Changeset 25770 in project


Ignore:
Timestamp:
01/05/12 22:55:43 (9 years ago)
Author:
sjamaan
Message:

crypt: Update bcrypt fallback implementation to upstream (OpenWall?) version 1.2, fixing CVE-2011-2483. We don't (currently) provide access to the old broken implementation via '2x' and '2y' prefixes. We probably should, but that's a whole different can of worms...

Location:
release/4/crypt/trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • release/4/crypt/trunk/crypt.scm

    r22343 r25770  
    9696        ((string-prefix? "$1$" str) 'md5)
    9797        ((string-prefix? "$sha1$" str) 'sha1)
    98         ;; These are just stupid
     98        ;; These are just stupid. The APR and openwall things should probably
     99        ;; be exposed somehow so that the user can force the implementation.
     100        ;; OTOH, we already override 2a to mean 2y when using OpenWall so we
     101        ;; can correctly read blowfish crypted passwords from the BSD version.
     102        ;; WHAT AN INCREDIBLE FUCKING MESS!
    99103        ((string-prefix? "$apr1$" str) 'md5-apr)
    100104        ((string-prefix? "{SHA}" str) 'sha1-apr)
    101105        ((string-prefix? "$P$" str) 'phpass)
    102106        ((string-prefix? "$H$" str) 'phpass-bbforum)
     107        ((string-prefix? "$2x$" str) 'blowfish-from-known-buggy-openwall-version)
     108        ((string-prefix? "$2y$" str) 'blowfish-from-known-correct-openwall-version)
    103109        ;; The following two are not supported (and probably never will be)
    104110        ;; but they are here for completeness.  NTLM doesn't use salts(!)
  • release/4/crypt/trunk/implementations/blowfish/common_blowfish.c

    r22216 r25770  
    88
    99typedef unsigned int BF_word;
     10typedef signed int BF_word_signed;
    1011
    1112static unsigned char BF_itoa64[64 + 1] =
     
    1415static void BF_encode(char *dst, const BF_word *src, int size)
    1516{
    16         unsigned char *sptr = (unsigned char *)src;
    17         unsigned char *end = sptr + size;
     17        const unsigned char *sptr = (const unsigned char *)src;
     18        const unsigned char *end = sptr + size;
    1819        unsigned char *dptr = (unsigned char *)dst;
    1920        unsigned int c1, c2;
  • release/4/crypt/trunk/implementations/blowfish/crypt_blowfish.c

    r22254 r25770  
    11/*
     2 * The crypt_blowfish homepage is:
     3 *
     4 *      http://www.openwall.com/crypt/
     5 *
    26 * This code comes from John the Ripper password cracker, with reentrant
    37 * and crypt(3) interfaces added, but optimizations specific to password
    48 * cracking removed.
    59 *
    6  * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
    7  * placed in the public domain.
    8  *
    9  * There's absolutely no warranty.
     10 * Written by Solar Designer <solar at openwall.com> in 1998-2011.
     11 * No copyright is claimed, and the software is hereby placed in the public
     12 * domain.  In case this attempt to disclaim copyright and place the software
     13 * in the public domain is deemed null and void, then the software is
     14 * Copyright (c) 1998-2011 Solar Designer and it is hereby released to the
     15 * general public under the following terms:
     16 *
     17 * Redistribution and use in source and binary forms, with or without
     18 * modification, are permitted.
     19 *
     20 * There's ABSOLUTELY NO WARRANTY, express or implied.
    1021 *
    1122 * It is my intent that you should be able to use this on your system,
    12  * as a part of a software package, or anywhere else to improve security,
     23 * as part of a software package, or anywhere else to improve security,
    1324 * ensure compatibility, or for any other purpose.  I would appreciate
    1425 * it if you give credit where it is due and keep your modifications in
     
    1728 * of your choice.
    1829 *
    19  * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
    20  * by Niels Provos <provos at citi.umich.edu>, and uses some of his
     30 * This implementation is mostly compatible with OpenBSD's bcrypt.c (prefix
     31 * "$2a$") by Niels Provos <provos at citi.umich.edu>, and uses some of his
    2132 * ideas.  The password hashing algorithm was designed by David Mazieres
    22  * <dm at lcs.mit.edu>.
     33 * <dm at lcs.mit.edu>.  For more information on the level of compatibility,
     34 * prefer refer to the comments in BF_set_key() below and to the included
     35 * crypt(3) man page.
    2336 *
    2437 * There's a paper on the algorithm that explains its design decisions:
     
    3043 * hadn't seen his code).
    3144 *
     45 *
     46 * This is based on crypt_blowfish 1.2
    3247 * Chicken egg changes:
    3348 * - Got rid of __CONST; Chicken requires a C compiler
    3449 *    that understands the "const" keyword anyway (>= C89).
    35  * - Split up common stuff into common_blowfish.c (a bit hacky)
     50 * - Put stuff that's also used in gensalt into common_blowfish.c (a bit hacky)
     51 * - Rip out assembly support for simplicity, portability and compactness
     52 * - Don't unneccessarily add a \0 at the end of the output
     53 *    (needed to hack self-test because of this, too)
     54 * - Rip out the "safety" feature when passed "2a" as type.  We assume
     55 *    the hashes were generated with a correct algorithm (either the BSD
     56 *    implementation or the new version of the crypt egg - it's not that
     57 *    old and we don't have a lot of users so the chances are bigger
     58 *    that someone's trying to check a proper hash than a buggy one).
    3659 */
    3760
     
    353376};
    354377
    355 /*
    356  * This may be optimized out if built with function inlining and no BF_ASM.
    357  */
    358 static void clean(void *data, int size)
    359 {
    360 #if BF_ASM
    361         extern void _BF_clean(void *data);
    362 #endif
    363         memset(data, 0, size);
    364 #if BF_ASM
    365         _BF_clean(data);
    366 #endif
    367 }
    368 
    369378#define BF_safe_atoi64(dst, src) \
    370379{ \
     
    380389        unsigned char *dptr = (unsigned char *)dst;
    381390        unsigned char *end = dptr + size;
    382         unsigned char *sptr = (unsigned char *)src;
     391        const unsigned char *sptr = (const unsigned char *)src;
    383392        unsigned int tmp, c1, c2, c3, c4;
    384393
     
    502511#endif
    503512
    504 static void BF_set_key(const char *key, BF_key expanded, BF_key initial)
     513static void BF_set_key(const char *key, BF_key expanded, BF_key initial,
     514    unsigned char flags)
    505515{
    506516        const char *ptr = key;
    507         int i, j;
    508         BF_word tmp;
     517        unsigned int bug, i, j;
     518        BF_word safety, sign, diff, tmp[2];
     519
     520/*
     521 * There was a sign extension bug in older revisions of this function.  While
     522 * we would have liked to simply fix the bug and move on, we have to provide
     523 * a backwards compatibility feature (essentially the bug) for some systems and
     524 * a safety measure for some others.  The latter is needed because for certain
     525 * multiple inputs to the buggy algorithm there exist easily found inputs to
     526 * the correct algorithm that produce the same hash.  Thus, we optionally
     527 * deviate from the correct algorithm just enough to avoid such collisions.
     528 * While the bug itself affected the majority of passwords containing
     529 * characters with the 8th bit set (although only a percentage of those in a
     530 * collision-producing way), the anti-collision safety measure affects
     531 * only a subset of passwords containing the '\xff' character (not even all of
     532 * those passwords, just some of them).  This character is not found in valid
     533 * UTF-8 sequences and is rarely used in popular 8-bit character encodings.
     534 * Thus, the safety measure is unlikely to cause much annoyance, and is a
     535 * reasonable tradeoff to use when authenticating against existing hashes that
     536 * are not reliably known to have been computed with the correct algorithm.
     537 *
     538 * We use an approach that tries to minimize side-channel leaks of password
     539 * information - that is, we mostly use fixed-cost bitwise operations instead
     540 * of branches or table lookups.  (One conditional branch based on password
     541 * length remains.  It is not part of the bug aftermath, though, and is
     542 * difficult and possibly unreasonable to avoid given the use of C strings by
     543 * the caller, which results in similar timing leaks anyway.)
     544 *
     545 * For actual implementation, we set an array index in the variable "bug"
     546 * (0 means no bug, 1 means sign extension bug emulation) and a flag in the
     547 * variable "safety" (bit 16 is set when the safety measure is requested).
     548 * Valid combinations of settings are:
     549 *
     550 * Prefix "$2a$": bug = 0, safety = 0x10000
     551 * Prefix "$2x$": bug = 1, safety = 0
     552 * Prefix "$2y$": bug = 0, safety = 0
     553 */
     554        bug = (unsigned int)flags & 1;
     555        safety = ((BF_word)flags & 2) << 15;
     556
     557        sign = diff = 0;
    509558
    510559        for (i = 0; i < BF_N + 2; i++) {
    511                 tmp = 0;
     560                tmp[0] = tmp[1] = 0;
    512561                for (j = 0; j < 4; j++) {
    513                         tmp <<= 8;
    514                         tmp |= *ptr;
    515 
    516                         if (!*ptr) ptr = key; else ptr++;
     562                        tmp[0] <<= 8;
     563                        tmp[0] |= (unsigned char)*ptr; /* correct */
     564                        tmp[1] <<= 8;
     565                        tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */
     566/*
     567 * Sign extension in the first char has no effect - nothing to overwrite yet,
     568 * and those extra 24 bits will be fully shifted out of the 32-bit word.  For
     569 * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign
     570 * extension in tmp[1] occurs.  Once this flag is set, it remains set.
     571 */
     572                        if (j)
     573                                sign |= tmp[1] & 0x80;
     574                        if (!*ptr)
     575                                ptr = key;
     576                        else
     577                                ptr++;
    517578                }
    518 
    519                 expanded[i] = tmp;
    520                 initial[i] = BF_init_state.P[i] ^ tmp;
     579                diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */
     580
     581                expanded[i] = tmp[bug];
     582                initial[i] = BF_init_state.P[i] ^ tmp[bug];
    521583        }
     584
     585/*
     586 * At this point, "diff" is zero iff the correct and buggy algorithms produced
     587 * exactly the same result.  If so and if "sign" is non-zero, which indicates
     588 * that there was a non-benign sign extension, this means that we have a
     589 * collision between the correctly computed hash for this password and a set of
     590 * passwords that could be supplied to the buggy algorithm.  Our safety measure
     591 * is meant to protect from such many-buggy to one-correct collisions, by
     592 * deviating from the correct algorithm in such cases.  Let's check for this.
     593 */
     594        diff |= diff >> 16; /* still zero iff exact match */
     595        diff &= 0xffff; /* ditto */
     596        diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */
     597        sign <<= 9; /* move the non-benign sign extension flag to bit 16 */
     598        sign &= ~diff & safety; /* action needed? */
     599
     600/*
     601 * If we have determined that we need to deviate from the correct algorithm,
     602 * flip bit 16 in initial expanded key.  (The choice of 16 is arbitrary, but
     603 * let's stick to it now.  It came out of the approach we used above, and it's
     604 * not any worse than any other choice we could make.)
     605 *
     606 * It is crucial that we don't do the same to the expanded key used in the main
     607 * Eksblowfish loop.  By doing it to only one of these two, we deviate from a
     608 * state that could be directly specified by a password to the buggy algorithm
     609 * (and to the fully correct one as well, but that's a side-effect).
     610 */
     611        initial[0] ^= sign;
    522612}
    523613
    524 static char *_crypt_blowfish_rn(const char *key, const char *setting,
    525         char *output, int size)
     614static char *BF_crypt(const char *key, const char *setting,
     615        char *output, int size,
     616        BF_word min)
    526617{
    527618#if BF_ASM
    528619        extern void _BF_body_r(BF_ctx *ctx);
    529620#endif
     621        static const unsigned char flags_by_subtype[26] =
     622                /* HACKED FOR CHICKEN: Prefer compatibility with OpenBSD */
     623                {/*2*/ 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     624                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0};
    530625        struct {
    531626                BF_ctx ctx;
     
    542637        int i;
    543638
    544         if (size < 7 + 22 + 31 /*+ 1 */) {
     639        if (size < 7 + 22 + 31 /*+ 1*/) {
    545640                __set_errno(ERANGE);
    546641                return NULL;
     
    549644        if (setting[0] != '$' ||
    550645            setting[1] != '2' ||
    551             setting[2] != 'a' ||
     646            setting[2] < 'a' || setting[2] > 'z' ||
     647            !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] ||
    552648            setting[3] != '$' ||
    553649            setting[4] < '0' || setting[4] > '3' ||
     
    560656
    561657        count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
    562         if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
    563                 clean(data.binary.salt, sizeof(data.binary.salt));
     658        if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
    564659                __set_errno(EINVAL);
    565660                return NULL;
     
    567662        BF_swap(data.binary.salt, 4);
    568663
    569         BF_set_key(key, data.expanded_key, data.ctx.P);
     664        BF_set_key(key, data.expanded_key, data.ctx.P,
     665            flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']);
    570666
    571667        memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
     
    597693
    598694        do {
    599                 data.ctx.P[0] ^= data.expanded_key[0];
    600                 data.ctx.P[1] ^= data.expanded_key[1];
    601                 data.ctx.P[2] ^= data.expanded_key[2];
    602                 data.ctx.P[3] ^= data.expanded_key[3];
    603                 data.ctx.P[4] ^= data.expanded_key[4];
    604                 data.ctx.P[5] ^= data.expanded_key[5];
    605                 data.ctx.P[6] ^= data.expanded_key[6];
    606                 data.ctx.P[7] ^= data.expanded_key[7];
    607                 data.ctx.P[8] ^= data.expanded_key[8];
    608                 data.ctx.P[9] ^= data.expanded_key[9];
    609                 data.ctx.P[10] ^= data.expanded_key[10];
    610                 data.ctx.P[11] ^= data.expanded_key[11];
    611                 data.ctx.P[12] ^= data.expanded_key[12];
    612                 data.ctx.P[13] ^= data.expanded_key[13];
    613                 data.ctx.P[14] ^= data.expanded_key[14];
    614                 data.ctx.P[15] ^= data.expanded_key[15];
    615                 data.ctx.P[16] ^= data.expanded_key[16];
    616                 data.ctx.P[17] ^= data.expanded_key[17];
    617 
    618                 BF_body();
    619 
    620                 tmp1 = data.binary.salt[0];
    621                 tmp2 = data.binary.salt[1];
    622                 tmp3 = data.binary.salt[2];
    623                 tmp4 = data.binary.salt[3];
    624                 data.ctx.P[0] ^= tmp1;
    625                 data.ctx.P[1] ^= tmp2;
    626                 data.ctx.P[2] ^= tmp3;
    627                 data.ctx.P[3] ^= tmp4;
    628                 data.ctx.P[4] ^= tmp1;
    629                 data.ctx.P[5] ^= tmp2;
    630                 data.ctx.P[6] ^= tmp3;
    631                 data.ctx.P[7] ^= tmp4;
    632                 data.ctx.P[8] ^= tmp1;
    633                 data.ctx.P[9] ^= tmp2;
    634                 data.ctx.P[10] ^= tmp3;
    635                 data.ctx.P[11] ^= tmp4;
    636                 data.ctx.P[12] ^= tmp1;
    637                 data.ctx.P[13] ^= tmp2;
    638                 data.ctx.P[14] ^= tmp3;
    639                 data.ctx.P[15] ^= tmp4;
    640                 data.ctx.P[16] ^= tmp1;
    641                 data.ctx.P[17] ^= tmp2;
    642 
    643                 BF_body();
     695                int done;
     696
     697                for (i = 0; i < BF_N + 2; i += 2) {
     698                        data.ctx.P[i] ^= data.expanded_key[i];
     699                        data.ctx.P[i + 1] ^= data.expanded_key[i + 1];
     700                }
     701
     702                done = 0;
     703                do {
     704                        BF_body();
     705                        if (done)
     706                                break;
     707                        done = 1;
     708
     709                        tmp1 = data.binary.salt[0];
     710                        tmp2 = data.binary.salt[1];
     711                        tmp3 = data.binary.salt[2];
     712                        tmp4 = data.binary.salt[3];
     713                        for (i = 0; i < BF_N; i += 4) {
     714                                data.ctx.P[i] ^= tmp1;
     715                                data.ctx.P[i + 1] ^= tmp2;
     716                                data.ctx.P[i + 2] ^= tmp3;
     717                                data.ctx.P[i + 3] ^= tmp4;
     718                        }
     719                        data.ctx.P[16] ^= tmp1;
     720                        data.ctx.P[17] ^= tmp2;
     721                } while (1);
    644722        } while (--count);
    645723
     
    668746        /* output[7 + 22 + 31] = '\0'; */
    669747
    670 /* Overwrite the most obvious sensitive data we have on the stack.  Note
    671  * that this does not guarantee there's no sensitive data left on the
    672  * stack and/or in registers; I'm not aware of portable code that does. */
    673         clean(&data, sizeof(data));
    674 
    675748        return output;
    676749}
     750
     751static int _crypt_output_magic(const char *setting, char *output, int size)
     752{
     753        if (size < 3)
     754                return -1;
     755
     756        output[0] = '*';
     757        output[1] = '0';
     758        output[2] = '\0';
     759
     760        if (setting[0] == '*' && setting[1] == '0')
     761                output[1] = '1';
     762
     763        return 0;
     764}
     765
     766/*
     767 * Please preserve the runtime self-test.  It serves two purposes at once:
     768 *
     769 * 1. We really can't afford the risk of producing incompatible hashes e.g.
     770 * when there's something like gcc bug 26587 again, whereas an application or
     771 * library integrating this code might not also integrate our external tests or
     772 * it might not run them after every build.  Even if it does, the miscompile
     773 * might only occur on the production build, but not on a testing build (such
     774 * as because of different optimization settings).  It is painful to recover
     775 * from incorrectly-computed hashes - merely fixing whatever broke is not
     776 * enough.  Thus, a proactive measure like this self-test is needed.
     777 *
     778 * 2. We don't want to leave sensitive data from our actual password hash
     779 * computation on the stack or in registers.  Previous revisions of the code
     780 * would do explicit cleanups, but simply running the self-test after hash
     781 * computation is more reliable.
     782 *
     783 * The performance cost of this quick self-test is around 0.6% at the "$2a$08"
     784 * setting.
     785 */
     786static char *_crypt_blowfish_rn(const char *key, const char *setting,
     787        char *output, int size)
     788{
     789        const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
     790        const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu";
     791        static const char * const test_hash[2] =
     792                {"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55", /* $2x$ */
     793                "i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55"}; /* $2a$, $2y$ */
     794        char *retval;
     795        char *p;
     796        int save_errno, ok;
     797        struct {
     798                char s[7 + 22 + 1];
     799                char o[7 + 22 + 31 + 1 + 1 + 1];
     800        } buf;
     801
     802/* Hash the supplied password */
     803        _crypt_output_magic(setting, output, size);
     804        retval = BF_crypt(key, setting, output, size, 16);
     805        save_errno = errno;
     806
     807/*
     808 * Do a quick self-test.  It is important that we make both calls to BF_crypt()
     809 * from the same scope such that they likely use the same stack locations,
     810 * which makes the second call overwrite the first call's sensitive data on the
     811 * stack and makes it more likely that any alignment related issues would be
     812 * detected by the self-test.
     813 */
     814        memcpy(buf.s, test_setting, sizeof(buf.s));
     815        if (retval)
     816                buf.s[2] = setting[2];
     817        memset(buf.o, 0x55, sizeof(buf.o));
     818        buf.o[sizeof(buf.o) - 1] = 0;
     819        p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1);
     820
     821        /* Added for Chicken because we don't add the \0 in BF_crypt */
     822        p[sizeof(buf.o) - (1 + 1) - 1] = 0;
     823
     824        ok = (p == buf.o &&
     825            !memcmp(p, buf.s, 7 + 22) &&
     826            !memcmp(p + (7 + 22),
     827            test_hash[(unsigned int)(unsigned char)buf.s[2] & 1],
     828            31 + 1 + 1 + 1));
     829
     830        {
     831                const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345";
     832                BF_key ae, ai, ye, yi;
     833                BF_set_key(k, ae, ai, 2); /* $2a$ */
     834                BF_set_key(k, ye, yi, 4); /* $2y$ */
     835                ai[0] ^= 0x10000; /* undo the safety (for comparison) */
     836                ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 &&
     837                    !memcmp(ae, ye, sizeof(ae)) &&
     838                    !memcmp(ai, yi, sizeof(ai));
     839        }
     840
     841        __set_errno(save_errno);
     842        if (ok)
     843                return retval;
     844
     845/* Should not happen */
     846        _crypt_output_magic(setting, output, size);
     847        __set_errno(EINVAL); /* pretend we don't support this hash type */
     848        return NULL;
     849}
  • release/4/crypt/trunk/tests/run.scm

    r22441 r25770  
    9090                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
    9191                "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui")
    92 
     92    (test-crypt (conc "0123456789abcdefghijklmnopqrstuvwxyz"
     93                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
     94                      "chars after 72 are ignored")
     95                "$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui")
     96
     97    ;; Test data for compatibility with old buggy version of OpenWall bcrypt.
     98    ;; These will only work when using the "fallback" version of bcrypt shipped
     99    ;; with this egg or when the native bcrypt happens to be based on OpenWall.
     100    ;; These are completely broken and you should only uncomment these if you
     101    ;; know what you're doing (we hacked the code so that "2a" is taken to mean
     102    ;; the same thing as "2y", disabling the "security measure" - it is
     103    ;; incompatible with the BSD implementation.  Using 2y to indicate using
     104    ;; the "proper" algorithm was a mistake IMO)
     105    #|
     106    (test-crypt "\xa3"
     107                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")
     108    (test-crypt "\xff\xff\xa3"
     109                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")
     110    (test-crypt "\xff\xff\xa3"
     111                "$2y$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")
     112    (test-crypt "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nqd1wy.pTMdcvrRWxyiGL2eMz.2a85."
     113                "\xff\xff\xa3")
     114    (test-crypt "\xa3"
     115                "$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq")
     116    |#
     117    (test-crypt "\xa3"
     118                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq")
     119    #|
     120    (test-crypt (conc "1\xa3" "345")
     121                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi")
     122    (test-crypt (conc "\xff\xa3" "345")
     123                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi")
     124    (test-crypt (conc "\xff\xa3" "34" "\xff\xff\xff\xa3" "345")
     125                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi")
     126    |#
     127    ;; From the 2y below. This is where our testsuite differs from openwall's
     128    (test-crypt (conc "\xff\xa3" "34" "\xff\xff\xff\xa3" "345")
     129                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi")
     130    #|
     131    (test-crypt (conc "\xff\xa3" "34" "\xff\xff\xff\xa3" "345")
     132                "$2y$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi")
     133    (test-crypt (conc "\xff\xa3" "34" "\xff\xff\xff\xa3" "345")
     134                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.ZC1JEJ8Z4gPfpe1JOr/oyPXTWl9EFd.")
     135    (test-crypt (conc "\xff\xa3" "345")
     136                "$2y$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e")
     137    |#
     138    (test-crypt (conc "\xff\xa3" "345")
     139                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.nRht2l/HRhr6zmCp9vYUvvsqynflf9e")
     140    (test-crypt (conc "\xa3" "ab")
     141                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS")
     142    #|
     143    (test-crypt (conc "\xa3" "ab")
     144                "$2x$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS")
     145    (test-crypt (conc "\xa3" "ab")
     146                "$2y$05$/OK.fbVrR/bpIqNJ5ianF.6IflQkJytoRVc1yuaNtHfiuq.FRlSIS")
     147    (test-crypt "\xd1\x91"
     148                "$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS")
     149    (test-crypt "\xd0\xc1\xd2\xcf\xcc\xd8"
     150                "$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS")
     151    |#
     152    (test-crypt (conc "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     153                      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     154                      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     155                      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     156                      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     157                      "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
     158                      "chars after 72 are ignored as usual")
     159                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6")
     160    (test-crypt (conc "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"
     161                      "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"
     162                      "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"
     163                      "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"
     164                      "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"
     165                      "\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55")
     166                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy")
     167    (test-crypt (conc "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"
     168                      "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"
     169                      "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"
     170                      "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"
     171                      "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"
     172                      "\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff")
     173                "$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe")
     174    (test-crypt ""
     175                "$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")
     176   
    93177    ;; From http://openwall.info/wiki/john/sample-hashes
    94178    (test-crypt "password"
Note: See TracChangeset for help on using the changeset viewer.