1 /* crypto/sha/sha256.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
10 # include <util/sha2.h>
12 # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2a 19 Mar 2015"
13 # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
15 const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
18 unsigned static char cleanse_ctr = 0;
19 static void OPENSSL_cleanse(void *ptr, size_t len)
21 unsigned char *p = ptr;
22 size_t loop = len, ctr = cleanse_ctr;
24 *(p++) = (unsigned char)ctr;
25 ctr += (17 + ((size_t)p & 0xF));
27 p = memchr(ptr, (unsigned char)ctr, len);
29 ctr += (63 + (size_t)p);
30 cleanse_ctr = (unsigned char)ctr;
33 # define fips_md_init(alg) fips_md_init_ctx(alg, alg)
34 # define fips_md_init_ctx(alg, cx) \
35 int alg##_Init(cx##_CTX *c)
36 # define fips_cipher_abort(alg) while(0)
38 fips_md_init_ctx(SHA224, SHA256)
40 memset(c, 0, sizeof(*c));
41 c->h[0] = 0xc1059ed8UL;
42 c->h[1] = 0x367cd507UL;
43 c->h[2] = 0x3070dd17UL;
44 c->h[3] = 0xf70e5939UL;
45 c->h[4] = 0xffc00b31UL;
46 c->h[5] = 0x68581511UL;
47 c->h[6] = 0x64f98fa7UL;
48 c->h[7] = 0xbefa4fa4UL;
49 c->md_len = SHA224_DIGEST_LENGTH;
55 memset(c, 0, sizeof(*c));
56 c->h[0] = 0x6a09e667UL;
57 c->h[1] = 0xbb67ae85UL;
58 c->h[2] = 0x3c6ef372UL;
59 c->h[3] = 0xa54ff53aUL;
60 c->h[4] = 0x510e527fUL;
61 c->h[5] = 0x9b05688cUL;
62 c->h[6] = 0x1f83d9abUL;
63 c->h[7] = 0x5be0cd19UL;
64 c->md_len = SHA256_DIGEST_LENGTH;
68 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
71 static unsigned char m[SHA224_DIGEST_LENGTH];
76 SHA256_Update(&c, d, n);
78 OPENSSL_cleanse(&c, sizeof(c));
82 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
85 static unsigned char m[SHA256_DIGEST_LENGTH];
90 SHA256_Update(&c, d, n);
92 OPENSSL_cleanse(&c, sizeof(c));
96 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
98 return SHA256_Update(c, data, len);
101 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
103 return SHA256_Final(md, c);
106 # define DATA_ORDER_IS_BIG_ENDIAN
108 # define HASH_LONG SHA_LONG
109 # define HASH_CTX SHA256_CTX
110 # define HASH_CBLOCK SHA_CBLOCK
112 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
113 * default: case below covers for it. It's not clear however if it's
114 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
115 * but if it is, then default: case shall be extended. For reference.
116 * Idea behind separate cases for pre-defined lenghts is to let the
117 * compiler decide if it's appropriate to unroll small loops.
119 # define HASH_MAKE_STRING(c,s) do { \
122 switch ((c)->md_len) \
123 { case SHA224_DIGEST_LENGTH: \
124 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
125 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
127 case SHA256_DIGEST_LENGTH: \
128 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
129 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
132 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
134 for (nn=0;nn<(c)->md_len/4;nn++) \
135 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
140 # define HASH_UPDATE SHA256_Update
141 # define HASH_TRANSFORM SHA256_Transform
142 # define HASH_FINAL SHA256_Final
143 # define HASH_BLOCK_DATA_ORDER sha256_block_data_order
147 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
149 # include "md32_common.h"
152 static const SHA_LONG K256[64] = {
153 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
154 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
155 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
156 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
157 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
158 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
159 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
160 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
161 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
162 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
163 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
164 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
165 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
166 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
167 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
168 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
172 * FIPS specification refers to right rotations, while our ROTATE macro
173 * is left one. This is why you might notice that rotation coefficients
174 * differ from those observed in FIPS document by 32-N...
176 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
177 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
178 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
179 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
181 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
182 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
184 # ifdef OPENSSL_SMALL_FOOTPRINT
186 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
189 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
192 const unsigned char *data = in;
205 for (i = 0; i < 16; i++) {
208 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
209 T2 = Sigma0(a) + Maj(a, b, c);
220 for (; i < 64; i++) {
221 s0 = X[(i + 1) & 0x0f];
223 s1 = X[(i + 14) & 0x0f];
226 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
227 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
228 T2 = Sigma0(a) + Maj(a, b, c);
253 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
254 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
255 h = Sigma0(a) + Maj(a,b,c); \
256 d += T1; h += T1; } while (0)
258 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
259 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
260 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
261 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
262 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
264 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
267 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
270 const unsigned char *data = in;
289 if (!is_endian.little && sizeof(SHA_LONG) == 4
290 && ((size_t)in % 4) == 0) {
291 const SHA_LONG *W = (const SHA_LONG *)data;
294 ROUND_00_15(0, a, b, c, d, e, f, g, h);
296 ROUND_00_15(1, h, a, b, c, d, e, f, g);
298 ROUND_00_15(2, g, h, a, b, c, d, e, f);
300 ROUND_00_15(3, f, g, h, a, b, c, d, e);
302 ROUND_00_15(4, e, f, g, h, a, b, c, d);
304 ROUND_00_15(5, d, e, f, g, h, a, b, c);
306 ROUND_00_15(6, c, d, e, f, g, h, a, b);
308 ROUND_00_15(7, b, c, d, e, f, g, h, a);
310 ROUND_00_15(8, a, b, c, d, e, f, g, h);
312 ROUND_00_15(9, h, a, b, c, d, e, f, g);
314 ROUND_00_15(10, g, h, a, b, c, d, e, f);
316 ROUND_00_15(11, f, g, h, a, b, c, d, e);
318 ROUND_00_15(12, e, f, g, h, a, b, c, d);
320 ROUND_00_15(13, d, e, f, g, h, a, b, c);
322 ROUND_00_15(14, c, d, e, f, g, h, a, b);
324 ROUND_00_15(15, b, c, d, e, f, g, h, a);
326 data += SHA256_CBLOCK;
332 ROUND_00_15(0, a, b, c, d, e, f, g, h);
335 ROUND_00_15(1, h, a, b, c, d, e, f, g);
338 ROUND_00_15(2, g, h, a, b, c, d, e, f);
341 ROUND_00_15(3, f, g, h, a, b, c, d, e);
344 ROUND_00_15(4, e, f, g, h, a, b, c, d);
347 ROUND_00_15(5, d, e, f, g, h, a, b, c);
350 ROUND_00_15(6, c, d, e, f, g, h, a, b);
353 ROUND_00_15(7, b, c, d, e, f, g, h, a);
356 ROUND_00_15(8, a, b, c, d, e, f, g, h);
359 ROUND_00_15(9, h, a, b, c, d, e, f, g);
362 ROUND_00_15(10, g, h, a, b, c, d, e, f);
365 ROUND_00_15(11, f, g, h, a, b, c, d, e);
368 ROUND_00_15(12, e, f, g, h, a, b, c, d);
371 ROUND_00_15(13, d, e, f, g, h, a, b, c);
374 ROUND_00_15(14, c, d, e, f, g, h, a, b);
377 ROUND_00_15(15, b, c, d, e, f, g, h, a);
380 for (i = 16; i < 64; i += 8) {
381 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
382 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
383 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
384 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
385 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
386 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
387 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
388 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
404 # endif /* SHA256_ASM */