search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix assertion in palloc and pvalloc as well.
[glibc.git] / crypt / sha512-crypt.c
blob523659e0cc5c397e6d33661b16ec2a4a72d057a0
1 /* One way encryption based on SHA512 sum.
2 Copyright (C) 2007, 2009 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 02111-1307 USA. */
20
21 #include <assert.h>
22 #include <errno.h>
23 #include <stdbool.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <sys/param.h>
27
28 #include "sha512.h"
29
30
31 #ifdef USE_NSS
32 typedef int PRBool;
33 # include <hasht.h>
34 # include <nsslowhash.h>
35
36 # define sha512_init_ctx(ctxp, nss_ctxp) \
37 do \
38 { \
39 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512)) \
40 == NULL)) \
41 { \
42 if (nss_ctx != NULL) \
43 NSSLOWHASH_Destroy (nss_ctx); \
44 if (nss_alt_ctx != NULL) \
45 NSSLOWHASH_Destroy (nss_alt_ctx); \
46 return NULL; \
47 } \
48 NSSLOWHASH_Begin (nss_ctxp); \
49 } \
50 while (0)
51
52 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
53 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
54
55 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
56 do \
57 { \
58 unsigned int ret; \
59 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
60 assert (ret == sizeof (result)); \
61 NSSLOWHASH_Destroy (nss_ctxp); \
62 nss_ctxp = NULL; \
63 } \
64 while (0)
65 #else
66 # define sha512_init_ctx(ctxp, nss_ctxp) \
67 __sha512_init_ctx (ctxp)
68
69 # define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
70 __sha512_process_bytes(buf, len, ctxp)
71
72 # define sha512_finish_ctx(ctxp, nss_ctxp, result) \
73 __sha512_finish_ctx (ctxp, result)
74 #endif
75
76
77 /* Define our magic string to mark salt for SHA512 "encryption"
78 replacement. */
79 static const char sha512_salt_prefix[] = "$6$";
80
81 /* Prefix for optional rounds specification. */
82 static const char sha512_rounds_prefix[] = "rounds=";
83
84 /* Maximum salt string length. */
85 #define SALT_LEN_MAX 16
86 /* Default number of rounds if not explicitly specified. */
87 #define ROUNDS_DEFAULT 5000
88 /* Minimum number of rounds. */
89 #define ROUNDS_MIN 1000
90 /* Maximum number of rounds. */
91 #define ROUNDS_MAX 999999999
92
93 /* Table with characters for base64 transformation. */
94 static const char b64t[64] =
95 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
96
97
98 /* Prototypes for local functions. */
99 extern char *__sha512_crypt_r (const char *key, const char *salt,
100 char *buffer, int buflen);
101 extern char *__sha512_crypt (const char *key, const char *salt);
102
103
104 char *
105 __sha512_crypt_r (key, salt, buffer, buflen)
106 const char *key;
107 const char *salt;
108 char *buffer;
109 int buflen;
110 {
111 unsigned char alt_result[64]
112 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
113 unsigned char temp_result[64]
114 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
115 size_t salt_len;
116 size_t key_len;
117 size_t cnt;
118 char *cp;
119 char *copied_key = NULL;
120 char *copied_salt = NULL;
121 char *p_bytes;
122 char *s_bytes;
123 /* Default number of rounds. */
124 size_t rounds = ROUNDS_DEFAULT;
125 bool rounds_custom = false;
126
127 /* Find beginning of salt string. The prefix should normally always
128 be present. Just in case it is not. */
129 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
130 /* Skip salt prefix. */
131 salt += sizeof (sha512_salt_prefix) - 1;
132
133 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
134 == 0)
135 {
136 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
137 char *endp;
138 unsigned long int srounds = strtoul (num, &endp, 10);
139 if (*endp == '$')
140 {
141 salt = endp + 1;
142 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
143 rounds_custom = true;
144 }
145 }
146
147 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
148 key_len = strlen (key);
149
150 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
151 {
152 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
153 key = copied_key =
154 memcpy (tmp + __alignof__ (uint64_t)
155 - (tmp - (char *) 0) % __alignof__ (uint64_t),
156 key, key_len);
157 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
158 }
159
160 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
161 {
162 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
163 salt = copied_salt =
164 memcpy (tmp + __alignof__ (uint64_t)
165 - (tmp - (char *) 0) % __alignof__ (uint64_t),
166 salt, salt_len);
167 assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
168 }
169
170 #ifdef USE_NSS
171 /* Initialize libfreebl3. */
172 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
173 if (nss_ictx == NULL)
174 return NULL;
175 NSSLOWHASHContext *nss_ctx = NULL;
176 NSSLOWHASHContext *nss_alt_ctx = NULL;
177 #else
178 struct sha512_ctx ctx;
179 struct sha512_ctx alt_ctx;
180 #endif
181
182 /* Prepare for the real work. */
183 sha512_init_ctx (&ctx, nss_ctx);
184
185 /* Add the key string. */
186 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
187
188 /* The last part is the salt string. This must be at most 16
189 characters and it ends at the first `$' character. */
190 sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);
191
192
193 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
194 final result will be added to the first context. */
195 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
196
197 /* Add key. */
198 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
199
200 /* Add salt. */
201 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
202
203 /* Add key again. */
204 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
205
206 /* Now get result of this (64 bytes) and add it to the other
207 context. */
208 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
209
210 /* Add for any character in the key one byte of the alternate sum. */
211 for (cnt = key_len; cnt > 64; cnt -= 64)
212 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
213 sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);
214
215 /* Take the binary representation of the length of the key and for every
216 1 add the alternate sum, for every 0 the key. */
217 for (cnt = key_len; cnt > 0; cnt >>= 1)
218 if ((cnt & 1) != 0)
219 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
220 else
221 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
222
223 /* Create intermediate result. */
224 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
225
226 /* Start computation of P byte sequence. */
227 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
228
229 /* For every character in the password add the entire password. */
230 for (cnt = 0; cnt < key_len; ++cnt)
231 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
232
233 /* Finish the digest. */
234 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
235
236 /* Create byte sequence P. */
237 cp = p_bytes = alloca (key_len);
238 for (cnt = key_len; cnt >= 64; cnt -= 64)
239 cp = mempcpy (cp, temp_result, 64);
240 memcpy (cp, temp_result, cnt);
241
242 /* Start computation of S byte sequence. */
243 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
244
245 /* For every character in the password add the entire password. */
246 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
247 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
248
249 /* Finish the digest. */
250 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
251
252 /* Create byte sequence S. */
253 cp = s_bytes = alloca (salt_len);
254 for (cnt = salt_len; cnt >= 64; cnt -= 64)
255 cp = mempcpy (cp, temp_result, 64);
256 memcpy (cp, temp_result, cnt);
257
258 /* Repeatedly run the collected hash value through SHA512 to burn
259 CPU cycles. */
260 for (cnt = 0; cnt < rounds; ++cnt)
261 {
262 /* New context. */
263 sha512_init_ctx (&ctx, nss_ctx);
264
265 /* Add key or last result. */
266 if ((cnt & 1) != 0)
267 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
268 else
269 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
270
271 /* Add salt for numbers not divisible by 3. */
272 if (cnt % 3 != 0)
273 sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
274
275 /* Add key for numbers not divisible by 7. */
276 if (cnt % 7 != 0)
277 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
278
279 /* Add key or last result. */
280 if ((cnt & 1) != 0)
281 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
282 else
283 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
284
285 /* Create intermediate result. */
286 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
287 }
288
289 #ifdef USE_NSS
290 /* Free libfreebl3 resources. */
291 NSSLOW_Shutdown (nss_ictx);
292 #endif
293
294 /* Now we can construct the result string. It consists of three
295 parts. */
296 cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
297 buflen -= sizeof (sha512_salt_prefix) - 1;
298
299 if (rounds_custom)
300 {
301 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
302 sha512_rounds_prefix, rounds);
303 cp += n;
304 buflen -= n;
305 }
306
307 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
308 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
309
310 if (buflen > 0)
311 {
312 *cp++ = '$';
313 --buflen;
314 }
315
316 void b64_from_24bit (unsigned int b2, unsigned int b1, unsigned int b0,
317 int n)
318 {
319 unsigned int w = (b2 << 16) | (b1 << 8) | b0;
320 while (n-- > 0 && buflen > 0)
321 {
322 *cp++ = b64t[w & 0x3f];
323 --buflen;
324 w >>= 6;
325 }
326 }
327
328 b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
329 b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
330 b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
331 b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
332 b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
333 b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
334 b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
335 b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
336 b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
337 b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
338 b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
339 b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
340 b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
341 b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
342 b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
343 b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
344 b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
345 b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
346 b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
347 b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
348 b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
349 b64_from_24bit (0, 0, alt_result[63], 2);
350
351 if (buflen <= 0)
352 {
353 __set_errno (ERANGE);
354 buffer = NULL;
355 }
356 else
357 *cp = '\0'; /* Terminate the string. */
358
359 /* Clear the buffer for the intermediate result so that people
360 attaching to processes or reading core dumps cannot get any
361 information. We do it in this way to clear correct_words[]
362 inside the SHA512 implementation as well. */
363 #ifndef USE_NSS
364 __sha512_init_ctx (&ctx);
365 __sha512_finish_ctx (&ctx, alt_result);
366 memset (&ctx, '\0', sizeof (ctx));
367 memset (&alt_ctx, '\0', sizeof (alt_ctx));
368 #endif
369 memset (temp_result, '\0', sizeof (temp_result));
370 memset (p_bytes, '\0', key_len);
371 memset (s_bytes, '\0', salt_len);
372 if (copied_key != NULL)
373 memset (copied_key, '\0', key_len);
374 if (copied_salt != NULL)
375 memset (copied_salt, '\0', salt_len);
376
377 return buffer;
378 }
379
380 #ifndef _LIBC
381 # define libc_freeres_ptr(decl) decl
382 #endif
383 libc_freeres_ptr (static char *buffer);
384
385 /* This entry point is equivalent to the `crypt' function in Unix
386 libcs. */
387 char *
388 __sha512_crypt (const char *key, const char *salt)
389 {
390 /* We don't want to have an arbitrary limit in the size of the
391 password. We can compute an upper bound for the size of the
392 result in advance and so we can prepare the buffer we pass to
393 `sha512_crypt_r'. */
394 static int buflen;
395 int needed = (sizeof (sha512_salt_prefix) - 1
396 + sizeof (sha512_rounds_prefix) + 9 + 1
397 + strlen (salt) + 1 + 86 + 1);
398
399 if (buflen < needed)
400 {
401 char *new_buffer = (char *) realloc (buffer, needed);
402 if (new_buffer == NULL)
403 return NULL;
404
405 buffer = new_buffer;
406 buflen = needed;
407 }
408
409 return __sha512_crypt_r (key, salt, buffer, buflen);
410 }
411
412 #ifndef _LIBC
413 static void
414 __attribute__ ((__destructor__))
415 free_mem (void)
416 {
417 free (buffer);
418 }
419 #endif
sources.redhat.com git mirror of glibc CVS