001    /*
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    package org.apache.commons.codec.digest;
018    
019    import java.security.MessageDigest;
020    import java.security.NoSuchAlgorithmException;
021    import java.util.Arrays;
022    import java.util.regex.Matcher;
023    import java.util.regex.Pattern;
024    
025    import org.apache.commons.codec.Charsets;
026    
027    /**
028     * SHA2-based Unix crypt implementation.
029     * <p>
030     * Based on the C implementation released into the Public Domain by Ulrich Drepper &lt;drepper@redhat.com&gt;
031     * http://www.akkadia.org/drepper/SHA-crypt.txt
032     * <p>
033     * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers &lt;ch@lathspell.de&gt; and likewise put
034     * into the Public Domain.
035     * <p>
036     * This class is immutable and thread-safe.
037     *
038     * @version $Id: Sha2Crypt.html 889935 2013-12-11 05:05:13Z ggregory $
039     * @since 1.7
040     */
041    public class Sha2Crypt {
042    
043        /** Default number of rounds if not explicitly specified. */
044        private static final int ROUNDS_DEFAULT = 5000;
045    
046        /** Maximum number of rounds. */
047        private static final int ROUNDS_MAX = 999999999;
048    
049        /** Minimum number of rounds. */
050        private static final int ROUNDS_MIN = 1000;
051    
052        /** Prefix for optional rounds specification. */
053        private static final String ROUNDS_PREFIX = "rounds=";
054    
055        /** The number of bytes the final hash value will have (SHA-256 variant). */
056        private static final int SHA256_BLOCKSIZE = 32;
057    
058        /** The prefixes that can be used to identify this crypt() variant (SHA-256). */
059        static final String SHA256_PREFIX = "$5$";
060    
061        /** The number of bytes the final hash value will have (SHA-512 variant). */
062        private static final int SHA512_BLOCKSIZE = 64;
063    
064        /** The prefixes that can be used to identify this crypt() variant (SHA-512). */
065        static final String SHA512_PREFIX = "$6$";
066    
067        /** The pattern to match valid salt values. */
068        private static final Pattern SALT_PATTERN = Pattern
069                .compile("^\\$([56])\\$(rounds=(\\d+)\\$)?([\\.\\/a-zA-Z0-9]{1,16}).*");
070    
071        /**
072         * Generates a libc crypt() compatible "$5$" hash value with random salt.
073         * <p>
074         * See {@link Crypt#crypt(String, String)} for details.
075         *
076         * @throws RuntimeException
077         *             when a {@link java.security.NoSuchAlgorithmException} is caught.
078         */
079        public static String sha256Crypt(byte[] keyBytes) {
080            return sha256Crypt(keyBytes, null);
081        }
082    
083        /**
084         * Generates a libc6 crypt() compatible "$5$" hash value.
085         * <p>
086         * See {@link Crypt#crypt(String, String)} for details.
087         *
088         * @throws IllegalArgumentException
089         *             if the salt does not match the allowed pattern
090         * @throws RuntimeException
091         *             when a {@link java.security.NoSuchAlgorithmException} is caught.
092         */
093        public static String sha256Crypt(byte[] keyBytes, String salt) {
094            if (salt == null) {
095                salt = SHA256_PREFIX + B64.getRandomSalt(8);
096            }
097            return sha2Crypt(keyBytes, salt, SHA256_PREFIX, SHA256_BLOCKSIZE, MessageDigestAlgorithms.SHA_256);
098        }
099    
100        /**
101         * Generates a libc6 crypt() compatible "$5$" or "$6$" SHA2 based hash value.
102         * <p>
103         * This is a nearly line by line conversion of the original C function. The numbered comments are from the
104         * algorithm description, the short C-style ones from the original C code and the ones with "Remark" from me.
105         * <p>
106         * See {@link Crypt#crypt(String, String)} for details.
107         *
108         * @param keyBytes
109         *            plaintext that should be hashed
110         * @param salt
111         *            real salt value without prefix or "rounds="
112         * @param saltPrefix
113         *            either $5$ or $6$
114         * @param blocksize
115         *            a value that differs between $5$ and $6$
116         * @param algorithm
117         *            {@link MessageDigest} algorithm identifier string
118         * @return complete hash value including prefix and salt
119         * @throws IllegalArgumentException
120         *             if the given salt is {@code null} or does not match the allowed pattern
121         * @throws IllegalArgumentException
122         *             when a {@link NoSuchAlgorithmException} is caught
123         * @see MessageDigestAlgorithms
124         */
125        private static String sha2Crypt(byte[] keyBytes, String salt, String saltPrefix, int blocksize, String algorithm) {
126    
127            int keyLen = keyBytes.length;
128    
129            // Extracts effective salt and the number of rounds from the given salt.
130            int rounds = ROUNDS_DEFAULT;
131            boolean roundsCustom = false;
132            if (salt == null) {
133                throw new IllegalArgumentException("Salt must not be null");
134            }
135    
136            Matcher m = SALT_PATTERN.matcher(salt);
137            if (m == null || !m.find()) {
138                throw new IllegalArgumentException("Invalid salt value: " + salt);
139            }
140            if (m.group(3) != null) {
141                rounds = Integer.parseInt(m.group(3));
142                rounds = Math.max(ROUNDS_MIN, Math.min(ROUNDS_MAX, rounds));
143                roundsCustom = true;
144            }
145            String saltString = m.group(4);
146            byte[] saltBytes = saltString.getBytes(Charsets.UTF_8);
147            int saltLen = saltBytes.length;
148    
149            // 1. start digest A
150            // Prepare for the real work.
151            MessageDigest ctx = DigestUtils.getDigest(algorithm);
152    
153            // 2. the password string is added to digest A
154            /*
155             * Add the key string.
156             */
157            ctx.update(keyBytes);
158    
159            // 3. the salt string is added to digest A. This is just the salt string
160            // itself without the enclosing '$', without the magic salt_prefix $5$ and
161            // $6$ respectively and without the rounds=<N> specification.
162            //
163            // NB: the MD5 algorithm did add the $1$ salt_prefix. This is not deemed
164            // necessary since it is a constant string and does not add security
165            // and /possibly/ allows a plain text attack. Since the rounds=<N>
166            // specification should never be added this would also create an
167            // inconsistency.
168            /*
169             * The last part is the salt string. This must be at most 16 characters and it ends at the first `$' character
170             * (for compatibility with existing implementations).
171             */
172            ctx.update(saltBytes);
173    
174            // 4. start digest B
175            /*
176             * Compute alternate sha512 sum with input KEY, SALT, and KEY. The final result will be added to the first
177             * context.
178             */
179            MessageDigest altCtx = DigestUtils.getDigest(algorithm);
180    
181            // 5. add the password to digest B
182            /*
183             * Add key.
184             */
185            altCtx.update(keyBytes);
186    
187            // 6. add the salt string to digest B
188            /*
189             * Add salt.
190             */
191            altCtx.update(saltBytes);
192    
193            // 7. add the password again to digest B
194            /*
195             * Add key again.
196             */
197            altCtx.update(keyBytes);
198    
199            // 8. finish digest B
200            /*
201             * Now get result of this (32 bytes) and add it to the other context.
202             */
203            byte[] altResult = altCtx.digest();
204    
205            // 9. For each block of 32 or 64 bytes in the password string (excluding
206            // the terminating NUL in the C representation), add digest B to digest A
207            /*
208             * Add for any character in the key one byte of the alternate sum.
209             */
210            /*
211             * (Remark: the C code comment seems wrong for key length > 32!)
212             */
213            int cnt = keyBytes.length;
214            while (cnt > blocksize) {
215                ctx.update(altResult, 0, blocksize);
216                cnt -= blocksize;
217            }
218    
219            // 10. For the remaining N bytes of the password string add the first
220            // N bytes of digest B to digest A
221            ctx.update(altResult, 0, cnt);
222    
223            // 11. For each bit of the binary representation of the length of the
224            // password string up to and including the highest 1-digit, starting
225            // from to lowest bit position (numeric value 1):
226            //
227            // a) for a 1-digit add digest B to digest A
228            //
229            // b) for a 0-digit add the password string
230            //
231            // NB: this step differs significantly from the MD5 algorithm. It
232            // adds more randomness.
233            /*
234             * Take the binary representation of the length of the key and for every 1 add the alternate sum, for every 0
235             * the key.
236             */
237            cnt = keyBytes.length;
238            while (cnt > 0) {
239                if ((cnt & 1) != 0) {
240                    ctx.update(altResult, 0, blocksize);
241                } else {
242                    ctx.update(keyBytes);
243                }
244                cnt >>= 1;
245            }
246    
247            // 12. finish digest A
248            /*
249             * Create intermediate result.
250             */
251            altResult = ctx.digest();
252    
253            // 13. start digest DP
254            /*
255             * Start computation of P byte sequence.
256             */
257            altCtx = DigestUtils.getDigest(algorithm);
258    
259            // 14. for every byte in the password (excluding the terminating NUL byte
260            // in the C representation of the string)
261            //
262            // add the password to digest DP
263            /*
264             * For every character in the password add the entire password.
265             */
266            for (int i = 1; i <= keyLen; i++) {
267                altCtx.update(keyBytes);
268            }
269    
270            // 15. finish digest DP
271            /*
272             * Finish the digest.
273             */
274            byte[] tempResult = altCtx.digest();
275    
276            // 16. produce byte sequence P of the same length as the password where
277            //
278            // a) for each block of 32 or 64 bytes of length of the password string
279            // the entire digest DP is used
280            //
281            // b) for the remaining N (up to 31 or 63) bytes use the first N
282            // bytes of digest DP
283            /*
284             * Create byte sequence P.
285             */
286            byte[] pBytes = new byte[keyLen];
287            int cp = 0;
288            while (cp < keyLen - blocksize) {
289                System.arraycopy(tempResult, 0, pBytes, cp, blocksize);
290                cp += blocksize;
291            }
292            System.arraycopy(tempResult, 0, pBytes, cp, keyLen - cp);
293    
294            // 17. start digest DS
295            /*
296             * Start computation of S byte sequence.
297             */
298            altCtx = DigestUtils.getDigest(algorithm);
299    
300            // 18. repeast the following 16+A[0] times, where A[0] represents the first
301            // byte in digest A interpreted as an 8-bit unsigned value
302            //
303            // add the salt to digest DS
304            /*
305             * For every character in the password add the entire password.
306             */
307            for (int i = 1; i <= 16 + (altResult[0] & 0xff); i++) {
308                altCtx.update(saltBytes);
309            }
310    
311            // 19. finish digest DS
312            /*
313             * Finish the digest.
314             */
315            tempResult = altCtx.digest();
316    
317            // 20. produce byte sequence S of the same length as the salt string where
318            //
319            // a) for each block of 32 or 64 bytes of length of the salt string
320            // the entire digest DS is used
321            //
322            // b) for the remaining N (up to 31 or 63) bytes use the first N
323            // bytes of digest DS
324            /*
325             * Create byte sequence S.
326             */
327            // Remark: The salt is limited to 16 chars, how does this make sense?
328            byte[] sBytes = new byte[saltLen];
329            cp = 0;
330            while (cp < saltLen - blocksize) {
331                System.arraycopy(tempResult, 0, sBytes, cp, blocksize);
332                cp += blocksize;
333            }
334            System.arraycopy(tempResult, 0, sBytes, cp, saltLen - cp);
335    
336            // 21. repeat a loop according to the number specified in the rounds=<N>
337            // specification in the salt (or the default value if none is
338            // present). Each round is numbered, starting with 0 and up to N-1.
339            //
340            // The loop uses a digest as input. In the first round it is the
341            // digest produced in step 12. In the latter steps it is the digest
342            // produced in step 21.h. The following text uses the notation
343            // "digest A/C" to describe this behavior.
344            /*
345             * Repeatedly run the collected hash value through sha512 to burn CPU cycles.
346             */
347            for (int i = 0; i <= rounds - 1; i++) {
348                // a) start digest C
349                /*
350                 * New context.
351                 */
352                ctx = DigestUtils.getDigest(algorithm);
353    
354                // b) for odd round numbers add the byte sequense P to digest C
355                // c) for even round numbers add digest A/C
356                /*
357                 * Add key or last result.
358                 */
359                if ((i & 1) != 0) {
360                    ctx.update(pBytes, 0, keyLen);
361                } else {
362                    ctx.update(altResult, 0, blocksize);
363                }
364    
365                // d) for all round numbers not divisible by 3 add the byte sequence S
366                /*
367                 * Add salt for numbers not divisible by 3.
368                 */
369                if (i % 3 != 0) {
370                    ctx.update(sBytes, 0, saltLen);
371                }
372    
373                // e) for all round numbers not divisible by 7 add the byte sequence P
374                /*
375                 * Add key for numbers not divisible by 7.
376                 */
377                if (i % 7 != 0) {
378                    ctx.update(pBytes, 0, keyLen);
379                }
380    
381                // f) for odd round numbers add digest A/C
382                // g) for even round numbers add the byte sequence P
383                /*
384                 * Add key or last result.
385                 */
386                if ((i & 1) != 0) {
387                    ctx.update(altResult, 0, blocksize);
388                } else {
389                    ctx.update(pBytes, 0, keyLen);
390                }
391    
392                // h) finish digest C.
393                /*
394                 * Create intermediate result.
395                 */
396                altResult = ctx.digest();
397            }
398    
399            // 22. Produce the output string. This is an ASCII string of the maximum
400            // size specified above, consisting of multiple pieces:
401            //
402            // a) the salt salt_prefix, $5$ or $6$ respectively
403            //
404            // b) the rounds=<N> specification, if one was present in the input
405            // salt string. A trailing '$' is added in this case to separate
406            // the rounds specification from the following text.
407            //
408            // c) the salt string truncated to 16 characters
409            //
410            // d) a '$' character
411            /*
412             * Now we can construct the result string. It consists of three parts.
413             */
414            StringBuilder buffer = new StringBuilder(saltPrefix);
415            if (roundsCustom) {
416                buffer.append(ROUNDS_PREFIX);
417                buffer.append(rounds);
418                buffer.append("$");
419            }
420            buffer.append(saltString);
421            buffer.append("$");
422    
423            // e) the base-64 encoded final C digest. The encoding used is as
424            // follows:
425            // [...]
426            //
427            // Each group of three bytes from the digest produces four
428            // characters as output:
429            //
430            // 1. character: the six low bits of the first byte
431            // 2. character: the two high bits of the first byte and the
432            // four low bytes from the second byte
433            // 3. character: the four high bytes from the second byte and
434            // the two low bits from the third byte
435            // 4. character: the six high bits from the third byte
436            //
437            // The groups of three bytes are as follows (in this sequence).
438            // These are the indices into the byte array containing the
439            // digest, starting with index 0. For the last group there are
440            // not enough bytes left in the digest and the value zero is used
441            // in its place. This group also produces only three or two
442            // characters as output for SHA-512 and SHA-512 respectively.
443    
444            // This was just a safeguard in the C implementation:
445            // int buflen = salt_prefix.length() - 1 + ROUNDS_PREFIX.length() + 9 + 1 + salt_string.length() + 1 + 86 + 1;
446    
447            if (blocksize == 32) {
448                B64.b64from24bit(altResult[0], altResult[10], altResult[20], 4, buffer);
449                B64.b64from24bit(altResult[21], altResult[1], altResult[11], 4, buffer);
450                B64.b64from24bit(altResult[12], altResult[22], altResult[2], 4, buffer);
451                B64.b64from24bit(altResult[3], altResult[13], altResult[23], 4, buffer);
452                B64.b64from24bit(altResult[24], altResult[4], altResult[14], 4, buffer);
453                B64.b64from24bit(altResult[15], altResult[25], altResult[5], 4, buffer);
454                B64.b64from24bit(altResult[6], altResult[16], altResult[26], 4, buffer);
455                B64.b64from24bit(altResult[27], altResult[7], altResult[17], 4, buffer);
456                B64.b64from24bit(altResult[18], altResult[28], altResult[8], 4, buffer);
457                B64.b64from24bit(altResult[9], altResult[19], altResult[29], 4, buffer);
458                B64.b64from24bit((byte) 0, altResult[31], altResult[30], 3, buffer);
459            } else {
460                B64.b64from24bit(altResult[0], altResult[21], altResult[42], 4, buffer);
461                B64.b64from24bit(altResult[22], altResult[43], altResult[1], 4, buffer);
462                B64.b64from24bit(altResult[44], altResult[2], altResult[23], 4, buffer);
463                B64.b64from24bit(altResult[3], altResult[24], altResult[45], 4, buffer);
464                B64.b64from24bit(altResult[25], altResult[46], altResult[4], 4, buffer);
465                B64.b64from24bit(altResult[47], altResult[5], altResult[26], 4, buffer);
466                B64.b64from24bit(altResult[6], altResult[27], altResult[48], 4, buffer);
467                B64.b64from24bit(altResult[28], altResult[49], altResult[7], 4, buffer);
468                B64.b64from24bit(altResult[50], altResult[8], altResult[29], 4, buffer);
469                B64.b64from24bit(altResult[9], altResult[30], altResult[51], 4, buffer);
470                B64.b64from24bit(altResult[31], altResult[52], altResult[10], 4, buffer);
471                B64.b64from24bit(altResult[53], altResult[11], altResult[32], 4, buffer);
472                B64.b64from24bit(altResult[12], altResult[33], altResult[54], 4, buffer);
473                B64.b64from24bit(altResult[34], altResult[55], altResult[13], 4, buffer);
474                B64.b64from24bit(altResult[56], altResult[14], altResult[35], 4, buffer);
475                B64.b64from24bit(altResult[15], altResult[36], altResult[57], 4, buffer);
476                B64.b64from24bit(altResult[37], altResult[58], altResult[16], 4, buffer);
477                B64.b64from24bit(altResult[59], altResult[17], altResult[38], 4, buffer);
478                B64.b64from24bit(altResult[18], altResult[39], altResult[60], 4, buffer);
479                B64.b64from24bit(altResult[40], altResult[61], altResult[19], 4, buffer);
480                B64.b64from24bit(altResult[62], altResult[20], altResult[41], 4, buffer);
481                B64.b64from24bit((byte) 0, (byte) 0, altResult[63], 2, buffer);
482            }
483    
484            /*
485             * Clear the buffer for the intermediate result so that people attaching to processes or reading core dumps
486             * cannot get any information.
487             */
488            // Is there a better way to do this with the JVM?
489            Arrays.fill(tempResult, (byte) 0);
490            Arrays.fill(pBytes, (byte) 0);
491            Arrays.fill(sBytes, (byte) 0);
492            ctx.reset();
493            altCtx.reset();
494            Arrays.fill(keyBytes, (byte) 0);
495            Arrays.fill(saltBytes, (byte) 0);
496    
497            return buffer.toString();
498        }
499    
500        /**
501         * Generates a libc crypt() compatible "$6$" hash value with random salt.
502         * <p>
503         * See {@link Crypt#crypt(String, String)} for details.
504         *
505         * @throws RuntimeException
506         *             when a {@link java.security.NoSuchAlgorithmException} is caught.
507         */
508        public static String sha512Crypt(byte[] keyBytes) {
509            return sha512Crypt(keyBytes, null);
510        }
511    
512        /**
513         * Generates a libc6 crypt() compatible "$6$" hash value.
514         * <p>
515         * See {@link Crypt#crypt(String, String)} for details.
516         *
517         * @throws IllegalArgumentException
518         *             if the salt does not match the allowed pattern
519         * @throws RuntimeException
520         *             when a {@link java.security.NoSuchAlgorithmException} is caught.
521         */
522        public static String sha512Crypt(byte[] keyBytes, String salt) {
523            if (salt == null) {
524                salt = SHA512_PREFIX + B64.getRandomSalt(8);
525            }
526            return sha2Crypt(keyBytes, salt, SHA512_PREFIX, SHA512_BLOCKSIZE, MessageDigestAlgorithms.SHA_512);
527        }
528    }