[331] | 1 | /*
|
---|
| 2 | * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | /*-
|
---|
| 11 | * This is a generic 32 bit "collector" for message digest algorithms.
|
---|
| 12 | * Whenever needed it collects input character stream into chunks of
|
---|
| 13 | * 32 bit values and invokes a block function that performs actual hash
|
---|
| 14 | * calculations.
|
---|
| 15 | *
|
---|
| 16 | * Porting guide.
|
---|
| 17 | *
|
---|
| 18 | * Obligatory macros:
|
---|
| 19 | *
|
---|
| 20 | * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
|
---|
| 21 | * this macro defines byte order of input stream.
|
---|
| 22 | * HASH_CBLOCK
|
---|
| 23 | * size of a unit chunk HASH_BLOCK operates on.
|
---|
| 24 | * HASH_LONG
|
---|
| 25 | * has to be at lest 32 bit wide.
|
---|
| 26 | * HASH_CTX
|
---|
| 27 | * context structure that at least contains following
|
---|
| 28 | * members:
|
---|
| 29 | * typedef struct {
|
---|
| 30 | * ...
|
---|
| 31 | * HASH_LONG Nl,Nh;
|
---|
| 32 | * either {
|
---|
| 33 | * HASH_LONG data[HASH_LBLOCK];
|
---|
| 34 | * unsigned char data[HASH_CBLOCK];
|
---|
| 35 | * };
|
---|
| 36 | * unsigned int num;
|
---|
| 37 | * ...
|
---|
| 38 | * } HASH_CTX;
|
---|
| 39 | * data[] vector is expected to be zeroed upon first call to
|
---|
| 40 | * HASH_UPDATE.
|
---|
| 41 | * HASH_UPDATE
|
---|
| 42 | * name of "Update" function, implemented here.
|
---|
| 43 | * HASH_TRANSFORM
|
---|
| 44 | * name of "Transform" function, implemented here.
|
---|
| 45 | * HASH_FINAL
|
---|
| 46 | * name of "Final" function, implemented here.
|
---|
| 47 | * HASH_BLOCK_DATA_ORDER
|
---|
| 48 | * name of "block" function capable of treating *unaligned* input
|
---|
| 49 | * message in original (data) byte order, implemented externally.
|
---|
| 50 | * HASH_MAKE_STRING
|
---|
| 51 | * macro convering context variables to an ASCII hash string.
|
---|
| 52 | *
|
---|
| 53 | * MD5 example:
|
---|
| 54 | *
|
---|
| 55 | * #define DATA_ORDER_IS_LITTLE_ENDIAN
|
---|
| 56 | *
|
---|
| 57 | * #define HASH_LONG MD5_LONG
|
---|
| 58 | * #define HASH_CTX MD5_CTX
|
---|
| 59 | * #define HASH_CBLOCK MD5_CBLOCK
|
---|
| 60 | * #define HASH_UPDATE MD5_Update
|
---|
| 61 | * #define HASH_TRANSFORM MD5_Transform
|
---|
| 62 | * #define HASH_FINAL MD5_Final
|
---|
| 63 | * #define HASH_BLOCK_DATA_ORDER md5_block_data_order
|
---|
| 64 | *
|
---|
| 65 | * <appro@fy.chalmers.se>
|
---|
| 66 | */
|
---|
| 67 |
|
---|
| 68 | #include <openssl/crypto.h>
|
---|
| 69 |
|
---|
| 70 | #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
|
---|
| 71 | # error "DATA_ORDER must be defined!"
|
---|
| 72 | #endif
|
---|
| 73 |
|
---|
| 74 | #ifndef HASH_CBLOCK
|
---|
| 75 | # error "HASH_CBLOCK must be defined!"
|
---|
| 76 | #endif
|
---|
| 77 | #ifndef HASH_LONG
|
---|
| 78 | # error "HASH_LONG must be defined!"
|
---|
| 79 | #endif
|
---|
| 80 | #ifndef HASH_CTX
|
---|
| 81 | # error "HASH_CTX must be defined!"
|
---|
| 82 | #endif
|
---|
| 83 |
|
---|
| 84 | #ifndef HASH_UPDATE
|
---|
| 85 | # error "HASH_UPDATE must be defined!"
|
---|
| 86 | #endif
|
---|
| 87 | #ifndef HASH_TRANSFORM
|
---|
| 88 | # error "HASH_TRANSFORM must be defined!"
|
---|
| 89 | #endif
|
---|
| 90 | #ifndef HASH_FINAL
|
---|
| 91 | # error "HASH_FINAL must be defined!"
|
---|
| 92 | #endif
|
---|
| 93 |
|
---|
| 94 | #ifndef HASH_BLOCK_DATA_ORDER
|
---|
| 95 | # error "HASH_BLOCK_DATA_ORDER must be defined!"
|
---|
| 96 | #endif
|
---|
| 97 |
|
---|
| 98 | /*
|
---|
| 99 | * Engage compiler specific rotate intrinsic function if available.
|
---|
| 100 | */
|
---|
| 101 | #undef ROTATE
|
---|
| 102 | #ifndef PEDANTIC
|
---|
| 103 | # if defined(_MSC_VER)
|
---|
| 104 | # define ROTATE(a,n) _lrotl(a,n)
|
---|
| 105 | # elif defined(__ICC)
|
---|
| 106 | # define ROTATE(a,n) _rotl(a,n)
|
---|
| 107 | # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
---|
| 108 | /*
|
---|
| 109 | * Some GNU C inline assembler templates. Note that these are
|
---|
| 110 | * rotates by *constant* number of bits! But that's exactly
|
---|
| 111 | * what we need here...
|
---|
| 112 | * <appro@fy.chalmers.se>
|
---|
| 113 | */
|
---|
| 114 | # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
|
---|
| 115 | # define ROTATE(a,n) ({ register unsigned int ret; \
|
---|
| 116 | asm ( \
|
---|
| 117 | "roll %1,%0" \
|
---|
| 118 | : "=r"(ret) \
|
---|
| 119 | : "I"(n), "0"((unsigned int)(a)) \
|
---|
| 120 | : "cc"); \
|
---|
| 121 | ret; \
|
---|
| 122 | })
|
---|
| 123 | # elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
|
---|
| 124 | defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
|
---|
| 125 | # define ROTATE(a,n) ({ register unsigned int ret; \
|
---|
| 126 | asm ( \
|
---|
| 127 | "rlwinm %0,%1,%2,0,31" \
|
---|
| 128 | : "=r"(ret) \
|
---|
| 129 | : "r"(a), "I"(n)); \
|
---|
| 130 | ret; \
|
---|
| 131 | })
|
---|
| 132 | # elif defined(__s390x__)
|
---|
| 133 | # define ROTATE(a,n) ({ register unsigned int ret; \
|
---|
| 134 | asm ("rll %0,%1,%2" \
|
---|
| 135 | : "=r"(ret) \
|
---|
| 136 | : "r"(a), "I"(n)); \
|
---|
| 137 | ret; \
|
---|
| 138 | })
|
---|
| 139 | # endif
|
---|
| 140 | # endif
|
---|
| 141 | #endif /* PEDANTIC */
|
---|
| 142 |
|
---|
| 143 | #ifndef ROTATE
|
---|
| 144 | # define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
|
---|
| 145 | #endif
|
---|
| 146 |
|
---|
| 147 | #if defined(DATA_ORDER_IS_BIG_ENDIAN)
|
---|
| 148 |
|
---|
| 149 | # ifndef PEDANTIC
|
---|
| 150 | # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
---|
| 151 | # if ((defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)) || \
|
---|
| 152 | (defined(__x86_64) || defined(__x86_64__))
|
---|
| 153 | # if !defined(B_ENDIAN)
|
---|
| 154 | /*
|
---|
| 155 | * This gives ~30-40% performance improvement in SHA-256 compiled
|
---|
| 156 | * with gcc [on P4]. Well, first macro to be frank. We can pull
|
---|
| 157 | * this trick on x86* platforms only, because these CPUs can fetch
|
---|
| 158 | * unaligned data without raising an exception.
|
---|
| 159 | */
|
---|
| 160 | # define HOST_c2l(c,l) ({ unsigned int r=*((const unsigned int *)(c)); \
|
---|
| 161 | asm ("bswapl %0":"=r"(r):"0"(r)); \
|
---|
| 162 | (c)+=4; (l)=r; })
|
---|
| 163 | # define HOST_l2c(l,c) ({ unsigned int r=(l); \
|
---|
| 164 | asm ("bswapl %0":"=r"(r):"0"(r)); \
|
---|
| 165 | *((unsigned int *)(c))=r; (c)+=4; r; })
|
---|
| 166 | # endif
|
---|
| 167 | # elif defined(__aarch64__)
|
---|
| 168 | # if defined(__BYTE_ORDER__)
|
---|
| 169 | # if defined(__ORDER_LITTLE_ENDIAN__) && __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
|
---|
| 170 | # define HOST_c2l(c,l) ({ unsigned int r; \
|
---|
| 171 | asm ("rev %w0,%w1" \
|
---|
| 172 | :"=r"(r) \
|
---|
| 173 | :"r"(*((const unsigned int *)(c))));\
|
---|
| 174 | (c)+=4; (l)=r; })
|
---|
| 175 | # define HOST_l2c(l,c) ({ unsigned int r; \
|
---|
| 176 | asm ("rev %w0,%w1" \
|
---|
| 177 | :"=r"(r) \
|
---|
| 178 | :"r"((unsigned int)(l)));\
|
---|
| 179 | *((unsigned int *)(c))=r; (c)+=4; r; })
|
---|
| 180 | # elif defined(__ORDER_BIG_ENDIAN__) && __BYTE_ORDER__==__ORDER_BIG_ENDIAN__
|
---|
| 181 | # define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l))
|
---|
| 182 | # define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l))
|
---|
| 183 | # endif
|
---|
| 184 | # endif
|
---|
| 185 | # endif
|
---|
| 186 | # endif
|
---|
| 187 | # if defined(__s390__) || defined(__s390x__)
|
---|
| 188 | # define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, (l))
|
---|
| 189 | # define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, (l))
|
---|
| 190 | # endif
|
---|
| 191 | # endif
|
---|
| 192 |
|
---|
| 193 | # ifndef HOST_c2l
|
---|
| 194 | # define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \
|
---|
| 195 | l|=(((unsigned long)(*((c)++)))<<16), \
|
---|
| 196 | l|=(((unsigned long)(*((c)++)))<< 8), \
|
---|
| 197 | l|=(((unsigned long)(*((c)++))) ) )
|
---|
| 198 | # endif
|
---|
| 199 | # ifndef HOST_l2c
|
---|
| 200 | # define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
|
---|
| 201 | *((c)++)=(unsigned char)(((l)>>16)&0xff), \
|
---|
| 202 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
|
---|
| 203 | *((c)++)=(unsigned char)(((l) )&0xff), \
|
---|
| 204 | l)
|
---|
| 205 | # endif
|
---|
| 206 |
|
---|
| 207 | #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
|
---|
| 208 |
|
---|
| 209 | # ifndef PEDANTIC
|
---|
| 210 | # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
---|
| 211 | # if defined(__s390x__)
|
---|
| 212 | # define HOST_c2l(c,l) ({ asm ("lrv %0,%1" \
|
---|
| 213 | :"=d"(l) :"m"(*(const unsigned int *)(c)));\
|
---|
| 214 | (c)+=4; (l); })
|
---|
| 215 | # define HOST_l2c(l,c) ({ asm ("strv %1,%0" \
|
---|
| 216 | :"=m"(*(unsigned int *)(c)) :"d"(l));\
|
---|
| 217 | (c)+=4; (l); })
|
---|
| 218 | # endif
|
---|
| 219 | # endif
|
---|
| 220 | # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
|
---|
| 221 | # ifndef B_ENDIAN
|
---|
| 222 | /* See comment in DATA_ORDER_IS_BIG_ENDIAN section. */
|
---|
| 223 | # define HOST_c2l(c,l) ((l)=*((const unsigned int *)(c)), (c)+=4, l)
|
---|
| 224 | # define HOST_l2c(l,c) (*((unsigned int *)(c))=(l), (c)+=4, l)
|
---|
| 225 | # endif
|
---|
| 226 | # endif
|
---|
| 227 | # endif
|
---|
| 228 |
|
---|
| 229 | # ifndef HOST_c2l
|
---|
| 230 | # define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \
|
---|
| 231 | l|=(((unsigned long)(*((c)++)))<< 8), \
|
---|
| 232 | l|=(((unsigned long)(*((c)++)))<<16), \
|
---|
| 233 | l|=(((unsigned long)(*((c)++)))<<24) )
|
---|
| 234 | # endif
|
---|
| 235 | # ifndef HOST_l2c
|
---|
| 236 | # define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
|
---|
| 237 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
|
---|
| 238 | *((c)++)=(unsigned char)(((l)>>16)&0xff), \
|
---|
| 239 | *((c)++)=(unsigned char)(((l)>>24)&0xff), \
|
---|
| 240 | l)
|
---|
| 241 | # endif
|
---|
| 242 |
|
---|
| 243 | #endif
|
---|
| 244 |
|
---|
| 245 | /*
|
---|
| 246 | * Time for some action:-)
|
---|
| 247 | */
|
---|
| 248 |
|
---|
| 249 | int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len)
|
---|
| 250 | {
|
---|
| 251 | const unsigned char *data = data_;
|
---|
| 252 | unsigned char *p;
|
---|
| 253 | HASH_LONG l;
|
---|
| 254 | size_t n;
|
---|
| 255 |
|
---|
| 256 | if (len == 0)
|
---|
| 257 | return 1;
|
---|
| 258 |
|
---|
| 259 | l = (c->Nl + (((HASH_LONG) len) << 3)) & 0xffffffffUL;
|
---|
| 260 | /*
|
---|
| 261 | * 95-05-24 eay Fixed a bug with the overflow handling, thanks to Wei Dai
|
---|
| 262 | * <weidai@eskimo.com> for pointing it out.
|
---|
| 263 | */
|
---|
| 264 | if (l < c->Nl) /* overflow */
|
---|
| 265 | c->Nh++;
|
---|
| 266 | c->Nh += (HASH_LONG) (len >> 29); /* might cause compiler warning on
|
---|
| 267 | * 16-bit */
|
---|
| 268 | c->Nl = l;
|
---|
| 269 |
|
---|
| 270 | n = c->num;
|
---|
| 271 | if (n != 0) {
|
---|
| 272 | p = (unsigned char *)c->data;
|
---|
| 273 |
|
---|
| 274 | if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) {
|
---|
| 275 | memcpy(p + n, data, HASH_CBLOCK - n);
|
---|
| 276 | HASH_BLOCK_DATA_ORDER(c, p, 1);
|
---|
| 277 | n = HASH_CBLOCK - n;
|
---|
| 278 | data += n;
|
---|
| 279 | len -= n;
|
---|
| 280 | c->num = 0;
|
---|
| 281 | /*
|
---|
| 282 | * We use memset rather than OPENSSL_cleanse() here deliberately.
|
---|
| 283 | * Using OPENSSL_cleanse() here could be a performance issue. It
|
---|
| 284 | * will get properly cleansed on finalisation so this isn't a
|
---|
| 285 | * security problem.
|
---|
| 286 | */
|
---|
| 287 | memset(p, 0, HASH_CBLOCK); /* keep it zeroed */
|
---|
| 288 | } else {
|
---|
| 289 | memcpy(p + n, data, len);
|
---|
| 290 | c->num += (unsigned int)len;
|
---|
| 291 | return 1;
|
---|
| 292 | }
|
---|
| 293 | }
|
---|
| 294 |
|
---|
| 295 | n = len / HASH_CBLOCK;
|
---|
| 296 | if (n > 0) {
|
---|
| 297 | HASH_BLOCK_DATA_ORDER(c, data, n);
|
---|
| 298 | n *= HASH_CBLOCK;
|
---|
| 299 | data += n;
|
---|
| 300 | len -= n;
|
---|
| 301 | }
|
---|
| 302 |
|
---|
| 303 | if (len != 0) {
|
---|
| 304 | p = (unsigned char *)c->data;
|
---|
| 305 | c->num = (unsigned int)len;
|
---|
| 306 | memcpy(p, data, len);
|
---|
| 307 | }
|
---|
| 308 | return 1;
|
---|
| 309 | }
|
---|
| 310 |
|
---|
| 311 | void HASH_TRANSFORM(HASH_CTX *c, const unsigned char *data)
|
---|
| 312 | {
|
---|
| 313 | HASH_BLOCK_DATA_ORDER(c, data, 1);
|
---|
| 314 | }
|
---|
| 315 |
|
---|
| 316 | int HASH_FINAL(unsigned char *md, HASH_CTX *c)
|
---|
| 317 | {
|
---|
| 318 | unsigned char *p = (unsigned char *)c->data;
|
---|
| 319 | size_t n = c->num;
|
---|
| 320 |
|
---|
| 321 | p[n] = 0x80; /* there is always room for one */
|
---|
| 322 | n++;
|
---|
| 323 |
|
---|
| 324 | if (n > (HASH_CBLOCK - 8)) {
|
---|
| 325 | memset(p + n, 0, HASH_CBLOCK - n);
|
---|
| 326 | n = 0;
|
---|
| 327 | HASH_BLOCK_DATA_ORDER(c, p, 1);
|
---|
| 328 | }
|
---|
| 329 | memset(p + n, 0, HASH_CBLOCK - 8 - n);
|
---|
| 330 |
|
---|
| 331 | p += HASH_CBLOCK - 8;
|
---|
| 332 | #if defined(DATA_ORDER_IS_BIG_ENDIAN)
|
---|
| 333 | (void)HOST_l2c(c->Nh, p);
|
---|
| 334 | (void)HOST_l2c(c->Nl, p);
|
---|
| 335 | #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
|
---|
| 336 | (void)HOST_l2c(c->Nl, p);
|
---|
| 337 | (void)HOST_l2c(c->Nh, p);
|
---|
| 338 | #endif
|
---|
| 339 | p -= HASH_CBLOCK;
|
---|
| 340 | HASH_BLOCK_DATA_ORDER(c, p, 1);
|
---|
| 341 | c->num = 0;
|
---|
| 342 | OPENSSL_cleanse(p, HASH_CBLOCK);
|
---|
| 343 |
|
---|
| 344 | #ifndef HASH_MAKE_STRING
|
---|
| 345 | # error "HASH_MAKE_STRING must be defined!"
|
---|
| 346 | #else
|
---|
| 347 | HASH_MAKE_STRING(c, md);
|
---|
| 348 | #endif
|
---|
| 349 |
|
---|
| 350 | return 1;
|
---|
| 351 | }
|
---|
| 352 |
|
---|
| 353 | #ifndef MD32_REG_T
|
---|
| 354 | # if defined(__alpha) || defined(__sparcv9) || defined(__mips)
|
---|
| 355 | # define MD32_REG_T long
|
---|
| 356 | /*
|
---|
| 357 | * This comment was originally written for MD5, which is why it
|
---|
| 358 | * discusses A-D. But it basically applies to all 32-bit digests,
|
---|
| 359 | * which is why it was moved to common header file.
|
---|
| 360 | *
|
---|
| 361 | * In case you wonder why A-D are declared as long and not
|
---|
| 362 | * as MD5_LONG. Doing so results in slight performance
|
---|
| 363 | * boost on LP64 architectures. The catch is we don't
|
---|
| 364 | * really care if 32 MSBs of a 64-bit register get polluted
|
---|
| 365 | * with eventual overflows as we *save* only 32 LSBs in
|
---|
| 366 | * *either* case. Now declaring 'em long excuses the compiler
|
---|
| 367 | * from keeping 32 MSBs zeroed resulting in 13% performance
|
---|
| 368 | * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
|
---|
| 369 | * Well, to be honest it should say that this *prevents*
|
---|
| 370 | * performance degradation.
|
---|
| 371 | * <appro@fy.chalmers.se>
|
---|
| 372 | */
|
---|
| 373 | # else
|
---|
| 374 | /*
|
---|
| 375 | * Above is not absolute and there are LP64 compilers that
|
---|
| 376 | * generate better code if MD32_REG_T is defined int. The above
|
---|
| 377 | * pre-processor condition reflects the circumstances under which
|
---|
| 378 | * the conclusion was made and is subject to further extension.
|
---|
| 379 | * <appro@fy.chalmers.se>
|
---|
| 380 | */
|
---|
| 381 | # define MD32_REG_T int
|
---|
| 382 | # endif
|
---|
| 383 | #endif
|
---|