2 * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * SHA256 low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include <openssl/opensslconf.h>
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
25 int SHA224_Init(SHA256_CTX *c)
27 memset(c, 0, sizeof(*c));
28 c->h[0] = 0xc1059ed8UL;
29 c->h[1] = 0x367cd507UL;
30 c->h[2] = 0x3070dd17UL;
31 c->h[3] = 0xf70e5939UL;
32 c->h[4] = 0xffc00b31UL;
33 c->h[5] = 0x68581511UL;
34 c->h[6] = 0x64f98fa7UL;
35 c->h[7] = 0xbefa4fa4UL;
36 c->md_len = SHA224_DIGEST_LENGTH;
40 int SHA256_Init(SHA256_CTX *c)
42 memset(c, 0, sizeof(*c));
43 c->h[0] = 0x6a09e667UL;
44 c->h[1] = 0xbb67ae85UL;
45 c->h[2] = 0x3c6ef372UL;
46 c->h[3] = 0xa54ff53aUL;
47 c->h[4] = 0x510e527fUL;
48 c->h[5] = 0x9b05688cUL;
49 c->h[6] = 0x1f83d9abUL;
50 c->h[7] = 0x5be0cd19UL;
51 c->md_len = SHA256_DIGEST_LENGTH;
55 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
58 static unsigned char m[SHA224_DIGEST_LENGTH];
63 SHA256_Update(&c, d, n);
65 OPENSSL_cleanse(&c, sizeof(c));
69 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
72 static unsigned char m[SHA256_DIGEST_LENGTH];
77 SHA256_Update(&c, d, n);
79 OPENSSL_cleanse(&c, sizeof(c));
83 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
85 return SHA256_Update(c, data, len);
88 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
90 return SHA256_Final(md, c);
93 #define DATA_ORDER_IS_BIG_ENDIAN
95 #define HASH_LONG SHA_LONG
96 #define HASH_CTX SHA256_CTX
97 #define HASH_CBLOCK SHA_CBLOCK
100 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
101 * default: case below covers for it. It's not clear however if it's
102 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
103 * but if it is, then default: case shall be extended. For reference.
104 * Idea behind separate cases for pre-defined lengths is to let the
105 * compiler decide if it's appropriate to unroll small loops.
107 #define HASH_MAKE_STRING(c,s) do { \
110 switch ((c)->md_len) \
111 { case SHA224_DIGEST_LENGTH: \
112 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
113 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
115 case SHA256_DIGEST_LENGTH: \
116 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
117 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
120 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
122 for (nn=0;nn<(c)->md_len/4;nn++) \
123 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
128 #define HASH_UPDATE SHA256_Update
129 #define HASH_TRANSFORM SHA256_Transform
130 #define HASH_FINAL SHA256_Final
131 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
135 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
137 #include "crypto/md32_common.h"
140 static const SHA_LONG K256[64] = {
141 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
142 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
143 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
144 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
145 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
146 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
147 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
148 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
149 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
150 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
151 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
152 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
153 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
154 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
155 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
156 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
160 * FIPS specification refers to right rotations, while our ROTATE macro
161 * is left one. This is why you might notice that rotation coefficients
162 * differ from those observed in FIPS document by 32-N...
164 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
165 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
166 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
167 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
169 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
170 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
172 # ifdef OPENSSL_SMALL_FOOTPRINT
174 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
177 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
180 const unsigned char *data = in;
193 for (i = 0; i < 16; i++) {
194 (void)HOST_c2l(data, l);
196 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
197 T2 = Sigma0(a) + Maj(a, b, c);
208 for (; i < 64; i++) {
209 s0 = X[(i + 1) & 0x0f];
211 s1 = X[(i + 14) & 0x0f];
214 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
215 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
216 T2 = Sigma0(a) + Maj(a, b, c);
241 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
242 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
243 h = Sigma0(a) + Maj(a,b,c); \
244 d += T1; h += T1; } while (0)
246 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
247 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
248 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
249 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
250 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
252 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
255 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
258 const unsigned char *data = in;
277 if (!is_endian.little && sizeof(SHA_LONG) == 4
278 && ((size_t)in % 4) == 0) {
279 const SHA_LONG *W = (const SHA_LONG *)data;
282 ROUND_00_15(0, a, b, c, d, e, f, g, h);
284 ROUND_00_15(1, h, a, b, c, d, e, f, g);
286 ROUND_00_15(2, g, h, a, b, c, d, e, f);
288 ROUND_00_15(3, f, g, h, a, b, c, d, e);
290 ROUND_00_15(4, e, f, g, h, a, b, c, d);
292 ROUND_00_15(5, d, e, f, g, h, a, b, c);
294 ROUND_00_15(6, c, d, e, f, g, h, a, b);
296 ROUND_00_15(7, b, c, d, e, f, g, h, a);
298 ROUND_00_15(8, a, b, c, d, e, f, g, h);
300 ROUND_00_15(9, h, a, b, c, d, e, f, g);
302 ROUND_00_15(10, g, h, a, b, c, d, e, f);
304 ROUND_00_15(11, f, g, h, a, b, c, d, e);
306 ROUND_00_15(12, e, f, g, h, a, b, c, d);
308 ROUND_00_15(13, d, e, f, g, h, a, b, c);
310 ROUND_00_15(14, c, d, e, f, g, h, a, b);
312 ROUND_00_15(15, b, c, d, e, f, g, h, a);
314 data += SHA256_CBLOCK;
318 (void)HOST_c2l(data, l);
320 ROUND_00_15(0, a, b, c, d, e, f, g, h);
321 (void)HOST_c2l(data, l);
323 ROUND_00_15(1, h, a, b, c, d, e, f, g);
324 (void)HOST_c2l(data, l);
326 ROUND_00_15(2, g, h, a, b, c, d, e, f);
327 (void)HOST_c2l(data, l);
329 ROUND_00_15(3, f, g, h, a, b, c, d, e);
330 (void)HOST_c2l(data, l);
332 ROUND_00_15(4, e, f, g, h, a, b, c, d);
333 (void)HOST_c2l(data, l);
335 ROUND_00_15(5, d, e, f, g, h, a, b, c);
336 (void)HOST_c2l(data, l);
338 ROUND_00_15(6, c, d, e, f, g, h, a, b);
339 (void)HOST_c2l(data, l);
341 ROUND_00_15(7, b, c, d, e, f, g, h, a);
342 (void)HOST_c2l(data, l);
344 ROUND_00_15(8, a, b, c, d, e, f, g, h);
345 (void)HOST_c2l(data, l);
347 ROUND_00_15(9, h, a, b, c, d, e, f, g);
348 (void)HOST_c2l(data, l);
350 ROUND_00_15(10, g, h, a, b, c, d, e, f);
351 (void)HOST_c2l(data, l);
353 ROUND_00_15(11, f, g, h, a, b, c, d, e);
354 (void)HOST_c2l(data, l);
356 ROUND_00_15(12, e, f, g, h, a, b, c, d);
357 (void)HOST_c2l(data, l);
359 ROUND_00_15(13, d, e, f, g, h, a, b, c);
360 (void)HOST_c2l(data, l);
362 ROUND_00_15(14, c, d, e, f, g, h, a, b);
363 (void)HOST_c2l(data, l);
365 ROUND_00_15(15, b, c, d, e, f, g, h, a);
368 for (i = 16; i < 64; i += 8) {
369 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
370 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
371 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
372 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
373 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
374 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
375 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
376 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
392 #endif /* SHA256_ASM */