Home | History | Annotate | Line # | Download | only in libcrypt 
      1 /* $NetBSD: crypt-sha1.c,v 1.11 2024/07/23 22:37:11 riastradh Exp $ */
      2 
      3 /*
      4  * Copyright (c) 2004, Juniper Networks, Inc.
      5  * All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  * 1. Redistributions of source code must retain the above copyright
     11  *    notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  *    notice, this list of conditions and the following disclaimer in the
     14  *    documentation and/or other materials provided with the distribution.
     15  * 3. Neither the name of the copyright holders nor the names of its
     16  *    contributors may be used to endorse or promote products derived
     17  *    from this software without specific prior written permission.
     18  *
     19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     22  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     23  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     24  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     25  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     26  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     27  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     29  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     30  */
     31 
     32 #include <sys/cdefs.h>
     33 #if !defined(lint)
     34 __RCSID("$NetBSD: crypt-sha1.c,v 1.11 2024/07/23 22:37:11 riastradh Exp $");
     35 #endif /* not lint */
     36 
     37 #include <stdlib.h>
     38 #include <unistd.h>
     39 #include <stdio.h>
     40 #include <string.h>
     41 #include <time.h>
     42 
     43 #include <err.h>
     44 #include "crypt.h"
     45 
     46 /*
     47  * The default iterations - should take >0s on a fast CPU
     48  * but not be insane for a slow CPU.
     49  */
     50 #ifndef CRYPT_SHA1_ITERATIONS
     51 # define CRYPT_SHA1_ITERATIONS 24680
     52 #endif
     53 /*
     54  * Support a reasonably? long salt.
     55  */
     56 #ifndef CRYPT_SHA1_SALT_LENGTH
     57 # define CRYPT_SHA1_SALT_LENGTH 64
     58 #endif
     59 
     60 /*
     61  * This may be called from crypt_sha1 or gensalt.
     62  *
     63  * The value returned will be slightly less than <hint> which defaults
     64  * to 24680.  The goals are that the number of iterations should take
     65  * non-zero amount of time on a fast cpu while not taking insanely
     66  * long on a slow cpu.  The current default will take about 5 seconds
     67  * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386.
     68  * The number is varied to frustrate those attempting to generate a
     69  * dictionary of pre-computed hashes.
     70  */
     71 crypt_private unsigned int
     72 __crypt_sha1_iterations (unsigned int hint)
     73 {
     74     /*
     75      * We treat CRYPT_SHA1_ITERATIONS as a hint.
     76      * Make it harder for someone to pre-compute hashes for a
     77      * dictionary attack by not using the same iteration count for
     78      * every entry.
     79      */
     80     if (hint < 4)
     81 	hint = CRYPT_SHA1_ITERATIONS;
     82     return hint - arc4random_uniform(hint / 4);
     83 }
     84 
     85 /*
     86  * UNIX password using hmac_sha1
     87  * This is PBKDF1 from RFC 2898, but using hmac_sha1.
     88  *
     89  * The format of the encrypted password is:
     90  * $<tag>$<iterations>$<salt>$<digest>
     91  *
     92  * where:
     93  * 	<tag>		is "sha1"
     94  *	<iterations>	is an unsigned int identifying how many rounds
     95  * 			have been applied to <digest>.  The number
     96  * 			should vary slightly for each password to make
     97  * 			it harder to generate a dictionary of
     98  * 			pre-computed hashes.  See crypt_sha1_iterations.
     99  * 	<salt>		up to 64 bytes of random data, 8 bytes is
    100  * 			currently considered more than enough.
    101  *	<digest>	the hashed password.
    102  *
    103  * NOTE:
    104  * To be FIPS 140 compliant, the password which is used as a hmac key,
    105  * should be between 10 and 20 characters to provide at least 80bits
    106  * strength, and avoid the need to hash it before using as the
    107  * hmac key.
    108  */
    109 crypt_private char *
    110 __crypt_sha1 (const char *pw, const char *salt)
    111 {
    112     static const char *magic = SHA1_MAGIC;
    113     static unsigned char hmac_buf[SHA1_SIZE];
    114     static char passwd[(2 * sizeof(SHA1_MAGIC)) +
    115 		       CRYPT_SHA1_SALT_LENGTH + SHA1_SIZE];
    116     const char *sp;
    117     char *ep;
    118     unsigned long ul;
    119     int sl;
    120     int pl;
    121     int dl;
    122     unsigned int iterations;
    123     unsigned int i;
    124     /* XXX silence -Wpointer-sign (would be nice to fix this some other way) */
    125     const unsigned char *pwu = (const unsigned char *)pw;
    126 
    127     /*
    128      * Salt format is
    129      * $<tag>$<iterations>$salt[$]
    130      * If it does not start with $ we use our default iterations.
    131      */
    132 
    133     /* If it starts with the magic string, then skip that */
    134     if (!strncmp(salt, magic, strlen(magic))) {
    135 	salt += strlen(magic);
    136 	/* and get the iteration count */
    137 	iterations = strtoul(salt, &ep, 10);
    138 	if (*ep != '$')
    139 	    return NULL;		/* invalid input */
    140 	salt = ep + 1;			/* skip over the '$' */
    141     } else {
    142 	iterations = __crypt_sha1_iterations(0);
    143     }
    144 
    145     /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */
    146     for (sp = salt; *sp && *sp != '$' && sp < (salt + CRYPT_SHA1_ITERATIONS); sp++)
    147 	continue;
    148 
    149     /* Get the length of the actual salt */
    150     sl = sp - salt;
    151     pl = strlen(pw);
    152 
    153     /*
    154      * Now get to work...
    155      * Prime the pump with <salt><magic><iterations>
    156      */
    157     dl = snprintf(passwd, sizeof (passwd), "%.*s%s%u",
    158 		  sl, salt, magic, iterations);
    159     /*
    160      * Then hmac using <pw> as key, and repeat...
    161      */
    162     __hmac_sha1((unsigned char *)passwd, dl, pwu, pl, hmac_buf);
    163     for (i = 1; i < iterations; i++) {
    164 	__hmac_sha1(hmac_buf, SHA1_SIZE, pwu, pl, hmac_buf);
    165     }
    166     /* Now output... */
    167     pl = snprintf(passwd, sizeof(passwd), "%s%u$%.*s$",
    168 		  magic, iterations, sl, salt);
    169     ep = passwd + pl;
    170 
    171     /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
    172     for (i = 0; i < SHA1_SIZE - 3; i += 3) {
    173 	ul = (hmac_buf[i+0] << 16) |
    174 	    (hmac_buf[i+1] << 8) |
    175 	    hmac_buf[i+2];
    176 	__crypt_to64(ep, ul, 4); ep += 4;
    177     }
    178     /* Only 2 bytes left, so we pad with byte0 */
    179     ul = (hmac_buf[SHA1_SIZE - 2] << 16) |
    180 	(hmac_buf[SHA1_SIZE - 1] << 8) |
    181 	hmac_buf[0];
    182     __crypt_to64(ep, ul, 4); ep += 4;
    183     *ep = '\0';
    184 
    185     /* Don't leave anything around in vm they could use. */
    186     explicit_memset(hmac_buf, 0, sizeof hmac_buf);
    187 
    188     return passwd;
    189 }
    190