Home | History | Annotate | Download | only in sha
      1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      2  * All rights reserved.
      3  *
      4  * This package is an SSL implementation written
      5  * by Eric Young (eay (at) cryptsoft.com).
      6  * The implementation was written so as to conform with Netscapes SSL.
      7  *
      8  * This library is free for commercial and non-commercial use as long as
      9  * the following conditions are aheared to.  The following conditions
     10  * apply to all code found in this distribution, be it the RC4, RSA,
     11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     12  * included with this distribution is covered by the same copyright terms
     13  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     14  *
     15  * Copyright remains Eric Young's, and as such any Copyright notices in
     16  * the code are not to be removed.
     17  * If this package is used in a product, Eric Young should be given attribution
     18  * as the author of the parts of the library used.
     19  * This can be in the form of a textual message at program startup or
     20  * in documentation (online or textual) provided with the package.
     21  *
     22  * Redistribution and use in source and binary forms, with or without
     23  * modification, are permitted provided that the following conditions
     24  * are met:
     25  * 1. Redistributions of source code must retain the copyright
     26  *    notice, this list of conditions and the following disclaimer.
     27  * 2. Redistributions in binary form must reproduce the above copyright
     28  *    notice, this list of conditions and the following disclaimer in the
     29  *    documentation and/or other materials provided with the distribution.
     30  * 3. All advertising materials mentioning features or use of this software
     31  *    must display the following acknowledgement:
     32  *    "This product includes cryptographic software written by
     33  *     Eric Young (eay (at) cryptsoft.com)"
     34  *    The word 'cryptographic' can be left out if the rouines from the library
     35  *    being used are not cryptographic related :-).
     36  * 4. If you include any Windows specific code (or a derivative thereof) from
     37  *    the apps directory (application code) you must include an acknowledgement:
     38  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     50  * SUCH DAMAGE.
     51  *
     52  * The licence and distribution terms for any publically available version or
     53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     54  * copied and put under another distribution licence
     55  * [including the GNU Public Licence.] */
     56 
     57 #include <openssl/sha.h>
     58 
     59 #include <string.h>
     60 
     61 #include <openssl/mem.h>
     62 
     63 
     64 #if !defined(OPENSSL_NO_ASM) &&                         \
     65     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
     66      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
     67 #define SHA256_ASM
     68 #endif
     69 
     70 int SHA224_Init(SHA256_CTX *sha) {
     71   memset(sha, 0, sizeof(SHA256_CTX));
     72   sha->h[0] = 0xc1059ed8UL;
     73   sha->h[1] = 0x367cd507UL;
     74   sha->h[2] = 0x3070dd17UL;
     75   sha->h[3] = 0xf70e5939UL;
     76   sha->h[4] = 0xffc00b31UL;
     77   sha->h[5] = 0x68581511UL;
     78   sha->h[6] = 0x64f98fa7UL;
     79   sha->h[7] = 0xbefa4fa4UL;
     80   sha->md_len = SHA224_DIGEST_LENGTH;
     81   return 1;
     82 }
     83 
     84 int SHA256_Init(SHA256_CTX *sha) {
     85   memset(sha, 0, sizeof(SHA256_CTX));
     86   sha->h[0] = 0x6a09e667UL;
     87   sha->h[1] = 0xbb67ae85UL;
     88   sha->h[2] = 0x3c6ef372UL;
     89   sha->h[3] = 0xa54ff53aUL;
     90   sha->h[4] = 0x510e527fUL;
     91   sha->h[5] = 0x9b05688cUL;
     92   sha->h[6] = 0x1f83d9abUL;
     93   sha->h[7] = 0x5be0cd19UL;
     94   sha->md_len = SHA256_DIGEST_LENGTH;
     95   return 1;
     96 }
     97 
     98 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) {
     99   SHA256_CTX ctx;
    100   static uint8_t buf[SHA224_DIGEST_LENGTH];
    101 
    102   /* TODO(fork): remove this static buffer. */
    103   if (out == NULL) {
    104     out = buf;
    105   }
    106   SHA224_Init(&ctx);
    107   SHA256_Update(&ctx, data, len);
    108   SHA256_Final(out, &ctx);
    109   OPENSSL_cleanse(&ctx, sizeof(ctx));
    110   return out;
    111 }
    112 
    113 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) {
    114   SHA256_CTX ctx;
    115   static uint8_t buf[SHA256_DIGEST_LENGTH];
    116 
    117   /* TODO(fork): remove this static buffer. */
    118   if (out == NULL) {
    119     out = buf;
    120   }
    121   SHA256_Init(&ctx);
    122   SHA256_Update(&ctx, data, len);
    123   SHA256_Final(out, &ctx);
    124   OPENSSL_cleanse(&ctx, sizeof(ctx));
    125   return out;
    126 }
    127 
    128 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
    129   return SHA256_Update(ctx, data, len);
    130 }
    131 
    132 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
    133   return SHA256_Final(md, ctx);
    134 }
    135 
    136 #define DATA_ORDER_IS_BIG_ENDIAN
    137 
    138 #define HASH_LONG uint32_t
    139 #define HASH_CTX SHA256_CTX
    140 #define HASH_CBLOCK 64
    141 
    142 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
    143  * default: case below covers for it. It's not clear however if it's permitted
    144  * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
    145  * then default: case shall be extended. For reference. Idea behind separate
    146  * cases for pre-defined lenghts is to let the compiler decide if it's
    147  * appropriate to unroll small loops.
    148  *
    149  * TODO(davidben): The small |md_len| case is one of the few places a low-level
    150  * hash 'final' function can fail. This should never happen. */
    151 #define HASH_MAKE_STRING(c, s)                              \
    152   do {                                                      \
    153     uint32_t ll;                                            \
    154     unsigned int nn;                                        \
    155     switch ((c)->md_len) {                                  \
    156       case SHA224_DIGEST_LENGTH:                            \
    157         for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
    158           ll = (c)->h[nn];                                  \
    159           (void) HOST_l2c(ll, (s));                         \
    160         }                                                   \
    161         break;                                              \
    162       case SHA256_DIGEST_LENGTH:                            \
    163         for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
    164           ll = (c)->h[nn];                                  \
    165           (void) HOST_l2c(ll, (s));                         \
    166         }                                                   \
    167         break;                                              \
    168       default:                                              \
    169         if ((c)->md_len > SHA256_DIGEST_LENGTH) {           \
    170           return 0;                                         \
    171         }                                                   \
    172         for (nn = 0; nn < (c)->md_len / 4; nn++) {          \
    173           ll = (c)->h[nn];                                  \
    174           (void) HOST_l2c(ll, (s));                         \
    175         }                                                   \
    176         break;                                              \
    177     }                                                       \
    178   } while (0)
    179 
    180 
    181 #define HASH_UPDATE SHA256_Update
    182 #define HASH_TRANSFORM SHA256_Transform
    183 #define HASH_FINAL SHA256_Final
    184 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
    185 #ifndef SHA256_ASM
    186 static
    187 #endif
    188 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
    189 
    190 #include "../digest/md32_common.h"
    191 
    192 #ifndef SHA256_ASM
    193 static const HASH_LONG K256[64] = {
    194     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
    195     0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
    196     0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
    197     0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    198     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
    199     0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
    200     0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
    201     0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    202     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
    203     0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
    204     0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
    205     0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    206     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
    207 
    208 /* FIPS specification refers to right rotations, while our ROTATE macro
    209  * is left one. This is why you might notice that rotation coefficients
    210  * differ from those observed in FIPS document by 32-N... */
    211 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
    212 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
    213 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
    214 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
    215 
    216 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
    217 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
    218 
    219 #define ROUND_00_15(i, a, b, c, d, e, f, g, h)   \
    220   do {                                           \
    221     T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
    222     h = Sigma0(a) + Maj(a, b, c);                \
    223     d += T1;                                     \
    224     h += T1;                                     \
    225   } while (0)
    226 
    227 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)      \
    228   do {                                                 \
    229     s0 = X[(i + 1) & 0x0f];                            \
    230     s0 = sigma0(s0);                                   \
    231     s1 = X[(i + 14) & 0x0f];                           \
    232     s1 = sigma1(s1);                                   \
    233     T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
    234     ROUND_00_15(i, a, b, c, d, e, f, g, h);            \
    235   } while (0)
    236 
    237 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    238                                     size_t num) {
    239   uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
    240   HASH_LONG X[16];
    241   int i;
    242   const uint8_t *data = in;
    243   const union {
    244     long one;
    245     char little;
    246   } is_endian = {1};
    247 
    248   while (num--) {
    249     a = ctx->h[0];
    250     b = ctx->h[1];
    251     c = ctx->h[2];
    252     d = ctx->h[3];
    253     e = ctx->h[4];
    254     f = ctx->h[5];
    255     g = ctx->h[6];
    256     h = ctx->h[7];
    257 
    258     if (!is_endian.little && sizeof(HASH_LONG) == 4 && ((size_t)in % 4) == 0) {
    259       const HASH_LONG *W = (const HASH_LONG *)data;
    260 
    261       T1 = X[0] = W[0];
    262       ROUND_00_15(0, a, b, c, d, e, f, g, h);
    263       T1 = X[1] = W[1];
    264       ROUND_00_15(1, h, a, b, c, d, e, f, g);
    265       T1 = X[2] = W[2];
    266       ROUND_00_15(2, g, h, a, b, c, d, e, f);
    267       T1 = X[3] = W[3];
    268       ROUND_00_15(3, f, g, h, a, b, c, d, e);
    269       T1 = X[4] = W[4];
    270       ROUND_00_15(4, e, f, g, h, a, b, c, d);
    271       T1 = X[5] = W[5];
    272       ROUND_00_15(5, d, e, f, g, h, a, b, c);
    273       T1 = X[6] = W[6];
    274       ROUND_00_15(6, c, d, e, f, g, h, a, b);
    275       T1 = X[7] = W[7];
    276       ROUND_00_15(7, b, c, d, e, f, g, h, a);
    277       T1 = X[8] = W[8];
    278       ROUND_00_15(8, a, b, c, d, e, f, g, h);
    279       T1 = X[9] = W[9];
    280       ROUND_00_15(9, h, a, b, c, d, e, f, g);
    281       T1 = X[10] = W[10];
    282       ROUND_00_15(10, g, h, a, b, c, d, e, f);
    283       T1 = X[11] = W[11];
    284       ROUND_00_15(11, f, g, h, a, b, c, d, e);
    285       T1 = X[12] = W[12];
    286       ROUND_00_15(12, e, f, g, h, a, b, c, d);
    287       T1 = X[13] = W[13];
    288       ROUND_00_15(13, d, e, f, g, h, a, b, c);
    289       T1 = X[14] = W[14];
    290       ROUND_00_15(14, c, d, e, f, g, h, a, b);
    291       T1 = X[15] = W[15];
    292       ROUND_00_15(15, b, c, d, e, f, g, h, a);
    293 
    294       data += HASH_CBLOCK;
    295     } else {
    296       HASH_LONG l;
    297 
    298       HOST_c2l(data, l);
    299       T1 = X[0] = l;
    300       ROUND_00_15(0, a, b, c, d, e, f, g, h);
    301       HOST_c2l(data, l);
    302       T1 = X[1] = l;
    303       ROUND_00_15(1, h, a, b, c, d, e, f, g);
    304       HOST_c2l(data, l);
    305       T1 = X[2] = l;
    306       ROUND_00_15(2, g, h, a, b, c, d, e, f);
    307       HOST_c2l(data, l);
    308       T1 = X[3] = l;
    309       ROUND_00_15(3, f, g, h, a, b, c, d, e);
    310       HOST_c2l(data, l);
    311       T1 = X[4] = l;
    312       ROUND_00_15(4, e, f, g, h, a, b, c, d);
    313       HOST_c2l(data, l);
    314       T1 = X[5] = l;
    315       ROUND_00_15(5, d, e, f, g, h, a, b, c);
    316       HOST_c2l(data, l);
    317       T1 = X[6] = l;
    318       ROUND_00_15(6, c, d, e, f, g, h, a, b);
    319       HOST_c2l(data, l);
    320       T1 = X[7] = l;
    321       ROUND_00_15(7, b, c, d, e, f, g, h, a);
    322       HOST_c2l(data, l);
    323       T1 = X[8] = l;
    324       ROUND_00_15(8, a, b, c, d, e, f, g, h);
    325       HOST_c2l(data, l);
    326       T1 = X[9] = l;
    327       ROUND_00_15(9, h, a, b, c, d, e, f, g);
    328       HOST_c2l(data, l);
    329       T1 = X[10] = l;
    330       ROUND_00_15(10, g, h, a, b, c, d, e, f);
    331       HOST_c2l(data, l);
    332       T1 = X[11] = l;
    333       ROUND_00_15(11, f, g, h, a, b, c, d, e);
    334       HOST_c2l(data, l);
    335       T1 = X[12] = l;
    336       ROUND_00_15(12, e, f, g, h, a, b, c, d);
    337       HOST_c2l(data, l);
    338       T1 = X[13] = l;
    339       ROUND_00_15(13, d, e, f, g, h, a, b, c);
    340       HOST_c2l(data, l);
    341       T1 = X[14] = l;
    342       ROUND_00_15(14, c, d, e, f, g, h, a, b);
    343       HOST_c2l(data, l);
    344       T1 = X[15] = l;
    345       ROUND_00_15(15, b, c, d, e, f, g, h, a);
    346     }
    347 
    348     for (i = 16; i < 64; i += 8) {
    349       ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
    350       ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
    351       ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
    352       ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
    353       ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
    354       ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
    355       ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
    356       ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
    357     }
    358 
    359     ctx->h[0] += a;
    360     ctx->h[1] += b;
    361     ctx->h[2] += c;
    362     ctx->h[3] += d;
    363     ctx->h[4] += e;
    364     ctx->h[5] += f;
    365     ctx->h[6] += g;
    366     ctx->h[7] += h;
    367   }
    368 }
    369 
    370 #endif /* SHA256_ASM */
    371