1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/sha.h>
58
59 #include <string.h>
60
61 #include <openssl/mem.h>
62
63 #include "../internal.h"
64
65
66 #if !defined(OPENSSL_NO_ASM) && \
67 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
68 defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
69 #define SHA256_ASM
70 #endif
71
SHA224_Init(SHA256_CTX * sha)72 int SHA224_Init(SHA256_CTX *sha) {
73 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
74 sha->h[0] = 0xc1059ed8UL;
75 sha->h[1] = 0x367cd507UL;
76 sha->h[2] = 0x3070dd17UL;
77 sha->h[3] = 0xf70e5939UL;
78 sha->h[4] = 0xffc00b31UL;
79 sha->h[5] = 0x68581511UL;
80 sha->h[6] = 0x64f98fa7UL;
81 sha->h[7] = 0xbefa4fa4UL;
82 sha->md_len = SHA224_DIGEST_LENGTH;
83 return 1;
84 }
85
SHA256_Init(SHA256_CTX * sha)86 int SHA256_Init(SHA256_CTX *sha) {
87 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
88 sha->h[0] = 0x6a09e667UL;
89 sha->h[1] = 0xbb67ae85UL;
90 sha->h[2] = 0x3c6ef372UL;
91 sha->h[3] = 0xa54ff53aUL;
92 sha->h[4] = 0x510e527fUL;
93 sha->h[5] = 0x9b05688cUL;
94 sha->h[6] = 0x1f83d9abUL;
95 sha->h[7] = 0x5be0cd19UL;
96 sha->md_len = SHA256_DIGEST_LENGTH;
97 return 1;
98 }
99
SHA224(const uint8_t * data,size_t len,uint8_t * out)100 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {
101 SHA256_CTX ctx;
102 static uint8_t buf[SHA224_DIGEST_LENGTH];
103
104 /* TODO(fork): remove this static buffer. */
105 if (out == NULL) {
106 out = buf;
107 }
108 SHA224_Init(&ctx);
109 SHA224_Update(&ctx, data, len);
110 SHA224_Final(out, &ctx);
111 OPENSSL_cleanse(&ctx, sizeof(ctx));
112 return out;
113 }
114
SHA256(const uint8_t * data,size_t len,uint8_t * out)115 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {
116 SHA256_CTX ctx;
117 static uint8_t buf[SHA256_DIGEST_LENGTH];
118
119 /* TODO(fork): remove this static buffer. */
120 if (out == NULL) {
121 out = buf;
122 }
123 SHA256_Init(&ctx);
124 SHA256_Update(&ctx, data, len);
125 SHA256_Final(out, &ctx);
126 OPENSSL_cleanse(&ctx, sizeof(ctx));
127 return out;
128 }
129
SHA224_Update(SHA256_CTX * ctx,const void * data,size_t len)130 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
131 return SHA256_Update(ctx, data, len);
132 }
133
SHA224_Final(uint8_t * md,SHA256_CTX * ctx)134 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
135 return SHA256_Final(md, ctx);
136 }
137
138 #define DATA_ORDER_IS_BIG_ENDIAN
139
140 #define HASH_CTX SHA256_CTX
141 #define HASH_CBLOCK 64
142
143 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
144 * default: case below covers for it. It's not clear however if it's permitted
145 * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
146 * then default: case shall be extended. For reference. Idea behind separate
147 * cases for pre-defined lenghts is to let the compiler decide if it's
148 * appropriate to unroll small loops.
149 *
150 * TODO(davidben): The small |md_len| case is one of the few places a low-level
151 * hash 'final' function can fail. This should never happen. */
152 #define HASH_MAKE_STRING(c, s) \
153 do { \
154 uint32_t ll; \
155 unsigned int nn; \
156 switch ((c)->md_len) { \
157 case SHA224_DIGEST_LENGTH: \
158 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
159 ll = (c)->h[nn]; \
160 HOST_l2c(ll, (s)); \
161 } \
162 break; \
163 case SHA256_DIGEST_LENGTH: \
164 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
165 ll = (c)->h[nn]; \
166 HOST_l2c(ll, (s)); \
167 } \
168 break; \
169 default: \
170 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
171 return 0; \
172 } \
173 for (nn = 0; nn < (c)->md_len / 4; nn++) { \
174 ll = (c)->h[nn]; \
175 HOST_l2c(ll, (s)); \
176 } \
177 break; \
178 } \
179 } while (0)
180
181
182 #define HASH_UPDATE SHA256_Update
183 #define HASH_TRANSFORM SHA256_Transform
184 #define HASH_FINAL SHA256_Final
185 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
186 #ifndef SHA256_ASM
187 static
188 #endif
189 void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num);
190
191 #include "../digest/md32_common.h"
192
193 #ifndef SHA256_ASM
194 static const uint32_t K256[64] = {
195 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
196 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
197 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
198 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
199 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
200 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
201 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
202 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
203 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
204 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
205 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
206 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
207 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
208
209 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
210
211 /* FIPS specification refers to right rotations, while our ROTATE macro
212 * is left one. This is why you might notice that rotation coefficients
213 * differ from those observed in FIPS document by 32-N... */
214 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
215 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
216 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
217 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
218
219 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
220 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
221
222 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
223 do { \
224 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
225 h = Sigma0(a) + Maj(a, b, c); \
226 d += T1; \
227 h += T1; \
228 } while (0)
229
230 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
231 do { \
232 s0 = X[(i + 1) & 0x0f]; \
233 s0 = sigma0(s0); \
234 s1 = X[(i + 14) & 0x0f]; \
235 s1 = sigma1(s1); \
236 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
237 ROUND_00_15(i, a, b, c, d, e, f, g, h); \
238 } while (0)
239
sha256_block_data_order(uint32_t * state,const uint8_t * data,size_t num)240 static void sha256_block_data_order(uint32_t *state, const uint8_t *data,
241 size_t num) {
242 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
243 uint32_t X[16];
244 int i;
245
246 while (num--) {
247 a = state[0];
248 b = state[1];
249 c = state[2];
250 d = state[3];
251 e = state[4];
252 f = state[5];
253 g = state[6];
254 h = state[7];
255
256 uint32_t l;
257
258 HOST_c2l(data, l);
259 T1 = X[0] = l;
260 ROUND_00_15(0, a, b, c, d, e, f, g, h);
261 HOST_c2l(data, l);
262 T1 = X[1] = l;
263 ROUND_00_15(1, h, a, b, c, d, e, f, g);
264 HOST_c2l(data, l);
265 T1 = X[2] = l;
266 ROUND_00_15(2, g, h, a, b, c, d, e, f);
267 HOST_c2l(data, l);
268 T1 = X[3] = l;
269 ROUND_00_15(3, f, g, h, a, b, c, d, e);
270 HOST_c2l(data, l);
271 T1 = X[4] = l;
272 ROUND_00_15(4, e, f, g, h, a, b, c, d);
273 HOST_c2l(data, l);
274 T1 = X[5] = l;
275 ROUND_00_15(5, d, e, f, g, h, a, b, c);
276 HOST_c2l(data, l);
277 T1 = X[6] = l;
278 ROUND_00_15(6, c, d, e, f, g, h, a, b);
279 HOST_c2l(data, l);
280 T1 = X[7] = l;
281 ROUND_00_15(7, b, c, d, e, f, g, h, a);
282 HOST_c2l(data, l);
283 T1 = X[8] = l;
284 ROUND_00_15(8, a, b, c, d, e, f, g, h);
285 HOST_c2l(data, l);
286 T1 = X[9] = l;
287 ROUND_00_15(9, h, a, b, c, d, e, f, g);
288 HOST_c2l(data, l);
289 T1 = X[10] = l;
290 ROUND_00_15(10, g, h, a, b, c, d, e, f);
291 HOST_c2l(data, l);
292 T1 = X[11] = l;
293 ROUND_00_15(11, f, g, h, a, b, c, d, e);
294 HOST_c2l(data, l);
295 T1 = X[12] = l;
296 ROUND_00_15(12, e, f, g, h, a, b, c, d);
297 HOST_c2l(data, l);
298 T1 = X[13] = l;
299 ROUND_00_15(13, d, e, f, g, h, a, b, c);
300 HOST_c2l(data, l);
301 T1 = X[14] = l;
302 ROUND_00_15(14, c, d, e, f, g, h, a, b);
303 HOST_c2l(data, l);
304 T1 = X[15] = l;
305 ROUND_00_15(15, b, c, d, e, f, g, h, a);
306
307 for (i = 16; i < 64; i += 8) {
308 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
309 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
310 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
311 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
312 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
313 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
314 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
315 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
316 }
317
318 state[0] += a;
319 state[1] += b;
320 state[2] += c;
321 state[3] += d;
322 state[4] += e;
323 state[5] += f;
324 state[6] += g;
325 state[7] += h;
326 }
327 }
328
329 #endif /* SHA256_ASM */
330