2 * SHA256-based Unix crypt implementation.
3 * Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
12 #include <sys/endian.h>
13 #include <sys/param.h>
14 #include <sys/types.h>
19 #if _BYTE_ORDER == _LITTLE_ENDIAN
21 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
27 /* This array contains the bytes used to pad the buffer to the next
28 64-byte boundary. (FIPS 180-2:5.1.1) */
29 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
32 /* Constants for SHA256 from FIPS 180-2:4.2.2. */
33 static const uint32_t K[64] =
35 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
36 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
37 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
38 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
39 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
40 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
41 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
42 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
43 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
44 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
45 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
46 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
47 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
48 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
49 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
50 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
54 /* Process LEN bytes of BUFFER, accumulating context into CTX.
55 It is assumed that LEN % 64 == 0. */
57 __crypt__sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
59 const uint32_t *words = buffer;
60 size_t nwords = len / sizeof (uint32_t);
61 uint32_t a = ctx->H[0];
62 uint32_t b = ctx->H[1];
63 uint32_t c = ctx->H[2];
64 uint32_t d = ctx->H[3];
65 uint32_t e = ctx->H[4];
66 uint32_t f = ctx->H[5];
67 uint32_t g = ctx->H[6];
68 uint32_t h = ctx->H[7];
70 /* First increment the byte count. FIPS 180-2 specifies the possible
71 length of the file up to 2^64 bits. Here we only compute the
72 number of bytes. Do a double word increment. */
74 if (ctx->total[0] < len)
77 /* Process all bytes in the buffer with 64 bytes in each round of
91 /* Operators defined in FIPS 180-2:4.1.2. */
92 #define Ch(x, y, z) ((x & y) ^ (~x & z))
93 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
94 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
95 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
96 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
97 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
99 /* It is unfortunate that C does not provide an operator for
100 cyclic rotation. Hope the C compiler is smart enough. */
101 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
103 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
104 for (unsigned int t = 0; t < 16; ++t)
106 W[t] = SWAP (*words);
109 for (unsigned int t = 16; t < 64; ++t)
110 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
112 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
113 for (unsigned int t = 0; t < 64; ++t)
115 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
116 uint32_t T2 = S0 (a) + Maj (a, b, c);
127 /* Add the starting values of the context according to FIPS 180-2:6.2.2
138 /* Prepare for the next round. */
142 /* Put checksum in context given as argument. */
154 /* Initialize structure containing state of computation.
155 (FIPS 180-2:5.3.2) */
157 __crypt__sha256_init_ctx (struct sha256_ctx *ctx)
159 ctx->H[0] = 0x6a09e667;
160 ctx->H[1] = 0xbb67ae85;
161 ctx->H[2] = 0x3c6ef372;
162 ctx->H[3] = 0xa54ff53a;
163 ctx->H[4] = 0x510e527f;
164 ctx->H[5] = 0x9b05688c;
165 ctx->H[6] = 0x1f83d9ab;
166 ctx->H[7] = 0x5be0cd19;
168 ctx->total[0] = ctx->total[1] = 0;
173 /* Process the remaining bytes in the internal buffer and the usual
174 prolog according to the standard and write the result to RESBUF.
176 IMPORTANT: On some systems it is required that RESBUF is correctly
177 aligned for a 32 bits value. */
179 __crypt__sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
181 /* Take yet unprocessed bytes into account. */
182 uint32_t bytes = ctx->buflen;
185 /* Now count remaining bytes. */
186 ctx->total[0] += bytes;
187 if (ctx->total[0] < bytes)
190 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
191 memcpy (&ctx->buffer[bytes], fillbuf, pad);
193 /* Put the 64-bit file length in *bits* at the end of the buffer. */
194 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
195 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
196 (ctx->total[0] >> 29));
198 /* Process last bytes. */
199 __crypt__sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
201 /* Put result from CTX in first 32 bytes following RESBUF. */
202 for (unsigned int i = 0; i < 8; ++i)
203 ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
209 __crypt__sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
211 /* When we already have some bits in our internal buffer concatenate
212 both inputs first. */
213 if (ctx->buflen != 0)
215 size_t left_over = ctx->buflen;
216 size_t add = 128 - left_over > len ? len : 128 - left_over;
218 memcpy (&ctx->buffer[left_over], buffer, add);
221 if (ctx->buflen > 64)
223 __crypt__sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
226 /* The regions in the following copy operation cannot overlap. */
227 memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
231 buffer = (const char *) buffer + add;
235 /* Process available complete blocks. */
238 /* To check alignment gcc has an appropriate operator. Other
241 # define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
243 # define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
245 if (UNALIGNED_P (buffer))
248 __crypt__sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
249 buffer = (const char *) buffer + 64;
254 __crypt__sha256_process_block (buffer, len & ~63, ctx);
255 buffer = (const char *) buffer + (len & ~63);
260 /* Move remaining bytes into internal buffer. */
263 size_t left_over = ctx->buflen;
265 memcpy (&ctx->buffer[left_over], buffer, len);
269 __crypt__sha256_process_block (ctx->buffer, 64, ctx);
271 memcpy (ctx->buffer, &ctx->buffer[64], left_over);
273 ctx->buflen = left_over;
278 /* Define our magic string to mark salt for SHA256 "encryption"
280 static const char sha256_salt_prefix[] = "$5$";
282 /* Prefix for optional rounds specification. */
283 static const char sha256_rounds_prefix[] = "rounds=";
285 /* Maximum salt string length. */
286 #define SALT_LEN_MAX 16
287 /* Default number of rounds if not explicitly specified. */
288 #define ROUNDS_DEFAULT 5000
289 /* Minimum number of rounds. */
290 #define ROUNDS_MIN 1000
291 /* Maximum number of rounds. */
292 #define ROUNDS_MAX 999999999
294 /* Table with characters for base64 transformation. */
295 static const char b64t[64] =
296 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
300 crypt_sha256_r (const char *key, const char *salt, char *buffer, int buflen)
302 unsigned char alt_result[32]
303 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
304 unsigned char temp_result[32]
305 __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
306 struct sha256_ctx ctx;
307 struct sha256_ctx alt_ctx;
312 char *copied_key = NULL;
313 char *copied_salt = NULL;
316 /* Default number of rounds. */
317 size_t rounds = ROUNDS_DEFAULT;
318 bool rounds_custom = false;
320 /* Find beginning of salt string. The prefix should normally always
321 be present. Just in case it is not. */
322 if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
323 /* Skip salt prefix. */
324 salt += sizeof (sha256_salt_prefix) - 1;
326 if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
329 const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
331 unsigned long int srounds = strtoul (num, &endp, 10);
335 rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
336 rounds_custom = true;
340 salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
341 key_len = strlen (key);
343 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
345 char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
347 memcpy (tmp + __alignof__ (uint32_t)
348 - (tmp - (char *) 0) % __alignof__ (uint32_t),
352 if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
354 char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
356 memcpy (tmp + __alignof__ (uint32_t)
357 - (tmp - (char *) 0) % __alignof__ (uint32_t),
361 /* Prepare for the real work. */
362 __crypt__sha256_init_ctx (&ctx);
364 /* Add the key string. */
365 __crypt__sha256_process_bytes (key, key_len, &ctx);
367 /* The last part is the salt string. This must be at most 16
368 characters and it ends at the first `$' character (for
369 compatibility with existing implementations). */
370 __crypt__sha256_process_bytes (salt, salt_len, &ctx);
373 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
374 final result will be added to the first context. */
375 __crypt__sha256_init_ctx (&alt_ctx);
378 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
381 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
384 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
386 /* Now get result of this (32 bytes) and add it to the other
388 __crypt__sha256_finish_ctx (&alt_ctx, alt_result);
390 /* Add for any character in the key one byte of the alternate sum. */
391 for (cnt = key_len; cnt > 32; cnt -= 32)
392 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
393 __crypt__sha256_process_bytes (alt_result, cnt, &ctx);
395 /* Take the binary representation of the length of the key and for every
396 1 add the alternate sum, for every 0 the key. */
397 for (cnt = key_len; cnt > 0; cnt >>= 1)
399 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
401 __crypt__sha256_process_bytes (key, key_len, &ctx);
403 /* Create intermediate result. */
404 __crypt__sha256_finish_ctx (&ctx, alt_result);
406 /* Start computation of P byte sequence. */
407 __crypt__sha256_init_ctx (&alt_ctx);
409 /* For every character in the password add the entire password. */
410 for (cnt = 0; cnt < key_len; ++cnt)
411 __crypt__sha256_process_bytes (key, key_len, &alt_ctx);
413 /* Finish the digest. */
414 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
416 /* Create byte sequence P. */
417 cp = p_bytes = alloca (key_len);
418 for (cnt = key_len; cnt >= 32; cnt -= 32)
419 cp = mempcpy (cp, temp_result, 32);
420 memcpy (cp, temp_result, cnt);
422 /* Start computation of S byte sequence. */
423 __crypt__sha256_init_ctx (&alt_ctx);
425 /* For every character in the password add the entire password. */
426 for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
427 __crypt__sha256_process_bytes (salt, salt_len, &alt_ctx);
429 /* Finish the digest. */
430 __crypt__sha256_finish_ctx (&alt_ctx, temp_result);
432 /* Create byte sequence S. */
433 cp = s_bytes = alloca (salt_len);
434 for (cnt = salt_len; cnt >= 32; cnt -= 32)
435 cp = mempcpy (cp, temp_result, 32);
436 memcpy (cp, temp_result, cnt);
438 /* Repeatedly run the collected hash value through SHA256 to burn
440 for (cnt = 0; cnt < rounds; ++cnt)
443 __crypt__sha256_init_ctx (&ctx);
445 /* Add key or last result. */
447 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
449 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
451 /* Add salt for numbers not divisible by 3. */
453 __crypt__sha256_process_bytes (s_bytes, salt_len, &ctx);
455 /* Add key for numbers not divisible by 7. */
457 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
459 /* Add key or last result. */
461 __crypt__sha256_process_bytes (alt_result, 32, &ctx);
463 __crypt__sha256_process_bytes (p_bytes, key_len, &ctx);
465 /* Create intermediate result. */
466 __crypt__sha256_finish_ctx (&ctx, alt_result);
469 /* Now we can construct the result string. It consists of three
471 cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
472 buflen -= sizeof (sha256_salt_prefix) - 1;
476 int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
477 sha256_rounds_prefix, rounds);
482 cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
483 buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
491 #define b64_from_24bit(B2, B1, B0, N) \
493 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
495 while (n-- > 0 && buflen > 0) \
497 *cp++ = b64t[w & 0x3f]; \
503 b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
504 b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
505 b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
506 b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
507 b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
508 b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
509 b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
510 b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
511 b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
512 b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
513 b64_from_24bit (0, alt_result[31], alt_result[30], 3);
520 *cp = '\0'; /* Terminate the string. */
522 /* Clear the buffer for the intermediate result so that people
523 attaching to processes or reading core dumps cannot get any
524 information. We do it in this way to clear correct_words[]
525 inside the SHA256 implementation as well. */
526 __crypt__sha256_init_ctx (&ctx);
527 __crypt__sha256_finish_ctx (&ctx, alt_result);
528 memset (temp_result, '\0', sizeof (temp_result));
529 memset (p_bytes, '\0', key_len);
530 memset (s_bytes, '\0', salt_len);
531 memset (&ctx, '\0', sizeof (ctx));
532 memset (&alt_ctx, '\0', sizeof (alt_ctx));
533 if (copied_key != NULL)
534 memset (copied_key, '\0', key_len);
535 if (copied_salt != NULL)
536 memset (copied_salt, '\0', salt_len);
542 /* This entry point is equivalent to the `crypt' function in Unix
545 crypt_sha256 (const char *key, const char *salt)
547 /* We don't want to have an arbitrary limit in the size of the
548 password. We can compute an upper bound for the size of the
549 result in advance and so we can prepare the buffer we pass to
553 int needed = (sizeof (sha256_salt_prefix) - 1
554 + sizeof (sha256_rounds_prefix) + 9 + 1
555 + strlen (salt) + 1 + 43 + 1);
559 char *new_buffer = (char *) realloc (buffer, needed);
560 if (new_buffer == NULL)
567 return crypt_sha256_r (key, salt, buffer, buflen);
575 const char result[32];
578 /* Test vectors from FIPS 180-2: appendix B.1. */
580 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
581 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
582 /* Test vectors from FIPS 180-2: appendix B.2. */
583 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
584 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
585 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
586 /* Test vectors from the NESSIE project. */
588 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
589 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
591 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
592 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
594 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
595 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
596 { "abcdefghijklmnopqrstuvwxyz",
597 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
598 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
599 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
600 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
601 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
602 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
603 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
604 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
605 { "123456789012345678901234567890123456789012345678901234567890"
606 "12345678901234567890",
607 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
608 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
610 #define ntests (NELEM(tests))
617 const char *expected;
620 { "$5$saltstring", "Hello world!",
621 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
622 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
623 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
625 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
626 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
628 { "$5$rounds=1400$anotherlongsaltstring",
629 "a very much longer text to encrypt. This one even stretches over more"
631 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
633 { "$5$rounds=77777$short",
634 "we have a short salt string but not a short password",
635 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
636 { "$5$rounds=123456$asaltof16chars..", "a short string",
637 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
639 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
640 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
643 #define ntests2 (NELEM(tests2))
649 struct sha256_ctx ctx;
654 for (cnt = 0; cnt < (int) ntests; ++cnt)
656 __crypt__sha256_init_ctx (&ctx);
657 __crypt__sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
658 __crypt__sha256_finish_ctx (&ctx, sum);
659 if (memcmp (tests[cnt].result, sum, 32) != 0)
661 printf ("test %d run %d failed\n", cnt, 1);
665 __crypt__sha256_init_ctx (&ctx);
666 for (int i = 0; tests[cnt].input[i] != '\0'; ++i)
667 __crypt__sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
668 __crypt__sha256_finish_ctx (&ctx, sum);
669 if (memcmp (tests[cnt].result, sum, 32) != 0)
671 printf ("test %d run %d failed\n", cnt, 2);
676 /* Test vector from FIPS 180-2: appendix B.3. */
678 memset (buf, 'a', sizeof (buf));
679 __crypt__sha256_init_ctx (&ctx);
680 for (int i = 0; i < 1000; ++i)
681 __crypt__sha256_process_bytes (buf, sizeof (buf), &ctx);
682 __crypt__sha256_finish_ctx (&ctx, sum);
683 static const char expected[32] =
684 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
685 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
686 if (memcmp (expected, sum, 32) != 0)
688 printf ("test %d failed\n", cnt);
692 for (cnt = 0; cnt < ntests2; ++cnt)
694 char *cp = crypt_sha256 (tests2[cnt].input, tests2[cnt].salt);
696 if (strcmp (cp, tests2[cnt].expected) != 0)
698 printf ("test %d: expected \"%s\", got \"%s\"\n",
699 cnt, tests2[cnt].expected, cp);
705 puts ("all tests OK");