]> jfr.im git - solanum.git/blob - librb/src/crypt.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #278 from edk0/override
[solanum.git] / librb / src / crypt.c
1 /*
2 * crypt.c: Implements unix style crypt() for platforms that don't have it
3 * This version has MD5, DES, and SHA256/SHA512 crypt.
4 * DES taken from uClibc, MD5 taken from BSD, SHA256/SHA512 taken from
5 * Drepper's public domain implementation.
6 */
7
8 /*
9 * crypt() for uClibc
10 *
11 * Copyright (C) 2000 by Lineo, inc. and Erik Andersen
12 * Copyright (C) 2000,2001 by Erik Andersen <andersen@uclibc.org>
13 * Written by Erik Andersen <andersen@uclibc.org>
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU Library General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful, but WITHOUT
21 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License
23 * for more details.
24 *
25 * You should have received a copy of the GNU Library General Public License
26 * along with this program; if not, write to the Free Software Foundation,
27 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 */
29
30 #include <librb_config.h>
31 #include <rb_lib.h>
32
33 static char *rb_md5_crypt(const char *pw, const char *salt);
34 static char *rb_des_crypt(const char *pw, const char *salt);
35 static char *rb_sha256_crypt(const char *key, const char *salt);
36 static char *rb_sha512_crypt(const char *key, const char *salt);
37
38 char *
39 rb_crypt(const char *key, const char *salt)
40 {
41 /* First, check if we are supposed to be using a replacement
42 * hash instead of DES... */
43 if(salt[0] == '$' && (salt[2] == '$' || salt[3] == '$'))
44 {
45 switch(salt[1])
46 {
47 case '1':
48 return rb_md5_crypt(key, salt);
49 case '5':
50 return rb_sha256_crypt(key, salt);
51 case '6':
52 return rb_sha512_crypt(key, salt);
53 default:
54 return NULL;
55 };
56 }
57 else
58 return rb_des_crypt(key, salt);
59 }
60
61 #define b64_from_24bit(B2, B1, B0, N) \
62 do \
63 { \
64 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
65 int n = (N); \
66 while (n-- > 0 && buflen > 0) \
67 { \
68 *cp++ = ascii64[w & 0x3f]; \
69 --buflen; \
70 w >>= 6; \
71 } \
72 } while (0)
73
74 #ifndef MAX
75 # define MAX(a,b) (((a) > (b)) ? (a) : (b))
76 #endif
77 #ifndef MIN
78 # define MIN(a,b) (((a) < (b)) ? (a) : (b))
79 #endif
80
81 /* Here is the des crypt() stuff */
82
83 /*
84 * FreeSec: libcrypt for NetBSD
85 *
86 * Copyright (c) 1994 David Burren
87 * All rights reserved.
88 *
89 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
90 * this file should now *only* export crypt(), in order to make
91 * binaries of libcrypt exportable from the USA
92 *
93 * Adapted for FreeBSD-4.0 by Mark R V Murray
94 * this file should now *only* export crypt_des(), in order to make
95 * a module that can be optionally included in libcrypt.
96 *
97 * Redistribution and use in source and binary forms, with or without
98 * modification, are permitted provided that the following conditions
99 * are met:
100 * 1. Redistributions of source code must retain the above copyright
101 * notice, this list of conditions and the following disclaimer.
102 * 2. Redistributions in binary form must reproduce the above copyright
103 * notice, this list of conditions and the following disclaimer in the
104 * documentation and/or other materials provided with the distribution.
105 * 3. Neither the name of the author nor the names of other contributors
106 * may be used to endorse or promote products derived from this software
107 * without specific prior written permission.
108 *
109 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
110 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
111 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
112 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
113 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
114 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
115 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
116 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
117 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
118 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
119 * SUCH DAMAGE.
120 *
121 * This is an original implementation of the DES and the crypt(3) interfaces
122 * by David Burren <davidb@werj.com.au>.
123 *
124 * An excellent reference on the underlying algorithm (and related
125 * algorithms) is:
126 *
127 * B. Schneier, Applied Cryptography: protocols, algorithms,
128 * and source code in C, John Wiley & Sons, 1994.
129 *
130 * Note that in that book's description of DES the lookups for the initial,
131 * pbox, and final permutations are inverted (this has been brought to the
132 * attention of the author). A list of errata for this book has been
133 * posted to the sci.crypt newsgroup by the author and is available for FTP.
134 *
135 * ARCHITECTURE ASSUMPTIONS:
136 * It is assumed that the 8-byte arrays passed by reference can be
137 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
138 * alignment).
139 */
140
141
142 /* Re-entrantify me -- all this junk needs to be in
143 * struct crypt_data to make this really reentrant... */
144 static uint8_t inv_key_perm[64];
145 static uint8_t inv_comp_perm[56];
146 static uint8_t u_sbox[8][64];
147 static uint8_t un_pbox[32];
148 static uint32_t en_keysl[16], en_keysr[16];
149 static uint32_t de_keysl[16], de_keysr[16];
150 static uint32_t ip_maskl[8][256], ip_maskr[8][256];
151 static uint32_t fp_maskl[8][256], fp_maskr[8][256];
152 static uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
153 static uint32_t comp_maskl[8][128], comp_maskr[8][128];
154 static uint32_t saltbits;
155 static uint32_t old_salt;
156 static uint32_t old_rawkey0, old_rawkey1;
157
158
159 /* Static stuff that stays resident and doesn't change after
160 * being initialized, and therefore doesn't need to be made
161 * reentrant. */
162 static uint8_t init_perm[64], final_perm[64];
163 static uint8_t m_sbox[4][4096];
164 static uint32_t psbox[4][256];
165
166 /* A pile of data */
167 static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
168
169 static const uint8_t IP[64] = {
170 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
171 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
172 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
173 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
174 };
175
176 static const uint8_t key_perm[56] = {
177 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
178 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
179 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
180 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
181 };
182
183 static const uint8_t key_shifts[16] = {
184 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
185 };
186
187 static const uint8_t comp_perm[48] = {
188 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
189 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
190 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
191 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
192 };
193
194 /*
195 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
196 */
197
198 static const uint8_t sbox[8][64] = {
199 {
200 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
201 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
202 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
203 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
204 {
205 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
206 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
207 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
208 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
209 {
210 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
211 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
212 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
213 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
214 {
215 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
216 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
217 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
218 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
219 {
220 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
221 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
222 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
223 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
224 {
225 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
226 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
227 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
228 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
229 {
230 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
231 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
232 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
233 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
234 {
235 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
236 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
237 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
238 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
239 };
240
241 static const uint8_t pbox[32] = {
242 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
243 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
244 };
245
246 static const uint32_t bits32[32] = {
247 0x80000000, 0x40000000, 0x20000000, 0x10000000,
248 0x08000000, 0x04000000, 0x02000000, 0x01000000,
249 0x00800000, 0x00400000, 0x00200000, 0x00100000,
250 0x00080000, 0x00040000, 0x00020000, 0x00010000,
251 0x00008000, 0x00004000, 0x00002000, 0x00001000,
252 0x00000800, 0x00000400, 0x00000200, 0x00000100,
253 0x00000080, 0x00000040, 0x00000020, 0x00000010,
254 0x00000008, 0x00000004, 0x00000002, 0x00000001
255 };
256
257 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
258
259 static const uint32_t *bits28, *bits24;
260
261
262 static int
263 rb_ascii_to_bin(char ch)
264 {
265 if(ch > 'z')
266 return (0);
267 if(ch >= 'a')
268 return (ch - 'a' + 38);
269 if(ch > 'Z')
270 return (0);
271 if(ch >= 'A')
272 return (ch - 'A' + 12);
273 if(ch > '9')
274 return (0);
275 if(ch >= '.')
276 return (ch - '.');
277 return (0);
278 }
279
280 static void
281 rb_des_init(void)
282 {
283 int i, j, b, k, inbit, obit;
284 uint32_t *p, *il, *ir, *fl, *fr;
285 static int rb_des_initialised = 0;
286
287 if(rb_des_initialised == 1)
288 return;
289
290 old_rawkey0 = old_rawkey1 = 0L;
291 saltbits = 0L;
292 old_salt = 0L;
293 bits24 = (bits28 = bits32 + 4) + 4;
294
295 /*
296 * Invert the S-boxes, reordering the input bits.
297 */
298 for(i = 0; i < 8; i++)
299 for(j = 0; j < 64; j++)
300 {
301 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
302 u_sbox[i][j] = sbox[i][b];
303 }
304
305 /*
306 * Convert the inverted S-boxes into 4 arrays of 8 bits.
307 * Each will handle 12 bits of the S-box input.
308 */
309 for(b = 0; b < 4; b++)
310 for(i = 0; i < 64; i++)
311 for(j = 0; j < 64; j++)
312 m_sbox[b][(i << 6) | j] =
313 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
314 u_sbox[(b << 1) + 1][j]);
315
316 /*
317 * Set up the initial & final permutations into a useful form, and
318 * initialise the inverted key permutation.
319 */
320 for(i = 0; i < 64; i++)
321 {
322 init_perm[final_perm[i] = IP[i] - 1] = (uint8_t)i;
323 inv_key_perm[i] = 255;
324 }
325
326 /*
327 * Invert the key permutation and initialise the inverted key
328 * compression permutation.
329 */
330 for(i = 0; i < 56; i++)
331 {
332 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
333 inv_comp_perm[i] = 255;
334 }
335
336 /*
337 * Invert the key compression permutation.
338 */
339 for(i = 0; i < 48; i++)
340 {
341 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
342 }
343
344 /*
345 * Set up the OR-mask arrays for the initial and final permutations,
346 * and for the key initial and compression permutations.
347 */
348 for(k = 0; k < 8; k++)
349 {
350 for(i = 0; i < 256; i++)
351 {
352 *(il = &ip_maskl[k][i]) = 0L;
353 *(ir = &ip_maskr[k][i]) = 0L;
354 *(fl = &fp_maskl[k][i]) = 0L;
355 *(fr = &fp_maskr[k][i]) = 0L;
356 for(j = 0; j < 8; j++)
357 {
358 inbit = 8 * k + j;
359 if(i & bits8[j])
360 {
361 if((obit = init_perm[inbit]) < 32)
362 *il |= bits32[obit];
363 else
364 *ir |= bits32[obit - 32];
365 if((obit = final_perm[inbit]) < 32)
366 *fl |= bits32[obit];
367 else
368 *fr |= bits32[obit - 32];
369 }
370 }
371 }
372 for(i = 0; i < 128; i++)
373 {
374 *(il = &key_perm_maskl[k][i]) = 0L;
375 *(ir = &key_perm_maskr[k][i]) = 0L;
376 for(j = 0; j < 7; j++)
377 {
378 inbit = 8 * k + j;
379 if(i & bits8[j + 1])
380 {
381 if((obit = inv_key_perm[inbit]) == 255)
382 continue;
383 if(obit < 28)
384 *il |= bits28[obit];
385 else
386 *ir |= bits28[obit - 28];
387 }
388 }
389 *(il = &comp_maskl[k][i]) = 0L;
390 *(ir = &comp_maskr[k][i]) = 0L;
391 for(j = 0; j < 7; j++)
392 {
393 inbit = 7 * k + j;
394 if(i & bits8[j + 1])
395 {
396 if((obit = inv_comp_perm[inbit]) == 255)
397 continue;
398 if(obit < 24)
399 *il |= bits24[obit];
400 else
401 *ir |= bits24[obit - 24];
402 }
403 }
404 }
405 }
406
407 /*
408 * Invert the P-box permutation, and convert into OR-masks for
409 * handling the output of the S-box arrays setup above.
410 */
411 for(i = 0; i < 32; i++)
412 un_pbox[pbox[i] - 1] = (uint8_t)i;
413
414 for(b = 0; b < 4; b++)
415 for(i = 0; i < 256; i++)
416 {
417 *(p = &psbox[b][i]) = 0L;
418 for(j = 0; j < 8; j++)
419 {
420 if(i & bits8[j])
421 *p |= bits32[un_pbox[8 * b + j]];
422 }
423 }
424
425 rb_des_initialised = 1;
426 }
427
428
429 static void
430 rb_setup_salt(long salt)
431 {
432 uint32_t obit, saltbit;
433 int i;
434
435 if(salt == (long)old_salt)
436 return;
437 old_salt = salt;
438
439 saltbits = 0L;
440 saltbit = 1;
441 obit = 0x800000;
442 for(i = 0; i < 24; i++)
443 {
444 if(salt & saltbit)
445 saltbits |= obit;
446 saltbit <<= 1;
447 obit >>= 1;
448 }
449 }
450
451 static int
452 rb_des_setkey(const char *key)
453 {
454 uint32_t k0, k1, rawkey0, rawkey1;
455 int shifts, round;
456
457 rb_des_init();
458
459 rawkey0 = ntohl(*(const uint32_t *)key);
460 rawkey1 = ntohl(*(const uint32_t *)(key + 4));
461
462 if((rawkey0 | rawkey1) && rawkey0 == old_rawkey0 && rawkey1 == old_rawkey1)
463 {
464 /*
465 * Already setup for this key.
466 * This optimisation fails on a zero key (which is weak and
467 * has bad parity anyway) in order to simplify the starting
468 * conditions.
469 */
470 return (0);
471 }
472 old_rawkey0 = rawkey0;
473 old_rawkey1 = rawkey1;
474
475 /*
476 * Do key permutation and split into two 28-bit subkeys.
477 */
478 k0 = key_perm_maskl[0][rawkey0 >> 25]
479 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
480 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
481 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
482 | key_perm_maskl[4][rawkey1 >> 25]
483 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
484 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
485 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
486 k1 = key_perm_maskr[0][rawkey0 >> 25]
487 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
488 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
489 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
490 | key_perm_maskr[4][rawkey1 >> 25]
491 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
492 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
493 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
494 /*
495 * Rotate subkeys and do compression permutation.
496 */
497 shifts = 0;
498 for(round = 0; round < 16; round++)
499 {
500 uint32_t t0, t1;
501
502 shifts += key_shifts[round];
503
504 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
505 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
506
507 de_keysl[15 - round] =
508 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
509 | comp_maskl[1][(t0 >> 14) & 0x7f]
510 | comp_maskl[2][(t0 >> 7) & 0x7f]
511 | comp_maskl[3][t0 & 0x7f]
512 | comp_maskl[4][(t1 >> 21) & 0x7f]
513 | comp_maskl[5][(t1 >> 14) & 0x7f]
514 | comp_maskl[6][(t1 >> 7) & 0x7f] | comp_maskl[7][t1 & 0x7f];
515
516 de_keysr[15 - round] =
517 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
518 | comp_maskr[1][(t0 >> 14) & 0x7f]
519 | comp_maskr[2][(t0 >> 7) & 0x7f]
520 | comp_maskr[3][t0 & 0x7f]
521 | comp_maskr[4][(t1 >> 21) & 0x7f]
522 | comp_maskr[5][(t1 >> 14) & 0x7f]
523 | comp_maskr[6][(t1 >> 7) & 0x7f] | comp_maskr[7][t1 & 0x7f];
524 }
525 return (0);
526 }
527
528 static int
529 rb_do_des(uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count)
530 {
531 /*
532 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
533 */
534 uint32_t l, r, *kl, *kr, *kl1, *kr1;
535 uint32_t f = 0, r48l, r48r;
536 int round;
537
538 if(count == 0)
539 {
540 return (1);
541 }
542 else if(count > 0)
543 {
544 /*
545 * Encrypting
546 */
547 kl1 = en_keysl;
548 kr1 = en_keysr;
549 }
550 else
551 {
552 /*
553 * Decrypting
554 */
555 count = -count;
556 kl1 = de_keysl;
557 kr1 = de_keysr;
558 }
559
560 /*
561 * Do initial permutation (IP).
562 */
563 l = ip_maskl[0][l_in >> 24]
564 | ip_maskl[1][(l_in >> 16) & 0xff]
565 | ip_maskl[2][(l_in >> 8) & 0xff]
566 | ip_maskl[3][l_in & 0xff]
567 | ip_maskl[4][r_in >> 24]
568 | ip_maskl[5][(r_in >> 16) & 0xff]
569 | ip_maskl[6][(r_in >> 8) & 0xff] | ip_maskl[7][r_in & 0xff];
570 r = ip_maskr[0][l_in >> 24]
571 | ip_maskr[1][(l_in >> 16) & 0xff]
572 | ip_maskr[2][(l_in >> 8) & 0xff]
573 | ip_maskr[3][l_in & 0xff]
574 | ip_maskr[4][r_in >> 24]
575 | ip_maskr[5][(r_in >> 16) & 0xff]
576 | ip_maskr[6][(r_in >> 8) & 0xff] | ip_maskr[7][r_in & 0xff];
577
578 while(count--)
579 {
580 /*
581 * Do each round.
582 */
583 kl = kl1;
584 kr = kr1;
585 round = 16;
586 while(round--)
587 {
588 /*
589 * Expand R to 48 bits (simulate the E-box).
590 */
591 r48l = ((r & 0x00000001) << 23)
592 | ((r & 0xf8000000) >> 9)
593 | ((r & 0x1f800000) >> 11)
594 | ((r & 0x01f80000) >> 13) | ((r & 0x001f8000) >> 15);
595
596 r48r = ((r & 0x0001f800) << 7)
597 | ((r & 0x00001f80) << 5)
598 | ((r & 0x000001f8) << 3)
599 | ((r & 0x0000001f) << 1) | ((r & 0x80000000) >> 31);
600 /*
601 * Do salting for crypt() and friends, and
602 * XOR with the permuted key.
603 */
604 f = (r48l ^ r48r) & saltbits;
605 r48l ^= f ^ *kl++;
606 r48r ^= f ^ *kr++;
607 /*
608 * Do sbox lookups (which shrink it back to 32 bits)
609 * and do the pbox permutation at the same time.
610 */
611 f = psbox[0][m_sbox[0][r48l >> 12]]
612 | psbox[1][m_sbox[1][r48l & 0xfff]]
613 | psbox[2][m_sbox[2][r48r >> 12]]
614 | psbox[3][m_sbox[3][r48r & 0xfff]];
615 /*
616 * Now that we've permuted things, complete f().
617 */
618 f ^= l;
619 l = r;
620 r = f;
621 }
622 r = l;
623 l = f;
624 }
625 /*
626 * Do final permutation (inverse of IP).
627 */
628 *l_out = fp_maskl[0][l >> 24]
629 | fp_maskl[1][(l >> 16) & 0xff]
630 | fp_maskl[2][(l >> 8) & 0xff]
631 | fp_maskl[3][l & 0xff]
632 | fp_maskl[4][r >> 24]
633 | fp_maskl[5][(r >> 16) & 0xff]
634 | fp_maskl[6][(r >> 8) & 0xff] | fp_maskl[7][r & 0xff];
635 *r_out = fp_maskr[0][l >> 24]
636 | fp_maskr[1][(l >> 16) & 0xff]
637 | fp_maskr[2][(l >> 8) & 0xff]
638 | fp_maskr[3][l & 0xff]
639 | fp_maskr[4][r >> 24]
640 | fp_maskr[5][(r >> 16) & 0xff]
641 | fp_maskr[6][(r >> 8) & 0xff] | fp_maskr[7][r & 0xff];
642 return (0);
643 }
644
645 static char *
646 rb_des_crypt(const char *key, const char *setting)
647 {
648 uint32_t count, salt, l, r0, r1, keybuf[2];
649 uint8_t *p, *q;
650 static char output[21];
651
652 rb_des_init();
653
654 /*
655 * Copy the key, shifting each character up by one bit
656 * and padding with zeros.
657 */
658 q = (uint8_t *)keybuf;
659 while(q - (uint8_t *)keybuf - 8)
660 {
661 *q++ = *key << 1;
662 if(*(q - 1))
663 key++;
664 }
665 if(rb_des_setkey((char *)keybuf))
666 return (NULL);
667 {
668 /*
669 * "old"-style:
670 * setting - 2 bytes of salt
671 * key - up to 8 characters
672 */
673 count = 25;
674
675 salt = (rb_ascii_to_bin(setting[1]) << 6) | rb_ascii_to_bin(setting[0]);
676
677 output[0] = setting[0];
678 /*
679 * If the encrypted password that the salt was extracted from
680 * is only 1 character long, the salt will be corrupted. We
681 * need to ensure that the output string doesn't have an extra
682 * NUL in it!
683 */
684 output[1] = setting[1] ? setting[1] : output[0];
685
686 p = (uint8_t *)output + 2;
687 }
688 rb_setup_salt(salt);
689 /*
690 * Do it.
691 */
692 if(rb_do_des(0L, 0L, &r0, &r1, (int)count))
693 return (NULL);
694 /*
695 * Now encode the result...
696 */
697 l = (r0 >> 8);
698 *p++ = ascii64[(l >> 18) & 0x3f];
699 *p++ = ascii64[(l >> 12) & 0x3f];
700 *p++ = ascii64[(l >> 6) & 0x3f];
701 *p++ = ascii64[l & 0x3f];
702
703 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
704 *p++ = ascii64[(l >> 18) & 0x3f];
705 *p++ = ascii64[(l >> 12) & 0x3f];
706 *p++ = ascii64[(l >> 6) & 0x3f];
707 *p++ = ascii64[l & 0x3f];
708
709 l = r1 << 2;
710 *p++ = ascii64[(l >> 12) & 0x3f];
711 *p++ = ascii64[(l >> 6) & 0x3f];
712 *p++ = ascii64[l & 0x3f];
713 *p = 0;
714
715 return (output);
716 }
717
718 /* Now md5 crypt */
719 /*
720 * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
721 *
722 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
723 * rights reserved.
724 *
725 * License to copy and use this software is granted provided that it
726 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
727 * Algorithm" in all material mentioning or referencing this software
728 * or this function.
729 *
730 * License is also granted to make and use derivative works provided
731 * that such works are identified as "derived from the RSA Data
732 * Security, Inc. MD5 Message-Digest Algorithm" in all material
733 * mentioning or referencing the derived work.
734 *
735 * RSA Data Security, Inc. makes no representations concerning either
736 * the merchantability of this software or the suitability of this
737 * software for any particular purpose. It is provided "as is"
738 * without express or implied warranty of any kind.
739 *
740 * These notices must be retained in any copies of any part of this
741 * documentation and/or software.
742 *
743 * This code is the same as the code published by RSA Inc. It has been
744 * edited for clarity and style only.
745 */
746
747 #define MD5_SIZE 16
748
749 static void
750 _crypt_to64(char *s, unsigned long v, int n)
751 {
752 while (--n >= 0) {
753 *s++ = ascii64[v&0x3f];
754 v >>= 6;
755 }
756 }
757
758 /* MD5 context. */
759 typedef struct MD5Context {
760 uint32_t state[4]; /* state (ABCD) */
761 uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */
762 unsigned char buffer[64]; /* input buffer */
763 } MD5_CTX;
764
765 static void MD5Transform(uint32_t [4], const unsigned char [64]);
766 static void MD5Init (MD5_CTX *);
767 static void MD5Update (MD5_CTX *, const void *, unsigned int);
768 static void MD5Final (unsigned char [16], MD5_CTX *);
769
770 #ifndef WORDS_BIGENDIAN
771 #define Encode memcpy
772 #define Decode memcpy
773 #else
774
775 /*
776 * Encodes input (uint32_t) into output (unsigned char). Assumes len is
777 * a multiple of 4.
778 */
779
780 static void
781 Encode (unsigned char *output, uint32_t *input, unsigned int len)
782 {
783 unsigned int i;
784 uint32_t *op = (uint32_t *)output;
785
786 for (i = 0; i < len / 4; i++)
787 op[i] = htole32(input[i]);
788 }
789
790 /*
791 * Decodes input (unsigned char) into output (uint32_t). Assumes len is
792 * a multiple of 4.
793 */
794
795 static void
796 Decode (uint32_t *output, const unsigned char *input, unsigned int len)
797 {
798 unsigned int i;
799 const uint32_t *ip = (const uint32_t *)input;
800
801 for (i = 0; i < len / 4; i++)
802 output[i] = le32toh(ip[i]);
803 }
804 #endif
805
806 static unsigned char PADDING[64] = {
807 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
808 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
809 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
810 };
811
812 /* F, G, H and I are basic MD5 functions. */
813 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
814 #define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
815 #define H(x, y, z) ((x) ^ (y) ^ (z))
816 #define I(x, y, z) ((y) ^ ((x) | (~z)))
817
818 /* ROTATE_LEFT rotates x left n bits. */
819 #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
820
821 /*
822 * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
823 * Rotation is separate from addition to prevent recomputation.
824 */
825 #define FF(a, b, c, d, x, s, ac) { \
826 (a) += F ((b), (c), (d)) + (x) + (uint32_t)(ac); \
827 (a) = ROTATE_LEFT ((a), (s)); \
828 (a) += (b); \
829 }
830 #define GG(a, b, c, d, x, s, ac) { \
831 (a) += G ((b), (c), (d)) + (x) + (uint32_t)(ac); \
832 (a) = ROTATE_LEFT ((a), (s)); \
833 (a) += (b); \
834 }
835 #define HH(a, b, c, d, x, s, ac) { \
836 (a) += H ((b), (c), (d)) + (x) + (uint32_t)(ac); \
837 (a) = ROTATE_LEFT ((a), (s)); \
838 (a) += (b); \
839 }
840 #define II(a, b, c, d, x, s, ac) { \
841 (a) += I ((b), (c), (d)) + (x) + (uint32_t)(ac); \
842 (a) = ROTATE_LEFT ((a), (s)); \
843 (a) += (b); \
844 }
845
846 /* MD5 initialization. Begins an MD5 operation, writing a new context. */
847
848 static void
849 MD5Init (context)
850 MD5_CTX *context;
851 {
852
853 context->count[0] = context->count[1] = 0;
854
855 /* Load magic initialization constants. */
856 context->state[0] = 0x67452301;
857 context->state[1] = 0xefcdab89;
858 context->state[2] = 0x98badcfe;
859 context->state[3] = 0x10325476;
860 }
861
862 /*
863 * MD5 block update operation. Continues an MD5 message-digest
864 * operation, processing another message block, and updating the
865 * context.
866 */
867
868 static void
869 MD5Update (context, in, inputLen)
870 MD5_CTX *context;
871 const void *in;
872 unsigned int inputLen;
873 {
874 unsigned int i, idx, partLen;
875 const unsigned char *input = in;
876
877 /* Compute number of bytes mod 64 */
878 idx = (unsigned int)((context->count[0] >> 3) & 0x3F);
879
880 /* Update number of bits */
881 if ((context->count[0] += ((uint32_t)inputLen << 3))
882 < ((uint32_t)inputLen << 3))
883 context->count[1]++;
884 context->count[1] += ((uint32_t)inputLen >> 29);
885
886 partLen = 64 - idx;
887
888 /* Transform as many times as possible. */
889 if (inputLen >= partLen) {
890 memcpy((void *)&context->buffer[idx], (const void *)input,
891 partLen);
892 MD5Transform (context->state, context->buffer);
893
894 for (i = partLen; i + 63 < inputLen; i += 64)
895 MD5Transform (context->state, &input[i]);
896
897 idx = 0;
898 }
899 else
900 i = 0;
901
902 /* Buffer remaining input */
903 memcpy ((void *)&context->buffer[idx], (const void *)&input[i],
904 inputLen-i);
905 }
906
907 /*
908 * MD5 padding. Adds padding followed by original length.
909 */
910
911 static void
912 MD5Pad (context)
913 MD5_CTX *context;
914 {
915 unsigned char bits[8];
916 unsigned int idx, padLen;
917
918 /* Save number of bits */
919 Encode (bits, context->count, 8);
920
921 /* Pad out to 56 mod 64. */
922 idx = (unsigned int)((context->count[0] >> 3) & 0x3f);
923 padLen = (idx < 56) ? (56 - idx) : (120 - idx);
924 MD5Update (context, PADDING, padLen);
925
926 /* Append length (before padding) */
927 MD5Update (context, bits, 8);
928 }
929
930 /*
931 * MD5 finalization. Ends an MD5 message-digest operation, writing the
932 * the message digest and zeroizing the context.
933 */
934
935 static void
936 MD5Final (digest, context)
937 unsigned char digest[16];
938 MD5_CTX *context;
939 {
940 /* Do padding. */
941 MD5Pad (context);
942
943 /* Store state in digest */
944 Encode (digest, context->state, 16);
945
946 /* Zeroize sensitive information. */
947 memset ((void *)context, 0, sizeof (*context));
948 }
949
950 /* MD5 basic transformation. Transforms state based on block. */
951
952 static void
953 MD5Transform (state, block)
954 uint32_t state[4];
955 const unsigned char block[64];
956 {
957 uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
958
959 Decode (x, block, 64);
960
961 /* Round 1 */
962 #define S11 7
963 #define S12 12
964 #define S13 17
965 #define S14 22
966 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
967 FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
968 FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
969 FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
970 FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
971 FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
972 FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
973 FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
974 FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
975 FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
976 FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
977 FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
978 FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
979 FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
980 FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
981 FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
982
983 /* Round 2 */
984 #define S21 5
985 #define S22 9
986 #define S23 14
987 #define S24 20
988 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
989 GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
990 GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
991 GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
992 GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
993 GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
994 GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
995 GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
996 GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
997 GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
998 GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
999 GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
1000 GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
1001 GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
1002 GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
1003 GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
1004
1005 /* Round 3 */
1006 #define S31 4
1007 #define S32 11
1008 #define S33 16
1009 #define S34 23
1010 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
1011 HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
1012 HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
1013 HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
1014 HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
1015 HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
1016 HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
1017 HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
1018 HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
1019 HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
1020 HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
1021 HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
1022 HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
1023 HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
1024 HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
1025 HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
1026
1027 /* Round 4 */
1028 #define S41 6
1029 #define S42 10
1030 #define S43 15
1031 #define S44 21
1032 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
1033 II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
1034 II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
1035 II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
1036 II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
1037 II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
1038 II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
1039 II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
1040 II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
1041 II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
1042 II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
1043 II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
1044 II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
1045 II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
1046 II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
1047 II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
1048
1049 state[0] += a;
1050 state[1] += b;
1051 state[2] += c;
1052 state[3] += d;
1053
1054 /* Zeroize sensitive information. */
1055 memset ((void *)x, 0, sizeof (x));
1056 }
1057
1058 /*
1059 * UNIX password
1060 */
1061
1062 static char *
1063 rb_md5_crypt(const char *pw, const char *salt)
1064 {
1065 MD5_CTX ctx,ctx1;
1066 unsigned long l;
1067 int sl, pl;
1068 unsigned int i;
1069 unsigned char final[MD5_SIZE];
1070 static const char *sp, *ep;
1071 static char passwd[120], *p;
1072 static const char *magic = "$1$";
1073
1074 /* Refine the Salt first */
1075 sp = salt;
1076
1077 /* If it starts with the magic string, then skip that */
1078 if(!strncmp(sp, magic, strlen(magic)))
1079 sp += strlen(magic);
1080
1081 /* It stops at the first '$', max 8 chars */
1082 for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
1083 continue;
1084
1085 /* get the length of the true salt */
1086 sl = ep - sp;
1087
1088 MD5Init(&ctx);
1089
1090 /* The password first, since that is what is most unknown */
1091 MD5Update(&ctx, (const unsigned char *)pw, strlen(pw));
1092
1093 /* Then our magic string */
1094 MD5Update(&ctx, (const unsigned char *)magic, strlen(magic));
1095
1096 /* Then the raw salt */
1097 MD5Update(&ctx, (const unsigned char *)sp, (unsigned int)sl);
1098
1099 /* Then just as many characters of the MD5(pw,salt,pw) */
1100 MD5Init(&ctx1);
1101 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1102 MD5Update(&ctx1, (const unsigned char *)sp, (unsigned int)sl);
1103 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1104 MD5Final(final, &ctx1);
1105 for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
1106 MD5Update(&ctx, (const unsigned char *)final,
1107 (unsigned int)(pl > MD5_SIZE ? MD5_SIZE : pl));
1108
1109 /* Don't leave anything around in vm they could use. */
1110 memset(final, 0, sizeof(final));
1111
1112 /* Then something really weird... */
1113 for (i = strlen(pw); i; i >>= 1)
1114 if(i & 1)
1115 MD5Update(&ctx, (const unsigned char *)final, 1);
1116 else
1117 MD5Update(&ctx, (const unsigned char *)pw, 1);
1118
1119 /* Now make the output string */
1120 rb_strlcpy(passwd, magic, sizeof(passwd));
1121 strncat(passwd, sp, (unsigned int)sl);
1122 rb_strlcat(passwd, "$", sizeof(passwd));
1123
1124 MD5Final(final, &ctx);
1125
1126 /*
1127 * and now, just to make sure things don't run too fast
1128 * On a 60 Mhz Pentium this takes 34 msec, so you would
1129 * need 30 seconds to build a 1000 entry dictionary...
1130 */
1131 for(i = 0; i < 1000; i++) {
1132 MD5Init(&ctx1);
1133 if(i & 1)
1134 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1135 else
1136 MD5Update(&ctx1, (const unsigned char *)final, MD5_SIZE);
1137
1138 if(i % 3)
1139 MD5Update(&ctx1, (const unsigned char *)sp, (unsigned int)sl);
1140
1141 if(i % 7)
1142 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1143
1144 if(i & 1)
1145 MD5Update(&ctx1, (const unsigned char *)final, MD5_SIZE);
1146 else
1147 MD5Update(&ctx1, (const unsigned char *)pw, strlen(pw));
1148 MD5Final(final, &ctx1);
1149 }
1150
1151 p = passwd + strlen(passwd);
1152
1153 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
1154 _crypt_to64(p, l, 4); p += 4;
1155 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
1156 _crypt_to64(p, l, 4); p += 4;
1157 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
1158 _crypt_to64(p, l, 4); p += 4;
1159 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
1160 _crypt_to64(p, l, 4); p += 4;
1161 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
1162 _crypt_to64(p, l, 4); p += 4;
1163 l = final[11];
1164 _crypt_to64(p, l, 2); p += 2;
1165 *p = '\0';
1166
1167 /* Don't leave anything around in vm they could use. */
1168 memset(final, 0, sizeof(final));
1169
1170 return (passwd);
1171 }
1172
1173
1174 /* SHA256-based Unix crypt implementation.
1175 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
1176
1177 /* Structure to save state of computation between the single steps. */
1178 struct sha256_ctx
1179 {
1180 uint32_t H[8];
1181
1182 uint32_t total[2];
1183 uint32_t buflen;
1184 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
1185 };
1186
1187 #ifndef WORDS_BIGENDIAN
1188 # define SHA256_SWAP(n) \
1189 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
1190 #else
1191 # define SHA256_SWAP(n) (n)
1192 #endif
1193
1194 /* This array contains the bytes used to pad the buffer to the next
1195 64-byte boundary. (FIPS 180-2:5.1.1) */
1196 static const unsigned char SHA256_fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
1197
1198
1199 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
1200 static const uint32_t SHA256_K[64] = {
1201 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
1202 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
1203 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
1204 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
1205 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
1206 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
1207 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
1208 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
1209 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
1210 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
1211 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
1212 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
1213 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
1214 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
1215 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
1216 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
1217 };
1218
1219
1220 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1221 It is assumed that LEN % 64 == 0. */
1222 static void rb_sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
1223 {
1224 const uint32_t *words = buffer;
1225 size_t nwords = len / sizeof(uint32_t);
1226 uint32_t a = ctx->H[0];
1227 uint32_t b = ctx->H[1];
1228 uint32_t c = ctx->H[2];
1229 uint32_t d = ctx->H[3];
1230 uint32_t e = ctx->H[4];
1231 uint32_t f = ctx->H[5];
1232 uint32_t g = ctx->H[6];
1233 uint32_t h = ctx->H[7];
1234
1235 /* First increment the byte count. FIPS 180-2 specifies the possible
1236 length of the file up to 2^64 bits. Here we only compute the
1237 number of bytes. Do a double word increment. */
1238 ctx->total[0] += len;
1239 if (ctx->total[0] < len)
1240 ++ctx->total[1];
1241
1242 /* Process all bytes in the buffer with 64 bytes in each round of
1243 the loop. */
1244 while (nwords > 0)
1245 {
1246 uint32_t W[64];
1247 uint32_t a_save = a;
1248 uint32_t b_save = b;
1249 uint32_t c_save = c;
1250 uint32_t d_save = d;
1251 uint32_t e_save = e;
1252 uint32_t f_save = f;
1253 uint32_t g_save = g;
1254 uint32_t h_save = h;
1255 unsigned int t;
1256
1257 /* Operators defined in FIPS 180-2:4.1.2. */
1258 #define SHA256_Ch(x, y, z) ((x & y) ^ (~x & z))
1259 #define SHA256_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1260 #define SHA256_S0(x) (SHA256_CYCLIC (x, 2) ^ SHA256_CYCLIC (x, 13) ^ SHA256_CYCLIC (x, 22))
1261 #define SHA256_S1(x) (SHA256_CYCLIC (x, 6) ^ SHA256_CYCLIC (x, 11) ^ SHA256_CYCLIC (x, 25))
1262 #define SHA256_R0(x) (SHA256_CYCLIC (x, 7) ^ SHA256_CYCLIC (x, 18) ^ (x >> 3))
1263 #define SHA256_R1(x) (SHA256_CYCLIC (x, 17) ^ SHA256_CYCLIC (x, 19) ^ (x >> 10))
1264
1265 /* It is unfortunate that C does not provide an operator for
1266 cyclic rotation. Hope the C compiler is smart enough. */
1267 #define SHA256_CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
1268
1269 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
1270 for (t = 0; t < 16; ++t)
1271 {
1272 W[t] = SHA256_SWAP(*words);
1273 ++words;
1274 }
1275 for (t = 16; t < 64; ++t)
1276 W[t] = SHA256_R1(W[t - 2]) + W[t - 7] + SHA256_R0(W[t - 15]) + W[t - 16];
1277
1278 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
1279 for (t = 0; t < 64; ++t)
1280 {
1281 uint32_t T1 = h + SHA256_S1(e) + SHA256_Ch(e, f, g) + SHA256_K[t] + W[t];
1282 uint32_t T2 = SHA256_S0(a) + SHA256_Maj(a, b, c);
1283 h = g;
1284 g = f;
1285 f = e;
1286 e = d + T1;
1287 d = c;
1288 c = b;
1289 b = a;
1290 a = T1 + T2;
1291 }
1292
1293 /* Add the starting values of the context according to FIPS 180-2:6.2.2
1294 step 4. */
1295 a += a_save;
1296 b += b_save;
1297 c += c_save;
1298 d += d_save;
1299 e += e_save;
1300 f += f_save;
1301 g += g_save;
1302 h += h_save;
1303
1304 /* Prepare for the next round. */
1305 nwords -= 16;
1306 }
1307
1308 /* Put checksum in context given as argument. */
1309 ctx->H[0] = a;
1310 ctx->H[1] = b;
1311 ctx->H[2] = c;
1312 ctx->H[3] = d;
1313 ctx->H[4] = e;
1314 ctx->H[5] = f;
1315 ctx->H[6] = g;
1316 ctx->H[7] = h;
1317 }
1318
1319
1320 /* Initialize structure containing state of computation.
1321 (FIPS 180-2:5.3.2) */
1322 static void rb_sha256_init_ctx(struct sha256_ctx *ctx)
1323 {
1324 ctx->H[0] = 0x6a09e667;
1325 ctx->H[1] = 0xbb67ae85;
1326 ctx->H[2] = 0x3c6ef372;
1327 ctx->H[3] = 0xa54ff53a;
1328 ctx->H[4] = 0x510e527f;
1329 ctx->H[5] = 0x9b05688c;
1330 ctx->H[6] = 0x1f83d9ab;
1331 ctx->H[7] = 0x5be0cd19;
1332
1333 ctx->total[0] = ctx->total[1] = 0;
1334 ctx->buflen = 0;
1335 }
1336
1337
1338 /* Process the remaining bytes in the internal buffer and the usual
1339 prolog according to the standard and write the result to RESBUF.
1340
1341 IMPORTANT: On some systems it is required that RESBUF is correctly
1342 aligned for a 32 bits value. */
1343 static void *rb_sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
1344 {
1345 /* Take yet unprocessed bytes into account. */
1346 uint32_t bytes = ctx->buflen, *ptr;
1347 size_t pad;
1348 unsigned int i;
1349
1350 /* Now count remaining bytes. */
1351 ctx->total[0] += bytes;
1352 if (ctx->total[0] < bytes)
1353 ++ctx->total[1];
1354
1355 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
1356 memcpy(&ctx->buffer[bytes], SHA256_fillbuf, pad);
1357
1358 /* Put the 64-bit file length in *bits* at the end of the buffer. */
1359 ptr = (uint32_t *)&ctx->buffer[bytes + pad + 4]; /* Avoid warnings about strict aliasing */
1360 *ptr = SHA256_SWAP(ctx->total[0] << 3);
1361
1362 ptr = (uint32_t *)&ctx->buffer[bytes + pad];
1363 *ptr = SHA256_SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 29));
1364
1365 /* Process last bytes. */
1366 rb_sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
1367
1368 /* Put result from CTX in first 32 bytes following RESBUF. */
1369 for (i = 0; i < 8; ++i)
1370 ((uint32_t *) resbuf)[i] = SHA256_SWAP(ctx->H[i]);
1371
1372 return resbuf;
1373 }
1374
1375
1376 static void rb_sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
1377 {
1378 /* When we already have some bits in our internal buffer concatenate
1379 both inputs first. */
1380 if (ctx->buflen != 0)
1381 {
1382 size_t left_over = ctx->buflen;
1383 size_t add = 128 - left_over > len ? len : 128 - left_over;
1384
1385 memcpy(&ctx->buffer[left_over], buffer, add);
1386 ctx->buflen += add;
1387
1388 if (ctx->buflen > 64)
1389 {
1390 rb_sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
1391
1392 ctx->buflen &= 63;
1393 /* The regions in the following copy operation cannot overlap. */
1394 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
1395 }
1396
1397 buffer = (const char *)buffer + add;
1398 len -= add;
1399 }
1400
1401 /* Process available complete blocks. */
1402 if (len >= 64)
1403 {
1404 /* To check alignment gcc has an appropriate operator. Other
1405 compilers don't. */
1406 #if __GNUC__ >= 2
1407 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
1408 #else
1409 # define SHA256_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
1410 #endif
1411 if (SHA256_UNALIGNED_P(buffer))
1412 while (len > 64)
1413 {
1414 rb_sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
1415 buffer = (const char *)buffer + 64;
1416 len -= 64;
1417 }
1418 else
1419 {
1420 rb_sha256_process_block(buffer, len & ~63, ctx);
1421 buffer = (const char *)buffer + (len & ~63);
1422 len &= 63;
1423 }
1424 }
1425
1426 /* Move remaining bytes into internal buffer. */
1427 if (len > 0)
1428 {
1429 size_t left_over = ctx->buflen;
1430
1431 memcpy(&ctx->buffer[left_over], buffer, len);
1432 left_over += len;
1433 if (left_over >= 64)
1434 {
1435 rb_sha256_process_block(ctx->buffer, 64, ctx);
1436 left_over -= 64;
1437 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
1438 }
1439 ctx->buflen = left_over;
1440 }
1441 }
1442
1443
1444 /* Define our magic string to mark salt for SHA256 "encryption"
1445 replacement. */
1446 static const char sha256_salt_prefix[] = "$5$";
1447
1448 /* Prefix for optional rounds specification. */
1449 static const char sha256_rounds_prefix[] = "rounds=";
1450
1451 /* Maximum salt string length. */
1452 #define SHA256_SALT_LEN_MAX 16
1453 /* Default number of rounds if not explicitly specified. */
1454 #define SHA256_ROUNDS_DEFAULT 5000
1455 /* Minimum number of rounds. */
1456 #define SHA256_ROUNDS_MIN 1000
1457 /* Maximum number of rounds. */
1458 #define SHA256_ROUNDS_MAX 999999999
1459
1460 static char *rb_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
1461 {
1462 unsigned char alt_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1463 unsigned char temp_result[32] __attribute__ ((__aligned__(__alignof__(uint32_t))));
1464 struct sha256_ctx ctx;
1465 struct sha256_ctx alt_ctx;
1466 size_t salt_len;
1467 size_t key_len;
1468 size_t cnt;
1469 char *cp;
1470 char *copied_key = NULL;
1471 char *copied_salt = NULL;
1472 char *p_bytes;
1473 char *s_bytes;
1474 /* Default number of rounds. */
1475 size_t rounds = SHA256_ROUNDS_DEFAULT;
1476 int rounds_custom = 0;
1477
1478 /* Find beginning of salt string. The prefix should normally always
1479 be present. Just in case it is not. */
1480 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
1481 /* Skip salt prefix. */
1482 salt += sizeof(sha256_salt_prefix) - 1;
1483
1484 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0)
1485 {
1486 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
1487 char *endp;
1488 unsigned long int srounds = strtoul(num, &endp, 10);
1489 if (*endp == '$')
1490 {
1491 salt = endp + 1;
1492 rounds = MAX(SHA256_ROUNDS_MIN, MIN(srounds, SHA256_ROUNDS_MAX));
1493 rounds_custom = 1;
1494 }
1495 }
1496
1497 salt_len = MIN(strcspn(salt, "$"), SHA256_SALT_LEN_MAX);
1498 key_len = strlen(key);
1499
1500 if ((key - (char *)0) % __alignof__(uint32_t) != 0)
1501 {
1502 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t));
1503 key = copied_key =
1504 memcpy(tmp + __alignof__(uint32_t)
1505 - (tmp - (char *)0) % __alignof__(uint32_t), key, key_len);
1506 }
1507
1508 if ((salt - (char *)0) % __alignof__(uint32_t) != 0)
1509 {
1510 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t));
1511 salt = copied_salt =
1512 memcpy(tmp + __alignof__(uint32_t)
1513 - (tmp - (char *)0) % __alignof__(uint32_t), salt, salt_len);
1514 }
1515
1516 /* Prepare for the real work. */
1517 rb_sha256_init_ctx(&ctx);
1518
1519 /* Add the key string. */
1520 rb_sha256_process_bytes(key, key_len, &ctx);
1521
1522 /* The last part is the salt string. This must be at most 16
1523 characters and it ends at the first `$' character (for
1524 compatibility with existing implementations). */
1525 rb_sha256_process_bytes(salt, salt_len, &ctx);
1526
1527
1528 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
1529 final result will be added to the first context. */
1530 rb_sha256_init_ctx(&alt_ctx);
1531
1532 /* Add key. */
1533 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1534
1535 /* Add salt. */
1536 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1537
1538 /* Add key again. */
1539 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1540
1541 /* Now get result of this (32 bytes) and add it to the other
1542 context. */
1543 rb_sha256_finish_ctx(&alt_ctx, alt_result);
1544
1545 /* Add for any character in the key one byte of the alternate sum. */
1546 for (cnt = key_len; cnt > 32; cnt -= 32)
1547 rb_sha256_process_bytes(alt_result, 32, &ctx);
1548 rb_sha256_process_bytes(alt_result, cnt, &ctx);
1549
1550 /* Take the binary representation of the length of the key and for every
1551 1 add the alternate sum, for every 0 the key. */
1552 for (cnt = key_len; cnt > 0; cnt >>= 1)
1553 if ((cnt & 1) != 0)
1554 rb_sha256_process_bytes(alt_result, 32, &ctx);
1555 else
1556 rb_sha256_process_bytes(key, key_len, &ctx);
1557
1558 /* Create intermediate result. */
1559 rb_sha256_finish_ctx(&ctx, alt_result);
1560
1561 /* Start computation of P byte sequence. */
1562 rb_sha256_init_ctx(&alt_ctx);
1563
1564 /* For every character in the password add the entire password. */
1565 for (cnt = 0; cnt < key_len; ++cnt)
1566 rb_sha256_process_bytes(key, key_len, &alt_ctx);
1567
1568 /* Finish the digest. */
1569 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1570
1571 /* Create byte sequence P. */
1572 cp = p_bytes = alloca(key_len);
1573 for (cnt = key_len; cnt >= 32; cnt -= 32)
1574 {
1575 memcpy(cp, temp_result, 32);
1576 cp += 32;
1577 }
1578 memcpy(cp, temp_result, cnt);
1579
1580 /* Start computation of S byte sequence. */
1581 rb_sha256_init_ctx(&alt_ctx);
1582
1583 /* For every character in the password add the entire password. */
1584 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
1585 rb_sha256_process_bytes(salt, salt_len, &alt_ctx);
1586
1587 /* Finish the digest. */
1588 rb_sha256_finish_ctx(&alt_ctx, temp_result);
1589
1590 /* Create byte sequence S. */
1591 cp = s_bytes = alloca(salt_len);
1592 for (cnt = salt_len; cnt >= 32; cnt -= 32)
1593 {
1594 memcpy(cp, temp_result, 32);
1595 cp += 32;
1596 }
1597 memcpy(cp, temp_result, cnt);
1598
1599 /* Repeatedly run the collected hash value through SHA256 to burn
1600 CPU cycles. */
1601 for (cnt = 0; cnt < rounds; ++cnt)
1602 {
1603 /* New context. */
1604 rb_sha256_init_ctx(&ctx);
1605
1606 /* Add key or last result. */
1607 if ((cnt & 1) != 0)
1608 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1609 else
1610 rb_sha256_process_bytes(alt_result, 32, &ctx);
1611
1612 /* Add salt for numbers not divisible by 3. */
1613 if (cnt % 3 != 0)
1614 rb_sha256_process_bytes(s_bytes, salt_len, &ctx);
1615
1616 /* Add key for numbers not divisible by 7. */
1617 if (cnt % 7 != 0)
1618 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1619
1620 /* Add key or last result. */
1621 if ((cnt & 1) != 0)
1622 rb_sha256_process_bytes(alt_result, 32, &ctx);
1623 else
1624 rb_sha256_process_bytes(p_bytes, key_len, &ctx);
1625
1626 /* Create intermediate result. */
1627 rb_sha256_finish_ctx(&ctx, alt_result);
1628 }
1629
1630 /* Now we can construct the result string. It consists of three
1631 parts. */
1632 memset(buffer, '\0', MAX(0, buflen));
1633 strncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
1634 if((cp = strchr(buffer, '\0')) == NULL)
1635 cp = buffer + MAX(0, buflen);
1636 buflen -= sizeof(sha256_salt_prefix) - 1;
1637
1638 if (rounds_custom)
1639 {
1640 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
1641 sha256_rounds_prefix, rounds);
1642 cp += n;
1643 buflen -= n;
1644 }
1645
1646 memset(cp, '\0', salt_len);
1647 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
1648 if((cp = strchr(buffer, '\0')) == NULL)
1649 cp += salt_len;
1650 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
1651
1652 if (buflen > 0)
1653 {
1654 *cp++ = '$';
1655 --buflen;
1656 }
1657
1658 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
1659 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
1660 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
1661 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
1662 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
1663 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
1664 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
1665 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
1666 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
1667 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
1668 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
1669 if (buflen <= 0)
1670 {
1671 errno = ERANGE;
1672 buffer = NULL;
1673 }
1674 else
1675 *cp = '\0'; /* Terminate the string. */
1676
1677 /* Clear the buffer for the intermediate result so that people
1678 attaching to processes or reading core dumps cannot get any
1679 information. We do it in this way to clear correct_words[]
1680 inside the SHA256 implementation as well. */
1681 rb_sha256_init_ctx(&ctx);
1682 rb_sha256_finish_ctx(&ctx, alt_result);
1683 memset(temp_result, '\0', sizeof(temp_result));
1684 memset(p_bytes, '\0', key_len);
1685 memset(s_bytes, '\0', salt_len);
1686 memset(&ctx, '\0', sizeof(ctx));
1687 memset(&alt_ctx, '\0', sizeof(alt_ctx));
1688 if (copied_key != NULL)
1689 memset(copied_key, '\0', key_len);
1690 if (copied_salt != NULL)
1691 memset(copied_salt, '\0', salt_len);
1692
1693 return buffer;
1694 }
1695
1696
1697 /* This entry point is equivalent to the `crypt' function in Unix
1698 libcs. */
1699 static char *rb_sha256_crypt(const char *key, const char *salt)
1700 {
1701 /* We don't want to have an arbitrary limit in the size of the
1702 password. We can compute an upper bound for the size of the
1703 result in advance and so we can prepare the buffer we pass to
1704 `rb_sha256_crypt_r'. */
1705 static char *buffer;
1706 static int buflen;
1707 int needed = (sizeof(sha256_salt_prefix) - 1
1708 + sizeof(sha256_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 43 + 1);
1709
1710 char *new_buffer = (char *)malloc(needed);
1711 if (new_buffer == NULL)
1712 return NULL;
1713
1714 buffer = new_buffer;
1715 buflen = needed;
1716
1717 return rb_sha256_crypt_r(key, salt, buffer, buflen);
1718 }
1719
1720 /* Structure to save state of computation between the single steps. */
1721 struct sha512_ctx
1722 {
1723 uint64_t H[8];
1724
1725 uint64_t total[2];
1726 uint64_t buflen;
1727 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
1728 };
1729
1730
1731 #ifndef WORDS_BIGENDIAN
1732 # define SHA512_SWAP(n) \
1733 (((n) << 56) \
1734 | (((n) & 0xff00) << 40) \
1735 | (((n) & 0xff0000) << 24) \
1736 | (((n) & 0xff000000) << 8) \
1737 | (((n) >> 8) & 0xff000000) \
1738 | (((n) >> 24) & 0xff0000) \
1739 | (((n) >> 40) & 0xff00) \
1740 | ((n) >> 56))
1741 #else
1742 # define SHA512_SWAP(n) (n)
1743 #endif
1744
1745
1746 /* This array contains the bytes used to pad the buffer to the next
1747 64-byte boundary. (FIPS 180-2:5.1.2) */
1748 static const unsigned char SHA512_fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
1749
1750
1751 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
1752 static const uint64_t SHA512_K[80] = {
1753 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
1754 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
1755 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
1756 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
1757 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
1758 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
1759 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
1760 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
1761 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
1762 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
1763 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
1764 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
1765 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
1766 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
1767 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
1768 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
1769 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
1770 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
1771 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
1772 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
1773 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
1774 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
1775 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
1776 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
1777 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
1778 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
1779 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
1780 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
1781 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
1782 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
1783 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
1784 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
1785 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
1786 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
1787 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
1788 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
1789 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
1790 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
1791 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
1792 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
1793 };
1794
1795
1796 /* Process LEN bytes of BUFFER, accumulating context into CTX.
1797 It is assumed that LEN % 128 == 0. */
1798 static void rb_sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
1799 {
1800 const uint64_t *words = buffer;
1801 size_t nwords = len / sizeof(uint64_t);
1802 uint64_t a = ctx->H[0];
1803 uint64_t b = ctx->H[1];
1804 uint64_t c = ctx->H[2];
1805 uint64_t d = ctx->H[3];
1806 uint64_t e = ctx->H[4];
1807 uint64_t f = ctx->H[5];
1808 uint64_t g = ctx->H[6];
1809 uint64_t h = ctx->H[7];
1810
1811 /* First increment the byte count. FIPS 180-2 specifies the possible
1812 length of the file up to 2^128 bits. Here we only compute the
1813 number of bytes. Do a double word increment. */
1814 ctx->total[0] += len;
1815 if (ctx->total[0] < len)
1816 ++ctx->total[1];
1817
1818 /* Process all bytes in the buffer with 128 bytes in each round of
1819 the loop. */
1820 while (nwords > 0)
1821 {
1822 uint64_t W[80];
1823 uint64_t a_save = a;
1824 uint64_t b_save = b;
1825 uint64_t c_save = c;
1826 uint64_t d_save = d;
1827 uint64_t e_save = e;
1828 uint64_t f_save = f;
1829 uint64_t g_save = g;
1830 uint64_t h_save = h;
1831 unsigned int t;
1832
1833 /* Operators defined in FIPS 180-2:4.1.2. */
1834 #define SHA512_Ch(x, y, z) ((x & y) ^ (~x & z))
1835 #define SHA512_Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
1836 #define SHA512_S0(x) (SHA512_CYCLIC (x, 28) ^ SHA512_CYCLIC (x, 34) ^ SHA512_CYCLIC (x, 39))
1837 #define SHA512_S1(x) (SHA512_CYCLIC (x, 14) ^ SHA512_CYCLIC (x, 18) ^ SHA512_CYCLIC (x, 41))
1838 #define SHA512_R0(x) (SHA512_CYCLIC (x, 1) ^ SHA512_CYCLIC (x, 8) ^ (x >> 7))
1839 #define SHA512_R1(x) (SHA512_CYCLIC (x, 19) ^ SHA512_CYCLIC (x, 61) ^ (x >> 6))
1840
1841 /* It is unfortunate that C does not provide an operator for
1842 cyclic rotation. Hope the C compiler is smart enough. */
1843 #define SHA512_CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
1844
1845 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
1846 for (t = 0; t < 16; ++t)
1847 {
1848 W[t] = SHA512_SWAP(*words);
1849 ++words;
1850 }
1851 for (t = 16; t < 80; ++t)
1852 W[t] = SHA512_R1(W[t - 2]) + W[t - 7] + SHA512_R0(W[t - 15]) + W[t - 16];
1853
1854 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
1855 for (t = 0; t < 80; ++t)
1856 {
1857 uint64_t T1 = h + SHA512_S1(e) + SHA512_Ch(e, f, g) + SHA512_K[t] + W[t];
1858 uint64_t T2 = SHA512_S0(a) + SHA512_Maj(a, b, c);
1859 h = g;
1860 g = f;
1861 f = e;
1862 e = d + T1;
1863 d = c;
1864 c = b;
1865 b = a;
1866 a = T1 + T2;
1867 }
1868
1869 /* Add the starting values of the context according to FIPS 180-2:6.3.2
1870 step 4. */
1871 a += a_save;
1872 b += b_save;
1873 c += c_save;
1874 d += d_save;
1875 e += e_save;
1876 f += f_save;
1877 g += g_save;
1878 h += h_save;
1879
1880 /* Prepare for the next round. */
1881 nwords -= 16;
1882 }
1883
1884 /* Put checksum in context given as argument. */
1885 ctx->H[0] = a;
1886 ctx->H[1] = b;
1887 ctx->H[2] = c;
1888 ctx->H[3] = d;
1889 ctx->H[4] = e;
1890 ctx->H[5] = f;
1891 ctx->H[6] = g;
1892 ctx->H[7] = h;
1893 }
1894
1895
1896 /* Initialize structure containing state of computation.
1897 (FIPS 180-2:5.3.3) */
1898 static void rb_sha512_init_ctx(struct sha512_ctx *ctx)
1899 {
1900 ctx->H[0] = 0x6a09e667f3bcc908ULL;
1901 ctx->H[1] = 0xbb67ae8584caa73bULL;
1902 ctx->H[2] = 0x3c6ef372fe94f82bULL;
1903 ctx->H[3] = 0xa54ff53a5f1d36f1ULL;
1904 ctx->H[4] = 0x510e527fade682d1ULL;
1905 ctx->H[5] = 0x9b05688c2b3e6c1fULL;
1906 ctx->H[6] = 0x1f83d9abfb41bd6bULL;
1907 ctx->H[7] = 0x5be0cd19137e2179ULL;
1908
1909 ctx->total[0] = ctx->total[1] = 0;
1910 ctx->buflen = 0;
1911 }
1912
1913
1914 /* Process the remaining bytes in the internal buffer and the usual
1915 prolog according to the standard and write the result to RESBUF.
1916
1917 IMPORTANT: On some systems it is required that RESBUF is correctly
1918 aligned for a 32 bits value. */
1919 static void *rb_sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
1920 {
1921 /* Take yet unprocessed bytes into account. */
1922 uint64_t bytes = ctx->buflen, *ptr;
1923 size_t pad;
1924 unsigned int i;
1925
1926 /* Now count remaining bytes. */
1927 ctx->total[0] += bytes;
1928 if (ctx->total[0] < bytes)
1929 ++ctx->total[1];
1930
1931 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
1932 memcpy(&ctx->buffer[bytes], SHA512_fillbuf, pad);
1933
1934 /* Put the 128-bit file length in *bits* at the end of the buffer. */
1935 ptr = (uint64_t *)&ctx->buffer[bytes + pad + 8]; /* Avoid warnings about strict aliasing */
1936 *ptr = SHA512_SWAP(ctx->total[0] << 3);
1937
1938 ptr = (uint64_t *)&ctx->buffer[bytes + pad];
1939 *ptr = SHA512_SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 61));
1940
1941 /* Process last bytes. */
1942 rb_sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
1943
1944 /* Put result from CTX in first 64 bytes following RESBUF. */
1945 for (i = 0; i < 8; ++i)
1946 ((uint64_t *) resbuf)[i] = SHA512_SWAP(ctx->H[i]);
1947
1948 return resbuf;
1949 }
1950
1951
1952 static void rb_sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
1953 {
1954 /* When we already have some bits in our internal buffer concatenate
1955 both inputs first. */
1956 if (ctx->buflen != 0)
1957 {
1958 size_t left_over = ctx->buflen;
1959 size_t add = 256 - left_over > len ? len : 256 - left_over;
1960
1961 memcpy(&ctx->buffer[left_over], buffer, add);
1962 ctx->buflen += add;
1963
1964 if (ctx->buflen > 128)
1965 {
1966 rb_sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
1967
1968 ctx->buflen &= 127;
1969 /* The regions in the following copy operation cannot overlap. */
1970 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], ctx->buflen);
1971 }
1972
1973 buffer = (const char *)buffer + add;
1974 len -= add;
1975 }
1976
1977 /* Process available complete blocks. */
1978 if (len >= 128)
1979 {
1980 #if !_STRING_ARCH_unaligned
1981 /* To check alignment gcc has an appropriate operator. Other
1982 compilers don't. */
1983 # if __GNUC__ >= 2
1984 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
1985 # else
1986 # define SHA512_UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
1987 # endif
1988 if (SHA512_UNALIGNED_P(buffer))
1989 while (len > 128)
1990 {
1991 rb_sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, ctx);
1992 buffer = (const char *)buffer + 128;
1993 len -= 128;
1994 }
1995 else
1996 #endif
1997 {
1998 rb_sha512_process_block(buffer, len & ~127, ctx);
1999 buffer = (const char *)buffer + (len & ~127);
2000 len &= 127;
2001 }
2002 }
2003
2004 /* Move remaining bytes into internal buffer. */
2005 if (len > 0)
2006 {
2007 size_t left_over = ctx->buflen;
2008
2009 memcpy(&ctx->buffer[left_over], buffer, len);
2010 left_over += len;
2011 if (left_over >= 128)
2012 {
2013 rb_sha512_process_block(ctx->buffer, 128, ctx);
2014 left_over -= 128;
2015 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
2016 }
2017 ctx->buflen = left_over;
2018 }
2019 }
2020
2021
2022 /* Define our magic string to mark salt for SHA512 "encryption"
2023 replacement. */
2024 static const char sha512_salt_prefix[] = "$6$";
2025
2026 /* Prefix for optional rounds specification. */
2027 static const char sha512_rounds_prefix[] = "rounds=";
2028
2029 /* Maximum salt string length. */
2030 #define SHA512_SALT_LEN_MAX 16
2031 /* Default number of rounds if not explicitly specified. */
2032 #define SHA512_ROUNDS_DEFAULT 5000
2033 /* Minimum number of rounds. */
2034 #define SHA512_ROUNDS_MIN 1000
2035 /* Maximum number of rounds. */
2036 #define SHA512_ROUNDS_MAX 999999999
2037
2038 static char *rb_sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
2039 {
2040 unsigned char alt_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2041 unsigned char temp_result[64] __attribute__ ((__aligned__(__alignof__(uint64_t))));
2042 struct sha512_ctx ctx;
2043 struct sha512_ctx alt_ctx;
2044 size_t salt_len;
2045 size_t key_len;
2046 size_t cnt;
2047 char *cp;
2048 char *copied_key = NULL;
2049 char *copied_salt = NULL;
2050 char *p_bytes;
2051 char *s_bytes;
2052 /* Default number of rounds. */
2053 size_t rounds = SHA512_ROUNDS_DEFAULT;
2054 int rounds_custom = 0;
2055
2056 /* Find beginning of salt string. The prefix should normally always
2057 be present. Just in case it is not. */
2058 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
2059 /* Skip salt prefix. */
2060 salt += sizeof(sha512_salt_prefix) - 1;
2061
2062 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) == 0)
2063 {
2064 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
2065 char *endp;
2066 unsigned long int srounds = strtoul(num, &endp, 10);
2067 if (*endp == '$')
2068 {
2069 salt = endp + 1;
2070 rounds = MAX(SHA512_ROUNDS_MIN, MIN(srounds, SHA512_ROUNDS_MAX));
2071 rounds_custom = 1;
2072 }
2073 }
2074
2075 salt_len = MIN(strcspn(salt, "$"), SHA512_SALT_LEN_MAX);
2076 key_len = strlen(key);
2077
2078 if ((key - (char *)0) % __alignof__(uint64_t) != 0)
2079 {
2080 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
2081 key = copied_key =
2082 memcpy(tmp + __alignof__(uint64_t)
2083 - (tmp - (char *)0) % __alignof__(uint64_t), key, key_len);
2084 }
2085
2086 if ((salt - (char *)0) % __alignof__(uint64_t) != 0)
2087 {
2088 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
2089 salt = copied_salt =
2090 memcpy(tmp + __alignof__(uint64_t)
2091 - (tmp - (char *)0) % __alignof__(uint64_t), salt, salt_len);
2092 }
2093
2094 /* Prepare for the real work. */
2095 rb_sha512_init_ctx(&ctx);
2096
2097 /* Add the key string. */
2098 rb_sha512_process_bytes(key, key_len, &ctx);
2099
2100 /* The last part is the salt string. This must be at most 16
2101 characters and it ends at the first `$' character (for
2102 compatibility with existing implementations). */
2103 rb_sha512_process_bytes(salt, salt_len, &ctx);
2104
2105
2106 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
2107 final result will be added to the first context. */
2108 rb_sha512_init_ctx(&alt_ctx);
2109
2110 /* Add key. */
2111 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2112
2113 /* Add salt. */
2114 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2115
2116 /* Add key again. */
2117 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2118
2119 /* Now get result of this (64 bytes) and add it to the other
2120 context. */
2121 rb_sha512_finish_ctx(&alt_ctx, alt_result);
2122
2123 /* Add for any character in the key one byte of the alternate sum. */
2124 for (cnt = key_len; cnt > 64; cnt -= 64)
2125 rb_sha512_process_bytes(alt_result, 64, &ctx);
2126 rb_sha512_process_bytes(alt_result, cnt, &ctx);
2127
2128 /* Take the binary representation of the length of the key and for every
2129 1 add the alternate sum, for every 0 the key. */
2130 for (cnt = key_len; cnt > 0; cnt >>= 1)
2131 if ((cnt & 1) != 0)
2132 rb_sha512_process_bytes(alt_result, 64, &ctx);
2133 else
2134 rb_sha512_process_bytes(key, key_len, &ctx);
2135
2136 /* Create intermediate result. */
2137 rb_sha512_finish_ctx(&ctx, alt_result);
2138
2139 /* Start computation of P byte sequence. */
2140 rb_sha512_init_ctx(&alt_ctx);
2141
2142 /* For every character in the password add the entire password. */
2143 for (cnt = 0; cnt < key_len; ++cnt)
2144 rb_sha512_process_bytes(key, key_len, &alt_ctx);
2145
2146 /* Finish the digest. */
2147 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2148
2149 /* Create byte sequence P. */
2150 cp = p_bytes = alloca(key_len);
2151 for (cnt = key_len; cnt >= 64; cnt -= 64)
2152 {
2153 memcpy(cp, temp_result, 64);
2154 cp += 64;
2155 }
2156 memcpy(cp, temp_result, cnt);
2157
2158 /* Start computation of S byte sequence. */
2159 rb_sha512_init_ctx(&alt_ctx);
2160
2161 /* For every character in the password add the entire password. */
2162 for (cnt = 0; cnt < (size_t)(16 + alt_result[0]); ++cnt)
2163 rb_sha512_process_bytes(salt, salt_len, &alt_ctx);
2164
2165 /* Finish the digest. */
2166 rb_sha512_finish_ctx(&alt_ctx, temp_result);
2167
2168 /* Create byte sequence S. */
2169 cp = s_bytes = alloca(salt_len);
2170 for (cnt = salt_len; cnt >= 64; cnt -= 64)
2171 {
2172 memcpy(cp, temp_result, 64);
2173 cp += 64;
2174 }
2175 memcpy(cp, temp_result, cnt);
2176
2177 /* Repeatedly run the collected hash value through SHA512 to burn
2178 CPU cycles. */
2179 for (cnt = 0; cnt < rounds; ++cnt)
2180 {
2181 /* New context. */
2182 rb_sha512_init_ctx(&ctx);
2183
2184 /* Add key or last result. */
2185 if ((cnt & 1) != 0)
2186 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2187 else
2188 rb_sha512_process_bytes(alt_result, 64, &ctx);
2189
2190 /* Add salt for numbers not divisible by 3. */
2191 if (cnt % 3 != 0)
2192 rb_sha512_process_bytes(s_bytes, salt_len, &ctx);
2193
2194 /* Add key for numbers not divisible by 7. */
2195 if (cnt % 7 != 0)
2196 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2197
2198 /* Add key or last result. */
2199 if ((cnt & 1) != 0)
2200 rb_sha512_process_bytes(alt_result, 64, &ctx);
2201 else
2202 rb_sha512_process_bytes(p_bytes, key_len, &ctx);
2203
2204 /* Create intermediate result. */
2205 rb_sha512_finish_ctx(&ctx, alt_result);
2206 }
2207
2208 /* Now we can construct the result string. It consists of three
2209 parts. */
2210 memset(buffer, '\0', MAX(0, buflen));
2211 strncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
2212 if((cp = strchr(buffer, '\0')) == NULL)
2213 cp = buffer + MAX(0, buflen);
2214 buflen -= sizeof(sha512_salt_prefix) - 1;
2215
2216 if (rounds_custom)
2217 {
2218 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
2219 sha512_rounds_prefix, rounds);
2220 cp += n;
2221 buflen -= n;
2222 }
2223
2224 memset(cp, '\0', MIN((size_t) MAX(0, buflen), salt_len));
2225 strncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
2226 if((cp = strchr(buffer, '\0')) == NULL)
2227 cp = buffer + salt_len;
2228 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
2229
2230 if (buflen > 0)
2231 {
2232 *cp++ = '$';
2233 --buflen;
2234 }
2235
2236 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
2237 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
2238 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
2239 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
2240 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
2241 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
2242 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
2243 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
2244 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
2245 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
2246 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
2247 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
2248 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
2249 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
2250 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
2251 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
2252 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
2253 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
2254 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
2255 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
2256 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
2257 b64_from_24bit(0, 0, alt_result[63], 2);
2258
2259 if (buflen <= 0)
2260 {
2261 errno = ERANGE;
2262 buffer = NULL;
2263 }
2264 else
2265 *cp = '\0'; /* Terminate the string. */
2266
2267 /* Clear the buffer for the intermediate result so that people
2268 attaching to processes or reading core dumps cannot get any
2269 information. We do it in this way to clear correct_words[]
2270 inside the SHA512 implementation as well. */
2271 rb_sha512_init_ctx(&ctx);
2272 rb_sha512_finish_ctx(&ctx, alt_result);
2273 memset(temp_result, '\0', sizeof(temp_result));
2274 memset(p_bytes, '\0', key_len);
2275 memset(s_bytes, '\0', salt_len);
2276 memset(&ctx, '\0', sizeof(ctx));
2277 memset(&alt_ctx, '\0', sizeof(alt_ctx));
2278 if (copied_key != NULL)
2279 memset(copied_key, '\0', key_len);
2280 if (copied_salt != NULL)
2281 memset(copied_salt, '\0', salt_len);
2282
2283 return buffer;
2284 }
2285
2286
2287 /* This entry point is equivalent to the `crypt' function in Unix
2288 libcs. */
2289 static char *rb_sha512_crypt(const char *key, const char *salt)
2290 {
2291 /* We don't want to have an arbitrary limit in the size of the
2292 password. We can compute an upper bound for the size of the
2293 result in advance and so we can prepare the buffer we pass to
2294 `rb_sha512_crypt_r'. */
2295 static char *buffer;
2296 static int buflen;
2297 int needed = (sizeof(sha512_salt_prefix) - 1
2298 + sizeof(sha512_rounds_prefix) + 9 + 1 + strlen(salt) + 1 + 86 + 1);
2299
2300 if (buflen < needed)
2301 {
2302 char *new_buffer = (char *)realloc(buffer, needed);
2303 if (new_buffer == NULL)
2304 return NULL;
2305
2306 buffer = new_buffer;
2307 buflen = needed;
2308 }
2309
2310 return rb_sha512_crypt_r(key, salt, buffer, buflen);
2311 }
Fork of solanum ircd, history is rebased regularly