1
/* sha256.c - SHA256 hash function
2
* Copyright (C) 2003, 2006, 2008 Free Software Foundation, Inc.
4
* This file is part of Libgcrypt.
6
* Libgcrypt is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU Lesser General Public License as
8
* published by the Free Software Foundation; either version 2.1 of
9
* the License, or (at your option) any later version.
11
* Libgcrypt is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU Lesser General Public License for more details.
16
* You should have received a copy of the GNU Lesser General Public
17
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
24
SHA224: 23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7
25
SHA256: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
27
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
28
SHA224: 75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525
29
SHA256: 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
32
SHA224: 20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67
33
SHA256: cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0
47
#include "hash-common.h"
50
u32 h0,h1,h2,h3,h4,h5,h6,h7;
58
sha256_init (void *context)
60
SHA256_CONTEXT *hd = context;
77
sha224_init (void *context)
79
SHA256_CONTEXT *hd = context;
96
Transform the message X which consists of 16 32-bit-words. See FIPS
98
#define Cho(x,y,z) (z ^ (x & (y ^ z))) /* (4.2) same as SHA-1's F1 */
99
#define Maj(x,y,z) ((x & y) | (z & (x|y))) /* (4.3) same as SHA-1's F3 */
100
#define Sum0(x) (ror ((x), 2) ^ ror ((x), 13) ^ ror ((x), 22)) /* (4.4) */
101
#define Sum1(x) (ror ((x), 6) ^ ror ((x), 11) ^ ror ((x), 25)) /* (4.5) */
102
#define S0(x) (ror ((x), 7) ^ ror ((x), 18) ^ ((x) >> 3)) /* (4.6) */
103
#define S1(x) (ror ((x), 17) ^ ror ((x), 19) ^ ((x) >> 10)) /* (4.7) */
104
#define R(a,b,c,d,e,f,g,h,k,w) do \
106
t1 = (h) + Sum1((e)) + Cho((e),(f),(g)) + (k) + (w); \
107
t2 = Sum0((a)) + Maj((a),(b),(c)); \
119
transform (SHA256_CONTEXT *hd, const unsigned char *data)
121
static const u32 K[64] = {
122
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
123
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
124
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
125
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
126
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
127
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
128
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
129
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
130
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
131
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
132
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
133
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
134
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
135
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
136
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
137
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
140
u32 a,b,c,d,e,f,g,h,t1,t2;
154
#ifdef WORDS_BIGENDIAN
155
memcpy (x, data, 64);
160
for (i=0, p2=(byte*)x; i < 16; i++, p2 += 4 )
170
for (i=0; i < 16; i++)
173
w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
175
for (i=0; i < 64; i++)
176
R(a,b,c,d,e,f,g,h,K[i],w[i]);
196
/* Update the message digest with the contents of INBUF with length
199
sha256_write (void *context, const void *inbuf_arg, size_t inlen)
201
const unsigned char *inbuf = inbuf_arg;
202
SHA256_CONTEXT *hd = context;
205
{ /* flush the buffer */
206
transform (hd, hd->buf);
207
_gcry_burn_stack (74*4+32);
215
for (; inlen && hd->count < 64; inlen--)
216
hd->buf[hd->count++] = *inbuf++;
217
sha256_write (hd, NULL, 0);
224
transform (hd, inbuf);
230
_gcry_burn_stack (74*4+32);
231
for (; inlen && hd->count < 64; inlen--)
232
hd->buf[hd->count++] = *inbuf++;
237
The routine finally terminates the computation and returns the
238
digest. The handle is prepared for a new cycle, but adding bytes
239
to the handle will the destroy the returned buffer. Returns: 32
240
bytes with the message the digest. */
242
sha256_final(void *context)
244
SHA256_CONTEXT *hd = context;
248
sha256_write (hd, NULL, 0); /* flush */;
251
/* multiply by 64 to make a byte count */
256
if ((lsb += hd->count) < t)
258
/* multiply by 8 to make a bit count */
266
hd->buf[hd->count++] = 0x80; /* pad */
267
while (hd->count < 56)
268
hd->buf[hd->count++] = 0; /* pad */
271
{ /* need one extra block */
272
hd->buf[hd->count++] = 0x80; /* pad character */
273
while (hd->count < 64)
274
hd->buf[hd->count++] = 0;
275
sha256_write (hd, NULL, 0); /* flush */;
276
memset (hd->buf, 0, 56 ); /* fill next block with zeroes */
278
/* append the 64 bit count */
279
hd->buf[56] = msb >> 24;
280
hd->buf[57] = msb >> 16;
281
hd->buf[58] = msb >> 8;
283
hd->buf[60] = lsb >> 24;
284
hd->buf[61] = lsb >> 16;
285
hd->buf[62] = lsb >> 8;
287
transform (hd, hd->buf);
288
_gcry_burn_stack (74*4+32);
291
#ifdef WORDS_BIGENDIAN
292
#define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0)
293
#else /* little endian */
294
#define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \
295
*p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0)
309
sha256_read (void *context)
311
SHA256_CONTEXT *hd = context;
323
static gpg_err_code_t
324
selftests_sha224 (int extended, selftest_report_func_t report)
329
what = "short string";
330
errtxt = _gcry_hash_selftest_check_one
333
"\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55\xb3"
334
"\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7", 28);
340
what = "long string";
341
errtxt = _gcry_hash_selftest_check_one
343
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
344
"\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01\x50"
345
"\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25", 28);
349
what = "one million \"a\"";
350
errtxt = _gcry_hash_selftest_check_one
353
"\x20\x79\x46\x55\x98\x0c\x91\xd8\xbb\xb4\xc1\xea\x97\x61\x8a\x4b"
354
"\xf0\x3f\x42\x58\x19\x48\xb2\xee\x4e\xe7\xad\x67", 28);
359
return 0; /* Succeeded. */
363
report ("digest", GCRY_MD_SHA224, what, errtxt);
364
return GPG_ERR_SELFTEST_FAILED;
367
static gpg_err_code_t
368
selftests_sha256 (int extended, selftest_report_func_t report)
373
what = "short string";
374
errtxt = _gcry_hash_selftest_check_one
377
"\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
378
"\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad", 32);
384
what = "long string";
385
errtxt = _gcry_hash_selftest_check_one
387
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
388
"\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
389
"\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1",
394
what = "one million \"a\"";
395
errtxt = _gcry_hash_selftest_check_one
398
"\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
399
"\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0",
405
return 0; /* Succeeded. */
409
report ("digest", GCRY_MD_SHA256, what, errtxt);
410
return GPG_ERR_SELFTEST_FAILED;
414
/* Run a full self-test for ALGO and return 0 on success. */
415
static gpg_err_code_t
416
run_selftests (int algo, int extended, selftest_report_func_t report)
423
ec = selftests_sha224 (extended, report);
426
ec = selftests_sha256 (extended, report);
429
ec = GPG_ERR_DIGEST_ALGO;
439
static byte asn224[19] = /* Object ID is 2.16.840.1.101.3.4.2.4 */
440
{ 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
441
0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
445
static gcry_md_oid_spec_t oid_spec_sha224[] =
447
/* From RFC3874, Section 4 */
448
{ "2.16.840.1.101.3.4.2.4" },
452
static byte asn256[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */
453
{ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
454
0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
457
static gcry_md_oid_spec_t oid_spec_sha256[] =
459
/* According to the OpenPGP draft rfc2440-bis06 */
460
{ "2.16.840.1.101.3.4.2.1" },
461
/* PKCS#1 sha256WithRSAEncryption */
462
{ "1.2.840.113549.1.1.11" },
467
gcry_md_spec_t _gcry_digest_spec_sha224 =
469
"SHA224", asn224, DIM (asn224), oid_spec_sha224, 28,
470
sha224_init, sha256_write, sha256_final, sha256_read,
471
sizeof (SHA256_CONTEXT)
473
md_extra_spec_t _gcry_digest_extraspec_sha224 =
478
gcry_md_spec_t _gcry_digest_spec_sha256 =
480
"SHA256", asn256, DIM (asn256), oid_spec_sha256, 32,
481
sha256_init, sha256_write, sha256_final, sha256_read,
482
sizeof (SHA256_CONTEXT)
484
md_extra_spec_t _gcry_digest_extraspec_sha256 =