Loading...
Searching...
No Matches
crypt-sha.c File Reference
#include "postgres.h"#include "common/string.h"#include "mb/pg_wchar.h"#include "miscadmin.h"#include "px-crypt.h"#include "px.h"
Include dependency graph for crypt-sha.c:
Go to the source code of this file.
Macros | |
| #define | b64_from_24bit(B2, B1, B0, N) |
Enumerations | |
| enum | PGCRYPTO_SHA_t { PGCRYPTO_SHA256CRYPT = 0 , PGCRYPTO_SHA512CRYPT = 1 , PGCRYPTO_SHA_UNKOWN } |
Functions | |
| char * | px_crypt_shacrypt (const char *pw, const char *salt, char *passwd, unsigned dstlen) |
Variables | |
| static const char | _crypt_itoa64 [64+1] |
Macro Definition Documentation
◆ b64_from_24bit
Value:
Enumeration Type Documentation
◆ PGCRYPTO_SHA_t
| Enumerator | |
|---|---|
| PGCRYPTO_SHA256CRYPT | |
| PGCRYPTO_SHA512CRYPT | |
| PGCRYPTO_SHA_UNKOWN | |
Definition at line 55 of file crypt-sha.c.
Function Documentation
◆ px_crypt_shacrypt()
Definition at line 69 of file crypt-sha.c.
70{
73
74 /* Used to create the password hash string */
76
81
85
86 /* temporary buffer for digests */
95 unsigned int block; /* number of bytes processed */
98 salt_len = 0;
99
100 /* Sanity checks */
103
106
109
110 /*
111 * Make sure result buffers are large enough.
112 */
115
116 /* Init result buffer */
119
120 /* Init contents of buffers properly */
123
124 /*
125 * Decode the salt string. We need to know how many rounds and which
126 * digest we have to use to hash the password.
127 */
129 dec_salt_binary = salt;
130
131 /*
132 * Analyze and prepare the salt string
133 *
134 * The magic string should be specified in the first three bytes of the
135 * salt string. Do some sanity checks first.
136 */
141
142 /*
143 * Check format of magic bytes. These should define either 5=sha256crypt
144 * or 6=sha512crypt in the second byte, enclosed by ascii dollar signs.
145 */
151
152 /*
153 * Check magic byte for supported shacrypt digest.
154 *
155 * We're just interested in the very first 3 bytes of the salt string,
156 * since this defines the digest length to use.
157 */
159 {
162 }
164 {
167 }
168
169 /*
170 * dec_salt_binary pointer is positioned after the magic bytes now
171 *
172 * We extract any options in the following code branch. The only optional
173 * setting we need to take care of is the "rounds" option. Note that the
174 * salt generator already checked for invalid settings before, but we need
175 * to do it here again to protect against injection of wrong values when
176 * called without the generator.
177 *
178 * If there is any garbage added after the magic byte and the options/salt
179 * string, we don't treat this special: This is just absorbed as part of
180 * the salt with up to PX_SHACRYPT_SALT_LEN_MAX.
181 *
182 * Unknown magic byte is handled further below.
183 */
186 {
190
195
197
198 /*
199 * We violate supported lower or upper bound of rounds, but in this
200 * case we change this value to the supported lower or upper value. We
201 * don't do this silently and print a NOTICE in such a case.
202 *
203 * Note that a salt string generated with gen_salt() would never
204 * generated such a salt string, since it would error out.
205 *
206 * But Drepper's upstream reference implementation supports this when
207 * passing the salt string directly, so we maintain compatibility.
208 */
210 {
215 PX_SHACRYPT_ROUNDS_MAX));
217 }
219 {
224 PX_SHACRYPT_ROUNDS_MIN));
226 }
227
229 rounds_custom = 1;
230 }
231
232 /*
233 * Choose the correct digest length and add the magic bytes to the result
234 * buffer. Also handle possible invalid magic byte we've extracted above.
235 */
237 {
239 {
240 /* Two PX_MD objects required */
244
248
249 /* digest buffer length is 32 for sha256 */
250 buf_size = 32;
251
253 break;
254 }
255
257 {
258 /* Two PX_MD objects required */
262
266
268
270 break;
271 }
272
275 }
276
279
280 /*
281 * We need the real decoded salt string from salt input, this is every
282 * character before the last '$' in the preamble. Append every compatible
283 * character up to PX_SHACRYPT_SALT_MAX_LEN to the result buffer. Note
284 * that depending on the input, there might be no '$' marker after the
285 * salt, when there is no password hash attached at the end.
286 *
287 * We try hard to recognize mistakes, but since we might get an input
288 * string which might also have the password hash after the salt string
289 * section we give up as soon we reach the end of the input or if there
290 * are any bytes consumed for the salt string until we reach the first '$'
291 * marker thereafter.
292 */
295 ep++)
296 {
297 /*
298 * Filter out any string which shouldn't be here.
299 *
300 * First check for accidentally embedded magic strings here. We don't
301 * support '$' in salt strings anyways and seeing a magic byte trying
302 * to identify shacrypt hashes might indicate that something went
303 * wrong when generating this salt string. Note that we later check
304 * for non-supported literals anyways, but any '$' here confuses us at
305 * this point.
306 */
310
314
315 /*
316 * This looks very strict, but we assume the caller did something
317 * wrong when we see a "rounds=" option here.
318 */
322
324 {
327 else
332 }
333 else
334 {
335 /*
336 * We encountered a '$' marker. Check if we already absorbed some
337 * bytes from input. If true, we are optimistic and terminate at
338 * this stage. If not, we try further.
339 *
340 * If we already consumed enough bytes for the salt string,
341 * everything that is after this marker is considered to be part
342 * of an optionally specified password hash and ignored.
343 */
345 break;
346 }
347 }
348
353
354 /*
355 * Sanity check: at this point the salt string buffer must not exceed
356 * expected size.
357 */
360
361 /*-
362 * 1. Start digest A
363 * 2. Add the password string to digest A
364 * 3. Add the salt to digest A
365 */
368
369 /*-
370 * 4. Create digest B
371 * 5. Add password to digest B
372 * 6. Add the salt string to digest B
373 * 7. Add the password again to digest B
374 * 8. Finalize digest B
375 */
380
381 /*
382 * 9. For each block (excluding the NULL byte), add digest B to digest A.
383 */
386
387 /*-
388 * 10. For the remaining N bytes of the password string, add the first N
389 * bytes of digest B to A.
390 */
392
393 /*-
394 * 11. For each bit of the binary representation of the length of the
395 * password string up to and including the highest 1-digit, starting from
396 * to lowest bit position (numeric value 1)
397 *
398 * a) for a 1-digit add digest B (sha_buf) to digest A
399 * b) for a 0-digit add the password string
400 */
401 block = len;
402 while (block)
403 {
407
408 /* right shift to next byte */
409 block >>= 1;
410 }
411
412 /* 12. Finalize digest A */
414
415 /* 13. Start digest DP */
417
418 /*-
419 * 14 Add every byte of the password string (excluding trailing NULL)
420 * to the digest DP
421 */
424
425 /* 15. Finalize digest DP */
427
428 /*-
429 * 16. produce byte sequence P with same length as password.
430 * a) for each block of 32 or 64 bytes of length of the password
431 * string the entire digest DP is used
432 * b) for the remaining N (up to 31 or 63) bytes use the
433 * first N bytes of digest DP
434 */
436 {
438 }
439
440 /* N step of 16, copy over the bytes from password */
444
445 /*
446 * 17. Start digest DS
447 */
449
450 /*-
451 * 18. Repeat the following 16+A[0] times, where A[0] represents the first
452 * byte in digest A interpreted as an 8-bit unsigned value
453 * add the salt to digest DS
454 */
457
458 /*
459 * 19. Finalize digest DS
460 */
462
463 /*-
464 * 20. Produce byte sequence S of the same length as the salt string where
465 *
466 * a) for each block of 32 or 64 bytes of length of the salt string the
467 * entire digest DS is used
468 *
469 * b) for the remaining N (up to 31 or 63) bytes use the first N
470 * bytes of digest DS
471 */
474
478
479 /* Make sure we don't leave something important behind */
481
482 /*-
483 * 21. Repeat a loop according to the number specified in the rounds=<N>
484 * specification in the salt (or the default value if none is
485 * present). Each round is numbered, starting with 0 and up to N-1.
486 *
487 * The loop uses a digest as input. In the first round it is the
488 * digest produced in step 12. In the latter steps it is the digest
489 * produced in step 21.h of the previous round. The following text
490 * uses the notation "digest A/B" to describe this behavior.
491 */
493 {
494 /*
495 * Make it possible to abort in case large values for "rounds" are
496 * specified.
497 */
498 CHECK_FOR_INTERRUPTS();
499
500 /* a) start digest B */
502
503 /*-
504 * b) for odd round numbers add the byte sequence P to digest B
505 * c) for even round numbers add digest A/B
506 */
510
511 /* d) for all round numbers not divisible by 3 add the byte sequence S */
512 if ((block % 3) != 0)
514
515 /* e) for all round numbers not divisible by 7 add the byte sequence P */
516 if ((block % 7) != 0)
518
519 /*-
520 * f) for odd round numbers add digest A/C
521 * g) for even round numbers add the byte sequence P
522 */
526
527 /* h) finish digest C. */
529 }
530
533
536
539
542
543 /* prepare final result buffer */
545
546#define b64_from_24bit(B2, B1, B0, N) \
547 do { \
548 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
549 int i = (N); \
550 while (i-- > 0) \
551 { \
552 appendStringInfoCharMacro(out_buf, _crypt_itoa64[w & 0x3f]); \
553 w >>= 6; \
554 } \
555 } while (0)
556
558 {
560 {
572
573 break;
574 }
575
577 {
600
601 break;
602 }
603
605 /* we shouldn't land here ... */
607 }
608
609 /*
610 * Copy over result to specified buffer.
611 *
612 * The passwd character buffer should have at least PX_SHACRYPT_BUF_LEN
613 * allocated, since we checked above if dstlen is smaller than
614 * PX_SHACRYPT_BUF_LEN (which also includes the NULL byte).
615 *
616 * In that case we would have failed above already.
617 */
619
620 /* make sure nothing important is left behind */
624
625 /* ...and we're done */
627
628error:
631
634
637
642}
#define b64_from_24bit(B2, B1, B0, N)
int strtoint(const char *pg_restrict str, char **pg_restrict endptr, int base)
Definition string.c:50
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition stringinfo.c:145
void appendStringInfoString(StringInfo str, const char *s)
Definition stringinfo.c:230
Definition stringinfo.h:47
References _crypt_itoa64, appendStringInfo(), appendStringInfoCharMacro, appendStringInfoString(), b64_from_24bit, CHECK_FOR_INTERRUPTS, DEBUG1, destroyStringInfo(), elog, ereport, err(), errcode(), errhint(), errmsg(), ERROR, error(), fb(), len, makeStringInfoExt(), NOTICE, palloc0(), pfree(), pg_mblen(), PGCRYPTO_SHA256CRYPT, PGCRYPTO_SHA512CRYPT, PGCRYPTO_SHA_UNKOWN, px_find_digest(), px_md_finish, px_md_free, px_md_reset, px_md_update, px_memset(), PX_SHACRYPT_BUF_LEN, PX_SHACRYPT_DIGEST_MAX_LEN, PX_SHACRYPT_ROUNDS_DEFAULT, PX_SHACRYPT_ROUNDS_MAX, PX_SHACRYPT_ROUNDS_MIN, PX_SHACRYPT_SALT_MAX_LEN, strtoint(), and type.
Referenced by run_crypt_sha().
Variable Documentation
◆ _crypt_itoa64
Initial value:
=
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
Definition at line 62 of file crypt-sha.c.
Referenced by px_crypt_shacrypt().
