1 /* One way encryption based on SHA256 sum.
2 Copyright (C) 2007, 2009 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
25 #include <sys/param.h>
33 # include <nsslowhash.h>
35 # define sha256_init_ctx(ctxp, nss_ctxp) \
38 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
41 if (nss_ctx != NULL) \
42 NSSLOWHASH_Destroy (nss_ctx); \
43 if (nss_alt_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_alt_ctx); \
47 NSSLOWHASH_Begin (nss_ctxp); \
51 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
52 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
54 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
58 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
59 assert (ret == sizeof (result)); \
60 NSSLOWHASH_Destroy (nss_ctxp); \
65 # define sha256_init_ctx(ctxp, nss_ctxp) \
66 __sha256_init_ctx (ctxp)
68 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
69 __sha256_process_bytes(buf, len, ctxp)
71 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
72 __sha256_finish_ctx (ctxp, result)
76 /* Define our magic string to mark salt for SHA256 "encryption"
78 static const char sha256_salt_prefix
[] = "$5$";
80 /* Prefix for optional rounds specification. */
81 static const char sha256_rounds_prefix
[] = "rounds=";
83 /* Maximum salt string length. */
84 #define SALT_LEN_MAX 16
85 /* Default number of rounds if not explicitly specified. */
86 #define ROUNDS_DEFAULT 5000
87 /* Minimum number of rounds. */
88 #define ROUNDS_MIN 1000
89 /* Maximum number of rounds. */
90 #define ROUNDS_MAX 999999999
92 /* Table with characters for base64 transformation. */
93 static const char b64t
[64] =
94 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
97 /* Prototypes for local functions. */
98 extern char *__sha256_crypt_r (const char *key
, const char *salt
,
99 char *buffer
, int buflen
);
100 extern char *__sha256_crypt (const char *key
, const char *salt
);
104 __sha256_crypt_r (key
, salt
, buffer
, buflen
)
110 unsigned char alt_result
[32]
111 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
112 unsigned char temp_result
[32]
113 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
118 char *copied_key
= NULL
;
119 char *copied_salt
= NULL
;
122 /* Default number of rounds. */
123 size_t rounds
= ROUNDS_DEFAULT
;
124 bool rounds_custom
= false;
126 /* Find beginning of salt string. The prefix should normally always
127 be present. Just in case it is not. */
128 if (strncmp (sha256_salt_prefix
, salt
, sizeof (sha256_salt_prefix
) - 1) == 0)
129 /* Skip salt prefix. */
130 salt
+= sizeof (sha256_salt_prefix
) - 1;
132 if (strncmp (salt
, sha256_rounds_prefix
, sizeof (sha256_rounds_prefix
) - 1)
135 const char *num
= salt
+ sizeof (sha256_rounds_prefix
) - 1;
137 unsigned long int srounds
= strtoul (num
, &endp
, 10);
141 rounds
= MAX (ROUNDS_MIN
, MIN (srounds
, ROUNDS_MAX
));
142 rounds_custom
= true;
146 salt_len
= MIN (strcspn (salt
, "$"), SALT_LEN_MAX
);
147 key_len
= strlen (key
);
149 if ((key
- (char *) 0) % __alignof__ (uint32_t) != 0)
151 char *tmp
= (char *) alloca (key_len
+ __alignof__ (uint32_t));
153 memcpy (tmp
+ __alignof__ (uint32_t)
154 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
156 assert ((key
- (char *) 0) % __alignof__ (uint32_t) == 0);
159 if ((salt
- (char *) 0) % __alignof__ (uint32_t) != 0)
161 char *tmp
= (char *) alloca (salt_len
+ __alignof__ (uint32_t));
163 memcpy (tmp
+ __alignof__ (uint32_t)
164 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
166 assert ((salt
- (char *) 0) % __alignof__ (uint32_t) == 0);
170 /* Initialize libfreebl3. */
171 NSSLOWInitContext
*nss_ictx
= NSSLOW_Init ();
172 if (nss_ictx
== NULL
)
174 NSSLOWHASHContext
*nss_ctx
= NULL
;
175 NSSLOWHASHContext
*nss_alt_ctx
= NULL
;
177 struct sha256_ctx ctx
;
178 struct sha256_ctx alt_ctx
;
181 /* Prepare for the real work. */
182 sha256_init_ctx (&ctx
, nss_ctx
);
184 /* Add the key string. */
185 sha256_process_bytes (key
, key_len
, &ctx
, nss_ctx
);
187 /* The last part is the salt string. This must be at most 16
188 characters and it ends at the first `$' character. */
189 sha256_process_bytes (salt
, salt_len
, &ctx
, nss_ctx
);
192 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
193 final result will be added to the first context. */
194 sha256_init_ctx (&alt_ctx
, nss_alt_ctx
);
197 sha256_process_bytes (key
, key_len
, &alt_ctx
, nss_alt_ctx
);
200 sha256_process_bytes (salt
, salt_len
, &alt_ctx
, nss_alt_ctx
);
203 sha256_process_bytes (key
, key_len
, &alt_ctx
, nss_alt_ctx
);
205 /* Now get result of this (32 bytes) and add it to the other
207 sha256_finish_ctx (&alt_ctx
, nss_alt_ctx
, alt_result
);
209 /* Add for any character in the key one byte of the alternate sum. */
210 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
211 sha256_process_bytes (alt_result
, 32, &ctx
, nss_ctx
);
212 sha256_process_bytes (alt_result
, cnt
, &ctx
, nss_ctx
);
214 /* Take the binary representation of the length of the key and for every
215 1 add the alternate sum, for every 0 the key. */
216 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
218 sha256_process_bytes (alt_result
, 32, &ctx
, nss_ctx
);
220 sha256_process_bytes (key
, key_len
, &ctx
, nss_ctx
);
222 /* Create intermediate result. */
223 sha256_finish_ctx (&ctx
, nss_ctx
, alt_result
);
225 /* Start computation of P byte sequence. */
226 sha256_init_ctx (&alt_ctx
, nss_alt_ctx
);
228 /* For every character in the password add the entire password. */
229 for (cnt
= 0; cnt
< key_len
; ++cnt
)
230 sha256_process_bytes (key
, key_len
, &alt_ctx
, nss_alt_ctx
);
232 /* Finish the digest. */
233 sha256_finish_ctx (&alt_ctx
, nss_alt_ctx
, temp_result
);
235 /* Create byte sequence P. */
236 cp
= p_bytes
= alloca (key_len
);
237 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
238 cp
= mempcpy (cp
, temp_result
, 32);
239 memcpy (cp
, temp_result
, cnt
);
241 /* Start computation of S byte sequence. */
242 sha256_init_ctx (&alt_ctx
, nss_alt_ctx
);
244 /* For every character in the password add the entire password. */
245 for (cnt
= 0; cnt
< 16 + alt_result
[0]; ++cnt
)
246 sha256_process_bytes (salt
, salt_len
, &alt_ctx
, nss_alt_ctx
);
248 /* Finish the digest. */
249 sha256_finish_ctx (&alt_ctx
, nss_alt_ctx
, temp_result
);
251 /* Create byte sequence S. */
252 cp
= s_bytes
= alloca (salt_len
);
253 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
254 cp
= mempcpy (cp
, temp_result
, 32);
255 memcpy (cp
, temp_result
, cnt
);
257 /* Repeatedly run the collected hash value through SHA256 to burn
259 for (cnt
= 0; cnt
< rounds
; ++cnt
)
262 sha256_init_ctx (&ctx
, nss_ctx
);
264 /* Add key or last result. */
266 sha256_process_bytes (p_bytes
, key_len
, &ctx
, nss_ctx
);
268 sha256_process_bytes (alt_result
, 32, &ctx
, nss_ctx
);
270 /* Add salt for numbers not divisible by 3. */
272 sha256_process_bytes (s_bytes
, salt_len
, &ctx
, nss_ctx
);
274 /* Add key for numbers not divisible by 7. */
276 sha256_process_bytes (p_bytes
, key_len
, &ctx
, nss_ctx
);
278 /* Add key or last result. */
280 sha256_process_bytes (alt_result
, 32, &ctx
, nss_ctx
);
282 sha256_process_bytes (p_bytes
, key_len
, &ctx
, nss_ctx
);
284 /* Create intermediate result. */
285 sha256_finish_ctx (&ctx
, nss_ctx
, alt_result
);
289 /* Free libfreebl3 resources. */
290 NSSLOW_Shutdown (nss_ictx
);
293 /* Now we can construct the result string. It consists of three
295 cp
= __stpncpy (buffer
, sha256_salt_prefix
, MAX (0, buflen
));
296 buflen
-= sizeof (sha256_salt_prefix
) - 1;
300 int n
= snprintf (cp
, MAX (0, buflen
), "%s%zu$",
301 sha256_rounds_prefix
, rounds
);
306 cp
= __stpncpy (cp
, salt
, MIN ((size_t) MAX (0, buflen
), salt_len
));
307 buflen
-= MIN ((size_t) MAX (0, buflen
), salt_len
);
315 void b64_from_24bit (unsigned int b2
, unsigned int b1
, unsigned int b0
,
318 unsigned int w
= (b2
<< 16) | (b1
<< 8) | b0
;
319 while (n
-- > 0 && buflen
> 0)
321 *cp
++ = b64t
[w
& 0x3f];
327 b64_from_24bit (alt_result
[0], alt_result
[10], alt_result
[20], 4);
328 b64_from_24bit (alt_result
[21], alt_result
[1], alt_result
[11], 4);
329 b64_from_24bit (alt_result
[12], alt_result
[22], alt_result
[2], 4);
330 b64_from_24bit (alt_result
[3], alt_result
[13], alt_result
[23], 4);
331 b64_from_24bit (alt_result
[24], alt_result
[4], alt_result
[14], 4);
332 b64_from_24bit (alt_result
[15], alt_result
[25], alt_result
[5], 4);
333 b64_from_24bit (alt_result
[6], alt_result
[16], alt_result
[26], 4);
334 b64_from_24bit (alt_result
[27], alt_result
[7], alt_result
[17], 4);
335 b64_from_24bit (alt_result
[18], alt_result
[28], alt_result
[8], 4);
336 b64_from_24bit (alt_result
[9], alt_result
[19], alt_result
[29], 4);
337 b64_from_24bit (0, alt_result
[31], alt_result
[30], 3);
340 __set_errno (ERANGE
);
344 *cp
= '\0'; /* Terminate the string. */
346 /* Clear the buffer for the intermediate result so that people
347 attaching to processes or reading core dumps cannot get any
348 information. We do it in this way to clear correct_words[]
349 inside the SHA256 implementation as well. */
351 __sha256_init_ctx (&ctx
);
352 __sha256_finish_ctx (&ctx
, alt_result
);
353 memset (&ctx
, '\0', sizeof (ctx
));
354 memset (&alt_ctx
, '\0', sizeof (alt_ctx
));
356 memset (temp_result
, '\0', sizeof (temp_result
));
357 memset (p_bytes
, '\0', key_len
);
358 memset (s_bytes
, '\0', salt_len
);
359 if (copied_key
!= NULL
)
360 memset (copied_key
, '\0', key_len
);
361 if (copied_salt
!= NULL
)
362 memset (copied_salt
, '\0', salt_len
);
368 # define libc_freeres_ptr(decl) decl
370 libc_freeres_ptr (static char *buffer
);
372 /* This entry point is equivalent to the `crypt' function in Unix
375 __sha256_crypt (const char *key
, const char *salt
)
377 /* We don't want to have an arbitrary limit in the size of the
378 password. We can compute an upper bound for the size of the
379 result in advance and so we can prepare the buffer we pass to
382 int needed
= (sizeof (sha256_salt_prefix
) - 1
383 + sizeof (sha256_rounds_prefix
) + 9 + 1
384 + strlen (salt
) + 1 + 43 + 1);
388 char *new_buffer
= (char *) realloc (buffer
, needed
);
389 if (new_buffer
== NULL
)
396 return __sha256_crypt_r (key
, salt
, buffer
, buflen
);
401 __attribute__ ((__destructor__
))