Add mount_hammer2 and newfs_hammer2 to initrd list.
[dragonfly.git] / lib / libcrypt / crypt-sha256.c
blob1f7f7e3b8e6705f73e461894393889e15e9aef73
1 /*
2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
4 */
5 #include <errno.h>
6 #include <limits.h>
7 #include <stdint.h>
8 #include <stdbool.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
16 #include "local.h"
18 #if __BYTE_ORDER == __LITTLE_ENDIAN
19 # define SWAP(n) \
20 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
21 #else
22 # define SWAP(n) (n)
23 #endif
26 /* This array contains the bytes used to pad the buffer to the next
27 64-byte boundary. (FIPS 180-2:5.1.1) */
28 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
31 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
32 static const uint32_t K[64] =
34 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
35 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
36 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
37 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
38 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
39 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
40 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
41 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
42 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
43 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
44 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
45 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
46 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
47 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
48 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
49 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
53 /* Process LEN bytes of BUFFER, accumulating context into CTX.
54 It is assumed that LEN % 64 == 0. */
55 void
56 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
58 const uint32_t *words = buffer;
59 size_t nwords = len / sizeof (uint32_t);
60 uint32_t a = ctx->H[0];
61 uint32_t b = ctx->H[1];
62 uint32_t c = ctx->H[2];
63 uint32_t d = ctx->H[3];
64 uint32_t e = ctx->H[4];
65 uint32_t f = ctx->H[5];
66 uint32_t g = ctx->H[6];
67 uint32_t h = ctx->H[7];
69 /* First increment the byte count. FIPS 180-2 specifies the possible
70 length of the file up to 2^64 bits. Here we only compute the
71 number of bytes. Do a double word increment. */
72 ctx->total[0] += len;
73 if (ctx->total[0] < len)
74 ++ctx->total[1];
76 /* Process all bytes in the buffer with 64 bytes in each round of
77 the loop. */
78 while (nwords > 0)
80 uint32_t W[64];
81 uint32_t a_save = a;
82 uint32_t b_save = b;
83 uint32_t c_save = c;
84 uint32_t d_save = d;
85 uint32_t e_save = e;
86 uint32_t f_save = f;
87 uint32_t g_save = g;
88 uint32_t h_save = h;
90 /* Operators defined in FIPS 180-2:4.1.2. */
91 #define Ch(x, y, z) ((x & y) ^ (~x & z))
92 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
93 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
94 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
95 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
96 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
98 /* It is unfortunate that C does not provide an operator for
99 cyclic rotation. Hope the C compiler is smart enough. */
100 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
102 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
103 for (unsigned int t = 0; t < 16; ++t)
105 W[t] = SWAP (*words);
106 ++words;
108 for (unsigned int t = 16; t < 64; ++t)
109 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
111 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
112 for (unsigned int t = 0; t < 64; ++t)
114 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
115 uint32_t T2 = S0 (a) + Maj (a, b, c);
116 h = g;
117 g = f;
118 f = e;
119 e = d + T1;
120 d = c;
121 c = b;
122 b = a;
123 a = T1 + T2;
126 /* Add the starting values of the context according to FIPS 180-2:6.2.2
127 step 4. */
128 a += a_save;
129 b += b_save;
130 c += c_save;
131 d += d_save;
132 e += e_save;
133 f += f_save;
134 g += g_save;
135 h += h_save;
137 /* Prepare for the next round. */
138 nwords -= 16;
141 /* Put checksum in context given as argument. */
142 ctx->H[0] = a;
143 ctx->H[1] = b;
144 ctx->H[2] = c;
145 ctx->H[3] = d;
146 ctx->H[4] = e;
147 ctx->H[5] = f;
148 ctx->H[6] = g;
149 ctx->H[7] = h;
153 /* Initialize structure containing state of computation.
154 (FIPS 180-2:5.3.2) */
155 void
156 __crypt__sha256_init_ctx (struct sha256_ctx *ctx)
158 ctx->H[0] = 0x6a09e667;
159 ctx->H[1] = 0xbb67ae85;
160 ctx->H[2] = 0x3c6ef372;
161 ctx->H[3] = 0xa54ff53a;
162 ctx->H[4] = 0x510e527f;
163 ctx->H[5] = 0x9b05688c;
164 ctx->H[6] = 0x1f83d9ab;
165 ctx->H[7] = 0x5be0cd19;
167 ctx->total[0] = ctx->total[1] = 0;
168 ctx->buflen = 0;
172 /* Process the remaining bytes in the internal buffer and the usual
173 prolog according to the standard and write the result to RESBUF.
175 IMPORTANT: On some systems it is required that RESBUF is correctly
176 aligned for a 32 bits value. */
177 void *
178 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
180 /* Take yet unprocessed bytes into account. */
181 uint32_t bytes = ctx->buflen;
182 size_t pad;
184 /* Now count remaining bytes. */
185 ctx->total[0] += bytes;
186 if (ctx->total[0] < bytes)
187 ++ctx->total[1];
189 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
190 memcpy (&ctx->buffer[bytes], fillbuf, pad);
192 /* Put the 64-bit file length in *bits* at the end of the buffer. */
193 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
194 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
195 (ctx->total[0] >> 29));
197 /* Process last bytes. */
198 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
200 /* Put result from CTX in first 32 bytes following RESBUF. */
201 for (unsigned int i = 0; i < 8; ++i)
202 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
204 return resbuf;
207 void
208 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
210 /* When we already have some bits in our internal buffer concatenate
211 both inputs first. */
212 if (ctx->buflen != 0)
214 size_t left_over = ctx->buflen;
215 size_t add = 128 - left_over > len ? len : 128 - left_over;
217 memcpy (&ctx->buffer[left_over], buffer, add);
218 ctx->buflen += add;
220 if (ctx->buflen > 64)
222 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
224 ctx->buflen &= 63;
225 /* The regions in the following copy operation cannot overlap. */
226 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
227 ctx->buflen);
230 buffer = (const char *) buffer + add;
231 len -= add;
234 /* Process available complete blocks. */
235 if (len >= 64)
237 /* To check alignment gcc has an appropriate operator. Other
238 compilers don't. */
239 #if __GNUC__ >= 2
240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
241 #else
242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
243 #endif
244 if (UNALIGNED_P (buffer))
245 while (len > 64)
247 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
248 buffer = (const char *) buffer + 64;
249 len -= 64;
251 else
253 __crypt__sha256_process_block (buffer, len & ~63, ctx);
254 buffer = (const char *) buffer + (len & ~63);
255 len &= 63;
259 /* Move remaining bytes into internal buffer. */
260 if (len > 0)
262 size_t left_over = ctx->buflen;
264 memcpy (&ctx->buffer[left_over], buffer, len);
265 left_over += len;
266 if (left_over >= 64)
268 __crypt__sha256_process_block (ctx->buffer, 64, ctx);
269 left_over -= 64;
270 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
272 ctx->buflen = left_over;
277 /* Define our magic string to mark salt for SHA256 "encryption"
278 replacement. */
279 static const char sha256_salt_prefix[] = "$5$";
281 /* Prefix for optional rounds specification. */
282 static const char sha256_rounds_prefix[] = "rounds=";
284 /* Maximum salt string length. */
285 #define SALT_LEN_MAX 16
286 /* Default number of rounds if not explicitly specified. */
287 #define ROUNDS_DEFAULT 5000
288 /* Minimum number of rounds. */
289 #define ROUNDS_MIN 1000
290 /* Maximum number of rounds. */
291 #define ROUNDS_MAX 999999999
293 /* Table with characters for base64 transformation. */
294 static const char b64t[64] =
295 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
298 static char *
299 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen)
301 unsigned char alt_result[32]
302 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
303 unsigned char temp_result[32]
304 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
305 struct sha256_ctx ctx;
306 struct sha256_ctx alt_ctx;
307 size_t salt_len;
308 size_t key_len;
309 size_t cnt;
310 char *cp;
311 char *copied_key = NULL;
312 char *copied_salt = NULL;
313 char *p_bytes;
314 char *s_bytes;
315 /* Default number of rounds. */
316 size_t rounds = ROUNDS_DEFAULT;
317 bool rounds_custom = false;
319 /* Find beginning of salt string. The prefix should normally always
320 be present. Just in case it is not. */
321 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
322 /* Skip salt prefix. */
323 salt += sizeof (sha256_salt_prefix) - 1;
325 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
326 == 0)
328 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
329 char *endp;
330 unsigned long int srounds = strtoul (num, &endp, 10);
331 if (*endp == '$')
333 salt = endp + 1;
334 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
335 rounds_custom = true;
339 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
340 key_len = strlen (key);
342 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
344 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
345 key = copied_key =
346 memcpy (tmp + __alignof__ (uint32_t)
347 - (tmp - (char *) 0) % __alignof__ (uint32_t),
348 key, key_len);
351 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
353 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
354 salt = copied_salt =
355 memcpy (tmp + __alignof__ (uint32_t)
356 - (tmp - (char *) 0) % __alignof__ (uint32_t),
357 salt, salt_len);
360 /* Prepare for the real work. */
361 __crypt__sha256_init_ctx (&ctx);
363 /* Add the key string. */
364 __crypt__sha256_process_bytes (key, key_len, &ctx);
366 /* The last part is the salt string. This must be at most 16
367 characters and it ends at the first `$' character (for
368 compatibility with existing implementations). */
369 __crypt__sha256_process_bytes (salt, salt_len, &ctx);
372 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
373 final result will be added to the first context. */
374 __crypt__sha256_init_ctx (&alt_ctx);
376 /* Add key. */
377 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
379 /* Add salt. */
380 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
382 /* Add key again. */
383 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
385 /* Now get result of this (32 bytes) and add it to the other
386 context. */
387 __crypt__sha256_finish_ctx (&alt_ctx, alt_result);
389 /* Add for any character in the key one byte of the alternate sum. */
390 for (cnt = key_len; cnt > 32; cnt -= 32)
391 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
392 __crypt__sha256_process_bytes (alt_result, cnt, &ctx);
394 /* Take the binary representation of the length of the key and for every
395 1 add the alternate sum, for every 0 the key. */
396 for (cnt = key_len; cnt > 0; cnt >>= 1)
397 if ((cnt & 1) != 0)
398 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
399 else
400 __crypt__sha256_process_bytes (key, key_len, &ctx);
402 /* Create intermediate result. */
403 __crypt__sha256_finish_ctx (&ctx, alt_result);
405 /* Start computation of P byte sequence. */
406 __crypt__sha256_init_ctx (&alt_ctx);
408 /* For every character in the password add the entire password. */
409 for (cnt = 0; cnt < key_len; ++cnt)
410 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
412 /* Finish the digest. */
413 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
415 /* Create byte sequence P. */
416 cp = p_bytes = alloca (key_len);
417 for (cnt = key_len; cnt >= 32; cnt -= 32)
418 cp = mempcpy (cp, temp_result, 32);
419 memcpy (cp, temp_result, cnt);
421 /* Start computation of S byte sequence. */
422 __crypt__sha256_init_ctx (&alt_ctx);
424 /* For every character in the password add the entire password. */
425 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
426 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
428 /* Finish the digest. */
429 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
431 /* Create byte sequence S. */
432 cp = s_bytes = alloca (salt_len);
433 for (cnt = salt_len; cnt >= 32; cnt -= 32)
434 cp = mempcpy (cp, temp_result, 32);
435 memcpy (cp, temp_result, cnt);
437 /* Repeatedly run the collected hash value through SHA256 to burn
438 CPU cycles. */
439 for (cnt = 0; cnt < rounds; ++cnt)
441 /* New context. */
442 __crypt__sha256_init_ctx (&ctx);
444 /* Add key or last result. */
445 if ((cnt & 1) != 0)
446 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
447 else
448 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
450 /* Add salt for numbers not divisible by 3. */
451 if (cnt % 3 != 0)
452 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx);
454 /* Add key for numbers not divisible by 7. */
455 if (cnt % 7 != 0)
456 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
458 /* Add key or last result. */
459 if ((cnt & 1) != 0)
460 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
461 else
462 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
464 /* Create intermediate result. */
465 __crypt__sha256_finish_ctx (&ctx, alt_result);
468 /* Now we can construct the result string. It consists of three
469 parts. */
470 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
471 buflen -= sizeof (sha256_salt_prefix) - 1;
473 if (rounds_custom)
475 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
476 sha256_rounds_prefix, rounds);
477 cp += n;
478 buflen -= n;
481 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
482 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
484 if (buflen > 0)
486 *cp++ = '$';
487 --buflen;
490 #define b64_from_24bit(B2, B1, B0, N) \
491 do { \
492 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
493 int n = (N); \
494 while (n-- > 0 && buflen > 0) \
496 *cp++ = b64t[w & 0x3f]; \
497 --buflen; \
498 w >>= 6; \
500 } while (0)
502 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
503 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
504 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
505 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
506 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
507 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
508 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
509 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
510 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
511 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
512 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
513 if (buflen <= 0)
515 errno = ERANGE;
516 buffer = NULL;
518 else
519 *cp = '\0'; /* Terminate the string. */
521 /* Clear the buffer for the intermediate result so that people
522 attaching to processes or reading core dumps cannot get any
523 information. We do it in this way to clear correct_words[]
524 inside the SHA256 implementation as well. */
525 __crypt__sha256_init_ctx (&ctx);
526 __crypt__sha256_finish_ctx (&ctx, alt_result);
527 memset (temp_result, '\0', sizeof (temp_result));
528 memset (p_bytes, '\0', key_len);
529 memset (s_bytes, '\0', salt_len);
530 memset (&ctx, '\0', sizeof (ctx));
531 memset (&alt_ctx, '\0', sizeof (alt_ctx));
532 if (copied_key != NULL)
533 memset (copied_key, '\0', key_len);
534 if (copied_salt != NULL)
535 memset (copied_salt, '\0', salt_len);
537 return buffer;
541 /* This entry point is equivalent to the `crypt' function in Unix
542 libcs. */
543 char *
544 crypt_sha256 (const char *key, const char *salt)
546 /* We don't want to have an arbitrary limit in the size of the
547 password. We can compute an upper bound for the size of the
548 result in advance and so we can prepare the buffer we pass to
549 `crypt_sha256_r'. */
550 static char *buffer;
551 static int buflen;
552 int needed = (sizeof (sha256_salt_prefix) - 1
553 + sizeof (sha256_rounds_prefix) + 9 + 1
554 + strlen (salt) + 1 + 43 + 1);
556 if (buflen < needed)
558 char *new_buffer = (char *) realloc (buffer, needed);
559 if (new_buffer == NULL)
560 return NULL;
562 buffer = new_buffer;
563 buflen = needed;
566 return crypt_sha256_r (key, salt, buffer, buflen);
570 #ifdef TEST
571 static const struct
573 const char *input;
574 const char result[32];
575 } tests[] =
577 /* Test vectors from FIPS 180-2: appendix B.1. */
578 { "abc",
579 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
580 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
581 /* Test vectors from FIPS 180-2: appendix B.2. */
582 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
583 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
584 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
585 /* Test vectors from the NESSIE project. */
586 { "",
587 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
588 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
589 { "a",
590 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
591 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
592 { "message digest",
593 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
594 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
595 { "abcdefghijklmnopqrstuvwxyz",
596 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
597 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
598 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
599 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
600 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
601 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
602 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
603 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
604 { "123456789012345678901234567890123456789012345678901234567890"
605 "12345678901234567890",
606 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
607 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
609 #define ntests (sizeof (tests) / sizeof (tests[0]))
612 static const struct
614 const char *salt;
615 const char *input;
616 const char *expected;
617 } tests2[] =
619 { "$5$saltstring", "Hello world!",
620 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
621 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
622 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
623 "opqey6IcA" },
624 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
625 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
626 "mGRcvxa5" },
627 { "$5$rounds=1400$anotherlongsaltstring",
628 "a very much longer text to encrypt. This one even stretches over more"
629 "than one line.",
630 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
631 "oP84Bnq1" },
632 { "$5$rounds=77777$short",
633 "we have a short salt string but not a short password",
634 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
635 { "$5$rounds=123456$asaltof16chars..", "a short string",
636 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
637 "cZKmF/wJvD" },
638 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
639 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
640 "2bIC" },
642 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
646 main (void)
648 struct sha256_ctx ctx;
649 char sum[32];
650 int result = 0;
651 int cnt;
653 for (cnt = 0; cnt < (int) ntests; ++cnt)
655 __crypt__sha256_init_ctx (&ctx);
656 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
657 __crypt__sha256_finish_ctx (&ctx, sum);
658 if (memcmp (tests[cnt].result, sum, 32) != 0)
660 printf ("test %d run %d failed\n", cnt, 1);
661 result = 1;
664 __crypt__sha256_init_ctx (&ctx);
665 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
666 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
667 __crypt__sha256_finish_ctx (&ctx, sum);
668 if (memcmp (tests[cnt].result, sum, 32) != 0)
670 printf ("test %d run %d failed\n", cnt, 2);
671 result = 1;
675 /* Test vector from FIPS 180-2: appendix B.3. */
676 char buf[1000];
677 memset (buf, 'a', sizeof (buf));
678 __crypt__sha256_init_ctx (&ctx);
679 for (int i = 0; i < 1000; ++i)
680 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx);
681 __crypt__sha256_finish_ctx (&ctx, sum);
682 static const char expected[32] =
683 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
684 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
685 if (memcmp (expected, sum, 32) != 0)
687 printf ("test %d failed\n", cnt);
688 result = 1;
691 for (cnt = 0; cnt < ntests2; ++cnt)
693 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt);
695 if (strcmp (cp, tests2[cnt].expected) != 0)
697 printf ("test %d: expected \"%s\", got \"%s\"\n",
698 cnt, tests2[cnt].expected, cp);
699 result = 1;
703 if (result == 0)
704 puts ("all tests OK");
706 return result;
708 #endif