3 * The sha256 hash function.
5 * See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
8 /* nettle, low-level cryptographics library
10 * Copyright (C) 2001 Niels Möller
12 * The nettle library is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Lesser General Public License as published by
14 * the Free Software Foundation; either version 2.1 of the License, or (at your
15 * option) any later version.
17 * The nettle library is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
20 * License for more details.
22 * You should have received a copy of the GNU Lesser General Public License
23 * along with the nettle library; see the file COPYING.LIB. If not, write to
24 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /* Modelled after the sha1.c code by Peter Gutmann. */
41 #include "nettle-write.h"
43 /* Generated by the shadata program. */
47 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
48 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
49 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
50 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
51 0xe49b69c1UL, 0xefbe4786UL, 0xfc19dc6UL, 0x240ca1ccUL,
52 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
53 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
54 0xc6e00bf3UL, 0xd5a79147UL, 0x6ca6351UL, 0x14292967UL,
55 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
56 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
57 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
58 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
59 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
60 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
61 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
62 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
65 /* Initialize the SHA values */
68 sha256_init(struct sha256_ctx *ctx)
70 /* Initial values, also generated by the shadata program. */
71 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
73 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
74 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
77 memcpy(ctx->state, H0, sizeof(H0));
79 /* Initialize bit count */
80 ctx->count_low = ctx->count_high = 0;
82 /* Initialize buffer */
86 #define SHA256_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low)
89 sha256_update(struct sha256_ctx *ctx,
90 unsigned length, const uint8_t *buffer)
93 { /* Try to fill partial block */
94 unsigned left = SHA256_DATA_SIZE - ctx->index;
97 memcpy(ctx->block + ctx->index, buffer, length);
99 return; /* Finished */
103 memcpy(ctx->block + ctx->index, buffer, left);
105 _nettle_sha256_compress(ctx->state, ctx->block, K);
112 while (length >= SHA256_DATA_SIZE)
114 _nettle_sha256_compress(ctx->state, buffer, K);
117 buffer += SHA256_DATA_SIZE;
118 length -= SHA256_DATA_SIZE;
120 /* Buffer leftovers */
121 /* NOTE: The corresponding sha1 code checks for the special case length == 0.
122 * That seems supoptimal, as I suspect it increases the number of branches. */
124 memcpy(ctx->block, buffer, length);
128 /* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
129 1 0* (64-bit count of bits processed, MSB-first) */
132 sha256_final(struct sha256_ctx *ctx)
134 uint32_t bitcount_high;
135 uint32_t bitcount_low;
140 /* Set the first char of padding to 0x80. This is safe since there is
141 always at least one byte free */
143 assert(i < SHA256_DATA_SIZE);
144 ctx->block[i++] = 0x80;
146 if (i > (SHA1_DATA_SIZE - 8))
147 { /* No room for length in this block. Process it and
148 * pad with another one */
149 memset(ctx->block + i, 0, SHA256_DATA_SIZE - i);
150 _nettle_sha256_compress(ctx->state, ctx->block, K);
155 if (i < (SHA256_DATA_SIZE - 8))
156 memset(ctx->block + i, 0, (SHA256_DATA_SIZE - 8) - i);
158 /* There are 512 = 2^9 bits in one block */
159 bitcount_high = (ctx->count_high << 9) | (ctx->count_low >> 23);
160 bitcount_low = (ctx->count_low << 9) | (ctx->index << 3);
162 /* This is slightly inefficient, as the numbers are converted to
163 big-endian format, and will be converted back by the compression
164 function. It's probably not worth the effort to fix this. */
165 WRITE_UINT32(ctx->block + (SHA256_DATA_SIZE - 8), bitcount_high);
166 WRITE_UINT32(ctx->block + (SHA256_DATA_SIZE - 4), bitcount_low);
168 _nettle_sha256_compress(ctx->state, ctx->block, K);
172 sha256_digest(struct sha256_ctx *ctx,
176 assert(length <= SHA256_DIGEST_SIZE);
179 _nettle_write_be32(length, digest, ctx->state);
183 /* sha224 variant. FIXME: Move to seperate file? */
186 sha224_init(struct sha256_ctx *ctx)
188 /* Initial values. I's unclear how they are chosen. */
189 static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
191 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
192 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
195 memcpy(ctx->state, H0, sizeof(H0));
197 /* Initialize bit count */
198 ctx->count_low = ctx->count_high = 0;
200 /* Initialize buffer */
205 sha224_digest(struct sha256_ctx *ctx,
209 assert(length <= SHA224_DIGEST_SIZE);
212 _nettle_write_be32(length, digest, ctx->state);