[thirdparty/nettle.git] / sha256.c

/* sha256.c

   The sha256 hash function.
   See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

   Copyright (C) 2001 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Modelled after the sha1.c code by Peter Gutmann. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <stdlib.h>
#include <string.h>

#include "sha2.h"
#include "sha2-internal.h"

#include "macros.h"
#include "md-internal.h"
#include "nettle-write.h"

/* Generated by the shadata program. */
static const uint32_t
K[64] =
{
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 
};

void
sha256_compress(uint32_t *state, const uint8_t *input)
{
  _nettle_sha256_compress_n(state, K, 1, input);
}

#define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data)))

/* Initialize the SHA values */

void
sha256_init(struct sha256_ctx *ctx)
{
  /* Initial values, also generated by the shadata program. */
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
  {
    0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 
    0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, 
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha256_update(struct sha256_ctx *ctx,
	      size_t length, const uint8_t *data)
{
  size_t blocks;
  if (!length)
    return;

  if (ctx->index > 0)
    {
      /* Try to fill partial block */
      MD_FILL_OR_RETURN (ctx, length, data);
      sha256_compress (ctx->state, ctx->block);
      ctx->count++;
    }

  blocks = length >> 6;
  data = _nettle_sha256_compress_n (ctx->state, K, blocks, data);
  ctx->count += blocks;
  length &= 63;

  memcpy (ctx->block, data, length);
  ctx->index = length;
}

static void
sha256_write_digest(struct sha256_ctx *ctx,
		    size_t length,
		    uint8_t *digest)
{
  uint64_t bit_count;

  assert(length <= SHA256_DIGEST_SIZE);

  MD_PAD(ctx, 8, COMPRESS);

  /* There are 512 = 2^9 bits in one block */  
  bit_count = (ctx->count << 9) | (ctx->index << 3);

  /* This is slightly inefficient, as the numbers are converted to
     big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
  WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
  sha256_compress(ctx->state, ctx->block);

  _nettle_write_be32(length, digest, ctx->state);
}

void
sha256_digest(struct sha256_ctx *ctx,
	      size_t length,
	      uint8_t *digest)
{
  sha256_write_digest(ctx, length, digest);
  sha256_init(ctx);
}

/* sha224 variant. */

void
sha224_init(struct sha256_ctx *ctx)
{
  /* Initial values. Low 32 bits of the initial values for sha384. */
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
  {
    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
    0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha224_digest(struct sha256_ctx *ctx,
	      size_t length,
	      uint8_t *digest)
{
  sha256_write_digest(ctx, length, digest);
  sha224_init(ctx);
}
Commit	Line	Data
e5462937	1	/* sha256.c
90112edb NM	2
	3	The sha256 hash function.
	4	See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
	5
	6	Copyright (C) 2001 Niels Möller
	7
	8	This file is part of GNU Nettle.
	9
	10	GNU Nettle is free software: you can redistribute it and/or
	11	modify it under the terms of either:
	12
	13	* the GNU Lesser General Public License as published by the Free
	14	Software Foundation; either version 3 of the License, or (at your
	15	option) any later version.
	16
	17	or
	18
	19	* the GNU General Public License as published by the Free
	20	Software Foundation; either version 2 of the License, or (at your
	21	option) any later version.
	22
	23	or both in parallel, as here.
	24
	25	GNU Nettle is distributed in the hope that it will be useful,
	26	but WITHOUT ANY WARRANTY; without even the implied warranty of
	27	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	28	General Public License for more details.
	29
	30	You should have received copies of the GNU General Public License and
	31	the GNU Lesser General Public License along with this program. If
	32	not, see http://www.gnu.org/licenses/.
	33	*/
9d103c65 NM	34
	35	/* Modelled after the sha1.c code by Peter Gutmann. */
	36
c5c15385 NM	37	#if HAVE_CONFIG_H
	38	# include "config.h"
	39	#endif
9d103c65 NM	40
	41	#include <assert.h>
	42	#include <stdlib.h>
	43	#include <string.h>
	44
111518dd	45	#include "sha2.h"
da81c86a	46	#include "sha2-internal.h"
c5c15385 NM	47
c5c15385 NM	48	#include "macros.h"
fad1bf50	49	#include "md-internal.h"
0f51b4d8	50	#include "nettle-write.h"
c5c15385	51
9d103c65 NM	52	/* Generated by the shadata program. */
	53	static const uint32_t
	54	K[64] =
	55	{
	56	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
	57	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
	58	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
	59	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
4b98efe1	60	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
9d103c65 NM	61	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
9d103c65 NM	62	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
4b98efe1	63	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
9d103c65 NM	64	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
	65	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
	66	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
	67	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
	68	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
	69	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
	70	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
	71	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
	72	};
	73
fad1bf50 NM	74	void
	75	sha256_compress(uint32_t state, const uint8_t input)
	76	{
	77	_nettle_sha256_compress_n(state, K, 1, input);
	78	}
	79
8beda43f	80	#define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data)))
2a3f11f9	81
9d103c65 NM	82	/* Initialize the SHA values */
	83
	84	void
	85	sha256_init(struct sha256_ctx *ctx)
	86	{
	87	/* Initial values, also generated by the shadata program. */
	88	static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
	89	{
	90	0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
	91	0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
	92	};
	93
	94	memcpy(ctx->state, H0, sizeof(H0));
	95
	96	/* Initialize bit count */
cb83bd33	97	ctx->count = 0;
9d103c65 NM	98
	99	/* Initialize buffer */
	100	ctx->index = 0;
	101	}
	102
9d103c65 NM	103	void
9d103c65 NM	104	sha256_update(struct sha256_ctx *ctx,
b8bfc32f	105	size_t length, const uint8_t *data)
9d103c65	106	{
fad1bf50	107	size_t blocks;
99e62003 NM	108	if (!length)
	109	return;
	110
fad1bf50 NM	111	if (ctx->index > 0)
	112	{
	113	/* Try to fill partial block */
	114	MD_FILL_OR_RETURN (ctx, length, data);
	115	sha256_compress (ctx->state, ctx->block);
	116	ctx->count++;
	117	}
	118
	119	blocks = length >> 6;
	120	data = _nettle_sha256_compress_n (ctx->state, K, blocks, data);
	121	ctx->count += blocks;
	122	length &= 63;
	123
	124	memcpy (ctx->block, data, length);
	125	ctx->index = length;
9d103c65 NM	126	}
9d103c65 NM	127
2f43e1c8	128	static void
2a3f11f9	129	sha256_write_digest(struct sha256_ctx *ctx,
b8bfc32f	130	size_t length,
2a3f11f9	131	uint8_t *digest)
9d103c65	132	{
cb83bd33	133	uint64_t bit_count;
057bf08c	134
2a3f11f9	135	assert(length <= SHA256_DIGEST_SIZE);
343b4bad	136
057bf08c NM	137	MD_PAD(ctx, 8, COMPRESS);
	138
	139	/* There are 512 = 2^9 bits in one block */
cb83bd33	140	bit_count = (ctx->count << 9) \| (ctx->index << 3);
057bf08c NM	141
	142	/* This is slightly inefficient, as the numbers are converted to
	143	big-endian format, and will be converted back by the compression
	144	function. It's probably not worth the effort to fix this. */
d22bac82	145	WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
8beda43f	146	sha256_compress(ctx->state, ctx->block);
057bf08c	147
2a3f11f9	148	_nettle_write_be32(length, digest, ctx->state);
9d103c65 NM	149	}
	150
	151	void
2f43e1c8	152	sha256_digest(struct sha256_ctx *ctx,
b8bfc32f	153	size_t length,
9d103c65 NM	154	uint8_t *digest)
9d103c65 NM	155	{
2a3f11f9	156	sha256_write_digest(ctx, length, digest);
0f51b4d8 NM	157	sha256_init(ctx);
	158	}
	159
89755c91	160	/* sha224 variant. */
0f51b4d8 NM	161
	162	void
	163	sha224_init(struct sha256_ctx *ctx)
	164	{
94d79445	165	/* Initial values. Low 32 bits of the initial values for sha384. */
0f51b4d8 NM	166	static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
	167	{
	168	0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
	169	0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
	170	};
	171
	172	memcpy(ctx->state, H0, sizeof(H0));
	173
	174	/* Initialize bit count */
cb83bd33	175	ctx->count = 0;
2f43e1c8	176
0f51b4d8 NM	177	/* Initialize buffer */
	178	ctx->index = 0;
	179	}
9d103c65	180
0f51b4d8 NM	181	void
0f51b4d8 NM	182	sha224_digest(struct sha256_ctx *ctx,
b8bfc32f	183	size_t length,
0f51b4d8 NM	184	uint8_t *digest)
0f51b4d8 NM	185	{
2a3f11f9	186	sha256_write_digest(ctx, length, digest);
0f51b4d8	187	sha224_init(ctx);
9d103c65	188	}