search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Adding upstream version 3.62+dfsg.
[syslinux-debian/hramrach.git] / com32 / libutil / sha256crypt.c
blob7dbd8faf30b39b1b86fb3f86a4c6be8142c6b2b4
1 /* SHA256-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdint.h>
9 #include <stdbool.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16 #include "xcrypt.h"
17
18 /* Structure to save state of computation between the single steps. */
19 struct sha256_ctx
20 {
21 uint32_t H[8];
22
23 uint32_t total[2];
24 uint32_t buflen;
25 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
26 };
27
28
29 #if __BYTE_ORDER == __LITTLE_ENDIAN
30 # define SWAP(n) \
31 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
32 #else
33 # define SWAP(n) (n)
34 #endif
35
36
37 /* This array contains the bytes used to pad the buffer to the next
38 64-byte boundary. (FIPS 180-2:5.1.1) */
39 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
40
41
42 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
43 static const uint32_t K[64] =
44 {
45 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
46 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
47 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
48 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
49 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
50 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
51 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
52 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
53 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
54 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
55 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
56 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
57 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
58 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
59 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
60 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
61 };
62
63
64 /* Process LEN bytes of BUFFER, accumulating context into CTX.
65 It is assumed that LEN % 64 == 0. */
66 static void
67 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
68 {
69 unsigned int t;
70 const uint32_t *words = buffer;
71 size_t nwords = len / sizeof (uint32_t);
72 uint32_t a = ctx->H[0];
73 uint32_t b = ctx->H[1];
74 uint32_t c = ctx->H[2];
75 uint32_t d = ctx->H[3];
76 uint32_t e = ctx->H[4];
77 uint32_t f = ctx->H[5];
78 uint32_t g = ctx->H[6];
79 uint32_t h = ctx->H[7];
80
81 /* First increment the byte count. FIPS 180-2 specifies the possible
82 length of the file up to 2^64 bits. Here we only compute the
83 number of bytes. Do a double word increment. */
84 ctx->total[0] += len;
85 if (ctx->total[0] < len)
86 ++ctx->total[1];
87
88 /* Process all bytes in the buffer with 64 bytes in each round of
89 the loop. */
90 while (nwords > 0)
91 {
92 uint32_t W[64];
93 uint32_t a_save = a;
94 uint32_t b_save = b;
95 uint32_t c_save = c;
96 uint32_t d_save = d;
97 uint32_t e_save = e;
98 uint32_t f_save = f;
99 uint32_t g_save = g;
100 uint32_t h_save = h;
101
102 /* Operators defined in FIPS 180-2:4.1.2. */
103 #define Ch(x, y, z) ((x & y) ^ (~x & z))
104 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
105 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
106 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
107 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
108 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
109
110 /* It is unfortunate that C does not provide an operator for
111 cyclic rotation. Hope the C compiler is smart enough. */
112 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
113
114 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
115 for (t = 0; t < 16; ++t)
116 {
117 W[t] = SWAP (*words);
118 ++words;
119 }
120 for (t = 16; t < 64; ++t)
121 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
122
123 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
124 for (t = 0; t < 64; ++t)
125 {
126 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
127 uint32_t T2 = S0 (a) + Maj (a, b, c);
128 h = g;
129 g = f;
130 f = e;
131 e = d + T1;
132 d = c;
133 c = b;
134 b = a;
135 a = T1 + T2;
136 }
137
138 /* Add the starting values of the context according to FIPS 180-2:6.2.2
139 step 4. */
140 a += a_save;
141 b += b_save;
142 c += c_save;
143 d += d_save;
144 e += e_save;
145 f += f_save;
146 g += g_save;
147 h += h_save;
148
149 /* Prepare for the next round. */
150 nwords -= 16;
151 }
152
153 /* Put checksum in context given as argument. */
154 ctx->H[0] = a;
155 ctx->H[1] = b;
156 ctx->H[2] = c;
157 ctx->H[3] = d;
158 ctx->H[4] = e;
159 ctx->H[5] = f;
160 ctx->H[6] = g;
161 ctx->H[7] = h;
162 }
163
164
165 /* Initialize structure containing state of computation.
166 (FIPS 180-2:5.3.2) */
167 static void
168 sha256_init_ctx (struct sha256_ctx *ctx)
169 {
170 ctx->H[0] = 0x6a09e667;
171 ctx->H[1] = 0xbb67ae85;
172 ctx->H[2] = 0x3c6ef372;
173 ctx->H[3] = 0xa54ff53a;
174 ctx->H[4] = 0x510e527f;
175 ctx->H[5] = 0x9b05688c;
176 ctx->H[6] = 0x1f83d9ab;
177 ctx->H[7] = 0x5be0cd19;
178
179 ctx->total[0] = ctx->total[1] = 0;
180 ctx->buflen = 0;
181 }
182
183
184 /* Process the remaining bytes in the internal buffer and the usual
185 prolog according to the standard and write the result to RESBUF.
186
187 IMPORTANT: On some systems it is required that RESBUF is correctly
188 aligned for a 32 bits value. */
189 static void *
190 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
191 {
192 unsigned int i;
193 /* Take yet unprocessed bytes into account. */
194 uint32_t bytes = ctx->buflen;
195 size_t pad;
196
197 /* Now count remaining bytes. */
198 ctx->total[0] += bytes;
199 if (ctx->total[0] < bytes)
200 ++ctx->total[1];
201
202 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
203 memcpy (&ctx->buffer[bytes], fillbuf, pad);
204
205 /* Put the 64-bit file length in *bits* at the end of the buffer. */
206 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
207 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
208 (ctx->total[0] >> 29));
209
210 /* Process last bytes. */
211 sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
212
213 /* Put result from CTX in first 32 bytes following RESBUF. */
214 for (i = 0; i < 8; ++i)
215 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
216
217 return resbuf;
218 }
219
220
221 static void
222 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
223 {
224 /* When we already have some bits in our internal buffer concatenate
225 both inputs first. */
226 if (ctx->buflen != 0)
227 {
228 size_t left_over = ctx->buflen;
229 size_t add = 128 - left_over > len ? len : 128 - left_over;
230
231 memcpy (&ctx->buffer[left_over], buffer, add);
232 ctx->buflen += add;
233
234 if (ctx->buflen > 64)
235 {
236 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
237
238 ctx->buflen &= 63;
239 /* The regions in the following copy operation cannot overlap. */
240 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
241 ctx->buflen);
242 }
243
244 buffer = (const char *) buffer + add;
245 len -= add;
246 }
247
248 /* Process available complete blocks. */
249 if (len >= 64)
250 {
251 /* To check alignment gcc has an appropriate operator. Other
252 compilers don't. */
253 #if __GNUC__ >= 2
254 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
255 #else
256 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
257 #endif
258 if (UNALIGNED_P (buffer))
259 while (len > 64)
260 {
261 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
262 buffer = (const char *) buffer + 64;
263 len -= 64;
264 }
265 else
266 {
267 sha256_process_block (buffer, len & ~63, ctx);
268 buffer = (const char *) buffer + (len & ~63);
269 len &= 63;
270 }
271 }
272
273 /* Move remaining bytes into internal buffer. */
274 if (len > 0)
275 {
276 size_t left_over = ctx->buflen;
277
278 memcpy (&ctx->buffer[left_over], buffer, len);
279 left_over += len;
280 if (left_over >= 64)
281 {
282 sha256_process_block (ctx->buffer, 64, ctx);
283 left_over -= 64;
284 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
285 }
286 ctx->buflen = left_over;
287 }
288 }
289
290
291 /* Define our magic string to mark salt for SHA256 "encryption"
292 replacement. */
293 static const char sha256_salt_prefix[] = "$5$";
294
295 /* Prefix for optional rounds specification. */
296 static const char sha256_rounds_prefix[] = "rounds=";
297
298 /* Maximum salt string length. */
299 #define SALT_LEN_MAX 16
300 /* Default number of rounds if not explicitly specified. */
301 #define ROUNDS_DEFAULT 5000
302 /* Minimum number of rounds. */
303 #define ROUNDS_MIN 1000
304 /* Maximum number of rounds. */
305 #define ROUNDS_MAX 999999999
306
307 /* Table with characters for base64 transformation. */
308 static const char b64t[64] =
309 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
310
311
312 static char *
313 sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
314 {
315 unsigned char alt_result[32]
316 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
317 unsigned char temp_result[32]
318 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
319 struct sha256_ctx ctx;
320 struct sha256_ctx alt_ctx;
321 size_t salt_len;
322 size_t key_len;
323 size_t cnt;
324 char *cp;
325 char *copied_key = NULL;
326 char *copied_salt = NULL;
327 char *p_bytes;
328 char *s_bytes;
329 /* Default number of rounds. */
330 size_t rounds = ROUNDS_DEFAULT;
331 bool rounds_custom = false;
332
333 /* Find beginning of salt string. The prefix should normally always
334 be present. Just in case it is not. */
335 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
336 /* Skip salt prefix. */
337 salt += sizeof (sha256_salt_prefix) - 1;
338
339 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
340 == 0)
341 {
342 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
343 char *endp;
344 unsigned long int srounds = strtoul (num, &endp, 10);
345 if (*endp == '$')
346 {
347 salt = endp + 1;
348 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
349 rounds_custom = true;
350 }
351 }
352
353 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
354 key_len = strlen (key);
355
356 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
357 {
358 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
359 key = copied_key =
360 memcpy (tmp + __alignof__ (uint32_t)
361 - (tmp - (char *) 0) % __alignof__ (uint32_t),
362 key, key_len);
363 }
364
365 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
366 {
367 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
368 salt = copied_salt =
369 memcpy (tmp + __alignof__ (uint32_t)
370 - (tmp - (char *) 0) % __alignof__ (uint32_t),
371 salt, salt_len);
372 }
373
374 /* Prepare for the real work. */
375 sha256_init_ctx (&ctx);
376
377 /* Add the key string. */
378 sha256_process_bytes (key, key_len, &ctx);
379
380 /* The last part is the salt string. This must be at most 8
381 characters and it ends at the first `$' character (for
382 compatibility with existing implementations). */
383 sha256_process_bytes (salt, salt_len, &ctx);
384
385
386 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
387 final result will be added to the first context. */
388 sha256_init_ctx (&alt_ctx);
389
390 /* Add key. */
391 sha256_process_bytes (key, key_len, &alt_ctx);
392
393 /* Add salt. */
394 sha256_process_bytes (salt, salt_len, &alt_ctx);
395
396 /* Add key again. */
397 sha256_process_bytes (key, key_len, &alt_ctx);
398
399 /* Now get result of this (32 bytes) and add it to the other
400 context. */
401 sha256_finish_ctx (&alt_ctx, alt_result);
402
403 /* Add for any character in the key one byte of the alternate sum. */
404 for (cnt = key_len; cnt > 32; cnt -= 32)
405 sha256_process_bytes (alt_result, 32, &ctx);
406 sha256_process_bytes (alt_result, cnt, &ctx);
407
408 /* Take the binary representation of the length of the key and for every
409 1 add the alternate sum, for every 0 the key. */
410 for (cnt = key_len; cnt > 0; cnt >>= 1)
411 if ((cnt & 1) != 0)
412 sha256_process_bytes (alt_result, 32, &ctx);
413 else
414 sha256_process_bytes (key, key_len, &ctx);
415
416 /* Create intermediate result. */
417 sha256_finish_ctx (&ctx, alt_result);
418
419 /* Start computation of P byte sequence. */
420 sha256_init_ctx (&alt_ctx);
421
422 /* For every character in the password add the entire password. */
423 for (cnt = 0; cnt < key_len; ++cnt)
424 sha256_process_bytes (key, key_len, &alt_ctx);
425
426 /* Finish the digest. */
427 sha256_finish_ctx (&alt_ctx, temp_result);
428
429 /* Create byte sequence P. */
430 cp = p_bytes = alloca (key_len);
431 for (cnt = key_len; cnt >= 32; cnt -= 32)
432 cp = mempcpy (cp, temp_result, 32);
433 memcpy (cp, temp_result, cnt);
434
435 /* Start computation of S byte sequence. */
436 sha256_init_ctx (&alt_ctx);
437
438 /* For every character in the password add the entire password. */
439 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
440 sha256_process_bytes (salt, salt_len, &alt_ctx);
441
442 /* Finish the digest. */
443 sha256_finish_ctx (&alt_ctx, temp_result);
444
445 /* Create byte sequence S. */
446 cp = s_bytes = alloca (salt_len);
447 for (cnt = salt_len; cnt >= 32; cnt -= 32)
448 cp = mempcpy (cp, temp_result, 32);
449 memcpy (cp, temp_result, cnt);
450
451 /* Repeatedly run the collected hash value through SHA256 to burn
452 CPU cycles. */
453 for (cnt = 0; cnt < rounds; ++cnt)
454 {
455 /* New context. */
456 sha256_init_ctx (&ctx);
457
458 /* Add key or last result. */
459 if ((cnt & 1) != 0)
460 sha256_process_bytes (p_bytes, key_len, &ctx);
461 else
462 sha256_process_bytes (alt_result, 32, &ctx);
463
464 /* Add salt for numbers not divisible by 3. */
465 if (cnt % 3 != 0)
466 sha256_process_bytes (s_bytes, salt_len, &ctx);
467
468 /* Add key for numbers not divisible by 7. */
469 if (cnt % 7 != 0)
470 sha256_process_bytes (p_bytes, key_len, &ctx);
471
472 /* Add key or last result. */
473 if ((cnt & 1) != 0)
474 sha256_process_bytes (alt_result, 32, &ctx);
475 else
476 sha256_process_bytes (p_bytes, key_len, &ctx);
477
478 /* Create intermediate result. */
479 sha256_finish_ctx (&ctx, alt_result);
480 }
481
482 /* Now we can construct the result string. It consists of three
483 parts. */
484 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
485 buflen -= sizeof (sha256_salt_prefix) - 1;
486
487 if (rounds_custom)
488 {
489 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
490 sha256_rounds_prefix, rounds);
491 cp += n;
492 buflen -= n;
493 }
494
495 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
496 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
497
498 if (buflen > 0)
499 {
500 *cp++ = '$';
501 --buflen;
502 }
503
504 #define b64_from_24bit(B2, B1, B0, N) \
505 do { \
506 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
507 int n = (N); \
508 while (n-- > 0 && buflen > 0) \
509 { \
510 *cp++ = b64t[w & 0x3f]; \
511 --buflen; \
512 w >>= 6; \
513 } \
514 } while (0)
515
516 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
517 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
518 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
519 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
520 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
521 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
522 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
523 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
524 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
525 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
526 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
527 if (buflen <= 0)
528 {
529 errno = ERANGE;
530 buffer = NULL;
531 }
532 else
533 *cp = '\0'; /* Terminate the string. */
534
535 /* Clear the buffer for the intermediate result so that people
536 attaching to processes or reading core dumps cannot get any
537 information. We do it in this way to clear correct_words[]
538 inside the SHA256 implementation as well. */
539 sha256_init_ctx (&ctx);
540 sha256_finish_ctx (&ctx, alt_result);
541 memset (temp_result, '\0', sizeof (temp_result));
542 memset (p_bytes, '\0', key_len);
543 memset (s_bytes, '\0', salt_len);
544 memset (&ctx, '\0', sizeof (ctx));
545 memset (&alt_ctx, '\0', sizeof (alt_ctx));
546 if (copied_key != NULL)
547 memset (copied_key, '\0', key_len);
548 if (copied_salt != NULL)
549 memset (copied_salt, '\0', salt_len);
550
551 return buffer;
552 }
553
554
555 /* This entry point is equivalent to the `crypt' function in Unix
556 libcs. */
557 char *
558 sha256_crypt (const char *key, const char *salt)
559 {
560 /* We don't want to have an arbitrary limit in the size of the
561 password. We can compute an upper bound for the size of the
562 result in advance and so we can prepare the buffer we pass to
563 `sha256_crypt_r'. */
564 static char *buffer;
565 static int buflen;
566 int needed = (sizeof (sha256_salt_prefix) - 1
567 + sizeof (sha256_rounds_prefix) + 9 + 1
568 + strlen (salt) + 1 + 43 + 1);
569
570 if (buflen < needed)
571 {
572 char *new_buffer = (char *) realloc (buffer, needed);
573 if (new_buffer == NULL)
574 return NULL;
575
576 buffer = new_buffer;
577 buflen = needed;
578 }
579
580 return sha256_crypt_r (key, salt, buffer, buflen);
581 }
582
583
584 #ifdef TEST
585 static const struct
586 {
587 const char *input;
588 const char result[32];
589 } tests[] =
590 {
591 /* Test vectors from FIPS 180-2: appendix B.1. */
592 { "abc",
593 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
594 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
595 /* Test vectors from FIPS 180-2: appendix B.2. */
596 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
597 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
598 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
599 /* Test vectors from the NESSIE project. */
600 { "",
601 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
602 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
603 { "a",
604 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
605 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
606 { "message digest",
607 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
608 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
609 { "abcdefghijklmnopqrstuvwxyz",
610 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
611 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
612 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
613 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
614 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
615 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
616 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
617 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
618 { "123456789012345678901234567890123456789012345678901234567890"
619 "12345678901234567890",
620 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
621 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
622 };
623 #define ntests (sizeof (tests) / sizeof (tests[0]))
624
625
626 static const struct
627 {
628 const char *salt;
629 const char *input;
630 const char *expected;
631 } tests2[] =
632 {
633 { "$5$saltstring", "Hello world!",
634 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
635 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
636 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
637 "opqey6IcA" },
638 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
639 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
640 "mGRcvxa5" },
641 { "$5$rounds=1400$anotherlongsaltstring",
642 "a very much longer text to encrypt. This one even stretches over more"
643 "than one line.",
644 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
645 "oP84Bnq1" },
646 { "$5$rounds=77777$short",
647 "we have a short salt string but not a short password",
648 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
649 { "$5$rounds=123456$asaltof16chars..", "a short string",
650 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
651 "cZKmF/wJvD" },
652 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
653 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
654 "2bIC" },
655 };
656 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
657
658
659 int
660 main (void)
661 {
662 struct sha256_ctx ctx;
663 char sum[32];
664 int result = 0;
665 int cnt;
666
667 for (cnt = 0; cnt < (int) ntests; ++cnt)
668 {
669 sha256_init_ctx (&ctx);
670 sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
671 sha256_finish_ctx (&ctx, sum);
672 if (memcmp (tests[cnt].result, sum, 32) != 0)
673 {
674 printf ("test %d run %d failed\n", cnt, 1);
675 result = 1;
676 }
677
678 sha256_init_ctx (&ctx);
679 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
680 sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
681 sha256_finish_ctx (&ctx, sum);
682 if (memcmp (tests[cnt].result, sum, 32) != 0)
683 {
684 printf ("test %d run %d failed\n", cnt, 2);
685 result = 1;
686 }
687 }
688
689 /* Test vector from FIPS 180-2: appendix B.3. */
690 char buf[1000];
691 memset (buf, 'a', sizeof (buf));
692 sha256_init_ctx (&ctx);
693 for (int i = 0; i < 1000; ++i)
694 sha256_process_bytes (buf, sizeof (buf), &ctx);
695 sha256_finish_ctx (&ctx, sum);
696 static const char expected[32] =
697 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
698 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
699 if (memcmp (expected, sum, 32) != 0)
700 {
701 printf ("test %d failed\n", cnt);
702 result = 1;
703 }
704
705 for (cnt = 0; cnt < ntests2; ++cnt)
706 {
707 char *cp = sha256_crypt (tests2[cnt].input, tests2[cnt].salt);
708
709 if (strcmp (cp, tests2[cnt].expected) != 0)
710 {
711 printf ("test %d: expected \"%s\", got \"%s\"\n",
712 cnt, tests2[cnt].expected, cp);
713 result = 1;
714 }
715 }
716
717 if (result == 0)
718 puts ("all tests OK");
719
720 return result;
721 }
722 #endif