Gitiles
Code Review Sign In
gerrit.nordix.org / codeaurora / busybox / 6bd54d48f44b65464dd637add13292ca8189e1ef / . / libbb / pw_encrypt_sha.c
blob: 3dbaeabc93284f96c109af19bfe1216e9a1643c8 [file] [log] [blame]
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]1/* SHA256 and SHA512-based Unix crypt implementation.
2 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
3 */
4
5/* Prefix for optional rounds specification. */
6static const char str_rounds[] = "rounds=%u$";
7
8/* Maximum salt string length. */
9#define SALT_LEN_MAX 16
10/* Default number of rounds if not explicitly specified. */
11#define ROUNDS_DEFAULT 5000
12/* Minimum number of rounds. */
13#define ROUNDS_MIN 1000
14/* Maximum number of rounds. */
15#define ROUNDS_MAX 999999999
16
17static char *
18NOINLINE
19sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
20{
21 void (*sha_begin)(void *ctx) FAST_FUNC;
22 void (*sha_hash)(const void *buffer, size_t len, void *ctx) FAST_FUNC;
23 void* (*sha_end)(void *resbuf, void *ctx) FAST_FUNC;
24 int _32or64;
25
26 char *result, *resptr;
27
28 /* btw, sha256 needs [32] and uint32_t only */
29 unsigned char alt_result[64] __attribute__((__aligned__(__alignof__(uint64_t))));
30 unsigned char temp_result[64] __attribute__((__aligned__(__alignof__(uint64_t))));
31 union {
32 sha256_ctx_t x;
33 sha512_ctx_t y;
34 } ctx;
35 union {
36 sha256_ctx_t x;
37 sha512_ctx_t y;
38 } alt_ctx;
39 unsigned salt_len;
40 unsigned key_len;
41 unsigned cnt;
42 unsigned rounds;
43 char *cp;
44 char is_sha512;
45
46 /* Analyze salt, construct already known part of result */
47 cnt = strlen(salt_data) + 1 + 43 + 1;
48 is_sha512 = salt_data[1];
49 if (is_sha512 == '6')
50 cnt += 43;
51 result = resptr = xzalloc(cnt); /* will provide NUL terminator */
52 *resptr++ = '$';
53 *resptr++ = is_sha512;
54 *resptr++ = '$';
55 rounds = ROUNDS_DEFAULT;
56 salt_data += 3;
57 if (strncmp(salt_data, str_rounds, 7) == 0) {
58 /* 7 == strlen("rounds=") */
59 char *endp;
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]60 cnt = bb_strtou(salt_data + 7, &endp, 10);
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]61 if (*endp == '$') {
62 salt_data = endp + 1;
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]63 rounds = cnt;
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]64 if (rounds < ROUNDS_MIN)
65 rounds = ROUNDS_MIN;
66 if (rounds > ROUNDS_MAX)
67 rounds = ROUNDS_MAX;
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]68 /* add "rounds=NNNNN$" to result */
69 resptr += sprintf(resptr, str_rounds, rounds);
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]70 }
71 }
72 salt_len = strchrnul(salt_data, '$') - salt_data;
73 if (salt_len > SALT_LEN_MAX)
74 salt_len = SALT_LEN_MAX;
75 /* xstrdup assures suitable alignment; also we will use it
76 as a scratch space later. */
77 salt_data = xstrndup(salt_data, salt_len);
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]78 /* add "salt$" to result */
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]79 strcpy(resptr, salt_data);
80 resptr += salt_len;
81 *resptr++ = '$';
82 /* key data doesn't need much processing */
83 key_len = strlen(key_data);
84 key_data = xstrdup(key_data);
85
86 /* Which flavor of SHAnnn ops to use? */
87 sha_begin = (void*)sha256_begin;
88 sha_hash = (void*)sha256_hash;
89 sha_end = (void*)sha256_end;
90 _32or64 = 32;
91 if (is_sha512 == '6') {
92 sha_begin = (void*)sha512_begin;
93 sha_hash = (void*)sha512_hash;
94 sha_end = (void*)sha512_end;
95 _32or64 = 64;
96 }
97
98 /* Add KEY, SALT. */
99 sha_begin(&ctx);
100 sha_hash(key_data, key_len, &ctx);
101 sha_hash(salt_data, salt_len, &ctx);
102
103 /* Compute alternate SHA sum with input KEY, SALT, and KEY.
104 The final result will be added to the first context. */
105 sha_begin(&alt_ctx);
106 sha_hash(key_data, key_len, &alt_ctx);
107 sha_hash(salt_data, salt_len, &alt_ctx);
108 sha_hash(key_data, key_len, &alt_ctx);
109 sha_end(alt_result, &alt_ctx);
110
111 /* Add result of this to the other context. */
112 /* Add for any character in the key one byte of the alternate sum. */
113 for (cnt = key_len; cnt > _32or64; cnt -= _32or64)
114 sha_hash(alt_result, _32or64, &ctx);
115 sha_hash(alt_result, cnt, &ctx);
116
117 /* Take the binary representation of the length of the key and for every
118 1 add the alternate sum, for every 0 the key. */
119 for (cnt = key_len; cnt != 0; cnt >>= 1)
120 if ((cnt & 1) != 0)
121 sha_hash(alt_result, _32or64, &ctx);
122 else
123 sha_hash(key_data, key_len, &ctx);
124
125 /* Create intermediate result. */
126 sha_end(alt_result, &ctx);
127
128 /* Start computation of P byte sequence. */
129 /* For every character in the password add the entire password. */
130 sha_begin(&alt_ctx);
131 for (cnt = 0; cnt < key_len; ++cnt)
132 sha_hash(key_data, key_len, &alt_ctx);
133 sha_end(temp_result, &alt_ctx);
134
135 /* NB: past this point, raw key_data is not used anymore */
136
137 /* Create byte sequence P. */
138#define p_bytes key_data /* reuse the buffer as it is of the key_len size */
139 cp = p_bytes; /* was: ... = alloca(key_len); */
140 for (cnt = key_len; cnt >= _32or64; cnt -= _32or64) {
141 cp = memcpy(cp, temp_result, _32or64);
142 cp += _32or64;
143 }
144 memcpy(cp, temp_result, cnt);
145
146 /* Start computation of S byte sequence. */
147 /* For every character in the password add the entire password. */
148 sha_begin(&alt_ctx);
149 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
150 sha_hash(salt_data, salt_len, &alt_ctx);
151 sha_end(temp_result, &alt_ctx);
152
153 /* NB: past this point, raw salt_data is not used anymore */
154
155 /* Create byte sequence S. */
156#define s_bytes salt_data /* reuse the buffer as it is of the salt_len size */
157 cp = s_bytes; /* was: ... = alloca(salt_len); */
158 for (cnt = salt_len; cnt >= _32or64; cnt -= _32or64) {
159 cp = memcpy(cp, temp_result, _32or64);
160 cp += _32or64;
161 }
162 memcpy(cp, temp_result, cnt);
163
164 /* Repeatedly run the collected hash value through SHA to burn
165 CPU cycles. */
166 for (cnt = 0; cnt < rounds; ++cnt) {
167 sha_begin(&ctx);
168
169 /* Add key or last result. */
170 if ((cnt & 1) != 0)
171 sha_hash(p_bytes, key_len, &ctx);
172 else
173 sha_hash(alt_result, _32or64, &ctx);
174 /* Add salt for numbers not divisible by 3. */
175 if (cnt % 3 != 0)
176 sha_hash(s_bytes, salt_len, &ctx);
177 /* Add key for numbers not divisible by 7. */
178 if (cnt % 7 != 0)
179 sha_hash(p_bytes, key_len, &ctx);
180 /* Add key or last result. */
181 if ((cnt & 1) != 0)
182 sha_hash(alt_result, _32or64, &ctx);
183 else
184 sha_hash(p_bytes, key_len, &ctx);
185
186 sha_end(alt_result, &ctx);
187 }
188
189
190 /* Append encrypted password to result buffer */
191//TODO: replace with something like
192// bb_uuencode(cp, src, length, bb_uuenc_tbl_XXXbase64);
193#define b64_from_24bit(B2, B1, B0, N) \
194do { \
195 unsigned w = ((B2) << 16) | ((B1) << 8) | (B0); \
196 resptr = to64(resptr, w, N); \
197} while (0)
198 if (is_sha512 == '5') {
Denis Vlasenko6bd54d42008-11-13 12:55:11 +0000[diff] [blame^]199 int i = 0;
200 int j = 10;
201 int k = 20;
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]202 while (1) {
203 b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
204 if (i == 9)
205 break;
Denis Vlasenko6bd54d42008-11-13 12:55:11 +0000[diff] [blame^]206 /* if x - 9 produces < 0, subtract 2 more:
207 * ((i >> 8) << 1) is either 0 or binary 111111...1110 */
208 i -= 9; i = (i & 0x1f) + ((i >> 8) << 1);
209 j -= 9; j = (j & 0x1f) + ((j >> 8) << 1);
210 k -= 9; k = (k & 0x1f) + ((k >> 8) << 1);
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]211 }
Denis Vlasenko6bd54d42008-11-13 12:55:11 +0000[diff] [blame^]212 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]213 /* was:
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]214 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
215 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
216 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
217 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
218 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
219 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
220 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
221 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
222 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
223 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
224 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]225 */
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]226 } else {
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]227 unsigned i = 0;
228 unsigned j = 21;
229 unsigned k = 42;
230 while (1) {
231 b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
232 if (i == 62)
233 break;
234 i += 22; i = ((i >> 6) + i) & 0x3f;
235 j += 22; j = ((j >> 6) + j) & 0x3f;
236 k += 22; k = ((k >> 6) + k) & 0x3f;
237 }
238 b64_from_24bit(0, 0, alt_result[63], 2);
239 /* was:
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]240 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
241 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
242 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
243 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
244 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
245 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
246 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
247 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
248 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
249 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
250 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
251 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
252 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
253 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
254 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
255 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
256 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
257 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
258 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
259 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
260 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
261 b64_from_24bit(0, 0, alt_result[63], 2);
Denis Vlasenko6b1e3d72008-11-13 12:23:46 +0000[diff] [blame]262 */
Denis Vlasenko2211d522008-11-10 18:52:35 +0000[diff] [blame]263 }
264 /* *resptr = '\0'; - xzalloc did it */
265#undef b64_from_24bit
266
267 /* Clear the buffer for the intermediate result so that people
268 attaching to processes or reading core dumps cannot get any
269 information. */
270 memset(temp_result, 0, sizeof(temp_result));
271 memset(alt_result, 0, sizeof(alt_result));
272 memset(&ctx, 0, sizeof(ctx));
273 memset(&alt_ctx, 0, sizeof(alt_ctx));
274 memset(key_data, 0, key_len); /* also p_bytes */
275 memset(salt_data, 0, salt_len); /* also s_bytes */
276 free(key_data);
277 free(salt_data);
278#undef p_bytes
279#undef s_bytes
280
281 return result;
282}