1 /* 2 * SHA256-based Unix crypt implementation. 3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. 4 */ 5 #include <errno.h> 6 #include <limits.h> 7 #include <stdint.h> 8 #include <stdbool.h> 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <sys/endian.h> 13 #include <sys/param.h> 14 #include <sys/types.h> 15 16 #include "crypt.h" 17 #include "local.h" 18 19 #if _BYTE_ORDER == _LITTLE_ENDIAN 20 # define SWAP(n) \ 21 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) 22 #else 23 # define SWAP(n) (n) 24 #endif 25 26 27 /* This array contains the bytes used to pad the buffer to the next 28 64-byte boundary. (FIPS 180-2:5.1.1) */ 29 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; 30 31 32 /* Constants for SHA256 from FIPS 180-2:4.2.2. */ 33 static const uint32_t K[64] = 34 { 35 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 36 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 37 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 38 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 39 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 40 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 41 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 42 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 43 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 44 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 45 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 46 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 47 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 48 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 49 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 50 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 51 }; 52 53 54 /* Process LEN bytes of BUFFER, accumulating context into CTX. 55 It is assumed that LEN % 64 == 0. */ 56 void 57 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) 58 { 59 const uint32_t *words = buffer; 60 size_t nwords = len / sizeof (uint32_t); 61 uint32_t a = ctx->H[0]; 62 uint32_t b = ctx->H[1]; 63 uint32_t c = ctx->H[2]; 64 uint32_t d = ctx->H[3]; 65 uint32_t e = ctx->H[4]; 66 uint32_t f = ctx->H[5]; 67 uint32_t g = ctx->H[6]; 68 uint32_t h = ctx->H[7]; 69 70 /* First increment the byte count. FIPS 180-2 specifies the possible 71 length of the file up to 2^64 bits. Here we only compute the 72 number of bytes. Do a double word increment. */ 73 ctx->total[0] += len; 74 if (ctx->total[0] < len) 75 ++ctx->total[1]; 76 77 /* Process all bytes in the buffer with 64 bytes in each round of 78 the loop. */ 79 while (nwords > 0) 80 { 81 uint32_t W[64]; 82 uint32_t a_save = a; 83 uint32_t b_save = b; 84 uint32_t c_save = c; 85 uint32_t d_save = d; 86 uint32_t e_save = e; 87 uint32_t f_save = f; 88 uint32_t g_save = g; 89 uint32_t h_save = h; 90 91 /* Operators defined in FIPS 180-2:4.1.2. */ 92 #define Ch(x, y, z) ((x & y) ^ (~x & z)) 93 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 94 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22)) 95 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25)) 96 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3)) 97 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10)) 98 99 /* It is unfortunate that C does not provide an operator for 100 cyclic rotation. Hope the C compiler is smart enough. */ 101 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s))) 102 103 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ 104 for (unsigned int t = 0; t < 16; ++t) 105 { 106 W[t] = SWAP (*words); 107 ++words; 108 } 109 for (unsigned int t = 16; t < 64; ++t) 110 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16]; 111 112 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ 113 for (unsigned int t = 0; t < 64; ++t) 114 { 115 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t]; 116 uint32_t T2 = S0 (a) + Maj (a, b, c); 117 h = g; 118 g = f; 119 f = e; 120 e = d + T1; 121 d = c; 122 c = b; 123 b = a; 124 a = T1 + T2; 125 } 126 127 /* Add the starting values of the context according to FIPS 180-2:6.2.2 128 step 4. */ 129 a += a_save; 130 b += b_save; 131 c += c_save; 132 d += d_save; 133 e += e_save; 134 f += f_save; 135 g += g_save; 136 h += h_save; 137 138 /* Prepare for the next round. */ 139 nwords -= 16; 140 } 141 142 /* Put checksum in context given as argument. */ 143 ctx->H[0] = a; 144 ctx->H[1] = b; 145 ctx->H[2] = c; 146 ctx->H[3] = d; 147 ctx->H[4] = e; 148 ctx->H[5] = f; 149 ctx->H[6] = g; 150 ctx->H[7] = h; 151 } 152 153 154 /* Initialize structure containing state of computation. 155 (FIPS 180-2:5.3.2) */ 156 void 157 __crypt__sha256_init_ctx (struct sha256_ctx *ctx) 158 { 159 ctx->H[0] = 0x6a09e667; 160 ctx->H[1] = 0xbb67ae85; 161 ctx->H[2] = 0x3c6ef372; 162 ctx->H[3] = 0xa54ff53a; 163 ctx->H[4] = 0x510e527f; 164 ctx->H[5] = 0x9b05688c; 165 ctx->H[6] = 0x1f83d9ab; 166 ctx->H[7] = 0x5be0cd19; 167 168 ctx->total[0] = ctx->total[1] = 0; 169 ctx->buflen = 0; 170 } 171 172 173 /* Process the remaining bytes in the internal buffer and the usual 174 prolog according to the standard and write the result to RESBUF. 175 176 IMPORTANT: On some systems it is required that RESBUF is correctly 177 aligned for a 32 bits value. */ 178 void * 179 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) 180 { 181 /* Take yet unprocessed bytes into account. */ 182 uint32_t bytes = ctx->buflen; 183 size_t pad; 184 185 /* Now count remaining bytes. */ 186 ctx->total[0] += bytes; 187 if (ctx->total[0] < bytes) 188 ++ctx->total[1]; 189 190 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; 191 memcpy (&ctx->buffer[bytes], fillbuf, pad); 192 193 /* Put the 64-bit file length in *bits* at the end of the buffer. */ 194 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3); 195 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) | 196 (ctx->total[0] >> 29)); 197 198 /* Process last bytes. */ 199 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx); 200 201 /* Put result from CTX in first 32 bytes following RESBUF. */ 202 for (unsigned int i = 0; i < 8; ++i) 203 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]); 204 205 return resbuf; 206 } 207 208 void 209 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) 210 { 211 /* When we already have some bits in our internal buffer concatenate 212 both inputs first. */ 213 if (ctx->buflen != 0) 214 { 215 size_t left_over = ctx->buflen; 216 size_t add = 128 - left_over > len ? len : 128 - left_over; 217 218 memcpy (&ctx->buffer[left_over], buffer, add); 219 ctx->buflen += add; 220 221 if (ctx->buflen > 64) 222 { 223 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx); 224 225 ctx->buflen &= 63; 226 /* The regions in the following copy operation cannot overlap. */ 227 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63], 228 ctx->buflen); 229 } 230 231 buffer = (const char *) buffer + add; 232 len -= add; 233 } 234 235 /* Process available complete blocks. */ 236 if (len >= 64) 237 { 238 /* To check alignment gcc has an appropriate operator. Other 239 compilers don't. */ 240 #if __GNUC__ >= 2 241 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) 242 #else 243 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) 244 #endif 245 if (UNALIGNED_P (buffer)) 246 while (len > 64) 247 { 248 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); 249 buffer = (const char *) buffer + 64; 250 len -= 64; 251 } 252 else 253 { 254 __crypt__sha256_process_block (buffer, len & ~63, ctx); 255 buffer = (const char *) buffer + (len & ~63); 256 len &= 63; 257 } 258 } 259 260 /* Move remaining bytes into internal buffer. */ 261 if (len > 0) 262 { 263 size_t left_over = ctx->buflen; 264 265 memcpy (&ctx->buffer[left_over], buffer, len); 266 left_over += len; 267 if (left_over >= 64) 268 { 269 __crypt__sha256_process_block (ctx->buffer, 64, ctx); 270 left_over -= 64; 271 memcpy (ctx->buffer, &ctx->buffer[64], left_over); 272 } 273 ctx->buflen = left_over; 274 } 275 } 276 277 278 /* Define our magic string to mark salt for SHA256 "encryption" 279 replacement. */ 280 static const char sha256_salt_prefix[] = "$5$"; 281 282 /* Prefix for optional rounds specification. */ 283 static const char sha256_rounds_prefix[] = "rounds="; 284 285 /* Maximum salt string length. */ 286 #define SALT_LEN_MAX 16 287 /* Default number of rounds if not explicitly specified. */ 288 #define ROUNDS_DEFAULT 5000 289 /* Minimum number of rounds. */ 290 #define ROUNDS_MIN 1000 291 /* Maximum number of rounds. */ 292 #define ROUNDS_MAX 999999999 293 294 /* Table with characters for base64 transformation. */ 295 static const char b64t[64] = 296 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 297 298 299 static char * 300 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen) 301 { 302 unsigned char alt_result[32] 303 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 304 unsigned char temp_result[32] 305 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 306 struct sha256_ctx ctx; 307 struct sha256_ctx alt_ctx; 308 size_t salt_len; 309 size_t key_len; 310 size_t cnt; 311 char *cp; 312 char *copied_key = NULL; 313 char *copied_salt = NULL; 314 char *p_bytes; 315 char *s_bytes; 316 /* Default number of rounds. */ 317 size_t rounds = ROUNDS_DEFAULT; 318 bool rounds_custom = false; 319 320 /* Find beginning of salt string. The prefix should normally always 321 be present. Just in case it is not. */ 322 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0) 323 /* Skip salt prefix. */ 324 salt += sizeof (sha256_salt_prefix) - 1; 325 326 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1) 327 == 0) 328 { 329 const char *num = salt + sizeof (sha256_rounds_prefix) - 1; 330 char *endp; 331 unsigned long int srounds = strtoul (num, &endp, 10); 332 if (*endp == '$') 333 { 334 salt = endp + 1; 335 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX)); 336 rounds_custom = true; 337 } 338 } 339 340 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX); 341 key_len = strlen (key); 342 343 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0) 344 { 345 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t)); 346 key = copied_key = 347 memcpy (tmp + __alignof__ (uint32_t) 348 - (tmp - (char *) 0) % __alignof__ (uint32_t), 349 key, key_len); 350 } 351 352 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0) 353 { 354 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t)); 355 salt = copied_salt = 356 memcpy (tmp + __alignof__ (uint32_t) 357 - (tmp - (char *) 0) % __alignof__ (uint32_t), 358 salt, salt_len); 359 } 360 361 /* Prepare for the real work. */ 362 __crypt__sha256_init_ctx (&ctx); 363 364 /* Add the key string. */ 365 __crypt__sha256_process_bytes (key, key_len, &ctx); 366 367 /* The last part is the salt string. This must be at most 16 368 characters and it ends at the first `$' character (for 369 compatibility with existing implementations). */ 370 __crypt__sha256_process_bytes (salt, salt_len, &ctx); 371 372 373 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The 374 final result will be added to the first context. */ 375 __crypt__sha256_init_ctx (&alt_ctx); 376 377 /* Add key. */ 378 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 379 380 /* Add salt. */ 381 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx); 382 383 /* Add key again. */ 384 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 385 386 /* Now get result of this (32 bytes) and add it to the other 387 context. */ 388 __crypt__sha256_finish_ctx (&alt_ctx, alt_result); 389 390 /* Add for any character in the key one byte of the alternate sum. */ 391 for (cnt = key_len; cnt > 32; cnt -= 32) 392 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 393 __crypt__sha256_process_bytes (alt_result, cnt, &ctx); 394 395 /* Take the binary representation of the length of the key and for every 396 1 add the alternate sum, for every 0 the key. */ 397 for (cnt = key_len; cnt > 0; cnt >>= 1) 398 if ((cnt & 1) != 0) 399 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 400 else 401 __crypt__sha256_process_bytes (key, key_len, &ctx); 402 403 /* Create intermediate result. */ 404 __crypt__sha256_finish_ctx (&ctx, alt_result); 405 406 /* Start computation of P byte sequence. */ 407 __crypt__sha256_init_ctx (&alt_ctx); 408 409 /* For every character in the password add the entire password. */ 410 for (cnt = 0; cnt < key_len; ++cnt) 411 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 412 413 /* Finish the digest. */ 414 __crypt__sha256_finish_ctx (&alt_ctx, temp_result); 415 416 /* Create byte sequence P. */ 417 cp = p_bytes = alloca (key_len); 418 for (cnt = key_len; cnt >= 32; cnt -= 32) 419 cp = mempcpy (cp, temp_result, 32); 420 memcpy (cp, temp_result, cnt); 421 422 /* Start computation of S byte sequence. */ 423 __crypt__sha256_init_ctx (&alt_ctx); 424 425 /* For every character in the password add the entire password. */ 426 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) 427 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx); 428 429 /* Finish the digest. */ 430 __crypt__sha256_finish_ctx (&alt_ctx, temp_result); 431 432 /* Create byte sequence S. */ 433 cp = s_bytes = alloca (salt_len); 434 for (cnt = salt_len; cnt >= 32; cnt -= 32) 435 cp = mempcpy (cp, temp_result, 32); 436 memcpy (cp, temp_result, cnt); 437 438 /* Repeatedly run the collected hash value through SHA256 to burn 439 CPU cycles. */ 440 for (cnt = 0; cnt < rounds; ++cnt) 441 { 442 /* New context. */ 443 __crypt__sha256_init_ctx (&ctx); 444 445 /* Add key or last result. */ 446 if ((cnt & 1) != 0) 447 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 448 else 449 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 450 451 /* Add salt for numbers not divisible by 3. */ 452 if (cnt % 3 != 0) 453 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx); 454 455 /* Add key for numbers not divisible by 7. */ 456 if (cnt % 7 != 0) 457 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 458 459 /* Add key or last result. */ 460 if ((cnt & 1) != 0) 461 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 462 else 463 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 464 465 /* Create intermediate result. */ 466 __crypt__sha256_finish_ctx (&ctx, alt_result); 467 } 468 469 /* Now we can construct the result string. It consists of three 470 parts. */ 471 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen)); 472 buflen -= sizeof (sha256_salt_prefix) - 1; 473 474 if (rounds_custom) 475 { 476 int n = snprintf (cp, MAX (0, buflen), "%s%zu$", 477 sha256_rounds_prefix, rounds); 478 cp += n; 479 buflen -= n; 480 } 481 482 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len)); 483 buflen -= MIN ((size_t) MAX (0, buflen), salt_len); 484 485 if (buflen > 0) 486 { 487 *cp++ = '$'; 488 --buflen; 489 } 490 491 #define b64_from_24bit(B2, B1, B0, N) \ 492 do { \ 493 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 494 int n = (N); \ 495 while (n-- > 0 && buflen > 0) \ 496 { \ 497 *cp++ = b64t[w & 0x3f]; \ 498 --buflen; \ 499 w >>= 6; \ 500 } \ 501 } while (0) 502 503 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4); 504 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4); 505 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4); 506 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4); 507 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4); 508 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4); 509 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4); 510 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4); 511 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4); 512 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4); 513 b64_from_24bit (0, alt_result[31], alt_result[30], 3); 514 if (buflen <= 0) 515 { 516 errno = ERANGE; 517 buffer = NULL; 518 } 519 else 520 *cp = '\0'; /* Terminate the string. */ 521 522 /* Clear the buffer for the intermediate result so that people 523 attaching to processes or reading core dumps cannot get any 524 information. We do it in this way to clear correct_words[] 525 inside the SHA256 implementation as well. */ 526 __crypt__sha256_init_ctx (&ctx); 527 __crypt__sha256_finish_ctx (&ctx, alt_result); 528 memset (temp_result, '\0', sizeof (temp_result)); 529 memset (p_bytes, '\0', key_len); 530 memset (s_bytes, '\0', salt_len); 531 memset (&ctx, '\0', sizeof (ctx)); 532 memset (&alt_ctx, '\0', sizeof (alt_ctx)); 533 if (copied_key != NULL) 534 memset (copied_key, '\0', key_len); 535 if (copied_salt != NULL) 536 memset (copied_salt, '\0', salt_len); 537 538 return buffer; 539 } 540 541 542 /* This entry point is equivalent to the `crypt' function in Unix 543 libcs. */ 544 char * 545 crypt_sha256 (const char *key, const char *salt) 546 { 547 /* We don't want to have an arbitrary limit in the size of the 548 password. We can compute an upper bound for the size of the 549 result in advance and so we can prepare the buffer we pass to 550 `crypt_sha256_r'. */ 551 static char *buffer; 552 static int buflen; 553 int needed = (sizeof (sha256_salt_prefix) - 1 554 + sizeof (sha256_rounds_prefix) + 9 + 1 555 + strlen (salt) + 1 + 43 + 1); 556 557 if (buflen < needed) 558 { 559 char *new_buffer = (char *) realloc (buffer, needed); 560 if (new_buffer == NULL) 561 return NULL; 562 563 buffer = new_buffer; 564 buflen = needed; 565 } 566 567 return crypt_sha256_r (key, salt, buffer, buflen); 568 } 569 570 571 #ifdef TEST 572 static const struct 573 { 574 const char *input; 575 const char result[32]; 576 } tests[] = 577 { 578 /* Test vectors from FIPS 180-2: appendix B.1. */ 579 { "abc", 580 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" 581 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" }, 582 /* Test vectors from FIPS 180-2: appendix B.2. */ 583 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 584 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 585 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 586 /* Test vectors from the NESSIE project. */ 587 { "", 588 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24" 589 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" }, 590 { "a", 591 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d" 592 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" }, 593 { "message digest", 594 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad" 595 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" }, 596 { "abcdefghijklmnopqrstuvwxyz", 597 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52" 598 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" }, 599 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 600 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 601 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 602 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 603 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80" 604 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" }, 605 { "123456789012345678901234567890123456789012345678901234567890" 606 "12345678901234567890", 607 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e" 608 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" } 609 }; 610 #define ntests (NELEM(tests)) 611 612 613 static const struct 614 { 615 const char *salt; 616 const char *input; 617 const char *expected; 618 } tests2[] = 619 { 620 { "$5$saltstring", "Hello world!", 621 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" }, 622 { "$5$rounds=10000$saltstringsaltstring", "Hello world!", 623 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." 624 "opqey6IcA" }, 625 { "$5$rounds=5000$toolongsaltstring", "This is just a test", 626 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" 627 "mGRcvxa5" }, 628 { "$5$rounds=1400$anotherlongsaltstring", 629 "a very much longer text to encrypt. This one even stretches over more" 630 "than one line.", 631 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" 632 "oP84Bnq1" }, 633 { "$5$rounds=77777$short", 634 "we have a short salt string but not a short password", 635 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" }, 636 { "$5$rounds=123456$asaltof16chars..", "a short string", 637 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" 638 "cZKmF/wJvD" }, 639 { "$5$rounds=10$roundstoolow", "the minimum number is still observed", 640 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" 641 "2bIC" }, 642 }; 643 #define ntests2 (NELEM(tests2)) 644 645 646 int 647 main (void) 648 { 649 struct sha256_ctx ctx; 650 char sum[32]; 651 int result = 0; 652 int cnt; 653 654 for (cnt = 0; cnt < (int) ntests; ++cnt) 655 { 656 __crypt__sha256_init_ctx (&ctx); 657 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx); 658 __crypt__sha256_finish_ctx (&ctx, sum); 659 if (memcmp (tests[cnt].result, sum, 32) != 0) 660 { 661 printf ("test %d run %d failed\n", cnt, 1); 662 result = 1; 663 } 664 665 __crypt__sha256_init_ctx (&ctx); 666 for (int i = 0; tests[cnt].input[i] != '\0'; ++i) 667 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx); 668 __crypt__sha256_finish_ctx (&ctx, sum); 669 if (memcmp (tests[cnt].result, sum, 32) != 0) 670 { 671 printf ("test %d run %d failed\n", cnt, 2); 672 result = 1; 673 } 674 } 675 676 /* Test vector from FIPS 180-2: appendix B.3. */ 677 char buf[1000]; 678 memset (buf, 'a', sizeof (buf)); 679 __crypt__sha256_init_ctx (&ctx); 680 for (int i = 0; i < 1000; ++i) 681 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx); 682 __crypt__sha256_finish_ctx (&ctx, sum); 683 static const char expected[32] = 684 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" 685 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0"; 686 if (memcmp (expected, sum, 32) != 0) 687 { 688 printf ("test %d failed\n", cnt); 689 result = 1; 690 } 691 692 for (cnt = 0; cnt < ntests2; ++cnt) 693 { 694 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt); 695 696 if (strcmp (cp, tests2[cnt].expected) != 0) 697 { 698 printf ("test %d: expected \"%s\", got \"%s\"\n", 699 cnt, tests2[cnt].expected, cp); 700 result = 1; 701 } 702 } 703 704 if (result == 0) 705 puts ("all tests OK"); 706 707 return result; 708 } 709 #endif 710 711