xcrypt 0.1.0

data/ext/libxcrypt/test/symbols-compat.pl

@@ -0,0 +1,137 @@
+#! /usr/bin/perl
+# Written by Zack Weinberg <zackw at panix.com> in 2017 and 2020.
+# To the extent possible under law, Zack Weinberg has waived all
+# copyright and related or neighboring rights to this work.
+#
+# See https://creativecommons.org/publicdomain/zero/1.0/ for further
+# details.
+
+# This test is only run if we are building a shared library intended
+# to be binary backward compatible with GNU libc (libcrypt.so.1).
+# It locates any installed version of libcrypt.so.1, and verifies that
+# each public symbol exposed by that library is also exposed by our
+# libcrypt.so.1 with a matching symbol version.
+#
+# Due to limitations in Automake, this program takes parameters from
+# the environment:
+# $lib_la - full pathname of libcrypt.la
+# $SYMBOL_PREFIX - prefix, if any, added to global symbols defined from C
+# $CC, $NM - names of tools to run (defaults to 'cc' and 'nm' respectively)
+# $CFLAGS, $LDFLAGS - options to pass to $CC when linking (default: empty)
+
+use v5.14;    # implicit use strict, use feature ':5.14'
+use warnings FATAL => 'all';
+use utf8;
+use open qw(:std :utf8);
+no  if $] >= 5.022, warnings => 'experimental::re_strict';
+use if $] >= 5.022, re       => 'strict';
+
+use FindBin ();
+use lib $FindBin::Bin;
+use TestCommon qw(
+    compare_symbol_lists
+    ensure_C_locale
+    find_real_library
+    get_symbols
+    popen
+    sh_split
+    skip
+    subprocess_error
+    which
+);
+
+# Some differences between the symbols exported by heritage libcrypt.so.1
+# and our libcrypt.so.1 are expected:
+#
+#  * All of the symbols we define with GLIBC_2.xx version tags are
+#    compatibility symbols (nm prints only one @); naturally,
+#    glibc-provided libcrypt.so.1 defines some of those symbols as
+#    linkable symbols (two @).
+#
+#  * Older versions of libcrypt defined five symbols as linkable,
+#    with the XCRYPT_2.0 version tag, which are now compatibility-only:
+#    crypt_gensalt_r, xcrypt, xcrypt_gensalt, xcrypt_gensalt_r, and
+#    xcrypt_r.
+#
+# This sub is applied to the symbol listing from the system-provided
+# libcrypt.so.1; it edits that listing so that the comparison below
+# succeeds despite any expected differences.
+sub filter_expected_differences {
+    my $symbols = shift;
+    my %filtered;
+    my $formerly_linkable = qr{
+        ^ (?: crypt_gensalt_r
+            | xcrypt(?: _r)?
+            | xcrypt_gensalt(?: _r)?
+          ) @@
+    }x;
+    for my $s (keys %{$symbols}) {
+        $s =~ s/\b@@(?=GLIBC_)/@/;
+        $s =~ s/\b@@(?=XCRYPT_2\.0)/@/ if $s =~ $formerly_linkable;
+        $filtered{$s} = 1;
+    }
+    return \%filtered;
+}
+
+sub find_system_libcrypt {
+    # Ask the compiler whether a libcrypt.so.1 exists in its search
+    # path.  The compiler option -print-file-name should be supported
+    # on all operating systems where there's an older libcrypt that we
+    # can be backward compatible with.
+    state @CC;
+    if (!@CC) {
+        @CC = which($ENV{CC} || 'cc');
+        skip('C compiler not available') unless @CC;
+    }
+
+    state @CFLAGS;
+    if (!@CFLAGS) {
+        @CFLAGS = sh_split($ENV{CFLAGS} || q{});
+    }
+    state @LDFLAGS;
+    if (!@LDFLAGS) {
+        @LDFLAGS = sh_split($ENV{LDFLAGS} || q{});
+    }
+
+    my $fh =
+        popen('-|', @CC, @CFLAGS, @LDFLAGS, '-print-file-name=libcrypt.so.1');
+    my $path;
+    {
+        local $/ = undef;    # slurp
+        $path = <$fh>;
+    }
+    close $fh or subprocess_error($CC[0]);
+
+    chomp $path;
+    # If we get back either the empty string or the same string we put
+    # in, it means there is no libcrypt.so.1 on this system.
+    if ($path eq q{} || $path eq 'libcrypt.so.1') {
+        skip('no system-provided libcrypt.so.1');
+    }
+    return $path;
+}
+
+sub get_our_symbols {
+    return get_symbols(find_real_library(shift, 'shared'));
+}
+
+sub get_their_symbols {
+    return filter_expected_differences(get_symbols(find_system_libcrypt()));
+}
+
+#
+# Main
+#
+my $lib_la = $ENV{lib_la} || '/nonexistent';
+if (!-f $lib_la) {
+    print {*STDERR} "usage: lib_la=/path/to/library.la $0";
+    exit 1;
+}
+
+ensure_C_locale();
+exit compare_symbol_lists(
+    get_our_symbols($lib_la),
+    get_their_symbols(),
+    'symbol versions',
+    1,    # extra symbols are allowed
+);

data/ext/libxcrypt/test/symbols-renames.pl

@@ -0,0 +1,107 @@
+#! /usr/bin/perl
+# Written by Zack Weinberg <zackw at panix.com> in 2017 and 2020.
+# To the extent possible under law, Zack Weinberg has waived all
+# copyright and related or neighboring rights to this work.
+#
+# See https://creativecommons.org/publicdomain/zero/1.0/ for further
+# details.
+
+# Check that all of the symbols renamed by crypt-port.h
+# still appear somewhere in the source code.  This test does not attempt
+# to parse the source code, so it can get false negatives (e.g. a word used
+# in a comment will be enough).
+#
+# Due to limitations in Automake, this program takes parameters from
+# the environment:
+# $lib_la - full pathname of libcrypt.la
+# $SYMBOL_PREFIX - prefix, if any, added to global symbols defined from C
+# $NM, $CPP, $CPPFLAGS - nm utility, C preprocessor, and parameters
+
+use v5.14;    # implicit use strict, use feature ':5.14'
+use warnings FATAL => 'all';
+use utf8;
+use open qw(:std :utf8);
+no  if $] >= 5.022, warnings => 'experimental::re_strict';
+use if $] >= 5.022, re       => 'strict';
+
+use File::Temp ();
+
+use FindBin ();
+use lib $FindBin::Bin;
+use TestCommon qw(
+    compare_symbol_lists
+    ensure_C_locale
+    find_real_library
+    get_symbols
+    popen
+    sh_split
+    skip
+    subprocess_error
+    which
+);
+
+sub list_library_internals {
+    # We are only interested in symbols with the internal prefix,
+    # _crypt_.
+    return get_symbols(find_real_library(shift, 'static'),
+        sub { $_[0] =~ /^_crypt_/ });
+}
+
+sub list_symbol_renames {
+    state @CPP;
+    if (!@CPP) {
+        @CPP = which($ENV{CPP} || 'cc -E');
+        skip('C compiler not available') unless @CPP;
+    }
+    state @CPPFLAGS;
+    if (!@CPPFLAGS) {
+        @CPPFLAGS = sh_split($ENV{CPPFLAGS} || q{});
+    }
+
+    my $tmp = File::Temp->new(
+        DIR      => '.',
+        TEMPLATE => 'symbols-renames-XXXXXX',
+        SUFFIX   => '.c',
+        EXLOCK   => 0,
+    );
+    print {$tmp} qq{#include "crypt-port.h"\n};
+
+    my $fh = popen('-|', @CPP, @CPPFLAGS, '-dD', $tmp->filename);
+    local $_;
+    my %symbols;
+    my $pp_define = qr{
+        ^\#define \s+
+            [a-zA-Z_][a-zA-Z0-9_(),]* \s+
+            (_crypt_[a-zA-Z0-9_]*) \b
+    }x;
+    while (<$fh>) {
+        chomp;
+        s/\s+$//;
+        if ($_ =~ $pp_define) {
+            print {*STDERR} "| $1\n";
+            $symbols{$1} = 1;
+        }
+    }
+    close $fh or subprocess_error($CPP[0]);
+    return \%symbols;
+}
+
+#
+# Main
+#
+my $lib_la = $ENV{lib_la} || '/nonexistent';
+if (!-f $lib_la) {
+    print {*STDERR} "usage: lib_la=/path/to/library.la $0";
+    exit 1;
+}
+if (($ENV{HAVE_CPP_dD} // 'yes') eq 'no') {
+    skip('cpp -dD not available');
+}
+
+ensure_C_locale();
+exit compare_symbol_lists(
+    list_library_internals($lib_la),
+    list_symbol_renames(),
+    'renames',
+    0,    # extra symbols not allowed
+);

data/ext/libxcrypt/test/symbols-static.pl

@@ -0,0 +1,87 @@
+#! /usr/bin/perl
+# Written by Zack Weinberg <zackw at panix.com> in 2017 and 2020.
+# To the extent possible under law, Zack Weinberg has waived all
+# copyright and related or neighboring rights to this work.
+#
+# See https://creativecommons.org/publicdomain/zero/1.0/ for further
+# details.
+
+# Test that all global symbols in the static version of the library
+# (libcrypt.a) are either listed as global and supported for new code
+# in libcrypt.map.in, or begin with a _crypt prefix.  Also test that
+# all of the global, supported for new code, symbols mentioned in
+# libcrypt.map.in are in fact defined.
+#
+# Due to limitations in Automake, this program takes parameters from
+# the environment:
+# $lib_la - full pathname of libcrypt.la
+# $lib_map - full pathname of libcrypt.map.in
+# $SYMBOL_PREFIX - prefix, if any, added to global symbols defined from C
+# $NM, $CPP, $CPPFLAGS - nm utility, C preprocessor, and parameters
+
+use v5.14;    # implicit use strict, use feature ':5.14'
+use warnings FATAL => 'all';
+use utf8;
+use open qw(:std :utf8);
+no  if $] >= 5.022, warnings => 'experimental::re_strict';
+use if $] >= 5.022, re       => 'strict';
+
+use FindBin ();
+use lib $FindBin::Bin;
+use TestCommon qw(
+    error
+    ensure_C_locale
+    find_real_library
+    get_symbols
+    compare_symbol_lists
+);
+
+my $symbol_prefix = $ENV{SYMBOL_PREFIX} || q{};
+
+sub list_library_globals {
+    # Symbols that begin with _crypt_ are private to the library.
+    # Symbols that begin with _[_A-Y] are private to the C
+    # implementation.  All other symbols (including any that begin
+    # with _Z, which are C++ mangled names) are part of the library's
+    # public interface.
+    return get_symbols(
+        find_real_library(shift, 'static'),
+        sub { $_[0] !~ /^_(?:[_A-Y]|crypt_)/ },
+    );
+}
+
+sub list_expected_globals {
+    my ($lib_map) = @_;
+    open my $fh, '<', $lib_map
+        or error("$lib_map: $!");
+
+    local $_;
+    my %symbols;
+    while (<$fh>) {
+        chomp;
+        s/\s+$//;
+        next if /^($|#|%chain\b)/;
+
+        my @fields = split;
+        $symbols{$fields[0]} = 1 if $fields[1] ne '-';
+    }
+    return \%symbols;
+}
+
+#
+# Main
+#
+my $lib_la  = $ENV{lib_la}  || '/nonexistent';
+my $lib_map = $ENV{lib_map} || '/nonexistent';
+if (!-f $lib_la || !-f $lib_map) {
+    print {*STDERR} "usage: lib_la=/p/lib.la lib_map=/p/lib.map $0";
+    exit 1;
+}
+
+ensure_C_locale();
+exit compare_symbol_lists(
+    list_library_globals($lib_la),
+    list_expected_globals($lib_map),
+    'globals',
+    0,    # extra symbols not allowed
+);

data/ext/xcrypt/xcrypt.c

@@ -0,0 +1,9 @@
+/*
+ * xcrypt.c — compilation stub for ffi-compiler.
+ *
+ * The actual implementation lives in libxcrypt (ext/libxcrypt), which is
+ * linked statically into this shared library at build time.  Ruby code
+ * reaches the libxcrypt API through Ruby-FFI (see lib/xcrypt/ffi.rb); no
+ * wrapper functions are needed here.
+ */
+#include "crypt.h"

data/lib/xcrypt/ffi.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "ffi"
+require "ffi-compiler/loader"
+
+module XCrypt
+  # Low-level FFI bindings for libxcrypt.
+  #
+  # Consumers should use the high-level {XCrypt} module methods instead of
+  # calling into this module directly.
+  #
+  # The shared library loaded here is compiled from the libxcrypt submodule
+  # (ext/libxcrypt) via ffi-compiler.  Run <tt>bundle exec rake compile</tt>
+  # to build it before loading this gem.
+  module FFI
+    extend ::FFI::Library
+
+    # Size constants mirrored from <crypt.h>.
+    CRYPT_OUTPUT_SIZE         = 384
+    CRYPT_MAX_PASSPHRASE_SIZE = 512
+    CRYPT_GENSALT_OUTPUT_SIZE = 192
+    CRYPT_DATA_RESERVED_SIZE  = 767
+    CRYPT_DATA_INTERNAL_SIZE  = 30_720
+
+    # sizeof(struct crypt_data) == 32768 bytes, as guaranteed by the header.
+    CRYPT_DATA_SIZE = 32_768
+
+    # crypt_checksalt(3) return codes.
+    CRYPT_SALT_OK              = 0
+    CRYPT_SALT_INVALID         = 1
+    CRYPT_SALT_METHOD_DISABLED = 2
+    CRYPT_SALT_METHOD_LEGACY   = 3
+    CRYPT_SALT_TOO_CHEAP       = 4
+
+    # Load the native extension compiled from the libxcrypt submodule.
+    # FFI::Compiler::Loader searches for lib<arch>-<os>/libxcrypt.{bundle,so}
+    # relative to this file's location.
+    begin
+      ffi_lib ::FFI::Compiler::Loader.find("xcrypt")
+    rescue LoadError
+      raise LoadError,
+            "XCrypt native extension not found. " \
+            "Build it with: rake compile"
+    end
+
+    # char *crypt_rn(const char *phrase, const char *setting,
+    #                void *data, int size)
+    #
+    # Thread-safe variant that writes to a caller-supplied buffer.  Returns
+    # NULL on error instead of a magic error string.
+    attach_function :crypt_rn, [:string, :string, :pointer, :int], :pointer
+
+    # char *crypt_gensalt_rn(const char *prefix, unsigned long count,
+    #                        const char *rbytes, int nrbytes,
+    #                        char *output, int output_size)
+    #
+    # Thread-safe salt generator that writes to a caller-supplied buffer.
+    # Pass NULL for rbytes to let the library obtain entropy from the OS.
+    attach_function :crypt_gensalt_rn,
+                    [:string, :ulong, :pointer, :int, :pointer, :int],
+                    :pointer
+
+    # int crypt_checksalt(const char *setting)
+    #
+    # Inspects a setting string and reports whether it is valid.
+    attach_function :crypt_checksalt, [:string], :int
+
+    # const char *crypt_preferred_method(void)
+    #
+    # Returns the prefix string of the library's preferred (strongest)
+    # hashing method.
+    attach_function :crypt_preferred_method, [], :string
+  end
+
+  private_constant :FFI
+end

data/lib/xcrypt/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module XCrypt
+  VERSION = "0.1.0"
+end

data/lib/xcrypt.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module XCrypt
+  require "xcrypt/version"
+  require "xcrypt/ffi"
+
+  Error ||= Class.new(StandardError)
+
+  ALGORITHMS = {
+    yescrypt:      "$y$",
+    gost_yescrypt: "$gy$",
+    scrypt:        "$7$",
+    bcrypt:        "$2b$",
+    sha512:        "$6$",
+    sha256:        "$5$",
+    sha1:          "$sha1$",
+    sun_md5:       "$md5",
+    md5:           "$1$",
+    bsdi_des:      "_",
+    des:           "",
+  }.freeze
+
+  PREFIXES = ALGORITHMS.invert.freeze
+  private_constant :ALGORITHMS, :PREFIXES
+
+  extend self
+
+  ALGORITHMS.each_key do |algorithm|
+    define_method(algorithm) do |phrase, setting = nil, cost: nil|
+      if setting
+        setting_algorithm = detect_algorithm(setting)
+        if setting_algorithm != algorithm
+          raise ArgumentError, "setting algorithm #{setting_algorithm.inspect} does not match expected #{algorithm.inspect}"
+        end
+      end
+      crypt(phrase, setting, algorithm:, cost:)
+    end
+  end
+
+  def algorithms = ALGORITHMS.keys
+
+  def detect_algorithm(setting) = PREFIXES[setting[/\A\$\w+\$?|_/].to_s]
+
+  def crypt(phrase, setting = nil, algorithm: nil, cost: nil)
+    setting, algorithm = nil, setting if setting.is_a? Symbol
+    setting ||= generate_setting(algorithm, cost:)
+    data = ::FFI::MemoryPointer.new(:uint8, FFI::CRYPT_DATA_SIZE)
+    result_ptr = FFI.crypt_rn(phrase, setting, data, FFI::CRYPT_DATA_SIZE)
+    raise Error, "crypt failed: invalid setting or unsupported algorithm" if result_ptr.null?
+    result_ptr.read_string
+  ensure
+    data&.clear
+  end
+
+  def verify(phrase, hash)
+    return false if hash.nil? || hash.empty? || hash.start_with?("*")
+    result = crypt(phrase, hash)
+    secure_compare(result, hash)
+  rescue Error
+    false
+  end
+
+  def generate_setting(algorithm = nil, cost: nil)
+    prefix = ALGORITHMS.fetch(algorithm) { raise ArgumentError, "unknown algorithm: #{algorithm.inspect}" } if algorithm
+    cost ||= 0
+
+    output = ::FFI::MemoryPointer.new(:char, FFI::CRYPT_GENSALT_OUTPUT_SIZE)
+    result_ptr = FFI.crypt_gensalt_rn(prefix, cost, nil, 0, output, FFI::CRYPT_GENSALT_OUTPUT_SIZE)
+    raise Error, "crypt_gensalt failed: unknown prefix or unsupported algorithm" if result_ptr.null?
+
+    result_ptr.read_string
+  end
+
+  private
+
+  def secure_compare(trusted, untrusted)
+    return false unless trusted.respond_to?   :to_str and trusted = trusted.to_str.b
+    return false unless untrusted.respond_to? :to_str and untrusted = untrusted.to_str.b
+
+    # avoid ability for attacker to guess length of string by timing attack
+    comparable = trusted[0, untrusted.bytesize].ljust(untrusted.bytesize, "\0".b)
+
+    result = defined?(OpenSSL.fixed_length_secure_compare) ?
+      OpenSSL.fixed_length_secure_compare(comparable, untrusted) :
+      comparable.each_byte.zip(untrusted.each_byte).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
+
+    trusted.bytesize == untrusted.bytesize and result
+  end
+end