1/* sha256.c - SHA256 hash function 2 * Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc. 3 * 4 * This file is part of Libgcrypt. 5 * 6 * Libgcrypt is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU Lesser General Public License as 8 * published by the Free Software Foundation; either version 2.1 of 9 * the License, or (at your option) any later version. 10 * 11 * Libgcrypt is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this program; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 21/* Test vectors: 22 23 "abc" 24 SHA224: 23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7 25 SHA256: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad 26 27 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 28 SHA224: 75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525 29 SHA256: 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1 30 31 "a" one million times 32 SHA224: 20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67 33 SHA256: cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0 34 35 */ 36 37 38#include <config.h> 39#include <stdio.h> 40#include <stdlib.h> 41#include <string.h> 42 43#include "g10lib.h" 44#include "bithelp.h" 45#include "cipher.h" 46#include "hash-common.h" 47 48typedef struct { 49 u32 h0,h1,h2,h3,h4,h5,h6,h7; 50 u32 nblocks; 51 byte buf[64]; 52 int count; 53} SHA256_CONTEXT; 54 55 56static void 57sha256_init (void *context) 58{ 59 SHA256_CONTEXT *hd = context; 60 61 hd->h0 = 0x6a09e667; 62 hd->h1 = 0xbb67ae85; 63 hd->h2 = 0x3c6ef372; 64 hd->h3 = 0xa54ff53a; 65 hd->h4 = 0x510e527f; 66 hd->h5 = 0x9b05688c; 67 hd->h6 = 0x1f83d9ab; 68 hd->h7 = 0x5be0cd19; 69 70 hd->nblocks = 0; 71 hd->count = 0; 72} 73 74 75static void 76sha224_init (void *context) 77{ 78 SHA256_CONTEXT *hd = context; 79 80 hd->h0 = 0xc1059ed8; 81 hd->h1 = 0x367cd507; 82 hd->h2 = 0x3070dd17; 83 hd->h3 = 0xf70e5939; 84 hd->h4 = 0xffc00b31; 85 hd->h5 = 0x68581511; 86 hd->h6 = 0x64f98fa7; 87 hd->h7 = 0xbefa4fa4; 88 89 hd->nblocks = 0; 90 hd->count = 0; 91} 92 93 94/* 95 Transform the message X which consists of 16 32-bit-words. See FIPS 96 180-2 for details. */ 97#define S0(x) (ror ((x), 7) ^ ror ((x), 18) ^ ((x) >> 3)) /* (4.6) */ 98#define S1(x) (ror ((x), 17) ^ ror ((x), 19) ^ ((x) >> 10)) /* (4.7) */ 99#define R(a,b,c,d,e,f,g,h,k,w) do \ 100 { \ 101 t1 = (h) + Sum1((e)) + Cho((e),(f),(g)) + (k) + (w); \ 102 t2 = Sum0((a)) + Maj((a),(b),(c)); \ 103 h = g; \ 104 g = f; \ 105 f = e; \ 106 e = d + t1; \ 107 d = c; \ 108 c = b; \ 109 b = a; \ 110 a = t1 + t2; \ 111 } while (0) 112 113/* (4.2) same as SHA-1's F1. */ 114static inline u32 115Cho (u32 x, u32 y, u32 z) 116{ 117 return (z ^ (x & (y ^ z))); 118} 119 120/* (4.3) same as SHA-1's F3 */ 121static inline u32 122Maj (u32 x, u32 y, u32 z) 123{ 124 return ((x & y) | (z & (x|y))); 125} 126 127/* (4.4) */ 128static inline u32 129Sum0 (u32 x) 130{ 131 return (ror (x, 2) ^ ror (x, 13) ^ ror (x, 22)); 132} 133 134/* (4.5) */ 135static inline u32 136Sum1 (u32 x) 137{ 138 return (ror (x, 6) ^ ror (x, 11) ^ ror (x, 25)); 139} 140 141 142static void 143transform (SHA256_CONTEXT *hd, const unsigned char *data) 144{ 145 static const u32 K[64] = { 146 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 147 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 148 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 149 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 150 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 151 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 152 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 153 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 154 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 155 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 156 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 157 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 158 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 159 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 160 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 161 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 162 }; 163 164 u32 a,b,c,d,e,f,g,h,t1,t2; 165 u32 x[16]; 166 u32 w[64]; 167 int i; 168 169 a = hd->h0; 170 b = hd->h1; 171 c = hd->h2; 172 d = hd->h3; 173 e = hd->h4; 174 f = hd->h5; 175 g = hd->h6; 176 h = hd->h7; 177 178#ifdef WORDS_BIGENDIAN 179 memcpy (x, data, 64); 180#else 181 { 182 byte *p2; 183 184 for (i=0, p2=(byte*)x; i < 16; i++, p2 += 4 ) 185 { 186 p2[3] = *data++; 187 p2[2] = *data++; 188 p2[1] = *data++; 189 p2[0] = *data++; 190 } 191 } 192#endif 193 194 for (i=0; i < 16; i++) 195 w[i] = x[i]; 196 for (; i < 64; i++) 197 w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16]; 198 199 for (i=0; i < 64;) 200 { 201#if 0 202 R(a,b,c,d,e,f,g,h,K[i],w[i]); 203 i++; 204#else 205 t1 = h + Sum1 (e) + Cho (e, f, g) + K[i] + w[i]; 206 t2 = Sum0 (a) + Maj (a, b, c); 207 d += t1; 208 h = t1 + t2; 209 210 t1 = g + Sum1 (d) + Cho (d, e, f) + K[i+1] + w[i+1]; 211 t2 = Sum0 (h) + Maj (h, a, b); 212 c += t1; 213 g = t1 + t2; 214 215 t1 = f + Sum1 (c) + Cho (c, d, e) + K[i+2] + w[i+2]; 216 t2 = Sum0 (g) + Maj (g, h, a); 217 b += t1; 218 f = t1 + t2; 219 220 t1 = e + Sum1 (b) + Cho (b, c, d) + K[i+3] + w[i+3]; 221 t2 = Sum0 (f) + Maj (f, g, h); 222 a += t1; 223 e = t1 + t2; 224 225 t1 = d + Sum1 (a) + Cho (a, b, c) + K[i+4] + w[i+4]; 226 t2 = Sum0 (e) + Maj (e, f, g); 227 h += t1; 228 d = t1 + t2; 229 230 t1 = c + Sum1 (h) + Cho (h, a, b) + K[i+5] + w[i+5]; 231 t2 = Sum0 (d) + Maj (d, e, f); 232 g += t1; 233 c = t1 + t2; 234 235 t1 = b + Sum1 (g) + Cho (g, h, a) + K[i+6] + w[i+6]; 236 t2 = Sum0 (c) + Maj (c, d, e); 237 f += t1; 238 b = t1 + t2; 239 240 t1 = a + Sum1 (f) + Cho (f, g, h) + K[i+7] + w[i+7]; 241 t2 = Sum0 (b) + Maj (b, c, d); 242 e += t1; 243 a = t1 + t2; 244 245 i += 8; 246#endif 247 } 248 249 hd->h0 += a; 250 hd->h1 += b; 251 hd->h2 += c; 252 hd->h3 += d; 253 hd->h4 += e; 254 hd->h5 += f; 255 hd->h6 += g; 256 hd->h7 += h; 257} 258#undef S0 259#undef S1 260#undef R 261 262 263/* Update the message digest with the contents of INBUF with length 264 INLEN. */ 265static void 266sha256_write (void *context, const void *inbuf_arg, size_t inlen) 267{ 268 const unsigned char *inbuf = inbuf_arg; 269 SHA256_CONTEXT *hd = context; 270 271 if (hd->count == 64) 272 { /* flush the buffer */ 273 transform (hd, hd->buf); 274 _gcry_burn_stack (74*4+32); 275 hd->count = 0; 276 hd->nblocks++; 277 } 278 if (!inbuf) 279 return; 280 if (hd->count) 281 { 282 for (; inlen && hd->count < 64; inlen--) 283 hd->buf[hd->count++] = *inbuf++; 284 sha256_write (hd, NULL, 0); 285 if (!inlen) 286 return; 287 } 288 289 while (inlen >= 64) 290 { 291 transform (hd, inbuf); 292 hd->count = 0; 293 hd->nblocks++; 294 inlen -= 64; 295 inbuf += 64; 296 } 297 _gcry_burn_stack (74*4+32); 298 for (; inlen && hd->count < 64; inlen--) 299 hd->buf[hd->count++] = *inbuf++; 300} 301 302 303/* 304 The routine finally terminates the computation and returns the 305 digest. The handle is prepared for a new cycle, but adding bytes 306 to the handle will the destroy the returned buffer. Returns: 32 307 bytes with the message the digest. */ 308static void 309sha256_final(void *context) 310{ 311 SHA256_CONTEXT *hd = context; 312 u32 t, msb, lsb; 313 byte *p; 314 315 sha256_write (hd, NULL, 0); /* flush */; 316 317 t = hd->nblocks; 318 /* multiply by 64 to make a byte count */ 319 lsb = t << 6; 320 msb = t >> 26; 321 /* add the count */ 322 t = lsb; 323 if ((lsb += hd->count) < t) 324 msb++; 325 /* multiply by 8 to make a bit count */ 326 t = lsb; 327 lsb <<= 3; 328 msb <<= 3; 329 msb |= t >> 29; 330 331 if (hd->count < 56) 332 { /* enough room */ 333 hd->buf[hd->count++] = 0x80; /* pad */ 334 while (hd->count < 56) 335 hd->buf[hd->count++] = 0; /* pad */ 336 } 337 else 338 { /* need one extra block */ 339 hd->buf[hd->count++] = 0x80; /* pad character */ 340 while (hd->count < 64) 341 hd->buf[hd->count++] = 0; 342 sha256_write (hd, NULL, 0); /* flush */; 343 memset (hd->buf, 0, 56 ); /* fill next block with zeroes */ 344 } 345 /* append the 64 bit count */ 346 hd->buf[56] = msb >> 24; 347 hd->buf[57] = msb >> 16; 348 hd->buf[58] = msb >> 8; 349 hd->buf[59] = msb; 350 hd->buf[60] = lsb >> 24; 351 hd->buf[61] = lsb >> 16; 352 hd->buf[62] = lsb >> 8; 353 hd->buf[63] = lsb; 354 transform (hd, hd->buf); 355 _gcry_burn_stack (74*4+32); 356 357 p = hd->buf; 358#ifdef WORDS_BIGENDIAN 359#define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0) 360#else /* little endian */ 361#define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \ 362 *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0) 363#endif 364 X(0); 365 X(1); 366 X(2); 367 X(3); 368 X(4); 369 X(5); 370 X(6); 371 X(7); 372#undef X 373} 374 375static byte * 376sha256_read (void *context) 377{ 378 SHA256_CONTEXT *hd = context; 379 380 return hd->buf; 381} 382 383 384 385/* 386 Self-test section. 387 */ 388 389 390static gpg_err_code_t 391selftests_sha224 (int extended, selftest_report_func_t report) 392{ 393 const char *what; 394 const char *errtxt; 395 396 what = "short string"; 397 errtxt = _gcry_hash_selftest_check_one 398 (GCRY_MD_SHA224, 0, 399 "abc", 3, 400 "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55\xb3" 401 "\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7", 28); 402 if (errtxt) 403 goto failed; 404 405 if (extended) 406 { 407 what = "long string"; 408 errtxt = _gcry_hash_selftest_check_one 409 (GCRY_MD_SHA224, 0, 410 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56, 411 "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01\x50" 412 "\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25", 28); 413 if (errtxt) 414 goto failed; 415 416 what = "one million \"a\""; 417 errtxt = _gcry_hash_selftest_check_one 418 (GCRY_MD_SHA224, 1, 419 NULL, 0, 420 "\x20\x79\x46\x55\x98\x0c\x91\xd8\xbb\xb4\xc1\xea\x97\x61\x8a\x4b" 421 "\xf0\x3f\x42\x58\x19\x48\xb2\xee\x4e\xe7\xad\x67", 28); 422 if (errtxt) 423 goto failed; 424 } 425 426 return 0; /* Succeeded. */ 427 428 failed: 429 if (report) 430 report ("digest", GCRY_MD_SHA224, what, errtxt); 431 return GPG_ERR_SELFTEST_FAILED; 432} 433 434static gpg_err_code_t 435selftests_sha256 (int extended, selftest_report_func_t report) 436{ 437 const char *what; 438 const char *errtxt; 439 440 what = "short string"; 441 errtxt = _gcry_hash_selftest_check_one 442 (GCRY_MD_SHA256, 0, 443 "abc", 3, 444 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23" 445 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad", 32); 446 if (errtxt) 447 goto failed; 448 449 if (extended) 450 { 451 what = "long string"; 452 errtxt = _gcry_hash_selftest_check_one 453 (GCRY_MD_SHA256, 0, 454 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56, 455 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39" 456 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1", 457 32); 458 if (errtxt) 459 goto failed; 460 461 what = "one million \"a\""; 462 errtxt = _gcry_hash_selftest_check_one 463 (GCRY_MD_SHA256, 1, 464 NULL, 0, 465 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67" 466 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0", 467 32); 468 if (errtxt) 469 goto failed; 470 } 471 472 return 0; /* Succeeded. */ 473 474 failed: 475 if (report) 476 report ("digest", GCRY_MD_SHA256, what, errtxt); 477 return GPG_ERR_SELFTEST_FAILED; 478} 479 480 481/* Run a full self-test for ALGO and return 0 on success. */ 482static gpg_err_code_t 483run_selftests (int algo, int extended, selftest_report_func_t report) 484{ 485 gpg_err_code_t ec; 486 487 switch (algo) 488 { 489 case GCRY_MD_SHA224: 490 ec = selftests_sha224 (extended, report); 491 break; 492 case GCRY_MD_SHA256: 493 ec = selftests_sha256 (extended, report); 494 break; 495 default: 496 ec = GPG_ERR_DIGEST_ALGO; 497 break; 498 499 } 500 return ec; 501} 502 503 504 505 506static byte asn224[19] = /* Object ID is 2.16.840.1.101.3.4.2.4 */ 507 { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 508 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 509 0x1C 510 }; 511 512static gcry_md_oid_spec_t oid_spec_sha224[] = 513 { 514 /* From RFC3874, Section 4 */ 515 { "2.16.840.1.101.3.4.2.4" }, 516 { NULL }, 517 }; 518 519static byte asn256[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */ 520 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 521 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 522 0x00, 0x04, 0x20 }; 523 524static gcry_md_oid_spec_t oid_spec_sha256[] = 525 { 526 /* According to the OpenPGP draft rfc2440-bis06 */ 527 { "2.16.840.1.101.3.4.2.1" }, 528 /* PKCS#1 sha256WithRSAEncryption */ 529 { "1.2.840.113549.1.1.11" }, 530 531 { NULL }, 532 }; 533 534gcry_md_spec_t _gcry_digest_spec_sha224 = 535 { 536 "SHA224", asn224, DIM (asn224), oid_spec_sha224, 28, 537 sha224_init, sha256_write, sha256_final, sha256_read, 538 sizeof (SHA256_CONTEXT) 539 }; 540md_extra_spec_t _gcry_digest_extraspec_sha224 = 541 { 542 run_selftests 543 }; 544 545gcry_md_spec_t _gcry_digest_spec_sha256 = 546 { 547 "SHA256", asn256, DIM (asn256), oid_spec_sha256, 32, 548 sha256_init, sha256_write, sha256_final, sha256_read, 549 sizeof (SHA256_CONTEXT) 550 }; 551md_extra_spec_t _gcry_digest_extraspec_sha256 = 552 { 553 run_selftests 554 }; 555