]> git.ipfire.org Git - thirdparty/glibc.git/blob - crypt/sha512-crypt.c
projects / thirdparty / glibc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright dates with scripts/update-copyrights.
[thirdparty/glibc.git] / crypt / sha512-crypt.c
1 /* One way encryption based on SHA512 sum.
2 Copyright (C) 2007-2015 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
19
20 #include <assert.h>
21 #include <errno.h>
22 #include <stdbool.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <stdint.h>
26 #include <sys/param.h>
27
28 #include "sha512.h"
29 #include "crypt-private.h"
30
31
32 #ifdef USE_NSS
33 typedef int PRBool;
34 # include <hasht.h>
35 # include <nsslowhash.h>
36
37 # define sha512_init_ctx(ctxp, nss_ctxp) \
38 do \
39 { \
40 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512)) \
41 == NULL)) \
42 { \
43 if (nss_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_ctx); \
45 if (nss_alt_ctx != NULL) \
46 NSSLOWHASH_Destroy (nss_alt_ctx); \
47 return NULL; \
48 } \
49 NSSLOWHASH_Begin (nss_ctxp); \
50 } \
51 while (0)
52
53 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
54 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
55
56 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
57 do \
58 { \
59 unsigned int ret; \
60 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
61 assert (ret == sizeof (result)); \
62 NSSLOWHASH_Destroy (nss_ctxp); \
63 nss_ctxp = NULL; \
64 } \
65 while (0)
66 #else
67 # define sha512_init_ctx(ctxp, nss_ctxp) \
68 __sha512_init_ctx (ctxp)
69
70 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
71 __sha512_process_bytes(buf, len, ctxp)
72
73 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
74 __sha512_finish_ctx (ctxp, result)
75 #endif
76
77
78 /* Define our magic string to mark salt for SHA512 "encryption"
79 replacement. */
80 static const char sha512_salt_prefix[] = "$6$";
81
82 /* Prefix for optional rounds specification. */
83 static const char sha512_rounds_prefix[] = "rounds=";
84
85 /* Maximum salt string length. */
86 #define SALT_LEN_MAX 16
87 /* Default number of rounds if not explicitly specified. */
88 #define ROUNDS_DEFAULT 5000
89 /* Minimum number of rounds. */
90 #define ROUNDS_MIN 1000
91 /* Maximum number of rounds. */
92 #define ROUNDS_MAX 999999999
93
94
95 /* Prototypes for local functions. */
96 extern char *__sha512_crypt_r (const char *key, const char *salt,
97 char *buffer, int buflen);
98 extern char *__sha512_crypt (const char *key, const char *salt);
99
100
101 char *
102 __sha512_crypt_r (key, salt, buffer, buflen)
103 const char *key;
104 const char *salt;
105 char *buffer;
106 int buflen;
107 {
108 unsigned char alt_result[64]
109 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
110 unsigned char temp_result[64]
111 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
112 size_t salt_len;
113 size_t key_len;
114 size_t cnt;
115 char *cp;
116 char *copied_key = NULL;
117 char *copied_salt = NULL;
118 char *p_bytes;
119 char *s_bytes;
120 /* Default number of rounds. */
121 size_t rounds = ROUNDS_DEFAULT;
122 bool rounds_custom = false;
123 size_t alloca_used = 0;
124 char *free_key = NULL;
125 char *free_pbytes = NULL;
126
127 /* Find beginning of salt string. The prefix should normally always
128 be present. Just in case it is not. */
129 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
130 /* Skip salt prefix. */
131 salt += sizeof (sha512_salt_prefix) - 1;
132
133 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
134 == 0)
135 {
136 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
137 char *endp;
138 unsigned long int srounds = strtoul (num, &endp, 10);
139 if (*endp == '$')
140 {
141 salt = endp + 1;
142 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
143 rounds_custom = true;
144 }
145 }
146
147 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
148 key_len = strlen (key);
149
150 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
151 {
152 char *tmp;
153
154 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint64_t)))
155 tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
156 else
157 {
158 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
159 if (tmp == NULL)
160 return NULL;
161 }
162
163 key = copied_key =
164 memcpy (tmp + __alignof__ (uint64_t)
165 - (tmp - (char *) 0) % __alignof__ (uint64_t),
166 key, key_len);
167 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
168 }
169
170 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
171 {
172 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
173 salt = copied_salt =
174 memcpy (tmp + __alignof__ (uint64_t)
175 - (tmp - (char *) 0) % __alignof__ (uint64_t),
176 salt, salt_len);
177 assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
178 }
179
180 #ifdef USE_NSS
181 /* Initialize libfreebl3. */
182 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
183 if (nss_ictx == NULL)
184 {
185 free (free_key);
186 return NULL;
187 }
188 NSSLOWHASHContext *nss_ctx = NULL;
189 NSSLOWHASHContext *nss_alt_ctx = NULL;
190 #else
191 struct sha512_ctx ctx;
192 struct sha512_ctx alt_ctx;
193 #endif
194
195 /* Prepare for the real work. */
196 sha512_init_ctx (&ctx, nss_ctx);
197
198 /* Add the key string. */
199 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
200
201 /* The last part is the salt string. This must be at most 16
202 characters and it ends at the first `$' character. */
203 sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);
204
205
206 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
207 final result will be added to the first context. */
208 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
209
210 /* Add key. */
211 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
212
213 /* Add salt. */
214 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
215
216 /* Add key again. */
217 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
218
219 /* Now get result of this (64 bytes) and add it to the other
220 context. */
221 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
222
223 /* Add for any character in the key one byte of the alternate sum. */
224 for (cnt = key_len; cnt > 64; cnt -= 64)
225 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
226 sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);
227
228 /* Take the binary representation of the length of the key and for every
229 1 add the alternate sum, for every 0 the key. */
230 for (cnt = key_len; cnt > 0; cnt >>= 1)
231 if ((cnt & 1) != 0)
232 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
233 else
234 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
235
236 /* Create intermediate result. */
237 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
238
239 /* Start computation of P byte sequence. */
240 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
241
242 /* For every character in the password add the entire password. */
243 for (cnt = 0; cnt < key_len; ++cnt)
244 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
245
246 /* Finish the digest. */
247 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
248
249 /* Create byte sequence P. */
250 if (__libc_use_alloca (alloca_used + key_len))
251 cp = p_bytes = (char *) alloca (key_len);
252 else
253 {
254 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
255 if (free_pbytes == NULL)
256 {
257 free (free_key);
258 return NULL;
259 }
260 }
261
262 for (cnt = key_len; cnt >= 64; cnt -= 64)
263 cp = mempcpy (cp, temp_result, 64);
264 memcpy (cp, temp_result, cnt);
265
266 /* Start computation of S byte sequence. */
267 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
268
269 /* For every character in the password add the entire password. */
270 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
271 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
272
273 /* Finish the digest. */
274 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
275
276 /* Create byte sequence S. */
277 cp = s_bytes = alloca (salt_len);
278 for (cnt = salt_len; cnt >= 64; cnt -= 64)
279 cp = mempcpy (cp, temp_result, 64);
280 memcpy (cp, temp_result, cnt);
281
282 /* Repeatedly run the collected hash value through SHA512 to burn
283 CPU cycles. */
284 for (cnt = 0; cnt < rounds; ++cnt)
285 {
286 /* New context. */
287 sha512_init_ctx (&ctx, nss_ctx);
288
289 /* Add key or last result. */
290 if ((cnt & 1) != 0)
291 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
292 else
293 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
294
295 /* Add salt for numbers not divisible by 3. */
296 if (cnt % 3 != 0)
297 sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
298
299 /* Add key for numbers not divisible by 7. */
300 if (cnt % 7 != 0)
301 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
302
303 /* Add key or last result. */
304 if ((cnt & 1) != 0)
305 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
306 else
307 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
308
309 /* Create intermediate result. */
310 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
311 }
312
313 #ifdef USE_NSS
314 /* Free libfreebl3 resources. */
315 NSSLOW_Shutdown (nss_ictx);
316 #endif
317
318 /* Now we can construct the result string. It consists of three
319 parts. */
320 cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
321 buflen -= sizeof (sha512_salt_prefix) - 1;
322
323 if (rounds_custom)
324 {
325 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
326 sha512_rounds_prefix, rounds);
327 cp += n;
328 buflen -= n;
329 }
330
331 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
332 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
333
334 if (buflen > 0)
335 {
336 *cp++ = '$';
337 --buflen;
338 }
339
340 __b64_from_24bit (&cp, &buflen,
341 alt_result[0], alt_result[21], alt_result[42], 4);
342 __b64_from_24bit (&cp, &buflen,
343 alt_result[22], alt_result[43], alt_result[1], 4);
344 __b64_from_24bit (&cp, &buflen,
345 alt_result[44], alt_result[2], alt_result[23], 4);
346 __b64_from_24bit (&cp, &buflen,
347 alt_result[3], alt_result[24], alt_result[45], 4);
348 __b64_from_24bit (&cp, &buflen,
349 alt_result[25], alt_result[46], alt_result[4], 4);
350 __b64_from_24bit (&cp, &buflen,
351 alt_result[47], alt_result[5], alt_result[26], 4);
352 __b64_from_24bit (&cp, &buflen,
353 alt_result[6], alt_result[27], alt_result[48], 4);
354 __b64_from_24bit (&cp, &buflen,
355 alt_result[28], alt_result[49], alt_result[7], 4);
356 __b64_from_24bit (&cp, &buflen,
357 alt_result[50], alt_result[8], alt_result[29], 4);
358 __b64_from_24bit (&cp, &buflen,
359 alt_result[9], alt_result[30], alt_result[51], 4);
360 __b64_from_24bit (&cp, &buflen,
361 alt_result[31], alt_result[52], alt_result[10], 4);
362 __b64_from_24bit (&cp, &buflen,
363 alt_result[53], alt_result[11], alt_result[32], 4);
364 __b64_from_24bit (&cp, &buflen,
365 alt_result[12], alt_result[33], alt_result[54], 4);
366 __b64_from_24bit (&cp, &buflen,
367 alt_result[34], alt_result[55], alt_result[13], 4);
368 __b64_from_24bit (&cp, &buflen,
369 alt_result[56], alt_result[14], alt_result[35], 4);
370 __b64_from_24bit (&cp, &buflen,
371 alt_result[15], alt_result[36], alt_result[57], 4);
372 __b64_from_24bit (&cp, &buflen,
373 alt_result[37], alt_result[58], alt_result[16], 4);
374 __b64_from_24bit (&cp, &buflen,
375 alt_result[59], alt_result[17], alt_result[38], 4);
376 __b64_from_24bit (&cp, &buflen,
377 alt_result[18], alt_result[39], alt_result[60], 4);
378 __b64_from_24bit (&cp, &buflen,
379 alt_result[40], alt_result[61], alt_result[19], 4);
380 __b64_from_24bit (&cp, &buflen,
381 alt_result[62], alt_result[20], alt_result[41], 4);
382 __b64_from_24bit (&cp, &buflen,
383 0, 0, alt_result[63], 2);
384
385 if (buflen <= 0)
386 {
387 __set_errno (ERANGE);
388 buffer = NULL;
389 }
390 else
391 *cp = '\0'; /* Terminate the string. */
392
393 /* Clear the buffer for the intermediate result so that people
394 attaching to processes or reading core dumps cannot get any
395 information. We do it in this way to clear correct_words[]
396 inside the SHA512 implementation as well. */
397 #ifndef USE_NSS
398 __sha512_init_ctx (&ctx);
399 __sha512_finish_ctx (&ctx, alt_result);
400 memset (&ctx, '\0', sizeof (ctx));
401 memset (&alt_ctx, '\0', sizeof (alt_ctx));
402 #endif
403 memset (temp_result, '\0', sizeof (temp_result));
404 memset (p_bytes, '\0', key_len);
405 memset (s_bytes, '\0', salt_len);
406 if (copied_key != NULL)
407 memset (copied_key, '\0', key_len);
408 if (copied_salt != NULL)
409 memset (copied_salt, '\0', salt_len);
410
411 free (free_key);
412 free (free_pbytes);
413 return buffer;
414 }
415
416 #ifndef _LIBC
417 # define libc_freeres_ptr(decl) decl
418 #endif
419 libc_freeres_ptr (static char *buffer);
420
421 /* This entry point is equivalent to the `crypt' function in Unix
422 libcs. */
423 char *
424 __sha512_crypt (const char *key, const char *salt)
425 {
426 /* We don't want to have an arbitrary limit in the size of the
427 password. We can compute an upper bound for the size of the
428 result in advance and so we can prepare the buffer we pass to
429 `sha512_crypt_r'. */
430 static int buflen;
431 int needed = (sizeof (sha512_salt_prefix) - 1
432 + sizeof (sha512_rounds_prefix) + 9 + 1
433 + strlen (salt) + 1 + 86 + 1);
434
435 if (buflen < needed)
436 {
437 char *new_buffer = (char *) realloc (buffer, needed);
438 if (new_buffer == NULL)
439 return NULL;
440
441 buffer = new_buffer;
442 buflen = needed;
443 }
444
445 return __sha512_crypt_r (key, salt, buffer, buflen);
446 }
447
448 #ifndef _LIBC
449 static void
450 __attribute__ ((__destructor__))
451 free_mem (void)
452 {
453 free (buffer);
454 }
455 #endif
A mirror of the official glibc repository