3 The sha256 hash function.
4 See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
6 Copyright (C) 2001 Niels Möller
8 This file is part of GNU Nettle.
10 GNU Nettle is free software: you can redistribute it and/or
11 modify it under the terms of either:
13 * the GNU Lesser General Public License as published by the Free
14 Software Foundation; either version 3 of the License, or (at your
15 option) any later version.
19 * the GNU General Public License as published by the Free
20 Software Foundation; either version 2 of the License, or (at your
21 option) any later version.
23 or both in parallel, as here.
25 GNU Nettle is distributed in the hope that it will be useful,
26 but WITHOUT ANY WARRANTY; without even the implied warranty of
27 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28 General Public License for more details.
30 You should have received copies of the GNU General Public License and
31 the GNU Lesser General Public License along with this program. If
32 not, see http://www.gnu.org/licenses/.
35 /* Modelled after the sha1.c code by Peter Gutmann. */
46 #include "sha2-internal.h"
49 #include "nettle-write.h"
51 /* Generated by the shadata program. */
55 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
56 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
57 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
58 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
59 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
60 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
61 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
62 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
63 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
64 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
65 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
66 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
67 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
68 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
69 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
70 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
73 #define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K))
75 /* Initialize the SHA values */
78 sha256_init(struct sha256_ctx *ctx)
80 /* Initial values, also generated by the shadata program. */
81 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
83 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
84 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
87 memcpy(ctx->state, H0, sizeof(H0));
89 /* Initialize bit count */
92 /* Initialize buffer */
97 sha256_update(struct sha256_ctx *ctx,
98 size_t length, const uint8_t *data)
100 MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++);
104 sha256_write_digest(struct sha256_ctx *ctx,
110 assert(length <= SHA256_DIGEST_SIZE);
112 MD_PAD(ctx, 8, COMPRESS);
114 /* There are 512 = 2^9 bits in one block */
115 bit_count = (ctx->count << 9) | (ctx->index << 3);
117 /* This is slightly inefficient, as the numbers are converted to
118 big-endian format, and will be converted back by the compression
119 function. It's probably not worth the effort to fix this. */
120 WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
121 COMPRESS(ctx, ctx->block);
123 _nettle_write_be32(length, digest, ctx->state);
127 sha256_digest(struct sha256_ctx *ctx,
131 sha256_write_digest(ctx, length, digest);
135 /* sha224 variant. */
138 sha224_init(struct sha256_ctx *ctx)
140 /* Initial values. Low 32 bits of the initial values for sha384. */
141 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
143 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
144 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
147 memcpy(ctx->state, H0, sizeof(H0));
149 /* Initialize bit count */
152 /* Initialize buffer */
157 sha224_digest(struct sha256_ctx *ctx,
161 sha256_write_digest(ctx, length, digest);