I am uploading an NMU to DELAYED/10 in order to fix this.
diff -Nru libscrypt-1.21/Makefile libscrypt-1.22/Makefile
--- libscrypt-1.21/Makefile     2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/Makefile     2021-12-11 06:19:10.000000000 +0000
@@ -5,27 +5,28 @@
 INSTALL_DATA ?= install
 
 CC?=gcc
-CFLAGS?=-O2 -Wall -g -D_FORTIFY_SOURCE=2 -fstack-protector -fPIC
-LDFLAGS?=-Wl,-z,now -Wl,-z,relro -Wl,-soname,libscrypt.so.0 
-Wl,--version-script=libscrypt.version
-CFLAGS_EXTRA?=-Wl,-rpath=.
+CFLAGS?=$(CFLAGS_EXTRA) -D_FORTIFY_SOURCE=2 -fPIC
+LDFLAGS?=$(LDFLAGS_EXTRA) -Wl,-soname,libscrypt.so.0 
-Wl,--version-script=libscrypt.version
+CFLAGS_EXTRA?=-Wl,-rpath=. -O2 -Wall -g -fstack-protector
+LDFLAGS_EXTRA?=-Wl,-z,relro
 
 all: reference
 
 OBJS= crypto_scrypt-nosse.o sha256.o crypto-mcf.o b64.o 
crypto-scrypt-saltgen.o crypto_scrypt-check.o crypto_scrypt-hash.o slowequals.o
 
 libscrypt.so.0: $(OBJS) 
-       $(CC)  $(LDFLAGS) -shared -o libscrypt.so.0  $(OBJS) -lm -lc
+       $(CC) $(LDFLAGS) -shared -o libscrypt.so.0  $(OBJS) -lm -lc
        ar rcs libscrypt.a  $(OBJS)
 
 reference: libscrypt.so.0 main.o crypto_scrypt-hexconvert.o
        ln -s -f libscrypt.so.0 libscrypt.so
-       $(CC) -Wall -o reference main.o b64.o crypto_scrypt-hexconvert.o 
$(CFLAGS_EXTRA) -L.  -lscrypt
+       $(CC) -o reference main.o b64.o crypto_scrypt-hexconvert.o $(CFLAGS) 
$(LDFLAGS_EXTRA) -L.  -lscrypt
 
 clean:
        rm -f *.o reference libscrypt.so* libscrypt.a endian.h
 
 check: all
-       ./reference
+       LD_LIBRARY_PATH=. ./reference
 
 devtest:
        splint crypto_scrypt-hexconvert.c 
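Review bot: The new defaults drop `-Wl,-z,now`: `LDFLAGS_EXTRA?=-Wl,-z,relro` alone gives only partial RELRO, so lazily bound GOT entries in libscrypt.so.0 stay writable unless the builder adds the flag; `LDFLAGS_EXTRA?=-Wl,-z,relro -Wl,-z,now` would keep the 1.21 behaviour. `CFLAGS` and `LDFLAGS` are still assigned with `?=`, so a value from the environment or command line replaces the whole default, including `-fPIC`, `-D_FORTIFY_SOURCE=2`, the soname and the version script. The `debian/patches/fix-makefile` patch removed further down in this diff had turned both into `+=` and carried `-Wl,-z,now`, so it is worth confirming that the packaging now supplies these flags some other way. `CFLAGS_EXTRA` also still carries `-Wl,-rpath=.`, which reaches the `reference` link through `$(CFLAGS)`; now that `check` sets `LD_LIBRARY_PATH=.`, the relative rpath looks unnecessary and could be dropped.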
diff -Nru libscrypt-1.21/README.md libscrypt-1.22/README.md
--- libscrypt-1.21/README.md    2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/README.md    2021-12-11 06:19:10.000000000 +0000
@@ -62,6 +62,8 @@
 SCRYPT_* constants are probably a little high for something like a Raspberry 
pi. Using '1' as SCRYPT_p is acceptable from a security and performance 
standpoint if needed. 
 Experiments were performed with using memset() to zero out passwords as they 
were checked. This often caused issues with calling applications where the 
password based have been passed as a const*. We highly recommend implementing 
your own zeroing function the moment this library is called.
 
+There is apparently an issue when used on Samsung (and perhaps Android in 
general) devices. See [this 
issue](https://github.com/technion/libscrypt/issues/39) for more information.
+
 Notes on Code Development
 ------------------------
 
diff -Nru libscrypt-1.21/crypto-mcf.c libscrypt-1.22/crypto-mcf.c
--- libscrypt-1.21/crypto-mcf.c 2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/crypto-mcf.c 2021-12-11 06:19:10.000000000 +0000
@@ -1,14 +1,6 @@
 #include <stdlib.h>
-#include <string.h>
 #include <stdio.h>
 #include <stdint.h>
-#include <float.h>
-#include <stdint.h>
-#include <math.h>
-
-#ifndef S_SPLINT_S /* Including this here triggers a known bug in splint */
-#include <unistd.h>
-#endif
 
 #include "libscrypt.h"
 
@@ -70,4 +62,4 @@
                return 0;
 
        return 1;
-}      
+}
diff -Nru libscrypt-1.21/crypto-scrypt-saltgen.c 
libscrypt-1.22/crypto-scrypt-saltgen.c
--- libscrypt-1.21/crypto-scrypt-saltgen.c      2015-07-09 10:59:57.000000000 
+0000
+++ libscrypt-1.22/crypto-scrypt-saltgen.c      2021-12-11 06:19:10.000000000 
+0000
@@ -4,6 +4,10 @@
 #include <errno.h>
 #include <fcntl.h>
 
+/* Disable on Windows, there is no /dev/urandom.
+   Link-time error is better than runtime error. */
+#ifndef _WIN32
+
 #ifndef S_SPLINT_S /* Including this here triggers a known bug in splint */
 #include <unistd.h>
 #endif
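Review bot: The `#ifndef _WIN32` opened here is closed by a bare `#endif` at the very end of the file (second hunk), far from its opener; I would annotate it as `#endif /* !_WIN32 */`. The comment states the intent, a link-time failure instead of a runtime one, but if libscrypt.h still declares the salt generator unconditionally (not visible in this diff), Windows callers only find out at link time and get no hint that they must supply a salt from the platform CSPRNG themselves. A one-line note next to the declaration in the header would make that explicit. The guarded function body lies outside both hunks.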
@@ -46,3 +50,5 @@
 
        return 0;
 }
+
+#endif
diff -Nru libscrypt-1.21/debian/changelog libscrypt-1.22/debian/changelog
--- libscrypt-1.21/debian/changelog     2023-07-13 12:40:40.000000000 +0000
+++ libscrypt-1.22/debian/changelog     2024-05-28 19:45:33.000000000 +0000
@@ -1,3 +1,11 @@
+libscrypt (1.22-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * d/watch: Scan via GitHub API (Closes: #1061571).
+  * New upstream release (Closes: #1061570).
+
+ -- Bastian Germann <b...@debian.org>  Tue, 28 May 2024 21:45:33 +0200
+
 libscrypt (1.21-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libscrypt-1.21/debian/patches/fix-makefile 
libscrypt-1.22/debian/patches/fix-makefile
--- libscrypt-1.21/debian/patches/fix-makefile  2023-07-13 12:39:24.000000000 
+0000
+++ libscrypt-1.22/debian/patches/fix-makefile  1970-01-01 00:00:00.000000000 
+0000
@@ -1,21 +0,0 @@
-Description: Fix makefile flag handling
-Author: Tristan Seligmann <mithra...@debian.org>
-Origin: vendor
-Forwarded: no
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: libscrypt/Makefile
-===================================================================
---- libscrypt.orig/Makefile    2014-12-14 02:38:36.667099740 +0200
-+++ libscrypt/Makefile 2014-12-14 05:53:34.488194255 +0200
-@@ -5,8 +5,8 @@
- INSTALL_DATA ?= install
- 
- CC?=gcc
--CFLAGS?=-O2 -Wall -g -D_FORTIFY_SOURCE=2 -fstack-protector -fPIC
--LDFLAGS?=-Wl,-z,now -Wl,-z,relro -Wl,-soname,libscrypt.so.0 
-Wl,--version-script=libscrypt.version
-+CFLAGS += -Wall -fPIC
-+LDFLAGS += -Wl,-z,now -Wl,-soname,libscrypt.so.0 
-Wl,--version-script=libscrypt.version
- CFLAGS_EXTRA?=-Wl,-rpath=.
- 
- all: reference
diff -Nru libscrypt-1.21/debian/patches/series 
libscrypt-1.22/debian/patches/series
--- libscrypt-1.21/debian/patches/series        2023-07-13 12:39:24.000000000 
+0000
+++ libscrypt-1.22/debian/patches/series        1970-01-01 00:00:00.000000000 
+0000
@@ -1 +0,0 @@
-fix-makefile
diff -Nru libscrypt-1.21/debian/watch libscrypt-1.22/debian/watch
--- libscrypt-1.21/debian/watch 2023-07-13 12:39:24.000000000 +0000
+++ libscrypt-1.22/debian/watch 2024-05-28 19:39:07.000000000 +0000
@@ -1,3 +1,4 @@
-version=3
-https://github.com/technion/libscrypt/releases \
-.*[^n]/(?:|v|version-|version|release-|r|REL_|rel-|libscrypt(?:_|-))(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)
+version=4
+opts="filenamemangle=s%.*/@ANY_VERSION@%@PACKAGE@-$1.tar.gz%,searchmode=plain" 
\
+ https://api.github.com/repos/technion/libscrypt/tags?per_page=100 \
+ 
https://api.github.com/repos/technion/libscrypt/tarball/refs/tags/@ANY_VERSION@
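Review bot: Neither the old nor the new watch entry asks uscan to verify what it downloads, and the `tarball/refs/tags/` API endpoint serves an archive GitHub generates from the tag rather than an uploaded release artifact. If upstream signs its tags, switching to uscan's git mode with `pgpmode=gittag` would tie the imported source to upstream's key. Otherwise the available check is to compare the unpacked tree against the tagged commit when importing a new version.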
diff -Nru libscrypt-1.21/libscrypt.h libscrypt-1.22/libscrypt.h
--- libscrypt-1.21/libscrypt.h  2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/libscrypt.h  2021-12-11 06:19:10.000000000 +0000
@@ -66,7 +66,7 @@
    $pcL+DWle903AXcKJVwMffA== Salt is 16 bytes, or 24 in Base64
    
$dn+9ujljVc5JTJMC2fYu1ZEHdJyqYkOurmcrBQbMHUfnD6qxbTmNiR075ohNBZjvp66E2aV1pfOrmyNHUefjMg==
 Hash is 64 bytes, or 88 in Base64.
    Work order, salt and hash have separators (3)
-   3 + 6 + 24 + 88 + 3 + null byte = 25
+   3 + 6 + 24 + 88 + 3 + null byte = 125
    This is rounded up to a multiple of four for alignment
 */
 #define SCRYPT_MCF_LEN 128
diff -Nru libscrypt-1.21/sha256.c libscrypt-1.22/sha256.c
--- libscrypt-1.21/sha256.c     2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/sha256.c     2021-12-11 06:19:10.000000000 +0000
@@ -173,11 +173,6 @@
        /* 4. Mix local working variables into global state */
        for (i = 0; i < 8; i++)
                state[i] += S[i];
-
-       /* Clean the stack. */
-       memset(W, 0, 256);
-       memset(S, 0, 32);
-       t0 = t1 = 0;
 }
 
 static unsigned char PAD[64] = {
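Review bot: With the `memset` calls gone, the message schedule `W` and working state `S` are left on the stack when the transform returns, and the later hunks in this file do the same for `khash`, `ihash` and `PShctx`, which hold HMAC key-derived material. A plain `memset` just before return is a dead store that an optimising compiler may already have been eliding, so deleting it is understandable, but the wipe itself is still wanted in a password-hashing library. I would replace it rather than drop it, e.g. `explicit_bzero(khash, 32);` where the platform provides it, or a small wipe helper that writes through a volatile pointer otherwise. The affected function bodies start outside these hunks.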
@@ -320,9 +315,6 @@
        for (i = 0; i < Klen; i++)
                pad[i] ^= K[i];
        libscrypt_SHA256_Update(&ctx->octx, pad, 64);
-
-       /* Clean the stack. */
-       memset(khash, 0, 32);
 }
 
 /* Add bytes to the HMAC-SHA256 operation. */
@@ -348,9 +340,6 @@
 
        /* Finish the outer SHA256 operation. */
        libscrypt_SHA256_Final(digest, &ctx->octx);
-
-       /* Clean the stack. */
-       memset(ihash, 0, 32);
 }
 
 /**
@@ -405,7 +394,4 @@
                        clen = 32;
                memcpy(&buf[i * 32], T, clen);
        }
-
-       /* Clean PShctx, since we never called _Final on it. */
-       memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
 }
diff -Nru libscrypt-1.21/sha256.h libscrypt-1.22/sha256.h
--- libscrypt-1.21/sha256.h     2015-07-09 10:59:57.000000000 +0000
+++ libscrypt-1.22/sha256.h     2021-12-11 06:19:10.000000000 +0000
@@ -50,14 +50,14 @@
 /* Original declaration: 
  *     void    SHA256_Final(unsigned char [32], SHA256_CTX *);
 */
-void   libscrypt_SHA256_Final(/*@out@*/ unsigned char [], SHA256_CTX *);
+void   libscrypt_SHA256_Final(/*@out@*/ unsigned char [32], SHA256_CTX *);
 void   libscrypt_HMAC_SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t);
 void   libscrypt_HMAC_SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t);
 
 /* Original declaration:
  *     void    HMAC_SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *);
 */
-void   libscrypt_HMAC_SHA256_Final(unsigned char [], HMAC_SHA256_CTX *);
+void   libscrypt_HMAC_SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *);
 
 /**
  * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
