]>
jfr.im git - solanum.git/blob - librb/src/crypt.c
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
30 #include <librb_config.h>
33 static char *rb_md5_crypt(const char *pw
, const char *salt
);
34 static char *rb_des_crypt(const char *pw
, const char *salt
);
35 static char *rb_sha256_crypt(const char *key
, const char *salt
);
36 static char *rb_sha512_crypt(const char *key
, const char *salt
);
39 rb_crypt(const char *key
, const char *salt
)
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt
[0] == '$' && (salt
[2] == '$' || salt
[3] == '$'))
48 return rb_md5_crypt(key
, salt
);
50 return rb_sha256_crypt(key
, salt
);
52 return rb_sha512_crypt(key
, salt
);
58 return rb_des_crypt(key
, salt
);
61 #define b64_from_24bit(B2, B1, B0, N) \
64 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
66 while (n-- > 0 && buflen > 0) \
68 *cp++ = ascii64[w & 0x3f]; \
75 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
78 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
81 /* Here is the des crypt() stuff */
84 * FreeSec: libcrypt for NetBSD
86 * Copyright (c) 1994 David Burren
87 * All rights reserved.
89 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
90 * this file should now *only* export crypt(), in order to make
91 * binaries of libcrypt exportable from the USA
93 * Adapted for FreeBSD-4.0 by Mark R V Murray
94 * this file should now *only* export crypt_des(), in order to make
95 * a module that can be optionally included in libcrypt.
97 * Redistribution and use in source and binary forms, with or without
98 * modification, are permitted provided that the following conditions
100 * 1. Redistributions of source code must retain the above copyright
101 * notice, this list of conditions and the following disclaimer.
102 * 2. Redistributions in binary form must reproduce the above copyright
103 * notice, this list of conditions and the following disclaimer in the
104 * documentation and/or other materials provided with the distribution.
105 * 3. Neither the name of the author nor the names of other contributors
106 * may be used to endorse or promote products derived from this software
107 * without specific prior written permission.
109 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
110 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
111 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
112 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
113 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
114 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
115 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
116 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
117 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
118 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
121 * This is an original implementation of the DES and the crypt(3) interfaces
122 * by David Burren <davidb@werj.com.au>.
124 * An excellent reference on the underlying algorithm (and related
127 * B. Schneier, Applied Cryptography: protocols, algorithms,
128 * and source code in C, John Wiley & Sons, 1994.
130 * Note that in that book's description of DES the lookups for the initial,
131 * pbox, and final permutations are inverted (this has been brought to the
132 * attention of the author). A list of errata for this book has been
133 * posted to the sci.crypt newsgroup by the author and is available for FTP.
135 * ARCHITECTURE ASSUMPTIONS:
136 * It is assumed that the 8-byte arrays passed by reference can be
137 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
142 /* Re-entrantify me -- all this junk needs to be in
143 * struct crypt_data to make this really reentrant... */
144 static uint8_t inv_key_perm
[64];
145 static uint8_t inv_comp_perm
[56];
146 static uint8_t u_sbox
[8][64];
147 static uint8_t un_pbox
[32];
148 static uint32_t en_keysl
[16], en_keysr
[16];
149 static uint32_t de_keysl
[16], de_keysr
[16];
150 static uint32_t ip_maskl
[8][256], ip_maskr
[8][256];
151 static uint32_t fp_maskl
[8][256], fp_maskr
[8][256];
152 static uint32_t key_perm_maskl
[8][128], key_perm_maskr
[8][128];
153 static uint32_t comp_maskl
[8][128], comp_maskr
[8][128];
154 static uint32_t saltbits
;
155 static uint32_t old_salt
;
156 static uint32_t old_rawkey0
, old_rawkey1
;
159 /* Static stuff that stays resident and doesn't change after
160 * being initialized, and therefore doesn't need to be made
162 static uint8_t init_perm
[64], final_perm
[64];
163 static uint8_t m_sbox
[4][4096];
164 static uint32_t psbox
[4][256];
167 static const uint8_t ascii64
[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
169 static const uint8_t IP
[64] = {
170 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
171 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
172 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
173 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
176 static const uint8_t key_perm
[56] = {
177 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
178 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
179 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
180 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
183 static const uint8_t key_shifts
[16] = {
184 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
187 static const uint8_t comp_perm
[48] = {
188 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
189 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
190 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
191 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
195 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
198 static const uint8_t sbox
[8][64] = {
200 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
201 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
202 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
203 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
205 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
206 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
207 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
208 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
210 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
211 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
212 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
213 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
215 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
216 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
217 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
218 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
220 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
221 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
222 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
223 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
225 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
226 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
227 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
228 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
230 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
231 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
232 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
233 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
235 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
236 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
237 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
238 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
241 static const uint8_t pbox
[32] = {
242 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
243 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
246 static const uint32_t bits32
[32] = {
247 0x80000000, 0x40000000, 0x20000000, 0x10000000,
248 0x08000000, 0x04000000, 0x02000000, 0x01000000,
249 0x00800000, 0x00400000, 0x00200000, 0x00100000,
250 0x00080000, 0x00040000, 0x00020000, 0x00010000,
251 0x00008000, 0x00004000, 0x00002000, 0x00001000,
252 0x00000800, 0x00000400, 0x00000200, 0x00000100,
253 0x00000080, 0x00000040, 0x00000020, 0x00000010,
254 0x00000008, 0x00000004, 0x00000002, 0x00000001
257 static const uint8_t bits8
[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
259 static const uint32_t *bits28
, *bits24
;
263 rb_ascii_to_bin(char ch
)
268 return (ch
- 'a' + 38);
272 return (ch
- 'A' + 12);
283 int i
, j
, b
, k
, inbit
, obit
;
284 uint32_t *p
, *il
, *ir
, *fl
, *fr
;
285 static int rb_des_initialised
= 0;
287 if(rb_des_initialised
== 1)
290 old_rawkey0
= old_rawkey1
= 0L;
293 bits24
= (bits28
= bits32
+ 4) + 4;
296 * Invert the S-boxes, reordering the input bits.
298 for(i
= 0; i
< 8; i
++)
299 for(j
= 0; j
< 64; j
++)
301 b
= (j
& 0x20) | ((j
& 1) << 4) | ((j
>> 1) & 0xf);
302 u_sbox
[i
][j
] = sbox
[i
][b
];
306 * Convert the inverted S-boxes into 4 arrays of 8 bits.
307 * Each will handle 12 bits of the S-box input.
309 for(b
= 0; b
< 4; b
++)
310 for(i
= 0; i
< 64; i
++)
311 for(j
= 0; j
< 64; j
++)
312 m_sbox
[b
][(i
<< 6) | j
] =
313 (uint8_t)((u_sbox
[(b
<< 1)][i
] << 4) |
314 u_sbox
[(b
<< 1) + 1][j
]);
317 * Set up the initial & final permutations into a useful form, and
318 * initialise the inverted key permutation.
320 for(i
= 0; i
< 64; i
++)
322 init_perm
[final_perm
[i
] = IP
[i
] - 1] = (uint8_t)i
;
323 inv_key_perm
[i
] = 255;
327 * Invert the key permutation and initialise the inverted key
328 * compression permutation.
330 for(i
= 0; i
< 56; i
++)
332 inv_key_perm
[key_perm
[i
] - 1] = (uint8_t)i
;
333 inv_comp_perm
[i
] = 255;
337 * Invert the key compression permutation.
339 for(i
= 0; i
< 48; i
++)
341 inv_comp_perm
[comp_perm
[i
] - 1] = (uint8_t)i
;
345 * Set up the OR-mask arrays for the initial and final permutations,
346 * and for the key initial and compression permutations.
348 for(k
= 0; k
< 8; k
++)
350 for(i
= 0; i
< 256; i
++)
352 *(il
= &ip_maskl
[k
][i
]) = 0L;
353 *(ir
= &ip_maskr
[k
][i
]) = 0L;
354 *(fl
= &fp_maskl
[k
][i
]) = 0L;
355 *(fr
= &fp_maskr
[k
][i
]) = 0L;
356 for(j
= 0; j
< 8; j
++)
361 if((obit
= init_perm
[inbit
]) < 32)
364 *ir
|= bits32
[obit
- 32];
365 if((obit
= final_perm
[inbit
]) < 32)
368 *fr
|= bits32
[obit
- 32];
372 for(i
= 0; i
< 128; i
++)
374 *(il
= &key_perm_maskl
[k
][i
]) = 0L;
375 *(ir
= &key_perm_maskr
[k
][i
]) = 0L;
376 for(j
= 0; j
< 7; j
++)
381 if((obit
= inv_key_perm
[inbit
]) == 255)
386 *ir
|= bits28
[obit
- 28];
389 *(il
= &comp_maskl
[k
][i
]) = 0L;
390 *(ir
= &comp_maskr
[k
][i
]) = 0L;
391 for(j
= 0; j
< 7; j
++)
396 if((obit
= inv_comp_perm
[inbit
]) == 255)
401 *ir
|= bits24
[obit
- 24];
408 * Invert the P-box permutation, and convert into OR-masks for
409 * handling the output of the S-box arrays setup above.
411 for(i
= 0; i
< 32; i
++)
412 un_pbox
[pbox
[i
] - 1] = (uint8_t)i
;
414 for(b
= 0; b
< 4; b
++)
415 for(i
= 0; i
< 256; i
++)
417 *(p
= &psbox
[b
][i
]) = 0L;
418 for(j
= 0; j
< 8; j
++)
421 *p
|= bits32
[un_pbox
[8 * b
+ j
]];
425 rb_des_initialised
= 1;
430 rb_setup_salt(long salt
)
432 uint32_t obit
, saltbit
;
435 if(salt
== (long)old_salt
)
442 for(i
= 0; i
< 24; i
++)
452 rb_des_setkey(const char *key
)
454 uint32_t k0
, k1
, rawkey0
, rawkey1
;
459 rawkey0
= ntohl(*(const uint32_t *)key
);
460 rawkey1
= ntohl(*(const uint32_t *)(key
+ 4));
462 if((rawkey0
| rawkey1
) && rawkey0
== old_rawkey0
&& rawkey1
== old_rawkey1
)
465 * Already setup for this key.
466 * This optimisation fails on a zero key (which is weak and
467 * has bad parity anyway) in order to simplify the starting
472 old_rawkey0
= rawkey0
;
473 old_rawkey1
= rawkey1
;
476 * Do key permutation and split into two 28-bit subkeys.
478 k0
= key_perm_maskl
[0][rawkey0
>> 25]
479 | key_perm_maskl
[1][(rawkey0
>> 17) & 0x7f]
480 | key_perm_maskl
[2][(rawkey0
>> 9) & 0x7f]
481 | key_perm_maskl
[3][(rawkey0
>> 1) & 0x7f]
482 | key_perm_maskl
[4][rawkey1
>> 25]
483 | key_perm_maskl
[5][(rawkey1
>> 17) & 0x7f]
484 | key_perm_maskl
[6][(rawkey1
>> 9) & 0x7f]
485 | key_perm_maskl
[7][(rawkey1
>> 1) & 0x7f];
486 k1
= key_perm_maskr
[0][rawkey0
>> 25]
487 | key_perm_maskr
[1][(rawkey0
>> 17) & 0x7f]
488 | key_perm_maskr
[2][(rawkey0
>> 9) & 0x7f]
489 | key_perm_maskr
[3][(rawkey0
>> 1) & 0x7f]
490 | key_perm_maskr
[4][rawkey1
>> 25]
491 | key_perm_maskr
[5][(rawkey1
>> 17) & 0x7f]
492 | key_perm_maskr
[6][(rawkey1
>> 9) & 0x7f]
493 | key_perm_maskr
[7][(rawkey1
>> 1) & 0x7f];
495 * Rotate subkeys and do compression permutation.
498 for(round
= 0; round
< 16; round
++)
502 shifts
+= key_shifts
[round
];
504 t0
= (k0
<< shifts
) | (k0
>> (28 - shifts
));
505 t1
= (k1
<< shifts
) | (k1
>> (28 - shifts
));
507 de_keysl
[15 - round
] =
508 en_keysl
[round
] = comp_maskl
[0][(t0
>> 21) & 0x7f]
509 | comp_maskl
[1][(t0
>> 14) & 0x7f]
510 | comp_maskl
[2][(t0
>> 7) & 0x7f]
511 | comp_maskl
[3][t0
& 0x7f]
512 | comp_maskl
[4][(t1
>> 21) & 0x7f]
513 | comp_maskl
[5][(t1
>> 14) & 0x7f]
514 | comp_maskl
[6][(t1
>> 7) & 0x7f] | comp_maskl
[7][t1
& 0x7f];
516 de_keysr
[15 - round
] =
517 en_keysr
[round
] = comp_maskr
[0][(t0
>> 21) & 0x7f]
518 | comp_maskr
[1][(t0
>> 14) & 0x7f]
519 | comp_maskr
[2][(t0
>> 7) & 0x7f]
520 | comp_maskr
[3][t0
& 0x7f]
521 | comp_maskr
[4][(t1
>> 21) & 0x7f]
522 | comp_maskr
[5][(t1
>> 14) & 0x7f]
523 | comp_maskr
[6][(t1
>> 7) & 0x7f] | comp_maskr
[7][t1
& 0x7f];
529 rb_do_des(uint32_t l_in
, uint32_t r_in
, uint32_t *l_out
, uint32_t *r_out
, int count
)
532 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
534 uint32_t l
, r
, *kl
, *kr
, *kl1
, *kr1
;
535 uint32_t f
= 0, r48l
, r48r
;
561 * Do initial permutation (IP).
563 l
= ip_maskl
[0][l_in
>> 24]
564 | ip_maskl
[1][(l_in
>> 16) & 0xff]
565 | ip_maskl
[2][(l_in
>> 8) & 0xff]
566 | ip_maskl
[3][l_in
& 0xff]
567 | ip_maskl
[4][r_in
>> 24]
568 | ip_maskl
[5][(r_in
>> 16) & 0xff]
569 | ip_maskl
[6][(r_in
>> 8) & 0xff] | ip_maskl
[7][r_in
& 0xff];
570 r
= ip_maskr
[0][l_in
>> 24]
571 | ip_maskr
[1][(l_in
>> 16) & 0xff]
572 | ip_maskr
[2][(l_in
>> 8) & 0xff]
573 | ip_maskr
[3][l_in
& 0xff]
574 | ip_maskr
[4][r_in
>> 24]
575 | ip_maskr
[5][(r_in
>> 16) & 0xff]
576 | ip_maskr
[6][(r_in
>> 8) & 0xff] | ip_maskr
[7][r_in
& 0xff];
589 * Expand R to 48 bits (simulate the E-box).
591 r48l
= ((r
& 0x00000001) << 23)
592 | ((r
& 0xf8000000) >> 9)
593 | ((r
& 0x1f800000) >> 11)
594 | ((r
& 0x01f80000) >> 13) | ((r
& 0x001f8000) >> 15);
596 r48r
= ((r
& 0x0001f800) << 7)
597 | ((r
& 0x00001f80) << 5)
598 | ((r
& 0x000001f8) << 3)
599 | ((r
& 0x0000001f) << 1) | ((r
& 0x80000000) >> 31);
601 * Do salting for crypt() and friends, and
602 * XOR with the permuted key.
604 f
= (r48l
^ r48r
) & saltbits
;
608 * Do sbox lookups (which shrink it back to 32 bits)
609 * and do the pbox permutation at the same time.
611 f
= psbox
[0][m_sbox
[0][r48l
>> 12]]
612 | psbox
[1][m_sbox
[1][r48l
& 0xfff]]
613 | psbox
[2][m_sbox
[2][r48r
>> 12]]
614 | psbox
[3][m_sbox
[3][r48r
& 0xfff]];
616 * Now that we've permuted things, complete f().
626 * Do final permutation (inverse of IP).
628 *l_out
= fp_maskl
[0][l
>> 24]
629 | fp_maskl
[1][(l
>> 16) & 0xff]
630 | fp_maskl
[2][(l
>> 8) & 0xff]
631 | fp_maskl
[3][l
& 0xff]
632 | fp_maskl
[4][r
>> 24]
633 | fp_maskl
[5][(r
>> 16) & 0xff]
634 | fp_maskl
[6][(r
>> 8) & 0xff] | fp_maskl
[7][r
& 0xff];
635 *r_out
= fp_maskr
[0][l
>> 24]
636 | fp_maskr
[1][(l
>> 16) & 0xff]
637 | fp_maskr
[2][(l
>> 8) & 0xff]
638 | fp_maskr
[3][l
& 0xff]
639 | fp_maskr
[4][r
>> 24]
640 | fp_maskr
[5][(r
>> 16) & 0xff]
641 | fp_maskr
[6][(r
>> 8) & 0xff] | fp_maskr
[7][r
& 0xff];
646 rb_des_crypt(const char *key
, const char *setting
)
648 uint32_t count
, salt
, l
, r0
, r1
, keybuf
[2];
650 static char output
[21];
655 * Copy the key, shifting each character up by one bit
656 * and padding with zeros.
658 q
= (uint8_t *)keybuf
;
659 while(q
- (uint8_t *)keybuf
- 8)
665 if(rb_des_setkey((char *)keybuf
))
670 * setting - 2 bytes of salt
671 * key - up to 8 characters
675 salt
= (rb_ascii_to_bin(setting
[1]) << 6) | rb_ascii_to_bin(setting
[0]);
677 output
[0] = setting
[0];
679 * If the encrypted password that the salt was extracted from
680 * is only 1 character long, the salt will be corrupted. We
681 * need to ensure that the output string doesn't have an extra
684 output
[1] = setting
[1] ? setting
[1] : output
[0];
686 p
= (uint8_t *)output
+ 2;
692 if(rb_do_des(0L, 0L, &r0
, &r1
, (int)count
))
695 * Now encode the result...
698 *p
++ = ascii64
[(l
>> 18) & 0x3f];
699 *p
++ = ascii64
[(l
>> 12) & 0x3f];
700 *p
++ = ascii64
[(l
>> 6) & 0x3f];
701 *p
++ = ascii64
[l
& 0x3f];
703 l
= (r0
<< 16) | ((r1
>> 16) & 0xffff);
704 *p
++ = ascii64
[(l
>> 18) & 0x3f];
705 *p
++ = ascii64
[(l
>> 12) & 0x3f];
706 *p
++ = ascii64
[(l
>> 6) & 0x3f];
707 *p
++ = ascii64
[l
& 0x3f];
710 *p
++ = ascii64
[(l
>> 12) & 0x3f];
711 *p
++ = ascii64
[(l
>> 6) & 0x3f];
712 *p
++ = ascii64
[l
& 0x3f];
720 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
722 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
725 * License to copy and use this software is granted provided that it
726 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
727 * Algorithm" in all material mentioning or referencing this software
730 * License is also granted to make and use derivative works provided
731 * that such works are identified as "derived from the RSA Data
732 * Security, Inc. MD5 Message-Digest Algorithm" in all material
733 * mentioning or referencing the derived work.
735 * RSA Data Security, Inc. makes no representations concerning either
736 * the merchantability of this software or the suitability of this
737 * software for any particular purpose. It is provided "as is"
738 * without express or implied warranty of any kind.
740 * These notices must be retained in any copies of any part of this
741 * documentation and/or software.
743 * This code is the same as the code published by RSA Inc. It has been
744 * edited for clarity and style only.
750 _crypt_to64(char *s
, unsigned long v
, int n
)
753 *s
++ = ascii64
[v
&0x3f];
759 typedef struct MD5Context
{
760 uint32_t state
[4]; /* state (ABCD) */
761 uint32_t count
[2]; /* number of bits, modulo 2^64 (lsb first) */
762 unsigned char buffer
[64]; /* input buffer */
765 static void MD5Transform(uint32_t [4], const unsigned char [64]);
766 static void MD5Init (MD5_CTX
*);
767 static void MD5Update (MD5_CTX
*, const void *, unsigned int);
768 static void MD5Final (unsigned char [16], MD5_CTX
*);
770 #ifndef WORDS_BIGENDIAN
771 #define Encode memcpy
772 #define Decode memcpy
776 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
781 Encode (unsigned char *output
, uint32_t *input
, unsigned int len
)
784 uint32_t *op
= (uint32_t *)output
;
786 for (i
= 0; i
< len
/ 4; i
++)
787 op
[i
] = htole32(input
[i
]);
791 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
796 Decode (uint32_t *output
, const unsigned char *input
, unsigned int len
)
799 const uint32_t *ip
= (const uint32_t *)input
;
801 for (i
= 0; i
< len
/ 4; i
++)
802 output
[i
] = le32toh(ip
[i
]);
806 static unsigned char PADDING
[64] = {
807 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
808 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
809 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
812 /* F, G, H and I are basic MD5 functions. */
813 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
814 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
815 #define H(x, y, z) ((x) ^ (y) ^ (z))
816 #define I(x, y, z) ((y) ^ ((x) | (~z)))
818 /* ROTATE_LEFT rotates x left n bits. */
819 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
822 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
823 * Rotation is separate from addition to prevent recomputation.
825 #define FF(a, b, c, d, x, s, ac) { \
826 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
827 (a) = ROTATE_LEFT ((a), (s)); \
830 #define GG(a, b, c, d, x, s, ac) { \
831 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
832 (a) = ROTATE_LEFT ((a), (s)); \
835 #define HH(a, b, c, d, x, s, ac) { \
836 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
837 (a) = ROTATE_LEFT ((a), (s)); \
840 #define II(a, b, c, d, x, s, ac) { \
841 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
842 (a) = ROTATE_LEFT ((a), (s)); \
846 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
853 context
->count
[0] = context
->count
[1] = 0;
855 /* Load magic initialization constants. */
856 context
->state
[0] = 0x67452301;
857 context
->state
[1] = 0xefcdab89;
858 context
->state
[2] = 0x98badcfe;
859 context
->state
[3] = 0x10325476;
863 * MD5 block update operation. Continues an MD5 message-digest
864 * operation, processing another message block, and updating the
869 MD5Update (context
, in
, inputLen
)
872 unsigned int inputLen
;
874 unsigned int i
, idx
, partLen
;
875 const unsigned char *input
= in
;
877 /* Compute number of bytes mod 64 */
878 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3F);
880 /* Update number of bits */
881 if ((context
->count
[0] += ((uint32_t)inputLen
<< 3))
882 < ((uint32_t)inputLen
<< 3))
884 context
->count
[1] += ((uint32_t)inputLen
>> 29);
888 /* Transform as many times as possible. */
889 if (inputLen
>= partLen
) {
890 memcpy((void *)&context
->buffer
[idx
], (const void *)input
,
892 MD5Transform (context
->state
, context
->buffer
);
894 for (i
= partLen
; i
+ 63 < inputLen
; i
+= 64)
895 MD5Transform (context
->state
, &input
[i
]);
902 /* Buffer remaining input */
903 memcpy ((void *)&context
->buffer
[idx
], (const void *)&input
[i
],
908 * MD5 padding. Adds padding followed by original length.
915 unsigned char bits
[8];
916 unsigned int idx
, padLen
;
918 /* Save number of bits */
919 Encode (bits
, context
->count
, 8);
921 /* Pad out to 56 mod 64. */
922 idx
= (unsigned int)((context
->count
[0] >> 3) & 0x3f);
923 padLen
= (idx
< 56) ? (56 - idx
) : (120 - idx
);
924 MD5Update (context
, PADDING
, padLen
);
926 /* Append length (before padding) */
927 MD5Update (context
, bits
, 8);
931 * MD5 finalization. Ends an MD5 message-digest operation, writing the
932 * the message digest and zeroizing the context.
936 MD5Final (digest
, context
)
937 unsigned char digest
[16];
943 /* Store state in digest */
944 Encode (digest
, context
->state
, 16);
946 /* Zeroize sensitive information. */
947 memset ((void *)context
, 0, sizeof (*context
));
950 /* MD5 basic transformation. Transforms state based on block. */
953 MD5Transform (state
, block
)
955 const unsigned char block
[64];
957 uint32_t a
= state
[0], b
= state
[1], c
= state
[2], d
= state
[3], x
[16];
959 Decode (x
, block
, 64);
966 FF (a
, b
, c
, d
, x
[ 0], S11
, 0xd76aa478); /* 1 */
967 FF (d
, a
, b
, c
, x
[ 1], S12
, 0xe8c7b756); /* 2 */
968 FF (c
, d
, a
, b
, x
[ 2], S13
, 0x242070db); /* 3 */
969 FF (b
, c
, d
, a
, x
[ 3], S14
, 0xc1bdceee); /* 4 */
970 FF (a
, b
, c
, d
, x
[ 4], S11
, 0xf57c0faf); /* 5 */
971 FF (d
, a
, b
, c
, x
[ 5], S12
, 0x4787c62a); /* 6 */
972 FF (c
, d
, a
, b
, x
[ 6], S13
, 0xa8304613); /* 7 */
973 FF (b
, c
, d
, a
, x
[ 7], S14
, 0xfd469501); /* 8 */
974 FF (a
, b
, c
, d
, x
[ 8], S11
, 0x698098d8); /* 9 */
975 FF (d
, a
, b
, c
, x
[ 9], S12
, 0x8b44f7af); /* 10 */
976 FF (c
, d
, a
, b
, x
[10], S13
, 0xffff5bb1); /* 11 */
977 FF (b
, c
, d
, a
, x
[11], S14
, 0x895cd7be); /* 12 */
978 FF (a
, b
, c
, d
, x
[12], S11
, 0x6b901122); /* 13 */
979 FF (d
, a
, b
, c
, x
[13], S12
, 0xfd987193); /* 14 */
980 FF (c
, d
, a
, b
, x
[14], S13
, 0xa679438e); /* 15 */
981 FF (b
, c
, d
, a
, x
[15], S14
, 0x49b40821); /* 16 */
988 GG (a
, b
, c
, d
, x
[ 1], S21
, 0xf61e2562); /* 17 */
989 GG (d
, a
, b
, c
, x
[ 6], S22
, 0xc040b340); /* 18 */
990 GG (c
, d
, a
, b
, x
[11], S23
, 0x265e5a51); /* 19 */
991 GG (b
, c
, d
, a
, x
[ 0], S24
, 0xe9b6c7aa); /* 20 */
992 GG (a
, b
, c
, d
, x
[ 5], S21
, 0xd62f105d); /* 21 */
993 GG (d
, a
, b
, c
, x
[10], S22
, 0x2441453); /* 22 */
994 GG (c
, d
, a
, b
, x
[15], S23
, 0xd8a1e681); /* 23 */
995 GG (b
, c
, d
, a
, x
[ 4], S24
, 0xe7d3fbc8); /* 24 */
996 GG (a
, b
, c
, d
, x
[ 9], S21
, 0x21e1cde6); /* 25 */
997 GG (d
, a
, b
, c
, x
[14], S22
, 0xc33707d6); /* 26 */
998 GG (c
, d
, a
, b
, x
[ 3], S23
, 0xf4d50d87); /* 27 */
999 GG (b
, c
, d
, a
, x
[ 8], S24
, 0x455a14ed); /* 28 */
1000 GG (a
, b
, c
, d
, x
[13], S21
, 0xa9e3e905); /* 29 */
1001 GG (d
, a
, b
, c
, x
[ 2], S22
, 0xfcefa3f8); /* 30 */
1002 GG (c
, d
, a
, b
, x
[ 7], S23
, 0x676f02d9); /* 31 */
1003 GG (b
, c
, d
, a
, x
[12], S24
, 0x8d2a4c8a); /* 32 */
1010 HH (a
, b
, c
, d
, x
[ 5], S31
, 0xfffa3942); /* 33 */
1011 HH (d
, a
, b
, c
, x
[ 8], S32
, 0x8771f681); /* 34 */
1012 HH (c
, d
, a
, b
, x
[11], S33
, 0x6d9d6122); /* 35 */
1013 HH (b
, c
, d
, a
, x
[14], S34
, 0xfde5380c); /* 36 */
1014 HH (a
, b
, c
, d
, x
[ 1], S31
, 0xa4beea44); /* 37 */
1015 HH (d
, a
, b
, c
, x
[ 4], S32
, 0x4bdecfa9); /* 38 */
1016 HH (c
, d
, a
, b
, x
[ 7], S33
, 0xf6bb4b60); /* 39 */
1017 HH (b
, c
, d
, a
, x
[10], S34
, 0xbebfbc70); /* 40 */
1018 HH (a
, b
, c
, d
, x
[13], S31
, 0x289b7ec6); /* 41 */
1019 HH (d
, a
, b
, c
, x
[ 0], S32
, 0xeaa127fa); /* 42 */
1020 HH (c
, d
, a
, b
, x
[ 3], S33
, 0xd4ef3085); /* 43 */
1021 HH (b
, c
, d
, a
, x
[ 6], S34
, 0x4881d05); /* 44 */
1022 HH (a
, b
, c
, d
, x
[ 9], S31
, 0xd9d4d039); /* 45 */
1023 HH (d
, a
, b
, c
, x
[12], S32
, 0xe6db99e5); /* 46 */
1024 HH (c
, d
, a
, b
, x
[15], S33
, 0x1fa27cf8); /* 47 */
1025 HH (b
, c
, d
, a
, x
[ 2], S34
, 0xc4ac5665); /* 48 */
1032 II (a
, b
, c
, d
, x
[ 0], S41
, 0xf4292244); /* 49 */
1033 II (d
, a
, b
, c
, x
[ 7], S42
, 0x432aff97); /* 50 */
1034 II (c
, d
, a
, b
, x
[14], S43
, 0xab9423a7); /* 51 */
1035 II (b
, c
, d
, a
, x
[ 5], S44
, 0xfc93a039); /* 52 */
1036 II (a
, b
, c
, d
, x
[12], S41
, 0x655b59c3); /* 53 */
1037 II (d
, a
, b
, c
, x
[ 3], S42
, 0x8f0ccc92); /* 54 */
1038 II (c
, d
, a
, b
, x
[10], S43
, 0xffeff47d); /* 55 */
1039 II (b
, c
, d
, a
, x
[ 1], S44
, 0x85845dd1); /* 56 */
1040 II (a
, b
, c
, d
, x
[ 8], S41
, 0x6fa87e4f); /* 57 */
1041 II (d
, a
, b
, c
, x
[15], S42
, 0xfe2ce6e0); /* 58 */
1042 II (c
, d
, a
, b
, x
[ 6], S43
, 0xa3014314); /* 59 */
1043 II (b
, c
, d
, a
, x
[13], S44
, 0x4e0811a1); /* 60 */
1044 II (a
, b
, c
, d
, x
[ 4], S41
, 0xf7537e82); /* 61 */
1045 II (d
, a
, b
, c
, x
[11], S42
, 0xbd3af235); /* 62 */
1046 II (c
, d
, a
, b
, x
[ 2], S43
, 0x2ad7d2bb); /* 63 */
1047 II (b
, c
, d
, a
, x
[ 9], S44
, 0xeb86d391); /* 64 */
1054 /* Zeroize sensitive information. */
1055 memset ((void *)x
, 0, sizeof (x
));
1063 rb_md5_crypt(const char *pw
, const char *salt
)
1069 unsigned char final
[MD5_SIZE
];
1070 static const char *sp
, *ep
;
1071 static char passwd
[120], *p
;
1072 static const char *magic
= "$1$";
1074 /* Refine the Salt first */
1077 /* If it starts with the magic string, then skip that */
1078 if(!strncmp(sp
, magic
, strlen(magic
)))
1079 sp
+= strlen(magic
);
1081 /* It stops at the first '$', max 8 chars */
1082 for(ep
= sp
; *ep
&& *ep
!= '$' && ep
< (sp
+ 8); ep
++)
1085 /* get the length of the true salt */
1090 /* The password first, since that is what is most unknown */
1091 MD5Update(&ctx
, (const unsigned char *)pw
, strlen(pw
));
1093 /* Then our magic string */
1094 MD5Update(&ctx
, (const unsigned char *)magic
, strlen(magic
));
1096 /* Then the raw salt */
1097 MD5Update(&ctx
, (const unsigned char *)sp
, (unsigned int)sl
);
1099 /* Then just as many characters of the MD5(pw,salt,pw) */
1101 MD5Update(&ctx1
, (const unsigned char *)pw
, strlen(pw
));
1102 MD5Update(&ctx1
, (const unsigned char *)sp
, (unsigned int)sl
);
1103 MD5Update(&ctx1
, (const unsigned char *)pw
, strlen(pw
));
1104 MD5Final(final
, &ctx1
);
1105 for(pl
= (int)strlen(pw
); pl
> 0; pl
-= MD5_SIZE
)
1106 MD5Update(&ctx
, (const unsigned char *)final
,
1107 (unsigned int)(pl
> MD5_SIZE
? MD5_SIZE
: pl
));
1109 /* Don't leave anything around in vm they could use. */
1110 memset(final
, 0, sizeof(final
));
1112 /* Then something really weird... */
1113 for (i
= strlen(pw
); i
; i
>>= 1)
1115 MD5Update(&ctx
, (const unsigned char *)final
, 1);
1117 MD5Update(&ctx
, (const unsigned char *)pw
, 1);
1119 /* Now make the output string */
1120 rb_strlcpy(passwd
, magic
, sizeof(passwd
));
1121 strncat(passwd
, sp
, (unsigned int)sl
);
1122 rb_strlcat(passwd
, "$", sizeof(passwd
));
1124 MD5Final(final
, &ctx
);
1127 * and now, just to make sure things don't run too fast
1128 * On a 60 Mhz Pentium this takes 34 msec, so you would
1129 * need 30 seconds to build a 1000 entry dictionary...
1131 for(i
= 0; i
< 1000; i
++) {
1134 MD5Update(&ctx1
, (const unsigned char *)pw
, strlen(pw
));
1136 MD5Update(&ctx1
, (const unsigned char *)final
, MD5_SIZE
);
1139 MD5Update(&ctx1
, (const unsigned char *)sp
, (unsigned int)sl
);
1142 MD5Update(&ctx1
, (const unsigned char *)pw
, strlen(pw
));
1145 MD5Update(&ctx1
, (const unsigned char *)final
, MD5_SIZE
);
1147 MD5Update(&ctx1
, (const unsigned char *)pw
, strlen(pw
));
1148 MD5Final(final
, &ctx1
);
1151 p
= passwd
+ strlen(passwd
);
1153 l
= (final
[ 0]<<16) | (final
[ 6]<<8) | final
[12];
1154 _crypt_to64(p
, l
, 4); p
+= 4;
1155 l
= (final
[ 1]<<16) | (final
[ 7]<<8) | final
[13];
1156 _crypt_to64(p
, l
, 4); p
+= 4;
1157 l
= (final
[ 2]<<16) | (final
[ 8]<<8) | final
[14];
1158 _crypt_to64(p
, l
, 4); p
+= 4;
1159 l
= (final
[ 3]<<16) | (final
[ 9]<<8) | final
[15];
1160 _crypt_to64(p
, l
, 4); p
+= 4;
1161 l
= (final
[ 4]<<16) | (final
[10]<<8) | final
[ 5];
1162 _crypt_to64(p
, l
, 4); p
+= 4;
1164 _crypt_to64(p
, l
, 2); p
+= 2;
1167 /* Don't leave anything around in vm they could use. */
1168 memset(final
, 0, sizeof(final
));
1174 /* SHA256-based Unix crypt implementation.
1175 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1177 /* Structure to save state of computation between the single steps. */
1184 char buffer
[128]; /* NB: always correctly aligned for uint32_t. */
1187 #ifndef WORDS_BIGENDIAN
1188 # define SHA256_SWAP(n) \
1189 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1191 # define SHA256_SWAP(n) (n)
1194 /* This array contains the bytes used to pad the buffer to the next
1195 64-byte boundary. (FIPS 180-2:5.1.1) */
1196 static const unsigned char SHA256_fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
1199 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1200 static const uint32_t SHA256_K
[64] = {
1201 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1202 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1203 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1204 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1205 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1206 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1207 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1208 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1209 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1210 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1211 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1212 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1213 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1214 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1215 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1216 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1220 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1221 It is assumed that LEN % 64 == 0. */
1222 static void rb_sha256_process_block(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1224 const uint32_t *words
= buffer
;
1225 size_t nwords
= len
/ sizeof(uint32_t);
1226 uint32_t a
= ctx
->H
[0];
1227 uint32_t b
= ctx
->H
[1];
1228 uint32_t c
= ctx
->H
[2];
1229 uint32_t d
= ctx
->H
[3];
1230 uint32_t e
= ctx
->H
[4];
1231 uint32_t f
= ctx
->H
[5];
1232 uint32_t g
= ctx
->H
[6];
1233 uint32_t h
= ctx
->H
[7];
1235 /* First increment the byte count. FIPS 180-2 specifies the possible
1236 length of the file up to 2^64 bits. Here we only compute the
1237 number of bytes. Do a double word increment. */
1238 ctx
->total
[0] += len
;
1239 if (ctx
->total
[0] < len
)
1242 /* Process all bytes in the buffer with 64 bytes in each round of
1247 uint32_t a_save
= a
;
1248 uint32_t b_save
= b
;
1249 uint32_t c_save
= c
;
1250 uint32_t d_save
= d
;
1251 uint32_t e_save
= e
;
1252 uint32_t f_save
= f
;
1253 uint32_t g_save
= g
;
1254 uint32_t h_save
= h
;
1257 /* Operators defined in FIPS 180-2:4.1.2. */
1258 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1259 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1260 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1261 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1262 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1263 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1265 /* It is unfortunate that C does not provide an operator for
1266 cyclic rotation. Hope the C compiler is smart enough. */
1267 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1269 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1270 for (t
= 0; t
< 16; ++t
)
1272 W
[t
] = SHA256_SWAP(*words
);
1275 for (t
= 16; t
< 64; ++t
)
1276 W
[t
] = SHA256_R1(W
[t
- 2]) + W
[t
- 7] + SHA256_R0(W
[t
- 15]) + W
[t
- 16];
1278 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1279 for (t
= 0; t
< 64; ++t
)
1281 uint32_t T1
= h
+ SHA256_S1(e
) + SHA256_Ch(e
, f
, g
) + SHA256_K
[t
] + W
[t
];
1282 uint32_t T2
= SHA256_S0(a
) + SHA256_Maj(a
, b
, c
);
1293 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1304 /* Prepare for the next round. */
1308 /* Put checksum in context given as argument. */
1320 /* Initialize structure containing state of computation.
1321 (FIPS 180-2:5.3.2) */
1322 static void rb_sha256_init_ctx(struct sha256_ctx
*ctx
)
1324 ctx
->H
[0] = 0x6a09e667;
1325 ctx
->H
[1] = 0xbb67ae85;
1326 ctx
->H
[2] = 0x3c6ef372;
1327 ctx
->H
[3] = 0xa54ff53a;
1328 ctx
->H
[4] = 0x510e527f;
1329 ctx
->H
[5] = 0x9b05688c;
1330 ctx
->H
[6] = 0x1f83d9ab;
1331 ctx
->H
[7] = 0x5be0cd19;
1333 ctx
->total
[0] = ctx
->total
[1] = 0;
1338 /* Process the remaining bytes in the internal buffer and the usual
1339 prolog according to the standard and write the result to RESBUF.
1341 IMPORTANT: On some systems it is required that RESBUF is correctly
1342 aligned for a 32 bits value. */
1343 static void *rb_sha256_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
1345 /* Take yet unprocessed bytes into account. */
1346 uint32_t bytes
= ctx
->buflen
, *ptr
;
1350 /* Now count remaining bytes. */
1351 ctx
->total
[0] += bytes
;
1352 if (ctx
->total
[0] < bytes
)
1355 pad
= bytes
>= 56 ? 64 + 56 - bytes
: 56 - bytes
;
1356 memcpy(&ctx
->buffer
[bytes
], SHA256_fillbuf
, pad
);
1358 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1359 ptr
= (uint32_t *)&ctx
->buffer
[bytes
+ pad
+ 4]; /* Avoid warnings about strict aliasing */
1360 *ptr
= SHA256_SWAP(ctx
->total
[0] << 3);
1362 ptr
= (uint32_t *)&ctx
->buffer
[bytes
+ pad
];
1363 *ptr
= SHA256_SWAP((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 29));
1365 /* Process last bytes. */
1366 rb_sha256_process_block(ctx
->buffer
, bytes
+ pad
+ 8, ctx
);
1368 /* Put result from CTX in first 32 bytes following RESBUF. */
1369 for (i
= 0; i
< 8; ++i
)
1370 ((uint32_t *) resbuf
)[i
] = SHA256_SWAP(ctx
->H
[i
]);
1376 static void rb_sha256_process_bytes(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
1378 /* When we already have some bits in our internal buffer concatenate
1379 both inputs first. */
1380 if (ctx
->buflen
!= 0)
1382 size_t left_over
= ctx
->buflen
;
1383 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
1385 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1388 if (ctx
->buflen
> 64)
1390 rb_sha256_process_block(ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
1393 /* The regions in the following copy operation cannot overlap. */
1394 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~63], ctx
->buflen
);
1397 buffer
= (const char *)buffer
+ add
;
1401 /* Process available complete blocks. */
1404 /* To check alignment gcc has an appropriate operator. Other
1407 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1409 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1411 if (SHA256_UNALIGNED_P(buffer
))
1414 rb_sha256_process_block(memcpy(ctx
->buffer
, buffer
, 64), 64, ctx
);
1415 buffer
= (const char *)buffer
+ 64;
1420 rb_sha256_process_block(buffer
, len
& ~63, ctx
);
1421 buffer
= (const char *)buffer
+ (len
& ~63);
1426 /* Move remaining bytes into internal buffer. */
1429 size_t left_over
= ctx
->buflen
;
1431 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
1433 if (left_over
>= 64)
1435 rb_sha256_process_block(ctx
->buffer
, 64, ctx
);
1437 memcpy(ctx
->buffer
, &ctx
->buffer
[64], left_over
);
1439 ctx
->buflen
= left_over
;
1444 /* Define our magic string to mark salt for SHA256 "encryption"
1446 static const char sha256_salt_prefix
[] = "$5$";
1448 /* Prefix for optional rounds specification. */
1449 static const char sha256_rounds_prefix
[] = "rounds=";
1451 /* Maximum salt string length. */
1452 #define SHA256_SALT_LEN_MAX 16
1453 /* Default number of rounds if not explicitly specified. */
1454 #define SHA256_ROUNDS_DEFAULT 5000
1455 /* Minimum number of rounds. */
1456 #define SHA256_ROUNDS_MIN 1000
1457 /* Maximum number of rounds. */
1458 #define SHA256_ROUNDS_MAX 999999999
1460 static char *rb_sha256_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
1462 unsigned char alt_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1463 unsigned char temp_result
[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1464 struct sha256_ctx ctx
;
1465 struct sha256_ctx alt_ctx
;
1470 char *copied_key
= NULL
;
1471 char *copied_salt
= NULL
;
1474 /* Default number of rounds. */
1475 size_t rounds
= SHA256_ROUNDS_DEFAULT
;
1476 int rounds_custom
= 0;
1478 /* Find beginning of salt string. The prefix should normally always
1479 be present. Just in case it is not. */
1480 if (strncmp(sha256_salt_prefix
, salt
, sizeof(sha256_salt_prefix
) - 1) == 0)
1481 /* Skip salt prefix. */
1482 salt
+= sizeof(sha256_salt_prefix
) - 1;
1484 if (strncmp(salt
, sha256_rounds_prefix
, sizeof(sha256_rounds_prefix
) - 1) == 0)
1486 const char *num
= salt
+ sizeof(sha256_rounds_prefix
) - 1;
1488 unsigned long int srounds
= strtoul(num
, &endp
, 10);
1492 rounds
= MAX(SHA256_ROUNDS_MIN
, MIN(srounds
, SHA256_ROUNDS_MAX
));
1497 salt_len
= MIN(strcspn(salt
, "$"), SHA256_SALT_LEN_MAX
);
1498 key_len
= strlen(key
);
1500 if ((key
- (char *)0) % __alignof__(uint32_t) != 0)
1502 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint32_t));
1504 memcpy(tmp
+ __alignof__(uint32_t)
1505 - (tmp
- (char *)0) % __alignof__(uint32_t), key
, key_len
);
1508 if ((salt
- (char *)0) % __alignof__(uint32_t) != 0)
1510 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint32_t));
1511 salt
= copied_salt
=
1512 memcpy(tmp
+ __alignof__(uint32_t)
1513 - (tmp
- (char *)0) % __alignof__(uint32_t), salt
, salt_len
);
1516 /* Prepare for the real work. */
1517 rb_sha256_init_ctx(&ctx
);
1519 /* Add the key string. */
1520 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1522 /* The last part is the salt string. This must be at most 16
1523 characters and it ends at the first `$' character (for
1524 compatibility with existing implementations). */
1525 rb_sha256_process_bytes(salt
, salt_len
, &ctx
);
1528 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1529 final result will be added to the first context. */
1530 rb_sha256_init_ctx(&alt_ctx
);
1533 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1536 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1538 /* Add key again. */
1539 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1541 /* Now get result of this (32 bytes) and add it to the other
1543 rb_sha256_finish_ctx(&alt_ctx
, alt_result
);
1545 /* Add for any character in the key one byte of the alternate sum. */
1546 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
1547 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1548 rb_sha256_process_bytes(alt_result
, cnt
, &ctx
);
1550 /* Take the binary representation of the length of the key and for every
1551 1 add the alternate sum, for every 0 the key. */
1552 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
1554 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1556 rb_sha256_process_bytes(key
, key_len
, &ctx
);
1558 /* Create intermediate result. */
1559 rb_sha256_finish_ctx(&ctx
, alt_result
);
1561 /* Start computation of P byte sequence. */
1562 rb_sha256_init_ctx(&alt_ctx
);
1564 /* For every character in the password add the entire password. */
1565 for (cnt
= 0; cnt
< key_len
; ++cnt
)
1566 rb_sha256_process_bytes(key
, key_len
, &alt_ctx
);
1568 /* Finish the digest. */
1569 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1571 /* Create byte sequence P. */
1572 cp
= p_bytes
= alloca(key_len
);
1573 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
1575 memcpy(cp
, temp_result
, 32);
1578 memcpy(cp
, temp_result
, cnt
);
1580 /* Start computation of S byte sequence. */
1581 rb_sha256_init_ctx(&alt_ctx
);
1583 /* For every character in the password add the entire password. */
1584 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
1585 rb_sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
1587 /* Finish the digest. */
1588 rb_sha256_finish_ctx(&alt_ctx
, temp_result
);
1590 /* Create byte sequence S. */
1591 cp
= s_bytes
= alloca(salt_len
);
1592 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
1594 memcpy(cp
, temp_result
, 32);
1597 memcpy(cp
, temp_result
, cnt
);
1599 /* Repeatedly run the collected hash value through SHA256 to burn
1601 for (cnt
= 0; cnt
< rounds
; ++cnt
)
1604 rb_sha256_init_ctx(&ctx
);
1606 /* Add key or last result. */
1608 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1610 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1612 /* Add salt for numbers not divisible by 3. */
1614 rb_sha256_process_bytes(s_bytes
, salt_len
, &ctx
);
1616 /* Add key for numbers not divisible by 7. */
1618 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1620 /* Add key or last result. */
1622 rb_sha256_process_bytes(alt_result
, 32, &ctx
);
1624 rb_sha256_process_bytes(p_bytes
, key_len
, &ctx
);
1626 /* Create intermediate result. */
1627 rb_sha256_finish_ctx(&ctx
, alt_result
);
1630 /* Now we can construct the result string. It consists of three
1632 memset(buffer
, '\0', MAX(0, buflen
));
1633 strncpy(buffer
, sha256_salt_prefix
, MAX(0, buflen
));
1634 if((cp
= strchr(buffer
, '\0')) == NULL
)
1635 cp
= buffer
+ MAX(0, buflen
);
1636 buflen
-= sizeof(sha256_salt_prefix
) - 1;
1640 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
1641 sha256_rounds_prefix
, rounds
);
1646 memset(cp
, '\0', salt_len
);
1647 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
1648 if((cp
= strchr(buffer
, '\0')) == NULL
)
1650 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
1658 b64_from_24bit(alt_result
[0], alt_result
[10], alt_result
[20], 4);
1659 b64_from_24bit(alt_result
[21], alt_result
[1], alt_result
[11], 4);
1660 b64_from_24bit(alt_result
[12], alt_result
[22], alt_result
[2], 4);
1661 b64_from_24bit(alt_result
[3], alt_result
[13], alt_result
[23], 4);
1662 b64_from_24bit(alt_result
[24], alt_result
[4], alt_result
[14], 4);
1663 b64_from_24bit(alt_result
[15], alt_result
[25], alt_result
[5], 4);
1664 b64_from_24bit(alt_result
[6], alt_result
[16], alt_result
[26], 4);
1665 b64_from_24bit(alt_result
[27], alt_result
[7], alt_result
[17], 4);
1666 b64_from_24bit(alt_result
[18], alt_result
[28], alt_result
[8], 4);
1667 b64_from_24bit(alt_result
[9], alt_result
[19], alt_result
[29], 4);
1668 b64_from_24bit(0, alt_result
[31], alt_result
[30], 3);
1675 *cp
= '\0'; /* Terminate the string. */
1677 /* Clear the buffer for the intermediate result so that people
1678 attaching to processes or reading core dumps cannot get any
1679 information. We do it in this way to clear correct_words[]
1680 inside the SHA256 implementation as well. */
1681 rb_sha256_init_ctx(&ctx
);
1682 rb_sha256_finish_ctx(&ctx
, alt_result
);
1683 memset(temp_result
, '\0', sizeof(temp_result
));
1684 memset(p_bytes
, '\0', key_len
);
1685 memset(s_bytes
, '\0', salt_len
);
1686 memset(&ctx
, '\0', sizeof(ctx
));
1687 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
1688 if (copied_key
!= NULL
)
1689 memset(copied_key
, '\0', key_len
);
1690 if (copied_salt
!= NULL
)
1691 memset(copied_salt
, '\0', salt_len
);
1697 /* This entry point is equivalent to the `crypt' function in Unix
1699 static char *rb_sha256_crypt(const char *key
, const char *salt
)
1701 /* We don't want to have an arbitrary limit in the size of the
1702 password. We can compute an upper bound for the size of the
1703 result in advance and so we can prepare the buffer we pass to
1704 `rb_sha256_crypt_r'. */
1705 static char *buffer
;
1707 int needed
= (sizeof(sha256_salt_prefix
) - 1
1708 + sizeof(sha256_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 43 + 1);
1710 char *new_buffer
= (char *)malloc(needed
);
1711 if (new_buffer
== NULL
)
1714 buffer
= new_buffer
;
1717 return rb_sha256_crypt_r(key
, salt
, buffer
, buflen
);
1720 /* Structure to save state of computation between the single steps. */
1727 char buffer
[256]; /* NB: always correctly aligned for uint64_t. */
1731 #ifndef WORDS_BIGENDIAN
1732 # define SHA512_SWAP(n) \
1734 | (((n) & 0xff00) << 40) \
1735 | (((n) & 0xff0000) << 24) \
1736 | (((n) & 0xff000000) << 8) \
1737 | (((n) >> 8) & 0xff000000) \
1738 | (((n) >> 24) & 0xff0000) \
1739 | (((n) >> 40) & 0xff00) \
1742 # define SHA512_SWAP(n) (n)
1746 /* This array contains the bytes used to pad the buffer to the next
1747 64-byte boundary. (FIPS 180-2:5.1.2) */
1748 static const unsigned char SHA512_fillbuf
[128] = { 0x80, 0 /* , 0, 0, ... */ };
1751 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1752 static const uint64_t SHA512_K
[80] = {
1753 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
1754 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
1755 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
1756 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
1757 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
1758 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
1759 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
1760 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
1761 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
1762 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
1763 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
1764 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
1765 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
1766 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
1767 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
1768 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
1769 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
1770 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
1771 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
1772 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
1773 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
1774 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
1775 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
1776 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
1777 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
1778 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
1779 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
1780 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
1781 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
1782 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
1783 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
1784 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
1785 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
1786 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
1787 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
1788 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
1789 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
1790 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
1791 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
1792 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
1796 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1797 It is assumed that LEN % 128 == 0. */
1798 static void rb_sha512_process_block(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1800 const uint64_t *words
= buffer
;
1801 size_t nwords
= len
/ sizeof(uint64_t);
1802 uint64_t a
= ctx
->H
[0];
1803 uint64_t b
= ctx
->H
[1];
1804 uint64_t c
= ctx
->H
[2];
1805 uint64_t d
= ctx
->H
[3];
1806 uint64_t e
= ctx
->H
[4];
1807 uint64_t f
= ctx
->H
[5];
1808 uint64_t g
= ctx
->H
[6];
1809 uint64_t h
= ctx
->H
[7];
1811 /* First increment the byte count. FIPS 180-2 specifies the possible
1812 length of the file up to 2^128 bits. Here we only compute the
1813 number of bytes. Do a double word increment. */
1814 ctx
->total
[0] += len
;
1815 if (ctx
->total
[0] < len
)
1818 /* Process all bytes in the buffer with 128 bytes in each round of
1823 uint64_t a_save
= a
;
1824 uint64_t b_save
= b
;
1825 uint64_t c_save
= c
;
1826 uint64_t d_save
= d
;
1827 uint64_t e_save
= e
;
1828 uint64_t f_save
= f
;
1829 uint64_t g_save
= g
;
1830 uint64_t h_save
= h
;
1833 /* Operators defined in FIPS 180-2:4.1.2. */
1834 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1835 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1836 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1837 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1838 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1839 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1841 /* It is unfortunate that C does not provide an operator for
1842 cyclic rotation. Hope the C compiler is smart enough. */
1843 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1845 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1846 for (t
= 0; t
< 16; ++t
)
1848 W
[t
] = SHA512_SWAP(*words
);
1851 for (t
= 16; t
< 80; ++t
)
1852 W
[t
] = SHA512_R1(W
[t
- 2]) + W
[t
- 7] + SHA512_R0(W
[t
- 15]) + W
[t
- 16];
1854 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1855 for (t
= 0; t
< 80; ++t
)
1857 uint64_t T1
= h
+ SHA512_S1(e
) + SHA512_Ch(e
, f
, g
) + SHA512_K
[t
] + W
[t
];
1858 uint64_t T2
= SHA512_S0(a
) + SHA512_Maj(a
, b
, c
);
1869 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1880 /* Prepare for the next round. */
1884 /* Put checksum in context given as argument. */
1896 /* Initialize structure containing state of computation.
1897 (FIPS 180-2:5.3.3) */
1898 static void rb_sha512_init_ctx(struct sha512_ctx
*ctx
)
1900 ctx
->H
[0] = 0x6a09e667f3bcc908ULL
;
1901 ctx
->H
[1] = 0xbb67ae8584caa73bULL
;
1902 ctx
->H
[2] = 0x3c6ef372fe94f82bULL
;
1903 ctx
->H
[3] = 0xa54ff53a5f1d36f1ULL
;
1904 ctx
->H
[4] = 0x510e527fade682d1ULL
;
1905 ctx
->H
[5] = 0x9b05688c2b3e6c1fULL
;
1906 ctx
->H
[6] = 0x1f83d9abfb41bd6bULL
;
1907 ctx
->H
[7] = 0x5be0cd19137e2179ULL
;
1909 ctx
->total
[0] = ctx
->total
[1] = 0;
1914 /* Process the remaining bytes in the internal buffer and the usual
1915 prolog according to the standard and write the result to RESBUF.
1917 IMPORTANT: On some systems it is required that RESBUF is correctly
1918 aligned for a 32 bits value. */
1919 static void *rb_sha512_finish_ctx(struct sha512_ctx
*ctx
, void *resbuf
)
1921 /* Take yet unprocessed bytes into account. */
1922 uint64_t bytes
= ctx
->buflen
, *ptr
;
1926 /* Now count remaining bytes. */
1927 ctx
->total
[0] += bytes
;
1928 if (ctx
->total
[0] < bytes
)
1931 pad
= bytes
>= 112 ? 128 + 112 - bytes
: 112 - bytes
;
1932 memcpy(&ctx
->buffer
[bytes
], SHA512_fillbuf
, pad
);
1934 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1935 ptr
= (uint64_t *)&ctx
->buffer
[bytes
+ pad
+ 8]; /* Avoid warnings about strict aliasing */
1936 *ptr
= SHA512_SWAP(ctx
->total
[0] << 3);
1938 ptr
= (uint64_t *)&ctx
->buffer
[bytes
+ pad
];
1939 *ptr
= SHA512_SWAP((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 61));
1941 /* Process last bytes. */
1942 rb_sha512_process_block(ctx
->buffer
, bytes
+ pad
+ 16, ctx
);
1944 /* Put result from CTX in first 64 bytes following RESBUF. */
1945 for (i
= 0; i
< 8; ++i
)
1946 ((uint64_t *) resbuf
)[i
] = SHA512_SWAP(ctx
->H
[i
]);
1952 static void rb_sha512_process_bytes(const void *buffer
, size_t len
, struct sha512_ctx
*ctx
)
1954 /* When we already have some bits in our internal buffer concatenate
1955 both inputs first. */
1956 if (ctx
->buflen
!= 0)
1958 size_t left_over
= ctx
->buflen
;
1959 size_t add
= 256 - left_over
> len
? len
: 256 - left_over
;
1961 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
1964 if (ctx
->buflen
> 128)
1966 rb_sha512_process_block(ctx
->buffer
, ctx
->buflen
& ~127, ctx
);
1969 /* The regions in the following copy operation cannot overlap. */
1970 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~127], ctx
->buflen
);
1973 buffer
= (const char *)buffer
+ add
;
1977 /* Process available complete blocks. */
1980 #if !_STRING_ARCH_unaligned
1981 /* To check alignment gcc has an appropriate operator. Other
1984 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1986 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1988 if (SHA512_UNALIGNED_P(buffer
))
1991 rb_sha512_process_block(memcpy(ctx
->buffer
, buffer
, 128), 128, ctx
);
1992 buffer
= (const char *)buffer
+ 128;
1998 rb_sha512_process_block(buffer
, len
& ~127, ctx
);
1999 buffer
= (const char *)buffer
+ (len
& ~127);
2004 /* Move remaining bytes into internal buffer. */
2007 size_t left_over
= ctx
->buflen
;
2009 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
2011 if (left_over
>= 128)
2013 rb_sha512_process_block(ctx
->buffer
, 128, ctx
);
2015 memcpy(ctx
->buffer
, &ctx
->buffer
[128], left_over
);
2017 ctx
->buflen
= left_over
;
2022 /* Define our magic string to mark salt for SHA512 "encryption"
2024 static const char sha512_salt_prefix
[] = "$6$";
2026 /* Prefix for optional rounds specification. */
2027 static const char sha512_rounds_prefix
[] = "rounds=";
2029 /* Maximum salt string length. */
2030 #define SHA512_SALT_LEN_MAX 16
2031 /* Default number of rounds if not explicitly specified. */
2032 #define SHA512_ROUNDS_DEFAULT 5000
2033 /* Minimum number of rounds. */
2034 #define SHA512_ROUNDS_MIN 1000
2035 /* Maximum number of rounds. */
2036 #define SHA512_ROUNDS_MAX 999999999
2038 static char *rb_sha512_crypt_r(const char *key
, const char *salt
, char *buffer
, int buflen
)
2040 unsigned char alt_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2041 unsigned char temp_result
[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2042 struct sha512_ctx ctx
;
2043 struct sha512_ctx alt_ctx
;
2048 char *copied_key
= NULL
;
2049 char *copied_salt
= NULL
;
2052 /* Default number of rounds. */
2053 size_t rounds
= SHA512_ROUNDS_DEFAULT
;
2054 int rounds_custom
= 0;
2056 /* Find beginning of salt string. The prefix should normally always
2057 be present. Just in case it is not. */
2058 if (strncmp(sha512_salt_prefix
, salt
, sizeof(sha512_salt_prefix
) - 1) == 0)
2059 /* Skip salt prefix. */
2060 salt
+= sizeof(sha512_salt_prefix
) - 1;
2062 if (strncmp(salt
, sha512_rounds_prefix
, sizeof(sha512_rounds_prefix
) - 1) == 0)
2064 const char *num
= salt
+ sizeof(sha512_rounds_prefix
) - 1;
2066 unsigned long int srounds
= strtoul(num
, &endp
, 10);
2070 rounds
= MAX(SHA512_ROUNDS_MIN
, MIN(srounds
, SHA512_ROUNDS_MAX
));
2075 salt_len
= MIN(strcspn(salt
, "$"), SHA512_SALT_LEN_MAX
);
2076 key_len
= strlen(key
);
2078 if ((key
- (char *)0) % __alignof__(uint64_t) != 0)
2080 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint64_t));
2082 memcpy(tmp
+ __alignof__(uint64_t)
2083 - (tmp
- (char *)0) % __alignof__(uint64_t), key
, key_len
);
2086 if ((salt
- (char *)0) % __alignof__(uint64_t) != 0)
2088 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint64_t));
2089 salt
= copied_salt
=
2090 memcpy(tmp
+ __alignof__(uint64_t)
2091 - (tmp
- (char *)0) % __alignof__(uint64_t), salt
, salt_len
);
2094 /* Prepare for the real work. */
2095 rb_sha512_init_ctx(&ctx
);
2097 /* Add the key string. */
2098 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2100 /* The last part is the salt string. This must be at most 16
2101 characters and it ends at the first `$' character (for
2102 compatibility with existing implementations). */
2103 rb_sha512_process_bytes(salt
, salt_len
, &ctx
);
2106 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2107 final result will be added to the first context. */
2108 rb_sha512_init_ctx(&alt_ctx
);
2111 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2114 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2116 /* Add key again. */
2117 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2119 /* Now get result of this (64 bytes) and add it to the other
2121 rb_sha512_finish_ctx(&alt_ctx
, alt_result
);
2123 /* Add for any character in the key one byte of the alternate sum. */
2124 for (cnt
= key_len
; cnt
> 64; cnt
-= 64)
2125 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2126 rb_sha512_process_bytes(alt_result
, cnt
, &ctx
);
2128 /* Take the binary representation of the length of the key and for every
2129 1 add the alternate sum, for every 0 the key. */
2130 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
2132 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2134 rb_sha512_process_bytes(key
, key_len
, &ctx
);
2136 /* Create intermediate result. */
2137 rb_sha512_finish_ctx(&ctx
, alt_result
);
2139 /* Start computation of P byte sequence. */
2140 rb_sha512_init_ctx(&alt_ctx
);
2142 /* For every character in the password add the entire password. */
2143 for (cnt
= 0; cnt
< key_len
; ++cnt
)
2144 rb_sha512_process_bytes(key
, key_len
, &alt_ctx
);
2146 /* Finish the digest. */
2147 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2149 /* Create byte sequence P. */
2150 cp
= p_bytes
= alloca(key_len
);
2151 for (cnt
= key_len
; cnt
>= 64; cnt
-= 64)
2153 memcpy(cp
, temp_result
, 64);
2156 memcpy(cp
, temp_result
, cnt
);
2158 /* Start computation of S byte sequence. */
2159 rb_sha512_init_ctx(&alt_ctx
);
2161 /* For every character in the password add the entire password. */
2162 for (cnt
= 0; cnt
< (size_t)(16 + alt_result
[0]); ++cnt
)
2163 rb_sha512_process_bytes(salt
, salt_len
, &alt_ctx
);
2165 /* Finish the digest. */
2166 rb_sha512_finish_ctx(&alt_ctx
, temp_result
);
2168 /* Create byte sequence S. */
2169 cp
= s_bytes
= alloca(salt_len
);
2170 for (cnt
= salt_len
; cnt
>= 64; cnt
-= 64)
2172 memcpy(cp
, temp_result
, 64);
2175 memcpy(cp
, temp_result
, cnt
);
2177 /* Repeatedly run the collected hash value through SHA512 to burn
2179 for (cnt
= 0; cnt
< rounds
; ++cnt
)
2182 rb_sha512_init_ctx(&ctx
);
2184 /* Add key or last result. */
2186 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2188 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2190 /* Add salt for numbers not divisible by 3. */
2192 rb_sha512_process_bytes(s_bytes
, salt_len
, &ctx
);
2194 /* Add key for numbers not divisible by 7. */
2196 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2198 /* Add key or last result. */
2200 rb_sha512_process_bytes(alt_result
, 64, &ctx
);
2202 rb_sha512_process_bytes(p_bytes
, key_len
, &ctx
);
2204 /* Create intermediate result. */
2205 rb_sha512_finish_ctx(&ctx
, alt_result
);
2208 /* Now we can construct the result string. It consists of three
2210 memset(buffer
, '\0', MAX(0, buflen
));
2211 strncpy(buffer
, sha512_salt_prefix
, MAX(0, buflen
));
2212 if((cp
= strchr(buffer
, '\0')) == NULL
)
2213 cp
= buffer
+ MAX(0, buflen
);
2214 buflen
-= sizeof(sha512_salt_prefix
) - 1;
2218 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
2219 sha512_rounds_prefix
, rounds
);
2224 memset(cp
, '\0', MIN((size_t) MAX(0, buflen
), salt_len
));
2225 strncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
2226 if((cp
= strchr(buffer
, '\0')) == NULL
)
2227 cp
= buffer
+ salt_len
;
2228 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
2236 b64_from_24bit(alt_result
[0], alt_result
[21], alt_result
[42], 4);
2237 b64_from_24bit(alt_result
[22], alt_result
[43], alt_result
[1], 4);
2238 b64_from_24bit(alt_result
[44], alt_result
[2], alt_result
[23], 4);
2239 b64_from_24bit(alt_result
[3], alt_result
[24], alt_result
[45], 4);
2240 b64_from_24bit(alt_result
[25], alt_result
[46], alt_result
[4], 4);
2241 b64_from_24bit(alt_result
[47], alt_result
[5], alt_result
[26], 4);
2242 b64_from_24bit(alt_result
[6], alt_result
[27], alt_result
[48], 4);
2243 b64_from_24bit(alt_result
[28], alt_result
[49], alt_result
[7], 4);
2244 b64_from_24bit(alt_result
[50], alt_result
[8], alt_result
[29], 4);
2245 b64_from_24bit(alt_result
[9], alt_result
[30], alt_result
[51], 4);
2246 b64_from_24bit(alt_result
[31], alt_result
[52], alt_result
[10], 4);
2247 b64_from_24bit(alt_result
[53], alt_result
[11], alt_result
[32], 4);
2248 b64_from_24bit(alt_result
[12], alt_result
[33], alt_result
[54], 4);
2249 b64_from_24bit(alt_result
[34], alt_result
[55], alt_result
[13], 4);
2250 b64_from_24bit(alt_result
[56], alt_result
[14], alt_result
[35], 4);
2251 b64_from_24bit(alt_result
[15], alt_result
[36], alt_result
[57], 4);
2252 b64_from_24bit(alt_result
[37], alt_result
[58], alt_result
[16], 4);
2253 b64_from_24bit(alt_result
[59], alt_result
[17], alt_result
[38], 4);
2254 b64_from_24bit(alt_result
[18], alt_result
[39], alt_result
[60], 4);
2255 b64_from_24bit(alt_result
[40], alt_result
[61], alt_result
[19], 4);
2256 b64_from_24bit(alt_result
[62], alt_result
[20], alt_result
[41], 4);
2257 b64_from_24bit(0, 0, alt_result
[63], 2);
2265 *cp
= '\0'; /* Terminate the string. */
2267 /* Clear the buffer for the intermediate result so that people
2268 attaching to processes or reading core dumps cannot get any
2269 information. We do it in this way to clear correct_words[]
2270 inside the SHA512 implementation as well. */
2271 rb_sha512_init_ctx(&ctx
);
2272 rb_sha512_finish_ctx(&ctx
, alt_result
);
2273 memset(temp_result
, '\0', sizeof(temp_result
));
2274 memset(p_bytes
, '\0', key_len
);
2275 memset(s_bytes
, '\0', salt_len
);
2276 memset(&ctx
, '\0', sizeof(ctx
));
2277 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
2278 if (copied_key
!= NULL
)
2279 memset(copied_key
, '\0', key_len
);
2280 if (copied_salt
!= NULL
)
2281 memset(copied_salt
, '\0', salt_len
);
2287 /* This entry point is equivalent to the `crypt' function in Unix
2289 static char *rb_sha512_crypt(const char *key
, const char *salt
)
2291 /* We don't want to have an arbitrary limit in the size of the
2292 password. We can compute an upper bound for the size of the
2293 result in advance and so we can prepare the buffer we pass to
2294 `rb_sha512_crypt_r'. */
2295 static char *buffer
;
2297 int needed
= (sizeof(sha512_salt_prefix
) - 1
2298 + sizeof(sha512_rounds_prefix
) + 9 + 1 + strlen(salt
) + 1 + 86 + 1);
2300 if (buflen
< needed
)
2302 char *new_buffer
= (char *)realloc(buffer
, needed
);
2303 if (new_buffer
== NULL
)
2306 buffer
= new_buffer
;
2310 return rb_sha512_crypt_r(key
, salt
, buffer
, buflen
);