xref: /freebsd/crypto/openssl/crypto/sha/sha256.c (revision 0e33efe4e4b5d24e2d416938af8bc6e6e4160ec8)
1 /* crypto/sha/sha256.c */
2 /* ====================================================================
3  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
4  * according to the OpenSSL license [found in ../../LICENSE].
5  * ====================================================================
6  */
7 #include <openssl/opensslconf.h>
8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
9 
10 # include <stdlib.h>
11 # include <string.h>
12 
13 # include <openssl/crypto.h>
14 # include <openssl/sha.h>
15 # include <openssl/opensslv.h>
16 
17 const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
18 
19 fips_md_init_ctx(SHA224, SHA256)
20 {
21     memset(c, 0, sizeof(*c));
22     c->h[0] = 0xc1059ed8UL;
23     c->h[1] = 0x367cd507UL;
24     c->h[2] = 0x3070dd17UL;
25     c->h[3] = 0xf70e5939UL;
26     c->h[4] = 0xffc00b31UL;
27     c->h[5] = 0x68581511UL;
28     c->h[6] = 0x64f98fa7UL;
29     c->h[7] = 0xbefa4fa4UL;
30     c->md_len = SHA224_DIGEST_LENGTH;
31     return 1;
32 }
33 
34 fips_md_init(SHA256)
35 {
36     memset(c, 0, sizeof(*c));
37     c->h[0] = 0x6a09e667UL;
38     c->h[1] = 0xbb67ae85UL;
39     c->h[2] = 0x3c6ef372UL;
40     c->h[3] = 0xa54ff53aUL;
41     c->h[4] = 0x510e527fUL;
42     c->h[5] = 0x9b05688cUL;
43     c->h[6] = 0x1f83d9abUL;
44     c->h[7] = 0x5be0cd19UL;
45     c->md_len = SHA256_DIGEST_LENGTH;
46     return 1;
47 }
48 
49 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
50 {
51     SHA256_CTX c;
52     static unsigned char m[SHA224_DIGEST_LENGTH];
53 
54     if (md == NULL)
55         md = m;
56     SHA224_Init(&c);
57     SHA256_Update(&c, d, n);
58     SHA256_Final(md, &c);
59     OPENSSL_cleanse(&c, sizeof(c));
60     return (md);
61 }
62 
63 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
64 {
65     SHA256_CTX c;
66     static unsigned char m[SHA256_DIGEST_LENGTH];
67 
68     if (md == NULL)
69         md = m;
70     SHA256_Init(&c);
71     SHA256_Update(&c, d, n);
72     SHA256_Final(md, &c);
73     OPENSSL_cleanse(&c, sizeof(c));
74     return (md);
75 }
76 
77 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
78 {
79     return SHA256_Update(c, data, len);
80 }
81 
82 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
83 {
84     return SHA256_Final(md, c);
85 }
86 
87 # define DATA_ORDER_IS_BIG_ENDIAN
88 
89 # define HASH_LONG               SHA_LONG
90 # define HASH_CTX                SHA256_CTX
91 # define HASH_CBLOCK             SHA_CBLOCK
92 /*
93  * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
94  * default: case below covers for it. It's not clear however if it's
95  * permitted to truncate to amount of bytes not divisible by 4. I bet not,
96  * but if it is, then default: case shall be extended. For reference.
97  * Idea behind separate cases for pre-defined lenghts is to let the
98  * compiler decide if it's appropriate to unroll small loops.
99  */
100 # define HASH_MAKE_STRING(c,s)   do {    \
101         unsigned long ll;               \
102         unsigned int  nn;               \
103         switch ((c)->md_len)            \
104         {   case SHA224_DIGEST_LENGTH:  \
105                 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
106                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
107                 break;                  \
108             case SHA256_DIGEST_LENGTH:  \
109                 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
110                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
111                 break;                  \
112             default:                    \
113                 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
114                     return 0;                           \
115                 for (nn=0;nn<(c)->md_len/4;nn++)                \
116                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
117                 break;                  \
118         }                               \
119         } while (0)
120 
121 # define HASH_UPDATE             SHA256_Update
122 # define HASH_TRANSFORM          SHA256_Transform
123 # define HASH_FINAL              SHA256_Final
124 # define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
125 # ifndef SHA256_ASM
126 static
127 # endif
128 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
129 
130 # include "md32_common.h"
131 
132 # ifndef SHA256_ASM
133 static const SHA_LONG K256[64] = {
134     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135     0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136     0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137     0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138     0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140     0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141     0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142     0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143     0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145     0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146     0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147     0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148     0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150 };
151 
152 /*
153  * FIPS specification refers to right rotations, while our ROTATE macro
154  * is left one. This is why you might notice that rotation coefficients
155  * differ from those observed in FIPS document by 32-N...
156  */
157 #  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
158 #  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
159 #  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
160 #  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
161 
162 #  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
163 #  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
164 
165 #  ifdef OPENSSL_SMALL_FOOTPRINT
166 
167 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
168                                     size_t num)
169 {
170     unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
171     SHA_LONG X[16], l;
172     int i;
173     const unsigned char *data = in;
174 
175     while (num--) {
176 
177         a = ctx->h[0];
178         b = ctx->h[1];
179         c = ctx->h[2];
180         d = ctx->h[3];
181         e = ctx->h[4];
182         f = ctx->h[5];
183         g = ctx->h[6];
184         h = ctx->h[7];
185 
186         for (i = 0; i < 16; i++) {
187             HOST_c2l(data, l);
188             T1 = X[i] = l;
189             T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
190             T2 = Sigma0(a) + Maj(a, b, c);
191             h = g;
192             g = f;
193             f = e;
194             e = d + T1;
195             d = c;
196             c = b;
197             b = a;
198             a = T1 + T2;
199         }
200 
201         for (; i < 64; i++) {
202             s0 = X[(i + 1) & 0x0f];
203             s0 = sigma0(s0);
204             s1 = X[(i + 14) & 0x0f];
205             s1 = sigma1(s1);
206 
207             T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
208             T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
209             T2 = Sigma0(a) + Maj(a, b, c);
210             h = g;
211             g = f;
212             f = e;
213             e = d + T1;
214             d = c;
215             c = b;
216             b = a;
217             a = T1 + T2;
218         }
219 
220         ctx->h[0] += a;
221         ctx->h[1] += b;
222         ctx->h[2] += c;
223         ctx->h[3] += d;
224         ctx->h[4] += e;
225         ctx->h[5] += f;
226         ctx->h[6] += g;
227         ctx->h[7] += h;
228 
229     }
230 }
231 
232 #  else
233 
234 #   define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
235         T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
236         h = Sigma0(a) + Maj(a,b,c);                     \
237         d += T1;        h += T1;                } while (0)
238 
239 #   define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
240         s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
241         s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
242         T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
243         ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)
244 
245 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
246                                     size_t num)
247 {
248     unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
249     SHA_LONG X[16];
250     int i;
251     const unsigned char *data = in;
252     const union {
253         long one;
254         char little;
255     } is_endian = {
256         1
257     };
258 
259     while (num--) {
260 
261         a = ctx->h[0];
262         b = ctx->h[1];
263         c = ctx->h[2];
264         d = ctx->h[3];
265         e = ctx->h[4];
266         f = ctx->h[5];
267         g = ctx->h[6];
268         h = ctx->h[7];
269 
270         if (!is_endian.little && sizeof(SHA_LONG) == 4
271             && ((size_t)in % 4) == 0) {
272             const SHA_LONG *W = (const SHA_LONG *)data;
273 
274             T1 = X[0] = W[0];
275             ROUND_00_15(0, a, b, c, d, e, f, g, h);
276             T1 = X[1] = W[1];
277             ROUND_00_15(1, h, a, b, c, d, e, f, g);
278             T1 = X[2] = W[2];
279             ROUND_00_15(2, g, h, a, b, c, d, e, f);
280             T1 = X[3] = W[3];
281             ROUND_00_15(3, f, g, h, a, b, c, d, e);
282             T1 = X[4] = W[4];
283             ROUND_00_15(4, e, f, g, h, a, b, c, d);
284             T1 = X[5] = W[5];
285             ROUND_00_15(5, d, e, f, g, h, a, b, c);
286             T1 = X[6] = W[6];
287             ROUND_00_15(6, c, d, e, f, g, h, a, b);
288             T1 = X[7] = W[7];
289             ROUND_00_15(7, b, c, d, e, f, g, h, a);
290             T1 = X[8] = W[8];
291             ROUND_00_15(8, a, b, c, d, e, f, g, h);
292             T1 = X[9] = W[9];
293             ROUND_00_15(9, h, a, b, c, d, e, f, g);
294             T1 = X[10] = W[10];
295             ROUND_00_15(10, g, h, a, b, c, d, e, f);
296             T1 = X[11] = W[11];
297             ROUND_00_15(11, f, g, h, a, b, c, d, e);
298             T1 = X[12] = W[12];
299             ROUND_00_15(12, e, f, g, h, a, b, c, d);
300             T1 = X[13] = W[13];
301             ROUND_00_15(13, d, e, f, g, h, a, b, c);
302             T1 = X[14] = W[14];
303             ROUND_00_15(14, c, d, e, f, g, h, a, b);
304             T1 = X[15] = W[15];
305             ROUND_00_15(15, b, c, d, e, f, g, h, a);
306 
307             data += SHA256_CBLOCK;
308         } else {
309             SHA_LONG l;
310 
311             HOST_c2l(data, l);
312             T1 = X[0] = l;
313             ROUND_00_15(0, a, b, c, d, e, f, g, h);
314             HOST_c2l(data, l);
315             T1 = X[1] = l;
316             ROUND_00_15(1, h, a, b, c, d, e, f, g);
317             HOST_c2l(data, l);
318             T1 = X[2] = l;
319             ROUND_00_15(2, g, h, a, b, c, d, e, f);
320             HOST_c2l(data, l);
321             T1 = X[3] = l;
322             ROUND_00_15(3, f, g, h, a, b, c, d, e);
323             HOST_c2l(data, l);
324             T1 = X[4] = l;
325             ROUND_00_15(4, e, f, g, h, a, b, c, d);
326             HOST_c2l(data, l);
327             T1 = X[5] = l;
328             ROUND_00_15(5, d, e, f, g, h, a, b, c);
329             HOST_c2l(data, l);
330             T1 = X[6] = l;
331             ROUND_00_15(6, c, d, e, f, g, h, a, b);
332             HOST_c2l(data, l);
333             T1 = X[7] = l;
334             ROUND_00_15(7, b, c, d, e, f, g, h, a);
335             HOST_c2l(data, l);
336             T1 = X[8] = l;
337             ROUND_00_15(8, a, b, c, d, e, f, g, h);
338             HOST_c2l(data, l);
339             T1 = X[9] = l;
340             ROUND_00_15(9, h, a, b, c, d, e, f, g);
341             HOST_c2l(data, l);
342             T1 = X[10] = l;
343             ROUND_00_15(10, g, h, a, b, c, d, e, f);
344             HOST_c2l(data, l);
345             T1 = X[11] = l;
346             ROUND_00_15(11, f, g, h, a, b, c, d, e);
347             HOST_c2l(data, l);
348             T1 = X[12] = l;
349             ROUND_00_15(12, e, f, g, h, a, b, c, d);
350             HOST_c2l(data, l);
351             T1 = X[13] = l;
352             ROUND_00_15(13, d, e, f, g, h, a, b, c);
353             HOST_c2l(data, l);
354             T1 = X[14] = l;
355             ROUND_00_15(14, c, d, e, f, g, h, a, b);
356             HOST_c2l(data, l);
357             T1 = X[15] = l;
358             ROUND_00_15(15, b, c, d, e, f, g, h, a);
359         }
360 
361         for (i = 16; i < 64; i += 8) {
362             ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
363             ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
364             ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
365             ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
366             ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
367             ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
368             ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
369             ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
370         }
371 
372         ctx->h[0] += a;
373         ctx->h[1] += b;
374         ctx->h[2] += c;
375         ctx->h[3] += d;
376         ctx->h[4] += e;
377         ctx->h[5] += f;
378         ctx->h[6] += g;
379         ctx->h[7] += h;
380 
381     }
382 }
383 
384 #  endif
385 # endif                         /* SHA256_ASM */
386 
387 #endif                          /* OPENSSL_NO_SHA256 */
388