1 /* 2 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/opensslconf.h> 11 12 #include <stdlib.h> 13 #include <string.h> 14 15 #include <openssl/crypto.h> 16 #include <openssl/sha.h> 17 #include <openssl/opensslv.h> 18 19 int SHA224_Init(SHA256_CTX *c) 20 { 21 memset(c, 0, sizeof(*c)); 22 c->h[0] = 0xc1059ed8UL; 23 c->h[1] = 0x367cd507UL; 24 c->h[2] = 0x3070dd17UL; 25 c->h[3] = 0xf70e5939UL; 26 c->h[4] = 0xffc00b31UL; 27 c->h[5] = 0x68581511UL; 28 c->h[6] = 0x64f98fa7UL; 29 c->h[7] = 0xbefa4fa4UL; 30 c->md_len = SHA224_DIGEST_LENGTH; 31 return 1; 32 } 33 34 int SHA256_Init(SHA256_CTX *c) 35 { 36 memset(c, 0, sizeof(*c)); 37 c->h[0] = 0x6a09e667UL; 38 c->h[1] = 0xbb67ae85UL; 39 c->h[2] = 0x3c6ef372UL; 40 c->h[3] = 0xa54ff53aUL; 41 c->h[4] = 0x510e527fUL; 42 c->h[5] = 0x9b05688cUL; 43 c->h[6] = 0x1f83d9abUL; 44 c->h[7] = 0x5be0cd19UL; 45 c->md_len = SHA256_DIGEST_LENGTH; 46 return 1; 47 } 48 49 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) 50 { 51 SHA256_CTX c; 52 static unsigned char m[SHA224_DIGEST_LENGTH]; 53 54 if (md == NULL) 55 md = m; 56 SHA224_Init(&c); 57 SHA256_Update(&c, d, n); 58 SHA256_Final(md, &c); 59 OPENSSL_cleanse(&c, sizeof(c)); 60 return md; 61 } 62 63 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) 64 { 65 SHA256_CTX c; 66 static unsigned char m[SHA256_DIGEST_LENGTH]; 67 68 if (md == NULL) 69 md = m; 70 SHA256_Init(&c); 71 SHA256_Update(&c, d, n); 72 SHA256_Final(md, &c); 73 OPENSSL_cleanse(&c, sizeof(c)); 74 return md; 75 } 76 77 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) 78 { 79 return SHA256_Update(c, data, len); 80 } 81 82 int SHA224_Final(unsigned char *md, SHA256_CTX *c) 83 { 84 return SHA256_Final(md, c); 85 } 86 87 #define DATA_ORDER_IS_BIG_ENDIAN 88 89 #define HASH_LONG SHA_LONG 90 #define HASH_CTX SHA256_CTX 91 #define HASH_CBLOCK SHA_CBLOCK 92 93 /* 94 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 95 * default: case below covers for it. It's not clear however if it's 96 * permitted to truncate to amount of bytes not divisible by 4. I bet not, 97 * but if it is, then default: case shall be extended. For reference. 98 * Idea behind separate cases for pre-defined lengths is to let the 99 * compiler decide if it's appropriate to unroll small loops. 100 */ 101 #define HASH_MAKE_STRING(c,s) do { \ 102 unsigned long ll; \ 103 unsigned int nn; \ 104 switch ((c)->md_len) \ 105 { case SHA224_DIGEST_LENGTH: \ 106 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ 107 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 108 break; \ 109 case SHA256_DIGEST_LENGTH: \ 110 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ 111 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 112 break; \ 113 default: \ 114 if ((c)->md_len > SHA256_DIGEST_LENGTH) \ 115 return 0; \ 116 for (nn=0;nn<(c)->md_len/4;nn++) \ 117 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ 118 break; \ 119 } \ 120 } while (0) 121 122 #define HASH_UPDATE SHA256_Update 123 #define HASH_TRANSFORM SHA256_Transform 124 #define HASH_FINAL SHA256_Final 125 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order 126 #ifndef SHA256_ASM 127 static 128 #endif 129 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num); 130 131 #include "crypto/md32_common.h" 132 133 #ifndef SHA256_ASM 134 static const SHA_LONG K256[64] = { 135 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 136 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 137 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 138 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 139 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 140 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 141 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 142 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 143 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 144 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 145 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 146 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 147 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 148 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 149 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 150 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 151 }; 152 153 /* 154 * FIPS specification refers to right rotations, while our ROTATE macro 155 * is left one. This is why you might notice that rotation coefficients 156 * differ from those observed in FIPS document by 32-N... 157 */ 158 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) 159 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) 160 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) 161 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) 162 163 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 164 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 165 166 # ifdef OPENSSL_SMALL_FOOTPRINT 167 168 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 169 size_t num) 170 { 171 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; 172 SHA_LONG X[16], l; 173 int i; 174 const unsigned char *data = in; 175 176 while (num--) { 177 178 a = ctx->h[0]; 179 b = ctx->h[1]; 180 c = ctx->h[2]; 181 d = ctx->h[3]; 182 e = ctx->h[4]; 183 f = ctx->h[5]; 184 g = ctx->h[6]; 185 h = ctx->h[7]; 186 187 for (i = 0; i < 16; i++) { 188 (void)HOST_c2l(data, l); 189 T1 = X[i] = l; 190 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 191 T2 = Sigma0(a) + Maj(a, b, c); 192 h = g; 193 g = f; 194 f = e; 195 e = d + T1; 196 d = c; 197 c = b; 198 b = a; 199 a = T1 + T2; 200 } 201 202 for (; i < 64; i++) { 203 s0 = X[(i + 1) & 0x0f]; 204 s0 = sigma0(s0); 205 s1 = X[(i + 14) & 0x0f]; 206 s1 = sigma1(s1); 207 208 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf]; 209 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; 210 T2 = Sigma0(a) + Maj(a, b, c); 211 h = g; 212 g = f; 213 f = e; 214 e = d + T1; 215 d = c; 216 c = b; 217 b = a; 218 a = T1 + T2; 219 } 220 221 ctx->h[0] += a; 222 ctx->h[1] += b; 223 ctx->h[2] += c; 224 ctx->h[3] += d; 225 ctx->h[4] += e; 226 ctx->h[5] += f; 227 ctx->h[6] += g; 228 ctx->h[7] += h; 229 230 } 231 } 232 233 # else 234 235 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ 236 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ 237 h = Sigma0(a) + Maj(a,b,c); \ 238 d += T1; h += T1; } while (0) 239 240 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ 241 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ 242 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ 243 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ 244 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) 245 246 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in, 247 size_t num) 248 { 249 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; 250 SHA_LONG X[16]; 251 int i; 252 const unsigned char *data = in; 253 const union { 254 long one; 255 char little; 256 } is_endian = { 257 1 258 }; 259 260 while (num--) { 261 262 a = ctx->h[0]; 263 b = ctx->h[1]; 264 c = ctx->h[2]; 265 d = ctx->h[3]; 266 e = ctx->h[4]; 267 f = ctx->h[5]; 268 g = ctx->h[6]; 269 h = ctx->h[7]; 270 271 if (!is_endian.little && sizeof(SHA_LONG) == 4 272 && ((size_t)in % 4) == 0) { 273 const SHA_LONG *W = (const SHA_LONG *)data; 274 275 T1 = X[0] = W[0]; 276 ROUND_00_15(0, a, b, c, d, e, f, g, h); 277 T1 = X[1] = W[1]; 278 ROUND_00_15(1, h, a, b, c, d, e, f, g); 279 T1 = X[2] = W[2]; 280 ROUND_00_15(2, g, h, a, b, c, d, e, f); 281 T1 = X[3] = W[3]; 282 ROUND_00_15(3, f, g, h, a, b, c, d, e); 283 T1 = X[4] = W[4]; 284 ROUND_00_15(4, e, f, g, h, a, b, c, d); 285 T1 = X[5] = W[5]; 286 ROUND_00_15(5, d, e, f, g, h, a, b, c); 287 T1 = X[6] = W[6]; 288 ROUND_00_15(6, c, d, e, f, g, h, a, b); 289 T1 = X[7] = W[7]; 290 ROUND_00_15(7, b, c, d, e, f, g, h, a); 291 T1 = X[8] = W[8]; 292 ROUND_00_15(8, a, b, c, d, e, f, g, h); 293 T1 = X[9] = W[9]; 294 ROUND_00_15(9, h, a, b, c, d, e, f, g); 295 T1 = X[10] = W[10]; 296 ROUND_00_15(10, g, h, a, b, c, d, e, f); 297 T1 = X[11] = W[11]; 298 ROUND_00_15(11, f, g, h, a, b, c, d, e); 299 T1 = X[12] = W[12]; 300 ROUND_00_15(12, e, f, g, h, a, b, c, d); 301 T1 = X[13] = W[13]; 302 ROUND_00_15(13, d, e, f, g, h, a, b, c); 303 T1 = X[14] = W[14]; 304 ROUND_00_15(14, c, d, e, f, g, h, a, b); 305 T1 = X[15] = W[15]; 306 ROUND_00_15(15, b, c, d, e, f, g, h, a); 307 308 data += SHA256_CBLOCK; 309 } else { 310 SHA_LONG l; 311 312 (void)HOST_c2l(data, l); 313 T1 = X[0] = l; 314 ROUND_00_15(0, a, b, c, d, e, f, g, h); 315 (void)HOST_c2l(data, l); 316 T1 = X[1] = l; 317 ROUND_00_15(1, h, a, b, c, d, e, f, g); 318 (void)HOST_c2l(data, l); 319 T1 = X[2] = l; 320 ROUND_00_15(2, g, h, a, b, c, d, e, f); 321 (void)HOST_c2l(data, l); 322 T1 = X[3] = l; 323 ROUND_00_15(3, f, g, h, a, b, c, d, e); 324 (void)HOST_c2l(data, l); 325 T1 = X[4] = l; 326 ROUND_00_15(4, e, f, g, h, a, b, c, d); 327 (void)HOST_c2l(data, l); 328 T1 = X[5] = l; 329 ROUND_00_15(5, d, e, f, g, h, a, b, c); 330 (void)HOST_c2l(data, l); 331 T1 = X[6] = l; 332 ROUND_00_15(6, c, d, e, f, g, h, a, b); 333 (void)HOST_c2l(data, l); 334 T1 = X[7] = l; 335 ROUND_00_15(7, b, c, d, e, f, g, h, a); 336 (void)HOST_c2l(data, l); 337 T1 = X[8] = l; 338 ROUND_00_15(8, a, b, c, d, e, f, g, h); 339 (void)HOST_c2l(data, l); 340 T1 = X[9] = l; 341 ROUND_00_15(9, h, a, b, c, d, e, f, g); 342 (void)HOST_c2l(data, l); 343 T1 = X[10] = l; 344 ROUND_00_15(10, g, h, a, b, c, d, e, f); 345 (void)HOST_c2l(data, l); 346 T1 = X[11] = l; 347 ROUND_00_15(11, f, g, h, a, b, c, d, e); 348 (void)HOST_c2l(data, l); 349 T1 = X[12] = l; 350 ROUND_00_15(12, e, f, g, h, a, b, c, d); 351 (void)HOST_c2l(data, l); 352 T1 = X[13] = l; 353 ROUND_00_15(13, d, e, f, g, h, a, b, c); 354 (void)HOST_c2l(data, l); 355 T1 = X[14] = l; 356 ROUND_00_15(14, c, d, e, f, g, h, a, b); 357 (void)HOST_c2l(data, l); 358 T1 = X[15] = l; 359 ROUND_00_15(15, b, c, d, e, f, g, h, a); 360 } 361 362 for (i = 16; i < 64; i += 8) { 363 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); 364 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); 365 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); 366 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); 367 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); 368 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); 369 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); 370 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); 371 } 372 373 ctx->h[0] += a; 374 ctx->h[1] += b; 375 ctx->h[2] += c; 376 ctx->h[3] += d; 377 ctx->h[4] += e; 378 ctx->h[5] += f; 379 ctx->h[6] += g; 380 ctx->h[7] += h; 381 382 } 383 } 384 385 # endif 386 #endif /* SHA256_ASM */ 387