1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
9 *
10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11 */
12
13 #if defined(__clang__) && (__clang_major__ >= 4)
14
15 /* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
16 * but that is defined by build_info.h, and we need this block to happen first. */
17 #if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
18 #if __ARM_ARCH >= 8
19 #define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
20 #endif
21 #endif
22
23 #if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
24 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
25 *
26 * The intrinsic declaration are guarded by predefined ACLE macros in clang:
27 * these are normally only enabled by the -march option on the command line.
28 * By defining the macros ourselves we gain access to those declarations without
29 * requiring -march on the command line.
30 *
31 * `arm_neon.h` is included by common.h, so we put these defines
32 * at the top of this file, before any includes.
33 */
34 #define __ARM_FEATURE_CRYPTO 1
35 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
36 *
37 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
38 * for older compilers.
39 */
40 #define __ARM_FEATURE_SHA2 1
41 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
42 #endif
43
44 #endif /* defined(__clang__) && (__clang_major__ >= 4) */
45
46 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
47 #if !defined(_GNU_SOURCE)
48 #define _GNU_SOURCE
49 #endif
50
51 #include "common.h"
52
53 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
54
55 #include "mbedtls/sha256.h"
56 #include "mbedtls/platform_util.h"
57 #include "mbedtls/error.h"
58
59 #include <string.h>
60
61 #include "mbedtls/platform.h"
62
63 #if defined(MBEDTLS_ARCH_IS_ARMV8_A)
64
65 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
66 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
67 # if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
68 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
69 # warning "Target does not support NEON instructions"
70 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
71 # else
72 # error "Target does not support NEON instructions"
73 # endif
74 # endif
75 # endif
76
77 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
78 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
79 /* *INDENT-OFF* */
80
81 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
82 # if defined(__ARMCOMPILER_VERSION)
83 # if __ARMCOMPILER_VERSION <= 6090000
84 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
85 # endif
86 # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
87 # define MBEDTLS_POP_TARGET_PRAGMA
88 # elif defined(__clang__)
89 # if __clang_major__ < 4
90 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
91 # endif
92 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
93 # define MBEDTLS_POP_TARGET_PRAGMA
94 # elif defined(__GNUC__)
95 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
96 * intrinsics are missing. Missing intrinsics could be worked around.
97 */
98 # if __GNUC__ < 6
99 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
100 # else
101 # pragma GCC push_options
102 # pragma GCC target ("arch=armv8-a+crypto")
103 # define MBEDTLS_POP_TARGET_PRAGMA
104 # endif
105 # else
106 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
107 # endif
108 # endif
109 /* *INDENT-ON* */
110
111 # endif
112 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
113 # if defined(__unix__)
114 # if defined(__linux__)
115 /* Our preferred method of detection is getauxval() */
116 # include <sys/auxv.h>
117 /* These are not always defined via sys/auxv.h */
118 # if !defined(HWCAP_SHA2)
119 # define HWCAP_SHA2 (1 << 6)
120 # endif
121 # if !defined(HWCAP2_SHA2)
122 # define HWCAP2_SHA2 (1 << 3)
123 # endif
124 # endif
125 /* Use SIGILL on Unix, and fall back to it on Linux */
126 # include <signal.h>
127 # endif
128 # endif
129 #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
130 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
131 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
132 #endif
133
134 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
135 /*
136 * Capability detection code comes early, so we can disable
137 * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
138 */
139 #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)140 static int mbedtls_a64_crypto_sha256_determine_support(void)
141 {
142 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
143 }
144 #elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)145 static int mbedtls_a64_crypto_sha256_determine_support(void)
146 {
147 return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
148 }
149 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)150 static int mbedtls_a64_crypto_sha256_determine_support(void)
151 {
152 return 1;
153 }
154 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
155 #ifndef WIN32_LEAN_AND_MEAN
156 #define WIN32_LEAN_AND_MEAN
157 #endif
158 #include <Windows.h>
159 #include <processthreadsapi.h>
160
mbedtls_a64_crypto_sha256_determine_support(void)161 static int mbedtls_a64_crypto_sha256_determine_support(void)
162 {
163 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
164 1 : 0;
165 }
166 #elif defined(__unix__) && defined(SIG_SETMASK)
167 /* Detection with SIGILL, setjmp() and longjmp() */
168 #include <signal.h>
169 #include <setjmp.h>
170
171 static jmp_buf return_from_sigill;
172
173 /*
174 * Armv8-A SHA256 support detection via SIGILL
175 */
sigill_handler(int signal)176 static void sigill_handler(int signal)
177 {
178 (void) signal;
179 longjmp(return_from_sigill, 1);
180 }
181
mbedtls_a64_crypto_sha256_determine_support(void)182 static int mbedtls_a64_crypto_sha256_determine_support(void)
183 {
184 struct sigaction old_action, new_action;
185
186 sigset_t old_mask;
187 if (sigprocmask(0, NULL, &old_mask)) {
188 return 0;
189 }
190
191 sigemptyset(&new_action.sa_mask);
192 new_action.sa_flags = 0;
193 new_action.sa_handler = sigill_handler;
194
195 sigaction(SIGILL, &new_action, &old_action);
196
197 static int ret = 0;
198
199 if (setjmp(return_from_sigill) == 0) { /* First return only */
200 /* If this traps, we will return a second time from setjmp() with 1 */
201 #if defined(MBEDTLS_ARCH_IS_ARM64)
202 asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
203 #else
204 asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
205 #endif
206 ret = 1;
207 }
208
209 sigaction(SIGILL, &old_action, NULL);
210 sigprocmask(SIG_SETMASK, &old_mask, NULL);
211
212 return ret;
213 }
214 #else
215 #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
216 #undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
217 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
218
219 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
220
221 #if !defined(MBEDTLS_SHA256_ALT)
222
223 #define SHA256_BLOCK_SIZE 64
224
mbedtls_sha256_init(mbedtls_sha256_context * ctx)225 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
226 {
227 memset(ctx, 0, sizeof(mbedtls_sha256_context));
228 }
229
mbedtls_sha256_free(mbedtls_sha256_context * ctx)230 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
231 {
232 if (ctx == NULL) {
233 return;
234 }
235
236 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
237 }
238
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)239 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
240 const mbedtls_sha256_context *src)
241 {
242 *dst = *src;
243 }
244
245 /*
246 * SHA-256 context setup
247 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)248 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
249 {
250 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
251 if (is224 != 0 && is224 != 1) {
252 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
253 }
254 #elif defined(MBEDTLS_SHA256_C)
255 if (is224 != 0) {
256 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
257 }
258 #else /* defined MBEDTLS_SHA224_C only */
259 if (is224 == 0) {
260 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
261 }
262 #endif
263
264 ctx->total[0] = 0;
265 ctx->total[1] = 0;
266
267 if (is224 == 0) {
268 #if defined(MBEDTLS_SHA256_C)
269 ctx->state[0] = 0x6A09E667;
270 ctx->state[1] = 0xBB67AE85;
271 ctx->state[2] = 0x3C6EF372;
272 ctx->state[3] = 0xA54FF53A;
273 ctx->state[4] = 0x510E527F;
274 ctx->state[5] = 0x9B05688C;
275 ctx->state[6] = 0x1F83D9AB;
276 ctx->state[7] = 0x5BE0CD19;
277 #endif
278 } else {
279 #if defined(MBEDTLS_SHA224_C)
280 ctx->state[0] = 0xC1059ED8;
281 ctx->state[1] = 0x367CD507;
282 ctx->state[2] = 0x3070DD17;
283 ctx->state[3] = 0xF70E5939;
284 ctx->state[4] = 0xFFC00B31;
285 ctx->state[5] = 0x68581511;
286 ctx->state[6] = 0x64F98FA7;
287 ctx->state[7] = 0xBEFA4FA4;
288 #endif
289 }
290
291 #if defined(MBEDTLS_SHA224_C)
292 ctx->is224 = is224;
293 #endif
294
295 return 0;
296 }
297
298 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
299 static const uint32_t K[] =
300 {
301 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
302 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
303 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
304 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
305 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
306 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
307 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
308 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
309 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
310 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
311 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
312 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
313 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
314 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
315 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
316 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
317 };
318
319 #endif
320
321 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
322 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
323
324 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
325 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
326 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
327 #endif
328
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)329 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
330 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
331 {
332 uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
333 uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
334
335 size_t processed = 0;
336
337 for (;
338 len >= SHA256_BLOCK_SIZE;
339 processed += SHA256_BLOCK_SIZE,
340 msg += SHA256_BLOCK_SIZE,
341 len -= SHA256_BLOCK_SIZE) {
342 uint32x4_t tmp, abcd_prev;
343
344 uint32x4_t abcd_orig = abcd;
345 uint32x4_t efgh_orig = efgh;
346
347 uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
348 uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
349 uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
350 uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
351
352 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
353 /* Untested on BE */
354 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
355 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
356 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
357 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
358 #endif
359
360 /* Rounds 0 to 3 */
361 tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
362 abcd_prev = abcd;
363 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
364 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
365
366 /* Rounds 4 to 7 */
367 tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
368 abcd_prev = abcd;
369 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
370 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
371
372 /* Rounds 8 to 11 */
373 tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
374 abcd_prev = abcd;
375 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
376 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
377
378 /* Rounds 12 to 15 */
379 tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
380 abcd_prev = abcd;
381 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
382 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
383
384 for (int t = 16; t < 64; t += 16) {
385 /* Rounds t to t + 3 */
386 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
387 tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
388 abcd_prev = abcd;
389 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
390 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
391
392 /* Rounds t + 4 to t + 7 */
393 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
394 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
395 abcd_prev = abcd;
396 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
397 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
398
399 /* Rounds t + 8 to t + 11 */
400 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
401 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
402 abcd_prev = abcd;
403 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
404 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
405
406 /* Rounds t + 12 to t + 15 */
407 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
408 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
409 abcd_prev = abcd;
410 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
411 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
412 }
413
414 abcd = vaddq_u32(abcd, abcd_orig);
415 efgh = vaddq_u32(efgh, efgh_orig);
416 }
417
418 vst1q_u32(&ctx->state[0], abcd);
419 vst1q_u32(&ctx->state[4], efgh);
420
421 return processed;
422 }
423
424 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
425 /*
426 * This function is for internal use only if we are building both C and Armv8-A
427 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
428 */
429 static
430 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])431 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
432 const unsigned char data[SHA256_BLOCK_SIZE])
433 {
434 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
435 SHA256_BLOCK_SIZE) ==
436 SHA256_BLOCK_SIZE) ? 0 : -1;
437 }
438
439 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
440
441 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
442 #if defined(__clang__)
443 #pragma clang attribute pop
444 #elif defined(__GNUC__)
445 #pragma GCC pop_options
446 #endif
447 #undef MBEDTLS_POP_TARGET_PRAGMA
448 #endif
449
450 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
451 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
452 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
453 #endif
454
455
456 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
457 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
458
459 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
460 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
461
462 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
463 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
464
465 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
466 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
467
468 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
469 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
470
471 #define R(t) \
472 ( \
473 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
474 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
475 )
476
477 #define P(a, b, c, d, e, f, g, h, x, K) \
478 do \
479 { \
480 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
481 local.temp2 = S2(a) + F0((a), (b), (c)); \
482 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
483 } while (0)
484
485 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
486 /*
487 * This function is for internal use only if we are building both C and Armv8
488 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
489 */
490 static
491 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])492 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
493 const unsigned char data[SHA256_BLOCK_SIZE])
494 {
495 struct {
496 uint32_t temp1, temp2, W[64];
497 uint32_t A[8];
498 } local;
499
500 unsigned int i;
501
502 for (i = 0; i < 8; i++) {
503 local.A[i] = ctx->state[i];
504 }
505
506 #if defined(MBEDTLS_SHA256_SMALLER)
507 for (i = 0; i < 64; i++) {
508 if (i < 16) {
509 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
510 } else {
511 R(i);
512 }
513
514 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
515 local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
516
517 local.temp1 = local.A[7]; local.A[7] = local.A[6];
518 local.A[6] = local.A[5]; local.A[5] = local.A[4];
519 local.A[4] = local.A[3]; local.A[3] = local.A[2];
520 local.A[2] = local.A[1]; local.A[1] = local.A[0];
521 local.A[0] = local.temp1;
522 }
523 #else /* MBEDTLS_SHA256_SMALLER */
524 for (i = 0; i < 16; i++) {
525 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
526 }
527
528 for (i = 0; i < 16; i += 8) {
529 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
530 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
531 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
532 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
533 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
534 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
535 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
536 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
537 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
538 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
539 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
540 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
541 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
542 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
543 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
544 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
545 }
546
547 for (i = 16; i < 64; i += 8) {
548 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
549 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
550 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
551 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
552 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
553 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
554 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
555 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
556 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
557 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
558 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
559 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
560 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
561 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
562 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
563 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
564 }
565 #endif /* MBEDTLS_SHA256_SMALLER */
566
567 for (i = 0; i < 8; i++) {
568 ctx->state[i] += local.A[i];
569 }
570
571 /* Zeroise buffers and variables to clear sensitive data from memory. */
572 mbedtls_platform_zeroize(&local, sizeof(local));
573
574 return 0;
575 }
576
577 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
578
579
580 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
581
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)582 static size_t mbedtls_internal_sha256_process_many_c(
583 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
584 {
585 size_t processed = 0;
586
587 while (len >= SHA256_BLOCK_SIZE) {
588 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
589 return 0;
590 }
591
592 data += SHA256_BLOCK_SIZE;
593 len -= SHA256_BLOCK_SIZE;
594
595 processed += SHA256_BLOCK_SIZE;
596 }
597
598 return processed;
599 }
600
601 #endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
602
603
604 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
605
mbedtls_a64_crypto_sha256_has_support(void)606 static int mbedtls_a64_crypto_sha256_has_support(void)
607 {
608 static int done = 0;
609 static int supported = 0;
610
611 if (!done) {
612 supported = mbedtls_a64_crypto_sha256_determine_support();
613 done = 1;
614 }
615
616 return supported;
617 }
618
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)619 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
620 const uint8_t *msg, size_t len)
621 {
622 if (mbedtls_a64_crypto_sha256_has_support()) {
623 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
624 } else {
625 return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
626 }
627 }
628
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])629 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
630 const unsigned char data[SHA256_BLOCK_SIZE])
631 {
632 if (mbedtls_a64_crypto_sha256_has_support()) {
633 return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
634 } else {
635 return mbedtls_internal_sha256_process_c(ctx, data);
636 }
637 }
638
639 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
640
641
642 /*
643 * SHA-256 process buffer
644 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)645 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
646 const unsigned char *input,
647 size_t ilen)
648 {
649 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
650 size_t fill;
651 uint32_t left;
652
653 if (ilen == 0) {
654 return 0;
655 }
656
657 left = ctx->total[0] & 0x3F;
658 fill = SHA256_BLOCK_SIZE - left;
659
660 ctx->total[0] += (uint32_t) ilen;
661 ctx->total[0] &= 0xFFFFFFFF;
662
663 if (ctx->total[0] < (uint32_t) ilen) {
664 ctx->total[1]++;
665 }
666
667 if (left && ilen >= fill) {
668 memcpy((void *) (ctx->buffer + left), input, fill);
669
670 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
671 return ret;
672 }
673
674 input += fill;
675 ilen -= fill;
676 left = 0;
677 }
678
679 while (ilen >= SHA256_BLOCK_SIZE) {
680 size_t processed =
681 mbedtls_internal_sha256_process_many(ctx, input, ilen);
682 if (processed < SHA256_BLOCK_SIZE) {
683 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
684 }
685
686 input += processed;
687 ilen -= processed;
688 }
689
690 if (ilen > 0) {
691 memcpy((void *) (ctx->buffer + left), input, ilen);
692 }
693
694 return 0;
695 }
696
697 /*
698 * SHA-256 final digest
699 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)700 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
701 unsigned char *output)
702 {
703 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
704 uint32_t used;
705 uint32_t high, low;
706 int truncated = 0;
707
708 /*
709 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
710 */
711 used = ctx->total[0] & 0x3F;
712
713 ctx->buffer[used++] = 0x80;
714
715 if (used <= 56) {
716 /* Enough room for padding + length in current block */
717 memset(ctx->buffer + used, 0, 56 - used);
718 } else {
719 /* We'll need an extra block */
720 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
721
722 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
723 goto exit;
724 }
725
726 memset(ctx->buffer, 0, 56);
727 }
728
729 /*
730 * Add message length
731 */
732 high = (ctx->total[0] >> 29)
733 | (ctx->total[1] << 3);
734 low = (ctx->total[0] << 3);
735
736 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
737 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
738
739 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
740 goto exit;
741 }
742
743 /*
744 * Output final state
745 */
746 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
747 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
748 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
749 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
750 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
751 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
752 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
753
754 #if defined(MBEDTLS_SHA224_C)
755 truncated = ctx->is224;
756 #endif
757 if (!truncated) {
758 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
759 }
760
761 ret = 0;
762
763 exit:
764 mbedtls_sha256_free(ctx);
765 return ret;
766 }
767
768 #endif /* !MBEDTLS_SHA256_ALT */
769
770 /*
771 * output = SHA-256( input buffer )
772 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)773 int mbedtls_sha256(const unsigned char *input,
774 size_t ilen,
775 unsigned char *output,
776 int is224)
777 {
778 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
779 mbedtls_sha256_context ctx;
780
781 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
782 if (is224 != 0 && is224 != 1) {
783 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
784 }
785 #elif defined(MBEDTLS_SHA256_C)
786 if (is224 != 0) {
787 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
788 }
789 #else /* defined MBEDTLS_SHA224_C only */
790 if (is224 == 0) {
791 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
792 }
793 #endif
794
795 mbedtls_sha256_init(&ctx);
796
797 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
798 goto exit;
799 }
800
801 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
802 goto exit;
803 }
804
805 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
806 goto exit;
807 }
808
809 exit:
810 mbedtls_sha256_free(&ctx);
811
812 return ret;
813 }
814
815 #if defined(MBEDTLS_SELF_TEST)
816 /*
817 * FIPS-180-2 test vectors
818 */
819 static const unsigned char sha_test_buf[3][57] =
820 {
821 { "abc" },
822 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
823 { "" }
824 };
825
826 static const size_t sha_test_buflen[3] =
827 {
828 3, 56, 1000
829 };
830
831 typedef const unsigned char (sha_test_sum_t)[32];
832
833 /*
834 * SHA-224 test vectors
835 */
836 #if defined(MBEDTLS_SHA224_C)
837 static sha_test_sum_t sha224_test_sum[] =
838 {
839 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
840 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
841 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
842 0xE3, 0x6C, 0x9D, 0xA7 },
843 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
844 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
845 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
846 0x52, 0x52, 0x25, 0x25 },
847 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
848 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
849 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
850 0x4E, 0xE7, 0xAD, 0x67 }
851 };
852 #endif
853
854 /*
855 * SHA-256 test vectors
856 */
857 #if defined(MBEDTLS_SHA256_C)
858 static sha_test_sum_t sha256_test_sum[] =
859 {
860 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
861 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
862 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
863 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
864 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
865 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
866 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
867 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
868 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
869 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
870 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
871 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
872 };
873 #endif
874
875 /*
876 * Checkup routine
877 */
mbedtls_sha256_common_self_test(int verbose,int is224)878 static int mbedtls_sha256_common_self_test(int verbose, int is224)
879 {
880 int i, buflen, ret = 0;
881 unsigned char *buf;
882 unsigned char sha256sum[32];
883 mbedtls_sha256_context ctx;
884
885 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
886 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
887 #elif defined(MBEDTLS_SHA256_C)
888 sha_test_sum_t *sha_test_sum = sha256_test_sum;
889 #else
890 sha_test_sum_t *sha_test_sum = sha224_test_sum;
891 #endif
892
893 buf = mbedtls_calloc(1024, sizeof(unsigned char));
894 if (NULL == buf) {
895 if (verbose != 0) {
896 mbedtls_printf("Buffer allocation failed\n");
897 }
898
899 return 1;
900 }
901
902 mbedtls_sha256_init(&ctx);
903
904 for (i = 0; i < 3; i++) {
905 if (verbose != 0) {
906 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
907 }
908
909 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
910 goto fail;
911 }
912
913 if (i == 2) {
914 memset(buf, 'a', buflen = 1000);
915
916 for (int j = 0; j < 1000; j++) {
917 ret = mbedtls_sha256_update(&ctx, buf, buflen);
918 if (ret != 0) {
919 goto fail;
920 }
921 }
922
923 } else {
924 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
925 sha_test_buflen[i]);
926 if (ret != 0) {
927 goto fail;
928 }
929 }
930
931 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
932 goto fail;
933 }
934
935
936 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
937 ret = 1;
938 goto fail;
939 }
940
941 if (verbose != 0) {
942 mbedtls_printf("passed\n");
943 }
944 }
945
946 if (verbose != 0) {
947 mbedtls_printf("\n");
948 }
949
950 goto exit;
951
952 fail:
953 if (verbose != 0) {
954 mbedtls_printf("failed\n");
955 }
956
957 exit:
958 mbedtls_sha256_free(&ctx);
959 mbedtls_free(buf);
960
961 return ret;
962 }
963
964 #if defined(MBEDTLS_SHA256_C)
mbedtls_sha256_self_test(int verbose)965 int mbedtls_sha256_self_test(int verbose)
966 {
967 return mbedtls_sha256_common_self_test(verbose, 0);
968 }
969 #endif /* MBEDTLS_SHA256_C */
970
971 #if defined(MBEDTLS_SHA224_C)
mbedtls_sha224_self_test(int verbose)972 int mbedtls_sha224_self_test(int verbose)
973 {
974 return mbedtls_sha256_common_self_test(verbose, 1);
975 }
976 #endif /* MBEDTLS_SHA224_C */
977
978 #endif /* MBEDTLS_SELF_TEST */
979
980 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
981
