Revert md_len removal from SHA256_CTX and SHA512_CTX.
This reverts commits:
- 91586371422dae70481c39752e55f01f50e9a93a
- a90aa643024459c1698dbec84f4c79a3238b3db8
- c0d8b83b4462a0eb1889f32dbd7f46e83f4dbc81
It turns out code outside of BoringSSL also mismatches Init and Update/Final
functions. Since this is largely cosmetic, it's probably not worth the cost to
do this.
Change-Id: I14e7b299172939f69ced2114be45ccba1dbbb704
Reviewed-on: https://boringssl-review.googlesource.com/7793
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/digest/md32_common.h b/crypto/digest/md32_common.h
index 77aaa44..4cf050c 100644
--- a/crypto/digest/md32_common.h
+++ b/crypto/digest/md32_common.h
@@ -90,7 +90,7 @@
* |HASH_TRANSFORM| must be defined as the the name of the "Transform"
* function to generate.
*
- * |HASH_FINISH| must be defined as the name of "finish" function to generate.
+ * |HASH_FINAL| must be defined as the name of "Final" function to generate.
*
* |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
* That function must be implemented manually. It must be capable of operating
@@ -103,7 +103,11 @@
* It must update the hash state |state| with |num| blocks of data from |data|,
* where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
* |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
- * and so will have |<chaining length> / sizeof(uint32_t)| elements. */
+ * and so will have |<chaining length> / sizeof(uint32_t)| elements.
+ *
+ * |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
+ * the hash state |c->h| into the output byte order, storing the result in |s|.
+ */
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
@@ -122,14 +126,18 @@
#ifndef HASH_TRANSFORM
#error "HASH_TRANSFORM must be defined!"
#endif
-#ifndef HASH_FINISH
-#error "HASH_FINISH must be defined!"
+#ifndef HASH_FINAL
+#error "HASH_FINAL must be defined!"
#endif
#ifndef HASH_BLOCK_DATA_ORDER
#error "HASH_BLOCK_DATA_ORDER must be defined!"
#endif
+#ifndef HASH_MAKE_STRING
+#error "HASH_MAKE_STRING must be defined!"
+#endif
+
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
#define HOST_c2l(c, l) \
@@ -212,7 +220,7 @@
}
-static void HASH_FINISH(HASH_CTX *c) {
+int HASH_FINAL(uint8_t *md, HASH_CTX *c) {
/* |c->data| always has room for at least one byte. A full block would have
* been consumed. */
size_t n = c->num;
@@ -241,6 +249,9 @@
HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
c->num = 0;
memset(c->data, 0, HASH_CBLOCK);
+
+ HASH_MAKE_STRING(c, md);
+ return 1;
}
diff --git a/crypto/md4/md4.c b/crypto/md4/md4.c
index 5293f14..f79da9f 100644
--- a/crypto/md4/md4.c
+++ b/crypto/md4/md4.c
@@ -88,27 +88,23 @@
#define HASH_CBLOCK 64
#define HASH_UPDATE MD4_Update
#define HASH_TRANSFORM MD4_Transform
-#define HASH_FINISH md4_finish
+#define HASH_FINAL MD4_Final
+#define HASH_MAKE_STRING(c, s) \
+ do { \
+ uint32_t ll; \
+ ll = (c)->h[0]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[1]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[2]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[3]; \
+ HOST_l2c(ll, (s)); \
+ } while (0)
#define HASH_BLOCK_DATA_ORDER md4_block_data_order
#include "../digest/md32_common.h"
-int MD4_Final(uint8_t *md, MD4_CTX *md4) {
- md4_finish(md4);
-
- uint32_t ll;
- ll = md4->h[0];
- HOST_l2c(ll, md);
- ll = md4->h[1];
- HOST_l2c(ll, md);
- ll = md4->h[2];
- HOST_l2c(ll, md);
- ll = md4->h[3];
- HOST_l2c(ll, md);
-
- return 1;
-}
-
/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
* simplified to the code below. Wei attributes these optimizations
* to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel. */
diff --git a/crypto/md5/md5.c b/crypto/md5/md5.c
index ad37537..66483b8 100644
--- a/crypto/md5/md5.c
+++ b/crypto/md5/md5.c
@@ -101,27 +101,23 @@
#define HASH_CBLOCK 64
#define HASH_UPDATE MD5_Update
#define HASH_TRANSFORM MD5_Transform
-#define HASH_FINISH md5_finish
+#define HASH_FINAL MD5_Final
+#define HASH_MAKE_STRING(c, s) \
+ do { \
+ uint32_t ll; \
+ ll = (c)->h[0]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[1]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[2]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[3]; \
+ HOST_l2c(ll, (s)); \
+ } while (0)
#define HASH_BLOCK_DATA_ORDER md5_block_data_order
#include "../digest/md32_common.h"
-int MD5_Final(uint8_t *md, MD5_CTX *md5) {
- md5_finish(md5);
-
- uint32_t ll;
- ll = md5->h[0];
- HOST_l2c(ll, md);
- ll = md5->h[1];
- HOST_l2c(ll, md);
- ll = md5->h[2];
- HOST_l2c(ll, md);
- ll = md5->h[3];
- HOST_l2c(ll, md);
-
- return 1;
-}
-
/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
* simplified to the code below. Wei attributes these optimizations
* to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
diff --git a/crypto/sha/sha1.c b/crypto/sha/sha1.c
index 5967af0..74e841c 100644
--- a/crypto/sha/sha1.c
+++ b/crypto/sha/sha1.c
@@ -98,10 +98,24 @@
#define HASH_CTX SHA_CTX
#define HASH_CBLOCK 64
+#define HASH_MAKE_STRING(c, s) \
+ do { \
+ uint32_t ll; \
+ ll = (c)->h[0]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[1]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[2]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[3]; \
+ HOST_l2c(ll, (s)); \
+ ll = (c)->h[4]; \
+ HOST_l2c(ll, (s)); \
+ } while (0)
#define HASH_UPDATE SHA1_Update
#define HASH_TRANSFORM SHA1_Transform
-#define HASH_FINISH sha1_finish
+#define HASH_FINAL SHA1_Final
#define HASH_BLOCK_DATA_ORDER sha1_block_data_order
#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
#define Xupdate(a, ix, ia, ib, ic, id) \
@@ -114,24 +128,6 @@
#include "../digest/md32_common.h"
-int SHA1_Final(uint8_t *md, SHA_CTX *sha) {
- sha1_finish(sha);
-
- uint32_t ll;
- ll = sha->h[0];
- HOST_l2c(ll, md);
- ll = sha->h[1];
- HOST_l2c(ll, md);
- ll = sha->h[2];
- HOST_l2c(ll, md);
- ll = sha->h[3];
- HOST_l2c(ll, md);
- ll = sha->h[4];
- HOST_l2c(ll, md);
-
- return 1;
-}
-
#define K_00_19 0x5a827999UL
#define K_20_39 0x6ed9eba1UL
#define K_40_59 0x8f1bbcdcUL
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index f2bb54e..58f7c42 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -77,6 +77,7 @@
sha->h[5] = 0x68581511UL;
sha->h[6] = 0x64f98fa7UL;
sha->h[7] = 0xbefa4fa4UL;
+ sha->md_len = SHA224_DIGEST_LENGTH;
return 1;
}
@@ -90,6 +91,7 @@
sha->h[5] = 0x9b05688cUL;
sha->h[6] = 0x1f83d9abUL;
sha->h[7] = 0x5be0cd19UL;
+ sha->md_len = SHA256_DIGEST_LENGTH;
return 1;
}
@@ -127,14 +129,57 @@
return SHA256_Update(ctx, data, len);
}
+int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
+ return SHA256_Final(md, ctx);
+}
+
#define DATA_ORDER_IS_BIG_ENDIAN
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK 64
+/* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
+ * default: case below covers for it. It's not clear however if it's permitted
+ * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
+ * then default: case shall be extended. For reference. Idea behind separate
+ * cases for pre-defined lenghts is to let the compiler decide if it's
+ * appropriate to unroll small loops.
+ *
+ * TODO(davidben): The small |md_len| case is one of the few places a low-level
+ * hash 'final' function can fail. This should never happen. */
+#define HASH_MAKE_STRING(c, s) \
+ do { \
+ uint32_t ll; \
+ unsigned int nn; \
+ switch ((c)->md_len) { \
+ case SHA224_DIGEST_LENGTH: \
+ for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
+ ll = (c)->h[nn]; \
+ HOST_l2c(ll, (s)); \
+ } \
+ break; \
+ case SHA256_DIGEST_LENGTH: \
+ for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
+ ll = (c)->h[nn]; \
+ HOST_l2c(ll, (s)); \
+ } \
+ break; \
+ default: \
+ if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
+ return 0; \
+ } \
+ for (nn = 0; nn < (c)->md_len / 4; nn++) { \
+ ll = (c)->h[nn]; \
+ HOST_l2c(ll, (s)); \
+ } \
+ break; \
+ } \
+ } while (0)
+
+
#define HASH_UPDATE SHA256_Update
#define HASH_TRANSFORM SHA256_Transform
-#define HASH_FINISH sha256_finish
+#define HASH_FINAL SHA256_Final
#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
#ifndef SHA256_ASM
static
@@ -143,30 +188,6 @@
#include "../digest/md32_common.h"
-int SHA224_Final(uint8_t *md, SHA256_CTX *sha) {
- sha256_finish(sha);
-
- unsigned nn;
- for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {
- uint32_t ll = sha->h[nn];
- HOST_l2c(ll, md);
- }
-
- return 1;
-}
-
-int SHA256_Final(uint8_t *md, SHA256_CTX *sha) {
- sha256_finish(sha);
-
- unsigned nn;
- for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {
- uint32_t ll = sha->h[nn];
- HOST_l2c(ll, md);
- }
-
- return 1;
-}
-
#ifndef SHA256_ASM
static const uint32_t K256[64] = {
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c
index dc2015d..f473046 100644
--- a/crypto/sha/sha512.c
+++ b/crypto/sha/sha512.c
@@ -97,6 +97,7 @@
sha->Nl = 0;
sha->Nh = 0;
sha->num = 0;
+ sha->md_len = SHA384_DIGEST_LENGTH;
return 1;
}
@@ -114,6 +115,7 @@
sha->Nl = 0;
sha->Nh = 0;
sha->num = 0;
+ sha->md_len = SHA512_DIGEST_LENGTH;
return 1;
}
@@ -153,36 +155,15 @@
#endif
void sha512_block_data_order(uint64_t *state, const uint64_t *W, size_t num);
-static void sha512_finish(SHA512_CTX *sha);
+
+int SHA384_Final(uint8_t *md, SHA512_CTX *sha) {
+ return SHA512_Final(md, sha);
+}
int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
return SHA512_Update(sha, data, len);
}
-void SHA384_Transform(SHA512_CTX *c, const uint8_t *data) {
- return SHA512_Transform(c, data);
-}
-
-int SHA384_Final(uint8_t *md, SHA512_CTX *sha) {
- sha512_finish(sha);
-
- size_t n;
- for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
- uint64_t t = sha->h[n];
-
- *(md++) = (uint8_t)(t >> 56);
- *(md++) = (uint8_t)(t >> 48);
- *(md++) = (uint8_t)(t >> 40);
- *(md++) = (uint8_t)(t >> 32);
- *(md++) = (uint8_t)(t >> 24);
- *(md++) = (uint8_t)(t >> 16);
- *(md++) = (uint8_t)(t >> 8);
- *(md++) = (uint8_t)(t);
- }
-
- return 1;
-}
-
void SHA512_Transform(SHA512_CTX *c, const uint8_t *data) {
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
if ((size_t)data % sizeof(c->u.d[0]) != 0) {
@@ -253,7 +234,7 @@
return 1;
}
-static void sha512_finish(SHA512_CTX *sha) {
+int SHA512_Final(uint8_t *md, SHA512_CTX *sha) {
uint8_t *p = (uint8_t *)sha->u.p;
size_t n = sha->num;
@@ -284,23 +265,48 @@
p[sizeof(sha->u) - 16] = (uint8_t)(sha->Nh >> 56);
sha512_block_data_order(sha->h, (uint64_t *)p, 1);
-}
-int SHA512_Final(uint8_t *md, SHA512_CTX *sha) {
- sha512_finish(sha);
+ if (md == NULL) {
+ /* TODO(davidben): This NULL check is absent in other low-level hash 'final'
+ * functions and is one of the few places one can fail. */
+ return 0;
+ }
- size_t n;
- for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
- uint64_t t = sha->h[n];
+ switch (sha->md_len) {
+ /* Let compiler decide if it's appropriate to unroll... */
+ case SHA384_DIGEST_LENGTH:
+ for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
+ uint64_t t = sha->h[n];
- *(md++) = (uint8_t)(t >> 56);
- *(md++) = (uint8_t)(t >> 48);
- *(md++) = (uint8_t)(t >> 40);
- *(md++) = (uint8_t)(t >> 32);
- *(md++) = (uint8_t)(t >> 24);
- *(md++) = (uint8_t)(t >> 16);
- *(md++) = (uint8_t)(t >> 8);
- *(md++) = (uint8_t)(t);
+ *(md++) = (uint8_t)(t >> 56);
+ *(md++) = (uint8_t)(t >> 48);
+ *(md++) = (uint8_t)(t >> 40);
+ *(md++) = (uint8_t)(t >> 32);
+ *(md++) = (uint8_t)(t >> 24);
+ *(md++) = (uint8_t)(t >> 16);
+ *(md++) = (uint8_t)(t >> 8);
+ *(md++) = (uint8_t)(t);
+ }
+ break;
+ case SHA512_DIGEST_LENGTH:
+ for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
+ uint64_t t = sha->h[n];
+
+ *(md++) = (uint8_t)(t >> 56);
+ *(md++) = (uint8_t)(t >> 48);
+ *(md++) = (uint8_t)(t >> 40);
+ *(md++) = (uint8_t)(t >> 32);
+ *(md++) = (uint8_t)(t >> 24);
+ *(md++) = (uint8_t)(t >> 16);
+ *(md++) = (uint8_t)(t >> 8);
+ *(md++) = (uint8_t)(t);
+ }
+ break;
+ /* ... as well as make sure md_len is not abused. */
+ default:
+ /* TODO(davidben): This bad |md_len| case is one of the few places a
+ * low-level hash 'final' function can fail. This should never happen. */
+ return 0;
}
return 1;
diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h
index dea532b..c4db4b2 100644
--- a/decrepit/ripemd/internal.h
+++ b/decrepit/ripemd/internal.h
@@ -74,7 +74,21 @@
#define HASH_CBLOCK RIPEMD160_CBLOCK
#define HASH_UPDATE RIPEMD160_Update
#define HASH_TRANSFORM RIPEMD160_Transform
-#define HASH_FINISH ripemd160_finish
+#define HASH_FINAL RIPEMD160_Final
+#define HASH_MAKE_STRING(c, s) \
+ do { \
+ unsigned long ll; \
+ ll = (c)->h[0]; \
+ (void)HOST_l2c(ll, (s)); \
+ ll = (c)->h[1]; \
+ (void)HOST_l2c(ll, (s)); \
+ ll = (c)->h[2]; \
+ (void)HOST_l2c(ll, (s)); \
+ ll = (c)->h[3]; \
+ (void)HOST_l2c(ll, (s)); \
+ ll = (c)->h[4]; \
+ (void)HOST_l2c(ll, (s)); \
+ } while (0)
#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
#include "../../crypto/digest/md32_common.h"
diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
index c871ea7..6ed7816 100644
--- a/decrepit/ripemd/ripemd.c
+++ b/decrepit/ripemd/ripemd.c
@@ -71,24 +71,6 @@
return 1;
}
-int RIPEMD160_Final(uint8_t *md, RIPEMD160_CTX *ctx) {
- ripemd160_finish(ctx);
-
- unsigned long ll;
- ll = ctx->h[0];
- (void)HOST_l2c(ll, md);
- ll = ctx->h[1];
- (void)HOST_l2c(ll, md);
- ll = ctx->h[2];
- (void)HOST_l2c(ll, md);
- ll = ctx->h[3];
- (void)HOST_l2c(ll, md);
- ll = ctx->h[4];
- (void)HOST_l2c(ll, md);
-
- return 1;
-}
-
static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
size_t num) {
uint32_t A, B, C, D, E;
diff --git a/include/openssl/sha.h b/include/openssl/sha.h
index 6e3df8f..48a52e8 100644
--- a/include/openssl/sha.h
+++ b/include/openssl/sha.h
@@ -128,15 +128,15 @@
/* SHA224_DIGEST_LENGTH is the length of a SHA-224 digest. */
#define SHA224_DIGEST_LENGTH 28
-/* SHA224_Init initialises |sha| and returns one. */
+/* SHA224_Init initialises |sha| and returns 1. */
OPENSSL_EXPORT int SHA224_Init(SHA256_CTX *sha);
-/* SHA224_Update adds |len| bytes from |data| to |sha| and returns one. */
+/* SHA224_Update adds |len| bytes from |data| to |sha| and returns 1. */
OPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len);
/* SHA224_Final adds the final padding to |sha| and writes the resulting digest
* to |md|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+ * returns one on success and zero on programmer error. */
OPENSSL_EXPORT int SHA224_Final(uint8_t *md, SHA256_CTX *sha);
/* SHA224 writes the digest of |len| bytes from |data| to |out| and returns
@@ -153,15 +153,15 @@
/* SHA256_DIGEST_LENGTH is the length of a SHA-256 digest. */
#define SHA256_DIGEST_LENGTH 32
-/* SHA256_Init initialises |sha| and returns one. */
+/* SHA256_Init initialises |sha| and returns 1. */
OPENSSL_EXPORT int SHA256_Init(SHA256_CTX *sha);
-/* SHA256_Update adds |len| bytes from |data| to |sha| and returns one. */
+/* SHA256_Update adds |len| bytes from |data| to |sha| and returns 1. */
OPENSSL_EXPORT int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len);
/* SHA256_Final adds the final padding to |sha| and writes the resulting digest
* to |md|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+ * returns one on success and zero on programmer error. */
OPENSSL_EXPORT int SHA256_Final(uint8_t *md, SHA256_CTX *sha);
/* SHA256 writes the digest of |len| bytes from |data| to |out| and returns
@@ -177,7 +177,7 @@
uint32_t h[8];
uint32_t Nl, Nh;
uint8_t data[SHA256_CBLOCK];
- unsigned num;
+ unsigned num, md_len;
};
@@ -189,15 +189,15 @@
/* SHA384_DIGEST_LENGTH is the length of a SHA-384 digest. */
#define SHA384_DIGEST_LENGTH 48
-/* SHA384_Init initialises |sha| and returns one. */
+/* SHA384_Init initialises |sha| and returns 1. */
OPENSSL_EXPORT int SHA384_Init(SHA512_CTX *sha);
-/* SHA384_Update adds |len| bytes from |data| to |sha| and returns one. */
+/* SHA384_Update adds |len| bytes from |data| to |sha| and returns 1. */
OPENSSL_EXPORT int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len);
/* SHA384_Final adds the final padding to |sha| and writes the resulting digest
* to |md|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+ * returns one on success and zero on programmer error. */
OPENSSL_EXPORT int SHA384_Final(uint8_t *md, SHA512_CTX *sha);
/* SHA384 writes the digest of |len| bytes from |data| to |out| and returns
@@ -218,15 +218,15 @@
/* SHA512_DIGEST_LENGTH is the length of a SHA-512 digest. */
#define SHA512_DIGEST_LENGTH 64
-/* SHA512_Init initialises |sha| and returns one. */
+/* SHA512_Init initialises |sha| and returns 1. */
OPENSSL_EXPORT int SHA512_Init(SHA512_CTX *sha);
-/* SHA512_Update adds |len| bytes from |data| to |sha| and returns one. */
+/* SHA512_Update adds |len| bytes from |data| to |sha| and returns 1. */
OPENSSL_EXPORT int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len);
/* SHA512_Final adds the final padding to |sha| and writes the resulting digest
* to |md|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+ * returns one on success and zero on programmer error. */
OPENSSL_EXPORT int SHA512_Final(uint8_t *md, SHA512_CTX *sha);
/* SHA512 writes the digest of |len| bytes from |data| to |out| and returns
@@ -245,7 +245,7 @@
uint64_t d[16];
uint8_t p[128];
} u;
- unsigned num;
+ unsigned num, md_len;
};
