xref: /illumos-gate/usr/src/lib/crypt_modules/sha256/crypt_sha.c (revision fb2caebe9e38ee2e6e469d5136fb247faaa7299b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Portions of this code from crypt_bsdmd5.so (bsdmd5.c) :
28  * ----------------------------------------------------------------------------
29  * "THE BEER-WARE LICENSE" (Revision 42):
30  * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
31  * can do whatever you want with this stuff. If we meet some day, and you think
32  * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
33  * ----------------------------------------------------------------------------
34  *
35  * $FreeBSD: crypt.c,v 1.5 1996/10/14 08:34:02 phk Exp $
36  *
37  */
38 
39 /*
40  * Implements the specification from:
41  *
42  * From http://people.redhat.com/drepper/SHA-crypt.txt
43  *
44  * Portions of the code taken from inspired by or verified against the
45  * source in the above document which is licensed as:
46  *
47  * "Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>."
48  */
49 
50 
51 #include <sys/types.h>
52 #include <sys/stat.h>
53 #include <sys/sysmacros.h>
54 #include <fcntl.h>
55 #include <unistd.h>
56 #include <string.h>
57 #include <stdio.h>
58 #include <errno.h>
59 #include <stdlib.h>
60 #include <alloca.h>
61 
62 #include <sha2.h>
63 #include <crypt.h>
64 
65 #define	MAX_SALT_LEN	16
66 #define	ROUNDS_DEFAULT	5000
67 #define	ROUNDS_MIN	1000
68 #define	ROUNDS_MAX	999999999
69 
70 #ifdef CRYPT_SHA256
71 
72 #define	DIGEST_CTX	SHA256_CTX
73 #define	DIGESTInit	SHA256Init
74 #define	DIGESTUpdate	SHA256Update
75 #define	DIGESTFinal	SHA256Final
76 #define	DIGEST_LEN	SHA256_DIGEST_LENGTH
77 #define	MIXCHARS	32
78 static const char crypt_alg_magic[] = "$5";
79 
80 #elif CRYPT_SHA512
81 
82 #define	DIGEST_CTX	SHA512_CTX
83 #define	DIGESTInit	SHA512Init
84 #define	DIGESTUpdate	SHA512Update
85 #define	DIGESTFinal	SHA512Final
86 #define	DIGEST_LEN	SHA512_DIGEST_LENGTH
87 #define	MIXCHARS	64
88 static const char crypt_alg_magic[] = "$6";
89 
90 #else
91 #error	"One of CRYPT_256 or CRYPT_512 must be defined"
92 #endif
93 
94 static const int crypt_alg_magic_len = sizeof (crypt_alg_magic) - 1;
95 
96 
97 static uchar_t b64t[] =		/* 0 ... 63 => ascii - 64 */
98 	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
99 
100 #define	b64_from_24bit(B2, B1, B0, N) \
101 { \
102 	uint_t w = ((B2) << 16) | ((B1) << 8) | (B0); \
103 	int n = (N); \
104 	while (--n >= 0 && ctbufflen > 0) { \
105 		*p++ = b64t[w & 0x3f]; \
106 		w >>= 6; \
107 		ctbufflen--; \
108 	} \
109 }
110 
111 static void
112 to64(char *s, uint64_t v, int n)
113 {
114 	while (--n >= 0) {
115 		*s++ = b64t[v&0x3f];
116 		v >>= 6;
117 	}
118 }
119 
120 #define	ROUNDS		"rounds="
121 #define	ROUNDSLEN	(sizeof (ROUNDS) - 1)
122 
123 /*
124  * get the integer value after rounds= where ever it occurs in the string.
125  * if the last char after the int is a , or $ that is fine anything else is an
126  * error.
127  */
128 static uint32_t
129 getrounds(const char *s)
130 {
131 	char *r, *p, *e;
132 	long val;
133 
134 	if (s == NULL)
135 		return (0);
136 
137 	if ((r = strstr(s, ROUNDS)) == NULL) {
138 		return (0);
139 	}
140 
141 	if (strncmp(r, ROUNDS, ROUNDSLEN) != 0) {
142 		return (0);
143 	}
144 
145 	p = r + ROUNDSLEN;
146 	errno = 0;
147 	val = strtol(p, &e, 10);
148 	/*
149 	 * An error occured or there is non-numeric stuff at the end
150 	 * which isn't one of the crypt(3c) special chars ',' or '$'
151 	 */
152 	if (errno != 0 || val < 0 ||
153 	    !(*e == '\0' || *e == ',' || *e == '$')) {
154 		return (0);
155 	}
156 
157 	return ((uint32_t)val);
158 }
159 
160 
161 char *
162 crypt_genhash_impl(char *ctbuffer,
163 	    size_t ctbufflen,
164 	    const char *plaintext,
165 	    const char *switchsalt,
166 	    const char **params)
167 {
168 	int salt_len, plaintext_len, i;
169 	char *salt;
170 	uchar_t A[DIGEST_LEN];
171 	uchar_t B[DIGEST_LEN];
172 	uchar_t DP[DIGEST_LEN];
173 	uchar_t DS[DIGEST_LEN];
174 	DIGEST_CTX ctxA, ctxB, ctxC, ctxDP, ctxDS;
175 	int rounds = ROUNDS_DEFAULT;
176 	int srounds = 0;
177 	boolean_t custom_rounds = B_FALSE;
178 	char *p;
179 	char *P, *Pp;
180 	char *S, *Sp;
181 
182 	/* Refine the salt */
183 	salt = (char *)switchsalt;
184 
185 	/* skip our magic string */
186 	if (strncmp((char *)salt, crypt_alg_magic, crypt_alg_magic_len) == 0) {
187 		salt += crypt_alg_magic_len + 1;
188 	}
189 
190 	srounds = getrounds(salt);
191 	if (srounds != 0) {
192 		rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
193 		custom_rounds = B_TRUE;
194 		p = strchr(salt, '$');
195 		if (p != NULL)
196 			salt = p + 1;
197 	}
198 
199 	salt_len = MIN(strcspn(salt, "$"), MAX_SALT_LEN);
200 	plaintext_len = strlen(plaintext);
201 
202 	/* 1. */
203 	DIGESTInit(&ctxA);
204 
205 	/* 2. The password first, since that is what is most unknown */
206 	DIGESTUpdate(&ctxA, plaintext, plaintext_len);
207 
208 	/* 3. Then the raw salt */
209 	DIGESTUpdate(&ctxA, salt, salt_len);
210 
211 	/* 4. - 8. */
212 	DIGESTInit(&ctxB);
213 	DIGESTUpdate(&ctxB, plaintext, plaintext_len);
214 	DIGESTUpdate(&ctxB, salt, salt_len);
215 	DIGESTUpdate(&ctxB, plaintext, plaintext_len);
216 	DIGESTFinal(B, &ctxB);
217 
218 	/* 9. - 10. */
219 	for (i = plaintext_len; i > MIXCHARS; i -= MIXCHARS)
220 		DIGESTUpdate(&ctxA, B, MIXCHARS);
221 	DIGESTUpdate(&ctxA, B, i);
222 
223 	/* 11. */
224 	for (i = plaintext_len; i > 0; i >>= 1) {
225 		if ((i & 1) != 0) {
226 			DIGESTUpdate(&ctxA, B, MIXCHARS);
227 		} else {
228 			DIGESTUpdate(&ctxA, plaintext, plaintext_len);
229 		}
230 	}
231 
232 	/* 12. */
233 	DIGESTFinal(A, &ctxA);
234 
235 	/* 13. - 15. */
236 	DIGESTInit(&ctxDP);
237 	for (i = 0; i < plaintext_len; i++)
238 		DIGESTUpdate(&ctxDP, plaintext, plaintext_len);
239 	DIGESTFinal(DP, &ctxDP);
240 
241 	/* 16. */
242 	Pp = P = alloca(plaintext_len);
243 	for (i = plaintext_len; i >= MIXCHARS; i -= MIXCHARS) {
244 		Pp = (char *)(memcpy(Pp, DP, MIXCHARS)) + MIXCHARS;
245 	}
246 	memcpy(Pp, DP, i);
247 
248 	/* 17. - 19. */
249 	DIGESTInit(&ctxDS);
250 	for (i = 0; i < 16 + (uint8_t)A[0]; i++)
251 		DIGESTUpdate(&ctxDS, salt, salt_len);
252 	DIGESTFinal(DS, &ctxDS);
253 
254 	/* 20. */
255 	Sp = S = alloca(salt_len);
256 	for (i = salt_len; i >= MIXCHARS; i -= MIXCHARS) {
257 		Sp = (char *)(memcpy(Sp, DS, MIXCHARS)) + MIXCHARS;
258 	}
259 	memcpy(Sp, DS, i);
260 
261 	/*  21. */
262 	for (i = 0; i < rounds; i++) {
263 		DIGESTInit(&ctxC);
264 
265 		if ((i & 1) != 0) {
266 			DIGESTUpdate(&ctxC, P, plaintext_len);
267 		} else {
268 			if (i == 0)
269 				DIGESTUpdate(&ctxC, A, MIXCHARS);
270 			else
271 				DIGESTUpdate(&ctxC, DP, MIXCHARS);
272 		}
273 
274 		if (i % 3 != 0) {
275 			DIGESTUpdate(&ctxC, S, salt_len);
276 		}
277 
278 		if (i % 7 != 0) {
279 			DIGESTUpdate(&ctxC, P, plaintext_len);
280 		}
281 
282 		if ((i & 1) != 0) {
283 			if (i == 0)
284 				DIGESTUpdate(&ctxC, A, MIXCHARS);
285 			else
286 				DIGESTUpdate(&ctxC, DP, MIXCHARS);
287 		} else {
288 			DIGESTUpdate(&ctxC, P, plaintext_len);
289 		}
290 		DIGESTFinal(DP, &ctxC);
291 	}
292 
293 	/* 22. Now make the output string */
294 	if (custom_rounds) {
295 		(void) snprintf(ctbuffer, ctbufflen,
296 		    "%s$rounds=%zu$", crypt_alg_magic, rounds);
297 	} else {
298 		(void) snprintf(ctbuffer, ctbufflen,
299 		    "%s$", crypt_alg_magic);
300 	}
301 	(void) strncat(ctbuffer, (const char *)salt, salt_len);
302 	(void) strlcat(ctbuffer, "$", ctbufflen);
303 
304 	p = ctbuffer + strlen(ctbuffer);
305 	ctbufflen -= strlen(ctbuffer);
306 
307 #ifdef CRYPT_SHA256
308 	b64_from_24bit(DP[ 0], DP[10], DP[20], 4);
309 	b64_from_24bit(DP[21], DP[ 1], DP[11], 4);
310 	b64_from_24bit(DP[12], DP[22], DP[ 2], 4);
311 	b64_from_24bit(DP[ 3], DP[13], DP[23], 4);
312 	b64_from_24bit(DP[24], DP[ 4], DP[14], 4);
313 	b64_from_24bit(DP[15], DP[25], DP[ 5], 4);
314 	b64_from_24bit(DP[ 6], DP[16], DP[26], 4);
315 	b64_from_24bit(DP[27], DP[ 7], DP[17], 4);
316 	b64_from_24bit(DP[18], DP[28], DP[ 8], 4);
317 	b64_from_24bit(DP[ 9], DP[19], DP[29], 4);
318 	b64_from_24bit(0, DP[31], DP[30], 3);
319 #elif CRYPT_SHA512
320 	b64_from_24bit(DP[ 0], DP[21], DP[42], 4);
321 	b64_from_24bit(DP[22], DP[43], DP[ 1], 4);
322 	b64_from_24bit(DP[44], DP[ 2], DP[23], 4);
323 	b64_from_24bit(DP[ 3], DP[24], DP[45], 4);
324 	b64_from_24bit(DP[25], DP[46], DP[ 4], 4);
325 	b64_from_24bit(DP[47], DP[ 5], DP[26], 4);
326 	b64_from_24bit(DP[ 6], DP[27], DP[48], 4);
327 	b64_from_24bit(DP[28], DP[49], DP[ 7], 4);
328 	b64_from_24bit(DP[50], DP[ 8], DP[29], 4);
329 	b64_from_24bit(DP[ 9], DP[30], DP[51], 4);
330 	b64_from_24bit(DP[31], DP[52], DP[10], 4);
331 	b64_from_24bit(DP[53], DP[11], DP[32], 4);
332 	b64_from_24bit(DP[12], DP[33], DP[54], 4);
333 	b64_from_24bit(DP[34], DP[55], DP[13], 4);
334 	b64_from_24bit(DP[56], DP[14], DP[35], 4);
335 	b64_from_24bit(DP[15], DP[36], DP[57], 4);
336 	b64_from_24bit(DP[37], DP[58], DP[16], 4);
337 	b64_from_24bit(DP[59], DP[17], DP[38], 4);
338 	b64_from_24bit(DP[18], DP[39], DP[60], 4);
339 	b64_from_24bit(DP[40], DP[61], DP[19], 4);
340 	b64_from_24bit(DP[62], DP[20], DP[41], 4);
341 	b64_from_24bit(0, 0, DP[63], 2);
342 #endif
343 	*p = '\0';
344 
345 	(void) memset(A, 0, sizeof (A));
346 	(void) memset(B, 0, sizeof (B));
347 	(void) memset(DP, 0, sizeof (DP));
348 	(void) memset(DS, 0, sizeof (DS));
349 
350 	return (ctbuffer);
351 }
352 
353 char *
354 crypt_gensalt_impl(char *gsbuffer,
355 	    size_t gsbufflen,
356 	    const char *oldsalt,
357 	    const struct passwd *userinfo,
358 	    const char **params)
359 {
360 	int fd;
361 	int err;
362 	ssize_t got;
363 	uint64_t rndval;
364 	uint32_t confrounds = 0;
365 	uint32_t saltrounds;
366 	char rndstr[sizeof (rndval) + 1];
367 	int i;
368 
369 	for (i = 0; params != NULL && params[i] != NULL; i++) {
370 		if (strncmp(params[i], ROUNDS, ROUNDSLEN) == 0) {
371 			confrounds = getrounds(params[i]);
372 		} else {
373 			errno = EINVAL;
374 			return (NULL);
375 		}
376 	}
377 
378 	/*
379 	 * If the config file has a higher value for rounds= than what
380 	 * was in the old salt use that, otherwise keep what was in the
381 	 * old salt.
382 	 */
383 	saltrounds = getrounds(oldsalt);
384 	if (confrounds > saltrounds) {
385 		saltrounds = confrounds;
386 	}
387 
388 	if ((fd = open("/dev/urandom", O_RDONLY)) == -1) {
389 		return (NULL);
390 	}
391 
392 	got = read(fd, &rndval, sizeof (rndval));
393 	if (got < sizeof (rndval)) {
394 		err = errno;
395 		(void) close(fd);
396 		errno = err;
397 		return (NULL);
398 	}
399 	(void) close(fd);
400 
401 	to64((char *)&rndstr, rndval, sizeof (rndval));
402 	rndstr[sizeof (rndstr) - 1] = 0;
403 
404 	if (saltrounds > 0) {
405 		if (snprintf(gsbuffer, gsbufflen,
406 		    "%s$rounds=%d$",
407 		    crypt_alg_magic, saltrounds) >= gsbufflen)
408 			goto fail;
409 	} else {
410 		if (snprintf(gsbuffer, gsbufflen,
411 		    "%s$", crypt_alg_magic) >= gsbufflen)
412 			goto fail;
413 	}
414 	if (strlcat(gsbuffer, rndstr, gsbufflen) >= gsbufflen)
415 		goto fail;
416 	if (strlcat(gsbuffer, "$", gsbufflen) >= gsbufflen)
417 		goto fail;
418 
419 	return (gsbuffer);
420 
421 fail:
422 	(void) memset(gsbuffer, 0, gsbufflen);
423 	return (gsbuffer);
424 }
425