1 /* sha256.c - SHA256 hash function
2 * Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
4 * This file is part of Libgcrypt.
6 * Libgcrypt is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as
8 * published by the Free Software Foundation; either version 2.1 of
9 * the License, or (at your option) any later version.
11 * Libgcrypt is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
24 SHA224: 23097d22 3405d822 8642a477 bda255b3 2aadbce4 bda0b3f7 e36c9da7
25 SHA256: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
27 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
28 SHA224: 75388b16 512776cc 5dba5da1 fd890150 b0c6455c b4f58b19 52522525
29 SHA256: 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
32 SHA224: 20794655 980c91d8 bbb4c1ea 97618a4b f03f4258 1948b2ee 4ee7ad67
33 SHA256: cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0
47 #include "hash-common.h"
50 /* USE_SSSE3 indicates whether to compile with Intel SSSE3 code. */
52 #if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) && \
53 defined(HAVE_GCC_INLINE_ASM_SSSE3) && \
54 defined(HAVE_INTEL_SYNTAX_PLATFORM_AS)
60 gcry_md_block_ctx_t bctx;
61 u32 h0,h1,h2,h3,h4,h5,h6,h7;
63 unsigned int use_ssse3:1;
69 transform (void *c, const unsigned char *data);
73 sha256_init (void *context, unsigned int flags)
75 SHA256_CONTEXT *hd = context;
89 hd->bctx.nblocks_high = 0;
91 hd->bctx.blocksize = 64;
92 hd->bctx.bwrite = transform;
95 hd->use_ssse3 = (_gcry_get_hw_features () & HWF_INTEL_SSSE3) != 0;
101 sha224_init (void *context, unsigned int flags)
103 SHA256_CONTEXT *hd = context;
116 hd->bctx.nblocks = 0;
117 hd->bctx.nblocks_high = 0;
119 hd->bctx.blocksize = 64;
120 hd->bctx.bwrite = transform;
123 hd->use_ssse3 = (_gcry_get_hw_features () & HWF_INTEL_SSSE3) != 0;
129 Transform the message X which consists of 16 32-bit-words. See FIPS
130 180-2 for details. */
131 #define S0(x) (ror ((x), 7) ^ ror ((x), 18) ^ ((x) >> 3)) /* (4.6) */
132 #define S1(x) (ror ((x), 17) ^ ror ((x), 19) ^ ((x) >> 10)) /* (4.7) */
133 #define R(a,b,c,d,e,f,g,h,k,w) do \
135 t1 = (h) + Sum1((e)) + Cho((e),(f),(g)) + (k) + (w); \
136 t2 = Sum0((a)) + Maj((a),(b),(c)); \
147 /* (4.2) same as SHA-1's F1. */
149 Cho (u32 x, u32 y, u32 z)
151 return (z ^ (x & (y ^ z)));
154 /* (4.3) same as SHA-1's F3 */
156 Maj (u32 x, u32 y, u32 z)
158 return ((x & y) | (z & (x|y)));
165 return (ror (x, 2) ^ ror (x, 13) ^ ror (x, 22));
172 return (ror (x, 6) ^ ror (x, 11) ^ ror (x, 25));
177 _transform (void *ctx, const unsigned char *data)
179 SHA256_CONTEXT *hd = ctx;
180 static const u32 K[64] = {
181 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
182 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
183 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
184 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
185 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
186 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
187 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
188 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
189 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
190 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
191 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
192 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
193 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
194 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
195 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
196 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
199 u32 a,b,c,d,e,f,g,h,t1,t2;
212 for (i=0; i < 16; i++)
213 w[i] = buf_get_be32(data + i * 4);
215 w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
220 R(a,b,c,d,e,f,g,h,K[i],w[i]);
223 t1 = h + Sum1 (e) + Cho (e, f, g) + K[i] + w[i];
224 t2 = Sum0 (a) + Maj (a, b, c);
228 t1 = g + Sum1 (d) + Cho (d, e, f) + K[i+1] + w[i+1];
229 t2 = Sum0 (h) + Maj (h, a, b);
233 t1 = f + Sum1 (c) + Cho (c, d, e) + K[i+2] + w[i+2];
234 t2 = Sum0 (g) + Maj (g, h, a);
238 t1 = e + Sum1 (b) + Cho (b, c, d) + K[i+3] + w[i+3];
239 t2 = Sum0 (f) + Maj (f, g, h);
243 t1 = d + Sum1 (a) + Cho (a, b, c) + K[i+4] + w[i+4];
244 t2 = Sum0 (e) + Maj (e, f, g);
248 t1 = c + Sum1 (h) + Cho (h, a, b) + K[i+5] + w[i+5];
249 t2 = Sum0 (d) + Maj (d, e, f);
253 t1 = b + Sum1 (g) + Cho (g, h, a) + K[i+6] + w[i+6];
254 t2 = Sum0 (c) + Maj (c, d, e);
258 t1 = a + Sum1 (f) + Cho (f, g, h) + K[i+7] + w[i+7];
259 t2 = Sum0 (b) + Maj (b, c, d);
276 return /*burn_stack*/ 74*4+32;
284 unsigned int _gcry_sha256_transform_amd64_ssse3(const void *input_data,
285 u32 state[8], size_t num_blks);
290 transform (void *ctx, const unsigned char *data)
292 SHA256_CONTEXT *hd = ctx;
296 return _gcry_sha256_transform_amd64_ssse3 (data, &hd->h0, 1)
300 return _transform (hd, data);
305 The routine finally terminates the computation and returns the
306 digest. The handle is prepared for a new cycle, but adding bytes
307 to the handle will the destroy the returned buffer. Returns: 32
308 bytes with the message the digest. */
310 sha256_final(void *context)
312 SHA256_CONTEXT *hd = context;
317 _gcry_md_block_write (hd, NULL, 0); /* flush */;
319 t = hd->bctx.nblocks;
320 if (sizeof t == sizeof hd->bctx.nblocks)
321 th = hd->bctx.nblocks_high;
323 th = hd->bctx.nblocks >> 32;
325 /* multiply by 64 to make a byte count */
327 msb = (th << 6) | (t >> 26);
330 if ((lsb += hd->bctx.count) < t)
332 /* multiply by 8 to make a bit count */
338 if (hd->bctx.count < 56)
340 hd->bctx.buf[hd->bctx.count++] = 0x80; /* pad */
341 while (hd->bctx.count < 56)
342 hd->bctx.buf[hd->bctx.count++] = 0; /* pad */
345 { /* need one extra block */
346 hd->bctx.buf[hd->bctx.count++] = 0x80; /* pad character */
347 while (hd->bctx.count < 64)
348 hd->bctx.buf[hd->bctx.count++] = 0;
349 _gcry_md_block_write (hd, NULL, 0); /* flush */;
350 memset (hd->bctx.buf, 0, 56 ); /* fill next block with zeroes */
352 /* append the 64 bit count */
353 buf_put_be32(hd->bctx.buf + 56, msb);
354 buf_put_be32(hd->bctx.buf + 60, lsb);
355 burn = transform (hd, hd->bctx.buf);
356 _gcry_burn_stack (burn);
359 #define X(a) do { *(u32*)p = be_bswap32(hd->h##a); p += 4; } while(0)
372 sha256_read (void *context)
374 SHA256_CONTEXT *hd = context;
386 static gpg_err_code_t
387 selftests_sha224 (int extended, selftest_report_func_t report)
392 what = "short string";
393 errtxt = _gcry_hash_selftest_check_one
396 "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55\xb3"
397 "\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7", 28);
403 what = "long string";
404 errtxt = _gcry_hash_selftest_check_one
406 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
407 "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01\x50"
408 "\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25", 28);
412 what = "one million \"a\"";
413 errtxt = _gcry_hash_selftest_check_one
416 "\x20\x79\x46\x55\x98\x0c\x91\xd8\xbb\xb4\xc1\xea\x97\x61\x8a\x4b"
417 "\xf0\x3f\x42\x58\x19\x48\xb2\xee\x4e\xe7\xad\x67", 28);
422 return 0; /* Succeeded. */
426 report ("digest", GCRY_MD_SHA224, what, errtxt);
427 return GPG_ERR_SELFTEST_FAILED;
430 static gpg_err_code_t
431 selftests_sha256 (int extended, selftest_report_func_t report)
436 what = "short string";
437 errtxt = _gcry_hash_selftest_check_one
440 "\xba\x78\x16\xbf\x8f\x01\xcf\xea\x41\x41\x40\xde\x5d\xae\x22\x23"
441 "\xb0\x03\x61\xa3\x96\x17\x7a\x9c\xb4\x10\xff\x61\xf2\x00\x15\xad", 32);
447 what = "long string";
448 errtxt = _gcry_hash_selftest_check_one
450 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56,
451 "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39"
452 "\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1",
457 what = "one million \"a\"";
458 errtxt = _gcry_hash_selftest_check_one
461 "\xcd\xc7\x6e\x5c\x99\x14\xfb\x92\x81\xa1\xc7\xe2\x84\xd7\x3e\x67"
462 "\xf1\x80\x9a\x48\xa4\x97\x20\x0e\x04\x6d\x39\xcc\xc7\x11\x2c\xd0",
468 return 0; /* Succeeded. */
472 report ("digest", GCRY_MD_SHA256, what, errtxt);
473 return GPG_ERR_SELFTEST_FAILED;
477 /* Run a full self-test for ALGO and return 0 on success. */
478 static gpg_err_code_t
479 run_selftests (int algo, int extended, selftest_report_func_t report)
486 ec = selftests_sha224 (extended, report);
489 ec = selftests_sha256 (extended, report);
492 ec = GPG_ERR_DIGEST_ALGO;
502 static byte asn224[19] = /* Object ID is 2.16.840.1.101.3.4.2.4 */
503 { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
504 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
508 static gcry_md_oid_spec_t oid_spec_sha224[] =
510 /* From RFC3874, Section 4 */
511 { "2.16.840.1.101.3.4.2.4" },
515 static byte asn256[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */
516 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
517 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
520 static gcry_md_oid_spec_t oid_spec_sha256[] =
522 /* According to the OpenPGP draft rfc2440-bis06 */
523 { "2.16.840.1.101.3.4.2.1" },
524 /* PKCS#1 sha256WithRSAEncryption */
525 { "1.2.840.113549.1.1.11" },
530 gcry_md_spec_t _gcry_digest_spec_sha224 =
532 GCRY_MD_SHA224, {0, 1},
533 "SHA224", asn224, DIM (asn224), oid_spec_sha224, 28,
534 sha224_init, _gcry_md_block_write, sha256_final, sha256_read,
535 sizeof (SHA256_CONTEXT),
539 gcry_md_spec_t _gcry_digest_spec_sha256 =
541 GCRY_MD_SHA256, {0, 1},
542 "SHA256", asn256, DIM (asn256), oid_spec_sha256, 32,
543 sha256_init, _gcry_md_block_write, sha256_final, sha256_read,
544 sizeof (SHA256_CONTEXT),