2 * SHA512-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
19 #if _BYTE_ORDER == _LITTLE_ENDIAN
22 | (((n) & 0xff00) << 40) \
23 | (((n) & 0xff0000) << 24) \
24 | (((n) & 0xff000000) << 8) \
25 | (((n) >> 8) & 0xff000000) \
26 | (((n) >> 24) & 0xff0000) \
27 | (((n) >> 40) & 0xff00) \
34 /* This array contains the bytes used to pad the buffer to the next
35 64-byte boundary. (FIPS 180-2:5.1.2) */
36 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
39 /* Constants for SHA512 from FIPS 180-2:4.2.3. */
40 static const uint64_t K[80] =
42 UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
43 UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
44 UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
45 UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
46 UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
47 UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
48 UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
49 UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
50 UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
51 UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
52 UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
53 UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
54 UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
55 UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
56 UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
57 UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
58 UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
59 UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
60 UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
61 UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
62 UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
63 UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
64 UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
65 UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
66 UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
67 UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
68 UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
69 UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
70 UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
71 UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
72 UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
73 UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
74 UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
75 UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
76 UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
77 UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
78 UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
79 UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
80 UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
81 UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
85 /* Process LEN bytes of BUFFER, accumulating context into CTX.
86 It is assumed that LEN % 128 == 0. */
88 __crypt__sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
90 const uint64_t *words = buffer;
91 size_t nwords = len / sizeof (uint64_t);
92 uint64_t a = ctx->H[0];
93 uint64_t b = ctx->H[1];
94 uint64_t c = ctx->H[2];
95 uint64_t d = ctx->H[3];
96 uint64_t e = ctx->H[4];
97 uint64_t f = ctx->H[5];
98 uint64_t g = ctx->H[6];
99 uint64_t h = ctx->H[7];
101 /* First increment the byte count. FIPS 180-2 specifies the possible
102 length of the file up to 2^128 bits. Here we only compute the
103 number of bytes. Do a double word increment. */
104 ctx->total[0] += len;
105 if (ctx->total[0] < len)
108 /* Process all bytes in the buffer with 128 bytes in each round of
122 /* Operators defined in FIPS 180-2:4.1.2. */
123 #define Ch(x, y, z) ((x & y) ^ (~x & z))
124 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
125 #define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
126 #define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
127 #define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
128 #define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
130 /* It is unfortunate that C does not provide an operator for
131 cyclic rotation. Hope the C compiler is smart enough. */
132 #define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
134 /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2. */
135 for (unsigned int t = 0; t < 16; ++t)
137 W[t] = SWAP (*words);
140 for (unsigned int t = 16; t < 80; ++t)
141 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
143 /* The actual computation according to FIPS 180-2:6.3.2 step 3. */
144 for (unsigned int t = 0; t < 80; ++t)
146 uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
147 uint64_t T2 = S0 (a) + Maj (a, b, c);
158 /* Add the starting values of the context according to FIPS 180-2:6.3.2
169 /* Prepare for the next round. */
173 /* Put checksum in context given as argument. */
185 /* Initialize structure containing state of computation.
186 (FIPS 180-2:5.3.3) */
188 __crypt__sha512_init_ctx (struct sha512_ctx *ctx)
190 ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
191 ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
192 ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
193 ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
194 ctx->H[4] = UINT64_C (0x510e527fade682d1);
195 ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
196 ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
197 ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
199 ctx->total[0] = ctx->total[1] = 0;
204 /* Process the remaining bytes in the internal buffer and the usual
205 prolog according to the standard and write the result to RESBUF.
207 IMPORTANT: On some systems it is required that RESBUF is correctly
208 aligned for a 32 bits value. */
210 __crypt__sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
212 /* Take yet unprocessed bytes into account. */
213 uint64_t bytes = ctx->buflen;
216 /* Now count remaining bytes. */
217 ctx->total[0] += bytes;
218 if (ctx->total[0] < bytes)
221 pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
222 memcpy (&ctx->buffer[bytes], fillbuf, pad);
224 /* Put the 128-bit file length in *bits* at the end of the buffer. */
225 *(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP (ctx->total[0] << 3);
226 *(uint64_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
227 (ctx->total[0] >> 61));
229 /* Process last bytes. */
230 __crypt__sha512_process_block (ctx->buffer, bytes + pad + 16, ctx);
232 /* Put result from CTX in first 64 bytes following RESBUF. */
233 for (unsigned int i = 0; i < 8; ++i)
234 ((uint64_t *) resbuf)[i] = SWAP (ctx->H[i]);
241 __crypt__sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
243 /* When we already have some bits in our internal buffer concatenate
244 both inputs first. */
245 if (ctx->buflen != 0)
247 size_t left_over = ctx->buflen;
248 size_t add = 256 - left_over > len ? len : 256 - left_over;
250 memcpy (&ctx->buffer[left_over], buffer, add);
253 if (ctx->buflen > 128)
255 __crypt__sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
258 /* The regions in the following copy operation cannot overlap. */
259 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
263 buffer = (const char *) buffer + add;
267 /* Process available complete blocks. */
271 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
273 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
275 if (UNALIGNED_P (buffer))
278 __crypt__sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128,
280 buffer = (const char *) buffer + 128;
285 __crypt__sha512_process_block (buffer, len & ~127, ctx);
286 buffer = (const char *) buffer + (len & ~127);
291 /* Move remaining bytes into internal buffer. */
294 size_t left_over = ctx->buflen;
296 memcpy (&ctx->buffer[left_over], buffer, len);
298 if (left_over >= 128)
300 __crypt__sha512_process_block (ctx->buffer, 128, ctx);
302 memcpy (ctx->buffer, &ctx->buffer[128], left_over);
304 ctx->buflen = left_over;
309 /* Define our magic string to mark salt for SHA512 "encryption"
311 static const char sha512_salt_prefix[] = "$6$";
313 /* Prefix for optional rounds specification. */
314 static const char sha512_rounds_prefix[] = "rounds=";
316 /* Maximum salt string length. */
317 #define SALT_LEN_MAX 16
318 /* Default number of rounds if not explicitly specified. */
319 #define ROUNDS_DEFAULT 5000
320 /* Minimum number of rounds. */
321 #define ROUNDS_MIN 1000
322 /* Maximum number of rounds. */
323 #define ROUNDS_MAX 999999999
325 /* Table with characters for base64 transformation. */
326 static const char b64t[64] =
327 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
331 crypt_sha512_r (const char *key, const char *salt, char *buffer, int buflen)
333 unsigned char alt_result[64]
334 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
335 unsigned char temp_result[64]
336 __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
337 struct sha512_ctx ctx;
338 struct sha512_ctx alt_ctx;
343 char *copied_key = NULL;
344 char *copied_salt = NULL;
347 /* Default number of rounds. */
348 size_t rounds = ROUNDS_DEFAULT;
349 bool rounds_custom = false;
351 /* Find beginning of salt string. The prefix should normally always
352 be present. Just in case it is not. */
353 if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
354 /* Skip salt prefix. */
355 salt += sizeof (sha512_salt_prefix) - 1;
357 if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
360 const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
362 unsigned long int srounds = strtoul (num, &endp, 10);
366 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
367 rounds_custom = true;
371 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
372 key_len = strlen (key);
374 if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
376 char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
378 memcpy (tmp + __alignof__ (uint64_t)
379 - (tmp - (char *) 0) % __alignof__ (uint64_t),
383 if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
385 char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
387 memcpy (tmp + __alignof__ (uint64_t)
388 - (tmp - (char *) 0) % __alignof__ (uint64_t),
392 /* Prepare for the real work. */
393 __crypt__sha512_init_ctx (&ctx);
395 /* Add the key string. */
396 __crypt__sha512_process_bytes (key, key_len, &ctx);
398 /* The last part is the salt string. This must be at most 16
399 characters and it ends at the first `$' character (for
400 compatibility with existing implementations). */
401 __crypt__sha512_process_bytes (salt, salt_len, &ctx);
404 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
405 final result will be added to the first context. */
406 __crypt__sha512_init_ctx (&alt_ctx);
409 __crypt__sha512_process_bytes (key, key_len, &alt_ctx);
412 __crypt__sha512_process_bytes (salt, salt_len, &alt_ctx);
415 __crypt__sha512_process_bytes (key, key_len, &alt_ctx);
417 /* Now get result of this (64 bytes) and add it to the other
419 __crypt__sha512_finish_ctx (&alt_ctx, alt_result);
421 /* Add for any character in the key one byte of the alternate sum. */
422 for (cnt = key_len; cnt > 64; cnt -= 64)
423 __crypt__sha512_process_bytes (alt_result, 64, &ctx);
424 __crypt__sha512_process_bytes (alt_result, cnt, &ctx);
426 /* Take the binary representation of the length of the key and for every
427 1 add the alternate sum, for every 0 the key. */
428 for (cnt = key_len; cnt > 0; cnt >>= 1)
430 __crypt__sha512_process_bytes (alt_result, 64, &ctx);
432 __crypt__sha512_process_bytes (key, key_len, &ctx);
434 /* Create intermediate result. */
435 __crypt__sha512_finish_ctx (&ctx, alt_result);
437 /* Start computation of P byte sequence. */
438 __crypt__sha512_init_ctx (&alt_ctx);
440 /* For every character in the password add the entire password. */
441 for (cnt = 0; cnt < key_len; ++cnt)
442 __crypt__sha512_process_bytes (key, key_len, &alt_ctx);
444 /* Finish the digest. */
445 __crypt__sha512_finish_ctx (&alt_ctx, temp_result);
447 /* Create byte sequence P. */
448 cp = p_bytes = alloca (key_len);
449 for (cnt = key_len; cnt >= 64; cnt -= 64)
450 cp = mempcpy (cp, temp_result, 64);
451 memcpy (cp, temp_result, cnt);
453 /* Start computation of S byte sequence. */
454 __crypt__sha512_init_ctx (&alt_ctx);
456 /* For every character in the password add the entire password. */
457 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
458 __crypt__sha512_process_bytes (salt, salt_len, &alt_ctx);
460 /* Finish the digest. */
461 __crypt__sha512_finish_ctx (&alt_ctx, temp_result);
463 /* Create byte sequence S. */
464 cp = s_bytes = alloca (salt_len);
465 for (cnt = salt_len; cnt >= 64; cnt -= 64)
466 cp = mempcpy (cp, temp_result, 64);
467 memcpy (cp, temp_result, cnt);
469 /* Repeatedly run the collected hash value through SHA512 to burn
471 for (cnt = 0; cnt < rounds; ++cnt)
474 __crypt__sha512_init_ctx (&ctx);
476 /* Add key or last result. */
478 __crypt__sha512_process_bytes (p_bytes, key_len, &ctx);
480 __crypt__sha512_process_bytes (alt_result, 64, &ctx);
482 /* Add salt for numbers not divisible by 3. */
484 __crypt__sha512_process_bytes (s_bytes, salt_len, &ctx);
486 /* Add key for numbers not divisible by 7. */
488 __crypt__sha512_process_bytes (p_bytes, key_len, &ctx);
490 /* Add key or last result. */
492 __crypt__sha512_process_bytes (alt_result, 64, &ctx);
494 __crypt__sha512_process_bytes (p_bytes, key_len, &ctx);
496 /* Create intermediate result. */
497 __crypt__sha512_finish_ctx (&ctx, alt_result);
500 /* Now we can construct the result string. It consists of three
502 cp = stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
503 buflen -= sizeof (sha512_salt_prefix) - 1;
507 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
508 sha512_rounds_prefix, rounds);
513 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
514 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
522 #define b64_from_24bit(B2, B1, B0, N) \
524 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
526 while (n-- > 0 && buflen > 0) \
528 *cp++ = b64t[w & 0x3f]; \
534 b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
535 b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
536 b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
537 b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
538 b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
539 b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
540 b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
541 b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
542 b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
543 b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
544 b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
545 b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
546 b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
547 b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
548 b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
549 b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
550 b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
551 b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
552 b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
553 b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
554 b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
555 b64_from_24bit (0, 0, alt_result[63], 2);
563 *cp = '\0'; /* Terminate the string. */
565 /* Clear the buffer for the intermediate result so that people
566 attaching to processes or reading core dumps cannot get any
567 information. We do it in this way to clear correct_words[]
568 inside the SHA512 implementation as well. */
569 __crypt__sha512_init_ctx (&ctx);
570 __crypt__sha512_finish_ctx (&ctx, alt_result);
571 memset (temp_result, '\0', sizeof (temp_result));
572 memset (p_bytes, '\0', key_len);
573 memset (s_bytes, '\0', salt_len);
574 memset (&ctx, '\0', sizeof (ctx));
575 memset (&alt_ctx, '\0', sizeof (alt_ctx));
576 if (copied_key != NULL)
577 memset (copied_key, '\0', key_len);
578 if (copied_salt != NULL)
579 memset (copied_salt, '\0', salt_len);
585 /* This entry point is equivalent to the `crypt' function in Unix
588 crypt_sha512 (const char *key, const char *salt)
590 /* We don't want to have an arbitrary limit in the size of the
591 password. We can compute an upper bound for the size of the
592 result in advance and so we can prepare the buffer we pass to
596 int needed = (sizeof (sha512_salt_prefix) - 1
597 + sizeof (sha512_rounds_prefix) + 9 + 1
598 + strlen (salt) + 1 + 86 + 1);
602 char *new_buffer = (char *) realloc (buffer, needed);
603 if (new_buffer == NULL)
610 return crypt_sha512_r (key, salt, buffer, buflen);
618 const char result[64];
621 /* Test vectors from FIPS 180-2: appendix C.1. */
623 "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
624 "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
625 "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
626 "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
627 /* Test vectors from FIPS 180-2: appendix C.2. */
628 { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
629 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
630 "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
631 "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
632 "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
633 "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
634 /* Test vectors from the NESSIE project. */
636 "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
637 "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
638 "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
639 "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
641 "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
642 "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
643 "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
644 "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
646 "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
647 "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
648 "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
649 "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
650 { "abcdefghijklmnopqrstuvwxyz",
651 "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
652 "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
653 "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
654 "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
655 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
656 "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
657 "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
658 "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
659 "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
660 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
661 "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
662 "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
663 "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
664 "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
665 { "123456789012345678901234567890123456789012345678901234567890"
666 "12345678901234567890",
667 "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
668 "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
669 "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
670 "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
672 #define ntests (NELEM(tests))
679 const char *expected;
682 { "$6$saltstring", "Hello world!",
683 "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
684 "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" },
685 { "$6$rounds=10000$saltstringsaltstring", "Hello world!",
686 "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
687 "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
688 { "$6$rounds=5000$toolongsaltstring", "This is just a test",
689 "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
690 "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
691 { "$6$rounds=1400$anotherlongsaltstring",
692 "a very much longer text to encrypt. This one even stretches over more"
694 "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
695 "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
696 { "$6$rounds=77777$short",
697 "we have a short salt string but not a short password",
698 "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
699 "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
700 { "$6$rounds=123456$asaltof16chars..", "a short string",
701 "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
702 "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
703 { "$6$rounds=10$roundstoolow", "the minimum number is still observed",
704 "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
705 "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
707 #define ntests2 (NELEM(tests2))
713 struct sha512_ctx ctx;
718 for (cnt = 0; cnt < (int) ntests; ++cnt)
720 __crypt__sha512_init_ctx (&ctx);
721 __crypt__sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
722 __crypt__sha512_finish_ctx (&ctx, sum);
723 if (memcmp (tests[cnt].result, sum, 64) != 0)
725 printf ("test %d run %d failed\n", cnt, 1);
729 __crypt__sha512_init_ctx (&ctx);
730 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
731 __crypt__sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
732 __crypt__sha512_finish_ctx (&ctx, sum);
733 if (memcmp (tests[cnt].result, sum, 64) != 0)
735 printf ("test %d run %d failed\n", cnt, 2);
740 /* Test vector from FIPS 180-2: appendix C.3. */
742 memset (buf, 'a', sizeof (buf));
743 __crypt__sha512_init_ctx (&ctx);
744 for (int i = 0; i < 1000; ++i)
745 __crypt__sha512_process_bytes (buf, sizeof (buf), &ctx);
746 __crypt__sha512_finish_ctx (&ctx, sum);
747 static const char expected[64] =
748 "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
749 "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
750 "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
751 "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
752 if (memcmp (expected, sum, 64) != 0)
754 printf ("test %d failed\n", cnt);
758 for (cnt = 0; cnt < ntests2; ++cnt)
760 char *cp = crypt_sha512 (tests2[cnt].input, tests2[cnt].salt);
762 if (strcmp (cp, tests2[cnt].expected) != 0)
764 printf ("test %d: expected \"%s\", got \"%s\"\n",
765 cnt, tests2[cnt].expected, cp);
771 puts ("all tests OK");