1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/sha.h> 58 59 #include <string.h> 60 61 #include <openssl/mem.h> 62 63 64 #if !defined(OPENSSL_NO_ASM) && \ 65 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || defined(OPENSSL_ARM)) 66 #define SHA256_ASM 67 #endif 68 69 int SHA224_Init(SHA256_CTX *sha) { 70 memset(sha, 0, sizeof(SHA256_CTX)); 71 sha->h[0] = 0xc1059ed8UL; 72 sha->h[1] = 0x367cd507UL; 73 sha->h[2] = 0x3070dd17UL; 74 sha->h[3] = 0xf70e5939UL; 75 sha->h[4] = 0xffc00b31UL; 76 sha->h[5] = 0x68581511UL; 77 sha->h[6] = 0x64f98fa7UL; 78 sha->h[7] = 0xbefa4fa4UL; 79 sha->md_len = SHA224_DIGEST_LENGTH; 80 return 1; 81 } 82 83 int SHA256_Init(SHA256_CTX *sha) { 84 memset(sha, 0, sizeof(SHA256_CTX)); 85 sha->h[0] = 0x6a09e667UL; 86 sha->h[1] = 0xbb67ae85UL; 87 sha->h[2] = 0x3c6ef372UL; 88 sha->h[3] = 0xa54ff53aUL; 89 sha->h[4] = 0x510e527fUL; 90 sha->h[5] = 0x9b05688cUL; 91 sha->h[6] = 0x1f83d9abUL; 92 sha->h[7] = 0x5be0cd19UL; 93 sha->md_len = SHA256_DIGEST_LENGTH; 94 return 1; 95 } 96 97 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) { 98 SHA256_CTX ctx; 99 static uint8_t buf[SHA224_DIGEST_LENGTH]; 100 101 /* TODO(fork): remove this static buffer. */ 102 if (out == NULL) { 103 out = buf; 104 } 105 SHA224_Init(&ctx); 106 SHA256_Update(&ctx, data, len); 107 SHA256_Final(out, &ctx); 108 OPENSSL_cleanse(&ctx, sizeof(ctx)); 109 return out; 110 } 111 112 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) { 113 SHA256_CTX ctx; 114 static uint8_t buf[SHA256_DIGEST_LENGTH]; 115 116 /* TODO(fork): remove this static buffer. */ 117 if (out == NULL) { 118 out = buf; 119 } 120 SHA256_Init(&ctx); 121 SHA256_Update(&ctx, data, len); 122 SHA256_Final(out, &ctx); 123 OPENSSL_cleanse(&ctx, sizeof(ctx)); 124 return out; 125 } 126 127 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { 128 return SHA256_Update(ctx, data, len); 129 } 130 131 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) { 132 return SHA256_Final(md, ctx); 133 } 134 135 #define DATA_ORDER_IS_BIG_ENDIAN 136 137 #define HASH_LONG uint32_t 138 #define HASH_CTX SHA256_CTX 139 #define HASH_CBLOCK 64 140 141 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 142 * default: case below covers for it. It's not clear however if it's permitted 143 * to truncate to amount of bytes not divisible by 4. I bet not, but if it is, 144 * then default: case shall be extended. For reference. Idea behind separate 145 * cases for pre-defined lenghts is to let the compiler decide if it's 146 * appropriate to unroll small loops. */ 147 #define HASH_MAKE_STRING(c, s) \ 148 do { \ 149 unsigned long ll; \ 150 unsigned int nn; \ 151 switch ((c)->md_len) { \ 152 case SHA224_DIGEST_LENGTH: \ 153 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ 154 ll = (c)->h[nn]; \ 155 (void) HOST_l2c(ll, (s)); \ 156 } \ 157 break; \ 158 case SHA256_DIGEST_LENGTH: \ 159 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ 160 ll = (c)->h[nn]; \ 161 (void) HOST_l2c(ll, (s)); \ 162 } \ 163 break; \ 164 default: \ 165 if ((c)->md_len > SHA256_DIGEST_LENGTH) \ 166 return 0; \ 167 for (nn = 0; nn < (c)->md_len / 4; nn++) { \ 168 ll = (c)->h[nn]; \ 169 (void) HOST_l2c(ll, (s)); \ 170 } \ 171 break; \ 172 } \ 173 } while (0) 174 175 176 #define HASH_UPDATE SHA256_Update 177 #define HASH_TRANSFORM SHA256_Transform 178 #define HASH_FINAL SHA256_Final 179 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order 180 #ifndef SHA256_ASM 181 static 182 #endif 183 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); 184 185 #include "../digest/md32_common.h" 186 187 #ifndef SHA256_ASM 188 static const HASH_LONG K256[64] = { 189 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 190 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 191 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 192 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 193 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 194 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 195 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 196 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 197 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 198 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 199 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 200 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 201 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL}; 202 203 /* FIPS specification refers to right rotations, while our ROTATE macro 204 * is left one. This is why you might notice that rotation coefficients 205 * differ from those observed in FIPS document by 32-N... */ 206 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10)) 207 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7)) 208 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3)) 209 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10)) 210 211 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) 212 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 213 214 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \ 215 do { \ 216 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \ 217 h = Sigma0(a) + Maj(a, b, c); \ 218 d += T1; \ 219 h += T1; \ 220 } while (0) 221 222 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ 223 do { \ 224 s0 = X[(i + 1) & 0x0f]; \ 225 s0 = sigma0(s0); \ 226 s1 = X[(i + 14) & 0x0f]; \ 227 s1 = sigma1(s1); \ 228 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ 229 ROUND_00_15(i, a, b, c, d, e, f, g, h); \ 230 } while (0) 231 232 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 233 size_t num) { 234 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; 235 HASH_LONG X[16]; 236 int i; 237 const uint8_t *data = in; 238 const union { 239 long one; 240 char little; 241 } is_endian = {1}; 242 243 while (num--) { 244 a = ctx->h[0]; 245 b = ctx->h[1]; 246 c = ctx->h[2]; 247 d = ctx->h[3]; 248 e = ctx->h[4]; 249 f = ctx->h[5]; 250 g = ctx->h[6]; 251 h = ctx->h[7]; 252 253 if (!is_endian.little && sizeof(HASH_LONG) == 4 && ((size_t)in % 4) == 0) { 254 const HASH_LONG *W = (const HASH_LONG *)data; 255 256 T1 = X[0] = W[0]; 257 ROUND_00_15(0, a, b, c, d, e, f, g, h); 258 T1 = X[1] = W[1]; 259 ROUND_00_15(1, h, a, b, c, d, e, f, g); 260 T1 = X[2] = W[2]; 261 ROUND_00_15(2, g, h, a, b, c, d, e, f); 262 T1 = X[3] = W[3]; 263 ROUND_00_15(3, f, g, h, a, b, c, d, e); 264 T1 = X[4] = W[4]; 265 ROUND_00_15(4, e, f, g, h, a, b, c, d); 266 T1 = X[5] = W[5]; 267 ROUND_00_15(5, d, e, f, g, h, a, b, c); 268 T1 = X[6] = W[6]; 269 ROUND_00_15(6, c, d, e, f, g, h, a, b); 270 T1 = X[7] = W[7]; 271 ROUND_00_15(7, b, c, d, e, f, g, h, a); 272 T1 = X[8] = W[8]; 273 ROUND_00_15(8, a, b, c, d, e, f, g, h); 274 T1 = X[9] = W[9]; 275 ROUND_00_15(9, h, a, b, c, d, e, f, g); 276 T1 = X[10] = W[10]; 277 ROUND_00_15(10, g, h, a, b, c, d, e, f); 278 T1 = X[11] = W[11]; 279 ROUND_00_15(11, f, g, h, a, b, c, d, e); 280 T1 = X[12] = W[12]; 281 ROUND_00_15(12, e, f, g, h, a, b, c, d); 282 T1 = X[13] = W[13]; 283 ROUND_00_15(13, d, e, f, g, h, a, b, c); 284 T1 = X[14] = W[14]; 285 ROUND_00_15(14, c, d, e, f, g, h, a, b); 286 T1 = X[15] = W[15]; 287 ROUND_00_15(15, b, c, d, e, f, g, h, a); 288 289 data += HASH_CBLOCK; 290 } else { 291 HASH_LONG l; 292 293 HOST_c2l(data, l); 294 T1 = X[0] = l; 295 ROUND_00_15(0, a, b, c, d, e, f, g, h); 296 HOST_c2l(data, l); 297 T1 = X[1] = l; 298 ROUND_00_15(1, h, a, b, c, d, e, f, g); 299 HOST_c2l(data, l); 300 T1 = X[2] = l; 301 ROUND_00_15(2, g, h, a, b, c, d, e, f); 302 HOST_c2l(data, l); 303 T1 = X[3] = l; 304 ROUND_00_15(3, f, g, h, a, b, c, d, e); 305 HOST_c2l(data, l); 306 T1 = X[4] = l; 307 ROUND_00_15(4, e, f, g, h, a, b, c, d); 308 HOST_c2l(data, l); 309 T1 = X[5] = l; 310 ROUND_00_15(5, d, e, f, g, h, a, b, c); 311 HOST_c2l(data, l); 312 T1 = X[6] = l; 313 ROUND_00_15(6, c, d, e, f, g, h, a, b); 314 HOST_c2l(data, l); 315 T1 = X[7] = l; 316 ROUND_00_15(7, b, c, d, e, f, g, h, a); 317 HOST_c2l(data, l); 318 T1 = X[8] = l; 319 ROUND_00_15(8, a, b, c, d, e, f, g, h); 320 HOST_c2l(data, l); 321 T1 = X[9] = l; 322 ROUND_00_15(9, h, a, b, c, d, e, f, g); 323 HOST_c2l(data, l); 324 T1 = X[10] = l; 325 ROUND_00_15(10, g, h, a, b, c, d, e, f); 326 HOST_c2l(data, l); 327 T1 = X[11] = l; 328 ROUND_00_15(11, f, g, h, a, b, c, d, e); 329 HOST_c2l(data, l); 330 T1 = X[12] = l; 331 ROUND_00_15(12, e, f, g, h, a, b, c, d); 332 HOST_c2l(data, l); 333 T1 = X[13] = l; 334 ROUND_00_15(13, d, e, f, g, h, a, b, c); 335 HOST_c2l(data, l); 336 T1 = X[14] = l; 337 ROUND_00_15(14, c, d, e, f, g, h, a, b); 338 HOST_c2l(data, l); 339 T1 = X[15] = l; 340 ROUND_00_15(15, b, c, d, e, f, g, h, a); 341 } 342 343 for (i = 16; i < 64; i += 8) { 344 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 345 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 346 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 347 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 348 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 349 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 350 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 351 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 352 } 353 354 ctx->h[0] += a; 355 ctx->h[1] += b; 356 ctx->h[2] += c; 357 ctx->h[3] += d; 358 ctx->h[4] += e; 359 ctx->h[5] += f; 360 ctx->h[6] += g; 361 ctx->h[7] += h; 362 } 363 } 364 365 #endif /* SHA256_ASM */ 366