From f1ab9df7ee3a03e579fde535a9b7d16d789478e6 Mon Sep 17 00:00:00 2001
From: Adriaan de Groot
Date: Tue, 20 Jun 2017 04:39:04 -0400
Subject: [PATCH 1/3] Salt: improve saltiness.
---
 src/modules/users/SetPasswordJob.cpp | 51 ++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)
diff --git a/src/modules/users/SetPasswordJob.cpp b/src/modules/users/SetPasswordJob.cpp
index 79b3eeb26..d301bd23c 100644
--- a/src/modules/users/SetPasswordJob.cpp
+++ b/src/modules/users/SetPasswordJob.cpp
@@ -25,6 +25,7 @@
 #include
+#include
 #include
@@ -50,6 +51,53 @@ SetPasswordJob::prettyStatusMessage() const
 }
+/// Returns a modular hashing salt for method 6 (SHA512) with a 16 character random salt.
+QString
+make_salt(size_t length)
+{
+ Q_ASSERT(length >= 8);
+ Q_ASSERT(length <= 128);
+
+ static const char salt_chars[] = {
+ '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B',
+ 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
+ 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
+ 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r',
+ 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' };
+
+ static_assert( sizeof(salt_chars) == 64, "Missing salt_chars");
+
+ std::random_device r;
+ std::seed_seq seed{r(), r(), r(), r(), r(), r(), r(), r()};
+ std::mt19937_64 twister(seed);
+
+ std::uint64_t next;
+ size_t current_length = 0;
+
+ QString salt_string;
+ salt_string.reserve(length + 10);
+
+ while ( current_length < length )
+ {
+ next = twister();
+ // In 64 bits, we have 10 blocks of 6 bits; map each block of 6 bits
+ // to a single salt character.
+ for ( unsigned int char_count = 0; char_count < 10; ++char_count )
+ {
+ char c = salt_chars[next & 0b0111111];
+ next >>= 6;
+ salt_string.append( c );
+ if (++current_length >= length)
+ break;
+ }
+ }
+
+ salt_string.truncate( length );
+ salt_string.insert( 0, "$6$" );
+ salt_string.append( '$' );
+ return salt_string;
+}
+
 Calamares::JobResult
 SetPasswordJob::exec()
 {
@@ -75,8 +123,7 @@ SetPasswordJob::exec()
 QString encrypted = QString::fromLatin1( crypt( m_newPassword.toUtf8(),
- QString( "$6$%1$" )
- .arg( m_userName ).toUtf8() ) );
+ make_salt( 16 ).toUtf8() ) );
 int ec = CalamaresUtils::System::instance()-> targetEnvCall( { "usermod",
From de45f43640298a395ac76ea4ed1fbdcd22c2195b Mon Sep 17 00:00:00 2001
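Review bot: The length bounds in `make_salt` are enforced only by `Q_ASSERT`, which Qt compiles out when `QT_NO_DEBUG` is defined, so a release build would accept `make_salt( 0 )` and return the empty salt `$6$$`. A runtime clamp at the top of the function, `length = qBound< size_t >( 8, length, 16 );`, keeps the contract in every build; 16 rather than 128 because SHA-crypt uses at most 16 salt characters. The doc comment promises "a 16 character random salt" while the function takes `length`; `/// Returns a "$6$<salt>$" crypt() setting string with @p length random salt characters.` matches the code. `std::mt19937_64` is not a cryptographic generator, which is acceptable for a salt that only has to be unique, but a one-line comment saying so would keep the helper from being reused for secrets.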
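Review bot: The result of `crypt()` in the second hunk still goes straight into `QString::fromLatin1()` without a null check. crypt() returns a null pointer on failure and fromLatin1 turns that into a null QString, so the value handed on to the `usermod` call would presumably be an empty hash rather than an error (the remaining arguments of that call are outside the hunk). Checking first, `const char* hash = crypt( … );` followed by `if ( !hash ) return Calamares::JobResult::error( … );`, makes the job fail instead of writing an empty or unusable password field. exec() starts and ends outside the hunk.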
From: Adriaan de Groot
Date: Tue, 20 Jun 2017 17:18:12 -0400
Subject: [PATCH 2/3] Salt: add copyright info
---
 src/modules/users/SetPasswordJob.cpp | 3 ++-
 src/modules/users/SetPasswordJob.h | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/modules/users/SetPasswordJob.cpp b/src/modules/users/SetPasswordJob.cpp
index d301bd23c..bf3423347 100644
--- a/src/modules/users/SetPasswordJob.cpp
+++ b/src/modules/users/SetPasswordJob.cpp
@@ -1,6 +1,7 @@
 /* === This file is part of Calamares - ===
 *
 * Copyright 2014-2017, Teo Mrnjavac
+ * Copyright 2017, Adriaan de Groot
 *
 * Calamares is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -53,7 +54,7 @@ SetPasswordJob::prettyStatusMessage() const
 /// Returns a modular hashing salt for method 6 (SHA512) with a 16 character random salt.
 QString
-make_salt(size_t length)
+SetPasswordJob::make_salt(size_t length)
 {
 Q_ASSERT(length >= 8);
 Q_ASSERT(length <= 128);
diff --git a/src/modules/users/SetPasswordJob.h b/src/modules/users/SetPasswordJob.h
index f8e0c2447..45e99a57a 100644
--- a/src/modules/users/SetPasswordJob.h
+++ b/src/modules/users/SetPasswordJob.h
@@ -1,6 +1,7 @@
 /* === This file is part of Calamares - ===
 *
 * Copyright 2014-2015, Teo Mrnjavac
+ * Copyright 2017, Adriaan de Groot
 *
 * Calamares is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -32,6 +33,8 @@ public:
 QString prettyStatusMessage() const override;
 Calamares::JobResult exec() override;
+ static QString make_salt(size_t length);
+
 private:
 QString m_userName;
 QString m_newPassword;
From 9f526be19833b7ffcf8bc970e07e8fcba963de31 Mon Sep 17 00:00:00 2001
From: Adriaan de Groot
Date: Tue, 20 Jun 2017 17:43:50 -0400
Subject: [PATCH 3/3] Salt: add test for salt format
---
 src/modules/users/CMakeLists.txt | 25 ++++++++++++-
 src/modules/users/PasswordTests.cpp | 54 +++++++++++++++++++++++++++++
 src/modules/users/PasswordTests.h | 36 +++++++++++++++++++
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 src/modules/users/PasswordTests.cpp
 create mode 100644 src/modules/users/PasswordTests.h
diff --git a/src/modules/users/CMakeLists.txt b/src/modules/users/CMakeLists.txt
index b48390ee6..bd3798b8a 100644
--- a/src/modules/users/CMakeLists.txt
+++ b/src/modules/users/CMakeLists.txt
@@ -1,8 +1,16 @@
-include_directories( ${PROJECT_BINARY_DIR}/src/libcalamaresui )
+find_package(ECM 5.10.0 NO_MODULE)
+if( ECM_FOUND )
+ set(CMAKE_MODULE_PATH ${ECM_MODULE_PATH} ${CMAKE_MODULE_PATH})
+ include( ECMAddTests )
+endif()
+
+find_package( Qt5 COMPONENTS Core Test REQUIRED )
 list( APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMakeModules" )
 find_package( Crypt )
+include_directories( ${PROJECT_BINARY_DIR}/src/libcalamaresui )
+
 calamares_add_plugin( users TYPE viewmodule EXPORT_MACRO PLUGINDLLEXPORT_PRO
@@ -21,3 +29,18 @@ calamares_add_plugin( users
 ${CRYPT_LIBRARIES} SHARED_LIB )
+
+if( ECM_FOUND )
+ ecm_add_test(
+ PasswordTests.cpp
+ SetPasswordJob.cpp
+ TEST_NAME
+ passwordtest
+ LINK_LIBRARIES
+ ${CALAMARES_LIBRARIES}
+ Qt5::Core
+ Qt5::Test
+ ${CRYPT_LIBRARIES}
+ )
+ set_target_properties( passwordtest PROPERTIES AUTOMOC TRUE )
+endif()
diff --git a/src/modules/users/PasswordTests.cpp b/src/modules/users/PasswordTests.cpp
new file mode 100644
index 000000000..cb52e7ef7
--- /dev/null
+++ b/src/modules/users/PasswordTests.cpp
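Review bot: `find_package( Qt5 COMPONENTS Core Test REQUIRED )` in the first CMakeLists.txt hunk sits outside the `if( ECM_FOUND )` guard, so Qt5Test becomes a hard requirement for configuring the users module even when ECM is absent and no test is built. Moving that line inside the guard that wraps `ecm_add_test` in the second hunk keeps the test, and its dependency, optional. `find_package(ECM 5.10.0 NO_MODULE)` also has neither `QUIET` nor a status message, so a system without ECM gets a CMake warning but no statement that the password test is being skipped.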
@@ -0,0 +1,54 @@
+/* === This file is part of Calamares - ===
+ *
+ * Copyright 2017, Adriaan de Groot
+ *
+ * Calamares is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Calamares is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Calamares. If not, see .
+ */
+
+#include "SetPasswordJob.h"
+
+#include "PasswordTests.h"
+
+#include
+
+QTEST_GUILESS_MAIN( PasswordTests )
+
+PasswordTests::PasswordTests()
+{
+}
+
+PasswordTests::~PasswordTests()
+{
+}
+
+void
+PasswordTests::initTestCase()
+{
+}
+
+void
+PasswordTests::testSalt()
+{
+ QString s = SetPasswordJob::make_salt( 8 );
+ QCOMPARE( s.length(), 4 + 8 ); // 8 salt chars, plus $6$, plus trailing $
+ QVERIFY( s.startsWith( "$6$" ) );
+ QVERIFY( s.endsWith( '$' ) );
+ qDebug() << "Obtained salt" << s;
+
+ s = SetPasswordJob::make_salt( 11 );
+ QCOMPARE( s.length(), 4 + 11 );
+ QVERIFY( s.startsWith( "$6$" ) );
+ QVERIFY( s.endsWith( '$' ) );
+ qDebug() << "Obtained salt" << s;
+}
diff --git a/src/modules/users/PasswordTests.h b/src/modules/users/PasswordTests.h
new file mode 100644
index 000000000..5b51fd11f
--- /dev/null
+++ b/src/modules/users/PasswordTests.h
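Review bot: `testSalt` checks only the length and the `$6$` / `$` framing, so it would still pass if `make_salt` returned the same string on every call or used characters outside the crypt alphabet. Adding `QVERIFY( SetPasswordJob::make_salt( 16 ) != SetPasswordJob::make_salt( 16 ) );` and a check that the part between the delimiters matches `[./0-9A-Za-z]+` would pin the two properties that matter for a salt. The two `qDebug()` lines can go once the assertions cover the content.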
@@ -0,0 +1,36 @@
+/* === This file is part of Calamares - ===
+ *
+ * Copyright 2017, Adriaan de Groot
+ *
+ * Calamares is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Calamares is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Calamares. If not, see .
+ */
+
+#ifndef PASSWORDTESTS_H
+#define PASSWORDTESTS_H
+
+#include
+
+class PasswordTests : public QObject
+{
+ Q_OBJECT
+public:
+ PasswordTests();
+ ~PasswordTests() override;
+
+private Q_SLOTS:
+ void initTestCase();
+ void testSalt();
+};
+
+#endif