Full backend for scrypt with tests

.gitignore

@@ -63,6 +63,7 @@
 /test-crypt-md5
 /test-crypt-nthash
 /test-crypt-pbkdf1-sha1
+/test-crypt-scrypt
 /test-crypt-sha256
 /test-crypt-sha512
 /test-crypt-sunmd5

LICENSING

@@ -35,6 +35,9 @@ source tree.  For specific licensing terms consult the files themselves.
    alg-yescrypt.h, alg-yescrypt-opt.c, alg-yescrypt-sha256.c,
    alg-yescrypt-sha256.h, alg-yescrypt-sysendian.h
 
+ * Copyright Alexander Peslyak, Björn Esser; 0-clause BSD:
+   crypt-scrypt.c
+
  * Copyright Michael Bretterklieber, Björn Esser et al.; 2-clause BSD:
    crypt-nthash.c
 

Makefile.am

@@ -39,9 +39,8 @@ libcrypt_la_SOURCES = \
 	alg-yescrypt-sha256.c alg-yescrypt-common.c \
 	crypt.c crypt-bcrypt.c crypt-des.c crypt-gensalt-static.c \
 	crypt-gensalt.c crypt-md5.c crypt-nthash.c crypt-pbkdf1-sha1.c \
-	crypt-sha256.c crypt-sha512.c crypt-static.c crypt-sunmd5.c \
-	crypt-yescrypt.c randombytes.c
-
+	crypt-scrypt.c crypt-sha256.c crypt-sha512.c crypt-static.c \
+	crypt-sunmd5.c crypt-yescrypt.c randombytes.c
 
 EXTRA_DIST += yescrypt-platform.c
 
@@ -157,8 +156,8 @@ check_PROGRAMS = \
 	test-alg-sha1 test-alg-sha256 test-alg-sha512 \
 	test-crypt-bcrypt test-crypt-des \
 	test-crypt-md5 test-crypt-nthash \
-	test-crypt-pbkdf1-sha1 test-crypt-sha256 test-crypt-sha512 \
-	test-crypt-sunmd5 test-crypt-yescrypt \
+	test-crypt-pbkdf1-sha1 test-crypt-scrypt test-crypt-sha256 \
+	test-crypt-sha512 test-crypt-sunmd5 test-crypt-yescrypt \
 	test-byteorder test-badsalt test-badsetting test-gensalt \
 	test-crypt-badargs test-short-outbuf \
         test-getrandom-interface test-getrandom-fallbacks
@@ -192,15 +191,16 @@ LOG_COMPILER = m4/skip-if-exec-format-error
 endif
 EXTRA_DIST += m4/skip-if-exec-format-error
 
-test_crypt_yescrypt_LDADD = libcrypt.la
 test_crypt_bcrypt_LDADD = libcrypt.la
 test_crypt_des_LDADD = libcrypt.la
 test_crypt_md5_LDADD = libcrypt.la
 test_crypt_nthash_LDADD = libcrypt.la
 test_crypt_pbkdf1_sha1_LDADD = libcrypt.la
+test_crypt_scrypt_LDADD = libcrypt.la
 test_crypt_sha256_LDADD = libcrypt.la
 test_crypt_sha512_LDADD = libcrypt.la
 test_crypt_sunmd5_LDADD = libcrypt.la
+test_crypt_yescrypt_LDADD = libcrypt.la
 test_badsalt_LDADD = libcrypt.la
 test_badsetting_LDADD = libcrypt.la
 test_gensalt_LDADD = libcrypt.la

NEWS

@@ -5,6 +5,8 @@ Please send bug reports, questions and suggestions to
 
 Version 4.2.0
 * Implement yescrypt ($y$) and scrypt ($7$) hashing algorithms.
+* For scrypt the implemented gensalt function ensures every new hash
+  is computed using at least 32 MiBytes of RAM.
 
 Version 4.1.2
 * Add optional 'check-valgrind' target to the Makefile.

alg-yescrypt-common.c

@@ -20,7 +20,7 @@
 
 #include "crypt-port.h"
 
-#if INCLUDE_yescrypt
+#if INCLUDE_yescrypt || INCLUDE_scrypt
 
 #include <stdint.h>
 #include <string.h>
@@ -598,4 +598,4 @@ uint8_t *yescrypt_encode_params_r(const yescrypt_params_t *params,
 	return buf;
 }
 
-#endif /* INCLUDE_yescrypt */
+#endif /* INCLUDE_yescrypt || INCLUDE_scrypt */

alg-yescrypt-opt.c

@@ -30,7 +30,7 @@
 
 #include "crypt-port.h"
 
-#if INCLUDE_yescrypt
+#if INCLUDE_yescrypt || INCLUDE_scrypt
 
 #pragma GCC diagnostic ignored "-Wcast-align"
 #ifdef __clang__
@@ -1426,4 +1426,4 @@ int yescrypt_free_local(yescrypt_local_t *local)
 	return free_region(local);
 }
 
-#endif /* INCLUDE_yescrypt */
+#endif /* INCLUDE_yescrypt || INCLUDE_scrypt */

alg-yescrypt-sha256.c

@@ -27,7 +27,7 @@
 
 #include "crypt-port.h"
 
-#if INCLUDE_yescrypt
+#if INCLUDE_yescrypt || INCLUDE_scrypt
 
 #include <assert.h>
 #include <stdint.h>
@@ -649,4 +649,4 @@ PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
 	insecure_memzero(&u, sizeof(u));
 }
 
-#endif /* INCLUDE_yescrypt */
+#endif /* INCLUDE_yescrypt || INCLUDE_scrypt */

crypt-port.h

@@ -108,8 +108,8 @@ typedef union
   explicit_memset (s, 0x00, len)
 #else
 /* The best hope we have in this case.  */
-static inline
-void _xcrypt_secure_memset (void *s, size_t len)
+static inline void
+_xcrypt_secure_memset (void *s, size_t len)
 {
   volatile unsigned char *c = s;
   while (len--)
@@ -119,10 +119,25 @@ void _xcrypt_secure_memset (void *s, size_t len)
   _xcrypt_secure_memset (s, len)
 #endif
 
-/* Provide a safe way to copy strings.  */
-#define XCRYPT_STRCPY_OR_ABORT(dest, destsize, src) \
-  assert (destsize >= strlen ((const char *) src) + 1); \
-  memcpy (dest, src, strlen ((const char *) src) + 1)
+/* Provide a safe way to copy strings with the guarantee src,
+   including its terminating '\0', will fit d_size bytes.
+   The trailing bytes of d_size will be filled with '\0'.
+   dst and src must not be NULL.  Returns strlen (src).  */
+static inline size_t
+_xcrypt_strcpy_or_abort (char *dst, const size_t d_size,
+                         const char *src)
+{
+  assert (dst != NULL);
+  assert (src != NULL);
+  const size_t s_size = strlen (src);
+  assert (d_size >= s_size + 1);
+  memcpy (dst, src, s_size);
+  XCRYPT_SECURE_MEMSET (dst + s_size, d_size - s_size);
+  return s_size;
+}
+#define XCRYPT_STRCPY_OR_ABORT(dst, d_size, src) \
+  _xcrypt_strcpy_or_abort ((char *) dst, (const size_t) d_size, \
+                           (const char *) src)
 
 /* Per-symbol version tagging.  Currently we only know how to do this
    using GCC extensions.  */