/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA-1 initialisation and block compression function.
 *
 * This file defines the HASH_* macros and then includes
 * "crypto/md32_common.h". That header is not shown here; it presumably
 * provides HASH_UPDATE/HASH_TRANSFORM/HASH_FINAL (mapped below to
 * SHA1_Update/SHA1_Transform/SHA1_Final) together with the helpers used in
 * this file but not defined in it: ROTATE, HOST_c2l, HOST_l2c and
 * MD32_REG_T.
 *
 * NOTE(review): SHA-1 is no longer considered collision resistant. Code
 * reaching this file through the SHA1_* API should not depend on collision
 * resistance (signatures, certificate or artifact fingerprints used as a
 * trust anchor).
 */

#include <stdlib.h>
#include <string.h>

#include <openssl/opensslconf.h>
#include <openssl/sha.h>

/* Selects the byte order of the generic code; consumed outside this file. */
#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA_CTX
#define HASH_CBLOCK             SHA_CBLOCK
/*
 * Serialise the five chaining words h0..h4 of context (c) to the output
 * pointer (s), in that order, through HOST_l2c. HOST_l2c is defined
 * elsewhere; it is presumably expected to advance (s) after each word,
 * since (s) is not incremented here. TODO confirm in md32_common.h.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        ll=(c)->h0; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h1; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h2; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h3; (void)HOST_l2c(ll,(s));     \
        ll=(c)->h4; (void)HOST_l2c(ll,(s));     \
        } while (0)

#define HASH_UPDATE                     SHA1_Update
#define HASH_TRANSFORM                  SHA1_Transform
#define HASH_FINAL                      SHA1_Final
#define HASH_INIT                       SHA1_Init
#define HASH_BLOCK_DATA_ORDER           sha1_block_data_order
/*
 * Message-schedule step: XOR the four schedule words ia, ib, ic and id,
 * apply ROTATE(.., 1), and store the result in both (a) and ix.
 * The arguments ia..id and ix are expanded without parentheses; every use
 * in this file passes a plain variable or array element.
 */
#define Xupdate(a,ix,ia,ib,ic,id)       ( (a)=(ia^ib^ic^id),    \
                                          ix=(a)=ROTATE((a),1)  \
                                        )

/*
 * Without SHA1_ASM the compression function is the static C version defined
 * further down; with SHA1_ASM it has external linkage and no C definition is
 * compiled here (presumably an assembly module supplies it).
 */
#ifndef SHA1_ASM
static void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
#else
void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
#endif

#include "crypto/md32_common.h"

/* Initial values of the five chaining words h0..h4. */
#define INIT_DATA_h0 0x67452301UL
#define INIT_DATA_h1 0xefcdab89UL
#define INIT_DATA_h2 0x98badcfeUL
#define INIT_DATA_h3 0x10325476UL
#define INIT_DATA_h4 0xc3d2e1f0UL

/*
 * SHA1_Init: reset a context for a new digest computation.
 *
 * Zeroes the whole SHA_CTX, which discards any state left from earlier use,
 * then loads h0..h4 with the initial values above. Always returns 1.
 * c is dereferenced unconditionally, so it must not be NULL.
 */
int HASH_INIT(SHA_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h0 = INIT_DATA_h0;
    c->h1 = INIT_DATA_h1;
    c->h2 = INIT_DATA_h2;
    c->h3 = INIT_DATA_h3;
    c->h4 = INIT_DATA_h4;
    return 1;
}

/* Additive round constants, one per group of twenty rounds. */
#define K_00_19 0x5a827999UL
#define K_20_39 0x6ed9eba1UL
#define K_40_59 0x8f1bbcdcUL
#define K_60_79 0xca62c1d6UL

/*
 * As pointed out by Wei Dai, F() below can be simplified to the code in
 * F_00_19. Wei attributes these optimizations to Peter Gutmann's SHS code,
 * and he attributes it to Rich Schroeppel.
 *      #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
 * I've just become aware of another tweak to be made, again from Wei Dai,
 * in F_40_59, (x&a)|(y&a) -> (x|y)&a
 */
/* Per-round boolean functions of the words b, c and d. */
#define F_00_19(b,c,d)  ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b,c,d)  ((b) ^ (c) ^ (d))
#define F_40_59(b,c,d)  (((b) & (c)) | (((b)|(c)) & (d)))
#define F_60_79(b,c,d)  F_20_39(b,c,d)

#ifndef OPENSSL_SMALL_FOOTPRINT

/*
 * Fully unrolled variant. Each BODY_* macro is one round: it writes the new
 * value into (f) and replaces (b) with ROTATE((b), 30). The other words are
 * not moved; each call site passes the six variables A, B, C, D, E, T in a
 * shifted order, so the roles rotate instead of the data. The leading
 * argument i is not used by any expansion; it only labels the round number.
 *
 * BODY_16_19 and later first extend the message schedule with Xupdate.
 * BODY_00_15 and BODY_16_19/BODY_20_31 take a separate destination word xi;
 * from BODY_32_39 on, the result is written back into xa.
 */
# define BODY_00_15(i,a,b,c,d,e,f,xi) \
        (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
        Xupdate(f,xi,xa,xb,xc,xd); \
        (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \
        Xupdate(f,xi,xa,xb,xc,xd); \
        (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
        (b)=ROTATE((b),30);

# define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \
        Xupdate(f,xa,xa,xb,xc,xd); \
        (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
        (b)=ROTATE((b),30);

# ifdef X
#  undef X
# endif
# ifndef MD32_XARRAY
  /*
   * Originally X was an array. As it's automatic it's natural
   * to expect RISC compiler to accommodate at least part of it in
   * the register bank, isn't it? Unfortunately not all compilers
   * "find" this expectation reasonable:-( In order to make such
   * compilers generate better code I replace X[] with a bunch of
   * X0, X1, etc. See the function body below...
   */
#  define X(i)   XX##i
# else
  /*
   * However! Some compilers (most notably HP C) get overwhelmed by
   * that many local variables so that we have to have the way to
   * fall down to the original behavior.
   */
#  define X(i)   XX[i]
# endif

# if !defined(SHA1_ASM)
/*
 * sha1_block_data_order: run the compression function over num consecutive
 * input blocks starting at p, updating c->h0..c->h4 in place.
 *
 * c    context whose chaining words are read and updated.
 * p    input data; the aligned path reads 16 words and advances by
 *      SHA_CBLOCK bytes per block.
 * num  number of blocks to process.
 *
 * NOTE(review): num must be at least 1. The loop body runs before num is
 * tested, so num == 0 would still read a block from p and the unsigned
 * counter would wrap. Presumably every caller in md32_common.h guarantees
 * this; confirm before calling from new code.
 *
 * NOTE(review): the schedule words (XX0..XX15 or XX[]) and A..T hold input
 * data and are not cleared before returning. Whether that matters depends on
 * the caller hashing secret material; nothing in this file addresses it.
 */
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
    const unsigned char *data = p;
    register unsigned MD32_REG_T A, B, C, D, E, T, l;
#  ifndef MD32_XARRAY
    /* Sixteen-word message schedule as individual locals (see X(i) above). */
    unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
        XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15;
#  else
    SHA_LONG XX[16];
#  endif

    /* Load the chaining value into the working variables. */
    A = c->h0;
    B = c->h1;
    C = c->h2;
    D = c->h3;
    E = c->h4;

    for (;;) {
        /*
         * Host byte-order probe: 'little' aliases the first byte of 'one',
         * which is non-zero only when the low-order byte is stored first.
         */
        const union {
            long one;
            char little;
        } is_endian = {
            1
        };

        /*
         * Fast path: host is not little-endian, SHA_LONG is exactly four
         * bytes and the input pointer is 4-byte aligned, so the words are
         * loaded directly with no byte swapping.
         * The alignment test uses the original p rather than the advancing
         * data pointer; that stays valid as long as SHA_CBLOCK is a multiple
         * of 4 (presumably 64, confirm in <openssl/sha.h>).
         */
        if (!is_endian.little && sizeof(SHA_LONG) == 4
            && ((size_t)p % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            /* Rounds 0..15, each word loaded one step ahead of its round. */
            X(0) = W[0];
            X(1) = W[1];
            BODY_00_15(0, A, B, C, D, E, T, X(0));
            X(2) = W[2];
            BODY_00_15(1, T, A, B, C, D, E, X(1));
            X(3) = W[3];
            BODY_00_15(2, E, T, A, B, C, D, X(2));
            X(4) = W[4];
            BODY_00_15(3, D, E, T, A, B, C, X(3));
            X(5) = W[5];
            BODY_00_15(4, C, D, E, T, A, B, X(4));
            X(6) = W[6];
            BODY_00_15(5, B, C, D, E, T, A, X(5));
            X(7) = W[7];
            BODY_00_15(6, A, B, C, D, E, T, X(6));
            X(8) = W[8];
            BODY_00_15(7, T, A, B, C, D, E, X(7));
            X(9) = W[9];
            BODY_00_15(8, E, T, A, B, C, D, X(8));
            X(10) = W[10];
            BODY_00_15(9, D, E, T, A, B, C, X(9));
            X(11) = W[11];
            BODY_00_15(10, C, D, E, T, A, B, X(10));
            X(12) = W[12];
            BODY_00_15(11, B, C, D, E, T, A, X(11));
            X(13) = W[13];
            BODY_00_15(12, A, B, C, D, E, T, X(12));
            X(14) = W[14];
            BODY_00_15(13, T, A, B, C, D, E, X(13));
            X(15) = W[15];
            BODY_00_15(14, E, T, A, B, C, D, X(14));
            BODY_00_15(15, D, E, T, A, B, C, X(15));

            data += SHA_CBLOCK;
        } else {
            /*
             * Portable path: each word is assembled with HOST_c2l. data is
             * not incremented explicitly here, so HOST_c2l is expected to
             * advance it by one word per call (confirm in md32_common.h).
             */
            (void)HOST_c2l(data, l);
            X(0) = l;
            (void)HOST_c2l(data, l);
            X(1) = l;
            BODY_00_15(0, A, B, C, D, E, T, X(0));
            (void)HOST_c2l(data, l);
            X(2) = l;
            BODY_00_15(1, T, A, B, C, D, E, X(1));
            (void)HOST_c2l(data, l);
            X(3) = l;
            BODY_00_15(2, E, T, A, B, C, D, X(2));
            (void)HOST_c2l(data, l);
            X(4) = l;
            BODY_00_15(3, D, E, T, A, B, C, X(3));
            (void)HOST_c2l(data, l);
            X(5) = l;
            BODY_00_15(4, C, D, E, T, A, B, X(4));
            (void)HOST_c2l(data, l);
            X(6) = l;
            BODY_00_15(5, B, C, D, E, T, A, X(5));
            (void)HOST_c2l(data, l);
            X(7) = l;
            BODY_00_15(6, A, B, C, D, E, T, X(6));
            (void)HOST_c2l(data, l);
            X(8) = l;
            BODY_00_15(7, T, A, B, C, D, E, X(7));
            (void)HOST_c2l(data, l);
            X(9) = l;
            BODY_00_15(8, E, T, A, B, C, D, X(8));
            (void)HOST_c2l(data, l);
            X(10) = l;
            BODY_00_15(9, D, E, T, A, B, C, X(9));
            (void)HOST_c2l(data, l);
            X(11) = l;
            BODY_00_15(10, C, D, E, T, A, B, X(10));
            (void)HOST_c2l(data, l);
            X(12) = l;
            BODY_00_15(11, B, C, D, E, T, A, X(11));
            (void)HOST_c2l(data, l);
            X(13) = l;
            BODY_00_15(12, A, B, C, D, E, T, X(12));
            (void)HOST_c2l(data, l);
            X(14) = l;
            BODY_00_15(13, T, A, B, C, D, E, X(13));
            (void)HOST_c2l(data, l);
            X(15) = l;
            BODY_00_15(14, E, T, A, B, C, D, X(14));
            BODY_00_15(15, D, E, T, A, B, C, X(15));
        }

        /*
         * Rounds 16..79. The sixteen X() slots are reused as a circular
         * buffer: each round overwrites one slot with the next schedule word.
         */
        BODY_16_19(16, C, D, E, T, A, B, X(0), X(0), X(2), X(8), X(13));
        BODY_16_19(17, B, C, D, E, T, A, X(1), X(1), X(3), X(9), X(14));
        BODY_16_19(18, A, B, C, D, E, T, X(2), X(2), X(4), X(10), X(15));
        BODY_16_19(19, T, A, B, C, D, E, X(3), X(3), X(5), X(11), X(0));

        BODY_20_31(20, E, T, A, B, C, D, X(4), X(4), X(6), X(12), X(1));
        BODY_20_31(21, D, E, T, A, B, C, X(5), X(5), X(7), X(13), X(2));
        BODY_20_31(22, C, D, E, T, A, B, X(6), X(6), X(8), X(14), X(3));
        BODY_20_31(23, B, C, D, E, T, A, X(7), X(7), X(9), X(15), X(4));
        BODY_20_31(24, A, B, C, D, E, T, X(8), X(8), X(10), X(0), X(5));
        BODY_20_31(25, T, A, B, C, D, E, X(9), X(9), X(11), X(1), X(6));
        BODY_20_31(26, E, T, A, B, C, D, X(10), X(10), X(12), X(2), X(7));
        BODY_20_31(27, D, E, T, A, B, C, X(11), X(11), X(13), X(3), X(8));
        BODY_20_31(28, C, D, E, T, A, B, X(12), X(12), X(14), X(4), X(9));
        BODY_20_31(29, B, C, D, E, T, A, X(13), X(13), X(15), X(5), X(10));
        BODY_20_31(30, A, B, C, D, E, T, X(14), X(14), X(0), X(6), X(11));
        BODY_20_31(31, T, A, B, C, D, E, X(15), X(15), X(1), X(7), X(12));

        BODY_32_39(32, E, T, A, B, C, D, X(0), X(2), X(8), X(13));
        BODY_32_39(33, D, E, T, A, B, C, X(1), X(3), X(9), X(14));
        BODY_32_39(34, C, D, E, T, A, B, X(2), X(4), X(10), X(15));
        BODY_32_39(35, B, C, D, E, T, A, X(3), X(5), X(11), X(0));
        BODY_32_39(36, A, B, C, D, E, T, X(4), X(6), X(12), X(1));
        BODY_32_39(37, T, A, B, C, D, E, X(5), X(7), X(13), X(2));
        BODY_32_39(38, E, T, A, B, C, D, X(6), X(8), X(14), X(3));
        BODY_32_39(39, D, E, T, A, B, C, X(7), X(9), X(15), X(4));

        BODY_40_59(40, C, D, E, T, A, B, X(8), X(10), X(0), X(5));
        BODY_40_59(41, B, C, D, E, T, A, X(9), X(11), X(1), X(6));
        BODY_40_59(42, A, B, C, D, E, T, X(10), X(12), X(2), X(7));
        BODY_40_59(43, T, A, B, C, D, E, X(11), X(13), X(3), X(8));
        BODY_40_59(44, E, T, A, B, C, D, X(12), X(14), X(4), X(9));
        BODY_40_59(45, D, E, T, A, B, C, X(13), X(15), X(5), X(10));
        BODY_40_59(46, C, D, E, T, A, B, X(14), X(0), X(6), X(11));
        BODY_40_59(47, B, C, D, E, T, A, X(15), X(1), X(7), X(12));
        BODY_40_59(48, A, B, C, D, E, T, X(0), X(2), X(8), X(13));
        BODY_40_59(49, T, A, B, C, D, E, X(1), X(3), X(9), X(14));
        BODY_40_59(50, E, T, A, B, C, D, X(2), X(4), X(10), X(15));
        BODY_40_59(51, D, E, T, A, B, C, X(3), X(5), X(11), X(0));
        BODY_40_59(52, C, D, E, T, A, B, X(4), X(6), X(12), X(1));
        BODY_40_59(53, B, C, D, E, T, A, X(5), X(7), X(13), X(2));
        BODY_40_59(54, A, B, C, D, E, T, X(6), X(8), X(14), X(3));
        BODY_40_59(55, T, A, B, C, D, E, X(7), X(9), X(15), X(4));
        BODY_40_59(56, E, T, A, B, C, D, X(8), X(10), X(0), X(5));
        BODY_40_59(57, D, E, T, A, B, C, X(9), X(11), X(1), X(6));
        BODY_40_59(58, C, D, E, T, A, B, X(10), X(12), X(2), X(7));
        BODY_40_59(59, B, C, D, E, T, A, X(11), X(13), X(3), X(8));

        BODY_60_79(60, A, B, C, D, E, T, X(12), X(14), X(4), X(9));
        BODY_60_79(61, T, A, B, C, D, E, X(13), X(15), X(5), X(10));
        BODY_60_79(62, E, T, A, B, C, D, X(14), X(0), X(6), X(11));
        BODY_60_79(63, D, E, T, A, B, C, X(15), X(1), X(7), X(12));
        BODY_60_79(64, C, D, E, T, A, B, X(0), X(2), X(8), X(13));
        BODY_60_79(65, B, C, D, E, T, A, X(1), X(3), X(9), X(14));
        BODY_60_79(66, A, B, C, D, E, T, X(2), X(4), X(10), X(15));
        BODY_60_79(67, T, A, B, C, D, E, X(3), X(5), X(11), X(0));
        BODY_60_79(68, E, T, A, B, C, D, X(4), X(6), X(12), X(1));
        BODY_60_79(69, D, E, T, A, B, C, X(5), X(7), X(13), X(2));
        BODY_60_79(70, C, D, E, T, A, B, X(6), X(8), X(14), X(3));
        BODY_60_79(71, B, C, D, E, T, A, X(7), X(9), X(15), X(4));
        BODY_60_79(72, A, B, C, D, E, T, X(8), X(10), X(0), X(5));
        BODY_60_79(73, T, A, B, C, D, E, X(9), X(11), X(1), X(6));
        BODY_60_79(74, E, T, A, B, C, D, X(10), X(12), X(2), X(7));
        BODY_60_79(75, D, E, T, A, B, C, X(11), X(13), X(3), X(8));
        BODY_60_79(76, C, D, E, T, A, B, X(12), X(14), X(4), X(9));
        BODY_60_79(77, B, C, D, E, T, A, X(13), X(15), X(5), X(10));
        BODY_60_79(78, A, B, C, D, E, T, X(14), X(0), X(6), X(11));
        BODY_60_79(79, T, A, B, C, D, E, X(15), X(1), X(7), X(12));

        /*
         * Because the roles rotated through the 80 rounds, the five output
         * words now sit in E, T, A, B, C (in that order). Add them to the
         * chaining value and truncate each sum to 32 bits.
         */
        c->h0 = (c->h0 + E) & 0xffffffffL;
        c->h1 = (c->h1 + T) & 0xffffffffL;
        c->h2 = (c->h2 + A) & 0xffffffffL;
        c->h3 = (c->h3 + B) & 0xffffffffL;
        c->h4 = (c->h4 + C) & 0xffffffffL;

        /* The block count is tested only after a block has been processed. */
        if (--num == 0)
            break;

        /* Reload the working variables for the next block. */
        A = c->h0;
        B = c->h1;
        C = c->h2;
        D = c->h3;
        E = c->h4;

    }
}
# endif

#else                           /* OPENSSL_SMALL_FOOTPRINT */

/*
 * Compact variant. These BODY_* macros name A, B, C, D, E and T of the
 * enclosing function directly and shift the words on every round
 * (E=D, D=C, C=ROTATE(B,30), B=A), so the call sites can sit in loops.
 * BODY_00_15 takes the already-loaded word xi; the others extend the
 * schedule in place through Xupdate, writing the new word back into xa.
 */
# define BODY_00_15(xi)           do {   \
        T=E+K_00_19+F_00_19(B,C,D);     \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T+xi;         } while(0)

# define BODY_16_19(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_00_19+F_00_19(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_20_39(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_20_39+F_20_39(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_40_59(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T+=E+K_40_59+F_40_59(B,C,D);    \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T;            } while(0)

# define BODY_60_79(xa,xb,xc,xd)  do {   \
        Xupdate(T,xa,xa,xb,xc,xd);      \
        T=E+K_60_79+F_60_79(B,C,D);     \
        E=D, D=C, C=ROTATE(B,30), B=A;  \
        A=ROTATE(A,5)+T+xa;         } while(0)

# if !defined(SHA1_ASM)
/*
 * sha1_block_data_order (small-footprint build): run the compression
 * function over num consecutive input blocks starting at p, updating
 * c->h0..c->h4 in place.
 *
 * Every word is read with HOST_c2l; there is no aligned fast path here.
 * data is never incremented explicitly, so HOST_c2l is expected to advance
 * it by one word per call (confirm in md32_common.h).
 *
 * NOTE(review): num must be at least 1. The loop body runs before num is
 * tested, so num == 0 would still read a block from p and the unsigned
 * counter would wrap.
 *
 * NOTE(review): X[] and A..T hold input data and are not cleared before
 * returning.
 */
static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
{
    const unsigned char *data = p;
    register unsigned MD32_REG_T A, B, C, D, E, T, l;
    int i;
    SHA_LONG X[16];             /* message schedule, used as a ring buffer */

    /* Load the chaining value into the working variables. */
    A = c->h0;
    B = c->h1;
    C = c->h2;
    D = c->h3;
    E = c->h4;

    for (;;) {
        /* Rounds 0..15: load one input word per round. */
        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            X[i] = l;
            BODY_00_15(X[i]);
        }
        /* Rounds 16..19. */
        for (i = 0; i < 4; i++) {
            BODY_16_19(X[i], X[i + 2], X[i + 8], X[(i + 13) & 15]);
        }
        /* Rounds 20..39: i continues from 4 up to 23. */
        for (; i < 24; i++) {
            BODY_20_39(X[i & 15], X[(i + 2) & 15], X[(i + 8) & 15],
                       X[(i + 13) & 15]);
        }
        /* Rounds 40..59. */
        for (i = 0; i < 20; i++) {
            BODY_40_59(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
                       X[(i + 5) & 15]);
        }
        /* Rounds 60..79. */
        for (i = 4; i < 24; i++) {
            BODY_60_79(X[(i + 8) & 15], X[(i + 10) & 15], X[i & 15],
                       X[(i + 5) & 15]);
        }

        /*
         * The words are shifted every round in this variant, so A..E map
         * directly onto h0..h4. Truncate each sum to 32 bits.
         */
        c->h0 = (c->h0 + A) & 0xffffffffL;
        c->h1 = (c->h1 + B) & 0xffffffffL;
        c->h2 = (c->h2 + C) & 0xffffffffL;
        c->h3 = (c->h3 + D) & 0xffffffffL;
        c->h4 = (c->h4 + E) & 0xffffffffL;

        /* The block count is tested only after a block has been processed. */
        if (--num == 0)
            break;

        /* Reload the working variables for the next block. */
        A = c->h0;
        B = c->h1;
        C = c->h2;
        D = c->h3;
        E = c->h4;

    }
}
# endif

#endif