1 /* ====================================================================
2 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
3 * according to the OpenSSL license [found in ../../LICENSE].
4 * ====================================================================
6 #include <openssl/opensslconf.h>
11 #include <openssl/crypto.h>
12 #include <openssl/sha.h>
13 #include <openssl/opensslv.h>
15 int SHA224_Init(SHA256_CTX *c)
17 memset(c, 0, sizeof(*c));
18 c->h[0] = 0xc1059ed8UL;
19 c->h[1] = 0x367cd507UL;
20 c->h[2] = 0x3070dd17UL;
21 c->h[3] = 0xf70e5939UL;
22 c->h[4] = 0xffc00b31UL;
23 c->h[5] = 0x68581511UL;
24 c->h[6] = 0x64f98fa7UL;
25 c->h[7] = 0xbefa4fa4UL;
26 c->md_len = SHA224_DIGEST_LENGTH;
30 int SHA256_Init(SHA256_CTX *c)
32 memset(c, 0, sizeof(*c));
33 c->h[0] = 0x6a09e667UL;
34 c->h[1] = 0xbb67ae85UL;
35 c->h[2] = 0x3c6ef372UL;
36 c->h[3] = 0xa54ff53aUL;
37 c->h[4] = 0x510e527fUL;
38 c->h[5] = 0x9b05688cUL;
39 c->h[6] = 0x1f83d9abUL;
40 c->h[7] = 0x5be0cd19UL;
41 c->md_len = SHA256_DIGEST_LENGTH;
45 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
48 static unsigned char m[SHA224_DIGEST_LENGTH];
53 SHA256_Update(&c, d, n);
55 OPENSSL_cleanse(&c, sizeof(c));
59 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
62 static unsigned char m[SHA256_DIGEST_LENGTH];
67 SHA256_Update(&c, d, n);
69 OPENSSL_cleanse(&c, sizeof(c));
73 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
75 return SHA256_Update(c, data, len);
78 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
80 return SHA256_Final(md, c);
83 #define DATA_ORDER_IS_BIG_ENDIAN
85 #define HASH_LONG SHA_LONG
86 #define HASH_CTX SHA256_CTX
87 #define HASH_CBLOCK SHA_CBLOCK
90 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
91 * default: case below covers for it. It's not clear however if it's
92 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
93 * but if it is, then default: case shall be extended. For reference.
94 * Idea behind separate cases for pre-defined lengths is to let the
95 * compiler decide if it's appropriate to unroll small loops.
97 #define HASH_MAKE_STRING(c,s) do { \
100 switch ((c)->md_len) \
101 { case SHA224_DIGEST_LENGTH: \
102 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
103 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
105 case SHA256_DIGEST_LENGTH: \
106 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
107 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
110 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
112 for (nn=0;nn<(c)->md_len/4;nn++) \
113 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
118 #define HASH_UPDATE SHA256_Update
119 #define HASH_TRANSFORM SHA256_Transform
120 #define HASH_FINAL SHA256_Final
121 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
125 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
127 #include "internal/md32_common.h"
130 static const SHA_LONG K256[64] = {
131 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
132 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
133 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
134 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
135 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
136 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
137 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
138 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
139 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
140 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
141 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
142 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
143 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
144 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
145 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
146 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150 * FIPS specification refers to right rotations, while our ROTATE macro
151 * is left one. This is why you might notice that rotation coefficients
152 * differ from those observed in FIPS document by 32-N...
154 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
155 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
156 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
157 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
159 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
160 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
162 # ifdef OPENSSL_SMALL_FOOTPRINT
164 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
167 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
170 const unsigned char *data = in;
183 for (i = 0; i < 16; i++) {
186 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
187 T2 = Sigma0(a) + Maj(a, b, c);
198 for (; i < 64; i++) {
199 s0 = X[(i + 1) & 0x0f];
201 s1 = X[(i + 14) & 0x0f];
204 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
205 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
206 T2 = Sigma0(a) + Maj(a, b, c);
231 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
232 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
233 h = Sigma0(a) + Maj(a,b,c); \
234 d += T1; h += T1; } while (0)
236 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
237 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
238 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
239 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
240 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
242 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
245 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
248 const unsigned char *data = in;
267 if (!is_endian.little && sizeof(SHA_LONG) == 4
268 && ((size_t)in % 4) == 0) {
269 const SHA_LONG *W = (const SHA_LONG *)data;
272 ROUND_00_15(0, a, b, c, d, e, f, g, h);
274 ROUND_00_15(1, h, a, b, c, d, e, f, g);
276 ROUND_00_15(2, g, h, a, b, c, d, e, f);
278 ROUND_00_15(3, f, g, h, a, b, c, d, e);
280 ROUND_00_15(4, e, f, g, h, a, b, c, d);
282 ROUND_00_15(5, d, e, f, g, h, a, b, c);
284 ROUND_00_15(6, c, d, e, f, g, h, a, b);
286 ROUND_00_15(7, b, c, d, e, f, g, h, a);
288 ROUND_00_15(8, a, b, c, d, e, f, g, h);
290 ROUND_00_15(9, h, a, b, c, d, e, f, g);
292 ROUND_00_15(10, g, h, a, b, c, d, e, f);
294 ROUND_00_15(11, f, g, h, a, b, c, d, e);
296 ROUND_00_15(12, e, f, g, h, a, b, c, d);
298 ROUND_00_15(13, d, e, f, g, h, a, b, c);
300 ROUND_00_15(14, c, d, e, f, g, h, a, b);
302 ROUND_00_15(15, b, c, d, e, f, g, h, a);
304 data += SHA256_CBLOCK;
310 ROUND_00_15(0, a, b, c, d, e, f, g, h);
313 ROUND_00_15(1, h, a, b, c, d, e, f, g);
316 ROUND_00_15(2, g, h, a, b, c, d, e, f);
319 ROUND_00_15(3, f, g, h, a, b, c, d, e);
322 ROUND_00_15(4, e, f, g, h, a, b, c, d);
325 ROUND_00_15(5, d, e, f, g, h, a, b, c);
328 ROUND_00_15(6, c, d, e, f, g, h, a, b);
331 ROUND_00_15(7, b, c, d, e, f, g, h, a);
334 ROUND_00_15(8, a, b, c, d, e, f, g, h);
337 ROUND_00_15(9, h, a, b, c, d, e, f, g);
340 ROUND_00_15(10, g, h, a, b, c, d, e, f);
343 ROUND_00_15(11, f, g, h, a, b, c, d, e);
346 ROUND_00_15(12, e, f, g, h, a, b, c, d);
349 ROUND_00_15(13, d, e, f, g, h, a, b, c);
352 ROUND_00_15(14, c, d, e, f, g, h, a, b);
355 ROUND_00_15(15, b, c, d, e, f, g, h, a);
358 for (i = 16; i < 64; i += 8) {
359 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
360 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
361 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
362 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
363 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
364 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
365 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
366 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
382 #endif /* SHA256_ASM */