1 /* sha256.c - SHA256 hash function
2 * Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
4 * This file is part of Libgcrypt.
6 * Libgcrypt is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as
8 * published by the Free Software Foundation; either version 2.1 of
9 * the License, or (at your option) any later version.
11 * Libgcrypt is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
24 SHA224: 23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7
25 SHA256: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
27 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
28 SHA224: 75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525
29 SHA256: 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
32 SHA224: 20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67
33 SHA256: cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0
46 #include "hash-common.h"
49 u32 h0
,h1
,h2
,h3
,h4
,h5
,h6
,h7
;
57 sha256_init (void *context
)
59 SHA256_CONTEXT
*hd
= context
;
76 sha224_init (void *context
)
78 SHA256_CONTEXT
*hd
= context
;
95 Transform the message X which consists of 16 32-bit-words. See FIPS
97 #define S0(x) (ror ((x), 7) ^ ror ((x), 18) ^ ((x) >> 3)) /* (4.6) */
98 #define S1(x) (ror ((x), 17) ^ ror ((x), 19) ^ ((x) >> 10)) /* (4.7) */
99 #define R(a,b,c,d,e,f,g,h,k,w) do \
101 t1 = (h) + Sum1((e)) + Cho((e),(f),(g)) + (k) + (w); \
102 t2 = Sum0((a)) + Maj((a),(b),(c)); \
113 /* (4.2) same as SHA-1's F1. */
115 Cho (u32 x
, u32 y
, u32 z
)
117 return (z
^ (x
& (y
^ z
)));
120 /* (4.3) same as SHA-1's F3 */
122 Maj (u32 x
, u32 y
, u32 z
)
124 return ((x
& y
) | (z
& (x
|y
)));
131 return (ror (x
, 2) ^ ror (x
, 13) ^ ror (x
, 22));
138 return (ror (x
, 6) ^ ror (x
, 11) ^ ror (x
, 25));
143 transform (SHA256_CONTEXT
*hd
, const unsigned char *data
)
145 static const u32 K
[64] = {
146 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
147 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
148 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
149 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
150 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
151 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
152 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
153 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
154 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
155 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
156 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
157 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
158 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
159 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
160 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
161 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
164 u32 a
,b
,c
,d
,e
,f
,g
,h
,t1
,t2
;
178 #ifdef WORDS_BIGENDIAN
179 memcpy (x
, data
, 64);
184 for (i
=0, p2
=(byte
*)x
; i
< 16; i
++, p2
+= 4 )
194 for (i
=0; i
< 16; i
++)
197 w
[i
] = S1(w
[i
-2]) + w
[i
-7] + S0(w
[i
-15]) + w
[i
-16];
202 R(a
,b
,c
,d
,e
,f
,g
,h
,K
[i
],w
[i
]);
205 t1
= h
+ Sum1 (e
) + Cho (e
, f
, g
) + K
[i
] + w
[i
];
206 t2
= Sum0 (a
) + Maj (a
, b
, c
);
210 t1
= g
+ Sum1 (d
) + Cho (d
, e
, f
) + K
[i
+1] + w
[i
+1];
211 t2
= Sum0 (h
) + Maj (h
, a
, b
);
215 t1
= f
+ Sum1 (c
) + Cho (c
, d
, e
) + K
[i
+2] + w
[i
+2];
216 t2
= Sum0 (g
) + Maj (g
, h
, a
);
220 t1
= e
+ Sum1 (b
) + Cho (b
, c
, d
) + K
[i
+3] + w
[i
+3];
221 t2
= Sum0 (f
) + Maj (f
, g
, h
);
225 t1
= d
+ Sum1 (a
) + Cho (a
, b
, c
) + K
[i
+4] + w
[i
+4];
226 t2
= Sum0 (e
) + Maj (e
, f
, g
);
230 t1
= c
+ Sum1 (h
) + Cho (h
, a
, b
) + K
[i
+5] + w
[i
+5];
231 t2
= Sum0 (d
) + Maj (d
, e
, f
);
235 t1
= b
+ Sum1 (g
) + Cho (g
, h
, a
) + K
[i
+6] + w
[i
+6];
236 t2
= Sum0 (c
) + Maj (c
, d
, e
);
240 t1
= a
+ Sum1 (f
) + Cho (f
, g
, h
) + K
[i
+7] + w
[i
+7];
241 t2
= Sum0 (b
) + Maj (b
, c
, d
);
263 /* Update the message digest with the contents of INBUF with length
266 sha256_write (void *context
, const void *inbuf_arg
, size_t inlen
)
268 const unsigned char *inbuf
= inbuf_arg
;
269 SHA256_CONTEXT
*hd
= context
;
272 { /* flush the buffer */
273 transform (hd
, hd
->buf
);
274 _gcry_burn_stack (74*4+32);
282 for (; inlen
&& hd
->count
< 64; inlen
--)
283 hd
->buf
[hd
->count
++] = *inbuf
++;
284 sha256_write (hd
, NULL
, 0);
291 transform (hd
, inbuf
);
297 _gcry_burn_stack (74*4+32);
298 for (; inlen
&& hd
->count
< 64; inlen
--)
299 hd
->buf
[hd
->count
++] = *inbuf
++;
304 The routine finally terminates the computation and returns the
305 digest. The handle is prepared for a new cycle, but adding bytes
306 to the handle will the destroy the returned buffer. Returns: 32
307 bytes with the message the digest. */
309 sha256_final(void *context
)
311 SHA256_CONTEXT
*hd
= context
;
315 sha256_write (hd
, NULL
, 0); /* flush */;
318 /* multiply by 64 to make a byte count */
323 if ((lsb
+= hd
->count
) < t
)
325 /* multiply by 8 to make a bit count */
333 hd
->buf
[hd
->count
++] = 0x80; /* pad */
334 while (hd
->count
< 56)
335 hd
->buf
[hd
->count
++] = 0; /* pad */
338 { /* need one extra block */
339 hd
->buf
[hd
->count
++] = 0x80; /* pad character */
340 while (hd
->count
< 64)
341 hd
->buf
[hd
->count
++] = 0;
342 sha256_write (hd
, NULL
, 0); /* flush */;
343 memset (hd
->buf
, 0, 56 ); /* fill next block with zeroes */
345 /* append the 64 bit count */
346 hd
->buf
[56] = msb
>> 24;
347 hd
->buf
[57] = msb
>> 16;
348 hd
->buf
[58] = msb
>> 8;
350 hd
->buf
[60] = lsb
>> 24;
351 hd
->buf
[61] = lsb
>> 16;
352 hd
->buf
[62] = lsb
>> 8;
354 transform (hd
, hd
->buf
);
355 _gcry_burn_stack (74*4+32);
358 #ifdef WORDS_BIGENDIAN
359 #define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0)
360 #else /* little endian */
361 #define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \
362 *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0)
376 sha256_read (void *context
)
378 SHA256_CONTEXT
*hd
= context
;
390 static gpg_err_code_t
391 selftests_sha224 (int extended
, selftest_report_func_t report
)
396 what
= "short string";
397 errtxt
= _gcry_hash_selftest_check_one
400 "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55\xb3"
401 "\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7", 28);
407 what
= "long string";
408 errtxt
= _gcry_hash_selftest_check_one
410 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
411 "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01\x50"
412 "\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25", 28);
416 what
= "one million \"a\"";
417 errtxt
= _gcry_hash_selftest_check_one
420 "\x20\x79\x46\x55\x98\x0c\x91\xd8\xbb\xb4\xc1\xea\x97\x61\x8a\x4b"
421 "\xf0\x3f\x42\x58\x19\x48\xb2\xee\x4e\xe7\xad\x67", 28);
426 return 0; /* Succeeded. */
430 report ("digest", GCRY_MD_SHA224
, what
, errtxt
);
431 return GPG_ERR_SELFTEST_FAILED
;
434 static gpg_err_code_t
435 selftests_sha256 (int extended
, selftest_report_func_t report
)
440 what
= "short string";
441 errtxt
= _gcry_hash_selftest_check_one
444 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
445 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad", 32);
451 what
= "long string";
452 errtxt
= _gcry_hash_selftest_check_one
454 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
455 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
456 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1",
461 what
= "one million \"a\"";
462 errtxt
= _gcry_hash_selftest_check_one
465 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
466 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0",
472 return 0; /* Succeeded. */
476 report ("digest", GCRY_MD_SHA256
, what
, errtxt
);
477 return GPG_ERR_SELFTEST_FAILED
;
481 /* Run a full self-test for ALGO and return 0 on success. */
482 static gpg_err_code_t
483 run_selftests (int algo
, int extended
, selftest_report_func_t report
)
490 ec
= selftests_sha224 (extended
, report
);
493 ec
= selftests_sha256 (extended
, report
);
496 ec
= GPG_ERR_DIGEST_ALGO
;
506 static byte asn224
[19] = /* Object ID is 2.16.840.1.101.3.4.2.4 */
507 { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
508 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
512 static gcry_md_oid_spec_t oid_spec_sha224
[] =
514 /* From RFC3874, Section 4 */
515 { "2.16.840.1.101.3.4.2.4" },
519 static byte asn256
[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */
520 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
521 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
524 static gcry_md_oid_spec_t oid_spec_sha256
[] =
526 /* According to the OpenPGP draft rfc2440-bis06 */
527 { "2.16.840.1.101.3.4.2.1" },
528 /* PKCS#1 sha256WithRSAEncryption */
529 { "1.2.840.113549.1.1.11" },
534 gcry_md_spec_t _gcry_digest_spec_sha224
=
536 "SHA224", asn224
, DIM (asn224
), oid_spec_sha224
, 28,
537 sha224_init
, sha256_write
, sha256_final
, sha256_read
,
538 sizeof (SHA256_CONTEXT
)
540 md_extra_spec_t _gcry_digest_extraspec_sha224
=
545 gcry_md_spec_t _gcry_digest_spec_sha256
=
547 "SHA256", asn256
, DIM (asn256
), oid_spec_sha256
, 32,
548 sha256_init
, sha256_write
, sha256_final
, sha256_read
,
549 sizeof (SHA256_CONTEXT
)
551 md_extra_spec_t _gcry_digest_extraspec_sha256
=