]> jfr.im git - irc/rqf/shadowircd.git/blame - libratbox/src/crypt.c
projects / irc / rqf / shadowircd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add blowfish to libratbox crypt.
[irc/rqf/shadowircd.git] / libratbox / src / crypt.c
CommitLineData
b57f37fb
WP		 1/*
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
12e39525
JH		 3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
b57f37fb
WP		 6 */
7
8/*
9 * crypt() for uClibc
10 *
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
23 * for more details.
24 *
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 */
29
30#include <libratbox_config.h>
31#include <ratbox_lib.h>
32
12e39525
JH		 33static char *rb_md5_crypt(const char *pw, const char *salt);
34static char *rb_des_crypt(const char *pw, const char *salt);
35static char *rb_sha256_crypt(const char *key, const char *salt);
36static char *rb_sha512_crypt(const char *key, const char *salt);
44e6a470 37static char *rb_blowfish_crypt(const char *key, const char *salt);
b57f37fb 38
94b4fbf9 39char *
b57f37fb
WP		 40rb_crypt(const char *key, const char *salt)
41{
12e39525
JH		 42 /* First, check if we are supposed to be using a replacement
43 * hash instead of DES... */
44e6a470 44 if(salt[0] == '$' && (salt[2] == '$' || salt[3] == '$'))
12e39525
JH		 45 {
46 switch(salt[1])
47 {
48 case '1':
49 return rb_md5_crypt(key, salt);
50 break;
44e6a470
EJM		 51 case '2':
52 /* Handles both 2 and 2a --Elizabeth */
53 return rb_blowfish_crypt(key, salt);
54 break;
12e39525
JH		 55 case '5':
56 return rb_sha256_crypt(key, salt);
57 break;
58 case '6':
59 return rb_sha512_crypt(key, salt);
60 break;
61 default:
62 return NULL;
63 break;
64 };
65 }
b57f37fb 66 else
12e39525 67 return rb_des_crypt(key, salt);
b57f37fb
WP		 68}
69
12e39525
JH		 70#define b64_from_24bit(B2, B1, B0, N) \
71 do \
72 { \
73 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
74 int n = (N); \
75 while (n-- > 0 && buflen > 0) \
76 { \
77 *cp++ = ascii64[w & 0x3f]; \
78 --buflen; \
79 w >>= 6; \
80 } \
81 } while (0)
82
83#ifndef MAX
84# define MAX(a,b) (((a) > (b)) ? (a) : (b))
85#endif
86#ifndef MIN
87# define MIN(a,b) (((a) < (b)) ? (a) : (b))
88#endif
89
b57f37fb
WP		 90/* Here is the des crypt() stuff */
91
92/*
93 * FreeSec: libcrypt for NetBSD
94 *
95 * Copyright (c) 1994 David Burren
96 * All rights reserved.
97 *
98 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
99 * this file should now *only* export crypt(), in order to make
100 * binaries of libcrypt exportable from the USA
101 *
102 * Adapted for FreeBSD-4.0 by Mark R V Murray
103 * this file should now *only* export crypt_des(), in order to make
104 * a module that can be optionally included in libcrypt.
105 *
106 * Redistribution and use in source and binary forms, with or without
107 * modification, are permitted provided that the following conditions
108 * are met:
109 * 1. Redistributions of source code must retain the above copyright
110 * notice, this list of conditions and the following disclaimer.
111 * 2. Redistributions in binary form must reproduce the above copyright
112 * notice, this list of conditions and the following disclaimer in the
113 * documentation and/or other materials provided with the distribution.
114 * 3. Neither the name of the author nor the names of other contributors
115 * may be used to endorse or promote products derived from this software
116 * without specific prior written permission.
117 *
118 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
119 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
120 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
121 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
122 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
123 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
124 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
125 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
126 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
127 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
128 * SUCH DAMAGE.
129 *
130 * This is an original implementation of the DES and the crypt(3) interfaces
131 * by David Burren <davidb@werj.com.au>.
132 *
133 * An excellent reference on the underlying algorithm (and related
134 * algorithms) is:
135 *
136 * B. Schneier, Applied Cryptography: protocols, algorithms,
137 * and source code in C, John Wiley & Sons, 1994.
138 *
139 * Note that in that book's description of DES the lookups for the initial,
140 * pbox, and final permutations are inverted (this has been brought to the
141 * attention of the author). A list of errata for this book has been
142 * posted to the sci.crypt newsgroup by the author and is available for FTP.
143 *
144 * ARCHITECTURE ASSUMPTIONS:
145 * It is assumed that the 8-byte arrays passed by reference can be
4414eb3c 146 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
b57f37fb
WP		 147 * alignment).
148 */
149
150
151/* Re-entrantify me -- all this junk needs to be in
152 * struct crypt_data to make this really reentrant... */
94b4fbf9
VY		 153static uint8_t inv_key_perm[64];
154static uint8_t inv_comp_perm[56];
155static uint8_t u_sbox[8][64];
156static uint8_t un_pbox[32];
4414eb3c
VY		 157static uint32_t en_keysl[16], en_keysr[16];
158static uint32_t de_keysl[16], de_keysr[16];
159static uint32_t ip_maskl[8][256], ip_maskr[8][256];
160static uint32_t fp_maskl[8][256], fp_maskr[8][256];
161static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
162static uint32_t comp_maskl[8][128], comp_maskr[8][128];
163static uint32_t saltbits;
164static uint32_t old_salt;
165static uint32_t old_rawkey0, old_rawkey1;
b57f37fb
WP		 166
167
168/* Static stuff that stays resident and doesn't change after
169 * being initialized, and therefore doesn't need to be made
170 * reentrant. */
94b4fbf9
VY		 171static uint8_t init_perm[64], final_perm[64];
172static uint8_t m_sbox[4][4096];
4414eb3c 173static uint32_t psbox[4][256];
b57f37fb 174
b57f37fb 175/* A pile of data */
94b4fbf9 176static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
b57f37fb 177
94b4fbf9
VY		 178static const uint8_t IP[64] = {
179 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
180 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
181 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
182 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
b57f37fb
WP		 183};
184
94b4fbf9
VY		 185static const uint8_t key_perm[56] = {
186 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
187 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
188 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
189 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
b57f37fb
WP		 190};
191
94b4fbf9 192static const uint8_t key_shifts[16] = {
b57f37fb
WP		 193 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
194};
195
94b4fbf9
VY		 196static const uint8_t comp_perm[48] = {
197 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
198 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
b57f37fb
WP		 199 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
200 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
201};
202
203/*
204 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
205 */
206
94b4fbf9 207static const uint8_t sbox[8][64] = {
b57f37fb 208 {
94b4fbf9
VY		 209 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
210 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
211 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
212 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
b57f37fb 213 {
94b4fbf9
VY		 214 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
215 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
216 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
217 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
b57f37fb 218 {
94b4fbf9
VY		 219 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
220 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
221 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
222 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
b57f37fb 223 {
94b4fbf9
VY		 224 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
225 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
226 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
227 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
b57f37fb 228 {
94b4fbf9
VY		 229 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
230 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
231 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
232 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
b57f37fb 233 {
94b4fbf9
VY		 234 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
235 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
236 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
237 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
b57f37fb 238 {
94b4fbf9
VY		 239 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
240 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
241 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
242 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
b57f37fb 243 {
94b4fbf9
VY		 244 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
245 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
246 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
247 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
b57f37fb
WP		 248};
249
94b4fbf9
VY		 250static const uint8_t pbox[32] = {
251 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
252 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
b57f37fb
WP		 253};
254
94b4fbf9 255static const uint32_t bits32[32] = {
b57f37fb
WP		 256 0x80000000, 0x40000000, 0x20000000, 0x10000000,
257 0x08000000, 0x04000000, 0x02000000, 0x01000000,
258 0x00800000, 0x00400000, 0x00200000, 0x00100000,
259 0x00080000, 0x00040000, 0x00020000, 0x00010000,
260 0x00008000, 0x00004000, 0x00002000, 0x00001000,
261 0x00000800, 0x00000400, 0x00000200, 0x00000100,
262 0x00000080, 0x00000040, 0x00000020, 0x00000010,
263 0x00000008, 0x00000004, 0x00000002, 0x00000001
264};
265
94b4fbf9
VY		 266static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
267
4414eb3c 268static const uint32_t *bits28, *bits24;
b57f37fb
WP		 269
270
94b4fbf9 271static int
12e39525 272rb_ascii_to_bin(char ch)
b57f37fb 273{
94b4fbf9
VY		 274 if(ch > 'z')
275 return (0);
276 if(ch >= 'a')
277 return (ch - 'a' + 38);
278 if(ch > 'Z')
279 return (0);
280 if(ch >= 'A')
281 return (ch - 'A' + 12);
282 if(ch > '9')
283 return (0);
284 if(ch >= '.')
285 return (ch - '.');
286 return (0);
b57f37fb
WP		 287}
288
289static void
12e39525 290rb_des_init(void)
b57f37fb 291{
94b4fbf9
VY		 292 int i, j, b, k, inbit, obit;
293 uint32_t *p, *il, *ir, *fl, *fr;
12e39525 294 static int rb_des_initialised = 0;
b57f37fb 295
12e39525 296 if(rb_des_initialised == 1)
94b4fbf9 297 return;
b57f37fb
WP		 298
299 old_rawkey0 = old_rawkey1 = 0L;
300 saltbits = 0L;
301 old_salt = 0L;
302 bits24 = (bits28 = bits32 + 4) + 4;
303
304 /*
305 * Invert the S-boxes, reordering the input bits.
306 */
94b4fbf9
VY		 307 for(i = 0; i < 8; i++)
308 for(j = 0; j < 64; j++)
309 {
b57f37fb
WP		 310 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
311 u_sbox[i][j] = sbox[i][b];
312 }
313
314 /*
315 * Convert the inverted S-boxes into 4 arrays of 8 bits.
316 * Each will handle 12 bits of the S-box input.
317 */
94b4fbf9
VY		 318 for(b = 0; b < 4; b++)
319 for(i = 0; i < 64; i++)
320 for(j = 0; j < 64; j++)
b57f37fb 321 m_sbox[b][(i << 6) | j] =
94b4fbf9
VY		 322 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
323 u_sbox[(b << 1) + 1][j]);
b57f37fb
WP		 324
325 /*
326 * Set up the initial & final permutations into a useful form, and
327 * initialise the inverted key permutation.
328 */
94b4fbf9
VY		 329 for(i = 0; i < 64; i++)
330 {
331 init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i;
b57f37fb
WP		 332 inv_key_perm[i] = 255;
333 }
334
335 /*
336 * Invert the key permutation and initialise the inverted key
337 * compression permutation.
338 */
94b4fbf9
VY		 339 for(i = 0; i < 56; i++)
340 {
341 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
b57f37fb
WP		 342 inv_comp_perm[i] = 255;
343 }
344
345 /*
346 * Invert the key compression permutation.
347 */
94b4fbf9
VY		 348 for(i = 0; i < 48; i++)
349 {
350 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
b57f37fb
WP		 351 }
352
353 /*
354 * Set up the OR-mask arrays for the initial and final permutations,
355 * and for the key initial and compression permutations.
356 */
94b4fbf9
VY		 357 for(k = 0; k < 8; k++)
358 {
359 for(i = 0; i < 256; i++)
360 {
b57f37fb
WP		 361 *(il = &ip_maskl[k][i]) = 0L;
362 *(ir = &ip_maskr[k][i]) = 0L;
363 *(fl = &fp_maskl[k][i]) = 0L;
364 *(fr = &fp_maskr[k][i]) = 0L;
94b4fbf9
VY		 365 for(j = 0; j < 8; j++)
366 {
b57f37fb 367 inbit = 8 * k + j;
94b4fbf9
VY		 368 if(i & bits8[j])
369 {
370 if((obit = init_perm[inbit]) < 32)
b57f37fb
WP		 371 *il |= bits32[obit];
372 else
94b4fbf9
VY		 373 *ir |= bits32[obit - 32];
374 if((obit = final_perm[inbit]) < 32)
b57f37fb
WP		 375 *fl |= bits32[obit];
376 else
377 *fr |= bits32[obit - 32];
378 }
379 }
380 }
94b4fbf9
VY		 381 for(i = 0; i < 128; i++)
382 {
b57f37fb
WP		 383 *(il = &key_perm_maskl[k][i]) = 0L;
384 *(ir = &key_perm_maskr[k][i]) = 0L;
94b4fbf9
VY		 385 for(j = 0; j < 7; j++)
386 {
b57f37fb 387 inbit = 8 * k + j;
94b4fbf9
VY		 388 if(i & bits8[j + 1])
389 {
390 if((obit = inv_key_perm[inbit]) == 255)
b57f37fb 391 continue;
94b4fbf9 392 if(obit < 28)
b57f37fb
WP		 393 *il |= bits28[obit];
394 else
395 *ir |= bits28[obit - 28];
396 }
397 }
398 *(il = &comp_maskl[k][i]) = 0L;
399 *(ir = &comp_maskr[k][i]) = 0L;
94b4fbf9
VY		 400 for(j = 0; j < 7; j++)
401 {
b57f37fb 402 inbit = 7 * k + j;
94b4fbf9
VY		 403 if(i & bits8[j + 1])
404 {
405 if((obit = inv_comp_perm[inbit]) == 255)
b57f37fb 406 continue;
94b4fbf9 407 if(obit < 24)
b57f37fb
WP		 408 *il |= bits24[obit];
409 else
410 *ir |= bits24[obit - 24];
411 }
412 }
413 }
414 }
415
416 /*
417 * Invert the P-box permutation, and convert into OR-masks for
418 * handling the output of the S-box arrays setup above.
419 */
94b4fbf9
VY		 420 for(i = 0; i < 32; i++)
421 un_pbox[pbox[i] - 1] = (uint8_t)i;
b57f37fb 422
94b4fbf9
VY		 423 for(b = 0; b < 4; b++)
424 for(i = 0; i < 256; i++)
425 {
b57f37fb 426 *(p = &psbox[b][i]) = 0L;
94b4fbf9
VY		 427 for(j = 0; j < 8; j++)
428 {
429 if(i & bits8[j])
b57f37fb
WP		 430 *p |= bits32[un_pbox[8 * b + j]];
431 }
432 }
433
12e39525 434 rb_des_initialised = 1;
b57f37fb
WP		 435}
436
437
438static void
12e39525 439rb_setup_salt(long salt)
b57f37fb 440{
94b4fbf9
VY		 441 uint32_t obit, saltbit;
442 int i;
b57f37fb 443
94b4fbf9 444 if(salt == (long)old_salt)
b57f37fb
WP		 445 return;
446 old_salt = salt;
447
448 saltbits = 0L;
449 saltbit = 1;
450 obit = 0x800000;
94b4fbf9
VY		 451 for(i = 0; i < 24; i++)
452 {
453 if(salt & saltbit)
b57f37fb
WP		 454 saltbits |= obit;
455 saltbit <<= 1;
456 obit >>= 1;
457 }
458}
459
b57f37fb 460static int
12e39525 461rb_des_setkey(const char *key)
b57f37fb 462{
94b4fbf9
VY		 463 uint32_t k0, k1, rawkey0, rawkey1;
464 int shifts, round;
b57f37fb 465
12e39525 466 rb_des_init();
b57f37fb 467
94b4fbf9
VY		 468 rawkey0 = ntohl(*(const uint32_t *)key);
469 rawkey1 = ntohl(*(const uint32_t *)(key + 4));
b57f37fb 470
94b4fbf9
VY		 471 if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1)
472 {
b57f37fb
WP		 473 /*
474 * Already setup for this key.
475 * This optimisation fails on a zero key (which is weak and
476 * has bad parity anyway) in order to simplify the starting
477 * conditions.
478 */
94b4fbf9 479 return (0);
b57f37fb
WP		 480 }
481 old_rawkey0 = rawkey0;
482 old_rawkey1 = rawkey1;
483
484 /*
94b4fbf9 485 * Do key permutation and split into two 28-bit subkeys.
b57f37fb
WP		 486 */
487 k0 = key_perm_maskl[0][rawkey0 >> 25]
94b4fbf9
VY		 488 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
489 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
490 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
491 | key_perm_maskl[4][rawkey1 >> 25]
492 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
493 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
494 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
b57f37fb 495 k1 = key_perm_maskr[0][rawkey0 >> 25]
94b4fbf9
VY		 496 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
497 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
498 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
499 | key_perm_maskr[4][rawkey1 >> 25]
500 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
501 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
502 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
b57f37fb 503 /*
94b4fbf9 504 * Rotate subkeys and do compression permutation.
b57f37fb
WP		 505 */
506 shifts = 0;
94b4fbf9
VY		 507 for(round = 0; round < 16; round++)
508 {
509 uint32_t t0, t1;
b57f37fb
WP		 510
511 shifts += key_shifts[round];
512
513 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
514 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
515
516 de_keysl[15 - round] =
94b4fbf9
VY		 517 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
518 | comp_maskl[1][(t0 >> 14) & 0x7f]
519 | comp_maskl[2][(t0 >> 7) & 0x7f]
520 | comp_maskl[3][t0 & 0x7f]
521 | comp_maskl[4][(t1 >> 21) & 0x7f]
522 | comp_maskl[5][(t1 >> 14) & 0x7f]
523 | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f];
b57f37fb
WP		 524
525 de_keysr[15 - round] =
94b4fbf9
VY		 526 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
527 | comp_maskr[1][(t0 >> 14) & 0x7f]
528 | comp_maskr[2][(t0 >> 7) & 0x7f]
529 | comp_maskr[3][t0 & 0x7f]
530 | comp_maskr[4][(t1 >> 21) & 0x7f]
531 | comp_maskr[5][(t1 >> 14) & 0x7f]
532 | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f];
b57f37fb 533 }
94b4fbf9 534 return (0);
b57f37fb
WP		 535}
536
b57f37fb 537static int
12e39525 538rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count)
b57f37fb
WP		 539{
540 /*
94b4fbf9 541 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
b57f37fb 542 */
94b4fbf9
VY		 543 uint32_t l, r, *kl, *kr, *kl1, *kr1;
544 uint32_t f, r48l, r48r;
545 int round;
b57f37fb 546
94b4fbf9
VY		 547 if(count == 0)
548 {
549 return (1);
550 }
551 else if(count > 0)
552 {
b57f37fb
WP		 553 /*
554 * Encrypting
555 */
556 kl1 = en_keysl;
557 kr1 = en_keysr;
94b4fbf9
VY		 558 }
559 else
560 {
b57f37fb
WP		 561 /*
562 * Decrypting
563 */
564 count = -count;
565 kl1 = de_keysl;
566 kr1 = de_keysr;
567 }
568
569 /*
94b4fbf9 570 * Do initial permutation (IP).
b57f37fb
WP		 571 */
572 l = ip_maskl[0][l_in >> 24]
94b4fbf9
VY		 573 | ip_maskl[1][(l_in >> 16) & 0xff]
574 | ip_maskl[2][(l_in >> 8) & 0xff]
575 | ip_maskl[3][l_in & 0xff]
576 | ip_maskl[4][r_in >> 24]
577 | ip_maskl[5][(r_in >> 16) & 0xff]
578 | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff];
b57f37fb 579 r = ip_maskr[0][l_in >> 24]
94b4fbf9
VY		 580 | ip_maskr[1][(l_in >> 16) & 0xff]
581 | ip_maskr[2][(l_in >> 8) & 0xff]
582 | ip_maskr[3][l_in & 0xff]
583 | ip_maskr[4][r_in >> 24]
584 | ip_maskr[5][(r_in >> 16) & 0xff]
585 | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff];
586
587 while(count--)
588 {
b57f37fb
WP		 589 /*
590 * Do each round.
591 */
592 kl = kl1;
593 kr = kr1;
594 round = 16;
94b4fbf9
VY		 595 while(round--)
596 {
b57f37fb
WP		 597 /*
598 * Expand R to 48 bits (simulate the E-box).
599 */
94b4fbf9 600 r48l = ((r & 0x00000001) << 23)
b57f37fb
WP		 601 | ((r & 0xf8000000) >> 9)
602 | ((r & 0x1f800000) >> 11)
94b4fbf9 603 | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15);
b57f37fb 604
94b4fbf9 605 r48r = ((r & 0x0001f800) << 7)
b57f37fb
WP		 606 | ((r & 0x00001f80) << 5)
607 | ((r & 0x000001f8) << 3)
94b4fbf9 608 | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31);
b57f37fb
WP		 609 /*
610 * Do salting for crypt() and friends, and
611 * XOR with the permuted key.
612 */
613 f = (r48l ^ r48r) & saltbits;
614 r48l ^= f ^ *kl++;
615 r48r ^= f ^ *kr++;
616 /*
617 * Do sbox lookups (which shrink it back to 32 bits)
618 * and do the pbox permutation at the same time.
619 */
620 f = psbox[0][m_sbox[0][r48l >> 12]]
94b4fbf9
VY		 621 | psbox[1][m_sbox[1][r48l & 0xfff]]
622 | psbox[2][m_sbox[2][r48r >> 12]]
623 | psbox[3][m_sbox[3][r48r & 0xfff]];
b57f37fb
WP		 624 /*
625 * Now that we've permuted things, complete f().
626 */
627 f ^= l;
628 l = r;
629 r = f;
630 }
631 r = l;
632 l = f;
633 }
634 /*
635 * Do final permutation (inverse of IP).
636 */
94b4fbf9 637 *l_out = fp_maskl[0][l >> 24]
b57f37fb
WP		 638 | fp_maskl[1][(l >> 16) & 0xff]
639 | fp_maskl[2][(l >> 8) & 0xff]
640 | fp_maskl[3][l & 0xff]
641 | fp_maskl[4][r >> 24]
642 | fp_maskl[5][(r >> 16) & 0xff]
94b4fbf9
VY		 643 | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff];
644 *r_out = fp_maskr[0][l >> 24]
b57f37fb
WP		 645 | fp_maskr[1][(l >> 16) & 0xff]
646 | fp_maskr[2][(l >> 8) & 0xff]
647 | fp_maskr[3][l & 0xff]
648 | fp_maskr[4][r >> 24]
649 | fp_maskr[5][(r >> 16) & 0xff]
94b4fbf9
VY		 650 | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff];
651 return (0);
b57f37fb
WP		 652}
653
b57f37fb 654static char *
12e39525 655rb_des_crypt(const char *key, const char *setting)
b57f37fb 656{
94b4fbf9
VY		 657 uint32_t count, salt, l, r0, r1, keybuf[2];
658 uint8_t *p, *q;
659 static char output[21];
b57f37fb 660
12e39525 661 rb_des_init();
b57f37fb
WP		 662
663 /*
664 * Copy the key, shifting each character up by one bit
665 * and padding with zeros.
666 */
94b4fbf9
VY		 667 q = (uint8_t *)keybuf;
668 while(q - (uint8_t *)keybuf - 8)
669 {
b57f37fb 670 *q++ = *key << 1;
94b4fbf9 671 if(*(q - 1))
b57f37fb
WP		 672 key++;
673 }
12e39525 674 if(rb_des_setkey((char *)keybuf))
94b4fbf9 675 return (NULL);
b57f37fb
WP		 676 {
677 /*
678 * "old"-style:
94b4fbf9
VY		 679 * setting - 2 bytes of salt
680 * key - up to 8 characters
b57f37fb
WP		 681 */
682 count = 25;
683
12e39525 684 salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]);
b57f37fb
WP		 685
686 output[0] = setting[0];
687 /*
688 * If the encrypted password that the salt was extracted from
689 * is only 1 character long, the salt will be corrupted. We
690 * need to ensure that the output string doesn't have an extra
691 * NUL in it!
692 */
693 output[1] = setting[1] ? setting[1] : output[0];
694
94b4fbf9 695 p = (uint8_t *)output + 2;
b57f37fb 696 }
12e39525 697 rb_setup_salt(salt);
b57f37fb
WP		 698 /*
699 * Do it.
700 */
12e39525 701 if(rb_do_des(0L, 0L, &r0, &r1, (int)count))
94b4fbf9 702 return (NULL);
b57f37fb
WP		 703 /*
704 * Now encode the result...
705 */
706 l = (r0 >> 8);
707 *p++ = ascii64[(l >> 18) & 0x3f];
708 *p++ = ascii64[(l >> 12) & 0x3f];
709 *p++ = ascii64[(l >> 6) & 0x3f];
710 *p++ = ascii64[l & 0x3f];
711
712 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
713 *p++ = ascii64[(l >> 18) & 0x3f];
714 *p++ = ascii64[(l >> 12) & 0x3f];
715 *p++ = ascii64[(l >> 6) & 0x3f];
716 *p++ = ascii64[l & 0x3f];
717
718 l = r1 << 2;
719 *p++ = ascii64[(l >> 12) & 0x3f];
720 *p++ = ascii64[(l >> 6) & 0x3f];
721 *p++ = ascii64[l & 0x3f];
722 *p = 0;
723
94b4fbf9 724 return (output);
b57f37fb
WP		 725}
726
727/* Now md5 crypt */
b57f37fb
WP		 728/*
729 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
730 *
731 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
732 * rights reserved.
733 *
734 * License to copy and use this software is granted provided that it
735 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
736 * Algorithm" in all material mentioning or referencing this software
737 * or this function.
738 *
739 * License is also granted to make and use derivative works provided
740 * that such works are identified as "derived from the RSA Data
741 * Security, Inc. MD5 Message-Digest Algorithm" in all material
742 * mentioning or referencing the derived work.
743 *
744 * RSA Data Security, Inc. makes no representations concerning either
745 * the merchantability of this software or the suitability of this
746 * software for any particular purpose. It is provided "as is"
747 * without express or implied warranty of any kind.
748 *
749 * These notices must be retained in any copies of any part of this
750 * documentation and/or software.
751 *
b57f37fb
WP		 752 * This code is the same as the code published by RSA Inc. It has been
753 * edited for clarity and style only.
b57f37fb 754 */
b57f37fb 755
12e39525
JH		 756#define MD5_BLOCK_LENGTH 64
757#define MD5_DIGEST_LENGTH 16
758#define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1)
759#define MD5_SIZE 16
b57f37fb 760
12e39525
JH		 761static void
762_crypt_to64(char *s, u_long v, int n)
94b4fbf9 763{
12e39525
JH		 764 while (--n >= 0) {
765 *s++ = ascii64[v&0x3f];
766 v >>= 6;
767 }
768}
b57f37fb 769
12e39525
JH		 770/* MD5 context. */
771typedef struct MD5Context {
44e6a470
EJM		 772 uint32_t state[4]; /* state (ABCD) */
773 uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */
12e39525
JH		 774 unsigned char buffer[64]; /* input buffer */
775} MD5_CTX;
776
44e6a470 777static void MD5Transform(uint32_t [4], const unsigned char [64]);
12e39525
JH		 778static void MD5Init (MD5_CTX *);
779static void MD5Update (MD5_CTX *, const void *, unsigned int);
780static void MD5Final (unsigned char [16], MD5_CTX *);
781
782#if (BYTE_ORDER == LITTLE_ENDIAN)
783#define Encode memcpy
784#define Decode memcpy
785#else
b57f37fb
WP		 786
787/*
44e6a470 788 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
b57f37fb
WP		 789 * a multiple of 4.
790 */
791
792static void
44e6a470 793Encode (unsigned char *output, uint32_t *input, unsigned int len)
b57f37fb 794{
12e39525 795 unsigned int i;
44e6a470 796 uint32_t *op = (uint32_t *)output;
b57f37fb 797
12e39525
JH		 798 for (i = 0; i < len / 4; i++)
799 op[i] = htole32(input[i]);
b57f37fb
WP		 800}
801
802/*
44e6a470 803 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
b57f37fb
WP		 804 * a multiple of 4.
805 */
806
807static void
44e6a470 808Decode (uint32_t *output, const unsigned char *input, unsigned int len)
b57f37fb 809{
12e39525 810 unsigned int i;
44e6a470 811 const uint32_t *ip = (const uint32_t *)input;
b57f37fb 812
12e39525
JH		 813 for (i = 0; i < len / 4; i++)
814 output[i] = le32toh(ip[i]);
b57f37fb 815}
12e39525
JH		 816#endif
817
818static unsigned char PADDING[64] = {
819 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
820 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
821 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
822};
b57f37fb
WP		 823
824/* F, G, H and I are basic MD5 functions. */
825#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
826#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
827#define H(x, y, z) ((x) ^ (y) ^ (z))
828#define I(x, y, z) ((y) ^ ((x) | (~z)))
829
830/* ROTATE_LEFT rotates x left n bits. */
831#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
832
833/*
834 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
835 * Rotation is separate from addition to prevent recomputation.
836 */
837#define FF(a, b, c, d, x, s, ac) { \
44e6a470 838 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
b57f37fb
WP		 839 (a) = ROTATE_LEFT ((a), (s)); \
840 (a) += (b); \
841 }
842#define GG(a, b, c, d, x, s, ac) { \
44e6a470 843 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
b57f37fb
WP		 844 (a) = ROTATE_LEFT ((a), (s)); \
845 (a) += (b); \
846 }
847#define HH(a, b, c, d, x, s, ac) { \
44e6a470 848 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
b57f37fb
WP		 849 (a) = ROTATE_LEFT ((a), (s)); \
850 (a) += (b); \
851 }
852#define II(a, b, c, d, x, s, ac) { \
44e6a470 853 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
b57f37fb
WP		 854 (a) = ROTATE_LEFT ((a), (s)); \
855 (a) += (b); \
856 }
857
858/* MD5 initialization. Begins an MD5 operation, writing a new context. */
859
94b4fbf9 860static void
12e39525
JH		 861MD5Init (context)
862 MD5_CTX *context;
b57f37fb 863{
12e39525 864
b57f37fb
WP		 865 context->count[0] = context->count[1] = 0;
866
867 /* Load magic initialization constants. */
868 context->state[0] = 0x67452301;
869 context->state[1] = 0xefcdab89;
870 context->state[2] = 0x98badcfe;
871 context->state[3] = 0x10325476;
872}
873
874/*
875 * MD5 block update operation. Continues an MD5 message-digest
876 * operation, processing another message block, and updating the
877 * context.
878 */
879
94b4fbf9 880static void
12e39525
JH		 881MD5Update (context, in, inputLen)
882 MD5_CTX *context;
883 const void *in;
884 unsigned int inputLen;
b57f37fb 885{
12e39525
JH		 886 unsigned int i, idx, partLen;
887 const unsigned char *input = in;
888
b57f37fb 889 /* Compute number of bytes mod 64 */
12e39525 890 idx = (unsigned int)((context->count[0] >> 3) & 0x3F);
b57f37fb
WP		 891
892 /* Update number of bits */
44e6a470
EJM		 893 if ((context->count[0] += ((uint32_t)inputLen << 3))
894 < ((uint32_t)inputLen << 3))
b57f37fb 895 context->count[1]++;
44e6a470 896 context->count[1] += ((uint32_t)inputLen >> 29);
b57f37fb 897
12e39525 898 partLen = 64 - idx;
b57f37fb
WP		 899
900 /* Transform as many times as possible. */
12e39525
JH		 901 if (inputLen >= partLen) {
902 memcpy((void *)&context->buffer[idx], (const void *)input,
903 partLen);
904 MD5Transform (context->state, context->buffer);
b57f37fb 905
12e39525
JH		 906 for (i = partLen; i + 63 < inputLen; i += 64)
907 MD5Transform (context->state, &input[i]);
b57f37fb 908
12e39525 909 idx = 0;
b57f37fb
WP		 910 }
911 else
912 i = 0;
913
914 /* Buffer remaining input */
12e39525
JH		 915 memcpy ((void *)&context->buffer[idx], (const void *)&input[i],
916 inputLen-i);
b57f37fb
WP		 917}
918
919/*
920 * MD5 padding. Adds padding followed by original length.
921 */
922
94b4fbf9 923static void
12e39525
JH		 924MD5Pad (context)
925 MD5_CTX *context;
b57f37fb 926{
12e39525
JH		 927 unsigned char bits[8];
928 unsigned int idx, padLen;
b57f37fb
WP		 929
930 /* Save number of bits */
12e39525 931 Encode (bits, context->count, 8);
b57f37fb
WP		 932
933 /* Pad out to 56 mod 64. */
12e39525
JH		 934 idx = (unsigned int)((context->count[0] >> 3) & 0x3f);
935 padLen = (idx < 56) ? (56 - idx) : (120 - idx);
936 MD5Update (context, PADDING, padLen);
b57f37fb
WP		 937
938 /* Append length (before padding) */
12e39525 939 MD5Update (context, bits, 8);
b57f37fb
WP		 940}
941
942/*
943 * MD5 finalization. Ends an MD5 message-digest operation, writing the
944 * the message digest and zeroizing the context.
945 */
946
94b4fbf9 947static void
12e39525
JH		 948MD5Final (digest, context)
949 unsigned char digest[16];
950 MD5_CTX *context;
b57f37fb 951{
b57f37fb 952 /* Do padding. */
12e39525 953 MD5Pad (context);
b57f37fb
WP		 954
955 /* Store state in digest */
12e39525 956 Encode (digest, context->state, 16);
b57f37fb
WP		 957
958 /* Zeroize sensitive information. */
12e39525 959 memset ((void *)context, 0, sizeof (*context));
b57f37fb
WP		 960}
961
962/* MD5 basic transformation. Transforms state based on block. */
963
964static void
12e39525 965MD5Transform (state, block)
44e6a470 966 uint32_t state[4];
12e39525 967 const unsigned char block[64];
b57f37fb 968{
44e6a470 969 uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
b57f37fb 970
12e39525 971 Decode (x, block, 64);
b57f37fb
WP		 972
973 /* Round 1 */
b57f37fb
WP		 974#define S11 7
975#define S12 12
976#define S13 17
977#define S14 22
12e39525
JH		 978 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
979 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
980 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
981 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
982 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
983 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
984 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
985 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
986 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
987 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
988 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
989 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
990 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
991 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
992 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
993 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
b57f37fb
WP		 994
995 /* Round 2 */
996#define S21 5
997#define S22 9
998#define S23 14
999#define S24 20
12e39525
JH		 1000 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
1001 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
1002 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
1003 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
1004 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
1005 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
1006 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
1007 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
1008 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
1009 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
1010 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
1011 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
1012 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
1013 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
1014 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
1015 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
b57f37fb
WP		 1016
1017 /* Round 3 */
1018#define S31 4
1019#define S32 11
1020#define S33 16
1021#define S34 23
12e39525
JH		 1022 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
1023 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
1024 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
1025 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
1026 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
1027 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
1028 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
1029 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
1030 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
1031 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
1032 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
1033 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
1034 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
1035 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
1036 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
1037 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
b57f37fb
WP		 1038
1039 /* Round 4 */
1040#define S41 6
1041#define S42 10
1042#define S43 15
1043#define S44 21
12e39525
JH		 1044 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
1045 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
1046 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
1047 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
1048 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
1049 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
1050 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
1051 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
1052 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
1053 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
1054 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
1055 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
1056 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
1057 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
1058 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
1059 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
b57f37fb
WP		 1060
1061 state[0] += a;
1062 state[1] += b;
1063 state[2] += c;
1064 state[3] += d;
1065
1066 /* Zeroize sensitive information. */
12e39525 1067 memset ((void *)x, 0, sizeof (x));
b57f37fb
WP		 1068}
1069
1070/*
1071 * UNIX password
b57f37fb
WP		 1072 */
1073
94b4fbf9 1074static char *
12e39525 1075rb_md5_crypt(const char *pw, const char *salt)
b57f37fb 1076{
12e39525
JH		 1077 MD5_CTX ctx,ctx1;
1078 unsigned long l;
1079 int sl, pl;
1080 u_int i;
1081 u_char final[MD5_SIZE];
b57f37fb
WP		 1082 static const char *sp, *ep;
1083 static char passwd[120], *p;
12e39525 1084 static const char *magic = "$1$";
b57f37fb
WP		 1085
1086 /* Refine the Salt first */
1087 sp = salt;
1088
1089 /* If it starts with the magic string, then skip that */
12e39525
JH		 1090 if(!strncmp(sp, magic, strlen(magic)))
1091 sp += strlen(magic);
b57f37fb
WP		 1092
1093 /* It stops at the first '$', max 8 chars */
94b4fbf9 1094 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
b57f37fb
WP		 1095 continue;
1096
1097 /* get the length of the true salt */
1098 sl = ep - sp;
1099
12e39525 1100 MD5Init(&ctx);
b57f37fb
WP		 1101
1102 /* The password first, since that is what is most unknown */
12e39525 1103 MD5Update(&ctx, (const u_char *)pw, strlen(pw));
b57f37fb
WP		 1104
1105 /* Then our magic string */
12e39525 1106 MD5Update(&ctx, (const u_char *)magic, strlen(magic));
b57f37fb
WP		 1107
1108 /* Then the raw salt */
12e39525 1109 MD5Update(&ctx, (const u_char *)sp, (u_int)sl);
b57f37fb
WP		 1110
1111 /* Then just as many characters of the MD5(pw,salt,pw) */
12e39525
JH		 1112 MD5Init(&ctx1);
1113 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1114 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
1115 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1116 MD5Final(final, &ctx1);
1117 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
1118 MD5Update(&ctx, (const u_char *)final,
1119 (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl));
b57f37fb
WP		 1120
1121 /* Don't leave anything around in vm they could use. */
12e39525 1122 memset(final, 0, sizeof(final));
b57f37fb
WP		 1123
1124 /* Then something really weird... */
12e39525
JH		 1125 for (i = strlen(pw); i; i >>= 1)
1126 if(i & 1)
1127 MD5Update(&ctx, (const u_char *)final, 1);
1128 else
1129 MD5Update(&ctx, (const u_char *)pw, 1);
b57f37fb
WP		 1130
1131 /* Now make the output string */
12e39525
JH		 1132 rb_strlcpy(passwd, magic, sizeof(passwd));
1133 strncat(passwd, sp, (u_int)sl);
ad06ad57 1134 rb_strlcat(passwd, "$", sizeof(passwd));
b57f37fb 1135
12e39525 1136 MD5Final(final, &ctx);
b57f37fb
WP		 1137
1138 /*
1139 * and now, just to make sure things don't run too fast
1140 * On a 60 Mhz Pentium this takes 34 msec, so you would
1141 * need 30 seconds to build a 1000 entry dictionary...
1142 */
12e39525
JH		 1143 for(i = 0; i < 1000; i++) {
1144 MD5Init(&ctx1);
b57f37fb 1145 if(i & 1)
12e39525 1146 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
b57f37fb 1147 else
12e39525 1148 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
b57f37fb
WP		 1149
1150 if(i % 3)
12e39525 1151 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
b57f37fb
WP		 1152
1153 if(i % 7)
12e39525 1154 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
b57f37fb
WP		 1155
1156 if(i & 1)
12e39525 1157 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
b57f37fb 1158 else
12e39525
JH		 1159 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1160 MD5Final(final, &ctx1);
b57f37fb
WP		 1161 }
1162
1163 p = passwd + strlen(passwd);
1164
12e39525
JH		 1165 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
1166 _crypt_to64(p, l, 4); p += 4;
1167 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
1168 _crypt_to64(p, l, 4); p += 4;
1169 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
1170 _crypt_to64(p, l, 4); p += 4;
1171 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
1172 _crypt_to64(p, l, 4); p += 4;
1173 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
1174 _crypt_to64(p, l, 4); p += 4;
b57f37fb 1175 l = final[11];
12e39525 1176 _crypt_to64(p, l, 2); p += 2;
b57f37fb
WP		 1177 *p = '\0';
1178
1179 /* Don't leave anything around in vm they could use. */
12e39525
JH		 1180 memset(final, 0, sizeof(final));
1181
1182 return (passwd);
1183}
1184
1185
1186/* SHA256-based Unix crypt implementation.
1187 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1188
1189/* Structure to save state of computation between the single steps. */
1190struct sha256_ctx
1191{
1192 uint32_t H[8];
1193
1194 uint32_t total[2];
1195 uint32_t buflen;
1196 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
1197};
1198
1199#if __BYTE_ORDER == __LITTLE_ENDIAN
1200# define SHA256_SWAP(n) \
1201 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1202#else
1203# define SHA256_SWAP(n) (n)
1204#endif
1205
1206/* This array contains the bytes used to pad the buffer to the next
1207 64-byte boundary. (FIPS 180-2:5.1.1) */
1208static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
1209
1210
1211/* Constants for SHA256 from FIPS 180-2:4.2.2. */
1212static const uint32_t SHA256_K[64] = {
1213 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1214 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1215 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1216 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1217 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1218 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1219 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1220 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1221 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1222 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1223 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1224 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1225 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1226 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1227 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1228 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1229};
1230
1231
1232/* Process LEN bytes of BUFFER, accumulating context into CTX.
1233 It is assumed that LEN % 64 == 0. */
1234static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
1235{
1236 const uint32_t *words = buffer;
1237 size_t nwords = len / sizeof(uint32_t);
1238 uint32_t a = ctx->H[0];
1239 uint32_t b = ctx->H[1];
1240 uint32_t c = ctx->H[2];
1241 uint32_t d = ctx->H[3];
1242 uint32_t e = ctx->H[4];
1243 uint32_t f = ctx->H[5];
1244 uint32_t g = ctx->H[6];
1245 uint32_t h = ctx->H[7];
1246
1247 /* First increment the byte count. FIPS 180-2 specifies the possible
1248 length of the file up to 2^64 bits. Here we only compute the
1249 number of bytes. Do a double word increment. */
1250 ctx->total[0] += len;
1251 if (ctx->total[0] < len)
1252 ++ctx->total[1];
1253
1254 /* Process all bytes in the buffer with 64 bytes in each round of
1255 the loop. */
1256 while (nwords > 0)
1257 {
1258 uint32_t W[64];
1259 uint32_t a_save = a;
1260 uint32_t b_save = b;
1261 uint32_t c_save = c;
1262 uint32_t d_save = d;
1263 uint32_t e_save = e;
1264 uint32_t f_save = f;
1265 uint32_t g_save = g;
1266 uint32_t h_save = h;
1267 unsigned int t;
1268
1269 /* Operators defined in FIPS 180-2:4.1.2. */
1270 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1271 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1272 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1273 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1274 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1275 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1276
1277 /* It is unfortunate that C does not provide an operator for
1278 cyclic rotation. Hope the C compiler is smart enough. */
1279 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1280
1281 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1282 for (t = 0; t < 16; ++t)
1283 {
1284 W[t] = SHA256_SWAP(*words);
1285 ++words;
1286 }
1287 for (t = 16; t < 64; ++t)
1288 W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16];
1289
1290 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1291 for (t = 0; t < 64; ++t)
1292 {
1293 uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t];
1294 uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c);
1295 h = g;
1296 g = f;
1297 f = e;
1298 e = d + T1;
1299 d = c;
1300 c = b;
1301 b = a;
1302 a = T1 + T2;
1303 }
1304
1305 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1306 step 4. */
1307 a += a_save;
1308 b += b_save;
1309 c += c_save;
1310 d += d_save;
1311 e += e_save;
1312 f += f_save;
1313 g += g_save;
1314 h += h_save;
1315
1316 /* Prepare for the next round. */
1317 nwords -= 16;
1318 }
1319
1320 /* Put checksum in context given as argument. */
1321 ctx->H[0] = a;
1322 ctx->H[1] = b;
1323 ctx->H[2] = c;
1324 ctx->H[3] = d;
1325 ctx->H[4] = e;
1326 ctx->H[5] = f;
1327 ctx->H[6] = g;
1328 ctx->H[7] = h;
1329}
1330
1331
1332/* Initialize structure containing state of computation.
1333 (FIPS 180-2:5.3.2) */
1334static void rb_sha256_init_ctx(struct sha256_ctx *ctx)
1335{
1336 ctx->H[0] = 0x6a09e667;
1337 ctx->H[1] = 0xbb67ae85;
1338 ctx->H[2] = 0x3c6ef372;
1339 ctx->H[3] = 0xa54ff53a;
1340 ctx->H[4] = 0x510e527f;
1341 ctx->H[5] = 0x9b05688c;
1342 ctx->H[6] = 0x1f83d9ab;
1343 ctx->H[7] = 0x5be0cd19;
1344
1345 ctx->total[0] = ctx->total[1] = 0;
1346 ctx->buflen = 0;
1347}
1348
1349
1350/* Process the remaining bytes in the internal buffer and the usual
1351 prolog according to the standard and write the result to RESBUF.
1352
1353 IMPORTANT: On some systems it is required that RESBUF is correctly
1354 aligned for a 32 bits value. */
1355static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
1356{
1357 /* Take yet unprocessed bytes into account. */
1358 uint32_t bytes = ctx->buflen;
1359 size_t pad;
1360 unsigned int i;
1361
1362 /* Now count remaining bytes. */
1363 ctx->total[0] += bytes;
1364 if (ctx->total[0] < bytes)
1365 ++ctx->total[1];
1366
1367 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
1368 memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad);
1369
1370 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1371 *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SHA256_SWAP(ctx->total[0] << 3);
1372 *(uint32_t *) & ctx->buffer[bytes + pad] = SHA256_SWAP((ctx->total[1] << 3) |
1373 (ctx->total[0] >> 29));
1374
1375 /* Process last bytes. */
1376 rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
1377
1378 /* Put result from CTX in first 32 bytes following RESBUF. */
1379 for (i = 0; i < 8; ++i)
1380 ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]);
1381
1382 return resbuf;
1383}
1384
1385
1386static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
1387{
1388 /* When we already have some bits in our internal buffer concatenate
1389 both inputs first. */
1390 if (ctx->buflen != 0)
1391 {
1392 size_t left_over = ctx->buflen;
1393 size_t add = 128 - left_over > len ? len : 128 - left_over;
1394
1395 memcpy(&ctx->buffer[left_over], buffer, add);
1396 ctx->buflen += add;
1397
1398 if (ctx->buflen > 64)
1399 {
1400 rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
1401
1402 ctx->buflen &= 63;
1403 /* The regions in the following copy operation cannot overlap. */
1404 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
1405 }
1406
1407 buffer = (const char *)buffer + add;
1408 len -= add;
1409 }
1410
1411 /* Process available complete blocks. */
1412 if (len >= 64)
1413 {
1414 /* To check alignment gcc has an appropriate operator. Other
1415 compilers don't. */
1416 #if __GNUC__ >= 2
1417 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1418 #else
1419 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1420 #endif
1421 if (SHA256_UNALIGNED_P(buffer))
1422 while (len > 64)
1423 {
1424 rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
1425 buffer = (const char *)buffer + 64;
1426 len -= 64;
1427 }
1428 else
1429 {
1430 rb_sha256_process_block(buffer, len & ~63, ctx);
1431 buffer = (const char *)buffer + (len & ~63);
1432 len &= 63;
1433 }
1434 }
1435
1436 /* Move remaining bytes into internal buffer. */
1437 if (len > 0)
1438 {
1439 size_t left_over = ctx->buflen;
1440
1441 memcpy(&ctx->buffer[left_over], buffer, len);
1442 left_over += len;
1443 if (left_over >= 64)
1444 {
1445 rb_sha256_process_block(ctx->buffer, 64, ctx);
1446 left_over -= 64;
1447 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
1448 }
1449 ctx->buflen = left_over;
1450 }
1451}
1452
1453
1454/* Define our magic string to mark salt for SHA256 "encryption"
1455 replacement. */
1456static const char sha256_salt_prefix[] = "$5$";
1457
1458/* Prefix for optional rounds specification. */
1459static const char sha256_rounds_prefix[] = "rounds=";
1460
1461/* Maximum salt string length. */
1462#define SHA256_SALT_LEN_MAX 16
1463/* Default number of rounds if not explicitly specified. */
1464#define SHA256_ROUNDS_DEFAULT 5000
1465/* Minimum number of rounds. */
1466#define SHA256_ROUNDS_MIN 1000
1467/* Maximum number of rounds. */
1468#define SHA256_ROUNDS_MAX 999999999
1469
1470static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
1471{
1472 unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1473 unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1474 struct sha256_ctx ctx;
1475 struct sha256_ctx alt_ctx;
1476 size_t salt_len;
1477 size_t key_len;
1478 size_t cnt;
1479 char *cp;
1480 char *copied_key = NULL;
1481 char *copied_salt = NULL;
1482 char *p_bytes;
1483 char *s_bytes;
1484 /* Default number of rounds. */
1485 size_t rounds = SHA256_ROUNDS_DEFAULT;
1486 int rounds_custom = 0;
1487
1488 /* Find beginning of salt string. The prefix should normally always
1489 be present. Just in case it is not. */
1490 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
1491 /* Skip salt prefix. */
1492 salt += sizeof(sha256_salt_prefix) - 1;
1493
1494 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0)
1495 {
1496 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
1497 char *endp;
1498 unsigned long int srounds = strtoul(num, &endp, 10);
1499 if (*endp == '$')
1500 {
1501 salt = endp + 1;
1502 rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX));
1503 rounds_custom = 1;
1504 }
1505 }
1506
1507 salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX);
1508 key_len = strlen(key);
1509
1510 if ((key - (char *)0) % __alignof__(uint32_t) != 0)
1511 {
1512 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t));
1513 key = copied_key =
1514 memcpy(tmp + __alignof__(uint32_t)
1515 - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len);
1516 }
1517
1518 if ((salt - (char *)0) % __alignof__(uint32_t) != 0)
1519 {
1520 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t));
1521 salt = copied_salt =
1522 memcpy(tmp + __alignof__(uint32_t)
1523 - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len);
1524 }
1525
1526 /* Prepare for the real work. */
1527 rb_sha256_init_ctx(&ctx);
1528
1529 /* Add the key string. */
1530 rb_sha256_process_bytes(key, key_len, &ctx);
1531
1532 /* The last part is the salt string. This must be at most 16
1533 characters and it ends at the first `$' character (for
1534 compatibility with existing implementations). */
1535 rb_sha256_process_bytes(salt, salt_len, &ctx);
1536
1537
1538 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1539 final result will be added to the first context. */
1540 rb_sha256_init_ctx(&alt_ctx);
1541
1542 /* Add key. */
1543 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1544
1545 /* Add salt. */
1546 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1547
1548 /* Add key again. */
1549 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1550
1551 /* Now get result of this (32 bytes) and add it to the other
1552 context. */
1553 rb_sha256_finish_ctx(&alt_ctx, alt_result);
1554
1555 /* Add for any character in the key one byte of the alternate sum. */
1556 for (cnt = key_len; cnt > 32; cnt -= 32)
1557 rb_sha256_process_bytes(alt_result, 32, &ctx);
1558 rb_sha256_process_bytes(alt_result, cnt, &ctx);
1559
1560 /* Take the binary representation of the length of the key and for every
1561 1 add the alternate sum, for every 0 the key. */
1562 for (cnt = key_len; cnt > 0; cnt >>= 1)
1563 if ((cnt & 1) != 0)
1564 rb_sha256_process_bytes(alt_result, 32, &ctx);
1565 else
1566 rb_sha256_process_bytes(key, key_len, &ctx);
1567
1568 /* Create intermediate result. */
1569 rb_sha256_finish_ctx(&ctx, alt_result);
1570
1571 /* Start computation of P byte sequence. */
1572 rb_sha256_init_ctx(&alt_ctx);
1573
1574 /* For every character in the password add the entire password. */
44e6a470 1575 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
12e39525
JH		 1576 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1577
1578 /* Finish the digest. */
1579 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1580
1581 /* Create byte sequence P. */
1582 cp = p_bytes = alloca(key_len);
1583 for (cnt = key_len; cnt >= 32; cnt -= 32)
1584 {
1585 memcpy(cp, temp_result, 32);
1586 cp += 32;
1587 }
1588 memcpy(cp, temp_result, cnt);
1589
1590 /* Start computation of S byte sequence. */
1591 rb_sha256_init_ctx(&alt_ctx);
1592
1593 /* For every character in the password add the entire password. */
86044bd2 1594 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
12e39525
JH		 1595 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1596
1597 /* Finish the digest. */
1598 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1599
1600 /* Create byte sequence S. */
1601 cp = s_bytes = alloca(salt_len);
1602 for (cnt = salt_len; cnt >= 32; cnt -= 32)
1603 {
1604 memcpy(cp, temp_result, 32);
1605 cp += 32;
1606 }
1607 memcpy(cp, temp_result, cnt);
1608
1609 /* Repeatedly run the collected hash value through SHA256 to burn
1610 CPU cycles. */
1611 for (cnt = 0; cnt < rounds; ++cnt)
1612 {
1613 /* New context. */
1614 rb_sha256_init_ctx(&ctx);
1615
1616 /* Add key or last result. */
1617 if ((cnt & 1) != 0)
1618 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1619 else
1620 rb_sha256_process_bytes(alt_result, 32, &ctx);
1621
1622 /* Add salt for numbers not divisible by 3. */
1623 if (cnt % 3 != 0)
1624 rb_sha256_process_bytes(s_bytes, salt_len, &ctx);
1625
1626 /* Add key for numbers not divisible by 7. */
1627 if (cnt % 7 != 0)
1628 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1629
1630 /* Add key or last result. */
1631 if ((cnt & 1) != 0)
1632 rb_sha256_process_bytes(alt_result, 32, &ctx);
1633 else
1634 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1635
1636 /* Create intermediate result. */
1637 rb_sha256_finish_ctx(&ctx, alt_result);
1638 }
1639
1640 /* Now we can construct the result string. It consists of three
1641 parts. */
1642 memset(buffer, '\0', MAX(0, buflen));
1643 strncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1644 if((cp = strchr(buffer, '\0')) == NULL)
1645 cp = buffer + MAX(0, buflen);
1646 buflen -= sizeof(sha256_salt_prefix) - 1;
1647
1648 if (rounds_custom)
1649 {
1650 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1651 sha256_rounds_prefix, rounds);
1652 cp += n;
1653 buflen -= n;
1654 }
1655
1656 memset(cp, '\0', salt_len);
1657 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
1658 if((cp = strchr(buffer, '\0')) == NULL)
1659 cp += salt_len;
1660 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
1661
1662 if (buflen > 0)
1663 {
1664 *cp++ = '$';
1665 --buflen;
1666 }
1667
1668 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
1669 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
1670 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
1671 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
1672 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
1673 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
1674 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
1675 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
1676 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
1677 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
1678 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
1679 if (buflen <= 0)
1680 {
1681 errno = ERANGE;
1682 buffer = NULL;
1683 }
1684 else
1685 *cp = '\0'; /* Terminate the string. */
1686
1687 /* Clear the buffer for the intermediate result so that people
1688 attaching to processes or reading core dumps cannot get any
1689 information. We do it in this way to clear correct_words[]
1690 inside the SHA256 implementation as well. */
1691 rb_sha256_init_ctx(&ctx);
1692 rb_sha256_finish_ctx(&ctx, alt_result);
1693 memset(temp_result, '\0', sizeof(temp_result));
1694 memset(p_bytes, '\0', key_len);
1695 memset(s_bytes, '\0', salt_len);
1696 memset(&ctx, '\0', sizeof(ctx));
1697 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1698 if (copied_key != NULL)
1699 memset(copied_key, '\0', key_len);
1700 if (copied_salt != NULL)
1701 memset(copied_salt, '\0', salt_len);
1702
1703 return buffer;
1704}
1705
1706
1707/* This entry point is equivalent to the `crypt' function in Unix
1708 libcs. */
1709static char *rb_sha256_crypt(const char *key, const char *salt)
1710{
1711 /* We don't want to have an arbitrary limit in the size of the
1712 password. We can compute an upper bound for the size of the
1713 result in advance and so we can prepare the buffer we pass to
1714 `rb_sha256_crypt_r'. */
1715 static char *buffer;
1716 static int buflen;
1717 int needed = (sizeof(sha256_salt_prefix) - 1
1718 + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1);
1719
1720 char *new_buffer = (char *)malloc(needed);
1721 if (new_buffer == NULL)
1722 return NULL;
1723
1724 buffer = new_buffer;
1725 buflen = needed;
1726
1727 return rb_sha256_crypt_r(key, salt, buffer, buflen);
1728}
1729
1730/* Structure to save state of computation between the single steps. */
1731struct sha512_ctx
1732{
1733 uint64_t H[8];
1734
1735 uint64_t total[2];
1736 uint64_t buflen;
1737 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
1738};
1739
1740
1741#if __BYTE_ORDER == __LITTLE_ENDIAN
1742# define SHA512_SWAP(n) \
1743 (((n) << 56) \
1744 | (((n) & 0xff00) << 40) \
1745 | (((n) & 0xff0000) << 24) \
1746 | (((n) & 0xff000000) << 8) \
1747 | (((n) >> 8) & 0xff000000) \
1748 | (((n) >> 24) & 0xff0000) \
1749 | (((n) >> 40) & 0xff00) \
1750 | ((n) >> 56))
1751#else
1752# define SHA512_SWAP(n) (n)
1753#endif
1754
1755
1756/* This array contains the bytes used to pad the buffer to the next
1757 64-byte boundary. (FIPS 180-2:5.1.2) */
1758static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
1759
1760
1761/* Constants for SHA512 from FIPS 180-2:4.2.3. */
1762static const uint64_t SHA512_K[80] = {
1763 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
1764 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
1765 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
1766 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
1767 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
1768 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
1769 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
1770 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
1771 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
1772 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
1773 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
1774 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
1775 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
1776 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
1777 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
1778 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
1779 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
1780 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
1781 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
1782 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
1783 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
1784 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
1785 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
1786 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
1787 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
1788 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
1789 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
1790 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
1791 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
1792 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
1793 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
1794 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
1795 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
1796 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
1797 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
1798 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
1799 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
1800 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
1801 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
1802 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
1803};
1804
1805
1806/* Process LEN bytes of BUFFER, accumulating context into CTX.
1807 It is assumed that LEN % 128 == 0. */
1808static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
1809{
1810 const uint64_t *words = buffer;
1811 size_t nwords = len / sizeof(uint64_t);
1812 uint64_t a = ctx->H[0];
1813 uint64_t b = ctx->H[1];
1814 uint64_t c = ctx->H[2];
1815 uint64_t d = ctx->H[3];
1816 uint64_t e = ctx->H[4];
1817 uint64_t f = ctx->H[5];
1818 uint64_t g = ctx->H[6];
1819 uint64_t h = ctx->H[7];
1820
1821 /* First increment the byte count. FIPS 180-2 specifies the possible
1822 length of the file up to 2^128 bits. Here we only compute the
1823 number of bytes. Do a double word increment. */
1824 ctx->total[0] += len;
1825 if (ctx->total[0] < len)
1826 ++ctx->total[1];
1827
1828 /* Process all bytes in the buffer with 128 bytes in each round of
1829 the loop. */
1830 while (nwords > 0)
1831 {
1832 uint64_t W[80];
1833 uint64_t a_save = a;
1834 uint64_t b_save = b;
1835 uint64_t c_save = c;
1836 uint64_t d_save = d;
1837 uint64_t e_save = e;
1838 uint64_t f_save = f;
1839 uint64_t g_save = g;
1840 uint64_t h_save = h;
1841 unsigned int t;
1842
1843 /* Operators defined in FIPS 180-2:4.1.2. */
1844 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1845 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1846 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1847 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1848 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1849 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1850
1851 /* It is unfortunate that C does not provide an operator for
1852 cyclic rotation. Hope the C compiler is smart enough. */
1853 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1854
1855 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1856 for (t = 0; t < 16; ++t)
1857 {
1858 W[t] = SHA512_SWAP(*words);
1859 ++words;
1860 }
1861 for (t = 16; t < 80; ++t)
1862 W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16];
1863
1864 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1865 for (t = 0; t < 80; ++t)
1866 {
1867 uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t];
1868 uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c);
1869 h = g;
1870 g = f;
1871 f = e;
1872 e = d + T1;
1873 d = c;
1874 c = b;
1875 b = a;
1876 a = T1 + T2;
1877 }
1878
1879 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1880 step 4. */
1881 a += a_save;
1882 b += b_save;
1883 c += c_save;
1884 d += d_save;
1885 e += e_save;
1886 f += f_save;
1887 g += g_save;
1888 h += h_save;
1889
1890 /* Prepare for the next round. */
1891 nwords -= 16;
1892 }
1893
1894 /* Put checksum in context given as argument. */
1895 ctx->H[0] = a;
1896 ctx->H[1] = b;
1897 ctx->H[2] = c;
1898 ctx->H[3] = d;
1899 ctx->H[4] = e;
1900 ctx->H[5] = f;
1901 ctx->H[6] = g;
1902 ctx->H[7] = h;
1903}
1904
1905
1906/* Initialize structure containing state of computation.
1907 (FIPS 180-2:5.3.3) */
1908static void rb_sha512_init_ctx(struct sha512_ctx *ctx)
1909{
1910 ctx->H[0] = 0x6a09e667f3bcc908ULL;
1911 ctx->H[1] = 0xbb67ae8584caa73bULL;
1912 ctx->H[2] = 0x3c6ef372fe94f82bULL;
1913 ctx->H[3] = 0xa54ff53a5f1d36f1ULL;
1914 ctx->H[4] = 0x510e527fade682d1ULL;
1915 ctx->H[5] = 0x9b05688c2b3e6c1fULL;
1916 ctx->H[6] = 0x1f83d9abfb41bd6bULL;
1917 ctx->H[7] = 0x5be0cd19137e2179ULL;
1918
1919 ctx->total[0] = ctx->total[1] = 0;
1920 ctx->buflen = 0;
1921}
1922
1923
1924/* Process the remaining bytes in the internal buffer and the usual
1925 prolog according to the standard and write the result to RESBUF.
1926
1927 IMPORTANT: On some systems it is required that RESBUF is correctly
1928 aligned for a 32 bits value. */
1929static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
1930{
1931 /* Take yet unprocessed bytes into account. */
1932 uint64_t bytes = ctx->buflen;
1933 size_t pad;
1934 unsigned int i;
1935
1936 /* Now count remaining bytes. */
1937 ctx->total[0] += bytes;
1938 if (ctx->total[0] < bytes)
1939 ++ctx->total[1];
1940
1941 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
1942 memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad);
1943
1944 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1945 *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SHA512_SWAP(ctx->total[0] << 3);
1946 *(uint64_t *) & ctx->buffer[bytes + pad] = SHA512_SWAP((ctx->total[1] << 3) |
1947 (ctx->total[0] >> 61));
1948
1949 /* Process last bytes. */
1950 rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
1951
1952 /* Put result from CTX in first 64 bytes following RESBUF. */
1953 for (i = 0; i < 8; ++i)
1954 ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]);
1955
1956 return resbuf;
1957}
1958
1959
1960static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
1961{
1962 /* When we already have some bits in our internal buffer concatenate
1963 both inputs first. */
1964 if (ctx->buflen != 0)
1965 {
1966 size_t left_over = ctx->buflen;
1967 size_t add = 256 - left_over > len ? len : 256 - left_over;
1968
1969 memcpy(&ctx->buffer[left_over], buffer, add);
1970 ctx->buflen += add;
1971
1972 if (ctx->buflen > 128)
1973 {
1974 rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
1975
1976 ctx->buflen &= 127;
1977 /* The regions in the following copy operation cannot overlap. */
1978 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen);
1979 }
1980
1981 buffer = (const char *)buffer + add;
1982 len -= add;
1983 }
1984
1985 /* Process available complete blocks. */
1986 if (len >= 128)
1987 {
1988 #if !_STRING_ARCH_unaligned
1989 /* To check alignment gcc has an appropriate operator. Other
1990 compilers don't. */
1991 # if __GNUC__ >= 2
1992 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1993 # else
1994 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1995 # endif
1996 if (SHA512_UNALIGNED_P(buffer))
1997 while (len > 128)
1998 {
1999 rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
2000 buffer = (const char *)buffer + 128;
2001 len -= 128;
2002 }
2003 else
2004 #endif
2005 {
2006 rb_sha512_process_block(buffer, len & ~127, ctx);
2007 buffer = (const char *)buffer + (len & ~127);
2008 len &= 127;
2009 }
2010 }
2011
2012 /* Move remaining bytes into internal buffer. */
2013 if (len > 0)
2014 {
2015 size_t left_over = ctx->buflen;
2016
2017 memcpy(&ctx->buffer[left_over], buffer, len);
2018 left_over += len;
2019 if (left_over >= 128)
2020 {
2021 rb_sha512_process_block(ctx->buffer, 128, ctx);
2022 left_over -= 128;
2023 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
2024 }
2025 ctx->buflen = left_over;
2026 }
2027}
2028
2029
2030/* Define our magic string to mark salt for SHA512 "encryption"
2031 replacement. */
2032static const char sha512_salt_prefix[] = "$6$";
2033
2034/* Prefix for optional rounds specification. */
2035static const char sha512_rounds_prefix[] = "rounds=";
2036
2037/* Maximum salt string length. */
2038#define SHA512_SALT_LEN_MAX 16
2039/* Default number of rounds if not explicitly specified. */
2040#define SHA512_ROUNDS_DEFAULT 5000
2041/* Minimum number of rounds. */
2042#define SHA512_ROUNDS_MIN 1000
2043/* Maximum number of rounds. */
2044#define SHA512_ROUNDS_MAX 999999999
2045
2046static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
2047{
2048 unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2049 unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2050 struct sha512_ctx ctx;
2051 struct sha512_ctx alt_ctx;
2052 size_t salt_len;
2053 size_t key_len;
2054 size_t cnt;
2055 char *cp;
2056 char *copied_key = NULL;
2057 char *copied_salt = NULL;
2058 char *p_bytes;
2059 char *s_bytes;
2060 /* Default number of rounds. */
2061 size_t rounds = SHA512_ROUNDS_DEFAULT;
2062 int rounds_custom = 0;
2063
2064 /* Find beginning of salt string. The prefix should normally always
2065 be present. Just in case it is not. */
2066 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
2067 /* Skip salt prefix. */
2068 salt += sizeof(sha512_salt_prefix) - 1;
2069
2070 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0)
2071 {
2072 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
2073 char *endp;
2074 unsigned long int srounds = strtoul(num, &endp, 10);
2075 if (*endp == '$')
2076 {
2077 salt = endp + 1;
2078 rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX));
2079 rounds_custom = 1;
2080 }
2081 }
2082
2083 salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX);
2084 key_len = strlen(key);
2085
2086 if ((key - (char *)0) % __alignof__(uint64_t) != 0)
2087 {
2088 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
2089 key = copied_key =
2090 memcpy(tmp + __alignof__(uint64_t)
2091 - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len);
2092 }
2093
2094 if ((salt - (char *)0) % __alignof__(uint64_t) != 0)
2095 {
2096 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
2097 salt = copied_salt =
2098 memcpy(tmp + __alignof__(uint64_t)
2099 - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len);
2100 }
2101
2102 /* Prepare for the real work. */
2103 rb_sha512_init_ctx(&ctx);
2104
2105 /* Add the key string. */
2106 rb_sha512_process_bytes(key, key_len, &ctx);
2107
2108 /* The last part is the salt string. This must be at most 16
2109 characters and it ends at the first `$' character (for
2110 compatibility with existing implementations). */
2111 rb_sha512_process_bytes(salt, salt_len, &ctx);
2112
2113
2114 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2115 final result will be added to the first context. */
2116 rb_sha512_init_ctx(&alt_ctx);
2117
2118 /* Add key. */
2119 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2120
2121 /* Add salt. */
2122 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2123
2124 /* Add key again. */
2125 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2126
2127 /* Now get result of this (64 bytes) and add it to the other
2128 context. */
2129 rb_sha512_finish_ctx(&alt_ctx, alt_result);
2130
2131 /* Add for any character in the key one byte of the alternate sum. */
2132 for (cnt = key_len; cnt > 64; cnt -= 64)
2133 rb_sha512_process_bytes(alt_result, 64, &ctx);
2134 rb_sha512_process_bytes(alt_result, cnt, &ctx);
2135
2136 /* Take the binary representation of the length of the key and for every
2137 1 add the alternate sum, for every 0 the key. */
2138 for (cnt = key_len; cnt > 0; cnt >>= 1)
2139 if ((cnt & 1) != 0)
2140 rb_sha512_process_bytes(alt_result, 64, &ctx);
2141 else
2142 rb_sha512_process_bytes(key, key_len, &ctx);
2143
2144 /* Create intermediate result. */
2145 rb_sha512_finish_ctx(&ctx, alt_result);
2146
2147 /* Start computation of P byte sequence. */
2148 rb_sha512_init_ctx(&alt_ctx);
2149
2150 /* For every character in the password add the entire password. */
2151 for (cnt = 0; cnt < key_len; ++cnt)
2152 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2153
2154 /* Finish the digest. */
2155 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2156
2157 /* Create byte sequence P. */
2158 cp = p_bytes = alloca(key_len);
2159 for (cnt = key_len; cnt >= 64; cnt -= 64)
2160 {
2161 memcpy(cp, temp_result, 64);
2162 cp += 64;
2163 }
2164 memcpy(cp, temp_result, cnt);
2165
2166 /* Start computation of S byte sequence. */
2167 rb_sha512_init_ctx(&alt_ctx);
2168
2169 /* For every character in the password add the entire password. */
86044bd2 2170 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
12e39525
JH		 2171 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2172
2173 /* Finish the digest. */
2174 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2175
2176 /* Create byte sequence S. */
2177 cp = s_bytes = alloca(salt_len);
2178 for (cnt = salt_len; cnt >= 64; cnt -= 64)
2179 {
2180 memcpy(cp, temp_result, 64);
2181 cp += 64;
2182 }
2183 memcpy(cp, temp_result, cnt);
2184
2185 /* Repeatedly run the collected hash value through SHA512 to burn
2186 CPU cycles. */
2187 for (cnt = 0; cnt < rounds; ++cnt)
2188 {
2189 /* New context. */
2190 rb_sha512_init_ctx(&ctx);
2191
2192 /* Add key or last result. */
2193 if ((cnt & 1) != 0)
2194 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2195 else
2196 rb_sha512_process_bytes(alt_result, 64, &ctx);
2197
2198 /* Add salt for numbers not divisible by 3. */
2199 if (cnt % 3 != 0)
2200 rb_sha512_process_bytes(s_bytes, salt_len, &ctx);
2201
2202 /* Add key for numbers not divisible by 7. */
2203 if (cnt % 7 != 0)
2204 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2205
2206 /* Add key or last result. */
2207 if ((cnt & 1) != 0)
2208 rb_sha512_process_bytes(alt_result, 64, &ctx);
2209 else
2210 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2211
2212 /* Create intermediate result. */
2213 rb_sha512_finish_ctx(&ctx, alt_result);
2214 }
2215
2216 /* Now we can construct the result string. It consists of three
2217 parts. */
2218 memset(buffer, '\0', MAX(0, buflen));
2219 strncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
2220 if((cp = strchr(buffer, '\0')) == NULL)
2221 cp = buffer + MAX(0, buflen);
2222 buflen -= sizeof(sha512_salt_prefix) - 1;
2223
2224 if (rounds_custom)
2225 {
2226 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
2227 sha512_rounds_prefix, rounds);
2228 cp += n;
2229 buflen -= n;
2230 }
2231
2232 memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len));
2233 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
2234 if((cp = strchr(buffer, '\0')) == NULL)
2235 cp = buffer + salt_len;
2236 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
2237
2238 if (buflen > 0)
2239 {
2240 *cp++ = '$';
2241 --buflen;
2242 }
2243
2244 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
2245 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
2246 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
2247 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
2248 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
2249 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
2250 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
2251 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
2252 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
2253 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
2254 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
2255 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
2256 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
2257 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
2258 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
2259 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
2260 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
2261 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
2262 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
2263 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
2264 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
2265 b64_from_24bit(0, 0, alt_result[63], 2);
2266
2267 if (buflen <= 0)
2268 {
2269 errno = ERANGE;
2270 buffer = NULL;
2271 }
2272 else
2273 *cp = '\0'; /* Terminate the string. */
2274
2275 /* Clear the buffer for the intermediate result so that people
2276 attaching to processes or reading core dumps cannot get any
2277 information. We do it in this way to clear correct_words[]
2278 inside the SHA512 implementation as well. */
2279 rb_sha512_init_ctx(&ctx);
2280 rb_sha512_finish_ctx(&ctx, alt_result);
2281 memset(temp_result, '\0', sizeof(temp_result));
2282 memset(p_bytes, '\0', key_len);
2283 memset(s_bytes, '\0', salt_len);
2284 memset(&ctx, '\0', sizeof(ctx));
2285 memset(&alt_ctx, '\0', sizeof(alt_ctx));
2286 if (copied_key != NULL)
2287 memset(copied_key, '\0', key_len);
2288 if (copied_salt != NULL)
2289 memset(copied_salt, '\0', salt_len);
2290
2291 return buffer;
2292}
2293
2294
2295/* This entry point is equivalent to the `crypt' function in Unix
2296 libcs. */
2297static char *rb_sha512_crypt(const char *key, const char *salt)
2298{
2299 /* We don't want to have an arbitrary limit in the size of the
2300 password. We can compute an upper bound for the size of the
2301 result in advance and so we can prepare the buffer we pass to
2302 `rb_sha512_crypt_r'. */
2303 static char *buffer;
2304 static int buflen;
2305 int needed = (sizeof(sha512_salt_prefix) - 1
2306 + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1);
2307
2308 if (buflen < needed)
2309 {
2310 char *new_buffer = (char *)realloc(buffer, needed);
2311 if (new_buffer == NULL)
2312 return NULL;
2313
2314 buffer = new_buffer;
2315 buflen = needed;
2316 }
b57f37fb 2317
12e39525 2318 return rb_sha512_crypt_r(key, salt, buffer, buflen);
b57f37fb
WP		 2319}
2320
44e6a470
EJM		 2321
2322/* And now blowfish */
2323/*
2324 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
2325 * All rights reserved.
2326 *
2327 * Redistribution and use in source and binary forms, with or without
2328 * modification, are permitted provided that the following conditions
2329 * are met:
2330 * 1. Redistributions of source code must retain the above copyright
2331 * notice, this list of conditions and the following disclaimer.
2332 * 2. Redistributions in binary form must reproduce the above copyright
2333 * notice, this list of conditions and the following disclaimer in the
2334 * documentation and/or other materials provided with the distribution.
2335 * 3. All advertising materials mentioning features or use of this software
2336 * must display the following acknowledgement:
2337 * This product includes software developed by Niels Provos.
2338 * 4. The name of the author may not be used to endorse or promote products
2339 * derived from this software without specific prior written permission.
2340 *
2341 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
2342 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2343 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
2344 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
2345 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2346 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
2347 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
2348 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
2349 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
2350 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2351 */
2352
2353/* Schneier states the maximum key length to be 56 bytes.
2354 * The way how the subkeys are initalized by the key up
2355 * to (N+2)*4 i.e. 72 bytes are utilized.
2356 * Warning: For normal blowfish encryption only 56 bytes
2357 * of the key affect all cipherbits.
2358 */
2359
2360#define BLF_N 16 /* Number of Subkeys */
2361
2362/* Blowfish context */
2363typedef struct BlowfishContext {
2364 uint32_t S[4][256]; /* S-Boxes */
2365 uint32_t P[BLF_N + 2]; /* Subkeys */
2366} blf_ctx;
2367
2368/* Raw access to customized Blowfish
2369 * blf_key is just:
2370 * Blowfish_initstate( state )
2371 * Blowfish_expand0state( state, key, keylen )
2372 */
2373
2374void Blowfish_initstate(blf_ctx *);
2375void Blowfish_expand0state(blf_ctx *, const uint8_t *, uint16_t);
2376void Blowfish_expandstate
2377 (blf_ctx *, const uint8_t *, uint16_t, const uint8_t *, uint16_t);
2378uint32_t Blowfish_stream2word(const uint8_t *, uint16_t, uint16_t *);
2379
2380void blf_enc(blf_ctx *, uint32_t *, uint16_t);
2381
2382/*
2383 * This code is derived from section 14.3 and the given source
2384 * in section V of Applied Cryptography, second edition.
2385 * Blowfish is an unpatented fast block cipher designed by
2386 * Bruce Schneier.
2387 */
2388
2389/*
2390 * FreeBSD implementation by Paul Herman <pherman@frenchfries.net>
2391 */
2392
2393/* Function for Feistel Networks */
2394
2395#define _F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
2396 + (s)[0x100 + (((x)>>16)&0xFF)]) \
2397 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
2398 + (s)[0x300 + ( (x) &0xFF)])
2399
2400#define BLFRND(s, p, i, j, n) (i ^= _F(s, j) ^ (p)[n])
2401
2402static void
2403Blowfish_encipher(blf_ctx *c, uint32_t *xl, uint32_t *xr)
2404{
2405 uint32_t Xl;
2406 uint32_t Xr;
2407 uint32_t *s = c->S[0];
2408 uint32_t *p = c->P;
2409
2410 Xl = *xl;
2411 Xr = *xr;
2412
2413 Xl ^= p[0];
2414 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
2415 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
2416 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
2417 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
2418 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
2419 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
2420 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
2421 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
2422
2423 *xl = Xr ^ p[17];
2424 *xr = Xl;
2425}
2426
2427void
2428Blowfish_initstate(blf_ctx *c)
2429{
2430
2431/* P-box and S-box tables initialized with digits of Pi */
2432
2433 const blf_ctx bf_initstate =
2434
2435 { {
2436 {
2437 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
2438 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
2439 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
2440 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
2441 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
2442 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
2443 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
2444 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
2445 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
2446 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
2447 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
2448 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
2449 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
2450 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
2451 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
2452 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
2453 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
2454 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
2455 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
2456 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
2457 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
2458 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
2459 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
2460 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
2461 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
2462 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
2463 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
2464 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
2465 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
2466 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
2467 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
2468 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
2469 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
2470 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
2471 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
2472 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
2473 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
2474 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
2475 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
2476 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
2477 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
2478 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
2479 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
2480 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
2481 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
2482 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
2483 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
2484 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
2485 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
2486 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
2487 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
2488 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
2489 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
2490 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
2491 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
2492 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
2493 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
2494 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
2495 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
2496 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
2497 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
2498 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
2499 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
2500 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
2501 {
2502 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
2503 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
2504 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
2505 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
2506 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
2507 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
2508 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
2509 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
2510 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
2511 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
2512 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
2513 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
2514 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
2515 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
2516 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
2517 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
2518 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
2519 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
2520 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
2521 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
2522 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
2523 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
2524 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
2525 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
2526 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
2527 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
2528 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
2529 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
2530 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
2531 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
2532 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
2533 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
2534 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
2535 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
2536 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
2537 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
2538 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
2539 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
2540 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
2541 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
2542 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
2543 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
2544 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
2545 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
2546 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
2547 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
2548 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
2549 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
2550 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
2551 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
2552 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
2553 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
2554 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
2555 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
2556 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
2557 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
2558 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
2559 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
2560 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
2561 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
2562 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
2563 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
2564 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
2565 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
2566 {
2567 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
2568 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
2569 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
2570 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
2571 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
2572 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
2573 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
2574 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
2575 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
2576 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
2577 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
2578 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
2579 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
2580 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
2581 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
2582 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
2583 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
2584 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
2585 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
2586 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
2587 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
2588 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
2589 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
2590 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
2591 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
2592 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
2593 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
2594 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
2595 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
2596 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
2597 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
2598 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
2599 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
2600 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
2601 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
2602 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
2603 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
2604 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
2605 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
2606 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
2607 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
2608 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
2609 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
2610 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
2611 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
2612 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
2613 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
2614 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
2615 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
2616 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
2617 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
2618 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
2619 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
2620 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
2621 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
2622 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
2623 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
2624 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
2625 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
2626 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
2627 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
2628 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
2629 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
2630 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
2631 {
2632 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
2633 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
2634 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
2635 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
2636 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
2637 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
2638 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
2639 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
2640 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
2641 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
2642 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
2643 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
2644 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
2645 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
2646 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
2647 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
2648 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
2649 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
2650 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
2651 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
2652 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
2653 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
2654 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
2655 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
2656 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
2657 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
2658 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
2659 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
2660 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
2661 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
2662 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
2663 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
2664 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
2665 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
2666 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
2667 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
2668 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
2669 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
2670 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
2671 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
2672 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
2673 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
2674 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
2675 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
2676 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
2677 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
2678 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
2679 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
2680 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
2681 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
2682 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
2683 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
2684 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
2685 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
2686 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
2687 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
2688 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
2689 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
2690 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
2691 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
2692 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
2693 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
2694 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
2695 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
2696 },
2697 {
2698 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
2699 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
2700 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
2701 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
2702 0x9216d5d9, 0x8979fb1b
2703 } };
2704
2705 *c = bf_initstate;
2706
2707}
2708
2709uint32_t
2710Blowfish_stream2word(const uint8_t *data, uint16_t databytes,
2711 uint16_t *current)
2712{
2713 uint8_t i;
2714 uint16_t j;
2715 uint32_t temp;
2716
2717 temp = 0x00000000;
2718 j = *current;
2719
2720 for (i = 0; i < 4; i++, j++) {
2721 if (j >= databytes)
2722 j = 0;
2723 temp = (temp << 8) | data[j];
2724 }
2725
2726 *current = j;
2727 return temp;
2728}
2729
2730void
2731Blowfish_expand0state(blf_ctx *c, const uint8_t *key, uint16_t keybytes)
2732{
2733 uint16_t i;
2734 uint16_t j;
2735 uint16_t k;
2736 uint32_t temp;
2737 uint32_t datal;
2738 uint32_t datar;
2739
2740 j = 0;
2741 for (i = 0; i < BLF_N + 2; i++) {
2742 /* Extract 4 int8 to 1 int32 from keystream */
2743 temp = Blowfish_stream2word(key, keybytes, &j);
2744 c->P[i] = c->P[i] ^ temp;
2745 }
2746
2747 j = 0;
2748 datal = 0x00000000;
2749 datar = 0x00000000;
2750 for (i = 0; i < BLF_N + 2; i += 2) {
2751 Blowfish_encipher(c, &datal, &datar);
2752
2753 c->P[i] = datal;
2754 c->P[i + 1] = datar;
2755 }
2756
2757 for (i = 0; i < 4; i++) {
2758 for (k = 0; k < 256; k += 2) {
2759 Blowfish_encipher(c, &datal, &datar);
2760
2761 c->S[i][k] = datal;
2762 c->S[i][k + 1] = datar;
2763 }
2764 }
2765}
2766
2767void
2768Blowfish_expandstate(blf_ctx *c, const uint8_t *data, uint16_t databytes,
2769 const uint8_t *key, uint16_t keybytes)
2770{
2771 uint16_t i;
2772 uint16_t j;
2773 uint16_t k;
2774 uint32_t temp;
2775 uint32_t datal;
2776 uint32_t datar;
2777
2778 j = 0;
2779 for (i = 0; i < BLF_N + 2; i++) {
2780 /* Extract 4 int8 to 1 int32 from keystream */
2781 temp = Blowfish_stream2word(key, keybytes, &j);
2782 c->P[i] = c->P[i] ^ temp;
2783 }
2784
2785 j = 0;
2786 datal = 0x00000000;
2787 datar = 0x00000000;
2788 for (i = 0; i < BLF_N + 2; i += 2) {
2789 datal ^= Blowfish_stream2word(data, databytes, &j);
2790 datar ^= Blowfish_stream2word(data, databytes, &j);
2791 Blowfish_encipher(c, &datal, &datar);
2792
2793 c->P[i] = datal;
2794 c->P[i + 1] = datar;
2795 }
2796
2797 for (i = 0; i < 4; i++) {
2798 for (k = 0; k < 256; k += 2) {
2799 datal ^= Blowfish_stream2word(data, databytes, &j);
2800 datar ^= Blowfish_stream2word(data, databytes, &j);
2801 Blowfish_encipher(c, &datal, &datar);
2802
2803 c->S[i][k] = datal;
2804 c->S[i][k + 1] = datar;
2805 }
2806 }
2807
2808}
2809
2810void
2811blf_enc(blf_ctx *c, uint32_t *data, uint16_t blocks)
2812{
2813 uint32_t *d;
2814 uint16_t i;
2815
2816 d = data;
2817 for (i = 0; i < blocks; i++) {
2818 Blowfish_encipher(c, d, d + 1);
2819 d += 2;
2820 }
2821}
2822
2823/* This password hashing algorithm was designed by David Mazieres
2824 * <dm@lcs.mit.edu> and works as follows:
2825 *
2826 * 1. state := InitState ()
2827 * 2. state := ExpandKey (state, salt, password) 3.
2828 * REPEAT rounds:
2829 * state := ExpandKey (state, 0, salt)
2830 * state := ExpandKey(state, 0, password)
2831 * 4. ctext := "OrpheanBeholderScryDoubt"
2832 * 5. REPEAT 64:
2833 * ctext := Encrypt_ECB (state, ctext);
2834 * 6. RETURN Concatenate (salt, ctext);
2835 *
2836 */
2837
2838/*
2839 * FreeBSD implementation by Paul Herman
2840 */
2841/* This implementation is adaptable to current computing power.
2842 * You can have up to 2^31 rounds which should be enough for some
2843 * time to come.
2844 */
2845
2846#define BCRYPT_VERSION '2'
2847#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
2848#define BCRYPT_BLOCKS 6 /* Ciphertext blocks */
2849#define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */
2850
2851static void encode_base64(uint8_t *, uint8_t *, uint16_t);
2852static void decode_base64(uint8_t *, uint16_t, const uint8_t *);
2853
2854static char encrypted[512]; /* Shouldn't grow more than this */
2855static char error[] = ":";
2856
2857static const uint8_t Base64Code[] =
2858"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
2859
2860static const uint8_t index_64[128] =
2861{
2862 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
2863 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
2864 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
2865 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
2866 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
2867 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
2868 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
2869 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
2870 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
2871 255, 255, 255, 255, 255, 255, 28, 29, 30,
2872 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
2873 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
2874 51, 52, 53, 255, 255, 255, 255, 255
2875};
2876#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
2877
2878static void
2879decode_base64(uint8_t *buffer, uint16_t len, const uint8_t *data)
2880{
2881 uint8_t *bp = buffer;
2882 const uint8_t *p = data;
2883 uint8_t c1, c2, c3, c4;
2884 while (bp < buffer + len) {
2885 c1 = CHAR64(*p);
2886 c2 = CHAR64(*(p + 1));
2887
2888 /* Invalid data */
2889 if (c1 == 255 || c2 == 255)
2890 break;
2891
2892 *bp++ = (uint8_t)((c1 << 2) | ((c2 & 0x30) >> 4));
2893 if (bp >= buffer + len)
2894 break;
2895
2896 c3 = CHAR64(*(p + 2));
2897 if (c3 == 255)
2898 break;
2899
2900 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
2901 if (bp >= buffer + len)
2902 break;
2903
2904 c4 = CHAR64(*(p + 3));
2905 if (c4 == 255)
2906 break;
2907 *bp++ = ((c3 & 0x03) << 6) | c4;
2908
2909 p += 4;
2910 }
2911}
2912
2913/* We handle $Vers$log2(NumRounds)$salt+passwd$
2914 i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */
2915
2916char *
2917rb_blowfish_crypt(const char *key, const char *salt)
2918{
2919 blf_ctx state;
2920 uint32_t rounds, i, k;
2921 uint16_t j;
2922 uint8_t key_len, salt_len, logr, minr;
2923 uint8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
2924 uint8_t csalt[BCRYPT_MAXSALT];
2925 uint32_t cdata[BCRYPT_BLOCKS];
2926 static const char *magic = "$2a$04$";
2927
2928 /* Defaults */
2929 minr = 'a';
2930 logr = 4;
2931 rounds = 1 << logr;
2932
2933 /* If it starts with the magic string, then skip that */
2934 if(!strncmp(salt, magic, strlen(magic))) {
2935 salt += strlen(magic);
2936 }
2937 else if (*salt == '$') {
2938
2939 /* Discard "$" identifier */
2940 salt++;
2941
2942 if (*salt > BCRYPT_VERSION) {
2943 /* How do I handle errors ? Return ':' */
2944 return error;
2945 }
2946
2947 /* Check for minor versions */
2948 if (salt[1] != '$') {
2949 switch (salt[1]) {
2950 case 'a':
2951 /* 'ab' should not yield the same as 'abab' */
2952 minr = (uint8_t)salt[1];
2953 salt++;
2954 break;
2955 default:
2956 return error;
2957 }
2958 } else
2959 minr = 0;
2960
2961 /* Discard version + "$" identifier */
2962 salt += 2;
2963
2964 if (salt[2] != '$')
2965 /* Out of sync with passwd entry */
2966 return error;
2967
2968 /* Computer power doesnt increase linear, 2^x should be fine */
2969 logr = (uint8_t)atoi(salt);
2970 rounds = 1 << logr;
2971 if (rounds < BCRYPT_MINROUNDS)
2972 return error;
2973
2974 /* Discard num rounds + "$" identifier */
2975 salt += 3;
2976 }
2977
2978
2979 /* We dont want the base64 salt but the raw data */
2980 decode_base64(csalt, BCRYPT_MAXSALT, (const uint8_t *)salt);
2981 salt_len = BCRYPT_MAXSALT;
2982 key_len = (uint8_t)(strlen(key) + (minr >= 'a' ? 1 : 0));
2983
2984 /* Setting up S-Boxes and Subkeys */
2985 Blowfish_initstate(&state);
2986 Blowfish_expandstate(&state, csalt, salt_len,
2987 (const uint8_t *) key, key_len);
2988 for (k = 0; k < rounds; k++) {
2989 Blowfish_expand0state(&state, (const uint8_t *) key, key_len);
2990 Blowfish_expand0state(&state, csalt, salt_len);
2991 }
2992
2993 /* This can be precomputed later */
2994 j = 0;
2995 for (i = 0; i < BCRYPT_BLOCKS; i++)
2996 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j);
2997
2998 /* Now do the encryption */
2999 for (k = 0; k < 64; k++)
3000 blf_enc(&state, cdata, BCRYPT_BLOCKS / 2);
3001
3002 for (i = 0; i < BCRYPT_BLOCKS; i++) {
3003 ciphertext[4 * i + 3] = cdata[i] & 0xff;
3004 cdata[i] = cdata[i] >> 8;
3005 ciphertext[4 * i + 2] = cdata[i] & 0xff;
3006 cdata[i] = cdata[i] >> 8;
3007 ciphertext[4 * i + 1] = cdata[i] & 0xff;
3008 cdata[i] = cdata[i] >> 8;
3009 ciphertext[4 * i + 0] = cdata[i] & 0xff;
3010 }
3011
3012
3013 i = 0;
3014 encrypted[i++] = '$';
3015 encrypted[i++] = BCRYPT_VERSION;
3016 if (minr)
3017 encrypted[i++] = (int8_t)minr;
3018 encrypted[i++] = '$';
3019
3020 snprintf(encrypted + i, 4, "%2.2u$", logr);
3021
3022 encode_base64((uint8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT);
3023 encode_base64((uint8_t *) encrypted + strlen(encrypted), ciphertext,
3024 4 * BCRYPT_BLOCKS - 1);
3025 return encrypted;
3026}
3027
3028static void
3029encode_base64(uint8_t *buffer, uint8_t *data, uint16_t len)
3030{
3031 uint8_t *bp = buffer;
3032 uint8_t *p = data;
3033 uint8_t c1, c2;
3034 while (p < data + len) {
3035 c1 = *p++;
3036 *bp++ = Base64Code[(c1 >> 2)];
3037 c1 = (c1 & 0x03) << 4;
3038 if (p >= data + len) {
3039 *bp++ = Base64Code[c1];
3040 break;
3041 }
3042 c2 = *p++;
3043 c1 |= (c2 >> 4) & 0x0f;
3044 *bp++ = Base64Code[c1];
3045 c1 = (c2 & 0x0f) << 2;
3046 if (p >= data + len) {
3047 *bp++ = Base64Code[c1];
3048 break;
3049 }
3050 c2 = *p++;
3051 c1 |= (c2 >> 6) & 0x03;
3052 *bp++ = Base64Code[c1];
3053 *bp++ = Base64Code[c2 & 0x3f];
3054 }
3055 *bp = '\0';
3056}
Unnamed repository; edit this file 'description' to name the repository.