1 /************************* sha224-256.c ************************/
2 /***************** See RFC 6234 for details. *******************/
3 /* Copyright (c) 2011 IETF Trust and the persons identified as */
4 /* authors of the code. All rights reserved. */
5 /* See sha.h for terms of use and redistribution. */
9 * This file implements the Secure Hash Algorithms SHA-224 and
10 * SHA-256 as defined in the U.S. National Institute of Standards
11 * and Technology Federal Information Processing Standards
12 * Publication (FIPS PUB) 180-3 published in October 2008
13 * and formerly defined in its predecessors, FIPS PUB 180-1
16 * A combined document showing all algorithms is available at
17 * http://csrc.nist.gov/publications/fips/
18 * fips180-3/fips180-3_final.pdf
20 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
21 * message digests for a given data stream. It should take about
22 * 2**n steps to find a message with the same digest as a given
23 * message and 2**(n/2) to find any two messages with the same
24 * digest, when n is the digest size in bits. Therefore, this
25 * algorithm can serve as a means of providing a
26 * "fingerprint" for a message.
29 * SHA-224 and SHA-256 are defined in terms of 32-bit "words".
30 * This code uses <stdint.h> (included via "sha.h") to define 32-
31 * and 8-bit unsigned integer types. If your C compiler does not
32 * support 32-bit unsigned integers, this code is not
36 * SHA-224 and SHA-256 are designed to work with messages less
37 * than 2^64 bits long. This implementation uses SHA224/256Input()
38 * to hash the bits that are a multiple of the size of an 8-bit
39 * octet, and then optionally uses SHA224/256FinalBits()
40 * to hash the final few bits of the input.
43 #include "tests/sha.h"
44 #include "tests/sha-private.h"
46 /* Define the SHA shift, rotate left, and rotate right macros */
47 #define SHA256_SHR(bits,word) ((word) >> (bits))
48 #define SHA256_ROTL(bits,word) \
49 (((word) << (bits)) | ((word) >> (32-(bits))))
50 #define SHA256_ROTR(bits,word) \
51 (((word) >> (bits)) | ((word) << (32-(bits))))
53 /* Define the SHA SIGMA and sigma macros */
54 #define SHA256_SIGMA0(word) \
55 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
56 #define SHA256_SIGMA1(word) \
57 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
58 #define SHA256_sigma0(word) \
59 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
60 #define SHA256_sigma1(word) \
61 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
64 * Add "length" to the length.
65 * Set Corrupted when overflow has occurred.
67 static uint32_t addTemp;
68 #define SHA224_256AddLength(context, length) \
69 (addTemp = (context)->Length_Low, (context)->Corrupted = \
70 (((context)->Length_Low += (length)) < addTemp) && \
71 (++(context)->Length_High == 0) ? shaInputTooLong : \
72 (context)->Corrupted )
74 /* Local Function Prototypes */
75 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
76 static void SHA224_256ProcessMessageBlock(SHA256Context *context);
77 static void SHA224_256Finalize(SHA256Context *context,
79 static void SHA224_256PadMessage(SHA256Context *context,
81 static int SHA224_256ResultN(SHA256Context *context,
82 uint8_t Message_Digest[ ], int HashSize);
84 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */
85 static uint32_t SHA224_H0[SHA256HashSize/4] = {
86 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
87 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
90 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */
91 static uint32_t SHA256_H0[SHA256HashSize/4] = {
92 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
93 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
100 * This function will initialize the SHA224Context in preparation
101 * for computing a new SHA224 message digest.
105 * The context to reset.
110 int SHA224Reset(SHA224Context *context)
112 return SHA224_256Reset(context, SHA224_H0);
119 * This function accepts an array of octets as the next portion
124 * The SHA context to update.
125 * message_array[ ]: [in]
126 * An array of octets representing the next portion of
129 * The length of the message in message_array.
135 int SHA224Input(SHA224Context *context, const uint8_t *message_array,
138 return SHA256Input(context, message_array, length);
145 * This function will add in any final bits of the message.
149 * The SHA context to update.
151 * The final bits of the message, in the upper portion of the
152 * byte. (Use 0b###00000 instead of 0b00000### to input the
155 * The number of bits in message_bits, between 1 and 7.
160 int SHA224FinalBits(SHA224Context *context,
161 uint8_t message_bits, unsigned int length)
163 return SHA256FinalBits(context, message_bits, length);
170 * This function will return the 224-bit message digest
171 * into the Message_Digest array provided by the caller.
173 * The first octet of hash is stored in the element with index 0,
174 * the last octet of hash in the element with index 27.
178 * The context to use to calculate the SHA hash.
179 * Message_Digest[ ]: [out]
180 * Where the digest is returned.
185 int SHA224Result(SHA224Context *context,
186 uint8_t Message_Digest[SHA224HashSize])
188 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
195 * This function will initialize the SHA256Context in preparation
196 * for computing a new SHA256 message digest.
200 * The context to reset.
205 int SHA256Reset(SHA256Context *context)
207 return SHA224_256Reset(context, SHA256_H0);
214 * This function accepts an array of octets as the next portion
219 * The SHA context to update.
220 * message_array[ ]: [in]
221 * An array of octets representing the next portion of
224 * The length of the message in message_array.
229 int SHA256Input(SHA256Context *context, const uint8_t *message_array,
232 if (!context) return shaNull;
233 if (!length) return shaSuccess;
234 if (!message_array) return shaNull;
235 if (context->Computed) return context->Corrupted = shaStateError;
236 if (context->Corrupted) return context->Corrupted;
239 context->Message_Block[context->Message_Block_Index++] =
242 if ((SHA224_256AddLength(context, 8) == shaSuccess) &&
243 (context->Message_Block_Index == SHA256_Message_Block_Size))
244 SHA224_256ProcessMessageBlock(context);
249 return context->Corrupted;
257 * This function will add in any final bits of the message.
261 * The SHA context to update.
263 * The final bits of the message, in the upper portion of the
264 * byte. (Use 0b###00000 instead of 0b00000### to input the
267 * The number of bits in message_bits, between 1 and 7.
272 int SHA256FinalBits(SHA256Context *context,
273 uint8_t message_bits, unsigned int length)
275 static uint8_t masks[8] = {
276 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
277 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
278 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
279 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
281 static uint8_t markbit[8] = {
282 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
283 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
284 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
285 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
288 if (!context) return shaNull;
289 if (!length) return shaSuccess;
290 if (context->Corrupted) return context->Corrupted;
291 if (context->Computed) return context->Corrupted = shaStateError;
292 if (length >= 8) return context->Corrupted = shaBadParam;
294 SHA224_256AddLength(context, length);
295 SHA224_256Finalize(context, (uint8_t)
296 ((message_bits & masks[length]) | markbit[length]));
298 return context->Corrupted;
305 * This function will return the 256-bit message digest
306 * into the Message_Digest array provided by the caller.
308 * The first octet of hash is stored in the element with index 0,
309 * the last octet of hash in the element with index 31.
313 * The context to use to calculate the SHA hash.
314 * Message_Digest[ ]: [out]
315 * Where the digest is returned.
320 int SHA256Result(SHA256Context *context,
321 uint8_t Message_Digest[SHA256HashSize])
323 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
330 * This helper function will initialize the SHA256Context in
331 * preparation for computing a new SHA-224 or SHA-256 message digest.
335 * The context to reset.
337 * The initial hash value array to use.
342 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
344 if (!context) return shaNull;
346 context->Length_High = context->Length_Low = 0;
347 context->Message_Block_Index = 0;
349 context->Intermediate_Hash[0] = H0[0];
350 context->Intermediate_Hash[1] = H0[1];
351 context->Intermediate_Hash[2] = H0[2];
352 context->Intermediate_Hash[3] = H0[3];
353 context->Intermediate_Hash[4] = H0[4];
354 context->Intermediate_Hash[5] = H0[5];
355 context->Intermediate_Hash[6] = H0[6];
356 context->Intermediate_Hash[7] = H0[7];
358 context->Computed = 0;
359 context->Corrupted = shaSuccess;
365 * SHA224_256ProcessMessageBlock
368 * This helper function will process the next 512 bits of the
369 * message stored in the Message_Block array.
373 * The SHA context to update.
379 * Many of the variable names in this code, especially the
380 * single character names, were used because those were the
381 * names used in the Secure Hash Standard.
383 static void SHA224_256ProcessMessageBlock(SHA256Context *context)
385 /* Constants defined in FIPS 180-3, section 4.2.2 */
386 static const uint32_t K[64] = {
387 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
388 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
389 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
390 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
391 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
392 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
393 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
394 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
395 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
396 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
397 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
398 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
399 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
401 int t, t4; /* Loop counter */
402 uint32_t temp1, temp2; /* Temporary word value */
403 uint32_t W[64]; /* Word sequence */
404 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
407 * Initialize the first 16 words in the array W
409 for (t = t4 = 0; t < 16; t++, t4 += 4)
410 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
411 (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
412 (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
413 (((uint32_t)context->Message_Block[t4 + 3]));
415 for (t = 16; t < 64; t++)
416 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
417 SHA256_sigma0(W[t-15]) + W[t-16];
419 A = context->Intermediate_Hash[0];
420 B = context->Intermediate_Hash[1];
421 C = context->Intermediate_Hash[2];
422 D = context->Intermediate_Hash[3];
423 E = context->Intermediate_Hash[4];
424 F = context->Intermediate_Hash[5];
425 G = context->Intermediate_Hash[6];
426 H = context->Intermediate_Hash[7];
428 for (t = 0; t < 64; t++) {
429 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
430 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
441 context->Intermediate_Hash[0] += A;
442 context->Intermediate_Hash[1] += B;
443 context->Intermediate_Hash[2] += C;
444 context->Intermediate_Hash[3] += D;
445 context->Intermediate_Hash[4] += E;
446 context->Intermediate_Hash[5] += F;
447 context->Intermediate_Hash[6] += G;
448 context->Intermediate_Hash[7] += H;
450 context->Message_Block_Index = 0;
457 * This helper function finishes off the digest calculations.
461 * The SHA context to update.
463 * The last byte to add to the message block before the 0-padding
464 * and length. This will contain the last bits of the message
465 * followed by another single bit. If the message was an
466 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
471 static void SHA224_256Finalize(SHA256Context *context,
475 SHA224_256PadMessage(context, Pad_Byte);
476 /* message may be sensitive, so clear it out */
477 for (i = 0; i < SHA256_Message_Block_Size; ++i)
478 context->Message_Block[i] = 0;
479 context->Length_High = 0; /* and clear length */
480 context->Length_Low = 0;
481 context->Computed = 1;
485 * SHA224_256PadMessage
488 * According to the standard, the message must be padded to the next
489 * even multiple of 512 bits. The first padding bit must be a '1'.
490 * The last 64 bits represent the length of the original message.
491 * All bits in between should be 0. This helper function will pad
492 * the message according to those rules by filling the
493 * Message_Block array accordingly. When it returns, it can be
494 * assumed that the message digest has been computed.
498 * The context to pad.
500 * The last byte to add to the message block before the 0-padding
501 * and length. This will contain the last bits of the message
502 * followed by another single bit. If the message was an
503 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
508 static void SHA224_256PadMessage(SHA256Context *context,
512 * Check to see if the current message block is too small to hold
513 * the initial padding bits and length. If so, we will pad the
514 * block, process it, and then continue padding into a second
517 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
518 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
519 while (context->Message_Block_Index < SHA256_Message_Block_Size)
520 context->Message_Block[context->Message_Block_Index++] = 0;
521 SHA224_256ProcessMessageBlock(context);
523 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
525 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
526 context->Message_Block[context->Message_Block_Index++] = 0;
529 * Store the message length as the last 8 octets
531 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
532 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
533 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
534 context->Message_Block[59] = (uint8_t)(context->Length_High);
535 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
536 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
537 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
538 context->Message_Block[63] = (uint8_t)(context->Length_Low);
540 SHA224_256ProcessMessageBlock(context);
547 * This helper function will return the 224-bit or 256-bit message
548 * digest into the Message_Digest array provided by the caller.
550 * The first octet of hash is stored in the element with index 0,
551 * the last octet of hash in the element with index 27/31.
555 * The context to use to calculate the SHA hash.
556 * Message_Digest[ ]: [out]
557 * Where the digest is returned.
559 * The size of the hash, either 28 or 32.
564 static int SHA224_256ResultN(SHA256Context *context,
565 uint8_t Message_Digest[ ], int HashSize)
569 if (!context) return shaNull;
570 if (!Message_Digest) return shaNull;
571 if (context->Corrupted) return context->Corrupted;
573 if (!context->Computed)
574 SHA224_256Finalize(context, 0x80);
576 for (i = 0; i < HashSize; ++i)
577 Message_Digest[i] = (uint8_t)
578 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));