1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/sha.h>
58
59 #include <string.h>
60
61 #include <openssl/mem.h>
62
63
64 #if !defined(OPENSSL_NO_ASM) && \
65 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
66 defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
67 #define SHA256_ASM
68 #endif
69
SHA224_Init(SHA256_CTX * sha)70 int SHA224_Init(SHA256_CTX *sha) {
71 memset(sha, 0, sizeof(SHA256_CTX));
72 sha->h[0] = 0xc1059ed8UL;
73 sha->h[1] = 0x367cd507UL;
74 sha->h[2] = 0x3070dd17UL;
75 sha->h[3] = 0xf70e5939UL;
76 sha->h[4] = 0xffc00b31UL;
77 sha->h[5] = 0x68581511UL;
78 sha->h[6] = 0x64f98fa7UL;
79 sha->h[7] = 0xbefa4fa4UL;
80 sha->md_len = SHA224_DIGEST_LENGTH;
81 return 1;
82 }
83
SHA256_Init(SHA256_CTX * sha)84 int SHA256_Init(SHA256_CTX *sha) {
85 memset(sha, 0, sizeof(SHA256_CTX));
86 sha->h[0] = 0x6a09e667UL;
87 sha->h[1] = 0xbb67ae85UL;
88 sha->h[2] = 0x3c6ef372UL;
89 sha->h[3] = 0xa54ff53aUL;
90 sha->h[4] = 0x510e527fUL;
91 sha->h[5] = 0x9b05688cUL;
92 sha->h[6] = 0x1f83d9abUL;
93 sha->h[7] = 0x5be0cd19UL;
94 sha->md_len = SHA256_DIGEST_LENGTH;
95 return 1;
96 }
97
SHA224(const uint8_t * data,size_t len,uint8_t * out)98 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {
99 SHA256_CTX ctx;
100 static uint8_t buf[SHA224_DIGEST_LENGTH];
101
102 /* TODO(fork): remove this static buffer. */
103 if (out == NULL) {
104 out = buf;
105 }
106 SHA224_Init(&ctx);
107 SHA256_Update(&ctx, data, len);
108 SHA256_Final(out, &ctx);
109 OPENSSL_cleanse(&ctx, sizeof(ctx));
110 return out;
111 }
112
SHA256(const uint8_t * data,size_t len,uint8_t * out)113 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {
114 SHA256_CTX ctx;
115 static uint8_t buf[SHA256_DIGEST_LENGTH];
116
117 /* TODO(fork): remove this static buffer. */
118 if (out == NULL) {
119 out = buf;
120 }
121 SHA256_Init(&ctx);
122 SHA256_Update(&ctx, data, len);
123 SHA256_Final(out, &ctx);
124 OPENSSL_cleanse(&ctx, sizeof(ctx));
125 return out;
126 }
127
SHA224_Update(SHA256_CTX * ctx,const void * data,size_t len)128 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
129 return SHA256_Update(ctx, data, len);
130 }
131
SHA224_Final(uint8_t * md,SHA256_CTX * ctx)132 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
133 return SHA256_Final(md, ctx);
134 }
135
136 #define DATA_ORDER_IS_BIG_ENDIAN
137
138 #define HASH_LONG uint32_t
139 #define HASH_CTX SHA256_CTX
140 #define HASH_CBLOCK 64
141
142 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
143 * default: case below covers for it. It's not clear however if it's permitted
144 * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
145 * then default: case shall be extended. For reference. Idea behind separate
146 * cases for pre-defined lenghts is to let the compiler decide if it's
147 * appropriate to unroll small loops.
148 *
149 * TODO(davidben): The small |md_len| case is one of the few places a low-level
150 * hash 'final' function can fail. This should never happen. */
151 #define HASH_MAKE_STRING(c, s) \
152 do { \
153 uint32_t ll; \
154 unsigned int nn; \
155 switch ((c)->md_len) { \
156 case SHA224_DIGEST_LENGTH: \
157 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
158 ll = (c)->h[nn]; \
159 (void) HOST_l2c(ll, (s)); \
160 } \
161 break; \
162 case SHA256_DIGEST_LENGTH: \
163 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
164 ll = (c)->h[nn]; \
165 (void) HOST_l2c(ll, (s)); \
166 } \
167 break; \
168 default: \
169 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
170 return 0; \
171 } \
172 for (nn = 0; nn < (c)->md_len / 4; nn++) { \
173 ll = (c)->h[nn]; \
174 (void) HOST_l2c(ll, (s)); \
175 } \
176 break; \
177 } \
178 } while (0)
179
180
181 #define HASH_UPDATE SHA256_Update
182 #define HASH_TRANSFORM SHA256_Transform
183 #define HASH_FINAL SHA256_Final
184 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
185 #ifndef SHA256_ASM
186 static
187 #endif
188 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
189
190 #include "../digest/md32_common.h"
191
192 #ifndef SHA256_ASM
193 static const HASH_LONG K256[64] = {
194 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
195 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
196 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
197 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
198 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
199 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
200 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
201 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
202 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
203 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
204 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
205 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
206 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
207
208 /* FIPS specification refers to right rotations, while our ROTATE macro
209 * is left one. This is why you might notice that rotation coefficients
210 * differ from those observed in FIPS document by 32-N... */
211 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
212 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
213 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
214 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
215
216 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
217 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
218
219 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
220 do { \
221 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
222 h = Sigma0(a) + Maj(a, b, c); \
223 d += T1; \
224 h += T1; \
225 } while (0)
226
227 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
228 do { \
229 s0 = X[(i + 1) & 0x0f]; \
230 s0 = sigma0(s0); \
231 s1 = X[(i + 14) & 0x0f]; \
232 s1 = sigma1(s1); \
233 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
234 ROUND_00_15(i, a, b, c, d, e, f, g, h); \
235 } while (0)
236
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)237 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
238 size_t num) {
239 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
240 HASH_LONG X[16];
241 int i;
242 const uint8_t *data = in;
243 const union {
244 long one;
245 char little;
246 } is_endian = {1};
247
248 while (num--) {
249 a = ctx->h[0];
250 b = ctx->h[1];
251 c = ctx->h[2];
252 d = ctx->h[3];
253 e = ctx->h[4];
254 f = ctx->h[5];
255 g = ctx->h[6];
256 h = ctx->h[7];
257
258 if (!is_endian.little && sizeof(HASH_LONG) == 4 && ((size_t)in % 4) == 0) {
259 const HASH_LONG *W = (const HASH_LONG *)data;
260
261 T1 = X[0] = W[0];
262 ROUND_00_15(0, a, b, c, d, e, f, g, h);
263 T1 = X[1] = W[1];
264 ROUND_00_15(1, h, a, b, c, d, e, f, g);
265 T1 = X[2] = W[2];
266 ROUND_00_15(2, g, h, a, b, c, d, e, f);
267 T1 = X[3] = W[3];
268 ROUND_00_15(3, f, g, h, a, b, c, d, e);
269 T1 = X[4] = W[4];
270 ROUND_00_15(4, e, f, g, h, a, b, c, d);
271 T1 = X[5] = W[5];
272 ROUND_00_15(5, d, e, f, g, h, a, b, c);
273 T1 = X[6] = W[6];
274 ROUND_00_15(6, c, d, e, f, g, h, a, b);
275 T1 = X[7] = W[7];
276 ROUND_00_15(7, b, c, d, e, f, g, h, a);
277 T1 = X[8] = W[8];
278 ROUND_00_15(8, a, b, c, d, e, f, g, h);
279 T1 = X[9] = W[9];
280 ROUND_00_15(9, h, a, b, c, d, e, f, g);
281 T1 = X[10] = W[10];
282 ROUND_00_15(10, g, h, a, b, c, d, e, f);
283 T1 = X[11] = W[11];
284 ROUND_00_15(11, f, g, h, a, b, c, d, e);
285 T1 = X[12] = W[12];
286 ROUND_00_15(12, e, f, g, h, a, b, c, d);
287 T1 = X[13] = W[13];
288 ROUND_00_15(13, d, e, f, g, h, a, b, c);
289 T1 = X[14] = W[14];
290 ROUND_00_15(14, c, d, e, f, g, h, a, b);
291 T1 = X[15] = W[15];
292 ROUND_00_15(15, b, c, d, e, f, g, h, a);
293
294 data += HASH_CBLOCK;
295 } else {
296 HASH_LONG l;
297
298 HOST_c2l(data, l);
299 T1 = X[0] = l;
300 ROUND_00_15(0, a, b, c, d, e, f, g, h);
301 HOST_c2l(data, l);
302 T1 = X[1] = l;
303 ROUND_00_15(1, h, a, b, c, d, e, f, g);
304 HOST_c2l(data, l);
305 T1 = X[2] = l;
306 ROUND_00_15(2, g, h, a, b, c, d, e, f);
307 HOST_c2l(data, l);
308 T1 = X[3] = l;
309 ROUND_00_15(3, f, g, h, a, b, c, d, e);
310 HOST_c2l(data, l);
311 T1 = X[4] = l;
312 ROUND_00_15(4, e, f, g, h, a, b, c, d);
313 HOST_c2l(data, l);
314 T1 = X[5] = l;
315 ROUND_00_15(5, d, e, f, g, h, a, b, c);
316 HOST_c2l(data, l);
317 T1 = X[6] = l;
318 ROUND_00_15(6, c, d, e, f, g, h, a, b);
319 HOST_c2l(data, l);
320 T1 = X[7] = l;
321 ROUND_00_15(7, b, c, d, e, f, g, h, a);
322 HOST_c2l(data, l);
323 T1 = X[8] = l;
324 ROUND_00_15(8, a, b, c, d, e, f, g, h);
325 HOST_c2l(data, l);
326 T1 = X[9] = l;
327 ROUND_00_15(9, h, a, b, c, d, e, f, g);
328 HOST_c2l(data, l);
329 T1 = X[10] = l;
330 ROUND_00_15(10, g, h, a, b, c, d, e, f);
331 HOST_c2l(data, l);
332 T1 = X[11] = l;
333 ROUND_00_15(11, f, g, h, a, b, c, d, e);
334 HOST_c2l(data, l);
335 T1 = X[12] = l;
336 ROUND_00_15(12, e, f, g, h, a, b, c, d);
337 HOST_c2l(data, l);
338 T1 = X[13] = l;
339 ROUND_00_15(13, d, e, f, g, h, a, b, c);
340 HOST_c2l(data, l);
341 T1 = X[14] = l;
342 ROUND_00_15(14, c, d, e, f, g, h, a, b);
343 HOST_c2l(data, l);
344 T1 = X[15] = l;
345 ROUND_00_15(15, b, c, d, e, f, g, h, a);
346 }
347
348 for (i = 16; i < 64; i += 8) {
349 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
350 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
351 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
352 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
353 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
354 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
355 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
356 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
357 }
358
359 ctx->h[0] += a;
360 ctx->h[1] += b;
361 ctx->h[2] += c;
362 ctx->h[3] += d;
363 ctx->h[4] += e;
364 ctx->h[5] += f;
365 ctx->h[6] += g;
366 ctx->h[7] += h;
367 }
368 }
369
370 #endif /* SHA256_ASM */
371