1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
use compress;
/// Raw SHA-256 compression function (hazmat).
///
/// Applies the SHA-256 compression function to the 32-bit `state` for each
/// 64-byte block in `blocks`, updating `state` in place. This is the bare
/// FIPS 180-4 Sec. 6.2 transformation, with no padding, length encoding, or
/// finalisation.
///
/// # Contract
///
/// Callers are responsible for the parts of SHA-256 that this function does
/// *not* perform:
///
/// * Padding the input per FIPS 180-4 Sec. 5.1.1 (append `0x80`, zero-fill
/// to a 56-mod-64-byte boundary, append the 64-bit big-endian bit length).
/// * Splitting the padded message into 64-byte blocks before calling.
/// * Initialising `state` to the SHA-256 IV `H0_256` (or to a midstream value
/// from a previous call) before the first invocation.
/// * Emitting the final digest as the big-endian byte serialisation of
/// `state` after the last call.
///
/// Misuse (skipped padding, wrong IV, etc.) silently produces a non-FIPS
/// output. The verification proofs target [`crate::sha256`] etc., which
/// internally do all of the above and call this function as a building block.
///
/// # Examples
///
/// ```
/// # #[cfg(feature = "compress")] {
/// // A correctly padded one-block message ("abc" with FIPS padding):
/// let mut block = [0u8; 64];
/// block[..3].copy_from_slice(b"abc");
/// block[3] = 0x80;
/// block[63] = 24; // 24-bit message length
/// let mut state = [
/// 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
/// 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
/// ];
/// sha2::compress256(&mut state, &[block]);
/// assert_eq!(state[0], 0xba7816bf);
/// # }
/// ```