Fix mdoc(7)/man(7) mix up.
[netbsd-mini2440.git] / lib / libcrypt / crypt-sha1.c
blob1d613c13f32f82e57abd44632e6181963fbd207a
1 /* $NetBSD$ */
3 /*
4 * Copyright (c) 2004, Juniper Networks, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the copyright holders nor the names of its
16 * contributors may be used to endorse or promote products derived
17 * from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #include <sys/cdefs.h>
33 #if !defined(lint)
34 __RCSID("$NetBSD$");
35 #endif /* not lint */
37 #include <stdlib.h>
38 #include <unistd.h>
39 #include <stdio.h>
40 #include <string.h>
41 #include <time.h>
43 #include <err.h>
44 #include "crypt.h"
47 * The default iterations - should take >0s on a fast CPU
48 * but not be insane for a slow CPU.
50 #ifndef CRYPT_SHA1_ITERATIONS
51 # define CRYPT_SHA1_ITERATIONS 24680
52 #endif
54 * Support a reasonably? long salt.
56 #ifndef CRYPT_SHA1_SALT_LENGTH
57 # define CRYPT_SHA1_SALT_LENGTH 64
58 #endif
61 * This may be called from crypt_sha1 or gensalt.
63 * The value returned will be slightly less than <hint> which defaults
64 * to 24680. The goals are that the number of iterations should take
65 * non-zero amount of time on a fast cpu while not taking insanely
66 * long on a slow cpu. The current default will take about 5 seconds
67 * on a 100MHz sparc, and about 0.04 seconds on a 3GHz i386.
68 * The number is varied to frustrate those attempting to generate a
69 * dictionary of pre-computed hashes.
71 unsigned int
72 __crypt_sha1_iterations (unsigned int hint)
74 static int once = 1;
77 * We treat CRYPT_SHA1_ITERATIONS as a hint.
78 * Make it harder for someone to pre-compute hashes for a
79 * dictionary attack by not using the same iteration count for
80 * every entry.
83 if (once) {
84 int pid = getpid();
86 srandom(time(NULL) ^ (pid * pid));
87 once = 0;
89 if (hint == 0)
90 hint = CRYPT_SHA1_ITERATIONS;
91 return hint - (random() % (hint / 4));
95 * UNIX password using hmac_sha1
96 * This is PBKDF1 from RFC 2898, but using hmac_sha1.
98 * The format of the encrypted password is:
99 * $<tag>$<iterations>$<salt>$<digest>
101 * where:
102 * <tag> is "sha1"
103 * <iterations> is an unsigned int identifying how many rounds
104 * have been applied to <digest>. The number
105 * should vary slightly for each password to make
106 * it harder to generate a dictionary of
107 * pre-computed hashes. See crypt_sha1_iterations.
108 * <salt> up to 64 bytes of random data, 8 bytes is
109 * currently considered more than enough.
110 * <digest> the hashed password.
112 * NOTE:
113 * To be FIPS 140 compliant, the password which is used as a hmac key,
114 * should be between 10 and 20 characters to provide at least 80bits
115 * strength, and avoid the need to hash it before using as the
116 * hmac key.
118 char *
119 __crypt_sha1 (const char *pw, const char *salt)
121 static const char *magic = SHA1_MAGIC;
122 static unsigned char hmac_buf[SHA1_SIZE];
123 static char passwd[(2 * sizeof(SHA1_MAGIC)) +
124 CRYPT_SHA1_SALT_LENGTH + SHA1_SIZE];
125 char *sp;
126 char *ep;
127 unsigned long ul;
128 int sl;
129 int pl;
130 int dl;
131 unsigned int iterations;
132 unsigned int i;
135 * Salt format is
136 * $<tag>$<iterations>$salt[$]
137 * If it does not start with $ we use our default iterations.
139 sp = __UNCONST(salt);
141 /* If it starts with the magic string, then skip that */
142 if (!strncmp(sp, magic, strlen(magic))) {
143 sp += strlen(magic);
144 /* and get the iteration count */
145 iterations = strtoul(sp, &ep, 10);
146 if (*ep != '$')
147 return NULL; /* invalid input */
148 sp = ep + 1; /* skip over the '$' */
149 } else {
150 iterations = __crypt_sha1_iterations(0);
153 /* It stops at the next '$', max CRYPT_SHA1_ITERATIONS chars */
154 for (ep = sp; *ep && *ep != '$' && ep < (sp + CRYPT_SHA1_ITERATIONS); ep++)
155 continue;
157 /* Get the length of the actual salt */
158 sl = ep - sp;
159 pl = strlen(pw);
162 * Now get to work...
163 * Prime the pump with <salt><magic><iterations>
165 dl = snprintf(passwd, sizeof (passwd), "%.*s%s%u",
166 sl, sp, magic, iterations);
168 * Then hmac using <pw> as key, and repeat...
170 ep = __UNCONST(pw); /* keep gcc happy */
171 __hmac_sha1(passwd, dl, ep, pl, hmac_buf);
172 for (i = 1; i < iterations; i++) {
173 __hmac_sha1(hmac_buf, SHA1_SIZE, ep, pl, hmac_buf);
175 /* Now output... */
176 pl = snprintf(passwd, sizeof(passwd), "%s%u$%.*s$",
177 magic, iterations, sl, sp);
178 ep = passwd + pl;
180 /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
181 for (i = 0; i < SHA1_SIZE - 3; i += 3) {
182 ul = (hmac_buf[i+0] << 16) |
183 (hmac_buf[i+1] << 8) |
184 hmac_buf[i+2];
185 __crypt_to64(ep, ul, 4); ep += 4;
187 /* Only 2 bytes left, so we pad with byte0 */
188 ul = (hmac_buf[SHA1_SIZE - 2] << 16) |
189 (hmac_buf[SHA1_SIZE - 1] << 8) |
190 hmac_buf[0];
191 __crypt_to64(ep, ul, 4); ep += 4;
192 *ep = '\0';
194 /* Don't leave anything around in vm they could use. */
195 memset(hmac_buf, 0, sizeof hmac_buf);
197 return passwd;