1/*
2 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*-
11 * This is a generic 32 bit "collector" for message digest algorithms.
12 * Whenever needed it collects input character stream into chunks of
13 * 32 bit values and invokes a block function that performs actual hash
14 * calculations.
15 *
16 * Porting guide.
17 *
18 * Obligatory macros:
19 *
20 * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
21 * this macro defines byte order of input stream.
22 * HASH_CBLOCK
23 * size of a unit chunk HASH_BLOCK operates on.
24 * HASH_LONG
25 * has to be at least 32 bit wide.
26 * HASH_CTX
27 * context structure that at least contains following
28 * members:
29 * typedef struct {
30 * ...
31 * HASH_LONG Nl,Nh;
32 * either {
33 * HASH_LONG data[HASH_LBLOCK];
34 * unsigned char data[HASH_CBLOCK];
35 * };
36 * unsigned int num;
37 * ...
38 * } HASH_CTX;
39 * data[] vector is expected to be zeroed upon first call to
40 * HASH_UPDATE.
41 * HASH_UPDATE
42 * name of "Update" function, implemented here.
43 * HASH_TRANSFORM
44 * name of "Transform" function, implemented here.
45 * HASH_FINAL
46 * name of "Final" function, implemented here.
47 * HASH_BLOCK_DATA_ORDER
48 * name of "block" function capable of treating *unaligned* input
49 * message in original (data) byte order, implemented externally.
50 * HASH_MAKE_STRING
51 * macro converting context variables to an ASCII hash string.
52 *
53 * MD5 example:
54 *
55 * #define DATA_ORDER_IS_LITTLE_ENDIAN
56 *
57 * #define HASH_LONG MD5_LONG
58 * #define HASH_CTX MD5_CTX
59 * #define HASH_CBLOCK MD5_CBLOCK
60 * #define HASH_UPDATE MD5_Update
61 * #define HASH_TRANSFORM MD5_Transform
62 * #define HASH_FINAL MD5_Final
63 * #define HASH_BLOCK_DATA_ORDER md5_block_data_order
64 */
65
66#include <openssl/crypto.h>
67
68#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
69# error "DATA_ORDER must be defined!"
70#endif
71
72#ifndef HASH_CBLOCK
73# error "HASH_CBLOCK must be defined!"
74#endif
75#ifndef HASH_LONG
76# error "HASH_LONG must be defined!"
77#endif
78#ifndef HASH_CTX
79# error "HASH_CTX must be defined!"
80#endif
81
82#ifndef HASH_UPDATE
83# error "HASH_UPDATE must be defined!"
84#endif
85#ifndef HASH_TRANSFORM
86# error "HASH_TRANSFORM must be defined!"
87#endif
88#ifndef HASH_FINAL
89# error "HASH_FINAL must be defined!"
90#endif
91
92#ifndef HASH_BLOCK_DATA_ORDER
93# error "HASH_BLOCK_DATA_ORDER must be defined!"
94#endif
95
96#define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
97
98#if defined(DATA_ORDER_IS_BIG_ENDIAN)
99
100# define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \
101 l|=(((unsigned long)(*((c)++)))<<16), \
102 l|=(((unsigned long)(*((c)++)))<< 8), \
103 l|=(((unsigned long)(*((c)++))) ) )
104# define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
105 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
106 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
107 *((c)++)=(unsigned char)(((l) )&0xff), \
108 l)
109
110#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
111
112# define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \
113 l|=(((unsigned long)(*((c)++)))<< 8), \
114 l|=(((unsigned long)(*((c)++)))<<16), \
115 l|=(((unsigned long)(*((c)++)))<<24) )
116# define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
117 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
118 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
119 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
120 l)
121
122#endif
123
124/*
125 * Time for some action :-)
126 */
127
128int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len)
129{
130 const unsigned char *data = data_;
131 unsigned char *p;
132 HASH_LONG l;
133 size_t n;
134
135 if (len == 0)
136 return 1;
137
138 l = (c->Nl + (((HASH_LONG) len) << 3)) & 0xffffffffUL;
139 if (l < c->Nl) /* overflow */
140 c->Nh++;
141 c->Nh += (HASH_LONG) (len >> 29); /* might cause compiler warning on
142 * 16-bit */
143 c->Nl = l;
144
145 n = c->num;
146 if (n != 0) {
147 p = (unsigned char *)c->data;
148
149 if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) {
150 memcpy(p + n, data, HASH_CBLOCK - n);
151 HASH_BLOCK_DATA_ORDER(c, p, 1);
152 n = HASH_CBLOCK - n;
153 data += n;
154 len -= n;
155 c->num = 0;
156 /*
157 * We use memset rather than OPENSSL_cleanse() here deliberately.
158 * Using OPENSSL_cleanse() here could be a performance issue. It
159 * will get properly cleansed on finalisation so this isn't a
160 * security problem.
161 */
162 memset(p, 0, HASH_CBLOCK); /* keep it zeroed */
163 } else {
164 memcpy(p + n, data, len);
165 c->num += (unsigned int)len;
166 return 1;
167 }
168 }
169
170 n = len / HASH_CBLOCK;
171 if (n > 0) {
172 HASH_BLOCK_DATA_ORDER(c, data, n);
173 n *= HASH_CBLOCK;
174 data += n;
175 len -= n;
176 }
177
178 if (len != 0) {
179 p = (unsigned char *)c->data;
180 c->num = (unsigned int)len;
181 memcpy(p, data, len);
182 }
183 return 1;
184}
185
186void HASH_TRANSFORM(HASH_CTX *c, const unsigned char *data)
187{
188 HASH_BLOCK_DATA_ORDER(c, data, 1);
189}
190
191int HASH_FINAL(unsigned char *md, HASH_CTX *c)
192{
193 unsigned char *p = (unsigned char *)c->data;
194 size_t n = c->num;
195
196 p[n] = 0x80; /* there is always room for one */
197 n++;
198
199 if (n > (HASH_CBLOCK - 8)) {
200 memset(p + n, 0, HASH_CBLOCK - n);
201 n = 0;
202 HASH_BLOCK_DATA_ORDER(c, p, 1);
203 }
204 memset(p + n, 0, HASH_CBLOCK - 8 - n);
205
206 p += HASH_CBLOCK - 8;
207#if defined(DATA_ORDER_IS_BIG_ENDIAN)
208 (void)HOST_l2c(c->Nh, p);
209 (void)HOST_l2c(c->Nl, p);
210#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
211 (void)HOST_l2c(c->Nl, p);
212 (void)HOST_l2c(c->Nh, p);
213#endif
214 p -= HASH_CBLOCK;
215 HASH_BLOCK_DATA_ORDER(c, p, 1);
216 c->num = 0;
217 OPENSSL_cleanse(p, HASH_CBLOCK);
218
219#ifndef HASH_MAKE_STRING
220# error "HASH_MAKE_STRING must be defined!"
221#else
222 HASH_MAKE_STRING(c, md);
223#endif
224
225 return 1;
226}
227
228#ifndef MD32_REG_T
229# if defined(__alpha) || defined(__sparcv9) || defined(__mips)
230# define MD32_REG_T long
231/*
232 * This comment was originally written for MD5, which is why it
233 * discusses A-D. But it basically applies to all 32-bit digests,
234 * which is why it was moved to common header file.
235 *
236 * In case you wonder why A-D are declared as long and not
237 * as MD5_LONG. Doing so results in slight performance
238 * boost on LP64 architectures. The catch is we don't
239 * really care if 32 MSBs of a 64-bit register get polluted
240 * with eventual overflows as we *save* only 32 LSBs in
241 * *either* case. Now declaring 'em long excuses the compiler
242 * from keeping 32 MSBs zeroed resulting in 13% performance
243 * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
244 * Well, to be honest it should say that this *prevents*
245 * performance degradation.
246 */
247# else
248/*
249 * Above is not absolute and there are LP64 compilers that
250 * generate better code if MD32_REG_T is defined int. The above
251 * pre-processor condition reflects the circumstances under which
252 * the conclusion was made and is subject to further extension.
253 */
254# define MD32_REG_T int
255# endif
256#endif
257