Adding upstream version 4.00~pre53+dfsg.
[syslinux-debian/hramrach.git] / com32 / libutil / sha512crypt.c
blob9db9c0c8d9191b5d9cf5122bbeb955f9ee7625dc
1 /* SHA512-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <minmax.h>
14 #include <sys/types.h>
16 #include "xcrypt.h"
18 #define MIN(x,y) min(x,y)
19 #define MAX(x,y) max(x,y)
21 /* Structure to save state of computation between the single steps. */
22 struct sha512_ctx {
23 uint64_t H[8];
25 uint64_t total[2];
26 uint64_t buflen;
27 char buffer[256]; /* NB: always correctly aligned for uint64_t. */
30 #if __BYTE_ORDER == __LITTLE_ENDIAN
31 # define SWAP(n) \
32 (((n) << 56) \
33 | (((n) & 0xff00) << 40) \
34 | (((n) & 0xff0000) << 24) \
35 | (((n) & 0xff000000) << 8) \
36 | (((n) >> 8) & 0xff000000) \
37 | (((n) >> 24) & 0xff0000) \
38 | (((n) >> 40) & 0xff00) \
39 | ((n) >> 56))
40 #else
41 # define SWAP(n) (n)
42 #endif
44 /* This array contains the bytes used to pad the buffer to the next
45 64-byte boundary. (FIPS 180-2:5.1.2) */
46 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
48 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
49 static const uint64_t K[80] = {
50 UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
51 UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
52 UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
53 UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
54 UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
55 UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
56 UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
57 UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
58 UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
59 UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
60 UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
61 UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
62 UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
63 UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
64 UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
65 UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
66 UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
67 UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
68 UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
69 UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
70 UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
71 UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
72 UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
73 UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
74 UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
75 UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
76 UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
77 UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
78 UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
79 UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
80 UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
81 UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
82 UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
83 UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
84 UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
85 UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
86 UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
87 UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
88 UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
89 UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
92 /* Process LEN bytes of BUFFER, accumulating context into CTX.
93 It is assumed that LEN % 128 == 0. */
94 static void
95 sha512_process_block(const void *buffer, size_t len, struct sha512_ctx *ctx)
97 unsigned int t;
98 const uint64_t *words = buffer;
99 size_t nwords = len / sizeof(uint64_t);
100 uint64_t a = ctx->H[0];
101 uint64_t b = ctx->H[1];
102 uint64_t c = ctx->H[2];
103 uint64_t d = ctx->H[3];
104 uint64_t e = ctx->H[4];
105 uint64_t f = ctx->H[5];
106 uint64_t g = ctx->H[6];
107 uint64_t h = ctx->H[7];
109 /* First increment the byte count. FIPS 180-2 specifies the possible
110 length of the file up to 2^128 bits. Here we only compute the
111 number of bytes. Do a double word increment. */
112 ctx->total[0] += len;
113 if (ctx->total[0] < len)
114 ++ctx->total[1];
116 /* Process all bytes in the buffer with 128 bytes in each round of
117 the loop. */
118 while (nwords > 0) {
119 uint64_t W[80];
120 uint64_t a_save = a;
121 uint64_t b_save = b;
122 uint64_t c_save = c;
123 uint64_t d_save = d;
124 uint64_t e_save = e;
125 uint64_t f_save = f;
126 uint64_t g_save = g;
127 uint64_t h_save = h;
129 /* Operators defined in FIPS 180-2:4.1.2. */
130 #define Ch(x, y, z) ((x & y) ^ (~x & z))
131 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
132 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
133 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
134 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
135 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
137 /* It is unfortunate that C does not provide an operator for
138 cyclic rotation. Hope the C compiler is smart enough. */
139 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
141 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
142 for (t = 0; t < 16; ++t) {
143 W[t] = SWAP(*words);
144 ++words;
146 for (t = 16; t < 80; ++t)
147 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
149 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
150 for (t = 0; t < 80; ++t) {
151 uint64_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
152 uint64_t T2 = S0(a) + Maj(a, b, c);
153 h = g;
154 g = f;
155 f = e;
156 e = d + T1;
157 d = c;
158 c = b;
159 b = a;
160 a = T1 + T2;
163 /* Add the starting values of the context according to FIPS 180-2:6.3.2
164 step 4. */
165 a += a_save;
166 b += b_save;
167 c += c_save;
168 d += d_save;
169 e += e_save;
170 f += f_save;
171 g += g_save;
172 h += h_save;
174 /* Prepare for the next round. */
175 nwords -= 16;
178 /* Put checksum in context given as argument. */
179 ctx->H[0] = a;
180 ctx->H[1] = b;
181 ctx->H[2] = c;
182 ctx->H[3] = d;
183 ctx->H[4] = e;
184 ctx->H[5] = f;
185 ctx->H[6] = g;
186 ctx->H[7] = h;
189 /* Initialize structure containing state of computation.
190 (FIPS 180-2:5.3.3) */
191 static void sha512_init_ctx(struct sha512_ctx *ctx)
193 ctx->H[0] = UINT64_C(0x6a09e667f3bcc908);
194 ctx->H[1] = UINT64_C(0xbb67ae8584caa73b);
195 ctx->H[2] = UINT64_C(0x3c6ef372fe94f82b);
196 ctx->H[3] = UINT64_C(0xa54ff53a5f1d36f1);
197 ctx->H[4] = UINT64_C(0x510e527fade682d1);
198 ctx->H[5] = UINT64_C(0x9b05688c2b3e6c1f);
199 ctx->H[6] = UINT64_C(0x1f83d9abfb41bd6b);
200 ctx->H[7] = UINT64_C(0x5be0cd19137e2179);
202 ctx->total[0] = ctx->total[1] = 0;
203 ctx->buflen = 0;
206 /* Process the remaining bytes in the internal buffer and the usual
207 prolog according to the standard and write the result to RESBUF.
209 IMPORTANT: On some systems it is required that RESBUF is correctly
210 aligned for a 32 bits value. */
211 static void *sha512_finish_ctx(struct sha512_ctx *ctx, void *resbuf)
213 unsigned int i;
214 /* Take yet unprocessed bytes into account. */
215 uint64_t bytes = ctx->buflen;
216 size_t pad;
218 /* Now count remaining bytes. */
219 ctx->total[0] += bytes;
220 if (ctx->total[0] < bytes)
221 ++ctx->total[1];
223 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
224 memcpy(&ctx->buffer[bytes], fillbuf, pad);
226 /* Put the 128-bit file length in *bits* at the end of the buffer. */
227 *(uint64_t *) & ctx->buffer[bytes + pad + 8] = SWAP(ctx->total[0] << 3);
228 *(uint64_t *) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) |
229 (ctx->total[0] >> 61));
231 /* Process last bytes. */
232 sha512_process_block(ctx->buffer, bytes + pad + 16, ctx);
234 /* Put result from CTX in first 64 bytes following RESBUF. */
235 for (i = 0; i < 8; ++i)
236 ((uint64_t *) resbuf)[i] = SWAP(ctx->H[i]);
238 return resbuf;
241 static void
242 sha512_process_bytes(const void *buffer, size_t len, struct sha512_ctx *ctx)
244 /* When we already have some bits in our internal buffer concatenate
245 both inputs first. */
246 if (ctx->buflen != 0) {
247 size_t left_over = ctx->buflen;
248 size_t add = 256 - left_over > len ? len : 256 - left_over;
250 memcpy(&ctx->buffer[left_over], buffer, add);
251 ctx->buflen += add;
253 if (ctx->buflen > 128) {
254 sha512_process_block(ctx->buffer, ctx->buflen & ~127, ctx);
256 ctx->buflen &= 127;
257 /* The regions in the following copy operation cannot overlap. */
258 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
259 ctx->buflen);
262 buffer = (const char *)buffer + add;
263 len -= add;
266 /* Process available complete blocks. */
267 if (len >= 128) {
268 #if !_STRING_ARCH_unaligned
269 /* To check alignment gcc has an appropriate operator. Other
270 compilers don't. */
271 # if __GNUC__ >= 2
272 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
273 # else
274 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
275 # endif
276 if (UNALIGNED_P(buffer))
277 while (len > 128) {
278 sha512_process_block(memcpy(ctx->buffer, buffer, 128), 128,
279 ctx);
280 buffer = (const char *)buffer + 128;
281 len -= 128;
282 } else
283 #endif
285 sha512_process_block(buffer, len & ~127, ctx);
286 buffer = (const char *)buffer + (len & ~127);
287 len &= 127;
291 /* Move remaining bytes into internal buffer. */
292 if (len > 0) {
293 size_t left_over = ctx->buflen;
295 memcpy(&ctx->buffer[left_over], buffer, len);
296 left_over += len;
297 if (left_over >= 128) {
298 sha512_process_block(ctx->buffer, 128, ctx);
299 left_over -= 128;
300 memcpy(ctx->buffer, &ctx->buffer[128], left_over);
302 ctx->buflen = left_over;
306 /* Define our magic string to mark salt for SHA512 "encryption"
307 replacement. */
308 static const char sha512_salt_prefix[] = "$6$";
310 /* Prefix for optional rounds specification. */
311 static const char sha512_rounds_prefix[] = "rounds=";
313 /* Maximum salt string length. */
314 #define SALT_LEN_MAX 16U
315 /* Default number of rounds if not explicitly specified. */
316 #define ROUNDS_DEFAULT 5000UL
317 /* Minimum number of rounds. */
318 #define ROUNDS_MIN 1000UL
319 /* Maximum number of rounds. */
320 #define ROUNDS_MAX 999999999UL
322 /* Table with characters for base64 transformation. */
323 static const char b64t[64] =
324 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
326 static char *sha512_crypt_r(const char *key, const char *salt, char *buffer,
327 int buflen)
329 unsigned char alt_result[64]
330 __attribute__ ((__aligned__(__alignof__(uint64_t))));
331 unsigned char temp_result[64]
332 __attribute__ ((__aligned__(__alignof__(uint64_t))));
333 struct sha512_ctx ctx;
334 struct sha512_ctx alt_ctx;
335 size_t salt_len;
336 size_t key_len;
337 size_t cnt;
338 char *cp;
339 char *copied_key = NULL;
340 char *copied_salt = NULL;
341 char *p_bytes;
342 char *s_bytes;
343 /* Default number of rounds. */
344 size_t rounds = ROUNDS_DEFAULT;
345 bool rounds_custom = false;
347 /* Find beginning of salt string. The prefix should normally always
348 be present. Just in case it is not. */
349 if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
350 /* Skip salt prefix. */
351 salt += sizeof(sha512_salt_prefix) - 1;
353 if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
354 == 0) {
355 const char *num = salt + sizeof(sha512_rounds_prefix) - 1;
356 char *endp;
357 unsigned long int srounds = strtoul(num, &endp, 10);
358 if (*endp == '$') {
359 salt = endp + 1;
360 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
361 rounds_custom = true;
365 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
366 key_len = strlen(key);
368 if ((key - (char *)0) % __alignof__(uint64_t) != 0) {
369 char *tmp = (char *)alloca(key_len + __alignof__(uint64_t));
370 key = copied_key = memcpy(tmp + __alignof__(uint64_t)
371 - (tmp - (char *)0) % __alignof__(uint64_t),
372 key, key_len);
375 if ((salt - (char *)0) % __alignof__(uint64_t) != 0) {
376 char *tmp = (char *)alloca(salt_len + __alignof__(uint64_t));
377 salt = copied_salt = memcpy(tmp + __alignof__(uint64_t)
378 - (tmp - (char *)0) % __alignof__(uint64_t),
379 salt, salt_len);
382 /* Prepare for the real work. */
383 sha512_init_ctx(&ctx);
385 /* Add the key string. */
386 sha512_process_bytes(key, key_len, &ctx);
388 /* The last part is the salt string. This must be at most 8
389 characters and it ends at the first `$' character (for
390 compatibility with existing implementations). */
391 sha512_process_bytes(salt, salt_len, &ctx);
393 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
394 final result will be added to the first context. */
395 sha512_init_ctx(&alt_ctx);
397 /* Add key. */
398 sha512_process_bytes(key, key_len, &alt_ctx);
400 /* Add salt. */
401 sha512_process_bytes(salt, salt_len, &alt_ctx);
403 /* Add key again. */
404 sha512_process_bytes(key, key_len, &alt_ctx);
406 /* Now get result of this (64 bytes) and add it to the other
407 context. */
408 sha512_finish_ctx(&alt_ctx, alt_result);
410 /* Add for any character in the key one byte of the alternate sum. */
411 for (cnt = key_len; cnt > 64; cnt -= 64)
412 sha512_process_bytes(alt_result, 64, &ctx);
413 sha512_process_bytes(alt_result, cnt, &ctx);
415 /* Take the binary representation of the length of the key and for every
416 1 add the alternate sum, for every 0 the key. */
417 for (cnt = key_len; cnt > 0; cnt >>= 1)
418 if ((cnt & 1) != 0)
419 sha512_process_bytes(alt_result, 64, &ctx);
420 else
421 sha512_process_bytes(key, key_len, &ctx);
423 /* Create intermediate result. */
424 sha512_finish_ctx(&ctx, alt_result);
426 /* Start computation of P byte sequence. */
427 sha512_init_ctx(&alt_ctx);
429 /* For every character in the password add the entire password. */
430 for (cnt = 0; cnt < key_len; ++cnt)
431 sha512_process_bytes(key, key_len, &alt_ctx);
433 /* Finish the digest. */
434 sha512_finish_ctx(&alt_ctx, temp_result);
436 /* Create byte sequence P. */
437 cp = p_bytes = alloca(key_len);
438 for (cnt = key_len; cnt >= 64; cnt -= 64)
439 cp = mempcpy(cp, temp_result, 64);
440 memcpy(cp, temp_result, cnt);
442 /* Start computation of S byte sequence. */
443 sha512_init_ctx(&alt_ctx);
445 /* For every character in the password add the entire password. */
446 for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
447 sha512_process_bytes(salt, salt_len, &alt_ctx);
449 /* Finish the digest. */
450 sha512_finish_ctx(&alt_ctx, temp_result);
452 /* Create byte sequence S. */
453 cp = s_bytes = alloca(salt_len);
454 for (cnt = salt_len; cnt >= 64; cnt -= 64)
455 cp = mempcpy(cp, temp_result, 64);
456 memcpy(cp, temp_result, cnt);
458 /* Repeatedly run the collected hash value through SHA512 to burn
459 CPU cycles. */
460 for (cnt = 0; cnt < rounds; ++cnt) {
461 /* New context. */
462 sha512_init_ctx(&ctx);
464 /* Add key or last result. */
465 if ((cnt & 1) != 0)
466 sha512_process_bytes(p_bytes, key_len, &ctx);
467 else
468 sha512_process_bytes(alt_result, 64, &ctx);
470 /* Add salt for numbers not divisible by 3. */
471 if (cnt % 3 != 0)
472 sha512_process_bytes(s_bytes, salt_len, &ctx);
474 /* Add key for numbers not divisible by 7. */
475 if (cnt % 7 != 0)
476 sha512_process_bytes(p_bytes, key_len, &ctx);
478 /* Add key or last result. */
479 if ((cnt & 1) != 0)
480 sha512_process_bytes(alt_result, 64, &ctx);
481 else
482 sha512_process_bytes(p_bytes, key_len, &ctx);
484 /* Create intermediate result. */
485 sha512_finish_ctx(&ctx, alt_result);
488 /* Now we can construct the result string. It consists of three
489 parts. */
490 cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
491 buflen -= sizeof(sha512_salt_prefix) - 1;
493 if (rounds_custom) {
494 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
495 sha512_rounds_prefix, rounds);
496 cp += n;
497 buflen -= n;
500 cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
501 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
503 if (buflen > 0) {
504 *cp++ = '$';
505 --buflen;
507 #define b64_from_24bit(B2, B1, B0, N) \
508 do { \
509 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
510 int n = (N); \
511 while (n-- > 0 && buflen > 0) \
513 *cp++ = b64t[w & 0x3f]; \
514 --buflen; \
515 w >>= 6; \
517 } while (0)
519 b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
520 b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
521 b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
522 b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
523 b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
524 b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
525 b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
526 b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
527 b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
528 b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
529 b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
530 b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
531 b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
532 b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
533 b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
534 b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
535 b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
536 b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
537 b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
538 b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
539 b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
540 b64_from_24bit(0, 0, alt_result[63], 2);
542 if (buflen <= 0) {
543 errno = ERANGE;
544 buffer = NULL;
545 } else
546 *cp = '\0'; /* Terminate the string. */
548 /* Clear the buffer for the intermediate result so that people
549 attaching to processes or reading core dumps cannot get any
550 information. We do it in this way to clear correct_words[]
551 inside the SHA512 implementation as well. */
552 sha512_init_ctx(&ctx);
553 sha512_finish_ctx(&ctx, alt_result);
554 memset(temp_result, '\0', sizeof(temp_result));
555 memset(p_bytes, '\0', key_len);
556 memset(s_bytes, '\0', salt_len);
557 memset(&ctx, '\0', sizeof(ctx));
558 memset(&alt_ctx, '\0', sizeof(alt_ctx));
559 if (copied_key != NULL)
560 memset(copied_key, '\0', key_len);
561 if (copied_salt != NULL)
562 memset(copied_salt, '\0', salt_len);
564 return buffer;
567 /* This entry point is equivalent to the `crypt' function in Unix
568 libcs. */
569 char *sha512_crypt(const char *key, const char *salt)
571 /* We don't want to have an arbitrary limit in the size of the
572 password. We can compute an upper bound for the size of the
573 result in advance and so we can prepare the buffer we pass to
574 `sha512_crypt_r'. */
575 static char *buffer;
576 static int buflen;
577 int needed = (sizeof(sha512_salt_prefix) - 1
578 + sizeof(sha512_rounds_prefix) + 9 + 1
579 + strlen(salt) + 1 + 86 + 1);
581 if (buflen < needed) {
582 char *new_buffer = (char *)realloc(buffer, needed);
583 if (new_buffer == NULL)
584 return NULL;
586 buffer = new_buffer;
587 buflen = needed;
590 return sha512_crypt_r(key, salt, buffer, buflen);
593 #ifdef TEST
594 static const struct {
595 const char *input;
596 const char result[64];
597 } tests[] = {
598 /* Test vectors from FIPS 180-2: appendix C.1. */
600 "abc",
601 "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
602 "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
603 "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
604 "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"},
605 /* Test vectors from FIPS 180-2: appendix C.2. */
607 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
608 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
609 "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
610 "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
611 "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
612 "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"},
613 /* Test vectors from the NESSIE project. */
615 "", "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
616 "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
617 "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
618 "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"},
620 "a", "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
621 "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
622 "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
623 "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"},
625 "message digest",
626 "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
627 "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
628 "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
629 "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"},
631 "abcdefghijklmnopqrstuvwxyz",
632 "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
633 "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
634 "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
635 "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"},
637 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
638 "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
639 "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
640 "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
641 "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"},
643 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
644 "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
645 "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
646 "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
647 "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"},
649 "123456789012345678901234567890123456789012345678901234567890"
650 "12345678901234567890",
651 "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
652 "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
653 "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
654 "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"}
657 #define ntests (sizeof (tests) / sizeof (tests[0]))
659 static const struct {
660 const char *salt;
661 const char *input;
662 const char *expected;
663 } tests2[] = {
665 "$6$saltstring", "Hello world!",
666 "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
667 "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"}, {
668 "$6$rounds=10000$saltstringsaltstring", "Hello world!",
669 "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
670 "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."}, {
671 "$6$rounds=5000$toolongsaltstring", "This is just a test",
672 "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
673 "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"}, {
674 "$6$rounds=1400$anotherlongsaltstring",
675 "a very much longer text to encrypt. This one even stretches over more"
676 "than one line.",
677 "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
678 "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"}, {
679 "$6$rounds=77777$short",
680 "we have a short salt string but not a short password",
681 "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
682 "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"}, {
683 "$6$rounds=123456$asaltof16chars..", "a short string",
684 "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
685 "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"}, {
686 "$6$rounds=10$roundstoolow", "the minimum number is still observed",
687 "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
688 "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."},};
689 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
691 int main(void)
693 struct sha512_ctx ctx;
694 char sum[64];
695 int result = 0;
696 int cnt;
698 for (cnt = 0; cnt < (int)ntests; ++cnt) {
699 sha512_init_ctx(&ctx);
700 sha512_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
701 sha512_finish_ctx(&ctx, sum);
702 if (memcmp(tests[cnt].result, sum, 64) != 0) {
703 printf("test %d run %d failed\n", cnt, 1);
704 result = 1;
707 sha512_init_ctx(&ctx);
708 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
709 sha512_process_bytes(&tests[cnt].input[i], 1, &ctx);
710 sha512_finish_ctx(&ctx, sum);
711 if (memcmp(tests[cnt].result, sum, 64) != 0) {
712 printf("test %d run %d failed\n", cnt, 2);
713 result = 1;
717 /* Test vector from FIPS 180-2: appendix C.3. */
718 char buf[1000];
719 memset(buf, 'a', sizeof(buf));
720 sha512_init_ctx(&ctx);
721 for (int i = 0; i < 1000; ++i)
722 sha512_process_bytes(buf, sizeof(buf), &ctx);
723 sha512_finish_ctx(&ctx, sum);
724 static const char expected[64] =
725 "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
726 "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
727 "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
728 "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
729 if (memcmp(expected, sum, 64) != 0) {
730 printf("test %d failed\n", cnt);
731 result = 1;
734 for (cnt = 0; cnt < ntests2; ++cnt) {
735 char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
737 if (strcmp(cp, tests2[cnt].expected) != 0) {
738 printf("test %d: expected \"%s\", got \"%s\"\n",
739 cnt, tests2[cnt].expected, cp);
740 result = 1;
744 if (result == 0)
745 puts("all tests OK");
747 return result;
749 #endif