Simplify perturb_byte logic.
[glibc.git] / crypt / md5-crypt.c
blobd2a17ef65972333cd6cd94084cb063b5e34d90ad
1 /* One way encryption based on MD5 sum.
2 Compatible with the behavior of MD5 crypt introduced in FreeBSD 2.0.
3 Copyright (C) 1996-2013 Free Software Foundation, Inc.
4 This file is part of the GNU C Library.
5 Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
7 The GNU C Library is free software; you can redistribute it and/or
8 modify it under the terms of the GNU Lesser General Public
9 License as published by the Free Software Foundation; either
10 version 2.1 of the License, or (at your option) any later version.
12 The GNU C Library is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public
18 License along with the GNU C Library; if not, see
19 <http://www.gnu.org/licenses/>. */
21 #include <assert.h>
22 #include <errno.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/param.h>
27 #include "md5.h"
30 #ifdef USE_NSS
31 typedef int PRBool;
32 # include <hasht.h>
33 # include <nsslowhash.h>
35 # define md5_init_ctx(ctxp, nss_ctxp) \
36 do \
37 { \
38 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgMD5)) \
39 == NULL)) \
40 { \
41 if (nss_ctx != NULL) \
42 NSSLOWHASH_Destroy (nss_ctx); \
43 if (nss_alt_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_alt_ctx); \
45 return NULL; \
46 } \
47 NSSLOWHASH_Begin (nss_ctxp); \
48 } \
49 while (0)
51 # define md5_process_bytes(buf, len, ctxp, nss_ctxp) \
52 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
54 # define md5_finish_ctx(ctxp, nss_ctxp, result) \
55 do \
56 { \
57 unsigned int ret; \
58 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
59 assert (ret == sizeof (result)); \
60 NSSLOWHASH_Destroy (nss_ctxp); \
61 nss_ctxp = NULL; \
62 } \
63 while (0)
64 #else
65 # define md5_init_ctx(ctxp, nss_ctxp) \
66 __md5_init_ctx (ctxp)
68 # define md5_process_bytes(buf, len, ctxp, nss_ctxp) \
69 __md5_process_bytes(buf, len, ctxp)
71 # define md5_finish_ctx(ctxp, nss_ctxp, result) \
72 __md5_finish_ctx (ctxp, result)
73 #endif
76 /* Define our magic string to mark salt for MD5 "encryption"
77 replacement. This is meant to be the same as for other MD5 based
78 encryption implementations. */
79 static const char md5_salt_prefix[] = "$1$";
81 /* Table with characters for base64 transformation. */
82 static const char b64t[64] =
83 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
86 /* Prototypes for local functions. */
87 extern char *__md5_crypt_r (const char *key, const char *salt,
88 char *buffer, int buflen);
89 extern char *__md5_crypt (const char *key, const char *salt);
92 /* This entry point is equivalent to the `crypt' function in Unix
93 libcs. */
94 char *
95 __md5_crypt_r (key, salt, buffer, buflen)
96 const char *key;
97 const char *salt;
98 char *buffer;
99 int buflen;
101 unsigned char alt_result[16]
102 __attribute__ ((__aligned__ (__alignof__ (md5_uint32))));
103 size_t salt_len;
104 size_t key_len;
105 size_t cnt;
106 char *cp;
107 char *copied_key = NULL;
108 char *copied_salt = NULL;
109 char *free_key = NULL;
110 size_t alloca_used = 0;
112 /* Find beginning of salt string. The prefix should normally always
113 be present. Just in case it is not. */
114 if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
115 /* Skip salt prefix. */
116 salt += sizeof (md5_salt_prefix) - 1;
118 salt_len = MIN (strcspn (salt, "$"), 8);
119 key_len = strlen (key);
121 if ((key - (char *) 0) % __alignof__ (md5_uint32) != 0)
123 char *tmp;
125 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (md5_uint32)))
126 tmp = (char *) alloca (key_len + __alignof__ (md5_uint32));
127 else
129 free_key = tmp = (char *) malloc (key_len + __alignof__ (md5_uint32));
130 if (tmp == NULL)
131 return NULL;
134 key = copied_key =
135 memcpy (tmp + __alignof__ (md5_uint32)
136 - (tmp - (char *) 0) % __alignof__ (md5_uint32),
137 key, key_len);
138 assert ((key - (char *) 0) % __alignof__ (md5_uint32) == 0);
141 if ((salt - (char *) 0) % __alignof__ (md5_uint32) != 0)
143 char *tmp = (char *) alloca (salt_len + __alignof__ (md5_uint32));
144 salt = copied_salt =
145 memcpy (tmp + __alignof__ (md5_uint32)
146 - (tmp - (char *) 0) % __alignof__ (md5_uint32),
147 salt, salt_len);
148 assert ((salt - (char *) 0) % __alignof__ (md5_uint32) == 0);
151 #ifdef USE_NSS
152 /* Initialize libfreebl3. */
153 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
154 if (nss_ictx == NULL)
156 free (free_key);
157 return NULL;
159 NSSLOWHASHContext *nss_ctx = NULL;
160 NSSLOWHASHContext *nss_alt_ctx = NULL;
161 #else
162 struct md5_ctx ctx;
163 struct md5_ctx alt_ctx;
164 #endif
166 /* Prepare for the real work. */
167 md5_init_ctx (&ctx, nss_ctx);
169 /* Add the key string. */
170 md5_process_bytes (key, key_len, &ctx, nss_ctx);
172 /* Because the SALT argument need not always have the salt prefix we
173 add it separately. */
174 md5_process_bytes (md5_salt_prefix, sizeof (md5_salt_prefix) - 1,
175 &ctx, nss_ctx);
177 /* The last part is the salt string. This must be at most 8
178 characters and it ends at the first `$' character (for
179 compatibility with existing implementations). */
180 md5_process_bytes (salt, salt_len, &ctx, nss_ctx);
183 /* Compute alternate MD5 sum with input KEY, SALT, and KEY. The
184 final result will be added to the first context. */
185 md5_init_ctx (&alt_ctx, nss_alt_ctx);
187 /* Add key. */
188 md5_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
190 /* Add salt. */
191 md5_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
193 /* Add key again. */
194 md5_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
196 /* Now get result of this (16 bytes) and add it to the other
197 context. */
198 md5_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
200 /* Add for any character in the key one byte of the alternate sum. */
201 for (cnt = key_len; cnt > 16; cnt -= 16)
202 md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
203 md5_process_bytes (alt_result, cnt, &ctx, nss_ctx);
205 /* For the following code we need a NUL byte. */
206 *alt_result = '\0';
208 /* The original implementation now does something weird: for every 1
209 bit in the key the first 0 is added to the buffer, for every 0
210 bit the first character of the key. This does not seem to be
211 what was intended but we have to follow this to be compatible. */
212 for (cnt = key_len; cnt > 0; cnt >>= 1)
213 md5_process_bytes ((cnt & 1) != 0
214 ? (const void *) alt_result : (const void *) key, 1,
215 &ctx, nss_ctx);
217 /* Create intermediate result. */
218 md5_finish_ctx (&ctx, nss_ctx, alt_result);
220 /* Now comes another weirdness. In fear of password crackers here
221 comes a quite long loop which just processes the output of the
222 previous round again. We cannot ignore this here. */
223 for (cnt = 0; cnt < 1000; ++cnt)
225 /* New context. */
226 md5_init_ctx (&ctx, nss_ctx);
228 /* Add key or last result. */
229 if ((cnt & 1) != 0)
230 md5_process_bytes (key, key_len, &ctx, nss_ctx);
231 else
232 md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
234 /* Add salt for numbers not divisible by 3. */
235 if (cnt % 3 != 0)
236 md5_process_bytes (salt, salt_len, &ctx, nss_ctx);
238 /* Add key for numbers not divisible by 7. */
239 if (cnt % 7 != 0)
240 md5_process_bytes (key, key_len, &ctx, nss_ctx);
242 /* Add key or last result. */
243 if ((cnt & 1) != 0)
244 md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
245 else
246 md5_process_bytes (key, key_len, &ctx, nss_ctx);
248 /* Create intermediate result. */
249 md5_finish_ctx (&ctx, nss_ctx, alt_result);
252 #ifdef USE_NSS
253 /* Free libfreebl3 resources. */
254 NSSLOW_Shutdown (nss_ictx);
255 #endif
257 /* Now we can construct the result string. It consists of three
258 parts. */
259 cp = __stpncpy (buffer, md5_salt_prefix, MAX (0, buflen));
260 buflen -= sizeof (md5_salt_prefix) - 1;
262 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
263 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
265 if (buflen > 0)
267 *cp++ = '$';
268 --buflen;
271 void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
272 int n)
274 unsigned int w = (b2 << 16) | (b1 << 8) | b0;
275 while (n-- > 0 && buflen > 0)
277 *cp++ = b64t[w & 0x3f];
278 --buflen;
279 w >>= 6;
283 b64_from_24bit (alt_result[0], alt_result[6], alt_result[12], 4);
284 b64_from_24bit (alt_result[1], alt_result[7], alt_result[13], 4);
285 b64_from_24bit (alt_result[2], alt_result[8], alt_result[14], 4);
286 b64_from_24bit (alt_result[3], alt_result[9], alt_result[15], 4);
287 b64_from_24bit (alt_result[4], alt_result[10], alt_result[5], 4);
288 b64_from_24bit (0, 0, alt_result[11], 2);
289 if (buflen <= 0)
291 __set_errno (ERANGE);
292 buffer = NULL;
294 else
295 *cp = '\0'; /* Terminate the string. */
297 /* Clear the buffer for the intermediate result so that people
298 attaching to processes or reading core dumps cannot get any
299 information. We do it in this way to clear correct_words[]
300 inside the MD5 implementation as well. */
301 #ifndef USE_NSS
302 __md5_init_ctx (&ctx);
303 __md5_finish_ctx (&ctx, alt_result);
304 memset (&ctx, '\0', sizeof (ctx));
305 memset (&alt_ctx, '\0', sizeof (alt_ctx));
306 #endif
307 if (copied_key != NULL)
308 memset (copied_key, '\0', key_len);
309 if (copied_salt != NULL)
310 memset (copied_salt, '\0', salt_len);
312 free (free_key);
313 return buffer;
316 #ifndef _LIBC
317 # define libc_freeres_ptr(decl) decl
318 #endif
319 libc_freeres_ptr (static char *buffer);
321 char *
322 __md5_crypt (const char *key, const char *salt)
324 /* We don't want to have an arbitrary limit in the size of the
325 password. We can compute the size of the result in advance and
326 so we can prepare the buffer we pass to `md5_crypt_r'. */
327 static int buflen;
328 int needed = 3 + strlen (salt) + 1 + 26 + 1;
330 if (buflen < needed)
332 char *new_buffer = (char *) realloc (buffer, needed);
333 if (new_buffer == NULL)
334 return NULL;
336 buffer = new_buffer;
337 buflen = needed;
340 return __md5_crypt_r (key, salt, buffer, buflen);
343 #ifndef _LIBC
344 static void
345 __attribute__ ((__destructor__))
346 free_mem (void)
348 free (buffer);
350 #endif