yescrypt 0.1.0

data/ext/yescrypt/sha256.h

@@ -0,0 +1,43 @@
+/*
+ * SHA-256 implementation for yescrypt.
+ * Based on the public domain implementation by Colin Percival.
+ *
+ * Copyright (c) 2009 Colin Percival
+ * Copyright (c) 2013-2021 Alexander Peslyak
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+
+#ifndef SHA256_H
+#define SHA256_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+typedef struct {
+    uint32_t state[8];
+    uint64_t count;
+    uint8_t buf[64];
+} SHA256_CTX;
+
+void SHA256_Init(SHA256_CTX *ctx);
+void SHA256_Update(SHA256_CTX *ctx, const void *in, size_t len);
+void SHA256_Final(uint8_t digest[32], SHA256_CTX *ctx);
+
+/* HMAC-SHA256 */
+typedef struct {
+    SHA256_CTX ictx;
+    SHA256_CTX octx;
+} HMAC_SHA256_CTX;
+
+void HMAC_SHA256_Init(HMAC_SHA256_CTX *ctx, const void *key, size_t keylen);
+void HMAC_SHA256_Update(HMAC_SHA256_CTX *ctx, const void *in, size_t len);
+void HMAC_SHA256_Final(uint8_t digest[32], HMAC_SHA256_CTX *ctx);
+
+/* PBKDF2-HMAC-SHA256 */
+void PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *salt, size_t saltlen,
+    uint64_t c, uint8_t *buf, size_t dkLen);
+
+#endif /* SHA256_H */

data/ext/yescrypt/yescrypt-common.c

@@ -0,0 +1,381 @@
+/*
+ * yescrypt common functions: encoding, decoding, salt generation.
+ *
+ * Copyright (c) 2013-2021 Alexander Peslyak
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#include "yescrypt.h"
+#include "insecure_memzero.h"
+#include "sha256.h"
+
+/* Base64 encoding table (crypt-style, ./0-9A-Za-z) */
+static const char *itoa64 =
+    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+static uint8_t *encode64_uint32(uint8_t *dst, size_t dstlen,
+    uint32_t src, uint32_t srcbits)
+{
+    uint32_t bit;
+    for (bit = 0; bit < srcbits; bit += 6) {
+        if (dstlen < 1)
+            return NULL;
+        *dst++ = itoa64[src & 0x3f];
+        dstlen--;
+        src >>= 6;
+    }
+    return dst;
+}
+
+static const uint8_t *decode64_uint32(uint32_t *dst, uint32_t dstbits,
+    const uint8_t *src)
+{
+    uint32_t bit;
+    uint32_t val = 0;
+    for (bit = 0; bit < dstbits; bit += 6) {
+        uint32_t c = *src++;
+        if (c == '\0')
+            return NULL;
+        const char *p = strchr(itoa64, c);
+        if (!p)
+            return NULL;
+        val |= (uint32_t)(p - itoa64) << bit;
+    }
+    *dst = val;
+    return src;
+}
+
+static uint8_t *encode64(uint8_t *dst, size_t dstlen,
+    const uint8_t *src, size_t srclen)
+{
+    size_t i;
+    for (i = 0; i < srclen; ) {
+        uint8_t *dnext;
+        uint32_t value = 0, bits = 0;
+        do {
+            value |= (uint32_t)src[i++] << bits;
+            bits += 8;
+        } while (bits < 24 && i < srclen);
+        dnext = encode64_uint32(dst, dstlen, value, bits);
+        if (!dnext)
+            return NULL;
+        dstlen -= (dnext - dst);
+        dst = dnext;
+    }
+    return dst;
+}
+
+static const uint8_t *decode64(uint8_t *dst, size_t *dstlen,
+    const uint8_t *src)
+{
+    size_t len = 0;
+    size_t maxlen = *dstlen;
+
+    while (*src) {
+        uint32_t c = *src;
+        if (!strchr(itoa64, c))
+            break;
+
+        uint32_t value = 0;
+        uint32_t bits = 0;
+        const uint8_t *snext = src;
+        do {
+            const char *p = strchr(itoa64, *snext);
+            if (!p)
+                break;
+            value |= (uint32_t)(p - itoa64) << bits;
+            bits += 6;
+            snext++;
+        } while (bits < 24 && *snext && strchr(itoa64, *snext));
+
+        src = snext;
+        while (bits >= 8) {
+            if (len >= maxlen)
+                return NULL;
+            dst[len++] = value & 0xff;
+            value >>= 8;
+            bits -= 8;
+        }
+    }
+
+    *dstlen = len;
+    return src;
+}
+
+/* Memory allocation and initialization */
+int yescrypt_init_local(yescrypt_local_t *local)
+{
+    if (!local)
+        return -1;
+    local->base = NULL;
+    local->aligned_size = 0;
+    local->aligned = NULL;
+    return 0;
+}
+
+int yescrypt_free_local(yescrypt_local_t *local)
+{
+    if (!local)
+        return -1;
+    if (local->base) {
+        insecure_memzero(local->base, local->aligned_size);
+        free(local->base);
+    }
+    local->base = NULL;
+    local->aligned_size = 0;
+    local->aligned = NULL;
+    return 0;
+}
+
+int yescrypt_init_shared(yescrypt_shared_t *shared)
+{
+    if (!shared)
+        return -1;
+    shared->region.base = NULL;
+    shared->region.aligned_size = 0;
+    shared->region.aligned = NULL;
+    shared->mask1 = 0;
+    shared->N = 0;
+    shared->dummy = 0;
+    return 0;
+}
+
+int yescrypt_free_shared(yescrypt_shared_t *shared)
+{
+    if (!shared)
+        return -1;
+    if (shared->region.base) {
+        free(shared->region.base);
+    }
+    memset(shared, 0, sizeof(*shared));
+    return 0;
+}
+
+/* Ensure local storage has enough room */
+int yescrypt_ensure_local(yescrypt_local_t *local, size_t need)
+{
+    if (local->aligned_size >= need)
+        return 0;
+
+    if (local->base)
+        free(local->base);
+
+    local->base = malloc(need);
+    if (!local->base) {
+        local->aligned_size = 0;
+        local->aligned = NULL;
+        return -1;
+    }
+    local->aligned_size = need;
+    local->aligned = local->base;
+    return 0;
+}
+
+/* Generate a yescrypt setting/salt string.
+ * Format: $y$j<params>$<salt>$
+ * where params encode N_log2, r, p, t, flags
+ */
+uint8_t *yescrypt_gensalt(
+    uint32_t N_log2, uint32_t r, uint32_t p, uint32_t t,
+    yescrypt_flags_t flags,
+    const uint8_t *src, size_t srclen,
+    uint8_t *buf, size_t buflen)
+{
+    uint8_t *dst = buf;
+    uint8_t *end = buf + buflen - 1; /* leave room for NUL */
+
+    if (buflen < 32 || !src || srclen < 1)
+        return NULL;
+
+    /* Prefix */
+    *dst++ = '$';
+    *dst++ = 'y';
+    *dst++ = '$';
+
+    /* Flavor indicator */
+    *dst++ = 'j';
+
+    /* Encode params: N_log2 in 6 bits */
+    dst = encode64_uint32(dst, end - dst, N_log2, 6);
+    if (!dst) return NULL;
+
+    /* r in 30 bits */
+    dst = encode64_uint32(dst, end - dst, r, 30);
+    if (!dst) return NULL;
+
+    /* p in 30 bits */
+    dst = encode64_uint32(dst, end - dst, p, 30);
+    if (!dst) return NULL;
+
+    /* t in 6 bits */
+    dst = encode64_uint32(dst, end - dst, t, 6);
+    if (!dst) return NULL;
+
+    /* flags in 6 bits */
+    dst = encode64_uint32(dst, end - dst, (uint32_t)flags, 6);
+    if (!dst) return NULL;
+
+    *dst++ = '$';
+
+    /* Encode salt */
+    dst = encode64(dst, end - dst, src, srclen);
+    if (!dst) return NULL;
+
+    *dst++ = '$';
+    *dst = '\0';
+
+    return buf;
+}
+
+/* Decode a setting string to extract params */
+static const uint8_t *yescrypt_decode_params(
+    const uint8_t *setting,
+    uint32_t *N_log2, uint32_t *r, uint32_t *p, uint32_t *t,
+    yescrypt_flags_t *flags,
+    const uint8_t **salt, size_t *saltlen)
+{
+    const uint8_t *src;
+
+    /* Check prefix $y$j */
+    if (setting[0] != '$' || setting[1] != 'y' ||
+        setting[2] != '$' || setting[3] != 'j')
+        return NULL;
+
+    src = setting + 4;
+
+    src = decode64_uint32(N_log2, 6, src);
+    if (!src) return NULL;
+
+    src = decode64_uint32(r, 30, src);
+    if (!src) return NULL;
+
+    src = decode64_uint32(p, 30, src);
+    if (!src) return NULL;
+
+    src = decode64_uint32(t, 6, src);
+    if (!src) return NULL;
+
+    uint32_t f;
+    src = decode64_uint32(&f, 6, src);
+    if (!src) return NULL;
+    *flags = (yescrypt_flags_t)f;
+
+    if (*src != '$')
+        return NULL;
+    src++;
+
+    *salt = src;
+
+    /* Find end of salt */
+    const uint8_t *sEnd = (const uint8_t *)strchr((const char *)src, '$');
+    if (!sEnd)
+        return NULL;
+
+    *saltlen = sEnd - src;
+
+    return sEnd + 1; /* points past the trailing $ */
+}
+
+/* Public wrapper: decode params only (no salt output) for Ruby binding */
+const uint8_t *yescrypt_decode_params_ext(
+    const uint8_t *setting,
+    uint32_t *N_log2, uint32_t *r, uint32_t *p, uint32_t *t,
+    yescrypt_flags_t *flags)
+{
+    const uint8_t *salt;
+    size_t saltlen;
+    return yescrypt_decode_params(setting, N_log2, r, p, t, flags,
+        &salt, &saltlen);
+}
+
+/* Hash a password with yescrypt, crypt-style */
+uint8_t *yescrypt_r(
+    const yescrypt_shared_t *shared,
+    yescrypt_local_t *local,
+    const uint8_t *passwd, size_t passwdlen,
+    const uint8_t *setting,
+    uint8_t *buf, size_t buflen)
+{
+    uint32_t N_log2, r, p, t;
+    yescrypt_flags_t flags;
+    const uint8_t *salt_encoded;
+    size_t salt_encoded_len;
+    uint8_t salt_decoded[64];
+    size_t salt_decoded_len;
+    uint8_t dk[32];
+    uint8_t salt_buf[64];
+    uint8_t *dst;
+    size_t need;
+    uint8_t *retval = NULL;
+
+    memset(salt_decoded, 0, sizeof(salt_decoded));
+    memset(dk, 0, sizeof(dk));
+    memset(salt_buf, 0, sizeof(salt_buf));
+
+    if (!setting || !buf || buflen < 128)
+        return NULL;
+
+    /* Decode setting string */
+    const uint8_t *hash_pos = yescrypt_decode_params(
+        setting, &N_log2, &r, &p, &t, &flags,
+        &salt_encoded, &salt_encoded_len);
+    if (!hash_pos)
+        goto cleanup;
+
+    /* Reject unreasonable parameters from untrusted setting strings */
+    if (N_log2 < 1 || N_log2 > 24 || r < 1 || r > 256 || p < 1 || p > 256)
+        goto cleanup;
+
+    /* Decode the base64 salt */
+    salt_decoded_len = sizeof(salt_decoded);
+    if (salt_encoded_len >= sizeof(salt_buf))
+        goto cleanup;
+    memcpy(salt_buf, salt_encoded, salt_encoded_len);
+    salt_buf[salt_encoded_len] = '\0';
+    const uint8_t *dec_end = decode64(salt_decoded, &salt_decoded_len, salt_buf);
+    if (!dec_end)
+        goto cleanup;
+
+    /* Compute the hash */
+    yescrypt_params_t params;
+    params.flags = flags;
+    params.N = (uint64_t)1 << N_log2;
+    params.r = r;
+    params.p = p;
+    params.t = t;
+    params.g = 0;
+
+    if (yescrypt_kdf(shared, local, passwd, passwdlen,
+                     salt_decoded, salt_decoded_len, &params,
+                     dk, sizeof(dk)))
+        goto cleanup;
+
+    /* Build output: copy setting up to hash position, then encode hash */
+    need = (hash_pos - setting);
+    if (need + 64 > buflen)
+        goto cleanup;
+
+    memcpy(buf, setting, need);
+    dst = buf + need;
+
+    dst = encode64(dst, buflen - need, dk, sizeof(dk));
+    if (!dst)
+        goto cleanup;
+    *dst = '\0';
+
+    retval = buf;
+
+cleanup:
+    insecure_memzero(dk, sizeof(dk));
+    insecure_memzero(salt_decoded, sizeof(salt_decoded));
+    insecure_memzero(salt_buf, sizeof(salt_buf));
+
+    return retval;
+}