1 /*
2 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * SHA256 low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <openssl/opensslconf.h>
17
18 #include <stdlib.h>
19 #include <string.h>
20
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
24 #include "internal/endian.h"
25
SHA224_Init(SHA256_CTX * c)26 int SHA224_Init(SHA256_CTX *c)
27 {
28 memset(c, 0, sizeof(*c));
29 c->h[0] = 0xc1059ed8UL;
30 c->h[1] = 0x367cd507UL;
31 c->h[2] = 0x3070dd17UL;
32 c->h[3] = 0xf70e5939UL;
33 c->h[4] = 0xffc00b31UL;
34 c->h[5] = 0x68581511UL;
35 c->h[6] = 0x64f98fa7UL;
36 c->h[7] = 0xbefa4fa4UL;
37 c->md_len = SHA224_DIGEST_LENGTH;
38 return 1;
39 }
40
SHA256_Init(SHA256_CTX * c)41 int SHA256_Init(SHA256_CTX *c)
42 {
43 memset(c, 0, sizeof(*c));
44 c->h[0] = 0x6a09e667UL;
45 c->h[1] = 0xbb67ae85UL;
46 c->h[2] = 0x3c6ef372UL;
47 c->h[3] = 0xa54ff53aUL;
48 c->h[4] = 0x510e527fUL;
49 c->h[5] = 0x9b05688cUL;
50 c->h[6] = 0x1f83d9abUL;
51 c->h[7] = 0x5be0cd19UL;
52 c->md_len = SHA256_DIGEST_LENGTH;
53 return 1;
54 }
55
SHA224_Update(SHA256_CTX * c,const void * data,size_t len)56 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
57 {
58 return SHA256_Update(c, data, len);
59 }
60
SHA224_Final(unsigned char * md,SHA256_CTX * c)61 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
62 {
63 return SHA256_Final(md, c);
64 }
65
66 #define DATA_ORDER_IS_BIG_ENDIAN
67
68 #define HASH_LONG SHA_LONG
69 #define HASH_CTX SHA256_CTX
70 #define HASH_CBLOCK SHA_CBLOCK
71
72 /*
73 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
74 * default: case below covers for it. It's not clear however if it's
75 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
76 * but if it is, then default: case shall be extended. For reference.
77 * Idea behind separate cases for pre-defined lengths is to let the
78 * compiler decide if it's appropriate to unroll small loops.
79 */
80 #define HASH_MAKE_STRING(c,s) do { \
81 unsigned long ll; \
82 unsigned int nn; \
83 switch ((c)->md_len) \
84 { case SHA224_DIGEST_LENGTH: \
85 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
86 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
87 break; \
88 case SHA256_DIGEST_LENGTH: \
89 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
90 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
91 break; \
92 default: \
93 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
94 return 0; \
95 for (nn=0;nn<(c)->md_len/4;nn++) \
96 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
97 break; \
98 } \
99 } while (0)
100
101 #define HASH_UPDATE SHA256_Update
102 #define HASH_TRANSFORM SHA256_Transform
103 #define HASH_FINAL SHA256_Final
104 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
105 #ifndef SHA256_ASM
106 static
107 #endif
108 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
109
110 #include "crypto/md32_common.h"
111
112 #ifndef SHA256_ASM
113 static const SHA_LONG K256[64] = {
114 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
115 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
116 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
117 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
118 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
119 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
120 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
121 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
122 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
123 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
124 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
125 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
126 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
127 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
128 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
129 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
130 };
131
132 /*
133 * FIPS specification refers to right rotations, while our ROTATE macro
134 * is left one. This is why you might notice that rotation coefficients
135 * differ from those observed in FIPS document by 32-N...
136 */
137 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
138 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
139 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
140 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
141
142 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
143 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
144
145 # ifdef OPENSSL_SMALL_FOOTPRINT
146
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)147 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
148 size_t num)
149 {
150 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
151 SHA_LONG X[16], l;
152 int i;
153 const unsigned char *data = in;
154
155 while (num--) {
156
157 a = ctx->h[0];
158 b = ctx->h[1];
159 c = ctx->h[2];
160 d = ctx->h[3];
161 e = ctx->h[4];
162 f = ctx->h[5];
163 g = ctx->h[6];
164 h = ctx->h[7];
165
166 for (i = 0; i < 16; i++) {
167 (void)HOST_c2l(data, l);
168 T1 = X[i] = l;
169 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
170 T2 = Sigma0(a) + Maj(a, b, c);
171 h = g;
172 g = f;
173 f = e;
174 e = d + T1;
175 d = c;
176 c = b;
177 b = a;
178 a = T1 + T2;
179 }
180
181 for (; i < 64; i++) {
182 s0 = X[(i + 1) & 0x0f];
183 s0 = sigma0(s0);
184 s1 = X[(i + 14) & 0x0f];
185 s1 = sigma1(s1);
186
187 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
188 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
189 T2 = Sigma0(a) + Maj(a, b, c);
190 h = g;
191 g = f;
192 f = e;
193 e = d + T1;
194 d = c;
195 c = b;
196 b = a;
197 a = T1 + T2;
198 }
199
200 ctx->h[0] += a;
201 ctx->h[1] += b;
202 ctx->h[2] += c;
203 ctx->h[3] += d;
204 ctx->h[4] += e;
205 ctx->h[5] += f;
206 ctx->h[6] += g;
207 ctx->h[7] += h;
208
209 }
210 }
211
212 # else
213
214 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
215 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
216 h = Sigma0(a) + Maj(a,b,c); \
217 d += T1; h += T1; } while (0)
218
219 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
220 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
221 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
222 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
223 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
224
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)225 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
226 size_t num)
227 {
228 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
229 SHA_LONG X[16];
230 int i;
231 const unsigned char *data = in;
232 DECLARE_IS_ENDIAN;
233
234 while (num--) {
235
236 a = ctx->h[0];
237 b = ctx->h[1];
238 c = ctx->h[2];
239 d = ctx->h[3];
240 e = ctx->h[4];
241 f = ctx->h[5];
242 g = ctx->h[6];
243 h = ctx->h[7];
244
245 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
246 && ((size_t)in % 4) == 0) {
247 const SHA_LONG *W = (const SHA_LONG *)data;
248
249 T1 = X[0] = W[0];
250 ROUND_00_15(0, a, b, c, d, e, f, g, h);
251 T1 = X[1] = W[1];
252 ROUND_00_15(1, h, a, b, c, d, e, f, g);
253 T1 = X[2] = W[2];
254 ROUND_00_15(2, g, h, a, b, c, d, e, f);
255 T1 = X[3] = W[3];
256 ROUND_00_15(3, f, g, h, a, b, c, d, e);
257 T1 = X[4] = W[4];
258 ROUND_00_15(4, e, f, g, h, a, b, c, d);
259 T1 = X[5] = W[5];
260 ROUND_00_15(5, d, e, f, g, h, a, b, c);
261 T1 = X[6] = W[6];
262 ROUND_00_15(6, c, d, e, f, g, h, a, b);
263 T1 = X[7] = W[7];
264 ROUND_00_15(7, b, c, d, e, f, g, h, a);
265 T1 = X[8] = W[8];
266 ROUND_00_15(8, a, b, c, d, e, f, g, h);
267 T1 = X[9] = W[9];
268 ROUND_00_15(9, h, a, b, c, d, e, f, g);
269 T1 = X[10] = W[10];
270 ROUND_00_15(10, g, h, a, b, c, d, e, f);
271 T1 = X[11] = W[11];
272 ROUND_00_15(11, f, g, h, a, b, c, d, e);
273 T1 = X[12] = W[12];
274 ROUND_00_15(12, e, f, g, h, a, b, c, d);
275 T1 = X[13] = W[13];
276 ROUND_00_15(13, d, e, f, g, h, a, b, c);
277 T1 = X[14] = W[14];
278 ROUND_00_15(14, c, d, e, f, g, h, a, b);
279 T1 = X[15] = W[15];
280 ROUND_00_15(15, b, c, d, e, f, g, h, a);
281
282 data += SHA256_CBLOCK;
283 } else {
284 SHA_LONG l;
285
286 (void)HOST_c2l(data, l);
287 T1 = X[0] = l;
288 ROUND_00_15(0, a, b, c, d, e, f, g, h);
289 (void)HOST_c2l(data, l);
290 T1 = X[1] = l;
291 ROUND_00_15(1, h, a, b, c, d, e, f, g);
292 (void)HOST_c2l(data, l);
293 T1 = X[2] = l;
294 ROUND_00_15(2, g, h, a, b, c, d, e, f);
295 (void)HOST_c2l(data, l);
296 T1 = X[3] = l;
297 ROUND_00_15(3, f, g, h, a, b, c, d, e);
298 (void)HOST_c2l(data, l);
299 T1 = X[4] = l;
300 ROUND_00_15(4, e, f, g, h, a, b, c, d);
301 (void)HOST_c2l(data, l);
302 T1 = X[5] = l;
303 ROUND_00_15(5, d, e, f, g, h, a, b, c);
304 (void)HOST_c2l(data, l);
305 T1 = X[6] = l;
306 ROUND_00_15(6, c, d, e, f, g, h, a, b);
307 (void)HOST_c2l(data, l);
308 T1 = X[7] = l;
309 ROUND_00_15(7, b, c, d, e, f, g, h, a);
310 (void)HOST_c2l(data, l);
311 T1 = X[8] = l;
312 ROUND_00_15(8, a, b, c, d, e, f, g, h);
313 (void)HOST_c2l(data, l);
314 T1 = X[9] = l;
315 ROUND_00_15(9, h, a, b, c, d, e, f, g);
316 (void)HOST_c2l(data, l);
317 T1 = X[10] = l;
318 ROUND_00_15(10, g, h, a, b, c, d, e, f);
319 (void)HOST_c2l(data, l);
320 T1 = X[11] = l;
321 ROUND_00_15(11, f, g, h, a, b, c, d, e);
322 (void)HOST_c2l(data, l);
323 T1 = X[12] = l;
324 ROUND_00_15(12, e, f, g, h, a, b, c, d);
325 (void)HOST_c2l(data, l);
326 T1 = X[13] = l;
327 ROUND_00_15(13, d, e, f, g, h, a, b, c);
328 (void)HOST_c2l(data, l);
329 T1 = X[14] = l;
330 ROUND_00_15(14, c, d, e, f, g, h, a, b);
331 (void)HOST_c2l(data, l);
332 T1 = X[15] = l;
333 ROUND_00_15(15, b, c, d, e, f, g, h, a);
334 }
335
336 for (i = 16; i < 64; i += 8) {
337 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
338 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
339 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
340 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
341 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
342 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
343 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
344 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
345 }
346
347 ctx->h[0] += a;
348 ctx->h[1] += b;
349 ctx->h[2] += c;
350 ctx->h[3] += d;
351 ctx->h[4] += e;
352 ctx->h[5] += f;
353 ctx->h[6] += g;
354 ctx->h[7] += h;
355
356 }
357 }
358
359 # endif
360 #endif /* SHA256_ASM */
361