]>
Commit | Line | Data |
---|---|---|
db137867 AC |
1 | /* |
2 | * crypt.c: Implements unix style crypt() for platforms that don't have it | |
08c2568c EM |
3 | * This version has MD5, DES, and SHA256/SHA512 crypt. |
4 | * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from | |
5 | * Drepper's public domain implementation. | |
db137867 AC |
6 | */ |
7 | ||
8 | /* | |
9 | * crypt() for uClibc | |
10 | * | |
11 | * Copyright (C) 2000 by Lineo, inc. and Erik Andersen | |
12 | * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org> | |
13 | * Written by Erik Andersen <andersen@uclibc.org> | |
14 | * | |
15 | * This program is free software; you can redistribute it and/or modify it | |
16 | * under the terms of the GNU Library General Public License as published by | |
17 | * the Free Software Foundation; either version 2 of the License, or (at your | |
18 | * option) any later version. | |
19 | * | |
20 | * This program is distributed in the hope that it will be useful, but WITHOUT | |
21 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
22 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License | |
23 | * for more details. | |
24 | * | |
25 | * You should have received a copy of the GNU Library General Public License | |
26 | * along with this program; if not, write to the Free Software Foundation, | |
27 | * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
28 | */ | |
29 | ||
30 | #include <libratbox_config.h> | |
31 | #include <ratbox_lib.h> | |
32 | ||
08c2568c EM |
33 | static char *rb_md5_crypt(const char *pw, const char *salt); |
34 | static char *rb_des_crypt(const char *pw, const char *salt); | |
35 | static char *rb_sha256_crypt(const char *key, const char *salt); | |
36 | static char *rb_sha512_crypt(const char *key, const char *salt); | |
db137867 | 37 | |
3202e249 | 38 | char * |
db137867 AC |
39 | rb_crypt(const char *key, const char *salt) |
40 | { | |
08c2568c EM |
41 | /* First, check if we are supposed to be using a replacement |
42 | * hash instead of DES... */ | |
48dc39f7 | 43 | if(salt[0] == '$' && (salt[2] == '$' || salt[3] == '$')) |
08c2568c EM |
44 | { |
45 | switch(salt[1]) | |
46 | { | |
47 | case '1': | |
48 | return rb_md5_crypt(key, salt); | |
49 | break; | |
50 | case '5': | |
51 | return rb_sha256_crypt(key, salt); | |
52 | break; | |
53 | case '6': | |
54 | return rb_sha512_crypt(key, salt); | |
55 | break; | |
56 | default: | |
57 | return NULL; | |
58 | break; | |
59 | }; | |
60 | } | |
db137867 | 61 | else |
08c2568c | 62 | return rb_des_crypt(key, salt); |
db137867 AC |
63 | } |
64 | ||
08c2568c EM |
65 | #define b64_from_24bit(B2, B1, B0, N) \ |
66 | do \ | |
67 | { \ | |
68 | unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ | |
69 | int n = (N); \ | |
70 | while (n-- > 0 && buflen > 0) \ | |
71 | { \ | |
72 | *cp++ = ascii64[w & 0x3f]; \ | |
73 | --buflen; \ | |
74 | w >>= 6; \ | |
75 | } \ | |
76 | } while (0) | |
77 | ||
78 | #ifndef MAX | |
79 | # define MAX(a,b) (((a) > (b)) ? (a) : (b)) | |
80 | #endif | |
81 | #ifndef MIN | |
82 | # define MIN(a,b) (((a) < (b)) ? (a) : (b)) | |
83 | #endif | |
84 | ||
db137867 AC |
85 | /* Here is the des crypt() stuff */ |
86 | ||
87 | /* | |
88 | * FreeSec: libcrypt for NetBSD | |
89 | * | |
90 | * Copyright (c) 1994 David Burren | |
91 | * All rights reserved. | |
92 | * | |
93 | * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet | |
94 | * this file should now *only* export crypt(), in order to make | |
95 | * binaries of libcrypt exportable from the USA | |
96 | * | |
97 | * Adapted for FreeBSD-4.0 by Mark R V Murray | |
98 | * this file should now *only* export crypt_des(), in order to make | |
99 | * a module that can be optionally included in libcrypt. | |
100 | * | |
101 | * Redistribution and use in source and binary forms, with or without | |
102 | * modification, are permitted provided that the following conditions | |
103 | * are met: | |
104 | * 1. Redistributions of source code must retain the above copyright | |
105 | * notice, this list of conditions and the following disclaimer. | |
106 | * 2. Redistributions in binary form must reproduce the above copyright | |
107 | * notice, this list of conditions and the following disclaimer in the | |
108 | * documentation and/or other materials provided with the distribution. | |
109 | * 3. Neither the name of the author nor the names of other contributors | |
110 | * may be used to endorse or promote products derived from this software | |
111 | * without specific prior written permission. | |
112 | * | |
113 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
114 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
115 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
116 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
117 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
118 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
119 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
120 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
121 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
122 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
123 | * SUCH DAMAGE. | |
124 | * | |
125 | * This is an original implementation of the DES and the crypt(3) interfaces | |
126 | * by David Burren <davidb@werj.com.au>. | |
127 | * | |
128 | * An excellent reference on the underlying algorithm (and related | |
129 | * algorithms) is: | |
130 | * | |
131 | * B. Schneier, Applied Cryptography: protocols, algorithms, | |
132 | * and source code in C, John Wiley & Sons, 1994. | |
133 | * | |
134 | * Note that in that book's description of DES the lookups for the initial, | |
135 | * pbox, and final permutations are inverted (this has been brought to the | |
136 | * attention of the author). A list of errata for this book has been | |
137 | * posted to the sci.crypt newsgroup by the author and is available for FTP. | |
138 | * | |
139 | * ARCHITECTURE ASSUMPTIONS: | |
140 | * It is assumed that the 8-byte arrays passed by reference can be | |
a9fb3ed0 | 141 | * addressed as arrays of uint32_t's (ie. the CPU is not picky about |
db137867 AC |
142 | * alignment). |
143 | */ | |
144 | ||
145 | ||
55abcbb2 | 146 | /* Re-entrantify me -- all this junk needs to be in |
db137867 | 147 | * struct crypt_data to make this really reentrant... */ |
3202e249 VY |
148 | static uint8_t inv_key_perm[64]; |
149 | static uint8_t inv_comp_perm[56]; | |
150 | static uint8_t u_sbox[8][64]; | |
151 | static uint8_t un_pbox[32]; | |
a9fb3ed0 VY |
152 | static uint32_t en_keysl[16], en_keysr[16]; |
153 | static uint32_t de_keysl[16], de_keysr[16]; | |
154 | static uint32_t ip_maskl[8][256], ip_maskr[8][256]; | |
155 | static uint32_t fp_maskl[8][256], fp_maskr[8][256]; | |
156 | static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; | |
157 | static uint32_t comp_maskl[8][128], comp_maskr[8][128]; | |
158 | static uint32_t saltbits; | |
159 | static uint32_t old_salt; | |
160 | static uint32_t old_rawkey0, old_rawkey1; | |
db137867 AC |
161 | |
162 | ||
55abcbb2 KB |
163 | /* Static stuff that stays resident and doesn't change after |
164 | * being initialized, and therefore doesn't need to be made | |
db137867 | 165 | * reentrant. */ |
3202e249 VY |
166 | static uint8_t init_perm[64], final_perm[64]; |
167 | static uint8_t m_sbox[4][4096]; | |
a9fb3ed0 | 168 | static uint32_t psbox[4][256]; |
db137867 | 169 | |
db137867 | 170 | /* A pile of data */ |
3202e249 | 171 | static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; |
db137867 | 172 | |
3202e249 VY |
173 | static const uint8_t IP[64] = { |
174 | 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, | |
175 | 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, | |
176 | 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, | |
177 | 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 | |
db137867 AC |
178 | }; |
179 | ||
3202e249 VY |
180 | static const uint8_t key_perm[56] = { |
181 | 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, | |
182 | 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, | |
183 | 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, | |
184 | 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 | |
db137867 AC |
185 | }; |
186 | ||
3202e249 | 187 | static const uint8_t key_shifts[16] = { |
db137867 AC |
188 | 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 |
189 | }; | |
190 | ||
3202e249 VY |
191 | static const uint8_t comp_perm[48] = { |
192 | 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, | |
193 | 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, | |
db137867 AC |
194 | 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, |
195 | 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 | |
196 | }; | |
197 | ||
198 | /* | |
199 | * No E box is used, as it's replaced by some ANDs, shifts, and ORs. | |
200 | */ | |
201 | ||
3202e249 | 202 | static const uint8_t sbox[8][64] = { |
db137867 | 203 | { |
3202e249 VY |
204 | 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, |
205 | 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, | |
206 | 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, | |
207 | 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}, | |
db137867 | 208 | { |
3202e249 VY |
209 | 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, |
210 | 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, | |
211 | 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, | |
212 | 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}, | |
db137867 | 213 | { |
3202e249 VY |
214 | 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, |
215 | 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, | |
216 | 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, | |
217 | 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}, | |
db137867 | 218 | { |
3202e249 VY |
219 | 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, |
220 | 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, | |
221 | 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, | |
222 | 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}, | |
db137867 | 223 | { |
3202e249 VY |
224 | 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, |
225 | 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, | |
226 | 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, | |
227 | 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}, | |
db137867 | 228 | { |
3202e249 VY |
229 | 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, |
230 | 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, | |
231 | 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, | |
232 | 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}, | |
db137867 | 233 | { |
3202e249 VY |
234 | 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, |
235 | 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, | |
236 | 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, | |
237 | 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}, | |
db137867 | 238 | { |
3202e249 VY |
239 | 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, |
240 | 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, | |
241 | 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, | |
242 | 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11} | |
db137867 AC |
243 | }; |
244 | ||
3202e249 VY |
245 | static const uint8_t pbox[32] = { |
246 | 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, | |
247 | 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 | |
db137867 AC |
248 | }; |
249 | ||
3202e249 | 250 | static const uint32_t bits32[32] = { |
db137867 AC |
251 | 0x80000000, 0x40000000, 0x20000000, 0x10000000, |
252 | 0x08000000, 0x04000000, 0x02000000, 0x01000000, | |
253 | 0x00800000, 0x00400000, 0x00200000, 0x00100000, | |
254 | 0x00080000, 0x00040000, 0x00020000, 0x00010000, | |
255 | 0x00008000, 0x00004000, 0x00002000, 0x00001000, | |
256 | 0x00000800, 0x00000400, 0x00000200, 0x00000100, | |
257 | 0x00000080, 0x00000040, 0x00000020, 0x00000010, | |
258 | 0x00000008, 0x00000004, 0x00000002, 0x00000001 | |
259 | }; | |
260 | ||
3202e249 VY |
261 | static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 }; |
262 | ||
a9fb3ed0 | 263 | static const uint32_t *bits28, *bits24; |
db137867 AC |
264 | |
265 | ||
3202e249 | 266 | static int |
08c2568c | 267 | rb_ascii_to_bin(char ch) |
db137867 | 268 | { |
3202e249 VY |
269 | if(ch > 'z') |
270 | return (0); | |
271 | if(ch >= 'a') | |
272 | return (ch - 'a' + 38); | |
273 | if(ch > 'Z') | |
274 | return (0); | |
275 | if(ch >= 'A') | |
276 | return (ch - 'A' + 12); | |
277 | if(ch > '9') | |
278 | return (0); | |
279 | if(ch >= '.') | |
280 | return (ch - '.'); | |
281 | return (0); | |
db137867 AC |
282 | } |
283 | ||
284 | static void | |
08c2568c | 285 | rb_des_init(void) |
db137867 | 286 | { |
3202e249 VY |
287 | int i, j, b, k, inbit, obit; |
288 | uint32_t *p, *il, *ir, *fl, *fr; | |
08c2568c | 289 | static int rb_des_initialised = 0; |
db137867 | 290 | |
08c2568c | 291 | if(rb_des_initialised == 1) |
3202e249 | 292 | return; |
db137867 AC |
293 | |
294 | old_rawkey0 = old_rawkey1 = 0L; | |
295 | saltbits = 0L; | |
296 | old_salt = 0L; | |
297 | bits24 = (bits28 = bits32 + 4) + 4; | |
298 | ||
299 | /* | |
300 | * Invert the S-boxes, reordering the input bits. | |
301 | */ | |
3202e249 VY |
302 | for(i = 0; i < 8; i++) |
303 | for(j = 0; j < 64; j++) | |
304 | { | |
db137867 AC |
305 | b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf); |
306 | u_sbox[i][j] = sbox[i][b]; | |
307 | } | |
308 | ||
309 | /* | |
310 | * Convert the inverted S-boxes into 4 arrays of 8 bits. | |
311 | * Each will handle 12 bits of the S-box input. | |
312 | */ | |
3202e249 VY |
313 | for(b = 0; b < 4; b++) |
314 | for(i = 0; i < 64; i++) | |
315 | for(j = 0; j < 64; j++) | |
db137867 | 316 | m_sbox[b][(i << 6) | j] = |
3202e249 VY |
317 | (uint8_t)((u_sbox[(b << 1)][i] << 4) | |
318 | u_sbox[(b << 1) + 1][j]); | |
db137867 AC |
319 | |
320 | /* | |
321 | * Set up the initial & final permutations into a useful form, and | |
322 | * initialise the inverted key permutation. | |
323 | */ | |
3202e249 VY |
324 | for(i = 0; i < 64; i++) |
325 | { | |
326 | init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i; | |
db137867 AC |
327 | inv_key_perm[i] = 255; |
328 | } | |
329 | ||
330 | /* | |
331 | * Invert the key permutation and initialise the inverted key | |
332 | * compression permutation. | |
333 | */ | |
3202e249 VY |
334 | for(i = 0; i < 56; i++) |
335 | { | |
336 | inv_key_perm[key_perm[i] - 1] = (uint8_t)i; | |
db137867 AC |
337 | inv_comp_perm[i] = 255; |
338 | } | |
339 | ||
340 | /* | |
341 | * Invert the key compression permutation. | |
342 | */ | |
3202e249 VY |
343 | for(i = 0; i < 48; i++) |
344 | { | |
345 | inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i; | |
db137867 AC |
346 | } |
347 | ||
348 | /* | |
349 | * Set up the OR-mask arrays for the initial and final permutations, | |
350 | * and for the key initial and compression permutations. | |
351 | */ | |
3202e249 VY |
352 | for(k = 0; k < 8; k++) |
353 | { | |
354 | for(i = 0; i < 256; i++) | |
355 | { | |
db137867 AC |
356 | *(il = &ip_maskl[k][i]) = 0L; |
357 | *(ir = &ip_maskr[k][i]) = 0L; | |
358 | *(fl = &fp_maskl[k][i]) = 0L; | |
359 | *(fr = &fp_maskr[k][i]) = 0L; | |
3202e249 VY |
360 | for(j = 0; j < 8; j++) |
361 | { | |
db137867 | 362 | inbit = 8 * k + j; |
3202e249 VY |
363 | if(i & bits8[j]) |
364 | { | |
365 | if((obit = init_perm[inbit]) < 32) | |
db137867 AC |
366 | *il |= bits32[obit]; |
367 | else | |
3202e249 VY |
368 | *ir |= bits32[obit - 32]; |
369 | if((obit = final_perm[inbit]) < 32) | |
db137867 AC |
370 | *fl |= bits32[obit]; |
371 | else | |
372 | *fr |= bits32[obit - 32]; | |
373 | } | |
374 | } | |
375 | } | |
3202e249 VY |
376 | for(i = 0; i < 128; i++) |
377 | { | |
db137867 AC |
378 | *(il = &key_perm_maskl[k][i]) = 0L; |
379 | *(ir = &key_perm_maskr[k][i]) = 0L; | |
3202e249 VY |
380 | for(j = 0; j < 7; j++) |
381 | { | |
db137867 | 382 | inbit = 8 * k + j; |
3202e249 VY |
383 | if(i & bits8[j + 1]) |
384 | { | |
385 | if((obit = inv_key_perm[inbit]) == 255) | |
db137867 | 386 | continue; |
3202e249 | 387 | if(obit < 28) |
db137867 AC |
388 | *il |= bits28[obit]; |
389 | else | |
390 | *ir |= bits28[obit - 28]; | |
391 | } | |
392 | } | |
393 | *(il = &comp_maskl[k][i]) = 0L; | |
394 | *(ir = &comp_maskr[k][i]) = 0L; | |
3202e249 VY |
395 | for(j = 0; j < 7; j++) |
396 | { | |
db137867 | 397 | inbit = 7 * k + j; |
3202e249 VY |
398 | if(i & bits8[j + 1]) |
399 | { | |
400 | if((obit = inv_comp_perm[inbit]) == 255) | |
db137867 | 401 | continue; |
3202e249 | 402 | if(obit < 24) |
db137867 AC |
403 | *il |= bits24[obit]; |
404 | else | |
405 | *ir |= bits24[obit - 24]; | |
406 | } | |
407 | } | |
408 | } | |
409 | } | |
410 | ||
411 | /* | |
412 | * Invert the P-box permutation, and convert into OR-masks for | |
413 | * handling the output of the S-box arrays setup above. | |
414 | */ | |
3202e249 VY |
415 | for(i = 0; i < 32; i++) |
416 | un_pbox[pbox[i] - 1] = (uint8_t)i; | |
db137867 | 417 | |
3202e249 VY |
418 | for(b = 0; b < 4; b++) |
419 | for(i = 0; i < 256; i++) | |
420 | { | |
db137867 | 421 | *(p = &psbox[b][i]) = 0L; |
3202e249 VY |
422 | for(j = 0; j < 8; j++) |
423 | { | |
424 | if(i & bits8[j]) | |
db137867 AC |
425 | *p |= bits32[un_pbox[8 * b + j]]; |
426 | } | |
427 | } | |
428 | ||
08c2568c | 429 | rb_des_initialised = 1; |
db137867 AC |
430 | } |
431 | ||
432 | ||
433 | static void | |
08c2568c | 434 | rb_setup_salt(long salt) |
db137867 | 435 | { |
3202e249 VY |
436 | uint32_t obit, saltbit; |
437 | int i; | |
db137867 | 438 | |
3202e249 | 439 | if(salt == (long)old_salt) |
db137867 AC |
440 | return; |
441 | old_salt = salt; | |
442 | ||
443 | saltbits = 0L; | |
444 | saltbit = 1; | |
445 | obit = 0x800000; | |
3202e249 VY |
446 | for(i = 0; i < 24; i++) |
447 | { | |
448 | if(salt & saltbit) | |
db137867 AC |
449 | saltbits |= obit; |
450 | saltbit <<= 1; | |
451 | obit >>= 1; | |
452 | } | |
453 | } | |
454 | ||
db137867 | 455 | static int |
08c2568c | 456 | rb_des_setkey(const char *key) |
db137867 | 457 | { |
3202e249 VY |
458 | uint32_t k0, k1, rawkey0, rawkey1; |
459 | int shifts, round; | |
db137867 | 460 | |
08c2568c | 461 | rb_des_init(); |
db137867 | 462 | |
3202e249 VY |
463 | rawkey0 = ntohl(*(const uint32_t *)key); |
464 | rawkey1 = ntohl(*(const uint32_t *)(key + 4)); | |
db137867 | 465 | |
3202e249 VY |
466 | if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1) |
467 | { | |
db137867 AC |
468 | /* |
469 | * Already setup for this key. | |
470 | * This optimisation fails on a zero key (which is weak and | |
471 | * has bad parity anyway) in order to simplify the starting | |
472 | * conditions. | |
473 | */ | |
3202e249 | 474 | return (0); |
db137867 AC |
475 | } |
476 | old_rawkey0 = rawkey0; | |
477 | old_rawkey1 = rawkey1; | |
478 | ||
479 | /* | |
3202e249 | 480 | * Do key permutation and split into two 28-bit subkeys. |
db137867 AC |
481 | */ |
482 | k0 = key_perm_maskl[0][rawkey0 >> 25] | |
3202e249 VY |
483 | | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f] |
484 | | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f] | |
485 | | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f] | |
486 | | key_perm_maskl[4][rawkey1 >> 25] | |
487 | | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f] | |
488 | | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f] | |
489 | | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f]; | |
db137867 | 490 | k1 = key_perm_maskr[0][rawkey0 >> 25] |
3202e249 VY |
491 | | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f] |
492 | | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f] | |
493 | | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f] | |
494 | | key_perm_maskr[4][rawkey1 >> 25] | |
495 | | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f] | |
496 | | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f] | |
497 | | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f]; | |
db137867 | 498 | /* |
3202e249 | 499 | * Rotate subkeys and do compression permutation. |
db137867 AC |
500 | */ |
501 | shifts = 0; | |
3202e249 VY |
502 | for(round = 0; round < 16; round++) |
503 | { | |
504 | uint32_t t0, t1; | |
db137867 AC |
505 | |
506 | shifts += key_shifts[round]; | |
507 | ||
508 | t0 = (k0 << shifts) | (k0 >> (28 - shifts)); | |
509 | t1 = (k1 << shifts) | (k1 >> (28 - shifts)); | |
510 | ||
511 | de_keysl[15 - round] = | |
3202e249 VY |
512 | en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f] |
513 | | comp_maskl[1][(t0 >> 14) & 0x7f] | |
514 | | comp_maskl[2][(t0 >> 7) & 0x7f] | |
515 | | comp_maskl[3][t0 & 0x7f] | |
516 | | comp_maskl[4][(t1 >> 21) & 0x7f] | |
517 | | comp_maskl[5][(t1 >> 14) & 0x7f] | |
518 | | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f]; | |
db137867 AC |
519 | |
520 | de_keysr[15 - round] = | |
3202e249 VY |
521 | en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f] |
522 | | comp_maskr[1][(t0 >> 14) & 0x7f] | |
523 | | comp_maskr[2][(t0 >> 7) & 0x7f] | |
524 | | comp_maskr[3][t0 & 0x7f] | |
525 | | comp_maskr[4][(t1 >> 21) & 0x7f] | |
526 | | comp_maskr[5][(t1 >> 14) & 0x7f] | |
527 | | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f]; | |
db137867 | 528 | } |
3202e249 | 529 | return (0); |
db137867 AC |
530 | } |
531 | ||
db137867 | 532 | static int |
08c2568c | 533 | rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count) |
db137867 AC |
534 | { |
535 | /* | |
3202e249 | 536 | * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format. |
db137867 | 537 | */ |
3202e249 VY |
538 | uint32_t l, r, *kl, *kr, *kl1, *kr1; |
539 | uint32_t f, r48l, r48r; | |
540 | int round; | |
db137867 | 541 | |
3202e249 VY |
542 | if(count == 0) |
543 | { | |
544 | return (1); | |
545 | } | |
546 | else if(count > 0) | |
547 | { | |
db137867 AC |
548 | /* |
549 | * Encrypting | |
550 | */ | |
551 | kl1 = en_keysl; | |
552 | kr1 = en_keysr; | |
3202e249 VY |
553 | } |
554 | else | |
555 | { | |
db137867 AC |
556 | /* |
557 | * Decrypting | |
558 | */ | |
559 | count = -count; | |
560 | kl1 = de_keysl; | |
561 | kr1 = de_keysr; | |
562 | } | |
563 | ||
564 | /* | |
3202e249 | 565 | * Do initial permutation (IP). |
db137867 AC |
566 | */ |
567 | l = ip_maskl[0][l_in >> 24] | |
3202e249 VY |
568 | | ip_maskl[1][(l_in >> 16) & 0xff] |
569 | | ip_maskl[2][(l_in >> 8) & 0xff] | |
570 | | ip_maskl[3][l_in & 0xff] | |
571 | | ip_maskl[4][r_in >> 24] | |
572 | | ip_maskl[5][(r_in >> 16) & 0xff] | |
573 | | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff]; | |
db137867 | 574 | r = ip_maskr[0][l_in >> 24] |
3202e249 VY |
575 | | ip_maskr[1][(l_in >> 16) & 0xff] |
576 | | ip_maskr[2][(l_in >> 8) & 0xff] | |
577 | | ip_maskr[3][l_in & 0xff] | |
578 | | ip_maskr[4][r_in >> 24] | |
579 | | ip_maskr[5][(r_in >> 16) & 0xff] | |
580 | | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff]; | |
581 | ||
582 | while(count--) | |
583 | { | |
db137867 AC |
584 | /* |
585 | * Do each round. | |
586 | */ | |
587 | kl = kl1; | |
588 | kr = kr1; | |
589 | round = 16; | |
3202e249 VY |
590 | while(round--) |
591 | { | |
db137867 AC |
592 | /* |
593 | * Expand R to 48 bits (simulate the E-box). | |
594 | */ | |
3202e249 | 595 | r48l = ((r & 0x00000001) << 23) |
db137867 AC |
596 | | ((r & 0xf8000000) >> 9) |
597 | | ((r & 0x1f800000) >> 11) | |
3202e249 | 598 | | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15); |
db137867 | 599 | |
3202e249 | 600 | r48r = ((r & 0x0001f800) << 7) |
db137867 AC |
601 | | ((r & 0x00001f80) << 5) |
602 | | ((r & 0x000001f8) << 3) | |
3202e249 | 603 | | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31); |
db137867 AC |
604 | /* |
605 | * Do salting for crypt() and friends, and | |
606 | * XOR with the permuted key. | |
607 | */ | |
608 | f = (r48l ^ r48r) & saltbits; | |
609 | r48l ^= f ^ *kl++; | |
610 | r48r ^= f ^ *kr++; | |
611 | /* | |
612 | * Do sbox lookups (which shrink it back to 32 bits) | |
613 | * and do the pbox permutation at the same time. | |
614 | */ | |
615 | f = psbox[0][m_sbox[0][r48l >> 12]] | |
3202e249 VY |
616 | | psbox[1][m_sbox[1][r48l & 0xfff]] |
617 | | psbox[2][m_sbox[2][r48r >> 12]] | |
618 | | psbox[3][m_sbox[3][r48r & 0xfff]]; | |
db137867 AC |
619 | /* |
620 | * Now that we've permuted things, complete f(). | |
621 | */ | |
622 | f ^= l; | |
623 | l = r; | |
624 | r = f; | |
625 | } | |
626 | r = l; | |
627 | l = f; | |
628 | } | |
629 | /* | |
630 | * Do final permutation (inverse of IP). | |
631 | */ | |
3202e249 | 632 | *l_out = fp_maskl[0][l >> 24] |
db137867 AC |
633 | | fp_maskl[1][(l >> 16) & 0xff] |
634 | | fp_maskl[2][(l >> 8) & 0xff] | |
635 | | fp_maskl[3][l & 0xff] | |
636 | | fp_maskl[4][r >> 24] | |
637 | | fp_maskl[5][(r >> 16) & 0xff] | |
3202e249 VY |
638 | | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff]; |
639 | *r_out = fp_maskr[0][l >> 24] | |
db137867 AC |
640 | | fp_maskr[1][(l >> 16) & 0xff] |
641 | | fp_maskr[2][(l >> 8) & 0xff] | |
642 | | fp_maskr[3][l & 0xff] | |
643 | | fp_maskr[4][r >> 24] | |
644 | | fp_maskr[5][(r >> 16) & 0xff] | |
3202e249 VY |
645 | | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff]; |
646 | return (0); | |
db137867 AC |
647 | } |
648 | ||
db137867 | 649 | static char * |
08c2568c | 650 | rb_des_crypt(const char *key, const char *setting) |
db137867 | 651 | { |
3202e249 VY |
652 | uint32_t count, salt, l, r0, r1, keybuf[2]; |
653 | uint8_t *p, *q; | |
654 | static char output[21]; | |
db137867 | 655 | |
08c2568c | 656 | rb_des_init(); |
db137867 AC |
657 | |
658 | /* | |
659 | * Copy the key, shifting each character up by one bit | |
660 | * and padding with zeros. | |
661 | */ | |
3202e249 VY |
662 | q = (uint8_t *)keybuf; |
663 | while(q - (uint8_t *)keybuf - 8) | |
664 | { | |
db137867 | 665 | *q++ = *key << 1; |
3202e249 | 666 | if(*(q - 1)) |
db137867 AC |
667 | key++; |
668 | } | |
08c2568c | 669 | if(rb_des_setkey((char *)keybuf)) |
3202e249 | 670 | return (NULL); |
db137867 AC |
671 | { |
672 | /* | |
673 | * "old"-style: | |
3202e249 VY |
674 | * setting - 2 bytes of salt |
675 | * key - up to 8 characters | |
db137867 AC |
676 | */ |
677 | count = 25; | |
678 | ||
08c2568c | 679 | salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]); |
db137867 AC |
680 | |
681 | output[0] = setting[0]; | |
682 | /* | |
683 | * If the encrypted password that the salt was extracted from | |
684 | * is only 1 character long, the salt will be corrupted. We | |
685 | * need to ensure that the output string doesn't have an extra | |
686 | * NUL in it! | |
687 | */ | |
688 | output[1] = setting[1] ? setting[1] : output[0]; | |
689 | ||
3202e249 | 690 | p = (uint8_t *)output + 2; |
db137867 | 691 | } |
08c2568c | 692 | rb_setup_salt(salt); |
db137867 AC |
693 | /* |
694 | * Do it. | |
695 | */ | |
08c2568c | 696 | if(rb_do_des(0L, 0L, &r0, &r1, (int)count)) |
3202e249 | 697 | return (NULL); |
db137867 AC |
698 | /* |
699 | * Now encode the result... | |
700 | */ | |
701 | l = (r0 >> 8); | |
702 | *p++ = ascii64[(l >> 18) & 0x3f]; | |
703 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
704 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
705 | *p++ = ascii64[l & 0x3f]; | |
706 | ||
707 | l = (r0 << 16) | ((r1 >> 16) & 0xffff); | |
708 | *p++ = ascii64[(l >> 18) & 0x3f]; | |
709 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
710 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
711 | *p++ = ascii64[l & 0x3f]; | |
712 | ||
713 | l = r1 << 2; | |
714 | *p++ = ascii64[(l >> 12) & 0x3f]; | |
715 | *p++ = ascii64[(l >> 6) & 0x3f]; | |
716 | *p++ = ascii64[l & 0x3f]; | |
717 | *p = 0; | |
718 | ||
3202e249 | 719 | return (output); |
db137867 AC |
720 | } |
721 | ||
722 | /* Now md5 crypt */ | |
db137867 AC |
723 | /* |
724 | * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm | |
725 | * | |
726 | * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All | |
727 | * rights reserved. | |
728 | * | |
729 | * License to copy and use this software is granted provided that it | |
730 | * is identified as the "RSA Data Security, Inc. MD5 Message-Digest | |
731 | * Algorithm" in all material mentioning or referencing this software | |
732 | * or this function. | |
733 | * | |
734 | * License is also granted to make and use derivative works provided | |
735 | * that such works are identified as "derived from the RSA Data | |
736 | * Security, Inc. MD5 Message-Digest Algorithm" in all material | |
737 | * mentioning or referencing the derived work. | |
738 | * | |
739 | * RSA Data Security, Inc. makes no representations concerning either | |
740 | * the merchantability of this software or the suitability of this | |
741 | * software for any particular purpose. It is provided "as is" | |
742 | * without express or implied warranty of any kind. | |
743 | * | |
744 | * These notices must be retained in any copies of any part of this | |
745 | * documentation and/or software. | |
746 | * | |
db137867 AC |
747 | * This code is the same as the code published by RSA Inc. It has been |
748 | * edited for clarity and style only. | |
db137867 | 749 | */ |
db137867 | 750 | |
08c2568c EM |
751 | #define MD5_BLOCK_LENGTH 64 |
752 | #define MD5_DIGEST_LENGTH 16 | |
753 | #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1) | |
754 | #define MD5_SIZE 16 | |
db137867 | 755 | |
08c2568c EM |
756 | static void |
757 | _crypt_to64(char *s, u_long v, int n) | |
3202e249 | 758 | { |
08c2568c EM |
759 | while (--n >= 0) { |
760 | *s++ = ascii64[v&0x3f]; | |
761 | v >>= 6; | |
762 | } | |
763 | } | |
db137867 | 764 | |
08c2568c EM |
765 | /* MD5 context. */ |
766 | typedef struct MD5Context { | |
48dc39f7 EM |
767 | uint32_t state[4]; /* state (ABCD) */ |
768 | uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */ | |
08c2568c EM |
769 | unsigned char buffer[64]; /* input buffer */ |
770 | } MD5_CTX; | |
771 | ||
48dc39f7 | 772 | static void MD5Transform(uint32_t [4], const unsigned char [64]); |
08c2568c EM |
773 | static void MD5Init (MD5_CTX *); |
774 | static void MD5Update (MD5_CTX *, const void *, unsigned int); | |
775 | static void MD5Final (unsigned char [16], MD5_CTX *); | |
776 | ||
f171dafb | 777 | #ifndef WORDS_BIGENDIAN |
08c2568c EM |
778 | #define Encode memcpy |
779 | #define Decode memcpy | |
55abcbb2 | 780 | #else |
db137867 AC |
781 | |
782 | /* | |
48dc39f7 | 783 | * Encodes input (uint32_t) into output (unsigned char). Assumes len is |
db137867 AC |
784 | * a multiple of 4. |
785 | */ | |
786 | ||
787 | static void | |
48dc39f7 | 788 | Encode (unsigned char *output, uint32_t *input, unsigned int len) |
db137867 | 789 | { |
08c2568c | 790 | unsigned int i; |
48dc39f7 | 791 | uint32_t *op = (uint32_t *)output; |
db137867 | 792 | |
08c2568c EM |
793 | for (i = 0; i < len / 4; i++) |
794 | op[i] = htole32(input[i]); | |
db137867 AC |
795 | } |
796 | ||
797 | /* | |
48dc39f7 | 798 | * Decodes input (unsigned char) into output (uint32_t). Assumes len is |
db137867 AC |
799 | * a multiple of 4. |
800 | */ | |
801 | ||
802 | static void | |
48dc39f7 | 803 | Decode (uint32_t *output, const unsigned char *input, unsigned int len) |
db137867 | 804 | { |
08c2568c | 805 | unsigned int i; |
48dc39f7 | 806 | const uint32_t *ip = (const uint32_t *)input; |
db137867 | 807 | |
08c2568c EM |
808 | for (i = 0; i < len / 4; i++) |
809 | output[i] = le32toh(ip[i]); | |
db137867 | 810 | } |
08c2568c EM |
811 | #endif |
812 | ||
813 | static unsigned char PADDING[64] = { | |
814 | 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
815 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | |
816 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 | |
817 | }; | |
db137867 AC |
818 | |
819 | /* F, G, H and I are basic MD5 functions. */ | |
820 | #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) | |
821 | #define G(x, y, z) (((x) & (z)) | ((y) & (~z))) | |
822 | #define H(x, y, z) ((x) ^ (y) ^ (z)) | |
823 | #define I(x, y, z) ((y) ^ ((x) | (~z))) | |
824 | ||
825 | /* ROTATE_LEFT rotates x left n bits. */ | |
826 | #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) | |
827 | ||
828 | /* | |
829 | * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. | |
830 | * Rotation is separate from addition to prevent recomputation. | |
831 | */ | |
832 | #define FF(a, b, c, d, x, s, ac) { \ | |
48dc39f7 | 833 | (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
db137867 AC |
834 | (a) = ROTATE_LEFT ((a), (s)); \ |
835 | (a) += (b); \ | |
836 | } | |
837 | #define GG(a, b, c, d, x, s, ac) { \ | |
48dc39f7 | 838 | (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
db137867 AC |
839 | (a) = ROTATE_LEFT ((a), (s)); \ |
840 | (a) += (b); \ | |
841 | } | |
842 | #define HH(a, b, c, d, x, s, ac) { \ | |
48dc39f7 | 843 | (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
db137867 AC |
844 | (a) = ROTATE_LEFT ((a), (s)); \ |
845 | (a) += (b); \ | |
846 | } | |
847 | #define II(a, b, c, d, x, s, ac) { \ | |
48dc39f7 | 848 | (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \ |
db137867 AC |
849 | (a) = ROTATE_LEFT ((a), (s)); \ |
850 | (a) += (b); \ | |
851 | } | |
852 | ||
853 | /* MD5 initialization. Begins an MD5 operation, writing a new context. */ | |
854 | ||
3202e249 | 855 | static void |
08c2568c EM |
856 | MD5Init (context) |
857 | MD5_CTX *context; | |
db137867 | 858 | { |
08c2568c | 859 | |
db137867 AC |
860 | context->count[0] = context->count[1] = 0; |
861 | ||
862 | /* Load magic initialization constants. */ | |
863 | context->state[0] = 0x67452301; | |
864 | context->state[1] = 0xefcdab89; | |
865 | context->state[2] = 0x98badcfe; | |
866 | context->state[3] = 0x10325476; | |
867 | } | |
868 | ||
55abcbb2 | 869 | /* |
db137867 AC |
870 | * MD5 block update operation. Continues an MD5 message-digest |
871 | * operation, processing another message block, and updating the | |
872 | * context. | |
873 | */ | |
874 | ||
3202e249 | 875 | static void |
08c2568c EM |
876 | MD5Update (context, in, inputLen) |
877 | MD5_CTX *context; | |
878 | const void *in; | |
879 | unsigned int inputLen; | |
db137867 | 880 | { |
08c2568c EM |
881 | unsigned int i, idx, partLen; |
882 | const unsigned char *input = in; | |
883 | ||
db137867 | 884 | /* Compute number of bytes mod 64 */ |
08c2568c | 885 | idx = (unsigned int)((context->count[0] >> 3) & 0x3F); |
db137867 AC |
886 | |
887 | /* Update number of bits */ | |
48dc39f7 EM |
888 | if ((context->count[0] += ((uint32_t)inputLen << 3)) |
889 | < ((uint32_t)inputLen << 3)) | |
db137867 | 890 | context->count[1]++; |
48dc39f7 | 891 | context->count[1] += ((uint32_t)inputLen >> 29); |
db137867 | 892 | |
08c2568c | 893 | partLen = 64 - idx; |
db137867 AC |
894 | |
895 | /* Transform as many times as possible. */ | |
08c2568c EM |
896 | if (inputLen >= partLen) { |
897 | memcpy((void *)&context->buffer[idx], (const void *)input, | |
898 | partLen); | |
899 | MD5Transform (context->state, context->buffer); | |
db137867 | 900 | |
08c2568c EM |
901 | for (i = partLen; i + 63 < inputLen; i += 64) |
902 | MD5Transform (context->state, &input[i]); | |
db137867 | 903 | |
08c2568c | 904 | idx = 0; |
db137867 AC |
905 | } |
906 | else | |
907 | i = 0; | |
908 | ||
909 | /* Buffer remaining input */ | |
08c2568c EM |
910 | memcpy ((void *)&context->buffer[idx], (const void *)&input[i], |
911 | inputLen-i); | |
db137867 AC |
912 | } |
913 | ||
914 | /* | |
915 | * MD5 padding. Adds padding followed by original length. | |
916 | */ | |
917 | ||
3202e249 | 918 | static void |
08c2568c EM |
919 | MD5Pad (context) |
920 | MD5_CTX *context; | |
db137867 | 921 | { |
08c2568c EM |
922 | unsigned char bits[8]; |
923 | unsigned int idx, padLen; | |
db137867 AC |
924 | |
925 | /* Save number of bits */ | |
08c2568c | 926 | Encode (bits, context->count, 8); |
db137867 AC |
927 | |
928 | /* Pad out to 56 mod 64. */ | |
08c2568c EM |
929 | idx = (unsigned int)((context->count[0] >> 3) & 0x3f); |
930 | padLen = (idx < 56) ? (56 - idx) : (120 - idx); | |
931 | MD5Update (context, PADDING, padLen); | |
db137867 AC |
932 | |
933 | /* Append length (before padding) */ | |
08c2568c | 934 | MD5Update (context, bits, 8); |
db137867 AC |
935 | } |
936 | ||
937 | /* | |
938 | * MD5 finalization. Ends an MD5 message-digest operation, writing the | |
939 | * the message digest and zeroizing the context. | |
940 | */ | |
941 | ||
3202e249 | 942 | static void |
08c2568c EM |
943 | MD5Final (digest, context) |
944 | unsigned char digest[16]; | |
945 | MD5_CTX *context; | |
db137867 | 946 | { |
db137867 | 947 | /* Do padding. */ |
08c2568c | 948 | MD5Pad (context); |
db137867 AC |
949 | |
950 | /* Store state in digest */ | |
08c2568c | 951 | Encode (digest, context->state, 16); |
db137867 AC |
952 | |
953 | /* Zeroize sensitive information. */ | |
08c2568c | 954 | memset ((void *)context, 0, sizeof (*context)); |
db137867 AC |
955 | } |
956 | ||
957 | /* MD5 basic transformation. Transforms state based on block. */ | |
958 | ||
959 | static void | |
08c2568c | 960 | MD5Transform (state, block) |
48dc39f7 | 961 | uint32_t state[4]; |
08c2568c | 962 | const unsigned char block[64]; |
db137867 | 963 | { |
48dc39f7 | 964 | uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16]; |
db137867 | 965 | |
08c2568c | 966 | Decode (x, block, 64); |
db137867 AC |
967 | |
968 | /* Round 1 */ | |
db137867 AC |
969 | #define S11 7 |
970 | #define S12 12 | |
971 | #define S13 17 | |
972 | #define S14 22 | |
08c2568c EM |
973 | FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ |
974 | FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ | |
975 | FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ | |
976 | FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ | |
977 | FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ | |
978 | FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ | |
979 | FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ | |
980 | FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ | |
981 | FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ | |
982 | FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ | |
983 | FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ | |
984 | FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ | |
985 | FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ | |
986 | FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ | |
987 | FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ | |
988 | FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ | |
db137867 AC |
989 | |
990 | /* Round 2 */ | |
991 | #define S21 5 | |
992 | #define S22 9 | |
993 | #define S23 14 | |
994 | #define S24 20 | |
08c2568c EM |
995 | GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ |
996 | GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ | |
997 | GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ | |
998 | GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ | |
999 | GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ | |
1000 | GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ | |
1001 | GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ | |
1002 | GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ | |
1003 | GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ | |
1004 | GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ | |
1005 | GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ | |
1006 | GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ | |
1007 | GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ | |
1008 | GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ | |
1009 | GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ | |
1010 | GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ | |
db137867 AC |
1011 | |
1012 | /* Round 3 */ | |
1013 | #define S31 4 | |
1014 | #define S32 11 | |
1015 | #define S33 16 | |
1016 | #define S34 23 | |
08c2568c EM |
1017 | HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ |
1018 | HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ | |
1019 | HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ | |
1020 | HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ | |
1021 | HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ | |
1022 | HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ | |
1023 | HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ | |
1024 | HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ | |
1025 | HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ | |
1026 | HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ | |
1027 | HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ | |
1028 | HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ | |
1029 | HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ | |
1030 | HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ | |
1031 | HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ | |
1032 | HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ | |
db137867 AC |
1033 | |
1034 | /* Round 4 */ | |
1035 | #define S41 6 | |
1036 | #define S42 10 | |
1037 | #define S43 15 | |
1038 | #define S44 21 | |
08c2568c EM |
1039 | II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ |
1040 | II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ | |
1041 | II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ | |
1042 | II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ | |
1043 | II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ | |
1044 | II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ | |
1045 | II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ | |
1046 | II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ | |
1047 | II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ | |
1048 | II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ | |
1049 | II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ | |
1050 | II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ | |
1051 | II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ | |
1052 | II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ | |
1053 | II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ | |
1054 | II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ | |
db137867 AC |
1055 | |
1056 | state[0] += a; | |
1057 | state[1] += b; | |
1058 | state[2] += c; | |
1059 | state[3] += d; | |
1060 | ||
1061 | /* Zeroize sensitive information. */ | |
08c2568c | 1062 | memset ((void *)x, 0, sizeof (x)); |
db137867 AC |
1063 | } |
1064 | ||
1065 | /* | |
1066 | * UNIX password | |
db137867 AC |
1067 | */ |
1068 | ||
3202e249 | 1069 | static char * |
08c2568c | 1070 | rb_md5_crypt(const char *pw, const char *salt) |
db137867 | 1071 | { |
08c2568c EM |
1072 | MD5_CTX ctx,ctx1; |
1073 | unsigned long l; | |
1074 | int sl, pl; | |
1075 | u_int i; | |
1076 | u_char final[MD5_SIZE]; | |
db137867 AC |
1077 | static const char *sp, *ep; |
1078 | static char passwd[120], *p; | |
08c2568c | 1079 | static const char *magic = "$1$"; |
db137867 AC |
1080 | |
1081 | /* Refine the Salt first */ | |
1082 | sp = salt; | |
1083 | ||
1084 | /* If it starts with the magic string, then skip that */ | |
08c2568c EM |
1085 | if(!strncmp(sp, magic, strlen(magic))) |
1086 | sp += strlen(magic); | |
db137867 AC |
1087 | |
1088 | /* It stops at the first '$', max 8 chars */ | |
3202e249 | 1089 | for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++) |
db137867 AC |
1090 | continue; |
1091 | ||
1092 | /* get the length of the true salt */ | |
1093 | sl = ep - sp; | |
1094 | ||
08c2568c | 1095 | MD5Init(&ctx); |
db137867 AC |
1096 | |
1097 | /* The password first, since that is what is most unknown */ | |
08c2568c | 1098 | MD5Update(&ctx, (const u_char *)pw, strlen(pw)); |
db137867 AC |
1099 | |
1100 | /* Then our magic string */ | |
08c2568c | 1101 | MD5Update(&ctx, (const u_char *)magic, strlen(magic)); |
db137867 AC |
1102 | |
1103 | /* Then the raw salt */ | |
08c2568c | 1104 | MD5Update(&ctx, (const u_char *)sp, (u_int)sl); |
db137867 AC |
1105 | |
1106 | /* Then just as many characters of the MD5(pw,salt,pw) */ | |
08c2568c EM |
1107 | MD5Init(&ctx1); |
1108 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); | |
1109 | MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); | |
1110 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); | |
1111 | MD5Final(final, &ctx1); | |
1112 | for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE) | |
1113 | MD5Update(&ctx, (const u_char *)final, | |
1114 | (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl)); | |
db137867 AC |
1115 | |
1116 | /* Don't leave anything around in vm they could use. */ | |
08c2568c | 1117 | memset(final, 0, sizeof(final)); |
db137867 AC |
1118 | |
1119 | /* Then something really weird... */ | |
08c2568c EM |
1120 | for (i = strlen(pw); i; i >>= 1) |
1121 | if(i & 1) | |
1122 | MD5Update(&ctx, (const u_char *)final, 1); | |
1123 | else | |
1124 | MD5Update(&ctx, (const u_char *)pw, 1); | |
db137867 AC |
1125 | |
1126 | /* Now make the output string */ | |
08c2568c EM |
1127 | rb_strlcpy(passwd, magic, sizeof(passwd)); |
1128 | strncat(passwd, sp, (u_int)sl); | |
56c1612f | 1129 | rb_strlcat(passwd, "$", sizeof(passwd)); |
db137867 | 1130 | |
08c2568c | 1131 | MD5Final(final, &ctx); |
db137867 AC |
1132 | |
1133 | /* | |
1134 | * and now, just to make sure things don't run too fast | |
1135 | * On a 60 Mhz Pentium this takes 34 msec, so you would | |
1136 | * need 30 seconds to build a 1000 entry dictionary... | |
1137 | */ | |
08c2568c EM |
1138 | for(i = 0; i < 1000; i++) { |
1139 | MD5Init(&ctx1); | |
db137867 | 1140 | if(i & 1) |
08c2568c | 1141 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
db137867 | 1142 | else |
08c2568c | 1143 | MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); |
db137867 AC |
1144 | |
1145 | if(i % 3) | |
08c2568c | 1146 | MD5Update(&ctx1, (const u_char *)sp, (u_int)sl); |
db137867 AC |
1147 | |
1148 | if(i % 7) | |
08c2568c | 1149 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
db137867 AC |
1150 | |
1151 | if(i & 1) | |
08c2568c | 1152 | MD5Update(&ctx1, (const u_char *)final, MD5_SIZE); |
db137867 | 1153 | else |
08c2568c EM |
1154 | MD5Update(&ctx1, (const u_char *)pw, strlen(pw)); |
1155 | MD5Final(final, &ctx1); | |
db137867 AC |
1156 | } |
1157 | ||
1158 | p = passwd + strlen(passwd); | |
1159 | ||
08c2568c EM |
1160 | l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; |
1161 | _crypt_to64(p, l, 4); p += 4; | |
1162 | l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; | |
1163 | _crypt_to64(p, l, 4); p += 4; | |
1164 | l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; | |
1165 | _crypt_to64(p, l, 4); p += 4; | |
1166 | l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; | |
1167 | _crypt_to64(p, l, 4); p += 4; | |
1168 | l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; | |
1169 | _crypt_to64(p, l, 4); p += 4; | |
db137867 | 1170 | l = final[11]; |
08c2568c | 1171 | _crypt_to64(p, l, 2); p += 2; |
db137867 AC |
1172 | *p = '\0'; |
1173 | ||
1174 | /* Don't leave anything around in vm they could use. */ | |
08c2568c EM |
1175 | memset(final, 0, sizeof(final)); |
1176 | ||
1177 | return (passwd); | |
1178 | } | |
1179 | ||
1180 | ||
1181 | /* SHA256-based Unix crypt implementation. | |
1182 | Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */ | |
1183 | ||
1184 | /* Structure to save state of computation between the single steps. */ | |
1185 | struct sha256_ctx | |
1186 | { | |
1187 | uint32_t H[8]; | |
1188 | ||
1189 | uint32_t total[2]; | |
1190 | uint32_t buflen; | |
1191 | char buffer[128]; /* NB: always correctly aligned for uint32_t. */ | |
1192 | }; | |
1193 | ||
f171dafb | 1194 | #ifndef WORDS_BIGENDIAN |
08c2568c EM |
1195 | # define SHA256_SWAP(n) \ |
1196 | (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) | |
1197 | #else | |
1198 | # define SHA256_SWAP(n) (n) | |
1199 | #endif | |
1200 | ||
1201 | /* This array contains the bytes used to pad the buffer to the next | |
1202 | 64-byte boundary. (FIPS 180-2:5.1.1) */ | |
1203 | static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; | |
1204 | ||
1205 | ||
1206 | /* Constants for SHA256 from FIPS 180-2:4.2.2. */ | |
1207 | static const uint32_t SHA256_K[64] = { | |
1208 | 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, | |
1209 | 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, | |
1210 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, | |
1211 | 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, | |
1212 | 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, | |
1213 | 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, | |
1214 | 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, | |
1215 | 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, | |
1216 | 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, | |
1217 | 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, | |
1218 | 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, | |
1219 | 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, | |
1220 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, | |
1221 | 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, | |
1222 | 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, | |
1223 | 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 | |
1224 | }; | |
1225 | ||
1226 | ||
1227 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | |
1228 | It is assumed that LEN % 64 == 0. */ | |
1229 | static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx) | |
1230 | { | |
1231 | const uint32_t *words = buffer; | |
1232 | size_t nwords = len / sizeof(uint32_t); | |
1233 | uint32_t a = ctx->H[0]; | |
1234 | uint32_t b = ctx->H[1]; | |
1235 | uint32_t c = ctx->H[2]; | |
1236 | uint32_t d = ctx->H[3]; | |
1237 | uint32_t e = ctx->H[4]; | |
1238 | uint32_t f = ctx->H[5]; | |
1239 | uint32_t g = ctx->H[6]; | |
1240 | uint32_t h = ctx->H[7]; | |
1241 | ||
1242 | /* First increment the byte count. FIPS 180-2 specifies the possible | |
1243 | length of the file up to 2^64 bits. Here we only compute the | |
1244 | number of bytes. Do a double word increment. */ | |
1245 | ctx->total[0] += len; | |
1246 | if (ctx->total[0] < len) | |
1247 | ++ctx->total[1]; | |
1248 | ||
1249 | /* Process all bytes in the buffer with 64 bytes in each round of | |
1250 | the loop. */ | |
1251 | while (nwords > 0) | |
1252 | { | |
1253 | uint32_t W[64]; | |
1254 | uint32_t a_save = a; | |
1255 | uint32_t b_save = b; | |
1256 | uint32_t c_save = c; | |
1257 | uint32_t d_save = d; | |
1258 | uint32_t e_save = e; | |
1259 | uint32_t f_save = f; | |
1260 | uint32_t g_save = g; | |
1261 | uint32_t h_save = h; | |
1262 | unsigned int t; | |
1263 | ||
1264 | /* Operators defined in FIPS 180-2:4.1.2. */ | |
1265 | #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z)) | |
1266 | #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) | |
1267 | #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22)) | |
1268 | #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25)) | |
1269 | #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3)) | |
1270 | #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10)) | |
1271 | ||
1272 | /* It is unfortunate that C does not provide an operator for | |
1273 | cyclic rotation. Hope the C compiler is smart enough. */ | |
1274 | #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s))) | |
1275 | ||
1276 | /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ | |
1277 | for (t = 0; t < 16; ++t) | |
1278 | { | |
1279 | W[t] = SHA256_SWAP(*words); | |
1280 | ++words; | |
1281 | } | |
1282 | for (t = 16; t < 64; ++t) | |
1283 | W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16]; | |
1284 | ||
1285 | /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ | |
1286 | for (t = 0; t < 64; ++t) | |
1287 | { | |
1288 | uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t]; | |
1289 | uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c); | |
1290 | h = g; | |
1291 | g = f; | |
1292 | f = e; | |
1293 | e = d + T1; | |
1294 | d = c; | |
1295 | c = b; | |
1296 | b = a; | |
1297 | a = T1 + T2; | |
1298 | } | |
1299 | ||
1300 | /* Add the starting values of the context according to FIPS 180-2:6.2.2 | |
1301 | step 4. */ | |
1302 | a += a_save; | |
1303 | b += b_save; | |
1304 | c += c_save; | |
1305 | d += d_save; | |
1306 | e += e_save; | |
1307 | f += f_save; | |
1308 | g += g_save; | |
1309 | h += h_save; | |
1310 | ||
1311 | /* Prepare for the next round. */ | |
1312 | nwords -= 16; | |
1313 | } | |
1314 | ||
1315 | /* Put checksum in context given as argument. */ | |
1316 | ctx->H[0] = a; | |
1317 | ctx->H[1] = b; | |
1318 | ctx->H[2] = c; | |
1319 | ctx->H[3] = d; | |
1320 | ctx->H[4] = e; | |
1321 | ctx->H[5] = f; | |
1322 | ctx->H[6] = g; | |
1323 | ctx->H[7] = h; | |
1324 | } | |
1325 | ||
1326 | ||
1327 | /* Initialize structure containing state of computation. | |
1328 | (FIPS 180-2:5.3.2) */ | |
1329 | static void rb_sha256_init_ctx(struct sha256_ctx *ctx) | |
1330 | { | |
1331 | ctx->H[0] = 0x6a09e667; | |
1332 | ctx->H[1] = 0xbb67ae85; | |
1333 | ctx->H[2] = 0x3c6ef372; | |
1334 | ctx->H[3] = 0xa54ff53a; | |
1335 | ctx->H[4] = 0x510e527f; | |
1336 | ctx->H[5] = 0x9b05688c; | |
1337 | ctx->H[6] = 0x1f83d9ab; | |
1338 | ctx->H[7] = 0x5be0cd19; | |
1339 | ||
1340 | ctx->total[0] = ctx->total[1] = 0; | |
1341 | ctx->buflen = 0; | |
1342 | } | |
1343 | ||
1344 | ||
1345 | /* Process the remaining bytes in the internal buffer and the usual | |
1346 | prolog according to the standard and write the result to RESBUF. | |
1347 | ||
1348 | IMPORTANT: On some systems it is required that RESBUF is correctly | |
1349 | aligned for a 32 bits value. */ | |
1350 | static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) | |
1351 | { | |
1352 | /* Take yet unprocessed bytes into account. */ | |
1353 | uint32_t bytes = ctx->buflen; | |
1354 | size_t pad; | |
1355 | unsigned int i; | |
1356 | ||
1357 | /* Now count remaining bytes. */ | |
1358 | ctx->total[0] += bytes; | |
1359 | if (ctx->total[0] < bytes) | |
1360 | ++ctx->total[1]; | |
1361 | ||
1362 | pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; | |
1363 | memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad); | |
1364 | ||
1365 | /* Put the 64-bit file length in *bits* at the end of the buffer. */ | |
1366 | *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SHA256_SWAP(ctx->total[0] << 3); | |
1367 | *(uint32_t *) & ctx->buffer[bytes + pad] = SHA256_SWAP((ctx->total[1] << 3) | | |
1368 | (ctx->total[0] >> 29)); | |
1369 | ||
1370 | /* Process last bytes. */ | |
1371 | rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx); | |
1372 | ||
1373 | /* Put result from CTX in first 32 bytes following RESBUF. */ | |
1374 | for (i = 0; i < 8; ++i) | |
1375 | ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]); | |
1376 | ||
1377 | return resbuf; | |
1378 | } | |
1379 | ||
1380 | ||
1381 | static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) | |
1382 | { | |
1383 | /* When we already have some bits in our internal buffer concatenate | |
1384 | both inputs first. */ | |
1385 | if (ctx->buflen != 0) | |
1386 | { | |
1387 | size_t left_over = ctx->buflen; | |
1388 | size_t add = 128 - left_over > len ? len : 128 - left_over; | |
1389 | ||
1390 | memcpy(&ctx->buffer[left_over], buffer, add); | |
1391 | ctx->buflen += add; | |
1392 | ||
1393 | if (ctx->buflen > 64) | |
1394 | { | |
1395 | rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx); | |
1396 | ||
1397 | ctx->buflen &= 63; | |
1398 | /* The regions in the following copy operation cannot overlap. */ | |
1399 | memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen); | |
1400 | } | |
1401 | ||
1402 | buffer = (const char *)buffer + add; | |
1403 | len -= add; | |
1404 | } | |
1405 | ||
1406 | /* Process available complete blocks. */ | |
1407 | if (len >= 64) | |
1408 | { | |
1409 | /* To check alignment gcc has an appropriate operator. Other | |
1410 | compilers don't. */ | |
1411 | #if __GNUC__ >= 2 | |
1412 | # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) | |
1413 | #else | |
1414 | # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) | |
1415 | #endif | |
1416 | if (SHA256_UNALIGNED_P(buffer)) | |
1417 | while (len > 64) | |
1418 | { | |
1419 | rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx); | |
1420 | buffer = (const char *)buffer + 64; | |
1421 | len -= 64; | |
1422 | } | |
1423 | else | |
1424 | { | |
1425 | rb_sha256_process_block(buffer, len & ~63, ctx); | |
1426 | buffer = (const char *)buffer + (len & ~63); | |
1427 | len &= 63; | |
1428 | } | |
1429 | } | |
1430 | ||
1431 | /* Move remaining bytes into internal buffer. */ | |
1432 | if (len > 0) | |
1433 | { | |
1434 | size_t left_over = ctx->buflen; | |
1435 | ||
1436 | memcpy(&ctx->buffer[left_over], buffer, len); | |
1437 | left_over += len; | |
1438 | if (left_over >= 64) | |
1439 | { | |
1440 | rb_sha256_process_block(ctx->buffer, 64, ctx); | |
1441 | left_over -= 64; | |
1442 | memcpy(ctx->buffer, &ctx->buffer[64], left_over); | |
1443 | } | |
1444 | ctx->buflen = left_over; | |
1445 | } | |
1446 | } | |
1447 | ||
1448 | ||
1449 | /* Define our magic string to mark salt for SHA256 "encryption" | |
1450 | replacement. */ | |
1451 | static const char sha256_salt_prefix[] = "$5$"; | |
1452 | ||
1453 | /* Prefix for optional rounds specification. */ | |
1454 | static const char sha256_rounds_prefix[] = "rounds="; | |
1455 | ||
1456 | /* Maximum salt string length. */ | |
1457 | #define SHA256_SALT_LEN_MAX 16 | |
1458 | /* Default number of rounds if not explicitly specified. */ | |
1459 | #define SHA256_ROUNDS_DEFAULT 5000 | |
1460 | /* Minimum number of rounds. */ | |
1461 | #define SHA256_ROUNDS_MIN 1000 | |
1462 | /* Maximum number of rounds. */ | |
1463 | #define SHA256_ROUNDS_MAX 999999999 | |
1464 | ||
1465 | static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen) | |
1466 | { | |
1467 | unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t)))); | |
1468 | unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t)))); | |
1469 | struct sha256_ctx ctx; | |
1470 | struct sha256_ctx alt_ctx; | |
1471 | size_t salt_len; | |
1472 | size_t key_len; | |
1473 | size_t cnt; | |
1474 | char *cp; | |
1475 | char *copied_key = NULL; | |
1476 | char *copied_salt = NULL; | |
1477 | char *p_bytes; | |
1478 | char *s_bytes; | |
1479 | /* Default number of rounds. */ | |
1480 | size_t rounds = SHA256_ROUNDS_DEFAULT; | |
1481 | int rounds_custom = 0; | |
1482 | ||
1483 | /* Find beginning of salt string. The prefix should normally always | |
1484 | be present. Just in case it is not. */ | |
1485 | if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) | |
1486 | /* Skip salt prefix. */ | |
1487 | salt += sizeof(sha256_salt_prefix) - 1; | |
1488 | ||
1489 | if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0) | |
1490 | { | |
1491 | const char *num = salt + sizeof(sha256_rounds_prefix) - 1; | |
1492 | char *endp; | |
1493 | unsigned long int srounds = strtoul(num, &endp, 10); | |
1494 | if (*endp == '$') | |
1495 | { | |
1496 | salt = endp + 1; | |
1497 | rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX)); | |
1498 | rounds_custom = 1; | |
1499 | } | |
1500 | } | |
1501 | ||
1502 | salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX); | |
1503 | key_len = strlen(key); | |
1504 | ||
1505 | if ((key - (char *)0) % __alignof__(uint32_t) != 0) | |
1506 | { | |
1507 | char *tmp = (char *)alloca(key_len + __alignof__(uint32_t)); | |
1508 | key = copied_key = | |
1509 | memcpy(tmp + __alignof__(uint32_t) | |
1510 | - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len); | |
1511 | } | |
1512 | ||
1513 | if ((salt - (char *)0) % __alignof__(uint32_t) != 0) | |
1514 | { | |
1515 | char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t)); | |
1516 | salt = copied_salt = | |
1517 | memcpy(tmp + __alignof__(uint32_t) | |
1518 | - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len); | |
1519 | } | |
1520 | ||
1521 | /* Prepare for the real work. */ | |
1522 | rb_sha256_init_ctx(&ctx); | |
1523 | ||
1524 | /* Add the key string. */ | |
1525 | rb_sha256_process_bytes(key, key_len, &ctx); | |
1526 | ||
1527 | /* The last part is the salt string. This must be at most 16 | |
1528 | characters and it ends at the first `$' character (for | |
1529 | compatibility with existing implementations). */ | |
1530 | rb_sha256_process_bytes(salt, salt_len, &ctx); | |
1531 | ||
1532 | ||
1533 | /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The | |
1534 | final result will be added to the first context. */ | |
1535 | rb_sha256_init_ctx(&alt_ctx); | |
1536 | ||
1537 | /* Add key. */ | |
1538 | rb_sha256_process_bytes(key, key_len, &alt_ctx); | |
1539 | ||
1540 | /* Add salt. */ | |
1541 | rb_sha256_process_bytes(salt, salt_len, &alt_ctx); | |
1542 | ||
1543 | /* Add key again. */ | |
1544 | rb_sha256_process_bytes(key, key_len, &alt_ctx); | |
1545 | ||
1546 | /* Now get result of this (32 bytes) and add it to the other | |
1547 | context. */ | |
1548 | rb_sha256_finish_ctx(&alt_ctx, alt_result); | |
1549 | ||
1550 | /* Add for any character in the key one byte of the alternate sum. */ | |
1551 | for (cnt = key_len; cnt > 32; cnt -= 32) | |
1552 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1553 | rb_sha256_process_bytes(alt_result, cnt, &ctx); | |
1554 | ||
1555 | /* Take the binary representation of the length of the key and for every | |
1556 | 1 add the alternate sum, for every 0 the key. */ | |
1557 | for (cnt = key_len; cnt > 0; cnt >>= 1) | |
1558 | if ((cnt & 1) != 0) | |
1559 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1560 | else | |
1561 | rb_sha256_process_bytes(key, key_len, &ctx); | |
1562 | ||
1563 | /* Create intermediate result. */ | |
1564 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1565 | ||
1566 | /* Start computation of P byte sequence. */ | |
1567 | rb_sha256_init_ctx(&alt_ctx); | |
1568 | ||
1569 | /* For every character in the password add the entire password. */ | |
320d34a6 | 1570 | for (cnt = 0; cnt < key_len; ++cnt) |
08c2568c EM |
1571 | rb_sha256_process_bytes(key, key_len, &alt_ctx); |
1572 | ||
1573 | /* Finish the digest. */ | |
1574 | rb_sha256_finish_ctx(&alt_ctx, temp_result); | |
1575 | ||
1576 | /* Create byte sequence P. */ | |
1577 | cp = p_bytes = alloca(key_len); | |
1578 | for (cnt = key_len; cnt >= 32; cnt -= 32) | |
1579 | { | |
1580 | memcpy(cp, temp_result, 32); | |
1581 | cp += 32; | |
1582 | } | |
1583 | memcpy(cp, temp_result, cnt); | |
1584 | ||
1585 | /* Start computation of S byte sequence. */ | |
1586 | rb_sha256_init_ctx(&alt_ctx); | |
1587 | ||
1588 | /* For every character in the password add the entire password. */ | |
af9e5b5e | 1589 | for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt) |
08c2568c EM |
1590 | rb_sha256_process_bytes(salt, salt_len, &alt_ctx); |
1591 | ||
1592 | /* Finish the digest. */ | |
1593 | rb_sha256_finish_ctx(&alt_ctx, temp_result); | |
1594 | ||
1595 | /* Create byte sequence S. */ | |
1596 | cp = s_bytes = alloca(salt_len); | |
1597 | for (cnt = salt_len; cnt >= 32; cnt -= 32) | |
1598 | { | |
1599 | memcpy(cp, temp_result, 32); | |
1600 | cp += 32; | |
1601 | } | |
1602 | memcpy(cp, temp_result, cnt); | |
1603 | ||
1604 | /* Repeatedly run the collected hash value through SHA256 to burn | |
1605 | CPU cycles. */ | |
1606 | for (cnt = 0; cnt < rounds; ++cnt) | |
1607 | { | |
1608 | /* New context. */ | |
1609 | rb_sha256_init_ctx(&ctx); | |
1610 | ||
1611 | /* Add key or last result. */ | |
1612 | if ((cnt & 1) != 0) | |
1613 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1614 | else | |
1615 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1616 | ||
1617 | /* Add salt for numbers not divisible by 3. */ | |
1618 | if (cnt % 3 != 0) | |
1619 | rb_sha256_process_bytes(s_bytes, salt_len, &ctx); | |
1620 | ||
1621 | /* Add key for numbers not divisible by 7. */ | |
1622 | if (cnt % 7 != 0) | |
1623 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1624 | ||
1625 | /* Add key or last result. */ | |
1626 | if ((cnt & 1) != 0) | |
1627 | rb_sha256_process_bytes(alt_result, 32, &ctx); | |
1628 | else | |
1629 | rb_sha256_process_bytes(p_bytes, key_len, &ctx); | |
1630 | ||
1631 | /* Create intermediate result. */ | |
1632 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1633 | } | |
1634 | ||
1635 | /* Now we can construct the result string. It consists of three | |
1636 | parts. */ | |
1637 | memset(buffer, '\0', MAX(0, buflen)); | |
1638 | strncpy(buffer, sha256_salt_prefix, MAX(0, buflen)); | |
1639 | if((cp = strchr(buffer, '\0')) == NULL) | |
1640 | cp = buffer + MAX(0, buflen); | |
1641 | buflen -= sizeof(sha256_salt_prefix) - 1; | |
1642 | ||
1643 | if (rounds_custom) | |
1644 | { | |
1645 | int n = snprintf(cp, MAX(0, buflen), "%s%zu$", | |
1646 | sha256_rounds_prefix, rounds); | |
1647 | cp += n; | |
1648 | buflen -= n; | |
1649 | } | |
1650 | ||
1651 | memset(cp, '\0', salt_len); | |
1652 | strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); | |
1653 | if((cp = strchr(buffer, '\0')) == NULL) | |
1654 | cp += salt_len; | |
1655 | buflen -= MIN((size_t) MAX(0, buflen), salt_len); | |
1656 | ||
1657 | if (buflen > 0) | |
1658 | { | |
1659 | *cp++ = '$'; | |
1660 | --buflen; | |
1661 | } | |
1662 | ||
1663 | b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4); | |
1664 | b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4); | |
1665 | b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4); | |
1666 | b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4); | |
1667 | b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4); | |
1668 | b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4); | |
1669 | b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4); | |
1670 | b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4); | |
1671 | b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4); | |
1672 | b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4); | |
1673 | b64_from_24bit(0, alt_result[31], alt_result[30], 3); | |
1674 | if (buflen <= 0) | |
1675 | { | |
1676 | errno = ERANGE; | |
1677 | buffer = NULL; | |
1678 | } | |
1679 | else | |
1680 | *cp = '\0'; /* Terminate the string. */ | |
1681 | ||
1682 | /* Clear the buffer for the intermediate result so that people | |
1683 | attaching to processes or reading core dumps cannot get any | |
1684 | information. We do it in this way to clear correct_words[] | |
1685 | inside the SHA256 implementation as well. */ | |
1686 | rb_sha256_init_ctx(&ctx); | |
1687 | rb_sha256_finish_ctx(&ctx, alt_result); | |
1688 | memset(temp_result, '\0', sizeof(temp_result)); | |
1689 | memset(p_bytes, '\0', key_len); | |
1690 | memset(s_bytes, '\0', salt_len); | |
1691 | memset(&ctx, '\0', sizeof(ctx)); | |
1692 | memset(&alt_ctx, '\0', sizeof(alt_ctx)); | |
1693 | if (copied_key != NULL) | |
1694 | memset(copied_key, '\0', key_len); | |
1695 | if (copied_salt != NULL) | |
1696 | memset(copied_salt, '\0', salt_len); | |
1697 | ||
1698 | return buffer; | |
1699 | } | |
1700 | ||
1701 | ||
1702 | /* This entry point is equivalent to the `crypt' function in Unix | |
1703 | libcs. */ | |
1704 | static char *rb_sha256_crypt(const char *key, const char *salt) | |
1705 | { | |
1706 | /* We don't want to have an arbitrary limit in the size of the | |
1707 | password. We can compute an upper bound for the size of the | |
1708 | result in advance and so we can prepare the buffer we pass to | |
1709 | `rb_sha256_crypt_r'. */ | |
1710 | static char *buffer; | |
1711 | static int buflen; | |
1712 | int needed = (sizeof(sha256_salt_prefix) - 1 | |
1713 | + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1); | |
1714 | ||
1715 | char *new_buffer = (char *)malloc(needed); | |
1716 | if (new_buffer == NULL) | |
1717 | return NULL; | |
1718 | ||
1719 | buffer = new_buffer; | |
1720 | buflen = needed; | |
1721 | ||
1722 | return rb_sha256_crypt_r(key, salt, buffer, buflen); | |
1723 | } | |
1724 | ||
1725 | /* Structure to save state of computation between the single steps. */ | |
1726 | struct sha512_ctx | |
1727 | { | |
1728 | uint64_t H[8]; | |
1729 | ||
1730 | uint64_t total[2]; | |
1731 | uint64_t buflen; | |
1732 | char buffer[256]; /* NB: always correctly aligned for uint64_t. */ | |
1733 | }; | |
1734 | ||
1735 | ||
f171dafb | 1736 | #ifndef WORDS_BIGENDIAN |
08c2568c EM |
1737 | # define SHA512_SWAP(n) \ |
1738 | (((n) << 56) \ | |
1739 | | (((n) & 0xff00) << 40) \ | |
1740 | | (((n) & 0xff0000) << 24) \ | |
1741 | | (((n) & 0xff000000) << 8) \ | |
1742 | | (((n) >> 8) & 0xff000000) \ | |
1743 | | (((n) >> 24) & 0xff0000) \ | |
1744 | | (((n) >> 40) & 0xff00) \ | |
1745 | | ((n) >> 56)) | |
1746 | #else | |
1747 | # define SHA512_SWAP(n) (n) | |
1748 | #endif | |
1749 | ||
1750 | ||
1751 | /* This array contains the bytes used to pad the buffer to the next | |
1752 | 64-byte boundary. (FIPS 180-2:5.1.2) */ | |
1753 | static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ }; | |
1754 | ||
1755 | ||
1756 | /* Constants for SHA512 from FIPS 180-2:4.2.3. */ | |
1757 | static const uint64_t SHA512_K[80] = { | |
1758 | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, | |
1759 | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, | |
1760 | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, | |
1761 | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, | |
1762 | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, | |
1763 | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, | |
1764 | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, | |
1765 | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, | |
1766 | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, | |
1767 | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, | |
1768 | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, | |
1769 | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, | |
1770 | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, | |
1771 | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, | |
1772 | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, | |
1773 | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, | |
1774 | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, | |
1775 | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, | |
1776 | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, | |
1777 | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, | |
1778 | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, | |
1779 | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, | |
1780 | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, | |
1781 | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, | |
1782 | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, | |
1783 | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, | |
1784 | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, | |
1785 | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, | |
1786 | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, | |
1787 | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, | |
1788 | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, | |
1789 | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, | |
1790 | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, | |
1791 | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, | |
1792 | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, | |
1793 | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, | |
1794 | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, | |
1795 | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, | |
1796 | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, | |
1797 | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL | |
1798 | }; | |
1799 | ||
1800 | ||
1801 | /* Process LEN bytes of BUFFER, accumulating context into CTX. | |
1802 | It is assumed that LEN % 128 == 0. */ | |
1803 | static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx) | |
1804 | { | |
1805 | const uint64_t *words = buffer; | |
1806 | size_t nwords = len / sizeof(uint64_t); | |
1807 | uint64_t a = ctx->H[0]; | |
1808 | uint64_t b = ctx->H[1]; | |
1809 | uint64_t c = ctx->H[2]; | |
1810 | uint64_t d = ctx->H[3]; | |
1811 | uint64_t e = ctx->H[4]; | |
1812 | uint64_t f = ctx->H[5]; | |
1813 | uint64_t g = ctx->H[6]; | |
1814 | uint64_t h = ctx->H[7]; | |
1815 | ||
1816 | /* First increment the byte count. FIPS 180-2 specifies the possible | |
1817 | length of the file up to 2^128 bits. Here we only compute the | |
1818 | number of bytes. Do a double word increment. */ | |
1819 | ctx->total[0] += len; | |
1820 | if (ctx->total[0] < len) | |
1821 | ++ctx->total[1]; | |
1822 | ||
1823 | /* Process all bytes in the buffer with 128 bytes in each round of | |
1824 | the loop. */ | |
1825 | while (nwords > 0) | |
1826 | { | |
1827 | uint64_t W[80]; | |
1828 | uint64_t a_save = a; | |
1829 | uint64_t b_save = b; | |
1830 | uint64_t c_save = c; | |
1831 | uint64_t d_save = d; | |
1832 | uint64_t e_save = e; | |
1833 | uint64_t f_save = f; | |
1834 | uint64_t g_save = g; | |
1835 | uint64_t h_save = h; | |
1836 | unsigned int t; | |
1837 | ||
1838 | /* Operators defined in FIPS 180-2:4.1.2. */ | |
1839 | #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z)) | |
1840 | #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) | |
1841 | #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39)) | |
1842 | #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41)) | |
1843 | #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7)) | |
1844 | #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6)) | |
1845 | ||
1846 | /* It is unfortunate that C does not provide an operator for | |
1847 | cyclic rotation. Hope the C compiler is smart enough. */ | |
1848 | #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s))) | |
1849 | ||
1850 | /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */ | |
1851 | for (t = 0; t < 16; ++t) | |
1852 | { | |
1853 | W[t] = SHA512_SWAP(*words); | |
1854 | ++words; | |
1855 | } | |
1856 | for (t = 16; t < 80; ++t) | |
1857 | W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16]; | |
1858 | ||
1859 | /* The actual computation according to FIPS 180-2:6.3.2 step 3. */ | |
1860 | for (t = 0; t < 80; ++t) | |
1861 | { | |
1862 | uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t]; | |
1863 | uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c); | |
1864 | h = g; | |
1865 | g = f; | |
1866 | f = e; | |
1867 | e = d + T1; | |
1868 | d = c; | |
1869 | c = b; | |
1870 | b = a; | |
1871 | a = T1 + T2; | |
1872 | } | |
1873 | ||
1874 | /* Add the starting values of the context according to FIPS 180-2:6.3.2 | |
1875 | step 4. */ | |
1876 | a += a_save; | |
1877 | b += b_save; | |
1878 | c += c_save; | |
1879 | d += d_save; | |
1880 | e += e_save; | |
1881 | f += f_save; | |
1882 | g += g_save; | |
1883 | h += h_save; | |
1884 | ||
1885 | /* Prepare for the next round. */ | |
1886 | nwords -= 16; | |
1887 | } | |
1888 | ||
1889 | /* Put checksum in context given as argument. */ | |
1890 | ctx->H[0] = a; | |
1891 | ctx->H[1] = b; | |
1892 | ctx->H[2] = c; | |
1893 | ctx->H[3] = d; | |
1894 | ctx->H[4] = e; | |
1895 | ctx->H[5] = f; | |
1896 | ctx->H[6] = g; | |
1897 | ctx->H[7] = h; | |
1898 | } | |
1899 | ||
1900 | ||
1901 | /* Initialize structure containing state of computation. | |
1902 | (FIPS 180-2:5.3.3) */ | |
1903 | static void rb_sha512_init_ctx(struct sha512_ctx *ctx) | |
1904 | { | |
1905 | ctx->H[0] = 0x6a09e667f3bcc908ULL; | |
1906 | ctx->H[1] = 0xbb67ae8584caa73bULL; | |
1907 | ctx->H[2] = 0x3c6ef372fe94f82bULL; | |
1908 | ctx->H[3] = 0xa54ff53a5f1d36f1ULL; | |
1909 | ctx->H[4] = 0x510e527fade682d1ULL; | |
1910 | ctx->H[5] = 0x9b05688c2b3e6c1fULL; | |
1911 | ctx->H[6] = 0x1f83d9abfb41bd6bULL; | |
1912 | ctx->H[7] = 0x5be0cd19137e2179ULL; | |
1913 | ||
1914 | ctx->total[0] = ctx->total[1] = 0; | |
1915 | ctx->buflen = 0; | |
1916 | } | |
1917 | ||
1918 | ||
1919 | /* Process the remaining bytes in the internal buffer and the usual | |
1920 | prolog according to the standard and write the result to RESBUF. | |
1921 | ||
1922 | IMPORTANT: On some systems it is required that RESBUF is correctly | |
1923 | aligned for a 32 bits value. */ | |
1924 | static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf) | |
1925 | { | |
1926 | /* Take yet unprocessed bytes into account. */ | |
1927 | uint64_t bytes = ctx->buflen; | |
1928 | size_t pad; | |
1929 | unsigned int i; | |
1930 | ||
1931 | /* Now count remaining bytes. */ | |
1932 | ctx->total[0] += bytes; | |
1933 | if (ctx->total[0] < bytes) | |
1934 | ++ctx->total[1]; | |
1935 | ||
1936 | pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes; | |
1937 | memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad); | |
1938 | ||
1939 | /* Put the 128-bit file length in *bits* at the end of the buffer. */ | |
1940 | *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SHA512_SWAP(ctx->total[0] << 3); | |
1941 | *(uint64_t *) & ctx->buffer[bytes + pad] = SHA512_SWAP((ctx->total[1] << 3) | | |
1942 | (ctx->total[0] >> 61)); | |
1943 | ||
1944 | /* Process last bytes. */ | |
1945 | rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx); | |
1946 | ||
1947 | /* Put result from CTX in first 64 bytes following RESBUF. */ | |
1948 | for (i = 0; i < 8; ++i) | |
1949 | ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]); | |
1950 | ||
1951 | return resbuf; | |
1952 | } | |
1953 | ||
1954 | ||
1955 | static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx) | |
1956 | { | |
1957 | /* When we already have some bits in our internal buffer concatenate | |
1958 | both inputs first. */ | |
1959 | if (ctx->buflen != 0) | |
1960 | { | |
1961 | size_t left_over = ctx->buflen; | |
1962 | size_t add = 256 - left_over > len ? len : 256 - left_over; | |
1963 | ||
1964 | memcpy(&ctx->buffer[left_over], buffer, add); | |
1965 | ctx->buflen += add; | |
1966 | ||
1967 | if (ctx->buflen > 128) | |
1968 | { | |
1969 | rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx); | |
1970 | ||
1971 | ctx->buflen &= 127; | |
1972 | /* The regions in the following copy operation cannot overlap. */ | |
1973 | memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen); | |
1974 | } | |
1975 | ||
1976 | buffer = (const char *)buffer + add; | |
1977 | len -= add; | |
1978 | } | |
1979 | ||
1980 | /* Process available complete blocks. */ | |
1981 | if (len >= 128) | |
1982 | { | |
1983 | #if !_STRING_ARCH_unaligned | |
1984 | /* To check alignment gcc has an appropriate operator. Other | |
1985 | compilers don't. */ | |
1986 | # if __GNUC__ >= 2 | |
1987 | # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0) | |
1988 | # else | |
1989 | # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0) | |
1990 | # endif | |
1991 | if (SHA512_UNALIGNED_P(buffer)) | |
1992 | while (len > 128) | |
1993 | { | |
1994 | rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx); | |
1995 | buffer = (const char *)buffer + 128; | |
1996 | len -= 128; | |
1997 | } | |
1998 | else | |
1999 | #endif | |
2000 | { | |
2001 | rb_sha512_process_block(buffer, len & ~127, ctx); | |
2002 | buffer = (const char *)buffer + (len & ~127); | |
2003 | len &= 127; | |
2004 | } | |
2005 | } | |
2006 | ||
2007 | /* Move remaining bytes into internal buffer. */ | |
2008 | if (len > 0) | |
2009 | { | |
2010 | size_t left_over = ctx->buflen; | |
2011 | ||
2012 | memcpy(&ctx->buffer[left_over], buffer, len); | |
2013 | left_over += len; | |
2014 | if (left_over >= 128) | |
2015 | { | |
2016 | rb_sha512_process_block(ctx->buffer, 128, ctx); | |
2017 | left_over -= 128; | |
2018 | memcpy(ctx->buffer, &ctx->buffer[128], left_over); | |
2019 | } | |
2020 | ctx->buflen = left_over; | |
2021 | } | |
2022 | } | |
2023 | ||
2024 | ||
2025 | /* Define our magic string to mark salt for SHA512 "encryption" | |
2026 | replacement. */ | |
2027 | static const char sha512_salt_prefix[] = "$6$"; | |
2028 | ||
2029 | /* Prefix for optional rounds specification. */ | |
2030 | static const char sha512_rounds_prefix[] = "rounds="; | |
2031 | ||
2032 | /* Maximum salt string length. */ | |
2033 | #define SHA512_SALT_LEN_MAX 16 | |
2034 | /* Default number of rounds if not explicitly specified. */ | |
2035 | #define SHA512_ROUNDS_DEFAULT 5000 | |
2036 | /* Minimum number of rounds. */ | |
2037 | #define SHA512_ROUNDS_MIN 1000 | |
2038 | /* Maximum number of rounds. */ | |
2039 | #define SHA512_ROUNDS_MAX 999999999 | |
2040 | ||
2041 | static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen) | |
2042 | { | |
2043 | unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t)))); | |
2044 | unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t)))); | |
2045 | struct sha512_ctx ctx; | |
2046 | struct sha512_ctx alt_ctx; | |
2047 | size_t salt_len; | |
2048 | size_t key_len; | |
2049 | size_t cnt; | |
2050 | char *cp; | |
2051 | char *copied_key = NULL; | |
2052 | char *copied_salt = NULL; | |
2053 | char *p_bytes; | |
2054 | char *s_bytes; | |
2055 | /* Default number of rounds. */ | |
2056 | size_t rounds = SHA512_ROUNDS_DEFAULT; | |
2057 | int rounds_custom = 0; | |
2058 | ||
2059 | /* Find beginning of salt string. The prefix should normally always | |
2060 | be present. Just in case it is not. */ | |
2061 | if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) | |
2062 | /* Skip salt prefix. */ | |
2063 | salt += sizeof(sha512_salt_prefix) - 1; | |
2064 | ||
2065 | if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0) | |
2066 | { | |
2067 | const char *num = salt + sizeof(sha512_rounds_prefix) - 1; | |
2068 | char *endp; | |
2069 | unsigned long int srounds = strtoul(num, &endp, 10); | |
2070 | if (*endp == '$') | |
2071 | { | |
2072 | salt = endp + 1; | |
2073 | rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX)); | |
2074 | rounds_custom = 1; | |
2075 | } | |
2076 | } | |
2077 | ||
2078 | salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX); | |
2079 | key_len = strlen(key); | |
2080 | ||
2081 | if ((key - (char *)0) % __alignof__(uint64_t) != 0) | |
2082 | { | |
2083 | char *tmp = (char *)alloca(key_len + __alignof__(uint64_t)); | |
2084 | key = copied_key = | |
2085 | memcpy(tmp + __alignof__(uint64_t) | |
2086 | - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len); | |
2087 | } | |
2088 | ||
2089 | if ((salt - (char *)0) % __alignof__(uint64_t) != 0) | |
2090 | { | |
2091 | char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t)); | |
2092 | salt = copied_salt = | |
2093 | memcpy(tmp + __alignof__(uint64_t) | |
2094 | - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len); | |
2095 | } | |
2096 | ||
2097 | /* Prepare for the real work. */ | |
2098 | rb_sha512_init_ctx(&ctx); | |
2099 | ||
2100 | /* Add the key string. */ | |
2101 | rb_sha512_process_bytes(key, key_len, &ctx); | |
2102 | ||
2103 | /* The last part is the salt string. This must be at most 16 | |
2104 | characters and it ends at the first `$' character (for | |
2105 | compatibility with existing implementations). */ | |
2106 | rb_sha512_process_bytes(salt, salt_len, &ctx); | |
2107 | ||
2108 | ||
2109 | /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The | |
2110 | final result will be added to the first context. */ | |
2111 | rb_sha512_init_ctx(&alt_ctx); | |
2112 | ||
2113 | /* Add key. */ | |
2114 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2115 | ||
2116 | /* Add salt. */ | |
2117 | rb_sha512_process_bytes(salt, salt_len, &alt_ctx); | |
2118 | ||
2119 | /* Add key again. */ | |
2120 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2121 | ||
2122 | /* Now get result of this (64 bytes) and add it to the other | |
2123 | context. */ | |
2124 | rb_sha512_finish_ctx(&alt_ctx, alt_result); | |
2125 | ||
2126 | /* Add for any character in the key one byte of the alternate sum. */ | |
2127 | for (cnt = key_len; cnt > 64; cnt -= 64) | |
2128 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2129 | rb_sha512_process_bytes(alt_result, cnt, &ctx); | |
2130 | ||
2131 | /* Take the binary representation of the length of the key and for every | |
2132 | 1 add the alternate sum, for every 0 the key. */ | |
2133 | for (cnt = key_len; cnt > 0; cnt >>= 1) | |
2134 | if ((cnt & 1) != 0) | |
2135 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2136 | else | |
2137 | rb_sha512_process_bytes(key, key_len, &ctx); | |
2138 | ||
2139 | /* Create intermediate result. */ | |
2140 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2141 | ||
2142 | /* Start computation of P byte sequence. */ | |
2143 | rb_sha512_init_ctx(&alt_ctx); | |
2144 | ||
2145 | /* For every character in the password add the entire password. */ | |
2146 | for (cnt = 0; cnt < key_len; ++cnt) | |
2147 | rb_sha512_process_bytes(key, key_len, &alt_ctx); | |
2148 | ||
2149 | /* Finish the digest. */ | |
2150 | rb_sha512_finish_ctx(&alt_ctx, temp_result); | |
2151 | ||
2152 | /* Create byte sequence P. */ | |
2153 | cp = p_bytes = alloca(key_len); | |
2154 | for (cnt = key_len; cnt >= 64; cnt -= 64) | |
2155 | { | |
2156 | memcpy(cp, temp_result, 64); | |
2157 | cp += 64; | |
2158 | } | |
2159 | memcpy(cp, temp_result, cnt); | |
2160 | ||
2161 | /* Start computation of S byte sequence. */ | |
2162 | rb_sha512_init_ctx(&alt_ctx); | |
2163 | ||
2164 | /* For every character in the password add the entire password. */ | |
af9e5b5e | 2165 | for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt) |
08c2568c EM |
2166 | rb_sha512_process_bytes(salt, salt_len, &alt_ctx); |
2167 | ||
2168 | /* Finish the digest. */ | |
2169 | rb_sha512_finish_ctx(&alt_ctx, temp_result); | |
2170 | ||
2171 | /* Create byte sequence S. */ | |
2172 | cp = s_bytes = alloca(salt_len); | |
2173 | for (cnt = salt_len; cnt >= 64; cnt -= 64) | |
2174 | { | |
2175 | memcpy(cp, temp_result, 64); | |
2176 | cp += 64; | |
2177 | } | |
2178 | memcpy(cp, temp_result, cnt); | |
2179 | ||
2180 | /* Repeatedly run the collected hash value through SHA512 to burn | |
2181 | CPU cycles. */ | |
2182 | for (cnt = 0; cnt < rounds; ++cnt) | |
2183 | { | |
2184 | /* New context. */ | |
2185 | rb_sha512_init_ctx(&ctx); | |
2186 | ||
2187 | /* Add key or last result. */ | |
2188 | if ((cnt & 1) != 0) | |
2189 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2190 | else | |
2191 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2192 | ||
2193 | /* Add salt for numbers not divisible by 3. */ | |
2194 | if (cnt % 3 != 0) | |
2195 | rb_sha512_process_bytes(s_bytes, salt_len, &ctx); | |
2196 | ||
2197 | /* Add key for numbers not divisible by 7. */ | |
2198 | if (cnt % 7 != 0) | |
2199 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2200 | ||
2201 | /* Add key or last result. */ | |
2202 | if ((cnt & 1) != 0) | |
2203 | rb_sha512_process_bytes(alt_result, 64, &ctx); | |
2204 | else | |
2205 | rb_sha512_process_bytes(p_bytes, key_len, &ctx); | |
2206 | ||
2207 | /* Create intermediate result. */ | |
2208 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2209 | } | |
2210 | ||
2211 | /* Now we can construct the result string. It consists of three | |
2212 | parts. */ | |
2213 | memset(buffer, '\0', MAX(0, buflen)); | |
2214 | strncpy(buffer, sha512_salt_prefix, MAX(0, buflen)); | |
2215 | if((cp = strchr(buffer, '\0')) == NULL) | |
2216 | cp = buffer + MAX(0, buflen); | |
2217 | buflen -= sizeof(sha512_salt_prefix) - 1; | |
2218 | ||
2219 | if (rounds_custom) | |
2220 | { | |
2221 | int n = snprintf(cp, MAX(0, buflen), "%s%zu$", | |
2222 | sha512_rounds_prefix, rounds); | |
2223 | cp += n; | |
2224 | buflen -= n; | |
2225 | } | |
2226 | ||
2227 | memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len)); | |
2228 | strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); | |
2229 | if((cp = strchr(buffer, '\0')) == NULL) | |
2230 | cp = buffer + salt_len; | |
2231 | buflen -= MIN((size_t) MAX(0, buflen), salt_len); | |
2232 | ||
2233 | if (buflen > 0) | |
2234 | { | |
2235 | *cp++ = '$'; | |
2236 | --buflen; | |
2237 | } | |
2238 | ||
2239 | b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4); | |
2240 | b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4); | |
2241 | b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4); | |
2242 | b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4); | |
2243 | b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4); | |
2244 | b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4); | |
2245 | b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4); | |
2246 | b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4); | |
2247 | b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4); | |
2248 | b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4); | |
2249 | b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4); | |
2250 | b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4); | |
2251 | b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4); | |
2252 | b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4); | |
2253 | b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4); | |
2254 | b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4); | |
2255 | b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4); | |
2256 | b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4); | |
2257 | b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4); | |
2258 | b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4); | |
2259 | b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4); | |
2260 | b64_from_24bit(0, 0, alt_result[63], 2); | |
2261 | ||
2262 | if (buflen <= 0) | |
2263 | { | |
2264 | errno = ERANGE; | |
2265 | buffer = NULL; | |
2266 | } | |
2267 | else | |
2268 | *cp = '\0'; /* Terminate the string. */ | |
2269 | ||
2270 | /* Clear the buffer for the intermediate result so that people | |
2271 | attaching to processes or reading core dumps cannot get any | |
2272 | information. We do it in this way to clear correct_words[] | |
2273 | inside the SHA512 implementation as well. */ | |
2274 | rb_sha512_init_ctx(&ctx); | |
2275 | rb_sha512_finish_ctx(&ctx, alt_result); | |
2276 | memset(temp_result, '\0', sizeof(temp_result)); | |
2277 | memset(p_bytes, '\0', key_len); | |
2278 | memset(s_bytes, '\0', salt_len); | |
2279 | memset(&ctx, '\0', sizeof(ctx)); | |
2280 | memset(&alt_ctx, '\0', sizeof(alt_ctx)); | |
2281 | if (copied_key != NULL) | |
2282 | memset(copied_key, '\0', key_len); | |
2283 | if (copied_salt != NULL) | |
2284 | memset(copied_salt, '\0', salt_len); | |
2285 | ||
2286 | return buffer; | |
2287 | } | |
2288 | ||
2289 | ||
2290 | /* This entry point is equivalent to the `crypt' function in Unix | |
2291 | libcs. */ | |
2292 | static char *rb_sha512_crypt(const char *key, const char *salt) | |
2293 | { | |
2294 | /* We don't want to have an arbitrary limit in the size of the | |
2295 | password. We can compute an upper bound for the size of the | |
2296 | result in advance and so we can prepare the buffer we pass to | |
2297 | `rb_sha512_crypt_r'. */ | |
2298 | static char *buffer; | |
2299 | static int buflen; | |
2300 | int needed = (sizeof(sha512_salt_prefix) - 1 | |
2301 | + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1); | |
2302 | ||
2303 | if (buflen < needed) | |
2304 | { | |
2305 | char *new_buffer = (char *)realloc(buffer, needed); | |
2306 | if (new_buffer == NULL) | |
2307 | return NULL; | |
2308 | ||
2309 | buffer = new_buffer; | |
2310 | buflen = needed; | |
2311 | } | |
db137867 | 2312 | |
08c2568c | 2313 | return rb_sha512_crypt_r(key, salt, buffer, buflen); |
db137867 | 2314 | } |