Context Navigation

source: bootcd/isolinux/syslinux-6.03/com32/libutil/sha512crypt.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 25.9 KB

Line
1	/* SHA512-based Unix crypt implementation.
2	Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4	#include <alloca.h>
5	#include <endian.h>
6	#include <errno.h>
7	#include <limits.h>
8	#include <stdbool.h>
9	#include <stdint.h>
10	#include <stdio.h>
11	#include <stdlib.h>
12	#include <string.h>
13	#include <minmax.h>
14	#include <sys/types.h>
15
16	#include "xcrypt.h"
17
18	#define MIN(x,y) min(x,y)
19	#define MAX(x,y) max(x,y)
20
21	/* Structure to save state of computation between the single steps. */
22	struct sha512_ctx {
23	uint64_t H[8];
24
25	uint64_t total[2];
26	uint64_t buflen;
27	char buffer[256]; /* NB: always correctly aligned for uint64_t. */
28	};
29
30	#if __BYTE_ORDER == __LITTLE_ENDIAN
31	# define SWAP(n) \
32	(((n) << 56) \
33	\| (((n) & 0xff00) << 40) \
34	\| (((n) & 0xff0000) << 24) \
35	\| (((n) & 0xff000000) << 8) \
36	\| (((n) >> 8) & 0xff000000) \
37	\| (((n) >> 24) & 0xff0000) \
38	\| (((n) >> 40) & 0xff00) \
39	\| ((n) >> 56))
40	#else
41	# define SWAP(n) (n)
42	#endif
43
44	/* This array contains the bytes used to pad the buffer to the next
45	64-byte boundary. (FIPS 180-2:5.1.2) */
46	static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
47
48	/* Constants for SHA512 from FIPS 180-2:4.2.3. */
49	static const uint64_t K[80] = {
50	UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
51	UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
52	UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
53	UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
54	UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
55	UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
56	UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
57	UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
58	UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
59	UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
60	UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
61	UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
62	UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
63	UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
64	UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
65	UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
66	UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
67	UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
68	UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
69	UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
70	UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
71	UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
72	UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
73	UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
74	UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
75	UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
76	UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
77	UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
78	UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
79	UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
80	UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
81	UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
82	UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
83	UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
84	UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
85	UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
86	UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
87	UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
88	UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
89	UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
90	};
91
92	/* Process LEN bytes of BUFFER, accumulating context into CTX.
93	It is assumed that LEN % 128 == 0. */
94	static void
95	sha512_process_block(const void buffer, size_t len, struct sha512_ctx ctx)
96	{
97	unsigned int t;
98	const uint64_t *words = buffer;
99	size_t nwords = len / sizeof(uint64_t);
100	uint64_t a = ctx->H[0];
101	uint64_t b = ctx->H[1];
102	uint64_t c = ctx->H[2];
103	uint64_t d = ctx->H[3];
104	uint64_t e = ctx->H[4];
105	uint64_t f = ctx->H[5];
106	uint64_t g = ctx->H[6];
107	uint64_t h = ctx->H[7];
108
109	/* First increment the byte count. FIPS 180-2 specifies the possible
110	length of the file up to 2^128 bits. Here we only compute the
111	number of bytes. Do a double word increment. */
112	ctx->total[0] += len;
113	if (ctx->total[0] < len)
114	++ctx->total[1];
115
116	/* Process all bytes in the buffer with 128 bytes in each round of
117	the loop. */
118	while (nwords > 0) {
119	uint64_t W[80];
120	uint64_t a_save = a;
121	uint64_t b_save = b;
122	uint64_t c_save = c;
123	uint64_t d_save = d;
124	uint64_t e_save = e;
125	uint64_t f_save = f;
126	uint64_t g_save = g;
127	uint64_t h_save = h;
128
129	/* Operators defined in FIPS 180-2:4.1.2. */
130	#define Ch(x, y, z) ((x & y) ^ (~x & z))
131	#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
132	#define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
133	#define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
134	#define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
135	#define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
136
137	/* It is unfortunate that C does not provide an operator for
138	cyclic rotation. Hope the C compiler is smart enough. */
139	#define CYCLIC(w, s) ((w >> s) \| (w << (64 - s)))
140
141	/* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
142	for (t = 0; t < 16; ++t) {
143	W[t] = SWAP(*words);
144	++words;
145	}
146	for (t = 16; t < 80; ++t)
147	W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
148
149	/* The actual computation according to FIPS 180-2:6.3.2 step 3. */
150	for (t = 0; t < 80; ++t) {
151	uint64_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
152	uint64_t T2 = S0(a) + Maj(a, b, c);
153	h = g;
154	g = f;
155	f = e;
156	e = d + T1;
157	d = c;
158	c = b;
159	b = a;
160	a = T1 + T2;
161	}
162
163	/* Add the starting values of the context according to FIPS 180-2:6.3.2
164	step 4. */
165	a += a_save;
166	b += b_save;
167	c += c_save;
168	d += d_save;
169	e += e_save;
170	f += f_save;
171	g += g_save;
172	h += h_save;
173
174	/* Prepare for the next round. */
175	nwords -= 16;
176	}
177
178	/* Put checksum in context given as argument. */
179	ctx->H[0] = a;
180	ctx->H[1] = b;
181	ctx->H[2] = c;
182	ctx->H[3] = d;
183	ctx->H[4] = e;
184	ctx->H[5] = f;
185	ctx->H[6] = g;
186	ctx->H[7] = h;
187	}
188
189	/* Initialize structure containing state of computation.
190	(FIPS 180-2:5.3.3) */
191	static void sha512_init_ctx(struct sha512_ctx *ctx)
192	{
193	ctx->H[0] = UINT64_C(0x6a09e667f3bcc908);
194	ctx->H[1] = UINT64_C(0xbb67ae8584caa73b);
195	ctx->H[2] = UINT64_C(0x3c6ef372fe94f82b);
196	ctx->H[3] = UINT64_C(0xa54ff53a5f1d36f1);
197	ctx->H[4] = UINT64_C(0x510e527fade682d1);
198	ctx->H[5] = UINT64_C(0x9b05688c2b3e6c1f);
199	ctx->H[6] = UINT64_C(0x1f83d9abfb41bd6b);
200	ctx->H[7] = UINT64_C(0x5be0cd19137e2179);
201
202	ctx->total[0] = ctx->total[1] = 0;
203	ctx->buflen = 0;
204	}
205
206	/* Process the remaining bytes in the internal buffer and the usual
207	prolog according to the standard and write the result to RESBUF.
208
209	IMPORTANT: On some systems it is required that RESBUF is correctly
210	aligned for a 32 bits value. */
211	static void sha512_finish_ctx(struct sha512_ctx ctx, void *resbuf)
212	{
213	unsigned int i;
214	/* Take yet unprocessed bytes into account. */
215	uint64_t bytes = ctx->buflen;
216	size_t pad;
217
218	/* Now count remaining bytes. */
219	ctx->total[0] += bytes;
220	if (ctx->total[0] < bytes)
221	++ctx->total[1];
222
223	pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
224	memcpy(&ctx->buffer[bytes], fillbuf, pad);
225
226	/* Put the 128-bit file length in bits at the end of the buffer. */
227	(uint64_t ) & ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
228	(uint64_t ) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) \|
229	(ctx->total[0] >> 61));
230
231	/* Process last bytes. */
232	sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
233
234	/* Put result from CTX in first 64 bytes following RESBUF. */
235	for (i = 0; i < 8; ++i)
236	((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
237
238	return resbuf;
239	}
240
241	static void
242	sha512_process_bytes(const void buffer, size_t len, struct sha512_ctx ctx)
243	{
244	/* When we already have some bits in our internal buffer concatenate
245	both inputs first. */
246	if (ctx->buflen != 0) {
247	size_t left_over = ctx->buflen;
248	size_t add = 256 - left_over > len ? len : 256 - left_over;
249
250	memcpy(&ctx->buffer[left_over], buffer, add);
251	ctx->buflen += add;
252
253	if (ctx->buflen > 128) {
254	sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
255
256	ctx->buflen &= 127;
257	/* The regions in the following copy operation cannot overlap. */
258	memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
259	ctx->buflen);
260	}
261
262	buffer = (const char *)buffer + add;
263	len -= add;
264	}
265
266	/* Process available complete blocks. */
267	if (len >= 128) {
268	#if !_STRING_ARCH_unaligned
269	/* To check alignment gcc has an appropriate operator. Other
270	compilers don't. */
271	# if __GNUC__ >= 2
272	# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
273	# else
274	# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
275	# endif
276	if (UNALIGNED_P(buffer))
277	while (len > 128) {
278	sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128,
279	ctx);
280	buffer = (const char *)buffer + 128;
281	len -= 128;
282	} else
283	#endif
284	{
285	sha512_process_block(buffer, len & ~127, ctx);
286	buffer = (const char *)buffer + (len & ~127);
287	len &= 127;
288	}
289	}
290
291	/* Move remaining bytes into internal buffer. */
292	if (len > 0) {
293	size_t left_over = ctx->buflen;
294
295	memcpy(&ctx->buffer[left_over], buffer, len);
296	left_over += len;
297	if (left_over >= 128) {
298	sha512_process_block(ctx->buffer, 128, ctx);
299	left_over -= 128;
300	memcpy(ctx->buffer, &ctx->buffer[128], left_over);
301	}
302	ctx->buflen = left_over;
303	}
304	}
305
306	/* Define our magic string to mark salt for SHA512 "encryption"
307	replacement. */
308	static const char sha512_salt_prefix[] = "$6$";
309
310	/* Prefix for optional rounds specification. */
311	static const char sha512_rounds_prefix[] = "rounds=";
312
313	/* Maximum salt string length. */
314	#define SALT_LEN_MAX 16U
315	/* Default number of rounds if not explicitly specified. */
316	#define ROUNDS_DEFAULT 5000UL
317	/* Minimum number of rounds. */
318	#define ROUNDS_MIN 1000UL
319	/* Maximum number of rounds. */
320	#define ROUNDS_MAX 999999999UL
321
322	/* Table with characters for base64 transformation. */
323	static const char b64t[64] =
324	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
325
326	static char sha512_crypt_r(const char key, const char salt, char buffer,
327	int buflen)
328	{
329	unsigned char alt_result[64]
330	__attribute__ ((__aligned__(__alignof__(uint64_t))));
331	unsigned char temp_result[64]
332	__attribute__ ((__aligned__(__alignof__(uint64_t))));
333	struct sha512_ctx ctx;
334	struct sha512_ctx alt_ctx;
335	size_t salt_len;
336	size_t key_len;
337	size_t cnt;
338	char *cp;
339	char *copied_key = NULL;
340	char *copied_salt = NULL;
341	char *p_bytes;
342	char *s_bytes;
343	/* Default number of rounds. */
344	size_t rounds = ROUNDS_DEFAULT;
345	bool rounds_custom = false;
346
347	/* Find beginning of salt string. The prefix should normally always
348	be present. Just in case it is not. */
349	if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
350	/* Skip salt prefix. */
351	salt += sizeof(sha512_salt_prefix) - 1;
352
353	if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
354	== 0) {
355	const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
356	char *endp;
357	unsigned long int srounds = strtoul(num, &endp, 10);
358	if (*endp == '$') {
359	salt = endp + 1;
360	rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
361	rounds_custom = true;
362	}
363	}
364
365	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
366	key_len = strlen(key);
367
368	if ((key - (char *)0) % __alignof__(uint64_t) != 0) {
369	char tmp = (char )alloca(key_len + __alignof__(uint64_t));
370	key = copied_key = memcpy(tmp + __alignof__(uint64_t)
371	- (tmp - (char *)0) % __alignof__(uint64_t),
372	key, key_len);
373	}
374
375	if ((salt - (char *)0) % __alignof__(uint64_t) != 0) {
376	char tmp = (char )alloca(salt_len + __alignof__(uint64_t));
377	salt = copied_salt = memcpy(tmp + __alignof__(uint64_t)
378	- (tmp - (char *)0) % __alignof__(uint64_t),
379	salt, salt_len);
380	}
381
382	/* Prepare for the real work. */
383	sha512_init_ctx(&ctx);
384
385	/* Add the key string. */
386	sha512_process_bytes(key, key_len, &ctx);
387
388	/* The last part is the salt string. This must be at most 8
389	characters and it ends at the first `$' character (for
390	compatibility with existing implementations). */
391	sha512_process_bytes(salt, salt_len, &ctx);
392
393	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
394	final result will be added to the first context. */
395	sha512_init_ctx(&alt_ctx);
396
397	/* Add key. */
398	sha512_process_bytes(key, key_len, &alt_ctx);
399
400	/* Add salt. */
401	sha512_process_bytes(salt, salt_len, &alt_ctx);
402
403	/* Add key again. */
404	sha512_process_bytes(key, key_len, &alt_ctx);
405
406	/* Now get result of this (64 bytes) and add it to the other
407	context. */
408	sha512_finish_ctx(&alt_ctx, alt_result);
409
410	/* Add for any character in the key one byte of the alternate sum. */
411	for (cnt = key_len; cnt > 64; cnt -= 64)
412	sha512_process_bytes(alt_result, 64, &ctx);
413	sha512_process_bytes(alt_result, cnt, &ctx);
414
415	/* Take the binary representation of the length of the key and for every
416	1 add the alternate sum, for every 0 the key. */
417	for (cnt = key_len; cnt > 0; cnt >>= 1)
418	if ((cnt & 1) != 0)
419	sha512_process_bytes(alt_result, 64, &ctx);
420	else
421	sha512_process_bytes(key, key_len, &ctx);
422
423	/* Create intermediate result. */
424	sha512_finish_ctx(&ctx, alt_result);
425
426	/* Start computation of P byte sequence. */
427	sha512_init_ctx(&alt_ctx);
428
429	/* For every character in the password add the entire password. */
430	for (cnt = 0; cnt < key_len; ++cnt)
431	sha512_process_bytes(key, key_len, &alt_ctx);
432
433	/* Finish the digest. */
434	sha512_finish_ctx(&alt_ctx, temp_result);
435
436	/* Create byte sequence P. */
437	cp = p_bytes = alloca(key_len);
438	for (cnt = key_len; cnt >= 64; cnt -= 64)
439	cp = mempcpy(cp, temp_result, 64);
440	memcpy(cp, temp_result, cnt);
441
442	/* Start computation of S byte sequence. */
443	sha512_init_ctx(&alt_ctx);
444
445	/* For every character in the password add the entire password. */
446	for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
447	sha512_process_bytes(salt, salt_len, &alt_ctx);
448
449	/* Finish the digest. */
450	sha512_finish_ctx(&alt_ctx, temp_result);
451
452	/* Create byte sequence S. */
453	cp = s_bytes = alloca(salt_len);
454	for (cnt = salt_len; cnt >= 64; cnt -= 64)
455	cp = mempcpy(cp, temp_result, 64);
456	memcpy(cp, temp_result, cnt);
457
458	/* Repeatedly run the collected hash value through SHA512 to burn
459	CPU cycles. */
460	for (cnt = 0; cnt < rounds; ++cnt) {
461	/* New context. */
462	sha512_init_ctx(&ctx);
463
464	/* Add key or last result. */
465	if ((cnt & 1) != 0)
466	sha512_process_bytes(p_bytes, key_len, &ctx);
467	else
468	sha512_process_bytes(alt_result, 64, &ctx);
469
470	/* Add salt for numbers not divisible by 3. */
471	if (cnt % 3 != 0)
472	sha512_process_bytes(s_bytes, salt_len, &ctx);
473
474	/* Add key for numbers not divisible by 7. */
475	if (cnt % 7 != 0)
476	sha512_process_bytes(p_bytes, key_len, &ctx);
477
478	/* Add key or last result. */
479	if ((cnt & 1) != 0)
480	sha512_process_bytes(alt_result, 64, &ctx);
481	else
482	sha512_process_bytes(p_bytes, key_len, &ctx);
483
484	/* Create intermediate result. */
485	sha512_finish_ctx(&ctx, alt_result);
486	}
487
488	/* Now we can construct the result string. It consists of three
489	parts. */
490	cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
491	buflen -= sizeof(sha512_salt_prefix) - 1;
492
493	if (rounds_custom) {
494	int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
495	sha512_rounds_prefix, rounds);
496	cp += n;
497	buflen -= n;
498	}
499
500	cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
501	buflen -= MIN((size_t) MAX(0, buflen), salt_len);
502
503	if (buflen > 0) {
504	*cp++ = '$';
505	--buflen;
506	}
507	#define b64_from_24bit(B2, B1, B0, N) \
508	do { \
509	unsigned int w = ((B2) << 16) \| ((B1) << 8) \| (B0); \
510	int n = (N); \
511	while (n-- > 0 && buflen > 0) \
512	{ \
513	*cp++ = b64t[w & 0x3f]; \
514	--buflen; \
515	w >>= 6; \
516	} \
517	} while (0)
518
519	b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
520	b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
521	b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
522	b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
523	b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
524	b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
525	b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
526	b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
527	b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
528	b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
529	b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
530	b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
531	b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
532	b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
533	b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
534	b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
535	b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
536	b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
537	b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
538	b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
539	b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
540	b64_from_24bit(0, 0, alt_result[63], 2);
541
542	if (buflen <= 0) {
543	errno = ERANGE;
544	buffer = NULL;
545	} else
546	cp = '\0'; / Terminate the string. */
547
548	/* Clear the buffer for the intermediate result so that people
549	attaching to processes or reading core dumps cannot get any
550	information. We do it in this way to clear correct_words[]
551	inside the SHA512 implementation as well. */
552	sha512_init_ctx(&ctx);
553	sha512_finish_ctx(&ctx, alt_result);
554	memset(temp_result, '\0', sizeof(temp_result));
555	memset(p_bytes, '\0', key_len);
556	memset(s_bytes, '\0', salt_len);
557	memset(&ctx, '\0', sizeof(ctx));
558	memset(&alt_ctx, '\0', sizeof(alt_ctx));
559	if (copied_key != NULL)
560	memset(copied_key, '\0', key_len);
561	if (copied_salt != NULL)
562	memset(copied_salt, '\0', salt_len);
563
564	return buffer;
565	}
566
567	/* This entry point is equivalent to the `crypt' function in Unix
568	libcs. */
569	char sha512_crypt(const char key, const char *salt)
570	{
571	/* We don't want to have an arbitrary limit in the size of the
572	password. We can compute an upper bound for the size of the
573	result in advance and so we can prepare the buffer we pass to
574	`sha512_crypt_r'. */
575	static char *buffer;
576	static int buflen;
577	int needed = (sizeof(sha512_salt_prefix) - 1
578	+ sizeof(sha512_rounds_prefix) + 9 + 1
579	+ strlen(salt) + 1 + 86 + 1);
580
581	if (buflen < needed) {
582	char new_buffer = (char )realloc(buffer, needed);
583	if (new_buffer == NULL)
584	return NULL;
585
586	buffer = new_buffer;
587	buflen = needed;
588	}
589
590	return sha512_crypt_r(key, salt, buffer, buflen);
591	}
592
593	#ifdef TEST
594	static const struct {
595	const char *input;
596	const char result[64];
597	} tests[] = {
598	/* Test vectors from FIPS 180-2: appendix C.1. */
599	{
600	"abc",
601	"\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
602	"\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
603	"\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
604	"\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"},
605	/* Test vectors from FIPS 180-2: appendix C.2. */
606	{
607	"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
608	"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
609	"\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
610	"\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
611	"\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
612	"\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"},
613	/* Test vectors from the NESSIE project. */
614	{
615	"", "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
616	"\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
617	"\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
618	"\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"},
619	{
620	"a", "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
621	"\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
622	"\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
623	"\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"},
624	{
625	"message digest",
626	"\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
627	"\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
628	"\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
629	"\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"},
630	{
631	"abcdefghijklmnopqrstuvwxyz",
632	"\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
633	"\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
634	"\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
635	"\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"},
636	{
637	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
638	"\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
639	"\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
640	"\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
641	"\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"},
642	{
643	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
644	"\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
645	"\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
646	"\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
647	"\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"},
648	{
649	"123456789012345678901234567890123456789012345678901234567890"
650	"12345678901234567890",
651	"\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
652	"\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
653	"\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
654	"\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"}
655	};
656
657	#define ntests (sizeof (tests) / sizeof (tests[0]))
658
659	static const struct {
660	const char *salt;
661	const char *input;
662	const char *expected;
663	} tests2[] = {
664	{
665	"$6$saltstring", "Hello world!",
666	"$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
667	"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"}, {
668	"$6$rounds=10000$saltstringsaltstring", "Hello world!",
669	"$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
670	"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."}, {
671	"$6$rounds=5000$toolongsaltstring", "This is just a test",
672	"$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
673	"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"}, {
674	"$6$rounds=1400$anotherlongsaltstring",
675	"a very much longer text to encrypt. This one even stretches over more"
676	"than one line.",
677	"$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
678	"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"}, {
679	"$6$rounds=77777$short",
680	"we have a short salt string but not a short password",
681	"$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
682	"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"}, {
683	"$6$rounds=123456$asaltof16chars..", "a short string",
684	"$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
685	"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"}, {
686	"$6$rounds=10$roundstoolow", "the minimum number is still observed",
687	"$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
688	"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."},};
689	#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
690
691	int main(void)
692	{
693	struct sha512_ctx ctx;
694	char sum[64];
695	int result = 0;
696	int cnt;
697
698	for (cnt = 0; cnt < (int)ntests; ++cnt) {
699	sha512_init_ctx(&ctx);
700	sha512_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
701	sha512_finish_ctx(&ctx, sum);
702	if (memcmp(tests[cnt].result, sum, 64) != 0) {
703	printf("test %d run %d failed\n", cnt, 1);
704	result = 1;
705	}
706
707	sha512_init_ctx(&ctx);
708	for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
709	sha512_process_bytes(&tests[cnt].input[i], 1, &ctx);
710	sha512_finish_ctx(&ctx, sum);
711	if (memcmp(tests[cnt].result, sum, 64) != 0) {
712	printf("test %d run %d failed\n", cnt, 2);
713	result = 1;
714	}
715	}
716
717	/* Test vector from FIPS 180-2: appendix C.3. */
718	char buf[1000];
719	memset(buf, 'a', sizeof(buf));
720	sha512_init_ctx(&ctx);
721	for (int i = 0; i < 1000; ++i)
722	sha512_process_bytes(buf, sizeof(buf), &ctx);
723	sha512_finish_ctx(&ctx, sum);
724	static const char expected[64] =
725	"\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
726	"\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
727	"\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
728	"\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
729	if (memcmp(expected, sum, 64) != 0) {
730	printf("test %d failed\n", cnt);
731	result = 1;
732	}
733
734	for (cnt = 0; cnt < ntests2; ++cnt) {
735	char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
736
737	if (strcmp(cp, tests2[cnt].expected) != 0) {
738	printf("test %d: expected \"%s\", got \"%s\"\n",
739	cnt, tests2[cnt].expected, cp);
740	result = 1;
741	}
742	}
743
744	if (result == 0)
745	puts("all tests OK");
746
747	return result;
748	}
749	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: