1/* One way encryption based on SHA512 sum.
2 Copyright (C) 2007-2021 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <https://www.gnu.org/licenses/>. */
19
20#include <assert.h>
21#include <errno.h>
22#include <stdbool.h>
23#include <stdlib.h>
24#include <string.h>
25#include <stdint.h>
26#include <sys/param.h>
27
28#include "sha512.h"
29#include "crypt-private.h"
30
31
32#ifdef USE_NSS
33typedef int PRBool;
34# include <hasht.h>
35# include <nsslowhash.h>
36
37# define sha512_init_ctx(ctxp, nss_ctxp) \
38 do \
39 { \
40 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA512)) \
41 == NULL)) \
42 { \
43 if (nss_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_ctx); \
45 if (nss_alt_ctx != NULL) \
46 NSSLOWHASH_Destroy (nss_alt_ctx); \
47 return NULL; \
48 } \
49 NSSLOWHASH_Begin (nss_ctxp); \
50 } \
51 while (0)
52
53# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
54 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
55
56# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
57 do \
58 { \
59 unsigned int ret; \
60 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
61 assert (ret == sizeof (result)); \
62 NSSLOWHASH_Destroy (nss_ctxp); \
63 nss_ctxp = NULL; \
64 } \
65 while (0)
66#else
67# define sha512_init_ctx(ctxp, nss_ctxp) \
68 __sha512_init_ctx (ctxp)
69
70# define sha512_process_bytes(buf, len, ctxp, nss_ctxp) \
71 __sha512_process_bytes(buf, len, ctxp)
72
73# define sha512_finish_ctx(ctxp, nss_ctxp, result) \
74 __sha512_finish_ctx (ctxp, result)
75#endif
76
77
78/* Define our magic string to mark salt for SHA512 "encryption"
79 replacement. */
80static const char sha512_salt_prefix[] = "$6$";
81
82/* Prefix for optional rounds specification. */
83static const char sha512_rounds_prefix[] = "rounds=";
84
85/* Maximum salt string length. */
86#define SALT_LEN_MAX 16
87/* Default number of rounds if not explicitly specified. */
88#define ROUNDS_DEFAULT 5000
89/* Minimum number of rounds. */
90#define ROUNDS_MIN 1000
91/* Maximum number of rounds. */
92#define ROUNDS_MAX 999999999
93
94
95/* Prototypes for local functions. */
96extern char *__sha512_crypt_r (const char *key, const char *salt,
97 char *buffer, int buflen);
98extern char *__sha512_crypt (const char *key, const char *salt);
99
100
101char *
102__sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
103{
104 unsigned char alt_result[64]
105 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
106 unsigned char temp_result[64]
107 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
108 size_t salt_len;
109 size_t key_len;
110 size_t cnt;
111 char *cp;
112 char *copied_key = NULL;
113 char *copied_salt = NULL;
114 char *p_bytes;
115 char *s_bytes;
116 /* Default number of rounds. */
117 size_t rounds = ROUNDS_DEFAULT;
118 bool rounds_custom = false;
119 size_t alloca_used = 0;
120 char *free_key = NULL;
121 char *free_pbytes = NULL;
122
123 /* Find beginning of salt string. The prefix should normally always
124 be present. Just in case it is not. */
125 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
126 /* Skip salt prefix. */
127 salt += sizeof (sha512_salt_prefix) - 1;
128
129 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
130 == 0)
131 {
132 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
133 char *endp;
134 unsigned long int srounds = strtoul (num, &endp, 10);
135 if (*endp == '$')
136 {
137 salt = endp + 1;
138 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
139 rounds_custom = true;
140 }
141 }
142
143 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
144 key_len = strlen (key);
145
146 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
147 {
148 char *tmp;
149
150 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint64_t)))
151 tmp = alloca_account (key_len + __alignof__ (uint64_t), alloca_used);
152 else
153 {
154 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint64_t));
155 if (tmp == NULL)
156 return NULL;
157 }
158
159 key = copied_key =
160 memcpy (tmp + __alignof__ (uint64_t)
161 - (tmp - (char *) 0) % __alignof__ (uint64_t),
162 key, key_len);
163 assert ((key - (char *) 0) % __alignof__ (uint64_t) == 0);
164 }
165
166 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
167 {
168 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
169 salt = copied_salt =
170 memcpy (tmp + __alignof__ (uint64_t)
171 - (tmp - (char *) 0) % __alignof__ (uint64_t),
172 salt, salt_len);
173 assert ((salt - (char *) 0) % __alignof__ (uint64_t) == 0);
174 }
175
176#ifdef USE_NSS
177 /* Initialize libfreebl3. */
178 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
179 if (nss_ictx == NULL)
180 {
181 free (free_key);
182 return NULL;
183 }
184 NSSLOWHASHContext *nss_ctx = NULL;
185 NSSLOWHASHContext *nss_alt_ctx = NULL;
186#else
187 struct sha512_ctx ctx;
188 struct sha512_ctx alt_ctx;
189#endif
190
191 /* Prepare for the real work. */
192 sha512_init_ctx (&ctx, nss_ctx);
193
194 /* Add the key string. */
195 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
196
197 /* The last part is the salt string. This must be at most 16
198 characters and it ends at the first `$' character. */
199 sha512_process_bytes (salt, salt_len, &ctx, nss_ctx);
200
201
202 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
203 final result will be added to the first context. */
204 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
205
206 /* Add key. */
207 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
208
209 /* Add salt. */
210 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
211
212 /* Add key again. */
213 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
214
215 /* Now get result of this (64 bytes) and add it to the other
216 context. */
217 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
218
219 /* Add for any character in the key one byte of the alternate sum. */
220 for (cnt = key_len; cnt > 64; cnt -= 64)
221 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
222 sha512_process_bytes (alt_result, cnt, &ctx, nss_ctx);
223
224 /* Take the binary representation of the length of the key and for every
225 1 add the alternate sum, for every 0 the key. */
226 for (cnt = key_len; cnt > 0; cnt >>= 1)
227 if ((cnt & 1) != 0)
228 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
229 else
230 sha512_process_bytes (key, key_len, &ctx, nss_ctx);
231
232 /* Create intermediate result. */
233 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
234
235 /* Start computation of P byte sequence. */
236 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
237
238 /* For every character in the password add the entire password. */
239 for (cnt = 0; cnt < key_len; ++cnt)
240 sha512_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
241
242 /* Finish the digest. */
243 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
244
245 /* Create byte sequence P. */
246 if (__libc_use_alloca (alloca_used + key_len))
247 cp = p_bytes = (char *) alloca (key_len);
248 else
249 {
250 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
251 if (free_pbytes == NULL)
252 {
253 free (free_key);
254 return NULL;
255 }
256 }
257
258 for (cnt = key_len; cnt >= 64; cnt -= 64)
259 cp = mempcpy (cp, temp_result, 64);
260 memcpy (cp, temp_result, cnt);
261
262 /* Start computation of S byte sequence. */
263 sha512_init_ctx (&alt_ctx, nss_alt_ctx);
264
265 /* For every character in the password add the entire password. */
266 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
267 sha512_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
268
269 /* Finish the digest. */
270 sha512_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
271
272 /* Create byte sequence S. */
273 cp = s_bytes = alloca (salt_len);
274 for (cnt = salt_len; cnt >= 64; cnt -= 64)
275 cp = mempcpy (cp, temp_result, 64);
276 memcpy (cp, temp_result, cnt);
277
278 /* Repeatedly run the collected hash value through SHA512 to burn
279 CPU cycles. */
280 for (cnt = 0; cnt < rounds; ++cnt)
281 {
282 /* New context. */
283 sha512_init_ctx (&ctx, nss_ctx);
284
285 /* Add key or last result. */
286 if ((cnt & 1) != 0)
287 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
288 else
289 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
290
291 /* Add salt for numbers not divisible by 3. */
292 if (cnt % 3 != 0)
293 sha512_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
294
295 /* Add key for numbers not divisible by 7. */
296 if (cnt % 7 != 0)
297 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
298
299 /* Add key or last result. */
300 if ((cnt & 1) != 0)
301 sha512_process_bytes (alt_result, 64, &ctx, nss_ctx);
302 else
303 sha512_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
304
305 /* Create intermediate result. */
306 sha512_finish_ctx (&ctx, nss_ctx, alt_result);
307 }
308
309#ifdef USE_NSS
310 /* Free libfreebl3 resources. */
311 NSSLOW_Shutdown (nss_ictx);
312#endif
313
314 /* Now we can construct the result string. It consists of three
315 parts. */
316 cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
317 buflen -= sizeof (sha512_salt_prefix) - 1;
318
319 if (rounds_custom)
320 {
321 int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
322 sha512_rounds_prefix, rounds);
323 cp += n;
324 buflen -= n;
325 }
326
327 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
328 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
329
330 if (buflen > 0)
331 {
332 *cp++ = '$';
333 --buflen;
334 }
335
336 __b64_from_24bit (&cp, &buflen,
337 alt_result[0], alt_result[21], alt_result[42], 4);
338 __b64_from_24bit (&cp, &buflen,
339 alt_result[22], alt_result[43], alt_result[1], 4);
340 __b64_from_24bit (&cp, &buflen,
341 alt_result[44], alt_result[2], alt_result[23], 4);
342 __b64_from_24bit (&cp, &buflen,
343 alt_result[3], alt_result[24], alt_result[45], 4);
344 __b64_from_24bit (&cp, &buflen,
345 alt_result[25], alt_result[46], alt_result[4], 4);
346 __b64_from_24bit (&cp, &buflen,
347 alt_result[47], alt_result[5], alt_result[26], 4);
348 __b64_from_24bit (&cp, &buflen,
349 alt_result[6], alt_result[27], alt_result[48], 4);
350 __b64_from_24bit (&cp, &buflen,
351 alt_result[28], alt_result[49], alt_result[7], 4);
352 __b64_from_24bit (&cp, &buflen,
353 alt_result[50], alt_result[8], alt_result[29], 4);
354 __b64_from_24bit (&cp, &buflen,
355 alt_result[9], alt_result[30], alt_result[51], 4);
356 __b64_from_24bit (&cp, &buflen,
357 alt_result[31], alt_result[52], alt_result[10], 4);
358 __b64_from_24bit (&cp, &buflen,
359 alt_result[53], alt_result[11], alt_result[32], 4);
360 __b64_from_24bit (&cp, &buflen,
361 alt_result[12], alt_result[33], alt_result[54], 4);
362 __b64_from_24bit (&cp, &buflen,
363 alt_result[34], alt_result[55], alt_result[13], 4);
364 __b64_from_24bit (&cp, &buflen,
365 alt_result[56], alt_result[14], alt_result[35], 4);
366 __b64_from_24bit (&cp, &buflen,
367 alt_result[15], alt_result[36], alt_result[57], 4);
368 __b64_from_24bit (&cp, &buflen,
369 alt_result[37], alt_result[58], alt_result[16], 4);
370 __b64_from_24bit (&cp, &buflen,
371 alt_result[59], alt_result[17], alt_result[38], 4);
372 __b64_from_24bit (&cp, &buflen,
373 alt_result[18], alt_result[39], alt_result[60], 4);
374 __b64_from_24bit (&cp, &buflen,
375 alt_result[40], alt_result[61], alt_result[19], 4);
376 __b64_from_24bit (&cp, &buflen,
377 alt_result[62], alt_result[20], alt_result[41], 4);
378 __b64_from_24bit (&cp, &buflen,
379 0, 0, alt_result[63], 2);
380
381 if (buflen <= 0)
382 {
383 __set_errno (ERANGE);
384 buffer = NULL;
385 }
386 else
387 *cp = '\0'; /* Terminate the string. */
388
389 /* Clear the buffer for the intermediate result so that people
390 attaching to processes or reading core dumps cannot get any
391 information. We do it in this way to clear correct_words[]
392 inside the SHA512 implementation as well. */
393#ifndef USE_NSS
394 __sha512_init_ctx (&ctx);
395 __sha512_finish_ctx (&ctx, alt_result);
396 explicit_bzero (&ctx, sizeof (ctx));
397 explicit_bzero (&alt_ctx, sizeof (alt_ctx));
398#endif
399 explicit_bzero (temp_result, sizeof (temp_result));
400 explicit_bzero (p_bytes, key_len);
401 explicit_bzero (s_bytes, salt_len);
402 if (copied_key != NULL)
403 explicit_bzero (copied_key, key_len);
404 if (copied_salt != NULL)
405 explicit_bzero (copied_salt, salt_len);
406
407 free (free_key);
408 free (free_pbytes);
409 return buffer;
410}
411
412#ifndef _LIBC
413# define libc_freeres_ptr(decl) decl
414#endif
415libc_freeres_ptr (static char *buffer);
416
417/* This entry point is equivalent to the `crypt' function in Unix
418 libcs. */
419char *
420__sha512_crypt (const char *key, const char *salt)
421{
422 /* We don't want to have an arbitrary limit in the size of the
423 password. We can compute an upper bound for the size of the
424 result in advance and so we can prepare the buffer we pass to
425 `sha512_crypt_r'. */
426 static int buflen;
427 int needed = (sizeof (sha512_salt_prefix) - 1
428 + sizeof (sha512_rounds_prefix) + 9 + 1
429 + strlen (salt) + 1 + 86 + 1);
430
431 if (buflen < needed)
432 {
433 char *new_buffer = (char *) realloc (buffer, needed);
434 if (new_buffer == NULL)
435 return NULL;
436
437 buffer = new_buffer;
438 buflen = needed;
439 }
440
441 return __sha512_crypt_r (key, salt, buffer, buflen);
442}
443
444#ifndef _LIBC
445static void
446__attribute__ ((__destructor__))
447free_mem (void)
448{
449 free (buffer);
450}
451#endif
452