1 /* 2 * SHA256-based Unix crypt implementation. 3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. 4 */ 5 #include <errno.h> 6 #include <limits.h> 7 #include <stdint.h> 8 #include <stdbool.h> 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <sys/endian.h> 13 #include <sys/param.h> 14 #include <sys/types.h> 15 16 17 /* Structure to save state of computation between the single steps. */ 18 struct sha256_ctx 19 { 20 uint32_t H[8]; 21 22 uint32_t total[2]; 23 uint32_t buflen; 24 char buffer[128]; /* NB: always correctly aligned for uint32_t. */ 25 }; 26 27 28 #if __BYTE_ORDER == __LITTLE_ENDIAN 29 # define SWAP(n) \ 30 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) 31 #else 32 # define SWAP(n) (n) 33 #endif 34 35 36 /* This array contains the bytes used to pad the buffer to the next 37 64-byte boundary. (FIPS 180-2:5.1.1) */ 38 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; 39 40 41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */ 42 static const uint32_t K[64] = 43 { 44 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 45 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 46 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 47 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 48 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 49 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 50 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 51 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 52 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 53 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 54 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 55 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 56 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 57 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 58 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 59 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 60 }; 61 62 63 /* Process LEN bytes of BUFFER, accumulating context into CTX. 64 It is assumed that LEN % 64 == 0. */ 65 static void 66 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) 67 { 68 const uint32_t *words = buffer; 69 size_t nwords = len / sizeof (uint32_t); 70 uint32_t a = ctx->H[0]; 71 uint32_t b = ctx->H[1]; 72 uint32_t c = ctx->H[2]; 73 uint32_t d = ctx->H[3]; 74 uint32_t e = ctx->H[4]; 75 uint32_t f = ctx->H[5]; 76 uint32_t g = ctx->H[6]; 77 uint32_t h = ctx->H[7]; 78 79 /* First increment the byte count. FIPS 180-2 specifies the possible 80 length of the file up to 2^64 bits. Here we only compute the 81 number of bytes. Do a double word increment. */ 82 ctx->total[0] += len; 83 if (ctx->total[0] < len) 84 ++ctx->total[1]; 85 86 /* Process all bytes in the buffer with 64 bytes in each round of 87 the loop. */ 88 while (nwords > 0) 89 { 90 uint32_t W[64]; 91 uint32_t a_save = a; 92 uint32_t b_save = b; 93 uint32_t c_save = c; 94 uint32_t d_save = d; 95 uint32_t e_save = e; 96 uint32_t f_save = f; 97 uint32_t g_save = g; 98 uint32_t h_save = h; 99 100 /* Operators defined in FIPS 180-2:4.1.2. */ 101 #define Ch(x, y, z) ((x & y) ^ (~x & z)) 102 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 103 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22)) 104 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25)) 105 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3)) 106 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10)) 107 108 /* It is unfortunate that C does not provide an operator for 109 cyclic rotation. Hope the C compiler is smart enough. */ 110 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s))) 111 112 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ 113 for (unsigned int t = 0; t < 16; ++t) 114 { 115 W[t] = SWAP (*words); 116 ++words; 117 } 118 for (unsigned int t = 16; t < 64; ++t) 119 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16]; 120 121 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ 122 for (unsigned int t = 0; t < 64; ++t) 123 { 124 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t]; 125 uint32_t T2 = S0 (a) + Maj (a, b, c); 126 h = g; 127 g = f; 128 f = e; 129 e = d + T1; 130 d = c; 131 c = b; 132 b = a; 133 a = T1 + T2; 134 } 135 136 /* Add the starting values of the context according to FIPS 180-2:6.2.2 137 step 4. */ 138 a += a_save; 139 b += b_save; 140 c += c_save; 141 d += d_save; 142 e += e_save; 143 f += f_save; 144 g += g_save; 145 h += h_save; 146 147 /* Prepare for the next round. */ 148 nwords -= 16; 149 } 150 151 /* Put checksum in context given as argument. */ 152 ctx->H[0] = a; 153 ctx->H[1] = b; 154 ctx->H[2] = c; 155 ctx->H[3] = d; 156 ctx->H[4] = e; 157 ctx->H[5] = f; 158 ctx->H[6] = g; 159 ctx->H[7] = h; 160 } 161 162 163 /* Initialize structure containing state of computation. 164 (FIPS 180-2:5.3.2) */ 165 static void 166 sha256_init_ctx (struct sha256_ctx *ctx) 167 { 168 ctx->H[0] = 0x6a09e667; 169 ctx->H[1] = 0xbb67ae85; 170 ctx->H[2] = 0x3c6ef372; 171 ctx->H[3] = 0xa54ff53a; 172 ctx->H[4] = 0x510e527f; 173 ctx->H[5] = 0x9b05688c; 174 ctx->H[6] = 0x1f83d9ab; 175 ctx->H[7] = 0x5be0cd19; 176 177 ctx->total[0] = ctx->total[1] = 0; 178 ctx->buflen = 0; 179 } 180 181 182 /* Process the remaining bytes in the internal buffer and the usual 183 prolog according to the standard and write the result to RESBUF. 184 185 IMPORTANT: On some systems it is required that RESBUF is correctly 186 aligned for a 32 bits value. */ 187 static void * 188 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) 189 { 190 /* Take yet unprocessed bytes into account. */ 191 uint32_t bytes = ctx->buflen; 192 size_t pad; 193 194 /* Now count remaining bytes. */ 195 ctx->total[0] += bytes; 196 if (ctx->total[0] < bytes) 197 ++ctx->total[1]; 198 199 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; 200 memcpy (&ctx->buffer[bytes], fillbuf, pad); 201 202 /* Put the 64-bit file length in *bits* at the end of the buffer. */ 203 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3); 204 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) | 205 (ctx->total[0] >> 29)); 206 207 /* Process last bytes. */ 208 sha256_process_block (ctx->buffer, bytes + pad + 8, ctx); 209 210 /* Put result from CTX in first 32 bytes following RESBUF. */ 211 for (unsigned int i = 0; i < 8; ++i) 212 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]); 213 214 return resbuf; 215 } 216 217 218 static void 219 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) 220 { 221 /* When we already have some bits in our internal buffer concatenate 222 both inputs first. */ 223 if (ctx->buflen != 0) 224 { 225 size_t left_over = ctx->buflen; 226 size_t add = 128 - left_over > len ? len : 128 - left_over; 227 228 memcpy (&ctx->buffer[left_over], buffer, add); 229 ctx->buflen += add; 230 231 if (ctx->buflen > 64) 232 { 233 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx); 234 235 ctx->buflen &= 63; 236 /* The regions in the following copy operation cannot overlap. */ 237 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63], 238 ctx->buflen); 239 } 240 241 buffer = (const char *) buffer + add; 242 len -= add; 243 } 244 245 /* Process available complete blocks. */ 246 if (len >= 64) 247 { 248 /* To check alignment gcc has an appropriate operator. Other 249 compilers don't. */ 250 #if __GNUC__ >= 2 251 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) 252 #else 253 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) 254 #endif 255 if (UNALIGNED_P (buffer)) 256 while (len > 64) 257 { 258 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); 259 buffer = (const char *) buffer + 64; 260 len -= 64; 261 } 262 else 263 { 264 sha256_process_block (buffer, len & ~63, ctx); 265 buffer = (const char *) buffer + (len & ~63); 266 len &= 63; 267 } 268 } 269 270 /* Move remaining bytes into internal buffer. */ 271 if (len > 0) 272 { 273 size_t left_over = ctx->buflen; 274 275 memcpy (&ctx->buffer[left_over], buffer, len); 276 left_over += len; 277 if (left_over >= 64) 278 { 279 sha256_process_block (ctx->buffer, 64, ctx); 280 left_over -= 64; 281 memcpy (ctx->buffer, &ctx->buffer[64], left_over); 282 } 283 ctx->buflen = left_over; 284 } 285 } 286 287 288 /* Define our magic string to mark salt for SHA256 "encryption" 289 replacement. */ 290 static const char sha256_salt_prefix[] = "$5$"; 291 292 /* Prefix for optional rounds specification. */ 293 static const char sha256_rounds_prefix[] = "rounds="; 294 295 /* Maximum salt string length. */ 296 #define SALT_LEN_MAX 16 297 /* Default number of rounds if not explicitly specified. */ 298 #define ROUNDS_DEFAULT 5000 299 /* Minimum number of rounds. */ 300 #define ROUNDS_MIN 1000 301 /* Maximum number of rounds. */ 302 #define ROUNDS_MAX 999999999 303 304 /* Table with characters for base64 transformation. */ 305 static const char b64t[64] = 306 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 307 308 309 static char * 310 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen) 311 { 312 unsigned char alt_result[32] 313 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 314 unsigned char temp_result[32] 315 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 316 struct sha256_ctx ctx; 317 struct sha256_ctx alt_ctx; 318 size_t salt_len; 319 size_t key_len; 320 size_t cnt; 321 char *cp; 322 char *copied_key = NULL; 323 char *copied_salt = NULL; 324 char *p_bytes; 325 char *s_bytes; 326 /* Default number of rounds. */ 327 size_t rounds = ROUNDS_DEFAULT; 328 bool rounds_custom = false; 329 330 /* Find beginning of salt string. The prefix should normally always 331 be present. Just in case it is not. */ 332 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0) 333 /* Skip salt prefix. */ 334 salt += sizeof (sha256_salt_prefix) - 1; 335 336 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1) 337 == 0) 338 { 339 const char *num = salt + sizeof (sha256_rounds_prefix) - 1; 340 char *endp; 341 unsigned long int srounds = strtoul (num, &endp, 10); 342 if (*endp == '$') 343 { 344 salt = endp + 1; 345 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX)); 346 rounds_custom = true; 347 } 348 } 349 350 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX); 351 key_len = strlen (key); 352 353 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0) 354 { 355 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t)); 356 key = copied_key = 357 memcpy (tmp + __alignof__ (uint32_t) 358 - (tmp - (char *) 0) % __alignof__ (uint32_t), 359 key, key_len); 360 } 361 362 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0) 363 { 364 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t)); 365 salt = copied_salt = 366 memcpy (tmp + __alignof__ (uint32_t) 367 - (tmp - (char *) 0) % __alignof__ (uint32_t), 368 salt, salt_len); 369 } 370 371 /* Prepare for the real work. */ 372 sha256_init_ctx (&ctx); 373 374 /* Add the key string. */ 375 sha256_process_bytes (key, key_len, &ctx); 376 377 /* The last part is the salt string. This must be at most 16 378 characters and it ends at the first `$' character (for 379 compatibility with existing implementations). */ 380 sha256_process_bytes (salt, salt_len, &ctx); 381 382 383 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The 384 final result will be added to the first context. */ 385 sha256_init_ctx (&alt_ctx); 386 387 /* Add key. */ 388 sha256_process_bytes (key, key_len, &alt_ctx); 389 390 /* Add salt. */ 391 sha256_process_bytes (salt, salt_len, &alt_ctx); 392 393 /* Add key again. */ 394 sha256_process_bytes (key, key_len, &alt_ctx); 395 396 /* Now get result of this (32 bytes) and add it to the other 397 context. */ 398 sha256_finish_ctx (&alt_ctx, alt_result); 399 400 /* Add for any character in the key one byte of the alternate sum. */ 401 for (cnt = key_len; cnt > 32; cnt -= 32) 402 sha256_process_bytes (alt_result, 32, &ctx); 403 sha256_process_bytes (alt_result, cnt, &ctx); 404 405 /* Take the binary representation of the length of the key and for every 406 1 add the alternate sum, for every 0 the key. */ 407 for (cnt = key_len; cnt > 0; cnt >>= 1) 408 if ((cnt & 1) != 0) 409 sha256_process_bytes (alt_result, 32, &ctx); 410 else 411 sha256_process_bytes (key, key_len, &ctx); 412 413 /* Create intermediate result. */ 414 sha256_finish_ctx (&ctx, alt_result); 415 416 /* Start computation of P byte sequence. */ 417 sha256_init_ctx (&alt_ctx); 418 419 /* For every character in the password add the entire password. */ 420 for (cnt = 0; cnt < key_len; ++cnt) 421 sha256_process_bytes (key, key_len, &alt_ctx); 422 423 /* Finish the digest. */ 424 sha256_finish_ctx (&alt_ctx, temp_result); 425 426 /* Create byte sequence P. */ 427 cp = p_bytes = alloca (key_len); 428 for (cnt = key_len; cnt >= 32; cnt -= 32) 429 cp = mempcpy (cp, temp_result, 32); 430 memcpy (cp, temp_result, cnt); 431 432 /* Start computation of S byte sequence. */ 433 sha256_init_ctx (&alt_ctx); 434 435 /* For every character in the password add the entire password. */ 436 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) 437 sha256_process_bytes (salt, salt_len, &alt_ctx); 438 439 /* Finish the digest. */ 440 sha256_finish_ctx (&alt_ctx, temp_result); 441 442 /* Create byte sequence S. */ 443 cp = s_bytes = alloca (salt_len); 444 for (cnt = salt_len; cnt >= 32; cnt -= 32) 445 cp = mempcpy (cp, temp_result, 32); 446 memcpy (cp, temp_result, cnt); 447 448 /* Repeatedly run the collected hash value through SHA256 to burn 449 CPU cycles. */ 450 for (cnt = 0; cnt < rounds; ++cnt) 451 { 452 /* New context. */ 453 sha256_init_ctx (&ctx); 454 455 /* Add key or last result. */ 456 if ((cnt & 1) != 0) 457 sha256_process_bytes (p_bytes, key_len, &ctx); 458 else 459 sha256_process_bytes (alt_result, 32, &ctx); 460 461 /* Add salt for numbers not divisible by 3. */ 462 if (cnt % 3 != 0) 463 sha256_process_bytes (s_bytes, salt_len, &ctx); 464 465 /* Add key for numbers not divisible by 7. */ 466 if (cnt % 7 != 0) 467 sha256_process_bytes (p_bytes, key_len, &ctx); 468 469 /* Add key or last result. */ 470 if ((cnt & 1) != 0) 471 sha256_process_bytes (alt_result, 32, &ctx); 472 else 473 sha256_process_bytes (p_bytes, key_len, &ctx); 474 475 /* Create intermediate result. */ 476 sha256_finish_ctx (&ctx, alt_result); 477 } 478 479 /* Now we can construct the result string. It consists of three 480 parts. */ 481 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen)); 482 buflen -= sizeof (sha256_salt_prefix) - 1; 483 484 if (rounds_custom) 485 { 486 int n = snprintf (cp, MAX (0, buflen), "%s%zu$", 487 sha256_rounds_prefix, rounds); 488 cp += n; 489 buflen -= n; 490 } 491 492 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len)); 493 buflen -= MIN ((size_t) MAX (0, buflen), salt_len); 494 495 if (buflen > 0) 496 { 497 *cp++ = '$'; 498 --buflen; 499 } 500 501 #define b64_from_24bit(B2, B1, B0, N) \ 502 do { \ 503 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 504 int n = (N); \ 505 while (n-- > 0 && buflen > 0) \ 506 { \ 507 *cp++ = b64t[w & 0x3f]; \ 508 --buflen; \ 509 w >>= 6; \ 510 } \ 511 } while (0) 512 513 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4); 514 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4); 515 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4); 516 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4); 517 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4); 518 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4); 519 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4); 520 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4); 521 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4); 522 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4); 523 b64_from_24bit (0, alt_result[31], alt_result[30], 3); 524 if (buflen <= 0) 525 { 526 errno = ERANGE; 527 buffer = NULL; 528 } 529 else 530 *cp = '\0'; /* Terminate the string. */ 531 532 /* Clear the buffer for the intermediate result so that people 533 attaching to processes or reading core dumps cannot get any 534 information. We do it in this way to clear correct_words[] 535 inside the SHA256 implementation as well. */ 536 sha256_init_ctx (&ctx); 537 sha256_finish_ctx (&ctx, alt_result); 538 memset (temp_result, '\0', sizeof (temp_result)); 539 memset (p_bytes, '\0', key_len); 540 memset (s_bytes, '\0', salt_len); 541 memset (&ctx, '\0', sizeof (ctx)); 542 memset (&alt_ctx, '\0', sizeof (alt_ctx)); 543 if (copied_key != NULL) 544 memset (copied_key, '\0', key_len); 545 if (copied_salt != NULL) 546 memset (copied_salt, '\0', salt_len); 547 548 return buffer; 549 } 550 551 552 /* This entry point is equivalent to the `crypt' function in Unix 553 libcs. */ 554 char * 555 crypt_sha256 (const char *key, const char *salt) 556 { 557 /* We don't want to have an arbitrary limit in the size of the 558 password. We can compute an upper bound for the size of the 559 result in advance and so we can prepare the buffer we pass to 560 `crypt_sha256_r'. */ 561 static char *buffer; 562 static int buflen; 563 int needed = (sizeof (sha256_salt_prefix) - 1 564 + sizeof (sha256_rounds_prefix) + 9 + 1 565 + strlen (salt) + 1 + 43 + 1); 566 567 if (buflen < needed) 568 { 569 char *new_buffer = (char *) realloc (buffer, needed); 570 if (new_buffer == NULL) 571 return NULL; 572 573 buffer = new_buffer; 574 buflen = needed; 575 } 576 577 return crypt_sha256_r (key, salt, buffer, buflen); 578 } 579 580 581 #ifdef TEST 582 static const struct 583 { 584 const char *input; 585 const char result[32]; 586 } tests[] = 587 { 588 /* Test vectors from FIPS 180-2: appendix B.1. */ 589 { "abc", 590 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" 591 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" }, 592 /* Test vectors from FIPS 180-2: appendix B.2. */ 593 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 594 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 595 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 596 /* Test vectors from the NESSIE project. */ 597 { "", 598 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24" 599 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" }, 600 { "a", 601 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d" 602 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" }, 603 { "message digest", 604 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad" 605 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" }, 606 { "abcdefghijklmnopqrstuvwxyz", 607 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52" 608 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" }, 609 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 610 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 611 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 612 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 613 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80" 614 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" }, 615 { "123456789012345678901234567890123456789012345678901234567890" 616 "12345678901234567890", 617 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e" 618 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" } 619 }; 620 #define ntests (sizeof (tests) / sizeof (tests[0])) 621 622 623 static const struct 624 { 625 const char *salt; 626 const char *input; 627 const char *expected; 628 } tests2[] = 629 { 630 { "$5$saltstring", "Hello world!", 631 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" }, 632 { "$5$rounds=10000$saltstringsaltstring", "Hello world!", 633 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." 634 "opqey6IcA" }, 635 { "$5$rounds=5000$toolongsaltstring", "This is just a test", 636 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" 637 "mGRcvxa5" }, 638 { "$5$rounds=1400$anotherlongsaltstring", 639 "a very much longer text to encrypt. This one even stretches over more" 640 "than one line.", 641 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" 642 "oP84Bnq1" }, 643 { "$5$rounds=77777$short", 644 "we have a short salt string but not a short password", 645 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" }, 646 { "$5$rounds=123456$asaltof16chars..", "a short string", 647 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" 648 "cZKmF/wJvD" }, 649 { "$5$rounds=10$roundstoolow", "the minimum number is still observed", 650 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" 651 "2bIC" }, 652 }; 653 #define ntests2 (sizeof (tests2) / sizeof (tests2[0])) 654 655 656 int 657 main (void) 658 { 659 struct sha256_ctx ctx; 660 char sum[32]; 661 int result = 0; 662 int cnt; 663 664 for (cnt = 0; cnt < (int) ntests; ++cnt) 665 { 666 sha256_init_ctx (&ctx); 667 sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx); 668 sha256_finish_ctx (&ctx, sum); 669 if (memcmp (tests[cnt].result, sum, 32) != 0) 670 { 671 printf ("test %d run %d failed\n", cnt, 1); 672 result = 1; 673 } 674 675 sha256_init_ctx (&ctx); 676 for (int i = 0; tests[cnt].input[i] != '\0'; ++i) 677 sha256_process_bytes (&tests[cnt].input[i], 1, &ctx); 678 sha256_finish_ctx (&ctx, sum); 679 if (memcmp (tests[cnt].result, sum, 32) != 0) 680 { 681 printf ("test %d run %d failed\n", cnt, 2); 682 result = 1; 683 } 684 } 685 686 /* Test vector from FIPS 180-2: appendix B.3. */ 687 char buf[1000]; 688 memset (buf, 'a', sizeof (buf)); 689 sha256_init_ctx (&ctx); 690 for (int i = 0; i < 1000; ++i) 691 sha256_process_bytes (buf, sizeof (buf), &ctx); 692 sha256_finish_ctx (&ctx, sum); 693 static const char expected[32] = 694 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" 695 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0"; 696 if (memcmp (expected, sum, 32) != 0) 697 { 698 printf ("test %d failed\n", cnt); 699 result = 1; 700 } 701 702 for (cnt = 0; cnt < ntests2; ++cnt) 703 { 704 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt); 705 706 if (strcmp (cp, tests2[cnt].expected) != 0) 707 { 708 printf ("test %d: expected \"%s\", got \"%s\"\n", 709 cnt, tests2[cnt].expected, cp); 710 result = 1; 711 } 712 } 713 714 if (result == 0) 715 puts ("all tests OK"); 716 717 return result; 718 } 719 #endif 720 721