Coverage Report

Created: 2025-11-16 06:28

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/nettle/sha256.c
Line
Count
Source
1
/* sha256.c
2
3
   The sha256 hash function.
4
   See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
5
6
   Copyright (C) 2001 Niels Möller
7
8
   This file is part of GNU Nettle.
9
10
   GNU Nettle is free software: you can redistribute it and/or
11
   modify it under the terms of either:
12
13
     * the GNU Lesser General Public License as published by the Free
14
       Software Foundation; either version 3 of the License, or (at your
15
       option) any later version.
16
17
   or
18
19
     * the GNU General Public License as published by the Free
20
       Software Foundation; either version 2 of the License, or (at your
21
       option) any later version.
22
23
   or both in parallel, as here.
24
25
   GNU Nettle is distributed in the hope that it will be useful,
26
   but WITHOUT ANY WARRANTY; without even the implied warranty of
27
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
28
   General Public License for more details.
29
30
   You should have received copies of the GNU General Public License and
31
   the GNU Lesser General Public License along with this program.  If
32
   not, see http://www.gnu.org/licenses/.
33
*/
34
35
/* Modelled after the sha1.c code by Peter Gutmann. */
36
37
#if HAVE_CONFIG_H
38
# include "config.h"
39
#endif
40
41
#include <assert.h>
42
#include <stdlib.h>
43
#include <string.h>
44
45
#include "sha2.h"
46
#include "sha2-internal.h"
47
48
#include "macros.h"
49
#include "md-internal.h"
50
#include "nettle-write.h"
51
52
/* Generated by the shadata program. */
53
static const uint32_t
54
K[64] =
55
{
56
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 
57
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 
58
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 
59
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 
60
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 
61
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 
62
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 
63
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 
64
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 
65
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 
66
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 
67
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 
68
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 
69
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 
70
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 
71
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 
72
};
73
74
void
75
sha256_compress(uint32_t *state, const uint8_t *input)
76
350
{
77
350
  _nettle_sha256_compress_n(state, K, 1, input);
78
350
}
79
80
0
#define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data)))
81
82
/* Initialize the SHA values */
83
84
void
85
sha256_init(struct sha256_ctx *ctx)
86
700
{
87
  /* Initial values, also generated by the shadata program. */
88
700
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
89
700
  {
90
700
    0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 
91
700
    0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, 
92
700
  };
93
94
700
  memcpy(ctx->state, H0, sizeof(H0));
95
96
  /* Initialize bit count */
97
700
  ctx->count = 0;
98
  
99
  /* Initialize buffer */
100
700
  ctx->index = 0;
101
700
}
102
103
void
104
sha256_update(struct sha256_ctx *ctx,
105
        size_t length, const uint8_t *data)
106
350
{
107
350
  size_t blocks;
108
350
  if (ctx->index > 0)
109
0
    {
110
      /* Try to fill partial block */
111
0
      MD_FILL_OR_RETURN (ctx, length, data);
112
0
      sha256_compress (ctx->state, ctx->block);
113
0
      ctx->count++;
114
0
    }
115
116
350
  blocks = length >> 6;
117
350
  data = _nettle_sha256_compress_n (ctx->state, K, blocks, data);
118
350
  ctx->count += blocks;
119
350
  length &= 63;
120
121
350
  memcpy (ctx->block, data, length);
122
350
  ctx->index = length;
123
350
}
124
125
static void
126
sha256_write_digest(struct sha256_ctx *ctx,
127
        size_t length,
128
        uint8_t *digest)
129
350
{
130
350
  uint64_t bit_count;
131
132
350
  assert(length <= SHA256_DIGEST_SIZE);
133
134
350
  MD_PAD(ctx, 8, COMPRESS);
135
136
  /* There are 512 = 2^9 bits in one block */  
137
350
  bit_count = (ctx->count << 9) | (ctx->index << 3);
138
139
  /* This is slightly inefficient, as the numbers are converted to
140
     big-endian format, and will be converted back by the compression
141
     function. It's probably not worth the effort to fix this. */
142
350
  WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
143
350
  sha256_compress(ctx->state, ctx->block);
144
145
350
  _nettle_write_be32(length, digest, ctx->state);
146
350
}
147
148
void
149
sha256_digest(struct sha256_ctx *ctx,
150
        size_t length,
151
        uint8_t *digest)
152
350
{
153
350
  sha256_write_digest(ctx, length, digest);
154
350
  sha256_init(ctx);
155
350
}
156
157
/* sha224 variant. */
158
159
void
160
sha224_init(struct sha256_ctx *ctx)
161
0
{
162
  /* Initial values. Low 32 bits of the initial values for sha384. */
163
0
  static const uint32_t H0[_SHA256_DIGEST_LENGTH] =
164
0
  {
165
0
    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
166
0
    0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
167
0
  };
168
169
0
  memcpy(ctx->state, H0, sizeof(H0));
170
171
  /* Initialize bit count */
172
0
  ctx->count = 0;
173
  
174
  /* Initialize buffer */
175
0
  ctx->index = 0;
176
0
}
177
178
void
179
sha224_digest(struct sha256_ctx *ctx,
180
        size_t length,
181
        uint8_t *digest)
182
0
{
183
0
  sha256_write_digest(ctx, length, digest);
184
0
  sha224_init(ctx);
185
0
}