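/* crypto/sha/sha256.c */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
 * ====================================================================
 */
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)

# include <stdlib.h>
# include <string.h>

# include <openssl/crypto.h>
# include <openssl/sha.h>
# include <openssl/opensslv.h>

const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;

/*
 * SHA-224 initialisation.  fips_md_init_ctx() is a macro defined outside
 * this file; judging by the body (which uses a parameter named c) and by the
 * SHA224_Init(&c) call in SHA224() below, it presumably expands to the
 * definition of SHA224_Init(SHA256_CTX *c) - confirm in the header.
 *
 * Zeroes the whole context, loads the eight SHA-224 initial hash words and
 * records SHA224_DIGEST_LENGTH in md_len.  md_len is the only thing that
 * distinguishes a SHA-224 context from a SHA-256 one afterwards; it selects
 * the output length in HASH_MAKE_STRING.  Always returns 1.
 */
fips_md_init_ctx(SHA224, SHA256)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

/*
 * SHA-256 initialisation (presumably SHA256_Init(SHA256_CTX *c); the
 * fips_md_init() macro is defined outside this file).  Zeroes the context,
 * loads the eight SHA-256 initial hash words and records
 * SHA256_DIGEST_LENGTH in md_len.  Always returns 1.
 */
fips_md_init(SHA256)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

/*
 * One-shot SHA-224 of the n bytes at d.
 *
 * The digest is written to md and md is returned.  There is no length
 * argument for md, so the caller must supply a buffer of at least
 * SHA224_DIGEST_LENGTH bytes.  If md is NULL the digest goes into a
 * function-local static buffer shared by every caller: the result is
 * overwritten by the next such call and the NULL form is therefore unsafe
 * with concurrent callers.  Pass a caller-owned buffer instead.
 *
 * The return values of Init/Update/Final are not checked here.  The local
 * context is wiped with OPENSSL_cleanse() before returning so that the
 * intermediate hash state does not stay behind in this stack frame.
 */
unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA224_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA224_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

/*
 * One-shot SHA-256 of the n bytes at d.
 *
 * Same contract as SHA224() above with SHA256_DIGEST_LENGTH as the required
 * size of md: md == NULL selects a shared static buffer (not safe for
 * concurrent callers, overwritten by the next call), the return values of
 * Init/Update/Final are not checked, and the local context is wiped with
 * OPENSSL_cleanse() before returning.
 */
unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA256_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA256_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

/*
 * SHA-224 shares the SHA-256 update path unchanged; this only forwards to
 * SHA256_Update() and returns its result.
 */
int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

/*
 * Forwards to SHA256_Final().  The shorter SHA-224 output is not selected
 * here but by c->md_len, which SHA224_Init set (see HASH_MAKE_STRING).
 */
int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

/*
 * Parameters for md32_common.h, which is included further down.  That header
 * is not part of this file; it presumably generates SHA256_Update,
 * SHA256_Transform and SHA256_Final from the HASH_* names defined here, as
 * none of the three is defined in this file.
 */
# define DATA_ORDER_IS_BIG_ENDIAN

# define HASH_LONG               SHA_LONG
# define HASH_CTX                SHA256_CTX
# define HASH_CBLOCK             SHA_CBLOCK
/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 *
 * Review notes on the macro as written:
 *  - it writes md_len/4 whole words to s, so a md_len that is not a
 *    multiple of 4 is silently rounded down;
 *  - the default: case contains a bare "return 0", so the macro can only be
 *    expanded inside a function returning int, and a context whose md_len
 *    exceeds SHA256_DIGEST_LENGTH makes that function return 0 without
 *    writing any output;
 *  - s receives up to md_len bytes and no destination size is checked.
 */
# define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

# define HASH_UPDATE             SHA256_Update
# define HASH_TRANSFORM          SHA256_Transform
# define HASH_FINAL              SHA256_Final
# define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
/*
 * Declared before md32_common.h is included.  The function has internal
 * linkage unless SHA256_ASM is defined, in which case no C body is compiled
 * in this file and the definition must come from elsewhere.
 */
# ifndef SHA256_ASM
static
# endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

# include "md32_common.h"

# ifndef SHA256_ASM
/* The 64 SHA-256 round constants, indexed by round number. */
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

#  ifdef OPENSSL_SMALL_FOOTPRINT

/*
 * Compact (looped) compression function: folds num consecutive input blocks
 * read from in into ctx->h.
 *
 * Each block is 16 words fetched with HOST_c2l() (from md32_common.h;
 * presumably it loads one word and advances data - confirm there).  X[] is a
 * 16-word rolling window of the message schedule, indexed modulo 16.
 *
 * No length is checked here: the caller must guarantee that in really holds
 * num whole blocks, otherwise the loads run past the end of the buffer.
 *
 * NOTE(review): X[] and the working variables are not wiped before return,
 * so words derived from the input remain in this stack frame.  Confirm that
 * this is acceptable for callers hashing secret material.
 */
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        /* Working variables start from the current chaining value. */
        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        /* Rounds 0..15 take the message words directly from the input. */
        for (i = 0; i < 16; i++) {
            HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        /* Rounds 16..63 extend the schedule in place inside X[]. */
        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        /* Feed-forward: add the block result into the chaining value. */
        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

#  else

/*
 * One round with T1 preloaded with the message word.  The variable passed
 * as h receives the new "a" value and the one passed as d receives the new
 * "e" value; callers rotate the argument order by one position per round
 * instead of moving the eight values.  Uses T1 from the enclosing scope.
 */
#   define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

/*
 * Schedule extension for rounds 16..63 followed by the round itself.  X is
 * the 16-word rolling window; s0, s1 and T1 come from the enclosing scope.
 */
#   define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

/*
 * Unrolled compression function: folds num consecutive input blocks read
 * from in into ctx->h.
 *
 * No length is checked here: the caller must guarantee that in really holds
 * num whole blocks, otherwise the loads run past the end of the buffer.
 *
 * NOTE(review): X[] and the working variables are not wiped before return,
 * so words derived from the input remain in this stack frame.  Confirm that
 * this is acceptable for callers hashing secret material.
 */
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    /*
     * Run-time byte-order probe: little overlays the first byte of one, so
     * it is non-zero only where the low-order byte is stored first.
     */
    const union {
        long one;
        char little;
    } is_endian = {
        1
    };

    while (num--) {

        /* Working variables start from the current chaining value. */
        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        /*
         * Fast path: host is not little-endian, SHA_LONG is exactly 4 bytes
         * and the input pointer is 4-byte aligned, so the block is read as
         * words straight from the caller's buffer.
         * NOTE(review): the alignment test is what makes the pointer cast
         * below usable; it tests in, not the advancing data pointer, and
         * the cast accesses the caller's bytes through a SHA_LONG lvalue.
         */
        if (!is_endian.little && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            /* This path did not move data while reading, so step it here. */
            data += SHA256_CBLOCK;
        } else {
            /*
             * Portable path: each word is fetched with HOST_c2l() (from
             * md32_common.h; presumably it also advances data - confirm).
             */
            SHA_LONG l;

            HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        /*
         * Rounds 16..63, eight per iteration so that the rotated argument
         * order is back at a..h when the loop body repeats.
         */
        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        /* Feed-forward: add the block result into the chaining value. */
        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

#  endif
# endif                         /* SHA256_ASM */

#endif                          /* OPENSSL_NO_SHA256 */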