feat(core): Add PBKDF2 support

Extend NSData+Crypto to support PBKDF2 with SHA1 HMAC as dovecot is using it since v2.3.0. The format hashed passwords is {PBKDF2}$1$<salt>$<rounds>$<hashed value in hex> The implementation of pkcs#5 PBKDF2 is taken from openbsd (with minor adjustments) as OpenSSL and GnuTLS would require quite new versions to support this hash.
2020-05-03 19:17:54 +02:00 · 2020-05-03 19:17:54 +02:00 · 2e0fc3ca09
parent 8f7df73a29
commit 2e0fc3ca09
7 changed files with 251 additions and 6 deletions
--- a/Documentation/SOGoInstallationGuide.asciidoc
+++ b/Documentation/SOGoInstallationGuide.asciidoc
@ -1660,8 +1660,9 @@ they have the same name as popular LDAP attributes (such as `givenName`,
 passwords. Possible values are: `none`, `plain`, `crypt`, `md5`,
 `md5-crypt`, `smd5`, `cram-md5`, `ldap-md5`, and `sha`, `sha256`,
 `sha256-crypt`, `sha512`, `sha512-crypt`, its ssha (e.g. `ssha` or
-`ssha256`) variants, `blf-crypt`, and `sym-aes-128-cbc`. Passwords
-can have the scheme prepended in the form `{scheme}encryptedPass`.
+`ssha256`) variants, `blf-crypt`, `PBKDF2`, and `sym-aes-128-cbc`.
+Passwords can have the scheme prepended in the form
+`{scheme}encryptedPass`.

 If no scheme is given, _userPasswordAlgorithm_ is used instead. The
 schemes listed above follow the algorithms described in
--- a/SoObjects/SOGo/GNUmakefile
+++ b/SoObjects/SOGo/GNUmakefile
@ -167,7 +167,7 @@ SOGo_OBJC_FILES = \
 	SOGoCredentialsFile.m		\
 	SOGoTextTemplateFile.m

-SOGo_C_FILES += lmhash.c aes.c crypt_blowfish.c
+SOGo_C_FILES += lmhash.c aes.c crypt_blowfish.c pkcs5_pbkdf2.c

 SOGo_RESOURCE_FILES = \
 	SOGoDefaults.plist \
--- a/SoObjects/SOGo/NSData+Crypto.h
+++ b/SoObjects/SOGo/NSData+Crypto.h
@ -54,7 +54,7 @@
 - (NSData *) asSymAES128CBCUsingIV: (NSString *) theIV
                           keyPath: (NSString *) theKeyPath;
 - (NSData *) asCramMD5;
-
+- (NSData *) asPBKDF2SHA1UsingSalt: (NSData *) theSalt;
 - (NSData *) asCryptUsingSalt: (NSData *) theSalt;
 - (NSData *) asMD5CryptUsingSalt: (NSData *) theSalt;
 - (NSData *) asBlowfishCryptUsingSalt: (NSData *) theSalt;
--- a/SoObjects/SOGo/NSData+Crypto.m
+++ b/SoObjects/SOGo/NSData+Crypto.m
@ -52,6 +52,7 @@
 #include "aes.h"
 #include "crypt_blowfish.h"
 #include "lmhash.h"
+#include "pkcs5_pbkdf2.h"

 #import <Foundation/NSArray.h>
 #import <NGExtensions/NGBase64Coding.h>
@ -262,6 +263,10 @@ static const char salt_chars[] =
    {
      return [self asBlowfishCryptUsingSalt: theSalt];
    }
+  else if ([passwordScheme caseInsensitiveCompare: @"pbkdf2"] == NSOrderedSame)
+    {
+      return [self asPBKDF2SHA1UsingSalt: theSalt];
+    }
  else if ([[passwordScheme lowercaseString] hasPrefix: @"sym"])
    {
      // We first support one sym cipher, AES-128-CBC. If something else is provided
@ -856,6 +861,60 @@ static const char salt_chars[] =
  return [NSData dataWithBytes: hashed_password length: strlen(hashed_password)];
 }

+- (NSData *) asPBKDF2SHA1UsingSalt: (NSData *) theSalt
+{
+  NSString *saltString;
+  unsigned char hashed_password[PBKDF2_KEY_SIZE_SHA1] = {0};
+  int rounds = 0;
+
+  if ([theSalt length] == 0)
+    {
+      // generate a salt with default complexity if none was provided
+      NSData* saltData = [NSData generateSaltForLength: PBKDF2_SALT_LEN withPrintable: YES];
+      saltString = [[NSString alloc] initWithData: saltData encoding: NSUTF8StringEncoding];
+      [saltString autorelease];
+    }
+  else
+    {
+      NSString *saltAndRounds;
+      NSArray *saltAndRoundsComponents;
+      saltAndRounds = [[NSString alloc] initWithData: theSalt encoding: NSUTF8StringEncoding];
+      // salt is expected to be of the form salt$rounds
+      saltAndRoundsComponents = [saltAndRounds componentsSeparatedByString: @"$"];
+      AUTORELEASE(saltAndRounds);
+
+      if ([saltAndRoundsComponents count] != 2)
+        {
+          return nil;
+        }
+      saltString = [saltAndRoundsComponents objectAtIndex: 0];
+
+      rounds = [[saltAndRoundsComponents objectAtIndex: 1] intValue];
+    }
+
+  if (rounds == 0)
+      rounds = PBKDF2_DEFAULT_ROUNDS;
+
+  const char* password = [self bytes];
+  const unsigned char* salt = (const unsigned char*)[saltString UTF8String];
+#if defined(HAVE_GNUTLS)
+  if (!check_gnutls_init())
+    return nil;
+#endif
+  if (pkcs5_pbkdf2(password, [self length], salt, PBKDF2_SALT_LEN,
+                   hashed_password, PBKDF2_KEY_SIZE_SHA1,
+                   rounds) != 0)
+    {
+      return nil;
+    }
+
+  NSData *passwordData =
+    [NSData dataWithBytesNoCopy: hashed_password  length: PBKDF2_KEY_SIZE_SHA1  freeWhenDone: NO];
+  NSString *hexHash = [NSData encodeDataAsHexString: passwordData];
+
+  NSString* result = [NSString stringWithFormat: @"$1$%@$%u$%@", saltString, rounds, hexHash];
+  return [result dataUsingEncoding:NSUTF8StringEncoding];
+}

 /**
 * Get the salt from a password encrypted with a specied scheme
@ -882,11 +941,13 @@ static const char salt_chars[] =
    }
  else if ([theScheme caseInsensitiveCompare: @"md5-crypt"] == NSOrderedSame ||
      [theScheme caseInsensitiveCompare: @"sha256-crypt"] == NSOrderedSame ||
-      [theScheme caseInsensitiveCompare: @"sha512-crypt"] == NSOrderedSame)
+      [theScheme caseInsensitiveCompare: @"sha512-crypt"] == NSOrderedSame ||
+      [theScheme caseInsensitiveCompare: @"pbkdf2"] == NSOrderedSame)
    {
      // md5-crypt is generated the following "$1$<salt>$<encrypted pass>"
      // sha256-crypt is generated the following "$5$<salt>$<encrypted pass>"
      // sha512-crypt is generated the following "$6$<salt>$<encrypted pass>"
+      // pbkdf2 is generated as "$1$<salt>$<rounds>$<encrypted pass>"
      NSString *cryptString;
      NSArray *cryptParts;

--- a/SoObjects/SOGo/pkcs5_pbkdf2.c
+++ b/SoObjects/SOGo/pkcs5_pbkdf2.c
@ -0,0 +1,141 @@
+/*	$OpenBSD: pkcs5_pbkdf2.c,v 1.11 2019/11/21 16:07:24 tedu Exp $	*/
+
+/*-
+ * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef HAVE_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#define SHA_CTX            gnutls_hash_hd_t
+#define SHA1_Init(c)       gnutls_hash_init(c, GNUTLS_DIG_SHA1)
+#define SHA1_Update(c,b,l) gnutls_hash(*c, b, l)
+#define SHA1_Final(b,c)    gnutls_hash_deinit(*c, b);
+#elif defined(HAVE_OPENSSL)
+#include <openssl/sha.h>
+#endif
+
+#define	MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
+
+#define bcopy(b1,b2,len) (memmove((b2), (b1), (len)), (void) 0)
+
+#define	SHA1_BLOCK_LENGTH		64
+#define	SHA1_DIGEST_LENGTH		20
+#define	SHA1_DIGEST_STRING_LENGTH	(SHA1_DIGEST_LENGTH * 2 + 1)
+
+/*
+ * HMAC-SHA-1 (from RFC 2202).
+ */
+static void
+hmac_sha1(const u_int8_t *text, size_t text_len, const u_int8_t *key,
+    size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH])
+{
+	SHA_CTX ctx;
+	u_int8_t k_pad[SHA1_BLOCK_LENGTH];
+	u_int8_t tk[SHA1_DIGEST_LENGTH];
+	int i;
+
+	if (key_len > SHA1_BLOCK_LENGTH) {
+		SHA1_Init(&ctx);
+		SHA1_Update(&ctx, key, key_len);
+		SHA1_Final(tk, &ctx);
+
+		key = tk;
+		key_len = SHA1_DIGEST_LENGTH;
+	}
+
+	memset(k_pad, 0, sizeof k_pad);
+	bcopy(key, k_pad, key_len);
+	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
+		k_pad[i] ^= 0x36;
+
+	SHA1_Init(&ctx);
+	SHA1_Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
+	SHA1_Update(&ctx, text, text_len);
+	SHA1_Final(digest, &ctx);
+
+	memset(k_pad, 0, sizeof k_pad);
+	bcopy(key, k_pad, key_len);
+	for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
+		k_pad[i] ^= 0x5c;
+
+	SHA1_Init(&ctx);
+	SHA1_Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
+	SHA1_Update(&ctx, digest, SHA1_DIGEST_LENGTH);
+	SHA1_Final(digest, &ctx);
+}
+
+/*
+ * Password-Based Key Derivation Function 2 (PKCS #5 v2.0).
+ * Code based on IEEE Std 802.11-2007, Annex H.4.2.
+ */
+int
+pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
+    size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds)
+{
+	uint8_t *asalt, obuf[SHA1_DIGEST_LENGTH];
+	uint8_t d1[SHA1_DIGEST_LENGTH], d2[SHA1_DIGEST_LENGTH];
+	unsigned int i, j;
+	unsigned int count;
+	size_t r;
+
+	if (rounds < 1 || key_len == 0)
+		goto bad;
+	if (salt_len == 0 || salt_len > SIZE_MAX - 4)
+		goto bad;
+	if ((asalt = malloc(salt_len + 4)) == NULL)
+		goto bad;
+
+	memcpy(asalt, salt, salt_len);
+
+	for (count = 1; key_len > 0; count++) {
+		asalt[salt_len + 0] = (count >> 24) & 0xff;
+		asalt[salt_len + 1] = (count >> 16) & 0xff;
+		asalt[salt_len + 2] = (count >> 8) & 0xff;
+		asalt[salt_len + 3] = count & 0xff;
+		hmac_sha1(asalt, salt_len + 4, (const u_int8_t *)pass, pass_len, d1);
+		memcpy(obuf, d1, sizeof(obuf));
+
+		for (i = 1; i < rounds; i++) {
+			hmac_sha1(d1, sizeof(d1), (const u_int8_t *)pass, pass_len, d2);
+			memcpy(d1, d2, sizeof(d1));
+			for (j = 0; j < sizeof(obuf); j++)
+				obuf[j] ^= d1[j];
+		}
+
+		r = MINIMUM(key_len, SHA1_DIGEST_LENGTH);
+		memcpy(key, obuf, r);
+		key += r;
+		key_len -= r;
+	};
+	explicit_bzero(asalt, salt_len + 4);
+	free(asalt);
+	explicit_bzero(d1, sizeof(d1));
+	explicit_bzero(d2, sizeof(d2));
+	explicit_bzero(obuf, sizeof(obuf));
+
+	return 0;
+
+bad:
+	/* overwrite with random in case caller doesn't check return code */
+	//arc4random_buf(key, key_len);
+	return -1;
+}
--- a/SoObjects/SOGo/pkcs5_pbkdf2.h
+++ b/SoObjects/SOGo/pkcs5_pbkdf2.h
@ -0,0 +1,15 @@
+#ifndef PKCS5_PBKDF2_H
+#define PKCS5_PBKDF2_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define PBKDF2_KEY_SIZE_SHA1 (20)
+#define PBKDF2_SALT_LEN (16)
+#define PBKDF2_DEFAULT_ROUNDS (5000)
+
+int
+pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
+    size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds);
+
+#endif /* ! PKCS5_PBKDF2_H */
--- a/Tests/Unit/TestNSString+Crypto.m
+++ b/Tests/Unit/TestNSString+Crypto.m
@ -1,6 +1,7 @@
-/* TestNSString+MD5SHA1.m - this file is part of SOGo
+/* TestNSString+Crypto.m - this file is part of SOGo
 *
 * Copyright (C) 2011, 2012 Jeroen Dekkers
+ * Copyright (C) 2020 Nicolas Höft
 *
 * Author: Jeroen Dekkers <jeroen@dekkers.ch>
 *
@ -85,4 +86,30 @@
  test([blf_key isEqualToCrypted:blf_result withDefaultScheme: @"BLF-CRYPT" keyPath: nil]);
 }

+- (void) test_pbkdf2
+{
+  NSString *error;
+  // well-known comparison
+  NSString *pbkdf2_key = @"123456";
+  NSString *pbkdf2_hash = @"{PBKDF2}$1$xbhnwhLxltdS9L5M$5001$f1699047a6132383490817d6e58a5284f13339f0";
+  NSString *pkbf2_prefix;
+  NSString *pkbf2_result;
+
+  error = [NSString stringWithFormat:
+                          @"string '%@' wrong PBKDF2: '%@'",
+                        pbkdf2_key, pbkdf2_hash];
+  testWithMessage([pbkdf2_key isEqualToCrypted:pbkdf2_hash withDefaultScheme: @"CRYPT" keyPath: nil], error);
+
+  // generate a new pbkdf2-crypt key
+  pkbf2_prefix = @"$1$";
+  pkbf2_result = [pbkdf2_key asCryptedPassUsingScheme: @"PBKDF2" keyPath: nil];
+
+  error = [NSString stringWithFormat:
+                          @"returned hash '%@' has incorrect PBKDF2 prefix: '%@'",
+                        pkbf2_result, pkbf2_prefix];
+
+  testWithMessage([pkbf2_result hasPrefix: pkbf2_prefix], error);
+  test([pbkdf2_key isEqualToCrypted:pkbf2_result withDefaultScheme: @"PBKDF2" keyPath: nil]);
+}
+
@end