1/* SHA256-based Unix crypt implementation.
2 Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. */
3/* Windows VC++ port by Pierre Joye <pierre@php.net> */
4
5#include "php.h"
6#include "php_main.h"
7
8#include <errno.h>
9#include <limits.h>
10
11#ifdef PHP_WIN32
12# define __alignof__ __alignof
13# define alloca _alloca
14#else
15# ifndef HAVE_ALIGNOF
16# include <stddef.h>
17# define __alignof__(type) offsetof (struct { char c; type member;}, member)
18# endif
19# if HAVE_ATTRIBUTE_ALIGNED
20# define ALIGNED(size) __attribute__ ((__aligned__ (size)))
21# else
22# define ALIGNED(size)
23# endif
24#endif
25
26#include <stdio.h>
27#include <stdlib.h>
28
29#ifdef PHP_WIN32
30# include <string.h>
31#else
32# include <sys/param.h>
33# include <sys/types.h>
34# if HAVE_STRING_H
35# include <string.h>
36# else
37# include <strings.h>
38# endif
39#endif
40
41char * __php_stpncpy(char *dst, const char *src, size_t len)
42{
43 size_t n = strlen(src);
44 if (n > len) {
45 n = len;
46 }
47 return strncpy(dst, src, len) + n;
48}
49
50void * __php_mempcpy(void * dst, const void * src, size_t len)
51{
52 return (((char *)memcpy(dst, src, len)) + len);
53}
54
55#ifndef MIN
56# define MIN(a, b) (((a) < (b)) ? (a) : (b))
57#endif
58#ifndef MAX
59# define MAX(a, b) (((a) > (b)) ? (a) : (b))
60#endif
61
62/* Structure to save state of computation between the single steps. */
63struct sha256_ctx {
64 uint32_t H[8];
65
66 uint32_t total[2];
67 uint32_t buflen;
68 char buffer[128]; /* NB: always correctly aligned for uint32_t. */
69};
70
71#if PHP_WIN32 || (!defined(WORDS_BIGENDIAN))
72# define SWAP(n) \
73 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
74#else
75# define SWAP(n) (n)
76#endif
77
78/* This array contains the bytes used to pad the buffer to the next
79 64-byte boundary. (FIPS 180-2:5.1.1) */
80static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
81
82
83/* Constants for SHA256 from FIPS 180-2:4.2.2. */
84static const uint32_t K[64] = {
85 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
86 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
87 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
88 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
89 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
90 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
91 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
92 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
93 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
94 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
95 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
96 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
97 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
98 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
99 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
100 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
101};
102
103
104/* Process LEN bytes of BUFFER, accumulating context into CTX.
105 It is assumed that LEN % 64 == 0. */
106static void sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx) {
107 const uint32_t *words = buffer;
108 size_t nwords = len / sizeof (uint32_t);
109 unsigned int t;
110
111 uint32_t a = ctx->H[0];
112 uint32_t b = ctx->H[1];
113 uint32_t c = ctx->H[2];
114 uint32_t d = ctx->H[3];
115 uint32_t e = ctx->H[4];
116 uint32_t f = ctx->H[5];
117 uint32_t g = ctx->H[6];
118 uint32_t h = ctx->H[7];
119
120 /* First increment the byte count. FIPS 180-2 specifies the possible
121 length of the file up to 2^64 bits. Here we only compute the
122 number of bytes. Do a double word increment. */
123 ctx->total[0] += len;
124 if (ctx->total[0] < len) {
125 ++ctx->total[1];
126 }
127
128 /* Process all bytes in the buffer with 64 bytes in each round of
129 the loop. */
130 while (nwords > 0) {
131 uint32_t W[64];
132 uint32_t a_save = a;
133 uint32_t b_save = b;
134 uint32_t c_save = c;
135 uint32_t d_save = d;
136 uint32_t e_save = e;
137 uint32_t f_save = f;
138 uint32_t g_save = g;
139 uint32_t h_save = h;
140
141 /* Operators defined in FIPS 180-2:4.1.2. */
142#define Ch(x, y, z) ((x & y) ^ (~x & z))
143#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
144#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
145#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
146#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
147#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
148
149 /* It is unfortunate that C does not provide an operator for
150 cyclic rotation. Hope the C compiler is smart enough. */
151#define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
152
153 /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2. */
154 for (t = 0; t < 16; ++t) {
155 W[t] = SWAP (*words);
156 ++words;
157 }
158 for (t = 16; t < 64; ++t)
159 W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
160
161 /* The actual computation according to FIPS 180-2:6.2.2 step 3. */
162 for (t = 0; t < 64; ++t) {
163 uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
164 uint32_t T2 = S0 (a) + Maj (a, b, c);
165 h = g;
166 g = f;
167 f = e;
168 e = d + T1;
169 d = c;
170 c = b;
171 b = a;
172 a = T1 + T2;
173 }
174
175 /* Add the starting values of the context according to FIPS 180-2:6.2.2
176 step 4. */
177 a += a_save;
178 b += b_save;
179 c += c_save;
180 d += d_save;
181 e += e_save;
182 f += f_save;
183 g += g_save;
184 h += h_save;
185
186 /* Prepare for the next round. */
187 nwords -= 16;
188 }
189
190 /* Put checksum in context given as argument. */
191 ctx->H[0] = a;
192 ctx->H[1] = b;
193 ctx->H[2] = c;
194 ctx->H[3] = d;
195 ctx->H[4] = e;
196 ctx->H[5] = f;
197 ctx->H[6] = g;
198 ctx->H[7] = h;
199}
200
201
202/* Initialize structure containing state of computation.
203 (FIPS 180-2:5.3.2) */
204static void sha256_init_ctx(struct sha256_ctx *ctx) {
205 ctx->H[0] = 0x6a09e667;
206 ctx->H[1] = 0xbb67ae85;
207 ctx->H[2] = 0x3c6ef372;
208 ctx->H[3] = 0xa54ff53a;
209 ctx->H[4] = 0x510e527f;
210 ctx->H[5] = 0x9b05688c;
211 ctx->H[6] = 0x1f83d9ab;
212 ctx->H[7] = 0x5be0cd19;
213
214 ctx->total[0] = ctx->total[1] = 0;
215 ctx->buflen = 0;
216}
217
218
219/* Process the remaining bytes in the internal buffer and the usual
220 prolog according to the standard and write the result to RESBUF.
221
222 IMPORTANT: On some systems it is required that RESBUF is correctly
223 aligned for a 32 bits value. */
224static void * sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) {
225 /* Take yet unprocessed bytes into account. */
226 uint32_t bytes = ctx->buflen;
227 size_t pad;
228 unsigned int i;
229
230 /* Now count remaining bytes. */
231 ctx->total[0] += bytes;
232 if (ctx->total[0] < bytes) {
233 ++ctx->total[1];
234 }
235
236 pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
237 memcpy(&ctx->buffer[bytes], fillbuf, pad);
238
239 /* Put the 64-bit file length in *bits* at the end of the buffer. */
240 *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
241 *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
242 (ctx->total[0] >> 29));
243
244 /* Process last bytes. */
245 sha256_process_block(ctx->buffer, bytes + pad + 8, ctx);
246
247 /* Put result from CTX in first 32 bytes following RESBUF. */
248 for (i = 0; i < 8; ++i) {
249 ((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
250 }
251
252 return resbuf;
253}
254
255
256static void sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) {
257 /* When we already have some bits in our internal buffer concatenate
258 both inputs first. */
259 if (ctx->buflen != 0) {
260 size_t left_over = ctx->buflen;
261 size_t add = 128 - left_over > len ? len : 128 - left_over;
262
263 memcpy(&ctx->buffer[left_over], buffer, add);
264 ctx->buflen += add;
265
266 if (ctx->buflen > 64) {
267 sha256_process_block(ctx->buffer, ctx->buflen & ~63, ctx);
268 ctx->buflen &= 63;
269 /* The regions in the following copy operation cannot overlap. */
270 memcpy(ctx->buffer, &ctx->buffer[(left_over + add) & ~63], ctx->buflen);
271 }
272
273 buffer = (const char *) buffer + add;
274 len -= add;
275 }
276
277 /* Process available complete blocks. */
278 if (len >= 64) {
279/* To check alignment gcc has an appropriate operator. Other
280compilers don't. */
281#if __GNUC__ >= 2
282# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
283#else
284# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
285#endif
286 if (UNALIGNED_P (buffer))
287 while (len > 64) {
288 sha256_process_block(memcpy(ctx->buffer, buffer, 64), 64, ctx);
289 buffer = (const char *) buffer + 64;
290 len -= 64;
291 } else {
292 sha256_process_block(buffer, len & ~63, ctx);
293 buffer = (const char *) buffer + (len & ~63);
294 len &= 63;
295 }
296 }
297
298 /* Move remaining bytes into internal buffer. */
299 if (len > 0) {
300 size_t left_over = ctx->buflen;
301
302 memcpy(&ctx->buffer[left_over], buffer, len);
303 left_over += len;
304 if (left_over >= 64) {
305 sha256_process_block(ctx->buffer, 64, ctx);
306 left_over -= 64;
307 memcpy(ctx->buffer, &ctx->buffer[64], left_over);
308 }
309 ctx->buflen = left_over;
310 }
311}
312
313
314/* Define our magic string to mark salt for SHA256 "encryption"
315 replacement. */
316static const char sha256_salt_prefix[] = "$5$";
317
318/* Prefix for optional rounds specification. */
319static const char sha256_rounds_prefix[] = "rounds=";
320
321/* Maximum salt string length. */
322#define SALT_LEN_MAX 16
323/* Default number of rounds if not explicitly specified. */
324#define ROUNDS_DEFAULT 5000
325/* Minimum number of rounds. */
326#define ROUNDS_MIN 1000
327/* Maximum number of rounds. */
328#define ROUNDS_MAX 999999999
329
330/* Table with characters for base64 transformation. */
331static const char b64t[64] =
332"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
333
334char * php_sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
335{
336#ifdef PHP_WIN32
337# if _MSC <= 1300
338# pragma pack(push, 16)
339 unsigned char alt_result[32];
340 unsigned char temp_result[32];
341# pragma pack(pop)
342# else
343 __declspec(align(32)) unsigned char alt_result[32];
344 __declspec(align(32)) unsigned char temp_result[32];
345# endif
346#else
347 unsigned char alt_result[32] ALIGNED(__alignof__ (uint32_t));
348 unsigned char temp_result[32] ALIGNED(__alignof__ (uint32_t));
349#endif
350
351 struct sha256_ctx ctx;
352 struct sha256_ctx alt_ctx;
353 size_t salt_len;
354 size_t key_len;
355 size_t cnt;
356 char *cp;
357 char *copied_key = NULL;
358 char *copied_salt = NULL;
359 char *p_bytes;
360 char *s_bytes;
361 /* Default number of rounds. */
362 size_t rounds = ROUNDS_DEFAULT;
363 zend_bool rounds_custom = 0;
364
365 /* Find beginning of salt string. The prefix should normally always
366 be present. Just in case it is not. */
367 if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0) {
368 /* Skip salt prefix. */
369 salt += sizeof(sha256_salt_prefix) - 1;
370 }
371
372 if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1) == 0) {
373 const char *num = salt + sizeof(sha256_rounds_prefix) - 1;
374 char *endp;
375 unsigned long int srounds = strtoul(num, &endp, 10);
376 if (*endp == '$') {
377 salt = endp + 1;
378 rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
379 rounds_custom = 1;
380 }
381 }
382
383 salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
384 key_len = strlen(key);
385
386 if ((key - (char *) 0) % __alignof__ (uint32_t) != 0) {
387 char *tmp = (char *) alloca(key_len + __alignof__(uint32_t));
388 key = copied_key = memcpy(tmp + __alignof__(uint32_t) - (tmp - (char *) 0) % __alignof__(uint32_t), key, key_len);
389 }
390
391 if ((salt - (char *) 0) % __alignof__(uint32_t) != 0) {
392 char *tmp = (char *) alloca(salt_len + 1 + __alignof__(uint32_t));
393 salt = copied_salt =
394 memcpy(tmp + __alignof__(uint32_t) - (tmp - (char *) 0) % __alignof__ (uint32_t), salt, salt_len);
395 copied_salt[salt_len] = 0;
396 }
397
398 /* Prepare for the real work. */
399 sha256_init_ctx(&ctx);
400
401 /* Add the key string. */
402 sha256_process_bytes(key, key_len, &ctx);
403
404 /* The last part is the salt string. This must be at most 16
405 characters and it ends at the first `$' character (for
406 compatibility with existing implementations). */
407 sha256_process_bytes(salt, salt_len, &ctx);
408
409
410 /* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
411 final result will be added to the first context. */
412 sha256_init_ctx(&alt_ctx);
413
414 /* Add key. */
415 sha256_process_bytes(key, key_len, &alt_ctx);
416
417 /* Add salt. */
418 sha256_process_bytes(salt, salt_len, &alt_ctx);
419
420 /* Add key again. */
421 sha256_process_bytes(key, key_len, &alt_ctx);
422
423 /* Now get result of this (32 bytes) and add it to the other
424 context. */
425 sha256_finish_ctx(&alt_ctx, alt_result);
426
427 /* Add for any character in the key one byte of the alternate sum. */
428 for (cnt = key_len; cnt > 32; cnt -= 32) {
429 sha256_process_bytes(alt_result, 32, &ctx);
430 }
431 sha256_process_bytes(alt_result, cnt, &ctx);
432
433 /* Take the binary representation of the length of the key and for every
434 1 add the alternate sum, for every 0 the key. */
435 for (cnt = key_len; cnt > 0; cnt >>= 1) {
436 if ((cnt & 1) != 0) {
437 sha256_process_bytes(alt_result, 32, &ctx);
438 } else {
439 sha256_process_bytes(key, key_len, &ctx);
440 }
441 }
442
443 /* Create intermediate result. */
444 sha256_finish_ctx(&ctx, alt_result);
445
446 /* Start computation of P byte sequence. */
447 sha256_init_ctx(&alt_ctx);
448
449 /* For every character in the password add the entire password. */
450 for (cnt = 0; cnt < key_len; ++cnt) {
451 sha256_process_bytes(key, key_len, &alt_ctx);
452 }
453
454 /* Finish the digest. */
455 sha256_finish_ctx(&alt_ctx, temp_result);
456
457 /* Create byte sequence P. */
458 cp = p_bytes = alloca(key_len);
459 for (cnt = key_len; cnt >= 32; cnt -= 32) {
460 cp = __php_mempcpy((void *)cp, (const void *)temp_result, 32);
461 }
462 memcpy(cp, temp_result, cnt);
463
464 /* Start computation of S byte sequence. */
465 sha256_init_ctx(&alt_ctx);
466
467 /* For every character in the password add the entire password. */
468 for (cnt = 0; cnt < (size_t) (16 + alt_result[0]); ++cnt) {
469 sha256_process_bytes(salt, salt_len, &alt_ctx);
470 }
471
472 /* Finish the digest. */
473 sha256_finish_ctx(&alt_ctx, temp_result);
474
475 /* Create byte sequence S. */
476 cp = s_bytes = alloca(salt_len);
477 for (cnt = salt_len; cnt >= 32; cnt -= 32) {
478 cp = __php_mempcpy(cp, temp_result, 32);
479 }
480 memcpy(cp, temp_result, cnt);
481
482 /* Repeatedly run the collected hash value through SHA256 to burn
483 CPU cycles. */
484 for (cnt = 0; cnt < rounds; ++cnt) {
485 /* New context. */
486 sha256_init_ctx(&ctx);
487
488 /* Add key or last result. */
489 if ((cnt & 1) != 0) {
490 sha256_process_bytes(p_bytes, key_len, &ctx);
491 } else {
492 sha256_process_bytes(alt_result, 32, &ctx);
493 }
494
495 /* Add salt for numbers not divisible by 3. */
496 if (cnt % 3 != 0) {
497 sha256_process_bytes(s_bytes, salt_len, &ctx);
498 }
499
500 /* Add key for numbers not divisible by 7. */
501 if (cnt % 7 != 0) {
502 sha256_process_bytes(p_bytes, key_len, &ctx);
503 }
504
505 /* Add key or last result. */
506 if ((cnt & 1) != 0) {
507 sha256_process_bytes(alt_result, 32, &ctx);
508 } else {
509 sha256_process_bytes(p_bytes, key_len, &ctx);
510 }
511
512 /* Create intermediate result. */
513 sha256_finish_ctx(&ctx, alt_result);
514 }
515
516 /* Now we can construct the result string. It consists of three
517 parts. */
518 cp = __php_stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
519 buflen -= sizeof(sha256_salt_prefix) - 1;
520
521 if (rounds_custom) {
522#ifdef PHP_WIN32
523 int n = _snprintf(cp, MAX(0, buflen), "%s%u$", sha256_rounds_prefix, rounds);
524#else
525 int n = snprintf(cp, MAX(0, buflen), "%s%zu$", sha256_rounds_prefix, rounds);
526#endif
527 cp += n;
528 buflen -= n;
529 }
530
531 cp = __php_stpncpy(cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
532 buflen -= MIN((size_t) MAX (0, buflen), salt_len);
533
534 if (buflen > 0) {
535 *cp++ = '$';
536 --buflen;
537 }
538
539#define b64_from_24bit(B2, B1, B0, N) \
540 do { \
541 unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
542 int n = (N); \
543 while (n-- > 0 && buflen > 0) \
544 { \
545 *cp++ = b64t[w & 0x3f]; \
546 --buflen; \
547 w >>= 6; \
548 } \
549 } while (0)
550
551 b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
552 b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
553 b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
554 b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
555 b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
556 b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
557 b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
558 b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
559 b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
560 b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
561 b64_from_24bit(0, alt_result[31], alt_result[30], 3);
562 if (buflen <= 0) {
563 errno = ERANGE;
564 buffer = NULL;
565 } else
566 *cp = '\0'; /* Terminate the string. */
567
568 /* Clear the buffer for the intermediate result so that people
569 attaching to processes or reading core dumps cannot get any
570 information. We do it in this way to clear correct_words[]
571 inside the SHA256 implementation as well. */
572 sha256_init_ctx(&ctx);
573 sha256_finish_ctx(&ctx, alt_result);
574 memset(temp_result, '\0', sizeof(temp_result));
575 memset(p_bytes, '\0', key_len);
576 memset(s_bytes, '\0', salt_len);
577 memset(&ctx, '\0', sizeof(ctx));
578 memset(&alt_ctx, '\0', sizeof(alt_ctx));
579
580 if (copied_key != NULL) {
581 memset(copied_key, '\0', key_len);
582
583 }
584 if (copied_salt != NULL) {
585 memset(copied_salt, '\0', salt_len);
586 }
587
588 return buffer;
589}
590
591
592/* This entry point is equivalent to the `crypt' function in Unix
593 libcs. */
594char * php_sha256_crypt(const char *key, const char *salt)
595{
596 /* We don't want to have an arbitrary limit in the size of the
597 password. We can compute an upper bound for the size of the
598 result in advance and so we can prepare the buffer we pass to
599 `sha256_crypt_r'. */
600 static char *buffer;
601 static int buflen;
602 int needed = (sizeof(sha256_salt_prefix) - 1
603 + sizeof(sha256_rounds_prefix) + 9 + 1
604 + strlen(salt) + 1 + 43 + 1);
605
606 if (buflen < needed) {
607 char *new_buffer = (char *) realloc(buffer, needed);
608 if (new_buffer == NULL) {
609 return NULL;
610 }
611
612 buffer = new_buffer;
613 buflen = needed;
614 }
615
616 return php_sha256_crypt_r(key, salt, buffer, buflen);
617}
618
619
620#ifdef TEST
621static const struct
622{
623 const char *input;
624 const char result[32];
625} tests[] =
626 {
627 /* Test vectors from FIPS 180-2: appendix B.1. */
628 { "abc",
629 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
630 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
631 /* Test vectors from FIPS 180-2: appendix B.2. */
632 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
633 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
634 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
635 /* Test vectors from the NESSIE project. */
636 { "",
637 "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
638 "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
639 { "a",
640 "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
641 "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
642 { "message digest",
643 "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
644 "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
645 { "abcdefghijklmnopqrstuvwxyz",
646 "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
647 "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
648 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
649 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
650 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
651 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
652 "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
653 "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
654 { "123456789012345678901234567890123456789012345678901234567890"
655 "12345678901234567890",
656 "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
657 "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
658 };
659#define ntests (sizeof (tests) / sizeof (tests[0]))
660
661
662static const struct
663{
664 const char *salt;
665 const char *input;
666 const char *expected;
667} tests2[] =
668{
669 { "$5$saltstring", "Hello world!",
670 "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
671 { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
672 "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
673 "opqey6IcA" },
674 { "$5$rounds=5000$toolongsaltstring", "This is just a test",
675 "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
676 "mGRcvxa5" },
677 { "$5$rounds=1400$anotherlongsaltstring",
678 "a very much longer text to encrypt. This one even stretches over more"
679 "than one line.",
680 "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
681 "oP84Bnq1" },
682 { "$5$rounds=77777$short",
683 "we have a short salt string but not a short password",
684 "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
685 { "$5$rounds=123456$asaltof16chars..", "a short string",
686 "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
687 "cZKmF/wJvD" },
688 { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
689 "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
690 "2bIC" },
691};
692#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
693
694
695int main(void) {
696 struct sha256_ctx ctx;
697 char sum[32];
698 int result = 0;
699 int cnt, i;
700 char buf[1000];
701 static const char expected[32] =
702 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
703 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
704
705 for (cnt = 0; cnt < (int) ntests; ++cnt) {
706 sha256_init_ctx(&ctx);
707 sha256_process_bytes(tests[cnt].input, strlen(tests[cnt].input), &ctx);
708 sha256_finish_ctx(&ctx, sum);
709 if (memcmp(tests[cnt].result, sum, 32) != 0) {
710 printf("test %d run %d failed\n", cnt, 1);
711 result = 1;
712 }
713
714 sha256_init_ctx(&ctx);
715 for (i = 0; tests[cnt].input[i] != '\0'; ++i) {
716 sha256_process_bytes(&tests[cnt].input[i], 1, &ctx);
717 }
718 sha256_finish_ctx(&ctx, sum);
719 if (memcmp(tests[cnt].result, sum, 32) != 0) {
720 printf("test %d run %d failed\n", cnt, 2);
721 result = 1;
722 }
723 }
724
725 /* Test vector from FIPS 180-2: appendix B.3. */
726
727 memset(buf, 'a', sizeof(buf));
728 sha256_init_ctx(&ctx);
729 for (i = 0; i < 1000; ++i) {
730 sha256_process_bytes (buf, sizeof (buf), &ctx);
731 }
732
733 sha256_finish_ctx(&ctx, sum);
734
735 if (memcmp(expected, sum, 32) != 0) {
736 printf("test %d failed\n", cnt);
737 result = 1;
738 }
739
740 for (cnt = 0; cnt < ntests2; ++cnt) {
741 char *cp = php_sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
742 if (strcmp(cp, tests2[cnt].expected) != 0) {
743 printf("test %d: expected \"%s\", got \"%s\"\n", cnt, tests2[cnt].expected, cp);
744 result = 1;
745 }
746 }
747
748 if (result == 0)
749 puts("all tests OK");
750
751 return result;
752}
753#endif
754