]> jfr.im git - irc/rqf/shadowircd.git/blob - libratbox/src/crypt.c
projects / irc / rqf / shadowircd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix compiler warnings.
[irc/rqf/shadowircd.git] / libratbox / src / crypt.c
1 /*
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
6 */
7
8 /*
9 * crypt() for uClibc
10 *
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
23 * for more details.
24 *
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 */
29
30 #include <libratbox_config.h>
31 #include <ratbox_lib.h>
32
33 static char *rb_md5_crypt(const char *pw, const char *salt);
34 static char *rb_des_crypt(const char *pw, const char *salt);
35 static char *rb_sha256_crypt(const char *key, const char *salt);
36 static char *rb_sha512_crypt(const char *key, const char *salt);
37
38 char *
39 rb_crypt(const char *key, const char *salt)
40 {
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt[0] == '$' && salt[2] == '$')
44 {
45 switch(salt[1])
46 {
47 case '1':
48 return rb_md5_crypt(key, salt);
49 break;
50 case '5':
51 return rb_sha256_crypt(key, salt);
52 break;
53 case '6':
54 return rb_sha512_crypt(key, salt);
55 break;
56 default:
57 return NULL;
58 break;
59 };
60 }
61 else
62 return rb_des_crypt(key, salt);
63 }
64
65 #define b64_from_24bit(B2, B1, B0, N) \
66 do \
67 { \
68 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
69 int n = (N); \
70 while (n-- > 0 && buflen > 0) \
71 { \
72 *cp++ = ascii64[w & 0x3f]; \
73 --buflen; \
74 w >>= 6; \
75 } \
76 } while (0)
77
78 #ifndef MAX
79 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
80 #endif
81 #ifndef MIN
82 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
83 #endif
84
85 /* Here is the des crypt() stuff */
86
87 /*
88 * FreeSec: libcrypt for NetBSD
89 *
90 * Copyright (c) 1994 David Burren
91 * All rights reserved.
92 *
93 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
94 * this file should now *only* export crypt(), in order to make
95 * binaries of libcrypt exportable from the USA
96 *
97 * Adapted for FreeBSD-4.0 by Mark R V Murray
98 * this file should now *only* export crypt_des(), in order to make
99 * a module that can be optionally included in libcrypt.
100 *
101 * Redistribution and use in source and binary forms, with or without
102 * modification, are permitted provided that the following conditions
103 * are met:
104 * 1. Redistributions of source code must retain the above copyright
105 * notice, this list of conditions and the following disclaimer.
106 * 2. Redistributions in binary form must reproduce the above copyright
107 * notice, this list of conditions and the following disclaimer in the
108 * documentation and/or other materials provided with the distribution.
109 * 3. Neither the name of the author nor the names of other contributors
110 * may be used to endorse or promote products derived from this software
111 * without specific prior written permission.
112 *
113 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
114 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
115 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
116 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
117 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
118 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
119 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
120 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
121 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
122 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
123 * SUCH DAMAGE.
124 *
125 * This is an original implementation of the DES and the crypt(3) interfaces
126 * by David Burren <davidb@werj.com.au>.
127 *
128 * An excellent reference on the underlying algorithm (and related
129 * algorithms) is:
130 *
131 * B. Schneier, Applied Cryptography: protocols, algorithms,
132 * and source code in C, John Wiley & Sons, 1994.
133 *
134 * Note that in that book's description of DES the lookups for the initial,
135 * pbox, and final permutations are inverted (this has been brought to the
136 * attention of the author). A list of errata for this book has been
137 * posted to the sci.crypt newsgroup by the author and is available for FTP.
138 *
139 * ARCHITECTURE ASSUMPTIONS:
140 * It is assumed that the 8-byte arrays passed by reference can be
141 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
142 * alignment).
143 */
144
145
146 /* Re-entrantify me -- all this junk needs to be in
147 * struct crypt_data to make this really reentrant... */
148 static uint8_t inv_key_perm[64];
149 static uint8_t inv_comp_perm[56];
150 static uint8_t u_sbox[8][64];
151 static uint8_t un_pbox[32];
152 static uint32_t en_keysl[16], en_keysr[16];
153 static uint32_t de_keysl[16], de_keysr[16];
154 static uint32_t ip_maskl[8][256], ip_maskr[8][256];
155 static uint32_t fp_maskl[8][256], fp_maskr[8][256];
156 static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
157 static uint32_t comp_maskl[8][128], comp_maskr[8][128];
158 static uint32_t saltbits;
159 static uint32_t old_salt;
160 static uint32_t old_rawkey0, old_rawkey1;
161
162
163 /* Static stuff that stays resident and doesn't change after
164 * being initialized, and therefore doesn't need to be made
165 * reentrant. */
166 static uint8_t init_perm[64], final_perm[64];
167 static uint8_t m_sbox[4][4096];
168 static uint32_t psbox[4][256];
169
170 /* A pile of data */
171 static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
172
173 static const uint8_t IP[64] = {
174 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
175 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
176 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
177 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
178 };
179
180 static const uint8_t key_perm[56] = {
181 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
182 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
183 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
184 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
185 };
186
187 static const uint8_t key_shifts[16] = {
188 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
189 };
190
191 static const uint8_t comp_perm[48] = {
192 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
193 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
194 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
195 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
196 };
197
198 /*
199 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
200 */
201
202 static const uint8_t sbox[8][64] = {
203 {
204 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
205 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
206 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
207 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
208 {
209 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
210 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
211 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
212 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
213 {
214 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
215 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
216 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
217 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
218 {
219 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
220 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
221 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
222 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
223 {
224 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
225 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
226 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
227 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
228 {
229 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
230 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
231 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
232 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
233 {
234 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
235 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
236 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
237 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
238 {
239 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
240 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
241 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
242 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
243 };
244
245 static const uint8_t pbox[32] = {
246 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
247 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
248 };
249
250 static const uint32_t bits32[32] = {
251 0x80000000, 0x40000000, 0x20000000, 0x10000000,
252 0x08000000, 0x04000000, 0x02000000, 0x01000000,
253 0x00800000, 0x00400000, 0x00200000, 0x00100000,
254 0x00080000, 0x00040000, 0x00020000, 0x00010000,
255 0x00008000, 0x00004000, 0x00002000, 0x00001000,
256 0x00000800, 0x00000400, 0x00000200, 0x00000100,
257 0x00000080, 0x00000040, 0x00000020, 0x00000010,
258 0x00000008, 0x00000004, 0x00000002, 0x00000001
259 };
260
261 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
262
263 static const uint32_t *bits28, *bits24;
264
265
266 static int
267 rb_ascii_to_bin(char ch)
268 {
269 if(ch > 'z')
270 return (0);
271 if(ch >= 'a')
272 return (ch - 'a' + 38);
273 if(ch > 'Z')
274 return (0);
275 if(ch >= 'A')
276 return (ch - 'A' + 12);
277 if(ch > '9')
278 return (0);
279 if(ch >= '.')
280 return (ch - '.');
281 return (0);
282 }
283
284 static void
285 rb_des_init(void)
286 {
287 int i, j, b, k, inbit, obit;
288 uint32_t *p, *il, *ir, *fl, *fr;
289 static int rb_des_initialised = 0;
290
291 if(rb_des_initialised == 1)
292 return;
293
294 old_rawkey0 = old_rawkey1 = 0L;
295 saltbits = 0L;
296 old_salt = 0L;
297 bits24 = (bits28 = bits32 + 4) + 4;
298
299 /*
300 * Invert the S-boxes, reordering the input bits.
301 */
302 for(i = 0; i < 8; i++)
303 for(j = 0; j < 64; j++)
304 {
305 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
306 u_sbox[i][j] = sbox[i][b];
307 }
308
309 /*
310 * Convert the inverted S-boxes into 4 arrays of 8 bits.
311 * Each will handle 12 bits of the S-box input.
312 */
313 for(b = 0; b < 4; b++)
314 for(i = 0; i < 64; i++)
315 for(j = 0; j < 64; j++)
316 m_sbox[b][(i << 6) | j] =
317 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
318 u_sbox[(b << 1) + 1][j]);
319
320 /*
321 * Set up the initial & final permutations into a useful form, and
322 * initialise the inverted key permutation.
323 */
324 for(i = 0; i < 64; i++)
325 {
326 init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i;
327 inv_key_perm[i] = 255;
328 }
329
330 /*
331 * Invert the key permutation and initialise the inverted key
332 * compression permutation.
333 */
334 for(i = 0; i < 56; i++)
335 {
336 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
337 inv_comp_perm[i] = 255;
338 }
339
340 /*
341 * Invert the key compression permutation.
342 */
343 for(i = 0; i < 48; i++)
344 {
345 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
346 }
347
348 /*
349 * Set up the OR-mask arrays for the initial and final permutations,
350 * and for the key initial and compression permutations.
351 */
352 for(k = 0; k < 8; k++)
353 {
354 for(i = 0; i < 256; i++)
355 {
356 *(il = &ip_maskl[k][i]) = 0L;
357 *(ir = &ip_maskr[k][i]) = 0L;
358 *(fl = &fp_maskl[k][i]) = 0L;
359 *(fr = &fp_maskr[k][i]) = 0L;
360 for(j = 0; j < 8; j++)
361 {
362 inbit = 8 * k + j;
363 if(i & bits8[j])
364 {
365 if((obit = init_perm[inbit]) < 32)
366 *il |= bits32[obit];
367 else
368 *ir |= bits32[obit - 32];
369 if((obit = final_perm[inbit]) < 32)
370 *fl |= bits32[obit];
371 else
372 *fr |= bits32[obit - 32];
373 }
374 }
375 }
376 for(i = 0; i < 128; i++)
377 {
378 *(il = &key_perm_maskl[k][i]) = 0L;
379 *(ir = &key_perm_maskr[k][i]) = 0L;
380 for(j = 0; j < 7; j++)
381 {
382 inbit = 8 * k + j;
383 if(i & bits8[j + 1])
384 {
385 if((obit = inv_key_perm[inbit]) == 255)
386 continue;
387 if(obit < 28)
388 *il |= bits28[obit];
389 else
390 *ir |= bits28[obit - 28];
391 }
392 }
393 *(il = &comp_maskl[k][i]) = 0L;
394 *(ir = &comp_maskr[k][i]) = 0L;
395 for(j = 0; j < 7; j++)
396 {
397 inbit = 7 * k + j;
398 if(i & bits8[j + 1])
399 {
400 if((obit = inv_comp_perm[inbit]) == 255)
401 continue;
402 if(obit < 24)
403 *il |= bits24[obit];
404 else
405 *ir |= bits24[obit - 24];
406 }
407 }
408 }
409 }
410
411 /*
412 * Invert the P-box permutation, and convert into OR-masks for
413 * handling the output of the S-box arrays setup above.
414 */
415 for(i = 0; i < 32; i++)
416 un_pbox[pbox[i] - 1] = (uint8_t)i;
417
418 for(b = 0; b < 4; b++)
419 for(i = 0; i < 256; i++)
420 {
421 *(p = &psbox[b][i]) = 0L;
422 for(j = 0; j < 8; j++)
423 {
424 if(i & bits8[j])
425 *p |= bits32[un_pbox[8 * b + j]];
426 }
427 }
428
429 rb_des_initialised = 1;
430 }
431
432
433 static void
434 rb_setup_salt(long salt)
435 {
436 uint32_t obit, saltbit;
437 int i;
438
439 if(salt == (long)old_salt)
440 return;
441 old_salt = salt;
442
443 saltbits = 0L;
444 saltbit = 1;
445 obit = 0x800000;
446 for(i = 0; i < 24; i++)
447 {
448 if(salt & saltbit)
449 saltbits |= obit;
450 saltbit <<= 1;
451 obit >>= 1;
452 }
453 }
454
455 static int
456 rb_des_setkey(const char *key)
457 {
458 uint32_t k0, k1, rawkey0, rawkey1;
459 int shifts, round;
460
461 rb_des_init();
462
463 rawkey0 = ntohl(*(const uint32_t *)key);
464 rawkey1 = ntohl(*(const uint32_t *)(key + 4));
465
466 if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1)
467 {
468 /*
469 * Already setup for this key.
470 * This optimisation fails on a zero key (which is weak and
471 * has bad parity anyway) in order to simplify the starting
472 * conditions.
473 */
474 return (0);
475 }
476 old_rawkey0 = rawkey0;
477 old_rawkey1 = rawkey1;
478
479 /*
480 * Do key permutation and split into two 28-bit subkeys.
481 */
482 k0 = key_perm_maskl[0][rawkey0 >> 25]
483 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
484 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
485 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
486 | key_perm_maskl[4][rawkey1 >> 25]
487 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
488 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
489 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
490 k1 = key_perm_maskr[0][rawkey0 >> 25]
491 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
492 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
493 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
494 | key_perm_maskr[4][rawkey1 >> 25]
495 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
496 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
497 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
498 /*
499 * Rotate subkeys and do compression permutation.
500 */
501 shifts = 0;
502 for(round = 0; round < 16; round++)
503 {
504 uint32_t t0, t1;
505
506 shifts += key_shifts[round];
507
508 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
509 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
510
511 de_keysl[15 - round] =
512 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
513 | comp_maskl[1][(t0 >> 14) & 0x7f]
514 | comp_maskl[2][(t0 >> 7) & 0x7f]
515 | comp_maskl[3][t0 & 0x7f]
516 | comp_maskl[4][(t1 >> 21) & 0x7f]
517 | comp_maskl[5][(t1 >> 14) & 0x7f]
518 | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f];
519
520 de_keysr[15 - round] =
521 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
522 | comp_maskr[1][(t0 >> 14) & 0x7f]
523 | comp_maskr[2][(t0 >> 7) & 0x7f]
524 | comp_maskr[3][t0 & 0x7f]
525 | comp_maskr[4][(t1 >> 21) & 0x7f]
526 | comp_maskr[5][(t1 >> 14) & 0x7f]
527 | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f];
528 }
529 return (0);
530 }
531
532 static int
533 rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count)
534 {
535 /*
536 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
537 */
538 uint32_t l, r, *kl, *kr, *kl1, *kr1;
539 uint32_t f, r48l, r48r;
540 int round;
541
542 if(count == 0)
543 {
544 return (1);
545 }
546 else if(count > 0)
547 {
548 /*
549 * Encrypting
550 */
551 kl1 = en_keysl;
552 kr1 = en_keysr;
553 }
554 else
555 {
556 /*
557 * Decrypting
558 */
559 count = -count;
560 kl1 = de_keysl;
561 kr1 = de_keysr;
562 }
563
564 /*
565 * Do initial permutation (IP).
566 */
567 l = ip_maskl[0][l_in >> 24]
568 | ip_maskl[1][(l_in >> 16) & 0xff]
569 | ip_maskl[2][(l_in >> 8) & 0xff]
570 | ip_maskl[3][l_in & 0xff]
571 | ip_maskl[4][r_in >> 24]
572 | ip_maskl[5][(r_in >> 16) & 0xff]
573 | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff];
574 r = ip_maskr[0][l_in >> 24]
575 | ip_maskr[1][(l_in >> 16) & 0xff]
576 | ip_maskr[2][(l_in >> 8) & 0xff]
577 | ip_maskr[3][l_in & 0xff]
578 | ip_maskr[4][r_in >> 24]
579 | ip_maskr[5][(r_in >> 16) & 0xff]
580 | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff];
581
582 while(count--)
583 {
584 /*
585 * Do each round.
586 */
587 kl = kl1;
588 kr = kr1;
589 round = 16;
590 while(round--)
591 {
592 /*
593 * Expand R to 48 bits (simulate the E-box).
594 */
595 r48l = ((r & 0x00000001) << 23)
596 | ((r & 0xf8000000) >> 9)
597 | ((r & 0x1f800000) >> 11)
598 | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15);
599
600 r48r = ((r & 0x0001f800) << 7)
601 | ((r & 0x00001f80) << 5)
602 | ((r & 0x000001f8) << 3)
603 | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31);
604 /*
605 * Do salting for crypt() and friends, and
606 * XOR with the permuted key.
607 */
608 f = (r48l ^ r48r) & saltbits;
609 r48l ^= f ^ *kl++;
610 r48r ^= f ^ *kr++;
611 /*
612 * Do sbox lookups (which shrink it back to 32 bits)
613 * and do the pbox permutation at the same time.
614 */
615 f = psbox[0][m_sbox[0][r48l >> 12]]
616 | psbox[1][m_sbox[1][r48l & 0xfff]]
617 | psbox[2][m_sbox[2][r48r >> 12]]
618 | psbox[3][m_sbox[3][r48r & 0xfff]];
619 /*
620 * Now that we've permuted things, complete f().
621 */
622 f ^= l;
623 l = r;
624 r = f;
625 }
626 r = l;
627 l = f;
628 }
629 /*
630 * Do final permutation (inverse of IP).
631 */
632 *l_out = fp_maskl[0][l >> 24]
633 | fp_maskl[1][(l >> 16) & 0xff]
634 | fp_maskl[2][(l >> 8) & 0xff]
635 | fp_maskl[3][l & 0xff]
636 | fp_maskl[4][r >> 24]
637 | fp_maskl[5][(r >> 16) & 0xff]
638 | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff];
639 *r_out = fp_maskr[0][l >> 24]
640 | fp_maskr[1][(l >> 16) & 0xff]
641 | fp_maskr[2][(l >> 8) & 0xff]
642 | fp_maskr[3][l & 0xff]
643 | fp_maskr[4][r >> 24]
644 | fp_maskr[5][(r >> 16) & 0xff]
645 | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff];
646 return (0);
647 }
648
649 static char *
650 rb_des_crypt(const char *key, const char *setting)
651 {
652 uint32_t count, salt, l, r0, r1, keybuf[2];
653 uint8_t *p, *q;
654 static char output[21];
655
656 rb_des_init();
657
658 /*
659 * Copy the key, shifting each character up by one bit
660 * and padding with zeros.
661 */
662 q = (uint8_t *)keybuf;
663 while(q - (uint8_t *)keybuf - 8)
664 {
665 *q++ = *key << 1;
666 if(*(q - 1))
667 key++;
668 }
669 if(rb_des_setkey((char *)keybuf))
670 return (NULL);
671 {
672 /*
673 * "old"-style:
674 * setting - 2 bytes of salt
675 * key - up to 8 characters
676 */
677 count = 25;
678
679 salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]);
680
681 output[0] = setting[0];
682 /*
683 * If the encrypted password that the salt was extracted from
684 * is only 1 character long, the salt will be corrupted. We
685 * need to ensure that the output string doesn't have an extra
686 * NUL in it!
687 */
688 output[1] = setting[1] ? setting[1] : output[0];
689
690 p = (uint8_t *)output + 2;
691 }
692 rb_setup_salt(salt);
693 /*
694 * Do it.
695 */
696 if(rb_do_des(0L, 0L, &r0, &r1, (int)count))
697 return (NULL);
698 /*
699 * Now encode the result...
700 */
701 l = (r0 >> 8);
702 *p++ = ascii64[(l >> 18) & 0x3f];
703 *p++ = ascii64[(l >> 12) & 0x3f];
704 *p++ = ascii64[(l >> 6) & 0x3f];
705 *p++ = ascii64[l & 0x3f];
706
707 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
708 *p++ = ascii64[(l >> 18) & 0x3f];
709 *p++ = ascii64[(l >> 12) & 0x3f];
710 *p++ = ascii64[(l >> 6) & 0x3f];
711 *p++ = ascii64[l & 0x3f];
712
713 l = r1 << 2;
714 *p++ = ascii64[(l >> 12) & 0x3f];
715 *p++ = ascii64[(l >> 6) & 0x3f];
716 *p++ = ascii64[l & 0x3f];
717 *p = 0;
718
719 return (output);
720 }
721
722 /* Now md5 crypt */
723 /*
724 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
725 *
726 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
727 * rights reserved.
728 *
729 * License to copy and use this software is granted provided that it
730 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
731 * Algorithm" in all material mentioning or referencing this software
732 * or this function.
733 *
734 * License is also granted to make and use derivative works provided
735 * that such works are identified as "derived from the RSA Data
736 * Security, Inc. MD5 Message-Digest Algorithm" in all material
737 * mentioning or referencing the derived work.
738 *
739 * RSA Data Security, Inc. makes no representations concerning either
740 * the merchantability of this software or the suitability of this
741 * software for any particular purpose. It is provided "as is"
742 * without express or implied warranty of any kind.
743 *
744 * These notices must be retained in any copies of any part of this
745 * documentation and/or software.
746 *
747 * This code is the same as the code published by RSA Inc. It has been
748 * edited for clarity and style only.
749 */
750
751 #define MD5_BLOCK_LENGTH 64
752 #define MD5_DIGEST_LENGTH 16
753 #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1)
754 #define MD5_SIZE 16
755
756 static void
757 _crypt_to64(char *s, u_long v, int n)
758 {
759 while (--n >= 0) {
760 *s++ = ascii64[v&0x3f];
761 v >>= 6;
762 }
763 }
764
765 /* MD5 context. */
766 typedef struct MD5Context {
767 u_int32_t state[4]; /* state (ABCD) */
768 u_int32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */
769 unsigned char buffer[64]; /* input buffer */
770 } MD5_CTX;
771
772 static void MD5Transform(u_int32_t [4], const unsigned char [64]);
773 static void MD5Init (MD5_CTX *);
774 static void MD5Update (MD5_CTX *, const void *, unsigned int);
775 static void MD5Final (unsigned char [16], MD5_CTX *);
776
777 #if (BYTE_ORDER == LITTLE_ENDIAN)
778 #define Encode memcpy
779 #define Decode memcpy
780 #else
781
782 /*
783 * Encodes input (u_int32_t) into output (unsigned char). Assumes len is
784 * a multiple of 4.
785 */
786
787 static void
788 Encode (unsigned char *output, u_int32_t *input, unsigned int len)
789 {
790 unsigned int i;
791 u_int32_t *op = (u_int32_t *)output;
792
793 for (i = 0; i < len / 4; i++)
794 op[i] = htole32(input[i]);
795 }
796
797 /*
798 * Decodes input (unsigned char) into output (u_int32_t). Assumes len is
799 * a multiple of 4.
800 */
801
802 static void
803 Decode (u_int32_t *output, const unsigned char *input, unsigned int len)
804 {
805 unsigned int i;
806 const u_int32_t *ip = (const u_int32_t *)input;
807
808 for (i = 0; i < len / 4; i++)
809 output[i] = le32toh(ip[i]);
810 }
811 #endif
812
813 static unsigned char PADDING[64] = {
814 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
815 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
816 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
817 };
818
819 /* F, G, H and I are basic MD5 functions. */
820 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
821 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
822 #define H(x, y, z) ((x) ^ (y) ^ (z))
823 #define I(x, y, z) ((y) ^ ((x) | (~z)))
824
825 /* ROTATE_LEFT rotates x left n bits. */
826 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
827
828 /*
829 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
830 * Rotation is separate from addition to prevent recomputation.
831 */
832 #define FF(a, b, c, d, x, s, ac) { \
833 (a) += F ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
834 (a) = ROTATE_LEFT ((a), (s)); \
835 (a) += (b); \
836 }
837 #define GG(a, b, c, d, x, s, ac) { \
838 (a) += G ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
839 (a) = ROTATE_LEFT ((a), (s)); \
840 (a) += (b); \
841 }
842 #define HH(a, b, c, d, x, s, ac) { \
843 (a) += H ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
844 (a) = ROTATE_LEFT ((a), (s)); \
845 (a) += (b); \
846 }
847 #define II(a, b, c, d, x, s, ac) { \
848 (a) += I ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
849 (a) = ROTATE_LEFT ((a), (s)); \
850 (a) += (b); \
851 }
852
853 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
854
855 static void
856 MD5Init (context)
857 MD5_CTX *context;
858 {
859
860 context->count[0] = context->count[1] = 0;
861
862 /* Load magic initialization constants. */
863 context->state[0] = 0x67452301;
864 context->state[1] = 0xefcdab89;
865 context->state[2] = 0x98badcfe;
866 context->state[3] = 0x10325476;
867 }
868
869 /*
870 * MD5 block update operation. Continues an MD5 message-digest
871 * operation, processing another message block, and updating the
872 * context.
873 */
874
875 static void
876 MD5Update (context, in, inputLen)
877 MD5_CTX *context;
878 const void *in;
879 unsigned int inputLen;
880 {
881 unsigned int i, idx, partLen;
882 const unsigned char *input = in;
883
884 /* Compute number of bytes mod 64 */
885 idx = (unsigned int)((context->count[0] >> 3) & 0x3F);
886
887 /* Update number of bits */
888 if ((context->count[0] += ((u_int32_t)inputLen << 3))
889 < ((u_int32_t)inputLen << 3))
890 context->count[1]++;
891 context->count[1] += ((u_int32_t)inputLen >> 29);
892
893 partLen = 64 - idx;
894
895 /* Transform as many times as possible. */
896 if (inputLen >= partLen) {
897 memcpy((void *)&context->buffer[idx], (const void *)input,
898 partLen);
899 MD5Transform (context->state, context->buffer);
900
901 for (i = partLen; i + 63 < inputLen; i += 64)
902 MD5Transform (context->state, &input[i]);
903
904 idx = 0;
905 }
906 else
907 i = 0;
908
909 /* Buffer remaining input */
910 memcpy ((void *)&context->buffer[idx], (const void *)&input[i],
911 inputLen-i);
912 }
913
914 /*
915 * MD5 padding. Adds padding followed by original length.
916 */
917
918 static void
919 MD5Pad (context)
920 MD5_CTX *context;
921 {
922 unsigned char bits[8];
923 unsigned int idx, padLen;
924
925 /* Save number of bits */
926 Encode (bits, context->count, 8);
927
928 /* Pad out to 56 mod 64. */
929 idx = (unsigned int)((context->count[0] >> 3) & 0x3f);
930 padLen = (idx < 56) ? (56 - idx) : (120 - idx);
931 MD5Update (context, PADDING, padLen);
932
933 /* Append length (before padding) */
934 MD5Update (context, bits, 8);
935 }
936
937 /*
938 * MD5 finalization. Ends an MD5 message-digest operation, writing the
939 * the message digest and zeroizing the context.
940 */
941
942 static void
943 MD5Final (digest, context)
944 unsigned char digest[16];
945 MD5_CTX *context;
946 {
947 /* Do padding. */
948 MD5Pad (context);
949
950 /* Store state in digest */
951 Encode (digest, context->state, 16);
952
953 /* Zeroize sensitive information. */
954 memset ((void *)context, 0, sizeof (*context));
955 }
956
957 /* MD5 basic transformation. Transforms state based on block. */
958
959 static void
960 MD5Transform (state, block)
961 u_int32_t state[4];
962 const unsigned char block[64];
963 {
964 u_int32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
965
966 Decode (x, block, 64);
967
968 /* Round 1 */
969 #define S11 7
970 #define S12 12
971 #define S13 17
972 #define S14 22
973 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
974 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
975 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
976 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
977 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
978 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
979 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
980 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
981 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
982 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
983 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
984 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
985 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
986 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
987 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
988 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
989
990 /* Round 2 */
991 #define S21 5
992 #define S22 9
993 #define S23 14
994 #define S24 20
995 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
996 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
997 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
998 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
999 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
1000 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
1001 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
1002 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
1003 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
1004 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
1005 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
1006 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
1007 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
1008 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
1009 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
1010 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
1011
1012 /* Round 3 */
1013 #define S31 4
1014 #define S32 11
1015 #define S33 16
1016 #define S34 23
1017 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
1018 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
1019 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
1020 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
1021 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
1022 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
1023 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
1024 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
1025 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
1026 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
1027 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
1028 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
1029 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
1030 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
1031 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
1032 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
1033
1034 /* Round 4 */
1035 #define S41 6
1036 #define S42 10
1037 #define S43 15
1038 #define S44 21
1039 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
1040 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
1041 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
1042 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
1043 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
1044 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
1045 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
1046 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
1047 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
1048 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
1049 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
1050 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
1051 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
1052 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
1053 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
1054 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
1055
1056 state[0] += a;
1057 state[1] += b;
1058 state[2] += c;
1059 state[3] += d;
1060
1061 /* Zeroize sensitive information. */
1062 memset ((void *)x, 0, sizeof (x));
1063 }
1064
1065 /*
1066 * UNIX password
1067 */
1068
1069 static char *
1070 rb_md5_crypt(const char *pw, const char *salt)
1071 {
1072 MD5_CTX ctx,ctx1;
1073 unsigned long l;
1074 int sl, pl;
1075 u_int i;
1076 u_char final[MD5_SIZE];
1077 static const char *sp, *ep;
1078 static char passwd[120], *p;
1079 static const char *magic = "$1$";
1080
1081 /* Refine the Salt first */
1082 sp = salt;
1083
1084 /* If it starts with the magic string, then skip that */
1085 if(!strncmp(sp, magic, strlen(magic)))
1086 sp += strlen(magic);
1087
1088 /* It stops at the first '$', max 8 chars */
1089 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
1090 continue;
1091
1092 /* get the length of the true salt */
1093 sl = ep - sp;
1094
1095 MD5Init(&ctx);
1096
1097 /* The password first, since that is what is most unknown */
1098 MD5Update(&ctx, (const u_char *)pw, strlen(pw));
1099
1100 /* Then our magic string */
1101 MD5Update(&ctx, (const u_char *)magic, strlen(magic));
1102
1103 /* Then the raw salt */
1104 MD5Update(&ctx, (const u_char *)sp, (u_int)sl);
1105
1106 /* Then just as many characters of the MD5(pw,salt,pw) */
1107 MD5Init(&ctx1);
1108 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1109 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
1110 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1111 MD5Final(final, &ctx1);
1112 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
1113 MD5Update(&ctx, (const u_char *)final,
1114 (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl));
1115
1116 /* Don't leave anything around in vm they could use. */
1117 memset(final, 0, sizeof(final));
1118
1119 /* Then something really weird... */
1120 for (i = strlen(pw); i; i >>= 1)
1121 if(i & 1)
1122 MD5Update(&ctx, (const u_char *)final, 1);
1123 else
1124 MD5Update(&ctx, (const u_char *)pw, 1);
1125
1126 /* Now make the output string */
1127 rb_strlcpy(passwd, magic, sizeof(passwd));
1128 strncat(passwd, sp, (u_int)sl);
1129 rb_strlcat(passwd, "$", sizeof(passwd));
1130
1131 MD5Final(final, &ctx);
1132
1133 /*
1134 * and now, just to make sure things don't run too fast
1135 * On a 60 Mhz Pentium this takes 34 msec, so you would
1136 * need 30 seconds to build a 1000 entry dictionary...
1137 */
1138 for(i = 0; i < 1000; i++) {
1139 MD5Init(&ctx1);
1140 if(i & 1)
1141 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1142 else
1143 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
1144
1145 if(i % 3)
1146 MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
1147
1148 if(i % 7)
1149 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1150
1151 if(i & 1)
1152 MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
1153 else
1154 MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
1155 MD5Final(final, &ctx1);
1156 }
1157
1158 p = passwd + strlen(passwd);
1159
1160 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
1161 _crypt_to64(p, l, 4); p += 4;
1162 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
1163 _crypt_to64(p, l, 4); p += 4;
1164 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
1165 _crypt_to64(p, l, 4); p += 4;
1166 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
1167 _crypt_to64(p, l, 4); p += 4;
1168 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
1169 _crypt_to64(p, l, 4); p += 4;
1170 l = final[11];
1171 _crypt_to64(p, l, 2); p += 2;
1172 *p = '\0';
1173
1174 /* Don't leave anything around in vm they could use. */
1175 memset(final, 0, sizeof(final));
1176
1177 return (passwd);
1178 }
1179
1180
1181 /* SHA256-based Unix crypt implementation.
1182 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1183
1184 /* Structure to save state of computation between the single steps. */
1185 struct sha256_ctx
1186 {
1187 uint32_t H[8];
1188
1189 uint32_t total[2];
1190 uint32_t buflen;
1191 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
1192 };
1193
1194 #if __BYTE_ORDER == __LITTLE_ENDIAN
1195 # define SHA256_SWAP(n) \
1196 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1197 #else
1198 # define SHA256_SWAP(n) (n)
1199 #endif
1200
1201 /* This array contains the bytes used to pad the buffer to the next
1202 64-byte boundary. (FIPS 180-2:5.1.1) */
1203 static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
1204
1205
1206 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1207 static const uint32_t SHA256_K[64] = {
1208 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1209 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1210 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1211 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1212 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1213 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1214 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1215 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1216 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1217 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1218 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1219 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1220 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1221 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1222 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1223 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1224 };
1225
1226
1227 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1228 It is assumed that LEN % 64 == 0. */
1229 static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
1230 {
1231 const uint32_t *words = buffer;
1232 size_t nwords = len / sizeof(uint32_t);
1233 uint32_t a = ctx->H[0];
1234 uint32_t b = ctx->H[1];
1235 uint32_t c = ctx->H[2];
1236 uint32_t d = ctx->H[3];
1237 uint32_t e = ctx->H[4];
1238 uint32_t f = ctx->H[5];
1239 uint32_t g = ctx->H[6];
1240 uint32_t h = ctx->H[7];
1241
1242 /* First increment the byte count. FIPS 180-2 specifies the possible
1243 length of the file up to 2^64 bits. Here we only compute the
1244 number of bytes. Do a double word increment. */
1245 ctx->total[0] += len;
1246 if (ctx->total[0] < len)
1247 ++ctx->total[1];
1248
1249 /* Process all bytes in the buffer with 64 bytes in each round of
1250 the loop. */
1251 while (nwords > 0)
1252 {
1253 uint32_t W[64];
1254 uint32_t a_save = a;
1255 uint32_t b_save = b;
1256 uint32_t c_save = c;
1257 uint32_t d_save = d;
1258 uint32_t e_save = e;
1259 uint32_t f_save = f;
1260 uint32_t g_save = g;
1261 uint32_t h_save = h;
1262 unsigned int t;
1263
1264 /* Operators defined in FIPS 180-2:4.1.2. */
1265 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1266 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1267 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1268 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1269 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1270 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1271
1272 /* It is unfortunate that C does not provide an operator for
1273 cyclic rotation. Hope the C compiler is smart enough. */
1274 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1275
1276 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1277 for (t = 0; t < 16; ++t)
1278 {
1279 W[t] = SHA256_SWAP(*words);
1280 ++words;
1281 }
1282 for (t = 16; t < 64; ++t)
1283 W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16];
1284
1285 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1286 for (t = 0; t < 64; ++t)
1287 {
1288 uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t];
1289 uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c);
1290 h = g;
1291 g = f;
1292 f = e;
1293 e = d + T1;
1294 d = c;
1295 c = b;
1296 b = a;
1297 a = T1 + T2;
1298 }
1299
1300 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1301 step 4. */
1302 a += a_save;
1303 b += b_save;
1304 c += c_save;
1305 d += d_save;
1306 e += e_save;
1307 f += f_save;
1308 g += g_save;
1309 h += h_save;
1310
1311 /* Prepare for the next round. */
1312 nwords -= 16;
1313 }
1314
1315 /* Put checksum in context given as argument. */
1316 ctx->H[0] = a;
1317 ctx->H[1] = b;
1318 ctx->H[2] = c;
1319 ctx->H[3] = d;
1320 ctx->H[4] = e;
1321 ctx->H[5] = f;
1322 ctx->H[6] = g;
1323 ctx->H[7] = h;
1324 }
1325
1326
1327 /* Initialize structure containing state of computation.
1328 (FIPS 180-2:5.3.2) */
1329 static void rb_sha256_init_ctx(struct sha256_ctx *ctx)
1330 {
1331 ctx->H[0] = 0x6a09e667;
1332 ctx->H[1] = 0xbb67ae85;
1333 ctx->H[2] = 0x3c6ef372;
1334 ctx->H[3] = 0xa54ff53a;
1335 ctx->H[4] = 0x510e527f;
1336 ctx->H[5] = 0x9b05688c;
1337 ctx->H[6] = 0x1f83d9ab;
1338 ctx->H[7] = 0x5be0cd19;
1339
1340 ctx->total[0] = ctx->total[1] = 0;
1341 ctx->buflen = 0;
1342 }
1343
1344
1345 /* Process the remaining bytes in the internal buffer and the usual
1346 prolog according to the standard and write the result to RESBUF.
1347
1348 IMPORTANT: On some systems it is required that RESBUF is correctly
1349 aligned for a 32 bits value. */
1350 static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
1351 {
1352 /* Take yet unprocessed bytes into account. */
1353 uint32_t bytes = ctx->buflen;
1354 size_t pad;
1355 unsigned int i;
1356
1357 /* Now count remaining bytes. */
1358 ctx->total[0] += bytes;
1359 if (ctx->total[0] < bytes)
1360 ++ctx->total[1];
1361
1362 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
1363 memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad);
1364
1365 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1366 *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SHA256_SWAP(ctx->total[0] << 3);
1367 *(uint32_t *) & ctx->buffer[bytes + pad] = SHA256_SWAP((ctx->total[1] << 3) |
1368 (ctx->total[0] >> 29));
1369
1370 /* Process last bytes. */
1371 rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
1372
1373 /* Put result from CTX in first 32 bytes following RESBUF. */
1374 for (i = 0; i < 8; ++i)
1375 ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]);
1376
1377 return resbuf;
1378 }
1379
1380
1381 static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
1382 {
1383 /* When we already have some bits in our internal buffer concatenate
1384 both inputs first. */
1385 if (ctx->buflen != 0)
1386 {
1387 size_t left_over = ctx->buflen;
1388 size_t add = 128 - left_over > len ? len : 128 - left_over;
1389
1390 memcpy(&ctx->buffer[left_over], buffer, add);
1391 ctx->buflen += add;
1392
1393 if (ctx->buflen > 64)
1394 {
1395 rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
1396
1397 ctx->buflen &= 63;
1398 /* The regions in the following copy operation cannot overlap. */
1399 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
1400 }
1401
1402 buffer = (const char *)buffer + add;
1403 len -= add;
1404 }
1405
1406 /* Process available complete blocks. */
1407 if (len >= 64)
1408 {
1409 /* To check alignment gcc has an appropriate operator. Other
1410 compilers don't. */
1411 #if __GNUC__ >= 2
1412 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1413 #else
1414 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1415 #endif
1416 if (SHA256_UNALIGNED_P(buffer))
1417 while (len > 64)
1418 {
1419 rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
1420 buffer = (const char *)buffer + 64;
1421 len -= 64;
1422 }
1423 else
1424 {
1425 rb_sha256_process_block(buffer, len & ~63, ctx);
1426 buffer = (const char *)buffer + (len & ~63);
1427 len &= 63;
1428 }
1429 }
1430
1431 /* Move remaining bytes into internal buffer. */
1432 if (len > 0)
1433 {
1434 size_t left_over = ctx->buflen;
1435
1436 memcpy(&ctx->buffer[left_over], buffer, len);
1437 left_over += len;
1438 if (left_over >= 64)
1439 {
1440 rb_sha256_process_block(ctx->buffer, 64, ctx);
1441 left_over -= 64;
1442 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
1443 }
1444 ctx->buflen = left_over;
1445 }
1446 }
1447
1448
1449 /* Define our magic string to mark salt for SHA256 "encryption"
1450 replacement. */
1451 static const char sha256_salt_prefix[] = "$5$";
1452
1453 /* Prefix for optional rounds specification. */
1454 static const char sha256_rounds_prefix[] = "rounds=";
1455
1456 /* Maximum salt string length. */
1457 #define SHA256_SALT_LEN_MAX 16
1458 /* Default number of rounds if not explicitly specified. */
1459 #define SHA256_ROUNDS_DEFAULT 5000
1460 /* Minimum number of rounds. */
1461 #define SHA256_ROUNDS_MIN 1000
1462 /* Maximum number of rounds. */
1463 #define SHA256_ROUNDS_MAX 999999999
1464
1465 static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
1466 {
1467 unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1468 unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1469 struct sha256_ctx ctx;
1470 struct sha256_ctx alt_ctx;
1471 size_t salt_len;
1472 size_t key_len;
1473 size_t cnt;
1474 char *cp;
1475 char *copied_key = NULL;
1476 char *copied_salt = NULL;
1477 char *p_bytes;
1478 char *s_bytes;
1479 /* Default number of rounds. */
1480 size_t rounds = SHA256_ROUNDS_DEFAULT;
1481 int rounds_custom = 0;
1482
1483 /* Find beginning of salt string. The prefix should normally always
1484 be present. Just in case it is not. */
1485 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
1486 /* Skip salt prefix. */
1487 salt += sizeof(sha256_salt_prefix) - 1;
1488
1489 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0)
1490 {
1491 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
1492 char *endp;
1493 unsigned long int srounds = strtoul(num, &endp, 10);
1494 if (*endp == '$')
1495 {
1496 salt = endp + 1;
1497 rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX));
1498 rounds_custom = 1;
1499 }
1500 }
1501
1502 salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX);
1503 key_len = strlen(key);
1504
1505 if ((key - (char *)0) % __alignof__(uint32_t) != 0)
1506 {
1507 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t));
1508 key = copied_key =
1509 memcpy(tmp + __alignof__(uint32_t)
1510 - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len);
1511 }
1512
1513 if ((salt - (char *)0) % __alignof__(uint32_t) != 0)
1514 {
1515 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t));
1516 salt = copied_salt =
1517 memcpy(tmp + __alignof__(uint32_t)
1518 - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len);
1519 }
1520
1521 /* Prepare for the real work. */
1522 rb_sha256_init_ctx(&ctx);
1523
1524 /* Add the key string. */
1525 rb_sha256_process_bytes(key, key_len, &ctx);
1526
1527 /* The last part is the salt string. This must be at most 16
1528 characters and it ends at the first `$' character (for
1529 compatibility with existing implementations). */
1530 rb_sha256_process_bytes(salt, salt_len, &ctx);
1531
1532
1533 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1534 final result will be added to the first context. */
1535 rb_sha256_init_ctx(&alt_ctx);
1536
1537 /* Add key. */
1538 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1539
1540 /* Add salt. */
1541 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1542
1543 /* Add key again. */
1544 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1545
1546 /* Now get result of this (32 bytes) and add it to the other
1547 context. */
1548 rb_sha256_finish_ctx(&alt_ctx, alt_result);
1549
1550 /* Add for any character in the key one byte of the alternate sum. */
1551 for (cnt = key_len; cnt > 32; cnt -= 32)
1552 rb_sha256_process_bytes(alt_result, 32, &ctx);
1553 rb_sha256_process_bytes(alt_result, cnt, &ctx);
1554
1555 /* Take the binary representation of the length of the key and for every
1556 1 add the alternate sum, for every 0 the key. */
1557 for (cnt = key_len; cnt > 0; cnt >>= 1)
1558 if ((cnt & 1) != 0)
1559 rb_sha256_process_bytes(alt_result, 32, &ctx);
1560 else
1561 rb_sha256_process_bytes(key, key_len, &ctx);
1562
1563 /* Create intermediate result. */
1564 rb_sha256_finish_ctx(&ctx, alt_result);
1565
1566 /* Start computation of P byte sequence. */
1567 rb_sha256_init_ctx(&alt_ctx);
1568
1569 /* For every character in the password add the entire password. */
1570 for (cnt = 0; cnt < key_len; ++cnt)
1571 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1572
1573 /* Finish the digest. */
1574 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1575
1576 /* Create byte sequence P. */
1577 cp = p_bytes = alloca(key_len);
1578 for (cnt = key_len; cnt >= 32; cnt -= 32)
1579 {
1580 memcpy(cp, temp_result, 32);
1581 cp += 32;
1582 }
1583 memcpy(cp, temp_result, cnt);
1584
1585 /* Start computation of S byte sequence. */
1586 rb_sha256_init_ctx(&alt_ctx);
1587
1588 /* For every character in the password add the entire password. */
1589 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
1590 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1591
1592 /* Finish the digest. */
1593 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1594
1595 /* Create byte sequence S. */
1596 cp = s_bytes = alloca(salt_len);
1597 for (cnt = salt_len; cnt >= 32; cnt -= 32)
1598 {
1599 memcpy(cp, temp_result, 32);
1600 cp += 32;
1601 }
1602 memcpy(cp, temp_result, cnt);
1603
1604 /* Repeatedly run the collected hash value through SHA256 to burn
1605 CPU cycles. */
1606 for (cnt = 0; cnt < rounds; ++cnt)
1607 {
1608 /* New context. */
1609 rb_sha256_init_ctx(&ctx);
1610
1611 /* Add key or last result. */
1612 if ((cnt & 1) != 0)
1613 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1614 else
1615 rb_sha256_process_bytes(alt_result, 32, &ctx);
1616
1617 /* Add salt for numbers not divisible by 3. */
1618 if (cnt % 3 != 0)
1619 rb_sha256_process_bytes(s_bytes, salt_len, &ctx);
1620
1621 /* Add key for numbers not divisible by 7. */
1622 if (cnt % 7 != 0)
1623 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1624
1625 /* Add key or last result. */
1626 if ((cnt & 1) != 0)
1627 rb_sha256_process_bytes(alt_result, 32, &ctx);
1628 else
1629 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1630
1631 /* Create intermediate result. */
1632 rb_sha256_finish_ctx(&ctx, alt_result);
1633 }
1634
1635 /* Now we can construct the result string. It consists of three
1636 parts. */
1637 memset(buffer, '\0', MAX(0, buflen));
1638 strncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1639 if((cp = strchr(buffer, '\0')) == NULL)
1640 cp = buffer + MAX(0, buflen);
1641 buflen -= sizeof(sha256_salt_prefix) - 1;
1642
1643 if (rounds_custom)
1644 {
1645 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1646 sha256_rounds_prefix, rounds);
1647 cp += n;
1648 buflen -= n;
1649 }
1650
1651 memset(cp, '\0', salt_len);
1652 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
1653 if((cp = strchr(buffer, '\0')) == NULL)
1654 cp += salt_len;
1655 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
1656
1657 if (buflen > 0)
1658 {
1659 *cp++ = '$';
1660 --buflen;
1661 }
1662
1663 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
1664 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
1665 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
1666 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
1667 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
1668 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
1669 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
1670 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
1671 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
1672 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
1673 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
1674 if (buflen <= 0)
1675 {
1676 errno = ERANGE;
1677 buffer = NULL;
1678 }
1679 else
1680 *cp = '\0'; /* Terminate the string. */
1681
1682 /* Clear the buffer for the intermediate result so that people
1683 attaching to processes or reading core dumps cannot get any
1684 information. We do it in this way to clear correct_words[]
1685 inside the SHA256 implementation as well. */
1686 rb_sha256_init_ctx(&ctx);
1687 rb_sha256_finish_ctx(&ctx, alt_result);
1688 memset(temp_result, '\0', sizeof(temp_result));
1689 memset(p_bytes, '\0', key_len);
1690 memset(s_bytes, '\0', salt_len);
1691 memset(&ctx, '\0', sizeof(ctx));
1692 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1693 if (copied_key != NULL)
1694 memset(copied_key, '\0', key_len);
1695 if (copied_salt != NULL)
1696 memset(copied_salt, '\0', salt_len);
1697
1698 return buffer;
1699 }
1700
1701
1702 /* This entry point is equivalent to the `crypt' function in Unix
1703 libcs. */
1704 static char *rb_sha256_crypt(const char *key, const char *salt)
1705 {
1706 /* We don't want to have an arbitrary limit in the size of the
1707 password. We can compute an upper bound for the size of the
1708 result in advance and so we can prepare the buffer we pass to
1709 `rb_sha256_crypt_r'. */
1710 static char *buffer;
1711 static int buflen;
1712 int needed = (sizeof(sha256_salt_prefix) - 1
1713 + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1);
1714
1715 char *new_buffer = (char *)malloc(needed);
1716 if (new_buffer == NULL)
1717 return NULL;
1718
1719 buffer = new_buffer;
1720 buflen = needed;
1721
1722 return rb_sha256_crypt_r(key, salt, buffer, buflen);
1723 }
1724
1725 /* Structure to save state of computation between the single steps. */
1726 struct sha512_ctx
1727 {
1728 uint64_t H[8];
1729
1730 uint64_t total[2];
1731 uint64_t buflen;
1732 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
1733 };
1734
1735
1736 #if __BYTE_ORDER == __LITTLE_ENDIAN
1737 # define SHA512_SWAP(n) \
1738 (((n) << 56) \
1739 | (((n) & 0xff00) << 40) \
1740 | (((n) & 0xff0000) << 24) \
1741 | (((n) & 0xff000000) << 8) \
1742 | (((n) >> 8) & 0xff000000) \
1743 | (((n) >> 24) & 0xff0000) \
1744 | (((n) >> 40) & 0xff00) \
1745 | ((n) >> 56))
1746 #else
1747 # define SHA512_SWAP(n) (n)
1748 #endif
1749
1750
1751 /* This array contains the bytes used to pad the buffer to the next
1752 64-byte boundary. (FIPS 180-2:5.1.2) */
1753 static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
1754
1755
1756 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1757 static const uint64_t SHA512_K[80] = {
1758 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
1759 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
1760 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
1761 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
1762 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
1763 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
1764 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
1765 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
1766 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
1767 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
1768 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
1769 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
1770 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
1771 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
1772 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
1773 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
1774 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
1775 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
1776 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
1777 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
1778 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
1779 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
1780 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
1781 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
1782 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
1783 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
1784 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
1785 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
1786 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
1787 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
1788 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
1789 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
1790 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
1791 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
1792 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
1793 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
1794 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
1795 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
1796 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
1797 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
1798 };
1799
1800
1801 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1802 It is assumed that LEN % 128 == 0. */
1803 static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
1804 {
1805 const uint64_t *words = buffer;
1806 size_t nwords = len / sizeof(uint64_t);
1807 uint64_t a = ctx->H[0];
1808 uint64_t b = ctx->H[1];
1809 uint64_t c = ctx->H[2];
1810 uint64_t d = ctx->H[3];
1811 uint64_t e = ctx->H[4];
1812 uint64_t f = ctx->H[5];
1813 uint64_t g = ctx->H[6];
1814 uint64_t h = ctx->H[7];
1815
1816 /* First increment the byte count. FIPS 180-2 specifies the possible
1817 length of the file up to 2^128 bits. Here we only compute the
1818 number of bytes. Do a double word increment. */
1819 ctx->total[0] += len;
1820 if (ctx->total[0] < len)
1821 ++ctx->total[1];
1822
1823 /* Process all bytes in the buffer with 128 bytes in each round of
1824 the loop. */
1825 while (nwords > 0)
1826 {
1827 uint64_t W[80];
1828 uint64_t a_save = a;
1829 uint64_t b_save = b;
1830 uint64_t c_save = c;
1831 uint64_t d_save = d;
1832 uint64_t e_save = e;
1833 uint64_t f_save = f;
1834 uint64_t g_save = g;
1835 uint64_t h_save = h;
1836 unsigned int t;
1837
1838 /* Operators defined in FIPS 180-2:4.1.2. */
1839 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1840 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1841 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1842 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1843 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1844 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1845
1846 /* It is unfortunate that C does not provide an operator for
1847 cyclic rotation. Hope the C compiler is smart enough. */
1848 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1849
1850 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1851 for (t = 0; t < 16; ++t)
1852 {
1853 W[t] = SHA512_SWAP(*words);
1854 ++words;
1855 }
1856 for (t = 16; t < 80; ++t)
1857 W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16];
1858
1859 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1860 for (t = 0; t < 80; ++t)
1861 {
1862 uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t];
1863 uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c);
1864 h = g;
1865 g = f;
1866 f = e;
1867 e = d + T1;
1868 d = c;
1869 c = b;
1870 b = a;
1871 a = T1 + T2;
1872 }
1873
1874 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1875 step 4. */
1876 a += a_save;
1877 b += b_save;
1878 c += c_save;
1879 d += d_save;
1880 e += e_save;
1881 f += f_save;
1882 g += g_save;
1883 h += h_save;
1884
1885 /* Prepare for the next round. */
1886 nwords -= 16;
1887 }
1888
1889 /* Put checksum in context given as argument. */
1890 ctx->H[0] = a;
1891 ctx->H[1] = b;
1892 ctx->H[2] = c;
1893 ctx->H[3] = d;
1894 ctx->H[4] = e;
1895 ctx->H[5] = f;
1896 ctx->H[6] = g;
1897 ctx->H[7] = h;
1898 }
1899
1900
1901 /* Initialize structure containing state of computation.
1902 (FIPS 180-2:5.3.3) */
1903 static void rb_sha512_init_ctx(struct sha512_ctx *ctx)
1904 {
1905 ctx->H[0] = 0x6a09e667f3bcc908ULL;
1906 ctx->H[1] = 0xbb67ae8584caa73bULL;
1907 ctx->H[2] = 0x3c6ef372fe94f82bULL;
1908 ctx->H[3] = 0xa54ff53a5f1d36f1ULL;
1909 ctx->H[4] = 0x510e527fade682d1ULL;
1910 ctx->H[5] = 0x9b05688c2b3e6c1fULL;
1911 ctx->H[6] = 0x1f83d9abfb41bd6bULL;
1912 ctx->H[7] = 0x5be0cd19137e2179ULL;
1913
1914 ctx->total[0] = ctx->total[1] = 0;
1915 ctx->buflen = 0;
1916 }
1917
1918
1919 /* Process the remaining bytes in the internal buffer and the usual
1920 prolog according to the standard and write the result to RESBUF.
1921
1922 IMPORTANT: On some systems it is required that RESBUF is correctly
1923 aligned for a 32 bits value. */
1924 static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
1925 {
1926 /* Take yet unprocessed bytes into account. */
1927 uint64_t bytes = ctx->buflen;
1928 size_t pad;
1929 unsigned int i;
1930
1931 /* Now count remaining bytes. */
1932 ctx->total[0] += bytes;
1933 if (ctx->total[0] < bytes)
1934 ++ctx->total[1];
1935
1936 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
1937 memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad);
1938
1939 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1940 *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SHA512_SWAP(ctx->total[0] << 3);
1941 *(uint64_t *) & ctx->buffer[bytes + pad] = SHA512_SWAP((ctx->total[1] << 3) |
1942 (ctx->total[0] >> 61));
1943
1944 /* Process last bytes. */
1945 rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
1946
1947 /* Put result from CTX in first 64 bytes following RESBUF. */
1948 for (i = 0; i < 8; ++i)
1949 ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]);
1950
1951 return resbuf;
1952 }
1953
1954
1955 static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
1956 {
1957 /* When we already have some bits in our internal buffer concatenate
1958 both inputs first. */
1959 if (ctx->buflen != 0)
1960 {
1961 size_t left_over = ctx->buflen;
1962 size_t add = 256 - left_over > len ? len : 256 - left_over;
1963
1964 memcpy(&ctx->buffer[left_over], buffer, add);
1965 ctx->buflen += add;
1966
1967 if (ctx->buflen > 128)
1968 {
1969 rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
1970
1971 ctx->buflen &= 127;
1972 /* The regions in the following copy operation cannot overlap. */
1973 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen);
1974 }
1975
1976 buffer = (const char *)buffer + add;
1977 len -= add;
1978 }
1979
1980 /* Process available complete blocks. */
1981 if (len >= 128)
1982 {
1983 #if !_STRING_ARCH_unaligned
1984 /* To check alignment gcc has an appropriate operator. Other
1985 compilers don't. */
1986 # if __GNUC__ >= 2
1987 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1988 # else
1989 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1990 # endif
1991 if (SHA512_UNALIGNED_P(buffer))
1992 while (len > 128)
1993 {
1994 rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
1995 buffer = (const char *)buffer + 128;
1996 len -= 128;
1997 }
1998 else
1999 #endif
2000 {
2001 rb_sha512_process_block(buffer, len & ~127, ctx);
2002 buffer = (const char *)buffer + (len & ~127);
2003 len &= 127;
2004 }
2005 }
2006
2007 /* Move remaining bytes into internal buffer. */
2008 if (len > 0)
2009 {
2010 size_t left_over = ctx->buflen;
2011
2012 memcpy(&ctx->buffer[left_over], buffer, len);
2013 left_over += len;
2014 if (left_over >= 128)
2015 {
2016 rb_sha512_process_block(ctx->buffer, 128, ctx);
2017 left_over -= 128;
2018 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
2019 }
2020 ctx->buflen = left_over;
2021 }
2022 }
2023
2024
2025 /* Define our magic string to mark salt for SHA512 "encryption"
2026 replacement. */
2027 static const char sha512_salt_prefix[] = "$6$";
2028
2029 /* Prefix for optional rounds specification. */
2030 static const char sha512_rounds_prefix[] = "rounds=";
2031
2032 /* Maximum salt string length. */
2033 #define SHA512_SALT_LEN_MAX 16
2034 /* Default number of rounds if not explicitly specified. */
2035 #define SHA512_ROUNDS_DEFAULT 5000
2036 /* Minimum number of rounds. */
2037 #define SHA512_ROUNDS_MIN 1000
2038 /* Maximum number of rounds. */
2039 #define SHA512_ROUNDS_MAX 999999999
2040
2041 static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
2042 {
2043 unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2044 unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2045 struct sha512_ctx ctx;
2046 struct sha512_ctx alt_ctx;
2047 size_t salt_len;
2048 size_t key_len;
2049 size_t cnt;
2050 char *cp;
2051 char *copied_key = NULL;
2052 char *copied_salt = NULL;
2053 char *p_bytes;
2054 char *s_bytes;
2055 /* Default number of rounds. */
2056 size_t rounds = SHA512_ROUNDS_DEFAULT;
2057 int rounds_custom = 0;
2058
2059 /* Find beginning of salt string. The prefix should normally always
2060 be present. Just in case it is not. */
2061 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
2062 /* Skip salt prefix. */
2063 salt += sizeof(sha512_salt_prefix) - 1;
2064
2065 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0)
2066 {
2067 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
2068 char *endp;
2069 unsigned long int srounds = strtoul(num, &endp, 10);
2070 if (*endp == '$')
2071 {
2072 salt = endp + 1;
2073 rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX));
2074 rounds_custom = 1;
2075 }
2076 }
2077
2078 salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX);
2079 key_len = strlen(key);
2080
2081 if ((key - (char *)0) % __alignof__(uint64_t) != 0)
2082 {
2083 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
2084 key = copied_key =
2085 memcpy(tmp + __alignof__(uint64_t)
2086 - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len);
2087 }
2088
2089 if ((salt - (char *)0) % __alignof__(uint64_t) != 0)
2090 {
2091 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
2092 salt = copied_salt =
2093 memcpy(tmp + __alignof__(uint64_t)
2094 - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len);
2095 }
2096
2097 /* Prepare for the real work. */
2098 rb_sha512_init_ctx(&ctx);
2099
2100 /* Add the key string. */
2101 rb_sha512_process_bytes(key, key_len, &ctx);
2102
2103 /* The last part is the salt string. This must be at most 16
2104 characters and it ends at the first `$' character (for
2105 compatibility with existing implementations). */
2106 rb_sha512_process_bytes(salt, salt_len, &ctx);
2107
2108
2109 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2110 final result will be added to the first context. */
2111 rb_sha512_init_ctx(&alt_ctx);
2112
2113 /* Add key. */
2114 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2115
2116 /* Add salt. */
2117 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2118
2119 /* Add key again. */
2120 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2121
2122 /* Now get result of this (64 bytes) and add it to the other
2123 context. */
2124 rb_sha512_finish_ctx(&alt_ctx, alt_result);
2125
2126 /* Add for any character in the key one byte of the alternate sum. */
2127 for (cnt = key_len; cnt > 64; cnt -= 64)
2128 rb_sha512_process_bytes(alt_result, 64, &ctx);
2129 rb_sha512_process_bytes(alt_result, cnt, &ctx);
2130
2131 /* Take the binary representation of the length of the key and for every
2132 1 add the alternate sum, for every 0 the key. */
2133 for (cnt = key_len; cnt > 0; cnt >>= 1)
2134 if ((cnt & 1) != 0)
2135 rb_sha512_process_bytes(alt_result, 64, &ctx);
2136 else
2137 rb_sha512_process_bytes(key, key_len, &ctx);
2138
2139 /* Create intermediate result. */
2140 rb_sha512_finish_ctx(&ctx, alt_result);
2141
2142 /* Start computation of P byte sequence. */
2143 rb_sha512_init_ctx(&alt_ctx);
2144
2145 /* For every character in the password add the entire password. */
2146 for (cnt = 0; cnt < key_len; ++cnt)
2147 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2148
2149 /* Finish the digest. */
2150 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2151
2152 /* Create byte sequence P. */
2153 cp = p_bytes = alloca(key_len);
2154 for (cnt = key_len; cnt >= 64; cnt -= 64)
2155 {
2156 memcpy(cp, temp_result, 64);
2157 cp += 64;
2158 }
2159 memcpy(cp, temp_result, cnt);
2160
2161 /* Start computation of S byte sequence. */
2162 rb_sha512_init_ctx(&alt_ctx);
2163
2164 /* For every character in the password add the entire password. */
2165 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
2166 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2167
2168 /* Finish the digest. */
2169 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2170
2171 /* Create byte sequence S. */
2172 cp = s_bytes = alloca(salt_len);
2173 for (cnt = salt_len; cnt >= 64; cnt -= 64)
2174 {
2175 memcpy(cp, temp_result, 64);
2176 cp += 64;
2177 }
2178 memcpy(cp, temp_result, cnt);
2179
2180 /* Repeatedly run the collected hash value through SHA512 to burn
2181 CPU cycles. */
2182 for (cnt = 0; cnt < rounds; ++cnt)
2183 {
2184 /* New context. */
2185 rb_sha512_init_ctx(&ctx);
2186
2187 /* Add key or last result. */
2188 if ((cnt & 1) != 0)
2189 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2190 else
2191 rb_sha512_process_bytes(alt_result, 64, &ctx);
2192
2193 /* Add salt for numbers not divisible by 3. */
2194 if (cnt % 3 != 0)
2195 rb_sha512_process_bytes(s_bytes, salt_len, &ctx);
2196
2197 /* Add key for numbers not divisible by 7. */
2198 if (cnt % 7 != 0)
2199 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2200
2201 /* Add key or last result. */
2202 if ((cnt & 1) != 0)
2203 rb_sha512_process_bytes(alt_result, 64, &ctx);
2204 else
2205 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2206
2207 /* Create intermediate result. */
2208 rb_sha512_finish_ctx(&ctx, alt_result);
2209 }
2210
2211 /* Now we can construct the result string. It consists of three
2212 parts. */
2213 memset(buffer, '\0', MAX(0, buflen));
2214 strncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
2215 if((cp = strchr(buffer, '\0')) == NULL)
2216 cp = buffer + MAX(0, buflen);
2217 buflen -= sizeof(sha512_salt_prefix) - 1;
2218
2219 if (rounds_custom)
2220 {
2221 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
2222 sha512_rounds_prefix, rounds);
2223 cp += n;
2224 buflen -= n;
2225 }
2226
2227 memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len));
2228 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
2229 if((cp = strchr(buffer, '\0')) == NULL)
2230 cp = buffer + salt_len;
2231 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
2232
2233 if (buflen > 0)
2234 {
2235 *cp++ = '$';
2236 --buflen;
2237 }
2238
2239 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
2240 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
2241 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
2242 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
2243 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
2244 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
2245 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
2246 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
2247 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
2248 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
2249 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
2250 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
2251 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
2252 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
2253 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
2254 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
2255 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
2256 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
2257 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
2258 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
2259 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
2260 b64_from_24bit(0, 0, alt_result[63], 2);
2261
2262 if (buflen <= 0)
2263 {
2264 errno = ERANGE;
2265 buffer = NULL;
2266 }
2267 else
2268 *cp = '\0'; /* Terminate the string. */
2269
2270 /* Clear the buffer for the intermediate result so that people
2271 attaching to processes or reading core dumps cannot get any
2272 information. We do it in this way to clear correct_words[]
2273 inside the SHA512 implementation as well. */
2274 rb_sha512_init_ctx(&ctx);
2275 rb_sha512_finish_ctx(&ctx, alt_result);
2276 memset(temp_result, '\0', sizeof(temp_result));
2277 memset(p_bytes, '\0', key_len);
2278 memset(s_bytes, '\0', salt_len);
2279 memset(&ctx, '\0', sizeof(ctx));
2280 memset(&alt_ctx, '\0', sizeof(alt_ctx));
2281 if (copied_key != NULL)
2282 memset(copied_key, '\0', key_len);
2283 if (copied_salt != NULL)
2284 memset(copied_salt, '\0', salt_len);
2285
2286 return buffer;
2287 }
2288
2289
2290 /* This entry point is equivalent to the `crypt' function in Unix
2291 libcs. */
2292 static char *rb_sha512_crypt(const char *key, const char *salt)
2293 {
2294 /* We don't want to have an arbitrary limit in the size of the
2295 password. We can compute an upper bound for the size of the
2296 result in advance and so we can prepare the buffer we pass to
2297 `rb_sha512_crypt_r'. */
2298 static char *buffer;
2299 static int buflen;
2300 int needed = (sizeof(sha512_salt_prefix) - 1
2301 + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1);
2302
2303 if (buflen < needed)
2304 {
2305 char *new_buffer = (char *)realloc(buffer, needed);
2306 if (new_buffer == NULL)
2307 return NULL;
2308
2309 buffer = new_buffer;
2310 buflen = needed;
2311 }
2312
2313 return rb_sha512_crypt_r(key, salt, buffer, buflen);
2314 }
2315
Unnamed repository; edit this file 'description' to name the repository.