Context Navigation

source: bootcd/isolinux/syslinux-6.03/com32/libutil/sha256crypt.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 21.3 KB

Line
1	/* SHA256-based Unix crypt implementation.
2	Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3
4	#include <alloca.h>
5	#include <endian.h>
6	#include <errno.h>
7	#include <limits.h>
8	#include <stdint.h>
9	#include <stdbool.h>
10	#include <stdio.h>
11	#include <stdlib.h>
12	#include <string.h>
13	#include <minmax.h>
14	#include <sys/types.h>
15
16	#include "xcrypt.h"
17
18	#define MIN(x,y) min(x,y)
19	#define MAX(x,y) max(x,y)
20
21	/* Structure to save state of computation between the single steps. */
22	struct sha256_ctx {
23	uint32_t H[8];
24
25	uint32_t total[2];
26	uint32_t buflen;
27	char buffer[128]; /* NB: always correctly aligned for uint32_t. */
28	};
29
30	#if __BYTE_ORDER == __LITTLE_ENDIAN
31	# define SWAP(n) \
32	(((n) << 24) \| (((n) & 0xff00) << 8) \| (((n) >> 8) & 0xff00) \| ((n) >> 24))
33	#else
34	# define SWAP(n) (n)
35	#endif
36
37	/* This array contains the bytes used to pad the buffer to the next
38	64-byte boundary. (FIPS 180-2:5.1.1) */
39	static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
40
41	/* Constants for SHA256 from FIPS 180-2:4.2.2. */
42	static const uint32_t K[64] = {
43	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
44	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
45	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
46	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
47	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
48	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
49	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
50	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
51	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
52	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
53	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
54	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
55	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
56	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
57	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
58	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
59	};
60
61	/* Process LEN bytes of BUFFER, accumulating context into CTX.
62	It is assumed that LEN % 64 == 0. */
63	static void
64	sha256_process_block(const void buffer, size_t len, struct sha256_ctx ctx)
65	{
66	unsigned int t;
67	const uint32_t *words = buffer;
68	size_t nwords = len / sizeof(uint32_t);
69	uint32_t a = ctx->H[0];
70	uint32_t b = ctx->H[1];
71	uint32_t c = ctx->H[2];
72	uint32_t d = ctx->H[3];
73	uint32_t e = ctx->H[4];
74	uint32_t f = ctx->H[5];
75	uint32_t g = ctx->H[6];
76	uint32_t h = ctx->H[7];
77
78	/* First increment the byte count. FIPS 180-2 specifies the possible
79	length of the file up to 2^64 bits. Here we only compute the
80	number of bytes. Do a double word increment. */
81	ctx->total[0] += len;
82	if (ctx->total[0] < len)
83	++ctx->total[1];
84
85	/* Process all bytes in the buffer with 64 bytes in each round of
86	the loop. */
87	while (nwords > 0) {
88	uint32_t W[64];
89	uint32_t a_save = a;
90	uint32_t b_save = b;
91	uint32_t c_save = c;
92	uint32_t d_save = d;
93	uint32_t e_save = e;
94	uint32_t f_save = f;
95	uint32_t g_save = g;
96	uint32_t h_save = h;
97
98	/* Operators defined in FIPS 180-2:4.1.2. */
99	#define Ch(x, y, z) ((x & y) ^ (~x & z))
100	#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
101	#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
102	#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
103	#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
104	#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
105
106	/* It is unfortunate that C does not provide an operator for
107	cyclic rotation. Hope the C compiler is smart enough. */
108	#define CYCLIC(w, s) ((w >> s) \| (w << (32 - s)))
109
110	/* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
111	for (t = 0; t < 16; ++t) {
112	W[t] = SWAP(*words);
113	++words;
114	}
115	for (t = 16; t < 64; ++t)
116	W[t] = R1(W[t - 2]) + W[t - 7] + R0(W[t - 15]) + W[t - 16];
117
118	/* The actual computation according to FIPS 180-2:6.2.2 step 3. */
119	for (t = 0; t < 64; ++t) {
120	uint32_t T1 = h + S1(e) + Ch(e, f, g) + K[t] + W[t];
121	uint32_t T2 = S0(a) + Maj(a, b, c);
122	h = g;
123	g = f;
124	f = e;
125	e = d + T1;
126	d = c;
127	c = b;
128	b = a;
129	a = T1 + T2;
130	}
131
132	/* Add the starting values of the context according to FIPS 180-2:6.2.2
133	step 4. */
134	a += a_save;
135	b += b_save;
136	c += c_save;
137	d += d_save;
138	e += e_save;
139	f += f_save;
140	g += g_save;
141	h += h_save;
142
143	/* Prepare for the next round. */
144	nwords -= 16;
145	}
146
147	/* Put checksum in context given as argument. */
148	ctx->H[0] = a;
149	ctx->H[1] = b;
150	ctx->H[2] = c;
151	ctx->H[3] = d;
152	ctx->H[4] = e;
153	ctx->H[5] = f;
154	ctx->H[6] = g;
155	ctx->H[7] = h;
156	}
157
158	/* Initialize structure containing state of computation.
159	(FIPS 180-2:5.3.2) */
160	static void sha256_init_ctx(struct sha256_ctx *ctx)
161	{
162	ctx->H[0] = 0x6a09e667;
163	ctx->H[1] = 0xbb67ae85;
164	ctx->H[2] = 0x3c6ef372;
165	ctx->H[3] = 0xa54ff53a;
166	ctx->H[4] = 0x510e527f;
167	ctx->H[5] = 0x9b05688c;
168	ctx->H[6] = 0x1f83d9ab;
169	ctx->H[7] = 0x5be0cd19;
170
171	ctx->total[0] = ctx->total[1] = 0;
172	ctx->buflen = 0;
173	}
174
175	/* Process the remaining bytes in the internal buffer and the usual
176	prolog according to the standard and write the result to RESBUF.
177
178	IMPORTANT: On some systems it is required that RESBUF is correctly
179	aligned for a 32 bits value. */
180	static void sha256_finish_ctx(struct sha256_ctx ctx, void *resbuf)
181	{
182	unsigned int i;
183	/* Take yet unprocessed bytes into account. */
184	uint32_t bytes = ctx->buflen;
185	size_t pad;
186
187	/* Now count remaining bytes. */
188	ctx->total[0] += bytes;
189	if (ctx->total[0] < bytes)
190	++ctx->total[1];
191
192	pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
193	memcpy(&ctx->buffer[bytes], fillbuf, pad);
194
195	/* Put the 64-bit file length in bits at the end of the buffer. */
196	(uint32_t ) & ctx->buffer[bytes + pad + 4] = SWAP(ctx->total[0] << 3);
197	(uint32_t ) & ctx->buffer[bytes + pad] = SWAP((ctx->total[1] << 3) \|
198	(ctx->total[0] >> 29));
199
200	/* Process last bytes. */
201	sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
202
203	/* Put result from CTX in first 32 bytes following RESBUF. */
204	for (i = 0; i < 8; ++i)
205	((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
206
207	return resbuf;
208	}
209
210	static void
211	sha256_process_bytes(const void buffer, size_t len, struct sha256_ctx ctx)
212	{
213	/* When we already have some bits in our internal buffer concatenate
214	both inputs first. */
215	if (ctx->buflen != 0) {
216	size_t left_over = ctx->buflen;
217	size_t add = 128 - left_over > len ? len : 128 - left_over;
218
219	memcpy(&ctx->buffer[left_over], buffer, add);
220	ctx->buflen += add;
221
222	if (ctx->buflen > 64) {
223	sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
224
225	ctx->buflen &= 63;
226	/* The regions in the following copy operation cannot overlap. */
227	memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
228	ctx->buflen);
229	}
230
231	buffer = (const char *)buffer + add;
232	len -= add;
233	}
234
235	/* Process available complete blocks. */
236	if (len >= 64) {
237	/* To check alignment gcc has an appropriate operator. Other
238	compilers don't. */
239	#if __GNUC__ >= 2
240	# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
241	#else
242	# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
243	#endif
244	if (UNALIGNED_P(buffer))
245	while (len > 64) {
246	sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
247	buffer = (const char *)buffer + 64;
248	len -= 64;
249	} else {
250	sha256_process_block(buffer, len & ~63, ctx);
251	buffer = (const char *)buffer + (len & ~63);
252	len &= 63;
253	}
254	}
255
256	/* Move remaining bytes into internal buffer. */
257	if (len > 0) {
258	size_t left_over = ctx->buflen;
259
260	memcpy(&ctx->buffer[left_over], buffer, len);
261	left_over += len;
262	if (left_over >= 64) {
263	sha256_process_block(ctx->buffer, 64, ctx);
264	left_over -= 64;
265	memcpy(ctx->buffer, &ctx->buffer[64], left_over);
266	}
267	ctx->buflen = left_over;
268	}
269	}
270
271	/* Define our magic string to mark salt for SHA256 "encryption"
272	replacement. */
273	static const char sha256_salt_prefix[] = "$5$";
274
275	/* Prefix for optional rounds specification. */
276	static const char sha256_rounds_prefix[] = "rounds=";
277
278	/* Maximum salt string length. */
279	#define SALT_LEN_MAX 16U
280	/* Default number of rounds if not explicitly specified. */
281	#define ROUNDS_DEFAULT 5000UL
282	/* Minimum number of rounds. */
283	#define ROUNDS_MIN 1000UL
284	/* Maximum number of rounds. */
285	#define ROUNDS_MAX 999999999UL
286
287	/* Table with characters for base64 transformation. */
288	static const char b64t[64] =
289	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
290
291	static char sha256_crypt_r(const char key, const char salt, char buffer,
292	int buflen)
293	{
294	unsigned char alt_result[32]
295	__attribute__ ((__aligned__(__alignof__(uint32_t))));
296	unsigned char temp_result[32]
297	__attribute__ ((__aligned__(__alignof__(uint32_t))));
298	struct sha256_ctx ctx;
299	struct sha256_ctx alt_ctx;
300	size_t salt_len;
301	size_t key_len;
302	size_t cnt;
303	char *cp;
304	char *copied_key = NULL;
305	char *copied_salt = NULL;
306	char *p_bytes;
307	char *s_bytes;
308	/* Default number of rounds. */
309	size_t rounds = ROUNDS_DEFAULT;
310	bool rounds_custom = false;
311
312	/* Find beginning of salt string. The prefix should normally always
313	be present. Just in case it is not. */
314	if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
315	/* Skip salt prefix. */
316	salt += sizeof(sha256_salt_prefix) - 1;
317
318	if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
319	== 0) {
320	const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
321	char *endp;
322	unsigned long int srounds = strtoul(num, &endp, 10);
323	if (*endp == '$') {
324	salt = endp + 1;
325	rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
326	rounds_custom = true;
327	}
328	}
329
330	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
331	key_len = strlen(key);
332
333	if ((key - (char *)0) % __alignof__(uint32_t) != 0) {
334	char tmp = (char )alloca(key_len + __alignof__(uint32_t));
335	key = copied_key = memcpy(tmp + __alignof__(uint32_t)
336	- (tmp - (char *)0) % __alignof__(uint32_t),
337	key, key_len);
338	}
339
340	if ((salt - (char *)0) % __alignof__(uint32_t) != 0) {
341	char tmp = (char )alloca(salt_len + __alignof__(uint32_t));
342	salt = copied_salt = memcpy(tmp + __alignof__(uint32_t)
343	- (tmp - (char *)0) % __alignof__(uint32_t),
344	salt, salt_len);
345	}
346
347	/* Prepare for the real work. */
348	sha256_init_ctx(&ctx);
349
350	/* Add the key string. */
351	sha256_process_bytes(key, key_len, &ctx);
352
353	/* The last part is the salt string. This must be at most 8
354	characters and it ends at the first `$' character (for
355	compatibility with existing implementations). */
356	sha256_process_bytes(salt, salt_len, &ctx);
357
358	/* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
359	final result will be added to the first context. */
360	sha256_init_ctx(&alt_ctx);
361
362	/* Add key. */
363	sha256_process_bytes(key, key_len, &alt_ctx);
364
365	/* Add salt. */
366	sha256_process_bytes(salt, salt_len, &alt_ctx);
367
368	/* Add key again. */
369	sha256_process_bytes(key, key_len, &alt_ctx);
370
371	/* Now get result of this (32 bytes) and add it to the other
372	context. */
373	sha256_finish_ctx(&alt_ctx, alt_result);
374
375	/* Add for any character in the key one byte of the alternate sum. */
376	for (cnt = key_len; cnt > 32; cnt -= 32)
377	sha256_process_bytes(alt_result, 32, &ctx);
378	sha256_process_bytes(alt_result, cnt, &ctx);
379
380	/* Take the binary representation of the length of the key and for every
381	1 add the alternate sum, for every 0 the key. */
382	for (cnt = key_len; cnt; cnt >>= 1)
383	if ((cnt & 1) != 0)
384	sha256_process_bytes(alt_result, 32, &ctx);
385	else
386	sha256_process_bytes(key, key_len, &ctx);
387
388	/* Create intermediate result. */
389	sha256_finish_ctx(&ctx, alt_result);
390
391	/* Start computation of P byte sequence. */
392	sha256_init_ctx(&alt_ctx);
393
394	/* For every character in the password add the entire password. */
395	for (cnt = 0; cnt < key_len; ++cnt)
396	sha256_process_bytes(key, key_len, &alt_ctx);
397
398	/* Finish the digest. */
399	sha256_finish_ctx(&alt_ctx, temp_result);
400
401	/* Create byte sequence P. */
402	cp = p_bytes = alloca(key_len);
403	for (cnt = key_len; cnt >= 32; cnt -= 32)
404	cp = mempcpy(cp, temp_result, 32);
405	memcpy(cp, temp_result, cnt);
406
407	/* Start computation of S byte sequence. */
408	sha256_init_ctx(&alt_ctx);
409
410	/* For every character in the password add the entire password. */
411	for (cnt = 0; cnt < (size_t)16 + alt_result[0]; ++cnt)
412	sha256_process_bytes(salt, salt_len, &alt_ctx);
413
414	/* Finish the digest. */
415	sha256_finish_ctx(&alt_ctx, temp_result);
416
417	/* Create byte sequence S. */
418	cp = s_bytes = alloca(salt_len);
419	for (cnt = salt_len; cnt >= 32; cnt -= 32)
420	cp = mempcpy(cp, temp_result, 32);
421	memcpy(cp, temp_result, cnt);
422
423	/* Repeatedly run the collected hash value through SHA256 to burn
424	CPU cycles. */
425	for (cnt = 0; cnt < rounds; ++cnt) {
426	/* New context. */
427	sha256_init_ctx(&ctx);
428
429	/* Add key or last result. */
430	if ((cnt & 1) != 0)
431	sha256_process_bytes(p_bytes, key_len, &ctx);
432	else
433	sha256_process_bytes(alt_result, 32, &ctx);
434
435	/* Add salt for numbers not divisible by 3. */
436	if (cnt % 3 != 0)
437	sha256_process_bytes(s_bytes, salt_len, &ctx);
438
439	/* Add key for numbers not divisible by 7. */
440	if (cnt % 7 != 0)
441	sha256_process_bytes(p_bytes, key_len, &ctx);
442
443	/* Add key or last result. */
444	if ((cnt & 1) != 0)
445	sha256_process_bytes(alt_result, 32, &ctx);
446	else
447	sha256_process_bytes(p_bytes, key_len, &ctx);
448
449	/* Create intermediate result. */
450	sha256_finish_ctx(&ctx, alt_result);
451	}
452
453	/* Now we can construct the result string. It consists of three
454	parts. */
455	cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
456	buflen -= sizeof(sha256_salt_prefix) - 1;
457
458	if (rounds_custom) {
459	int n = snprintf(cp, MAX(0, buflen), "%s%zu$",
460	sha256_rounds_prefix, rounds);
461	cp += n;
462	buflen -= n;
463	}
464
465	cp = stpncpy(cp, salt, MIN((size_t) MAX(0, buflen), salt_len));
466	buflen -= MIN((size_t) MAX(0, buflen), salt_len);
467
468	if (buflen > 0) {
469	*cp++ = '$';
470	--buflen;
471	}
472	#define b64_from_24bit(B2, B1, B0, N) \
473	do { \
474	unsigned int w = ((B2) << 16) \| ((B1) << 8) \| (B0); \
475	int n = (N); \
476	while (n-- > 0 && buflen > 0) \
477	{ \
478	*cp++ = b64t[w & 0x3f]; \
479	--buflen; \
480	w >>= 6; \
481	} \
482	} while (0)
483
484	b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
485	b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
486	b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
487	b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
488	b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
489	b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
490	b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
491	b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
492	b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
493	b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
494	b64_from_24bit(0, alt_result[31], alt_result[30], 3);
495	if (buflen <= 0) {
496	errno = ERANGE;
497	buffer = NULL;
498	} else
499	cp = '\0'; / Terminate the string. */
500
501	/* Clear the buffer for the intermediate result so that people
502	attaching to processes or reading core dumps cannot get any
503	information. We do it in this way to clear correct_words[]
504	inside the SHA256 implementation as well. */
505	sha256_init_ctx(&ctx);
506	sha256_finish_ctx(&ctx, alt_result);
507	memset(temp_result, '\0', sizeof(temp_result));
508	memset(p_bytes, '\0', key_len);
509	memset(s_bytes, '\0', salt_len);
510	memset(&ctx, '\0', sizeof(ctx));
511	memset(&alt_ctx, '\0', sizeof(alt_ctx));
512	if (copied_key != NULL)
513	memset(copied_key, '\0', key_len);
514	if (copied_salt != NULL)
515	memset(copied_salt, '\0', salt_len);
516
517	return buffer;
518	}
519
520	/* This entry point is equivalent to the `crypt' function in Unix
521	libcs. */
522	char sha256_crypt(const char key, const char *salt)
523	{
524	/* We don't want to have an arbitrary limit in the size of the
525	password. We can compute an upper bound for the size of the
526	result in advance and so we can prepare the buffer we pass to
527	`sha256_crypt_r'. */
528	static char *buffer;
529	static int buflen;
530	int needed = (sizeof(sha256_salt_prefix) - 1
531	+ sizeof(sha256_rounds_prefix) + 9 + 1
532	+ strlen(salt) + 1 + 43 + 1);
533
534	if (buflen < needed) {
535	char new_buffer = (char )realloc(buffer, needed);
536	if (new_buffer == NULL)
537	return NULL;
538
539	buffer = new_buffer;
540	buflen = needed;
541	}
542
543	return sha256_crypt_r(key, salt, buffer, buflen);
544	}
545
546	#ifdef TEST
547	static const struct {
548	const char *input;
549	const char result[32];
550	} tests[] = {
551	/* Test vectors from FIPS 180-2: appendix B.1. */
552	{
553	"abc",
554	"\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
555	"\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"},
556	/* Test vectors from FIPS 180-2: appendix B.2. */
557	{
558	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
559	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
560	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
561	/* Test vectors from the NESSIE project. */
562	{
563	"", "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
564	"\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"},
565	{
566	"a", "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
567	"\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"},
568	{
569	"message digest",
570	"\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
571	"\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"},
572	{
573	"abcdefghijklmnopqrstuvwxyz",
574	"\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
575	"\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"},
576	{
577	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
578	"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
579	"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"},
580	{
581	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
582	"\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
583	"\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"},
584	{
585	"123456789012345678901234567890123456789012345678901234567890"
586	"12345678901234567890",
587	"\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
588	"\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"}
589	};
590
591	#define ntests (sizeof (tests) / sizeof (tests[0]))
592
593	static const struct {
594	const char *salt;
595	const char *input;
596	const char *expected;
597	} tests2[] = {
598	{
599	"$5$saltstring", "Hello world!",
600	"$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"}, {
601	"$5$rounds=10000$saltstringsaltstring", "Hello world!",
602	"$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
603	"opqey6IcA"}, {
604	"$5$rounds=5000$toolongsaltstring", "This is just a test",
605	"$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
606	"mGRcvxa5"}, {
607	"$5$rounds=1400$anotherlongsaltstring",
608	"a very much longer text to encrypt. This one even stretches over more"
609	"than one line.",
610	"$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
611	"oP84Bnq1"}, {
612	"$5$rounds=77777$short",
613	"we have a short salt string but not a short password",
614	"$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"},
615	{
616	"$5$rounds=123456$asaltof16chars..", "a short string",
617	"$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
618	"cZKmF/wJvD"}, {
619	"$5$rounds=10$roundstoolow", "the minimum number is still observed",
620	"$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
621	"2bIC"},};
622	#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
623
624	int main(void)
625	{
626	struct sha256_ctx ctx;
627	char sum[32];
628	int result = 0;
629	int cnt;
630
631	for (cnt = 0; cnt < (int)ntests; ++cnt) {
632	sha256_init_ctx(&ctx);
633	sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
634	sha256_finish_ctx(&ctx, sum);
635	if (memcmp(tests[cnt].result, sum, 32) != 0) {
636	printf("test %d run %d failed\n", cnt, 1);
637	result = 1;
638	}
639
640	sha256_init_ctx(&ctx);
641	for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
642	sha256_process_bytes(&tests[cnt].input[i], 1, &ctx);
643	sha256_finish_ctx(&ctx, sum);
644	if (memcmp(tests[cnt].result, sum, 32) != 0) {
645	printf("test %d run %d failed\n", cnt, 2);
646	result = 1;
647	}
648	}
649
650	/* Test vector from FIPS 180-2: appendix B.3. */
651	char buf[1000];
652	memset(buf, 'a', sizeof(buf));
653	sha256_init_ctx(&ctx);
654	for (int i = 0; i < 1000; ++i)
655	sha256_process_bytes(buf, sizeof(buf), &ctx);
656	sha256_finish_ctx(&ctx, sum);
657	static const char expected[32] =
658	"\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
659	"\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
660	if (memcmp(expected, sum, 32) != 0) {
661	printf("test %d failed\n", cnt);
662	result = 1;
663	}
664
665	for (cnt = 0; cnt < ntests2; ++cnt) {
666	char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
667
668	if (strcmp(cp, tests2[cnt].expected) != 0) {
669	printf("test %d: expected \"%s\", got \"%s\"\n",
670	cnt, tests2[cnt].expected, cp);
671	result = 1;
672	}
673	}
674
675	if (result == 0)
676	puts("all tests OK");
677
678	return result;
679	}
680	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: