1 /*
2 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * SHA256 low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14 #include "internal/deprecated.h"
15
16 #include <openssl/opensslconf.h>
17
18 #include <stdlib.h>
19 #include <string.h>
20
21 #include <openssl/crypto.h>
22 #include <openssl/sha.h>
23 #include <openssl/opensslv.h>
24 #include "internal/endian.h"
25
SHA224_Init(SHA256_CTX * c)26 int SHA224_Init(SHA256_CTX *c)
27 {
28 memset(c, 0, sizeof(*c));
29 c->h[0] = 0xc1059ed8UL;
30 c->h[1] = 0x367cd507UL;
31 c->h[2] = 0x3070dd17UL;
32 c->h[3] = 0xf70e5939UL;
33 c->h[4] = 0xffc00b31UL;
34 c->h[5] = 0x68581511UL;
35 c->h[6] = 0x64f98fa7UL;
36 c->h[7] = 0xbefa4fa4UL;
37 c->md_len = SHA224_DIGEST_LENGTH;
38 return 1;
39 }
40
SHA256_Init(SHA256_CTX * c)41 int SHA256_Init(SHA256_CTX *c)
42 {
43 memset(c, 0, sizeof(*c));
44 c->h[0] = 0x6a09e667UL;
45 c->h[1] = 0xbb67ae85UL;
46 c->h[2] = 0x3c6ef372UL;
47 c->h[3] = 0xa54ff53aUL;
48 c->h[4] = 0x510e527fUL;
49 c->h[5] = 0x9b05688cUL;
50 c->h[6] = 0x1f83d9abUL;
51 c->h[7] = 0x5be0cd19UL;
52 c->md_len = SHA256_DIGEST_LENGTH;
53 return 1;
54 }
55
SHA224_Update(SHA256_CTX * c,const void * data,size_t len)56 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
57 {
58 return SHA256_Update(c, data, len);
59 }
60
SHA224_Final(unsigned char * md,SHA256_CTX * c)61 int SHA224_Final(unsigned char *md, SHA256_CTX *c)
62 {
63 return SHA256_Final(md, c);
64 }
65
66 #define DATA_ORDER_IS_BIG_ENDIAN
67
68 #define HASH_LONG SHA_LONG
69 #define HASH_CTX SHA256_CTX
70 #define HASH_CBLOCK SHA_CBLOCK
71
72 /*
73 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
74 * default: case below covers for it. It's not clear however if it's
75 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
76 * but if it is, then default: case shall be extended. For reference.
77 * Idea behind separate cases for pre-defined lengths is to let the
78 * compiler decide if it's appropriate to unroll small loops.
79 */
80 #define HASH_MAKE_STRING(c,s) do { \
81 unsigned long ll; \
82 unsigned int nn; \
83 switch ((c)->md_len) \
84 { case SHA224_DIGEST_LENGTH: \
85 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
86 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
87 break; \
88 case SHA256_DIGEST_LENGTH: \
89 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
90 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
91 break; \
92 default: \
93 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
94 return 0; \
95 for (nn=0;nn<(c)->md_len/4;nn++) \
96 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
97 break; \
98 } \
99 } while (0)
100
101 #define HASH_UPDATE SHA256_Update
102 #define HASH_TRANSFORM SHA256_Transform
103 #define HASH_FINAL SHA256_Final
104 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
105 #ifndef SHA256_ASM
106 static
107 #endif
108 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
109
110 #include "crypto/md32_common.h"
111
112 #ifndef SHA256_ASM
113 static const SHA_LONG K256[64] = {
114 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
115 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
116 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
117 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
118 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
119 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
120 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
121 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
122 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
123 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
124 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
125 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
126 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
127 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
128 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
129 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
130 };
131
132 # ifndef PEDANTIC
133 # if defined(__GNUC__) && __GNUC__>=2 && \
134 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
135 # if __riscv_zknh
136 # define Sigma0(x) ({ MD32_REG_T ret; \
137 asm ("sha256sum0 %0, %1" \
138 : "=r"(ret) \
139 : "r"(x)); ret; })
140 # define Sigma1(x) ({ MD32_REG_T ret; \
141 asm ("sha256sum1 %0, %1" \
142 : "=r"(ret) \
143 : "r"(x)); ret; })
144 # define sigma0(x) ({ MD32_REG_T ret; \
145 asm ("sha256sig0 %0, %1" \
146 : "=r"(ret) \
147 : "r"(x)); ret; })
148 # define sigma1(x) ({ MD32_REG_T ret; \
149 asm ("sha256sig1 %0, %1" \
150 : "=r"(ret) \
151 : "r"(x)); ret; })
152 # endif
153 # if __riscv_zbt || __riscv_zpn
154 # define Ch(x,y,z) ({ MD32_REG_T ret; \
155 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
156 : "=r"(ret) \
157 : "r"(x), "r"(y), "r"(z)); ret; })
158 # define Maj(x,y,z) ({ MD32_REG_T ret; \
159 asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
160 : "=r"(ret) \
161 : "r"(x^z), "r"(y), "r"(x)); ret; })
162 # endif
163 # endif
164 # endif
165
166 /*
167 * FIPS specification refers to right rotations, while our ROTATE macro
168 * is left one. This is why you might notice that rotation coefficients
169 * differ from those observed in FIPS document by 32-N...
170 */
171 # ifndef Sigma0
172 # define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
173 # endif
174 # ifndef Sigma1
175 # define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
176 # endif
177 # ifndef sigma0
178 # define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
179 # endif
180 # ifndef sigma1
181 # define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
182 # endif
183 # ifndef Ch
184 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
185 # endif
186 # ifndef Maj
187 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
188 # endif
189
190 # ifdef OPENSSL_SMALL_FOOTPRINT
191
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)192 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
193 size_t num)
194 {
195 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
196 SHA_LONG X[16], l;
197 int i;
198 const unsigned char *data = in;
199
200 while (num--) {
201
202 a = ctx->h[0];
203 b = ctx->h[1];
204 c = ctx->h[2];
205 d = ctx->h[3];
206 e = ctx->h[4];
207 f = ctx->h[5];
208 g = ctx->h[6];
209 h = ctx->h[7];
210
211 for (i = 0; i < 16; i++) {
212 (void)HOST_c2l(data, l);
213 T1 = X[i] = l;
214 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
215 T2 = Sigma0(a) + Maj(a, b, c);
216 h = g;
217 g = f;
218 f = e;
219 e = d + T1;
220 d = c;
221 c = b;
222 b = a;
223 a = T1 + T2;
224 }
225
226 for (; i < 64; i++) {
227 s0 = X[(i + 1) & 0x0f];
228 s0 = sigma0(s0);
229 s1 = X[(i + 14) & 0x0f];
230 s1 = sigma1(s1);
231
232 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
233 T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
234 T2 = Sigma0(a) + Maj(a, b, c);
235 h = g;
236 g = f;
237 f = e;
238 e = d + T1;
239 d = c;
240 c = b;
241 b = a;
242 a = T1 + T2;
243 }
244
245 ctx->h[0] += a;
246 ctx->h[1] += b;
247 ctx->h[2] += c;
248 ctx->h[3] += d;
249 ctx->h[4] += e;
250 ctx->h[5] += f;
251 ctx->h[6] += g;
252 ctx->h[7] += h;
253
254 }
255 }
256
257 # else
258
259 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
260 T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
261 h = Sigma0(a) + Maj(a,b,c); \
262 d += T1; h += T1; } while (0)
263
264 # define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
265 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
266 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
267 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
268 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
269
sha256_block_data_order(SHA256_CTX * ctx,const void * in,size_t num)270 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
271 size_t num)
272 {
273 unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
274 SHA_LONG X[16];
275 int i;
276 const unsigned char *data = in;
277 DECLARE_IS_ENDIAN;
278
279 while (num--) {
280
281 a = ctx->h[0];
282 b = ctx->h[1];
283 c = ctx->h[2];
284 d = ctx->h[3];
285 e = ctx->h[4];
286 f = ctx->h[5];
287 g = ctx->h[6];
288 h = ctx->h[7];
289
290 if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
291 && ((size_t)in % 4) == 0) {
292 const SHA_LONG *W = (const SHA_LONG *)data;
293
294 T1 = X[0] = W[0];
295 ROUND_00_15(0, a, b, c, d, e, f, g, h);
296 T1 = X[1] = W[1];
297 ROUND_00_15(1, h, a, b, c, d, e, f, g);
298 T1 = X[2] = W[2];
299 ROUND_00_15(2, g, h, a, b, c, d, e, f);
300 T1 = X[3] = W[3];
301 ROUND_00_15(3, f, g, h, a, b, c, d, e);
302 T1 = X[4] = W[4];
303 ROUND_00_15(4, e, f, g, h, a, b, c, d);
304 T1 = X[5] = W[5];
305 ROUND_00_15(5, d, e, f, g, h, a, b, c);
306 T1 = X[6] = W[6];
307 ROUND_00_15(6, c, d, e, f, g, h, a, b);
308 T1 = X[7] = W[7];
309 ROUND_00_15(7, b, c, d, e, f, g, h, a);
310 T1 = X[8] = W[8];
311 ROUND_00_15(8, a, b, c, d, e, f, g, h);
312 T1 = X[9] = W[9];
313 ROUND_00_15(9, h, a, b, c, d, e, f, g);
314 T1 = X[10] = W[10];
315 ROUND_00_15(10, g, h, a, b, c, d, e, f);
316 T1 = X[11] = W[11];
317 ROUND_00_15(11, f, g, h, a, b, c, d, e);
318 T1 = X[12] = W[12];
319 ROUND_00_15(12, e, f, g, h, a, b, c, d);
320 T1 = X[13] = W[13];
321 ROUND_00_15(13, d, e, f, g, h, a, b, c);
322 T1 = X[14] = W[14];
323 ROUND_00_15(14, c, d, e, f, g, h, a, b);
324 T1 = X[15] = W[15];
325 ROUND_00_15(15, b, c, d, e, f, g, h, a);
326
327 data += SHA256_CBLOCK;
328 } else {
329 SHA_LONG l;
330
331 (void)HOST_c2l(data, l);
332 T1 = X[0] = l;
333 ROUND_00_15(0, a, b, c, d, e, f, g, h);
334 (void)HOST_c2l(data, l);
335 T1 = X[1] = l;
336 ROUND_00_15(1, h, a, b, c, d, e, f, g);
337 (void)HOST_c2l(data, l);
338 T1 = X[2] = l;
339 ROUND_00_15(2, g, h, a, b, c, d, e, f);
340 (void)HOST_c2l(data, l);
341 T1 = X[3] = l;
342 ROUND_00_15(3, f, g, h, a, b, c, d, e);
343 (void)HOST_c2l(data, l);
344 T1 = X[4] = l;
345 ROUND_00_15(4, e, f, g, h, a, b, c, d);
346 (void)HOST_c2l(data, l);
347 T1 = X[5] = l;
348 ROUND_00_15(5, d, e, f, g, h, a, b, c);
349 (void)HOST_c2l(data, l);
350 T1 = X[6] = l;
351 ROUND_00_15(6, c, d, e, f, g, h, a, b);
352 (void)HOST_c2l(data, l);
353 T1 = X[7] = l;
354 ROUND_00_15(7, b, c, d, e, f, g, h, a);
355 (void)HOST_c2l(data, l);
356 T1 = X[8] = l;
357 ROUND_00_15(8, a, b, c, d, e, f, g, h);
358 (void)HOST_c2l(data, l);
359 T1 = X[9] = l;
360 ROUND_00_15(9, h, a, b, c, d, e, f, g);
361 (void)HOST_c2l(data, l);
362 T1 = X[10] = l;
363 ROUND_00_15(10, g, h, a, b, c, d, e, f);
364 (void)HOST_c2l(data, l);
365 T1 = X[11] = l;
366 ROUND_00_15(11, f, g, h, a, b, c, d, e);
367 (void)HOST_c2l(data, l);
368 T1 = X[12] = l;
369 ROUND_00_15(12, e, f, g, h, a, b, c, d);
370 (void)HOST_c2l(data, l);
371 T1 = X[13] = l;
372 ROUND_00_15(13, d, e, f, g, h, a, b, c);
373 (void)HOST_c2l(data, l);
374 T1 = X[14] = l;
375 ROUND_00_15(14, c, d, e, f, g, h, a, b);
376 (void)HOST_c2l(data, l);
377 T1 = X[15] = l;
378 ROUND_00_15(15, b, c, d, e, f, g, h, a);
379 }
380
381 for (i = 16; i < 64; i += 8) {
382 ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
383 ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
384 ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
385 ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
386 ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
387 ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
388 ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
389 ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
390 }
391
392 ctx->h[0] += a;
393 ctx->h[1] += b;
394 ctx->h[2] += c;
395 ctx->h[3] += d;
396 ctx->h[4] += e;
397 ctx->h[5] += f;
398 ctx->h[6] += g;
399 ctx->h[7] += h;
400
401 }
402 }
403
404 # endif
405 #endif /* SHA256_ASM */
406