3 The sha256 hash function.
4 See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
6 Copyright (C) 2001 Niels Möller
8 This file is part of GNU Nettle.
10 GNU Nettle is free software: you can redistribute it and/or
11 modify it under the terms of either:
13 * the GNU Lesser General Public License as published by the Free
14 Software Foundation; either version 3 of the License, or (at your
15 option) any later version.
19 * the GNU General Public License as published by the Free
20 Software Foundation; either version 2 of the License, or (at your
21 option) any later version.
23 or both in parallel, as here.
25 GNU Nettle is distributed in the hope that it will be useful,
26 but WITHOUT ANY WARRANTY; without even the implied warranty of
27 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28 General Public License for more details.
30 You should have received copies of the GNU General Public License and
31 the GNU Lesser General Public License along with this program. If
32 not, see http://www.gnu.org/licenses/.
35 /* Modelled after the sha1.c code by Peter Gutmann. */
48 #include "nettle-write.h"
50 /* Generated by the shadata program. */
54 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
55 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
56 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
57 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
58 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
59 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
60 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
61 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
62 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
63 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
64 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
65 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
66 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
67 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
68 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
69 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
72 #define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K))
74 /* Initialize the SHA values */
77 sha256_init(struct sha256_ctx *ctx)
79 /* Initial values, also generated by the shadata program. */
80 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
82 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
83 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
86 memcpy(ctx->state, H0, sizeof(H0));
88 /* Initialize bit count */
91 /* Initialize buffer */
96 sha256_update(struct sha256_ctx *ctx,
97 size_t length, const uint8_t *data)
99 MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++);
103 sha256_write_digest(struct sha256_ctx *ctx,
109 assert(length <= SHA256_DIGEST_SIZE);
111 MD_PAD(ctx, 8, COMPRESS);
113 /* There are 512 = 2^9 bits in one block */
114 bit_count = (ctx->count << 9) | (ctx->index << 3);
116 /* This is slightly inefficient, as the numbers are converted to
117 big-endian format, and will be converted back by the compression
118 function. It's probably not worth the effort to fix this. */
119 WRITE_UINT64(ctx->block + (SHA256_DATA_SIZE - 8), bit_count);
120 COMPRESS(ctx, ctx->block);
122 _nettle_write_be32(length, digest, ctx->state);
126 sha256_digest(struct sha256_ctx *ctx,
130 sha256_write_digest(ctx, length, digest);
134 /* sha224 variant. */
137 sha224_init(struct sha256_ctx *ctx)
139 /* Initial values. Low 32 bits of the initial values for sha384. */
140 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
142 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
143 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
146 memcpy(ctx->state, H0, sizeof(H0));
148 /* Initialize bit count */
151 /* Initialize buffer */
156 sha224_digest(struct sha256_ctx *ctx,
160 sha256_write_digest(ctx, length, digest);