#!/usr/bin/perl -w
use strict;
use Getopt::Long qw(:config no_ignore_case);
use Pod::Usage;
use Digest::SHA;
use MIME::Base64;
use Math::Random::Secure qw(irand);

my %opts;
GetOptions(\%opts,
	qw[ help|?! man! f|format=s l|len=i s|salt=s S|Salt=s z|saltlen:i ]
) or pod2usage(2);
pod2usage(1) if $opts{help};
pod2usage(-verbose => 2) if $opts{man};

my $len = 256;
if (exists $opts{l}) {
	my @length = (224, 256, 384, 512);
	if (grep {$_ eq $opts{l}} @length) {
		$len = $opts{l};
	} else {
		print "Bad length\n";
		exit(1);
	}
}

sub fmt_base64 {
	return encode_base64(shift, '')."\n";
}

sub fmt_hex {
	return unpack('H*', shift)."\n";
}

sub fmt_bin {
	return shift;
}

my $fmt = \&{'fmt_base64'};
if (exists $opts{f}) {
	my %format = ('m' => \&{'fmt_base64'}, 'base64' => \&{'fmt_base64'},
		'x' => \&{'fmt_hex'}, 'hex' => \&{'fmt_hex'},
		'b' => \&{'fmt_bin'}, 'bin' => \&{'fmt_bin'});
	$fmt = $format{$opts{f}};
	if (!defined $fmt) {
		print "Bad format\n";
		exit(1);
	}
}

my $password = $ARGV[0];
if (!defined $password) {
	print "Missing password\n";
	exit(1);
}

my $salt = $opts{s};
if (exists $opts{S}) {
	if (defined $salt) {
		print "Redundant salt\n";
		exit(1);
	}
	$salt = pack('H*', $opts{S});
} elsif (!defined $salt and exists $opts{z}) {
	my $ssiz = $opts{z};
	if ($ssiz == 0) {
		$ssiz = 8;
	} elsif ($ssiz < 0) {
		print "Bad salt length\n";
		exit(1);
	}
	while ($ssiz >= 4) {
		$salt .= pack('N', irand());
		$ssiz -= 4;
	}
	$salt .= substr(pack('N', irand()), 1, $ssiz) if ($ssiz > 0);
}

my $ctx = Digest::SHA->new($len);
$ctx->add($password);
$ctx->add($salt) if (defined $salt);
my $dig = $ctx->digest;
$dig .= $salt if (defined $salt);

print &$fmt($dig);

__END__

=head1 NAME

ssha2passwd - Generate a SHA2 hashed password

=head1 DESCRIPTION

Hash the given password into a SHA2 digest with optional salt.

=head1 SYNOPSIS

   ssha2passwd [options] <password>

=head1 OPTIONS

=over

=item B<-f> or B<-format> <format>

Format options:

=over

=item B<m> or B<base64> : base64 encoded (default)

=item B<x> or B<hex> : hexadecimal string

=item B<b> or B<bin> : binary string

=back

=item B<-l> or B<-length> <length>

Hash algorithm bit length (224, 256, 384, or 512 | default: 256).

=item B<-s> or B<-salt> <string>

=item B<-S> or B<-Salt> <hexadecimal string>

Salt string appended to password and hashed. The resultant digest then
has the salt string appended.

=item B<-z> or B<-saltlen> [<length>]

Byte length of random salt appended to password and hashed, if no salt
string is explicitly given (0 is default, default: 8).

=item B<-?> or B<-help>

Print a brief help message.

=item B<-man>

Print the manual page.

=back
=cut