018 | #define S31 4 | |
1019 | #define S32 11 | |
1020 | #define S33 16 | |
1021 | #define S34 23 | |
12e39525 JH |
1022 | HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ |
1023 | HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ | |
1024 | HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ | |
1025 | HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ | |
1026 | HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ | |
1027 | HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ | |
1028 | HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ | |
1029 | HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ | |
1030 | HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ | |
1031 | HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ | |
1032 | HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ | |
1033 | HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ | |
1034 | HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ | |
1035 | HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ | |
1036 | HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ | |
1037 | HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ | |
b57f37fb WP |
1038 | |
1039 | /* Round 4 */ | |
1040 | #define S41 6 | |
1041 | #define S42 10 | |
1042 | #define S43 15 | |
1043 | #define S44 21 | |
12e39525 JH |
1044 | II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ |
1045 | II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ | |
1046 | II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ | |
1047 | II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ | |
1048 | II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ | |
1049 | II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ | |
1050 | II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ | |
1051 | II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ | |
1052 | II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ | |
1053 | II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ | |
1054 | II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ | |
1055 | II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ | |
1056 | II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ | |
1057 | II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ | |
1058 | II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ | |
1059 | II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ | |
b57f37fb WP |
1060 | |
1061 | state[0] += a; | |
1062 | state[1] += b; | |
1063 | state[2] += c; | |
1064 | state[3] += d; | |
1065 | ||
1066 | /* Zeroize sensitive information. */ | |
12e39525 | 1067 | memset ((void *)x, 0, sizeof (x)); |
b57f37fb WP |
1068 | } |
1069 | ||
1070 | /* | |
1071 | * UNIX password | |
b57f37fb WP |
1072 | */ |
1073 | ||
94b4fbf9 | 1074 | static char * |
12e39525 | 1075 | rb_md5_crypt(const char *pw, const char *salt) |
b57f37fb | 1076 | { |
12e39525 JH |
1077 | MD5_CTX ctx,ctx1; |
1078 | unsigned long l; | |
1079 | int sl, pl; | |
1080 | u_int i; | |
1081 | u_char final[MD5_SIZE]; | |
b57f37fb WP |
1082 | static const char *sp, *ep; |
1083 | static char passwd[120], *p; | |
12e39525 | 1084 | static const char *magic = "$1$"; |
b57f37fb WP |
1085 | |
1086 | /* Refine the Salt first */ | |
1087 | sp = salt; | |
1088 | ||
1089 | /* If it starts with the magic string, then skip that */ | |
12e39525 JH |
1090 | if(!strncmp(sp, magic, strlen(magic))) |
1091 | sp += strlen(magic); | |
b57f37fb WP |
1092 | |
1093 | /* It stops at the first '$', max 8 chars */ | |
94b4fbf9 | 1094 | for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++) |
b57f37fb WP |
1095 | continue; |
1096 | ||
1097 | /* get the length of the true salt */ | |
1098 | sl = ep - sp; | |
1099 | ||
12e39525 | 1100 | MD5Init(&ctx); |
b57f37fb WP |
1101 | |
1102 | /* The password first, since that is what is most unknown */ | |
12e39525 | 1103 | MD5Update(&ctx, (const u_char *)pw, strlen(pw)); |
b57f37fb WP |
1104 | |
1105 | /* Then our magic string */ | |
12e39525 | 1106 | MD5Update(&ctx, (const u_char *)magic, strlen(magic)); |
b57f37fb WP |
1107 | |
1108 | /* Then the raw salt */ | |
12e39525 | 1109 | MD5Update(&ctx, (const u_char *)sp, (u_int)sl); |
b57f37fb WP |
1110 | |
1111 | /* Then just as many characters of the MD5(pw,salt,pw) */ | |
12e39525 JH |
1112 | MD5Init(&ctx1); |
1113 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); | |
1114 | MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); | |
1115 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); | |
1116 | MD5Final(final, &ctx1); | |
1117 | for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE) | |
1118 | MD5Update(&ctx, (const u_char *)final, | |
1119 | (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl)); | |
b57f37fb WP |
1120 | |
1121 | /* Don't leave anything around in vm they could use. */ | |
12e39525 | 1122 | memset(final, 0, sizeof(final)); |
b57f37fb WP |
1123 | |
1124 | /* Then something really weird... */ | |
12e39525 JH |
1125 | for (i = strlen(pw); i; i >>= 1) |
1126 | if(i & 1) | |
1127 | MD5Update(&ctx, (const u_char *)final, 1); | |
1128 | else | |
1129 | MD5Update(&ctx, (const u_char *)pw, 1); | |
b57f37fb WP |
1130 | |
1131 | /* Now make the output string */ | |
12e39525 JH |
1132 | rb_strlcpy(passwd, magic, sizeof(passwd)); |
1133 | strncat(passwd, sp, (u_int)sl); | |
ad06ad57 | 1134 | rb_strlcat(passwd, "$", sizeof(passwd)); |
b57f37fb | 1135 | |
12e39525 | 1136 | MD5Final(final, &ctx); |
b57f37fb WP |
1137 | |
1138 | /* | |
1139 | * and now, just to make sure things don't run too fast | |
1140 | * On a 60 Mhz Pentium this takes 34 msec, so you would | |
1141 | * need 30 seconds to build a 1000 entry dictionary... | |
1142 | */ | |
12e39525 JH |
1143 | for(i = 0; i < 1000; i++) { |
1144 | MD5Init(&ctx1); | |
b57f37fb | 1145 | if(i & 1) |
12e39525 | 1146 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
b57f37fb | 1147 | else |
12e39525 | 1148 | MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); |
b57f37fb WP |
1149 | |
1150 | if(i % 3) | |
12e39525 | 1151 | MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); |
b57f37fb WP |
1152 | |
1153 | if(i % 7) | |
12e39525 | 1154 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
b57f37fb WP |
1155 | |
1156 | if(i & 1) | |
12e39525 | 1157 | MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); |
b57f37fb | 1158 | else |
12e39525 JH |
1159 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
1160 | MD5Final(final, &ctx1); | |
b57f37fb WP |
1161 | } |
1162 | ||
1163 | p = passwd + strlen(passwd); | |
1164 | ||
12e39525 JH |
1165 | l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; |
1166 | _crypt_to64(p, l, 4); p += 4; | |
1167 | l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; | |
1168 | _crypt_to64(p, l, 4); p += 4; | |
1169 | l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; | |
1170 | _crypt_to64(p, l, 4); p += 4; | |
1171 | l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; | |
1172 | _crypt_to64(p, l, 4); p += 4; | |
1173 | l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; | |
1174 | _crypt_to64(p, l, 4); p += 4; | |
b57f37fb | 1175 | l = final[11]; |
12e39525 | 1176 | _crypt_to64(p, l, 2); p += 2; |
b57f37fb WP |
1177 | *p = '\0'; |
1178 | ||
1179 | /* Don't leave anything around in vm they could use. */ | |
12e39525 JH |
1180 | memset(final, 0, sizeof(final)); |
1181 | ||
1182 | return (passwd); | |
1183 | } | |
1184 | ||
1185 | ||
1186 | /* SHA256-based Unix crypt implementation. | |
1187 | Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */ | |
1188 | ||
1189 | /* Structure to save state of computation between the single steps. */ | |
1190 | struct sha256_ctx | |
1191 | { | |
1192 | uint32_t H[8]; | |
1193 | ||
1194 | uint32_t total[2]; | |
1195 | uint32_t buflen; | |
1196 | char buffer[128]; /* NB: always correctly aligned for uint32_t. */ | |
1197 | }; | |
1198 | ||
1199 | #if __BYTE_ORDER == __LITTLE_ENDIAN | |
1200 | # define SHA256_SWAP(n) \ | |
1201 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) | |
1202 | #else | |
1203 | # define SHA256_SWAP(n) (n) | |
1204 | #endif | |
1205 | ||
1206 | /* This array contains the bytes used to pad the buffer to the next | |
1207 | 64-byte boundary. (FIPS 180-2:5.1.1) */ | |
1208 | static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; | |
1209 | ||
1210 | ||
1211 | /* Constants for SHA256 from FIPS 180-2:4.2.2. */ | |
1212 | static const uint32_t SHA256_K[64] = { | |
1213 | 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, | |
1214 | 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, | |
1215 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, | |
1216 | 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, | |
1217 | 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, | |
1218 | 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, | |
1219 | 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, | |
1220 | 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, | |
1221 | 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, | |
1222 | 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, | |
1223 | 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, | |
1224 | 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, | |
1225 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, | |
1226 | 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, | |
1227 | 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, | |
1228 | 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 | |
1229 | }; | |
1230 | ||
1231 | ||
1232 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | |
1233 | It is assumed that LEN % 64 == 0. */ | |
1234 | static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx) | |
1235 | { | |
1236 | const uint32_t *words = buffer; | |
1237 | size_t nwords = len / sizeof(uint32_t); | |
1238 | uint32_t a = ctx->H[0]; | |
1239 | uint32_t b = ctx->H[1]; | |
1240 | uint32_t c = ctx->H[2]; | |
1241 | uint32_t d = ctx->H[3]; | |
1242 | uint32_t e = ctx->H[4]; | |
1243 | uint32_t f = ctx->H[5]; | |
1244 | uint32_t g = ctx->H[6]; | |
1245 | uint32_t h = ctx->H[7]; | |
1246 | ||
1247 | /* First increment the byte count. FIPS 180-2 specifies the possible | |
1248 | length of the file up to 2^64 bits. Here we only compute the | |
1249 | number of bytes. Do a double word increment. */ | |
1250 | ctx->total[0] += len; | |
1251 | if (ctx->total[0] < len) | |
1252 | ++ctx->total[1]; | |
1253 | ||
1254 | /* Process all bytes in the buffer with 64 bytes in each round of | |
1255 | the loop. */ | |
1256 | while (nwords > 0) | |
1257 | { | |
1258 | uint32_t W[64]; | |
1259 | uint32_t a_save = a; | |
1260 | uint32_t b_save = b; | |
1261 | uint32_t c_save = c; | |
1262 | uint32_t d_save = d; | |
1263 | uint32_t e_save = e; | |
1264 | uint32_t f_save = f; | |
1265 | uint32_t g_save = g; | |
1266 | uint32_t h_save = h; | |
1267 | unsigned int t; | |
1268 | ||
1269 | /* Operators defined in FIPS 180-2:4.1.2. */ | |
1270 | #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z)) | |
1271 | #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) | |
1272 | #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22)) | |
1273 | #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25)) | |
1274 | #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3)) | |
1275 | #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10)) | |
1276 | ||
1277 | /* It is unfortunate that C does not provide an operator for | |
1278 | cyclic rotation. Hope the C compiler is smart enough. */ | |
1279 | #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s))) | |
1280 | ||
1281 | /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ | |
1282 | for (t = 0; t < 16; ++t) | |
1283 | { | |
1284 | W[t] = SHA256_SWAP(*words); | |
1285 | ++words; | |
1286 | } | |
1287 | for (t = 16; t < 64; ++t) | |
1288 | W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16]; | |
1289 | ||
1290 | /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ | |
1291 | for (t = 0; t < 64; ++t) | |
1292 | { | |
1293 | uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t]; | |
1294 | uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c); | |
1295 | h = g; | |
1296 | g = f; | |
1297 | f = e; | |
1298 | e = d + T1; | |
1299 | d = c; | |
1300 | c = b; | |
1301 | b = a; | |
1302 | a = T1 + T2; | |
1303 | } | |
1304 | ||
1305 | /* Add the starting values of the context according to FIPS 180-2:6.2.2 | |
1306 | step 4. */ | |
1307 | a += a_save; | |
1308 | b += b_save; | |
1309 | c += c_save; | |
1310 | d += d_save; | |
1311 | e += e_save; | |
1312 | f += f_save; | |
1313 | g += g_save; | |
1314 | h += h_save; | |
1315 | ||
1316 | /* Prepare for the next round. */ | |
1317 | nwords -= 16; | |
1318 | } | |
1319 | ||
1320 | /* Put checksum in context given as argument. */ | |
1321 | ctx->H[0] = a; | |
1322 | ctx->H[1] = b; | |
1323 | ctx->H[2] = c; | |
1324 | ctx->H[3] = d; | |
1325 | ctx->H[4] = e; | |
1326 | ctx->H[5] = f; | |
1327 | ctx->H[6] = g; | |
1328 | ctx->H[7] = h; | |
1329 | } | |
1330 | ||
1331 | ||
1332 | /* Initialize structure containing state of computation. | |
1333 | (FIPS 180-2:5.3.2) */ | |
1334 | static void rb_sha256_init_ctx(struct sha256_ctx *ctx) | |
1335 | { | |
1336 | ctx->H[0] = 0x6a09e667; | |
1337 | ctx->H[1] = 0xbb67ae85; | |
1338 | ctx->H[2] = 0x3c6ef372; | |
1339 | ctx->H[3] = 0xa54ff53a; | |
1340 | ctx->H[4] = 0x510e527f; | |
1341 | ctx->H[5] = 0x9b05688c; | |
1342 | ctx->H[6] = 0x1f83d9ab; | |
1343 | ctx->H[7] = 0x5be0cd19; | |
1344 | ||
1345 | ctx->total[0] = ctx->total[1] = 0; | |
1346 | ctx->buflen = 0; | |
1347 | } | |
1348 | ||
1349 | ||
1350 | /* Process the remaining bytes in the internal buffer and the usual | |
1351 | prolog according to the standard and write the result to RESBUF. | |
1352 | ||
1353 | IMPORTANT: On some systems it is required that RESBUF is correctly | |
1354 | aligned for a 32 bits value. */ | |
1355 | static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) | |
1356 | { | |
1357 | /* Take yet unprocessed bytes into account. */ | |
1358 | uint32_t bytes = ctx->buflen; | |
1359 | size_t pad; | |
1360 | unsigned int i; | |
1361 | ||
1362 | /* Now count remaining bytes. */ | |
1363 | ctx->total[0] += bytes; | |
1364 | if (ctx->total[0] < bytes) | |
1365 | ++ctx->total[1]; | |
1366 | ||
1367 | pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; | |
1368 | memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad); | |
1369 | ||
1370 | /* Put the 64-bit file length in *bits* at the end of the buffer. */ | |
1371 | *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SHA256_SWAP(ctx->total[0] << 3); | |
1372 | *(uint32_t *) & ctx->buffer[bytes + pad] = SHA256_SWAP((ctx->total[1] << 3) | | |
1373 | (ctx->total[0] >> 29)); | |
1374 | ||
1375 | /* Process last bytes. */ | |
1376 | rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx); | |
1377 | ||
1378 | /* Put result from CTX in first 32 bytes following RESBUF. */ | |
1379 | for (i = 0; i < 8; ++i) | |
1380 | ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]); | |
1381 | ||
1382 | return resbuf; | |
1383 | } | |
1384 | ||
1385 | ||
1386 | static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) | |
1387 | { | |
1388 | /* When we already have some bits in our internal buffer concatenate | |
1389 | both inputs first. */ | |
1390 | if (ctx->buflen != 0) | |
1391 | { | |
1392 | size_t left_over = ctx->buflen; | |
1393 | size_t add = 128 - left_over > len ? len : 128 - left_over; | |
1394 | ||
1395 | memcpy(&ctx->buffer[left_over], buffer, add); | |
1396 | ctx->buflen += add; | |
1397 | ||
1398 | if (ctx->buflen > 64) | |
1399 | { | |
1400 | rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx); | |
1401 | ||
1402 | ctx->buflen &= 63; | |
1403 | /* The regions in the following copy operation cannot overlap. */ | |
1404 | memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen); | |
1405 | } | |
1406 | ||
1407 | buffer = (const char *)buffer + add; | |
1408 | len -= add; | |
1409 | } | |
1410 | ||
1411 | /* Process available complete blocks. */ | |
1412 | if (len >= 64) | |
1413 | { | |
1414 | /* To check alignment gcc has an appropriate operator. Other | |
1415 | compilers don't. */ | |
1416 | #if __GNUC__ >= 2 | |
1417 | # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) | |
1418 | #else | |
1419 | # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) | |
1420 | #endif | |
1421 | if (SHA256_UNALIGNED_P(buffer)) | |
1422 | while (len > 64) | |
1423 | { | |
1424 | rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx); | |
1425 | buffer = (const char *)buffer + 64; | |
1426 | len -= 64; | |
1427 | } | |
1428 | else | |
1429 | { | |
1430 | rb_sha256_process_block(buffer, len & ~63, ctx); | |
1431 | buffer = (const char *)buffer + (len & ~63); | |
1432 | len &= 63; | |
1433 | } | |
1434 | } | |
1435 | ||
1436 | /* Move remaining bytes into internal buffer. */ | |
1437 | if (len > 0) | |
1438 | { | |
1439 | size_t left_over = ctx->buflen; | |
1440 | ||
1441 | memcpy(&ctx->buffer[left_over], buffer, len); | |
1442 | left_over += len; | |
1443 | if (left_over >= 64) | |
1444 | { | |
1445 | rb_sha256_process_block(ctx->buffer, 64, ctx); | |
1446 | left_over -= 64; | |
1447 | memcpy(ctx->buffer, &ctx->buffer[64], left_over); | |
1448 | } | |
1449 | ctx->buflen = left_over; | |
1450 | } | |
1451 | } | |
1452 | ||
1453 | ||
1454 | /* Define our magic string to mark salt for SHA256 "encryption" | |
1455 | replacement. */ | |
1456 | static const char sha256_salt_prefix[] = "$5$"; | |
1457 | ||
1458 | /* Prefix for optional rounds specification. */ | |
1459 | static const char sha256_rounds_prefix[] = "rounds="; | |
1460 | ||
1461 | /* Maximum salt string length. */ | |
1462 | #define SHA256_SALT_LEN_MAX 16 | |
1463 | /* Default number of rounds if not explicitly specified. */ | |
1464 | #define SHA256_ROUNDS_DEFAULT 5000 | |
1465 | /* Minimum number of rounds. */ | |
1466 | #define SHA256_ROUNDS_MIN 1000 | |
1467 | /* Maximum number of rounds. */ | |
1468 | #define SHA256_ROUNDS_MAX 999999999 | |
1469 | ||
1470 | static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen) | |
1471 | { | |
1472 | unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t)))); | |
1473 | unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t)))); | |
1474 | struct sha256_ctx ctx; | |
1475 | struct sha256_ctx alt_ctx; | |
1476 | size_t salt_len; | |
1477 | size_t key_len; | |
1478 | size_t cnt; | |
1479 | char *cp; | |
1480 | char *copied_key = NULL; | |
1481 | char *copied_salt = NULL; | |
1482 | char *p_bytes; | |
1483 | char *s_bytes; | |
1484 | /* Default number of rounds. */ | |
1485 | size_t rounds = SHA256_ROUNDS_DEFAULT; | |
1486 | int rounds_custom = 0; | |
1487 | ||
1488 | /* Find beginning of salt string. The prefix should normally always | |
1489 | be present. Just in case it is not. */ | |
1490 | if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) | |
1491 | /* Skip salt prefix. */ | |
1492 | salt += sizeof(sha256_salt_prefix) - 1; | |
1493 | ||
1494 | if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0) | |
1495 | { | |
1496 | const char *num = salt + sizeof(sha256_rounds_prefix) - 1; | |
1497 | char *endp; | |
1498 | unsigned long int srounds = strtoul(num, &endp, 10); | |
1499 | if (*endp == '$') | |
1500 | { | |
1501 | salt = endp + 1; | |
1502 | rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX)); | |
1503 | rounds_custom = 1; | |
1504 | } | |
1505 | } | |
1506 | ||
1507 | salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX); | |
1508 | key_len = strlen(key); | |
1509 | ||
1510 | if ((key - (char *)0) % __alignof__(uint32_t) != 0) | |
1511 | { | |
1512 | char *tmp = (char *)alloca(key_len + __alignof__(uint32_t)); | |
1513 | key = copied_key = | |
1514 | memcpy(tmp + __alignof__(uint32_t) | |
1515 | - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len); | |
1516 | } | |
1517 | ||
1518 | if ((salt - (char *)0) % __alignof__(uint32_t) != 0) | |
1519 | { | |
1520 | char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t)); | |
1521 | salt = copied_salt = | |
1522 | memcpy(tmp + __alignof__(uint32_t) | |
1523 | - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len); | |
1524 | } | |
1525 | ||
1526 | /* Prepare for the real work. */ | |
1527 | rb_sha256_init_ctx(&ctx); | |
1528 | ||
1529 | /* Add the key string. */ | |
1530 | rb_sha256_process_bytes(key, key_len, &ctx); | |
1531 | ||
1532 | /* The last part is the salt string. This must be at most 16 | |
1533 | characters and it ends at the first `$' character (for | |
1534 | compatibility with existing implementations). */ | |
1535 | rb_sha256_process_bytes(salt, salt_len, &ctx); | |
1536 | ||
1537 | ||
1538 | /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The | |
1539 | final result will be added to the first context. */ | |
1540 | rb_sha256_init_ctx(&alt_ctx); | |
1541 | ||
1542 | /* Add key. */ | |
1543 | rb_sha256_process_bytes(key, key_len, &alt_ctx); | |
1544 | ||
1545 | /* Add salt. */ | |
1546 | rb_sha256_process_bytes(salt, salt_len, &alt_ctx); | |
1547 | ||
1548 | /* Add key again. */ | |
1549 | rb_sha256_process_bytes(key, key_len, &alt_ctx); | |
1550 | ||
1551 | /* Now get result of this (32 bytes) and add it to the other | |
1552 | context. */ | |
1553 | rb_sha256_finish_ctx(&alt_ctx, alt_result); | |
1554 | ||
1555 | /* Add for any character in the key one byte of the alternate sum. */ | |
1556 | for (cnt = key_len; cnt > 32; cnt -= 32) | |
1557 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1558 | rb_sha256_process_bytes(alt_result, cnt, &ctx); | |
1559 | ||
1560 | /* Take the binary representation of the length of the key and for every | |
1561 | 1 add the alternate sum, for every 0 the key. */ | |
1562 | for (cnt = key_len; cnt > 0; cnt >>= 1) | |
1563 | if ((cnt & 1) != 0) | |
1564 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1565 | else | |
1566 | rb_sha256_process_bytes(key, key_len, &ctx); | |
1567 | ||
1568 | /* Create intermediate result. */ | |
1569 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1570 | ||
1571 | /* Start computation of P byte sequence. */ | |
1572 | rb_sha256_init_ctx(&alt_ctx); | |
1573 | ||
1574 | /* For every character in the password add the entire password. */ | |
44e6a470 | 1575 | for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt) |
12e39525 JH |
1576 | rb_sha256_process_bytes(key, key_len, &alt_ctx); |
1577 | ||
1578 | /* Finish the digest. */ | |
1579 | rb_sha256_finish_ctx(&alt_ctx, temp_result); | |
1580 | ||
1581 | /* Create byte sequence P. */ | |
1582 | cp = p_bytes = alloca(key_len); | |
1583 | for (cnt = key_len; cnt >= 32; cnt -= 32) | |
1584 | { | |
1585 | memcpy(cp, temp_result, 32); | |
1586 | cp += 32; | |
1587 | } | |
1588 | memcpy(cp, temp_result, cnt); | |
1589 | ||
1590 | /* Start computation of S byte sequence. */ | |
1591 | rb_sha256_init_ctx(&alt_ctx); | |
1592 | ||
1593 | /* For every character in the password add the entire password. */ | |
86044bd2 | 1594 | for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt) |
12e39525 JH |
1595 | rb_sha256_process_bytes(salt, salt_len, &alt_ctx); |
1596 | ||
1597 | /* Finish the digest. */ | |
1598 | rb_sha256_finish_ctx(&alt_ctx, temp_result); | |
1599 | ||
1600 | /* Create byte sequence S. */ | |
1601 | cp = s_bytes = alloca(salt_len); | |
1602 | for (cnt = salt_len; cnt >= 32; cnt -= 32) | |
1603 | { | |
1604 | memcpy(cp, temp_result, 32); | |
1605 | cp += 32; | |
1606 | } | |
1607 | memcpy(cp, temp_result, cnt); | |
1608 | ||
1609 | /* Repeatedly run the collected hash value through SHA256 to burn | |
1610 | CPU cycles. */ | |
1611 | for (cnt = 0; cnt < rounds; ++cnt) | |
1612 | { | |
1613 | /* New context. */ | |
1614 | rb_sha256_init_ctx(&ctx); | |
1615 | ||
1616 | /* Add key or last result. */ | |
1617 | if ((cnt & 1) != 0) | |
1618 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1619 | else | |
1620 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1621 | ||
1622 | /* Add salt for numbers not divisible by 3. */ | |
1623 | if (cnt % 3 != 0) | |
1624 | rb_sha256_process_bytes(s_bytes, salt_len, &ctx); | |
1625 | ||
1626 | /* Add key for numbers not divisible by 7. */ | |
1627 | if (cnt % 7 != 0) | |
1628 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1629 | ||
1630 | /* Add key or last result. */ | |
1631 | if ((cnt & 1) != 0) | |
1632 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1633 | else | |
1634 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1635 | ||
1636 | /* Create intermediate result. */ | |
1637 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1638 | } | |
1639 | ||
1640 | /* Now we can construct the result string. It consists of three | |
1641 | parts. */ | |
1642 | memset(buffer, '\0', MAX(0, buflen)); | |
1643 | strncpy(buffer, sha256_salt_prefix, MAX(0, buflen)); | |
1644 | if((cp = strchr(buffer, '\0')) == NULL) | |
1645 | cp = buffer + MAX(0, buflen); | |
1646 | buflen -= sizeof(sha256_salt_prefix) - 1; | |
1647 | ||
1648 | if (rounds_custom) | |
1649 | { | |
1650 | int n = snprintf(cp, MAX(0, buflen), "%s%zu$", | |
1651 | sha256_rounds_prefix, rounds); | |
1652 | cp += n; | |
1653 | buflen -= n; | |
1654 | } | |
1655 | ||
1656 | memset(cp, '\0', salt_len); | |
1657 | strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); | |
1658 | if((cp = strchr(buffer, '\0')) == NULL) | |
1659 | cp += salt_len; | |
1660 | buflen -= MIN((size_t) MAX(0, buflen), salt_len); | |
1661 | ||
1662 | if (buflen > 0) | |
1663 | { | |
1664 | *cp++ = '$'; | |
1665 | --buflen; | |
1666 | } | |
1667 | ||
1668 | b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4); | |
1669 | b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4); | |
1670 | b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4); | |
1671 | b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4); | |
1672 | b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4); | |
1673 | b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4); | |
1674 | b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4); | |
1675 | b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4); | |
1676 | b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4); | |
1677 | b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4); | |
1678 | b64_from_24bit(0, alt_result[31], alt_result[30], 3); | |
1679 | if (buflen <= 0) | |
1680 | { | |
1681 | errno = ERANGE; | |
1682 | buffer = NULL; | |
1683 | } | |
1684 | else | |
1685 | *cp = '\0'; /* Terminate the string. */ | |
1686 | ||
1687 | /* Clear the buffer for the intermediate result so that people | |
1688 | attaching to processes or reading core dumps cannot get any | |
1689 | information. We do it in this way to clear correct_words[] | |
1690 | inside the SHA256 implementation as well. */ | |
1691 | rb_sha256_init_ctx(&ctx); | |
1692 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1693 | memset(temp_result, '\0', sizeof(temp_result)); | |
1694 | memset(p_bytes, '\0', key_len); | |
1695 | memset(s_bytes, '\0', salt_len); | |
1696 | memset(&ctx, '\0', sizeof(ctx)); | |
1697 | memset(&alt_ctx, '\0', sizeof(alt_ctx)); | |
1698 | if (copied_key != NULL) | |
1699 | memset(copied_key, '\0', key_len); | |
1700 | if (copied_salt != NULL) | |
1701 | memset(copied_salt, '\0', salt_len); | |
1702 | ||
1703 | return buffer; | |
1704 | } | |
1705 | ||
1706 | ||
1707 | /* This entry point is equivalent to the `crypt' function in Unix | |
1708 | libcs. */ | |
1709 | static char *rb_sha256_crypt(const char *key, const char *salt) | |
1710 | { | |
1711 | /* We don't want to have an arbitrary limit in the size of the | |
1712 | password. We can compute an upper bound for the size of the | |
1713 | result in advance and so we can prepare the buffer we pass to | |
1714 | `rb_sha256_crypt_r'. */ | |
1715 | static char *buffer; | |
1716 | static int buflen; | |
1717 | int needed = (sizeof(sha256_salt_prefix) - 1 | |
1718 | + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1); | |
1719 | ||
1720 | char *new_buffer = (char *)malloc(needed); | |
1721 | if (new_buffer == NULL) | |
1722 | return NULL; | |
1723 | ||
1724 | buffer = new_buffer; | |
1725 | buflen = needed; | |
1726 | ||
1727 | return rb_sha256_crypt_r(key, salt, buffer, buflen); | |
1728 | } | |
1729 | ||
1730 | /* Structure to save state of computation between the single steps. */ | |
1731 | struct sha512_ctx | |
1732 | { | |
1733 | uint64_t H[8]; | |
1734 | ||
1735 | uint64_t total[2]; | |
1736 | uint64_t buflen; | |
1737 | char buffer[256]; /* NB: always correctly aligned for uint64_t. */ | |
1738 | }; | |
1739 | ||
1740 | ||
1741 | #if __BYTE_ORDER == __LITTLE_ENDIAN | |
1742 | # define SHA512_SWAP(n) \ | |
1743 | (((n) << 56) \ | |
1744 | | (((n) & 0xff00) << 40) \ | |
1745 | | (((n) & 0xff0000) << 24) \ | |
1746 | | (((n) & 0xff000000) << 8) \ | |
1747 | | (((n) >> 8) & 0xff000000) \ | |
1748 | | (((n) >> 24) & 0xff0000) \ | |
1749 | | (((n) >> 40) & 0xff00) \ | |
1750 | | ((n) >> 56)) | |
1751 | #else | |
1752 | # define SHA512_SWAP(n) (n) | |
1753 | #endif | |
1754 | ||
1755 | ||
1756 | /* This array contains the bytes used to pad the buffer to the next | |
1757 | 64-byte boundary. (FIPS 180-2:5.1.2) */ | |
1758 | static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ }; | |
1759 | ||
1760 | ||
1761 | /* Constants for SHA512 from FIPS 180-2:4.2.3. */ | |
1762 | static const uint64_t SHA512_K[80] = { | |
1763 | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, | |
1764 | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, | |
1765 | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, | |
1766 | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, | |
1767 | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, | |
1768 | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, | |
1769 | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, | |
1770 | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, | |
1771 | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, | |
1772 | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, | |
1773 | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, | |
1774 | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, | |
1775 | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, | |
1776 | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, | |
1777 | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, | |
1778 | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, | |
1779 | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, | |
1780 | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, | |
1781 | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, | |
1782 | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, | |
1783 | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, | |
1784 | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, | |
1785 | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, | |
1786 | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, | |
1787 | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, | |
1788 | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, | |
1789 | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, | |
1790 | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, | |
1791 | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, | |
1792 | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, | |
1793 | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, | |
1794 | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, | |
1795 | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, | |
1796 | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, | |
1797 | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, | |
1798 | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, | |
1799 | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, | |
1800 | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, | |
1801 | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, | |
1802 | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL | |
1803 | }; | |
1804 | ||
1805 | ||
1806 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | |
1807 | It is assumed that LEN % 128 == 0. */ | |
1808 | static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx) | |
1809 | { | |
1810 | const uint64_t *words = buffer; | |
1811 | size_t nwords = len / sizeof(uint64_t); | |
1812 | uint64_t a = ctx->H[0]; | |
1813 | uint64_t b = ctx->H[1]; | |
1814 | uint64_t c = ctx->H[2]; | |
1815 | uint64_t d = ctx->H[3]; | |
1816 | uint64_t e = ctx->H[4]; | |
1817 | uint64_t f = ctx->H[5]; | |
1818 | uint64_t g = ctx->H[6]; | |
1819 | uint64_t h = ctx->H[7]; | |
1820 | ||
1821 | /* First increment the byte count. FIPS 180-2 specifies the possible | |
1822 | length of the file up to 2^128 bits. Here we only compute the | |
1823 | number of bytes. Do a double word increment. */ | |
1824 | ctx->total[0] += len; | |
1825 | if (ctx->total[0] < len) | |
1826 | ++ctx->total[1]; | |
1827 | ||
1828 | /* Process all bytes in the buffer with 128 bytes in each round of | |
1829 | the loop. */ | |
1830 | while (nwords > 0) | |
1831 | { | |
1832 | uint64_t W[80]; | |
1833 | uint64_t a_save = a; | |
1834 | uint64_t b_save = b; | |
1835 | uint64_t c_save = c; | |
1836 | uint64_t d_save = d; | |
1837 | uint64_t e_save = e; | |
1838 | uint64_t f_save = f; | |
1839 | uint64_t g_save = g; | |
1840 | uint64_t h_save = h; | |
1841 | unsigned int t; | |
1842 | ||
1843 | /* Operators defined in FIPS 180-2:4.1.2. */ | |
1844 | #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z)) | |
1845 | #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) | |
1846 | #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39)) | |
1847 | #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41)) | |
1848 | #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7)) | |
1849 | #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6)) | |
1850 | ||
1851 | /* It is unfortunate that C does not provide an operator for | |
1852 | cyclic rotation. Hope the C compiler is smart enough. */ | |
1853 | #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s))) | |
1854 | ||
1855 | /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */ | |
1856 | for (t = 0; t < 16; ++t) | |
1857 | { | |
1858 | W[t] = SHA512_SWAP(*words); | |
1859 | ++words; | |
1860 | } | |
1861 | for (t = 16; t < 80; ++t) | |
1862 | W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16]; | |
1863 | ||
1864 | /* The actual computation according to FIPS 180-2:6.3.2 step 3. */ | |
1865 | for (t = 0; t < 80; ++t) | |
1866 | { | |
1867 | uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t]; | |
1868 | uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c); | |
1869 | h = g; | |
1870 | g = f; | |
1871 | f = e; | |
1872 | e = d + T1; | |
1873 | d = c; | |
1874 | c = b; | |
1875 | b = a; | |
1876 | a = T1 + T2; | |
1877 | } | |
1878 | ||
1879 | /* Add the starting values of the context according to FIPS 180-2:6.3.2 | |
1880 | step 4. */ | |
1881 | a += a_save; | |
1882 | b += b_save; | |
1883 | c += c_save; | |
1884 | d += d_save; | |
1885 | e += e_save; | |
1886 | f += f_save; | |
1887 | g += g_save; | |
1888 | h += h_save; | |
1889 | ||
1890 | /* Prepare for the next round. */ | |
1891 | nwords -= 16; | |
1892 | } | |
1893 | ||
1894 | /* Put checksum in context given as argument. */ | |
1895 | ctx->H[0] = a; | |
1896 | ctx->H[1] = b; | |
1897 | ctx->H[2] = c; | |
1898 | ctx->H[3] = d; | |
1899 | ctx->H[4] = e; | |
1900 | ctx->H[5] = f; | |
1901 | ctx->H[6] = g; | |
1902 | ctx->H[7] = h; | |
1903 | } | |
1904 | ||
1905 | ||
1906 | /* Initialize structure containing state of computation. | |
1907 | (FIPS 180-2:5.3.3) */ | |
1908 | static void rb_sha512_init_ctx(struct sha512_ctx *ctx) | |
1909 | { | |
1910 | ctx->H[0] = 0x6a09e667f3bcc908ULL; | |
1911 | ctx->H[1] = 0xbb67ae8584caa73bULL; | |
1912 | ctx->H[2] = 0x3c6ef372fe94f82bULL; | |
1913 | ctx->H[3] = 0xa54ff53a5f1d36f1ULL; | |
1914 | ctx->H[4] = 0x510e527fade682d1ULL; | |
1915 | ctx->H[5] = 0x9b05688c2b3e6c1fULL; | |
1916 | ctx->H[6] = 0x1f83d9abfb41bd6bULL; | |
1917 | ctx->H[7] = 0x5be0cd19137e2179ULL; | |
1918 | ||
1919 | ctx->total[0] = ctx->total[1] = 0; | |
1920 | ctx->buflen = 0; | |
1921 | } | |
1922 | ||
1923 | ||
1924 | /* Process the remaining bytes in the internal buffer and the usual | |
1925 | prolog according to the standard and write the result to RESBUF. | |
1926 | ||
1927 | IMPORTANT: On some systems it is required that RESBUF is correctly | |
1928 | aligned for a 32 bits value. */ | |
1929 | static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf) | |
1930 | { | |
1931 | /* Take yet unprocessed bytes into account. */ | |
1932 | uint64_t bytes = ctx->buflen; | |
1933 | size_t pad; | |
1934 | unsigned int i; | |
1935 | ||
1936 | /* Now count remaining bytes. */ | |
1937 | ctx->total[0] += bytes; | |
1938 | if (ctx->total[0] < bytes) | |
1939 | ++ctx->total[1]; | |
1940 | ||
1941 | pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes; | |
1942 | memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad); | |
1943 | ||
1944 | /* Put the 128-bit file length in *bits* at the end of the buffer. */ | |
1945 | *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SHA512_SWAP(ctx->total[0] << 3); | |
1946 | *(uint64_t *) & ctx->buffer[bytes + pad] = SHA512_SWAP((ctx->total[1] << 3) | | |
1947 | (ctx->total[0] >> 61)); | |
1948 | ||
1949 | /* Process last bytes. */ | |
1950 | rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx); | |
1951 | ||
1952 | /* Put result from CTX in first 64 bytes following RESBUF. */ | |
1953 | for (i = 0; i < 8; ++i) | |
1954 | ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]); | |
1955 | ||
1956 | return resbuf; | |
1957 | } | |
1958 | ||
1959 | ||
1960 | static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx) | |
1961 | { | |
1962 | /* When we already have some bits in our internal buffer concatenate | |
1963 | both inputs first. */ | |
1964 | if (ctx->buflen != 0) | |
1965 | { | |
1966 | size_t left_over = ctx->buflen; | |
1967 | size_t add = 256 - left_over > len ? len : 256 - left_over; | |
1968 | ||
1969 | memcpy(&ctx->buffer[left_over], buffer, add); | |
1970 | ctx->buflen += add; | |
1971 | ||
1972 | if (ctx->buflen > 128) | |
1973 | { | |
1974 | rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx); | |
1975 | ||
1976 | ctx->buflen &= 127; | |
1977 | /* The regions in the following copy operation cannot overlap. */ | |
1978 | memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen); | |
1979 | } | |
1980 | ||
1981 | buffer = (const char *)buffer + add; | |
1982 | len -= add; | |
1983 | } | |
1984 | ||
1985 | /* Process available complete blocks. */ | |
1986 | if (len >= 128) | |
1987 | { | |
1988 | #if !_STRING_ARCH_unaligned | |
1989 | /* To check alignment gcc has an appropriate operator. Other | |
1990 | compilers don't. */ | |
1991 | # if __GNUC__ >= 2 | |
1992 | # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0) | |
1993 | # else | |
1994 | # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0) | |
1995 | # endif | |
1996 | if (SHA512_UNALIGNED_P(buffer)) | |
1997 | while (len > 128) | |
1998 | { | |
1999 | rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx); | |
2000 | buffer = (const char *)buffer + 128; | |
2001 | len -= 128; | |
2002 | } | |
2003 | else | |
2004 | #endif | |
2005 | { | |
2006 | rb_sha512_process_block(buffer, len & ~127, ctx); | |
2007 | buffer = (const char *)buffer + (len & ~127); | |
2008 | len &= 127; | |
2009 | } | |
2010 | } | |
2011 | ||
2012 | /* Move remaining bytes into internal buffer. */ | |
2013 | if (len > 0) | |
2014 | { | |
2015 | size_t left_over = ctx->buflen; | |
2016 | ||
2017 | memcpy(&ctx->buffer[left_over], buffer, len); | |
2018 | left_over += len; | |
2019 | if (left_over >= 128) | |
2020 | { | |
2021 | rb_sha512_process_block(ctx->buffer, 128, ctx); | |
2022 | left_over -= 128; | |
2023 | memcpy(ctx->buffer, &ctx->buffer[128], left_over); | |
2024 | } | |
2025 | ctx->buflen = left_over; | |
2026 | } | |
2027 | } | |
2028 | ||
2029 | ||
2030 | /* Define our magic string to mark salt for SHA512 "encryption" | |
2031 | replacement. */ | |
2032 | static const char sha512_salt_prefix[] = "$6$"; | |
2033 | ||
2034 | /* Prefix for optional rounds specification. */ | |
2035 | static const char sha512_rounds_prefix[] = "rounds="; | |
2036 | ||
2037 | /* Maximum salt string length. */ | |
2038 | #define SHA512_SALT_LEN_MAX 16 | |
2039 | /* Default number of rounds if not explicitly specified. */ | |
2040 | #define SHA512_ROUNDS_DEFAULT 5000 | |
2041 | /* Minimum number of rounds. */ | |
2042 | #define SHA512_ROUNDS_MIN 1000 | |
2043 | /* Maximum number of rounds. */ | |
2044 | #define SHA512_ROUNDS_MAX 999999999 | |
2045 | ||
2046 | static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen) | |
2047 | { | |
2048 | unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t)))); | |
2049 | unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t)))); | |
2050 | struct sha512_ctx ctx; | |
2051 | struct sha512_ctx alt_ctx; | |
2052 | size_t salt_len; | |
2053 | size_t key_len; | |
2054 | size_t cnt; | |
2055 | char *cp; | |
2056 | char *copied_key = NULL; | |
2057 | char *copied_salt = NULL; | |
2058 | char *p_bytes; | |
2059 | char *s_bytes; | |
2060 | /* Default number of rounds. */ | |
2061 | size_t rounds = SHA512_ROUNDS_DEFAULT; | |
2062 | int rounds_custom = 0; | |
2063 | ||
2064 | /* Find beginning of salt string. The prefix should normally always | |
2065 | be present. Just in case it is not. */ | |
2066 | if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) | |
2067 | /* Skip salt prefix. */ | |
2068 | salt += sizeof(sha512_salt_prefix) - 1; | |
2069 | ||
2070 | if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0) | |
2071 | { | |
2072 | const char *num = salt + sizeof(sha512_rounds_prefix) - 1; | |
2073 | char *endp; | |
2074 | unsigned long int srounds = strtoul(num, &endp, 10); | |
2075 | if (*endp == '$') | |
2076 | { | |
2077 | salt = endp + 1; | |
2078 | rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX)); | |
2079 | rounds_custom = 1; | |
2080 | } | |
2081 | } | |
2082 | ||
2083 | salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX); | |
2084 | key_len = strlen(key); | |
2085 | ||
2086 | if ((key - (char *)0) % __alignof__(uint64_t) != 0) | |
2087 | { | |
2088 | char *tmp = (char *)alloca(key_len + __alignof__(uint64_t)); | |
2089 | key = copied_key = | |
2090 | memcpy(tmp + __alignof__(uint64_t) | |
2091 | - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len); | |
2092 | } | |
2093 | ||
2094 | if ((salt - (char *)0) % __alignof__(uint64_t) != 0) | |
2095 | { | |
2096 | char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t)); | |
2097 | salt = copied_salt = | |
2098 | memcpy(tmp + __alignof__(uint64_t) | |
2099 | - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len); | |
2100 | } | |
2101 | ||
2102 | /* Prepare for the real work. */ | |
2103 | rb_sha512_init_ctx(&ctx); | |
2104 | ||
2105 | /* Add the key string. */ | |
2106 | rb_sha512_process_bytes(key, key_len, &ctx); | |
2107 | ||
2108 | /* The last part is the salt string. This must be at most 16 | |
2109 | characters and it ends at the first `$' character (for | |
2110 | compatibility with existing implementations). */ | |
2111 | rb_sha512_process_bytes(salt, salt_len, &ctx); | |
2112 | ||
2113 | ||
2114 | /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The | |
2115 | final result will be added to the first context. */ | |
2116 | rb_sha512_init_ctx(&alt_ctx); | |
2117 | ||
2118 | /* Add key. */ | |
2119 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2120 | ||
2121 | /* Add salt. */ | |
2122 | rb_sha512_process_bytes(salt, salt_len, &alt_ctx); | |
2123 | ||
2124 | /* Add key again. */ | |
2125 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2126 | ||
2127 | /* Now get result of this (64 bytes) and add it to the other | |
2128 | context. */ | |
2129 | rb_sha512_finish_ctx(&alt_ctx, alt_result); | |
2130 | ||
2131 | /* Add for any character in the key one byte of the alternate sum. */ | |
2132 | for (cnt = key_len; cnt > 64; cnt -= 64) | |
2133 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2134 | rb_sha512_process_bytes(alt_result, cnt, &ctx); | |
2135 | ||
2136 | /* Take the binary representation of the length of the key and for every | |
2137 | 1 add the alternate sum, for every 0 the key. */ | |
2138 | for (cnt = key_len; cnt > 0; cnt >>= 1) | |
2139 | if ((cnt & 1) != 0) | |
2140 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2141 | else | |
2142 | rb_sha512_process_bytes(key, key_len, &ctx); | |
2143 | ||
2144 | /* Create intermediate result. */ | |
2145 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2146 | ||
2147 | /* Start computation of P byte sequence. */ | |
2148 | rb_sha512_init_ctx(&alt_ctx); | |
2149 | ||
2150 | /* For every character in the password add the entire password. */ | |
2151 | for (cnt = 0; cnt < key_len; ++cnt) | |
2152 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2153 | ||
2154 | /* Finish the digest. */ | |
2155 | rb_sha512_finish_ctx(&alt_ctx, temp_result); | |
2156 | ||
2157 | /* Create byte sequence P. */ | |
2158 | cp = p_bytes = alloca(key_len); | |
2159 | for (cnt = key_len; cnt >= 64; cnt -= 64) | |
2160 | { | |
2161 | memcpy(cp, temp_result, 64); | |
2162 | cp += 64; | |
2163 | } | |
2164 | memcpy(cp, temp_result, cnt); | |
2165 | ||
2166 | /* Start computation of S byte sequence. */ | |
2167 | rb_sha512_init_ctx(&alt_ctx); | |
2168 | ||
2169 | /* For every character in the password add the entire password. */ | |
86044bd2 | 2170 | for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt) |
12e39525 JH |
2171 | rb_sha512_process_bytes(salt, salt_len, &alt_ctx); |
2172 | ||
2173 | /* Finish the digest. */ | |
2174 | rb_sha512_finish_ctx(&alt_ctx, temp_result); | |
2175 | ||
2176 | /* Create byte sequence S. */ | |
2177 | cp = s_bytes = alloca(salt_len); | |
2178 | for (cnt = salt_len; cnt >= 64; cnt -= 64) | |
2179 | { | |
2180 | memcpy(cp, temp_result, 64); | |
2181 | cp += 64; | |
2182 | } | |
2183 | memcpy(cp, temp_result, cnt); | |
2184 | ||
2185 | /* Repeatedly run the collected hash value through SHA512 to burn | |
2186 | CPU cycles. */ | |
2187 | for (cnt = 0; cnt < rounds; ++cnt) | |
2188 | { | |
2189 | /* New context. */ | |
2190 | rb_sha512_init_ctx(&ctx); | |
2191 | ||
2192 | /* Add key or last result. */ | |
2193 | if ((cnt & 1) != 0) | |
2194 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2195 | else | |
2196 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2197 | ||
2198 | /* Add salt for numbers not divisible by 3. */ | |
2199 | if (cnt % 3 != 0) | |
2200 | rb_sha512_process_bytes(s_bytes, salt_len, &ctx); | |
2201 | ||
2202 | /* Add key for numbers not divisible by 7. */ | |
2203 | if (cnt % 7 != 0) | |
2204 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2205 | ||
2206 | /* Add key or last result. */ | |
2207 | if ((cnt & 1) != 0) | |
2208 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2209 | else | |
2210 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2211 | ||
2212 | /* Create intermediate result. */ | |
2213 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2214 | } | |
2215 | ||
2216 | /* Now we can construct the result string. It consists of three | |
2217 | parts. */ | |
2218 | memset(buffer, '\0', MAX(0, buflen)); | |
2219 | strncpy(buffer, sha512_salt_prefix, MAX(0, buflen)); | |
2220 | if((cp = strchr(buffer, '\0')) == NULL) | |
2221 | cp = buffer + MAX(0, buflen); | |
2222 | buflen -= sizeof(sha512_salt_prefix) - 1; | |
2223 | ||
2224 | if (rounds_custom) | |
2225 | { | |
2226 | int n = snprintf(cp, MAX(0, buflen), "%s%zu$", | |
2227 | sha512_rounds_prefix, rounds); | |
2228 | cp += n; | |
2229 | buflen -= n; | |
2230 | } | |
2231 | ||
2232 | memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len)); | |
2233 | strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); | |
2234 | if((cp = strchr(buffer, '\0')) == NULL) | |
2235 | cp = buffer + salt_len; | |
2236 | buflen -= MIN((size_t) MAX(0, buflen), salt_len); | |
2237 | ||
2238 | if (buflen > 0) | |
2239 | { | |
2240 | *cp++ = '$'; | |
2241 | --buflen; | |
2242 | } | |
2243 | ||
2244 | b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4); | |
2245 | b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4); | |
2246 | b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4); | |
2247 | b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4); | |
2248 | b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4); | |
2249 | b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4); | |
2250 | b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4); | |
2251 | b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4); | |
2252 | b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4); | |
2253 | b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4); | |
2254 | b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4); | |
2255 | b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4); | |
2256 | b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4); | |
2257 | b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4); | |
2258 | b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4); | |
2259 | b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4); | |
2260 | b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4); | |
2261 | b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4); | |
2262 | b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4); | |
2263 | b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4); | |
2264 | b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4); | |
2265 | b64_from_24bit(0, 0, alt_result[63], 2); | |
2266 | ||
2267 | if (buflen <= 0) | |
2268 | { | |
2269 | errno = ERANGE; | |
2270 | buffer = NULL; | |
2271 | } | |
2272 | else | |
2273 | *cp = '\0'; /* Terminate the string. */ | |
2274 | ||
2275 | /* Clear the buffer for the intermediate result so that people | |
2276 | attaching to processes or reading core dumps cannot get any | |
2277 | information. We do it in this way to clear correct_words[] | |
2278 | inside the SHA512 implementation as well. */ | |
2279 | rb_sha512_init_ctx(&ctx); | |
2280 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2281 | memset(temp_result, '\0', sizeof(temp_result)); | |
2282 | memset(p_bytes, '\0', key_len); | |
2283 | memset(s_bytes, '\0', salt_len); | |
2284 | memset(&ctx, '\0', sizeof(ctx)); | |
2285 | memset(&alt_ctx, '\0', sizeof(alt_ctx)); | |
2286 | if (copied_key != NULL) | |
2287 | memset(copied_key, '\0', key_len); | |
2288 | if (copied_salt != NULL) | |
2289 | memset(copied_salt, '\0', salt_len); | |
2290 | ||
2291 | return buffer; | |
2292 | } | |
2293 | ||
2294 | ||
2295 | /* This entry point is equivalent to the `crypt' function in Unix | |
2296 | libcs. */ | |
2297 | static char *rb_sha512_crypt(const char *key, const char *salt) | |
2298 | { | |
2299 | /* We don't want to have an arbitrary limit in the size of the | |
2300 | password. We can compute an upper bound for the size of the | |
2301 | result in advance and so we can prepare the buffer we pass to | |
2302 | `rb_sha512_crypt_r'. */ | |
2303 | static char *buffer; | |
2304 | static int buflen; | |
2305 | int needed = (sizeof(sha512_salt_prefix) - 1 | |
2306 | + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1); | |
2307 | ||
2308 | if (buflen < needed) | |
2309 | { | |
2310 | char *new_buffer = (char *)realloc(buffer, needed); | |
2311 | if (new_buffer == NULL) | |
2312 | return NULL; | |
2313 | ||
2314 | buffer = new_buffer; | |
2315 | buflen = needed; | |
2316 | } | |
b57f37fb | 2317 | |
12e39525 | 2318 | return rb_sha512_crypt_r(key, salt, buffer, buflen); |
b57f37fb WP |
2319 | } |
2320 | ||
44e6a470 EJM |
2321 | |
2322 | /* And now blowfish */ | |
2323 | /* | |
2324 | * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> | |
2325 | * All rights reserved. | |
2326 | * | |
2327 | * Redistribution and use in source and binary forms, with or without | |
2328 | * modification, are permitted provided that the following conditions | |
2329 | * are met: | |
2330 | * 1. Redistributions of source code must retain the above copyright | |
2331 | * notice, this list of conditions and the following disclaimer. | |
2332 | * 2. Redistributions in binary form must reproduce the above copyright | |
2333 | * notice, this list of conditions and the following disclaimer in the | |
2334 | * documentation and/or other materials provided with the distribution. | |
2335 | * 3. All advertising materials mentioning features or use of this software | |
2336 | * must display the following acknowledgement: | |
2337 | * This product includes software developed by Niels Provos. | |
2338 | * 4. The name of the author may not be used to endorse or promote products | |
2339 | * derived from this software without specific prior written permission. | |
2340 | * | |
2341 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
2342 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
2343 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
2344 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
2345 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
2346 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
2347 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
2348 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
2349 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
2350 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
2351 | */ | |
2352 | ||
2353 | /* Schneier states the maximum key length to be 56 bytes. | |
2354 | * The way how the subkeys are initalized by the key up | |
2355 | * to (N+2)*4 i.e. 72 bytes are utilized. | |
2356 | * Warning: For normal blowfish encryption only 56 bytes | |
2357 | * of the key affect all cipherbits. | |
2358 | */ | |
2359 | ||
2360 | #define BLF_N 16 /* Number of Subkeys */ | |
2361 | ||
2362 | /* Blowfish context */ | |
2363 | typedef struct BlowfishContext { | |
2364 | uint32_t S[4][256]; /* S-Boxes */ | |
2365 | uint32_t P[BLF_N + 2]; /* Subkeys */ | |
2366 | } blf_ctx; | |
2367 | ||
2368 | /* Raw access to customized Blowfish | |
2369 | * blf_key is just: | |
2370 | * Blowfish_initstate( state ) | |
2371 | * Blowfish_expand0state( state, key, keylen ) | |
2372 | */ | |
2373 | ||
2374 | void Blowfish_initstate(blf_ctx *); | |
2375 | void Blowfish_expand0state(blf_ctx *, const uint8_t *, uint16_t); | |
2376 | void Blowfish_expandstate | |
2377 | (blf_ctx *, const uint8_t *, uint16_t, const uint8_t *, uint16_t); | |
2378 | uint32_t Blowfish_stream2word(const uint8_t *, uint16_t, uint16_t *); | |
2379 | ||
2380 | void blf_enc(blf_ctx *, uint32_t *, uint16_t); | |
2381 | ||
2382 | /* | |
2383 | * This code is derived from section 14.3 and the given source | |
2384 | * in section V of Applied Cryptography, second edition. | |
2385 | * Blowfish is an unpatented fast block cipher designed by | |
2386 | * Bruce Schneier. | |
2387 | */ | |
2388 | ||
2389 | /* | |
2390 | * FreeBSD implementation by Paul Herman <pherman@frenchfries.net> | |
2391 | */ | |
2392 | ||
2393 | /* Function for Feistel Networks */ | |
2394 | ||
2395 | #define _F(s, x) ((((s)[ (((x)>>24)&0xFF)] \ | |
2396 | + (s)[0x100 + (((x)>>16)&0xFF)]) \ | |
2397 | ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \ | |
2398 | + (s)[0x300 + ( (x) &0xFF)]) | |
2399 | ||
2400 | #define BLFRND(s, p, i, j, n) (i ^= _F(s, j) ^ (p)[n]) | |
2401 | ||
2402 | static void | |
2403 | Blowfish_encipher(blf_ctx *c, uint32_t *xl, uint32_t *xr) | |
2404 | { | |
2405 | uint32_t Xl; | |
2406 | uint32_t Xr; | |
2407 | uint32_t *s = c->S[0]; | |
2408 | uint32_t *p = c->P; | |
2409 | ||
2410 | Xl = *xl; | |
2411 | Xr = *xr; | |
2412 | ||
2413 | Xl ^= p[0]; | |
2414 | BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2); | |
2415 | BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4); | |
2416 | BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6); | |
2417 | BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8); | |
2418 | BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10); | |
2419 | BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12); | |
2420 | BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14); | |
2421 | BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16); | |
2422 | ||
2423 | *xl = Xr ^ p[17]; | |
2424 | *xr = Xl; | |
2425 | } | |
2426 | ||
2427 | void | |
2428 | Blowfish_initstate(blf_ctx *c) | |
2429 | { | |
2430 | ||
2431 | /* P-box and S-box tables initialized with digits of Pi */ | |
2432 | ||
2433 | const blf_ctx bf_initstate = | |
2434 | ||
2435 | { { | |
2436 | { | |
2437 | 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, | |
2438 | 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, | |
2439 | 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, | |
2440 | 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, | |
2441 | 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, | |
2442 | 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, | |
2443 | 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, | |
2444 | 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, | |
2445 | 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, | |
2446 | 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, | |
2447 | 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, | |
2448 | 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, | |
2449 | 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, | |
2450 | 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, | |
2451 | 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, | |
2452 | 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, | |
2453 | 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, | |
2454 | 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, | |
2455 | 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, | |
2456 | 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, | |
2457 | 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, | |
2458 | 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, | |
2459 | 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, | |
2460 | 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, | |
2461 | 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, | |
2462 | 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, | |
2463 | 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, | |
2464 | 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, | |
2465 | 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, | |
2466 | 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, | |
2467 | 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, | |
2468 | 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, | |
2469 | 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, | |
2470 | 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, | |
2471 | 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, | |
2472 | 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, | |
2473 | 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, | |
2474 | 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, | |
2475 | 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, | |
2476 | 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, | |
2477 | 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, | |
2478 | 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, | |
2479 | 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, | |
2480 | 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, | |
2481 | 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, | |
2482 | 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, | |
2483 | 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, | |
2484 | 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, | |
2485 | 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, | |
2486 | 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, | |
2487 | 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, | |
2488 | 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, | |
2489 | 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, | |
2490 | 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, | |
2491 | 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, | |
2492 | 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, | |
2493 | 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, | |
2494 | 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, | |
2495 | 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, | |
2496 | 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, | |
2497 | 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, | |
2498 | 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, | |
2499 | 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, | |
2500 | 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a}, | |
2501 | { | |
2502 | 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, | |
2503 | 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, | |
2504 | 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, | |
2505 | 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, | |
2506 | 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, | |
2507 | 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, | |
2508 | 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, | |
2509 | 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, | |
2510 | 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, | |
2511 | 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, | |
2512 | 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, | |
2513 | 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, | |
2514 | 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, | |
2515 | 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, | |
2516 | 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, | |
2517 | 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, | |
2518 | 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, | |
2519 | 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, | |
2520 | 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, | |
2521 | 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, | |
2522 | 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, | |
2523 | 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, | |
2524 | 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, | |
2525 | 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, | |
2526 | 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, | |
2527 | 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, | |
2528 | 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, | |
2529 | 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, | |
2530 | 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, | |
2531 | 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, | |
2532 | 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, | |
2533 | 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, | |
2534 | 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, | |
2535 | 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, | |
2536 | 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, | |
2537 | 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, | |
2538 | 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, | |
2539 | 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, | |
2540 | 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, | |
2541 | 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, | |
2542 | 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, | |
2543 | 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, | |
2544 | 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, | |
2545 | 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, | |
2546 | 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, | |
2547 | 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, | |
2548 | 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, | |
2549 | 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, | |
2550 | 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, | |
2551 | 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, | |
2552 | 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, | |
2553 | 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, | |
2554 | 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, | |
2555 | 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, | |
2556 | 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, | |
2557 | 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, | |
2558 | 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, | |
2559 | 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, | |
2560 | 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, | |
2561 | 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, | |
2562 | 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, | |
2563 | 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, | |
2564 | 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, | |
2565 | 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7}, | |
2566 | { | |
2567 | 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, | |
2568 | 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, | |
2569 | 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, | |
2570 | 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, | |
2571 | 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, | |
2572 | 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, | |
2573 | 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, | |
2574 | 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, | |
2575 | 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, | |
2576 | 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, | |
2577 | 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, | |
2578 | 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, | |
2579 | 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, | |
2580 | 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, | |
2581 | 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, | |
2582 | 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, | |
2583 | 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, | |
2584 | 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, | |
2585 | 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, | |
2586 | 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, | |
2587 | 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, | |
2588 | 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, | |
2589 | 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, | |
2590 | 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, | |
2591 | 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, | |
2592 | 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, | |
2593 | 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, | |
2594 | 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, | |
2595 | 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, | |
2596 | 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, | |
2597 | 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, | |
2598 | 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, | |
2599 | 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, | |
2600 | 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, | |
2601 | 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, | |
2602 | 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, | |
2603 | 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, | |
2604 | 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, | |
2605 | 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, | |
2606 | 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, | |
2607 | 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, | |
2608 | 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, | |
2609 | 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, | |
2610 | 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, | |
2611 | 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, | |
2612 | 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, | |
2613 | 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, | |
2614 | 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, | |
2615 | 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, | |
2616 | 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, | |
2617 | 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, | |
2618 | 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, | |
2619 | 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, | |
2620 | 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, | |
2621 | 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, | |
2622 | 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, | |
2623 | 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, | |
2624 | 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, | |
2625 | 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, | |
2626 | 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, | |
2627 | 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, | |
2628 | 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, | |
2629 | 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, | |
2630 | 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0}, | |
2631 | { | |
2632 | 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, | |
2633 | 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, | |
2634 | 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, | |
2635 | 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, | |
2636 | 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, | |
2637 | 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, | |
2638 | 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, | |
2639 | 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, | |
2640 | 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, | |
2641 | 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, | |
2642 | 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, | |
2643 | 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, | |
2644 | 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, | |
2645 | 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, | |
2646 | 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, | |
2647 | 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, | |
2648 | 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, | |
2649 | 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, | |
2650 | 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, | |
2651 | 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, | |
2652 | 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, | |
2653 | 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, | |
2654 | 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, | |
2655 | 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, | |
2656 | 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, | |
2657 | 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, | |
2658 | 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, | |
2659 | 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, | |
2660 | 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, | |
2661 | 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, | |
2662 | 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, | |
2663 | 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, | |
2664 | 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, | |
2665 | 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, | |
2666 | 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, | |
2667 | 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, | |
2668 | 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, | |
2669 | 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, | |
2670 | 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, | |
2671 | 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, | |
2672 | 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, | |
2673 | 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, | |
2674 | 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, | |
2675 | 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, | |
2676 | 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, | |
2677 | 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, | |
2678 | 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, | |
2679 | 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, | |
2680 | 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, | |
2681 | 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, | |
2682 | 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, | |
2683 | 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, | |
2684 | 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, | |
2685 | 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, | |
2686 | 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, | |
2687 | 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, | |
2688 | 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, | |
2689 | 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, | |
2690 | 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, | |
2691 | 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, | |
2692 | 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, | |
2693 | 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, | |
2694 | 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, | |
2695 | 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6} | |
2696 | }, | |
2697 | { | |
2698 | 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, | |
2699 | 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, | |
2700 | 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, | |
2701 | 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, | |
2702 | 0x9216d5d9, 0x8979fb1b | |
2703 | } }; | |
2704 | ||
2705 | *c = bf_initstate; | |
2706 | ||
2707 | } | |
2708 | ||
2709 | uint32_t | |
2710 | Blowfish_stream2word(const uint8_t *data, uint16_t databytes, | |
2711 | uint16_t *current) | |
2712 | { | |
2713 | uint8_t i; | |
2714 | uint16_t j; | |
2715 | uint32_t temp; | |
2716 | ||
2717 | temp = 0x00000000; | |
2718 | j = *current; | |
2719 | ||
2720 | for (i = 0; i < 4; i++, j++) { | |
2721 | if (j >= databytes) | |
2722 | j = 0; | |
2723 | temp = (temp << 8) | data[j]; | |
2724 | } | |
2725 | ||
2726 | *current = j; | |
2727 | return temp; | |
2728 | } | |
2729 | ||
2730 | void | |
2731 | Blowfish_expand0state(blf_ctx *c, const uint8_t *key, uint16_t keybytes) | |
2732 | { | |
2733 | uint16_t i; | |
2734 | uint16_t j; | |
2735 | uint16_t k; | |
2736 | uint32_t temp; | |
2737 | uint32_t datal; | |
2738 | uint32_t datar; | |
2739 | ||
2740 | j = 0; | |
2741 | for (i = 0; i < BLF_N + 2; i++) { | |
2742 | /* Extract 4 int8 to 1 int32 from keystream */ | |
2743 | temp = Blowfish_stream2word(key, keybytes, &j); | |
2744 | c->P[i] = c->P[i] ^ temp; | |
2745 | } | |
2746 | ||
2747 | j = 0; | |
2748 | datal = 0x00000000; | |
2749 | datar = 0x00000000; | |
2750 | for (i = 0; i < BLF_N + 2; i += 2) { | |
2751 | Blowfish_encipher(c, &datal, &datar); | |
2752 | ||
2753 | c->P[i] = datal; | |
2754 | c->P[i + 1] = datar; | |
2755 | } | |
2756 | ||
2757 | for (i = 0; i < 4; i++) { | |
2758 | for (k = 0; k < 256; k += 2) { | |
2759 | Blowfish_encipher(c, &datal, &datar); | |
2760 | ||
2761 | c->S[i][k] = datal; | |
2762 | c->S[i][k + 1] = datar; | |
2763 | } | |
2764 | } | |
2765 | } | |
2766 | ||
2767 | void | |
2768 | Blowfish_expandstate(blf_ctx *c, const uint8_t *data, uint16_t databytes, | |
2769 | const uint8_t *key, uint16_t keybytes) | |
2770 | { | |
2771 | uint16_t i; | |
2772 | uint16_t j; | |
2773 | uint16_t k; | |
2774 | uint32_t temp; | |
2775 | uint32_t datal; | |
2776 | uint32_t datar; | |
2777 | ||
2778 | j = 0; | |
2779 | for (i = 0; i < BLF_N + 2; i++) { | |
2780 | /* Extract 4 int8 to 1 int32 from keystream */ | |
2781 | temp = Blowfish_stream2word(key, keybytes, &j); | |
2782 | c->P[i] = c->P[i] ^ temp; | |
2783 | } | |
2784 | ||
2785 | j = 0; | |
2786 | datal = 0x00000000; | |
2787 | datar = 0x00000000; | |
2788 | for (i = 0; i < BLF_N + 2; i += 2) { | |
2789 | datal ^= Blowfish_stream2word(data, databytes, &j); | |
2790 | datar ^= Blowfish_stream2word(data, databytes, &j); | |
2791 | Blowfish_encipher(c, &datal, &datar); | |
2792 | ||
2793 | c->P[i] = datal; | |
2794 | c->P[i + 1] = datar; | |
2795 | } | |
2796 | ||
2797 | for (i = 0; i < 4; i++) { | |
2798 | for (k = 0; k < 256; k += 2) { | |
2799 | datal ^= Blowfish_stream2word(data, databytes, &j); | |
2800 | datar ^= Blowfish_stream2word(data, databytes, &j); | |
2801 | Blowfish_encipher(c, &datal, &datar); | |
2802 | ||
2803 | c->S[i][k] = datal; | |
2804 | c->S[i][k + 1] = datar; | |
2805 | } | |
2806 | } | |
2807 | ||
2808 | } | |
2809 | ||
2810 | void | |
2811 | blf_enc(blf_ctx *c, uint32_t *data, uint16_t blocks) | |
2812 | { | |
2813 | uint32_t *d; | |
2814 | uint16_t i; | |
2815 | ||
2816 | d = data; | |
2817 | for (i = 0; i < blocks; i++) { | |
2818 | Blowfish_encipher(c, d, d + 1); | |
2819 | d += 2; | |
2820 | } | |
2821 | } | |
2822 | ||
2823 | /* This password hashing algorithm was designed by David Mazieres | |
2824 | * <dm@lcs.mit.edu> and works as follows: | |
2825 | * | |
2826 | * 1. state := InitState () | |
2827 | * 2. state := ExpandKey (state, salt, password) 3. | |
2828 | * REPEAT rounds: | |
2829 | * state := ExpandKey (state, 0, salt) | |
2830 | * state := ExpandKey(state, 0, password) | |
2831 | * 4. ctext := "OrpheanBeholderScryDoubt" | |
2832 | * 5. REPEAT 64: | |
2833 | * ctext := Encrypt_ECB (state, ctext); | |
2834 | * 6. RETURN Concatenate (salt, ctext); | |
2835 | * | |
2836 | */ | |
2837 | ||
2838 | /* | |
2839 | * FreeBSD implementation by Paul Herman | |
2840 | */ | |
2841 | /* This implementation is adaptable to current computing power. | |
2842 | * You can have up to 2^31 rounds which should be enough for some | |
2843 | * time to come. | |
2844 | */ | |
2845 | ||
2846 | #define BCRYPT_VERSION '2' | |
2847 | #define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */ | |
2848 | #define BCRYPT_BLOCKS 6 /* Ciphertext blocks */ | |
2849 | #define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */ | |
2850 | ||
2851 | static void encode_base64(uint8_t *, uint8_t *, uint16_t); | |
2852 | static void decode_base64(uint8_t *, uint16_t, const uint8_t *); | |
2853 | ||
2854 | static char encrypted[512]; /* Shouldn't grow more than this */ | |
2855 | static char error[] = ":"; | |
2856 | ||
2857 | static const uint8_t Base64Code[] = | |
2858 | "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; | |
2859 | ||
2860 | static const uint8_t index_64[128] = | |
2861 | { | |
2862 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, | |
2863 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, | |
2864 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, | |
2865 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, | |
2866 | 255, 255, 255, 255, 255, 255, 0, 1, 54, 55, | |
2867 | 56, 57, 58, 59, 60, 61, 62, 63, 255, 255, | |
2868 | 255, 255, 255, 255, 255, 2, 3, 4, 5, 6, | |
2869 | 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, | |
2870 | 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, | |
2871 | 255, 255, 255, 255, 255, 255, 28, 29, 30, | |
2872 | 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, | |
2873 | 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, | |
2874 | 51, 52, 53, 255, 255, 255, 255, 255 | |
2875 | }; | |
2876 | #define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)]) | |
2877 | ||
2878 | static void | |
2879 | decode_base64(uint8_t *buffer, uint16_t len, const uint8_t *data) | |
2880 | { | |
2881 | uint8_t *bp = buffer; | |
2882 | const uint8_t *p = data; | |
2883 | uint8_t c1, c2, c3, c4; | |
2884 | while (bp < buffer + len) { | |
2885 | c1 = CHAR64(*p); | |
2886 | c2 = CHAR64(*(p + 1)); | |
2887 | ||
2888 | /* Invalid data */ | |
2889 | if (c1 == 255 || c2 == 255) | |
2890 | break; | |
2891 | ||
2892 | *bp++ = (uint8_t)((c1 << 2) | ((c2 & 0x30) >> 4)); | |
2893 | if (bp >= buffer + len) | |
2894 | break; | |
2895 | ||
2896 | c3 = CHAR64(*(p + 2)); | |
2897 | if (c3 == 255) | |
2898 | break; | |
2899 | ||
2900 | *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2); | |
2901 | if (bp >= buffer + len) | |
2902 | break; | |
2903 | ||
2904 | c4 = CHAR64(*(p + 3)); | |
2905 | if (c4 == 255) | |
2906 | break; | |
2907 | *bp++ = ((c3 & 0x03) << 6) | c4; | |
2908 | ||
2909 | p += 4; | |
2910 | } | |
2911 | } | |
2912 | ||
2913 | /* We handle $Vers$log2(NumRounds)$salt+passwd$ | |
2914 | i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */ | |
2915 | ||
2916 | char * | |
2917 | rb_blowfish_crypt(const char *key, const char *salt) | |
2918 | { | |
2919 | blf_ctx state; | |
2920 | uint32_t rounds, i, k; | |
2921 | uint16_t j; | |
2922 | uint8_t key_len, salt_len, logr, minr; | |
2923 | uint8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt"; | |
2924 | uint8_t csalt[BCRYPT_MAXSALT]; | |
2925 | uint32_t cdata[BCRYPT_BLOCKS]; | |
2926 | static const char *magic = "$2a$04$"; | |
2927 | ||
2928 | /* Defaults */ | |
2929 | minr = 'a'; | |
2930 | logr = 4; | |
2931 | rounds = 1 << logr; | |
2932 | ||
2933 | /* If it starts with the magic string, then skip that */ | |
2934 | if(!strncmp(salt, magic, strlen(magic))) { | |
2935 | salt += strlen(magic); | |
2936 | } | |
2937 | else if (*salt == '$') { | |
2938 | ||
2939 | /* Discard "$" identifier */ | |
2940 | salt++; | |
2941 | ||
2942 | if (*salt > BCRYPT_VERSION) { | |
2943 | /* How do I handle errors ? Return ':' */ | |
2944 | return error; | |
2945 | } | |
2946 | ||
2947 | /* Check for minor versions */ | |
2948 | if (salt[1] != '$') { | |
2949 | switch (salt[1]) { | |
2950 | case 'a': | |
2951 | /* 'ab' should not yield the same as 'abab' */ | |
2952 | minr = (uint8_t)salt[1]; | |
2953 | salt++; | |
2954 | break; | |
2955 | default: | |
2956 | return error; | |
2957 | } | |
2958 | } else | |
2959 | minr = 0; | |
2960 | ||
2961 | /* Discard version + "$" identifier */ | |
2962 | salt += 2; | |
2963 | ||
2964 | if (salt[2] != '$') | |
2965 | /* Out of sync with passwd entry */ | |
2966 | return error; | |
2967 | ||
2968 | /* Computer power doesnt increase linear, 2^x should be fine */ | |
2969 | logr = (uint8_t)atoi(salt); | |
2970 | rounds = 1 << logr; | |
2971 | if (rounds < BCRYPT_MINROUNDS) | |
2972 | return error; | |
2973 | ||
2974 | /* Discard num rounds + "$" identifier */ | |
2975 | salt += 3; | |
2976 | } | |
2977 | ||
2978 | ||
2979 | /* We dont want the base64 salt but the raw data */ | |
2980 | decode_base64(csalt, BCRYPT_MAXSALT, (const uint8_t *)salt); | |
2981 | salt_len = BCRYPT_MAXSALT; | |
2982 | key_len = (uint8_t)(strlen(key) + (minr >= 'a' ? 1 : 0)); | |
2983 | ||
2984 | /* Setting up S-Boxes and Subkeys */ | |
2985 | Blowfish_initstate(&state); | |
2986 | Blowfish_expandstate(&state, csalt, salt_len, | |
2987 | (const uint8_t *) key, key_len); | |
2988 | for (k = 0; k < rounds; k++) { | |
2989 | Blowfish_expand0state(&state, (const uint8_t *) key, key_len); | |
2990 | Blowfish_expand0state(&state, csalt, salt_len); | |
2991 | } | |
2992 | ||
2993 | /* This can be precomputed later */ | |
2994 | j = 0; | |
2995 | for (i = 0; i < BCRYPT_BLOCKS; i++) | |
2996 | cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j); | |
2997 | ||
2998 | /* Now do the encryption */ | |
2999 | for (k = 0; k < 64; k++) | |
3000 | blf_enc(&state, cdata, BCRYPT_BLOCKS / 2); | |
3001 | ||
3002 | for (i = 0; i < BCRYPT_BLOCKS; i++) { | |
3003 | ciphertext[4 * i + 3] = cdata[i] & 0xff; | |
3004 | cdata[i] = cdata[i] >> 8; | |
3005 | ciphertext[4 * i + 2] = cdata[i] & 0xff; | |
3006 | cdata[i] = cdata[i] >> 8; | |
3007 | ciphertext[4 * i + 1] = cdata[i] & 0xff; | |
3008 | cdata[i] = cdata[i] >> 8; | |
3009 | ciphertext[4 * i + 0] = cdata[i] & 0xff; | |
3010 | } | |
3011 | ||
3012 | ||
3013 | i = 0; | |
3014 | encrypted[i++] = '$'; | |
3015 | encrypted[i++] = BCRYPT_VERSION; | |
3016 | if (minr) | |
3017 | encrypted[i++] = (int8_t)minr; | |
3018 | encrypted[i++] = '$'; | |
3019 | ||
3020 | snprintf(encrypted + i, 4, "%2.2u$", logr); | |
3021 | ||
3022 | encode_base64((uint8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT); | |
3023 | encode_base64((uint8_t *) encrypted + strlen(encrypted), ciphertext, | |
3024 | 4 * BCRYPT_BLOCKS - 1); | |
3025 | return encrypted; | |
3026 | } | |
3027 | ||
3028 | static void | |
3029 | encode_base64(uint8_t *buffer, uint8_t *data, uint16_t len) | |
3030 | { | |
3031 | uint8_t *bp = buffer; | |
3032 | uint8_t *p = data; | |
3033 | uint8_t c1, c2; | |
3034 | while (p < data + len) { | |
3035 | c1 = *p++; | |
3036 | *bp++ = Base64Code[(c1 >> 2)]; | |
3037 | c1 = (c1 & 0x03) << 4; | |
3038 | if (p >= data + len) { | |
3039 | *bp++ = Base64Code[c1]; | |
3040 | break; | |
3041 | } | |
3042 | c2 = *p++; | |
3043 | c1 |= (c2 >> 4) & 0x0f; | |
3044 | *bp++ = Base64Code[c1]; | |
3045 | c1 = (c2 & 0x0f) << 2; | |
3046 | if (p >= data + len) { | |
3047 | *bp++ = Base64Code[c1]; | |
3048 | break; | |
3049 | } | |
3050 | c2 = *p++; | |
3051 | c1 |= (c2 >> 6) & 0x03; | |
3052 | *bp++ = Base64Code[c1]; | |
3053 | *bp++ = Base64Code[c2 & 0x3f]; | |
3054 | } | |
3055 | *bp = '\0'; | |
3056 | } |