mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opendj-server-legacy/src/main/java/org/opends/server/extensions/Sha2Crypt.java
@@ -11,8 +11,8 @@ * Header, with the fields enclosed by brackets [] replaced by your own identifying * information: "Portions Copyright [year] [name of copyright owner]". * * Portions Copyright 2012 Dariusz Janny <dariusz.janny@gmail.com> * Copyright 2013 ForgeRock AS. * Portions Copyright 2013-2016 ForgeRock AS. * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. @@ -31,25 +31,22 @@ package org.opends.server.extensions; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Random; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.apache.commons.codec.Charsets; /** * SHA2-based Unix crypt implementation. * * <p> * Based on the C implementation released into the Public Domain by Ulrich * Drepper <drepper@redhat.com> * Based on the C implementation released into the Public Domain by Ulrich Drepper <drepper@redhat.com> * http://www.akkadia.org/drepper/SHA-crypt.txt * </p> * * <p> * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers * <ch@lathspell.de> and likewise put into the Public Domain. * </p> * * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers <ch@lathspell.de> and likewise put * into the Public Domain. * <p> * This class is immutable and thread-safe. * </p> @@ -79,7 +76,7 @@ * @version $Id$ * @since 1.7 */ static class B64 { private static class B64 { /** * Table with characters for Base64 transformation. @@ -138,138 +135,132 @@ */ private static final int ROUNDS_DEFAULT = 5000; /** * Maximum number of rounds. */ /** Maximum number of rounds. */ private static final int ROUNDS_MAX = 999999999; /** * Minimum number of rounds. */ /** Minimum number of rounds. */ private static final int ROUNDS_MIN = 1000; /** * Prefix for optional rounds specification. */ /** Prefix for optional rounds specification. */ private static final String ROUNDS_PREFIX = "rounds="; /** * The MessageDigest algorithms. */ /** The MessageDigest algorithms. */ private static final String SHA256_ALGORITHM = "SHA-256"; private static final String SHA512_ALGORITHM = "SHA-512"; /** * The number of bytes the final hash value will have. */ /** The number of bytes the final hash value will have. */ private static final int SHA256_BLOCKSIZE = 32; /** The prefixes that can be used to identify this crypt() variant (SHA-256). */ private static final String SHA256_PREFIX = "$5$"; /** The number of bytes the final hash value will have (SHA-512 variant). */ private static final int SHA512_BLOCKSIZE = 64; /** * The prefixes that can be used to identify this crypt() variant. */ static final String SHA256_PREFIX = "$5$"; /** The prefixes that can be used to identify this crypt() variant (SHA-512). */ private static final String SHA512_PREFIX = "$6$"; static final String SHA512_PREFIX = "$6$"; /** The pattern to match valid salt values. */ private static final Pattern SALT_PATTERN = Pattern .compile("^\\$([56])\\$(rounds=(\\d+)\\$)?([\\.\\/a-zA-Z0-9]{1,16}).*"); /** * Returns the magic string denoting the SHA-256 scheme is being used. * * @return the magic string */ public static String getMagicSHA256Prefix() static String getMagicSHA256Prefix() { return SHA256_PREFIX; } /** * Returns the magic string denoting the SHA-512 scheme is being used. * * @return the magic string */ public static String getMagicSHA512Prefix() static String getMagicSHA512Prefix() { return SHA512_PREFIX; } /** * Generates a libc crypt() compatible "$5$" hash value with random salt. * * <p> * See {@link Crypt#crypt(String, String)} for details. * * @param keyBytes * The plaintext that should be hashed. * @throws Exception exception * @return compatible "$5$" hash value with random sal * plaintext to hash * @return complete hash value * @throws RuntimeException * when a {@link java.security.NoSuchAlgorithmException} is caught. */ public static String sha256Crypt(byte[] keyBytes) throws Exception { static String sha256Crypt(final byte[] keyBytes) { return sha256Crypt(keyBytes, null); } /** * Generates a libc6 crypt() compatible "$5$" hash value. * * <p> * See {@link Crypt#crypt(String, String)} for details. * * @param keyBytes * The plaintext that should be hashed. * plaintext to hash * @param salt * The real salt value without prefix or "rounds=". * @throws Exception exception * @return compatible "$5$" hash value * real salt value without prefix or "rounds=" * @return complete hash value including salt * @throws IllegalArgumentException * if the salt does not match the allowed pattern * @throws RuntimeException * when a {@link java.security.NoSuchAlgorithmException} is caught. */ public static String sha256Crypt(byte[] keyBytes, String salt) throws Exception { static String sha256Crypt(final byte[] keyBytes, String salt) { if (salt == null) { salt = SHA256_PREFIX + B64.getRandomSalt(8); } return sha2Crypt(keyBytes, salt, SHA256_PREFIX, SHA256_BLOCKSIZE, SHA256_ALGORITHM); return sha2Crypt(keyBytes, salt, SHA256_PREFIX, SHA256_BLOCKSIZE, SHA256_ALGORITHM); } /** * Generates a libc6 crypt() compatible "$5$" or "$6$" SHA2 based hash value. * * This is a nearly line by line conversion of the original C function. The * numbered comments are from the algorithm description, the short C-style * ones from the original C code and the ones with "Remark" from me. * * <p> * This is a nearly line by line conversion of the original C function. The numbered comments are from the algorithm * description, the short C-style ones from the original C code and the ones with "Remark" from me. * <p> * See {@link Crypt#crypt(String, String)} for details. * * @param keyBytes * The plaintext that should be hashed. * @param salt_string * The real salt value without prefix or "rounds=". * plaintext to hash * @param salt * real salt value without prefix or "rounds=" * @param saltPrefix * Either $5$ or $6$. * either $5$ or $6$ * @param blocksize * A value that differs between $5$ and $6$. * a value that differs between $5$ and $6$ * @param algorithm * The MessageDigest algorithm identifier string. * @throws Exception exception * @return The complete hash value including prefix and salt. * {@link MessageDigest} algorithm identifier string * @return complete hash value including prefix and salt * @throws IllegalArgumentException * if the given salt is <code>null</code> or does not match the allowed pattern * @throws IllegalArgumentException * when a {@link NoSuchAlgorithmException} is caught * @see MessageDigestAlgorithms */ private static String sha2Crypt(byte[] keyBytes, String salt, String saltPrefix, int blocksize, String algorithm) throws Exception { int keyLen = keyBytes.length; private static String sha2Crypt(final byte[] keyBytes, final String salt, final String saltPrefix, final int blocksize, final String algorithm) { final int keyLen = keyBytes.length; // Extracts effective salt and the number of rounds from the given salt. int rounds = ROUNDS_DEFAULT; boolean roundsCustom = false; if (salt == null) { throw new IllegalArgumentException("Invalid salt value: null"); throw new IllegalArgumentException("Salt must not be null"); } Pattern p = Pattern .compile("^\\$([56])\\$(rounds=(\\d+)\\$)?([\\.\\/a-zA-Z0-9]{1,16}).*"); Matcher m = p.matcher(salt); if (m == null || !m.find()) { final Matcher m = SALT_PATTERN.matcher(salt); if (!m.find()) { throw new IllegalArgumentException("Invalid salt value: " + salt); } if (m.group(3) != null) { @@ -277,18 +268,18 @@ rounds = Math.max(ROUNDS_MIN, Math.min(ROUNDS_MAX, rounds)); roundsCustom = true; } String saltString = m.group(4); byte[] saltBytes = saltString.getBytes("UTF-8"); int saltLen = saltBytes.length; final String saltString = m.group(4); final byte[] saltBytes = saltString.getBytes(Charsets.UTF_8); final int saltLen = saltBytes.length; // 1. start digest A // Prepare for the real work. MessageDigest ctx = MessageDigest.getInstance(algorithm); MessageDigest ctx = getDigest(algorithm); // 2. the password string is added to digest A /* * Add the key string. */ /* * Add the key string. */ ctx.update(keyBytes); // 3. the salt string is added to digest A. This is just the salt string @@ -300,52 +291,51 @@ // and /possibly/ allows a plain text attack. Since the rounds=<N> // specification should never be added this would also create an // inconsistency. /* * The last part is the salt string. This must be at most 16 characters and * it ends at the first `$' character (for compatibility with existing * implementations). */ /* * The last part is the salt string. This must be at most 16 characters and it ends at the first `$' character * (for compatibility with existing implementations). */ ctx.update(saltBytes); // 4. start digest B /* * Compute alternate sha512 sum with input KEY, SALT, and KEY. The final * result will be added to the first context. */ MessageDigest altCtx = MessageDigest.getInstance(algorithm); /* * Compute alternate sha512 sum with input KEY, SALT, and KEY. The final result will be added to the first * context. */ MessageDigest altCtx = getDigest(algorithm); // 5. add the password to digest B /* * Add key. */ /* * Add key. */ altCtx.update(keyBytes); // 6. add the salt string to digest B /* * Add salt. */ /* * Add salt. */ altCtx.update(saltBytes); // 7. add the password again to digest B /* * Add key again. */ /* * Add key again. */ altCtx.update(keyBytes); // 8. finish digest B /* * Now get result of this (32 bytes) and add it to the other context. */ /* * Now get result of this (32 bytes) and add it to the other context. */ byte[] altResult = altCtx.digest(); // 9. For each block of 32 or 64 bytes in the password string (excluding // the terminating NUL in the C representation), add digest B to digest A /* * Add for any character in the key one byte of the alternate sum. */ /* * (Remark: the C code comment seems wrong for key length > 32!) */ /* * Add for any character in the key one byte of the alternate sum. */ /* * (Remark: the C code comment seems wrong for key length > 32!) */ int cnt = keyBytes.length; while (cnt > blocksize) { ctx.update(altResult, 0, blocksize); @@ -366,10 +356,10 @@ // // NB: this step differs significantly from the MD5 algorithm. It // adds more randomness. /* * Take the binary representation of the length of the key and for every 1 * add the alternate sum, for every 0 the key. */ /* * Take the binary representation of the length of the key and for every 1 add the alternate sum, for every 0 * the key. */ cnt = keyBytes.length; while (cnt > 0) { if ((cnt & 1) != 0) { @@ -381,32 +371,32 @@ } // 12. finish digest A /* * Create intermediate result. */ /* * Create intermediate result. */ altResult = ctx.digest(); // 13. start digest DP /* * Start computation of P byte sequence. */ altCtx = MessageDigest.getInstance(algorithm); /* * Start computation of P byte sequence. */ altCtx = getDigest(algorithm); // 14. for every byte in the password (excluding the terminating NUL byte // in the C representation of the string) // // add the password to digest DP /* * For every character in the password add the entire password. */ /* * For every character in the password add the entire password. */ for (int i = 1; i <= keyLen; i++) { altCtx.update(keyBytes); } // 15. finish digest DP /* * Finish the digest. */ /* * Finish the digest. */ byte[] tempResult = altCtx.digest(); // 16. produce byte sequence P of the same length as the password where @@ -416,10 +406,10 @@ // // b) for the remaining N (up to 31 or 63) bytes use the first N // bytes of digest DP /* * Create byte sequence P. */ byte[] pBytes = new byte[keyLen]; /* * Create byte sequence P. */ final byte[] pBytes = new byte[keyLen]; int cp = 0; while (cp < keyLen - blocksize) { System.arraycopy(tempResult, 0, pBytes, cp, blocksize); @@ -428,26 +418,26 @@ System.arraycopy(tempResult, 0, pBytes, cp, keyLen - cp); // 17. start digest DS /* * Start computation of S byte sequence. */ altCtx = MessageDigest.getInstance(algorithm); /* * Start computation of S byte sequence. */ altCtx = getDigest(algorithm); // 18. repeast the following 16+A[0] times, where A[0] represents the first // byte in digest A interpreted as an 8-bit unsigned value // // add the salt to digest DS /* * For every character in the password add the entire password. */ /* * For every character in the password add the entire password. */ for (int i = 1; i <= 16 + (altResult[0] & 0xff); i++) { altCtx.update(saltBytes); } // 19. finish digest DS /* * Finish the digest. */ /* * Finish the digest. */ tempResult = altCtx.digest(); // 20. produce byte sequence S of the same length as the salt string where @@ -457,11 +447,11 @@ // // b) for the remaining N (up to 31 or 63) bytes use the first N // bytes of digest DS /* * Create byte sequence S. */ /* * Create byte sequence S. */ // Remark: The salt is limited to 16 chars, how does this make sense? byte[] sBytes = new byte[saltLen]; final byte[] sBytes = new byte[saltLen]; cp = 0; while (cp < saltLen - blocksize) { System.arraycopy(tempResult, 0, sBytes, cp, blocksize); @@ -477,22 +467,21 @@ // digest produced in step 12. In the latter steps it is the digest // produced in step 21.h. The following text uses the notation // "digest A/C" to describe this behavior. /* * Repeatedly run the collected hash value through sha512 to burn CPU * cycles. */ /* * Repeatedly run the collected hash value through sha512 to burn CPU cycles. */ for (int i = 0; i <= rounds - 1; i++) { // a) start digest C /* * New context. */ ctx = MessageDigest.getInstance(algorithm); /* * New context. */ ctx = getDigest(algorithm); // b) for odd round numbers add the byte sequence P to digest C // c) for even round numbers add digest A/C /* * Add key or last result. */ /* * Add key or last result. */ if ((i & 1) != 0) { ctx.update(pBytes, 0, keyLen); } else { @@ -500,26 +489,26 @@ } // d) for all round numbers not divisible by 3 add the byte sequence S /* * Add salt for numbers not divisible by 3. */ /* * Add salt for numbers not divisible by 3. */ if (i % 3 != 0) { ctx.update(sBytes, 0, saltLen); } // e) for all round numbers not divisible by 7 add the byte sequence P /* * Add key for numbers not divisible by 7. */ /* * Add key for numbers not divisible by 7. */ if (i % 7 != 0) { ctx.update(pBytes, 0, keyLen); } // f) for odd round numbers add digest A/C // g) for even round numbers add the byte sequence P /* * Add key or last result. */ /* * Add key or last result. */ if ((i & 1) != 0) { ctx.update(altResult, 0, blocksize); } else { @@ -527,9 +516,9 @@ } // h) finish digest C. /* * Create intermediate result. */ /* * Create intermediate result. */ altResult = ctx.digest(); } @@ -545,12 +534,17 @@ // c) the salt string truncated to 16 characters // // d) a '$' character /* * Now we can construct the result string. It consists of three parts. */ StringBuilder buffer = new StringBuilder(saltPrefix + (roundsCustom ? ROUNDS_PREFIX + rounds + "$" : "") + saltString + "$"); /* * Now we can construct the result string. It consists of three parts. */ final StringBuilder buffer = new StringBuilder(saltPrefix); if (roundsCustom) { buffer.append(ROUNDS_PREFIX); buffer.append(rounds); buffer.append("$"); } buffer.append(saltString); buffer.append("$"); // e) the base-64 encoded final C digest. The encoding used is as // follows: @@ -574,8 +568,7 @@ // characters as output for SHA-512 and SHA-512 respectively. // This was just a safeguard in the C implementation: // int buflen = salt_prefix.length() - 1 + ROUNDS_PREFIX.length() + 9 + 1 + // salt_string.length() + 1 + 86 + 1; // int buflen = salt_prefix.length() - 1 + ROUNDS_PREFIX.length() + 9 + 1 + salt_string.length() + 1 + 86 + 1; if (blocksize == 32) { B64.b64from24bit(altResult[0], altResult[10], altResult[20], 4, buffer); @@ -614,10 +607,10 @@ B64.b64from24bit((byte) 0, (byte) 0, altResult[63], 2, buffer); } /* * Clear the buffer for the intermediate result so that people attaching to * processes or reading core dumps cannot get any information. */ /* * Clear the buffer for the intermediate result so that people attaching to processes or reading core dumps * cannot get any information. */ // Is there a better way to do this with the JVM? Arrays.fill(tempResult, (byte) 0); Arrays.fill(pBytes, (byte) 0); @@ -632,36 +625,47 @@ /** * Generates a libc crypt() compatible "$6$" hash value with random salt. * * <p> * See {@link Crypt#crypt(String, String)} for details. * * @param keyBytes * The plaintext that should be hashed. * @throws Exception exception * @return compatible "$6$" hash value with random salt * plaintext to hash * @return complete hash value * @throws RuntimeException * when a {@link java.security.NoSuchAlgorithmException} is caught. */ public static String sha512Crypt(byte[] keyBytes) throws Exception { static String sha512Crypt(final byte[] keyBytes) { return sha512Crypt(keyBytes, null); } /** * Generates a libc6 crypt() compatible "$6$" hash value. * * <p> * See {@link Crypt#crypt(String, String)} for details. * * @param keyBytes * The plaintext that should be hashed. * plaintext to hash * @param salt * The real salt value without prefix or "rounds=". * @throws Exception exception * @return compatible "$6$" hash value * real salt value without prefix or "rounds=" * @return complete hash value including salt * @throws IllegalArgumentException * if the salt does not match the allowed pattern * @throws RuntimeException * when a {@link java.security.NoSuchAlgorithmException} is caught. */ public static String sha512Crypt(byte[] keyBytes, String salt) throws Exception { static String sha512Crypt(final byte[] keyBytes, String salt) { if (salt == null) { salt = SHA512_PREFIX + B64.getRandomSalt(8); } return sha2Crypt(keyBytes, salt, SHA512_PREFIX, SHA512_BLOCKSIZE, SHA512_ALGORITHM); return sha2Crypt(keyBytes, salt, SHA512_PREFIX, SHA512_BLOCKSIZE, SHA512_ALGORITHM); } private static MessageDigest getDigest(final String algorithm) { try { return MessageDigest.getInstance(algorithm); } catch (final NoSuchAlgorithmException e) { throw new IllegalArgumentException(e); } } }
