xref: /freebsd/crypto/openssl/crypto/sha/sha256.c (revision c81495a621c461b3d3395a7c5b0e73458201c443)
1 /*
2  * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * SHA256 low level APIs are deprecated for public use, but still ok for
12  * internal use.
13  */
14 #include "internal/deprecated.h"
15 
16 #include <openssl/opensslconf.h>
17 
18 #include <stdlib.h>
19 #include <string.h>
20 
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
24 #include "internal/endian.h"
25 
26 int SHA224_Init(SHA256_CTX *c)
27 {
28     memset(c, 0, sizeof(*c));
29     c->h[0] = 0xc1059ed8UL;
30     c->h[1] = 0x367cd507UL;
31     c->h[2] = 0x3070dd17UL;
32     c->h[3] = 0xf70e5939UL;
33     c->h[4] = 0xffc00b31UL;
34     c->h[5] = 0x68581511UL;
35     c->h[6] = 0x64f98fa7UL;
36     c->h[7] = 0xbefa4fa4UL;
37     c->md_len = SHA224_DIGEST_LENGTH;
38     return 1;
39 }
40 
41 int SHA256_Init(SHA256_CTX *c)
42 {
43     memset(c, 0, sizeof(*c));
44     c->h[0] = 0x6a09e667UL;
45     c->h[1] = 0xbb67ae85UL;
46     c->h[2] = 0x3c6ef372UL;
47     c->h[3] = 0xa54ff53aUL;
48     c->h[4] = 0x510e527fUL;
49     c->h[5] = 0x9b05688cUL;
50     c->h[6] = 0x1f83d9abUL;
51     c->h[7] = 0x5be0cd19UL;
52     c->md_len = SHA256_DIGEST_LENGTH;
53     return 1;
54 }
55 
56 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
57 {
58     return SHA256_Update(c, data, len);
59 }
60 
61 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
62 {
63     return SHA256_Final(md, c);
64 }
65 
66 #define DATA_ORDER_IS_BIG_ENDIAN
67 
68 #define HASH_LONG               SHA_LONG
69 #define HASH_CTX                SHA256_CTX
70 #define HASH_CBLOCK             SHA_CBLOCK
71 
72 /*
73  * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
74  * default: case below covers for it. It's not clear however if it's
75  * permitted to truncate to amount of bytes not divisible by 4. I bet not,
76  * but if it is, then default: case shall be extended. For reference.
77  * Idea behind separate cases for pre-defined lengths is to let the
78  * compiler decide if it's appropriate to unroll small loops.
79  */
80 #define HASH_MAKE_STRING(c,s)   do {    \
81         unsigned long ll;               \
82         unsigned int  nn;               \
83         switch ((c)->md_len)            \
84         {   case SHA224_DIGEST_LENGTH:  \
85                 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
86                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
87                 break;                  \
88             case SHA256_DIGEST_LENGTH:  \
89                 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
90                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
91                 break;                  \
92             default:                    \
93                 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
94                     return 0;                           \
95                 for (nn=0;nn<(c)->md_len/4;nn++)                \
96                 {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
97                 break;                  \
98         }                               \
99         } while (0)
100 
101 #define HASH_UPDATE             SHA256_Update
102 #define HASH_TRANSFORM          SHA256_Transform
103 #define HASH_FINAL              SHA256_Final
104 #define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
105 #ifndef SHA256_ASM
106 static
107 #endif
108 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
109 
110 #include "crypto/md32_common.h"
111 
112 #ifndef SHA256_ASM
113 static const SHA_LONG K256[64] = {
114     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
115     0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
116     0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
117     0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
118     0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
119     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
120     0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
121     0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
122     0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
123     0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
124     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
125     0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
126     0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
127     0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
128     0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
129     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
130 };
131 
132 /*
133  * FIPS specification refers to right rotations, while our ROTATE macro
134  * is left one. This is why you might notice that rotation coefficients
135  * differ from those observed in FIPS document by 32-N...
136  */
137 # define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
138 # define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
139 # define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
140 # define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
141 
142 # define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
143 # define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
144 
145 # ifdef OPENSSL_SMALL_FOOTPRINT
146 
147 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
148                                     size_t num)
149 {
150     unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
151     SHA_LONG X[16], l;
152     int i;
153     const unsigned char *data = in;
154 
155     while (num--) {
156 
157         a = ctx->h[0];
158         b = ctx->h[1];
159         c = ctx->h[2];
160         d = ctx->h[3];
161         e = ctx->h[4];
162         f = ctx->h[5];
163         g = ctx->h[6];
164         h = ctx->h[7];
165 
166         for (i = 0; i < 16; i++) {
167             (void)HOST_c2l(data, l);
168             T1 = X[i] = l;
169             T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
170             T2 = Sigma0(a) + Maj(a, b, c);
171             h = g;
172             g = f;
173             f = e;
174             e = d + T1;
175             d = c;
176             c = b;
177             b = a;
178             a = T1 + T2;
179         }
180 
181         for (; i < 64; i++) {
182             s0 = X[(i + 1) & 0x0f];
183             s0 = sigma0(s0);
184             s1 = X[(i + 14) & 0x0f];
185             s1 = sigma1(s1);
186 
187             T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
188             T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
189             T2 = Sigma0(a) + Maj(a, b, c);
190             h = g;
191             g = f;
192             f = e;
193             e = d + T1;
194             d = c;
195             c = b;
196             b = a;
197             a = T1 + T2;
198         }
199 
200         ctx->h[0] += a;
201         ctx->h[1] += b;
202         ctx->h[2] += c;
203         ctx->h[3] += d;
204         ctx->h[4] += e;
205         ctx->h[5] += f;
206         ctx->h[6] += g;
207         ctx->h[7] += h;
208 
209     }
210 }
211 
212 # else
213 
214 #  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
215         T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
216         h = Sigma0(a) + Maj(a,b,c);                     \
217         d += T1;        h += T1;                } while (0)
218 
219 #  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
220         s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
221         s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
222         T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
223         ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)
224 
225 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
226                                     size_t num)
227 {
228     unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
229     SHA_LONG X[16];
230     int i;
231     const unsigned char *data = in;
232     DECLARE_IS_ENDIAN;
233 
234     while (num--) {
235 
236         a = ctx->h[0];
237         b = ctx->h[1];
238         c = ctx->h[2];
239         d = ctx->h[3];
240         e = ctx->h[4];
241         f = ctx->h[5];
242         g = ctx->h[6];
243         h = ctx->h[7];
244 
245         if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
246             && ((size_t)in % 4) == 0) {
247             const SHA_LONG *W = (const SHA_LONG *)data;
248 
249             T1 = X[0] = W[0];
250             ROUND_00_15(0, a, b, c, d, e, f, g, h);
251             T1 = X[1] = W[1];
252             ROUND_00_15(1, h, a, b, c, d, e, f, g);
253             T1 = X[2] = W[2];
254             ROUND_00_15(2, g, h, a, b, c, d, e, f);
255             T1 = X[3] = W[3];
256             ROUND_00_15(3, f, g, h, a, b, c, d, e);
257             T1 = X[4] = W[4];
258             ROUND_00_15(4, e, f, g, h, a, b, c, d);
259             T1 = X[5] = W[5];
260             ROUND_00_15(5, d, e, f, g, h, a, b, c);
261             T1 = X[6] = W[6];
262             ROUND_00_15(6, c, d, e, f, g, h, a, b);
263             T1 = X[7] = W[7];
264             ROUND_00_15(7, b, c, d, e, f, g, h, a);
265             T1 = X[8] = W[8];
266             ROUND_00_15(8, a, b, c, d, e, f, g, h);
267             T1 = X[9] = W[9];
268             ROUND_00_15(9, h, a, b, c, d, e, f, g);
269             T1 = X[10] = W[10];
270             ROUND_00_15(10, g, h, a, b, c, d, e, f);
271             T1 = X[11] = W[11];
272             ROUND_00_15(11, f, g, h, a, b, c, d, e);
273             T1 = X[12] = W[12];
274             ROUND_00_15(12, e, f, g, h, a, b, c, d);
275             T1 = X[13] = W[13];
276             ROUND_00_15(13, d, e, f, g, h, a, b, c);
277             T1 = X[14] = W[14];
278             ROUND_00_15(14, c, d, e, f, g, h, a, b);
279             T1 = X[15] = W[15];
280             ROUND_00_15(15, b, c, d, e, f, g, h, a);
281 
282             data += SHA256_CBLOCK;
283         } else {
284             SHA_LONG l;
285 
286             (void)HOST_c2l(data, l);
287             T1 = X[0] = l;
288             ROUND_00_15(0, a, b, c, d, e, f, g, h);
289             (void)HOST_c2l(data, l);
290             T1 = X[1] = l;
291             ROUND_00_15(1, h, a, b, c, d, e, f, g);
292             (void)HOST_c2l(data, l);
293             T1 = X[2] = l;
294             ROUND_00_15(2, g, h, a, b, c, d, e, f);
295             (void)HOST_c2l(data, l);
296             T1 = X[3] = l;
297             ROUND_00_15(3, f, g, h, a, b, c, d, e);
298             (void)HOST_c2l(data, l);
299             T1 = X[4] = l;
300             ROUND_00_15(4, e, f, g, h, a, b, c, d);
301             (void)HOST_c2l(data, l);
302             T1 = X[5] = l;
303             ROUND_00_15(5, d, e, f, g, h, a, b, c);
304             (void)HOST_c2l(data, l);
305             T1 = X[6] = l;
306             ROUND_00_15(6, c, d, e, f, g, h, a, b);
307             (void)HOST_c2l(data, l);
308             T1 = X[7] = l;
309             ROUND_00_15(7, b, c, d, e, f, g, h, a);
310             (void)HOST_c2l(data, l);
311             T1 = X[8] = l;
312             ROUND_00_15(8, a, b, c, d, e, f, g, h);
313             (void)HOST_c2l(data, l);
314             T1 = X[9] = l;
315             ROUND_00_15(9, h, a, b, c, d, e, f, g);
316             (void)HOST_c2l(data, l);
317             T1 = X[10] = l;
318             ROUND_00_15(10, g, h, a, b, c, d, e, f);
319             (void)HOST_c2l(data, l);
320             T1 = X[11] = l;
321             ROUND_00_15(11, f, g, h, a, b, c, d, e);
322             (void)HOST_c2l(data, l);
323             T1 = X[12] = l;
324             ROUND_00_15(12, e, f, g, h, a, b, c, d);
325             (void)HOST_c2l(data, l);
326             T1 = X[13] = l;
327             ROUND_00_15(13, d, e, f, g, h, a, b, c);
328             (void)HOST_c2l(data, l);
329             T1 = X[14] = l;
330             ROUND_00_15(14, c, d, e, f, g, h, a, b);
331             (void)HOST_c2l(data, l);
332             T1 = X[15] = l;
333             ROUND_00_15(15, b, c, d, e, f, g, h, a);
334         }
335 
336         for (i = 16; i < 64; i += 8) {
337             ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
338             ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
339             ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
340             ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
341             ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
342             ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
343             ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
344             ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
345         }
346 
347         ctx->h[0] += a;
348         ctx->h[1] += b;
349         ctx->h[2] += c;
350         ctx->h[3] += d;
351         ctx->h[4] += e;
352         ctx->h[5] += f;
353         ctx->h[6] += g;
354         ctx->h[7] += h;
355 
356     }
357 }
358 
359 # endif
360 #endif                         /* SHA256_ASM */
361