1 /* SHA256-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4 #include <alloca.h>
5 #include <endian.h>
6 #include <errno.h>
7 #include <limits.h>
8 #include <stdint.h>
9 #include <stdbool.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <minmax.h>
14 #include <sys/types.h>
15
16 #include "xcrypt.h"
17
18 #define MIN(x,y) min(x,y)
19 #define MAX(x,y) max(x,y)
20
21 /* Structure to save state of computation between the single steps. */
22 struct sha256_ctx {
23 uint32_t H[8];
24
25 uint32_t total[2];
26 uint32_t buflen;
27 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
28 };
29
30 #if __BYTE_ORDER == __LITTLE_ENDIAN
31 # define SWAP(n) \
32 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
33 #else
34 # define SWAP(n) (n)
35 #endif
36
37 /* This array contains the bytes used to pad the buffer to the next
38 64-byte boundary. (FIPS 180-2:5.1.1) */
39 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
40
41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
42 static const uint32_t K[64] = {
43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
44 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
45 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
46 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
47 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
48 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
49 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
50 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
51 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
52 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
53 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
54 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
55 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
56 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
57 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
58 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
59 };
60
61 /* Process LEN bytes of BUFFER, accumulating context into CTX.
62 It is assumed that LEN % 64 == 0. */
63 static void
sha256_process_block(const void * buffer,size_t len,struct sha256_ctx * ctx)64 sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
65 {
66 unsigned int t;
67 const uint32_t *words = buffer;
68 size_t nwords = len / sizeof(uint32_t);
69 uint32_t a = ctx->H[0];
70 uint32_t b = ctx->H[1];
71 uint32_t c = ctx->H[2];
72 uint32_t d = ctx->H[3];
73 uint32_t e = ctx->H[4];
74 uint32_t f = ctx->H[5];
75 uint32_t g = ctx->H[6];
76 uint32_t h = ctx->H[7];
77
78 /* First increment the byte count. FIPS 180-2 specifies the possible
79 length of the file up to 2^64 bits. Here we only compute the
80 number of bytes. Do a double word increment. */
81 ctx->total[0] += len;
82 if (ctx->total[0] < len)
83 ++ctx->total[1];
84
85 /* Process all bytes in the buffer with 64 bytes in each round of
86 the loop. */
87 while (nwords > 0) {
88 uint32_t W[64];
89 uint32_t a_save = a;
90 uint32_t b_save = b;
91 uint32_t c_save = c;
92 uint32_t d_save = d;
93 uint32_t e_save = e;
94 uint32_t f_save = f;
95 uint32_t g_save = g;
96 uint32_t h_save = h;
97
98 /* Operators defined in FIPS 180-2:4.1.2. */
99 #define Ch(x, y, z) ((x & y) ^ (~x & z))
100 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
101 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
102 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
103 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
104 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
105
106 /* It is unfortunate that C does not provide an operator for
107 cyclic rotation. Hope the C compiler is smart enough. */
108 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
109
110 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
111 for (t = 0; t < 16; ++t) {
112 W[t] = SWAP(*words);
113 ++words;
114 }
115 for (t = 16; t < 64; ++t)
116 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
117
118 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
119 for (t = 0; t < 64; ++t) {
120 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
121 uint32_t T2 = S0(a) + Maj(a, b, c);
122 h = g;
123 g = f;
124 f = e;
125 e = d + T1;
126 d = c;
127 c = b;
128 b = a;
129 a = T1 + T2;
130 }
131
132 /* Add the starting values of the context according to FIPS 180-2:6.2.2
133 step 4. */
134 a += a_save;
135 b += b_save;
136 c += c_save;
137 d += d_save;
138 e += e_save;
139 f += f_save;
140 g += g_save;
141 h += h_save;
142
143 /* Prepare for the next round. */
144 nwords -= 16;
145 }
146
147 /* Put checksum in context given as argument. */
148 ctx->H[0] = a;
149 ctx->H[1] = b;
150 ctx->H[2] = c;
151 ctx->H[3] = d;
152 ctx->H[4] = e;
153 ctx->H[5] = f;
154 ctx->H[6] = g;
155 ctx->H[7] = h;
156 }
157
158 /* Initialize structure containing state of computation.
159 (FIPS 180-2:5.3.2) */
sha256_init_ctx(struct sha256_ctx * ctx)160 static void sha256_init_ctx(struct sha256_ctx *ctx)
161 {
162 ctx->H[0] = 0x6a09e667;
163 ctx->H[1] = 0xbb67ae85;
164 ctx->H[2] = 0x3c6ef372;
165 ctx->H[3] = 0xa54ff53a;
166 ctx->H[4] = 0x510e527f;
167 ctx->H[5] = 0x9b05688c;
168 ctx->H[6] = 0x1f83d9ab;
169 ctx->H[7] = 0x5be0cd19;
170
171 ctx->total[0] = ctx->total[1] = 0;
172 ctx->buflen = 0;
173 }
174
175 /* Process the remaining bytes in the internal buffer and the usual
176 prolog according to the standard and write the result to RESBUF.
177
178 IMPORTANT: On some systems it is required that RESBUF is correctly
179 aligned for a 32 bits value. */
sha256_finish_ctx(struct sha256_ctx * ctx,void * resbuf)180 static void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
181 {
182 unsigned int i;
183 /* Take yet unprocessed bytes into account. */
184 uint32_t bytes = ctx->buflen;
185 size_t pad;
186
187 /* Now count remaining bytes. */
188 ctx->total[0] += bytes;
189 if (ctx->total[0] < bytes)
190 ++ctx->total[1];
191
192 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
193 memcpy(&ctx->buffer[bytes], fillbuf, pad);
194
195 /* Put the 64-bit file length in *bits* at the end of the buffer. */
196 *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SWAP(ctx->total[0] << 3);
197 *(uint32_t *) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) |
198 (ctx->total[0] >> 29));
199
200 /* Process last bytes. */
201 sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
202
203 /* Put result from CTX in first 32 bytes following RESBUF. */
204 for (i = 0; i < 8; ++i)
205 ((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
206
207 return resbuf;
208 }
209
210 static void
sha256_process_bytes(const void * buffer,size_t len,struct sha256_ctx * ctx)211 sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
212 {
213 /* When we already have some bits in our internal buffer concatenate
214 both inputs first. */
215 if (ctx->buflen != 0) {
216 size_t left_over = ctx->buflen;
217 size_t add = 128 - left_over > len ? len : 128 - left_over;
218
219 memcpy(&ctx->buffer[left_over], buffer, add);
220 ctx->buflen += add;
221
222 if (ctx->buflen > 64) {
223 sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
224
225 ctx->buflen &= 63;
226 /* The regions in the following copy operation cannot overlap. */
227 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
228 ctx->buflen);
229 }
230
231 buffer = (const char *)buffer + add;
232 len -= add;
233 }
234
235 /* Process available complete blocks. */
236 if (len >= 64) {
237 /* To check alignment gcc has an appropriate operator. Other
238 compilers don't. */
239 #if __GNUC__ >= 2
240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
241 #else
242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
243 #endif
244 if (UNALIGNED_P(buffer))
245 while (len > 64) {
246 sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
247 buffer = (const char *)buffer + 64;
248 len -= 64;
249 } else {
250 sha256_process_block(buffer, len & ~63, ctx);
251 buffer = (const char *)buffer + (len & ~63);
252 len &= 63;
253 }
254 }
255
256 /* Move remaining bytes into internal buffer. */
257 if (len > 0) {
258 size_t left_over = ctx->buflen;
259
260 memcpy(&ctx->buffer[left_over], buffer, len);
261 left_over += len;
262 if (left_over >= 64) {
263 sha256_process_block(ctx->buffer, 64, ctx);
264 left_over -= 64;
265 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
266 }
267 ctx->buflen = left_over;
268 }
269 }
270
271 /* Define our magic string to mark salt for SHA256 "encryption"
272 replacement. */
273 static const char sha256_salt_prefix[] = "$5$";
274
275 /* Prefix for optional rounds specification. */
276 static const char sha256_rounds_prefix[] = "rounds=";
277
278 /* Maximum salt string length. */
279 #define SALT_LEN_MAX 16U
280 /* Default number of rounds if not explicitly specified. */
281 #define ROUNDS_DEFAULT 5000UL
282 /* Minimum number of rounds. */
283 #define ROUNDS_MIN 1000UL
284 /* Maximum number of rounds. */
285 #define ROUNDS_MAX 999999999UL
286
287 /* Table with characters for base64 transformation. */
288 static const char b64t[64] =
289 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
290
sha256_crypt_r(const char * key,const char * salt,char * buffer,int buflen)291 static char *sha256_crypt_r(const char *key, const char *salt, char *buffer,
292 int buflen)
293 {
294 unsigned char alt_result[32]
295 __attribute__ ((__aligned__(__alignof__(uint32_t))));
296 unsigned char temp_result[32]
297 __attribute__ ((__aligned__(__alignof__(uint32_t))));
298 struct sha256_ctx ctx;
299 struct sha256_ctx alt_ctx;
300 size_t salt_len;
301 size_t key_len;
302 size_t cnt;
303 char *cp;
304 char *copied_key = NULL;
305 char *copied_salt = NULL;
306 char *p_bytes;
307 char *s_bytes;
308 /* Default number of rounds. */
309 size_t rounds = ROUNDS_DEFAULT;
310 bool rounds_custom = false;
311
312 /* Find beginning of salt string. The prefix should normally always
313 be present. Just in case it is not. */
314 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
315 /* Skip salt prefix. */
316 salt += sizeof(sha256_salt_prefix) - 1;
317
318 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
319 == 0) {
320 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
321 char *endp;
322 unsigned long int srounds = strtoul(num, &endp, 10);
323 if (*endp == '$') {
324 salt = endp + 1;
325 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
326 rounds_custom = true;
327 }
328 }
329
330 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
331 key_len = strlen(key);
332
333 if ((key - (char *)0) % __alignof__(uint32_t) != 0) {
334 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t));
335 key = copied_key = memcpy(tmp + __alignof__(uint32_t)
336 - (tmp - (char *)0) % __alignof__(uint32_t),
337 key, key_len);
338 }
339
340 if ((salt - (char *)0) % __alignof__(uint32_t) != 0) {
341 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t));
342 salt = copied_salt = memcpy(tmp + __alignof__(uint32_t)
343 - (tmp - (char *)0) % __alignof__(uint32_t),
344 salt, salt_len);
345 }
346
347 /* Prepare for the real work. */
348 sha256_init_ctx(&ctx);
349
350 /* Add the key string. */
351 sha256_process_bytes(key, key_len, &ctx);
352
353 /* The last part is the salt string. This must be at most 8
354 characters and it ends at the first `$' character (for
355 compatibility with existing implementations). */
356 sha256_process_bytes(salt, salt_len, &ctx);
357
358 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
359 final result will be added to the first context. */
360 sha256_init_ctx(&alt_ctx);
361
362 /* Add key. */
363 sha256_process_bytes(key, key_len, &alt_ctx);
364
365 /* Add salt. */
366 sha256_process_bytes(salt, salt_len, &alt_ctx);
367
368 /* Add key again. */
369 sha256_process_bytes(key, key_len, &alt_ctx);
370
371 /* Now get result of this (32 bytes) and add it to the other
372 context. */
373 sha256_finish_ctx(&alt_ctx, alt_result);
374
375 /* Add for any character in the key one byte of the alternate sum. */
376 for (cnt = key_len; cnt > 32; cnt -= 32)
377 sha256_process_bytes(alt_result, 32, &ctx);
378 sha256_process_bytes(alt_result, cnt, &ctx);
379
380 /* Take the binary representation of the length of the key and for every
381 1 add the alternate sum, for every 0 the key. */
382 for (cnt = key_len; cnt; cnt >>= 1)
383 if ((cnt & 1) != 0)
384 sha256_process_bytes(alt_result, 32, &ctx);
385 else
386 sha256_process_bytes(key, key_len, &ctx);
387
388 /* Create intermediate result. */
389 sha256_finish_ctx(&ctx, alt_result);
390
391 /* Start computation of P byte sequence. */
392 sha256_init_ctx(&alt_ctx);
393
394 /* For every character in the password add the entire password. */
395 for (cnt = 0; cnt < key_len; ++cnt)
396 sha256_process_bytes(key, key_len, &alt_ctx);
397
398 /* Finish the digest. */
399 sha256_finish_ctx(&alt_ctx, temp_result);
400
401 /* Create byte sequence P. */
402 cp = p_bytes = alloca(key_len);
403 for (cnt = key_len; cnt >= 32; cnt -= 32)
404 cp = mempcpy(cp, temp_result, 32);
405 memcpy(cp, temp_result, cnt);
406
407 /* Start computation of S byte sequence. */
408 sha256_init_ctx(&alt_ctx);
409
410 /* For every character in the password add the entire password. */
411 for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
412 sha256_process_bytes(salt, salt_len, &alt_ctx);
413
414 /* Finish the digest. */
415 sha256_finish_ctx(&alt_ctx, temp_result);
416
417 /* Create byte sequence S. */
418 cp = s_bytes = alloca(salt_len);
419 for (cnt = salt_len; cnt >= 32; cnt -= 32)
420 cp = mempcpy(cp, temp_result, 32);
421 memcpy(cp, temp_result, cnt);
422
423 /* Repeatedly run the collected hash value through SHA256 to burn
424 CPU cycles. */
425 for (cnt = 0; cnt < rounds; ++cnt) {
426 /* New context. */
427 sha256_init_ctx(&ctx);
428
429 /* Add key or last result. */
430 if ((cnt & 1) != 0)
431 sha256_process_bytes(p_bytes, key_len, &ctx);
432 else
433 sha256_process_bytes(alt_result, 32, &ctx);
434
435 /* Add salt for numbers not divisible by 3. */
436 if (cnt % 3 != 0)
437 sha256_process_bytes(s_bytes, salt_len, &ctx);
438
439 /* Add key for numbers not divisible by 7. */
440 if (cnt % 7 != 0)
441 sha256_process_bytes(p_bytes, key_len, &ctx);
442
443 /* Add key or last result. */
444 if ((cnt & 1) != 0)
445 sha256_process_bytes(alt_result, 32, &ctx);
446 else
447 sha256_process_bytes(p_bytes, key_len, &ctx);
448
449 /* Create intermediate result. */
450 sha256_finish_ctx(&ctx, alt_result);
451 }
452
453 /* Now we can construct the result string. It consists of three
454 parts. */
455 cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
456 buflen -= sizeof(sha256_salt_prefix) - 1;
457
458 if (rounds_custom) {
459 int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
460 sha256_rounds_prefix, rounds);
461 cp += n;
462 buflen -= n;
463 }
464
465 cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
466 buflen -= MIN((size_t) MAX(0, buflen), salt_len);
467
468 if (buflen > 0) {
469 *cp++ = '$';
470 --buflen;
471 }
472 #define b64_from_24bit(B2, B1, B0, N) \
473 do { \
474 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
475 int n = (N); \
476 while (n-- > 0 && buflen > 0) \
477 { \
478 *cp++ = b64t[w & 0x3f]; \
479 --buflen; \
480 w >>= 6; \
481 } \
482 } while (0)
483
484 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
485 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
486 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
487 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
488 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
489 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
490 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
491 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
492 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
493 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
494 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
495 if (buflen <= 0) {
496 errno = ERANGE;
497 buffer = NULL;
498 } else
499 *cp = '\0'; /* Terminate the string. */
500
501 /* Clear the buffer for the intermediate result so that people
502 attaching to processes or reading core dumps cannot get any
503 information. We do it in this way to clear correct_words[]
504 inside the SHA256 implementation as well. */
505 sha256_init_ctx(&ctx);
506 sha256_finish_ctx(&ctx, alt_result);
507 memset(temp_result, '\0', sizeof(temp_result));
508 memset(p_bytes, '\0', key_len);
509 memset(s_bytes, '\0', salt_len);
510 memset(&ctx, '\0', sizeof(ctx));
511 memset(&alt_ctx, '\0', sizeof(alt_ctx));
512 if (copied_key != NULL)
513 memset(copied_key, '\0', key_len);
514 if (copied_salt != NULL)
515 memset(copied_salt, '\0', salt_len);
516
517 return buffer;
518 }
519
520 /* This entry point is equivalent to the `crypt' function in Unix
521 libcs. */
sha256_crypt(const char * key,const char * salt)522 char *sha256_crypt(const char *key, const char *salt)
523 {
524 /* We don't want to have an arbitrary limit in the size of the
525 password. We can compute an upper bound for the size of the
526 result in advance and so we can prepare the buffer we pass to
527 `sha256_crypt_r'. */
528 static char *buffer;
529 static int buflen;
530 int needed = (sizeof(sha256_salt_prefix) - 1
531 + sizeof(sha256_rounds_prefix) + 9 + 1
532 + strlen(salt) + 1 + 43 + 1);
533
534 if (buflen < needed) {
535 char *new_buffer = (char *)realloc(buffer, needed);
536 if (new_buffer == NULL)
537 return NULL;
538
539 buffer = new_buffer;
540 buflen = needed;
541 }
542
543 return sha256_crypt_r(key, salt, buffer, buflen);
544 }
545
546 #ifdef TEST
547 static const struct {
548 const char *input;
549 const char result[32];
550 } tests[] = {
551 /* Test vectors from FIPS 180-2: appendix B.1. */
552 {
553 "abc",
554 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
555 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"},
556 /* Test vectors from FIPS 180-2: appendix B.2. */
557 {
558 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
559 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
560 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
561 /* Test vectors from the NESSIE project. */
562 {
563 "", "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
564 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"},
565 {
566 "a", "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
567 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"},
568 {
569 "message digest",
570 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
571 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"},
572 {
573 "abcdefghijklmnopqrstuvwxyz",
574 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
575 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"},
576 {
577 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
578 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
579 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
580 {
581 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
582 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
583 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"},
584 {
585 "123456789012345678901234567890123456789012345678901234567890"
586 "12345678901234567890",
587 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
588 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"}
589 };
590
591 #define ntests (sizeof (tests) / sizeof (tests[0]))
592
593 static const struct {
594 const char *salt;
595 const char *input;
596 const char *expected;
597 } tests2[] = {
598 {
599 "$5$saltstring", "Hello world!",
600 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"}, {
601 "$5$rounds=10000$saltstringsaltstring", "Hello world!",
602 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
603 "opqey6IcA"}, {
604 "$5$rounds=5000$toolongsaltstring", "This is just a test",
605 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
606 "mGRcvxa5"}, {
607 "$5$rounds=1400$anotherlongsaltstring",
608 "a very much longer text to encrypt. This one even stretches over more"
609 "than one line.",
610 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
611 "oP84Bnq1"}, {
612 "$5$rounds=77777$short",
613 "we have a short salt string but not a short password",
614 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"},
615 {
616 "$5$rounds=123456$asaltof16chars..", "a short string",
617 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
618 "cZKmF/wJvD"}, {
619 "$5$rounds=10$roundstoolow", "the minimum number is still observed",
620 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
621 "2bIC"},};
622 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
623
main(void)624 int main(void)
625 {
626 struct sha256_ctx ctx;
627 char sum[32];
628 int result = 0;
629 int cnt;
630
631 for (cnt = 0; cnt < (int)ntests; ++cnt) {
632 sha256_init_ctx(&ctx);
633 sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
634 sha256_finish_ctx(&ctx, sum);
635 if (memcmp(tests[cnt].result, sum, 32) != 0) {
636 printf("test %d run %d failed\n", cnt, 1);
637 result = 1;
638 }
639
640 sha256_init_ctx(&ctx);
641 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
642 sha256_process_bytes(&tests[cnt].input[i], 1, &ctx);
643 sha256_finish_ctx(&ctx, sum);
644 if (memcmp(tests[cnt].result, sum, 32) != 0) {
645 printf("test %d run %d failed\n", cnt, 2);
646 result = 1;
647 }
648 }
649
650 /* Test vector from FIPS 180-2: appendix B.3. */
651 char buf[1000];
652 memset(buf, 'a', sizeof(buf));
653 sha256_init_ctx(&ctx);
654 for (int i = 0; i < 1000; ++i)
655 sha256_process_bytes(buf, sizeof(buf), &ctx);
656 sha256_finish_ctx(&ctx, sum);
657 static const char expected[32] =
658 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
659 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
660 if (memcmp(expected, sum, 32) != 0) {
661 printf("test %d failed\n", cnt);
662 result = 1;
663 }
664
665 for (cnt = 0; cnt < ntests2; ++cnt) {
666 char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
667
668 if (strcmp(cp, tests2[cnt].expected) != 0) {
669 printf("test %d: expected \"%s\", got \"%s\"\n",
670 cnt, tests2[cnt].expected, cp);
671 result = 1;
672 }
673 }
674
675 if (result == 0)
676 puts("all tests OK");
677
678 return result;
679 }
680 #endif
681