search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add mount_hammer2 and newfs_hammer2 to initrd list.
[dragonfly.git] / lib / libcrypt / crypt-sha256.c
blob1f7f7e3b8e6705f73e461894393889e15e9aef73
1 /*
2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
4 */
5 #include <errno.h>
6 #include <limits.h>
7 #include <stdint.h>
8 #include <stdbool.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16 #include "local.h"
17
18 #if __BYTE_ORDER == __LITTLE_ENDIAN
19 # define SWAP(n) \
20 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
21 #else
22 # define SWAP(n) (n)
23 #endif
24
25
26 /* This array contains the bytes used to pad the buffer to the next
27 64-byte boundary. (FIPS 180-2:5.1.1) */
28 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
29
30
31 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
32 static const uint32_t K[64] =
33 {
34 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
35 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
36 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
37 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
38 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
39 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
40 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
41 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
42 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
43 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
44 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
45 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
46 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
47 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
48 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
49 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
50 };
51
52
53 /* Process LEN bytes of BUFFER, accumulating context into CTX.
54 It is assumed that LEN % 64 == 0. */
55 void
56 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
57 {
58 const uint32_t *words = buffer;
59 size_t nwords = len / sizeof (uint32_t);
60 uint32_t a = ctx->H[0];
61 uint32_t b = ctx->H[1];
62 uint32_t c = ctx->H[2];
63 uint32_t d = ctx->H[3];
64 uint32_t e = ctx->H[4];
65 uint32_t f = ctx->H[5];
66 uint32_t g = ctx->H[6];
67 uint32_t h = ctx->H[7];
68
69 /* First increment the byte count. FIPS 180-2 specifies the possible
70 length of the file up to 2^64 bits. Here we only compute the
71 number of bytes. Do a double word increment. */
72 ctx->total[0] += len;
73 if (ctx->total[0] < len)
74 ++ctx->total[1];
75
76 /* Process all bytes in the buffer with 64 bytes in each round of
77 the loop. */
78 while (nwords > 0)
79 {
80 uint32_t W[64];
81 uint32_t a_save = a;
82 uint32_t b_save = b;
83 uint32_t c_save = c;
84 uint32_t d_save = d;
85 uint32_t e_save = e;
86 uint32_t f_save = f;
87 uint32_t g_save = g;
88 uint32_t h_save = h;
89
90 /* Operators defined in FIPS 180-2:4.1.2. */
91 #define Ch(x, y, z) ((x & y) ^ (~x & z))
92 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
93 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
94 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
95 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
96 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
97
98 /* It is unfortunate that C does not provide an operator for
99 cyclic rotation. Hope the C compiler is smart enough. */
100 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
101
102 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
103 for (unsigned int t = 0; t < 16; ++t)
104 {
105 W[t] = SWAP (*words);
106 ++words;
107 }
108 for (unsigned int t = 16; t < 64; ++t)
109 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
110
111 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
112 for (unsigned int t = 0; t < 64; ++t)
113 {
114 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
115 uint32_t T2 = S0 (a) + Maj (a, b, c);
116 h = g;
117 g = f;
118 f = e;
119 e = d + T1;
120 d = c;
121 c = b;
122 b = a;
123 a = T1 + T2;
124 }
125
126 /* Add the starting values of the context according to FIPS 180-2:6.2.2
127 step 4. */
128 a += a_save;
129 b += b_save;
130 c += c_save;
131 d += d_save;
132 e += e_save;
133 f += f_save;
134 g += g_save;
135 h += h_save;
136
137 /* Prepare for the next round. */
138 nwords -= 16;
139 }
140
141 /* Put checksum in context given as argument. */
142 ctx->H[0] = a;
143 ctx->H[1] = b;
144 ctx->H[2] = c;
145 ctx->H[3] = d;
146 ctx->H[4] = e;
147 ctx->H[5] = f;
148 ctx->H[6] = g;
149 ctx->H[7] = h;
150 }
151
152
153 /* Initialize structure containing state of computation.
154 (FIPS 180-2:5.3.2) */
155 void
156 __crypt__sha256_init_ctx (struct sha256_ctx *ctx)
157 {
158 ctx->H[0] = 0x6a09e667;
159 ctx->H[1] = 0xbb67ae85;
160 ctx->H[2] = 0x3c6ef372;
161 ctx->H[3] = 0xa54ff53a;
162 ctx->H[4] = 0x510e527f;
163 ctx->H[5] = 0x9b05688c;
164 ctx->H[6] = 0x1f83d9ab;
165 ctx->H[7] = 0x5be0cd19;
166
167 ctx->total[0] = ctx->total[1] = 0;
168 ctx->buflen = 0;
169 }
170
171
172 /* Process the remaining bytes in the internal buffer and the usual
173 prolog according to the standard and write the result to RESBUF.
174
175 IMPORTANT: On some systems it is required that RESBUF is correctly
176 aligned for a 32 bits value. */
177 void *
178 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
179 {
180 /* Take yet unprocessed bytes into account. */
181 uint32_t bytes = ctx->buflen;
182 size_t pad;
183
184 /* Now count remaining bytes. */
185 ctx->total[0] += bytes;
186 if (ctx->total[0] < bytes)
187 ++ctx->total[1];
188
189 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
190 memcpy (&ctx->buffer[bytes], fillbuf, pad);
191
192 /* Put the 64-bit file length in *bits* at the end of the buffer. */
193 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
194 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
195 (ctx->total[0] >> 29));
196
197 /* Process last bytes. */
198 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
199
200 /* Put result from CTX in first 32 bytes following RESBUF. */
201 for (unsigned int i = 0; i < 8; ++i)
202 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
203
204 return resbuf;
205 }
206
207 void
208 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
209 {
210 /* When we already have some bits in our internal buffer concatenate
211 both inputs first. */
212 if (ctx->buflen != 0)
213 {
214 size_t left_over = ctx->buflen;
215 size_t add = 128 - left_over > len ? len : 128 - left_over;
216
217 memcpy (&ctx->buffer[left_over], buffer, add);
218 ctx->buflen += add;
219
220 if (ctx->buflen > 64)
221 {
222 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
223
224 ctx->buflen &= 63;
225 /* The regions in the following copy operation cannot overlap. */
226 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
227 ctx->buflen);
228 }
229
230 buffer = (const char *) buffer + add;
231 len -= add;
232 }
233
234 /* Process available complete blocks. */
235 if (len >= 64)
236 {
237 /* To check alignment gcc has an appropriate operator. Other
238 compilers don't. */
239 #if __GNUC__ >= 2
240 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
241 #else
242 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
243 #endif
244 if (UNALIGNED_P (buffer))
245 while (len > 64)
246 {
247 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
248 buffer = (const char *) buffer + 64;
249 len -= 64;
250 }
251 else
252 {
253 __crypt__sha256_process_block (buffer, len & ~63, ctx);
254 buffer = (const char *) buffer + (len & ~63);
255 len &= 63;
256 }
257 }
258
259 /* Move remaining bytes into internal buffer. */
260 if (len > 0)
261 {
262 size_t left_over = ctx->buflen;
263
264 memcpy (&ctx->buffer[left_over], buffer, len);
265 left_over += len;
266 if (left_over >= 64)
267 {
268 __crypt__sha256_process_block (ctx->buffer, 64, ctx);
269 left_over -= 64;
270 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
271 }
272 ctx->buflen = left_over;
273 }
274 }
275
276
277 /* Define our magic string to mark salt for SHA256 "encryption"
278 replacement. */
279 static const char sha256_salt_prefix[] = "$5$";
280
281 /* Prefix for optional rounds specification. */
282 static const char sha256_rounds_prefix[] = "rounds=";
283
284 /* Maximum salt string length. */
285 #define SALT_LEN_MAX 16
286 /* Default number of rounds if not explicitly specified. */
287 #define ROUNDS_DEFAULT 5000
288 /* Minimum number of rounds. */
289 #define ROUNDS_MIN 1000
290 /* Maximum number of rounds. */
291 #define ROUNDS_MAX 999999999
292
293 /* Table with characters for base64 transformation. */
294 static const char b64t[64] =
295 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
296
297
298 static char *
299 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen)
300 {
301 unsigned char alt_result[32]
302 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
303 unsigned char temp_result[32]
304 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
305 struct sha256_ctx ctx;
306 struct sha256_ctx alt_ctx;
307 size_t salt_len;
308 size_t key_len;
309 size_t cnt;
310 char *cp;
311 char *copied_key = NULL;
312 char *copied_salt = NULL;
313 char *p_bytes;
314 char *s_bytes;
315 /* Default number of rounds. */
316 size_t rounds = ROUNDS_DEFAULT;
317 bool rounds_custom = false;
318
319 /* Find beginning of salt string. The prefix should normally always
320 be present. Just in case it is not. */
321 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
322 /* Skip salt prefix. */
323 salt += sizeof (sha256_salt_prefix) - 1;
324
325 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
326 == 0)
327 {
328 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
329 char *endp;
330 unsigned long int srounds = strtoul (num, &endp, 10);
331 if (*endp == '$')
332 {
333 salt = endp + 1;
334 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
335 rounds_custom = true;
336 }
337 }
338
339 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
340 key_len = strlen (key);
341
342 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
343 {
344 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
345 key = copied_key =
346 memcpy (tmp + __alignof__ (uint32_t)
347 - (tmp - (char *) 0) % __alignof__ (uint32_t),
348 key, key_len);
349 }
350
351 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
352 {
353 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
354 salt = copied_salt =
355 memcpy (tmp + __alignof__ (uint32_t)
356 - (tmp - (char *) 0) % __alignof__ (uint32_t),
357 salt, salt_len);
358 }
359
360 /* Prepare for the real work. */
361 __crypt__sha256_init_ctx (&ctx);
362
363 /* Add the key string. */
364 __crypt__sha256_process_bytes (key, key_len, &ctx);
365
366 /* The last part is the salt string. This must be at most 16
367 characters and it ends at the first `$' character (for
368 compatibility with existing implementations). */
369 __crypt__sha256_process_bytes (salt, salt_len, &ctx);
370
371
372 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
373 final result will be added to the first context. */
374 __crypt__sha256_init_ctx (&alt_ctx);
375
376 /* Add key. */
377 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
378
379 /* Add salt. */
380 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
381
382 /* Add key again. */
383 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
384
385 /* Now get result of this (32 bytes) and add it to the other
386 context. */
387 __crypt__sha256_finish_ctx (&alt_ctx, alt_result);
388
389 /* Add for any character in the key one byte of the alternate sum. */
390 for (cnt = key_len; cnt > 32; cnt -= 32)
391 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
392 __crypt__sha256_process_bytes (alt_result, cnt, &ctx);
393
394 /* Take the binary representation of the length of the key and for every
395 1 add the alternate sum, for every 0 the key. */
396 for (cnt = key_len; cnt > 0; cnt >>= 1)
397 if ((cnt & 1) != 0)
398 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
399 else
400 __crypt__sha256_process_bytes (key, key_len, &ctx);
401
402 /* Create intermediate result. */
403 __crypt__sha256_finish_ctx (&ctx, alt_result);
404
405 /* Start computation of P byte sequence. */
406 __crypt__sha256_init_ctx (&alt_ctx);
407
408 /* For every character in the password add the entire password. */
409 for (cnt = 0; cnt < key_len; ++cnt)
410 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
411
412 /* Finish the digest. */
413 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
414
415 /* Create byte sequence P. */
416 cp = p_bytes = alloca (key_len);
417 for (cnt = key_len; cnt >= 32; cnt -= 32)
418 cp = mempcpy (cp, temp_result, 32);
419 memcpy (cp, temp_result, cnt);
420
421 /* Start computation of S byte sequence. */
422 __crypt__sha256_init_ctx (&alt_ctx);
423
424 /* For every character in the password add the entire password. */
425 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
426 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
427
428 /* Finish the digest. */
429 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
430
431 /* Create byte sequence S. */
432 cp = s_bytes = alloca (salt_len);
433 for (cnt = salt_len; cnt >= 32; cnt -= 32)
434 cp = mempcpy (cp, temp_result, 32);
435 memcpy (cp, temp_result, cnt);
436
437 /* Repeatedly run the collected hash value through SHA256 to burn
438 CPU cycles. */
439 for (cnt = 0; cnt < rounds; ++cnt)
440 {
441 /* New context. */
442 __crypt__sha256_init_ctx (&ctx);
443
444 /* Add key or last result. */
445 if ((cnt & 1) != 0)
446 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
447 else
448 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
449
450 /* Add salt for numbers not divisible by 3. */
451 if (cnt % 3 != 0)
452 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx);
453
454 /* Add key for numbers not divisible by 7. */
455 if (cnt % 7 != 0)
456 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
457
458 /* Add key or last result. */
459 if ((cnt & 1) != 0)
460 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
461 else
462 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
463
464 /* Create intermediate result. */
465 __crypt__sha256_finish_ctx (&ctx, alt_result);
466 }
467
468 /* Now we can construct the result string. It consists of three
469 parts. */
470 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
471 buflen -= sizeof (sha256_salt_prefix) - 1;
472
473 if (rounds_custom)
474 {
475 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
476 sha256_rounds_prefix, rounds);
477 cp += n;
478 buflen -= n;
479 }
480
481 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
482 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
483
484 if (buflen > 0)
485 {
486 *cp++ = '$';
487 --buflen;
488 }
489
490 #define b64_from_24bit(B2, B1, B0, N) \
491 do { \
492 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
493 int n = (N); \
494 while (n-- > 0 && buflen > 0) \
495 { \
496 *cp++ = b64t[w & 0x3f]; \
497 --buflen; \
498 w >>= 6; \
499 } \
500 } while (0)
501
502 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
503 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
504 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
505 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
506 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
507 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
508 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
509 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
510 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
511 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
512 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
513 if (buflen <= 0)
514 {
515 errno = ERANGE;
516 buffer = NULL;
517 }
518 else
519 *cp = '\0'; /* Terminate the string. */
520
521 /* Clear the buffer for the intermediate result so that people
522 attaching to processes or reading core dumps cannot get any
523 information. We do it in this way to clear correct_words[]
524 inside the SHA256 implementation as well. */
525 __crypt__sha256_init_ctx (&ctx);
526 __crypt__sha256_finish_ctx (&ctx, alt_result);
527 memset (temp_result, '\0', sizeof (temp_result));
528 memset (p_bytes, '\0', key_len);
529 memset (s_bytes, '\0', salt_len);
530 memset (&ctx, '\0', sizeof (ctx));
531 memset (&alt_ctx, '\0', sizeof (alt_ctx));
532 if (copied_key != NULL)
533 memset (copied_key, '\0', key_len);
534 if (copied_salt != NULL)
535 memset (copied_salt, '\0', salt_len);
536
537 return buffer;
538 }
539
540
541 /* This entry point is equivalent to the `crypt' function in Unix
542 libcs. */
543 char *
544 crypt_sha256 (const char *key, const char *salt)
545 {
546 /* We don't want to have an arbitrary limit in the size of the
547 password. We can compute an upper bound for the size of the
548 result in advance and so we can prepare the buffer we pass to
549 `crypt_sha256_r'. */
550 static char *buffer;
551 static int buflen;
552 int needed = (sizeof (sha256_salt_prefix) - 1
553 + sizeof (sha256_rounds_prefix) + 9 + 1
554 + strlen (salt) + 1 + 43 + 1);
555
556 if (buflen < needed)
557 {
558 char *new_buffer = (char *) realloc (buffer, needed);
559 if (new_buffer == NULL)
560 return NULL;
561
562 buffer = new_buffer;
563 buflen = needed;
564 }
565
566 return crypt_sha256_r (key, salt, buffer, buflen);
567 }
568
569
570 #ifdef TEST
571 static const struct
572 {
573 const char *input;
574 const char result[32];
575 } tests[] =
576 {
577 /* Test vectors from FIPS 180-2: appendix B.1. */
578 { "abc",
579 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
580 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
581 /* Test vectors from FIPS 180-2: appendix B.2. */
582 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
583 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
584 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
585 /* Test vectors from the NESSIE project. */
586 { "",
587 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
588 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
589 { "a",
590 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
591 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
592 { "message digest",
593 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
594 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
595 { "abcdefghijklmnopqrstuvwxyz",
596 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
597 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
598 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
599 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
600 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
601 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
602 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
603 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
604 { "123456789012345678901234567890123456789012345678901234567890"
605 "12345678901234567890",
606 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
607 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
608 };
609 #define ntests (sizeof (tests) / sizeof (tests[0]))
610
611
612 static const struct
613 {
614 const char *salt;
615 const char *input;
616 const char *expected;
617 } tests2[] =
618 {
619 { "$5$saltstring", "Hello world!",
620 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
621 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
622 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
623 "opqey6IcA" },
624 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
625 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
626 "mGRcvxa5" },
627 { "$5$rounds=1400$anotherlongsaltstring",
628 "a very much longer text to encrypt. This one even stretches over more"
629 "than one line.",
630 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
631 "oP84Bnq1" },
632 { "$5$rounds=77777$short",
633 "we have a short salt string but not a short password",
634 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
635 { "$5$rounds=123456$asaltof16chars..", "a short string",
636 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
637 "cZKmF/wJvD" },
638 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
639 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
640 "2bIC" },
641 };
642 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
643
644
645 int
646 main (void)
647 {
648 struct sha256_ctx ctx;
649 char sum[32];
650 int result = 0;
651 int cnt;
652
653 for (cnt = 0; cnt < (int) ntests; ++cnt)
654 {
655 __crypt__sha256_init_ctx (&ctx);
656 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
657 __crypt__sha256_finish_ctx (&ctx, sum);
658 if (memcmp (tests[cnt].result, sum, 32) != 0)
659 {
660 printf ("test %d run %d failed\n", cnt, 1);
661 result = 1;
662 }
663
664 __crypt__sha256_init_ctx (&ctx);
665 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
666 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
667 __crypt__sha256_finish_ctx (&ctx, sum);
668 if (memcmp (tests[cnt].result, sum, 32) != 0)
669 {
670 printf ("test %d run %d failed\n", cnt, 2);
671 result = 1;
672 }
673 }
674
675 /* Test vector from FIPS 180-2: appendix B.3. */
676 char buf[1000];
677 memset (buf, 'a', sizeof (buf));
678 __crypt__sha256_init_ctx (&ctx);
679 for (int i = 0; i < 1000; ++i)
680 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx);
681 __crypt__sha256_finish_ctx (&ctx, sum);
682 static const char expected[32] =
683 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
684 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
685 if (memcmp (expected, sum, 32) != 0)
686 {
687 printf ("test %d failed\n", cnt);
688 result = 1;
689 }
690
691 for (cnt = 0; cnt < ntests2; ++cnt)
692 {
693 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt);
694
695 if (strcmp (cp, tests2[cnt].expected) != 0)
696 {
697 printf ("test %d: expected \"%s\", got \"%s\"\n",
698 cnt, tests2[cnt].expected, cp);
699 result = 1;
700 }
701 }
702
703 if (result == 0)
704 puts ("all tests OK");
705
706 return result;
707 }
708 #endif
709
DragonFly BSD