Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / 9ed821d7e5d875a3395740a9cc2545671fa429b7 / . / ap / libc / glibc / glibc-2.22 / crypt / sha256-crypt.c
blob: d90e291aa76a08d2ab4c6c4552618a8b51c8078e [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame^]1/* One way encryption based on SHA256 sum.
2 Copyright (C) 2007-2015 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
19
20#include <assert.h>
21#include <errno.h>
22#include <stdbool.h>
23#include <stdlib.h>
24#include <string.h>
25#include <stdint.h>
26#include <sys/param.h>
27
28#include "sha256.h"
29#include "crypt-private.h"
30
31
32#ifdef USE_NSS
33typedef int PRBool;
34# include <hasht.h>
35# include <nsslowhash.h>
36
37# define sha256_init_ctx(ctxp, nss_ctxp) \
38 do \
39 { \
40 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
41 == NULL)) \
42 { \
43 if (nss_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_ctx); \
45 if (nss_alt_ctx != NULL) \
46 NSSLOWHASH_Destroy (nss_alt_ctx); \
47 return NULL; \
48 } \
49 NSSLOWHASH_Begin (nss_ctxp); \
50 } \
51 while (0)
52
53# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
54 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
55
56# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
57 do \
58 { \
59 unsigned int ret; \
60 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
61 assert (ret == sizeof (result)); \
62 NSSLOWHASH_Destroy (nss_ctxp); \
63 nss_ctxp = NULL; \
64 } \
65 while (0)
66#else
67# define sha256_init_ctx(ctxp, nss_ctxp) \
68 __sha256_init_ctx (ctxp)
69
70# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
71 __sha256_process_bytes(buf, len, ctxp)
72
73# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
74 __sha256_finish_ctx (ctxp, result)
75#endif
76
77
78/* Define our magic string to mark salt for SHA256 "encryption"
79 replacement. */
80static const char sha256_salt_prefix[] = "$5$";
81
82/* Prefix for optional rounds specification. */
83static const char sha256_rounds_prefix[] = "rounds=";
84
85/* Maximum salt string length. */
86#define SALT_LEN_MAX 16
87/* Default number of rounds if not explicitly specified. */
88#define ROUNDS_DEFAULT 5000
89/* Minimum number of rounds. */
90#define ROUNDS_MIN 1000
91/* Maximum number of rounds. */
92#define ROUNDS_MAX 999999999
93
94
95/* Prototypes for local functions. */
96extern char *__sha256_crypt_r (const char *key, const char *salt,
97 char *buffer, int buflen);
98extern char *__sha256_crypt (const char *key, const char *salt);
99
100
101char *
102__sha256_crypt_r (key, salt, buffer, buflen)
103 const char *key;
104 const char *salt;
105 char *buffer;
106 int buflen;
107{
108 unsigned char alt_result[32]
109 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
110 unsigned char temp_result[32]
111 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
112 size_t salt_len;
113 size_t key_len;
114 size_t cnt;
115 char *cp;
116 char *copied_key = NULL;
117 char *copied_salt = NULL;
118 char *p_bytes;
119 char *s_bytes;
120 /* Default number of rounds. */
121 size_t rounds = ROUNDS_DEFAULT;
122 bool rounds_custom = false;
123 size_t alloca_used = 0;
124 char *free_key = NULL;
125 char *free_pbytes = NULL;
126
127 /* Find beginning of salt string. The prefix should normally always
128 be present. Just in case it is not. */
129 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
130 /* Skip salt prefix. */
131 salt += sizeof (sha256_salt_prefix) - 1;
132
133 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
134 == 0)
135 {
136 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
137 char *endp;
138 unsigned long int srounds = strtoul (num, &endp, 10);
139 if (*endp == '$')
140 {
141 salt = endp + 1;
142 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
143 rounds_custom = true;
144 }
145 }
146
147 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
148 key_len = strlen (key);
149
150 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
151 {
152 char *tmp;
153
154 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
155 tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
156 else
157 {
158 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
159 if (tmp == NULL)
160 return NULL;
161 }
162
163 key = copied_key =
164 memcpy (tmp + __alignof__ (uint32_t)
165 - (tmp - (char *) 0) % __alignof__ (uint32_t),
166 key, key_len);
167 assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
168 }
169
170 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
171 {
172 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
173 alloca_used += salt_len + __alignof__ (uint32_t);
174 salt = copied_salt =
175 memcpy (tmp + __alignof__ (uint32_t)
176 - (tmp - (char *) 0) % __alignof__ (uint32_t),
177 salt, salt_len);
178 assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
179 }
180
181#ifdef USE_NSS
182 /* Initialize libfreebl3. */
183 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
184 if (nss_ictx == NULL)
185 {
186 free (free_key);
187 return NULL;
188 }
189 NSSLOWHASHContext *nss_ctx = NULL;
190 NSSLOWHASHContext *nss_alt_ctx = NULL;
191#else
192 struct sha256_ctx ctx;
193 struct sha256_ctx alt_ctx;
194#endif
195
196 /* Prepare for the real work. */
197 sha256_init_ctx (&ctx, nss_ctx);
198
199 /* Add the key string. */
200 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
201
202 /* The last part is the salt string. This must be at most 16
203 characters and it ends at the first `$' character. */
204 sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
205
206
207 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
208 final result will be added to the first context. */
209 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
210
211 /* Add key. */
212 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
213
214 /* Add salt. */
215 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
216
217 /* Add key again. */
218 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
219
220 /* Now get result of this (32 bytes) and add it to the other
221 context. */
222 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
223
224 /* Add for any character in the key one byte of the alternate sum. */
225 for (cnt = key_len; cnt > 32; cnt -= 32)
226 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
227 sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
228
229 /* Take the binary representation of the length of the key and for every
230 1 add the alternate sum, for every 0 the key. */
231 for (cnt = key_len; cnt > 0; cnt >>= 1)
232 if ((cnt & 1) != 0)
233 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
234 else
235 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
236
237 /* Create intermediate result. */
238 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
239
240 /* Start computation of P byte sequence. */
241 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
242
243 /* For every character in the password add the entire password. */
244 for (cnt = 0; cnt < key_len; ++cnt)
245 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
246
247 /* Finish the digest. */
248 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
249
250 /* Create byte sequence P. */
251 if (__libc_use_alloca (alloca_used + key_len))
252 cp = p_bytes = (char *) alloca (key_len);
253 else
254 {
255 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
256 if (free_pbytes == NULL)
257 {
258 free (free_key);
259 return NULL;
260 }
261 }
262
263 for (cnt = key_len; cnt >= 32; cnt -= 32)
264 cp = mempcpy (cp, temp_result, 32);
265 memcpy (cp, temp_result, cnt);
266
267 /* Start computation of S byte sequence. */
268 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
269
270 /* For every character in the password add the entire password. */
271 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
272 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
273
274 /* Finish the digest. */
275 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
276
277 /* Create byte sequence S. */
278 cp = s_bytes = alloca (salt_len);
279 for (cnt = salt_len; cnt >= 32; cnt -= 32)
280 cp = mempcpy (cp, temp_result, 32);
281 memcpy (cp, temp_result, cnt);
282
283 /* Repeatedly run the collected hash value through SHA256 to burn
284 CPU cycles. */
285 for (cnt = 0; cnt < rounds; ++cnt)
286 {
287 /* New context. */
288 sha256_init_ctx (&ctx, nss_ctx);
289
290 /* Add key or last result. */
291 if ((cnt & 1) != 0)
292 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
293 else
294 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
295
296 /* Add salt for numbers not divisible by 3. */
297 if (cnt % 3 != 0)
298 sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
299
300 /* Add key for numbers not divisible by 7. */
301 if (cnt % 7 != 0)
302 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
303
304 /* Add key or last result. */
305 if ((cnt & 1) != 0)
306 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
307 else
308 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
309
310 /* Create intermediate result. */
311 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
312 }
313
314#ifdef USE_NSS
315 /* Free libfreebl3 resources. */
316 NSSLOW_Shutdown (nss_ictx);
317#endif
318
319 /* Now we can construct the result string. It consists of three
320 parts. */
321 cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
322 buflen -= sizeof (sha256_salt_prefix) - 1;
323
324 if (rounds_custom)
325 {
326 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
327 sha256_rounds_prefix, rounds);
328 cp += n;
329 buflen -= n;
330 }
331
332 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
333 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
334
335 if (buflen > 0)
336 {
337 *cp++ = '$';
338 --buflen;
339 }
340
341 __b64_from_24bit (&cp, &buflen,
342 alt_result[0], alt_result[10], alt_result[20], 4);
343 __b64_from_24bit (&cp, &buflen,
344 alt_result[21], alt_result[1], alt_result[11], 4);
345 __b64_from_24bit (&cp, &buflen,
346 alt_result[12], alt_result[22], alt_result[2], 4);
347 __b64_from_24bit (&cp, &buflen,
348 alt_result[3], alt_result[13], alt_result[23], 4);
349 __b64_from_24bit (&cp, &buflen,
350 alt_result[24], alt_result[4], alt_result[14], 4);
351 __b64_from_24bit (&cp, &buflen,
352 alt_result[15], alt_result[25], alt_result[5], 4);
353 __b64_from_24bit (&cp, &buflen,
354 alt_result[6], alt_result[16], alt_result[26], 4);
355 __b64_from_24bit (&cp, &buflen,
356 alt_result[27], alt_result[7], alt_result[17], 4);
357 __b64_from_24bit (&cp, &buflen,
358 alt_result[18], alt_result[28], alt_result[8], 4);
359 __b64_from_24bit (&cp, &buflen,
360 alt_result[9], alt_result[19], alt_result[29], 4);
361 __b64_from_24bit (&cp, &buflen,
362 0, alt_result[31], alt_result[30], 3);
363 if (buflen <= 0)
364 {
365 __set_errno (ERANGE);
366 buffer = NULL;
367 }
368 else
369 *cp = '\0'; /* Terminate the string. */
370
371 /* Clear the buffer for the intermediate result so that people
372 attaching to processes or reading core dumps cannot get any
373 information. We do it in this way to clear correct_words[]
374 inside the SHA256 implementation as well. */
375#ifndef USE_NSS
376 __sha256_init_ctx (&ctx);
377 __sha256_finish_ctx (&ctx, alt_result);
378 memset (&ctx, '\0', sizeof (ctx));
379 memset (&alt_ctx, '\0', sizeof (alt_ctx));
380#endif
381 memset (temp_result, '\0', sizeof (temp_result));
382 memset (p_bytes, '\0', key_len);
383 memset (s_bytes, '\0', salt_len);
384 if (copied_key != NULL)
385 memset (copied_key, '\0', key_len);
386 if (copied_salt != NULL)
387 memset (copied_salt, '\0', salt_len);
388
389 free (free_key);
390 free (free_pbytes);
391 return buffer;
392}
393
394#ifndef _LIBC
395# define libc_freeres_ptr(decl) decl
396#endif
397libc_freeres_ptr (static char *buffer);
398
399/* This entry point is equivalent to the `crypt' function in Unix
400 libcs. */
401char *
402__sha256_crypt (const char *key, const char *salt)
403{
404 /* We don't want to have an arbitrary limit in the size of the
405 password. We can compute an upper bound for the size of the
406 result in advance and so we can prepare the buffer we pass to
407 `sha256_crypt_r'. */
408 static int buflen;
409 int needed = (sizeof (sha256_salt_prefix) - 1
410 + sizeof (sha256_rounds_prefix) + 9 + 1
411 + strlen (salt) + 1 + 43 + 1);
412
413 if (buflen < needed)
414 {
415 char *new_buffer = (char *) realloc (buffer, needed);
416 if (new_buffer == NULL)
417 return NULL;
418
419 buffer = new_buffer;
420 buflen = needed;
421 }
422
423 return __sha256_crypt_r (key, salt, buffer, buflen);
424}
425
426#ifndef _LIBC
427static void
428__attribute__ ((__destructor__))
429free_mem (void)
430{
431 free (buffer);
432}
433#endif