]> jfr.im git - solanum.git/blob - librb/src/crypt.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[openssl] Forward-port some more cleanups from fixes to 3.5
[solanum.git] / librb / src / crypt.c
1 /*
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
6 */
7
8 /*
9 * crypt() for uClibc
10 *
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
23 * for more details.
24 *
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 */
29
30 #include <librb_config.h>
31 #include <rb_lib.h>
32
33 static char *rb_md5_crypt(const char *pw, const char *salt);
34 static char *rb_des_crypt(const char *pw, const char *salt);
35 static char *rb_sha256_crypt(const char *key, const char *salt);
36 static char *rb_sha512_crypt(const char *key, const char *salt);
37
38 char *
39 rb_crypt(const char *key, const char *salt)
40 {
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt[0] == '$' && (salt[2] == '$' || salt[3] == '$'))
44 {
45 switch(salt[1])
46 {
47 case '1':
48 return rb_md5_crypt(key, salt);
49 break;
50 case '5':
51 return rb_sha256_crypt(key, salt);
52 break;
53 case '6':
54 return rb_sha512_crypt(key, salt);
55 break;
56 default:
57 return NULL;
58 break;
59 };
60 }
61 else
62 return rb_des_crypt(key, salt);
63 }
64
65 #define b64_from_24bit(B2, B1, B0, N) \
66 do \
67 { \
68 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
69 int n = (N); \
70 while (n-- > 0 && buflen > 0) \
71 { \
72 *cp++ = ascii64[w & 0x3f]; \
73 --buflen; \
74 w >>= 6; \
75 } \
76 } while (0)
77
78 #ifndef MAX
79 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
80 #endif
81 #ifndef MIN
82 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
83 #endif
84
85 /* Here is the des crypt() stuff */
86
87 /*
88 * FreeSec: libcrypt for NetBSD
89 *
90 * Copyright (c) 1994 David Burren
91 * All rights reserved.
92 *
93 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
94 * this file should now *only* export crypt(), in order to make
95 * binaries of libcrypt exportable from the USA
96 *
97 * Adapted for FreeBSD-4.0 by Mark R V Murray
98 * this file should now *only* export crypt_des(), in order to make
99 * a module that can be optionally included in libcrypt.
100 *
101 * Redistribution and use in source and binary forms, with or without
102 * modification, are permitted provided that the following conditions
103 * are met:
104 * 1. Redistributions of source code must retain the above copyright
105 * notice, this list of conditions and the following disclaimer.
106 * 2. Redistributions in binary form must reproduce the above copyright
107 * notice, this list of conditions and the following disclaimer in the
108 * documentation and/or other materials provided with the distribution.
109 * 3. Neither the name of the author nor the names of other contributors
110 * may be used to endorse or promote products derived from this software
111 * without specific prior written permission.
112 *
113 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
114 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
115 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
116 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
117 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
118 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
119 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
120 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
121 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
122 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
123 * SUCH DAMAGE.
124 *
125 * This is an original implementation of the DES and the crypt(3) interfaces
126 * by David Burren <davidb@werj.com.au>.
127 *
128 * An excellent reference on the underlying algorithm (and related
129 * algorithms) is:
130 *
131 * B. Schneier, Applied Cryptography: protocols, algorithms,
132 * and source code in C, John Wiley & Sons, 1994.
133 *
134 * Note that in that book's description of DES the lookups for the initial,
135 * pbox, and final permutations are inverted (this has been brought to the
136 * attention of the author). A list of errata for this book has been
137 * posted to the sci.crypt newsgroup by the author and is available for FTP.
138 *
139 * ARCHITECTURE ASSUMPTIONS:
140 * It is assumed that the 8-byte arrays passed by reference can be
141 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
142 * alignment).
143 */
144
145
146 /* Re-entrantify me -- all this junk needs to be in
147 * struct crypt_data to make this really reentrant... */
148 static uint8_t inv_key_perm[64];
149 static uint8_t inv_comp_perm[56];
150 static uint8_t u_sbox[8][64];
151 static uint8_t un_pbox[32];
152 static uint32_t en_keysl[16], en_keysr[16];
153 static uint32_t de_keysl[16], de_keysr[16];
154 static uint32_t ip_maskl[8][256], ip_maskr[8][256];
155 static uint32_t fp_maskl[8][256], fp_maskr[8][256];
156 static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
157 static uint32_t comp_maskl[8][128], comp_maskr[8][128];
158 static uint32_t saltbits;
159 static uint32_t old_salt;
160 static uint32_t old_rawkey0, old_rawkey1;
161
162
163 /* Static stuff that stays resident and doesn't change after
164 * being initialized, and therefore doesn't need to be made
165 * reentrant. */
166 static uint8_t init_perm[64], final_perm[64];
167 static uint8_t m_sbox[4][4096];
168 static uint32_t psbox[4][256];
169
170 /* A pile of data */
171 static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
172
173 static const uint8_t IP[64] = {
174 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
175 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
176 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
177 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
178 };
179
180 static const uint8_t key_perm[56] = {
181 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
182 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
183 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
184 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
185 };
186
187 static const uint8_t key_shifts[16] = {
188 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
189 };
190
191 static const uint8_t comp_perm[48] = {
192 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
193 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
194 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
195 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
196 };
197
198 /*
199 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
200 */
201
202 static const uint8_t sbox[8][64] = {
203 {
204 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
205 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
206 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
207 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
208 {
209 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
210 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
211 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
212 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
213 {
214 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
215 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
216 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
217 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
218 {
219 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
220 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
221 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
222 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
223 {
224 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
225 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
226 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
227 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
228 {
229 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
230 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
231 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
232 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
233 {
234 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
235 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
236 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
237 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
238 {
239 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
240 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
241 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
242 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
243 };
244
245 static const uint8_t pbox[32] = {
246 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
247 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
248 };
249
250 static const uint32_t bits32[32] = {
251 0x80000000, 0x40000000, 0x20000000, 0x10000000,
252 0x08000000, 0x04000000, 0x02000000, 0x01000000,
253 0x00800000, 0x00400000, 0x00200000, 0x00100000,
254 0x00080000, 0x00040000, 0x00020000, 0x00010000,
255 0x00008000, 0x00004000, 0x00002000, 0x00001000,
256 0x00000800, 0x00000400, 0x00000200, 0x00000100,
257 0x00000080, 0x00000040, 0x00000020, 0x00000010,
258 0x00000008, 0x00000004, 0x00000002, 0x00000001
259 };
260
261 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
262
263 static const uint32_t *bits28, *bits24;
264
265
266 static int
267 rb_ascii_to_bin(char ch)
268 {
269 if(ch > 'z')
270 return (0);
271 if(ch >= 'a')
272 return (ch - 'a' + 38);
273 if(ch > 'Z')
274 return (0);
275 if(ch >= 'A')
276 return (ch - 'A' + 12);
277 if(ch > '9')
278 return (0);
279 if(ch >= '.')
280 return (ch - '.');
281 return (0);
282 }
283
284 static void
285 rb_des_init(void)
286 {
287 int i, j, b, k, inbit, obit;
288 uint32_t *p, *il, *ir, *fl, *fr;
289 static int rb_des_initialised = 0;
290
291 if(rb_des_initialised == 1)
292 return;
293
294 old_rawkey0 = old_rawkey1 = 0L;
295 saltbits = 0L;
296 old_salt = 0L;
297 bits24 = (bits28 = bits32 + 4) + 4;
298
299 /*
300 * Invert the S-boxes, reordering the input bits.
301 */
302 for(i = 0; i < 8; i++)
303 for(j = 0; j < 64; j++)
304 {
305 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
306 u_sbox[i][j] = sbox[i][b];
307 }
308
309 /*
310 * Convert the inverted S-boxes into 4 arrays of 8 bits.
311 * Each will handle 12 bits of the S-box input.
312 */
313 for(b = 0; b < 4; b++)
314 for(i = 0; i < 64; i++)
315 for(j = 0; j < 64; j++)
316 m_sbox[b][(i << 6) | j] =
317 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
318 u_sbox[(b << 1) + 1][j]);
319
320 /*
321 * Set up the initial & final permutations into a useful form, and
322 * initialise the inverted key permutation.
323 */
324 for(i = 0; i < 64; i++)
325 {
326 init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i;
327 inv_key_perm[i] = 255;
328 }
329
330 /*
331 * Invert the key permutation and initialise the inverted key
332 * compression permutation.
333 */
334 for(i = 0; i < 56; i++)
335 {
336 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
337 inv_comp_perm[i] = 255;
338 }
339
340 /*
341 * Invert the key compression permutation.
342 */
343 for(i = 0; i < 48; i++)
344 {
345 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
346 }
347
348 /*
349 * Set up the OR-mask arrays for the initial and final permutations,
350 * and for the key initial and compression permutations.
351 */
352 for(k = 0; k < 8; k++)
353 {
354 for(i = 0; i < 256; i++)
355 {
356 *(il = &ip_maskl[k][i]) = 0L;
357 *(ir = &ip_maskr[k][i]) = 0L;
358 *(fl = &fp_maskl[k][i]) = 0L;
359 *(fr = &fp_maskr[k][i]) = 0L;
360 for(j = 0; j < 8; j++)
361 {
362 inbit = 8 * k + j;
363 if(i & bits8[j])
364 {
365 if((obit = init_perm[inbit]) < 32)
366 *il |= bits32[obit];
367 else
368 *ir |= bits32[obit - 32];
369 if((obit = final_perm[inbit]) < 32)
370 *fl |= bits32[obit];
371 else
372 *fr |= bits32[obit - 32];
373 }
374 }
375 }
376 for(i = 0; i < 128; i++)
377 {
378 *(il = &key_perm_maskl[k][i]) = 0L;
379 *(ir = &key_perm_maskr[k][i]) = 0L;
380 for(j = 0; j < 7; j++)
381 {
382 inbit = 8 * k + j;
383 if(i & bits8[j + 1])
384 {
385 if((obit = inv_key_perm[inbit]) == 255)
386 continue;
387 if(obit < 28)
388 *il |= bits28[obit];
389 else
390 *ir |= bits28[obit - 28];
391 }
392 }
393 *(il = &comp_maskl[k][i]) = 0L;
394 *(ir = &comp_maskr[k][i]) = 0L;
395 for(j = 0; j < 7; j++)
396 {
397 inbit = 7 * k + j;
398 if(i & bits8[j + 1])
399 {
400 if((obit = inv_comp_perm[inbit]) == 255)
401 continue;
402 if(obit < 24)
403 *il |= bits24[obit];
404 else
405 *ir |= bits24[obit - 24];
406 }
407 }
408 }
409 }
410
411 /*
412 * Invert the P-box permutation, and convert into OR-masks for
413 * handling the output of the S-box arrays setup above.
414 */
415 for(i = 0; i < 32; i++)
416 un_pbox[pbox[i] - 1] = (uint8_t)i;
417
418 for(b = 0; b < 4; b++)
419 for(i = 0; i < 256; i++)
420 {
421 *(p = &psbox[b][i]) = 0L;
422 for(j = 0; j < 8; j++)
423 {
424 if(i & bits8[j])
425 *p |= bits32[un_pbox[8 * b + j]];
426 }
427 }
428
429 rb_des_initialised = 1;
430 }
431
432
433 static void
434 rb_setup_salt(long salt)
435 {
436 uint32_t obit, saltbit;
437 int i;
438
439 if(salt == (long)old_salt)
440 return;
441 old_salt = salt;
442
443 saltbits = 0L;
444 saltbit = 1;
445 obit = 0x800000;
446 for(i = 0; i < 24; i++)
447 {
448 if(salt & saltbit)
449 saltbits |= obit;
450 saltbit <<= 1;
451 obit >>= 1;
452 }
453 }
454
455 static int
456 rb_des_setkey(const char *key)
457 {
458 uint32_t k0, k1, rawkey0, rawkey1;
459 int shifts, round;
460
461 rb_des_init();
462
463 rawkey0 = ntohl(*(const uint32_t *)key);
464 rawkey1 = ntohl(*(const uint32_t *)(key + 4));
465
466 if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1)
467 {
468 /*
469 * Already setup for this key.
470 * This optimisation fails on a zero key (which is weak and
471 * has bad parity anyway) in order to simplify the starting
472 * conditions.
473 */
474 return (0);
475 }
476 old_rawkey0 = rawkey0;
477 old_rawkey1 = rawkey1;
478
479 /*
480 * Do key permutation and split into two 28-bit subkeys.
481 */
482 k0 = key_perm_maskl[0][rawkey0 >> 25]
483 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
484 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
485 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
486 | key_perm_maskl[4][rawkey1 >> 25]
487 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
488 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
489 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
490 k1 = key_perm_maskr[0][rawkey0 >> 25]
491 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
492 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
493 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
494 | key_perm_maskr[4][rawkey1 >> 25]
495 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
496 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
497 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
498 /*
499 * Rotate subkeys and do compression permutation.
500 */
501 shifts = 0;
502 for(round = 0; round < 16; round++)
503 {
504 uint32_t t0, t1;
505
506 shifts += key_shifts[round];
507
508 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
509 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
510
511 de_keysl[15 - round] =
512 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
513 | comp_maskl[1][(t0 >> 14) & 0x7f]
514 | comp_maskl[2][(t0 >> 7) & 0x7f]
515 | comp_maskl[3][t0 & 0x7f]
516 | comp_maskl[4][(t1 >> 21) & 0x7f]
517 | comp_maskl[5][(t1 >> 14) & 0x7f]
518 | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f];
519
520 de_keysr[15 - round] =
521 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
522 | comp_maskr[1][(t0 >> 14) & 0x7f]
523 | comp_maskr[2][(t0 >> 7) & 0x7f]
524 | comp_maskr[3][t0 & 0x7f]
525 | comp_maskr[4][(t1 >> 21) & 0x7f]
526 | comp_maskr[5][(t1 >> 14) & 0x7f]
527 | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f];
528 }
529 return (0);
530 }
531
532 static int
533 rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count)
534 {
535 /*
536 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
537 */
538 uint32_t l, r, *kl, *kr, *kl1, *kr1;
539 uint32_t f, r48l, r48r;
540 int round;
541
542 if(count == 0)
543 {
544 return (1);
545 }
546 else if(count > 0)
547 {
548 /*
549 * Encrypting
550 */
551 kl1 = en_keysl;
552 kr1 = en_keysr;
553 }
554 else
555 {
556 /*
557 * Decrypting
558 */
559 count = -count;
560 kl1 = de_keysl;
561 kr1 = de_keysr;
562 }
563
564 /*
565 * Do initial permutation (IP).
566 */
567 l = ip_maskl[0][l_in >> 24]
568 | ip_maskl[1][(l_in >> 16) & 0xff]
569 | ip_maskl[2][(l_in >> 8) & 0xff]
570 | ip_maskl[3][l_in & 0xff]
571 | ip_maskl[4][r_in >> 24]
572 | ip_maskl[5][(r_in >> 16) & 0xff]
573 | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff];
574 r = ip_maskr[0][l_in >> 24]
575 | ip_maskr[1][(l_in >> 16) & 0xff]
576 | ip_maskr[2][(l_in >> 8) & 0xff]
577 | ip_maskr[3][l_in & 0xff]
578 | ip_maskr[4][r_in >> 24]
579 | ip_maskr[5][(r_in >> 16) & 0xff]
580 | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff];
581
582 while(count--)
583 {
584 /*
585 * Do each round.
586 */
587 kl = kl1;
588 kr = kr1;
589 round = 16;
590 while(round--)
591 {
592 /*
593 * Expand R to 48 bits (simulate the E-box).
594 */
595 r48l = ((r & 0x00000001) << 23)
596 | ((r & 0xf8000000) >> 9)
597 | ((r & 0x1f800000) >> 11)
598 | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15);
599
600 r48r = ((r & 0x0001f800) << 7)
601 | ((r & 0x00001f80) << 5)
602 | ((r & 0x000001f8) << 3)
603 | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31);
604 /*
605 * Do salting for crypt() and friends, and
606 * XOR with the permuted key.
607 */
608 f = (r48l ^ r48r) & saltbits;
609 r48l ^= f ^ *kl++;
610 r48r ^= f ^ *kr++;
611 /*
612 * Do sbox lookups (which shrink it back to 32 bits)
613 * and do the pbox permutation at the same time.
614 */
615 f = psbox[0][m_sbox[0][r48l >> 12]]
616 | psbox[1][m_sbox[1][r48l & 0xfff]]
617 | psbox[2][m_sbox[2][r48r >> 12]]
618 | psbox[3][m_sbox[3][r48r & 0xfff]];
619 /*
620 * Now that we've permuted things, complete f().
621 */
622 f ^= l;
623 l = r;
624 r = f;
625 }
626 r = l;
627 l = f;
628 }
629 /*
630 * Do final permutation (inverse of IP).
631 */
632 *l_out = fp_maskl[0][l >> 24]
633 | fp_maskl[1][(l >> 16) & 0xff]
634 | fp_maskl[2][(l >> 8) & 0xff]
635 | fp_maskl[3][l & 0xff]
636 | fp_maskl[4][r >> 24]
637 | fp_maskl[5][(r >> 16) & 0xff]
638 | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff];
639 *r_out = fp_maskr[0][l >> 24]
640 | fp_maskr[1][(l >> 16) & 0xff]
641 | fp_maskr[2][(l >> 8) & 0xff]
642 | fp_maskr[3][l & 0xff]
643 | fp_maskr[4][r >> 24]
644 | fp_maskr[5][(r >> 16) & 0xff]
645 | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff];
646 return (0);
647 }
648
649 static char *
650 rb_des_crypt(const char *key, const char *setting)
651 {
652 uint32_t count, salt, l, r0, r1, keybuf[2];
653 uint8_t *p, *q;
654 static char output[21];
655
656 rb_des_init();
657
658 /*
659 * Copy the key, shifting each character up by one bit
660 * and padding with zeros.
661 */
662 q = (uint8_t *)keybuf;
663 while(q - (uint8_t *)keybuf - 8)
664 {
665 *q++ = *key << 1;
666 if(*(q - 1))
667 key++;
668 }
669 if(rb_des_setkey((char *)keybuf))
670 return (NULL);
671 {
672 /*
673 * "old"-style:
674 * setting - 2 bytes of salt
675 * key - up to 8 characters
676 */
677 count = 25;
678
679 salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]);
680
681 output[0] = setting[0];
682 /*
683 * If the encrypted password that the salt was extracted from
684 * is only 1 character long, the salt will be corrupted. We
685 * need to ensure that the output string doesn't have an extra
686 * NUL in it!
687 */
688 output[1] = setting[1] ? setting[1] : output[0];
689
690 p = (uint8_t *)output + 2;
691 }
692 rb_setup_salt(salt);
693 /*
694 * Do it.
695 */
696 if(rb_do_des(0L, 0L, &r0, &r1, (int)count))
697 return (NULL);
698 /*
699 * Now encode the result...
700 */
701 l = (r0 >> 8);
702 *p++ = ascii64[(l >> 18) & 0x3f];
703 *p++ = ascii64[(l >> 12) & 0x3f];
704 *p++ = ascii64[(l >> 6) & 0x3f];
705 *p++ = ascii64[l & 0x3f];
706
707 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
708 *p++ = ascii64[(l >> 18) & 0x3f];
709 *p++ = ascii64[(l >> 12) & 0x3f];
710 *p++ = ascii64[(l >> 6) & 0x3f];
711 *p++ = ascii64[l & 0x3f];
712
713 l = r1 << 2;
714 *p++ = ascii64[(l >> 12) & 0x3f];
715 *p++ = ascii64[(l >> 6) & 0x3f];
716 *p++ = ascii64[l & 0x3f];
717 *p = 0;
718
719 return (output);
720 }
721
722 /* Now md5 crypt */
723 /*
724 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
725 *
726 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
727 * rights reserved.
728 *
729 * License to copy and use this software is granted provided that it
730 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
731 * Algorithm" in all material mentioning or referencing this software
732 * or this function.
733 *
734 * License is also granted to make and use derivative works provided
735 * that such works are identified as "derived from the RSA Data
736 * Security, Inc. MD5 Message-Digest Algorithm" in all material
737 * mentioning or referencing the derived work.
738 *
739 * RSA Data Security, Inc. makes no representations concerning either
740 * the merchantability of this software or the suitability of this
741 * software for any particular purpose. It is provided "as is"
742 * without express or implied warranty of any kind.
743 *
744 * These notices must be retained in any copies of any part of this
745 * documentation and/or software.
746 *
747 * This code is the same as the code published by RSA Inc. It has been
748 * edited for clarity and style only.
749 */
750
751 #define MD5_BLOCK_LENGTH 64
752 #define MD5_DIGEST_LENGTH 16
753 #define MD5_DIGEST_STRING_LENGTH (MD5_DIGEST_LENGTH * 2 + 1)
754 #define MD5_SIZE 16
755
756 static void
757 _crypt_to64(char *s, unsigned long v, int n)
758 {
759 while (--n >= 0) {
760 *s++ = ascii64[v&0x3f];
761 v >>= 6;
762 }
763 }
764
765 /* MD5 context. */
766 typedef struct MD5Context {
767 uint32_t state[4]; /* state (ABCD) */
768 uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */
769 unsigned char buffer[64]; /* input buffer */
770 } MD5_CTX;
771
772 static void MD5Transform(uint32_t [4], const unsigned char [64]);
773 static void MD5Init (MD5_CTX *);
774 static void MD5Update (MD5_CTX *, const void *, unsigned int);
775 static void MD5Final (unsigned char [16], MD5_CTX *);
776
777 #ifndef WORDS_BIGENDIAN
778 #define Encode memcpy
779 #define Decode memcpy
780 #else
781
782 /*
783 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
784 * a multiple of 4.
785 */
786
787 static void
788 Encode (unsigned char *output, uint32_t *input, unsigned int len)
789 {
790 unsigned int i;
791 uint32_t *op = (uint32_t *)output;
792
793 for (i = 0; i < len / 4; i++)
794 op[i] = htole32(input[i]);
795 }
796
797 /*
798 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
799 * a multiple of 4.
800 */
801
802 static void
803 Decode (uint32_t *output, const unsigned char *input, unsigned int len)
804 {
805 unsigned int i;
806 const uint32_t *ip = (const uint32_t *)input;
807
808 for (i = 0; i < len / 4; i++)
809 output[i] = le32toh(ip[i]);
810 }
811 #endif
812
813 static unsigned char PADDING[64] = {
814 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
815 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
816 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
817 };
818
819 /* F, G, H and I are basic MD5 functions. */
820 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
821 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
822 #define H(x, y, z) ((x) ^ (y) ^ (z))
823 #define I(x, y, z) ((y) ^ ((x) | (~z)))
824
825 /* ROTATE_LEFT rotates x left n bits. */
826 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
827
828 /*
829 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
830 * Rotation is separate from addition to prevent recomputation.
831 */
832 #define FF(a, b, c, d, x, s, ac) { \
833 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
834 (a) = ROTATE_LEFT ((a), (s)); \
835 (a) += (b); \
836 }
837 #define GG(a, b, c, d, x, s, ac) { \
838 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
839 (a) = ROTATE_LEFT ((a), (s)); \
840 (a) += (b); \
841 }
842 #define HH(a, b, c, d, x, s, ac) { \
843 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
844 (a) = ROTATE_LEFT ((a), (s)); \
845 (a) += (b); \
846 }
847 #define II(a, b, c, d, x, s, ac) { \
848 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
849 (a) = ROTATE_LEFT ((a), (s)); \
850 (a) += (b); \
851 }
852
853 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
854
855 static void
856 MD5Init (context)
857 MD5_CTX *context;
858 {
859
860 context->count[0] = context->count[1] = 0;
861
862 /* Load magic initialization constants. */
863 context->state[0] = 0x67452301;
864 context->state[1] = 0xefcdab89;
865 context->state[2] = 0x98badcfe;
866 context->state[3] = 0x10325476;
867 }
868
869 /*
870 * MD5 block update operation. Continues an MD5 message-digest
871 * operation, processing another message block, and updating the
872 * context.
873 */
874
875 static void
876 MD5Update (context, in, inputLen)
877 MD5_CTX *context;
878 const void *in;
879 unsigned int inputLen;
880 {
881 unsigned int i, idx, partLen;
882 const unsigned char *input = in;
883
884 /* Compute number of bytes mod 64 */
885 idx = (unsigned int)((context->count[0] >> 3) & 0x3F);
886
887 /* Update number of bits */
888 if ((context->count[0] += ((uint32_t)inputLen << 3))
889 < ((uint32_t)inputLen << 3))
890 context->count[1]++;
891 context->count[1] += ((uint32_t)inputLen >> 29);
892
893 partLen = 64 - idx;
894
895 /* Transform as many times as possible. */
896 if (inputLen >= partLen) {
897 memcpy((void *)&context->buffer[idx], (const void *)input,
898 partLen);
899 MD5Transform (context->state, context->buffer);
900
901 for (i = partLen; i + 63 < inputLen; i += 64)
902 MD5Transform (context->state, &input[i]);
903
904 idx = 0;
905 }
906 else
907 i = 0;
908
909 /* Buffer remaining input */
910 memcpy ((void *)&context->buffer[idx], (const void *)&input[i],
911 inputLen-i);
912 }
913
914 /*
915 * MD5 padding. Adds padding followed by original length.
916 */
917
918 static void
919 MD5Pad (context)
920 MD5_CTX *context;
921 {
922 unsigned char bits[8];
923 unsigned int idx, padLen;
924
925 /* Save number of bits */
926 Encode (bits, context->count, 8);
927
928 /* Pad out to 56 mod 64. */
929 idx = (unsigned int)((context->count[0] >> 3) & 0x3f);
930 padLen = (idx < 56) ? (56 - idx) : (120 - idx);
931 MD5Update (context, PADDING, padLen);
932
933 /* Append length (before padding) */
934 MD5Update (context, bits, 8);
935 }
936
937 /*
938 * MD5 finalization. Ends an MD5 message-digest operation, writing the
939 * the message digest and zeroizing the context.
940 */
941
942 static void
943 MD5Final (digest, context)
944 unsigned char digest[16];
945 MD5_CTX *context;
946 {
947 /* Do padding. */
948 MD5Pad (context);
949
950 /* Store state in digest */
951 Encode (digest, context->state, 16);
952
953 /* Zeroize sensitive information. */
954 memset ((void *)context, 0, sizeof (*context));
955 }
956
957 /* MD5 basic transformation. Transforms state based on block. */
958
959 static void
960 MD5Transform (state, block)
961 uint32_t state[4];
962 const unsigned char block[64];
963 {
964 uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
965
966 Decode (x, block, 64);
967
968 /* Round 1 */
969 #define S11 7
970 #define S12 12
971 #define S13 17
972 #define S14 22
973 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
974 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
975 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
976 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
977 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
978 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
979 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
980 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
981 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
982 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
983 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
984 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
985 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
986 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
987 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
988 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
989
990 /* Round 2 */
991 #define S21 5
992 #define S22 9
993 #define S23 14
994 #define S24 20
995 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
996 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
997 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
998 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
999 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
1000 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
1001 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
1002 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
1003 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
1004 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
1005 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
1006 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
1007 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
1008 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
1009 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
1010 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
1011
1012 /* Round 3 */
1013 #define S31 4
1014 #define S32 11
1015 #define S33 16
1016 #define S34 23
1017 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
1018 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
1019 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
1020 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
1021 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
1022 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
1023 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
1024 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
1025 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
1026 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
1027 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
1028 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
1029 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
1030 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
1031 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
1032 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
1033
1034 /* Round 4 */
1035 #define S41 6
1036 #define S42 10
1037 #define S43 15
1038 #define S44 21
1039 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
1040 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
1041 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
1042 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
1043 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
1044 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
1045 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
1046 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
1047 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
1048 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
1049 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
1050 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
1051 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
1052 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
1053 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
1054 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
1055
1056 state[0] += a;
1057 state[1] += b;
1058 state[2] += c;
1059 state[3] += d;
1060
1061 /* Zeroize sensitive information. */
1062 memset ((void *)x, 0, sizeof (x));
1063 }
1064
1065 /*
1066 * UNIX password
1067 */
1068
1069 static char *
1070 rb_md5_crypt(const char *pw, const char *salt)
1071 {
1072 MD5_CTX ctx,ctx1;
1073 unsigned long l;
1074 int sl, pl;
1075 unsigned int i;
1076 unsigned char final[MD5_SIZE];
1077 static const char *sp, *ep;
1078 static char passwd[120], *p;
1079 static const char *magic = "$1$";
1080
1081 /* Refine the Salt first */
1082 sp = salt;
1083
1084 /* If it starts with the magic string, then skip that */
1085 if(!strncmp(sp, magic, strlen(magic)))
1086 sp += strlen(magic);
1087
1088 /* It stops at the first '$', max 8 chars */
1089 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
1090 continue;
1091
1092 /* get the length of the true salt */
1093 sl = ep - sp;
1094
1095 MD5Init(&ctx);
1096
1097 /* The password first, since that is what is most unknown */
1098 MD5Update(&ctx, (const unsigned char *)pw, strlen(pw));
1099
1100 /* Then our magic string */
1101 MD5Update(&ctx, (const unsigned char *)magic, strlen(magic));
1102
1103 /* Then the raw salt */
1104 MD5Update(&ctx, (const unsigned char *)sp, (unsigned int)sl);
1105
1106 /* Then just as many characters of the MD5(pw,salt,pw) */
1107 MD5Init(&ctx1);
1108 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1109 MD5Update(&ctx1, (const unsigned char *)sp, (unsigned int)sl);
1110 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1111 MD5Final(final, &ctx1);
1112 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
1113 MD5Update(&ctx, (const unsigned char *)final,
1114 (unsigned int)(pl > MD5_SIZE ? MD5_SIZE : pl));
1115
1116 /* Don't leave anything around in vm they could use. */
1117 memset(final, 0, sizeof(final));
1118
1119 /* Then something really weird... */
1120 for (i = strlen(pw); i; i >>= 1)
1121 if(i & 1)
1122 MD5Update(&ctx, (const unsigned char *)final, 1);
1123 else
1124 MD5Update(&ctx, (const unsigned char *)pw, 1);
1125
1126 /* Now make the output string */
1127 rb_strlcpy(passwd, magic, sizeof(passwd));
1128 strncat(passwd, sp, (unsigned int)sl);
1129 rb_strlcat(passwd, "$", sizeof(passwd));
1130
1131 MD5Final(final, &ctx);
1132
1133 /*
1134 * and now, just to make sure things don't run too fast
1135 * On a 60 Mhz Pentium this takes 34 msec, so you would
1136 * need 30 seconds to build a 1000 entry dictionary...
1137 */
1138 for(i = 0; i < 1000; i++) {
1139 MD5Init(&ctx1);
1140 if(i & 1)
1141 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1142 else
1143 MD5Update(&ctx1, (const unsigned char *)final, MD5_SIZE);
1144
1145 if(i % 3)
1146 MD5Update(&ctx1, (const unsigned char *)sp, (unsigned int)sl);
1147
1148 if(i % 7)
1149 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1150
1151 if(i & 1)
1152 MD5Update(&ctx1, (const unsigned char *)final, MD5_SIZE);
1153 else
1154 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1155 MD5Final(final, &ctx1);
1156 }
1157
1158 p = passwd + strlen(passwd);
1159
1160 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
1161 _crypt_to64(p, l, 4); p += 4;
1162 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
1163 _crypt_to64(p, l, 4); p += 4;
1164 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
1165 _crypt_to64(p, l, 4); p += 4;
1166 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
1167 _crypt_to64(p, l, 4); p += 4;
1168 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
1169 _crypt_to64(p, l, 4); p += 4;
1170 l = final[11];
1171 _crypt_to64(p, l, 2); p += 2;
1172 *p = '\0';
1173
1174 /* Don't leave anything around in vm they could use. */
1175 memset(final, 0, sizeof(final));
1176
1177 return (passwd);
1178 }
1179
1180
1181 /* SHA256-based Unix crypt implementation.
1182 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1183
1184 /* Structure to save state of computation between the single steps. */
1185 struct sha256_ctx
1186 {
1187 uint32_t H[8];
1188
1189 uint32_t total[2];
1190 uint32_t buflen;
1191 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
1192 };
1193
1194 #ifndef WORDS_BIGENDIAN
1195 # define SHA256_SWAP(n) \
1196 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1197 #else
1198 # define SHA256_SWAP(n) (n)
1199 #endif
1200
1201 /* This array contains the bytes used to pad the buffer to the next
1202 64-byte boundary. (FIPS 180-2:5.1.1) */
1203 static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
1204
1205
1206 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1207 static const uint32_t SHA256_K[64] = {
1208 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1209 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1210 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1211 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1212 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1213 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1214 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1215 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1216 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1217 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1218 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1219 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1220 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1221 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1222 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1223 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1224 };
1225
1226
1227 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1228 It is assumed that LEN % 64 == 0. */
1229 static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
1230 {
1231 const uint32_t *words = buffer;
1232 size_t nwords = len / sizeof(uint32_t);
1233 uint32_t a = ctx->H[0];
1234 uint32_t b = ctx->H[1];
1235 uint32_t c = ctx->H[2];
1236 uint32_t d = ctx->H[3];
1237 uint32_t e = ctx->H[4];
1238 uint32_t f = ctx->H[5];
1239 uint32_t g = ctx->H[6];
1240 uint32_t h = ctx->H[7];
1241
1242 /* First increment the byte count. FIPS 180-2 specifies the possible
1243 length of the file up to 2^64 bits. Here we only compute the
1244 number of bytes. Do a double word increment. */
1245 ctx->total[0] += len;
1246 if (ctx->total[0] < len)
1247 ++ctx->total[1];
1248
1249 /* Process all bytes in the buffer with 64 bytes in each round of
1250 the loop. */
1251 while (nwords > 0)
1252 {
1253 uint32_t W[64];
1254 uint32_t a_save = a;
1255 uint32_t b_save = b;
1256 uint32_t c_save = c;
1257 uint32_t d_save = d;
1258 uint32_t e_save = e;
1259 uint32_t f_save = f;
1260 uint32_t g_save = g;
1261 uint32_t h_save = h;
1262 unsigned int t;
1263
1264 /* Operators defined in FIPS 180-2:4.1.2. */
1265 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1266 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1267 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1268 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1269 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1270 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1271
1272 /* It is unfortunate that C does not provide an operator for
1273 cyclic rotation. Hope the C compiler is smart enough. */
1274 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1275
1276 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1277 for (t = 0; t < 16; ++t)
1278 {
1279 W[t] = SHA256_SWAP(*words);
1280 ++words;
1281 }
1282 for (t = 16; t < 64; ++t)
1283 W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16];
1284
1285 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1286 for (t = 0; t < 64; ++t)
1287 {
1288 uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t];
1289 uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c);
1290 h = g;
1291 g = f;
1292 f = e;
1293 e = d + T1;
1294 d = c;
1295 c = b;
1296 b = a;
1297 a = T1 + T2;
1298 }
1299
1300 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1301 step 4. */
1302 a += a_save;
1303 b += b_save;
1304 c += c_save;
1305 d += d_save;
1306 e += e_save;
1307 f += f_save;
1308 g += g_save;
1309 h += h_save;
1310
1311 /* Prepare for the next round. */
1312 nwords -= 16;
1313 }
1314
1315 /* Put checksum in context given as argument. */
1316 ctx->H[0] = a;
1317 ctx->H[1] = b;
1318 ctx->H[2] = c;
1319 ctx->H[3] = d;
1320 ctx->H[4] = e;
1321 ctx->H[5] = f;
1322 ctx->H[6] = g;
1323 ctx->H[7] = h;
1324 }
1325
1326
1327 /* Initialize structure containing state of computation.
1328 (FIPS 180-2:5.3.2) */
1329 static void rb_sha256_init_ctx(struct sha256_ctx *ctx)
1330 {
1331 ctx->H[0] = 0x6a09e667;
1332 ctx->H[1] = 0xbb67ae85;
1333 ctx->H[2] = 0x3c6ef372;
1334 ctx->H[3] = 0xa54ff53a;
1335 ctx->H[4] = 0x510e527f;
1336 ctx->H[5] = 0x9b05688c;
1337 ctx->H[6] = 0x1f83d9ab;
1338 ctx->H[7] = 0x5be0cd19;
1339
1340 ctx->total[0] = ctx->total[1] = 0;
1341 ctx->buflen = 0;
1342 }
1343
1344
1345 /* Process the remaining bytes in the internal buffer and the usual
1346 prolog according to the standard and write the result to RESBUF.
1347
1348 IMPORTANT: On some systems it is required that RESBUF is correctly
1349 aligned for a 32 bits value. */
1350 static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
1351 {
1352 /* Take yet unprocessed bytes into account. */
1353 uint32_t bytes = ctx->buflen, *ptr;
1354 size_t pad;
1355 unsigned int i;
1356
1357 /* Now count remaining bytes. */
1358 ctx->total[0] += bytes;
1359 if (ctx->total[0] < bytes)
1360 ++ctx->total[1];
1361
1362 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
1363 memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad);
1364
1365 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1366 ptr = (uint32_t *)&ctx->buffer[bytes + pad + 4]; /* Avoid warnings about strict aliasing */
1367 *ptr = SHA256_SWAP(ctx->total[0] << 3);
1368
1369 ptr = (uint32_t *)&ctx->buffer[bytes + pad];
1370 *ptr = SHA256_SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 29));
1371
1372 /* Process last bytes. */
1373 rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
1374
1375 /* Put result from CTX in first 32 bytes following RESBUF. */
1376 for (i = 0; i < 8; ++i)
1377 ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]);
1378
1379 return resbuf;
1380 }
1381
1382
1383 static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
1384 {
1385 /* When we already have some bits in our internal buffer concatenate
1386 both inputs first. */
1387 if (ctx->buflen != 0)
1388 {
1389 size_t left_over = ctx->buflen;
1390 size_t add = 128 - left_over > len ? len : 128 - left_over;
1391
1392 memcpy(&ctx->buffer[left_over], buffer, add);
1393 ctx->buflen += add;
1394
1395 if (ctx->buflen > 64)
1396 {
1397 rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
1398
1399 ctx->buflen &= 63;
1400 /* The regions in the following copy operation cannot overlap. */
1401 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
1402 }
1403
1404 buffer = (const char *)buffer + add;
1405 len -= add;
1406 }
1407
1408 /* Process available complete blocks. */
1409 if (len >= 64)
1410 {
1411 /* To check alignment gcc has an appropriate operator. Other
1412 compilers don't. */
1413 #if __GNUC__ >= 2
1414 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1415 #else
1416 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1417 #endif
1418 if (SHA256_UNALIGNED_P(buffer))
1419 while (len > 64)
1420 {
1421 rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
1422 buffer = (const char *)buffer + 64;
1423 len -= 64;
1424 }
1425 else
1426 {
1427 rb_sha256_process_block(buffer, len & ~63, ctx);
1428 buffer = (const char *)buffer + (len & ~63);
1429 len &= 63;
1430 }
1431 }
1432
1433 /* Move remaining bytes into internal buffer. */
1434 if (len > 0)
1435 {
1436 size_t left_over = ctx->buflen;
1437
1438 memcpy(&ctx->buffer[left_over], buffer, len);
1439 left_over += len;
1440 if (left_over >= 64)
1441 {
1442 rb_sha256_process_block(ctx->buffer, 64, ctx);
1443 left_over -= 64;
1444 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
1445 }
1446 ctx->buflen = left_over;
1447 }
1448 }
1449
1450
1451 /* Define our magic string to mark salt for SHA256 "encryption"
1452 replacement. */
1453 static const char sha256_salt_prefix[] = "$5$";
1454
1455 /* Prefix for optional rounds specification. */
1456 static const char sha256_rounds_prefix[] = "rounds=";
1457
1458 /* Maximum salt string length. */
1459 #define SHA256_SALT_LEN_MAX 16
1460 /* Default number of rounds if not explicitly specified. */
1461 #define SHA256_ROUNDS_DEFAULT 5000
1462 /* Minimum number of rounds. */
1463 #define SHA256_ROUNDS_MIN 1000
1464 /* Maximum number of rounds. */
1465 #define SHA256_ROUNDS_MAX 999999999
1466
1467 static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
1468 {
1469 unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1470 unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1471 struct sha256_ctx ctx;
1472 struct sha256_ctx alt_ctx;
1473 size_t salt_len;
1474 size_t key_len;
1475 size_t cnt;
1476 char *cp;
1477 char *copied_key = NULL;
1478 char *copied_salt = NULL;
1479 char *p_bytes;
1480 char *s_bytes;
1481 /* Default number of rounds. */
1482 size_t rounds = SHA256_ROUNDS_DEFAULT;
1483 int rounds_custom = 0;
1484
1485 /* Find beginning of salt string. The prefix should normally always
1486 be present. Just in case it is not. */
1487 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
1488 /* Skip salt prefix. */
1489 salt += sizeof(sha256_salt_prefix) - 1;
1490
1491 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0)
1492 {
1493 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
1494 char *endp;
1495 unsigned long int srounds = strtoul(num, &endp, 10);
1496 if (*endp == '$')
1497 {
1498 salt = endp + 1;
1499 rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX));
1500 rounds_custom = 1;
1501 }
1502 }
1503
1504 salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX);
1505 key_len = strlen(key);
1506
1507 if ((key - (char *)0) % __alignof__(uint32_t) != 0)
1508 {
1509 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t));
1510 key = copied_key =
1511 memcpy(tmp + __alignof__(uint32_t)
1512 - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len);
1513 }
1514
1515 if ((salt - (char *)0) % __alignof__(uint32_t) != 0)
1516 {
1517 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t));
1518 salt = copied_salt =
1519 memcpy(tmp + __alignof__(uint32_t)
1520 - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len);
1521 }
1522
1523 /* Prepare for the real work. */
1524 rb_sha256_init_ctx(&ctx);
1525
1526 /* Add the key string. */
1527 rb_sha256_process_bytes(key, key_len, &ctx);
1528
1529 /* The last part is the salt string. This must be at most 16
1530 characters and it ends at the first `$' character (for
1531 compatibility with existing implementations). */
1532 rb_sha256_process_bytes(salt, salt_len, &ctx);
1533
1534
1535 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1536 final result will be added to the first context. */
1537 rb_sha256_init_ctx(&alt_ctx);
1538
1539 /* Add key. */
1540 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1541
1542 /* Add salt. */
1543 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1544
1545 /* Add key again. */
1546 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1547
1548 /* Now get result of this (32 bytes) and add it to the other
1549 context. */
1550 rb_sha256_finish_ctx(&alt_ctx, alt_result);
1551
1552 /* Add for any character in the key one byte of the alternate sum. */
1553 for (cnt = key_len; cnt > 32; cnt -= 32)
1554 rb_sha256_process_bytes(alt_result, 32, &ctx);
1555 rb_sha256_process_bytes(alt_result, cnt, &ctx);
1556
1557 /* Take the binary representation of the length of the key and for every
1558 1 add the alternate sum, for every 0 the key. */
1559 for (cnt = key_len; cnt > 0; cnt >>= 1)
1560 if ((cnt & 1) != 0)
1561 rb_sha256_process_bytes(alt_result, 32, &ctx);
1562 else
1563 rb_sha256_process_bytes(key, key_len, &ctx);
1564
1565 /* Create intermediate result. */
1566 rb_sha256_finish_ctx(&ctx, alt_result);
1567
1568 /* Start computation of P byte sequence. */
1569 rb_sha256_init_ctx(&alt_ctx);
1570
1571 /* For every character in the password add the entire password. */
1572 for (cnt = 0; cnt < key_len; ++cnt)
1573 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1574
1575 /* Finish the digest. */
1576 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1577
1578 /* Create byte sequence P. */
1579 cp = p_bytes = alloca(key_len);
1580 for (cnt = key_len; cnt >= 32; cnt -= 32)
1581 {
1582 memcpy(cp, temp_result, 32);
1583 cp += 32;
1584 }
1585 memcpy(cp, temp_result, cnt);
1586
1587 /* Start computation of S byte sequence. */
1588 rb_sha256_init_ctx(&alt_ctx);
1589
1590 /* For every character in the password add the entire password. */
1591 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
1592 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1593
1594 /* Finish the digest. */
1595 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1596
1597 /* Create byte sequence S. */
1598 cp = s_bytes = alloca(salt_len);
1599 for (cnt = salt_len; cnt >= 32; cnt -= 32)
1600 {
1601 memcpy(cp, temp_result, 32);
1602 cp += 32;
1603 }
1604 memcpy(cp, temp_result, cnt);
1605
1606 /* Repeatedly run the collected hash value through SHA256 to burn
1607 CPU cycles. */
1608 for (cnt = 0; cnt < rounds; ++cnt)
1609 {
1610 /* New context. */
1611 rb_sha256_init_ctx(&ctx);
1612
1613 /* Add key or last result. */
1614 if ((cnt & 1) != 0)
1615 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1616 else
1617 rb_sha256_process_bytes(alt_result, 32, &ctx);
1618
1619 /* Add salt for numbers not divisible by 3. */
1620 if (cnt % 3 != 0)
1621 rb_sha256_process_bytes(s_bytes, salt_len, &ctx);
1622
1623 /* Add key for numbers not divisible by 7. */
1624 if (cnt % 7 != 0)
1625 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1626
1627 /* Add key or last result. */
1628 if ((cnt & 1) != 0)
1629 rb_sha256_process_bytes(alt_result, 32, &ctx);
1630 else
1631 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1632
1633 /* Create intermediate result. */
1634 rb_sha256_finish_ctx(&ctx, alt_result);
1635 }
1636
1637 /* Now we can construct the result string. It consists of three
1638 parts. */
1639 memset(buffer, '\0', MAX(0, buflen));
1640 strncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1641 if((cp = strchr(buffer, '\0')) == NULL)
1642 cp = buffer + MAX(0, buflen);
1643 buflen -= sizeof(sha256_salt_prefix) - 1;
1644
1645 if (rounds_custom)
1646 {
1647 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1648 sha256_rounds_prefix, rounds);
1649 cp += n;
1650 buflen -= n;
1651 }
1652
1653 memset(cp, '\0', salt_len);
1654 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
1655 if((cp = strchr(buffer, '\0')) == NULL)
1656 cp += salt_len;
1657 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
1658
1659 if (buflen > 0)
1660 {
1661 *cp++ = '$';
1662 --buflen;
1663 }
1664
1665 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
1666 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
1667 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
1668 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
1669 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
1670 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
1671 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
1672 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
1673 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
1674 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
1675 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
1676 if (buflen <= 0)
1677 {
1678 errno = ERANGE;
1679 buffer = NULL;
1680 }
1681 else
1682 *cp = '\0'; /* Terminate the string. */
1683
1684 /* Clear the buffer for the intermediate result so that people
1685 attaching to processes or reading core dumps cannot get any
1686 information. We do it in this way to clear correct_words[]
1687 inside the SHA256 implementation as well. */
1688 rb_sha256_init_ctx(&ctx);
1689 rb_sha256_finish_ctx(&ctx, alt_result);
1690 memset(temp_result, '\0', sizeof(temp_result));
1691 memset(p_bytes, '\0', key_len);
1692 memset(s_bytes, '\0', salt_len);
1693 memset(&ctx, '\0', sizeof(ctx));
1694 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1695 if (copied_key != NULL)
1696 memset(copied_key, '\0', key_len);
1697 if (copied_salt != NULL)
1698 memset(copied_salt, '\0', salt_len);
1699
1700 return buffer;
1701 }
1702
1703
1704 /* This entry point is equivalent to the `crypt' function in Unix
1705 libcs. */
1706 static char *rb_sha256_crypt(const char *key, const char *salt)
1707 {
1708 /* We don't want to have an arbitrary limit in the size of the
1709 password. We can compute an upper bound for the size of the
1710 result in advance and so we can prepare the buffer we pass to
1711 `rb_sha256_crypt_r'. */
1712 static char *buffer;
1713 static int buflen;
1714 int needed = (sizeof(sha256_salt_prefix) - 1
1715 + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1);
1716
1717 char *new_buffer = (char *)malloc(needed);
1718 if (new_buffer == NULL)
1719 return NULL;
1720
1721 buffer = new_buffer;
1722 buflen = needed;
1723
1724 return rb_sha256_crypt_r(key, salt, buffer, buflen);
1725 }
1726
1727 /* Structure to save state of computation between the single steps. */
1728 struct sha512_ctx
1729 {
1730 uint64_t H[8];
1731
1732 uint64_t total[2];
1733 uint64_t buflen;
1734 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
1735 };
1736
1737
1738 #ifndef WORDS_BIGENDIAN
1739 # define SHA512_SWAP(n) \
1740 (((n) << 56) \
1741 | (((n) & 0xff00) << 40) \
1742 | (((n) & 0xff0000) << 24) \
1743 | (((n) & 0xff000000) << 8) \
1744 | (((n) >> 8) & 0xff000000) \
1745 | (((n) >> 24) & 0xff0000) \
1746 | (((n) >> 40) & 0xff00) \
1747 | ((n) >> 56))
1748 #else
1749 # define SHA512_SWAP(n) (n)
1750 #endif
1751
1752
1753 /* This array contains the bytes used to pad the buffer to the next
1754 64-byte boundary. (FIPS 180-2:5.1.2) */
1755 static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
1756
1757
1758 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1759 static const uint64_t SHA512_K[80] = {
1760 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
1761 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
1762 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
1763 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
1764 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
1765 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
1766 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
1767 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
1768 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
1769 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
1770 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
1771 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
1772 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
1773 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
1774 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
1775 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
1776 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
1777 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
1778 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
1779 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
1780 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
1781 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
1782 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
1783 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
1784 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
1785 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
1786 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
1787 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
1788 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
1789 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
1790 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
1791 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
1792 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
1793 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
1794 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
1795 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
1796 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
1797 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
1798 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
1799 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
1800 };
1801
1802
1803 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1804 It is assumed that LEN % 128 == 0. */
1805 static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
1806 {
1807 const uint64_t *words = buffer;
1808 size_t nwords = len / sizeof(uint64_t);
1809 uint64_t a = ctx->H[0];
1810 uint64_t b = ctx->H[1];
1811 uint64_t c = ctx->H[2];
1812 uint64_t d = ctx->H[3];
1813 uint64_t e = ctx->H[4];
1814 uint64_t f = ctx->H[5];
1815 uint64_t g = ctx->H[6];
1816 uint64_t h = ctx->H[7];
1817
1818 /* First increment the byte count. FIPS 180-2 specifies the possible
1819 length of the file up to 2^128 bits. Here we only compute the
1820 number of bytes. Do a double word increment. */
1821 ctx->total[0] += len;
1822 if (ctx->total[0] < len)
1823 ++ctx->total[1];
1824
1825 /* Process all bytes in the buffer with 128 bytes in each round of
1826 the loop. */
1827 while (nwords > 0)
1828 {
1829 uint64_t W[80];
1830 uint64_t a_save = a;
1831 uint64_t b_save = b;
1832 uint64_t c_save = c;
1833 uint64_t d_save = d;
1834 uint64_t e_save = e;
1835 uint64_t f_save = f;
1836 uint64_t g_save = g;
1837 uint64_t h_save = h;
1838 unsigned int t;
1839
1840 /* Operators defined in FIPS 180-2:4.1.2. */
1841 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1842 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1843 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1844 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1845 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1846 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1847
1848 /* It is unfortunate that C does not provide an operator for
1849 cyclic rotation. Hope the C compiler is smart enough. */
1850 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1851
1852 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1853 for (t = 0; t < 16; ++t)
1854 {
1855 W[t] = SHA512_SWAP(*words);
1856 ++words;
1857 }
1858 for (t = 16; t < 80; ++t)
1859 W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16];
1860
1861 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1862 for (t = 0; t < 80; ++t)
1863 {
1864 uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t];
1865 uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c);
1866 h = g;
1867 g = f;
1868 f = e;
1869 e = d + T1;
1870 d = c;
1871 c = b;
1872 b = a;
1873 a = T1 + T2;
1874 }
1875
1876 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1877 step 4. */
1878 a += a_save;
1879 b += b_save;
1880 c += c_save;
1881 d += d_save;
1882 e += e_save;
1883 f += f_save;
1884 g += g_save;
1885 h += h_save;
1886
1887 /* Prepare for the next round. */
1888 nwords -= 16;
1889 }
1890
1891 /* Put checksum in context given as argument. */
1892 ctx->H[0] = a;
1893 ctx->H[1] = b;
1894 ctx->H[2] = c;
1895 ctx->H[3] = d;
1896 ctx->H[4] = e;
1897 ctx->H[5] = f;
1898 ctx->H[6] = g;
1899 ctx->H[7] = h;
1900 }
1901
1902
1903 /* Initialize structure containing state of computation.
1904 (FIPS 180-2:5.3.3) */
1905 static void rb_sha512_init_ctx(struct sha512_ctx *ctx)
1906 {
1907 ctx->H[0] = 0x6a09e667f3bcc908ULL;
1908 ctx->H[1] = 0xbb67ae8584caa73bULL;
1909 ctx->H[2] = 0x3c6ef372fe94f82bULL;
1910 ctx->H[3] = 0xa54ff53a5f1d36f1ULL;
1911 ctx->H[4] = 0x510e527fade682d1ULL;
1912 ctx->H[5] = 0x9b05688c2b3e6c1fULL;
1913 ctx->H[6] = 0x1f83d9abfb41bd6bULL;
1914 ctx->H[7] = 0x5be0cd19137e2179ULL;
1915
1916 ctx->total[0] = ctx->total[1] = 0;
1917 ctx->buflen = 0;
1918 }
1919
1920
1921 /* Process the remaining bytes in the internal buffer and the usual
1922 prolog according to the standard and write the result to RESBUF.
1923
1924 IMPORTANT: On some systems it is required that RESBUF is correctly
1925 aligned for a 32 bits value. */
1926 static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
1927 {
1928 /* Take yet unprocessed bytes into account. */
1929 uint64_t bytes = ctx->buflen, *ptr;
1930 size_t pad;
1931 unsigned int i;
1932
1933 /* Now count remaining bytes. */
1934 ctx->total[0] += bytes;
1935 if (ctx->total[0] < bytes)
1936 ++ctx->total[1];
1937
1938 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
1939 memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad);
1940
1941 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1942 ptr = (uint64_t *)&ctx->buffer[bytes + pad + 8]; /* Avoid warnings about strict aliasing */
1943 *ptr = SHA512_SWAP(ctx->total[0] << 3);
1944
1945 ptr = (uint64_t *)&ctx->buffer[bytes + pad];
1946 *ptr = SHA512_SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 61));
1947
1948 /* Process last bytes. */
1949 rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
1950
1951 /* Put result from CTX in first 64 bytes following RESBUF. */
1952 for (i = 0; i < 8; ++i)
1953 ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]);
1954
1955 return resbuf;
1956 }
1957
1958
1959 static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
1960 {
1961 /* When we already have some bits in our internal buffer concatenate
1962 both inputs first. */
1963 if (ctx->buflen != 0)
1964 {
1965 size_t left_over = ctx->buflen;
1966 size_t add = 256 - left_over > len ? len : 256 - left_over;
1967
1968 memcpy(&ctx->buffer[left_over], buffer, add);
1969 ctx->buflen += add;
1970
1971 if (ctx->buflen > 128)
1972 {
1973 rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
1974
1975 ctx->buflen &= 127;
1976 /* The regions in the following copy operation cannot overlap. */
1977 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen);
1978 }
1979
1980 buffer = (const char *)buffer + add;
1981 len -= add;
1982 }
1983
1984 /* Process available complete blocks. */
1985 if (len >= 128)
1986 {
1987 #if !_STRING_ARCH_unaligned
1988 /* To check alignment gcc has an appropriate operator. Other
1989 compilers don't. */
1990 # if __GNUC__ >= 2
1991 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1992 # else
1993 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1994 # endif
1995 if (SHA512_UNALIGNED_P(buffer))
1996 while (len > 128)
1997 {
1998 rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
1999 buffer = (const char *)buffer + 128;
2000 len -= 128;
2001 }
2002 else
2003 #endif
2004 {
2005 rb_sha512_process_block(buffer, len & ~127, ctx);
2006 buffer = (const char *)buffer + (len & ~127);
2007 len &= 127;
2008 }
2009 }
2010
2011 /* Move remaining bytes into internal buffer. */
2012 if (len > 0)
2013 {
2014 size_t left_over = ctx->buflen;
2015
2016 memcpy(&ctx->buffer[left_over], buffer, len);
2017 left_over += len;
2018 if (left_over >= 128)
2019 {
2020 rb_sha512_process_block(ctx->buffer, 128, ctx);
2021 left_over -= 128;
2022 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
2023 }
2024 ctx->buflen = left_over;
2025 }
2026 }
2027
2028
2029 /* Define our magic string to mark salt for SHA512 "encryption"
2030 replacement. */
2031 static const char sha512_salt_prefix[] = "$6$";
2032
2033 /* Prefix for optional rounds specification. */
2034 static const char sha512_rounds_prefix[] = "rounds=";
2035
2036 /* Maximum salt string length. */
2037 #define SHA512_SALT_LEN_MAX 16
2038 /* Default number of rounds if not explicitly specified. */
2039 #define SHA512_ROUNDS_DEFAULT 5000
2040 /* Minimum number of rounds. */
2041 #define SHA512_ROUNDS_MIN 1000
2042 /* Maximum number of rounds. */
2043 #define SHA512_ROUNDS_MAX 999999999
2044
2045 static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
2046 {
2047 unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2048 unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2049 struct sha512_ctx ctx;
2050 struct sha512_ctx alt_ctx;
2051 size_t salt_len;
2052 size_t key_len;
2053 size_t cnt;
2054 char *cp;
2055 char *copied_key = NULL;
2056 char *copied_salt = NULL;
2057 char *p_bytes;
2058 char *s_bytes;
2059 /* Default number of rounds. */
2060 size_t rounds = SHA512_ROUNDS_DEFAULT;
2061 int rounds_custom = 0;
2062
2063 /* Find beginning of salt string. The prefix should normally always
2064 be present. Just in case it is not. */
2065 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
2066 /* Skip salt prefix. */
2067 salt += sizeof(sha512_salt_prefix) - 1;
2068
2069 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0)
2070 {
2071 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
2072 char *endp;
2073 unsigned long int srounds = strtoul(num, &endp, 10);
2074 if (*endp == '$')
2075 {
2076 salt = endp + 1;
2077 rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX));
2078 rounds_custom = 1;
2079 }
2080 }
2081
2082 salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX);
2083 key_len = strlen(key);
2084
2085 if ((key - (char *)0) % __alignof__(uint64_t) != 0)
2086 {
2087 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
2088 key = copied_key =
2089 memcpy(tmp + __alignof__(uint64_t)
2090 - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len);
2091 }
2092
2093 if ((salt - (char *)0) % __alignof__(uint64_t) != 0)
2094 {
2095 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
2096 salt = copied_salt =
2097 memcpy(tmp + __alignof__(uint64_t)
2098 - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len);
2099 }
2100
2101 /* Prepare for the real work. */
2102 rb_sha512_init_ctx(&ctx);
2103
2104 /* Add the key string. */
2105 rb_sha512_process_bytes(key, key_len, &ctx);
2106
2107 /* The last part is the salt string. This must be at most 16
2108 characters and it ends at the first `$' character (for
2109 compatibility with existing implementations). */
2110 rb_sha512_process_bytes(salt, salt_len, &ctx);
2111
2112
2113 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2114 final result will be added to the first context. */
2115 rb_sha512_init_ctx(&alt_ctx);
2116
2117 /* Add key. */
2118 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2119
2120 /* Add salt. */
2121 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2122
2123 /* Add key again. */
2124 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2125
2126 /* Now get result of this (64 bytes) and add it to the other
2127 context. */
2128 rb_sha512_finish_ctx(&alt_ctx, alt_result);
2129
2130 /* Add for any character in the key one byte of the alternate sum. */
2131 for (cnt = key_len; cnt > 64; cnt -= 64)
2132 rb_sha512_process_bytes(alt_result, 64, &ctx);
2133 rb_sha512_process_bytes(alt_result, cnt, &ctx);
2134
2135 /* Take the binary representation of the length of the key and for every
2136 1 add the alternate sum, for every 0 the key. */
2137 for (cnt = key_len; cnt > 0; cnt >>= 1)
2138 if ((cnt & 1) != 0)
2139 rb_sha512_process_bytes(alt_result, 64, &ctx);
2140 else
2141 rb_sha512_process_bytes(key, key_len, &ctx);
2142
2143 /* Create intermediate result. */
2144 rb_sha512_finish_ctx(&ctx, alt_result);
2145
2146 /* Start computation of P byte sequence. */
2147 rb_sha512_init_ctx(&alt_ctx);
2148
2149 /* For every character in the password add the entire password. */
2150 for (cnt = 0; cnt < key_len; ++cnt)
2151 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2152
2153 /* Finish the digest. */
2154 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2155
2156 /* Create byte sequence P. */
2157 cp = p_bytes = alloca(key_len);
2158 for (cnt = key_len; cnt >= 64; cnt -= 64)
2159 {
2160 memcpy(cp, temp_result, 64);
2161 cp += 64;
2162 }
2163 memcpy(cp, temp_result, cnt);
2164
2165 /* Start computation of S byte sequence. */
2166 rb_sha512_init_ctx(&alt_ctx);
2167
2168 /* For every character in the password add the entire password. */
2169 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
2170 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2171
2172 /* Finish the digest. */
2173 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2174
2175 /* Create byte sequence S. */
2176 cp = s_bytes = alloca(salt_len);
2177 for (cnt = salt_len; cnt >= 64; cnt -= 64)
2178 {
2179 memcpy(cp, temp_result, 64);
2180 cp += 64;
2181 }
2182 memcpy(cp, temp_result, cnt);
2183
2184 /* Repeatedly run the collected hash value through SHA512 to burn
2185 CPU cycles. */
2186 for (cnt = 0; cnt < rounds; ++cnt)
2187 {
2188 /* New context. */
2189 rb_sha512_init_ctx(&ctx);
2190
2191 /* Add key or last result. */
2192 if ((cnt & 1) != 0)
2193 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2194 else
2195 rb_sha512_process_bytes(alt_result, 64, &ctx);
2196
2197 /* Add salt for numbers not divisible by 3. */
2198 if (cnt % 3 != 0)
2199 rb_sha512_process_bytes(s_bytes, salt_len, &ctx);
2200
2201 /* Add key for numbers not divisible by 7. */
2202 if (cnt % 7 != 0)
2203 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2204
2205 /* Add key or last result. */
2206 if ((cnt & 1) != 0)
2207 rb_sha512_process_bytes(alt_result, 64, &ctx);
2208 else
2209 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2210
2211 /* Create intermediate result. */
2212 rb_sha512_finish_ctx(&ctx, alt_result);
2213 }
2214
2215 /* Now we can construct the result string. It consists of three
2216 parts. */
2217 memset(buffer, '\0', MAX(0, buflen));
2218 strncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
2219 if((cp = strchr(buffer, '\0')) == NULL)
2220 cp = buffer + MAX(0, buflen);
2221 buflen -= sizeof(sha512_salt_prefix) - 1;
2222
2223 if (rounds_custom)
2224 {
2225 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
2226 sha512_rounds_prefix, rounds);
2227 cp += n;
2228 buflen -= n;
2229 }
2230
2231 memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len));
2232 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
2233 if((cp = strchr(buffer, '\0')) == NULL)
2234 cp = buffer + salt_len;
2235 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
2236
2237 if (buflen > 0)
2238 {
2239 *cp++ = '$';
2240 --buflen;
2241 }
2242
2243 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
2244 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
2245 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
2246 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
2247 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
2248 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
2249 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
2250 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
2251 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
2252 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
2253 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
2254 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
2255 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
2256 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
2257 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
2258 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
2259 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
2260 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
2261 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
2262 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
2263 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
2264 b64_from_24bit(0, 0, alt_result[63], 2);
2265
2266 if (buflen <= 0)
2267 {
2268 errno = ERANGE;
2269 buffer = NULL;
2270 }
2271 else
2272 *cp = '\0'; /* Terminate the string. */
2273
2274 /* Clear the buffer for the intermediate result so that people
2275 attaching to processes or reading core dumps cannot get any
2276 information. We do it in this way to clear correct_words[]
2277 inside the SHA512 implementation as well. */
2278 rb_sha512_init_ctx(&ctx);
2279 rb_sha512_finish_ctx(&ctx, alt_result);
2280 memset(temp_result, '\0', sizeof(temp_result));
2281 memset(p_bytes, '\0', key_len);
2282 memset(s_bytes, '\0', salt_len);
2283 memset(&ctx, '\0', sizeof(ctx));
2284 memset(&alt_ctx, '\0', sizeof(alt_ctx));
2285 if (copied_key != NULL)
2286 memset(copied_key, '\0', key_len);
2287 if (copied_salt != NULL)
2288 memset(copied_salt, '\0', salt_len);
2289
2290 return buffer;
2291 }
2292
2293
2294 /* This entry point is equivalent to the `crypt' function in Unix
2295 libcs. */
2296 static char *rb_sha512_crypt(const char *key, const char *salt)
2297 {
2298 /* We don't want to have an arbitrary limit in the size of the
2299 password. We can compute an upper bound for the size of the
2300 result in advance and so we can prepare the buffer we pass to
2301 `rb_sha512_crypt_r'. */
2302 static char *buffer;
2303 static int buflen;
2304 int needed = (sizeof(sha512_salt_prefix) - 1
2305 + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1);
2306
2307 if (buflen < needed)
2308 {
2309 char *new_buffer = (char *)realloc(buffer, needed);
2310 if (new_buffer == NULL)
2311 return NULL;
2312
2313 buffer = new_buffer;
2314 buflen = needed;
2315 }
2316
2317 return rb_sha512_crypt_r(key, salt, buffer, buflen);
2318 }
Fork of solanum ircd, history is rebased regularly