xcrypt 0.1.0

data/ext/libxcrypt/lib/crypt-sm3.c

@@ -0,0 +1,308 @@
+/* One way encryption based on the SHA256-based Unix crypt implementation.
+ *
+ * Written by Ulrich Drepper <drepper at redhat.com> in 2007 [1].
+ * Modified by Zack Weinberg <zackw at panix.com> in 2017, 2018.
+ * Composed by Björn Esser <besser82 at fedoraproject.org> in 2018.
+ * Modified by Björn Esser <besser82 at fedoraproject.org> in 2020.
+ * Modified by Tianjia Zhang <tianjia.zhang at linux.alibaba.com> in 2024.
+ * To the extent possible under law, the named authors have waived all
+ * copyright and related or neighboring rights to this work.
+ *
+ * See https://creativecommons.org/publicdomain/zero/1.0/ for further
+ * details.
+ *
+ * This file is a modified except from [2], lines 648 up to 909.
+ *
+ * [1]  https://www.akkadia.org/drepper/sha-crypt.html
+ * [2]  https://www.akkadia.org/drepper/SHA-crypt.txt
+ */
+
+#include "crypt-port.h"
+#include "alg-sm3.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if INCLUDE_sm3crypt
+
+/* Define our magic string to mark salt for SM3 "encryption"
+   replacement.  */
+static const char sm3_salt_prefix[] = "$sm3$";
+
+/* Prefix for optional rounds specification.  */
+static const char sm3_rounds_prefix[] = "rounds=";
+
+/* Maximum salt string length.  */
+#define SALT_LEN_MAX 16
+/* Default number of rounds if not explicitly specified.  */
+#define ROUNDS_DEFAULT 5000
+/* Minimum number of rounds.  */
+#define ROUNDS_MIN 1000
+/* Maximum number of rounds.  */
+#define ROUNDS_MAX 999999999
+
+/* The maximum possible length of a SM3-hashed password string,
+   including the terminating NUL character.  Prefix (including its NUL)
+   + rounds tag ("rounds=$" = "rounds=\0") + strlen(ROUNDS_MAX)
+   + salt (up to SALT_LEN_MAX chars) + '$' + hash (43 chars).  */
+
+#define LENGTH_OF_NUMBER(n) (sizeof #n - 1)
+
+#define SM3_HASH_LENGTH \
+  (sizeof (sm3_salt_prefix) + sizeof (sm3_rounds_prefix) + \
+   LENGTH_OF_NUMBER (ROUNDS_MAX) + SALT_LEN_MAX + 1 + 43)
+
+static_assert (SM3_HASH_LENGTH <= CRYPT_OUTPUT_SIZE,
+               "CRYPT_OUTPUT_SIZE is too small for SM3");
+
+/* A sm3_buffer holds all of the sensitive intermediate data.  */
+struct sm3_buffer
+{
+  sm3_ctx ctx;
+  uint8_t result[32];
+  uint8_t p_bytes[32];
+  uint8_t s_bytes[32];
+};
+
+static_assert (sizeof (struct sm3_buffer) <= ALG_SPECIFIC_SIZE,
+               "ALG_SPECIFIC_SIZE is too small for SM3crypt");
+
+
+/* Feed CTX with LEN bytes of a virtual byte sequence consisting of
+   BLOCK repeated over and over indefinitely.  */
+static void
+sm3_update_recycled (sm3_ctx *ctx,
+                     unsigned char block[32], size_t len)
+{
+  size_t cnt;
+  for (cnt = len; cnt >= 32; cnt -= 32)
+    sm3_update (ctx, block, 32);
+  sm3_update (ctx, block, cnt);
+}
+
+void
+crypt_sm3crypt_rn (const char *phrase, size_t phr_size,
+                   const char *setting, size_t ARG_UNUSED (set_size),
+                   uint8_t *output, size_t out_size,
+                   void *scratch, size_t scr_size)
+{
+  /* This shouldn't ever happen, but...  */
+  if (out_size < SM3_HASH_LENGTH
+      || scr_size < sizeof (struct sm3_buffer))
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  struct sm3_buffer *buf = scratch;
+  sm3_ctx *ctx = &buf->ctx;
+  uint8_t *result = buf->result;
+  uint8_t *p_bytes = buf->p_bytes;
+  uint8_t *s_bytes = buf->s_bytes;
+  char *cp = (char *)output;
+  const char *salt = setting;
+
+  size_t salt_size;
+  size_t cnt;
+  /* Default number of rounds.  */
+  size_t rounds = ROUNDS_DEFAULT;
+  bool rounds_custom = false;
+
+  /* Find beginning of salt string.  The prefix should normally always
+     be present.  Just in case it is not.  */
+  if (strncmp (sm3_salt_prefix, salt, sizeof (sm3_salt_prefix) - 1) == 0)
+    /* Skip salt prefix.  */
+    salt += sizeof (sm3_salt_prefix) - 1;
+
+  if (strncmp (salt, sm3_rounds_prefix, sizeof (sm3_rounds_prefix) - 1)
+      == 0)
+    {
+      const char *num = salt + sizeof (sm3_rounds_prefix) - 1;
+      /* Do not allow an explicit setting of zero rounds, nor of the
+         default number of rounds, nor leading zeroes on the rounds.  */
+      if (!(*num >= '1' && *num <= '9'))
+        {
+          errno = EINVAL;
+          return;
+        }
+
+      errno = 0;
+      char *endp;
+      rounds = strtoul (num, &endp, 10);
+      if (endp == num || *endp != '$'
+          || rounds < ROUNDS_MIN
+          || rounds > ROUNDS_MAX
+          || errno)
+        {
+          errno = EINVAL;
+          return;
+        }
+      salt = endp + 1;
+      rounds_custom = true;
+    }
+
+  /* The salt ends at the next '$' or the end of the string.
+     Ensure ':' does not appear in the salt (it is used as a separator in /etc/passwd).
+     Also check for '\n', as in /etc/passwd the whole parameters of the user data must
+     be on a single line. */
+  salt_size = strcspn (salt, "$:\n");
+  if (!(salt[salt_size] == '$' || !salt[salt_size]))
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  /* Ensure we do not use more salt than SALT_LEN_MAX. */
+  if (salt_size > SALT_LEN_MAX)
+    salt_size = SALT_LEN_MAX;
+
+  /* Compute alternate SM3 sum with input PHRASE, SALT, and PHRASE.  The
+     final result will be added to the first context.  */
+  sm3_init (ctx);
+
+  /* Add phrase.  */
+  sm3_update (ctx, phrase, phr_size);
+
+  /* Add salt.  */
+  sm3_update (ctx, salt, salt_size);
+
+  /* Add phrase again.  */
+  sm3_update (ctx, phrase, phr_size);
+
+  /* Now get result of this (32 bytes).  */
+  sm3_final (result, ctx);
+
+  /* Prepare for the real work.  */
+  sm3_init (ctx);
+
+  /* Add the phrase string.  */
+  sm3_update (ctx, phrase, phr_size);
+
+  /* The last part is the salt string.  This must be at most 8
+     characters and it ends at the first `$' character (for
+     compatibility with existing implementations).  */
+  sm3_update (ctx, salt, salt_size);
+
+  /* Add for any character in the phrase one byte of the alternate sum.  */
+  for (cnt = phr_size; cnt > 32; cnt -= 32)
+    sm3_update (ctx, result, 32);
+  sm3_update (ctx, result, cnt);
+
+  /* Take the binary representation of the length of the phrase and for every
+     1 add the alternate sum, for every 0 the phrase.  */
+  for (cnt = phr_size; cnt > 0; cnt >>= 1)
+    if ((cnt & 1) != 0)
+      sm3_update (ctx, result, 32);
+    else
+      sm3_update (ctx, phrase, phr_size);
+
+  /* Create intermediate result.  */
+  sm3_final (result, ctx);
+
+  /* Start computation of P byte sequence.  */
+  sm3_init (ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < phr_size; ++cnt)
+    sm3_update (ctx, phrase, phr_size);
+
+  /* Finish the digest.  */
+  sm3_final (p_bytes, ctx);
+
+  /* Start computation of S byte sequence.  */
+  sm3_init (ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < (size_t) 16 + (size_t) result[0]; ++cnt)
+    sm3_update (ctx, salt, salt_size);
+
+  /* Finish the digest.  */
+  sm3_final (s_bytes, ctx);
+
+  /* Repeatedly run the collected hash value through SM3 to burn
+     CPU cycles.  */
+  for (cnt = 0; cnt < rounds; ++cnt)
+    {
+      /* New context.  */
+      sm3_init (ctx);
+
+      /* Add phrase or last result.  */
+      if ((cnt & 1) != 0)
+        sm3_update_recycled (ctx, p_bytes, phr_size);
+      else
+        sm3_update (ctx, result, 32);
+
+      /* Add salt for numbers not divisible by 3.  */
+      if (cnt % 3 != 0)
+        sm3_update_recycled (ctx, s_bytes, salt_size);
+
+      /* Add phrase for numbers not divisible by 7.  */
+      if (cnt % 7 != 0)
+        sm3_update_recycled (ctx, p_bytes, phr_size);
+
+      /* Add phrase or last result.  */
+      if ((cnt & 1) != 0)
+        sm3_update (ctx, result, 32);
+      else
+        sm3_update_recycled (ctx, p_bytes, phr_size);
+
+      /* Create intermediate result.  */
+      sm3_final (result, ctx);
+    }
+
+  /* Now we can construct the result string.  It consists of four
+     parts, one of which is optional.  We already know that there
+     is sufficient space at CP for the longest possible result string.  */
+  memcpy (cp, sm3_salt_prefix, sizeof (sm3_salt_prefix) - 1);
+  cp += sizeof (sm3_salt_prefix) - 1;
+
+  if (rounds_custom)
+    {
+      int n = snprintf (cp, SM3_HASH_LENGTH - (sizeof (sm3_salt_prefix) - 1),
+                        "%s%zu$", sm3_rounds_prefix, rounds);
+      cp += n;
+    }
+
+  memcpy (cp, salt, salt_size);
+  cp += salt_size;
+  *cp++ = '$';
+
+#define b64_from_24bit(B2, B1, B0, N)                   \
+  do {                                                  \
+    unsigned int w = ((((unsigned int)(B2)) << 16) |    \
+                      (((unsigned int)(B1)) << 8) |     \
+                      ((unsigned int)(B0)));            \
+    int n = (N);                                        \
+    while (n-- > 0)                                     \
+      {                                                 \
+        *cp++ = b64t[w & 0x3f];                         \
+        w >>= 6;                                        \
+      }                                                 \
+  } while (0)
+
+  b64_from_24bit (result[0], result[10], result[20], 4);
+  b64_from_24bit (result[21], result[1], result[11], 4);
+  b64_from_24bit (result[12], result[22], result[2], 4);
+  b64_from_24bit (result[3], result[13], result[23], 4);
+  b64_from_24bit (result[24], result[4], result[14], 4);
+  b64_from_24bit (result[15], result[25], result[5], 4);
+  b64_from_24bit (result[6], result[16], result[26], 4);
+  b64_from_24bit (result[27], result[7], result[17], 4);
+  b64_from_24bit (result[18], result[28], result[8], 4);
+  b64_from_24bit (result[9], result[19], result[29], 4);
+  b64_from_24bit (0, result[31], result[30], 3);
+
+  *cp = '\0';
+}
+
+void
+gensalt_sm3crypt_rn (unsigned long count,
+                     const uint8_t *rbytes, size_t nrbytes,
+                     uint8_t *output, size_t output_size)
+{
+  gensalt_sha_rn ("sm3", SALT_LEN_MAX, ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX,
+                  count, rbytes, nrbytes, output, output_size);
+}
+
+#endif

data/ext/libxcrypt/lib/crypt-static.c

@@ -0,0 +1,44 @@
+/* Copyright (C) 2007-2017 Thorsten Kukuk
+   Copyright (C) 2019 Björn Esser
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public License
+   as published by the Free Software Foundation; either version 2.1 of
+   the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "crypt-port.h"
+
+/* The functions that use global state objects are isolated in their
+   own files so that a statically-linked program that doesn't use them
+   will not have the state objects in its data segment.  */
+
+#if INCLUDE_crypt
+char *
+crypt (const char *key, const char *setting)
+{
+  static struct crypt_data nr_crypt_ctx;
+  return crypt_r (key, setting, &nr_crypt_ctx);
+}
+SYMVER_crypt;
+#endif
+
+/* For code compatibility with old glibc.  */
+#if INCLUDE_fcrypt
+strong_alias (crypt, fcrypt);
+SYMVER_fcrypt;
+#endif
+
+/* For code compatibility with older versions (v3.1.1 and earlier).  */
+#if INCLUDE_crypt && INCLUDE_xcrypt
+strong_alias (crypt, xcrypt);
+SYMVER_xcrypt;
+#endif

data/ext/libxcrypt/lib/crypt-sunmd5.c

@@ -0,0 +1,314 @@
+/* Copyright (c) 2018 Zack Weinberg.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This is a clean-room reimplementation of the Sun-MD5 password hash,
+ * based on the prose description of the algorithm in the Passlib v1.7.1
+ * documentation:
+ * https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sun_md5_crypt.html
+ */
+
+#include "crypt-port.h"
+#include "alg-md5.h"
+
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#if INCLUDE_sunmd5
+
+#define SUNMD5_PREFIX           "$md5"
+#define SUNMD5_PREFIX_LEN       4
+#define SUNMD5_SALT_LEN         8
+#define SUNMD5_MAX_SETTING_LEN  32 /* $md5,rounds=4294963199$12345678$ */
+#define SUNMD5_BARE_OUTPUT_LEN  22 /* not counting the setting or the NUL */
+#define SUNMD5_MAX_ROUNDS       (0xFFFFFFFFul)
+
+/* At each round of the algorithm, this string (including the trailing
+   NUL) may or may not be included in the input to MD5, depending on a
+   pseudorandom coin toss.  It is Hamlet's famous soliloquy from the
+   play of the same name, which is in the public domain.  Text from
+   <https://www.gutenberg.org/files/1524/old/2ws2610.tex> with double
+   blank lines replaced with `\n`.  Note that more recent Project
+   Gutenberg editions of _Hamlet_ are punctuated differently.  */
+static const char hamlet_quotation[] =
+  "To be, or not to be,--that is the question:--\n"
+  "Whether 'tis nobler in the mind to suffer\n"
+  "The slings and arrows of outrageous fortune\n"
+  "Or to take arms against a sea of troubles,\n"
+  "And by opposing end them?--To die,--to sleep,--\n"
+  "No more; and by a sleep to say we end\n"
+  "The heartache, and the thousand natural shocks\n"
+  "That flesh is heir to,--'tis a consummation\n"
+  "Devoutly to be wish'd. To die,--to sleep;--\n"
+  "To sleep! perchance to dream:--ay, there's the rub;\n"
+  "For in that sleep of death what dreams may come,\n"
+  "When we have shuffled off this mortal coil,\n"
+  "Must give us pause: there's the respect\n"
+  "That makes calamity of so long life;\n"
+  "For who would bear the whips and scorns of time,\n"
+  "The oppressor's wrong, the proud man's contumely,\n"
+  "The pangs of despis'd love, the law's delay,\n"
+  "The insolence of office, and the spurns\n"
+  "That patient merit of the unworthy takes,\n"
+  "When he himself might his quietus make\n"
+  "With a bare bodkin? who would these fardels bear,\n"
+  "To grunt and sweat under a weary life,\n"
+  "But that the dread of something after death,--\n"
+  "The undiscover'd country, from whose bourn\n"
+  "No traveller returns,--puzzles the will,\n"
+  "And makes us rather bear those ills we have\n"
+  "Than fly to others that we know not of?\n"
+  "Thus conscience does make cowards of us all;\n"
+  "And thus the native hue of resolution\n"
+  "Is sicklied o'er with the pale cast of thought;\n"
+  "And enterprises of great pith and moment,\n"
+  "With this regard, their currents turn awry,\n"
+  "And lose the name of action.--Soft you now!\n"
+  "The fair Ophelia!--Nymph, in thy orisons\n"
+  "Be all my sins remember'd.\n";
+
+/* Decide, pseudorandomly, whether or not to include the above quotation
+   in the input to MD5.  */
+static inline bool
+get_nth_bit (const uint8_t digest[16], unsigned int n)
+{
+  unsigned int byte = (n % 128) / 8;
+  unsigned int bit  = (n % 128) % 8;
+  return !!(digest[byte] & (1 << bit));
+}
+
+static bool
+muffet_coin_toss (const uint8_t prev_digest[16], unsigned int round_count)
+{
+  unsigned int x, y, a, b, r, v, i;
+  for (i = 0, x = 0, y = 0; i < 8; i++)
+    {
+      a = prev_digest[(i + 0) % 16];
+      b = prev_digest[(i + 3) % 16];
+      r = a >> (b % 5);
+      v = prev_digest[r % 16];
+      if (b & (1u << (a % 8)))
+        v /= 2;
+      x |= ((unsigned int) +get_nth_bit (prev_digest, v)) << i;
+
+      a = prev_digest[(i + 8)  % 16];
+      b = prev_digest[(i + 11) % 16];
+      r = a >> (b % 5);
+      v = prev_digest[r % 16];
+      if (b & (1u << (a % 8)))
+        v /= 2;
+      y |= ((unsigned int) +get_nth_bit (prev_digest, v)) << i;
+    }
+
+  if (get_nth_bit (prev_digest, round_count))
+    x /= 2;
+  if (get_nth_bit (prev_digest, round_count + 64))
+    y /= 2;
+
+  return !!(get_nth_bit (prev_digest, x) ^ get_nth_bit (prev_digest, y));
+}
+
+static inline void
+write_itoa64_4 (uint8_t *output,
+                unsigned int b0, unsigned int b1, unsigned int b2)
+{
+  unsigned int value = (b0 << 0) | (b1 << 8) | (b2 << 16);
+  output[0] = itoa64[value & 0x3f];
+  output[1] = itoa64[(value >> 6) & 0x3f];
+  output[2] = itoa64[(value >> 12) & 0x3f];
+  output[3] = itoa64[(value >> 18) & 0x3f];
+}
+
+/* used only for the last two bytes of crypt_sunmd5_rn output */
+static inline void
+write_itoa64_2 (uint8_t *output,
+                unsigned int b0, unsigned int b1, unsigned int b2)
+{
+  unsigned int value = (b0 << 0) | (b1 << 8) | (b2 << 16);
+  output[0] = itoa64[value & 0x3f];
+  output[1] = itoa64[(value >> 6) & 0x3f];
+}
+
+/* Module entry points.  */
+
+void
+crypt_sunmd5_rn (const char *phrase, size_t phr_size,
+                 const char *setting, size_t ARG_UNUSED (set_size),
+                 uint8_t *output, size_t out_size,
+                 void *scratch, size_t scr_size)
+{
+  struct crypt_sunmd5_scratch
+  {
+    MD5_CTX ctx;
+    uint8_t dg[16];
+    char    rn[16];
+  };
+
+  /* If 'setting' doesn't start with the prefix, we should not have
+     been called in the first place.  */
+  if (strncmp (setting, SUNMD5_PREFIX, SUNMD5_PREFIX_LEN)
+      || (setting[SUNMD5_PREFIX_LEN] != '$'
+          && setting[SUNMD5_PREFIX_LEN] != ','))
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  /* For bug-compatibility with the original implementation, we allow
+     'rounds=' to follow either '$md5,' or '$md5$'.  */
+  const char *p = setting + SUNMD5_PREFIX_LEN + 1;
+  unsigned int nrounds = 4096;
+  if (!strncmp (p, "rounds=", sizeof "rounds=" - 1))
+    {
+      p += sizeof "rounds=" - 1;
+      /* Do not allow an explicit setting of zero additional rounds,
+         nor leading zeroes on the number of rounds.  */
+      if (!(*p >= '1' && *p <= '9'))
+        {
+          errno = EINVAL;
+          return;
+        }
+
+      errno = 0;
+      char *endp;
+      unsigned long arounds = strtoul (p, &endp, 10);
+      if (endp == p || arounds > SUNMD5_MAX_ROUNDS || errno)
+        {
+          errno = EINVAL;
+          return;
+        }
+      nrounds += (unsigned int)arounds;
+      p = endp;
+      if (*p != '$')
+        {
+          errno = EINVAL;
+          return;
+        }
+      p += 1;
+    }
+
+  /* p now points to the beginning of the actual salt.  */
+  p += strspn (p, (const char *)itoa64);
+  if (*p != '\0' && *p != '$')
+    {
+      errno = EINVAL;
+      return;
+    }
+  /* For bug-compatibility with the original implementation, if p
+     points to a '$' and the following character is either another '$'
+     or NUL, the first '$' should be included in the salt.  */
+  if (p[0] == '$' && (p[1] == '$' || p[1] == '\0'))
+    p += 1;
+
+  size_t saltlen = (size_t) (p - setting);
+  /* Do we have enough space?  */
+  if (scr_size < sizeof (struct crypt_sunmd5_scratch)
+      || out_size < saltlen + SUNMD5_BARE_OUTPUT_LEN + 2)
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  struct crypt_sunmd5_scratch *s = scratch;
+
+  /* Initial round.  */
+  MD5_Init (&s->ctx);
+  MD5_Update (&s->ctx, phrase, phr_size);
+  MD5_Update (&s->ctx, setting, saltlen);
+  MD5_Final (s->dg, &s->ctx);
+
+  /* Stretching rounds.  */
+  for (unsigned int i = 0; i < nrounds; i++)
+    {
+      MD5_Init (&s->ctx);
+
+      MD5_Update (&s->ctx, s->dg, sizeof s->dg);
+
+      /* The trailing nul is intentionally included.  */
+      if (muffet_coin_toss (s->dg, i))
+        MD5_Update (&s->ctx, hamlet_quotation, sizeof hamlet_quotation);
+
+      int nwritten = snprintf (s->rn, sizeof s->rn, "%u", i);
+      assert (nwritten >= 1 && (unsigned int)nwritten + 1 <= sizeof s->rn);
+      MD5_Update (&s->ctx, s->rn, (unsigned int)nwritten);
+
+      MD5_Final (s->dg, &s->ctx);
+    }
+
+  memcpy (output, setting, saltlen);
+  *(output + saltlen + 0) = '$';
+  /* This is the same permuted order used by BSD md5-crypt ($1$).  */
+  write_itoa64_4 (output + saltlen +  1, s->dg[12], s->dg[ 6], s->dg[0]);
+  write_itoa64_4 (output + saltlen +  5, s->dg[13], s->dg[ 7], s->dg[1]);
+  write_itoa64_4 (output + saltlen +  9, s->dg[14], s->dg[ 8], s->dg[2]);
+  write_itoa64_4 (output + saltlen + 13, s->dg[15], s->dg[ 9], s->dg[3]);
+  write_itoa64_4 (output + saltlen + 17, s->dg[ 5], s->dg[10], s->dg[4]);
+  write_itoa64_2 (output + saltlen + 21, s->dg[11], 0, 0);
+  *(output + saltlen + 23) = '\0';
+}
+
+void
+gensalt_sunmd5_rn (unsigned long count,
+                   const uint8_t *rbytes,
+                   size_t nrbytes,
+                   uint8_t *output,
+                   size_t o_size)
+{
+  if (o_size < SUNMD5_MAX_SETTING_LEN + 1)
+    {
+      errno = ERANGE;
+      return;
+    }
+  if (nrbytes < 6 + 2)
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  /* The default number of rounds, 4096, is much too low.  The actual
+     number of rounds is somewhat randomized to make construction of
+     rainbow tables more difficult (effectively this means an extra 16
+     bits of entropy are smuggled into the salt via the round number).  */
+  if (count < 32768)
+    count = 32768;
+  else if (count > SUNMD5_MAX_ROUNDS - 65536)
+    count = SUNMD5_MAX_ROUNDS - 65536;
+
+  count += ((unsigned long)rbytes[0]) << 8;
+  count += ((unsigned long)rbytes[1]) << 0;
+
+  assert (count != 0);
+
+  size_t written = (size_t) snprintf ((char *)output, o_size,
+                                      "%s,rounds=%lu$", SUNMD5_PREFIX, count);
+
+
+  write_itoa64_4(output + written + 0, rbytes[2], rbytes[3], rbytes[4]);
+  write_itoa64_4(output + written + 4, rbytes[5], rbytes[6], rbytes[7]);
+
+  output[written + 8] = '$';
+  output[written + 9] = '\0';
+}
+
+#endif