xcrypt 0.1.0

data/ext/libxcrypt/lib/crypt-scrypt.c

@@ -0,0 +1,247 @@
+/* Copyright (C) 2013 Alexander Peslyak
+ * Copyright (C) 2018 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "crypt-port.h"
+#include "crypt-hashes.h"
+
+#include <errno.h>
+
+#if INCLUDE_scrypt
+
+static int
+check_salt_char (char ch)
+{
+  if (ch > 'z')
+    return 0;
+  if (ch >= 'a')
+    return 1;
+  if (ch > 'Z')
+    return 0;
+  if (ch >= 'A')
+    return 1;
+  if (ch > '9')
+    return 0;
+  if (ch >= '.' || ch == '$')
+    return 1;
+  return 0;
+}
+
+static int
+verify_salt (const char *setting, size_t set_size)
+{
+  for (size_t i = 3 + 1 + 5 * 2; i < set_size; i++)
+    {
+      if (!check_salt_char (setting[i]))
+        {
+          /* Salt is terminated properly.
+             Following characters don't matter.  */
+          if (setting[i - 1] == '$')
+            break;
+
+          /* Salt has an invalid character.  */
+          return 0;
+        }
+    }
+  return 1;
+}
+
+static uint8_t *
+encode64_uint32 (uint8_t * dst, ssize_t dstlen,
+                 uint32_t src, uint32_t srcbits)
+{
+  uint32_t bit;
+
+  for (bit = 0; bit < srcbits; bit += 6)
+    {
+      if (dstlen < 1)
+        {
+          errno = ERANGE;
+          return NULL;
+        }
+      *dst++ = ascii64[src & 0x3f];
+      dstlen--;
+      src >>= 6;
+    }
+
+  *dst = '\0';
+  return dst;
+}
+
+static uint8_t *
+encode64 (uint8_t * dst, ssize_t dstlen,
+          const uint8_t * src, size_t srclen)
+{
+  size_t i;
+
+  for (i = 0; i < srclen; )
+    {
+      uint8_t * dnext;
+      uint32_t value = 0, bits = 0;
+      do
+        {
+          value |= (uint32_t) src[i++] << bits;
+          bits += 8;
+        }
+      while (bits < 24 && i < srclen);
+      dnext = encode64_uint32 (dst, dstlen, value, bits);
+      if (!dnext)
+        {
+          errno = ERANGE;
+          return NULL;
+        }
+      dstlen -= (dnext - dst);
+      dst = dnext;
+    }
+
+  *dst = '\0';
+  return dst;
+}
+
+static uint32_t
+N2log2 (uint64_t N)
+{
+  uint32_t N_log2;
+
+  if (N < 2)
+    return 0;
+
+  N_log2 = 2;
+  while (N >> N_log2 != 0)
+    N_log2++;
+  N_log2--;
+
+  if (N >> N_log2 != 1)
+    return 0;
+
+  return N_log2;
+}
+
+/*
+ * Wrapper for crypt_yescrypt_rn to compute the hash.
+ */
+void
+crypt_scrypt_rn (const char *phrase, size_t phr_size,
+                 const char *setting, size_t set_size,
+                 uint8_t *output, size_t o_size,
+                 void *scratch, size_t s_size)
+{
+  if (o_size < set_size + 1 + 43 + 1 ||
+      CRYPT_OUTPUT_SIZE < set_size + 1 + 43 + 1)
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  /* Setting is invalid.  */
+  if (strncmp (setting, "$7$", 3) || !verify_salt (setting, set_size))
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  crypt_yescrypt_rn (phrase, phr_size, setting, set_size,
+                     output, o_size, scratch, s_size);
+  return;
+}
+
+void
+gensalt_scrypt_rn (unsigned long count,
+                   const uint8_t *rbytes, size_t nrbytes,
+                   uint8_t *output, size_t o_size)
+{
+  /* Up to 512 bits (64 bytes) of entropy for computing the salt portion
+     of the MCF-setting are supported.  */
+  nrbytes = (nrbytes > 64 ? 64 : nrbytes);
+
+  if (o_size < 3 + 1 + 5 * 2 + BASE64_LEN (nrbytes) + 1 ||
+      CRYPT_GENSALT_OUTPUT_SIZE < 3 + 1 + 5 * 2 + BASE64_LEN (nrbytes) + 1)
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  if ((count > 0 && count < 6) || count > 11 || nrbytes < 16)
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  /* Temporary buffer for operation.  The buffer is guaranteed to be
+     large enough to hold the maximum size of the generated salt.  */
+  uint8_t outbuf[CRYPT_GENSALT_OUTPUT_SIZE];
+  uint8_t *out_p = outbuf + 4;
+  ssize_t out_s = CRYPT_GENSALT_OUTPUT_SIZE - (out_p - outbuf);
+
+  /* Valid cost parameters are from 6 to 11.  The default is 7.
+     Any cost parameter below 6 is not to be considered strong
+     enough anymore, because using less than 32 MiBytes of RAM
+     when computing a hash is even weaker than bcrypt ($2y$).
+     These are used to set scrypt's 'N' and 'r' parameters as
+     follows:
+     N (block count) is specified in units of r (block size,
+     adjustable in steps of 128 bytes).
+
+     128 bytes * r = size of each memory block
+
+     128 bytes * r * N = total amount of memory used for hashing
+                         in N blocks of r * 128 bytes.
+
+     The author of yescrypt recommends in the documentation to use
+     r=8 (a block size of 1 KiB) for total sizes of 2 MiB and less,
+     and r=32 (a block size of 4KiB) above that.
+     This has to do with the typical per-core last-level cache sizes
+     of current CPUs.  */
+  if (count == 0)
+    count = 7;
+
+  uint32_t p = 1;
+  uint32_t r = 32;
+  uint64_t N = 1ULL << (count + 7); // 6 -> 8192, 7 -> 16384, ... 11 -> 262144
+
+  if (out_s > (ssize_t) BASE64_LEN (30))
+    {
+      outbuf[0] = '$';
+      outbuf[1] = '7';
+      outbuf[2] = '$';
+      outbuf[3] = ascii64[N2log2 (N)];
+
+      out_p = encode64_uint32 (out_p, out_s, r, 30);
+      out_s -= (out_p - outbuf);
+    }
+
+  if (out_p && out_s > (ssize_t) BASE64_LEN (30))
+    {
+      out_p = encode64_uint32 (out_p, out_s, p, 30);
+      out_s -= (out_p - outbuf);
+    }
+
+  if (out_p && out_s > (ssize_t) BASE64_LEN (nrbytes))
+    {
+      out_p = encode64 (out_p, out_s, rbytes, nrbytes);
+    }
+
+  if (out_p)
+    {
+      strcpy_or_abort (output, o_size, outbuf);
+    }
+
+  return;
+}
+
+#endif /* INCLUDE_scrypt */

data/ext/libxcrypt/lib/crypt-sha256.c

@@ -0,0 +1,308 @@
+/* One way encryption based on the SHA256-based Unix crypt implementation.
+ *
+ * Written by Ulrich Drepper <drepper at redhat.com> in 2007 [1].
+ * Modified by Zack Weinberg <zackw at panix.com> in 2017, 2018.
+ * Composed by Björn Esser <besser82 at fedoraproject.org> in 2018.
+ * Modified by Björn Esser <besser82 at fedoraproject.org> in 2020.
+ * To the extent possible under law, the named authors have waived all
+ * copyright and related or neighboring rights to this work.
+ *
+ * See https://creativecommons.org/publicdomain/zero/1.0/ for further
+ * details.
+ *
+ * This file is a modified except from [2], lines 648 up to 909.
+ *
+ * [1]  https://www.akkadia.org/drepper/sha-crypt.html
+ * [2]  https://www.akkadia.org/drepper/SHA-crypt.txt
+ */
+
+#include "crypt-port.h"
+#include "alg-sha256.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#if INCLUDE_sha256crypt
+
+/* Define our magic string to mark salt for SHA256 "encryption"
+   replacement.  */
+static const char sha256_salt_prefix[] = "$5$";
+
+/* Prefix for optional rounds specification.  */
+static const char sha256_rounds_prefix[] = "rounds=";
+
+/* Maximum salt string length.  */
+#define SALT_LEN_MAX 16
+/* Default number of rounds if not explicitly specified.  */
+#define ROUNDS_DEFAULT 5000
+/* Minimum number of rounds.  */
+#define ROUNDS_MIN 1000
+/* Maximum number of rounds.  */
+#define ROUNDS_MAX 999999999
+
+/* The maximum possible length of a SHA256-hashed password string,
+   including the terminating NUL character.  Prefix (including its NUL)
+   + rounds tag ("rounds=$" = "rounds=\0") + strlen(ROUNDS_MAX)
+   + salt (up to SALT_LEN_MAX chars) + '$' + hash (43 chars).  */
+
+#define LENGTH_OF_NUMBER(n) (sizeof #n - 1)
+
+#define SHA256_HASH_LENGTH \
+  (sizeof (sha256_salt_prefix) + sizeof (sha256_rounds_prefix) + \
+   LENGTH_OF_NUMBER (ROUNDS_MAX) + SALT_LEN_MAX + 1 + 43)
+
+static_assert (SHA256_HASH_LENGTH <= CRYPT_OUTPUT_SIZE,
+               "CRYPT_OUTPUT_SIZE is too small for SHA256");
+
+/* A sha256_buffer holds all of the sensitive intermediate data.  */
+struct sha256_buffer
+{
+  SHA256_CTX ctx;
+  uint8_t result[32];
+  uint8_t p_bytes[32];
+  uint8_t s_bytes[32];
+};
+
+static_assert (sizeof (struct sha256_buffer) <= ALG_SPECIFIC_SIZE,
+               "ALG_SPECIFIC_SIZE is too small for SHA256");
+
+
+/* Feed CTX with LEN bytes of a virtual byte sequence consisting of
+   BLOCK repeated over and over indefinitely.  */
+static void
+SHA256_Update_recycled (SHA256_CTX *ctx,
+                        unsigned char block[32], size_t len)
+{
+  size_t cnt;
+  for (cnt = len; cnt >= 32; cnt -= 32)
+    SHA256_Update (ctx, block, 32);
+  SHA256_Update (ctx, block, cnt);
+}
+
+void
+crypt_sha256crypt_rn (const char *phrase, size_t phr_size,
+                      const char *setting, size_t ARG_UNUSED (set_size),
+                      uint8_t *output, size_t out_size,
+                      void *scratch, size_t scr_size)
+{
+  /* This shouldn't ever happen, but...  */
+  if (out_size < SHA256_HASH_LENGTH
+      || scr_size < sizeof (struct sha256_buffer))
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  struct sha256_buffer *buf = scratch;
+  SHA256_CTX *ctx = &buf->ctx;
+  uint8_t *result = buf->result;
+  uint8_t *p_bytes = buf->p_bytes;
+  uint8_t *s_bytes = buf->s_bytes;
+  char *cp = (char *)output;
+  const char *salt = setting;
+
+  size_t salt_size;
+  size_t cnt;
+  /* Default number of rounds.  */
+  size_t rounds = ROUNDS_DEFAULT;
+  bool rounds_custom = false;
+
+  /* Find beginning of salt string.  The prefix should normally always
+     be present.  Just in case it is not.  */
+  if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
+    /* Skip salt prefix.  */
+    salt += sizeof (sha256_salt_prefix) - 1;
+
+  if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
+      == 0)
+    {
+      const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
+      /* Do not allow an explicit setting of zero rounds, nor of the
+         default number of rounds, nor leading zeroes on the rounds.  */
+      if (!(*num >= '1' && *num <= '9'))
+        {
+          errno = EINVAL;
+          return;
+        }
+
+      errno = 0;
+      char *endp;
+      rounds = strtoul (num, &endp, 10);
+      if (endp == num || *endp != '$'
+          || rounds < ROUNDS_MIN
+          || rounds > ROUNDS_MAX
+          || errno)
+        {
+          errno = EINVAL;
+          return;
+        }
+      salt = endp + 1;
+      rounds_custom = true;
+    }
+
+  /* The salt ends at the next '$' or the end of the string.
+     Ensure ':' does not appear in the salt (it is used as a separator in /etc/passwd).
+     Also check for '\n', as in /etc/passwd the whole parameters of the user data must
+     be on a single line. */
+  salt_size = strcspn (salt, "$:\n");
+  if (!(salt[salt_size] == '$' || !salt[salt_size]))
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  /* Ensure we do not use more salt than SALT_LEN_MAX. */
+  if (salt_size > SALT_LEN_MAX)
+    salt_size = SALT_LEN_MAX;
+
+  /* Compute alternate SHA256 sum with input PHRASE, SALT, and PHRASE.  The
+     final result will be added to the first context.  */
+  SHA256_Init (ctx);
+
+  /* Add phrase.  */
+  SHA256_Update (ctx, phrase, phr_size);
+
+  /* Add salt.  */
+  SHA256_Update (ctx, salt, salt_size);
+
+  /* Add phrase again.  */
+  SHA256_Update (ctx, phrase, phr_size);
+
+  /* Now get result of this (32 bytes).  */
+  SHA256_Final (result, ctx);
+
+  /* Prepare for the real work.  */
+  SHA256_Init (ctx);
+
+  /* Add the phrase string.  */
+  SHA256_Update (ctx, phrase, phr_size);
+
+  /* The last part is the salt string.  This must be at most 8
+     characters and it ends at the first `$' character (for
+     compatibility with existing implementations).  */
+  SHA256_Update (ctx, salt, salt_size);
+
+  /* Add for any character in the phrase one byte of the alternate sum.  */
+  for (cnt = phr_size; cnt > 32; cnt -= 32)
+    SHA256_Update (ctx, result, 32);
+  SHA256_Update (ctx, result, cnt);
+
+  /* Take the binary representation of the length of the phrase and for every
+     1 add the alternate sum, for every 0 the phrase.  */
+  for (cnt = phr_size; cnt > 0; cnt >>= 1)
+    if ((cnt & 1) != 0)
+      SHA256_Update (ctx, result, 32);
+    else
+      SHA256_Update (ctx, phrase, phr_size);
+
+  /* Create intermediate result.  */
+  SHA256_Final (result, ctx);
+
+  /* Start computation of P byte sequence.  */
+  SHA256_Init (ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < phr_size; ++cnt)
+    SHA256_Update (ctx, phrase, phr_size);
+
+  /* Finish the digest.  */
+  SHA256_Final (p_bytes, ctx);
+
+  /* Start computation of S byte sequence.  */
+  SHA256_Init (ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < (size_t) 16 + (size_t) result[0]; ++cnt)
+    SHA256_Update (ctx, salt, salt_size);
+
+  /* Finish the digest.  */
+  SHA256_Final (s_bytes, ctx);
+
+  /* Repeatedly run the collected hash value through SHA256 to burn
+     CPU cycles.  */
+  for (cnt = 0; cnt < rounds; ++cnt)
+    {
+      /* New context.  */
+      SHA256_Init (ctx);
+
+      /* Add phrase or last result.  */
+      if ((cnt & 1) != 0)
+        SHA256_Update_recycled (ctx, p_bytes, phr_size);
+      else
+        SHA256_Update (ctx, result, 32);
+
+      /* Add salt for numbers not divisible by 3.  */
+      if (cnt % 3 != 0)
+        SHA256_Update_recycled (ctx, s_bytes, salt_size);
+
+      /* Add phrase for numbers not divisible by 7.  */
+      if (cnt % 7 != 0)
+        SHA256_Update_recycled (ctx, p_bytes, phr_size);
+
+      /* Add phrase or last result.  */
+      if ((cnt & 1) != 0)
+        SHA256_Update (ctx, result, 32);
+      else
+        SHA256_Update_recycled (ctx, p_bytes, phr_size);
+
+      /* Create intermediate result.  */
+      SHA256_Final (result, ctx);
+    }
+
+  /* Now we can construct the result string.  It consists of four
+     parts, one of which is optional.  We already know that there
+     is sufficient space at CP for the longest possible result string.  */
+  memcpy (cp, sha256_salt_prefix, sizeof (sha256_salt_prefix) - 1);
+  cp += sizeof (sha256_salt_prefix) - 1;
+
+  if (rounds_custom)
+    {
+      int n = snprintf (cp,
+                        SHA256_HASH_LENGTH - (sizeof (sha256_salt_prefix) - 1),
+                        "%s%zu$", sha256_rounds_prefix, rounds);
+      cp += n;
+    }
+
+  memcpy (cp, salt, salt_size);
+  cp += salt_size;
+  *cp++ = '$';
+
+#define b64_from_24bit(B2, B1, B0, N)                   \
+  do {                                                  \
+    unsigned int w = ((((unsigned int)(B2)) << 16) |    \
+                      (((unsigned int)(B1)) << 8) |     \
+                      ((unsigned int)(B0)));            \
+    int n = (N);                                        \
+    while (n-- > 0)                                     \
+      {                                                 \
+        *cp++ = b64t[w & 0x3f];                         \
+        w >>= 6;                                        \
+      }                                                 \
+  } while (0)
+
+  b64_from_24bit (result[0], result[10], result[20], 4);
+  b64_from_24bit (result[21], result[1], result[11], 4);
+  b64_from_24bit (result[12], result[22], result[2], 4);
+  b64_from_24bit (result[3], result[13], result[23], 4);
+  b64_from_24bit (result[24], result[4], result[14], 4);
+  b64_from_24bit (result[15], result[25], result[5], 4);
+  b64_from_24bit (result[6], result[16], result[26], 4);
+  b64_from_24bit (result[27], result[7], result[17], 4);
+  b64_from_24bit (result[18], result[28], result[8], 4);
+  b64_from_24bit (result[9], result[19], result[29], 4);
+  b64_from_24bit (0, result[31], result[30], 3);
+
+  *cp = '\0';
+}
+
+void
+gensalt_sha256crypt_rn (unsigned long count,
+                        const uint8_t *rbytes, size_t nrbytes,
+                        uint8_t *output, size_t output_size)
+{
+  gensalt_sha_rn ("5", SALT_LEN_MAX, ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX,
+                  count, rbytes, nrbytes, output, output_size);
+}
+
+#endif