1/* One way encryption based on SHA256 sum.
2 Copyright (C) 2007-2020 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <https://www.gnu.org/licenses/>. */
19
20#include <assert.h>
21#include <errno.h>
22#include <stdbool.h>
23#include <stdlib.h>
24#include <string.h>
25#include <stdint.h>
26#include <sys/param.h>
27
28#include "sha256.h"
29#include "crypt-private.h"
30
31
32#ifdef USE_NSS
33typedef int PRBool;
34# include <hasht.h>
35# include <nsslowhash.h>
36
37# define sha256_init_ctx(ctxp, nss_ctxp) \
38 do \
39 { \
40 if (((nss_ctxp = NSSLOWHASH_NewContext (nss_ictx, HASH_AlgSHA256)) \
41 == NULL)) \
42 { \
43 if (nss_ctx != NULL) \
44 NSSLOWHASH_Destroy (nss_ctx); \
45 if (nss_alt_ctx != NULL) \
46 NSSLOWHASH_Destroy (nss_alt_ctx); \
47 return NULL; \
48 } \
49 NSSLOWHASH_Begin (nss_ctxp); \
50 } \
51 while (0)
52
53# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
54 NSSLOWHASH_Update (nss_ctxp, (const unsigned char *) buf, len)
55
56# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
57 do \
58 { \
59 unsigned int ret; \
60 NSSLOWHASH_End (nss_ctxp, result, &ret, sizeof (result)); \
61 assert (ret == sizeof (result)); \
62 NSSLOWHASH_Destroy (nss_ctxp); \
63 nss_ctxp = NULL; \
64 } \
65 while (0)
66#else
67# define sha256_init_ctx(ctxp, nss_ctxp) \
68 __sha256_init_ctx (ctxp)
69
70# define sha256_process_bytes(buf, len, ctxp, nss_ctxp) \
71 __sha256_process_bytes(buf, len, ctxp)
72
73# define sha256_finish_ctx(ctxp, nss_ctxp, result) \
74 __sha256_finish_ctx (ctxp, result)
75#endif
76
77
78/* Define our magic string to mark salt for SHA256 "encryption"
79 replacement. */
80static const char sha256_salt_prefix[] = "$5$";
81
82/* Prefix for optional rounds specification. */
83static const char sha256_rounds_prefix[] = "rounds=";
84
85/* Maximum salt string length. */
86#define SALT_LEN_MAX 16
87/* Default number of rounds if not explicitly specified. */
88#define ROUNDS_DEFAULT 5000
89/* Minimum number of rounds. */
90#define ROUNDS_MIN 1000
91/* Maximum number of rounds. */
92#define ROUNDS_MAX 999999999
93
94
95/* Prototypes for local functions. */
96extern char *__sha256_crypt_r (const char *key, const char *salt,
97 char *buffer, int buflen);
98extern char *__sha256_crypt (const char *key, const char *salt);
99
100
101char *
102__sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
103{
104 unsigned char alt_result[32]
105 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
106 unsigned char temp_result[32]
107 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
108 size_t salt_len;
109 size_t key_len;
110 size_t cnt;
111 char *cp;
112 char *copied_key = NULL;
113 char *copied_salt = NULL;
114 char *p_bytes;
115 char *s_bytes;
116 /* Default number of rounds. */
117 size_t rounds = ROUNDS_DEFAULT;
118 bool rounds_custom = false;
119 size_t alloca_used = 0;
120 char *free_key = NULL;
121 char *free_pbytes = NULL;
122
123 /* Find beginning of salt string. The prefix should normally always
124 be present. Just in case it is not. */
125 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
126 /* Skip salt prefix. */
127 salt += sizeof (sha256_salt_prefix) - 1;
128
129 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
130 == 0)
131 {
132 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
133 char *endp;
134 unsigned long int srounds = strtoul (num, &endp, 10);
135 if (*endp == '$')
136 {
137 salt = endp + 1;
138 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
139 rounds_custom = true;
140 }
141 }
142
143 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
144 key_len = strlen (key);
145
146 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
147 {
148 char *tmp;
149
150 if (__libc_use_alloca (alloca_used + key_len + __alignof__ (uint32_t)))
151 tmp = alloca_account (key_len + __alignof__ (uint32_t), alloca_used);
152 else
153 {
154 free_key = tmp = (char *) malloc (key_len + __alignof__ (uint32_t));
155 if (tmp == NULL)
156 return NULL;
157 }
158
159 key = copied_key =
160 memcpy (tmp + __alignof__ (uint32_t)
161 - (tmp - (char *) 0) % __alignof__ (uint32_t),
162 key, key_len);
163 assert ((key - (char *) 0) % __alignof__ (uint32_t) == 0);
164 }
165
166 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
167 {
168 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
169 alloca_used += salt_len + __alignof__ (uint32_t);
170 salt = copied_salt =
171 memcpy (tmp + __alignof__ (uint32_t)
172 - (tmp - (char *) 0) % __alignof__ (uint32_t),
173 salt, salt_len);
174 assert ((salt - (char *) 0) % __alignof__ (uint32_t) == 0);
175 }
176
177#ifdef USE_NSS
178 /* Initialize libfreebl3. */
179 NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
180 if (nss_ictx == NULL)
181 {
182 free (free_key);
183 return NULL;
184 }
185 NSSLOWHASHContext *nss_ctx = NULL;
186 NSSLOWHASHContext *nss_alt_ctx = NULL;
187#else
188 struct sha256_ctx ctx;
189 struct sha256_ctx alt_ctx;
190#endif
191
192 /* Prepare for the real work. */
193 sha256_init_ctx (&ctx, nss_ctx);
194
195 /* Add the key string. */
196 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
197
198 /* The last part is the salt string. This must be at most 16
199 characters and it ends at the first `$' character. */
200 sha256_process_bytes (salt, salt_len, &ctx, nss_ctx);
201
202
203 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
204 final result will be added to the first context. */
205 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
206
207 /* Add key. */
208 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
209
210 /* Add salt. */
211 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
212
213 /* Add key again. */
214 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
215
216 /* Now get result of this (32 bytes) and add it to the other
217 context. */
218 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, alt_result);
219
220 /* Add for any character in the key one byte of the alternate sum. */
221 for (cnt = key_len; cnt > 32; cnt -= 32)
222 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
223 sha256_process_bytes (alt_result, cnt, &ctx, nss_ctx);
224
225 /* Take the binary representation of the length of the key and for every
226 1 add the alternate sum, for every 0 the key. */
227 for (cnt = key_len; cnt > 0; cnt >>= 1)
228 if ((cnt & 1) != 0)
229 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
230 else
231 sha256_process_bytes (key, key_len, &ctx, nss_ctx);
232
233 /* Create intermediate result. */
234 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
235
236 /* Start computation of P byte sequence. */
237 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
238
239 /* For every character in the password add the entire password. */
240 for (cnt = 0; cnt < key_len; ++cnt)
241 sha256_process_bytes (key, key_len, &alt_ctx, nss_alt_ctx);
242
243 /* Finish the digest. */
244 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
245
246 /* Create byte sequence P. */
247 if (__libc_use_alloca (alloca_used + key_len))
248 cp = p_bytes = (char *) alloca (key_len);
249 else
250 {
251 free_pbytes = cp = p_bytes = (char *)malloc (key_len);
252 if (free_pbytes == NULL)
253 {
254 free (free_key);
255 return NULL;
256 }
257 }
258
259 for (cnt = key_len; cnt >= 32; cnt -= 32)
260 cp = mempcpy (cp, temp_result, 32);
261 memcpy (cp, temp_result, cnt);
262
263 /* Start computation of S byte sequence. */
264 sha256_init_ctx (&alt_ctx, nss_alt_ctx);
265
266 /* For every character in the password add the entire password. */
267 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
268 sha256_process_bytes (salt, salt_len, &alt_ctx, nss_alt_ctx);
269
270 /* Finish the digest. */
271 sha256_finish_ctx (&alt_ctx, nss_alt_ctx, temp_result);
272
273 /* Create byte sequence S. */
274 cp = s_bytes = alloca (salt_len);
275 for (cnt = salt_len; cnt >= 32; cnt -= 32)
276 cp = mempcpy (cp, temp_result, 32);
277 memcpy (cp, temp_result, cnt);
278
279 /* Repeatedly run the collected hash value through SHA256 to burn
280 CPU cycles. */
281 for (cnt = 0; cnt < rounds; ++cnt)
282 {
283 /* New context. */
284 sha256_init_ctx (&ctx, nss_ctx);
285
286 /* Add key or last result. */
287 if ((cnt & 1) != 0)
288 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
289 else
290 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
291
292 /* Add salt for numbers not divisible by 3. */
293 if (cnt % 3 != 0)
294 sha256_process_bytes (s_bytes, salt_len, &ctx, nss_ctx);
295
296 /* Add key for numbers not divisible by 7. */
297 if (cnt % 7 != 0)
298 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
299
300 /* Add key or last result. */
301 if ((cnt & 1) != 0)
302 sha256_process_bytes (alt_result, 32, &ctx, nss_ctx);
303 else
304 sha256_process_bytes (p_bytes, key_len, &ctx, nss_ctx);
305
306 /* Create intermediate result. */
307 sha256_finish_ctx (&ctx, nss_ctx, alt_result);
308 }
309
310#ifdef USE_NSS
311 /* Free libfreebl3 resources. */
312 NSSLOW_Shutdown (nss_ictx);
313#endif
314
315 /* Now we can construct the result string. It consists of three
316 parts. */
317 cp = __stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
318 buflen -= sizeof (sha256_salt_prefix) - 1;
319
320 if (rounds_custom)
321 {
322 int n = __snprintf (cp, MAX (0, buflen), "%s%zu$",
323 sha256_rounds_prefix, rounds);
324 cp += n;
325 buflen -= n;
326 }
327
328 cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
329 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
330
331 if (buflen > 0)
332 {
333 *cp++ = '$';
334 --buflen;
335 }
336
337 __b64_from_24bit (&cp, &buflen,
338 alt_result[0], alt_result[10], alt_result[20], 4);
339 __b64_from_24bit (&cp, &buflen,
340 alt_result[21], alt_result[1], alt_result[11], 4);
341 __b64_from_24bit (&cp, &buflen,
342 alt_result[12], alt_result[22], alt_result[2], 4);
343 __b64_from_24bit (&cp, &buflen,
344 alt_result[3], alt_result[13], alt_result[23], 4);
345 __b64_from_24bit (&cp, &buflen,
346 alt_result[24], alt_result[4], alt_result[14], 4);
347 __b64_from_24bit (&cp, &buflen,
348 alt_result[15], alt_result[25], alt_result[5], 4);
349 __b64_from_24bit (&cp, &buflen,
350 alt_result[6], alt_result[16], alt_result[26], 4);
351 __b64_from_24bit (&cp, &buflen,
352 alt_result[27], alt_result[7], alt_result[17], 4);
353 __b64_from_24bit (&cp, &buflen,
354 alt_result[18], alt_result[28], alt_result[8], 4);
355 __b64_from_24bit (&cp, &buflen,
356 alt_result[9], alt_result[19], alt_result[29], 4);
357 __b64_from_24bit (&cp, &buflen,
358 0, alt_result[31], alt_result[30], 3);
359 if (buflen <= 0)
360 {
361 __set_errno (ERANGE);
362 buffer = NULL;
363 }
364 else
365 *cp = '\0'; /* Terminate the string. */
366
367 /* Clear the buffer for the intermediate result so that people
368 attaching to processes or reading core dumps cannot get any
369 information. We do it in this way to clear correct_words[]
370 inside the SHA256 implementation as well. */
371#ifndef USE_NSS
372 __sha256_init_ctx (&ctx);
373 __sha256_finish_ctx (&ctx, alt_result);
374 explicit_bzero (&ctx, sizeof (ctx));
375 explicit_bzero (&alt_ctx, sizeof (alt_ctx));
376#endif
377 explicit_bzero (temp_result, sizeof (temp_result));
378 explicit_bzero (p_bytes, key_len);
379 explicit_bzero (s_bytes, salt_len);
380 if (copied_key != NULL)
381 explicit_bzero (copied_key, key_len);
382 if (copied_salt != NULL)
383 explicit_bzero (copied_salt, salt_len);
384
385 free (free_key);
386 free (free_pbytes);
387 return buffer;
388}
389
390#ifndef _LIBC
391# define libc_freeres_ptr(decl) decl
392#endif
393libc_freeres_ptr (static char *buffer);
394
395/* This entry point is equivalent to the `crypt' function in Unix
396 libcs. */
397char *
398__sha256_crypt (const char *key, const char *salt)
399{
400 /* We don't want to have an arbitrary limit in the size of the
401 password. We can compute an upper bound for the size of the
402 result in advance and so we can prepare the buffer we pass to
403 `sha256_crypt_r'. */
404 static int buflen;
405 int needed = (sizeof (sha256_salt_prefix) - 1
406 + sizeof (sha256_rounds_prefix) + 9 + 1
407 + strlen (salt) + 1 + 43 + 1);
408
409 if (buflen < needed)
410 {
411 char *new_buffer = (char *) realloc (buffer, needed);
412 if (new_buffer == NULL)
413 return NULL;
414
415 buffer = new_buffer;
416 buflen = needed;
417 }
418
419 return __sha256_crypt_r (key, salt, buffer, buflen);
420}
421
422#ifndef _LIBC
423static void
424__attribute__ ((__destructor__))
425free_mem (void)
426{
427 free (buffer);
428}
429#endif
430