Add support for timeconting in userland.

This diff exposes parts of clock_gettime(2) and gettimeofday(2) to
userland via libc eliberating processes from the need for a context
switch everytime they want to count the passage of time.

If a timecounter clock can be exposed to userland than it needs to set
its tc_user member to a non-zero value. Tested with one or multiple
counters per architecture.

The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands information
that is frequently updated by the kernel.

Timing differences between the last kernel update and the current time
are adjusted in userland by the tc_get_timecount() function inside the
MD usertc.c file.

This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is are able to fly
in Minecraft now).

Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others!

OK from at least kettenis@, cheloha@, naddy@, sthen@

Pull in <time.h> for clock_gettime()

ok deraadt@

increase the minimum for auto rounds to 6. that was the previous low bound
for login.conf, and we don't want to go lower.

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

The number of rounds is just two digits in the salt. We've already
verified that they are there via isdigit() so we can convert from
ASCII to an int without using atoi(). OK guenther@ deraadt@

standards compliant error return (null). will make ruby happier, at least.
ok deraadt jeremy

dial the time back to about 0.1s, closer to the original targets and
friendlier for users. requested by deraadt

rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
nor are they the same size.

stupid me. need errno.h

set errno = EINVAL for invalid salts and hashes in most functions.
remember to set EACCES in bcrypt_checkpass for hash differences.
the higher level crypt_checkpass function will reset errno to EACCES in
all cases, which is probably the right behavior, but this change gives code
working with the lower level functions the correct errno if they care.

convert clock() to clock_gettime() for improved precision (and accuracy?)
guenther suggested using thread time, which actually may improve accuracy
if somebody puts this in a threaded program.

copy bcrypt autotune from encrypt(1) and expose via crypt_newhash
ok deraadt miod

introduce a hashspace define and check that there's enough space to
write out a hash. also simplify writing out the hash.

From ISO/IEC 9899:1999 and 9899:201x,
6.11.5 - Storage-class specifiers:
The placement of a storage-class specifier other than at the
beginning of the declaration specifiers in a declaration is
an obsolescent feature.

Diff from Jean-Philippe Ouellet (jean-philippe (at) ouellet.biz)

Add missing header needed by isdigit().
While there, sort headers.

ok tedu@

fix stupid commit

use explicit_bzero

now that 5.5 has been released with compatibility for 2b hashes,
switch to generating them by default. prodded by deraadt and sthen

1. Drop support for no minor. This variant doesn't exist anymore.
2. Pull up the actual minor processing code into the switch that
parses it.
3. atoi is actually simpler than strtonum in this case, but check the
input beforehand so we don't get unexpected results.
4. Slightly more consistent style between various parse and check and
increment operations on salt.
ok deraadt

one small tweak to avoid ever going off the end of a string.

improved checking for invalid hashes. from solar designer

use char * for strings, saving casts. add return codes to base64 functions

oops, merge error

clear stack variables, suggested by djm

some improvements suggested by djm.
use better constant for salt size.
always copy ":" to gerror, in case somebody is dumb enough to overwrite it
timingsafe_bcmp before somebody whines about strcmp

two functions don't need to be exported

minimal change to implementation of bcrypt to not require static globals.
add some friendlier functions.
move the classic static data api into wrapper functions.
a few more changes to come...

switch to shorter ISC license. this was ok with Niels Provos.

consolidate the base64 code in one place, and remove inadequate test code

solar's testsuite revealed insufficient validation of invalid input hashes.
add a more complete check for the rounds parameter. ok deraadt

remove redundant test

sticking strlen into a char leads to wraparound at 256. fix this and
introduce a new 'b' hash minor. still generate 'a' minors for now.
reported by solar designer. diff by some combination of solar and jca.
ok deraadt

pseudo-code corrections from Solar Designer <solar@openwall.com>

arc4random_buf is the easy way to fill a buffer now. ok deraadt

Zero state buffers on return. OK deraadt@

Get rid of useless #if 0 block, especially since the code is included
immediately after.

OK millert@.

Change hard coded numbers to sizeof(buf). Also change some
sizeof(buf) - 1 to sizeof(buf), since fgets takes the whole buffer size.

Based on diff from Charles Longeau <chl at tuxfamily dot org> long ago.

OK millert@.

allocate gsalt large enough; from Matthew R. Dempsky <mrd at alkemio
dot org>; ok djm@ deraadt@

be more careful with atoi() result; ok otto

Test the upper limit for the max # of rounds to, to avoid wrapping and ending
up with a low number of rounds. Spotted by mpech@; ok mpech@ millert@

ansi

protos

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

grammer/spelling

return error if salt is too small; pr 1336

fix base64 encoding, this problem was reported by
Solar Designer <solar@false.com> some time ago.

#if __STDC__ -> #ifdef __STDC__, now all of them.

indentation cleanup

#if __STDC__ --> #ifdef __STDC__

tabify

Clean up some -Wall flowers.

fix that repeating passwords yield same hash + increment minor

Be more careful about possible type promotion

yet another random() converted to arc4random()

prelim manpage, cleanup, fixed crippled plaintext: sed does a nice
job on replacing everything, just wouldnt skip it

header update

password hashing algorithm using blowfish

Pull in <time.h> for clock_gettime()

ok deraadt@

increase the minimum for auto rounds to 6. that was the previous low bound
for login.conf, and we don't want to go lower.

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

The number of rounds is just two digits in the salt. We've already
verified that they are there via isdigit() so we can convert from
ASCII to an int without using atoi(). OK guenther@ deraadt@

standards compliant error return (null). will make ruby happier, at least.
ok deraadt jeremy

dial the time back to about 0.1s, closer to the original targets and
friendlier for users. requested by deraadt

rename blocks to words. bcrypt "blocks" are unrelated to blowfish blocks,
nor are they the same size.

stupid me. need errno.h

set errno = EINVAL for invalid salts and hashes in most functions.
remember to set EACCES in bcrypt_checkpass for hash differences.
the higher level crypt_checkpass function will reset errno to EACCES in
all cases, which is probably the right behavior, but this change gives code
working with the lower level functions the correct errno if they care.

convert clock() to clock_gettime() for improved precision (and accuracy?)
guenther suggested using thread time, which actually may improve accuracy
if somebody puts this in a threaded program.

copy bcrypt autotune from encrypt(1) and expose via crypt_newhash
ok deraadt miod

introduce a hashspace define and check that there's enough space to
write out a hash. also simplify writing out the hash.

From ISO/IEC 9899:1999 and 9899:201x,
6.11.5 - Storage-class specifiers:
The placement of a storage-class specifier other than at the
beginning of the declaration specifiers in a declaration is
an obsolescent feature.

Diff from Jean-Philippe Ouellet (jean-philippe (at) ouellet.biz)

Add missing header needed by isdigit().
While there, sort headers.

ok tedu@

fix stupid commit

use explicit_bzero

now that 5.5 has been released with compatibility for 2b hashes,
switch to generating them by default. prodded by deraadt and sthen

1. Drop support for no minor. This variant doesn't exist anymore.
2. Pull up the actual minor processing code into the switch that
parses it.
3. atoi is actually simpler than strtonum in this case, but check the
input beforehand so we don't get unexpected results.
4. Slightly more consistent style between various parse and check and
increment operations on salt.
ok deraadt

one small tweak to avoid ever going off the end of a string.

improved checking for invalid hashes. from solar designer

use char * for strings, saving casts. add return codes to base64 functions

oops, merge error

clear stack variables, suggested by djm

some improvements suggested by djm.
use better constant for salt size.
always copy ":" to gerror, in case somebody is dumb enough to overwrite it
timingsafe_bcmp before somebody whines about strcmp

two functions don't need to be exported

minimal change to implementation of bcrypt to not require static globals.
add some friendlier functions.
move the classic static data api into wrapper functions.
a few more changes to come...

switch to shorter ISC license. this was ok with Niels Provos.

consolidate the base64 code in one place, and remove inadequate test code

solar's testsuite revealed insufficient validation of invalid input hashes.
add a more complete check for the rounds parameter. ok deraadt

remove redundant test

sticking strlen into a char leads to wraparound at 256. fix this and
introduce a new 'b' hash minor. still generate 'a' minors for now.
reported by solar designer. diff by some combination of solar and jca.
ok deraadt

pseudo-code corrections from Solar Designer <solar@openwall.com>

arc4random_buf is the easy way to fill a buffer now. ok deraadt

Zero state buffers on return. OK deraadt@

Get rid of useless #if 0 block, especially since the code is included
immediately after.

OK millert@.

Change hard coded numbers to sizeof(buf). Also change some
sizeof(buf) - 1 to sizeof(buf), since fgets takes the whole buffer size.

Based on diff from Charles Longeau <chl at tuxfamily dot org> long ago.

OK millert@.

allocate gsalt large enough; from Matthew R. Dempsky <mrd at alkemio
dot org>; ok djm@ deraadt@

be more careful with atoi() result; ok otto

Test the upper limit for the max # of rounds to, to avoid wrapping and ending
up with a low number of rounds. Spotted by mpech@; ok mpech@ millert@

ansi

protos

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

grammer/spelling

return error if salt is too small; pr 1336

fix base64 encoding, this problem was reported by
Solar Designer <solar@false.com> some time ago.

#if __STDC__ -> #ifdef __STDC__, now all of them.

indentation cleanup

#if __STDC__ --> #ifdef __STDC__

tabify

Clean up some -Wall flowers.

fix that repeating passwords yield same hash + increment minor

Be more careful about possible type promotion

yet another random() converted to arc4random()

prelim manpage, cleanup, fixed crippled plaintext: sed does a nice
job on replacing everything, just wouldnt skip it

header update

password hashing algorithm using blowfish