search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kqueue: Knote should not be accessed once the KN_PROCESSING is cleared
[dragonfly.git] / lib / libcrypt / crypt-sha256.c
blob9af9980b4d0aa71c877a547c3ea142b622d9c49a
1 /*
2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
4 */
5 #include <errno.h>
6 #include <limits.h>
7 #include <stdint.h>
8 #include <stdbool.h>
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
15
16
17 /* Structure to save state of computation between the single steps. */
18 struct sha256_ctx
19 {
20 uint32_t H[8];
21
22 uint32_t total[2];
23 uint32_t buflen;
24 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
25 };
26
27
28 #if __BYTE_ORDER == __LITTLE_ENDIAN
29 # define SWAP(n) \
30 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
31 #else
32 # define SWAP(n) (n)
33 #endif
34
35
36 /* This array contains the bytes used to pad the buffer to the next
37 64-byte boundary. (FIPS 180-2:5.1.1) */
38 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
39
40
41 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
42 static const uint32_t K[64] =
43 {
44 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
45 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
46 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
47 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
48 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
49 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
50 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
51 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
52 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
53 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
54 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
55 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
56 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
57 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
58 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
59 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
60 };
61
62
63 /* Process LEN bytes of BUFFER, accumulating context into CTX.
64 It is assumed that LEN % 64 == 0. */
65 static void
66 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
67 {
68 const uint32_t *words = buffer;
69 size_t nwords = len / sizeof (uint32_t);
70 uint32_t a = ctx->H[0];
71 uint32_t b = ctx->H[1];
72 uint32_t c = ctx->H[2];
73 uint32_t d = ctx->H[3];
74 uint32_t e = ctx->H[4];
75 uint32_t f = ctx->H[5];
76 uint32_t g = ctx->H[6];
77 uint32_t h = ctx->H[7];
78
79 /* First increment the byte count. FIPS 180-2 specifies the possible
80 length of the file up to 2^64 bits. Here we only compute the
81 number of bytes. Do a double word increment. */
82 ctx->total[0] += len;
83 if (ctx->total[0] < len)
84 ++ctx->total[1];
85
86 /* Process all bytes in the buffer with 64 bytes in each round of
87 the loop. */
88 while (nwords > 0)
89 {
90 uint32_t W[64];
91 uint32_t a_save = a;
92 uint32_t b_save = b;
93 uint32_t c_save = c;
94 uint32_t d_save = d;
95 uint32_t e_save = e;
96 uint32_t f_save = f;
97 uint32_t g_save = g;
98 uint32_t h_save = h;
99
100 /* Operators defined in FIPS 180-2:4.1.2. */
101 #define Ch(x, y, z) ((x & y) ^ (~x & z))
102 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
103 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
104 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
105 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
106 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
107
108 /* It is unfortunate that C does not provide an operator for
109 cyclic rotation. Hope the C compiler is smart enough. */
110 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
111
112 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
113 for (unsigned int t = 0; t < 16; ++t)
114 {
115 W[t] = SWAP (*words);
116 ++words;
117 }
118 for (unsigned int t = 16; t < 64; ++t)
119 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
120
121 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
122 for (unsigned int t = 0; t < 64; ++t)
123 {
124 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
125 uint32_t T2 = S0 (a) + Maj (a, b, c);
126 h = g;
127 g = f;
128 f = e;
129 e = d + T1;
130 d = c;
131 c = b;
132 b = a;
133 a = T1 + T2;
134 }
135
136 /* Add the starting values of the context according to FIPS 180-2:6.2.2
137 step 4. */
138 a += a_save;
139 b += b_save;
140 c += c_save;
141 d += d_save;
142 e += e_save;
143 f += f_save;
144 g += g_save;
145 h += h_save;
146
147 /* Prepare for the next round. */
148 nwords -= 16;
149 }
150
151 /* Put checksum in context given as argument. */
152 ctx->H[0] = a;
153 ctx->H[1] = b;
154 ctx->H[2] = c;
155 ctx->H[3] = d;
156 ctx->H[4] = e;
157 ctx->H[5] = f;
158 ctx->H[6] = g;
159 ctx->H[7] = h;
160 }
161
162
163 /* Initialize structure containing state of computation.
164 (FIPS 180-2:5.3.2) */
165 static void
166 sha256_init_ctx (struct sha256_ctx *ctx)
167 {
168 ctx->H[0] = 0x6a09e667;
169 ctx->H[1] = 0xbb67ae85;
170 ctx->H[2] = 0x3c6ef372;
171 ctx->H[3] = 0xa54ff53a;
172 ctx->H[4] = 0x510e527f;
173 ctx->H[5] = 0x9b05688c;
174 ctx->H[6] = 0x1f83d9ab;
175 ctx->H[7] = 0x5be0cd19;
176
177 ctx->total[0] = ctx->total[1] = 0;
178 ctx->buflen = 0;
179 }
180
181
182 /* Process the remaining bytes in the internal buffer and the usual
183 prolog according to the standard and write the result to RESBUF.
184
185 IMPORTANT: On some systems it is required that RESBUF is correctly
186 aligned for a 32 bits value. */
187 static void *
188 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
189 {
190 /* Take yet unprocessed bytes into account. */
191 uint32_t bytes = ctx->buflen;
192 size_t pad;
193
194 /* Now count remaining bytes. */
195 ctx->total[0] += bytes;
196 if (ctx->total[0] < bytes)
197 ++ctx->total[1];
198
199 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
200 memcpy (&ctx->buffer[bytes], fillbuf, pad);
201
202 /* Put the 64-bit file length in *bits* at the end of the buffer. */
203 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
204 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
205 (ctx->total[0] >> 29));
206
207 /* Process last bytes. */
208 sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
209
210 /* Put result from CTX in first 32 bytes following RESBUF. */
211 for (unsigned int i = 0; i < 8; ++i)
212 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
213
214 return resbuf;
215 }
216
217
218 static void
219 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
220 {
221 /* When we already have some bits in our internal buffer concatenate
222 both inputs first. */
223 if (ctx->buflen != 0)
224 {
225 size_t left_over = ctx->buflen;
226 size_t add = 128 - left_over > len ? len : 128 - left_over;
227
228 memcpy (&ctx->buffer[left_over], buffer, add);
229 ctx->buflen += add;
230
231 if (ctx->buflen > 64)
232 {
233 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
234
235 ctx->buflen &= 63;
236 /* The regions in the following copy operation cannot overlap. */
237 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
238 ctx->buflen);
239 }
240
241 buffer = (const char *) buffer + add;
242 len -= add;
243 }
244
245 /* Process available complete blocks. */
246 if (len >= 64)
247 {
248 /* To check alignment gcc has an appropriate operator. Other
249 compilers don't. */
250 #if __GNUC__ >= 2
251 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
252 #else
253 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
254 #endif
255 if (UNALIGNED_P (buffer))
256 while (len > 64)
257 {
258 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
259 buffer = (const char *) buffer + 64;
260 len -= 64;
261 }
262 else
263 {
264 sha256_process_block (buffer, len & ~63, ctx);
265 buffer = (const char *) buffer + (len & ~63);
266 len &= 63;
267 }
268 }
269
270 /* Move remaining bytes into internal buffer. */
271 if (len > 0)
272 {
273 size_t left_over = ctx->buflen;
274
275 memcpy (&ctx->buffer[left_over], buffer, len);
276 left_over += len;
277 if (left_over >= 64)
278 {
279 sha256_process_block (ctx->buffer, 64, ctx);
280 left_over -= 64;
281 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
282 }
283 ctx->buflen = left_over;
284 }
285 }
286
287
288 /* Define our magic string to mark salt for SHA256 "encryption"
289 replacement. */
290 static const char sha256_salt_prefix[] = "$5$";
291
292 /* Prefix for optional rounds specification. */
293 static const char sha256_rounds_prefix[] = "rounds=";
294
295 /* Maximum salt string length. */
296 #define SALT_LEN_MAX 16
297 /* Default number of rounds if not explicitly specified. */
298 #define ROUNDS_DEFAULT 5000
299 /* Minimum number of rounds. */
300 #define ROUNDS_MIN 1000
301 /* Maximum number of rounds. */
302 #define ROUNDS_MAX 999999999
303
304 /* Table with characters for base64 transformation. */
305 static const char b64t[64] =
306 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
307
308
309 static char *
310 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen)
311 {
312 unsigned char alt_result[32]
313 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
314 unsigned char temp_result[32]
315 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
316 struct sha256_ctx ctx;
317 struct sha256_ctx alt_ctx;
318 size_t salt_len;
319 size_t key_len;
320 size_t cnt;
321 char *cp;
322 char *copied_key = NULL;
323 char *copied_salt = NULL;
324 char *p_bytes;
325 char *s_bytes;
326 /* Default number of rounds. */
327 size_t rounds = ROUNDS_DEFAULT;
328 bool rounds_custom = false;
329
330 /* Find beginning of salt string. The prefix should normally always
331 be present. Just in case it is not. */
332 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
333 /* Skip salt prefix. */
334 salt += sizeof (sha256_salt_prefix) - 1;
335
336 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
337 == 0)
338 {
339 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
340 char *endp;
341 unsigned long int srounds = strtoul (num, &endp, 10);
342 if (*endp == '$')
343 {
344 salt = endp + 1;
345 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
346 rounds_custom = true;
347 }
348 }
349
350 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
351 key_len = strlen (key);
352
353 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
354 {
355 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
356 key = copied_key =
357 memcpy (tmp + __alignof__ (uint32_t)
358 - (tmp - (char *) 0) % __alignof__ (uint32_t),
359 key, key_len);
360 }
361
362 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
363 {
364 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
365 salt = copied_salt =
366 memcpy (tmp + __alignof__ (uint32_t)
367 - (tmp - (char *) 0) % __alignof__ (uint32_t),
368 salt, salt_len);
369 }
370
371 /* Prepare for the real work. */
372 sha256_init_ctx (&ctx);
373
374 /* Add the key string. */
375 sha256_process_bytes (key, key_len, &ctx);
376
377 /* The last part is the salt string. This must be at most 16
378 characters and it ends at the first `$' character (for
379 compatibility with existing implementations). */
380 sha256_process_bytes (salt, salt_len, &ctx);
381
382
383 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
384 final result will be added to the first context. */
385 sha256_init_ctx (&alt_ctx);
386
387 /* Add key. */
388 sha256_process_bytes (key, key_len, &alt_ctx);
389
390 /* Add salt. */
391 sha256_process_bytes (salt, salt_len, &alt_ctx);
392
393 /* Add key again. */
394 sha256_process_bytes (key, key_len, &alt_ctx);
395
396 /* Now get result of this (32 bytes) and add it to the other
397 context. */
398 sha256_finish_ctx (&alt_ctx, alt_result);
399
400 /* Add for any character in the key one byte of the alternate sum. */
401 for (cnt = key_len; cnt > 32; cnt -= 32)
402 sha256_process_bytes (alt_result, 32, &ctx);
403 sha256_process_bytes (alt_result, cnt, &ctx);
404
405 /* Take the binary representation of the length of the key and for every
406 1 add the alternate sum, for every 0 the key. */
407 for (cnt = key_len; cnt > 0; cnt >>= 1)
408 if ((cnt & 1) != 0)
409 sha256_process_bytes (alt_result, 32, &ctx);
410 else
411 sha256_process_bytes (key, key_len, &ctx);
412
413 /* Create intermediate result. */
414 sha256_finish_ctx (&ctx, alt_result);
415
416 /* Start computation of P byte sequence. */
417 sha256_init_ctx (&alt_ctx);
418
419 /* For every character in the password add the entire password. */
420 for (cnt = 0; cnt < key_len; ++cnt)
421 sha256_process_bytes (key, key_len, &alt_ctx);
422
423 /* Finish the digest. */
424 sha256_finish_ctx (&alt_ctx, temp_result);
425
426 /* Create byte sequence P. */
427 cp = p_bytes = alloca (key_len);
428 for (cnt = key_len; cnt >= 32; cnt -= 32)
429 cp = mempcpy (cp, temp_result, 32);
430 memcpy (cp, temp_result, cnt);
431
432 /* Start computation of S byte sequence. */
433 sha256_init_ctx (&alt_ctx);
434
435 /* For every character in the password add the entire password. */
436 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
437 sha256_process_bytes (salt, salt_len, &alt_ctx);
438
439 /* Finish the digest. */
440 sha256_finish_ctx (&alt_ctx, temp_result);
441
442 /* Create byte sequence S. */
443 cp = s_bytes = alloca (salt_len);
444 for (cnt = salt_len; cnt >= 32; cnt -= 32)
445 cp = mempcpy (cp, temp_result, 32);
446 memcpy (cp, temp_result, cnt);
447
448 /* Repeatedly run the collected hash value through SHA256 to burn
449 CPU cycles. */
450 for (cnt = 0; cnt < rounds; ++cnt)
451 {
452 /* New context. */
453 sha256_init_ctx (&ctx);
454
455 /* Add key or last result. */
456 if ((cnt & 1) != 0)
457 sha256_process_bytes (p_bytes, key_len, &ctx);
458 else
459 sha256_process_bytes (alt_result, 32, &ctx);
460
461 /* Add salt for numbers not divisible by 3. */
462 if (cnt % 3 != 0)
463 sha256_process_bytes (s_bytes, salt_len, &ctx);
464
465 /* Add key for numbers not divisible by 7. */
466 if (cnt % 7 != 0)
467 sha256_process_bytes (p_bytes, key_len, &ctx);
468
469 /* Add key or last result. */
470 if ((cnt & 1) != 0)
471 sha256_process_bytes (alt_result, 32, &ctx);
472 else
473 sha256_process_bytes (p_bytes, key_len, &ctx);
474
475 /* Create intermediate result. */
476 sha256_finish_ctx (&ctx, alt_result);
477 }
478
479 /* Now we can construct the result string. It consists of three
480 parts. */
481 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
482 buflen -= sizeof (sha256_salt_prefix) - 1;
483
484 if (rounds_custom)
485 {
486 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
487 sha256_rounds_prefix, rounds);
488 cp += n;
489 buflen -= n;
490 }
491
492 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
493 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
494
495 if (buflen > 0)
496 {
497 *cp++ = '$';
498 --buflen;
499 }
500
501 #define b64_from_24bit(B2, B1, B0, N) \
502 do { \
503 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
504 int n = (N); \
505 while (n-- > 0 && buflen > 0) \
506 { \
507 *cp++ = b64t[w & 0x3f]; \
508 --buflen; \
509 w >>= 6; \
510 } \
511 } while (0)
512
513 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
514 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
515 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
516 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
517 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
518 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
519 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
520 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
521 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
522 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
523 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
524 if (buflen <= 0)
525 {
526 errno = ERANGE;
527 buffer = NULL;
528 }
529 else
530 *cp = '\0'; /* Terminate the string. */
531
532 /* Clear the buffer for the intermediate result so that people
533 attaching to processes or reading core dumps cannot get any
534 information. We do it in this way to clear correct_words[]
535 inside the SHA256 implementation as well. */
536 sha256_init_ctx (&ctx);
537 sha256_finish_ctx (&ctx, alt_result);
538 memset (temp_result, '\0', sizeof (temp_result));
539 memset (p_bytes, '\0', key_len);
540 memset (s_bytes, '\0', salt_len);
541 memset (&ctx, '\0', sizeof (ctx));
542 memset (&alt_ctx, '\0', sizeof (alt_ctx));
543 if (copied_key != NULL)
544 memset (copied_key, '\0', key_len);
545 if (copied_salt != NULL)
546 memset (copied_salt, '\0', salt_len);
547
548 return buffer;
549 }
550
551
552 /* This entry point is equivalent to the `crypt' function in Unix
553 libcs. */
554 char *
555 crypt_sha256 (const char *key, const char *salt)
556 {
557 /* We don't want to have an arbitrary limit in the size of the
558 password. We can compute an upper bound for the size of the
559 result in advance and so we can prepare the buffer we pass to
560 `crypt_sha256_r'. */
561 static char *buffer;
562 static int buflen;
563 int needed = (sizeof (sha256_salt_prefix) - 1
564 + sizeof (sha256_rounds_prefix) + 9 + 1
565 + strlen (salt) + 1 + 43 + 1);
566
567 if (buflen < needed)
568 {
569 char *new_buffer = (char *) realloc (buffer, needed);
570 if (new_buffer == NULL)
571 return NULL;
572
573 buffer = new_buffer;
574 buflen = needed;
575 }
576
577 return crypt_sha256_r (key, salt, buffer, buflen);
578 }
579
580
581 #ifdef TEST
582 static const struct
583 {
584 const char *input;
585 const char result[32];
586 } tests[] =
587 {
588 /* Test vectors from FIPS 180-2: appendix B.1. */
589 { "abc",
590 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
591 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
592 /* Test vectors from FIPS 180-2: appendix B.2. */
593 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
594 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
595 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
596 /* Test vectors from the NESSIE project. */
597 { "",
598 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
599 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
600 { "a",
601 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
602 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
603 { "message digest",
604 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
605 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
606 { "abcdefghijklmnopqrstuvwxyz",
607 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
608 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
609 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
610 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
611 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
612 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
613 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
614 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
615 { "123456789012345678901234567890123456789012345678901234567890"
616 "12345678901234567890",
617 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
618 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
619 };
620 #define ntests (sizeof (tests) / sizeof (tests[0]))
621
622
623 static const struct
624 {
625 const char *salt;
626 const char *input;
627 const char *expected;
628 } tests2[] =
629 {
630 { "$5$saltstring", "Hello world!",
631 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
632 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
633 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
634 "opqey6IcA" },
635 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
636 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
637 "mGRcvxa5" },
638 { "$5$rounds=1400$anotherlongsaltstring",
639 "a very much longer text to encrypt. This one even stretches over more"
640 "than one line.",
641 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
642 "oP84Bnq1" },
643 { "$5$rounds=77777$short",
644 "we have a short salt string but not a short password",
645 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
646 { "$5$rounds=123456$asaltof16chars..", "a short string",
647 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
648 "cZKmF/wJvD" },
649 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
650 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
651 "2bIC" },
652 };
653 #define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
654
655
656 int
657 main (void)
658 {
659 struct sha256_ctx ctx;
660 char sum[32];
661 int result = 0;
662 int cnt;
663
664 for (cnt = 0; cnt < (int) ntests; ++cnt)
665 {
666 sha256_init_ctx (&ctx);
667 sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
668 sha256_finish_ctx (&ctx, sum);
669 if (memcmp (tests[cnt].result, sum, 32) != 0)
670 {
671 printf ("test %d run %d failed\n", cnt, 1);
672 result = 1;
673 }
674
675 sha256_init_ctx (&ctx);
676 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
677 sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
678 sha256_finish_ctx (&ctx, sum);
679 if (memcmp (tests[cnt].result, sum, 32) != 0)
680 {
681 printf ("test %d run %d failed\n", cnt, 2);
682 result = 1;
683 }
684 }
685
686 /* Test vector from FIPS 180-2: appendix B.3. */
687 char buf[1000];
688 memset (buf, 'a', sizeof (buf));
689 sha256_init_ctx (&ctx);
690 for (int i = 0; i < 1000; ++i)
691 sha256_process_bytes (buf, sizeof (buf), &ctx);
692 sha256_finish_ctx (&ctx, sum);
693 static const char expected[32] =
694 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
695 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
696 if (memcmp (expected, sum, 32) != 0)
697 {
698 printf ("test %d failed\n", cnt);
699 result = 1;
700 }
701
702 for (cnt = 0; cnt < ntests2; ++cnt)
703 {
704 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt);
705
706 if (strcmp (cp, tests2[cnt].expected) != 0)
707 {
708 printf ("test %d: expected \"%s\", got \"%s\"\n",
709 cnt, tests2[cnt].expected, cp);
710 result = 1;
711 }
712 }
713
714 if (result == 0)
715 puts ("all tests OK");
716
717 return result;
718 }
719 #endif
720
DragonFly BSD