Context Navigation

source: bootcd/isolinux/syslinux-6.03/com32/libutil/sha512crypt.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 25.9 KB

Rev	Line
[e16e8f2]	1	/* SHA512-based Unix crypt implementation.
	2	Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
	3
	4	#include <alloca.h>
	5	#include <endian.h>
	6	#include <errno.h>
	7	#include <limits.h>
	8	#include <stdbool.h>
	9	#include <stdint.h>
	10	#include <stdio.h>
	11	#include <stdlib.h>
	12	#include <string.h>
	13	#include <minmax.h>
	14	#include <sys/types.h>
	15
	16	#include "xcrypt.h"
	17
	18	#define MIN(x,y) min(x,y)
	19	#define MAX(x,y) max(x,y)
	20
	21	/* Structure to save state of computation between the single steps. */
	22	struct sha512_ctx {
	23	uint64_t H[8];
	24
	25	uint64_t total[2];
	26	uint64_t buflen;
	27	char buffer[256]; /* NB: always correctly aligned for uint64_t. */
	28	};
	29
	30	#if __BYTE_ORDER == __LITTLE_ENDIAN
	31	# define SWAP(n) \
	32	(((n) << 56) \
	33	\| (((n) & 0xff00) << 40) \
	34	\| (((n) & 0xff0000) << 24) \
	35	\| (((n) & 0xff000000) << 8) \
	36	\| (((n) >> 8) & 0xff000000) \
	37	\| (((n) >> 24) & 0xff0000) \
	38	\| (((n) >> 40) & 0xff00) \
	39	\| ((n) >> 56))
	40	#else
	41	# define SWAP(n) (n)
	42	#endif
	43
	44	/* This array contains the bytes used to pad the buffer to the next
	45	64-byte boundary. (FIPS 180-2:5.1.2) */
	46	static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
	47
	48	/* Constants for SHA512 from FIPS 180-2:4.2.3. */
	49	static const uint64_t K[80] = {
	50	UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
	51	UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
	52	UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
	53	UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
	54	UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
	55	UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
	56	UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
	57	UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
	58	UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
	59	UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
	60	UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
	61	UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
	62	UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
	63	UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
	64	UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
	65	UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
	66	UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
	67	UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
	68	UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
	69	UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
	70	UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
	71	UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
	72	UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
	73	UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
	74	UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
	75	UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
	76	UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
	77	UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
	78	UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
	79	UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
	80	UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
	81	UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
	82	UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
	83	UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
	84	UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
	85	UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
	86	UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
	87	UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
	88	UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
	89	UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
	90	};
	91
	92	/* Process LEN bytes of BUFFER, accumulating context into CTX.
	93	It is assumed that LEN % 128 == 0. */
	94	static void
	95	sha512_process_block(const void buffer, size_t len, struct sha512_ctx ctx)
	96	{
	97	unsigned int t;
	98	const uint64_t *words = buffer;
	99	size_t nwords = len / sizeof(uint64_t);
	100	uint64_t a = ctx->H[0];
	101	uint64_t b = ctx->H[1];
	102	uint64_t c = ctx->H[2];
	103	uint64_t d = ctx->H[3];
	104	uint64_t e = ctx->H[4];
	105	uint64_t f = ctx->H[5];
	106	uint64_t g = ctx->H[6];
	107	uint64_t h = ctx->H[7];
	108
	109	/* First increment the byte count. FIPS 180-2 specifies the possible
	110	length of the file up to 2^128 bits. Here we only compute the
	111	number of bytes. Do a double word increment. */
	112	ctx->total[0] += len;
	113	if (ctx->total[0] < len)
	114	++ctx->total[1];
	115
	116	/* Process all bytes in the buffer with 128 bytes in each round of
	117	the loop. */
	118	while (nwords > 0) {
	119	uint64_t W[80];
	120	uint64_t a_save = a;
	121	uint64_t b_save = b;
	122	uint64_t c_save = c;
	123	uint64_t d_save = d;
	124	uint64_t e_save = e;
	125	uint64_t f_save = f;
	126	uint64_t g_save = g;
	127	uint64_t h_save = h;
	128
	129	/* Operators defined in FIPS 180-2:4.1.2. */
	130	#define Ch(x, y, z) ((x & y) ^ (~x & z))
	131	#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
	132	#define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
	133	#define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
	134	#define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
	135	#define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
	136
	137	/* It is unfortunate that C does not provide an operator for
	138	cyclic rotation. Hope the C compiler is smart enough. */
	139	#define CYCLIC(w, s) ((w >> s) \| (w << (64 - s)))
	140
	141	/* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
	142	for (t = 0; t < 16; ++t) {
	143	W[t] = SWAP(*words);
	144	++words;
	145	}
	146	for (t = 16; t < 80; ++t)
	147	W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
	148
	149	/* The actual computation according to FIPS 180-2:6.3.2 step 3. */
	150	for (t = 0; t < 80; ++t) {
	151	uint64_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
	152	uint64_t T2 = S0(a) + Maj(a, b, c);
	153	h = g;
	154	g = f;
	155	f = e;
	156	e = d + T1;
	157	d = c;
	158	c = b;
	159	b = a;
	160	a = T1 + T2;
	161	}
	162
	163	/* Add the starting values of the context according to FIPS 180-2:6.3.2
	164	step 4. */
	165	a += a_save;
	166	b += b_save;
	167	c += c_save;
	168	d += d_save;
	169	e += e_save;
	170	f += f_save;
	171	g += g_save;
	172	h += h_save;
	173
	174	/* Prepare for the next round. */
	175	nwords -= 16;
	176	}
	177
	178	/* Put checksum in context given as argument. */
	179	ctx->H[0] = a;
	180	ctx->H[1] = b;
	181	ctx->H[2] = c;
	182	ctx->H[3] = d;
	183	ctx->H[4] = e;
	184	ctx->H[5] = f;
	185	ctx->H[6] = g;
	186	ctx->H[7] = h;
	187	}
	188
	189	/* Initialize structure containing state of computation.
	190	(FIPS 180-2:5.3.3) */
	191	static void sha512_init_ctx(struct sha512_ctx *ctx)
	192	{
	193	ctx->H[0] = UINT64_C(0x6a09e667f3bcc908);
	194	ctx->H[1] = UINT64_C(0xbb67ae8584caa73b);
	195	ctx->H[2] = UINT64_C(0x3c6ef372fe94f82b);
	196	ctx->H[3] = UINT64_C(0xa54ff53a5f1d36f1);
	197	ctx->H[4] = UINT64_C(0x510e527fade682d1);
	198	ctx->H[5] = UINT64_C(0x9b05688c2b3e6c1f);
	199	ctx->H[6] = UINT64_C(0x1f83d9abfb41bd6b);
	200	ctx->H[7] = UINT64_C(0x5be0cd19137e2179);
	201
	202	ctx->total[0] = ctx->total[1] = 0;
	203	ctx->buflen = 0;
	204	}
	205
	206	/* Process the remaining bytes in the internal buffer and the usual
	207	prolog according to the standard and write the result to RESBUF.
	208
	209	IMPORTANT: On some systems it is required that RESBUF is correctly
	210	aligned for a 32 bits value. */
	211	static void sha512_finish_ctx(struct sha512_ctx ctx, void *resbuf)
	212	{
	213	unsigned int i;
	214	/* Take yet unprocessed bytes into account. */
	215	uint64_t bytes = ctx->buflen;
	216	size_t pad;
	217
	218	/* Now count remaining bytes. */
	219	ctx->total[0] += bytes;
	220	if (ctx->total[0] < bytes)
	221	++ctx->total[1];
	222
	223	pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
	224	memcpy(&ctx->buffer[bytes], fillbuf, pad);
	225
	226	/* Put the 128-bit file length in bits at the end of the buffer. */
	227	(uint64_t ) & ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
	228	(uint64_t ) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) \|
	229	(ctx->total[0] >> 61));
	230
	231	/* Process last bytes. */
	232	sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
	233
	234	/* Put result from CTX in first 64 bytes following RESBUF. */
	235	for (i = 0; i < 8; ++i)
	236	((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
	237
	238	return resbuf;
	239	}
	240
	241	static void
	242	sha512_process_bytes(const void buffer, size_t len, struct sha512_ctx ctx)
	243	{
	244	/* When we already have some bits in our internal buffer concatenate
	245	both inputs first. */
	246	if (ctx->buflen != 0) {
	247	size_t left_over = ctx->buflen;
	248	size_t add = 256 - left_over > len ? len : 256 - left_over;
	249
	250	memcpy(&ctx->buffer[left_over], buffer, add);
	251	ctx->buflen += add;
	252
	253	if (ctx->buflen > 128) {
	254	sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
	255
	256	ctx->buflen &= 127;
	257	/* The regions in the following copy operation cannot overlap. */
	258	memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
	259	ctx->buflen);
	260	}
	261
	262	buffer = (const char *)buffer + add;
	263	len -= add;
	264	}
	265
	266	/* Process available complete blocks. */
	267	if (len >= 128) {
	268	#if !_STRING_ARCH_unaligned
	269	/* To check alignment gcc has an appropriate operator. Other
	270	compilers don't. */
	271	# if __GNUC__ >= 2
	272	# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
	273	# else
	274	# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
	275	# endif
	276	if (UNALIGNED_P(buffer))
	277	while (len > 128) {
	278	sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128,
	279	ctx);
	280	buffer = (const char *)buffer + 128;
	281	len -= 128;
	282	} else
	283	#endif
	284	{
	285	sha512_process_block(buffer, len & ~127, ctx);
	286	buffer = (const char *)buffer + (len & ~127);
	287	len &= 127;
	288	}
	289	}
	290
	291	/* Move remaining bytes into internal buffer. */
	292	if (len > 0) {
	293	size_t left_over = ctx->buflen;
	294
	295	memcpy(&ctx->buffer[left_over], buffer, len);
	296	left_over += len;
	297	if (left_over >= 128) {
	298	sha512_process_block(ctx->buffer, 128, ctx);
	299	left_over -= 128;
	300	memcpy(ctx->buffer, &ctx->buffer[128], left_over);
	301	}
	302	ctx->buflen = left_over;
	303	}
	304	}
	305
	306	/* Define our magic string to mark salt for SHA512 "encryption"
	307	replacement. */
	308	static const char sha512_salt_prefix[] = "$6$";
	309
	310	/* Prefix for optional rounds specification. */
	311	static const char sha512_rounds_prefix[] = "rounds=";
	312
	313	/* Maximum salt string length. */
	314	#define SALT_LEN_MAX 16U
	315	/* Default number of rounds if not explicitly specified. */
	316	#define ROUNDS_DEFAULT 5000UL
	317	/* Minimum number of rounds. */
	318	#define ROUNDS_MIN 1000UL
	319	/* Maximum number of rounds. */
	320	#define ROUNDS_MAX 999999999UL
	321
	322	/* Table with characters for base64 transformation. */
	323	static const char b64t[64] =
	324	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
	325
	326	static char sha512_crypt_r(const char key, const char salt, char buffer,
	327	int buflen)
	328	{
	329	unsigned char alt_result[64]
	330	__attribute__ ((__aligned__(__alignof__(uint64_t))));
	331	unsigned char temp_result[64]
	332	__attribute__ ((__aligned__(__alignof__(uint64_t))));
	333	struct sha512_ctx ctx;
	334	struct sha512_ctx alt_ctx;
	335	size_t salt_len;
	336	size_t key_len;
	337	size_t cnt;
	338	char *cp;
	339	char *copied_key = NULL;
	340	char *copied_salt = NULL;
	341	char *p_bytes;
	342	char *s_bytes;
	343	/* Default number of rounds. */
	344	size_t rounds = ROUNDS_DEFAULT;
	345	bool rounds_custom = false;
	346
	347	/* Find beginning of salt string. The prefix should normally always
	348	be present. Just in case it is not. */
	349	if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
	350	/* Skip salt prefix. */
	351	salt += sizeof(sha512_salt_prefix) - 1;
	352
	353	if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
	354	== 0) {
	355	const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
	356	char *endp;
	357	unsigned long int srounds = strtoul(num, &endp, 10);
	358	if (*endp == '$') {
	359	salt = endp + 1;
	360	rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
	361	rounds_custom = true;
	362	}
	363	}
	364
	365	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
	366	key_len = strlen(key);
	367
	368	if ((key - (char *)0) % __alignof__(uint64_t) != 0) {
	369	char tmp = (char )alloca(key_len + __alignof__(uint64_t));
	370	key = copied_key = memcpy(tmp + __alignof__(uint64_t)
	371	- (tmp - (char *)0) % __alignof__(uint64_t),
	372	key, key_len);
	373	}
	374
	375	if ((salt - (char *)0) % __alignof__(uint64_t) != 0) {
	376	char tmp = (char )alloca(salt_len + __alignof__(uint64_t));
	377	salt = copied_salt = memcpy(tmp + __alignof__(uint64_t)
	378	- (tmp - (char *)0) % __alignof__(uint64_t),
	379	salt, salt_len);
	380	}
	381
	382	/* Prepare for the real work. */
	383	sha512_init_ctx(&ctx);
	384
	385	/* Add the key string. */
	386	sha512_process_bytes(key, key_len, &ctx);
	387
	388	/* The last part is the salt string. This must be at most 8
	389	characters and it ends at the first `$' character (for
	390	compatibility with existing implementations). */
	391	sha512_process_bytes(salt, salt_len, &ctx);
	392
	393	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
	394	final result will be added to the first context. */
	395	sha512_init_ctx(&alt_ctx);
	396
	397	/* Add key. */
	398	sha512_process_bytes(key, key_len, &alt_ctx);
	399
	400	/* Add salt. */
	401	sha512_process_bytes(salt, salt_len, &alt_ctx);
	402
	403	/* Add key again. */
	404	sha512_process_bytes(key, key_len, &alt_ctx);
	405
	406	/* Now get result of this (64 bytes) and add it to the other
	407	context. */
	408	sha512_finish_ctx(&alt_ctx, alt_result);
	409
	410	/* Add for any character in the key one byte of the alternate sum. */
	411	for (cnt = key_len; cnt > 64; cnt -= 64)
	412	sha512_process_bytes(alt_result, 64, &ctx);
	413	sha512_process_bytes(alt_result, cnt, &ctx);
	414
	415	/* Take the binary representation of the length of the key and for every
	416	1 add the alternate sum, for every 0 the key. */
	417	for (cnt = key_len; cnt > 0; cnt >>= 1)
	418	if ((cnt & 1) != 0)
	419	sha512_process_bytes(alt_result, 64, &ctx);
	420	else
	421	sha512_process_bytes(key, key_len, &ctx);
	422
	423	/* Create intermediate result. */
	424	sha512_finish_ctx(&ctx, alt_result);
	425
	426	/* Start computation of P byte sequence. */
	427	sha512_init_ctx(&alt_ctx);
	428
	429	/* For every character in the password add the entire password. */
	430	for (cnt = 0; cnt < key_len; ++cnt)
	431	sha512_process_bytes(key, key_len, &alt_ctx);
	432
	433	/* Finish the digest. */
	434	sha512_finish_ctx(&alt_ctx, temp_result);
	435
	436	/* Create byte sequence P. */
	437	cp = p_bytes = alloca(key_len);
	438	for (cnt = key_len; cnt >= 64; cnt -= 64)
	439	cp = mempcpy(cp, temp_result, 64);
	440	memcpy(cp, temp_result, cnt);
	441
	442	/* Start computation of S byte sequence. */
	443	sha512_init_ctx(&alt_ctx);
	444
	445	/* For every character in the password add the entire password. */
	446	for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
	447	sha512_process_bytes(salt, salt_len, &alt_ctx);
	448
	449	/* Finish the digest. */
	450	sha512_finish_ctx(&alt_ctx, temp_result);
	451
	452	/* Create byte sequence S. */
	453	cp = s_bytes = alloca(salt_len);
	454	for (cnt = salt_len; cnt >= 64; cnt -= 64)
	455	cp = mempcpy(cp, temp_result, 64);
	456	memcpy(cp, temp_result, cnt);
	457
	458	/* Repeatedly run the collected hash value through SHA512 to burn
	459	CPU cycles. */
	460	for (cnt = 0; cnt < rounds; ++cnt) {
	461	/* New context. */
	462	sha512_init_ctx(&ctx);
	463
	464	/* Add key or last result. */
	465	if ((cnt & 1) != 0)
	466	sha512_process_bytes(p_bytes, key_len, &ctx);
	467	else
	468	sha512_process_bytes(alt_result, 64, &ctx);
	469
	470	/* Add salt for numbers not divisible by 3. */
	471	if (cnt % 3 != 0)
	472	sha512_process_bytes(s_bytes, salt_len, &ctx);
	473
	474	/* Add key for numbers not divisible by 7. */
	475	if (cnt % 7 != 0)
	476	sha512_process_bytes(p_bytes, key_len, &ctx);
	477
	478	/* Add key or last result. */
	479	if ((cnt & 1) != 0)
	480	sha512_process_bytes(alt_result, 64, &ctx);
	481	else
	482	sha512_process_bytes(p_bytes, key_len, &ctx);
	483
	484	/* Create intermediate result. */
	485	sha512_finish_ctx(&ctx, alt_result);
	486	}
	487
	488	/* Now we can construct the result string. It consists of three
	489	parts. */
	490	cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
	491	buflen -= sizeof(sha512_salt_prefix) - 1;
	492
	493	if (rounds_custom) {
	494	int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
	495	sha512_rounds_prefix, rounds);
	496	cp += n;
	497	buflen -= n;
	498	}
	499
	500	cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
	501	buflen -= MIN((size_t) MAX(0, buflen), salt_len);
	502
	503	if (buflen > 0) {
	504	*cp++ = '$';
	505	--buflen;
	506	}
	507	#define b64_from_24bit(B2, B1, B0, N) \
	508	do { \
	509	unsigned int w = ((B2) << 16) \| ((B1) << 8) \| (B0); \
	510	int n = (N); \
	511	while (n-- > 0 && buflen > 0) \
	512	{ \
	513	*cp++ = b64t[w & 0x3f]; \
	514	--buflen; \
	515	w >>= 6; \
	516	} \
	517	} while (0)
	518
	519	b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
	520	b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
	521	b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
	522	b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
	523	b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
	524	b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
	525	b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
	526	b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
	527	b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
	528	b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
	529	b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
	530	b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
	531	b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
	532	b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
	533	b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
	534	b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
	535	b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
	536	b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
	537	b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
	538	b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
	539	b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
	540	b64_from_24bit(0, 0, alt_result[63], 2);
	541
	542	if (buflen <= 0) {
	543	errno = ERANGE;
	544	buffer = NULL;
	545	} else
	546	cp = '\0'; / Terminate the string. */
	547
	548	/* Clear the buffer for the intermediate result so that people
	549	attaching to processes or reading core dumps cannot get any
	550	information. We do it in this way to clear correct_words[]
	551	inside the SHA512 implementation as well. */
	552	sha512_init_ctx(&ctx);
	553	sha512_finish_ctx(&ctx, alt_result);
	554	memset(temp_result, '\0', sizeof(temp_result));
	555	memset(p_bytes, '\0', key_len);
	556	memset(s_bytes, '\0', salt_len);
	557	memset(&ctx, '\0', sizeof(ctx));
	558	memset(&alt_ctx, '\0', sizeof(alt_ctx));
	559	if (copied_key != NULL)
	560	memset(copied_key, '\0', key_len);
	561	if (copied_salt != NULL)
	562	memset(copied_salt, '\0', salt_len);
	563
	564	return buffer;
	565	}
	566
	567	/* This entry point is equivalent to the `crypt' function in Unix
	568	libcs. */
	569	char sha512_crypt(const char key, const char *salt)
	570	{
	571	/* We don't want to have an arbitrary limit in the size of the
	572	password. We can compute an upper bound for the size of the
	573	result in advance and so we can prepare the buffer we pass to
	574	`sha512_crypt_r'. */
	575	static char *buffer;
	576	static int buflen;
	577	int needed = (sizeof(sha512_salt_prefix) - 1
	578	+ sizeof(sha512_rounds_prefix) + 9 + 1
	579	+ strlen(salt) + 1 + 86 + 1);
	580
	581	if (buflen < needed) {
	582	char new_buffer = (char )realloc(buffer, needed);
	583	if (new_buffer == NULL)
	584	return NULL;
	585
	586	buffer = new_buffer;
	587	buflen = needed;
	588	}
	589
	590	return sha512_crypt_r(key, salt, buffer, buflen);
	591	}
	592
	593	#ifdef TEST
	594	static const struct {
	595	const char *input;
	596	const char result[64];
	597	} tests[] = {
	598	/* Test vectors from FIPS 180-2: appendix C.1. */
	599	{
	600	"abc",
	601	"\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
	602	"\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
	603	"\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
	604	"\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"},
	605	/* Test vectors from FIPS 180-2: appendix C.2. */
	606	{
	607	"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
	608	"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
	609	"\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
	610	"\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
	611	"\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
	612	"\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"},
	613	/* Test vectors from the NESSIE project. */
	614	{
	615	"", "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
	616	"\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
	617	"\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
	618	"\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"},
	619	{
	620	"a", "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
	621	"\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
	622	"\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
	623	"\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"},
	624	{
	625	"message digest",
	626	"\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
	627	"\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
	628	"\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
	629	"\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"},
	630	{
	631	"abcdefghijklmnopqrstuvwxyz",
	632	"\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
	633	"\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
	634	"\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
	635	"\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"},
	636	{
	637	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
	638	"\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
	639	"\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
	640	"\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
	641	"\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"},
	642	{
	643	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
	644	"\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
	645	"\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
	646	"\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
	647	"\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"},
	648	{
	649	"123456789012345678901234567890123456789012345678901234567890"
	650	"12345678901234567890",
	651	"\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
	652	"\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
	653	"\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
	654	"\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"}
	655	};
	656
	657	#define ntests (sizeof (tests) / sizeof (tests[0]))
	658
	659	static const struct {
	660	const char *salt;
	661	const char *input;
	662	const char *expected;
	663	} tests2[] = {
	664	{
	665	"$6$saltstring", "Hello world!",
	666	"$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
	667	"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"}, {
	668	"$6$rounds=10000$saltstringsaltstring", "Hello world!",
	669	"$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
	670	"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."}, {
	671	"$6$rounds=5000$toolongsaltstring", "This is just a test",
	672	"$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
	673	"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"}, {
	674	"$6$rounds=1400$anotherlongsaltstring",
	675	"a very much longer text to encrypt. This one even stretches over more"
	676	"than one line.",
	677	"$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
	678	"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"}, {
	679	"$6$rounds=77777$short",
	680	"we have a short salt string but not a short password",
	681	"$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
	682	"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"}, {
	683	"$6$rounds=123456$asaltof16chars..", "a short string",
	684	"$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
	685	"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"}, {
	686	"$6$rounds=10$roundstoolow", "the minimum number is still observed",
	687	"$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
	688	"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."},};
	689	#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
	690
	691	int main(void)
	692	{
	693	struct sha512_ctx ctx;
	694	char sum[64];
	695	int result = 0;
	696	int cnt;
	697
	698	for (cnt = 0; cnt < (int)ntests; ++cnt) {
	699	sha512_init_ctx(&ctx);
	700	sha512_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
	701	sha512_finish_ctx(&ctx, sum);
	702	if (memcmp(tests[cnt].result, sum, 64) != 0) {
	703	printf("test %d run %d failed\n", cnt, 1);
	704	result = 1;
	705	}
	706
	707	sha512_init_ctx(&ctx);
	708	for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
	709	sha512_process_bytes(&tests[cnt].input[i], 1, &ctx);
	710	sha512_finish_ctx(&ctx, sum);
	711	if (memcmp(tests[cnt].result, sum, 64) != 0) {
	712	printf("test %d run %d failed\n", cnt, 2);
	713	result = 1;
	714	}
	715	}
	716
	717	/* Test vector from FIPS 180-2: appendix C.3. */
	718	char buf[1000];
	719	memset(buf, 'a', sizeof(buf));
	720	sha512_init_ctx(&ctx);
	721	for (int i = 0; i < 1000; ++i)
	722	sha512_process_bytes(buf, sizeof(buf), &ctx);
	723	sha512_finish_ctx(&ctx, sum);
	724	static const char expected[64] =
	725	"\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
	726	"\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
	727	"\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
	728	"\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
	729	if (memcmp(expected, sum, 64) != 0) {
	730	printf("test %d failed\n", cnt);
	731	result = 1;
	732	}
	733
	734	for (cnt = 0; cnt < ntests2; ++cnt) {
	735	char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
	736
	737	if (strcmp(cp, tests2[cnt].expected) != 0) {
	738	printf("test %d: expected \"%s\", got \"%s\"\n",
	739	cnt, tests2[cnt].expected, cp);
	740	result = 1;
	741	}
	742	}
	743
	744	if (result == 0)
	745	puts("all tests OK");
	746
	747	return result;
	748	}
	749	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: