2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * SHA256 low level APIs are deprecated for public use, but still ok for
14 #include "internal/deprecated.h"
16 #include <openssl/opensslconf.h>
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
24 #include "internal/endian.h"
25 #include "crypto/sha.h"
27 int SHA224_Init(SHA256_CTX *c)
29 memset(c, 0, sizeof(*c));
30 c->h[0] = 0xc1059ed8UL;
31 c->h[1] = 0x367cd507UL;
32 c->h[2] = 0x3070dd17UL;
33 c->h[3] = 0xf70e5939UL;
34 c->h[4] = 0xffc00b31UL;
35 c->h[5] = 0x68581511UL;
36 c->h[6] = 0x64f98fa7UL;
37 c->h[7] = 0xbefa4fa4UL;
38 c->md_len = SHA224_DIGEST_LENGTH;
42 int SHA256_Init(SHA256_CTX *c)
44 memset(c, 0, sizeof(*c));
45 c->h[0] = 0x6a09e667UL;
46 c->h[1] = 0xbb67ae85UL;
47 c->h[2] = 0x3c6ef372UL;
48 c->h[3] = 0xa54ff53aUL;
49 c->h[4] = 0x510e527fUL;
50 c->h[5] = 0x9b05688cUL;
51 c->h[6] = 0x1f83d9abUL;
52 c->h[7] = 0x5be0cd19UL;
53 c->md_len = SHA256_DIGEST_LENGTH;
57 int ossl_sha256_192_init(SHA256_CTX *c)
60 c->md_len = SHA256_192_DIGEST_LENGTH;
64 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
66 return SHA256_Update(c, data, len);
69 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
71 return SHA256_Final(md, c);
74 #define DATA_ORDER_IS_BIG_ENDIAN
76 #define HASH_LONG SHA_LONG
77 #define HASH_CTX SHA256_CTX
78 #define HASH_CBLOCK SHA_CBLOCK
81 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82 * default: case below covers for it. It's not clear however if it's
83 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
84 * but if it is, then default: case shall be extended. For reference.
85 * Idea behind separate cases for pre-defined lengths is to let the
86 * compiler decide if it's appropriate to unroll small loops.
88 #define HASH_MAKE_STRING(c,s) do { \
91 switch ((c)->md_len) \
92 { case SHA256_192_DIGEST_LENGTH: \
93 for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
96 case SHA224_DIGEST_LENGTH: \
97 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
100 case SHA256_DIGEST_LENGTH: \
101 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
105 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
107 for (nn=0;nn<(c)->md_len/4;nn++) \
108 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
113 #define HASH_UPDATE SHA256_Update
114 #define HASH_TRANSFORM SHA256_Transform
115 #define HASH_FINAL SHA256_Final
116 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
120 # ifdef INCLUDE_C_SHA256
121 void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
122 # endif /* INCLUDE_C_SHA256 */
123 #endif /* SHA256_ASM */
124 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
126 #include "crypto/md32_common.h"
128 #if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
129 static const SHA_LONG K256[64] = {
130 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
131 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
132 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
133 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
134 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
135 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
136 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
137 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
138 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
139 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
140 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
141 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
142 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
143 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
144 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
145 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
149 # if defined(__GNUC__) && __GNUC__>=2 && \
150 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
151 # if defined(__riscv_zknh)
152 # define Sigma0(x) ({ MD32_REG_T ret; \
153 asm ("sha256sum0 %0, %1" \
156 # define Sigma1(x) ({ MD32_REG_T ret; \
157 asm ("sha256sum1 %0, %1" \
160 # define sigma0(x) ({ MD32_REG_T ret; \
161 asm ("sha256sig0 %0, %1" \
164 # define sigma1(x) ({ MD32_REG_T ret; \
165 asm ("sha256sig1 %0, %1" \
169 # if defined(__riscv_zbt) || defined(__riscv_zpn)
170 # define Ch(x,y,z) ({ MD32_REG_T ret; \
171 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
173 : "r"(x), "r"(y), "r"(z)); ret; })
174 # define Maj(x,y,z) ({ MD32_REG_T ret; \
175 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
177 : "r"(x^z), "r"(y), "r"(x)); ret; })
183 * FIPS specification refers to right rotations, while our ROTATE macro
184 * is left one. This is why you might notice that rotation coefficients
185 * differ from those observed in FIPS document by 32-N...
188 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
191 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
194 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
197 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
200 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
203 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
206 # ifdef OPENSSL_SMALL_FOOTPRINT
208 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
211 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
214 const unsigned char *data = in;
227 for (i = 0; i < 16; i++) {
228 (void)HOST_c2l(data, l);
230 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
231 T2 = Sigma0(a) + Maj(a, b, c);
242 for (; i < 64; i++) {
243 s0 = X[(i + 1) & 0x0f];
245 s1 = X[(i + 14) & 0x0f];
248 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
249 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
250 T2 = Sigma0(a) + Maj(a, b, c);
275 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
276 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
277 h = Sigma0(a) + Maj(a,b,c); \
278 d += T1; h += T1; } while (0)
280 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
281 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
282 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
283 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
284 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
286 #ifdef INCLUDE_C_SHA256
287 void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
289 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
293 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
296 const unsigned char *data = in;
310 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
311 && ((size_t)in % 4) == 0) {
312 const SHA_LONG *W = (const SHA_LONG *)data;
315 ROUND_00_15(0, a, b, c, d, e, f, g, h);
317 ROUND_00_15(1, h, a, b, c, d, e, f, g);
319 ROUND_00_15(2, g, h, a, b, c, d, e, f);
321 ROUND_00_15(3, f, g, h, a, b, c, d, e);
323 ROUND_00_15(4, e, f, g, h, a, b, c, d);
325 ROUND_00_15(5, d, e, f, g, h, a, b, c);
327 ROUND_00_15(6, c, d, e, f, g, h, a, b);
329 ROUND_00_15(7, b, c, d, e, f, g, h, a);
331 ROUND_00_15(8, a, b, c, d, e, f, g, h);
333 ROUND_00_15(9, h, a, b, c, d, e, f, g);
335 ROUND_00_15(10, g, h, a, b, c, d, e, f);
337 ROUND_00_15(11, f, g, h, a, b, c, d, e);
339 ROUND_00_15(12, e, f, g, h, a, b, c, d);
341 ROUND_00_15(13, d, e, f, g, h, a, b, c);
343 ROUND_00_15(14, c, d, e, f, g, h, a, b);
345 ROUND_00_15(15, b, c, d, e, f, g, h, a);
347 data += SHA256_CBLOCK;
351 (void)HOST_c2l(data, l);
353 ROUND_00_15(0, a, b, c, d, e, f, g, h);
354 (void)HOST_c2l(data, l);
356 ROUND_00_15(1, h, a, b, c, d, e, f, g);
357 (void)HOST_c2l(data, l);
359 ROUND_00_15(2, g, h, a, b, c, d, e, f);
360 (void)HOST_c2l(data, l);
362 ROUND_00_15(3, f, g, h, a, b, c, d, e);
363 (void)HOST_c2l(data, l);
365 ROUND_00_15(4, e, f, g, h, a, b, c, d);
366 (void)HOST_c2l(data, l);
368 ROUND_00_15(5, d, e, f, g, h, a, b, c);
369 (void)HOST_c2l(data, l);
371 ROUND_00_15(6, c, d, e, f, g, h, a, b);
372 (void)HOST_c2l(data, l);
374 ROUND_00_15(7, b, c, d, e, f, g, h, a);
375 (void)HOST_c2l(data, l);
377 ROUND_00_15(8, a, b, c, d, e, f, g, h);
378 (void)HOST_c2l(data, l);
380 ROUND_00_15(9, h, a, b, c, d, e, f, g);
381 (void)HOST_c2l(data, l);
383 ROUND_00_15(10, g, h, a, b, c, d, e, f);
384 (void)HOST_c2l(data, l);
386 ROUND_00_15(11, f, g, h, a, b, c, d, e);
387 (void)HOST_c2l(data, l);
389 ROUND_00_15(12, e, f, g, h, a, b, c, d);
390 (void)HOST_c2l(data, l);
392 ROUND_00_15(13, d, e, f, g, h, a, b, c);
393 (void)HOST_c2l(data, l);
395 ROUND_00_15(14, c, d, e, f, g, h, a, b);
396 (void)HOST_c2l(data, l);
398 ROUND_00_15(15, b, c, d, e, f, g, h, a);
401 for (i = 16; i < 64; i += 8) {
402 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
403 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
404 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
405 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
406 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
407 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
408 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
409 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
425 #endif /* SHA256_ASM */