/src/openssl/crypto/sha/sha256.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/opensslconf.h> |
11 | | |
12 | | #include <stdlib.h> |
13 | | #include <string.h> |
14 | | |
15 | | #include <openssl/crypto.h> |
16 | | #include <openssl/sha.h> |
17 | | #include <openssl/opensslv.h> |
18 | | |
19 | | int SHA224_Init(SHA256_CTX *c) |
20 | 0 | { |
21 | 0 | memset(c, 0, sizeof(*c)); |
22 | 0 | c->h[0] = 0xc1059ed8UL; |
23 | 0 | c->h[1] = 0x367cd507UL; |
24 | 0 | c->h[2] = 0x3070dd17UL; |
25 | 0 | c->h[3] = 0xf70e5939UL; |
26 | 0 | c->h[4] = 0xffc00b31UL; |
27 | 0 | c->h[5] = 0x68581511UL; |
28 | 0 | c->h[6] = 0x64f98fa7UL; |
29 | 0 | c->h[7] = 0xbefa4fa4UL; |
30 | 0 | c->md_len = SHA224_DIGEST_LENGTH; |
31 | 0 | return 1; |
32 | 0 | } |
33 | | |
34 | | int SHA256_Init(SHA256_CTX *c) |
35 | 127k | { |
36 | 127k | memset(c, 0, sizeof(*c)); |
37 | 127k | c->h[0] = 0x6a09e667UL; |
38 | 127k | c->h[1] = 0xbb67ae85UL; |
39 | 127k | c->h[2] = 0x3c6ef372UL; |
40 | 127k | c->h[3] = 0xa54ff53aUL; |
41 | 127k | c->h[4] = 0x510e527fUL; |
42 | 127k | c->h[5] = 0x9b05688cUL; |
43 | 127k | c->h[6] = 0x1f83d9abUL; |
44 | 127k | c->h[7] = 0x5be0cd19UL; |
45 | 127k | c->md_len = SHA256_DIGEST_LENGTH; |
46 | 127k | return 1; |
47 | 127k | } |
48 | | |
49 | | unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) |
50 | 0 | { |
51 | 0 | SHA256_CTX c; |
52 | 0 | static unsigned char m[SHA224_DIGEST_LENGTH]; |
53 | 0 |
|
54 | 0 | if (md == NULL) |
55 | 0 | md = m; |
56 | 0 | SHA224_Init(&c); |
57 | 0 | SHA256_Update(&c, d, n); |
58 | 0 | SHA256_Final(md, &c); |
59 | 0 | OPENSSL_cleanse(&c, sizeof(c)); |
60 | 0 | return md; |
61 | 0 | } |
62 | | |
63 | | unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) |
64 | 127k | { |
65 | 127k | SHA256_CTX c; |
66 | 127k | static unsigned char m[SHA256_DIGEST_LENGTH]; |
67 | 127k | |
68 | 127k | if (md == NULL) |
69 | 127k | md = m; |
70 | 127k | SHA256_Init(&c); |
71 | 127k | SHA256_Update(&c, d, n); |
72 | 127k | SHA256_Final(md, &c); |
73 | 127k | OPENSSL_cleanse(&c, sizeof(c)); |
74 | 127k | return md; |
75 | 127k | } |
76 | | |
77 | | int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) |
78 | 0 | { |
79 | 0 | return SHA256_Update(c, data, len); |
80 | 0 | } |
81 | | |
82 | | int SHA224_Final(unsigned char *md, SHA256_CTX *c) |
83 | 0 | { |
84 | 0 | return SHA256_Final(md, c); |
85 | 0 | } |
86 | | |
87 | | #define DATA_ORDER_IS_BIG_ENDIAN |
88 | | |
89 | 127k | #define HASH_LONG SHA_LONG |
90 | | #define HASH_CTX SHA256_CTX |
91 | 888k | #define HASH_CBLOCK SHA_CBLOCK |
92 | | |
93 | | /* |
94 | | * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." |
95 | | * default: case below covers for it. It's not clear however if it's |
96 | | * permitted to truncate to amount of bytes not divisible by 4. I bet not, |
97 | | * but if it is, then default: case shall be extended. For reference. |
98 | | * Idea behind separate cases for pre-defined lengths is to let the |
99 | | * compiler decide if it's appropriate to unroll small loops. |
100 | | */ |
101 | 127k | #define HASH_MAKE_STRING(c,s) do { \ |
102 | 127k | unsigned long ll; \ |
103 | 127k | unsigned int nn; \ |
104 | 127k | switch ((c)->md_len) \ |
105 | 127k | { case SHA224_DIGEST_LENGTH: \ |
106 | 0 | for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ |
107 | 0 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ |
108 | 0 | break; \ |
109 | 127k | case SHA256_DIGEST_LENGTH: \ |
110 | 1.15M | for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ |
111 | 1.02M | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ |
112 | 127k | break; \ |
113 | 127k | default: \ |
114 | 0 | if ((c)->md_len > SHA256_DIGEST_LENGTH) \ |
115 | 0 | return 0; \ |
116 | 0 | for (nn=0;nn<(c)->md_len/4;nn++) \ |
117 | 0 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ |
118 | 0 | break; \ |
119 | 127k | } \ |
120 | 127k | } while (0) |
121 | | |
122 | | #define HASH_UPDATE SHA256_Update |
123 | | #define HASH_TRANSFORM SHA256_Transform |
124 | | #define HASH_FINAL SHA256_Final |
125 | 248k | #define HASH_BLOCK_DATA_ORDER sha256_block_data_order |
126 | | #ifndef SHA256_ASM |
127 | | static |
128 | | #endif |
129 | | void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); |
130 | | |
131 | | #include "internal/md32_common.h" |
132 | | |
133 | | #ifndef SHA256_ASM |
134 | | static const SHA_LONG K256[64] = { |
135 | | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
136 | | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
137 | | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
138 | | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
139 | | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
140 | | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
141 | | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
142 | | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
143 | | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
144 | | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
145 | | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
146 | | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
147 | | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
148 | | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
149 | | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
150 | | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
151 | | }; |
152 | | |
153 | | /* |
154 | | * FIPS specification refers to right rotations, while our ROTATE macro |
155 | | * is left one. This is why you might notice that rotation coefficients |
156 | | * differ from those observed in FIPS document by 32-N... |
157 | | */ |
158 | | # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) |
159 | | # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) |
160 | | # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) |
161 | | # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) |
162 | | |
163 | | # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
164 | | # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
165 | | |
166 | | # ifdef OPENSSL_SMALL_FOOTPRINT |
167 | | |
168 | | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, |
169 | | size_t num) |
170 | | { |
171 | | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; |
172 | | SHA_LONG X[16], l; |
173 | | int i; |
174 | | const unsigned char *data = in; |
175 | | |
176 | | while (num--) { |
177 | | |
178 | | a = ctx->h[0]; |
179 | | b = ctx->h[1]; |
180 | | c = ctx->h[2]; |
181 | | d = ctx->h[3]; |
182 | | e = ctx->h[4]; |
183 | | f = ctx->h[5]; |
184 | | g = ctx->h[6]; |
185 | | h = ctx->h[7]; |
186 | | |
187 | | for (i = 0; i < 16; i++) { |
188 | | (void)HOST_c2l(data, l); |
189 | | T1 = X[i] = l; |
190 | | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; |
191 | | T2 = Sigma0(a) + Maj(a, b, c); |
192 | | h = g; |
193 | | g = f; |
194 | | f = e; |
195 | | e = d + T1; |
196 | | d = c; |
197 | | c = b; |
198 | | b = a; |
199 | | a = T1 + T2; |
200 | | } |
201 | | |
202 | | for (; i < 64; i++) { |
203 | | s0 = X[(i + 1) & 0x0f]; |
204 | | s0 = sigma0(s0); |
205 | | s1 = X[(i + 14) & 0x0f]; |
206 | | s1 = sigma1(s1); |
207 | | |
208 | | T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; |
209 | | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; |
210 | | T2 = Sigma0(a) + Maj(a, b, c); |
211 | | h = g; |
212 | | g = f; |
213 | | f = e; |
214 | | e = d + T1; |
215 | | d = c; |
216 | | c = b; |
217 | | b = a; |
218 | | a = T1 + T2; |
219 | | } |
220 | | |
221 | | ctx->h[0] += a; |
222 | | ctx->h[1] += b; |
223 | | ctx->h[2] += c; |
224 | | ctx->h[3] += d; |
225 | | ctx->h[4] += e; |
226 | | ctx->h[5] += f; |
227 | | ctx->h[6] += g; |
228 | | ctx->h[7] += h; |
229 | | |
230 | | } |
231 | | } |
232 | | |
233 | | # else |
234 | | |
235 | | # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ |
236 | | T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ |
237 | | h = Sigma0(a) + Maj(a,b,c); \ |
238 | | d += T1; h += T1; } while (0) |
239 | | |
240 | | # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ |
241 | | s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ |
242 | | s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ |
243 | | T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ |
244 | | ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) |
245 | | |
246 | | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, |
247 | | size_t num) |
248 | | { |
249 | | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; |
250 | | SHA_LONG X[16]; |
251 | | int i; |
252 | | const unsigned char *data = in; |
253 | | const union { |
254 | | long one; |
255 | | char little; |
256 | | } is_endian = { |
257 | | 1 |
258 | | }; |
259 | | |
260 | | while (num--) { |
261 | | |
262 | | a = ctx->h[0]; |
263 | | b = ctx->h[1]; |
264 | | c = ctx->h[2]; |
265 | | d = ctx->h[3]; |
266 | | e = ctx->h[4]; |
267 | | f = ctx->h[5]; |
268 | | g = ctx->h[6]; |
269 | | h = ctx->h[7]; |
270 | | |
271 | | if (!is_endian.little && sizeof(SHA_LONG) == 4 |
272 | | && ((size_t)in % 4) == 0) { |
273 | | const SHA_LONG *W = (const SHA_LONG *)data; |
274 | | |
275 | | T1 = X[0] = W[0]; |
276 | | ROUND_00_15(0, a, b, c, d, e, f, g, h); |
277 | | T1 = X[1] = W[1]; |
278 | | ROUND_00_15(1, h, a, b, c, d, e, f, g); |
279 | | T1 = X[2] = W[2]; |
280 | | ROUND_00_15(2, g, h, a, b, c, d, e, f); |
281 | | T1 = X[3] = W[3]; |
282 | | ROUND_00_15(3, f, g, h, a, b, c, d, e); |
283 | | T1 = X[4] = W[4]; |
284 | | ROUND_00_15(4, e, f, g, h, a, b, c, d); |
285 | | T1 = X[5] = W[5]; |
286 | | ROUND_00_15(5, d, e, f, g, h, a, b, c); |
287 | | T1 = X[6] = W[6]; |
288 | | ROUND_00_15(6, c, d, e, f, g, h, a, b); |
289 | | T1 = X[7] = W[7]; |
290 | | ROUND_00_15(7, b, c, d, e, f, g, h, a); |
291 | | T1 = X[8] = W[8]; |
292 | | ROUND_00_15(8, a, b, c, d, e, f, g, h); |
293 | | T1 = X[9] = W[9]; |
294 | | ROUND_00_15(9, h, a, b, c, d, e, f, g); |
295 | | T1 = X[10] = W[10]; |
296 | | ROUND_00_15(10, g, h, a, b, c, d, e, f); |
297 | | T1 = X[11] = W[11]; |
298 | | ROUND_00_15(11, f, g, h, a, b, c, d, e); |
299 | | T1 = X[12] = W[12]; |
300 | | ROUND_00_15(12, e, f, g, h, a, b, c, d); |
301 | | T1 = X[13] = W[13]; |
302 | | ROUND_00_15(13, d, e, f, g, h, a, b, c); |
303 | | T1 = X[14] = W[14]; |
304 | | ROUND_00_15(14, c, d, e, f, g, h, a, b); |
305 | | T1 = X[15] = W[15]; |
306 | | ROUND_00_15(15, b, c, d, e, f, g, h, a); |
307 | | |
308 | | data += SHA256_CBLOCK; |
309 | | } else { |
310 | | SHA_LONG l; |
311 | | |
312 | | (void)HOST_c2l(data, l); |
313 | | T1 = X[0] = l; |
314 | | ROUND_00_15(0, a, b, c, d, e, f, g, h); |
315 | | (void)HOST_c2l(data, l); |
316 | | T1 = X[1] = l; |
317 | | ROUND_00_15(1, h, a, b, c, d, e, f, g); |
318 | | (void)HOST_c2l(data, l); |
319 | | T1 = X[2] = l; |
320 | | ROUND_00_15(2, g, h, a, b, c, d, e, f); |
321 | | (void)HOST_c2l(data, l); |
322 | | T1 = X[3] = l; |
323 | | ROUND_00_15(3, f, g, h, a, b, c, d, e); |
324 | | (void)HOST_c2l(data, l); |
325 | | T1 = X[4] = l; |
326 | | ROUND_00_15(4, e, f, g, h, a, b, c, d); |
327 | | (void)HOST_c2l(data, l); |
328 | | T1 = X[5] = l; |
329 | | ROUND_00_15(5, d, e, f, g, h, a, b, c); |
330 | | (void)HOST_c2l(data, l); |
331 | | T1 = X[6] = l; |
332 | | ROUND_00_15(6, c, d, e, f, g, h, a, b); |
333 | | (void)HOST_c2l(data, l); |
334 | | T1 = X[7] = l; |
335 | | ROUND_00_15(7, b, c, d, e, f, g, h, a); |
336 | | (void)HOST_c2l(data, l); |
337 | | T1 = X[8] = l; |
338 | | ROUND_00_15(8, a, b, c, d, e, f, g, h); |
339 | | (void)HOST_c2l(data, l); |
340 | | T1 = X[9] = l; |
341 | | ROUND_00_15(9, h, a, b, c, d, e, f, g); |
342 | | (void)HOST_c2l(data, l); |
343 | | T1 = X[10] = l; |
344 | | ROUND_00_15(10, g, h, a, b, c, d, e, f); |
345 | | (void)HOST_c2l(data, l); |
346 | | T1 = X[11] = l; |
347 | | ROUND_00_15(11, f, g, h, a, b, c, d, e); |
348 | | (void)HOST_c2l(data, l); |
349 | | T1 = X[12] = l; |
350 | | ROUND_00_15(12, e, f, g, h, a, b, c, d); |
351 | | (void)HOST_c2l(data, l); |
352 | | T1 = X[13] = l; |
353 | | ROUND_00_15(13, d, e, f, g, h, a, b, c); |
354 | | (void)HOST_c2l(data, l); |
355 | | T1 = X[14] = l; |
356 | | ROUND_00_15(14, c, d, e, f, g, h, a, b); |
357 | | (void)HOST_c2l(data, l); |
358 | | T1 = X[15] = l; |
359 | | ROUND_00_15(15, b, c, d, e, f, g, h, a); |
360 | | } |
361 | | |
362 | | for (i = 16; i < 64; i += 8) { |
363 | | ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); |
364 | | ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); |
365 | | ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); |
366 | | ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); |
367 | | ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); |
368 | | ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); |
369 | | ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); |
370 | | ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); |
371 | | } |
372 | | |
373 | | ctx->h[0] += a; |
374 | | ctx->h[1] += b; |
375 | | ctx->h[2] += c; |
376 | | ctx->h[3] += d; |
377 | | ctx->h[4] += e; |
378 | | ctx->h[5] += f; |
379 | | ctx->h[6] += g; |
380 | | ctx->h[7] += h; |
381 | | |
382 | | } |
383 | | } |
384 | | |
385 | | # endif |
386 | | #endif /* SHA256_ASM */ |