1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/sha.h>
58
59 #include <string.h>
60
61 #include <openssl/mem.h>
62
63 #include "internal.h"
64 #include "../../internal.h"
65
66
SHA224_Init(SHA256_CTX * sha)67 int SHA224_Init(SHA256_CTX *sha) {
68 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
69 sha->h[0] = 0xc1059ed8UL;
70 sha->h[1] = 0x367cd507UL;
71 sha->h[2] = 0x3070dd17UL;
72 sha->h[3] = 0xf70e5939UL;
73 sha->h[4] = 0xffc00b31UL;
74 sha->h[5] = 0x68581511UL;
75 sha->h[6] = 0x64f98fa7UL;
76 sha->h[7] = 0xbefa4fa4UL;
77 sha->md_len = SHA224_DIGEST_LENGTH;
78 return 1;
79 }
80
SHA256_Init(SHA256_CTX * sha)81 int SHA256_Init(SHA256_CTX *sha) {
82 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
83 sha->h[0] = 0x6a09e667UL;
84 sha->h[1] = 0xbb67ae85UL;
85 sha->h[2] = 0x3c6ef372UL;
86 sha->h[3] = 0xa54ff53aUL;
87 sha->h[4] = 0x510e527fUL;
88 sha->h[5] = 0x9b05688cUL;
89 sha->h[6] = 0x1f83d9abUL;
90 sha->h[7] = 0x5be0cd19UL;
91 sha->md_len = SHA256_DIGEST_LENGTH;
92 return 1;
93 }
94
SHA224(const uint8_t * data,size_t len,uint8_t * out)95 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {
96 SHA256_CTX ctx;
97 SHA224_Init(&ctx);
98 SHA224_Update(&ctx, data, len);
99 SHA224_Final(out, &ctx);
100 OPENSSL_cleanse(&ctx, sizeof(ctx));
101 return out;
102 }
103
SHA256(const uint8_t * data,size_t len,uint8_t * out)104 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {
105 SHA256_CTX ctx;
106 SHA256_Init(&ctx);
107 SHA256_Update(&ctx, data, len);
108 SHA256_Final(out, &ctx);
109 OPENSSL_cleanse(&ctx, sizeof(ctx));
110 return out;
111 }
112
SHA224_Update(SHA256_CTX * ctx,const void * data,size_t len)113 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
114 return SHA256_Update(ctx, data, len);
115 }
116
SHA224_Final(uint8_t * md,SHA256_CTX * ctx)117 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
118 return SHA256_Final(md, ctx);
119 }
120
121 #define DATA_ORDER_IS_BIG_ENDIAN
122
123 #define HASH_CTX SHA256_CTX
124 #define HASH_CBLOCK 64
125
126 // Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
127 // default: case below covers for it. It's not clear however if it's permitted
128 // to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
129 // then default: case shall be extended. For reference. Idea behind separate
130 // cases for pre-defined lenghts is to let the compiler decide if it's
131 // appropriate to unroll small loops.
132 //
133 // TODO(davidben): The small |md_len| case is one of the few places a low-level
134 // hash 'final' function can fail. This should never happen.
135 #define HASH_MAKE_STRING(c, s) \
136 do { \
137 uint32_t ll; \
138 unsigned int nn; \
139 switch ((c)->md_len) { \
140 case SHA224_DIGEST_LENGTH: \
141 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
142 ll = (c)->h[nn]; \
143 HOST_l2c(ll, (s)); \
144 } \
145 break; \
146 case SHA256_DIGEST_LENGTH: \
147 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
148 ll = (c)->h[nn]; \
149 HOST_l2c(ll, (s)); \
150 } \
151 break; \
152 default: \
153 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
154 return 0; \
155 } \
156 for (nn = 0; nn < (c)->md_len / 4; nn++) { \
157 ll = (c)->h[nn]; \
158 HOST_l2c(ll, (s)); \
159 } \
160 break; \
161 } \
162 } while (0)
163
164
165 #define HASH_UPDATE SHA256_Update
166 #define HASH_TRANSFORM SHA256_Transform
167 #define HASH_FINAL SHA256_Final
168 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
169 #ifndef SHA256_ASM
170 static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
171 size_t num);
172 #endif
173
174 #include "../digest/md32_common.h"
175
176 #ifndef SHA256_ASM
177 static const uint32_t K256[64] = {
178 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
179 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
180 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
181 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
182 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
183 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
184 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
185 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
186 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
187 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
188 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
189 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
190 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
191
192 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
193
194 // FIPS specification refers to right rotations, while our ROTATE macro
195 // is left one. This is why you might notice that rotation coefficients
196 // differ from those observed in FIPS document by 32-N...
197 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
198 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
199 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
200 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
201
202 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
203 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
204
205 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
206 do { \
207 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
208 h = Sigma0(a) + Maj(a, b, c); \
209 d += T1; \
210 h += T1; \
211 } while (0)
212
213 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
214 do { \
215 s0 = X[(i + 1) & 0x0f]; \
216 s0 = sigma0(s0); \
217 s1 = X[(i + 14) & 0x0f]; \
218 s1 = sigma1(s1); \
219 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
220 ROUND_00_15(i, a, b, c, d, e, f, g, h); \
221 } while (0)
222
sha256_block_data_order(uint32_t * state,const uint8_t * data,size_t num)223 static void sha256_block_data_order(uint32_t *state, const uint8_t *data,
224 size_t num) {
225 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
226 uint32_t X[16];
227 int i;
228
229 while (num--) {
230 a = state[0];
231 b = state[1];
232 c = state[2];
233 d = state[3];
234 e = state[4];
235 f = state[5];
236 g = state[6];
237 h = state[7];
238
239 uint32_t l;
240
241 HOST_c2l(data, l);
242 T1 = X[0] = l;
243 ROUND_00_15(0, a, b, c, d, e, f, g, h);
244 HOST_c2l(data, l);
245 T1 = X[1] = l;
246 ROUND_00_15(1, h, a, b, c, d, e, f, g);
247 HOST_c2l(data, l);
248 T1 = X[2] = l;
249 ROUND_00_15(2, g, h, a, b, c, d, e, f);
250 HOST_c2l(data, l);
251 T1 = X[3] = l;
252 ROUND_00_15(3, f, g, h, a, b, c, d, e);
253 HOST_c2l(data, l);
254 T1 = X[4] = l;
255 ROUND_00_15(4, e, f, g, h, a, b, c, d);
256 HOST_c2l(data, l);
257 T1 = X[5] = l;
258 ROUND_00_15(5, d, e, f, g, h, a, b, c);
259 HOST_c2l(data, l);
260 T1 = X[6] = l;
261 ROUND_00_15(6, c, d, e, f, g, h, a, b);
262 HOST_c2l(data, l);
263 T1 = X[7] = l;
264 ROUND_00_15(7, b, c, d, e, f, g, h, a);
265 HOST_c2l(data, l);
266 T1 = X[8] = l;
267 ROUND_00_15(8, a, b, c, d, e, f, g, h);
268 HOST_c2l(data, l);
269 T1 = X[9] = l;
270 ROUND_00_15(9, h, a, b, c, d, e, f, g);
271 HOST_c2l(data, l);
272 T1 = X[10] = l;
273 ROUND_00_15(10, g, h, a, b, c, d, e, f);
274 HOST_c2l(data, l);
275 T1 = X[11] = l;
276 ROUND_00_15(11, f, g, h, a, b, c, d, e);
277 HOST_c2l(data, l);
278 T1 = X[12] = l;
279 ROUND_00_15(12, e, f, g, h, a, b, c, d);
280 HOST_c2l(data, l);
281 T1 = X[13] = l;
282 ROUND_00_15(13, d, e, f, g, h, a, b, c);
283 HOST_c2l(data, l);
284 T1 = X[14] = l;
285 ROUND_00_15(14, c, d, e, f, g, h, a, b);
286 HOST_c2l(data, l);
287 T1 = X[15] = l;
288 ROUND_00_15(15, b, c, d, e, f, g, h, a);
289
290 for (i = 16; i < 64; i += 8) {
291 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
292 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
293 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
294 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
295 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
296 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
297 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
298 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
299 }
300
301 state[0] += a;
302 state[1] += b;
303 state[2] += c;
304 state[3] += d;
305 state[4] += e;
306 state[5] += f;
307 state[6] += g;
308 state[7] += h;
309 }
310 }
311
312 #endif // !SHA256_ASM
313
SHA256_TransformBlocks(uint32_t state[8],const uint8_t * data,size_t num_blocks)314 void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
315 size_t num_blocks) {
316 sha256_block_data_order(state, data, num_blocks);
317 }
318
319 #undef DATA_ORDER_IS_BIG_ENDIAN
320 #undef HASH_CTX
321 #undef HASH_CBLOCK
322 #undef HASH_MAKE_STRING
323 #undef HASH_UPDATE
324 #undef HASH_TRANSFORM
325 #undef HASH_FINAL
326 #undef HASH_BLOCK_DATA_ORDER
327 #undef ROTATE
328 #undef Sigma0
329 #undef Sigma1
330 #undef sigma0
331 #undef sigma1
332 #undef Ch
333 #undef Maj
334 #undef ROUND_00_15
335 #undef ROUND_16_63
336 #undef HOST_c2l
337 #undef HOST_l2c
338