1/* $NetBSD: crypt-sha1.c,v 1.10 2021/10/29 13:22:08 nia Exp $ */
2
3/*
4 * Copyright (c) 2004, Juniper Networks, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the copyright holders nor the names of its
16 *    contributors may be used to endorse or promote products derived
17 *    from this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32#include <sys/cdefs.h>
33#if !defined(lint)
34__RCSID("$NetBSD: crypt-sha1.c,v 1.10 2021/10/29 13:22:08 nia Exp $");
35#endif /* not lint */
36
37#include <stdlib.h>
38#include <unistd.h>
39#include <stdio.h>
40#include <string.h>
41#include <time.h>
42
43#include <err.h>
44#include "crypt.h"
45
46/*
47 * The default iterations - should take >0s on a fast CPU
48 * but not be insane for a slow CPU.
49 */
50#ifndef CRYPT_SHA1_ITERATIONS
51# define CRYPT_SHA1_ITERATIONS 24680
52#endif
53/*
54 * Support a reasonably? long salt.
55 */
56#ifndef CRYPT_SHA1_SALT_LENGTH
57# define CRYPT_SHA1_SALT_LENGTH 64
58#endif
59
60/*
61 * This may be called from crypt_sha1 or gensalt.
62 *
63 * The value returned will be slightly less than <hint> which defaults
64 * to 24680.  The goals are that the number of iterations should take
65 * non-zero amount of time on a fast cpu while not taking insanely
66 * long on a slow cpu.  The current default will take about 5 seconds
67 * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386.
68 * The number is varied to frustrate those attempting to generate a
69 * dictionary of pre-computed hashes.
70 */
71crypt_private unsigned int
72__crypt_sha1_iterations (unsigned int hint)
73{
74    /*
75     * We treat CRYPT_SHA1_ITERATIONS as a hint.
76     * Make it harder for someone to pre-compute hashes for a
77     * dictionary attack by not using the same iteration count for
78     * every entry.
79     */
80    if (hint < 4)
81	hint = CRYPT_SHA1_ITERATIONS;
82    return hint - arc4random_uniform(hint / 4);
83}
84
85/*
86 * UNIX password using hmac_sha1
87 * This is PBKDF1 from RFC 2898, but using hmac_sha1.
88 *
89 * The format of the encrypted password is:
90 * $<tag>$<iterations>$<salt>$<digest>
91 *
92 * where:
93 * 	<tag>		is "sha1"
94 *	<iterations>	is an unsigned int identifying how many rounds
95 * 			have been applied to <digest>.  The number
96 * 			should vary slightly for each password to make
97 * 			it harder to generate a dictionary of
98 * 			pre-computed hashes.  See crypt_sha1_iterations.
99 * 	<salt>		up to 64 bytes of random data, 8 bytes is
100 * 			currently considered more than enough.
101 *	<digest>	the hashed password.
102 *
103 * NOTE:
104 * To be FIPS 140 compliant, the password which is used as a hmac key,
105 * should be between 10 and 20 characters to provide at least 80bits
106 * strength, and avoid the need to hash it before using as the
107 * hmac key.
108 */
109crypt_private char *
110__crypt_sha1 (const char *pw, const char *salt)
111{
112    static const char *magic = SHA1_MAGIC;
113    static unsigned char hmac_buf[SHA1_SIZE];
114    static char passwd[(2 * sizeof(SHA1_MAGIC)) +
115		       CRYPT_SHA1_SALT_LENGTH + SHA1_SIZE];
116    const char *sp;
117    char *ep;
118    unsigned long ul;
119    int sl;
120    int pl;
121    int dl;
122    unsigned int iterations;
123    unsigned int i;
124    /* XXX silence -Wpointer-sign (would be nice to fix this some other way) */
125    const unsigned char *pwu = (const unsigned char *)pw;
126
127    /*
128     * Salt format is
129     * $<tag>$<iterations>$salt[$]
130     * If it does not start with $ we use our default iterations.
131     */
132
133    /* If it starts with the magic string, then skip that */
134    if (!strncmp(salt, magic, strlen(magic))) {
135	salt += strlen(magic);
136	/* and get the iteration count */
137	iterations = strtoul(salt, &ep, 10);
138	if (*ep != '$')
139	    return NULL;		/* invalid input */
140	salt = ep + 1;			/* skip over the '$' */
141    } else {
142	iterations = __crypt_sha1_iterations(0);
143    }
144
145    /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */
146    for (sp = salt; *sp && *sp != '$' && sp < (salt + CRYPT_SHA1_ITERATIONS); sp++)
147	continue;
148
149    /* Get the length of the actual salt */
150    sl = sp - salt;
151    pl = strlen(pw);
152
153    /*
154     * Now get to work...
155     * Prime the pump with <salt><magic><iterations>
156     */
157    dl = snprintf(passwd, sizeof (passwd), "%.*s%s%u",
158		  sl, salt, magic, iterations);
159    /*
160     * Then hmac using <pw> as key, and repeat...
161     */
162    __hmac_sha1((unsigned char *)passwd, dl, pwu, pl, hmac_buf);
163    for (i = 1; i < iterations; i++) {
164	__hmac_sha1(hmac_buf, SHA1_SIZE, pwu, pl, hmac_buf);
165    }
166    /* Now output... */
167    pl = snprintf(passwd, sizeof(passwd), "%s%u$%.*s$",
168		  magic, iterations, sl, salt);
169    ep = passwd + pl;
170
171    /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
172    for (i = 0; i < SHA1_SIZE - 3; i += 3) {
173	ul = (hmac_buf[i+0] << 16) |
174	    (hmac_buf[i+1] << 8) |
175	    hmac_buf[i+2];
176	__crypt_to64(ep, ul, 4); ep += 4;
177    }
178    /* Only 2 bytes left, so we pad with byte0 */
179    ul = (hmac_buf[SHA1_SIZE - 2] << 16) |
180	(hmac_buf[SHA1_SIZE - 1] << 8) |
181	hmac_buf[0];
182    __crypt_to64(ep, ul, 4); ep += 4;
183    *ep = '\0';
184
185    /* Don't leave anything around in vm they could use. */
186    explicit_memset(hmac_buf, 0, sizeof hmac_buf);
187
188    return passwd;
189}
190