release/src/router/openssl/crypto/sha/sha256.c

   1 /* crypto/sha/sha256.c */
   2 /* ====================================================================
   3  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
   4  * according to the OpenSSL license [found in ../../LICENSE].
   5  * ====================================================================
   6  */
   7 #include <openssl/opensslconf.h>
   8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
   9
  10 #include <stdlib.h>
  11 #include <string.h>
  12
  13 #include <openssl/crypto.h>
  14 #include <openssl/sha.h>
  15 #include <openssl/opensslv.h>
  16
  17 const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
  18
  19 fips_md_init_ctx(SHA224, SHA256)
  20         {
  21         memset (c,0,sizeof(*c));
  22         c->h[0]=0xc1059ed8UL;   c->h[1]=0x367cd507UL;
  23         c->h[2]=0x3070dd17UL;   c->h[3]=0xf70e5939UL;
  24         c->h[4]=0xffc00b31UL;   c->h[5]=0x68581511UL;
  25         c->h[6]=0x64f98fa7UL;   c->h[7]=0xbefa4fa4UL;
  26         c->md_len=SHA224_DIGEST_LENGTH;
  27         return 1;
  28         }
  29
  30 fips_md_init(SHA256)
  31         {
  32         memset (c,0,sizeof(*c));
  33         c->h[0]=0x6a09e667UL;   c->h[1]=0xbb67ae85UL;
  34         c->h[2]=0x3c6ef372UL;   c->h[3]=0xa54ff53aUL;
  35         c->h[4]=0x510e527fUL;   c->h[5]=0x9b05688cUL;
  36         c->h[6]=0x1f83d9abUL;   c->h[7]=0x5be0cd19UL;
  37         c->md_len=SHA256_DIGEST_LENGTH;
  38         return 1;
  39         }
  40
  41 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
  42         {
  43         SHA256_CTX c;
  44         static unsigned char m[SHA224_DIGEST_LENGTH];
  45
  46         if (md == NULL) md=m;
  47         SHA224_Init(&c);
  48         SHA256_Update(&c,d,n);
  49         SHA256_Final(md,&c);
  50         OPENSSL_cleanse(&c,sizeof(c));
  51         return(md);
  52         }
  53
  54 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
  55         {
  56         SHA256_CTX c;
  57         static unsigned char m[SHA256_DIGEST_LENGTH];
  58
  59         if (md == NULL) md=m;
  60         SHA256_Init(&c);
  61         SHA256_Update(&c,d,n);
  62         SHA256_Final(md,&c);
  63         OPENSSL_cleanse(&c,sizeof(c));
  64         return(md);
  65         }
  66
  67 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
  68 {   return SHA256_Update (c,data,len);   }
  69 int SHA224_Final (unsigned char *md, SHA256_CTX *c)
  70 {   return SHA256_Final (md,c);   }
  71
  72 #define DATA_ORDER_IS_BIG_ENDIAN
  73
  74 #define HASH_LONG               SHA_LONG
  75 #define HASH_CTX                SHA256_CTX
  76 #define HASH_CBLOCK             SHA_CBLOCK
  77 /*
  78  * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
  79  * default: case below covers for it. It's not clear however if it's
  80  * permitted to truncate to amount of bytes not divisible by 4. I bet not,
  81  * but if it is, then default: case shall be extended. For reference.
  82  * Idea behind separate cases for pre-defined lenghts is to let the
  83  * compiler decide if it's appropriate to unroll small loops.
  84  */
  85 #define HASH_MAKE_STRING(c,s)   do {    \
  86         unsigned long ll;               \
  87         unsigned int  nn;               \
  88         switch ((c)->md_len)            \
  89         {   case SHA224_DIGEST_LENGTH:  \
  90                 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
  91                 {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
  92                 break;                  \
  93             case SHA256_DIGEST_LENGTH:  \
  94                 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
  95                 {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
  96                 break;                  \
  97             default:                    \
  98                 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
  99                     return 0;                           \
 100                 for (nn=0;nn<(c)->md_len/4;nn++)                \
 101                 {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
 102                 break;                  \
 103         }                               \
 104         } while (0)
 105
 106 #define HASH_UPDATE             SHA256_Update
 107 #define HASH_TRANSFORM          SHA256_Transform
 108 #define HASH_FINAL              SHA256_Final
 109 #define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
 110 #ifndef SHA256_ASM
 111 static
 112 #endif
 113 void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num);
 114
 115 #include "md32_common.h"
 116
 117 #ifndef SHA256_ASM
 118 static const SHA_LONG K256[64] = {
 119         0x428a2f98UL,0x71374491UL,0xb5c0fbcfUL,0xe9b5dba5UL,
 120         0x3956c25bUL,0x59f111f1UL,0x923f82a4UL,0xab1c5ed5UL,
 121         0xd807aa98UL,0x12835b01UL,0x243185beUL,0x550c7dc3UL,
 122         0x72be5d74UL,0x80deb1feUL,0x9bdc06a7UL,0xc19bf174UL,
 123         0xe49b69c1UL,0xefbe4786UL,0x0fc19dc6UL,0x240ca1ccUL,
 124         0x2de92c6fUL,0x4a7484aaUL,0x5cb0a9dcUL,0x76f988daUL,
 125         0x983e5152UL,0xa831c66dUL,0xb00327c8UL,0xbf597fc7UL,
 126         0xc6e00bf3UL,0xd5a79147UL,0x06ca6351UL,0x14292967UL,
 127         0x27b70a85UL,0x2e1b2138UL,0x4d2c6dfcUL,0x53380d13UL,
 128         0x650a7354UL,0x766a0abbUL,0x81c2c92eUL,0x92722c85UL,
 129         0xa2bfe8a1UL,0xa81a664bUL,0xc24b8b70UL,0xc76c51a3UL,
 130         0xd192e819UL,0xd6990624UL,0xf40e3585UL,0x106aa070UL,
 131         0x19a4c116UL,0x1e376c08UL,0x2748774cUL,0x34b0bcb5UL,
 132         0x391c0cb3UL,0x4ed8aa4aUL,0x5b9cca4fUL,0x682e6ff3UL,
 133         0x748f82eeUL,0x78a5636fUL,0x84c87814UL,0x8cc70208UL,
 134         0x90befffaUL,0xa4506cebUL,0xbef9a3f7UL,0xc67178f2UL };
 135
 136 /*
 137  * FIPS specification refers to right rotations, while our ROTATE macro
 138  * is left one. This is why you might notice that rotation coefficients
 139  * differ from those observed in FIPS document by 32-N...
 140  */
 141 #define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
 142 #define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
 143 #define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
 144 #define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
 145
 146 #define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
 147 #define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 148
 149 #ifdef OPENSSL_SMALL_FOOTPRINT
 150
 151 static void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num)
 152         {
 153         unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1,T2;
 154         SHA_LONG        X[16],l;
 155         int i;
 156         const unsigned char *data=in;
 157
 158                         while (num--) {
 159
 160         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 161         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 162
 163         for (i=0;i<16;i++)
 164                 {
 165                 HOST_c2l(data,l); T1 = X[i] = l;
 166                 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];
 167                 T2 = Sigma0(a) + Maj(a,b,c);
 168                 h = g;  g = f;  f = e;  e = d + T1;
 169                 d = c;  c = b;  b = a;  a = T1 + T2;
 170                 }
 171
 172         for (;i<64;i++)
 173                 {
 174                 s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);
 175                 s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);
 176
 177                 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
 178                 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];
 179                 T2 = Sigma0(a) + Maj(a,b,c);
 180                 h = g;  g = f;  f = e;  e = d + T1;
 181                 d = c;  c = b;  b = a;  a = T1 + T2;
 182                 }
 183
 184         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 185         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 186
 187                         }
 188 }
 189
 190 #else
 191
 192 #define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
 193         T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
 194         h = Sigma0(a) + Maj(a,b,c);                     \
 195         d += T1;        h += T1;                } while (0)
 196
 197 #define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
 198         s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
 199         s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
 200         T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
 201         ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)
 202
 203 static void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num)
 204         {
 205         unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1;
 206         SHA_LONG        X[16];
 207         int i;
 208         const unsigned char *data=in;
 209         const union { long one; char little; } is_endian = {1};
 210
 211                         while (num--) {
 212
 213         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 214         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 215
 216         if (!is_endian.little && sizeof(SHA_LONG)==4 && ((size_t)in%4)==0)
 217                 {
 218                 const SHA_LONG *W=(const SHA_LONG *)data;
 219
 220                 T1 = X[0] = W[0];       ROUND_00_15(0,a,b,c,d,e,f,g,h);
 221                 T1 = X[1] = W[1];       ROUND_00_15(1,h,a,b,c,d,e,f,g);
 222                 T1 = X[2] = W[2];       ROUND_00_15(2,g,h,a,b,c,d,e,f);
 223                 T1 = X[3] = W[3];       ROUND_00_15(3,f,g,h,a,b,c,d,e);
 224                 T1 = X[4] = W[4];       ROUND_00_15(4,e,f,g,h,a,b,c,d);
 225                 T1 = X[5] = W[5];       ROUND_00_15(5,d,e,f,g,h,a,b,c);
 226                 T1 = X[6] = W[6];       ROUND_00_15(6,c,d,e,f,g,h,a,b);
 227                 T1 = X[7] = W[7];       ROUND_00_15(7,b,c,d,e,f,g,h,a);
 228                 T1 = X[8] = W[8];       ROUND_00_15(8,a,b,c,d,e,f,g,h);
 229                 T1 = X[9] = W[9];       ROUND_00_15(9,h,a,b,c,d,e,f,g);
 230                 T1 = X[10] = W[10];     ROUND_00_15(10,g,h,a,b,c,d,e,f);
 231                 T1 = X[11] = W[11];     ROUND_00_15(11,f,g,h,a,b,c,d,e);
 232                 T1 = X[12] = W[12];     ROUND_00_15(12,e,f,g,h,a,b,c,d);
 233                 T1 = X[13] = W[13];     ROUND_00_15(13,d,e,f,g,h,a,b,c);
 234                 T1 = X[14] = W[14];     ROUND_00_15(14,c,d,e,f,g,h,a,b);
 235                 T1 = X[15] = W[15];     ROUND_00_15(15,b,c,d,e,f,g,h,a);
 236
 237                 data += SHA256_CBLOCK;
 238                 }
 239         else
 240                 {
 241                 SHA_LONG l;
 242
 243                 HOST_c2l(data,l); T1 = X[0] = l;  ROUND_00_15(0,a,b,c,d,e,f,g,h);
 244                 HOST_c2l(data,l); T1 = X[1] = l;  ROUND_00_15(1,h,a,b,c,d,e,f,g);
 245                 HOST_c2l(data,l); T1 = X[2] = l;  ROUND_00_15(2,g,h,a,b,c,d,e,f);
 246                 HOST_c2l(data,l); T1 = X[3] = l;  ROUND_00_15(3,f,g,h,a,b,c,d,e);
 247                 HOST_c2l(data,l); T1 = X[4] = l;  ROUND_00_15(4,e,f,g,h,a,b,c,d);
 248                 HOST_c2l(data,l); T1 = X[5] = l;  ROUND_00_15(5,d,e,f,g,h,a,b,c);
 249                 HOST_c2l(data,l); T1 = X[6] = l;  ROUND_00_15(6,c,d,e,f,g,h,a,b);
 250                 HOST_c2l(data,l); T1 = X[7] = l;  ROUND_00_15(7,b,c,d,e,f,g,h,a);
 251                 HOST_c2l(data,l); T1 = X[8] = l;  ROUND_00_15(8,a,b,c,d,e,f,g,h);
 252                 HOST_c2l(data,l); T1 = X[9] = l;  ROUND_00_15(9,h,a,b,c,d,e,f,g);
 253                 HOST_c2l(data,l); T1 = X[10] = l; ROUND_00_15(10,g,h,a,b,c,d,e,f);
 254                 HOST_c2l(data,l); T1 = X[11] = l; ROUND_00_15(11,f,g,h,a,b,c,d,e);
 255                 HOST_c2l(data,l); T1 = X[12] = l; ROUND_00_15(12,e,f,g,h,a,b,c,d);
 256                 HOST_c2l(data,l); T1 = X[13] = l; ROUND_00_15(13,d,e,f,g,h,a,b,c);
 257                 HOST_c2l(data,l); T1 = X[14] = l; ROUND_00_15(14,c,d,e,f,g,h,a,b);
 258                 HOST_c2l(data,l); T1 = X[15] = l; ROUND_00_15(15,b,c,d,e,f,g,h,a);
 259                 }
 260
 261         for (i=16;i<64;i+=8)
 262                 {
 263                 ROUND_16_63(i+0,a,b,c,d,e,f,g,h,X);
 264                 ROUND_16_63(i+1,h,a,b,c,d,e,f,g,X);
 265                 ROUND_16_63(i+2,g,h,a,b,c,d,e,f,X);
 266                 ROUND_16_63(i+3,f,g,h,a,b,c,d,e,X);
 267                 ROUND_16_63(i+4,e,f,g,h,a,b,c,d,X);
 268                 ROUND_16_63(i+5,d,e,f,g,h,a,b,c,X);
 269                 ROUND_16_63(i+6,c,d,e,f,g,h,a,b,X);
 270                 ROUND_16_63(i+7,b,c,d,e,f,g,h,a,X);
 271                 }
 272
 273         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 274         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 275
 276                         }
 277         }
 278
 279 #endif
 280 #endif /* SHA256_ASM */
 281
 282 #endif /* OPENSSL_NO_SHA256 */