//! SHA-2 hash functions: SHA-256, SHA-384, SHA-512 (FIPS 180-4). // --------------------------------------------------------------------------- // SHA-256 // --------------------------------------------------------------------------- /// SHA-256 round constants (first 32 bits of the fractional parts of the /// cube roots of the first 64 primes). const K256: [u32; 64] = [ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2, ]; /// Initial hash values for SHA-256 (first 32 bits of the fractional parts /// of the square roots of the first 8 primes). const H256_INIT: [u32; 8] = [ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, ]; /// SHA-256 hasher with streaming API. #[derive(Clone)] pub struct Sha256 { state: [u32; 8], buf: [u8; 64], buf_len: usize, total_len: u64, } impl Sha256 { pub fn new() -> Self { Self { state: H256_INIT, buf: [0u8; 64], buf_len: 0, total_len: 0, } } pub fn update(&mut self, data: &[u8]) { self.total_len += data.len() as u64; let mut offset = 0; // Fill the buffer if partially filled. if self.buf_len > 0 { let space = 64 - self.buf_len; let copy_len = space.min(data.len()); self.buf[self.buf_len..self.buf_len + copy_len].copy_from_slice(&data[..copy_len]); self.buf_len += copy_len; offset += copy_len; if self.buf_len == 64 { let block = self.buf; sha256_compress(&mut self.state, &block); self.buf_len = 0; } } // Process full blocks directly. while offset + 64 <= data.len() { let block: [u8; 64] = data[offset..offset + 64].try_into().unwrap(); sha256_compress(&mut self.state, &block); offset += 64; } // Buffer remaining bytes. let remaining = data.len() - offset; if remaining > 0 { self.buf[..remaining].copy_from_slice(&data[offset..]); self.buf_len = remaining; } } pub fn finalize(mut self) -> [u8; 32] { // Pad per FIPS 180-4 §5.1.1. let bit_len = self.total_len * 8; // Append 0x80 byte. self.buf[self.buf_len] = 0x80; self.buf_len += 1; // If not enough room for the 8-byte length, pad and compress. if self.buf_len > 56 { for i in self.buf_len..64 { self.buf[i] = 0; } let block = self.buf; sha256_compress(&mut self.state, &block); self.buf_len = 0; } // Zero-pad up to byte 56, then append 64-bit big-endian length. for i in self.buf_len..56 { self.buf[i] = 0; } self.buf[56..64].copy_from_slice(&bit_len.to_be_bytes()); let block = self.buf; sha256_compress(&mut self.state, &block); // Produce the digest. let mut out = [0u8; 32]; for (i, word) in self.state.iter().enumerate() { out[i * 4..(i + 1) * 4].copy_from_slice(&word.to_be_bytes()); } out } } impl Default for Sha256 { fn default() -> Self { Self::new() } } /// One-shot SHA-256. pub fn sha256(data: &[u8]) -> [u8; 32] { let mut h = Sha256::new(); h.update(data); h.finalize() } /// SHA-256 compression function: process one 64-byte block. fn sha256_compress(state: &mut [u32; 8], block: &[u8; 64]) { // Prepare the message schedule. let mut w = [0u32; 64]; for i in 0..16 { w[i] = u32::from_be_bytes([ block[i * 4], block[i * 4 + 1], block[i * 4 + 2], block[i * 4 + 3], ]); } for i in 16..64 { let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3); let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10); w[i] = w[i - 16] .wrapping_add(s0) .wrapping_add(w[i - 7]) .wrapping_add(s1); } let [mut a, mut b, mut c, mut d, mut e, mut f, mut g, mut h] = *state; for i in 0..64 { let s1 = e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25); let ch = (e & f) ^ ((!e) & g); let temp1 = h .wrapping_add(s1) .wrapping_add(ch) .wrapping_add(K256[i]) .wrapping_add(w[i]); let s0 = a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22); let maj = (a & b) ^ (a & c) ^ (b & c); let temp2 = s0.wrapping_add(maj); h = g; g = f; f = e; e = d.wrapping_add(temp1); d = c; c = b; b = a; a = temp1.wrapping_add(temp2); } state[0] = state[0].wrapping_add(a); state[1] = state[1].wrapping_add(b); state[2] = state[2].wrapping_add(c); state[3] = state[3].wrapping_add(d); state[4] = state[4].wrapping_add(e); state[5] = state[5].wrapping_add(f); state[6] = state[6].wrapping_add(g); state[7] = state[7].wrapping_add(h); } // --------------------------------------------------------------------------- // SHA-512 // --------------------------------------------------------------------------- /// SHA-512 round constants (first 64 bits of the fractional parts of the /// cube roots of the first 80 primes). const K512: [u64; 80] = [ 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817, ]; /// Initial hash values for SHA-512. const H512_INIT: [u64; 8] = [ 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, 0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, ]; /// Initial hash values for SHA-384 (different from SHA-512). const H384_INIT: [u64; 8] = [ 0xcbbb9d5dc1059ed8, 0x629a292a367cd507, 0x9159015a3070dd17, 0x152fecd8f70e5939, 0x67332667ffc00b31, 0x8eb44a8768581511, 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4, ]; /// SHA-512 hasher with streaming API. #[derive(Clone)] pub struct Sha512 { state: [u64; 8], buf: [u8; 128], buf_len: usize, total_len: u128, } impl Sha512 { pub fn new() -> Self { Self { state: H512_INIT, buf: [0u8; 128], buf_len: 0, total_len: 0, } } fn with_init(init: [u64; 8]) -> Self { Self { state: init, buf: [0u8; 128], buf_len: 0, total_len: 0, } } pub fn update(&mut self, data: &[u8]) { self.total_len += data.len() as u128; let mut offset = 0; if self.buf_len > 0 { let space = 128 - self.buf_len; let copy_len = space.min(data.len()); self.buf[self.buf_len..self.buf_len + copy_len].copy_from_slice(&data[..copy_len]); self.buf_len += copy_len; offset += copy_len; if self.buf_len == 128 { let block = self.buf; sha512_compress(&mut self.state, &block); self.buf_len = 0; } } while offset + 128 <= data.len() { let block: [u8; 128] = data[offset..offset + 128].try_into().unwrap(); sha512_compress(&mut self.state, &block); offset += 128; } let remaining = data.len() - offset; if remaining > 0 { self.buf[..remaining].copy_from_slice(&data[offset..]); self.buf_len = remaining; } } pub fn finalize(mut self) -> [u8; 64] { // Pad per FIPS 180-4 §5.1.2. let bit_len = self.total_len * 8; self.buf[self.buf_len] = 0x80; self.buf_len += 1; // Need 16 bytes for the 128-bit length at the end. if self.buf_len > 112 { for i in self.buf_len..128 { self.buf[i] = 0; } let block = self.buf; sha512_compress(&mut self.state, &block); self.buf_len = 0; } for i in self.buf_len..112 { self.buf[i] = 0; } self.buf[112..128].copy_from_slice(&bit_len.to_be_bytes()); let block = self.buf; sha512_compress(&mut self.state, &block); let mut out = [0u8; 64]; for (i, word) in self.state.iter().enumerate() { out[i * 8..(i + 1) * 8].copy_from_slice(&word.to_be_bytes()); } out } } impl Default for Sha512 { fn default() -> Self { Self::new() } } /// One-shot SHA-512. pub fn sha512(data: &[u8]) -> [u8; 64] { let mut h = Sha512::new(); h.update(data); h.finalize() } /// SHA-512 compression function: process one 128-byte block. fn sha512_compress(state: &mut [u64; 8], block: &[u8; 128]) { let mut w = [0u64; 80]; for i in 0..16 { w[i] = u64::from_be_bytes([ block[i * 8], block[i * 8 + 1], block[i * 8 + 2], block[i * 8 + 3], block[i * 8 + 4], block[i * 8 + 5], block[i * 8 + 6], block[i * 8 + 7], ]); } for i in 16..80 { let s0 = w[i - 15].rotate_right(1) ^ w[i - 15].rotate_right(8) ^ (w[i - 15] >> 7); let s1 = w[i - 2].rotate_right(19) ^ w[i - 2].rotate_right(61) ^ (w[i - 2] >> 6); w[i] = w[i - 16] .wrapping_add(s0) .wrapping_add(w[i - 7]) .wrapping_add(s1); } let [mut a, mut b, mut c, mut d, mut e, mut f, mut g, mut h] = *state; for i in 0..80 { let s1 = e.rotate_right(14) ^ e.rotate_right(18) ^ e.rotate_right(41); let ch = (e & f) ^ ((!e) & g); let temp1 = h .wrapping_add(s1) .wrapping_add(ch) .wrapping_add(K512[i]) .wrapping_add(w[i]); let s0 = a.rotate_right(28) ^ a.rotate_right(34) ^ a.rotate_right(39); let maj = (a & b) ^ (a & c) ^ (b & c); let temp2 = s0.wrapping_add(maj); h = g; g = f; f = e; e = d.wrapping_add(temp1); d = c; c = b; b = a; a = temp1.wrapping_add(temp2); } state[0] = state[0].wrapping_add(a); state[1] = state[1].wrapping_add(b); state[2] = state[2].wrapping_add(c); state[3] = state[3].wrapping_add(d); state[4] = state[4].wrapping_add(e); state[5] = state[5].wrapping_add(f); state[6] = state[6].wrapping_add(g); state[7] = state[7].wrapping_add(h); } // --------------------------------------------------------------------------- // SHA-384 // --------------------------------------------------------------------------- /// SHA-384 hasher (SHA-512 with different initial values, truncated to 384 bits). #[derive(Clone)] pub struct Sha384 { inner: Sha512, } impl Sha384 { pub fn new() -> Self { Self { inner: Sha512::with_init(H384_INIT), } } pub fn update(&mut self, data: &[u8]) { self.inner.update(data); } pub fn finalize(self) -> [u8; 48] { let full = self.inner.finalize(); let mut out = [0u8; 48]; out.copy_from_slice(&full[..48]); out } } impl Default for Sha384 { fn default() -> Self { Self::new() } } /// One-shot SHA-384. pub fn sha384(data: &[u8]) -> [u8; 48] { let mut h = Sha384::new(); h.update(data); h.finalize() } // --------------------------------------------------------------------------- // Tests // --------------------------------------------------------------------------- #[cfg(test)] mod tests { use super::*; fn hex(bytes: &[u8]) -> String { bytes.iter().map(|b| format!("{b:02x}")).collect() } // ----------------------------------------------------------------------- // SHA-256 NIST test vectors (FIPS 180-4 / NIST CSRC examples) // ----------------------------------------------------------------------- #[test] fn sha256_empty() { assert_eq!( hex(&sha256(b"")), "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ); } #[test] fn sha256_abc() { assert_eq!( hex(&sha256(b"abc")), "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" ); } #[test] fn sha256_448bit() { // "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" (448 bits) assert_eq!( hex(&sha256( b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" )), "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1" ); } #[test] fn sha256_896bit() { // "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" assert_eq!( hex(&sha256(b"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu")), "cf5b16a778af8380036ce59e7b0492370b249b11e8f07a51afac45037afee9d1" ); } #[test] fn sha256_million_a() { // 1,000,000 repetitions of 'a' let mut h = Sha256::new(); // Feed in chunks to test streaming. let chunk = [b'a'; 1000]; for _ in 0..1000 { h.update(&chunk); } assert_eq!( hex(&h.finalize()), "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0" ); } #[test] fn sha256_streaming() { // Verify streaming matches one-shot. let data = b"The quick brown fox jumps over the lazy dog"; let expected = sha256(data); let mut h = Sha256::new(); h.update(&data[..10]); h.update(&data[10..20]); h.update(&data[20..]); assert_eq!(h.finalize(), expected); } // ----------------------------------------------------------------------- // SHA-512 NIST test vectors // ----------------------------------------------------------------------- #[test] fn sha512_empty() { assert_eq!( hex(&sha512(b"")), "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" ); } #[test] fn sha512_abc() { assert_eq!( hex(&sha512(b"abc")), "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" ); } #[test] fn sha512_896bit() { assert_eq!( hex(&sha512(b"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu")), "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909" ); } #[test] fn sha512_million_a() { let mut h = Sha512::new(); let chunk = [b'a'; 1000]; for _ in 0..1000 { h.update(&chunk); } assert_eq!( hex(&h.finalize()), "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973ebde0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b" ); } #[test] fn sha512_streaming() { let data = b"The quick brown fox jumps over the lazy dog"; let expected = sha512(data); let mut h = Sha512::new(); h.update(&data[..5]); h.update(&data[5..]); assert_eq!(h.finalize(), expected); } // ----------------------------------------------------------------------- // SHA-384 NIST test vectors // ----------------------------------------------------------------------- #[test] fn sha384_empty() { assert_eq!( hex(&sha384(b"")), "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b" ); } #[test] fn sha384_abc() { assert_eq!( hex(&sha384(b"abc")), "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7" ); } #[test] fn sha384_896bit() { assert_eq!( hex(&sha384(b"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu")), "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712fcc7c71a557e2db966c3e9fa91746039" ); } #[test] fn sha384_million_a() { let mut h = Sha384::new(); let chunk = [b'a'; 1000]; for _ in 0..1000 { h.update(&chunk); } assert_eq!( hex(&h.finalize()), "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b07b8b3dc38ecc4ebae97ddd87f3d8985" ); } #[test] fn sha384_streaming() { let data = b"The quick brown fox jumps over the lazy dog"; let expected = sha384(data); let mut h = Sha384::new(); h.update(&data[..15]); h.update(&data[15..]); assert_eq!(h.finalize(), expected); } // ----------------------------------------------------------------------- // Edge cases // ----------------------------------------------------------------------- #[test] fn sha256_exactly_one_block() { // 55 bytes + 1 byte (0x80) + 8 bytes (length) = 64 = one block after padding let data = [0xABu8; 55]; let result = sha256(&data); // Verify streaming matches. let mut h = Sha256::new(); h.update(&data); assert_eq!(h.finalize(), result); } #[test] fn sha256_exactly_56_bytes() { // 56 bytes requires two blocks (56 + 1 + 8 > 64). let data = [0xCDu8; 56]; let result = sha256(&data); let mut h = Sha256::new(); h.update(&data); assert_eq!(h.finalize(), result); } #[test] fn sha512_exactly_one_block() { // 111 bytes + 1 + 16 = 128 let data = [0xABu8; 111]; let result = sha512(&data); let mut h = Sha512::new(); h.update(&data); assert_eq!(h.finalize(), result); } #[test] fn sha512_exactly_112_bytes() { // 112 + 1 + 16 > 128 => requires second block let data = [0xCDu8; 112]; let result = sha512(&data); let mut h = Sha512::new(); h.update(&data); assert_eq!(h.finalize(), result); } #[test] fn sha256_byte_at_a_time() { let data = b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; let expected = sha256(data); let mut h = Sha256::new(); for byte in data.iter() { h.update(&[*byte]); } assert_eq!(h.finalize(), expected); } }