1 /* 2 * FIPS-180-2 compliant SHA-256 implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 /* 8 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 9 * 10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 11 */ 12 13 #if defined(__clang__) && (__clang_major__ >= 4) 14 15 /* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if, 16 * but that is defined by build_info.h, and we need this block to happen first. */ 17 #if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A') 18 #if __ARM_ARCH >= 8 19 #define MBEDTLS_SHA256_ARCH_IS_ARMV8_A 20 #endif 21 #endif 22 23 #if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO) 24 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. 25 * 26 * The intrinsic declaration are guarded by predefined ACLE macros in clang: 27 * these are normally only enabled by the -march option on the command line. 28 * By defining the macros ourselves we gain access to those declarations without 29 * requiring -march on the command line. 30 * 31 * `arm_neon.h` is included by common.h, so we put these defines 32 * at the top of this file, before any includes. 33 */ 34 #define __ARM_FEATURE_CRYPTO 1 35 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions 36 * 37 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it 38 * for older compilers. 39 */ 40 #define __ARM_FEATURE_SHA2 1 41 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG 42 #endif 43 44 #endif /* defined(__clang__) && (__clang_major__ >= 4) */ 45 46 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */ 47 #define _GNU_SOURCE 48 49 #include "common.h" 50 51 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) 52 53 #include "mbedtls/sha256.h" 54 #include "mbedtls/platform_util.h" 55 #include "mbedtls/error.h" 56 57 #include <string.h> 58 59 #include "mbedtls/platform.h" 60 61 #if defined(MBEDTLS_ARCH_IS_ARMV8_A) 62 63 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 64 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 65 # if !defined(MBEDTLS_HAVE_NEON_INTRINSICS) 66 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 67 # warning "Target does not support NEON instructions" 68 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 69 # else 70 # error "Target does not support NEON instructions" 71 # endif 72 # endif 73 # endif 74 75 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 76 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 77 /* *INDENT-OFF* */ 78 79 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) 80 # if defined(__ARMCOMPILER_VERSION) 81 # if __ARMCOMPILER_VERSION <= 6090000 82 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 83 # endif 84 # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function) 85 # define MBEDTLS_POP_TARGET_PRAGMA 86 # elif defined(__clang__) 87 # if __clang_major__ < 4 88 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 89 # endif 90 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) 91 # define MBEDTLS_POP_TARGET_PRAGMA 92 # elif defined(__GNUC__) 93 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some 94 * intrinsics are missing. Missing intrinsics could be worked around. 95 */ 96 # if __GNUC__ < 6 97 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 98 # else 99 # pragma GCC push_options 100 # pragma GCC target ("arch=armv8-a+crypto") 101 # define MBEDTLS_POP_TARGET_PRAGMA 102 # endif 103 # else 104 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 105 # endif 106 # endif 107 /* *INDENT-ON* */ 108 109 # endif 110 # if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 111 # if defined(__unix__) 112 # if defined(__linux__) 113 /* Our preferred method of detection is getauxval() */ 114 # include <sys/auxv.h> 115 /* These are not always defined via sys/auxv.h */ 116 # if !defined(HWCAP_SHA2) 117 # define HWCAP_SHA2 (1 << 6) 118 # endif 119 # if !defined(HWCAP2_SHA2) 120 # define HWCAP2_SHA2 (1 << 3) 121 # endif 122 # endif 123 /* Use SIGILL on Unix, and fall back to it on Linux */ 124 # include <signal.h> 125 # endif 126 # endif 127 #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 128 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY 129 # undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 130 #endif 131 132 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 133 /* 134 * Capability detection code comes early, so we can disable 135 * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found 136 */ 137 #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2) 138 static int mbedtls_a64_crypto_sha256_determine_support(void) 139 { 140 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0; 141 } 142 #elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2) 143 static int mbedtls_a64_crypto_sha256_determine_support(void) 144 { 145 return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0; 146 } 147 #elif defined(__APPLE__) 148 static int mbedtls_a64_crypto_sha256_determine_support(void) 149 { 150 return 1; 151 } 152 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 153 #define WIN32_LEAN_AND_MEAN 154 #include <Windows.h> 155 #include <processthreadsapi.h> 156 157 static int mbedtls_a64_crypto_sha256_determine_support(void) 158 { 159 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ? 160 1 : 0; 161 } 162 #elif defined(__unix__) && defined(SIG_SETMASK) 163 /* Detection with SIGILL, setjmp() and longjmp() */ 164 #include <signal.h> 165 #include <setjmp.h> 166 167 static jmp_buf return_from_sigill; 168 169 /* 170 * Armv8-A SHA256 support detection via SIGILL 171 */ 172 static void sigill_handler(int signal) 173 { 174 (void) signal; 175 longjmp(return_from_sigill, 1); 176 } 177 178 static int mbedtls_a64_crypto_sha256_determine_support(void) 179 { 180 struct sigaction old_action, new_action; 181 182 sigset_t old_mask; 183 if (sigprocmask(0, NULL, &old_mask)) { 184 return 0; 185 } 186 187 sigemptyset(&new_action.sa_mask); 188 new_action.sa_flags = 0; 189 new_action.sa_handler = sigill_handler; 190 191 sigaction(SIGILL, &new_action, &old_action); 192 193 static int ret = 0; 194 195 if (setjmp(return_from_sigill) == 0) { /* First return only */ 196 /* If this traps, we will return a second time from setjmp() with 1 */ 197 #if defined(MBEDTLS_ARCH_IS_ARM64) 198 asm volatile ("sha256h q0, q0, v0.4s" : : : "v0"); 199 #else 200 asm volatile ("sha256h.32 q0, q0, q0" : : : "q0"); 201 #endif 202 ret = 1; 203 } 204 205 sigaction(SIGILL, &old_action, NULL); 206 sigprocmask(SIG_SETMASK, &old_mask, NULL); 207 208 return ret; 209 } 210 #else 211 #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" 212 #undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 213 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */ 214 215 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ 216 217 #if !defined(MBEDTLS_SHA256_ALT) 218 219 #define SHA256_BLOCK_SIZE 64 220 221 void mbedtls_sha256_init(mbedtls_sha256_context *ctx) 222 { 223 memset(ctx, 0, sizeof(mbedtls_sha256_context)); 224 } 225 226 void mbedtls_sha256_free(mbedtls_sha256_context *ctx) 227 { 228 if (ctx == NULL) { 229 return; 230 } 231 232 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context)); 233 } 234 235 void mbedtls_sha256_clone(mbedtls_sha256_context *dst, 236 const mbedtls_sha256_context *src) 237 { 238 *dst = *src; 239 } 240 241 /* 242 * SHA-256 context setup 243 */ 244 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224) 245 { 246 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 247 if (is224 != 0 && is224 != 1) { 248 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 249 } 250 #elif defined(MBEDTLS_SHA256_C) 251 if (is224 != 0) { 252 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 253 } 254 #else /* defined MBEDTLS_SHA224_C only */ 255 if (is224 == 0) { 256 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 257 } 258 #endif 259 260 ctx->total[0] = 0; 261 ctx->total[1] = 0; 262 263 if (is224 == 0) { 264 #if defined(MBEDTLS_SHA256_C) 265 ctx->state[0] = 0x6A09E667; 266 ctx->state[1] = 0xBB67AE85; 267 ctx->state[2] = 0x3C6EF372; 268 ctx->state[3] = 0xA54FF53A; 269 ctx->state[4] = 0x510E527F; 270 ctx->state[5] = 0x9B05688C; 271 ctx->state[6] = 0x1F83D9AB; 272 ctx->state[7] = 0x5BE0CD19; 273 #endif 274 } else { 275 #if defined(MBEDTLS_SHA224_C) 276 ctx->state[0] = 0xC1059ED8; 277 ctx->state[1] = 0x367CD507; 278 ctx->state[2] = 0x3070DD17; 279 ctx->state[3] = 0xF70E5939; 280 ctx->state[4] = 0xFFC00B31; 281 ctx->state[5] = 0x68581511; 282 ctx->state[6] = 0x64F98FA7; 283 ctx->state[7] = 0xBEFA4FA4; 284 #endif 285 } 286 287 #if defined(MBEDTLS_SHA224_C) 288 ctx->is224 = is224; 289 #endif 290 291 return 0; 292 } 293 294 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 295 static const uint32_t K[] = 296 { 297 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 298 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 299 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 300 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 301 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 302 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 303 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 304 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 305 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 306 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 307 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 308 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 309 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 310 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 311 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 312 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 313 }; 314 315 #endif 316 317 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 318 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 319 320 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 321 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many 322 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process 323 #endif 324 325 static size_t mbedtls_internal_sha256_process_many_a64_crypto( 326 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len) 327 { 328 uint32x4_t abcd = vld1q_u32(&ctx->state[0]); 329 uint32x4_t efgh = vld1q_u32(&ctx->state[4]); 330 331 size_t processed = 0; 332 333 for (; 334 len >= SHA256_BLOCK_SIZE; 335 processed += SHA256_BLOCK_SIZE, 336 msg += SHA256_BLOCK_SIZE, 337 len -= SHA256_BLOCK_SIZE) { 338 uint32x4_t tmp, abcd_prev; 339 340 uint32x4_t abcd_orig = abcd; 341 uint32x4_t efgh_orig = efgh; 342 343 uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0)); 344 uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1)); 345 uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2)); 346 uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3)); 347 348 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */ 349 /* Untested on BE */ 350 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0))); 351 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1))); 352 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2))); 353 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3))); 354 #endif 355 356 /* Rounds 0 to 3 */ 357 tmp = vaddq_u32(sched0, vld1q_u32(&K[0])); 358 abcd_prev = abcd; 359 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 360 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 361 362 /* Rounds 4 to 7 */ 363 tmp = vaddq_u32(sched1, vld1q_u32(&K[4])); 364 abcd_prev = abcd; 365 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 366 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 367 368 /* Rounds 8 to 11 */ 369 tmp = vaddq_u32(sched2, vld1q_u32(&K[8])); 370 abcd_prev = abcd; 371 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 372 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 373 374 /* Rounds 12 to 15 */ 375 tmp = vaddq_u32(sched3, vld1q_u32(&K[12])); 376 abcd_prev = abcd; 377 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 378 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 379 380 for (int t = 16; t < 64; t += 16) { 381 /* Rounds t to t + 3 */ 382 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3); 383 tmp = vaddq_u32(sched0, vld1q_u32(&K[t])); 384 abcd_prev = abcd; 385 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 386 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 387 388 /* Rounds t + 4 to t + 7 */ 389 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0); 390 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4])); 391 abcd_prev = abcd; 392 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 393 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 394 395 /* Rounds t + 8 to t + 11 */ 396 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1); 397 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8])); 398 abcd_prev = abcd; 399 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 400 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 401 402 /* Rounds t + 12 to t + 15 */ 403 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2); 404 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12])); 405 abcd_prev = abcd; 406 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 407 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 408 } 409 410 abcd = vaddq_u32(abcd, abcd_orig); 411 efgh = vaddq_u32(efgh, efgh_orig); 412 } 413 414 vst1q_u32(&ctx->state[0], abcd); 415 vst1q_u32(&ctx->state[4], efgh); 416 417 return processed; 418 } 419 420 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 421 /* 422 * This function is for internal use only if we are building both C and Armv8-A 423 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 424 */ 425 static 426 #endif 427 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, 428 const unsigned char data[SHA256_BLOCK_SIZE]) 429 { 430 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data, 431 SHA256_BLOCK_SIZE) == 432 SHA256_BLOCK_SIZE) ? 0 : -1; 433 } 434 435 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 436 437 #if defined(MBEDTLS_POP_TARGET_PRAGMA) 438 #if defined(__clang__) 439 #pragma clang attribute pop 440 #elif defined(__GNUC__) 441 #pragma GCC pop_options 442 #endif 443 #undef MBEDTLS_POP_TARGET_PRAGMA 444 #endif 445 446 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 447 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many 448 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process 449 #endif 450 451 452 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \ 453 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 454 455 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n)) 456 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n)))) 457 458 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 459 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 460 461 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 462 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 463 464 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y)))) 465 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 466 467 #define R(t) \ 468 ( \ 469 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \ 470 S0(local.W[(t) - 15]) + local.W[(t) - 16] \ 471 ) 472 473 #define P(a, b, c, d, e, f, g, h, x, K) \ 474 do \ 475 { \ 476 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \ 477 local.temp2 = S2(a) + F0((a), (b), (c)); \ 478 (d) += local.temp1; (h) = local.temp1 + local.temp2; \ 479 } while (0) 480 481 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 482 /* 483 * This function is for internal use only if we are building both C and Armv8 484 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 485 */ 486 static 487 #endif 488 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx, 489 const unsigned char data[SHA256_BLOCK_SIZE]) 490 { 491 struct { 492 uint32_t temp1, temp2, W[64]; 493 uint32_t A[8]; 494 } local; 495 496 unsigned int i; 497 498 for (i = 0; i < 8; i++) { 499 local.A[i] = ctx->state[i]; 500 } 501 502 #if defined(MBEDTLS_SHA256_SMALLER) 503 for (i = 0; i < 64; i++) { 504 if (i < 16) { 505 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 506 } else { 507 R(i); 508 } 509 510 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 511 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); 512 513 local.temp1 = local.A[7]; local.A[7] = local.A[6]; 514 local.A[6] = local.A[5]; local.A[5] = local.A[4]; 515 local.A[4] = local.A[3]; local.A[3] = local.A[2]; 516 local.A[2] = local.A[1]; local.A[1] = local.A[0]; 517 local.A[0] = local.temp1; 518 } 519 #else /* MBEDTLS_SHA256_SMALLER */ 520 for (i = 0; i < 16; i++) { 521 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 522 } 523 524 for (i = 0; i < 16; i += 8) { 525 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 526 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]); 527 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 528 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]); 529 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 530 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]); 531 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 532 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]); 533 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 534 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]); 535 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 536 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]); 537 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 538 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]); 539 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 540 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]); 541 } 542 543 for (i = 16; i < 64; i += 8) { 544 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 545 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]); 546 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 547 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]); 548 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 549 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]); 550 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 551 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]); 552 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 553 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]); 554 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 555 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]); 556 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 557 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]); 558 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 559 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]); 560 } 561 #endif /* MBEDTLS_SHA256_SMALLER */ 562 563 for (i = 0; i < 8; i++) { 564 ctx->state[i] += local.A[i]; 565 } 566 567 /* Zeroise buffers and variables to clear sensitive data from memory. */ 568 mbedtls_platform_zeroize(&local, sizeof(local)); 569 570 return 0; 571 } 572 573 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 574 575 576 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 577 578 static size_t mbedtls_internal_sha256_process_many_c( 579 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len) 580 { 581 size_t processed = 0; 582 583 while (len >= SHA256_BLOCK_SIZE) { 584 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) { 585 return 0; 586 } 587 588 data += SHA256_BLOCK_SIZE; 589 len -= SHA256_BLOCK_SIZE; 590 591 processed += SHA256_BLOCK_SIZE; 592 } 593 594 return processed; 595 } 596 597 #endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 598 599 600 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 601 602 static int mbedtls_a64_crypto_sha256_has_support(void) 603 { 604 static int done = 0; 605 static int supported = 0; 606 607 if (!done) { 608 supported = mbedtls_a64_crypto_sha256_determine_support(); 609 done = 1; 610 } 611 612 return supported; 613 } 614 615 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx, 616 const uint8_t *msg, size_t len) 617 { 618 if (mbedtls_a64_crypto_sha256_has_support()) { 619 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len); 620 } else { 621 return mbedtls_internal_sha256_process_many_c(ctx, msg, len); 622 } 623 } 624 625 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, 626 const unsigned char data[SHA256_BLOCK_SIZE]) 627 { 628 if (mbedtls_a64_crypto_sha256_has_support()) { 629 return mbedtls_internal_sha256_process_a64_crypto(ctx, data); 630 } else { 631 return mbedtls_internal_sha256_process_c(ctx, data); 632 } 633 } 634 635 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ 636 637 638 /* 639 * SHA-256 process buffer 640 */ 641 int mbedtls_sha256_update(mbedtls_sha256_context *ctx, 642 const unsigned char *input, 643 size_t ilen) 644 { 645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 646 size_t fill; 647 uint32_t left; 648 649 if (ilen == 0) { 650 return 0; 651 } 652 653 left = ctx->total[0] & 0x3F; 654 fill = SHA256_BLOCK_SIZE - left; 655 656 ctx->total[0] += (uint32_t) ilen; 657 ctx->total[0] &= 0xFFFFFFFF; 658 659 if (ctx->total[0] < (uint32_t) ilen) { 660 ctx->total[1]++; 661 } 662 663 if (left && ilen >= fill) { 664 memcpy((void *) (ctx->buffer + left), input, fill); 665 666 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 667 return ret; 668 } 669 670 input += fill; 671 ilen -= fill; 672 left = 0; 673 } 674 675 while (ilen >= SHA256_BLOCK_SIZE) { 676 size_t processed = 677 mbedtls_internal_sha256_process_many(ctx, input, ilen); 678 if (processed < SHA256_BLOCK_SIZE) { 679 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 680 } 681 682 input += processed; 683 ilen -= processed; 684 } 685 686 if (ilen > 0) { 687 memcpy((void *) (ctx->buffer + left), input, ilen); 688 } 689 690 return 0; 691 } 692 693 /* 694 * SHA-256 final digest 695 */ 696 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx, 697 unsigned char *output) 698 { 699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 700 uint32_t used; 701 uint32_t high, low; 702 int truncated = 0; 703 704 /* 705 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 706 */ 707 used = ctx->total[0] & 0x3F; 708 709 ctx->buffer[used++] = 0x80; 710 711 if (used <= 56) { 712 /* Enough room for padding + length in current block */ 713 memset(ctx->buffer + used, 0, 56 - used); 714 } else { 715 /* We'll need an extra block */ 716 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used); 717 718 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 719 goto exit; 720 } 721 722 memset(ctx->buffer, 0, 56); 723 } 724 725 /* 726 * Add message length 727 */ 728 high = (ctx->total[0] >> 29) 729 | (ctx->total[1] << 3); 730 low = (ctx->total[0] << 3); 731 732 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56); 733 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60); 734 735 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 736 goto exit; 737 } 738 739 /* 740 * Output final state 741 */ 742 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0); 743 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4); 744 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8); 745 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12); 746 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16); 747 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20); 748 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24); 749 750 #if defined(MBEDTLS_SHA224_C) 751 truncated = ctx->is224; 752 #endif 753 if (!truncated) { 754 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28); 755 } 756 757 ret = 0; 758 759 exit: 760 mbedtls_sha256_free(ctx); 761 return ret; 762 } 763 764 #endif /* !MBEDTLS_SHA256_ALT */ 765 766 /* 767 * output = SHA-256( input buffer ) 768 */ 769 int mbedtls_sha256(const unsigned char *input, 770 size_t ilen, 771 unsigned char *output, 772 int is224) 773 { 774 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 775 mbedtls_sha256_context ctx; 776 777 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 778 if (is224 != 0 && is224 != 1) { 779 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 780 } 781 #elif defined(MBEDTLS_SHA256_C) 782 if (is224 != 0) { 783 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 784 } 785 #else /* defined MBEDTLS_SHA224_C only */ 786 if (is224 == 0) { 787 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 788 } 789 #endif 790 791 mbedtls_sha256_init(&ctx); 792 793 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 794 goto exit; 795 } 796 797 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) { 798 goto exit; 799 } 800 801 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) { 802 goto exit; 803 } 804 805 exit: 806 mbedtls_sha256_free(&ctx); 807 808 return ret; 809 } 810 811 #if defined(MBEDTLS_SELF_TEST) 812 /* 813 * FIPS-180-2 test vectors 814 */ 815 static const unsigned char sha_test_buf[3][57] = 816 { 817 { "abc" }, 818 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 819 { "" } 820 }; 821 822 static const size_t sha_test_buflen[3] = 823 { 824 3, 56, 1000 825 }; 826 827 typedef const unsigned char (sha_test_sum_t)[32]; 828 829 /* 830 * SHA-224 test vectors 831 */ 832 #if defined(MBEDTLS_SHA224_C) 833 static sha_test_sum_t sha224_test_sum[] = 834 { 835 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 836 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 837 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 838 0xE3, 0x6C, 0x9D, 0xA7 }, 839 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 840 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 841 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 842 0x52, 0x52, 0x25, 0x25 }, 843 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 844 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 845 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 846 0x4E, 0xE7, 0xAD, 0x67 } 847 }; 848 #endif 849 850 /* 851 * SHA-256 test vectors 852 */ 853 #if defined(MBEDTLS_SHA256_C) 854 static sha_test_sum_t sha256_test_sum[] = 855 { 856 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 857 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 858 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 859 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 860 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 861 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 862 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 863 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 864 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 865 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 866 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 867 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 868 }; 869 #endif 870 871 /* 872 * Checkup routine 873 */ 874 static int mbedtls_sha256_common_self_test(int verbose, int is224) 875 { 876 int i, buflen, ret = 0; 877 unsigned char *buf; 878 unsigned char sha256sum[32]; 879 mbedtls_sha256_context ctx; 880 881 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 882 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum; 883 #elif defined(MBEDTLS_SHA256_C) 884 sha_test_sum_t *sha_test_sum = sha256_test_sum; 885 #else 886 sha_test_sum_t *sha_test_sum = sha224_test_sum; 887 #endif 888 889 buf = mbedtls_calloc(1024, sizeof(unsigned char)); 890 if (NULL == buf) { 891 if (verbose != 0) { 892 mbedtls_printf("Buffer allocation failed\n"); 893 } 894 895 return 1; 896 } 897 898 mbedtls_sha256_init(&ctx); 899 900 for (i = 0; i < 3; i++) { 901 if (verbose != 0) { 902 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1); 903 } 904 905 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 906 goto fail; 907 } 908 909 if (i == 2) { 910 memset(buf, 'a', buflen = 1000); 911 912 for (int j = 0; j < 1000; j++) { 913 ret = mbedtls_sha256_update(&ctx, buf, buflen); 914 if (ret != 0) { 915 goto fail; 916 } 917 } 918 919 } else { 920 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i], 921 sha_test_buflen[i]); 922 if (ret != 0) { 923 goto fail; 924 } 925 } 926 927 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) { 928 goto fail; 929 } 930 931 932 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) { 933 ret = 1; 934 goto fail; 935 } 936 937 if (verbose != 0) { 938 mbedtls_printf("passed\n"); 939 } 940 } 941 942 if (verbose != 0) { 943 mbedtls_printf("\n"); 944 } 945 946 goto exit; 947 948 fail: 949 if (verbose != 0) { 950 mbedtls_printf("failed\n"); 951 } 952 953 exit: 954 mbedtls_sha256_free(&ctx); 955 mbedtls_free(buf); 956 957 return ret; 958 } 959 960 #if defined(MBEDTLS_SHA256_C) 961 int mbedtls_sha256_self_test(int verbose) 962 { 963 return mbedtls_sha256_common_self_test(verbose, 0); 964 } 965 #endif /* MBEDTLS_SHA256_C */ 966 967 #if defined(MBEDTLS_SHA224_C) 968 int mbedtls_sha224_self_test(int verbose) 969 { 970 return mbedtls_sha256_common_self_test(verbose, 1); 971 } 972 #endif /* MBEDTLS_SHA224_C */ 973 974 #endif /* MBEDTLS_SELF_TEST */ 975 976 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */ 977