1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
9 *
10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11 */
12
13 #if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \
14 defined(__clang__) && __clang_major__ >= 4
15 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
16 *
17 * The intrinsic declaration are guarded by predefined ACLE macros in clang:
18 * these are normally only enabled by the -march option on the command line.
19 * By defining the macros ourselves we gain access to those declarations without
20 * requiring -march on the command line.
21 *
22 * `arm_neon.h` could be included by any header file, so we put these defines
23 * at the top of this file, before any includes.
24 */
25 #define __ARM_FEATURE_CRYPTO 1
26 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
27 *
28 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
29 * for older compilers.
30 */
31 #define __ARM_FEATURE_SHA2 1
32 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
33 #endif
34
35 #include "common.h"
36
37 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
38
39 #include "mbedtls/sha256.h"
40 #include "mbedtls/platform_util.h"
41 #include "mbedtls/error.h"
42
43 #include <string.h>
44
45 #include "mbedtls/platform.h"
46
47 #if defined(__aarch64__)
48
49 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
50 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
51
52 /* *INDENT-OFF* */
53
54 # ifdef __ARM_NEON
55 # include <arm_neon.h>
56 # else
57 # error "Target does not support NEON instructions"
58 # endif
59
60 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
61 # if defined(__ARMCOMPILER_VERSION)
62 # if __ARMCOMPILER_VERSION <= 6090000
63 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
64 # endif
65 # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
66 # define MBEDTLS_POP_TARGET_PRAGMA
67 # elif defined(__clang__)
68 # if __clang_major__ < 4
69 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
70 # endif
71 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
72 # define MBEDTLS_POP_TARGET_PRAGMA
73 # elif defined(__GNUC__)
74 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
75 * intrinsics are missing. Missing intrinsics could be worked around.
76 */
77 # if __GNUC__ < 6
78 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
79 # else
80 # pragma GCC push_options
81 # pragma GCC target ("arch=armv8-a+crypto")
82 # define MBEDTLS_POP_TARGET_PRAGMA
83 # endif
84 # else
85 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
86 # endif
87 # endif
88 /* *INDENT-ON* */
89
90 # endif
91 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
92 # if defined(__unix__)
93 # if defined(__linux__)
94 /* Our preferred method of detection is getauxval() */
95 # include <sys/auxv.h>
96 # endif
97 /* Use SIGILL on Unix, and fall back to it on Linux */
98 # include <signal.h>
99 # endif
100 # endif
101 #elif defined(_M_ARM64)
102 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
103 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
104 # include <arm64_neon.h>
105 # endif
106 #else
107 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
108 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
109 #endif
110
111 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
112 /*
113 * Capability detection code comes early, so we can disable
114 * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
115 */
116 #if defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)117 static int mbedtls_a64_crypto_sha256_determine_support(void)
118 {
119 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
120 }
121 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)122 static int mbedtls_a64_crypto_sha256_determine_support(void)
123 {
124 return 1;
125 }
126 #elif defined(_M_ARM64)
127 #define WIN32_LEAN_AND_MEAN
128 #include <Windows.h>
129 #include <processthreadsapi.h>
130
mbedtls_a64_crypto_sha256_determine_support(void)131 static int mbedtls_a64_crypto_sha256_determine_support(void)
132 {
133 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
134 1 : 0;
135 }
136 #elif defined(__unix__) && defined(SIG_SETMASK)
137 /* Detection with SIGILL, setjmp() and longjmp() */
138 #include <signal.h>
139 #include <setjmp.h>
140
141 static jmp_buf return_from_sigill;
142
143 /*
144 * A64 SHA256 support detection via SIGILL
145 */
sigill_handler(int signal)146 static void sigill_handler(int signal)
147 {
148 (void) signal;
149 longjmp(return_from_sigill, 1);
150 }
151
mbedtls_a64_crypto_sha256_determine_support(void)152 static int mbedtls_a64_crypto_sha256_determine_support(void)
153 {
154 struct sigaction old_action, new_action;
155
156 sigset_t old_mask;
157 if (sigprocmask(0, NULL, &old_mask)) {
158 return 0;
159 }
160
161 sigemptyset(&new_action.sa_mask);
162 new_action.sa_flags = 0;
163 new_action.sa_handler = sigill_handler;
164
165 sigaction(SIGILL, &new_action, &old_action);
166
167 static int ret = 0;
168
169 if (setjmp(return_from_sigill) == 0) { /* First return only */
170 /* If this traps, we will return a second time from setjmp() with 1 */
171 asm ("sha256h q0, q0, v0.4s" : : : "v0");
172 ret = 1;
173 }
174
175 sigaction(SIGILL, &old_action, NULL);
176 sigprocmask(SIG_SETMASK, &old_mask, NULL);
177
178 return ret;
179 }
180 #else
181 #warning "No mechanism to detect A64_CRYPTO found, using C code only"
182 #undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
183 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
184
185 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
186
187 #if !defined(MBEDTLS_SHA256_ALT)
188
189 #define SHA256_BLOCK_SIZE 64
190
mbedtls_sha256_init(mbedtls_sha256_context * ctx)191 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
192 {
193 memset(ctx, 0, sizeof(mbedtls_sha256_context));
194 }
195
mbedtls_sha256_free(mbedtls_sha256_context * ctx)196 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
197 {
198 if (ctx == NULL) {
199 return;
200 }
201
202 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
203 }
204
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)205 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
206 const mbedtls_sha256_context *src)
207 {
208 *dst = *src;
209 }
210
211 /*
212 * SHA-256 context setup
213 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)214 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
215 {
216 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
217 if (is224 != 0 && is224 != 1) {
218 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
219 }
220 #elif defined(MBEDTLS_SHA256_C)
221 if (is224 != 0) {
222 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
223 }
224 #else /* defined MBEDTLS_SHA224_C only */
225 if (is224 == 0) {
226 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
227 }
228 #endif
229
230 ctx->total[0] = 0;
231 ctx->total[1] = 0;
232
233 if (is224 == 0) {
234 #if defined(MBEDTLS_SHA256_C)
235 ctx->state[0] = 0x6A09E667;
236 ctx->state[1] = 0xBB67AE85;
237 ctx->state[2] = 0x3C6EF372;
238 ctx->state[3] = 0xA54FF53A;
239 ctx->state[4] = 0x510E527F;
240 ctx->state[5] = 0x9B05688C;
241 ctx->state[6] = 0x1F83D9AB;
242 ctx->state[7] = 0x5BE0CD19;
243 #endif
244 } else {
245 #if defined(MBEDTLS_SHA224_C)
246 ctx->state[0] = 0xC1059ED8;
247 ctx->state[1] = 0x367CD507;
248 ctx->state[2] = 0x3070DD17;
249 ctx->state[3] = 0xF70E5939;
250 ctx->state[4] = 0xFFC00B31;
251 ctx->state[5] = 0x68581511;
252 ctx->state[6] = 0x64F98FA7;
253 ctx->state[7] = 0xBEFA4FA4;
254 #endif
255 }
256
257 #if defined(MBEDTLS_SHA224_C)
258 ctx->is224 = is224;
259 #endif
260
261 return 0;
262 }
263
264 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
265 static const uint32_t K[] =
266 {
267 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
268 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
269 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
270 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
271 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
272 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
273 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
274 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
275 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
276 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
277 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
278 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
279 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
280 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
281 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
282 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
283 };
284
285 #endif
286
287 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
288 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
289
290 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
291 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
292 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
293 #endif
294
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)295 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
296 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
297 {
298 uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
299 uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
300
301 size_t processed = 0;
302
303 for (;
304 len >= SHA256_BLOCK_SIZE;
305 processed += SHA256_BLOCK_SIZE,
306 msg += SHA256_BLOCK_SIZE,
307 len -= SHA256_BLOCK_SIZE) {
308 uint32x4_t tmp, abcd_prev;
309
310 uint32x4_t abcd_orig = abcd;
311 uint32x4_t efgh_orig = efgh;
312
313 uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0);
314 uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1);
315 uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2);
316 uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3);
317
318 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
319 /* Untested on BE */
320 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
321 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
322 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
323 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
324 #endif
325
326 /* Rounds 0 to 3 */
327 tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
328 abcd_prev = abcd;
329 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
330 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
331
332 /* Rounds 4 to 7 */
333 tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
334 abcd_prev = abcd;
335 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
336 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
337
338 /* Rounds 8 to 11 */
339 tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
340 abcd_prev = abcd;
341 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
342 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
343
344 /* Rounds 12 to 15 */
345 tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
346 abcd_prev = abcd;
347 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
348 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
349
350 for (int t = 16; t < 64; t += 16) {
351 /* Rounds t to t + 3 */
352 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
353 tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
354 abcd_prev = abcd;
355 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
356 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
357
358 /* Rounds t + 4 to t + 7 */
359 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
360 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
361 abcd_prev = abcd;
362 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
363 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
364
365 /* Rounds t + 8 to t + 11 */
366 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
367 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
368 abcd_prev = abcd;
369 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
370 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
371
372 /* Rounds t + 12 to t + 15 */
373 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
374 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
375 abcd_prev = abcd;
376 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
377 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
378 }
379
380 abcd = vaddq_u32(abcd, abcd_orig);
381 efgh = vaddq_u32(efgh, efgh_orig);
382 }
383
384 vst1q_u32(&ctx->state[0], abcd);
385 vst1q_u32(&ctx->state[4], efgh);
386
387 return processed;
388 }
389
390 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
391 /*
392 * This function is for internal use only if we are building both C and A64
393 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
394 */
395 static
396 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])397 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
398 const unsigned char data[SHA256_BLOCK_SIZE])
399 {
400 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
401 SHA256_BLOCK_SIZE) ==
402 SHA256_BLOCK_SIZE) ? 0 : -1;
403 }
404
405 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
406
407 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
408 #if defined(__clang__)
409 #pragma clang attribute pop
410 #elif defined(__GNUC__)
411 #pragma GCC pop_options
412 #endif
413 #undef MBEDTLS_POP_TARGET_PRAGMA
414 #endif
415
416 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
417 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
418 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
419 #endif
420
421
422 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
423 !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
424
425 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
426 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
427
428 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
429 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
430
431 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
432 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
433
434 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
435 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
436
437 #define R(t) \
438 ( \
439 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
440 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
441 )
442
443 #define P(a, b, c, d, e, f, g, h, x, K) \
444 do \
445 { \
446 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
447 local.temp2 = S2(a) + F0((a), (b), (c)); \
448 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
449 } while (0)
450
451 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
452 /*
453 * This function is for internal use only if we are building both C and A64
454 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
455 */
456 static
457 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])458 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
459 const unsigned char data[SHA256_BLOCK_SIZE])
460 {
461 struct {
462 uint32_t temp1, temp2, W[64];
463 uint32_t A[8];
464 } local;
465
466 unsigned int i;
467
468 for (i = 0; i < 8; i++) {
469 local.A[i] = ctx->state[i];
470 }
471
472 #if defined(MBEDTLS_SHA256_SMALLER)
473 for (i = 0; i < 64; i++) {
474 if (i < 16) {
475 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
476 } else {
477 R(i);
478 }
479
480 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
481 local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
482
483 local.temp1 = local.A[7]; local.A[7] = local.A[6];
484 local.A[6] = local.A[5]; local.A[5] = local.A[4];
485 local.A[4] = local.A[3]; local.A[3] = local.A[2];
486 local.A[2] = local.A[1]; local.A[1] = local.A[0];
487 local.A[0] = local.temp1;
488 }
489 #else /* MBEDTLS_SHA256_SMALLER */
490 for (i = 0; i < 16; i++) {
491 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
492 }
493
494 for (i = 0; i < 16; i += 8) {
495 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
496 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
497 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
498 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
499 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
500 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
501 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
502 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
503 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
504 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
505 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
506 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
507 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
508 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
509 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
510 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
511 }
512
513 for (i = 16; i < 64; i += 8) {
514 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
515 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
516 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
517 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
518 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
519 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
520 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
521 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
522 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
523 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
524 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
525 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
526 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
527 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
528 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
529 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
530 }
531 #endif /* MBEDTLS_SHA256_SMALLER */
532
533 for (i = 0; i < 8; i++) {
534 ctx->state[i] += local.A[i];
535 }
536
537 /* Zeroise buffers and variables to clear sensitive data from memory. */
538 mbedtls_platform_zeroize(&local, sizeof(local));
539
540 return 0;
541 }
542
543 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
544
545
546 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
547
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)548 static size_t mbedtls_internal_sha256_process_many_c(
549 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
550 {
551 size_t processed = 0;
552
553 while (len >= SHA256_BLOCK_SIZE) {
554 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
555 return 0;
556 }
557
558 data += SHA256_BLOCK_SIZE;
559 len -= SHA256_BLOCK_SIZE;
560
561 processed += SHA256_BLOCK_SIZE;
562 }
563
564 return processed;
565 }
566
567 #endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
568
569
570 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
571
mbedtls_a64_crypto_sha256_has_support(void)572 static int mbedtls_a64_crypto_sha256_has_support(void)
573 {
574 static int done = 0;
575 static int supported = 0;
576
577 if (!done) {
578 supported = mbedtls_a64_crypto_sha256_determine_support();
579 done = 1;
580 }
581
582 return supported;
583 }
584
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)585 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
586 const uint8_t *msg, size_t len)
587 {
588 if (mbedtls_a64_crypto_sha256_has_support()) {
589 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
590 } else {
591 return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
592 }
593 }
594
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])595 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
596 const unsigned char data[SHA256_BLOCK_SIZE])
597 {
598 if (mbedtls_a64_crypto_sha256_has_support()) {
599 return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
600 } else {
601 return mbedtls_internal_sha256_process_c(ctx, data);
602 }
603 }
604
605 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
606
607
608 /*
609 * SHA-256 process buffer
610 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)611 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
612 const unsigned char *input,
613 size_t ilen)
614 {
615 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
616 size_t fill;
617 uint32_t left;
618
619 if (ilen == 0) {
620 return 0;
621 }
622
623 left = ctx->total[0] & 0x3F;
624 fill = SHA256_BLOCK_SIZE - left;
625
626 ctx->total[0] += (uint32_t) ilen;
627 ctx->total[0] &= 0xFFFFFFFF;
628
629 if (ctx->total[0] < (uint32_t) ilen) {
630 ctx->total[1]++;
631 }
632
633 if (left && ilen >= fill) {
634 memcpy((void *) (ctx->buffer + left), input, fill);
635
636 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
637 return ret;
638 }
639
640 input += fill;
641 ilen -= fill;
642 left = 0;
643 }
644
645 while (ilen >= SHA256_BLOCK_SIZE) {
646 size_t processed =
647 mbedtls_internal_sha256_process_many(ctx, input, ilen);
648 if (processed < SHA256_BLOCK_SIZE) {
649 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
650 }
651
652 input += processed;
653 ilen -= processed;
654 }
655
656 if (ilen > 0) {
657 memcpy((void *) (ctx->buffer + left), input, ilen);
658 }
659
660 return 0;
661 }
662
663 /*
664 * SHA-256 final digest
665 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)666 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
667 unsigned char *output)
668 {
669 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
670 uint32_t used;
671 uint32_t high, low;
672 int truncated = 0;
673
674 /*
675 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
676 */
677 used = ctx->total[0] & 0x3F;
678
679 ctx->buffer[used++] = 0x80;
680
681 if (used <= 56) {
682 /* Enough room for padding + length in current block */
683 memset(ctx->buffer + used, 0, 56 - used);
684 } else {
685 /* We'll need an extra block */
686 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
687
688 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
689 goto exit;
690 }
691
692 memset(ctx->buffer, 0, 56);
693 }
694
695 /*
696 * Add message length
697 */
698 high = (ctx->total[0] >> 29)
699 | (ctx->total[1] << 3);
700 low = (ctx->total[0] << 3);
701
702 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
703 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
704
705 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
706 goto exit;
707 }
708
709 /*
710 * Output final state
711 */
712 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
713 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
714 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
715 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
716 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
717 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
718 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
719
720 #if defined(MBEDTLS_SHA224_C)
721 truncated = ctx->is224;
722 #endif
723 if (!truncated) {
724 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
725 }
726
727 ret = 0;
728
729 exit:
730 mbedtls_sha256_free(ctx);
731 return ret;
732 }
733
734 #endif /* !MBEDTLS_SHA256_ALT */
735
736 /*
737 * output = SHA-256( input buffer )
738 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)739 int mbedtls_sha256(const unsigned char *input,
740 size_t ilen,
741 unsigned char *output,
742 int is224)
743 {
744 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
745 mbedtls_sha256_context ctx;
746
747 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
748 if (is224 != 0 && is224 != 1) {
749 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
750 }
751 #elif defined(MBEDTLS_SHA256_C)
752 if (is224 != 0) {
753 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
754 }
755 #else /* defined MBEDTLS_SHA224_C only */
756 if (is224 == 0) {
757 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
758 }
759 #endif
760
761 mbedtls_sha256_init(&ctx);
762
763 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
764 goto exit;
765 }
766
767 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
768 goto exit;
769 }
770
771 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
772 goto exit;
773 }
774
775 exit:
776 mbedtls_sha256_free(&ctx);
777
778 return ret;
779 }
780
781 #if defined(MBEDTLS_SELF_TEST)
782 /*
783 * FIPS-180-2 test vectors
784 */
785 static const unsigned char sha_test_buf[3][57] =
786 {
787 { "abc" },
788 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
789 { "" }
790 };
791
792 static const size_t sha_test_buflen[3] =
793 {
794 3, 56, 1000
795 };
796
797 typedef const unsigned char (sha_test_sum_t)[32];
798
799 /*
800 * SHA-224 test vectors
801 */
802 #if defined(MBEDTLS_SHA224_C)
803 static sha_test_sum_t sha224_test_sum[] =
804 {
805 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
806 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
807 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
808 0xE3, 0x6C, 0x9D, 0xA7 },
809 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
810 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
811 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
812 0x52, 0x52, 0x25, 0x25 },
813 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
814 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
815 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
816 0x4E, 0xE7, 0xAD, 0x67 }
817 };
818 #endif
819
820 /*
821 * SHA-256 test vectors
822 */
823 #if defined(MBEDTLS_SHA256_C)
824 static sha_test_sum_t sha256_test_sum[] =
825 {
826 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
827 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
828 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
829 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
830 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
831 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
832 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
833 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
834 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
835 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
836 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
837 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
838 };
839 #endif
840
841 /*
842 * Checkup routine
843 */
mbedtls_sha256_common_self_test(int verbose,int is224)844 static int mbedtls_sha256_common_self_test(int verbose, int is224)
845 {
846 int i, buflen, ret = 0;
847 unsigned char *buf;
848 unsigned char sha256sum[32];
849 mbedtls_sha256_context ctx;
850
851 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
852 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
853 #elif defined(MBEDTLS_SHA256_C)
854 sha_test_sum_t *sha_test_sum = sha256_test_sum;
855 #else
856 sha_test_sum_t *sha_test_sum = sha224_test_sum;
857 #endif
858
859 buf = mbedtls_calloc(1024, sizeof(unsigned char));
860 if (NULL == buf) {
861 if (verbose != 0) {
862 mbedtls_printf("Buffer allocation failed\n");
863 }
864
865 return 1;
866 }
867
868 mbedtls_sha256_init(&ctx);
869
870 for (i = 0; i < 3; i++) {
871 if (verbose != 0) {
872 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
873 }
874
875 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
876 goto fail;
877 }
878
879 if (i == 2) {
880 memset(buf, 'a', buflen = 1000);
881
882 for (int j = 0; j < 1000; j++) {
883 ret = mbedtls_sha256_update(&ctx, buf, buflen);
884 if (ret != 0) {
885 goto fail;
886 }
887 }
888
889 } else {
890 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
891 sha_test_buflen[i]);
892 if (ret != 0) {
893 goto fail;
894 }
895 }
896
897 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
898 goto fail;
899 }
900
901
902 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
903 ret = 1;
904 goto fail;
905 }
906
907 if (verbose != 0) {
908 mbedtls_printf("passed\n");
909 }
910 }
911
912 if (verbose != 0) {
913 mbedtls_printf("\n");
914 }
915
916 goto exit;
917
918 fail:
919 if (verbose != 0) {
920 mbedtls_printf("failed\n");
921 }
922
923 exit:
924 mbedtls_sha256_free(&ctx);
925 mbedtls_free(buf);
926
927 return ret;
928 }
929
930 #if defined(MBEDTLS_SHA256_C)
mbedtls_sha256_self_test(int verbose)931 int mbedtls_sha256_self_test(int verbose)
932 {
933 return mbedtls_sha256_common_self_test(verbose, 0);
934 }
935 #endif /* MBEDTLS_SHA256_C */
936
937 #if defined(MBEDTLS_SHA224_C)
mbedtls_sha224_self_test(int verbose)938 int mbedtls_sha224_self_test(int verbose)
939 {
940 return mbedtls_sha256_common_self_test(verbose, 1);
941 }
942 #endif /* MBEDTLS_SHA224_C */
943
944 #endif /* MBEDTLS_SELF_TEST */
945
946 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
947
