blob: 58964b56769c7b62bd0135ecf2102e29c41c93c7 [file] [log] [blame]
/*
* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
*
* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
* rights reserved.
*
* License to copy and use this software is granted provided that it
* is identified as the "RSA Data Security, Inc. MD5 Message-Digest
* Algorithm" in all material mentioning or referencing this software
* or this function.
*
* License is also granted to make and use derivative works provided
* that such works are identified as "derived from the RSA Data
* Security, Inc. MD5 Message-Digest Algorithm" in all material
* mentioning or referencing the derived work.
*
* RSA Data Security, Inc. makes no representations concerning either
* the merchantability of this software or the suitability of this
* software for any particular purpose. It is provided "as is"
* without express or implied warranty of any kind.
*
* These notices must be retained in any copies of any part of this
* documentation and/or software.
*
* $FreeBSD: src/lib/libmd/md5c.c,v 1.9.2.1 1999/08/29 14:57:12 peter Exp $
*
* This code is the same as the code published by RSA Inc. It has been
* edited for clarity and style only.
*
* ----------------------------------------------------------------------------
* The md5_crypt() function was taken from freeBSD's libcrypt and contains
* this license:
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
*
* $FreeBSD: src/lib/libcrypt/crypt.c,v 1.7.2.1 1999/08/29 14:56:33 peter Exp $
*
* ----------------------------------------------------------------------------
* On April 19th, 2001 md5_crypt() was modified to make it reentrant
* by Erik Andersen <andersen@uclibc.org>
*
*
* June 28, 2001 Manuel Novoa III
*
* "Un-inlined" code using loops and static const tables in order to
* reduce generated code size (on i386 from approx 4k to approx 2.5k).
*
* June 29, 2001 Manuel Novoa III
*
* Completely removed static PADDING array.
*
* Reintroduced the loop unrolling in MD5_Transform and added the
* MD5_SIZE_OVER_SPEED option for configurability. Define below as:
* 0 fully unrolled loops
* 1 partially unrolled (4 ops per loop)
* 2 no unrolling -- introduces the need to swap 4 variables (slow)
* 3 no unrolling and all 4 loops merged into one with switch
* in each loop (glacial)
* On i386, sizes are roughly (-Os -fno-builtin):
* 0: 3k 1: 2.5k 2: 2.2k 3: 2k
*
* Since SuSv3 does not require crypt_r, modified again August 7, 2002
* by Erik Andersen to remove reentrance stuff...
*/
/*
* UNIX password
*
* Use MD5 for what it is best at...
*/
#define MD5_OUT_BUFSIZE 36
static char *
NOINLINE
md5_crypt(char result[MD5_OUT_BUFSIZE], const unsigned char *pw, const unsigned char *salt)
{
char *p;
unsigned char final[17]; /* final[16] exists only to aid in looping */
int sl, pl, i, pw_len;
md5_ctx_t ctx, ctx1;
/* NB: in busybox, "$1$" in salt is always present */
/* Refine the Salt first */
/* Get the length of the salt including "$1$" */
sl = 3;
while (salt[sl] && salt[sl] != '$' && sl < (3 + 8))
sl++;
/* Hash. the password first, since that is what is most unknown */
md5_begin(&ctx);
pw_len = strlen((char*)pw);
md5_hash(pw, pw_len, &ctx);
/* Then the salt including "$1$" */
md5_hash(salt, sl, &ctx);
/* Copy salt to result; skip "$1$" */
memcpy(result, salt, sl);
result[sl] = '$';
salt += 3;
sl -= 3;
/* Then just as many characters of the MD5(pw, salt, pw) */
md5_begin(&ctx1);
md5_hash(pw, pw_len, &ctx1);
md5_hash(salt, sl, &ctx1);
md5_hash(pw, pw_len, &ctx1);
md5_end(final, &ctx1);
for (pl = pw_len; pl > 0; pl -= 16)
md5_hash(final, pl > 16 ? 16 : pl, &ctx);
/* Then something really weird... */
memset(final, 0, sizeof(final));
for (i = pw_len; i; i >>= 1) {
md5_hash(((i & 1) ? final : (const unsigned char *) pw), 1, &ctx);
}
md5_end(final, &ctx);
/* And now, just to make sure things don't run too fast.
* On a 60 Mhz Pentium this takes 34 msec, so you would
* need 30 seconds to build a 1000 entry dictionary...
*/
for (i = 0; i < 1000; i++) {
md5_begin(&ctx1);
if (i & 1)
md5_hash(pw, pw_len, &ctx1);
else
md5_hash(final, 16, &ctx1);
if (i % 3)
md5_hash(salt, sl, &ctx1);
if (i % 7)
md5_hash(pw, pw_len, &ctx1);
if (i & 1)
md5_hash(final, 16, &ctx1);
else
md5_hash(pw, pw_len, &ctx1);
md5_end(final, &ctx1);
}
p = result + sl + 4; /* 12 bytes max (sl is up to 8 bytes) */
/* Add 5*4+2 = 22 bytes of hash, + NUL byte. */
final[16] = final[5];
for (i = 0; i < 5; i++) {
unsigned l = (final[i] << 16) | (final[i+6] << 8) | final[i+12];
p = to64(p, l, 4);
}
p = to64(p, final[11], 2);
*p = '\0';
/* Don't leave anything around in vm they could use. */
memset(final, 0, sizeof(final));
return result;
}