2 * SHA-256 algorithm as described at
4 * http://csrc.nist.gov/cryptval/shs.html
9 /* ----------------------------------------------------------------------
10 * Core SHA256 algorithm: processes 16-word blocks into a message digest.
13 #define ror(x,y) ( ((x) << (32-y)) | (((uint32)(x)) >> (y)) )
14 #define shr(x,y) ( (((uint32)(x)) >> (y)) )
15 #define Ch(x,y,z) ( ((x) & (y)) ^ (~(x) & (z)) )
16 #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) )
17 #define bigsigma0(x) ( ror((x),2) ^ ror((x),13) ^ ror((x),22) )
18 #define bigsigma1(x) ( ror((x),6) ^ ror((x),11) ^ ror((x),25) )
19 #define smallsigma0(x) ( ror((x),7) ^ ror((x),18) ^ shr((x),3) )
20 #define smallsigma1(x) ( ror((x),17) ^ ror((x),19) ^ shr((x),10) )
22 void SHA256_Core_Init(SHA256_State *s) {
33 void SHA256_Block(SHA256_State *s, uint32 *block) {
35 uint32 a,b,c,d,e,f,g,h;
36 static const int k[] = {
37 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
38 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
39 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
40 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
41 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
42 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
43 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
44 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
45 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
46 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
47 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
48 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
49 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
50 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
51 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
52 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
57 for (t = 0; t < 16; t++)
60 for (t = 16; t < 64; t++)
61 w[t] = smallsigma1(w[t-2]) + w[t-7] + smallsigma0(w[t-15]) + w[t-16];
63 a = s->h[0]; b = s->h[1]; c = s->h[2]; d = s->h[3];
64 e = s->h[4]; f = s->h[5]; g = s->h[6]; h = s->h[7];
66 for (t = 0; t < 64; t+=8) {
69 #define ROUND(j,a,b,c,d,e,f,g,h) \
70 t1 = h + bigsigma1(e) + Ch(e,f,g) + k[j] + w[j]; \
71 t2 = bigsigma0(a) + Maj(a,b,c); \
72 d = d + t1; h = t1 + t2;
74 ROUND(t+0, a,b,c,d,e,f,g,h);
75 ROUND(t+1, h,a,b,c,d,e,f,g);
76 ROUND(t+2, g,h,a,b,c,d,e,f);
77 ROUND(t+3, f,g,h,a,b,c,d,e);
78 ROUND(t+4, e,f,g,h,a,b,c,d);
79 ROUND(t+5, d,e,f,g,h,a,b,c);
80 ROUND(t+6, c,d,e,f,g,h,a,b);
81 ROUND(t+7, b,c,d,e,f,g,h,a);
84 s->h[0] += a; s->h[1] += b; s->h[2] += c; s->h[3] += d;
85 s->h[4] += e; s->h[5] += f; s->h[6] += g; s->h[7] += h;
88 /* ----------------------------------------------------------------------
89 * Outer SHA256 algorithm: take an arbitrary length byte string,
90 * convert it into 16-word blocks with the prescribed padding at
91 * the end, and pass those blocks to the core SHA256 algorithm.
96 void SHA256_Init(SHA256_State *s) {
99 s->lenhi = s->lenlo = 0;
102 void SHA256_Bytes(SHA256_State *s, const void *p, int len) {
103 unsigned char *q = (unsigned char *)p;
104 uint32 wordblock[16];
109 * Update the length field.
112 s->lenhi += (s->lenlo < lenw);
114 if (s->blkused && s->blkused+len < BLKSIZE) {
116 * Trivial case: just add to the block.
118 memcpy(s->block + s->blkused, q, len);
122 * We must complete and process at least one block.
124 while (s->blkused + len >= BLKSIZE) {
125 memcpy(s->block + s->blkused, q, BLKSIZE - s->blkused);
126 q += BLKSIZE - s->blkused;
127 len -= BLKSIZE - s->blkused;
128 /* Now process the block. Gather bytes big-endian into words */
129 for (i = 0; i < 16; i++) {
131 ( ((uint32)s->block[i*4+0]) << 24 ) |
132 ( ((uint32)s->block[i*4+1]) << 16 ) |
133 ( ((uint32)s->block[i*4+2]) << 8 ) |
134 ( ((uint32)s->block[i*4+3]) << 0 );
136 SHA256_Block(s, wordblock);
139 memcpy(s->block, q, len);
144 void SHA256_Final(SHA256_State *s, unsigned char *digest) {
150 if (s->blkused >= 56)
151 pad = 56 + 64 - s->blkused;
153 pad = 56 - s->blkused;
155 lenhi = (s->lenhi << 3) | (s->lenlo >> (32-3));
156 lenlo = (s->lenlo << 3);
160 SHA256_Bytes(s, &c, pad);
162 c[0] = (lenhi >> 24) & 0xFF;
163 c[1] = (lenhi >> 16) & 0xFF;
164 c[2] = (lenhi >> 8) & 0xFF;
165 c[3] = (lenhi >> 0) & 0xFF;
166 c[4] = (lenlo >> 24) & 0xFF;
167 c[5] = (lenlo >> 16) & 0xFF;
168 c[6] = (lenlo >> 8) & 0xFF;
169 c[7] = (lenlo >> 0) & 0xFF;
171 SHA256_Bytes(s, &c, 8);
173 for (i = 0; i < 8; i++) {
174 digest[i*4+0] = (s->h[i] >> 24) & 0xFF;
175 digest[i*4+1] = (s->h[i] >> 16) & 0xFF;
176 digest[i*4+2] = (s->h[i] >> 8) & 0xFF;
177 digest[i*4+3] = (s->h[i] >> 0) & 0xFF;
181 void SHA256_Simple(const void *p, int len, unsigned char *output) {
185 SHA256_Bytes(&s, p, len);
186 SHA256_Final(&s, output);
190 * Thin abstraction for things where hashes are pluggable.
193 static void *sha256_init(void)
197 s = snew(SHA256_State);
202 static void sha256_bytes(void *handle, void *p, int len)
204 SHA256_State *s = handle;
206 SHA256_Bytes(s, p, len);
209 static void sha256_final(void *handle, unsigned char *output)
211 SHA256_State *s = handle;
213 SHA256_Final(s, output);
217 const struct ssh_hash ssh_sha256 = {
218 sha256_init, sha256_bytes, sha256_final, 32, "SHA-256"
228 unsigned char digest[32];
232 const char *teststring;
233 unsigned char digest[32];
236 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
237 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
238 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
239 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad,
241 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", {
242 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
243 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
244 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
245 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1,
251 for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
252 SHA256_Simple(tests[i].teststring,
253 strlen(tests[i].teststring), digest);
254 for (j = 0; j < 32; j++) {
255 if (digest[j] != tests[i].digest[j]) {
257 "\"%s\" digest byte %d should be 0x%02x, is 0x%02x\n",
258 tests[i].teststring, j, tests[i].digest[j], digest[j]);
264 printf("%d errors\n", errors);
projects / PuTTY.git / blob