1 /* crypto/sha/sha256.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
10 # include <util/sha2.h>
12 # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2a 19 Mar 2015"
13 # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
15 const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
18 unsigned static char cleanse_ctr = 0;
19 static void OPENSSL_cleanse(void *ptr, size_t len)
21 unsigned char *p = ptr;
22 size_t loop = len, ctr = cleanse_ctr;
24 *(p++) = (unsigned char)ctr;
25 ctr += (17 + ((size_t)p & 0xF));
27 p = memchr(ptr, (unsigned char)ctr, len);
29 ctr += (63 + (size_t)p);
30 cleanse_ctr = (unsigned char)ctr;
33 fips_md_init_ctx(SHA224, SHA256)
35 memset(c, 0, sizeof(*c));
36 c->h[0] = 0xc1059ed8UL;
37 c->h[1] = 0x367cd507UL;
38 c->h[2] = 0x3070dd17UL;
39 c->h[3] = 0xf70e5939UL;
40 c->h[4] = 0xffc00b31UL;
41 c->h[5] = 0x68581511UL;
42 c->h[6] = 0x64f98fa7UL;
43 c->h[7] = 0xbefa4fa4UL;
44 c->md_len = SHA224_DIGEST_LENGTH;
50 memset(c, 0, sizeof(*c));
51 c->h[0] = 0x6a09e667UL;
52 c->h[1] = 0xbb67ae85UL;
53 c->h[2] = 0x3c6ef372UL;
54 c->h[3] = 0xa54ff53aUL;
55 c->h[4] = 0x510e527fUL;
56 c->h[5] = 0x9b05688cUL;
57 c->h[6] = 0x1f83d9abUL;
58 c->h[7] = 0x5be0cd19UL;
59 c->md_len = SHA256_DIGEST_LENGTH;
63 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
66 static unsigned char m[SHA224_DIGEST_LENGTH];
71 SHA256_Update(&c, d, n);
73 OPENSSL_cleanse(&c, sizeof(c));
77 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
80 static unsigned char m[SHA256_DIGEST_LENGTH];
85 SHA256_Update(&c, d, n);
87 OPENSSL_cleanse(&c, sizeof(c));
91 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
93 return SHA256_Update(c, data, len);
96 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
98 return SHA256_Final(md, c);
101 # define DATA_ORDER_IS_BIG_ENDIAN
103 # define HASH_LONG SHA_LONG
104 # define HASH_CTX SHA256_CTX
105 # define HASH_CBLOCK SHA_CBLOCK
107 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
108 * default: case below covers for it. It's not clear however if it's
109 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
110 * but if it is, then default: case shall be extended. For reference.
111 * Idea behind separate cases for pre-defined lenghts is to let the
112 * compiler decide if it's appropriate to unroll small loops.
114 # define HASH_MAKE_STRING(c,s) do { \
117 switch ((c)->md_len) \
118 { case SHA224_DIGEST_LENGTH: \
119 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
120 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
122 case SHA256_DIGEST_LENGTH: \
123 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
124 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
127 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
129 for (nn=0;nn<(c)->md_len/4;nn++) \
130 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
135 # define HASH_UPDATE SHA256_Update
136 # define HASH_TRANSFORM SHA256_Transform
137 # define HASH_FINAL SHA256_Final
138 # define HASH_BLOCK_DATA_ORDER sha256_block_data_order
142 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
144 # include "md32_common.h"
147 static const SHA_LONG K256[64] = {
148 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
149 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
150 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
151 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
152 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
153 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
154 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
155 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
156 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
157 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
158 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
159 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
160 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
161 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
162 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
163 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
167 * FIPS specification refers to right rotations, while our ROTATE macro
168 * is left one. This is why you might notice that rotation coefficients
169 * differ from those observed in FIPS document by 32-N...
171 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
172 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
173 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
174 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
176 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
177 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
179 # ifdef OPENSSL_SMALL_FOOTPRINT
181 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
184 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
187 const unsigned char *data = in;
200 for (i = 0; i < 16; i++) {
203 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
204 T2 = Sigma0(a) + Maj(a, b, c);
215 for (; i < 64; i++) {
216 s0 = X[(i + 1) & 0x0f];
218 s1 = X[(i + 14) & 0x0f];
221 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
222 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
223 T2 = Sigma0(a) + Maj(a, b, c);
248 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
249 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
250 h = Sigma0(a) + Maj(a,b,c); \
251 d += T1; h += T1; } while (0)
253 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
254 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
255 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
256 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
257 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
259 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
262 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
265 const unsigned char *data = in;
284 if (!is_endian.little && sizeof(SHA_LONG) == 4
285 && ((size_t)in % 4) == 0) {
286 const SHA_LONG *W = (const SHA_LONG *)data;
289 ROUND_00_15(0, a, b, c, d, e, f, g, h);
291 ROUND_00_15(1, h, a, b, c, d, e, f, g);
293 ROUND_00_15(2, g, h, a, b, c, d, e, f);
295 ROUND_00_15(3, f, g, h, a, b, c, d, e);
297 ROUND_00_15(4, e, f, g, h, a, b, c, d);
299 ROUND_00_15(5, d, e, f, g, h, a, b, c);
301 ROUND_00_15(6, c, d, e, f, g, h, a, b);
303 ROUND_00_15(7, b, c, d, e, f, g, h, a);
305 ROUND_00_15(8, a, b, c, d, e, f, g, h);
307 ROUND_00_15(9, h, a, b, c, d, e, f, g);
309 ROUND_00_15(10, g, h, a, b, c, d, e, f);
311 ROUND_00_15(11, f, g, h, a, b, c, d, e);
313 ROUND_00_15(12, e, f, g, h, a, b, c, d);
315 ROUND_00_15(13, d, e, f, g, h, a, b, c);
317 ROUND_00_15(14, c, d, e, f, g, h, a, b);
319 ROUND_00_15(15, b, c, d, e, f, g, h, a);
321 data += SHA256_CBLOCK;
327 ROUND_00_15(0, a, b, c, d, e, f, g, h);
330 ROUND_00_15(1, h, a, b, c, d, e, f, g);
333 ROUND_00_15(2, g, h, a, b, c, d, e, f);
336 ROUND_00_15(3, f, g, h, a, b, c, d, e);
339 ROUND_00_15(4, e, f, g, h, a, b, c, d);
342 ROUND_00_15(5, d, e, f, g, h, a, b, c);
345 ROUND_00_15(6, c, d, e, f, g, h, a, b);
348 ROUND_00_15(7, b, c, d, e, f, g, h, a);
351 ROUND_00_15(8, a, b, c, d, e, f, g, h);
354 ROUND_00_15(9, h, a, b, c, d, e, f, g);
357 ROUND_00_15(10, g, h, a, b, c, d, e, f);
360 ROUND_00_15(11, f, g, h, a, b, c, d, e);
363 ROUND_00_15(12, e, f, g, h, a, b, c, d);
366 ROUND_00_15(13, d, e, f, g, h, a, b, c);
369 ROUND_00_15(14, c, d, e, f, g, h, a, b);
372 ROUND_00_15(15, b, c, d, e, f, g, h, a);
375 for (i = 16; i < 64; i += 8) {
376 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
377 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
378 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
379 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
380 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
381 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
382 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
383 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
399 # endif /* SHA256_ASM */