]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/sha/sha256.c
projects / thirdparty / openssl.git / blob
? search:


096981b1a5d4eda1c22cba3aa727c2b7816de197
[thirdparty/openssl.git] / crypto / sha / sha256.c
1 /* crypto/sha/sha256.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
6 */
7 #include <openssl/opensslconf.h>
8
9 #include <stdlib.h>
10 #include <string.h>
11
12 #include <openssl/crypto.h>
13 #include <openssl/sha.h>
14 #include <openssl/opensslv.h>
15
16 int SHA224_Init(SHA256_CTX *c)
17 {
18 memset(c, 0, sizeof(*c));
19 c->h[0] = 0xc1059ed8UL;
20 c->h[1] = 0x367cd507UL;
21 c->h[2] = 0x3070dd17UL;
22 c->h[3] = 0xf70e5939UL;
23 c->h[4] = 0xffc00b31UL;
24 c->h[5] = 0x68581511UL;
25 c->h[6] = 0x64f98fa7UL;
26 c->h[7] = 0xbefa4fa4UL;
27 c->md_len = SHA224_DIGEST_LENGTH;
28 return 1;
29 }
30
31 int SHA256_Init(SHA256_CTX *c)
32 {
33 memset(c, 0, sizeof(*c));
34 c->h[0] = 0x6a09e667UL;
35 c->h[1] = 0xbb67ae85UL;
36 c->h[2] = 0x3c6ef372UL;
37 c->h[3] = 0xa54ff53aUL;
38 c->h[4] = 0x510e527fUL;
39 c->h[5] = 0x9b05688cUL;
40 c->h[6] = 0x1f83d9abUL;
41 c->h[7] = 0x5be0cd19UL;
42 c->md_len = SHA256_DIGEST_LENGTH;
43 return 1;
44 }
45
46 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
47 {
48 SHA256_CTX c;
49 static unsigned char m[SHA224_DIGEST_LENGTH];
50
51 if (md == NULL)
52 md = m;
53 SHA224_Init(&c);
54 SHA256_Update(&c, d, n);
55 SHA256_Final(md, &c);
56 OPENSSL_cleanse(&c, sizeof(c));
57 return (md);
58 }
59
60 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
61 {
62 SHA256_CTX c;
63 static unsigned char m[SHA256_DIGEST_LENGTH];
64
65 if (md == NULL)
66 md = m;
67 SHA256_Init(&c);
68 SHA256_Update(&c, d, n);
69 SHA256_Final(md, &c);
70 OPENSSL_cleanse(&c, sizeof(c));
71 return (md);
72 }
73
74 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
75 {
76 return SHA256_Update(c, data, len);
77 }
78
79 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
80 {
81 return SHA256_Final(md, c);
82 }
83
84 #define DATA_ORDER_IS_BIG_ENDIAN
85
86 #define HASH_LONG SHA_LONG
87 #define HASH_CTX SHA256_CTX
88 #define HASH_CBLOCK SHA_CBLOCK
89
90 /*
91 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
92 * default: case below covers for it. It's not clear however if it's
93 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
94 * but if it is, then default: case shall be extended. For reference.
95 * Idea behind separate cases for pre-defined lenghts is to let the
96 * compiler decide if it's appropriate to unroll small loops.
97 */
98 #define HASH_MAKE_STRING(c,s) do { \
99 unsigned long ll; \
100 unsigned int nn; \
101 switch ((c)->md_len) \
102 { case SHA224_DIGEST_LENGTH: \
103 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
104 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
105 break; \
106 case SHA256_DIGEST_LENGTH: \
107 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
108 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109 break; \
110 default: \
111 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
112 return 0; \
113 for (nn=0;nn<(c)->md_len/4;nn++) \
114 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
115 break; \
116 } \
117 } while (0)
118
119 #define HASH_UPDATE SHA256_Update
120 #define HASH_TRANSFORM SHA256_Transform
121 #define HASH_FINAL SHA256_Final
122 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
123 #ifndef SHA256_ASM
124 static
125 #endif
126 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
127
128 #include "internal/md32_common.h"
129
130 #ifndef SHA256_ASM
131 static const SHA_LONG K256[64] = {
132 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
133 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
134 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
135 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
136 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
137 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
138 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
139 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
140 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
141 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
142 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
143 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
144 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
145 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
146 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
147 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
148 };
149
150 /*
151 * FIPS specification refers to right rotations, while our ROTATE macro
152 * is left one. This is why you might notice that rotation coefficients
153 * differ from those observed in FIPS document by 32-N...
154 */
155 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
156 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
157 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
158 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
159
160 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
161 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
162
163 # ifdef OPENSSL_SMALL_FOOTPRINT
164
165 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
166 size_t num)
167 {
168 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
169 SHA_LONG X[16], l;
170 int i;
171 const unsigned char *data = in;
172
173 while (num--) {
174
175 a = ctx->h[0];
176 b = ctx->h[1];
177 c = ctx->h[2];
178 d = ctx->h[3];
179 e = ctx->h[4];
180 f = ctx->h[5];
181 g = ctx->h[6];
182 h = ctx->h[7];
183
184 for (i = 0; i < 16; i++) {
185 HOST_c2l(data, l);
186 T1 = X[i] = l;
187 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
188 T2 = Sigma0(a) + Maj(a, b, c);
189 h = g;
190 g = f;
191 f = e;
192 e = d + T1;
193 d = c;
194 c = b;
195 b = a;
196 a = T1 + T2;
197 }
198
199 for (; i < 64; i++) {
200 s0 = X[(i + 1) & 0x0f];
201 s0 = sigma0(s0);
202 s1 = X[(i + 14) & 0x0f];
203 s1 = sigma1(s1);
204
205 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
206 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
207 T2 = Sigma0(a) + Maj(a, b, c);
208 h = g;
209 g = f;
210 f = e;
211 e = d + T1;
212 d = c;
213 c = b;
214 b = a;
215 a = T1 + T2;
216 }
217
218 ctx->h[0] += a;
219 ctx->h[1] += b;
220 ctx->h[2] += c;
221 ctx->h[3] += d;
222 ctx->h[4] += e;
223 ctx->h[5] += f;
224 ctx->h[6] += g;
225 ctx->h[7] += h;
226
227 }
228 }
229
230 # else
231
232 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
233 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
234 h = Sigma0(a) + Maj(a,b,c); \
235 d += T1; h += T1; } while (0)
236
237 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
238 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
239 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
240 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
241 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
242
243 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
244 size_t num)
245 {
246 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
247 SHA_LONG X[16];
248 int i;
249 const unsigned char *data = in;
250 const union {
251 long one;
252 char little;
253 } is_endian = {
254 1
255 };
256
257 while (num--) {
258
259 a = ctx->h[0];
260 b = ctx->h[1];
261 c = ctx->h[2];
262 d = ctx->h[3];
263 e = ctx->h[4];
264 f = ctx->h[5];
265 g = ctx->h[6];
266 h = ctx->h[7];
267
268 if (!is_endian.little && sizeof(SHA_LONG) == 4
269 && ((size_t)in % 4) == 0) {
270 const SHA_LONG *W = (const SHA_LONG *)data;
271
272 T1 = X[0] = W[0];
273 ROUND_00_15(0, a, b, c, d, e, f, g, h);
274 T1 = X[1] = W[1];
275 ROUND_00_15(1, h, a, b, c, d, e, f, g);
276 T1 = X[2] = W[2];
277 ROUND_00_15(2, g, h, a, b, c, d, e, f);
278 T1 = X[3] = W[3];
279 ROUND_00_15(3, f, g, h, a, b, c, d, e);
280 T1 = X[4] = W[4];
281 ROUND_00_15(4, e, f, g, h, a, b, c, d);
282 T1 = X[5] = W[5];
283 ROUND_00_15(5, d, e, f, g, h, a, b, c);
284 T1 = X[6] = W[6];
285 ROUND_00_15(6, c, d, e, f, g, h, a, b);
286 T1 = X[7] = W[7];
287 ROUND_00_15(7, b, c, d, e, f, g, h, a);
288 T1 = X[8] = W[8];
289 ROUND_00_15(8, a, b, c, d, e, f, g, h);
290 T1 = X[9] = W[9];
291 ROUND_00_15(9, h, a, b, c, d, e, f, g);
292 T1 = X[10] = W[10];
293 ROUND_00_15(10, g, h, a, b, c, d, e, f);
294 T1 = X[11] = W[11];
295 ROUND_00_15(11, f, g, h, a, b, c, d, e);
296 T1 = X[12] = W[12];
297 ROUND_00_15(12, e, f, g, h, a, b, c, d);
298 T1 = X[13] = W[13];
299 ROUND_00_15(13, d, e, f, g, h, a, b, c);
300 T1 = X[14] = W[14];
301 ROUND_00_15(14, c, d, e, f, g, h, a, b);
302 T1 = X[15] = W[15];
303 ROUND_00_15(15, b, c, d, e, f, g, h, a);
304
305 data += SHA256_CBLOCK;
306 } else {
307 SHA_LONG l;
308
309 HOST_c2l(data, l);
310 T1 = X[0] = l;
311 ROUND_00_15(0, a, b, c, d, e, f, g, h);
312 HOST_c2l(data, l);
313 T1 = X[1] = l;
314 ROUND_00_15(1, h, a, b, c, d, e, f, g);
315 HOST_c2l(data, l);
316 T1 = X[2] = l;
317 ROUND_00_15(2, g, h, a, b, c, d, e, f);
318 HOST_c2l(data, l);
319 T1 = X[3] = l;
320 ROUND_00_15(3, f, g, h, a, b, c, d, e);
321 HOST_c2l(data, l);
322 T1 = X[4] = l;
323 ROUND_00_15(4, e, f, g, h, a, b, c, d);
324 HOST_c2l(data, l);
325 T1 = X[5] = l;
326 ROUND_00_15(5, d, e, f, g, h, a, b, c);
327 HOST_c2l(data, l);
328 T1 = X[6] = l;
329 ROUND_00_15(6, c, d, e, f, g, h, a, b);
330 HOST_c2l(data, l);
331 T1 = X[7] = l;
332 ROUND_00_15(7, b, c, d, e, f, g, h, a);
333 HOST_c2l(data, l);
334 T1 = X[8] = l;
335 ROUND_00_15(8, a, b, c, d, e, f, g, h);
336 HOST_c2l(data, l);
337 T1 = X[9] = l;
338 ROUND_00_15(9, h, a, b, c, d, e, f, g);
339 HOST_c2l(data, l);
340 T1 = X[10] = l;
341 ROUND_00_15(10, g, h, a, b, c, d, e, f);
342 HOST_c2l(data, l);
343 T1 = X[11] = l;
344 ROUND_00_15(11, f, g, h, a, b, c, d, e);
345 HOST_c2l(data, l);
346 T1 = X[12] = l;
347 ROUND_00_15(12, e, f, g, h, a, b, c, d);
348 HOST_c2l(data, l);
349 T1 = X[13] = l;
350 ROUND_00_15(13, d, e, f, g, h, a, b, c);
351 HOST_c2l(data, l);
352 T1 = X[14] = l;
353 ROUND_00_15(14, c, d, e, f, g, h, a, b);
354 HOST_c2l(data, l);
355 T1 = X[15] = l;
356 ROUND_00_15(15, b, c, d, e, f, g, h, a);
357 }
358
359 for (i = 16; i < 64; i += 8) {
360 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
361 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
362 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
363 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
364 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
365 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
366 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
367 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
368 }
369
370 ctx->h[0] += a;
371 ctx->h[1] += b;
372 ctx->h[2] += c;
373 ctx->h[3] += d;
374 ctx->h[4] += e;
375 ctx->h[5] += f;
376 ctx->h[6] += g;
377 ctx->h[7] += h;
378
379 }
380 }
381
382 # endif
383 #endif /* SHA256_ASM */
A mirror of the official openssl repository