3 The sha512 hash function.
4 See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
6 Copyright (C) 2001, 2010 Niels Möller
7 Copyright (C) 2014 Joachim Strömbergson
9 This file is part of GNU Nettle.
11 GNU Nettle is free software: you can redistribute it and/or
12 modify it under the terms of either:
14 * the GNU Lesser General Public License as published by the Free
15 Software Foundation; either version 3 of the License, or (at your
16 option) any later version.
20 * the GNU General Public License as published by the Free
21 Software Foundation; either version 2 of the License, or (at your
22 option) any later version.
24 or both in parallel, as here.
26 GNU Nettle is distributed in the hope that it will be useful,
27 but WITHOUT ANY WARRANTY; without even the implied warranty of
28 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29 General Public License for more details.
31 You should have received copies of the GNU General Public License and
32 the GNU Lesser General Public License along with this program. If
33 not, see http://www.gnu.org/licenses/.
36 /* Modelled after the sha1.c code by Peter Gutmann. */
47 #include "sha2-internal.h"
51 /* Generated by the gp script
56 root = prime(i)^(1/3);
57 fraction = root - floor(root);
58 print(floor(2^64 * fraction));
66 |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'
74 0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
75 0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
76 0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
77 0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
78 0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
79 0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
80 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
81 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
82 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
83 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
84 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
85 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
86 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
87 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
88 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
89 0x06CA6351E003826FULL,0x142929670A0E6E70ULL,
90 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
91 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
92 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
93 0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
94 0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
95 0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
96 0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
97 0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
98 0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
99 0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
100 0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
101 0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
102 0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
103 0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
104 0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
105 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
106 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
107 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
108 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL,
109 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
110 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
111 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
112 0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
113 0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
116 #define COMPRESS(ctx, data) (_nettle_sha512_compress((ctx)->state, (data), K))
119 sha512_init(struct sha512_ctx *ctx)
121 /* Initial values, generated by the gp script
124 root = prime(i)^(1/2);
125 fraction = root - floor(root);
126 print(floor(2^64 * fraction));
130 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
132 0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
133 0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
134 0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
135 0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
138 memcpy(ctx->state, H0, sizeof(H0));
140 /* Initialize bit count */
141 ctx->count_low = ctx->count_high = 0;
143 /* Initialize buffer */
148 sha512_update(struct sha512_ctx *ctx,
149 size_t length, const uint8_t *data)
151 MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
155 sha512_write_digest(struct sha512_ctx *ctx,
165 assert(length <= SHA512_DIGEST_SIZE);
167 MD_PAD(ctx, 16, COMPRESS);
169 /* There are 1024 = 2^10 bits in one block */
170 high = (ctx->count_high << 10) | (ctx->count_low >> 54);
171 low = (ctx->count_low << 10) | (ctx->index << 3);
173 /* This is slightly inefficient, as the numbers are converted to
174 big-endian format, and will be converted back by the compression
175 function. It's probably not worth the effort to fix this. */
176 WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
177 WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
178 COMPRESS(ctx, ctx->block);
181 leftover = length % 8;
183 for (i = 0; i < words; i++, digest += 8)
184 WRITE_UINT64(digest, ctx->state[i]);
188 /* Truncate to the right size */
189 uint64_t word = ctx->state[i] >> (8*(8 - leftover));
192 digest[--leftover] = word & 0xff;
199 sha512_digest(struct sha512_ctx *ctx,
203 assert(length <= SHA512_DIGEST_SIZE);
205 sha512_write_digest(ctx, length, digest);
209 /* sha384 variant. */
211 sha384_init(struct sha512_ctx *ctx)
213 /* Initial values, generated by the gp script
216 root = prime(i)^(1/2);
217 fraction = root - floor(root);
218 print(floor(2^64 * fraction));
222 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
224 0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
225 0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
226 0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
227 0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
230 memcpy(ctx->state, H0, sizeof(H0));
232 /* Initialize bit count */
233 ctx->count_low = ctx->count_high = 0;
235 /* Initialize buffer */
240 sha384_digest(struct sha512_ctx *ctx,
244 assert(length <= SHA384_DIGEST_SIZE);
246 sha512_write_digest(ctx, length, digest);
251 /* sha-512/224 variant. */
253 sha512_224_init(struct sha512_224_ctx *ctx)
255 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
257 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL,
258 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL,
259 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL,
260 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL,
263 memcpy(ctx->state, H0, sizeof(H0));
265 /* Initialize bit count */
266 ctx->count_low = ctx->count_high = 0;
268 /* Initialize buffer */
273 sha512_224_digest(struct sha512_224_ctx *ctx,
277 assert(length <= SHA224_DIGEST_SIZE);
279 sha512_write_digest(ctx, length, digest);
280 sha512_224_init(ctx);
284 /* sha-512/256 variant. */
286 sha512_256_init(struct sha512_256_ctx *ctx)
288 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
290 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL,
291 0x2393b86b6f53b151ULL, 0x963877195940eabdULL,
292 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL,
293 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL,
296 memcpy(ctx->state, H0, sizeof(H0));
298 /* Initialize bit count */
299 ctx->count_low = ctx->count_high = 0;
301 /* Initialize buffer */
306 sha512_256_digest(struct sha512_256_ctx *ctx,
310 assert(length <= SHA256_DIGEST_SIZE);
312 sha512_write_digest(ctx, length, digest);
313 sha512_256_init(ctx);