1 /* SHA256-based Unix crypt implementation. 2 Released into the Public Domain by Ulrich Drepper <drepper (at) redhat.com>. */ 3 4 #include <alloca.h> 5 #include <endian.h> 6 #include <errno.h> 7 #include <limits.h> 8 #include <stdint.h> 9 #include <stdbool.h> 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include <minmax.h> 14 #include <sys/types.h> 15 16 #include "xcrypt.h" 17 18 #define MIN(x,y) min(x,y) 19 #define MAX(x,y) max(x,y) 20 21 /* Structure to save state of computation between the single steps. */ 22 struct sha256_ctx { 23 uint32_t H[8]; 24 25 uint32_t total[2]; 26 uint32_t buflen; 27 char buffer[128]; /* NB: always correctly aligned for uint32_t. */ 28 }; 29 30 #if __BYTE_ORDER == __LITTLE_ENDIAN 31 # define SWAP(n) \ 32 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) 33 #else 34 # define SWAP(n) (n) 35 #endif 36 37 /* This array contains the bytes used to pad the buffer to the next 38 64-byte boundary. (FIPS 180-2:5.1.1) */ 39 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; 40 41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */ 42 static const uint32_t K[64] = { 43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 44 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 45 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 46 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 47 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 48 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 49 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 50 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 51 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 52 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 53 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 54 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 55 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 56 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 57 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 58 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 59 }; 60 61 /* Process LEN bytes of BUFFER, accumulating context into CTX. 62 It is assumed that LEN % 64 == 0. */ 63 static void 64 sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx) 65 { 66 unsigned int t; 67 const uint32_t *words = buffer; 68 size_t nwords = len / sizeof(uint32_t); 69 uint32_t a = ctx->H[0]; 70 uint32_t b = ctx->H[1]; 71 uint32_t c = ctx->H[2]; 72 uint32_t d = ctx->H[3]; 73 uint32_t e = ctx->H[4]; 74 uint32_t f = ctx->H[5]; 75 uint32_t g = ctx->H[6]; 76 uint32_t h = ctx->H[7]; 77 78 /* First increment the byte count. FIPS 180-2 specifies the possible 79 length of the file up to 2^64 bits. Here we only compute the 80 number of bytes. Do a double word increment. */ 81 ctx->total[0] += len; 82 if (ctx->total[0] < len) 83 ++ctx->total[1]; 84 85 /* Process all bytes in the buffer with 64 bytes in each round of 86 the loop. */ 87 while (nwords > 0) { 88 uint32_t W[64]; 89 uint32_t a_save = a; 90 uint32_t b_save = b; 91 uint32_t c_save = c; 92 uint32_t d_save = d; 93 uint32_t e_save = e; 94 uint32_t f_save = f; 95 uint32_t g_save = g; 96 uint32_t h_save = h; 97 98 /* Operators defined in FIPS 180-2:4.1.2. */ 99 #define Ch(x, y, z) ((x & y) ^ (~x & z)) 100 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 101 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22)) 102 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25)) 103 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3)) 104 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10)) 105 106 /* It is unfortunate that C does not provide an operator for 107 cyclic rotation. Hope the C compiler is smart enough. */ 108 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s))) 109 110 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */ 111 for (t = 0; t < 16; ++t) { 112 W[t] = SWAP(*words); 113 ++words; 114 } 115 for (t = 16; t < 64; ++t) 116 W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16]; 117 118 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */ 119 for (t = 0; t < 64; ++t) { 120 uint32_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t]; 121 uint32_t T2 = S0(a) + Maj(a, b, c); 122 h = g; 123 g = f; 124 f = e; 125 e = d + T1; 126 d = c; 127 c = b; 128 b = a; 129 a = T1 + T2; 130 } 131 132 /* Add the starting values of the context according to FIPS 180-2:6.2.2 133 step 4. */ 134 a += a_save; 135 b += b_save; 136 c += c_save; 137 d += d_save; 138 e += e_save; 139 f += f_save; 140 g += g_save; 141 h += h_save; 142 143 /* Prepare for the next round. */ 144 nwords -= 16; 145 } 146 147 /* Put checksum in context given as argument. */ 148 ctx->H[0] = a; 149 ctx->H[1] = b; 150 ctx->H[2] = c; 151 ctx->H[3] = d; 152 ctx->H[4] = e; 153 ctx->H[5] = f; 154 ctx->H[6] = g; 155 ctx->H[7] = h; 156 } 157 158 /* Initialize structure containing state of computation. 159 (FIPS 180-2:5.3.2) */ 160 static void sha256_init_ctx(struct sha256_ctx *ctx) 161 { 162 ctx->H[0] = 0x6a09e667; 163 ctx->H[1] = 0xbb67ae85; 164 ctx->H[2] = 0x3c6ef372; 165 ctx->H[3] = 0xa54ff53a; 166 ctx->H[4] = 0x510e527f; 167 ctx->H[5] = 0x9b05688c; 168 ctx->H[6] = 0x1f83d9ab; 169 ctx->H[7] = 0x5be0cd19; 170 171 ctx->total[0] = ctx->total[1] = 0; 172 ctx->buflen = 0; 173 } 174 175 /* Process the remaining bytes in the internal buffer and the usual 176 prolog according to the standard and write the result to RESBUF. 177 178 IMPORTANT: On some systems it is required that RESBUF is correctly 179 aligned for a 32 bits value. */ 180 static void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) 181 { 182 unsigned int i; 183 /* Take yet unprocessed bytes into account. */ 184 uint32_t bytes = ctx->buflen; 185 size_t pad; 186 187 /* Now count remaining bytes. */ 188 ctx->total[0] += bytes; 189 if (ctx->total[0] < bytes) 190 ++ctx->total[1]; 191 192 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes; 193 memcpy(&ctx->buffer[bytes], fillbuf, pad); 194 195 /* Put the 64-bit file length in *bits* at the end of the buffer. */ 196 *(uint32_t *) & ctx->buffer[bytes + pad + 4] = SWAP(ctx->total[0] << 3); 197 *(uint32_t *) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) | 198 (ctx->total[0] >> 29)); 199 200 /* Process last bytes. */ 201 sha256_process_block(ctx->buffer, bytes + pad + 8, ctx); 202 203 /* Put result from CTX in first 32 bytes following RESBUF. */ 204 for (i = 0; i < 8; ++i) 205 ((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]); 206 207 return resbuf; 208 } 209 210 static void 211 sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) 212 { 213 /* When we already have some bits in our internal buffer concatenate 214 both inputs first. */ 215 if (ctx->buflen != 0) { 216 size_t left_over = ctx->buflen; 217 size_t add = 128 - left_over > len ? len : 128 - left_over; 218 219 memcpy(&ctx->buffer[left_over], buffer, add); 220 ctx->buflen += add; 221 222 if (ctx->buflen > 64) { 223 sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx); 224 225 ctx->buflen &= 63; 226 /* The regions in the following copy operation cannot overlap. */ 227 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], 228 ctx->buflen); 229 } 230 231 buffer = (const char *)buffer + add; 232 len -= add; 233 } 234 235 /* Process available complete blocks. */ 236 if (len >= 64) { 237 /* To check alignment gcc has an appropriate operator. Other 238 compilers don't. */ 239 #if __GNUC__ >= 2 240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0) 241 #else 242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0) 243 #endif 244 if (UNALIGNED_P(buffer)) 245 while (len > 64) { 246 sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx); 247 buffer = (const char *)buffer + 64; 248 len -= 64; 249 } else { 250 sha256_process_block(buffer, len & ~63, ctx); 251 buffer = (const char *)buffer + (len & ~63); 252 len &= 63; 253 } 254 } 255 256 /* Move remaining bytes into internal buffer. */ 257 if (len > 0) { 258 size_t left_over = ctx->buflen; 259 260 memcpy(&ctx->buffer[left_over], buffer, len); 261 left_over += len; 262 if (left_over >= 64) { 263 sha256_process_block(ctx->buffer, 64, ctx); 264 left_over -= 64; 265 memcpy(ctx->buffer, &ctx->buffer[64], left_over); 266 } 267 ctx->buflen = left_over; 268 } 269 } 270 271 /* Define our magic string to mark salt for SHA256 "encryption" 272 replacement. */ 273 static const char sha256_salt_prefix[] = "$5$"; 274 275 /* Prefix for optional rounds specification. */ 276 static const char sha256_rounds_prefix[] = "rounds="; 277 278 /* Maximum salt string length. */ 279 #define SALT_LEN_MAX 16U 280 /* Default number of rounds if not explicitly specified. */ 281 #define ROUNDS_DEFAULT 5000UL 282 /* Minimum number of rounds. */ 283 #define ROUNDS_MIN 1000UL 284 /* Maximum number of rounds. */ 285 #define ROUNDS_MAX 999999999UL 286 287 /* Table with characters for base64 transformation. */ 288 static const char b64t[64] = 289 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 290 291 static char *sha256_crypt_r(const char *key, const char *salt, char *buffer, 292 int buflen) 293 { 294 unsigned char alt_result[32] 295 __attribute__ ((__aligned__(__alignof__(uint32_t)))); 296 unsigned char temp_result[32] 297 __attribute__ ((__aligned__(__alignof__(uint32_t)))); 298 struct sha256_ctx ctx; 299 struct sha256_ctx alt_ctx; 300 size_t salt_len; 301 size_t key_len; 302 size_t cnt; 303 char *cp; 304 char *copied_key = NULL; 305 char *copied_salt = NULL; 306 char *p_bytes; 307 char *s_bytes; 308 /* Default number of rounds. */ 309 size_t rounds = ROUNDS_DEFAULT; 310 bool rounds_custom = false; 311 312 /* Find beginning of salt string. The prefix should normally always 313 be present. Just in case it is not. */ 314 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) 315 /* Skip salt prefix. */ 316 salt += sizeof(sha256_salt_prefix) - 1; 317 318 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) 319 == 0) { 320 const char *num = salt + sizeof(sha256_rounds_prefix) - 1; 321 char *endp; 322 unsigned long int srounds = strtoul(num, &endp, 10); 323 if (*endp == '$') { 324 salt = endp + 1; 325 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX)); 326 rounds_custom = true; 327 } 328 } 329 330 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); 331 key_len = strlen(key); 332 333 if ((key - (char *)0) % __alignof__(uint32_t) != 0) { 334 char *tmp = (char *)alloca(key_len + __alignof__(uint32_t)); 335 key = copied_key = memcpy(tmp + __alignof__(uint32_t) 336 - (tmp - (char *)0) % __alignof__(uint32_t), 337 key, key_len); 338 } 339 340 if ((salt - (char *)0) % __alignof__(uint32_t) != 0) { 341 char *tmp = (char *)alloca(salt_len + __alignof__(uint32_t)); 342 salt = copied_salt = memcpy(tmp + __alignof__(uint32_t) 343 - (tmp - (char *)0) % __alignof__(uint32_t), 344 salt, salt_len); 345 } 346 347 /* Prepare for the real work. */ 348 sha256_init_ctx(&ctx); 349 350 /* Add the key string. */ 351 sha256_process_bytes(key, key_len, &ctx); 352 353 /* The last part is the salt string. This must be at most 8 354 characters and it ends at the first `$' character (for 355 compatibility with existing implementations). */ 356 sha256_process_bytes(salt, salt_len, &ctx); 357 358 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The 359 final result will be added to the first context. */ 360 sha256_init_ctx(&alt_ctx); 361 362 /* Add key. */ 363 sha256_process_bytes(key, key_len, &alt_ctx); 364 365 /* Add salt. */ 366 sha256_process_bytes(salt, salt_len, &alt_ctx); 367 368 /* Add key again. */ 369 sha256_process_bytes(key, key_len, &alt_ctx); 370 371 /* Now get result of this (32 bytes) and add it to the other 372 context. */ 373 sha256_finish_ctx(&alt_ctx, alt_result); 374 375 /* Add for any character in the key one byte of the alternate sum. */ 376 for (cnt = key_len; cnt > 32; cnt -= 32) 377 sha256_process_bytes(alt_result, 32, &ctx); 378 sha256_process_bytes(alt_result, cnt, &ctx); 379 380 /* Take the binary representation of the length of the key and for every 381 1 add the alternate sum, for every 0 the key. */ 382 for (cnt = key_len; cnt; cnt >>= 1) 383 if ((cnt & 1) != 0) 384 sha256_process_bytes(alt_result, 32, &ctx); 385 else 386 sha256_process_bytes(key, key_len, &ctx); 387 388 /* Create intermediate result. */ 389 sha256_finish_ctx(&ctx, alt_result); 390 391 /* Start computation of P byte sequence. */ 392 sha256_init_ctx(&alt_ctx); 393 394 /* For every character in the password add the entire password. */ 395 for (cnt = 0; cnt < key_len; ++cnt) 396 sha256_process_bytes(key, key_len, &alt_ctx); 397 398 /* Finish the digest. */ 399 sha256_finish_ctx(&alt_ctx, temp_result); 400 401 /* Create byte sequence P. */ 402 cp = p_bytes = alloca(key_len); 403 for (cnt = key_len; cnt >= 32; cnt -= 32) 404 cp = mempcpy(cp, temp_result, 32); 405 memcpy(cp, temp_result, cnt); 406 407 /* Start computation of S byte sequence. */ 408 sha256_init_ctx(&alt_ctx); 409 410 /* For every character in the password add the entire password. */ 411 for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt) 412 sha256_process_bytes(salt, salt_len, &alt_ctx); 413 414 /* Finish the digest. */ 415 sha256_finish_ctx(&alt_ctx, temp_result); 416 417 /* Create byte sequence S. */ 418 cp = s_bytes = alloca(salt_len); 419 for (cnt = salt_len; cnt >= 32; cnt -= 32) 420 cp = mempcpy(cp, temp_result, 32); 421 memcpy(cp, temp_result, cnt); 422 423 /* Repeatedly run the collected hash value through SHA256 to burn 424 CPU cycles. */ 425 for (cnt = 0; cnt < rounds; ++cnt) { 426 /* New context. */ 427 sha256_init_ctx(&ctx); 428 429 /* Add key or last result. */ 430 if ((cnt & 1) != 0) 431 sha256_process_bytes(p_bytes, key_len, &ctx); 432 else 433 sha256_process_bytes(alt_result, 32, &ctx); 434 435 /* Add salt for numbers not divisible by 3. */ 436 if (cnt % 3 != 0) 437 sha256_process_bytes(s_bytes, salt_len, &ctx); 438 439 /* Add key for numbers not divisible by 7. */ 440 if (cnt % 7 != 0) 441 sha256_process_bytes(p_bytes, key_len, &ctx); 442 443 /* Add key or last result. */ 444 if ((cnt & 1) != 0) 445 sha256_process_bytes(alt_result, 32, &ctx); 446 else 447 sha256_process_bytes(p_bytes, key_len, &ctx); 448 449 /* Create intermediate result. */ 450 sha256_finish_ctx(&ctx, alt_result); 451 } 452 453 /* Now we can construct the result string. It consists of three 454 parts. */ 455 cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen)); 456 buflen -= sizeof(sha256_salt_prefix) - 1; 457 458 if (rounds_custom) { 459 int n = snprintf(cp, MAX(0, buflen), "%s%zu$", 460 sha256_rounds_prefix, rounds); 461 cp += n; 462 buflen -= n; 463 } 464 465 cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len)); 466 buflen -= MIN((size_t) MAX(0, buflen), salt_len); 467 468 if (buflen > 0) { 469 *cp++ = '$'; 470 --buflen; 471 } 472 #define b64_from_24bit(B2, B1, B0, N) \ 473 do { \ 474 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \ 475 int n = (N); \ 476 while (n-- > 0 && buflen > 0) \ 477 { \ 478 *cp++ = b64t[w & 0x3f]; \ 479 --buflen; \ 480 w >>= 6; \ 481 } \ 482 } while (0) 483 484 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4); 485 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4); 486 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4); 487 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4); 488 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4); 489 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4); 490 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4); 491 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4); 492 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4); 493 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4); 494 b64_from_24bit(0, alt_result[31], alt_result[30], 3); 495 if (buflen <= 0) { 496 errno = ERANGE; 497 buffer = NULL; 498 } else 499 *cp = '\0'; /* Terminate the string. */ 500 501 /* Clear the buffer for the intermediate result so that people 502 attaching to processes or reading core dumps cannot get any 503 information. We do it in this way to clear correct_words[] 504 inside the SHA256 implementation as well. */ 505 sha256_init_ctx(&ctx); 506 sha256_finish_ctx(&ctx, alt_result); 507 memset(temp_result, '\0', sizeof(temp_result)); 508 memset(p_bytes, '\0', key_len); 509 memset(s_bytes, '\0', salt_len); 510 memset(&ctx, '\0', sizeof(ctx)); 511 memset(&alt_ctx, '\0', sizeof(alt_ctx)); 512 if (copied_key != NULL) 513 memset(copied_key, '\0', key_len); 514 if (copied_salt != NULL) 515 memset(copied_salt, '\0', salt_len); 516 517 return buffer; 518 } 519 520 /* This entry point is equivalent to the `crypt' function in Unix 521 libcs. */ 522 char *sha256_crypt(const char *key, const char *salt) 523 { 524 /* We don't want to have an arbitrary limit in the size of the 525 password. We can compute an upper bound for the size of the 526 result in advance and so we can prepare the buffer we pass to 527 `sha256_crypt_r'. */ 528 static char *buffer; 529 static int buflen; 530 int needed = (sizeof(sha256_salt_prefix) - 1 531 + sizeof(sha256_rounds_prefix) + 9 + 1 532 + strlen(salt) + 1 + 43 + 1); 533 534 if (buflen < needed) { 535 char *new_buffer = (char *)realloc(buffer, needed); 536 if (new_buffer == NULL) 537 return NULL; 538 539 buffer = new_buffer; 540 buflen = needed; 541 } 542 543 return sha256_crypt_r(key, salt, buffer, buflen); 544 } 545 546 #ifdef TEST 547 static const struct { 548 const char *input; 549 const char result[32]; 550 } tests[] = { 551 /* Test vectors from FIPS 180-2: appendix B.1. */ 552 { 553 "abc", 554 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" 555 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"}, 556 /* Test vectors from FIPS 180-2: appendix B.2. */ 557 { 558 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 559 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 560 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"}, 561 /* Test vectors from the NESSIE project. */ 562 { 563 "", "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24" 564 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"}, 565 { 566 "a", "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d" 567 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"}, 568 { 569 "message digest", 570 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad" 571 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"}, 572 { 573 "abcdefghijklmnopqrstuvwxyz", 574 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52" 575 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"}, 576 { 577 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 578 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 579 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"}, 580 { 581 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 582 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80" 583 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"}, 584 { 585 "123456789012345678901234567890123456789012345678901234567890" 586 "12345678901234567890", 587 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e" 588 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"} 589 }; 590 591 #define ntests (sizeof (tests) / sizeof (tests[0])) 592 593 static const struct { 594 const char *salt; 595 const char *input; 596 const char *expected; 597 } tests2[] = { 598 { 599 "$5$saltstring", "Hello world!", 600 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"}, { 601 "$5$rounds=10000$saltstringsaltstring", "Hello world!", 602 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2." 603 "opqey6IcA"}, { 604 "$5$rounds=5000$toolongsaltstring", "This is just a test", 605 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8" 606 "mGRcvxa5"}, { 607 "$5$rounds=1400$anotherlongsaltstring", 608 "a very much longer text to encrypt. This one even stretches over more" 609 "than one line.", 610 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12" 611 "oP84Bnq1"}, { 612 "$5$rounds=77777$short", 613 "we have a short salt string but not a short password", 614 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"}, 615 { 616 "$5$rounds=123456$asaltof16chars..", "a short string", 617 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/" 618 "cZKmF/wJvD"}, { 619 "$5$rounds=10$roundstoolow", "the minimum number is still observed", 620 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97" 621 "2bIC"},}; 622 #define ntests2 (sizeof (tests2) / sizeof (tests2[0])) 623 624 int main(void) 625 { 626 struct sha256_ctx ctx; 627 char sum[32]; 628 int result = 0; 629 int cnt; 630 631 for (cnt = 0; cnt < (int)ntests; ++cnt) { 632 sha256_init_ctx(&ctx); 633 sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx); 634 sha256_finish_ctx(&ctx, sum); 635 if (memcmp(tests[cnt].result, sum, 32) != 0) { 636 printf("test %d run %d failed\n", cnt, 1); 637 result = 1; 638 } 639 640 sha256_init_ctx(&ctx); 641 for (int i = 0; tests[cnt].input[i] != '\0'; ++i) 642 sha256_process_bytes(&tests[cnt].input[i], 1, &ctx); 643 sha256_finish_ctx(&ctx, sum); 644 if (memcmp(tests[cnt].result, sum, 32) != 0) { 645 printf("test %d run %d failed\n", cnt, 2); 646 result = 1; 647 } 648 } 649 650 /* Test vector from FIPS 180-2: appendix B.3. */ 651 char buf[1000]; 652 memset(buf, 'a', sizeof(buf)); 653 sha256_init_ctx(&ctx); 654 for (int i = 0; i < 1000; ++i) 655 sha256_process_bytes(buf, sizeof(buf), &ctx); 656 sha256_finish_ctx(&ctx, sum); 657 static const char expected[32] = 658 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" 659 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0"; 660 if (memcmp(expected, sum, 32) != 0) { 661 printf("test %d failed\n", cnt); 662 result = 1; 663 } 664 665 for (cnt = 0; cnt < ntests2; ++cnt) { 666 char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt); 667 668 if (strcmp(cp, tests2[cnt].expected) != 0) { 669 printf("test %d: expected \"%s\", got \"%s\"\n", 670 cnt, tests2[cnt].expected, cp); 671 result = 1; 672 } 673 } 674 675 if (result == 0) 676 puts("all tests OK"); 677 678 return result; 679 } 680 #endif 681
