/*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA-1 core: context initialisation plus the 64-byte block compression
 * function, in a fully unrolled variant and an OPENSSL_SMALL_FOOTPRINT
 * variant.
 *
 * Security note: SHA-1 is no longer collision resistant. Keep it to legacy
 * interoperability and prefer SHA-2/SHA-3 wherever an adversary can
 * influence the data being hashed (signatures, certificates, content
 * addressing).
 */

#include <stdlib.h>
#include <string.h>

#include <openssl/opensslconf.h>
#include <openssl/sha.h>
#include "internal/endian.h"

/* SHA-1 serialises its 32-bit words most significant byte first. */
#define DATA_ORDER_IS_BIG_ENDIAN

/*
 * Parameters for the generic template in crypto/md32_common.h, which is
 * included further down. That header is not shown here; presumably it
 * expands HASH_UPDATE, HASH_TRANSFORM and HASH_FINAL from these names and
 * also supplies ROTATE, HOST_c2l and HOST_l2c - confirm against the header.
 */
#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA_CTX
#define HASH_CBLOCK             SHA_CBLOCK
/*
 * Write the five chaining words h0..h4, in that order, to the output
 * pointer s through HOST_l2c. HOST_l2c is expected to store each word and
 * advance s (NOTE(review): defined in md32_common.h - confirm).
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        ll=(c)->h0; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h1; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h2; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h3; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h4; (void)HOST_l2c(ll,(s));     \
        } while (0)

#define HASH_UPDATE                     SHA1_Update
#define HASH_TRANSFORM                  SHA1_Transform
#define HASH_FINAL                      SHA1_Final
#define HASH_INIT                       SHA1_Init
#define HASH_BLOCK_DATA_ORDER           sha1_block_data_order
/*
 * Message schedule step: XOR the four schedule words ia, ib, ic and id,
 * rotate the result left by one bit, and leave it in both a and ix.
 * The arguments ia..id are not parenthesised inside the macro, so call
 * sites must pass simple lvalues/expressions (as every use below does).
 */
#define Xupdate(a,ix,ia,ib,ic,id)       ( (a)=(ia^ib^ic^id),    \
                                          ix=(a)=ROTATE((a),1)  \
                                        )

/*
 * The block function has internal linkage when the C implementation below
 * is compiled, and external linkage when SHA1_ASM is defined and the
 * definition comes from elsewhere.
 */
#ifndef SHA1_ASM
static void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
#else
void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
#endif

#include "crypto/md32_common.h"

/* Initial chaining values loaded into h0..h4 by HASH_INIT. */
#define INIT_DATA_h0 0x67452301UL
#define INIT_DATA_h1 0xefcdab89UL
#define INIT_DATA_h2 0x98badcfeUL
#define INIT_DATA_h3 0x10325476UL
#define INIT_DATA_h4 0xc3d2e1f0UL

/*
 * Reset a SHA-1 context (this is SHA1_Init via the HASH_INIT define).
 *
 * The whole structure is zeroed first, so any previously buffered input or
 * length counters are discarded, then the five initial chaining values are
 * loaded. Always returns 1.
 *
 * c is dereferenced without a NULL check; the caller must pass a valid,
 * writable SHA_CTX.
 */
int HASH_INIT(SHA_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h0 = INIT_DATA_h0;
    c->h1 = INIT_DATA_h1;
    c->h2 = INIT_DATA_h2;
    c->h3 = INIT_DATA_h3;
    c->h4 = INIT_DATA_h4;
    return 1;
}

/* Additive round constants, one per group of twenty rounds. */
#define K_00_19 0x5a827999UL
#define K_20_39 0x6ed9eba1UL
#define K_40_59 0x8f1bbcdcUL
#define K_60_79 0xca62c1d6UL

/*
 * As pointed out by Wei Dai, F() below can be simplified to the code in
 * F_00_19.  Wei attributes these optimizations to Peter Gutmann's SHS code,
 * and he attributes it to Rich Schroeppel.
 *      #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
 * I've just become aware of another tweak to be made, again from Wei Dai,
 * in F_40_59, (x&a)|(y&a) -> (x|y)&a
 *
 * In other words: F_00_19 selects c or d bit by bit under control of b,
 * F_20_39 and F_60_79 are the three-way XOR (parity), and F_40_59 is the
 * bitwise majority of b, c and d.
 */
#define F_00_19(b,c,d)  ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b,c,d)  ((b) ^ (c) ^ (d))
#define F_40_59(b,c,d)  (((b) & (c)) | (((b)|(c)) & (d)))
#define F_60_79(b,c,d)  F_20_39(b,c,d)

#ifndef OPENSSL_SMALL_FOOTPRINT

/*
 * Unrolled round macros. Each one computes a single round: the new value
 * is written to f and b is rotated left by 30 in place. Nothing is moved
 * between the working variables; instead every call site below passes
 * A, B, C, D, E and T in a permuted order, so the roles rotate by naming.
 * The leading argument i is the round number and is not used by the macro
 * bodies; it only labels the call site.
 *
 * BODY_00_15 takes the message word xi as already loaded. The later
 * macros first run Xupdate to derive the next schedule word and store it
 * back into the 16-word schedule. BODY_60_79 assigns f from the freshly
 * updated xa rather than accumulating into f.
 */
# define BODY_00_15(i,a,b,c,d,e,f,xi) \
        (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
        Xupdate(f,xi,xa,xb,xc,xd); \
        (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
        Xupdate(f,xi,xa,xb,xc,xd); \
        (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
        (b)=ROTATE((b),30);

# ifdef X
#  undef X
# endif
# ifndef MD32_XARRAY
  /*
   * Originally X was an array. As it's automatic it's natural
   * to expect RISC compiler to accommodate at least part of it in
   * the register bank, isn't it? Unfortunately not all compilers
   * "find" this expectation reasonable:-( In order to make such
   * compilers generate better code I replace X[] with a bunch of
   * X0, X1, etc. See the function body below...
   */
#  define X(i)   XX##i
# else
  /*
   * However! Some compilers (most notably HP C) get overwhelmed by
   * that many local variables so that we have to have the way to
   * fall down to the original behavior.
   */
#  define X(i)   XX[i]
# endif

# if !defined(SHA1_ASM)
/*
 * SHA-1 compression function, fully unrolled (sha1_block_data_order via
 * the HASH_BLOCK_DATA_ORDER define).
 *
 * c    context whose chaining values h0..h4 are read and updated in place
 * p    input; one SHA_CBLOCK-sized block is consumed per iteration
 * num  number of blocks to process
 *
 * Caller contract:
 *  - num must be at least 1. The loop is exited by "if (--num == 0)" at
 *    the bottom, so num == 0 would wrap the size_t counter and keep reading
 *    far past the end of the input.
 *  - p must reference at least num full blocks; no length is checked here.
 *
 * NOTE(review): the schedule words (XX0..XX15 or XX[16]) and the working
 * variables are derived from the input and are not cleared before return.
 * If the hashed data is secret (for example keyed use), decide whether
 * that stack residue matters for the threat model.
 */
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
    const unsigned char *data = p;
    register unsigned MD32_REG_T A, B, C, D, E, T, l;
#  ifndef MD32_XARRAY
    unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
        XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15;
#  else
    SHA_LONG XX[16];
#  endif

    /* Load the current chaining value into the working variables. */
    A = c->h0;
    B = c->h1;
    C = c->h2;
    D = c->h3;
    E = c->h4;

    /* One iteration per input block. */
    for (;;) {
        DECLARE_IS_ENDIAN;

        /*
         * Fast path: on a host that is not little-endian, with a 4-byte
         * SHA_LONG and 4-byte aligned input, the message words are read
         * directly through a SHA_LONG pointer with no byte swapping.
         * The alignment test looks at p, not data; data only moves in
         * SHA_CBLOCK steps (presumably a multiple of 4 - confirm), so the
         * result holds for every block.
         */
        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)p % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            /* Each word is loaded one step ahead of the round using it. */
            X(0) = W[0];
            X(1) = W[1];
            BODY_00_15(0, A, B, C, D, E, T, X(0));
            X(2) = W[2];
            BODY_00_15(1, T, A, B, C, D, E, X(1));
            X(3) = W[3];
            BODY_00_15(2, E, T, A, B, C, D, X(2));
            X(4) = W[4];
            BODY_00_15(3, D, E, T, A, B, C, X(3));
            X(5) = W[5];
            BODY_00_15(4, C, D, E, T, A, B, X(4));
            X(6) = W[6];
            BODY_00_15(5, B, C, D, E, T, A, X(5));
            X(7) = W[7];
            BODY_00_15(6, A, B, C, D, E, T, X(6));
            X(8) = W[8];
            BODY_00_15(7, T, A, B, C, D, E, X(7));
            X(9) = W[9];
            BODY_00_15(8, E, T, A, B, C, D, X(8));
            X(10) = W[10];
            BODY_00_15(9, D, E, T, A, B, C, X(9));
            X(11) = W[11];
            BODY_00_15(10, C, D, E, T, A, B, X(10));
            X(12) = W[12];
            BODY_00_15(11, B, C, D, E, T, A, X(11));
            X(13) = W[13];
            BODY_00_15(12, A, B, C, D, E, T, X(12));
            X(14) = W[14];
            BODY_00_15(13, T, A, B, C, D, E, X(13));
            X(15) = W[15];
            BODY_00_15(14, E, T, A, B, C, D, X(14));
            BODY_00_15(15, D, E, T, A, B, C, X(15));

            data += SHA_CBLOCK;
        } else {
            /*
             * Portable path: assemble each word from bytes via HOST_c2l.
             * There is no explicit "data +=" in this branch, so HOST_c2l
             * is expected to advance data itself (defined in
             * md32_common.h, not shown - confirm).
             */
            (void)HOST_c2l(data, l);
            X(0) = l;
            (void)HOST_c2l(data, l);
            X(1) = l;
            BODY_00_15(0, A, B, C, D, E, T, X(0));
            (void)HOST_c2l(data, l);
            X(2) = l;
            BODY_00_15(1, T, A, B, C, D, E, X(1));
            (void)HOST_c2l(data, l);
            X(3) = l;
            BODY_00_15(2, E, T, A, B, C, D, X(2));
            (void)HOST_c2l(data, l);
            X(4) = l;
            BODY_00_15(3, D, E, T, A, B, C, X(3));
            (void)HOST_c2l(data, l);
            X(5) = l;
            BODY_00_15(4, C, D, E, T, A, B, X(4));
            (void)HOST_c2l(data, l);
            X(6) = l;
            BODY_00_15(5, B, C, D, E, T, A, X(5));
            (void)HOST_c2l(data, l);
            X(7) = l;
            BODY_00_15(6, A, B, C, D, E, T, X(6));
            (void)HOST_c2l(data, l);
            X(8) = l;
            BODY_00_15(7, T, A, B, C, D, E, X(7));
            (void)HOST_c2l(data, l);
            X(9) = l;
            BODY_00_15(8, E, T, A, B, C, D, X(8));
            (void)HOST_c2l(data, l);
            X(10) = l;
            BODY_00_15(9, D, E, T, A, B, C, X(9));
            (void)HOST_c2l(data, l);
            X(11) = l;
            BODY_00_15(10, C, D, E, T, A, B, X(10));
            (void)HOST_c2l(data, l);
            X(12) = l;
            BODY_00_15(11, B, C, D, E, T, A, X(11));
            (void)HOST_c2l(data, l);
            X(13) = l;
            BODY_00_15(12, A, B, C, D, E, T, X(12));
            (void)HOST_c2l(data, l);
            X(14) = l;
            BODY_00_15(13, T, A, B, C, D, E, X(13));
            (void)HOST_c2l(data, l);
            X(15) = l;
            BODY_00_15(14, E, T, A, B, C, D, X(14));
            BODY_00_15(15, D, E, T, A, B, C, X(15));
        }

        /*
         * Rounds 16..79. The sixteen X() slots are reused as a circular
         * schedule: each round overwrites the slot it just consumed.
         */
        BODY_16_19(16, C, D, E, T, A, B, X(0), X(0), X(2), X(8), X(13));
        BODY_16_19(17, B, C, D, E, T, A, X(1), X(1), X(3), X(9), X(14));
        BODY_16_19(18, A, B, C, D, E, T, X(2), X(2), X(4), X(10), X(15));
        BODY_16_19(19, T, A, B, C, D, E, X(3), X(3), X(5), X(11), X(0));

        BODY_20_31(20, E, T, A, B, C, D, X(4), X(4), X(6), X(12), X(1));
        BODY_20_31(21, D, E, T, A, B, C, X(5), X(5), X(7), X(13), X(2));
        BODY_20_31(22, C, D, E, T, A, B, X(6), X(6), X(8), X(14), X(3));
        BODY_20_31(23, B, C, D, E, T, A, X(7), X(7), X(9), X(15), X(4));
        BODY_20_31(24, A, B, C, D, E, T, X(8), X(8), X(10), X(0), X(5));
        BODY_20_31(25, T, A, B, C, D, E, X(9), X(9), X(11), X(1), X(6));
        BODY_20_31(26, E, T, A, B, C, D, X(10), X(10), X(12), X(2), X(7));
        BODY_20_31(27, D, E, T, A, B, C, X(11), X(11), X(13), X(3), X(8));
        BODY_20_31(28, C, D, E, T, A, B, X(12), X(12), X(14), X(4), X(9));
        BODY_20_31(29, B, C, D, E, T, A, X(13), X(13), X(15), X(5), X(10));
        BODY_20_31(30, A, B, C, D, E, T, X(14), X(14), X(0), X(6), X(11));
        BODY_20_31(31, T, A, B, C, D, E, X(15), X(15), X(1), X(7), X(12));

        BODY_32_39(32, E, T, A, B, C, D, X(0), X(2), X(8), X(13));
        BODY_32_39(33, D, E, T, A, B, C, X(1), X(3), X(9), X(14));
        BODY_32_39(34, C, D, E, T, A, B, X(2), X(4), X(10), X(15));
        BODY_32_39(35, B, C, D, E, T, A, X(3), X(5), X(11), X(0));
        BODY_32_39(36, A, B, C, D, E, T, X(4), X(6), X(12), X(1));
        BODY_32_39(37, T, A, B, C, D, E, X(5), X(7), X(13), X(2));
        BODY_32_39(38, E, T, A, B, C, D, X(6), X(8), X(14), X(3));
        BODY_32_39(39, D, E, T, A, B, C, X(7), X(9), X(15), X(4));

        BODY_40_59(40, C, D, E, T, A, B, X(8), X(10), X(0), X(5));
        BODY_40_59(41, B, C, D, E, T, A, X(9), X(11), X(1), X(6));
        BODY_40_59(42, A, B, C, D, E, T, X(10), X(12), X(2), X(7));
        BODY_40_59(43, T, A, B, C, D, E, X(11), X(13), X(3), X(8));
        BODY_40_59(44, E, T, A, B, C, D, X(12), X(14), X(4), X(9));
        BODY_40_59(45, D, E, T, A, B, C, X(13), X(15), X(5), X(10));
        BODY_40_59(46, C, D, E, T, A, B, X(14), X(0), X(6), X(11));
        BODY_40_59(47, B, C, D, E, T, A, X(15), X(1), X(7), X(12));
        BODY_40_59(48, A, B, C, D, E, T, X(0), X(2), X(8), X(13));
        BODY_40_59(49, T, A, B, C, D, E, X(1), X(3), X(9), X(14));
        BODY_40_59(50, E, T, A, B, C, D, X(2), X(4), X(10), X(15));
        BODY_40_59(51, D, E, T, A, B, C, X(3), X(5), X(11), X(0));
        BODY_40_59(52, C, D, E, T, A, B, X(4), X(6), X(12), X(1));
        BODY_40_59(53, B, C, D, E, T, A, X(5), X(7), X(13), X(2));
        BODY_40_59(54, A, B, C, D, E, T, X(6), X(8), X(14), X(3));
        BODY_40_59(55, T, A, B, C, D, E, X(7), X(9), X(15), X(4));
        BODY_40_59(56, E, T, A, B, C, D, X(8), X(10), X(0), X(5));
        BODY_40_59(57, D, E, T, A, B, C, X(9), X(11), X(1), X(6));
        BODY_40_59(58, C, D, E, T, A, B, X(10), X(12), X(2), X(7));
        BODY_40_59(59, B, C, D, E, T, A, X(11), X(13), X(3), X(8));

        BODY_60_79(60, A, B, C, D, E, T, X(12), X(14), X(4), X(9));
        BODY_60_79(61, T, A, B, C, D, E, X(13), X(15), X(5), X(10));
        BODY_60_79(62, E, T, A, B, C, D, X(14), X(0), X(6), X(11));
        BODY_60_79(63, D, E, T, A, B, C, X(15), X(1), X(7), X(12));
        BODY_60_79(64, C, D, E, T, A, B, X(0), X(2), X(8), X(13));
        BODY_60_79(65, B, C, D, E, T, A, X(1), X(3), X(9), X(14));
        BODY_60_79(66, A, B, C, D, E, T, X(2), X(4), X(10), X(15));
        BODY_60_79(67, T, A, B, C, D, E, X(3), X(5), X(11), X(0));
        BODY_60_79(68, E, T, A, B, C, D, X(4), X(6), X(12), X(1));
        BODY_60_79(69, D, E, T, A, B, C, X(5), X(7), X(13), X(2));
        BODY_60_79(70, C, D, E, T, A, B, X(6), X(8), X(14), X(3));
        BODY_60_79(71, B, C, D, E, T, A, X(7), X(9), X(15), X(4));
        BODY_60_79(72, A, B, C, D, E, T, X(8), X(10), X(0), X(5));
        BODY_60_79(73, T, A, B, C, D, E, X(9), X(11), X(1), X(6));
        BODY_60_79(74, E, T, A, B, C, D, X(10), X(12), X(2), X(7));
        BODY_60_79(75, D, E, T, A, B, C, X(11), X(13), X(3), X(8));
        BODY_60_79(76, C, D, E, T, A, B, X(12), X(14), X(4), X(9));
        BODY_60_79(77, B, C, D, E, T, A, X(13), X(15), X(5), X(10));
        BODY_60_79(78, A, B, C, D, E, T, X(14), X(0), X(6), X(11));
        BODY_60_79(79, T, A, B, C, D, E, X(15), X(1), X(7), X(12));

        /*
         * Feed-forward. Because the roles were rotated by naming, the five
         * state words now sit in E, T, A, B, C (in that order). The mask
         * keeps each chaining value to 32 bits in case the working type is
         * wider.
         */
        c->h0 = (c->h0 + E) & 0xffffffffL;
        c->h1 = (c->h1 + T) & 0xffffffffL;
        c->h2 = (c->h2 + A) & 0xffffffffL;
        c->h3 = (c->h3 + B) & 0xffffffffL;
        c->h4 = (c->h4 + C) & 0xffffffffL;

        /* Post-test exit: this is why num must be >= 1 on entry. */
        if (--num == 0)
            break;

        /* Reload the working variables for the next block. */
        A = c->h0;
        B = c->h1;
        C = c->h2;
        D = c->h3;
        E = c->h4;

    }
}
# endif

#else                           /* OPENSSL_SMALL_FOOTPRINT */

/*
 * Compact round macros. Unlike the unrolled variant these use the fixed
 * local names A, B, C, D, E and T of the enclosing function and really
 * shift the values down one position on every round, so they can be
 * driven from loops. BODY_00_15 adds the message word xi directly; the
 * others first derive the next schedule word with Xupdate, which stores it
 * back into xa.
 */
# define BODY_00_15(xi)           do {   \
        T=E+K_00_19+F_00_19(B,C,D);     \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T+xi;         } while(0)

# define BODY_16_19(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_00_19+F_00_19(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_20_39(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_20_39+F_20_39(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_40_59(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_40_59+F_40_59(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_60_79(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T=E+K_60_79+F_60_79(B,C,D);     \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T+xa;         } while(0)

# if !defined(SHA1_ASM)
/*
 * SHA-1 compression function, compact variant selected by
 * OPENSSL_SMALL_FOOTPRINT (sha1_block_data_order via the
 * HASH_BLOCK_DATA_ORDER define).
 *
 * c    context whose chaining values h0..h4 are read and updated in place
 * p    input; sixteen words are consumed per iteration through HOST_c2l
 * num  number of blocks to process
 *
 * Caller contract is the same as for the unrolled variant: num must be at
 * least 1 (the loop only tests "--num == 0" after a block has been
 * processed, so 0 would wrap the size_t counter), and p must reference
 * num full blocks because no length is checked here.
 *
 * NOTE(review): X[] holds input-derived schedule words and is not cleared
 * before return; consider whether that matters when the input is secret.
 */
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
    const unsigned char *data = p;
    register unsigned MD32_REG_T A, B, C, D, E, T, l;
    int i;
    SHA_LONG X[16];

    /* Load the current chaining value into the working variables. */
    A = c->h0;
    B = c->h1;
    C = c->h2;
    D = c->h3;
    E = c->h4;

    /* One iteration per input block. */
    for (;;) {
        /*
         * Rounds 0..15: read sixteen message words. HOST_c2l is expected
         * to advance data as it reads (md32_common.h, not shown - confirm).
         */
        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            X[i] = l;
            BODY_00_15(X[i]);
        }
        /* Rounds 16..19; only the last index needs wrapping here. */
        for (i = 0; i < 4; i++) {
            BODY_16_19(X[i], X[i + 2], X[i + 8], X[(i + 13) & 15]);
        }
        /* Rounds 20..39: i continues from 4 up to 23 (twenty rounds). */
        for (; i < 24; i++) {
            BODY_20_39(X[i & 15], X[(i + 2) & 15], X[(i + 8) & 15],
                       X[(i + 13) & 15]);
        }
        /* Rounds 40..59; "& 15" treats X[] as a 16-word circular buffer. */
        for (i = 0; i < 20; i++) {
            BODY_40_59(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
                       X[(i + 5) & 15]);
        }
        /* Rounds 60..79: i runs 4..23 so the indices continue in phase. */
        for (i = 4; i < 24; i++) {
            BODY_60_79(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
                       X[(i + 5) & 15]);
        }

        /*
         * Feed-forward. The macros shift values, so A..E are in natural
         * order here. The mask keeps each chaining value to 32 bits in
         * case the working type is wider.
         */
        c->h0 = (c->h0 + A) & 0xffffffffL;
        c->h1 = (c->h1 + B) & 0xffffffffL;
        c->h2 = (c->h2 + C) & 0xffffffffL;
        c->h3 = (c->h3 + D) & 0xffffffffL;
        c->h4 = (c->h4 + E) & 0xffffffffL;

        /* Post-test exit: this is why num must be >= 1 on entry. */
        if (--num == 0)
            break;

        /* Reload the working variables for the next block. */
        A = c->h0;
        B = c->h1;
        C = c->h2;
        D = c->h3;
        E = c->h4;

    }
}
# endif

#endif