3 The compression function of the sha256 hash function.
5 Copyright (C) 2001, 2010 Niels Möller
7 This file is part of GNU Nettle.
9 GNU Nettle is free software: you can redistribute it and/or
10 modify it under the terms of either:
12 * the GNU Lesser General Public License as published by the Free
13 Software Foundation; either version 3 of the License, or (at your
14 option) any later version.
18 * the GNU General Public License as published by the Free
19 Software Foundation; either version 2 of the License, or (at your
20 option) any later version.
22 or both in parallel, as here.
24 GNU Nettle is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27 General Public License for more details.
29 You should have received copies of the GNU General Public License and
30 the GNU Lesser General Public License along with this program. If
31 not, see http://www.gnu.org/licenses/.
39 # define SHA256_DEBUG 0
45 fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \
46 i, A, B, C, D ,E, F, G, H)
56 #include "sha2-internal.h"
60 /* A block, treated as a sequence of 32-bit words. */
61 #define SHA256_DATA_LENGTH 16
63 /* The SHA256 functions. The Choice function is the same as the SHA1
64 function f1, and the majority function is the same as the SHA1 f3
65 function. They can be optimized to save one boolean operation each
66 - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering
69 /* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
70 #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
71 /* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
72 #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
74 #define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x)))
75 #define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x)))
77 #define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3))
78 #define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10))
80 /* The initial expanding function. The hash function is defined over an
81 64-word expanded input array W, where the first 16 are copies of the input
82 data, and the remaining 64 are defined by
84 W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16]
86 This implementation generates these values on the fly in a circular
87 buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
92 ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
94 /* The prototype SHA sub-round. The fundamental sub-round is:
96 T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t]
97 T2 = S0(a) + Majority(a,b,c)
107 but this is implemented by unrolling the loop 8 times and renaming
109 ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each
112 /* It's crucial that DATA is only used once, as that argument will
113 * have side effects. */
114 #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
115 h += S1(e) + Choice(e,f,g) + k + data; \
117 h += S0(a) + Majority(a,b,c); \
121 #if HAVE_NATIVE_sha256_compress
123 _nettle_sha256_compress_c(uint32_t *state, const uint8_t *input, const uint32_t *k);
124 #define _nettle_sha256_compress _nettle_sha256_compress_c
128 _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k)
130 uint32_t data[SHA256_DATA_LENGTH];
131 uint32_t A, B, C, D, E, F, G, H; /* Local vars */
135 for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4)
137 data[i] = READ_UINT32(input);
140 /* Set up first buffer and local data buffer */
151 /* First 16 subrounds that act on the original data */
154 for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8)
156 ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i);
157 ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1);
158 ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
159 ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
160 ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
161 ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
162 ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6);
163 ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7);
166 for (; i<64; i += 16, k+= 16)
168 ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i);
169 ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1);
170 ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2);
171 ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3);
172 ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4);
173 ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5);
174 ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6);
175 ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7);
176 ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8);
177 ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9);
178 ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10);
179 ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11);
180 ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12);
181 ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13);
182 ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14);
183 ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15);
196 fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n",
197 state[0], state[1], state[2], state[3],
198 state[4], state[5], state[6], state[7]);