crypt-sha1.c revision 1.10
1/* $NetBSD: crypt-sha1.c,v 1.10 2021/10/29 13:22:08 nia Exp $ */ 2 3/* 4 * Copyright (c) 2004, Juniper Networks, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the copyright holders nor the names of its 16 * contributors may be used to endorse or promote products derived 17 * from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33#if !defined(lint) 34__RCSID("$NetBSD: crypt-sha1.c,v 1.10 2021/10/29 13:22:08 nia Exp $"); 35#endif /* not lint */ 36 37#include <stdlib.h> 38#include <unistd.h> 39#include <stdio.h> 40#include <string.h> 41#include <time.h> 42 43#include <err.h> 44#include "crypt.h" 45 46/* 47 * The default iterations - should take >0s on a fast CPU 48 * but not be insane for a slow CPU. 49 */ 50#ifndef CRYPT_SHA1_ITERATIONS 51# define CRYPT_SHA1_ITERATIONS 24680 52#endif 53/* 54 * Support a reasonably? long salt. 55 */ 56#ifndef CRYPT_SHA1_SALT_LENGTH 57# define CRYPT_SHA1_SALT_LENGTH 64 58#endif 59 60/* 61 * This may be called from crypt_sha1 or gensalt. 62 * 63 * The value returned will be slightly less than <hint> which defaults 64 * to 24680. The goals are that the number of iterations should take 65 * non-zero amount of time on a fast cpu while not taking insanely 66 * long on a slow cpu. The current default will take about 5 seconds 67 * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386. 68 * The number is varied to frustrate those attempting to generate a 69 * dictionary of pre-computed hashes. 70 */ 71crypt_private unsigned int 72__crypt_sha1_iterations (unsigned int hint) 73{ 74 /* 75 * We treat CRYPT_SHA1_ITERATIONS as a hint. 76 * Make it harder for someone to pre-compute hashes for a 77 * dictionary attack by not using the same iteration count for 78 * every entry. 79 */ 80 if (hint < 4) 81 hint = CRYPT_SHA1_ITERATIONS; 82 return hint - arc4random_uniform(hint / 4); 83} 84 85/* 86 * UNIX password using hmac_sha1 87 * This is PBKDF1 from RFC 2898, but using hmac_sha1. 88 * 89 * The format of the encrypted password is: 90 * $<tag>$<iterations>$<salt>$<digest> 91 * 92 * where: 93 * <tag> is "sha1" 94 * <iterations> is an unsigned int identifying how many rounds 95 * have been applied to <digest>. The number 96 * should vary slightly for each password to make 97 * it harder to generate a dictionary of 98 * pre-computed hashes. See crypt_sha1_iterations. 99 * <salt> up to 64 bytes of random data, 8 bytes is 100 * currently considered more than enough. 101 * <digest> the hashed password. 102 * 103 * NOTE: 104 * To be FIPS 140 compliant, the password which is used as a hmac key, 105 * should be between 10 and 20 characters to provide at least 80bits 106 * strength, and avoid the need to hash it before using as the 107 * hmac key. 108 */ 109crypt_private char * 110__crypt_sha1 (const char *pw, const char *salt) 111{ 112 static const char *magic = SHA1_MAGIC; 113 static unsigned char hmac_buf[SHA1_SIZE]; 114 static char passwd[(2 * sizeof(SHA1_MAGIC)) + 115 CRYPT_SHA1_SALT_LENGTH + SHA1_SIZE]; 116 const char *sp; 117 char *ep; 118 unsigned long ul; 119 int sl; 120 int pl; 121 int dl; 122 unsigned int iterations; 123 unsigned int i; 124 /* XXX silence -Wpointer-sign (would be nice to fix this some other way) */ 125 const unsigned char *pwu = (const unsigned char *)pw; 126 127 /* 128 * Salt format is 129 * $<tag>$<iterations>$salt[$] 130 * If it does not start with $ we use our default iterations. 131 */ 132 133 /* If it starts with the magic string, then skip that */ 134 if (!strncmp(salt, magic, strlen(magic))) { 135 salt += strlen(magic); 136 /* and get the iteration count */ 137 iterations = strtoul(salt, &ep, 10); 138 if (*ep != '$') 139 return NULL; /* invalid input */ 140 salt = ep + 1; /* skip over the '$' */ 141 } else { 142 iterations = __crypt_sha1_iterations(0); 143 } 144 145 /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */ 146 for (sp = salt; *sp && *sp != '$' && sp < (salt + CRYPT_SHA1_ITERATIONS); sp++) 147 continue; 148 149 /* Get the length of the actual salt */ 150 sl = sp - salt; 151 pl = strlen(pw); 152 153 /* 154 * Now get to work... 155 * Prime the pump with <salt><magic><iterations> 156 */ 157 dl = snprintf(passwd, sizeof (passwd), "%.*s%s%u", 158 sl, salt, magic, iterations); 159 /* 160 * Then hmac using <pw> as key, and repeat... 161 */ 162 __hmac_sha1((unsigned char *)passwd, dl, pwu, pl, hmac_buf); 163 for (i = 1; i < iterations; i++) { 164 __hmac_sha1(hmac_buf, SHA1_SIZE, pwu, pl, hmac_buf); 165 } 166 /* Now output... */ 167 pl = snprintf(passwd, sizeof(passwd), "%s%u$%.*s$", 168 magic, iterations, sl, salt); 169 ep = passwd + pl; 170 171 /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */ 172 for (i = 0; i < SHA1_SIZE - 3; i += 3) { 173 ul = (hmac_buf[i+0] << 16) | 174 (hmac_buf[i+1] << 8) | 175 hmac_buf[i+2]; 176 __crypt_to64(ep, ul, 4); ep += 4; 177 } 178 /* Only 2 bytes left, so we pad with byte0 */ 179 ul = (hmac_buf[SHA1_SIZE - 2] << 16) | 180 (hmac_buf[SHA1_SIZE - 1] << 8) | 181 hmac_buf[0]; 182 __crypt_to64(ep, ul, 4); ep += 4; 183 *ep = '\0'; 184 185 /* Don't leave anything around in vm they could use. */ 186 explicit_memset(hmac_buf, 0, sizeof hmac_buf); 187 188 return passwd; 189} 190