1 /* SHA256-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
14 #include <sys/types.h>
18 #define MIN(x,y) min(x,y)
19 #define MAX(x,y) max(x,y)
21 /* Structure to save state of computation between the single steps. */
27 char buffer
[128]; /* NB: always correctly aligned for uint32_t. */
30 #if __BYTE_ORDER == __LITTLE_ENDIAN
32 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
37 /* This array contains the bytes used to pad the buffer to the next
38 64-byte boundary. (FIPS 180-2:5.1.1) */
39 static const unsigned char fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
42 static const uint32_t K
[64] = {
43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
44 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
45 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
46 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
47 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
48 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
49 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
50 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
51 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
52 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
53 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
54 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
55 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
56 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
57 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
58 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
61 /* Process LEN bytes of BUFFER, accumulating context into CTX.
62 It is assumed that LEN % 64 == 0. */
64 sha256_process_block(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
67 const uint32_t *words
= buffer
;
68 size_t nwords
= len
/ sizeof(uint32_t);
69 uint32_t a
= ctx
->H
[0];
70 uint32_t b
= ctx
->H
[1];
71 uint32_t c
= ctx
->H
[2];
72 uint32_t d
= ctx
->H
[3];
73 uint32_t e
= ctx
->H
[4];
74 uint32_t f
= ctx
->H
[5];
75 uint32_t g
= ctx
->H
[6];
76 uint32_t h
= ctx
->H
[7];
78 /* First increment the byte count. FIPS 180-2 specifies the possible
79 length of the file up to 2^64 bits. Here we only compute the
80 number of bytes. Do a double word increment. */
82 if (ctx
->total
[0] < len
)
85 /* Process all bytes in the buffer with 64 bytes in each round of
98 /* Operators defined in FIPS 180-2:4.1.2. */
99 #define Ch(x, y, z) ((x & y) ^ (~x & z))
100 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
101 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
102 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
103 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
104 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
106 /* It is unfortunate that C does not provide an operator for
107 cyclic rotation. Hope the C compiler is smart enough. */
108 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
110 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
111 for (t
= 0; t
< 16; ++t
) {
115 for (t
= 16; t
< 64; ++t
)
116 W
[t
] = R1(W
[t
- 2]) + W
[t
- 7] + R0(W
[t
- 15]) + W
[t
- 16];
118 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
119 for (t
= 0; t
< 64; ++t
) {
120 uint32_t T1
= h
+ S1(e
) + Ch(e
, f
, g
) + K
[t
] + W
[t
];
121 uint32_t T2
= S0(a
) + Maj(a
, b
, c
);
132 /* Add the starting values of the context according to FIPS 180-2:6.2.2
143 /* Prepare for the next round. */
147 /* Put checksum in context given as argument. */
158 /* Initialize structure containing state of computation.
159 (FIPS 180-2:5.3.2) */
160 static void sha256_init_ctx(struct sha256_ctx
*ctx
)
162 ctx
->H
[0] = 0x6a09e667;
163 ctx
->H
[1] = 0xbb67ae85;
164 ctx
->H
[2] = 0x3c6ef372;
165 ctx
->H
[3] = 0xa54ff53a;
166 ctx
->H
[4] = 0x510e527f;
167 ctx
->H
[5] = 0x9b05688c;
168 ctx
->H
[6] = 0x1f83d9ab;
169 ctx
->H
[7] = 0x5be0cd19;
171 ctx
->total
[0] = ctx
->total
[1] = 0;
175 /* Process the remaining bytes in the internal buffer and the usual
176 prolog according to the standard and write the result to RESBUF.
178 IMPORTANT: On some systems it is required that RESBUF is correctly
179 aligned for a 32 bits value. */
180 static void *sha256_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
183 /* Take yet unprocessed bytes into account. */
184 uint32_t bytes
= ctx
->buflen
;
187 /* Now count remaining bytes. */
188 ctx
->total
[0] += bytes
;
189 if (ctx
->total
[0] < bytes
)
192 pad
= bytes
>= 56 ? 64 + 56 - bytes
: 56 - bytes
;
193 memcpy(&ctx
->buffer
[bytes
], fillbuf
, pad
);
195 /* Put the 64-bit file length in *bits* at the end of the buffer. */
196 *(uint32_t *) & ctx
->buffer
[bytes
+ pad
+ 4] = SWAP(ctx
->total
[0] << 3);
197 *(uint32_t *) & ctx
->buffer
[bytes
+ pad
] = SWAP((ctx
->total
[1] << 3) |
198 (ctx
->total
[0] >> 29));
200 /* Process last bytes. */
201 sha256_process_block(ctx
->buffer
, bytes
+ pad
+ 8, ctx
);
203 /* Put result from CTX in first 32 bytes following RESBUF. */
204 for (i
= 0; i
< 8; ++i
)
205 ((uint32_t *) resbuf
)[i
] = SWAP(ctx
->H
[i
]);
211 sha256_process_bytes(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
213 /* When we already have some bits in our internal buffer concatenate
214 both inputs first. */
215 if (ctx
->buflen
!= 0) {
216 size_t left_over
= ctx
->buflen
;
217 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
219 memcpy(&ctx
->buffer
[left_over
], buffer
, add
);
222 if (ctx
->buflen
> 64) {
223 sha256_process_block(ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
226 /* The regions in the following copy operation cannot overlap. */
227 memcpy(ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~63],
231 buffer
= (const char *)buffer
+ add
;
235 /* Process available complete blocks. */
237 /* To check alignment gcc has an appropriate operator. Other
240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
244 if (UNALIGNED_P(buffer
))
246 sha256_process_block(memcpy(ctx
->buffer
, buffer
, 64), 64, ctx
);
247 buffer
= (const char *)buffer
+ 64;
250 sha256_process_block(buffer
, len
& ~63, ctx
);
251 buffer
= (const char *)buffer
+ (len
& ~63);
256 /* Move remaining bytes into internal buffer. */
258 size_t left_over
= ctx
->buflen
;
260 memcpy(&ctx
->buffer
[left_over
], buffer
, len
);
262 if (left_over
>= 64) {
263 sha256_process_block(ctx
->buffer
, 64, ctx
);
265 memcpy(ctx
->buffer
, &ctx
->buffer
[64], left_over
);
267 ctx
->buflen
= left_over
;
271 /* Define our magic string to mark salt for SHA256 "encryption"
273 static const char sha256_salt_prefix
[] = "$5$";
275 /* Prefix for optional rounds specification. */
276 static const char sha256_rounds_prefix
[] = "rounds=";
278 /* Maximum salt string length. */
279 #define SALT_LEN_MAX 16
280 /* Default number of rounds if not explicitly specified. */
281 #define ROUNDS_DEFAULT 5000
282 /* Minimum number of rounds. */
283 #define ROUNDS_MIN 1000
284 /* Maximum number of rounds. */
285 #define ROUNDS_MAX 999999999
287 /* Table with characters for base64 transformation. */
288 static const char b64t
[64] =
289 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
291 static char *sha256_crypt_r(const char *key
, const char *salt
, char *buffer
,
294 unsigned char alt_result
[32]
295 __attribute__ ((__aligned__(__alignof__(uint32_t))));
296 unsigned char temp_result
[32]
297 __attribute__ ((__aligned__(__alignof__(uint32_t))));
298 struct sha256_ctx ctx
;
299 struct sha256_ctx alt_ctx
;
304 char *copied_key
= NULL
;
305 char *copied_salt
= NULL
;
308 /* Default number of rounds. */
309 size_t rounds
= ROUNDS_DEFAULT
;
310 bool rounds_custom
= false;
312 /* Find beginning of salt string. The prefix should normally always
313 be present. Just in case it is not. */
314 if (strncmp(sha256_salt_prefix
, salt
, sizeof(sha256_salt_prefix
) - 1) == 0)
315 /* Skip salt prefix. */
316 salt
+= sizeof(sha256_salt_prefix
) - 1;
318 if (strncmp(salt
, sha256_rounds_prefix
, sizeof(sha256_rounds_prefix
) - 1)
320 const char *num
= salt
+ sizeof(sha256_rounds_prefix
) - 1;
322 unsigned long int srounds
= strtoul(num
, &endp
, 10);
325 rounds
= MAX(ROUNDS_MIN
, MIN(srounds
, ROUNDS_MAX
));
326 rounds_custom
= true;
330 salt_len
= MIN(strcspn(salt
, "$"), SALT_LEN_MAX
);
331 key_len
= strlen(key
);
333 if ((key
- (char *)0) % __alignof__(uint32_t) != 0) {
334 char *tmp
= (char *)alloca(key_len
+ __alignof__(uint32_t));
335 key
= copied_key
= memcpy(tmp
+ __alignof__(uint32_t)
336 - (tmp
- (char *)0) % __alignof__(uint32_t),
340 if ((salt
- (char *)0) % __alignof__(uint32_t) != 0) {
341 char *tmp
= (char *)alloca(salt_len
+ __alignof__(uint32_t));
342 salt
= copied_salt
= memcpy(tmp
+ __alignof__(uint32_t)
343 - (tmp
- (char *)0) % __alignof__(uint32_t),
347 /* Prepare for the real work. */
348 sha256_init_ctx(&ctx
);
350 /* Add the key string. */
351 sha256_process_bytes(key
, key_len
, &ctx
);
353 /* The last part is the salt string. This must be at most 8
354 characters and it ends at the first `$' character (for
355 compatibility with existing implementations). */
356 sha256_process_bytes(salt
, salt_len
, &ctx
);
358 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
359 final result will be added to the first context. */
360 sha256_init_ctx(&alt_ctx
);
363 sha256_process_bytes(key
, key_len
, &alt_ctx
);
366 sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
369 sha256_process_bytes(key
, key_len
, &alt_ctx
);
371 /* Now get result of this (32 bytes) and add it to the other
373 sha256_finish_ctx(&alt_ctx
, alt_result
);
375 /* Add for any character in the key one byte of the alternate sum. */
376 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
377 sha256_process_bytes(alt_result
, 32, &ctx
);
378 sha256_process_bytes(alt_result
, cnt
, &ctx
);
380 /* Take the binary representation of the length of the key and for every
381 1 add the alternate sum, for every 0 the key. */
382 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
384 sha256_process_bytes(alt_result
, 32, &ctx
);
386 sha256_process_bytes(key
, key_len
, &ctx
);
388 /* Create intermediate result. */
389 sha256_finish_ctx(&ctx
, alt_result
);
391 /* Start computation of P byte sequence. */
392 sha256_init_ctx(&alt_ctx
);
394 /* For every character in the password add the entire password. */
395 for (cnt
= 0; cnt
< key_len
; ++cnt
)
396 sha256_process_bytes(key
, key_len
, &alt_ctx
);
398 /* Finish the digest. */
399 sha256_finish_ctx(&alt_ctx
, temp_result
);
401 /* Create byte sequence P. */
402 cp
= p_bytes
= alloca(key_len
);
403 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
404 cp
= mempcpy(cp
, temp_result
, 32);
405 memcpy(cp
, temp_result
, cnt
);
407 /* Start computation of S byte sequence. */
408 sha256_init_ctx(&alt_ctx
);
410 /* For every character in the password add the entire password. */
411 for (cnt
= 0; cnt
< 16 + alt_result
[0]; ++cnt
)
412 sha256_process_bytes(salt
, salt_len
, &alt_ctx
);
414 /* Finish the digest. */
415 sha256_finish_ctx(&alt_ctx
, temp_result
);
417 /* Create byte sequence S. */
418 cp
= s_bytes
= alloca(salt_len
);
419 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
420 cp
= mempcpy(cp
, temp_result
, 32);
421 memcpy(cp
, temp_result
, cnt
);
423 /* Repeatedly run the collected hash value through SHA256 to burn
425 for (cnt
= 0; cnt
< rounds
; ++cnt
) {
427 sha256_init_ctx(&ctx
);
429 /* Add key or last result. */
431 sha256_process_bytes(p_bytes
, key_len
, &ctx
);
433 sha256_process_bytes(alt_result
, 32, &ctx
);
435 /* Add salt for numbers not divisible by 3. */
437 sha256_process_bytes(s_bytes
, salt_len
, &ctx
);
439 /* Add key for numbers not divisible by 7. */
441 sha256_process_bytes(p_bytes
, key_len
, &ctx
);
443 /* Add key or last result. */
445 sha256_process_bytes(alt_result
, 32, &ctx
);
447 sha256_process_bytes(p_bytes
, key_len
, &ctx
);
449 /* Create intermediate result. */
450 sha256_finish_ctx(&ctx
, alt_result
);
453 /* Now we can construct the result string. It consists of three
455 cp
= stpncpy(buffer
, sha256_salt_prefix
, MAX(0, buflen
));
456 buflen
-= sizeof(sha256_salt_prefix
) - 1;
459 int n
= snprintf(cp
, MAX(0, buflen
), "%s%zu$",
460 sha256_rounds_prefix
, rounds
);
465 cp
= stpncpy(cp
, salt
, MIN((size_t) MAX(0, buflen
), salt_len
));
466 buflen
-= MIN((size_t) MAX(0, buflen
), salt_len
);
472 #define b64_from_24bit(B2, B1, B0, N) \
474 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
476 while (n-- > 0 && buflen > 0) \
478 *cp++ = b64t[w & 0x3f]; \
484 b64_from_24bit(alt_result
[0], alt_result
[10], alt_result
[20], 4);
485 b64_from_24bit(alt_result
[21], alt_result
[1], alt_result
[11], 4);
486 b64_from_24bit(alt_result
[12], alt_result
[22], alt_result
[2], 4);
487 b64_from_24bit(alt_result
[3], alt_result
[13], alt_result
[23], 4);
488 b64_from_24bit(alt_result
[24], alt_result
[4], alt_result
[14], 4);
489 b64_from_24bit(alt_result
[15], alt_result
[25], alt_result
[5], 4);
490 b64_from_24bit(alt_result
[6], alt_result
[16], alt_result
[26], 4);
491 b64_from_24bit(alt_result
[27], alt_result
[7], alt_result
[17], 4);
492 b64_from_24bit(alt_result
[18], alt_result
[28], alt_result
[8], 4);
493 b64_from_24bit(alt_result
[9], alt_result
[19], alt_result
[29], 4);
494 b64_from_24bit(0, alt_result
[31], alt_result
[30], 3);
499 *cp
= '\0'; /* Terminate the string. */
501 /* Clear the buffer for the intermediate result so that people
502 attaching to processes or reading core dumps cannot get any
503 information. We do it in this way to clear correct_words[]
504 inside the SHA256 implementation as well. */
505 sha256_init_ctx(&ctx
);
506 sha256_finish_ctx(&ctx
, alt_result
);
507 memset(temp_result
, '\0', sizeof(temp_result
));
508 memset(p_bytes
, '\0', key_len
);
509 memset(s_bytes
, '\0', salt_len
);
510 memset(&ctx
, '\0', sizeof(ctx
));
511 memset(&alt_ctx
, '\0', sizeof(alt_ctx
));
512 if (copied_key
!= NULL
)
513 memset(copied_key
, '\0', key_len
);
514 if (copied_salt
!= NULL
)
515 memset(copied_salt
, '\0', salt_len
);
520 /* This entry point is equivalent to the `crypt' function in Unix
522 char *sha256_crypt(const char *key
, const char *salt
)
524 /* We don't want to have an arbitrary limit in the size of the
525 password. We can compute an upper bound for the size of the
526 result in advance and so we can prepare the buffer we pass to
530 int needed
= (sizeof(sha256_salt_prefix
) - 1
531 + sizeof(sha256_rounds_prefix
) + 9 + 1
532 + strlen(salt
) + 1 + 43 + 1);
534 if (buflen
< needed
) {
535 char *new_buffer
= (char *)realloc(buffer
, needed
);
536 if (new_buffer
== NULL
)
543 return sha256_crypt_r(key
, salt
, buffer
, buflen
);
547 static const struct {
549 const char result
[32];
551 /* Test vectors from FIPS 180-2: appendix B.1. */
554 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
555 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"},
556 /* Test vectors from FIPS 180-2: appendix B.2. */
558 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
559 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
560 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
561 /* Test vectors from the NESSIE project. */
563 "", "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
564 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"},
566 "a", "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
567 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"},
570 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
571 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"},
573 "abcdefghijklmnopqrstuvwxyz",
574 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
575 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"},
577 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
578 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
579 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
581 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
582 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
583 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"},
585 "123456789012345678901234567890123456789012345678901234567890"
586 "12345678901234567890",
587 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
588 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"}
591 #define ntests (sizeof (tests) / sizeof (tests[0]))
593 static const struct {
596 const char *expected
;
599 "$5$saltstring", "Hello world!",
600 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"}, {
601 "$5$rounds=10000$saltstringsaltstring", "Hello world!",
602 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
604 "$5$rounds=5000$toolongsaltstring", "This is just a test",
605 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
607 "$5$rounds=1400$anotherlongsaltstring",
608 "a very much longer text to encrypt. This one even stretches over more"
610 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
612 "$5$rounds=77777$short",
613 "we have a short salt string but not a short password",
614 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"},
616 "$5$rounds=123456$asaltof16chars..", "a short string",
617 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
619 "$5$rounds=10$roundstoolow", "the minimum number is still observed",
620 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
622 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
626 struct sha256_ctx ctx
;
631 for (cnt
= 0; cnt
< (int)ntests
; ++cnt
) {
632 sha256_init_ctx(&ctx
);
633 sha256_process_bytes(tests
[cnt
].input
, strlen(tests
[cnt
].input
), &ctx
);
634 sha256_finish_ctx(&ctx
, sum
);
635 if (memcmp(tests
[cnt
].result
, sum
, 32) != 0) {
636 printf("test %d run %d failed\n", cnt
, 1);
640 sha256_init_ctx(&ctx
);
641 for (int i
= 0; tests
[cnt
].input
[i
] != '\0'; ++i
)
642 sha256_process_bytes(&tests
[cnt
].input
[i
], 1, &ctx
);
643 sha256_finish_ctx(&ctx
, sum
);
644 if (memcmp(tests
[cnt
].result
, sum
, 32) != 0) {
645 printf("test %d run %d failed\n", cnt
, 2);
650 /* Test vector from FIPS 180-2: appendix B.3. */
652 memset(buf
, 'a', sizeof(buf
));
653 sha256_init_ctx(&ctx
);
654 for (int i
= 0; i
< 1000; ++i
)
655 sha256_process_bytes(buf
, sizeof(buf
), &ctx
);
656 sha256_finish_ctx(&ctx
, sum
);
657 static const char expected
[32] =
658 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
659 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
660 if (memcmp(expected
, sum
, 32) != 0) {
661 printf("test %d failed\n", cnt
);
665 for (cnt
= 0; cnt
< ntests2
; ++cnt
) {
666 char *cp
= sha256_crypt(tests2
[cnt
].input
, tests2
[cnt
].salt
);
668 if (strcmp(cp
, tests2
[cnt
].expected
) != 0) {
669 printf("test %d: expected \"%s\", got \"%s\"\n",
670 cnt
, tests2
[cnt
].expected
, cp
);
676 puts("all tests OK");