xcrypt 0.1.0

data/ext/libxcrypt/test/explicit-bzero.c

@@ -0,0 +1,334 @@
+/* Test that explicit_bzero block clears are not optimized out.
+   Copyright (C) 2016-2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* This test is conceptually based on a test designed by Matthew
+   Dempsky for the OpenBSD regression suite:
+   <openbsd>/src/regress/lib/libc/explicit_bzero/explicit_bzero.c.
+   The basic idea is, we have a function that contains a
+   block-clearing operation (not necessarily explicit_bzero), after
+   which the block is dead, in the compiler-jargon sense.  Execute
+   that function while running on a user-allocated alternative
+   stack. Then we have another pointer to the memory region affected
+   by the block clear -- namely, the original allocation for the
+   alternative stack -- and can find out whether it actually happened.
+
+   The OpenBSD test uses sigaltstack and SIGUSR1 to get onto an
+   alternative stack.  This causes a number of awkward problems; some
+   operating systems (e.g. Solaris and OSX) wipe the signal stack upon
+   returning to the normal stack, there's no way to be sure that other
+   processes running on the same system will not interfere, and the
+   signal stack is very small so it's not safe to call printf there.
+   This implementation instead uses the <ucontext.h> coroutine
+   interface.  The coroutine stack is still too small to safely use
+   printf, but we know the OS won't erase it, so we can do all the
+   checks and printing from the normal stack.  */
+
+#include "crypt-port.h"
+
+#if !defined USE_SWAPCONTEXT || defined XCRYPT_USE_ASAN
+/* We can't do this test if we don't have the ucontext API.
+   Also ASAN may have some problems with using swapcontext().  */
+int main(void)
+{
+  return 77;
+}
+#else
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ucontext.h>
+
+#ifdef HAVE_VALGRIND_VALGRIND_H
+# include <valgrind/valgrind.h>
+# include <valgrind/memcheck.h>
+#else
+# define VALGRIND_STACK_REGISTER(start, end) do {} while (0)
+# define VALGRIND_MAKE_MEM_DEFINED(addr, len) do {} while (0)
+#endif
+
+/* A byte pattern that is unlikely to occur by chance: the first 16
+   prime numbers (OEIS A000040).  */
+static const unsigned char test_pattern[16] =
+{
+  2, 3, 5, 7,  11, 13, 17, 19,  23, 29, 31, 37,  41, 43, 47, 53
+};
+
+/* Immediately after each subtest returns, we call swapcontext to get
+   back onto the main stack.  That call might itself overwrite the
+   test pattern, so we fill a modest-sized buffer with copies of it
+   and check whether any of them survived.  */
+
+#define PATTERN_SIZE (sizeof test_pattern)
+#define PATTERN_REPS 32
+#define TEST_BUFFER_SIZE (PATTERN_SIZE * PATTERN_REPS)
+
+/* There are three subtests, two of which are sanity checks.
+   Each test follows this sequence:
+
+     main                      coroutine
+     ----                      --------
+     advance cur_subtest
+     swap
+                               call setup function
+                                 prepare test buffer
+                                 swap
+     verify that buffer
+     was filled in
+     swap
+                                 possibly clear buffer
+                                 return
+                               swap
+     check buffer again,
+     according to test
+     expectation
+
+   In the "no_clear" case, we don't do anything to the test buffer
+   between preparing it and letting it go out of scope, and we expect
+   to find it.  This confirms that the test buffer does get filled in
+   and we can find it from the stack buffer.  In the "ordinary_clear"
+   case, we clear it using memset.  Depending on the target, the
+   compiler may not be able to apply dead store elimination to the
+   memset call, so the test does not fail if the memset is not
+   eliminated.  Finally, the "explicit_clear" case uses explicit_bzero
+   and expects _not_ to find the test buffer, which is the real
+   test.  */
+
+static ucontext_t uc_main, uc_co;
+
+static NO_INLINE int
+use_test_buffer (unsigned char *buf)
+{
+  unsigned int sum = 0;
+
+  for (unsigned int i = 0; i < PATTERN_REPS; i++)
+    sum += buf[i * PATTERN_SIZE];
+
+  return (sum == 2 * PATTERN_REPS) ? 0 : 1;
+}
+
+/* Always check the test buffer immediately after filling it; this
+   makes externally visible side effects depend on the buffer existing
+   and having been filled in.  */
+static inline void
+prepare_test_buffer (unsigned char *buf)
+{
+  for (unsigned int i = 0; i < PATTERN_REPS; i++)
+    memcpy (buf + i*PATTERN_SIZE, test_pattern, PATTERN_SIZE);
+
+  if (swapcontext (&uc_co, &uc_main))
+    abort ();
+
+  /* Force the compiler to really copy the pattern to buf.  */
+  if (use_test_buffer (buf))
+    abort ();
+}
+
+static void
+setup_no_clear (void)
+{
+  unsigned char buf[TEST_BUFFER_SIZE];
+  prepare_test_buffer (buf);
+}
+
+static void
+setup_ordinary_clear (void)
+{
+  unsigned char buf[TEST_BUFFER_SIZE];
+  prepare_test_buffer (buf);
+  memset (buf, 0, TEST_BUFFER_SIZE);
+}
+
+static void
+setup_explicit_clear (void)
+{
+  unsigned char buf[TEST_BUFFER_SIZE];
+  prepare_test_buffer (buf);
+  explicit_bzero (buf, TEST_BUFFER_SIZE);
+}
+
+enum test_expectation
+{
+  EXPECT_NONE = 1,
+  EXPECT_SOME,
+  EXPECT_ALL,
+  NO_EXPECTATIONS,
+  ARRAY_END = 0
+};
+struct subtest
+{
+  void (*setup_subtest) (void);
+  const char *label;
+  enum test_expectation expected;
+};
+static const struct subtest *cur_subtest;
+
+static const struct subtest subtests[] =
+{
+  { setup_no_clear,       "no clear",       EXPECT_SOME     },
+  /* The memset may happen or not, depending on compiler
+     optimizations.  */
+  { setup_ordinary_clear, "ordinary clear", NO_EXPECTATIONS },
+  { setup_explicit_clear, "explicit clear", EXPECT_NONE     },
+  { 0,                    0,                ARRAY_END       }
+};
+
+static void
+test_coroutine (void)
+{
+  while (cur_subtest->setup_subtest)
+    {
+      cur_subtest->setup_subtest ();
+      if (swapcontext (&uc_co, &uc_main))
+        abort ();
+    }
+}
+
+/* All the code above this point runs on the coroutine stack.
+   All the code below this point runs on the main stack.  */
+
+static int test_status;
+static unsigned char *co_stack_buffer;
+static size_t co_stack_size;
+
+static unsigned int
+count_test_patterns (unsigned char *buf, size_t bufsiz)
+{
+  VALGRIND_MAKE_MEM_DEFINED (buf, bufsiz);
+  unsigned char *first = memmem (buf, bufsiz, test_pattern, PATTERN_SIZE);
+  if (!first)
+    return 0;
+  unsigned int cnt = 0;
+  for (unsigned int i = 0; i < PATTERN_REPS; i++)
+    {
+      unsigned char *p = first + i*PATTERN_SIZE;
+      if (p + PATTERN_SIZE - buf > (ptrdiff_t)bufsiz)
+        break;
+      if (memcmp (p, test_pattern, PATTERN_SIZE) == 0)
+        cnt++;
+    }
+  return cnt;
+}
+
+static void
+check_test_buffer (enum test_expectation expected,
+                   const char *label, const char *stage)
+{
+  unsigned int cnt = count_test_patterns (co_stack_buffer, co_stack_size);
+  switch (expected)
+    {
+    case EXPECT_NONE:
+      if (cnt == 0)
+        printf ("PASS: %s/%s: expected 0 got %u\n", label, stage, cnt);
+      else
+        {
+          printf ("FAIL: %s/%s: expected 0 got %u\n", label, stage, cnt);
+          test_status = 1;
+        }
+      break;
+
+    case EXPECT_SOME:
+      if (cnt > 0)
+        printf ("PASS: %s/%s: expected some got %u\n", label, stage, cnt);
+      else
+        {
+          printf ("FAIL: %s/%s: expected some got 0\n", label, stage);
+          test_status = 1;
+        }
+      break;
+
+    case EXPECT_ALL:
+      if (cnt == PATTERN_REPS)
+        printf ("PASS: %s/%s: expected %d got %u\n", label, stage,
+                PATTERN_REPS, cnt);
+      else
+        {
+          printf ("FAIL: %s/%s: expected %d got %u\n", label, stage,
+                  PATTERN_REPS, cnt);
+          test_status = 1;
+        }
+      break;
+
+    case NO_EXPECTATIONS:
+      printf ("INFO: %s/%s: found %u patterns%s\n", label, stage, cnt,
+              cnt == 0 ? " (memset not eliminated)" : "");
+      break;
+
+    default:
+      printf ("ERROR: %s/%s: invalid value for 'expected' = %d\n",
+              label, stage, (int)expected);
+      test_status = 1;
+    }
+}
+
+static void
+test_loop (void)
+{
+  cur_subtest = subtests;
+  while (cur_subtest->setup_subtest)
+    {
+      if (swapcontext (&uc_main, &uc_co))
+        abort ();
+      check_test_buffer (EXPECT_ALL, cur_subtest->label, "prepare");
+      if (swapcontext (&uc_main, &uc_co))
+        abort ();
+      check_test_buffer (cur_subtest->expected, cur_subtest->label, "test");
+      cur_subtest++;
+    }
+  /* Terminate the coroutine.  */
+  if (swapcontext (&uc_main, &uc_co))
+    abort ();
+}
+
+int
+main (void)
+{
+  size_t page_alignment = sizeof (void *);
+  long page_alignment_l = sysconf (_SC_PAGESIZE);
+  if (page_alignment_l > (long) sizeof (void *))
+    page_alignment = (size_t) page_alignment_l;
+
+  co_stack_size = (size_t) SIGSTKSZ + (size_t) TEST_BUFFER_SIZE;
+  if (co_stack_size < page_alignment * 4)
+    co_stack_size = page_alignment * 4;
+
+  void *p;
+  int err = posix_memalign (&p, page_alignment, co_stack_size);
+  if (err || !p)
+    {
+      printf ("ERROR: allocating alt stack: %s\n", strerror (err));
+      return 2;
+    }
+  co_stack_buffer = p;
+  memset (co_stack_buffer, 0, co_stack_size);
+  VALGRIND_STACK_REGISTER (co_stack_buffer, co_stack_buffer + co_stack_size);
+
+  if (getcontext (&uc_co))
+    {
+      printf ("ERROR: allocating coroutine context: %s\n", strerror (err));
+      return 2;
+    }
+  uc_co.uc_stack.ss_sp   = co_stack_buffer;
+  uc_co.uc_stack.ss_size = co_stack_size;
+  uc_co.uc_link          = &uc_main;
+  makecontext (&uc_co, test_coroutine, 0);
+
+  test_loop ();
+  return test_status;
+}
+
+#endif /* have ucontext.h || defined XCRYPT_USE_ASAN */

data/ext/libxcrypt/test/gensalt-bcrypt_x.c

@@ -0,0 +1,54 @@
+/* Copyright (C) 2025 Björn Esser <besser82@fedoraproject.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "crypt-port.h"
+
+#if INCLUDE_bcrypt_x
+
+#include <errno.h>
+#include <stdio.h>
+
+int
+main (void)
+{
+  char *retval;
+
+  errno = 0;
+  retval = crypt_gensalt ("$2x$", 0, NULL, 0);
+
+  if (retval || errno != EINVAL)
+    {
+      fprintf (stderr, "gensalt: expected \"NULL\", got \"%s\" "
+                       "with errno == %i, instead of %i.\n",
+               retval ? retval : "NULL", errno, EINVAL);
+
+      return 1;
+    }
+
+  return 0;
+}
+
+#else
+
+int
+main (void)
+{
+  return 77; /* UNSUPPORTED */
+}
+
+#endif /* INCLUDE_bcrypt_x */

data/ext/libxcrypt/test/gensalt-extradata.c

@@ -0,0 +1,246 @@
+/* Test that the prefix argument to crypt_gensalt affects only the
+   choice of hashing method, not any of the parameters or the salt.
+
+   Written by Zack Weinberg <zackw at panix.com> in 2018.
+   To the extent possible under law, Zack Weinberg has waived all
+   copyright and related or neighboring rights to this work.
+
+   See https://creativecommons.org/publicdomain/zero/1.0/ for further
+   details.  */
+
+#include "crypt-port.h"
+
+#include <errno.h>
+#include <stdio.h>
+
+/* Random bytes used when calling crypt_gensalt; for determinism, these
+   are fixed from run to run.  */
+#define N_RBYTES 64ul
+
+static const char rbytes1[] =
+  "90idUkI2+mu2E/tMTViD418j2sPdEYq9LYq0yRW7RYhr4RqQ+oVzIIEcfJBqpf/D";
+
+static const char rbytes2[] =
+  "sEwXQxrjBTEADauxCpvOQqq7iU9oq6uJ+Iux/fbhtLRj1MWgBFyo/t+nh/nzm0Kn";
+
+static_assert(sizeof rbytes1 == N_RBYTES + 1, "rbytes1 is wrong length");
+static_assert(sizeof rbytes2 == N_RBYTES + 1, "rbytes2 is wrong length");
+
+struct testcase
+{
+  const char *prefix;
+  unsigned long count1;
+  unsigned long count2;
+};
+
+/* This list should include one entry for each potentially-supported
+   hash prefix.  If the hash method has tunable cost, set count1 and
+   count2 to two different nonzero values, within the supported cost
+   range.  Neither value should equal the default cost.  If the hash
+   method does not have tunable cost, set count1 and count2 to zero.  */
+static const struct testcase testcases[] =
+{
+#if INCLUDE_descrypt || INCLUDE_bigcrypt
+  { "", 0, 0 },
+#endif
+#if INCLUDE_bsdicrypt
+  { "_", 7019, 1120211 },
+#endif
+#if INCLUDE_nt
+  { "$3$", 0, 0 },
+#endif
+#if INCLUDE_md5crypt
+  { "$1$", 0, 0 },
+#endif
+#if INCLUDE_sunmd5
+  { "$md5",  7019, 1120211 },
+#endif
+#if INCLUDE_sm3crypt
+  { "$sm3$",  7019, 1120211 },
+#endif
+#if INCLUDE_sha1crypt
+  { "$sha1", 7019, 1120211 },
+#endif
+#if INCLUDE_sha256crypt
+  { "$5$", 7019, 1120211 },
+#endif
+#if INCLUDE_sha512crypt
+  { "$6$", 7019, 1120211 },
+#endif
+#if INCLUDE_bcrypt
+  { "$2b$", 7, 11 },
+#endif
+#if INCLUDE_bcrypt_y
+  { "$2y$", 7, 11 },
+#endif
+#if INCLUDE_bcrypt_a
+  { "$2a$", 7, 11 },
+#endif
+#if INCLUDE_scrypt
+  { "$7$", 7, 11, },
+#endif
+#if INCLUDE_yescrypt
+  { "$y$", 7, 11, },
+#endif
+#if INCLUDE_gost_yescrypt
+  { "$gy$", 7, 11, },
+#endif
+#if INCLUDE_sm3_yescrypt
+  { "$sm3y$", 7, 11, },
+#endif
+  { 0, 0, 0, }
+};
+
+static int
+do_crypt_gensalt(const char *prefix,
+                 const char rbytes[MIN_SIZE(N_RBYTES)],
+                 unsigned long count,
+                 char outbuf[MIN_SIZE(CRYPT_GENSALT_OUTPUT_SIZE)])
+{
+  /* Detect failure to NUL-terminate the output properly.  */
+  static int ncalls = 0;
+  memset(outbuf, '!' + (ncalls % ('~' - '!' + 1)),
+         CRYPT_GENSALT_OUTPUT_SIZE - 1);
+  outbuf[CRYPT_GENSALT_OUTPUT_SIZE - 1] = 0;
+  ncalls++;
+
+  char *rv = crypt_gensalt_rn(prefix, count, rbytes, N_RBYTES,
+                              outbuf, CRYPT_GENSALT_OUTPUT_SIZE);
+  if (rv == 0)
+    {
+      printf("ERROR: gensalt(%s, %lu, %c%c..., %lu, outbuf, %lu) = 0/%s\n",
+             prefix, count, rbytes[0], rbytes[1],
+             N_RBYTES, (unsigned long)CRYPT_GENSALT_OUTPUT_SIZE,
+             strerror(errno));
+      outbuf[0] = '*';
+      memset (outbuf+1, 0, CRYPT_GENSALT_OUTPUT_SIZE-1);
+      return 1;
+    }
+  else if (rv[0] == '*')
+    {
+      printf("ERROR: gensalt(%s, %lu, %c%c..., %lu, outbuf, %lu) = %s/%s\n",
+             prefix, count, rbytes[0], rbytes[1],
+             N_RBYTES, (unsigned long)CRYPT_GENSALT_OUTPUT_SIZE,
+             outbuf, strerror(errno));
+      outbuf[0] = '*';
+      memset (outbuf+1, 0, CRYPT_GENSALT_OUTPUT_SIZE-1);
+      return 1;
+    }
+  else
+    return 0;
+}
+
+static int
+do_check_equal(const char *stst, const char *sref,
+               const char *prefix, const char rbytes[N_RBYTES],
+               unsigned long count, const char *setting)
+{
+  if (!strcmp(stst, sref))
+    return 0;
+
+  printf("FAIL: expected %s\n"
+         "           got %s\n"
+         "  from %s, %lu, %c%c...\n"
+         "   and %s\n",
+         sref, stst, prefix, count, rbytes[0], rbytes[1], setting);
+  return 1;
+}
+
+int
+main(void)
+{
+  int status = 0;
+  char sref[6][CRYPT_GENSALT_OUTPUT_SIZE];
+  char stst[CRYPT_GENSALT_OUTPUT_SIZE];
+
+  for (size_t i = 0; testcases[i].prefix; i++)
+    {
+      const char *prefix   = testcases[i].prefix;
+      unsigned long count1 = testcases[i].count1;
+      unsigned long count2 = testcases[i].count2;
+      int ncases;
+
+      memset(sref, 0, sizeof sref);
+
+      /* If count1 and count2 are both nonzero, then they should also
+         be unequal, and we have six reference cases:
+         (0, count1, count2) x (rbytes1, rbytes2).
+         If count1 and count2 are both zero, then we only have two
+         reference cases: 0 x (rbytes1, rbytes2) (this happens when the
+         hash method doesn't have tunable cost).
+         It is incorrect for only one of count1 and count2 to be zero,
+         or for them to be equal but nonzero.  */
+      if (count1 == 0 && count2 == 0)
+        {
+          ncases = 2;
+          status |= do_crypt_gensalt(prefix, rbytes1, 0, sref[0]);
+          status |= do_crypt_gensalt(prefix, rbytes2, 0, sref[1]);
+        }
+      else if (count1 != 0 && count2 != 0 && count1 != count2)
+        {
+          ncases = 6;
+          status |= do_crypt_gensalt(prefix, rbytes1, 0,      sref[0]);
+          status |= do_crypt_gensalt(prefix, rbytes2, 0,      sref[1]);
+          status |= do_crypt_gensalt(prefix, rbytes1, count1, sref[2]);
+          status |= do_crypt_gensalt(prefix, rbytes2, count1, sref[3]);
+          status |= do_crypt_gensalt(prefix, rbytes1, count2, sref[4]);
+          status |= do_crypt_gensalt(prefix, rbytes2, count2, sref[5]);
+        }
+      else
+        {
+          printf ("ERROR: %zu/%s: inappropriate count1=%lu count2=%lu\n",
+                  i, prefix, count1, count2);
+          status = 1;
+          continue;
+        }
+
+      /* At this point, sref[0..ncases] are filled with setting
+         strings corresponding to different combinations of salt and
+         cost.  If we reuse those strings as prefixes for crypt_gensalt,
+         none of the additional information should affect the output.  */
+      for (int j = 0; j < ncases; j++)
+        {
+          if (sref[j][0] == '*')
+            continue; /* initial crypt_gensalt call failed */
+          if (count1 == 0 && count2 == 0)
+            {
+              status |= do_crypt_gensalt(sref[j], rbytes1, 0, stst);
+              status |= do_check_equal(stst, sref[0],
+                                       prefix, rbytes1, 0, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes2, 0, stst);
+              status |= do_check_equal(stst, sref[1],
+                                       prefix, rbytes2, 0, sref[j]);
+            }
+          else
+            {
+              status |= do_crypt_gensalt(sref[j], rbytes1, 0,      stst);
+              status |= do_check_equal(stst, sref[0],
+                                       prefix, rbytes1, 0, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes2, 0,      stst);
+              status |= do_check_equal(stst, sref[1],
+                                       prefix, rbytes2, 0, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes1, count1, stst);
+              status |= do_check_equal(stst, sref[2],
+                                       prefix, rbytes1, count1, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes2, count1, stst);
+              status |= do_check_equal(stst, sref[3],
+                                       prefix, rbytes2, count1, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes1, count2, stst);
+              status |= do_check_equal(stst, sref[4],
+                                       prefix, rbytes1, count2, sref[j]);
+
+              status |= do_crypt_gensalt(sref[j], rbytes2, count2, stst);
+              status |= do_check_equal(stst, sref[5],
+                                       prefix, rbytes2, count2, sref[j]);
+            }
+        }
+
+    }
+
+  return status;
+}