Add support for truncated SHA512 variants.

This adds support for SHA512/224 and SHA512/256, as specified in FIPS
FIPS 180-4. These are truncated versions of the SHA512 hash.

ok tb@

2 files changed, 115 insertions, 2 deletions

diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c
index a702d7d23b..4a4194350b 100644
--- a/src/lib/libcrypto/sha/sha512.c
+++ b/src/lib/libcrypto/sha/sha512.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512.c,v 1.33 2023/04/14 10:41:34 jsing Exp $ */
+/* $OpenBSD: sha512.c,v 1.34 2023/04/14 10:45:15 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -62,6 +62,7 @@
 #include <openssl/sha.h>
 
 #include "crypto_internal.h"
+#include "sha_internal.h"
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
 
@@ -547,6 +548,19 @@ SHA512_Final(unsigned char *md, SHA512_CTX *c)
 
         /* Let compiler decide if it's appropriate to unroll... */
         switch (c->md_len) {
+        case SHA512_224_DIGEST_LENGTH:
+                for (n = 0; n < SHA512_224_DIGEST_LENGTH/8; n++) {
+                        crypto_store_htobe64(md, c->h[n]);
+                        md += 8;
+                }
+                crypto_store_htobe32(md, c->h[n] >> 32);
+                break;
+        case SHA512_256_DIGEST_LENGTH:
+                for (n = 0; n < SHA512_256_DIGEST_LENGTH/8; n++) {
+                        crypto_store_htobe64(md, c->h[n]);
+                        md += 8;
+                }
+                break;
         case SHA384_DIGEST_LENGTH:
                 for (n = 0; n < SHA384_DIGEST_LENGTH/8; n++) {
                         crypto_store_htobe64(md, c->h[n]);
@@ -559,7 +573,6 @@ SHA512_Final(unsigned char *md, SHA512_CTX *c)
                         md += 8;
                 }
                 break;
-                /* ... as well as make sure md_len is not abused. */
         default:
                 return 0;
         }
@@ -585,4 +598,68 @@ SHA512(const unsigned char *d, size_t n, unsigned char *md)
         return (md);
 }
 
+int
+SHA512_224_Init(SHA512_CTX *c)
+{
+        memset(c, 0, sizeof(*c));
+
+        /* FIPS 180-4 section 5.3.6.1. */
+        c->h[0] = U64(0x8c3d37c819544da2);
+        c->h[1] = U64(0x73e1996689dcd4d6);
+        c->h[2] = U64(0x1dfab7ae32ff9c82);
+        c->h[3] = U64(0x679dd514582f9fcf);
+        c->h[4] = U64(0x0f6d2b697bd44da8);
+        c->h[5] = U64(0x77e36f7304c48942);
+        c->h[6] = U64(0x3f9d85a86a1d36c8);
+        c->h[7] = U64(0x1112e6ad91d692a1);
+
+        c->md_len = SHA512_224_DIGEST_LENGTH;
+
+        return 1;
+}
+
+int
+SHA512_224_Update(SHA512_CTX *c, const void *data, size_t len)
+{
+        return SHA512_Update(c, data, len);
+}
+
+int
+SHA512_224_Final(unsigned char *md, SHA512_CTX *c)
+{
+        return SHA512_Final(md, c);
+}
+
+int
+SHA512_256_Init(SHA512_CTX *c)
+{
+        memset(c, 0, sizeof(*c));
+
+        /* FIPS 180-4 section 5.3.6.2. */
+        c->h[0] = U64(0x22312194fc2bf72c);
+        c->h[1] = U64(0x9f555fa3c84c64c2);
+        c->h[2] = U64(0x2393b86b6f53b151);
+        c->h[3] = U64(0x963877195940eabd);
+        c->h[4] = U64(0x96283ee2a88effe3);
+        c->h[5] = U64(0xbe5e1e2553863992);
+        c->h[6] = U64(0x2b0199fc2c85b8aa);
+        c->h[7] = U64(0x0eb72ddc81c52ca2);
+
+        c->md_len = SHA512_256_DIGEST_LENGTH;
+
+        return 1;
+}
+
+int
+SHA512_256_Update(SHA512_CTX *c, const void *data, size_t len)
+{
+        return SHA512_Update(c, data, len);
+}
+
+int
+SHA512_256_Final(unsigned char *md, SHA512_CTX *c)
+{
+        return SHA512_Final(md, c);
+}
+
 #endif /* !OPENSSL_NO_SHA512 */
diff --git a/src/lib/libcrypto/sha/sha_internal.h b/src/lib/libcrypto/sha/sha_internal.h
new file mode 100644
index 0000000000..c479993185
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha_internal.h
@@ -0,0 +1,36 @@
+/*      $OpenBSD: sha_internal.h,v 1.1 2023/04/14 10:45:15 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/sha.h>
+
+#ifndef HEADER_SHA_INTERNAL_H
+#define HEADER_SHA_INTERNAL_H
+
+#define SHA512_224_DIGEST_LENGTH        28
+#define SHA512_256_DIGEST_LENGTH        32
+
+int SHA512_224_Init(SHA512_CTX *c);
+int SHA512_224_Update(SHA512_CTX *c, const void *data, size_t len)
+        __attribute__ ((__bounded__(__buffer__,2,3)));
+int SHA512_224_Final(unsigned char *md, SHA512_CTX *c);
+
+int SHA512_256_Init(SHA512_CTX *c);
+int SHA512_256_Update(SHA512_CTX *c, const void *data, size_t len)
+        __attribute__ ((__bounded__(__buffer__,2,3)));
+int SHA512_256_Final(unsigned char *md, SHA512_CTX *c);
+
+#endif