crypt/md5-crypt.c

   1 /* One way encryption based on MD5 sum.
   2    Compatible with the behavior of MD5 crypt introduced in FreeBSD 2.0.
   3    Copyright (C) 1996, 1997, 1999, 2000, 2001, 2002, 2004, 2009, 2012
   4    Free Software Foundation, Inc.
   5    This file is part of the GNU C Library.
   6    Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
   7
   8    The GNU C Library is free software; you can redistribute it and/or
   9    modify it under the terms of the GNU Lesser General Public
  10    License as published by the Free Software Foundation; either
  11    version 2.1 of the License, or (at your option) any later version.
  12
  13    The GNU C Library is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16    Lesser General Public License for more details.
  17
  18    You should have received a copy of the GNU Lesser General Public
  19    License along with the GNU C Library; if not, see
  20    <http://www.gnu.org/licenses/>.  */
  21
  22 #include <assert.h>
  23 #include <errno.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <sys/param.h>
  27
  28 #include "md5.h"
  29
  30
  31 #ifdef USE_NSS
  32 typedef int PRBool;
  33 # include <hasht.h>
  34 # include <nsslowhash.h>
  35
  36 # define md5_init_ctx(ctxp, nss_ctxp) \
  37   do                                                                          \
  38     {                                                                         \
  39       if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgMD5))         \
  40            == NULL))                                                          \
  41         {                                                                     \
  42           if (nss_ctx != NULL)                                                \
  43             NSSLOWHASH_Destroy (nss_ctx);                                     \
  44           if (nss_alt_ctx != NULL)                                            \
  45             NSSLOWHASH_Destroy (nss_alt_ctx);                                 \
  46           return NULL;                                                        \
  47         }                                                                     \
  48       NSSLOWHASH_Begin (nss_ctxp);                                            \
  49     }                                                                         \
  50   while (0)
  51
  52 # define md5_process_bytes(buf, len, ctxp, nss_ctxp) \
  53   NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
  54
  55 # define md5_finish_ctx(ctxp, nss_ctxp, result) \
  56   do                                                                          \
  57     {                                                                         \
  58       unsigned int ret;                                                       \
  59       NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result));               \
  60       assert (ret == sizeof (result));                                        \
  61       NSSLOWHASH_Destroy (nss_ctxp);                                          \
  62       nss_ctxp = NULL;                                                        \
  63     }                                                                         \
  64   while (0)
  65 #else
  66 # define md5_init_ctx(ctxp, nss_ctxp) \
  67   __md5_init_ctx (ctxp)
  68
  69 # define md5_process_bytes(buf, len, ctxp, nss_ctxp) \
  70   __md5_process_bytes(buf, len, ctxp)
  71
  72 # define md5_finish_ctx(ctxp, nss_ctxp, result) \
  73   __md5_finish_ctx (ctxp, result)
  74 #endif
  75
  76
  77 /* Define our magic string to mark salt for MD5 "encryption"
  78    replacement.  This is meant to be the same as for other MD5 based
  79    encryption implementations.  */
  80 static const char md5_salt_prefix[] = "$1$";
  81
  82 /* Table with characters for base64 transformation.  */
  83 static const char b64t[64] =
  84 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  85
  86
  87 /* Prototypes for local functions.  */
  88 extern char *__md5_crypt_r (const char *key, const char *salt,
  89                             char *buffer, int buflen);
  90 extern char *__md5_crypt (const char *key, const char *salt);
  91
  92
  93 /* This entry point is equivalent to the `crypt' function in Unix
  94    libcs.  */
  95 char *
  96 __md5_crypt_r (key, salt, buffer, buflen)
  97      const char *key;
  98      const char *salt;
  99      char *buffer;
 100      int buflen;
 101 {
 102   unsigned char alt_result[16]
 103     __attribute__ ((__aligned__ (__alignof__ (md5_uint32))));
 104   size_t salt_len;
 105   size_t key_len;
 106   size_t cnt;
 107   char *cp;
 108   char *copied_key = NULL;
 109   char *copied_salt = NULL;
 110   char *free_key = NULL;
 111   size_t alloca_used = 0;
 112
 113   /* Find beginning of salt string.  The prefix should normally always
 114      be present.  Just in case it is not.  */
 115   if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
 116     /* Skip salt prefix.  */
 117     salt += sizeof (md5_salt_prefix) - 1;
 118
 119   salt_len = MIN (strcspn (salt, "$"), 8);
 120   key_len = strlen (key);
 121
 122   if ((key - (char *) 0) % __alignof__ (md5_uint32) != 0)
 123     {
 124       char *tmp;
 125
 126       if (__libc_use_alloca (alloca_used + key_len + __alignof__ (md5_uint32)))
 127         tmp = (char *) alloca (key_len + __alignof__ (md5_uint32));
 128       else
 129         {
 130           free_key = tmp = (char *) malloc (key_len + __alignof__ (md5_uint32));
 131           if (tmp == NULL)
 132             return NULL;
 133         }
 134
 135       key = copied_key =
 136         memcpy (tmp + __alignof__ (md5_uint32)
 137                 - (tmp - (char *) 0) % __alignof__ (md5_uint32),
 138                 key, key_len);
 139       assert ((key - (char *) 0) % __alignof__ (md5_uint32) == 0);
 140     }
 141
 142   if ((salt - (char *) 0) % __alignof__ (md5_uint32) != 0)
 143     {
 144       char *tmp = (char *) alloca (salt_len + __alignof__ (md5_uint32));
 145       salt = copied_salt =
 146         memcpy (tmp + __alignof__ (md5_uint32)
 147                 - (tmp - (char *) 0) % __alignof__ (md5_uint32),
 148                 salt, salt_len);
 149       assert ((salt - (char *) 0) % __alignof__ (md5_uint32) == 0);
 150     }
 151
 152 #ifdef USE_NSS
 153   /* Initialize libfreebl3.  */
 154   NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
 155   if (nss_ictx == NULL)
 156     {
 157       free (free_key);
 158       return NULL;
 159     }
 160   NSSLOWHASHContext *nss_ctx = NULL;
 161   NSSLOWHASHContext *nss_alt_ctx = NULL;
 162 #else
 163   struct md5_ctx ctx;
 164   struct md5_ctx alt_ctx;
 165 #endif
 166
 167   /* Prepare for the real work.  */
 168   md5_init_ctx (&ctx, nss_ctx);
 169
 170   /* Add the key string.  */
 171   md5_process_bytes (key, key_len, &ctx, nss_ctx);
 172
 173   /* Because the SALT argument need not always have the salt prefix we
 174      add it separately.  */
 175   md5_process_bytes (md5_salt_prefix, sizeof (md5_salt_prefix) - 1,
 176                      &ctx, nss_ctx);
 177
 178   /* The last part is the salt string.  This must be at most 8
 179      characters and it ends at the first `$' character (for
 180      compatibility with existing implementations).  */
 181   md5_process_bytes (salt, salt_len, &ctx, nss_ctx);
 182
 183
 184   /* Compute alternate MD5 sum with input KEY, SALT, and KEY.  The
 185      final result will be added to the first context.  */
 186   md5_init_ctx (&alt_ctx, nss_alt_ctx);
 187
 188   /* Add key.  */
 189   md5_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 190
 191   /* Add salt.  */
 192   md5_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
 193
 194   /* Add key again.  */
 195   md5_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
 196
 197   /* Now get result of this (16 bytes) and add it to the other
 198      context.  */
 199   md5_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
 200
 201   /* Add for any character in the key one byte of the alternate sum.  */
 202   for (cnt = key_len; cnt > 16; cnt -= 16)
 203     md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
 204   md5_process_bytes (alt_result, cnt, &ctx, nss_ctx);
 205
 206   /* For the following code we need a NUL byte.  */
 207   *alt_result = '\0';
 208
 209   /* The original implementation now does something weird: for every 1
 210      bit in the key the first 0 is added to the buffer, for every 0
 211      bit the first character of the key.  This does not seem to be
 212      what was intended but we have to follow this to be compatible.  */
 213   for (cnt = key_len; cnt > 0; cnt >>= 1)
 214     md5_process_bytes ((cnt & 1) != 0
 215                        ? (const void *) alt_result : (const void *) key, 1,
 216                        &ctx, nss_ctx);
 217
 218   /* Create intermediate result.  */
 219   md5_finish_ctx (&ctx, nss_ctx, alt_result);
 220
 221   /* Now comes another weirdness.  In fear of password crackers here
 222      comes a quite long loop which just processes the output of the
 223      previous round again.  We cannot ignore this here.  */
 224   for (cnt = 0; cnt < 1000; ++cnt)
 225     {
 226       /* New context.  */
 227       md5_init_ctx (&ctx, nss_ctx);
 228
 229       /* Add key or last result.  */
 230       if ((cnt & 1) != 0)
 231         md5_process_bytes (key, key_len, &ctx, nss_ctx);
 232       else
 233         md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
 234
 235       /* Add salt for numbers not divisible by 3.  */
 236       if (cnt % 3 != 0)
 237         md5_process_bytes (salt, salt_len, &ctx, nss_ctx);
 238
 239       /* Add key for numbers not divisible by 7.  */
 240       if (cnt % 7 != 0)
 241         md5_process_bytes (key, key_len, &ctx, nss_ctx);
 242
 243       /* Add key or last result.  */
 244       if ((cnt & 1) != 0)
 245         md5_process_bytes (alt_result, 16, &ctx, nss_ctx);
 246       else
 247         md5_process_bytes (key, key_len, &ctx, nss_ctx);
 248
 249       /* Create intermediate result.  */
 250       md5_finish_ctx (&ctx, nss_ctx, alt_result);
 251     }
 252
 253 #ifdef USE_NSS
 254   /* Free libfreebl3 resources. */
 255   NSSLOW_Shutdown (nss_ictx);
 256 #endif
 257
 258   /* Now we can construct the result string.  It consists of three
 259      parts.  */
 260   cp = __stpncpy (buffer, md5_salt_prefix, MAX (0, buflen));
 261   buflen -= sizeof (md5_salt_prefix) - 1;
 262
 263   cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 264   buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 265
 266   if (buflen > 0)
 267     {
 268       *cp++ = '$';
 269       --buflen;
 270     }
 271
 272   void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
 273                        int n)
 274   {
 275     unsigned int w = (b2 << 16) | (b1 << 8) | b0;
 276     while (n-- > 0 && buflen > 0)
 277       {
 278         *cp++ = b64t[w & 0x3f];
 279         --buflen;
 280         w >>= 6;
 281       }
 282   }
 283
 284   b64_from_24bit (alt_result[0], alt_result[6], alt_result[12], 4);
 285   b64_from_24bit (alt_result[1], alt_result[7], alt_result[13], 4);
 286   b64_from_24bit (alt_result[2], alt_result[8], alt_result[14], 4);
 287   b64_from_24bit (alt_result[3], alt_result[9], alt_result[15], 4);
 288   b64_from_24bit (alt_result[4], alt_result[10], alt_result[5], 4);
 289   b64_from_24bit (0, 0, alt_result[11], 2);
 290   if (buflen <= 0)
 291     {
 292       __set_errno (ERANGE);
 293       buffer = NULL;
 294     }
 295   else
 296     *cp = '\0';         /* Terminate the string.  */
 297
 298   /* Clear the buffer for the intermediate result so that people
 299      attaching to processes or reading core dumps cannot get any
 300      information.  We do it in this way to clear correct_words[]
 301      inside the MD5 implementation as well.  */
 302 #ifndef USE_NSS
 303   __md5_init_ctx (&ctx);
 304   __md5_finish_ctx (&ctx, alt_result);
 305   memset (&ctx, '\0', sizeof (ctx));
 306   memset (&alt_ctx, '\0', sizeof (alt_ctx));
 307 #endif
 308   if (copied_key != NULL)
 309     memset (copied_key, '\0', key_len);
 310   if (copied_salt != NULL)
 311     memset (copied_salt, '\0', salt_len);
 312
 313   free (free_key);
 314   return buffer;
 315 }
 316
 317 #ifndef _LIBC
 318 # define libc_freeres_ptr(decl) decl
 319 #endif
 320 libc_freeres_ptr (static char *buffer);
 321
 322 char *
 323 __md5_crypt (const char *key, const char *salt)
 324 {
 325   /* We don't want to have an arbitrary limit in the size of the
 326      password.  We can compute the size of the result in advance and
 327      so we can prepare the buffer we pass to `md5_crypt_r'.  */
 328   static int buflen;
 329   int needed = 3 + strlen (salt) + 1 + 26 + 1;
 330
 331   if (buflen < needed)
 332     {
 333       char *new_buffer = (char *) realloc (buffer, needed);
 334       if (new_buffer == NULL)
 335         return NULL;
 336
 337       buffer = new_buffer;
 338       buflen = needed;
 339     }
 340
 341   return __md5_crypt_r (key, salt, buffer, buflen);
 342 }
 343
 344 #ifndef _LIBC
 345 static void
 346 __attribute__ ((__destructor__))
 347 free_mem (void)
 348 {
 349   free (buffer);
 350 }
 351 #endif