authorPauli <paul.dale@oracle.com>2018-01-17 13:20:22 +1000
committerPauli <paul.dale@oracle.com>2018-01-24 07:09:46 +1000
commit4bed94f0c11ef63587c6b2edb03c3c438e221604 (patch)
tree750293d626b103e4a8f503fc41f291388b15ecce /crypto
parent3bf0c3fe31d5339524dae671064cc5fe9e4bda38 (diff)
SHA512/224 and SHA512/256
Support added for these two digests, available only via the EVP interface. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5093)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/evp/c_alld.c4
-rw-r--r--crypto/evp/m_sha1.c51
-rw-r--r--crypto/include/internal/sha.h19
-rw-r--r--crypto/objects/obj_dat.h20
-rw-r--r--crypto/objects/obj_mac.num2
-rw-r--r--crypto/objects/objects.txt2
-rw-r--r--crypto/sha/sha512.c79
7 files changed, 169 insertions, 8 deletions
diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c
index 257d405ba7..1267531a7d 100644
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,6 +39,8 @@ void openssl_add_all_digests_int(void)
EVP_add_digest(EVP_sha256());
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
+ EVP_add_digest(EVP_sha512_224());
+ EVP_add_digest(EVP_sha512_256());
#ifndef OPENSSL_NO_WHIRLPOOL
EVP_add_digest(EVP_whirlpool());
#endif
diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c
index 0fa184b310..d73e412b8d 100644
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,6 +15,7 @@
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include "internal/evp_int.h"
+#include "internal/sha.h"
static int init(EVP_MD_CTX *ctx)
{
@@ -173,6 +174,16 @@ const EVP_MD *EVP_sha256(void)
return &sha256_md;
}
+static int init512_224(EVP_MD_CTX *ctx)
+{
+ return sha512_224_init(EVP_MD_CTX_md_data(ctx));
+}
+
+static int init512_256(EVP_MD_CTX *ctx)
+{
+ return sha512_256_init(EVP_MD_CTX_md_data(ctx));
+}
+
static int init384(EVP_MD_CTX *ctx)
{
return SHA384_Init(EVP_MD_CTX_md_data(ctx));
@@ -194,6 +205,44 @@ static int final512(EVP_MD_CTX *ctx, unsigned char *md)
return SHA512_Final(md, EVP_MD_CTX_md_data(ctx));
}
+static const EVP_MD sha512_224_md = {
+ NID_sha512_224,
+ NID_sha512_224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+ EVP_MD_FLAG_DIGALGID_ABSENT,
+ init512_224,
+ update512,
+ final512,
+ NULL,
+ NULL,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *) + sizeof(SHA512_CTX),
+};
+
+const EVP_MD *EVP_sha512_224(void)
+{
+ return &sha512_224_md;
+}
+
+static const EVP_MD sha512_256_md = {
+ NID_sha512_256,
+ NID_sha512_256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+ EVP_MD_FLAG_DIGALGID_ABSENT,
+ init512_256,
+ update512,
+ final512,
+ NULL,
+ NULL,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *) + sizeof(SHA512_CTX),
+};
+
+const EVP_MD *EVP_sha512_256(void)
+{
+ return &sha512_256_md;
+}
+
static const EVP_MD sha384_md = {
NID_sha384,
NID_sha384WithRSAEncryption,
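Review bot: In `sha512_224_md` and `sha512_256_md` the digest size is spelled `SHA224_DIGEST_LENGTH` and `SHA256_DIGEST_LENGTH`, which reads as if these were SHA-224/SHA-256 entries, and nothing records that the value must equal the `md_len` stored by the matching init function. Both tables reuse `final512`, which calls `SHA512_Final`, and the sha512.c hunk of this commit shows that function choosing how many bytes to write from `c->md_len`. If the two ever diverge, the EVP layer and the digest code would disagree on the output length. I would add a comment on each size line, for example `SHA224_DIGEST_LENGTH, /* SHA-512/224: 28-byte output; must match md_len set by sha512_224_init() */`. The same reuse of the SHA-224/256 length macros appears in `sha512_224_init`/`sha512_256_init` and in the new `SHA512_Final` cases.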
diff --git a/crypto/include/internal/sha.h b/crypto/include/internal/sha.h
new file mode 100644
index 0000000000..458a75e89d
--- /dev/null
+++ b/crypto/include/internal/sha.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_INTERNAL_SHA_H
+# define HEADER_INTERNAL_SHA_H
+
+# include <openssl/opensslconf.h>
+
+int sha512_224_init(SHA512_CTX *);
+int sha512_256_init(SHA512_CTX *);
+
+#endif
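Review bot: The prototypes for `sha512_224_init` and `sha512_256_init` take a `SHA512_CTX *`, but the header includes only `<openssl/opensslconf.h>`, so it compiles only when the includer has already pulled in the definition of `SHA512_CTX`. m_sha1.c does include `<openssl/sha.h>` before this header in the commit; whether sha512.c does is not visible in its hunk. Adding `# include <openssl/sha.h>` inside the guard would make the header self-contained and independent of include order.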
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 535d315037..772445385c 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -10,7 +10,7 @@
*/
/* Serialized OID's */
-static const unsigned char so[7324] = {
+static const unsigned char so[7342] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */
@@ -1030,9 +1030,11 @@ static const unsigned char so[7324] = {
0x2A,0x81,0x1C,0xCF,0x55,0x01, /* [ 7301] OBJ_sm_scheme */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x11, /* [ 7307] OBJ_sm3 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x78, /* [ 7315] OBJ_sm3WithRSAEncryption */
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0F, /* [ 7323] OBJ_sha512_224WithRSAEncryption */
+ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x10, /* [ 7332] OBJ_sha512_256WithRSAEncryption */
};
-#define NUM_NID 1145
+#define NUM_NID 1147
static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"UNDEF", "undefined", NID_undef},
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2179,9 +2181,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"sm-scheme", "sm-scheme", NID_sm_scheme, 6, &so[7301]},
{"SM3", "sm3", NID_sm3, 8, &so[7307]},
{"RSA-SM3", "sm3WithRSAEncryption", NID_sm3WithRSAEncryption, 8, &so[7315]},
+ {"RSA-SHA512/224", "sha512-224WithRSAEncryption", NID_sha512_224WithRSAEncryption, 9, &so[7323]},
+ {"RSA-SHA512/256", "sha512-256WithRSAEncryption", NID_sha512_256WithRSAEncryption, 9, &so[7332]},
};
-#define NUM_SN 1136
+#define NUM_SN 1138
static const unsigned int sn_objs[NUM_SN] = {
364, /* "AD_DVCS" */
419, /* "AES-128-CBC" */
@@ -2422,6 +2426,8 @@ static const unsigned int sn_objs[NUM_SN] = {
668, /* "RSA-SHA256" */
669, /* "RSA-SHA384" */
670, /* "RSA-SHA512" */
+ 1145, /* "RSA-SHA512/224" */
+ 1146, /* "RSA-SHA512/256" */
1144, /* "RSA-SM3" */
919, /* "RSAES-OAEP" */
912, /* "RSASSA-PSS" */
@@ -3321,7 +3327,7 @@ static const unsigned int sn_objs[NUM_SN] = {
1093, /* "x509ExtAdmission" */
};
-#define NUM_LN 1136
+#define NUM_LN 1138
static const unsigned int ln_objs[NUM_LN] = {
363, /* "AD Time Stamping" */
405, /* "ANSI X9.62" */
@@ -4395,7 +4401,9 @@ static const unsigned int ln_objs[NUM_LN] = {
669, /* "sha384WithRSAEncryption" */
674, /* "sha512" */
1094, /* "sha512-224" */
+ 1145, /* "sha512-224WithRSAEncryption" */
1095, /* "sha512-256" */
+ 1146, /* "sha512-256WithRSAEncryption" */
670, /* "sha512WithRSAEncryption" */
42, /* "shaWithRSAEncryption" */
1100, /* "shake128" */
@@ -4461,7 +4469,7 @@ static const unsigned int ln_objs[NUM_LN] = {
125, /* "zlib compression" */
};
-#define NUM_OBJ 1025
+#define NUM_OBJ 1027
static const unsigned int obj_objs[NUM_OBJ] = {
0, /* OBJ_undef 0 */
181, /* OBJ_iso 1 */
@@ -5170,6 +5178,8 @@ static const unsigned int obj_objs[NUM_OBJ] = {
669, /* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */
670, /* OBJ_sha512WithRSAEncryption 1 2 840 113549 1 1 13 */
671, /* OBJ_sha224WithRSAEncryption 1 2 840 113549 1 1 14 */
+ 1145, /* OBJ_sha512_224WithRSAEncryption 1 2 840 113549 1 1 15 */
+ 1146, /* OBJ_sha512_256WithRSAEncryption 1 2 840 113549 1 1 16 */
28, /* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */
9, /* OBJ_pbeWithMD2AndDES_CBC 1 2 840 113549 1 5 1 */
10, /* OBJ_pbeWithMD5AndDES_CBC 1 2 840 113549 1 5 3 */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 83641c451e..bef6050a19 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1142,3 +1142,5 @@ oscca 1141
sm_scheme 1142
sm3 1143
sm3WithRSAEncryption 1144
+sha512_224WithRSAEncryption 1145
+sha512_256WithRSAEncryption 1146
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 87c2683291..74550be2df 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -178,6 +178,8 @@ pkcs1 11 : RSA-SHA256 : sha256WithRSAEncryption
pkcs1 12 : RSA-SHA384 : sha384WithRSAEncryption
pkcs1 13 : RSA-SHA512 : sha512WithRSAEncryption
pkcs1 14 : RSA-SHA224 : sha224WithRSAEncryption
+pkcs1 15 : RSA-SHA512/224 : sha512-224WithRSAEncryption
+pkcs1 16 : RSA-SHA512/256 : sha512-256WithRSAEncryption
pkcs 3 : pkcs3
pkcs3 1 : : dhKeyAgreement
diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c
index bb7cc5efb8..50b65ee811 100644
--- a/crypto/sha/sha512.c
+++ b/crypto/sha/sha512.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
#include <openssl/opensslv.h>
#include "internal/cryptlib.h"
+#include "internal/sha.h"
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
@@ -59,6 +60,42 @@
# define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
#endif
+int sha512_224_init(SHA512_CTX *c)
+{
+ c->h[0] = U64(0x8c3d37c819544da2);
+ c->h[1] = U64(0x73e1996689dcd4d6);
+ c->h[2] = U64(0x1dfab7ae32ff9c82);
+ c->h[3] = U64(0x679dd514582f9fcf);
+ c->h[4] = U64(0x0f6d2b697bd44da8);
+ c->h[5] = U64(0x77e36f7304c48942);
+ c->h[6] = U64(0x3f9d85a86a1d36c8);
+ c->h[7] = U64(0x1112e6ad91d692a1);
+
+ c->Nl = 0;
+ c->Nh = 0;
+ c->num = 0;
+ c->md_len = SHA224_DIGEST_LENGTH;
+ return 1;
+}
+
+int sha512_256_init(SHA512_CTX *c)
+{
+ c->h[0] = U64(0x22312194fc2bf72c);
+ c->h[1] = U64(0x9f555fa3c84c64c2);
+ c->h[2] = U64(0x2393b86b6f53b151);
+ c->h[3] = U64(0x963877195940eabd);
+ c->h[4] = U64(0x96283ee2a88effe3);
+ c->h[5] = U64(0xbe5e1e2553863992);
+ c->h[6] = U64(0x2b0199fc2c85b8aa);
+ c->h[7] = U64(0x0eb72ddc81c52ca2);
+
+ c->Nl = 0;
+ c->Nh = 0;
+ c->num = 0;
+ c->md_len = SHA256_DIGEST_LENGTH;
+ return 1;
+}
+
int SHA384_Init(SHA512_CTX *c)
{
c->h[0] = U64(0xcbbb9d5dc1059ed8);
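Review bot: The sixteen initial hash words in `sha512_224_init` and `sha512_256_init` carry no reference, so a reader cannot check them without knowing where to look, and a single wrong digit would silently produce a non-interoperable digest. A one-line comment above each block would fix that, e.g. `/* Initial hash value for SHA-512/224, FIPS 180-4 section 5.3.6.1 */` and `/* Initial hash value for SHA-512/256, FIPS 180-4 section 5.3.6.2 */`. The values shown do match the ones listed there. `SHA384_Init` at the end of the hunk continues outside it.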
@@ -143,6 +180,46 @@ int SHA512_Final(unsigned char *md, SHA512_CTX *c)
switch (c->md_len) {
/* Let compiler decide if it's appropriate to unroll... */
+ case SHA224_DIGEST_LENGTH:
+ for (n = 0; n < SHA224_DIGEST_LENGTH / 8; n++) {
+ SHA_LONG64 t = c->h[n];
+
+ *(md++) = (unsigned char)(t >> 56);
+ *(md++) = (unsigned char)(t >> 48);
+ *(md++) = (unsigned char)(t >> 40);
+ *(md++) = (unsigned char)(t >> 32);
+ *(md++) = (unsigned char)(t >> 24);
+ *(md++) = (unsigned char)(t >> 16);
+ *(md++) = (unsigned char)(t >> 8);
+ *(md++) = (unsigned char)(t);
+ }
+ /*
+ * For 224 bits, there are four bytes left over that have to be
+ * processed separately.
+ */
+ {
+ SHA_LONG64 t = c->h[SHA224_DIGEST_LENGTH / 8];
+
+ *(md++) = (unsigned char)(t >> 56);
+ *(md++) = (unsigned char)(t >> 48);
+ *(md++) = (unsigned char)(t >> 40);
+ *(md++) = (unsigned char)(t >> 32);
+ }
+ break;
+ case SHA256_DIGEST_LENGTH:
+ for (n = 0; n < SHA256_DIGEST_LENGTH / 8; n++) {
+ SHA_LONG64 t = c->h[n];
+
+ *(md++) = (unsigned char)(t >> 56);
+ *(md++) = (unsigned char)(t >> 48);
+ *(md++) = (unsigned char)(t >> 40);
+ *(md++) = (unsigned char)(t >> 32);
+ *(md++) = (unsigned char)(t >> 24);
+ *(md++) = (unsigned char)(t >> 16);
+ *(md++) = (unsigned char)(t >> 8);
+ *(md++) = (unsigned char)(t);
+ }
+ break;
case SHA384_DIGEST_LENGTH:
for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
SHA_LONG64 t = c->h[n];