search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Replace crtendS.o with crtend.o for static link
[glibc.git] / crypt / sha256-crypt.c
blob440933ac015ab2f6b92b242f8d64f80eeeb7ea41
1 /* One way encryption based on SHA256 sum.
2 Copyright (C) 2007, 2009, 2012 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
19
20 #include <assert.h>
21 #include <errno.h>
22 #include <stdbool.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/param.h>
26
27 #include "sha256.h"
28
29
30 #ifdef USE_NSS
31 typedef int PRBool;
32 # include <hasht.h>
33 # include <nsslowhash.h>
34
35 # define sha256_init_ctx(ctxp, nss_ctxp) \
36 do \
37 { \
38 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
39 == NULL)) \
40 { \
41 if (nss_ctx != NULL) \
42 NSSLOWHASH_Destroy (nss_ctx); \
43 if (nss_alt_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_alt_ctx); \
45 return NULL; \
46 } \
47 NSSLOWHASH_Begin (nss_ctxp); \
48 } \
49 while (0)
50
51 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
52 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
53
54 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
55 do \
56 { \
57 unsigned int ret; \
58 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
59 assert (ret == sizeof (result)); \
60 NSSLOWHASH_Destroy (nss_ctxp); \
61 nss_ctxp = NULL; \
62 } \
63 while (0)
64 #else
65 # define sha256_init_ctx(ctxp, nss_ctxp) \
66 __sha256_init_ctx (ctxp)
67
68 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
69 __sha256_process_bytes(buf, len, ctxp)
70
71 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
72 __sha256_finish_ctx (ctxp, result)
73 #endif
74
75
76 /* Define our magic string to mark salt for SHA256 "encryption"
77 replacement. */
78 static const char sha256_salt_prefix[] = "$5$";
79
80 /* Prefix for optional rounds specification. */
81 static const char sha256_rounds_prefix[] = "rounds=";
82
83 /* Maximum salt string length. */
84 #define SALT_LEN_MAX 16
85 /* Default number of rounds if not explicitly specified. */
86 #define ROUNDS_DEFAULT 5000
87 /* Minimum number of rounds. */
88 #define ROUNDS_MIN 1000
89 /* Maximum number of rounds. */
90 #define ROUNDS_MAX 999999999
91
92 /* Table with characters for base64 transformation. */
93 static const char b64t[64] =
94 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
95
96
97 /* Prototypes for local functions. */
98 extern char *__sha256_crypt_r (const char *key, const char *salt,
99 char *buffer, int buflen);
100 extern char *__sha256_crypt (const char *key, const char *salt);
101
102
103 char *
104 __sha256_crypt_r (key, salt, buffer, buflen)
105 const char *key;
106 const char *salt;
107 char *buffer;
108 int buflen;
109 {
110 unsigned char alt_result[32]
111 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
112 unsigned char temp_result[32]
113 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
114 size_t salt_len;
115 size_t key_len;
116 size_t cnt;
117 char *cp;
118 char *copied_key = NULL;
119 char *copied_salt = NULL;
120 char *p_bytes;
121 char *s_bytes;
122 /* Default number of rounds. */
123 size_t rounds = ROUNDS_DEFAULT;
124 bool rounds_custom = false;
125 size_t alloca_used = 0;
126 char *free_key = NULL;
127 char *free_pbytes = NULL;
128
129 /* Find beginning of salt string. The prefix should normally always
130 be present. Just in case it is not. */
131 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
132 /* Skip salt prefix. */
133 salt += sizeof (sha256_salt_prefix) - 1;
134
135 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
136 == 0)
137 {
138 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
139 char *endp;
140 unsigned long int srounds = strtoul (num, &endp, 10);
141 if (*endp == '$')
142 {
143 salt = endp + 1;
144 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
145 rounds_custom = true;
146 }
147 }
148
149 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
150 key_len = strlen (key);
151
152 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
153 {
154 char *tmp;
155
156 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
157 tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
158 else
159 {
160 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
161 if (tmp == NULL)
162 return NULL;
163 }
164
165 key = copied_key =
166 memcpy (tmp + __alignof__ (uint32_t)
167 - (tmp - (char *) 0) % __alignof__ (uint32_t),
168 key, key_len);
169 assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
170 }
171
172 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
173 {
174 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
175 alloca_used += salt_len + __alignof__ (uint32_t);
176 salt = copied_salt =
177 memcpy (tmp + __alignof__ (uint32_t)
178 - (tmp - (char *) 0) % __alignof__ (uint32_t),
179 salt, salt_len);
180 assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
181 }
182
183 #ifdef USE_NSS
184 /* Initialize libfreebl3. */
185 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
186 if (nss_ictx == NULL)
187 {
188 free (free_key);
189 return NULL;
190 }
191 NSSLOWHASHContext *nss_ctx = NULL;
192 NSSLOWHASHContext *nss_alt_ctx = NULL;
193 #else
194 struct sha256_ctx ctx;
195 struct sha256_ctx alt_ctx;
196 #endif
197
198 /* Prepare for the real work. */
199 sha256_init_ctx (&ctx, nss_ctx);
200
201 /* Add the key string. */
202 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
203
204 /* The last part is the salt string. This must be at most 16
205 characters and it ends at the first `$' character. */
206 sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
207
208
209 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
210 final result will be added to the first context. */
211 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
212
213 /* Add key. */
214 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
215
216 /* Add salt. */
217 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
218
219 /* Add key again. */
220 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
221
222 /* Now get result of this (32 bytes) and add it to the other
223 context. */
224 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
225
226 /* Add for any character in the key one byte of the alternate sum. */
227 for (cnt = key_len; cnt > 32; cnt -= 32)
228 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
229 sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
230
231 /* Take the binary representation of the length of the key and for every
232 1 add the alternate sum, for every 0 the key. */
233 for (cnt = key_len; cnt > 0; cnt >>= 1)
234 if ((cnt & 1) != 0)
235 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
236 else
237 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
238
239 /* Create intermediate result. */
240 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
241
242 /* Start computation of P byte sequence. */
243 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
244
245 /* For every character in the password add the entire password. */
246 for (cnt = 0; cnt < key_len; ++cnt)
247 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
248
249 /* Finish the digest. */
250 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
251
252 /* Create byte sequence P. */
253 if (__libc_use_alloca (alloca_used + key_len))
254 cp = p_bytes = (char *) alloca (key_len);
255 else
256 {
257 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
258 if (free_pbytes == NULL)
259 {
260 free (free_key);
261 return NULL;
262 }
263 }
264
265 for (cnt = key_len; cnt >= 32; cnt -= 32)
266 cp = mempcpy (cp, temp_result, 32);
267 memcpy (cp, temp_result, cnt);
268
269 /* Start computation of S byte sequence. */
270 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
271
272 /* For every character in the password add the entire password. */
273 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
274 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
275
276 /* Finish the digest. */
277 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
278
279 /* Create byte sequence S. */
280 cp = s_bytes = alloca (salt_len);
281 for (cnt = salt_len; cnt >= 32; cnt -= 32)
282 cp = mempcpy (cp, temp_result, 32);
283 memcpy (cp, temp_result, cnt);
284
285 /* Repeatedly run the collected hash value through SHA256 to burn
286 CPU cycles. */
287 for (cnt = 0; cnt < rounds; ++cnt)
288 {
289 /* New context. */
290 sha256_init_ctx (&ctx, nss_ctx);
291
292 /* Add key or last result. */
293 if ((cnt & 1) != 0)
294 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
295 else
296 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
297
298 /* Add salt for numbers not divisible by 3. */
299 if (cnt % 3 != 0)
300 sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
301
302 /* Add key for numbers not divisible by 7. */
303 if (cnt % 7 != 0)
304 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
305
306 /* Add key or last result. */
307 if ((cnt & 1) != 0)
308 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
309 else
310 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
311
312 /* Create intermediate result. */
313 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
314 }
315
316 #ifdef USE_NSS
317 /* Free libfreebl3 resources. */
318 NSSLOW_Shutdown (nss_ictx);
319 #endif
320
321 /* Now we can construct the result string. It consists of three
322 parts. */
323 cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
324 buflen -= sizeof (sha256_salt_prefix) - 1;
325
326 if (rounds_custom)
327 {
328 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
329 sha256_rounds_prefix, rounds);
330 cp += n;
331 buflen -= n;
332 }
333
334 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
335 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
336
337 if (buflen > 0)
338 {
339 *cp++ = '$';
340 --buflen;
341 }
342
343 void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
344 int n)
345 {
346 unsigned int w = (b2 << 16) | (b1 << 8) | b0;
347 while (n-- > 0 && buflen > 0)
348 {
349 *cp++ = b64t[w & 0x3f];
350 --buflen;
351 w >>= 6;
352 }
353 }
354
355 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
356 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
357 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
358 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
359 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
360 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
361 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
362 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
363 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
364 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
365 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
366 if (buflen <= 0)
367 {
368 __set_errno (ERANGE);
369 buffer = NULL;
370 }
371 else
372 *cp = '\0'; /* Terminate the string. */
373
374 /* Clear the buffer for the intermediate result so that people
375 attaching to processes or reading core dumps cannot get any
376 information. We do it in this way to clear correct_words[]
377 inside the SHA256 implementation as well. */
378 #ifndef USE_NSS
379 __sha256_init_ctx (&ctx);
380 __sha256_finish_ctx (&ctx, alt_result);
381 memset (&ctx, '\0', sizeof (ctx));
382 memset (&alt_ctx, '\0', sizeof (alt_ctx));
383 #endif
384 memset (temp_result, '\0', sizeof (temp_result));
385 memset (p_bytes, '\0', key_len);
386 memset (s_bytes, '\0', salt_len);
387 if (copied_key != NULL)
388 memset (copied_key, '\0', key_len);
389 if (copied_salt != NULL)
390 memset (copied_salt, '\0', salt_len);
391
392 free (free_key);
393 free (free_pbytes);
394 return buffer;
395 }
396
397 #ifndef _LIBC
398 # define libc_freeres_ptr(decl) decl
399 #endif
400 libc_freeres_ptr (static char *buffer);
401
402 /* This entry point is equivalent to the `crypt' function in Unix
403 libcs. */
404 char *
405 __sha256_crypt (const char *key, const char *salt)
406 {
407 /* We don't want to have an arbitrary limit in the size of the
408 password. We can compute an upper bound for the size of the
409 result in advance and so we can prepare the buffer we pass to
410 `sha256_crypt_r'. */
411 static int buflen;
412 int needed = (sizeof (sha256_salt_prefix) - 1
413 + sizeof (sha256_rounds_prefix) + 9 + 1
414 + strlen (salt) + 1 + 43 + 1);
415
416 if (buflen < needed)
417 {
418 char *new_buffer = (char *) realloc (buffer, needed);
419 if (new_buffer == NULL)
420 return NULL;
421
422 buffer = new_buffer;
423 buflen = needed;
424 }
425
426 return __sha256_crypt_r (key, salt, buffer, buflen);
427 }
428
429 #ifndef _LIBC
430 static void
431 __attribute__ ((__destructor__))
432 free_mem (void)
433 {
434 free (buffer);
435 }
436 #endif
sources.redhat.com git mirror of glibc CVS