1
/* crypto/md32_common.h */
2
/* ====================================================================
3
* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
5
* Redistribution and use in source and binary forms, with or without
6
* modification, are permitted provided that the following conditions
9
* 1. Redistributions of source code must retain the above copyright
10
* notice, this list of conditions and the following disclaimer.
12
* 2. Redistributions in binary form must reproduce the above copyright
13
* notice, this list of conditions and the following disclaimer in
14
* the documentation and/or other materials provided with the
17
* 3. All advertising materials mentioning features or use of this
18
* software must display the following acknowledgment:
19
* "This product includes software developed by the OpenSSL Project
20
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
22
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23
* endorse or promote products derived from this software without
24
* prior written permission. For written permission, please contact
25
* licensing@OpenSSL.org.
27
* 5. Products derived from this software may not be called "OpenSSL"
28
* nor may "OpenSSL" appear in their names without prior written
29
* permission of the OpenSSL Project.
31
* 6. Redistributions of any form whatsoever must retain the following
33
* "This product includes software developed by the OpenSSL Project
34
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
36
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47
* OF THE POSSIBILITY OF SUCH DAMAGE.
48
* ====================================================================
50
* This product includes cryptographic software written by Eric Young
51
* (eay@cryptsoft.com). This product includes software written by Tim
52
* Hudson (tjh@cryptsoft.com).
57
* This is a generic 32 bit "collector" for message digest algorithms.
58
* Whenever needed it collects input character stream into chunks of
59
* 32 bit values and invokes a block function that performs actual hash
66
* DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
67
* this macro defines byte order of input stream.
69
* size of a unit chunk HASH_BLOCK operates on.
71
* has to be at lest 32 bit wide, if it's wider, then
72
* HASH_LONG_LOG2 *has to* be defined along
74
* context structure that at least contains following
79
* HASH_LONG data[HASH_LBLOCK];
84
* name of "Update" function, implemented here.
86
* name of "Transform" function, implemented here.
88
* name of "Final" function, implemented here.
89
* HASH_BLOCK_HOST_ORDER
90
* name of "block" function treating *aligned* input message
91
* in host byte order, implemented externally.
92
* HASH_BLOCK_DATA_ORDER
93
* name of "block" function treating *unaligned* input message
94
* in original (data) byte order, implemented externally (it
95
* actually is optional if data and host are of the same
98
* macro convering context variables to an ASCII hash string.
102
* B_ENDIAN or L_ENDIAN
103
* defines host byte-order.
105
* defaults to 2 if not states otherwise.
107
* assumed to be HASH_CBLOCK/4 if not stated otherwise.
108
* HASH_BLOCK_DATA_ORDER_ALIGNED
109
* alternative "block" function capable of treating
110
* aligned input message in original (data) order,
111
* implemented externally.
115
* #define DATA_ORDER_IS_LITTLE_ENDIAN
117
* #define HASH_LONG MD5_LONG
118
* #define HASH_LONG_LOG2 MD5_LONG_LOG2
119
* #define HASH_CTX MD5_CTX
120
* #define HASH_CBLOCK MD5_CBLOCK
121
* #define HASH_LBLOCK MD5_LBLOCK
122
* #define HASH_UPDATE MD5_Update
123
* #define HASH_TRANSFORM MD5_Transform
124
* #define HASH_FINAL MD5_Final
125
* #define HASH_BLOCK_HOST_ORDER md5_block_host_order
126
* #define HASH_BLOCK_DATA_ORDER md5_block_data_order
128
* <appro@fy.chalmers.se>
131
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
132
#error "DATA_ORDER must be defined!"
136
#error "HASH_CBLOCK must be defined!"
139
#error "HASH_LONG must be defined!"
142
#error "HASH_CTX must be defined!"
146
#error "HASH_UPDATE must be defined!"
148
#ifndef HASH_TRANSFORM
149
#error "HASH_TRANSFORM must be defined!"
152
#error "HASH_FINAL must be defined!"
155
#ifndef HASH_BLOCK_HOST_ORDER
156
#error "HASH_BLOCK_HOST_ORDER must be defined!"
161
* Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
164
#ifndef HASH_BLOCK_DATA_ORDER
165
#error "HASH_BLOCK_DATA_ORDER must be defined!"
170
#define HASH_LBLOCK (HASH_CBLOCK/4)
173
#ifndef HASH_LONG_LOG2
174
#define HASH_LONG_LOG2 2
178
* Engage compiler specific rotate intrinsic function if available.
182
# if defined(_MSC_VER) || defined(__ICC)
183
# define ROTATE(a,n) _lrotl(a,n)
184
# elif defined(__MWERKS__)
185
# if defined(__POWERPC__)
186
# define ROTATE(a,n) __rlwinm(a,n,0,31)
187
# elif defined(__MC68K__)
188
/* Motorola specific tweak. <appro@fy.chalmers.se> */
189
# define ROTATE(a,n) ( n<24 ? __rol(a,n) : __ror(a,32-n) )
191
# define ROTATE(a,n) __rol(a,n)
193
# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
195
* Some GNU C inline assembler templates. Note that these are
196
* rotates by *constant* number of bits! But that's exactly
197
* what we need here...
199
* <appro@fy.chalmers.se>
201
# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
202
# define ROTATE(a,n) ({ register unsigned int ret; \
210
# elif defined(__powerpc) || defined(__ppc)
211
# define ROTATE(a,n) ({ register unsigned int ret; \
213
"rlwinm %0,%1,%2,0,31" \
222
* Engage compiler specific "fetch in reverse byte order"
223
* intrinsic function if available.
225
# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
226
/* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
227
# if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
228
# define BE_FETCH32(a) ({ register unsigned int l=(a);\
231
: "=r"(l) : "0"(l)); \
234
# elif defined(__powerpc)
235
# define LE_FETCH32(a) ({ register unsigned int l; \
243
# elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
244
# define LE_FETCH32(a) ({ register unsigned int l; \
246
"lda [%1]#ASI_PRIMARY_LITTLE,%0"\
253
#endif /* PEDANTIC */
255
#if HASH_LONG_LOG2==2 /* Engage only if sizeof(HASH_LONG)== 4 */
256
/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
258
/* 5 instructions with rotate instruction, else 9 */
259
#define REVERSE_FETCH32(a,l) ( \
260
l=*(const HASH_LONG *)(a), \
261
((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24))) \
264
/* 6 instructions with rotate instruction, else 8 */
265
#define REVERSE_FETCH32(a,l) ( \
266
l=*(const HASH_LONG *)(a), \
267
l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)), \
271
* Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
272
* It's rewritten as above for two reasons:
273
* - RISCs aren't good at long constants and have to explicitely
274
* compose 'em with several (well, usually 2) instructions in a
275
* register before performing the actual operation and (as you
276
* already realized:-) having same constant should inspire the
277
* compiler to permanently allocate the only register for it;
278
* - most modern CPUs have two ALUs, but usually only one has
279
* circuitry for shifts:-( this minor tweak inspires compiler
280
* to schedule shift instructions in a better way...
282
* <appro@fy.chalmers.se>
288
#define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
292
* Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
293
* and HASH_BLOCK_HOST_ORDER ought to be the same if input data
294
* and host are of the same "endianess". It's possible to mask
295
* this with blank #define HASH_BLOCK_DATA_ORDER though...
297
* <appro@fy.chalmers.se>
299
#if defined(B_ENDIAN)
300
# if defined(DATA_ORDER_IS_BIG_ENDIAN)
301
# if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
302
# define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
304
# elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
305
# ifndef HOST_FETCH32
307
# define HOST_FETCH32(p,l) LE_FETCH32(p)
308
# elif defined(REVERSE_FETCH32)
309
# define HOST_FETCH32(p,l) REVERSE_FETCH32(p,l)
313
#elif defined(L_ENDIAN)
314
# if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
315
# if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
316
# define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
318
# elif defined(DATA_ORDER_IS_BIG_ENDIAN)
319
# ifndef HOST_FETCH32
321
# define HOST_FETCH32(p,l) BE_FETCH32(p)
322
# elif defined(REVERSE_FETCH32)
323
# define HOST_FETCH32(p,l) REVERSE_FETCH32(p,l)
329
#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
330
#ifndef HASH_BLOCK_DATA_ORDER
331
#error "HASH_BLOCK_DATA_ORDER must be defined!"
335
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
337
#define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \
338
l|=(((unsigned long)(*((c)++)))<<16), \
339
l|=(((unsigned long)(*((c)++)))<< 8), \
340
l|=(((unsigned long)(*((c)++))) ), \
342
#define HOST_p_c2l(c,l,n) { \
344
case 0: l =((unsigned long)(*((c)++)))<<24; \
345
case 1: l|=((unsigned long)(*((c)++)))<<16; \
346
case 2: l|=((unsigned long)(*((c)++)))<< 8; \
347
case 3: l|=((unsigned long)(*((c)++))); \
349
#define HOST_p_c2l_p(c,l,sc,len) { \
351
case 0: l =((unsigned long)(*((c)++)))<<24; \
352
if (--len == 0) break; \
353
case 1: l|=((unsigned long)(*((c)++)))<<16; \
354
if (--len == 0) break; \
355
case 2: l|=((unsigned long)(*((c)++)))<< 8; \
357
/* NOTE the pointer is not incremented at the end of this */
358
#define HOST_c2l_p(c,l,n) { \
361
case 3: l =((unsigned long)(*(--(c))))<< 8; \
362
case 2: l|=((unsigned long)(*(--(c))))<<16; \
363
case 1: l|=((unsigned long)(*(--(c))))<<24; \
365
#define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
366
*((c)++)=(unsigned char)(((l)>>16)&0xff), \
367
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
368
*((c)++)=(unsigned char)(((l) )&0xff), \
371
#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
373
#define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \
374
l|=(((unsigned long)(*((c)++)))<< 8), \
375
l|=(((unsigned long)(*((c)++)))<<16), \
376
l|=(((unsigned long)(*((c)++)))<<24), \
378
#define HOST_p_c2l(c,l,n) { \
380
case 0: l =((unsigned long)(*((c)++))); \
381
case 1: l|=((unsigned long)(*((c)++)))<< 8; \
382
case 2: l|=((unsigned long)(*((c)++)))<<16; \
383
case 3: l|=((unsigned long)(*((c)++)))<<24; \
385
#define HOST_p_c2l_p(c,l,sc,len) { \
387
case 0: l =((unsigned long)(*((c)++))); \
388
if (--len == 0) break; \
389
case 1: l|=((unsigned long)(*((c)++)))<< 8; \
390
if (--len == 0) break; \
391
case 2: l|=((unsigned long)(*((c)++)))<<16; \
393
/* NOTE the pointer is not incremented at the end of this */
394
#define HOST_c2l_p(c,l,n) { \
397
case 3: l =((unsigned long)(*(--(c))))<<16; \
398
case 2: l|=((unsigned long)(*(--(c))))<< 8; \
399
case 1: l|=((unsigned long)(*(--(c)))); \
401
#define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
402
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
403
*((c)++)=(unsigned char)(((l)>>16)&0xff), \
404
*((c)++)=(unsigned char)(((l)>>24)&0xff), \
410
* Time for some action:-)
413
int HASH_UPDATE (HASH_CTX *c, const void *data_, FIPS_SHA_SIZE_T len)
415
const unsigned char *data=data_;
416
register HASH_LONG * p;
417
register HASH_LONG l;
420
if(FIPS_selftest_failed())
423
if (len==0) return 1;
425
l=(c->Nl+(((HASH_LONG)len)<<3))&0xffffffffUL;
426
/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
427
* Wei Dai <weidai@eskimo.com> for pointing it out. */
428
if (l < c->Nl) /* overflow */
439
if ((c->num+len) >= HASH_CBLOCK)
441
l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
442
for (; sw<HASH_LBLOCK; sw++)
444
HOST_c2l(data,l); p[sw]=l;
446
HASH_BLOCK_HOST_ORDER (c,p,1);
447
len-=(HASH_CBLOCK-c->num);
449
/* drop through and do the rest */
454
if ((sc+len) < 4) /* ugly, add char's to a word */
456
l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
464
HOST_p_c2l(data,l,sc);
466
for (; sw < ew; sw++)
468
HOST_c2l(data,l); p[sw]=l;
472
HOST_c2l_p(data,l,ec); p[sw]=l;
482
#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
484
* Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
485
* only if sizeof(HASH_LONG)==4.
487
if ((((unsigned long)data)%4) == 0)
489
/* data is properly aligned so that we can cast it: */
490
HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,sw);
496
#if !defined(HASH_BLOCK_DATA_ORDER)
499
memcpy (p=c->data,data,HASH_CBLOCK);
500
HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
506
#if defined(HASH_BLOCK_DATA_ORDER)
508
HASH_BLOCK_DATA_ORDER(c,data,sw);
520
ew=len>>2; /* words to copy */
524
HOST_c2l(data,l); *p=l;
526
HOST_c2l_p(data,l,ec);
533
void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
535
#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
536
if ((((unsigned long)data)%4) == 0)
537
/* data is properly aligned so that we can cast it: */
538
HASH_BLOCK_DATA_ORDER_ALIGNED (c,(const HASH_LONG *)data,1);
540
#if !defined(HASH_BLOCK_DATA_ORDER)
542
memcpy (c->data,data,HASH_CBLOCK);
543
HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
547
#if defined(HASH_BLOCK_DATA_ORDER)
548
HASH_BLOCK_DATA_ORDER (c,data,1);
553
int HASH_FINAL (unsigned char *md, HASH_CTX *c)
555
register HASH_LONG *p;
556
register unsigned long l;
558
static const unsigned char end[4]={0x80,0x00,0x00,0x00};
559
const unsigned char *cp=end;
561
/* c->num should definitly have room for at least one more byte. */
567
/* purify often complains about the following line as an
568
* Uninitialized Memory Read. While this can be true, the
569
* following p_c2l macro will reset l when that case is true.
570
* This is because j&0x03 contains the number of 'valid' bytes
571
* already in p[i]. If and only if j&0x03 == 0, the UMR will
572
* occur but this is also the only time p_c2l will do
573
* l= *(cp++) instead of l|= *(cp++)
574
* Many thanks to Alex Tang <altitude@cic.net> for pickup this
577
if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
581
l = (j==0) ? 0 : p[i];
583
HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
585
if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
587
if (i<HASH_LBLOCK) p[i]=0;
588
HASH_BLOCK_HOST_ORDER (c,p,1);
591
for (; i<(HASH_LBLOCK-2); i++)
594
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
595
p[HASH_LBLOCK-2]=c->Nh;
596
p[HASH_LBLOCK-1]=c->Nl;
597
#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
598
p[HASH_LBLOCK-2]=c->Nl;
599
p[HASH_LBLOCK-1]=c->Nh;
601
HASH_BLOCK_HOST_ORDER (c,p,1);
603
#ifndef HASH_MAKE_STRING
604
#error "HASH_MAKE_STRING must be defined!"
606
HASH_MAKE_STRING(c,md);
610
/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
611
* but I'm not worried :-)
612
OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
618
#define MD32_REG_T long
620
* This comment was originaly written for MD5, which is why it
621
* discusses A-D. But it basically applies to all 32-bit digests,
622
* which is why it was moved to common header file.
624
* In case you wonder why A-D are declared as long and not
625
* as MD5_LONG. Doing so results in slight performance
626
* boost on LP64 architectures. The catch is we don't
627
* really care if 32 MSBs of a 64-bit register get polluted
628
* with eventual overflows as we *save* only 32 LSBs in
629
* *either* case. Now declaring 'em long excuses the compiler
630
* from keeping 32 MSBs zeroed resulting in 13% performance
631
* improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
632
* Well, to be honest it should say that this *prevents*
633
* performance degradation.
634
* <appro@fy.chalmers.se>
635
* Apparently there're LP64 compilers that generate better
636
* code if A-D are declared int. Most notably GCC-x86_64
637
* generates better code.
638
* <appro@fy.chalmers.se>