ref #206 : rolling back to include a crypt(3) implementation and adding sha512 support

--HG--
branch : sha512-auth
This commit is contained in:
Rodolphe Breard 2014-09-26 22:30:56 +02:00
parent 5c2cc95dc9
commit 65b902970a
6 changed files with 1358 additions and 32 deletions

View file

@ -57,7 +57,7 @@
#include "release.h" #include "release.h"
#include "bg_downloader_access.h" #include "bg_downloader_access.h"
#include "game_share/ccrypt.h" #include "game_share/crypt.h"
#include "game_share/bg_downloader_msg.h" #include "game_share/bg_downloader_msg.h"
#include "misc.h" #include "misc.h"

View file

@ -1,30 +0,0 @@
// Ryzom - MMORPG Framework <http://dev.ryzom.com/projects/ryzom/>
// Copyright (C) 2010 Winch Gate Property Limited
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
#include "stdpch.h"
#include "ccrypt.h"
#define _GNU_SOURCE 1
#include <crypt.h>
// Crypts password using salt
std::string CCrypt::crypt(const std::string& password, const std::string& salt)
{
std::string result = ::crypt(password.c_str(), salt.c_str());
return result;
}

View file

@ -0,0 +1,985 @@
// Ryzom - MMORPG Framework <http://dev.ryzom.com/projects/ryzom/>
// Copyright (C) 2010 Winch Gate Property Limited
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
#include "stdpch.h"
#include "crypt.h"
char * rz_crypt(register const char *key, register const char *setting);
char *__crypt_sha512(const char *key, const char *setting, char *output);
// Crypts password using salt
std::string CCrypt::crypt(const std::string& password, const std::string& salt)
{
std::string result = ::rz_crypt(password.c_str(), salt.c_str());
return result;
}
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Tom Truscott.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char rz_sccsid[] = "@(#)crypt.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
/* #include <unistd.h> */
#include <stdio.h>
#include <limits.h>
#define RZ__PASSWORD_EFMT1 '-'
#if DEBUG_CRYPT
void prtab(char *s, unsigned char *t, int num_rows);
#endif
/*
* UNIX password, and DES, encryption.
* By Tom Truscott, trt@rti.rti.org,
* from algorithms by Robert W. Baldwin and James Gillogly.
*
* References:
* "Mathematical Cryptology for Computer Scientists and Mathematicians,"
* by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
*
* "Password Security: A Case History," R. Morris and Ken Thompson,
* Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
*
* "DES will be Totally Insecure within Ten Years," M.E. Hellman,
* IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
*/
/* ===== Configuration ==================== */
/*
* define "MUST_ALIGN" if your compiler cannot load/store
* long integers at arbitrary (e.g. odd) memory locations.
* (Either that or never pass unaligned addresses to des_cipher!)
*/
#if !defined(vax)
#define MUST_ALIGN
#endif
#ifdef CHAR_BITS
#if CHAR_BITS != 8
#error C_block structure assumes 8 bit characters
#endif
#endif
/*
* define "LONG_IS_32_BITS" only if sizeof(long)==4.
* This avoids use of bit fields (your compiler may be sloppy with them).
*/
#if !defined(cray) && !defined(__LP64__) && !defined(_LP64)
#define LONG_IS_32_BITS
#endif
/*
* define "B64" to be the declaration for a 64 bit integer.
* XXX this feature is currently unused, see "endian" comment below.
*/
#if defined(cray) || defined(__LP64__) || defined(_LP64)
#define B64 long
#endif
#if defined(convex)
#define B64 long long
#endif
/*
* define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
* of lookup tables. This speeds up des_setkey() and des_cipher(), but has
* little effect on crypt().
*/
#if defined(notdef)
#define LARGEDATA
#endif
/* ==================================== */
/*
* Cipher-block representation (Bob Baldwin):
*
* DES operates on groups of 64 bits, numbered 1..64 (sigh). One
* representation is to store one bit per byte in an array of bytes. Bit N of
* the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
* Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
* first byte, 9..16 in the second, and so on. The DES spec apparently has
* bit 1 in the MSB of the first byte, but that is particularly noxious so we
* bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
* the MSB of the first byte. Specifically, the 64-bit input data and key are
* converted to LSB format, and the output 64-bit block is converted back into
* MSB format.
*
* DES operates internally on groups of 32 bits which are expanded to 48 bits
* by permutation E and shrunk back to 32 bits by the S boxes. To speed up
* the computation, the expansion is applied only once, the expanded
* representation is maintained during the encryption, and a compression
* permutation is applied only at the end. To speed up the S-box lookups,
* the 48 bits are maintained as eight 6 bit groups, one per byte, which
* directly feed the eight S-boxes. Within each byte, the 6 bits are the
* most significant ones. The low two bits of each byte are zero. (Thus,
* bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
* first byte in the eight byte representation, bit 2 of the 48 bit value is
* the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
* used, in which the output is the 64 bit result of an S-box lookup which
* has been permuted by P and expanded by E, and is ready for use in the next
* iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
* lookup. Since each byte in the 48 bit path is a multiple of four, indexed
* lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
* "salt" are also converted to this 8*(6+2) format. The SPE table size is
* 8*64*8 = 4K bytes.
*
* To speed up bit-parallel operations (such as XOR), the 8 byte
* representation is "union"ed with 32 bit values "i0" and "i1", and, on
* machines which support it, a 64 bit value "b64". This data structure,
* "C_block", has two problems. First, alignment restrictions must be
* honored. Second, the byte-order (e.g. little-endian or big-endian) of
* the architecture becomes visible.
*
* The byte-order problem is unfortunate, since on the one hand it is good
* to have a machine-independent C_block representation (bits 1..8 in the
* first byte, etc.), and on the other hand it is good for the LSB of the
* first byte to be the LSB of i0. We cannot have both these things, so we
* currently use the "little-endian" representation and avoid any multi-byte
* operations that depend on byte order. This largely precludes use of the
* 64-bit datatype since the relative order of i0 and i1 are unknown. It
* also inhibits grouping the SPE table to look up 12 bits at a time. (The
* 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
* high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
* other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
* requires a 128 kilobyte table, so perhaps this is not a big loss.
*
* Permutation representation (Jim Gillogly):
*
* A transformation is defined by its effect on each of the 8 bytes of the
* 64-bit input. For each byte we give a 64-bit output that has the bits in
* the input distributed appropriately. The transformation is then the OR
* of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
* each transformation. Unless LARGEDATA is defined, however, a more compact
* table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
* The smaller table uses 16*16*8 = 2K bytes for each transformation. This
* is slower but tolerable, particularly for password encryption in which
* the SPE transformation is iterated many times. The small tables total 9K
* bytes, the large tables total 72K bytes.
*
* The transformations used are:
* IE3264: MSB->LSB conversion, initial permutation, and expansion.
* This is done by collecting the 32 even-numbered bits and applying
* a 32->64 bit transformation, and then collecting the 32 odd-numbered
* bits and applying the same transformation. Since there are only
* 32 input bits, the IE3264 transformation table is half the size of
* the usual table.
* CF6464: Compression, final permutation, and LSB->MSB conversion.
* This is done by two trivial 48->32 bit compressions to obtain
* a 64-bit block (the bit numbering is given in the "CIFP" table)
* followed by a 64->64 bit "cleanup" transformation. (It would
* be possible to group the bits in the 64-bit block so that 2
* identical 32->32 bit transformations could be used instead,
* saving a factor of 4 in space and possibly 2 in time, but
* byte-ordering and other complications rear their ugly head.
* Similar opportunities/problems arise in the key schedule
* transforms.)
* PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
* This admittedly baroque 64->64 bit transformation is used to
* produce the first code (in 8*(6+2) format) of the key schedule.
* PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
* It would be possible to define 15 more transformations, each
* with a different rotation, to generate the entire key schedule.
* To save space, however, we instead permute each code into the
* next by using a transformation that "undoes" the PC2 permutation,
* rotates the code, and then applies PC2. Unfortunately, PC2
* transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
* invertible. We get around that problem by using a modified PC2
* which retains the 8 otherwise-lost bits in the unused low-order
* bits of each byte. The low-order bits are cleared when the
* codes are stored into the key schedule.
* PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
* This is faster than applying PC2ROT[0] twice,
*
* The Bell Labs "salt" (Bob Baldwin):
*
* The salting is a simple permutation applied to the 48-bit result of E.
* Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
* i+24 of the result are swapped. The salt is thus a 24 bit number, with
* 16777216 possible values. (The original salt was 12 bits and could not
* swap bits 13..24 with 36..48.)
*
* It is possible, but ugly, to warp the SPE table to account for the salt
* permutation. Fortunately, the conditional bit swapping requires only
* about four machine instructions and can be done on-the-fly with about an
* 8% performance penalty.
*/
typedef union {
unsigned char b[8];
struct {
#if defined(LONG_IS_32_BITS)
/* long is often faster than a 32-bit bit field */
long i0;
long i1;
#else
long i0: 32;
long i1: 32;
#endif
} b32;
#if defined(B64)
B64 b64;
#endif
} C_block;
/*
* Convert twenty-four-bit long in host-order
* to six bits (and 2 low-order zeroes) per char little-endian format.
*/
#define TO_SIX_BIT(rslt, src) { \
C_block cvt; \
cvt.b[0] = (unsigned char) (src&0xFF); src >>= 6; \
cvt.b[1] = (unsigned char) (src&0xFF); src >>= 6; \
cvt.b[2] = (unsigned char) (src&0xFF); src >>= 6; \
cvt.b[3] = (unsigned char) (src&0xFF); \
rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
}
/*
* These macros may someday permit efficient use of 64-bit integers.
*/
#define ZERO(d,d0,d1) d0 = 0, d1 = 0
#define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
#define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
#define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
#define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
#define DCL_BLOCK(d,d0,d1) long d0, d1
#if defined(LARGEDATA)
/* Waste memory like crazy. Also, do permutations in line */
#define LGCHUNKBITS 3
#define CHUNKBITS (1<<LGCHUNKBITS)
#define PERM6464(d,d0,d1,cpp,p) \
LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
#define PERM3264(d,d0,d1,cpp,p) \
LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
#else
/* "small data" */
#define LGCHUNKBITS 2
#define CHUNKBITS (1<<LGCHUNKBITS)
#define PERM6464(d,d0,d1,cpp,p) \
{ C_block tblk; rz_permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
#define PERM3264(d,d0,d1,cpp,p) \
{ C_block tblk; rz_permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
int rz_des_setkey(register const char *key);
int rz_des_cipher(const char *in, char *out, long salt, int num_iter);
void rz_init_des();
void rz_init_perm(C_block perm[64/CHUNKBITS][1<<CHUNKBITS],
unsigned char p[64], int chars_in, int chars_out);
void rz_permute(unsigned char *cp, C_block *out, register C_block *p, int chars_in) {
register DCL_BLOCK(D,D0,D1);
register C_block *tp;
register int t;
ZERO(D,D0,D1);
do {
t = *cp++;
tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
} while (--chars_in > 0);
STORE(D,D0,D1,*out);
}
#endif /* LARGEDATA */
/* ===== (mostly) Standard DES Tables ==================== */
static unsigned char IP[] = { /* initial permutation */
58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7,
};
/* The final permutation is the inverse of IP - no table is necessary */
static unsigned char ExpandTr[] = { /* expansion operation */
32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1,
};
static unsigned char PC1[] = { /* permuted choice table 1 */
57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4,
};
static unsigned char Rotates[] = { /* PC1 rotation schedule */
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
};
/* note: each "row" of PC2 is left-padded with bits that make it invertible */
static unsigned char PC2[] = { /* permuted choice table 2 */
9, 18, 14, 17, 11, 24, 1, 5,
22, 25, 3, 28, 15, 6, 21, 10,
35, 38, 23, 19, 12, 4, 26, 8,
43, 54, 16, 7, 27, 20, 13, 2,
0, 0, 41, 52, 31, 37, 47, 55,
0, 0, 30, 40, 51, 45, 33, 48,
0, 0, 44, 49, 39, 56, 34, 53,
0, 0, 46, 42, 50, 36, 29, 32,
};
static unsigned char S[8][64] = { /* 48->32 bit substitution tables */
/* S[1] */
{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
/* S[2] */
{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
/* S[3] */
{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
/* S[4] */
{ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
/* S[5] */
{ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
/* S[6] */
{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
/* S[7] */
{ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
/* S[8] */
{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
};
static unsigned char P32Tr[] = { /* 32-bit permutation function */
16, 7, 20, 21,
29, 12, 28, 17,
1, 15, 23, 26,
5, 18, 31, 10,
2, 8, 24, 14,
32, 27, 3, 9,
19, 13, 30, 6,
22, 11, 4, 25,
};
static unsigned char CIFP[] = { /* compressed/interleaved permutation */
1, 2, 3, 4, 17, 18, 19, 20,
5, 6, 7, 8, 21, 22, 23, 24,
9, 10, 11, 12, 25, 26, 27, 28,
13, 14, 15, 16, 29, 30, 31, 32,
33, 34, 35, 36, 49, 50, 51, 52,
37, 38, 39, 40, 53, 54, 55, 56,
41, 42, 43, 44, 57, 58, 59, 60,
45, 46, 47, 48, 61, 62, 63, 64,
};
static unsigned char itoa64[] = /* 0..63 => ascii-64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* ===== Tables that are initialized at run time ==================== */
static unsigned char a64toi[128]; /* ascii-64 => 0..63 */
/* Initial key schedule permutation */
static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS];
/* Subsequent key schedule rotation permutations */
static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS];
/* Initial permutation/expansion table */
static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS];
/* Table that combines the S, P, and E operations. */
static long SPE[2][8][64];
/* compressed/interleaved => final permutation table */
static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS];
/* ==================================== */
static C_block constdatablock; /* encryption constant */
static char cryptresult[1+4+4+11+1]; /* encrypted result */
/*
* Return a pointer to static data consisting of the "setting"
* followed by an encryption produced by the "key" and "setting".
*/
char * rz_crypt(register const char *key, register const char *setting) {
register char *encp;
register long i;
register int t;
long salt;
int num_iter, salt_size;
C_block keyblock, rsltblock;
#ifdef HL_NOENCRYPTION
char buff[1024];
strncpy(buff, key, 1024);
buff[1023] = 0;
return buff;
#endif
static char buf[128];
if (key[0] == '$' && key[1] == '6') {
return __crypt_sha512(key, setting, buf);
}
for (i = 0; i < 8; i++) {
if ((t = 2*(unsigned char)(*key)) != 0)
key++;
keyblock.b[i] = t;
}
if (rz_des_setkey((char *)keyblock.b)) /* also initializes "a64toi" */
return (NULL);
encp = &cryptresult[0];
switch (*setting) {
case RZ__PASSWORD_EFMT1:
/*
* Involve the rest of the password 8 characters at a time.
*/
while (*key) {
if (rz_des_cipher((char *)&keyblock,
(char *)&keyblock, 0L, 1))
return (NULL);
for (i = 0; i < 8; i++) {
if ((t = 2*(unsigned char)(*key)) != 0)
key++;
keyblock.b[i] ^= t;
}
if (rz_des_setkey((char *)keyblock.b))
return (NULL);
}
*encp++ = *setting++;
/* get iteration count */
num_iter = 0;
for (i = 4; --i >= 0; ) {
if ((t = (unsigned char)setting[i]) == '\0')
t = '.';
encp[i] = t;
num_iter = (num_iter<<6) | a64toi[t];
}
setting += 4;
encp += 4;
salt_size = 4;
break;
default:
num_iter = 25;
salt_size = 2;
}
salt = 0;
for (i = salt_size; --i >= 0; ) {
if ((t = (unsigned char)setting[i]) == '\0')
t = '.';
encp[i] = t;
salt = (salt<<6) | a64toi[t];
}
encp += salt_size;
if (rz_des_cipher((char *)&constdatablock, (char *)&rsltblock,
salt, num_iter))
return (NULL);
/*
* Encode the 64 cipher bits as 11 ascii characters.
*/
i = ((long)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) | rsltblock.b[2];
encp[3] = itoa64[i&0x3f]; i >>= 6;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i]; encp += 4;
i = ((long)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) | rsltblock.b[5];
encp[3] = itoa64[i&0x3f]; i >>= 6;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i]; encp += 4;
i = ((long)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i];
encp[3] = 0;
return (cryptresult);
}
/*
* The Key Schedule, filled in by des_setkey() or setkey().
*/
#define KS_SIZE 16
static C_block KS[KS_SIZE];
/*
* Set up the key schedule from the key.
*/
int rz_des_setkey(register const char *key) {
register DCL_BLOCK(K, K0, K1);
register C_block *ptabp;
register int i;
static int des_ready = 0;
if (!des_ready) {
rz_init_des();
des_ready = 1;
}
PERM6464(K,K0,K1,(unsigned char *)key,(C_block *)PC1ROT);
key = (char *)&KS[0];
STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key);
for (i = 1; i < 16; i++) {
key += sizeof(C_block);
STORE(K,K0,K1,*(C_block *)key);
ptabp = (C_block *)PC2ROT[Rotates[i]-1];
PERM6464(K,K0,K1,(unsigned char *)key,ptabp);
STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key);
}
return (0);
}
/*
* Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
* iterations of DES, using the given 24-bit salt and the pre-computed key
* schedule, and store the resulting 8 chars at "out" (in == out is permitted).
*
* NOTE: the performance of this routine is critically dependent on your
* compiler and machine architecture.
*/
int rz_des_cipher(const char *in, char *out, long salt, int num_iter) {
/* variables that we want in registers, most important first */
#if defined(pdp11)
register int j;
#endif
register long L0, L1, R0, R1, k;
register C_block *kp;
register int ks_inc, loop_count;
C_block B;
L0 = salt;
TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */
#if defined(vax) || defined(pdp11)
salt = ~salt; /* "x &~ y" is faster than "x & y". */
#define SALT (~salt)
#else
#define SALT salt
#endif
#if defined(MUST_ALIGN)
B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3];
B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7];
LOAD(L,L0,L1,B);
#else
LOAD(L,L0,L1,*(C_block *)in);
#endif
LOADREG(R,R0,R1,L,L0,L1);
L0 &= 0x55555555L;
L1 &= 0x55555555L;
L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */
R0 &= 0xaaaaaaaaL;
R1 = (R1 >> 1) & 0x55555555L;
L1 = R0 | R1; /* L1 is the odd-numbered input bits */
STORE(L,L0,L1,B);
PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */
PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */
if (num_iter >= 0)
{ /* encryption */
kp = &KS[0];
ks_inc = sizeof(*kp);
}
else
{ /* decryption */
num_iter = -num_iter;
kp = &KS[KS_SIZE-1];
ks_inc = -((int) sizeof(*kp));
}
while (--num_iter >= 0) {
loop_count = 8;
do {
#define SPTAB(t, i) (*(long *)((unsigned char *)t + i*(sizeof(long)/4)))
#if defined(gould)
/* use this if B.b[i] is evaluated just once ... */
#define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]);
#else
#if defined(pdp11)
/* use this if your "long" int indexing is slow */
#define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j);
#else
/* use this if "k" is allocated to a register ... */
#define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k);
#endif
#endif
#define CRUNCH(p0, p1, q0, q1) \
k = (q0 ^ q1) & SALT; \
B.b32.i0 = k ^ q0 ^ kp->b32.i0; \
B.b32.i1 = k ^ q1 ^ kp->b32.i1; \
kp = (C_block *)((char *)kp+ks_inc); \
\
DOXOR(p0, p1, 0); \
DOXOR(p0, p1, 1); \
DOXOR(p0, p1, 2); \
DOXOR(p0, p1, 3); \
DOXOR(p0, p1, 4); \
DOXOR(p0, p1, 5); \
DOXOR(p0, p1, 6); \
DOXOR(p0, p1, 7);
CRUNCH(L0, L1, R0, R1);
CRUNCH(R0, R1, L0, L1);
} while (--loop_count != 0);
kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE));
/* swap L and R */
L0 ^= R0; L1 ^= R1;
R0 ^= L0; R1 ^= L1;
L0 ^= R0; L1 ^= R1;
}
/* store the encrypted (or decrypted) result */
L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L);
L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L);
STORE(L,L0,L1,B);
PERM6464(L,L0,L1,B.b, (C_block *)CF6464);
#if defined(MUST_ALIGN)
STORE(L,L0,L1,B);
out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3];
out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7];
#else
STORE(L,L0,L1,*(C_block *)out);
#endif
return (0);
}
/*
* Initialize various tables. This need only be done once. It could even be
* done at compile time, if the compiler were capable of that sort of thing.
*/
/* STATIC */void rz_init_des() {
register int i, j;
register long k;
register int tableno;
static unsigned char perm[64], tmp32[32]; /* "static" for speed */
/*
* table that converts chars "./0-9A-Za-z"to integers 0-63.
*/
for (i = 0; i < 64; i++)
a64toi[itoa64[i]] = i;
/*
* PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
*/
for (i = 0; i < 64; i++)
perm[i] = 0;
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
k += Rotates[0]-1;
if ((k%28) < Rotates[0]) k -= 28;
k = PC1[k];
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[i] = (unsigned char) k;
}
#ifdef DEBUG_CRYPT
prtab("pc1tab", perm, 8);
#endif
rz_init_perm(PC1ROT, perm, 8, 8);
/*
* PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
*/
for (j = 0; j < 2; j++) {
unsigned char pc2inv[64];
for (i = 0; i < 64; i++)
perm[i] = pc2inv[i] = 0;
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
pc2inv[k-1] = i+1;
}
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
k += j;
if ((k%28) <= j) k -= 28;
perm[i] = pc2inv[k];
}
#ifdef DEBUG_CRYPT
prtab("pc2tab", perm, 8);
#endif
rz_init_perm(PC2ROT[j], perm, 8, 8);
}
/*
* Bit reverse, then initial permutation, then expansion.
*/
for (i = 0; i < 8; i++) {
for (j = 0; j < 8; j++) {
k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1];
if (k > 32)
k -= 32;
else if (k > 0)
k--;
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[i*8+j] = (unsigned char) k;
}
}
#ifdef DEBUG_CRYPT
prtab("ietab", perm, 8);
#endif
rz_init_perm(IE3264, perm, 4, 8);
/*
* Compression, then final permutation, then bit reverse.
*/
for (i = 0; i < 64; i++) {
k = IP[CIFP[i]-1];
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[k-1] = i+1;
}
#ifdef DEBUG_CRYPT
prtab("cftab", perm, 8);
#endif
rz_init_perm(CF6464, perm, 8, 8);
/*
* SPE table
*/
for (i = 0; i < 48; i++)
perm[i] = P32Tr[ExpandTr[i]-1];
for (tableno = 0; tableno < 8; tableno++) {
for (j = 0; j < 64; j++) {
k = (((j >> 0) &01) << 5)|
(((j >> 1) &01) << 3)|
(((j >> 2) &01) << 2)|
(((j >> 3) &01) << 1)|
(((j >> 4) &01) << 0)|
(((j >> 5) &01) << 4);
k = S[tableno][k];
k = (((k >> 3)&01) << 0)|
(((k >> 2)&01) << 1)|
(((k >> 1)&01) << 2)|
(((k >> 0)&01) << 3);
for (i = 0; i < 32; i++)
tmp32[i] = 0;
for (i = 0; i < 4; i++)
tmp32[4 * tableno + i] = (unsigned char)((k >> i) & 01);
k = 0;
for (i = 24; --i >= 0; )
k = (k<<1) | tmp32[perm[i]-1];
TO_SIX_BIT(SPE[0][tableno][j], k);
k = 0;
for (i = 24; --i >= 0; )
k = (k<<1) | tmp32[perm[i+24]-1];
TO_SIX_BIT(SPE[1][tableno][j], k);
}
}
}
/*
* Initialize "perm" to represent transformation "p", which rearranges
* (perhaps with expansion and/or contraction) one packed array of bits
* (of size "chars_in" characters) into another array (of size "chars_out"
* characters).
*
* "perm" must be all-zeroes on entry to this routine.
*/
/* STATIC */void rz_init_perm(C_block perm[64/CHUNKBITS][1<<CHUNKBITS],
unsigned char p[64], int /* chars_in */, int chars_out) {
register int i, j, k, l;
for (k = 0; k < chars_out*8; k++) { /* each output bit position */
l = p[k] - 1; /* where this bit comes from */
if (l < 0)
continue; /* output bit is always 0 */
i = l>>LGCHUNKBITS; /* which chunk this bit comes from */
l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */
for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */
if ((j & l) != 0)
perm[i][j].b[k>>3] |= 1<<(k&07);
}
}
}
/*
* "setkey" routine (for backwards compatibility)
*/
int rz_setkey(register const char *key) {
register int i, j, k;
C_block keyblock;
for (i = 0; i < 8; i++) {
k = 0;
for (j = 0; j < 8; j++) {
k <<= 1;
k |= (unsigned char)*key++;
}
keyblock.b[i] = k;
}
return (rz_des_setkey((char *)keyblock.b));
}
/*
* "encrypt" routine (for backwards compatibility)
*/
int rz_encrypt(register char *block, int flag) {
register int i, j, k;
C_block cblock;
for (i = 0; i < 8; i++) {
k = 0;
for (j = 0; j < 8; j++) {
k <<= 1;
k |= (unsigned char)*block++;
}
cblock.b[i] = k;
}
if (rz_des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag ? -1: 1)))
return (1);
for (i = 7; i >= 0; i--) {
k = cblock.b[i];
for (j = 7; j >= 0; j--) {
*--block = k&01;
k >>= 1;
}
}
return (0);
}
#ifdef DEBUG_CRYPT
void prtab(char *s, unsigned char *t, int num_rows)
{
register int i, j;
(void)printf("%s:\n", s);
for (i = 0; i < num_rows; i++) {
for (j = 0; j < 8; j++) {
(void)printf("%3d", t[i*8+j]);
}
(void)printf("\n");
}
(void)printf("\n");
}
#endif

View file

@ -0,0 +1,371 @@
/*
* public domain sha512 crypt implementation
*
* original sha crypt design: http://people.redhat.com/drepper/SHA-crypt.txt
* in this implementation at least 32bit int is assumed,
* key length is limited, the $6$ prefix is mandatory, '\n' and ':' is rejected
* in the salt and rounds= setting must contain a valid iteration count,
* on error "*" is returned.
*/
#include <ctype.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* public domain sha512 implementation based on fips180-3 */
/* >=2^64 bits messages are not supported (about 2000 peta bytes) */
struct sha512 {
uint64_t len; /* processed message length */
uint64_t h[8]; /* hash state */
uint8_t buf[128]; /* message block buffer */
};
static uint64_t ror(uint64_t n, int k) { return (n >> k) | (n << (64-k)); }
#define Ch(x,y,z) (z ^ (x & (y ^ z)))
#define Maj(x,y,z) ((x & y) | (z & (x | y)))
#define S0(x) (ror(x,28) ^ ror(x,34) ^ ror(x,39))
#define S1(x) (ror(x,14) ^ ror(x,18) ^ ror(x,41))
#define R0(x) (ror(x,1) ^ ror(x,8) ^ (x>>7))
#define R1(x) (ror(x,19) ^ ror(x,61) ^ (x>>6))
static const uint64_t K[80] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
};
static void processblock(struct sha512 *s, const uint8_t *buf)
{
uint64_t W[80], t1, t2, a, b, c, d, e, f, g, h;
int i;
for (i = 0; i < 16; i++) {
W[i] = (uint64_t)buf[8*i]<<56;
W[i] |= (uint64_t)buf[8*i+1]<<48;
W[i] |= (uint64_t)buf[8*i+2]<<40;
W[i] |= (uint64_t)buf[8*i+3]<<32;
W[i] |= (uint64_t)buf[8*i+4]<<24;
W[i] |= (uint64_t)buf[8*i+5]<<16;
W[i] |= (uint64_t)buf[8*i+6]<<8;
W[i] |= buf[8*i+7];
}
for (; i < 80; i++)
W[i] = R1(W[i-2]) + W[i-7] + R0(W[i-15]) + W[i-16];
a = s->h[0];
b = s->h[1];
c = s->h[2];
d = s->h[3];
e = s->h[4];
f = s->h[5];
g = s->h[6];
h = s->h[7];
for (i = 0; i < 80; i++) {
t1 = h + S1(e) + Ch(e,f,g) + K[i] + W[i];
t2 = S0(a) + Maj(a,b,c);
h = g;
g = f;
f = e;
e = d + t1;
d = c;
c = b;
b = a;
a = t1 + t2;
}
s->h[0] += a;
s->h[1] += b;
s->h[2] += c;
s->h[3] += d;
s->h[4] += e;
s->h[5] += f;
s->h[6] += g;
s->h[7] += h;
}
static void pad(struct sha512 *s)
{
unsigned r = s->len % 128;
s->buf[r++] = 0x80;
if (r > 112) {
memset(s->buf + r, 0, 128 - r);
r = 0;
processblock(s, s->buf);
}
memset(s->buf + r, 0, 120 - r);
s->len *= 8;
s->buf[120] = s->len >> 56;
s->buf[121] = s->len >> 48;
s->buf[122] = s->len >> 40;
s->buf[123] = s->len >> 32;
s->buf[124] = s->len >> 24;
s->buf[125] = s->len >> 16;
s->buf[126] = s->len >> 8;
s->buf[127] = s->len;
processblock(s, s->buf);
}
static void sha512_init(struct sha512 *s)
{
s->len = 0;
s->h[0] = 0x6a09e667f3bcc908ULL;
s->h[1] = 0xbb67ae8584caa73bULL;
s->h[2] = 0x3c6ef372fe94f82bULL;
s->h[3] = 0xa54ff53a5f1d36f1ULL;
s->h[4] = 0x510e527fade682d1ULL;
s->h[5] = 0x9b05688c2b3e6c1fULL;
s->h[6] = 0x1f83d9abfb41bd6bULL;
s->h[7] = 0x5be0cd19137e2179ULL;
}
static void sha512_sum(struct sha512 *s, uint8_t *md)
{
int i;
pad(s);
for (i = 0; i < 8; i++) {
md[8*i] = s->h[i] >> 56;
md[8*i+1] = s->h[i] >> 48;
md[8*i+2] = s->h[i] >> 40;
md[8*i+3] = s->h[i] >> 32;
md[8*i+4] = s->h[i] >> 24;
md[8*i+5] = s->h[i] >> 16;
md[8*i+6] = s->h[i] >> 8;
md[8*i+7] = s->h[i];
}
}
static void sha512_update(struct sha512 *s, const void *m, unsigned long len)
{
const uint8_t *p = (uint8_t *)m;
unsigned r = s->len % 128;
s->len += len;
if (r) {
if (len < 128 - r) {
memcpy(s->buf + r, p, len);
return;
}
memcpy(s->buf + r, p, 128 - r);
len -= 128 - r;
p += 128 - r;
processblock(s, s->buf);
}
for (; len >= 128; len -= 128, p += 128)
processblock(s, p);
memcpy(s->buf, p, len);
}
static const unsigned char b64[] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static char *to64(char *s, unsigned int u, int n)
{
while (--n >= 0) {
*s++ = b64[u % 64];
u /= 64;
}
return s;
}
/* key limit is not part of the original design, added for DoS protection.
* rounds limit has been lowered (versus the reference/spec), also for DoS
* protection. runtime is O(klen^2 + klen*rounds) */
#define KEY_MAX 256
#define SALT_MAX 16
#define ROUNDS_DEFAULT 5000
#define ROUNDS_MIN 1000
#define ROUNDS_MAX 9999999
/* hash n bytes of the repeated md message digest */
static void hashmd(struct sha512 *s, unsigned int n, const void *md)
{
unsigned int i;
for (i = n; i > 64; i -= 64)
sha512_update(s, md, 64);
sha512_update(s, md, i);
}
static char *sha512crypt(const char *key, const char *setting, char *output)
{
struct sha512 ctx;
unsigned char md[64], kmd[64], smd[64];
unsigned int i, r, klen, slen;
char rounds[20] = "";
const char *salt;
char *p;
/* reject large keys */
for (i = 0; i <= KEY_MAX && key[i]; i++);
if (i > KEY_MAX)
return 0;
klen = i;
/* setting: $6$rounds=n$salt$ (rounds=n$ and closing $ are optional) */
if (strncmp(setting, "$6$", 3) != 0)
return 0;
salt = setting + 3;
r = ROUNDS_DEFAULT;
if (strncmp(salt, "rounds=", sizeof "rounds=" - 1) == 0) {
unsigned long u;
char *end;
/*
* this is a deviation from the reference:
* bad rounds setting is rejected if it is
* - empty
* - unterminated (missing '$')
* - begins with anything but a decimal digit
* the reference implementation treats these bad
* rounds as part of the salt or parse them with
* strtoul semantics which may cause problems
* including non-portable hashes that depend on
* the host's value of ULONG_MAX.
*/
salt += sizeof "rounds=" - 1;
if (!isdigit(*salt))
return 0;
u = strtoul(salt, &end, 10);
if (*end != '$')
return 0;
salt = end+1;
if (u < ROUNDS_MIN)
r = ROUNDS_MIN;
else if (u > ROUNDS_MAX)
r = ROUNDS_MAX;
else
r = u;
/* needed when rounds is zero prefixed or out of bounds */
sprintf(rounds, "rounds=%u$", r);
}
for (i = 0; i < SALT_MAX && salt[i] && salt[i] != '$'; i++)
/* reject characters that interfere with /etc/shadow parsing */
if (salt[i] == '\n' || salt[i] == ':')
return 0;
slen = i;
/* B = sha(key salt key) */
sha512_init(&ctx);
sha512_update(&ctx, key, klen);
sha512_update(&ctx, salt, slen);
sha512_update(&ctx, key, klen);
sha512_sum(&ctx, md);
/* A = sha(key salt repeat-B alternate-B-key) */
sha512_init(&ctx);
sha512_update(&ctx, key, klen);
sha512_update(&ctx, salt, slen);
hashmd(&ctx, klen, md);
for (i = klen; i > 0; i >>= 1)
if (i & 1)
sha512_update(&ctx, md, sizeof md);
else
sha512_update(&ctx, key, klen);
sha512_sum(&ctx, md);
/* DP = sha(repeat-key), this step takes O(klen^2) time */
sha512_init(&ctx);
for (i = 0; i < klen; i++)
sha512_update(&ctx, key, klen);
sha512_sum(&ctx, kmd);
/* DS = sha(repeat-salt) */
sha512_init(&ctx);
for (i = 0; i < 16 + md[0]; i++)
sha512_update(&ctx, salt, slen);
sha512_sum(&ctx, smd);
/* iterate A = f(A,DP,DS), this step takes O(rounds*klen) time */
for (i = 0; i < r; i++) {
sha512_init(&ctx);
if (i % 2)
hashmd(&ctx, klen, kmd);
else
sha512_update(&ctx, md, sizeof md);
if (i % 3)
sha512_update(&ctx, smd, slen);
if (i % 7)
hashmd(&ctx, klen, kmd);
if (i % 2)
sha512_update(&ctx, md, sizeof md);
else
hashmd(&ctx, klen, kmd);
sha512_sum(&ctx, md);
}
/* output is $6$rounds=n$salt$hash */
p = output;
p += sprintf(p, "$6$%s%.*s$", rounds, slen, salt);
#if 1
static const unsigned char perm[][3] = {
0,21,42,22,43,1,44,2,23,3,24,45,25,46,4,
47,5,26,6,27,48,28,49,7,50,8,29,9,30,51,
31,52,10,53,11,32,12,33,54,34,55,13,56,14,35,
15,36,57,37,58,16,59,17,38,18,39,60,40,61,19,
62,20,41 };
for (i=0; i<21; i++) p = to64(p,
(md[perm[i][0]]<<16)|(md[perm[i][1]]<<8)|md[perm[i][2]], 4);
#else
p = to64(p, (md[0]<<16)|(md[21]<<8)|md[42], 4);
p = to64(p, (md[22]<<16)|(md[43]<<8)|md[1], 4);
p = to64(p, (md[44]<<16)|(md[2]<<8)|md[23], 4);
p = to64(p, (md[3]<<16)|(md[24]<<8)|md[45], 4);
p = to64(p, (md[25]<<16)|(md[46]<<8)|md[4], 4);
p = to64(p, (md[47]<<16)|(md[5]<<8)|md[26], 4);
p = to64(p, (md[6]<<16)|(md[27]<<8)|md[48], 4);
p = to64(p, (md[28]<<16)|(md[49]<<8)|md[7], 4);
p = to64(p, (md[50]<<16)|(md[8]<<8)|md[29], 4);
p = to64(p, (md[9]<<16)|(md[30]<<8)|md[51], 4);
p = to64(p, (md[31]<<16)|(md[52]<<8)|md[10], 4);
p = to64(p, (md[53]<<16)|(md[11]<<8)|md[32], 4);
p = to64(p, (md[12]<<16)|(md[33]<<8)|md[54], 4);
p = to64(p, (md[34]<<16)|(md[55]<<8)|md[13], 4);
p = to64(p, (md[56]<<16)|(md[14]<<8)|md[35], 4);
p = to64(p, (md[15]<<16)|(md[36]<<8)|md[57], 4);
p = to64(p, (md[37]<<16)|(md[58]<<8)|md[16], 4);
p = to64(p, (md[59]<<16)|(md[17]<<8)|md[38], 4);
p = to64(p, (md[18]<<16)|(md[39]<<8)|md[60], 4);
p = to64(p, (md[40]<<16)|(md[61]<<8)|md[19], 4);
p = to64(p, (md[62]<<16)|(md[20]<<8)|md[41], 4);
#endif
p = to64(p, md[63], 2);
*p = 0;
return output;
}
char *__crypt_sha512(const char *key, const char *setting, char *output)
{
static const char testkey[] = "Xy01@#\x01\x02\x80\x7f\xff\r\n\x81\t !";
static const char testsetting[] = "$6$rounds=1234$abc0123456789$";
static const char testhash[] = "$6$rounds=1234$abc0123456789$BCpt8zLrc/RcyuXmCDOE1ALqMXB2MH6n1g891HhFj8.w7LxGv.FTkqq6Vxc/km3Y0jE0j24jY5PIv/oOu6reg1";
char testbuf[128];
char *p, *q;
p = sha512crypt(key, setting, output);
/* self test and stack cleanup */
q = sha512crypt(testkey, testsetting, testbuf);
if (!p || q != testbuf || memcmp(testbuf, testhash, sizeof testhash))
return "*";
return p;
}

View file

@ -20,7 +20,7 @@
#include "game_share/tick_event_handler.h" #include "game_share/tick_event_handler.h"
#include "game_share/ryzom_version.h" #include "game_share/ryzom_version.h"
#include "game_share/ccrypt.h" #include "game_share/crypt.h"
#include "nel/misc/time_nl.h" #include "nel/misc/time_nl.h"
#include "client.h" #include "client.h"