sha-crypt: switch from rand to rand_core (#720)

Replaces the use of `Distribution` by first filling a buffer with random
bytes, then encoding it as Base64.

It seems the Base64 encoding is directly consumed by the algorithm, or
otherwise it would probably make sense to convert all usages of `salt`
to be raw bytes. That warrants further investigation.

Author: tarcieri

Cargo.lock

@@ -18,15 +18,15 @@ rust-version = "1.85"
 
 [dependencies]
 sha2 = { version = "0.11.0-rc.2", default-features = false }
+base64ct = { version = "1.7.1", default-features = false }
 
 # optional dependencies
-rand = { version = "0.9", optional = true }
+rand_core = { version = "0.9", optional = true, default-features = false, features = ["os_rng"] }
 subtle = { version = "2", optional = true, default-features = false }
-base64ct = "1.7.1"
 
 [features]
 default = ["simple"]
-simple = ["rand", "subtle"]
+simple = ["base64ct/alloc", "dep:rand_core", "dep:subtle"]
 
 [package.metadata.docs.rs]
 all-features = true

sha-crypt/Cargo.toml

@@ -14,10 +14,6 @@ pub const PW_SIZE_SHA512: usize = 86;
 #[cfg(feature = "simple")]
 pub const SALT_MAX_LEN: usize = 16;
 
-/// Encoding table.
-#[cfg(feature = "simple")]
-pub static TAB: &[u8] = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
 /// Inverse encoding map for SHA512.
 #[rustfmt::skip]
 pub const MAP_SHA512: [u8; 64] = [

sha-crypt/src/defs.rs

@@ -56,12 +56,10 @@ use sha2::{Digest, Sha256, Sha512};
 
 #[cfg(feature = "simple")]
 use {
-    crate::{
-        defs::{SALT_MAX_LEN, TAB},
-        errors::CheckError,
-    },
+    crate::{defs::SALT_MAX_LEN, errors::CheckError},
     alloc::string::ToString,
-    rand::{Rng, distr::Distribution},
+    base64ct::{Base64ShaCrypt, Encoding},
+    rand_core::{OsRng, RngCore, TryRngCore},
 };
 
 #[cfg(feature = "simple")]
@@ -317,13 +315,7 @@ pub fn sha256_crypt_b64(password: &[u8], salt: &[u8], params: &Sha256Params) ->
 /// [1]: https://www.akkadia.org/drepper/SHA-crypt.txt
 #[cfg(feature = "simple")]
 pub fn sha512_simple(password: &str, params: &Sha512Params) -> String {
-    let rng = rand::rng();
-
-    let salt: String = rng
-        .sample_iter(&ShaCryptDistribution)
-        .take(SALT_MAX_LEN)
-        .collect();
-
+    let salt = random_salt();
     let out = sha512_crypt(password.as_bytes(), salt.as_bytes(), params);
 
     let mut result = String::new();
@@ -352,13 +344,7 @@ pub fn sha512_simple(password: &str, params: &Sha512Params) -> String {
 /// [1]: https://www.akkadia.org/drepper/SHA-crypt.txt
 #[cfg(feature = "simple")]
 pub fn sha256_simple(password: &str, params: &Sha256Params) -> String {
-    let rng = rand::rng();
-
-    let salt: String = rng
-        .sample_iter(&ShaCryptDistribution)
-        .take(SALT_MAX_LEN)
-        .collect();
-
+    let salt = random_salt();
     let out = sha256_crypt(password.as_bytes(), salt.as_bytes(), params);
 
     let mut result = String::new();
@@ -528,21 +514,13 @@ pub fn sha256_check(password: &str, hashed_value: &str) -> Result<(), CheckError
     }
 }
 
+/// Generate a random salt that is 16-bytes long.
 #[cfg(feature = "simple")]
-#[derive(Debug)]
-struct ShaCryptDistribution;
-
-#[cfg(feature = "simple")]
-impl Distribution<char> for ShaCryptDistribution {
-    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> char {
-        const RANGE: u32 = 26 + 26 + 10 + 2; // 2 == "./"
-        loop {
-            let var = rng.next_u32() >> (32 - 6);
-            if var < RANGE {
-                return TAB[var as usize] as char;
-            }
-        }
-    }
+fn random_salt() -> String {
+    // Create buffer containing raw bytes to encode as Base64
+    let mut buf = [0u8; (SALT_MAX_LEN * 3).div_ceil(4)];
+    OsRng.unwrap_err().fill_bytes(&mut buf);
+    Base64ShaCrypt::encode_string(&buf)
 }
 
 fn produce_byte_seq(len: usize, fill_from: &[u8]) -> Vec<u8> {