source: rtems/cpukit/libcrypt/crypt-sha512.c @ e25acd8

5
Last change on this file since e25acd8 was 4466321, checked in by Sebastian Huber <sebastian.huber@…>, on 11/13/14 at 14:13:24

Add crypt_r(), etc.

Add crypt_add_format(), crypt_r(), crypt_md5_r(), crypt_sha256_r() and
crypt_sha512_r().

  • Property mode set to 100644
File size: 9.3 KB
Line 
1/*
2 * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 */
25
26/* Based on:
27 * SHA512-based Unix crypt implementation. Released into the Public Domain by
28 * Ulrich Drepper <drepper@redhat.com>. */
29
30#include <sys/cdefs.h>
31__FBSDID("$FreeBSD$");
32
33#include <sys/endian.h>
34#include <sys/param.h>
35
36#include <errno.h>
37#include <limits.h>
38#include <sha512.h>
39#include <stdbool.h>
40#include <stdint.h>
41#include <stdio.h>
42#include <stdlib.h>
43#include <string.h>
44
45#include <crypt.h>
46
47/* Define our magic string to mark salt for SHA512 "encryption" replacement. */
48static const char sha512_salt_prefix[] = "$6$";
49
50/* Prefix for optional rounds specification. */
51static const char sha512_rounds_prefix[] = "rounds=";
52
53/* Maximum salt string length. */
54#define SALT_LEN_MAX 16
55/* Default number of rounds if not explicitly specified. */
56#define ROUNDS_DEFAULT 5000
57/* Minimum number of rounds. */
58#define ROUNDS_MIN 1000
59/* Maximum number of rounds. */
60#define ROUNDS_MAX 999999999
61
62char *
63crypt_sha512_r(const char *key, const char *salt, struct crypt_data *data)
64{
65        u_long srounds;
66        int n;
67        uint8_t alt_result[64], temp_result[64];
68        SHA512_CTX ctx, alt_ctx;
69        size_t salt_len, key_len, cnt, rounds;
70        char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
71        const char *num;
72        bool rounds_custom;
73        char *buffer = &data->buffer[0];
74        int buflen = (int)sizeof(data->buffer);
75
76        copied_key = NULL;
77        copied_salt = NULL;
78
79        /* Default number of rounds. */
80        rounds = ROUNDS_DEFAULT;
81        rounds_custom = false;
82
83        /* Find beginning of salt string. The prefix should normally always
84         * be present. Just in case it is not. */
85        if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
86                /* Skip salt prefix. */
87                salt += sizeof(sha512_salt_prefix) - 1;
88
89        if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
90            == 0) {
91                num = salt + sizeof(sha512_rounds_prefix) - 1;
92                srounds = strtoul(num, &endp, 10);
93
94                if (*endp == '$') {
95                        salt = endp + 1;
96                        rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
97                        rounds_custom = true;
98                }
99        }
100
101        salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
102        key_len = strlen(key);
103
104        /* Prepare for the real work. */
105        SHA512_Init(&ctx);
106
107        /* Add the key string. */
108        SHA512_Update(&ctx, key, key_len);
109
110        /* The last part is the salt string. This must be at most 8
111         * characters and it ends at the first `$' character (for
112         * compatibility with existing implementations). */
113        SHA512_Update(&ctx, salt, salt_len);
114
115        /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
116         * final result will be added to the first context. */
117        SHA512_Init(&alt_ctx);
118
119        /* Add key. */
120        SHA512_Update(&alt_ctx, key, key_len);
121
122        /* Add salt. */
123        SHA512_Update(&alt_ctx, salt, salt_len);
124
125        /* Add key again. */
126        SHA512_Update(&alt_ctx, key, key_len);
127
128        /* Now get result of this (64 bytes) and add it to the other context. */
129        SHA512_Final(alt_result, &alt_ctx);
130
131        /* Add for any character in the key one byte of the alternate sum. */
132        for (cnt = key_len; cnt > 64; cnt -= 64)
133                SHA512_Update(&ctx, alt_result, 64);
134        SHA512_Update(&ctx, alt_result, cnt);
135
136        /* Take the binary representation of the length of the key and for
137         * every 1 add the alternate sum, for every 0 the key. */
138        for (cnt = key_len; cnt > 0; cnt >>= 1)
139                if ((cnt & 1) != 0)
140                        SHA512_Update(&ctx, alt_result, 64);
141                else
142                        SHA512_Update(&ctx, key, key_len);
143
144        /* Create intermediate result. */
145        SHA512_Final(alt_result, &ctx);
146
147        /* Start computation of P byte sequence. */
148        SHA512_Init(&alt_ctx);
149
150        /* For every character in the password add the entire password. */
151        for (cnt = 0; cnt < key_len; ++cnt)
152                SHA512_Update(&alt_ctx, key, key_len);
153
154        /* Finish the digest. */
155        SHA512_Final(temp_result, &alt_ctx);
156
157        /* Create byte sequence P. */
158        cp = p_bytes = alloca(key_len);
159        for (cnt = key_len; cnt >= 64; cnt -= 64) {
160                memcpy(cp, temp_result, 64);
161                cp += 64;
162        }
163        memcpy(cp, temp_result, cnt);
164
165        /* Start computation of S byte sequence. */
166        SHA512_Init(&alt_ctx);
167
168        /* For every character in the password add the entire password. */
169        for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
170                SHA512_Update(&alt_ctx, salt, salt_len);
171
172        /* Finish the digest. */
173        SHA512_Final(temp_result, &alt_ctx);
174
175        /* Create byte sequence S. */
176        cp = s_bytes = alloca(salt_len);
177        for (cnt = salt_len; cnt >= 64; cnt -= 64) {
178                memcpy(cp, temp_result, 64);
179                cp += 64;
180        }
181        memcpy(cp, temp_result, cnt);
182
183        /* Repeatedly run the collected hash value through SHA512 to burn CPU
184         * cycles. */
185        for (cnt = 0; cnt < rounds; ++cnt) {
186                /* New context. */
187                SHA512_Init(&ctx);
188
189                /* Add key or last result. */
190                if ((cnt & 1) != 0)
191                        SHA512_Update(&ctx, p_bytes, key_len);
192                else
193                        SHA512_Update(&ctx, alt_result, 64);
194
195                /* Add salt for numbers not divisible by 3. */
196                if (cnt % 3 != 0)
197                        SHA512_Update(&ctx, s_bytes, salt_len);
198
199                /* Add key for numbers not divisible by 7. */
200                if (cnt % 7 != 0)
201                        SHA512_Update(&ctx, p_bytes, key_len);
202
203                /* Add key or last result. */
204                if ((cnt & 1) != 0)
205                        SHA512_Update(&ctx, alt_result, 64);
206                else
207                        SHA512_Update(&ctx, p_bytes, key_len);
208
209                /* Create intermediate result. */
210                SHA512_Final(alt_result, &ctx);
211        }
212
213        /* Now we can construct the result string. It consists of three
214         * parts. */
215        cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
216        buflen -= sizeof(sha512_salt_prefix) - 1;
217
218        if (rounds_custom) {
219                n = snprintf(cp, MAX(0, buflen), "%s%zu$",
220                         sha512_rounds_prefix, rounds);
221
222                cp += n;
223                buflen -= n;
224        }
225
226        cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
227        buflen -= MIN((size_t)MAX(0, buflen), salt_len);
228
229        if (buflen > 0) {
230                *cp++ = '$';
231                --buflen;
232        }
233
234        b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp);
235        b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp);
236        b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp);
237        b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp);
238        b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp);
239        b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp);
240        b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp);
241        b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp);
242        b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp);
243        b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp);
244        b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp);
245        b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp);
246        b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp);
247        b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp);
248        b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp);
249        b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp);
250        b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp);
251        b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp);
252        b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp);
253        b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp);
254        b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp);
255        b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp);
256
257        if (buflen <= 0) {
258                errno = ERANGE;
259                buffer = NULL;
260        }
261        else
262                *cp = '\0';     /* Terminate the string. */
263
264        /* Clear the buffer for the intermediate result so that people
265         * attaching to processes or reading core dumps cannot get any
266         * information. We do it in this way to clear correct_words[] inside
267         * the SHA512 implementation as well. */
268        SHA512_Init(&ctx);
269        SHA512_Final(alt_result, &ctx);
270        memset(temp_result, '\0', sizeof(temp_result));
271        memset(p_bytes, '\0', key_len);
272        memset(s_bytes, '\0', salt_len);
273        memset(&ctx, '\0', sizeof(ctx));
274        memset(&alt_ctx, '\0', sizeof(alt_ctx));
275        if (copied_key != NULL)
276                memset(copied_key, '\0', key_len);
277        if (copied_salt != NULL)
278                memset(copied_salt, '\0', salt_len);
279
280        return buffer;
281}
282
283struct crypt_format crypt_sha512_format =
284    CRYPT_FORMAT_INITIALIZER(crypt_sha512_r, "$6$");
Note: See TracBrowser for help on using the repository browser.