]>
jfr.im git - solanum.git/blob - librb/src/crypt.c
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
30 #include <librb_config.h>
33 static char *rb_md5_crypt(const char *pw
, const char *salt
);
34 static char *rb_des_crypt(const char *pw
, const char *salt
);
35 static char *rb_sha256_crypt(const char *key
, const char *salt
);
36 static char *rb_sha512_crypt(const char *key
, const char *salt
);
39 rb_crypt(const char *key
, const char *salt
)
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt
[0] == '$' && (salt
[2] == '$' || salt
[3] == '$'))
48 return rb_md5_crypt(key
, salt
);
51 return rb_sha256_crypt(key
, salt
);
54 return rb_sha512_crypt(key
, salt
);
62 return rb_des_crypt(key
, salt
);
65 #define b64_from_24bit(B2, B1, B0, N) \
68 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
70 while (n-- > 0 && buflen > 0) \
72 *cp++ = ascii64[w & 0x3f]; \
79 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
82 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
85 /* Here is the des crypt() stuff */
88 * FreeSec: libcrypt for NetBSD
90 * Copyright (c) 1994 David Burren
91 * All rights reserved.
93 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
94 * this file should now *only* export crypt(), in order to make
95 * binaries of libcrypt exportable from the USA
97 * Adapted for FreeBSD-4.0 by Mark R V Murray
98 * this file should now *only* export crypt_des(), in order to make
99 * a module that can be optionally included in libcrypt.
101 * Redistribution and use in source and binary forms, with or without
102 * modification, are permitted provided that the following conditions
104 * 1. Redistributions of source code must retain the above copyright
105 * notice, this list of conditions and the following disclaimer.
106 * 2. Redistributions in binary form must reproduce the above copyright
107 * notice, this list of conditions and the following disclaimer in the
108 * documentation and/or other materials provided with the distribution.
109 * 3. Neither the name of the author nor the names of other contributors
110 * may be used to endorse or promote products derived from this software
111 * without specific prior written permission.
113 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
114 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
115 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
116 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
117 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
118 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
119 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
120 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
121 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
122 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
125 * This is an original implementation of the DES and the crypt(3) interfaces
126 * by David Burren <davidb@werj.com.au>.
128 * An excellent reference on the underlying algorithm (and related
131 * B. Schneier, Applied Cryptography: protocols, algorithms,
132 * and source code in C, John Wiley & Sons, 1994.
134 * Note that in that book's description of DES the lookups for the initial,
135 * pbox, and final permutations are inverted (this has been brought to the
136 * attention of the author). A list of errata for this book has been
137 * posted to the sci.crypt newsgroup by the author and is available for FTP.
139 * ARCHITECTURE ASSUMPTIONS:
140 * It is assumed that the 8-byte arrays passed by reference can be
141 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
146 /* Re-entrantify me -- all this junk needs to be in
147 * struct crypt_data to make this really reentrant... */
148 static uint8_t inv_key_perm
[64];
149 static uint8_t inv_comp_perm
[56];
150 static uint8_t u_sbox
[8][64];
151 static uint8_t un_pbox
[32];
152 static uint32_t en_keysl
[16], en_keysr
[16];
153 static uint32_t de_keysl
[16], de_keysr
[16];
154 static uint32_t ip_maskl
[8][256], ip_maskr
[8][256];
155 static uint32_t fp_maskl
[8][256], fp_maskr
[8][256];
156 static uint32_t key_perm_maskl
[8][128], key_perm_maskr
[8][128];
157 static uint32_t comp_maskl
[8][128], comp_maskr
[8][128];
158 static uint32_t saltbits
;
159 static uint32_t old_salt
;
160 static uint32_t old_rawkey0
, old_rawkey1
;
163 /* Static stuff that stays resident and doesn't change after
164 * being initialized, and therefore doesn't need to be made
166 static uint8_t init_perm
[64], final_perm
[64];
167 static uint8_t m_sbox
[4][4096];
168 static uint32_t psbox
[4][256];
171 static const uint8_t ascii64
[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
173 static const uint8_t IP
[64] = {
174 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
175 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
176 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
177 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
180 static const uint8_t key_perm
[56] = {
181 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
182 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
183 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
184 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
187 static const uint8_t key_shifts
[16] = {
188 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
191 static const uint8_t comp_perm
[48] = {
192 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
193 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
194 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
195 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
199 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
202 static const uint8_t sbox
[8][64] = {
204 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
205 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
206 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
207 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
209 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
210 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
211 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
212 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
214 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
215 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
216 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
217 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
219 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
220 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
221 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
222 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
224 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
225 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
226 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
227 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
229 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
230 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
231 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
232 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
234 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
235 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
236 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
237 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
239 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
240 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
241 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
242 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
245 static const uint8_t pbox
[32] = {
246 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
247 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
250 static const uint32_t bits32
[32] = {
251 0x80000000, 0x40000000, 0x20000000, 0x10000000,
252 0x08000000, 0x04000000, 0x02000000, 0x01000000,
253 0x00800000, 0x00400000, 0x00200000, 0x00100000,
254 0x00080000, 0x00040000, 0x00020000, 0x00010000,
255 0x00008000, 0x00004000, 0x00002000, 0x00001000,
256 0x00000800, 0x00000400, 0x00000200, 0x00000100,
257 0x00000080, 0x00000040, 0x00000020, 0x00000010,
258 0x00000008, 0x00000004, 0x00000002, 0x00000001
261 static const uint8_t bits8
[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
263 static const uint32_t *bits28
, *bits24
;
267 rb_ascii_to_bin(char ch
)
272 return (ch
- 'a' + 38);
276 return (ch
- 'A' + 12);
287 int i
, j
, b
, k
, inbit
, obit
;
288 uint32_t *p
, *il
, *ir
, *fl
, *fr
;
289 static int rb_des_initialised
= 0;
291 if(rb_des_initialised
== 1)
294 old_rawkey0
= old_rawkey1
= 0L;
297 bits24
= (bits28
= bits32
+ 4) + 4;
300 * Invert the S-boxes, reordering the input bits.
302 for(i
= 0; i
< 8; i
++)
303 for(j
= 0; j
< 64; j
++)
305 b
= (j
& 0x20) | ((j
& 1) << 4) | ((j
>> 1) & 0xf);
306 u_sbox
[i
][j
] = sbox
[i
][b
];
310 * Convert the inverted S-boxes into 4 arrays of 8 bits.
311 * Each will handle 12 bits of the S-box input.
313 for(b
= 0; b
< 4; b
++)
314 for(i
= 0; i
< 64; i
++)
315 for(j
= 0; j
< 64; j
++)
316 m_sbox
[b
][(i
<< 6) | j
] =
317 (uint8_t)((u_sbox
[(b
<< 1)][i
] << 4) |
318 u_sbox
[(b
<< 1) + 1][j
]);
321 * Set up the initial & final permutations into a useful form, and
322 * initialise the inverted key permutation.
324 for(i
= 0; i
< 64; i
++)
326 init_perm
[final_perm
[i
] = IP
[i
] - 1] = (uint8_t)i
;
327 inv_key_perm
[i
] = 255;
331 * Invert the key permutation and initialise the inverted key
332 * compression permutation.
334 for(i
= 0; i
< 56; i
++)
336 inv_key_perm
[key_perm
[i
] - 1] = (uint8_t)i
;
337 inv_comp_perm
[i
] = 255;
341 * Invert the key compression permutation.
343 for(i
= 0; i
< 48; i
++)
345 inv_comp_perm
[comp_perm
[i
] - 1] = (uint8_t)i
;
349 * Set up the OR-mask arrays for the initial and final permutations,
350 * and for the key initial and compression permutations.
352 for(k
= 0; k
< 8; k
++)
354 for(i
= 0; i
< 256; i
++)
356 *(il
= &ip_maskl
[k
][i
]) = 0L;
357 *(ir
= &ip_maskr
[k
][i
]) = 0L;
358 *(fl
= &fp_maskl
[k
][i
]) = 0L;
359 *(fr
= &fp_maskr
[k
][i
]) = 0L;
360 for(j
= 0; j
< 8; j
++)
365 if((obit
= init_perm
[inbit
]) < 32)
368 *ir
|= bits32
[obit
- 32];
369 if((obit
= final_perm
[inbit
]) < 32)
372 *fr
|= bits32
[obit
- 32];
376 for(i
= 0; i
< 128; i
++)
378 *(il
= &key_perm_maskl
[k
][i
]) = 0L;
379 *(ir
= &key_perm_maskr
[k
][i
]) = 0L;
380 for(j
= 0; j
< 7; j
++)
385 if((obit
= inv_key_perm
[inbit
]) == 255)
390 *ir
|= bits28
[obit
- 28];
393 *(il
= &comp_maskl
[k
][i
]) = 0L;
394 *(ir
= &comp_maskr
[k
][i
]) = 0L;
395 for(j
= 0; j
< 7; j
++)
400 if((obit
= inv_comp_perm
[inbit
]) == 255)
405 *ir
|= bits24
[obit
- 24];
412 * Invert the P-box permutation, and convert into OR-masks for
413 * handling the output of the S-box arrays setup above.
415 for(i
= 0; i
< 32; i
++)
416 un_pbox
[pbox
[i
] - 1] = (uint8_t)i
;
418 for(b
= 0; b
< 4; b
++)
419 for(i
= 0; i
< 256; i
++)
421 *(p
= &psbox
[b
][i
]) = 0L;
422 for(j
= 0; j
< 8; j
++)
425 *p
|= bits32
[un_pbox
[8 * b
+ j
]];
429 rb_des_initialised
= 1;
434 rb_setup_salt(long salt
)
436 uint32_t obit
, saltbit
;
439 if(salt
== (long)old_salt
)
446 for(i
= 0; i
< 24; i
++)
456 rb_des_setkey(const char *key
)
458 uint32_t k0
, k1
, rawkey0
, rawkey1
;
463 rawkey0
= ntohl(*(const uint32_t *)key
);
464 rawkey1
= ntohl(*(const uint32_t *)(key
+ 4));
466 if((rawkey0
| rawkey1
) && rawkey0
== old_rawkey0
&& rawkey1
== old_rawkey1
)
469 * Already setup for this key.
470 * This optimisation fails on a zero key (which is weak and
471 * has bad parity anyway) in order to simplify the starting
476 old_rawkey0
= rawkey0
;
477 old_rawkey1
= rawkey1
;
480 * Do key permutation and split into two 28-bit subkeys.
482 k0
= key_perm_maskl
[0][rawkey0
>> 25]
483 | key_perm_maskl
[1][(rawkey0
>> 17) & 0x7f]
484 | key_perm_maskl
[2][(rawkey0
>> 9) & 0x7f]
485 | key_perm_maskl
[3][(rawkey0
>> 1) & 0x7f]
486 | key_perm_maskl
[4][rawkey1
>> 25]
487 | key_perm_maskl
[5][(rawkey1
>> 17) & 0x7f]
488 | key_perm_maskl
[6][(rawkey1
>> 9) & 0x7f]
489 | key_perm_maskl
[7][(rawkey1
>> 1) & 0x7f];
490 k1
= key_perm_maskr
[0][rawkey0
>> 25]
491 | key_perm_maskr
[1][(rawkey0
>> 17) & 0x7f]
492 | key_perm_maskr
[2][(rawkey0
>> 9) & 0x7f]
493 | key_perm_maskr
[3][(rawkey0
>> 1) & 0x7f]
494 | key_perm_maskr
[4][rawkey1
>> 25]
495 | key_perm_maskr
[5][(rawkey1
>> 17) & 0x7f]
496 | key_perm_maskr
[6][(rawkey1
>> 9) & 0x7f]
497 | key_perm_maskr
[7][(rawkey1
>> 1) & 0x7f];
499 * Rotate subkeys and do compression permutation.
502 for(round
= 0; round
< 16; round
++)
506 shifts
+= key_shifts
[round
];
508 t0
= (k0
<< shifts
) | (k0
>> (28 - shifts
));
509 t1
= (k1
<< shifts
) | (k1
>> (28 - shifts
));
511 de_keysl
[15 - round
] =
512 en_keysl
[round
] = comp_maskl
[0][(t0
>> 21) & 0x7f]
513 | comp_maskl
[1][(t0
>> 14) & 0x7f]
514 | comp_maskl
[2][(t0
>> 7) & 0x7f]
515 | comp_maskl
[3][t0
& 0x7f]
516 | comp_maskl
[4][(t1
>> 21) & 0x7f]
517 | comp_maskl
[5][(t1
>> 14) & 0x7f]
518 | comp_maskl
[6][(t1
>> 7) & 0x7f] | comp_maskl
[7][t1
& 0x7f];
520 de_keysr
[15 - round
] =
521 en_keysr
[round
] = comp_maskr
[0][(t0
>> 21) & 0x7f]
522 | comp_maskr
[1][(t0
>> 14) & 0x7f]
523 | comp_maskr
[2][(t0
>> 7) & 0x7f]
524 | comp_maskr
[3][t0
& 0x7f]
525 | comp_maskr
[4][(t1
>> 21) & 0x7f]
526 | comp_maskr
[5][(t1
>> 14) & 0x7f]
527 | comp_maskr
[6][(t1
>> 7) & 0x7f] | comp_maskr
[7][t1
& 0x7f];
533 rb_do_des(uint32_t l_in
, uint32_t r_in
, uint32_t *l_out
, uint32_t *r_out
, int count
)
536 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
538 uint32_t l
, r
, *kl
, *kr
, *kl1
, *kr1
;
539 uint32_t f
, r48l
, r48r
;
565 * Do initial permutation (IP).
567 l
= ip_maskl
[0][l_in
>> 24]
568 | ip_maskl
[1][(l_in
>> 16) & 0xff]
569 | ip_maskl
[2][(l_in
>> 8) & 0xff]
570 | ip_maskl
[3][l_in
& 0xff]
571 | ip_maskl
[4][r_in
>> 24]
572 | ip_maskl
[5][(r_in
>> 16) & 0xff]
573 | ip_maskl
[6][(r_in
>> 8) & 0xff] | ip_maskl
[7][r_in
& 0xff];
574 r
= ip_maskr
[0][l_in
>> 24]
575 | ip_maskr
[1][(l_in
>> 16) & 0xff]
576 | ip_maskr
[2][(l_in
>> 8) & 0xff]
577 | ip_maskr
[3][l_in
& 0xff]
578 | ip_maskr
[4][r_in
>> 24]
579 | ip_maskr
[5][(r_in
>> 16) & 0xff]
580 | ip_maskr
[6][(r_in
>> 8) & 0xff] | ip_maskr
[7][r_in
& 0xff];
593 * Expand R to 48 bits (simulate the E-box).
595 r48l
= ((r
& 0x00000001) << 23)
596 | ((r
& 0xf8000000) >> 9)
597 | ((r
& 0x1f800000) >> 11)
598 | ((r
& 0x01f80000) >> 13) | ((r
& 0x001f8000) >> 15);
600 r48r
= ((r
& 0x0001f800) << 7)
601 | ((r
& 0x00001f80) << 5)
602 | ((r
& 0x000001f8) << 3)
603 | ((r
& 0x0000001f) << 1) | ((r
& 0x80000000) >> 31);
605 * Do salting for crypt() and friends, and
606 * XOR with the permuted key.
608 f
= (r48l
^ r48r
) & saltbits
;
612 * Do sbox lookups (which shrink it back to 32 bits)
613 * and do the pbox permutation at the same time.
615 f
= psbox
[0][m_sbox
[0][r48l
>> 12]]
616 | psbox
[1][m_sbox
[1][r48l
& 0xfff]]
617 | psbox
[2][m_sbox
[2][r48r
>> 12]]
618 | psbox
[3][m_sbox
[3][r48r
& 0xfff]];
620 * Now that we've permuted things, complete f().
630 * Do final permutation (inverse of IP).
632 *l_out
= fp_maskl
[0][l
>> 24]
633 | fp_maskl
[1][(l
>> 16) & 0xff]
634 | fp_maskl
[2][(l
>> 8) & 0xff]
635 | fp_maskl
[3][l
& 0xff]
636 | fp_maskl
[4][r
>> 24]
637 | fp_maskl
[5][(r
>> 16) & 0xff]
638 | fp_maskl
[6][(r
>> 8) & 0xff] | fp_maskl
[7][r
& 0xff];
639 *r_out
= fp_maskr
[0][l
>> 24]
640 | fp_maskr
[1][(l
>> 16) & 0xff]
641 | fp_maskr
[2][(l
>> 8) & 0xff]
642 | fp_maskr
[3][l
& 0xff]
643 | fp_maskr
[4][r
>> 24]
644 | fp_maskr
[5][(r
>> 16) & 0xff]
645 | fp_maskr
[6][(r
>> 8) & 0xff] | fp_maskr
[7][r
& 0xff];
650 rb_des_crypt(const char *key
, const char *setting
)
652 uint32_t count
, salt
, l
, r0
, r1
, keybuf
[2];
654 static char output
[21];
659 * Copy the key, shifting each character up by one bit
660 * and padding with zeros.
662 q
= (uint8_t *)keybuf
;
663 while(q
- (uint8_t *)keybuf
- 8)
669 if(rb_des_setkey((char *)keybuf
))
674 * setting - 2 bytes of salt
675 * key - up to 8 characters
679 salt
= (rb_ascii_to_bin(setting
[1]) << 6) | rb_ascii_to_bin(setting
[0]);
681 output
[0] = setting
[0];
683 * If the encrypted password that the salt was extracted from
684 * is only 1 character long, the salt will be corrupted. We
685 * need to ensure that the output string doesn't have an extra
688 output
[1] = setting
[1] ? setting
[1] : output
[0];
690 p
= (uint8_t *)output
+ 2;
696 if(rb_do_des(0L, 0L, &r0
, &r1
, (int)count
))
699 * Now encode the result...
702 *p
++ = ascii64
[(l
>> 18) & 0x3f];
703 *p
++ = ascii64
[(l
>> 12) & 0x3f];
704 *p
++ = ascii64
[(l
>> 6) & 0x3f];
705 *p
++ = ascii64
[l
& 0x3f];
707 l
= (r0
<< 16) | ((r1
>> 16) & 0xffff);
708 *p
++ = ascii64
[(l
>> 18) & 0x3f];
709 *p
++ = ascii64
[(l
>> 12) & 0x3f];
710 *p
++ = ascii64
[(l
>> 6) & 0x3f];
711 *p
++ = ascii64
[l
& 0x3f];
714 *p
++ = ascii64
[(l
>> 12) & 0x3f];
715 *p
++ = ascii64
[(l
>> 6) & 0x3f];
716 *p
++ = ascii64
[l
& 0x3f];
724 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
726 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
729 * License to copy and use this software is granted provided that it
730 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
731 * Algorithm" in all material mentioning or referencing this software
734 * License is also granted to make and use derivative works provided
735 * that such works are identified as "derived from the RSA Data
736 * Security, Inc. MD5 Message-Digest Algorithm" in all material
737 * mentioning or referencing the derived work.
739 * RSA Data Security, Inc. makes no representations concerning either
740 * the merchantability of this software or the suitability of this
741 * software for any particular purpose. It is provided "as is"
742 * without express or implied warranty of any kind.
744 * These notices must be retained in any copies of any part of this
745 * documentation and/or software.
747 * This code is the same as the code published by RSA Inc. It has been
748 * edited for clarity and style only.
751 #define MD5_BLOCK_LENGTH 64
752 #define MD5_DIGEST_LENGTH 16
753 #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1)
757 _crypt_to64(char *s
, u_long v
, int n
)
760 *s
++ = ascii64
[v
&0x3f];
766 typedef struct MD5Context
{
767 uint32_t state
[4]; /* state (ABCD) */
768 uint32_t count
[2]; /* number of bits, modulo 2^64 (lsb first) */
769 unsigned char buffer
[64]; /* input buffer */
772 static void MD5Transform(uint32_t [4], const unsigned char [64]);
773 static void MD5Init (MD5_CTX
*);
774 static void MD5Update (MD5_CTX
*, const void *, unsigned int);
775 static void MD5Final (unsigned char [16], MD5_CTX
*);
777 #ifndef WORDS_BIGENDIAN
778 #define Encode memcpy
779 #define Decode memcpy
783 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
788 Encode (unsigned char *output
, uint32_t *input
, unsigned int len
)
791 uint32_t *op
= (uint32_t *)output
;
793 for (i
= 0; i
< len
/ 4; i
++)
794 op
[i
] = htole32(input
[i
]);
798 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
803 Decode (uint32_t *output
, const unsigned char *input
, unsigned int len
)
806 const uint32_t *ip
= (const uint32_t *)input
;
808 for (i
= 0; i
< len
/ 4; i
++)
809 output
[i
] = le32toh(ip
[i
]);
813 static unsigned char PADDING
[64] = {
814 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
815 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
816 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
819 /* F, G, H and I are basic MD5 functions. */
820 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
821 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
822 #define H(x, y, z) ((x) ^ (y) ^ (z))
823 #define I(x, y, z) ((y) ^ ((x) | (~z)))
825 /* ROTATE_LEFT rotates x left n bits. */
826 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
829 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
830 * Rotation is separate from addition to prevent recomputation.
832 #define FF(a, b, c, d, x, s, ac) { \
833 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
834 (a) = ROTATE_LEFT ((a), (s)); \
837 #define GG(a, b, c, d, x, s, ac) { \
838 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
839 (a) = ROTATE_LEFT ((a), (s)); \
842 #define HH(a, b, c, d, x, s, ac) { \
843 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
844 (a) = ROTATE_LEFT ((a), (s)); \
847 #define II(a, b, c, d, x, s, ac) { \
848 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
849 (a) = ROTATE_LEFT ((a), (s)); \
853 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
860 context
->count
[0] = context
->count
[1] = 0;
862 /* Load magic initialization constants. */
863 context
->state
[0] = 0x67452301;
864 context
->state
[1] = 0xefcdab89;
865 context
->state
[2] = 0x98badcfe;
866 context
->state
[3] = 0x10325476;
870 * MD5 block update operation. Continues an MD5 message-digest
871 * operation, processing another message block, and updating the
876 MD5Update (context
, in
, inputLen
)
879 unsigned int inputLen
;
881 unsigned int i
, idx
, partLen
;
882 const unsigned char *input
= in
;
884 /* Compute number of bytes mod 64 */
885 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3F);
887 /* Update number of bits */
888 if ((context
->count
[0] += ((uint32_t)inputLen
<< 3))
889 < ((uint32_t)inputLen
<< 3))
891 context
->count
[1] += ((uint32_t)inputLen
>> 29);
895 /* Transform as many times as possible. */
896 if (inputLen
>= partLen
) {
897 memcpy((void *)&context
->buffer
[idx
], (const void *)input
,
899 MD5Transform (context
->state
, context
->buffer
);
901 for (i
= partLen
; i
+ 63 < inputLen
; i
+= 64)
902 MD5Transform (context
->state
, &input
[i
]);
909 /* Buffer remaining input */
910 memcpy ((void *)&context
->buffer
[idx
], (const void *)&input
[i
],
915 * MD5 padding. Adds padding followed by original length.
922 unsigned char bits
[8];
923 unsigned int idx
, padLen
;
925 /* Save number of bits */
926 Encode (bits
, context
->count
, 8);
928 /* Pad out to 56 mod 64. */
929 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3f);
930 padLen
= (idx
< 56) ? (56 - idx
) : (120 - idx
);
931 MD5Update (context
, PADDING
, padLen
);
933 /* Append length (before padding) */
934 MD5Update (context
, bits
, 8);
938 * MD5 finalization. Ends an MD5 message-digest operation, writing the
939 * the message digest and zeroizing the context.
943 MD5Final (digest
, context
)
944 unsigned char digest
[16];
950 /* Store state in digest */
951 Encode (digest
, context
->state
, 16);
953 /* Zeroize sensitive information. */
954 memset ((void *)context
, 0, sizeof (*context
));
957 /* MD5 basic transformation. Transforms state based on block. */
960 MD5Transform (state
, block
)
962 const unsigned char block
[64];
964 uint32_t a
= state
[0], b
= state
[1], c
= state
[2], d
= state
[3], x
[16];
966 Decode (x
, block
, 64);
973 FF (a
, b
, c
, d
, x
[ 0], S11
, 0xd76aa478); /* 1 */
974 FF (d
, a
, b
, c
, x
[ 1], S12
, 0xe8c7b756); /* 2 */
975 FF (c
, d
, a
, b
, x
[ 2], S13
, 0x242070db); /* 3 */
976 FF (b
, c
, d
, a
, x
[ 3], S14
, 0xc1bdceee); /* 4 */
977 FF (a
, b
, c
, d
, x
[ 4], S11
, 0xf57c0faf); /* 5 */
978 FF (d
, a
, b
, c
, x
[ 5], S12
, 0x4787c62a); /* 6 */
979 FF (c
, d
, a
, b
, x
[ 6], S13
, 0xa8304613); /* 7 */
980 FF (b
, c
, d
, a
, x
[ 7], S14
, 0xfd469501); /* 8 */
981 FF (a
, b
, c
, d
, x
[ 8], S11
, 0x698098d8); /* 9 */
982 FF (d
, a
, b
, c
, x
[ 9], S12
, 0x8b44f7af); /* 10 */
983 FF (c
, d
, a
, b
, x
[10], S13
, 0xffff5bb1); /* 11 */
984 FF (b
, c
, d
, a
, x
[11], S14
, 0x895cd7be); /* 12 */
985 FF (a
, b
, c
, d
, x
[12], S11
, 0x6b901122); /* 13 */
986 FF (d
, a
, b
, c
, x
[13], S12
, 0xfd987193); /* 14 */
987 FF (c
, d
, a
, b
, x
[14], S13
, 0xa679438e); /* 15 */
988 FF (b
, c
, d
, a
, x
[15], S14
, 0x49b40821); /* 16 */
995 GG (a
, b
, c
, d
, x
[ 1], S21
, 0xf61e2562); /* 17 */
996 GG (d
, a
, b
, c
, x
[ 6], S22
, 0xc040b340); /* 18 */
997 GG (c
, d
, a
, b
, x
[11], S23
, 0x265e5a51); /* 19 */
998 GG (b
, c
, d
, a
, x
[ 0], S24
, 0xe9b6c7aa); /* 20 */
999 GG (a
, b
, c
, d
, x
[ 5], S21
, 0xd62f105d); /* 21 */
1000 GG (d
, a
, b
, c
, x
[10], S22
, 0x2441453); /* 22 */
1001 GG (c
, d
, a
, b
, x
[15], S23
, 0xd8a1e681); /* 23 */
1002 GG (b
, c
, d
, a
, x
[ 4], S24
, 0xe7d3fbc8); /* 24 */
1003 GG (a
, b
, c
, d
, x
[ 9], S21
, 0x21e1cde6); /* 25 */
1004 GG (d
, a
, b
, c
, x
[14], S22
, 0xc33707d6); /* 26 */
1005 GG (c
, d
, a
, b
, x
[ 3], S23
, 0xf4d50d87); /* 27 */
1006 GG (b
, c
, d
, a
, x
[ 8], S24
, 0x455a14ed); /* 28 */
1007 GG (a
, b
, c
, d
, x
[13], S21
, 0xa9e3e905); /* 29 */
1008 GG (d
, a
, b
, c
, x
[ 2], S22
, 0xfcefa3f8); /* 30 */
1009 GG (c
, d
, a
, b
, x
[ 7], S23
, 0x676f02d9); /* 31 */
1010 GG (b
, c
, d
, a
, x
[12], S24
, 0x8d2a4c8a); /* 32 */
1017 HH (a
, b
, c
, d
, x
[ 5], S31
, 0xfffa3942); /* 33 */
1018 HH (d
, a
, b
, c
, x
[ 8], S32
, 0x8771f681); /* 34 */
1019 HH (c
, d
, a
, b
, x
[11], S33
, 0x6d9d6122); /* 35 */
1020 HH (b
, c
, d
, a
, x
[14], S34
, 0xfde5380c); /* 36 */
1021 HH (a
, b
, c
, d
, x
[ 1], S31
, 0xa4beea44); /* 37 */
1022 HH (d
, a
, b
, c
, x
[ 4], S32
, 0x4bdecfa9); /* 38 */
1023 HH (c
, d
, a
, b
, x
[ 7], S33
, 0xf6bb4b60); /* 39 */
1024 HH (b
, c
, d
, a
, x
[10], S34
, 0xbebfbc70); /* 40 */
1025 HH (a
, b
, c
, d
, x
[13], S31
, 0x289b7ec6); /* 41 */
1026 HH (d
, a
, b
, c
, x
[ 0], S32
, 0xeaa127fa); /* 42 */
1027 HH (c
, d
, a
, b
, x
[ 3], S33
, 0xd4ef3085); /* 43 */
1028 HH (b
, c
, d
, a
, x
[ 6], S34
, 0x4881d05); /* 44 */
1029 HH (a
, b
, c
, d
, x
[ 9], S31
, 0xd9d4d039); /* 45 */
1030 HH (d
, a
, b
, c
, x
[12], S32
, 0xe6db99e5); /* 46 */
1031 HH (c
, d
, a
, b
, x
[15], S33
, 0x1fa27cf8); /* 47 */
1032 HH (b
, c
, d
, a
, x
[ 2], S34
, 0xc4ac5665); /* 48 */
1039 II (a
, b
, c
, d
, x
[ 0], S41
, 0xf4292244); /* 49 */
1040 II (d
, a
, b
, c
, x
[ 7], S42
, 0x432aff97); /* 50 */
1041 II (c
, d
, a
, b
, x
[14], S43
, 0xab9423a7); /* 51 */
1042 II (b
, c
, d
, a
, x
[ 5], S44
, 0xfc93a039); /* 52 */
1043 II (a
, b
, c
, d
, x
[12], S41
, 0x655b59c3); /* 53 */
1044 II (d
, a
, b
, c
, x
[ 3], S42
, 0x8f0ccc92); /* 54 */
1045 II (c
, d
, a
, b
, x
[10], S43
, 0xffeff47d); /* 55 */
1046 II (b
, c
, d
, a
, x
[ 1], S44
, 0x85845dd1); /* 56 */
1047 II (a
, b
, c
, d
, x
[ 8], S41
, 0x6fa87e4f); /* 57 */
1048 II (d
, a
, b
, c
, x
[15], S42
, 0xfe2ce6e0); /* 58 */
1049 II (c
, d
, a
, b
, x
[ 6], S43
, 0xa3014314); /* 59 */
1050 II (b
, c
, d
, a
, x
[13], S44
, 0x4e0811a1); /* 60 */
1051 II (a
, b
, c
, d
, x
[ 4], S41
, 0xf7537e82); /* 61 */
1052 II (d
, a
, b
, c
, x
[11], S42
, 0xbd3af235); /* 62 */
1053 II (c
, d
, a
, b
, x
[ 2], S43
, 0x2ad7d2bb); /* 63 */
1054 II (b
, c
, d
, a
, x
[ 9], S44
, 0xeb86d391); /* 64 */
1061 /* Zeroize sensitive information. */
1062 memset ((void *)x
, 0, sizeof (x
));
1070 rb_md5_crypt(const char *pw
, const char *salt
)
1076 u_char final
[MD5_SIZE
];
1077 static const char *sp
, *ep
;
1078 static char passwd
[120], *p
;
1079 static const char *magic
= "$1$";
1081 /* Refine the Salt first */
1084 /* If it starts with the magic string, then skip that */
1085 if(!strncmp(sp
, magic
, strlen(magic
)))
1086 sp
+= strlen(magic
);
1088 /* It stops at the first '$', max 8 chars */
1089 for(ep
= sp
; *ep
&& *ep
!= '$' && ep
< (sp
+ 8); ep
++)
1092 /* get the length of the true salt */
1097 /* The password first, since that is what is most unknown */
1098 MD5Update(&ctx
, (const u_char
*)pw
, strlen(pw
));
1100 /* Then our magic string */
1101 MD5Update(&ctx
, (const u_char
*)magic
, strlen(magic
));
1103 /* Then the raw salt */
1104 MD5Update(&ctx
, (const u_char
*)sp
, (u_int
)sl
);
1106 /* Then just as many characters of the MD5(pw,salt,pw) */
1108 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1109 MD5Update(&ctx1
, (const u_char
*)sp
, (u_int
)sl
);
1110 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1111 MD5Final(final
, &ctx1
);
1112 for(pl
= (int)strlen(pw
); pl
> 0; pl
-= MD5_SIZE
)
1113 MD5Update(&ctx
, (const u_char
*)final
,
1114 (u_int
)(pl
> MD5_SIZE
? MD5_SIZE
: pl
));
1116 /* Don't leave anything around in vm they could use. */
1117 memset(final
, 0, sizeof(final
));
1119 /* Then something really weird... */
1120 for (i
= strlen(pw
); i
; i
>>= 1)
1122 MD5Update(&ctx
, (const u_char
*)final
, 1);
1124 MD5Update(&ctx
, (const u_char
*)pw
, 1);
1126 /* Now make the output string */
1127 rb_strlcpy(passwd
, magic
, sizeof(passwd
));
1128 strncat(passwd
, sp
, (u_int
)sl
);
1129 rb_strlcat(passwd
, "$", sizeof(passwd
));
1131 MD5Final(final
, &ctx
);
1134 * and now, just to make sure things don't run too fast
1135 * On a 60 Mhz Pentium this takes 34 msec, so you would
1136 * need 30 seconds to build a 1000 entry dictionary...
1138 for(i
= 0; i
< 1000; i
++) {
1141 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1143 MD5Update(&ctx1
, (const u_char
*)final
, MD5_SIZE
);
1146 MD5Update(&ctx1
, (const u_char
*)sp
, (u_int
)sl
);
1149 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1152 MD5Update(&ctx1
, (const u_char
*)final
, MD5_SIZE
);
1154 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1155 MD5Final(final
, &ctx1
);
1158 p
= passwd
+ strlen(passwd
);
1160 l
= (final
[ 0]<<16) | (final
[ 6]<<8) | final
[12];
1161 _crypt_to64(p
, l
, 4); p
+= 4;
1162 l
= (final
[ 1]<<16) | (final
[ 7]<<8) | final
[13];
1163 _crypt_to64(p
, l
, 4); p
+= 4;
1164 l
= (final
[ 2]<<16) | (final
[ 8]<<8) | final
[14];
1165 _crypt_to64(p
, l
, 4); p
+= 4;
1166 l
= (final
[ 3]<<16) | (final
[ 9]<<8) | final
[15];
1167 _crypt_to64(p
, l
, 4); p
+= 4;
1168 l
= (final
[ 4]<<16) | (final
[10]<<8) | final
[ 5];
1169 _crypt_to64(p
, l
, 4); p
+= 4;
1171 _crypt_to64(p
, l
, 2); p
+= 2;
1174 /* Don't leave anything around in vm they could use. */
1175 memset(final
, 0, sizeof(final
));
1181 /* SHA256-based Unix crypt implementation.
1182 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1184 /* Structure to save state of computation between the single steps. */
1191 char buffer
[128]; /* NB: always correctly aligned for uint32_t. */
1194 #ifndef WORDS_BIGENDIAN
1195 # define SHA256_SWAP(n) \
1196 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1198 # define SHA256_SWAP(n) (n)
1201 /* This array contains the bytes used to pad the buffer to the next
1202 64-byte boundary. (FIPS 180-2:5.1.1) */
1203 static const unsigned char SHA256_fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
1206 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1207 static const uint32_t SHA256_K
[64] = {
1208 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1209 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1210 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1211 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1212 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1213 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1214 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1215 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1216 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1217 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1218 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1219 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1220 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1221 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1222 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1223 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1227 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1228 It is assumed that LEN % 64 == 0. */
1229 static void rb_sha256_process_block(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1231 const uint32_t *words
= buffer
;
1232 size_t nwords
= len
/ sizeof(uint32_t);
1233 uint32_t a
= ctx
->H
[0];
1234 uint32_t b
= ctx
->H
[1];
1235 uint32_t c
= ctx
->H
[2];
1236 uint32_t d
= ctx
->H
[3];
1237 uint32_t e
= ctx
->H
[4];
1238 uint32_t f
= ctx
->H
[5];
1239 uint32_t g
= ctx
->H
[6];
1240 uint32_t h
= ctx
->H
[7];
1242 /* First increment the byte count. FIPS 180-2 specifies the possible
1243 length of the file up to 2^64 bits. Here we only compute the
1244 number of bytes. Do a double word increment. */
1245 ctx
->total
[0] += len
;
1246 if (ctx
->total
[0] < len
)
1249 /* Process all bytes in the buffer with 64 bytes in each round of
1254 uint32_t a_save
= a
;
1255 uint32_t b_save
= b
;
1256 uint32_t c_save
= c
;
1257 uint32_t d_save
= d
;
1258 uint32_t e_save
= e
;
1259 uint32_t f_save
= f
;
1260 uint32_t g_save
= g
;
1261 uint32_t h_save
= h
;
1264 /* Operators defined in FIPS 180-2:4.1.2. */
1265 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1266 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1267 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1268 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1269 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1270 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1272 /* It is unfortunate that C does not provide an operator for
1273 cyclic rotation. Hope the C compiler is smart enough. */
1274 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1276 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1277 for (t
= 0; t
< 16; ++t
)
1279 W
[t
] = SHA256_SWAP(*words
);
1282 for (t
= 16; t
< 64; ++t
)
1283 W
[t
] = SHA256_R1(W
[t
- 2]) + W
[t
- 7] + SHA256_R0(W
[t
- 15]) + W
[t
- 16];
1285 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1286 for (t
= 0; t
< 64; ++t
)
1288 uint32_t T1
= h
+ SHA256_S1(e
) + SHA256_Ch(e
, f
, g
) + SHA256_K
[t
] + W
[t
];
1289 uint32_t T2
= SHA256_S0(a
) + SHA256_Maj(a
, b
, c
);
1300 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1311 /* Prepare for the next round. */
1315 /* Put checksum in context given as argument. */
1327 /* Initialize structure containing state of computation.
1328 (FIPS 180-2:5.3.2) */
1329 static void rb_sha256_init_ctx(struct sha256_ctx
*ctx
)
1331 ctx
->H
[0] = 0x6a09e667;
1332 ctx
->H
[1] = 0xbb67ae85;
1333 ctx
->H
[2] = 0x3c6ef372;
1334 ctx
->H
[3] = 0xa54ff53a;
1335 ctx
->H
[4] = 0x510e527f;
1336 ctx
->H
[5] = 0x9b05688c;
1337 ctx
->H
[6] = 0x1f83d9ab;
1338 ctx
->H
[7] = 0x5be0cd19;
1340 ctx
->total
[0] = ctx
->total
[1] = 0;
1345 /* Process the remaining bytes in the internal buffer and the usual
1346 prolog according to the standard and write the result to RESBUF.
1348 IMPORTANT: On some systems it is required that RESBUF is correctly
1349 aligned for a 32 bits value. */
1350 static void *rb_sha256_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
1352 /* Take yet unprocessed bytes into account. */
1353 uint32_t bytes
= ctx
->buflen
, *ptr
;
1357 /* Now count remaining bytes. */
1358 ctx
->total
[0] += bytes
;
1359 if (ctx
->total
[0] < bytes
)
1362 pad
= bytes
>= 56 ? 64 + 56 - bytes
: 56 - bytes
;
1363 memcpy(&ctx
->buffer
[bytes
], SHA256_fillbuf
, pad
);
1365 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1366 ptr
= (uint32_t *)&ctx
->buffer
[bytes
+ pad
+ 4]; /* Avoid warnings about strict aliasing */
1367 *ptr
= SHA256_SWAP(ctx
->total
[0] << 3);
1369 ptr
= (uint32_t *)&ctx
->buffer
[bytes
+ pad
];
1370 *ptr
= SHA256_SWAP((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 29));
1372 /* Process last bytes. */
1373 rb_sha256_process_block(ctx
->buffer
, bytes
+ pad
+ 8, ctx
);
1375 /* Put result from CTX in first 32 bytes following RESBUF. */
1376 for (i
= 0; i
< 8; ++i
)
1377 ((uint32_t *) resbuf
)[i
] = SHA256_SWAP(ctx
->H
[i
]);
1383 static void rb_sha256_process_bytes(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1385 /* When we already have some bits in our internal buffer concatenate
1386 both inputs first. */
1387 if (ctx
->buflen
!= 0)
1389 size_t left_over
= ctx
->buflen
;
1390 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
1392 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1395 if (ctx
->buflen
> 64)
1397 rb_sha256_process_block(ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
1400 /* The regions in the following copy operation cannot overlap. */
1401 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~63], ctx
->buflen
);
1404 buffer
= (const char *)buffer
+ add
;
1408 /* Process available complete blocks. */
1411 /* To check alignment gcc has an appropriate operator. Other
1414 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1416 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1418 if (SHA256_UNALIGNED_P(buffer
))
1421 rb_sha256_process_block(memcpy(ctx
->buffer
, buffer
, 64), 64, ctx
);
1422 buffer
= (const char *)buffer
+ 64;
1427 rb_sha256_process_block(buffer
, len
& ~63, ctx
);
1428 buffer
= (const char *)buffer
+ (len
& ~63);
1433 /* Move remaining bytes into internal buffer. */
1436 size_t left_over
= ctx
->buflen
;
1438 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
1440 if (left_over
>= 64)
1442 rb_sha256_process_block(ctx
->buffer
, 64, ctx
);
1444 memcpy(ctx
->buffer
, &ctx
->buffer
[64], left_over
);
1446 ctx
->buflen
= left_over
;
1451 /* Define our magic string to mark salt for SHA256 "encryption"
1453 static const char sha256_salt_prefix
[] = "$5$";
1455 /* Prefix for optional rounds specification. */
1456 static const char sha256_rounds_prefix
[] = "rounds=";
1458 /* Maximum salt string length. */
1459 #define SHA256_SALT_LEN_MAX 16
1460 /* Default number of rounds if not explicitly specified. */
1461 #define SHA256_ROUNDS_DEFAULT 5000
1462 /* Minimum number of rounds. */
1463 #define SHA256_ROUNDS_MIN 1000
1464 /* Maximum number of rounds. */
1465 #define SHA256_ROUNDS_MAX 999999999
1467 static char *rb_sha256_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
1469 unsigned char alt_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1470 unsigned char temp_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1471 struct sha256_ctx ctx
;
1472 struct sha256_ctx alt_ctx
;
1477 char *copied_key
= NULL
;
1478 char *copied_salt
= NULL
;
1481 /* Default number of rounds. */
1482 size_t rounds
= SHA256_ROUNDS_DEFAULT
;
1483 int rounds_custom
= 0;
1485 /* Find beginning of salt string. The prefix should normally always
1486 be present. Just in case it is not. */
1487 if (strncmp(sha256_salt_prefix
, salt
, sizeof(sha256_salt_prefix
) - 1) == 0)
1488 /* Skip salt prefix. */
1489 salt
+= sizeof(sha256_salt_prefix
) - 1;
1491 if (strncmp(salt
, sha256_rounds_prefix
, sizeof(sha256_rounds_prefix
) - 1) == 0)
1493 const char *num
= salt
+ sizeof(sha256_rounds_prefix
) - 1;
1495 unsigned long int srounds
= strtoul(num
, &endp
, 10);
1499 rounds
= MAX(SHA256_ROUNDS_MIN
, MIN(srounds
, SHA256_ROUNDS_MAX
));
1504 salt_len
= MIN(strcspn(salt
, "$"), SHA256_SALT_LEN_MAX
);
1505 key_len
= strlen(key
);
1507 if ((key
- (char *)0) % __alignof__(uint32_t) != 0)
1509 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint32_t));
1511 memcpy(tmp
+ __alignof__(uint32_t)
1512 - (tmp
- (char *)0) % __alignof__(uint32_t), key
, key_len
);
1515 if ((salt
- (char *)0) % __alignof__(uint32_t) != 0)
1517 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint32_t));
1518 salt
= copied_salt
=
1519 memcpy(tmp
+ __alignof__(uint32_t)
1520 - (tmp
- (char *)0) % __alignof__(uint32_t), salt
, salt_len
);
1523 /* Prepare for the real work. */
1524 rb_sha256_init_ctx(&ctx
);
1526 /* Add the key string. */
1527 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1529 /* The last part is the salt string. This must be at most 16
1530 characters and it ends at the first `$' character (for
1531 compatibility with existing implementations). */
1532 rb_sha256_process_bytes(salt
, salt_len
, &ctx
);
1535 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1536 final result will be added to the first context. */
1537 rb_sha256_init_ctx(&alt_ctx
);
1540 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1543 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1545 /* Add key again. */
1546 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1548 /* Now get result of this (32 bytes) and add it to the other
1550 rb_sha256_finish_ctx(&alt_ctx
, alt_result
);
1552 /* Add for any character in the key one byte of the alternate sum. */
1553 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
1554 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1555 rb_sha256_process_bytes(alt_result
, cnt
, &ctx
);
1557 /* Take the binary representation of the length of the key and for every
1558 1 add the alternate sum, for every 0 the key. */
1559 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
1561 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1563 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1565 /* Create intermediate result. */
1566 rb_sha256_finish_ctx(&ctx
, alt_result
);
1568 /* Start computation of P byte sequence. */
1569 rb_sha256_init_ctx(&alt_ctx
);
1571 /* For every character in the password add the entire password. */
1572 for (cnt
= 0; cnt
< key_len
; ++cnt
)
1573 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1575 /* Finish the digest. */
1576 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1578 /* Create byte sequence P. */
1579 cp
= p_bytes
= alloca(key_len
);
1580 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
1582 memcpy(cp
, temp_result
, 32);
1585 memcpy(cp
, temp_result
, cnt
);
1587 /* Start computation of S byte sequence. */
1588 rb_sha256_init_ctx(&alt_ctx
);
1590 /* For every character in the password add the entire password. */
1591 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
1592 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1594 /* Finish the digest. */
1595 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1597 /* Create byte sequence S. */
1598 cp
= s_bytes
= alloca(salt_len
);
1599 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
1601 memcpy(cp
, temp_result
, 32);
1604 memcpy(cp
, temp_result
, cnt
);
1606 /* Repeatedly run the collected hash value through SHA256 to burn
1608 for (cnt
= 0; cnt
< rounds
; ++cnt
)
1611 rb_sha256_init_ctx(&ctx
);
1613 /* Add key or last result. */
1615 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1617 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1619 /* Add salt for numbers not divisible by 3. */
1621 rb_sha256_process_bytes(s_bytes
, salt_len
, &ctx
);
1623 /* Add key for numbers not divisible by 7. */
1625 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1627 /* Add key or last result. */
1629 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1631 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1633 /* Create intermediate result. */
1634 rb_sha256_finish_ctx(&ctx
, alt_result
);
1637 /* Now we can construct the result string. It consists of three
1639 memset(buffer
, '\0', MAX(0, buflen
));
1640 strncpy(buffer
, sha256_salt_prefix
, MAX(0, buflen
));
1641 if((cp
= strchr(buffer
, '\0')) == NULL
)
1642 cp
= buffer
+ MAX(0, buflen
);
1643 buflen
-= sizeof(sha256_salt_prefix
) - 1;
1647 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
1648 sha256_rounds_prefix
, rounds
);
1653 memset(cp
, '\0', salt_len
);
1654 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
1655 if((cp
= strchr(buffer
, '\0')) == NULL
)
1657 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
1665 b64_from_24bit(alt_result
[0], alt_result
[10], alt_result
[20], 4);
1666 b64_from_24bit(alt_result
[21], alt_result
[1], alt_result
[11], 4);
1667 b64_from_24bit(alt_result
[12], alt_result
[22], alt_result
[2], 4);
1668 b64_from_24bit(alt_result
[3], alt_result
[13], alt_result
[23], 4);
1669 b64_from_24bit(alt_result
[24], alt_result
[4], alt_result
[14], 4);
1670 b64_from_24bit(alt_result
[15], alt_result
[25], alt_result
[5], 4);
1671 b64_from_24bit(alt_result
[6], alt_result
[16], alt_result
[26], 4);
1672 b64_from_24bit(alt_result
[27], alt_result
[7], alt_result
[17], 4);
1673 b64_from_24bit(alt_result
[18], alt_result
[28], alt_result
[8], 4);
1674 b64_from_24bit(alt_result
[9], alt_result
[19], alt_result
[29], 4);
1675 b64_from_24bit(0, alt_result
[31], alt_result
[30], 3);
1682 *cp
= '\0'; /* Terminate the string. */
1684 /* Clear the buffer for the intermediate result so that people
1685 attaching to processes or reading core dumps cannot get any
1686 information. We do it in this way to clear correct_words[]
1687 inside the SHA256 implementation as well. */
1688 rb_sha256_init_ctx(&ctx
);
1689 rb_sha256_finish_ctx(&ctx
, alt_result
);
1690 memset(temp_result
, '\0', sizeof(temp_result
));
1691 memset(p_bytes
, '\0', key_len
);
1692 memset(s_bytes
, '\0', salt_len
);
1693 memset(&ctx
, '\0', sizeof(ctx
));
1694 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
1695 if (copied_key
!= NULL
)
1696 memset(copied_key
, '\0', key_len
);
1697 if (copied_salt
!= NULL
)
1698 memset(copied_salt
, '\0', salt_len
);
1704 /* This entry point is equivalent to the `crypt' function in Unix
1706 static char *rb_sha256_crypt(const char *key
, const char *salt
)
1708 /* We don't want to have an arbitrary limit in the size of the
1709 password. We can compute an upper bound for the size of the
1710 result in advance and so we can prepare the buffer we pass to
1711 `rb_sha256_crypt_r'. */
1712 static char *buffer
;
1714 int needed
= (sizeof(sha256_salt_prefix
) - 1
1715 + sizeof(sha256_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 43 + 1);
1717 char *new_buffer
= (char *)malloc(needed
);
1718 if (new_buffer
== NULL
)
1721 buffer
= new_buffer
;
1724 return rb_sha256_crypt_r(key
, salt
, buffer
, buflen
);
1727 /* Structure to save state of computation between the single steps. */
1734 char buffer
[256]; /* NB: always correctly aligned for uint64_t. */
1738 #ifndef WORDS_BIGENDIAN
1739 # define SHA512_SWAP(n) \
1741 | (((n) & 0xff00) << 40) \
1742 | (((n) & 0xff0000) << 24) \
1743 | (((n) & 0xff000000) << 8) \
1744 | (((n) >> 8) & 0xff000000) \
1745 | (((n) >> 24) & 0xff0000) \
1746 | (((n) >> 40) & 0xff00) \
1749 # define SHA512_SWAP(n) (n)
1753 /* This array contains the bytes used to pad the buffer to the next
1754 64-byte boundary. (FIPS 180-2:5.1.2) */
1755 static const unsigned char SHA512_fillbuf
[128] = { 0x80, 0 /* , 0, 0, ... */ };
1758 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1759 static const uint64_t SHA512_K
[80] = {
1760 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
1761 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
1762 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
1763 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
1764 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
1765 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
1766 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
1767 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
1768 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
1769 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
1770 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
1771 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
1772 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
1773 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
1774 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
1775 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
1776 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
1777 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
1778 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
1779 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
1780 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
1781 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
1782 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
1783 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
1784 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
1785 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
1786 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
1787 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
1788 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
1789 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
1790 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
1791 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
1792 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
1793 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
1794 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
1795 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
1796 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
1797 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
1798 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
1799 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
1803 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1804 It is assumed that LEN % 128 == 0. */
1805 static void rb_sha512_process_block(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1807 const uint64_t *words
= buffer
;
1808 size_t nwords
= len
/ sizeof(uint64_t);
1809 uint64_t a
= ctx
->H
[0];
1810 uint64_t b
= ctx
->H
[1];
1811 uint64_t c
= ctx
->H
[2];
1812 uint64_t d
= ctx
->H
[3];
1813 uint64_t e
= ctx
->H
[4];
1814 uint64_t f
= ctx
->H
[5];
1815 uint64_t g
= ctx
->H
[6];
1816 uint64_t h
= ctx
->H
[7];
1818 /* First increment the byte count. FIPS 180-2 specifies the possible
1819 length of the file up to 2^128 bits. Here we only compute the
1820 number of bytes. Do a double word increment. */
1821 ctx
->total
[0] += len
;
1822 if (ctx
->total
[0] < len
)
1825 /* Process all bytes in the buffer with 128 bytes in each round of
1830 uint64_t a_save
= a
;
1831 uint64_t b_save
= b
;
1832 uint64_t c_save
= c
;
1833 uint64_t d_save
= d
;
1834 uint64_t e_save
= e
;
1835 uint64_t f_save
= f
;
1836 uint64_t g_save
= g
;
1837 uint64_t h_save
= h
;
1840 /* Operators defined in FIPS 180-2:4.1.2. */
1841 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1842 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1843 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1844 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1845 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1846 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1848 /* It is unfortunate that C does not provide an operator for
1849 cyclic rotation. Hope the C compiler is smart enough. */
1850 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1852 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1853 for (t
= 0; t
< 16; ++t
)
1855 W
[t
] = SHA512_SWAP(*words
);
1858 for (t
= 16; t
< 80; ++t
)
1859 W
[t
] = SHA512_R1(W
[t
- 2]) + W
[t
- 7] + SHA512_R0(W
[t
- 15]) + W
[t
- 16];
1861 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1862 for (t
= 0; t
< 80; ++t
)
1864 uint64_t T1
= h
+ SHA512_S1(e
) + SHA512_Ch(e
, f
, g
) + SHA512_K
[t
] + W
[t
];
1865 uint64_t T2
= SHA512_S0(a
) + SHA512_Maj(a
, b
, c
);
1876 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1887 /* Prepare for the next round. */
1891 /* Put checksum in context given as argument. */
1903 /* Initialize structure containing state of computation.
1904 (FIPS 180-2:5.3.3) */
1905 static void rb_sha512_init_ctx(struct sha512_ctx
*ctx
)
1907 ctx
->H
[0] = 0x6a09e667f3bcc908ULL
;
1908 ctx
->H
[1] = 0xbb67ae8584caa73bULL
;
1909 ctx
->H
[2] = 0x3c6ef372fe94f82bULL
;
1910 ctx
->H
[3] = 0xa54ff53a5f1d36f1ULL
;
1911 ctx
->H
[4] = 0x510e527fade682d1ULL
;
1912 ctx
->H
[5] = 0x9b05688c2b3e6c1fULL
;
1913 ctx
->H
[6] = 0x1f83d9abfb41bd6bULL
;
1914 ctx
->H
[7] = 0x5be0cd19137e2179ULL
;
1916 ctx
->total
[0] = ctx
->total
[1] = 0;
1921 /* Process the remaining bytes in the internal buffer and the usual
1922 prolog according to the standard and write the result to RESBUF.
1924 IMPORTANT: On some systems it is required that RESBUF is correctly
1925 aligned for a 32 bits value. */
1926 static void *rb_sha512_finish_ctx(struct sha512_ctx
*ctx
, void *resbuf
)
1928 /* Take yet unprocessed bytes into account. */
1929 uint64_t bytes
= ctx
->buflen
, *ptr
;
1933 /* Now count remaining bytes. */
1934 ctx
->total
[0] += bytes
;
1935 if (ctx
->total
[0] < bytes
)
1938 pad
= bytes
>= 112 ? 128 + 112 - bytes
: 112 - bytes
;
1939 memcpy(&ctx
->buffer
[bytes
], SHA512_fillbuf
, pad
);
1941 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1942 ptr
= (uint64_t *)&ctx
->buffer
[bytes
+ pad
+ 8]; /* Avoid warnings about strict aliasing */
1943 *ptr
= SHA512_SWAP(ctx
->total
[0] << 3);
1945 ptr
= (uint64_t *)&ctx
->buffer
[bytes
+ pad
];
1946 *ptr
= SHA512_SWAP((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 61));
1948 /* Process last bytes. */
1949 rb_sha512_process_block(ctx
->buffer
, bytes
+ pad
+ 16, ctx
);
1951 /* Put result from CTX in first 64 bytes following RESBUF. */
1952 for (i
= 0; i
< 8; ++i
)
1953 ((uint64_t *) resbuf
)[i
] = SHA512_SWAP(ctx
->H
[i
]);
1959 static void rb_sha512_process_bytes(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1961 /* When we already have some bits in our internal buffer concatenate
1962 both inputs first. */
1963 if (ctx
->buflen
!= 0)
1965 size_t left_over
= ctx
->buflen
;
1966 size_t add
= 256 - left_over
> len
? len
: 256 - left_over
;
1968 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1971 if (ctx
->buflen
> 128)
1973 rb_sha512_process_block(ctx
->buffer
, ctx
->buflen
& ~127, ctx
);
1976 /* The regions in the following copy operation cannot overlap. */
1977 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~127], ctx
->buflen
);
1980 buffer
= (const char *)buffer
+ add
;
1984 /* Process available complete blocks. */
1987 #if !_STRING_ARCH_unaligned
1988 /* To check alignment gcc has an appropriate operator. Other
1991 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1993 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1995 if (SHA512_UNALIGNED_P(buffer
))
1998 rb_sha512_process_block(memcpy(ctx
->buffer
, buffer
, 128), 128, ctx
);
1999 buffer
= (const char *)buffer
+ 128;
2005 rb_sha512_process_block(buffer
, len
& ~127, ctx
);
2006 buffer
= (const char *)buffer
+ (len
& ~127);
2011 /* Move remaining bytes into internal buffer. */
2014 size_t left_over
= ctx
->buflen
;
2016 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
2018 if (left_over
>= 128)
2020 rb_sha512_process_block(ctx
->buffer
, 128, ctx
);
2022 memcpy(ctx
->buffer
, &ctx
->buffer
[128], left_over
);
2024 ctx
->buflen
= left_over
;
2029 /* Define our magic string to mark salt for SHA512 "encryption"
2031 static const char sha512_salt_prefix
[] = "$6$";
2033 /* Prefix for optional rounds specification. */
2034 static const char sha512_rounds_prefix
[] = "rounds=";
2036 /* Maximum salt string length. */
2037 #define SHA512_SALT_LEN_MAX 16
2038 /* Default number of rounds if not explicitly specified. */
2039 #define SHA512_ROUNDS_DEFAULT 5000
2040 /* Minimum number of rounds. */
2041 #define SHA512_ROUNDS_MIN 1000
2042 /* Maximum number of rounds. */
2043 #define SHA512_ROUNDS_MAX 999999999
2045 static char *rb_sha512_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
2047 unsigned char alt_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2048 unsigned char temp_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2049 struct sha512_ctx ctx
;
2050 struct sha512_ctx alt_ctx
;
2055 char *copied_key
= NULL
;
2056 char *copied_salt
= NULL
;
2059 /* Default number of rounds. */
2060 size_t rounds
= SHA512_ROUNDS_DEFAULT
;
2061 int rounds_custom
= 0;
2063 /* Find beginning of salt string. The prefix should normally always
2064 be present. Just in case it is not. */
2065 if (strncmp(sha512_salt_prefix
, salt
, sizeof(sha512_salt_prefix
) - 1) == 0)
2066 /* Skip salt prefix. */
2067 salt
+= sizeof(sha512_salt_prefix
) - 1;
2069 if (strncmp(salt
, sha512_rounds_prefix
, sizeof(sha512_rounds_prefix
) - 1) == 0)
2071 const char *num
= salt
+ sizeof(sha512_rounds_prefix
) - 1;
2073 unsigned long int srounds
= strtoul(num
, &endp
, 10);
2077 rounds
= MAX(SHA512_ROUNDS_MIN
, MIN(srounds
, SHA512_ROUNDS_MAX
));
2082 salt_len
= MIN(strcspn(salt
, "$"), SHA512_SALT_LEN_MAX
);
2083 key_len
= strlen(key
);
2085 if ((key
- (char *)0) % __alignof__(uint64_t) != 0)
2087 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint64_t));
2089 memcpy(tmp
+ __alignof__(uint64_t)
2090 - (tmp
- (char *)0) % __alignof__(uint64_t), key
, key_len
);
2093 if ((salt
- (char *)0) % __alignof__(uint64_t) != 0)
2095 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint64_t));
2096 salt
= copied_salt
=
2097 memcpy(tmp
+ __alignof__(uint64_t)
2098 - (tmp
- (char *)0) % __alignof__(uint64_t), salt
, salt_len
);
2101 /* Prepare for the real work. */
2102 rb_sha512_init_ctx(&ctx
);
2104 /* Add the key string. */
2105 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2107 /* The last part is the salt string. This must be at most 16
2108 characters and it ends at the first `$' character (for
2109 compatibility with existing implementations). */
2110 rb_sha512_process_bytes(salt
, salt_len
, &ctx
);
2113 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2114 final result will be added to the first context. */
2115 rb_sha512_init_ctx(&alt_ctx
);
2118 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2121 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2123 /* Add key again. */
2124 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2126 /* Now get result of this (64 bytes) and add it to the other
2128 rb_sha512_finish_ctx(&alt_ctx
, alt_result
);
2130 /* Add for any character in the key one byte of the alternate sum. */
2131 for (cnt
= key_len
; cnt
> 64; cnt
-= 64)
2132 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2133 rb_sha512_process_bytes(alt_result
, cnt
, &ctx
);
2135 /* Take the binary representation of the length of the key and for every
2136 1 add the alternate sum, for every 0 the key. */
2137 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
2139 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2141 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2143 /* Create intermediate result. */
2144 rb_sha512_finish_ctx(&ctx
, alt_result
);
2146 /* Start computation of P byte sequence. */
2147 rb_sha512_init_ctx(&alt_ctx
);
2149 /* For every character in the password add the entire password. */
2150 for (cnt
= 0; cnt
< key_len
; ++cnt
)
2151 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2153 /* Finish the digest. */
2154 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2156 /* Create byte sequence P. */
2157 cp
= p_bytes
= alloca(key_len
);
2158 for (cnt
= key_len
; cnt
>= 64; cnt
-= 64)
2160 memcpy(cp
, temp_result
, 64);
2163 memcpy(cp
, temp_result
, cnt
);
2165 /* Start computation of S byte sequence. */
2166 rb_sha512_init_ctx(&alt_ctx
);
2168 /* For every character in the password add the entire password. */
2169 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
2170 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2172 /* Finish the digest. */
2173 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2175 /* Create byte sequence S. */
2176 cp
= s_bytes
= alloca(salt_len
);
2177 for (cnt
= salt_len
; cnt
>= 64; cnt
-= 64)
2179 memcpy(cp
, temp_result
, 64);
2182 memcpy(cp
, temp_result
, cnt
);
2184 /* Repeatedly run the collected hash value through SHA512 to burn
2186 for (cnt
= 0; cnt
< rounds
; ++cnt
)
2189 rb_sha512_init_ctx(&ctx
);
2191 /* Add key or last result. */
2193 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2195 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2197 /* Add salt for numbers not divisible by 3. */
2199 rb_sha512_process_bytes(s_bytes
, salt_len
, &ctx
);
2201 /* Add key for numbers not divisible by 7. */
2203 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2205 /* Add key or last result. */
2207 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2209 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2211 /* Create intermediate result. */
2212 rb_sha512_finish_ctx(&ctx
, alt_result
);
2215 /* Now we can construct the result string. It consists of three
2217 memset(buffer
, '\0', MAX(0, buflen
));
2218 strncpy(buffer
, sha512_salt_prefix
, MAX(0, buflen
));
2219 if((cp
= strchr(buffer
, '\0')) == NULL
)
2220 cp
= buffer
+ MAX(0, buflen
);
2221 buflen
-= sizeof(sha512_salt_prefix
) - 1;
2225 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
2226 sha512_rounds_prefix
, rounds
);
2231 memset(cp
, '\0', MIN((size_t) MAX(0, buflen
), salt_len
));
2232 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
2233 if((cp
= strchr(buffer
, '\0')) == NULL
)
2234 cp
= buffer
+ salt_len
;
2235 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
2243 b64_from_24bit(alt_result
[0], alt_result
[21], alt_result
[42], 4);
2244 b64_from_24bit(alt_result
[22], alt_result
[43], alt_result
[1], 4);
2245 b64_from_24bit(alt_result
[44], alt_result
[2], alt_result
[23], 4);
2246 b64_from_24bit(alt_result
[3], alt_result
[24], alt_result
[45], 4);
2247 b64_from_24bit(alt_result
[25], alt_result
[46], alt_result
[4], 4);
2248 b64_from_24bit(alt_result
[47], alt_result
[5], alt_result
[26], 4);
2249 b64_from_24bit(alt_result
[6], alt_result
[27], alt_result
[48], 4);
2250 b64_from_24bit(alt_result
[28], alt_result
[49], alt_result
[7], 4);
2251 b64_from_24bit(alt_result
[50], alt_result
[8], alt_result
[29], 4);
2252 b64_from_24bit(alt_result
[9], alt_result
[30], alt_result
[51], 4);
2253 b64_from_24bit(alt_result
[31], alt_result
[52], alt_result
[10], 4);
2254 b64_from_24bit(alt_result
[53], alt_result
[11], alt_result
[32], 4);
2255 b64_from_24bit(alt_result
[12], alt_result
[33], alt_result
[54], 4);
2256 b64_from_24bit(alt_result
[34], alt_result
[55], alt_result
[13], 4);
2257 b64_from_24bit(alt_result
[56], alt_result
[14], alt_result
[35], 4);
2258 b64_from_24bit(alt_result
[15], alt_result
[36], alt_result
[57], 4);
2259 b64_from_24bit(alt_result
[37], alt_result
[58], alt_result
[16], 4);
2260 b64_from_24bit(alt_result
[59], alt_result
[17], alt_result
[38], 4);
2261 b64_from_24bit(alt_result
[18], alt_result
[39], alt_result
[60], 4);
2262 b64_from_24bit(alt_result
[40], alt_result
[61], alt_result
[19], 4);
2263 b64_from_24bit(alt_result
[62], alt_result
[20], alt_result
[41], 4);
2264 b64_from_24bit(0, 0, alt_result
[63], 2);
2272 *cp
= '\0'; /* Terminate the string. */
2274 /* Clear the buffer for the intermediate result so that people
2275 attaching to processes or reading core dumps cannot get any
2276 information. We do it in this way to clear correct_words[]
2277 inside the SHA512 implementation as well. */
2278 rb_sha512_init_ctx(&ctx
);
2279 rb_sha512_finish_ctx(&ctx
, alt_result
);
2280 memset(temp_result
, '\0', sizeof(temp_result
));
2281 memset(p_bytes
, '\0', key_len
);
2282 memset(s_bytes
, '\0', salt_len
);
2283 memset(&ctx
, '\0', sizeof(ctx
));
2284 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
2285 if (copied_key
!= NULL
)
2286 memset(copied_key
, '\0', key_len
);
2287 if (copied_salt
!= NULL
)
2288 memset(copied_salt
, '\0', salt_len
);
2294 /* This entry point is equivalent to the `crypt' function in Unix
2296 static char *rb_sha512_crypt(const char *key
, const char *salt
)
2298 /* We don't want to have an arbitrary limit in the size of the
2299 password. We can compute an upper bound for the size of the
2300 result in advance and so we can prepare the buffer we pass to
2301 `rb_sha512_crypt_r'. */
2302 static char *buffer
;
2304 int needed
= (sizeof(sha512_salt_prefix
) - 1
2305 + sizeof(sha512_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 86 + 1);
2307 if (buflen
< needed
)
2309 char *new_buffer
= (char *)realloc(buffer
, needed
);
2310 if (new_buffer
== NULL
)
2313 buffer
= new_buffer
;
2317 return rb_sha512_crypt_r(key
, salt
, buffer
, buflen
);