1 /*
2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
4 */
5 #include <errno.h>
6 #include <limits.h>
7 #include <stdint.h>
8 #include <stdbool.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16 #include "crypt.h"
17 #include "local.h"
18
19 #if _BYTE_ORDER == _LITTLE_ENDIAN
20 # define SWAP(n) \
21 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
22 #else
23 # define SWAP(n) (n)
24 #endif
25
26
27 /* This array contains the bytes used to pad the buffer to the next
28 64-byte boundary. (FIPS 180-2:5.1.1) */
29 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
30
31
32 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
33 static const uint32_t K[64] =
34 {
35 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
36 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
37 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
38 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
39 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
40 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
41 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
42 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
43 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
44 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
45 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
46 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
47 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
48 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
49 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
50 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
51 };
52
53
54 /* Process LEN bytes of BUFFER, accumulating context into CTX.
55 It is assumed that LEN % 64 == 0. */
56 void
__crypt__sha256_process_block(const void * buffer,size_t len,struct sha256_ctx * ctx)57 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
58 {
59 const uint32_t *words = buffer;
60 size_t nwords = len / sizeof (uint32_t);
61 uint32_t a = ctx->H[0];
62 uint32_t b = ctx->H[1];
63 uint32_t c = ctx->H[2];
64 uint32_t d = ctx->H[3];
65 uint32_t e = ctx->H[4];
66 uint32_t f = ctx->H[5];
67 uint32_t g = ctx->H[6];
68 uint32_t h = ctx->H[7];
69
70 /* First increment the byte count. FIPS 180-2 specifies the possible
71 length of the file up to 2^64 bits. Here we only compute the
72 number of bytes. Do a double word increment. */
73 ctx->total[0] += len;
74 if (ctx->total[0] < len)
75 ++ctx->total[1];
76
77 /* Process all bytes in the buffer with 64 bytes in each round of
78 the loop. */
79 while (nwords > 0)
80 {
81 uint32_t W[64];
82 uint32_t a_save = a;
83 uint32_t b_save = b;
84 uint32_t c_save = c;
85 uint32_t d_save = d;
86 uint32_t e_save = e;
87 uint32_t f_save = f;
88 uint32_t g_save = g;
89 uint32_t h_save = h;
90
91 /* Operators defined in FIPS 180-2:4.1.2. */
92 #define Ch(x, y, z) ((x & y) ^ (~x & z))
93 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
94 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
95 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
96 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
97 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
98
99 /* It is unfortunate that C does not provide an operator for
100 cyclic rotation. Hope the C compiler is smart enough. */
101 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
102
103 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
104 for (unsigned int t = 0; t < 16; ++t)
105 {
106 W[t] = SWAP (*words);
107 ++words;
108 }
109 for (unsigned int t = 16; t < 64; ++t)
110 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
111
112 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
113 for (unsigned int t = 0; t < 64; ++t)
114 {
115 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
116 uint32_t T2 = S0 (a) + Maj (a, b, c);
117 h = g;
118 g = f;
119 f = e;
120 e = d + T1;
121 d = c;
122 c = b;
123 b = a;
124 a = T1 + T2;
125 }
126
127 /* Add the starting values of the context according to FIPS 180-2:6.2.2
128 step 4. */
129 a += a_save;
130 b += b_save;
131 c += c_save;
132 d += d_save;
133 e += e_save;
134 f += f_save;
135 g += g_save;
136 h += h_save;
137
138 /* Prepare for the next round. */
139 nwords -= 16;
140 }
141
142 /* Put checksum in context given as argument. */
143 ctx->H[0] = a;
144 ctx->H[1] = b;
145 ctx->H[2] = c;
146 ctx->H[3] = d;
147 ctx->H[4] = e;
148 ctx->H[5] = f;
149 ctx->H[6] = g;
150 ctx->H[7] = h;
151 }
152
153
154 /* Initialize structure containing state of computation.
155 (FIPS 180-2:5.3.2) */
156 void
__crypt__sha256_init_ctx(struct sha256_ctx * ctx)157 __crypt__sha256_init_ctx (struct sha256_ctx *ctx)
158 {
159 ctx->H[0] = 0x6a09e667;
160 ctx->H[1] = 0xbb67ae85;
161 ctx->H[2] = 0x3c6ef372;
162 ctx->H[3] = 0xa54ff53a;
163 ctx->H[4] = 0x510e527f;
164 ctx->H[5] = 0x9b05688c;
165 ctx->H[6] = 0x1f83d9ab;
166 ctx->H[7] = 0x5be0cd19;
167
168 ctx->total[0] = ctx->total[1] = 0;
169 ctx->buflen = 0;
170 }
171
172
173 /* Process the remaining bytes in the internal buffer and the usual
174 prolog according to the standard and write the result to RESBUF.
175
176 IMPORTANT: On some systems it is required that RESBUF is correctly
177 aligned for a 32 bits value. */
178 void *
__crypt__sha256_finish_ctx(struct sha256_ctx * ctx,void * resbuf)179 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
180 {
181 /* Take yet unprocessed bytes into account. */
182 uint32_t bytes = ctx->buflen;
183 size_t pad;
184
185 /* Now count remaining bytes. */
186 ctx->total[0] += bytes;
187 if (ctx->total[0] < bytes)
188 ++ctx->total[1];
189
190 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
191 memcpy (&ctx->buffer[bytes], fillbuf, pad);
192
193 /* Put the 64-bit file length in *bits* at the end of the buffer. */
194 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
195 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
196 (ctx->total[0] >> 29));
197
198 /* Process last bytes. */
199 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
200
201 /* Put result from CTX in first 32 bytes following RESBUF. */
202 for (unsigned int i = 0; i < 8; ++i)
203 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
204
205 return resbuf;
206 }
207
208 void
__crypt__sha256_process_bytes(const void * buffer,size_t len,struct sha256_ctx * ctx)209 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
210 {
211 /* When we already have some bits in our internal buffer concatenate
212 both inputs first. */
213 if (ctx->buflen != 0)
214 {
215 size_t left_over = ctx->buflen;
216 size_t add = 128 - left_over > len ? len : 128 - left_over;
217
218 memcpy (&ctx->buffer[left_over], buffer, add);
219 ctx->buflen += add;
220
221 if (ctx->buflen > 64)
222 {
223 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
224
225 ctx->buflen &= 63;
226 /* The regions in the following copy operation cannot overlap. */
227 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
228 ctx->buflen);
229 }
230
231 buffer = (const char *) buffer + add;
232 len -= add;
233 }
234
235 /* Process available complete blocks. */
236 if (len >= 64)
237 {
238 /* To check alignment gcc has an appropriate operator. Other
239 compilers don't. */
240 #if __GNUC__ >= 2
241 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
242 #else
243 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
244 #endif
245 if (UNALIGNED_P (buffer))
246 while (len > 64)
247 {
248 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
249 buffer = (const char *) buffer + 64;
250 len -= 64;
251 }
252 else
253 {
254 __crypt__sha256_process_block (buffer, len & ~63, ctx);
255 buffer = (const char *) buffer + (len & ~63);
256 len &= 63;
257 }
258 }
259
260 /* Move remaining bytes into internal buffer. */
261 if (len > 0)
262 {
263 size_t left_over = ctx->buflen;
264
265 memcpy (&ctx->buffer[left_over], buffer, len);
266 left_over += len;
267 if (left_over >= 64)
268 {
269 __crypt__sha256_process_block (ctx->buffer, 64, ctx);
270 left_over -= 64;
271 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
272 }
273 ctx->buflen = left_over;
274 }
275 }
276
277
278 /* Define our magic string to mark salt for SHA256 "encryption"
279 replacement. */
280 static const char sha256_salt_prefix[] = "$5$";
281
282 /* Prefix for optional rounds specification. */
283 static const char sha256_rounds_prefix[] = "rounds=";
284
285 /* Maximum salt string length. */
286 #define SALT_LEN_MAX 16
287 /* Default number of rounds if not explicitly specified. */
288 #define ROUNDS_DEFAULT 5000
289 /* Minimum number of rounds. */
290 #define ROUNDS_MIN 1000
291 /* Maximum number of rounds. */
292 #define ROUNDS_MAX 999999999
293
294 /* Table with characters for base64 transformation. */
295 static const char b64t[64] =
296 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
297
298
299 static char *
crypt_sha256_r(const char * key,const char * salt,char * buffer,int buflen)300 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen)
301 {
302 unsigned char alt_result[32]
303 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
304 unsigned char temp_result[32]
305 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
306 struct sha256_ctx ctx;
307 struct sha256_ctx alt_ctx;
308 size_t salt_len;
309 size_t key_len;
310 size_t cnt;
311 char *cp;
312 char *copied_key = NULL;
313 char *copied_salt = NULL;
314 char *p_bytes;
315 char *s_bytes;
316 /* Default number of rounds. */
317 size_t rounds = ROUNDS_DEFAULT;
318 bool rounds_custom = false;
319
320 /* Find beginning of salt string. The prefix should normally always
321 be present. Just in case it is not. */
322 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
323 /* Skip salt prefix. */
324 salt += sizeof (sha256_salt_prefix) - 1;
325
326 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
327 == 0)
328 {
329 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
330 char *endp;
331 unsigned long int srounds = strtoul (num, &endp, 10);
332 if (*endp == '$')
333 {
334 salt = endp + 1;
335 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
336 rounds_custom = true;
337 }
338 }
339
340 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
341 key_len = strlen (key);
342
343 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
344 {
345 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
346 key = copied_key =
347 memcpy (tmp + __alignof__ (uint32_t)
348 - (tmp - (char *) 0) % __alignof__ (uint32_t),
349 key, key_len);
350 }
351
352 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
353 {
354 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
355 salt = copied_salt =
356 memcpy (tmp + __alignof__ (uint32_t)
357 - (tmp - (char *) 0) % __alignof__ (uint32_t),
358 salt, salt_len);
359 }
360
361 /* Prepare for the real work. */
362 __crypt__sha256_init_ctx (&ctx);
363
364 /* Add the key string. */
365 __crypt__sha256_process_bytes (key, key_len, &ctx);
366
367 /* The last part is the salt string. This must be at most 16
368 characters and it ends at the first `$' character (for
369 compatibility with existing implementations). */
370 __crypt__sha256_process_bytes (salt, salt_len, &ctx);
371
372
373 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
374 final result will be added to the first context. */
375 __crypt__sha256_init_ctx (&alt_ctx);
376
377 /* Add key. */
378 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
379
380 /* Add salt. */
381 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
382
383 /* Add key again. */
384 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
385
386 /* Now get result of this (32 bytes) and add it to the other
387 context. */
388 __crypt__sha256_finish_ctx (&alt_ctx, alt_result);
389
390 /* Add for any character in the key one byte of the alternate sum. */
391 for (cnt = key_len; cnt > 32; cnt -= 32)
392 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
393 __crypt__sha256_process_bytes (alt_result, cnt, &ctx);
394
395 /* Take the binary representation of the length of the key and for every
396 1 add the alternate sum, for every 0 the key. */
397 for (cnt = key_len; cnt > 0; cnt >>= 1)
398 if ((cnt & 1) != 0)
399 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
400 else
401 __crypt__sha256_process_bytes (key, key_len, &ctx);
402
403 /* Create intermediate result. */
404 __crypt__sha256_finish_ctx (&ctx, alt_result);
405
406 /* Start computation of P byte sequence. */
407 __crypt__sha256_init_ctx (&alt_ctx);
408
409 /* For every character in the password add the entire password. */
410 for (cnt = 0; cnt < key_len; ++cnt)
411 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
412
413 /* Finish the digest. */
414 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
415
416 /* Create byte sequence P. */
417 cp = p_bytes = alloca (key_len);
418 for (cnt = key_len; cnt >= 32; cnt -= 32)
419 cp = mempcpy (cp, temp_result, 32);
420 memcpy (cp, temp_result, cnt);
421
422 /* Start computation of S byte sequence. */
423 __crypt__sha256_init_ctx (&alt_ctx);
424
425 /* For every character in the password add the entire password. */
426 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
427 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
428
429 /* Finish the digest. */
430 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
431
432 /* Create byte sequence S. */
433 cp = s_bytes = alloca (salt_len);
434 for (cnt = salt_len; cnt >= 32; cnt -= 32)
435 cp = mempcpy (cp, temp_result, 32);
436 memcpy (cp, temp_result, cnt);
437
438 /* Repeatedly run the collected hash value through SHA256 to burn
439 CPU cycles. */
440 for (cnt = 0; cnt < rounds; ++cnt)
441 {
442 /* New context. */
443 __crypt__sha256_init_ctx (&ctx);
444
445 /* Add key or last result. */
446 if ((cnt & 1) != 0)
447 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
448 else
449 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
450
451 /* Add salt for numbers not divisible by 3. */
452 if (cnt % 3 != 0)
453 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx);
454
455 /* Add key for numbers not divisible by 7. */
456 if (cnt % 7 != 0)
457 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
458
459 /* Add key or last result. */
460 if ((cnt & 1) != 0)
461 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
462 else
463 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
464
465 /* Create intermediate result. */
466 __crypt__sha256_finish_ctx (&ctx, alt_result);
467 }
468
469 /* Now we can construct the result string. It consists of three
470 parts. */
471 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
472 buflen -= sizeof (sha256_salt_prefix) - 1;
473
474 if (rounds_custom)
475 {
476 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
477 sha256_rounds_prefix, rounds);
478 cp += n;
479 buflen -= n;
480 }
481
482 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
483 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
484
485 if (buflen > 0)
486 {
487 *cp++ = '$';
488 --buflen;
489 }
490
491 #define b64_from_24bit(B2, B1, B0, N) \
492 do { \
493 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
494 int n = (N); \
495 while (n-- > 0 && buflen > 0) \
496 { \
497 *cp++ = b64t[w & 0x3f]; \
498 --buflen; \
499 w >>= 6; \
500 } \
501 } while (0)
502
503 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
504 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
505 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
506 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
507 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
508 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
509 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
510 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
511 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
512 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
513 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
514 if (buflen <= 0)
515 {
516 errno = ERANGE;
517 buffer = NULL;
518 }
519 else
520 *cp = '\0'; /* Terminate the string. */
521
522 /* Clear the buffer for the intermediate result so that people
523 attaching to processes or reading core dumps cannot get any
524 information. We do it in this way to clear correct_words[]
525 inside the SHA256 implementation as well. */
526 __crypt__sha256_init_ctx (&ctx);
527 __crypt__sha256_finish_ctx (&ctx, alt_result);
528 memset (temp_result, '\0', sizeof (temp_result));
529 memset (p_bytes, '\0', key_len);
530 memset (s_bytes, '\0', salt_len);
531 memset (&ctx, '\0', sizeof (ctx));
532 memset (&alt_ctx, '\0', sizeof (alt_ctx));
533 if (copied_key != NULL)
534 memset (copied_key, '\0', key_len);
535 if (copied_salt != NULL)
536 memset (copied_salt, '\0', salt_len);
537
538 return buffer;
539 }
540
541
542 /* This entry point is equivalent to the `crypt' function in Unix
543 libcs. */
544 char *
crypt_sha256(const char * key,const char * salt)545 crypt_sha256 (const char *key, const char *salt)
546 {
547 /* We don't want to have an arbitrary limit in the size of the
548 password. We can compute an upper bound for the size of the
549 result in advance and so we can prepare the buffer we pass to
550 `crypt_sha256_r'. */
551 static char *buffer;
552 static int buflen;
553 int needed = (sizeof (sha256_salt_prefix) - 1
554 + sizeof (sha256_rounds_prefix) + 9 + 1
555 + strlen (salt) + 1 + 43 + 1);
556
557 if (buflen < needed)
558 {
559 char *new_buffer = (char *) realloc (buffer, needed);
560 if (new_buffer == NULL)
561 return NULL;
562
563 buffer = new_buffer;
564 buflen = needed;
565 }
566
567 return crypt_sha256_r (key, salt, buffer, buflen);
568 }
569
570
571 #ifdef TEST
572 static const struct
573 {
574 const char *input;
575 const char result[32];
576 } tests[] =
577 {
578 /* Test vectors from FIPS 180-2: appendix B.1. */
579 { "abc",
580 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
581 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
582 /* Test vectors from FIPS 180-2: appendix B.2. */
583 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
584 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
585 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
586 /* Test vectors from the NESSIE project. */
587 { "",
588 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
589 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
590 { "a",
591 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
592 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
593 { "message digest",
594 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
595 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
596 { "abcdefghijklmnopqrstuvwxyz",
597 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
598 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
599 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
600 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
601 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
602 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
603 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
604 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
605 { "123456789012345678901234567890123456789012345678901234567890"
606 "12345678901234567890",
607 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
608 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
609 };
610 #define ntests (NELEM(tests))
611
612
613 static const struct
614 {
615 const char *salt;
616 const char *input;
617 const char *expected;
618 } tests2[] =
619 {
620 { "$5$saltstring", "Hello world!",
621 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
622 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
623 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
624 "opqey6IcA" },
625 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
626 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
627 "mGRcvxa5" },
628 { "$5$rounds=1400$anotherlongsaltstring",
629 "a very much longer text to encrypt. This one even stretches over more"
630 "than one line.",
631 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
632 "oP84Bnq1" },
633 { "$5$rounds=77777$short",
634 "we have a short salt string but not a short password",
635 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
636 { "$5$rounds=123456$asaltof16chars..", "a short string",
637 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
638 "cZKmF/wJvD" },
639 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
640 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
641 "2bIC" },
642 };
643 #define ntests2 (NELEM(tests2))
644
645
646 int
main(void)647 main (void)
648 {
649 struct sha256_ctx ctx;
650 char sum[32];
651 int result = 0;
652 int cnt;
653
654 for (cnt = 0; cnt < (int) ntests; ++cnt)
655 {
656 __crypt__sha256_init_ctx (&ctx);
657 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
658 __crypt__sha256_finish_ctx (&ctx, sum);
659 if (memcmp (tests[cnt].result, sum, 32) != 0)
660 {
661 printf ("test %d run %d failed\n", cnt, 1);
662 result = 1;
663 }
664
665 __crypt__sha256_init_ctx (&ctx);
666 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
667 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
668 __crypt__sha256_finish_ctx (&ctx, sum);
669 if (memcmp (tests[cnt].result, sum, 32) != 0)
670 {
671 printf ("test %d run %d failed\n", cnt, 2);
672 result = 1;
673 }
674 }
675
676 /* Test vector from FIPS 180-2: appendix B.3. */
677 char buf[1000];
678 memset (buf, 'a', sizeof (buf));
679 __crypt__sha256_init_ctx (&ctx);
680 for (int i = 0; i < 1000; ++i)
681 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx);
682 __crypt__sha256_finish_ctx (&ctx, sum);
683 static const char expected[32] =
684 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
685 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
686 if (memcmp (expected, sum, 32) != 0)
687 {
688 printf ("test %d failed\n", cnt);
689 result = 1;
690 }
691
692 for (cnt = 0; cnt < ntests2; ++cnt)
693 {
694 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt);
695
696 if (strcmp (cp, tests2[cnt].expected) != 0)
697 {
698 printf ("test %d: expected \"%s\", got \"%s\"\n",
699 cnt, tests2[cnt].expected, cp);
700 result = 1;
701 }
702 }
703
704 if (result == 0)
705 puts ("all tests OK");
706
707 return result;
708 }
709 #endif
710
711