crypt/sha256-crypt.c

   1 /* One way encryption based on SHA256 sum.
   2    Copyright (C) 2007, 2009 Free Software Foundation, Inc.
   3    This file is part of the GNU C Library.
   4    Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
   5
   6    The GNU C Library is free software; you can redistribute it and/or
   7    modify it under the terms of the GNU Lesser General Public
   8    License as published by the Free Software Foundation; either
   9    version 2.1 of the License, or (at your option) any later version.
  10
  11    The GNU C Library is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14    Lesser General Public License for more details.
  15
  16    You should have received a copy of the GNU Lesser General Public
  17    License along with the GNU C Library; if not, write to the Free
  18    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
  19    02111-1307 USA.  */
  20
  21 #include <assert.h>
  22 #include <errno.h>
  23 #include <stdbool.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <sys/param.h>
  27
  28 #include "sha256.h"
  29
  30
  31 #ifdef USE_NSS
  32 typedef int PRBool;
  33 # include <hasht.h>
  34 # include <nsslowhash.h>
  35
  36 # define sha256_init_ctx(ctxp, nss_ctxp) \
  37   do                                                                          \
  38     {                                                                         \
  39       if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256))      \
  40            == NULL))                                                          \
  41         {                                                                     \
  42           if (nss_ctx != NULL)                                                \
  43             NSSLOWHASH_Destroy (nss_ctx);                                     \
  44           if (nss_alt_ctx != NULL)                                            \
  45             NSSLOWHASH_Destroy (nss_alt_ctx);                                 \
  46           return NULL;                                                        \
  47         }                                                                     \
  48       NSSLOWHASH_Begin (nss_ctxp);                                            \
  49     }                                                                         \
  50   while (0)
  51
  52 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  53   NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
  54
  55 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  56   do                                                                          \
  57     {                                                                         \
  58       unsigned int ret;                                                       \
  59       NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));               \
  60       assert (ret == sizeof (result));                                        \
  61       NSSLOWHASH_Destroy (nss_ctxp);                                          \
  62       nss_ctxp = NULL;                                                        \
  63     }                                                                         \
  64   while (0)
  65 #else
  66 # define sha256_init_ctx(ctxp, nss_ctxp) \
  67   __sha256_init_ctx (ctxp)
  68
  69 # define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
  70   __sha256_process_bytes(buf, len, ctxp)
  71
  72 # define sha256_finish_ctx(ctxp, nss_ctxp, result) \
  73   __sha256_finish_ctx (ctxp, result)
  74 #endif
  75
  76
  77 /* Define our magic string to mark salt for SHA256 "encryption"
  78    replacement.  */
  79 static const char sha256_salt_prefix[] = "$5$";
  80
  81 /* Prefix for optional rounds specification.  */
  82 static const char sha256_rounds_prefix[] = "rounds=";
  83
  84 /* Maximum salt string length.  */
  85 #define SALT_LEN_MAX 16
  86 /* Default number of rounds if not explicitly specified.  */
  87 #define ROUNDS_DEFAULT 5000
  88 /* Minimum number of rounds.  */
  89 #define ROUNDS_MIN 1000
  90 /* Maximum number of rounds.  */
  91 #define ROUNDS_MAX 999999999
  92
  93 /* Table with characters for base64 transformation.  */
  94 static const char b64t[64] =
  95 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  96
  97
  98 /* Prototypes for local functions.  */
  99 extern char *__sha256_crypt_r (const char *key, const char *salt,
 100                                char *buffer, int buflen);
 101 extern char *__sha256_crypt (const char *key, const char *salt);
 102
 103
 104 char *
 105 __sha256_crypt_r (key, salt, buffer, buflen)
 106      const char *key;
 107      const char *salt;
 108      char *buffer;
 109      int buflen;
 110 {
 111   unsigned char alt_result[32]
 112     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 113   unsigned char temp_result[32]
 114     __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 115   size_t salt_len;
 116   size_t key_len;
 117   size_t cnt;
 118   char *cp;
 119   char *copied_key = NULL;
 120   char *copied_salt = NULL;
 121   char *p_bytes;
 122   char *s_bytes;
 123   /* Default number of rounds.  */
 124   size_t rounds = ROUNDS_DEFAULT;
 125   bool rounds_custom = false;
 126
 127   /* Find beginning of salt string.  The prefix should normally always
 128      be present.  Just in case it is not.  */
 129   if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
 130     /* Skip salt prefix.  */
 131     salt += sizeof (sha256_salt_prefix) - 1;
 132
 133   if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
 134       == 0)
 135     {
 136       const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
 137       char *endp;
 138       unsigned long int srounds = strtoul (num, &endp, 10);
 139       if (*endp == '$')
 140         {
 141           salt = endp + 1;
 142           rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
 143           rounds_custom = true;
 144         }
 145     }
 146
 147   salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 148   key_len = strlen (key);
 149
 150   if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
 151     {
 152       char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
 153       key = copied_key =
 154         memcpy (tmp + __alignof__ (uint32_t)
 155                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 156                 key, key_len);
 157       assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
 158     }
 159
 160   if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
 161     {
 162       char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
 163       salt = copied_salt =
 164         memcpy (tmp + __alignof__ (uint32_t)
 165                 - (tmp - (char *) 0) % __alignof__ (uint32_t),
 166                 salt, salt_len);
 167       assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
 168     }
 169
 170 #ifdef USE_NSS
 171   /* Initialize libfreebl3.  */
 172   NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
 173   if (nss_ictx == NULL)
 174     return NULL;
 175   NSSLOWHASHContext *nss_ctx = NULL;
 176   NSSLOWHASHContext *nss_alt_ctx = NULL;
 177 #else
 178   struct sha256_ctx ctx;
 179   struct sha256_ctx alt_ctx;
 180 #endif
 181
 182   /* Prepare for the real work.  */
 183   sha256_init_ctx (&ctx, nss_ctx);
 184
 185   /* Add the key string.  */
 186   sha256_process_bytes (key, key_len, &ctx, nss_ctx);
 187
 188   /* The last part is the salt string.  This must be at most 16
 189      characters and it ends at the first `$' character.  */
 190   sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
 191
 192
 193   /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
 194      final result will be added to the first context.  */
 195   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 196
 197   /* Add key.  */
 198   sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 199
 200   /* Add salt.  */
 201   sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 202
 203   /* Add key again.  */
 204   sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 205
 206   /* Now get result of this (32 bytes) and add it to the other
 207      context.  */
 208   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
 209
 210   /* Add for any character in the key one byte of the alternate sum.  */
 211   for (cnt = key_len; cnt > 32; cnt -= 32)
 212     sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 213   sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
 214
 215   /* Take the binary representation of the length of the key and for every
 216      1 add the alternate sum, for every 0 the key.  */
 217   for (cnt = key_len; cnt > 0; cnt >>= 1)
 218     if ((cnt & 1) != 0)
 219       sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 220     else
 221       sha256_process_bytes (key, key_len, &ctx, nss_ctx);
 222
 223   /* Create intermediate result.  */
 224   sha256_finish_ctx (&ctx, nss_ctx, alt_result);
 225
 226   /* Start computation of P byte sequence.  */
 227   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 228
 229   /* For every character in the password add the entire password.  */
 230   for (cnt = 0; cnt < key_len; ++cnt)
 231     sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 232
 233   /* Finish the digest.  */
 234   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 235
 236   /* Create byte sequence P.  */
 237   cp = p_bytes = alloca (key_len);
 238   for (cnt = key_len; cnt >= 32; cnt -= 32)
 239     cp = mempcpy (cp, temp_result, 32);
 240   memcpy (cp, temp_result, cnt);
 241
 242   /* Start computation of S byte sequence.  */
 243   sha256_init_ctx (&alt_ctx, nss_alt_ctx);
 244
 245   /* For every character in the password add the entire password.  */
 246   for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 247     sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 248
 249   /* Finish the digest.  */
 250   sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
 251
 252   /* Create byte sequence S.  */
 253   cp = s_bytes = alloca (salt_len);
 254   for (cnt = salt_len; cnt >= 32; cnt -= 32)
 255     cp = mempcpy (cp, temp_result, 32);
 256   memcpy (cp, temp_result, cnt);
 257
 258   /* Repeatedly run the collected hash value through SHA256 to burn
 259      CPU cycles.  */
 260   for (cnt = 0; cnt < rounds; ++cnt)
 261     {
 262       /* New context.  */
 263       sha256_init_ctx (&ctx, nss_ctx);
 264
 265       /* Add key or last result.  */
 266       if ((cnt & 1) != 0)
 267         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 268       else
 269         sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 270
 271       /* Add salt for numbers not divisible by 3.  */
 272       if (cnt % 3 != 0)
 273         sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
 274
 275       /* Add key for numbers not divisible by 7.  */
 276       if (cnt % 7 != 0)
 277         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 278
 279       /* Add key or last result.  */
 280       if ((cnt & 1) != 0)
 281         sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
 282       else
 283         sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
 284
 285       /* Create intermediate result.  */
 286       sha256_finish_ctx (&ctx, nss_ctx, alt_result);
 287     }
 288
 289 #ifdef USE_NSS
 290   /* Free libfreebl3 resources. */
 291   NSSLOW_Shutdown (nss_ictx);
 292 #endif
 293
 294   /* Now we can construct the result string.  It consists of three
 295      parts.  */
 296   cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
 297   buflen -= sizeof (sha256_salt_prefix) - 1;
 298
 299   if (rounds_custom)
 300     {
 301       int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
 302                         sha256_rounds_prefix, rounds);
 303       cp += n;
 304       buflen -= n;
 305     }
 306
 307   cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 308   buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 309
 310   if (buflen > 0)
 311     {
 312       *cp++ = '$';
 313       --buflen;
 314     }
 315
 316   void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
 317                        int n)
 318   {
 319     unsigned int w = (b2 << 16) | (b1 << 8) | b0;
 320     while (n-- > 0 && buflen > 0)
 321       {
 322         *cp++ = b64t[w & 0x3f];
 323         --buflen;
 324         w >>= 6;
 325       }
 326   }
 327
 328   b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
 329   b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
 330   b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
 331   b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
 332   b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
 333   b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
 334   b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
 335   b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
 336   b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
 337   b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
 338   b64_from_24bit (0, alt_result[31], alt_result[30], 3);
 339   if (buflen <= 0)
 340     {
 341       __set_errno (ERANGE);
 342       buffer = NULL;
 343     }
 344   else
 345     *cp = '\0';         /* Terminate the string.  */
 346
 347   /* Clear the buffer for the intermediate result so that people
 348      attaching to processes or reading core dumps cannot get any
 349      information.  We do it in this way to clear correct_words[]
 350      inside the SHA256 implementation as well.  */
 351 #ifndef USE_NSS
 352   __sha256_init_ctx (&ctx);
 353   __sha256_finish_ctx (&ctx, alt_result);
 354   memset (&ctx, '\0', sizeof (ctx));
 355   memset (&alt_ctx, '\0', sizeof (alt_ctx));
 356 #endif
 357   memset (temp_result, '\0', sizeof (temp_result));
 358   memset (p_bytes, '\0', key_len);
 359   memset (s_bytes, '\0', salt_len);
 360   if (copied_key != NULL)
 361     memset (copied_key, '\0', key_len);
 362   if (copied_salt != NULL)
 363     memset (copied_salt, '\0', salt_len);
 364
 365   return buffer;
 366 }
 367
 368 #ifndef _LIBC
 369 # define libc_freeres_ptr(decl) decl
 370 #endif
 371 libc_freeres_ptr (static char *buffer);
 372
 373 /* This entry point is equivalent to the `crypt' function in Unix
 374    libcs.  */
 375 char *
 376 __sha256_crypt (const char *key, const char *salt)
 377 {
 378   /* We don't want to have an arbitrary limit in the size of the
 379      password.  We can compute an upper bound for the size of the
 380      result in advance and so we can prepare the buffer we pass to
 381      `sha256_crypt_r'.  */
 382   static int buflen;
 383   int needed = (sizeof (sha256_salt_prefix) - 1
 384                 + sizeof (sha256_rounds_prefix) + 9 + 1
 385                 + strlen (salt) + 1 + 43 + 1);
 386
 387   if (buflen < needed)
 388     {
 389       char *new_buffer = (char *) realloc (buffer, needed);
 390       if (new_buffer == NULL)
 391         return NULL;
 392
 393       buffer = new_buffer;
 394       buflen = needed;
 395     }
 396
 397   return __sha256_crypt_r (key, salt, buffer, buflen);
 398 }
 399
 400 #ifndef _LIBC
 401 static void
 402 __attribute__ ((__destructor__))
 403 free_mem (void)
 404 {
 405   free (buffer);
 406 }
 407 #endif