1 /* $NetBSD: crypt-sha1.c,v 1.3 2006/10/27 18:22:56 drochner Exp $ */
4 * Copyright (c) 2004, Juniper Networks, Inc.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the copyright holders nor the names of its
16 * contributors may be used to endorse or promote products derived
17 * from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #include <sys/cdefs.h>
34 __RCSID("$NetBSD: crypt-sha1.c,v 1.3 2006/10/27 18:22:56 drochner Exp $");
47 * The default iterations - should take >0s on a fast CPU
48 * but not be insane for a slow CPU.
50 #ifndef CRYPT_SHA1_ITERATIONS
51 # define CRYPT_SHA1_ITERATIONS 24680
54 * Support a reasonably? long salt.
56 #ifndef CRYPT_SHA1_SALT_LENGTH
57 # define CRYPT_SHA1_SALT_LENGTH 64
61 * This may be called from crypt_sha1 or gensalt.
63 * The value returned will be slightly less than <hint> which defaults
64 * to 24680. The goals are that the number of iterations should take
65 * non-zero amount of time on a fast cpu while not taking insanely
66 * long on a slow cpu. The current default will take about 5 seconds
67 * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386.
68 * The number is varied to frustrate those attempting to generate a
69 * dictionary of pre-computed hashes.
72 __crypt_sha1_iterations (unsigned int hint
)
77 * We treat CRYPT_SHA1_ITERATIONS as a hint.
78 * Make it harder for someone to pre-compute hashes for a
79 * dictionary attack by not using the same iteration count for
86 srandom(time(NULL
) ^ (pid
* pid
));
90 hint
= CRYPT_SHA1_ITERATIONS
;
91 return hint
- (random() % (hint
/ 4));
95 * UNIX password using hmac_sha1
96 * This is PBKDF1 from RFC 2898, but using hmac_sha1.
98 * The format of the encrypted password is:
99 * $<tag>$<iterations>$<salt>$<digest>
103 * <iterations> is an unsigned int identifying how many rounds
104 * have been applied to <digest>. The number
105 * should vary slightly for each password to make
106 * it harder to generate a dictionary of
107 * pre-computed hashes. See crypt_sha1_iterations.
108 * <salt> up to 64 bytes of random data, 8 bytes is
109 * currently considered more than enough.
110 * <digest> the hashed password.
113 * To be FIPS 140 compliant, the password which is used as a hmac key,
114 * should be between 10 and 20 characters to provide at least 80bits
115 * strength, and avoid the need to hash it before using as the
119 __crypt_sha1 (const char *pw
, const char *salt
)
121 static const char *magic
= SHA1_MAGIC
;
122 static unsigned char hmac_buf
[SHA1_SIZE
];
123 static char passwd
[(2 * sizeof(SHA1_MAGIC
)) +
124 CRYPT_SHA1_SALT_LENGTH
+ SHA1_SIZE
];
131 unsigned int iterations
;
136 * $<tag>$<iterations>$salt[$]
137 * If it does not start with $ we use our default iterations.
139 sp
= __UNCONST(salt
);
141 /* If it starts with the magic string, then skip that */
142 if (!strncmp(sp
, magic
, strlen(magic
))) {
144 /* and get the iteration count */
145 iterations
= strtoul(sp
, &ep
, 10);
147 return NULL
; /* invalid input */
148 sp
= ep
+ 1; /* skip over the '$' */
150 iterations
= __crypt_sha1_iterations(0);
153 /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */
154 for (ep
= sp
; *ep
&& *ep
!= '$' && ep
< (sp
+ CRYPT_SHA1_ITERATIONS
); ep
++)
157 /* Get the length of the actual salt */
163 * Prime the pump with <salt><magic><iterations>
165 dl
= snprintf(passwd
, sizeof (passwd
), "%.*s%s%u",
166 sl
, sp
, magic
, iterations
);
168 * Then hmac using <pw> as key, and repeat...
170 ep
= __UNCONST(pw
); /* keep gcc happy */
171 __hmac_sha1(passwd
, dl
, ep
, pl
, hmac_buf
);
172 for (i
= 1; i
< iterations
; i
++) {
173 __hmac_sha1(hmac_buf
, SHA1_SIZE
, ep
, pl
, hmac_buf
);
176 pl
= snprintf(passwd
, sizeof(passwd
), "%s%u$%.*s$",
177 magic
, iterations
, sl
, sp
);
180 /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
181 for (i
= 0; i
< SHA1_SIZE
- 3; i
+= 3) {
182 ul
= (hmac_buf
[i
+0] << 16) |
183 (hmac_buf
[i
+1] << 8) |
185 __crypt_to64(ep
, ul
, 4); ep
+= 4;
187 /* Only 2 bytes left, so we pad with byte0 */
188 ul
= (hmac_buf
[SHA1_SIZE
- 2] << 16) |
189 (hmac_buf
[SHA1_SIZE
- 1] << 8) |
191 __crypt_to64(ep
, ul
, 4); ep
+= 4;
194 /* Don't leave anything around in vm they could use. */
195 memset(hmac_buf
, 0, sizeof hmac_buf
);