sha256.c 4.38 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1
/* sha256.c
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

   The sha256 hash function.
   See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

   Copyright (C) 2001 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/
34 35 36

/* Modelled after the sha1.c code by Peter Gutmann. */

37 38 39
#if HAVE_CONFIG_H
# include "config.h"
#endif
40 41 42 43 44

#include <assert.h>
#include <stdlib.h>
#include <string.h>

45
#include "sha2.h"
46
#include "sha2-internal.h"
47 48

#include "macros.h"
49
#include "nettle-write.h"
50

51 52 53 54 55 56 57 58
/* Generated by the shadata program. */
static const uint32_t
K[64] =
{
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 
59
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 
60 61
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 
62
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 
63 64 65 66 67 68 69 70 71 72
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 
};

73
#define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K))
74

75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
/* Initialize the SHA values */

void
sha256_init(struct sha256_ctx *ctx)
{
  /* Initial values, also generated by the shadata program. */
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
  {
    0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 
    0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, 
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
90
  ctx->count = 0;
91 92 93 94 95 96 97
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha256_update(struct sha256_ctx *ctx,
98
	      size_t length, const uint8_t *data)
99
{
100
  MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++);
101 102
}

103
static void
104
sha256_write_digest(struct sha256_ctx *ctx,
105
		    size_t length,
106
		    uint8_t *digest)
107
{
108
  uint64_t bit_count;
109

110
  assert(length <= SHA256_DIGEST_SIZE);
111

112 113 114
  MD_PAD(ctx, 8, COMPRESS);

  /* There are 512 = 2^9 bits in one block */  
115
  bit_count = (ctx->count << 9) | (ctx->index << 3);
116 117 118 119

  /* This is slightly inefficient, as the numbers are converted to
     big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
120
  WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
121 122
  COMPRESS(ctx, ctx->block);

123
  _nettle_write_be32(length, digest, ctx->state);
124 125 126
}

void
127
sha256_digest(struct sha256_ctx *ctx,
128
	      size_t length,
129 130
	      uint8_t *digest)
{
131
  sha256_write_digest(ctx, length, digest);
132 133 134
  sha256_init(ctx);
}

135
/* sha224 variant. */
136 137 138 139

void
sha224_init(struct sha256_ctx *ctx)
{
140
  /* Initial values. Low 32 bits of the initial values for sha384. */
141 142 143 144 145 146 147 148 149
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
  {
    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
    0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
150
  ctx->count = 0;
151
  
152 153 154
  /* Initialize buffer */
  ctx->index = 0;
}
155

156 157
void
sha224_digest(struct sha256_ctx *ctx,
158
	      size_t length,
159 160
	      uint8_t *digest)
{
161
  sha256_write_digest(ctx, length, digest);
162
  sha224_init(ctx);
163
}