]>
Commit | Line | Data |
---|---|---|
e5462937 | 1 | /* sha256.c |
90112edb NM |
2 | |
3 | The sha256 hash function. | |
4 | See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf | |
5 | ||
6 | Copyright (C) 2001 Niels Möller | |
7 | ||
8 | This file is part of GNU Nettle. | |
9 | ||
10 | GNU Nettle is free software: you can redistribute it and/or | |
11 | modify it under the terms of either: | |
12 | ||
13 | * the GNU Lesser General Public License as published by the Free | |
14 | Software Foundation; either version 3 of the License, or (at your | |
15 | option) any later version. | |
16 | ||
17 | or | |
18 | ||
19 | * the GNU General Public License as published by the Free | |
20 | Software Foundation; either version 2 of the License, or (at your | |
21 | option) any later version. | |
22 | ||
23 | or both in parallel, as here. | |
24 | ||
25 | GNU Nettle is distributed in the hope that it will be useful, | |
26 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
27 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
28 | General Public License for more details. | |
29 | ||
30 | You should have received copies of the GNU General Public License and | |
31 | the GNU Lesser General Public License along with this program. If | |
32 | not, see http://www.gnu.org/licenses/. | |
33 | */ | |
9d103c65 NM |
34 | |
35 | /* Modelled after the sha1.c code by Peter Gutmann. */ | |
36 | ||
c5c15385 NM |
37 | #if HAVE_CONFIG_H |
38 | # include "config.h" | |
39 | #endif | |
9d103c65 NM |
40 | |
41 | #include <assert.h> | |
42 | #include <stdlib.h> | |
43 | #include <string.h> | |
44 | ||
111518dd | 45 | #include "sha2.h" |
da81c86a | 46 | #include "sha2-internal.h" |
c5c15385 NM |
47 | |
48 | #include "macros.h" | |
fad1bf50 | 49 | #include "md-internal.h" |
0f51b4d8 | 50 | #include "nettle-write.h" |
c5c15385 | 51 | |
9d103c65 NM |
52 | /* Generated by the shadata program. */ |
53 | static const uint32_t | |
54 | K[64] = | |
55 | { | |
56 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, | |
57 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | |
58 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | |
59 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | |
4b98efe1 | 60 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
9d103c65 NM |
61 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
62 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | |
4b98efe1 | 63 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
9d103c65 NM |
64 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
65 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | |
66 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | |
67 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | |
68 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | |
69 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | |
70 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | |
71 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, | |
72 | }; | |
73 | ||
fad1bf50 NM |
74 | void |
75 | sha256_compress(uint32_t *state, const uint8_t *input) | |
76 | { | |
77 | _nettle_sha256_compress_n(state, K, 1, input); | |
78 | } | |
79 | ||
8beda43f | 80 | #define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data))) |
2a3f11f9 | 81 | |
9d103c65 NM |
82 | /* Initialize the SHA values */ |
83 | ||
84 | void | |
85 | sha256_init(struct sha256_ctx *ctx) | |
86 | { | |
87 | /* Initial values, also generated by the shadata program. */ | |
88 | static const uint32_t H0[_SHA256_DIGEST_LENGTH] = | |
89 | { | |
90 | 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, | |
91 | 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, | |
92 | }; | |
93 | ||
94 | memcpy(ctx->state, H0, sizeof(H0)); | |
95 | ||
96 | /* Initialize bit count */ | |
cb83bd33 | 97 | ctx->count = 0; |
9d103c65 NM |
98 | |
99 | /* Initialize buffer */ | |
100 | ctx->index = 0; | |
101 | } | |
102 | ||
9d103c65 NM |
103 | void |
104 | sha256_update(struct sha256_ctx *ctx, | |
b8bfc32f | 105 | size_t length, const uint8_t *data) |
9d103c65 | 106 | { |
fad1bf50 | 107 | size_t blocks; |
99e62003 NM |
108 | if (!length) |
109 | return; | |
110 | ||
fad1bf50 NM |
111 | if (ctx->index > 0) |
112 | { | |
113 | /* Try to fill partial block */ | |
114 | MD_FILL_OR_RETURN (ctx, length, data); | |
115 | sha256_compress (ctx->state, ctx->block); | |
116 | ctx->count++; | |
117 | } | |
118 | ||
119 | blocks = length >> 6; | |
120 | data = _nettle_sha256_compress_n (ctx->state, K, blocks, data); | |
121 | ctx->count += blocks; | |
122 | length &= 63; | |
123 | ||
124 | memcpy (ctx->block, data, length); | |
125 | ctx->index = length; | |
9d103c65 NM |
126 | } |
127 | ||
2f43e1c8 | 128 | static void |
2a3f11f9 | 129 | sha256_write_digest(struct sha256_ctx *ctx, |
b8bfc32f | 130 | size_t length, |
2a3f11f9 | 131 | uint8_t *digest) |
9d103c65 | 132 | { |
cb83bd33 | 133 | uint64_t bit_count; |
057bf08c | 134 | |
2a3f11f9 | 135 | assert(length <= SHA256_DIGEST_SIZE); |
343b4bad | 136 | |
057bf08c NM |
137 | MD_PAD(ctx, 8, COMPRESS); |
138 | ||
139 | /* There are 512 = 2^9 bits in one block */ | |
cb83bd33 | 140 | bit_count = (ctx->count << 9) | (ctx->index << 3); |
057bf08c NM |
141 | |
142 | /* This is slightly inefficient, as the numbers are converted to | |
143 | big-endian format, and will be converted back by the compression | |
144 | function. It's probably not worth the effort to fix this. */ | |
d22bac82 | 145 | WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); |
8beda43f | 146 | sha256_compress(ctx->state, ctx->block); |
057bf08c | 147 | |
2a3f11f9 | 148 | _nettle_write_be32(length, digest, ctx->state); |
9d103c65 NM |
149 | } |
150 | ||
151 | void | |
2f43e1c8 | 152 | sha256_digest(struct sha256_ctx *ctx, |
b8bfc32f | 153 | size_t length, |
9d103c65 NM |
154 | uint8_t *digest) |
155 | { | |
2a3f11f9 | 156 | sha256_write_digest(ctx, length, digest); |
0f51b4d8 NM |
157 | sha256_init(ctx); |
158 | } | |
159 | ||
89755c91 | 160 | /* sha224 variant. */ |
0f51b4d8 NM |
161 | |
162 | void | |
163 | sha224_init(struct sha256_ctx *ctx) | |
164 | { | |
94d79445 | 165 | /* Initial values. Low 32 bits of the initial values for sha384. */ |
0f51b4d8 NM |
166 | static const uint32_t H0[_SHA256_DIGEST_LENGTH] = |
167 | { | |
168 | 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, | |
169 | 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4, | |
170 | }; | |
171 | ||
172 | memcpy(ctx->state, H0, sizeof(H0)); | |
173 | ||
174 | /* Initialize bit count */ | |
cb83bd33 | 175 | ctx->count = 0; |
2f43e1c8 | 176 | |
0f51b4d8 NM |
177 | /* Initialize buffer */ |
178 | ctx->index = 0; | |
179 | } | |
9d103c65 | 180 | |
0f51b4d8 NM |
181 | void |
182 | sha224_digest(struct sha256_ctx *ctx, | |
b8bfc32f | 183 | size_t length, |
0f51b4d8 NM |
184 | uint8_t *digest) |
185 | { | |
2a3f11f9 | 186 | sha256_write_digest(ctx, length, digest); |
0f51b4d8 | 187 | sha224_init(ctx); |
9d103c65 | 188 | } |