From 05fedc11791248b3c674b37d7e212c863a4915af Mon Sep 17 00:00:00 2001 From: tedu Date: Mon, 12 May 2014 19:13:14 +0000 Subject: [PATCH] remove md5crypt. while changing things, add a crypt_checkpass wrapper that handles most of the edge cases. (not quite ready for production, though.) ok deraadt --- lib/libc/crypt/Makefile.inc | 6 +- lib/libc/crypt/crypt.3 | 31 +------ lib/libc/crypt/crypt.c | 9 +- lib/libc/crypt/cryptutil.c | 54 ++++++++++++ lib/libc/crypt/md5crypt.c | 160 ------------------------------------ 5 files changed, 65 insertions(+), 195 deletions(-) create mode 100644 lib/libc/crypt/cryptutil.c delete mode 100644 lib/libc/crypt/md5crypt.c diff --git a/lib/libc/crypt/Makefile.inc b/lib/libc/crypt/Makefile.inc index c852523372e..3676d7f6466 100644 --- a/lib/libc/crypt/Makefile.inc +++ b/lib/libc/crypt/Makefile.inc @@ -1,12 +1,12 @@ -# $OpenBSD: Makefile.inc,v 1.19 2013/10/21 20:33:23 deraadt Exp $ +# $OpenBSD: Makefile.inc,v 1.20 2014/05/12 19:13:14 tedu Exp $ .PATH: ${LIBCSRCDIR}/arch/${MACHINE_CPU}/crypt ${LIBCSRCDIR}/crypt -SRCS+= crypt.c crypt2.c md5crypt.c arc4random.c blowfish.c bcrypt.c +SRCS+= crypt.c crypt2.c cryptutil.c arc4random.c blowfish.c bcrypt.c MAN+= crypt.3 blowfish.3 arc4random.3 MLINKS+=crypt.3 encrypt.3 crypt.3 setkey.3 crypt.3 des_cipher.3 -MLINKS+=crypt.3 bcrypt_gensalt.3 crypt.3 bcrypt.3 crypt.3 md5crypt.3 +MLINKS+=crypt.3 bcrypt_gensalt.3 crypt.3 bcrypt.3 MLINKS+=crypt.3 des_setkey.3 blowfish.3 blf_key.3 blowfish.3 blf_enc.3 MLINKS+=blowfish.3 blf_dec.3 blowfish.3 blf_ecb_encrypt.3 MLINKS+=blowfish.3 blf_ecb_decrypt.3 blowfish.3 blf_cbc_encrypt.3 diff --git a/lib/libc/crypt/crypt.3 b/lib/libc/crypt/crypt.3 index f4a78781da9..b8777e39ca5 100644 --- a/lib/libc/crypt/crypt.3 +++ b/lib/libc/crypt/crypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: crypt.3,v 1.34 2014/03/19 02:34:45 tedu Exp $ +.\" $OpenBSD: crypt.3,v 1.35 2014/05/12 19:13:14 tedu Exp $ .\" .\" FreeSec: libcrypt .\" 
@@ -31,7 +31,7 @@ .\" .\" Manual page, using -mandoc macros .\" -.Dd $Mdocdate: March 19 2014 $ +.Dd $Mdocdate: May 12 2014 $ .Dt CRYPT 3 .Os .Sh NAME @@ -41,8 +41,7 @@ .Nm des_setkey , .Nm des_cipher , .Nm bcrypt_gensalt , -.Nm bcrypt , -.Nm md5crypt +.Nm bcrypt .Nd password hashing .Sh SYNOPSIS .In stdlib.h @@ -63,8 +62,6 @@ .Fn bcrypt_gensalt "u_int8_t log_rounds" .Ft char * .Fn bcrypt "const char *key" "const char *salt" -.Ft char * -.Fn md5crypt "const char *key" "const char *salt" .Sh DESCRIPTION The .Fn crypt @@ -88,9 +85,7 @@ If it begins with a string character .Pq Ql $ and a number then a different algorithm is used depending on the number. -At the moment a -.Ql $1 -chooses MD5 hashing and a +At the moment .Ql $2 chooses Blowfish hashing; see below for more information. .Ss Extended crypt @@ -113,24 +108,6 @@ This allows 24 bits for both .Fa count and .Fa salt . -.Ss "MD5" crypt -For -.Tn MD5 -crypt the version number, -.Fa salt -and the hashed password are separated by the -.Ql $ -character. -The maximum length of a password is limited by -the length counter of the MD5 context, which is about -2**64. -A valid MD5 password entry looks like this: -.Pp -.Dq $1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1 . -.Pp -The whole MD5 password string is passed as -.Fa setting -for interpretation. .Ss "Blowfish" crypt The .Tn Blowfish diff --git a/lib/libc/crypt/crypt.c b/lib/libc/crypt/crypt.c index 15a784532d3..ad8140e3022 100644 --- a/lib/libc/crypt/crypt.c +++ b/lib/libc/crypt/crypt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crypt.c,v 1.20 2005/08/08 08:05:33 espie Exp $ */ +/* $OpenBSD: crypt.c,v 1.21 2014/05/12 19:13:14 tedu Exp $ */ /* * FreeSec: libcrypt 
@@ -576,15 +576,14 @@ crypt(const char *key, const char *setting) u_int32_t count, salt, l, r0, r1, keybuf[2]; u_char *p, *q; static u_char output[21]; - extern char *md5crypt(const char *, const char *); extern char *bcrypt(const char *, const char *); if (setting[0] == '$') { switch (setting[1]) { - case '1': - return (md5crypt(key, setting)); - default: + case '2': return bcrypt(key, setting); + default: + return (NULL); } } diff --git a/lib/libc/crypt/cryptutil.c b/lib/libc/crypt/cryptutil.c new file mode 100644 index 00000000000..36deda778e4 --- /dev/null +++ b/lib/libc/crypt/cryptutil.c 
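Review bot: The new `default: return (NULL);` arm in crypt() makes every `$`-prefixed setting other than `$2` return NULL without setting errno, so a caller cannot tell an unsupported hash format from any other failure. Callers that pass the result straight to strcmp() or strlen() will dereference NULL when they meet a stored `$1$` hash. The crypt.3 hunks in this patch remove the MD5 text but, as far as they show, do not document the NULL return. I would put `errno = EINVAL;` before the return (assuming `<errno.h>` is or can be included in crypt.c) and add a sentence about the NULL return to the man page. The rest of crypt()'s body lies outside this hunk.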
@@ -0,0 +1,54 @@ +/* $OpenBSD: cryptutil.c,v 1.1 2014/05/12 19:13:14 tedu Exp $ */ +/* + * Copyright (c) 2014 Ted Unangst + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#include +#include +#include +#include +#include + +int +crypt_checkpass(const char *pass, const char *goodhash) +{ + char dummy[_PASSWORD_LEN]; + char *res; + + if (goodhash == NULL) { + /* fake it */ + bcrypt_newhash(pass, 8, dummy, sizeof(dummy)); + goto fail; + } + + /* empty password */ + if (strlen(goodhash) == 0 && strlen(pass) == 0) + return 0; + + if (goodhash[0] == '$' && goodhash[1] == '2') { + return bcrypt_checkpass(pass, goodhash); + } + + /* have to do it the hard way */ + res = crypt(pass, goodhash); + if (strlen(res) != strlen(goodhash) || + timingsafe_bcmp(res, goodhash, strlen(goodhash)) != 0) { + goto fail; + } + + return 0; +fail: + errno = EACCES; + return -1; +} diff --git a/lib/libc/crypt/md5crypt.c b/lib/libc/crypt/md5crypt.c deleted file mode 100644 index a855835bccb..00000000000 --- a/lib/libc/crypt/md5crypt.c +++ /dev/null 
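Review bot: In crypt_checkpass() the result of `res = crypt(pass, goodhash);` goes into `strlen(res)` unchecked, but with this same patch crypt() returns NULL for any `$`-prefixed hash that is not `$2`, so a legacy `$1$` entry in the password database crashes the checker instead of failing authentication. Add `if (res == NULL) goto fail;` directly after the call. Separately, the `goodhash == NULL` path runs a dummy bcrypt_newhash() before failing, while the unsupported-hash and traditional crypt() paths fail without comparable work; if uniform failure timing is the intent, those paths probably want the same dummy hash. `pass` is also handed to strlen() without a NULL check, which is worth stating as a caller precondition in a comment above the function.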
@@ -1,160 +0,0 @@ -/* $OpenBSD: md5crypt.c,v 1.17 2014/04/03 15:55:29 beck Exp $ */ - -/* - * Copyright (c) 2000 Poul-Henning Kamp - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * If we meet some day, and you think this stuff is worth it, you - * can buy me a beer in return. Poul-Henning Kamp - */ - -#include -#include -#include -#include -#include - -static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - -static void to64(char *, u_int32_t, int); - -static void -to64(char *s, u_int32_t v, int n) -{ - while (--n >= 0) { - *s++ = itoa64[v&0x3f]; - v >>= 6; - } -} - -/* - * UNIX password - * - * Use MD5 for what it is best at... - */ - -char *md5crypt(const char *pw, const char *salt); - -char * -md5crypt(const char *pw, const char *salt) -{ - /* - * This string is the magic for this algorithm. - * Having it this way, we can get better later on. 
- */ - static unsigned char *magic = (unsigned char *)"$1$"; - - static char passwd[120], *p; - static const unsigned char *sp,*ep; - unsigned char final[16]; - int sl,pl,i; - MD5_CTX ctx,ctx1; - u_int32_t l; - - /* Refine the salt first */ - sp = (const unsigned char *)salt; - - /* If it starts with the magic string, then skip that */ - if(!strncmp((const char *)sp,(const char *)magic,strlen((const char *)magic))) - sp += strlen((const char *)magic); - - /* It stops at the first '$', max 8 chars */ - for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) - continue; - - /* get the length of the true salt */ - sl = ep - sp; - - MD5Init(&ctx); - - /* The password first, since that is what is most unknown */ - MD5Update(&ctx,(const unsigned char *)pw,strlen(pw)); - - /* Then our magic string */ - MD5Update(&ctx,magic,strlen((const char *)magic)); - - /* Then the raw salt */ - MD5Update(&ctx,sp,sl); - - /* Then just as many characters of the MD5(pw,salt,pw) */ - MD5Init(&ctx1); - MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw)); - MD5Update(&ctx1,sp,sl); - MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw)); - MD5Final(final,&ctx1); - for(pl = strlen(pw); pl > 0; pl -= 16) - MD5Update(&ctx,final,pl>16 ? 16 : pl); - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - /* Then something really weird... */ - for (i = strlen(pw); i ; i >>= 1) - if(i&1) - MD5Update(&ctx, final, 1); - else - MD5Update(&ctx, (const unsigned char *)pw, 1); - - /* Now make the output string */ - snprintf(passwd, sizeof(passwd), "%s%.*s$", (char *)magic, - sl, (const char *)sp); - - MD5Final(final,&ctx); - - /* - * And now, just to make sure things don't run too fast - * On a 60 MHz Pentium this takes 34 msec, so you would - * need 30 seconds to build a 1000 entry dictionary... - * On a modern machine, with possible GPU optimization, - * this will run a lot faster than that. 
- */ - for(i=0;i<1000;i++) { - MD5Init(&ctx1); - if(i & 1) - MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw)); - else - MD5Update(&ctx1,final,16); - - if(i % 3) - MD5Update(&ctx1,sp,sl); - - if(i % 7) - MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw)); - - if(i & 1) - MD5Update(&ctx1,final,16); - else - MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw)); - MD5Final(final,&ctx1); - } - - p = passwd + strlen(passwd); - - l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; - l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; - l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; - l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; - l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; - l = final[11] ; to64(p,l,2); p += 2; - *p = '\0'; - - /* Don't leave anything around in vm they could use. */ - memset(final, 0, sizeof final); - - return passwd; -} - -- 2.20.1