search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Adding upstream version 3.61.
[syslinux-debian/hramrach.git] / com32 / libutil / sha256crypt.c
blob938e94737f3f24fb1185bc089ca5ea36621a744c
1 /* SHA256-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdint.h>
9 #include <stdbool.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16
17 /* Structure to save state of computation between the single steps. */
18 struct sha256_ctx
19 {
20 uint32_t H[8];
21
22 uint32_t total[2];
23 uint32_t buflen;
24 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
25 };
26
27
28 #if __BYTE_ORDER == __LITTLE_ENDIAN
29 # define SWAP(n) \
30 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
31 #else
32 # define SWAP(n) (n)
33 #endif
34
35
36 /* This array contains the bytes used to pad the buffer to the next
37 64-byte boundary. (FIPS 180-2:5.1.1) */
38 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
39
40
41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
42 static const uint32_t K[64] =
43 {
44 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
45 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
46 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
47 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
48 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
49 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
50 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
51 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
52 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
53 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
54 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
55 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
56 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
57 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
58 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
59 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
60 };
61
62
63 /* Process LEN bytes of BUFFER, accumulating context into CTX.
64 It is assumed that LEN % 64 == 0. */
65 static void
66 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
67 {
68 unsigned int t;
69 const uint32_t *words = buffer;
70 size_t nwords = len / sizeof (uint32_t);
71 uint32_t a = ctx->H[0];
72 uint32_t b = ctx->H[1];
73 uint32_t c = ctx->H[2];
74 uint32_t d = ctx->H[3];
75 uint32_t e = ctx->H[4];
76 uint32_t f = ctx->H[5];
77 uint32_t g = ctx->H[6];
78 uint32_t h = ctx->H[7];
79
80 /* First increment the byte count. FIPS 180-2 specifies the possible
81 length of the file up to 2^64 bits. Here we only compute the
82 number of bytes. Do a double word increment. */
83 ctx->total[0] += len;
84 if (ctx->total[0] < len)
85 ++ctx->total[1];
86
87 /* Process all bytes in the buffer with 64 bytes in each round of
88 the loop. */
89 while (nwords > 0)
90 {
91 uint32_t W[64];
92 uint32_t a_save = a;
93 uint32_t b_save = b;
94 uint32_t c_save = c;
95 uint32_t d_save = d;
96 uint32_t e_save = e;
97 uint32_t f_save = f;
98 uint32_t g_save = g;
99 uint32_t h_save = h;
100
101 /* Operators defined in FIPS 180-2:4.1.2. */
102 #define Ch(x, y, z) ((x & y) ^ (~x & z))
103 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
104 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
105 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
106 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
107 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
108
109 /* It is unfortunate that C does not provide an operator for
110 cyclic rotation. Hope the C compiler is smart enough. */
111 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
112
113 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
114 for (t = 0; t < 16; ++t)
115 {
116 W[t] = SWAP (*words);
117 ++words;
118 }
119 for (t = 16; t < 64; ++t)
120 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
121
122 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
123 for (t = 0; t < 64; ++t)
124 {
125 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
126 uint32_t T2 = S0 (a) + Maj (a, b, c);
127 h = g;
128 g = f;
129 f = e;
130 e = d + T1;
131 d = c;
132 c = b;
133 b = a;
134 a = T1 + T2;
135 }
136
137 /* Add the starting values of the context according to FIPS 180-2:6.2.2
138 step 4. */
139 a += a_save;
140 b += b_save;
141 c += c_save;
142 d += d_save;
143 e += e_save;
144 f += f_save;
145 g += g_save;
146 h += h_save;
147
148 /* Prepare for the next round. */
149 nwords -= 16;
150 }
151
152 /* Put checksum in context given as argument. */
153 ctx->H[0] = a;
154 ctx->H[1] = b;
155 ctx->H[2] = c;
156 ctx->H[3] = d;
157 ctx->H[4] = e;
158 ctx->H[5] = f;
159 ctx->H[6] = g;
160 ctx->H[7] = h;
161 }
162
163
164 /* Initialize structure containing state of computation.
165 (FIPS 180-2:5.3.2) */
166 static void
167 sha256_init_ctx (struct sha256_ctx *ctx)
168 {
169 ctx->H[0] = 0x6a09e667;
170 ctx->H[1] = 0xbb67ae85;
171 ctx->H[2] = 0x3c6ef372;
172 ctx->H[3] = 0xa54ff53a;
173 ctx->H[4] = 0x510e527f;
174 ctx->H[5] = 0x9b05688c;
175 ctx->H[6] = 0x1f83d9ab;
176 ctx->H[7] = 0x5be0cd19;
177
178 ctx->total[0] = ctx->total[1] = 0;
179 ctx->buflen = 0;
180 }
181
182
183 /* Process the remaining bytes in the internal buffer and the usual
184 prolog according to the standard and write the result to RESBUF.
185
186 IMPORTANT: On some systems it is required that RESBUF is correctly
187 aligned for a 32 bits value. */
188 static void *
189 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
190 {
191 unsigned int i;
192 /* Take yet unprocessed bytes into account. */
193 uint32_t bytes = ctx->buflen;
194 size_t pad;
195
196 /* Now count remaining bytes. */
197 ctx->total[0] += bytes;
198 if (ctx->total[0] < bytes)
199 ++ctx->total[1];
200
201 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
202 memcpy (&ctx->buffer[bytes], fillbuf, pad);
203
204 /* Put the 64-bit file length in *bits* at the end of the buffer. */
205 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
206 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
207 (ctx->total[0] >> 29));
208
209 /* Process last bytes. */
210 sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
211
212 /* Put result from CTX in first 32 bytes following RESBUF. */
213 for (i = 0; i < 8; ++i)
214 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
215
216 return resbuf;
217 }
218
219
220 static void
221 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
222 {
223 /* When we already have some bits in our internal buffer concatenate
224 both inputs first. */
225 if (ctx->buflen != 0)
226 {
227 size_t left_over = ctx->buflen;
228 size_t add = 128 - left_over > len ? len : 128 - left_over;
229
230 memcpy (&ctx->buffer[left_over], buffer, add);
231 ctx->buflen += add;
232
233 if (ctx->buflen > 64)
234 {
235 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
236
237 ctx->buflen &= 63;
238 /* The regions in the following copy operation cannot overlap. */
239 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
240 ctx->buflen);
241 }
242
243 buffer = (const char *) buffer + add;
244 len -= add;
245 }
246
247 /* Process available complete blocks. */
248 if (len >= 64)
249 {
250 /* To check alignment gcc has an appropriate operator. Other
251 compilers don't. */
252 #if __GNUC__ >= 2
253 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
254 #else
255 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
256 #endif
257 if (UNALIGNED_P (buffer))
258 while (len > 64)
259 {
260 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
261 buffer = (const char *) buffer + 64;
262 len -= 64;
263 }
264 else
265 {
266 sha256_process_block (buffer, len & ~63, ctx);
267 buffer = (const char *) buffer + (len & ~63);
268 len &= 63;
269 }
270 }
271
272 /* Move remaining bytes into internal buffer. */
273 if (len > 0)
274 {
275 size_t left_over = ctx->buflen;
276
277 memcpy (&ctx->buffer[left_over], buffer, len);
278 left_over += len;
279 if (left_over >= 64)
280 {
281 sha256_process_block (ctx->buffer, 64, ctx);
282 left_over -= 64;
283 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
284 }
285 ctx->buflen = left_over;
286 }
287 }
288
289
290 /* Define our magic string to mark salt for SHA256 "encryption"
291 replacement. */
292 static const char sha256_salt_prefix[] = "$5$";
293
294 /* Prefix for optional rounds specification. */
295 static const char sha256_rounds_prefix[] = "rounds=";
296
297 /* Maximum salt string length. */
298 #define SALT_LEN_MAX 16
299 /* Default number of rounds if not explicitly specified. */
300 #define ROUNDS_DEFAULT 5000
301 /* Minimum number of rounds. */
302 #define ROUNDS_MIN 1000
303 /* Maximum number of rounds. */
304 #define ROUNDS_MAX 999999999
305
306 /* Table with characters for base64 transformation. */
307 static const char b64t[64] =
308 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
309
310
311 static char *
312 sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
313 {
314 unsigned char alt_result[32]
315 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
316 unsigned char temp_result[32]
317 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
318 struct sha256_ctx ctx;
319 struct sha256_ctx alt_ctx;
320 size_t salt_len;
321 size_t key_len;
322 size_t cnt;
323 char *cp;
324 char *copied_key = NULL;
325 char *copied_salt = NULL;
326 char *p_bytes;
327 char *s_bytes;
328 /* Default number of rounds. */
329 size_t rounds = ROUNDS_DEFAULT;
330 bool rounds_custom = false;
331
332 /* Find beginning of salt string. The prefix should normally always
333 be present. Just in case it is not. */
334 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
335 /* Skip salt prefix. */
336 salt += sizeof (sha256_salt_prefix) - 1;
337
338 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
339 == 0)
340 {
341 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
342 char *endp;
343 unsigned long int srounds = strtoul (num, &endp, 10);
344 if (*endp == '$')
345 {
346 salt = endp + 1;
347 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
348 rounds_custom = true;
349 }
350 }
351
352 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
353 key_len = strlen (key);
354
355 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
356 {
357 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
358 key = copied_key =
359 memcpy (tmp + __alignof__ (uint32_t)
360 - (tmp - (char *) 0) % __alignof__ (uint32_t),
361 key, key_len);
362 }
363
364 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
365 {
366 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
367 salt = copied_salt =
368 memcpy (tmp + __alignof__ (uint32_t)
369 - (tmp - (char *) 0) % __alignof__ (uint32_t),
370 salt, salt_len);
371 }
372
373 /* Prepare for the real work. */
374 sha256_init_ctx (&ctx);
375
376 /* Add the key string. */
377 sha256_process_bytes (key, key_len, &ctx);
378
379 /* The last part is the salt string. This must be at most 8
380 characters and it ends at the first `$' character (for
381 compatibility with existing implementations). */
382 sha256_process_bytes (salt, salt_len, &ctx);
383
384
385 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
386 final result will be added to the first context. */
387 sha256_init_ctx (&alt_ctx);
388
389 /* Add key. */
390 sha256_process_bytes (key, key_len, &alt_ctx);
391
392 /* Add salt. */
393 sha256_process_bytes (salt, salt_len, &alt_ctx);
394
395 /* Add key again. */
396 sha256_process_bytes (key, key_len, &alt_ctx);
397
398 /* Now get result of this (32 bytes) and add it to the other
399 context. */
400 sha256_finish_ctx (&alt_ctx, alt_result);
401
402 /* Add for any character in the key one byte of the alternate sum. */
403 for (cnt = key_len; cnt > 32; cnt -= 32)
404 sha256_process_bytes (alt_result, 32, &ctx);
405 sha256_process_bytes (alt_result, cnt, &ctx);
406
407 /* Take the binary representation of the length of the key and for every
408 1 add the alternate sum, for every 0 the key. */
409 for (cnt = key_len; cnt > 0; cnt >>= 1)
410 if ((cnt & 1) != 0)
411 sha256_process_bytes (alt_result, 32, &ctx);
412 else
413 sha256_process_bytes (key, key_len, &ctx);
414
415 /* Create intermediate result. */
416 sha256_finish_ctx (&ctx, alt_result);
417
418 /* Start computation of P byte sequence. */
419 sha256_init_ctx (&alt_ctx);
420
421 /* For every character in the password add the entire password. */
422 for (cnt = 0; cnt < key_len; ++cnt)
423 sha256_process_bytes (key, key_len, &alt_ctx);
424
425 /* Finish the digest. */
426 sha256_finish_ctx (&alt_ctx, temp_result);
427
428 /* Create byte sequence P. */
429 cp = p_bytes = alloca (key_len);
430 for (cnt = key_len; cnt >= 32; cnt -= 32)
431 cp = mempcpy (cp, temp_result, 32);
432 memcpy (cp, temp_result, cnt);
433
434 /* Start computation of S byte sequence. */
435 sha256_init_ctx (&alt_ctx);
436
437 /* For every character in the password add the entire password. */
438 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
439 sha256_process_bytes (salt, salt_len, &alt_ctx);
440
441 /* Finish the digest. */
442 sha256_finish_ctx (&alt_ctx, temp_result);
443
444 /* Create byte sequence S. */
445 cp = s_bytes = alloca (salt_len);
446 for (cnt = salt_len; cnt >= 32; cnt -= 32)
447 cp = mempcpy (cp, temp_result, 32);
448 memcpy (cp, temp_result, cnt);
449
450 /* Repeatedly run the collected hash value through SHA256 to burn
451 CPU cycles. */
452 for (cnt = 0; cnt < rounds; ++cnt)
453 {
454 /* New context. */
455 sha256_init_ctx (&ctx);
456
457 /* Add key or last result. */
458 if ((cnt & 1) != 0)
459 sha256_process_bytes (p_bytes, key_len, &ctx);
460 else
461 sha256_process_bytes (alt_result, 32, &ctx);
462
463 /* Add salt for numbers not divisible by 3. */
464 if (cnt % 3 != 0)
465 sha256_process_bytes (s_bytes, salt_len, &ctx);
466
467 /* Add key for numbers not divisible by 7. */
468 if (cnt % 7 != 0)
469 sha256_process_bytes (p_bytes, key_len, &ctx);
470
471 /* Add key or last result. */
472 if ((cnt & 1) != 0)
473 sha256_process_bytes (alt_result, 32, &ctx);
474 else
475 sha256_process_bytes (p_bytes, key_len, &ctx);
476
477 /* Create intermediate result. */
478 sha256_finish_ctx (&ctx, alt_result);
479 }
480
481 /* Now we can construct the result string. It consists of three
482 parts. */
483 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
484 buflen -= sizeof (sha256_salt_prefix) - 1;
485
486 if (rounds_custom)
487 {
488 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
489 sha256_rounds_prefix, rounds);
490 cp += n;
491 buflen -= n;
492 }
493
494 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
495 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
496
497 if (buflen > 0)
498 {
499 *cp++ = '$';
500 --buflen;
501 }
502
503 #define b64_from_24bit(B2, B1, B0, N) \
504 do { \
505 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
506 int n = (N); \
507 while (n-- > 0 && buflen > 0) \
508 { \
509 *cp++ = b64t[w & 0x3f]; \
510 --buflen; \
511 w >>= 6; \
512 } \
513 } while (0)
514
515 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
516 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
517 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
518 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
519 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
520 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
521 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
522 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
523 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
524 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
525 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
526 if (buflen <= 0)
527 {
528 errno = ERANGE;
529 buffer = NULL;
530 }
531 else
532 *cp = '\0'; /* Terminate the string. */
533
534 /* Clear the buffer for the intermediate result so that people
535 attaching to processes or reading core dumps cannot get any
536 information. We do it in this way to clear correct_words[]
537 inside the SHA256 implementation as well. */
538 sha256_init_ctx (&ctx);
539 sha256_finish_ctx (&ctx, alt_result);
540 memset (temp_result, '\0', sizeof (temp_result));
541 memset (p_bytes, '\0', key_len);
542 memset (s_bytes, '\0', salt_len);
543 memset (&ctx, '\0', sizeof (ctx));
544 memset (&alt_ctx, '\0', sizeof (alt_ctx));
545 if (copied_key != NULL)
546 memset (copied_key, '\0', key_len);
547 if (copied_salt != NULL)
548 memset (copied_salt, '\0', salt_len);
549
550 return buffer;
551 }
552
553
554 /* This entry point is equivalent to the `crypt' function in Unix
555 libcs. */
556 char *
557 sha256_crypt (const char *key, const char *salt)
558 {
559 /* We don't want to have an arbitrary limit in the size of the
560 password. We can compute an upper bound for the size of the
561 result in advance and so we can prepare the buffer we pass to
562 `sha256_crypt_r'. */
563 static char *buffer;
564 static int buflen;
565 int needed = (sizeof (sha256_salt_prefix) - 1
566 + sizeof (sha256_rounds_prefix) + 9 + 1
567 + strlen (salt) + 1 + 43 + 1);
568
569 if (buflen < needed)
570 {
571 char *new_buffer = (char *) realloc (buffer, needed);
572 if (new_buffer == NULL)
573 return NULL;
574
575 buffer = new_buffer;
576 buflen = needed;
577 }
578
579 return sha256_crypt_r (key, salt, buffer, buflen);
580 }
581
582
583 #ifdef TEST
584 static const struct
585 {
586 const char *input;
587 const char result[32];
588 } tests[] =
589 {
590 /* Test vectors from FIPS 180-2: appendix B.1. */
591 { "abc",
592 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
593 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
594 /* Test vectors from FIPS 180-2: appendix B.2. */
595 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
596 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
597 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
598 /* Test vectors from the NESSIE project. */
599 { "",
600 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
601 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
602 { "a",
603 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
604 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
605 { "message digest",
606 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
607 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
608 { "abcdefghijklmnopqrstuvwxyz",
609 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
610 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
611 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
612 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
613 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
614 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
615 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
616 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
617 { "123456789012345678901234567890123456789012345678901234567890"
618 "12345678901234567890",
619 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
620 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
621 };
622 #define ntests (sizeof (tests) / sizeof (tests[0]))
623
624
625 static const struct
626 {
627 const char *salt;
628 const char *input;
629 const char *expected;
630 } tests2[] =
631 {
632 { "$5$saltstring", "Hello world!",
633 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
634 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
635 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
636 "opqey6IcA" },
637 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
638 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
639 "mGRcvxa5" },
640 { "$5$rounds=1400$anotherlongsaltstring",
641 "a very much longer text to encrypt. This one even stretches over more"
642 "than one line.",
643 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
644 "oP84Bnq1" },
645 { "$5$rounds=77777$short",
646 "we have a short salt string but not a short password",
647 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
648 { "$5$rounds=123456$asaltof16chars..", "a short string",
649 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
650 "cZKmF/wJvD" },
651 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
652 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
653 "2bIC" },
654 };
655 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
656
657
658 int
659 main (void)
660 {
661 struct sha256_ctx ctx;
662 char sum[32];
663 int result = 0;
664 int cnt;
665
666 for (cnt = 0; cnt < (int) ntests; ++cnt)
667 {
668 sha256_init_ctx (&ctx);
669 sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
670 sha256_finish_ctx (&ctx, sum);
671 if (memcmp (tests[cnt].result, sum, 32) != 0)
672 {
673 printf ("test %d run %d failed\n", cnt, 1);
674 result = 1;
675 }
676
677 sha256_init_ctx (&ctx);
678 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
679 sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
680 sha256_finish_ctx (&ctx, sum);
681 if (memcmp (tests[cnt].result, sum, 32) != 0)
682 {
683 printf ("test %d run %d failed\n", cnt, 2);
684 result = 1;
685 }
686 }
687
688 /* Test vector from FIPS 180-2: appendix B.3. */
689 char buf[1000];
690 memset (buf, 'a', sizeof (buf));
691 sha256_init_ctx (&ctx);
692 for (int i = 0; i < 1000; ++i)
693 sha256_process_bytes (buf, sizeof (buf), &ctx);
694 sha256_finish_ctx (&ctx, sum);
695 static const char expected[32] =
696 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
697 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
698 if (memcmp (expected, sum, 32) != 0)
699 {
700 printf ("test %d failed\n", cnt);
701 result = 1;
702 }
703
704 for (cnt = 0; cnt < ntests2; ++cnt)
705 {
706 char *cp = sha256_crypt (tests2[cnt].input, tests2[cnt].salt);
707
708 if (strcmp (cp, tests2[cnt].expected) != 0)
709 {
710 printf ("test %d: expected \"%s\", got \"%s\"\n",
711 cnt, tests2[cnt].expected, cp);
712 result = 1;
713 }
714 }
715
716 if (result == 0)
717 puts ("all tests OK");
718
719 return result;
720 }
721 #endif