lib/libcrypt/crypt-sha1.c

1.1  sjg /*
1.1  sjg  * Copyright (c) 2004, Juniper Networks, Inc.
1.1  sjg  * All rights reserved.
1.1  sjg  *
1.1  sjg  * Redistribution and use in source and binary forms, with or without
1.1  sjg  * modification, are permitted provided that the following conditions
1.1  sjg  * are met:
1.1  sjg  * 1. Redistributions of source code must retain the above copyright
1.1  sjg  *    notice, this list of conditions and the following disclaimer.
1.1  sjg  * 2. Redistributions in binary form must reproduce the above copyright
1.1  sjg  *    notice, this list of conditions and the following disclaimer in the
1.1  sjg  *    documentation and/or other materials provided with the distribution.
1.1  sjg  * 3. Neither the name of the copyright holders nor the names of its
1.1  sjg  *    contributors may be used to endorse or promote products derived
1.1  sjg  *    from this software without specific prior written permission.
1.1  sjg  *
1.1  sjg  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
1.1  sjg  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
1.1  sjg  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
1.1  sjg  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
1.1  sjg  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.1  sjg  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
1.1  sjg  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1.1  sjg  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1.1  sjg  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1.1  sjg  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
1.1  sjg  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.1  sjg  */
1.1  sjg
1.1  sjg #include <sys/cdefs.h>
1.1  sjg #if !defined(lint)
1.1  sjg __RCSID("$Id: crypt-sha1.c,v 1.1 2004/07/02 00:05:23 sjg Exp $");
1.1  sjg #endif /* not lint */
1.1  sjg
1.1  sjg #include <stdlib.h>
1.1  sjg #include <unistd.h>
1.1  sjg #include <stdio.h>
1.1  sjg #include <string.h>
1.1  sjg #include <time.h>
1.1  sjg
1.1  sjg #include <err.h>
1.1  sjg #include "crypt.h"
1.1  sjg
1.1  sjg /*
1.1  sjg  * The default iterations - should take >0s on a fast CPU
1.1  sjg  * but not be insane for a slow CPU.
1.1  sjg  */
1.1  sjg #ifndef CRYPT_SHA1_ITERATIONS
1.1  sjg # define CRYPT_SHA1_ITERATIONS 24680
1.1  sjg #endif
1.1  sjg /*
1.1  sjg  * Support a reasonably? long salt.
1.1  sjg  */
1.1  sjg #ifndef CRYPT_SHA1_SALT_LENGTH
1.1  sjg # define CRYPT_SHA1_SALT_LENGTH 64
1.1  sjg #endif
1.1  sjg
1.1  sjg extern void hmac_sha1(unsigned char *text, size_t text_len,
1.1  sjg 		      unsigned char *key, size_t key_len,
1.1  sjg 		      unsigned char *digest);
1.1  sjg
1.1  sjg /*
1.1  sjg  * This may be called from crypt_sha1 or gensalt.
1.1  sjg  *
1.1  sjg  * The value returned will be slightly less than <hint> which defaults
1.1  sjg  * to 24680.  The goals are that the number of iterations should take
1.1  sjg  * non-zero amount of time on a fast cpu while not taking insanely
1.1  sjg  * long on a slow cpu.  The current default will take about 5 seconds
1.1  sjg  * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386.
1.1  sjg  * The number is varied to frustrate those attempting to generate a
1.1  sjg  * dictionary of pre-computed hashes.
1.1  sjg  */
1.1  sjg unsigned int
1.1  sjg __crypt_sha1_iterations (unsigned int hint)
1.1  sjg {
1.1  sjg     static int once = 1;
1.1  sjg
1.1  sjg     /*
1.1  sjg      * We treat CRYPT_SHA1_ITERATIONS as a hint.
1.1  sjg      * Make it harder for someone to pre-compute hashes for a
1.1  sjg      * dictionary attack by not using the same iteration count for
1.1  sjg      * every entry.
1.1  sjg      */
1.1  sjg
1.1  sjg     if (once) {
1.1  sjg 	int pid = getpid();
1.1  sjg
1.1  sjg 	srandom(time(NULL) ^ (pid * pid));
1.1  sjg 	once = 0;
1.1  sjg     }
1.1  sjg     if (hint == 0)
1.1  sjg 	hint = CRYPT_SHA1_ITERATIONS;
1.1  sjg     return hint - (random() % (hint / 4));
1.1  sjg }
1.1  sjg
1.1  sjg /*
1.1  sjg  * UNIX password using hmac_sha1
1.1  sjg  * This is PBKDF1 from RFC 2898, but using hmac_sha1.
1.1  sjg  *
1.1  sjg  * The format of the encrypted password is:
1.1  sjg  * $<tag>$<iterations>$<salt>$<digest>
1.1  sjg  *
1.1  sjg  * where:
1.1  sjg  * 	<tag>		is "sha1"
1.1  sjg  *	<iterations>	is an unsigned int identifying how many rounds
1.1  sjg  * 			have been applied to <digest>.  The number
1.1  sjg  * 			should vary slightly for each password to make
1.1  sjg  * 			it harder to generate a dictionary of
1.1  sjg  * 			pre-computed hashes.  See crypt_sha1_iterations.
1.1  sjg  * 	<salt>		up to 64 bytes of random data, 8 bytes is
1.1  sjg  * 			currently considered more than enough.
1.1  sjg  *	<digest>	the hashed password.
1.1  sjg  *
1.1  sjg  * NOTE:
1.1  sjg  * To be FIPS 140 compliant, the password which is used as a hmac key,
1.1  sjg  * should be between 10 and 20 characters to provide at least 80bits
1.1  sjg  * strength, and avoid the need to hash it before using as the
1.1  sjg  * hmac key.
1.1  sjg  */
1.1  sjg char *
1.1  sjg __crypt_sha1 (const char *pw, const char *salt)
1.1  sjg {
1.1  sjg     static char *magic = SHA1_MAGIC;
1.1  sjg     static unsigned char hmac_buf[SHA1_SIZE];
1.1  sjg     static char passwd[(2 * sizeof(SHA1_MAGIC)) +
1.1  sjg 		       CRYPT_SHA1_SALT_LENGTH + SHA1_SIZE];
1.1  sjg     char *sp;
1.1  sjg     char *ep;
1.1  sjg     unsigned long ul;
1.1  sjg     int sl;
1.1  sjg     int pl;
1.1  sjg     int dl;
1.1  sjg     unsigned int iterations;
1.1  sjg     unsigned int i;
1.1  sjg
1.1  sjg     /*
1.1  sjg      * Salt format is
1.1  sjg      * $<tag>$<iterations>$salt[$]
1.1  sjg      * If it does not start with $ we use our default iterations.
1.1  sjg      */
1.1  sjg     sp = UNCONST(salt);
1.1  sjg
1.1  sjg     /* If it starts with the magic string, then skip that */
1.1  sjg     if (!strncmp(sp, magic, strlen(magic))) {
1.1  sjg 	sp += strlen(magic);
1.1  sjg 	/* and get the iteration count */
1.1  sjg 	iterations = strtoul(sp, &ep, 10);
1.1  sjg 	if (*ep != '$')
1.1  sjg 	    return NULL;		/* invalid input */
1.1  sjg 	sp = ep + 1;			/* skip over the '$' */
1.1  sjg     } else {
1.1  sjg 	iterations = __crypt_sha1_iterations(0);
1.1  sjg     }
1.1  sjg
1.1  sjg     /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */
1.1  sjg     for (ep = sp; *ep && *ep != '$' && ep < (sp + CRYPT_SHA1_ITERATIONS); ep++)
1.1  sjg 	continue;
1.1  sjg
1.1  sjg     /* Get the length of the actual salt */
1.1  sjg     sl = ep - sp;
1.1  sjg     pl = strlen(pw);
1.1  sjg
1.1  sjg     /*
1.1  sjg      * Now get to work...
1.1  sjg      * Prime the pump with <salt><magic><iterations>
1.1  sjg      */
1.1  sjg     dl = snprintf(passwd, sizeof (passwd), "%.*s%s%u",
1.1  sjg 		  sl, sp, magic, iterations);
1.1  sjg     /*
1.1  sjg      * Then hmac using <pw> as key, and repeat...
1.1  sjg      */
1.1  sjg     ep = UNCONST(pw);			/* keep gcc happy */
1.1  sjg     hmac_sha1(passwd, dl, ep, pl, hmac_buf);
1.1  sjg     for (i = 1; i < iterations; i++) {
1.1  sjg 	hmac_sha1(hmac_buf, SHA1_SIZE, ep, pl, hmac_buf);
1.1  sjg     }
1.1  sjg     /* Now output... */
1.1  sjg     pl = snprintf(passwd, sizeof(passwd), "%s%u$%.*s$",
1.1  sjg 		  magic, iterations, sl, sp);
1.1  sjg     ep = passwd + pl;
1.1  sjg
1.1  sjg     /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
1.1  sjg     for (i = 0; i < SHA1_SIZE - 3; i += 3) {
1.1  sjg 	ul = (hmac_buf[i+0] << 16) |
1.1  sjg 	    (hmac_buf[i+1] << 8) |
1.1  sjg 	    hmac_buf[i+2];
1.1  sjg 	__crypt_to64(ep, ul, 4); ep += 4;
1.1  sjg     }
1.1  sjg     /* Only 2 bytes left, so we pad with byte0 */
1.1  sjg     ul = (hmac_buf[SHA1_SIZE - 2] << 16) |
1.1  sjg 	(hmac_buf[SHA1_SIZE - 1] << 8) |
1.1  sjg 	hmac_buf[0];
1.1  sjg     __crypt_to64(ep, ul, 4); ep += 4;
1.1  sjg     *ep = '\0';
1.1  sjg
1.1  sjg     /* Don't leave anything around in vm they could use. */
1.1  sjg     memset(hmac_buf, 0, sizeof hmac_buf);
1.1  sjg
1.1  sjg     return passwd;
1.1  sjg }