]>
Commit | Line | Data |
---|---|---|
b1322259 | 1 | /* |
da1c088f | 2 | * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. |
b1322259 | 3 | * |
a598ed0d | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
c842261b | 8 | */ |
b1322259 | 9 | |
85d843c8 P |
10 | /* |
11 | * SHA256 low level APIs are deprecated for public use, but still ok for | |
12 | * internal use. | |
13 | */ | |
14 | #include "internal/deprecated.h" | |
15 | ||
165fca51 | 16 | #include <openssl/opensslconf.h> |
fbf96849 | 17 | |
474e469b RS |
18 | #include <stdlib.h> |
19 | #include <string.h> | |
0f113f3e | 20 | |
474e469b RS |
21 | #include <openssl/crypto.h> |
22 | #include <openssl/sha.h> | |
23 | #include <openssl/opensslv.h> | |
e23d850f | 24 | #include "internal/endian.h" |
81bafac5 | 25 | #include "crypto/sha.h" |
0f113f3e | 26 | |
0f113f3e MC |
27 | int SHA224_Init(SHA256_CTX *c) |
28 | { | |
29 | memset(c, 0, sizeof(*c)); | |
30 | c->h[0] = 0xc1059ed8UL; | |
31 | c->h[1] = 0x367cd507UL; | |
32 | c->h[2] = 0x3070dd17UL; | |
33 | c->h[3] = 0xf70e5939UL; | |
34 | c->h[4] = 0xffc00b31UL; | |
35 | c->h[5] = 0x68581511UL; | |
36 | c->h[6] = 0x64f98fa7UL; | |
37 | c->h[7] = 0xbefa4fa4UL; | |
38 | c->md_len = SHA224_DIGEST_LENGTH; | |
39 | return 1; | |
40 | } | |
41 | ||
42 | int SHA256_Init(SHA256_CTX *c) | |
43 | { | |
44 | memset(c, 0, sizeof(*c)); | |
45 | c->h[0] = 0x6a09e667UL; | |
46 | c->h[1] = 0xbb67ae85UL; | |
47 | c->h[2] = 0x3c6ef372UL; | |
48 | c->h[3] = 0xa54ff53aUL; | |
49 | c->h[4] = 0x510e527fUL; | |
50 | c->h[5] = 0x9b05688cUL; | |
51 | c->h[6] = 0x1f83d9abUL; | |
52 | c->h[7] = 0x5be0cd19UL; | |
53 | c->md_len = SHA256_DIGEST_LENGTH; | |
54 | return 1; | |
55 | } | |
c842261b | 56 | |
81bafac5 FD |
57 | int ossl_sha256_192_init(SHA256_CTX *c) |
58 | { | |
59 | SHA256_Init(c); | |
60 | c->md_len = SHA256_192_DIGEST_LENGTH; | |
61 | return 1; | |
62 | } | |
63 | ||
7997b13a | 64 | int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) |
0f113f3e MC |
65 | { |
66 | return SHA256_Update(c, data, len); | |
67 | } | |
7997b13a | 68 | |
0f113f3e MC |
69 | int SHA224_Final(unsigned char *md, SHA256_CTX *c) |
70 | { | |
71 | return SHA256_Final(md, c); | |
72 | } | |
73 | ||
474e469b RS |
74 | #define DATA_ORDER_IS_BIG_ENDIAN |
75 | ||
76 | #define HASH_LONG SHA_LONG | |
77 | #define HASH_CTX SHA256_CTX | |
78 | #define HASH_CBLOCK SHA_CBLOCK | |
c842261b | 79 | |
7997b13a AP |
80 | /* |
81 | * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." | |
82 | * default: case below covers for it. It's not clear however if it's | |
31e9b9b2 | 83 | * permitted to truncate to amount of bytes not divisible by 4. I bet not, |
7997b13a | 84 | * but if it is, then default: case shall be extended. For reference. |
0d4fb843 | 85 | * Idea behind separate cases for pre-defined lengths is to let the |
7997b13a AP |
86 | * compiler decide if it's appropriate to unroll small loops. |
87 | */ | |
474e469b | 88 | #define HASH_MAKE_STRING(c,s) do { \ |
0f113f3e MC |
89 | unsigned long ll; \ |
90 | unsigned int nn; \ | |
91 | switch ((c)->md_len) \ | |
81bafac5 FD |
92 | { case SHA256_192_DIGEST_LENGTH: \ |
93 | for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \ | |
94 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
95 | break; \ | |
96 | case SHA224_DIGEST_LENGTH: \ | |
0f113f3e MC |
97 | for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ |
98 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
99 | break; \ | |
100 | case SHA256_DIGEST_LENGTH: \ | |
101 | for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ | |
102 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
103 | break; \ | |
104 | default: \ | |
105 | if ((c)->md_len > SHA256_DIGEST_LENGTH) \ | |
106 | return 0; \ | |
107 | for (nn=0;nn<(c)->md_len/4;nn++) \ | |
108 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
109 | break; \ | |
110 | } \ | |
111 | } while (0) | |
112 | ||
474e469b RS |
113 | #define HASH_UPDATE SHA256_Update |
114 | #define HASH_TRANSFORM SHA256_Transform | |
115 | #define HASH_FINAL SHA256_Final | |
116 | #define HASH_BLOCK_DATA_ORDER sha256_block_data_order | |
117 | #ifndef SHA256_ASM | |
c5f17d45 | 118 | static |
474e469b | 119 | #endif |
0f113f3e | 120 | void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); |
c842261b | 121 | |
25f2138b | 122 | #include "crypto/md32_common.h" |
c842261b | 123 | |
474e469b | 124 | #ifndef SHA256_ASM |
c842261b | 125 | static const SHA_LONG K256[64] = { |
0f113f3e MC |
126 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
127 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | |
128 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | |
129 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | |
130 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | |
131 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | |
132 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | |
133 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | |
134 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | |
135 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | |
136 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | |
137 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | |
138 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | |
139 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | |
140 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | |
141 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL | |
142 | }; | |
c842261b | 143 | |
657d1927 MF |
144 | # ifndef PEDANTIC |
145 | # if defined(__GNUC__) && __GNUC__>=2 && \ | |
146 | !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) | |
cb2764f2 | 147 | # if defined(__riscv_zknh) |
657d1927 MF |
148 | # define Sigma0(x) ({ MD32_REG_T ret; \ |
149 | asm ("sha256sum0 %0, %1" \ | |
150 | : "=r"(ret) \ | |
151 | : "r"(x)); ret; }) | |
152 | # define Sigma1(x) ({ MD32_REG_T ret; \ | |
153 | asm ("sha256sum1 %0, %1" \ | |
154 | : "=r"(ret) \ | |
155 | : "r"(x)); ret; }) | |
156 | # define sigma0(x) ({ MD32_REG_T ret; \ | |
157 | asm ("sha256sig0 %0, %1" \ | |
158 | : "=r"(ret) \ | |
159 | : "r"(x)); ret; }) | |
160 | # define sigma1(x) ({ MD32_REG_T ret; \ | |
161 | asm ("sha256sig1 %0, %1" \ | |
162 | : "=r"(ret) \ | |
163 | : "r"(x)); ret; }) | |
164 | # endif | |
cb2764f2 | 165 | # if defined(__riscv_zbt) || defined(__riscv_zpn) |
657d1927 MF |
166 | # define Ch(x,y,z) ({ MD32_REG_T ret; \ |
167 | asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ | |
168 | : "=r"(ret) \ | |
169 | : "r"(x), "r"(y), "r"(z)); ret; }) | |
170 | # define Maj(x,y,z) ({ MD32_REG_T ret; \ | |
171 | asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ | |
172 | : "=r"(ret) \ | |
173 | : "r"(x^z), "r"(y), "r"(x)); ret; }) | |
174 | # endif | |
175 | # endif | |
176 | # endif | |
177 | ||
c842261b AP |
178 | /* |
179 | * FIPS specification refers to right rotations, while our ROTATE macro | |
180 | * is left one. This is why you might notice that rotation coefficients | |
181 | * differ from those observed in FIPS document by 32-N... | |
182 | */ | |
657d1927 MF |
183 | # ifndef Sigma0 |
184 | # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) | |
185 | # endif | |
186 | # ifndef Sigma1 | |
187 | # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) | |
188 | # endif | |
189 | # ifndef sigma0 | |
190 | # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) | |
191 | # endif | |
192 | # ifndef sigma1 | |
193 | # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) | |
194 | # endif | |
195 | # ifndef Ch | |
196 | # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) | |
197 | # endif | |
198 | # ifndef Maj | |
199 | # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) | |
200 | # endif | |
0f113f3e | 201 | |
474e469b | 202 | # ifdef OPENSSL_SMALL_FOOTPRINT |
0f113f3e MC |
203 | |
204 | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, | |
205 | size_t num) | |
206 | { | |
207 | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; | |
208 | SHA_LONG X[16], l; | |
209 | int i; | |
210 | const unsigned char *data = in; | |
211 | ||
212 | while (num--) { | |
213 | ||
214 | a = ctx->h[0]; | |
215 | b = ctx->h[1]; | |
216 | c = ctx->h[2]; | |
217 | d = ctx->h[3]; | |
218 | e = ctx->h[4]; | |
219 | f = ctx->h[5]; | |
220 | g = ctx->h[6]; | |
221 | h = ctx->h[7]; | |
222 | ||
223 | for (i = 0; i < 16; i++) { | |
09977dd0 | 224 | (void)HOST_c2l(data, l); |
0f113f3e MC |
225 | T1 = X[i] = l; |
226 | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; | |
227 | T2 = Sigma0(a) + Maj(a, b, c); | |
228 | h = g; | |
229 | g = f; | |
230 | f = e; | |
231 | e = d + T1; | |
232 | d = c; | |
233 | c = b; | |
234 | b = a; | |
235 | a = T1 + T2; | |
236 | } | |
237 | ||
238 | for (; i < 64; i++) { | |
239 | s0 = X[(i + 1) & 0x0f]; | |
240 | s0 = sigma0(s0); | |
241 | s1 = X[(i + 14) & 0x0f]; | |
242 | s1 = sigma1(s1); | |
243 | ||
244 | T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; | |
245 | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; | |
246 | T2 = Sigma0(a) + Maj(a, b, c); | |
247 | h = g; | |
248 | g = f; | |
249 | f = e; | |
250 | e = d + T1; | |
251 | d = c; | |
252 | c = b; | |
253 | b = a; | |
254 | a = T1 + T2; | |
255 | } | |
256 | ||
257 | ctx->h[0] += a; | |
258 | ctx->h[1] += b; | |
259 | ctx->h[2] += c; | |
260 | ctx->h[3] += d; | |
261 | ctx->h[4] += e; | |
262 | ctx->h[5] += f; | |
263 | ctx->h[6] += g; | |
264 | ctx->h[7] += h; | |
265 | ||
266 | } | |
c842261b AP |
267 | } |
268 | ||
474e469b | 269 | # else |
0f113f3e | 270 | |
474e469b | 271 | # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ |
0f113f3e MC |
272 | T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ |
273 | h = Sigma0(a) + Maj(a,b,c); \ | |
274 | d += T1; h += T1; } while (0) | |
275 | ||
474e469b | 276 | # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ |
0f113f3e MC |
277 | s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ |
278 | s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ | |
279 | T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ | |
280 | ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) | |
281 | ||
282 | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, | |
283 | size_t num) | |
284 | { | |
285 | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; | |
286 | SHA_LONG X[16]; | |
287 | int i; | |
288 | const unsigned char *data = in; | |
e23d850f | 289 | DECLARE_IS_ENDIAN; |
0f113f3e MC |
290 | |
291 | while (num--) { | |
292 | ||
293 | a = ctx->h[0]; | |
294 | b = ctx->h[1]; | |
295 | c = ctx->h[2]; | |
296 | d = ctx->h[3]; | |
297 | e = ctx->h[4]; | |
298 | f = ctx->h[5]; | |
299 | g = ctx->h[6]; | |
300 | h = ctx->h[7]; | |
301 | ||
e23d850f | 302 | if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4 |
0f113f3e MC |
303 | && ((size_t)in % 4) == 0) { |
304 | const SHA_LONG *W = (const SHA_LONG *)data; | |
305 | ||
306 | T1 = X[0] = W[0]; | |
307 | ROUND_00_15(0, a, b, c, d, e, f, g, h); | |
308 | T1 = X[1] = W[1]; | |
309 | ROUND_00_15(1, h, a, b, c, d, e, f, g); | |
310 | T1 = X[2] = W[2]; | |
311 | ROUND_00_15(2, g, h, a, b, c, d, e, f); | |
312 | T1 = X[3] = W[3]; | |
313 | ROUND_00_15(3, f, g, h, a, b, c, d, e); | |
314 | T1 = X[4] = W[4]; | |
315 | ROUND_00_15(4, e, f, g, h, a, b, c, d); | |
316 | T1 = X[5] = W[5]; | |
317 | ROUND_00_15(5, d, e, f, g, h, a, b, c); | |
318 | T1 = X[6] = W[6]; | |
319 | ROUND_00_15(6, c, d, e, f, g, h, a, b); | |
320 | T1 = X[7] = W[7]; | |
321 | ROUND_00_15(7, b, c, d, e, f, g, h, a); | |
322 | T1 = X[8] = W[8]; | |
323 | ROUND_00_15(8, a, b, c, d, e, f, g, h); | |
324 | T1 = X[9] = W[9]; | |
325 | ROUND_00_15(9, h, a, b, c, d, e, f, g); | |
326 | T1 = X[10] = W[10]; | |
327 | ROUND_00_15(10, g, h, a, b, c, d, e, f); | |
328 | T1 = X[11] = W[11]; | |
329 | ROUND_00_15(11, f, g, h, a, b, c, d, e); | |
330 | T1 = X[12] = W[12]; | |
331 | ROUND_00_15(12, e, f, g, h, a, b, c, d); | |
332 | T1 = X[13] = W[13]; | |
333 | ROUND_00_15(13, d, e, f, g, h, a, b, c); | |
334 | T1 = X[14] = W[14]; | |
335 | ROUND_00_15(14, c, d, e, f, g, h, a, b); | |
336 | T1 = X[15] = W[15]; | |
337 | ROUND_00_15(15, b, c, d, e, f, g, h, a); | |
338 | ||
339 | data += SHA256_CBLOCK; | |
340 | } else { | |
341 | SHA_LONG l; | |
342 | ||
09977dd0 | 343 | (void)HOST_c2l(data, l); |
0f113f3e MC |
344 | T1 = X[0] = l; |
345 | ROUND_00_15(0, a, b, c, d, e, f, g, h); | |
09977dd0 | 346 | (void)HOST_c2l(data, l); |
0f113f3e MC |
347 | T1 = X[1] = l; |
348 | ROUND_00_15(1, h, a, b, c, d, e, f, g); | |
09977dd0 | 349 | (void)HOST_c2l(data, l); |
0f113f3e MC |
350 | T1 = X[2] = l; |
351 | ROUND_00_15(2, g, h, a, b, c, d, e, f); | |
09977dd0 | 352 | (void)HOST_c2l(data, l); |
0f113f3e MC |
353 | T1 = X[3] = l; |
354 | ROUND_00_15(3, f, g, h, a, b, c, d, e); | |
09977dd0 | 355 | (void)HOST_c2l(data, l); |
0f113f3e MC |
356 | T1 = X[4] = l; |
357 | ROUND_00_15(4, e, f, g, h, a, b, c, d); | |
09977dd0 | 358 | (void)HOST_c2l(data, l); |
0f113f3e MC |
359 | T1 = X[5] = l; |
360 | ROUND_00_15(5, d, e, f, g, h, a, b, c); | |
09977dd0 | 361 | (void)HOST_c2l(data, l); |
0f113f3e MC |
362 | T1 = X[6] = l; |
363 | ROUND_00_15(6, c, d, e, f, g, h, a, b); | |
09977dd0 | 364 | (void)HOST_c2l(data, l); |
0f113f3e MC |
365 | T1 = X[7] = l; |
366 | ROUND_00_15(7, b, c, d, e, f, g, h, a); | |
09977dd0 | 367 | (void)HOST_c2l(data, l); |
0f113f3e MC |
368 | T1 = X[8] = l; |
369 | ROUND_00_15(8, a, b, c, d, e, f, g, h); | |
09977dd0 | 370 | (void)HOST_c2l(data, l); |
0f113f3e MC |
371 | T1 = X[9] = l; |
372 | ROUND_00_15(9, h, a, b, c, d, e, f, g); | |
09977dd0 | 373 | (void)HOST_c2l(data, l); |
0f113f3e MC |
374 | T1 = X[10] = l; |
375 | ROUND_00_15(10, g, h, a, b, c, d, e, f); | |
09977dd0 | 376 | (void)HOST_c2l(data, l); |
0f113f3e MC |
377 | T1 = X[11] = l; |
378 | ROUND_00_15(11, f, g, h, a, b, c, d, e); | |
09977dd0 | 379 | (void)HOST_c2l(data, l); |
0f113f3e MC |
380 | T1 = X[12] = l; |
381 | ROUND_00_15(12, e, f, g, h, a, b, c, d); | |
09977dd0 | 382 | (void)HOST_c2l(data, l); |
0f113f3e MC |
383 | T1 = X[13] = l; |
384 | ROUND_00_15(13, d, e, f, g, h, a, b, c); | |
09977dd0 | 385 | (void)HOST_c2l(data, l); |
0f113f3e MC |
386 | T1 = X[14] = l; |
387 | ROUND_00_15(14, c, d, e, f, g, h, a, b); | |
09977dd0 | 388 | (void)HOST_c2l(data, l); |
0f113f3e MC |
389 | T1 = X[15] = l; |
390 | ROUND_00_15(15, b, c, d, e, f, g, h, a); | |
391 | } | |
392 | ||
393 | for (i = 16; i < 64; i += 8) { | |
394 | ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); | |
395 | ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); | |
396 | ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); | |
397 | ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); | |
398 | ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); | |
399 | ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); | |
400 | ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); | |
401 | ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); | |
402 | } | |
403 | ||
404 | ctx->h[0] += a; | |
405 | ctx->h[1] += b; | |
406 | ctx->h[2] += c; | |
407 | ctx->h[3] += d; | |
408 | ctx->h[4] += e; | |
409 | ctx->h[5] += f; | |
410 | ctx->h[6] += g; | |
411 | ctx->h[7] += h; | |
412 | ||
413 | } | |
414 | } | |
415 | ||
474e469b RS |
416 | # endif |
417 | #endif /* SHA256_ASM */ |