#include <errno.h>#include <limits.h>#include <stdint.h>#include <stdbool.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/param.h>#include <sys/types.h>Go to the source code of this file.
Classes | |
| struct | sha256_ctx |
Macros | |
| #define | MAX(x, y) |
| #define | MIN(x, y) |
| #define | SWAP(n) |
| #define | Ch(x, y, z) |
| #define | Maj(x, y, z) |
| #define | S0(x) |
| #define | S1(x) |
| #define | R0(x) |
| #define | R1(x) |
| #define | CYCLIC(w, s) |
| #define | UNALIGNED_P(p) |
| #define | SALT_LEN_MAX 16 |
| #define | ROUNDS_DEFAULT 5000 |
| #define | ROUNDS_MIN 1000 |
| #define | ROUNDS_MAX 999999999 |
| #define | b64_from_24bit(B2, B1, B0, N) |
Functions | |
| static void | sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) |
| static void | sha256_init_ctx (struct sha256_ctx *ctx) |
| static void * | sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) |
| static void | sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) |
| static char * | sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen) |
| char * | sha256_crypt (const char *key, const char *salt) |
Variables | |
| static const unsigned char | fillbuf [64] = { 0x80, 0 } |
| static const uint32_t | K [64] |
| static const char | sha256_salt_prefix [] = "$5$" |
| static const char | sha256_rounds_prefix [] = "rounds=" |
| static const char | b64t [65] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" |
Macro Definition Documentation
◆ MAX
◆ MIN
◆ SWAP
| #define SWAP | ( | n | ) |
◆ Ch
| #define Ch | ( | x, | |
| y, | |||
| z ) |
Value:
((x & y) ^ (~x & z))
◆ Maj
| #define Maj | ( | x, | |
| y, | |||
| z ) |
Value:
((x & y) ^ (x & z) ^ (y & z))
◆ S0
◆ S1
◆ R0
◆ R1
◆ CYCLIC
| #define CYCLIC | ( | w, | |
| s ) |
Value:
((w >> s) | (w << (32 - s)))
◆ UNALIGNED_P
| #define UNALIGNED_P | ( | p | ) |
Value:
(((uintptr_t) p) % sizeof (uint32_t) != 0)
◆ SALT_LEN_MAX
◆ ROUNDS_DEFAULT
◆ ROUNDS_MIN
◆ ROUNDS_MAX
◆ b64_from_24bit
| #define b64_from_24bit | ( | B2, | |
| B1, | |||
| B0, | |||
| N ) |
Value:
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int n = (N); \
while (n-- > 0 && buflen > 0) \
{ \
*cp++ = b64t[w & 0x3f]; \
--buflen; \
w >>= 6; \
} \
} while (0)
Function Documentation
◆ sha256_process_block()
|
static |
Definition at line 99 of file crypt.cc.
100{
101 const uint32_t *words = (const uint32_t *) buffer;
102 size_t nwords = len / sizeof(uint32_t);
104 uint32_t b = ctx->H[1];
105 uint32_t c = ctx->H[2];
106 uint32_t d = ctx->H[3];
107 uint32_t e = ctx->H[4];
108 uint32_t f = ctx->H[5];
109 uint32_t g = ctx->H[6];
110 uint32_t h = ctx->H[7];
111
112 /* First increment the byte count. FIPS 180-2 specifies the possible
113 length of the file up to 2^64 bits. Here we only compute the
114 number of bytes. Do a double word increment. */
115 ctx->total[0] += len;
117 ++ctx->total[1];
118
119 /* Process all bytes in the buffer with 64 bytes in each round of
120 the loop. */
121 while (nwords > 0) {
122 uint32_t W[64];
123 unsigned int t;
124 uint32_t a_save = a;
125 uint32_t b_save = b;
126 uint32_t c_save = c;
127 uint32_t d_save = d;
128 uint32_t e_save = e;
129 uint32_t f_save = f;
130 uint32_t g_save = g;
131 uint32_t h_save = h;
132
133 /* Operators defined in FIPS 180-2:4.1.2. */
134#define Ch(x, y, z) ((x & y) ^ (~x & z))
135#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
136#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
137#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
138#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
139#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
140
141 /* It is unfortunate that C does not provide an operator for
142 cyclic rotation. Hope the C compiler is smart enough. */
143#define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
144
145 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
146 for (t = 0; t < 16; ++t) {
147 W[t] = SWAP(*words);
148 ++words;
149 }
150 for (t = 16; t < 64; ++t)
152
153 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
154 for (t = 0; t < 64; ++t) {
157 h = g;
158 g = f;
159 f = e;
160 e = d + T1;
161 d = c;
162 c = b;
163 b = a;
164 a = T1 + T2;
165 }
166
167 /* Add the starting values of the context according to FIPS 180-2:6.2.2
168 step 4. */
169 a += a_save;
170 b += b_save;
171 c += c_save;
172 d += d_save;
173 e += e_save;
174 f += f_save;
175 g += g_save;
176 h += h_save;
177
178 /* Prepare for the next round. */
179 nwords -= 16;
180 }
181
182 /* Put checksum in context given as argument. */
184 ctx->H[1] = b;
185 ctx->H[2] = c;
186 ctx->H[3] = d;
187 ctx->H[4] = e;
188 ctx->H[5] = f;
189 ctx->H[6] = g;
190 ctx->H[7] = h;
191}
#define Maj(x, y, z)
#define S0(x)
#define R1(x)
#define S1(x)
#define R0(x)
#define Ch(x, y, z)
◆ sha256_init_ctx()
|
static |
◆ sha256_finish_ctx()
|
static |
Definition at line 217 of file crypt.cc.
218{
219 /* Take yet unprocessed bytes into account. */
220 uint32_t bytes = ctx->buflen;
221 size_t pad;
222 unsigned int i;
223
224 /* Now count remaining bytes. */
225 ctx->total[0] += bytes;
227 ++ctx->total[1];
228
229 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
231
232 /* Put the 64-bit file length in *bits* at the end of the buffer. */
235
236 /* Process last bytes. */
238
239 /* Put result from CTX in first 32 bytes following RESBUF. */
240 for (i = 0; i < 8; ++i)
242
243 return resbuf;
244}
static void sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
Definition crypt.cc:99
◆ sha256_process_bytes()
|
static |
Definition at line 247 of file crypt.cc.
248{
249 /* When we already have some bits in our internal buffer concatenate
250 both inputs first. */
253 size_t add = 128 - left_over > len ? len : 128 - left_over;
254
255 memcpy(&ctx->buffer[left_over], buffer, add);
256 ctx->buflen += add;
257
260
261 ctx->buflen &= 63;
262 /* The regions in the following copy operation cannot overlap. */
264 }
265
266 buffer = (const char *) buffer + add;
267 len -= add;
268 }
269
270 /* Process available complete blocks. */
271 if (len >= 64) {
272/* To check alignment gcc has an appropriate operator. Other
273 compilers don't. */
274#if __GNUC__ >= 2
275#define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
276#else
277#define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
278#endif
280 while (len > 64) {
282 buffer = (const char *) buffer + 64;
283 len -= 64;
284 } else {
285 sha256_process_block(buffer, len & ~63, ctx);
286 buffer = (const char *) buffer + (len & ~63);
287 len &= 63;
288 }
289 }
290
291 /* Move remaining bytes into internal buffer. */
292 if (len > 0) {
294
295 memcpy(&ctx->buffer[left_over], buffer, len);
296 left_over += len;
297 if (left_over >= 64) {
299 left_over -= 64;
301 }
302 ctx->buflen = left_over;
303 }
304}
#define UNALIGNED_P(p)
◆ sha256_crypt_r()
|
static |
Definition at line 327 of file crypt.cc.
328{
329#ifdef _MSC_VER
330 unsigned char alt_result[32];
331 unsigned char temp_result[32];
332#else
333 unsigned char alt_result[32]
334 __attribute__ ((__aligned__(__alignof__(uint32_t))));
335 unsigned char temp_result[32]
336 __attribute__ ((__aligned__(__alignof__(uint32_t))));
337#endif
340 size_t salt_len;
341 size_t key_len;
342 size_t cnt;
343 char *cp;
344 char *copied_key = NULL;
345 char *copied_salt = NULL;
346 char *p_bytes;
347 char *s_bytes;
348 /* Default number of rounds. */
350 int rounds_custom = 0;
351
352 /* Find beginning of salt string. The prefix should normally always
353 be present. Just in case it is not. */
355 /* Skip salt prefix. */
357
359 == 0) {
361 char *endp;
362 unsigned long int srounds = strtoul(num, &endp, 10);
363 if (*endp == '$') {
364 salt = endp + 1;
366 rounds_custom = 1;
367 }
368 }
369
371 key_len = strlen(key);
372
373 if ((key - (char *) 0) % __alignof__(uint32_t) != 0) {
374 char *tmp = (char *) alloca(key_len + __alignof__(uint32_t));
376 - (tmp - (char *) 0) % __alignof__(uint32_t), key, key_len);
377 }
378
379 if ((salt - (char *) 0) % __alignof__(uint32_t) != 0) {
380 char *tmp = (char *) alloca(salt_len + __alignof__(uint32_t));
381 salt = copied_salt = (char *) memcpy(tmp + __alignof__(uint32_t)
382 - (tmp - (char *) 0) % __alignof__(uint32_t), salt, salt_len);
383 }
384
385 /* Prepare for the real work. */
386 sha256_init_ctx(&ctx);
387
388 /* Add the key string. */
389 sha256_process_bytes(key, key_len, &ctx);
390
391 /* The last part is the salt string. This must be at most 16
392 characters and it ends at the first `$' character (for
393 compatibility with existing implementations). */
394 sha256_process_bytes(salt, salt_len, &ctx);
395
396
397 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
398 final result will be added to the first context. */
399 sha256_init_ctx(&alt_ctx);
400
401 /* Add key. */
402 sha256_process_bytes(key, key_len, &alt_ctx);
403
404 /* Add salt. */
405 sha256_process_bytes(salt, salt_len, &alt_ctx);
406
407 /* Add key again. */
408 sha256_process_bytes(key, key_len, &alt_ctx);
409
410 /* Now get result of this (32 bytes) and add it to the other
411 context. */
412 sha256_finish_ctx(&alt_ctx, alt_result);
413
414 /* Add for any character in the key one byte of the alternate sum. */
415 for (cnt = key_len; cnt > 32; cnt -= 32)
416 sha256_process_bytes(alt_result, 32, &ctx);
417 sha256_process_bytes(alt_result, cnt, &ctx);
418
419 /* Take the binary representation of the length of the key and for every
420 1 add the alternate sum, for every 0 the key. */
421 for (cnt = key_len; cnt > 0; cnt >>= 1)
422 if ((cnt & 1) != 0)
423 sha256_process_bytes(alt_result, 32, &ctx);
424 else
425 sha256_process_bytes(key, key_len, &ctx);
426
427 /* Create intermediate result. */
428 sha256_finish_ctx(&ctx, alt_result);
429
430 /* Start computation of P byte sequence. */
431 sha256_init_ctx(&alt_ctx);
432
433 /* For every character in the password add the entire password. */
434 for (cnt = 0; cnt < key_len; ++cnt)
435 sha256_process_bytes(key, key_len, &alt_ctx);
436
437 /* Finish the digest. */
438 sha256_finish_ctx(&alt_ctx, temp_result);
439
440 /* Create byte sequence P. */
441 cp = p_bytes = (char*) alloca(key_len);
442 for (cnt = key_len; cnt >= 32; cnt -= 32) {
443 memcpy(cp, temp_result, 32);
444 cp += 32;
445 }
446 memcpy(cp, temp_result, cnt);
447
448 /* Start computation of S byte sequence. */
449 sha256_init_ctx(&alt_ctx);
450
451 /* For every character in the password add the entire password. */
452 for (cnt = 0; (int) cnt < 16 + alt_result[0]; ++cnt)
453 sha256_process_bytes(salt, salt_len, &alt_ctx);
454
455 /* Finish the digest. */
456 sha256_finish_ctx(&alt_ctx, temp_result);
457
458 /* Create byte sequence S. */
459 cp = s_bytes = (char*) alloca(salt_len);
460 for (cnt = salt_len; cnt >= 32; cnt -= 32) {
461 memcpy(cp, temp_result, 32);
462 cp += 32;
463 }
464 memcpy(cp, temp_result, cnt);
465
466 /* Repeatedly run the collected hash value through SHA256 to burn
467 CPU cycles. */
468 for (cnt = 0; cnt < rounds; ++cnt) {
469 /* New context. */
470 sha256_init_ctx(&ctx);
471
472 /* Add key or last result. */
473 if ((cnt & 1) != 0)
474 sha256_process_bytes(p_bytes, key_len, &ctx);
475 else
476 sha256_process_bytes(alt_result, 32, &ctx);
477
478 /* Add salt for numbers not divisible by 3. */
479 if (cnt % 3 != 0)
480 sha256_process_bytes(s_bytes, salt_len, &ctx);
481
482 /* Add key for numbers not divisible by 7. */
483 if (cnt % 7 != 0)
484 sha256_process_bytes(p_bytes, key_len, &ctx);
485
486 /* Add key or last result. */
487 if ((cnt & 1) != 0)
488 sha256_process_bytes(alt_result, 32, &ctx);
489 else
490 sha256_process_bytes(p_bytes, key_len, &ctx);
491
492 /* Create intermediate result. */
493 sha256_finish_ctx(&ctx, alt_result);
494 }
495
496 /* Now we can construct the result string. It consists of three
497 parts. */
501
502 if (rounds_custom) {
503#ifdef _MSC_VER
505 sha256_rounds_prefix, rounds);
506#else
508 sha256_rounds_prefix, rounds);
509#endif
510 cp += n;
512 }
513
515 cp = cp + strlen(cp);
517
519 *cp++ = '$';
520 --buflen;
521 }
522#define b64_from_24bit(B2, B1, B0, N) \
523 do { \
524 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
525 int n = (N); \
526 while (n-- > 0 && buflen > 0) \
527 { \
528 *cp++ = b64t[w & 0x3f]; \
529 --buflen; \
530 w >>= 6; \
531 } \
532 } while (0)
533
534 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
535 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
536 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
537 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
538 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
539 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
540 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
541 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
542 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
543 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
544 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
546 errno = ERANGE;
547 buffer = NULL;
548 } else
549 *cp = '\0'; /* Terminate the string. */
550
551 /* Clear the buffer for the intermediate result so that people
552 attaching to processes or reading core dumps cannot get any
553 information. We do it in this way to clear correct_words[]
554 inside the SHA256 implementation as well. */
555 sha256_init_ctx(&ctx);
556 sha256_finish_ctx(&ctx, alt_result);
557 memset(temp_result, '\0', sizeof(temp_result));
558 memset(p_bytes, '\0', key_len);
559 memset(s_bytes, '\0', salt_len);
560 memset(&ctx, '\0', sizeof(ctx));
561 memset(&alt_ctx, '\0', sizeof(alt_ctx));
562 if (copied_key != NULL)
563 memset(copied_key, '\0', key_len);
564 if (copied_salt != NULL)
565 memset(copied_salt, '\0', salt_len);
566
568}
static void * sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
Definition crypt.cc:217
static void sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
Definition crypt.cc:247
#define b64_from_24bit(B2, B1, B0, N)
Definition crypt.cc:54
◆ sha256_crypt()
| char * sha256_crypt | ( | const char * | key, |
| const char * | salt ) |
Definition at line 573 of file crypt.cc.
574{
575 /* We don't want to have an arbitrary limit in the size of the
576 password. We can compute an upper bound for the size of the
577 result in advance and so we can prepare the buffer we pass to
578 `sha256_crypt_r'. */
579 static char *buffer;
580 static int buflen;
583
584 if (buflen < needed) {
585 char *new_buffer = (char *) realloc(buffer, needed);
586 if (new_buffer == NULL)
587 return NULL;
588
589 buffer = new_buffer;
590 buflen = needed;
591 }
592
594}
static char * sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
Definition crypt.cc:327
Variable Documentation
◆ fillbuf
|
static |
◆ K
|
static |
Initial value:
= {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
}
Definition at line 77 of file crypt.cc.
77 {
78 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
79 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
80 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
81 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
82 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
83 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
84 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
85 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
86 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
87 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
88 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
89 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
90 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
91 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
92 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
93 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
94};
◆ sha256_salt_prefix
◆ sha256_rounds_prefix
◆ b64t
Generated by
1.12.0