1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
/*
* Copyright (c) 2004, Juniper Networks, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "crypt-port.h"
#include "alg-hmac-sha1.h"
#include "byteorder.h"
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#if INCLUDE_sha1crypt
/*
* The default iterations - should take >0s on a fast CPU
* but not be insane for a slow CPU.
*/
#ifndef CRYPT_SHA1_ITERATIONS
# define CRYPT_SHA1_ITERATIONS 262144
#endif
/*
* Support a reasonably? long salt.
*/
#ifndef CRYPT_SHA1_SALT_LENGTH
# define CRYPT_SHA1_SALT_LENGTH 64
#endif
#define SHA1_SIZE 20 /* size of raw SHA1 digest, 160 bits */
#define SHA1_OUTPUT_SIZE 28 /* size of base64-ed output string */
static inline void
to64 (uint8_t *s, unsigned long v, int n)
{
while (--n >= 0)
{
*s++ = itoa64[v & 0x3f];
v >>= 6;
}
}
/*
* UNIX password using hmac_sha1
* This is PBKDF1 from RFC 2898, but using hmac_sha1.
*
* The format of the encrypted password is:
* $<tag>$<iterations>$<salt>$<digest>
*
* where:
* <tag> is "sha1"
* <iterations> is an unsigned int identifying how many rounds
* have been applied to <digest>. The number
* should vary slightly for each password to make
* it harder to generate a dictionary of
* pre-computed hashes. See gensalt_sha1crypt_rn.
* <salt> up to 64 bytes of random data, 8 bytes is
* currently considered more than enough.
* <digest> the hashed password.
*
* NOTE:
* To be FIPS 140 compliant, the password which is used as a hmac key,
* should be between 10 and 20 characters to provide at least 80bits
* strength, and avoid the need to hash it before using as the
* hmac key.
*/
void
crypt_sha1crypt_rn (const char *phrase, size_t phr_size,
const char *setting, size_t ARG_UNUSED (set_size),
uint8_t *output, size_t out_size,
void *scratch, size_t scr_size)
{
static const char *magic = "$sha1$";
if ((out_size < (strlen (magic) + 2 + 10 + CRYPT_SHA1_SALT_LENGTH +
SHA1_OUTPUT_SIZE)) ||
scr_size < SHA1_SIZE)
{
errno = ERANGE;
return;
}
const char *sp;
uint8_t *ep;
unsigned long ul;
size_t sl;
size_t pl = phr_size;
int dl;
unsigned long iterations;
unsigned long i;
/* XXX silence -Wpointer-sign (would be nice to fix this some other way) */
const uint8_t *pwu = (const uint8_t *)phrase;
uint8_t *hmac_buf = scratch;
/*
* Salt format is
* $<tag>$<iterations>$salt[$]
*/
/* If the string doesn't starts with the magic prefix, we shouldn't have been called */
if (strncmp (setting, magic, strlen (magic)))
{
errno = EINVAL;
return;
}
setting += strlen (magic);
/* get the iteration count */
iterations = (unsigned long)strtoul (setting, (char **)&ep, 10);
if (*ep != '$')
{
errno = EINVAL;
return; /* invalid input */
}
setting = (char *)ep + 1; /* skip over the '$' */
/* The next 1..CRYPT_SHA1_SALT_LENGTH bytes should be itoa64 characters,
followed by another '$' (or end of string). */
sp = setting + strspn (setting, (const char *)itoa64);
if (sp == setting || (*sp && *sp != '$'))
{
errno = EINVAL;
return;
}
sl = (size_t)(sp - setting);
/*
* Now get to work...
* Prime the pump with <salt><magic><iterations>
*/
dl = snprintf ((char *)output, out_size, "%.*s%s%lu",
(int)sl, setting, magic, iterations);
/*
* Then hmac using <phrase> as key, and repeat...
*/
hmac_sha1_process_data ((const unsigned char *)output, (size_t)dl,
pwu, pl, hmac_buf);
for (i = 1; i < iterations; ++i)
{
hmac_sha1_process_data (hmac_buf, SHA1_SIZE, pwu, pl, hmac_buf);
}
/* Now output... */
pl = (size_t)snprintf ((char *)output, out_size, "%s%lu$%.*s$",
magic, iterations, (int)sl, setting);
ep = output + pl;
/* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
for (i = 0; i < SHA1_SIZE - 3; i += 3)
{
ul = (unsigned long)((hmac_buf[i+0] << 16) |
(hmac_buf[i+1] << 8) |
hmac_buf[i+2]);
to64 (ep, ul, 4);
ep += 4;
}
/* Only 2 bytes left, so we pad with byte0 */
ul = (unsigned long)((hmac_buf[SHA1_SIZE - 2] << 16) |
(hmac_buf[SHA1_SIZE - 1] << 8) |
hmac_buf[0]);
to64 (ep, ul, 4);
ep += 4;
*ep = '\0';
/* Don't leave anything around in vm they could use. */
XCRYPT_SECURE_MEMSET (scratch, scr_size);
}
/* Modified excerpt from:
http://cvsweb.netbsd.org/bsdweb.cgi/~checkout~/src/lib/libcrypt/pw_gensalt.c */
void
gensalt_sha1crypt_rn (unsigned long count,
const uint8_t *rbytes, size_t nrbytes,
uint8_t *output, size_t o_size)
{
static_assert (sizeof (uint32_t) == 4,
"space calculations below assume 8-bit bytes");
/* Make sure we have enough random bytes to use for the salt.
The format supports using up to 48 random bytes, but 12 is
enough. We require another 4 bytes of randomness to perturb
'count' with. */
if (nrbytes < 12 + 4)
{
errno = EINVAL;
return;
}
/* Make sure we have enough output space, given the amount of
randomness available. $sha1$<10digits>$<(nrbytes-4)*4/3>$ */
if (o_size < (nrbytes - 4) * 4 / 3 + sizeof "$sha1$$$" + 10)
{
errno = ERANGE;
return;
}
/*
* We treat 'count' as a hint.
* Make it harder for someone to pre-compute hashes for a
* dictionary attack by not using the same iteration count for
* every entry.
*/
uint32_t rounds, random = le32_to_cpu (rbytes);
if (count == 0)
count = CRYPT_SHA1_ITERATIONS;
if (count < 4)
count = 4;
if (count > UINT32_MAX)
count = UINT32_MAX;
rounds = (uint32_t) (count - (random % (count / 4)));
uint32_t encbuf;
int n = snprintf((char *)output, o_size, "$sha1$%u$", (unsigned int)rounds);
assert (n >= 1 && (size_t)n + 2 < o_size);
const uint8_t *r = rbytes + 4;
const uint8_t *rlim = rbytes + nrbytes;
uint8_t *o = output + n;
uint8_t *olim = output + n + CRYPT_SHA1_SALT_LENGTH;
if (olim + 2 > output + o_size)
olim = output + o_size - 2;
for (; r + 3 < rlim && o + 4 < olim; r += 3, o += 4)
{
encbuf = ((((uint32_t)r[0]) << 16) |
(((uint32_t)r[1]) << 8) |
(((uint32_t)r[2]) << 0));
to64 (o, encbuf, 4);
}
o[0] = '$';
o[1] = '\0';
}
#endif
|
