• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  FIPS-180-2 compliant SHA-256 implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
21  *
22  *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
23  */
24 
25 #if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \
26     defined(__clang__) && __clang_major__ >= 4
27 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
28  *
29  * The intrinsic declaration are guarded by predefined ACLE macros in clang:
30  * these are normally only enabled by the -march option on the command line.
31  * By defining the macros ourselves we gain access to those declarations without
32  * requiring -march on the command line.
33  *
34  * `arm_neon.h` could be included by any header file, so we put these defines
35  * at the top of this file, before any includes.
36  */
37 #define __ARM_FEATURE_CRYPTO 1
38 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
39  *
40  * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
41  * for older compilers.
42  */
43 #define __ARM_FEATURE_SHA2   1
44 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
45 #endif
46 
47 #include "common.h"
48 
49 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
50 
51 #include "mbedtls/sha256.h"
52 #include "mbedtls/platform_util.h"
53 #include "mbedtls/error.h"
54 
55 #include <string.h>
56 
57 #include "mbedtls/platform.h"
58 
59 #if defined(__aarch64__)
60 #  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
61     defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
62 /* *INDENT-OFF* */
63 #    if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
64 #      if defined(__clang__)
65 #        if __clang_major__ < 4
66 #          error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
67 #        endif
68 #        pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
69 #        define MBEDTLS_POP_TARGET_PRAGMA
70 #      elif defined(__GNUC__)
71          /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
72           *        intrinsics are missing. Missing intrinsics could be worked around.
73           */
74 #        if __GNUC__ < 6
75 #          error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
76 #        else
77 #          pragma GCC push_options
78 #          pragma GCC target ("arch=armv8-a+crypto")
79 #          define MBEDTLS_POP_TARGET_PRAGMA
80 #        endif
81 #      else
82 #        error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
83 #      endif
84 #    endif
85 /* *INDENT-ON* */
86 #    include <arm_neon.h>
87 #  endif
88 #  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
89 #    if defined(__unix__)
90 #      if defined(__linux__)
91 /* Our preferred method of detection is getauxval() */
92 #        include <sys/auxv.h>
93 #      endif
94 /* Use SIGILL on Unix, and fall back to it on Linux */
95 #      include <signal.h>
96 #    endif
97 #  endif
98 #elif defined(_M_ARM64)
99 #  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
100     defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
101 #    include <arm64_neon.h>
102 #  endif
103 #else
104 #  undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
105 #  undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
106 #endif
107 
108 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
109 /*
110  * Capability detection code comes early, so we can disable
111  * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
112  */
113 #if defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)114 static int mbedtls_a64_crypto_sha256_determine_support(void)
115 {
116     return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
117 }
118 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)119 static int mbedtls_a64_crypto_sha256_determine_support(void)
120 {
121     return 1;
122 }
123 #elif defined(_M_ARM64)
124 #define WIN32_LEAN_AND_MEAN
125 #include <Windows.h>
126 #include <processthreadsapi.h>
127 
mbedtls_a64_crypto_sha256_determine_support(void)128 static int mbedtls_a64_crypto_sha256_determine_support(void)
129 {
130     return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
131            1 : 0;
132 }
133 #elif defined(__unix__) && defined(SIG_SETMASK)
134 /* Detection with SIGILL, setjmp() and longjmp() */
135 #include <signal.h>
136 #include <setjmp.h>
137 
138 static jmp_buf return_from_sigill;
139 
140 /*
141  * A64 SHA256 support detection via SIGILL
142  */
sigill_handler(int signal)143 static void sigill_handler(int signal)
144 {
145     (void) signal;
146     longjmp(return_from_sigill, 1);
147 }
148 
mbedtls_a64_crypto_sha256_determine_support(void)149 static int mbedtls_a64_crypto_sha256_determine_support(void)
150 {
151     struct sigaction old_action, new_action;
152 
153     sigset_t old_mask;
154     if (sigprocmask(0, NULL, &old_mask)) {
155         return 0;
156     }
157 
158     sigemptyset(&new_action.sa_mask);
159     new_action.sa_flags = 0;
160     new_action.sa_handler = sigill_handler;
161 
162     sigaction(SIGILL, &new_action, &old_action);
163 
164     static int ret = 0;
165 
166     if (setjmp(return_from_sigill) == 0) {         /* First return only */
167         /* If this traps, we will return a second time from setjmp() with 1 */
168         asm ("sha256h q0, q0, v0.4s" : : : "v0");
169         ret = 1;
170     }
171 
172     sigaction(SIGILL, &old_action, NULL);
173     sigprocmask(SIG_SETMASK, &old_mask, NULL);
174 
175     return ret;
176 }
177 #else
178 #warning "No mechanism to detect A64_CRYPTO found, using C code only"
179 #undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
180 #endif  /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
181 
182 #endif  /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
183 
184 #if !defined(MBEDTLS_SHA256_ALT)
185 
186 #define SHA256_BLOCK_SIZE 64
187 
mbedtls_sha256_init(mbedtls_sha256_context * ctx)188 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
189 {
190     memset(ctx, 0, sizeof(mbedtls_sha256_context));
191 }
192 
mbedtls_sha256_free(mbedtls_sha256_context * ctx)193 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
194 {
195     if (ctx == NULL) {
196         return;
197     }
198 
199     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
200 }
201 
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)202 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
203                           const mbedtls_sha256_context *src)
204 {
205     *dst = *src;
206 }
207 
208 /*
209  * SHA-256 context setup
210  */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)211 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
212 {
213 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
214     if (is224 != 0 && is224 != 1) {
215         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
216     }
217 #elif defined(MBEDTLS_SHA256_C)
218     if (is224 != 0) {
219         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
220     }
221 #else /* defined MBEDTLS_SHA224_C only */
222     if (is224 == 0) {
223         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
224     }
225 #endif
226 
227     ctx->total[0] = 0;
228     ctx->total[1] = 0;
229 
230     if (is224 == 0) {
231 #if defined(MBEDTLS_SHA256_C)
232         ctx->state[0] = 0x6A09E667;
233         ctx->state[1] = 0xBB67AE85;
234         ctx->state[2] = 0x3C6EF372;
235         ctx->state[3] = 0xA54FF53A;
236         ctx->state[4] = 0x510E527F;
237         ctx->state[5] = 0x9B05688C;
238         ctx->state[6] = 0x1F83D9AB;
239         ctx->state[7] = 0x5BE0CD19;
240 #endif
241     } else {
242 #if defined(MBEDTLS_SHA224_C)
243         ctx->state[0] = 0xC1059ED8;
244         ctx->state[1] = 0x367CD507;
245         ctx->state[2] = 0x3070DD17;
246         ctx->state[3] = 0xF70E5939;
247         ctx->state[4] = 0xFFC00B31;
248         ctx->state[5] = 0x68581511;
249         ctx->state[6] = 0x64F98FA7;
250         ctx->state[7] = 0xBEFA4FA4;
251 #endif
252     }
253 
254 #if defined(MBEDTLS_SHA224_C)
255     ctx->is224 = is224;
256 #endif
257 
258     return 0;
259 }
260 
261 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
262 static const uint32_t K[] =
263 {
264     0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
265     0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
266     0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
267     0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
268     0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
269     0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
270     0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
271     0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
272     0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
273     0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
274     0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
275     0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
276     0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
277     0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
278     0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
279     0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
280 };
281 
282 #endif
283 
284 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
285     defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
286 
287 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
288 #  define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
289 #  define mbedtls_internal_sha256_process_a64_crypto      mbedtls_internal_sha256_process
290 #endif
291 
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)292 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
293     mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
294 {
295     uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
296     uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
297 
298     size_t processed = 0;
299 
300     for (;
301          len >= SHA256_BLOCK_SIZE;
302          processed += SHA256_BLOCK_SIZE,
303          msg += SHA256_BLOCK_SIZE,
304          len -= SHA256_BLOCK_SIZE) {
305         uint32x4_t tmp, abcd_prev;
306 
307         uint32x4_t abcd_orig = abcd;
308         uint32x4_t efgh_orig = efgh;
309 
310         uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0);
311         uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1);
312         uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2);
313         uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3);
314 
315 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__  /* Will be true if not defined */
316                                                /* Untested on BE */
317         sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
318         sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
319         sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
320         sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
321 #endif
322 
323         /* Rounds 0 to 3 */
324         tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
325         abcd_prev = abcd;
326         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
327         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
328 
329         /* Rounds 4 to 7 */
330         tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
331         abcd_prev = abcd;
332         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
333         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
334 
335         /* Rounds 8 to 11 */
336         tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
337         abcd_prev = abcd;
338         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
339         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
340 
341         /* Rounds 12 to 15 */
342         tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
343         abcd_prev = abcd;
344         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
345         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
346 
347         for (int t = 16; t < 64; t += 16) {
348             /* Rounds t to t + 3 */
349             sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
350             tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
351             abcd_prev = abcd;
352             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
353             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
354 
355             /* Rounds t + 4 to t + 7 */
356             sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
357             tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
358             abcd_prev = abcd;
359             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
360             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
361 
362             /* Rounds t + 8 to t + 11 */
363             sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
364             tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
365             abcd_prev = abcd;
366             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
367             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
368 
369             /* Rounds t + 12 to t + 15 */
370             sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
371             tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
372             abcd_prev = abcd;
373             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
374             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
375         }
376 
377         abcd = vaddq_u32(abcd, abcd_orig);
378         efgh = vaddq_u32(efgh, efgh_orig);
379     }
380 
381     vst1q_u32(&ctx->state[0], abcd);
382     vst1q_u32(&ctx->state[4], efgh);
383 
384     return processed;
385 }
386 
387 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
388 /*
389  * This function is for internal use only if we are building both C and A64
390  * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
391  */
392 static
393 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])394 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
395                                                const unsigned char data[SHA256_BLOCK_SIZE])
396 {
397     return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
398                                                             SHA256_BLOCK_SIZE) ==
399             SHA256_BLOCK_SIZE) ? 0 : -1;
400 }
401 
402 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
403 #if defined(__clang__)
404 #pragma clang attribute pop
405 #elif defined(__GNUC__)
406 #pragma GCC pop_options
407 #endif
408 #undef MBEDTLS_POP_TARGET_PRAGMA
409 #endif
410 
411 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
412 
413 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
414 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
415 #define mbedtls_internal_sha256_process_c      mbedtls_internal_sha256_process
416 #endif
417 
418 
419 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
420     !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
421 
422 #define  SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
423 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
424 
425 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^  SHR(x, 3))
426 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^  SHR(x, 10))
427 
428 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
429 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
430 
431 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
432 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
433 
434 #define R(t)                                                        \
435     (                                                               \
436         local.W[t] = S1(local.W[(t) -  2]) + local.W[(t) -  7] +    \
437                      S0(local.W[(t) - 15]) + local.W[(t) - 16]      \
438     )
439 
440 #define P(a, b, c, d, e, f, g, h, x, K)                                      \
441     do                                                              \
442     {                                                               \
443         local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x);    \
444         local.temp2 = S2(a) + F0((a), (b), (c));                      \
445         (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
446     } while (0)
447 
448 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
449 /*
450  * This function is for internal use only if we are building both C and A64
451  * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
452  */
453 static
454 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])455 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
456                                       const unsigned char data[SHA256_BLOCK_SIZE])
457 {
458     struct {
459         uint32_t temp1, temp2, W[64];
460         uint32_t A[8];
461     } local;
462 
463     unsigned int i;
464 
465     for (i = 0; i < 8; i++) {
466         local.A[i] = ctx->state[i];
467     }
468 
469 #if defined(MBEDTLS_SHA256_SMALLER)
470     for (i = 0; i < 64; i++) {
471         if (i < 16) {
472             local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
473         } else {
474             R(i);
475         }
476 
477         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
478           local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
479 
480         local.temp1 = local.A[7]; local.A[7] = local.A[6];
481         local.A[6] = local.A[5]; local.A[5] = local.A[4];
482         local.A[4] = local.A[3]; local.A[3] = local.A[2];
483         local.A[2] = local.A[1]; local.A[1] = local.A[0];
484         local.A[0] = local.temp1;
485     }
486 #else /* MBEDTLS_SHA256_SMALLER */
487     for (i = 0; i < 16; i++) {
488         local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
489     }
490 
491     for (i = 0; i < 16; i += 8) {
492         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
493           local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
494         P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
495           local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
496         P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
497           local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
498         P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
499           local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
500         P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
501           local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
502         P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
503           local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
504         P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
505           local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
506         P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
507           local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
508     }
509 
510     for (i = 16; i < 64; i += 8) {
511         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
512           local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
513         P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
514           local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
515         P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
516           local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
517         P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
518           local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
519         P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
520           local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
521         P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
522           local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
523         P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
524           local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
525         P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
526           local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
527     }
528 #endif /* MBEDTLS_SHA256_SMALLER */
529 
530     for (i = 0; i < 8; i++) {
531         ctx->state[i] += local.A[i];
532     }
533 
534     /* Zeroise buffers and variables to clear sensitive data from memory. */
535     mbedtls_platform_zeroize(&local, sizeof(local));
536 
537     return 0;
538 }
539 
540 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
541 
542 
543 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
544 
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)545 static size_t mbedtls_internal_sha256_process_many_c(
546     mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
547 {
548     size_t processed = 0;
549 
550     while (len >= SHA256_BLOCK_SIZE) {
551         if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
552             return 0;
553         }
554 
555         data += SHA256_BLOCK_SIZE;
556         len  -= SHA256_BLOCK_SIZE;
557 
558         processed += SHA256_BLOCK_SIZE;
559     }
560 
561     return processed;
562 }
563 
564 #endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
565 
566 
567 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
568 
mbedtls_a64_crypto_sha256_has_support(void)569 static int mbedtls_a64_crypto_sha256_has_support(void)
570 {
571     static int done = 0;
572     static int supported = 0;
573 
574     if (!done) {
575         supported = mbedtls_a64_crypto_sha256_determine_support();
576         done = 1;
577     }
578 
579     return supported;
580 }
581 
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)582 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
583                                                    const uint8_t *msg, size_t len)
584 {
585     if (mbedtls_a64_crypto_sha256_has_support()) {
586         return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
587     } else {
588         return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
589     }
590 }
591 
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])592 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
593                                     const unsigned char data[SHA256_BLOCK_SIZE])
594 {
595     if (mbedtls_a64_crypto_sha256_has_support()) {
596         return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
597     } else {
598         return mbedtls_internal_sha256_process_c(ctx, data);
599     }
600 }
601 
602 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
603 
604 
605 /*
606  * SHA-256 process buffer
607  */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)608 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
609                           const unsigned char *input,
610                           size_t ilen)
611 {
612     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
613     size_t fill;
614     uint32_t left;
615 
616     if (ilen == 0) {
617         return 0;
618     }
619 
620     left = ctx->total[0] & 0x3F;
621     fill = SHA256_BLOCK_SIZE - left;
622 
623     ctx->total[0] += (uint32_t) ilen;
624     ctx->total[0] &= 0xFFFFFFFF;
625 
626     if (ctx->total[0] < (uint32_t) ilen) {
627         ctx->total[1]++;
628     }
629 
630     if (left && ilen >= fill) {
631         memcpy((void *) (ctx->buffer + left), input, fill);
632 
633         if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
634             return ret;
635         }
636 
637         input += fill;
638         ilen  -= fill;
639         left = 0;
640     }
641 
642     while (ilen >= SHA256_BLOCK_SIZE) {
643         size_t processed =
644             mbedtls_internal_sha256_process_many(ctx, input, ilen);
645         if (processed < SHA256_BLOCK_SIZE) {
646             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
647         }
648 
649         input += processed;
650         ilen  -= processed;
651     }
652 
653     if (ilen > 0) {
654         memcpy((void *) (ctx->buffer + left), input, ilen);
655     }
656 
657     return 0;
658 }
659 
660 /*
661  * SHA-256 final digest
662  */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)663 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
664                           unsigned char *output)
665 {
666     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
667     uint32_t used;
668     uint32_t high, low;
669 
670     /*
671      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
672      */
673     used = ctx->total[0] & 0x3F;
674 
675     ctx->buffer[used++] = 0x80;
676 
677     if (used <= 56) {
678         /* Enough room for padding + length in current block */
679         memset(ctx->buffer + used, 0, 56 - used);
680     } else {
681         /* We'll need an extra block */
682         memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
683 
684         if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
685             return ret;
686         }
687 
688         memset(ctx->buffer, 0, 56);
689     }
690 
691     /*
692      * Add message length
693      */
694     high = (ctx->total[0] >> 29)
695            | (ctx->total[1] <<  3);
696     low  = (ctx->total[0] <<  3);
697 
698     MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
699     MBEDTLS_PUT_UINT32_BE(low,  ctx->buffer, 60);
700 
701     if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
702         return ret;
703     }
704 
705     /*
706      * Output final state
707      */
708     MBEDTLS_PUT_UINT32_BE(ctx->state[0], output,  0);
709     MBEDTLS_PUT_UINT32_BE(ctx->state[1], output,  4);
710     MBEDTLS_PUT_UINT32_BE(ctx->state[2], output,  8);
711     MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
712     MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
713     MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
714     MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
715 
716     int truncated = 0;
717 #if defined(MBEDTLS_SHA224_C)
718     truncated = ctx->is224;
719 #endif
720     if (!truncated) {
721         MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
722     }
723 
724     return 0;
725 }
726 
727 #endif /* !MBEDTLS_SHA256_ALT */
728 
729 /*
730  * output = SHA-256( input buffer )
731  */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)732 int mbedtls_sha256(const unsigned char *input,
733                    size_t ilen,
734                    unsigned char *output,
735                    int is224)
736 {
737     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
738     mbedtls_sha256_context ctx;
739 
740 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
741     if (is224 != 0 && is224 != 1) {
742         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
743     }
744 #elif defined(MBEDTLS_SHA256_C)
745     if (is224 != 0) {
746         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
747     }
748 #else /* defined MBEDTLS_SHA224_C only */
749     if (is224 == 0) {
750         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
751     }
752 #endif
753 
754     mbedtls_sha256_init(&ctx);
755 
756     if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
757         goto exit;
758     }
759 
760     if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
761         goto exit;
762     }
763 
764     if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
765         goto exit;
766     }
767 
768 exit:
769     mbedtls_sha256_free(&ctx);
770 
771     return ret;
772 }
773 
774 #if defined(MBEDTLS_SELF_TEST)
775 /*
776  * FIPS-180-2 test vectors
777  */
778 static const unsigned char sha_test_buf[3][57] =
779 {
780     { "abc" },
781     { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
782     { "" }
783 };
784 
785 static const size_t sha_test_buflen[3] =
786 {
787     3, 56, 1000
788 };
789 
790 typedef const unsigned char (sha_test_sum_t)[32];
791 
792 /*
793  * SHA-224 test vectors
794  */
795 #if defined(MBEDTLS_SHA224_C)
796 static sha_test_sum_t sha224_test_sum[] =
797 {
798     { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
799       0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
800       0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
801       0xE3, 0x6C, 0x9D, 0xA7 },
802     { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
803       0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
804       0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
805       0x52, 0x52, 0x25, 0x25 },
806     { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
807       0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
808       0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
809       0x4E, 0xE7, 0xAD, 0x67 }
810 };
811 #endif
812 
813 /*
814  * SHA-256 test vectors
815  */
816 #if defined(MBEDTLS_SHA256_C)
817 static sha_test_sum_t sha256_test_sum[] =
818 {
819     { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
820       0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
821       0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
822       0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
823     { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
824       0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
825       0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
826       0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
827     { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
828       0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
829       0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
830       0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
831 };
832 #endif
833 
834 /*
835  * Checkup routine
836  */
mbedtls_sha256_common_self_test(int verbose,int is224)837 static int mbedtls_sha256_common_self_test(int verbose, int is224)
838 {
839     int i, buflen, ret = 0;
840     unsigned char *buf;
841     unsigned char sha256sum[32];
842     mbedtls_sha256_context ctx;
843 
844 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
845     sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
846 #elif defined(MBEDTLS_SHA256_C)
847     sha_test_sum_t *sha_test_sum = sha256_test_sum;
848 #else
849     sha_test_sum_t *sha_test_sum = sha224_test_sum;
850 #endif
851 
852     buf = mbedtls_calloc(1024, sizeof(unsigned char));
853     if (NULL == buf) {
854         if (verbose != 0) {
855             mbedtls_printf("Buffer allocation failed\n");
856         }
857 
858         return 1;
859     }
860 
861     mbedtls_sha256_init(&ctx);
862 
863     for (i = 0; i < 3; i++) {
864         if (verbose != 0) {
865             mbedtls_printf("  SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
866         }
867 
868         if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
869             goto fail;
870         }
871 
872         if (i == 2) {
873             memset(buf, 'a', buflen = 1000);
874 
875             for (int j = 0; j < 1000; j++) {
876                 ret = mbedtls_sha256_update(&ctx, buf, buflen);
877                 if (ret != 0) {
878                     goto fail;
879                 }
880             }
881 
882         } else {
883             ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
884                                         sha_test_buflen[i]);
885             if (ret != 0) {
886                 goto fail;
887             }
888         }
889 
890         if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
891             goto fail;
892         }
893 
894 
895         if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
896             ret = 1;
897             goto fail;
898         }
899 
900         if (verbose != 0) {
901             mbedtls_printf("passed\n");
902         }
903     }
904 
905     if (verbose != 0) {
906         mbedtls_printf("\n");
907     }
908 
909     goto exit;
910 
911 fail:
912     if (verbose != 0) {
913         mbedtls_printf("failed\n");
914     }
915 
916 exit:
917     mbedtls_sha256_free(&ctx);
918     mbedtls_free(buf);
919 
920     return ret;
921 }
922 
923 #if defined(MBEDTLS_SHA256_C)
mbedtls_sha256_self_test(int verbose)924 int mbedtls_sha256_self_test(int verbose)
925 {
926     return mbedtls_sha256_common_self_test(verbose, 0);
927 }
928 #endif /* MBEDTLS_SHA256_C */
929 
930 #if defined(MBEDTLS_SHA224_C)
mbedtls_sha224_self_test(int verbose)931 int mbedtls_sha224_self_test(int verbose)
932 {
933     return mbedtls_sha256_common_self_test(verbose, 1);
934 }
935 #endif /* MBEDTLS_SHA224_C */
936 
937 #endif /* MBEDTLS_SELF_TEST */
938 
939 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
940