1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
9 *
10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11 */
12
13 #if defined(__clang__) && (__clang_major__ >= 4)
14
15 /* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
16 * but that is defined by build_info.h, and we need this block to happen first. */
17 #if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
18 #if __ARM_ARCH >= 8
19 #define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
20 #endif
21 #endif
22
23 #if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
24 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
25 *
26 * The intrinsic declaration are guarded by predefined ACLE macros in clang:
27 * these are normally only enabled by the -march option on the command line.
28 * By defining the macros ourselves we gain access to those declarations without
29 * requiring -march on the command line.
30 *
31 * `arm_neon.h` is included by common.h, so we put these defines
32 * at the top of this file, before any includes.
33 */
34 #define __ARM_FEATURE_CRYPTO 1
35 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
36 *
37 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
38 * for older compilers.
39 */
40 #define __ARM_FEATURE_SHA2 1
41 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
42 #endif
43
44 #endif /* defined(__clang__) && (__clang_major__ >= 4) */
45
46 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
47 #if !defined(_GNU_SOURCE)
48 #define _GNU_SOURCE
49 #endif
50
51 #include "common.h"
52
53 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
54
55 #include "mbedtls/sha256.h"
56 #include "mbedtls/platform_util.h"
57 #include "mbedtls/error.h"
58
59 #include <string.h>
60
61 #include "mbedtls/platform.h"
62
63 #if defined(MBEDTLS_ARCH_IS_ARMV8_A)
64
65 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
66 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
67 # if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
68 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
69 # warning "Target does not support NEON instructions"
70 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
71 # else
72 # error "Target does not support NEON instructions"
73 # endif
74 # endif
75 # endif
76
77 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
78 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
79 /* *INDENT-OFF* */
80
81 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
82 # if defined(__ARMCOMPILER_VERSION)
83 # if __ARMCOMPILER_VERSION <= 6090000
84 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
85 # endif
86 # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
87 # define MBEDTLS_POP_TARGET_PRAGMA
88 # elif defined(__clang__)
89 # if __clang_major__ < 4
90 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
91 # endif
92 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
93 # define MBEDTLS_POP_TARGET_PRAGMA
94 # elif defined(__GNUC__)
95 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
96 * intrinsics are missing. Missing intrinsics could be worked around.
97 */
98 # if __GNUC__ < 6
99 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
100 # else
101 # pragma GCC push_options
102 # pragma GCC target ("arch=armv8-a+crypto")
103 # define MBEDTLS_POP_TARGET_PRAGMA
104 # endif
105 # else
106 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
107 # endif
108 # endif
109 /* *INDENT-ON* */
110
111 # endif
112 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
113 # if defined(__unix__)
114 # if defined(__linux__)
115 /* Our preferred method of detection is getauxval() */
116 # include <sys/auxv.h>
117 /* These are not always defined via sys/auxv.h */
118 # if !defined(HWCAP_SHA2)
119 # define HWCAP_SHA2 (1 << 6)
120 # endif
121 # if !defined(HWCAP2_SHA2)
122 # define HWCAP2_SHA2 (1 << 3)
123 # endif
124 # endif
125 /* Use SIGILL on Unix, and fall back to it on Linux */
126 # include <signal.h>
127 # endif
128 # endif
129 #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
130 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
131 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
132 #endif
133
134 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
135 /*
136 * Capability detection code comes early, so we can disable
137 * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
138 */
139 #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)140 static int mbedtls_a64_crypto_sha256_determine_support(void)
141 {
142 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
143 }
144 #elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
mbedtls_a64_crypto_sha256_determine_support(void)145 static int mbedtls_a64_crypto_sha256_determine_support(void)
146 {
147 return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
148 }
149 #elif defined(__APPLE__)
mbedtls_a64_crypto_sha256_determine_support(void)150 static int mbedtls_a64_crypto_sha256_determine_support(void)
151 {
152 return 1;
153 }
154 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
155 #define WIN32_LEAN_AND_MEAN
156 #include <Windows.h>
157 #include <processthreadsapi.h>
158
mbedtls_a64_crypto_sha256_determine_support(void)159 static int mbedtls_a64_crypto_sha256_determine_support(void)
160 {
161 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
162 1 : 0;
163 }
164 #elif defined(__unix__) && defined(SIG_SETMASK)
165 /* Detection with SIGILL, setjmp() and longjmp() */
166 #include <signal.h>
167 #include <setjmp.h>
168
169 static jmp_buf return_from_sigill;
170
171 /*
172 * Armv8-A SHA256 support detection via SIGILL
173 */
sigill_handler(int signal)174 static void sigill_handler(int signal)
175 {
176 (void) signal;
177 longjmp(return_from_sigill, 1);
178 }
179
mbedtls_a64_crypto_sha256_determine_support(void)180 static int mbedtls_a64_crypto_sha256_determine_support(void)
181 {
182 struct sigaction old_action, new_action;
183
184 sigset_t old_mask;
185 if (sigprocmask(0, NULL, &old_mask)) {
186 return 0;
187 }
188
189 sigemptyset(&new_action.sa_mask);
190 new_action.sa_flags = 0;
191 new_action.sa_handler = sigill_handler;
192
193 sigaction(SIGILL, &new_action, &old_action);
194
195 static int ret = 0;
196
197 if (setjmp(return_from_sigill) == 0) { /* First return only */
198 /* If this traps, we will return a second time from setjmp() with 1 */
199 #if defined(MBEDTLS_ARCH_IS_ARM64)
200 asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
201 #else
202 asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
203 #endif
204 ret = 1;
205 }
206
207 sigaction(SIGILL, &old_action, NULL);
208 sigprocmask(SIG_SETMASK, &old_mask, NULL);
209
210 return ret;
211 }
212 #else
213 #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
214 #undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
215 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
216
217 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
218
219 #if !defined(MBEDTLS_SHA256_ALT)
220
221 #define SHA256_BLOCK_SIZE 64
222
mbedtls_sha256_init(mbedtls_sha256_context * ctx)223 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
224 {
225 memset(ctx, 0, sizeof(mbedtls_sha256_context));
226 }
227
mbedtls_sha256_free(mbedtls_sha256_context * ctx)228 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
229 {
230 if (ctx == NULL) {
231 return;
232 }
233
234 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
235 }
236
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)237 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
238 const mbedtls_sha256_context *src)
239 {
240 *dst = *src;
241 }
242
243 /*
244 * SHA-256 context setup
245 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)246 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
247 {
248 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
249 if (is224 != 0 && is224 != 1) {
250 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
251 }
252 #elif defined(MBEDTLS_SHA256_C)
253 if (is224 != 0) {
254 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
255 }
256 #else /* defined MBEDTLS_SHA224_C only */
257 if (is224 == 0) {
258 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
259 }
260 #endif
261
262 ctx->total[0] = 0;
263 ctx->total[1] = 0;
264
265 if (is224 == 0) {
266 #if defined(MBEDTLS_SHA256_C)
267 ctx->state[0] = 0x6A09E667;
268 ctx->state[1] = 0xBB67AE85;
269 ctx->state[2] = 0x3C6EF372;
270 ctx->state[3] = 0xA54FF53A;
271 ctx->state[4] = 0x510E527F;
272 ctx->state[5] = 0x9B05688C;
273 ctx->state[6] = 0x1F83D9AB;
274 ctx->state[7] = 0x5BE0CD19;
275 #endif
276 } else {
277 #if defined(MBEDTLS_SHA224_C)
278 ctx->state[0] = 0xC1059ED8;
279 ctx->state[1] = 0x367CD507;
280 ctx->state[2] = 0x3070DD17;
281 ctx->state[3] = 0xF70E5939;
282 ctx->state[4] = 0xFFC00B31;
283 ctx->state[5] = 0x68581511;
284 ctx->state[6] = 0x64F98FA7;
285 ctx->state[7] = 0xBEFA4FA4;
286 #endif
287 }
288
289 #if defined(MBEDTLS_SHA224_C)
290 ctx->is224 = is224;
291 #endif
292
293 return 0;
294 }
295
296 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
297 static const uint32_t K[] =
298 {
299 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
300 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
301 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
302 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
303 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
304 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
305 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
306 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
307 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
308 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
309 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
310 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
311 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
312 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
313 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
314 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
315 };
316
317 #endif
318
319 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
320 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
321
322 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
323 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
324 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
325 #endif
326
mbedtls_internal_sha256_process_many_a64_crypto(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)327 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
328 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
329 {
330 uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
331 uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
332
333 size_t processed = 0;
334
335 for (;
336 len >= SHA256_BLOCK_SIZE;
337 processed += SHA256_BLOCK_SIZE,
338 msg += SHA256_BLOCK_SIZE,
339 len -= SHA256_BLOCK_SIZE) {
340 uint32x4_t tmp, abcd_prev;
341
342 uint32x4_t abcd_orig = abcd;
343 uint32x4_t efgh_orig = efgh;
344
345 uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
346 uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
347 uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
348 uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
349
350 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
351 /* Untested on BE */
352 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
353 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
354 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
355 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
356 #endif
357
358 /* Rounds 0 to 3 */
359 tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
360 abcd_prev = abcd;
361 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
362 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
363
364 /* Rounds 4 to 7 */
365 tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
366 abcd_prev = abcd;
367 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
368 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
369
370 /* Rounds 8 to 11 */
371 tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
372 abcd_prev = abcd;
373 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
374 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
375
376 /* Rounds 12 to 15 */
377 tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
378 abcd_prev = abcd;
379 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
380 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
381
382 for (int t = 16; t < 64; t += 16) {
383 /* Rounds t to t + 3 */
384 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
385 tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
386 abcd_prev = abcd;
387 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
388 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
389
390 /* Rounds t + 4 to t + 7 */
391 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
392 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
393 abcd_prev = abcd;
394 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
395 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
396
397 /* Rounds t + 8 to t + 11 */
398 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
399 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
400 abcd_prev = abcd;
401 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
402 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
403
404 /* Rounds t + 12 to t + 15 */
405 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
406 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
407 abcd_prev = abcd;
408 abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
409 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
410 }
411
412 abcd = vaddq_u32(abcd, abcd_orig);
413 efgh = vaddq_u32(efgh, efgh_orig);
414 }
415
416 vst1q_u32(&ctx->state[0], abcd);
417 vst1q_u32(&ctx->state[4], efgh);
418
419 return processed;
420 }
421
422 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
423 /*
424 * This function is for internal use only if we are building both C and Armv8-A
425 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
426 */
427 static
428 #endif
mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])429 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
430 const unsigned char data[SHA256_BLOCK_SIZE])
431 {
432 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
433 SHA256_BLOCK_SIZE) ==
434 SHA256_BLOCK_SIZE) ? 0 : -1;
435 }
436
437 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
438
439 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
440 #if defined(__clang__)
441 #pragma clang attribute pop
442 #elif defined(__GNUC__)
443 #pragma GCC pop_options
444 #endif
445 #undef MBEDTLS_POP_TARGET_PRAGMA
446 #endif
447
448 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
449 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
450 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
451 #endif
452
453
454 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
455 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
456
457 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
458 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
459
460 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
461 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
462
463 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
464 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
465
466 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
467 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
468
469 #define R(t) \
470 ( \
471 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
472 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
473 )
474
475 #define P(a, b, c, d, e, f, g, h, x, K) \
476 do \
477 { \
478 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
479 local.temp2 = S2(a) + F0((a), (b), (c)); \
480 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
481 } while (0)
482
483 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
484 /*
485 * This function is for internal use only if we are building both C and Armv8
486 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
487 */
488 static
489 #endif
mbedtls_internal_sha256_process_c(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])490 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
491 const unsigned char data[SHA256_BLOCK_SIZE])
492 {
493 struct {
494 uint32_t temp1, temp2, W[64];
495 uint32_t A[8];
496 } local;
497
498 unsigned int i;
499
500 for (i = 0; i < 8; i++) {
501 local.A[i] = ctx->state[i];
502 }
503
504 #if defined(MBEDTLS_SHA256_SMALLER)
505 for (i = 0; i < 64; i++) {
506 if (i < 16) {
507 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
508 } else {
509 R(i);
510 }
511
512 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
513 local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
514
515 local.temp1 = local.A[7]; local.A[7] = local.A[6];
516 local.A[6] = local.A[5]; local.A[5] = local.A[4];
517 local.A[4] = local.A[3]; local.A[3] = local.A[2];
518 local.A[2] = local.A[1]; local.A[1] = local.A[0];
519 local.A[0] = local.temp1;
520 }
521 #else /* MBEDTLS_SHA256_SMALLER */
522 for (i = 0; i < 16; i++) {
523 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
524 }
525
526 for (i = 0; i < 16; i += 8) {
527 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
528 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
529 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
530 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
531 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
532 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
533 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
534 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
535 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
536 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
537 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
538 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
539 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
540 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
541 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
542 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
543 }
544
545 for (i = 16; i < 64; i += 8) {
546 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
547 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
548 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
549 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
550 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
551 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
552 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
553 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
554 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
555 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
556 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
557 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
558 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
559 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
560 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
561 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
562 }
563 #endif /* MBEDTLS_SHA256_SMALLER */
564
565 for (i = 0; i < 8; i++) {
566 ctx->state[i] += local.A[i];
567 }
568
569 /* Zeroise buffers and variables to clear sensitive data from memory. */
570 mbedtls_platform_zeroize(&local, sizeof(local));
571
572 return 0;
573 }
574
575 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
576
577
578 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
579
mbedtls_internal_sha256_process_many_c(mbedtls_sha256_context * ctx,const uint8_t * data,size_t len)580 static size_t mbedtls_internal_sha256_process_many_c(
581 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
582 {
583 size_t processed = 0;
584
585 while (len >= SHA256_BLOCK_SIZE) {
586 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
587 return 0;
588 }
589
590 data += SHA256_BLOCK_SIZE;
591 len -= SHA256_BLOCK_SIZE;
592
593 processed += SHA256_BLOCK_SIZE;
594 }
595
596 return processed;
597 }
598
599 #endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
600
601
602 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
603
mbedtls_a64_crypto_sha256_has_support(void)604 static int mbedtls_a64_crypto_sha256_has_support(void)
605 {
606 static int done = 0;
607 static int supported = 0;
608
609 if (!done) {
610 supported = mbedtls_a64_crypto_sha256_determine_support();
611 done = 1;
612 }
613
614 return supported;
615 }
616
mbedtls_internal_sha256_process_many(mbedtls_sha256_context * ctx,const uint8_t * msg,size_t len)617 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
618 const uint8_t *msg, size_t len)
619 {
620 if (mbedtls_a64_crypto_sha256_has_support()) {
621 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
622 } else {
623 return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
624 }
625 }
626
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[SHA256_BLOCK_SIZE])627 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
628 const unsigned char data[SHA256_BLOCK_SIZE])
629 {
630 if (mbedtls_a64_crypto_sha256_has_support()) {
631 return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
632 } else {
633 return mbedtls_internal_sha256_process_c(ctx, data);
634 }
635 }
636
637 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
638
639
640 /*
641 * SHA-256 process buffer
642 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)643 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
644 const unsigned char *input,
645 size_t ilen)
646 {
647 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
648 size_t fill;
649 uint32_t left;
650
651 if (ilen == 0) {
652 return 0;
653 }
654
655 left = ctx->total[0] & 0x3F;
656 fill = SHA256_BLOCK_SIZE - left;
657
658 ctx->total[0] += (uint32_t) ilen;
659 ctx->total[0] &= 0xFFFFFFFF;
660
661 if (ctx->total[0] < (uint32_t) ilen) {
662 ctx->total[1]++;
663 }
664
665 if (left && ilen >= fill) {
666 memcpy((void *) (ctx->buffer + left), input, fill);
667
668 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
669 return ret;
670 }
671
672 input += fill;
673 ilen -= fill;
674 left = 0;
675 }
676
677 while (ilen >= SHA256_BLOCK_SIZE) {
678 size_t processed =
679 mbedtls_internal_sha256_process_many(ctx, input, ilen);
680 if (processed < SHA256_BLOCK_SIZE) {
681 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
682 }
683
684 input += processed;
685 ilen -= processed;
686 }
687
688 if (ilen > 0) {
689 memcpy((void *) (ctx->buffer + left), input, ilen);
690 }
691
692 return 0;
693 }
694
695 /*
696 * SHA-256 final digest
697 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char * output)698 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
699 unsigned char *output)
700 {
701 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
702 uint32_t used;
703 uint32_t high, low;
704 int truncated = 0;
705
706 /*
707 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
708 */
709 used = ctx->total[0] & 0x3F;
710
711 ctx->buffer[used++] = 0x80;
712
713 if (used <= 56) {
714 /* Enough room for padding + length in current block */
715 memset(ctx->buffer + used, 0, 56 - used);
716 } else {
717 /* We'll need an extra block */
718 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
719
720 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
721 goto exit;
722 }
723
724 memset(ctx->buffer, 0, 56);
725 }
726
727 /*
728 * Add message length
729 */
730 high = (ctx->total[0] >> 29)
731 | (ctx->total[1] << 3);
732 low = (ctx->total[0] << 3);
733
734 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
735 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
736
737 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
738 goto exit;
739 }
740
741 /*
742 * Output final state
743 */
744 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
745 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
746 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
747 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
748 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
749 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
750 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
751
752 #if defined(MBEDTLS_SHA224_C)
753 truncated = ctx->is224;
754 #endif
755 if (!truncated) {
756 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
757 }
758
759 ret = 0;
760
761 exit:
762 mbedtls_sha256_free(ctx);
763 return ret;
764 }
765
766 #endif /* !MBEDTLS_SHA256_ALT */
767
768 /*
769 * output = SHA-256( input buffer )
770 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char * output,int is224)771 int mbedtls_sha256(const unsigned char *input,
772 size_t ilen,
773 unsigned char *output,
774 int is224)
775 {
776 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
777 mbedtls_sha256_context ctx;
778
779 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
780 if (is224 != 0 && is224 != 1) {
781 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
782 }
783 #elif defined(MBEDTLS_SHA256_C)
784 if (is224 != 0) {
785 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
786 }
787 #else /* defined MBEDTLS_SHA224_C only */
788 if (is224 == 0) {
789 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
790 }
791 #endif
792
793 mbedtls_sha256_init(&ctx);
794
795 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
796 goto exit;
797 }
798
799 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
800 goto exit;
801 }
802
803 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
804 goto exit;
805 }
806
807 exit:
808 mbedtls_sha256_free(&ctx);
809
810 return ret;
811 }
812
813 #if defined(MBEDTLS_SELF_TEST)
814 /*
815 * FIPS-180-2 test vectors
816 */
817 static const unsigned char sha_test_buf[3][57] =
818 {
819 { "abc" },
820 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
821 { "" }
822 };
823
824 static const size_t sha_test_buflen[3] =
825 {
826 3, 56, 1000
827 };
828
829 typedef const unsigned char (sha_test_sum_t)[32];
830
831 /*
832 * SHA-224 test vectors
833 */
834 #if defined(MBEDTLS_SHA224_C)
835 static sha_test_sum_t sha224_test_sum[] =
836 {
837 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
838 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
839 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
840 0xE3, 0x6C, 0x9D, 0xA7 },
841 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
842 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
843 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
844 0x52, 0x52, 0x25, 0x25 },
845 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
846 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
847 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
848 0x4E, 0xE7, 0xAD, 0x67 }
849 };
850 #endif
851
852 /*
853 * SHA-256 test vectors
854 */
855 #if defined(MBEDTLS_SHA256_C)
856 static sha_test_sum_t sha256_test_sum[] =
857 {
858 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
859 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
860 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
861 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
862 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
863 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
864 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
865 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
866 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
867 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
868 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
869 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
870 };
871 #endif
872
873 /*
874 * Checkup routine
875 */
mbedtls_sha256_common_self_test(int verbose,int is224)876 static int mbedtls_sha256_common_self_test(int verbose, int is224)
877 {
878 int i, buflen, ret = 0;
879 unsigned char *buf;
880 unsigned char sha256sum[32];
881 mbedtls_sha256_context ctx;
882
883 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
884 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
885 #elif defined(MBEDTLS_SHA256_C)
886 sha_test_sum_t *sha_test_sum = sha256_test_sum;
887 #else
888 sha_test_sum_t *sha_test_sum = sha224_test_sum;
889 #endif
890
891 buf = mbedtls_calloc(1024, sizeof(unsigned char));
892 if (NULL == buf) {
893 if (verbose != 0) {
894 mbedtls_printf("Buffer allocation failed\n");
895 }
896
897 return 1;
898 }
899
900 mbedtls_sha256_init(&ctx);
901
902 for (i = 0; i < 3; i++) {
903 if (verbose != 0) {
904 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
905 }
906
907 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
908 goto fail;
909 }
910
911 if (i == 2) {
912 memset(buf, 'a', buflen = 1000);
913
914 for (int j = 0; j < 1000; j++) {
915 ret = mbedtls_sha256_update(&ctx, buf, buflen);
916 if (ret != 0) {
917 goto fail;
918 }
919 }
920
921 } else {
922 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
923 sha_test_buflen[i]);
924 if (ret != 0) {
925 goto fail;
926 }
927 }
928
929 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
930 goto fail;
931 }
932
933
934 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
935 ret = 1;
936 goto fail;
937 }
938
939 if (verbose != 0) {
940 mbedtls_printf("passed\n");
941 }
942 }
943
944 if (verbose != 0) {
945 mbedtls_printf("\n");
946 }
947
948 goto exit;
949
950 fail:
951 if (verbose != 0) {
952 mbedtls_printf("failed\n");
953 }
954
955 exit:
956 mbedtls_sha256_free(&ctx);
957 mbedtls_free(buf);
958
959 return ret;
960 }
961
962 #if defined(MBEDTLS_SHA256_C)
mbedtls_sha256_self_test(int verbose)963 int mbedtls_sha256_self_test(int verbose)
964 {
965 return mbedtls_sha256_common_self_test(verbose, 0);
966 }
967 #endif /* MBEDTLS_SHA256_C */
968
969 #if defined(MBEDTLS_SHA224_C)
mbedtls_sha224_self_test(int verbose)970 int mbedtls_sha224_self_test(int verbose)
971 {
972 return mbedtls_sha256_common_self_test(verbose, 1);
973 }
974 #endif /* MBEDTLS_SHA224_C */
975
976 #endif /* MBEDTLS_SELF_TEST */
977
978 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
979