1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57#include <openssl/sha.h>
58
59#include <string.h>
60
61#include <openssl/mem.h>
62
63#include "internal.h"
64#include "../../internal.h"
65
66
67int SHA224_Init(SHA256_CTX *sha) {
68 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
69 sha->h[0] = 0xc1059ed8UL;
70 sha->h[1] = 0x367cd507UL;
71 sha->h[2] = 0x3070dd17UL;
72 sha->h[3] = 0xf70e5939UL;
73 sha->h[4] = 0xffc00b31UL;
74 sha->h[5] = 0x68581511UL;
75 sha->h[6] = 0x64f98fa7UL;
76 sha->h[7] = 0xbefa4fa4UL;
77 sha->md_len = SHA224_DIGEST_LENGTH;
78 return 1;
79}
80
81int SHA256_Init(SHA256_CTX *sha) {
82 OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));
83 sha->h[0] = 0x6a09e667UL;
84 sha->h[1] = 0xbb67ae85UL;
85 sha->h[2] = 0x3c6ef372UL;
86 sha->h[3] = 0xa54ff53aUL;
87 sha->h[4] = 0x510e527fUL;
88 sha->h[5] = 0x9b05688cUL;
89 sha->h[6] = 0x1f83d9abUL;
90 sha->h[7] = 0x5be0cd19UL;
91 sha->md_len = SHA256_DIGEST_LENGTH;
92 return 1;
93}
94
95uint8_t *SHA224(const uint8_t *data, size_t len,
96 uint8_t out[SHA224_DIGEST_LENGTH]) {
97 SHA256_CTX ctx;
98 SHA224_Init(&ctx);
99 SHA224_Update(&ctx, data, len);
100 SHA224_Final(out, &ctx);
101 OPENSSL_cleanse(&ctx, sizeof(ctx));
102 return out;
103}
104
105uint8_t *SHA256(const uint8_t *data, size_t len,
106 uint8_t out[SHA256_DIGEST_LENGTH]) {
107 SHA256_CTX ctx;
108 SHA256_Init(&ctx);
109 SHA256_Update(&ctx, data, len);
110 SHA256_Final(out, &ctx);
111 OPENSSL_cleanse(&ctx, sizeof(ctx));
112 return out;
113}
114
115int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
116 return SHA256_Update(ctx, data, len);
117}
118
119int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
120 // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
121 // smaller output.
122 return SHA256_Final(out, ctx);
123}
124
125#define DATA_ORDER_IS_BIG_ENDIAN
126
127#define HASH_CTX SHA256_CTX
128#define HASH_CBLOCK 64
129#define HASH_DIGEST_LENGTH 32
130
131// Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
132// default: case below covers for it. It's not clear however if it's permitted
133// to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
134// then default: case shall be extended. For reference. Idea behind separate
135// cases for pre-defined lenghts is to let the compiler decide if it's
136// appropriate to unroll small loops.
137//
138// TODO(davidben): The small |md_len| case is one of the few places a low-level
139// hash 'final' function can fail. This should never happen.
140#define HASH_MAKE_STRING(c, s) \
141 do { \
142 uint32_t ll; \
143 unsigned int nn; \
144 switch ((c)->md_len) { \
145 case SHA224_DIGEST_LENGTH: \
146 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
147 ll = (c)->h[nn]; \
148 HOST_l2c(ll, (s)); \
149 } \
150 break; \
151 case SHA256_DIGEST_LENGTH: \
152 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
153 ll = (c)->h[nn]; \
154 HOST_l2c(ll, (s)); \
155 } \
156 break; \
157 default: \
158 if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
159 return 0; \
160 } \
161 for (nn = 0; nn < (c)->md_len / 4; nn++) { \
162 ll = (c)->h[nn]; \
163 HOST_l2c(ll, (s)); \
164 } \
165 break; \
166 } \
167 } while (0)
168
169
170#define HASH_UPDATE SHA256_Update
171#define HASH_TRANSFORM SHA256_Transform
172#define HASH_FINAL SHA256_Final
173#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
174#ifndef SHA256_ASM
175static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
176 size_t num);
177#endif
178
179#include "../digest/md32_common.h"
180
181#ifndef SHA256_ASM
182static const uint32_t K256[64] = {
183 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
184 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
185 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
186 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
187 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
188 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
189 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
190 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
191 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
192 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
193 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
194 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
195 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};
196
197#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
198
199// FIPS specification refers to right rotations, while our ROTATE macro
200// is left one. This is why you might notice that rotation coefficients
201// differ from those observed in FIPS document by 32-N...
202#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
203#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
204#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
205#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
206
207#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
208#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
209
210#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
211 do { \
212 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
213 h = Sigma0(a) + Maj(a, b, c); \
214 d += T1; \
215 h += T1; \
216 } while (0)
217
218#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
219 do { \
220 s0 = X[(i + 1) & 0x0f]; \
221 s0 = sigma0(s0); \
222 s1 = X[(i + 14) & 0x0f]; \
223 s1 = sigma1(s1); \
224 T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
225 ROUND_00_15(i, a, b, c, d, e, f, g, h); \
226 } while (0)
227
228static void sha256_block_data_order(uint32_t *state, const uint8_t *data,
229 size_t num) {
230 uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;
231 uint32_t X[16];
232 int i;
233
234 while (num--) {
235 a = state[0];
236 b = state[1];
237 c = state[2];
238 d = state[3];
239 e = state[4];
240 f = state[5];
241 g = state[6];
242 h = state[7];
243
244 uint32_t l;
245
246 HOST_c2l(data, l);
247 T1 = X[0] = l;
248 ROUND_00_15(0, a, b, c, d, e, f, g, h);
249 HOST_c2l(data, l);
250 T1 = X[1] = l;
251 ROUND_00_15(1, h, a, b, c, d, e, f, g);
252 HOST_c2l(data, l);
253 T1 = X[2] = l;
254 ROUND_00_15(2, g, h, a, b, c, d, e, f);
255 HOST_c2l(data, l);
256 T1 = X[3] = l;
257 ROUND_00_15(3, f, g, h, a, b, c, d, e);
258 HOST_c2l(data, l);
259 T1 = X[4] = l;
260 ROUND_00_15(4, e, f, g, h, a, b, c, d);
261 HOST_c2l(data, l);
262 T1 = X[5] = l;
263 ROUND_00_15(5, d, e, f, g, h, a, b, c);
264 HOST_c2l(data, l);
265 T1 = X[6] = l;
266 ROUND_00_15(6, c, d, e, f, g, h, a, b);
267 HOST_c2l(data, l);
268 T1 = X[7] = l;
269 ROUND_00_15(7, b, c, d, e, f, g, h, a);
270 HOST_c2l(data, l);
271 T1 = X[8] = l;
272 ROUND_00_15(8, a, b, c, d, e, f, g, h);
273 HOST_c2l(data, l);
274 T1 = X[9] = l;
275 ROUND_00_15(9, h, a, b, c, d, e, f, g);
276 HOST_c2l(data, l);
277 T1 = X[10] = l;
278 ROUND_00_15(10, g, h, a, b, c, d, e, f);
279 HOST_c2l(data, l);
280 T1 = X[11] = l;
281 ROUND_00_15(11, f, g, h, a, b, c, d, e);
282 HOST_c2l(data, l);
283 T1 = X[12] = l;
284 ROUND_00_15(12, e, f, g, h, a, b, c, d);
285 HOST_c2l(data, l);
286 T1 = X[13] = l;
287 ROUND_00_15(13, d, e, f, g, h, a, b, c);
288 HOST_c2l(data, l);
289 T1 = X[14] = l;
290 ROUND_00_15(14, c, d, e, f, g, h, a, b);
291 HOST_c2l(data, l);
292 T1 = X[15] = l;
293 ROUND_00_15(15, b, c, d, e, f, g, h, a);
294
295 for (i = 16; i < 64; i += 8) {
296 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
297 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
298 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
299 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
300 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
301 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
302 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
303 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
304 }
305
306 state[0] += a;
307 state[1] += b;
308 state[2] += c;
309 state[3] += d;
310 state[4] += e;
311 state[5] += f;
312 state[6] += g;
313 state[7] += h;
314 }
315}
316
317#endif // !SHA256_ASM
318
319void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,
320 size_t num_blocks) {
321 sha256_block_data_order(state, data, num_blocks);
322}
323
324#undef DATA_ORDER_IS_BIG_ENDIAN
325#undef HASH_CTX
326#undef HASH_CBLOCK
327#undef HASH_DIGEST_LENGTH
328#undef HASH_MAKE_STRING
329#undef HASH_UPDATE
330#undef HASH_TRANSFORM
331#undef HASH_FINAL
332#undef HASH_BLOCK_DATA_ORDER
333#undef ROTATE
334#undef Sigma0
335#undef Sigma1
336#undef sigma0
337#undef sigma1
338#undef Ch
339#undef Maj
340#undef ROUND_00_15
341#undef ROUND_16_63
342#undef HOST_c2l
343#undef HOST_l2c
344