1 /* SHA256 and SHA512-based Unix crypt implementation.
2  * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
3  */
4 
5 /* Prefix for optional rounds specification.  */
6 static const char str_rounds[] ALIGN1 = "rounds=%u$";
7 
8 /* Maximum salt string length.  */
9 #define SALT_LEN_MAX 16
10 /* Default number of rounds if not explicitly specified.  */
11 #define ROUNDS_DEFAULT 5000
12 /* Minimum number of rounds.  */
13 #define ROUNDS_MIN 1000
14 /* Maximum number of rounds.  */
15 #define ROUNDS_MAX 999999999
16 
17 static char *
18 NOINLINE
sha_crypt(char * key_data,char * salt_data)19 sha_crypt(/*const*/ char *key_data, /*const*/ char *salt_data)
20 {
21 #undef sha_end
22 	void (*sha_begin)(void *ctx) FAST_FUNC;
23 	void (*sha_hash)(void *ctx, const void *buffer, size_t len) FAST_FUNC;
24 	unsigned (*sha_end)(void *ctx, void *resbuf) FAST_FUNC;
25 	int _32or64;
26 
27 	char *result, *resptr;
28 
29 	/* btw, sha256 needs [32] and uint32_t only */
30 	struct {
31 		unsigned char alt_result[64];
32 		unsigned char temp_result[64];
33 		union {
34 			sha256_ctx_t x;
35 			sha512_ctx_t y;
36 		} ctx;
37 		union {
38 			sha256_ctx_t x;
39 			sha512_ctx_t y;
40 		} alt_ctx;
41 	} L __attribute__((__aligned__(__alignof__(uint64_t))));
42 #define alt_result  (L.alt_result )
43 #define temp_result (L.temp_result)
44 #define ctx         (L.ctx        )
45 #define alt_ctx     (L.alt_ctx    )
46 	unsigned salt_len;
47 	unsigned key_len;
48 	unsigned cnt;
49 	unsigned rounds;
50 	char *cp;
51 
52 	/* Analyze salt, construct already known part of result */
53 	cnt = strlen(salt_data) + 1 + 43 + 1;
54 	_32or64 = 32;
55 	if (salt_data[1] == '6') { /* sha512 */
56 		_32or64 *= 2; /*64*/
57 		cnt += 43;
58 	}
59 	result = resptr = xzalloc(cnt); /* will provide NUL terminator */
60 	*resptr++ = '$';
61 	*resptr++ = salt_data[1];
62 	*resptr++ = '$';
63 	rounds = ROUNDS_DEFAULT;
64 	salt_data += 3;
65 	if (strncmp(salt_data, str_rounds, 7) == 0) {
66 		/* 7 == strlen("rounds=") */
67 		char *endp;
68 		cnt = bb_strtou(salt_data + 7, &endp, 10);
69 		if (*endp == '$') {
70 			salt_data = endp + 1;
71 			rounds = cnt;
72 			if (rounds < ROUNDS_MIN)
73 				rounds = ROUNDS_MIN;
74 			if (rounds > ROUNDS_MAX)
75 				rounds = ROUNDS_MAX;
76 			/* add "rounds=NNNNN$" to result */
77 			resptr += sprintf(resptr, str_rounds, rounds);
78 		}
79 	}
80 	salt_len = strchrnul(salt_data, '$') - salt_data;
81 	if (salt_len > SALT_LEN_MAX)
82 		salt_len = SALT_LEN_MAX;
83 	/* xstrdup assures suitable alignment; also we will use it
84 	   as a scratch space later. */
85 	salt_data = xstrndup(salt_data, salt_len);
86 	/* add "salt$" to result */
87 	strcpy(resptr, salt_data);
88 	resptr += salt_len;
89 	*resptr++ = '$';
90 	/* key data doesn't need much processing */
91 	key_len = strlen(key_data);
92 	key_data = xstrdup(key_data);
93 
94 	/* Which flavor of SHAnnn ops to use? */
95 	sha_begin = (void*)sha256_begin;
96 	sha_hash = (void*)sha256_hash;
97 	sha_end = (void*)sha256_end;
98 	if (_32or64 != 32) {
99 		sha_begin = (void*)sha512_begin;
100 		sha_hash = (void*)sha512_hash;
101 		sha_end = (void*)sha512_end;
102 	}
103 
104 	/* Add KEY, SALT.  */
105 	sha_begin(&ctx);
106 	sha_hash(&ctx, key_data, key_len);
107 	sha_hash(&ctx, salt_data, salt_len);
108 
109 	/* Compute alternate SHA sum with input KEY, SALT, and KEY.
110 	   The final result will be added to the first context.  */
111 	sha_begin(&alt_ctx);
112 	sha_hash(&alt_ctx, key_data, key_len);
113 	sha_hash(&alt_ctx, salt_data, salt_len);
114 	sha_hash(&alt_ctx, key_data, key_len);
115 	sha_end(&alt_ctx, alt_result);
116 
117 	/* Add result of this to the other context.  */
118 	/* Add for any character in the key one byte of the alternate sum.  */
119 	for (cnt = key_len; cnt > _32or64; cnt -= _32or64)
120 		sha_hash(&ctx, alt_result, _32or64);
121 	sha_hash(&ctx, alt_result, cnt);
122 
123 	/* Take the binary representation of the length of the key and for every
124 	   1 add the alternate sum, for every 0 the key.  */
125 	for (cnt = key_len; cnt != 0; cnt >>= 1)
126 		if ((cnt & 1) != 0)
127 			sha_hash(&ctx, alt_result, _32or64);
128 		else
129 			sha_hash(&ctx, key_data, key_len);
130 
131 	/* Create intermediate result.  */
132 	sha_end(&ctx, alt_result);
133 
134 	/* Start computation of P byte sequence.  */
135 	/* For every character in the password add the entire password.  */
136 	sha_begin(&alt_ctx);
137 	for (cnt = 0; cnt < key_len; ++cnt)
138 		sha_hash(&alt_ctx, key_data, key_len);
139 	sha_end(&alt_ctx, temp_result);
140 
141 	/* NB: past this point, raw key_data is not used anymore */
142 
143 	/* Create byte sequence P.  */
144 #define p_bytes key_data /* reuse the buffer as it is of the key_len size */
145 	cp = p_bytes; /* was: ... = alloca(key_len); */
146 	for (cnt = key_len; cnt >= _32or64; cnt -= _32or64) {
147 		cp = memcpy(cp, temp_result, _32or64);
148 		cp += _32or64;
149 	}
150 	memcpy(cp, temp_result, cnt);
151 
152 	/* Start computation of S byte sequence.  */
153 	/* For every character in the password add the entire password.  */
154 	sha_begin(&alt_ctx);
155 	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
156 		sha_hash(&alt_ctx, salt_data, salt_len);
157 	sha_end(&alt_ctx, temp_result);
158 
159 	/* NB: past this point, raw salt_data is not used anymore */
160 
161 	/* Create byte sequence S.  */
162 #define s_bytes salt_data /* reuse the buffer as it is of the salt_len size */
163 	cp = s_bytes; /* was: ... = alloca(salt_len); */
164 	for (cnt = salt_len; cnt >= _32or64; cnt -= _32or64) {
165 		cp = memcpy(cp, temp_result, _32or64);
166 		cp += _32or64;
167 	}
168 	memcpy(cp, temp_result, cnt);
169 
170 	/* Repeatedly run the collected hash value through SHA to burn
171 	   CPU cycles.  */
172 	for (cnt = 0; cnt < rounds; ++cnt) {
173 		sha_begin(&ctx);
174 
175 		/* Add key or last result.  */
176 		if ((cnt & 1) != 0)
177 			sha_hash(&ctx, p_bytes, key_len);
178 		else
179 			sha_hash(&ctx, alt_result, _32or64);
180 		/* Add salt for numbers not divisible by 3.  */
181 		if (cnt % 3 != 0)
182 			sha_hash(&ctx, s_bytes, salt_len);
183 		/* Add key for numbers not divisible by 7.  */
184 		if (cnt % 7 != 0)
185 			sha_hash(&ctx, p_bytes, key_len);
186 		/* Add key or last result.  */
187 		if ((cnt & 1) != 0)
188 			sha_hash(&ctx, alt_result, _32or64);
189 		else
190 			sha_hash(&ctx, p_bytes, key_len);
191 
192 		sha_end(&ctx, alt_result);
193 	}
194 
195 	/* Append encrypted password to result buffer */
196 //TODO: replace with something like
197 //	bb_uuencode(cp, src, length, bb_uuenc_tbl_XXXbase64);
198 #define b64_from_24bit(B2, B1, B0, N) \
199 do { \
200 	unsigned w = ((B2) << 16) | ((B1) << 8) | (B0); \
201 	resptr = to64(resptr, w, N); \
202 } while (0)
203 	if (_32or64 == 32) { /* sha256 */
204 		unsigned i = 0;
205 		while (1) {
206 			unsigned j = i + 10;
207 			unsigned k = i + 20;
208 			if (j >= 30) j -= 30;
209 			if (k >= 30) k -= 30;
210 			b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
211 			if (k == 29)
212 				break;
213 			i = k + 1;
214 		}
215 		b64_from_24bit(0, alt_result[31], alt_result[30], 3);
216 		/* was:
217 		b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
218 		b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
219 		b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
220 		b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
221 		b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
222 		b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
223 		b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
224 		b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
225 		b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
226 		b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
227 		b64_from_24bit(0, alt_result[31], alt_result[30], 3);
228 		*/
229 	} else {
230 		unsigned i = 0;
231 		while (1) {
232 			unsigned j = i + 21;
233 			unsigned k = i + 42;
234 			if (j >= 63) j -= 63;
235 			if (k >= 63) k -= 63;
236 			b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
237 			if (j == 20)
238 				break;
239 			i = j + 1;
240 		}
241 		b64_from_24bit(0, 0, alt_result[63], 2);
242 		/* was:
243 		b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
244 		b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
245 		b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
246 		b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
247 		b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
248 		b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
249 		b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
250 		b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
251 		b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
252 		b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
253 		b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
254 		b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
255 		b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
256 		b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
257 		b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
258 		b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
259 		b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
260 		b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
261 		b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
262 		b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
263 		b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
264 		b64_from_24bit(0, 0, alt_result[63], 2);
265 		*/
266 	}
267 	/* *resptr = '\0'; - xzalloc did it */
268 #undef b64_from_24bit
269 
270 	/* Clear the buffer for the intermediate result so that people
271 	   attaching to processes or reading core dumps cannot get any
272 	   information.  */
273 	memset(&L, 0, sizeof(L)); /* [alt]_ctx and XXX_result buffers */
274 	memset(key_data, 0, key_len); /* also p_bytes */
275 	memset(salt_data, 0, salt_len); /* also s_bytes */
276 	free(key_data);
277 	free(salt_data);
278 #undef p_bytes
279 #undef s_bytes
280 
281 	return result;
282 #undef alt_result
283 #undef temp_result
284 #undef ctx
285 #undef alt_ctx
286 }
287