1 /* 2 * SHA256-based Unix crypt implementation. 3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. 4 */ 5 #include <errno.h> 6 #include <limits.h> 7 #include <stdint.h> 8 #include <stdbool.h> 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <sys/endian.h> 13 #include <sys/param.h> 14 #include <sys/types.h> 15 16 #include "local.h" 17 18 #if _BYTE_ORDER == _LITTLE_ENDIAN 19 # define SWAP(n) \ 20 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) 21 #else 22 # define SWAP(n) (n) 23 #endif 24 25 26 /* This array contains the bytes used to pad the buffer to the next 27 64-byte boundary. (FIPS 180-2:5.1.1) */ 28 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; 29 30 31 /* Constants for SHA256 from FIPS 180-2:4.2.2. */ 32 static const uint32_t K[64] = 33 { 34 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 35 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 36 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 37 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 38 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 39 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 40 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 41 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 42 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 43 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 44 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 45 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 46 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 47 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 48 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 49 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 50 }; 51 52 53 /* Process LEN bytes of BUFFER, accumulating context into CTX. 54 It is assumed that LEN % 64 == 0. */ 55 void 56 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) 57 { 58 const uint32_t *words = buffer; 59 size_t nwords = len / sizeof (uint32_t); 60 uint32_t a = ctx->H[0]; 61 uint32_t b = ctx->H[1]; 62 uint32_t c = ctx->H[2]; 63 uint32_t d = ctx->H[3]; 64 uint32_t e = ctx->H[4]; 65 uint32_t f = ctx->H[5]; 66 uint32_t g = ctx->H[6]; 67 uint32_t h = ctx->H[7]; 68 69 /* First increment the byte count. FIPS 180-2 specifies the possible 70 length of the file up to 2^64 bits. Here we only compute the 71 number of bytes. Do a double word increment. */ 72 ctx->total[0] += len; 73 if (ctx->total[0] < len) 74 ++ctx->total[1]; 75 76 /* Process all bytes in the buffer with 64 bytes in each round of 77 the loop. */ 78 while (nwords > 0) 79 { 80 uint32_t W[64]; 81 uint32_t a_save = a; 82 uint32_t b_save = b; 83 uint32_t c_save = c; 84 uint32_t d_save = d; 85 uint32_t e_save = e; 86 uint32_t f_save = f; 87 uint32_t g_save = g; 88 uint32_t h_save = h; 89 90 /* Operators defined in FIPS 180-2:4.1.2. */ 91 #define Ch(x, y, z) ((x & y) ^ (~x & z)) 92 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 93 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22)) 94 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25)) 95 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3)) 96 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10)) 97 98 /* It is unfortunate that C does not provide an operator for 99 cyclic rotation. Hope the C compiler is smart enough. */ 100 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s))) 101 102 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ 103 for (unsigned int t = 0; t < 16; ++t) 104 { 105 W[t] = SWAP (*words); 106 ++words; 107 } 108 for (unsigned int t = 16; t < 64; ++t) 109 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16]; 110 111 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ 112 for (unsigned int t = 0; t < 64; ++t) 113 { 114 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t]; 115 uint32_t T2 = S0 (a) + Maj (a, b, c); 116 h = g; 117 g = f; 118 f = e; 119 e = d + T1; 120 d = c; 121 c = b; 122 b = a; 123 a = T1 + T2; 124 } 125 126 /* Add the starting values of the context according to FIPS 180-2:6.2.2 127 step 4. */ 128 a += a_save; 129 b += b_save; 130 c += c_save; 131 d += d_save; 132 e += e_save; 133 f += f_save; 134 g += g_save; 135 h += h_save; 136 137 /* Prepare for the next round. */ 138 nwords -= 16; 139 } 140 141 /* Put checksum in context given as argument. */ 142 ctx->H[0] = a; 143 ctx->H[1] = b; 144 ctx->H[2] = c; 145 ctx->H[3] = d; 146 ctx->H[4] = e; 147 ctx->H[5] = f; 148 ctx->H[6] = g; 149 ctx->H[7] = h; 150 } 151 152 153 /* Initialize structure containing state of computation. 154 (FIPS 180-2:5.3.2) */ 155 void 156 __crypt__sha256_init_ctx (struct sha256_ctx *ctx) 157 { 158 ctx->H[0] = 0x6a09e667; 159 ctx->H[1] = 0xbb67ae85; 160 ctx->H[2] = 0x3c6ef372; 161 ctx->H[3] = 0xa54ff53a; 162 ctx->H[4] = 0x510e527f; 163 ctx->H[5] = 0x9b05688c; 164 ctx->H[6] = 0x1f83d9ab; 165 ctx->H[7] = 0x5be0cd19; 166 167 ctx->total[0] = ctx->total[1] = 0; 168 ctx->buflen = 0; 169 } 170 171 172 /* Process the remaining bytes in the internal buffer and the usual 173 prolog according to the standard and write the result to RESBUF. 174 175 IMPORTANT: On some systems it is required that RESBUF is correctly 176 aligned for a 32 bits value. */ 177 void * 178 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf) 179 { 180 /* Take yet unprocessed bytes into account. */ 181 uint32_t bytes = ctx->buflen; 182 size_t pad; 183 184 /* Now count remaining bytes. */ 185 ctx->total[0] += bytes; 186 if (ctx->total[0] < bytes) 187 ++ctx->total[1]; 188 189 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; 190 memcpy (&ctx->buffer[bytes], fillbuf, pad); 191 192 /* Put the 64-bit file length in *bits* at the end of the buffer. */ 193 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3); 194 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) | 195 (ctx->total[0] >> 29)); 196 197 /* Process last bytes. */ 198 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx); 199 200 /* Put result from CTX in first 32 bytes following RESBUF. */ 201 for (unsigned int i = 0; i < 8; ++i) 202 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]); 203 204 return resbuf; 205 } 206 207 void 208 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx) 209 { 210 /* When we already have some bits in our internal buffer concatenate 211 both inputs first. */ 212 if (ctx->buflen != 0) 213 { 214 size_t left_over = ctx->buflen; 215 size_t add = 128 - left_over > len ? len : 128 - left_over; 216 217 memcpy (&ctx->buffer[left_over], buffer, add); 218 ctx->buflen += add; 219 220 if (ctx->buflen > 64) 221 { 222 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx); 223 224 ctx->buflen &= 63; 225 /* The regions in the following copy operation cannot overlap. */ 226 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63], 227 ctx->buflen); 228 } 229 230 buffer = (const char *) buffer + add; 231 len -= add; 232 } 233 234 /* Process available complete blocks. */ 235 if (len >= 64) 236 { 237 /* To check alignment gcc has an appropriate operator. Other 238 compilers don't. */ 239 #if __GNUC__ >= 2 240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) 241 #else 242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) 243 #endif 244 if (UNALIGNED_P (buffer)) 245 while (len > 64) 246 { 247 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx); 248 buffer = (const char *) buffer + 64; 249 len -= 64; 250 } 251 else 252 { 253 __crypt__sha256_process_block (buffer, len & ~63, ctx); 254 buffer = (const char *) buffer + (len & ~63); 255 len &= 63; 256 } 257 } 258 259 /* Move remaining bytes into internal buffer. */ 260 if (len > 0) 261 { 262 size_t left_over = ctx->buflen; 263 264 memcpy (&ctx->buffer[left_over], buffer, len); 265 left_over += len; 266 if (left_over >= 64) 267 { 268 __crypt__sha256_process_block (ctx->buffer, 64, ctx); 269 left_over -= 64; 270 memcpy (ctx->buffer, &ctx->buffer[64], left_over); 271 } 272 ctx->buflen = left_over; 273 } 274 } 275 276 277 /* Define our magic string to mark salt for SHA256 "encryption" 278 replacement. */ 279 static const char sha256_salt_prefix[] = "$5$"; 280 281 /* Prefix for optional rounds specification. */ 282 static const char sha256_rounds_prefix[] = "rounds="; 283 284 /* Maximum salt string length. */ 285 #define SALT_LEN_MAX 16 286 /* Default number of rounds if not explicitly specified. */ 287 #define ROUNDS_DEFAULT 5000 288 /* Minimum number of rounds. */ 289 #define ROUNDS_MIN 1000 290 /* Maximum number of rounds. */ 291 #define ROUNDS_MAX 999999999 292 293 /* Table with characters for base64 transformation. */ 294 static const char b64t[64] = 295 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 296 297 298 static char * 299 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen) 300 { 301 unsigned char alt_result[32] 302 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 303 unsigned char temp_result[32] 304 __attribute__ ((__aligned__ (__alignof__ (uint32_t)))); 305 struct sha256_ctx ctx; 306 struct sha256_ctx alt_ctx; 307 size_t salt_len; 308 size_t key_len; 309 size_t cnt; 310 char *cp; 311 char *copied_key = NULL; 312 char *copied_salt = NULL; 313 char *p_bytes; 314 char *s_bytes; 315 /* Default number of rounds. */ 316 size_t rounds = ROUNDS_DEFAULT; 317 bool rounds_custom = false; 318 319 /* Find beginning of salt string. The prefix should normally always 320 be present. Just in case it is not. */ 321 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0) 322 /* Skip salt prefix. */ 323 salt += sizeof (sha256_salt_prefix) - 1; 324 325 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1) 326 == 0) 327 { 328 const char *num = salt + sizeof (sha256_rounds_prefix) - 1; 329 char *endp; 330 unsigned long int srounds = strtoul (num, &endp, 10); 331 if (*endp == '$') 332 { 333 salt = endp + 1; 334 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX)); 335 rounds_custom = true; 336 } 337 } 338 339 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX); 340 key_len = strlen (key); 341 342 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0) 343 { 344 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t)); 345 key = copied_key = 346 memcpy (tmp + __alignof__ (uint32_t) 347 - (tmp - (char *) 0) % __alignof__ (uint32_t), 348 key, key_len); 349 } 350 351 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0) 352 { 353 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t)); 354 salt = copied_salt = 355 memcpy (tmp + __alignof__ (uint32_t) 356 - (tmp - (char *) 0) % __alignof__ (uint32_t), 357 salt, salt_len); 358 } 359 360 /* Prepare for the real work. */ 361 __crypt__sha256_init_ctx (&ctx); 362 363 /* Add the key string. */ 364 __crypt__sha256_process_bytes (key, key_len, &ctx); 365 366 /* The last part is the salt string. This must be at most 16 367 characters and it ends at the first `$' character (for 368 compatibility with existing implementations). */ 369 __crypt__sha256_process_bytes (salt, salt_len, &ctx); 370 371 372 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The 373 final result will be added to the first context. */ 374 __crypt__sha256_init_ctx (&alt_ctx); 375 376 /* Add key. */ 377 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 378 379 /* Add salt. */ 380 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx); 381 382 /* Add key again. */ 383 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 384 385 /* Now get result of this (32 bytes) and add it to the other 386 context. */ 387 __crypt__sha256_finish_ctx (&alt_ctx, alt_result); 388 389 /* Add for any character in the key one byte of the alternate sum. */ 390 for (cnt = key_len; cnt > 32; cnt -= 32) 391 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 392 __crypt__sha256_process_bytes (alt_result, cnt, &ctx); 393 394 /* Take the binary representation of the length of the key and for every 395 1 add the alternate sum, for every 0 the key. */ 396 for (cnt = key_len; cnt > 0; cnt >>= 1) 397 if ((cnt & 1) != 0) 398 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 399 else 400 __crypt__sha256_process_bytes (key, key_len, &ctx); 401 402 /* Create intermediate result. */ 403 __crypt__sha256_finish_ctx (&ctx, alt_result); 404 405 /* Start computation of P byte sequence. */ 406 __crypt__sha256_init_ctx (&alt_ctx); 407 408 /* For every character in the password add the entire password. */ 409 for (cnt = 0; cnt < key_len; ++cnt) 410 __crypt__sha256_process_bytes (key, key_len, &alt_ctx); 411 412 /* Finish the digest. */ 413 __crypt__sha256_finish_ctx (&alt_ctx, temp_result); 414 415 /* Create byte sequence P. */ 416 cp = p_bytes = alloca (key_len); 417 for (cnt = key_len; cnt >= 32; cnt -= 32) 418 cp = mempcpy (cp, temp_result, 32); 419 memcpy (cp, temp_result, cnt); 420 421 /* Start computation of S byte sequence. */ 422 __crypt__sha256_init_ctx (&alt_ctx); 423 424 /* For every character in the password add the entire password. */ 425 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) 426 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx); 427 428 /* Finish the digest. */ 429 __crypt__sha256_finish_ctx (&alt_ctx, temp_result); 430 431 /* Create byte sequence S. */ 432 cp = s_bytes = alloca (salt_len); 433 for (cnt = salt_len; cnt >= 32; cnt -= 32) 434 cp = mempcpy (cp, temp_result, 32); 435 memcpy (cp, temp_result, cnt); 436 437 /* Repeatedly run the collected hash value through SHA256 to burn 438 CPU cycles. */ 439 for (cnt = 0; cnt < rounds; ++cnt) 440 { 441 /* New context. */ 442 __crypt__sha256_init_ctx (&ctx); 443 444 /* Add key or last result. */ 445 if ((cnt & 1) != 0) 446 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 447 else 448 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 449 450 /* Add salt for numbers not divisible by 3. */ 451 if (cnt % 3 != 0) 452 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx); 453 454 /* Add key for numbers not divisible by 7. */ 455 if (cnt % 7 != 0) 456 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 457 458 /* Add key or last result. */ 459 if ((cnt & 1) != 0) 460 __crypt__sha256_process_bytes (alt_result, 32, &ctx); 461 else 462 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx); 463 464 /* Create intermediate result. */ 465 __crypt__sha256_finish_ctx (&ctx, alt_result); 466 } 467 468 /* Now we can construct the result string. It consists of three 469 parts. */ 470 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen)); 471 buflen -= sizeof (sha256_salt_prefix) - 1; 472 473 if (rounds_custom) 474 { 475 int n = snprintf (cp, MAX (0, buflen), "%s%zu$", 476 sha256_rounds_prefix, rounds); 477 cp += n; 478 buflen -= n; 479 } 480 481 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len)); 482 buflen -= MIN ((size_t) MAX (0, buflen), salt_len); 483 484 if (buflen > 0) 485 { 486 *cp++ = '$'; 487 --buflen; 488 } 489 490 #define b64_from_24bit(B2, B1, B0, N) \ 491 do { \ 492 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 493 int n = (N); \ 494 while (n-- > 0 && buflen > 0) \ 495 { \ 496 *cp++ = b64t[w & 0x3f]; \ 497 --buflen; \ 498 w >>= 6; \ 499 } \ 500 } while (0) 501 502 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4); 503 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4); 504 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4); 505 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4); 506 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4); 507 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4); 508 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4); 509 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4); 510 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4); 511 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4); 512 b64_from_24bit (0, alt_result[31], alt_result[30], 3); 513 if (buflen <= 0) 514 { 515 errno = ERANGE; 516 buffer = NULL; 517 } 518 else 519 *cp = '\0'; /* Terminate the string. */ 520 521 /* Clear the buffer for the intermediate result so that people 522 attaching to processes or reading core dumps cannot get any 523 information. We do it in this way to clear correct_words[] 524 inside the SHA256 implementation as well. */ 525 __crypt__sha256_init_ctx (&ctx); 526 __crypt__sha256_finish_ctx (&ctx, alt_result); 527 memset (temp_result, '\0', sizeof (temp_result)); 528 memset (p_bytes, '\0', key_len); 529 memset (s_bytes, '\0', salt_len); 530 memset (&ctx, '\0', sizeof (ctx)); 531 memset (&alt_ctx, '\0', sizeof (alt_ctx)); 532 if (copied_key != NULL) 533 memset (copied_key, '\0', key_len); 534 if (copied_salt != NULL) 535 memset (copied_salt, '\0', salt_len); 536 537 return buffer; 538 } 539 540 541 /* This entry point is equivalent to the `crypt' function in Unix 542 libcs. */ 543 char * 544 crypt_sha256 (const char *key, const char *salt) 545 { 546 /* We don't want to have an arbitrary limit in the size of the 547 password. We can compute an upper bound for the size of the 548 result in advance and so we can prepare the buffer we pass to 549 `crypt_sha256_r'. */ 550 static char *buffer; 551 static int buflen; 552 int needed = (sizeof (sha256_salt_prefix) - 1 553 + sizeof (sha256_rounds_prefix) + 9 + 1 554 + strlen (salt) + 1 + 43 + 1); 555 556 if (buflen < needed) 557 { 558 char *new_buffer = (char *) realloc (buffer, needed); 559 if (new_buffer == NULL) 560 return NULL; 561 562 buffer = new_buffer; 563 buflen = needed; 564 } 565 566 return crypt_sha256_r (key, salt, buffer, buflen); 567 } 568 569 570 #ifdef TEST 571 static const struct 572 { 573 const char *input; 574 const char result[32]; 575 } tests[] = 576 { 577 /* Test vectors from FIPS 180-2: appendix B.1. */ 578 { "abc", 579 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" 580 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" }, 581 /* Test vectors from FIPS 180-2: appendix B.2. */ 582 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 583 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 584 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 585 /* Test vectors from the NESSIE project. */ 586 { "", 587 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24" 588 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" }, 589 { "a", 590 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d" 591 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" }, 592 { "message digest", 593 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad" 594 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" }, 595 { "abcdefghijklmnopqrstuvwxyz", 596 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52" 597 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" }, 598 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 599 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 600 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" }, 601 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 602 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80" 603 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" }, 604 { "123456789012345678901234567890123456789012345678901234567890" 605 "12345678901234567890", 606 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e" 607 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" } 608 }; 609 #define ntests (NELEM(tests)) 610 611 612 static const struct 613 { 614 const char *salt; 615 const char *input; 616 const char *expected; 617 } tests2[] = 618 { 619 { "$5$saltstring", "Hello world!", 620 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" }, 621 { "$5$rounds=10000$saltstringsaltstring", "Hello world!", 622 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." 623 "opqey6IcA" }, 624 { "$5$rounds=5000$toolongsaltstring", "This is just a test", 625 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" 626 "mGRcvxa5" }, 627 { "$5$rounds=1400$anotherlongsaltstring", 628 "a very much longer text to encrypt. This one even stretches over more" 629 "than one line.", 630 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" 631 "oP84Bnq1" }, 632 { "$5$rounds=77777$short", 633 "we have a short salt string but not a short password", 634 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" }, 635 { "$5$rounds=123456$asaltof16chars..", "a short string", 636 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" 637 "cZKmF/wJvD" }, 638 { "$5$rounds=10$roundstoolow", "the minimum number is still observed", 639 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" 640 "2bIC" }, 641 }; 642 #define ntests2 (NELEM(tests2)) 643 644 645 int 646 main (void) 647 { 648 struct sha256_ctx ctx; 649 char sum[32]; 650 int result = 0; 651 int cnt; 652 653 for (cnt = 0; cnt < (int) ntests; ++cnt) 654 { 655 __crypt__sha256_init_ctx (&ctx); 656 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx); 657 __crypt__sha256_finish_ctx (&ctx, sum); 658 if (memcmp (tests[cnt].result, sum, 32) != 0) 659 { 660 printf ("test %d run %d failed\n", cnt, 1); 661 result = 1; 662 } 663 664 __crypt__sha256_init_ctx (&ctx); 665 for (int i = 0; tests[cnt].input[i] != '\0'; ++i) 666 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx); 667 __crypt__sha256_finish_ctx (&ctx, sum); 668 if (memcmp (tests[cnt].result, sum, 32) != 0) 669 { 670 printf ("test %d run %d failed\n", cnt, 2); 671 result = 1; 672 } 673 } 674 675 /* Test vector from FIPS 180-2: appendix B.3. */ 676 char buf[1000]; 677 memset (buf, 'a', sizeof (buf)); 678 __crypt__sha256_init_ctx (&ctx); 679 for (int i = 0; i < 1000; ++i) 680 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx); 681 __crypt__sha256_finish_ctx (&ctx, sum); 682 static const char expected[32] = 683 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" 684 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0"; 685 if (memcmp (expected, sum, 32) != 0) 686 { 687 printf ("test %d failed\n", cnt); 688 result = 1; 689 } 690 691 for (cnt = 0; cnt < ntests2; ++cnt) 692 { 693 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt); 694 695 if (strcmp (cp, tests2[cnt].expected) != 0) 696 { 697 printf ("test %d: expected \"%s\", got \"%s\"\n", 698 cnt, tests2[cnt].expected, cp); 699 result = 1; 700 } 701 } 702 703 if (result == 0) 704 puts ("all tests OK"); 705 706 return result; 707 } 708 #endif 709 710