2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
17 /* Structure to save state of computation between the single steps. */
24 char buffer
[128]; /* NB: always correctly aligned for uint32_t. */
28 #if __BYTE_ORDER == __LITTLE_ENDIAN
30 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
36 /* This array contains the bytes used to pad the buffer to the next
37 64-byte boundary. (FIPS 180-2:5.1.1) */
38 static const unsigned char fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
42 static const uint32_t K
[64] =
44 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
45 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
46 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
47 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
48 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
49 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
50 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
51 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
52 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
53 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
54 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
55 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
56 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
57 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
58 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
59 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
63 /* Process LEN bytes of BUFFER, accumulating context into CTX.
64 It is assumed that LEN % 64 == 0. */
66 sha256_process_block (const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
68 const uint32_t *words
= buffer
;
69 size_t nwords
= len
/ sizeof (uint32_t);
70 uint32_t a
= ctx
->H
[0];
71 uint32_t b
= ctx
->H
[1];
72 uint32_t c
= ctx
->H
[2];
73 uint32_t d
= ctx
->H
[3];
74 uint32_t e
= ctx
->H
[4];
75 uint32_t f
= ctx
->H
[5];
76 uint32_t g
= ctx
->H
[6];
77 uint32_t h
= ctx
->H
[7];
79 /* First increment the byte count. FIPS 180-2 specifies the possible
80 length of the file up to 2^64 bits. Here we only compute the
81 number of bytes. Do a double word increment. */
83 if (ctx
->total
[0] < len
)
86 /* Process all bytes in the buffer with 64 bytes in each round of
100 /* Operators defined in FIPS 180-2:4.1.2. */
101 #define Ch(x, y, z) ((x & y) ^ (~x & z))
102 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
103 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
104 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
105 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
106 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
108 /* It is unfortunate that C does not provide an operator for
109 cyclic rotation. Hope the C compiler is smart enough. */
110 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
112 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
113 for (unsigned int t
= 0; t
< 16; ++t
)
115 W
[t
] = SWAP (*words
);
118 for (unsigned int t
= 16; t
< 64; ++t
)
119 W
[t
] = R1 (W
[t
- 2]) + W
[t
- 7] + R0 (W
[t
- 15]) + W
[t
- 16];
121 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
122 for (unsigned int t
= 0; t
< 64; ++t
)
124 uint32_t T1
= h
+ S1 (e
) + Ch (e
, f
, g
) + K
[t
] + W
[t
];
125 uint32_t T2
= S0 (a
) + Maj (a
, b
, c
);
136 /* Add the starting values of the context according to FIPS 180-2:6.2.2
147 /* Prepare for the next round. */
151 /* Put checksum in context given as argument. */
163 /* Initialize structure containing state of computation.
164 (FIPS 180-2:5.3.2) */
166 sha256_init_ctx (struct sha256_ctx
*ctx
)
168 ctx
->H
[0] = 0x6a09e667;
169 ctx
->H
[1] = 0xbb67ae85;
170 ctx
->H
[2] = 0x3c6ef372;
171 ctx
->H
[3] = 0xa54ff53a;
172 ctx
->H
[4] = 0x510e527f;
173 ctx
->H
[5] = 0x9b05688c;
174 ctx
->H
[6] = 0x1f83d9ab;
175 ctx
->H
[7] = 0x5be0cd19;
177 ctx
->total
[0] = ctx
->total
[1] = 0;
182 /* Process the remaining bytes in the internal buffer and the usual
183 prolog according to the standard and write the result to RESBUF.
185 IMPORTANT: On some systems it is required that RESBUF is correctly
186 aligned for a 32 bits value. */
188 sha256_finish_ctx (struct sha256_ctx
*ctx
, void *resbuf
)
190 /* Take yet unprocessed bytes into account. */
191 uint32_t bytes
= ctx
->buflen
;
194 /* Now count remaining bytes. */
195 ctx
->total
[0] += bytes
;
196 if (ctx
->total
[0] < bytes
)
199 pad
= bytes
>= 56 ? 64 + 56 - bytes
: 56 - bytes
;
200 memcpy (&ctx
->buffer
[bytes
], fillbuf
, pad
);
202 /* Put the 64-bit file length in *bits* at the end of the buffer. */
203 *(uint32_t *) &ctx
->buffer
[bytes
+ pad
+ 4] = SWAP (ctx
->total
[0] << 3);
204 *(uint32_t *) &ctx
->buffer
[bytes
+ pad
] = SWAP ((ctx
->total
[1] << 3) |
205 (ctx
->total
[0] >> 29));
207 /* Process last bytes. */
208 sha256_process_block (ctx
->buffer
, bytes
+ pad
+ 8, ctx
);
210 /* Put result from CTX in first 32 bytes following RESBUF. */
211 for (unsigned int i
= 0; i
< 8; ++i
)
212 ((uint32_t *) resbuf
)[i
] = SWAP (ctx
->H
[i
]);
219 sha256_process_bytes (const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
221 /* When we already have some bits in our internal buffer concatenate
222 both inputs first. */
223 if (ctx
->buflen
!= 0)
225 size_t left_over
= ctx
->buflen
;
226 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
228 memcpy (&ctx
->buffer
[left_over
], buffer
, add
);
231 if (ctx
->buflen
> 64)
233 sha256_process_block (ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
236 /* The regions in the following copy operation cannot overlap. */
237 memcpy (ctx
->buffer
, &ctx
->buffer
[(left_over
+ add
) & ~63],
241 buffer
= (const char *) buffer
+ add
;
245 /* Process available complete blocks. */
248 /* To check alignment gcc has an appropriate operator. Other
251 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
253 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
255 if (UNALIGNED_P (buffer
))
258 sha256_process_block (memcpy (ctx
->buffer
, buffer
, 64), 64, ctx
);
259 buffer
= (const char *) buffer
+ 64;
264 sha256_process_block (buffer
, len
& ~63, ctx
);
265 buffer
= (const char *) buffer
+ (len
& ~63);
270 /* Move remaining bytes into internal buffer. */
273 size_t left_over
= ctx
->buflen
;
275 memcpy (&ctx
->buffer
[left_over
], buffer
, len
);
279 sha256_process_block (ctx
->buffer
, 64, ctx
);
281 memcpy (ctx
->buffer
, &ctx
->buffer
[64], left_over
);
283 ctx
->buflen
= left_over
;
288 /* Define our magic string to mark salt for SHA256 "encryption"
290 static const char sha256_salt_prefix
[] = "$5$";
292 /* Prefix for optional rounds specification. */
293 static const char sha256_rounds_prefix
[] = "rounds=";
295 /* Maximum salt string length. */
296 #define SALT_LEN_MAX 16
297 /* Default number of rounds if not explicitly specified. */
298 #define ROUNDS_DEFAULT 5000
299 /* Minimum number of rounds. */
300 #define ROUNDS_MIN 1000
301 /* Maximum number of rounds. */
302 #define ROUNDS_MAX 999999999
304 /* Table with characters for base64 transformation. */
305 static const char b64t
[64] =
306 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
310 crypt_sha256_r (const char *key
, const char *salt
, char *buffer
, int buflen
)
312 unsigned char alt_result
[32]
313 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
314 unsigned char temp_result
[32]
315 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
316 struct sha256_ctx ctx
;
317 struct sha256_ctx alt_ctx
;
322 char *copied_key
= NULL
;
323 char *copied_salt
= NULL
;
326 /* Default number of rounds. */
327 size_t rounds
= ROUNDS_DEFAULT
;
328 bool rounds_custom
= false;
330 /* Find beginning of salt string. The prefix should normally always
331 be present. Just in case it is not. */
332 if (strncmp (sha256_salt_prefix
, salt
, sizeof (sha256_salt_prefix
) - 1) == 0)
333 /* Skip salt prefix. */
334 salt
+= sizeof (sha256_salt_prefix
) - 1;
336 if (strncmp (salt
, sha256_rounds_prefix
, sizeof (sha256_rounds_prefix
) - 1)
339 const char *num
= salt
+ sizeof (sha256_rounds_prefix
) - 1;
341 unsigned long int srounds
= strtoul (num
, &endp
, 10);
345 rounds
= MAX (ROUNDS_MIN
, MIN (srounds
, ROUNDS_MAX
));
346 rounds_custom
= true;
350 salt_len
= MIN (strcspn (salt
, "$"), SALT_LEN_MAX
);
351 key_len
= strlen (key
);
353 if ((key
- (char *) 0) % __alignof__ (uint32_t) != 0)
355 char *tmp
= (char *) alloca (key_len
+ __alignof__ (uint32_t));
357 memcpy (tmp
+ __alignof__ (uint32_t)
358 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
362 if ((salt
- (char *) 0) % __alignof__ (uint32_t) != 0)
364 char *tmp
= (char *) alloca (salt_len
+ __alignof__ (uint32_t));
366 memcpy (tmp
+ __alignof__ (uint32_t)
367 - (tmp
- (char *) 0) % __alignof__ (uint32_t),
371 /* Prepare for the real work. */
372 sha256_init_ctx (&ctx
);
374 /* Add the key string. */
375 sha256_process_bytes (key
, key_len
, &ctx
);
377 /* The last part is the salt string. This must be at most 16
378 characters and it ends at the first `$' character (for
379 compatibility with existing implementations). */
380 sha256_process_bytes (salt
, salt_len
, &ctx
);
383 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
384 final result will be added to the first context. */
385 sha256_init_ctx (&alt_ctx
);
388 sha256_process_bytes (key
, key_len
, &alt_ctx
);
391 sha256_process_bytes (salt
, salt_len
, &alt_ctx
);
394 sha256_process_bytes (key
, key_len
, &alt_ctx
);
396 /* Now get result of this (32 bytes) and add it to the other
398 sha256_finish_ctx (&alt_ctx
, alt_result
);
400 /* Add for any character in the key one byte of the alternate sum. */
401 for (cnt
= key_len
; cnt
> 32; cnt
-= 32)
402 sha256_process_bytes (alt_result
, 32, &ctx
);
403 sha256_process_bytes (alt_result
, cnt
, &ctx
);
405 /* Take the binary representation of the length of the key and for every
406 1 add the alternate sum, for every 0 the key. */
407 for (cnt
= key_len
; cnt
> 0; cnt
>>= 1)
409 sha256_process_bytes (alt_result
, 32, &ctx
);
411 sha256_process_bytes (key
, key_len
, &ctx
);
413 /* Create intermediate result. */
414 sha256_finish_ctx (&ctx
, alt_result
);
416 /* Start computation of P byte sequence. */
417 sha256_init_ctx (&alt_ctx
);
419 /* For every character in the password add the entire password. */
420 for (cnt
= 0; cnt
< key_len
; ++cnt
)
421 sha256_process_bytes (key
, key_len
, &alt_ctx
);
423 /* Finish the digest. */
424 sha256_finish_ctx (&alt_ctx
, temp_result
);
426 /* Create byte sequence P. */
427 cp
= p_bytes
= alloca (key_len
);
428 for (cnt
= key_len
; cnt
>= 32; cnt
-= 32)
429 cp
= mempcpy (cp
, temp_result
, 32);
430 memcpy (cp
, temp_result
, cnt
);
432 /* Start computation of S byte sequence. */
433 sha256_init_ctx (&alt_ctx
);
435 /* For every character in the password add the entire password. */
436 for (cnt
= 0; cnt
< 16 + alt_result
[0]; ++cnt
)
437 sha256_process_bytes (salt
, salt_len
, &alt_ctx
);
439 /* Finish the digest. */
440 sha256_finish_ctx (&alt_ctx
, temp_result
);
442 /* Create byte sequence S. */
443 cp
= s_bytes
= alloca (salt_len
);
444 for (cnt
= salt_len
; cnt
>= 32; cnt
-= 32)
445 cp
= mempcpy (cp
, temp_result
, 32);
446 memcpy (cp
, temp_result
, cnt
);
448 /* Repeatedly run the collected hash value through SHA256 to burn
450 for (cnt
= 0; cnt
< rounds
; ++cnt
)
453 sha256_init_ctx (&ctx
);
455 /* Add key or last result. */
457 sha256_process_bytes (p_bytes
, key_len
, &ctx
);
459 sha256_process_bytes (alt_result
, 32, &ctx
);
461 /* Add salt for numbers not divisible by 3. */
463 sha256_process_bytes (s_bytes
, salt_len
, &ctx
);
465 /* Add key for numbers not divisible by 7. */
467 sha256_process_bytes (p_bytes
, key_len
, &ctx
);
469 /* Add key or last result. */
471 sha256_process_bytes (alt_result
, 32, &ctx
);
473 sha256_process_bytes (p_bytes
, key_len
, &ctx
);
475 /* Create intermediate result. */
476 sha256_finish_ctx (&ctx
, alt_result
);
479 /* Now we can construct the result string. It consists of three
481 cp
= stpncpy (buffer
, sha256_salt_prefix
, MAX (0, buflen
));
482 buflen
-= sizeof (sha256_salt_prefix
) - 1;
486 int n
= snprintf (cp
, MAX (0, buflen
), "%s%zu$",
487 sha256_rounds_prefix
, rounds
);
492 cp
= stpncpy (cp
, salt
, MIN ((size_t) MAX (0, buflen
), salt_len
));
493 buflen
-= MIN ((size_t) MAX (0, buflen
), salt_len
);
501 #define b64_from_24bit(B2, B1, B0, N) \
503 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
505 while (n-- > 0 && buflen > 0) \
507 *cp++ = b64t[w & 0x3f]; \
513 b64_from_24bit (alt_result
[0], alt_result
[10], alt_result
[20], 4);
514 b64_from_24bit (alt_result
[21], alt_result
[1], alt_result
[11], 4);
515 b64_from_24bit (alt_result
[12], alt_result
[22], alt_result
[2], 4);
516 b64_from_24bit (alt_result
[3], alt_result
[13], alt_result
[23], 4);
517 b64_from_24bit (alt_result
[24], alt_result
[4], alt_result
[14], 4);
518 b64_from_24bit (alt_result
[15], alt_result
[25], alt_result
[5], 4);
519 b64_from_24bit (alt_result
[6], alt_result
[16], alt_result
[26], 4);
520 b64_from_24bit (alt_result
[27], alt_result
[7], alt_result
[17], 4);
521 b64_from_24bit (alt_result
[18], alt_result
[28], alt_result
[8], 4);
522 b64_from_24bit (alt_result
[9], alt_result
[19], alt_result
[29], 4);
523 b64_from_24bit (0, alt_result
[31], alt_result
[30], 3);
530 *cp
= '\0'; /* Terminate the string. */
532 /* Clear the buffer for the intermediate result so that people
533 attaching to processes or reading core dumps cannot get any
534 information. We do it in this way to clear correct_words[]
535 inside the SHA256 implementation as well. */
536 sha256_init_ctx (&ctx
);
537 sha256_finish_ctx (&ctx
, alt_result
);
538 memset (temp_result
, '\0', sizeof (temp_result
));
539 memset (p_bytes
, '\0', key_len
);
540 memset (s_bytes
, '\0', salt_len
);
541 memset (&ctx
, '\0', sizeof (ctx
));
542 memset (&alt_ctx
, '\0', sizeof (alt_ctx
));
543 if (copied_key
!= NULL
)
544 memset (copied_key
, '\0', key_len
);
545 if (copied_salt
!= NULL
)
546 memset (copied_salt
, '\0', salt_len
);
552 /* This entry point is equivalent to the `crypt' function in Unix
555 crypt_sha256 (const char *key
, const char *salt
)
557 /* We don't want to have an arbitrary limit in the size of the
558 password. We can compute an upper bound for the size of the
559 result in advance and so we can prepare the buffer we pass to
563 int needed
= (sizeof (sha256_salt_prefix
) - 1
564 + sizeof (sha256_rounds_prefix
) + 9 + 1
565 + strlen (salt
) + 1 + 43 + 1);
569 char *new_buffer
= (char *) realloc (buffer
, needed
);
570 if (new_buffer
== NULL
)
577 return crypt_sha256_r (key
, salt
, buffer
, buflen
);
585 const char result
[32];
588 /* Test vectors from FIPS 180-2: appendix B.1. */
590 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
591 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
592 /* Test vectors from FIPS 180-2: appendix B.2. */
593 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
594 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
595 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
596 /* Test vectors from the NESSIE project. */
598 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
599 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
601 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
602 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
604 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
605 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
606 { "abcdefghijklmnopqrstuvwxyz",
607 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
608 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
609 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
610 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
611 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
612 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
613 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
614 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
615 { "123456789012345678901234567890123456789012345678901234567890"
616 "12345678901234567890",
617 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
618 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
620 #define ntests (sizeof (tests) / sizeof (tests[0]))
627 const char *expected
;
630 { "$5$saltstring", "Hello world!",
631 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
632 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
633 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
635 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
636 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
638 { "$5$rounds=1400$anotherlongsaltstring",
639 "a very much longer text to encrypt. This one even stretches over more"
641 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
643 { "$5$rounds=77777$short",
644 "we have a short salt string but not a short password",
645 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
646 { "$5$rounds=123456$asaltof16chars..", "a short string",
647 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
649 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
650 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
653 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
659 struct sha256_ctx ctx
;
664 for (cnt
= 0; cnt
< (int) ntests
; ++cnt
)
666 sha256_init_ctx (&ctx
);
667 sha256_process_bytes (tests
[cnt
].input
, strlen (tests
[cnt
].input
), &ctx
);
668 sha256_finish_ctx (&ctx
, sum
);
669 if (memcmp (tests
[cnt
].result
, sum
, 32) != 0)
671 printf ("test %d run %d failed\n", cnt
, 1);
675 sha256_init_ctx (&ctx
);
676 for (int i
= 0; tests
[cnt
].input
[i
] != '\0'; ++i
)
677 sha256_process_bytes (&tests
[cnt
].input
[i
], 1, &ctx
);
678 sha256_finish_ctx (&ctx
, sum
);
679 if (memcmp (tests
[cnt
].result
, sum
, 32) != 0)
681 printf ("test %d run %d failed\n", cnt
, 2);
686 /* Test vector from FIPS 180-2: appendix B.3. */
688 memset (buf
, 'a', sizeof (buf
));
689 sha256_init_ctx (&ctx
);
690 for (int i
= 0; i
< 1000; ++i
)
691 sha256_process_bytes (buf
, sizeof (buf
), &ctx
);
692 sha256_finish_ctx (&ctx
, sum
);
693 static const char expected
[32] =
694 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
695 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
696 if (memcmp (expected
, sum
, 32) != 0)
698 printf ("test %d failed\n", cnt
);
702 for (cnt
= 0; cnt
< ntests2
; ++cnt
)
704 char *cp
= crypt_sha256 (tests2
[cnt
].input
, tests2
[cnt
].salt
);
706 if (strcmp (cp
, tests2
[cnt
].expected
) != 0)
708 printf ("test %d: expected \"%s\", got \"%s\"\n",
709 cnt
, tests2
[cnt
].expected
, cp
);
715 puts ("all tests OK");