feat(crypto): Add sha2 (based on crypt(3)) hashing algorithms (#59)

Adds crypt(3) style hashing and verifying for SHA-256 and SHA-512. Based on the information from passlib and https://www.akkadia.org/drepper/SHA-crypt.txt

Author: juriaankennedy

README.md

@@ -29,22 +29,24 @@ needs to be updated.
 ### Algorithms
 
 | Algorithm       | Identifiers                                                        | Secure             |
-|-----------------|--------------------------------------------------------------------| ------------------ |
+| --------------- | ------------------------------------------------------------------ | ------------------ |
 | [argon2][1]     | argon2i, argon2id                                                  | :heavy_check_mark: |
 | [bcrypt][2]     | 2, 2a, 2b, 2y                                                      | :heavy_check_mark: |
 | [md5-crypt][3]  | 1                                                                  | :x:                |
 | [md5 plain][4]  | Hex encoded string                                                 | :x:                |
 | [md5 salted][5] | md5salted-suffix,md5salted-prefix                                  | :x:                |
-| [scrypt][6]     | scrypt, 7                                                          | :heavy_check_mark: |
-| [pbkpdf2][7]    | pbkdf2, pbkdf2-sha224, pbkdf2-sha256, pbkdf2-sha384, pbkdf2-sha512 | :heavy_check_mark: |
+| [sha2-crypt][6] | 5, 6                                                               | :heavy_check_mark: |
+| [scrypt][7]     | scrypt, 7                                                          | :heavy_check_mark: |
+| [pbkpdf2][8]    | pbkdf2, pbkdf2-sha224, pbkdf2-sha256, pbkdf2-sha384, pbkdf2-sha512 | :heavy_check_mark: |
 
 [1]: https://pkg.go.dev/github.com/zitadel/passwap/argon2
 [2]: https://pkg.go.dev/github.com/zitadel/passwap/bcrypt
 [3]: https://pkg.go.dev/github.com/zitadel/passwap/md5
 [4]: https://pkg.go.dev/github.com/zitadel/passwap/md5plain
 [5]: https://pkg.go.dev/github.com/zitadel/passwap/md5salted
-[6]: https://pkg.go.dev/github.com/zitadel/passwap/scrypt
-[7]: https://pkg.go.dev/github.com/zitadel/passwap/pbkdf2
+[6]: https://pkg.go.dev/github.com/zitadel/passwap/sha2
+[7]: https://pkg.go.dev/github.com/zitadel/passwap/scrypt
+[8]: https://pkg.go.dev/github.com/zitadel/passwap/pbkdf2
 
 ### Encoding
 
@@ -139,6 +141,21 @@ $md5salted-suffix$kJ4QkJaQ$3EbD/pJddrq5HW3mpZ4KZ1
 
 There is no cost parameter for MD5 because MD5 is old and is considered too light and insecure. It is provided to verify and migrate to a better algorithm. Do not use for new hashes.
 
+### SHA2 crypt
+
+SHA2 Crypt shares its encoding scheme with MD5 Crypt, but uses SHA-256 or SHA-512 instead of MD5 and uses a different [hashing algorithm](https://www.akkadia.org/drepper/SHA-crypt.txt)
+The resulting Modular Crypt Format string looks as follows:
+
+```
+$5$rounds=5000$RPvilwjD1ebXJfzg$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5
+(1)   (2)           (3)                 (4)
+```
+
+1. The identifier is always `5` (SHA-256) or `6` (SHA-512)
+2. The cost parameter in rounds, which is a linear value - `5000` in this example. Note that according to the specification this part is optional (in which case the default of 5000 rounds will be used). In this implementation the rounds are always returned, even when they match the default
+3. Base64-like-encoded salt.
+4. Base64-like-encoded SHA-256/512 hash output of the password and salt combined.
+
 ### Scrypt
 
 Scrypt uses standard raw Base64 encoding (no padding) for the salt and hash.

internal/encoding/crypt3.go

@@ -0,0 +1,22 @@
+package encoding
+
+const crypt3Encoding = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+// crypt(3) uses a slightly different Base64 scheme. Also called hash64 in PassLib
+func EncodeCrypt3(raw []byte) []byte {
+	dest := make([]byte, 0, (len(raw)*8+6-1)/6)
+
+	v := uint(0)
+	bits := uint(0)
+
+	for _, b := range raw {
+		v |= (uint(b) << bits)
+
+		for bits = bits + 8; bits > 6; bits -= 6 {
+			dest = append(dest, crypt3Encoding[v&63])
+			v >>= 6
+		}
+	}
+	dest = append(dest, crypt3Encoding[v&63])
+	return dest
+}

internal/encoding/crypt3_test.go

@@ -0,0 +1,49 @@
+package encoding
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestEncodeCrypt3(t *testing.T) {
+	tests := []struct {
+		name string
+		raw  []byte
+		want []byte
+	}{
+		{
+			name: "Empty input",
+			raw:  []byte{},
+			want: []byte{'.'},
+		},
+		{
+			name: "Single byte",
+			raw:  []byte{255},
+			want: []byte{'z', '1'},
+		},
+		{
+			name: "Two bytes",
+			raw:  []byte{255, 255},
+			want: []byte{'z', 'z', 'D'},
+		},
+		{
+			name: "Three bytes",
+			raw:  []byte{255, 255, 255},
+			want: []byte{'z', 'z', 'z', 'z'},
+		},
+		{
+			name: "Patterned input",
+			raw:  []byte{0, 1, 2, 3, 4, 5, 6, 7},
+			want: []byte{'.', '2', 'U', '.', '1', 'E', 'E', '/', '4', 'Q', '.'},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := EncodeCrypt3(tt.raw)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("EncodeCrypt3() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

md5/md5.go

@@ -18,6 +18,7 @@ import (
 	"io"
 	"strings"
 
+	"github.com/zitadel/passwap/internal/encoding"
 	"github.com/zitadel/passwap/internal/salt"
 	"github.com/zitadel/passwap/verifier"
 )
@@ -29,29 +30,8 @@ const (
 	// Format of the Modular Crypt Format, as used by passlib.
 	// See https://passlib.readthedocs.io/en/stable/lib/passlib.hash.md5_crypt.html#format
 	Format = Prefix + "%s$%s"
-
-	// Encoding is the character set used for encoding salt and checksum.
-	Encoding = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 )
 
-func encode(raw []byte) []byte {
-	dest := make([]byte, 0, (len(raw)*8+6-1)/6)
-
-	v := uint(0)
-	bits := uint(0)
-
-	for _, b := range raw {
-		v |= (uint(b) << bits)
-
-		for bits = bits + 8; bits > 6; bits -= 6 {
-			dest = append(dest, Encoding[v&63])
-			v >>= 6
-		}
-	}
-	dest = append(dest, Encoding[v&63])
-	return dest
-}
-
 var swaps = [md5.Size]int{12, 6, 0, 13, 7, 1, 14, 8, 2, 15, 9, 3, 5, 10, 4, 11}
 
 // checksum implements https://passlib.readthedocs.io/en/stable/lib/passlib.hash.md5_crypt.html#algorithm
@@ -113,7 +93,7 @@ func checksum(password, salt []byte) []byte {
 		swapped[i] = hash[j]
 	}
 
-	return encode(swapped)
+	return encoding.EncodeCrypt3(swapped)
 }
 
 // 6 saltbytes result in 8 characters of encoded salt.
@@ -125,7 +105,7 @@ func hash(r io.Reader, password string) (string, error) {
 		return "", fmt.Errorf("md5: %w", err)
 	}
 
-	encSalt := encode(salt)
+	encSalt := encoding.EncodeCrypt3(salt)
 
 	checksum := checksum([]byte(password), encSalt)
 	return fmt.Sprintf(Format, encSalt, checksum), nil