From yasu@home.utahime.org  Sat May 31 13:47:52 2008
Return-Path: <yasu@home.utahime.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5C2DB1065674
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 31 May 2008 13:47:52 +0000 (UTC)
	(envelope-from yasu@home.utahime.org)
Received: from utahime.as.wakwak.ne.jp (utahime.as.wakwak.ne.jp [61.205.238.40])
	by mx1.freebsd.org (Postfix) with ESMTP id 4305C8FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 31 May 2008 13:47:50 +0000 (UTC)
	(envelope-from yasu@home.utahime.org)
Received: from eastasia.home.utahime.org (eastasia.home.utahime.org [192.168.174.1])
	by utahime.as.wakwak.ne.jp (Postfix) with ESMTP id 0783917022;
	Sat, 31 May 2008 22:47:50 +0900 (JST)
Received: from eastasia.home.utahime.org (localhost [127.0.0.1])
	by localhost-backdoor.home.utahime.org (Postfix) with ESMTP id 90FBC171BA;
	Sat, 31 May 2008 22:47:49 +0900 (JST)
Received: by eastasia.home.utahime.org (Postfix, from userid 1000)
	id 614DB17162; Sat, 31 May 2008 22:47:49 +0900 (JST)
Message-Id: <20080531134749.614DB17162@eastasia.home.utahime.org>
Date: Sat, 31 May 2008 22:47:49 +0900 (JST)
From: KIMURA Yasuhiro <yasu@utahime.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] Add SHA-256/512 hash algorithm to crypt(3)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         124164
>Category:       misc
>Synopsis:       [patch] Add SHA-256/512 hash algorithm to crypt(3)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 31 13:50:04 UTC 2008
>Closed-Date:    Mon Feb 13 16:57:20 UTC 2012
>Last-Modified:  Mon Feb 13 16:57:20 UTC 2012
>Originator:     KIMURA Yasuhiro
>Release:        FreeBSD 7.0-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD xxxx 7.0-RELEASE-p1 FreeBSD 7.0-RELEASE-p1 #0: Thu Apr 17 10:38:41 JST 2008 xxxx i386


	
>Description:
	

This patch adds SHA-256 and SHA-512 hash algorithms to crypt(3)
function. It is created and tested on 7.0-RELEASE, but should also be
applicable to both 7.0-STABLE and -CURRENT.

1. Background

Ulrich Drepper (drepper@redhat.com) proposed to add SHA-256/512 hash
to crypt(3) function:

http://people.redhat.com/drepper/sha-crypt.html
http://people.redhat.com/drepper/SHA-crypt.txt

The specification includes sample implementaion codes, and they are
put in public domain status. So there is no copyright problem and I
decided to port them to FreeBSD.

2. Porting

The sample codes include 2 functions, shar256_crypt() and
shar512_crypt(). They are compatible with existhing crypt_???()
functions in our libcrypt source code. So porting is straightforward
except following 3 minor problems:

(1) endian.h

On Linux (or on GLIBC) endian.h is put in /usr/include, while it is
put in /usr/include/sys on *BSD. I add #ifdef clause which should work
well both on Linux and *BSD.

(2) variable definition of loop counter inside 'for' statement

In original code there are some 'for' statements such as following:

  for (unsigned int t = 0; t < 64; ++t)
  {
    ....

GCC complains it is not C99 compatible. So I moved variable definition
out of the statement.

(3) Use of some GNU-extended functions

Following 3 GNU-extended functions are used in original code:

- mempcpy()
- stpncpy()
- __stpncpy() (Same as stpncpy())

I changed code so it use memcpy() instead of mempcpy(), and added
function definition of static stpncpy() and __stpncpy() by using
strncpy().

I'm going to feedback these porting problems to the author.

3. Interoperability test

My home network has following NIS server and clients:

server:	   FreeBSD i386 7.0-RELEASE with patch
client #1: FreeBSD i386 7.0-RELEASE with patch
client #2: Debian i386 Unstable (GLIBC 2.7)

I can successfully login into both clients by using SHA-256 or
SHA-512 encoded passwd stored in NIS server. So my porting seems to be
compatible with GLIBC implementation.

4. ToDo

Man page of crypt(3) should be updated. I couldn't do it because I
don't know roff syntax ;-).

>How-To-Repeat:
	
>Fix:

	

--- patch-libcrypt begins here ---
Index: Makefile
===================================================================
RCS file: /usr1/freebsd/cvsroot/src/lib/libcrypt/Makefile,v
retrieving revision 1.39
diff -u -r1.39 Makefile
--- Makefile	21 May 2007 02:49:03 -0000	1.39
+++ Makefile	28 May 2008 22:25:16 -0000
@@ -12,7 +12,8 @@
 .PATH:		${.CURDIR}/../libmd
 SRCS=		crypt.c misc.c \
 		crypt-md5.c md5c.c \
-		crypt-nthash.c md4c.c
+		crypt-nthash.c md4c.c \
+		crypt-sha256.c crypt-sha512.c
 MAN=		crypt.3
 MLINKS=		crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
 CFLAGS+=	-I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
Index: crypt-sha256.c
===================================================================
RCS file: crypt-sha256.c
diff -N crypt-sha256.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ crypt-sha256.c	30 May 2008 21:54:33 -0000
@@ -0,0 +1,754 @@
+/* SHA256-based Unix crypt implementation.
+   Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/param.h>
+#include <sys/types.h>
+
+/* sys/param.h must be included before checking OS and C Library */
+#if defined(__GNU_LIBRARY__)
+/* OS with GNU C Library (Linux or Hurd(?)) */
+#include <endian.h>
+#elif (defined(BSD) && (BSD >= 199306))
+/* 4.4BSD code base or newer */
+#include <sys/endian.h>
+#else
+/* Other OS (such as Solaris or AIX?) */
+#error I don't know what to do.
+#endif
+
+/* Structure to save state of computation between the single steps.  */
+struct sha256_ctx
+{
+  uint32_t H[8];
+
+  uint32_t total[2];
+  uint32_t buflen;
+  char buffer[128];	/* NB: always correctly aligned for uint32_t.  */
+};
+
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+# define SWAP(n) \
+    (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
+#else
+# define SWAP(n) (n)
+#endif
+
+
+/* This array contains the bytes used to pad the buffer to the next
+   64-byte boundary.  (FIPS 180-2:5.1.1)  */
+static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
+
+
+/* Constants for SHA256 from FIPS 180-2:4.2.2.  */
+static const uint32_t K[64] =
+  {
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+  };
+
+#ifndef _GNU_SOURCE
+
+/* stpncpy(3) is GNU extension and not available with non-glibc OS
+   such as *BSD. So define it as static function for them. */
+static char*
+stpncpy(char *dst, const char* src, size_t len)
+{
+  char *p;
+  size_t n;
+
+  strncpy(dst, src, len);
+  n = strlen(src);
+  if (n < len)
+    p = dst + n;
+  else
+    p = dst + len;
+  return p;
+}
+
+#endif /* !_GNU_SOURCE */
+
+/* Process LEN bytes of BUFFER, accumulating context into CTX.
+   It is assumed that LEN % 64 == 0.  */
+static void
+sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
+{
+  const uint32_t *words = buffer;
+  size_t nwords = len / sizeof (uint32_t);
+  uint32_t a = ctx->H[0];
+  uint32_t b = ctx->H[1];
+  uint32_t c = ctx->H[2];
+  uint32_t d = ctx->H[3];
+  uint32_t e = ctx->H[4];
+  uint32_t f = ctx->H[5];
+  uint32_t g = ctx->H[6];
+  uint32_t h = ctx->H[7];
+
+  /* First increment the byte count.  FIPS 180-2 specifies the possible
+     length of the file up to 2^64 bits.  Here we only compute the
+     number of bytes.  Do a double word increment.  */
+  ctx->total[0] += len;
+  if (ctx->total[0] < len)
+    ++ctx->total[1];
+
+  /* Process all bytes in the buffer with 64 bytes in each round of
+     the loop.  */
+  while (nwords > 0)
+    {
+      uint32_t W[64];
+      uint32_t a_save = a;
+      uint32_t b_save = b;
+      uint32_t c_save = c;
+      uint32_t d_save = d;
+      uint32_t e_save = e;
+      uint32_t f_save = f;
+      uint32_t g_save = g;
+      uint32_t h_save = h;
+      unsigned int t;
+
+      /* Operators defined in FIPS 180-2:4.1.2.  */
+#define Ch(x, y, z) ((x & y) ^ (~x & z))
+#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
+#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
+#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
+#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
+#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
+
+      /* It is unfortunate that C does not provide an operator for
+	 cyclic rotation.  Hope the C compiler is smart enough.  */
+#define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
+
+      /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2.  */
+      for (t = 0; t < 16; ++t)
+	{
+	  W[t] = SWAP (*words);
+	  ++words;
+	}
+      for (t = 16; t < 64; ++t)
+	W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
+
+      /* The actual computation according to FIPS 180-2:6.2.2 step 3.  */
+      for (t = 0; t < 64; ++t)
+	{
+	  uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
+	  uint32_t T2 = S0 (a) + Maj (a, b, c);
+	  h = g;
+	  g = f;
+	  f = e;
+	  e = d + T1;
+	  d = c;
+	  c = b;
+	  b = a;
+	  a = T1 + T2;
+	}
+
+      /* Add the starting values of the context according to FIPS 180-2:6.2.2
+	 step 4.  */
+      a += a_save;
+      b += b_save;
+      c += c_save;
+      d += d_save;
+      e += e_save;
+      f += f_save;
+      g += g_save;
+      h += h_save;
+
+      /* Prepare for the next round.  */
+      nwords -= 16;
+    }
+
+  /* Put checksum in context given as argument.  */
+  ctx->H[0] = a;
+  ctx->H[1] = b;
+  ctx->H[2] = c;
+  ctx->H[3] = d;
+  ctx->H[4] = e;
+  ctx->H[5] = f;
+  ctx->H[6] = g;
+  ctx->H[7] = h;
+}
+
+
+/* Initialize structure containing state of computation.
+   (FIPS 180-2:5.3.2)  */
+static void
+sha256_init_ctx (struct sha256_ctx *ctx)
+{
+  ctx->H[0] = 0x6a09e667;
+  ctx->H[1] = 0xbb67ae85;
+  ctx->H[2] = 0x3c6ef372;
+  ctx->H[3] = 0xa54ff53a;
+  ctx->H[4] = 0x510e527f;
+  ctx->H[5] = 0x9b05688c;
+  ctx->H[6] = 0x1f83d9ab;
+  ctx->H[7] = 0x5be0cd19;
+
+  ctx->total[0] = ctx->total[1] = 0;
+  ctx->buflen = 0;
+}
+
+
+/* Process the remaining bytes in the internal buffer and the usual
+   prolog according to the standard and write the result to RESBUF.
+
+   IMPORTANT: On some systems it is required that RESBUF is correctly
+   aligned for a 32 bits value.  */
+static void *
+sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
+{
+  /* Take yet unprocessed bytes into account.  */
+  uint32_t bytes = ctx->buflen;
+  size_t pad;
+
+  /* Now count remaining bytes.  */
+  ctx->total[0] += bytes;
+  if (ctx->total[0] < bytes)
+    ++ctx->total[1];
+
+  pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
+  memcpy (&ctx->buffer[bytes], fillbuf, pad);
+
+  /* Put the 64-bit file length in *bits* at the end of the buffer.  */
+  *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
+  *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
+						  (ctx->total[0] >> 29));
+
+  /* Process last bytes.  */
+  sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
+
+  /* Put result from CTX in first 32 bytes following RESBUF.  */
+  unsigned int i;
+  for (i = 0; i < 8; ++i)
+    ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
+
+  return resbuf;
+}
+
+
+static void
+sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
+{
+  /* When we already have some bits in our internal buffer concatenate
+     both inputs first.  */
+  if (ctx->buflen != 0)
+    {
+      size_t left_over = ctx->buflen;
+      size_t add = 128 - left_over > len ? len : 128 - left_over;
+
+      memcpy (&ctx->buffer[left_over], buffer, add);
+      ctx->buflen += add;
+
+      if (ctx->buflen > 64)
+	{
+	  sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
+
+	  ctx->buflen &= 63;
+	  /* The regions in the following copy operation cannot overlap.  */
+	  memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
+		  ctx->buflen);
+	}
+
+      buffer = (const char *) buffer + add;
+      len -= add;
+    }
+
+  /* Process available complete blocks.  */
+  if (len >= 64)
+    {
+/* To check alignment gcc has an appropriate operator.  Other
+   compilers don't.  */
+#if __GNUC__ >= 2
+# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
+#else
+# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
+#endif
+      if (UNALIGNED_P (buffer))
+	while (len > 64)
+	  {
+	    sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
+	    buffer = (const char *) buffer + 64;
+	    len -= 64;
+	  }
+      else
+	{
+	  sha256_process_block (buffer, len & ~63, ctx);
+	  buffer = (const char *) buffer + (len & ~63);
+	  len &= 63;
+	}
+    }
+
+  /* Move remaining bytes into internal buffer.  */
+  if (len > 0)
+    {
+      size_t left_over = ctx->buflen;
+
+      memcpy (&ctx->buffer[left_over], buffer, len);
+      left_over += len;
+      if (left_over >= 64)
+	{
+	  sha256_process_block (ctx->buffer, 64, ctx);
+	  left_over -= 64;
+	  memcpy (ctx->buffer, &ctx->buffer[64], left_over);
+	}
+      ctx->buflen = left_over;
+    }
+}
+
+
+/* Define our magic string to mark salt for SHA256 "encryption"
+   replacement.  */
+static const char sha256_salt_prefix[] = "$5$";
+
+/* Prefix for optional rounds specification.  */
+static const char sha256_rounds_prefix[] = "rounds=";
+
+/* Maximum salt string length.  */
+#define SALT_LEN_MAX 16
+/* Default number of rounds if not explicitly specified.  */
+#define ROUNDS_DEFAULT 5000
+/* Minimum number of rounds.  */
+#define ROUNDS_MIN 1000
+/* Maximum number of rounds.  */
+#define ROUNDS_MAX 999999999
+
+/* Table with characters for base64 transformation.  */
+static const char b64t[64] =
+"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+
+static char *
+sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
+{
+  unsigned char alt_result[32]
+    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
+  unsigned char temp_result[32]
+    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
+  struct sha256_ctx ctx;
+  struct sha256_ctx alt_ctx;
+  size_t salt_len;
+  size_t key_len;
+  size_t cnt;
+  char *cp;
+  char *copied_key = NULL;
+  char *copied_salt = NULL;
+  char *p_bytes;
+  char *s_bytes;
+  /* Default number of rounds.  */
+  size_t rounds = ROUNDS_DEFAULT;
+  bool rounds_custom = false;
+
+  /* Find beginning of salt string.  The prefix should normally always
+     be present.  Just in case it is not.  */
+  if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
+    /* Skip salt prefix.  */
+    salt += sizeof (sha256_salt_prefix) - 1;
+
+  if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
+      == 0)
+    {
+      const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
+      char *endp;
+      unsigned long int srounds = strtoul (num, &endp, 10);
+      if (*endp == '$')
+	{
+	  salt = endp + 1;
+	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
+	  rounds_custom = true;
+	}
+    }
+
+  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
+  key_len = strlen (key);
+
+  if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
+    {
+      char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
+      key = copied_key =
+	memcpy (tmp + __alignof__ (uint32_t)
+		- (tmp - (char *) 0) % __alignof__ (uint32_t),
+		key, key_len);
+    }
+
+  if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
+    {
+      char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
+      salt = copied_salt =
+	memcpy (tmp + __alignof__ (uint32_t)
+		- (tmp - (char *) 0) % __alignof__ (uint32_t),
+		salt, salt_len);
+    }
+
+  /* Prepare for the real work.  */
+  sha256_init_ctx (&ctx);
+
+  /* Add the key string.  */
+  sha256_process_bytes (key, key_len, &ctx);
+
+  /* The last part is the salt string.  This must be at most 8
+     characters and it ends at the first `$' character (for
+     compatibility with existing implementations).  */
+  sha256_process_bytes (salt, salt_len, &ctx);
+
+
+  /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
+     final result will be added to the first context.  */
+  sha256_init_ctx (&alt_ctx);
+
+  /* Add key.  */
+  sha256_process_bytes (key, key_len, &alt_ctx);
+
+  /* Add salt.  */
+  sha256_process_bytes (salt, salt_len, &alt_ctx);
+
+  /* Add key again.  */
+  sha256_process_bytes (key, key_len, &alt_ctx);
+
+  /* Now get result of this (32 bytes) and add it to the other
+     context.  */
+  sha256_finish_ctx (&alt_ctx, alt_result);
+
+  /* Add for any character in the key one byte of the alternate sum.  */
+  for (cnt = key_len; cnt > 32; cnt -= 32)
+    sha256_process_bytes (alt_result, 32, &ctx);
+  sha256_process_bytes (alt_result, cnt, &ctx);
+
+  /* Take the binary representation of the length of the key and for every
+     1 add the alternate sum, for every 0 the key.  */
+  for (cnt = key_len; cnt > 0; cnt >>= 1)
+    if ((cnt & 1) != 0)
+      sha256_process_bytes (alt_result, 32, &ctx);
+    else
+      sha256_process_bytes (key, key_len, &ctx);
+
+  /* Create intermediate result.  */
+  sha256_finish_ctx (&ctx, alt_result);
+
+  /* Start computation of P byte sequence.  */
+  sha256_init_ctx (&alt_ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < key_len; ++cnt)
+    sha256_process_bytes (key, key_len, &alt_ctx);
+
+  /* Finish the digest.  */
+  sha256_finish_ctx (&alt_ctx, temp_result);
+
+  /* Create byte sequence P.  */
+  cp = p_bytes = alloca (key_len);
+  for (cnt = key_len; cnt >= 32; cnt -= 32) {
+    memcpy (cp, temp_result, 32);
+    cp += 32;
+  }
+  memcpy (cp, temp_result, cnt);
+
+  /* Start computation of S byte sequence.  */
+  sha256_init_ctx (&alt_ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
+    sha256_process_bytes (salt, salt_len, &alt_ctx);
+
+  /* Finish the digest.  */
+  sha256_finish_ctx (&alt_ctx, temp_result);
+
+  /* Create byte sequence S.  */
+  cp = s_bytes = alloca (salt_len);
+  for (cnt = salt_len; cnt >= 32; cnt -= 32) {
+    memcpy (cp, temp_result, 32);
+    cp += 32;
+  }
+  memcpy (cp, temp_result, cnt);
+
+  /* Repeatedly run the collected hash value through SHA256 to burn
+     CPU cycles.  */
+  for (cnt = 0; cnt < rounds; ++cnt)
+    {
+      /* New context.  */
+      sha256_init_ctx (&ctx);
+
+      /* Add key or last result.  */
+      if ((cnt & 1) != 0)
+	sha256_process_bytes (p_bytes, key_len, &ctx);
+      else
+	sha256_process_bytes (alt_result, 32, &ctx);
+
+      /* Add salt for numbers not divisible by 3.  */
+      if (cnt % 3 != 0)
+	sha256_process_bytes (s_bytes, salt_len, &ctx);
+
+      /* Add key for numbers not divisible by 7.  */
+      if (cnt % 7 != 0)
+	sha256_process_bytes (p_bytes, key_len, &ctx);
+
+      /* Add key or last result.  */
+      if ((cnt & 1) != 0)
+	sha256_process_bytes (alt_result, 32, &ctx);
+      else
+	sha256_process_bytes (p_bytes, key_len, &ctx);
+
+      /* Create intermediate result.  */
+      sha256_finish_ctx (&ctx, alt_result);
+    }
+
+  /* Now we can construct the result string.  It consists of three
+     parts.  */
+  cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
+  buflen -= sizeof (sha256_salt_prefix) - 1;
+
+  if (rounds_custom)
+    {
+      int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
+			sha256_rounds_prefix, rounds);
+      cp += n;
+      buflen -= n;
+    }
+
+  cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
+  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
+
+  if (buflen > 0)
+    {
+      *cp++ = '$';
+      --buflen;
+    }
+
+#define b64_from_24bit(B2, B1, B0, N)					      \
+  do {									      \
+    unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);			      \
+    int n = (N);							      \
+    while (n-- > 0 && buflen > 0)					      \
+      {									      \
+	*cp++ = b64t[w & 0x3f];						      \
+	--buflen;							      \
+	w >>= 6;							      \
+      }									      \
+  } while (0)
+
+  b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
+  b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
+  b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
+  b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
+  b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
+  b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
+  b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
+  b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
+  b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
+  b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
+  b64_from_24bit (0, alt_result[31], alt_result[30], 3);
+  if (buflen <= 0)
+    {
+      errno = ERANGE;
+      buffer = NULL;
+    }
+  else
+    *cp = '\0';		/* Terminate the string.  */
+
+  /* Clear the buffer for the intermediate result so that people
+     attaching to processes or reading core dumps cannot get any
+     information.  We do it in this way to clear correct_words[]
+     inside the SHA256 implementation as well.  */
+  sha256_init_ctx (&ctx);
+  sha256_finish_ctx (&ctx, alt_result);
+  memset (temp_result, '\0', sizeof (temp_result));
+  memset (p_bytes, '\0', key_len);
+  memset (s_bytes, '\0', salt_len);
+  memset (&ctx, '\0', sizeof (ctx));
+  memset (&alt_ctx, '\0', sizeof (alt_ctx));
+  if (copied_key != NULL)
+    memset (copied_key, '\0', key_len);
+  if (copied_salt != NULL)
+    memset (copied_salt, '\0', salt_len);
+
+  return buffer;
+}
+
+
+/* This entry point is equivalent to the `crypt' function in Unix
+   libcs.  */
+char *
+sha256_crypt (const char *key, const char *salt)
+{
+  /* We don't want to have an arbitrary limit in the size of the
+     password.  We can compute an upper bound for the size of the
+     result in advance and so we can prepare the buffer we pass to
+     `sha256_crypt_r'.  */
+  static char *buffer;
+  static int buflen;
+  int needed = (sizeof (sha256_salt_prefix) - 1
+		+ sizeof (sha256_rounds_prefix) + 9 + 1
+		+ strlen (salt) + 1 + 43 + 1);
+
+  if (buflen < needed)
+    {
+      char *new_buffer = (char *) realloc (buffer, needed);
+      if (new_buffer == NULL)
+	return NULL;
+
+      buffer = new_buffer;
+      buflen = needed;
+    }
+
+  return sha256_crypt_r (key, salt, buffer, buflen);
+}
+
+
+#ifdef TEST
+static const struct
+{
+  const char *input;
+  const char result[32];
+} tests[] =
+  {
+    /* Test vectors from FIPS 180-2: appendix B.1.  */
+    { "abc",
+      "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
+      "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
+    /* Test vectors from FIPS 180-2: appendix B.2.  */
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+      "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
+      "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
+    /* Test vectors from the NESSIE project.  */
+    { "",
+      "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
+      "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
+    { "a",
+      "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
+      "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
+    { "message digest",
+      "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
+      "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
+    { "abcdefghijklmnopqrstuvwxyz",
+      "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
+      "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+      "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
+      "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+      "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
+      "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
+    { "123456789012345678901234567890123456789012345678901234567890"
+      "12345678901234567890",
+      "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
+      "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
+  };
+#define ntests (sizeof (tests) / sizeof (tests[0]))
+
+
+static const struct
+{
+  const char *salt;
+  const char *input;
+  const char *expected;
+} tests2[] =
+{
+  { "$5$saltstring", "Hello world!",
+    "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
+  { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
+    "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
+    "opqey6IcA" },
+  { "$5$rounds=5000$toolongsaltstring", "This is just a test",
+    "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
+    "mGRcvxa5" },
+  { "$5$rounds=1400$anotherlongsaltstring",
+    "a very much longer text to encrypt.  This one even stretches over more"
+    "than one line.",
+    "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
+    "oP84Bnq1" },
+  { "$5$rounds=77777$short",
+    "we have a short salt string but not a short password",
+    "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
+  { "$5$rounds=123456$asaltof16chars..", "a short string",
+    "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
+    "cZKmF/wJvD" },
+  { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
+    "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
+    "2bIC" },
+};
+#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
+
+
+int
+main (void)
+{
+  struct sha256_ctx ctx;
+  char sum[32];
+  int result = 0;
+  int i, cnt;
+
+  for (cnt = 0; cnt < (int) ntests; ++cnt)
+    {
+      sha256_init_ctx (&ctx);
+      sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
+      sha256_finish_ctx (&ctx, sum);
+      if (memcmp (tests[cnt].result, sum, 32) != 0)
+	{
+	  printf ("test %d run %d failed\n", cnt, 1);
+	  result = 1;
+	}
+
+      sha256_init_ctx (&ctx);
+      for (i = 0; tests[cnt].input[i] != '\0'; ++i)
+	sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
+      sha256_finish_ctx (&ctx, sum);
+      if (memcmp (tests[cnt].result, sum, 32) != 0)
+	{
+	  printf ("test %d run %d failed\n", cnt, 2);
+	  result = 1;
+	}
+    }
+
+  /* Test vector from FIPS 180-2: appendix B.3.  */
+  char buf[1000];
+  memset (buf, 'a', sizeof (buf));
+  sha256_init_ctx (&ctx);
+  for (i = 0; i < 1000; ++i)
+    sha256_process_bytes (buf, sizeof (buf), &ctx);
+  sha256_finish_ctx (&ctx, sum);
+  static const char expected[32] =
+    "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
+    "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
+  if (memcmp (expected, sum, 32) != 0)
+    {
+      printf ("test %d failed\n", cnt);
+      result = 1;
+    }
+
+  for (cnt = 0; cnt < ntests2; ++cnt)
+    {
+      char *cp = sha256_crypt (tests2[cnt].input, tests2[cnt].salt);
+
+      if (strcmp (cp, tests2[cnt].expected) != 0)
+	{
+	  printf ("test %d: expected \"%s\", got \"%s\"\n",
+		  cnt, tests2[cnt].expected, cp);
+	  result = 1;
+	}
+    }
+
+  if (result == 0)
+    puts ("all tests OK");
+
+  return result;
+}
+#endif
Index: crypt-sha512.c
===================================================================
RCS file: crypt-sha512.c
diff -N crypt-sha512.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ crypt-sha512.c	30 May 2008 21:54:45 -0000
@@ -0,0 +1,824 @@
+/* SHA512-based Unix crypt implementation.
+   Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/param.h>
+#include <sys/types.h>
+
+/* sys/param.h must be included before checking OS and C Library */
+#if defined(__GNU_LIBRARY__)
+/* OS with GNU C Library (Linux or Hurd(?)) */
+#include <endian.h>
+#elif (defined(BSD) && (BSD >= 199306))
+/* 4.4BSD code base or newer */
+#include <sys/endian.h>
+#else
+/* Other OS (such as Solaris or AIX?) */
+#error I don't know what to do.
+#endif
+
+/* Structure to save state of computation between the single steps.  */
+struct sha512_ctx
+{
+  uint64_t H[8];
+
+  uint64_t total[2];
+  uint64_t buflen;
+  char buffer[256];	/* NB: always correctly aligned for uint64_t.  */
+};
+
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+# define SWAP(n) \
+  (((n) << 56)					\
+   | (((n) & 0xff00) << 40)			\
+   | (((n) & 0xff0000) << 24)			\
+   | (((n) & 0xff000000) << 8)			\
+   | (((n) >> 8) & 0xff000000)			\
+   | (((n) >> 24) & 0xff0000)			\
+   | (((n) >> 40) & 0xff00)			\
+   | ((n) >> 56))
+#else
+# define SWAP(n) (n)
+#endif
+
+
+/* This array contains the bytes used to pad the buffer to the next
+   64-byte boundary.  (FIPS 180-2:5.1.2)  */
+static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
+
+
+/* Constants for SHA512 from FIPS 180-2:4.2.3.  */
+static const uint64_t K[80] =
+  {
+    UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
+    UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
+    UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
+    UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
+    UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
+    UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
+    UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
+    UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
+    UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
+    UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
+    UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
+    UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
+    UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
+    UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
+    UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
+    UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
+    UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
+    UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
+    UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
+    UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
+    UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
+    UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
+    UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
+    UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
+    UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
+    UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
+    UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
+    UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
+    UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
+    UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
+    UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
+    UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
+    UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
+    UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
+    UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
+    UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
+    UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
+    UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
+    UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
+    UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
+  };
+
+
+#ifndef _GNU_SOURCE
+
+/* __stpncpy(3) is GNU extension and not available with non-glibc OS
+   such as *BSD. So define it as static function for them. */
+static char*
+__stpncpy(char *dst, const char* src, size_t len)
+{
+  char *p;
+  size_t n;
+
+  strncpy(dst, src, len);
+  n = strlen(src);
+  if (n < len)
+    p = dst + n;
+  else
+    p = dst + len;
+  return p;
+}
+
+#endif /* !_GNU_SOURCE */
+
+/* Process LEN bytes of BUFFER, accumulating context into CTX.
+   It is assumed that LEN % 128 == 0.  */
+static void
+sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
+{
+  const uint64_t *words = buffer;
+  size_t nwords = len / sizeof (uint64_t);
+  uint64_t a = ctx->H[0];
+  uint64_t b = ctx->H[1];
+  uint64_t c = ctx->H[2];
+  uint64_t d = ctx->H[3];
+  uint64_t e = ctx->H[4];
+  uint64_t f = ctx->H[5];
+  uint64_t g = ctx->H[6];
+  uint64_t h = ctx->H[7];
+
+  /* First increment the byte count.  FIPS 180-2 specifies the possible
+     length of the file up to 2^128 bits.  Here we only compute the
+     number of bytes.  Do a double word increment.  */
+  ctx->total[0] += len;
+  if (ctx->total[0] < len)
+    ++ctx->total[1];
+
+  /* Process all bytes in the buffer with 128 bytes in each round of
+     the loop.  */
+  while (nwords > 0)
+    {
+      uint64_t W[80];
+      uint64_t a_save = a;
+      uint64_t b_save = b;
+      uint64_t c_save = c;
+      uint64_t d_save = d;
+      uint64_t e_save = e;
+      uint64_t f_save = f;
+      uint64_t g_save = g;
+      uint64_t h_save = h;
+      unsigned int t;
+
+      /* Operators defined in FIPS 180-2:4.1.2.  */
+#define Ch(x, y, z) ((x & y) ^ (~x & z))
+#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
+#define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
+#define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
+#define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
+#define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
+
+      /* It is unfortunate that C does not provide an operator for
+	 cyclic rotation.  Hope the C compiler is smart enough.  */
+#define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
+
+      /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2.  */
+      for (t = 0; t < 16; ++t)
+	{
+	  W[t] = SWAP (*words);
+	  ++words;
+	}
+      for (t = 16; t < 80; ++t)
+	W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
+
+      /* The actual computation according to FIPS 180-2:6.3.2 step 3.  */
+      for (t = 0; t < 80; ++t)
+	{
+	  uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
+	  uint64_t T2 = S0 (a) + Maj (a, b, c);
+	  h = g;
+	  g = f;
+	  f = e;
+	  e = d + T1;
+	  d = c;
+	  c = b;
+	  b = a;
+	  a = T1 + T2;
+	}
+
+      /* Add the starting values of the context according to FIPS 180-2:6.3.2
+	 step 4.  */
+      a += a_save;
+      b += b_save;
+      c += c_save;
+      d += d_save;
+      e += e_save;
+      f += f_save;
+      g += g_save;
+      h += h_save;
+
+      /* Prepare for the next round.  */
+      nwords -= 16;
+    }
+
+  /* Put checksum in context given as argument.  */
+  ctx->H[0] = a;
+  ctx->H[1] = b;
+  ctx->H[2] = c;
+  ctx->H[3] = d;
+  ctx->H[4] = e;
+  ctx->H[5] = f;
+  ctx->H[6] = g;
+  ctx->H[7] = h;
+}
+
+
+/* Initialize structure containing state of computation.
+   (FIPS 180-2:5.3.3)  */
+static void
+sha512_init_ctx (struct sha512_ctx *ctx)
+{
+  ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
+  ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
+  ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
+  ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
+  ctx->H[4] = UINT64_C (0x510e527fade682d1);
+  ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
+  ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
+  ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
+
+  ctx->total[0] = ctx->total[1] = 0;
+  ctx->buflen = 0;
+}
+
+
+/* Process the remaining bytes in the internal buffer and the usual
+   prolog according to the standard and write the result to RESBUF.
+
+   IMPORTANT: On some systems it is required that RESBUF is correctly
+   aligned for a 32 bits value.  */
+static void *
+sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
+{
+  /* Take yet unprocessed bytes into account.  */
+  uint64_t bytes = ctx->buflen;
+  size_t pad;
+
+  /* Now count remaining bytes.  */
+  ctx->total[0] += bytes;
+  if (ctx->total[0] < bytes)
+    ++ctx->total[1];
+
+  pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
+  memcpy (&ctx->buffer[bytes], fillbuf, pad);
+
+  /* Put the 128-bit file length in *bits* at the end of the buffer.  */
+  *(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP (ctx->total[0] << 3);
+  *(uint64_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
+						  (ctx->total[0] >> 61));
+
+  /* Process last bytes.  */
+  sha512_process_block (ctx->buffer, bytes + pad + 16, ctx);
+
+  /* Put result from CTX in first 64 bytes following RESBUF.  */
+  unsigned int i;
+  for (i = 0; i < 8; ++i)
+    ((uint64_t *) resbuf)[i] = SWAP (ctx->H[i]);
+
+  return resbuf;
+}
+
+
+static void
+sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
+{
+  /* When we already have some bits in our internal buffer concatenate
+     both inputs first.  */
+  if (ctx->buflen != 0)
+    {
+      size_t left_over = ctx->buflen;
+      size_t add = 256 - left_over > len ? len : 256 - left_over;
+
+      memcpy (&ctx->buffer[left_over], buffer, add);
+      ctx->buflen += add;
+
+      if (ctx->buflen > 128)
+	{
+	  sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
+
+	  ctx->buflen &= 127;
+	  /* The regions in the following copy operation cannot overlap.  */
+	  memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
+		  ctx->buflen);
+	}
+
+      buffer = (const char *) buffer + add;
+      len -= add;
+    }
+
+  /* Process available complete blocks.  */
+  if (len >= 128)
+    {
+#if !_STRING_ARCH_unaligned
+/* To check alignment gcc has an appropriate operator.  Other
+   compilers don't.  */
+# if __GNUC__ >= 2
+#  define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
+# else
+#  define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
+# endif
+      if (UNALIGNED_P (buffer))
+	while (len > 128)
+	  {
+	    sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128,
+				    ctx);
+	    buffer = (const char *) buffer + 128;
+	    len -= 128;
+	  }
+      else
+#endif
+	{
+	  sha512_process_block (buffer, len & ~127, ctx);
+	  buffer = (const char *) buffer + (len & ~127);
+	  len &= 127;
+	}
+    }
+
+  /* Move remaining bytes into internal buffer.  */
+  if (len > 0)
+    {
+      size_t left_over = ctx->buflen;
+
+      memcpy (&ctx->buffer[left_over], buffer, len);
+      left_over += len;
+      if (left_over >= 128)
+	{
+	  sha512_process_block (ctx->buffer, 128, ctx);
+	  left_over -= 128;
+	  memcpy (ctx->buffer, &ctx->buffer[128], left_over);
+	}
+      ctx->buflen = left_over;
+    }
+}
+
+
+/* Define our magic string to mark salt for SHA512 "encryption"
+   replacement.  */
+static const char sha512_salt_prefix[] = "$6$";
+
+/* Prefix for optional rounds specification.  */
+static const char sha512_rounds_prefix[] = "rounds=";
+
+/* Maximum salt string length.  */
+#define SALT_LEN_MAX 16
+/* Default number of rounds if not explicitly specified.  */
+#define ROUNDS_DEFAULT 5000
+/* Minimum number of rounds.  */
+#define ROUNDS_MIN 1000
+/* Maximum number of rounds.  */
+#define ROUNDS_MAX 999999999
+
+/* Table with characters for base64 transformation.  */
+static const char b64t[64] =
+"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+
+static char *
+sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
+{
+  unsigned char alt_result[64]
+    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
+  unsigned char temp_result[64]
+    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
+  struct sha512_ctx ctx;
+  struct sha512_ctx alt_ctx;
+  size_t salt_len;
+  size_t key_len;
+  size_t cnt;
+  char *cp;
+  char *copied_key = NULL;
+  char *copied_salt = NULL;
+  char *p_bytes;
+  char *s_bytes;
+  /* Default number of rounds.  */
+  size_t rounds = ROUNDS_DEFAULT;
+  bool rounds_custom = false;
+
+  /* Find beginning of salt string.  The prefix should normally always
+     be present.  Just in case it is not.  */
+  if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
+    /* Skip salt prefix.  */
+    salt += sizeof (sha512_salt_prefix) - 1;
+
+  if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
+      == 0)
+    {
+      const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
+      char *endp;
+      unsigned long int srounds = strtoul (num, &endp, 10);
+      if (*endp == '$')
+	{
+	  salt = endp + 1;
+	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
+	  rounds_custom = true;
+	}
+    }
+
+  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
+  key_len = strlen (key);
+
+  if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
+    {
+      char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
+      key = copied_key =
+	memcpy (tmp + __alignof__ (uint64_t)
+		- (tmp - (char *) 0) % __alignof__ (uint64_t),
+		key, key_len);
+    }
+
+  if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
+    {
+      char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
+      salt = copied_salt =
+	memcpy (tmp + __alignof__ (uint64_t)
+		- (tmp - (char *) 0) % __alignof__ (uint64_t),
+		salt, salt_len);
+    }
+
+  /* Prepare for the real work.  */
+  sha512_init_ctx (&ctx);
+
+  /* Add the key string.  */
+  sha512_process_bytes (key, key_len, &ctx);
+
+  /* The last part is the salt string.  This must be at most 8
+     characters and it ends at the first `$' character (for
+     compatibility with existing implementations).  */
+  sha512_process_bytes (salt, salt_len, &ctx);
+
+
+  /* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
+     final result will be added to the first context.  */
+  sha512_init_ctx (&alt_ctx);
+
+  /* Add key.  */
+  sha512_process_bytes (key, key_len, &alt_ctx);
+
+  /* Add salt.  */
+  sha512_process_bytes (salt, salt_len, &alt_ctx);
+
+  /* Add key again.  */
+  sha512_process_bytes (key, key_len, &alt_ctx);
+
+  /* Now get result of this (64 bytes) and add it to the other
+     context.  */
+  sha512_finish_ctx (&alt_ctx, alt_result);
+
+  /* Add for any character in the key one byte of the alternate sum.  */
+  for (cnt = key_len; cnt > 64; cnt -= 64)
+    sha512_process_bytes (alt_result, 64, &ctx);
+  sha512_process_bytes (alt_result, cnt, &ctx);
+
+  /* Take the binary representation of the length of the key and for every
+     1 add the alternate sum, for every 0 the key.  */
+  for (cnt = key_len; cnt > 0; cnt >>= 1)
+    if ((cnt & 1) != 0)
+      sha512_process_bytes (alt_result, 64, &ctx);
+    else
+      sha512_process_bytes (key, key_len, &ctx);
+
+  /* Create intermediate result.  */
+  sha512_finish_ctx (&ctx, alt_result);
+
+  /* Start computation of P byte sequence.  */
+  sha512_init_ctx (&alt_ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < key_len; ++cnt)
+    sha512_process_bytes (key, key_len, &alt_ctx);
+
+  /* Finish the digest.  */
+  sha512_finish_ctx (&alt_ctx, temp_result);
+
+  /* Create byte sequence P.  */
+  cp = p_bytes = alloca (key_len);
+  for (cnt = key_len; cnt >= 64; cnt -= 64) {
+    memcpy (cp, temp_result, 64);
+    cp += 64;
+  }
+  memcpy (cp, temp_result, cnt);
+
+  /* Start computation of S byte sequence.  */
+  sha512_init_ctx (&alt_ctx);
+
+  /* For every character in the password add the entire password.  */
+  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
+    sha512_process_bytes (salt, salt_len, &alt_ctx);
+
+  /* Finish the digest.  */
+  sha512_finish_ctx (&alt_ctx, temp_result);
+
+  /* Create byte sequence S.  */
+  cp = s_bytes = alloca (salt_len);
+  for (cnt = salt_len; cnt >= 64; cnt -= 64) {
+    memcpy (cp, temp_result, 64);
+    cp += 64;
+  }
+  memcpy (cp, temp_result, cnt);
+
+  /* Repeatedly run the collected hash value through SHA512 to burn
+     CPU cycles.  */
+  for (cnt = 0; cnt < rounds; ++cnt)
+    {
+      /* New context.  */
+      sha512_init_ctx (&ctx);
+
+      /* Add key or last result.  */
+      if ((cnt & 1) != 0)
+	sha512_process_bytes (p_bytes, key_len, &ctx);
+      else
+	sha512_process_bytes (alt_result, 64, &ctx);
+
+      /* Add salt for numbers not divisible by 3.  */
+      if (cnt % 3 != 0)
+	sha512_process_bytes (s_bytes, salt_len, &ctx);
+
+      /* Add key for numbers not divisible by 7.  */
+      if (cnt % 7 != 0)
+	sha512_process_bytes (p_bytes, key_len, &ctx);
+
+      /* Add key or last result.  */
+      if ((cnt & 1) != 0)
+	sha512_process_bytes (alt_result, 64, &ctx);
+      else
+	sha512_process_bytes (p_bytes, key_len, &ctx);
+
+      /* Create intermediate result.  */
+      sha512_finish_ctx (&ctx, alt_result);
+    }
+
+  /* Now we can construct the result string.  It consists of three
+     parts.  */
+  cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
+  buflen -= sizeof (sha512_salt_prefix) - 1;
+
+  if (rounds_custom)
+    {
+      int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
+			sha512_rounds_prefix, rounds);
+      cp += n;
+      buflen -= n;
+    }
+
+  cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
+  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
+
+  if (buflen > 0)
+    {
+      *cp++ = '$';
+      --buflen;
+    }
+
+#define b64_from_24bit(B2, B1, B0, N)					      \
+  do {									      \
+    unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);			      \
+    int n = (N);							      \
+    while (n-- > 0 && buflen > 0)					      \
+      {									      \
+	*cp++ = b64t[w & 0x3f];						      \
+	--buflen;							      \
+	w >>= 6;							      \
+      }									      \
+  } while (0)
+
+  b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
+  b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
+  b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
+  b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
+  b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
+  b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
+  b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
+  b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
+  b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
+  b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
+  b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
+  b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
+  b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
+  b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
+  b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
+  b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
+  b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
+  b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
+  b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
+  b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
+  b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
+  b64_from_24bit (0, 0, alt_result[63], 2);
+
+  if (buflen <= 0)
+    {
+      errno = ERANGE;
+      buffer = NULL;
+    }
+  else
+    *cp = '\0';		/* Terminate the string.  */
+
+  /* Clear the buffer for the intermediate result so that people
+     attaching to processes or reading core dumps cannot get any
+     information.  We do it in this way to clear correct_words[]
+     inside the SHA512 implementation as well.  */
+  sha512_init_ctx (&ctx);
+  sha512_finish_ctx (&ctx, alt_result);
+  memset (temp_result, '\0', sizeof (temp_result));
+  memset (p_bytes, '\0', key_len);
+  memset (s_bytes, '\0', salt_len);
+  memset (&ctx, '\0', sizeof (ctx));
+  memset (&alt_ctx, '\0', sizeof (alt_ctx));
+  if (copied_key != NULL)
+    memset (copied_key, '\0', key_len);
+  if (copied_salt != NULL)
+    memset (copied_salt, '\0', salt_len);
+
+  return buffer;
+}
+
+
+/* This entry point is equivalent to the `crypt' function in Unix
+   libcs.  */
+char *
+sha512_crypt (const char *key, const char *salt)
+{
+  /* We don't want to have an arbitrary limit in the size of the
+     password.  We can compute an upper bound for the size of the
+     result in advance and so we can prepare the buffer we pass to
+     `sha512_crypt_r'.  */
+  static char *buffer;
+  static int buflen;
+  int needed = (sizeof (sha512_salt_prefix) - 1
+		+ sizeof (sha512_rounds_prefix) + 9 + 1
+		+ strlen (salt) + 1 + 86 + 1);
+
+  if (buflen < needed)
+    {
+      char *new_buffer = (char *) realloc (buffer, needed);
+      if (new_buffer == NULL)
+	return NULL;
+
+      buffer = new_buffer;
+      buflen = needed;
+    }
+
+  return sha512_crypt_r (key, salt, buffer, buflen);
+}
+
+
+#ifdef TEST
+static const struct
+{
+  const char *input;
+  const char result[64];
+} tests[] =
+  {
+    /* Test vectors from FIPS 180-2: appendix C.1.  */
+    { "abc",
+      "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
+      "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
+      "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
+      "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
+    /* Test vectors from FIPS 180-2: appendix C.2.  */
+    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
+      "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
+      "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
+      "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
+      "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
+    /* Test vectors from the NESSIE project.  */
+    { "",
+      "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
+      "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
+      "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
+      "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
+    { "a",
+      "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
+      "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
+      "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
+      "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
+    { "message digest",
+      "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
+      "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
+      "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
+      "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
+    { "abcdefghijklmnopqrstuvwxyz",
+      "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
+      "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
+      "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
+      "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+      "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
+      "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
+      "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
+      "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+      "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
+      "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
+      "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
+      "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
+    { "123456789012345678901234567890123456789012345678901234567890"
+      "12345678901234567890",
+      "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
+      "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
+      "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
+      "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
+  };
+#define ntests (sizeof (tests) / sizeof (tests[0]))
+
+
+static const struct
+{
+  const char *salt;
+  const char *input;
+  const char *expected;
+} tests2[] =
+{
+  { "$6$saltstring", "Hello world!",
+    "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
+    "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" },
+  { "$6$rounds=10000$saltstringsaltstring", "Hello world!",
+    "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
+    "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
+  { "$6$rounds=5000$toolongsaltstring", "This is just a test",
+    "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
+    "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
+  { "$6$rounds=1400$anotherlongsaltstring",
+    "a very much longer text to encrypt.  This one even stretches over more"
+    "than one line.",
+    "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
+    "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
+  { "$6$rounds=77777$short",
+    "we have a short salt string but not a short password",
+    "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
+    "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
+  { "$6$rounds=123456$asaltof16chars..", "a short string",
+    "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
+    "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
+  { "$6$rounds=10$roundstoolow", "the minimum number is still observed",
+    "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
+    "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
+};
+#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
+
+
+int
+main (void)
+{
+  struct sha512_ctx ctx;
+  char sum[64];
+  int result = 0;
+  int i, cnt;
+
+  for (cnt = 0; cnt < (int) ntests; ++cnt)
+    {
+      sha512_init_ctx (&ctx);
+      sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
+      sha512_finish_ctx (&ctx, sum);
+      if (memcmp (tests[cnt].result, sum, 64) != 0)
+	{
+	  printf ("test %d run %d failed\n", cnt, 1);
+	  result = 1;
+	}
+
+      sha512_init_ctx (&ctx);
+      for (i = 0; tests[cnt].input[i] != '\0'; ++i)
+	sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
+      sha512_finish_ctx (&ctx, sum);
+      if (memcmp (tests[cnt].result, sum, 64) != 0)
+	{
+	  printf ("test %d run %d failed\n", cnt, 2);
+	  result = 1;
+	}
+    }
+
+  /* Test vector from FIPS 180-2: appendix C.3.  */
+  char buf[1000];
+  memset (buf, 'a', sizeof (buf));
+  sha512_init_ctx (&ctx);
+  for (i = 0; i < 1000; ++i)
+    sha512_process_bytes (buf, sizeof (buf), &ctx);
+  sha512_finish_ctx (&ctx, sum);
+  static const char expected[64] =
+    "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
+    "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
+    "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
+    "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
+  if (memcmp (expected, sum, 64) != 0)
+    {
+      printf ("test %d failed\n", cnt);
+      result = 1;
+    }
+
+  for (cnt = 0; cnt < ntests2; ++cnt)
+    {
+      char *cp = sha512_crypt (tests2[cnt].input, tests2[cnt].salt);
+
+      if (strcmp (cp, tests2[cnt].expected) != 0)
+	{
+	  printf ("test %d: expected \"%s\", got \"%s\"\n",
+	   	  cnt, tests2[cnt].expected, cp);
+	  result = 1;
+	}
+    }
+
+  if (result == 0)
+    puts ("all tests OK");
+
+  return result;
+}
+#endif
Index: crypt.c
===================================================================
RCS file: /usr1/freebsd/cvsroot/src/lib/libcrypt/crypt.c,v
retrieving revision 1.23
diff -u -r1.23 crypt.c
--- crypt.c	2 Jun 2003 19:29:27 -0000	1.23
+++ crypt.c	29 May 2008 22:52:20 -0000
@@ -63,6 +63,16 @@
 		"$3$"
 	},
 	{
+		"sha256",
+		sha256_crypt,
+		"$5$"
+	},
+	{
+		"sha512",
+		sha512_crypt,
+		"$6$"
+	},
+	{
 		NULL,
 		NULL,
 		NULL
Index: crypt.h
===================================================================
RCS file: /usr1/freebsd/cvsroot/src/lib/libcrypt/crypt.h,v
retrieving revision 1.8
diff -u -r1.8 crypt.h
--- crypt.h	2 Jun 2003 19:29:27 -0000	1.8
+++ crypt.h	30 May 2008 00:04:15 -0000
@@ -36,5 +36,7 @@
 char *crypt_md5(const char *pw, const char *salt);
 char *crypt_nthash(const char *pw, const char *salt);
 char *crypt_blowfish(const char *pw, const char *salt);
+char *sha256_crypt (const char *pw, const char *salt);
+char *sha512_crypt (const char *pw, const char *salt);
 
 extern void _crypt_to64(char *s, u_long v, int n);
--- patch-libcrypt ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->cperciva 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sat May 31 16:06:28 UTC 2008 
Responsible-Changed-Why:  
Colin, you are our crypto guru, can you please review the proposal? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124164 

From: Yasuhiro KIMURA <yasu@utahime.org>
To: cperciva@FreeBSD.org
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org,
 remko@FreeBSD.org
Subject: Re: kern/124164: [PATCH] Add SHA-256/512 hash algorithm to crypt(3)
Date: Mon, 08 Sep 2008 23:05:30 +0900 (JST)

 Hello.
 
 Would you please tell me current status of this PR? Are there any
 comment, freedback, suggestion or something else?
 
 Best Regards.
 
 ---
 Yasuhiro KIMURA
Responsible-Changed-From-To: cperciva->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Sep 15 00:01:21 UTC 2008 
Responsible-Changed-Why:  
cperciva is not able to work on this one at the moment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124164 

From: David Magda <dmagda@ee.ryerson.ca>
To: bug-followup@FreeBSD.org, yasu@utahime.org
Cc:  
Subject: Re: kern/124164: [patch] Add SHA-256/512 hash algorithm to crypt(3)
Date: Thu, 11 Nov 2010 09:47:52 -0500

 Any news on this functionality? Is the patch still useful against 8.x  
 and -CURRENT?
 

From: Yasuhiro KIMURA <yasu@utahime.org>
To: dmagda+fbugs@ee.ryerson.ca
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/124164: [patch] Add SHA-256/512 hash algorithm to crypt(3)
Date: Mon, 15 Nov 2010 08:01:41 +0900 (JST)

 ----Next_Part(Mon_Nov_15_08_01_41_2010_891)--
 Content-Type: Text/Plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 
 Still useful at least on 8.x. Attached patch is modified on for 8.1R.
 
 ----Next_Part(Mon_Nov_15_08_01_41_2010_891)--
 Content-Type: Text/Plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline; filename="patch-libcrypt-8.1R"
 
 Index: Makefile
 ===================================================================
 RCS file: /usr0/freebsd/cvsroot/src/lib/libcrypt/Makefile,v
 retrieving revision 1.40.2.1.4.1
 diff -u -r1.40.2.1.4.1 Makefile
 --- Makefile	14 Jun 2010 02:09:06 -0000	1.40.2.1.4.1
 +++ Makefile	20 Jul 2010 04:11:44 -0000
 @@ -12,7 +12,8 @@
  .PATH:		${.CURDIR}/../libmd
  SRCS=		crypt.c misc.c \
  		crypt-md5.c md5c.c \
 -		crypt-nthash.c md4c.c
 +		crypt-nthash.c md4c.c \
 +		crypt-sha256.c crypt-sha512.c
  MAN=		crypt.3
  MLINKS=		crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
  CFLAGS+=	-I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
 Index: crypt-sha256.c
 ===================================================================
 RCS file: crypt-sha256.c
 diff -N crypt-sha256.c
 --- /dev/null	1 Jan 1970 00:00:00 -0000
 +++ crypt-sha256.c	20 Jul 2010 04:14:11 -0000
 @@ -0,0 +1,733 @@
 +/* SHA256-based Unix crypt implementation.
 +   Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
 +
 +#include <errno.h>
 +#include <limits.h>
 +#include <stdint.h>
 +#include <stdbool.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +#include <sys/param.h>
 +#include <sys/types.h>
 +
 +/* sys/param.h must be included before checking OS and C Library */
 +#if defined(__GNU_LIBRARY__)
 +/* OS with GNU C Library (Linux or Hurd(?)) */
 +#include <endian.h>
 +#elif (defined(BSD) && (BSD >= 199306))
 +/* 4.4BSD code base or newer */
 +#include <sys/endian.h>
 +#else
 +/* Other OS (such as Solaris or AIX?) */
 +#error I don't know what to do.
 +#endif
 +
 +/* Structure to save state of computation between the single steps.  */
 +struct sha256_ctx
 +{
 +  uint32_t H[8];
 +
 +  uint32_t total[2];
 +  uint32_t buflen;
 +  char buffer[128];	/* NB: always correctly aligned for uint32_t.  */
 +};
 +
 +
 +#if __BYTE_ORDER == __LITTLE_ENDIAN
 +# define SWAP(n) \
 +    (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
 +#else
 +# define SWAP(n) (n)
 +#endif
 +
 +
 +/* This array contains the bytes used to pad the buffer to the next
 +   64-byte boundary.  (FIPS 180-2:5.1.1)  */
 +static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
 +
 +
 +/* Constants for SHA256 from FIPS 180-2:4.2.2.  */
 +static const uint32_t K[64] =
 +  {
 +    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
 +    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
 +    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
 +    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
 +    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
 +    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
 +    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
 +    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
 +    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
 +    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
 +    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
 +    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
 +    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
 +    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
 +    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
 +    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
 +  };
 +
 +/* Process LEN bytes of BUFFER, accumulating context into CTX.
 +   It is assumed that LEN % 64 == 0.  */
 +static void
 +sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
 +{
 +  const uint32_t *words = buffer;
 +  size_t nwords = len / sizeof (uint32_t);
 +  uint32_t a = ctx->H[0];
 +  uint32_t b = ctx->H[1];
 +  uint32_t c = ctx->H[2];
 +  uint32_t d = ctx->H[3];
 +  uint32_t e = ctx->H[4];
 +  uint32_t f = ctx->H[5];
 +  uint32_t g = ctx->H[6];
 +  uint32_t h = ctx->H[7];
 +
 +  /* First increment the byte count.  FIPS 180-2 specifies the possible
 +     length of the file up to 2^64 bits.  Here we only compute the
 +     number of bytes.  Do a double word increment.  */
 +  ctx->total[0] += len;
 +  if (ctx->total[0] < len)
 +    ++ctx->total[1];
 +
 +  /* Process all bytes in the buffer with 64 bytes in each round of
 +     the loop.  */
 +  while (nwords > 0)
 +    {
 +      uint32_t W[64];
 +      uint32_t a_save = a;
 +      uint32_t b_save = b;
 +      uint32_t c_save = c;
 +      uint32_t d_save = d;
 +      uint32_t e_save = e;
 +      uint32_t f_save = f;
 +      uint32_t g_save = g;
 +      uint32_t h_save = h;
 +      unsigned int t;
 +
 +      /* Operators defined in FIPS 180-2:4.1.2.  */
 +#define Ch(x, y, z) ((x & y) ^ (~x & z))
 +#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
 +#define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
 +#define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
 +#define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
 +#define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
 +
 +      /* It is unfortunate that C does not provide an operator for
 +	 cyclic rotation.  Hope the C compiler is smart enough.  */
 +#define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
 +
 +      /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2.  */
 +      for (t = 0; t < 16; ++t)
 +	{
 +	  W[t] = SWAP (*words);
 +	  ++words;
 +	}
 +      for (t = 16; t < 64; ++t)
 +	W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
 +
 +      /* The actual computation according to FIPS 180-2:6.2.2 step 3.  */
 +      for (t = 0; t < 64; ++t)
 +	{
 +	  uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
 +	  uint32_t T2 = S0 (a) + Maj (a, b, c);
 +	  h = g;
 +	  g = f;
 +	  f = e;
 +	  e = d + T1;
 +	  d = c;
 +	  c = b;
 +	  b = a;
 +	  a = T1 + T2;
 +	}
 +
 +      /* Add the starting values of the context according to FIPS 180-2:6.2.2
 +	 step 4.  */
 +      a += a_save;
 +      b += b_save;
 +      c += c_save;
 +      d += d_save;
 +      e += e_save;
 +      f += f_save;
 +      g += g_save;
 +      h += h_save;
 +
 +      /* Prepare for the next round.  */
 +      nwords -= 16;
 +    }
 +
 +  /* Put checksum in context given as argument.  */
 +  ctx->H[0] = a;
 +  ctx->H[1] = b;
 +  ctx->H[2] = c;
 +  ctx->H[3] = d;
 +  ctx->H[4] = e;
 +  ctx->H[5] = f;
 +  ctx->H[6] = g;
 +  ctx->H[7] = h;
 +}
 +
 +
 +/* Initialize structure containing state of computation.
 +   (FIPS 180-2:5.3.2)  */
 +static void
 +sha256_init_ctx (struct sha256_ctx *ctx)
 +{
 +  ctx->H[0] = 0x6a09e667;
 +  ctx->H[1] = 0xbb67ae85;
 +  ctx->H[2] = 0x3c6ef372;
 +  ctx->H[3] = 0xa54ff53a;
 +  ctx->H[4] = 0x510e527f;
 +  ctx->H[5] = 0x9b05688c;
 +  ctx->H[6] = 0x1f83d9ab;
 +  ctx->H[7] = 0x5be0cd19;
 +
 +  ctx->total[0] = ctx->total[1] = 0;
 +  ctx->buflen = 0;
 +}
 +
 +
 +/* Process the remaining bytes in the internal buffer and the usual
 +   prolog according to the standard and write the result to RESBUF.
 +
 +   IMPORTANT: On some systems it is required that RESBUF is correctly
 +   aligned for a 32 bits value.  */
 +static void *
 +sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
 +{
 +  /* Take yet unprocessed bytes into account.  */
 +  uint32_t bytes = ctx->buflen;
 +  size_t pad;
 +
 +  /* Now count remaining bytes.  */
 +  ctx->total[0] += bytes;
 +  if (ctx->total[0] < bytes)
 +    ++ctx->total[1];
 +
 +  pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
 +  memcpy (&ctx->buffer[bytes], fillbuf, pad);
 +
 +  /* Put the 64-bit file length in *bits* at the end of the buffer.  */
 +  *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
 +  *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
 +						  (ctx->total[0] >> 29));
 +
 +  /* Process last bytes.  */
 +  sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
 +
 +  /* Put result from CTX in first 32 bytes following RESBUF.  */
 +  unsigned int i;
 +  for (i = 0; i < 8; ++i)
 +    ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
 +
 +  return resbuf;
 +}
 +
 +
 +static void
 +sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
 +{
 +  /* When we already have some bits in our internal buffer concatenate
 +     both inputs first.  */
 +  if (ctx->buflen != 0)
 +    {
 +      size_t left_over = ctx->buflen;
 +      size_t add = 128 - left_over > len ? len : 128 - left_over;
 +
 +      memcpy (&ctx->buffer[left_over], buffer, add);
 +      ctx->buflen += add;
 +
 +      if (ctx->buflen > 64)
 +	{
 +	  sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
 +
 +	  ctx->buflen &= 63;
 +	  /* The regions in the following copy operation cannot overlap.  */
 +	  memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
 +		  ctx->buflen);
 +	}
 +
 +      buffer = (const char *) buffer + add;
 +      len -= add;
 +    }
 +
 +  /* Process available complete blocks.  */
 +  if (len >= 64)
 +    {
 +/* To check alignment gcc has an appropriate operator.  Other
 +   compilers don't.  */
 +#if __GNUC__ >= 2
 +# define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
 +#else
 +# define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
 +#endif
 +      if (UNALIGNED_P (buffer))
 +	while (len > 64)
 +	  {
 +	    sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
 +	    buffer = (const char *) buffer + 64;
 +	    len -= 64;
 +	  }
 +      else
 +	{
 +	  sha256_process_block (buffer, len & ~63, ctx);
 +	  buffer = (const char *) buffer + (len & ~63);
 +	  len &= 63;
 +	}
 +    }
 +
 +  /* Move remaining bytes into internal buffer.  */
 +  if (len > 0)
 +    {
 +      size_t left_over = ctx->buflen;
 +
 +      memcpy (&ctx->buffer[left_over], buffer, len);
 +      left_over += len;
 +      if (left_over >= 64)
 +	{
 +	  sha256_process_block (ctx->buffer, 64, ctx);
 +	  left_over -= 64;
 +	  memcpy (ctx->buffer, &ctx->buffer[64], left_over);
 +	}
 +      ctx->buflen = left_over;
 +    }
 +}
 +
 +
 +/* Define our magic string to mark salt for SHA256 "encryption"
 +   replacement.  */
 +static const char sha256_salt_prefix[] = "$5$";
 +
 +/* Prefix for optional rounds specification.  */
 +static const char sha256_rounds_prefix[] = "rounds=";
 +
 +/* Maximum salt string length.  */
 +#define SALT_LEN_MAX 16
 +/* Default number of rounds if not explicitly specified.  */
 +#define ROUNDS_DEFAULT 5000
 +/* Minimum number of rounds.  */
 +#define ROUNDS_MIN 1000
 +/* Maximum number of rounds.  */
 +#define ROUNDS_MAX 999999999
 +
 +/* Table with characters for base64 transformation.  */
 +static const char b64t[64] =
 +"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 +
 +
 +static char *
 +sha256_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
 +{
 +  unsigned char alt_result[32]
 +    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 +  unsigned char temp_result[32]
 +    __attribute__ ((__aligned__ (__alignof__ (uint32_t))));
 +  struct sha256_ctx ctx;
 +  struct sha256_ctx alt_ctx;
 +  size_t salt_len;
 +  size_t key_len;
 +  size_t cnt;
 +  char *cp;
 +  char *copied_key = NULL;
 +  char *copied_salt = NULL;
 +  char *p_bytes;
 +  char *s_bytes;
 +  /* Default number of rounds.  */
 +  size_t rounds = ROUNDS_DEFAULT;
 +  bool rounds_custom = false;
 +
 +  /* Find beginning of salt string.  The prefix should normally always
 +     be present.  Just in case it is not.  */
 +  if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
 +    /* Skip salt prefix.  */
 +    salt += sizeof (sha256_salt_prefix) - 1;
 +
 +  if (strncmp (salt, sha256_rounds_prefix, sizeof (sha256_rounds_prefix) - 1)
 +      == 0)
 +    {
 +      const char *num = salt + sizeof (sha256_rounds_prefix) - 1;
 +      char *endp;
 +      unsigned long int srounds = strtoul (num, &endp, 10);
 +      if (*endp == '$')
 +	{
 +	  salt = endp + 1;
 +	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
 +	  rounds_custom = true;
 +	}
 +    }
 +
 +  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 +  key_len = strlen (key);
 +
 +  if ((key - (char *) 0) % __alignof__ (uint32_t) != 0)
 +    {
 +      char *tmp = (char *) alloca (key_len + __alignof__ (uint32_t));
 +      key = copied_key =
 +	memcpy (tmp + __alignof__ (uint32_t)
 +		- (tmp - (char *) 0) % __alignof__ (uint32_t),
 +		key, key_len);
 +    }
 +
 +  if ((salt - (char *) 0) % __alignof__ (uint32_t) != 0)
 +    {
 +      char *tmp = (char *) alloca (salt_len + __alignof__ (uint32_t));
 +      salt = copied_salt =
 +	memcpy (tmp + __alignof__ (uint32_t)
 +		- (tmp - (char *) 0) % __alignof__ (uint32_t),
 +		salt, salt_len);
 +    }
 +
 +  /* Prepare for the real work.  */
 +  sha256_init_ctx (&ctx);
 +
 +  /* Add the key string.  */
 +  sha256_process_bytes (key, key_len, &ctx);
 +
 +  /* The last part is the salt string.  This must be at most 8
 +     characters and it ends at the first `$' character (for
 +     compatibility with existing implementations).  */
 +  sha256_process_bytes (salt, salt_len, &ctx);
 +
 +
 +  /* Compute alternate SHA256 sum with input KEY, SALT, and KEY.  The
 +     final result will be added to the first context.  */
 +  sha256_init_ctx (&alt_ctx);
 +
 +  /* Add key.  */
 +  sha256_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Add salt.  */
 +  sha256_process_bytes (salt, salt_len, &alt_ctx);
 +
 +  /* Add key again.  */
 +  sha256_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Now get result of this (32 bytes) and add it to the other
 +     context.  */
 +  sha256_finish_ctx (&alt_ctx, alt_result);
 +
 +  /* Add for any character in the key one byte of the alternate sum.  */
 +  for (cnt = key_len; cnt > 32; cnt -= 32)
 +    sha256_process_bytes (alt_result, 32, &ctx);
 +  sha256_process_bytes (alt_result, cnt, &ctx);
 +
 +  /* Take the binary representation of the length of the key and for every
 +     1 add the alternate sum, for every 0 the key.  */
 +  for (cnt = key_len; cnt > 0; cnt >>= 1)
 +    if ((cnt & 1) != 0)
 +      sha256_process_bytes (alt_result, 32, &ctx);
 +    else
 +      sha256_process_bytes (key, key_len, &ctx);
 +
 +  /* Create intermediate result.  */
 +  sha256_finish_ctx (&ctx, alt_result);
 +
 +  /* Start computation of P byte sequence.  */
 +  sha256_init_ctx (&alt_ctx);
 +
 +  /* For every character in the password add the entire password.  */
 +  for (cnt = 0; cnt < key_len; ++cnt)
 +    sha256_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Finish the digest.  */
 +  sha256_finish_ctx (&alt_ctx, temp_result);
 +
 +  /* Create byte sequence P.  */
 +  cp = p_bytes = alloca (key_len);
 +  for (cnt = key_len; cnt >= 32; cnt -= 32) {
 +    memcpy (cp, temp_result, 32);
 +    cp += 32;
 +  }
 +  memcpy (cp, temp_result, cnt);
 +
 +  /* Start computation of S byte sequence.  */
 +  sha256_init_ctx (&alt_ctx);
 +
 +  /* For every character in the password add the entire password.  */
 +  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 +    sha256_process_bytes (salt, salt_len, &alt_ctx);
 +
 +  /* Finish the digest.  */
 +  sha256_finish_ctx (&alt_ctx, temp_result);
 +
 +  /* Create byte sequence S.  */
 +  cp = s_bytes = alloca (salt_len);
 +  for (cnt = salt_len; cnt >= 32; cnt -= 32) {
 +    memcpy (cp, temp_result, 32);
 +    cp += 32;
 +  }
 +  memcpy (cp, temp_result, cnt);
 +
 +  /* Repeatedly run the collected hash value through SHA256 to burn
 +     CPU cycles.  */
 +  for (cnt = 0; cnt < rounds; ++cnt)
 +    {
 +      /* New context.  */
 +      sha256_init_ctx (&ctx);
 +
 +      /* Add key or last result.  */
 +      if ((cnt & 1) != 0)
 +	sha256_process_bytes (p_bytes, key_len, &ctx);
 +      else
 +	sha256_process_bytes (alt_result, 32, &ctx);
 +
 +      /* Add salt for numbers not divisible by 3.  */
 +      if (cnt % 3 != 0)
 +	sha256_process_bytes (s_bytes, salt_len, &ctx);
 +
 +      /* Add key for numbers not divisible by 7.  */
 +      if (cnt % 7 != 0)
 +	sha256_process_bytes (p_bytes, key_len, &ctx);
 +
 +      /* Add key or last result.  */
 +      if ((cnt & 1) != 0)
 +	sha256_process_bytes (alt_result, 32, &ctx);
 +      else
 +	sha256_process_bytes (p_bytes, key_len, &ctx);
 +
 +      /* Create intermediate result.  */
 +      sha256_finish_ctx (&ctx, alt_result);
 +    }
 +
 +  /* Now we can construct the result string.  It consists of three
 +     parts.  */
 +  cp = stpncpy (buffer, sha256_salt_prefix, MAX (0, buflen));
 +  buflen -= sizeof (sha256_salt_prefix) - 1;
 +
 +  if (rounds_custom)
 +    {
 +      int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
 +			sha256_rounds_prefix, rounds);
 +      cp += n;
 +      buflen -= n;
 +    }
 +
 +  cp = stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 +  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 +
 +  if (buflen > 0)
 +    {
 +      *cp++ = '$';
 +      --buflen;
 +    }
 +
 +#define b64_from_24bit(B2, B1, B0, N)					      \
 +  do {									      \
 +    unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);			      \
 +    int n = (N);							      \
 +    while (n-- > 0 && buflen > 0)					      \
 +      {									      \
 +	*cp++ = b64t[w & 0x3f];						      \
 +	--buflen;							      \
 +	w >>= 6;							      \
 +      }									      \
 +  } while (0)
 +
 +  b64_from_24bit (alt_result[0], alt_result[10], alt_result[20], 4);
 +  b64_from_24bit (alt_result[21], alt_result[1], alt_result[11], 4);
 +  b64_from_24bit (alt_result[12], alt_result[22], alt_result[2], 4);
 +  b64_from_24bit (alt_result[3], alt_result[13], alt_result[23], 4);
 +  b64_from_24bit (alt_result[24], alt_result[4], alt_result[14], 4);
 +  b64_from_24bit (alt_result[15], alt_result[25], alt_result[5], 4);
 +  b64_from_24bit (alt_result[6], alt_result[16], alt_result[26], 4);
 +  b64_from_24bit (alt_result[27], alt_result[7], alt_result[17], 4);
 +  b64_from_24bit (alt_result[18], alt_result[28], alt_result[8], 4);
 +  b64_from_24bit (alt_result[9], alt_result[19], alt_result[29], 4);
 +  b64_from_24bit (0, alt_result[31], alt_result[30], 3);
 +  if (buflen <= 0)
 +    {
 +      errno = ERANGE;
 +      buffer = NULL;
 +    }
 +  else
 +    *cp = '\0';		/* Terminate the string.  */
 +
 +  /* Clear the buffer for the intermediate result so that people
 +     attaching to processes or reading core dumps cannot get any
 +     information.  We do it in this way to clear correct_words[]
 +     inside the SHA256 implementation as well.  */
 +  sha256_init_ctx (&ctx);
 +  sha256_finish_ctx (&ctx, alt_result);
 +  memset (temp_result, '\0', sizeof (temp_result));
 +  memset (p_bytes, '\0', key_len);
 +  memset (s_bytes, '\0', salt_len);
 +  memset (&ctx, '\0', sizeof (ctx));
 +  memset (&alt_ctx, '\0', sizeof (alt_ctx));
 +  if (copied_key != NULL)
 +    memset (copied_key, '\0', key_len);
 +  if (copied_salt != NULL)
 +    memset (copied_salt, '\0', salt_len);
 +
 +  return buffer;
 +}
 +
 +
 +/* This entry point is equivalent to the `crypt' function in Unix
 +   libcs.  */
 +char *
 +sha256_crypt (const char *key, const char *salt)
 +{
 +  /* We don't want to have an arbitrary limit in the size of the
 +     password.  We can compute an upper bound for the size of the
 +     result in advance and so we can prepare the buffer we pass to
 +     `sha256_crypt_r'.  */
 +  static char *buffer;
 +  static int buflen;
 +  int needed = (sizeof (sha256_salt_prefix) - 1
 +		+ sizeof (sha256_rounds_prefix) + 9 + 1
 +		+ strlen (salt) + 1 + 43 + 1);
 +
 +  if (buflen < needed)
 +    {
 +      char *new_buffer = (char *) realloc (buffer, needed);
 +      if (new_buffer == NULL)
 +	return NULL;
 +
 +      buffer = new_buffer;
 +      buflen = needed;
 +    }
 +
 +  return sha256_crypt_r (key, salt, buffer, buflen);
 +}
 +
 +
 +#ifdef TEST
 +static const struct
 +{
 +  const char *input;
 +  const char result[32];
 +} tests[] =
 +  {
 +    /* Test vectors from FIPS 180-2: appendix B.1.  */
 +    { "abc",
 +      "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
 +      "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad" },
 +    /* Test vectors from FIPS 180-2: appendix B.2.  */
 +    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +      "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
 +      "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
 +    /* Test vectors from the NESSIE project.  */
 +    { "",
 +      "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
 +      "\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55" },
 +    { "a",
 +      "\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
 +      "\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb" },
 +    { "message digest",
 +      "\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
 +      "\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50" },
 +    { "abcdefghijklmnopqrstuvwxyz",
 +      "\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
 +      "\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73" },
 +    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +      "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
 +      "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1" },
 +    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
 +      "\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
 +      "\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0" },
 +    { "123456789012345678901234567890123456789012345678901234567890"
 +      "12345678901234567890",
 +      "\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
 +      "\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e" }
 +  };
 +#define ntests (sizeof (tests) / sizeof (tests[0]))
 +
 +
 +static const struct
 +{
 +  const char *salt;
 +  const char *input;
 +  const char *expected;
 +} tests2[] =
 +{
 +  { "$5$saltstring", "Hello world!",
 +    "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5" },
 +  { "$5$rounds=10000$saltstringsaltstring", "Hello world!",
 +    "$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
 +    "opqey6IcA" },
 +  { "$5$rounds=5000$toolongsaltstring", "This is just a test",
 +    "$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
 +    "mGRcvxa5" },
 +  { "$5$rounds=1400$anotherlongsaltstring",
 +    "a very much longer text to encrypt.  This one even stretches over more"
 +    "than one line.",
 +    "$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
 +    "oP84Bnq1" },
 +  { "$5$rounds=77777$short",
 +    "we have a short salt string but not a short password",
 +    "$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/" },
 +  { "$5$rounds=123456$asaltof16chars..", "a short string",
 +    "$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
 +    "cZKmF/wJvD" },
 +  { "$5$rounds=10$roundstoolow", "the minimum number is still observed",
 +    "$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
 +    "2bIC" },
 +};
 +#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
 +
 +
 +int
 +main (void)
 +{
 +  struct sha256_ctx ctx;
 +  char sum[32];
 +  int result = 0;
 +  int i, cnt;
 +
 +  for (cnt = 0; cnt < (int) ntests; ++cnt)
 +    {
 +      sha256_init_ctx (&ctx);
 +      sha256_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
 +      sha256_finish_ctx (&ctx, sum);
 +      if (memcmp (tests[cnt].result, sum, 32) != 0)
 +	{
 +	  printf ("test %d run %d failed\n", cnt, 1);
 +	  result = 1;
 +	}
 +
 +      sha256_init_ctx (&ctx);
 +      for (i = 0; tests[cnt].input[i] != '\0'; ++i)
 +	sha256_process_bytes (&tests[cnt].input[i], 1, &ctx);
 +      sha256_finish_ctx (&ctx, sum);
 +      if (memcmp (tests[cnt].result, sum, 32) != 0)
 +	{
 +	  printf ("test %d run %d failed\n", cnt, 2);
 +	  result = 1;
 +	}
 +    }
 +
 +  /* Test vector from FIPS 180-2: appendix B.3.  */
 +  char buf[1000];
 +  memset (buf, 'a', sizeof (buf));
 +  sha256_init_ctx (&ctx);
 +  for (i = 0; i < 1000; ++i)
 +    sha256_process_bytes (buf, sizeof (buf), &ctx);
 +  sha256_finish_ctx (&ctx, sum);
 +  static const char expected[32] =
 +    "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
 +    "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
 +  if (memcmp (expected, sum, 32) != 0)
 +    {
 +      printf ("test %d failed\n", cnt);
 +      result = 1;
 +    }
 +
 +  for (cnt = 0; cnt < ntests2; ++cnt)
 +    {
 +      char *cp = sha256_crypt (tests2[cnt].input, tests2[cnt].salt);
 +
 +      if (strcmp (cp, tests2[cnt].expected) != 0)
 +	{
 +	  printf ("test %d: expected \"%s\", got \"%s\"\n",
 +		  cnt, tests2[cnt].expected, cp);
 +	  result = 1;
 +	}
 +    }
 +
 +  if (result == 0)
 +    puts ("all tests OK");
 +
 +  return result;
 +}
 +#endif
 Index: crypt-sha512.c
 ===================================================================
 RCS file: crypt-sha512.c
 diff -N crypt-sha512.c
 --- /dev/null	1 Jan 1970 00:00:00 -0000
 +++ crypt-sha512.c	20 Jul 2010 04:11:44 -0000
 @@ -0,0 +1,824 @@
 +/* SHA512-based Unix crypt implementation.
 +   Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.  */
 +
 +#include <errno.h>
 +#include <limits.h>
 +#include <stdbool.h>
 +#include <stdint.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +#include <sys/param.h>
 +#include <sys/types.h>
 +
 +/* sys/param.h must be included before checking OS and C Library */
 +#if defined(__GNU_LIBRARY__)
 +/* OS with GNU C Library (Linux or Hurd(?)) */
 +#include <endian.h>
 +#elif (defined(BSD) && (BSD >= 199306))
 +/* 4.4BSD code base or newer */
 +#include <sys/endian.h>
 +#else
 +/* Other OS (such as Solaris or AIX?) */
 +#error I don't know what to do.
 +#endif
 +
 +/* Structure to save state of computation between the single steps.  */
 +struct sha512_ctx
 +{
 +  uint64_t H[8];
 +
 +  uint64_t total[2];
 +  uint64_t buflen;
 +  char buffer[256];	/* NB: always correctly aligned for uint64_t.  */
 +};
 +
 +
 +#if __BYTE_ORDER == __LITTLE_ENDIAN
 +# define SWAP(n) \
 +  (((n) << 56)					\
 +   | (((n) & 0xff00) << 40)			\
 +   | (((n) & 0xff0000) << 24)			\
 +   | (((n) & 0xff000000) << 8)			\
 +   | (((n) >> 8) & 0xff000000)			\
 +   | (((n) >> 24) & 0xff0000)			\
 +   | (((n) >> 40) & 0xff00)			\
 +   | ((n) >> 56))
 +#else
 +# define SWAP(n) (n)
 +#endif
 +
 +
 +/* This array contains the bytes used to pad the buffer to the next
 +   64-byte boundary.  (FIPS 180-2:5.1.2)  */
 +static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ...  */ };
 +
 +
 +/* Constants for SHA512 from FIPS 180-2:4.2.3.  */
 +static const uint64_t K[80] =
 +  {
 +    UINT64_C (0x428a2f98d728ae22), UINT64_C (0x7137449123ef65cd),
 +    UINT64_C (0xb5c0fbcfec4d3b2f), UINT64_C (0xe9b5dba58189dbbc),
 +    UINT64_C (0x3956c25bf348b538), UINT64_C (0x59f111f1b605d019),
 +    UINT64_C (0x923f82a4af194f9b), UINT64_C (0xab1c5ed5da6d8118),
 +    UINT64_C (0xd807aa98a3030242), UINT64_C (0x12835b0145706fbe),
 +    UINT64_C (0x243185be4ee4b28c), UINT64_C (0x550c7dc3d5ffb4e2),
 +    UINT64_C (0x72be5d74f27b896f), UINT64_C (0x80deb1fe3b1696b1),
 +    UINT64_C (0x9bdc06a725c71235), UINT64_C (0xc19bf174cf692694),
 +    UINT64_C (0xe49b69c19ef14ad2), UINT64_C (0xefbe4786384f25e3),
 +    UINT64_C (0x0fc19dc68b8cd5b5), UINT64_C (0x240ca1cc77ac9c65),
 +    UINT64_C (0x2de92c6f592b0275), UINT64_C (0x4a7484aa6ea6e483),
 +    UINT64_C (0x5cb0a9dcbd41fbd4), UINT64_C (0x76f988da831153b5),
 +    UINT64_C (0x983e5152ee66dfab), UINT64_C (0xa831c66d2db43210),
 +    UINT64_C (0xb00327c898fb213f), UINT64_C (0xbf597fc7beef0ee4),
 +    UINT64_C (0xc6e00bf33da88fc2), UINT64_C (0xd5a79147930aa725),
 +    UINT64_C (0x06ca6351e003826f), UINT64_C (0x142929670a0e6e70),
 +    UINT64_C (0x27b70a8546d22ffc), UINT64_C (0x2e1b21385c26c926),
 +    UINT64_C (0x4d2c6dfc5ac42aed), UINT64_C (0x53380d139d95b3df),
 +    UINT64_C (0x650a73548baf63de), UINT64_C (0x766a0abb3c77b2a8),
 +    UINT64_C (0x81c2c92e47edaee6), UINT64_C (0x92722c851482353b),
 +    UINT64_C (0xa2bfe8a14cf10364), UINT64_C (0xa81a664bbc423001),
 +    UINT64_C (0xc24b8b70d0f89791), UINT64_C (0xc76c51a30654be30),
 +    UINT64_C (0xd192e819d6ef5218), UINT64_C (0xd69906245565a910),
 +    UINT64_C (0xf40e35855771202a), UINT64_C (0x106aa07032bbd1b8),
 +    UINT64_C (0x19a4c116b8d2d0c8), UINT64_C (0x1e376c085141ab53),
 +    UINT64_C (0x2748774cdf8eeb99), UINT64_C (0x34b0bcb5e19b48a8),
 +    UINT64_C (0x391c0cb3c5c95a63), UINT64_C (0x4ed8aa4ae3418acb),
 +    UINT64_C (0x5b9cca4f7763e373), UINT64_C (0x682e6ff3d6b2b8a3),
 +    UINT64_C (0x748f82ee5defb2fc), UINT64_C (0x78a5636f43172f60),
 +    UINT64_C (0x84c87814a1f0ab72), UINT64_C (0x8cc702081a6439ec),
 +    UINT64_C (0x90befffa23631e28), UINT64_C (0xa4506cebde82bde9),
 +    UINT64_C (0xbef9a3f7b2c67915), UINT64_C (0xc67178f2e372532b),
 +    UINT64_C (0xca273eceea26619c), UINT64_C (0xd186b8c721c0c207),
 +    UINT64_C (0xeada7dd6cde0eb1e), UINT64_C (0xf57d4f7fee6ed178),
 +    UINT64_C (0x06f067aa72176fba), UINT64_C (0x0a637dc5a2c898a6),
 +    UINT64_C (0x113f9804bef90dae), UINT64_C (0x1b710b35131c471b),
 +    UINT64_C (0x28db77f523047d84), UINT64_C (0x32caab7b40c72493),
 +    UINT64_C (0x3c9ebe0a15c9bebc), UINT64_C (0x431d67c49c100d4c),
 +    UINT64_C (0x4cc5d4becb3e42b6), UINT64_C (0x597f299cfc657e2a),
 +    UINT64_C (0x5fcb6fab3ad6faec), UINT64_C (0x6c44198c4a475817)
 +  };
 +
 +
 +#ifndef _GNU_SOURCE
 +
 +/* __stpncpy(3) is GNU extension and not available with non-glibc OS
 +   such as *BSD. So define it as static function for them. */
 +static char*
 +__stpncpy(char *dst, const char* src, size_t len)
 +{
 +  char *p;
 +  size_t n;
 +
 +  strncpy(dst, src, len);
 +  n = strlen(src);
 +  if (n < len)
 +    p = dst + n;
 +  else
 +    p = dst + len;
 +  return p;
 +}
 +
 +#endif /* !_GNU_SOURCE */
 +
 +/* Process LEN bytes of BUFFER, accumulating context into CTX.
 +   It is assumed that LEN % 128 == 0.  */
 +static void
 +sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
 +{
 +  const uint64_t *words = buffer;
 +  size_t nwords = len / sizeof (uint64_t);
 +  uint64_t a = ctx->H[0];
 +  uint64_t b = ctx->H[1];
 +  uint64_t c = ctx->H[2];
 +  uint64_t d = ctx->H[3];
 +  uint64_t e = ctx->H[4];
 +  uint64_t f = ctx->H[5];
 +  uint64_t g = ctx->H[6];
 +  uint64_t h = ctx->H[7];
 +
 +  /* First increment the byte count.  FIPS 180-2 specifies the possible
 +     length of the file up to 2^128 bits.  Here we only compute the
 +     number of bytes.  Do a double word increment.  */
 +  ctx->total[0] += len;
 +  if (ctx->total[0] < len)
 +    ++ctx->total[1];
 +
 +  /* Process all bytes in the buffer with 128 bytes in each round of
 +     the loop.  */
 +  while (nwords > 0)
 +    {
 +      uint64_t W[80];
 +      uint64_t a_save = a;
 +      uint64_t b_save = b;
 +      uint64_t c_save = c;
 +      uint64_t d_save = d;
 +      uint64_t e_save = e;
 +      uint64_t f_save = f;
 +      uint64_t g_save = g;
 +      uint64_t h_save = h;
 +      unsigned int t;
 +
 +      /* Operators defined in FIPS 180-2:4.1.2.  */
 +#define Ch(x, y, z) ((x & y) ^ (~x & z))
 +#define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
 +#define S0(x) (CYCLIC (x, 28) ^ CYCLIC (x, 34) ^ CYCLIC (x, 39))
 +#define S1(x) (CYCLIC (x, 14) ^ CYCLIC (x, 18) ^ CYCLIC (x, 41))
 +#define R0(x) (CYCLIC (x, 1) ^ CYCLIC (x, 8) ^ (x >> 7))
 +#define R1(x) (CYCLIC (x, 19) ^ CYCLIC (x, 61) ^ (x >> 6))
 +
 +      /* It is unfortunate that C does not provide an operator for
 +	 cyclic rotation.  Hope the C compiler is smart enough.  */
 +#define CYCLIC(w, s) ((w >> s) | (w << (64 - s)))
 +
 +      /* Compute the message schedule according to FIPS 180-2:6.3.2 step 2.  */
 +      for (t = 0; t < 16; ++t)
 +	{
 +	  W[t] = SWAP (*words);
 +	  ++words;
 +	}
 +      for (t = 16; t < 80; ++t)
 +	W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
 +
 +      /* The actual computation according to FIPS 180-2:6.3.2 step 3.  */
 +      for (t = 0; t < 80; ++t)
 +	{
 +	  uint64_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
 +	  uint64_t T2 = S0 (a) + Maj (a, b, c);
 +	  h = g;
 +	  g = f;
 +	  f = e;
 +	  e = d + T1;
 +	  d = c;
 +	  c = b;
 +	  b = a;
 +	  a = T1 + T2;
 +	}
 +
 +      /* Add the starting values of the context according to FIPS 180-2:6.3.2
 +	 step 4.  */
 +      a += a_save;
 +      b += b_save;
 +      c += c_save;
 +      d += d_save;
 +      e += e_save;
 +      f += f_save;
 +      g += g_save;
 +      h += h_save;
 +
 +      /* Prepare for the next round.  */
 +      nwords -= 16;
 +    }
 +
 +  /* Put checksum in context given as argument.  */
 +  ctx->H[0] = a;
 +  ctx->H[1] = b;
 +  ctx->H[2] = c;
 +  ctx->H[3] = d;
 +  ctx->H[4] = e;
 +  ctx->H[5] = f;
 +  ctx->H[6] = g;
 +  ctx->H[7] = h;
 +}
 +
 +
 +/* Initialize structure containing state of computation.
 +   (FIPS 180-2:5.3.3)  */
 +static void
 +sha512_init_ctx (struct sha512_ctx *ctx)
 +{
 +  ctx->H[0] = UINT64_C (0x6a09e667f3bcc908);
 +  ctx->H[1] = UINT64_C (0xbb67ae8584caa73b);
 +  ctx->H[2] = UINT64_C (0x3c6ef372fe94f82b);
 +  ctx->H[3] = UINT64_C (0xa54ff53a5f1d36f1);
 +  ctx->H[4] = UINT64_C (0x510e527fade682d1);
 +  ctx->H[5] = UINT64_C (0x9b05688c2b3e6c1f);
 +  ctx->H[6] = UINT64_C (0x1f83d9abfb41bd6b);
 +  ctx->H[7] = UINT64_C (0x5be0cd19137e2179);
 +
 +  ctx->total[0] = ctx->total[1] = 0;
 +  ctx->buflen = 0;
 +}
 +
 +
 +/* Process the remaining bytes in the internal buffer and the usual
 +   prolog according to the standard and write the result to RESBUF.
 +
 +   IMPORTANT: On some systems it is required that RESBUF is correctly
 +   aligned for a 32 bits value.  */
 +static void *
 +sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
 +{
 +  /* Take yet unprocessed bytes into account.  */
 +  uint64_t bytes = ctx->buflen;
 +  size_t pad;
 +
 +  /* Now count remaining bytes.  */
 +  ctx->total[0] += bytes;
 +  if (ctx->total[0] < bytes)
 +    ++ctx->total[1];
 +
 +  pad = bytes >= 112 ? 128 + 112 - bytes : 112 - bytes;
 +  memcpy (&ctx->buffer[bytes], fillbuf, pad);
 +
 +  /* Put the 128-bit file length in *bits* at the end of the buffer.  */
 +  *(uint64_t *) &ctx->buffer[bytes + pad + 8] = SWAP (ctx->total[0] << 3);
 +  *(uint64_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
 +						  (ctx->total[0] >> 61));
 +
 +  /* Process last bytes.  */
 +  sha512_process_block (ctx->buffer, bytes + pad + 16, ctx);
 +
 +  /* Put result from CTX in first 64 bytes following RESBUF.  */
 +  unsigned int i;
 +  for (i = 0; i < 8; ++i)
 +    ((uint64_t *) resbuf)[i] = SWAP (ctx->H[i]);
 +
 +  return resbuf;
 +}
 +
 +
 +static void
 +sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
 +{
 +  /* When we already have some bits in our internal buffer concatenate
 +     both inputs first.  */
 +  if (ctx->buflen != 0)
 +    {
 +      size_t left_over = ctx->buflen;
 +      size_t add = 256 - left_over > len ? len : 256 - left_over;
 +
 +      memcpy (&ctx->buffer[left_over], buffer, add);
 +      ctx->buflen += add;
 +
 +      if (ctx->buflen > 128)
 +	{
 +	  sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
 +
 +	  ctx->buflen &= 127;
 +	  /* The regions in the following copy operation cannot overlap.  */
 +	  memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~127],
 +		  ctx->buflen);
 +	}
 +
 +      buffer = (const char *) buffer + add;
 +      len -= add;
 +    }
 +
 +  /* Process available complete blocks.  */
 +  if (len >= 128)
 +    {
 +#if !_STRING_ARCH_unaligned
 +/* To check alignment gcc has an appropriate operator.  Other
 +   compilers don't.  */
 +# if __GNUC__ >= 2
 +#  define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint64_t) != 0)
 +# else
 +#  define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint64_t) != 0)
 +# endif
 +      if (UNALIGNED_P (buffer))
 +	while (len > 128)
 +	  {
 +	    sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128,
 +				    ctx);
 +	    buffer = (const char *) buffer + 128;
 +	    len -= 128;
 +	  }
 +      else
 +#endif
 +	{
 +	  sha512_process_block (buffer, len & ~127, ctx);
 +	  buffer = (const char *) buffer + (len & ~127);
 +	  len &= 127;
 +	}
 +    }
 +
 +  /* Move remaining bytes into internal buffer.  */
 +  if (len > 0)
 +    {
 +      size_t left_over = ctx->buflen;
 +
 +      memcpy (&ctx->buffer[left_over], buffer, len);
 +      left_over += len;
 +      if (left_over >= 128)
 +	{
 +	  sha512_process_block (ctx->buffer, 128, ctx);
 +	  left_over -= 128;
 +	  memcpy (ctx->buffer, &ctx->buffer[128], left_over);
 +	}
 +      ctx->buflen = left_over;
 +    }
 +}
 +
 +
 +/* Define our magic string to mark salt for SHA512 "encryption"
 +   replacement.  */
 +static const char sha512_salt_prefix[] = "$6$";
 +
 +/* Prefix for optional rounds specification.  */
 +static const char sha512_rounds_prefix[] = "rounds=";
 +
 +/* Maximum salt string length.  */
 +#define SALT_LEN_MAX 16
 +/* Default number of rounds if not explicitly specified.  */
 +#define ROUNDS_DEFAULT 5000
 +/* Minimum number of rounds.  */
 +#define ROUNDS_MIN 1000
 +/* Maximum number of rounds.  */
 +#define ROUNDS_MAX 999999999
 +
 +/* Table with characters for base64 transformation.  */
 +static const char b64t[64] =
 +"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 +
 +
 +static char *
 +sha512_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
 +{
 +  unsigned char alt_result[64]
 +    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
 +  unsigned char temp_result[64]
 +    __attribute__ ((__aligned__ (__alignof__ (uint64_t))));
 +  struct sha512_ctx ctx;
 +  struct sha512_ctx alt_ctx;
 +  size_t salt_len;
 +  size_t key_len;
 +  size_t cnt;
 +  char *cp;
 +  char *copied_key = NULL;
 +  char *copied_salt = NULL;
 +  char *p_bytes;
 +  char *s_bytes;
 +  /* Default number of rounds.  */
 +  size_t rounds = ROUNDS_DEFAULT;
 +  bool rounds_custom = false;
 +
 +  /* Find beginning of salt string.  The prefix should normally always
 +     be present.  Just in case it is not.  */
 +  if (strncmp (sha512_salt_prefix, salt, sizeof (sha512_salt_prefix) - 1) == 0)
 +    /* Skip salt prefix.  */
 +    salt += sizeof (sha512_salt_prefix) - 1;
 +
 +  if (strncmp (salt, sha512_rounds_prefix, sizeof (sha512_rounds_prefix) - 1)
 +      == 0)
 +    {
 +      const char *num = salt + sizeof (sha512_rounds_prefix) - 1;
 +      char *endp;
 +      unsigned long int srounds = strtoul (num, &endp, 10);
 +      if (*endp == '$')
 +	{
 +	  salt = endp + 1;
 +	  rounds = MAX (ROUNDS_MIN, MIN (srounds, ROUNDS_MAX));
 +	  rounds_custom = true;
 +	}
 +    }
 +
 +  salt_len = MIN (strcspn (salt, "$"), SALT_LEN_MAX);
 +  key_len = strlen (key);
 +
 +  if ((key - (char *) 0) % __alignof__ (uint64_t) != 0)
 +    {
 +      char *tmp = (char *) alloca (key_len + __alignof__ (uint64_t));
 +      key = copied_key =
 +	memcpy (tmp + __alignof__ (uint64_t)
 +		- (tmp - (char *) 0) % __alignof__ (uint64_t),
 +		key, key_len);
 +    }
 +
 +  if ((salt - (char *) 0) % __alignof__ (uint64_t) != 0)
 +    {
 +      char *tmp = (char *) alloca (salt_len + __alignof__ (uint64_t));
 +      salt = copied_salt =
 +	memcpy (tmp + __alignof__ (uint64_t)
 +		- (tmp - (char *) 0) % __alignof__ (uint64_t),
 +		salt, salt_len);
 +    }
 +
 +  /* Prepare for the real work.  */
 +  sha512_init_ctx (&ctx);
 +
 +  /* Add the key string.  */
 +  sha512_process_bytes (key, key_len, &ctx);
 +
 +  /* The last part is the salt string.  This must be at most 8
 +     characters and it ends at the first `$' character (for
 +     compatibility with existing implementations).  */
 +  sha512_process_bytes (salt, salt_len, &ctx);
 +
 +
 +  /* Compute alternate SHA512 sum with input KEY, SALT, and KEY.  The
 +     final result will be added to the first context.  */
 +  sha512_init_ctx (&alt_ctx);
 +
 +  /* Add key.  */
 +  sha512_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Add salt.  */
 +  sha512_process_bytes (salt, salt_len, &alt_ctx);
 +
 +  /* Add key again.  */
 +  sha512_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Now get result of this (64 bytes) and add it to the other
 +     context.  */
 +  sha512_finish_ctx (&alt_ctx, alt_result);
 +
 +  /* Add for any character in the key one byte of the alternate sum.  */
 +  for (cnt = key_len; cnt > 64; cnt -= 64)
 +    sha512_process_bytes (alt_result, 64, &ctx);
 +  sha512_process_bytes (alt_result, cnt, &ctx);
 +
 +  /* Take the binary representation of the length of the key and for every
 +     1 add the alternate sum, for every 0 the key.  */
 +  for (cnt = key_len; cnt > 0; cnt >>= 1)
 +    if ((cnt & 1) != 0)
 +      sha512_process_bytes (alt_result, 64, &ctx);
 +    else
 +      sha512_process_bytes (key, key_len, &ctx);
 +
 +  /* Create intermediate result.  */
 +  sha512_finish_ctx (&ctx, alt_result);
 +
 +  /* Start computation of P byte sequence.  */
 +  sha512_init_ctx (&alt_ctx);
 +
 +  /* For every character in the password add the entire password.  */
 +  for (cnt = 0; cnt < key_len; ++cnt)
 +    sha512_process_bytes (key, key_len, &alt_ctx);
 +
 +  /* Finish the digest.  */
 +  sha512_finish_ctx (&alt_ctx, temp_result);
 +
 +  /* Create byte sequence P.  */
 +  cp = p_bytes = alloca (key_len);
 +  for (cnt = key_len; cnt >= 64; cnt -= 64) {
 +    memcpy (cp, temp_result, 64);
 +    cp += 64;
 +  }
 +  memcpy (cp, temp_result, cnt);
 +
 +  /* Start computation of S byte sequence.  */
 +  sha512_init_ctx (&alt_ctx);
 +
 +  /* For every character in the password add the entire password.  */
 +  for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 +    sha512_process_bytes (salt, salt_len, &alt_ctx);
 +
 +  /* Finish the digest.  */
 +  sha512_finish_ctx (&alt_ctx, temp_result);
 +
 +  /* Create byte sequence S.  */
 +  cp = s_bytes = alloca (salt_len);
 +  for (cnt = salt_len; cnt >= 64; cnt -= 64) {
 +    memcpy (cp, temp_result, 64);
 +    cp += 64;
 +  }
 +  memcpy (cp, temp_result, cnt);
 +
 +  /* Repeatedly run the collected hash value through SHA512 to burn
 +     CPU cycles.  */
 +  for (cnt = 0; cnt < rounds; ++cnt)
 +    {
 +      /* New context.  */
 +      sha512_init_ctx (&ctx);
 +
 +      /* Add key or last result.  */
 +      if ((cnt & 1) != 0)
 +	sha512_process_bytes (p_bytes, key_len, &ctx);
 +      else
 +	sha512_process_bytes (alt_result, 64, &ctx);
 +
 +      /* Add salt for numbers not divisible by 3.  */
 +      if (cnt % 3 != 0)
 +	sha512_process_bytes (s_bytes, salt_len, &ctx);
 +
 +      /* Add key for numbers not divisible by 7.  */
 +      if (cnt % 7 != 0)
 +	sha512_process_bytes (p_bytes, key_len, &ctx);
 +
 +      /* Add key or last result.  */
 +      if ((cnt & 1) != 0)
 +	sha512_process_bytes (alt_result, 64, &ctx);
 +      else
 +	sha512_process_bytes (p_bytes, key_len, &ctx);
 +
 +      /* Create intermediate result.  */
 +      sha512_finish_ctx (&ctx, alt_result);
 +    }
 +
 +  /* Now we can construct the result string.  It consists of three
 +     parts.  */
 +  cp = __stpncpy (buffer, sha512_salt_prefix, MAX (0, buflen));
 +  buflen -= sizeof (sha512_salt_prefix) - 1;
 +
 +  if (rounds_custom)
 +    {
 +      int n = snprintf (cp, MAX (0, buflen), "%s%zu$",
 +			sha512_rounds_prefix, rounds);
 +      cp += n;
 +      buflen -= n;
 +    }
 +
 +  cp = __stpncpy (cp, salt, MIN ((size_t) MAX (0, buflen), salt_len));
 +  buflen -= MIN ((size_t) MAX (0, buflen), salt_len);
 +
 +  if (buflen > 0)
 +    {
 +      *cp++ = '$';
 +      --buflen;
 +    }
 +
 +#define b64_from_24bit(B2, B1, B0, N)					      \
 +  do {									      \
 +    unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0);			      \
 +    int n = (N);							      \
 +    while (n-- > 0 && buflen > 0)					      \
 +      {									      \
 +	*cp++ = b64t[w & 0x3f];						      \
 +	--buflen;							      \
 +	w >>= 6;							      \
 +      }									      \
 +  } while (0)
 +
 +  b64_from_24bit (alt_result[0], alt_result[21], alt_result[42], 4);
 +  b64_from_24bit (alt_result[22], alt_result[43], alt_result[1], 4);
 +  b64_from_24bit (alt_result[44], alt_result[2], alt_result[23], 4);
 +  b64_from_24bit (alt_result[3], alt_result[24], alt_result[45], 4);
 +  b64_from_24bit (alt_result[25], alt_result[46], alt_result[4], 4);
 +  b64_from_24bit (alt_result[47], alt_result[5], alt_result[26], 4);
 +  b64_from_24bit (alt_result[6], alt_result[27], alt_result[48], 4);
 +  b64_from_24bit (alt_result[28], alt_result[49], alt_result[7], 4);
 +  b64_from_24bit (alt_result[50], alt_result[8], alt_result[29], 4);
 +  b64_from_24bit (alt_result[9], alt_result[30], alt_result[51], 4);
 +  b64_from_24bit (alt_result[31], alt_result[52], alt_result[10], 4);
 +  b64_from_24bit (alt_result[53], alt_result[11], alt_result[32], 4);
 +  b64_from_24bit (alt_result[12], alt_result[33], alt_result[54], 4);
 +  b64_from_24bit (alt_result[34], alt_result[55], alt_result[13], 4);
 +  b64_from_24bit (alt_result[56], alt_result[14], alt_result[35], 4);
 +  b64_from_24bit (alt_result[15], alt_result[36], alt_result[57], 4);
 +  b64_from_24bit (alt_result[37], alt_result[58], alt_result[16], 4);
 +  b64_from_24bit (alt_result[59], alt_result[17], alt_result[38], 4);
 +  b64_from_24bit (alt_result[18], alt_result[39], alt_result[60], 4);
 +  b64_from_24bit (alt_result[40], alt_result[61], alt_result[19], 4);
 +  b64_from_24bit (alt_result[62], alt_result[20], alt_result[41], 4);
 +  b64_from_24bit (0, 0, alt_result[63], 2);
 +
 +  if (buflen <= 0)
 +    {
 +      errno = ERANGE;
 +      buffer = NULL;
 +    }
 +  else
 +    *cp = '\0';		/* Terminate the string.  */
 +
 +  /* Clear the buffer for the intermediate result so that people
 +     attaching to processes or reading core dumps cannot get any
 +     information.  We do it in this way to clear correct_words[]
 +     inside the SHA512 implementation as well.  */
 +  sha512_init_ctx (&ctx);
 +  sha512_finish_ctx (&ctx, alt_result);
 +  memset (temp_result, '\0', sizeof (temp_result));
 +  memset (p_bytes, '\0', key_len);
 +  memset (s_bytes, '\0', salt_len);
 +  memset (&ctx, '\0', sizeof (ctx));
 +  memset (&alt_ctx, '\0', sizeof (alt_ctx));
 +  if (copied_key != NULL)
 +    memset (copied_key, '\0', key_len);
 +  if (copied_salt != NULL)
 +    memset (copied_salt, '\0', salt_len);
 +
 +  return buffer;
 +}
 +
 +
 +/* This entry point is equivalent to the `crypt' function in Unix
 +   libcs.  */
 +char *
 +sha512_crypt (const char *key, const char *salt)
 +{
 +  /* We don't want to have an arbitrary limit in the size of the
 +     password.  We can compute an upper bound for the size of the
 +     result in advance and so we can prepare the buffer we pass to
 +     `sha512_crypt_r'.  */
 +  static char *buffer;
 +  static int buflen;
 +  int needed = (sizeof (sha512_salt_prefix) - 1
 +		+ sizeof (sha512_rounds_prefix) + 9 + 1
 +		+ strlen (salt) + 1 + 86 + 1);
 +
 +  if (buflen < needed)
 +    {
 +      char *new_buffer = (char *) realloc (buffer, needed);
 +      if (new_buffer == NULL)
 +	return NULL;
 +
 +      buffer = new_buffer;
 +      buflen = needed;
 +    }
 +
 +  return sha512_crypt_r (key, salt, buffer, buflen);
 +}
 +
 +
 +#ifdef TEST
 +static const struct
 +{
 +  const char *input;
 +  const char result[64];
 +} tests[] =
 +  {
 +    /* Test vectors from FIPS 180-2: appendix C.1.  */
 +    { "abc",
 +      "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
 +      "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
 +      "\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
 +      "\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f" },
 +    /* Test vectors from FIPS 180-2: appendix C.2.  */
 +    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
 +      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
 +      "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
 +      "\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
 +      "\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
 +      "\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09" },
 +    /* Test vectors from the NESSIE project.  */
 +    { "",
 +      "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
 +      "\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
 +      "\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
 +      "\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e" },
 +    { "a",
 +      "\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
 +      "\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
 +      "\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
 +      "\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75" },
 +    { "message digest",
 +      "\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
 +      "\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
 +      "\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
 +      "\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c" },
 +    { "abcdefghijklmnopqrstuvwxyz",
 +      "\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
 +      "\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
 +      "\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
 +      "\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1" },
 +    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +      "\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
 +      "\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
 +      "\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
 +      "\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45" },
 +    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
 +      "\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
 +      "\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
 +      "\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
 +      "\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94" },
 +    { "123456789012345678901234567890123456789012345678901234567890"
 +      "12345678901234567890",
 +      "\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
 +      "\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
 +      "\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
 +      "\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43" }
 +  };
 +#define ntests (sizeof (tests) / sizeof (tests[0]))
 +
 +
 +static const struct
 +{
 +  const char *salt;
 +  const char *input;
 +  const char *expected;
 +} tests2[] =
 +{
 +  { "$6$saltstring", "Hello world!",
 +    "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
 +    "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" },
 +  { "$6$rounds=10000$saltstringsaltstring", "Hello world!",
 +    "$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
 +    "HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." },
 +  { "$6$rounds=5000$toolongsaltstring", "This is just a test",
 +    "$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
 +    "zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0" },
 +  { "$6$rounds=1400$anotherlongsaltstring",
 +    "a very much longer text to encrypt.  This one even stretches over more"
 +    "than one line.",
 +    "$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
 +    "vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1" },
 +  { "$6$rounds=77777$short",
 +    "we have a short salt string but not a short password",
 +    "$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
 +    "ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0" },
 +  { "$6$rounds=123456$asaltof16chars..", "a short string",
 +    "$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
 +    "elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1" },
 +  { "$6$rounds=10$roundstoolow", "the minimum number is still observed",
 +    "$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
 +    "hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX." },
 +};
 +#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
 +
 +
 +int
 +main (void)
 +{
 +  struct sha512_ctx ctx;
 +  char sum[64];
 +  int result = 0;
 +  int i, cnt;
 +
 +  for (cnt = 0; cnt < (int) ntests; ++cnt)
 +    {
 +      sha512_init_ctx (&ctx);
 +      sha512_process_bytes (tests[cnt].input, strlen (tests[cnt].input), &ctx);
 +      sha512_finish_ctx (&ctx, sum);
 +      if (memcmp (tests[cnt].result, sum, 64) != 0)
 +	{
 +	  printf ("test %d run %d failed\n", cnt, 1);
 +	  result = 1;
 +	}
 +
 +      sha512_init_ctx (&ctx);
 +      for (i = 0; tests[cnt].input[i] != '\0'; ++i)
 +	sha512_process_bytes (&tests[cnt].input[i], 1, &ctx);
 +      sha512_finish_ctx (&ctx, sum);
 +      if (memcmp (tests[cnt].result, sum, 64) != 0)
 +	{
 +	  printf ("test %d run %d failed\n", cnt, 2);
 +	  result = 1;
 +	}
 +    }
 +
 +  /* Test vector from FIPS 180-2: appendix C.3.  */
 +  char buf[1000];
 +  memset (buf, 'a', sizeof (buf));
 +  sha512_init_ctx (&ctx);
 +  for (i = 0; i < 1000; ++i)
 +    sha512_process_bytes (buf, sizeof (buf), &ctx);
 +  sha512_finish_ctx (&ctx, sum);
 +  static const char expected[64] =
 +    "\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
 +    "\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
 +    "\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
 +    "\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
 +  if (memcmp (expected, sum, 64) != 0)
 +    {
 +      printf ("test %d failed\n", cnt);
 +      result = 1;
 +    }
 +
 +  for (cnt = 0; cnt < ntests2; ++cnt)
 +    {
 +      char *cp = sha512_crypt (tests2[cnt].input, tests2[cnt].salt);
 +
 +      if (strcmp (cp, tests2[cnt].expected) != 0)
 +	{
 +	  printf ("test %d: expected \"%s\", got \"%s\"\n",
 +	   	  cnt, tests2[cnt].expected, cp);
 +	  result = 1;
 +	}
 +    }
 +
 +  if (result == 0)
 +    puts ("all tests OK");
 +
 +  return result;
 +}
 +#endif
 Index: crypt.c
 ===================================================================
 RCS file: /usr0/freebsd/cvsroot/src/lib/libcrypt/crypt.c,v
 retrieving revision 1.23.32.1.4.1
 diff -u -r1.23.32.1.4.1 crypt.c
 --- crypt.c	14 Jun 2010 02:09:06 -0000	1.23.32.1.4.1
 +++ crypt.c	20 Jul 2010 04:11:44 -0000
 @@ -63,6 +63,16 @@
  		"$3$"
  	},
  	{
 +		"sha256",
 +		sha256_crypt,
 +		"$5$"
 +	},
 +	{
 +		"sha512",
 +		sha512_crypt,
 +		"$6$"
 +	},
 +	{
  		NULL,
  		NULL,
  		NULL
 Index: crypt.h
 ===================================================================
 RCS file: /usr0/freebsd/cvsroot/src/lib/libcrypt/crypt.h,v
 retrieving revision 1.8.32.1.4.1
 diff -u -r1.8.32.1.4.1 crypt.h
 --- crypt.h	14 Jun 2010 02:09:06 -0000	1.8.32.1.4.1
 +++ crypt.h	20 Jul 2010 04:11:44 -0000
 @@ -36,5 +36,7 @@
  char *crypt_md5(const char *pw, const char *salt);
  char *crypt_nthash(const char *pw, const char *salt);
  char *crypt_blowfish(const char *pw, const char *salt);
 +char *sha256_crypt (const char *pw, const char *salt);
 +char *sha512_crypt (const char *pw, const char *salt);
  
  extern void _crypt_to64(char *s, u_long v, int n);
 
 ----Next_Part(Mon_Nov_15_08_01_41_2010_891)----
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: markm 
Responsible-Changed-When: Sun Jan 30 09:50:32 UTC 2011 
Responsible-Changed-Why:  
I've done crypt(3) in the past; may as well pick this one up. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124164 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/124164: commit references a PR
Date: Sat,  9 Apr 2011 13:56:50 +0000 (UTC)

 Author: markm
 Date: Sat Apr  9 13:56:29 2011
 New Revision: 220496
 URL: http://svn.freebsd.org/changeset/base/220496
 
 Log:
   Add SHA512 (Actually, this is Colin Percival's code for SHA256, with
   relevant constants changed).
   
   While I'm here clean up the tests and Makefile.
   
   PR:		misc/124164
   Submitted by:	KIMURA Yasuhiro < yasu utahime org >
   MFC after:	1 month
 
 Added:
   head/lib/libmd/sha512.3   (contents, props changed)
   head/lib/libmd/sha512.h   (contents, props changed)
   head/lib/libmd/sha512c.c   (contents, props changed)
 Modified:
   head/lib/libmd/Makefile
   head/lib/libmd/mddriver.c
   head/lib/libmd/rmddriver.c
   head/lib/libmd/shadriver.c
 
 Modified: head/lib/libmd/Makefile
 ==============================================================================
 --- head/lib/libmd/Makefile	Sat Apr  9 13:45:13 2011	(r220495)
 +++ head/lib/libmd/Makefile	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -5,12 +5,13 @@ SHLIBDIR?= /lib
  SRCS=	md2c.c md4c.c md5c.c md2hl.c md4hl.c md5hl.c \
  	rmd160c.c rmd160hl.c \
  	sha0c.c sha0hl.c sha1c.c sha1hl.c \
 -	sha256c.c sha256hl.c
 -INCS=	md2.h md4.h md5.h ripemd.h sha.h sha256.h
 +	sha256c.c sha256hl.c \
 +	sha512c.c sha512hl.c
 +INCS=	md2.h md4.h md5.h ripemd.h sha.h sha256.h sha512.h
  
  WARNS?=	0
  
 -MAN+=	md2.3 md4.3 md5.3 ripemd.3 sha.3 sha256.3
 +MAN+=	md2.3 md4.3 md5.3 ripemd.3 sha.3 sha256.3 sha512.3
  MLINKS+=md2.3 MD2Init.3 md2.3 MD2Update.3 md2.3 MD2Final.3
  MLINKS+=md2.3 MD2End.3  md2.3 MD2File.3   md2.3 MD2FileChunk.3
  MLINKS+=md2.3 MD2Data.3
 @@ -34,10 +35,15 @@ MLINKS+=sha256.3 SHA256_Init.3  sha256.3
  MLINKS+=sha256.3 SHA256_Final.3 sha256.3 SHA256_End.3
  MLINKS+=sha256.3 SHA256_File.3  sha256.3 SHA256_FileChunk.3
  MLINKS+=sha256.3 SHA256_Data.3
 +MLINKS+=sha512.3 SHA512_Init.3  sha512.3 SHA512_Update.3
 +MLINKS+=sha512.3 SHA512_Final.3 sha512.3 SHA512_End.3
 +MLINKS+=sha512.3 SHA512_File.3  sha512.3 SHA512_FileChunk.3
 +MLINKS+=sha512.3 SHA512_Data.3
  CLEANFILES+=	md[245]hl.c md[245].ref md[245].3 mddriver \
  		rmd160.ref rmd160hl.c rmddriver \
  		sha0.ref sha0hl.c sha1.ref sha1hl.c shadriver \
 -		sha256.ref sha256hl.c
 +		sha256.ref sha256hl.c sha512.ref sha512hl.c
 +
  CFLAGS+= -I${.CURDIR}
  .PATH: ${.CURDIR}/${MACHINE_ARCH}
  
 @@ -81,6 +87,12 @@ sha256hl.c: mdXhl.c
  			-e  's/SHA256__/SHA256_/g' \
  		${.ALLSRC}) > ${.TARGET}
  
 +sha512hl.c: mdXhl.c
 +	(echo '#define LENGTH 64'; \
 +		sed -e 's/mdX/sha512/g' -e 's/MDX/SHA512_/g'	\
 +			-e  's/SHA512__/SHA512_/g' \
 +		${.ALLSRC}) > ${.TARGET}
 +
  rmd160hl.c: mdXhl.c
  	(echo '#define LENGTH 20'; \
  		sed -e 's/mdX/ripemd/g' -e 's/MDX/RIPEMD160_/g' \
 @@ -110,8 +122,10 @@ md4.ref:
  	@echo 'MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d' >> ${.TARGET}
  	@echo 'MD4 ("message digest") = d9130a8164549fe818874806e1c7014b' >> ${.TARGET}
  	@echo 'MD4 ("abcdefghijklmnopqrstuvwxyz") = d79e1c308aa5bbcdeea8ed63df412da9' >> ${.TARGET}
 -	@echo 'MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 043f8582f241db351ce627e153e7f0e4' >> ${.TARGET}
 -	@echo 'MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = e33b4ddc9c38f2199c3e7b164fcc0536' >> ${.TARGET}
 +	@echo 'MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'043f8582f241db351ce627e153e7f0e4' >> ${.TARGET}
 +	@echo 'MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'e33b4ddc9c38f2199c3e7b164fcc0536' >> ${.TARGET}
  
  md5.ref:
  	echo 'MD5 test suite:' > ${.TARGET}
 @@ -124,54 +138,74 @@ md5.ref:
  	@echo 'MD5 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 57edf4a22be3c955ac49da2e2107b67a' >> ${.TARGET}
  
  sha0.ref:
 -	(echo 'SHA-0 test suite:'; \
 -	echo 'SHA-0 ("") = f96cea198ad1dd5617ac084a3d92c6107708c0ef'; \
 -	echo 'SHA-0 ("abc") = 0164b8a914cd2a5e74c4f7ff082c4d97f1edf880'; \
 -	echo 'SHA-0 ("message digest") =' \
 -		'c1b0f222d150ebb9aa36a40cafdc8bcbed830b14'; \
 -	echo 'SHA-0 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'b40ce07a430cfd3c033039b9fe9afec95dc1bdcd'; \
 -	echo 'SHA-0 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'79e966f7a3a990df33e40e3d7f8f18d2caebadfa'; \
 -	echo 'SHA-0 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'4aa29d14d171522ece47bee8957e35a41f3e9cff' ) > ${.TARGET}
 +	echo 'SHA-0 test suite:' > ${.TARGET}
 +	@echo 'SHA-0 ("") = f96cea198ad1dd5617ac084a3d92c6107708c0ef' >> ${.TARGET}
 +	@echo 'SHA-0 ("abc") = 0164b8a914cd2a5e74c4f7ff082c4d97f1edf880' >> ${.TARGET}
 +	@echo 'SHA-0 ("message digest") =' \
 +		'c1b0f222d150ebb9aa36a40cafdc8bcbed830b14' >> ${.TARGET}
 +	@echo 'SHA-0 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'b40ce07a430cfd3c033039b9fe9afec95dc1bdcd' >> ${.TARGET}
 +	@echo 'SHA-0 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'79e966f7a3a990df33e40e3d7f8f18d2caebadfa' >> ${.TARGET}
 +	@echo 'SHA-0 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'4aa29d14d171522ece47bee8957e35a41f3e9cff' >> ${.TARGET}
  
  sha1.ref:
 -	(echo 'SHA-1 test suite:'; \
 -	echo 'SHA-1 ("") = da39a3ee5e6b4b0d3255bfef95601890afd80709'; \
 -	echo 'SHA-1 ("abc") = a9993e364706816aba3e25717850c26c9cd0d89d'; \
 -	echo 'SHA-1 ("message digest") =' \
 -		'c12252ceda8be8994d5fa0290a47231c1d16aae3'; \
 -	echo 'SHA-1 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'32d10c7b8cf96570ca04ce37f2a19d84240d3a89'; \
 -	echo 'SHA-1 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'761c457bf73b14d27e9e9265c46f4b4dda11f940'; \
 -	echo 'SHA-1 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'50abf5706a150990a08b2c5ea40fa0e585554732' ) > ${.TARGET}
 +	echo 'SHA-1 test suite:' > ${.TARGET}
 +	@echo 'SHA-1 ("") = da39a3ee5e6b4b0d3255bfef95601890afd80709' >> ${.TARGET}
 +	@echo 'SHA-1 ("abc") = a9993e364706816aba3e25717850c26c9cd0d89d' >> ${.TARGET}
 +	@echo 'SHA-1 ("message digest") =' \
 +		'c12252ceda8be8994d5fa0290a47231c1d16aae3' >> ${.TARGET}
 +	@echo 'SHA-1 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'32d10c7b8cf96570ca04ce37f2a19d84240d3a89' >> ${.TARGET}
 +	@echo 'SHA-1 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'761c457bf73b14d27e9e9265c46f4b4dda11f940' >> ${.TARGET}
 +	@echo 'SHA-1 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'50abf5706a150990a08b2c5ea40fa0e585554732' >> ${.TARGET}
  
  sha256.ref:
  	echo 'SHA-256 test suite:' > ${.TARGET}
  	@echo 'SHA-256 ("") = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' >> ${.TARGET}
 -	@echo 'SHA-256 ("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad' >> ${.TARGET}
 -	@echo 'SHA-256 ("message digest") = f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650' >> ${.TARGET}
 -	@echo 'SHA-256 ("abcdefghijklmnopqrstuvwxyz") = 71c480df93d6ae2f1efad1447c66c9525e316218cf51fc8d9ed832f2daf18b73' >> ${.TARGET}
 -	@echo 'SHA-256 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = db4bfcbd4da0cd85a60c3c37d3fbd8805c77f15fc6b1fdfe614ee0a7c8fdb4c0' >> ${.TARGET}
 -	@echo 'SHA-256 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = f371bc4a311f2b009eef952dd83ca80e2b60026c8e935592d0f9c308453c813e' >> ${.TARGET}
 +	@echo 'SHA-256 ("abc") =' \
 +		'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad' >> ${.TARGET}
 +	@echo 'SHA-256 ("message digest") =' \
 +		'f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650' >> ${.TARGET}
 +	@echo 'SHA-256 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'71c480df93d6ae2f1efad1447c66c9525e316218cf51fc8d9ed832f2daf18b73' >> ${.TARGET}
 +	@echo 'SHA-256 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'db4bfcbd4da0cd85a60c3c37d3fbd8805c77f15fc6b1fdfe614ee0a7c8fdb4c0' >> ${.TARGET}
 +	@echo 'SHA-256 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'f371bc4a311f2b009eef952dd83ca80e2b60026c8e935592d0f9c308453c813e' >> ${.TARGET}
 +
 +sha512.ref:
 +	echo 'SHA-512 test suite:' > ${.TARGET}
 +	@echo 'SHA-512 ("") =' \
 +		'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e' >> ${.TARGET}
 +	@echo 'SHA-512 ("abc") =' \
 +		'ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f' >> ${.TARGET}
 +	@echo 'SHA-512 ("message digest") =' \
 +		'107dbf389d9e9f71a3a95f6c055b9251bc5268c2be16d6c13492ea45b0199f3309e16455ab1e96118e8a905d5597b72038ddb372a89826046de66687bb420e7c' >> ${.TARGET}
 +	@echo 'SHA-512 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'4dbff86cc2ca1bae1e16468a05cb9881c97f1753bce3619034898faa1aabe429955a1bf8ec483d7421fe3c1646613a59ed5441fb0f321389f77f48a879c7b1f1' >> ${.TARGET}
 +	@echo 'SHA-512 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'1e07be23c26a86ea37ea810c8ec7809352515a970e9253c26f536cfc7a9996c45c8370583e0a78fa4a90041d71a4ceab7423f19c71b9d5a3e01249f0bebd5894' >> ${.TARGET}
 +	@echo 'SHA-512 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'72ec1ef1124a45b047e8b7c75a932195135bb61de24ec0d1914042246e0aec3a2354e093d76f3048b456764346900cb130d2a4fd5dd16abb5e30bcb850dee843' >> ${.TARGET}
  
  rmd160.ref:
 -	(echo 'RIPEMD160 test suite:'; \
 -	echo 'RIPEMD160 ("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31'; \
 -	echo 'RIPEMD160 ("abc") = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc'; \
 -	echo 'RIPEMD160 ("message digest") =' \
 -		'5d0689ef49d2fae572b881b123a85ffa21595f36'; \
 -	echo 'RIPEMD160 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'f71c27109c692c1b56bbdceb5b9d2865b3708dbc'; \
 -	echo 'RIPEMD160 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'b0e20b6e3116640286ed3a87a5713079b21f5189'; \
 -	echo 'RIPEMD160 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'9b752e45573d4b39f4dbd3323cab82bf63326bfb' ) > ${.TARGET}
 +	echo 'RIPEMD160 test suite:' > ${.TARGET}
 +	@echo 'RIPEMD160 ("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("abc") = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("message digest") =' \
 +		'5d0689ef49d2fae572b881b123a85ffa21595f36' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'f71c27109c692c1b56bbdceb5b9d2865b3708dbc' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'b0e20b6e3116640286ed3a87a5713079b21f5189' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'9b752e45573d4b39f4dbd3323cab82bf63326bfb' >> ${.TARGET}
  
 -test:	md2.ref md4.ref md5.ref sha0.ref rmd160.ref sha1.ref sha256.ref
 +test:	md2.ref md4.ref md5.ref sha0.ref rmd160.ref sha1.ref sha256.ref sha512.ref
  	@${ECHO} if any of these test fail, the code produces wrong results
  	@${ECHO} and should NOT be used.
  	${CC} ${CFLAGS} ${LDFLAGS} -DMD=2 -o mddriver ${.CURDIR}/mddriver.c ./libmd.a
 @@ -197,6 +231,9 @@ test:	md2.ref md4.ref md5.ref sha0.ref r
  	${CC} ${CFLAGS} ${LDFLAGS} -DSHA=256 -o shadriver ${.CURDIR}/shadriver.c libmd.a
  	./shadriver | cmp sha256.ref -
  	@${ECHO} SHA-256 passed test
 +	${CC} ${CFLAGS} ${LDFLAGS} -DSHA=512 -o shadriver ${.CURDIR}/shadriver.c libmd.a
 +	./shadriver | cmp sha512.ref -
 +	@${ECHO} SHA-512 passed test
  	-rm -f shadriver
  
  .include <bsd.lib.mk>
 
 Modified: head/lib/libmd/mddriver.c
 ==============================================================================
 --- head/lib/libmd/mddriver.c	Sat Apr  9 13:45:13 2011	(r220495)
 +++ head/lib/libmd/mddriver.c	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -1,33 +1,31 @@
 -/* MDDRIVER.C - test driver for MD2, MD4 and MD5
 - */
 +/* MDDRIVER.C - test driver for MD2, MD4 and MD5 */
 +
 +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights
 + * reserved.
 + * 
 + * RSA Data Security, Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + * 
 + * These notices must be retained in any copies of any part of this
 + * documentation and/or software. */
  
  #include <sys/cdefs.h>
  __FBSDID("$FreeBSD$");
  
 -/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
 -   rights reserved.
 -
 -   RSA Data Security, Inc. makes no representations concerning either
 -   the merchantability of this software or the suitability of this
 -   software for any particular purpose. It is provided "as is"
 -   without express or implied warranty of any kind.
 -
 -   These notices must be retained in any copies of any part of this
 -   documentation and/or software.
 - */
 -
 -/* The following makes MD default to MD5 if it has not already been
 -     defined with C compiler flags.
 - */
 -#ifndef MD
 -#define MD 5
 -#endif
 -
  #include <sys/types.h>
  
  #include <stdio.h>
  #include <time.h>
  #include <string.h>
 +
 +/* The following makes MD default to MD5 if it has not already been defined
 + * with C compiler flags. */
 +#ifndef MD
 +#define MD 5
 +#endif
 +
  #if MD == 2
  #include "md2.h"
  #define MDData MD2Data
 @@ -41,32 +39,31 @@ __FBSDID("$FreeBSD$");
  #define MDData MD5Data
  #endif
  
 -/* Digests a string and prints the result.
 - */
 -static void MDString (string)
 -char *string;
 +/* Digests a string and prints the result. */
 +static void 
 +MDString(char *string)
  {
 -  char buf[33];
 +	char buf[33];
  
 -  printf ("MD%d (\"%s\") = %s\n", 
 -	MD, string, MDData(string,strlen(string),buf));
 +	printf("MD%d (\"%s\") = %s\n",
 +	       MD, string, MDData(string, strlen(string), buf));
  }
  
 -/* Digests a reference suite of strings and prints the results.
 - */
 -main()
 +/* Digests a reference suite of strings and prints the results. */
 +int
 +main(void)
  {
 -  printf ("MD%d test suite:\n", MD);
 +	printf("MD%d test suite:\n", MD);
 +
 +	MDString("");
 +	MDString("a");
 +	MDString("abc");
 +	MDString("message digest");
 +	MDString("abcdefghijklmnopqrstuvwxyz");
 +	MDString("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 +		"abcdefghijklmnopqrstuvwxyz0123456789");
 +	MDString("1234567890123456789012345678901234567890"
 +		"1234567890123456789012345678901234567890");
  
 -  MDString ("");
 -  MDString ("a");
 -  MDString ("abc");
 -  MDString ("message digest");
 -  MDString ("abcdefghijklmnopqrstuvwxyz");
 -  MDString
 -    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
 -  MDString
 -    ("1234567890123456789012345678901234567890\
 -1234567890123456789012345678901234567890");
 -  return 0;
 +	return 0;
  }
 
 Modified: head/lib/libmd/rmddriver.c
 ==============================================================================
 --- head/lib/libmd/rmddriver.c	Sat Apr  9 13:45:13 2011	(r220495)
 +++ head/lib/libmd/rmddriver.c	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -1,53 +1,51 @@
 -/* RIPEMD160DRIVER.C - test driver for RIPEMD160
 - */
 +/* RIPEMD160DRIVER.C - test driver for RIPEMD160 */
 +
 +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights
 + * reserved.
 + * 
 + * RSA Data Security, Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + * 
 + * These notices must be retained in any copies of any part of this
 + * documentation and/or software. */
  
  #include <sys/cdefs.h>
  __FBSDID("$FreeBSD$");
  
 -/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
 -   rights reserved.
 -
 -   RSA Data Security, Inc. makes no representations concerning either
 -   the merchantability of this software or the suitability of this
 -   software for any particular purpose. It is provided "as is"
 -   without express or implied warranty of any kind.
 -
 -   These notices must be retained in any copies of any part of this
 -   documentation and/or software.
 - */
 -
  #include <sys/types.h>
  
  #include <stdio.h>
  #include <time.h>
  #include <string.h>
 +
  #include "ripemd.h"
  
 -/* Digests a string and prints the result.
 - */
 -static void RIPEMD160String (string)
 -char *string;
 +/* Digests a string and prints the result. */
 +static void 
 +RIPEMD160String(char *string)
  {
 -  char buf[2*20+1];
 +	char buf[2*20 + 1];
  
 -  printf ("RIPEMD160 (\"%s\") = %s\n", 
 -	string, RIPEMD160_Data(string,strlen(string),buf));
 +	printf("RIPEMD160 (\"%s\") = %s\n",
 +	       string, RIPEMD160_Data(string, strlen(string), buf));
  }
  
 -/* Digests a reference suite of strings and prints the results.
 - */
 -main()
 +/* Digests a reference suite of strings and prints the results. */
 +int
 +main(void)
  {
 -  printf ("RIPEMD160 test suite:\n");
 +	printf("RIPEMD160 test suite:\n");
 +
 +	RIPEMD160String("");
 +	RIPEMD160String("abc");
 +	RIPEMD160String("message digest");
 +	RIPEMD160String("abcdefghijklmnopqrstuvwxyz");
 +	RIPEMD160String("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 +		"abcdefghijklmnopqrstuvwxyz0123456789");
 +	RIPEMD160String("1234567890123456789012345678901234567890"
 +		"1234567890123456789012345678901234567890");
  
 -  RIPEMD160String ("");
 -  RIPEMD160String ("abc");
 -  RIPEMD160String ("message digest");
 -  RIPEMD160String ("abcdefghijklmnopqrstuvwxyz");
 -  RIPEMD160String
 -    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
 -  RIPEMD160String
 -    ("1234567890123456789012345678901234567890\
 -1234567890123456789012345678901234567890");
 -  return 0;
 +	return 0;
  }
 
 Added: head/lib/libmd/sha512.3
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libmd/sha512.3	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -0,0 +1,139 @@
 +.\"
 +.\" ----------------------------------------------------------------------------
 +.\" "THE BEER-WARE LICENSE" (Revision 42):
 +.\" <phk@FreeBSD.org> wrote this file.  As long as you retain this notice you
 +.\" can do whatever you want with this stuff. If we meet some day, and you think
 +.\" this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 +.\" ----------------------------------------------------------------------------
 +.\"
 +.\" 	From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp
 +.\" $FreeBSD$
 +.\"
 +.Dd April 1, 2011
 +.Dt SHA512 3
 +.Os
 +.Sh NAME
 +.Nm SHA512_Init ,
 +.Nm SHA512_Update ,
 +.Nm SHA512_Final ,
 +.Nm SHA512_End ,
 +.Nm SHA512_File ,
 +.Nm SHA512_FileChunk ,
 +.Nm SHA512_Data
 +.Nd calculate the FIPS 180-2 ``SHA-512'' message digest
 +.Sh LIBRARY
 +.Lb libmd
 +.Sh SYNOPSIS
 +.In sys/types.h
 +.In sha512.h
 +.Ft void
 +.Fn SHA512_Init "SHA512_CTX *context"
 +.Ft void
 +.Fn SHA512_Update "SHA512_CTX *context" "const unsigned char *data" "size_t len"
 +.Ft void
 +.Fn SHA512_Final "unsigned char digest[64]" "SHA512_CTX *context"
 +.Ft "char *"
 +.Fn SHA512_End "SHA512_CTX *context" "char *buf"
 +.Ft "char *"
 +.Fn SHA512_File "const char *filename" "char *buf"
 +.Ft "char *"
 +.Fn SHA512_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length"
 +.Ft "char *"
 +.Fn SHA512_Data "const unsigned char *data" "unsigned int len" "char *buf"
 +.Sh DESCRIPTION
 +The
 +.Li SHA512_
 +functions calculate a 512-bit cryptographic checksum (digest)
 +for any number of input bytes.
 +A cryptographic checksum is a one-way
 +hash function; that is, it is computationally impractical to find
 +the input corresponding to a particular output.
 +This net result is
 +a
 +.Dq fingerprint
 +of the input-data, which does not disclose the actual input.
 +.Pp
 +The
 +.Fn SHA512_Init ,
 +.Fn SHA512_Update ,
 +and
 +.Fn SHA512_Final
 +functions are the core functions.
 +Allocate an
 +.Vt SHA512_CTX ,
 +initialize it with
 +.Fn SHA512_Init ,
 +run over the data with
 +.Fn SHA512_Update ,
 +and finally extract the result using
 +.Fn SHA512_Final .
 +.Pp
 +.Fn SHA512_End
 +is a wrapper for
 +.Fn SHA512_Final
 +which converts the return value to a 65-character
 +(including the terminating '\e0')
 +.Tn ASCII
 +string which represents the 512 bits in hexadecimal.
 +.Pp
 +.Fn SHA512_File
 +calculates the digest of a file, and uses
 +.Fn SHA512_End
 +to return the result.
 +If the file cannot be opened, a null pointer is returned.
 +.Fn SHA512_FileChunk
 +is similar to
 +.Fn SHA512_File ,
 +but it only calculates the digest over a byte-range of the file specified,
 +starting at
 +.Fa offset
 +and spanning
 +.Fa length
 +bytes.
 +If the
 +.Fa length
 +parameter is specified as 0, or more than the length of the remaining part
 +of the file,
 +.Fn SHA512_FileChunk
 +calculates the digest from
 +.Fa offset
 +to the end of file.
 +.Fn SHA512_Data
 +calculates the digest of a chunk of data in memory, and uses
 +.Fn SHA512_End
 +to return the result.
 +.Pp
 +When using
 +.Fn SHA512_End ,
 +.Fn SHA512_File ,
 +or
 +.Fn SHA512_Data ,
 +the
 +.Fa buf
 +argument can be a null pointer, in which case the returned string
 +is allocated with
 +.Xr malloc 3
 +and subsequently must be explicitly deallocated using
 +.Xr free 3
 +after use.
 +If the
 +.Fa buf
 +argument is non-null it must point to at least 65 characters of buffer space.
 +.Sh SEE ALSO
 +.Xr md2 3 ,
 +.Xr md4 3 ,
 +.Xr md5 3 ,
 +.Xr ripemd 3 ,
 +.Xr sha 3
 +.Sh HISTORY
 +These functions appeared in
 +.Fx 4.0 .
 +.Sh AUTHORS
 +The core hash routines were implemented by Colin Percival based on
 +the published
 +.Tn FIPS 180-2
 +standard.
 +.Sh BUGS
 +No method is known to exist which finds two files having the same hash value,
 +nor to find a file with a specific hash value.
 +There is on the other hand no guarantee that such a method does not exist.
 
 Added: head/lib/libmd/sha512.h
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libmd/sha512.h	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -0,0 +1,50 @@
 +/*-
 + * Copyright 2005 Colin Percival
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + *
 + * $FreeBSD$
 + */
 +
 +#ifndef _SHA512_H_
 +#define _SHA512_H_
 +
 +#include <sys/types.h>
 +
 +typedef struct SHA512Context {
 +	uint64_t state[8];
 +	uint64_t count[2];
 +	unsigned char buf[128];
 +} SHA512_CTX;
 +
 +__BEGIN_DECLS
 +void	SHA512_Init(SHA512_CTX *);
 +void	SHA512_Update(SHA512_CTX *, const void *, size_t);
 +void	SHA512_Final(unsigned char [64], SHA512_CTX *);
 +char   *SHA512_End(SHA512_CTX *, char *);
 +char   *SHA512_File(const char *, char *);
 +char   *SHA512_FileChunk(const char *, char *, off_t, off_t);
 +char   *SHA512_Data(const void *, unsigned int, char *);
 +__END_DECLS
 +
 +#endif /* !_SHA512_H_ */
 
 Added: head/lib/libmd/sha512c.c
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libmd/sha512c.c	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -0,0 +1,320 @@
 +/*-
 + * Copyright 2005 Colin Percival
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + */
 +
 +#include <sys/cdefs.h>
 +__FBSDID("$FreeBSD$");
 +
 +#include <sys/endian.h>
 +#include <sys/types.h>
 +
 +#include <string.h>
 +
 +#include "sha512.h"
 +
 +#if BYTE_ORDER == BIG_ENDIAN
 +
 +/* Copy a vector of big-endian uint64_t into a vector of bytes */
 +#define be64enc_vect(dst, src, len)	\
 +	memcpy((void *)dst, (const void *)src, (size_t)len)
 +
 +/* Copy a vector of bytes into a vector of big-endian uint64_t */
 +#define be64dec_vect(dst, src, len)	\
 +	memcpy((void *)dst, (const void *)src, (size_t)len)
 +
 +#else /* BYTE_ORDER != BIG_ENDIAN */
 +
 +/*
 + * Encode a length len/4 vector of (uint64_t) into a length len vector of
 + * (unsigned char) in big-endian form.  Assumes len is a multiple of 8.
 + */
 +static void
 +be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
 +{
 +	size_t i;
 +
 +	for (i = 0; i < len / 8; i++)
 +		be64enc(dst + i * 8, src[i]);
 +}
 +
 +/*
 + * Decode a big-endian length len vector of (unsigned char) into a length
 + * len/4 vector of (uint64_t).  Assumes len is a multiple of 8.
 + */
 +static void
 +be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
 +{
 +	size_t i;
 +
 +	for (i = 0; i < len / 8; i++)
 +		dst[i] = be64dec(src + i * 8);
 +}
 +
 +#endif /* BYTE_ORDER != BIG_ENDIAN */
 +
 +/* Elementary functions used by SHA512 */
 +#define Ch(x, y, z)	((x & (y ^ z)) ^ z)
 +#define Maj(x, y, z)	((x & (y | z)) | (y & z))
 +#define SHR(x, n)	(x >> n)
 +#define ROTR(x, n)	((x >> n) | (x << (64 - n)))
 +#define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
 +#define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
 +#define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
 +#define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
 +
 +/* SHA512 round function */
 +#define RND(a, b, c, d, e, f, g, h, k)			\
 +	t0 = h + S1(e) + Ch(e, f, g) + k;		\
 +	t1 = S0(a) + Maj(a, b, c);			\
 +	d += t0;					\
 +	h  = t0 + t1;
 +
 +/* Adjusted round function for rotating state */
 +#define RNDr(S, W, i, k)			\
 +	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\
 +	    S[(82 - i) % 8], S[(83 - i) % 8],	\
 +	    S[(84 - i) % 8], S[(85 - i) % 8],	\
 +	    S[(86 - i) % 8], S[(87 - i) % 8],	\
 +	    W[i] + k)
 +
 +/*
 + * SHA512 block compression function.  The 512-bit state is transformed via
 + * the 512-bit input block to produce a new state.
 + */
 +static void
 +SHA512_Transform(uint64_t * state, const unsigned char block[128])
 +{
 +	uint64_t W[80];
 +	uint64_t S[8];
 +	uint64_t t0, t1;
 +	int i;
 +
 +	/* 1. Prepare message schedule W. */
 +	be64dec_vect(W, block, 128);
 +	for (i = 16; i < 80; i++)
 +		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
 +
 +	/* 2. Initialize working variables. */
 +	memcpy(S, state, 64);
 +
 +	/* 3. Mix. */
 +	RNDr(S, W, 0, 0x428a2f98d728ae22ULL);
 +	RNDr(S, W, 1, 0x7137449123ef65cdULL);
 +	RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL);
 +	RNDr(S, W, 3, 0xe9b5dba58189dbbcULL);
 +	RNDr(S, W, 4, 0x3956c25bf348b538ULL);
 +	RNDr(S, W, 5, 0x59f111f1b605d019ULL);
 +	RNDr(S, W, 6, 0x923f82a4af194f9bULL);
 +	RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL);
 +	RNDr(S, W, 8, 0xd807aa98a3030242ULL);
 +	RNDr(S, W, 9, 0x12835b0145706fbeULL);
 +	RNDr(S, W, 10, 0x243185be4ee4b28cULL);
 +	RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL);
 +	RNDr(S, W, 12, 0x72be5d74f27b896fULL);
 +	RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL);
 +	RNDr(S, W, 14, 0x9bdc06a725c71235ULL);
 +	RNDr(S, W, 15, 0xc19bf174cf692694ULL);
 +	RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL);
 +	RNDr(S, W, 17, 0xefbe4786384f25e3ULL);
 +	RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL);
 +	RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL);
 +	RNDr(S, W, 20, 0x2de92c6f592b0275ULL);
 +	RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL);
 +	RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL);
 +	RNDr(S, W, 23, 0x76f988da831153b5ULL);
 +	RNDr(S, W, 24, 0x983e5152ee66dfabULL);
 +	RNDr(S, W, 25, 0xa831c66d2db43210ULL);
 +	RNDr(S, W, 26, 0xb00327c898fb213fULL);
 +	RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL);
 +	RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL);
 +	RNDr(S, W, 29, 0xd5a79147930aa725ULL);
 +	RNDr(S, W, 30, 0x06ca6351e003826fULL);
 +	RNDr(S, W, 31, 0x142929670a0e6e70ULL);
 +	RNDr(S, W, 32, 0x27b70a8546d22ffcULL);
 +	RNDr(S, W, 33, 0x2e1b21385c26c926ULL);
 +	RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL);
 +	RNDr(S, W, 35, 0x53380d139d95b3dfULL);
 +	RNDr(S, W, 36, 0x650a73548baf63deULL);
 +	RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL);
 +	RNDr(S, W, 38, 0x81c2c92e47edaee6ULL);
 +	RNDr(S, W, 39, 0x92722c851482353bULL);
 +	RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL);
 +	RNDr(S, W, 41, 0xa81a664bbc423001ULL);
 +	RNDr(S, W, 42, 0xc24b8b70d0f89791ULL);
 +	RNDr(S, W, 43, 0xc76c51a30654be30ULL);
 +	RNDr(S, W, 44, 0xd192e819d6ef5218ULL);
 +	RNDr(S, W, 45, 0xd69906245565a910ULL);
 +	RNDr(S, W, 46, 0xf40e35855771202aULL);
 +	RNDr(S, W, 47, 0x106aa07032bbd1b8ULL);
 +	RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL);
 +	RNDr(S, W, 49, 0x1e376c085141ab53ULL);
 +	RNDr(S, W, 50, 0x2748774cdf8eeb99ULL);
 +	RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL);
 +	RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL);
 +	RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL);
 +	RNDr(S, W, 54, 0x5b9cca4f7763e373ULL);
 +	RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL);
 +	RNDr(S, W, 56, 0x748f82ee5defb2fcULL);
 +	RNDr(S, W, 57, 0x78a5636f43172f60ULL);
 +	RNDr(S, W, 58, 0x84c87814a1f0ab72ULL);
 +	RNDr(S, W, 59, 0x8cc702081a6439ecULL);
 +	RNDr(S, W, 60, 0x90befffa23631e28ULL);
 +	RNDr(S, W, 61, 0xa4506cebde82bde9ULL);
 +	RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL);
 +	RNDr(S, W, 63, 0xc67178f2e372532bULL);
 +	RNDr(S, W, 64, 0xca273eceea26619cULL);
 +	RNDr(S, W, 65, 0xd186b8c721c0c207ULL);
 +	RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL);
 +	RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL);
 +	RNDr(S, W, 68, 0x06f067aa72176fbaULL);
 +	RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL);
 +	RNDr(S, W, 70, 0x113f9804bef90daeULL);
 +	RNDr(S, W, 71, 0x1b710b35131c471bULL);
 +	RNDr(S, W, 72, 0x28db77f523047d84ULL);
 +	RNDr(S, W, 73, 0x32caab7b40c72493ULL);
 +	RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL);
 +	RNDr(S, W, 75, 0x431d67c49c100d4cULL);
 +	RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL);
 +	RNDr(S, W, 77, 0x597f299cfc657e2aULL);
 +	RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL);
 +	RNDr(S, W, 79, 0x6c44198c4a475817ULL);
 +
 +	/* 4. Mix local working variables into global state */
 +	for (i = 0; i < 8; i++)
 +		state[i] += S[i];
 +}
 +
 +static unsigned char PAD[128] = {
 +	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 +};
 +
 +/* Add padding and terminating bit-count. */
 +static void
 +SHA512_Pad(SHA512_CTX * ctx)
 +{
 +	unsigned char len[16];
 +	uint64_t r, plen;
 +
 +	/*
 +	 * Convert length to a vector of bytes -- we do this now rather
 +	 * than later because the length will change after we pad.
 +	 */
 +	be64enc_vect(len, ctx->count, 16);
 +
 +	/* Add 1--128 bytes so that the resulting length is 112 mod 128 */
 +	r = (ctx->count[1] >> 3) & 0x7f;
 +	plen = (r < 112) ? (112 - r) : (240 - r);
 +	SHA512_Update(ctx, PAD, (size_t)plen);
 +
 +	/* Add the terminating bit-count */
 +	SHA512_Update(ctx, len, 16);
 +}
 +
 +/* SHA-512 initialization.  Begins a SHA-512 operation. */
 +void
 +SHA512_Init(SHA512_CTX * ctx)
 +{
 +
 +	/* Zero bits processed so far */
 +	ctx->count[0] = ctx->count[1] = 0;
 +
 +	/* Magic initialization constants */
 +	ctx->state[0] = 0x6a09e667f3bcc908ULL;
 +	ctx->state[1] = 0xbb67ae8584caa73bULL;
 +	ctx->state[2] = 0x3c6ef372fe94f82bULL;
 +	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
 +	ctx->state[4] = 0x510e527fade682d1ULL;
 +	ctx->state[5] = 0x9b05688c2b3e6c1fULL;
 +	ctx->state[6] = 0x1f83d9abfb41bd6bULL;
 +	ctx->state[7] = 0x5be0cd19137e2179ULL;
 +}
 +
 +/* Add bytes into the hash */
 +void
 +SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
 +{
 +	uint64_t bitlen[2];
 +	uint64_t r;
 +	const unsigned char *src = in;
 +
 +	/* Number of bytes left in the buffer from previous updates */
 +	r = (ctx->count[1] >> 3) & 0x7f;
 +
 +	/* Convert the length into a number of bits */
 +	bitlen[1] = ((uint64_t)len) << 3;
 +	bitlen[0] = ((uint64_t)len) >> 61;
 +
 +	/* Update number of bits */
 +	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
 +		ctx->count[0]++;
 +	ctx->count[0] += bitlen[0];
 +
 +	/* Handle the case where we don't need to perform any transforms */
 +	if (len < 128 - r) {
 +		memcpy(&ctx->buf[r], src, len);
 +		return;
 +	}
 +
 +	/* Finish the current block */
 +	memcpy(&ctx->buf[r], src, 128 - r);
 +	SHA512_Transform(ctx->state, ctx->buf);
 +	src += 128 - r;
 +	len -= 128 - r;
 +
 +	/* Perform complete blocks */
 +	while (len >= 128) {
 +		SHA512_Transform(ctx->state, src);
 +		src += 128;
 +		len -= 128;
 +	}
 +
 +	/* Copy left over data into buffer */
 +	memcpy(ctx->buf, src, len);
 +}
 +
 +/*
 + * SHA-512 finalization.  Pads the input data, exports the hash value,
 + * and clears the context state.
 + */
 +void
 +SHA512_Final(unsigned char digest[64], SHA512_CTX * ctx)
 +{
 +
 +	/* Add padding */
 +	SHA512_Pad(ctx);
 +
 +	/* Write the hash */
 +	be64enc_vect(digest, ctx->state, 64);
 +
 +	/* Clear the context state */
 +	memset((void *)ctx, 0, sizeof(*ctx));
 +}
 
 Modified: head/lib/libmd/shadriver.c
 ==============================================================================
 --- head/lib/libmd/shadriver.c	Sat Apr  9 13:45:13 2011	(r220495)
 +++ head/lib/libmd/shadriver.c	Sat Apr  9 13:56:29 2011	(r220496)
 @@ -1,66 +1,67 @@
 -/* SHADRIVER.C - test driver for SHA-1 (and SHA-0)
 - */
 +/* SHADRIVER.C - test driver for SHA-1 (and SHA-2) */
 +
 +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights
 + * reserved.
 + * 
 + * RSA Data Security, Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + * 
 + * These notices must be retained in any copies of any part of this
 + * documentation and/or software. */
  
  #include <sys/cdefs.h>
  __FBSDID("$FreeBSD$");
  
 -/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
 -   rights reserved.
 -
 -   RSA Data Security, Inc. makes no representations concerning either
 -   the merchantability of this software or the suitability of this
 -   software for any particular purpose. It is provided "as is"
 -   without express or implied warranty of any kind.
 -
 -   These notices must be retained in any copies of any part of this
 -   documentation and/or software.
 - */
 -
 -/* The following makes SHA default to SHA-1 if it has not already been
 -     defined with C compiler flags.
 - */
 -#ifndef SHA
 -#define SHA 1
 -#endif
 -
  #include <sys/types.h>
  
  #include <stdio.h>
  #include <time.h>
  #include <string.h>
 +
  #include "sha.h"
  #include "sha256.h"
 +#include "sha512.h"
 +
 +/* The following makes SHA default to SHA-1 if it has not already been
 + * defined with C compiler flags. */
 +#ifndef SHA
 +#define SHA 1
 +#endif
 +
  #if SHA == 1
  #define SHA_Data SHA1_Data
  #elif SHA == 256
  #define SHA_Data SHA256_Data
 +#elif SHA == 512
 +#define SHA_Data SHA512_Data
  #endif
  
 -/* Digests a string and prints the result.
 - */
 -static void SHAString (string)
 -char *string;
 +/* Digests a string and prints the result. */
 +static void
 +SHAString(char *string)
  {
 -  char buf[2*32+1];
 +	char buf[2*64 + 1];
  
 -  printf ("SHA-%d (\"%s\") = %s\n", 
 -	SHA, string, SHA_Data(string,strlen(string),buf));
 +	printf("SHA-%d (\"%s\") = %s\n",
 +	       SHA, string, SHA_Data(string, strlen(string), buf));
  }
  
 -/* Digests a reference suite of strings and prints the results.
 - */
 -main()
 +/* Digests a reference suite of strings and prints the results. */
 +int
 +main(void)
  {
 -  printf ("SHA-%d test suite:\n", SHA);
 +	printf("SHA-%d test suite:\n", SHA);
 +
 +	SHAString("");
 +	SHAString("abc");
 +	SHAString("message digest");
 +	SHAString("abcdefghijklmnopqrstuvwxyz");
 +	SHAString("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 +		  "abcdefghijklmnopqrstuvwxyz0123456789");
 +	SHAString("1234567890123456789012345678901234567890"
 
 *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/124164: commit references a PR
Date: Sat,  9 Apr 2011 14:02:20 +0000 (UTC)

 Author: markm
 Date: Sat Apr  9 14:02:04 2011
 New Revision: 220497
 URL: http://svn.freebsd.org/changeset/base/220497
 
 Log:
   Add SHA256/512 ($5$ and $6$) to crypt(3). Used in linux-world, doesn't
   hurt us.
   
   PR:		misc/124164
   Submitted by:	KIMURA Yasuhiro < yasu utahime org >
   MFC after:	1 month
 
 Added:
   head/lib/libcrypt/crypt-sha256.c   (contents, props changed)
   head/lib/libcrypt/crypt-sha512.c   (contents, props changed)
 Modified:
   head/lib/libcrypt/Makefile
   head/lib/libcrypt/crypt.c
   head/lib/libcrypt/crypt.h
   head/lib/libcrypt/misc.c
 
 Modified: head/lib/libcrypt/Makefile
 ==============================================================================
 --- head/lib/libcrypt/Makefile	Sat Apr  9 13:56:29 2011	(r220496)
 +++ head/lib/libcrypt/Makefile	Sat Apr  9 14:02:04 2011	(r220497)
 @@ -12,7 +12,9 @@ LIB=		crypt
  .PATH:		${.CURDIR}/../libmd
  SRCS=		crypt.c misc.c \
  		crypt-md5.c md5c.c \
 -		crypt-nthash.c md4c.c
 +		crypt-nthash.c md4c.c \
 +		crypt-sha256.c sha256c.c \
 +		crypt-sha512.c sha512c.c
  MAN=		crypt.3
  MLINKS=		crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
  CFLAGS+=	-I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
 
 Added: head/lib/libcrypt/crypt-sha256.c
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libcrypt/crypt-sha256.c	Sat Apr  9 14:02:04 2011	(r220497)
 @@ -0,0 +1,477 @@
 +/*
 + * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + */
 +
 +/* Based on:
 + * SHA256-based Unix crypt implementation. Released into the Public Domain by
 + * Ulrich Drepper <drepper@redhat.com>. */
 +
 +#include <sys/cdefs.h>
 +__FBSDID("$FreeBSD$");
 +
 +#include <sys/endian.h>
 +#include <sys/param.h>
 +
 +#include <errno.h>
 +#include <limits.h>
 +#include <sha256.h>
 +#include <stdbool.h>
 +#include <stdint.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +
 +#include "crypt.h"
 +
 +/* Define our magic string to mark salt for SHA256 "encryption" replacement. */
 +static const char sha256_salt_prefix[] = "$5$";
 +
 +/* Prefix for optional rounds specification. */
 +static const char sha256_rounds_prefix[] = "rounds=";
 +
 +/* Maximum salt string length. */
 +#define SALT_LEN_MAX 16
 +/* Default number of rounds if not explicitly specified. */
 +#define ROUNDS_DEFAULT 5000
 +/* Minimum number of rounds. */
 +#define ROUNDS_MIN 1000
 +/* Maximum number of rounds. */
 +#define ROUNDS_MAX 999999999
 +
 +static char *
 +sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
 +{
 +	u_long srounds;
 +	int n;
 +	uint8_t alt_result[32], temp_result[32];
 +	SHA256_CTX ctx, alt_ctx;
 +	size_t salt_len, key_len, cnt, rounds;
 +	char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
 +	const char *num;
 +	bool rounds_custom;
 +
 +	copied_key = NULL;
 +	copied_salt = NULL;
 +
 +	/* Default number of rounds. */
 +	rounds = ROUNDS_DEFAULT;
 +	rounds_custom = false;
 +
 +	/* Find beginning of salt string. The prefix should normally always
 +	 * be present. Just in case it is not. */
 +	if (strncmp(sha256_salt_prefix, salt, sizeof(sha256_salt_prefix) - 1) == 0)
 +		/* Skip salt prefix. */
 +		salt += sizeof(sha256_salt_prefix) - 1;
 +
 +	if (strncmp(salt, sha256_rounds_prefix, sizeof(sha256_rounds_prefix) - 1)
 +	    == 0) {
 +		num = salt + sizeof(sha256_rounds_prefix) - 1;
 +		srounds = strtoul(num, &endp, 10);
 +
 +		if (*endp == '$') {
 +			salt = endp + 1;
 +			rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
 +			rounds_custom = true;
 +		}
 +	}
 +
 +	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
 +	key_len = strlen(key);
 +
 +	/* Prepare for the real work. */
 +	SHA256_Init(&ctx);
 +
 +	/* Add the key string. */
 +	SHA256_Update(&ctx, key, key_len);
 +
 +	/* The last part is the salt string. This must be at most 8
 +	 * characters and it ends at the first `$' character (for
 +	 * compatibility with existing implementations). */
 +	SHA256_Update(&ctx, salt, salt_len);
 +
 +	/* Compute alternate SHA256 sum with input KEY, SALT, and KEY. The
 +	 * final result will be added to the first context. */
 +	SHA256_Init(&alt_ctx);
 +
 +	/* Add key. */
 +	SHA256_Update(&alt_ctx, key, key_len);
 +
 +	/* Add salt. */
 +	SHA256_Update(&alt_ctx, salt, salt_len);
 +
 +	/* Add key again. */
 +	SHA256_Update(&alt_ctx, key, key_len);
 +
 +	/* Now get result of this (32 bytes) and add it to the other context. */
 +	SHA256_Final(alt_result, &alt_ctx);
 +
 +	/* Add for any character in the key one byte of the alternate sum. */
 +	for (cnt = key_len; cnt > 32; cnt -= 32)
 +		SHA256_Update(&ctx, alt_result, 32);
 +	SHA256_Update(&ctx, alt_result, cnt);
 +
 +	/* Take the binary representation of the length of the key and for
 +	 * every 1 add the alternate sum, for every 0 the key. */
 +	for (cnt = key_len; cnt > 0; cnt >>= 1)
 +		if ((cnt & 1) != 0)
 +			SHA256_Update(&ctx, alt_result, 32);
 +		else
 +			SHA256_Update(&ctx, key, key_len);
 +
 +	/* Create intermediate result. */
 +	SHA256_Final(alt_result, &ctx);
 +
 +	/* Start computation of P byte sequence. */
 +	SHA256_Init(&alt_ctx);
 +
 +	/* For every character in the password add the entire password. */
 +	for (cnt = 0; cnt < key_len; ++cnt)
 +		SHA256_Update(&alt_ctx, key, key_len);
 +
 +	/* Finish the digest. */
 +	SHA256_Final(temp_result, &alt_ctx);
 +
 +	/* Create byte sequence P. */
 +	cp = p_bytes = alloca(key_len);
 +	for (cnt = key_len; cnt >= 32; cnt -= 32) {
 +		memcpy(cp, temp_result, 32);
 +		cp += 32;
 +	}
 +	memcpy(cp, temp_result, cnt);
 +
 +	/* Start computation of S byte sequence. */
 +	SHA256_Init(&alt_ctx);
 +
 +	/* For every character in the password add the entire password. */
 +	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 +		SHA256_Update(&alt_ctx, salt, salt_len);
 +
 +	/* Finish the digest. */
 +	SHA256_Final(temp_result, &alt_ctx);
 +
 +	/* Create byte sequence S. */
 +	cp = s_bytes = alloca(salt_len);
 +	for (cnt = salt_len; cnt >= 32; cnt -= 32) {
 +		memcpy(cp, temp_result, 32);
 +		cp += 32;
 +	}
 +	memcpy(cp, temp_result, cnt);
 +
 +	/* Repeatedly run the collected hash value through SHA256 to burn CPU
 +	 * cycles. */
 +	for (cnt = 0; cnt < rounds; ++cnt) {
 +		/* New context. */
 +		SHA256_Init(&ctx);
 +
 +		/* Add key or last result. */
 +		if ((cnt & 1) != 0)
 +			SHA256_Update(&ctx, p_bytes, key_len);
 +		else
 +			SHA256_Update(&ctx, alt_result, 32);
 +
 +		/* Add salt for numbers not divisible by 3. */
 +		if (cnt % 3 != 0)
 +			SHA256_Update(&ctx, s_bytes, salt_len);
 +
 +		/* Add key for numbers not divisible by 7. */
 +		if (cnt % 7 != 0)
 +			SHA256_Update(&ctx, p_bytes, key_len);
 +
 +		/* Add key or last result. */
 +		if ((cnt & 1) != 0)
 +			SHA256_Update(&ctx, alt_result, 32);
 +		else
 +			SHA256_Update(&ctx, p_bytes, key_len);
 +
 +		/* Create intermediate result. */
 +		SHA256_Final(alt_result, &ctx);
 +	}
 +
 +	/* Now we can construct the result string. It consists of three
 +	 * parts. */
 +	cp = stpncpy(buffer, sha256_salt_prefix, MAX(0, buflen));
 +	buflen -= sizeof(sha256_salt_prefix) - 1;
 +
 +	if (rounds_custom) {
 +		n = snprintf(cp, MAX(0, buflen), "%s%zu$",
 +			 sha256_rounds_prefix, rounds);
 +
 +		cp += n;
 +		buflen -= n;
 +	}
 +
 +	cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
 +	buflen -= MIN((size_t)MAX(0, buflen), salt_len);
 +
 +	if (buflen > 0) {
 +		*cp++ = '$';
 +		--buflen;
 +	}
 +
 +	b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4, &buflen, &cp);
 +	b64_from_24bit(0, alt_result[31], alt_result[30], 3, &buflen, &cp);
 +	if (buflen <= 0) {
 +		errno = ERANGE;
 +		buffer = NULL;
 +	}
 +	else
 +		*cp = '\0';	/* Terminate the string. */
 +
 +	/* Clear the buffer for the intermediate result so that people
 +	 * attaching to processes or reading core dumps cannot get any
 +	 * information. We do it in this way to clear correct_words[] inside
 +	 * the SHA256 implementation as well. */
 +	SHA256_Init(&ctx);
 +	SHA256_Final(alt_result, &ctx);
 +	memset(temp_result, '\0', sizeof(temp_result));
 +	memset(p_bytes, '\0', key_len);
 +	memset(s_bytes, '\0', salt_len);
 +	memset(&ctx, '\0', sizeof(ctx));
 +	memset(&alt_ctx, '\0', sizeof(alt_ctx));
 +	if (copied_key != NULL)
 +		memset(copied_key, '\0', key_len);
 +	if (copied_salt != NULL)
 +		memset(copied_salt, '\0', salt_len);
 +
 +	return buffer;
 +}
 +
 +/* This entry point is equivalent to crypt(3). */
 +char *
 +sha256_crypt(const char *key, const char *salt)
 +{
 +	/* We don't want to have an arbitrary limit in the size of the
 +	 * password. We can compute an upper bound for the size of the
 +	 * result in advance and so we can prepare the buffer we pass to
 +	 * `sha256_crypt_r'. */
 +	static char *buffer;
 +	static int buflen;
 +	int needed;
 +	char *new_buffer;
 +
 +	needed = (sizeof(sha256_salt_prefix) - 1
 +	      + sizeof(sha256_rounds_prefix) + 9 + 1
 +	      + strlen(salt) + 1 + 43 + 1);
 +
 +	if (buflen < needed) {
 +		new_buffer = (char *)realloc(buffer, needed);
 +
 +		if (new_buffer == NULL)
 +			return NULL;
 +
 +		buffer = new_buffer;
 +		buflen = needed;
 +	}
 +
 +	return sha256_crypt_r(key, salt, buffer, buflen);
 +}
 +
 +#ifdef TEST
 +
 +static const struct {
 +	const char *input;
 +	const char result[32];
 +} tests[] =
 +{
 +	/* Test vectors from FIPS 180-2: appendix B.1. */
 +	{
 +		"abc",
 +		"\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
 +		"\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad"
 +	},
 +	/* Test vectors from FIPS 180-2: appendix B.2. */
 +	{
 +		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +		"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
 +		"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"
 +	},
 +	/* Test vectors from the NESSIE project. */
 +	{
 +		"",
 +		"\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24"
 +		"\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55"
 +	},
 +	{
 +		"a",
 +		"\xca\x97\x81\x12\xca\x1b\xbd\xca\xfa\xc2\x31\xb3\x9a\x23\xdc\x4d"
 +		"\xa7\x86\xef\xf8\x14\x7c\x4e\x72\xb9\x80\x77\x85\xaf\xee\x48\xbb"
 +	},
 +	{
 +		"message digest",
 +		"\xf7\x84\x6f\x55\xcf\x23\xe1\x4e\xeb\xea\xb5\xb4\xe1\x55\x0c\xad"
 +		"\x5b\x50\x9e\x33\x48\xfb\xc4\xef\xa3\xa1\x41\x3d\x39\x3c\xb6\x50"
 +	},
 +	{
 +		"abcdefghijklmnopqrstuvwxyz",
 +		"\x71\xc4\x80\xdf\x93\xd6\xae\x2f\x1e\xfa\xd1\x44\x7c\x66\xc9\x52"
 +		"\x5e\x31\x62\x18\xcf\x51\xfc\x8d\x9e\xd8\x32\xf2\xda\xf1\x8b\x73"
 +	},
 +	{
 +		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +		"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
 +		"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1"
 +	},
 +	{
 +		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
 +		"\xdb\x4b\xfc\xbd\x4d\xa0\xcd\x85\xa6\x0c\x3c\x37\xd3\xfb\xd8\x80"
 +		"\x5c\x77\xf1\x5f\xc6\xb1\xfd\xfe\x61\x4e\xe0\xa7\xc8\xfd\xb4\xc0"
 +	},
 +	{
 +		"123456789012345678901234567890123456789012345678901234567890"
 +		"12345678901234567890",
 +		"\xf3\x71\xbc\x4a\x31\x1f\x2b\x00\x9e\xef\x95\x2d\xd8\x3c\xa8\x0e"
 +		"\x2b\x60\x02\x6c\x8e\x93\x55\x92\xd0\xf9\xc3\x08\x45\x3c\x81\x3e"
 +	}
 +};
 +
 +#define ntests (sizeof (tests) / sizeof (tests[0]))
 +
 +static const struct {
 +	const char *salt;
 +	const char *input;
 +	const char *expected;
 +} tests2[] =
 +{
 +	{
 +		"$5$saltstring", "Hello world!",
 +		"$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"
 +	},
 +	{
 +		"$5$rounds=10000$saltstringsaltstring", "Hello world!",
 +		"$5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2."
 +		"opqey6IcA"
 +	},
 +	{
 +		"$5$rounds=5000$toolongsaltstring", "This is just a test",
 +		"$5$rounds=5000$toolongsaltstrin$Un/5jzAHMgOGZ5.mWJpuVolil07guHPvOW8"
 +		"mGRcvxa5"
 +	},
 +	{
 +		"$5$rounds=1400$anotherlongsaltstring",
 +		"a very much longer text to encrypt.  This one even stretches over more"
 +		"than one line.",
 +		"$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12"
 +		"oP84Bnq1"
 +	},
 +	{
 +		"$5$rounds=77777$short",
 +		"we have a short salt string but not a short password",
 +		"$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/"
 +	},
 +	{
 +		"$5$rounds=123456$asaltof16chars..", "a short string",
 +		"$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/"
 +		"cZKmF/wJvD"
 +	},
 +	{
 +		"$5$rounds=10$roundstoolow", "the minimum number is still observed",
 +		"$5$rounds=1000$roundstoolow$yfvwcWrQ8l/K0DAWyuPMDNHpIVlTQebY9l/gL97"
 +		"2bIC"
 +	},
 +};
 +
 +#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
 +
 +int
 +main(void)
 +{
 +	SHA256_CTX ctx;
 +	uint8_t sum[32];
 +	int result = 0;
 +	int i, cnt;
 +
 +	for (cnt = 0; cnt < (int)ntests; ++cnt) {
 +		SHA256_Init(&ctx);
 +		SHA256_Update(&ctx, tests[cnt].input, strlen(tests[cnt].input));
 +		SHA256_Final(sum, &ctx);
 +		if (memcmp(tests[cnt].result, sum, 32) != 0) {
 +			for (i = 0; i < 32; i++)
 +				printf("%02X", tests[cnt].result[i]);
 +			printf("\n");
 +			for (i = 0; i < 32; i++)
 +				printf("%02X", sum[i]);
 +			printf("\n");
 +			printf("test %d run %d failed\n", cnt, 1);
 +			result = 1;
 +		}
 +
 +		SHA256_Init(&ctx);
 +		for (i = 0; tests[cnt].input[i] != '\0'; ++i)
 +			SHA256_Update(&ctx, &tests[cnt].input[i], 1);
 +		SHA256_Final(sum, &ctx);
 +		if (memcmp(tests[cnt].result, sum, 32) != 0) {
 +			for (i = 0; i < 32; i++)
 +				printf("%02X", tests[cnt].result[i]);
 +			printf("\n");
 +			for (i = 0; i < 32; i++)
 +				printf("%02X", sum[i]);
 +			printf("\n");
 +			printf("test %d run %d failed\n", cnt, 2);
 +			result = 1;
 +		}
 +	}
 +
 +	/* Test vector from FIPS 180-2: appendix B.3. */
 +	char buf[1000];
 +
 +	memset(buf, 'a', sizeof(buf));
 +	SHA256_Init(&ctx);
 +	for (i = 0; i < 1000; ++i)
 +		SHA256_Update(&ctx, buf, sizeof(buf));
 +	SHA256_Final(sum, &ctx);
 +	static const char expected[32] =
 +	"\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
 +	"\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0";
 +
 +	if (memcmp(expected, sum, 32) != 0) {
 +		printf("test %d failed\n", cnt);
 +		result = 1;
 +	}
 +
 +	for (cnt = 0; cnt < ntests2; ++cnt) {
 +		char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
 +
 +		if (strcmp(cp, tests2[cnt].expected) != 0) {
 +			printf("test %d: expected \"%s\", got \"%s\"\n",
 +			       cnt, tests2[cnt].expected, cp);
 +			result = 1;
 +		}
 +	}
 +
 +	if (result == 0)
 +		puts("all tests OK");
 +
 +	return result;
 +}
 +
 +#endif /* TEST */
 
 Added: head/lib/libcrypt/crypt-sha512.c
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libcrypt/crypt-sha512.c	Sat Apr  9 14:02:04 2011	(r220497)
 @@ -0,0 +1,500 @@
 +/*
 + * Copyright (c) 2011 The FreeBSD Project. All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + */
 +
 +/* Based on:
 + * SHA512-based Unix crypt implementation. Released into the Public Domain by
 + * Ulrich Drepper <drepper@redhat.com>. */
 +
 +#include <sys/cdefs.h>
 +__FBSDID("$FreeBSD$");
 +
 +#include <sys/endian.h>
 +#include <sys/param.h>
 +
 +#include <errno.h>
 +#include <limits.h>
 +#include <sha512.h>
 +#include <stdbool.h>
 +#include <stdint.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +
 +#include "crypt.h"
 +
 +/* Define our magic string to mark salt for SHA512 "encryption" replacement. */
 +static const char sha512_salt_prefix[] = "$6$";
 +
 +/* Prefix for optional rounds specification. */
 +static const char sha512_rounds_prefix[] = "rounds=";
 +
 +/* Maximum salt string length. */
 +#define SALT_LEN_MAX 16
 +/* Default number of rounds if not explicitly specified. */
 +#define ROUNDS_DEFAULT 5000
 +/* Minimum number of rounds. */
 +#define ROUNDS_MIN 1000
 +/* Maximum number of rounds. */
 +#define ROUNDS_MAX 999999999
 +
 +static char *
 +sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
 +{
 +	u_long srounds;
 +	int n;
 +	uint8_t alt_result[64], temp_result[64];
 +	SHA512_CTX ctx, alt_ctx;
 +	size_t salt_len, key_len, cnt, rounds;
 +	char *cp, *copied_key, *copied_salt, *p_bytes, *s_bytes, *endp;
 +	const char *num;
 +	bool rounds_custom;
 +
 +	copied_key = NULL;
 +	copied_salt = NULL;
 +
 +	/* Default number of rounds. */
 +	rounds = ROUNDS_DEFAULT;
 +	rounds_custom = false;
 +
 +	/* Find beginning of salt string. The prefix should normally always
 +	 * be present. Just in case it is not. */
 +	if (strncmp(sha512_salt_prefix, salt, sizeof(sha512_salt_prefix) - 1) == 0)
 +		/* Skip salt prefix. */
 +		salt += sizeof(sha512_salt_prefix) - 1;
 +
 +	if (strncmp(salt, sha512_rounds_prefix, sizeof(sha512_rounds_prefix) - 1)
 +	    == 0) {
 +		num = salt + sizeof(sha512_rounds_prefix) - 1;
 +		srounds = strtoul(num, &endp, 10);
 +
 +		if (*endp == '$') {
 +			salt = endp + 1;
 +			rounds = MAX(ROUNDS_MIN, MIN(srounds, ROUNDS_MAX));
 +			rounds_custom = true;
 +		}
 +	}
 +
 +	salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
 +	key_len = strlen(key);
 +
 +	/* Prepare for the real work. */
 +	SHA512_Init(&ctx);
 +
 +	/* Add the key string. */
 +	SHA512_Update(&ctx, key, key_len);
 +
 +	/* The last part is the salt string. This must be at most 8
 +	 * characters and it ends at the first `$' character (for
 +	 * compatibility with existing implementations). */
 +	SHA512_Update(&ctx, salt, salt_len);
 +
 +	/* Compute alternate SHA512 sum with input KEY, SALT, and KEY. The
 +	 * final result will be added to the first context. */
 +	SHA512_Init(&alt_ctx);
 +
 +	/* Add key. */
 +	SHA512_Update(&alt_ctx, key, key_len);
 +
 +	/* Add salt. */
 +	SHA512_Update(&alt_ctx, salt, salt_len);
 +
 +	/* Add key again. */
 +	SHA512_Update(&alt_ctx, key, key_len);
 +
 +	/* Now get result of this (64 bytes) and add it to the other context. */
 +	SHA512_Final(alt_result, &alt_ctx);
 +
 +	/* Add for any character in the key one byte of the alternate sum. */
 +	for (cnt = key_len; cnt > 64; cnt -= 64)
 +		SHA512_Update(&ctx, alt_result, 64);
 +	SHA512_Update(&ctx, alt_result, cnt);
 +
 +	/* Take the binary representation of the length of the key and for
 +	 * every 1 add the alternate sum, for every 0 the key. */
 +	for (cnt = key_len; cnt > 0; cnt >>= 1)
 +		if ((cnt & 1) != 0)
 +			SHA512_Update(&ctx, alt_result, 64);
 +		else
 +			SHA512_Update(&ctx, key, key_len);
 +
 +	/* Create intermediate result. */
 +	SHA512_Final(alt_result, &ctx);
 +
 +	/* Start computation of P byte sequence. */
 +	SHA512_Init(&alt_ctx);
 +
 +	/* For every character in the password add the entire password. */
 +	for (cnt = 0; cnt < key_len; ++cnt)
 +		SHA512_Update(&alt_ctx, key, key_len);
 +
 +	/* Finish the digest. */
 +	SHA512_Final(temp_result, &alt_ctx);
 +
 +	/* Create byte sequence P. */
 +	cp = p_bytes = alloca(key_len);
 +	for (cnt = key_len; cnt >= 64; cnt -= 64) {
 +		memcpy(cp, temp_result, 64);
 +		cp += 64;
 +	}
 +	memcpy(cp, temp_result, cnt);
 +
 +	/* Start computation of S byte sequence. */
 +	SHA512_Init(&alt_ctx);
 +
 +	/* For every character in the password add the entire password. */
 +	for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
 +		SHA512_Update(&alt_ctx, salt, salt_len);
 +
 +	/* Finish the digest. */
 +	SHA512_Final(temp_result, &alt_ctx);
 +
 +	/* Create byte sequence S. */
 +	cp = s_bytes = alloca(salt_len);
 +	for (cnt = salt_len; cnt >= 64; cnt -= 64) {
 +		memcpy(cp, temp_result, 64);
 +		cp += 64;
 +	}
 +	memcpy(cp, temp_result, cnt);
 +
 +	/* Repeatedly run the collected hash value through SHA512 to burn CPU
 +	 * cycles. */
 +	for (cnt = 0; cnt < rounds; ++cnt) {
 +		/* New context. */
 +		SHA512_Init(&ctx);
 +
 +		/* Add key or last result. */
 +		if ((cnt & 1) != 0)
 +			SHA512_Update(&ctx, p_bytes, key_len);
 +		else
 +			SHA512_Update(&ctx, alt_result, 64);
 +
 +		/* Add salt for numbers not divisible by 3. */
 +		if (cnt % 3 != 0)
 +			SHA512_Update(&ctx, s_bytes, salt_len);
 +
 +		/* Add key for numbers not divisible by 7. */
 +		if (cnt % 7 != 0)
 +			SHA512_Update(&ctx, p_bytes, key_len);
 +
 +		/* Add key or last result. */
 +		if ((cnt & 1) != 0)
 +			SHA512_Update(&ctx, alt_result, 64);
 +		else
 +			SHA512_Update(&ctx, p_bytes, key_len);
 +
 +		/* Create intermediate result. */
 +		SHA512_Final(alt_result, &ctx);
 +	}
 +
 +	/* Now we can construct the result string. It consists of three
 +	 * parts. */
 +	cp = stpncpy(buffer, sha512_salt_prefix, MAX(0, buflen));
 +	buflen -= sizeof(sha512_salt_prefix) - 1;
 +
 +	if (rounds_custom) {
 +		n = snprintf(cp, MAX(0, buflen), "%s%zu$",
 +			 sha512_rounds_prefix, rounds);
 +
 +		cp += n;
 +		buflen -= n;
 +	}
 +
 +	cp = stpncpy(cp, salt, MIN((size_t)MAX(0, buflen), salt_len));
 +	buflen -= MIN((size_t)MAX(0, buflen), salt_len);
 +
 +	if (buflen > 0) {
 +		*cp++ = '$';
 +		--buflen;
 +	}
 +
 +	b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4, &buflen, &cp);
 +	b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4, &buflen, &cp);
 +	b64_from_24bit(0, 0, alt_result[63], 2, &buflen, &cp);
 +
 +	if (buflen <= 0) {
 +		errno = ERANGE;
 +		buffer = NULL;
 +	}
 +	else
 +		*cp = '\0';	/* Terminate the string. */
 +
 +	/* Clear the buffer for the intermediate result so that people
 +	 * attaching to processes or reading core dumps cannot get any
 +	 * information. We do it in this way to clear correct_words[] inside
 +	 * the SHA512 implementation as well. */
 +	SHA512_Init(&ctx);
 +	SHA512_Final(alt_result, &ctx);
 +	memset(temp_result, '\0', sizeof(temp_result));
 +	memset(p_bytes, '\0', key_len);
 +	memset(s_bytes, '\0', salt_len);
 +	memset(&ctx, '\0', sizeof(ctx));
 +	memset(&alt_ctx, '\0', sizeof(alt_ctx));
 +	if (copied_key != NULL)
 +		memset(copied_key, '\0', key_len);
 +	if (copied_salt != NULL)
 +		memset(copied_salt, '\0', salt_len);
 +
 +	return buffer;
 +}
 +
 +/* This entry point is equivalent to crypt(3). */
 +char *
 +sha512_crypt(const char *key, const char *salt)
 +{
 +	/* We don't want to have an arbitrary limit in the size of the
 +	 * password. We can compute an upper bound for the size of the
 +	 * result in advance and so we can prepare the buffer we pass to
 +	 * `sha512_crypt_r'. */
 +	static char *buffer;
 +	static int buflen;
 +	int needed;
 +	char *new_buffer;
 +
 +	needed = (sizeof(sha512_salt_prefix) - 1
 +	      + sizeof(sha512_rounds_prefix) + 9 + 1
 +	      + strlen(salt) + 1 + 86 + 1);
 +
 +	if (buflen < needed) {
 +		new_buffer = (char *)realloc(buffer, needed);
 +
 +		if (new_buffer == NULL)
 +			return NULL;
 +
 +		buffer = new_buffer;
 +		buflen = needed;
 +	}
 +
 +	return sha512_crypt_r(key, salt, buffer, buflen);
 +}
 +
 +#ifdef TEST
 +
 +static const struct {
 +	const char *input;
 +	const char result[64];
 +} tests[] =
 +{
 +	/* Test vectors from FIPS 180-2: appendix C.1. */
 +	{
 +		"abc",
 +		"\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31"
 +		"\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a"
 +		"\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd"
 +		"\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"
 +	},
 +	/* Test vectors from FIPS 180-2: appendix C.2. */
 +	{
 +		"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
 +		"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
 +		"\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f"
 +		"\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18"
 +		"\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a"
 +		"\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09"
 +	},
 +	/* Test vectors from the NESSIE project. */
 +	{
 +		"",
 +		"\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07"
 +		"\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce"
 +		"\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f"
 +		"\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e"
 +	},
 +	{
 +		"a",
 +		"\x1f\x40\xfc\x92\xda\x24\x16\x94\x75\x09\x79\xee\x6c\xf5\x82\xf2"
 +		"\xd5\xd7\xd2\x8e\x18\x33\x5d\xe0\x5a\xbc\x54\xd0\x56\x0e\x0f\x53"
 +		"\x02\x86\x0c\x65\x2b\xf0\x8d\x56\x02\x52\xaa\x5e\x74\x21\x05\x46"
 +		"\xf3\x69\xfb\xbb\xce\x8c\x12\xcf\xc7\x95\x7b\x26\x52\xfe\x9a\x75"
 +	},
 +	{
 +		"message digest",
 +		"\x10\x7d\xbf\x38\x9d\x9e\x9f\x71\xa3\xa9\x5f\x6c\x05\x5b\x92\x51"
 +		"\xbc\x52\x68\xc2\xbe\x16\xd6\xc1\x34\x92\xea\x45\xb0\x19\x9f\x33"
 +		"\x09\xe1\x64\x55\xab\x1e\x96\x11\x8e\x8a\x90\x5d\x55\x97\xb7\x20"
 +		"\x38\xdd\xb3\x72\xa8\x98\x26\x04\x6d\xe6\x66\x87\xbb\x42\x0e\x7c"
 +	},
 +	{
 +		"abcdefghijklmnopqrstuvwxyz",
 +		"\x4d\xbf\xf8\x6c\xc2\xca\x1b\xae\x1e\x16\x46\x8a\x05\xcb\x98\x81"
 +		"\xc9\x7f\x17\x53\xbc\xe3\x61\x90\x34\x89\x8f\xaa\x1a\xab\xe4\x29"
 +		"\x95\x5a\x1b\xf8\xec\x48\x3d\x74\x21\xfe\x3c\x16\x46\x61\x3a\x59"
 +		"\xed\x54\x41\xfb\x0f\x32\x13\x89\xf7\x7f\x48\xa8\x79\xc7\xb1\xf1"
 +	},
 +	{
 +		"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 +		"\x20\x4a\x8f\xc6\xdd\xa8\x2f\x0a\x0c\xed\x7b\xeb\x8e\x08\xa4\x16"
 +		"\x57\xc1\x6e\xf4\x68\xb2\x28\xa8\x27\x9b\xe3\x31\xa7\x03\xc3\x35"
 +		"\x96\xfd\x15\xc1\x3b\x1b\x07\xf9\xaa\x1d\x3b\xea\x57\x78\x9c\xa0"
 +		"\x31\xad\x85\xc7\xa7\x1d\xd7\x03\x54\xec\x63\x12\x38\xca\x34\x45"
 +	},
 +	{
 +		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
 +		"\x1e\x07\xbe\x23\xc2\x6a\x86\xea\x37\xea\x81\x0c\x8e\xc7\x80\x93"
 +		"\x52\x51\x5a\x97\x0e\x92\x53\xc2\x6f\x53\x6c\xfc\x7a\x99\x96\xc4"
 +		"\x5c\x83\x70\x58\x3e\x0a\x78\xfa\x4a\x90\x04\x1d\x71\xa4\xce\xab"
 +		"\x74\x23\xf1\x9c\x71\xb9\xd5\xa3\xe0\x12\x49\xf0\xbe\xbd\x58\x94"
 +	},
 +	{
 +		"123456789012345678901234567890123456789012345678901234567890"
 +		"12345678901234567890",
 +		"\x72\xec\x1e\xf1\x12\x4a\x45\xb0\x47\xe8\xb7\xc7\x5a\x93\x21\x95"
 +		"\x13\x5b\xb6\x1d\xe2\x4e\xc0\xd1\x91\x40\x42\x24\x6e\x0a\xec\x3a"
 +		"\x23\x54\xe0\x93\xd7\x6f\x30\x48\xb4\x56\x76\x43\x46\x90\x0c\xb1"
 +		"\x30\xd2\xa4\xfd\x5d\xd1\x6a\xbb\x5e\x30\xbc\xb8\x50\xde\xe8\x43"
 +	}
 +};
 +
 +#define ntests (sizeof (tests) / sizeof (tests[0]))
 +
 +static const struct {
 +	const char *salt;
 +	const char *input;
 +	const char *expected;
 +} tests2[] =
 +{
 +	{
 +		"$6$saltstring", "Hello world!",
 +		"$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
 +		"esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
 +	},
 +	{
 +		"$6$rounds=10000$saltstringsaltstring", "Hello world!",
 +		"$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sb"
 +		"HbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."
 +	},
 +	{
 +		"$6$rounds=5000$toolongsaltstring", "This is just a test",
 +		"$6$rounds=5000$toolongsaltstrin$lQ8jolhgVRVhY4b5pZKaysCLi0QBxGoNeKQ"
 +		"zQ3glMhwllF7oGDZxUhx1yxdYcz/e1JSbq3y6JMxxl8audkUEm0"
 +	},
 +	{
 +		"$6$rounds=1400$anotherlongsaltstring",
 +		"a very much longer text to encrypt.  This one even stretches over more"
 +		"than one line.",
 +		"$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wP"
 +		"vMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1"
 +	},
 +	{
 +		"$6$rounds=77777$short",
 +		"we have a short salt string but not a short password",
 +		"$6$rounds=77777$short$WuQyW2YR.hBNpjjRhpYD/ifIw05xdfeEyQoMxIXbkvr0g"
 +		"ge1a1x3yRULJ5CCaUeOxFmtlcGZelFl5CxtgfiAc0"
 +	},
 +	{
 +		"$6$rounds=123456$asaltof16chars..", "a short string",
 +		"$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwc"
 +		"elCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1"
 +	},
 +	{
 +		"$6$rounds=10$roundstoolow", "the minimum number is still observed",
 +		"$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1x"
 +		"hLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX."
 +	},
 +};
 +
 +#define ntests2 (sizeof (tests2) / sizeof (tests2[0]))
 +
 +int
 +main(void)
 +{
 +	SHA512_CTX ctx;
 +	uint8_t sum[64];
 +	int result = 0;
 +	int i, cnt;
 +
 +	for (cnt = 0; cnt < (int)ntests; ++cnt) {
 +		SHA512_Init(&ctx);
 +		SHA512_Update(&ctx, tests[cnt].input, strlen(tests[cnt].input));
 +		SHA512_Final(sum, &ctx);
 +		if (memcmp(tests[cnt].result, sum, 64) != 0) {
 +			printf("test %d run %d failed\n", cnt, 1);
 +			result = 1;
 +		}
 +
 +		SHA512_Init(&ctx);
 +		for (i = 0; tests[cnt].input[i] != '\0'; ++i)
 +			SHA512_Update(&ctx, &tests[cnt].input[i], 1);
 +		SHA512_Final(sum, &ctx);
 +		if (memcmp(tests[cnt].result, sum, 64) != 0) {
 +			printf("test %d run %d failed\n", cnt, 2);
 +			result = 1;
 +		}
 +	}
 +
 +	/* Test vector from FIPS 180-2: appendix C.3. */
 +	char buf[1000];
 +
 +	memset(buf, 'a', sizeof(buf));
 +	SHA512_Init(&ctx);
 +	for (i = 0; i < 1000; ++i)
 +		SHA512_Update(&ctx, buf, sizeof(buf));
 +	SHA512_Final(sum, &ctx);
 +	static const char expected[64] =
 +	"\xe7\x18\x48\x3d\x0c\xe7\x69\x64\x4e\x2e\x42\xc7\xbc\x15\xb4\x63"
 +	"\x8e\x1f\x98\xb1\x3b\x20\x44\x28\x56\x32\xa8\x03\xaf\xa9\x73\xeb"
 +	"\xde\x0f\xf2\x44\x87\x7e\xa6\x0a\x4c\xb0\x43\x2c\xe5\x77\xc3\x1b"
 +	"\xeb\x00\x9c\x5c\x2c\x49\xaa\x2e\x4e\xad\xb2\x17\xad\x8c\xc0\x9b";
 +
 +	if (memcmp(expected, sum, 64) != 0) {
 +		printf("test %d failed\n", cnt);
 +		result = 1;
 +	}
 +
 +	for (cnt = 0; cnt < ntests2; ++cnt) {
 +		char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
 +
 +		if (strcmp(cp, tests2[cnt].expected) != 0) {
 +			printf("test %d: expected \"%s\", got \"%s\"\n",
 +			       cnt, tests2[cnt].expected, cp);
 +			result = 1;
 +		}
 +	}
 +
 +	if (result == 0)
 +		puts("all tests OK");
 +
 +	return result;
 +}
 +
 +#endif /* TEST */
 
 Modified: head/lib/libcrypt/crypt.c
 ==============================================================================
 --- head/lib/libcrypt/crypt.c	Sat Apr  9 13:56:29 2011	(r220496)
 +++ head/lib/libcrypt/crypt.c	Sat Apr  9 14:02:04 2011	(r220497)
 @@ -63,6 +63,16 @@ static const struct {
  		"$3$"
 
 *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: arundel 
State-Changed-When: Sun Apr 10 19:15:20 UTC 2011 
State-Changed-Why:  
Patched in HEAD (r220496, r220497). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124164 

From: KIMURA Yasuhiro <yasu@utahime.org>
To: markm@FreeBSD.org
Cc: arundel@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: misc/124164: [patch] Add SHA-256/512 hash algorithm to crypt(3)
Date: Sat, 14 Jan 2012 21:55:58 +0900

 Hello.
 
 Would you please MFC to stable/8 and close this PR?
 
 Best Regards.
 
 

From: Tim Bishop <tdb@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/124164: [patch] Add SHA-256/512 hash algorithm to crypt(3)
Date: Sun, 5 Feb 2012 17:49:25 +0000

 It'd be great if this PR could be merged to 8 before the 8.3 release.
 
 Tim.
 
 -- 
 Tim Bishop
 http://www.bishnet.net/tim/
 PGP Key: 0x5AE7D984

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/124164: commit references a PR
Date: Mon, 13 Feb 2012 16:43:41 +0000 (UTC)

 Author: markm
 Date: Mon Feb 13 16:43:29 2012
 New Revision: 231588
 URL: http://svn.freebsd.org/changeset/base/231588
 
 Log:
   MFC: sha256 ($5$) and sha512 ($6$) crypt(3) types.
   
   PR:		misc/124164
   Delayed by:	markm
 
 Added:
   stable/8/lib/libcrypt/crypt-sha256.c
      - copied, changed from r220497, head/lib/libcrypt/crypt-sha256.c
   stable/8/lib/libcrypt/crypt-sha512.c
      - copied, changed from r220497, head/lib/libcrypt/crypt-sha512.c
   stable/8/lib/libmd/sha512.3
      - copied unchanged from r220496, head/lib/libmd/sha512.3
   stable/8/lib/libmd/sha512.h
      - copied unchanged from r220496, head/lib/libmd/sha512.h
   stable/8/lib/libmd/sha512c.c
      - copied unchanged from r220496, head/lib/libmd/sha512c.c
 Modified:
   stable/8/lib/libcrypt/Makefile
   stable/8/lib/libcrypt/crypt.c
   stable/8/lib/libcrypt/crypt.h
   stable/8/lib/libcrypt/misc.c
   stable/8/lib/libmd/Makefile
   stable/8/lib/libmd/mddriver.c
   stable/8/lib/libmd/rmddriver.c
   stable/8/lib/libmd/shadriver.c
 Directory Properties:
   stable/8/   (props changed)
   stable/8/lib/   (props changed)
   stable/8/lib/libcrypt/   (props changed)
   stable/8/lib/libmd/   (props changed)
 
 Modified: stable/8/lib/libcrypt/Makefile
 ==============================================================================
 --- stable/8/lib/libcrypt/Makefile	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libcrypt/Makefile	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -12,7 +12,9 @@ LIB=		crypt
  .PATH:		${.CURDIR}/../libmd
  SRCS=		crypt.c misc.c \
  		crypt-md5.c md5c.c \
 -		crypt-nthash.c md4c.c
 +		crypt-nthash.c md4c.c \
 +		crypt-sha256.c sha256c.c \
 +		crypt-sha512.c sha512c.c
  MAN=		crypt.3
  MLINKS=		crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
  CFLAGS+=	-I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
 @@ -29,7 +31,9 @@ CFLAGS+=	-I${.CURDIR} -DHAS_DES -DHAS_BL
  SRCS+=		auth.c property.c
  .for sym in auth_getval property_find properties_read properties_free \
  	    MD4Init MD4Final MD4Update MD4Pad \
 -	    MD5Init MD5Final MD5Update MD5Pad
 +	    MD5Init MD5Final MD5Update MD5Pad \
 +	    SHA256_Init SHA256_Final SHA256_Update \
 +	    SHA512_Init SHA512_Final SHA512_Update
  CFLAGS+=	-D${sym}=__${sym}
  .endfor
  
 
 Copied and modified: stable/8/lib/libcrypt/crypt-sha256.c (from r220497, head/lib/libcrypt/crypt-sha256.c)
 ==============================================================================
 --- head/lib/libcrypt/crypt-sha256.c	Sat Apr  9 14:02:04 2011	(r220497, copy source)
 +++ stable/8/lib/libcrypt/crypt-sha256.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -60,7 +60,7 @@ static const char sha256_rounds_prefix[]
  #define ROUNDS_MAX 999999999
  
  static char *
 -sha256_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
 +crypt_sha256_r(const char *key, const char *salt, char *buffer, int buflen)
  {
  	u_long srounds;
  	int n;
 @@ -268,12 +268,12 @@ sha256_crypt_r(const char *key, const ch
  
  /* This entry point is equivalent to crypt(3). */
  char *
 -sha256_crypt(const char *key, const char *salt)
 +crypt_sha256(const char *key, const char *salt)
  {
  	/* We don't want to have an arbitrary limit in the size of the
  	 * password. We can compute an upper bound for the size of the
  	 * result in advance and so we can prepare the buffer we pass to
 -	 * `sha256_crypt_r'. */
 +	 * `crypt_sha256_r'. */
  	static char *buffer;
  	static int buflen;
  	int needed;
 @@ -293,7 +293,7 @@ sha256_crypt(const char *key, const char
  		buflen = needed;
  	}
  
 -	return sha256_crypt_r(key, salt, buffer, buflen);
 +	return crypt_sha256_r(key, salt, buffer, buflen);
  }
  
  #ifdef TEST
 @@ -459,7 +459,7 @@ main(void)
  	}
  
  	for (cnt = 0; cnt < ntests2; ++cnt) {
 -		char *cp = sha256_crypt(tests2[cnt].input, tests2[cnt].salt);
 +		char *cp = crypt_sha256(tests2[cnt].input, tests2[cnt].salt);
  
  		if (strcmp(cp, tests2[cnt].expected) != 0) {
  			printf("test %d: expected \"%s\", got \"%s\"\n",
 
 Copied and modified: stable/8/lib/libcrypt/crypt-sha512.c (from r220497, head/lib/libcrypt/crypt-sha512.c)
 ==============================================================================
 --- head/lib/libcrypt/crypt-sha512.c	Sat Apr  9 14:02:04 2011	(r220497, copy source)
 +++ stable/8/lib/libcrypt/crypt-sha512.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -60,7 +60,7 @@ static const char sha512_rounds_prefix[]
  #define ROUNDS_MAX 999999999
  
  static char *
 -sha512_crypt_r(const char *key, const char *salt, char *buffer, int buflen)
 +crypt_sha512_r(const char *key, const char *salt, char *buffer, int buflen)
  {
  	u_long srounds;
  	int n;
 @@ -280,12 +280,12 @@ sha512_crypt_r(const char *key, const ch
  
  /* This entry point is equivalent to crypt(3). */
  char *
 -sha512_crypt(const char *key, const char *salt)
 +crypt_sha512(const char *key, const char *salt)
  {
  	/* We don't want to have an arbitrary limit in the size of the
  	 * password. We can compute an upper bound for the size of the
  	 * result in advance and so we can prepare the buffer we pass to
 -	 * `sha512_crypt_r'. */
 +	 * `crypt_sha512_r'. */
  	static char *buffer;
  	static int buflen;
  	int needed;
 @@ -305,7 +305,7 @@ sha512_crypt(const char *key, const char
  		buflen = needed;
  	}
  
 -	return sha512_crypt_r(key, salt, buffer, buflen);
 +	return crypt_sha512_r(key, salt, buffer, buflen);
  }
  
  #ifdef TEST
 @@ -482,7 +482,7 @@ main(void)
  	}
  
  	for (cnt = 0; cnt < ntests2; ++cnt) {
 -		char *cp = sha512_crypt(tests2[cnt].input, tests2[cnt].salt);
 +		char *cp = crypt_sha512(tests2[cnt].input, tests2[cnt].salt);
  
  		if (strcmp(cp, tests2[cnt].expected) != 0) {
  			printf("test %d: expected \"%s\", got \"%s\"\n",
 
 Modified: stable/8/lib/libcrypt/crypt.c
 ==============================================================================
 --- stable/8/lib/libcrypt/crypt.c	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libcrypt/crypt.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -63,6 +63,16 @@ static const struct {
  		"$3$"
  	},
  	{
 +		"sha256",
 +		crypt_sha256,
 +		"$5$"
 +	},
 +	{
 +		"sha512",
 +		crypt_sha512,
 +		"$6$"
 +	},
 +	{
  		NULL,
  		NULL,
  		NULL
 
 Modified: stable/8/lib/libcrypt/crypt.h
 ==============================================================================
 --- stable/8/lib/libcrypt/crypt.h	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libcrypt/crypt.h	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -36,5 +36,8 @@ char *crypt_des(const char *pw, const ch
  char *crypt_md5(const char *pw, const char *salt);
  char *crypt_nthash(const char *pw, const char *salt);
  char *crypt_blowfish(const char *pw, const char *salt);
 +char *crypt_sha256 (const char *pw, const char *salt);
 +char *crypt_sha512 (const char *pw, const char *salt);
  
  extern void _crypt_to64(char *s, u_long v, int n);
 +extern void b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp);
 
 Modified: stable/8/lib/libcrypt/misc.c
 ==============================================================================
 --- stable/8/lib/libcrypt/misc.c	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libcrypt/misc.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -45,3 +45,19 @@ _crypt_to64(char *s, u_long v, int n)
  		v >>= 6;
  	}
  }
 +
 +void
 +b64_from_24bit(uint8_t B2, uint8_t B1, uint8_t B0, int n, int *buflen, char **cp)
 +{
 +	uint32_t w;
 +	int i;
 +
 +	w = (B2 << 16) | (B1 << 8) | B0;
 +	for (i = 0; i < n; i++) {
 +		**cp = itoa64[w&0x3f];
 +		(*cp)++;
 +		if ((*buflen)-- < 0)
 +			break;
 +		w >>= 6;
 +	}
 +}
 
 Modified: stable/8/lib/libmd/Makefile
 ==============================================================================
 --- stable/8/lib/libmd/Makefile	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libmd/Makefile	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -5,10 +5,11 @@ SHLIBDIR?= /lib
  SRCS=	md2c.c md4c.c md5c.c md2hl.c md4hl.c md5hl.c \
  	rmd160c.c rmd160hl.c \
  	sha0c.c sha0hl.c sha1c.c sha1hl.c \
 -	sha256c.c sha256hl.c
 -INCS=	md2.h md4.h md5.h ripemd.h sha.h sha256.h
 +	sha256c.c sha256hl.c \
 +	sha512c.c sha512hl.c
 +INCS=	md2.h md4.h md5.h ripemd.h sha.h sha256.h sha512.h
  
 -MAN+=	md2.3 md4.3 md5.3 ripemd.3 sha.3 sha256.3
 +MAN+=	md2.3 md4.3 md5.3 ripemd.3 sha.3 sha256.3 sha512.3
  MLINKS+=md2.3 MD2Init.3 md2.3 MD2Update.3 md2.3 MD2Final.3
  MLINKS+=md2.3 MD2End.3  md2.3 MD2File.3   md2.3 MD2FileChunk.3
  MLINKS+=md2.3 MD2Data.3
 @@ -32,10 +33,15 @@ MLINKS+=sha256.3 SHA256_Init.3  sha256.3
  MLINKS+=sha256.3 SHA256_Final.3 sha256.3 SHA256_End.3
  MLINKS+=sha256.3 SHA256_File.3  sha256.3 SHA256_FileChunk.3
  MLINKS+=sha256.3 SHA256_Data.3
 +MLINKS+=sha512.3 SHA512_Init.3  sha512.3 SHA512_Update.3
 +MLINKS+=sha512.3 SHA512_Final.3 sha512.3 SHA512_End.3
 +MLINKS+=sha512.3 SHA512_File.3  sha512.3 SHA512_FileChunk.3
 +MLINKS+=sha512.3 SHA512_Data.3
  CLEANFILES+=	md[245]hl.c md[245].ref md[245].3 mddriver \
  		rmd160.ref rmd160hl.c rmddriver \
  		sha0.ref sha0hl.c sha1.ref sha1hl.c shadriver \
 -		sha256.ref sha256hl.c
 +		sha256.ref sha256hl.c sha512.ref sha512hl.c
 +
  CFLAGS+= -I${.CURDIR}
  .PATH: ${.CURDIR}/${MACHINE_ARCH}
  
 @@ -76,6 +82,12 @@ sha256hl.c: mdXhl.c
  			-e  's/SHA256__/SHA256_/g' \
  		${.ALLSRC}) > ${.TARGET}
  
 +sha512hl.c: mdXhl.c
 +	(echo '#define LENGTH 64'; \
 +		sed -e 's/mdX/sha512/g' -e 's/MDX/SHA512_/g'	\
 +			-e  's/SHA512__/SHA512_/g' \
 +		${.ALLSRC}) > ${.TARGET}
 +
  rmd160hl.c: mdXhl.c
  	(echo '#define LENGTH 20'; \
  		sed -e 's/mdX/ripemd/g' -e 's/MDX/RIPEMD160_/g' \
 @@ -105,8 +117,10 @@ md4.ref:
  	@echo 'MD4 ("abc") = a448017aaf21d8525fc10ae87aa6729d' >> ${.TARGET}
  	@echo 'MD4 ("message digest") = d9130a8164549fe818874806e1c7014b' >> ${.TARGET}
  	@echo 'MD4 ("abcdefghijklmnopqrstuvwxyz") = d79e1c308aa5bbcdeea8ed63df412da9' >> ${.TARGET}
 -	@echo 'MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 043f8582f241db351ce627e153e7f0e4' >> ${.TARGET}
 -	@echo 'MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = e33b4ddc9c38f2199c3e7b164fcc0536' >> ${.TARGET}
 +	@echo 'MD4 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'043f8582f241db351ce627e153e7f0e4' >> ${.TARGET}
 +	@echo 'MD4 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'e33b4ddc9c38f2199c3e7b164fcc0536' >> ${.TARGET}
  
  md5.ref:
  	echo 'MD5 test suite:' > ${.TARGET}
 @@ -119,54 +133,74 @@ md5.ref:
  	@echo 'MD5 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 57edf4a22be3c955ac49da2e2107b67a' >> ${.TARGET}
  
  sha0.ref:
 -	(echo 'SHA-0 test suite:'; \
 -	echo 'SHA-0 ("") = f96cea198ad1dd5617ac084a3d92c6107708c0ef'; \
 -	echo 'SHA-0 ("abc") = 0164b8a914cd2a5e74c4f7ff082c4d97f1edf880'; \
 -	echo 'SHA-0 ("message digest") =' \
 -		'c1b0f222d150ebb9aa36a40cafdc8bcbed830b14'; \
 -	echo 'SHA-0 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'b40ce07a430cfd3c033039b9fe9afec95dc1bdcd'; \
 -	echo 'SHA-0 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'79e966f7a3a990df33e40e3d7f8f18d2caebadfa'; \
 -	echo 'SHA-0 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'4aa29d14d171522ece47bee8957e35a41f3e9cff' ) > ${.TARGET}
 +	echo 'SHA-0 test suite:' > ${.TARGET}
 +	@echo 'SHA-0 ("") = f96cea198ad1dd5617ac084a3d92c6107708c0ef' >> ${.TARGET}
 +	@echo 'SHA-0 ("abc") = 0164b8a914cd2a5e74c4f7ff082c4d97f1edf880' >> ${.TARGET}
 +	@echo 'SHA-0 ("message digest") =' \
 +		'c1b0f222d150ebb9aa36a40cafdc8bcbed830b14' >> ${.TARGET}
 +	@echo 'SHA-0 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'b40ce07a430cfd3c033039b9fe9afec95dc1bdcd' >> ${.TARGET}
 +	@echo 'SHA-0 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'79e966f7a3a990df33e40e3d7f8f18d2caebadfa' >> ${.TARGET}
 +	@echo 'SHA-0 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'4aa29d14d171522ece47bee8957e35a41f3e9cff' >> ${.TARGET}
  
  sha1.ref:
 -	(echo 'SHA-1 test suite:'; \
 -	echo 'SHA-1 ("") = da39a3ee5e6b4b0d3255bfef95601890afd80709'; \
 -	echo 'SHA-1 ("abc") = a9993e364706816aba3e25717850c26c9cd0d89d'; \
 -	echo 'SHA-1 ("message digest") =' \
 -		'c12252ceda8be8994d5fa0290a47231c1d16aae3'; \
 -	echo 'SHA-1 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'32d10c7b8cf96570ca04ce37f2a19d84240d3a89'; \
 -	echo 'SHA-1 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'761c457bf73b14d27e9e9265c46f4b4dda11f940'; \
 -	echo 'SHA-1 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'50abf5706a150990a08b2c5ea40fa0e585554732' ) > ${.TARGET}
 +	echo 'SHA-1 test suite:' > ${.TARGET}
 +	@echo 'SHA-1 ("") = da39a3ee5e6b4b0d3255bfef95601890afd80709' >> ${.TARGET}
 +	@echo 'SHA-1 ("abc") = a9993e364706816aba3e25717850c26c9cd0d89d' >> ${.TARGET}
 +	@echo 'SHA-1 ("message digest") =' \
 +		'c12252ceda8be8994d5fa0290a47231c1d16aae3' >> ${.TARGET}
 +	@echo 'SHA-1 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'32d10c7b8cf96570ca04ce37f2a19d84240d3a89' >> ${.TARGET}
 +	@echo 'SHA-1 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'761c457bf73b14d27e9e9265c46f4b4dda11f940' >> ${.TARGET}
 +	@echo 'SHA-1 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'50abf5706a150990a08b2c5ea40fa0e585554732' >> ${.TARGET}
  
  sha256.ref:
  	echo 'SHA-256 test suite:' > ${.TARGET}
  	@echo 'SHA-256 ("") = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' >> ${.TARGET}
 -	@echo 'SHA-256 ("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad' >> ${.TARGET}
 -	@echo 'SHA-256 ("message digest") = f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650' >> ${.TARGET}
 -	@echo 'SHA-256 ("abcdefghijklmnopqrstuvwxyz") = 71c480df93d6ae2f1efad1447c66c9525e316218cf51fc8d9ed832f2daf18b73' >> ${.TARGET}
 -	@echo 'SHA-256 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = db4bfcbd4da0cd85a60c3c37d3fbd8805c77f15fc6b1fdfe614ee0a7c8fdb4c0' >> ${.TARGET}
 -	@echo 'SHA-256 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = f371bc4a311f2b009eef952dd83ca80e2b60026c8e935592d0f9c308453c813e' >> ${.TARGET}
 +	@echo 'SHA-256 ("abc") =' \
 +		'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad' >> ${.TARGET}
 +	@echo 'SHA-256 ("message digest") =' \
 +		'f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650' >> ${.TARGET}
 +	@echo 'SHA-256 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'71c480df93d6ae2f1efad1447c66c9525e316218cf51fc8d9ed832f2daf18b73' >> ${.TARGET}
 +	@echo 'SHA-256 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'db4bfcbd4da0cd85a60c3c37d3fbd8805c77f15fc6b1fdfe614ee0a7c8fdb4c0' >> ${.TARGET}
 +	@echo 'SHA-256 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'f371bc4a311f2b009eef952dd83ca80e2b60026c8e935592d0f9c308453c813e' >> ${.TARGET}
 +
 +sha512.ref:
 +	echo 'SHA-512 test suite:' > ${.TARGET}
 +	@echo 'SHA-512 ("") =' \
 +		'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e' >> ${.TARGET}
 +	@echo 'SHA-512 ("abc") =' \
 +		'ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f' >> ${.TARGET}
 +	@echo 'SHA-512 ("message digest") =' \
 +		'107dbf389d9e9f71a3a95f6c055b9251bc5268c2be16d6c13492ea45b0199f3309e16455ab1e96118e8a905d5597b72038ddb372a89826046de66687bb420e7c' >> ${.TARGET}
 +	@echo 'SHA-512 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'4dbff86cc2ca1bae1e16468a05cb9881c97f1753bce3619034898faa1aabe429955a1bf8ec483d7421fe3c1646613a59ed5441fb0f321389f77f48a879c7b1f1' >> ${.TARGET}
 +	@echo 'SHA-512 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'1e07be23c26a86ea37ea810c8ec7809352515a970e9253c26f536cfc7a9996c45c8370583e0a78fa4a90041d71a4ceab7423f19c71b9d5a3e01249f0bebd5894' >> ${.TARGET}
 +	@echo 'SHA-512 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'72ec1ef1124a45b047e8b7c75a932195135bb61de24ec0d1914042246e0aec3a2354e093d76f3048b456764346900cb130d2a4fd5dd16abb5e30bcb850dee843' >> ${.TARGET}
  
  rmd160.ref:
 -	(echo 'RIPEMD160 test suite:'; \
 -	echo 'RIPEMD160 ("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31'; \
 -	echo 'RIPEMD160 ("abc") = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc'; \
 -	echo 'RIPEMD160 ("message digest") =' \
 -		'5d0689ef49d2fae572b881b123a85ffa21595f36'; \
 -	echo 'RIPEMD160 ("abcdefghijklmnopqrstuvwxyz") =' \
 -		'f71c27109c692c1b56bbdceb5b9d2865b3708dbc'; \
 -	echo 'RIPEMD160 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 -		'b0e20b6e3116640286ed3a87a5713079b21f5189'; \
 -	echo 'RIPEMD160 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 -		'9b752e45573d4b39f4dbd3323cab82bf63326bfb' ) > ${.TARGET}
 +	echo 'RIPEMD160 test suite:' > ${.TARGET}
 +	@echo 'RIPEMD160 ("") = 9c1185a5c5e9fc54612808977ee8f548b2258d31' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("abc") = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("message digest") =' \
 +		'5d0689ef49d2fae572b881b123a85ffa21595f36' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("abcdefghijklmnopqrstuvwxyz") =' \
 +		'f71c27109c692c1b56bbdceb5b9d2865b3708dbc' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =' \
 +		'b0e20b6e3116640286ed3a87a5713079b21f5189' >> ${.TARGET}
 +	@echo 'RIPEMD160 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =' \
 +		'9b752e45573d4b39f4dbd3323cab82bf63326bfb' >> ${.TARGET}
  
 -test:	md2.ref md4.ref md5.ref sha0.ref rmd160.ref sha1.ref sha256.ref
 +test:	md2.ref md4.ref md5.ref sha0.ref rmd160.ref sha1.ref sha256.ref sha512.ref
  	@${ECHO} if any of these test fail, the code produces wrong results
  	@${ECHO} and should NOT be used.
  	${CC} ${CFLAGS} ${LDFLAGS} -DMD=2 -o mddriver ${.CURDIR}/mddriver.c ./libmd.a
 @@ -192,6 +226,9 @@ test:	md2.ref md4.ref md5.ref sha0.ref r
  	${CC} ${CFLAGS} ${LDFLAGS} -DSHA=256 -o shadriver ${.CURDIR}/shadriver.c libmd.a
  	./shadriver | cmp sha256.ref -
  	@${ECHO} SHA-256 passed test
 +	${CC} ${CFLAGS} ${LDFLAGS} -DSHA=512 -o shadriver ${.CURDIR}/shadriver.c libmd.a
 +	./shadriver | cmp sha512.ref -
 +	@${ECHO} SHA-512 passed test
  	-rm -f shadriver
  
  .include <bsd.lib.mk>
 
 Modified: stable/8/lib/libmd/mddriver.c
 ==============================================================================
 --- stable/8/lib/libmd/mddriver.c	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libmd/mddriver.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -1,33 +1,31 @@
 -/* MDDRIVER.C - test driver for MD2, MD4 and MD5
 - */
 +/* MDDRIVER.C - test driver for MD2, MD4 and MD5 */
 +
 +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights
 + * reserved.
 + * 
 + * RSA Data Security, Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + * 
 + * These notices must be retained in any copies of any part of this
 + * documentation and/or software. */
  
  #include <sys/cdefs.h>
  __FBSDID("$FreeBSD$");
  
 -/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
 -   rights reserved.
 -
 -   RSA Data Security, Inc. makes no representations concerning either
 -   the merchantability of this software or the suitability of this
 -   software for any particular purpose. It is provided "as is"
 -   without express or implied warranty of any kind.
 -
 -   These notices must be retained in any copies of any part of this
 -   documentation and/or software.
 - */
 -
 -/* The following makes MD default to MD5 if it has not already been
 -     defined with C compiler flags.
 - */
 -#ifndef MD
 -#define MD 5
 -#endif
 -
  #include <sys/types.h>
  
  #include <stdio.h>
  #include <time.h>
  #include <string.h>
 +
 +/* The following makes MD default to MD5 if it has not already been defined
 + * with C compiler flags. */
 +#ifndef MD
 +#define MD 5
 +#endif
 +
  #if MD == 2
  #include "md2.h"
  #define MDData MD2Data
 @@ -41,32 +39,31 @@ __FBSDID("$FreeBSD$");
  #define MDData MD5Data
  #endif
  
 -/* Digests a string and prints the result.
 - */
 -static void MDString (string)
 -char *string;
 +/* Digests a string and prints the result. */
 +static void 
 +MDString(char *string)
  {
 -  char buf[33];
 +	char buf[33];
  
 -  printf ("MD%d (\"%s\") = %s\n", 
 -	MD, string, MDData(string,strlen(string),buf));
 +	printf("MD%d (\"%s\") = %s\n",
 +	       MD, string, MDData(string, strlen(string), buf));
  }
  
 -/* Digests a reference suite of strings and prints the results.
 - */
 -main()
 +/* Digests a reference suite of strings and prints the results. */
 +int
 +main(void)
  {
 -  printf ("MD%d test suite:\n", MD);
 +	printf("MD%d test suite:\n", MD);
 +
 +	MDString("");
 +	MDString("a");
 +	MDString("abc");
 +	MDString("message digest");
 +	MDString("abcdefghijklmnopqrstuvwxyz");
 +	MDString("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 +		"abcdefghijklmnopqrstuvwxyz0123456789");
 +	MDString("1234567890123456789012345678901234567890"
 +		"1234567890123456789012345678901234567890");
  
 -  MDString ("");
 -  MDString ("a");
 -  MDString ("abc");
 -  MDString ("message digest");
 -  MDString ("abcdefghijklmnopqrstuvwxyz");
 -  MDString
 -    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
 -  MDString
 -    ("1234567890123456789012345678901234567890\
 -1234567890123456789012345678901234567890");
 -  return 0;
 +	return 0;
  }
 
 Modified: stable/8/lib/libmd/rmddriver.c
 ==============================================================================
 --- stable/8/lib/libmd/rmddriver.c	Mon Feb 13 15:21:12 2012	(r231587)
 +++ stable/8/lib/libmd/rmddriver.c	Mon Feb 13 16:43:29 2012	(r231588)
 @@ -1,53 +1,51 @@
 -/* RIPEMD160DRIVER.C - test driver for RIPEMD160
 - */
 +/* RIPEMD160DRIVER.C - test driver for RIPEMD160 */
 +
 +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights
 + * reserved.
 + * 
 + * RSA Data Security, Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + * 
 + * These notices must be retained in any copies of any part of this
 + * documentation and/or software. */
  
  #include <sys/cdefs.h>
  __FBSDID("$FreeBSD$");
  
 -/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
 -   rights reserved.
 -
 -   RSA Data Security, Inc. makes no representations concerning either
 -   the merchantability of this software or the suitability of this
 -   software for any particular purpose. It is provided "as is"
 -   without express or implied warranty of any kind.
 -
 -   These notices must be retained in any copies of any part of this
 -   documentation and/or software.
 - */
 -
  #include <sys/types.h>
  
  #include <stdio.h>
  #include <time.h>
  #include <string.h>
 +
  #include "ripemd.h"
  
 -/* Digests a string and prints the result.
 - */
 -static void RIPEMD160String (string)
 -char *string;
 +/* Digests a string and prints the result. */
 +static void 
 +RIPEMD160String(char *string)
  {
 -  char buf[2*20+1];
 +	char buf[2*20 + 1];
  
 -  printf ("RIPEMD160 (\"%s\") = %s\n", 
 -	string, RIPEMD160_Data(string,strlen(string),buf));
 +	printf("RIPEMD160 (\"%s\") = %s\n",
 +	       string, RIPEMD160_Data(string, strlen(string), buf));
  }
  
 -/* Digests a reference suite of strings and prints the results.
 - */
 -main()
 +/* Digests a reference suite of strings and prints the results. */
 +int
 +main(void)
  {
 -  printf ("RIPEMD160 test suite:\n");
 +	printf("RIPEMD160 test suite:\n");
 +
 +	RIPEMD160String("");
 +	RIPEMD160String("abc");
 +	RIPEMD160String("message digest");
 +	RIPEMD160String("abcdefghijklmnopqrstuvwxyz");
 +	RIPEMD160String("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 +		"abcdefghijklmnopqrstuvwxyz0123456789");
 +	RIPEMD160String("1234567890123456789012345678901234567890"
 +		"1234567890123456789012345678901234567890");
  
 -  RIPEMD160String ("");
 -  RIPEMD160String ("abc");
 -  RIPEMD160String ("message digest");
 -  RIPEMD160String ("abcdefghijklmnopqrstuvwxyz");
 -  RIPEMD160String
 -    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
 -  RIPEMD160String
 -    ("1234567890123456789012345678901234567890\
 -1234567890123456789012345678901234567890");
 -  return 0;
 +	return 0;
  }
 
 Copied: stable/8/lib/libmd/sha512.3 (from r220496, head/lib/libmd/sha512.3)
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ stable/8/lib/libmd/sha512.3	Mon Feb 13 16:43:29 2012	(r231588, copy of r220496, head/lib/libmd/sha512.3)
 @@ -0,0 +1,139 @@
 +.\"
 +.\" ----------------------------------------------------------------------------
 +.\" "THE BEER-WARE LICENSE" (Revision 42):
 +.\" <phk@FreeBSD.org> wrote this file.  As long as you retain this notice you
 +.\" can do whatever you want with this stuff. If we meet some day, and you think
 +.\" this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 +.\" ----------------------------------------------------------------------------
 +.\"
 +.\" 	From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp
 +.\" $FreeBSD$
 +.\"
 +.Dd April 1, 2011
 +.Dt SHA512 3
 +.Os
 +.Sh NAME
 +.Nm SHA512_Init ,
 +.Nm SHA512_Update ,
 +.Nm SHA512_Final ,
 +.Nm SHA512_End ,
 +.Nm SHA512_File ,
 +.Nm SHA512_FileChunk ,
 +.Nm SHA512_Data
 +.Nd calculate the FIPS 180-2 ``SHA-512'' message digest
 +.Sh LIBRARY
 +.Lb libmd
 +.Sh SYNOPSIS
 +.In sys/types.h
 +.In sha512.h
 +.Ft void
 +.Fn SHA512_Init "SHA512_CTX *context"
 +.Ft void
 +.Fn SHA512_Update "SHA512_CTX *context" "const unsigned char *data" "size_t len"
 +.Ft void
 +.Fn SHA512_Final "unsigned char digest[64]" "SHA512_CTX *context"
 +.Ft "char *"
 +.Fn SHA512_End "SHA512_CTX *context" "char *buf"
 +.Ft "char *"
 +.Fn SHA512_File "const char *filename" "char *buf"
 +.Ft "char *"
 +.Fn SHA512_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length"
 +.Ft "char *"
 +.Fn SHA512_Data "const unsigned char *data" "unsigned int len" "char *buf"
 +.Sh DESCRIPTION
 +The
 +.Li SHA512_
 +functions calculate a 512-bit cryptographic checksum (digest)
 +for any number of input bytes.
 +A cryptographic checksum is a one-way
 +hash function; that is, it is computationally impractical to find
 +the input corresponding to a particular output.
 +This net result is
 +a
 +.Dq fingerprint
 +of the input-data, which does not disclose the actual input.
 +.Pp
 +The
 +.Fn SHA512_Init ,
 +.Fn SHA512_Update ,
 +and
 +.Fn SHA512_Final
 +functions are the core functions.
 +Allocate an
 +.Vt SHA512_CTX ,
 +initialize it with
 +.Fn SHA512_Init ,
 +run over the data with
 +.Fn SHA512_Update ,
 +and finally extract the result using
 +.Fn SHA512_Final .
 +.Pp
 +.Fn SHA512_End
 +is a wrapper for
 +.Fn SHA512_Final
 +which converts the return value to a 65-character
 +(including the terminating '\e0')
 +.Tn ASCII
 +string which represents the 512 bits in hexadecimal.
 +.Pp
 +.Fn SHA512_File
 +calculates the digest of a file, and uses
 +.Fn SHA512_End
 +to return the result.
 +If the file cannot be opened, a null pointer is returned.
 +.Fn SHA512_FileChunk
 +is similar to
 +.Fn SHA512_File ,
 +but it only calculates the digest over a byte-range of the file specified,
 +starting at
 +.Fa offset
 +and spanning
 +.Fa length
 +bytes.
 +If the
 +.Fa length
 +parameter is specified as 0, or more than the length of the remaining part
 +of the file,
 +.Fn SHA512_FileChunk
 +calculates the digest from
 +.Fa offset
 +to the end of file.
 +.Fn SHA512_Data
 +calculates the digest of a chunk of data in memory, and uses
 +.Fn SHA512_End
 +to return the result.
 +.Pp
 +When using
 +.Fn SHA512_End ,
 +.Fn SHA512_File ,
 +or
 +.Fn SHA512_Data ,
 +the
 +.Fa buf
 +argument can be a null pointer, in which case the returned string
 +is allocated with
 +.Xr malloc 3
 +and subsequently must be explicitly deallocated using
 +.Xr free 3
 +after use.
 +If the
 +.Fa buf
 +argument is non-null it must point to at least 65 characters of buffer space.
 +.Sh SEE ALSO
 +.Xr md2 3 ,
 +.Xr md4 3 ,
 +.Xr md5 3 ,
 +.Xr ripemd 3 ,
 +.Xr sha 3
 +.Sh HISTORY
 +These functions appeared in
 +.Fx 4.0 .
 +.Sh AUTHORS
 +The core hash routines were implemented by Colin Percival based on
 +the published
 +.Tn FIPS 180-2
 +standard.
 +.Sh BUGS
 +No method is known to exist which finds two files having the same hash value,
 +nor to find a file with a specific hash value.
 +There is on the other hand no guarantee that such a method does not exist.
 
 Copied: stable/8/lib/libmd/sha512.h (from r220496, head/lib/libmd/sha512.h)
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ stable/8/lib/libmd/sha512.h	Mon Feb 13 16:43:29 2012	(r231588, copy of r220496, head/lib/libmd/sha512.h)
 @@ -0,0 +1,50 @@
 +/*-
 + * Copyright 2005 Colin Percival
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + *
 + * $FreeBSD$
 + */
 +
 +#ifndef _SHA512_H_
 +#define _SHA512_H_
 +
 +#include <sys/types.h>
 +
 +typedef struct SHA512Context {
 +	uint64_t state[8];
 +	uint64_t count[2];
 +	unsigned char buf[128];
 +} SHA512_CTX;
 +
 +__BEGIN_DECLS
 +void	SHA512_Init(SHA512_CTX *);
 +void	SHA512_Update(SHA512_CTX *, const void *, size_t);
 +void	SHA512_Final(unsigned char [64], SHA512_CTX *);
 +char   *SHA512_End(SHA512_CTX *, char *);
 +char   *SHA512_File(const char *, char *);
 +char   *SHA512_FileChunk(const char *, char *, off_t, off_t);
 +char   *SHA512_Data(const void *, unsigned int, char *);
 +__END_DECLS
 +
 +#endif /* !_SHA512_H_ */
 
 Copied: stable/8/lib/libmd/sha512c.c (from r220496, head/lib/libmd/sha512c.c)
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ stable/8/lib/libmd/sha512c.c	Mon Feb 13 16:43:29 2012	(r231588, copy of r220496, head/lib/libmd/sha512c.c)
 @@ -0,0 +1,320 @@
 +/*-
 + * Copyright 2005 Colin Percival
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 + * SUCH DAMAGE.
 + */
 +
 +#include <sys/cdefs.h>
 +__FBSDID("$FreeBSD$");
 +
 +#include <sys/endian.h>
 +#include <sys/types.h>
 +
 +#include <string.h>
 +
 +#include "sha512.h"
 +
 +#if BYTE_ORDER == BIG_ENDIAN
 +
 +/* Copy a vector of big-endian uint64_t into a vector of bytes */
 +#define be64enc_vect(dst, src, len)	\
 +	memcpy((void *)dst, (const void *)src, (size_t)len)
 +
 +/* Copy a vector of bytes into a vector of big-endian uint64_t */
 +#define be64dec_vect(dst, src, len)	\
 +	memcpy((void *)dst, (const void *)src, (size_t)len)
 +
 +#else /* BYTE_ORDER != BIG_ENDIAN */
 +
 +/*
 + * Encode a length len/4 vector of (uint64_t) into a length len vector of
 + * (unsigned char) in big-endian form.  Assumes len is a multiple of 8.
 + */
 +static void
 +be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
 +{
 +	size_t i;
 +
 +	for (i = 0; i < len / 8; i++)
 +		be64enc(dst + i * 8, src[i]);
 +}
 +
 +/*
 + * Decode a big-endian length len vector of (unsigned char) into a length
 + * len/4 vector of (uint64_t).  Assumes len is a multiple of 8.
 + */
 +static void
 +be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
 +{
 +	size_t i;
 +
 +	for (i = 0; i < len / 8; i++)
 +		dst[i] = be64dec(src + i * 8);
 +}
 +
 +#endif /* BYTE_ORDER != BIG_ENDIAN */
 +
 +/* Elementary functions used by SHA512 */
 +#define Ch(x, y, z)	((x & (y ^ z)) ^ z)
 +#define Maj(x, y, z)	((x & (y | z)) | (y & z))
 +#define SHR(x, n)	(x >> n)
 +#define ROTR(x, n)	((x >> n) | (x << (64 - n)))
 +#define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
 +#define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
 +#define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
 +#define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
 +
 +/* SHA512 round function */
 +#define RND(a, b, c, d, e, f, g, h, k)			\
 +	t0 = h + S1(e) + Ch(e, f, g) + k;		\
 +	t1 = S0(a) + Maj(a, b, c);			\
 +	d += t0;					\
 +	h  = t0 + t1;
 +
 +/* Adjusted round function for rotating state */
 +#define RNDr(S, W, i, k)			\
 +	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\
 +	    S[(82 - i) % 8], S[(83 - i) % 8],	\
 +	    S[(84 - i) % 8], S[(85 - i) % 8],	\
 +	    S[(86 - i) % 8], S[(87 - i) % 8],	\
 +	    W[i] + k)
 +
 +/*
 + * SHA512 block compression function.  The 512-bit state is transformed via
 + * the 512-bit input block to produce a new state.
 + */
 +static void
 +SHA512_Transform(uint64_t * state, const unsigned char block[128])
 +{
 +	uint64_t W[80];
 +	uint64_t S[8];
 +	uint64_t t0, t1;
 +	int i;
 +
 +	/* 1. Prepare message schedule W. */
 +	be64dec_vect(W, block, 128);
 +	for (i = 16; i < 80; i++)
 +		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
 +
 +	/* 2. Initialize working variables. */
 +	memcpy(S, state, 64);
 +
 +	/* 3. Mix. */
 +	RNDr(S, W, 0, 0x428a2f98d728ae22ULL);
 +	RNDr(S, W, 1, 0x7137449123ef65cdULL);
 +	RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL);
 +	RNDr(S, W, 3, 0xe9b5dba58189dbbcULL);
 +	RNDr(S, W, 4, 0x3956c25bf348b538ULL);
 +	RNDr(S, W, 5, 0x59f111f1b605d019ULL);
 +	RNDr(S, W, 6, 0x923f82a4af194f9bULL);
 +	RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL);
 +	RNDr(S, W, 8, 0xd807aa98a3030242ULL);
 +	RNDr(S, W, 9, 0x12835b0145706fbeULL);
 +	RNDr(S, W, 10, 0x243185be4ee4b28cULL);
 +	RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL);
 +	RNDr(S, W, 12, 0x72be5d74f27b896fULL);
 +	RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL);
 +	RNDr(S, W, 14, 0x9bdc06a725c71235ULL);
 +	RNDr(S, W, 15, 0xc19bf174cf692694ULL);
 +	RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL);
 +	RNDr(S, W, 17, 0xefbe4786384f25e3ULL);
 +	RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL);
 +	RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL);
 +	RNDr(S, W, 20, 0x2de92c6f592b0275ULL);
 +	RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL);
 +	RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL);
 +	RNDr(S, W, 23, 0x76f988da831153b5ULL);
 +	RNDr(S, W, 24, 0x983e5152ee66dfabULL);
 +	RNDr(S, W, 25, 0xa831c66d2db43210ULL);
 +	RNDr(S, W, 26, 0xb00327c898fb213fULL);
 +	RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL);
 +	RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL);
 +	RNDr(S, W, 29, 0xd5a79147930aa725ULL);
 +	RNDr(S, W, 30, 0x06ca6351e003826fULL);
 +	RNDr(S, W, 31, 0x142929670a0e6e70ULL);
 +	RNDr(S, W, 32, 0x27b70a8546d22ffcULL);
 +	RNDr(S, W, 33, 0x2e1b21385c26c926ULL);
 +	RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL);
 +	RNDr(S, W, 35, 0x53380d139d95b3dfULL);
 +	RNDr(S, W, 36, 0x650a73548baf63deULL);
 +	RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL);
 +	RNDr(S, W, 38, 0x81c2c92e47edaee6ULL);
 +	RNDr(S, W, 39, 0x92722c851482353bULL);
 +	RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL);
 +	RNDr(S, W, 41, 0xa81a664bbc423001ULL);
 +	RNDr(S, W, 42, 0xc24b8b70d0f89791ULL);
 +	RNDr(S, W, 43, 0xc76c51a30654be30ULL);
 +	RNDr(S, W, 44, 0xd192e819d6ef5218ULL);
 +	RNDr(S, W, 45, 0xd69906245565a910ULL);
 +	RNDr(S, W, 46, 0xf40e35855771202aULL);
 +	RNDr(S, W, 47, 0x106aa07032bbd1b8ULL);
 +	RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL);
 +	RNDr(S, W, 49, 0x1e376c085141ab53ULL);
 +	RNDr(S, W, 50, 0x2748774cdf8eeb99ULL);
 +	RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL);
 +	RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL);
 +	RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL);
 +	RNDr(S, W, 54, 0x5b9cca4f7763e373ULL);
 +	RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL);
 +	RNDr(S, W, 56, 0x748f82ee5defb2fcULL);
 +	RNDr(S, W, 57, 0x78a5636f43172f60ULL);
 +	RNDr(S, W, 58, 0x84c87814a1f0ab72ULL);
 +	RNDr(S, W, 59, 0x8cc702081a6439ecULL);
 +	RNDr(S, W, 60, 0x90befffa23631e28ULL);
 +	RNDr(S, W, 61, 0xa4506cebde82bde9ULL);
 +	RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL);
 +	RNDr(S, W, 63, 0xc67178f2e372532bULL);
 +	RNDr(S, W, 64, 0xca273eceea26619cULL);
 +	RNDr(S, W, 65, 0xd186b8c721c0c207ULL);
 +	RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL);
 +	RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL);
 +	RNDr(S, W, 68, 0x06f067aa72176fbaULL);
 +	RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL);
 +	RNDr(S, W, 70, 0x113f9804bef90daeULL);
 +	RNDr(S, W, 71, 0x1b710b35131c471bULL);
 +	RNDr(S, W, 72, 0x28db77f523047d84ULL);
 +	RNDr(S, W, 73, 0x32caab7b40c72493ULL);
 +	RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL);
 +	RNDr(S, W, 75, 0x431d67c49c100d4cULL);
 +	RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL);
 +	RNDr(S, W, 77, 0x597f299cfc657e2aULL);
 +	RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL);
 +	RNDr(S, W, 79, 0x6c44198c4a475817ULL);
 +
 +	/* 4. Mix local working variables into global state */
 +	for (i = 0; i < 8; i++)
 +		state[i] += S[i];
 +}
 +
 +static unsigned char PAD[128] = {
 +	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 +	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 +};
 +
 +/* Add padding and terminating bit-count. */
 +static void
 +SHA512_Pad(SHA512_CTX * ctx)
 +{
 +	unsigned char len[16];
 +	uint64_t r, plen;
 +
 +	/*
 +	 * Convert length to a vector of bytes -- we do this now rather
 +	 * than later because the length will change after we pad.
 +	 */
 +	be64enc_vect(len, ctx->count, 16);
 +
 +	/* Add 1--128 bytes so that the resulting length is 112 mod 128 */
 +	r = (ctx->count[1] >> 3) & 0x7f;
 +	plen = (r < 112) ? (112 - r) : (240 - r);
 +	SHA512_Update(ctx, PAD, (size_t)plen);
 +
 +	/* Add the terminating bit-count */
 +	SHA512_Update(ctx, len, 16);
 +}
 +
 +/* SHA-512 initialization.  Begins a SHA-512 operation. */
 +void
 +SHA512_Init(SHA512_CTX * ctx)
 +{
 +
 +	/* Zero bits processed so far */
 +	ctx->count[0] = ctx->count[1] = 0;
 +
 +	/* Magic initialization constants */
 +	ctx->state[0] = 0x6a09e667f3bcc908ULL;
 +	ctx->state[1] = 0xbb67ae8584caa73bULL;
 +	ctx->state[2] = 0x3c6ef372fe94f82bULL;
 +	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
 +	ctx->state[4] = 0x510e527fade682d1ULL;
 +	ctx->state[5] = 0x9b05688c2b3e6c1fULL;
 
 *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: markm 
State-Changed-When: Mon Feb 13 16:56:39 UTC 2012 
State-Changed-Why:  
Merged to STABLE-8 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124164 
>Unformatted:
