1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
21 *
22 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
23 */
24
25 #include "common.h"
26
27 #if defined(MBEDTLS_SHA256_C)
28
29 #include "mbedtls/sha256.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32
33 #include <string.h>
34
35 #include "mbedtls/platform.h"
36
37 #if defined(__aarch64__)
38 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
39 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
40 # include <arm_neon.h>
41 # endif
42 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
43 # if defined(__unix__)
44 # if defined(__linux__)
45 /* Our preferred method of detection is getauxval() */
46 # include <sys/auxv.h>
47 # endif
48 /* Use SIGILL on Unix, and fall back to it on Linux */
49 # include <signal.h>
50 # endif
51 # endif
52 #elif defined(_M_ARM64)
53 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
54 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
55 # include <arm64_neon.h>
56 # endif
57 #else
58 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
59 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
60 #endif
61
62 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
63 /*
64 * Capability detection code comes early, so we can disable
65 * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
66 */
67 #if defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)68 static int mbedtls_a64_crypto_sha256_determine_support( void )
69 {
70 return( ( getauxval( AT_HWCAP ) & HWCAP_SHA2 ) ? 1 : 0 );
71 }
72 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)73 static int mbedtls_a64_crypto_sha256_determine_support( void )
74 {
75 return( 1 );
76 }
77 #elif defined(_M_ARM64)
78 #define WIN32_LEAN_AND_MEAN
79 #include <Windows.h>
80 #include <processthreadsapi.h>
81
mbedtls_a64_crypto_sha256_determine_support(void)82 static int mbedtls_a64_crypto_sha256_determine_support( void )
83 {
84 return( IsProcessorFeaturePresent( PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE ) ?
85 1 : 0 );
86 }
87 #elif defined(__unix__) && defined(SIG_SETMASK)
88 /* Detection with SIGILL, setjmp() and longjmp() */
89 #include <signal.h>
90 #include <setjmp.h>
91
92 #ifndef asm
93 #define asm __asm__
94 #endif
95
96 static jmp_buf return_from_sigill;
97
98 /*
99 * A64 SHA256 support detection via SIGILL
100 */
sigill_handler(int signal)101 static void sigill_handler( int signal )
102 {
103 (void) signal;
104 longjmp( return_from_sigill, 1 );
105 }
106
mbedtls_a64_crypto_sha256_determine_support(void)107 static int mbedtls_a64_crypto_sha256_determine_support( void )
108 {
109 struct sigaction old_action, new_action;
110
111 sigset_t old_mask;
112 if( sigprocmask( 0, NULL, &old_mask ) )
113 return( 0 );
114
115 sigemptyset( &new_action.sa_mask );
116 new_action.sa_flags = 0;
117 new_action.sa_handler = sigill_handler;
118
119 sigaction( SIGILL, &new_action, &old_action );
120
121 static int ret = 0;
122
123 if( setjmp( return_from_sigill ) == 0 ) /* First return only */
124 {
125 /* If this traps, we will return a second time from setjmp() with 1 */
126 asm( "sha256h q0, q0, v0.4s" : : : "v0" );
127 ret = 1;
128 }
129
130 sigaction( SIGILL, &old_action, NULL );
131 sigprocmask( SIG_SETMASK, &old_mask, NULL );
132
133 return( ret );
134 }
135 #else
136 #warning "No mechanism to detect A64_CRYPTO found, using C code only"
137 #undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
138 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
139
140 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
141
142 #if !defined(MBEDTLS_SHA256_ALT)
143
144 #define SHA256_BLOCK_SIZE 64
145
mbedtls_sha256_init(mbedtls_sha256_context * ctx)146 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
147 {
148 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
149 }
150
mbedtls_sha256_free(mbedtls_sha256_context * ctx)151 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
152 {
153 if( ctx == NULL )
154 return;
155
156 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
157 }
158
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)159 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
160 const mbedtls_sha256_context *src )
161 {
162 *dst = *src;
163 }
164
165 /*
166 * SHA-256 context setup
167 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)168 int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
169 {
170 #if defined(MBEDTLS_SHA224_C)
171 if( is224 != 0 && is224 != 1 )
172 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
173 #else
174 if( is224 != 0 )
175 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
176 #endif
177
178 ctx->total[0] = 0;
179 ctx->total[1] = 0;
180
181 if( is224 == 0 )
182 {
183 /* SHA-256 */
184 ctx->state[0] = 0x6A09E667;
185 ctx->state[1] = 0xBB67AE85;
186 ctx->state[2] = 0x3C6EF372;
187 ctx->state[3] = 0xA54FF53A;
188 ctx->state[4] = 0x510E527F;
189 ctx->state[5] = 0x9B05688C;
190 ctx->state[6] = 0x1F83D9AB;
191 ctx->state[7] = 0x5BE0CD19;
192 }
193 else
194 {
195 #if defined(MBEDTLS_SHA224_C)
196 /* SHA-224 */
197 ctx->state[0] = 0xC1059ED8;
198 ctx->state[1] = 0x367CD507;
199 ctx->state[2] = 0x3070DD17;
200 ctx->state[3] = 0xF70E5939;
201 ctx->state[4] = 0xFFC00B31;
202 ctx->state[5] = 0x68581511;
203 ctx->state[6] = 0x64F98FA7;
204 ctx->state[7] = 0xBEFA4FA4;
205 #endif
206 }
207
208 ctx->is224 = is224;
209
210 return( 0 );
211 }
212
213 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
214 static const uint32_t K[] =
215 {
216 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
217 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
218 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
219 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
220 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
221 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
222 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
223 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
224 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
225 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
226 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
227 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
228 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
229 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
230 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
231 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
232 };
233
234 #endif
235
236 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
237 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
238
239 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
240 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
241 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
242 #endif
243
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)244 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
245 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len )
246 {
247 uint32x4_t abcd = vld1q_u32( &ctx->state[0] );
248 uint32x4_t efgh = vld1q_u32( &ctx->state[4] );
249
250 size_t processed = 0;
251
252 for( ;
253 len >= SHA256_BLOCK_SIZE;
254 processed += SHA256_BLOCK_SIZE,
255 msg += SHA256_BLOCK_SIZE,
256 len -= SHA256_BLOCK_SIZE )
257 {
258 uint32x4_t tmp, abcd_prev;
259
260 uint32x4_t abcd_orig = abcd;
261 uint32x4_t efgh_orig = efgh;
262
263 uint32x4_t sched0 = (uint32x4_t) vld1q_u8( msg + 16 * 0 );
264 uint32x4_t sched1 = (uint32x4_t) vld1q_u8( msg + 16 * 1 );
265 uint32x4_t sched2 = (uint32x4_t) vld1q_u8( msg + 16 * 2 );
266 uint32x4_t sched3 = (uint32x4_t) vld1q_u8( msg + 16 * 3 );
267
268 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
269 /* Untested on BE */
270 sched0 = vreinterpretq_u32_u8( vrev32q_u8( vreinterpretq_u8_u32( sched0 ) ) );
271 sched1 = vreinterpretq_u32_u8( vrev32q_u8( vreinterpretq_u8_u32( sched1 ) ) );
272 sched2 = vreinterpretq_u32_u8( vrev32q_u8( vreinterpretq_u8_u32( sched2 ) ) );
273 sched3 = vreinterpretq_u32_u8( vrev32q_u8( vreinterpretq_u8_u32( sched3 ) ) );
274 #endif
275
276 /* Rounds 0 to 3 */
277 tmp = vaddq_u32( sched0, vld1q_u32( &K[0] ) );
278 abcd_prev = abcd;
279 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
280 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
281
282 /* Rounds 4 to 7 */
283 tmp = vaddq_u32( sched1, vld1q_u32( &K[4] ) );
284 abcd_prev = abcd;
285 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
286 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
287
288 /* Rounds 8 to 11 */
289 tmp = vaddq_u32( sched2, vld1q_u32( &K[8] ) );
290 abcd_prev = abcd;
291 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
292 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
293
294 /* Rounds 12 to 15 */
295 tmp = vaddq_u32( sched3, vld1q_u32( &K[12] ) );
296 abcd_prev = abcd;
297 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
298 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
299
300 for( int t = 16; t < 64; t += 16 )
301 {
302 /* Rounds t to t + 3 */
303 sched0 = vsha256su1q_u32( vsha256su0q_u32( sched0, sched1 ), sched2, sched3 );
304 tmp = vaddq_u32( sched0, vld1q_u32( &K[t] ) );
305 abcd_prev = abcd;
306 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
307 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
308
309 /* Rounds t + 4 to t + 7 */
310 sched1 = vsha256su1q_u32( vsha256su0q_u32( sched1, sched2 ), sched3, sched0 );
311 tmp = vaddq_u32( sched1, vld1q_u32( &K[t + 4] ) );
312 abcd_prev = abcd;
313 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
314 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
315
316 /* Rounds t + 8 to t + 11 */
317 sched2 = vsha256su1q_u32( vsha256su0q_u32( sched2, sched3 ), sched0, sched1 );
318 tmp = vaddq_u32( sched2, vld1q_u32( &K[t + 8] ) );
319 abcd_prev = abcd;
320 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
321 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
322
323 /* Rounds t + 12 to t + 15 */
324 sched3 = vsha256su1q_u32( vsha256su0q_u32( sched3, sched0 ), sched1, sched2 );
325 tmp = vaddq_u32( sched3, vld1q_u32( &K[t + 12] ) );
326 abcd_prev = abcd;
327 abcd = vsha256hq_u32( abcd_prev, efgh, tmp );
328 efgh = vsha256h2q_u32( efgh, abcd_prev, tmp );
329 }
330
331 abcd = vaddq_u32( abcd, abcd_orig );
332 efgh = vaddq_u32( efgh, efgh_orig );
333 }
334
335 vst1q_u32( &ctx->state[0], abcd );
336 vst1q_u32( &ctx->state[4], efgh );
337
338 return( processed );
339 }
340
341 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
342 /*
343 * This function is for internal use only if we are building both C and A64
344 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
345 */
346 static
347 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])348 int mbedtls_internal_sha256_process_a64_crypto( mbedtls_sha256_context *ctx,
349 const unsigned char data[SHA256_BLOCK_SIZE] )
350 {
351 return( ( mbedtls_internal_sha256_process_many_a64_crypto( ctx, data,
352 SHA256_BLOCK_SIZE ) == SHA256_BLOCK_SIZE ) ? 0 : -1 );
353 }
354
355 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
356
357
358 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
359 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
360 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
361 #endif
362
363
364 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
365 !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
366
367 #define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
368 #define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
369
370 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
371 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
372
373 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
374 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
375
376 #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
377 #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
378
379 #define R(t) \
380 ( \
381 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
382 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
383 )
384
385 #define P(a,b,c,d,e,f,g,h,x,K) \
386 do \
387 { \
388 local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
389 local.temp2 = S2(a) + F0((a),(b),(c)); \
390 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
391 } while( 0 )
392
393 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
394 /*
395 * This function is for internal use only if we are building both C and A64
396 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
397 */
398 static
399 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])400 int mbedtls_internal_sha256_process_c( mbedtls_sha256_context *ctx,
401 const unsigned char data[SHA256_BLOCK_SIZE] )
402 {
403 struct
404 {
405 uint32_t temp1, temp2, W[64];
406 uint32_t A[8];
407 } local;
408
409 unsigned int i;
410
411 for( i = 0; i < 8; i++ )
412 local.A[i] = ctx->state[i];
413
414 #if defined(MBEDTLS_SHA256_SMALLER)
415 for( i = 0; i < 64; i++ )
416 {
417 if( i < 16 )
418 local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
419 else
420 R( i );
421
422 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
423 local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
424
425 local.temp1 = local.A[7]; local.A[7] = local.A[6];
426 local.A[6] = local.A[5]; local.A[5] = local.A[4];
427 local.A[4] = local.A[3]; local.A[3] = local.A[2];
428 local.A[2] = local.A[1]; local.A[1] = local.A[0];
429 local.A[0] = local.temp1;
430 }
431 #else /* MBEDTLS_SHA256_SMALLER */
432 for( i = 0; i < 16; i++ )
433 local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
434
435 for( i = 0; i < 16; i += 8 )
436 {
437 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
438 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
439 P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
440 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
441 P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
442 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
443 P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
444 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
445 P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
446 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
447 P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
448 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
449 P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
450 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
451 P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
452 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
453 }
454
455 for( i = 16; i < 64; i += 8 )
456 {
457 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
458 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
459 P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
460 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
461 P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
462 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
463 P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
464 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
465 P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
466 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
467 P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
468 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
469 P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
470 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
471 P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
472 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
473 }
474 #endif /* MBEDTLS_SHA256_SMALLER */
475
476 for( i = 0; i < 8; i++ )
477 ctx->state[i] += local.A[i];
478
479 /* Zeroise buffers and variables to clear sensitive data from memory. */
480 mbedtls_platform_zeroize( &local, sizeof( local ) );
481
482 return( 0 );
483 }
484
485 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
486
487
488 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
489
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)490 static size_t mbedtls_internal_sha256_process_many_c(
491 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len )
492 {
493 size_t processed = 0;
494
495 while( len >= SHA256_BLOCK_SIZE )
496 {
497 if( mbedtls_internal_sha256_process_c( ctx, data ) != 0 )
498 return( 0 );
499
500 data += SHA256_BLOCK_SIZE;
501 len -= SHA256_BLOCK_SIZE;
502
503 processed += SHA256_BLOCK_SIZE;
504 }
505
506 return( processed );
507 }
508
509 #endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
510
511
512 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
513
mbedtls_a64_crypto_sha256_has_support(void)514 static int mbedtls_a64_crypto_sha256_has_support( void )
515 {
516 static int done = 0;
517 static int supported = 0;
518
519 if( !done )
520 {
521 supported = mbedtls_a64_crypto_sha256_determine_support();
522 done = 1;
523 }
524
525 return( supported );
526 }
527
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)528 static size_t mbedtls_internal_sha256_process_many( mbedtls_sha256_context *ctx,
529 const uint8_t *msg, size_t len )
530 {
531 if( mbedtls_a64_crypto_sha256_has_support() )
532 return( mbedtls_internal_sha256_process_many_a64_crypto( ctx, msg, len ) );
533 else
534 return( mbedtls_internal_sha256_process_many_c( ctx, msg, len ) );
535 }
536
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])537 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
538 const unsigned char data[SHA256_BLOCK_SIZE] )
539 {
540 if( mbedtls_a64_crypto_sha256_has_support() )
541 return( mbedtls_internal_sha256_process_a64_crypto( ctx, data ) );
542 else
543 return( mbedtls_internal_sha256_process_c( ctx, data ) );
544 }
545
546 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
547
548
549 /*
550 * SHA-256 process buffer
551 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)552 int mbedtls_sha256_update( mbedtls_sha256_context *ctx,
553 const unsigned char *input,
554 size_t ilen )
555 {
556 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
557 size_t fill;
558 uint32_t left;
559
560 if( ilen == 0 )
561 return( 0 );
562
563 left = ctx->total[0] & 0x3F;
564 fill = SHA256_BLOCK_SIZE - left;
565
566 ctx->total[0] += (uint32_t) ilen;
567 ctx->total[0] &= 0xFFFFFFFF;
568
569 if( ctx->total[0] < (uint32_t) ilen )
570 ctx->total[1]++;
571
572 if( left && ilen >= fill )
573 {
574 memcpy( (void *) (ctx->buffer + left), input, fill );
575
576 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
577 return( ret );
578
579 input += fill;
580 ilen -= fill;
581 left = 0;
582 }
583
584 while( ilen >= SHA256_BLOCK_SIZE )
585 {
586 size_t processed =
587 mbedtls_internal_sha256_process_many( ctx, input, ilen );
588 if( processed < SHA256_BLOCK_SIZE )
589 return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
590
591 input += processed;
592 ilen -= processed;
593 }
594
595 if( ilen > 0 )
596 memcpy( (void *) (ctx->buffer + left), input, ilen );
597
598 return( 0 );
599 }
600
601 /*
602 * SHA-256 final digest
603 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)604 int mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
605 unsigned char *output )
606 {
607 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
608 uint32_t used;
609 uint32_t high, low;
610
611 /*
612 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
613 */
614 used = ctx->total[0] & 0x3F;
615
616 ctx->buffer[used++] = 0x80;
617
618 if( used <= 56 )
619 {
620 /* Enough room for padding + length in current block */
621 memset( ctx->buffer + used, 0, 56 - used );
622 }
623 else
624 {
625 /* We'll need an extra block */
626 memset( ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used );
627
628 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
629 return( ret );
630
631 memset( ctx->buffer, 0, 56 );
632 }
633
634 /*
635 * Add message length
636 */
637 high = ( ctx->total[0] >> 29 )
638 | ( ctx->total[1] << 3 );
639 low = ( ctx->total[0] << 3 );
640
641 MBEDTLS_PUT_UINT32_BE( high, ctx->buffer, 56 );
642 MBEDTLS_PUT_UINT32_BE( low, ctx->buffer, 60 );
643
644 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
645 return( ret );
646
647 /*
648 * Output final state
649 */
650 MBEDTLS_PUT_UINT32_BE( ctx->state[0], output, 0 );
651 MBEDTLS_PUT_UINT32_BE( ctx->state[1], output, 4 );
652 MBEDTLS_PUT_UINT32_BE( ctx->state[2], output, 8 );
653 MBEDTLS_PUT_UINT32_BE( ctx->state[3], output, 12 );
654 MBEDTLS_PUT_UINT32_BE( ctx->state[4], output, 16 );
655 MBEDTLS_PUT_UINT32_BE( ctx->state[5], output, 20 );
656 MBEDTLS_PUT_UINT32_BE( ctx->state[6], output, 24 );
657
658 int truncated = 0;
659 #if defined(MBEDTLS_SHA224_C)
660 truncated = ctx->is224;
661 #endif
662 if( !truncated )
663 MBEDTLS_PUT_UINT32_BE( ctx->state[7], output, 28 );
664
665 return( 0 );
666 }
667
668 #endif /* !MBEDTLS_SHA256_ALT */
669
670 /*
671 * output = SHA-256( input buffer )
672 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)673 int mbedtls_sha256( const unsigned char *input,
674 size_t ilen,
675 unsigned char *output,
676 int is224 )
677 {
678 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
679 mbedtls_sha256_context ctx;
680
681 #if defined(MBEDTLS_SHA224_C)
682 if( is224 != 0 && is224 != 1 )
683 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
684 #else
685 if( is224 != 0 )
686 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
687 #endif
688
689 mbedtls_sha256_init( &ctx );
690
691 if( ( ret = mbedtls_sha256_starts( &ctx, is224 ) ) != 0 )
692 goto exit;
693
694 if( ( ret = mbedtls_sha256_update( &ctx, input, ilen ) ) != 0 )
695 goto exit;
696
697 if( ( ret = mbedtls_sha256_finish( &ctx, output ) ) != 0 )
698 goto exit;
699
700 exit:
701 mbedtls_sha256_free( &ctx );
702
703 return( ret );
704 }
705
706 #if defined(MBEDTLS_SELF_TEST)
707 /*
708 * FIPS-180-2 test vectors
709 */
710 static const unsigned char sha256_test_buf[3][57] =
711 {
712 { "abc" },
713 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
714 { "" }
715 };
716
717 static const size_t sha256_test_buflen[3] =
718 {
719 3, 56, 1000
720 };
721
722 static const unsigned char sha256_test_sum[6][32] =
723 {
724 /*
725 * SHA-224 test vectors
726 */
727 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
728 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
729 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
730 0xE3, 0x6C, 0x9D, 0xA7 },
731 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
732 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
733 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
734 0x52, 0x52, 0x25, 0x25 },
735 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
736 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
737 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
738 0x4E, 0xE7, 0xAD, 0x67 },
739
740 /*
741 * SHA-256 test vectors
742 */
743 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
744 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
745 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
746 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
747 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
748 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
749 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
750 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
751 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
752 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
753 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
754 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
755 };
756
757 /*
758 * Checkup routine
759 */
mbedtls_sha256_self_test(int verbose)760 int mbedtls_sha256_self_test( int verbose )
761 {
762 int i, j, k, buflen, ret = 0;
763 unsigned char *buf;
764 unsigned char sha256sum[32];
765 mbedtls_sha256_context ctx;
766
767 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
768 if( NULL == buf )
769 {
770 if( verbose != 0 )
771 mbedtls_printf( "Buffer allocation failed\n" );
772
773 return( 1 );
774 }
775
776 mbedtls_sha256_init( &ctx );
777
778 for( i = 0; i < 6; i++ )
779 {
780 j = i % 3;
781 k = i < 3;
782
783 if( verbose != 0 )
784 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
785
786 if( ( ret = mbedtls_sha256_starts( &ctx, k ) ) != 0 )
787 goto fail;
788
789 if( j == 2 )
790 {
791 memset( buf, 'a', buflen = 1000 );
792
793 for( j = 0; j < 1000; j++ )
794 {
795 ret = mbedtls_sha256_update( &ctx, buf, buflen );
796 if( ret != 0 )
797 goto fail;
798 }
799
800 }
801 else
802 {
803 ret = mbedtls_sha256_update( &ctx, sha256_test_buf[j],
804 sha256_test_buflen[j] );
805 if( ret != 0 )
806 goto fail;
807 }
808
809 if( ( ret = mbedtls_sha256_finish( &ctx, sha256sum ) ) != 0 )
810 goto fail;
811
812
813 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
814 {
815 ret = 1;
816 goto fail;
817 }
818
819 if( verbose != 0 )
820 mbedtls_printf( "passed\n" );
821 }
822
823 if( verbose != 0 )
824 mbedtls_printf( "\n" );
825
826 goto exit;
827
828 fail:
829 if( verbose != 0 )
830 mbedtls_printf( "failed\n" );
831
832 exit:
833 mbedtls_sha256_free( &ctx );
834 mbedtls_free( buf );
835
836 return( ret );
837 }
838
839 #endif /* MBEDTLS_SELF_TEST */
840
841 #endif /* MBEDTLS_SHA256_C */
842
