1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/sha.h> 58 59 #include <string.h> 60 61 #include <openssl/mem.h> 62 63 64 #if !defined(OPENSSL_NO_ASM) && \ 65 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ 66 defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) 67 #define SHA256_ASM 68 #endif 69 70 int SHA224_Init(SHA256_CTX *sha) { 71 memset(sha, 0, sizeof(SHA256_CTX)); 72 sha->h[0] = 0xc1059ed8UL; 73 sha->h[1] = 0x367cd507UL; 74 sha->h[2] = 0x3070dd17UL; 75 sha->h[3] = 0xf70e5939UL; 76 sha->h[4] = 0xffc00b31UL; 77 sha->h[5] = 0x68581511UL; 78 sha->h[6] = 0x64f98fa7UL; 79 sha->h[7] = 0xbefa4fa4UL; 80 sha->md_len = SHA224_DIGEST_LENGTH; 81 return 1; 82 } 83 84 int SHA256_Init(SHA256_CTX *sha) { 85 memset(sha, 0, sizeof(SHA256_CTX)); 86 sha->h[0] = 0x6a09e667UL; 87 sha->h[1] = 0xbb67ae85UL; 88 sha->h[2] = 0x3c6ef372UL; 89 sha->h[3] = 0xa54ff53aUL; 90 sha->h[4] = 0x510e527fUL; 91 sha->h[5] = 0x9b05688cUL; 92 sha->h[6] = 0x1f83d9abUL; 93 sha->h[7] = 0x5be0cd19UL; 94 sha->md_len = SHA256_DIGEST_LENGTH; 95 return 1; 96 } 97 98 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) { 99 SHA256_CTX ctx; 100 static uint8_t buf[SHA224_DIGEST_LENGTH]; 101 102 /* TODO(fork): remove this static buffer. */ 103 if (out == NULL) { 104 out = buf; 105 } 106 SHA224_Init(&ctx); 107 SHA256_Update(&ctx, data, len); 108 SHA256_Final(out, &ctx); 109 OPENSSL_cleanse(&ctx, sizeof(ctx)); 110 return out; 111 } 112 113 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) { 114 SHA256_CTX ctx; 115 static uint8_t buf[SHA256_DIGEST_LENGTH]; 116 117 /* TODO(fork): remove this static buffer. */ 118 if (out == NULL) { 119 out = buf; 120 } 121 SHA256_Init(&ctx); 122 SHA256_Update(&ctx, data, len); 123 SHA256_Final(out, &ctx); 124 OPENSSL_cleanse(&ctx, sizeof(ctx)); 125 return out; 126 } 127 128 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { 129 return SHA256_Update(ctx, data, len); 130 } 131 132 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) { 133 return SHA256_Final(md, ctx); 134 } 135 136 #define DATA_ORDER_IS_BIG_ENDIAN 137 138 #define HASH_LONG uint32_t 139 #define HASH_CTX SHA256_CTX 140 #define HASH_CBLOCK 64 141 142 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 143 * default: case below covers for it. It's not clear however if it's permitted 144 * to truncate to amount of bytes not divisible by 4. I bet not, but if it is, 145 * then default: case shall be extended. For reference. Idea behind separate 146 * cases for pre-defined lenghts is to let the compiler decide if it's 147 * appropriate to unroll small loops. 148 * 149 * TODO(davidben): The small |md_len| case is one of the few places a low-level 150 * hash 'final' function can fail. This should never happen. */ 151 #define HASH_MAKE_STRING(c, s) \ 152 do { \ 153 uint32_t ll; \ 154 unsigned int nn; \ 155 switch ((c)->md_len) { \ 156 case SHA224_DIGEST_LENGTH: \ 157 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ 158 ll = (c)->h[nn]; \ 159 (void) HOST_l2c(ll, (s)); \ 160 } \ 161 break; \ 162 case SHA256_DIGEST_LENGTH: \ 163 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ 164 ll = (c)->h[nn]; \ 165 (void) HOST_l2c(ll, (s)); \ 166 } \ 167 break; \ 168 default: \ 169 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \ 170 return 0; \ 171 } \ 172 for (nn = 0; nn < (c)->md_len / 4; nn++) { \ 173 ll = (c)->h[nn]; \ 174 (void) HOST_l2c(ll, (s)); \ 175 } \ 176 break; \ 177 } \ 178 } while (0) 179 180 181 #define HASH_UPDATE SHA256_Update 182 #define HASH_TRANSFORM SHA256_Transform 183 #define HASH_FINAL SHA256_Final 184 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order 185 #ifndef SHA256_ASM 186 static 187 #endif 188 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); 189 190 #include "../digest/md32_common.h" 191 192 #ifndef SHA256_ASM 193 static const HASH_LONG K256[64] = { 194 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 195 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 196 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 197 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 198 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 199 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 200 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 201 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 202 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 203 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 204 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 205 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 206 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL}; 207 208 /* FIPS specification refers to right rotations, while our ROTATE macro 209 * is left one. This is why you might notice that rotation coefficients 210 * differ from those observed in FIPS document by 32-N... */ 211 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10)) 212 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7)) 213 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3)) 214 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10)) 215 216 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) 217 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 218 219 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \ 220 do { \ 221 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \ 222 h = Sigma0(a) + Maj(a, b, c); \ 223 d += T1; \ 224 h += T1; \ 225 } while (0) 226 227 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ 228 do { \ 229 s0 = X[(i + 1) & 0x0f]; \ 230 s0 = sigma0(s0); \ 231 s1 = X[(i + 14) & 0x0f]; \ 232 s1 = sigma1(s1); \ 233 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ 234 ROUND_00_15(i, a, b, c, d, e, f, g, h); \ 235 } while (0) 236 237 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 238 size_t num) { 239 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1; 240 HASH_LONG X[16]; 241 int i; 242 const uint8_t *data = in; 243 const union { 244 long one; 245 char little; 246 } is_endian = {1}; 247 248 while (num--) { 249 a = ctx->h[0]; 250 b = ctx->h[1]; 251 c = ctx->h[2]; 252 d = ctx->h[3]; 253 e = ctx->h[4]; 254 f = ctx->h[5]; 255 g = ctx->h[6]; 256 h = ctx->h[7]; 257 258 if (!is_endian.little && sizeof(HASH_LONG) == 4 && ((size_t)in % 4) == 0) { 259 const HASH_LONG *W = (const HASH_LONG *)data; 260 261 T1 = X[0] = W[0]; 262 ROUND_00_15(0, a, b, c, d, e, f, g, h); 263 T1 = X[1] = W[1]; 264 ROUND_00_15(1, h, a, b, c, d, e, f, g); 265 T1 = X[2] = W[2]; 266 ROUND_00_15(2, g, h, a, b, c, d, e, f); 267 T1 = X[3] = W[3]; 268 ROUND_00_15(3, f, g, h, a, b, c, d, e); 269 T1 = X[4] = W[4]; 270 ROUND_00_15(4, e, f, g, h, a, b, c, d); 271 T1 = X[5] = W[5]; 272 ROUND_00_15(5, d, e, f, g, h, a, b, c); 273 T1 = X[6] = W[6]; 274 ROUND_00_15(6, c, d, e, f, g, h, a, b); 275 T1 = X[7] = W[7]; 276 ROUND_00_15(7, b, c, d, e, f, g, h, a); 277 T1 = X[8] = W[8]; 278 ROUND_00_15(8, a, b, c, d, e, f, g, h); 279 T1 = X[9] = W[9]; 280 ROUND_00_15(9, h, a, b, c, d, e, f, g); 281 T1 = X[10] = W[10]; 282 ROUND_00_15(10, g, h, a, b, c, d, e, f); 283 T1 = X[11] = W[11]; 284 ROUND_00_15(11, f, g, h, a, b, c, d, e); 285 T1 = X[12] = W[12]; 286 ROUND_00_15(12, e, f, g, h, a, b, c, d); 287 T1 = X[13] = W[13]; 288 ROUND_00_15(13, d, e, f, g, h, a, b, c); 289 T1 = X[14] = W[14]; 290 ROUND_00_15(14, c, d, e, f, g, h, a, b); 291 T1 = X[15] = W[15]; 292 ROUND_00_15(15, b, c, d, e, f, g, h, a); 293 294 data += HASH_CBLOCK; 295 } else { 296 HASH_LONG l; 297 298 HOST_c2l(data, l); 299 T1 = X[0] = l; 300 ROUND_00_15(0, a, b, c, d, e, f, g, h); 301 HOST_c2l(data, l); 302 T1 = X[1] = l; 303 ROUND_00_15(1, h, a, b, c, d, e, f, g); 304 HOST_c2l(data, l); 305 T1 = X[2] = l; 306 ROUND_00_15(2, g, h, a, b, c, d, e, f); 307 HOST_c2l(data, l); 308 T1 = X[3] = l; 309 ROUND_00_15(3, f, g, h, a, b, c, d, e); 310 HOST_c2l(data, l); 311 T1 = X[4] = l; 312 ROUND_00_15(4, e, f, g, h, a, b, c, d); 313 HOST_c2l(data, l); 314 T1 = X[5] = l; 315 ROUND_00_15(5, d, e, f, g, h, a, b, c); 316 HOST_c2l(data, l); 317 T1 = X[6] = l; 318 ROUND_00_15(6, c, d, e, f, g, h, a, b); 319 HOST_c2l(data, l); 320 T1 = X[7] = l; 321 ROUND_00_15(7, b, c, d, e, f, g, h, a); 322 HOST_c2l(data, l); 323 T1 = X[8] = l; 324 ROUND_00_15(8, a, b, c, d, e, f, g, h); 325 HOST_c2l(data, l); 326 T1 = X[9] = l; 327 ROUND_00_15(9, h, a, b, c, d, e, f, g); 328 HOST_c2l(data, l); 329 T1 = X[10] = l; 330 ROUND_00_15(10, g, h, a, b, c, d, e, f); 331 HOST_c2l(data, l); 332 T1 = X[11] = l; 333 ROUND_00_15(11, f, g, h, a, b, c, d, e); 334 HOST_c2l(data, l); 335 T1 = X[12] = l; 336 ROUND_00_15(12, e, f, g, h, a, b, c, d); 337 HOST_c2l(data, l); 338 T1 = X[13] = l; 339 ROUND_00_15(13, d, e, f, g, h, a, b, c); 340 HOST_c2l(data, l); 341 T1 = X[14] = l; 342 ROUND_00_15(14, c, d, e, f, g, h, a, b); 343 HOST_c2l(data, l); 344 T1 = X[15] = l; 345 ROUND_00_15(15, b, c, d, e, f, g, h, a); 346 } 347 348 for (i = 16; i < 64; i += 8) { 349 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 350 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 351 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 352 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 353 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 354 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 355 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 356 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 357 } 358 359 ctx->h[0] += a; 360 ctx->h[1] += b; 361 ctx->h[2] += c; 362 ctx->h[3] += d; 363 ctx->h[4] += e; 364 ctx->h[5] += f; 365 ctx->h[6] += g; 366 ctx->h[7] += h; 367 } 368 } 369 370 #endif /* SHA256_ASM */ 371
