nettle.texinfo

\input texinfo          @c -*-texinfo-*-
@c %**start of header
@setfilename nettle.info
@settitle Nettle: a low-level cryptographic library
@documentencoding UTF-8
@footnotestyle separate
@syncodeindex fn cp
@c %**end of header

@set UPDATED-FOR 3.2
@set AUTHOR Niels Möller

@copying
This manual is for the Nettle library (version @value{UPDATED-FOR}), a
low-level cryptographic library.

Originally written 2001 by @value{AUTHOR}, updated 2015.

@quotation
This manual is placed in the public domain. You may freely copy it, in
whole or in part, with or without modification. Attribution is
appreciated, but not required.
@end quotation
@end copying

@ifnottex
@macro pmod {m} 
(mod \m\)
@end macro
@end ifnottex

@titlepage
@title Nettle Manual
@subtitle For the Nettle Library version @value{UPDATED-FOR}
@author @value{AUTHOR}
@page
@vskip 0pt plus 1filll
@insertcopying
@end titlepage

@dircategory Encryption
@direntry
* Nettle: (nettle).             A low-level cryptographic library.
@end direntry

@contents

@ifnottex
@node     Top, Introduction, (dir), (dir)
@comment  node-name,  next,  previous,  up
@top Nettle

This document describes the Nettle low-level cryptographic library. You
can use the library directly from your C programs, or write or use an
object-oriented wrapper for your favorite language or application.

@insertcopying

@menu
* Introduction::                What is Nettle?
* Copyright::                   Your rights.
* Conventions::                 General interface conventions.
* Example::                     An example program.
* Linking::                     Linking with libnettle and libhogweed.
* Reference::                   All Nettle functions and features.
* Nettle soup::                 For the serious nettle hacker.
* Installation::                How to install Nettle.
* Index::                       Function and concept index.

@detailmenu
 --- The Detailed Node Listing ---

Reference

* Hash functions::              
* Cipher functions::            
* Cipher modes::                
* Keyed hash functions::        
* Key derivation functions::    
* Public-key algorithms::       
* Randomness::                  
* ASCII encoding::              
* Miscellaneous functions::     
* Compatibility functions::     

Hash functions

* Recommended hash functions::
* Legacy hash functions::
* nettle_hash abstraction::

Cipher modes

* CBC::                         
* CTR::                         
* GCM::                         
* CCM::                         

Keyed Hash Functions

* HMAC::
* UMAC::

Public-key algorithms

* RSA::                         The RSA public key algorithm.
* DSA::                         The DSA digital signature algorithm.
* Elliptic curves::             Elliptic curves and ECDSA

@end detailmenu
@end menu

@end ifnottex

@node Introduction, Copyright, Top, Top
@comment  node-name,  next,  previous,  up
@chapter Introduction

Nettle is a cryptographic library that is designed to fit easily in more
or less any context: In crypto toolkits for object-oriented languages
(C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in
kernel space. In most contexts, you need more than the basic
cryptographic algorithms, you also need some way to keep track of available
algorithms, their properties and variants. You often have some algorithm
selection process, often dictated by a protocol you want to implement.

And as the requirements of applications differ in subtle and not so
subtle ways, an API that fits one application well can be a pain to use
in a different context. And that is why there are so many different
cryptographic libraries around.

Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a @emph{simple} but general interface to it.
In particular, Nettle doesn't do algorithm selection. It doesn't do
memory allocation. It doesn't do any I/O.

The idea is that one can build several application and context specific
interfaces on top of Nettle, and share the code, test cases, benchmarks,
documentation, etc. Examples are the Nettle module for the Pike
language, and LSH, which both use an object-oriented abstraction on top
of the library.

This manual explains how to use the Nettle library. It also tries to
provide some background on the cryptography, and advice on how to best
put it to use.

@node Copyright, Conventions, Introduction, Top
@comment  node-name,  next,  previous,  up
@chapter Copyright

Nettle is dual licenced under the GNU General Public License version 2
or later, and the GNU Lesser General Public License version 3 or later.
When using Nettle, you must comply fully with all conditions of at least
one of these licenses. A few of the individual files are licensed under
more permissive terms, or in the public domain. To find the current
status of particular files, you have to read the copyright notices at
the top of the files.

This manual is in the public domain. You may freely copy it in whole or
in part, e.g., into documentation of programs that build on Nettle.
Attribution, as well as contribution of improvements to the text, is of
course appreciated, but it is not required.

A list of the supported algorithms, their origins, and exceptions to the
above licensing:

@table @emph
@item AES
The implementation of the AES cipher (also known as rijndael) is written
by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and
@value{AUTHOR}, Sparc assembler by @value{AUTHOR}.

@item ARCFOUR
The implementation of the ARCFOUR (also known as RC4) cipher is written
by @value{AUTHOR}.

@item ARCTWO
The implementation of the ARCTWO (also known as RC2) cipher is written
by Nikos Mavroyanopoulos and modified by Werner Koch and Simon
Josefsson.

@item BLOWFISH
The implementation of the BLOWFISH cipher is written by Werner Koch,
copyright owned by the Free Software Foundation. Also hacked by Simon
Josefsson and Niels Möller.

@item CAMELLIA
The C implementation is by Nippon Telegraph and Telephone Corporation
(NTT), heavily modified by @value{AUTHOR}. Assembler for x86 and x86_64
by @value{AUTHOR}.

@item CAST128
The implementation of the CAST128 cipher is written by Steve Reid.
Released into the public domain.

@item CHACHA
Implemented by Joachim Strömbergson, based on the implementation of
SALSA20 (see below). Assembly for x86_64 by Niels Möller.

@item DES
The implementation of the DES cipher is written by Dana L. How, and
released under the LGPL, version 2 or later.

@item GOSTHASH94
The C implementation of the GOST94 message digest is written by 
Aleksey Kravchenko and was ported from the rhash library by Nikos
Mavrogiannopoulos. It is released under the MIT license.

@item MD2
The implementation of MD2 is written by Andrew Kuchling, and hacked
some by Andreas Sigfridsson and @value{AUTHOR}. Python Cryptography
Toolkit license (essentially public domain).

@item MD4
This is almost the same code as for MD5 below, with modifications by
Marcus Comstedt. Released into the public domain.

@item MD5
The implementation of the MD5 message digest is written by Colin Plumb.
It has been hacked some more by Andrew Kuchling and @value{AUTHOR}.
Released into the public domain.

@item PBKDF2
The C implementation of PBKDF2 is based on earlier work for Shishi and
GnuTLS by Simon Josefsson.

@item RIPEMD160
The implementation of RIPEMD160 message digest is based on the code in
libgcrypt, copyright owned by the Free Software Foundation. Ported to
Nettle by Andres Mejia.

@item SALSA20
The C implementation of SALSA20 is based on D. J. Bernstein's reference
implementation (in the public domain), adapted to Nettle by Simon
Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and
ARM by Niels Möller.

@item SERPENT
The implementation of the SERPENT cipher is based on the code in libgcrypt,
copyright owned by the Free Software Foundation. Adapted to Nettle by
Simon Josefsson and heavily modified by Niels Möller. Assembly for
x86_64 by Niels Möller.

@item POLY1305
Based on the implementation by Andrew M. (floodyberry), modified by
Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels
Möller.

@item SHA1
The C implementation of the SHA1 message digest is written by Peter
Gutmann, and hacked some more by Andrew Kuchling and @value{AUTHOR}.
Released into the public domain. Assembler for x86, x86_64 and ARM by
@value{AUTHOR}, released under the LGPL.

@item SHA2
Written by @value{AUTHOR}, using Peter Gutmann's SHA1 code as a model. 

@item SHA3
Written by @value{AUTHOR}.

@item TWOFISH
The implementation of the TWOFISH cipher is written by Ruud de Rooij.

@item UMAC
Written by @value{AUTHOR}.

@item RSA
Written by @value{AUTHOR}. Uses the GMP library for bignum operations.

@item DSA
Written by @value{AUTHOR}. Uses the GMP library for bignum operations.

@item ECDSA
Written by @value{AUTHOR}. Uses the GMP library for bignum operations.
Development of Nettle's ECC support was funded by the .SE Internet Fund.
@end table

@node Conventions, Example, Copyright, Top
@comment  node-name,  next,  previous,  up
@chapter Conventions

For each supported algorithm, there is an include file that defines a
@emph{context struct}, a few constants, and declares functions for
operating on the context. The context struct encapsulates all information
needed by the algorithm, and it can be copied or moved in memory with no
unexpected effects.

For consistency, functions for different algorithms are very similar,
but there are some differences, for instance reflecting if the key setup
or encryption function differ for encryption and decryption, and whether
or not key setup can fail. There are also differences between algorithms
that don't show in function prototypes, but which the application must
nevertheless be aware of. There is no big difference between the
functions for stream ciphers and for block ciphers, although they should
be used quite differently by the application.

If your application uses more than one algorithm of the same type, you
should probably create an interface that is tailor-made for your needs,
and then write a few lines of glue code on top of Nettle.

By convention, for an algorithm named @code{foo}, the struct tag for the
context struct is @code{foo_ctx}, constants and functions uses prefixes
like @code{FOO_BLOCK_SIZE} (a constant) and @code{foo_set_key} (a
function).

In all functions, strings are represented with an explicit length, of
type @code{size_t}, and a pointer of type @code{uint8_t *} or
@code{const uint8_t *}. For functions that transform one string to
another, the argument order is length, destination pointer and source
pointer. Source and destination areas are usually of the same length.
When they differ, e.g., for @code{ccm_encrypt_message}, the length
argument specifies the size of the destination area. Source and
destination pointers may be equal, so that you can process strings in
place, but source and destination areas @emph{must not} overlap in any
other way.

Many of the functions lack return value and can never fail. Those
functions which can fail, return one on success and zero on failure.

@c FIXME: Say something about the name mangling.

@node Example, Linking, Conventions, Top
@comment  node-name,  next,  previous,  up
@chapter Example

A simple example program that reads a file from standard input and
writes its SHA1 check-sum on standard output should give the flavor of
Nettle.

@example
@verbatiminclude sha-example.c
@end example

On a typical Unix system, this program can be compiled and linked with
the command line 
@example
gcc sha-example.c -o sha-example -lnettle
@end example

@node Linking, Reference, Example, Top
@comment  node-name,  next,  previous,  up
@chapter Linking

Nettle actually consists of two libraries, @file{libnettle} and
@file{libhogweed}. The @file{libhogweed} library contains those
functions of Nettle that uses bignum operations, and depends on the GMP
library. With this division, linking works the same for both static and
dynamic libraries.

If an application uses only the symmetric crypto algorithms of Nettle
(i.e., block ciphers, hash functions, and the like), it's sufficient to
link with @code{-lnettle}. If an application also uses public-key
algorithms, the recommended linker flags are @code{-lhogweed -lnettle
-lgmp}. If the involved libraries are installed as dynamic libraries, it
may be sufficient to link with just @code{-lhogweed}, and the loader
will resolve the dependencies automatically.

@node Reference, Nettle soup, Linking, Top
@comment  node-name,  next,  previous,  up
@chapter Reference

This chapter describes all the Nettle functions, grouped by family.

@menu
* Hash functions::              
* Cipher functions::            
* Cipher modes::                
* Authenticated encryption::
* Keyed hash functions::        
* Key derivation functions::    
* Public-key algorithms::       
* Randomness::                  
* ASCII encoding::              
* Miscellaneous functions::     
* Compatibility functions::     
@end menu

@node Hash functions, Cipher functions, Reference, Reference
@comment  node-name,  next,  previous,  up

@section Hash functions
@cindex Hash function
A cryptographic @dfn{hash function} is a function that takes variable
size strings, and maps them to strings of fixed, short, length. There
are naturally lots of collisions, as there are more possible 1MB files
than 20 byte strings. But the function is constructed such that is hard
to find the collisions. More precisely, a cryptographic hash function
@code{H} should have the following properties:

@table @emph

@item One-way
@cindex One-way
Given a hash value @code{H(x)} it is hard to find a string @code{x}
that hashes to that value.

@item Collision-resistant
@cindex Collision-resistant
It is hard to find two different strings, @code{x} and @code{y}, such
that @code{H(x)} = @code{H(y)}.

@end table

Hash functions are useful as building blocks for digital signatures,
message authentication codes, pseudo random generators, association of
unique ids to documents, and many other things.

The most commonly used hash functions are MD5 and SHA1. Unfortunately,
both these fail the collision-resistance requirement; cryptologists have
found ways to construct colliding inputs. The recommended hash functions
for new applications are SHA2 (with main variants SHA256 and SHA512). At
the time of this writing (Autumn 2015), SHA3 has recently been
standardized, and the new SHA3 and other top SHA3 candidates may also be
reasonable alternatives.

@menu
* Recommended hash functions::
* Legacy hash functions::
* nettle_hash abstraction::
@end menu

@node Recommended hash functions, Legacy hash functions,, Hash functions
@comment  node-name,  next,  previous,  up
@subsection Recommended hash functions

The following hash functions have no known weaknesses, and are suitable
for new applications. The SHA2 family of hash functions were specified
by @dfn{NIST}, intended as a replacement for @acronym{SHA1}.

@subsubsection @acronym{SHA256}

SHA256 is a member of the SHA2 family. It outputs hash values of 256
bits, or 32 octets. Nettle defines SHA256 in @file{<nettle/sha2.h>}.

@deftp {Context struct} {struct sha256_ctx}
@end deftp

@defvr Constant SHA256_DIGEST_SIZE
The size of a SHA256 digest, i.e. 32.
@end defvr

@defvr Constant SHA256_BLOCK_SIZE
The internal block size of SHA256. Useful for some special constructions,
in particular HMAC-SHA256.
@end defvr

@deftypefun void sha256_init (struct sha256_ctx *@var{ctx})
Initialize the SHA256 state.
@end deftypefun

@deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA256_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{sha256_init}.
@end deftypefun

Earlier versions of nettle defined SHA256 in the header file
@file{<nettle/sha.h>}, which is now deprecated, but kept for
compatibility.

@subsubsection @acronym{SHA224}

SHA224 is a variant of SHA256, with a different initial state, and with
the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in
@file{<nettle/sha2.h>} (and in @file{<nettle/sha.h>}, for backwards
compatibility).

@deftp {Context struct} {struct sha224_ctx}
@end deftp

@defvr Constant SHA224_DIGEST_SIZE
The size of a SHA224 digest, i.e. 28.
@end defvr

@defvr Constant SHA224_BLOCK_SIZE
The internal block size of SHA224. Useful for some special constructions,
in particular HMAC-SHA224.
@end defvr

@deftypefun void sha224_init (struct sha224_ctx *@var{ctx})
Initialize the SHA224 state.
@end deftypefun

@deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA224_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{sha224_init}.
@end deftypefun

@subsubsection @acronym{SHA512}

SHA512 is a larger sibling to SHA256, with a very similar structure but
with both the output and the internal variables of twice the size. The
internal variables are 64 bits rather than 32, making it significantly
slower on 32-bit computers. It outputs hash values of 512 bits, or 64
octets. Nettle defines SHA512 in @file{<nettle/sha2.h>} (and in
@file{<nettle/sha.h>}, for backwards compatibility).

@deftp {Context struct} {struct sha512_ctx}
@end deftp

@defvr Constant SHA512_DIGEST_SIZE
The size of a SHA512 digest, i.e. 64.
@end defvr

@defvr Constant SHA512_BLOCK_SIZE
The internal block size of SHA512, 128. Useful for some special
constructions, in particular HMAC-SHA512.
@end defvr

@deftypefun void sha512_init (struct sha512_ctx *@var{ctx})
Initialize the SHA512 state.
@end deftypefun

@deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA512_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{sha512_init}.
@end deftypefun

@subsubsection @acronym{SHA384 and other variants of SHA512}

Several variants of SHA512 have been defined, with a different initial
state, and with the output truncated to shorter length than 512 bits.
Naming is a bit confused, these algorithms are called SHA512-224,
SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits,
respectively. Nettle defines these in @file{<nettle/sha2.h>} (and in
@file{<nettle/sha.h>}, for backwards compatibility).

@deftp {Context struct} {struct sha512_224_ctx}
@deftpx {Context struct} {struct sha512_256_ctx}
@deftpx {Context struct} {struct sha384_ctx}
These context structs are all the same as sha512_ctx. They are defined as
simple preprocessor aliases, which may cause some problems if used as
identifiers for other purposes. So avoid doing that.
@end deftp

@defvr Constant SHA512_224_DIGEST_SIZE
@defvrx Constant SHA512_256_DIGEST_SIZE
@defvrx Constant SHA384_DIGEST_SIZE
The digest size for each variant, i.e., 28, 32, and 48, respectively.
@end defvr

@defvr Constant SHA512_224_BLOCK_SIZE
@defvrx Constant SHA512_256_BLOCK_SIZE
@defvrx Constant SHA384_BLOCK_SIZE
The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for
some special constructions, in particular HMAC-SHA384.
@end defvr

@deftypefun void sha512_224_init (struct sha512_224_ctx *@var{ctx})
@deftypefunx void sha512_256_init (struct sha512_256_ctx *@var{ctx})
@deftypefunx void sha384_init (struct sha384_ctx *@var{ctx})
Initialize the context struct.
@end deftypefun

@deftypefun void sha512_224_update (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
@deftypefunx void sha512_256_update (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
@deftypefunx void sha384_update (struct sha384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data. These are all aliases for sha512_update, which does
the same thing.
@end deftypefun

@deftypefun void sha512_224_digest (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
@deftypefunx void sha512_256_digest (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
@deftypefunx void sha384_digest (struct sha384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it to
@var{digest}. @var{length} may be smaller than the specified digest
size, in which case only the first @var{length} octets of the digest are
written.

These function also reset the context in the same way as the
corresponding init function.
@end deftypefun

@subsubsection @acronym{SHA3-224}
@cindex SHA3

The SHA3 hash functions were specified by NIST in response to weaknesses
in SHA1, and doubts about SHA2 hash functions which structurally are
very similar to SHA1. SHA3 is a result of a competition, where the
winner, also known as Keccak, was designed by Guido Bertoni, Joan
Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very
different from all widely used earlier hash functions. Like SHA2, there
are several variants, with output sizes of 224, 256, 384 and 512 bits
(28, 32, 48 and 64 octets, respectively). In August 2015, it was
formally standardized by NIST, as FIPS 202,
@uref{http://dx.doi.org/10.6028/NIST.FIPS.202}.

Note that the SHA3 implementation in earlier versions of Nettle was
based on the specification at the time Keccak was announced as the
winner of the competition, which is incompatible with the final standard
and hence with current versions of Nettle. The @file{nette/sha3.h}
defines a preprocessor symbol @code{NETTLE_SHA3_FIPS202} to indicate
conformance with the standard.

@defvr Constant NETTLE_SHA3_FIPS202
Defined to 1 in Nettle versions supporting FIPS 202. Undefined in
earlier versions.
@end defvr

Nettle defines SHA3-224 in @file{<nettle/sha3.h>}.

@deftp {Context struct} {struct sha3_224_ctx}
@end deftp

@defvr Constant SHA3_224_DIGEST_SIZE
The size of a SHA3_224 digest, i.e., 28.
@end defvr

@defvr Constant SHA3_224_BLOCK_SIZE
The internal block size of SHA3_224.
@end defvr

@deftypefun void sha3_224_init (struct sha3_224_ctx *@var{ctx})
Initialize the SHA3-224 state.
@end deftypefun

@deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA3_224_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context.
@end deftypefun

@subsubsection @acronym{SHA3-256}

This is SHA3 with 256-bit output size, and possibly the most useful
of the SHA3 hash functions.

Nettle defines SHA3-256 in @file{<nettle/sha3.h>}.

@deftp {Context struct} {struct sha3_256_ctx}
@end deftp

@defvr Constant SHA3_256_DIGEST_SIZE
The size of a SHA3_256 digest, i.e., 32.
@end defvr

@defvr Constant SHA3_256_BLOCK_SIZE
The internal block size of SHA3_256.
@end defvr

@deftypefun void sha3_256_init (struct sha3_256_ctx *@var{ctx})
Initialize the SHA3-256 state.
@end deftypefun

@deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA3_256_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context.
@end deftypefun

@subsubsection @acronym{SHA3-384}

This is SHA3 with 384-bit output size.

Nettle defines SHA3-384 in @file{<nettle/sha3.h>}.

@deftp {Context struct} {struct sha3_384_ctx}
@end deftp

@defvr Constant SHA3_384_DIGEST_SIZE
The size of a SHA3_384 digest, i.e., 48.
@end defvr

@defvr Constant SHA3_384_BLOCK_SIZE
The internal block size of SHA3_384.
@end defvr

@deftypefun void sha3_384_init (struct sha3_384_ctx *@var{ctx})
Initialize the SHA3-384 state.
@end deftypefun

@deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA3_384_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context.
@end deftypefun

@subsubsection @acronym{SHA3-512}

This is SHA3 with 512-bit output size.

Nettle defines SHA3-512 in @file{<nettle/sha3.h>}.

@deftp {Context struct} {struct sha3_512_ctx}
@end deftp

@defvr Constant SHA3_512_DIGEST_SIZE
The size of a SHA3_512 digest, i.e. 64.
@end defvr

@defvr Constant SHA3_512_BLOCK_SIZE
The internal block size of SHA3_512.
@end defvr

@deftypefun void sha3_512_init (struct sha3_512_ctx *@var{ctx})
Initialize the SHA3-512 state.
@end deftypefun

@deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA3_512_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context.
@end deftypefun

@node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions
@comment  node-name,  next,  previous,  up
@subsection Legacy hash functions

The hash functions in this section all have some known weaknesses, and
should be avoided for new applications. These hash functions are mainly
useful for compatibility with old applications and protocols. Some are
still considered safe as building blocks for particular constructions,
e.g., there seems to be no known attacks against HMAC-SHA1 or even
HMAC-MD5. In some important cases, use of a ``legacy'' hash function
does not in itself make the application insecure; if a known weakness is
relevant depends on how the hash function is used, and on the threat
model.

@subsubsection @acronym{MD5}

MD5 is a message digest function constructed by Ronald Rivest, and
described in @cite{RFC 1321}. It outputs message digests of 128 bits, or
16 octets. Nettle defines MD5 in @file{<nettle/md5.h>}.

@deftp {Context struct} {struct md5_ctx}
@end deftp

@defvr Constant MD5_DIGEST_SIZE
The size of an MD5 digest, i.e. 16.
@end defvr

@defvr Constant MD5_BLOCK_SIZE
The internal block size of MD5. Useful for some special constructions,
in particular HMAC-MD5.
@end defvr

@deftypefun void md5_init (struct md5_ctx *@var{ctx})
Initialize the MD5 state.
@end deftypefun

@deftypefun void md5_update (struct md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void md5_digest (struct md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{MD5_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{md5_init}.
@end deftypefun

The normal way to use MD5 is to call the functions in order: First
@code{md5_init}, then @code{md5_update} zero or more times, and finally
@code{md5_digest}. After @code{md5_digest}, the context is reset to
its initial state, so you can start over calling @code{md5_update} to
hash new data.

To start over, you can call @code{md5_init} at any time.

@subsubsection @acronym{MD2}

MD2 is another hash function of Ronald Rivest's, described in
@cite{RFC 1319}. It outputs message digests of 128 bits, or 16 octets.
Nettle defines MD2 in @file{<nettle/md2.h>}.

@deftp {Context struct} {struct md2_ctx}
@end deftp

@defvr Constant MD2_DIGEST_SIZE
The size of an MD2 digest, i.e. 16.
@end defvr

@defvr Constant MD2_BLOCK_SIZE
The internal block size of MD2.
@end defvr

@deftypefun void md2_init (struct md2_ctx *@var{ctx})
Initialize the MD2 state.
@end deftypefun

@deftypefun void md2_update (struct md2_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void md2_digest (struct md2_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{MD2_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{md2_init}.
@end deftypefun

@subsubsection @acronym{MD4}

MD4 is a predecessor of MD5, described in @cite{RFC 1320}. Like MD5, it
is constructed by Ronald Rivest. It outputs message digests of 128 bits,
or 16 octets. Nettle defines MD4 in @file{<nettle/md4.h>}. Use of MD4 is
not recommended, but it is sometimes needed for compatibility with
existing applications and protocols.

@deftp {Context struct} {struct md4_ctx}
@end deftp

@defvr Constant MD4_DIGEST_SIZE
The size of an MD4 digest, i.e. 16.
@end defvr

@defvr Constant MD4_BLOCK_SIZE
The internal block size of MD4.
@end defvr

@deftypefun void md4_init (struct md4_ctx *@var{ctx})
Initialize the MD4 state.
@end deftypefun

@deftypefun void md4_update (struct md4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void md4_digest (struct md4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{MD4_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{md4_init}.
@end deftypefun

@subsubsection @acronym{RIPEMD160}

RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon
Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD
(which, like MD4 and MD5, fails the collision-resistance requirement).
It produces message digests of 160 bits, or 20 octets. Nettle defined
RIPEMD160 in @file{nettle/ripemd160.h}.

@deftp {Context struct} {struct ripemd160_ctx}
@end deftp

@defvr Constant RIPEMD160_DIGEST_SIZE
The size of a RIPEMD160 digest, i.e. 20.
@end defvr

@defvr Constant RIPEMD160_BLOCK_SIZE
The internal block size of RIPEMD160.
@end defvr

@deftypefun void ripemd160_init (struct ripemd160_ctx *@var{ctx})
Initialize the RIPEMD160 state.
@end deftypefun

@deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{ripemd160_init}.
@end deftypefun

@subsubsection @acronym{SHA1}

SHA1 is a hash function specified by @dfn{NIST} (The U.S. National
Institute for Standards and Technology). It outputs hash values of 160
bits, or 20 octets. Nettle defines SHA1 in @file{<nettle/sha1.h>} (and
in @file{<nettle/sha.h>}, for backwards compatibility).

@deftp {Context struct} {struct sha1_ctx}
@end deftp

@defvr Constant SHA1_DIGEST_SIZE
The size of a SHA1 digest, i.e. 20.
@end defvr

@defvr Constant SHA1_BLOCK_SIZE
The internal block size of SHA1. Useful for some special constructions,
in particular HMAC-SHA1.
@end defvr

@deftypefun void sha1_init (struct sha1_ctx *@var{ctx})
Initialize the SHA1 state.
@end deftypefun

@deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{SHA1_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{sha1_init}.
@end deftypefun


@subsubsection @acronym{GOSTHASH94}

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm 
used in Russian government standards (see @cite{RFC 4357}).
It outputs message digests of 256 bits, or 32 octets.
Nettle defines GOSTHASH94 in @file{<nettle/gosthash94.h>}.

@deftp {Context struct} {struct gosthash94_ctx}
@end deftp

@defvr Constant GOSTHASH94_DIGEST_SIZE
The size of a GOSTHASH94 digest, i.e. 32.
@end defvr

@defvr Constant GOSTHASH94_BLOCK_SIZE
The internal block size of GOSTHASH94, i.e., 32.
@end defvr

@deftypefun void gosthash94_init (struct gosthash94_ctx *@var{ctx})
Initialize the GOSTHASH94 state.
@end deftypefun

@deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data})
Hash some more data.
@end deftypefun

@deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest})
Performs final processing and extracts the message digest, writing it
to @var{digest}. @var{length} may be smaller than
@code{GOSTHASH94_DIGEST_SIZE}, in which case only the first @var{length}
octets of the digest are written.

This function also resets the context in the same way as
@code{gosthash94_init}.
@end deftypefun

@node nettle_hash abstraction,, Legacy hash functions, Hash functions
@comment  node-name,  next,  previous,  up