/src/openssl30/crypto/sha/sha256.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * SHA256 low level APIs are deprecated for public use, but still ok for |
12 | | * internal use. |
13 | | */ |
14 | | #include "internal/deprecated.h" |
15 | | |
16 | | #include <openssl/opensslconf.h> |
17 | | |
18 | | #include <stdlib.h> |
19 | | #include <string.h> |
20 | | |
21 | | #include <openssl/crypto.h> |
22 | | #include <openssl/sha.h> |
23 | | #include <openssl/opensslv.h> |
24 | | #include "internal/endian.h" |
25 | | |
26 | | int SHA224_Init(SHA256_CTX *c) |
27 | 269k | { |
28 | 269k | memset(c, 0, sizeof(*c)); |
29 | 269k | c->h[0] = 0xc1059ed8UL; |
30 | 269k | c->h[1] = 0x367cd507UL; |
31 | 269k | c->h[2] = 0x3070dd17UL; |
32 | 269k | c->h[3] = 0xf70e5939UL; |
33 | 269k | c->h[4] = 0xffc00b31UL; |
34 | 269k | c->h[5] = 0x68581511UL; |
35 | 269k | c->h[6] = 0x64f98fa7UL; |
36 | 269k | c->h[7] = 0xbefa4fa4UL; |
37 | 269k | c->md_len = SHA224_DIGEST_LENGTH; |
38 | 269k | return 1; |
39 | 269k | } |
40 | | |
41 | | int SHA256_Init(SHA256_CTX *c) |
42 | 742M | { |
43 | 742M | memset(c, 0, sizeof(*c)); |
44 | 742M | c->h[0] = 0x6a09e667UL; |
45 | 742M | c->h[1] = 0xbb67ae85UL; |
46 | 742M | c->h[2] = 0x3c6ef372UL; |
47 | 742M | c->h[3] = 0xa54ff53aUL; |
48 | 742M | c->h[4] = 0x510e527fUL; |
49 | 742M | c->h[5] = 0x9b05688cUL; |
50 | 742M | c->h[6] = 0x1f83d9abUL; |
51 | 742M | c->h[7] = 0x5be0cd19UL; |
52 | 742M | c->md_len = SHA256_DIGEST_LENGTH; |
53 | 742M | return 1; |
54 | 742M | } |
55 | | |
56 | | int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) |
57 | 271k | { |
58 | 271k | return SHA256_Update(c, data, len); |
59 | 271k | } |
60 | | |
61 | | int SHA224_Final(unsigned char *md, SHA256_CTX *c) |
62 | 268k | { |
63 | 268k | return SHA256_Final(md, c); |
64 | 268k | } |
65 | | |
66 | | #define DATA_ORDER_IS_BIG_ENDIAN |
67 | | |
68 | 1.06G | #define HASH_LONG SHA_LONG |
69 | | #define HASH_CTX SHA256_CTX |
70 | 2.66G | #define HASH_CBLOCK SHA_CBLOCK |
71 | | |
72 | | /* |
73 | | * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." |
74 | | * default: case below covers for it. It's not clear however if it's |
75 | | * permitted to truncate to amount of bytes not divisible by 4. I bet not, |
76 | | * but if it is, then default: case shall be extended. For reference. |
77 | | * Idea behind separate cases for pre-defined lengths is to let the |
78 | | * compiler decide if it's appropriate to unroll small loops. |
79 | | */ |
80 | | #define HASH_MAKE_STRING(c, s) \ |
81 | 149k | do { \ |
82 | 149k | unsigned long ll; \ |
83 | 149k | unsigned int nn; \ |
84 | 149k | switch ((c)->md_len) { \ |
85 | 50.8k | case SHA224_DIGEST_LENGTH: \ |
86 | 407k | for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ |
87 | 356k | ll = (c)->h[nn]; \ |
88 | 356k | (void)HOST_l2c(ll, (s)); \ |
89 | 356k | } \ |
90 | 50.8k | break; \ |
91 | 98.8k | case SHA256_DIGEST_LENGTH: \ |
92 | 890k | for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ |
93 | 791k | ll = (c)->h[nn]; \ |
94 | 791k | (void)HOST_l2c(ll, (s)); \ |
95 | 791k | } \ |
96 | 98.8k | break; \ |
97 | 0 | default: \ |
98 | 0 | if ((c)->md_len > SHA256_DIGEST_LENGTH) \ |
99 | 0 | return 0; \ |
100 | 0 | for (nn = 0; nn < (c)->md_len / 4; nn++) { \ |
101 | 0 | ll = (c)->h[nn]; \ |
102 | 0 | (void)HOST_l2c(ll, (s)); \ |
103 | 0 | } \ |
104 | 0 | break; \ |
105 | 149k | } \ |
106 | 149k | } while (0) |
107 | | |
108 | | #define HASH_UPDATE SHA256_Update |
109 | | #define HASH_TRANSFORM SHA256_Transform |
110 | | #define HASH_FINAL SHA256_Final |
111 | 267M | #define HASH_BLOCK_DATA_ORDER sha256_block_data_order |
112 | | #ifndef SHA256_ASM |
113 | | static |
114 | | #endif |
115 | | void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); |
116 | | |
117 | | #include "crypto/md32_common.h" |
118 | | |
119 | | #ifndef SHA256_ASM |
120 | | static const SHA_LONG K256[64] = { |
121 | | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
122 | | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
123 | | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
124 | | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
125 | | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
126 | | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
127 | | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
128 | | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
129 | | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
130 | | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
131 | | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
132 | | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
133 | | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
134 | | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
135 | | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
136 | | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
137 | | }; |
138 | | |
139 | | /* |
140 | | * FIPS specification refers to right rotations, while our ROTATE macro |
141 | | * is left one. This is why you might notice that rotation coefficients |
142 | | * differ from those observed in FIPS document by 32-N... |
143 | | */ |
144 | | #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10)) |
145 | | #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7)) |
146 | | #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3)) |
147 | | #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10)) |
148 | | |
149 | | #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) |
150 | | #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
151 | | |
152 | | #ifdef OPENSSL_SMALL_FOOTPRINT |
153 | | |
154 | | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, |
155 | | size_t num) |
156 | | { |
157 | | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; |
158 | | SHA_LONG X[16], l; |
159 | | int i; |
160 | | const unsigned char *data = in; |
161 | | |
162 | | while (num--) { |
163 | | |
164 | | a = ctx->h[0]; |
165 | | b = ctx->h[1]; |
166 | | c = ctx->h[2]; |
167 | | d = ctx->h[3]; |
168 | | e = ctx->h[4]; |
169 | | f = ctx->h[5]; |
170 | | g = ctx->h[6]; |
171 | | h = ctx->h[7]; |
172 | | |
173 | | for (i = 0; i < 16; i++) { |
174 | | (void)HOST_c2l(data, l); |
175 | | T1 = X[i] = l; |
176 | | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; |
177 | | T2 = Sigma0(a) + Maj(a, b, c); |
178 | | h = g; |
179 | | g = f; |
180 | | f = e; |
181 | | e = d + T1; |
182 | | d = c; |
183 | | c = b; |
184 | | b = a; |
185 | | a = T1 + T2; |
186 | | } |
187 | | |
188 | | for (; i < 64; i++) { |
189 | | s0 = X[(i + 1) & 0x0f]; |
190 | | s0 = sigma0(s0); |
191 | | s1 = X[(i + 14) & 0x0f]; |
192 | | s1 = sigma1(s1); |
193 | | |
194 | | T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; |
195 | | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; |
196 | | T2 = Sigma0(a) + Maj(a, b, c); |
197 | | h = g; |
198 | | g = f; |
199 | | f = e; |
200 | | e = d + T1; |
201 | | d = c; |
202 | | c = b; |
203 | | b = a; |
204 | | a = T1 + T2; |
205 | | } |
206 | | |
207 | | ctx->h[0] += a; |
208 | | ctx->h[1] += b; |
209 | | ctx->h[2] += c; |
210 | | ctx->h[3] += d; |
211 | | ctx->h[4] += e; |
212 | | ctx->h[5] += f; |
213 | | ctx->h[6] += g; |
214 | | ctx->h[7] += h; |
215 | | } |
216 | | } |
217 | | |
218 | | #else |
219 | | |
220 | | #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \ |
221 | | do { \ |
222 | | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \ |
223 | | h = Sigma0(a) + Maj(a, b, c); \ |
224 | | d += T1; \ |
225 | | h += T1; \ |
226 | | } while (0) |
227 | | |
228 | | #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ |
229 | | do { \ |
230 | | s0 = X[(i + 1) & 0x0f]; \ |
231 | | s0 = sigma0(s0); \ |
232 | | s1 = X[(i + 14) & 0x0f]; \ |
233 | | s1 = sigma1(s1); \ |
234 | | T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ |
235 | | ROUND_00_15(i, a, b, c, d, e, f, g, h); \ |
236 | | } while (0) |
237 | | |
238 | | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, |
239 | | size_t num) |
240 | | { |
241 | | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; |
242 | | SHA_LONG X[16]; |
243 | | int i; |
244 | | const unsigned char *data = in; |
245 | | DECLARE_IS_ENDIAN; |
246 | | |
247 | | while (num--) { |
248 | | |
249 | | a = ctx->h[0]; |
250 | | b = ctx->h[1]; |
251 | | c = ctx->h[2]; |
252 | | d = ctx->h[3]; |
253 | | e = ctx->h[4]; |
254 | | f = ctx->h[5]; |
255 | | g = ctx->h[6]; |
256 | | h = ctx->h[7]; |
257 | | |
258 | | if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4 |
259 | | && ((size_t)in % 4) == 0) { |
260 | | const SHA_LONG *W = (const SHA_LONG *)data; |
261 | | |
262 | | T1 = X[0] = W[0]; |
263 | | ROUND_00_15(0, a, b, c, d, e, f, g, h); |
264 | | T1 = X[1] = W[1]; |
265 | | ROUND_00_15(1, h, a, b, c, d, e, f, g); |
266 | | T1 = X[2] = W[2]; |
267 | | ROUND_00_15(2, g, h, a, b, c, d, e, f); |
268 | | T1 = X[3] = W[3]; |
269 | | ROUND_00_15(3, f, g, h, a, b, c, d, e); |
270 | | T1 = X[4] = W[4]; |
271 | | ROUND_00_15(4, e, f, g, h, a, b, c, d); |
272 | | T1 = X[5] = W[5]; |
273 | | ROUND_00_15(5, d, e, f, g, h, a, b, c); |
274 | | T1 = X[6] = W[6]; |
275 | | ROUND_00_15(6, c, d, e, f, g, h, a, b); |
276 | | T1 = X[7] = W[7]; |
277 | | ROUND_00_15(7, b, c, d, e, f, g, h, a); |
278 | | T1 = X[8] = W[8]; |
279 | | ROUND_00_15(8, a, b, c, d, e, f, g, h); |
280 | | T1 = X[9] = W[9]; |
281 | | ROUND_00_15(9, h, a, b, c, d, e, f, g); |
282 | | T1 = X[10] = W[10]; |
283 | | ROUND_00_15(10, g, h, a, b, c, d, e, f); |
284 | | T1 = X[11] = W[11]; |
285 | | ROUND_00_15(11, f, g, h, a, b, c, d, e); |
286 | | T1 = X[12] = W[12]; |
287 | | ROUND_00_15(12, e, f, g, h, a, b, c, d); |
288 | | T1 = X[13] = W[13]; |
289 | | ROUND_00_15(13, d, e, f, g, h, a, b, c); |
290 | | T1 = X[14] = W[14]; |
291 | | ROUND_00_15(14, c, d, e, f, g, h, a, b); |
292 | | T1 = X[15] = W[15]; |
293 | | ROUND_00_15(15, b, c, d, e, f, g, h, a); |
294 | | |
295 | | data += SHA256_CBLOCK; |
296 | | } else { |
297 | | SHA_LONG l; |
298 | | |
299 | | (void)HOST_c2l(data, l); |
300 | | T1 = X[0] = l; |
301 | | ROUND_00_15(0, a, b, c, d, e, f, g, h); |
302 | | (void)HOST_c2l(data, l); |
303 | | T1 = X[1] = l; |
304 | | ROUND_00_15(1, h, a, b, c, d, e, f, g); |
305 | | (void)HOST_c2l(data, l); |
306 | | T1 = X[2] = l; |
307 | | ROUND_00_15(2, g, h, a, b, c, d, e, f); |
308 | | (void)HOST_c2l(data, l); |
309 | | T1 = X[3] = l; |
310 | | ROUND_00_15(3, f, g, h, a, b, c, d, e); |
311 | | (void)HOST_c2l(data, l); |
312 | | T1 = X[4] = l; |
313 | | ROUND_00_15(4, e, f, g, h, a, b, c, d); |
314 | | (void)HOST_c2l(data, l); |
315 | | T1 = X[5] = l; |
316 | | ROUND_00_15(5, d, e, f, g, h, a, b, c); |
317 | | (void)HOST_c2l(data, l); |
318 | | T1 = X[6] = l; |
319 | | ROUND_00_15(6, c, d, e, f, g, h, a, b); |
320 | | (void)HOST_c2l(data, l); |
321 | | T1 = X[7] = l; |
322 | | ROUND_00_15(7, b, c, d, e, f, g, h, a); |
323 | | (void)HOST_c2l(data, l); |
324 | | T1 = X[8] = l; |
325 | | ROUND_00_15(8, a, b, c, d, e, f, g, h); |
326 | | (void)HOST_c2l(data, l); |
327 | | T1 = X[9] = l; |
328 | | ROUND_00_15(9, h, a, b, c, d, e, f, g); |
329 | | (void)HOST_c2l(data, l); |
330 | | T1 = X[10] = l; |
331 | | ROUND_00_15(10, g, h, a, b, c, d, e, f); |
332 | | (void)HOST_c2l(data, l); |
333 | | T1 = X[11] = l; |
334 | | ROUND_00_15(11, f, g, h, a, b, c, d, e); |
335 | | (void)HOST_c2l(data, l); |
336 | | T1 = X[12] = l; |
337 | | ROUND_00_15(12, e, f, g, h, a, b, c, d); |
338 | | (void)HOST_c2l(data, l); |
339 | | T1 = X[13] = l; |
340 | | ROUND_00_15(13, d, e, f, g, h, a, b, c); |
341 | | (void)HOST_c2l(data, l); |
342 | | T1 = X[14] = l; |
343 | | ROUND_00_15(14, c, d, e, f, g, h, a, b); |
344 | | (void)HOST_c2l(data, l); |
345 | | T1 = X[15] = l; |
346 | | ROUND_00_15(15, b, c, d, e, f, g, h, a); |
347 | | } |
348 | | |
349 | | for (i = 16; i < 64; i += 8) { |
350 | | ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); |
351 | | ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); |
352 | | ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); |
353 | | ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); |
354 | | ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); |
355 | | ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); |
356 | | ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); |
357 | | ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); |
358 | | } |
359 | | |
360 | | ctx->h[0] += a; |
361 | | ctx->h[1] += b; |
362 | | ctx->h[2] += c; |
363 | | ctx->h[3] += d; |
364 | | ctx->h[4] += e; |
365 | | ctx->h[5] += f; |
366 | | ctx->h[6] += g; |
367 | | ctx->h[7] += h; |
368 | | } |
369 | | } |
370 | | |
371 | | #endif |
372 | | #endif /* SHA256_ASM */ |