VirtualBox

source: vbox/trunk/src/libs/openssl-3.3.2/crypto/sha/sha256.c

Last change on this file was 108206, checked in by vboxsync, 3 months ago

openssl-3.3.2: Exported all files to OSE and removed .scm-settings ​bugref:10757
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 14.0 KB
Line 
1/*
2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * SHA256 low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
16#include <openssl/opensslconf.h>
17
18#include <stdlib.h>
19#include <string.h>
20
21#include <openssl/crypto.h>
22#include <openssl/sha.h>
23#include <openssl/opensslv.h>
24#include "internal/endian.h"
25#include "crypto/sha.h"
26
27int SHA224_Init(SHA256_CTX *c)
28{
29 memset(c, 0, sizeof(*c));
30 c->h[0] = 0xc1059ed8UL;
31 c->h[1] = 0x367cd507UL;
32 c->h[2] = 0x3070dd17UL;
33 c->h[3] = 0xf70e5939UL;
34 c->h[4] = 0xffc00b31UL;
35 c->h[5] = 0x68581511UL;
36 c->h[6] = 0x64f98fa7UL;
37 c->h[7] = 0xbefa4fa4UL;
38 c->md_len = SHA224_DIGEST_LENGTH;
39 return 1;
40}
41
42int SHA256_Init(SHA256_CTX *c)
43{
44 memset(c, 0, sizeof(*c));
45 c->h[0] = 0x6a09e667UL;
46 c->h[1] = 0xbb67ae85UL;
47 c->h[2] = 0x3c6ef372UL;
48 c->h[3] = 0xa54ff53aUL;
49 c->h[4] = 0x510e527fUL;
50 c->h[5] = 0x9b05688cUL;
51 c->h[6] = 0x1f83d9abUL;
52 c->h[7] = 0x5be0cd19UL;
53 c->md_len = SHA256_DIGEST_LENGTH;
54 return 1;
55}
56
57int ossl_sha256_192_init(SHA256_CTX *c)
58{
59 SHA256_Init(c);
60 c->md_len = SHA256_192_DIGEST_LENGTH;
61 return 1;
62}
63
64int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
65{
66 return SHA256_Update(c, data, len);
67}
68
69int SHA224_Final(unsigned char *md, SHA256_CTX *c)
70{
71 return SHA256_Final(md, c);
72}
73
74#define DATA_ORDER_IS_BIG_ENDIAN
75
76#define HASH_LONG SHA_LONG
77#define HASH_CTX SHA256_CTX
78#define HASH_CBLOCK SHA_CBLOCK
79
80/*
81 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82 * default: case below covers for it. It's not clear however if it's
83 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
84 * but if it is, then default: case shall be extended. For reference.
85 * Idea behind separate cases for pre-defined lengths is to let the
86 * compiler decide if it's appropriate to unroll small loops.
87 */
88#define HASH_MAKE_STRING(c,s) do { \
89 unsigned long ll; \
90 unsigned int nn; \
91 switch ((c)->md_len) \
92 { case SHA256_192_DIGEST_LENGTH: \
93 for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
95 break; \
96 case SHA224_DIGEST_LENGTH: \
97 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
99 break; \
100 case SHA256_DIGEST_LENGTH: \
101 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
103 break; \
104 default: \
105 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
106 return 0; \
107 for (nn=0;nn<(c)->md_len/4;nn++) \
108 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109 break; \
110 } \
111 } while (0)
112
113#define HASH_UPDATE SHA256_Update
114#define HASH_TRANSFORM SHA256_Transform
115#define HASH_FINAL SHA256_Final
116#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
117#ifndef SHA256_ASM
118static
119#else
120# ifdef INCLUDE_C_SHA256
121void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
122# endif /* INCLUDE_C_SHA256 */
123#endif /* SHA256_ASM */
124void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
125
126#include "crypto/md32_common.h"
127
128#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
129static const SHA_LONG K256[64] = {
130 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
131 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
132 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
133 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
134 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
135 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
136 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
137 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
138 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
139 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
140 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
141 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
142 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
143 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
144 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
145 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
146};
147
148# ifndef PEDANTIC
149# if defined(__GNUC__) && __GNUC__>=2 && \
150 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
151# if defined(__riscv_zknh)
152# define Sigma0(x) ({ MD32_REG_T ret; \
153 asm ("sha256sum0 %0, %1" \
154 : "=r"(ret) \
155 : "r"(x)); ret; })
156# define Sigma1(x) ({ MD32_REG_T ret; \
157 asm ("sha256sum1 %0, %1" \
158 : "=r"(ret) \
159 : "r"(x)); ret; })
160# define sigma0(x) ({ MD32_REG_T ret; \
161 asm ("sha256sig0 %0, %1" \
162 : "=r"(ret) \
163 : "r"(x)); ret; })
164# define sigma1(x) ({ MD32_REG_T ret; \
165 asm ("sha256sig1 %0, %1" \
166 : "=r"(ret) \
167 : "r"(x)); ret; })
168# endif
169# if defined(__riscv_zbt) || defined(__riscv_zpn)
170# define Ch(x,y,z) ({ MD32_REG_T ret; \
171 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
172 : "=r"(ret) \
173 : "r"(x), "r"(y), "r"(z)); ret; })
174# define Maj(x,y,z) ({ MD32_REG_T ret; \
175 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176 : "=r"(ret) \
177 : "r"(x^z), "r"(y), "r"(x)); ret; })
178# endif
179# endif
180# endif
181
182/*
183 * FIPS specification refers to right rotations, while our ROTATE macro
184 * is left one. This is why you might notice that rotation coefficients
185 * differ from those observed in FIPS document by 32-N...
186 */
187# ifndef Sigma0
188# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
189# endif
190# ifndef Sigma1
191# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
192# endif
193# ifndef sigma0
194# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
195# endif
196# ifndef sigma1
197# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
198# endif
199# ifndef Ch
200# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
201# endif
202# ifndef Maj
203# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
204# endif
205
206# ifdef OPENSSL_SMALL_FOOTPRINT
207
208static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
209 size_t num)
210{
211 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
212 SHA_LONG X[16], l;
213 int i;
214 const unsigned char *data = in;
215
216 while (num--) {
217
218 a = ctx->h[0];
219 b = ctx->h[1];
220 c = ctx->h[2];
221 d = ctx->h[3];
222 e = ctx->h[4];
223 f = ctx->h[5];
224 g = ctx->h[6];
225 h = ctx->h[7];
226
227 for (i = 0; i < 16; i++) {
228 (void)HOST_c2l(data, l);
229 T1 = X[i] = l;
230 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
231 T2 = Sigma0(a) + Maj(a, b, c);
232 h = g;
233 g = f;
234 f = e;
235 e = d + T1;
236 d = c;
237 c = b;
238 b = a;
239 a = T1 + T2;
240 }
241
242 for (; i < 64; i++) {
243 s0 = X[(i + 1) & 0x0f];
244 s0 = sigma0(s0);
245 s1 = X[(i + 14) & 0x0f];
246 s1 = sigma1(s1);
247
248 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
249 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
250 T2 = Sigma0(a) + Maj(a, b, c);
251 h = g;
252 g = f;
253 f = e;
254 e = d + T1;
255 d = c;
256 c = b;
257 b = a;
258 a = T1 + T2;
259 }
260
261 ctx->h[0] += a;
262 ctx->h[1] += b;
263 ctx->h[2] += c;
264 ctx->h[3] += d;
265 ctx->h[4] += e;
266 ctx->h[5] += f;
267 ctx->h[6] += g;
268 ctx->h[7] += h;
269
270 }
271}
272
273# else
274
275# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
276 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
277 h = Sigma0(a) + Maj(a,b,c); \
278 d += T1; h += T1; } while (0)
279
280# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
281 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
282 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
283 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
284 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
285
286#ifdef INCLUDE_C_SHA256
287void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
288#else
289static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
290 size_t num)
291#endif
292{
293 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
294 SHA_LONG X[16];
295 int i;
296 const unsigned char *data = in;
297 DECLARE_IS_ENDIAN;
298
299 while (num--) {
300
301 a = ctx->h[0];
302 b = ctx->h[1];
303 c = ctx->h[2];
304 d = ctx->h[3];
305 e = ctx->h[4];
306 f = ctx->h[5];
307 g = ctx->h[6];
308 h = ctx->h[7];
309
310 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
311 && ((size_t)in % 4) == 0) {
312 const SHA_LONG *W = (const SHA_LONG *)data;
313
314 T1 = X[0] = W[0];
315 ROUND_00_15(0, a, b, c, d, e, f, g, h);
316 T1 = X[1] = W[1];
317 ROUND_00_15(1, h, a, b, c, d, e, f, g);
318 T1 = X[2] = W[2];
319 ROUND_00_15(2, g, h, a, b, c, d, e, f);
320 T1 = X[3] = W[3];
321 ROUND_00_15(3, f, g, h, a, b, c, d, e);
322 T1 = X[4] = W[4];
323 ROUND_00_15(4, e, f, g, h, a, b, c, d);
324 T1 = X[5] = W[5];
325 ROUND_00_15(5, d, e, f, g, h, a, b, c);
326 T1 = X[6] = W[6];
327 ROUND_00_15(6, c, d, e, f, g, h, a, b);
328 T1 = X[7] = W[7];
329 ROUND_00_15(7, b, c, d, e, f, g, h, a);
330 T1 = X[8] = W[8];
331 ROUND_00_15(8, a, b, c, d, e, f, g, h);
332 T1 = X[9] = W[9];
333 ROUND_00_15(9, h, a, b, c, d, e, f, g);
334 T1 = X[10] = W[10];
335 ROUND_00_15(10, g, h, a, b, c, d, e, f);
336 T1 = X[11] = W[11];
337 ROUND_00_15(11, f, g, h, a, b, c, d, e);
338 T1 = X[12] = W[12];
339 ROUND_00_15(12, e, f, g, h, a, b, c, d);
340 T1 = X[13] = W[13];
341 ROUND_00_15(13, d, e, f, g, h, a, b, c);
342 T1 = X[14] = W[14];
343 ROUND_00_15(14, c, d, e, f, g, h, a, b);
344 T1 = X[15] = W[15];
345 ROUND_00_15(15, b, c, d, e, f, g, h, a);
346
347 data += SHA256_CBLOCK;
348 } else {
349 SHA_LONG l;
350
351 (void)HOST_c2l(data, l);
352 T1 = X[0] = l;
353 ROUND_00_15(0, a, b, c, d, e, f, g, h);
354 (void)HOST_c2l(data, l);
355 T1 = X[1] = l;
356 ROUND_00_15(1, h, a, b, c, d, e, f, g);
357 (void)HOST_c2l(data, l);
358 T1 = X[2] = l;
359 ROUND_00_15(2, g, h, a, b, c, d, e, f);
360 (void)HOST_c2l(data, l);
361 T1 = X[3] = l;
362 ROUND_00_15(3, f, g, h, a, b, c, d, e);
363 (void)HOST_c2l(data, l);
364 T1 = X[4] = l;
365 ROUND_00_15(4, e, f, g, h, a, b, c, d);
366 (void)HOST_c2l(data, l);
367 T1 = X[5] = l;
368 ROUND_00_15(5, d, e, f, g, h, a, b, c);
369 (void)HOST_c2l(data, l);
370 T1 = X[6] = l;
371 ROUND_00_15(6, c, d, e, f, g, h, a, b);
372 (void)HOST_c2l(data, l);
373 T1 = X[7] = l;
374 ROUND_00_15(7, b, c, d, e, f, g, h, a);
375 (void)HOST_c2l(data, l);
376 T1 = X[8] = l;
377 ROUND_00_15(8, a, b, c, d, e, f, g, h);
378 (void)HOST_c2l(data, l);
379 T1 = X[9] = l;
380 ROUND_00_15(9, h, a, b, c, d, e, f, g);
381 (void)HOST_c2l(data, l);
382 T1 = X[10] = l;
383 ROUND_00_15(10, g, h, a, b, c, d, e, f);
384 (void)HOST_c2l(data, l);
385 T1 = X[11] = l;
386 ROUND_00_15(11, f, g, h, a, b, c, d, e);
387 (void)HOST_c2l(data, l);
388 T1 = X[12] = l;
389 ROUND_00_15(12, e, f, g, h, a, b, c, d);
390 (void)HOST_c2l(data, l);
391 T1 = X[13] = l;
392 ROUND_00_15(13, d, e, f, g, h, a, b, c);
393 (void)HOST_c2l(data, l);
394 T1 = X[14] = l;
395 ROUND_00_15(14, c, d, e, f, g, h, a, b);
396 (void)HOST_c2l(data, l);
397 T1 = X[15] = l;
398 ROUND_00_15(15, b, c, d, e, f, g, h, a);
399 }
400
401 for (i = 16; i < 64; i += 8) {
402 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
403 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
404 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
405 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
406 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
407 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
408 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
409 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
410 }
411
412 ctx->h[0] += a;
413 ctx->h[1] += b;
414 ctx->h[2] += c;
415 ctx->h[3] += d;
416 ctx->h[4] += e;
417 ctx->h[5] += f;
418 ctx->h[6] += g;
419 ctx->h[7] += h;
420
421 }
422}
423
424# endif
425#endif /* SHA256_ASM */
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette