3 The sha512 hash function.
4 See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
6 Copyright (C) 2001, 2010 Niels Möller
7 Copyright (C) 2014 Joachim Strömbergson
9 This file is part of GNU Nettle.
11 GNU Nettle is free software: you can redistribute it and/or
12 modify it under the terms of either:
14 * the GNU Lesser General Public License as published by the Free
15 Software Foundation; either version 3 of the License, or (at your
16 option) any later version.
20 * the GNU General Public License as published by the Free
21 Software Foundation; either version 2 of the License, or (at your
22 option) any later version.
24 or both in parallel, as here.
26 GNU Nettle is distributed in the hope that it will be useful,
27 but WITHOUT ANY WARRANTY; without even the implied warranty of
28 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29 General Public License for more details.
31 You should have received copies of the GNU General Public License and
32 the GNU Lesser General Public License along with this program. If
33 not, see http://www.gnu.org/licenses/.
36 /* Modelled after the sha1.c code by Peter Gutmann. */
50 /* Generated by the gp script
55 root = prime(i)^(1/3);
56 fraction = root - floor(root);
57 print(floor(2^64 * fraction));
65 |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'
73 0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
74 0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
75 0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
76 0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
77 0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
78 0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
79 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
80 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
81 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
82 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
83 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
84 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
85 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
86 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
87 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
88 0x06CA6351E003826FULL,0x142929670A0E6E70ULL,
89 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
90 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
91 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
92 0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
93 0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
94 0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
95 0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
96 0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
97 0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
98 0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
99 0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
100 0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
101 0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
102 0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
103 0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
104 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
105 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
106 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
107 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL,
108 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
109 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
110 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
111 0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
112 0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
115 #define COMPRESS(ctx, data) (_nettle_sha512_compress((ctx)->state, (data), K))
118 sha512_init(struct sha512_ctx *ctx)
120 /* Initial values, generated by the gp script
123 root = prime(i)^(1/2);
124 fraction = root - floor(root);
125 print(floor(2^64 * fraction));
129 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
131 0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
132 0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
133 0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
134 0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
137 memcpy(ctx->state, H0, sizeof(H0));
139 /* Initialize bit count */
140 ctx->count_low = ctx->count_high = 0;
142 /* Initialize buffer */
147 sha512_update(struct sha512_ctx *ctx,
148 size_t length, const uint8_t *data)
150 MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
154 sha512_write_digest(struct sha512_ctx *ctx,
164 assert(length <= SHA512_DIGEST_SIZE);
166 MD_PAD(ctx, 16, COMPRESS);
168 /* There are 1024 = 2^10 bits in one block */
169 high = (ctx->count_high << 10) | (ctx->count_low >> 54);
170 low = (ctx->count_low << 10) | (ctx->index << 3);
172 /* This is slightly inefficient, as the numbers are converted to
173 big-endian format, and will be converted back by the compression
174 function. It's probably not worth the effort to fix this. */
175 WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
176 WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
177 COMPRESS(ctx, ctx->block);
180 leftover = length % 8;
182 for (i = 0; i < words; i++, digest += 8)
183 WRITE_UINT64(digest, ctx->state[i]);
187 /* Truncate to the right size */
188 uint64_t word = ctx->state[i] >> (8*(8 - leftover));
191 digest[--leftover] = word & 0xff;
198 sha512_digest(struct sha512_ctx *ctx,
202 assert(length <= SHA512_DIGEST_SIZE);
204 sha512_write_digest(ctx, length, digest);
208 /* sha384 variant. */
210 sha384_init(struct sha512_ctx *ctx)
212 /* Initial values, generated by the gp script
215 root = prime(i)^(1/2);
216 fraction = root - floor(root);
217 print(floor(2^64 * fraction));
221 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
223 0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
224 0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
225 0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
226 0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
229 memcpy(ctx->state, H0, sizeof(H0));
231 /* Initialize bit count */
232 ctx->count_low = ctx->count_high = 0;
234 /* Initialize buffer */
239 sha384_digest(struct sha512_ctx *ctx,
243 assert(length <= SHA384_DIGEST_SIZE);
245 sha512_write_digest(ctx, length, digest);
250 /* sha-512/224 variant. */
252 sha512_224_init(struct sha512_224_ctx *ctx)
254 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
256 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL,
257 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL,
258 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL,
259 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL,
262 memcpy(ctx->state, H0, sizeof(H0));
264 /* Initialize bit count */
265 ctx->count_low = ctx->count_high = 0;
267 /* Initialize buffer */
272 sha512_224_digest(struct sha512_224_ctx *ctx,
276 assert(length <= SHA224_DIGEST_SIZE);
278 sha512_write_digest(ctx, length, digest);
279 sha512_224_init(ctx);
283 /* sha-512/256 variant. */
285 sha512_256_init(struct sha512_256_ctx *ctx)
287 static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
289 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL,
290 0x2393b86b6f53b151ULL, 0x963877195940eabdULL,
291 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL,
292 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL,
295 memcpy(ctx->state, H0, sizeof(H0));
297 /* Initialize bit count */
298 ctx->count_low = ctx->count_high = 0;
300 /* Initialize buffer */
305 sha512_256_digest(struct sha512_256_ctx *ctx,
309 assert(length <= SHA256_DIGEST_SIZE);
311 sha512_write_digest(ctx, length, digest);
312 sha512_256_init(ctx);