sha256 digests do not match test vectors

[cyphar]

As part of debugging archiecobbs/nmtree#4, I have confirmed that the issue is that some part of the SHA256 hashing code in this library produces output that doesn't match any of the test vectors.

However, if you enable SHA2_UNROLL_TRANSFORM, the output is fixed. So there's some kind of bug in the non-unrolled transform. In archiecobbs/nmtree#4, I speculated that it was a porting bug, but there are no substantial changes from NetBSD to this port, so it seems possible this is a NetBSD bug (maybe they always use SHA2_UNROLL_TRANSFORM and thus have never hit this issue?).

I've opened #3 to add tests that check the output of the library implementations against known-good test vectors. If you run make check you'll find that all of the SHA256 test vectors fail, but if you run make CFLAGS="-DSHA2_UNROLL_TRANSFORM" check all of the tests pass.

[archiecobbs]

What system are you building on?

I'm using openSUSE 15.4 and I don't get any errors (using version 1.0.1-4-g8f35714):

$ make check
make  rmd160-test sha1-test sha2-test
make[1]: Entering directory '/home/archie/proj/libnbcompat'
make[1]: 'sha1-test' is up to date.
make[1]: 'sha2-test' is up to date.
make[1]: Leaving directory '/home/archie/proj/libnbcompat'
make  check-TESTS
make[1]: Entering directory '/home/archie/proj/libnbcompat'
make[2]: Entering directory '/home/archie/proj/libnbcompat'
PASS: rmd160-test
PASS: sha1-test
PASS: sha2-test
============================================================================
Testsuite summary for libnbcompat 1.0.1
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[2]: Leaving directory '/home/archie/proj/libnbcompat'
make[1]: Leaving directory '/home/archie/proj/libnbcompat'
$ uname -a
Linux ops2 5.14.21-150400.24.55-default #1 SMP PREEMPT_DYNAMIC Mon Mar 27 15:25:48 UTC 2023 (cc75cf8) x86_64 x86_64 x86_64 GNU/Linux

[cyphar]

I'm on openSUSE Tumbleweed. Using the current HEAD,

make  rmd160-test sha1-test sha2-test
make[1]: Entering directory '/home/cyphar/src/libnbcompat'
make[1]: 'sha1-test' is up to date.
make[1]: 'sha2-test' is up to date.
make[1]: Leaving directory '/home/cyphar/src/libnbcompat'
make  check-TESTS
make[1]: Entering directory '/home/cyphar/src/libnbcompat'
make[2]: Entering directory '/home/cyphar/src/libnbcompat'
PASS: rmd160-test
PASS: sha1-test
FAIL: sha2-test
============================================================================
Testsuite summary for libnbcompat 1.0.1
============================================================================
# TOTAL: 3
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/archiecobbs/libnbcompat/issues
============================================================================
make[2]: *** [Makefile:1181: test-suite.log] Error 1
make[2]: Leaving directory '/home/cyphar/src/libnbcompat'
make[1]: *** [Makefile:1289: check-TESTS] Error 2
make[1]: Leaving directory '/home/cyphar/src/libnbcompat'
make: *** [Makefile:1515: check-am] Error 2
make check  0.14s user 0.04s system 104% cpu 0.170 total
% uname -a
Linux senku 6.2.12-1-default #1 SMP PREEMPT_DYNAMIC Thu Apr 20 11:01:10 UTC 2023 (eb3255d) x86_64 x86_64 x86_64 GNU/Linux

The test suite error log is:

=========================================
   libnbcompat 1.0.1: ./test-suite.log
=========================================

# TOTAL: 3
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: sha2-test
===============

sha256(\M-S) = cd9a4f7b68fefe95feab37f3e2a6b4fab88144d9baed20cb34f4d8d352b81351 != 28969cdfa74a12c82f3bad960b0b000aca2ac329deea5c2328ebc6f2ba9802c1
sha256(\^Q\M-/) = 237a603ef2d20eae305771306063843b4fe9555b29b521fa8e282af4df60660a != 5ca7133fa735326081558ac312c620eeca9970d1e70a4b95533d956f072d1f98
sha256(\M-4\^Y\^N) = 97551061bf56ce704a2d251ebabc35e99f34af4619c71e1265f5dadfef7cf750 != dff2e73091f6c05e528896c4c831b9448653dc2ff043528f6769437bc7b975c2
sha256(t\M-:%!) = 81c750687a05957ee90dd232e35fa471a7792fe2c4ee8c1d2ecb755471ff3a12 != b16aa56be3880d18cd41e68384cf1ec8c17680c45a02b1575dc1518923ae8b0e
sha256(\M-B\M^Y \M^V\M^B) = 26b84f434005032e98be7c36484bd96391f41ac1a3bd87685b6e5f45bd6b6ae0 != f0887fe961c9cd3beab957e8222494abb969b1ce4c6557976df8b0f6d20e9166
sha256(\M-a\M-\rMV!) = 3211f227ffcbc8e21a87b0cef15c747d88aa9173bb5dce55a25175085ac5e34a != eca0a060b489636225b4fa64d267dabbe44273067ac679f20820bddc6b6a90ac
sha256(\^F\M-`v\M-u\M-$B\M-U) = cae57ac0dea1d9692dfe86d9558a58733e5bff7664ffb9d832ac48b8d4d73885 != 3fd877e27450e6bbd5d74bb82f9870c64c66e109418baa8e6bbcff355e287926
sha256(W8\M-I)\M-D\M-t\M-L\M-6) = 77ed3a657a5560b19e10392227d605f50e06854a3fa359aa7a0750ecb4b7a8f1 != 963bb88f27f512777aab6c8b1a02c70ec0ad651d428f870036e1917120fb48bf
sha256(34\M-E\M^@u\M-S\M-t\^S\M^^) = d64a3a7f1840599dfc97263a8675d25127ec645d57daa073894eefae1ef07e4a != 078da3d77ed43bd3037a433fd0341855023793f9afd08b4b08ea1e5597ceef20
sha256(t\M-K\M^S\M^A\M-X\M^_Z\M-'3h) = 999823bb01bc9378b1f2d4858e0a2bc558d5c28a7ad27d7b60afa84f4d952acb != 73d6fad1caaa75b43b21733561fd3958bdc555194a037c2addec19dc2d7a52bd
sha256(v\M-m$\240\M-t\012A"\^^\M-?\M-O) = 291efe0f3594a1165cf4a417e9f1e0e621afde37e698f7233936d25e2d9d68ac != 044cef802901932e46dc46b2545e6c99c0fc323a0ed99b081bda4216857f38ac
sha256(\M^[\M-/i\M-K\M-#\^W\M-t"\M-~&\M-)\240) = e3140af6db799190461c08f900b3515a8992be9546ecf2908e70785724b81d8e != fe56287cd657e4afc50dba7a3a54c2a6324b886becdcd1fae473b769e551a09b
sha256(hQ\^\\M-[-\M-;\M-sS\^M\^?\M-6\^\\M-<) = 22fd4719d43bfd2eeabcbb8793a34ed9e37c5a2d858d6f79a46e6ee7fdbb0036 != af53430466715e99a602fc9f5945719b04dd24267e6a98471f7a7869bd3b4313
sha256(\M-/9z\M^K\M^M\M-W:\M-7\^B\M-N\M^NS\M-*\M^_) = ec501428f23cae939de36f2b5f909ca8d418e0424bcd69aa59bcf751212f80b5 != d189498a3463b18e846b8ab1b41583b0b7efc789dad8a7fb885bbf8fb5b45c5c
sha256()J\M-t\M^@.^\M^R^\M-1\M-F\M-L\M^\rO\011) = 629363b058db7238306dc5fad205252820773842b0c6db3b87b39b61fd040e27 != dcbaf335360de853b9cddfdafb90fa75567d0d3d58af8db9d764113aef570125
sha256(\012'\M^D|\M-\\M^X\M-=ob"\^K\^Dn\M-]v+) = 5760295836ba736b4e5e09a6857f24afac2d6d3e61cf6a46a103862c9f63d764 != 80c25ec1600587e7f28b18b1b18e3cdc89928e39cab3bc25e4d4a4c139bcedc4
sha256(\^[P?\M-9\M-';\^V\M--\M-#\M-|\M-q\^D&#\M-.v\^P) = 854a5379ba84b6766a76972e8878e1221505f4c8b12659e58be9e9008fada6cc != d5c30315f72ed05fe519a1bf75ab5fd0ffec5ac1acb0daf66b6b769598594509
sha256(Y\M-kE\M-;\M->\M-0T\M-0\M-9s4\M-U5\M^@\M-N\^C\M-v\M^Y) = 90e17673ee9517ae590d1ea6af73716a911eb087d6eb56fed881f5a11314ee80 != 32c38c54189f2357e96bd77eb00c2b9c341ebebacc2945f97804f59a93238288
sha256(X\M-e\M-#%\M^\\M-0\M-6\M-Q,\M^C\M-w#7\M^^5\M-})\M^K`) = ed89418769d738015d41b3f47ada76192b8d7069377a4773bc6a370b5042a459 != 9b5b37816de8fcdf3ec10b745428708df8f391c550ea6746b2cafe019c2b6ace
sha256(\M-A\M-o9\M-N\M-e\M^Nx\M-v\M-|\M-\\^R\M-`X\M-7\M-y\^B\M-,\M-Q\M-);) = 1cd4c9cb0fb510b8b6502509af416cfb00cf88037599c35d2114271355607364 != 6dd52b0d8b48cc8146cebd0216fbf5f6ef7eeafc0ff2ff9d1422d6345555a142
sha256(\M^\\M-+}}\M-J\M-l\M^X\M-K:\M-F\M-FM\M-U\M-TG\^M\^K\^P:\M^A\^L) = aa9f058b7d4dfe7fa8e9c3ec1e88ece44c3b2da3f1ce73d9ad7b9de6afbc8a7b != 44d34809fc60d1fcafa7f37b794d1d3a765dd0d23194ebbe340f013f0c39b613
sha256(\M-j\^U|\^B\M-k\M-/\^["\M-^"\^[S\M-r596\M-R5\M^]\^^\^\\M^W) = 2bb3cde3f1fdf6b14bc092a0f79c4518137adfd6d472af50ee8aec4fc69e0a55 != 9df5c16a3f580406f07d96149303d8c408869b32053b726cf3defd241e484957
sha256(\M-Z\M^Y\M^[\M-A\M-y\M-G\M-,\M^?2\M^B\M^Js\M-fr\M-P\M-$\M^R\M-v\M-n\M^I\134hg) = b1abaa3473caa2e6b0f7e9832eb424388f6af901128241f646b3b5ebf8b3de4f != 672b54e43f41ee77584bdf8bf854d97b6252c918f7ea2d26bc4097ea53a88f10
sha256(G\M^Y\^S\^A\^Um\^]\M^W|\^C8\M-o\M-<\M--A\000A3\M-.\M-{\M-Jk\M-O~) = 472808c48294585a4f7b77462d296093185fdc36addf80f6617f99126019d40f != feeb4b2b59fec8fdb1e55194a493d8c871757b5723675e93d3ac034b380b7fc9
sha256(.~\M-(M\M-$\M-<M|\M-{F>?,\M^FG\^Ez\M^?\M-s\M-{\M-l\M-l\M-!\M-R\000) = 643ab4497874869849f7b0dc58e37d2837a26577e34557c7312638ea6fbd6628 != 76e3acbc718836f2df8ad2d0d2d76f0cfa5fea0986be918f10bcee730df441b9
sha256(G\M-Gp\M-kEI\M-6\M-o\M-v8\^]b\M-i\M->\M-4d\M-M\M^X\M-SA\M-L\^\\011\M^X\^Zz) = 8835fd5677b482122cd6bd3ad6f7240dcf3d3ba1bd45400ca0fa2139306aac4d != 6733809c73e53666c735b3bd3daf87ebc77c72756150a616a194108d71231272
sha256(\M-,L&\M-X\M-4;\M^Ey\M-X\M-v\^\\M^X\^G\^Bn\M^C\M-i\M-5\M^F\M-a\^U\M^[\M-T;\M^E\^Y7) = 3a4b3094f22b0dc6662e19ed539be2109316ecb0927035bda9ed64a6e3fda82c != 0e6e3c143c3a5f7f38505ed6adc9b48c18edf6dedf11635f6e8f9ac73c39fe9e
sha256(\^Gw\M-|\^^\^\\M-$s\^D\M-B\M-bei(8\^P\M^^&\M-*\M-9\M-e\M-D\M-.N\M^F\000\M-_K\^_) = 992687d5d0986192804fef42cda4f618e0a47179f293cfcb36eff0b6a5fb6379 != ffb4fc03e054f8ecbc31470fc023bedcd4a406b9dd56c71da1b660dcc4842c65
sha256(\^ZW%\^\C\^]Nl.\^F\M-VRF\M-"\M^V\M^QPq\M-%1B^\M-O%Y\M^IB*f) = bbd3fcde62ad26711ac29d5fd7ef0891073c26422e6ea9d34b5b29d3e8caf1c7 != c644612cd326b38b1c6813b1daded34448805aef317c35f548dfb4a0d74b8106
sha256(\M^[$_\M-Z\M-Y\M-:\M-k\M^I\^M\M^\\^M\^N\M^?\M^An\M-{L\M-!8a\^K\M-G\M-W\M^L\M-1\M-(\^A\M-m2s) = 587c37b6edb91d614522605e14d5097535fd9bcd4afe444c177a7b0b66cfd8f5 != c0e29eeeb0d3a7707947e623cdc7d1899adc70dd7861205ea5e5813954fb7957
sha256(\M^U\M-'e\M^@\M^\\M-/0\M--\M-)\012\M-V\M-V\^\+K0%\^M\M-p\M-'\M-N#\M-7u<\M^Q\M^G\M-t1\M^\\M-b) = dc6a00395339781331fc1ca066578a4df39ee3b59cb5f63060e60d10aae0cfb2 != a4139b74b102cf1e2fce229a6cd84c87501f50afa4c80feacf7d8cf5ed94f042
sha256(\011\M-|\^Z\M-L\M-B0\M-"\^E\M-d\M-"\^H\M-fJ\M^O B\M^Q\M-u\M^A\M-!'V9-\M-$\M-8\M-@\M-O^\M-p+\M^U) = 8582b017c2907aab1325fce9ac56707d4f4445373c71fbeaca47529c0686077f != 4f44c1c7fbebb6f9601829f3897bfd650c56fa07844be76489076356ac1886a4
sha256(\^EF\M-w\M-8h+[\M^U\M-}28_\M-/%\M^EL\M-3\M-w\M-4\^L\M-H\M-z"\M^_\M-=R\M-1i4\M-*\M-3\M^H\M-') = f4cb0e11691dd78ba901536a842885d9eadb159c9d7fe7b62d0d4a929360de62 != b31ad3cd02b10db282b3576c059b746fb24ca6f09fef69402dc90ece7421cbb7
sha256(\M-1-\M-4\M-!\^BU)\M-3\M-7\M-1\M-d\134m\M-<{\M-*\M^H\M^W\240Wnf\M-vK\M-s\M-x#a\^S\M-&'n\M-g}) = f5f4b06dbdd0ad5e1d2abcf8748ee5839c5d0f08e0f12f6ac812c6dbbe8f7ba6 != 1c38bf6bbfd32292d67d1d651fd9d5b623b6ec1e854406223f51d0df46968712
sha256(\M-f\M^L\M-6\M-X\M-A\M^Fl\012q\M-g1?\M^C\M-\\^Q\M-%\M^@\M^\\M-u\M-O\M->\M-m\^ZX|\M-i\M-B\M-I.\^B*\M-<\^VD\M-;) = 8675878438d79d9ec04e45857500594f7ce9c22e5cd4afe525b317dd2f4ec0e9 != c2684c0dbb85c232b6da4fb5147dd0624429ec7e657991edd95eda37a587269e
sha256(N=\M^J\M-Cma\M-Y\M-e\^T\M^@\M^C\^QU\M-2S\M-3yi\M-~~\M-t\M^]\M-3\M-3\M^Y&\M-s\240\^Ki\M-#gt6`\000) = ee8a1fe4a64d824c57b35ded6c87fb2e27b38f0be4d62ab121a5277b54872cf3 != bf9d5e5b5393053f055b380baed7e792ae85ad37c0ada5fd4519542ccc461cf3
sha256(\^C\M-2d\M->Q\M-d\M-9A\M^FO\M^[p\M-4\M-IX\M-u5Z\M-,)KK\M^G\M-K\^C\^?\^Q\M-x_\^G\M-kW\M-3\M-p\M-8\M^UP) = 66c7c6dda7741eaaceca36d3404106b0578b7bef4407b5dc8c8436c8fa514f20 != d1f8bd684001ac5a4b67bbf79f87de524d2da99ac014dec3e4187728f4557471
sha256(\M-P\M-~\M-}\M^Vx|e\M^?\M-'\M-y\^P\M-V\M-P\M--\M-&=d\M-U\M-Dg\M^Y`\M-g\M-pj\M-k\M^Lp\M-_\M-o\M^UO\M^N9\M-o\M-[b\M^[) = 4ba5a7092ea316b63b03a62081a9d61d19d098f1a2759be03c2723b1beb1f068 != 49ba38db85c2796f85ffd57dd5ec337007414528ae33935b102d16a6b91ba6c1
sha256(\M-7\M-G\M^]~_\^^\M-l\M-M\M-~\M-_\^N{\M-t>s\^MD~`}\M^M\^T\M^I\M^B=\011\M-a\^R\^A\240\M-1%\M^@9\M-g\M-=Hu\M-1) = 920dca1f8b6efd780ab2518341e1ee4f7b34de5b33d46119e0b93d50a6b69198 != 725e6f8d888ebaf908b7692259ab8839c3248edd22ca115bb13e025808654700
sha256(d\M-M6>\M-L\M-`_\M-_\M-Z$\M^F\M-P\^Q\M-#\M-[\M^U\M-5 j\^Y\M-S\^E@F\M^A\M^]\M-P\M-Sg\M^C\M^U]~[\M-x\M-:\^X\M-?s\M^J) = 55a540db239e838a3925fb06a3353e086a82b1a5c379a21eb56b4f761ebb39a4 != 32caef024f84e97c30b4a7b9d04b678b3d8a6eb2259dff5b7f7c011f090845f8
sha256(j\M-F\M-F=a\M^N\M-/\000\M-Y\^\^(\^G\M-h<\0119\^R\M-8\M-b\^B\M-w\M^N\^S\M^W\^CI\M^Jy\M-F\^F\^?TI|a'\M-"9\^P\M-&) = 723dc7004d8c2d3c8f00e2f286300bc9d13e35948109263063269b56599dffc4 != 4bb33e7c6916e08a9b3ed6bcef790aaaee0dcf2e7a01afb056182dea2dad7d63
sha256(\M-Rh&\M-[\M^[\M-.\M-*\M^I&\M^Q\M-6\M^I\000\M-9ac \M^N\M^@j\^]\240wB\M^^EO\240\^Q\M^D\011Q\24012~`Z\M-8.\M-L\M-b) = 299dc6675c3c22a142b027b39063dbf55cd61e6a6177050ac50b9aad00f01d70 != 3ac7ac6bed82fdc8cd15b746f0ee7489158192c238f371c1883c9fe90b3e2831
sha256(?z\^E\M^[e\M-V\M-K\^BI J\M-,\^P\M-9\M-q\M-$\M-,\M^^Xh\M--\M-k\M->\M^SZ\M^^\M-5\M-9\^A\M^^\^\\M^S\M^K\M-|N\134Sx\M^Yz9G\M-r) = c2415fa2e0a0ebd6e531549d5fb0cb825b49d2361eb66053052447c18faba609 != bfce809534eefe871273964d32f091fe756c71a7f512ef5f2300bcd57f699e74
sha256(`\M^?\M-K#\M-V\M-8\M^NH[\M^R\012\M-x\^]\^P\M^C\M-v)\^]\^F\M-,\M^L\M-#\M-)e\M-8Y\^T\M-<*\M-]@TJ\^B\^?\M-J\M^Sk\M-=\M-h\M-sY\^E\^\) = 0d2351d21e696c4a22c48e304b94da79cab8d96f127d924fd680a8def81ee72f != 1d26f3e04f89b4eaa9dbed9231bb051eef2e8311ad26fe53d0bf0b821eaf7567
sha256(\M^^\M-M\^G\M-6\M^D\M-;\M^^\^Nf\M^R\M-c \M-N\M-DQ\^L\M-'\M^_\M-M\M-3\M-"!,&\M-Y\^M\M-v]\M-3>i-\^G<\M-At\M^D\^M\M-7\M^WPNH.\M-o) = 581531c2b750acca254e41abfd7d31b425c00762a84c6004299ec1eb18b6b673 != 0ffeb644a49e787ccc6970fe29705a4f4c2bfcfe7d19741c158333ff6982cc9c
sha256(\M^]d\M-^qa\M^IX\M^D\M-g\M-z=n\M^^\M-9\M^V\M-g\M-k\M-e\^Q\M-0\^_\M-a\M^\\M-T\M-&\M-32.\M^@\M-*\M-u+\M-vD~\M-Q\M^ENq\000\^_MT\M-x\M^S\^]) = 061657c0c36c7c93b62f2aed0dbe5d8c3980acdaa727bb2c04214691e53f4e7e != d048ee1524014adf9a56e60a388277de194c694cc787fc5a1b554ea9f07abfdf
sha256(\M-D\M--<^x\M-Y\^W\M-l\M-0\M-K\M-<\M-Q\M-D\M^A\M-|*\M-/#/~(\M^Wy\M-t\^NPL\M-C\011f.\M-io\M-l\M-= d~\M-p\^NF\^Y\M^_\M-<H/F) = 6767191a96c9476041a05a9e9d2f0ef2c587727228579e1a4400d5f3f1c0230f != 50dbf40066f8d270484ee2ef6632282dfa300a85a8530eceeb0e04275e1c1efd
sha256(N\M-oQ\^GE\M^[\M-]\M-x\M-rO\M-Geo\M-T\M^Im\M-(q\^]\M-5\^D\000\M-@\^VHG\M-v\M^R\M-8\M^F\M-N\M^M\^?Mg9P\M^P\M-3SN\M-}{\^M)\M^M\M-#K) = 898fdf47a02d49efa30ef451073c7f1cbdc67a09e5c82b958b76673e45c56789 != 7c5d14ed83dab875ac25ce7feed6ef837d58e79dc601fb3c1fca48d4464e8b83
sha256(\^D}'X\M-g\M-B\M-Ib?\M^[\M-[\M^S\M-6Y|^\M^D\240\M-M4\M-f\^P\^AK\M-K%\M-4\M^^\M-P\134~5n\M^X\M-G\M-&r\M-C\M-]\M-\\M-.\M-8C\^W\M-oaM4/) = 89d5a9973b6eb853deb11386ebd92c2b8e78160c4fb5e1bda57710765781fcae != 7d53eccd03da37bf58c1962a8f0f708a5c5c447f6a7e9e26137c169d5bdd82e4
sha256(=\M^C\M-_7\^W,\M^A\M-/\M-P\M-^\^QQ9\M-{\M-t9\^L"\M-`\M^X\M-E\M-/LZ\M-4\M^E$\^FQ\^K\M-@\M-f\M-Ot\^Wi\M-tD0\M-E'\^O\M-Z\M-`\M-K\M^D\M^]q\M-K\M-+) = d2a6f5f88decbcd13175335b27e4b4a66034ce2a6a326b2b3ebcd2a183003afe != 99dc772e91ea02d9e421d552d61901016b9fd4ad2df4a8212c1ec5ba13893ab2
sha256(3\M-}\M^[\M-A~+'\^_\240Lk\M^S\M-@\M-=\M-j\M-i\M^FT\M-'h-1\M-Y\M-4\M-Z\M-7\M-f\M-s,\M-U\M^O/\^T\M^Jh\M-{\M-g\M-(\M^LZ\M-1\M-X\M^N\M-\\M-M\M-^\M-3\012\M-2\^^^) = dc454b541cb63a7fb74e864539573aef6d54659fbaa79e8d5409f7e94dc345c9 != cefdae1a3d75e792e8698d5e71f177cc761314e9ad5df9602c6e60ae65c4c267
sha256(w\M-(y\M-O\M-!\^]\^?\M-J\M-G\M-((,\M-C\M^JC\M-\\M-svC\M-L\M^P\M^X7!;\M-V\M-}\M^U\M-YV\M-2\^Y\M-!@l\M->s\M-E,\M-Ul`\^NU\M-7[\M-C~\M-&\M^VA\M-<) = 53d41bf02ba73fc6793d1fc8d6650a2ac9aab5fcce9ee0e9cc83d8bf3b3e92f3 != c99d64fa4dadd4bc8a389531c68b4590c6df0b9099c4d583bc00889fb7b98008
sha256(E\M-#\M-f\M-8e'\M-r\^KE7\M-u\M-/\M^V\M-O\M-E\M--\M^Gw\M-"\M-]\M-f\M-Ou\^Q\M^HlU\M^P\M-l\M-bO\M-F\^["g9\M-R\^G\M-Z\M-?\M-c+\M-&\M-o\M-Y\M^?L\M-U\M-[\^[\M-U\M-j\M-S) = e963f10959f522b60497540508e9be29457a0b36af9f5a2e432d81306e133a97 != 4d12a849047c6acd4b2eee6be35fa9051b02d21d50d419543008c1d82c427072
sha256(%6*K\M^]t\M-=\M-f\^R\M^LO\M-\g#\^E\M^P\011G\M-<:\M-Z\M^]\M^]1n\M-<\M-qfz\M-T61\M^I\M^SrQ\M-qI\M-G.\^FJH`\M^M\M^T\^Kut\M-1\^?\M-o\M-@\M-_) = e5a665e0724aa7a569ee542d248028b4536674bc347d35fb8d5d77ee4917a8e5 != f8e4ccab6c979229f6066cc0cb0cfa81bb21447c16c68773be7e558e9f9d798d
sha256(>\M-?\M-0m\M-8\M-C\M^M[\2407\M-q6>\^Q\M^EP\M-*\M-YF\^F\M-bh5\240\^Z\M-pPxS<\M-B_/9W<\^D\M-62\M-v/h\M-B\M^T\M-+1\M-r\M-#\M-b\M-!\240\M-X\M-B\M->Q) = 0f9c86d719a1c4d00ffe3502da23515afb656f42c55faed4bcab2ab9b59f237c != 6595a2ef537a69ba8583dfbf7f5bec0ab1f93ce4c8ee1916eff44a93af5749c4
sha256(-RD}\^RD\M-R\M-k\M-B\M^FP\M-g\M-0VT\M-:\M-S[:h\M-n\M-\\^?\M^E\^U0kImu\M-s\M-g3\M^E\M-]\^[\000&%\^BK\M^A\240//\M-V\M-_\M-{nmV\^\\M-7\M-P\M-=z) = 0aff75ac10714e390de12df78eeca2c273d8ae01f12ff8ae4221b858118e13a3 != cfb88d6faf2de3a69d36195acec2e255e2af2b7d933997f348e09f6ce5758360
sha256(L\M-,\M-d"\M-d\240\^U\M-'T\M^R\M-3\M-3\M-;\M-{\M-_7X\M-j\M^?O\M-e\^D\M-4j&\M-I\^M\M-,\M-A\^Y\M-z\M^PP\M-v\^C\M-R\M-5\M^K9\M^L\M--mm\M^_\M-)"\M-!T\M-Y\M-`\M-<C\M^I\M^V\M^Bt\M-0) = dc92884e4ef6a4832353f83cdf6a61b6b27e783beeb1f344c149a1e3e0268cb1 != 4d54b2d284a6794581224e08f675541c8feab6eefa3ac1cfe5da4e03e62f72e4
sha256(\M^F \M-8o\M-<\M-*\M-NO\M-s\M-B\M^R\^[\M^Df\M-]\M-W\M-:\M-J\M-`~\M-o\M-oi<\M-qwb\M-\\M-+\M-8\M^Z\M^D\^A\^O\M-I\240\M-{v\M-N\^\&Y:\M-V7\M-&\^RS\M-r$\M-Q\M-1J\^E\M--\M-\\M-J\M->) = b42c6d05afee45eeb689ea91787711e9d8a8746b423a12e47168dee897a2a9fe != dba490256c9720c54c612a5bd1ef573cd51dc12b3e7bd8c6db2eabe0aacb846b
sha256(\M-Q\M->?\^S\M-~\M-:\M-~\M-|\^TAM\M^_\M-7\M-v\M^S\M-[\^V\M-\\^Z\M-bp\M-E\M-6G\M-X\^M\M-(X5\M^G\M-A\M--\M^L\M-8\M-K\^A\M^BC$A\^\\M-%\M-,\M-c\M-J"\M-ay\M-$\M^?I\M^F\M-s\M-r\^Q\M^P\M-s\M-W\M-s) = c4f06bd6323b167a5a8e4d0d1a949a04beb50def4447ede64279bd958276fe09 != 02804978eba6e1de65afdbc6a6091ed6b1ecee51e8bff40646a251de6678b7ef
sha256(\M-t\M^Y\M-L?n<\M-w\M-C\^R\M^?\M-_\M-:a\M-1&\^L7\^R\M^\\^Z\M-{9\^PG\^Y3g\M-7\M-2\M-m\M-kW\M^RS\M-e\^]b\M-:m\M^Q\^^{\M^A\M^L\M-J\M-aU?aF\M-jx\^Ox\M-b!\M^_b\M^S\011) = 818cc7549cc86f380d2379042cf54e0caf23b9cf2efe3d9b0efc3620a57a1a48 != 0b66c8b4fefebc8dc7da0bbedc1114f228aa63c37d5c30e91ab500f3eadfcec5
sha256(m\M-V\M-o\M-V\M-v\M-J\M-&;r\M^Z\M-(\^Xn0\M^K\M-A\M-=\240c\^G\M-@Z,\012\M-e\M-#hNnF\^H\^Qt\M^F\M^P\M-\+XwYg\M-O\M-Ld_\M-X d\M-1'\M^_\M-\\M-'q\M^@=\M-9\M-\\240\M^?S) = 060f5c6bdc3aa911bf7bb218f0a53301ca5c2c9ac64fd6ed688b2e4418ed96ba != c464a7bf6d180de4f744bb2fe5dc27a3f681334ffd54a9814650e60260a478e3
sha256(e\^Q\M-"$-\M-['1x\M-a\M^Z\M^B\M-E|\M^E\M-K\^E\M-&\M^H\^?\M-r\^AL\M-q\M-#\^\\M-9\M-:]\M-qiZ\M--\M-2\134"\M-3\M-E\M-mQ\M-A\^M\^D}%k\M^N4B\M^D*\M-d\M-f\M-E%\M-x\M-W\M-%\M-)D\M-/*) = 832010ffde1eab6da0081003fc26335dc4bdf2ad53272123c139f5f774a171df != d6859c0b5a0b66376a24f56b2ab104286ed0078634ba19112ace0d6d60a9c1ae
sha256(\M-b\M-wn\M^W`j\M^G.1t9\M-q\240?\M-M\M^R\M-f2\M-e\M-=N|\M-<N\M^W\M-q\M-/\M-A\M^Z\^V\M-}\M-i-w\M-K\M-eFAkQd\^L\M-]\M-9*\M-y\M^VSM\M-}\M^A\M-m\M-1|D$\M-O\^Z\M-D\M-WZ\M-N\M-k) = 7d1f3e9e8cfd0c49c977b96322269b03e0d4937490584ef93212df06e746d94d != 18041bd4665083001fba8c5411d2d748e8abbfdcdfd9218cb02b68a78e7d4c23
sha256(Z\M^F\M-77\M-j\M-j\M^N\M-iv\240\M-"M\M-&>~\M-W\M-n\M-z\M-Q\M^J\^P\^\\^R\^Q\M-b\M-3e\^LQ\M^G\M-B\M-(\M-&PTr\^H%\^_mB7\M-fa\M-G\M-?Lw\M-s59\^C\M^T\M-C\^?\M-!\M-)\M-y\M->\M^Cj\M-B\M^E\011) = 5a0eedd423564cff1b24ce11859302f9e55154aad35fa73018e464b560b5033e != 42e61e174fbb3897d6dd6cef3dd2802fe67b331953b06114a65c772859dfc1aa
FAIL sha2-test (exit status: 1)

I've run the same tests and test-suite inside an Ubuntu 23.04 VM and container on my laptop, as well as on my openSUSE Leap 15.4 server (both on the host and in an Ubuntu container). It seems that on openSUSE Leap 15.4 the test suite passes but if you run in inside a Ubuntu 23.04 or openSUSE Tumbleweed container or VM it fails.

This error also shows up with the properly packaged libnbcompat on Tumbleweed (resulting in the packaged nmtree giving you bad sha256 digests). The incorrect hashes are the same on all the platforms I've tested.

---

I looked into this a bit deeper last night -- this code comes from Aaron Gifford and it seems that there was a sha256 hashing bug in version 1.0.0beta1 (which appears to be the version used by libnbcompat) but the description doesn't match the issue we have here:

1.0.0b1 to 1.0 RELEASE Fixed an off-by-one implementation bug that affected
SHA-256 when hashed data length L = 55 + 64 * X where X is either zero or a
positive integer, and another (basically the same bug) bug in SHA-384 and
SHA-512 that showed up when hashed data lengths L = 111 + 128 * X. Thanks to
Rogier van de Pol for sending me test data that revealed the bug. The fix was
very simple (just two tiny changes). Also, I finally put the files into RCS so
future changes will be easier to manage. The sha2prog.c file was rewritten to
be more useful to me, and I got rid of the old C testing program and now use a
perl script with a subdirectory full of test data. It's a more flexible test
system.

I was staring at diffs between the two codebases last night but nothing obvious stood out -- there were a few changes to some of the hashing code but nothing that looks like the "off by one" referenced in the changelog. It's possible the code in NetBSD was already updated with the fix and they didn't update the copyright header mentioning the version...

[cyphar]

It seems like this is related to the different GCC versions being used. Leap 15.4 has GCC 7, but Tumbleweed and Ubuntu 23.04 have newer versions. If you install all of the intermediate versions on your Leap machine (I did this in a container), you'll note that the tests start failing with GCC 11:

% for CC in gcc-{7..12}; do export CC; ./configure ; make clean check ; done

Interestingly, the following warnings are new from GCC 11 (but I don't think they're related, the two ways of expressing an "array" parameter in C are equivalent):

depbase=`echo sha2.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ./libtool  --tag=CC   --mode=compile gcc-11 -DHAVE_CONFIG_H -I.    -Wall  -g -O2 -MT sha2.lo -MD -MP -MF $depbase.Tpo -c -o sha2.lo sha2.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc-11 -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT sha2.lo -MD -MP -MF .deps/sha2.Tpo -c sha2.c  -fPIC -DPIC -o .libs/sha2.o
sha2.c:531:29: warning: argument 1 of type 'sha2_byte[]' {aka 'unsigned char[]'} with mismatched bound [-Warray-parameter=]
  531 | void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
      |                   ~~~~~~~~~~^~~~~~~~
In file included from sha2.c:42:
./nbcompat/sha2.h:86:19: note: previously declared as 'uint8_t[32]' {aka 'unsigned char[32]'}
   86 | void SHA256_Final(uint8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2.c:880:29: warning: argument 1 of type 'sha2_byte[]' {aka 'unsigned char[]'} with mismatched bound [-Warray-parameter=]
  880 | void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
      |                   ~~~~~~~~~~^~~~~~~~
In file included from sha2.c:42:
./nbcompat/sha2.h:114:19: note: previously declared as 'uint8_t[64]' {aka 'unsigned char[64]'}
  114 | void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2.c:923:29: warning: argument 1 of type 'sha2_byte[]' {aka 'unsigned char[]'} with mismatched bound [-Warray-parameter=]
  923 | void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
      |                   ~~~~~~~~~~^~~~~~~~
In file included from sha2.c:42:
./nbcompat/sha2.h:100:19: note: previously declared as 'uint8_t[48]' {aka 'unsigned char[48]'}
  100 | void SHA384_Final(uint8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libtool: compile:  gcc-11 -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT sha2.lo -MD -MP -MF .deps/sha2.Tpo -c sha2.c -o sha2.o >/dev/null 2>&1
depbase=`echo sha2hl.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ./libtool  --tag=CC   --mode=compile gcc-11 -DHAVE_CONFIG_H -I.    -Wall  -g -O2 -MT sha2hl.lo -MD -MP -MF $depbase.Tpo -c -o sha2hl.lo sha2hl.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc-11 -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT sha2hl.lo -MD -MP -MF .deps/sha2hl.Tpo -c sha2hl.c  -fPIC -DPIC -o .libs/sha2hl.o
sha2hl.c:97:34: warning: argument 2 of type 'char[]' with mismatched bound [-Warray-parameter=]
   97 | SHA256_End(SHA256_CTX *ctx, char buffer[])
      |                             ~~~~~^~~~~~~~
In file included from sha2hl.c:51:
./nbcompat/sha2.h:87:31: note: previously declared as 'char[65]'
   87 | char* SHA256_End(SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]);
      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2hl.c:157:35: warning: argument 2 of type 'char[]' with mismatched bound [-Warray-parameter=]
  157 | SHA384_End(SHA384_CTX * ctx, char buffer[])
      |                              ~~~~~^~~~~~~~
In file included from sha2hl.c:51:
./nbcompat/sha2.h:101:31: note: previously declared as 'char[97]'
  101 | char* SHA384_End(SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]);
      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2hl.c:217:35: warning: argument 2 of type 'char[]' with mismatched bound [-Warray-parameter=]
  217 | SHA512_End(SHA512_CTX * ctx, char buffer[])
      |                              ~~~~~^~~~~~~~
In file included from sha2hl.c:51:
./nbcompat/sha2.h:115:31: note: previously declared as 'char[129]'
  115 | char* SHA512_End(SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]);
      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2hl.c:243:53: warning: argument 3 of type 'char *' declared as a pointer [-Warray-parameter=]
  243 | SHA512_Data(const uint8_t * data, size_t len, char *digest)
      |                                               ~~~~~~^~~~~~
In file included from sha2hl.c:51:
./nbcompat/sha2.h:116:43: note: previously declared as an array 'char[129]'
  116 | char* SHA512_Data(const uint8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]);
      |                                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libtool: compile:  gcc-11 -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT sha2hl.lo -MD -MP -MF .deps/sha2hl.Tpo -c sha2hl.c -o sha2hl.o >/dev/null 2>&1

I also tried all the versions of clang available on Leap (clang 7, 9, 11, 13, and 15), and it seems that this is a GCC-specific issue. I guess this implies it's either some kind of compiler bug, or there is some undefined behaviour in the sha256 code that changes the behaviour on newer GCC versions.

[cyphar]

Building with -O0 and -O1 also causes the tests to pass with GCC >=11, while -O2 and higher (as well as -Os) fail. Seems like there's a bug that GCC is uncovering. I tried to look at the changes by compiling with -S and looking at the output but there are too many changes to find the precise issue -- but with -O0 the -S output is the same.

[archiecobbs]

Wow, if you actually found a compiler bug then you get a gold star!

Hmm. I was able to reproduce the problem at first using gcc-11, but somehow now I'm having this problem trying to even run the tests:

$ make check
/bin/sh ./libtool  --tag=CC   --mode=link /usr/bin/gcc-11 -Wall  -g -O2 -version-info 0:0:0  -o libnbcompat.la -rpath /usr/lib64  glob.lo md5c.lo md5hl.lo rmd160.lo rmd160hl.lo sha1.lo sha1hl.lo sha2.lo sha2hl.lo vis.lo unvis.lo fgetln.lo fparseln.lo lchflags.lo lchmod.lo setgroupent.lo setpassent.lo setprogname.lo shquote.lo strlcat.lo strlcpy.lo strmode.lo setmode.lo pwcache.lo 
libtool: link: /usr/bin/gcc-11 -shared  -fPIC -DPIC  .libs/glob.o .libs/md5c.o .libs/md5hl.o .libs/rmd160.o .libs/rmd160hl.o .libs/sha1.o .libs/sha1hl.o .libs/sha2.o .libs/sha2hl.o .libs/vis.o .libs/unvis.o .libs/fgetln.o .libs/fparseln.o .libs/lchflags.o .libs/lchmod.o .libs/setgroupent.o .libs/setpassent.o .libs/setprogname.o .libs/shquote.o .libs/strlcat.o .libs/strlcpy.o .libs/strmode.o .libs/setmode.o .libs/pwcache.o    -g -O2   -Wl,-soname -Wl,libnbcompat.so.0 -o .libs/libnbcompat.so.0.0.0
libtool: link: (cd ".libs" && rm -f "libnbcompat.so.0" && ln -s "libnbcompat.so.0.0.0" "libnbcompat.so.0")
libtool: link: (cd ".libs" && rm -f "libnbcompat.so" && ln -s "libnbcompat.so.0.0.0" "libnbcompat.so")
libtool: link: ar cru .libs/libnbcompat.a  glob.o md5c.o md5hl.o rmd160.o rmd160hl.o sha1.o sha1hl.o sha2.o sha2hl.o vis.o unvis.o fgetln.o fparseln.o lchflags.o lchmod.o setgroupent.o setpassent.o setprogname.o shquote.o strlcat.o strlcpy.o strmode.o setmode.o pwcache.o
libtool: link: ranlib .libs/libnbcompat.a
libtool: link: ( cd ".libs" && rm -f "libnbcompat.la" && ln -s "../libnbcompat.la" "libnbcompat.la" )
make: *** No rule to make target 'private/cavs2c.awk', needed by 'all-am'.  Stop.

The problem seems to go away when I revert this change:

diff --git a/Makefile.am b/Makefile.am
index aeab142..f29608f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -84,7 +84,7 @@ noinst_HEADERS=                       private/cclass.h \
                                private/test-helpers.h \
                                private/utils.h
 
-noinst_SOURCES = private/cavs2c.awk
+noinst_SCRIPTS = private/cavs2c.awk
 
 if WITH_DB
 

[cyphar]

Ah my bad, it's because it typo'd the actual filename in the version I checked in while locally I had two copies... git mv private/ca{,v}s2c.awk should fix the issue (I did this and re-ran the build with a completely fresh checkout and it appeared to work).

I've forwarded the issue to the SUSE compiler people to see if they have an idea of what might be going on...

[cyphar]

Ah, it seems the issue is with how context->buffer is being aliased. -fstrict-aliasing is enabled with -O2 and above, and with -fno-strict-aliasing the issue disappears AFAICS. The 32bit word casting is something that is considered undefined behaviour with -fstrict-aliasing.

[archiecobbs]

Using -fno-strict-aliasing does fix the problem for me. However, doesn't this just work around the actual bug? I.e., wouldn't a better fix be to identify the illegal aliasing and fix it? This seems to work for me:

diff --git a/sha2.c b/sha2.c
index bdcbd31..5aad3bd 100644
--- a/sha2.c
+++ b/sha2.c
@@ -567,7 +567,7 @@ void SHA256_Final(sha2_byte digest[SHA256_DIGEST_LENGTH], SHA256_CTX* context) {
 			*context->buffer = 0x80;
 		}
 		/* Set the bit count: */
-		*(sha2_word64*)(void *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
+		memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], &context->bitcount, sizeof(context->bitcount));
 
 		/* Final transform: */
 		SHA256_Transform(context, (sha2_word32*)(void *)context->buffer);
@@ -870,8 +870,8 @@ static void SHA512_Last(SHA512_CTX* context) {
 		*context->buffer = 0x80;
 	}
 	/* Store the length of input data (in bits): */
-	*(sha2_word64*)(void *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
-	*(sha2_word64*)(void *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
+	memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], &context->bitcount[1], sizeof(context->bitcount[1]));
+	memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8], &context->bitcount[0], sizeof(context->bitcount[0]));
 
 	/* Final transform: */
 	SHA512_Transform(context, (sha2_word64*)(void *)context->buffer);

[archiecobbs]

Should be fixed by that patch in 864c1cf. Reopen if you find otherwise.

Thanks for detecting and tracking this one down!