1 /* $OpenBSD: sha256.c,v 1.32 2024/06/01 07:36:16 tb Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 * This product includes cryptographic software written by Eric Young 51 * (eay@cryptsoft.com). This product includes software written by Tim 52 * Hudson (tjh@cryptsoft.com). 53 */ 54 55 #include <endian.h> 56 #include <stdlib.h> 57 #include <string.h> 58 59 #include <openssl/opensslconf.h> 60 61 #include <openssl/crypto.h> 62 #include <openssl/sha.h> 63 64 #include "crypto_internal.h" 65 66 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256) 67 68 /* Ensure that SHA_LONG and uint32_t are equivalent. */ 69 CTASSERT(sizeof(SHA_LONG) == sizeof(uint32_t)); 70 71 #ifdef SHA256_ASM 72 void sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num); 73 #endif 74 75 #ifndef SHA256_ASM 76 static const SHA_LONG K256[64] = { 77 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 78 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 79 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 80 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 81 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 82 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 83 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 84 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 85 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 86 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 87 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 88 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 89 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 90 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 91 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 92 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 93 }; 94 95 static inline SHA_LONG 96 Sigma0(SHA_LONG x) 97 { 98 return crypto_ror_u32(x, 2) ^ crypto_ror_u32(x, 13) ^ 99 crypto_ror_u32(x, 22); 100 } 101 102 static inline SHA_LONG 103 Sigma1(SHA_LONG x) 104 { 105 return crypto_ror_u32(x, 6) ^ crypto_ror_u32(x, 11) ^ 106 crypto_ror_u32(x, 25); 107 } 108 109 static inline SHA_LONG 110 sigma0(SHA_LONG x) 111 { 112 return crypto_ror_u32(x, 7) ^ crypto_ror_u32(x, 18) ^ (x >> 3); 113 } 114 115 static inline SHA_LONG 116 sigma1(SHA_LONG x) 117 { 118 return crypto_ror_u32(x, 17) ^ crypto_ror_u32(x, 19) ^ (x >> 10); 119 } 120 121 static inline SHA_LONG 122 Ch(SHA_LONG x, SHA_LONG y, SHA_LONG z) 123 { 124 return (x & y) ^ (~x & z); 125 } 126 127 static inline SHA_LONG 128 Maj(SHA_LONG x, SHA_LONG y, SHA_LONG z) 129 { 130 return (x & y) ^ (x & z) ^ (y & z); 131 } 132 133 static inline void 134 sha256_msg_schedule_update(SHA_LONG *W0, SHA_LONG W1, SHA_LONG W9, SHA_LONG W14) 135 { 136 *W0 = sigma1(W14) + W9 + sigma0(W1) + *W0; 137 } 138 139 static inline void 140 sha256_round(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e, 141 SHA_LONG *f, SHA_LONG *g, SHA_LONG *h, SHA_LONG Kt, SHA_LONG Wt) 142 { 143 SHA_LONG T1, T2; 144 145 T1 = *h + Sigma1(*e) + Ch(*e, *f, *g) + Kt + Wt; 146 T2 = Sigma0(*a) + Maj(*a, *b, *c); 147 148 *h = *g; 149 *g = *f; 150 *f = *e; 151 *e = *d + T1; 152 *d = *c; 153 *c = *b; 154 *b = *a; 155 *a = T1 + T2; 156 } 157 158 static void 159 sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num) 160 { 161 const uint8_t *in = _in; 162 const SHA_LONG *in32; 163 SHA_LONG a, b, c, d, e, f, g, h; 164 SHA_LONG X[16]; 165 int i; 166 167 while (num--) { 168 a = ctx->h[0]; 169 b = ctx->h[1]; 170 c = ctx->h[2]; 171 d = ctx->h[3]; 172 e = ctx->h[4]; 173 f = ctx->h[5]; 174 g = ctx->h[6]; 175 h = ctx->h[7]; 176 177 if ((size_t)in % 4 == 0) { 178 /* Input is 32 bit aligned. */ 179 in32 = (const SHA_LONG *)in; 180 X[0] = be32toh(in32[0]); 181 X[1] = be32toh(in32[1]); 182 X[2] = be32toh(in32[2]); 183 X[3] = be32toh(in32[3]); 184 X[4] = be32toh(in32[4]); 185 X[5] = be32toh(in32[5]); 186 X[6] = be32toh(in32[6]); 187 X[7] = be32toh(in32[7]); 188 X[8] = be32toh(in32[8]); 189 X[9] = be32toh(in32[9]); 190 X[10] = be32toh(in32[10]); 191 X[11] = be32toh(in32[11]); 192 X[12] = be32toh(in32[12]); 193 X[13] = be32toh(in32[13]); 194 X[14] = be32toh(in32[14]); 195 X[15] = be32toh(in32[15]); 196 } else { 197 /* Input is not 32 bit aligned. */ 198 X[0] = crypto_load_be32toh(&in[0 * 4]); 199 X[1] = crypto_load_be32toh(&in[1 * 4]); 200 X[2] = crypto_load_be32toh(&in[2 * 4]); 201 X[3] = crypto_load_be32toh(&in[3 * 4]); 202 X[4] = crypto_load_be32toh(&in[4 * 4]); 203 X[5] = crypto_load_be32toh(&in[5 * 4]); 204 X[6] = crypto_load_be32toh(&in[6 * 4]); 205 X[7] = crypto_load_be32toh(&in[7 * 4]); 206 X[8] = crypto_load_be32toh(&in[8 * 4]); 207 X[9] = crypto_load_be32toh(&in[9 * 4]); 208 X[10] = crypto_load_be32toh(&in[10 * 4]); 209 X[11] = crypto_load_be32toh(&in[11 * 4]); 210 X[12] = crypto_load_be32toh(&in[12 * 4]); 211 X[13] = crypto_load_be32toh(&in[13 * 4]); 212 X[14] = crypto_load_be32toh(&in[14 * 4]); 213 X[15] = crypto_load_be32toh(&in[15 * 4]); 214 } 215 in += SHA256_CBLOCK; 216 217 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[0], X[0]); 218 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[1], X[1]); 219 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[2], X[2]); 220 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[3], X[3]); 221 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[4], X[4]); 222 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[5], X[5]); 223 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[6], X[6]); 224 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[7], X[7]); 225 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[8], X[8]); 226 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[9], X[9]); 227 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[10], X[10]); 228 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[11], X[11]); 229 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[12], X[12]); 230 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[13], X[13]); 231 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[14], X[14]); 232 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[15], X[15]); 233 234 for (i = 16; i < 64; i += 16) { 235 sha256_msg_schedule_update(&X[0], X[1], X[9], X[14]); 236 sha256_msg_schedule_update(&X[1], X[2], X[10], X[15]); 237 sha256_msg_schedule_update(&X[2], X[3], X[11], X[0]); 238 sha256_msg_schedule_update(&X[3], X[4], X[12], X[1]); 239 sha256_msg_schedule_update(&X[4], X[5], X[13], X[2]); 240 sha256_msg_schedule_update(&X[5], X[6], X[14], X[3]); 241 sha256_msg_schedule_update(&X[6], X[7], X[15], X[4]); 242 sha256_msg_schedule_update(&X[7], X[8], X[0], X[5]); 243 sha256_msg_schedule_update(&X[8], X[9], X[1], X[6]); 244 sha256_msg_schedule_update(&X[9], X[10], X[2], X[7]); 245 sha256_msg_schedule_update(&X[10], X[11], X[3], X[8]); 246 sha256_msg_schedule_update(&X[11], X[12], X[4], X[9]); 247 sha256_msg_schedule_update(&X[12], X[13], X[5], X[10]); 248 sha256_msg_schedule_update(&X[13], X[14], X[6], X[11]); 249 sha256_msg_schedule_update(&X[14], X[15], X[7], X[12]); 250 sha256_msg_schedule_update(&X[15], X[0], X[8], X[13]); 251 252 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 0], X[0]); 253 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 1], X[1]); 254 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 2], X[2]); 255 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 3], X[3]); 256 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 4], X[4]); 257 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 5], X[5]); 258 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 6], X[6]); 259 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 7], X[7]); 260 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 8], X[8]); 261 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 9], X[9]); 262 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 10], X[10]); 263 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 11], X[11]); 264 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 12], X[12]); 265 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 13], X[13]); 266 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 14], X[14]); 267 sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 15], X[15]); 268 } 269 270 ctx->h[0] += a; 271 ctx->h[1] += b; 272 ctx->h[2] += c; 273 ctx->h[3] += d; 274 ctx->h[4] += e; 275 ctx->h[5] += f; 276 ctx->h[6] += g; 277 ctx->h[7] += h; 278 } 279 } 280 #endif /* SHA256_ASM */ 281 282 int 283 SHA224_Init(SHA256_CTX *c) 284 { 285 memset(c, 0, sizeof(*c)); 286 287 c->h[0] = 0xc1059ed8UL; 288 c->h[1] = 0x367cd507UL; 289 c->h[2] = 0x3070dd17UL; 290 c->h[3] = 0xf70e5939UL; 291 c->h[4] = 0xffc00b31UL; 292 c->h[5] = 0x68581511UL; 293 c->h[6] = 0x64f98fa7UL; 294 c->h[7] = 0xbefa4fa4UL; 295 296 c->md_len = SHA224_DIGEST_LENGTH; 297 298 return 1; 299 } 300 LCRYPTO_ALIAS(SHA224_Init); 301 302 int 303 SHA224_Update(SHA256_CTX *c, const void *data, size_t len) 304 { 305 return SHA256_Update(c, data, len); 306 } 307 LCRYPTO_ALIAS(SHA224_Update); 308 309 int 310 SHA224_Final(unsigned char *md, SHA256_CTX *c) 311 { 312 return SHA256_Final(md, c); 313 } 314 LCRYPTO_ALIAS(SHA224_Final); 315 316 unsigned char * 317 SHA224(const unsigned char *d, size_t n, unsigned char *md) 318 { 319 SHA256_CTX c; 320 321 SHA224_Init(&c); 322 SHA256_Update(&c, d, n); 323 SHA256_Final(md, &c); 324 325 explicit_bzero(&c, sizeof(c)); 326 327 return (md); 328 } 329 LCRYPTO_ALIAS(SHA224); 330 331 int 332 SHA256_Init(SHA256_CTX *c) 333 { 334 memset(c, 0, sizeof(*c)); 335 336 c->h[0] = 0x6a09e667UL; 337 c->h[1] = 0xbb67ae85UL; 338 c->h[2] = 0x3c6ef372UL; 339 c->h[3] = 0xa54ff53aUL; 340 c->h[4] = 0x510e527fUL; 341 c->h[5] = 0x9b05688cUL; 342 c->h[6] = 0x1f83d9abUL; 343 c->h[7] = 0x5be0cd19UL; 344 345 c->md_len = SHA256_DIGEST_LENGTH; 346 347 return 1; 348 } 349 LCRYPTO_ALIAS(SHA256_Init); 350 351 int 352 SHA256_Update(SHA256_CTX *c, const void *data_, size_t len) 353 { 354 const unsigned char *data = data_; 355 unsigned char *p; 356 SHA_LONG l; 357 size_t n; 358 359 if (len == 0) 360 return 1; 361 362 l = (c->Nl + (((SHA_LONG)len) << 3)) & 0xffffffffUL; 363 /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to 364 * Wei Dai <weidai@eskimo.com> for pointing it out. */ 365 if (l < c->Nl) /* overflow */ 366 c->Nh++; 367 c->Nh += (SHA_LONG)(len >> 29); /* might cause compiler warning on 16-bit */ 368 c->Nl = l; 369 370 n = c->num; 371 if (n != 0) { 372 p = (unsigned char *)c->data; 373 374 if (len >= SHA_CBLOCK || len + n >= SHA_CBLOCK) { 375 memcpy(p + n, data, SHA_CBLOCK - n); 376 sha256_block_data_order(c, p, 1); 377 n = SHA_CBLOCK - n; 378 data += n; 379 len -= n; 380 c->num = 0; 381 memset(p, 0, SHA_CBLOCK); /* keep it zeroed */ 382 } else { 383 memcpy(p + n, data, len); 384 c->num += (unsigned int)len; 385 return 1; 386 } 387 } 388 389 n = len/SHA_CBLOCK; 390 if (n > 0) { 391 sha256_block_data_order(c, data, n); 392 n *= SHA_CBLOCK; 393 data += n; 394 len -= n; 395 } 396 397 if (len != 0) { 398 p = (unsigned char *)c->data; 399 c->num = (unsigned int)len; 400 memcpy(p, data, len); 401 } 402 return 1; 403 } 404 LCRYPTO_ALIAS(SHA256_Update); 405 406 void 407 SHA256_Transform(SHA256_CTX *c, const unsigned char *data) 408 { 409 sha256_block_data_order(c, data, 1); 410 } 411 LCRYPTO_ALIAS(SHA256_Transform); 412 413 int 414 SHA256_Final(unsigned char *md, SHA256_CTX *c) 415 { 416 unsigned char *p = (unsigned char *)c->data; 417 size_t n = c->num; 418 unsigned int nn; 419 420 p[n] = 0x80; /* there is always room for one */ 421 n++; 422 423 if (n > (SHA_CBLOCK - 8)) { 424 memset(p + n, 0, SHA_CBLOCK - n); 425 n = 0; 426 sha256_block_data_order(c, p, 1); 427 } 428 429 memset(p + n, 0, SHA_CBLOCK - 8 - n); 430 c->data[SHA_LBLOCK - 2] = htobe32(c->Nh); 431 c->data[SHA_LBLOCK - 1] = htobe32(c->Nl); 432 433 sha256_block_data_order(c, p, 1); 434 c->num = 0; 435 memset(p, 0, SHA_CBLOCK); 436 437 /* 438 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output." 439 * default: case below covers for it. It's not clear however if it's 440 * permitted to truncate to amount of bytes not divisible by 4. I bet not, 441 * but if it is, then default: case shall be extended. For reference. 442 * Idea behind separate cases for pre-defined lengths is to let the 443 * compiler decide if it's appropriate to unroll small loops. 444 */ 445 switch (c->md_len) { 446 case SHA224_DIGEST_LENGTH: 447 for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { 448 crypto_store_htobe32(md, c->h[nn]); 449 md += 4; 450 } 451 break; 452 453 case SHA256_DIGEST_LENGTH: 454 for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { 455 crypto_store_htobe32(md, c->h[nn]); 456 md += 4; 457 } 458 break; 459 460 default: 461 if (c->md_len > SHA256_DIGEST_LENGTH) 462 return 0; 463 for (nn = 0; nn < c->md_len / 4; nn++) { 464 crypto_store_htobe32(md, c->h[nn]); 465 md += 4; 466 } 467 break; 468 } 469 470 return 1; 471 } 472 LCRYPTO_ALIAS(SHA256_Final); 473 474 unsigned char * 475 SHA256(const unsigned char *d, size_t n, unsigned char *md) 476 { 477 SHA256_CTX c; 478 479 SHA256_Init(&c); 480 SHA256_Update(&c, d, n); 481 SHA256_Final(md, &c); 482 483 explicit_bzero(&c, sizeof(c)); 484 485 return (md); 486 } 487 LCRYPTO_ALIAS(SHA256); 488 489 #endif /* OPENSSL_NO_SHA256 */ 490