]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/sha/sha256.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Copyright year updates
[thirdparty/openssl.git] / crypto / sha / sha256.c
CommitLineData
b1322259 1/*
da1c088f 2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
b1322259 3 *
a598ed0d 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
b1322259
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
c842261b 8 */
b1322259 9
85d843c8
P		 10/*
11 * SHA256 low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
165fca51 16#include <openssl/opensslconf.h>
fbf96849 17
474e469b
RS		 18#include <stdlib.h>
19#include <string.h>
0f113f3e 20
474e469b
RS		 21#include <openssl/crypto.h>
22#include <openssl/sha.h>
23#include <openssl/opensslv.h>
e23d850f 24#include "internal/endian.h"
81bafac5 25#include "crypto/sha.h"
0f113f3e 26
0f113f3e
MC		 27int SHA224_Init(SHA256_CTX *c)
28{
29 memset(c, 0, sizeof(*c));
30 c->h[0] = 0xc1059ed8UL;
31 c->h[1] = 0x367cd507UL;
32 c->h[2] = 0x3070dd17UL;
33 c->h[3] = 0xf70e5939UL;
34 c->h[4] = 0xffc00b31UL;
35 c->h[5] = 0x68581511UL;
36 c->h[6] = 0x64f98fa7UL;
37 c->h[7] = 0xbefa4fa4UL;
38 c->md_len = SHA224_DIGEST_LENGTH;
39 return 1;
40}
41
42int SHA256_Init(SHA256_CTX *c)
43{
44 memset(c, 0, sizeof(*c));
45 c->h[0] = 0x6a09e667UL;
46 c->h[1] = 0xbb67ae85UL;
47 c->h[2] = 0x3c6ef372UL;
48 c->h[3] = 0xa54ff53aUL;
49 c->h[4] = 0x510e527fUL;
50 c->h[5] = 0x9b05688cUL;
51 c->h[6] = 0x1f83d9abUL;
52 c->h[7] = 0x5be0cd19UL;
53 c->md_len = SHA256_DIGEST_LENGTH;
54 return 1;
55}
c842261b 56
81bafac5
FD		 57int ossl_sha256_192_init(SHA256_CTX *c)
58{
59 SHA256_Init(c);
60 c->md_len = SHA256_192_DIGEST_LENGTH;
61 return 1;
62}
63
7997b13a 64int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
0f113f3e
MC		 65{
66 return SHA256_Update(c, data, len);
67}
7997b13a 68
0f113f3e
MC		 69int SHA224_Final(unsigned char *md, SHA256_CTX *c)
70{
71 return SHA256_Final(md, c);
72}
73
474e469b
RS		 74#define DATA_ORDER_IS_BIG_ENDIAN
75
76#define HASH_LONG SHA_LONG
77#define HASH_CTX SHA256_CTX
78#define HASH_CBLOCK SHA_CBLOCK
c842261b 79
7997b13a
AP		 80/*
81 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82 * default: case below covers for it. It's not clear however if it's
31e9b9b2 83 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
7997b13a 84 * but if it is, then default: case shall be extended. For reference.
0d4fb843 85 * Idea behind separate cases for pre-defined lengths is to let the
7997b13a
AP		 86 * compiler decide if it's appropriate to unroll small loops.
87 */
474e469b 88#define HASH_MAKE_STRING(c,s) do { \
0f113f3e
MC		 89 unsigned long ll; \
90 unsigned int nn; \
91 switch ((c)->md_len) \
81bafac5
FD		 92 { case SHA256_192_DIGEST_LENGTH: \
93 for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
95 break; \
96 case SHA224_DIGEST_LENGTH: \
0f113f3e
MC		 97 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
99 break; \
100 case SHA256_DIGEST_LENGTH: \
101 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
103 break; \
104 default: \
105 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
106 return 0; \
107 for (nn=0;nn<(c)->md_len/4;nn++) \
108 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109 break; \
110 } \
111 } while (0)
112
474e469b
RS		 113#define HASH_UPDATE SHA256_Update
114#define HASH_TRANSFORM SHA256_Transform
115#define HASH_FINAL SHA256_Final
116#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
117#ifndef SHA256_ASM
c5f17d45 118static
474e469b 119#endif
0f113f3e 120void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
c842261b 121
25f2138b 122#include "crypto/md32_common.h"
c842261b 123
474e469b 124#ifndef SHA256_ASM
c842261b 125static const SHA_LONG K256[64] = {
0f113f3e
MC		 126 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
127 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
128 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
129 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
130 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
131 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
132 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
133 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
134 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
135 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
136 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
137 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
138 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
139 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
140 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
141 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
142};
c842261b 143
657d1927
MF		 144# ifndef PEDANTIC
145# if defined(__GNUC__) && __GNUC__>=2 && \
146 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
cb2764f2 147# if defined(__riscv_zknh)
657d1927
MF		 148# define Sigma0(x) ({ MD32_REG_T ret; \
149 asm ("sha256sum0 %0, %1" \
150 : "=r"(ret) \
151 : "r"(x)); ret; })
152# define Sigma1(x) ({ MD32_REG_T ret; \
153 asm ("sha256sum1 %0, %1" \
154 : "=r"(ret) \
155 : "r"(x)); ret; })
156# define sigma0(x) ({ MD32_REG_T ret; \
157 asm ("sha256sig0 %0, %1" \
158 : "=r"(ret) \
159 : "r"(x)); ret; })
160# define sigma1(x) ({ MD32_REG_T ret; \
161 asm ("sha256sig1 %0, %1" \
162 : "=r"(ret) \
163 : "r"(x)); ret; })
164# endif
cb2764f2 165# if defined(__riscv_zbt) || defined(__riscv_zpn)
657d1927
MF		 166# define Ch(x,y,z) ({ MD32_REG_T ret; \
167 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
168 : "=r"(ret) \
169 : "r"(x), "r"(y), "r"(z)); ret; })
170# define Maj(x,y,z) ({ MD32_REG_T ret; \
171 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
172 : "=r"(ret) \
173 : "r"(x^z), "r"(y), "r"(x)); ret; })
174# endif
175# endif
176# endif
177
c842261b
AP		 178/*
179 * FIPS specification refers to right rotations, while our ROTATE macro
180 * is left one. This is why you might notice that rotation coefficients
181 * differ from those observed in FIPS document by 32-N...
182 */
657d1927
MF		 183# ifndef Sigma0
184# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
185# endif
186# ifndef Sigma1
187# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
188# endif
189# ifndef sigma0
190# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
191# endif
192# ifndef sigma1
193# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
194# endif
195# ifndef Ch
196# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
197# endif
198# ifndef Maj
199# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
200# endif
0f113f3e 201
474e469b 202# ifdef OPENSSL_SMALL_FOOTPRINT
0f113f3e
MC		 203
204static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
205 size_t num)
206{
207 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
208 SHA_LONG X[16], l;
209 int i;
210 const unsigned char *data = in;
211
212 while (num--) {
213
214 a = ctx->h[0];
215 b = ctx->h[1];
216 c = ctx->h[2];
217 d = ctx->h[3];
218 e = ctx->h[4];
219 f = ctx->h[5];
220 g = ctx->h[6];
221 h = ctx->h[7];
222
223 for (i = 0; i < 16; i++) {
09977dd0 224 (void)HOST_c2l(data, l);
0f113f3e
MC		 225 T1 = X[i] = l;
226 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
227 T2 = Sigma0(a) + Maj(a, b, c);
228 h = g;
229 g = f;
230 f = e;
231 e = d + T1;
232 d = c;
233 c = b;
234 b = a;
235 a = T1 + T2;
236 }
237
238 for (; i < 64; i++) {
239 s0 = X[(i + 1) & 0x0f];
240 s0 = sigma0(s0);
241 s1 = X[(i + 14) & 0x0f];
242 s1 = sigma1(s1);
243
244 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
245 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
246 T2 = Sigma0(a) + Maj(a, b, c);
247 h = g;
248 g = f;
249 f = e;
250 e = d + T1;
251 d = c;
252 c = b;
253 b = a;
254 a = T1 + T2;
255 }
256
257 ctx->h[0] += a;
258 ctx->h[1] += b;
259 ctx->h[2] += c;
260 ctx->h[3] += d;
261 ctx->h[4] += e;
262 ctx->h[5] += f;
263 ctx->h[6] += g;
264 ctx->h[7] += h;
265
266 }
c842261b
AP		 267}
268
474e469b 269# else
0f113f3e 270
474e469b 271# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
0f113f3e
MC		 272 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
273 h = Sigma0(a) + Maj(a,b,c); \
274 d += T1; h += T1; } while (0)
275
474e469b 276# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
0f113f3e
MC		 277 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
278 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
279 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
280 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
281
282static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
283 size_t num)
284{
285 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
286 SHA_LONG X[16];
287 int i;
288 const unsigned char *data = in;
e23d850f 289 DECLARE_IS_ENDIAN;
0f113f3e
MC		 290
291 while (num--) {
292
293 a = ctx->h[0];
294 b = ctx->h[1];
295 c = ctx->h[2];
296 d = ctx->h[3];
297 e = ctx->h[4];
298 f = ctx->h[5];
299 g = ctx->h[6];
300 h = ctx->h[7];
301
e23d850f 302 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
0f113f3e
MC		 303 && ((size_t)in % 4) == 0) {
304 const SHA_LONG *W = (const SHA_LONG *)data;
305
306 T1 = X[0] = W[0];
307 ROUND_00_15(0, a, b, c, d, e, f, g, h);
308 T1 = X[1] = W[1];
309 ROUND_00_15(1, h, a, b, c, d, e, f, g);
310 T1 = X[2] = W[2];
311 ROUND_00_15(2, g, h, a, b, c, d, e, f);
312 T1 = X[3] = W[3];
313 ROUND_00_15(3, f, g, h, a, b, c, d, e);
314 T1 = X[4] = W[4];
315 ROUND_00_15(4, e, f, g, h, a, b, c, d);
316 T1 = X[5] = W[5];
317 ROUND_00_15(5, d, e, f, g, h, a, b, c);
318 T1 = X[6] = W[6];
319 ROUND_00_15(6, c, d, e, f, g, h, a, b);
320 T1 = X[7] = W[7];
321 ROUND_00_15(7, b, c, d, e, f, g, h, a);
322 T1 = X[8] = W[8];
323 ROUND_00_15(8, a, b, c, d, e, f, g, h);
324 T1 = X[9] = W[9];
325 ROUND_00_15(9, h, a, b, c, d, e, f, g);
326 T1 = X[10] = W[10];
327 ROUND_00_15(10, g, h, a, b, c, d, e, f);
328 T1 = X[11] = W[11];
329 ROUND_00_15(11, f, g, h, a, b, c, d, e);
330 T1 = X[12] = W[12];
331 ROUND_00_15(12, e, f, g, h, a, b, c, d);
332 T1 = X[13] = W[13];
333 ROUND_00_15(13, d, e, f, g, h, a, b, c);
334 T1 = X[14] = W[14];
335 ROUND_00_15(14, c, d, e, f, g, h, a, b);
336 T1 = X[15] = W[15];
337 ROUND_00_15(15, b, c, d, e, f, g, h, a);
338
339 data += SHA256_CBLOCK;
340 } else {
341 SHA_LONG l;
342
09977dd0 343 (void)HOST_c2l(data, l);
0f113f3e
MC		 344 T1 = X[0] = l;
345 ROUND_00_15(0, a, b, c, d, e, f, g, h);
09977dd0 346 (void)HOST_c2l(data, l);
0f113f3e
MC		 347 T1 = X[1] = l;
348 ROUND_00_15(1, h, a, b, c, d, e, f, g);
09977dd0 349 (void)HOST_c2l(data, l);
0f113f3e
MC		 350 T1 = X[2] = l;
351 ROUND_00_15(2, g, h, a, b, c, d, e, f);
09977dd0 352 (void)HOST_c2l(data, l);
0f113f3e
MC		 353 T1 = X[3] = l;
354 ROUND_00_15(3, f, g, h, a, b, c, d, e);
09977dd0 355 (void)HOST_c2l(data, l);
0f113f3e
MC		 356 T1 = X[4] = l;
357 ROUND_00_15(4, e, f, g, h, a, b, c, d);
09977dd0 358 (void)HOST_c2l(data, l);
0f113f3e
MC		 359 T1 = X[5] = l;
360 ROUND_00_15(5, d, e, f, g, h, a, b, c);
09977dd0 361 (void)HOST_c2l(data, l);
0f113f3e
MC		 362 T1 = X[6] = l;
363 ROUND_00_15(6, c, d, e, f, g, h, a, b);
09977dd0 364 (void)HOST_c2l(data, l);
0f113f3e
MC		 365 T1 = X[7] = l;
366 ROUND_00_15(7, b, c, d, e, f, g, h, a);
09977dd0 367 (void)HOST_c2l(data, l);
0f113f3e
MC		 368 T1 = X[8] = l;
369 ROUND_00_15(8, a, b, c, d, e, f, g, h);
09977dd0 370 (void)HOST_c2l(data, l);
0f113f3e
MC		 371 T1 = X[9] = l;
372 ROUND_00_15(9, h, a, b, c, d, e, f, g);
09977dd0 373 (void)HOST_c2l(data, l);
0f113f3e
MC		 374 T1 = X[10] = l;
375 ROUND_00_15(10, g, h, a, b, c, d, e, f);
09977dd0 376 (void)HOST_c2l(data, l);
0f113f3e
MC		 377 T1 = X[11] = l;
378 ROUND_00_15(11, f, g, h, a, b, c, d, e);
09977dd0 379 (void)HOST_c2l(data, l);
0f113f3e
MC		 380 T1 = X[12] = l;
381 ROUND_00_15(12, e, f, g, h, a, b, c, d);
09977dd0 382 (void)HOST_c2l(data, l);
0f113f3e
MC		 383 T1 = X[13] = l;
384 ROUND_00_15(13, d, e, f, g, h, a, b, c);
09977dd0 385 (void)HOST_c2l(data, l);
0f113f3e
MC		 386 T1 = X[14] = l;
387 ROUND_00_15(14, c, d, e, f, g, h, a, b);
09977dd0 388 (void)HOST_c2l(data, l);
0f113f3e
MC		 389 T1 = X[15] = l;
390 ROUND_00_15(15, b, c, d, e, f, g, h, a);
391 }
392
393 for (i = 16; i < 64; i += 8) {
394 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
395 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
396 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
397 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
398 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
399 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
400 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
401 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
402 }
403
404 ctx->h[0] += a;
405 ctx->h[1] += b;
406 ctx->h[2] += c;
407 ctx->h[3] += d;
408 ctx->h[4] += e;
409 ctx->h[5] += f;
410 ctx->h[6] += g;
411 ctx->h[7] += h;
412
413 }
414}
415
474e469b
RS		 416# endif
417#endif /* SHA256_ASM */
A mirror of the official openssl repository