1/* SHA512-based Unix crypt implementation. 2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */ 3 4#include <alloca.h> 5#include <endian.h> 6#include <errno.h> 7#include <limits.h> 8#include <stdbool.h> 9#include <stdint.h> 10#include <stdio.h> 11#include <stdlib.h> 12#include <string.h> 13#include <minmax.h> 14#include <sys/types.h> 15 16#include "xcrypt.h" 17 18#define MIN(x,y) min(x,y) 19#define MAX(x,y) max(x,y) 20 21/* Structure to save state of computation between the single steps. */ 22struct sha512_ctx { 23 uint64_t H[8]; 24 25 uint64_t total[2]; 26 uint64_t buflen; 27 char buffer[256]; /* NB: always correctly aligned for uint64_t. */ 28}; 29 30#if __BYTE_ORDER == __LITTLE_ENDIAN 31# define SWAP(n) \ 32 (((n) << 56) \ 33 | (((n) & 0xff00) << 40) \ 34 | (((n) & 0xff0000) << 24) \ 35 | (((n) & 0xff000000) << 8) \ 36 | (((n) >> 8) & 0xff000000) \ 37 | (((n) >> 24) & 0xff0000) \ 38 | (((n) >> 40) & 0xff00) \ 39 | ((n) >> 56)) 40#else 41# define SWAP(n) (n) 42#endif 43 44/* This array contains the bytes used to pad the buffer to the next 45 64-byte boundary. (FIPS 180-2:5.1.2) */ 46static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ }; 47 48/* Constants for SHA512 from FIPS 180-2:4.2.3. */ 49static const uint64_t K[80] = { 50 UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), 51 UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc), 52 UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019), 53 UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118), 54 UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe), 55 UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2), 56 UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1), 57 UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694), 58 UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3), 59 UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65), 60 UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483), 61 UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5), 62 UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210), 63 UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4), 64 UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725), 65 UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70), 66 UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926), 67 UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df), 68 UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8), 69 UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b), 70 UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001), 71 UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30), 72 UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910), 73 UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8), 74 UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53), 75 UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8), 76 UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb), 77 UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3), 78 UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60), 79 UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec), 80 UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9), 81 UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b), 82 UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207), 83 UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178), 84 UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6), 85 UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b), 86 UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493), 87 UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c), 88 UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a), 89 UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817) 90}; 91 92/* Process LEN bytes of BUFFER, accumulating context into CTX. 93 It is assumed that LEN % 128 == 0. */ 94static void 95sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx) 96{ 97 unsigned int t; 98 const uint64_t *words = buffer; 99 size_t nwords = len / sizeof(uint64_t); 100 uint64_t a = ctx->H[0]; 101 uint64_t b = ctx->H[1]; 102 uint64_t c = ctx->H[2]; 103 uint64_t d = ctx->H[3]; 104 uint64_t e = ctx->H[4]; 105 uint64_t f = ctx->H[5]; 106 uint64_t g = ctx->H[6]; 107 uint64_t h = ctx->H[7]; 108 109 /* First increment the byte count. FIPS 180-2 specifies the possible 110 length of the file up to 2^128 bits. Here we only compute the 111 number of bytes. Do a double word increment. */ 112 ctx->total[0] += len; 113 if (ctx->total[0] < len) 114 ++ctx->total[1]; 115 116 /* Process all bytes in the buffer with 128 bytes in each round of 117 the loop. */ 118 while (nwords > 0) { 119 uint64_t W[80]; 120 uint64_t a_save = a; 121 uint64_t b_save = b; 122 uint64_t c_save = c; 123 uint64_t d_save = d; 124 uint64_t e_save = e; 125 uint64_t f_save = f; 126 uint64_t g_save = g; 127 uint64_t h_save = h; 128 129 /* Operators defined in FIPS 180-2:4.1.2. */ 130#define Ch(x, y, z) ((x & y) ^ (~x & z)) 131#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 132#define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39)) 133#define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41)) 134#define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7)) 135#define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6)) 136 137 /* It is unfortunate that C does not provide an operator for 138 cyclic rotation. Hope the C compiler is smart enough. */ 139#define CYCLIC(w, s) ((w >> s) | (w << (64 - s))) 140 141 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */ 142 for (t = 0; t < 16; ++t) { 143 W[t] = SWAP(*words); 144 ++words; 145 } 146 for (t = 16; t < 80; ++t) 147 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16]; 148 149 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */ 150 for (t = 0; t < 80; ++t) { 151 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t]; 152 uint64_t T2 = S0(a) + Maj(a, b, c); 153 h = g; 154 g = f; 155 f = e; 156 e = d + T1; 157 d = c; 158 c = b; 159 b = a; 160 a = T1 + T2; 161 } 162 163 /* Add the starting values of the context according to FIPS 180-2:6.3.2 164 step 4. */ 165 a += a_save; 166 b += b_save; 167 c += c_save; 168 d += d_save; 169 e += e_save; 170 f += f_save; 171 g += g_save; 172 h += h_save; 173 174 /* Prepare for the next round. */ 175 nwords -= 16; 176 } 177 178 /* Put checksum in context given as argument. */ 179 ctx->H[0] = a; 180 ctx->H[1] = b; 181 ctx->H[2] = c; 182 ctx->H[3] = d; 183 ctx->H[4] = e; 184 ctx->H[5] = f; 185 ctx->H[6] = g; 186 ctx->H[7] = h; 187} 188 189/* Initialize structure containing state of computation. 190 (FIPS 180-2:5.3.3) */ 191static void sha512_init_ctx(struct sha512_ctx *ctx) 192{ 193 ctx->H[0] = UINT64_C(0x6a09e667f3bcc908); 194 ctx->H[1] = UINT64_C(0xbb67ae8584caa73b); 195 ctx->H[2] = UINT64_C(0x3c6ef372fe94f82b); 196 ctx->H[3] = UINT64_C(0xa54ff53a5f1d36f1); 197 ctx->H[4] = UINT64_C(0x510e527fade682d1); 198 ctx->H[5] = UINT64_C(0x9b05688c2b3e6c1f); 199 ctx->H[6] = UINT64_C(0x1f83d9abfb41bd6b); 200 ctx->H[7] = UINT64_C(0x5be0cd19137e2179); 201 202 ctx->total[0] = ctx->total[1] = 0; 203 ctx->buflen = 0; 204} 205 206/* Process the remaining bytes in the internal buffer and the usual 207 prolog according to the standard and write the result to RESBUF. 208 209 IMPORTANT: On some systems it is required that RESBUF is correctly 210 aligned for a 32 bits value. */ 211static void *sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf) 212{ 213 unsigned int i; 214 /* Take yet unprocessed bytes into account. */ 215 uint64_t bytes = ctx->buflen; 216 size_t pad; 217 218 /* Now count remaining bytes. */ 219 ctx->total[0] += bytes; 220 if (ctx->total[0] < bytes) 221 ++ctx->total[1]; 222 223 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes; 224 memcpy(&ctx->buffer[bytes], fillbuf, pad); 225 226 /* Put the 128-bit file length in *bits* at the end of the buffer. */ 227 *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3); 228 *(uint64_t *) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) | 229 (ctx->total[0] >> 61)); 230 231 /* Process last bytes. */ 232 sha512_process_block(ctx->buffer, bytes + pad + 16, ctx); 233 234 /* Put result from CTX in first 64 bytes following RESBUF. */ 235 for (i = 0; i < 8; ++i) 236 ((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]); 237 238 return resbuf; 239} 240 241static void 242sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx) 243{ 244 /* When we already have some bits in our internal buffer concatenate 245 both inputs first. */ 246 if (ctx->buflen != 0) { 247 size_t left_over = ctx->buflen; 248 size_t add = 256 - left_over > len ? len : 256 - left_over; 249 250 memcpy(&ctx->buffer[left_over], buffer, add); 251 ctx->buflen += add; 252 253 if (ctx->buflen > 128) { 254 sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx); 255 256 ctx->buflen &= 127; 257 /* The regions in the following copy operation cannot overlap. */ 258 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127], 259 ctx->buflen); 260 } 261 262 buffer = (const char *)buffer + add; 263 len -= add; 264 } 265 266 /* Process available complete blocks. */ 267 if (len >= 128) { 268#if !_STRING_ARCH_unaligned 269/* To check alignment gcc has an appropriate operator. Other 270 compilers don't. */ 271# if __GNUC__ >= 2 272# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0) 273# else 274# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0) 275# endif 276 if (UNALIGNED_P(buffer)) 277 while (len > 128) { 278 sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128, 279 ctx); 280 buffer = (const char *)buffer + 128; 281 len -= 128; 282 } else 283#endif 284 { 285 sha512_process_block(buffer, len & ~127, ctx); 286 buffer = (const char *)buffer + (len & ~127); 287 len &= 127; 288 } 289 } 290 291 /* Move remaining bytes into internal buffer. */ 292 if (len > 0) { 293 size_t left_over = ctx->buflen; 294 295 memcpy(&ctx->buffer[left_over], buffer, len); 296 left_over += len; 297 if (left_over >= 128) { 298 sha512_process_block(ctx->buffer, 128, ctx); 299 left_over -= 128; 300 memcpy(ctx->buffer, &ctx->buffer[128], left_over); 301 } 302 ctx->buflen = left_over; 303 } 304} 305 306/* Define our magic string to mark salt for SHA512 "encryption" 307 replacement. */ 308static const char sha512_salt_prefix[] = "$6$"; 309 310/* Prefix for optional rounds specification. */ 311static const char sha512_rounds_prefix[] = "rounds="; 312 313/* Maximum salt string length. */ 314#define SALT_LEN_MAX 16U 315/* Default number of rounds if not explicitly specified. */ 316#define ROUNDS_DEFAULT 5000UL 317/* Minimum number of rounds. */ 318#define ROUNDS_MIN 1000UL 319/* Maximum number of rounds. */ 320#define ROUNDS_MAX 999999999UL 321 322/* Table with characters for base64 transformation. */ 323static const char b64t[64] = 324 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 325 326static char *sha512_crypt_r(const char *key, const char *salt, char *buffer, 327 int buflen) 328{ 329 unsigned char alt_result[64] 330 __attribute__ ((__aligned__(__alignof__(uint64_t)))); 331 unsigned char temp_result[64] 332 __attribute__ ((__aligned__(__alignof__(uint64_t)))); 333 struct sha512_ctx ctx; 334 struct sha512_ctx alt_ctx; 335 size_t salt_len; 336 size_t key_len; 337 size_t cnt; 338 char *cp; 339 char *copied_key = NULL; 340 char *copied_salt = NULL; 341 char *p_bytes; 342 char *s_bytes; 343 /* Default number of rounds. */ 344 size_t rounds = ROUNDS_DEFAULT; 345 bool rounds_custom = false; 346 347 /* Find beginning of salt string. The prefix should normally always 348 be present. Just in case it is not. */ 349 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0) 350 /* Skip salt prefix. */ 351 salt += sizeof(sha512_salt_prefix) - 1; 352 353 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1) 354 == 0) { 355 const char *num = salt + sizeof(sha512_rounds_prefix) - 1; 356 char *endp; 357 unsigned long int srounds = strtoul(num, &endp, 10); 358 if (*endp == '$') { 359 salt = endp + 1; 360 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX)); 361 rounds_custom = true; 362 } 363 } 364 365 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); 366 key_len = strlen(key); 367 368 if ((key - (char *)0) % __alignof__(uint64_t) != 0) { 369 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t)); 370 key = copied_key = memcpy(tmp + __alignof__(uint64_t) 371 - (tmp - (char *)0) % __alignof__(uint64_t), 372 key, key_len); 373 } 374 375 if ((salt - (char *)0) % __alignof__(uint64_t) != 0) { 376 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t)); 377 salt = copied_salt = memcpy(tmp + __alignof__(uint64_t) 378 - (tmp - (char *)0) % __alignof__(uint64_t), 379 salt, salt_len); 380 } 381 382 /* Prepare for the real work. */ 383 sha512_init_ctx(&ctx); 384 385 /* Add the key string. */ 386 sha512_process_bytes(key, key_len, &ctx); 387 388 /* The last part is the salt string. This must be at most 8 389 characters and it ends at the first `$' character (for 390 compatibility with existing implementations). */ 391 sha512_process_bytes(salt, salt_len, &ctx); 392 393 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The 394 final result will be added to the first context. */ 395 sha512_init_ctx(&alt_ctx); 396 397 /* Add key. */ 398 sha512_process_bytes(key, key_len, &alt_ctx); 399 400 /* Add salt. */ 401 sha512_process_bytes(salt, salt_len, &alt_ctx); 402 403 /* Add key again. */ 404 sha512_process_bytes(key, key_len, &alt_ctx); 405 406 /* Now get result of this (64 bytes) and add it to the other 407 context. */ 408 sha512_finish_ctx(&alt_ctx, alt_result); 409 410 /* Add for any character in the key one byte of the alternate sum. */ 411 for (cnt = key_len; cnt > 64; cnt -= 64) 412 sha512_process_bytes(alt_result, 64, &ctx); 413 sha512_process_bytes(alt_result, cnt, &ctx); 414 415 /* Take the binary representation of the length of the key and for every 416 1 add the alternate sum, for every 0 the key. */ 417 for (cnt = key_len; cnt > 0; cnt >>= 1) 418 if ((cnt & 1) != 0) 419 sha512_process_bytes(alt_result, 64, &ctx); 420 else 421 sha512_process_bytes(key, key_len, &ctx); 422 423 /* Create intermediate result. */ 424 sha512_finish_ctx(&ctx, alt_result); 425 426 /* Start computation of P byte sequence. */ 427 sha512_init_ctx(&alt_ctx); 428 429 /* For every character in the password add the entire password. */ 430 for (cnt = 0; cnt < key_len; ++cnt) 431 sha512_process_bytes(key, key_len, &alt_ctx); 432 433 /* Finish the digest. */ 434 sha512_finish_ctx(&alt_ctx, temp_result); 435 436 /* Create byte sequence P. */ 437 cp = p_bytes = alloca(key_len); 438 for (cnt = key_len; cnt >= 64; cnt -= 64) 439 cp = mempcpy(cp, temp_result, 64); 440 memcpy(cp, temp_result, cnt); 441 442 /* Start computation of S byte sequence. */ 443 sha512_init_ctx(&alt_ctx); 444 445 /* For every character in the password add the entire password. */ 446 for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt) 447 sha512_process_bytes(salt, salt_len, &alt_ctx); 448 449 /* Finish the digest. */ 450 sha512_finish_ctx(&alt_ctx, temp_result); 451 452 /* Create byte sequence S. */ 453 cp = s_bytes = alloca(salt_len); 454 for (cnt = salt_len; cnt >= 64; cnt -= 64) 455 cp = mempcpy(cp, temp_result, 64); 456 memcpy(cp, temp_result, cnt); 457 458 /* Repeatedly run the collected hash value through SHA512 to burn 459 CPU cycles. */ 460 for (cnt = 0; cnt < rounds; ++cnt) { 461 /* New context. */ 462 sha512_init_ctx(&ctx); 463 464 /* Add key or last result. */ 465 if ((cnt & 1) != 0) 466 sha512_process_bytes(p_bytes, key_len, &ctx); 467 else 468 sha512_process_bytes(alt_result, 64, &ctx); 469 470 /* Add salt for numbers not divisible by 3. */ 471 if (cnt % 3 != 0) 472 sha512_process_bytes(s_bytes, salt_len, &ctx); 473 474 /* Add key for numbers not divisible by 7. */ 475 if (cnt % 7 != 0) 476 sha512_process_bytes(p_bytes, key_len, &ctx); 477 478 /* Add key or last result. */ 479 if ((cnt & 1) != 0) 480 sha512_process_bytes(alt_result, 64, &ctx); 481 else 482 sha512_process_bytes(p_bytes, key_len, &ctx); 483 484 /* Create intermediate result. */ 485 sha512_finish_ctx(&ctx, alt_result); 486 } 487 488 /* Now we can construct the result string. It consists of three 489 parts. */ 490 cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen)); 491 buflen -= sizeof(sha512_salt_prefix) - 1; 492 493 if (rounds_custom) { 494 int n = snprintf(cp, MAX(0, buflen), "%s%zu$", 495 sha512_rounds_prefix, rounds); 496 cp += n; 497 buflen -= n; 498 } 499 500 cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); 501 buflen -= MIN((size_t) MAX(0, buflen), salt_len); 502 503 if (buflen > 0) { 504 *cp++ = '$'; 505 --buflen; 506 } 507#define b64_from_24bit(B2, B1, B0, N) \ 508 do { \ 509 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 510 int n = (N); \ 511 while (n-- > 0 && buflen > 0) \ 512 { \ 513 *cp++ = b64t[w & 0x3f]; \ 514 --buflen; \ 515 w >>= 6; \ 516 } \ 517 } while (0) 518 519 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4); 520 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4); 521 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4); 522 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4); 523 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4); 524 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4); 525 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4); 526 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4); 527 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4); 528 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4); 529 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4); 530 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4); 531 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4); 532 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4); 533 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4); 534 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4); 535 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4); 536 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4); 537 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4); 538 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4); 539 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4); 540 b64_from_24bit(0, 0, alt_result[63], 2); 541 542 if (buflen <= 0) { 543 errno = ERANGE; 544 buffer = NULL; 545 } else 546 *cp = '\0'; /* Terminate the string. */ 547 548 /* Clear the buffer for the intermediate result so that people 549 attaching to processes or reading core dumps cannot get any 550 information. We do it in this way to clear correct_words[] 551 inside the SHA512 implementation as well. */ 552 sha512_init_ctx(&ctx); 553 sha512_finish_ctx(&ctx, alt_result); 554 memset(temp_result, '\0', sizeof(temp_result)); 555 memset(p_bytes, '\0', key_len); 556 memset(s_bytes, '\0', salt_len); 557 memset(&ctx, '\0', sizeof(ctx)); 558 memset(&alt_ctx, '\0', sizeof(alt_ctx)); 559 if (copied_key != NULL) 560 memset(copied_key, '\0', key_len); 561 if (copied_salt != NULL) 562 memset(copied_salt, '\0', salt_len); 563 564 return buffer; 565} 566 567/* This entry point is equivalent to the `crypt' function in Unix 568 libcs. */ 569char *sha512_crypt(const char *key, const char *salt) 570{ 571 /* We don't want to have an arbitrary limit in the size of the 572 password. We can compute an upper bound for the size of the 573 result in advance and so we can prepare the buffer we pass to 574 `sha512_crypt_r'. */ 575 static char *buffer; 576 static int buflen; 577 int needed = (sizeof(sha512_salt_prefix) - 1 578 + sizeof(sha512_rounds_prefix) + 9 + 1 579 + strlen(salt) + 1 + 86 + 1); 580 581 if (buflen < needed) { 582 char *new_buffer = (char *)realloc(buffer, needed); 583 if (new_buffer == NULL) 584 return NULL; 585 586 buffer = new_buffer; 587 buflen = needed; 588 } 589 590 return sha512_crypt_r(key, salt, buffer, buflen); 591} 592 593#ifdef TEST 594static const struct { 595 const char *input; 596 const char result[64]; 597} tests[] = { 598 /* Test vectors from FIPS 180-2: appendix C.1. */ 599 { 600 "abc", 601 "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31" 602 "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a" 603 "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd" 604 "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"}, 605 /* Test vectors from FIPS 180-2: appendix C.2. */ 606 { 607 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 608 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 609 "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f" 610 "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18" 611 "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a" 612 "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"}, 613 /* Test vectors from the NESSIE project. */ 614 { 615 "", "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07" 616 "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce" 617 "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f" 618 "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"}, 619 { 620 "a", "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2" 621 "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53" 622 "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46" 623 "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"}, 624 { 625 "message digest", 626 "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51" 627 "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33" 628 "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20" 629 "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"}, 630 { 631 "abcdefghijklmnopqrstuvwxyz", 632 "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81" 633 "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29" 634 "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59" 635 "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"}, 636 { 637 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 638 "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16" 639 "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35" 640 "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0" 641 "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"}, 642 { 643 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 644 "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93" 645 "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4" 646 "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab" 647 "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"}, 648 { 649 "123456789012345678901234567890123456789012345678901234567890" 650 "12345678901234567890", 651 "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95" 652 "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a" 653 "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1" 654 "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"} 655}; 656 657#define ntests (sizeof (tests) / sizeof (tests[0])) 658 659static const struct { 660 const char *salt; 661 const char *input; 662 const char *expected; 663} tests2[] = { 664 { 665 "$6$saltstring", "Hello world!", 666 "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" 667 "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"}, { 668 "$6$rounds=10000$saltstringsaltstring", "Hello world!", 669 "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb" 670 "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."}, { 671 "$6$rounds=5000$toolongsaltstring", "This is just a test", 672 "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ" 673 "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"}, { 674 "$6$rounds=1400$anotherlongsaltstring", 675 "a very much longer text to encrypt. This one even stretches over more" 676 "than one line.", 677 "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP" 678 "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"}, { 679 "$6$rounds=77777$short", 680 "we have a short salt string but not a short password", 681 "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g" 682 "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"}, { 683 "$6$rounds=123456$asaltof16chars..", "a short string", 684 "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc" 685 "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"}, { 686"$6$rounds=10$roundstoolow", "the minimum number is still observed", 687 "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x" 688 "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."},}; 689#define ntests2 (sizeof (tests2) / sizeof (tests2[0])) 690 691int main(void) 692{ 693 struct sha512_ctx ctx; 694 char sum[64]; 695 int result = 0; 696 int cnt; 697 698 for (cnt = 0; cnt < (int)ntests; ++cnt) { 699 sha512_init_ctx(&ctx); 700 sha512_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx); 701 sha512_finish_ctx(&ctx, sum); 702 if (memcmp(tests[cnt].result, sum, 64) != 0) { 703 printf("test %d run %d failed\n", cnt, 1); 704 result = 1; 705 } 706 707 sha512_init_ctx(&ctx); 708 for (int i = 0; tests[cnt].input[i] != '\0'; ++i) 709 sha512_process_bytes(&tests[cnt].input[i], 1, &ctx); 710 sha512_finish_ctx(&ctx, sum); 711 if (memcmp(tests[cnt].result, sum, 64) != 0) { 712 printf("test %d run %d failed\n", cnt, 2); 713 result = 1; 714 } 715 } 716 717 /* Test vector from FIPS 180-2: appendix C.3. */ 718 char buf[1000]; 719 memset(buf, 'a', sizeof(buf)); 720 sha512_init_ctx(&ctx); 721 for (int i = 0; i < 1000; ++i) 722 sha512_process_bytes(buf, sizeof(buf), &ctx); 723 sha512_finish_ctx(&ctx, sum); 724 static const char expected[64] = 725 "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63" 726 "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb" 727 "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b" 728 "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b"; 729 if (memcmp(expected, sum, 64) != 0) { 730 printf("test %d failed\n", cnt); 731 result = 1; 732 } 733 734 for (cnt = 0; cnt < ntests2; ++cnt) { 735 char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt); 736 737 if (strcmp(cp, tests2[cnt].expected) != 0) { 738 printf("test %d: expected \"%s\", got \"%s\"\n", 739 cnt, tests2[cnt].expected, cp); 740 result = 1; 741 } 742 } 743 744 if (result == 0) 745 puts("all tests OK"); 746 747 return result; 748} 749#endif 750