feat(core): Add PBKDF2 support
Extend NSData+Crypto to support PBKDF2 with SHA1 HMAC as dovecot is using it since v2.3.0. The format hashed passwords is {PBKDF2}$1$<salt>$<rounds>$<hashed value in hex> The implementation of pkcs#5 PBKDF2 is taken from openbsd (with minor adjustments) as OpenSSL and GnuTLS would require quite new versions to support this hash.pull/276/head
parent
8f7df73a29
commit
2e0fc3ca09
|
@ -1660,8 +1660,9 @@ they have the same name as popular LDAP attributes (such as `givenName`,
|
||||||
passwords. Possible values are: `none`, `plain`, `crypt`, `md5`,
|
passwords. Possible values are: `none`, `plain`, `crypt`, `md5`,
|
||||||
`md5-crypt`, `smd5`, `cram-md5`, `ldap-md5`, and `sha`, `sha256`,
|
`md5-crypt`, `smd5`, `cram-md5`, `ldap-md5`, and `sha`, `sha256`,
|
||||||
`sha256-crypt`, `sha512`, `sha512-crypt`, its ssha (e.g. `ssha` or
|
`sha256-crypt`, `sha512`, `sha512-crypt`, its ssha (e.g. `ssha` or
|
||||||
`ssha256`) variants, `blf-crypt`, and `sym-aes-128-cbc`. Passwords
|
`ssha256`) variants, `blf-crypt`, `PBKDF2`, and `sym-aes-128-cbc`.
|
||||||
can have the scheme prepended in the form `{scheme}encryptedPass`.
|
Passwords can have the scheme prepended in the form
|
||||||
|
`{scheme}encryptedPass`.
|
||||||
|
|
||||||
If no scheme is given, _userPasswordAlgorithm_ is used instead. The
|
If no scheme is given, _userPasswordAlgorithm_ is used instead. The
|
||||||
schemes listed above follow the algorithms described in
|
schemes listed above follow the algorithms described in
|
||||||
|
|
|
@ -167,7 +167,7 @@ SOGo_OBJC_FILES = \
|
||||||
SOGoCredentialsFile.m \
|
SOGoCredentialsFile.m \
|
||||||
SOGoTextTemplateFile.m
|
SOGoTextTemplateFile.m
|
||||||
|
|
||||||
SOGo_C_FILES += lmhash.c aes.c crypt_blowfish.c
|
SOGo_C_FILES += lmhash.c aes.c crypt_blowfish.c pkcs5_pbkdf2.c
|
||||||
|
|
||||||
SOGo_RESOURCE_FILES = \
|
SOGo_RESOURCE_FILES = \
|
||||||
SOGoDefaults.plist \
|
SOGoDefaults.plist \
|
||||||
|
|
|
@ -54,7 +54,7 @@
|
||||||
- (NSData *) asSymAES128CBCUsingIV: (NSString *) theIV
|
- (NSData *) asSymAES128CBCUsingIV: (NSString *) theIV
|
||||||
keyPath: (NSString *) theKeyPath;
|
keyPath: (NSString *) theKeyPath;
|
||||||
- (NSData *) asCramMD5;
|
- (NSData *) asCramMD5;
|
||||||
|
- (NSData *) asPBKDF2SHA1UsingSalt: (NSData *) theSalt;
|
||||||
- (NSData *) asCryptUsingSalt: (NSData *) theSalt;
|
- (NSData *) asCryptUsingSalt: (NSData *) theSalt;
|
||||||
- (NSData *) asMD5CryptUsingSalt: (NSData *) theSalt;
|
- (NSData *) asMD5CryptUsingSalt: (NSData *) theSalt;
|
||||||
- (NSData *) asBlowfishCryptUsingSalt: (NSData *) theSalt;
|
- (NSData *) asBlowfishCryptUsingSalt: (NSData *) theSalt;
|
||||||
|
|
|
@ -52,6 +52,7 @@
|
||||||
#include "aes.h"
|
#include "aes.h"
|
||||||
#include "crypt_blowfish.h"
|
#include "crypt_blowfish.h"
|
||||||
#include "lmhash.h"
|
#include "lmhash.h"
|
||||||
|
#include "pkcs5_pbkdf2.h"
|
||||||
|
|
||||||
#import <Foundation/NSArray.h>
|
#import <Foundation/NSArray.h>
|
||||||
#import <NGExtensions/NGBase64Coding.h>
|
#import <NGExtensions/NGBase64Coding.h>
|
||||||
|
@ -262,6 +263,10 @@ static const char salt_chars[] =
|
||||||
{
|
{
|
||||||
return [self asBlowfishCryptUsingSalt: theSalt];
|
return [self asBlowfishCryptUsingSalt: theSalt];
|
||||||
}
|
}
|
||||||
|
else if ([passwordScheme caseInsensitiveCompare: @"pbkdf2"] == NSOrderedSame)
|
||||||
|
{
|
||||||
|
return [self asPBKDF2SHA1UsingSalt: theSalt];
|
||||||
|
}
|
||||||
else if ([[passwordScheme lowercaseString] hasPrefix: @"sym"])
|
else if ([[passwordScheme lowercaseString] hasPrefix: @"sym"])
|
||||||
{
|
{
|
||||||
// We first support one sym cipher, AES-128-CBC. If something else is provided
|
// We first support one sym cipher, AES-128-CBC. If something else is provided
|
||||||
|
@ -856,6 +861,60 @@ static const char salt_chars[] =
|
||||||
return [NSData dataWithBytes: hashed_password length: strlen(hashed_password)];
|
return [NSData dataWithBytes: hashed_password length: strlen(hashed_password)];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
- (NSData *) asPBKDF2SHA1UsingSalt: (NSData *) theSalt
|
||||||
|
{
|
||||||
|
NSString *saltString;
|
||||||
|
unsigned char hashed_password[PBKDF2_KEY_SIZE_SHA1] = {0};
|
||||||
|
int rounds = 0;
|
||||||
|
|
||||||
|
if ([theSalt length] == 0)
|
||||||
|
{
|
||||||
|
// generate a salt with default complexity if none was provided
|
||||||
|
NSData* saltData = [NSData generateSaltForLength: PBKDF2_SALT_LEN withPrintable: YES];
|
||||||
|
saltString = [[NSString alloc] initWithData: saltData encoding: NSUTF8StringEncoding];
|
||||||
|
[saltString autorelease];
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
NSString *saltAndRounds;
|
||||||
|
NSArray *saltAndRoundsComponents;
|
||||||
|
saltAndRounds = [[NSString alloc] initWithData: theSalt encoding: NSUTF8StringEncoding];
|
||||||
|
// salt is expected to be of the form salt$rounds
|
||||||
|
saltAndRoundsComponents = [saltAndRounds componentsSeparatedByString: @"$"];
|
||||||
|
AUTORELEASE(saltAndRounds);
|
||||||
|
|
||||||
|
if ([saltAndRoundsComponents count] != 2)
|
||||||
|
{
|
||||||
|
return nil;
|
||||||
|
}
|
||||||
|
saltString = [saltAndRoundsComponents objectAtIndex: 0];
|
||||||
|
|
||||||
|
rounds = [[saltAndRoundsComponents objectAtIndex: 1] intValue];
|
||||||
|
}
|
||||||
|
|
||||||
|
if (rounds == 0)
|
||||||
|
rounds = PBKDF2_DEFAULT_ROUNDS;
|
||||||
|
|
||||||
|
const char* password = [self bytes];
|
||||||
|
const unsigned char* salt = (const unsigned char*)[saltString UTF8String];
|
||||||
|
#if defined(HAVE_GNUTLS)
|
||||||
|
if (!check_gnutls_init())
|
||||||
|
return nil;
|
||||||
|
#endif
|
||||||
|
if (pkcs5_pbkdf2(password, [self length], salt, PBKDF2_SALT_LEN,
|
||||||
|
hashed_password, PBKDF2_KEY_SIZE_SHA1,
|
||||||
|
rounds) != 0)
|
||||||
|
{
|
||||||
|
return nil;
|
||||||
|
}
|
||||||
|
|
||||||
|
NSData *passwordData =
|
||||||
|
[NSData dataWithBytesNoCopy: hashed_password length: PBKDF2_KEY_SIZE_SHA1 freeWhenDone: NO];
|
||||||
|
NSString *hexHash = [NSData encodeDataAsHexString: passwordData];
|
||||||
|
|
||||||
|
NSString* result = [NSString stringWithFormat: @"$1$%@$%u$%@", saltString, rounds, hexHash];
|
||||||
|
return [result dataUsingEncoding:NSUTF8StringEncoding];
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the salt from a password encrypted with a specied scheme
|
* Get the salt from a password encrypted with a specied scheme
|
||||||
|
@ -882,11 +941,13 @@ static const char salt_chars[] =
|
||||||
}
|
}
|
||||||
else if ([theScheme caseInsensitiveCompare: @"md5-crypt"] == NSOrderedSame ||
|
else if ([theScheme caseInsensitiveCompare: @"md5-crypt"] == NSOrderedSame ||
|
||||||
[theScheme caseInsensitiveCompare: @"sha256-crypt"] == NSOrderedSame ||
|
[theScheme caseInsensitiveCompare: @"sha256-crypt"] == NSOrderedSame ||
|
||||||
[theScheme caseInsensitiveCompare: @"sha512-crypt"] == NSOrderedSame)
|
[theScheme caseInsensitiveCompare: @"sha512-crypt"] == NSOrderedSame ||
|
||||||
|
[theScheme caseInsensitiveCompare: @"pbkdf2"] == NSOrderedSame)
|
||||||
{
|
{
|
||||||
// md5-crypt is generated the following "$1$<salt>$<encrypted pass>"
|
// md5-crypt is generated the following "$1$<salt>$<encrypted pass>"
|
||||||
// sha256-crypt is generated the following "$5$<salt>$<encrypted pass>"
|
// sha256-crypt is generated the following "$5$<salt>$<encrypted pass>"
|
||||||
// sha512-crypt is generated the following "$6$<salt>$<encrypted pass>"
|
// sha512-crypt is generated the following "$6$<salt>$<encrypted pass>"
|
||||||
|
// pbkdf2 is generated as "$1$<salt>$<rounds>$<encrypted pass>"
|
||||||
NSString *cryptString;
|
NSString *cryptString;
|
||||||
NSArray *cryptParts;
|
NSArray *cryptParts;
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,141 @@
|
||||||
|
/* $OpenBSD: pkcs5_pbkdf2.c,v 1.11 2019/11/21 16:07:24 tedu Exp $ */
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
|
||||||
|
*
|
||||||
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
|
* copyright notice and this permission notice appear in all copies.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
#ifdef HAVE_GNUTLS
|
||||||
|
#include <gnutls/gnutls.h>
|
||||||
|
#include <gnutls/crypto.h>
|
||||||
|
#define SHA_CTX gnutls_hash_hd_t
|
||||||
|
#define SHA1_Init(c) gnutls_hash_init(c, GNUTLS_DIG_SHA1)
|
||||||
|
#define SHA1_Update(c,b,l) gnutls_hash(*c, b, l)
|
||||||
|
#define SHA1_Final(b,c) gnutls_hash_deinit(*c, b);
|
||||||
|
#elif defined(HAVE_OPENSSL)
|
||||||
|
#include <openssl/sha.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define MINIMUM(a,b) (((a) < (b)) ? (a) : (b))
|
||||||
|
|
||||||
|
#define bcopy(b1,b2,len) (memmove((b2), (b1), (len)), (void) 0)
|
||||||
|
|
||||||
|
#define SHA1_BLOCK_LENGTH 64
|
||||||
|
#define SHA1_DIGEST_LENGTH 20
|
||||||
|
#define SHA1_DIGEST_STRING_LENGTH (SHA1_DIGEST_LENGTH * 2 + 1)
|
||||||
|
|
||||||
|
/*
|
||||||
|
* HMAC-SHA-1 (from RFC 2202).
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
hmac_sha1(const u_int8_t *text, size_t text_len, const u_int8_t *key,
|
||||||
|
size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH])
|
||||||
|
{
|
||||||
|
SHA_CTX ctx;
|
||||||
|
u_int8_t k_pad[SHA1_BLOCK_LENGTH];
|
||||||
|
u_int8_t tk[SHA1_DIGEST_LENGTH];
|
||||||
|
int i;
|
||||||
|
|
||||||
|
if (key_len > SHA1_BLOCK_LENGTH) {
|
||||||
|
SHA1_Init(&ctx);
|
||||||
|
SHA1_Update(&ctx, key, key_len);
|
||||||
|
SHA1_Final(tk, &ctx);
|
||||||
|
|
||||||
|
key = tk;
|
||||||
|
key_len = SHA1_DIGEST_LENGTH;
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(k_pad, 0, sizeof k_pad);
|
||||||
|
bcopy(key, k_pad, key_len);
|
||||||
|
for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
|
||||||
|
k_pad[i] ^= 0x36;
|
||||||
|
|
||||||
|
SHA1_Init(&ctx);
|
||||||
|
SHA1_Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
|
||||||
|
SHA1_Update(&ctx, text, text_len);
|
||||||
|
SHA1_Final(digest, &ctx);
|
||||||
|
|
||||||
|
memset(k_pad, 0, sizeof k_pad);
|
||||||
|
bcopy(key, k_pad, key_len);
|
||||||
|
for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
|
||||||
|
k_pad[i] ^= 0x5c;
|
||||||
|
|
||||||
|
SHA1_Init(&ctx);
|
||||||
|
SHA1_Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
|
||||||
|
SHA1_Update(&ctx, digest, SHA1_DIGEST_LENGTH);
|
||||||
|
SHA1_Final(digest, &ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Password-Based Key Derivation Function 2 (PKCS #5 v2.0).
|
||||||
|
* Code based on IEEE Std 802.11-2007, Annex H.4.2.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
|
||||||
|
size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds)
|
||||||
|
{
|
||||||
|
uint8_t *asalt, obuf[SHA1_DIGEST_LENGTH];
|
||||||
|
uint8_t d1[SHA1_DIGEST_LENGTH], d2[SHA1_DIGEST_LENGTH];
|
||||||
|
unsigned int i, j;
|
||||||
|
unsigned int count;
|
||||||
|
size_t r;
|
||||||
|
|
||||||
|
if (rounds < 1 || key_len == 0)
|
||||||
|
goto bad;
|
||||||
|
if (salt_len == 0 || salt_len > SIZE_MAX - 4)
|
||||||
|
goto bad;
|
||||||
|
if ((asalt = malloc(salt_len + 4)) == NULL)
|
||||||
|
goto bad;
|
||||||
|
|
||||||
|
memcpy(asalt, salt, salt_len);
|
||||||
|
|
||||||
|
for (count = 1; key_len > 0; count++) {
|
||||||
|
asalt[salt_len + 0] = (count >> 24) & 0xff;
|
||||||
|
asalt[salt_len + 1] = (count >> 16) & 0xff;
|
||||||
|
asalt[salt_len + 2] = (count >> 8) & 0xff;
|
||||||
|
asalt[salt_len + 3] = count & 0xff;
|
||||||
|
hmac_sha1(asalt, salt_len + 4, (const u_int8_t *)pass, pass_len, d1);
|
||||||
|
memcpy(obuf, d1, sizeof(obuf));
|
||||||
|
|
||||||
|
for (i = 1; i < rounds; i++) {
|
||||||
|
hmac_sha1(d1, sizeof(d1), (const u_int8_t *)pass, pass_len, d2);
|
||||||
|
memcpy(d1, d2, sizeof(d1));
|
||||||
|
for (j = 0; j < sizeof(obuf); j++)
|
||||||
|
obuf[j] ^= d1[j];
|
||||||
|
}
|
||||||
|
|
||||||
|
r = MINIMUM(key_len, SHA1_DIGEST_LENGTH);
|
||||||
|
memcpy(key, obuf, r);
|
||||||
|
key += r;
|
||||||
|
key_len -= r;
|
||||||
|
};
|
||||||
|
explicit_bzero(asalt, salt_len + 4);
|
||||||
|
free(asalt);
|
||||||
|
explicit_bzero(d1, sizeof(d1));
|
||||||
|
explicit_bzero(d2, sizeof(d2));
|
||||||
|
explicit_bzero(obuf, sizeof(obuf));
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
bad:
|
||||||
|
/* overwrite with random in case caller doesn't check return code */
|
||||||
|
//arc4random_buf(key, key_len);
|
||||||
|
return -1;
|
||||||
|
}
|
|
@ -0,0 +1,15 @@
|
||||||
|
#ifndef PKCS5_PBKDF2_H
|
||||||
|
#define PKCS5_PBKDF2_H
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
#define PBKDF2_KEY_SIZE_SHA1 (20)
|
||||||
|
#define PBKDF2_SALT_LEN (16)
|
||||||
|
#define PBKDF2_DEFAULT_ROUNDS (5000)
|
||||||
|
|
||||||
|
int
|
||||||
|
pkcs5_pbkdf2(const char *pass, size_t pass_len, const uint8_t *salt,
|
||||||
|
size_t salt_len, uint8_t *key, size_t key_len, unsigned int rounds);
|
||||||
|
|
||||||
|
#endif /* ! PKCS5_PBKDF2_H */
|
|
@ -1,6 +1,7 @@
|
||||||
/* TestNSString+MD5SHA1.m - this file is part of SOGo
|
/* TestNSString+Crypto.m - this file is part of SOGo
|
||||||
*
|
*
|
||||||
* Copyright (C) 2011, 2012 Jeroen Dekkers
|
* Copyright (C) 2011, 2012 Jeroen Dekkers
|
||||||
|
* Copyright (C) 2020 Nicolas Höft
|
||||||
*
|
*
|
||||||
* Author: Jeroen Dekkers <jeroen@dekkers.ch>
|
* Author: Jeroen Dekkers <jeroen@dekkers.ch>
|
||||||
*
|
*
|
||||||
|
@ -85,4 +86,30 @@
|
||||||
test([blf_key isEqualToCrypted:blf_result withDefaultScheme: @"BLF-CRYPT" keyPath: nil]);
|
test([blf_key isEqualToCrypted:blf_result withDefaultScheme: @"BLF-CRYPT" keyPath: nil]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
- (void) test_pbkdf2
|
||||||
|
{
|
||||||
|
NSString *error;
|
||||||
|
// well-known comparison
|
||||||
|
NSString *pbkdf2_key = @"123456";
|
||||||
|
NSString *pbkdf2_hash = @"{PBKDF2}$1$xbhnwhLxltdS9L5M$5001$f1699047a6132383490817d6e58a5284f13339f0";
|
||||||
|
NSString *pkbf2_prefix;
|
||||||
|
NSString *pkbf2_result;
|
||||||
|
|
||||||
|
error = [NSString stringWithFormat:
|
||||||
|
@"string '%@' wrong PBKDF2: '%@'",
|
||||||
|
pbkdf2_key, pbkdf2_hash];
|
||||||
|
testWithMessage([pbkdf2_key isEqualToCrypted:pbkdf2_hash withDefaultScheme: @"CRYPT" keyPath: nil], error);
|
||||||
|
|
||||||
|
// generate a new pbkdf2-crypt key
|
||||||
|
pkbf2_prefix = @"$1$";
|
||||||
|
pkbf2_result = [pbkdf2_key asCryptedPassUsingScheme: @"PBKDF2" keyPath: nil];
|
||||||
|
|
||||||
|
error = [NSString stringWithFormat:
|
||||||
|
@"returned hash '%@' has incorrect PBKDF2 prefix: '%@'",
|
||||||
|
pkbf2_result, pkbf2_prefix];
|
||||||
|
|
||||||
|
testWithMessage([pkbf2_result hasPrefix: pkbf2_prefix], error);
|
||||||
|
test([pbkdf2_key isEqualToCrypted:pkbf2_result withDefaultScheme: @"PBKDF2" keyPath: nil]);
|
||||||
|
}
|
||||||
|
|
||||||
@end
|
@end
|
||||||
|
|
Loading…
Reference in New Issue