1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/sha.h> 58 59 #include <string.h> 60 61 #include <openssl/mem.h> 62 63 64 #if !defined(OPENSSL_NO_ASM) && \ 65 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ 66 defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) 67 #define SHA256_ASM 68 #endif 69 70 int SHA224_Init(SHA256_CTX *sha) { 71 memset(sha, 0, sizeof(SHA256_CTX)); 72 sha->h[0] = 0xc1059ed8UL; 73 sha->h[1] = 0x367cd507UL; 74 sha->h[2] = 0x3070dd17UL; 75 sha->h[3] = 0xf70e5939UL; 76 sha->h[4] = 0xffc00b31UL; 77 sha->h[5] = 0x68581511UL; 78 sha->h[6] = 0x64f98fa7UL; 79 sha->h[7] = 0xbefa4fa4UL; 80 sha->md_len = SHA224_DIGEST_LENGTH; 81 return 1; 82 } 83 84 int SHA256_Init(SHA256_CTX *sha) { 85 memset(sha, 0, sizeof(SHA256_CTX)); 86 sha->h[0] = 0x6a09e667UL; 87 sha->h[1] = 0xbb67ae85UL; 88 sha->h[2] = 0x3c6ef372UL; 89 sha->h[3] = 0xa54ff53aUL; 90 sha->h[4] = 0x510e527fUL; 91 sha->h[5] = 0x9b05688cUL; 92 sha->h[6] = 0x1f83d9abUL; 93 sha->h[7] = 0x5be0cd19UL; 94 sha->md_len = SHA256_DIGEST_LENGTH; 95 return 1; 96 } 97 98 uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out) { 99 SHA256_CTX ctx; 100 static uint8_t buf[SHA224_DIGEST_LENGTH]; 101 102 /* TODO(fork): remove this static buffer. */ 103 if (out == NULL) { 104 out = buf; 105 } 106 SHA224_Init(&ctx); 107 SHA256_Update(&ctx, data, len); 108 SHA256_Final(out, &ctx); 109 OPENSSL_cleanse(&ctx, sizeof(ctx)); 110 return out; 111 } 112 113 uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out) { 114 SHA256_CTX ctx; 115 static uint8_t buf[SHA256_DIGEST_LENGTH]; 116 117 /* TODO(fork): remove this static buffer. */ 118 if (out == NULL) { 119 out = buf; 120 } 121 SHA256_Init(&ctx); 122 SHA256_Update(&ctx, data, len); 123 SHA256_Final(out, &ctx); 124 OPENSSL_cleanse(&ctx, sizeof(ctx)); 125 return out; 126 } 127 128 int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { 129 return SHA256_Update(ctx, data, len); 130 } 131 132 int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) { 133 return SHA256_Final(md, ctx); 134 } 135 136 #define DATA_ORDER_IS_BIG_ENDIAN 137 138 #define HASH_CTX SHA256_CTX 139 #define HASH_CBLOCK 64 140 141 /* Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 142 * default: case below covers for it. It's not clear however if it's permitted 143 * to truncate to amount of bytes not divisible by 4. I bet not, but if it is, 144 * then default: case shall be extended. For reference. Idea behind separate 145 * cases for pre-defined lenghts is to let the compiler decide if it's 146 * appropriate to unroll small loops. 147 * 148 * TODO(davidben): The small |md_len| case is one of the few places a low-level 149 * hash 'final' function can fail. This should never happen. */ 150 #define HASH_MAKE_STRING(c, s) \ 151 do { \ 152 uint32_t ll; \ 153 unsigned int nn; \ 154 switch ((c)->md_len) { \ 155 case SHA224_DIGEST_LENGTH: \ 156 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ 157 ll = (c)->h[nn]; \ 158 HOST_l2c(ll, (s)); \ 159 } \ 160 break; \ 161 case SHA256_DIGEST_LENGTH: \ 162 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ 163 ll = (c)->h[nn]; \ 164 HOST_l2c(ll, (s)); \ 165 } \ 166 break; \ 167 default: \ 168 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \ 169 return 0; \ 170 } \ 171 for (nn = 0; nn < (c)->md_len / 4; nn++) { \ 172 ll = (c)->h[nn]; \ 173 HOST_l2c(ll, (s)); \ 174 } \ 175 break; \ 176 } \ 177 } while (0) 178 179 180 #define HASH_UPDATE SHA256_Update 181 #define HASH_TRANSFORM SHA256_Transform 182 #define HASH_FINAL SHA256_Final 183 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order 184 #ifndef SHA256_ASM 185 static 186 #endif 187 void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num); 188 189 #include "../digest/md32_common.h" 190 191 #ifndef SHA256_ASM 192 static const uint32_t K256[64] = { 193 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 194 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 195 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 196 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 197 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 198 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 199 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 200 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 201 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 202 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 203 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 204 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 205 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL}; 206 207 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) 208 209 /* FIPS specification refers to right rotations, while our ROTATE macro 210 * is left one. This is why you might notice that rotation coefficients 211 * differ from those observed in FIPS document by 32-N... */ 212 #define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10)) 213 #define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7)) 214 #define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3)) 215 #define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10)) 216 217 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) 218 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 219 220 #define ROUND_00_15(i, a, b, c, d, e, f, g, h) \ 221 do { \ 222 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \ 223 h = Sigma0(a) + Maj(a, b, c); \ 224 d += T1; \ 225 h += T1; \ 226 } while (0) 227 228 #define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \ 229 do { \ 230 s0 = X[(i + 1) & 0x0f]; \ 231 s0 = sigma0(s0); \ 232 s1 = X[(i + 14) & 0x0f]; \ 233 s1 = sigma1(s1); \ 234 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \ 235 ROUND_00_15(i, a, b, c, d, e, f, g, h); \ 236 } while (0) 237 238 static void sha256_block_data_order(uint32_t *state, const uint8_t *data, 239 size_t num) { 240 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1; 241 uint32_t X[16]; 242 int i; 243 244 while (num--) { 245 a = state[0]; 246 b = state[1]; 247 c = state[2]; 248 d = state[3]; 249 e = state[4]; 250 f = state[5]; 251 g = state[6]; 252 h = state[7]; 253 254 uint32_t l; 255 256 HOST_c2l(data, l); 257 T1 = X[0] = l; 258 ROUND_00_15(0, a, b, c, d, e, f, g, h); 259 HOST_c2l(data, l); 260 T1 = X[1] = l; 261 ROUND_00_15(1, h, a, b, c, d, e, f, g); 262 HOST_c2l(data, l); 263 T1 = X[2] = l; 264 ROUND_00_15(2, g, h, a, b, c, d, e, f); 265 HOST_c2l(data, l); 266 T1 = X[3] = l; 267 ROUND_00_15(3, f, g, h, a, b, c, d, e); 268 HOST_c2l(data, l); 269 T1 = X[4] = l; 270 ROUND_00_15(4, e, f, g, h, a, b, c, d); 271 HOST_c2l(data, l); 272 T1 = X[5] = l; 273 ROUND_00_15(5, d, e, f, g, h, a, b, c); 274 HOST_c2l(data, l); 275 T1 = X[6] = l; 276 ROUND_00_15(6, c, d, e, f, g, h, a, b); 277 HOST_c2l(data, l); 278 T1 = X[7] = l; 279 ROUND_00_15(7, b, c, d, e, f, g, h, a); 280 HOST_c2l(data, l); 281 T1 = X[8] = l; 282 ROUND_00_15(8, a, b, c, d, e, f, g, h); 283 HOST_c2l(data, l); 284 T1 = X[9] = l; 285 ROUND_00_15(9, h, a, b, c, d, e, f, g); 286 HOST_c2l(data, l); 287 T1 = X[10] = l; 288 ROUND_00_15(10, g, h, a, b, c, d, e, f); 289 HOST_c2l(data, l); 290 T1 = X[11] = l; 291 ROUND_00_15(11, f, g, h, a, b, c, d, e); 292 HOST_c2l(data, l); 293 T1 = X[12] = l; 294 ROUND_00_15(12, e, f, g, h, a, b, c, d); 295 HOST_c2l(data, l); 296 T1 = X[13] = l; 297 ROUND_00_15(13, d, e, f, g, h, a, b, c); 298 HOST_c2l(data, l); 299 T1 = X[14] = l; 300 ROUND_00_15(14, c, d, e, f, g, h, a, b); 301 HOST_c2l(data, l); 302 T1 = X[15] = l; 303 ROUND_00_15(15, b, c, d, e, f, g, h, a); 304 305 for (i = 16; i < 64; i += 8) { 306 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 307 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 308 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 309 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 310 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 311 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 312 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 313 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 314 } 315 316 state[0] += a; 317 state[1] += b; 318 state[2] += c; 319 state[3] += d; 320 state[4] += e; 321 state[5] += f; 322 state[6] += g; 323 state[7] += h; 324 } 325 } 326 327 #endif /* SHA256_ASM */ 328