[thirdparty/glibc.git] / crypt / sha512-crypt.c

/* One way encryption based on SHA512 sum.
   Copyright (C) 2007-2019 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */

#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/param.h>

#include "sha512.h"
#include "crypt-private.h"


#ifdef USE_NSS
typedef int PRBool;
# include <hasht.h>
# include <nsslowhash.h>

# define sha512_init_ctx(ctxp, nss_ctxp) \
  do									      \
    {									      \
      if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512))      \
	   == NULL))							      \
	{								      \
	  if (nss_ctx != NULL)						      \
	    NSSLOWHASH_Destroy (nss_ctx);				      \
	  if (nss_alt_ctx != NULL)					      \
	    NSSLOWHASH_Destroy (nss_alt_ctx);				      \
	  return NULL;							      \
	}								      \
      NSSLOWHASH_Begin (nss_ctxp);					      \
    }									      \
  while (0)

# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
  NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)

# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
  do									      \
    {									      \
      unsigned int ret;							      \
      NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));		      \
      assert (ret == sizeof (result));					      \
      NSSLOWHASH_Destroy (nss_ctxp);					      \
      nss_ctxp = NULL;							      \
    }									      \
  while (0)
#else
# define sha512_init_ctx(ctxp, nss_ctxp) \
  __sha512_init_ctx (ctxp)

# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
  __sha512_process_bytes(buf, len, ctxp)

# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
  __sha512_finish_ctx (ctxp, result)
#endif


/* Define our magic string to mark salt for SHA512 "encryption"
   replacement.  */
static const char sha512_salt_prefix[] = "$6$";

/* Prefix for optional rounds specification.  */
static const char sha512_rounds_prefix[] = "rounds=";

/* Maximum salt string length.  */
#define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified.  */
#define ROUNDS_DEFAULT 5000
/* Minimum number of rounds.  */
#define ROUNDS_MIN 1000
/* Maximum number of rounds.  */
#define ROUNDS_MAX 999999999


/* Prototypes for local functions.  */
extern char *__sha512_crypt_r (const char *key, const char *salt,
			       char *buffer, int buflen);
extern char *__sha512_crypt (const char *key, const char *salt);


char *
__sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
{
  unsigned char alt_result[64]
    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
  unsigned char temp_result[64]
    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
  size_t salt_len;
  size_t key_len;
  size_t cnt;
  char *cp;
  char *copied_key = NULL;
  char *copied_salt = NULL;
  char *p_bytes;
  char *s_bytes;
  /* Default number of rounds.  */
  size_t rounds = ROUNDS_DEFAULT;
  bool rounds_custom = false;
  size_t alloca_used = 0;
  char *free_key = NULL;
  char *free_pbytes = NULL;

  /* Find beginning of salt string.  The prefix should normally always
     be present.  Just in case it is not.  */
  if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
    /* Skip salt prefix.  */
    salt += sizeof (sha512_salt_prefix) - 1;

  if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
      == 0)
    {
      const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
      char *endp;
      unsigned long int srounds = strtoul (num, &endp, 10);
      if (*endp == '$')
	{
	  salt = endp + 1;
	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
	  rounds_custom = true;
	}
    }

  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
  key_len = strlen (key);

  if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
    {
      char *tmp;

      if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint64_t)))
	tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
      else
	{
	  free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
	  if (tmp == NULL)
	    return NULL;
	}

      key = copied_key =
	memcpy (tmp + __alignof__ (uint64_t)
		- (tmp - (char *) 0) % __alignof__ (uint64_t),
		key, key_len);
      assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
    }

  if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
    {
      char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
      salt = copied_salt =
	memcpy (tmp + __alignof__ (uint64_t)
		- (tmp - (char *) 0) % __alignof__ (uint64_t),
		salt, salt_len);
      assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
    }

#ifdef USE_NSS
  /* Initialize libfreebl3.  */
  NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
  if (nss_ictx == NULL)
    {
      free (free_key);
      return NULL;
    }
  NSSLOWHASHContext *nss_ctx = NULL;
  NSSLOWHASHContext *nss_alt_ctx = NULL;
#else
  struct sha512_ctx ctx;
  struct sha512_ctx alt_ctx;
#endif

  /* Prepare for the real work.  */
  sha512_init_ctx (&ctx, nss_ctx);

  /* Add the key string.  */
  sha512_process_bytes (key, key_len, &ctx, nss_ctx);

  /* The last part is the salt string.  This must be at most 16
     characters and it ends at the first `$' character.  */
  sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);


  /* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
     final result will be added to the first context.  */
  sha512_init_ctx (&alt_ctx, nss_alt_ctx);

  /* Add key.  */
  sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Add salt.  */
  sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);

  /* Add key again.  */
  sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Now get result of this (64 bytes) and add it to the other
     context.  */
  sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);

  /* Add for any character in the key one byte of the alternate sum.  */
  for (cnt = key_len; cnt > 64; cnt -= 64)
    sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
  sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);

  /* Take the binary representation of the length of the key and for every
     1 add the alternate sum, for every 0 the key.  */
  for (cnt = key_len; cnt > 0; cnt >>= 1)
    if ((cnt & 1) != 0)
      sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
    else
      sha512_process_bytes (key, key_len, &ctx, nss_ctx);

  /* Create intermediate result.  */
  sha512_finish_ctx (&ctx, nss_ctx, alt_result);

  /* Start computation of P byte sequence.  */
  sha512_init_ctx (&alt_ctx, nss_alt_ctx);

  /* For every character in the password add the entire password.  */
  for (cnt = 0; cnt < key_len; ++cnt)
    sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);

  /* Finish the digest.  */
  sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);

  /* Create byte sequence P.  */
  if (__libc_use_alloca (alloca_used + key_len))
    cp = p_bytes = (char *) alloca (key_len);
  else
    {
      free_pbytes = cp = p_bytes = (char *)malloc (key_len);
      if (free_pbytes == NULL)
	{
	  free (free_key);
	  return NULL;
	}
    }

  for (cnt = key_len; cnt >= 64; cnt -= 64)
    cp = mempcpy (cp, temp_result, 64);
  memcpy (cp, temp_result, cnt);

  /* Start computation of S byte sequence.  */
  sha512_init_ctx (&alt_ctx, nss_alt_ctx);

  /* For every character in the password add the entire password.  */
  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
    sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);

  /* Finish the digest.  */
  sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);

  /* Create byte sequence S.  */
  cp = s_bytes = alloca (salt_len);
  for (cnt = salt_len; cnt >= 64; cnt -= 64)
    cp = mempcpy (cp, temp_result, 64);
  memcpy (cp, temp_result, cnt);

  /* Repeatedly run the collected hash value through SHA512 to burn
     CPU cycles.  */
  for (cnt = 0; cnt < rounds; ++cnt)
    {
      /* New context.  */
      sha512_init_ctx (&ctx, nss_ctx);

      /* Add key or last result.  */
      if ((cnt & 1) != 0)
	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
      else
	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);

      /* Add salt for numbers not divisible by 3.  */
      if (cnt % 3 != 0)
	sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);

      /* Add key for numbers not divisible by 7.  */
      if (cnt % 7 != 0)
	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);

      /* Add key or last result.  */
      if ((cnt & 1) != 0)
	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
      else
	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);

      /* Create intermediate result.  */
      sha512_finish_ctx (&ctx, nss_ctx, alt_result);
    }

#ifdef USE_NSS
  /* Free libfreebl3 resources. */
  NSSLOW_Shutdown (nss_ictx);
#endif

  /* Now we can construct the result string.  It consists of three
     parts.  */
  cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
  buflen -= sizeof (sha512_salt_prefix) - 1;

  if (rounds_custom)
    {
      int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
			  sha512_rounds_prefix, rounds);
      cp += n;
      buflen -= n;
    }

  cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);

  if (buflen > 0)
    {
      *cp++ = '$';
      --buflen;
    }

  __b64_from_24bit (&cp, &buflen,
		    alt_result[0], alt_result[21], alt_result[42], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[22], alt_result[43], alt_result[1], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[44], alt_result[2], alt_result[23], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[3], alt_result[24], alt_result[45], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[25], alt_result[46], alt_result[4], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[47], alt_result[5], alt_result[26], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[6], alt_result[27], alt_result[48], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[28], alt_result[49], alt_result[7], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[50], alt_result[8], alt_result[29], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[9], alt_result[30], alt_result[51], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[31], alt_result[52], alt_result[10], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[53], alt_result[11], alt_result[32], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[12], alt_result[33], alt_result[54], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[34], alt_result[55], alt_result[13], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[56], alt_result[14], alt_result[35], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[15], alt_result[36], alt_result[57], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[37], alt_result[58], alt_result[16], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[59], alt_result[17], alt_result[38], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[18], alt_result[39], alt_result[60], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[40], alt_result[61], alt_result[19], 4);
  __b64_from_24bit (&cp, &buflen,
		    alt_result[62], alt_result[20], alt_result[41], 4);
  __b64_from_24bit (&cp, &buflen,
		    0, 0, alt_result[63], 2);

  if (buflen <= 0)
    {
      __set_errno (ERANGE);
      buffer = NULL;
    }
  else
    *cp = '\0';		/* Terminate the string.  */

  /* Clear the buffer for the intermediate result so that people
     attaching to processes or reading core dumps cannot get any
     information.  We do it in this way to clear correct_words[]
     inside the SHA512 implementation as well.  */
#ifndef USE_NSS
  __sha512_init_ctx (&ctx);
  __sha512_finish_ctx (&ctx, alt_result);
  explicit_bzero (&ctx, sizeof (ctx));
  explicit_bzero (&alt_ctx, sizeof (alt_ctx));
#endif
  explicit_bzero (temp_result, sizeof (temp_result));
  explicit_bzero (p_bytes, key_len);
  explicit_bzero (s_bytes, salt_len);
  if (copied_key != NULL)
    explicit_bzero (copied_key, key_len);
  if (copied_salt != NULL)
    explicit_bzero (copied_salt, salt_len);

  free (free_key);
  free (free_pbytes);
  return buffer;
}

#ifndef _LIBC
# define libc_freeres_ptr(decl) decl
#endif
libc_freeres_ptr (static char *buffer);

/* This entry point is equivalent to the `crypt' function in Unix
   libcs.  */
char *
__sha512_crypt (const char *key, const char *salt)
{
  /* We don't want to have an arbitrary limit in the size of the
     password.  We can compute an upper bound for the size of the
     result in advance and so we can prepare the buffer we pass to
     `sha512_crypt_r'.  */
  static int buflen;
  int needed = (sizeof (sha512_salt_prefix) - 1
		+ sizeof (sha512_rounds_prefix) + 9 + 1
		+ strlen (salt) + 1 + 86 + 1);

  if (buflen < needed)
    {
      char *new_buffer = (char *) realloc (buffer, needed);
      if (new_buffer == NULL)
	return NULL;

      buffer = new_buffer;
      buflen = needed;
    }

  return __sha512_crypt_r (key, salt, buffer, buflen);
}

#ifndef _LIBC
static void
__attribute__ ((__destructor__))
free_mem (void)
{
  free (buffer);
}
#endif
Commit	Line	Data
c3266dc0	1	/* One way encryption based on SHA512 sum.
04277e02	2	Copyright (C) 2007-2019 Free Software Foundation, Inc.
c3266dc0 UD	3	This file is part of the GNU C Library.
	4	Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
	5
	6	The GNU C Library is free software; you can redistribute it and/or
	7	modify it under the terms of the GNU Lesser General Public
	8	License as published by the Free Software Foundation; either
	9	version 2.1 of the License, or (at your option) any later version.
	10
	11	The GNU C Library is distributed in the hope that it will be useful,
	12	but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public
59ba27a6	17	License along with the GNU C Library; if not, see
5a82c748	18	<https://www.gnu.org/licenses/>. */
c3266dc0 UD	19
	20	#include <assert.h>
	21	#include <errno.h>
	22	#include <stdbool.h>
	23	#include <stdlib.h>
	24	#include <string.h>
e054f494	25	#include <stdint.h>
c3266dc0 UD	26	#include <sys/param.h>
	27
	28	#include "sha512.h"
8747cd03	29	#include "crypt-private.h"
c3266dc0 UD	30
c3266dc0 UD	31
ff886b82 UD	32	#ifdef USE_NSS
	33	typedef int PRBool;
	34	# include <hasht.h>
	35	# include <nsslowhash.h>
	36
	37	# define sha512_init_ctx(ctxp, nss_ctxp) \
	38	do \
	39	{ \
	40	if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512)) \
	41	== NULL)) \
	42	{ \
	43	if (nss_ctx != NULL) \
	44	NSSLOWHASH_Destroy (nss_ctx); \
	45	if (nss_alt_ctx != NULL) \
	46	NSSLOWHASH_Destroy (nss_alt_ctx); \
	47	return NULL; \
	48	} \
	49	NSSLOWHASH_Begin (nss_ctxp); \
	50	} \
	51	while (0)
	52
	53	# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
	54	NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
	55
	56	# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
	57	do \
	58	{ \
	59	unsigned int ret; \
	60	NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
	61	assert (ret == sizeof (result)); \
	62	NSSLOWHASH_Destroy (nss_ctxp); \
	63	nss_ctxp = NULL; \
	64	} \
	65	while (0)
	66	#else
	67	# define sha512_init_ctx(ctxp, nss_ctxp) \
	68	__sha512_init_ctx (ctxp)
	69
	70	# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
	71	__sha512_process_bytes(buf, len, ctxp)
	72
	73	# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
	74	__sha512_finish_ctx (ctxp, result)
	75	#endif
	76
	77
c3266dc0 UD	78	/* Define our magic string to mark salt for SHA512 "encryption"
	79	replacement. */
	80	static const char sha512_salt_prefix[] = "$6$";
	81
	82	/* Prefix for optional rounds specification. */
	83	static const char sha512_rounds_prefix[] = "rounds=";
	84
	85	/* Maximum salt string length. */
	86	#define SALT_LEN_MAX 16
	87	/* Default number of rounds if not explicitly specified. */
	88	#define ROUNDS_DEFAULT 5000
	89	/* Minimum number of rounds. */
	90	#define ROUNDS_MIN 1000
	91	/* Maximum number of rounds. */
	92	#define ROUNDS_MAX 999999999
	93
c3266dc0 UD	94
	95	/* Prototypes for local functions. */
	96	extern char __sha512_crypt_r (const char key, const char *salt,
	97	char *buffer, int buflen);
	98	extern char __sha512_crypt (const char key, const char *salt);
	99
	100
	101	char *
9dd346ff	102	__sha512_crypt_r (const char key, const char salt, char *buffer, int buflen)
c3266dc0 UD	103	{
	104	unsigned char alt_result[64]
	105	__attribute__ ((__aligned__ (__alignof__ (uint64_t))));
	106	unsigned char temp_result[64]
	107	__attribute__ ((__aligned__ (__alignof__ (uint64_t))));
c3266dc0 UD	108	size_t salt_len;
	109	size_t key_len;
	110	size_t cnt;
	111	char *cp;
	112	char *copied_key = NULL;
	113	char *copied_salt = NULL;
	114	char *p_bytes;
	115	char *s_bytes;
	116	/* Default number of rounds. */
	117	size_t rounds = ROUNDS_DEFAULT;
	118	bool rounds_custom = false;
b8dc394d JL	119	size_t alloca_used = 0;
	120	char *free_key = NULL;
	121	char *free_pbytes = NULL;
c3266dc0 UD	122
	123	/* Find beginning of salt string. The prefix should normally always
	124	be present. Just in case it is not. */
	125	if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
	126	/* Skip salt prefix. */
	127	salt += sizeof (sha512_salt_prefix) - 1;
	128
	129	if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
	130	== 0)
	131	{
	132	const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
	133	char *endp;
	134	unsigned long int srounds = strtoul (num, &endp, 10);
	135	if (*endp == '$')
	136	{
	137	salt = endp + 1;
	138	rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
	139	rounds_custom = true;
	140	}
	141	}
	142
	143	salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
	144	key_len = strlen (key);
	145
	146	if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
	147	{
b8dc394d JL	148	char *tmp;
	149
	150	if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint64_t)))
	151	tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
	152	else
	153	{
	154	free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
	155	if (tmp == NULL)
	156	return NULL;
	157	}
	158
c3266dc0 UD	159	key = copied_key =
	160	memcpy (tmp + __alignof__ (uint64_t)
	161	- (tmp - (char *) 0) % __alignof__ (uint64_t),
	162	key, key_len);
	163	assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
	164	}
	165
	166	if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
	167	{
	168	char tmp = (char ) alloca (salt_len + __alignof__ (uint64_t));
	169	salt = copied_salt =
	170	memcpy (tmp + __alignof__ (uint64_t)
	171	- (tmp - (char *) 0) % __alignof__ (uint64_t),
	172	salt, salt_len);
	173	assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
	174	}
	175
ff886b82 UD	176	#ifdef USE_NSS
	177	/* Initialize libfreebl3. */
	178	NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
	179	if (nss_ictx == NULL)
b8dc394d JL	180	{
	181	free (free_key);
	182	return NULL;
	183	}
ff886b82 UD	184	NSSLOWHASHContext *nss_ctx = NULL;
	185	NSSLOWHASHContext *nss_alt_ctx = NULL;
	186	#else
	187	struct sha512_ctx ctx;
	188	struct sha512_ctx alt_ctx;
	189	#endif
	190
c3266dc0	191	/* Prepare for the real work. */
ff886b82	192	sha512_init_ctx (&ctx, nss_ctx);
c3266dc0 UD	193
c3266dc0 UD	194	/* Add the key string. */
ff886b82	195	sha512_process_bytes (key, key_len, &ctx, nss_ctx);
c3266dc0	196
7f745396 UD	197	/* The last part is the salt string. This must be at most 16
7f745396 UD	198	characters and it ends at the first `$' character. */
ff886b82	199	sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);
c3266dc0 UD	200
	201
	202	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
	203	final result will be added to the first context. */
ff886b82	204	sha512_init_ctx (&alt_ctx, nss_alt_ctx);
c3266dc0 UD	205
c3266dc0 UD	206	/* Add key. */
ff886b82	207	sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
c3266dc0 UD	208
c3266dc0 UD	209	/* Add salt. */
ff886b82	210	sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
c3266dc0 UD	211
c3266dc0 UD	212	/* Add key again. */
ff886b82	213	sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
c3266dc0 UD	214
	215	/* Now get result of this (64 bytes) and add it to the other
	216	context. */
ff886b82	217	sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
c3266dc0 UD	218
	219	/* Add for any character in the key one byte of the alternate sum. */
	220	for (cnt = key_len; cnt > 64; cnt -= 64)
ff886b82 UD	221	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
ff886b82 UD	222	sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);
c3266dc0 UD	223
	224	/* Take the binary representation of the length of the key and for every
	225	1 add the alternate sum, for every 0 the key. */
	226	for (cnt = key_len; cnt > 0; cnt >>= 1)
	227	if ((cnt & 1) != 0)
ff886b82	228	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
c3266dc0	229	else
ff886b82	230	sha512_process_bytes (key, key_len, &ctx, nss_ctx);
c3266dc0 UD	231
c3266dc0 UD	232	/* Create intermediate result. */
ff886b82	233	sha512_finish_ctx (&ctx, nss_ctx, alt_result);
c3266dc0 UD	234
c3266dc0 UD	235	/* Start computation of P byte sequence. */
ff886b82	236	sha512_init_ctx (&alt_ctx, nss_alt_ctx);
c3266dc0 UD	237
	238	/* For every character in the password add the entire password. */
	239	for (cnt = 0; cnt < key_len; ++cnt)
ff886b82	240	sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
c3266dc0 UD	241
c3266dc0 UD	242	/* Finish the digest. */
ff886b82	243	sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
c3266dc0 UD	244
c3266dc0 UD	245	/* Create byte sequence P. */
b8dc394d JL	246	if (__libc_use_alloca (alloca_used + key_len))
	247	cp = p_bytes = (char *) alloca (key_len);
	248	else
	249	{
	250	free_pbytes = cp = p_bytes = (char *)malloc (key_len);
	251	if (free_pbytes == NULL)
	252	{
	253	free (free_key);
	254	return NULL;
	255	}
	256	}
	257
c3266dc0 UD	258	for (cnt = key_len; cnt >= 64; cnt -= 64)
	259	cp = mempcpy (cp, temp_result, 64);
	260	memcpy (cp, temp_result, cnt);
	261
	262	/* Start computation of S byte sequence. */
ff886b82	263	sha512_init_ctx (&alt_ctx, nss_alt_ctx);
c3266dc0 UD	264
	265	/* For every character in the password add the entire password. */
	266	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
ff886b82	267	sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
c3266dc0 UD	268
c3266dc0 UD	269	/* Finish the digest. */
ff886b82	270	sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
c3266dc0 UD	271
	272	/* Create byte sequence S. */
	273	cp = s_bytes = alloca (salt_len);
	274	for (cnt = salt_len; cnt >= 64; cnt -= 64)
	275	cp = mempcpy (cp, temp_result, 64);
	276	memcpy (cp, temp_result, cnt);
	277
	278	/* Repeatedly run the collected hash value through SHA512 to burn
	279	CPU cycles. */
	280	for (cnt = 0; cnt < rounds; ++cnt)
	281	{
	282	/* New context. */
ff886b82	283	sha512_init_ctx (&ctx, nss_ctx);
c3266dc0 UD	284
	285	/* Add key or last result. */
	286	if ((cnt & 1) != 0)
ff886b82	287	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
c3266dc0	288	else
ff886b82	289	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
c3266dc0 UD	290
	291	/* Add salt for numbers not divisible by 3. */
	292	if (cnt % 3 != 0)
ff886b82	293	sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
c3266dc0 UD	294
	295	/* Add key for numbers not divisible by 7. */
	296	if (cnt % 7 != 0)
ff886b82	297	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
c3266dc0 UD	298
	299	/* Add key or last result. */
	300	if ((cnt & 1) != 0)
ff886b82	301	sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
c3266dc0	302	else
ff886b82	303	sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
c3266dc0 UD	304
c3266dc0 UD	305	/* Create intermediate result. */
ff886b82	306	sha512_finish_ctx (&ctx, nss_ctx, alt_result);
c3266dc0 UD	307	}
c3266dc0 UD	308
ff886b82 UD	309	#ifdef USE_NSS
	310	/* Free libfreebl3 resources. */
	311	NSSLOW_Shutdown (nss_ictx);
	312	#endif
	313
c3266dc0 UD	314	/* Now we can construct the result string. It consists of three
	315	parts. */
	316	cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
	317	buflen -= sizeof (sha512_salt_prefix) - 1;
	318
	319	if (rounds_custom)
	320	{
61158ffa JM	321	int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
61158ffa JM	322	sha512_rounds_prefix, rounds);
c3266dc0 UD	323	cp += n;
	324	buflen -= n;
	325	}
	326
	327	cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
	328	buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
	329
	330	if (buflen > 0)
	331	{
	332	*cp++ = '$';
	333	--buflen;
	334	}
	335
8747cd03 KS	336	__b64_from_24bit (&cp, &buflen,
	337	alt_result[0], alt_result[21], alt_result[42], 4);
	338	__b64_from_24bit (&cp, &buflen,
	339	alt_result[22], alt_result[43], alt_result[1], 4);
	340	__b64_from_24bit (&cp, &buflen,
	341	alt_result[44], alt_result[2], alt_result[23], 4);
	342	__b64_from_24bit (&cp, &buflen,
	343	alt_result[3], alt_result[24], alt_result[45], 4);
	344	__b64_from_24bit (&cp, &buflen,
	345	alt_result[25], alt_result[46], alt_result[4], 4);
	346	__b64_from_24bit (&cp, &buflen,
	347	alt_result[47], alt_result[5], alt_result[26], 4);
	348	__b64_from_24bit (&cp, &buflen,
	349	alt_result[6], alt_result[27], alt_result[48], 4);
	350	__b64_from_24bit (&cp, &buflen,
	351	alt_result[28], alt_result[49], alt_result[7], 4);
	352	__b64_from_24bit (&cp, &buflen,
	353	alt_result[50], alt_result[8], alt_result[29], 4);
	354	__b64_from_24bit (&cp, &buflen,
	355	alt_result[9], alt_result[30], alt_result[51], 4);
	356	__b64_from_24bit (&cp, &buflen,
	357	alt_result[31], alt_result[52], alt_result[10], 4);
	358	__b64_from_24bit (&cp, &buflen,
	359	alt_result[53], alt_result[11], alt_result[32], 4);
	360	__b64_from_24bit (&cp, &buflen,
	361	alt_result[12], alt_result[33], alt_result[54], 4);
	362	__b64_from_24bit (&cp, &buflen,
	363	alt_result[34], alt_result[55], alt_result[13], 4);
	364	__b64_from_24bit (&cp, &buflen,
	365	alt_result[56], alt_result[14], alt_result[35], 4);
	366	__b64_from_24bit (&cp, &buflen,
	367	alt_result[15], alt_result[36], alt_result[57], 4);
	368	__b64_from_24bit (&cp, &buflen,
	369	alt_result[37], alt_result[58], alt_result[16], 4);
	370	__b64_from_24bit (&cp, &buflen,
	371	alt_result[59], alt_result[17], alt_result[38], 4);
	372	__b64_from_24bit (&cp, &buflen,
	373	alt_result[18], alt_result[39], alt_result[60], 4);
	374	__b64_from_24bit (&cp, &buflen,
	375	alt_result[40], alt_result[61], alt_result[19], 4);
	376	__b64_from_24bit (&cp, &buflen,
	377	alt_result[62], alt_result[20], alt_result[41], 4);
	378	__b64_from_24bit (&cp, &buflen,
	379	0, 0, alt_result[63], 2);
c3266dc0 UD	380
	381	if (buflen <= 0)
	382	{
	383	__set_errno (ERANGE);
	384	buffer = NULL;
	385	}
	386	else
	387	cp = '\0'; / Terminate the string. */
	388
	389	/* Clear the buffer for the intermediate result so that people
	390	attaching to processes or reading core dumps cannot get any
	391	information. We do it in this way to clear correct_words[]
	392	inside the SHA512 implementation as well. */
ff886b82	393	#ifndef USE_NSS
c3266dc0 UD	394	__sha512_init_ctx (&ctx);
c3266dc0 UD	395	__sha512_finish_ctx (&ctx, alt_result);
ea1bd74d ZW	396	explicit_bzero (&ctx, sizeof (ctx));
ea1bd74d ZW	397	explicit_bzero (&alt_ctx, sizeof (alt_ctx));
ff886b82	398	#endif
ea1bd74d ZW	399	explicit_bzero (temp_result, sizeof (temp_result));
	400	explicit_bzero (p_bytes, key_len);
	401	explicit_bzero (s_bytes, salt_len);
c3266dc0	402	if (copied_key != NULL)
ea1bd74d	403	explicit_bzero (copied_key, key_len);
c3266dc0	404	if (copied_salt != NULL)
ea1bd74d	405	explicit_bzero (copied_salt, salt_len);
c3266dc0	406
b8dc394d JL	407	free (free_key);
b8dc394d JL	408	free (free_pbytes);
c3266dc0 UD	409	return buffer;
	410	}
	411
	412	#ifndef _LIBC
	413	# define libc_freeres_ptr(decl) decl
	414	#endif
	415	libc_freeres_ptr (static char *buffer);
	416
	417	/* This entry point is equivalent to the `crypt' function in Unix
	418	libcs. */
	419	char *
	420	__sha512_crypt (const char key, const char salt)
	421	{
	422	/* We don't want to have an arbitrary limit in the size of the
	423	password. We can compute an upper bound for the size of the
	424	result in advance and so we can prepare the buffer we pass to
	425	`sha512_crypt_r'. */
	426	static int buflen;
	427	int needed = (sizeof (sha512_salt_prefix) - 1
	428	+ sizeof (sha512_rounds_prefix) + 9 + 1
	429	+ strlen (salt) + 1 + 86 + 1);
	430
	431	if (buflen < needed)
	432	{
	433	char new_buffer = (char ) realloc (buffer, needed);
	434	if (new_buffer == NULL)
	435	return NULL;
	436
	437	buffer = new_buffer;
	438	buflen = needed;
	439	}
	440
	441	return __sha512_crypt_r (key, salt, buffer, buflen);
	442	}
	443
	444	#ifndef _LIBC
	445	static void
	446	__attribute__ ((__destructor__))
	447	free_mem (void)
	448	{
	449	free (buffer);
	450	}
	451	#endif