crypt/sha512-crypt.c

   1 /* One way encryption based on SHA512 sum.
   2    Copyright (C) 2007-2017 Free Software Foundation, Inc.
   3    This file is part of the GNU C Library.
   4    Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
   5
   6    The GNU C Library is free software; you can redistribute it and/or
   7    modify it under the terms of the GNU Lesser General Public
   8    License as published by the Free Software Foundation; either
   9    version 2.1 of the License, or (at your option) any later version.
  10
  11    The GNU C Library is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14    Lesser General Public License for more details.
  15
  16    You should have received a copy of the GNU Lesser General Public
  17    License along with the GNU C Library; if not, see
  18    <http://www.gnu.org/licenses/>.  */
  19
  20 #include <assert.h>
  21 #include <errno.h>
  22 #include <stdbool.h>
  23 #include <stdlib.h>
  24 #include <string.h>
  25 #include <stdint.h>
  26 #include <sys/param.h>
  27
  28 #include "sha512.h"
  29 #include "crypt-private.h"
  30
  31
  32 #ifdef USE_NSS
  33 typedef int PRBool;
  34 # include <hasht.h>
  35 # include <nsslowhash.h>
  36
  37 # define sha512_init_ctx(ctxp, nss_ctxp) \
  38   do                                                                          \
  39     {                                                                         \
  40       if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512))      \
  41            == NULL))                                                          \
  42         {                                                                     \
  43           if (nss_ctx != NULL)                                                \
  44             NSSLOWHASH_Destroy (nss_ctx);                                     \
  45           if (nss_alt_ctx != NULL)                                            \
  46             NSSLOWHASH_Destroy (nss_alt_ctx);                                 \
  47           return NULL;                                                        \
  48         }                                                                     \
  49       NSSLOWHASH_Begin (nss_ctxp);                                            \
  50     }                                                                         \
  51   while (0)
  52
  53 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
  54   NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
  55
  56 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
  57   do                                                                          \
  58     {                                                                         \
  59       unsigned int ret;                                                       \
  60       NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));               \
  61       assert (ret == sizeof (result));                                        \
  62       NSSLOWHASH_Destroy (nss_ctxp);                                          \
  63       nss_ctxp = NULL;                                                        \
  64     }                                                                         \
  65   while (0)
  66 #else
  67 # define sha512_init_ctx(ctxp, nss_ctxp) \
  68   __sha512_init_ctx (ctxp)
  69
  70 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
  71   __sha512_process_bytes(buf, len, ctxp)
  72
  73 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
  74   __sha512_finish_ctx (ctxp, result)
  75 #endif
  76
  77
  78 /* Define our magic string to mark salt for SHA512 "encryption"
  79    replacement.  */
  80 static const char sha512_salt_prefix[] = "$6$";
  81
  82 /* Prefix for optional rounds specification.  */
  83 static const char sha512_rounds_prefix[] = "rounds=";
  84
  85 /* Maximum salt string length.  */
  86 #define SALT_LEN_MAX 16
  87 /* Default number of rounds if not explicitly specified.  */
  88 #define ROUNDS_DEFAULT 5000
  89 /* Minimum number of rounds.  */
  90 #define ROUNDS_MIN 1000
  91 /* Maximum number of rounds.  */
  92 #define ROUNDS_MAX 999999999
  93
  94
  95 /* Prototypes for local functions.  */
  96 extern char *__sha512_crypt_r (const char *key, const char *salt,
  97                                char *buffer, int buflen);
  98 extern char *__sha512_crypt (const char *key, const char *salt);
  99
 100
 101 char *
 102 __sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
 103 {
 104   unsigned char alt_result[64]
 105     __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
 106   unsigned char temp_result[64]
 107     __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
 108   size_t salt_len;
 109   size_t key_len;
 110   size_t cnt;
 111   char *cp;
 112   char *copied_key = NULL;
 113   char *copied_salt = NULL;
 114   char *p_bytes;
 115   char *s_bytes;
 116   /* Default number of rounds.  */
 117   size_t rounds = ROUNDS_DEFAULT;
 118   bool rounds_custom = false;
 119   size_t alloca_used = 0;
 120   char *free_key = NULL;
 121   char *free_pbytes = NULL;
 122
 123   /* Find beginning of salt string.  The prefix should normally always
 124      be present.  Just in case it is not.  */
 125   if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
 126     /* Skip salt prefix.  */
 127     salt += sizeof (sha512_salt_prefix) - 1;
 128
 129   if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
 130       == 0)
 131     {
 132       const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
 133       char *endp;
 134       unsigned long int srounds = strtoul (num, &endp, 10);
 135       if (*endp == '$')
 136         {
 137           salt = endp + 1;
 138           rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
 139           rounds_custom = true;
 140         }
 141     }
 142
 143   salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 144   key_len = strlen (key);
 145
 146   if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
 147     {
 148       char *tmp;
 149
 150       if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint64_t)))
 151         tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
 152       else
 153         {
 154           free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
 155           if (tmp == NULL)
 156             return NULL;
 157         }
 158
 159       key = copied_key =
 160         memcpy (tmp + __alignof__ (uint64_t)
 161                 - (tmp - (char *) 0) % __alignof__ (uint64_t),
 162                 key, key_len);
 163       assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
 164     }
 165
 166   if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
 167     {
 168       char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
 169       salt = copied_salt =
 170         memcpy (tmp + __alignof__ (uint64_t)
 171                 - (tmp - (char *) 0) % __alignof__ (uint64_t),
 172                 salt, salt_len);
 173       assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
 174     }
 175
 176 #ifdef USE_NSS
 177   /* Initialize libfreebl3.  */
 178   NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
 179   if (nss_ictx == NULL)
 180     {
 181       free (free_key);
 182       return NULL;
 183     }
 184   NSSLOWHASHContext *nss_ctx = NULL;
 185   NSSLOWHASHContext *nss_alt_ctx = NULL;
 186 #else
 187   struct sha512_ctx ctx;
 188   struct sha512_ctx alt_ctx;
 189 #endif
 190
 191   /* Prepare for the real work.  */
 192   sha512_init_ctx (&ctx, nss_ctx);
 193
 194   /* Add the key string.  */
 195   sha512_process_bytes (key, key_len, &ctx, nss_ctx);
 196
 197   /* The last part is the salt string.  This must be at most 16
 198      characters and it ends at the first `$' character.  */
 199   sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);
 200
 201
 202   /* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
 203      final result will be added to the first context.  */
 204   sha512_init_ctx (&alt_ctx, nss_alt_ctx);
 205
 206   /* Add key.  */
 207   sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 208
 209   /* Add salt.  */
 210   sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 211
 212   /* Add key again.  */
 213   sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 214
 215   /* Now get result of this (64 bytes) and add it to the other
 216      context.  */
 217   sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
 218
 219   /* Add for any character in the key one byte of the alternate sum.  */
 220   for (cnt = key_len; cnt > 64; cnt -= 64)
 221     sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
 222   sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);
 223
 224   /* Take the binary representation of the length of the key and for every
 225      1 add the alternate sum, for every 0 the key.  */
 226   for (cnt = key_len; cnt > 0; cnt >>= 1)
 227     if ((cnt & 1) != 0)
 228       sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
 229     else
 230       sha512_process_bytes (key, key_len, &ctx, nss_ctx);
 231
 232   /* Create intermediate result.  */
 233   sha512_finish_ctx (&ctx, nss_ctx, alt_result);
 234
 235   /* Start computation of P byte sequence.  */
 236   sha512_init_ctx (&alt_ctx, nss_alt_ctx);
 237
 238   /* For every character in the password add the entire password.  */
 239   for (cnt = 0; cnt < key_len; ++cnt)
 240     sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 241
 242   /* Finish the digest.  */
 243   sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 244
 245   /* Create byte sequence P.  */
 246   if (__libc_use_alloca (alloca_used + key_len))
 247     cp = p_bytes = (char *) alloca (key_len);
 248   else
 249     {
 250       free_pbytes = cp = p_bytes = (char *)malloc (key_len);
 251       if (free_pbytes == NULL)
 252         {
 253           free (free_key);
 254           return NULL;
 255         }
 256     }
 257
 258   for (cnt = key_len; cnt >= 64; cnt -= 64)
 259     cp = mempcpy (cp, temp_result, 64);
 260   memcpy (cp, temp_result, cnt);
 261
 262   /* Start computation of S byte sequence.  */
 263   sha512_init_ctx (&alt_ctx, nss_alt_ctx);
 264
 265   /* For every character in the password add the entire password.  */
 266   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 267     sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 268
 269   /* Finish the digest.  */
 270   sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 271
 272   /* Create byte sequence S.  */
 273   cp = s_bytes = alloca (salt_len);
 274   for (cnt = salt_len; cnt >= 64; cnt -= 64)
 275     cp = mempcpy (cp, temp_result, 64);
 276   memcpy (cp, temp_result, cnt);
 277
 278   /* Repeatedly run the collected hash value through SHA512 to burn
 279      CPU cycles.  */
 280   for (cnt = 0; cnt < rounds; ++cnt)
 281     {
 282       /* New context.  */
 283       sha512_init_ctx (&ctx, nss_ctx);
 284
 285       /* Add key or last result.  */
 286       if ((cnt & 1) != 0)
 287         sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 288       else
 289         sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
 290
 291       /* Add salt for numbers not divisible by 3.  */
 292       if (cnt % 3 != 0)
 293         sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
 294
 295       /* Add key for numbers not divisible by 7.  */
 296       if (cnt % 7 != 0)
 297         sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 298
 299       /* Add key or last result.  */
 300       if ((cnt & 1) != 0)
 301         sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
 302       else
 303         sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 304
 305       /* Create intermediate result.  */
 306       sha512_finish_ctx (&ctx, nss_ctx, alt_result);
 307     }
 308
 309 #ifdef USE_NSS
 310   /* Free libfreebl3 resources. */
 311   NSSLOW_Shutdown (nss_ictx);
 312 #endif
 313
 314   /* Now we can construct the result string.  It consists of three
 315      parts.  */
 316   cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
 317   buflen -= sizeof (sha512_salt_prefix) - 1;
 318
 319   if (rounds_custom)
 320     {
 321       int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
 322                           sha512_rounds_prefix, rounds);
 323       cp += n;
 324       buflen -= n;
 325     }
 326
 327   cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 328   buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 329
 330   if (buflen > 0)
 331     {
 332       *cp++ = '$';
 333       --buflen;
 334     }
 335
 336   __b64_from_24bit (&cp, &buflen,
 337                     alt_result[0], alt_result[21], alt_result[42], 4);
 338   __b64_from_24bit (&cp, &buflen,
 339                     alt_result[22], alt_result[43], alt_result[1], 4);
 340   __b64_from_24bit (&cp, &buflen,
 341                     alt_result[44], alt_result[2], alt_result[23], 4);
 342   __b64_from_24bit (&cp, &buflen,
 343                     alt_result[3], alt_result[24], alt_result[45], 4);
 344   __b64_from_24bit (&cp, &buflen,
 345                     alt_result[25], alt_result[46], alt_result[4], 4);
 346   __b64_from_24bit (&cp, &buflen,
 347                     alt_result[47], alt_result[5], alt_result[26], 4);
 348   __b64_from_24bit (&cp, &buflen,
 349                     alt_result[6], alt_result[27], alt_result[48], 4);
 350   __b64_from_24bit (&cp, &buflen,
 351                     alt_result[28], alt_result[49], alt_result[7], 4);
 352   __b64_from_24bit (&cp, &buflen,
 353                     alt_result[50], alt_result[8], alt_result[29], 4);
 354   __b64_from_24bit (&cp, &buflen,
 355                     alt_result[9], alt_result[30], alt_result[51], 4);
 356   __b64_from_24bit (&cp, &buflen,
 357                     alt_result[31], alt_result[52], alt_result[10], 4);
 358   __b64_from_24bit (&cp, &buflen,
 359                     alt_result[53], alt_result[11], alt_result[32], 4);
 360   __b64_from_24bit (&cp, &buflen,
 361                     alt_result[12], alt_result[33], alt_result[54], 4);
 362   __b64_from_24bit (&cp, &buflen,
 363                     alt_result[34], alt_result[55], alt_result[13], 4);
 364   __b64_from_24bit (&cp, &buflen,
 365                     alt_result[56], alt_result[14], alt_result[35], 4);
 366   __b64_from_24bit (&cp, &buflen,
 367                     alt_result[15], alt_result[36], alt_result[57], 4);
 368   __b64_from_24bit (&cp, &buflen,
 369                     alt_result[37], alt_result[58], alt_result[16], 4);
 370   __b64_from_24bit (&cp, &buflen,
 371                     alt_result[59], alt_result[17], alt_result[38], 4);
 372   __b64_from_24bit (&cp, &buflen,
 373                     alt_result[18], alt_result[39], alt_result[60], 4);
 374   __b64_from_24bit (&cp, &buflen,
 375                     alt_result[40], alt_result[61], alt_result[19], 4);
 376   __b64_from_24bit (&cp, &buflen,
 377                     alt_result[62], alt_result[20], alt_result[41], 4);
 378   __b64_from_24bit (&cp, &buflen,
 379                     0, 0, alt_result[63], 2);
 380
 381   if (buflen <= 0)
 382     {
 383       __set_errno (ERANGE);
 384       buffer = NULL;
 385     }
 386   else
 387     *cp = '\0';         /* Terminate the string.  */
 388
 389   /* Clear the buffer for the intermediate result so that people
 390      attaching to processes or reading core dumps cannot get any
 391      information.  We do it in this way to clear correct_words[]
 392      inside the SHA512 implementation as well.  */
 393 #ifndef USE_NSS
 394   __sha512_init_ctx (&ctx);
 395   __sha512_finish_ctx (&ctx, alt_result);
 396   explicit_bzero (&ctx, sizeof (ctx));
 397   explicit_bzero (&alt_ctx, sizeof (alt_ctx));
 398 #endif
 399   explicit_bzero (temp_result, sizeof (temp_result));
 400   explicit_bzero (p_bytes, key_len);
 401   explicit_bzero (s_bytes, salt_len);
 402   if (copied_key != NULL)
 403     explicit_bzero (copied_key, key_len);
 404   if (copied_salt != NULL)
 405     explicit_bzero (copied_salt, salt_len);
 406
 407   free (free_key);
 408   free (free_pbytes);
 409   return buffer;
 410 }
 411
 412 #ifndef _LIBC
 413 # define libc_freeres_ptr(decl) decl
 414 #endif
 415 libc_freeres_ptr (static char *buffer);
 416
 417 /* This entry point is equivalent to the `crypt' function in Unix
 418    libcs.  */
 419 char *
 420 __sha512_crypt (const char *key, const char *salt)
 421 {
 422   /* We don't want to have an arbitrary limit in the size of the
 423      password.  We can compute an upper bound for the size of the
 424      result in advance and so we can prepare the buffer we pass to
 425      `sha512_crypt_r'.  */
 426   static int buflen;
 427   int needed = (sizeof (sha512_salt_prefix) - 1
 428                 + sizeof (sha512_rounds_prefix) + 9 + 1
 429                 + strlen (salt) + 1 + 86 + 1);
 430
 431   if (buflen < needed)
 432     {
 433       char *new_buffer = (char *) realloc (buffer, needed);
 434       if (new_buffer == NULL)
 435         return NULL;
 436
 437       buffer = new_buffer;
 438       buflen = needed;
 439     }
 440
 441   return __sha512_crypt_r (key, salt, buffer, buflen);
 442 }
 443
 444 #ifndef _LIBC
 445 static void
 446 __attribute__ ((__destructor__))
 447 free_mem (void)
 448 {
 449   free (buffer);
 450 }
 451 #endif