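Search results: lines matching the query `+full:- +full:w`. Each entry gives the source line number, the matching line and, where shown, the enclosing function ("in name()"); lines that did not match are omitted, so this is not a complete listing of the file.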

2  *  FIPS-180-2 compliant SHA-256 implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
24 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
27 * these are normally only enabled by the -march option on the command line.
29 * requiring -march on the command line.
35 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
46 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
79 /* *INDENT-OFF* */
84 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
102 # pragma GCC target ("arch=armv8-a+crypto")
109 /* *INDENT-ON* */
174 * Armv8-A SHA256 support detection via SIGILL
246 * SHA-256 context setup
264 ctx->total[0] = 0; in mbedtls_sha256_starts()
265 ctx->total[1] = 0; in mbedtls_sha256_starts()
269 ctx->state[0] = 0x6A09E667; in mbedtls_sha256_starts()
270 ctx->state[1] = 0xBB67AE85; in mbedtls_sha256_starts()
271 ctx->state[2] = 0x3C6EF372; in mbedtls_sha256_starts()
272 ctx->state[3] = 0xA54FF53A; in mbedtls_sha256_starts()
273 ctx->state[4] = 0x510E527F; in mbedtls_sha256_starts()
274 ctx->state[5] = 0x9B05688C; in mbedtls_sha256_starts()
275 ctx->state[6] = 0x1F83D9AB; in mbedtls_sha256_starts()
276 ctx->state[7] = 0x5BE0CD19; in mbedtls_sha256_starts()
280 ctx->state[0] = 0xC1059ED8; in mbedtls_sha256_starts()
281 ctx->state[1] = 0x367CD507; in mbedtls_sha256_starts()
282 ctx->state[2] = 0x3070DD17; in mbedtls_sha256_starts()
283 ctx->state[3] = 0xF70E5939; in mbedtls_sha256_starts()
284 ctx->state[4] = 0xFFC00B31; in mbedtls_sha256_starts()
285 ctx->state[5] = 0x68581511; in mbedtls_sha256_starts()
286 ctx->state[6] = 0x64F98FA7; in mbedtls_sha256_starts()
287 ctx->state[7] = 0xBEFA4FA4; in mbedtls_sha256_starts()
292 ctx->is224 = is224; in mbedtls_sha256_starts()
332 uint32x4_t abcd = vld1q_u32(&ctx->state[0]); in mbedtls_internal_sha256_process_many_a64_crypto()
333 uint32x4_t efgh = vld1q_u32(&ctx->state[4]); in mbedtls_internal_sha256_process_many_a64_crypto()
341 len -= SHA256_BLOCK_SIZE) { in mbedtls_internal_sha256_process_many_a64_crypto()
418 vst1q_u32(&ctx->state[0], abcd); in mbedtls_internal_sha256_process_many_a64_crypto()
419 vst1q_u32(&ctx->state[4], efgh); in mbedtls_internal_sha256_process_many_a64_crypto()
426 * This function is for internal use only if we are building both C and Armv8-A
436 SHA256_BLOCK_SIZE) ? 0 : -1; in mbedtls_internal_sha256_process_a64_crypto()
460 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
473 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
474 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
496 uint32_t temp1, temp2, W[64]; in mbedtls_internal_sha256_process_c() member
503 local.A[i] = ctx->state[i]; in mbedtls_internal_sha256_process_c()
509 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); in mbedtls_internal_sha256_process_c()
515 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); in mbedtls_internal_sha256_process_c()
525 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); in mbedtls_internal_sha256_process_c()
530 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]); in mbedtls_internal_sha256_process_c()
532 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]); in mbedtls_internal_sha256_process_c()
534 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]); in mbedtls_internal_sha256_process_c()
536 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]); in mbedtls_internal_sha256_process_c()
538 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]); in mbedtls_internal_sha256_process_c()
540 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]); in mbedtls_internal_sha256_process_c()
542 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]); in mbedtls_internal_sha256_process_c()
544 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]); in mbedtls_internal_sha256_process_c()
568 ctx->state[i] += local.A[i]; in mbedtls_internal_sha256_process_c()
593 len -= SHA256_BLOCK_SIZE; in mbedtls_internal_sha256_process_many_c()
643 * SHA-256 process buffer
657 left = ctx->total[0] & 0x3F; in mbedtls_sha256_update()
658 fill = SHA256_BLOCK_SIZE - left; in mbedtls_sha256_update()
660 ctx->total[0] += (uint32_t) ilen; in mbedtls_sha256_update()
661 ctx->total[0] &= 0xFFFFFFFF; in mbedtls_sha256_update()
663 if (ctx->total[0] < (uint32_t) ilen) { in mbedtls_sha256_update()
664 ctx->total[1]++; in mbedtls_sha256_update()
668 memcpy((void *) (ctx->buffer + left), input, fill); in mbedtls_sha256_update()
670 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { in mbedtls_sha256_update()
675 ilen -= fill; in mbedtls_sha256_update()
687 ilen -= processed; in mbedtls_sha256_update()
691 memcpy((void *) (ctx->buffer + left), input, ilen); in mbedtls_sha256_update()
698 * SHA-256 final digest
711 used = ctx->total[0] & 0x3F; in mbedtls_sha256_finish()
713 ctx->buffer[used++] = 0x80; in mbedtls_sha256_finish()
717 memset(ctx->buffer + used, 0, 56 - used); in mbedtls_sha256_finish()
720 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used); in mbedtls_sha256_finish()
722 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { in mbedtls_sha256_finish()
726 memset(ctx->buffer, 0, 56); in mbedtls_sha256_finish()
732 high = (ctx->total[0] >> 29) in mbedtls_sha256_finish()
733 | (ctx->total[1] << 3); in mbedtls_sha256_finish()
734 low = (ctx->total[0] << 3); in mbedtls_sha256_finish()
736 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56); in mbedtls_sha256_finish()
737 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60); in mbedtls_sha256_finish()
739 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { in mbedtls_sha256_finish()
746 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0); in mbedtls_sha256_finish()
747 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4); in mbedtls_sha256_finish()
748 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8); in mbedtls_sha256_finish()
749 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12); in mbedtls_sha256_finish()
750 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16); in mbedtls_sha256_finish()
751 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20); in mbedtls_sha256_finish()
752 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24); in mbedtls_sha256_finish()
755 truncated = ctx->is224; in mbedtls_sha256_finish()
758 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28); in mbedtls_sha256_finish()
771 * output = SHA-256( input buffer )
817 * FIPS-180-2 test vectors
834 * SHA-224 test vectors
855 * SHA-256 test vectors
906 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1); in mbedtls_sha256_common_self_test()
936 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) { in mbedtls_sha256_common_self_test()