crypt/sha256-crypt.c

   1 /* One way encryption based on SHA256 sum.
   2    Copyright (C) 2007 Free Software Foundation, Inc.
   3    This file is part of the GNU C Library.
   4    Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
   5
   6    The GNU C Library is free software; you can redistribute it and/or
   7    modify it under the terms of the GNU Lesser General Public
   8    License as published by the Free Software Foundation; either
   9    version 2.1 of the License, or (at your option) any later version.
  10
  11    The GNU C Library is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14    Lesser General Public License for more details.
  15
  16    You should have received a copy of the GNU Lesser General Public
  17    License along with the GNU C Library; if not, write to the Free
  18    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  19    02111-1307 USA.  */
  20
  21 #include <assert.h>
  22 #include <errno.h>
  23 #include <stdbool.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <sys/param.h>
  27
  28 #include "sha256.h"
  29
  30
  31 /* Define our magic string to mark salt for SHA256 "encryption"
  32    replacement.  */
  33 static const char sha256_salt_prefix[] = "$5$";
  34
  35 /* Prefix for optional rounds specification.  */
  36 static const char sha256_rounds_prefix[] = "rounds=";
  37
  38 /* Maximum salt string length.  */
  39 #define SALT_LEN_MAX 16
  40 /* Default number of rounds if not explicitly specified.  */
  41 #define ROUNDS_DEFAULT 5000
  42 /* Minimum number of rounds.  */
  43 #define ROUNDS_MIN 1000
  44 /* Maximum number of rounds.  */
  45 #define ROUNDS_MAX 999999999
  46
  47 /* Table with characters for base64 transformation.  */
  48 static const char b64t[64] =
  49 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  50
  51
  52 /* Prototypes for local functions.  */
  53 extern char *__sha256_crypt_r (const char *key, const char *salt,
  54                                char *buffer, int buflen);
  55 extern char *__sha256_crypt (const char *key, const char *salt);
  56
  57
  58 char *
  59 __sha256_crypt_r (key, salt, buffer, buflen)
  60      const char *key;
  61      const char *salt;
  62      char *buffer;
  63      int buflen;
  64 {
  65   unsigned char alt_result[32]
  66     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
  67   unsigned char temp_result[32]
  68     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
  69   struct sha256_ctx ctx;
  70   struct sha256_ctx alt_ctx;
  71   size_t salt_len;
  72   size_t key_len;
  73   size_t cnt;
  74   char *cp;
  75   char *copied_key = NULL;
  76   char *copied_salt = NULL;
  77   char *p_bytes;
  78   char *s_bytes;
  79   /* Default number of rounds.  */
  80   size_t rounds = ROUNDS_DEFAULT;
  81   bool rounds_custom = false;
  82
  83   /* Find beginning of salt string.  The prefix should normally always
  84      be present.  Just in case it is not.  */
  85   if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
  86     /* Skip salt prefix.  */
  87     salt += sizeof (sha256_salt_prefix) - 1;
  88
  89   if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
  90       == 0)
  91     {
  92       const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
  93       char *endp;
  94       unsigned long int srounds = strtoul (num, &endp, 10);
  95       if (*endp == '$')
  96         {
  97           salt = endp + 1;
  98           rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
  99           rounds_custom = true;
 100         }
 101     }
 102
 103   salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 104   key_len = strlen (key);
 105
 106   if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
 107     {
 108       char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
 109       key = copied_key =
 110         memcpy (tmp + __alignof__ (uint32_t)
 111                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 112                 key, key_len);
 113       assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
 114     }
 115
 116   if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
 117     {
 118       char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
 119       salt = copied_salt =
 120         memcpy (tmp + __alignof__ (uint32_t)
 121                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 122                 salt, salt_len);
 123       assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
 124     }
 125
 126   /* Prepare for the real work.  */
 127   __sha256_init_ctx (&ctx);
 128
 129   /* Add the key string.  */
 130   __sha256_process_bytes (key, key_len, &ctx);
 131
 132   /* The last part is the salt string.  This must be at most 16
 133      characters and it ends at the first `$' character.  */
 134   __sha256_process_bytes (salt, salt_len, &ctx);
 135
 136
 137   /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
 138      final result will be added to the first context.  */
 139   __sha256_init_ctx (&alt_ctx);
 140
 141   /* Add key.  */
 142   __sha256_process_bytes (key, key_len, &alt_ctx);
 143
 144   /* Add salt.  */
 145   __sha256_process_bytes (salt, salt_len, &alt_ctx);
 146
 147   /* Add key again.  */
 148   __sha256_process_bytes (key, key_len, &alt_ctx);
 149
 150   /* Now get result of this (32 bytes) and add it to the other
 151      context.  */
 152   __sha256_finish_ctx (&alt_ctx, alt_result);
 153
 154   /* Add for any character in the key one byte of the alternate sum.  */
 155   for (cnt = key_len; cnt > 32; cnt -= 32)
 156     __sha256_process_bytes (alt_result, 32, &ctx);
 157   __sha256_process_bytes (alt_result, cnt, &ctx);
 158
 159   /* Take the binary representation of the length of the key and for every
 160      1 add the alternate sum, for every 0 the key.  */
 161   for (cnt = key_len; cnt > 0; cnt >>= 1)
 162     if ((cnt & 1) != 0)
 163       __sha256_process_bytes (alt_result, 32, &ctx);
 164     else
 165       __sha256_process_bytes (key, key_len, &ctx);
 166
 167   /* Create intermediate result.  */
 168   __sha256_finish_ctx (&ctx, alt_result);
 169
 170   /* Start computation of P byte sequence.  */
 171   __sha256_init_ctx (&alt_ctx);
 172
 173   /* For every character in the password add the entire password.  */
 174   for (cnt = 0; cnt < key_len; ++cnt)
 175     __sha256_process_bytes (key, key_len, &alt_ctx);
 176
 177   /* Finish the digest.  */
 178   __sha256_finish_ctx (&alt_ctx, temp_result);
 179
 180   /* Create byte sequence P.  */
 181   cp = p_bytes = alloca (key_len);
 182   for (cnt = key_len; cnt >= 32; cnt -= 32)
 183     cp = mempcpy (cp, temp_result, 32);
 184   memcpy (cp, temp_result, cnt);
 185
 186   /* Start computation of S byte sequence.  */
 187   __sha256_init_ctx (&alt_ctx);
 188
 189   /* For every character in the password add the entire password.  */
 190   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 191     __sha256_process_bytes (salt, salt_len, &alt_ctx);
 192
 193   /* Finish the digest.  */
 194   __sha256_finish_ctx (&alt_ctx, temp_result);
 195
 196   /* Create byte sequence S.  */
 197   cp = s_bytes = alloca (salt_len);
 198   for (cnt = salt_len; cnt >= 32; cnt -= 32)
 199     cp = mempcpy (cp, temp_result, 32);
 200   memcpy (cp, temp_result, cnt);
 201
 202   /* Repeatedly run the collected hash value through SHA256 to burn
 203      CPU cycles.  */
 204   for (cnt = 0; cnt < rounds; ++cnt)
 205     {
 206       /* New context.  */
 207       __sha256_init_ctx (&ctx);
 208
 209       /* Add key or last result.  */
 210       if ((cnt & 1) != 0)
 211         __sha256_process_bytes (p_bytes, key_len, &ctx);
 212       else
 213         __sha256_process_bytes (alt_result, 32, &ctx);
 214
 215       /* Add salt for numbers not divisible by 3.  */
 216       if (cnt % 3 != 0)
 217         __sha256_process_bytes (s_bytes, salt_len, &ctx);
 218
 219       /* Add key for numbers not divisible by 7.  */
 220       if (cnt % 7 != 0)
 221         __sha256_process_bytes (p_bytes, key_len, &ctx);
 222
 223       /* Add key or last result.  */
 224       if ((cnt & 1) != 0)
 225         __sha256_process_bytes (alt_result, 32, &ctx);
 226       else
 227         __sha256_process_bytes (p_bytes, key_len, &ctx);
 228
 229       /* Create intermediate result.  */
 230       __sha256_finish_ctx (&ctx, alt_result);
 231     }
 232
 233   /* Now we can construct the result string.  It consists of three
 234      parts.  */
 235   cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
 236   buflen -= sizeof (sha256_salt_prefix) - 1;
 237
 238   if (rounds_custom)
 239     {
 240       int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
 241                         sha256_rounds_prefix, rounds);
 242       cp += n;
 243       buflen -= n;
 244     }
 245
 246   cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 247   buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 248
 249   if (buflen > 0)
 250     {
 251       *cp++ = '$';
 252       --buflen;
 253     }
 254
 255 #define b64_from_24bit(B2, B1, B0, N)                                         \
 256   do {                                                                        \
 257     unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);                       \
 258     int n = (N);                                                              \
 259     while (n-- > 0 && buflen > 0)                                             \
 260       {                                                                       \
 261         *cp++ = b64t[w & 0x3f];                                               \
 262         --buflen;                                                             \
 263         w >>= 6;                                                              \
 264       }                                                                       \
 265   } while (0)
 266
 267   b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
 268   b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
 269   b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
 270   b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
 271   b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
 272   b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
 273   b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
 274   b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
 275   b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
 276   b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
 277   b64_from_24bit (0, alt_result[31], alt_result[30], 3);
 278   if (buflen <= 0)
 279     {
 280       __set_errno (ERANGE);
 281       buffer = NULL;
 282     }
 283   else
 284     *cp = '\0';         /* Terminate the string.  */
 285
 286   /* Clear the buffer for the intermediate result so that people
 287      attaching to processes or reading core dumps cannot get any
 288      information.  We do it in this way to clear correct_words[]
 289      inside the SHA256 implementation as well.  */
 290   __sha256_init_ctx (&ctx);
 291   __sha256_finish_ctx (&ctx, alt_result);
 292   memset (temp_result, '\0', sizeof (temp_result));
 293   memset (p_bytes, '\0', key_len);
 294   memset (s_bytes, '\0', salt_len);
 295   memset (&ctx, '\0', sizeof (ctx));
 296   memset (&alt_ctx, '\0', sizeof (alt_ctx));
 297   if (copied_key != NULL)
 298     memset (copied_key, '\0', key_len);
 299   if (copied_salt != NULL)
 300     memset (copied_salt, '\0', salt_len);
 301
 302   return buffer;
 303 }
 304
 305 #ifndef _LIBC
 306 # define libc_freeres_ptr(decl) decl
 307 #endif
 308 libc_freeres_ptr (static char *buffer);
 309
 310 /* This entry point is equivalent to the `crypt' function in Unix
 311    libcs.  */
 312 char *
 313 __sha256_crypt (const char *key, const char *salt)
 314 {
 315   /* We don't want to have an arbitrary limit in the size of the
 316      password.  We can compute an upper bound for the size of the
 317      result in advance and so we can prepare the buffer we pass to
 318      `sha256_crypt_r'.  */
 319   static int buflen;
 320   int needed = (sizeof (sha256_salt_prefix) - 1
 321                 + sizeof (sha256_rounds_prefix) + 9 + 1
 322                 + strlen (salt) + 1 + 43 + 1);
 323
 324   if (buflen < needed)
 325     {
 326       char *new_buffer = (char *) realloc (buffer, needed);
 327       if (new_buffer == NULL)
 328         return NULL;
 329
 330       buffer = new_buffer;
 331       buflen = needed;
 332     }
 333
 334   return __sha256_crypt_r (key, salt, buffer, buflen);
 335 }
 336
 337 #ifndef _LIBC
 338 static void
 339 __attribute__ ((__destructor__))
 340 free_mem (void)
 341 {
 342   free (buffer);
 343 }
 344 #endif