source: rtems/cpukit/libcrypt/crypt-sha512.c

Last change on this file was fe90ada, checked in by Xin LI <delphij@…>, on 07/20/18 at 07:16:28

libcrypt: There is no need to clear message digest

context after they are finialized after r336539, so do not do it.

Submitted by: David CARLIER <devnexen gmail com>
MFC after: 1 month (after r336539)
Differential Revision: https://reviews.freebsd.org/D16059
  • Property mode set to 100644
File size: 9.1 KB
Line 
1/*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28/* Based on:
29 * SHA512-based Unix crypt implementation. Released into the Public Domain by
30 * Ulrich Drepper <drepper@redhat.com>. */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD$");
34
35#include <sys/endian.h>
36#include <sys/param.h>
37
38#include <errno.h>
39#include <limits.h>
40#include <sha512.h>
41#include <stdbool.h>
42#include <stdint.h>
43#include <stdio.h>
44#include <stdlib.h>
45#include <string.h>
46
47#include <crypt.h>
48
49/* Define our magic string to mark salt for SHA512 "encryption" replacement. */
50static const char sha512_salt_prefix[] = "$6$";
51
52/* Prefix for optional rounds specification. */
53static const char sha512_rounds_prefix[] = "rounds=";
54
55/* Maximum salt string length. */
56#define SALT_LEN_MAX 16
57/* Default number of rounds if not explicitly specified. */
58#define ROUNDS_DEFAULT 5000
59/* Minimum number of rounds. */
60#define ROUNDS_MIN 1000
61/* Maximum number of rounds. */
62#define ROUNDS_MAX 999999999
63
64char *
65crypt_sha512_r(const char *key, const char *salt, struct crypt_data *data)
66{
67        u_long srounds;
68        int n;
69        uint8_t alt_result[64], temp_result[64];
70        SHA512_CTX ctx, alt_ctx;
71        size_t salt_len, key_len, cnt, rounds;
72        char *cp, *p_bytes, *s_bytes, *endp;
73        const char *num;
74        bool rounds_custom;
75        char *buffer = &data->buffer[0];
76        int buflen = (int)sizeof(data->buffer);
77
78        /* Default number of rounds. */
79        rounds = ROUNDS_DEFAULT;
80        rounds_custom = false;
81
82        /* Find beginning of salt string. The prefix should normally always
83         * be present. Just in case it is not. */
84        if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
85                /* Skip salt prefix. */
86                salt += sizeof(sha512_salt_prefix) - 1;
87
88        if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
89            == 0) {
90                num = salt + sizeof(sha512_rounds_prefix) - 1;
91                srounds = strtoul(num, &endp, 10);
92
93                if (*endp == '$') {
94                        salt = endp + 1;
95                        rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
96                        rounds_custom = true;
97                }
98        }
99
100        salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
101        key_len = strlen(key);
102
103        /* Prepare for the real work. */
104        SHA512_Init(&ctx);
105
106        /* Add the key string. */
107        SHA512_Update(&ctx, key, key_len);
108
109        /* The last part is the salt string. This must be at most 8
110         * characters and it ends at the first `$' character (for
111         * compatibility with existing implementations). */
112        SHA512_Update(&ctx, salt, salt_len);
113
114        /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
115         * final result will be added to the first context. */
116        SHA512_Init(&alt_ctx);
117
118        /* Add key. */
119        SHA512_Update(&alt_ctx, key, key_len);
120
121        /* Add salt. */
122        SHA512_Update(&alt_ctx, salt, salt_len);
123
124        /* Add key again. */
125        SHA512_Update(&alt_ctx, key, key_len);
126
127        /* Now get result of this (64 bytes) and add it to the other context. */
128        SHA512_Final(alt_result, &alt_ctx);
129
130        /* Add for any character in the key one byte of the alternate sum. */
131        for (cnt = key_len; cnt > 64; cnt -= 64)
132                SHA512_Update(&ctx, alt_result, 64);
133        SHA512_Update(&ctx, alt_result, cnt);
134
135        /* Take the binary representation of the length of the key and for
136         * every 1 add the alternate sum, for every 0 the key. */
137        for (cnt = key_len; cnt > 0; cnt >>= 1)
138                if ((cnt & 1) != 0)
139                        SHA512_Update(&ctx, alt_result, 64);
140                else
141                        SHA512_Update(&ctx, key, key_len);
142
143        /* Create intermediate result. */
144        SHA512_Final(alt_result, &ctx);
145
146        /* Start computation of P byte sequence. */
147        SHA512_Init(&alt_ctx);
148
149        /* For every character in the password add the entire password. */
150        for (cnt = 0; cnt < key_len; ++cnt)
151                SHA512_Update(&alt_ctx, key, key_len);
152
153        /* Finish the digest. */
154        SHA512_Final(temp_result, &alt_ctx);
155
156        /* Create byte sequence P. */
157        cp = p_bytes = alloca(key_len);
158        for (cnt = key_len; cnt >= 64; cnt -= 64) {
159                memcpy(cp, temp_result, 64);
160                cp += 64;
161        }
162        memcpy(cp, temp_result, cnt);
163
164        /* Start computation of S byte sequence. */
165        SHA512_Init(&alt_ctx);
166
167        /* For every character in the password add the entire password. */
168        for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
169                SHA512_Update(&alt_ctx, salt, salt_len);
170
171        /* Finish the digest. */
172        SHA512_Final(temp_result, &alt_ctx);
173
174        /* Create byte sequence S. */
175        cp = s_bytes = alloca(salt_len);
176        for (cnt = salt_len; cnt >= 64; cnt -= 64) {
177                memcpy(cp, temp_result, 64);
178                cp += 64;
179        }
180        memcpy(cp, temp_result, cnt);
181
182        /* Repeatedly run the collected hash value through SHA512 to burn CPU
183         * cycles. */
184        for (cnt = 0; cnt < rounds; ++cnt) {
185                /* New context. */
186                SHA512_Init(&ctx);
187
188                /* Add key or last result. */
189                if ((cnt & 1) != 0)
190                        SHA512_Update(&ctx, p_bytes, key_len);
191                else
192                        SHA512_Update(&ctx, alt_result, 64);
193
194                /* Add salt for numbers not divisible by 3. */
195                if (cnt % 3 != 0)
196                        SHA512_Update(&ctx, s_bytes, salt_len);
197
198                /* Add key for numbers not divisible by 7. */
199                if (cnt % 7 != 0)
200                        SHA512_Update(&ctx, p_bytes, key_len);
201
202                /* Add key or last result. */
203                if ((cnt & 1) != 0)
204                        SHA512_Update(&ctx, alt_result, 64);
205                else
206                        SHA512_Update(&ctx, p_bytes, key_len);
207
208                /* Create intermediate result. */
209                SHA512_Final(alt_result, &ctx);
210        }
211
212        /* Now we can construct the result string. It consists of three
213         * parts. */
214        cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
215        buflen -= sizeof(sha512_salt_prefix) - 1;
216
217        if (rounds_custom) {
218                n = snprintf(cp, MAX(0, buflen), "%s%zu$",
219                         sha512_rounds_prefix, rounds);
220
221                cp += n;
222                buflen -= n;
223        }
224
225        cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
226        buflen -= MIN((size_t)MAX(0, buflen), salt_len);
227
228        if (buflen > 0) {
229                *cp++ = '$';
230                --buflen;
231        }
232
233        b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp);
234        b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp);
235        b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp);
236        b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp);
237        b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp);
238        b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp);
239        b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp);
240        b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp);
241        b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp);
242        b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp);
243        b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp);
244        b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp);
245        b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp);
246        b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp);
247        b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp);
248        b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp);
249        b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp);
250        b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp);
251        b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp);
252        b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp);
253        b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp);
254        b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp);
255
256        if (buflen <= 0) {
257                errno = ERANGE;
258                buffer = NULL;
259        }
260        else
261                *cp = '\0';     /* Terminate the string. */
262
263        /* Clear the buffer for the intermediate result so that people
264         * attaching to processes or reading core dumps cannot get any
265         * information. We do it in this way to clear correct_words[] inside
266         * the SHA512 implementation as well. */
267        SHA512_Init(&ctx);
268        SHA512_Final(alt_result, &ctx);
269        memset(temp_result, '\0', sizeof(temp_result));
270        memset(p_bytes, '\0', key_len);
271        memset(s_bytes, '\0', salt_len);
272
273        return buffer;
274}
275
276struct crypt_format crypt_sha512_format =
277    CRYPT_FORMAT_INITIALIZER(crypt_sha512_r, "$6$");
Note: See TracBrowser for help on using the repository browser.