Coverage Report

Created: 2024-11-21 07:03

/src/openssl/crypto/sha/sha256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
/*
11
 * SHA256 low level APIs are deprecated for public use, but still ok for
12
 * internal use.
13
 */
14
#include "internal/deprecated.h"
15
16
#include <openssl/opensslconf.h>
17
18
#include <stdlib.h>
19
#include <string.h>
20
21
#include <openssl/crypto.h>
22
#include <openssl/sha.h>
23
#include <openssl/opensslv.h>
24
#include "internal/endian.h"
25
#include "crypto/sha.h"
26
27
int SHA224_Init(SHA256_CTX *c)
28
1.43k
{
29
1.43k
    memset(c, 0, sizeof(*c));
30
1.43k
    c->h[0] = 0xc1059ed8UL;
31
1.43k
    c->h[1] = 0x367cd507UL;
32
1.43k
    c->h[2] = 0x3070dd17UL;
33
1.43k
    c->h[3] = 0xf70e5939UL;
34
1.43k
    c->h[4] = 0xffc00b31UL;
35
1.43k
    c->h[5] = 0x68581511UL;
36
1.43k
    c->h[6] = 0x64f98fa7UL;
37
1.43k
    c->h[7] = 0xbefa4fa4UL;
38
1.43k
    c->md_len = SHA224_DIGEST_LENGTH;
39
1.43k
    return 1;
40
1.43k
}
41
42
int SHA256_Init(SHA256_CTX *c)
43
1.16k
{
44
1.16k
    memset(c, 0, sizeof(*c));
45
1.16k
    c->h[0] = 0x6a09e667UL;
46
1.16k
    c->h[1] = 0xbb67ae85UL;
47
1.16k
    c->h[2] = 0x3c6ef372UL;
48
1.16k
    c->h[3] = 0xa54ff53aUL;
49
1.16k
    c->h[4] = 0x510e527fUL;
50
1.16k
    c->h[5] = 0x9b05688cUL;
51
1.16k
    c->h[6] = 0x1f83d9abUL;
52
1.16k
    c->h[7] = 0x5be0cd19UL;
53
1.16k
    c->md_len = SHA256_DIGEST_LENGTH;
54
1.16k
    return 1;
55
1.16k
}
56
57
int ossl_sha256_192_init(SHA256_CTX *c)
58
0
{
59
0
    SHA256_Init(c);
60
0
    c->md_len = SHA256_192_DIGEST_LENGTH;
61
0
    return 1;
62
0
}
63
64
int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
65
11.7k
{
66
11.7k
    return SHA256_Update(c, data, len);
67
11.7k
}
68
69
int SHA224_Final(unsigned char *md, SHA256_CTX *c)
70
5.31k
{
71
5.31k
    return SHA256_Final(md, c);
72
5.31k
}
73
74
#define DATA_ORDER_IS_BIG_ENDIAN
75
76
33.8k
#define HASH_LONG               SHA_LONG
77
#define HASH_CTX                SHA256_CTX
78
162k
#define HASH_CBLOCK             SHA_CBLOCK
79
80
/*
81
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82
 * default: case below covers for it. It's not clear however if it's
83
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
84
 * but if it is, then default: case shall be extended. For reference.
85
 * Idea behind separate cases for pre-defined lengths is to let the
86
 * compiler decide if it's appropriate to unroll small loops.
87
 */
88
18.1k
#define HASH_MAKE_STRING(c,s)   do {    \
89
18.1k
        unsigned long ll;               \
90
18.1k
        unsigned int  nn;               \
91
18.1k
        switch ((c)->md_len) {          \
92
0
            case SHA256_192_DIGEST_LENGTH: \
93
0
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
94
0
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
95
0
                }                       \
96
0
                break;                  \
97
5.31k
            case SHA224_DIGEST_LENGTH:  \
98
42.5k
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) {     \
99
37.1k
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
100
37.1k
                }                       \
101
5.31k
                break;                  \
102
12.8k
            case SHA256_DIGEST_LENGTH:  \
103
115k
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) {     \
104
102k
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
105
102k
                }                       \
106
12.8k
                break;                  \
107
0
            default:                    \
108
0
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
109
0
                    return 0;                           \
110
0
                for (nn=0;nn<(c)->md_len/4;nn++) {              \
111
0
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
112
0
                }                       \
113
0
                break;                  \
114
18.1k
        }                               \
115
18.1k
    } while (0)
116
117
#define HASH_UPDATE             SHA256_Update
118
#define HASH_TRANSFORM          SHA256_Transform
119
#define HASH_FINAL              SHA256_Final
120
33.8k
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
121
#ifndef SHA256_ASM
122
static
123
#else
124
# ifdef INCLUDE_C_SHA256
125
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
126
# endif /* INCLUDE_C_SHA256 */
127
#endif /* SHA256_ASM */
128
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
129
130
#include "crypto/md32_common.h"
131
132
#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
133
static const SHA_LONG K256[64] = {
134
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150
};
151
152
# ifndef PEDANTIC
153
#  if defined(__GNUC__) && __GNUC__>=2 && \
154
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
155
#   if defined(__riscv_zknh)
156
#    define Sigma0(x) ({ MD32_REG_T ret;            \
157
                        asm ("sha256sum0 %0, %1"    \
158
                        : "=r"(ret)                 \
159
                        : "r"(x)); ret;             })
160
#    define Sigma1(x) ({ MD32_REG_T ret;            \
161
                        asm ("sha256sum1 %0, %1"    \
162
                        : "=r"(ret)                 \
163
                        : "r"(x)); ret;             })
164
#    define sigma0(x) ({ MD32_REG_T ret;            \
165
                        asm ("sha256sig0 %0, %1"    \
166
                        : "=r"(ret)                 \
167
                        : "r"(x)); ret;             })
168
#    define sigma1(x) ({ MD32_REG_T ret;            \
169
                        asm ("sha256sig1 %0, %1"    \
170
                        : "=r"(ret)                 \
171
                        : "r"(x)); ret;             })
172
#   endif
173
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
174
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
175
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176
                        : "=r"(ret)                                 \
177
                        : "r"(x), "r"(y), "r"(z)); ret;             })
178
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
179
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
180
                        : "=r"(ret)                                 \
181
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
182
#   endif
183
#  endif
184
# endif
185
186
/*
187
 * FIPS specification refers to right rotations, while our ROTATE macro
188
 * is left one. This is why you might notice that rotation coefficients
189
 * differ from those observed in FIPS document by 32-N...
190
 */
191
# ifndef Sigma0
192
21.7M
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
193
# endif
194
# ifndef Sigma1
195
21.7M
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
196
# endif
197
# ifndef sigma0
198
16.3M
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
199
# endif
200
# ifndef sigma1
201
16.3M
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
202
# endif
203
# ifndef Ch
204
21.7M
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
205
# endif
206
# ifndef Maj
207
21.7M
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
208
# endif
209
210
# ifdef OPENSSL_SMALL_FOOTPRINT
211
212
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
213
                                    size_t num)
214
{
215
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
216
    SHA_LONG X[16], l;
217
    int i;
218
    const unsigned char *data = in;
219
220
    while (num--) {
221
222
        a = ctx->h[0];
223
        b = ctx->h[1];
224
        c = ctx->h[2];
225
        d = ctx->h[3];
226
        e = ctx->h[4];
227
        f = ctx->h[5];
228
        g = ctx->h[6];
229
        h = ctx->h[7];
230
231
        for (i = 0; i < 16; i++) {
232
            (void)HOST_c2l(data, l);
233
            T1 = X[i] = l;
234
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
235
            T2 = Sigma0(a) + Maj(a, b, c);
236
            h = g;
237
            g = f;
238
            f = e;
239
            e = d + T1;
240
            d = c;
241
            c = b;
242
            b = a;
243
            a = T1 + T2;
244
        }
245
246
        for (; i < 64; i++) {
247
            s0 = X[(i + 1) & 0x0f];
248
            s0 = sigma0(s0);
249
            s1 = X[(i + 14) & 0x0f];
250
            s1 = sigma1(s1);
251
252
            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
253
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
254
            T2 = Sigma0(a) + Maj(a, b, c);
255
            h = g;
256
            g = f;
257
            f = e;
258
            e = d + T1;
259
            d = c;
260
            c = b;
261
            b = a;
262
            a = T1 + T2;
263
        }
264
265
        ctx->h[0] += a;
266
        ctx->h[1] += b;
267
        ctx->h[2] += c;
268
        ctx->h[3] += d;
269
        ctx->h[4] += e;
270
        ctx->h[5] += f;
271
        ctx->h[6] += g;
272
        ctx->h[7] += h;
273
274
    }
275
}
276
277
# else
278
279
21.7M
#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
280
21.7M
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
281
21.7M
        h = Sigma0(a) + Maj(a,b,c);                     \
282
21.7M
        d += T1;        h += T1;                } while (0)
283
284
16.3M
#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
285
16.3M
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
286
16.3M
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
287
16.3M
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
288
16.3M
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)
289
290
#ifdef INCLUDE_C_SHA256
291
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
292
#else
293
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
294
                                    size_t num)
295
#endif
296
15.0k
{
297
15.0k
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
298
15.0k
    SHA_LONG X[16];
299
15.0k
    int i;
300
15.0k
    const unsigned char *data = in;
301
15.0k
    DECLARE_IS_ENDIAN;
302
303
354k
    while (num--) {
304
305
339k
        a = ctx->h[0];
306
339k
        b = ctx->h[1];
307
339k
        c = ctx->h[2];
308
339k
        d = ctx->h[3];
309
339k
        e = ctx->h[4];
310
339k
        f = ctx->h[5];
311
339k
        g = ctx->h[6];
312
339k
        h = ctx->h[7];
313
314
339k
        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
315
339k
            && ((size_t)in % 4) == 0) {
316
0
            const SHA_LONG *W = (const SHA_LONG *)data;
317
318
0
            T1 = X[0] = W[0];
319
0
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
320
0
            T1 = X[1] = W[1];
321
0
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
322
0
            T1 = X[2] = W[2];
323
0
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
324
0
            T1 = X[3] = W[3];
325
0
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
326
0
            T1 = X[4] = W[4];
327
0
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
328
0
            T1 = X[5] = W[5];
329
0
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
330
0
            T1 = X[6] = W[6];
331
0
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
332
0
            T1 = X[7] = W[7];
333
0
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
334
0
            T1 = X[8] = W[8];
335
0
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
336
0
            T1 = X[9] = W[9];
337
0
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
338
0
            T1 = X[10] = W[10];
339
0
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
340
0
            T1 = X[11] = W[11];
341
0
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
342
0
            T1 = X[12] = W[12];
343
0
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
344
0
            T1 = X[13] = W[13];
345
0
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
346
0
            T1 = X[14] = W[14];
347
0
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
348
0
            T1 = X[15] = W[15];
349
0
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
350
351
0
            data += SHA256_CBLOCK;
352
339k
        } else {
353
339k
            SHA_LONG l;
354
355
339k
            (void)HOST_c2l(data, l);
356
339k
            T1 = X[0] = l;
357
339k
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
358
339k
            (void)HOST_c2l(data, l);
359
339k
            T1 = X[1] = l;
360
339k
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
361
339k
            (void)HOST_c2l(data, l);
362
339k
            T1 = X[2] = l;
363
339k
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
364
339k
            (void)HOST_c2l(data, l);
365
339k
            T1 = X[3] = l;
366
339k
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
367
339k
            (void)HOST_c2l(data, l);
368
339k
            T1 = X[4] = l;
369
339k
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
370
339k
            (void)HOST_c2l(data, l);
371
339k
            T1 = X[5] = l;
372
339k
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
373
339k
            (void)HOST_c2l(data, l);
374
339k
            T1 = X[6] = l;
375
339k
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
376
339k
            (void)HOST_c2l(data, l);
377
339k
            T1 = X[7] = l;
378
339k
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
379
339k
            (void)HOST_c2l(data, l);
380
339k
            T1 = X[8] = l;
381
339k
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
382
339k
            (void)HOST_c2l(data, l);
383
339k
            T1 = X[9] = l;
384
339k
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
385
339k
            (void)HOST_c2l(data, l);
386
339k
            T1 = X[10] = l;
387
339k
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
388
339k
            (void)HOST_c2l(data, l);
389
339k
            T1 = X[11] = l;
390
339k
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
391
339k
            (void)HOST_c2l(data, l);
392
339k
            T1 = X[12] = l;
393
339k
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
394
339k
            (void)HOST_c2l(data, l);
395
339k
            T1 = X[13] = l;
396
339k
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
397
339k
            (void)HOST_c2l(data, l);
398
339k
            T1 = X[14] = l;
399
339k
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
400
339k
            (void)HOST_c2l(data, l);
401
339k
            T1 = X[15] = l;
402
339k
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
403
339k
        }
404
405
2.37M
        for (i = 16; i < 64; i += 8) {
406
2.03M
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
407
2.03M
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
408
2.03M
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
409
2.03M
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
410
2.03M
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
411
2.03M
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
412
2.03M
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
413
2.03M
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
414
2.03M
        }
415
416
339k
        ctx->h[0] += a;
417
339k
        ctx->h[1] += b;
418
339k
        ctx->h[2] += c;
419
339k
        ctx->h[3] += d;
420
339k
        ctx->h[4] += e;
421
339k
        ctx->h[5] += f;
422
339k
        ctx->h[6] += g;
423
339k
        ctx->h[7] += h;
424
425
339k
    }
426
15.0k
}
427
428
# endif
429
#endif                         /* SHA256_ASM */