]>
Commit | Line | Data |
---|---|---|
7bf7a6d0 MTL |
1 | /* |
2 | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
3e575651 | 8 | */ |
d3819813 | 9 | |
7bf7a6d0 | 10 | #include <openssl/opensslconf.h> |
d3819813 | 11 | |
7bf7a6d0 MTL |
12 | #include <stdlib.h> |
13 | #include <string.h> | |
d3819813 | 14 | |
7bf7a6d0 MTL |
15 | #include <openssl/crypto.h> |
16 | #include <openssl/sha.h> | |
17 | #include <openssl/opensslv.h> | |
b6f94dbe | 18 | |
7bf7a6d0 | 19 | int SHA224_Init(SHA256_CTX *c) |
d3819813 MTL |
20 | { |
21 | memset(c, 0, sizeof(*c)); | |
22 | c->h[0] = 0xc1059ed8UL; | |
23 | c->h[1] = 0x367cd507UL; | |
24 | c->h[2] = 0x3070dd17UL; | |
25 | c->h[3] = 0xf70e5939UL; | |
26 | c->h[4] = 0xffc00b31UL; | |
27 | c->h[5] = 0x68581511UL; | |
28 | c->h[6] = 0x64f98fa7UL; | |
29 | c->h[7] = 0xbefa4fa4UL; | |
30 | c->md_len = SHA224_DIGEST_LENGTH; | |
31 | return 1; | |
32 | } | |
33 | ||
7bf7a6d0 | 34 | int SHA256_Init(SHA256_CTX *c) |
d3819813 MTL |
35 | { |
36 | memset(c, 0, sizeof(*c)); | |
37 | c->h[0] = 0x6a09e667UL; | |
38 | c->h[1] = 0xbb67ae85UL; | |
39 | c->h[2] = 0x3c6ef372UL; | |
40 | c->h[3] = 0xa54ff53aUL; | |
41 | c->h[4] = 0x510e527fUL; | |
42 | c->h[5] = 0x9b05688cUL; | |
43 | c->h[6] = 0x1f83d9abUL; | |
44 | c->h[7] = 0x5be0cd19UL; | |
45 | c->md_len = SHA256_DIGEST_LENGTH; | |
46 | return 1; | |
47 | } | |
3e575651 SL |
48 | |
49 | unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) | |
d3819813 MTL |
50 | { |
51 | SHA256_CTX c; | |
52 | static unsigned char m[SHA224_DIGEST_LENGTH]; | |
53 | ||
54 | if (md == NULL) | |
55 | md = m; | |
56 | SHA224_Init(&c); | |
57 | SHA256_Update(&c, d, n); | |
58 | SHA256_Final(md, &c); | |
59 | OPENSSL_cleanse(&c, sizeof(c)); | |
60 | return (md); | |
61 | } | |
3e575651 SL |
62 | |
63 | unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) | |
d3819813 MTL |
64 | { |
65 | SHA256_CTX c; | |
66 | static unsigned char m[SHA256_DIGEST_LENGTH]; | |
67 | ||
68 | if (md == NULL) | |
69 | md = m; | |
70 | SHA256_Init(&c); | |
71 | SHA256_Update(&c, d, n); | |
72 | SHA256_Final(md, &c); | |
73 | OPENSSL_cleanse(&c, sizeof(c)); | |
74 | return (md); | |
75 | } | |
3e575651 SL |
76 | |
77 | int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) | |
d3819813 MTL |
78 | { |
79 | return SHA256_Update(c, data, len); | |
80 | } | |
3e575651 | 81 | |
d3819813 MTL |
82 | int SHA224_Final(unsigned char *md, SHA256_CTX *c) |
83 | { | |
84 | return SHA256_Final(md, c); | |
85 | } | |
86 | ||
7bf7a6d0 MTL |
87 | #define DATA_ORDER_IS_BIG_ENDIAN |
88 | ||
89 | #define HASH_LONG SHA_LONG | |
90 | #define HASH_CTX SHA256_CTX | |
91 | #define HASH_CBLOCK SHA_CBLOCK | |
3e575651 | 92 | |
3e575651 SL |
93 | /* |
94 | * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." | |
95 | * default: case below covers for it. It's not clear however if it's | |
96 | * permitted to truncate to amount of bytes not divisible by 4. I bet not, | |
97 | * but if it is, then default: case shall be extended. For reference. | |
7bf7a6d0 | 98 | * Idea behind separate cases for pre-defined lengths is to let the |
3e575651 SL |
99 | * compiler decide if it's appropriate to unroll small loops. |
100 | */ | |
7bf7a6d0 | 101 | #define HASH_MAKE_STRING(c,s) do { \ |
d3819813 MTL |
102 | unsigned long ll; \ |
103 | unsigned int nn; \ | |
104 | switch ((c)->md_len) \ | |
105 | { case SHA224_DIGEST_LENGTH: \ | |
106 | for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ | |
107 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
108 | break; \ | |
109 | case SHA256_DIGEST_LENGTH: \ | |
110 | for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ | |
111 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
112 | break; \ | |
113 | default: \ | |
114 | if ((c)->md_len > SHA256_DIGEST_LENGTH) \ | |
115 | return 0; \ | |
116 | for (nn=0;nn<(c)->md_len/4;nn++) \ | |
117 | { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ | |
118 | break; \ | |
119 | } \ | |
120 | } while (0) | |
121 | ||
7bf7a6d0 MTL |
122 | #define HASH_UPDATE SHA256_Update |
123 | #define HASH_TRANSFORM SHA256_Transform | |
124 | #define HASH_FINAL SHA256_Final | |
125 | #define HASH_BLOCK_DATA_ORDER sha256_block_data_order | |
126 | #ifndef SHA256_ASM | |
3e575651 | 127 | static |
7bf7a6d0 | 128 | #endif |
d3819813 | 129 | void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); |
3e575651 | 130 | |
7bf7a6d0 | 131 | #include "internal/md32_common.h" |
3e575651 | 132 | |
7bf7a6d0 | 133 | #ifndef SHA256_ASM |
3e575651 | 134 | static const SHA_LONG K256[64] = { |
d3819813 MTL |
135 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
136 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | |
137 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | |
138 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | |
139 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | |
140 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | |
141 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | |
142 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | |
143 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | |
144 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | |
145 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | |
146 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | |
147 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | |
148 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | |
149 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | |
150 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL | |
151 | }; | |
3e575651 SL |
152 | |
153 | /* | |
154 | * FIPS specification refers to right rotations, while our ROTATE macro | |
155 | * is left one. This is why you might notice that rotation coefficients | |
156 | * differ from those observed in FIPS document by 32-N... | |
157 | */ | |
7bf7a6d0 MTL |
158 | # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) |
159 | # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) | |
160 | # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) | |
161 | # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) | |
d3819813 | 162 | |
7bf7a6d0 MTL |
163 | # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
164 | # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) | |
d3819813 | 165 | |
7bf7a6d0 | 166 | # ifdef OPENSSL_SMALL_FOOTPRINT |
d3819813 MTL |
167 | |
168 | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, | |
169 | size_t num) | |
170 | { | |
171 | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; | |
172 | SHA_LONG X[16], l; | |
173 | int i; | |
174 | const unsigned char *data = in; | |
175 | ||
176 | while (num--) { | |
177 | ||
178 | a = ctx->h[0]; | |
179 | b = ctx->h[1]; | |
180 | c = ctx->h[2]; | |
181 | d = ctx->h[3]; | |
182 | e = ctx->h[4]; | |
183 | f = ctx->h[5]; | |
184 | g = ctx->h[6]; | |
185 | h = ctx->h[7]; | |
186 | ||
187 | for (i = 0; i < 16; i++) { | |
7bf7a6d0 | 188 | (void)HOST_c2l(data, l); |
d3819813 MTL |
189 | T1 = X[i] = l; |
190 | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; | |
191 | T2 = Sigma0(a) + Maj(a, b, c); | |
192 | h = g; | |
193 | g = f; | |
194 | f = e; | |
195 | e = d + T1; | |
196 | d = c; | |
197 | c = b; | |
198 | b = a; | |
199 | a = T1 + T2; | |
200 | } | |
201 | ||
202 | for (; i < 64; i++) { | |
203 | s0 = X[(i + 1) & 0x0f]; | |
204 | s0 = sigma0(s0); | |
205 | s1 = X[(i + 14) & 0x0f]; | |
206 | s1 = sigma1(s1); | |
207 | ||
208 | T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; | |
209 | T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; | |
210 | T2 = Sigma0(a) + Maj(a, b, c); | |
211 | h = g; | |
212 | g = f; | |
213 | f = e; | |
214 | e = d + T1; | |
215 | d = c; | |
216 | c = b; | |
217 | b = a; | |
218 | a = T1 + T2; | |
219 | } | |
220 | ||
221 | ctx->h[0] += a; | |
222 | ctx->h[1] += b; | |
223 | ctx->h[2] += c; | |
224 | ctx->h[3] += d; | |
225 | ctx->h[4] += e; | |
226 | ctx->h[5] += f; | |
227 | ctx->h[6] += g; | |
228 | ctx->h[7] += h; | |
229 | ||
230 | } | |
3e575651 SL |
231 | } |
232 | ||
7bf7a6d0 | 233 | # else |
d3819813 | 234 | |
7bf7a6d0 | 235 | # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ |
d3819813 MTL |
236 | T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ |
237 | h = Sigma0(a) + Maj(a,b,c); \ | |
238 | d += T1; h += T1; } while (0) | |
239 | ||
7bf7a6d0 | 240 | # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ |
d3819813 MTL |
241 | s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ |
242 | s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ | |
243 | T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ | |
244 | ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) | |
245 | ||
246 | static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, | |
247 | size_t num) | |
248 | { | |
249 | unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; | |
250 | SHA_LONG X[16]; | |
251 | int i; | |
252 | const unsigned char *data = in; | |
253 | const union { | |
254 | long one; | |
255 | char little; | |
256 | } is_endian = { | |
257 | 1 | |
258 | }; | |
259 | ||
260 | while (num--) { | |
261 | ||
262 | a = ctx->h[0]; | |
263 | b = ctx->h[1]; | |
264 | c = ctx->h[2]; | |
265 | d = ctx->h[3]; | |
266 | e = ctx->h[4]; | |
267 | f = ctx->h[5]; | |
268 | g = ctx->h[6]; | |
269 | h = ctx->h[7]; | |
270 | ||
271 | if (!is_endian.little && sizeof(SHA_LONG) == 4 | |
272 | && ((size_t)in % 4) == 0) { | |
273 | const SHA_LONG *W = (const SHA_LONG *)data; | |
274 | ||
275 | T1 = X[0] = W[0]; | |
276 | ROUND_00_15(0, a, b, c, d, e, f, g, h); | |
277 | T1 = X[1] = W[1]; | |
278 | ROUND_00_15(1, h, a, b, c, d, e, f, g); | |
279 | T1 = X[2] = W[2]; | |
280 | ROUND_00_15(2, g, h, a, b, c, d, e, f); | |
281 | T1 = X[3] = W[3]; | |
282 | ROUND_00_15(3, f, g, h, a, b, c, d, e); | |
283 | T1 = X[4] = W[4]; | |
284 | ROUND_00_15(4, e, f, g, h, a, b, c, d); | |
285 | T1 = X[5] = W[5]; | |
286 | ROUND_00_15(5, d, e, f, g, h, a, b, c); | |
287 | T1 = X[6] = W[6]; | |
288 | ROUND_00_15(6, c, d, e, f, g, h, a, b); | |
289 | T1 = X[7] = W[7]; | |
290 | ROUND_00_15(7, b, c, d, e, f, g, h, a); | |
291 | T1 = X[8] = W[8]; | |
292 | ROUND_00_15(8, a, b, c, d, e, f, g, h); | |
293 | T1 = X[9] = W[9]; | |
294 | ROUND_00_15(9, h, a, b, c, d, e, f, g); | |
295 | T1 = X[10] = W[10]; | |
296 | ROUND_00_15(10, g, h, a, b, c, d, e, f); | |
297 | T1 = X[11] = W[11]; | |
298 | ROUND_00_15(11, f, g, h, a, b, c, d, e); | |
299 | T1 = X[12] = W[12]; | |
300 | ROUND_00_15(12, e, f, g, h, a, b, c, d); | |
301 | T1 = X[13] = W[13]; | |
302 | ROUND_00_15(13, d, e, f, g, h, a, b, c); | |
303 | T1 = X[14] = W[14]; | |
304 | ROUND_00_15(14, c, d, e, f, g, h, a, b); | |
305 | T1 = X[15] = W[15]; | |
306 | ROUND_00_15(15, b, c, d, e, f, g, h, a); | |
307 | ||
308 | data += SHA256_CBLOCK; | |
309 | } else { | |
310 | SHA_LONG l; | |
311 | ||
7bf7a6d0 | 312 | (void)HOST_c2l(data, l); |
d3819813 MTL |
313 | T1 = X[0] = l; |
314 | ROUND_00_15(0, a, b, c, d, e, f, g, h); | |
7bf7a6d0 | 315 | (void)HOST_c2l(data, l); |
d3819813 MTL |
316 | T1 = X[1] = l; |
317 | ROUND_00_15(1, h, a, b, c, d, e, f, g); | |
7bf7a6d0 | 318 | (void)HOST_c2l(data, l); |
d3819813 MTL |
319 | T1 = X[2] = l; |
320 | ROUND_00_15(2, g, h, a, b, c, d, e, f); | |
7bf7a6d0 | 321 | (void)HOST_c2l(data, l); |
d3819813 MTL |
322 | T1 = X[3] = l; |
323 | ROUND_00_15(3, f, g, h, a, b, c, d, e); | |
7bf7a6d0 | 324 | (void)HOST_c2l(data, l); |
d3819813 MTL |
325 | T1 = X[4] = l; |
326 | ROUND_00_15(4, e, f, g, h, a, b, c, d); | |
7bf7a6d0 | 327 | (void)HOST_c2l(data, l); |
d3819813 MTL |
328 | T1 = X[5] = l; |
329 | ROUND_00_15(5, d, e, f, g, h, a, b, c); | |
7bf7a6d0 | 330 | (void)HOST_c2l(data, l); |
d3819813 MTL |
331 | T1 = X[6] = l; |
332 | ROUND_00_15(6, c, d, e, f, g, h, a, b); | |
7bf7a6d0 | 333 | (void)HOST_c2l(data, l); |
d3819813 MTL |
334 | T1 = X[7] = l; |
335 | ROUND_00_15(7, b, c, d, e, f, g, h, a); | |
7bf7a6d0 | 336 | (void)HOST_c2l(data, l); |
d3819813 MTL |
337 | T1 = X[8] = l; |
338 | ROUND_00_15(8, a, b, c, d, e, f, g, h); | |
7bf7a6d0 | 339 | (void)HOST_c2l(data, l); |
d3819813 MTL |
340 | T1 = X[9] = l; |
341 | ROUND_00_15(9, h, a, b, c, d, e, f, g); | |
7bf7a6d0 | 342 | (void)HOST_c2l(data, l); |
d3819813 MTL |
343 | T1 = X[10] = l; |
344 | ROUND_00_15(10, g, h, a, b, c, d, e, f); | |
7bf7a6d0 | 345 | (void)HOST_c2l(data, l); |
d3819813 MTL |
346 | T1 = X[11] = l; |
347 | ROUND_00_15(11, f, g, h, a, b, c, d, e); | |
7bf7a6d0 | 348 | (void)HOST_c2l(data, l); |
d3819813 MTL |
349 | T1 = X[12] = l; |
350 | ROUND_00_15(12, e, f, g, h, a, b, c, d); | |
7bf7a6d0 | 351 | (void)HOST_c2l(data, l); |
d3819813 MTL |
352 | T1 = X[13] = l; |
353 | ROUND_00_15(13, d, e, f, g, h, a, b, c); | |
7bf7a6d0 | 354 | (void)HOST_c2l(data, l); |
d3819813 MTL |
355 | T1 = X[14] = l; |
356 | ROUND_00_15(14, c, d, e, f, g, h, a, b); | |
7bf7a6d0 | 357 | (void)HOST_c2l(data, l); |
d3819813 MTL |
358 | T1 = X[15] = l; |
359 | ROUND_00_15(15, b, c, d, e, f, g, h, a); | |
360 | } | |
361 | ||
362 | for (i = 16; i < 64; i += 8) { | |
363 | ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); | |
364 | ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); | |
365 | ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); | |
366 | ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); | |
367 | ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); | |
368 | ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); | |
369 | ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); | |
370 | ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); | |
371 | } | |
372 | ||
373 | ctx->h[0] += a; | |
374 | ctx->h[1] += b; | |
375 | ctx->h[2] += c; | |
376 | ctx->h[3] += d; | |
377 | ctx->h[4] += e; | |
378 | ctx->h[5] += f; | |
379 | ctx->h[6] += g; | |
380 | ctx->h[7] += h; | |
381 | ||
382 | } | |
383 | } | |
384 | ||
7bf7a6d0 MTL |
385 | # endif |
386 | #endif /* SHA256_ASM */ |