Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / 1207cf23f7de1fce045fbafcf0bd189d5d3e8c5c / . / ap / build / uClibc / libcrypt / sha512-crypt.c
blob: 0321be0bb8d8c79bfae1582438e0ebaf74800fb5 [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame]1/* One way encryption based on SHA512 sum.
2 Copyright (C) 2007, 2009 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, write to the Free
18 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19 02111-1307 USA. */
20
21#include <assert.h>
22#include <errno.h>
23#include <stdbool.h>
24#include <stdlib.h>
25#include <string.h>
26#include <sys/param.h>
27
28#include "sha512.h"
29#include "libcrypt.h"
30
31/* Define our magic string to mark salt for SHA512 "encryption"
32 replacement. */
33static const char sha512_salt_prefix[] = "$6$";
34
35/* Prefix for optional rounds specification. */
36static const char sha512_rounds_prefix[] = "rounds=";
37
38/* Maximum salt string length. */
39#define SALT_LEN_MAX 16
40/* Default number of rounds if not explicitly specified. */
41#define ROUNDS_DEFAULT 5000
42/* Minimum number of rounds. */
43#define ROUNDS_MIN 1000
44/* Maximum number of rounds. */
45#define ROUNDS_MAX 999999999
46
47/* Table with characters for base64 transformation. */
48static const char b64t[64] =
49"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
50
51#define B64_FROM_24BIT(b2, b1, b0, steps) \
52 { \
53 int n = (steps); \
54 unsigned int w = ((b2) << 16) | ((b1) << 8) | (b0); \
55 while (n-- > 0 && buflen > 0) \
56 { \
57 *cp++ = b64t[w & 0x3f]; \
58 --buflen; \
59 w >>= 6; \
60 } \
61 }
62
63char *
64__sha512_crypt_r (const char *key,
65 const char *salt,
66 char *buffer,
67 int buflen)
68{
69 unsigned char alt_result[64]
70 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
71 unsigned char temp_result[64]
72 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
73 size_t salt_len;
74 size_t key_len;
75 size_t cnt;
76 char *cp;
77 char *copied_key = NULL;
78 char *copied_salt = NULL;
79 char *p_bytes;
80 char *s_bytes;
81 /* Default number of rounds. */
82 size_t rounds = ROUNDS_DEFAULT;
83 bool rounds_custom = false;
84
85 /* Find beginning of salt string. The prefix should normally always
86 be present. Just in case it is not. */
87 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
88 /* Skip salt prefix. */
89 salt += sizeof (sha512_salt_prefix) - 1;
90
91 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
92 == 0)
93 {
94 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
95 char *endp;
96 unsigned long int srounds = strtoul (num, &endp, 10);
97 if (*endp == '$')
98 {
99 salt = endp + 1;
100 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
101 rounds_custom = true;
102 }
103 }
104
105 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
106 key_len = strlen (key);
107
108 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
109 {
110 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
111 key = copied_key =
112 memcpy (tmp + __alignof__ (uint64_t)
113 - (tmp - (char *) 0) % __alignof__ (uint64_t),
114 key, key_len);
115 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
116 }
117
118 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
119 {
120 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
121 salt = copied_salt =
122 memcpy (tmp + __alignof__ (uint64_t)
123 - (tmp - (char *) 0) % __alignof__ (uint64_t),
124 salt, salt_len);
125 assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
126 }
127
128 struct sha512_ctx ctx;
129 struct sha512_ctx alt_ctx;
130
131 /* Prepare for the real work. */
132 __sha512_init_ctx (&ctx);
133
134 /* Add the key string. */
135 __sha512_process_bytes (key, key_len, &ctx);
136
137 /* The last part is the salt string. This must be at most 16
138 characters and it ends at the first `$' character. */
139 __sha512_process_bytes (salt, salt_len, &ctx);
140
141
142 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
143 final result will be added to the first context. */
144 __sha512_init_ctx (&alt_ctx);
145
146 /* Add key. */
147 __sha512_process_bytes (key, key_len, &alt_ctx);
148
149 /* Add salt. */
150 __sha512_process_bytes (salt, salt_len, &alt_ctx);
151
152 /* Add key again. */
153 __sha512_process_bytes (key, key_len, &alt_ctx);
154
155 /* Now get result of this (64 bytes) and add it to the other
156 context. */
157 __sha512_finish_ctx (&alt_ctx, alt_result);
158
159 /* Add for any character in the key one byte of the alternate sum. */
160 for (cnt = key_len; cnt > 64; cnt -= 64)
161 __sha512_process_bytes (alt_result, 64, &ctx);
162
163 __sha512_process_bytes (alt_result, cnt, &ctx);
164
165 /* Take the binary representation of the length of the key and for every
166 1 add the alternate sum, for every 0 the key. */
167 for (cnt = key_len; cnt > 0; cnt >>= 1)
168 if ((cnt & 1) != 0)
169 __sha512_process_bytes (alt_result, 64, &ctx);
170 else
171 __sha512_process_bytes (key, key_len, &ctx);
172
173 /* Create intermediate result. */
174 __sha512_finish_ctx (&ctx, alt_result);
175
176 /* Start computation of P byte sequence. */
177 __sha512_init_ctx (&alt_ctx);
178
179 /* For every character in the password add the entire password. */
180 for (cnt = 0; cnt < key_len; ++cnt)
181 __sha512_process_bytes (key, key_len, &alt_ctx);
182
183 /* Finish the digest. */
184 __sha512_finish_ctx (&alt_ctx, temp_result);
185
186 /* Create byte sequence P. */
187 cp = p_bytes = alloca (key_len);
188 for (cnt = key_len; cnt >= 64; cnt -= 64)
189 cp = mempcpy (cp, temp_result, 64);
190 memcpy (cp, temp_result, cnt);
191
192 /* Start computation of S byte sequence. */
193 __sha512_init_ctx (&alt_ctx);
194
195 /* For every character in the password add the entire password. */
196 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
197 __sha512_process_bytes (salt, salt_len, &alt_ctx);
198
199 /* Finish the digest. */
200 __sha512_finish_ctx (&alt_ctx, temp_result);
201
202 /* Create byte sequence S. */
203 cp = s_bytes = alloca (salt_len);
204 for (cnt = salt_len; cnt >= 64; cnt -= 64)
205 cp = mempcpy (cp, temp_result, 64);
206 memcpy (cp, temp_result, cnt);
207
208 /* Repeatedly run the collected hash value through SHA512 to burn
209 CPU cycles. */
210 for (cnt = 0; cnt < rounds; ++cnt)
211 {
212 /* New context. */
213 __sha512_init_ctx (&ctx);
214
215 /* Add key or last result. */
216 if ((cnt & 1) != 0)
217 __sha512_process_bytes (p_bytes, key_len, &ctx);
218 else
219 __sha512_process_bytes (alt_result, 64, &ctx);
220
221 /* Add salt for numbers not divisible by 3. */
222 if (cnt % 3 != 0)
223 __sha512_process_bytes (s_bytes, salt_len, &ctx);
224
225 /* Add key for numbers not divisible by 7. */
226 if (cnt % 7 != 0)
227 __sha512_process_bytes (p_bytes, key_len, &ctx);
228
229 /* Add key or last result. */
230 if ((cnt & 1) != 0)
231 __sha512_process_bytes (alt_result, 64, &ctx);
232 else
233 __sha512_process_bytes (p_bytes, key_len, &ctx);
234
235 /* Create intermediate result. */
236 __sha512_finish_ctx (&ctx, alt_result);
237 }
238
239 /* Now we can construct the result string. It consists of three
240 parts. */
241 cp = stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
242 buflen -= sizeof (sha512_salt_prefix) - 1;
243
244 if (rounds_custom)
245 {
246 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
247 sha512_rounds_prefix, rounds);
248 cp += n;
249 buflen -= n;
250 }
251
252 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
253 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
254
255 if (buflen > 0)
256 {
257 *cp++ = '$';
258 --buflen;
259 }
260
261 B64_FROM_24BIT (alt_result[0], alt_result[21], alt_result[42], 4);
262 B64_FROM_24BIT (alt_result[22], alt_result[43], alt_result[1], 4);
263 B64_FROM_24BIT (alt_result[44], alt_result[2], alt_result[23], 4);
264 B64_FROM_24BIT (alt_result[3], alt_result[24], alt_result[45], 4);
265 B64_FROM_24BIT (alt_result[25], alt_result[46], alt_result[4], 4);
266 B64_FROM_24BIT (alt_result[47], alt_result[5], alt_result[26], 4);
267 B64_FROM_24BIT (alt_result[6], alt_result[27], alt_result[48], 4);
268 B64_FROM_24BIT (alt_result[28], alt_result[49], alt_result[7], 4);
269 B64_FROM_24BIT (alt_result[50], alt_result[8], alt_result[29], 4);
270 B64_FROM_24BIT (alt_result[9], alt_result[30], alt_result[51], 4);
271 B64_FROM_24BIT (alt_result[31], alt_result[52], alt_result[10], 4);
272 B64_FROM_24BIT (alt_result[53], alt_result[11], alt_result[32], 4);
273 B64_FROM_24BIT (alt_result[12], alt_result[33], alt_result[54], 4);
274 B64_FROM_24BIT (alt_result[34], alt_result[55], alt_result[13], 4);
275 B64_FROM_24BIT (alt_result[56], alt_result[14], alt_result[35], 4);
276 B64_FROM_24BIT (alt_result[15], alt_result[36], alt_result[57], 4);
277 B64_FROM_24BIT (alt_result[37], alt_result[58], alt_result[16], 4);
278 B64_FROM_24BIT (alt_result[59], alt_result[17], alt_result[38], 4);
279 B64_FROM_24BIT (alt_result[18], alt_result[39], alt_result[60], 4);
280 B64_FROM_24BIT (alt_result[40], alt_result[61], alt_result[19], 4);
281 B64_FROM_24BIT (alt_result[62], alt_result[20], alt_result[41], 4);
282 B64_FROM_24BIT (0, 0, alt_result[63], 2);
283
284 if (buflen <= 0)
285 {
286 __set_errno (ERANGE);
287 buffer = NULL;
288 }
289 else
290 *cp = '\0'; /* Terminate the string. */
291
292 /* Clear the buffer for the intermediate result so that people
293 attaching to processes or reading core dumps cannot get any
294 information. We do it in this way to clear correct_words[]
295 inside the SHA512 implementation as well. */
296 __sha512_init_ctx (&ctx);
297 __sha512_finish_ctx (&ctx, alt_result);
298 memset (&ctx, '\0', sizeof (ctx));
299 memset (&alt_ctx, '\0', sizeof (alt_ctx));
300
301 memset (temp_result, '\0', sizeof (temp_result));
302 memset (p_bytes, '\0', key_len);
303 memset (s_bytes, '\0', salt_len);
304 if (copied_key != NULL)
305 memset (copied_key, '\0', key_len);
306 if (copied_salt != NULL)
307 memset (copied_salt, '\0', salt_len);
308
309 return buffer;
310}
311
312static char *buffer;
313
314/* This entry point is equivalent to the `crypt' function in Unix
315 libcs. */
316char *
317__sha512_crypt (const unsigned char *key, const unsigned char *salt)
318{
319 /* We don't want to have an arbitrary limit in the size of the
320 password. We can compute an upper bound for the size of the
321 result in advance and so we can prepare the buffer we pass to
322 `sha512_crypt_r'. */
323 static int buflen;
324 int needed = (sizeof (sha512_salt_prefix) - 1
325 + sizeof (sha512_rounds_prefix) + 9 + 1
326 + strlen (salt) + 1 + 86 + 1);
327
328 if (buflen < needed)
329 {
330 char *new_buffer = (char *) realloc (buffer, needed);
331 if (new_buffer == NULL)
332 return NULL;
333
334 buffer = new_buffer;
335 buflen = needed;
336 }
337
338 return __sha512_crypt_r ((const char *) key, (const char *) salt, buffer, buflen);
339}