1 /* $NetBSD: pwhash.c,v 1.16 2019/10/21 02:36:48 jhigh Exp $ */
2 /* $OpenBSD: encrypt.c,v 1.16 2002/02/16 21:27:45 millert Exp $ */
3
4 /*
5 * Copyright (c) 1996, Jason Downs. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
17 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
20 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
23 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28 #include <sys/cdefs.h>
29
30 #ifndef lint
31 __RCSID("$NetBSD: pwhash.c,v 1.16 2019/10/21 02:36:48 jhigh Exp $");
32 #endif
33
34 #include <sys/types.h>
35 #include <ctype.h>
36 #include <err.h>
37 #include <errno.h>
38 #include <pwd.h>
39 #include <stdio.h>
40 #include <stdlib.h>
41 #include <string.h>
42 #include <unistd.h>
43 #include <limits.h>
44 #include <login_cap.h>
45 #include <util.h>
46
47 /*
48 * Very simple little program, for encrypting passwords from the command
49 * line. Useful for scripts and such.
50 */
51
52 #define DO_MAKEKEY 0
53 #define DO_DES 1
54 #define DO_MD5 2
55 #define DO_BLF 3
56 #define DO_SHA1 4
57
58 #ifdef HAVE_ARGON2
59 #define DO_ARGON2 5
60 /*
61 * Argon2 variant may be specified in /etc/passwd.conf
62 * If not found, default to ARGON2_DEFAULT_VARIANT_STR
63 * acceptable values are: argon2i, argon2d, argon2id
64 */
65 #define ARGON2_DEFAULT_VARIANT_STR "argon2id"
66 #endif /* HAVE_ARGON2 */
67
68 __dead static void
usage(void)69 usage(void)
70 {
71
72 (void)fprintf(stderr,
73 #ifdef HAVE_ARGON2
74 "Usage: %s [-km] [-A variant[,params]] [-b rounds] [-S rounds] [-s salt] [-p | string]\n",
75 #else
76 "Usage: %s [-km] [-b rounds] [-S rounds] [-s salt] [-p | string]\n",
77 #endif /* HAVE_ARGON2 */
78 getprogname());
79 exit(1);
80 }
81
82 static char *
trim(char * line)83 trim(char *line)
84 {
85 char *ptr;
86
87 for (ptr = &line[strlen(line) - 1]; ptr > line; ptr--) {
88 if (!isspace((unsigned char)*ptr))
89 break;
90 }
91 ptr[1] = '\0';
92
93 for (ptr = line; *ptr && isspace((unsigned char)*ptr); ptr++)
94 continue;
95
96 return ptr;
97 }
98
99 static void
print_passwd(char * string,int operation,const char * extra)100 print_passwd(char *string, int operation, const char *extra)
101 {
102 char buf[_PASSWORD_LEN];
103 char option[LINE_MAX], *key, *opt;
104 int error = 0;
105 const char *salt = buf;
106
107 switch(operation) {
108 case DO_MAKEKEY:
109 /*
110 * makekey mode: parse string into separate DES key and salt.
111 */
112 if (strlen(string) != 10) {
113 /* To be compatible... */
114 error = EFTYPE;
115 break;
116 }
117 salt = &string[8];
118 break;
119
120 case DO_MD5:
121 error = pw_gensalt(buf, _PASSWORD_LEN, "md5", extra);
122 break;
123
124 case DO_SHA1:
125 error = pw_gensalt(buf, _PASSWORD_LEN, "sha1", extra);
126 break;
127
128 case DO_BLF:
129 error = pw_gensalt(buf, _PASSWORD_LEN, "blowfish", extra);
130 break;
131
132 case DO_DES:
133 salt = extra;
134 break;
135
136 #ifdef HAVE_ARGON2
137 case DO_ARGON2:
138 /* pwhash -A <variant>[,param]* */
139 /* param
140 * m=<m_cost>
141 * t=<t_cost>
142 * p=<threads>
143 */
144 snprintf(option, sizeof(option), "%s", extra);
145 opt = option;
146 key = strsep(&opt, ",");
147 error = pw_gensalt(buf, _PASSWORD_LEN, key, opt);
148 break;
149 #endif /* HAVE_ARGON2 */
150
151 default:
152 pw_getconf(option, sizeof(option), "default", "localcipher");
153 opt = option;
154 key = strsep(&opt, ",");
155 error = pw_gensalt(buf, _PASSWORD_LEN, key, opt);
156 break;
157 }
158
159 if (error)
160 err(1, "Cannot generate salt");
161
162 (void)fputs(crypt(string, salt), stdout);
163 }
164
165 int
main(int argc,char ** argv)166 main(int argc, char **argv)
167 {
168 int opt;
169 int operation = -1;
170 int prompt = 0;
171 const char *extra = NULL; /* Store salt or number of rounds */
172
173 setprogname(argv[0]);
174
175 if (strcmp(getprogname(), "makekey") == 0)
176 operation = DO_MAKEKEY;
177
178 #ifdef HAVE_ARGON2
179 while ((opt = getopt(argc, argv, "kmpS:s:b:A:")) != -1) {
180 #else
181 while ((opt = getopt(argc, argv, "kmpS:s:b:")) != -1) {
182 #endif /* HAVE_ARGON2 */
183 switch (opt) {
184 case 'k': /* Stdin/Stdout Unix crypt */
185 if (operation != -1 || prompt)
186 usage();
187 operation = DO_MAKEKEY;
188 break;
189
190 case 'm': /* MD5 password hash */
191 if (operation != -1)
192 usage();
193 operation = DO_MD5;
194 extra = NULL;
195 break;
196
197 case 'p':
198 if (operation == DO_MAKEKEY)
199 usage();
200 prompt = 1;
201 break;
202
203 case 'S': /* SHA1 password hash */
204 if (operation != -1)
205 usage();
206 operation = DO_SHA1;
207 extra = optarg;
208 break;
209
210 case 's': /* Unix crypt (DES) */
211 if (operation != -1 || optarg[0] == '$')
212 usage();
213 operation = DO_DES;
214 extra = optarg;
215 break;
216
217 case 'b': /* Blowfish password hash */
218 if (operation != -1)
219 usage();
220 operation = DO_BLF;
221 extra = optarg;
222 break;
223
224 #ifdef HAVE_ARGON2
225 case 'A': /* Argon2 password hash */
226 if (operation != -1)
227 usage();
228 operation = DO_ARGON2;
229 extra = optarg;
230 break;
231 #endif /* HAVE_ARGON2 */
232
233 default:
234 usage();
235 }
236 }
237
238 if (((argc - optind) < 1) || operation == DO_MAKEKEY) {
239 char line[LINE_MAX], *string;
240
241 if (prompt) {
242 string = getpass("Enter string: ");
243 print_passwd(string, operation, extra);
244 (void)fputc('\n', stdout);
245 } else {
246 /* Encrypt stdin to stdout. */
247 while (!feof(stdin) &&
248 (fgets(line, sizeof(line), stdin) != NULL)) {
249 /* Kill the whitesapce. */
250 string = trim(line);
251 if (*string == '\0')
252 continue;
253
254 print_passwd(string, operation, extra);
255
256 if (operation == DO_MAKEKEY) {
257 (void)fflush(stdout);
258 break;
259 }
260 (void)fputc('\n', stdout);
261 }
262 }
263 } else {
264 char *string;
265
266 /* can't combine -p with a supplied string */
267 if (prompt)
268 usage();
269
270 /* Perhaps it isn't worth worrying about, but... */
271 if ((string = strdup(argv[optind])) == NULL)
272 err(1, NULL);
273 /* Wipe the argument. */
274 (void)memset(argv[optind], 0, strlen(argv[optind]));
275
276 print_passwd(string, operation, extra);
277
278 (void)fputc('\n', stdout);
279
280 /* Wipe our copy, before we free it. */
281 (void)memset(string, 0, strlen(string));
282 free(string);
283 }
284 return 0;
285 }
286