sha256.c revision 296465
1/* crypto/sha/sha256.c */ 2/* ==================================================================== 3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved 4 * according to the OpenSSL license [found in ../../LICENSE]. 5 * ==================================================================== 6 */ 7#include <openssl/opensslconf.h> 8#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256) 9 10# include <stdlib.h> 11# include <string.h> 12 13# include <openssl/crypto.h> 14# include <openssl/sha.h> 15# ifdef OPENSSL_FIPS 16# include <openssl/fips.h> 17# endif 18 19# include <openssl/opensslv.h> 20 21const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT; 22 23int SHA224_Init(SHA256_CTX *c) 24{ 25# ifdef OPENSSL_FIPS 26 FIPS_selftest_check(); 27# endif 28 c->h[0] = 0xc1059ed8UL; 29 c->h[1] = 0x367cd507UL; 30 c->h[2] = 0x3070dd17UL; 31 c->h[3] = 0xf70e5939UL; 32 c->h[4] = 0xffc00b31UL; 33 c->h[5] = 0x68581511UL; 34 c->h[6] = 0x64f98fa7UL; 35 c->h[7] = 0xbefa4fa4UL; 36 c->Nl = 0; 37 c->Nh = 0; 38 c->num = 0; 39 c->md_len = SHA224_DIGEST_LENGTH; 40 return 1; 41} 42 43int SHA256_Init(SHA256_CTX *c) 44{ 45# ifdef OPENSSL_FIPS 46 FIPS_selftest_check(); 47# endif 48 c->h[0] = 0x6a09e667UL; 49 c->h[1] = 0xbb67ae85UL; 50 c->h[2] = 0x3c6ef372UL; 51 c->h[3] = 0xa54ff53aUL; 52 c->h[4] = 0x510e527fUL; 53 c->h[5] = 0x9b05688cUL; 54 c->h[6] = 0x1f83d9abUL; 55 c->h[7] = 0x5be0cd19UL; 56 c->Nl = 0; 57 c->Nh = 0; 58 c->num = 0; 59 c->md_len = SHA256_DIGEST_LENGTH; 60 return 1; 61} 62 63unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) 64{ 65 SHA256_CTX c; 66 static unsigned char m[SHA224_DIGEST_LENGTH]; 67 68 if (md == NULL) 69 md = m; 70 SHA224_Init(&c); 71 SHA256_Update(&c, d, n); 72 SHA256_Final(md, &c); 73 OPENSSL_cleanse(&c, sizeof(c)); 74 return (md); 75} 76 77unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) 78{ 79 SHA256_CTX c; 80 static unsigned char m[SHA256_DIGEST_LENGTH]; 81 82 if (md == NULL) 83 md = m; 84 SHA256_Init(&c); 85 SHA256_Update(&c, d, n); 86 SHA256_Final(md, &c); 87 OPENSSL_cleanse(&c, sizeof(c)); 88 return (md); 89} 90 91int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) 92{ 93 return SHA256_Update(c, data, len); 94} 95 96int SHA224_Final(unsigned char *md, SHA256_CTX *c) 97{ 98 return SHA256_Final(md, c); 99} 100 101# define DATA_ORDER_IS_BIG_ENDIAN 102 103# define HASH_LONG SHA_LONG 104# define HASH_CTX SHA256_CTX 105# define HASH_CBLOCK SHA_CBLOCK 106/* 107 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 108 * default: case below covers for it. It's not clear however if it's 109 * permitted to truncate to amount of bytes not divisible by 4. I bet not, 110 * but if it is, then default: case shall be extended. For reference. 111 * Idea behind separate cases for pre-defined lenghts is to let the 112 * compiler decide if it's appropriate to unroll small loops. 113 */ 114# define HASH_MAKE_STRING(c,s) do { \ 115 unsigned long ll; \ 116 unsigned int xn; \ 117 switch ((c)->md_len) \ 118 { case SHA224_DIGEST_LENGTH: \ 119 for (xn=0;xn<SHA224_DIGEST_LENGTH/4;xn++) \ 120 { ll=(c)->h[xn]; HOST_l2c(ll,(s)); } \ 121 break; \ 122 case SHA256_DIGEST_LENGTH: \ 123 for (xn=0;xn<SHA256_DIGEST_LENGTH/4;xn++) \ 124 { ll=(c)->h[xn]; HOST_l2c(ll,(s)); } \ 125 break; \ 126 default: \ 127 if ((c)->md_len > SHA256_DIGEST_LENGTH) \ 128 return 0; \ 129 for (xn=0;xn<(c)->md_len/4;xn++) \ 130 { ll=(c)->h[xn]; HOST_l2c(ll,(s)); } \ 131 break; \ 132 } \ 133 } while (0) 134 135# define HASH_UPDATE SHA256_Update 136# define HASH_TRANSFORM SHA256_Transform 137# define HASH_FINAL SHA256_Final 138# define HASH_BLOCK_DATA_ORDER sha256_block_data_order 139# ifndef SHA256_ASM 140static 141# endif 142void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); 143 144# include "md32_common.h" 145 146# ifndef SHA256_ASM 147static const SHA_LONG K256[64] = { 148 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 149 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 150 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 151 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 152 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 153 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 154 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 155 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 156 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 157 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 158 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 159 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 160 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 161 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 162 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 163 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 164}; 165 166/* 167 * FIPS specification refers to right rotations, while our ROTATE macro 168 * is left one. This is why you might notice that rotation coefficients 169 * differ from those observed in FIPS document by 32-N... 170 */ 171# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) 172# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) 173# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) 174# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) 175 176# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 177# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 178 179# ifdef OPENSSL_SMALL_FOOTPRINT 180 181static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 182 size_t num) 183{ 184 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; 185 SHA_LONG X[16], l; 186 int i; 187 const unsigned char *data = in; 188 189 while (num--) { 190 191 a = ctx->h[0]; 192 b = ctx->h[1]; 193 c = ctx->h[2]; 194 d = ctx->h[3]; 195 e = ctx->h[4]; 196 f = ctx->h[5]; 197 g = ctx->h[6]; 198 h = ctx->h[7]; 199 200 for (i = 0; i < 16; i++) { 201 HOST_c2l(data, l); 202 T1 = X[i] = l; 203 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 204 T2 = Sigma0(a) + Maj(a, b, c); 205 h = g; 206 g = f; 207 f = e; 208 e = d + T1; 209 d = c; 210 c = b; 211 b = a; 212 a = T1 + T2; 213 } 214 215 for (; i < 64; i++) { 216 s0 = X[(i + 1) & 0x0f]; 217 s0 = sigma0(s0); 218 s1 = X[(i + 14) & 0x0f]; 219 s1 = sigma1(s1); 220 221 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; 222 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 223 T2 = Sigma0(a) + Maj(a, b, c); 224 h = g; 225 g = f; 226 f = e; 227 e = d + T1; 228 d = c; 229 c = b; 230 b = a; 231 a = T1 + T2; 232 } 233 234 ctx->h[0] += a; 235 ctx->h[1] += b; 236 ctx->h[2] += c; 237 ctx->h[3] += d; 238 ctx->h[4] += e; 239 ctx->h[5] += f; 240 ctx->h[6] += g; 241 ctx->h[7] += h; 242 243 } 244} 245 246# else 247 248# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ 249 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ 250 h = Sigma0(a) + Maj(a,b,c); \ 251 d += T1; h += T1; } while (0) 252 253# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ 254 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ 255 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ 256 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ 257 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) 258 259static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 260 size_t num) 261{ 262 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; 263 SHA_LONG X[16]; 264 int i; 265 const unsigned char *data = in; 266 const union { 267 long one; 268 char little; 269 } is_endian = { 270 1 271 }; 272 273 while (num--) { 274 275 a = ctx->h[0]; 276 b = ctx->h[1]; 277 c = ctx->h[2]; 278 d = ctx->h[3]; 279 e = ctx->h[4]; 280 f = ctx->h[5]; 281 g = ctx->h[6]; 282 h = ctx->h[7]; 283 284 if (!is_endian.little && sizeof(SHA_LONG) == 4 285 && ((size_t)in % 4) == 0) { 286 const SHA_LONG *W = (const SHA_LONG *)data; 287 288 T1 = X[0] = W[0]; 289 ROUND_00_15(0, a, b, c, d, e, f, g, h); 290 T1 = X[1] = W[1]; 291 ROUND_00_15(1, h, a, b, c, d, e, f, g); 292 T1 = X[2] = W[2]; 293 ROUND_00_15(2, g, h, a, b, c, d, e, f); 294 T1 = X[3] = W[3]; 295 ROUND_00_15(3, f, g, h, a, b, c, d, e); 296 T1 = X[4] = W[4]; 297 ROUND_00_15(4, e, f, g, h, a, b, c, d); 298 T1 = X[5] = W[5]; 299 ROUND_00_15(5, d, e, f, g, h, a, b, c); 300 T1 = X[6] = W[6]; 301 ROUND_00_15(6, c, d, e, f, g, h, a, b); 302 T1 = X[7] = W[7]; 303 ROUND_00_15(7, b, c, d, e, f, g, h, a); 304 T1 = X[8] = W[8]; 305 ROUND_00_15(8, a, b, c, d, e, f, g, h); 306 T1 = X[9] = W[9]; 307 ROUND_00_15(9, h, a, b, c, d, e, f, g); 308 T1 = X[10] = W[10]; 309 ROUND_00_15(10, g, h, a, b, c, d, e, f); 310 T1 = X[11] = W[11]; 311 ROUND_00_15(11, f, g, h, a, b, c, d, e); 312 T1 = X[12] = W[12]; 313 ROUND_00_15(12, e, f, g, h, a, b, c, d); 314 T1 = X[13] = W[13]; 315 ROUND_00_15(13, d, e, f, g, h, a, b, c); 316 T1 = X[14] = W[14]; 317 ROUND_00_15(14, c, d, e, f, g, h, a, b); 318 T1 = X[15] = W[15]; 319 ROUND_00_15(15, b, c, d, e, f, g, h, a); 320 321 data += SHA256_CBLOCK; 322 } else { 323 SHA_LONG l; 324 325 HOST_c2l(data, l); 326 T1 = X[0] = l; 327 ROUND_00_15(0, a, b, c, d, e, f, g, h); 328 HOST_c2l(data, l); 329 T1 = X[1] = l; 330 ROUND_00_15(1, h, a, b, c, d, e, f, g); 331 HOST_c2l(data, l); 332 T1 = X[2] = l; 333 ROUND_00_15(2, g, h, a, b, c, d, e, f); 334 HOST_c2l(data, l); 335 T1 = X[3] = l; 336 ROUND_00_15(3, f, g, h, a, b, c, d, e); 337 HOST_c2l(data, l); 338 T1 = X[4] = l; 339 ROUND_00_15(4, e, f, g, h, a, b, c, d); 340 HOST_c2l(data, l); 341 T1 = X[5] = l; 342 ROUND_00_15(5, d, e, f, g, h, a, b, c); 343 HOST_c2l(data, l); 344 T1 = X[6] = l; 345 ROUND_00_15(6, c, d, e, f, g, h, a, b); 346 HOST_c2l(data, l); 347 T1 = X[7] = l; 348 ROUND_00_15(7, b, c, d, e, f, g, h, a); 349 HOST_c2l(data, l); 350 T1 = X[8] = l; 351 ROUND_00_15(8, a, b, c, d, e, f, g, h); 352 HOST_c2l(data, l); 353 T1 = X[9] = l; 354 ROUND_00_15(9, h, a, b, c, d, e, f, g); 355 HOST_c2l(data, l); 356 T1 = X[10] = l; 357 ROUND_00_15(10, g, h, a, b, c, d, e, f); 358 HOST_c2l(data, l); 359 T1 = X[11] = l; 360 ROUND_00_15(11, f, g, h, a, b, c, d, e); 361 HOST_c2l(data, l); 362 T1 = X[12] = l; 363 ROUND_00_15(12, e, f, g, h, a, b, c, d); 364 HOST_c2l(data, l); 365 T1 = X[13] = l; 366 ROUND_00_15(13, d, e, f, g, h, a, b, c); 367 HOST_c2l(data, l); 368 T1 = X[14] = l; 369 ROUND_00_15(14, c, d, e, f, g, h, a, b); 370 HOST_c2l(data, l); 371 T1 = X[15] = l; 372 ROUND_00_15(15, b, c, d, e, f, g, h, a); 373 } 374 375 for (i = 16; i < 64; i += 8) { 376 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 377 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 378 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 379 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 380 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 381 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 382 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 383 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 384 } 385 386 ctx->h[0] += a; 387 ctx->h[1] += b; 388 ctx->h[2] += c; 389 ctx->h[3] += d; 390 ctx->h[4] += e; 391 ctx->h[5] += f; 392 ctx->h[6] += g; 393 ctx->h[7] += h; 394 395 } 396} 397 398# endif 399# endif /* SHA256_ASM */ 400 401#endif /* OPENSSL_NO_SHA256 */ 402