1 files changed, 0 insertions, 496 deletions
diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c
deleted file mode 100644
index 5d002ca62c..0000000000
--- a/src/lib/libcrypto/sha/sha256.c
+++ /dev/null
@@ -1,496 +0,0 @@
-/* $OpenBSD: sha256.c,v 1.33 2025/02/14 12:01:58 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- */
-#include <endian.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/opensslconf.h>
-#include <openssl/crypto.h>
-#include <openssl/sha.h>
-#include "crypto_internal.h"
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
-/* Ensure that SHA_LONG and uint32_t are equivalent. */
-CTASSERT(sizeof(SHA_LONG) == sizeof(uint32_t));
-void sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num);
-void sha256_block_generic(SHA256_CTX *ctx, const void *_in, size_t num);
-#ifndef HAVE_SHA256_BLOCK_GENERIC
-static const SHA_LONG K256[64] = {
-        0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
-        0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
-        0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
-        0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
-        0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-        0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
-        0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
-        0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
-        0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
-        0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-        0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
-        0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
-        0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
-        0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
-        0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-        0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
-};
-static inline SHA_LONG
-Sigma0(SHA_LONG x)
-{
-        return crypto_ror_u32(x, 2) ^ crypto_ror_u32(x, 13) ^
-            crypto_ror_u32(x, 22);
-}
-static inline SHA_LONG
-Sigma1(SHA_LONG x)
-{
-        return crypto_ror_u32(x, 6) ^ crypto_ror_u32(x, 11) ^
-            crypto_ror_u32(x, 25);
-}
-static inline SHA_LONG
-sigma0(SHA_LONG x)
-{
-        return crypto_ror_u32(x, 7) ^ crypto_ror_u32(x, 18) ^ (x >> 3);
-}
-static inline SHA_LONG
-sigma1(SHA_LONG x)
-{
-        return crypto_ror_u32(x, 17) ^ crypto_ror_u32(x, 19) ^ (x >> 10);
-}
-static inline SHA_LONG
-Ch(SHA_LONG x, SHA_LONG y, SHA_LONG z)
-{
-        return (x & y) ^ (~x & z);
-}
-static inline SHA_LONG
-Maj(SHA_LONG x, SHA_LONG y, SHA_LONG z)
-{
-        return (x & y) ^ (x & z) ^ (y & z);
-}
-static inline void
-sha256_msg_schedule_update(SHA_LONG *W0, SHA_LONG W1, SHA_LONG W9, SHA_LONG W14)
-{
-        *W0 = sigma1(W14) + W9 + sigma0(W1) + *W0;
-}
-static inline void
-sha256_round(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d, SHA_LONG *e,
-    SHA_LONG *f, SHA_LONG *g, SHA_LONG *h, SHA_LONG Kt, SHA_LONG Wt)
-{
-        SHA_LONG T1, T2;
-        T1 = *h + Sigma1(*e) + Ch(*e, *f, *g) + Kt + Wt;
-        T2 = Sigma0(*a) + Maj(*a, *b, *c);
-        *h = *g;
-        *g = *f;
-        *f = *e;
-        *e = *d + T1;
-        *d = *c;
-        *c = *b;
-        *b = *a;
-        *a = T1 + T2;
-}
-void
-sha256_block_generic(SHA256_CTX *ctx, const void *_in, size_t num)
-{
-        const uint8_t *in = _in;
-        const SHA_LONG *in32;
-        SHA_LONG a, b, c, d, e, f, g, h;
-        SHA_LONG X[16];
-        int i;
-        while (num--) {
-                a = ctx->h[0];
-                b = ctx->h[1];
-                c = ctx->h[2];
-                d = ctx->h[3];
-                e = ctx->h[4];
-                f = ctx->h[5];
-                g = ctx->h[6];
-                h = ctx->h[7];
-                if ((size_t)in % 4 == 0) {
-                        /* Input is 32 bit aligned. */
-                        in32 = (const SHA_LONG *)in;
-                        X[0] = be32toh(in32[0]);
-                        X[1] = be32toh(in32[1]);
-                        X[2] = be32toh(in32[2]);
-                        X[3] = be32toh(in32[3]);
-                        X[4] = be32toh(in32[4]);
-                        X[5] = be32toh(in32[5]);
-                        X[6] = be32toh(in32[6]);
-                        X[7] = be32toh(in32[7]);
-                        X[8] = be32toh(in32[8]);
-                        X[9] = be32toh(in32[9]);
-                        X[10] = be32toh(in32[10]);
-                        X[11] = be32toh(in32[11]);
-                        X[12] = be32toh(in32[12]);
-                        X[13] = be32toh(in32[13]);
-                        X[14] = be32toh(in32[14]);
-                        X[15] = be32toh(in32[15]);
-                } else {
-                        /* Input is not 32 bit aligned. */
-                        X[0] = crypto_load_be32toh(&in[0 * 4]);
-                        X[1] = crypto_load_be32toh(&in[1 * 4]);
-                        X[2] = crypto_load_be32toh(&in[2 * 4]);
-                        X[3] = crypto_load_be32toh(&in[3 * 4]);
-                        X[4] = crypto_load_be32toh(&in[4 * 4]);
-                        X[5] = crypto_load_be32toh(&in[5 * 4]);
-                        X[6] = crypto_load_be32toh(&in[6 * 4]);
-                        X[7] = crypto_load_be32toh(&in[7 * 4]);
-                        X[8] = crypto_load_be32toh(&in[8 * 4]);
-                        X[9] = crypto_load_be32toh(&in[9 * 4]);
-                        X[10] = crypto_load_be32toh(&in[10 * 4]);
-                        X[11] = crypto_load_be32toh(&in[11 * 4]);
-                        X[12] = crypto_load_be32toh(&in[12 * 4]);
-                        X[13] = crypto_load_be32toh(&in[13 * 4]);
-                        X[14] = crypto_load_be32toh(&in[14 * 4]);
-                        X[15] = crypto_load_be32toh(&in[15 * 4]);
-                }
-                in += SHA256_CBLOCK;
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[0], X[0]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[1], X[1]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[2], X[2]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[3], X[3]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[4], X[4]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[5], X[5]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[6], X[6]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[7], X[7]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[8], X[8]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[9], X[9]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[10], X[10]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[11], X[11]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[12], X[12]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[13], X[13]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[14], X[14]);
-                sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[15], X[15]);
-                for (i = 16; i < 64; i += 16) {
-                        sha256_msg_schedule_update(&X[0], X[1], X[9], X[14]);
-                        sha256_msg_schedule_update(&X[1], X[2], X[10], X[15]);
-                        sha256_msg_schedule_update(&X[2], X[3], X[11], X[0]);
-                        sha256_msg_schedule_update(&X[3], X[4], X[12], X[1]);
-                        sha256_msg_schedule_update(&X[4], X[5], X[13], X[2]);
-                        sha256_msg_schedule_update(&X[5], X[6], X[14], X[3]);
-                        sha256_msg_schedule_update(&X[6], X[7], X[15], X[4]);
-                        sha256_msg_schedule_update(&X[7], X[8], X[0], X[5]);
-                        sha256_msg_schedule_update(&X[8], X[9], X[1], X[6]);
-                        sha256_msg_schedule_update(&X[9], X[10], X[2], X[7]);
-                        sha256_msg_schedule_update(&X[10], X[11], X[3], X[8]);
-                        sha256_msg_schedule_update(&X[11], X[12], X[4], X[9]);
-                        sha256_msg_schedule_update(&X[12], X[13], X[5], X[10]);
-                        sha256_msg_schedule_update(&X[13], X[14], X[6], X[11]);
-                        sha256_msg_schedule_update(&X[14], X[15], X[7], X[12]);
-                        sha256_msg_schedule_update(&X[15], X[0], X[8], X[13]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 0], X[0]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 1], X[1]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 2], X[2]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 3], X[3]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 4], X[4]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 5], X[5]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 6], X[6]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 7], X[7]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 8], X[8]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 9], X[9]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 10], X[10]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 11], X[11]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 12], X[12]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 13], X[13]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 14], X[14]);
-                        sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 15], X[15]);
-                }
-                ctx->h[0] += a;
-                ctx->h[1] += b;
-                ctx->h[2] += c;
-                ctx->h[3] += d;
-                ctx->h[4] += e;
-                ctx->h[5] += f;
-                ctx->h[6] += g;
-                ctx->h[7] += h;
-        }
-}
-#endif
-#ifndef HAVE_SHA256_BLOCK_DATA_ORDER
-void
-sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num)
-{
-        sha256_block_generic(ctx, _in, num);
-}
-#endif
-int
-SHA224_Init(SHA256_CTX *c)
-{
-        memset(c, 0, sizeof(*c));
-        c->h[0] = 0xc1059ed8UL;
-        c->h[1] = 0x367cd507UL;
-        c->h[2] = 0x3070dd17UL;
-        c->h[3] = 0xf70e5939UL;
-        c->h[4] = 0xffc00b31UL;
-        c->h[5] = 0x68581511UL;
-        c->h[6] = 0x64f98fa7UL;
-        c->h[7] = 0xbefa4fa4UL;
-        c->md_len = SHA224_DIGEST_LENGTH;
-        return 1;
-}
-LCRYPTO_ALIAS(SHA224_Init);
-int
-SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
-{
-        return SHA256_Update(c, data, len);
-}
-LCRYPTO_ALIAS(SHA224_Update);
-int
-SHA224_Final(unsigned char *md, SHA256_CTX *c)
-{
-        return SHA256_Final(md, c);
-}
-LCRYPTO_ALIAS(SHA224_Final);
-unsigned char *
-SHA224(const unsigned char *d, size_t n, unsigned char *md)
-{
-        SHA256_CTX c;
-        SHA224_Init(&c);
-        SHA256_Update(&c, d, n);
-        SHA256_Final(md, &c);
-        explicit_bzero(&c, sizeof(c));
-        return (md);
-}
-LCRYPTO_ALIAS(SHA224);
-int
-SHA256_Init(SHA256_CTX *c)
-{
-        memset(c, 0, sizeof(*c));
-        c->h[0] = 0x6a09e667UL;
-        c->h[1] = 0xbb67ae85UL;
-        c->h[2] = 0x3c6ef372UL;
-        c->h[3] = 0xa54ff53aUL;
-        c->h[4] = 0x510e527fUL;
-        c->h[5] = 0x9b05688cUL;
-        c->h[6] = 0x1f83d9abUL;
-        c->h[7] = 0x5be0cd19UL;
-        c->md_len = SHA256_DIGEST_LENGTH;
-        return 1;
-}
-LCRYPTO_ALIAS(SHA256_Init);
-int
-SHA256_Update(SHA256_CTX *c, const void *data_, size_t len)
-{
-        const unsigned char *data = data_;
-        unsigned char *p;
-        SHA_LONG l;
-        size_t n;
-        if (len == 0)
-                return 1;
-        l = (c->Nl + (((SHA_LONG)len) << 3)) & 0xffffffffUL;
-        /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
-         * Wei Dai <weidai@eskimo.com> for pointing it out. */
-        if (l < c->Nl) /* overflow */
-                c->Nh++;
-        c->Nh += (SHA_LONG)(len >> 29); /* might cause compiler warning on 16-bit */
-        c->Nl = l;
-        n = c->num;
-        if (n != 0) {
-                p = (unsigned char *)c->data;
-                if (len >= SHA_CBLOCK || len + n >= SHA_CBLOCK) {
-                        memcpy(p + n, data, SHA_CBLOCK - n);
-                        sha256_block_data_order(c, p, 1);
-                        n = SHA_CBLOCK - n;
-                        data += n;
-                        len -= n;
-                        c->num = 0;
-                        memset(p, 0, SHA_CBLOCK);       /* keep it zeroed */
-                } else {
-                        memcpy(p + n, data, len);
-                        c->num += (unsigned int)len;
-                        return 1;
-                }
-        }
-        n = len/SHA_CBLOCK;
-        if (n > 0) {
-                sha256_block_data_order(c, data, n);
-                n *= SHA_CBLOCK;
-                data += n;
-                len -= n;
-        }
-        if (len != 0) {
-                p = (unsigned char *)c->data;
-                c->num = (unsigned int)len;
-                memcpy(p, data, len);
-        }
-        return 1;
-}
-LCRYPTO_ALIAS(SHA256_Update);
-void
-SHA256_Transform(SHA256_CTX *c, const unsigned char *data)
-{
-        sha256_block_data_order(c, data, 1);
-}
-LCRYPTO_ALIAS(SHA256_Transform);
-int
-SHA256_Final(unsigned char *md, SHA256_CTX *c)
-{
-        unsigned char *p = (unsigned char *)c->data;
-        size_t n = c->num;
-        unsigned int nn;
-        p[n] = 0x80; /* there is always room for one */
-        n++;
-        if (n > (SHA_CBLOCK - 8)) {
-                memset(p + n, 0, SHA_CBLOCK - n);
-                n = 0;
-                sha256_block_data_order(c, p, 1);
-        }
-        memset(p + n, 0, SHA_CBLOCK - 8 - n);
-        c->data[SHA_LBLOCK - 2] = htobe32(c->Nh);
-        c->data[SHA_LBLOCK - 1] = htobe32(c->Nl);
-        sha256_block_data_order(c, p, 1);
-        c->num = 0;
-        memset(p, 0, SHA_CBLOCK);
-        /*
-         * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
-         * default: case below covers for it. It's not clear however if it's
-         * permitted to truncate to amount of bytes not divisible by 4. I bet not,
-         * but if it is, then default: case shall be extended. For reference.
-         * Idea behind separate cases for pre-defined lengths is to let the
-         * compiler decide if it's appropriate to unroll small loops.
-         */
-        switch (c->md_len) {
-        case SHA224_DIGEST_LENGTH:
-                for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {
-                        crypto_store_htobe32(md, c->h[nn]);
-                        md += 4;
-                }
-                break;
-        case SHA256_DIGEST_LENGTH:
-                for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {
-                        crypto_store_htobe32(md, c->h[nn]);
-                        md += 4;
-                }
-                break;
-        default:
-                if (c->md_len > SHA256_DIGEST_LENGTH)
-                        return 0;
-                for (nn = 0; nn < c->md_len / 4; nn++) {
-                        crypto_store_htobe32(md, c->h[nn]);
-                        md += 4;
-                }
-                break;
-        }
-        return 1;
-}
-LCRYPTO_ALIAS(SHA256_Final);
-unsigned char *
-SHA256(const unsigned char *d, size_t n, unsigned char *md)
-{
-        SHA256_CTX c;
-        SHA256_Init(&c);
-        SHA256_Update(&c, d, n);
-        SHA256_Final(md, &c);
-        explicit_bzero(&c, sizeof(c));
-        return (md);
-}
-LCRYPTO_ALIAS(SHA256);
-#endif /* OPENSSL_NO_SHA256 */

diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c deleted file mode 100644 index 5d002ca62c..0000000000 --- a/src/lib/libcrypto/sha/sha256.c +++ /dev/null
@@ -1,496 +0,0 @@
1	/* $OpenBSD: sha256.c,v 1.33 2025/02/14 12:01:58 jsing Exp $ */
2	/* ====================================================================
3	* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
4	*
5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions
7	* are met:
8	*
9	* 1. Redistributions of source code must retain the above copyright
10	* notice, this list of conditions and the following disclaimer.
11	*
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in
14	* the documentation and/or other materials provided with the
15	* distribution.
16	*
17	* 3. All advertising materials mentioning features or use of this
18	* software must display the following acknowledgment:
19	* "This product includes software developed by the OpenSSL Project
20	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21	*
22	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23	* endorse or promote products derived from this software without
24	* prior written permission. For written permission, please contact
25	* openssl-core@openssl.org.
26	*
27	* 5. Products derived from this software may not be called "OpenSSL"
28	* nor may "OpenSSL" appear in their names without prior written
29	* permission of the OpenSSL Project.
30	*
31	* 6. Redistributions of any form whatsoever must retain the following
32	* acknowledgment:
33	* "This product includes software developed by the OpenSSL Project
34	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35	*
36	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47	* OF THE POSSIBILITY OF SUCH DAMAGE.
48	* ====================================================================
49	*
50	* This product includes cryptographic software written by Eric Young
51	* (eay@cryptsoft.com). This product includes software written by Tim
52	* Hudson (tjh@cryptsoft.com).
53	*/
54
55	#include <endian.h>
56	#include <stdlib.h>
57	#include <string.h>
58
59	#include <openssl/opensslconf.h>
60
61	#include <openssl/crypto.h>
62	#include <openssl/sha.h>
63
64	#include "crypto_internal.h"
65
66	#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
67
68	/* Ensure that SHA_LONG and uint32_t are equivalent. */
69	CTASSERT(sizeof(SHA_LONG) == sizeof(uint32_t));
70
71	void sha256_block_data_order(SHA256_CTX ctx, const void _in, size_t num);
72	void sha256_block_generic(SHA256_CTX ctx, const void _in, size_t num);
73
74	#ifndef HAVE_SHA256_BLOCK_GENERIC
75	static const SHA_LONG K256[64] = {
76	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
77	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
78	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
79	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
80	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
81	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
82	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
83	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
84	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
85	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
86	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
87	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
88	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
89	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
90	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
91	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
92	};
93
94	static inline SHA_LONG
95	Sigma0(SHA_LONG x)
96	{
97	return crypto_ror_u32(x, 2) ^ crypto_ror_u32(x, 13) ^
98	crypto_ror_u32(x, 22);
99	}
100
101	static inline SHA_LONG
102	Sigma1(SHA_LONG x)
103	{
104	return crypto_ror_u32(x, 6) ^ crypto_ror_u32(x, 11) ^
105	crypto_ror_u32(x, 25);
106	}
107
108	static inline SHA_LONG
109	sigma0(SHA_LONG x)
110	{
111	return crypto_ror_u32(x, 7) ^ crypto_ror_u32(x, 18) ^ (x >> 3);
112	}
113
114	static inline SHA_LONG
115	sigma1(SHA_LONG x)
116	{
117	return crypto_ror_u32(x, 17) ^ crypto_ror_u32(x, 19) ^ (x >> 10);
118	}
119
120	static inline SHA_LONG
121	Ch(SHA_LONG x, SHA_LONG y, SHA_LONG z)
122	{
123	return (x & y) ^ (~x & z);
124	}
125
126	static inline SHA_LONG
127	Maj(SHA_LONG x, SHA_LONG y, SHA_LONG z)
128	{
129	return (x & y) ^ (x & z) ^ (y & z);
130	}
131
132	static inline void
133	sha256_msg_schedule_update(SHA_LONG *W0, SHA_LONG W1, SHA_LONG W9, SHA_LONG W14)
134	{
135	W0 = sigma1(W14) + W9 + sigma0(W1) + W0;
136	}
137
138	static inline void
139	sha256_round(SHA_LONG a, SHA_LONG b, SHA_LONG c, SHA_LONG d, SHA_LONG *e,
140	SHA_LONG f, SHA_LONG g, SHA_LONG *h, SHA_LONG Kt, SHA_LONG Wt)
141	{
142	SHA_LONG T1, T2;
143
144	T1 = h + Sigma1(e) + Ch(e, f, *g) + Kt + Wt;
145	T2 = Sigma0(a) + Maj(a, b, c);
146
147	h = g;
148	g = f;
149	f = e;
150	e = d + T1;
151	d = c;
152	c = b;
153	b = a;
154	*a = T1 + T2;
155	}
156
157	void
158	sha256_block_generic(SHA256_CTX ctx, const void _in, size_t num)
159	{
160	const uint8_t *in = _in;
161	const SHA_LONG *in32;
162	SHA_LONG a, b, c, d, e, f, g, h;
163	SHA_LONG X[16];
164	int i;
165
166	while (num--) {
167	a = ctx->h[0];
168	b = ctx->h[1];
169	c = ctx->h[2];
170	d = ctx->h[3];
171	e = ctx->h[4];
172	f = ctx->h[5];
173	g = ctx->h[6];
174	h = ctx->h[7];
175
176	if ((size_t)in % 4 == 0) {
177	/* Input is 32 bit aligned. */
178	in32 = (const SHA_LONG *)in;
179	X[0] = be32toh(in32[0]);
180	X[1] = be32toh(in32[1]);
181	X[2] = be32toh(in32[2]);
182	X[3] = be32toh(in32[3]);
183	X[4] = be32toh(in32[4]);
184	X[5] = be32toh(in32[5]);
185	X[6] = be32toh(in32[6]);
186	X[7] = be32toh(in32[7]);
187	X[8] = be32toh(in32[8]);
188	X[9] = be32toh(in32[9]);
189	X[10] = be32toh(in32[10]);
190	X[11] = be32toh(in32[11]);
191	X[12] = be32toh(in32[12]);
192	X[13] = be32toh(in32[13]);
193	X[14] = be32toh(in32[14]);
194	X[15] = be32toh(in32[15]);
195	} else {
196	/* Input is not 32 bit aligned. */
197	X[0] = crypto_load_be32toh(&in[0 * 4]);
198	X[1] = crypto_load_be32toh(&in[1 * 4]);
199	X[2] = crypto_load_be32toh(&in[2 * 4]);
200	X[3] = crypto_load_be32toh(&in[3 * 4]);
201	X[4] = crypto_load_be32toh(&in[4 * 4]);
202	X[5] = crypto_load_be32toh(&in[5 * 4]);
203	X[6] = crypto_load_be32toh(&in[6 * 4]);
204	X[7] = crypto_load_be32toh(&in[7 * 4]);
205	X[8] = crypto_load_be32toh(&in[8 * 4]);
206	X[9] = crypto_load_be32toh(&in[9 * 4]);
207	X[10] = crypto_load_be32toh(&in[10 * 4]);
208	X[11] = crypto_load_be32toh(&in[11 * 4]);
209	X[12] = crypto_load_be32toh(&in[12 * 4]);
210	X[13] = crypto_load_be32toh(&in[13 * 4]);
211	X[14] = crypto_load_be32toh(&in[14 * 4]);
212	X[15] = crypto_load_be32toh(&in[15 * 4]);
213	}
214	in += SHA256_CBLOCK;
215
216	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[0], X[0]);
217	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[1], X[1]);
218	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[2], X[2]);
219	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[3], X[3]);
220	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[4], X[4]);
221	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[5], X[5]);
222	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[6], X[6]);
223	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[7], X[7]);
224	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[8], X[8]);
225	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[9], X[9]);
226	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[10], X[10]);
227	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[11], X[11]);
228	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[12], X[12]);
229	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[13], X[13]);
230	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[14], X[14]);
231	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[15], X[15]);
232
233	for (i = 16; i < 64; i += 16) {
234	sha256_msg_schedule_update(&X[0], X[1], X[9], X[14]);
235	sha256_msg_schedule_update(&X[1], X[2], X[10], X[15]);
236	sha256_msg_schedule_update(&X[2], X[3], X[11], X[0]);
237	sha256_msg_schedule_update(&X[3], X[4], X[12], X[1]);
238	sha256_msg_schedule_update(&X[4], X[5], X[13], X[2]);
239	sha256_msg_schedule_update(&X[5], X[6], X[14], X[3]);
240	sha256_msg_schedule_update(&X[6], X[7], X[15], X[4]);
241	sha256_msg_schedule_update(&X[7], X[8], X[0], X[5]);
242	sha256_msg_schedule_update(&X[8], X[9], X[1], X[6]);
243	sha256_msg_schedule_update(&X[9], X[10], X[2], X[7]);
244	sha256_msg_schedule_update(&X[10], X[11], X[3], X[8]);
245	sha256_msg_schedule_update(&X[11], X[12], X[4], X[9]);
246	sha256_msg_schedule_update(&X[12], X[13], X[5], X[10]);
247	sha256_msg_schedule_update(&X[13], X[14], X[6], X[11]);
248	sha256_msg_schedule_update(&X[14], X[15], X[7], X[12]);
249	sha256_msg_schedule_update(&X[15], X[0], X[8], X[13]);
250
251	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 0], X[0]);
252	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 1], X[1]);
253	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 2], X[2]);
254	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 3], X[3]);
255	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 4], X[4]);
256	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 5], X[5]);
257	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 6], X[6]);
258	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 7], X[7]);
259	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 8], X[8]);
260	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 9], X[9]);
261	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 10], X[10]);
262	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 11], X[11]);
263	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 12], X[12]);
264	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 13], X[13]);
265	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 14], X[14]);
266	sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 15], X[15]);
267	}
268
269	ctx->h[0] += a;
270	ctx->h[1] += b;
271	ctx->h[2] += c;
272	ctx->h[3] += d;
273	ctx->h[4] += e;
274	ctx->h[5] += f;
275	ctx->h[6] += g;
276	ctx->h[7] += h;
277	}
278	}
279	#endif
280
281	#ifndef HAVE_SHA256_BLOCK_DATA_ORDER
282	void
283	sha256_block_data_order(SHA256_CTX ctx, const void _in, size_t num)
284	{
285	sha256_block_generic(ctx, _in, num);
286	}
287	#endif
288
289	int
290	SHA224_Init(SHA256_CTX *c)
291	{
292	memset(c, 0, sizeof(*c));
293
294	c->h[0] = 0xc1059ed8UL;
295	c->h[1] = 0x367cd507UL;
296	c->h[2] = 0x3070dd17UL;
297	c->h[3] = 0xf70e5939UL;
298	c->h[4] = 0xffc00b31UL;
299	c->h[5] = 0x68581511UL;
300	c->h[6] = 0x64f98fa7UL;
301	c->h[7] = 0xbefa4fa4UL;
302
303	c->md_len = SHA224_DIGEST_LENGTH;
304
305	return 1;
306	}
307	LCRYPTO_ALIAS(SHA224_Init);
308
309	int
310	SHA224_Update(SHA256_CTX c, const void data, size_t len)
311	{
312	return SHA256_Update(c, data, len);
313	}
314	LCRYPTO_ALIAS(SHA224_Update);
315
316	int
317	SHA224_Final(unsigned char md, SHA256_CTX c)
318	{
319	return SHA256_Final(md, c);
320	}
321	LCRYPTO_ALIAS(SHA224_Final);
322
323	unsigned char *
324	SHA224(const unsigned char d, size_t n, unsigned char md)
325	{
326	SHA256_CTX c;
327
328	SHA224_Init(&c);
329	SHA256_Update(&c, d, n);
330	SHA256_Final(md, &c);
331
332	explicit_bzero(&c, sizeof(c));
333
334	return (md);
335	}
336	LCRYPTO_ALIAS(SHA224);
337
338	int
339	SHA256_Init(SHA256_CTX *c)
340	{
341	memset(c, 0, sizeof(*c));
342
343	c->h[0] = 0x6a09e667UL;
344	c->h[1] = 0xbb67ae85UL;
345	c->h[2] = 0x3c6ef372UL;
346	c->h[3] = 0xa54ff53aUL;
347	c->h[4] = 0x510e527fUL;
348	c->h[5] = 0x9b05688cUL;
349	c->h[6] = 0x1f83d9abUL;
350	c->h[7] = 0x5be0cd19UL;
351
352	c->md_len = SHA256_DIGEST_LENGTH;
353
354	return 1;
355	}
356	LCRYPTO_ALIAS(SHA256_Init);
357
358	int
359	SHA256_Update(SHA256_CTX c, const void data_, size_t len)
360	{
361	const unsigned char *data = data_;
362	unsigned char *p;
363	SHA_LONG l;
364	size_t n;
365
366	if (len == 0)
367	return 1;
368
369	l = (c->Nl + (((SHA_LONG)len) << 3)) & 0xffffffffUL;
370	/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
371	* Wei Dai <weidai@eskimo.com> for pointing it out. */
372	if (l < c->Nl) /* overflow */
373	c->Nh++;
374	c->Nh += (SHA_LONG)(len >> 29); /* might cause compiler warning on 16-bit */
375	c->Nl = l;
376
377	n = c->num;
378	if (n != 0) {
379	p = (unsigned char *)c->data;
380
381	if (len >= SHA_CBLOCK \|\| len + n >= SHA_CBLOCK) {
382	memcpy(p + n, data, SHA_CBLOCK - n);
383	sha256_block_data_order(c, p, 1);
384	n = SHA_CBLOCK - n;
385	data += n;
386	len -= n;
387	c->num = 0;
388	memset(p, 0, SHA_CBLOCK); /* keep it zeroed */
389	} else {
390	memcpy(p + n, data, len);
391	c->num += (unsigned int)len;
392	return 1;
393	}
394	}
395
396	n = len/SHA_CBLOCK;
397	if (n > 0) {
398	sha256_block_data_order(c, data, n);
399	n *= SHA_CBLOCK;
400	data += n;
401	len -= n;
402	}
403
404	if (len != 0) {
405	p = (unsigned char *)c->data;
406	c->num = (unsigned int)len;
407	memcpy(p, data, len);
408	}
409	return 1;
410	}
411	LCRYPTO_ALIAS(SHA256_Update);
412
413	void
414	SHA256_Transform(SHA256_CTX c, const unsigned char data)
415	{
416	sha256_block_data_order(c, data, 1);
417	}
418	LCRYPTO_ALIAS(SHA256_Transform);
419
420	int
421	SHA256_Final(unsigned char md, SHA256_CTX c)
422	{
423	unsigned char p = (unsigned char )c->data;
424	size_t n = c->num;
425	unsigned int nn;
426
427	p[n] = 0x80; /* there is always room for one */
428	n++;
429
430	if (n > (SHA_CBLOCK - 8)) {
431	memset(p + n, 0, SHA_CBLOCK - n);
432	n = 0;
433	sha256_block_data_order(c, p, 1);
434	}
435
436	memset(p + n, 0, SHA_CBLOCK - 8 - n);
437	c->data[SHA_LBLOCK - 2] = htobe32(c->Nh);
438	c->data[SHA_LBLOCK - 1] = htobe32(c->Nl);
439
440	sha256_block_data_order(c, p, 1);
441	c->num = 0;
442	memset(p, 0, SHA_CBLOCK);
443
444	/*
445	* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
446	* default: case below covers for it. It's not clear however if it's
447	* permitted to truncate to amount of bytes not divisible by 4. I bet not,
448	* but if it is, then default: case shall be extended. For reference.
449	* Idea behind separate cases for pre-defined lengths is to let the
450	* compiler decide if it's appropriate to unroll small loops.
451	*/
452	switch (c->md_len) {
453	case SHA224_DIGEST_LENGTH:
454	for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {
455	crypto_store_htobe32(md, c->h[nn]);
456	md += 4;
457	}
458	break;
459
460	case SHA256_DIGEST_LENGTH:
461	for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {
462	crypto_store_htobe32(md, c->h[nn]);
463	md += 4;
464	}
465	break;
466
467	default:
468	if (c->md_len > SHA256_DIGEST_LENGTH)
469	return 0;
470	for (nn = 0; nn < c->md_len / 4; nn++) {
471	crypto_store_htobe32(md, c->h[nn]);
472	md += 4;
473	}
474	break;
475	}
476
477	return 1;
478	}
479	LCRYPTO_ALIAS(SHA256_Final);
480
481	unsigned char *
482	SHA256(const unsigned char d, size_t n, unsigned char md)
483	{
484	SHA256_CTX c;
485
486	SHA256_Init(&c);
487	SHA256_Update(&c, d, n);
488	SHA256_Final(md, &c);
489
490	explicit_bzero(&c, sizeof(c));
491
492	return (md);
493	}
494	LCRYPTO_ALIAS(SHA256);
495
496	#endif /* OPENSSL_NO_SHA256 */