2012-12-19 Steve Ellcey <sellcey@mips.com>
[glibc.git] / crypt / sha256-crypt.c
blob440933ac015ab2f6b92b242f8d64f80eeeb7ea41
1 /* One way encryption based on SHA256 sum.
2 Copyright (C) 2007, 2009, 2012 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
20 #include <assert.h>
21 #include <errno.h>
22 #include <stdbool.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <sys/param.h>
27 #include "sha256.h"
30 #ifdef USE_NSS
31 typedef int PRBool;
32 # include <hasht.h>
33 # include <nsslowhash.h>
35 # define sha256_init_ctx(ctxp, nss_ctxp) \
36 do \
37 { \
38 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
39 == NULL)) \
40 { \
41 if (nss_ctx != NULL) \
42 NSSLOWHASH_Destroy (nss_ctx); \
43 if (nss_alt_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_alt_ctx); \
45 return NULL; \
46 } \
47 NSSLOWHASH_Begin (nss_ctxp); \
48 } \
49 while (0)
51 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
52 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
54 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
55 do \
56 { \
57 unsigned int ret; \
58 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
59 assert (ret == sizeof (result)); \
60 NSSLOWHASH_Destroy (nss_ctxp); \
61 nss_ctxp = NULL; \
62 } \
63 while (0)
64 #else
65 # define sha256_init_ctx(ctxp, nss_ctxp) \
66 __sha256_init_ctx (ctxp)
68 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
69 __sha256_process_bytes(buf, len, ctxp)
71 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
72 __sha256_finish_ctx (ctxp, result)
73 #endif
76 /* Define our magic string to mark salt for SHA256 "encryption"
77 replacement. */
78 static const char sha256_salt_prefix[] = "$5$";
80 /* Prefix for optional rounds specification. */
81 static const char sha256_rounds_prefix[] = "rounds=";
83 /* Maximum salt string length. */
84 #define SALT_LEN_MAX 16
85 /* Default number of rounds if not explicitly specified. */
86 #define ROUNDS_DEFAULT 5000
87 /* Minimum number of rounds. */
88 #define ROUNDS_MIN 1000
89 /* Maximum number of rounds. */
90 #define ROUNDS_MAX 999999999
92 /* Table with characters for base64 transformation. */
93 static const char b64t[64] =
94 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
97 /* Prototypes for local functions. */
98 extern char *__sha256_crypt_r (const char *key, const char *salt,
99 char *buffer, int buflen);
100 extern char *__sha256_crypt (const char *key, const char *salt);
103 char *
104 __sha256_crypt_r (key, salt, buffer, buflen)
105 const char *key;
106 const char *salt;
107 char *buffer;
108 int buflen;
110 unsigned char alt_result[32]
111 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
112 unsigned char temp_result[32]
113 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
114 size_t salt_len;
115 size_t key_len;
116 size_t cnt;
117 char *cp;
118 char *copied_key = NULL;
119 char *copied_salt = NULL;
120 char *p_bytes;
121 char *s_bytes;
122 /* Default number of rounds. */
123 size_t rounds = ROUNDS_DEFAULT;
124 bool rounds_custom = false;
125 size_t alloca_used = 0;
126 char *free_key = NULL;
127 char *free_pbytes = NULL;
129 /* Find beginning of salt string. The prefix should normally always
130 be present. Just in case it is not. */
131 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
132 /* Skip salt prefix. */
133 salt += sizeof (sha256_salt_prefix) - 1;
135 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
136 == 0)
138 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
139 char *endp;
140 unsigned long int srounds = strtoul (num, &endp, 10);
141 if (*endp == '$')
143 salt = endp + 1;
144 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
145 rounds_custom = true;
149 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
150 key_len = strlen (key);
152 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
154 char *tmp;
156 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
157 tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
158 else
160 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
161 if (tmp == NULL)
162 return NULL;
165 key = copied_key =
166 memcpy (tmp + __alignof__ (uint32_t)
167 - (tmp - (char *) 0) % __alignof__ (uint32_t),
168 key, key_len);
169 assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
172 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
174 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
175 alloca_used += salt_len + __alignof__ (uint32_t);
176 salt = copied_salt =
177 memcpy (tmp + __alignof__ (uint32_t)
178 - (tmp - (char *) 0) % __alignof__ (uint32_t),
179 salt, salt_len);
180 assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
183 #ifdef USE_NSS
184 /* Initialize libfreebl3. */
185 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
186 if (nss_ictx == NULL)
188 free (free_key);
189 return NULL;
191 NSSLOWHASHContext *nss_ctx = NULL;
192 NSSLOWHASHContext *nss_alt_ctx = NULL;
193 #else
194 struct sha256_ctx ctx;
195 struct sha256_ctx alt_ctx;
196 #endif
198 /* Prepare for the real work. */
199 sha256_init_ctx (&ctx, nss_ctx);
201 /* Add the key string. */
202 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
204 /* The last part is the salt string. This must be at most 16
205 characters and it ends at the first `$' character. */
206 sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
209 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
210 final result will be added to the first context. */
211 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
213 /* Add key. */
214 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
216 /* Add salt. */
217 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
219 /* Add key again. */
220 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
222 /* Now get result of this (32 bytes) and add it to the other
223 context. */
224 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
226 /* Add for any character in the key one byte of the alternate sum. */
227 for (cnt = key_len; cnt > 32; cnt -= 32)
228 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
229 sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
231 /* Take the binary representation of the length of the key and for every
232 1 add the alternate sum, for every 0 the key. */
233 for (cnt = key_len; cnt > 0; cnt >>= 1)
234 if ((cnt & 1) != 0)
235 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
236 else
237 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
239 /* Create intermediate result. */
240 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
242 /* Start computation of P byte sequence. */
243 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
245 /* For every character in the password add the entire password. */
246 for (cnt = 0; cnt < key_len; ++cnt)
247 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
249 /* Finish the digest. */
250 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
252 /* Create byte sequence P. */
253 if (__libc_use_alloca (alloca_used + key_len))
254 cp = p_bytes = (char *) alloca (key_len);
255 else
257 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
258 if (free_pbytes == NULL)
260 free (free_key);
261 return NULL;
265 for (cnt = key_len; cnt >= 32; cnt -= 32)
266 cp = mempcpy (cp, temp_result, 32);
267 memcpy (cp, temp_result, cnt);
269 /* Start computation of S byte sequence. */
270 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
272 /* For every character in the password add the entire password. */
273 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
274 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
276 /* Finish the digest. */
277 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
279 /* Create byte sequence S. */
280 cp = s_bytes = alloca (salt_len);
281 for (cnt = salt_len; cnt >= 32; cnt -= 32)
282 cp = mempcpy (cp, temp_result, 32);
283 memcpy (cp, temp_result, cnt);
285 /* Repeatedly run the collected hash value through SHA256 to burn
286 CPU cycles. */
287 for (cnt = 0; cnt < rounds; ++cnt)
289 /* New context. */
290 sha256_init_ctx (&ctx, nss_ctx);
292 /* Add key or last result. */
293 if ((cnt & 1) != 0)
294 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
295 else
296 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
298 /* Add salt for numbers not divisible by 3. */
299 if (cnt % 3 != 0)
300 sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
302 /* Add key for numbers not divisible by 7. */
303 if (cnt % 7 != 0)
304 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
306 /* Add key or last result. */
307 if ((cnt & 1) != 0)
308 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
309 else
310 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
312 /* Create intermediate result. */
313 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
316 #ifdef USE_NSS
317 /* Free libfreebl3 resources. */
318 NSSLOW_Shutdown (nss_ictx);
319 #endif
321 /* Now we can construct the result string. It consists of three
322 parts. */
323 cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
324 buflen -= sizeof (sha256_salt_prefix) - 1;
326 if (rounds_custom)
328 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
329 sha256_rounds_prefix, rounds);
330 cp += n;
331 buflen -= n;
334 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
335 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
337 if (buflen > 0)
339 *cp++ = '$';
340 --buflen;
343 void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
344 int n)
346 unsigned int w = (b2 << 16) | (b1 << 8) | b0;
347 while (n-- > 0 && buflen > 0)
349 *cp++ = b64t[w & 0x3f];
350 --buflen;
351 w >>= 6;
355 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
356 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
357 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
358 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
359 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
360 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
361 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
362 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
363 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
364 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
365 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
366 if (buflen <= 0)
368 __set_errno (ERANGE);
369 buffer = NULL;
371 else
372 *cp = '\0'; /* Terminate the string. */
374 /* Clear the buffer for the intermediate result so that people
375 attaching to processes or reading core dumps cannot get any
376 information. We do it in this way to clear correct_words[]
377 inside the SHA256 implementation as well. */
378 #ifndef USE_NSS
379 __sha256_init_ctx (&ctx);
380 __sha256_finish_ctx (&ctx, alt_result);
381 memset (&ctx, '\0', sizeof (ctx));
382 memset (&alt_ctx, '\0', sizeof (alt_ctx));
383 #endif
384 memset (temp_result, '\0', sizeof (temp_result));
385 memset (p_bytes, '\0', key_len);
386 memset (s_bytes, '\0', salt_len);
387 if (copied_key != NULL)
388 memset (copied_key, '\0', key_len);
389 if (copied_salt != NULL)
390 memset (copied_salt, '\0', salt_len);
392 free (free_key);
393 free (free_pbytes);
394 return buffer;
397 #ifndef _LIBC
398 # define libc_freeres_ptr(decl) decl
399 #endif
400 libc_freeres_ptr (static char *buffer);
402 /* This entry point is equivalent to the `crypt' function in Unix
403 libcs. */
404 char *
405 __sha256_crypt (const char *key, const char *salt)
407 /* We don't want to have an arbitrary limit in the size of the
408 password. We can compute an upper bound for the size of the
409 result in advance and so we can prepare the buffer we pass to
410 `sha256_crypt_r'. */
411 static int buflen;
412 int needed = (sizeof (sha256_salt_prefix) - 1
413 + sizeof (sha256_rounds_prefix) + 9 + 1
414 + strlen (salt) + 1 + 43 + 1);
416 if (buflen < needed)
418 char *new_buffer = (char *) realloc (buffer, needed);
419 if (new_buffer == NULL)
420 return NULL;
422 buffer = new_buffer;
423 buflen = needed;
426 return __sha256_crypt_r (key, salt, buffer, buflen);
429 #ifndef _LIBC
430 static void
431 __attribute__ ((__destructor__))
432 free_mem (void)
434 free (buffer);
436 #endif