1/* 2 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10/* 11 * SHA256 low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14#include "internal/deprecated.h" 15 16#include <openssl/opensslconf.h> 17 18#include <stdlib.h> 19#include <string.h> 20 21#include <openssl/crypto.h> 22#include <openssl/sha.h> 23#include <openssl/opensslv.h> 24#include "internal/endian.h" 25 26int SHA224_Init(SHA256_CTX *c) 27{ 28 memset(c, 0, sizeof(*c)); 29 c->h[0] = 0xc1059ed8UL; 30 c->h[1] = 0x367cd507UL; 31 c->h[2] = 0x3070dd17UL; 32 c->h[3] = 0xf70e5939UL; 33 c->h[4] = 0xffc00b31UL; 34 c->h[5] = 0x68581511UL; 35 c->h[6] = 0x64f98fa7UL; 36 c->h[7] = 0xbefa4fa4UL; 37 c->md_len = SHA224_DIGEST_LENGTH; 38 return 1; 39} 40 41int SHA256_Init(SHA256_CTX *c) 42{ 43 memset(c, 0, sizeof(*c)); 44 c->h[0] = 0x6a09e667UL; 45 c->h[1] = 0xbb67ae85UL; 46 c->h[2] = 0x3c6ef372UL; 47 c->h[3] = 0xa54ff53aUL; 48 c->h[4] = 0x510e527fUL; 49 c->h[5] = 0x9b05688cUL; 50 c->h[6] = 0x1f83d9abUL; 51 c->h[7] = 0x5be0cd19UL; 52 c->md_len = SHA256_DIGEST_LENGTH; 53 return 1; 54} 55 56int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) 57{ 58 return SHA256_Update(c, data, len); 59} 60 61int SHA224_Final(unsigned char *md, SHA256_CTX *c) 62{ 63 return SHA256_Final(md, c); 64} 65 66#define DATA_ORDER_IS_BIG_ENDIAN 67 68#define HASH_LONG SHA_LONG 69#define HASH_CTX SHA256_CTX 70#define HASH_CBLOCK SHA_CBLOCK 71 72/* 73 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 74 * default: case below covers for it. It's not clear however if it's 75 * permitted to truncate to amount of bytes not divisible by 4. I bet not, 76 * but if it is, then default: case shall be extended. For reference. 77 * Idea behind separate cases for pre-defined lengths is to let the 78 * compiler decide if it's appropriate to unroll small loops. 79 */ 80#define HASH_MAKE_STRING(c,s) do { \ 81 unsigned long ll; \ 82 unsigned int nn; \ 83 switch ((c)->md_len) \ 84 { case SHA224_DIGEST_LENGTH: \ 85 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ 86 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 87 break; \ 88 case SHA256_DIGEST_LENGTH: \ 89 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ 90 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 91 break; \ 92 default: \ 93 if ((c)->md_len > SHA256_DIGEST_LENGTH) \ 94 return 0; \ 95 for (nn=0;nn<(c)->md_len/4;nn++) \ 96 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 97 break; \ 98 } \ 99 } while (0) 100 101#define HASH_UPDATE SHA256_Update 102#define HASH_TRANSFORM SHA256_Transform 103#define HASH_FINAL SHA256_Final 104#define HASH_BLOCK_DATA_ORDER sha256_block_data_order 105#ifndef SHA256_ASM 106static 107#endif 108void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); 109 110#include "crypto/md32_common.h" 111 112#ifndef SHA256_ASM 113static const SHA_LONG K256[64] = { 114 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 115 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 116 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 117 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 118 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 119 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 120 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 121 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 122 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 123 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 124 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 125 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 126 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 127 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 128 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 129 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 130}; 131 132/* 133 * FIPS specification refers to right rotations, while our ROTATE macro 134 * is left one. This is why you might notice that rotation coefficients 135 * differ from those observed in FIPS document by 32-N... 136 */ 137# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) 138# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) 139# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) 140# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) 141 142# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 143# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 144 145# ifdef OPENSSL_SMALL_FOOTPRINT 146 147static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 148 size_t num) 149{ 150 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; 151 SHA_LONG X[16], l; 152 int i; 153 const unsigned char *data = in; 154 155 while (num--) { 156 157 a = ctx->h[0]; 158 b = ctx->h[1]; 159 c = ctx->h[2]; 160 d = ctx->h[3]; 161 e = ctx->h[4]; 162 f = ctx->h[5]; 163 g = ctx->h[6]; 164 h = ctx->h[7]; 165 166 for (i = 0; i < 16; i++) { 167 (void)HOST_c2l(data, l); 168 T1 = X[i] = l; 169 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 170 T2 = Sigma0(a) + Maj(a, b, c); 171 h = g; 172 g = f; 173 f = e; 174 e = d + T1; 175 d = c; 176 c = b; 177 b = a; 178 a = T1 + T2; 179 } 180 181 for (; i < 64; i++) { 182 s0 = X[(i + 1) & 0x0f]; 183 s0 = sigma0(s0); 184 s1 = X[(i + 14) & 0x0f]; 185 s1 = sigma1(s1); 186 187 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; 188 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 189 T2 = Sigma0(a) + Maj(a, b, c); 190 h = g; 191 g = f; 192 f = e; 193 e = d + T1; 194 d = c; 195 c = b; 196 b = a; 197 a = T1 + T2; 198 } 199 200 ctx->h[0] += a; 201 ctx->h[1] += b; 202 ctx->h[2] += c; 203 ctx->h[3] += d; 204 ctx->h[4] += e; 205 ctx->h[5] += f; 206 ctx->h[6] += g; 207 ctx->h[7] += h; 208 209 } 210} 211 212# else 213 214# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ 215 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ 216 h = Sigma0(a) + Maj(a,b,c); \ 217 d += T1; h += T1; } while (0) 218 219# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ 220 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ 221 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ 222 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ 223 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) 224 225static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 226 size_t num) 227{ 228 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; 229 SHA_LONG X[16]; 230 int i; 231 const unsigned char *data = in; 232 DECLARE_IS_ENDIAN; 233 234 while (num--) { 235 236 a = ctx->h[0]; 237 b = ctx->h[1]; 238 c = ctx->h[2]; 239 d = ctx->h[3]; 240 e = ctx->h[4]; 241 f = ctx->h[5]; 242 g = ctx->h[6]; 243 h = ctx->h[7]; 244 245 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4 246 && ((size_t)in % 4) == 0) { 247 const SHA_LONG *W = (const SHA_LONG *)data; 248 249 T1 = X[0] = W[0]; 250 ROUND_00_15(0, a, b, c, d, e, f, g, h); 251 T1 = X[1] = W[1]; 252 ROUND_00_15(1, h, a, b, c, d, e, f, g); 253 T1 = X[2] = W[2]; 254 ROUND_00_15(2, g, h, a, b, c, d, e, f); 255 T1 = X[3] = W[3]; 256 ROUND_00_15(3, f, g, h, a, b, c, d, e); 257 T1 = X[4] = W[4]; 258 ROUND_00_15(4, e, f, g, h, a, b, c, d); 259 T1 = X[5] = W[5]; 260 ROUND_00_15(5, d, e, f, g, h, a, b, c); 261 T1 = X[6] = W[6]; 262 ROUND_00_15(6, c, d, e, f, g, h, a, b); 263 T1 = X[7] = W[7]; 264 ROUND_00_15(7, b, c, d, e, f, g, h, a); 265 T1 = X[8] = W[8]; 266 ROUND_00_15(8, a, b, c, d, e, f, g, h); 267 T1 = X[9] = W[9]; 268 ROUND_00_15(9, h, a, b, c, d, e, f, g); 269 T1 = X[10] = W[10]; 270 ROUND_00_15(10, g, h, a, b, c, d, e, f); 271 T1 = X[11] = W[11]; 272 ROUND_00_15(11, f, g, h, a, b, c, d, e); 273 T1 = X[12] = W[12]; 274 ROUND_00_15(12, e, f, g, h, a, b, c, d); 275 T1 = X[13] = W[13]; 276 ROUND_00_15(13, d, e, f, g, h, a, b, c); 277 T1 = X[14] = W[14]; 278 ROUND_00_15(14, c, d, e, f, g, h, a, b); 279 T1 = X[15] = W[15]; 280 ROUND_00_15(15, b, c, d, e, f, g, h, a); 281 282 data += SHA256_CBLOCK; 283 } else { 284 SHA_LONG l; 285 286 (void)HOST_c2l(data, l); 287 T1 = X[0] = l; 288 ROUND_00_15(0, a, b, c, d, e, f, g, h); 289 (void)HOST_c2l(data, l); 290 T1 = X[1] = l; 291 ROUND_00_15(1, h, a, b, c, d, e, f, g); 292 (void)HOST_c2l(data, l); 293 T1 = X[2] = l; 294 ROUND_00_15(2, g, h, a, b, c, d, e, f); 295 (void)HOST_c2l(data, l); 296 T1 = X[3] = l; 297 ROUND_00_15(3, f, g, h, a, b, c, d, e); 298 (void)HOST_c2l(data, l); 299 T1 = X[4] = l; 300 ROUND_00_15(4, e, f, g, h, a, b, c, d); 301 (void)HOST_c2l(data, l); 302 T1 = X[5] = l; 303 ROUND_00_15(5, d, e, f, g, h, a, b, c); 304 (void)HOST_c2l(data, l); 305 T1 = X[6] = l; 306 ROUND_00_15(6, c, d, e, f, g, h, a, b); 307 (void)HOST_c2l(data, l); 308 T1 = X[7] = l; 309 ROUND_00_15(7, b, c, d, e, f, g, h, a); 310 (void)HOST_c2l(data, l); 311 T1 = X[8] = l; 312 ROUND_00_15(8, a, b, c, d, e, f, g, h); 313 (void)HOST_c2l(data, l); 314 T1 = X[9] = l; 315 ROUND_00_15(9, h, a, b, c, d, e, f, g); 316 (void)HOST_c2l(data, l); 317 T1 = X[10] = l; 318 ROUND_00_15(10, g, h, a, b, c, d, e, f); 319 (void)HOST_c2l(data, l); 320 T1 = X[11] = l; 321 ROUND_00_15(11, f, g, h, a, b, c, d, e); 322 (void)HOST_c2l(data, l); 323 T1 = X[12] = l; 324 ROUND_00_15(12, e, f, g, h, a, b, c, d); 325 (void)HOST_c2l(data, l); 326 T1 = X[13] = l; 327 ROUND_00_15(13, d, e, f, g, h, a, b, c); 328 (void)HOST_c2l(data, l); 329 T1 = X[14] = l; 330 ROUND_00_15(14, c, d, e, f, g, h, a, b); 331 (void)HOST_c2l(data, l); 332 T1 = X[15] = l; 333 ROUND_00_15(15, b, c, d, e, f, g, h, a); 334 } 335 336 for (i = 16; i < 64; i += 8) { 337 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 338 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 339 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 340 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 341 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 342 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 343 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 344 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 345 } 346 347 ctx->h[0] += a; 348 ctx->h[1] += b; 349 ctx->h[2] += c; 350 ctx->h[3] += d; 351 ctx->h[4] += e; 352 ctx->h[5] += f; 353 ctx->h[6] += g; 354 ctx->h[7] += h; 355 356 } 357} 358 359# endif 360#endif /* SHA256_ASM */ 361