• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/sha.h>
58 
59 #include <string.h>
60 
61 #include <openssl/mem.h>
62 
63 #include "../../internal.h"
64 
65 
66 #if !defined(OPENSSL_NO_ASM) &&                         \
67     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
68      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
69 #define SHA256_ASM
70 #endif
71 
SHA224_Init(SHA256_CTX * sha)72 int SHA224_Init(SHA256_CTX *sha) {
73   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
74   sha->h[0] = 0xc1059ed8UL;
75   sha->h[1] = 0x367cd507UL;
76   sha->h[2] = 0x3070dd17UL;
77   sha->h[3] = 0xf70e5939UL;
78   sha->h[4] = 0xffc00b31UL;
79   sha->h[5] = 0x68581511UL;
80   sha->h[6] = 0x64f98fa7UL;
81   sha->h[7] = 0xbefa4fa4UL;
82   sha->md_len = SHA224_DIGEST_LENGTH;
83   return 1;
84 }
85 
SHA256_Init(SHA256_CTX * sha)86 int SHA256_Init(SHA256_CTX *sha) {
87   OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
88   sha->h[0] = 0x6a09e667UL;
89   sha->h[1] = 0xbb67ae85UL;
90   sha->h[2] = 0x3c6ef372UL;
91   sha->h[3] = 0xa54ff53aUL;
92   sha->h[4] = 0x510e527fUL;
93   sha->h[5] = 0x9b05688cUL;
94   sha->h[6] = 0x1f83d9abUL;
95   sha->h[7] = 0x5be0cd19UL;
96   sha->md_len = SHA256_DIGEST_LENGTH;
97   return 1;
98 }
99 
SHA224(const uint8_t * data,size_t len,uint8_t * out)100 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {
101   SHA256_CTX ctx;
102   SHA224_Init(&ctx);
103   SHA224_Update(&ctx, data, len);
104   SHA224_Final(out, &ctx);
105   OPENSSL_cleanse(&ctx, sizeof(ctx));
106   return out;
107 }
108 
SHA256(const uint8_t * data,size_t len,uint8_t * out)109 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {
110   SHA256_CTX ctx;
111   SHA256_Init(&ctx);
112   SHA256_Update(&ctx, data, len);
113   SHA256_Final(out, &ctx);
114   OPENSSL_cleanse(&ctx, sizeof(ctx));
115   return out;
116 }
117 
SHA224_Update(SHA256_CTX * ctx,const void * data,size_t len)118 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
119   return SHA256_Update(ctx, data, len);
120 }
121 
SHA224_Final(uint8_t * md,SHA256_CTX * ctx)122 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
123   return SHA256_Final(md, ctx);
124 }
125 
126 #define DATA_ORDER_IS_BIG_ENDIAN
127 
128 #define HASH_CTX SHA256_CTX
129 #define HASH_CBLOCK 64
130 
131 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
132  * default: case below covers for it. It's not clear however if it's permitted
133  * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
134  * then default: case shall be extended. For reference. Idea behind separate
135  * cases for pre-defined lenghts is to let the compiler decide if it's
136  * appropriate to unroll small loops.
137  *
138  * TODO(davidben): The small |md_len| case is one of the few places a low-level
139  * hash 'final' function can fail. This should never happen. */
140 #define HASH_MAKE_STRING(c, s)                              \
141   do {                                                      \
142     uint32_t ll;                                            \
143     unsigned int nn;                                        \
144     switch ((c)->md_len) {                                  \
145       case SHA224_DIGEST_LENGTH:                            \
146         for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
147           ll = (c)->h[nn];                                  \
148           HOST_l2c(ll, (s));                                \
149         }                                                   \
150         break;                                              \
151       case SHA256_DIGEST_LENGTH:                            \
152         for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
153           ll = (c)->h[nn];                                  \
154           HOST_l2c(ll, (s));                                \
155         }                                                   \
156         break;                                              \
157       default:                                              \
158         if ((c)->md_len > SHA256_DIGEST_LENGTH) {           \
159           return 0;                                         \
160         }                                                   \
161         for (nn = 0; nn < (c)->md_len / 4; nn++) {          \
162           ll = (c)->h[nn];                                  \
163           HOST_l2c(ll, (s));                                \
164         }                                                   \
165         break;                                              \
166     }                                                       \
167   } while (0)
168 
169 
170 #define HASH_UPDATE SHA256_Update
171 #define HASH_TRANSFORM SHA256_Transform
172 #define HASH_FINAL SHA256_Final
173 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
174 #ifndef SHA256_ASM
175 static
176 #endif
177 void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num);
178 
179 #include "../digest/md32_common.h"
180 
181 #ifndef SHA256_ASM
182 static const uint32_t K256[64] = {
183     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
184     0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
185     0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
186     0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
187     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
188     0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
189     0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
190     0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
191     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
192     0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
193     0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
194     0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
195     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
196 
197 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
198 
199 /* FIPS specification refers to right rotations, while our ROTATE macro
200  * is left one. This is why you might notice that rotation coefficients
201  * differ from those observed in FIPS document by 32-N... */
202 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
203 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
204 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
205 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
206 
207 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
208 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
209 
210 #define ROUND_00_15(i, a, b, c, d, e, f, g, h)   \
211   do {                                           \
212     T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
213     h = Sigma0(a) + Maj(a, b, c);                \
214     d += T1;                                     \
215     h += T1;                                     \
216   } while (0)
217 
218 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)      \
219   do {                                                 \
220     s0 = X[(i + 1) & 0x0f];                            \
221     s0 = sigma0(s0);                                   \
222     s1 = X[(i + 14) & 0x0f];                           \
223     s1 = sigma1(s1);                                   \
224     T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
225     ROUND_00_15(i, a, b, c, d, e, f, g, h);            \
226   } while (0)
227 
sha256_block_data_order(uint32_t * state,const uint8_t * data,size_t num)228 static void sha256_block_data_order(uint32_t *state, const uint8_t *data,
229                                     size_t num) {
230   uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
231   uint32_t X[16];
232   int i;
233 
234   while (num--) {
235     a = state[0];
236     b = state[1];
237     c = state[2];
238     d = state[3];
239     e = state[4];
240     f = state[5];
241     g = state[6];
242     h = state[7];
243 
244     uint32_t l;
245 
246     HOST_c2l(data, l);
247     T1 = X[0] = l;
248     ROUND_00_15(0, a, b, c, d, e, f, g, h);
249     HOST_c2l(data, l);
250     T1 = X[1] = l;
251     ROUND_00_15(1, h, a, b, c, d, e, f, g);
252     HOST_c2l(data, l);
253     T1 = X[2] = l;
254     ROUND_00_15(2, g, h, a, b, c, d, e, f);
255     HOST_c2l(data, l);
256     T1 = X[3] = l;
257     ROUND_00_15(3, f, g, h, a, b, c, d, e);
258     HOST_c2l(data, l);
259     T1 = X[4] = l;
260     ROUND_00_15(4, e, f, g, h, a, b, c, d);
261     HOST_c2l(data, l);
262     T1 = X[5] = l;
263     ROUND_00_15(5, d, e, f, g, h, a, b, c);
264     HOST_c2l(data, l);
265     T1 = X[6] = l;
266     ROUND_00_15(6, c, d, e, f, g, h, a, b);
267     HOST_c2l(data, l);
268     T1 = X[7] = l;
269     ROUND_00_15(7, b, c, d, e, f, g, h, a);
270     HOST_c2l(data, l);
271     T1 = X[8] = l;
272     ROUND_00_15(8, a, b, c, d, e, f, g, h);
273     HOST_c2l(data, l);
274     T1 = X[9] = l;
275     ROUND_00_15(9, h, a, b, c, d, e, f, g);
276     HOST_c2l(data, l);
277     T1 = X[10] = l;
278     ROUND_00_15(10, g, h, a, b, c, d, e, f);
279     HOST_c2l(data, l);
280     T1 = X[11] = l;
281     ROUND_00_15(11, f, g, h, a, b, c, d, e);
282     HOST_c2l(data, l);
283     T1 = X[12] = l;
284     ROUND_00_15(12, e, f, g, h, a, b, c, d);
285     HOST_c2l(data, l);
286     T1 = X[13] = l;
287     ROUND_00_15(13, d, e, f, g, h, a, b, c);
288     HOST_c2l(data, l);
289     T1 = X[14] = l;
290     ROUND_00_15(14, c, d, e, f, g, h, a, b);
291     HOST_c2l(data, l);
292     T1 = X[15] = l;
293     ROUND_00_15(15, b, c, d, e, f, g, h, a);
294 
295     for (i = 16; i < 64; i += 8) {
296       ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
297       ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
298       ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
299       ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
300       ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
301       ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
302       ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
303       ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
304     }
305 
306     state[0] += a;
307     state[1] += b;
308     state[2] += c;
309     state[3] += d;
310     state[4] += e;
311     state[5] += f;
312     state[6] += g;
313     state[7] += h;
314   }
315 }
316 
317 #endif /* !SHA256_ASM */
318 
319 #undef DATA_ORDER_IS_BIG_ENDIAN
320 #undef HASH_CTX
321 #undef HASH_CBLOCK
322 #undef HASH_MAKE_STRING
323 #undef HASH_UPDATE
324 #undef HASH_TRANSFORM
325 #undef HASH_FINAL
326 #undef HASH_BLOCK_DATA_ORDER
327 #undef ROTATE
328 #undef Sigma0
329 #undef Sigma1
330 #undef sigma0
331 #undef sigma1
332 #undef Ch
333 #undef Maj
334 #undef ROUND_00_15
335 #undef ROUND_16_63
336 #undef HOST_c2l
337 #undef HOST_l2c
338