xcrypt 0.1.0

data/ext/libxcrypt/lib/libcrypt.map.in

@@ -0,0 +1,48 @@
+# This file is processed by gen-libcrypt-map to produce the versions
+# map file for libxcrypt.
+# symbol default_version compat_version [compat_version ...]
+
+# Actively supported POSIX interfaces; in GNU libc since 2.0
+crypt			XCRYPT_2.0	GLIBC_2.0
+crypt_r			XCRYPT_2.0	GLIBC_2.0
+
+# Actively supported Openwall extensions; never actually added to
+# upstream GNU libc, but present in at least Openwall, ALT, and SUSE
+# Linux distributions with one or more of these symbol versions
+crypt_rn		XCRYPT_2.0	GLIBC_2.0:owl:suse	GLIBC_2.2.1:alt
+crypt_gensalt		XCRYPT_2.0	GLIBC_2.0:owl:suse	GLIBC_2.2.1:alt     OW_CRYPT_1.0:suse
+crypt_gensalt_rn	XCRYPT_2.0	GLIBC_2.0:owl:suse	GLIBC_2.2.1:alt     OW_CRYPT_1.0:suse
+
+crypt_ra		XCRYPT_2.0	GLIBC_2.0:owl:suse	GLIBC_2.2.2:alt
+crypt_gensalt_ra	XCRYPT_2.0	GLIBC_2.0:owl:suse	GLIBC_2.2.2:alt     OW_CRYPT_1.0:suse
+
+# Actively supported interfaces from libxcrypt.
+crypt_checksalt		XCRYPT_4.3
+crypt_preferred_method	XCRYPT_4.4
+
+# Interfaces for code compatibility with libxcrypt v3.1.1 and earlier.
+# No longer available to new binaries.  Include in version-script, only
+# if one of the compatibility interfaces is enabled.
+crypt_gensalt_r		-		XCRYPT_2.0:alt:glibc:owl:suse:yes
+xcrypt			-		XCRYPT_2.0:alt:glibc:owl:suse:yes
+xcrypt_r		-		XCRYPT_2.0:alt:glibc:owl:suse:yes
+xcrypt_gensalt		-		XCRYPT_2.0:alt:glibc:owl:suse:yes
+xcrypt_gensalt_r	-		XCRYPT_2.0:alt:glibc:owl:suse:yes
+
+# Deprecated interfaces, POSIX and otherwise; also present in GNU libc
+# since 2.0
+encrypt			-		GLIBC_2.0
+encrypt_r		-		GLIBC_2.0
+setkey			-		GLIBC_2.0
+setkey_r		-		GLIBC_2.0
+fcrypt			-		GLIBC_2.0
+
+# This determines the ordering of the version chain.  Each symbol
+# version that appears above must also appear in this list, and to
+# simplify gen-libcrypt-map, so must all of the versions listed in
+# libcrypt.minver.  The ordering is left to right, top to bottom.
+%chain GLIBC_2.0 GLIBC_2.2 GLIBC_2.2.1 GLIBC_2.2.2 GLIBC_2.2.5 GLIBC_2.2.6
+%chain GLIBC_2.3 GLIBC_2.4 GLIBC_2.12 GLIBC_2.16 GLIBC_2.17 GLIBC_2.18
+%chain GLIBC_2.21 GLIBC_2.27 GLIBC_2.29 GLIBC_2.32 GLIBC_2.33 GLIBC_2.35
+%chain GLIBC_2.36 GLIBC_2.38
+%chain OW_CRYPT_1.0 XCRYPT_2.0 XCRYPT_4.3 XCRYPT_4.4

data/ext/libxcrypt/lib/libcrypt.minver

@@ -0,0 +1,97 @@
+# This file defines the minimum symbol version number used by the
+# system-provided libcrypt, for each CPU and OS where libxcrypt can be
+# binary backward compatible with it.  See also lib/libcrypt.map.in,
+# build-aux/scripts/compute-symver-floor, and
+# build-aux/scripts/gen-libcrypt-map.
+#
+# Lines in this file that start with '#' are comments; # is not
+# otherwise significant.  Blank lines are ignored.  All other lines
+# must have three or four columns: VERSION, SYSTEM, CPU_FAMILY,
+# and PREPROCESSOR_CHECK, in that order.
+#
+# VERSION is the minimum symbol version to use on hosts where SYSTEM
+# and CPU_FAMILY match autoconf's $host_os and $host_cpu values,
+# respectively, when interpreted as (Perl) regexes.  There is an implicit
+# ^ at the beginning of each regex (that is, they must match starting
+# at the beginning of the string) but there is no implicit $ at the end
+# (that is, they do not have to match the entire string).  Use '.'
+# to accept any string.
+#
+# If there is anything more on the line after the CPU_FAMILY field,
+# all of it is taken as a preprocessor #if expression which must be
+# true for this line's version number to be used.  The macros defined
+# in <limits.h> are available to this expression.  This mechanism is
+# for subarchitectures that do not change $host_cpu, e.g. x32 (I wish
+# they wouldn't do that...)
+#
+# The symbol version XCRYPT_2.0 is special; if this file selects that
+# version as the minimum for some platform, configure will
+# automatically switch into --disable-obsolete-api mode.  This is used
+# for platforms where either we have not yet implemented binary
+# backward compatibility with the system-provided libcrypt, or we know
+# there is no system-provided libcrypt to be compatible with.
+#
+# The symbol version ERROR is special; if this file selects that
+# version as the minimum for some platform, configuration will fail.
+# This is used for platforms where we know we ought to support
+# backward binary compatibility and the library shouldn't be allowed
+# to be used until someone's set this up properly.
+#
+# More specific regexes must be sorted below less specific ones, and
+# empty PREPROCESSOR_CHECK must be sorted below non-empty.  If neither
+# constraint applies, sort entries in descending order of symbol
+# version within one SYSTEM, and in alphabetical order of CPU_FAMILY
+# within each symbol version.
+#
+# Future cleanup: the ERROR lines for 'gnu*', 'kfreebsd*gnu*', and
+# 'linux*gnu*' can be removed once GNU libc stops shipping libcrypt.
+# It will be correct to use XCRYPT_2.0 as the minimum symbol version
+# for any platform added to glibc after that release.
+
+#VERSION     SYSTEM          CPU_FAMILY    PREPROCESSOR_CHECK
+
+# GNU Hurd
+GLIBC_2.38   gnu             x86_64
+GLIBC_2.2.6  gnu             i[3-9]86
+ERROR        gnu             .
+
+# FreeBSD kernel with GNU libc
+GLIBC_2.3    kfreebsd.*gnu   x86_64        !(defined __x86_64__ && ULONG_MAX == UINT_MAX) /* not x32 */
+GLIBC_2.3    kfreebsd.*gnu   i[3-9]86
+ERROR        kfreebsd.*gnu   .
+
+# Linux with GNU libc
+GLIBC_2.36   linux.*gnu      loongarch64   __WORDSIZE == 64 && ULONG_MAX != UINT_MAX /* lp64* ABI */
+GLIBC_2.35   linux.*gnu      or1k
+GLIBC_2.33   linux.*gnu      riscv32
+GLIBC_2.32   linux.*gnu      arc
+GLIBC_2.29   linux.*gnu      csky
+GLIBC_2.27   linux.*gnu      riscv64
+GLIBC_2.21   linux.*gnu      nios2
+GLIBC_2.18   linux.*gnu      microblaze
+GLIBC_2.17   linux.*gnu      aarch64
+GLIBC_2.17   linux.*gnu      powerpc64le
+GLIBC_2.16   linux.*gnu      x86_64        defined __x86_64__ && ULONG_MAX == UINT_MAX /* x32 */
+GLIBC_2.12   linux.*gnu      tilegx
+GLIBC_2.12   linux.*gnu      tilepro
+GLIBC_2.4    linux.*gnu      arm
+GLIBC_2.4    linux.*gnu      m68k          defined __mcoldfire__
+GLIBC_2.3    linux.*gnu      powerpc64
+GLIBC_2.2.5  linux.*gnu      x86_64        defined __x86_64__ && ULONG_MAX != UINT_MAX /* 64 */
+GLIBC_2.2    linux.*gnu      s390x
+GLIBC_2.0    linux.*gnu      alpha
+GLIBC_2.0    linux.*gnu      e2k
+GLIBC_2.0    linux.*gnu      hppa
+GLIBC_2.0    linux.*gnu      i[3-9]86
+GLIBC_2.0    linux.*gnu      ia64
+GLIBC_2.0    linux.*gnu      m68k
+GLIBC_2.0    linux.*gnu      mips
+GLIBC_2.0    linux.*gnu      powerpc
+GLIBC_2.0    linux.*gnu      s390
+GLIBC_2.0    linux.*gnu      sh
+GLIBC_2.0    linux.*gnu      sparc
+GLIBC_2.0    linux.*gnu      x86_64
+ERROR        linux.*gnu      .
+
+# Other systems.
+XCRYPT_2.0   .               .

data/ext/libxcrypt/lib/libxcrypt.pc.in

@@ -0,0 +1,15 @@
+#############################################
+#####   Pkg-Config file for libxcrypt   #####
+#############################################
+
+prefix=@prefix@
+exec_prefix=${prefix}
+
+libdir=@libdir@
+includedir=@includedir@
+
+Name: @PACKAGE@
+Version: @VERSION@
+Description: Extended crypt library for DES, MD5, Blowfish and others
+Libs: -L${libdir} -lcrypt
+Cflags: -I${includedir}

data/ext/libxcrypt/lib/util-base64.c

@@ -0,0 +1,26 @@
+/* Copyright (C) 2018-2021 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Base64-related utility functions and data.  */
+
+#include "crypt-port.h"
+
+const unsigned char ascii64[65] =
+  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+/* 0000000000111111111122222222223333333333444444444455555555556666 */
+/* 0123456789012345678901234567890123456789012345678901234567890123 */

data/ext/libxcrypt/lib/util-gensalt-sha.c

@@ -0,0 +1,88 @@
+/*
+ * Written by Solar Designer and placed in the public domain.
+ * See crypt-bcrypt.c for more information.
+ *
+ * This file contains setting-string generation code shared among the
+ * MD5, SHA256, and SHA512 hash algorithms, which use very similar
+ * setting formats.  Setting-string generation for bcrypt and DES is
+ * entirely in crypt-bcrypt.c and crypt-des.c respectively.
+ */
+
+#include "crypt-port.h"
+
+#include <errno.h>
+#include <stdio.h>
+
+#if INCLUDE_md5crypt || INCLUDE_sha256crypt || INCLUDE_sha512crypt || INCLUDE_sm3crypt
+
+void
+gensalt_sha_rn (const char *tag, size_t maxsalt, unsigned long defcount,
+                unsigned long mincount, unsigned long maxcount,
+                unsigned long count,
+                const uint8_t *rbytes, size_t nrbytes,
+                uint8_t *output, size_t output_size)
+{
+  /* We will use more rbytes if available, but at least this much is
+     required.  */
+  if (nrbytes < 3)
+    {
+      errno = EINVAL;
+      return;
+    }
+
+  if (count == 0)
+    count = defcount;
+  if (count < mincount)
+    count = mincount;
+  if (count > maxcount)
+    count = maxcount;
+
+  /* Compute how much space we need.  */
+  size_t output_len = 8; /* $x$ssss\0 */
+  if (count != defcount)
+    {
+      output_len += 9; /* rounds=1$ */
+      for (unsigned long ceiling = 10; ceiling < count; ceiling *= 10)
+        output_len += 1;
+    }
+  if (output_size < output_len)
+    {
+      errno = ERANGE;
+      return;
+    }
+
+  size_t written;
+  if (count == defcount)
+    {
+      written = (size_t) snprintf ((char *)output, output_size, "$%s$", tag);
+    }
+  else
+    written = (size_t) snprintf ((char *)output, output_size,
+                                 "$%s$rounds=%lu$", tag, count);
+
+  /* The length calculation above should ensure that this is always true.  */
+  assert (written + 5 < output_size);
+
+  size_t used_rbytes = 0;
+  while (written + 5 < output_size &&
+         used_rbytes + 3 < nrbytes &&
+         (used_rbytes * 4 / 3) < maxsalt)
+    {
+      unsigned long value =
+        ((unsigned long) (unsigned char) rbytes[used_rbytes + 0] <<  0) |
+        ((unsigned long) (unsigned char) rbytes[used_rbytes + 1] <<  8) |
+        ((unsigned long) (unsigned char) rbytes[used_rbytes + 2] << 16);
+
+      output[written + 0] = ascii64[value & 0x3f];
+      output[written + 1] = ascii64[(value >> 6) & 0x3f];
+      output[written + 2] = ascii64[(value >> 12) & 0x3f];
+      output[written + 3] = ascii64[(value >> 18) & 0x3f];
+
+      written += 4;
+      used_rbytes += 3;
+    }
+
+  output[written] = '\0';
+}
+
+#endif

data/ext/libxcrypt/lib/util-get-random-bytes.c

@@ -0,0 +1,154 @@
+/* Retrieval of cryptographically random bytes from the operating system.
+ *
+ * Written by Zack Weinberg <zackw at panix.com> in 2017.
+ *
+ * No copyright is claimed, and the software is hereby placed in the public
+ * domain.  In case this attempt to disclaim copyright and place the software
+ * in the public domain is deemed null and void, then the software is
+ * Copyright (c) 2017 Zack Weinberg and it is hereby released to the
+ * general public under the following terms:
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * There's ABSOLUTELY NO WARRANTY, express or implied.
+ */
+
+#include "crypt-port.h"
+
+#include <errno.h>
+#include <stdlib.h>
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
+#ifdef HAVE_SYS_SYSCALL_H
+#include <sys/syscall.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+/* If we have O_CLOEXEC, we use it, but if we don't, we don't worry
+   about it.  */
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+/* There is no universally portable way to access a system CSPRNG.
+   If the C library provides any of the following functions, we try them,
+   in order of preference: arc4random_buf, getentropy, getrandom.
+   If none of those are available or they don't work, we attempt to
+   make direct system calls for getentropy and getrandom.  If *that*
+   doesn't work, we try opening and reading /dev/urandom.
+
+   This function returns true if the exact number of requested bytes
+   was successfully read, false otherwise; if it returns false, errno
+   has been set.  It may block.  It cannot be used to read more than
+   256 bytes at a time (this is a limitation inherited from
+   getentropy() and enforced regardless of the actual back-end in use).
+
+   If we fall all the way back to /dev/urandom, we open and close it on
+   each call.  */
+
+bool
+get_random_bytes(void *buf, size_t buflen)
+{
+  if (buflen == 0)
+    return true;
+
+  /* Some, but not all, of the primitives below are limited to
+     producing no more than 256 bytes of random data.  Impose this
+     constraint on our callers regardless of which primitive is
+     actually used.  */
+  if (buflen > 256)
+    {
+      errno = EIO;
+      return false;
+    }
+
+  /* To eliminate the possibility of one of the primitives below failing
+     with EFAULT, force a crash now if the buffer is unwritable.  */
+  explicit_bzero (buf, buflen);
+
+#ifdef HAVE_ARC4RANDOM_BUF
+  /* arc4random_buf, if it exists, can never fail.  */
+  arc4random_buf (buf, buflen);
+  return true;
+
+#else /* no arc4random_buf */
+
+#ifdef HAVE_GETENTROPY
+  /* getentropy may exist but lack kernel support.  */
+  static bool getentropy_doesnt_work;
+  if (!getentropy_doesnt_work)
+    {
+      if (!getentropy (buf, buflen))
+        return true;
+      getentropy_doesnt_work = true;
+    }
+#endif
+
+#ifdef HAVE_GETRANDOM
+  /* Likewise getrandom.  */
+  static bool getrandom_doesnt_work;
+  if (!getrandom_doesnt_work)
+    {
+      if ((size_t)getrandom (buf, buflen, 0) == buflen)
+        return true;
+      getrandom_doesnt_work = true;
+    }
+#endif
+
+  /* If we can make arbitrary syscalls, try getentropy and getrandom
+     again that way.  */
+#ifdef HAVE_SYSCALL
+#ifdef SYS_getentropy
+  static bool sys_getentropy_doesnt_work;
+  if (!sys_getentropy_doesnt_work)
+    {
+      if (!syscall (SYS_getentropy, buf, buflen))
+        return true;
+      sys_getentropy_doesnt_work = true;
+    }
+#endif
+
+#ifdef SYS_getrandom
+  static bool sys_getrandom_doesnt_work;
+  if (!sys_getrandom_doesnt_work)
+    {
+      if ((size_t)syscall (SYS_getrandom, buf, buflen, 0) == buflen)
+        return true;
+      sys_getrandom_doesnt_work = true;
+    }
+#endif
+#endif
+
+#if defined HAVE_SYS_STAT_H && defined HAVE_FCNTL_H && defined HAVE_UNISTD_H
+  /* Try reading from /dev/urandom.  */
+  static bool dev_urandom_doesnt_work;
+  if (!dev_urandom_doesnt_work)
+    {
+      int fd = open ("/dev/urandom", O_RDONLY|O_CLOEXEC);
+      if (fd == -1)
+        dev_urandom_doesnt_work = true;
+      else
+        {
+          ssize_t nread = read (fd, buf, buflen);
+          if (nread < 0 || (size_t)nread < buflen)
+            dev_urandom_doesnt_work = true;
+
+          close(fd);
+          return !dev_urandom_doesnt_work;
+        }
+    }
+#endif
+
+  /* if we get here, we're just completely hosed */
+  errno = ENOSYS;
+  return false;
+#endif /* no arc4random_buf */
+}

data/ext/libxcrypt/lib/util-make-failure-token.c

@@ -0,0 +1,48 @@
+/* Copyright (C) 2018-2019 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "crypt-port.h"
+
+/* Fill the output buffer with a failure token.  */
+void
+make_failure_token (const char *setting, char *output, int size)
+{
+  if (size >= 3)
+    {
+      char token[3] = "*0";
+
+      if (setting && setting[0] == '*' && setting[1] == '0')
+        token[1] = '1';
+
+      output[0] = token[0];
+      output[1] = token[1];
+      output[2] = '\0';
+    }
+
+  /* If there's not enough space for the full failure token, do the
+     best we can.  */
+  else if (size == 2)
+    {
+      output[0] = '*';
+      output[1] = '\0';
+    }
+  else if (size == 1)
+    {
+      output[0] = '\0';
+    }
+}

data/ext/libxcrypt/lib/util-xbzero.c

@@ -0,0 +1,43 @@
+/* Copyright (C) 2018-2019 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "crypt-port.h"
+
+#if INCLUDE_explicit_bzero
+/* As long as this function is defined in a translation unit all by
+   itself, and we aren't doing LTO, it would be enough for it to just
+   call memset.  While compiling _this_ translation unit, the compiler
+   has no information about what the callers do with the buffer, so it
+   cannot eliminate the memset.  While compiling code that _calls_
+   this function, the compiler doesn't know what it does, so it cannot
+   eliminate the call (if it has special knowledge of a function with
+   this name, we would hope that it knows _not_ to optimize it out!)
+
+   However, in anticipation of doing LTO on this library one day, we
+   add two more defensive measures, when we know how: the function is
+   marked no-inline, and there is a no-op assembly insert immediately
+   after the memset call, declared to read the memory that the memset
+   writes.  */
+
+NO_INLINE void
+explicit_bzero (void *s, size_t len)
+{
+  s = memset (s, 0, len);
+  asm volatile ("" : : "g" (s) : "memory");
+}
+#endif

data/ext/libxcrypt/lib/util-xstrcpy.c

@@ -0,0 +1,42 @@
+/* Copyright (C) 2018-2019 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Simple commonly used helper functions.  */
+
+#include "crypt-port.h"
+
+#include <stdlib.h>
+
+/* Provide a safe way to copy strings with the guarantee src,
+   including its terminating '\0', will fit d_size bytes.
+   The trailing bytes of d_size will be filled with '\0'.
+   dst and src must not be NULL.  Returns strlen (src).  */
+size_t
+strcpy_or_abort (void *dst, size_t d_size, const void *src)
+{
+  assert (dst != NULL);
+  assert (src != NULL);
+  size_t s_size = strlen ((const char *)src);
+  assert (d_size > s_size);
+  if (!(d_size > s_size)) /* for NDEBUG builds */
+    abort();
+
+  memcpy (dst, src, s_size);
+  memset (((char *)dst) + s_size, 0, d_size - s_size);
+  return s_size;
+}

data/ext/libxcrypt/lib/xcrypt.h.in

@@ -0,0 +1,58 @@
+/* libxcrypt interfaces for code compatibility.
+
+   Copyright (C) 2018 Björn Esser <besser82@fedoraproject.org>
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted.
+
+   THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+   OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+   SUCH DAMAGE.  */
+
+#ifndef _XCRYPT_H
+#define _XCRYPT_H 1
+
+#include <crypt.h>
+
+@BEGIN_DECLS@
+
+/* For backward compatibility with older versions (v3.1.1 and earlier)
+   of libcrypt, this header declares xcrypt, xcrypt_r, xcrypt_gensalt,
+   and xcrypt_gensalt_r as alternative names for crypt, crypt_r,
+   crypt_gensalt, and crypt_gensalt_rn, respectively.  If glibc's
+   <sys/cdefs.h> macro __REDIRECT_NTH (which declares an alternative
+   name at the object-file level) is available, we use it.  */
+#ifdef __REDIRECT_NTH
+extern char * __REDIRECT_NTH (xcrypt, (const char *__phrase,
+                              const char *__setting), crypt);
+
+extern char * __REDIRECT_NTH (xcrypt_r, (const char *__phrase,
+                              const char *__setting,
+                              struct crypt_data *__restrict __data), crypt_r);
+
+extern char * __REDIRECT_NTH (xcrypt_gensalt, (const char *__prefix,
+                              unsigned long __count, const char *__rbytes,
+                              int __nrbytes), crypt_gensalt);
+
+extern char * __REDIRECT_NTH (xcrypt_gensalt_r, (const char *__prefix,
+                              unsigned long __count, const char *__rbytes,
+                              int __nrbytes, char *__output,
+                              int __output_size), crypt_gensalt_rn);
+#else
+# define xcrypt           crypt
+# define xcrypt_r         crypt_r
+# define xcrypt_gensalt   crypt_gensalt
+# define xcrypt_gensalt_r crypt_gensalt_rn
+#endif
+
+@END_DECLS@
+
+#endif /* xcrypt.h */