crypt/sha256-crypt.c

   1 /* One way encryption based on SHA256 sum.
   2    Copyright (C) 2007, 2009 Free Software Foundation, Inc.
   3    This file is part of the GNU C Library.
   4    Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
   5
   6    The GNU C Library is free software; you can redistribute it and/or
   7    modify it under the terms of the GNU Lesser General Public
   8    License as published by the Free Software Foundation; either
   9    version 2.1 of the License, or (at your option) any later version.
  10
  11    The GNU C Library is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14    Lesser General Public License for more details.
  15
  16    You should have received a copy of the GNU Lesser General Public
  17    License along with the GNU C Library; if not, see
  18    <http://www.gnu.org/licenses/>.  */
  19
  20 #include <assert.h>
  21 #include <errno.h>
  22 #include <stdbool.h>
  23 #include <stdlib.h>
  24 #include <string.h>
  25 #include <sys/param.h>
  26
  27 #include "sha256.h"
  28
  29
  30 #ifdef USE_NSS
  31 typedef int PRBool;
  32 # include <hasht.h>
  33 # include <nsslowhash.h>
  34
  35 # define sha256_init_ctx(ctxp, nss_ctxp) \
  36   do                                                                          \
  37     {                                                                         \
  38       if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256))      \
  39            == NULL))                                                          \
  40         {                                                                     \
  41           if (nss_ctx != NULL)                                                \
  42             NSSLOWHASH_Destroy (nss_ctx);                                     \
  43           if (nss_alt_ctx != NULL)                                            \
  44             NSSLOWHASH_Destroy (nss_alt_ctx);                                 \
  45           return NULL;                                                        \
  46         }                                                                     \
  47       NSSLOWHASH_Begin (nss_ctxp);                                            \
  48     }                                                                         \
  49   while (0)
  50
  51 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  52   NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
  53
  54 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  55   do                                                                          \
  56     {                                                                         \
  57       unsigned int ret;                                                       \
  58       NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));               \
  59       assert (ret == sizeof (result));                                        \
  60       NSSLOWHASH_Destroy (nss_ctxp);                                          \
  61       nss_ctxp = NULL;                                                        \
  62     }                                                                         \
  63   while (0)
  64 #else
  65 # define sha256_init_ctx(ctxp, nss_ctxp) \
  66   __sha256_init_ctx (ctxp)
  67
  68 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  69   __sha256_process_bytes(buf, len, ctxp)
  70
  71 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  72   __sha256_finish_ctx (ctxp, result)
  73 #endif
  74
  75
  76 /* Define our magic string to mark salt for SHA256 "encryption"
  77    replacement.  */
  78 static const char sha256_salt_prefix[] = "$5$";
  79
  80 /* Prefix for optional rounds specification.  */
  81 static const char sha256_rounds_prefix[] = "rounds=";
  82
  83 /* Maximum salt string length.  */
  84 #define SALT_LEN_MAX 16
  85 /* Default number of rounds if not explicitly specified.  */
  86 #define ROUNDS_DEFAULT 5000
  87 /* Minimum number of rounds.  */
  88 #define ROUNDS_MIN 1000
  89 /* Maximum number of rounds.  */
  90 #define ROUNDS_MAX 999999999
  91
  92 /* Table with characters for base64 transformation.  */
  93 static const char b64t[64] =
  94 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  95
  96
  97 /* Prototypes for local functions.  */
  98 extern char *__sha256_crypt_r (const char *key, const char *salt,
  99                                char *buffer, int buflen);
 100 extern char *__sha256_crypt (const char *key, const char *salt);
 101
 102
 103 char *
 104 __sha256_crypt_r (key, salt, buffer, buflen)
 105      const char *key;
 106      const char *salt;
 107      char *buffer;
 108      int buflen;
 109 {
 110   unsigned char alt_result[32]
 111     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 112   unsigned char temp_result[32]
 113     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 114   size_t salt_len;
 115   size_t key_len;
 116   size_t cnt;
 117   char *cp;
 118   char *copied_key = NULL;
 119   char *copied_salt = NULL;
 120   char *p_bytes;
 121   char *s_bytes;
 122   /* Default number of rounds.  */
 123   size_t rounds = ROUNDS_DEFAULT;
 124   bool rounds_custom = false;
 125
 126   /* Find beginning of salt string.  The prefix should normally always
 127      be present.  Just in case it is not.  */
 128   if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
 129     /* Skip salt prefix.  */
 130     salt += sizeof (sha256_salt_prefix) - 1;
 131
 132   if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
 133       == 0)
 134     {
 135       const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
 136       char *endp;
 137       unsigned long int srounds = strtoul (num, &endp, 10);
 138       if (*endp == '$')
 139         {
 140           salt = endp + 1;
 141           rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
 142           rounds_custom = true;
 143         }
 144     }
 145
 146   salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 147   key_len = strlen (key);
 148
 149   if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
 150     {
 151       char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
 152       key = copied_key =
 153         memcpy (tmp + __alignof__ (uint32_t)
 154                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 155                 key, key_len);
 156       assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
 157     }
 158
 159   if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
 160     {
 161       char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
 162       salt = copied_salt =
 163         memcpy (tmp + __alignof__ (uint32_t)
 164                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 165                 salt, salt_len);
 166       assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
 167     }
 168
 169 #ifdef USE_NSS
 170   /* Initialize libfreebl3.  */
 171   NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
 172   if (nss_ictx == NULL)
 173     return NULL;
 174   NSSLOWHASHContext *nss_ctx = NULL;
 175   NSSLOWHASHContext *nss_alt_ctx = NULL;
 176 #else
 177   struct sha256_ctx ctx;
 178   struct sha256_ctx alt_ctx;
 179 #endif
 180
 181   /* Prepare for the real work.  */
 182   sha256_init_ctx (&ctx, nss_ctx);
 183
 184   /* Add the key string.  */
 185   sha256_process_bytes (key, key_len, &ctx, nss_ctx);
 186
 187   /* The last part is the salt string.  This must be at most 16
 188      characters and it ends at the first `$' character.  */
 189   sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
 190
 191
 192   /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
 193      final result will be added to the first context.  */
 194   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 195
 196   /* Add key.  */
 197   sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 198
 199   /* Add salt.  */
 200   sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 201
 202   /* Add key again.  */
 203   sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 204
 205   /* Now get result of this (32 bytes) and add it to the other
 206      context.  */
 207   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
 208
 209   /* Add for any character in the key one byte of the alternate sum.  */
 210   for (cnt = key_len; cnt > 32; cnt -= 32)
 211     sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 212   sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
 213
 214   /* Take the binary representation of the length of the key and for every
 215      1 add the alternate sum, for every 0 the key.  */
 216   for (cnt = key_len; cnt > 0; cnt >>= 1)
 217     if ((cnt & 1) != 0)
 218       sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 219     else
 220       sha256_process_bytes (key, key_len, &ctx, nss_ctx);
 221
 222   /* Create intermediate result.  */
 223   sha256_finish_ctx (&ctx, nss_ctx, alt_result);
 224
 225   /* Start computation of P byte sequence.  */
 226   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 227
 228   /* For every character in the password add the entire password.  */
 229   for (cnt = 0; cnt < key_len; ++cnt)
 230     sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 231
 232   /* Finish the digest.  */
 233   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 234
 235   /* Create byte sequence P.  */
 236   cp = p_bytes = alloca (key_len);
 237   for (cnt = key_len; cnt >= 32; cnt -= 32)
 238     cp = mempcpy (cp, temp_result, 32);
 239   memcpy (cp, temp_result, cnt);
 240
 241   /* Start computation of S byte sequence.  */
 242   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 243
 244   /* For every character in the password add the entire password.  */
 245   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 246     sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 247
 248   /* Finish the digest.  */
 249   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 250
 251   /* Create byte sequence S.  */
 252   cp = s_bytes = alloca (salt_len);
 253   for (cnt = salt_len; cnt >= 32; cnt -= 32)
 254     cp = mempcpy (cp, temp_result, 32);
 255   memcpy (cp, temp_result, cnt);
 256
 257   /* Repeatedly run the collected hash value through SHA256 to burn
 258      CPU cycles.  */
 259   for (cnt = 0; cnt < rounds; ++cnt)
 260     {
 261       /* New context.  */
 262       sha256_init_ctx (&ctx, nss_ctx);
 263
 264       /* Add key or last result.  */
 265       if ((cnt & 1) != 0)
 266         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 267       else
 268         sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 269
 270       /* Add salt for numbers not divisible by 3.  */
 271       if (cnt % 3 != 0)
 272         sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
 273
 274       /* Add key for numbers not divisible by 7.  */
 275       if (cnt % 7 != 0)
 276         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 277
 278       /* Add key or last result.  */
 279       if ((cnt & 1) != 0)
 280         sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 281       else
 282         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 283
 284       /* Create intermediate result.  */
 285       sha256_finish_ctx (&ctx, nss_ctx, alt_result);
 286     }
 287
 288 #ifdef USE_NSS
 289   /* Free libfreebl3 resources. */
 290   NSSLOW_Shutdown (nss_ictx);
 291 #endif
 292
 293   /* Now we can construct the result string.  It consists of three
 294      parts.  */
 295   cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
 296   buflen -= sizeof (sha256_salt_prefix) - 1;
 297
 298   if (rounds_custom)
 299     {
 300       int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
 301                         sha256_rounds_prefix, rounds);
 302       cp += n;
 303       buflen -= n;
 304     }
 305
 306   cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 307   buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 308
 309   if (buflen > 0)
 310     {
 311       *cp++ = '$';
 312       --buflen;
 313     }
 314
 315   void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
 316                        int n)
 317   {
 318     unsigned int w = (b2 << 16) | (b1 << 8) | b0;
 319     while (n-- > 0 && buflen > 0)
 320       {
 321         *cp++ = b64t[w & 0x3f];
 322         --buflen;
 323         w >>= 6;
 324       }
 325   }
 326
 327   b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
 328   b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
 329   b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
 330   b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
 331   b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
 332   b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
 333   b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
 334   b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
 335   b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
 336   b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
 337   b64_from_24bit (0, alt_result[31], alt_result[30], 3);
 338   if (buflen <= 0)
 339     {
 340       __set_errno (ERANGE);
 341       buffer = NULL;
 342     }
 343   else
 344     *cp = '\0';         /* Terminate the string.  */
 345
 346   /* Clear the buffer for the intermediate result so that people
 347      attaching to processes or reading core dumps cannot get any
 348      information.  We do it in this way to clear correct_words[]
 349      inside the SHA256 implementation as well.  */
 350 #ifndef USE_NSS
 351   __sha256_init_ctx (&ctx);
 352   __sha256_finish_ctx (&ctx, alt_result);
 353   memset (&ctx, '\0', sizeof (ctx));
 354   memset (&alt_ctx, '\0', sizeof (alt_ctx));
 355 #endif
 356   memset (temp_result, '\0', sizeof (temp_result));
 357   memset (p_bytes, '\0', key_len);
 358   memset (s_bytes, '\0', salt_len);
 359   if (copied_key != NULL)
 360     memset (copied_key, '\0', key_len);
 361   if (copied_salt != NULL)
 362     memset (copied_salt, '\0', salt_len);
 363
 364   return buffer;
 365 }
 366
 367 #ifndef _LIBC
 368 # define libc_freeres_ptr(decl) decl
 369 #endif
 370 libc_freeres_ptr (static char *buffer);
 371
 372 /* This entry point is equivalent to the `crypt' function in Unix
 373    libcs.  */
 374 char *
 375 __sha256_crypt (const char *key, const char *salt)
 376 {
 377   /* We don't want to have an arbitrary limit in the size of the
 378      password.  We can compute an upper bound for the size of the
 379      result in advance and so we can prepare the buffer we pass to
 380      `sha256_crypt_r'.  */
 381   static int buflen;
 382   int needed = (sizeof (sha256_salt_prefix) - 1
 383                 + sizeof (sha256_rounds_prefix) + 9 + 1
 384                 + strlen (salt) + 1 + 43 + 1);
 385
 386   if (buflen < needed)
 387     {
 388       char *new_buffer = (char *) realloc (buffer, needed);
 389       if (new_buffer == NULL)
 390         return NULL;
 391
 392       buffer = new_buffer;
 393       buflen = needed;
 394     }
 395
 396   return __sha256_crypt_r (key, salt, buffer, buflen);
 397 }
 398
 399 #ifndef _LIBC
 400 static void
 401 __attribute__ ((__destructor__))
 402 free_mem (void)
 403 {
 404   free (buffer);
 405 }
 406 #endif