Context Navigation

source: bootcd/isolinux/syslinux-6.03/com32/libutil/sha256crypt.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 21.3 KB

Rev	Line
[e16e8f2]	1	/* SHA256-based Unix crypt implementation.
	2	Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
	3
	4	#include <alloca.h>
	5	#include <endian.h>
	6	#include <errno.h>
	7	#include <limits.h>
	8	#include <stdint.h>
	9	#include <stdbool.h>
	10	#include <stdio.h>
	11	#include <stdlib.h>
	12	#include <string.h>
	13	#include <minmax.h>
	14	#include <sys/types.h>
	15
	16	#include "xcrypt.h"
	17
	18	#define MIN(x,y) min(x,y)
	19	#define MAX(x,y) max(x,y)
	20
	21	/* Structure to save state of computation between the single steps. */
	22	struct sha256_ctx {
	23	uint32_t H[8];
	24
	25	uint32_t total[2];
	26	uint32_t buflen;
	27	char buffer[128]; /* NB: always correctly aligned for uint32_t. */
	28	};
	29
	30	#if __BYTE_ORDER == __LITTLE_ENDIAN
	31	# define SWAP(n) \
	32	(((n) << 24) \| (((n) & 0xff00) << 8) \| (((n) >> 8) & 0xff00) \| ((n) >> 24))
	33	#else
	34	# define SWAP(n) (n)
	35	#endif
	36
	37	/* This array contains the bytes used to pad the buffer to the next
	38	64-byte boundary. (FIPS 180-2:5.1.1) */
	39	static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
	40
	41	/* Constants for SHA256 from FIPS 180-2:4.2.2. */
	42	static const uint32_t K[64] = {
	43	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
	44	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	45	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
	46	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	47	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
	48	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	49	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
	50	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	51	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
	52	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	53	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
	54	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	55	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
	56	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	57	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
	58	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
	59	};
	60
	61	/* Process LEN bytes of BUFFER, accumulating context into CTX.
	62	It is assumed that LEN % 64 == 0. */
	63	static void
	64	sha256_process_block(const void buffer, size_t len, struct sha256_ctx ctx)
	65	{
	66	unsigned int t;
	67	const uint32_t *words = buffer;
	68	size_t nwords = len / sizeof(uint32_t);
	69	uint32_t a = ctx->H[0];
	70	uint32_t b = ctx->H[1];
	71	uint32_t c = ctx->H[2];
	72	uint32_t d = ctx->H[3];
	73	uint32_t e = ctx->H[4];
	74	uint32_t f = ctx->H[5];
	75	uint32_t g = ctx->H[6];
	76	uint32_t h = ctx->H[7];
	77
	78	/* First increment the byte count. FIPS 180-2 specifies the possible
	79	length of the file up to 2^64 bits. Here we only compute the
	80	number of bytes. Do a double word increment. */
	81	ctx->total[0] += len;
	82	if (ctx->total[0] < len)
	83	++ctx->total[1];
	84
	85	/* Process all bytes in the buffer with 64 bytes in each round of
	86	the loop. */
	87	while (nwords > 0) {
	88	uint32_t W[64];
	89	uint32_t a_save = a;
	90	uint32_t b_save = b;
	91	uint32_t c_save = c;
	92	uint32_t d_save = d;
	93	uint32_t e_save = e;
	94	uint32_t f_save = f;
	95	uint32_t g_save = g;
	96	uint32_t h_save = h;
	97
	98	/* Operators defined in FIPS 180-2:4.1.2. */
	99	#define Ch(x, y, z) ((x & y) ^ (~x & z))
	100	#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
	101	#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
	102	#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
	103	#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
	104	#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
	105
	106	/* It is unfortunate that C does not provide an operator for
	107	cyclic rotation. Hope the C compiler is smart enough. */
	108	#define CYCLIC(w, s) ((w >> s) \| (w << (32 - s)))
	109
	110	/* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
	111	for (t = 0; t < 16; ++t) {
	112	W[t] = SWAP(*words);
	113	++words;
	114	}
	115	for (t = 16; t < 64; ++t)
	116	W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
	117
	118	/* The actual computation according to FIPS 180-2:6.2.2 step 3. */
	119	for (t = 0; t < 64; ++t) {
	120	uint32_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
	121	uint32_t T2 = S0(a) + Maj(a, b, c);
	122	h = g;
	123	g = f;
	124	f = e;
	125	e = d + T1;
	126	d = c;
	127	c = b;
	128	b = a;
	129	a = T1 + T2;
	130	}
	131
	132	/* Add the starting values of the context according to FIPS 180-2:6.2.2
	133	step 4. */
	134	a += a_save;
	135	b += b_save;
	136	c += c_save;
	137	d += d_save;
	138	e += e_save;
	139	f += f_save;
	140	g += g_save;
	141	h += h_save;
	142
	143	/* Prepare for the next round. */
	144	nwords -= 16;
	145	}
	146
	147	/* Put checksum in context given as argument. */
	148	ctx->H[0] = a;
	149	ctx->H[1] = b;
	150	ctx->H[2] = c;
	151	ctx->H[3] = d;
	152	ctx->H[4] = e;
	153	ctx->H[5] = f;
	154	ctx->H[6] = g;
	155	ctx->H[7] = h;
	156	}
	157
	158	/* Initialize structure containing state of computation.
	159	(FIPS 180-2:5.3.2) */
	160	static void sha256_init_ctx(struct sha256_ctx *ctx)
	161	{
	162	ctx->H[0] = 0x6a09e667;
	163	ctx->H[1] = 0xbb67ae85;
	164	ctx->H[2] = 0x3c6ef372;
	165	ctx->H[3] = 0xa54ff53a;
	166	ctx->H[4] = 0x510e527f;
	167	ctx->H[5] = 0x9b05688c;
	168	ctx->H[6] = 0x1f83d9ab;
	169	ctx->H[7] = 0x5be0cd19;
	170
	171	ctx->total[0] = ctx->total[1] = 0;
	172	ctx->buflen = 0;
	173	}
	174
	175	/* Process the remaining bytes in the internal buffer and the usual
	176	prolog according to the standard and write the result to RESBUF.
	177
	178	IMPORTANT: On some systems it is required that RESBUF is correctly
	179	aligned for a 32 bits value. */
	180	static void sha256_finish_ctx(struct sha256_ctx ctx, void *resbuf)
	181	{
	182	unsigned int i;
	183	/* Take yet unprocessed bytes into account. */
	184	uint32_t bytes = ctx->buflen;
	185	size_t pad;
	186
	187	/* Now count remaining bytes. */
	188	ctx->total[0] += bytes;
	189	if (ctx->total[0] < bytes)
	190	++ctx->total[1];
	191
	192	pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
	193	memcpy(&ctx->buffer[bytes], fillbuf, pad);
	194
	195	/* Put the 64-bit file length in bits at the end of the buffer. */
	196	(uint32_t ) & ctx->buffer[bytes + pad + 4] = SWAP(ctx->total[0] << 3);
	197	(uint32_t ) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) \|
	198	(ctx->total[0] >> 29));
	199
	200	/* Process last bytes. */
	201	sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
	202
	203	/* Put result from CTX in first 32 bytes following RESBUF. */
	204	for (i = 0; i < 8; ++i)
	205	((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
	206
	207	return resbuf;
	208	}
	209
	210	static void
	211	sha256_process_bytes(const void buffer, size_t len, struct sha256_ctx ctx)
	212	{
	213	/* When we already have some bits in our internal buffer concatenate
	214	both inputs first. */
	215	if (ctx->buflen != 0) {
	216	size_t left_over = ctx->buflen;
	217	size_t add = 128 - left_over > len ? len : 128 - left_over;
	218
	219	memcpy(&ctx->buffer[left_over], buffer, add);
	220	ctx->buflen += add;
	221
	222	if (ctx->buflen > 64) {
	223	sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
	224
	225	ctx->buflen &= 63;
	226	/* The regions in the following copy operation cannot overlap. */
	227	memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
	228	ctx->buflen);
	229	}
	230
	231	buffer = (const char *)buffer + add;
	232	len -= add;
	233	}
	234
	235	/* Process available complete blocks. */
	236	if (len >= 64) {
	237	/* To check alignment gcc has an appropriate operator. Other
	238	compilers don't. */
	239	#if __GNUC__ >= 2
	240	# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
	241	#else
	242	# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
	243	#endif
	244	if (UNALIGNED_P(buffer))
	245	while (len > 64) {
	246	sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
	247	buffer = (const char *)buffer + 64;
	248	len -= 64;
	249	} else {
	250	sha256_process_block(buffer, len & ~63, ctx);
	251	buffer = (const char *)buffer + (len & ~63);
	252	len &= 63;
	253	}
	254	}
	255
	256	/* Move remaining bytes into internal buffer. */
	257	if (len > 0) {
	258	size_t left_over = ctx->buflen;
	259
	260	memcpy(&ctx->buffer[left_over], buffer, len);
	261	left_over += len;
	262	if (left_over >= 64) {
	263	sha256_process_block(ctx->buffer, 64, ctx);
	264	left_over -= 64;
	265	memcpy(ctx->buffer, &ctx->buffer[64], left_over);
	266	}
	267	ctx->buflen = left_over;
	268	}
	269	}
	270
	271	/* Define our magic string to mark salt for SHA256 "encryption"
	272	replacement. */
	273	static const char sha256_salt_prefix[] = "$5$";
	274
	275	/* Prefix for optional rounds specification. */
	276	static const char sha256_rounds_prefix[] = "rounds=";
	277
	278	/* Maximum salt string length. */
	279	#define SALT_LEN_MAX 16U
	280	/* Default number of rounds if not explicitly specified. */
	281	#define ROUNDS_DEFAULT 5000UL
	282	/* Minimum number of rounds. */
	283	#define ROUNDS_MIN 1000UL
	284	/* Maximum number of rounds. */
	285	#define ROUNDS_MAX 999999999UL
	286
	287	/* Table with characters for base64 transformation. */
	288	static const char b64t[64] =
	289	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
	290
	291	static char sha256_crypt_r(const char key, const char salt, char buffer,
	292	int buflen)
	293	{
	294	unsigned char alt_result[32]
	295	__attribute__ ((__aligned__(__alignof__(uint32_t))));
	296	unsigned char temp_result[32]
	297	__attribute__ ((__aligned__(__alignof__(uint32_t))));
	298	struct sha256_ctx ctx;
	299	struct sha256_ctx alt_ctx;
	300	size_t salt_len;
	301	size_t key_len;
	302	size_t cnt;
	303	char *cp;
	304	char *copied_key = NULL;
	305	char *copied_salt = NULL;
	306	char *p_bytes;
	307	char *s_bytes;
	308	/* Default number of rounds. */
	309	size_t rounds = ROUNDS_DEFAULT;
	310	bool rounds_custom = false;
	311
	312	/* Find beginning of salt string. The prefix should normally always
	313	be present. Just in case it is not. */
	314	if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
	315	/* Skip salt prefix. */
	316	salt += sizeof(sha256_salt_prefix) - 1;
	317
	318	if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
	319	== 0) {
	320	const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
	321	char *endp;
	322	unsigned long int srounds = strtoul(num, &endp, 10);
	323	if (*endp == '$') {
	324	salt = endp + 1;
	325	rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
	326	rounds_custom = true;
	327	}
	328	}
	329
	330	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
	331	key_len = strlen(key);
	332
	333	if ((key - (char *)0) % __alignof__(uint32_t) != 0) {
	334	char tmp = (char )alloca(key_len + __alignof__(uint32_t));
	335	key = copied_key = memcpy(tmp + __alignof__(uint32_t)
	336	- (tmp - (char *)0) % __alignof__(uint32_t),
	337	key, key_len);
	338	}
	339
	340	if ((salt - (char *)0) % __alignof__(uint32_t) != 0) {
	341	char tmp = (char )alloca(salt_len + __alignof__(uint32_t));
	342	salt = copied_salt = memcpy(tmp + __alignof__(uint32_t)
	343	- (tmp - (char *)0) % __alignof__(uint32_t),
	344	salt, salt_len);
	345	}
	346
	347	/* Prepare for the real work. */
	348	sha256_init_ctx(&ctx);
	349
	350	/* Add the key string. */
	351	sha256_process_bytes(key, key_len, &ctx);
	352
	353	/* The last part is the salt string. This must be at most 8
	354	characters and it ends at the first `$' character (for
	355	compatibility with existing implementations). */
	356	sha256_process_bytes(salt, salt_len, &ctx);
	357
	358	/* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
	359	final result will be added to the first context. */
	360	sha256_init_ctx(&alt_ctx);
	361
	362	/* Add key. */
	363	sha256_process_bytes(key, key_len, &alt_ctx);
	364
	365	/* Add salt. */
	366	sha256_process_bytes(salt, salt_len, &alt_ctx);
	367
	368	/* Add key again. */
	369	sha256_process_bytes(key, key_len, &alt_ctx);
	370
	371	/* Now get result of this (32 bytes) and add it to the other
	372	context. */
	373	sha256_finish_ctx(&alt_ctx, alt_result);
	374
	375	/* Add for any character in the key one byte of the alternate sum. */
	376	for (cnt = key_len; cnt > 32; cnt -= 32)
	377	sha256_process_bytes(alt_result, 32, &ctx);
	378	sha256_process_bytes(alt_result, cnt, &ctx);
	379
	380	/* Take the binary representation of the length of the key and for every
	381	1 add the alternate sum, for every 0 the key. */
	382	for (cnt = key_len; cnt; cnt >>= 1)
	383	if ((cnt & 1) != 0)
	384	sha256_process_bytes(alt_result, 32, &ctx);
	385	else
	386	sha256_process_bytes(key, key_len, &ctx);
	387
	388	/* Create intermediate result. */
	389	sha256_finish_ctx(&ctx, alt_result);
	390
	391	/* Start computation of P byte sequence. */
	392	sha256_init_ctx(&alt_ctx);
	393
	394	/* For every character in the password add the entire password. */
	395	for (cnt = 0; cnt < key_len; ++cnt)
	396	sha256_process_bytes(key, key_len, &alt_ctx);
	397
	398	/* Finish the digest. */
	399	sha256_finish_ctx(&alt_ctx, temp_result);
	400
	401	/* Create byte sequence P. */
	402	cp = p_bytes = alloca(key_len);
	403	for (cnt = key_len; cnt >= 32; cnt -= 32)
	404	cp = mempcpy(cp, temp_result, 32);
	405	memcpy(cp, temp_result, cnt);
	406
	407	/* Start computation of S byte sequence. */
	408	sha256_init_ctx(&alt_ctx);
	409
	410	/* For every character in the password add the entire password. */
	411	for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
	412	sha256_process_bytes(salt, salt_len, &alt_ctx);
	413
	414	/* Finish the digest. */
	415	sha256_finish_ctx(&alt_ctx, temp_result);
	416
	417	/* Create byte sequence S. */
	418	cp = s_bytes = alloca(salt_len);
	419	for (cnt = salt_len; cnt >= 32; cnt -= 32)
	420	cp = mempcpy(cp, temp_result, 32);
	421	memcpy(cp, temp_result, cnt);
	422
	423	/* Repeatedly run the collected hash value through SHA256 to burn
	424	CPU cycles. */
	425	for (cnt = 0; cnt < rounds; ++cnt) {
	426	/* New context. */
	427	sha256_init_ctx(&ctx);
	428
	429	/* Add key or last result. */
	430	if ((cnt & 1) != 0)
	431	sha256_process_bytes(p_bytes, key_len, &ctx);
	432	else
	433	sha256_process_bytes(alt_result, 32, &ctx);
	434
	435	/* Add salt for numbers not divisible by 3. */
	436	if (cnt % 3 != 0)
	437	sha256_process_bytes(s_bytes, salt_len, &ctx);
	438
	439	/* Add key for numbers not divisible by 7. */
	440	if (cnt % 7 != 0)
	441	sha256_process_bytes(p_bytes, key_len, &ctx);
	442
	443	/* Add key or last result. */
	444	if ((cnt & 1) != 0)
	445	sha256_process_bytes(alt_result, 32, &ctx);
	446	else
	447	sha256_process_bytes(p_bytes, key_len, &ctx);
	448
	449	/* Create intermediate result. */
	450	sha256_finish_ctx(&ctx, alt_result);
	451	}
	452
	453	/* Now we can construct the result string. It consists of three
	454	parts. */
	455	cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
	456	buflen -= sizeof(sha256_salt_prefix) - 1;
	457
	458	if (rounds_custom) {
	459	int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
	460	sha256_rounds_prefix, rounds);
	461	cp += n;
	462	buflen -= n;
	463	}
	464
	465	cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
	466	buflen -= MIN((size_t) MAX(0, buflen), salt_len);
	467
	468	if (buflen > 0) {
	469	*cp++ = '$';
	470	--buflen;
	471	}
	472	#define b64_from_24bit(B2, B1, B0, N) \
	473	do { \
	474	unsigned int w = ((B2) << 16) \| ((B1) << 8) \| (B0); \
	475	int n = (N); \
	476	while (n-- > 0 && buflen > 0) \
	477	{ \
	478	*cp++ = b64t[w & 0x3f]; \
	479	--buflen; \
	480	w >>= 6; \
	481	} \
	482	} while (0)
	483
	484	b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
	485	b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
	486	b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
	487	b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
	488	b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
	489	b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
	490	b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
	491	b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
	492	b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
	493	b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
	494	b64_from_24bit(0, alt_result[31], alt_result[30], 3);
	495	if (buflen <= 0) {
	496	errno = ERANGE;
	497	buffer = NULL;
	498	} else
	499	cp = '\0'; / Terminate the string. */
	500
	501	/* Clear the buffer for the intermediate result so that people
	502	attaching to processes or reading core dumps cannot get any
	503	information. We do it in this way to clear correct_words[]
	504	inside the SHA256 implementation as well. */
	505	sha256_init_ctx(&ctx);
	506	sha256_finish_ctx(&ctx, alt_result);
	507	memset(temp_result, '\0', sizeof(temp_result));
	508	memset(p_bytes, '\0', key_len);
	509	memset(s_bytes, '\0', salt_len);
	510	memset(&ctx, '\0', sizeof(ctx));
	511	memset(&alt_ctx, '\0', sizeof(alt_ctx));
	512	if (copied_key != NULL)
	513	memset(copied_key, '\0', key_len);
	514	if (copied_salt != NULL)
	515	memset(copied_salt, '\0', salt_len);
	516
	517	return buffer;
	518	}
	519
	520	/* This entry point is equivalent to the `crypt' function in Unix
	521	libcs. */
	522	char sha256_crypt(const char key, const char *salt)
	523	{
	524	/* We don't want to have an arbitrary limit in the size of the
	525	password. We can compute an upper bound for the size of the
	526	result in advance and so we can prepare the buffer we pass to
	527	`sha256_crypt_r'. */
	528	static char *buffer;
	529	static int buflen;
	530	int needed = (sizeof(sha256_salt_prefix) - 1
	531	+ sizeof(sha256_rounds_prefix) + 9 + 1
	532	+ strlen(salt) + 1 + 43 + 1);
	533
	534	if (buflen < needed) {
	535	char new_buffer = (char )realloc(buffer, needed);
	536	if (new_buffer == NULL)
	537	return NULL;
	538
	539	buffer = new_buffer;
	540	buflen = needed;
	541	}
	542
	543	return sha256_crypt_r(key, salt, buffer, buflen);
	544	}
	545
	546	#ifdef TEST
	547	static const struct {
	548	const char *input;
	549	const char result[32];
	550	} tests[] = {
	551	/* Test vectors from FIPS 180-2: appendix B.1. */
	552	{
	553	"abc",
	554	"\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
	555	"\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"},
	556	/* Test vectors from FIPS 180-2: appendix B.2. */
	557	{
	558	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
	559	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
	560	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
	561	/* Test vectors from the NESSIE project. */
	562	{
	563	"", "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
	564	"\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"},
	565	{
	566	"a", "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
	567	"\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"},
	568	{
	569	"message digest",
	570	"\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
	571	"\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"},
	572	{
	573	"abcdefghijklmnopqrstuvwxyz",
	574	"\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
	575	"\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"},
	576	{
	577	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
	578	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
	579	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
	580	{
	581	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
	582	"\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
	583	"\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"},
	584	{
	585	"123456789012345678901234567890123456789012345678901234567890"
	586	"12345678901234567890",
	587	"\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
	588	"\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"}
	589	};
	590
	591	#define ntests (sizeof (tests) / sizeof (tests[0]))
	592
	593	static const struct {
	594	const char *salt;
	595	const char *input;
	596	const char *expected;
	597	} tests2[] = {
	598	{
	599	"$5$saltstring", "Hello world!",
	600	"$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"}, {
	601	"$5$rounds=10000$saltstringsaltstring", "Hello world!",
	602	"$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
	603	"opqey6IcA"}, {
	604	"$5$rounds=5000$toolongsaltstring", "This is just a test",
	605	"$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
	606	"mGRcvxa5"}, {
	607	"$5$rounds=1400$anotherlongsaltstring",
	608	"a very much longer text to encrypt. This one even stretches over more"
	609	"than one line.",
	610	"$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
	611	"oP84Bnq1"}, {
	612	"$5$rounds=77777$short",
	613	"we have a short salt string but not a short password",
	614	"$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"},
	615	{
	616	"$5$rounds=123456$asaltof16chars..", "a short string",
	617	"$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
	618	"cZKmF/wJvD"}, {
	619	"$5$rounds=10$roundstoolow", "the minimum number is still observed",
	620	"$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
	621	"2bIC"},};
	622	#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
	623
	624	int main(void)
	625	{
	626	struct sha256_ctx ctx;
	627	char sum[32];
	628	int result = 0;
	629	int cnt;
	630
	631	for (cnt = 0; cnt < (int)ntests; ++cnt) {
	632	sha256_init_ctx(&ctx);
	633	sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
	634	sha256_finish_ctx(&ctx, sum);
	635	if (memcmp(tests[cnt].result, sum, 32) != 0) {
	636	printf("test %d run %d failed\n", cnt, 1);
	637	result = 1;
	638	}
	639
	640	sha256_init_ctx(&ctx);
	641	for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
	642	sha256_process_bytes(&tests[cnt].input[i], 1, &ctx);
	643	sha256_finish_ctx(&ctx, sum);
	644	if (memcmp(tests[cnt].result, sum, 32) != 0) {
	645	printf("test %d run %d failed\n", cnt, 2);
	646	result = 1;
	647	}
	648	}
	649
	650	/* Test vector from FIPS 180-2: appendix B.3. */
	651	char buf[1000];
	652	memset(buf, 'a', sizeof(buf));
	653	sha256_init_ctx(&ctx);
	654	for (int i = 0; i < 1000; ++i)
	655	sha256_process_bytes(buf, sizeof(buf), &ctx);
	656	sha256_finish_ctx(&ctx, sum);
	657	static const char expected[32] =
	658	"\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
	659	"\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
	660	if (memcmp(expected, sum, 32) != 0) {
	661	printf("test %d failed\n", cnt);
	662	result = 1;
	663	}
	664
	665	for (cnt = 0; cnt < ntests2; ++cnt) {
	666	char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
	667
	668	if (strcmp(cp, tests2[cnt].expected) != 0) {
	669	printf("test %d: expected \"%s\", got \"%s\"\n",
	670	cnt, tests2[cnt].expected, cp);
	671	result = 1;
	672	}
	673	}
	674
	675	if (result == 0)
	676	puts("all tests OK");
	677
	678	return result;
	679	}
	680	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: