]>
jfr.im git - solanum.git/blob - libratbox/src/crypt.c
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
30 #include <libratbox_config.h>
31 #include <ratbox_lib.h>
33 static char *rb_md5_crypt(const char *pw
, const char *salt
);
34 static char *rb_des_crypt(const char *pw
, const char *salt
);
35 static char *rb_sha256_crypt(const char *key
, const char *salt
);
36 static char *rb_sha512_crypt(const char *key
, const char *salt
);
39 rb_crypt(const char *key
, const char *salt
)
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt
[0] == '$' && (salt
[2] == '$' || salt
[3] == '$'))
48 return rb_md5_crypt(key
, salt
);
51 return rb_sha256_crypt(key
, salt
);
54 return rb_sha512_crypt(key
, salt
);
62 return rb_des_crypt(key
, salt
);
65 #define b64_from_24bit(B2, B1, B0, N) \
68 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
70 while (n-- > 0 && buflen > 0) \
72 *cp++ = ascii64[w & 0x3f]; \
79 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
82 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
85 /* Here is the des crypt() stuff */
88 * FreeSec: libcrypt for NetBSD
90 * Copyright (c) 1994 David Burren
91 * All rights reserved.
93 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
94 * this file should now *only* export crypt(), in order to make
95 * binaries of libcrypt exportable from the USA
97 * Adapted for FreeBSD-4.0 by Mark R V Murray
98 * this file should now *only* export crypt_des(), in order to make
99 * a module that can be optionally included in libcrypt.
101 * Redistribution and use in source and binary forms, with or without
102 * modification, are permitted provided that the following conditions
104 * 1. Redistributions of source code must retain the above copyright
105 * notice, this list of conditions and the following disclaimer.
106 * 2. Redistributions in binary form must reproduce the above copyright
107 * notice, this list of conditions and the following disclaimer in the
108 * documentation and/or other materials provided with the distribution.
109 * 3. Neither the name of the author nor the names of other contributors
110 * may be used to endorse or promote products derived from this software
111 * without specific prior written permission.
113 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
114 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
115 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
116 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
117 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
118 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
119 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
120 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
121 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
122 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
125 * This is an original implementation of the DES and the crypt(3) interfaces
126 * by David Burren <davidb@werj.com.au>.
128 * An excellent reference on the underlying algorithm (and related
131 * B. Schneier, Applied Cryptography: protocols, algorithms,
132 * and source code in C, John Wiley & Sons, 1994.
134 * Note that in that book's description of DES the lookups for the initial,
135 * pbox, and final permutations are inverted (this has been brought to the
136 * attention of the author). A list of errata for this book has been
137 * posted to the sci.crypt newsgroup by the author and is available for FTP.
139 * ARCHITECTURE ASSUMPTIONS:
140 * It is assumed that the 8-byte arrays passed by reference can be
141 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
146 /* Re-entrantify me -- all this junk needs to be in
147 * struct crypt_data to make this really reentrant... */
148 static uint8_t inv_key_perm
[64];
149 static uint8_t inv_comp_perm
[56];
150 static uint8_t u_sbox
[8][64];
151 static uint8_t un_pbox
[32];
152 static uint32_t en_keysl
[16], en_keysr
[16];
153 static uint32_t de_keysl
[16], de_keysr
[16];
154 static uint32_t ip_maskl
[8][256], ip_maskr
[8][256];
155 static uint32_t fp_maskl
[8][256], fp_maskr
[8][256];
156 static uint32_t key_perm_maskl
[8][128], key_perm_maskr
[8][128];
157 static uint32_t comp_maskl
[8][128], comp_maskr
[8][128];
158 static uint32_t saltbits
;
159 static uint32_t old_salt
;
160 static uint32_t old_rawkey0
, old_rawkey1
;
163 /* Static stuff that stays resident and doesn't change after
164 * being initialized, and therefore doesn't need to be made
166 static uint8_t init_perm
[64], final_perm
[64];
167 static uint8_t m_sbox
[4][4096];
168 static uint32_t psbox
[4][256];
171 static const uint8_t ascii64
[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
173 static const uint8_t IP
[64] = {
174 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
175 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
176 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
177 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
180 static const uint8_t key_perm
[56] = {
181 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
182 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
183 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
184 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
187 static const uint8_t key_shifts
[16] = {
188 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
191 static const uint8_t comp_perm
[48] = {
192 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
193 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
194 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
195 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
199 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
202 static const uint8_t sbox
[8][64] = {
204 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
205 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
206 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
207 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
209 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
210 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
211 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
212 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
214 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
215 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
216 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
217 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
219 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
220 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
221 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
222 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
224 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
225 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
226 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
227 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
229 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
230 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
231 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
232 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
234 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
235 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
236 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
237 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
239 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
240 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
241 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
242 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
245 static const uint8_t pbox
[32] = {
246 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
247 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
250 static const uint32_t bits32
[32] = {
251 0x80000000, 0x40000000, 0x20000000, 0x10000000,
252 0x08000000, 0x04000000, 0x02000000, 0x01000000,
253 0x00800000, 0x00400000, 0x00200000, 0x00100000,
254 0x00080000, 0x00040000, 0x00020000, 0x00010000,
255 0x00008000, 0x00004000, 0x00002000, 0x00001000,
256 0x00000800, 0x00000400, 0x00000200, 0x00000100,
257 0x00000080, 0x00000040, 0x00000020, 0x00000010,
258 0x00000008, 0x00000004, 0x00000002, 0x00000001
261 static const uint8_t bits8
[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
263 static const uint32_t *bits28
, *bits24
;
267 rb_ascii_to_bin(char ch
)
272 return (ch
- 'a' + 38);
276 return (ch
- 'A' + 12);
287 int i
, j
, b
, k
, inbit
, obit
;
288 uint32_t *p
, *il
, *ir
, *fl
, *fr
;
289 static int rb_des_initialised
= 0;
291 if(rb_des_initialised
== 1)
294 old_rawkey0
= old_rawkey1
= 0L;
297 bits24
= (bits28
= bits32
+ 4) + 4;
300 * Invert the S-boxes, reordering the input bits.
302 for(i
= 0; i
< 8; i
++)
303 for(j
= 0; j
< 64; j
++)
305 b
= (j
& 0x20) | ((j
& 1) << 4) | ((j
>> 1) & 0xf);
306 u_sbox
[i
][j
] = sbox
[i
][b
];
310 * Convert the inverted S-boxes into 4 arrays of 8 bits.
311 * Each will handle 12 bits of the S-box input.
313 for(b
= 0; b
< 4; b
++)
314 for(i
= 0; i
< 64; i
++)
315 for(j
= 0; j
< 64; j
++)
316 m_sbox
[b
][(i
<< 6) | j
] =
317 (uint8_t)((u_sbox
[(b
<< 1)][i
] << 4) |
318 u_sbox
[(b
<< 1) + 1][j
]);
321 * Set up the initial & final permutations into a useful form, and
322 * initialise the inverted key permutation.
324 for(i
= 0; i
< 64; i
++)
326 init_perm
[final_perm
[i
] = IP
[i
] - 1] = (uint8_t)i
;
327 inv_key_perm
[i
] = 255;
331 * Invert the key permutation and initialise the inverted key
332 * compression permutation.
334 for(i
= 0; i
< 56; i
++)
336 inv_key_perm
[key_perm
[i
] - 1] = (uint8_t)i
;
337 inv_comp_perm
[i
] = 255;
341 * Invert the key compression permutation.
343 for(i
= 0; i
< 48; i
++)
345 inv_comp_perm
[comp_perm
[i
] - 1] = (uint8_t)i
;
349 * Set up the OR-mask arrays for the initial and final permutations,
350 * and for the key initial and compression permutations.
352 for(k
= 0; k
< 8; k
++)
354 for(i
= 0; i
< 256; i
++)
356 *(il
= &ip_maskl
[k
][i
]) = 0L;
357 *(ir
= &ip_maskr
[k
][i
]) = 0L;
358 *(fl
= &fp_maskl
[k
][i
]) = 0L;
359 *(fr
= &fp_maskr
[k
][i
]) = 0L;
360 for(j
= 0; j
< 8; j
++)
365 if((obit
= init_perm
[inbit
]) < 32)
368 *ir
|= bits32
[obit
- 32];
369 if((obit
= final_perm
[inbit
]) < 32)
372 *fr
|= bits32
[obit
- 32];
376 for(i
= 0; i
< 128; i
++)
378 *(il
= &key_perm_maskl
[k
][i
]) = 0L;
379 *(ir
= &key_perm_maskr
[k
][i
]) = 0L;
380 for(j
= 0; j
< 7; j
++)
385 if((obit
= inv_key_perm
[inbit
]) == 255)
390 *ir
|= bits28
[obit
- 28];
393 *(il
= &comp_maskl
[k
][i
]) = 0L;
394 *(ir
= &comp_maskr
[k
][i
]) = 0L;
395 for(j
= 0; j
< 7; j
++)
400 if((obit
= inv_comp_perm
[inbit
]) == 255)
405 *ir
|= bits24
[obit
- 24];
412 * Invert the P-box permutation, and convert into OR-masks for
413 * handling the output of the S-box arrays setup above.
415 for(i
= 0; i
< 32; i
++)
416 un_pbox
[pbox
[i
] - 1] = (uint8_t)i
;
418 for(b
= 0; b
< 4; b
++)
419 for(i
= 0; i
< 256; i
++)
421 *(p
= &psbox
[b
][i
]) = 0L;
422 for(j
= 0; j
< 8; j
++)
425 *p
|= bits32
[un_pbox
[8 * b
+ j
]];
429 rb_des_initialised
= 1;
434 rb_setup_salt(long salt
)
436 uint32_t obit
, saltbit
;
439 if(salt
== (long)old_salt
)
446 for(i
= 0; i
< 24; i
++)
456 rb_des_setkey(const char *key
)
458 uint32_t k0
, k1
, rawkey0
, rawkey1
;
463 rawkey0
= ntohl(*(const uint32_t *)key
);
464 rawkey1
= ntohl(*(const uint32_t *)(key
+ 4));
466 if((rawkey0
| rawkey1
) && rawkey0
== old_rawkey0
&& rawkey1
== old_rawkey1
)
469 * Already setup for this key.
470 * This optimisation fails on a zero key (which is weak and
471 * has bad parity anyway) in order to simplify the starting
476 old_rawkey0
= rawkey0
;
477 old_rawkey1
= rawkey1
;
480 * Do key permutation and split into two 28-bit subkeys.
482 k0
= key_perm_maskl
[0][rawkey0
>> 25]
483 | key_perm_maskl
[1][(rawkey0
>> 17) & 0x7f]
484 | key_perm_maskl
[2][(rawkey0
>> 9) & 0x7f]
485 | key_perm_maskl
[3][(rawkey0
>> 1) & 0x7f]
486 | key_perm_maskl
[4][rawkey1
>> 25]
487 | key_perm_maskl
[5][(rawkey1
>> 17) & 0x7f]
488 | key_perm_maskl
[6][(rawkey1
>> 9) & 0x7f]
489 | key_perm_maskl
[7][(rawkey1
>> 1) & 0x7f];
490 k1
= key_perm_maskr
[0][rawkey0
>> 25]
491 | key_perm_maskr
[1][(rawkey0
>> 17) & 0x7f]
492 | key_perm_maskr
[2][(rawkey0
>> 9) & 0x7f]
493 | key_perm_maskr
[3][(rawkey0
>> 1) & 0x7f]
494 | key_perm_maskr
[4][rawkey1
>> 25]
495 | key_perm_maskr
[5][(rawkey1
>> 17) & 0x7f]
496 | key_perm_maskr
[6][(rawkey1
>> 9) & 0x7f]
497 | key_perm_maskr
[7][(rawkey1
>> 1) & 0x7f];
499 * Rotate subkeys and do compression permutation.
502 for(round
= 0; round
< 16; round
++)
506 shifts
+= key_shifts
[round
];
508 t0
= (k0
<< shifts
) | (k0
>> (28 - shifts
));
509 t1
= (k1
<< shifts
) | (k1
>> (28 - shifts
));
511 de_keysl
[15 - round
] =
512 en_keysl
[round
] = comp_maskl
[0][(t0
>> 21) & 0x7f]
513 | comp_maskl
[1][(t0
>> 14) & 0x7f]
514 | comp_maskl
[2][(t0
>> 7) & 0x7f]
515 | comp_maskl
[3][t0
& 0x7f]
516 | comp_maskl
[4][(t1
>> 21) & 0x7f]
517 | comp_maskl
[5][(t1
>> 14) & 0x7f]
518 | comp_maskl
[6][(t1
>> 7) & 0x7f] | comp_maskl
[7][t1
& 0x7f];
520 de_keysr
[15 - round
] =
521 en_keysr
[round
] = comp_maskr
[0][(t0
>> 21) & 0x7f]
522 | comp_maskr
[1][(t0
>> 14) & 0x7f]
523 | comp_maskr
[2][(t0
>> 7) & 0x7f]
524 | comp_maskr
[3][t0
& 0x7f]
525 | comp_maskr
[4][(t1
>> 21) & 0x7f]
526 | comp_maskr
[5][(t1
>> 14) & 0x7f]
527 | comp_maskr
[6][(t1
>> 7) & 0x7f] | comp_maskr
[7][t1
& 0x7f];
533 rb_do_des(uint32_t l_in
, uint32_t r_in
, uint32_t *l_out
, uint32_t *r_out
, int count
)
536 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
538 uint32_t l
, r
, *kl
, *kr
, *kl1
, *kr1
;
539 uint32_t f
, r48l
, r48r
;
565 * Do initial permutation (IP).
567 l
= ip_maskl
[0][l_in
>> 24]
568 | ip_maskl
[1][(l_in
>> 16) & 0xff]
569 | ip_maskl
[2][(l_in
>> 8) & 0xff]
570 | ip_maskl
[3][l_in
& 0xff]
571 | ip_maskl
[4][r_in
>> 24]
572 | ip_maskl
[5][(r_in
>> 16) & 0xff]
573 | ip_maskl
[6][(r_in
>> 8) & 0xff] | ip_maskl
[7][r_in
& 0xff];
574 r
= ip_maskr
[0][l_in
>> 24]
575 | ip_maskr
[1][(l_in
>> 16) & 0xff]
576 | ip_maskr
[2][(l_in
>> 8) & 0xff]
577 | ip_maskr
[3][l_in
& 0xff]
578 | ip_maskr
[4][r_in
>> 24]
579 | ip_maskr
[5][(r_in
>> 16) & 0xff]
580 | ip_maskr
[6][(r_in
>> 8) & 0xff] | ip_maskr
[7][r_in
& 0xff];
593 * Expand R to 48 bits (simulate the E-box).
595 r48l
= ((r
& 0x00000001) << 23)
596 | ((r
& 0xf8000000) >> 9)
597 | ((r
& 0x1f800000) >> 11)
598 | ((r
& 0x01f80000) >> 13) | ((r
& 0x001f8000) >> 15);
600 r48r
= ((r
& 0x0001f800) << 7)
601 | ((r
& 0x00001f80) << 5)
602 | ((r
& 0x000001f8) << 3)
603 | ((r
& 0x0000001f) << 1) | ((r
& 0x80000000) >> 31);
605 * Do salting for crypt() and friends, and
606 * XOR with the permuted key.
608 f
= (r48l
^ r48r
) & saltbits
;
612 * Do sbox lookups (which shrink it back to 32 bits)
613 * and do the pbox permutation at the same time.
615 f
= psbox
[0][m_sbox
[0][r48l
>> 12]]
616 | psbox
[1][m_sbox
[1][r48l
& 0xfff]]
617 | psbox
[2][m_sbox
[2][r48r
>> 12]]
618 | psbox
[3][m_sbox
[3][r48r
& 0xfff]];
620 * Now that we've permuted things, complete f().
630 * Do final permutation (inverse of IP).
632 *l_out
= fp_maskl
[0][l
>> 24]
633 | fp_maskl
[1][(l
>> 16) & 0xff]
634 | fp_maskl
[2][(l
>> 8) & 0xff]
635 | fp_maskl
[3][l
& 0xff]
636 | fp_maskl
[4][r
>> 24]
637 | fp_maskl
[5][(r
>> 16) & 0xff]
638 | fp_maskl
[6][(r
>> 8) & 0xff] | fp_maskl
[7][r
& 0xff];
639 *r_out
= fp_maskr
[0][l
>> 24]
640 | fp_maskr
[1][(l
>> 16) & 0xff]
641 | fp_maskr
[2][(l
>> 8) & 0xff]
642 | fp_maskr
[3][l
& 0xff]
643 | fp_maskr
[4][r
>> 24]
644 | fp_maskr
[5][(r
>> 16) & 0xff]
645 | fp_maskr
[6][(r
>> 8) & 0xff] | fp_maskr
[7][r
& 0xff];
650 rb_des_crypt(const char *key
, const char *setting
)
652 uint32_t count
, salt
, l
, r0
, r1
, keybuf
[2];
654 static char output
[21];
659 * Copy the key, shifting each character up by one bit
660 * and padding with zeros.
662 q
= (uint8_t *)keybuf
;
663 while(q
- (uint8_t *)keybuf
- 8)
669 if(rb_des_setkey((char *)keybuf
))
674 * setting - 2 bytes of salt
675 * key - up to 8 characters
679 salt
= (rb_ascii_to_bin(setting
[1]) << 6) | rb_ascii_to_bin(setting
[0]);
681 output
[0] = setting
[0];
683 * If the encrypted password that the salt was extracted from
684 * is only 1 character long, the salt will be corrupted. We
685 * need to ensure that the output string doesn't have an extra
688 output
[1] = setting
[1] ? setting
[1] : output
[0];
690 p
= (uint8_t *)output
+ 2;
696 if(rb_do_des(0L, 0L, &r0
, &r1
, (int)count
))
699 * Now encode the result...
702 *p
++ = ascii64
[(l
>> 18) & 0x3f];
703 *p
++ = ascii64
[(l
>> 12) & 0x3f];
704 *p
++ = ascii64
[(l
>> 6) & 0x3f];
705 *p
++ = ascii64
[l
& 0x3f];
707 l
= (r0
<< 16) | ((r1
>> 16) & 0xffff);
708 *p
++ = ascii64
[(l
>> 18) & 0x3f];
709 *p
++ = ascii64
[(l
>> 12) & 0x3f];
710 *p
++ = ascii64
[(l
>> 6) & 0x3f];
711 *p
++ = ascii64
[l
& 0x3f];
714 *p
++ = ascii64
[(l
>> 12) & 0x3f];
715 *p
++ = ascii64
[(l
>> 6) & 0x3f];
716 *p
++ = ascii64
[l
& 0x3f];
724 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
726 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
729 * License to copy and use this software is granted provided that it
730 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
731 * Algorithm" in all material mentioning or referencing this software
734 * License is also granted to make and use derivative works provided
735 * that such works are identified as "derived from the RSA Data
736 * Security, Inc. MD5 Message-Digest Algorithm" in all material
737 * mentioning or referencing the derived work.
739 * RSA Data Security, Inc. makes no representations concerning either
740 * the merchantability of this software or the suitability of this
741 * software for any particular purpose. It is provided "as is"
742 * without express or implied warranty of any kind.
744 * These notices must be retained in any copies of any part of this
745 * documentation and/or software.
747 * This code is the same as the code published by RSA Inc. It has been
748 * edited for clarity and style only.
751 #define MD5_BLOCK_LENGTH 64
752 #define MD5_DIGEST_LENGTH 16
753 #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1)
757 _crypt_to64(char *s
, u_long v
, int n
)
760 *s
++ = ascii64
[v
&0x3f];
766 typedef struct MD5Context
{
767 uint32_t state
[4]; /* state (ABCD) */
768 uint32_t count
[2]; /* number of bits, modulo 2^64 (lsb first) */
769 unsigned char buffer
[64]; /* input buffer */
772 static void MD5Transform(uint32_t [4], const unsigned char [64]);
773 static void MD5Init (MD5_CTX
*);
774 static void MD5Update (MD5_CTX
*, const void *, unsigned int);
775 static void MD5Final (unsigned char [16], MD5_CTX
*);
777 #ifndef WORDS_BIGENDIAN
778 #define Encode memcpy
779 #define Decode memcpy
783 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
788 Encode (unsigned char *output
, uint32_t *input
, unsigned int len
)
791 uint32_t *op
= (uint32_t *)output
;
793 for (i
= 0; i
< len
/ 4; i
++)
794 op
[i
] = htole32(input
[i
]);
798 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
803 Decode (uint32_t *output
, const unsigned char *input
, unsigned int len
)
806 const uint32_t *ip
= (const uint32_t *)input
;
808 for (i
= 0; i
< len
/ 4; i
++)
809 output
[i
] = le32toh(ip
[i
]);
813 static unsigned char PADDING
[64] = {
814 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
815 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
816 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
819 /* F, G, H and I are basic MD5 functions. */
820 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
821 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
822 #define H(x, y, z) ((x) ^ (y) ^ (z))
823 #define I(x, y, z) ((y) ^ ((x) | (~z)))
825 /* ROTATE_LEFT rotates x left n bits. */
826 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
829 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
830 * Rotation is separate from addition to prevent recomputation.
832 #define FF(a, b, c, d, x, s, ac) { \
833 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
834 (a) = ROTATE_LEFT ((a), (s)); \
837 #define GG(a, b, c, d, x, s, ac) { \
838 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
839 (a) = ROTATE_LEFT ((a), (s)); \
842 #define HH(a, b, c, d, x, s, ac) { \
843 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
844 (a) = ROTATE_LEFT ((a), (s)); \
847 #define II(a, b, c, d, x, s, ac) { \
848 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
849 (a) = ROTATE_LEFT ((a), (s)); \
853 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
860 context
->count
[0] = context
->count
[1] = 0;
862 /* Load magic initialization constants. */
863 context
->state
[0] = 0x67452301;
864 context
->state
[1] = 0xefcdab89;
865 context
->state
[2] = 0x98badcfe;
866 context
->state
[3] = 0x10325476;
870 * MD5 block update operation. Continues an MD5 message-digest
871 * operation, processing another message block, and updating the
876 MD5Update (context
, in
, inputLen
)
879 unsigned int inputLen
;
881 unsigned int i
, idx
, partLen
;
882 const unsigned char *input
= in
;
884 /* Compute number of bytes mod 64 */
885 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3F);
887 /* Update number of bits */
888 if ((context
->count
[0] += ((uint32_t)inputLen
<< 3))
889 < ((uint32_t)inputLen
<< 3))
891 context
->count
[1] += ((uint32_t)inputLen
>> 29);
895 /* Transform as many times as possible. */
896 if (inputLen
>= partLen
) {
897 memcpy((void *)&context
->buffer
[idx
], (const void *)input
,
899 MD5Transform (context
->state
, context
->buffer
);
901 for (i
= partLen
; i
+ 63 < inputLen
; i
+= 64)
902 MD5Transform (context
->state
, &input
[i
]);
909 /* Buffer remaining input */
910 memcpy ((void *)&context
->buffer
[idx
], (const void *)&input
[i
],
915 * MD5 padding. Adds padding followed by original length.
922 unsigned char bits
[8];
923 unsigned int idx
, padLen
;
925 /* Save number of bits */
926 Encode (bits
, context
->count
, 8);
928 /* Pad out to 56 mod 64. */
929 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3f);
930 padLen
= (idx
< 56) ? (56 - idx
) : (120 - idx
);
931 MD5Update (context
, PADDING
, padLen
);
933 /* Append length (before padding) */
934 MD5Update (context
, bits
, 8);
938 * MD5 finalization. Ends an MD5 message-digest operation, writing the
939 * the message digest and zeroizing the context.
943 MD5Final (digest
, context
)
944 unsigned char digest
[16];
950 /* Store state in digest */
951 Encode (digest
, context
->state
, 16);
953 /* Zeroize sensitive information. */
954 memset ((void *)context
, 0, sizeof (*context
));
957 /* MD5 basic transformation. Transforms state based on block. */
960 MD5Transform (state
, block
)
962 const unsigned char block
[64];
964 uint32_t a
= state
[0], b
= state
[1], c
= state
[2], d
= state
[3], x
[16];
966 Decode (x
, block
, 64);
973 FF (a
, b
, c
, d
, x
[ 0], S11
, 0xd76aa478); /* 1 */
974 FF (d
, a
, b
, c
, x
[ 1], S12
, 0xe8c7b756); /* 2 */
975 FF (c
, d
, a
, b
, x
[ 2], S13
, 0x242070db); /* 3 */
976 FF (b
, c
, d
, a
, x
[ 3], S14
, 0xc1bdceee); /* 4 */
977 FF (a
, b
, c
, d
, x
[ 4], S11
, 0xf57c0faf); /* 5 */
978 FF (d
, a
, b
, c
, x
[ 5], S12
, 0x4787c62a); /* 6 */
979 FF (c
, d
, a
, b
, x
[ 6], S13
, 0xa8304613); /* 7 */
980 FF (b
, c
, d
, a
, x
[ 7], S14
, 0xfd469501); /* 8 */
981 FF (a
, b
, c
, d
, x
[ 8], S11
, 0x698098d8); /* 9 */
982 FF (d
, a
, b
, c
, x
[ 9], S12
, 0x8b44f7af); /* 10 */
983 FF (c
, d
, a
, b
, x
[10], S13
, 0xffff5bb1); /* 11 */
984 FF (b
, c
, d
, a
, x
[11], S14
, 0x895cd7be); /* 12 */
985 FF (a
, b
, c
, d
, x
[12], S11
, 0x6b901122); /* 13 */
986 FF (d
, a
, b
, c
, x
[13], S12
, 0xfd987193); /* 14 */
987 FF (c
, d
, a
, b
, x
[14], S13
, 0xa679438e); /* 15 */
988 FF (b
, c
, d
, a
, x
[15], S14
, 0x49b40821); /* 16 */
995 GG (a
, b
, c
, d
, x
[ 1], S21
, 0xf61e2562); /* 17 */
996 GG (d
, a
, b
, c
, x
[ 6], S22
, 0xc040b340); /* 18 */
997 GG (c
, d
, a
, b
, x
[11], S23
, 0x265e5a51); /* 19 */
998 GG (b
, c
, d
, a
, x
[ 0], S24
, 0xe9b6c7aa); /* 20 */
999 GG (a
, b
, c
, d
, x
[ 5], S21
, 0xd62f105d); /* 21 */
1000 GG (d
, a
, b
, c
, x
[10], S22
, 0x2441453); /* 22 */
1001 GG (c
, d
, a
, b
, x
[15], S23
, 0xd8a1e681); /* 23 */
1002 GG (b
, c
, d
, a
, x
[ 4], S24
, 0xe7d3fbc8); /* 24 */
1003 GG (a
, b
, c
, d
, x
[ 9], S21
, 0x21e1cde6); /* 25 */
1004 GG (d
, a
, b
, c
, x
[14], S22
, 0xc33707d6); /* 26 */
1005 GG (c
, d
, a
, b
, x
[ 3], S23
, 0xf4d50d87); /* 27 */
1006 GG (b
, c
, d
, a
, x
[ 8], S24
, 0x455a14ed); /* 28 */
1007 GG (a
, b
, c
, d
, x
[13], S21
, 0xa9e3e905); /* 29 */
1008 GG (d
, a
, b
, c
, x
[ 2], S22
, 0xfcefa3f8); /* 30 */
1009 GG (c
, d
, a
, b
, x
[ 7], S23
, 0x676f02d9); /* 31 */
1010 GG (b
, c
, d
, a
, x
[12], S24
, 0x8d2a4c8a); /* 32 */
1017 HH (a
, b
, c
, d
, x
[ 5], S31
, 0xfffa3942); /* 33 */
1018 HH (d
, a
, b
, c
, x
[ 8], S32
, 0x8771f681); /* 34 */
1019 HH (c
, d
, a
, b
, x
[11], S33
, 0x6d9d6122); /* 35 */
1020 HH (b
, c
, d
, a
, x
[14], S34
, 0xfde5380c); /* 36 */
1021 HH (a
, b
, c
, d
, x
[ 1], S31
, 0xa4beea44); /* 37 */
1022 HH (d
, a
, b
, c
, x
[ 4], S32
, 0x4bdecfa9); /* 38 */
1023 HH (c
, d
, a
, b
, x
[ 7], S33
, 0xf6bb4b60); /* 39 */
1024 HH (b
, c
, d
, a
, x
[10], S34
, 0xbebfbc70); /* 40 */
1025 HH (a
, b
, c
, d
, x
[13], S31
, 0x289b7ec6); /* 41 */
1026 HH (d
, a
, b
, c
, x
[ 0], S32
, 0xeaa127fa); /* 42 */
1027 HH (c
, d
, a
, b
, x
[ 3], S33
, 0xd4ef3085); /* 43 */
1028 HH (b
, c
, d
, a
, x
[ 6], S34
, 0x4881d05); /* 44 */
1029 HH (a
, b
, c
, d
, x
[ 9], S31
, 0xd9d4d039); /* 45 */
1030 HH (d
, a
, b
, c
, x
[12], S32
, 0xe6db99e5); /* 46 */
1031 HH (c
, d
, a
, b
, x
[15], S33
, 0x1fa27cf8); /* 47 */
1032 HH (b
, c
, d
, a
, x
[ 2], S34
, 0xc4ac5665); /* 48 */
1039 II (a
, b
, c
, d
, x
[ 0], S41
, 0xf4292244); /* 49 */
1040 II (d
, a
, b
, c
, x
[ 7], S42
, 0x432aff97); /* 50 */
1041 II (c
, d
, a
, b
, x
[14], S43
, 0xab9423a7); /* 51 */
1042 II (b
, c
, d
, a
, x
[ 5], S44
, 0xfc93a039); /* 52 */
1043 II (a
, b
, c
, d
, x
[12], S41
, 0x655b59c3); /* 53 */
1044 II (d
, a
, b
, c
, x
[ 3], S42
, 0x8f0ccc92); /* 54 */
1045 II (c
, d
, a
, b
, x
[10], S43
, 0xffeff47d); /* 55 */
1046 II (b
, c
, d
, a
, x
[ 1], S44
, 0x85845dd1); /* 56 */
1047 II (a
, b
, c
, d
, x
[ 8], S41
, 0x6fa87e4f); /* 57 */
1048 II (d
, a
, b
, c
, x
[15], S42
, 0xfe2ce6e0); /* 58 */
1049 II (c
, d
, a
, b
, x
[ 6], S43
, 0xa3014314); /* 59 */
1050 II (b
, c
, d
, a
, x
[13], S44
, 0x4e0811a1); /* 60 */
1051 II (a
, b
, c
, d
, x
[ 4], S41
, 0xf7537e82); /* 61 */
1052 II (d
, a
, b
, c
, x
[11], S42
, 0xbd3af235); /* 62 */
1053 II (c
, d
, a
, b
, x
[ 2], S43
, 0x2ad7d2bb); /* 63 */
1054 II (b
, c
, d
, a
, x
[ 9], S44
, 0xeb86d391); /* 64 */
1061 /* Zeroize sensitive information. */
1062 memset ((void *)x
, 0, sizeof (x
));
1070 rb_md5_crypt(const char *pw
, const char *salt
)
1076 u_char final
[MD5_SIZE
];
1077 static const char *sp
, *ep
;
1078 static char passwd
[120], *p
;
1079 static const char *magic
= "$1$";
1081 /* Refine the Salt first */
1084 /* If it starts with the magic string, then skip that */
1085 if(!strncmp(sp
, magic
, strlen(magic
)))
1086 sp
+= strlen(magic
);
1088 /* It stops at the first '$', max 8 chars */
1089 for(ep
= sp
; *ep
&& *ep
!= '$' && ep
< (sp
+ 8); ep
++)
1092 /* get the length of the true salt */
1097 /* The password first, since that is what is most unknown */
1098 MD5Update(&ctx
, (const u_char
*)pw
, strlen(pw
));
1100 /* Then our magic string */
1101 MD5Update(&ctx
, (const u_char
*)magic
, strlen(magic
));
1103 /* Then the raw salt */
1104 MD5Update(&ctx
, (const u_char
*)sp
, (u_int
)sl
);
1106 /* Then just as many characters of the MD5(pw,salt,pw) */
1108 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1109 MD5Update(&ctx1
, (const u_char
*)sp
, (u_int
)sl
);
1110 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1111 MD5Final(final
, &ctx1
);
1112 for(pl
= (int)strlen(pw
); pl
> 0; pl
-= MD5_SIZE
)
1113 MD5Update(&ctx
, (const u_char
*)final
,
1114 (u_int
)(pl
> MD5_SIZE
? MD5_SIZE
: pl
));
1116 /* Don't leave anything around in vm they could use. */
1117 memset(final
, 0, sizeof(final
));
1119 /* Then something really weird... */
1120 for (i
= strlen(pw
); i
; i
>>= 1)
1122 MD5Update(&ctx
, (const u_char
*)final
, 1);
1124 MD5Update(&ctx
, (const u_char
*)pw
, 1);
1126 /* Now make the output string */
1127 rb_strlcpy(passwd
, magic
, sizeof(passwd
));
1128 strncat(passwd
, sp
, (u_int
)sl
);
1129 rb_strlcat(passwd
, "$", sizeof(passwd
));
1131 MD5Final(final
, &ctx
);
1134 * and now, just to make sure things don't run too fast
1135 * On a 60 Mhz Pentium this takes 34 msec, so you would
1136 * need 30 seconds to build a 1000 entry dictionary...
1138 for(i
= 0; i
< 1000; i
++) {
1141 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1143 MD5Update(&ctx1
, (const u_char
*)final
, MD5_SIZE
);
1146 MD5Update(&ctx1
, (const u_char
*)sp
, (u_int
)sl
);
1149 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1152 MD5Update(&ctx1
, (const u_char
*)final
, MD5_SIZE
);
1154 MD5Update(&ctx1
, (const u_char
*)pw
, strlen(pw
));
1155 MD5Final(final
, &ctx1
);
1158 p
= passwd
+ strlen(passwd
);
1160 l
= (final
[ 0]<<16) | (final
[ 6]<<8) | final
[12];
1161 _crypt_to64(p
, l
, 4); p
+= 4;
1162 l
= (final
[ 1]<<16) | (final
[ 7]<<8) | final
[13];
1163 _crypt_to64(p
, l
, 4); p
+= 4;
1164 l
= (final
[ 2]<<16) | (final
[ 8]<<8) | final
[14];
1165 _crypt_to64(p
, l
, 4); p
+= 4;
1166 l
= (final
[ 3]<<16) | (final
[ 9]<<8) | final
[15];
1167 _crypt_to64(p
, l
, 4); p
+= 4;
1168 l
= (final
[ 4]<<16) | (final
[10]<<8) | final
[ 5];
1169 _crypt_to64(p
, l
, 4); p
+= 4;
1171 _crypt_to64(p
, l
, 2); p
+= 2;
1174 /* Don't leave anything around in vm they could use. */
1175 memset(final
, 0, sizeof(final
));
1181 /* SHA256-based Unix crypt implementation.
1182 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1184 /* Structure to save state of computation between the single steps. */
1191 char buffer
[128]; /* NB: always correctly aligned for uint32_t. */
1194 #ifndef WORDS_BIGENDIAN
1195 # define SHA256_SWAP(n) \
1196 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1198 # define SHA256_SWAP(n) (n)
1201 /* This array contains the bytes used to pad the buffer to the next
1202 64-byte boundary. (FIPS 180-2:5.1.1) */
1203 static const unsigned char SHA256_fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
1206 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1207 static const uint32_t SHA256_K
[64] = {
1208 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1209 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1210 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1211 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1212 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1213 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1214 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1215 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1216 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1217 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1218 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1219 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1220 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1221 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1222 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1223 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1227 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1228 It is assumed that LEN % 64 == 0. */
1229 static void rb_sha256_process_block(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1231 const uint32_t *words
= buffer
;
1232 size_t nwords
= len
/ sizeof(uint32_t);
1233 uint32_t a
= ctx
->H
[0];
1234 uint32_t b
= ctx
->H
[1];
1235 uint32_t c
= ctx
->H
[2];
1236 uint32_t d
= ctx
->H
[3];
1237 uint32_t e
= ctx
->H
[4];
1238 uint32_t f
= ctx
->H
[5];
1239 uint32_t g
= ctx
->H
[6];
1240 uint32_t h
= ctx
->H
[7];
1242 /* First increment the byte count. FIPS 180-2 specifies the possible
1243 length of the file up to 2^64 bits. Here we only compute the
1244 number of bytes. Do a double word increment. */
1245 ctx
->total
[0] += len
;
1246 if (ctx
->total
[0] < len
)
1249 /* Process all bytes in the buffer with 64 bytes in each round of
1254 uint32_t a_save
= a
;
1255 uint32_t b_save
= b
;
1256 uint32_t c_save
= c
;
1257 uint32_t d_save
= d
;
1258 uint32_t e_save
= e
;
1259 uint32_t f_save
= f
;
1260 uint32_t g_save
= g
;
1261 uint32_t h_save
= h
;
1264 /* Operators defined in FIPS 180-2:4.1.2. */
1265 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1266 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1267 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1268 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1269 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1270 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1272 /* It is unfortunate that C does not provide an operator for
1273 cyclic rotation. Hope the C compiler is smart enough. */
1274 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1276 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1277 for (t
= 0; t
< 16; ++t
)
1279 W
[t
] = SHA256_SWAP(*words
);
1282 for (t
= 16; t
< 64; ++t
)
1283 W
[t
] = SHA256_R1(W
[t
- 2]) + W
[t
- 7] + SHA256_R0(W
[t
- 15]) + W
[t
- 16];
1285 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1286 for (t
= 0; t
< 64; ++t
)
1288 uint32_t T1
= h
+ SHA256_S1(e
) + SHA256_Ch(e
, f
, g
) + SHA256_K
[t
] + W
[t
];
1289 uint32_t T2
= SHA256_S0(a
) + SHA256_Maj(a
, b
, c
);
1300 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1311 /* Prepare for the next round. */
1315 /* Put checksum in context given as argument. */
1327 /* Initialize structure containing state of computation.
1328 (FIPS 180-2:5.3.2) */
1329 static void rb_sha256_init_ctx(struct sha256_ctx
*ctx
)
1331 ctx
->H
[0] = 0x6a09e667;
1332 ctx
->H
[1] = 0xbb67ae85;
1333 ctx
->H
[2] = 0x3c6ef372;
1334 ctx
->H
[3] = 0xa54ff53a;
1335 ctx
->H
[4] = 0x510e527f;
1336 ctx
->H
[5] = 0x9b05688c;
1337 ctx
->H
[6] = 0x1f83d9ab;
1338 ctx
->H
[7] = 0x5be0cd19;
1340 ctx
->total
[0] = ctx
->total
[1] = 0;
1345 /* Process the remaining bytes in the internal buffer and the usual
1346 prolog according to the standard and write the result to RESBUF.
1348 IMPORTANT: On some systems it is required that RESBUF is correctly
1349 aligned for a 32 bits value. */
1350 static void *rb_sha256_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
1352 /* Take yet unprocessed bytes into account. */
1353 uint32_t bytes
= ctx
->buflen
;
1357 /* Now count remaining bytes. */
1358 ctx
->total
[0] += bytes
;
1359 if (ctx
->total
[0] < bytes
)
1362 pad
= bytes
>= 56 ? 64 + 56 - bytes
: 56 - bytes
;
1363 memcpy(&ctx
->buffer
[bytes
], SHA256_fillbuf
, pad
);
1365 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1366 *(uint32_t *) & ctx
->buffer
[bytes
+ pad
+ 4] = SHA256_SWAP(ctx
->total
[0] << 3);
1367 *(uint32_t *) & ctx
->buffer
[bytes
+ pad
] = SHA256_SWAP((ctx
->total
[1] << 3) |
1368 (ctx
->total
[0] >> 29));
1370 /* Process last bytes. */
1371 rb_sha256_process_block(ctx
->buffer
, bytes
+ pad
+ 8, ctx
);
1373 /* Put result from CTX in first 32 bytes following RESBUF. */
1374 for (i
= 0; i
< 8; ++i
)
1375 ((uint32_t *) resbuf
)[i
] = SHA256_SWAP(ctx
->H
[i
]);
1381 static void rb_sha256_process_bytes(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1383 /* When we already have some bits in our internal buffer concatenate
1384 both inputs first. */
1385 if (ctx
->buflen
!= 0)
1387 size_t left_over
= ctx
->buflen
;
1388 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
1390 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1393 if (ctx
->buflen
> 64)
1395 rb_sha256_process_block(ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
1398 /* The regions in the following copy operation cannot overlap. */
1399 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~63], ctx
->buflen
);
1402 buffer
= (const char *)buffer
+ add
;
1406 /* Process available complete blocks. */
1409 /* To check alignment gcc has an appropriate operator. Other
1412 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1414 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1416 if (SHA256_UNALIGNED_P(buffer
))
1419 rb_sha256_process_block(memcpy(ctx
->buffer
, buffer
, 64), 64, ctx
);
1420 buffer
= (const char *)buffer
+ 64;
1425 rb_sha256_process_block(buffer
, len
& ~63, ctx
);
1426 buffer
= (const char *)buffer
+ (len
& ~63);
1431 /* Move remaining bytes into internal buffer. */
1434 size_t left_over
= ctx
->buflen
;
1436 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
1438 if (left_over
>= 64)
1440 rb_sha256_process_block(ctx
->buffer
, 64, ctx
);
1442 memcpy(ctx
->buffer
, &ctx
->buffer
[64], left_over
);
1444 ctx
->buflen
= left_over
;
1449 /* Define our magic string to mark salt for SHA256 "encryption"
1451 static const char sha256_salt_prefix
[] = "$5$";
1453 /* Prefix for optional rounds specification. */
1454 static const char sha256_rounds_prefix
[] = "rounds=";
1456 /* Maximum salt string length. */
1457 #define SHA256_SALT_LEN_MAX 16
1458 /* Default number of rounds if not explicitly specified. */
1459 #define SHA256_ROUNDS_DEFAULT 5000
1460 /* Minimum number of rounds. */
1461 #define SHA256_ROUNDS_MIN 1000
1462 /* Maximum number of rounds. */
1463 #define SHA256_ROUNDS_MAX 999999999
1465 static char *rb_sha256_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
1467 unsigned char alt_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1468 unsigned char temp_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1469 struct sha256_ctx ctx
;
1470 struct sha256_ctx alt_ctx
;
1475 char *copied_key
= NULL
;
1476 char *copied_salt
= NULL
;
1479 /* Default number of rounds. */
1480 size_t rounds
= SHA256_ROUNDS_DEFAULT
;
1481 int rounds_custom
= 0;
1483 /* Find beginning of salt string. The prefix should normally always
1484 be present. Just in case it is not. */
1485 if (strncmp(sha256_salt_prefix
, salt
, sizeof(sha256_salt_prefix
) - 1) == 0)
1486 /* Skip salt prefix. */
1487 salt
+= sizeof(sha256_salt_prefix
) - 1;
1489 if (strncmp(salt
, sha256_rounds_prefix
, sizeof(sha256_rounds_prefix
) - 1) == 0)
1491 const char *num
= salt
+ sizeof(sha256_rounds_prefix
) - 1;
1493 unsigned long int srounds
= strtoul(num
, &endp
, 10);
1497 rounds
= MAX(SHA256_ROUNDS_MIN
, MIN(srounds
, SHA256_ROUNDS_MAX
));
1502 salt_len
= MIN(strcspn(salt
, "$"), SHA256_SALT_LEN_MAX
);
1503 key_len
= strlen(key
);
1505 if ((key
- (char *)0) % __alignof__(uint32_t) != 0)
1507 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint32_t));
1509 memcpy(tmp
+ __alignof__(uint32_t)
1510 - (tmp
- (char *)0) % __alignof__(uint32_t), key
, key_len
);
1513 if ((salt
- (char *)0) % __alignof__(uint32_t) != 0)
1515 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint32_t));
1516 salt
= copied_salt
=
1517 memcpy(tmp
+ __alignof__(uint32_t)
1518 - (tmp
- (char *)0) % __alignof__(uint32_t), salt
, salt_len
);
1521 /* Prepare for the real work. */
1522 rb_sha256_init_ctx(&ctx
);
1524 /* Add the key string. */
1525 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1527 /* The last part is the salt string. This must be at most 16
1528 characters and it ends at the first `$' character (for
1529 compatibility with existing implementations). */
1530 rb_sha256_process_bytes(salt
, salt_len
, &ctx
);
1533 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1534 final result will be added to the first context. */
1535 rb_sha256_init_ctx(&alt_ctx
);
1538 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1541 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1543 /* Add key again. */
1544 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1546 /* Now get result of this (32 bytes) and add it to the other
1548 rb_sha256_finish_ctx(&alt_ctx
, alt_result
);
1550 /* Add for any character in the key one byte of the alternate sum. */
1551 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
1552 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1553 rb_sha256_process_bytes(alt_result
, cnt
, &ctx
);
1555 /* Take the binary representation of the length of the key and for every
1556 1 add the alternate sum, for every 0 the key. */
1557 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
1559 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1561 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1563 /* Create intermediate result. */
1564 rb_sha256_finish_ctx(&ctx
, alt_result
);
1566 /* Start computation of P byte sequence. */
1567 rb_sha256_init_ctx(&alt_ctx
);
1569 /* For every character in the password add the entire password. */
1570 for (cnt
= 0; cnt
< key_len
; ++cnt
)
1571 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1573 /* Finish the digest. */
1574 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1576 /* Create byte sequence P. */
1577 cp
= p_bytes
= alloca(key_len
);
1578 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
1580 memcpy(cp
, temp_result
, 32);
1583 memcpy(cp
, temp_result
, cnt
);
1585 /* Start computation of S byte sequence. */
1586 rb_sha256_init_ctx(&alt_ctx
);
1588 /* For every character in the password add the entire password. */
1589 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
1590 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1592 /* Finish the digest. */
1593 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1595 /* Create byte sequence S. */
1596 cp
= s_bytes
= alloca(salt_len
);
1597 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
1599 memcpy(cp
, temp_result
, 32);
1602 memcpy(cp
, temp_result
, cnt
);
1604 /* Repeatedly run the collected hash value through SHA256 to burn
1606 for (cnt
= 0; cnt
< rounds
; ++cnt
)
1609 rb_sha256_init_ctx(&ctx
);
1611 /* Add key or last result. */
1613 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1615 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1617 /* Add salt for numbers not divisible by 3. */
1619 rb_sha256_process_bytes(s_bytes
, salt_len
, &ctx
);
1621 /* Add key for numbers not divisible by 7. */
1623 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1625 /* Add key or last result. */
1627 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1629 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1631 /* Create intermediate result. */
1632 rb_sha256_finish_ctx(&ctx
, alt_result
);
1635 /* Now we can construct the result string. It consists of three
1637 memset(buffer
, '\0', MAX(0, buflen
));
1638 strncpy(buffer
, sha256_salt_prefix
, MAX(0, buflen
));
1639 if((cp
= strchr(buffer
, '\0')) == NULL
)
1640 cp
= buffer
+ MAX(0, buflen
);
1641 buflen
-= sizeof(sha256_salt_prefix
) - 1;
1645 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
1646 sha256_rounds_prefix
, rounds
);
1651 memset(cp
, '\0', salt_len
);
1652 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
1653 if((cp
= strchr(buffer
, '\0')) == NULL
)
1655 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
1663 b64_from_24bit(alt_result
[0], alt_result
[10], alt_result
[20], 4);
1664 b64_from_24bit(alt_result
[21], alt_result
[1], alt_result
[11], 4);
1665 b64_from_24bit(alt_result
[12], alt_result
[22], alt_result
[2], 4);
1666 b64_from_24bit(alt_result
[3], alt_result
[13], alt_result
[23], 4);
1667 b64_from_24bit(alt_result
[24], alt_result
[4], alt_result
[14], 4);
1668 b64_from_24bit(alt_result
[15], alt_result
[25], alt_result
[5], 4);
1669 b64_from_24bit(alt_result
[6], alt_result
[16], alt_result
[26], 4);
1670 b64_from_24bit(alt_result
[27], alt_result
[7], alt_result
[17], 4);
1671 b64_from_24bit(alt_result
[18], alt_result
[28], alt_result
[8], 4);
1672 b64_from_24bit(alt_result
[9], alt_result
[19], alt_result
[29], 4);
1673 b64_from_24bit(0, alt_result
[31], alt_result
[30], 3);
1680 *cp
= '\0'; /* Terminate the string. */
1682 /* Clear the buffer for the intermediate result so that people
1683 attaching to processes or reading core dumps cannot get any
1684 information. We do it in this way to clear correct_words[]
1685 inside the SHA256 implementation as well. */
1686 rb_sha256_init_ctx(&ctx
);
1687 rb_sha256_finish_ctx(&ctx
, alt_result
);
1688 memset(temp_result
, '\0', sizeof(temp_result
));
1689 memset(p_bytes
, '\0', key_len
);
1690 memset(s_bytes
, '\0', salt_len
);
1691 memset(&ctx
, '\0', sizeof(ctx
));
1692 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
1693 if (copied_key
!= NULL
)
1694 memset(copied_key
, '\0', key_len
);
1695 if (copied_salt
!= NULL
)
1696 memset(copied_salt
, '\0', salt_len
);
1702 /* This entry point is equivalent to the `crypt' function in Unix
1704 static char *rb_sha256_crypt(const char *key
, const char *salt
)
1706 /* We don't want to have an arbitrary limit in the size of the
1707 password. We can compute an upper bound for the size of the
1708 result in advance and so we can prepare the buffer we pass to
1709 `rb_sha256_crypt_r'. */
1710 static char *buffer
;
1712 int needed
= (sizeof(sha256_salt_prefix
) - 1
1713 + sizeof(sha256_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 43 + 1);
1715 char *new_buffer
= (char *)malloc(needed
);
1716 if (new_buffer
== NULL
)
1719 buffer
= new_buffer
;
1722 return rb_sha256_crypt_r(key
, salt
, buffer
, buflen
);
1725 /* Structure to save state of computation between the single steps. */
1732 char buffer
[256]; /* NB: always correctly aligned for uint64_t. */
1736 #ifndef WORDS_BIGENDIAN
1737 # define SHA512_SWAP(n) \
1739 | (((n) & 0xff00) << 40) \
1740 | (((n) & 0xff0000) << 24) \
1741 | (((n) & 0xff000000) << 8) \
1742 | (((n) >> 8) & 0xff000000) \
1743 | (((n) >> 24) & 0xff0000) \
1744 | (((n) >> 40) & 0xff00) \
1747 # define SHA512_SWAP(n) (n)
1751 /* This array contains the bytes used to pad the buffer to the next
1752 64-byte boundary. (FIPS 180-2:5.1.2) */
1753 static const unsigned char SHA512_fillbuf
[128] = { 0x80, 0 /* , 0, 0, ... */ };
1756 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1757 static const uint64_t SHA512_K
[80] = {
1758 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
1759 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
1760 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
1761 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
1762 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
1763 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
1764 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
1765 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
1766 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
1767 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
1768 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
1769 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
1770 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
1771 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
1772 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
1773 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
1774 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
1775 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
1776 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
1777 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
1778 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
1779 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
1780 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
1781 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
1782 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
1783 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
1784 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
1785 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
1786 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
1787 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
1788 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
1789 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
1790 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
1791 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
1792 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
1793 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
1794 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
1795 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
1796 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
1797 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
1801 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1802 It is assumed that LEN % 128 == 0. */
1803 static void rb_sha512_process_block(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1805 const uint64_t *words
= buffer
;
1806 size_t nwords
= len
/ sizeof(uint64_t);
1807 uint64_t a
= ctx
->H
[0];
1808 uint64_t b
= ctx
->H
[1];
1809 uint64_t c
= ctx
->H
[2];
1810 uint64_t d
= ctx
->H
[3];
1811 uint64_t e
= ctx
->H
[4];
1812 uint64_t f
= ctx
->H
[5];
1813 uint64_t g
= ctx
->H
[6];
1814 uint64_t h
= ctx
->H
[7];
1816 /* First increment the byte count. FIPS 180-2 specifies the possible
1817 length of the file up to 2^128 bits. Here we only compute the
1818 number of bytes. Do a double word increment. */
1819 ctx
->total
[0] += len
;
1820 if (ctx
->total
[0] < len
)
1823 /* Process all bytes in the buffer with 128 bytes in each round of
1828 uint64_t a_save
= a
;
1829 uint64_t b_save
= b
;
1830 uint64_t c_save
= c
;
1831 uint64_t d_save
= d
;
1832 uint64_t e_save
= e
;
1833 uint64_t f_save
= f
;
1834 uint64_t g_save
= g
;
1835 uint64_t h_save
= h
;
1838 /* Operators defined in FIPS 180-2:4.1.2. */
1839 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1840 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1841 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1842 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1843 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1844 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1846 /* It is unfortunate that C does not provide an operator for
1847 cyclic rotation. Hope the C compiler is smart enough. */
1848 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1850 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1851 for (t
= 0; t
< 16; ++t
)
1853 W
[t
] = SHA512_SWAP(*words
);
1856 for (t
= 16; t
< 80; ++t
)
1857 W
[t
] = SHA512_R1(W
[t
- 2]) + W
[t
- 7] + SHA512_R0(W
[t
- 15]) + W
[t
- 16];
1859 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1860 for (t
= 0; t
< 80; ++t
)
1862 uint64_t T1
= h
+ SHA512_S1(e
) + SHA512_Ch(e
, f
, g
) + SHA512_K
[t
] + W
[t
];
1863 uint64_t T2
= SHA512_S0(a
) + SHA512_Maj(a
, b
, c
);
1874 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1885 /* Prepare for the next round. */
1889 /* Put checksum in context given as argument. */
1901 /* Initialize structure containing state of computation.
1902 (FIPS 180-2:5.3.3) */
1903 static void rb_sha512_init_ctx(struct sha512_ctx
*ctx
)
1905 ctx
->H
[0] = 0x6a09e667f3bcc908ULL
;
1906 ctx
->H
[1] = 0xbb67ae8584caa73bULL
;
1907 ctx
->H
[2] = 0x3c6ef372fe94f82bULL
;
1908 ctx
->H
[3] = 0xa54ff53a5f1d36f1ULL
;
1909 ctx
->H
[4] = 0x510e527fade682d1ULL
;
1910 ctx
->H
[5] = 0x9b05688c2b3e6c1fULL
;
1911 ctx
->H
[6] = 0x1f83d9abfb41bd6bULL
;
1912 ctx
->H
[7] = 0x5be0cd19137e2179ULL
;
1914 ctx
->total
[0] = ctx
->total
[1] = 0;
1919 /* Process the remaining bytes in the internal buffer and the usual
1920 prolog according to the standard and write the result to RESBUF.
1922 IMPORTANT: On some systems it is required that RESBUF is correctly
1923 aligned for a 32 bits value. */
1924 static void *rb_sha512_finish_ctx(struct sha512_ctx
*ctx
, void *resbuf
)
1926 /* Take yet unprocessed bytes into account. */
1927 uint64_t bytes
= ctx
->buflen
;
1931 /* Now count remaining bytes. */
1932 ctx
->total
[0] += bytes
;
1933 if (ctx
->total
[0] < bytes
)
1936 pad
= bytes
>= 112 ? 128 + 112 - bytes
: 112 - bytes
;
1937 memcpy(&ctx
->buffer
[bytes
], SHA512_fillbuf
, pad
);
1939 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1940 *(uint64_t *) & ctx
->buffer
[bytes
+ pad
+ 8] = SHA512_SWAP(ctx
->total
[0] << 3);
1941 *(uint64_t *) & ctx
->buffer
[bytes
+ pad
] = SHA512_SWAP((ctx
->total
[1] << 3) |
1942 (ctx
->total
[0] >> 61));
1944 /* Process last bytes. */
1945 rb_sha512_process_block(ctx
->buffer
, bytes
+ pad
+ 16, ctx
);
1947 /* Put result from CTX in first 64 bytes following RESBUF. */
1948 for (i
= 0; i
< 8; ++i
)
1949 ((uint64_t *) resbuf
)[i
] = SHA512_SWAP(ctx
->H
[i
]);
1955 static void rb_sha512_process_bytes(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1957 /* When we already have some bits in our internal buffer concatenate
1958 both inputs first. */
1959 if (ctx
->buflen
!= 0)
1961 size_t left_over
= ctx
->buflen
;
1962 size_t add
= 256 - left_over
> len
? len
: 256 - left_over
;
1964 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1967 if (ctx
->buflen
> 128)
1969 rb_sha512_process_block(ctx
->buffer
, ctx
->buflen
& ~127, ctx
);
1972 /* The regions in the following copy operation cannot overlap. */
1973 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~127], ctx
->buflen
);
1976 buffer
= (const char *)buffer
+ add
;
1980 /* Process available complete blocks. */
1983 #if !_STRING_ARCH_unaligned
1984 /* To check alignment gcc has an appropriate operator. Other
1987 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1989 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1991 if (SHA512_UNALIGNED_P(buffer
))
1994 rb_sha512_process_block(memcpy(ctx
->buffer
, buffer
, 128), 128, ctx
);
1995 buffer
= (const char *)buffer
+ 128;
2001 rb_sha512_process_block(buffer
, len
& ~127, ctx
);
2002 buffer
= (const char *)buffer
+ (len
& ~127);
2007 /* Move remaining bytes into internal buffer. */
2010 size_t left_over
= ctx
->buflen
;
2012 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
2014 if (left_over
>= 128)
2016 rb_sha512_process_block(ctx
->buffer
, 128, ctx
);
2018 memcpy(ctx
->buffer
, &ctx
->buffer
[128], left_over
);
2020 ctx
->buflen
= left_over
;
2025 /* Define our magic string to mark salt for SHA512 "encryption"
2027 static const char sha512_salt_prefix
[] = "$6$";
2029 /* Prefix for optional rounds specification. */
2030 static const char sha512_rounds_prefix
[] = "rounds=";
2032 /* Maximum salt string length. */
2033 #define SHA512_SALT_LEN_MAX 16
2034 /* Default number of rounds if not explicitly specified. */
2035 #define SHA512_ROUNDS_DEFAULT 5000
2036 /* Minimum number of rounds. */
2037 #define SHA512_ROUNDS_MIN 1000
2038 /* Maximum number of rounds. */
2039 #define SHA512_ROUNDS_MAX 999999999
2041 static char *rb_sha512_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
2043 unsigned char alt_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2044 unsigned char temp_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2045 struct sha512_ctx ctx
;
2046 struct sha512_ctx alt_ctx
;
2051 char *copied_key
= NULL
;
2052 char *copied_salt
= NULL
;
2055 /* Default number of rounds. */
2056 size_t rounds
= SHA512_ROUNDS_DEFAULT
;
2057 int rounds_custom
= 0;
2059 /* Find beginning of salt string. The prefix should normally always
2060 be present. Just in case it is not. */
2061 if (strncmp(sha512_salt_prefix
, salt
, sizeof(sha512_salt_prefix
) - 1) == 0)
2062 /* Skip salt prefix. */
2063 salt
+= sizeof(sha512_salt_prefix
) - 1;
2065 if (strncmp(salt
, sha512_rounds_prefix
, sizeof(sha512_rounds_prefix
) - 1) == 0)
2067 const char *num
= salt
+ sizeof(sha512_rounds_prefix
) - 1;
2069 unsigned long int srounds
= strtoul(num
, &endp
, 10);
2073 rounds
= MAX(SHA512_ROUNDS_MIN
, MIN(srounds
, SHA512_ROUNDS_MAX
));
2078 salt_len
= MIN(strcspn(salt
, "$"), SHA512_SALT_LEN_MAX
);
2079 key_len
= strlen(key
);
2081 if ((key
- (char *)0) % __alignof__(uint64_t) != 0)
2083 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint64_t));
2085 memcpy(tmp
+ __alignof__(uint64_t)
2086 - (tmp
- (char *)0) % __alignof__(uint64_t), key
, key_len
);
2089 if ((salt
- (char *)0) % __alignof__(uint64_t) != 0)
2091 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint64_t));
2092 salt
= copied_salt
=
2093 memcpy(tmp
+ __alignof__(uint64_t)
2094 - (tmp
- (char *)0) % __alignof__(uint64_t), salt
, salt_len
);
2097 /* Prepare for the real work. */
2098 rb_sha512_init_ctx(&ctx
);
2100 /* Add the key string. */
2101 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2103 /* The last part is the salt string. This must be at most 16
2104 characters and it ends at the first `$' character (for
2105 compatibility with existing implementations). */
2106 rb_sha512_process_bytes(salt
, salt_len
, &ctx
);
2109 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2110 final result will be added to the first context. */
2111 rb_sha512_init_ctx(&alt_ctx
);
2114 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2117 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2119 /* Add key again. */
2120 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2122 /* Now get result of this (64 bytes) and add it to the other
2124 rb_sha512_finish_ctx(&alt_ctx
, alt_result
);
2126 /* Add for any character in the key one byte of the alternate sum. */
2127 for (cnt
= key_len
; cnt
> 64; cnt
-= 64)
2128 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2129 rb_sha512_process_bytes(alt_result
, cnt
, &ctx
);
2131 /* Take the binary representation of the length of the key and for every
2132 1 add the alternate sum, for every 0 the key. */
2133 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
2135 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2137 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2139 /* Create intermediate result. */
2140 rb_sha512_finish_ctx(&ctx
, alt_result
);
2142 /* Start computation of P byte sequence. */
2143 rb_sha512_init_ctx(&alt_ctx
);
2145 /* For every character in the password add the entire password. */
2146 for (cnt
= 0; cnt
< key_len
; ++cnt
)
2147 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2149 /* Finish the digest. */
2150 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2152 /* Create byte sequence P. */
2153 cp
= p_bytes
= alloca(key_len
);
2154 for (cnt
= key_len
; cnt
>= 64; cnt
-= 64)
2156 memcpy(cp
, temp_result
, 64);
2159 memcpy(cp
, temp_result
, cnt
);
2161 /* Start computation of S byte sequence. */
2162 rb_sha512_init_ctx(&alt_ctx
);
2164 /* For every character in the password add the entire password. */
2165 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
2166 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2168 /* Finish the digest. */
2169 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2171 /* Create byte sequence S. */
2172 cp
= s_bytes
= alloca(salt_len
);
2173 for (cnt
= salt_len
; cnt
>= 64; cnt
-= 64)
2175 memcpy(cp
, temp_result
, 64);
2178 memcpy(cp
, temp_result
, cnt
);
2180 /* Repeatedly run the collected hash value through SHA512 to burn
2182 for (cnt
= 0; cnt
< rounds
; ++cnt
)
2185 rb_sha512_init_ctx(&ctx
);
2187 /* Add key or last result. */
2189 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2191 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2193 /* Add salt for numbers not divisible by 3. */
2195 rb_sha512_process_bytes(s_bytes
, salt_len
, &ctx
);
2197 /* Add key for numbers not divisible by 7. */
2199 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2201 /* Add key or last result. */
2203 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2205 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2207 /* Create intermediate result. */
2208 rb_sha512_finish_ctx(&ctx
, alt_result
);
2211 /* Now we can construct the result string. It consists of three
2213 memset(buffer
, '\0', MAX(0, buflen
));
2214 strncpy(buffer
, sha512_salt_prefix
, MAX(0, buflen
));
2215 if((cp
= strchr(buffer
, '\0')) == NULL
)
2216 cp
= buffer
+ MAX(0, buflen
);
2217 buflen
-= sizeof(sha512_salt_prefix
) - 1;
2221 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
2222 sha512_rounds_prefix
, rounds
);
2227 memset(cp
, '\0', MIN((size_t) MAX(0, buflen
), salt_len
));
2228 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
2229 if((cp
= strchr(buffer
, '\0')) == NULL
)
2230 cp
= buffer
+ salt_len
;
2231 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
2239 b64_from_24bit(alt_result
[0], alt_result
[21], alt_result
[42], 4);
2240 b64_from_24bit(alt_result
[22], alt_result
[43], alt_result
[1], 4);
2241 b64_from_24bit(alt_result
[44], alt_result
[2], alt_result
[23], 4);
2242 b64_from_24bit(alt_result
[3], alt_result
[24], alt_result
[45], 4);
2243 b64_from_24bit(alt_result
[25], alt_result
[46], alt_result
[4], 4);
2244 b64_from_24bit(alt_result
[47], alt_result
[5], alt_result
[26], 4);
2245 b64_from_24bit(alt_result
[6], alt_result
[27], alt_result
[48], 4);
2246 b64_from_24bit(alt_result
[28], alt_result
[49], alt_result
[7], 4);
2247 b64_from_24bit(alt_result
[50], alt_result
[8], alt_result
[29], 4);
2248 b64_from_24bit(alt_result
[9], alt_result
[30], alt_result
[51], 4);
2249 b64_from_24bit(alt_result
[31], alt_result
[52], alt_result
[10], 4);
2250 b64_from_24bit(alt_result
[53], alt_result
[11], alt_result
[32], 4);
2251 b64_from_24bit(alt_result
[12], alt_result
[33], alt_result
[54], 4);
2252 b64_from_24bit(alt_result
[34], alt_result
[55], alt_result
[13], 4);
2253 b64_from_24bit(alt_result
[56], alt_result
[14], alt_result
[35], 4);
2254 b64_from_24bit(alt_result
[15], alt_result
[36], alt_result
[57], 4);
2255 b64_from_24bit(alt_result
[37], alt_result
[58], alt_result
[16], 4);
2256 b64_from_24bit(alt_result
[59], alt_result
[17], alt_result
[38], 4);
2257 b64_from_24bit(alt_result
[18], alt_result
[39], alt_result
[60], 4);
2258 b64_from_24bit(alt_result
[40], alt_result
[61], alt_result
[19], 4);
2259 b64_from_24bit(alt_result
[62], alt_result
[20], alt_result
[41], 4);
2260 b64_from_24bit(0, 0, alt_result
[63], 2);
2268 *cp
= '\0'; /* Terminate the string. */
2270 /* Clear the buffer for the intermediate result so that people
2271 attaching to processes or reading core dumps cannot get any
2272 information. We do it in this way to clear correct_words[]
2273 inside the SHA512 implementation as well. */
2274 rb_sha512_init_ctx(&ctx
);
2275 rb_sha512_finish_ctx(&ctx
, alt_result
);
2276 memset(temp_result
, '\0', sizeof(temp_result
));
2277 memset(p_bytes
, '\0', key_len
);
2278 memset(s_bytes
, '\0', salt_len
);
2279 memset(&ctx
, '\0', sizeof(ctx
));
2280 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
2281 if (copied_key
!= NULL
)
2282 memset(copied_key
, '\0', key_len
);
2283 if (copied_salt
!= NULL
)
2284 memset(copied_salt
, '\0', salt_len
);
2290 /* This entry point is equivalent to the `crypt' function in Unix
2292 static char *rb_sha512_crypt(const char *key
, const char *salt
)
2294 /* We don't want to have an arbitrary limit in the size of the
2295 password. We can compute an upper bound for the size of the
2296 result in advance and so we can prepare the buffer we pass to
2297 `rb_sha512_crypt_r'. */
2298 static char *buffer
;
2300 int needed
= (sizeof(sha512_salt_prefix
) - 1
2301 + sizeof(sha512_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 86 + 1);
2303 if (buflen
< needed
)
2305 char *new_buffer
= (char *)realloc(buffer
, needed
);
2306 if (new_buffer
== NULL
)
2309 buffer
= new_buffer
;
2313 return rb_sha512_crypt_r(key
, salt
, buffer
, buflen
);