search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Adding upstream version 3.53.
[syslinux-debian/hramrach.git] / com32 / libutil / sha512crypt.c
blob0c3a918a39a2ff4fd7e9275b0215ca951048bd73
1 /* SHA512-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16
17 /* Structure to save state of computation between the single steps. */
18 struct sha512_ctx
19 {
20 uint64_t H[8];
21
22 uint64_t total[2];
23 uint64_t buflen;
24 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
25 };
26
27
28 #if __BYTE_ORDER == __LITTLE_ENDIAN
29 # define SWAP(n) \
30 (((n) << 56) \
31 | (((n) & 0xff00) << 40) \
32 | (((n) & 0xff0000) << 24) \
33 | (((n) & 0xff000000) << 8) \
34 | (((n) >> 8) & 0xff000000) \
35 | (((n) >> 24) & 0xff0000) \
36 | (((n) >> 40) & 0xff00) \
37 | ((n) >> 56))
38 #else
39 # define SWAP(n) (n)
40 #endif
41
42
43 /* This array contains the bytes used to pad the buffer to the next
44 64-byte boundary. (FIPS 180-2:5.1.2) */
45 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
46
47
48 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
49 static const uint64_t K[80] =
50 {
51 UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
52 UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
53 UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
54 UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
55 UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
56 UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
57 UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
58 UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
59 UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
60 UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
61 UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
62 UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
63 UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
64 UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
65 UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
66 UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
67 UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
68 UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
69 UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
70 UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
71 UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
72 UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
73 UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
74 UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
75 UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
76 UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
77 UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
78 UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
79 UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
80 UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
81 UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
82 UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
83 UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
84 UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
85 UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
86 UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
87 UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
88 UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
89 UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
90 UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
91 };
92
93
94 /* Process LEN bytes of BUFFER, accumulating context into CTX.
95 It is assumed that LEN % 128 == 0. */
96 static void
97 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
98 {
99 unsigned int t;
100 const uint64_t *words = buffer;
101 size_t nwords = len / sizeof (uint64_t);
102 uint64_t a = ctx->H[0];
103 uint64_t b = ctx->H[1];
104 uint64_t c = ctx->H[2];
105 uint64_t d = ctx->H[3];
106 uint64_t e = ctx->H[4];
107 uint64_t f = ctx->H[5];
108 uint64_t g = ctx->H[6];
109 uint64_t h = ctx->H[7];
110
111 /* First increment the byte count. FIPS 180-2 specifies the possible
112 length of the file up to 2^128 bits. Here we only compute the
113 number of bytes. Do a double word increment. */
114 ctx->total[0] += len;
115 if (ctx->total[0] < len)
116 ++ctx->total[1];
117
118 /* Process all bytes in the buffer with 128 bytes in each round of
119 the loop. */
120 while (nwords > 0)
121 {
122 uint64_t W[80];
123 uint64_t a_save = a;
124 uint64_t b_save = b;
125 uint64_t c_save = c;
126 uint64_t d_save = d;
127 uint64_t e_save = e;
128 uint64_t f_save = f;
129 uint64_t g_save = g;
130 uint64_t h_save = h;
131
132 /* Operators defined in FIPS 180-2:4.1.2. */
133 #define Ch(x, y, z) ((x & y) ^ (~x & z))
134 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
135 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
136 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
137 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
138 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
139
140 /* It is unfortunate that C does not provide an operator for
141 cyclic rotation. Hope the C compiler is smart enough. */
142 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
143
144 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
145 for (t = 0; t < 16; ++t)
146 {
147 W[t] = SWAP (*words);
148 ++words;
149 }
150 for (t = 16; t < 80; ++t)
151 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
152
153 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
154 for (t = 0; t < 80; ++t)
155 {
156 uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
157 uint64_t T2 = S0 (a) + Maj (a, b, c);
158 h = g;
159 g = f;
160 f = e;
161 e = d + T1;
162 d = c;
163 c = b;
164 b = a;
165 a = T1 + T2;
166 }
167
168 /* Add the starting values of the context according to FIPS 180-2:6.3.2
169 step 4. */
170 a += a_save;
171 b += b_save;
172 c += c_save;
173 d += d_save;
174 e += e_save;
175 f += f_save;
176 g += g_save;
177 h += h_save;
178
179 /* Prepare for the next round. */
180 nwords -= 16;
181 }
182
183 /* Put checksum in context given as argument. */
184 ctx->H[0] = a;
185 ctx->H[1] = b;
186 ctx->H[2] = c;
187 ctx->H[3] = d;
188 ctx->H[4] = e;
189 ctx->H[5] = f;
190 ctx->H[6] = g;
191 ctx->H[7] = h;
192 }
193
194
195 /* Initialize structure containing state of computation.
196 (FIPS 180-2:5.3.3) */
197 static void
198 sha512_init_ctx (struct sha512_ctx *ctx)
199 {
200 ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
201 ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
202 ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
203 ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
204 ctx->H[4] = UINT64_C (0x510e527fade682d1);
205 ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
206 ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
207 ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
208
209 ctx->total[0] = ctx->total[1] = 0;
210 ctx->buflen = 0;
211 }
212
213
214 /* Process the remaining bytes in the internal buffer and the usual
215 prolog according to the standard and write the result to RESBUF.
216
217 IMPORTANT: On some systems it is required that RESBUF is correctly
218 aligned for a 32 bits value. */
219 static void *
220 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
221 {
222 unsigned int i;
223 /* Take yet unprocessed bytes into account. */
224 uint64_t bytes = ctx->buflen;
225 size_t pad;
226
227 /* Now count remaining bytes. */
228 ctx->total[0] += bytes;
229 if (ctx->total[0] < bytes)
230 ++ctx->total[1];
231
232 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
233 memcpy (&ctx->buffer[bytes], fillbuf, pad);
234
235 /* Put the 128-bit file length in *bits* at the end of the buffer. */
236 *(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP (ctx->total[0] << 3);
237 *(uint64_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
238 (ctx->total[0] >> 61));
239
240 /* Process last bytes. */
241 sha512_process_block (ctx->buffer, bytes + pad + 16, ctx);
242
243 /* Put result from CTX in first 64 bytes following RESBUF. */
244 for (i = 0; i < 8; ++i)
245 ((uint64_t *) resbuf)[i] = SWAP (ctx->H[i]);
246
247 return resbuf;
248 }
249
250
251 static void
252 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
253 {
254 /* When we already have some bits in our internal buffer concatenate
255 both inputs first. */
256 if (ctx->buflen != 0)
257 {
258 size_t left_over = ctx->buflen;
259 size_t add = 256 - left_over > len ? len : 256 - left_over;
260
261 memcpy (&ctx->buffer[left_over], buffer, add);
262 ctx->buflen += add;
263
264 if (ctx->buflen > 128)
265 {
266 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
267
268 ctx->buflen &= 127;
269 /* The regions in the following copy operation cannot overlap. */
270 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
271 ctx->buflen);
272 }
273
274 buffer = (const char *) buffer + add;
275 len -= add;
276 }
277
278 /* Process available complete blocks. */
279 if (len >= 128)
280 {
281 #if !_STRING_ARCH_unaligned
282 /* To check alignment gcc has an appropriate operator. Other
283 compilers don't. */
284 # if __GNUC__ >= 2
285 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
286 # else
287 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
288 # endif
289 if (UNALIGNED_P (buffer))
290 while (len > 128)
291 {
292 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128,
293 ctx);
294 buffer = (const char *) buffer + 128;
295 len -= 128;
296 }
297 else
298 #endif
299 {
300 sha512_process_block (buffer, len & ~127, ctx);
301 buffer = (const char *) buffer + (len & ~127);
302 len &= 127;
303 }
304 }
305
306 /* Move remaining bytes into internal buffer. */
307 if (len > 0)
308 {
309 size_t left_over = ctx->buflen;
310
311 memcpy (&ctx->buffer[left_over], buffer, len);
312 left_over += len;
313 if (left_over >= 128)
314 {
315 sha512_process_block (ctx->buffer, 128, ctx);
316 left_over -= 128;
317 memcpy (ctx->buffer, &ctx->buffer[128], left_over);
318 }
319 ctx->buflen = left_over;
320 }
321 }
322
323
324 /* Define our magic string to mark salt for SHA512 "encryption"
325 replacement. */
326 static const char sha512_salt_prefix[] = "$6$";
327
328 /* Prefix for optional rounds specification. */
329 static const char sha512_rounds_prefix[] = "rounds=";
330
331 /* Maximum salt string length. */
332 #define SALT_LEN_MAX 16
333 /* Default number of rounds if not explicitly specified. */
334 #define ROUNDS_DEFAULT 5000
335 /* Minimum number of rounds. */
336 #define ROUNDS_MIN 1000
337 /* Maximum number of rounds. */
338 #define ROUNDS_MAX 999999999
339
340 /* Table with characters for base64 transformation. */
341 static const char b64t[64] =
342 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
343
344
345 static char *
346 sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
347 {
348 unsigned char alt_result[64]
349 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
350 unsigned char temp_result[64]
351 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
352 struct sha512_ctx ctx;
353 struct sha512_ctx alt_ctx;
354 size_t salt_len;
355 size_t key_len;
356 size_t cnt;
357 char *cp;
358 char *copied_key = NULL;
359 char *copied_salt = NULL;
360 char *p_bytes;
361 char *s_bytes;
362 /* Default number of rounds. */
363 size_t rounds = ROUNDS_DEFAULT;
364 bool rounds_custom = false;
365
366 /* Find beginning of salt string. The prefix should normally always
367 be present. Just in case it is not. */
368 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
369 /* Skip salt prefix. */
370 salt += sizeof (sha512_salt_prefix) - 1;
371
372 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
373 == 0)
374 {
375 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
376 char *endp;
377 unsigned long int srounds = strtoul (num, &endp, 10);
378 if (*endp == '$')
379 {
380 salt = endp + 1;
381 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
382 rounds_custom = true;
383 }
384 }
385
386 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
387 key_len = strlen (key);
388
389 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
390 {
391 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
392 key = copied_key =
393 memcpy (tmp + __alignof__ (uint64_t)
394 - (tmp - (char *) 0) % __alignof__ (uint64_t),
395 key, key_len);
396 }
397
398 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
399 {
400 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
401 salt = copied_salt =
402 memcpy (tmp + __alignof__ (uint64_t)
403 - (tmp - (char *) 0) % __alignof__ (uint64_t),
404 salt, salt_len);
405 }
406
407 /* Prepare for the real work. */
408 sha512_init_ctx (&ctx);
409
410 /* Add the key string. */
411 sha512_process_bytes (key, key_len, &ctx);
412
413 /* The last part is the salt string. This must be at most 8
414 characters and it ends at the first `$' character (for
415 compatibility with existing implementations). */
416 sha512_process_bytes (salt, salt_len, &ctx);
417
418
419 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
420 final result will be added to the first context. */
421 sha512_init_ctx (&alt_ctx);
422
423 /* Add key. */
424 sha512_process_bytes (key, key_len, &alt_ctx);
425
426 /* Add salt. */
427 sha512_process_bytes (salt, salt_len, &alt_ctx);
428
429 /* Add key again. */
430 sha512_process_bytes (key, key_len, &alt_ctx);
431
432 /* Now get result of this (64 bytes) and add it to the other
433 context. */
434 sha512_finish_ctx (&alt_ctx, alt_result);
435
436 /* Add for any character in the key one byte of the alternate sum. */
437 for (cnt = key_len; cnt > 64; cnt -= 64)
438 sha512_process_bytes (alt_result, 64, &ctx);
439 sha512_process_bytes (alt_result, cnt, &ctx);
440
441 /* Take the binary representation of the length of the key and for every
442 1 add the alternate sum, for every 0 the key. */
443 for (cnt = key_len; cnt > 0; cnt >>= 1)
444 if ((cnt & 1) != 0)
445 sha512_process_bytes (alt_result, 64, &ctx);
446 else
447 sha512_process_bytes (key, key_len, &ctx);
448
449 /* Create intermediate result. */
450 sha512_finish_ctx (&ctx, alt_result);
451
452 /* Start computation of P byte sequence. */
453 sha512_init_ctx (&alt_ctx);
454
455 /* For every character in the password add the entire password. */
456 for (cnt = 0; cnt < key_len; ++cnt)
457 sha512_process_bytes (key, key_len, &alt_ctx);
458
459 /* Finish the digest. */
460 sha512_finish_ctx (&alt_ctx, temp_result);
461
462 /* Create byte sequence P. */
463 cp = p_bytes = alloca (key_len);
464 for (cnt = key_len; cnt >= 64; cnt -= 64)
465 cp = mempcpy (cp, temp_result, 64);
466 memcpy (cp, temp_result, cnt);
467
468 /* Start computation of S byte sequence. */
469 sha512_init_ctx (&alt_ctx);
470
471 /* For every character in the password add the entire password. */
472 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
473 sha512_process_bytes (salt, salt_len, &alt_ctx);
474
475 /* Finish the digest. */
476 sha512_finish_ctx (&alt_ctx, temp_result);
477
478 /* Create byte sequence S. */
479 cp = s_bytes = alloca (salt_len);
480 for (cnt = salt_len; cnt >= 64; cnt -= 64)
481 cp = mempcpy (cp, temp_result, 64);
482 memcpy (cp, temp_result, cnt);
483
484 /* Repeatedly run the collected hash value through SHA512 to burn
485 CPU cycles. */
486 for (cnt = 0; cnt < rounds; ++cnt)
487 {
488 /* New context. */
489 sha512_init_ctx (&ctx);
490
491 /* Add key or last result. */
492 if ((cnt & 1) != 0)
493 sha512_process_bytes (p_bytes, key_len, &ctx);
494 else
495 sha512_process_bytes (alt_result, 64, &ctx);
496
497 /* Add salt for numbers not divisible by 3. */
498 if (cnt % 3 != 0)
499 sha512_process_bytes (s_bytes, salt_len, &ctx);
500
501 /* Add key for numbers not divisible by 7. */
502 if (cnt % 7 != 0)
503 sha512_process_bytes (p_bytes, key_len, &ctx);
504
505 /* Add key or last result. */
506 if ((cnt & 1) != 0)
507 sha512_process_bytes (alt_result, 64, &ctx);
508 else
509 sha512_process_bytes (p_bytes, key_len, &ctx);
510
511 /* Create intermediate result. */
512 sha512_finish_ctx (&ctx, alt_result);
513 }
514
515 /* Now we can construct the result string. It consists of three
516 parts. */
517 cp = stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
518 buflen -= sizeof (sha512_salt_prefix) - 1;
519
520 if (rounds_custom)
521 {
522 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
523 sha512_rounds_prefix, rounds);
524 cp += n;
525 buflen -= n;
526 }
527
528 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
529 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
530
531 if (buflen > 0)
532 {
533 *cp++ = '$';
534 --buflen;
535 }
536
537 #define b64_from_24bit(B2, B1, B0, N) \
538 do { \
539 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
540 int n = (N); \
541 while (n-- > 0 && buflen > 0) \
542 { \
543 *cp++ = b64t[w & 0x3f]; \
544 --buflen; \
545 w >>= 6; \
546 } \
547 } while (0)
548
549 b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
550 b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
551 b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
552 b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
553 b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
554 b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
555 b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
556 b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
557 b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
558 b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
559 b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
560 b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
561 b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
562 b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
563 b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
564 b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
565 b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
566 b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
567 b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
568 b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
569 b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
570 b64_from_24bit (0, 0, alt_result[63], 2);
571
572 if (buflen <= 0)
573 {
574 errno = ERANGE;
575 buffer = NULL;
576 }
577 else
578 *cp = '\0'; /* Terminate the string. */
579
580 /* Clear the buffer for the intermediate result so that people
581 attaching to processes or reading core dumps cannot get any
582 information. We do it in this way to clear correct_words[]
583 inside the SHA512 implementation as well. */
584 sha512_init_ctx (&ctx);
585 sha512_finish_ctx (&ctx, alt_result);
586 memset (temp_result, '\0', sizeof (temp_result));
587 memset (p_bytes, '\0', key_len);
588 memset (s_bytes, '\0', salt_len);
589 memset (&ctx, '\0', sizeof (ctx));
590 memset (&alt_ctx, '\0', sizeof (alt_ctx));
591 if (copied_key != NULL)
592 memset (copied_key, '\0', key_len);
593 if (copied_salt != NULL)
594 memset (copied_salt, '\0', salt_len);
595
596 return buffer;
597 }
598
599
600 /* This entry point is equivalent to the `crypt' function in Unix
601 libcs. */
602 char *
603 sha512_crypt (const char *key, const char *salt)
604 {
605 /* We don't want to have an arbitrary limit in the size of the
606 password. We can compute an upper bound for the size of the
607 result in advance and so we can prepare the buffer we pass to
608 `sha512_crypt_r'. */
609 static char *buffer;
610 static int buflen;
611 int needed = (sizeof (sha512_salt_prefix) - 1
612 + sizeof (sha512_rounds_prefix) + 9 + 1
613 + strlen (salt) + 1 + 86 + 1);
614
615 if (buflen < needed)
616 {
617 char *new_buffer = (char *) realloc (buffer, needed);
618 if (new_buffer == NULL)
619 return NULL;
620
621 buffer = new_buffer;
622 buflen = needed;
623 }
624
625 return sha512_crypt_r (key, salt, buffer, buflen);
626 }
627
628
629 #ifdef TEST
630 static const struct
631 {
632 const char *input;
633 const char result[64];
634 } tests[] =
635 {
636 /* Test vectors from FIPS 180-2: appendix C.1. */
637 { "abc",
638 "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
639 "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
640 "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
641 "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
642 /* Test vectors from FIPS 180-2: appendix C.2. */
643 { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
644 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
645 "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
646 "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
647 "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
648 "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
649 /* Test vectors from the NESSIE project. */
650 { "",
651 "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
652 "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
653 "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
654 "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
655 { "a",
656 "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
657 "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
658 "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
659 "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
660 { "message digest",
661 "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
662 "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
663 "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
664 "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
665 { "abcdefghijklmnopqrstuvwxyz",
666 "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
667 "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
668 "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
669 "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
670 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
671 "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
672 "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
673 "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
674 "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
675 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
676 "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
677 "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
678 "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
679 "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
680 { "123456789012345678901234567890123456789012345678901234567890"
681 "12345678901234567890",
682 "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
683 "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
684 "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
685 "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
686 };
687 #define ntests (sizeof (tests) / sizeof (tests[0]))
688
689
690 static const struct
691 {
692 const char *salt;
693 const char *input;
694 const char *expected;
695 } tests2[] =
696 {
697 { "$6$saltstring", "Hello world!",
698 "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
699 "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" },
700 { "$6$rounds=10000$saltstringsaltstring", "Hello world!",
701 "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
702 "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
703 { "$6$rounds=5000$toolongsaltstring", "This is just a test",
704 "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
705 "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
706 { "$6$rounds=1400$anotherlongsaltstring",
707 "a very much longer text to encrypt. This one even stretches over more"
708 "than one line.",
709 "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
710 "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
711 { "$6$rounds=77777$short",
712 "we have a short salt string but not a short password",
713 "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
714 "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
715 { "$6$rounds=123456$asaltof16chars..", "a short string",
716 "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
717 "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
718 { "$6$rounds=10$roundstoolow", "the minimum number is still observed",
719 "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
720 "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
721 };
722 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
723
724
725 int
726 main (void)
727 {
728 struct sha512_ctx ctx;
729 char sum[64];
730 int result = 0;
731 int cnt;
732
733 for (cnt = 0; cnt < (int) ntests; ++cnt)
734 {
735 sha512_init_ctx (&ctx);
736 sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
737 sha512_finish_ctx (&ctx, sum);
738 if (memcmp (tests[cnt].result, sum, 64) != 0)
739 {
740 printf ("test %d run %d failed\n", cnt, 1);
741 result = 1;
742 }
743
744 sha512_init_ctx (&ctx);
745 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
746 sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
747 sha512_finish_ctx (&ctx, sum);
748 if (memcmp (tests[cnt].result, sum, 64) != 0)
749 {
750 printf ("test %d run %d failed\n", cnt, 2);
751 result = 1;
752 }
753 }
754
755 /* Test vector from FIPS 180-2: appendix C.3. */
756 char buf[1000];
757 memset (buf, 'a', sizeof (buf));
758 sha512_init_ctx (&ctx);
759 for (int i = 0; i < 1000; ++i)
760 sha512_process_bytes (buf, sizeof (buf), &ctx);
761 sha512_finish_ctx (&ctx, sum);
762 static const char expected[64] =
763 "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
764 "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
765 "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
766 "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
767 if (memcmp (expected, sum, 64) != 0)
768 {
769 printf ("test %d failed\n", cnt);
770 result = 1;
771 }
772
773 for (cnt = 0; cnt < ntests2; ++cnt)
774 {
775 char *cp = sha512_crypt (tests2[cnt].input, tests2[cnt].salt);
776
777 if (strcmp (cp, tests2[cnt].expected) != 0)
778 {
779 printf ("test %d: expected \"%s\", got \"%s\"\n",
780 cnt, tests2[cnt].expected, cp);
781 result = 1;
782 }
783 }
784
785 if (result == 0)
786 puts ("all tests OK");
787
788 return result;
789 }
790 #endif