Subject: Adding sha1 hashed passwords
To: None <firstname.lastname@example.org>
From: Simon J. Gerraty <email@example.com>
Date: 05/29/2004 00:47:50
I'm adding support for crypt_sha1()
I've some questions before posting patches...
A sha1 hashed passwd looks like:
<iterations> is the number of times hmac_sha1 is applied to the
salt using the password as key. The value can be controlled via
<salt> can be up to 64 random bytes, but pwd_gensalt only uses 8.
<digest> is the final hmac result. The actual algoritm used is
essentially PBKDF1 from RFC 2898 (though using hmac_sha1 rather than
SHA1 directly), and reflects suggestions from several developers.
I notice that libcrypt uses __md5crypt() rather than the name
crypt_md5() used in FreeBSD (where I presume the routine originated).
I'm wondering if there's a reason to change the name of crypt_sha1 to
__sha1crypt for NetBSD or wether the current name is ok.
I extracted the static to64 from md5crypt.c and put it in its
own .c file as crypt_to64 and it is now used by __md5crypt, crypt_sha1
and pwd_gensalt. Again, is there a reason the name should be
Also, should hmac_sha1 be added to libcrypt or libc (or both?)
I've currently added it to both - to make my testing easier.
FWIW the hmac implementation is very simple - based on RFC 2104 and
includes unit tests for hmac_sha1 and hmac_md5.
Finally, does adding crypt_sha1 require bumping the version of