xref: /openbsd-src/lib/libcrypto/sha/sha256.c (revision fc405d53b73a2d73393cb97f684863d17b583e38) 
1 /* $OpenBSD: sha256.c,v 1.15 2023/03/29 05:34:01 jsing Exp $ */
2 /* ====================================================================
3  * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  * This product includes cryptographic software written by Eric Young
51  * (eay@cryptsoft.com).  This product includes software written by Tim
52  * Hudson (tjh@cryptsoft.com).
53  */
54 
55 #include <openssl/opensslconf.h>
56 
57 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
58 
59 #include <endian.h>
60 #include <stdlib.h>
61 #include <string.h>
62 
63 #include <openssl/crypto.h>
64 #include <openssl/sha.h>
65 #include <openssl/opensslv.h>
66 
67 int
68 SHA224_Init(SHA256_CTX *c)
69 {
70 	memset (c, 0, sizeof(*c));
71 
72 	c->h[0] = 0xc1059ed8UL;
73 	c->h[1] = 0x367cd507UL;
74 	c->h[2] = 0x3070dd17UL;
75 	c->h[3] = 0xf70e5939UL;
76 	c->h[4] = 0xffc00b31UL;
77 	c->h[5] = 0x68581511UL;
78 	c->h[6] = 0x64f98fa7UL;
79 	c->h[7] = 0xbefa4fa4UL;
80 
81 	c->md_len = SHA224_DIGEST_LENGTH;
82 
83 	return 1;
84 }
85 
86 int
87 SHA256_Init(SHA256_CTX *c)
88 {
89 	memset (c, 0, sizeof(*c));
90 
91 	c->h[0] = 0x6a09e667UL;
92 	c->h[1] = 0xbb67ae85UL;
93 	c->h[2] = 0x3c6ef372UL;
94 	c->h[3] = 0xa54ff53aUL;
95 	c->h[4] = 0x510e527fUL;
96 	c->h[5] = 0x9b05688cUL;
97 	c->h[6] = 0x1f83d9abUL;
98 	c->h[7] = 0x5be0cd19UL;
99 
100 	c->md_len = SHA256_DIGEST_LENGTH;
101 
102 	return 1;
103 }
104 
105 unsigned char *
106 SHA224(const unsigned char *d, size_t n, unsigned char *md)
107 {
108 	SHA256_CTX c;
109 	static unsigned char m[SHA224_DIGEST_LENGTH];
110 
111 	if (md == NULL)
112 		md = m;
113 
114 	SHA224_Init(&c);
115 	SHA256_Update(&c, d, n);
116 	SHA256_Final(md, &c);
117 
118 	explicit_bzero(&c, sizeof(c));
119 
120 	return (md);
121 }
122 
123 unsigned char *
124 SHA256(const unsigned char *d, size_t n, unsigned char *md)
125 {
126 	SHA256_CTX c;
127 	static unsigned char m[SHA256_DIGEST_LENGTH];
128 
129 	if (md == NULL)
130 		md = m;
131 
132 	SHA256_Init(&c);
133 	SHA256_Update(&c, d, n);
134 	SHA256_Final(md, &c);
135 
136 	explicit_bzero(&c, sizeof(c));
137 
138 	return (md);
139 }
140 
141 int
142 SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
143 {
144 	return SHA256_Update(c, data, len);
145 }
146 
147 int
148 SHA224_Final(unsigned char *md, SHA256_CTX *c)
149 {
150 	return SHA256_Final(md, c);
151 }
152 
153 #define	DATA_ORDER_IS_BIG_ENDIAN
154 
155 #define	HASH_LONG		SHA_LONG
156 #define	HASH_CTX		SHA256_CTX
157 #define	HASH_CBLOCK		SHA_CBLOCK
158 /*
159  * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
160  * default: case below covers for it. It's not clear however if it's
161  * permitted to truncate to amount of bytes not divisible by 4. I bet not,
162  * but if it is, then default: case shall be extended. For reference.
163  * Idea behind separate cases for pre-defined lengths is to let the
164  * compiler decide if it's appropriate to unroll small loops.
165  */
166 #define	HASH_MAKE_STRING(c, s)	do {	\
167 	unsigned long ll;		\
168 	unsigned int  nn;		\
169 	switch ((c)->md_len)		\
170 	{   case SHA224_DIGEST_LENGTH:	\
171 		for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)	\
172 		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
173 		break;			\
174 	    case SHA256_DIGEST_LENGTH:	\
175 		for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)	\
176 		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
177 		break;			\
178 	    default:			\
179 		if ((c)->md_len > SHA256_DIGEST_LENGTH)	\
180 		    return 0;				\
181 		for (nn=0;nn<(c)->md_len/4;nn++)		\
182 		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
183 		break;			\
184 	}				\
185 	} while (0)
186 
187 #define	HASH_UPDATE		SHA256_Update
188 #define	HASH_TRANSFORM		SHA256_Transform
189 #define	HASH_FINAL		SHA256_Final
190 #define	HASH_BLOCK_DATA_ORDER	sha256_block_data_order
191 #ifndef SHA256_ASM
192 static
193 #endif
194 void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num);
195 
196 #include "md32_common.h"
197 
198 #ifndef SHA256_ASM
199 static const SHA_LONG K256[64] = {
200 	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
201 	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
202 	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
203 	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
204 	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
205 	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
206 	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
207 	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
208 	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
209 	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
210 	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
211 	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
212 	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
213 	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
214 	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
215 	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
216 };
217 
218 /*
219  * FIPS specification refers to right rotations, while our ROTATE macro
220  * is left one. This is why you might notice that rotation coefficients
221  * differ from those observed in FIPS document by 32-N...
222  */
223 #define Sigma0(x)	(ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
224 #define Sigma1(x)	(ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
225 #define sigma0(x)	(ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
226 #define sigma1(x)	(ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
227 
228 #define Ch(x, y, z)	(((x) & (y)) ^ ((~(x)) & (z)))
229 #define Maj(x, y, z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
230 
231 #ifdef OPENSSL_SMALL_FOOTPRINT
232 
233 static void
234 sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num)
235 {
236 	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
237 	SHA_LONG	X[16], l;
238 	int i;
239 	const unsigned char *data = in;
240 
241 	while (num--) {
242 
243 		a = ctx->h[0];
244 		b = ctx->h[1];
245 		c = ctx->h[2];
246 		d = ctx->h[3];
247 		e = ctx->h[4];
248 		f = ctx->h[5];
249 		g = ctx->h[6];
250 		h = ctx->h[7];
251 
252 		for (i = 0; i < 16; i++) {
253 			HOST_c2l(data, l);
254 			T1 = X[i] = l;
255 			T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
256 			T2 = Sigma0(a) + Maj(a, b, c);
257 			h = g;
258 			g = f;
259 			f = e;
260 			e = d + T1;
261 			d = c;
262 			c = b;
263 			b = a;
264 			a = T1 + T2;
265 		}
266 
267 		for (; i < 64; i++) {
268 			s0 = X[(i + 1)&0x0f];
269 			s0 = sigma0(s0);
270 			s1 = X[(i + 14)&0x0f];
271 			s1 = sigma1(s1);
272 
273 			T1 = X[i&0xf] += s0 + s1 + X[(i + 9)&0xf];
274 			T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
275 			T2 = Sigma0(a) + Maj(a, b, c);
276 			h = g;
277 			g = f;
278 			f = e;
279 			e = d + T1;
280 			d = c;
281 			c = b;
282 			b = a;
283 			a = T1 + T2;
284 		}
285 
286 		ctx->h[0] += a;
287 		ctx->h[1] += b;
288 		ctx->h[2] += c;
289 		ctx->h[3] += d;
290 		ctx->h[4] += e;
291 		ctx->h[5] += f;
292 		ctx->h[6] += g;
293 		ctx->h[7] += h;
294 	}
295 }
296 
297 #else
298 
299 #define	ROUND_00_15(i, a, b, c, d, e, f, g, h)		do {	\
300 	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];	\
301 	h = Sigma0(a) + Maj(a, b, c);			\
302 	d += T1;	h += T1;		} while (0)
303 
304 #define	ROUND_16_63(i, a, b, c, d, e, f, g, h, X)	do {	\
305 	s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);	\
306 	s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);	\
307 	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];	\
308 	ROUND_00_15(i, a, b, c, d, e, f, g, h);		} while (0)
309 
310 static void
311 sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num)
312 {
313 	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
314 	SHA_LONG	X[16];
315 	int i;
316 	const unsigned char *data = in;
317 
318 	while (num--) {
319 
320 		a = ctx->h[0];
321 		b = ctx->h[1];
322 		c = ctx->h[2];
323 		d = ctx->h[3];
324 		e = ctx->h[4];
325 		f = ctx->h[5];
326 		g = ctx->h[6];
327 		h = ctx->h[7];
328 
329 		if (BYTE_ORDER != LITTLE_ENDIAN &&
330 		    sizeof(SHA_LONG) == 4 && ((size_t)in % 4) == 0) {
331 			const SHA_LONG *W = (const SHA_LONG *)data;
332 
333 			T1 = X[0] = W[0];
334 			ROUND_00_15(0, a, b, c, d, e, f, g, h);
335 			T1 = X[1] = W[1];
336 			ROUND_00_15(1, h, a, b, c, d, e, f, g);
337 			T1 = X[2] = W[2];
338 			ROUND_00_15(2, g, h, a, b, c, d, e, f);
339 			T1 = X[3] = W[3];
340 			ROUND_00_15(3, f, g, h, a, b, c, d, e);
341 			T1 = X[4] = W[4];
342 			ROUND_00_15(4, e, f, g, h, a, b, c, d);
343 			T1 = X[5] = W[5];
344 			ROUND_00_15(5, d, e, f, g, h, a, b, c);
345 			T1 = X[6] = W[6];
346 			ROUND_00_15(6, c, d, e, f, g, h, a, b);
347 			T1 = X[7] = W[7];
348 			ROUND_00_15(7, b, c, d, e, f, g, h, a);
349 			T1 = X[8] = W[8];
350 			ROUND_00_15(8, a, b, c, d, e, f, g, h);
351 			T1 = X[9] = W[9];
352 			ROUND_00_15(9, h, a, b, c, d, e, f, g);
353 			T1 = X[10] = W[10];
354 			ROUND_00_15(10, g, h, a, b, c, d, e, f);
355 			T1 = X[11] = W[11];
356 			ROUND_00_15(11, f, g, h, a, b, c, d, e);
357 			T1 = X[12] = W[12];
358 			ROUND_00_15(12, e, f, g, h, a, b, c, d);
359 			T1 = X[13] = W[13];
360 			ROUND_00_15(13, d, e, f, g, h, a, b, c);
361 			T1 = X[14] = W[14];
362 			ROUND_00_15(14, c, d, e, f, g, h, a, b);
363 			T1 = X[15] = W[15];
364 			ROUND_00_15(15, b, c, d, e, f, g, h, a);
365 
366 			data += SHA256_CBLOCK;
367 		} else {
368 			SHA_LONG l;
369 
370 			HOST_c2l(data, l);
371 			T1 = X[0] = l;
372 			ROUND_00_15(0, a, b, c, d, e, f, g, h);
373 			HOST_c2l(data, l);
374 			T1 = X[1] = l;
375 			ROUND_00_15(1, h, a, b, c, d, e, f, g);
376 			HOST_c2l(data, l);
377 			T1 = X[2] = l;
378 			ROUND_00_15(2, g, h, a, b, c, d, e, f);
379 			HOST_c2l(data, l);
380 			T1 = X[3] = l;
381 			ROUND_00_15(3, f, g, h, a, b, c, d, e);
382 			HOST_c2l(data, l);
383 			T1 = X[4] = l;
384 			ROUND_00_15(4, e, f, g, h, a, b, c, d);
385 			HOST_c2l(data, l);
386 			T1 = X[5] = l;
387 			ROUND_00_15(5, d, e, f, g, h, a, b, c);
388 			HOST_c2l(data, l);
389 			T1 = X[6] = l;
390 			ROUND_00_15(6, c, d, e, f, g, h, a, b);
391 			HOST_c2l(data, l);
392 			T1 = X[7] = l;
393 			ROUND_00_15(7, b, c, d, e, f, g, h, a);
394 			HOST_c2l(data, l);
395 			T1 = X[8] = l;
396 			ROUND_00_15(8, a, b, c, d, e, f, g, h);
397 			HOST_c2l(data, l);
398 			T1 = X[9] = l;
399 			ROUND_00_15(9, h, a, b, c, d, e, f, g);
400 			HOST_c2l(data, l);
401 			T1 = X[10] = l;
402 			ROUND_00_15(10, g, h, a, b, c, d, e, f);
403 			HOST_c2l(data, l);
404 			T1 = X[11] = l;
405 			ROUND_00_15(11, f, g, h, a, b, c, d, e);
406 			HOST_c2l(data, l);
407 			T1 = X[12] = l;
408 			ROUND_00_15(12, e, f, g, h, a, b, c, d);
409 			HOST_c2l(data, l);
410 			T1 = X[13] = l;
411 			ROUND_00_15(13, d, e, f, g, h, a, b, c);
412 			HOST_c2l(data, l);
413 			T1 = X[14] = l;
414 			ROUND_00_15(14, c, d, e, f, g, h, a, b);
415 			HOST_c2l(data, l);
416 			T1 = X[15] = l;
417 			ROUND_00_15(15, b, c, d, e, f, g, h, a);
418 		}
419 
420 		for (i = 16; i < 64; i += 8) {
421 			ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
422 			ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
423 			ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
424 			ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
425 			ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
426 			ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
427 			ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
428 			ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
429 		}
430 
431 		ctx->h[0] += a;
432 		ctx->h[1] += b;
433 		ctx->h[2] += c;
434 		ctx->h[3] += d;
435 		ctx->h[4] += e;
436 		ctx->h[5] += f;
437 		ctx->h[6] += g;
438 		ctx->h[7] += h;
439 	}
440 }
441 
442 #endif
443 #endif /* SHA256_ASM */
444 
445 #endif /* OPENSSL_NO_SHA256 */
446