1 /* One way encryption based on SHA256 sum.
2 Copyright (C) 2007 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
26 #include <sys/param.h>
31 /* Define our magic string to mark salt for SHA256 "encryption"
33 static const char sha256_salt_prefix
[] = "$5$";
35 /* Prefix for optional rounds specification. */
36 static const char sha256_rounds_prefix
[] = "rounds=";
38 /* Maximum salt string length. */
39 #define SALT_LEN_MAX 16
40 /* Default number of rounds if not explicitly specified. */
41 #define ROUNDS_DEFAULT 5000
42 /* Minimum number of rounds. */
43 #define ROUNDS_MIN 1000
44 /* Maximum number of rounds. */
45 #define ROUNDS_MAX 999999999
47 /* Table with characters for base64 transformation. */
48 static const char b64t
[64] =
49 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
52 /* Prototypes for local functions. */
53 extern char *__sha256_crypt_r (const char *key
, const char *salt
,
54 char *buffer
, int buflen
);
55 extern char *__sha256_crypt (const char *key
, const char *salt
);
59 __sha256_crypt_r (key
, salt
, buffer
, buflen
)
65 unsigned char alt_result
[32]
66 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
67 unsigned char temp_result
[32]
68 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
69 struct sha256_ctx ctx
;
70 struct sha256_ctx alt_ctx
;
75 char *copied_key
= NULL
;
76 char *copied_salt
= NULL
;
79 /* Default number of rounds. */
80 size_t rounds
= ROUNDS_DEFAULT
;
81 bool rounds_custom
= false;
83 /* Find beginning of salt string. The prefix should normally always
84 be present. Just in case it is not. */
85 if (strncmp (sha256_salt_prefix
, salt
, sizeof (sha256_salt_prefix
) - 1) == 0)
86 /* Skip salt prefix. */
87 salt
+= sizeof (sha256_salt_prefix
) - 1;
89 if (strncmp (salt
, sha256_rounds_prefix
, sizeof (sha256_rounds_prefix
) - 1)
92 const char *num
= salt
+ sizeof (sha256_rounds_prefix
) - 1;
94 unsigned long int srounds
= strtoul (num
, &endp
, 10);
98 rounds
= MAX (ROUNDS_MIN
, MIN (srounds
, ROUNDS_MAX
));
103 salt_len
= MIN (strcspn (salt
, "$"), SALT_LEN_MAX
);
104 key_len
= strlen (key
);
106 if ((key
- (char *) 0) % __alignof__ (uint32_t) != 0)
108 char *tmp
= (char *) alloca (key_len
+ __alignof__ (uint32_t));
110 memcpy (tmp
+ __alignof__ (uint32_t)
111 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
113 assert ((key
- (char *) 0) % __alignof__ (uint32_t) == 0);
116 if ((salt
- (char *) 0) % __alignof__ (uint32_t) != 0)
118 char *tmp
= (char *) alloca (salt_len
+ __alignof__ (uint32_t));
120 memcpy (tmp
+ __alignof__ (uint32_t)
121 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
123 assert ((salt
- (char *) 0) % __alignof__ (uint32_t) == 0);
126 /* Prepare for the real work. */
127 __sha256_init_ctx (&ctx
);
129 /* Add the key string. */
130 __sha256_process_bytes (key
, key_len
, &ctx
);
132 /* The last part is the salt string. This must be at most 8
133 characters and it ends at the first `$' character (for
134 compatibility with existing implementations). */
135 __sha256_process_bytes (salt
, salt_len
, &ctx
);
138 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
139 final result will be added to the first context. */
140 __sha256_init_ctx (&alt_ctx
);
143 __sha256_process_bytes (key
, key_len
, &alt_ctx
);
146 __sha256_process_bytes (salt
, salt_len
, &alt_ctx
);
149 __sha256_process_bytes (key
, key_len
, &alt_ctx
);
151 /* Now get result of this (32 bytes) and add it to the other
153 __sha256_finish_ctx (&alt_ctx
, alt_result
);
155 /* Add for any character in the key one byte of the alternate sum. */
156 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
157 __sha256_process_bytes (alt_result
, 32, &ctx
);
158 __sha256_process_bytes (alt_result
, cnt
, &ctx
);
160 /* Take the binary representation of the length of the key and for every
161 1 add the alternate sum, for every 0 the key. */
162 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
164 __sha256_process_bytes (alt_result
, 32, &ctx
);
166 __sha256_process_bytes (key
, key_len
, &ctx
);
168 /* Create intermediate result. */
169 __sha256_finish_ctx (&ctx
, alt_result
);
171 /* Start computation of P byte sequence. */
172 __sha256_init_ctx (&alt_ctx
);
174 /* For every character in the password add the entire password. */
175 for (cnt
= 0; cnt
< key_len
; ++cnt
)
176 __sha256_process_bytes (key
, key_len
, &alt_ctx
);
178 /* Finish the digest. */
179 __sha256_finish_ctx (&alt_ctx
, temp_result
);
181 /* Create byte sequence P. */
182 cp
= p_bytes
= alloca (key_len
);
183 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
184 cp
= mempcpy (cp
, temp_result
, 32);
185 memcpy (cp
, temp_result
, cnt
);
187 /* Start computation of S byte sequence. */
188 __sha256_init_ctx (&alt_ctx
);
190 /* For every character in the password add the entire password. */
191 for (cnt
= 0; cnt
< 16 + alt_result
[0]; ++cnt
)
192 __sha256_process_bytes (salt
, salt_len
, &alt_ctx
);
194 /* Finish the digest. */
195 __sha256_finish_ctx (&alt_ctx
, temp_result
);
197 /* Create byte sequence S. */
198 cp
= s_bytes
= alloca (salt_len
);
199 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
200 cp
= mempcpy (cp
, temp_result
, 32);
201 memcpy (cp
, temp_result
, cnt
);
203 /* Repeatedly run the collected hash value through SHA256 to burn
205 for (cnt
= 0; cnt
< rounds
; ++cnt
)
208 __sha256_init_ctx (&ctx
);
210 /* Add key or last result. */
212 __sha256_process_bytes (p_bytes
, key_len
, &ctx
);
214 __sha256_process_bytes (alt_result
, 32, &ctx
);
216 /* Add salt for numbers not divisible by 3. */
218 __sha256_process_bytes (s_bytes
, salt_len
, &ctx
);
220 /* Add key for numbers not divisible by 7. */
222 __sha256_process_bytes (p_bytes
, key_len
, &ctx
);
224 /* Add key or last result. */
226 __sha256_process_bytes (alt_result
, 32, &ctx
);
228 __sha256_process_bytes (p_bytes
, key_len
, &ctx
);
230 /* Create intermediate result. */
231 __sha256_finish_ctx (&ctx
, alt_result
);
234 /* Now we can construct the result string. It consists of three
236 cp
= __stpncpy (buffer
, sha256_salt_prefix
, MAX (0, buflen
));
237 buflen
-= sizeof (sha256_salt_prefix
) - 1;
241 int n
= snprintf (cp
, MAX (0, buflen
), "%s%zu$",
242 sha256_rounds_prefix
, rounds
);
247 cp
= __stpncpy (cp
, salt
, MIN ((size_t) MAX (0, buflen
), salt_len
));
248 buflen
-= MIN ((size_t) MAX (0, buflen
), salt_len
);
256 #define b64_from_24bit(B2, B1, B0, N) \
258 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
260 while (n-- > 0 && buflen > 0) \
262 *cp++ = b64t[w & 0x3f]; \
268 b64_from_24bit (alt_result
[0], alt_result
[10], alt_result
[20], 4);
269 b64_from_24bit (alt_result
[21], alt_result
[1], alt_result
[11], 4);
270 b64_from_24bit (alt_result
[12], alt_result
[22], alt_result
[2], 4);
271 b64_from_24bit (alt_result
[3], alt_result
[13], alt_result
[23], 4);
272 b64_from_24bit (alt_result
[24], alt_result
[4], alt_result
[14], 4);
273 b64_from_24bit (alt_result
[15], alt_result
[25], alt_result
[5], 4);
274 b64_from_24bit (alt_result
[6], alt_result
[16], alt_result
[26], 4);
275 b64_from_24bit (alt_result
[27], alt_result
[7], alt_result
[17], 4);
276 b64_from_24bit (alt_result
[18], alt_result
[28], alt_result
[8], 4);
277 b64_from_24bit (alt_result
[9], alt_result
[19], alt_result
[29], 4);
278 b64_from_24bit (0, alt_result
[31], alt_result
[30], 3);
281 __set_errno (ERANGE
);
285 *cp
= '\0'; /* Terminate the string. */
287 /* Clear the buffer for the intermediate result so that people
288 attaching to processes or reading core dumps cannot get any
289 information. We do it in this way to clear correct_words[]
290 inside the SHA256 implementation as well. */
291 __sha256_init_ctx (&ctx
);
292 __sha256_finish_ctx (&ctx
, alt_result
);
293 memset (temp_result
, '\0', sizeof (temp_result
));
294 memset (p_bytes
, '\0', key_len
);
295 memset (s_bytes
, '\0', salt_len
);
296 memset (&ctx
, '\0', sizeof (ctx
));
297 memset (&alt_ctx
, '\0', sizeof (alt_ctx
));
298 if (copied_key
!= NULL
)
299 memset (copied_key
, '\0', key_len
);
300 if (copied_salt
!= NULL
)
301 memset (copied_salt
, '\0', salt_len
);
307 # define libc_freeres_ptr(decl) decl
309 libc_freeres_ptr (static char *buffer
);
311 /* This entry point is equivalent to the `crypt' function in Unix
314 __sha256_crypt (const char *key
, const char *salt
)
316 /* We don't want to have an arbitrary limit in the size of the
317 password. We can compute an upper bound for the size of the
318 result in advance and so we can prepare the buffer we pass to
321 int needed
= (sizeof (sha256_salt_prefix
) - 1
322 + sizeof (sha256_rounds_prefix
) + 9 + 1
323 + strlen (salt
) + 1 + 43 + 1);
327 char *new_buffer
= (char *) realloc (buffer
, needed
);
328 if (new_buffer
== NULL
)
335 return __sha256_crypt_r (key
, salt
, buffer
, buflen
);
340 __attribute__ ((__destructor__
))