1 /* One way encryption based on SHA512 sum.
2 Copyright (C) 2007, 2009 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
19
20 #include <assert.h>
21 #include <errno.h>
22 #include <stdbool.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/param.h>
26
27 #include "sha512.h"
28 #include "libcrypt.h"
29
30 /* Define our magic string to mark salt for SHA512 "encryption"
31 replacement. */
32 static const char sha512_salt_prefix[] = "$6$";
33
34 /* Prefix for optional rounds specification. */
35 static const char sha512_rounds_prefix[] = "rounds=";
36
37 /* Maximum salt string length. */
38 #define SALT_LEN_MAX 16
39 /* Default number of rounds if not explicitly specified. */
40 #define ROUNDS_DEFAULT 5000
41 /* Minimum number of rounds. */
42 #define ROUNDS_MIN 1000
43 /* Maximum number of rounds. */
44 #define ROUNDS_MAX 999999999
45
46 /* Table with characters for base64 transformation. */
47 static const char b64t[64] =
48 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
49
50 #define B64_FROM_24BIT(b2, b1, b0, steps) \
51 { \
52 int n = (steps); \
53 unsigned int w = ((b2) << 16) | ((b1) << 8) | (b0); \
54 while (n-- > 0 && buflen > 0) \
55 { \
56 *cp++ = b64t[w & 0x3f]; \
57 --buflen; \
58 w >>= 6; \
59 } \
60 }
61
62 char *
__sha512_crypt_r(const char * key,const char * salt,char * buffer,int buflen)63 __sha512_crypt_r (const char *key,
64 const char *salt,
65 char *buffer,
66 int buflen)
67 {
68 unsigned char alt_result[64]
69 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
70 unsigned char temp_result[64]
71 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
72 size_t salt_len;
73 size_t key_len;
74 size_t cnt;
75 char *cp;
76 char *copied_key = NULL;
77 char *copied_salt = NULL;
78 char *p_bytes;
79 char *s_bytes;
80 /* Default number of rounds. */
81 size_t rounds = ROUNDS_DEFAULT;
82 bool rounds_custom = false;
83
84 /* Find beginning of salt string. The prefix should normally always
85 be present. Just in case it is not. */
86 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
87 /* Skip salt prefix. */
88 salt += sizeof (sha512_salt_prefix) - 1;
89
90 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
91 == 0)
92 {
93 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
94 char *endp;
95 unsigned long int srounds = strtoul (num, &endp, 10);
96 if (*endp == '$')
97 {
98 salt = endp + 1;
99 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
100 rounds_custom = true;
101 }
102 }
103
104 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
105 key_len = strlen (key);
106
107 if ((uintptr_t)key % __alignof__ (uint64_t) != 0)
108 {
109 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
110 key = copied_key =
111 memcpy (tmp + __alignof__ (uint64_t)
112 - (uintptr_t)tmp % __alignof__ (uint64_t),
113 key, key_len);
114 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
115 }
116
117 if ((uintptr_t)salt % __alignof__ (uint64_t) != 0)
118 {
119 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
120 salt = copied_salt =
121 memcpy (tmp + __alignof__ (uint64_t)
122 - (uintptr_t)tmp % __alignof__ (uint64_t),
123 salt, salt_len);
124 assert ((uintptr_t)salt % __alignof__ (uint64_t) == 0);
125 }
126
127 struct sha512_ctx ctx;
128 struct sha512_ctx alt_ctx;
129
130 /* Prepare for the real work. */
131 __sha512_init_ctx (&ctx);
132
133 /* Add the key string. */
134 __sha512_process_bytes (key, key_len, &ctx);
135
136 /* The last part is the salt string. This must be at most 16
137 characters and it ends at the first `$' character. */
138 __sha512_process_bytes (salt, salt_len, &ctx);
139
140
141 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
142 final result will be added to the first context. */
143 __sha512_init_ctx (&alt_ctx);
144
145 /* Add key. */
146 __sha512_process_bytes (key, key_len, &alt_ctx);
147
148 /* Add salt. */
149 __sha512_process_bytes (salt, salt_len, &alt_ctx);
150
151 /* Add key again. */
152 __sha512_process_bytes (key, key_len, &alt_ctx);
153
154 /* Now get result of this (64 bytes) and add it to the other
155 context. */
156 __sha512_finish_ctx (&alt_ctx, alt_result);
157
158 /* Add for any character in the key one byte of the alternate sum. */
159 for (cnt = key_len; cnt > 64; cnt -= 64)
160 __sha512_process_bytes (alt_result, 64, &ctx);
161
162 __sha512_process_bytes (alt_result, cnt, &ctx);
163
164 /* Take the binary representation of the length of the key and for every
165 1 add the alternate sum, for every 0 the key. */
166 for (cnt = key_len; cnt > 0; cnt >>= 1)
167 if ((cnt & 1) != 0)
168 __sha512_process_bytes (alt_result, 64, &ctx);
169 else
170 __sha512_process_bytes (key, key_len, &ctx);
171
172 /* Create intermediate result. */
173 __sha512_finish_ctx (&ctx, alt_result);
174
175 /* Start computation of P byte sequence. */
176 __sha512_init_ctx (&alt_ctx);
177
178 /* For every character in the password add the entire password. */
179 for (cnt = 0; cnt < key_len; ++cnt)
180 __sha512_process_bytes (key, key_len, &alt_ctx);
181
182 /* Finish the digest. */
183 __sha512_finish_ctx (&alt_ctx, temp_result);
184
185 /* Create byte sequence P. */
186 cp = p_bytes = alloca (key_len);
187 for (cnt = key_len; cnt >= 64; cnt -= 64)
188 cp = mempcpy (cp, temp_result, 64);
189 memcpy (cp, temp_result, cnt);
190
191 /* Start computation of S byte sequence. */
192 __sha512_init_ctx (&alt_ctx);
193
194 /* For every character in the password add the entire password. */
195 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
196 __sha512_process_bytes (salt, salt_len, &alt_ctx);
197
198 /* Finish the digest. */
199 __sha512_finish_ctx (&alt_ctx, temp_result);
200
201 /* Create byte sequence S. */
202 cp = s_bytes = alloca (salt_len);
203 for (cnt = salt_len; cnt >= 64; cnt -= 64)
204 cp = mempcpy (cp, temp_result, 64);
205 memcpy (cp, temp_result, cnt);
206
207 /* Repeatedly run the collected hash value through SHA512 to burn
208 CPU cycles. */
209 for (cnt = 0; cnt < rounds; ++cnt)
210 {
211 /* New context. */
212 __sha512_init_ctx (&ctx);
213
214 /* Add key or last result. */
215 if ((cnt & 1) != 0)
216 __sha512_process_bytes (p_bytes, key_len, &ctx);
217 else
218 __sha512_process_bytes (alt_result, 64, &ctx);
219
220 /* Add salt for numbers not divisible by 3. */
221 if (cnt % 3 != 0)
222 __sha512_process_bytes (s_bytes, salt_len, &ctx);
223
224 /* Add key for numbers not divisible by 7. */
225 if (cnt % 7 != 0)
226 __sha512_process_bytes (p_bytes, key_len, &ctx);
227
228 /* Add key or last result. */
229 if ((cnt & 1) != 0)
230 __sha512_process_bytes (alt_result, 64, &ctx);
231 else
232 __sha512_process_bytes (p_bytes, key_len, &ctx);
233
234 /* Create intermediate result. */
235 __sha512_finish_ctx (&ctx, alt_result);
236 }
237
238 /* Now we can construct the result string. It consists of three
239 parts. */
240 cp = stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
241 buflen -= sizeof (sha512_salt_prefix) - 1;
242
243 if (rounds_custom)
244 {
245 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
246 sha512_rounds_prefix, rounds);
247 cp += n;
248 buflen -= n;
249 }
250
251 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
252 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
253
254 if (buflen > 0)
255 {
256 *cp++ = '$';
257 --buflen;
258 }
259
260 B64_FROM_24BIT (alt_result[0], alt_result[21], alt_result[42], 4);
261 B64_FROM_24BIT (alt_result[22], alt_result[43], alt_result[1], 4);
262 B64_FROM_24BIT (alt_result[44], alt_result[2], alt_result[23], 4);
263 B64_FROM_24BIT (alt_result[3], alt_result[24], alt_result[45], 4);
264 B64_FROM_24BIT (alt_result[25], alt_result[46], alt_result[4], 4);
265 B64_FROM_24BIT (alt_result[47], alt_result[5], alt_result[26], 4);
266 B64_FROM_24BIT (alt_result[6], alt_result[27], alt_result[48], 4);
267 B64_FROM_24BIT (alt_result[28], alt_result[49], alt_result[7], 4);
268 B64_FROM_24BIT (alt_result[50], alt_result[8], alt_result[29], 4);
269 B64_FROM_24BIT (alt_result[9], alt_result[30], alt_result[51], 4);
270 B64_FROM_24BIT (alt_result[31], alt_result[52], alt_result[10], 4);
271 B64_FROM_24BIT (alt_result[53], alt_result[11], alt_result[32], 4);
272 B64_FROM_24BIT (alt_result[12], alt_result[33], alt_result[54], 4);
273 B64_FROM_24BIT (alt_result[34], alt_result[55], alt_result[13], 4);
274 B64_FROM_24BIT (alt_result[56], alt_result[14], alt_result[35], 4);
275 B64_FROM_24BIT (alt_result[15], alt_result[36], alt_result[57], 4);
276 B64_FROM_24BIT (alt_result[37], alt_result[58], alt_result[16], 4);
277 B64_FROM_24BIT (alt_result[59], alt_result[17], alt_result[38], 4);
278 B64_FROM_24BIT (alt_result[18], alt_result[39], alt_result[60], 4);
279 B64_FROM_24BIT (alt_result[40], alt_result[61], alt_result[19], 4);
280 B64_FROM_24BIT (alt_result[62], alt_result[20], alt_result[41], 4);
281 B64_FROM_24BIT (0, 0, alt_result[63], 2);
282
283 if (buflen <= 0)
284 {
285 __set_errno (ERANGE);
286 buffer = NULL;
287 }
288 else
289 *cp = '\0'; /* Terminate the string. */
290
291 /* Clear the buffer for the intermediate result so that people
292 attaching to processes or reading core dumps cannot get any
293 information. We do it in this way to clear correct_words[]
294 inside the SHA512 implementation as well. */
295 __sha512_init_ctx (&ctx);
296 __sha512_finish_ctx (&ctx, alt_result);
297 memset (&ctx, '\0', sizeof (ctx));
298 memset (&alt_ctx, '\0', sizeof (alt_ctx));
299
300 memset (temp_result, '\0', sizeof (temp_result));
301 memset (p_bytes, '\0', key_len);
302 memset (s_bytes, '\0', salt_len);
303 if (copied_key != NULL)
304 memset (copied_key, '\0', key_len);
305 if (copied_salt != NULL)
306 memset (copied_salt, '\0', salt_len);
307
308 return buffer;
309 }
310
311 static char *buffer;
312
313 /* This entry point is equivalent to the `crypt' function in Unix
314 libcs. */
315 char *
__sha512_crypt(const unsigned char * key,const unsigned char * salt)316 __sha512_crypt (const unsigned char *key, const unsigned char *salt)
317 {
318 /* We don't want to have an arbitrary limit in the size of the
319 password. We can compute an upper bound for the size of the
320 result in advance and so we can prepare the buffer we pass to
321 `sha512_crypt_r'. */
322 static int buflen;
323 int needed = (sizeof (sha512_salt_prefix) - 1
324 + sizeof (sha512_rounds_prefix) + 9 + 1
325 + strlen (salt) + 1 + 86 + 1);
326
327 if (buflen < needed)
328 {
329 char *new_buffer = (char *) realloc (buffer, needed);
330 if (new_buffer == NULL)
331 return NULL;
332
333 buffer = new_buffer;
334 buflen = needed;
335 }
336
337 return __sha512_crypt_r ((const char *) key, (const char *) salt, buffer, buflen);
338 }
339