2
* Copyright (C) 2001 Niels Moller
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation; either version 2 of the
7
* License, or (at your option) any later version.
9
* The nettle library is distributed in the hope that it will be useful, but
10
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
12
* License for more details.
14
* You should have received a copy of the GNU Lesser General Public License
15
* along with the nettle library; see the file COPYING.LIB. If not, write to
16
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
20
/* Modelled after the sha1.c code by Peter Gutmann. */
28
/* A block, treated as a sequence of 32-bit words. */
29
#define SHA256_DATA_LENGTH 16
31
#define ROTR(n,x) ((x)>>(n) | ((x)<<(32-(n))))
32
#define SHR(n,x) ((x)>>(n))
34
#define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
35
#define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
37
#define S0(x) (ROTR(2,(x)) ^ ROTR(13,(x)) ^ ROTR(22,(x)))
38
#define S1(x) (ROTR(6,(x)) ^ ROTR(11,(x)) ^ ROTR(25,(x)))
40
#define s0(x) (ROTR(7,(x)) ^ ROTR(18,(x)) ^ SHR(3,(x)))
41
#define s1(x) (ROTR(17,(x)) ^ ROTR(19,(x)) ^ SHR(10,(x)))
43
static const uint32_t K[64] = {
44
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
45
0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
46
0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
47
0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
48
0xe49b69c1UL, 0xefbe4786UL, 0xfc19dc6UL, 0x240ca1ccUL,
49
0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
50
0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
51
0xc6e00bf3UL, 0xd5a79147UL, 0x6ca6351UL, 0x14292967UL,
52
0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
53
0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
54
0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
55
0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
56
0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
57
0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
58
0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
59
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
63
( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
65
#define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
66
uint32_t T1 = h + S1(e) + Choice(e,f,g) + k + data; \
67
uint32_t T2 = S0(a) + Majority(a,b,c); \
73
#define EXTRACT_UCHAR(p) (*(const unsigned char *)(p))
76
#define STRING2INT(s) ((((((EXTRACT_UCHAR(s) << 8) \
77
| EXTRACT_UCHAR(s+1)) << 8) \
78
| EXTRACT_UCHAR(s+2)) << 8) \
82
#define EXTRACT_UCHAR(p) (*(const mutils_word8 *)(p))
85
#define STRING2INT(s) ((((((EXTRACT_UCHAR(s) << 8) \
86
| EXTRACT_UCHAR(s+1)) << 8) \
87
| EXTRACT_UCHAR(s+2)) << 8) \
90
/* Initialize the SHA values */
92
void sha256_init(struct sha256_ctx *ctx)
94
/* Initial values, also generated by the shadata program. */
95
static const uint32_t H0[_SHA256_DIGEST_LENGTH] = {
96
0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
97
0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
100
memcpy(ctx->state, H0, sizeof(H0));
102
/* Initialize bit count */
103
ctx->count_low = ctx->count_high = 0;
105
/* Initialize buffer */
109
/* Perform the SHA transformation. Note that this code, like MD5, seems to
110
break some optimizing compilers due to the complexity of the expressions
111
and the size of the basic block. It may be necessary to split it into
112
sections, e.g. based on the four subrounds
114
Note that this function destroys the data area */
116
static void sha256_transform(uint32_t *state, uint32_t *data)
118
uint32_t A, B, C, D, E, F, G, H; /* Local vars */
123
/* Set up first buffer and local data buffer */
134
/* First 16 subrounds that act on the original data */
136
for (i = 0, k = K, d = data; i < 16; i += 8, k += 8, d += 8) {
137
ROUND(A, B, C, D, E, F, G, H, k[0], d[0]);
138
ROUND(H, A, B, C, D, E, F, G, k[1], d[1]);
139
ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
140
ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
141
ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
142
ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
143
ROUND(C, D, E, F, G, H, A, B, k[6], d[6]);
144
ROUND(B, C, D, E, F, G, H, A, k[7], d[7]);
147
for (; i < 64; i += 16, k += 16) {
148
ROUND(A, B, C, D, E, F, G, H, k[0], EXPAND(data, 0));
149
ROUND(H, A, B, C, D, E, F, G, k[1], EXPAND(data, 1));
150
ROUND(G, H, A, B, C, D, E, F, k[2], EXPAND(data, 2));
151
ROUND(F, G, H, A, B, C, D, E, k[3], EXPAND(data, 3));
152
ROUND(E, F, G, H, A, B, C, D, k[4], EXPAND(data, 4));
153
ROUND(D, E, F, G, H, A, B, C, k[5], EXPAND(data, 5));
154
ROUND(C, D, E, F, G, H, A, B, k[6], EXPAND(data, 6));
155
ROUND(B, C, D, E, F, G, H, A, k[7], EXPAND(data, 7));
156
ROUND(A, B, C, D, E, F, G, H, k[8], EXPAND(data, 8));
157
ROUND(H, A, B, C, D, E, F, G, k[9], EXPAND(data, 9));
158
ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10));
159
ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11));
160
ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12));
161
ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13));
162
ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14));
163
ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15));
177
static void sha256_block(struct sha256_ctx *ctx, const unsigned char *block)
179
uint32_t data[SHA256_DATA_LENGTH];
182
/* Update block count */
183
if (!++ctx->count_low)
186
/* Endian independent conversion */
187
for (i = 0; i < SHA256_DATA_LENGTH; i++, block += 4)
188
data[i] = STRING2INT(block);
190
sha256_transform(ctx->state, data);
194
sha256_update(struct sha256_ctx *ctx, const unsigned char *buffer, uint32_t length)
198
if (ctx->index) { /* Try to fill partial block */
199
left = SHA256_DATA_SIZE - ctx->index;
201
memcpy(ctx->block + ctx->index, buffer, length);
202
ctx->index += length;
203
return; /* Finished */
205
memcpy(ctx->block + ctx->index, buffer, left);
206
sha256_block(ctx, ctx->block);
211
while (length >= SHA256_DATA_SIZE) {
212
sha256_block(ctx, buffer);
213
buffer += SHA256_DATA_SIZE;
214
length -= SHA256_DATA_SIZE;
216
/* Buffer leftovers */
217
/* NOTE: The corresponding sha1 code checks for the special case length == 0.
218
* That seems supoptimal, as I suspect it increases the number of branches. */
220
memcpy(ctx->block, buffer, length);
224
/* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
225
1 0* (64-bit count of bits processed, MSB-first) */
227
void sha256_final(struct sha256_ctx *ctx)
229
uint32_t data[SHA256_DATA_LENGTH];
235
/* Set the first char of padding to 0x80. This is safe since there is
236
always at least one byte free */
238
/* assert(i < SHA256_DATA_SIZE);
240
ctx->block[i++] = 0x80;
242
/* Fill rest of word */
246
/* i is now a multiple of the word size 4 */
248
for (i = 0; i < words; i++)
249
data[i] = STRING2INT(ctx->block + 4 * i);
251
if (words > (SHA256_DATA_LENGTH - 2)) { /* No room for length in this block. Process it and
252
* pad with another one */
253
for (i = words; i < SHA256_DATA_LENGTH; i++)
255
sha256_transform(ctx->state, data);
256
for (i = 0; i < (SHA256_DATA_LENGTH - 2); i++)
259
for (i = words; i < SHA256_DATA_LENGTH - 2; i++)
262
/* There are 512 = 2^9 bits in one block */
263
data[SHA256_DATA_LENGTH - 2] =
264
(ctx->count_high << 9) | (ctx->count_low >> 23);
265
data[SHA256_DATA_LENGTH - 1] =
266
(ctx->count_low << 9) | (ctx->index << 3);
267
sha256_transform(ctx->state, data);
270
void sha256_digest(const struct sha256_ctx *ctx, unsigned char *s)
275
for (i = 0; i < _SHA256_DIGEST_LENGTH; i++) {
276
*s++ = ctx->state[i] >> 24;
277
*s++ = 0xff & (ctx->state[i] >> 16);
278
*s++ = 0xff & (ctx->state[i] >> 8);
279
*s++ = 0xff & ctx->state[i];