/*
 * Copyright (c) 2004, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the copyright holders nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "crypt-port.h"
#include "crypt-private.h"
#include "alg-hmac-sha1.h"
#include "byteorder.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#if INCLUDE_sha1

/*
 * The default iterations - should take >0s on a fast CPU
 * but not be insane for a slow CPU.
 */
#ifndef CRYPT_SHA1_ITERATIONS
# define CRYPT_SHA1_ITERATIONS 262144
#endif
/*
 * Support a reasonably? long salt.
 */
#ifndef CRYPT_SHA1_SALT_LENGTH
# define CRYPT_SHA1_SALT_LENGTH 64
#endif

#define SHA1_SIZE 20         /* size of raw SHA1 digest, 160 bits */
#define SHA1_OUTPUT_SIZE 28  /* size of base64-ed output string */

static const uint8_t itoa64[] =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static inline void
to64 (uint8_t *s, unsigned long v, int n)
{
  while (--n >= 0)
    {
      *s++ = itoa64[v & 0x3f];
      v >>= 6;
    }
}

/*
 * UNIX password using hmac_sha1
 * This is PBKDF1 from RFC 2898, but using hmac_sha1.
 *
 * The format of the encrypted password is:
 * $<tag>$<iterations>$<salt>$<digest>
 *
 * where:
 * 	<tag>		is "sha1"
 *	<iterations>	is an unsigned int identifying how many rounds
 * 			have been applied to <digest>.  The number
 * 			should vary slightly for each password to make
 * 			it harder to generate a dictionary of
 * 			pre-computed hashes.  See gensalt_sha1_rn.
 * 	<salt>		up to 64 bytes of random data, 8 bytes is
 * 			currently considered more than enough.
 *	<digest>	the hashed password.
 *
 * NOTE:
 * To be FIPS 140 compliant, the password which is used as a hmac key,
 * should be between 10 and 20 characters to provide at least 80bits
 * strength, and avoid the need to hash it before using as the
 * hmac key.
 */
void
crypt_sha1_rn (const char *phrase, size_t phr_size,
               const char *setting, size_t ARG_UNUSED (set_size),
               uint8_t *output, size_t out_size,
               void *scratch, size_t scr_size)
{
  static const char *magic = "$sha1$";

  if ((out_size < (strlen (magic) + 2 + 10 + CRYPT_SHA1_SALT_LENGTH +
                   SHA1_OUTPUT_SIZE)) ||
      scr_size < SHA1_SIZE)
    {
      errno = ERANGE;
      return;
    }

  const char *sp;
  uint8_t *ep;
  unsigned long ul;
  size_t sl;
  size_t pl = phr_size;
  int dl;
  unsigned long iterations;
  unsigned long i;
  /* XXX silence -Wpointer-sign (would be nice to fix this some other way) */
  const uint8_t *pwu = (const uint8_t *)phrase;
  uint8_t *hmac_buf = scratch;

  /*
   * Salt format is
   * $<tag>$<iterations>$salt[$]
   */

  /* If the string doesn't starts with the magic prefix, we shouldn't have been called */
  if (strncmp (setting, magic, strlen (magic)))
    {
      errno = EINVAL;
      return;
    }

  setting += strlen (magic);
  /* get the iteration count */
  iterations = (unsigned long)strtoul (setting, (char **)&ep, 10);
  if (*ep != '$')
    {
      errno = EINVAL;
      return;  /* invalid input */
    }
  setting = (char *)ep + 1;  /* skip over the '$' */

  /* The next 1..CRYPT_SHA1_SALT_LENGTH bytes should be itoa64 characters,
     followed by another '$' (or end of string).  */
  sp = setting + strspn (setting, (const char *)itoa64);
  if (sp == setting || (*sp && *sp != '$'))
    {
      errno = EINVAL;
      return;
    }

  sl = (size_t)(sp - setting);

  /*
   * Now get to work...
   * Prime the pump with <salt><magic><iterations>
   */
  dl = snprintf ((char *)output, out_size, "%.*s%s%lu",
                 (int)sl, setting, magic, iterations);
  /*
   * Then hmac using <phrase> as key, and repeat...
   */
  hmac_sha1_process_data ((const unsigned char *)output, (size_t)dl,
                          pwu, pl, hmac_buf);
  for (i = 1; i < iterations; ++i)
    {
      hmac_sha1_process_data (hmac_buf, SHA1_SIZE, pwu, pl, hmac_buf);
    }
  /* Now output... */
  pl = (size_t)snprintf ((char *)output, out_size, "%s%lu$%.*s$",
                         magic, iterations, (int)sl, setting);
  ep = output + pl;

  /* Every 3 bytes of hash gives 24 bits which is 4 base64 chars */
  for (i = 0; i < SHA1_SIZE - 3; i += 3)
    {
      ul = (unsigned long)((hmac_buf[i+0] << 16) |
                           (hmac_buf[i+1] << 8) |
                           hmac_buf[i+2]);
      to64 (ep, ul, 4);
      ep += 4;
    }
  /* Only 2 bytes left, so we pad with byte0 */
  ul = (unsigned long)((hmac_buf[SHA1_SIZE - 2] << 16) |
                       (hmac_buf[SHA1_SIZE - 1] << 8) |
                       hmac_buf[0]);
  to64 (ep, ul, 4);
  ep += 4;
  *ep = '\0';

  /* Don't leave anything around in vm they could use. */
  XCRYPT_SECURE_MEMSET (scratch, scr_size);
}

/* Modified excerpt from:
   http://cvsweb.netbsd.org/bsdweb.cgi/~checkout~/src/lib/libcrypt/pw_gensalt.c */
void
gensalt_sha1_rn (unsigned long count,
                 const uint8_t *rbytes, size_t nrbytes,
                 uint8_t *output, size_t o_size)
{
  static_assert (sizeof (uint32_t) == 4,
                 "space calculations below assume 8-bit bytes");

  /* Make sure we have enough random bytes to use for the salt.
     The format supports using up to 48 random bytes, but 12 is
     enough.  We require another 4 bytes of randomness to perturb
     'count' with.  */
  if (nrbytes < 12 + 4)
    {
      errno = EINVAL;
      return;
    }

  /* Make sure we have enough output space, given the amount of
     randomness available.  $sha1$<10digits>$<(nrbytes-4)*4/3>$ */
  if (o_size < (nrbytes - 4) * 4 / 3 + sizeof "$sha1$$$" + 10)
    {
      errno = ERANGE;
      return;
    }

  /*
   * We treat 'count' as a hint.
   * Make it harder for someone to pre-compute hashes for a
   * dictionary attack by not using the same iteration count for
   * every entry.
   */
  uint32_t rounds, random = le32_to_cpu (rbytes);

  if (count == 0)
    count = CRYPT_SHA1_ITERATIONS;
  if (count > UINT32_MAX)
    count = UINT32_MAX;
  rounds = (uint32_t) (count - (random % (count / 4)));

  uint32_t encbuf;
  int n = snprintf((char *)output, o_size, "$sha1$%u$", (unsigned int)rounds);
  assert (n >= 1 && (size_t)n + 2 < o_size);

  const uint8_t *r = rbytes + 4;
  const uint8_t *rlim = rbytes + nrbytes;
  uint8_t *o = output + n;
  uint8_t *olim = output + n + CRYPT_SHA1_SALT_LENGTH;
  if (olim + 2 > output + o_size)
    olim = output + o_size - 2;

  for (; r + 3 < rlim && o + 4 < olim; r += 3, o += 4)
    {
      encbuf = ((((uint32_t)r[0]) << 16) |
                (((uint32_t)r[1]) <<  8) |
                (((uint32_t)r[2]) <<  0));
      to64 (o, encbuf, 4);
    }

  o[0] = '$';
  o[1] = '\0';
}

#endif