1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
9 *
10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11 */
12
13 #if defined(__clang__) && (__clang_major__ >= 4)
14
15 /* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
16 * but that is defined by build_info.h, and we need this block to happen first. */
17 #if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
18 #if __ARM_ARCH >= 8
19 #define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
20 #endif
21 #endif
22
23 #if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
24 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
25 *
26 * The intrinsic declaration are guarded by predefined ACLE macros in clang:
27 * these are normally only enabled by the -march option on the command line.
28 * By defining the macros ourselves we gain access to those declarations without
29 * requiring -march on the command line.
30 *
31 * `arm_neon.h` is included by common.h, so we put these defines
32 * at the top of this file, before any includes.
33 */
34 #define __ARM_FEATURE_CRYPTO 1
35 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
36 *
37 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
38 * for older compilers.
39 */
40 #define __ARM_FEATURE_SHA2 1
41 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
42 #endif
43
44 #endif /* defined(__clang__) && (__clang_major__ >= 4) */
45
46 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
47 #define _GNU_SOURCE
48
49 #include "common.h"
50
51 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
52
53 #include "mbedtls/sha256.h"
54 #include "mbedtls/platform_util.h"
55 #include "mbedtls/error.h"
56
57 #include <string.h>
58
59 #include "mbedtls/platform.h"
60
61 #if defined(MBEDTLS_ARCH_IS_ARMV8_A)
62
63 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
64 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
65 # if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
66 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
67 # warning "Target does not support NEON instructions"
68 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
69 # else
70 # error "Target does not support NEON instructions"
71 # endif
72 # endif
73 # endif
74
75 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
76 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
77 /* *INDENT-OFF* */
78
79 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
80 # if defined(__ARMCOMPILER_VERSION)
81 # if __ARMCOMPILER_VERSION <= 6090000
82 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
83 # endif
84 # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
85 # define MBEDTLS_POP_TARGET_PRAGMA
86 # elif defined(__clang__)
87 # if __clang_major__ < 4
88 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
89 # endif
90 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
91 # define MBEDTLS_POP_TARGET_PRAGMA
92 # elif defined(__GNUC__)
93 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
94 * intrinsics are missing. Missing intrinsics could be worked around.
95 */
96 # if __GNUC__ < 6
97 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
98 # else
99 # pragma GCC push_options
100 # pragma GCC target ("arch=armv8-a+crypto")
101 # define MBEDTLS_POP_TARGET_PRAGMA
102 # endif
103 # else
104 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
105 # endif
106 # endif
107 /* *INDENT-ON* */
108
109 # endif
110 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
111 # if defined(__unix__)
112 # if defined(__linux__)
113 /* Our preferred method of detection is getauxval() */
114 # include <sys/auxv.h>
115 /* These are not always defined via sys/auxv.h */
116 # if !defined(HWCAP_SHA2)
117 # define HWCAP_SHA2 (1 << 6)
118 # endif
119 # if !defined(HWCAP2_SHA2)
120 # define HWCAP2_SHA2 (1 << 3)
121 # endif
122 # endif
123 /* Use SIGILL on Unix, and fall back to it on Linux */
124 # include <signal.h>
125 # endif
126 # endif
127 #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
128 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
129 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
130 #endif
131
132 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
133 /*
134 * Capability detection code comes early, so we can disable
135 * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
136 */
137 #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)138 static int mbedtls_a64_crypto_sha256_determine_support(void)
139 {
140 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
141 }
142 #elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)143 static int mbedtls_a64_crypto_sha256_determine_support(void)
144 {
145 return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
146 }
147 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)148 static int mbedtls_a64_crypto_sha256_determine_support(void)
149 {
150 return 1;
151 }
152 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
153 #define WIN32_LEAN_AND_MEAN
154 #include <Windows.h>
155 #include <processthreadsapi.h>
156
mbedtls_a64_crypto_sha256_determine_support(void)157 static int mbedtls_a64_crypto_sha256_determine_support(void)
158 {
159 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
160 1 : 0;
161 }
162 #elif defined(__unix__) && defined(SIG_SETMASK)
163 /* Detection with SIGILL, setjmp() and longjmp() */
164 #include <signal.h>
165 #include <setjmp.h>
166
167 static jmp_buf return_from_sigill;
168
169 /*
170 * Armv8-A SHA256 support detection via SIGILL
171 */
sigill_handler(int signal)172 static void sigill_handler(int signal)
173 {
174 (void) signal;
175 longjmp(return_from_sigill, 1);
176 }
177
mbedtls_a64_crypto_sha256_determine_support(void)178 static int mbedtls_a64_crypto_sha256_determine_support(void)
179 {
180 struct sigaction old_action, new_action;
181
182 sigset_t old_mask;
183 if (sigprocmask(0, NULL, &old_mask)) {
184 return 0;
185 }
186
187 sigemptyset(&new_action.sa_mask);
188 new_action.sa_flags = 0;
189 new_action.sa_handler = sigill_handler;
190
191 sigaction(SIGILL, &new_action, &old_action);
192
193 static int ret = 0;
194
195 if (setjmp(return_from_sigill) == 0) { /* First return only */
196 /* If this traps, we will return a second time from setjmp() with 1 */
197 #if defined(MBEDTLS_ARCH_IS_ARM64)
198 asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
199 #else
200 asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
201 #endif
202 ret = 1;
203 }
204
205 sigaction(SIGILL, &old_action, NULL);
206 sigprocmask(SIG_SETMASK, &old_mask, NULL);
207
208 return ret;
209 }
210 #else
211 #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
212 #undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
213 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
214
215 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
216
217 #if !defined(MBEDTLS_SHA256_ALT)
218
219 #define SHA256_BLOCK_SIZE 64
220
mbedtls_sha256_init(mbedtls_sha256_context * ctx)221 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
222 {
223 memset(ctx, 0, sizeof(mbedtls_sha256_context));
224 }
225
mbedtls_sha256_free(mbedtls_sha256_context * ctx)226 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
227 {
228 if (ctx == NULL) {
229 return;
230 }
231
232 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
233 }
234
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)235 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
236 const mbedtls_sha256_context *src)
237 {
238 *dst = *src;
239 }
240
241 /*
242 * SHA-256 context setup
243 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)244 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
245 {
246 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
247 if (is224 != 0 && is224 != 1) {
248 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
249 }
250 #elif defined(MBEDTLS_SHA256_C)
251 if (is224 != 0) {
252 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
253 }
254 #else /* defined MBEDTLS_SHA224_C only */
255 if (is224 == 0) {
256 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
257 }
258 #endif
259
260 ctx->total[0] = 0;
261 ctx->total[1] = 0;
262
263 if (is224 == 0) {
264 #if defined(MBEDTLS_SHA256_C)
265 ctx->state[0] = 0x6A09E667;
266 ctx->state[1] = 0xBB67AE85;
267 ctx->state[2] = 0x3C6EF372;
268 ctx->state[3] = 0xA54FF53A;
269 ctx->state[4] = 0x510E527F;
270 ctx->state[5] = 0x9B05688C;
271 ctx->state[6] = 0x1F83D9AB;
272 ctx->state[7] = 0x5BE0CD19;
273 #endif
274 } else {
275 #if defined(MBEDTLS_SHA224_C)
276 ctx->state[0] = 0xC1059ED8;
277 ctx->state[1] = 0x367CD507;
278 ctx->state[2] = 0x3070DD17;
279 ctx->state[3] = 0xF70E5939;
280 ctx->state[4] = 0xFFC00B31;
281 ctx->state[5] = 0x68581511;
282 ctx->state[6] = 0x64F98FA7;
283 ctx->state[7] = 0xBEFA4FA4;
284 #endif
285 }
286
287 #if defined(MBEDTLS_SHA224_C)
288 ctx->is224 = is224;
289 #endif
290
291 return 0;
292 }
293
294 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
295 static const uint32_t K[] =
296 {
297 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
298 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
299 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
300 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
301 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
302 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
303 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
304 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
305 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
306 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
307 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
308 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
309 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
310 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
311 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
312 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
313 };
314
315 #endif
316
317 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
318 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
319
320 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
321 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
322 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
323 #endif
324
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)325 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
326 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
327 {
328 uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
329 uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
330
331 size_t processed = 0;
332
333 for (;
334 len >= SHA256_BLOCK_SIZE;
335 processed += SHA256_BLOCK_SIZE,
336 msg += SHA256_BLOCK_SIZE,
337 len -= SHA256_BLOCK_SIZE) {
338 uint32x4_t tmp, abcd_prev;
339
340 uint32x4_t abcd_orig = abcd;
341 uint32x4_t efgh_orig = efgh;
342
343 uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
344 uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
345 uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
346 uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
347
348 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
349 /* Untested on BE */
350 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
351 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
352 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
353 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
354 #endif
355
356 /* Rounds 0 to 3 */
357 tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
358 abcd_prev = abcd;
359 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
360 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
361
362 /* Rounds 4 to 7 */
363 tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
364 abcd_prev = abcd;
365 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
366 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
367
368 /* Rounds 8 to 11 */
369 tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
370 abcd_prev = abcd;
371 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
372 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
373
374 /* Rounds 12 to 15 */
375 tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
376 abcd_prev = abcd;
377 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
378 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
379
380 for (int t = 16; t < 64; t += 16) {
381 /* Rounds t to t + 3 */
382 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
383 tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
384 abcd_prev = abcd;
385 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
386 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
387
388 /* Rounds t + 4 to t + 7 */
389 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
390 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
391 abcd_prev = abcd;
392 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
393 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
394
395 /* Rounds t + 8 to t + 11 */
396 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
397 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
398 abcd_prev = abcd;
399 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
400 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
401
402 /* Rounds t + 12 to t + 15 */
403 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
404 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
405 abcd_prev = abcd;
406 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
407 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
408 }
409
410 abcd = vaddq_u32(abcd, abcd_orig);
411 efgh = vaddq_u32(efgh, efgh_orig);
412 }
413
414 vst1q_u32(&ctx->state[0], abcd);
415 vst1q_u32(&ctx->state[4], efgh);
416
417 return processed;
418 }
419
420 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
421 /*
422 * This function is for internal use only if we are building both C and Armv8-A
423 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
424 */
425 static
426 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])427 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
428 const unsigned char data[SHA256_BLOCK_SIZE])
429 {
430 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
431 SHA256_BLOCK_SIZE) ==
432 SHA256_BLOCK_SIZE) ? 0 : -1;
433 }
434
435 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
436
437 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
438 #if defined(__clang__)
439 #pragma clang attribute pop
440 #elif defined(__GNUC__)
441 #pragma GCC pop_options
442 #endif
443 #undef MBEDTLS_POP_TARGET_PRAGMA
444 #endif
445
446 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
447 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
448 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
449 #endif
450
451
452 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
453 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
454
455 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
456 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
457
458 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
459 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
460
461 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
462 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
463
464 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
465 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
466
467 #define R(t) \
468 ( \
469 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
470 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
471 )
472
473 #define P(a, b, c, d, e, f, g, h, x, K) \
474 do \
475 { \
476 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
477 local.temp2 = S2(a) + F0((a), (b), (c)); \
478 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
479 } while (0)
480
481 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
482 /*
483 * This function is for internal use only if we are building both C and Armv8
484 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
485 */
486 static
487 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])488 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
489 const unsigned char data[SHA256_BLOCK_SIZE])
490 {
491 struct {
492 uint32_t temp1, temp2, W[64];
493 uint32_t A[8];
494 } local;
495
496 unsigned int i;
497
498 for (i = 0; i < 8; i++) {
499 local.A[i] = ctx->state[i];
500 }
501
502 #if defined(MBEDTLS_SHA256_SMALLER)
503 for (i = 0; i < 64; i++) {
504 if (i < 16) {
505 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
506 } else {
507 R(i);
508 }
509
510 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
511 local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
512
513 local.temp1 = local.A[7]; local.A[7] = local.A[6];
514 local.A[6] = local.A[5]; local.A[5] = local.A[4];
515 local.A[4] = local.A[3]; local.A[3] = local.A[2];
516 local.A[2] = local.A[1]; local.A[1] = local.A[0];
517 local.A[0] = local.temp1;
518 }
519 #else /* MBEDTLS_SHA256_SMALLER */
520 for (i = 0; i < 16; i++) {
521 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
522 }
523
524 for (i = 0; i < 16; i += 8) {
525 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
526 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
527 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
528 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
529 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
530 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
531 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
532 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
533 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
534 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
535 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
536 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
537 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
538 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
539 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
540 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
541 }
542
543 for (i = 16; i < 64; i += 8) {
544 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
545 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
546 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
547 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
548 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
549 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
550 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
551 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
552 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
553 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
554 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
555 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
556 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
557 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
558 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
559 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
560 }
561 #endif /* MBEDTLS_SHA256_SMALLER */
562
563 for (i = 0; i < 8; i++) {
564 ctx->state[i] += local.A[i];
565 }
566
567 /* Zeroise buffers and variables to clear sensitive data from memory. */
568 mbedtls_platform_zeroize(&local, sizeof(local));
569
570 return 0;
571 }
572
573 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
574
575
576 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
577
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)578 static size_t mbedtls_internal_sha256_process_many_c(
579 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
580 {
581 size_t processed = 0;
582
583 while (len >= SHA256_BLOCK_SIZE) {
584 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
585 return 0;
586 }
587
588 data += SHA256_BLOCK_SIZE;
589 len -= SHA256_BLOCK_SIZE;
590
591 processed += SHA256_BLOCK_SIZE;
592 }
593
594 return processed;
595 }
596
597 #endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
598
599
600 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
601
mbedtls_a64_crypto_sha256_has_support(void)602 static int mbedtls_a64_crypto_sha256_has_support(void)
603 {
604 static int done = 0;
605 static int supported = 0;
606
607 if (!done) {
608 supported = mbedtls_a64_crypto_sha256_determine_support();
609 done = 1;
610 }
611
612 return supported;
613 }
614
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)615 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
616 const uint8_t *msg, size_t len)
617 {
618 if (mbedtls_a64_crypto_sha256_has_support()) {
619 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
620 } else {
621 return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
622 }
623 }
624
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])625 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
626 const unsigned char data[SHA256_BLOCK_SIZE])
627 {
628 if (mbedtls_a64_crypto_sha256_has_support()) {
629 return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
630 } else {
631 return mbedtls_internal_sha256_process_c(ctx, data);
632 }
633 }
634
635 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
636
637
638 /*
639 * SHA-256 process buffer
640 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)641 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
642 const unsigned char *input,
643 size_t ilen)
644 {
645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
646 size_t fill;
647 uint32_t left;
648
649 if (ilen == 0) {
650 return 0;
651 }
652
653 left = ctx->total[0] & 0x3F;
654 fill = SHA256_BLOCK_SIZE - left;
655
656 ctx->total[0] += (uint32_t) ilen;
657 ctx->total[0] &= 0xFFFFFFFF;
658
659 if (ctx->total[0] < (uint32_t) ilen) {
660 ctx->total[1]++;
661 }
662
663 if (left && ilen >= fill) {
664 memcpy((void *) (ctx->buffer + left), input, fill);
665
666 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
667 return ret;
668 }
669
670 input += fill;
671 ilen -= fill;
672 left = 0;
673 }
674
675 while (ilen >= SHA256_BLOCK_SIZE) {
676 size_t processed =
677 mbedtls_internal_sha256_process_many(ctx, input, ilen);
678 if (processed < SHA256_BLOCK_SIZE) {
679 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
680 }
681
682 input += processed;
683 ilen -= processed;
684 }
685
686 if (ilen > 0) {
687 memcpy((void *) (ctx->buffer + left), input, ilen);
688 }
689
690 return 0;
691 }
692
693 /*
694 * SHA-256 final digest
695 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)696 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
697 unsigned char *output)
698 {
699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
700 uint32_t used;
701 uint32_t high, low;
702 int truncated = 0;
703
704 /*
705 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
706 */
707 used = ctx->total[0] & 0x3F;
708
709 ctx->buffer[used++] = 0x80;
710
711 if (used <= 56) {
712 /* Enough room for padding + length in current block */
713 memset(ctx->buffer + used, 0, 56 - used);
714 } else {
715 /* We'll need an extra block */
716 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
717
718 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
719 goto exit;
720 }
721
722 memset(ctx->buffer, 0, 56);
723 }
724
725 /*
726 * Add message length
727 */
728 high = (ctx->total[0] >> 29)
729 | (ctx->total[1] << 3);
730 low = (ctx->total[0] << 3);
731
732 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
733 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
734
735 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
736 goto exit;
737 }
738
739 /*
740 * Output final state
741 */
742 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
743 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
744 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
745 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
746 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
747 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
748 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
749
750 #if defined(MBEDTLS_SHA224_C)
751 truncated = ctx->is224;
752 #endif
753 if (!truncated) {
754 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
755 }
756
757 ret = 0;
758
759 exit:
760 mbedtls_sha256_free(ctx);
761 return ret;
762 }
763
764 #endif /* !MBEDTLS_SHA256_ALT */
765
766 /*
767 * output = SHA-256( input buffer )
768 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)769 int mbedtls_sha256(const unsigned char *input,
770 size_t ilen,
771 unsigned char *output,
772 int is224)
773 {
774 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
775 mbedtls_sha256_context ctx;
776
777 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
778 if (is224 != 0 && is224 != 1) {
779 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
780 }
781 #elif defined(MBEDTLS_SHA256_C)
782 if (is224 != 0) {
783 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
784 }
785 #else /* defined MBEDTLS_SHA224_C only */
786 if (is224 == 0) {
787 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
788 }
789 #endif
790
791 mbedtls_sha256_init(&ctx);
792
793 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
794 goto exit;
795 }
796
797 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
798 goto exit;
799 }
800
801 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
802 goto exit;
803 }
804
805 exit:
806 mbedtls_sha256_free(&ctx);
807
808 return ret;
809 }
810
811 #if defined(MBEDTLS_SELF_TEST)
812 /*
813 * FIPS-180-2 test vectors
814 */
815 static const unsigned char sha_test_buf[3][57] =
816 {
817 { "abc" },
818 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
819 { "" }
820 };
821
822 static const size_t sha_test_buflen[3] =
823 {
824 3, 56, 1000
825 };
826
827 typedef const unsigned char (sha_test_sum_t)[32];
828
829 /*
830 * SHA-224 test vectors
831 */
832 #if defined(MBEDTLS_SHA224_C)
833 static sha_test_sum_t sha224_test_sum[] =
834 {
835 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
836 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
837 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
838 0xE3, 0x6C, 0x9D, 0xA7 },
839 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
840 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
841 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
842 0x52, 0x52, 0x25, 0x25 },
843 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
844 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
845 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
846 0x4E, 0xE7, 0xAD, 0x67 }
847 };
848 #endif
849
850 /*
851 * SHA-256 test vectors
852 */
853 #if defined(MBEDTLS_SHA256_C)
854 static sha_test_sum_t sha256_test_sum[] =
855 {
856 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
857 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
858 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
859 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
860 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
861 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
862 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
863 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
864 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
865 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
866 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
867 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
868 };
869 #endif
870
871 /*
872 * Checkup routine
873 */
mbedtls_sha256_common_self_test(int verbose,int is224)874 static int mbedtls_sha256_common_self_test(int verbose, int is224)
875 {
876 int i, buflen, ret = 0;
877 unsigned char *buf;
878 unsigned char sha256sum[32];
879 mbedtls_sha256_context ctx;
880
881 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
882 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
883 #elif defined(MBEDTLS_SHA256_C)
884 sha_test_sum_t *sha_test_sum = sha256_test_sum;
885 #else
886 sha_test_sum_t *sha_test_sum = sha224_test_sum;
887 #endif
888
889 buf = mbedtls_calloc(1024, sizeof(unsigned char));
890 if (NULL == buf) {
891 if (verbose != 0) {
892 mbedtls_printf("Buffer allocation failed\n");
893 }
894
895 return 1;
896 }
897
898 mbedtls_sha256_init(&ctx);
899
900 for (i = 0; i < 3; i++) {
901 if (verbose != 0) {
902 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
903 }
904
905 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
906 goto fail;
907 }
908
909 if (i == 2) {
910 memset(buf, 'a', buflen = 1000);
911
912 for (int j = 0; j < 1000; j++) {
913 ret = mbedtls_sha256_update(&ctx, buf, buflen);
914 if (ret != 0) {
915 goto fail;
916 }
917 }
918
919 } else {
920 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
921 sha_test_buflen[i]);
922 if (ret != 0) {
923 goto fail;
924 }
925 }
926
927 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
928 goto fail;
929 }
930
931
932 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
933 ret = 1;
934 goto fail;
935 }
936
937 if (verbose != 0) {
938 mbedtls_printf("passed\n");
939 }
940 }
941
942 if (verbose != 0) {
943 mbedtls_printf("\n");
944 }
945
946 goto exit;
947
948 fail:
949 if (verbose != 0) {
950 mbedtls_printf("failed\n");
951 }
952
953 exit:
954 mbedtls_sha256_free(&ctx);
955 mbedtls_free(buf);
956
957 return ret;
958 }
959
960 #if defined(MBEDTLS_SHA256_C)
mbedtls_sha256_self_test(int verbose)961 int mbedtls_sha256_self_test(int verbose)
962 {
963 return mbedtls_sha256_common_self_test(verbose, 0);
964 }
965 #endif /* MBEDTLS_SHA256_C */
966
967 #if defined(MBEDTLS_SHA224_C)
mbedtls_sha224_self_test(int verbose)968 int mbedtls_sha224_self_test(int verbose)
969 {
970 return mbedtls_sha256_common_self_test(verbose, 1);
971 }
972 #endif /* MBEDTLS_SHA224_C */
973
974 #endif /* MBEDTLS_SELF_TEST */
975
976 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
977
