1 /* crypto/sha/sha256.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
7 #include <openssl/opensslconf.h>
8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
13 # include <openssl/crypto.h>
14 # include <openssl/sha.h>
15 # include <openssl/opensslv.h>
17 const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
19 fips_md_init_ctx(SHA224, SHA256)
21 memset(c, 0, sizeof(*c));
22 c->h[0] = 0xc1059ed8UL;
23 c->h[1] = 0x367cd507UL;
24 c->h[2] = 0x3070dd17UL;
25 c->h[3] = 0xf70e5939UL;
26 c->h[4] = 0xffc00b31UL;
27 c->h[5] = 0x68581511UL;
28 c->h[6] = 0x64f98fa7UL;
29 c->h[7] = 0xbefa4fa4UL;
30 c->md_len = SHA224_DIGEST_LENGTH;
36 memset(c, 0, sizeof(*c));
37 c->h[0] = 0x6a09e667UL;
38 c->h[1] = 0xbb67ae85UL;
39 c->h[2] = 0x3c6ef372UL;
40 c->h[3] = 0xa54ff53aUL;
41 c->h[4] = 0x510e527fUL;
42 c->h[5] = 0x9b05688cUL;
43 c->h[6] = 0x1f83d9abUL;
44 c->h[7] = 0x5be0cd19UL;
45 c->md_len = SHA256_DIGEST_LENGTH;
49 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
52 static unsigned char m[SHA224_DIGEST_LENGTH];
57 SHA256_Update(&c, d, n);
59 OPENSSL_cleanse(&c, sizeof(c));
63 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
66 static unsigned char m[SHA256_DIGEST_LENGTH];
71 SHA256_Update(&c, d, n);
73 OPENSSL_cleanse(&c, sizeof(c));
77 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
79 return SHA256_Update(c, data, len);
82 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
84 return SHA256_Final(md, c);
87 # define DATA_ORDER_IS_BIG_ENDIAN
89 # define HASH_LONG SHA_LONG
90 # define HASH_CTX SHA256_CTX
91 # define HASH_CBLOCK SHA_CBLOCK
93 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
94 * default: case below covers for it. It's not clear however if it's
95 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
96 * but if it is, then default: case shall be extended. For reference.
97 * Idea behind separate cases for pre-defined lenghts is to let the
98 * compiler decide if it's appropriate to unroll small loops.
100 # define HASH_MAKE_STRING(c,s) do { \
103 switch ((c)->md_len) \
104 { case SHA224_DIGEST_LENGTH: \
105 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
106 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
108 case SHA256_DIGEST_LENGTH: \
109 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
110 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
113 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
115 for (nn=0;nn<(c)->md_len/4;nn++) \
116 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
121 # define HASH_UPDATE SHA256_Update
122 # define HASH_TRANSFORM SHA256_Transform
123 # define HASH_FINAL SHA256_Final
124 # define HASH_BLOCK_DATA_ORDER sha256_block_data_order
128 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
130 # include "md32_common.h"
133 static const SHA_LONG K256[64] = {
134 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
153 * FIPS specification refers to right rotations, while our ROTATE macro
154 * is left one. This is why you might notice that rotation coefficients
155 * differ from those observed in FIPS document by 32-N...
157 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
158 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
159 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
160 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
162 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
163 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
165 # ifdef OPENSSL_SMALL_FOOTPRINT
167 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
170 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
173 const unsigned char *data = in;
186 for (i = 0; i < 16; i++) {
189 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
190 T2 = Sigma0(a) + Maj(a, b, c);
201 for (; i < 64; i++) {
202 s0 = X[(i + 1) & 0x0f];
204 s1 = X[(i + 14) & 0x0f];
207 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
208 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
209 T2 = Sigma0(a) + Maj(a, b, c);
234 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
235 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
236 h = Sigma0(a) + Maj(a,b,c); \
237 d += T1; h += T1; } while (0)
239 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
240 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
241 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
242 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
243 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
245 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
248 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
251 const unsigned char *data = in;
270 if (!is_endian.little && sizeof(SHA_LONG) == 4
271 && ((size_t)in % 4) == 0) {
272 const SHA_LONG *W = (const SHA_LONG *)data;
275 ROUND_00_15(0, a, b, c, d, e, f, g, h);
277 ROUND_00_15(1, h, a, b, c, d, e, f, g);
279 ROUND_00_15(2, g, h, a, b, c, d, e, f);
281 ROUND_00_15(3, f, g, h, a, b, c, d, e);
283 ROUND_00_15(4, e, f, g, h, a, b, c, d);
285 ROUND_00_15(5, d, e, f, g, h, a, b, c);
287 ROUND_00_15(6, c, d, e, f, g, h, a, b);
289 ROUND_00_15(7, b, c, d, e, f, g, h, a);
291 ROUND_00_15(8, a, b, c, d, e, f, g, h);
293 ROUND_00_15(9, h, a, b, c, d, e, f, g);
295 ROUND_00_15(10, g, h, a, b, c, d, e, f);
297 ROUND_00_15(11, f, g, h, a, b, c, d, e);
299 ROUND_00_15(12, e, f, g, h, a, b, c, d);
301 ROUND_00_15(13, d, e, f, g, h, a, b, c);
303 ROUND_00_15(14, c, d, e, f, g, h, a, b);
305 ROUND_00_15(15, b, c, d, e, f, g, h, a);
307 data += SHA256_CBLOCK;
313 ROUND_00_15(0, a, b, c, d, e, f, g, h);
316 ROUND_00_15(1, h, a, b, c, d, e, f, g);
319 ROUND_00_15(2, g, h, a, b, c, d, e, f);
322 ROUND_00_15(3, f, g, h, a, b, c, d, e);
325 ROUND_00_15(4, e, f, g, h, a, b, c, d);
328 ROUND_00_15(5, d, e, f, g, h, a, b, c);
331 ROUND_00_15(6, c, d, e, f, g, h, a, b);
334 ROUND_00_15(7, b, c, d, e, f, g, h, a);
337 ROUND_00_15(8, a, b, c, d, e, f, g, h);
340 ROUND_00_15(9, h, a, b, c, d, e, f, g);
343 ROUND_00_15(10, g, h, a, b, c, d, e, f);
346 ROUND_00_15(11, f, g, h, a, b, c, d, e);
349 ROUND_00_15(12, e, f, g, h, a, b, c, d);
352 ROUND_00_15(13, d, e, f, g, h, a, b, c);
355 ROUND_00_15(14, c, d, e, f, g, h, a, b);
358 ROUND_00_15(15, b, c, d, e, f, g, h, a);
361 for (i = 16; i < 64; i += 8) {
362 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
363 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
364 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
365 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
366 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
367 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
368 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
369 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
385 # endif /* SHA256_ASM */
387 #endif /* OPENSSL_NO_SHA256 */