Coverage Report

Created: 2025-03-18 06:55

/src/nettle/sha256.c
Line
Count
Source (jump to first uncovered line)
1
/* sha256.c
2
3
   The sha256 hash function.
4
   See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
5
6
   Copyright (C) 2001 Niels Möller
7
8
   This file is part of GNU Nettle.
9
10
   GNU Nettle is free software: you can redistribute it and/or
11
   modify it under the terms of either:
12
13
     * the GNU Lesser General Public License as published by the Free
14
       Software Foundation; either version 3 of the License, or (at your
15
       option) any later version.
16
17
   or
18
19
     * the GNU General Public License as published by the Free
20
       Software Foundation; either version 2 of the License, or (at your
21
       option) any later version.
22
23
   or both in parallel, as here.
24
25
   GNU Nettle is distributed in the hope that it will be useful,
26
   but WITHOUT ANY WARRANTY; without even the implied warranty of
27
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
28
   General Public License for more details.
29
30
   You should have received copies of the GNU General Public License and
31
   the GNU Lesser General Public License along with this program.  If
32
   not, see http://www.gnu.org/licenses/.
33
*/
34
35
/* Modelled after the sha1.c code by Peter Gutmann. */
36
37
#if HAVE_CONFIG_H
38
# include "config.h"
39
#endif
40
41
#include <assert.h>
42
#include <stdlib.h>
43
#include <string.h>
44
45
#include "sha2.h"
46
#include "sha2-internal.h"
47
48
#include "macros.h"
49
#include "md-internal.h"
50
#include "nettle-write.h"
51
52
/* Generated by the shadata program. */
53
static const uint32_t
54
K[64] =
55
{
56
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 
57
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 
58
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 
59
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 
60
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 
61
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 
62
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 
63
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 
64
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 
65
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 
66
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 
67
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 
68
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 
69
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 
70
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 
71
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 
72
};
73
74
void
75
sha256_compress(uint32_t *state, const uint8_t *input)
76
296
{
77
296
  _nettle_sha256_compress_n(state, K, 1, input);
78
296
}
79
80
0
#define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data)))
81
82
/* Initialize the SHA values */
83
84
void
85
sha256_init(struct sha256_ctx *ctx)
86
592
{
87
  /* Initial values, also generated by the shadata program. */
88
592
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
89
592
  {
90
592
    0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 
91
592
    0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, 
92
592
  };
93
94
592
  memcpy(ctx->state, H0, sizeof(H0));
95
96
  /* Initialize bit count */
97
592
  ctx->count = 0;
98
  
99
  /* Initialize buffer */
100
592
  ctx->index = 0;
101
592
}
102
103
void
104
sha256_update(struct sha256_ctx *ctx,
105
        size_t length, const uint8_t *data)
106
296
{
107
296
  size_t blocks;
108
296
  if (!length)
109
0
    return;
110
111
296
  if (ctx->index > 0)
112
0
    {
113
      /* Try to fill partial block */
114
0
      MD_FILL_OR_RETURN (ctx, length, data);
115
0
      sha256_compress (ctx->state, ctx->block);
116
0
      ctx->count++;
117
0
    }
118
119
296
  blocks = length >> 6;
120
296
  data = _nettle_sha256_compress_n (ctx->state, K, blocks, data);
121
296
  ctx->count += blocks;
122
296
  length &= 63;
123
124
296
  memcpy (ctx->block, data, length);
125
296
  ctx->index = length;
126
296
}
127
128
static void
129
sha256_write_digest(struct sha256_ctx *ctx,
130
        size_t length,
131
        uint8_t *digest)
132
296
{
133
296
  uint64_t bit_count;
134
135
296
  assert(length <= SHA256_DIGEST_SIZE);
136
137
296
  MD_PAD(ctx, 8, COMPRESS);
138
139
  /* There are 512 = 2^9 bits in one block */  
140
296
  bit_count = (ctx->count << 9) | (ctx->index << 3);
141
142
  /* This is slightly inefficient, as the numbers are converted to
143
     big-endian format, and will be converted back by the compression
144
     function. It's probably not worth the effort to fix this. */
145
296
  WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
146
296
  sha256_compress(ctx->state, ctx->block);
147
148
296
  _nettle_write_be32(length, digest, ctx->state);
149
296
}
150
151
void
152
sha256_digest(struct sha256_ctx *ctx,
153
        size_t length,
154
        uint8_t *digest)
155
296
{
156
296
  sha256_write_digest(ctx, length, digest);
157
296
  sha256_init(ctx);
158
296
}
159
160
/* sha224 variant. */
161
162
void
163
sha224_init(struct sha256_ctx *ctx)
164
0
{
165
  /* Initial values. Low 32 bits of the initial values for sha384. */
166
0
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
167
0
  {
168
0
    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
169
0
    0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
170
0
  };
171
172
0
  memcpy(ctx->state, H0, sizeof(H0));
173
174
  /* Initialize bit count */
175
0
  ctx->count = 0;
176
  
177
  /* Initialize buffer */
178
0
  ctx->index = 0;
179
0
}
180
181
void
182
sha224_digest(struct sha256_ctx *ctx,
183
        size_t length,
184
        uint8_t *digest)
185
0
{
186
0
  sha256_write_digest(ctx, length, digest);
187
0
  sha224_init(ctx);
188
0
}