1 /* SHA512-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <minmax.h>
14 #include <sys/types.h>
15
16 #include "xcrypt.h"
17
18 #define MIN(x,y) min(x,y)
19 #define MAX(x,y) max(x,y)
20
21 /* Structure to save state of computation between the single steps. */
22 struct sha512_ctx {
23 uint64_t H[8];
24
25 uint64_t total[2];
26 uint64_t buflen;
27 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
28 };
29
30 #if __BYTE_ORDER == __LITTLE_ENDIAN
31 # define SWAP(n) \
32 (((n) << 56) \
33 | (((n) & 0xff00) << 40) \
34 | (((n) & 0xff0000) << 24) \
35 | (((n) & 0xff000000) << 8) \
36 | (((n) >> 8) & 0xff000000) \
37 | (((n) >> 24) & 0xff0000) \
38 | (((n) >> 40) & 0xff00) \
39 | ((n) >> 56))
40 #else
41 # define SWAP(n) (n)
42 #endif
43
44 /* This array contains the bytes used to pad the buffer to the next
45 64-byte boundary. (FIPS 180-2:5.1.2) */
46 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
47
48 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
49 static const uint64_t K[80] = {
50 UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
51 UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
52 UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
53 UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
54 UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
55 UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
56 UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
57 UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
58 UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
59 UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
60 UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
61 UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
62 UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
63 UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
64 UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
65 UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
66 UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
67 UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
68 UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
69 UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
70 UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
71 UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
72 UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
73 UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
74 UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
75 UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
76 UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
77 UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
78 UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
79 UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
80 UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
81 UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
82 UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
83 UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
84 UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
85 UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
86 UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
87 UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
88 UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
89 UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
90 };
91
92 /* Process LEN bytes of BUFFER, accumulating context into CTX.
93 It is assumed that LEN % 128 == 0. */
94 static void
sha512_process_block(const void * buffer,size_t len,struct sha512_ctx * ctx)95 sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
96 {
97 unsigned int t;
98 const uint64_t *words = buffer;
99 size_t nwords = len / sizeof(uint64_t);
100 uint64_t a = ctx->H[0];
101 uint64_t b = ctx->H[1];
102 uint64_t c = ctx->H[2];
103 uint64_t d = ctx->H[3];
104 uint64_t e = ctx->H[4];
105 uint64_t f = ctx->H[5];
106 uint64_t g = ctx->H[6];
107 uint64_t h = ctx->H[7];
108
109 /* First increment the byte count. FIPS 180-2 specifies the possible
110 length of the file up to 2^128 bits. Here we only compute the
111 number of bytes. Do a double word increment. */
112 ctx->total[0] += len;
113 if (ctx->total[0] < len)
114 ++ctx->total[1];
115
116 /* Process all bytes in the buffer with 128 bytes in each round of
117 the loop. */
118 while (nwords > 0) {
119 uint64_t W[80];
120 uint64_t a_save = a;
121 uint64_t b_save = b;
122 uint64_t c_save = c;
123 uint64_t d_save = d;
124 uint64_t e_save = e;
125 uint64_t f_save = f;
126 uint64_t g_save = g;
127 uint64_t h_save = h;
128
129 /* Operators defined in FIPS 180-2:4.1.2. */
130 #define Ch(x, y, z) ((x & y) ^ (~x & z))
131 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
132 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
133 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
134 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
135 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
136
137 /* It is unfortunate that C does not provide an operator for
138 cyclic rotation. Hope the C compiler is smart enough. */
139 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
140
141 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
142 for (t = 0; t < 16; ++t) {
143 W[t] = SWAP(*words);
144 ++words;
145 }
146 for (t = 16; t < 80; ++t)
147 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
148
149 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
150 for (t = 0; t < 80; ++t) {
151 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
152 uint64_t T2 = S0(a) + Maj(a, b, c);
153 h = g;
154 g = f;
155 f = e;
156 e = d + T1;
157 d = c;
158 c = b;
159 b = a;
160 a = T1 + T2;
161 }
162
163 /* Add the starting values of the context according to FIPS 180-2:6.3.2
164 step 4. */
165 a += a_save;
166 b += b_save;
167 c += c_save;
168 d += d_save;
169 e += e_save;
170 f += f_save;
171 g += g_save;
172 h += h_save;
173
174 /* Prepare for the next round. */
175 nwords -= 16;
176 }
177
178 /* Put checksum in context given as argument. */
179 ctx->H[0] = a;
180 ctx->H[1] = b;
181 ctx->H[2] = c;
182 ctx->H[3] = d;
183 ctx->H[4] = e;
184 ctx->H[5] = f;
185 ctx->H[6] = g;
186 ctx->H[7] = h;
187 }
188
189 /* Initialize structure containing state of computation.
190 (FIPS 180-2:5.3.3) */
sha512_init_ctx(struct sha512_ctx * ctx)191 static void sha512_init_ctx(struct sha512_ctx *ctx)
192 {
193 ctx->H[0] = UINT64_C(0x6a09e667f3bcc908);
194 ctx->H[1] = UINT64_C(0xbb67ae8584caa73b);
195 ctx->H[2] = UINT64_C(0x3c6ef372fe94f82b);
196 ctx->H[3] = UINT64_C(0xa54ff53a5f1d36f1);
197 ctx->H[4] = UINT64_C(0x510e527fade682d1);
198 ctx->H[5] = UINT64_C(0x9b05688c2b3e6c1f);
199 ctx->H[6] = UINT64_C(0x1f83d9abfb41bd6b);
200 ctx->H[7] = UINT64_C(0x5be0cd19137e2179);
201
202 ctx->total[0] = ctx->total[1] = 0;
203 ctx->buflen = 0;
204 }
205
206 /* Process the remaining bytes in the internal buffer and the usual
207 prolog according to the standard and write the result to RESBUF.
208
209 IMPORTANT: On some systems it is required that RESBUF is correctly
210 aligned for a 32 bits value. */
sha512_finish_ctx(struct sha512_ctx * ctx,void * resbuf)211 static void *sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
212 {
213 unsigned int i;
214 /* Take yet unprocessed bytes into account. */
215 uint64_t bytes = ctx->buflen;
216 size_t pad;
217
218 /* Now count remaining bytes. */
219 ctx->total[0] += bytes;
220 if (ctx->total[0] < bytes)
221 ++ctx->total[1];
222
223 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
224 memcpy(&ctx->buffer[bytes], fillbuf, pad);
225
226 /* Put the 128-bit file length in *bits* at the end of the buffer. */
227 *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
228 *(uint64_t *) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) |
229 (ctx->total[0] >> 61));
230
231 /* Process last bytes. */
232 sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
233
234 /* Put result from CTX in first 64 bytes following RESBUF. */
235 for (i = 0; i < 8; ++i)
236 ((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
237
238 return resbuf;
239 }
240
241 static void
sha512_process_bytes(const void * buffer,size_t len,struct sha512_ctx * ctx)242 sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
243 {
244 /* When we already have some bits in our internal buffer concatenate
245 both inputs first. */
246 if (ctx->buflen != 0) {
247 size_t left_over = ctx->buflen;
248 size_t add = 256 - left_over > len ? len : 256 - left_over;
249
250 memcpy(&ctx->buffer[left_over], buffer, add);
251 ctx->buflen += add;
252
253 if (ctx->buflen > 128) {
254 sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
255
256 ctx->buflen &= 127;
257 /* The regions in the following copy operation cannot overlap. */
258 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
259 ctx->buflen);
260 }
261
262 buffer = (const char *)buffer + add;
263 len -= add;
264 }
265
266 /* Process available complete blocks. */
267 if (len >= 128) {
268 #if !_STRING_ARCH_unaligned
269 /* To check alignment gcc has an appropriate operator. Other
270 compilers don't. */
271 # if __GNUC__ >= 2
272 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
273 # else
274 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
275 # endif
276 if (UNALIGNED_P(buffer))
277 while (len > 128) {
278 sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128,
279 ctx);
280 buffer = (const char *)buffer + 128;
281 len -= 128;
282 } else
283 #endif
284 {
285 sha512_process_block(buffer, len & ~127, ctx);
286 buffer = (const char *)buffer + (len & ~127);
287 len &= 127;
288 }
289 }
290
291 /* Move remaining bytes into internal buffer. */
292 if (len > 0) {
293 size_t left_over = ctx->buflen;
294
295 memcpy(&ctx->buffer[left_over], buffer, len);
296 left_over += len;
297 if (left_over >= 128) {
298 sha512_process_block(ctx->buffer, 128, ctx);
299 left_over -= 128;
300 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
301 }
302 ctx->buflen = left_over;
303 }
304 }
305
306 /* Define our magic string to mark salt for SHA512 "encryption"
307 replacement. */
308 static const char sha512_salt_prefix[] = "$6$";
309
310 /* Prefix for optional rounds specification. */
311 static const char sha512_rounds_prefix[] = "rounds=";
312
313 /* Maximum salt string length. */
314 #define SALT_LEN_MAX 16U
315 /* Default number of rounds if not explicitly specified. */
316 #define ROUNDS_DEFAULT 5000UL
317 /* Minimum number of rounds. */
318 #define ROUNDS_MIN 1000UL
319 /* Maximum number of rounds. */
320 #define ROUNDS_MAX 999999999UL
321
322 /* Table with characters for base64 transformation. */
323 static const char b64t[64] =
324 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
325
sha512_crypt_r(const char * key,const char * salt,char * buffer,int buflen)326 static char *sha512_crypt_r(const char *key, const char *salt, char *buffer,
327 int buflen)
328 {
329 unsigned char alt_result[64]
330 __attribute__ ((__aligned__(__alignof__(uint64_t))));
331 unsigned char temp_result[64]
332 __attribute__ ((__aligned__(__alignof__(uint64_t))));
333 struct sha512_ctx ctx;
334 struct sha512_ctx alt_ctx;
335 size_t salt_len;
336 size_t key_len;
337 size_t cnt;
338 char *cp;
339 char *copied_key = NULL;
340 char *copied_salt = NULL;
341 char *p_bytes;
342 char *s_bytes;
343 /* Default number of rounds. */
344 size_t rounds = ROUNDS_DEFAULT;
345 bool rounds_custom = false;
346
347 /* Find beginning of salt string. The prefix should normally always
348 be present. Just in case it is not. */
349 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
350 /* Skip salt prefix. */
351 salt += sizeof(sha512_salt_prefix) - 1;
352
353 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
354 == 0) {
355 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
356 char *endp;
357 unsigned long int srounds = strtoul(num, &endp, 10);
358 if (*endp == '$') {
359 salt = endp + 1;
360 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
361 rounds_custom = true;
362 }
363 }
364
365 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
366 key_len = strlen(key);
367
368 if ((key - (char *)0) % __alignof__(uint64_t) != 0) {
369 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
370 key = copied_key = memcpy(tmp + __alignof__(uint64_t)
371 - (tmp - (char *)0) % __alignof__(uint64_t),
372 key, key_len);
373 }
374
375 if ((salt - (char *)0) % __alignof__(uint64_t) != 0) {
376 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
377 salt = copied_salt = memcpy(tmp + __alignof__(uint64_t)
378 - (tmp - (char *)0) % __alignof__(uint64_t),
379 salt, salt_len);
380 }
381
382 /* Prepare for the real work. */
383 sha512_init_ctx(&ctx);
384
385 /* Add the key string. */
386 sha512_process_bytes(key, key_len, &ctx);
387
388 /* The last part is the salt string. This must be at most 8
389 characters and it ends at the first `$' character (for
390 compatibility with existing implementations). */
391 sha512_process_bytes(salt, salt_len, &ctx);
392
393 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
394 final result will be added to the first context. */
395 sha512_init_ctx(&alt_ctx);
396
397 /* Add key. */
398 sha512_process_bytes(key, key_len, &alt_ctx);
399
400 /* Add salt. */
401 sha512_process_bytes(salt, salt_len, &alt_ctx);
402
403 /* Add key again. */
404 sha512_process_bytes(key, key_len, &alt_ctx);
405
406 /* Now get result of this (64 bytes) and add it to the other
407 context. */
408 sha512_finish_ctx(&alt_ctx, alt_result);
409
410 /* Add for any character in the key one byte of the alternate sum. */
411 for (cnt = key_len; cnt > 64; cnt -= 64)
412 sha512_process_bytes(alt_result, 64, &ctx);
413 sha512_process_bytes(alt_result, cnt, &ctx);
414
415 /* Take the binary representation of the length of the key and for every
416 1 add the alternate sum, for every 0 the key. */
417 for (cnt = key_len; cnt > 0; cnt >>= 1)
418 if ((cnt & 1) != 0)
419 sha512_process_bytes(alt_result, 64, &ctx);
420 else
421 sha512_process_bytes(key, key_len, &ctx);
422
423 /* Create intermediate result. */
424 sha512_finish_ctx(&ctx, alt_result);
425
426 /* Start computation of P byte sequence. */
427 sha512_init_ctx(&alt_ctx);
428
429 /* For every character in the password add the entire password. */
430 for (cnt = 0; cnt < key_len; ++cnt)
431 sha512_process_bytes(key, key_len, &alt_ctx);
432
433 /* Finish the digest. */
434 sha512_finish_ctx(&alt_ctx, temp_result);
435
436 /* Create byte sequence P. */
437 cp = p_bytes = alloca(key_len);
438 for (cnt = key_len; cnt >= 64; cnt -= 64)
439 cp = mempcpy(cp, temp_result, 64);
440 memcpy(cp, temp_result, cnt);
441
442 /* Start computation of S byte sequence. */
443 sha512_init_ctx(&alt_ctx);
444
445 /* For every character in the password add the entire password. */
446 for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
447 sha512_process_bytes(salt, salt_len, &alt_ctx);
448
449 /* Finish the digest. */
450 sha512_finish_ctx(&alt_ctx, temp_result);
451
452 /* Create byte sequence S. */
453 cp = s_bytes = alloca(salt_len);
454 for (cnt = salt_len; cnt >= 64; cnt -= 64)
455 cp = mempcpy(cp, temp_result, 64);
456 memcpy(cp, temp_result, cnt);
457
458 /* Repeatedly run the collected hash value through SHA512 to burn
459 CPU cycles. */
460 for (cnt = 0; cnt < rounds; ++cnt) {
461 /* New context. */
462 sha512_init_ctx(&ctx);
463
464 /* Add key or last result. */
465 if ((cnt & 1) != 0)
466 sha512_process_bytes(p_bytes, key_len, &ctx);
467 else
468 sha512_process_bytes(alt_result, 64, &ctx);
469
470 /* Add salt for numbers not divisible by 3. */
471 if (cnt % 3 != 0)
472 sha512_process_bytes(s_bytes, salt_len, &ctx);
473
474 /* Add key for numbers not divisible by 7. */
475 if (cnt % 7 != 0)
476 sha512_process_bytes(p_bytes, key_len, &ctx);
477
478 /* Add key or last result. */
479 if ((cnt & 1) != 0)
480 sha512_process_bytes(alt_result, 64, &ctx);
481 else
482 sha512_process_bytes(p_bytes, key_len, &ctx);
483
484 /* Create intermediate result. */
485 sha512_finish_ctx(&ctx, alt_result);
486 }
487
488 /* Now we can construct the result string. It consists of three
489 parts. */
490 cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
491 buflen -= sizeof(sha512_salt_prefix) - 1;
492
493 if (rounds_custom) {
494 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
495 sha512_rounds_prefix, rounds);
496 cp += n;
497 buflen -= n;
498 }
499
500 cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
501 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
502
503 if (buflen > 0) {
504 *cp++ = '$';
505 --buflen;
506 }
507 #define b64_from_24bit(B2, B1, B0, N) \
508 do { \
509 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
510 int n = (N); \
511 while (n-- > 0 && buflen > 0) \
512 { \
513 *cp++ = b64t[w & 0x3f]; \
514 --buflen; \
515 w >>= 6; \
516 } \
517 } while (0)
518
519 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
520 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
521 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
522 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
523 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
524 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
525 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
526 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
527 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
528 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
529 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
530 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
531 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
532 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
533 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
534 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
535 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
536 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
537 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
538 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
539 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
540 b64_from_24bit(0, 0, alt_result[63], 2);
541
542 if (buflen <= 0) {
543 errno = ERANGE;
544 buffer = NULL;
545 } else
546 *cp = '\0'; /* Terminate the string. */
547
548 /* Clear the buffer for the intermediate result so that people
549 attaching to processes or reading core dumps cannot get any
550 information. We do it in this way to clear correct_words[]
551 inside the SHA512 implementation as well. */
552 sha512_init_ctx(&ctx);
553 sha512_finish_ctx(&ctx, alt_result);
554 memset(temp_result, '\0', sizeof(temp_result));
555 memset(p_bytes, '\0', key_len);
556 memset(s_bytes, '\0', salt_len);
557 memset(&ctx, '\0', sizeof(ctx));
558 memset(&alt_ctx, '\0', sizeof(alt_ctx));
559 if (copied_key != NULL)
560 memset(copied_key, '\0', key_len);
561 if (copied_salt != NULL)
562 memset(copied_salt, '\0', salt_len);
563
564 return buffer;
565 }
566
567 /* This entry point is equivalent to the `crypt' function in Unix
568 libcs. */
sha512_crypt(const char * key,const char * salt)569 char *sha512_crypt(const char *key, const char *salt)
570 {
571 /* We don't want to have an arbitrary limit in the size of the
572 password. We can compute an upper bound for the size of the
573 result in advance and so we can prepare the buffer we pass to
574 `sha512_crypt_r'. */
575 static char *buffer;
576 static int buflen;
577 int needed = (sizeof(sha512_salt_prefix) - 1
578 + sizeof(sha512_rounds_prefix) + 9 + 1
579 + strlen(salt) + 1 + 86 + 1);
580
581 if (buflen < needed) {
582 char *new_buffer = (char *)realloc(buffer, needed);
583 if (new_buffer == NULL)
584 return NULL;
585
586 buffer = new_buffer;
587 buflen = needed;
588 }
589
590 return sha512_crypt_r(key, salt, buffer, buflen);
591 }
592
593 #ifdef TEST
594 static const struct {
595 const char *input;
596 const char result[64];
597 } tests[] = {
598 /* Test vectors from FIPS 180-2: appendix C.1. */
599 {
600 "abc",
601 "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
602 "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
603 "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
604 "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"},
605 /* Test vectors from FIPS 180-2: appendix C.2. */
606 {
607 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
608 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
609 "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
610 "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
611 "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
612 "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"},
613 /* Test vectors from the NESSIE project. */
614 {
615 "", "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
616 "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
617 "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
618 "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"},
619 {
620 "a", "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
621 "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
622 "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
623 "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"},
624 {
625 "message digest",
626 "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
627 "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
628 "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
629 "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"},
630 {
631 "abcdefghijklmnopqrstuvwxyz",
632 "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
633 "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
634 "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
635 "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"},
636 {
637 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
638 "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
639 "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
640 "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
641 "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"},
642 {
643 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
644 "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
645 "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
646 "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
647 "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"},
648 {
649 "123456789012345678901234567890123456789012345678901234567890"
650 "12345678901234567890",
651 "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
652 "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
653 "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
654 "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"}
655 };
656
657 #define ntests (sizeof (tests) / sizeof (tests[0]))
658
659 static const struct {
660 const char *salt;
661 const char *input;
662 const char *expected;
663 } tests2[] = {
664 {
665 "$6$saltstring", "Hello world!",
666 "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
667 "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"}, {
668 "$6$rounds=10000$saltstringsaltstring", "Hello world!",
669 "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
670 "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."}, {
671 "$6$rounds=5000$toolongsaltstring", "This is just a test",
672 "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
673 "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"}, {
674 "$6$rounds=1400$anotherlongsaltstring",
675 "a very much longer text to encrypt. This one even stretches over more"
676 "than one line.",
677 "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
678 "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"}, {
679 "$6$rounds=77777$short",
680 "we have a short salt string but not a short password",
681 "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
682 "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"}, {
683 "$6$rounds=123456$asaltof16chars..", "a short string",
684 "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
685 "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"}, {
686 "$6$rounds=10$roundstoolow", "the minimum number is still observed",
687 "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
688 "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."},};
689 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
690
main(void)691 int main(void)
692 {
693 struct sha512_ctx ctx;
694 char sum[64];
695 int result = 0;
696 int cnt;
697
698 for (cnt = 0; cnt < (int)ntests; ++cnt) {
699 sha512_init_ctx(&ctx);
700 sha512_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
701 sha512_finish_ctx(&ctx, sum);
702 if (memcmp(tests[cnt].result, sum, 64) != 0) {
703 printf("test %d run %d failed\n", cnt, 1);
704 result = 1;
705 }
706
707 sha512_init_ctx(&ctx);
708 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
709 sha512_process_bytes(&tests[cnt].input[i], 1, &ctx);
710 sha512_finish_ctx(&ctx, sum);
711 if (memcmp(tests[cnt].result, sum, 64) != 0) {
712 printf("test %d run %d failed\n", cnt, 2);
713 result = 1;
714 }
715 }
716
717 /* Test vector from FIPS 180-2: appendix C.3. */
718 char buf[1000];
719 memset(buf, 'a', sizeof(buf));
720 sha512_init_ctx(&ctx);
721 for (int i = 0; i < 1000; ++i)
722 sha512_process_bytes(buf, sizeof(buf), &ctx);
723 sha512_finish_ctx(&ctx, sum);
724 static const char expected[64] =
725 "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
726 "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
727 "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
728 "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
729 if (memcmp(expected, sum, 64) != 0) {
730 printf("test %d failed\n", cnt);
731 result = 1;
732 }
733
734 for (cnt = 0; cnt < ntests2; ++cnt) {
735 char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
736
737 if (strcmp(cp, tests2[cnt].expected) != 0) {
738 printf("test %d: expected \"%s\", got \"%s\"\n",
739 cnt, tests2[cnt].expected, cp);
740 result = 1;
741 }
742 }
743
744 if (result == 0)
745 puts("all tests OK");
746
747 return result;
748 }
749 #endif
750