[thirdparty/glibc.git] / crypt / sha256-crypt.c

/* One way encryption based on SHA256 sum.
   Copyright (C) 2007-2021 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */

#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/param.h>

#include "sha256.h"
#include "crypt-private.h"


#ifdef USE_NSS
typedef int PRBool;
# include <hasht.h>
# include <nsslowhash.h>

# define sha256_init_ctx(ctxp, nss_ctxp) \
  do									      \
    {									      \
      if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256))      \
	   == NULL))							      \
	{								      \
	  if (nss_ctx != NULL)						      \
	    NSSLOWHASH_Destroy (nss_ctx);				      \
	  if (nss_alt_ctx != NULL)					      \
	    NSSLOWHASH_Destroy (nss_alt_ctx);				      \
	  return NULL;							      \
	}								      \
      NSSLOWHASH_Begin (nss_ctxp);					      \
    }									      \
  while (0)

# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)

# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  do									      \
    {									      \
      unsigned int ret;							      \
      NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));		      \
      assert (ret == sizeof (result));					      \
      NSSLOWHASH_Destroy (nss_ctxp);					      \
      nss_ctxp = NULL;							      \
    }									      \
  while (0)
#else
# define sha256_init_ctx(ctxp, nss_ctxp) \
  __sha256_init_ctx (ctxp)

# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  __sha256_process_bytes(buf, len, ctxp)

# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  __sha256_finish_ctx (ctxp, result)
#endif


/* Define our magic string to mark salt for SHA256 "encryption"
   replacement.  */
static const char sha256_salt_prefix[] = "$5$";

/* Prefix for optional rounds specification.  */
static const char sha256_rounds_prefix[] = "rounds=";

/* Maximum salt string length.  */
#define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified.  */
#define ROUNDS_DEFAULT 5000
/* Minimum number of rounds.  */
#define ROUNDS_MIN 1000
/* Maximum number of rounds.  */
#define ROUNDS_MAX 999999999


/* Prototypes for local functions.  */
extern char *__sha256_crypt_r (const char *key, const char *salt,
			       char *buffer, int buflen);
extern char *__sha256_crypt (const char *key, const char *salt);


char *
__sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
{
  unsigned char alt_result[32]
    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
  unsigned char temp_result[32]
    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
  size_t salt_len;
  size_t key_len;
  size_t cnt;
  char *cp;
  char *copied_key = NULL;
  char *copied_salt = NULL;
  char *p_bytes;
  char *s_bytes;
  /* Default number of rounds.  */
  size_t rounds = ROUNDS_DEFAULT;
  bool rounds_custom = false;
  size_t alloca_used = 0;
  char *free_key = NULL;
  char *free_pbytes = NULL;

  /* Find beginning of salt string.  The prefix should normally always
     be present.  Just in case it is not.  */
  if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
    /* Skip salt prefix.  */
    salt += sizeof (sha256_salt_prefix) - 1;

  if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
      == 0)
    {
      const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
      char *endp;
      unsigned long int srounds = strtoul (num, &endp, 10);
      if (*endp == '$')
	{
	  salt = endp + 1;
	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
	  rounds_custom = true;
	}
    }

  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
  key_len = strlen (key);

  if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
    {
      char *tmp;

      if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
	tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
      else
	{
	  free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
	  if (tmp == NULL)
	    return NULL;
	}

      key = copied_key =
	memcpy (tmp + __alignof__ (uint32_t)
		- (tmp - (char *) 0) % __alignof__ (uint32_t),
		key, key_len);
      assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
    }

  if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
    {
      char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
      alloca_used += salt_len + __alignof__ (uint32_t);
      salt = copied_salt =
	memcpy (tmp + __alignof__ (uint32_t)
		- (tmp - (char *) 0) % __alignof__ (uint32_t),
		salt, salt_len);
      assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
    }

#ifdef USE_NSS
  /* Initialize libfreebl3.  */
  NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
  if (nss_ictx == NULL)
    {
      free (free_key);
      return NULL;
    }
  NSSLOWHASHContext *nss_ctx = NULL;
  NSSLOWHASHContext *nss_alt_ctx = NULL;
#else
  struct sha256_ctx ctx;
  struct sha256_ctx alt_ctx;
#endif

  /* Prepare for the real work.  */
  sha256_init_ctx (&ctx, nss_ctx);

  /* Add the key string.  */
  sha256_process_bytes (key, key_len, &ctx, nss_ctx);

  /* The last part is the salt string.  This must be at most 16
     characters and it ends at the first `$' character.  */
  sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);


  /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
     final result will be added to the first context.  */
  sha256_init_ctx (&alt_ctx, nss_alt_ctx);

  /* Add key.  */
  sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Add salt.  */
  sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);

  /* Add key again.  */
  sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Now get result of this (32 bytes) and add it to the other
     context.  */
  sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);

  /* Add for any character in the key one byte of the alternate sum.  */
  for (cnt = key_len; cnt > 32; cnt -= 32)
    sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
  sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);

  /* Take the binary representation of the length of the key and for every
     1 add the alternate sum, for every 0 the key.  */
  for (cnt = key_len; cnt > 0; cnt >>= 1)
    if ((cnt & 1) != 0)
      sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
    else
      sha256_process_bytes (key, key_len, &ctx, nss_ctx);

  /* Create intermediate result.  */
  sha256_finish_ctx (&ctx, nss_ctx, alt_result);

  /* Start computation of P byte sequence.  */
  sha256_init_ctx (&alt_ctx, nss_alt_ctx);

  /* For every character in the password add the entire password.  */
  for (cnt = 0; cnt < key_len; ++cnt)
    sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Finish the digest.  */
  sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);

  /* Create byte sequence P.  */
  if (__libc_use_alloca (alloca_used + key_len))
    cp = p_bytes = (char *) alloca (key_len);
  else
    {
      free_pbytes = cp = p_bytes = (char *)malloc (key_len);
      if (free_pbytes == NULL)
	{
	  free (free_key);
	  return NULL;
	}
    }

  for (cnt = key_len; cnt >= 32; cnt -= 32)
    cp = mempcpy (cp, temp_result, 32);
  memcpy (cp, temp_result, cnt);

  /* Start computation of S byte sequence.  */
  sha256_init_ctx (&alt_ctx, nss_alt_ctx);

  /* For every character in the password add the entire password.  */
  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
    sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);

  /* Finish the digest.  */
  sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);

  /* Create byte sequence S.  */
  cp = s_bytes = alloca (salt_len);
  for (cnt = salt_len; cnt >= 32; cnt -= 32)
    cp = mempcpy (cp, temp_result, 32);
  memcpy (cp, temp_result, cnt);

  /* Repeatedly run the collected hash value through SHA256 to burn
     CPU cycles.  */
  for (cnt = 0; cnt < rounds; ++cnt)
    {
      /* New context.  */
      sha256_init_ctx (&ctx, nss_ctx);

      /* Add key or last result.  */
      if ((cnt & 1) != 0)
	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
      else
	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);

      /* Add salt for numbers not divisible by 3.  */
      if (cnt % 3 != 0)
	sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);

      /* Add key for numbers not divisible by 7.  */
      if (cnt % 7 != 0)
	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);

      /* Add key or last result.  */
      if ((cnt & 1) != 0)
	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
      else
	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);

      /* Create intermediate result.  */
      sha256_finish_ctx (&ctx, nss_ctx, alt_result);
    }

#ifdef USE_NSS
  /* Free libfreebl3 resources. */
  NSSLOW_Shutdown (nss_ictx);
#endif

  /* Now we can construct the result string.  It consists of three
     parts.  */
  cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
  buflen -= sizeof (sha256_salt_prefix) - 1;

  if (rounds_custom)
    {
      int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
			  sha256_rounds_prefix, rounds);
      cp += n;
      buflen -= n;
    }

  cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);

  if (buflen > 0)
    {
      *cp++ = '$';
      --buflen;
    }

  __b64_from_24bit (&cp, &buflen,
		    alt_result[0], alt_result[10], alt_result[20], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[21], alt_result[1], alt_result[11], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[12], alt_result[22], alt_result[2], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[3], alt_result[13], alt_result[23], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[24], alt_result[4], alt_result[14], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[15], alt_result[25], alt_result[5], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[6], alt_result[16], alt_result[26], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[27], alt_result[7], alt_result[17], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[18], alt_result[28], alt_result[8], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[9], alt_result[19], alt_result[29], 4);
  __b64_from_24bit (&cp, &buflen,
		    0, alt_result[31], alt_result[30], 3);
  if (buflen <= 0)
    {
      __set_errno (ERANGE);
      buffer = NULL;
    }
  else
    *cp = '\0';		/* Terminate the string.  */

  /* Clear the buffer for the intermediate result so that people
     attaching to processes or reading core dumps cannot get any
     information.  We do it in this way to clear correct_words[]
     inside the SHA256 implementation as well.  */
#ifndef USE_NSS
  __sha256_init_ctx (&ctx);
  __sha256_finish_ctx (&ctx, alt_result);
  explicit_bzero (&ctx, sizeof (ctx));
  explicit_bzero (&alt_ctx, sizeof (alt_ctx));
#endif
  explicit_bzero (temp_result, sizeof (temp_result));
  explicit_bzero (p_bytes, key_len);
  explicit_bzero (s_bytes, salt_len);
  if (copied_key != NULL)
    explicit_bzero (copied_key, key_len);
  if (copied_salt != NULL)
    explicit_bzero (copied_salt, salt_len);

  free (free_key);
  free (free_pbytes);
  return buffer;
}

#ifndef _LIBC
# define libc_freeres_ptr(decl) decl
#endif
libc_freeres_ptr (static char *buffer);

/* This entry point is equivalent to the `crypt' function in Unix
   libcs.  */
char *
__sha256_crypt (const char *key, const char *salt)
{
  /* We don't want to have an arbitrary limit in the size of the
     password.  We can compute an upper bound for the size of the
     result in advance and so we can prepare the buffer we pass to
     `sha256_crypt_r'.  */
  static int buflen;
  int needed = (sizeof (sha256_salt_prefix) - 1
		+ sizeof (sha256_rounds_prefix) + 9 + 1
		+ strlen (salt) + 1 + 43 + 1);

  if (buflen < needed)
    {
      char *new_buffer = (char *) realloc (buffer, needed);
      if (new_buffer == NULL)
	return NULL;

      buffer = new_buffer;
      buflen = needed;
    }

  return __sha256_crypt_r (key, salt, buffer, buflen);
}

#ifndef _LIBC
static void
__attribute__ ((__destructor__))
free_mem (void)
{
  free (buffer);
}
#endif
Commit	Line	Data
9425cb9e	1	/* One way encryption based on SHA256 sum.
2b778ceb	2	Copyright (C) 2007-2021 Free Software Foundation, Inc.
9425cb9e UD	3	This file is part of the GNU C Library.
	4	Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
	5
	6	The GNU C Library is free software; you can redistribute it and/or
	7	modify it under the terms of the GNU Lesser General Public
	8	License as published by the Free Software Foundation; either
	9	version 2.1 of the License, or (at your option) any later version.
	10
	11	The GNU C Library is distributed in the hope that it will be useful,
	12	but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public
59ba27a6	17	License along with the GNU C Library; if not, see
5a82c748	18	<https://www.gnu.org/licenses/>. */
9425cb9e UD	19
	20	#include <assert.h>
	21	#include <errno.h>
	22	#include <stdbool.h>
	23	#include <stdlib.h>
	24	#include <string.h>
e054f494	25	#include <stdint.h>
9425cb9e UD	26	#include <sys/param.h>
	27
	28	#include "sha256.h"
8747cd03	29	#include "crypt-private.h"
9425cb9e UD	30
9425cb9e UD	31
ff886b82 UD	32	#ifdef USE_NSS
	33	typedef int PRBool;
	34	# include <hasht.h>
	35	# include <nsslowhash.h>
	36
	37	# define sha256_init_ctx(ctxp, nss_ctxp) \
	38	do \
	39	{ \
	40	if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
	41	== NULL)) \
	42	{ \
	43	if (nss_ctx != NULL) \
	44	NSSLOWHASH_Destroy (nss_ctx); \
	45	if (nss_alt_ctx != NULL) \
	46	NSSLOWHASH_Destroy (nss_alt_ctx); \
	47	return NULL; \
	48	} \
	49	NSSLOWHASH_Begin (nss_ctxp); \
	50	} \
	51	while (0)
	52
	53	# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
	54	NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
	55
	56	# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
	57	do \
	58	{ \
	59	unsigned int ret; \
	60	NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
	61	assert (ret == sizeof (result)); \
	62	NSSLOWHASH_Destroy (nss_ctxp); \
	63	nss_ctxp = NULL; \
	64	} \
	65	while (0)
	66	#else
	67	# define sha256_init_ctx(ctxp, nss_ctxp) \
	68	__sha256_init_ctx (ctxp)
	69
	70	# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
	71	__sha256_process_bytes(buf, len, ctxp)
	72
	73	# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
	74	__sha256_finish_ctx (ctxp, result)
	75	#endif
	76
	77
9425cb9e UD	78	/* Define our magic string to mark salt for SHA256 "encryption"
	79	replacement. */
	80	static const char sha256_salt_prefix[] = "$5$";
	81
	82	/* Prefix for optional rounds specification. */
	83	static const char sha256_rounds_prefix[] = "rounds=";
	84
	85	/* Maximum salt string length. */
	86	#define SALT_LEN_MAX 16
	87	/* Default number of rounds if not explicitly specified. */
	88	#define ROUNDS_DEFAULT 5000
	89	/* Minimum number of rounds. */
	90	#define ROUNDS_MIN 1000
	91	/* Maximum number of rounds. */
	92	#define ROUNDS_MAX 999999999
	93
9425cb9e UD	94
	95	/* Prototypes for local functions. */
	96	extern char __sha256_crypt_r (const char key, const char *salt,
	97	char *buffer, int buflen);
	98	extern char __sha256_crypt (const char key, const char *salt);
	99
	100
	101	char *
9dd346ff	102	__sha256_crypt_r (const char key, const char salt, char *buffer, int buflen)
9425cb9e UD	103	{
	104	unsigned char alt_result[32]
	105	__attribute__ ((__aligned__ (__alignof__ (uint32_t))));
	106	unsigned char temp_result[32]
	107	__attribute__ ((__aligned__ (__alignof__ (uint32_t))));
9425cb9e UD	108	size_t salt_len;
	109	size_t key_len;
	110	size_t cnt;
	111	char *cp;
	112	char *copied_key = NULL;
	113	char *copied_salt = NULL;
	114	char *p_bytes;
	115	char *s_bytes;
	116	/* Default number of rounds. */
	117	size_t rounds = ROUNDS_DEFAULT;
	118	bool rounds_custom = false;
b8dc394d JL	119	size_t alloca_used = 0;
	120	char *free_key = NULL;
	121	char *free_pbytes = NULL;
9425cb9e UD	122
	123	/* Find beginning of salt string. The prefix should normally always
	124	be present. Just in case it is not. */
	125	if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
	126	/* Skip salt prefix. */
	127	salt += sizeof (sha256_salt_prefix) - 1;
	128
	129	if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
	130	== 0)
	131	{
	132	const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
	133	char *endp;
	134	unsigned long int srounds = strtoul (num, &endp, 10);
	135	if (*endp == '$')
	136	{
	137	salt = endp + 1;
	138	rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
	139	rounds_custom = true;
	140	}
	141	}
	142
	143	salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
	144	key_len = strlen (key);
	145
	146	if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
	147	{
b8dc394d JL	148	char *tmp;
	149
	150	if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
	151	tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
	152	else
	153	{
	154	free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
	155	if (tmp == NULL)
	156	return NULL;
	157	}
	158
9425cb9e UD	159	key = copied_key =
	160	memcpy (tmp + __alignof__ (uint32_t)
	161	- (tmp - (char *) 0) % __alignof__ (uint32_t),
	162	key, key_len);
	163	assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
	164	}
	165
	166	if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
	167	{
	168	char tmp = (char ) alloca (salt_len + __alignof__ (uint32_t));
b8dc394d	169	alloca_used += salt_len + __alignof__ (uint32_t);
9425cb9e UD	170	salt = copied_salt =
	171	memcpy (tmp + __alignof__ (uint32_t)
	172	- (tmp - (char *) 0) % __alignof__ (uint32_t),
	173	salt, salt_len);
	174	assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
	175	}
	176
ff886b82 UD	177	#ifdef USE_NSS
	178	/* Initialize libfreebl3. */
	179	NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
	180	if (nss_ictx == NULL)
b8dc394d JL	181	{
	182	free (free_key);
	183	return NULL;
	184	}
ff886b82 UD	185	NSSLOWHASHContext *nss_ctx = NULL;
	186	NSSLOWHASHContext *nss_alt_ctx = NULL;
	187	#else
	188	struct sha256_ctx ctx;
	189	struct sha256_ctx alt_ctx;
	190	#endif
	191
9425cb9e	192	/* Prepare for the real work. */
ff886b82	193	sha256_init_ctx (&ctx, nss_ctx);
9425cb9e UD	194
9425cb9e UD	195	/* Add the key string. */
ff886b82	196	sha256_process_bytes (key, key_len, &ctx, nss_ctx);
9425cb9e	197
7f745396 UD	198	/* The last part is the salt string. This must be at most 16
7f745396 UD	199	characters and it ends at the first `$' character. */
ff886b82	200	sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
9425cb9e UD	201
	202
	203	/* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
	204	final result will be added to the first context. */
ff886b82	205	sha256_init_ctx (&alt_ctx, nss_alt_ctx);
9425cb9e UD	206
9425cb9e UD	207	/* Add key. */
ff886b82	208	sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
9425cb9e UD	209
9425cb9e UD	210	/* Add salt. */
ff886b82	211	sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
9425cb9e UD	212
9425cb9e UD	213	/* Add key again. */
ff886b82	214	sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
9425cb9e UD	215
	216	/* Now get result of this (32 bytes) and add it to the other
	217	context. */
ff886b82	218	sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
9425cb9e UD	219
	220	/* Add for any character in the key one byte of the alternate sum. */
	221	for (cnt = key_len; cnt > 32; cnt -= 32)
ff886b82 UD	222	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
ff886b82 UD	223	sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
9425cb9e UD	224
	225	/* Take the binary representation of the length of the key and for every
	226	1 add the alternate sum, for every 0 the key. */
	227	for (cnt = key_len; cnt > 0; cnt >>= 1)
	228	if ((cnt & 1) != 0)
ff886b82	229	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
9425cb9e	230	else
ff886b82	231	sha256_process_bytes (key, key_len, &ctx, nss_ctx);
9425cb9e UD	232
9425cb9e UD	233	/* Create intermediate result. */
ff886b82	234	sha256_finish_ctx (&ctx, nss_ctx, alt_result);
9425cb9e UD	235
9425cb9e UD	236	/* Start computation of P byte sequence. */
ff886b82	237	sha256_init_ctx (&alt_ctx, nss_alt_ctx);
9425cb9e UD	238
	239	/* For every character in the password add the entire password. */
	240	for (cnt = 0; cnt < key_len; ++cnt)
ff886b82	241	sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
9425cb9e UD	242
9425cb9e UD	243	/* Finish the digest. */
ff886b82	244	sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
9425cb9e UD	245
9425cb9e UD	246	/* Create byte sequence P. */
b8dc394d JL	247	if (__libc_use_alloca (alloca_used + key_len))
	248	cp = p_bytes = (char *) alloca (key_len);
	249	else
	250	{
	251	free_pbytes = cp = p_bytes = (char *)malloc (key_len);
	252	if (free_pbytes == NULL)
	253	{
	254	free (free_key);
	255	return NULL;
	256	}
	257	}
	258
9425cb9e UD	259	for (cnt = key_len; cnt >= 32; cnt -= 32)
	260	cp = mempcpy (cp, temp_result, 32);
	261	memcpy (cp, temp_result, cnt);
	262
	263	/* Start computation of S byte sequence. */
ff886b82	264	sha256_init_ctx (&alt_ctx, nss_alt_ctx);
9425cb9e UD	265
	266	/* For every character in the password add the entire password. */
	267	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
ff886b82	268	sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
9425cb9e UD	269
9425cb9e UD	270	/* Finish the digest. */
ff886b82	271	sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
9425cb9e UD	272
	273	/* Create byte sequence S. */
	274	cp = s_bytes = alloca (salt_len);
	275	for (cnt = salt_len; cnt >= 32; cnt -= 32)
	276	cp = mempcpy (cp, temp_result, 32);
	277	memcpy (cp, temp_result, cnt);
	278
	279	/* Repeatedly run the collected hash value through SHA256 to burn
	280	CPU cycles. */
	281	for (cnt = 0; cnt < rounds; ++cnt)
	282	{
	283	/* New context. */
ff886b82	284	sha256_init_ctx (&ctx, nss_ctx);
9425cb9e UD	285
	286	/* Add key or last result. */
	287	if ((cnt & 1) != 0)
ff886b82	288	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
9425cb9e	289	else
ff886b82	290	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
9425cb9e UD	291
	292	/* Add salt for numbers not divisible by 3. */
	293	if (cnt % 3 != 0)
ff886b82	294	sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
9425cb9e UD	295
	296	/* Add key for numbers not divisible by 7. */
	297	if (cnt % 7 != 0)
ff886b82	298	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
9425cb9e UD	299
	300	/* Add key or last result. */
	301	if ((cnt & 1) != 0)
ff886b82	302	sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
9425cb9e	303	else
ff886b82	304	sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
9425cb9e UD	305
9425cb9e UD	306	/* Create intermediate result. */
ff886b82	307	sha256_finish_ctx (&ctx, nss_ctx, alt_result);
9425cb9e UD	308	}
9425cb9e UD	309
ff886b82 UD	310	#ifdef USE_NSS
	311	/* Free libfreebl3 resources. */
	312	NSSLOW_Shutdown (nss_ictx);
	313	#endif
	314
9425cb9e UD	315	/* Now we can construct the result string. It consists of three
	316	parts. */
	317	cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
	318	buflen -= sizeof (sha256_salt_prefix) - 1;
	319
	320	if (rounds_custom)
	321	{
61158ffa JM	322	int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
61158ffa JM	323	sha256_rounds_prefix, rounds);
9425cb9e UD	324	cp += n;
	325	buflen -= n;
	326	}
	327
	328	cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
	329	buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
	330
	331	if (buflen > 0)
	332	{
	333	*cp++ = '$';
	334	--buflen;
	335	}
	336
8747cd03 KS	337	__b64_from_24bit (&cp, &buflen,
	338	alt_result[0], alt_result[10], alt_result[20], 4);
	339	__b64_from_24bit (&cp, &buflen,
	340	alt_result[21], alt_result[1], alt_result[11], 4);
	341	__b64_from_24bit (&cp, &buflen,
	342	alt_result[12], alt_result[22], alt_result[2], 4);
	343	__b64_from_24bit (&cp, &buflen,
	344	alt_result[3], alt_result[13], alt_result[23], 4);
	345	__b64_from_24bit (&cp, &buflen,
	346	alt_result[24], alt_result[4], alt_result[14], 4);
	347	__b64_from_24bit (&cp, &buflen,
	348	alt_result[15], alt_result[25], alt_result[5], 4);
	349	__b64_from_24bit (&cp, &buflen,
	350	alt_result[6], alt_result[16], alt_result[26], 4);
	351	__b64_from_24bit (&cp, &buflen,
	352	alt_result[27], alt_result[7], alt_result[17], 4);
	353	__b64_from_24bit (&cp, &buflen,
	354	alt_result[18], alt_result[28], alt_result[8], 4);
	355	__b64_from_24bit (&cp, &buflen,
	356	alt_result[9], alt_result[19], alt_result[29], 4);
	357	__b64_from_24bit (&cp, &buflen,
	358	0, alt_result[31], alt_result[30], 3);
9425cb9e UD	359	if (buflen <= 0)
	360	{
	361	__set_errno (ERANGE);
	362	buffer = NULL;
	363	}
	364	else
	365	cp = '\0'; / Terminate the string. */
	366
	367	/* Clear the buffer for the intermediate result so that people
	368	attaching to processes or reading core dumps cannot get any
	369	information. We do it in this way to clear correct_words[]
	370	inside the SHA256 implementation as well. */
ff886b82	371	#ifndef USE_NSS
9425cb9e UD	372	__sha256_init_ctx (&ctx);
9425cb9e UD	373	__sha256_finish_ctx (&ctx, alt_result);
ea1bd74d ZW	374	explicit_bzero (&ctx, sizeof (ctx));
ea1bd74d ZW	375	explicit_bzero (&alt_ctx, sizeof (alt_ctx));
ff886b82	376	#endif
ea1bd74d ZW	377	explicit_bzero (temp_result, sizeof (temp_result));
	378	explicit_bzero (p_bytes, key_len);
	379	explicit_bzero (s_bytes, salt_len);
9425cb9e	380	if (copied_key != NULL)
ea1bd74d	381	explicit_bzero (copied_key, key_len);
9425cb9e	382	if (copied_salt != NULL)
ea1bd74d	383	explicit_bzero (copied_salt, salt_len);
9425cb9e	384
b8dc394d JL	385	free (free_key);
b8dc394d JL	386	free (free_pbytes);
9425cb9e UD	387	return buffer;
	388	}
	389
	390	#ifndef _LIBC
	391	# define libc_freeres_ptr(decl) decl
	392	#endif
	393	libc_freeres_ptr (static char *buffer);
	394
	395	/* This entry point is equivalent to the `crypt' function in Unix
	396	libcs. */
	397	char *
	398	__sha256_crypt (const char key, const char salt)
	399	{
	400	/* We don't want to have an arbitrary limit in the size of the
	401	password. We can compute an upper bound for the size of the
	402	result in advance and so we can prepare the buffer we pass to
	403	`sha256_crypt_r'. */
	404	static int buflen;
	405	int needed = (sizeof (sha256_salt_prefix) - 1
	406	+ sizeof (sha256_rounds_prefix) + 9 + 1
	407	+ strlen (salt) + 1 + 43 + 1);
	408
	409	if (buflen < needed)
	410	{
	411	char new_buffer = (char ) realloc (buffer, needed);
	412	if (new_buffer == NULL)
	413	return NULL;
	414
	415	buffer = new_buffer;
	416	buflen = needed;
	417	}
	418
	419	return __sha256_crypt_r (key, salt, buffer, buflen);
	420	}
	421
	422	#ifndef _LIBC
	423	static void
	424	__attribute__ ((__destructor__))
	425	free_mem (void)
	426	{
	427	free (buffer);
	428	}
	429	#endif