libxcrypt

Add sm3{,-yescrypt} backend and tests.

Open besser82 opened this issue 10 months ago • 4 comments

These hashing methods are useful in applications that need modern password hashing methods, but are required to rely on cryptographic properties that have been approved by the Chinese Office of State Commercial Cryptography Administration (OSCCA).

ShangMi 3 is a cryptographic hash function used in the Chinese National Standard. It was published by the National Cryptography Administration (Chinese: 国家密码管理局) on 2010-12-17 as "GM/T 0004-2012: SM3 cryptographic hash algorithm".

SM3 is used for implementing digital signatures, message authentication codes, and pseudorandom number generators. The algorithm is public and is considered similar to SHA-256 in security and efficiency. SM3 is also used with Transport Layer Security.

SM3 is defined in each of:

  • GM/T 0004-2012: SM3 cryptographic hash algorithm
  • GB/T 32905-2016: Information security techniques SM3 cryptographic hash algorithm
  • ISO/IEC 10118-3:2018: IT Security techniques—Hash-functions, Part 3: Dedicated hash-functions
  • IETF RFC draft-sca-cfrg-sm3-02

See: https://datatracker.ietf.org/doc/html/draft-sca-cfrg-sm3

sm3crypt is currently in active use by the EulerOS, Kylin, openEuler, and openKylin distributions.


The additionally - in hope of adaption by the aforementioned distributions - implemented sm3-yescrypt uses the output from the yescrypt hashing method in place of an HMAC message. Thus, the yescrypt crypto properties are superseded by the ShangMi 3 hash function with a 256-bit digest.


Fixes #188.

besser82, Feb 14 '25 11:02

Codecov Report

Attention: Patch coverage is 93.53100% with 24 lines in your changes missing coverage. Please review.

Project coverage is 90.44%. Comparing base (dbcfb01) to head (353e507). Report is 3 commits behind head on develop.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| lib/crypt-sm3-yescrypt.c | 75.71% | 11 Missing and 6 partials :warning: |
| lib/crypt-sm3.c | 93.57% | 5 Missing and 2 partials :warning: |

Additional details and impacted files
@@             Coverage Diff             @@
##           develop     #206      +/-   ##
===========================================
+ Coverage    90.15%   90.44%   +0.29%     
===========================================
  Files           32       36       +4     
  Lines         3626     3988     +362     
  Branches       689      747      +58     
===========================================
+ Hits          3269     3607     +338     
- Misses         226      242      +16     
- Partials       131      139       +8     


codecov[bot], Feb 14 '25 12:02

> The additionally - in hope of adaption by the aforementioned distributions - implemented sm3-yescrypt

While I did suggest this in #188, that was before I learned that the existing SHA-crypt based algorithm is already widely used. I have mixed feelings about us introducing an extra algorithm, even if better, given that these are only for standards compliance in China. I understand there's value not only for Chinese users in supporting the existing hashes that they use. Also, greater (even if indirect) usage of yescrypt may result in feedback that would help us improve yescrypt itself. So I don't mind.

Regarding testing, as I recall for gost-yescrypt back then I suggested to @vt-alt to manually run tests with yescrypt hacked to always return a constant. I suggest that you try the same here. This should show two things (to manually confirm):

  1. That the final hash value changes when yescrypt's return value is changed from the real hash to the constant. To confirm that the combined algorithm doesn't inadvertently ignore yescrypt.
  2. That the final hash value changes with input changes (so test with multiple different inputs, separately for password and salt) even when yescrypt hash fails to change. To confirm that the outer layer does provide (at least) basic hash properties on its own.

No need to have these tests in the tree (like we don't for gost-yescrypt). This is just something to confirm manually once.

Overall, I skimmed, but I'm not eager to spend a lot of my time on this PR. Thanks!

solardiz, Feb 15 '25 19:02
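
The two manual checks described in the comment above, as an added example that is not part of the thread or of libxcrypt's code. SHA-256 and PBKDF2 stand in for SM3 and yescrypt, and the outer-key derivation HMAC(H(password), salt) and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for illustration: SHA-256 stands in for SM3, PBKDF2 for yescrypt,
# and the outer HMAC key is derived as HMAC(H(password), salt).
H = hashlib.sha256

def inner_kdf(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the real inner password hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000, 32)

def constant_kdf(password: bytes, salt: bytes) -> bytes:
    """The 'hacked' inner hash from the procedure: always the same bytes."""
    return b"\x00" * 32

def outer_key(password: bytes, salt: bytes) -> bytes:
    return hmac.new(H(password).digest(), salt, H).digest()

def wrapped_hash(password, salt, kdf=inner_kdf):
    """Correct wrapper: inner output is the HMAC message, key binds pw and salt."""
    return hmac.new(outer_key(password, salt), kdf(password, salt), H).digest()

def ignores_inner(password, salt, kdf=inner_kdf):
    """Faulty on purpose: calls the inner hash but drops its result."""
    kdf(password, salt)
    return hmac.new(outer_key(password, salt), b"", H).digest()

def inner_only(password, salt, kdf=inner_kdf):
    """Faulty on purpose: outer key is fixed, so only the inner hash binds inputs."""
    return hmac.new(b"fixed key", kdf(password, salt), H).digest()

def check_wrapper(wrapper) -> dict:
    """Run both manual checks against one wrapper; True means the check passed."""
    pw, salt = b"constructed password", b"constructed-salt"
    # Check 1: replacing the real inner hash with the constant changes the result.
    uses_inner = wrapper(pw, salt, inner_kdf) != wrapper(pw, salt, constant_kdf)
    # Check 2: with the inner hash held constant, password and salt still matter.
    base = wrapper(pw, salt, constant_kdf)
    return {
        "uses_inner": uses_inner,
        "binds_password": wrapper(b"another password", salt, constant_kdf) != base,
        "binds_salt": wrapper(pw, b"another-salt", constant_kdf) != base,
    }

if __name__ == "__main__":
    for w in (wrapped_hash, ignores_inner, inner_only):
        print(w.__name__, check_wrapper(w))
```

Check 1 catches a wrapper that ignores the inner hash; check 2 catches one whose outer layer adds no binding of its own.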

> Regarding testing, as I recall for gost-yescrypt back then I suggested to @vt-alt to manually run tests with yescrypt hacked to always return a constant. I suggest that you try the same here. This should show two things (to manually confirm):
>
>   1. That the final hash value changes when yescrypt's return value is changed from the real hash to the constant. To confirm that the combined algorithm doesn't inadvertently ignore yescrypt.
>   2. That the final hash value changes with input changes (so test with multiple different inputs, separately for password and salt) even when yescrypt hash fails to change. To confirm that the outer layer does provide (at least) basic hash properties on its own.
>
> No need to have these tests in the tree (like we don't for gost-yescrypt). This is just something to confirm manually once.

Confirming the HMAC capsule works as intended.

besser82, Feb 15 '25 22:02

For the record: Request for hashcat supporting sm3crypt: https://github.com/hashcat/hashcat/issues/3987

besser82, Feb 15 '25 22:02

@besser82 We've had some requests to backport this for compat with other distros who are using it already. Could you consider a new release? Many thanks.

thesamesam, Oct 05 '25 04:10

> @besser82 We've had some requests to backport this for compat with other distros who are using it already. Could you consider a new release? Many thanks.

@thesamesam v4.5.0 just got released.

besser82, Nov 04 '25 12:11