search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Don't pad code segments out to 64k any more
[glibc/nacl-glibc.git] / crypt / sha512-crypt.c
blobea96e525fb9f8d8c7552ab645211cd9ca6170882
1 /* One way encryption based on SHA512 sum.
2 Copyright (C) 2007 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 02111-1307 USA. */
20
21 #include <assert.h>
22 #include <errno.h>
23 #include <stdbool.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <sys/param.h>
27
28 #include "sha512.h"
29
30
31 /* Define our magic string to mark salt for SHA512 "encryption"
32 replacement. */
33 static const char sha512_salt_prefix[] = "$6$";
34
35 /* Prefix for optional rounds specification. */
36 static const char sha512_rounds_prefix[] = "rounds=";
37
38 /* Maximum salt string length. */
39 #define SALT_LEN_MAX 16
40 /* Default number of rounds if not explicitly specified. */
41 #define ROUNDS_DEFAULT 5000
42 /* Minimum number of rounds. */
43 #define ROUNDS_MIN 1000
44 /* Maximum number of rounds. */
45 #define ROUNDS_MAX 999999999
46
47 /* Table with characters for base64 transformation. */
48 static const char b64t[64] =
49 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
50
51
52 /* Prototypes for local functions. */
53 extern char *__sha512_crypt_r (const char *key, const char *salt,
54 char *buffer, int buflen);
55 extern char *__sha512_crypt (const char *key, const char *salt);
56
57
58 char *
59 __sha512_crypt_r (key, salt, buffer, buflen)
60 const char *key;
61 const char *salt;
62 char *buffer;
63 int buflen;
64 {
65 unsigned char alt_result[64]
66 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
67 unsigned char temp_result[64]
68 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
69 struct sha512_ctx ctx;
70 struct sha512_ctx alt_ctx;
71 size_t salt_len;
72 size_t key_len;
73 size_t cnt;
74 char *cp;
75 char *copied_key = NULL;
76 char *copied_salt = NULL;
77 char *p_bytes;
78 char *s_bytes;
79 /* Default number of rounds. */
80 size_t rounds = ROUNDS_DEFAULT;
81 bool rounds_custom = false;
82
83 /* Find beginning of salt string. The prefix should normally always
84 be present. Just in case it is not. */
85 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
86 /* Skip salt prefix. */
87 salt += sizeof (sha512_salt_prefix) - 1;
88
89 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
90 == 0)
91 {
92 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
93 char *endp;
94 unsigned long int srounds = strtoul (num, &endp, 10);
95 if (*endp == '$')
96 {
97 salt = endp + 1;
98 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
99 rounds_custom = true;
100 }
101 }
102
103 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
104 key_len = strlen (key);
105
106 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
107 {
108 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
109 key = copied_key =
110 memcpy (tmp + __alignof__ (uint64_t)
111 - (tmp - (char *) 0) % __alignof__ (uint64_t),
112 key, key_len);
113 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
114 }
115
116 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
117 {
118 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
119 salt = copied_salt =
120 memcpy (tmp + __alignof__ (uint64_t)
121 - (tmp - (char *) 0) % __alignof__ (uint64_t),
122 salt, salt_len);
123 assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
124 }
125
126 /* Prepare for the real work. */
127 __sha512_init_ctx (&ctx);
128
129 /* Add the key string. */
130 __sha512_process_bytes (key, key_len, &ctx);
131
132 /* The last part is the salt string. This must be at most 16
133 characters and it ends at the first `$' character. */
134 __sha512_process_bytes (salt, salt_len, &ctx);
135
136
137 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
138 final result will be added to the first context. */
139 __sha512_init_ctx (&alt_ctx);
140
141 /* Add key. */
142 __sha512_process_bytes (key, key_len, &alt_ctx);
143
144 /* Add salt. */
145 __sha512_process_bytes (salt, salt_len, &alt_ctx);
146
147 /* Add key again. */
148 __sha512_process_bytes (key, key_len, &alt_ctx);
149
150 /* Now get result of this (64 bytes) and add it to the other
151 context. */
152 __sha512_finish_ctx (&alt_ctx, alt_result);
153
154 /* Add for any character in the key one byte of the alternate sum. */
155 for (cnt = key_len; cnt > 64; cnt -= 64)
156 __sha512_process_bytes (alt_result, 64, &ctx);
157 __sha512_process_bytes (alt_result, cnt, &ctx);
158
159 /* Take the binary representation of the length of the key and for every
160 1 add the alternate sum, for every 0 the key. */
161 for (cnt = key_len; cnt > 0; cnt >>= 1)
162 if ((cnt & 1) != 0)
163 __sha512_process_bytes (alt_result, 64, &ctx);
164 else
165 __sha512_process_bytes (key, key_len, &ctx);
166
167 /* Create intermediate result. */
168 __sha512_finish_ctx (&ctx, alt_result);
169
170 /* Start computation of P byte sequence. */
171 __sha512_init_ctx (&alt_ctx);
172
173 /* For every character in the password add the entire password. */
174 for (cnt = 0; cnt < key_len; ++cnt)
175 __sha512_process_bytes (key, key_len, &alt_ctx);
176
177 /* Finish the digest. */
178 __sha512_finish_ctx (&alt_ctx, temp_result);
179
180 /* Create byte sequence P. */
181 cp = p_bytes = alloca (key_len);
182 for (cnt = key_len; cnt >= 64; cnt -= 64)
183 cp = mempcpy (cp, temp_result, 64);
184 memcpy (cp, temp_result, cnt);
185
186 /* Start computation of S byte sequence. */
187 __sha512_init_ctx (&alt_ctx);
188
189 /* For every character in the password add the entire password. */
190 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
191 __sha512_process_bytes (salt, salt_len, &alt_ctx);
192
193 /* Finish the digest. */
194 __sha512_finish_ctx (&alt_ctx, temp_result);
195
196 /* Create byte sequence S. */
197 cp = s_bytes = alloca (salt_len);
198 for (cnt = salt_len; cnt >= 64; cnt -= 64)
199 cp = mempcpy (cp, temp_result, 64);
200 memcpy (cp, temp_result, cnt);
201
202 /* Repeatedly run the collected hash value through SHA512 to burn
203 CPU cycles. */
204 for (cnt = 0; cnt < rounds; ++cnt)
205 {
206 /* New context. */
207 __sha512_init_ctx (&ctx);
208
209 /* Add key or last result. */
210 if ((cnt & 1) != 0)
211 __sha512_process_bytes (p_bytes, key_len, &ctx);
212 else
213 __sha512_process_bytes (alt_result, 64, &ctx);
214
215 /* Add salt for numbers not divisible by 3. */
216 if (cnt % 3 != 0)
217 __sha512_process_bytes (s_bytes, salt_len, &ctx);
218
219 /* Add key for numbers not divisible by 7. */
220 if (cnt % 7 != 0)
221 __sha512_process_bytes (p_bytes, key_len, &ctx);
222
223 /* Add key or last result. */
224 if ((cnt & 1) != 0)
225 __sha512_process_bytes (alt_result, 64, &ctx);
226 else
227 __sha512_process_bytes (p_bytes, key_len, &ctx);
228
229 /* Create intermediate result. */
230 __sha512_finish_ctx (&ctx, alt_result);
231 }
232
233 /* Now we can construct the result string. It consists of three
234 parts. */
235 cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
236 buflen -= sizeof (sha512_salt_prefix) - 1;
237
238 if (rounds_custom)
239 {
240 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
241 sha512_rounds_prefix, rounds);
242 cp += n;
243 buflen -= n;
244 }
245
246 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
247 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
248
249 if (buflen > 0)
250 {
251 *cp++ = '$';
252 --buflen;
253 }
254
255 #define b64_from_24bit(B2, B1, B0, N) \
256 do { \
257 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
258 int n = (N); \
259 while (n-- > 0 && buflen > 0) \
260 { \
261 *cp++ = b64t[w & 0x3f]; \
262 --buflen; \
263 w >>= 6; \
264 } \
265 } while (0)
266
267 b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
268 b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
269 b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
270 b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
271 b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
272 b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
273 b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
274 b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
275 b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
276 b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
277 b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
278 b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
279 b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
280 b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
281 b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
282 b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
283 b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
284 b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
285 b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
286 b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
287 b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
288 b64_from_24bit (0, 0, alt_result[63], 2);
289
290 if (buflen <= 0)
291 {
292 __set_errno (ERANGE);
293 buffer = NULL;
294 }
295 else
296 *cp = '\0'; /* Terminate the string. */
297
298 /* Clear the buffer for the intermediate result so that people
299 attaching to processes or reading core dumps cannot get any
300 information. We do it in this way to clear correct_words[]
301 inside the SHA512 implementation as well. */
302 __sha512_init_ctx (&ctx);
303 __sha512_finish_ctx (&ctx, alt_result);
304 memset (temp_result, '\0', sizeof (temp_result));
305 memset (p_bytes, '\0', key_len);
306 memset (s_bytes, '\0', salt_len);
307 memset (&ctx, '\0', sizeof (ctx));
308 memset (&alt_ctx, '\0', sizeof (alt_ctx));
309 if (copied_key != NULL)
310 memset (copied_key, '\0', key_len);
311 if (copied_salt != NULL)
312 memset (copied_salt, '\0', salt_len);
313
314 return buffer;
315 }
316
317 #ifndef _LIBC
318 # define libc_freeres_ptr(decl) decl
319 #endif
320 libc_freeres_ptr (static char *buffer);
321
322 /* This entry point is equivalent to the `crypt' function in Unix
323 libcs. */
324 char *
325 __sha512_crypt (const char *key, const char *salt)
326 {
327 /* We don't want to have an arbitrary limit in the size of the
328 password. We can compute an upper bound for the size of the
329 result in advance and so we can prepare the buffer we pass to
330 `sha512_crypt_r'. */
331 static int buflen;
332 int needed = (sizeof (sha512_salt_prefix) - 1
333 + sizeof (sha512_rounds_prefix) + 9 + 1
334 + strlen (salt) + 1 + 86 + 1);
335
336 if (buflen < needed)
337 {
338 char *new_buffer = (char *) realloc (buffer, needed);
339 if (new_buffer == NULL)
340 return NULL;
341
342 buffer = new_buffer;
343 buflen = needed;
344 }
345
346 return __sha512_crypt_r (key, salt, buffer, buflen);
347 }
348
349 #ifndef _LIBC
350 static void
351 __attribute__ ((__destructor__))
352 free_mem (void)
353 {
354 free (buffer);
355 }
356 #endif
Port of glibc to Google Native Client (NaCl)