kris
/
boringssl
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
5554 Incheckningar
12 Grenar
38 MiB
 
 
 
 
 
 
Träd: 045ee41928
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '045ee41928'
${ noResults }
boringssl/crypto/fipsmodule/sha/sha256.c

343 rader
12 KiB
Blame Historik 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/sha.h>

  58. 

  59. #include <string.h>

  60. 

  61. #include <openssl/mem.h>

  62. 

  63. #include "../../internal.h"

  64. 

  65. 

  66. #if !defined(OPENSSL_NO_ASM) &&                         \

  67.     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \

  68.      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))

  69. #define SHA256_ASM

  70. #endif

  71. 

  72. int SHA224_Init(SHA256_CTX *sha) {

  73.   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));

  74.   sha->h[0] = 0xc1059ed8UL;

  75.   sha->h[1] = 0x367cd507UL;

  76.   sha->h[2] = 0x3070dd17UL;

  77.   sha->h[3] = 0xf70e5939UL;

  78.   sha->h[4] = 0xffc00b31UL;

  79.   sha->h[5] = 0x68581511UL;

  80.   sha->h[6] = 0x64f98fa7UL;

  81.   sha->h[7] = 0xbefa4fa4UL;

  82.   sha->md_len = SHA224_DIGEST_LENGTH;

  83.   return 1;

  84. }

  85. 

  86. int SHA256_Init(SHA256_CTX *sha) {

  87.   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));

  88.   sha->h[0] = 0x6a09e667UL;

  89.   sha->h[1] = 0xbb67ae85UL;

  90.   sha->h[2] = 0x3c6ef372UL;

  91.   sha->h[3] = 0xa54ff53aUL;

  92.   sha->h[4] = 0x510e527fUL;

  93.   sha->h[5] = 0x9b05688cUL;

  94.   sha->h[6] = 0x1f83d9abUL;

  95.   sha->h[7] = 0x5be0cd19UL;

  96.   sha->md_len = SHA256_DIGEST_LENGTH;

  97.   return 1;

  98. }

  99. 

  100. uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {

  101.   SHA256_CTX ctx;

  102.   SHA224_Init(&ctx);

  103.   SHA224_Update(&ctx, data, len);

  104.   SHA224_Final(out, &ctx);

  105.   OPENSSL_cleanse(&ctx, sizeof(ctx));

  106.   return out;

  107. }

  108. 

  109. uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {

  110.   SHA256_CTX ctx;

  111.   SHA256_Init(&ctx);

  112.   SHA256_Update(&ctx, data, len);

  113.   SHA256_Final(out, &ctx);

  114.   OPENSSL_cleanse(&ctx, sizeof(ctx));

  115.   return out;

  116. }

  117. 

  118. int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {

  119.   return SHA256_Update(ctx, data, len);

  120. }

  121. 

  122. int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {

  123.   return SHA256_Final(md, ctx);

  124. }

  125. 

  126. #define DATA_ORDER_IS_BIG_ENDIAN

  127. 

  128. #define HASH_CTX SHA256_CTX

  129. #define HASH_CBLOCK 64

  130. 

  131. // Note that FIPS180-2 discusses "Truncation of the Hash Function Output."

  132. // default: case below covers for it. It's not clear however if it's permitted

  133. // to truncate to amount of bytes not divisible by 4. I bet not, but if it is,

  134. // then default: case shall be extended. For reference. Idea behind separate

  135. // cases for pre-defined lenghts is to let the compiler decide if it's

  136. // appropriate to unroll small loops.

  137. //

  138. // TODO(davidben): The small |md_len| case is one of the few places a low-level

  139. // hash 'final' function can fail. This should never happen.

  140. #define HASH_MAKE_STRING(c, s)                              \

  141.   do {                                                      \

  142.     uint32_t ll;                                            \

  143.     unsigned int nn;                                        \

  144.     switch ((c)->md_len) {                                  \

  145.       case SHA224_DIGEST_LENGTH:                            \

  146.         for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \

  147.           ll = (c)->h[nn];                                  \

  148.           HOST_l2c(ll, (s));                                \

  149.         }                                                   \

  150.         break;                                              \

  151.       case SHA256_DIGEST_LENGTH:                            \

  152.         for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \

  153.           ll = (c)->h[nn];                                  \

  154.           HOST_l2c(ll, (s));                                \

  155.         }                                                   \

  156.         break;                                              \

  157.       default:                                              \

  158.         if ((c)->md_len > SHA256_DIGEST_LENGTH) {           \

  159.           return 0;                                         \

  160.         }                                                   \

  161.         for (nn = 0; nn < (c)->md_len / 4; nn++) {          \

  162.           ll = (c)->h[nn];                                  \

  163.           HOST_l2c(ll, (s));                                \

  164.         }                                                   \

  165.         break;                                              \

  166.     }                                                       \

  167.   } while (0)

  168. 

  169. 

  170. #define HASH_UPDATE SHA256_Update

  171. #define HASH_TRANSFORM SHA256_Transform

  172. #define HASH_FINAL SHA256_Final

  173. #define HASH_BLOCK_DATA_ORDER sha256_block_data_order

  174. #ifndef SHA256_ASM

  175. static

  176. #endif

  177. void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num);

  178. 

  179. #include "../digest/md32_common.h"

  180. 

  181. #ifndef SHA256_ASM

  182. static const uint32_t K256[64] = {

  183.     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,

  184.     0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,

  185.     0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,

  186.     0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,

  187.     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,

  188.     0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,

  189.     0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,

  190.     0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,

  191.     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,

  192.     0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,

  193.     0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,

  194.     0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,

  195.     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};

  196. 

  197. #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))

  198. 

  199. // FIPS specification refers to right rotations, while our ROTATE macro

  200. // is left one. This is why you might notice that rotation coefficients

  201. // differ from those observed in FIPS document by 32-N...

  202. #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))

  203. #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))

  204. #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))

  205. #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))

  206. 

  207. #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))

  208. #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

  209. 

  210. #define ROUND_00_15(i, a, b, c, d, e, f, g, h)   \

  211.   do {                                           \

  212.     T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \

  213.     h = Sigma0(a) + Maj(a, b, c);                \

  214.     d += T1;                                     \

  215.     h += T1;                                     \

  216.   } while (0)

  217. 

  218. #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)      \

  219.   do {                                                 \

  220.     s0 = X[(i + 1) & 0x0f];                            \

  221.     s0 = sigma0(s0);                                   \

  222.     s1 = X[(i + 14) & 0x0f];                           \

  223.     s1 = sigma1(s1);                                   \

  224.     T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \

  225.     ROUND_00_15(i, a, b, c, d, e, f, g, h);            \

  226.   } while (0)

  227. 

  228. static void sha256_block_data_order(uint32_t *state, const uint8_t *data,

  229.                                     size_t num) {

  230.   uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;

  231.   uint32_t X[16];

  232.   int i;

  233. 

  234.   while (num--) {

  235.     a = state[0];

  236.     b = state[1];

  237.     c = state[2];

  238.     d = state[3];

  239.     e = state[4];

  240.     f = state[5];

  241.     g = state[6];

  242.     h = state[7];

  243. 

  244.     uint32_t l;

  245. 

  246.     HOST_c2l(data, l);

  247.     T1 = X[0] = l;

  248.     ROUND_00_15(0, a, b, c, d, e, f, g, h);

  249.     HOST_c2l(data, l);

  250.     T1 = X[1] = l;

  251.     ROUND_00_15(1, h, a, b, c, d, e, f, g);

  252.     HOST_c2l(data, l);

  253.     T1 = X[2] = l;

  254.     ROUND_00_15(2, g, h, a, b, c, d, e, f);

  255.     HOST_c2l(data, l);

  256.     T1 = X[3] = l;

  257.     ROUND_00_15(3, f, g, h, a, b, c, d, e);

  258.     HOST_c2l(data, l);

  259.     T1 = X[4] = l;

  260.     ROUND_00_15(4, e, f, g, h, a, b, c, d);

  261.     HOST_c2l(data, l);

  262.     T1 = X[5] = l;

  263.     ROUND_00_15(5, d, e, f, g, h, a, b, c);

  264.     HOST_c2l(data, l);

  265.     T1 = X[6] = l;

  266.     ROUND_00_15(6, c, d, e, f, g, h, a, b);

  267.     HOST_c2l(data, l);

  268.     T1 = X[7] = l;

  269.     ROUND_00_15(7, b, c, d, e, f, g, h, a);

  270.     HOST_c2l(data, l);

  271.     T1 = X[8] = l;

  272.     ROUND_00_15(8, a, b, c, d, e, f, g, h);

  273.     HOST_c2l(data, l);

  274.     T1 = X[9] = l;

  275.     ROUND_00_15(9, h, a, b, c, d, e, f, g);

  276.     HOST_c2l(data, l);

  277.     T1 = X[10] = l;

  278.     ROUND_00_15(10, g, h, a, b, c, d, e, f);

  279.     HOST_c2l(data, l);

  280.     T1 = X[11] = l;

  281.     ROUND_00_15(11, f, g, h, a, b, c, d, e);

  282.     HOST_c2l(data, l);

  283.     T1 = X[12] = l;

  284.     ROUND_00_15(12, e, f, g, h, a, b, c, d);

  285.     HOST_c2l(data, l);

  286.     T1 = X[13] = l;

  287.     ROUND_00_15(13, d, e, f, g, h, a, b, c);

  288.     HOST_c2l(data, l);

  289.     T1 = X[14] = l;

  290.     ROUND_00_15(14, c, d, e, f, g, h, a, b);

  291.     HOST_c2l(data, l);

  292.     T1 = X[15] = l;

  293.     ROUND_00_15(15, b, c, d, e, f, g, h, a);

  294. 

  295.     for (i = 16; i < 64; i += 8) {

  296.       ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);

  297.       ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);

  298.       ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);

  299.       ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);

  300.       ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);

  301.       ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);

  302.       ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);

  303.       ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);

  304.     }

  305. 

  306.     state[0] += a;

  307.     state[1] += b;

  308.     state[2] += c;

  309.     state[3] += d;

  310.     state[4] += e;

  311.     state[5] += f;

  312.     state[6] += g;

  313.     state[7] += h;

  314.   }

  315. }

  316. 

  317. #endif  // !SHA256_ASM

  318. 

  319. void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,

  320.                             size_t num_blocks) {

  321.   sha256_block_data_order(state, data, num_blocks);

  322. }

  323. 

  324. #undef DATA_ORDER_IS_BIG_ENDIAN

  325. #undef HASH_CTX

  326. #undef HASH_CBLOCK

  327. #undef HASH_MAKE_STRING

  328. #undef HASH_UPDATE

  329. #undef HASH_TRANSFORM

  330. #undef HASH_FINAL

  331. #undef HASH_BLOCK_DATA_ORDER

  332. #undef ROTATE

  333. #undef Sigma0

  334. #undef Sigma1

  335. #undef sigma0

  336. #undef sigma1

  337. #undef Ch

  338. #undef Maj

  339. #undef ROUND_00_15

  340. #undef ROUND_16_63

  341. #undef HOST_c2l

  342. #undef HOST_l2c