1 /* 2 * FIPS-180-2 compliant SHA-256 implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 21 * 22 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 23 */ 24 25 #if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \ 26 defined(__clang__) && __clang_major__ >= 4 27 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. 28 * 29 * The intrinsic declaration are guarded by predefined ACLE macros in clang: 30 * these are normally only enabled by the -march option on the command line. 31 * By defining the macros ourselves we gain access to those declarations without 32 * requiring -march on the command line. 33 * 34 * `arm_neon.h` could be included by any header file, so we put these defines 35 * at the top of this file, before any includes. 36 */ 37 #define __ARM_FEATURE_CRYPTO 1 38 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions 39 * 40 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it 41 * for older compilers. 42 */ 43 #define __ARM_FEATURE_SHA2 1 44 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG 45 #endif 46 47 #include "common.h" 48 49 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) 50 51 #include "mbedtls/sha256.h" 52 #include "mbedtls/platform_util.h" 53 #include "mbedtls/error.h" 54 55 #include <string.h> 56 57 #include "mbedtls/platform.h" 58 59 #if defined(__aarch64__) 60 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ 61 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 62 /* *INDENT-OFF* */ 63 # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) 64 # if defined(__clang__) 65 # if __clang_major__ < 4 66 # error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" 67 # endif 68 # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) 69 # define MBEDTLS_POP_TARGET_PRAGMA 70 # elif defined(__GNUC__) 71 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some 72 * intrinsics are missing. Missing intrinsics could be worked around. 73 */ 74 # if __GNUC__ < 6 75 # error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" 76 # else 77 # pragma GCC push_options 78 # pragma GCC target ("arch=armv8-a+crypto") 79 # define MBEDTLS_POP_TARGET_PRAGMA 80 # endif 81 # else 82 # error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*" 83 # endif 84 # endif 85 /* *INDENT-ON* */ 86 # include <arm_neon.h> 87 # endif 88 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 89 # if defined(__unix__) 90 # if defined(__linux__) 91 /* Our preferred method of detection is getauxval() */ 92 # include <sys/auxv.h> 93 # endif 94 /* Use SIGILL on Unix, and fall back to it on Linux */ 95 # include <signal.h> 96 # endif 97 # endif 98 #elif defined(_M_ARM64) 99 # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ 100 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 101 # include <arm64_neon.h> 102 # endif 103 #else 104 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY 105 # undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 106 #endif 107 108 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 109 /* 110 * Capability detection code comes early, so we can disable 111 * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found 112 */ 113 #if defined(HWCAP_SHA2) 114 static int mbedtls_a64_crypto_sha256_determine_support(void) 115 { 116 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0; 117 } 118 #elif defined(__APPLE__) 119 static int mbedtls_a64_crypto_sha256_determine_support(void) 120 { 121 return 1; 122 } 123 #elif defined(_M_ARM64) 124 #define WIN32_LEAN_AND_MEAN 125 #include <Windows.h> 126 #include <processthreadsapi.h> 127 128 static int mbedtls_a64_crypto_sha256_determine_support(void) 129 { 130 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ? 131 1 : 0; 132 } 133 #elif defined(__unix__) && defined(SIG_SETMASK) 134 /* Detection with SIGILL, setjmp() and longjmp() */ 135 #include <signal.h> 136 #include <setjmp.h> 137 138 static jmp_buf return_from_sigill; 139 140 /* 141 * A64 SHA256 support detection via SIGILL 142 */ 143 static void sigill_handler(int signal) 144 { 145 (void) signal; 146 longjmp(return_from_sigill, 1); 147 } 148 149 static int mbedtls_a64_crypto_sha256_determine_support(void) 150 { 151 struct sigaction old_action, new_action; 152 153 sigset_t old_mask; 154 if (sigprocmask(0, NULL, &old_mask)) { 155 return 0; 156 } 157 158 sigemptyset(&new_action.sa_mask); 159 new_action.sa_flags = 0; 160 new_action.sa_handler = sigill_handler; 161 162 sigaction(SIGILL, &new_action, &old_action); 163 164 static int ret = 0; 165 166 if (setjmp(return_from_sigill) == 0) { /* First return only */ 167 /* If this traps, we will return a second time from setjmp() with 1 */ 168 asm ("sha256h q0, q0, v0.4s" : : : "v0"); 169 ret = 1; 170 } 171 172 sigaction(SIGILL, &old_action, NULL); 173 sigprocmask(SIG_SETMASK, &old_mask, NULL); 174 175 return ret; 176 } 177 #else 178 #warning "No mechanism to detect A64_CRYPTO found, using C code only" 179 #undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 180 #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */ 181 182 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */ 183 184 #if !defined(MBEDTLS_SHA256_ALT) 185 186 #define SHA256_BLOCK_SIZE 64 187 188 void mbedtls_sha256_init(mbedtls_sha256_context *ctx) 189 { 190 memset(ctx, 0, sizeof(mbedtls_sha256_context)); 191 } 192 193 void mbedtls_sha256_free(mbedtls_sha256_context *ctx) 194 { 195 if (ctx == NULL) { 196 return; 197 } 198 199 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context)); 200 } 201 202 void mbedtls_sha256_clone(mbedtls_sha256_context *dst, 203 const mbedtls_sha256_context *src) 204 { 205 *dst = *src; 206 } 207 208 /* 209 * SHA-256 context setup 210 */ 211 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224) 212 { 213 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 214 if (is224 != 0 && is224 != 1) { 215 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 216 } 217 #elif defined(MBEDTLS_SHA256_C) 218 if (is224 != 0) { 219 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 220 } 221 #else /* defined MBEDTLS_SHA224_C only */ 222 if (is224 == 0) { 223 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 224 } 225 #endif 226 227 ctx->total[0] = 0; 228 ctx->total[1] = 0; 229 230 if (is224 == 0) { 231 #if defined(MBEDTLS_SHA256_C) 232 ctx->state[0] = 0x6A09E667; 233 ctx->state[1] = 0xBB67AE85; 234 ctx->state[2] = 0x3C6EF372; 235 ctx->state[3] = 0xA54FF53A; 236 ctx->state[4] = 0x510E527F; 237 ctx->state[5] = 0x9B05688C; 238 ctx->state[6] = 0x1F83D9AB; 239 ctx->state[7] = 0x5BE0CD19; 240 #endif 241 } else { 242 #if defined(MBEDTLS_SHA224_C) 243 ctx->state[0] = 0xC1059ED8; 244 ctx->state[1] = 0x367CD507; 245 ctx->state[2] = 0x3070DD17; 246 ctx->state[3] = 0xF70E5939; 247 ctx->state[4] = 0xFFC00B31; 248 ctx->state[5] = 0x68581511; 249 ctx->state[6] = 0x64F98FA7; 250 ctx->state[7] = 0xBEFA4FA4; 251 #endif 252 } 253 254 #if defined(MBEDTLS_SHA224_C) 255 ctx->is224 = is224; 256 #endif 257 258 return 0; 259 } 260 261 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 262 static const uint32_t K[] = 263 { 264 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 265 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 266 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 267 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 268 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 269 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 270 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 271 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 272 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 273 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 274 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 275 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 276 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 277 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 278 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 279 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 280 }; 281 282 #endif 283 284 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ 285 defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 286 287 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 288 # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many 289 # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process 290 #endif 291 292 static size_t mbedtls_internal_sha256_process_many_a64_crypto( 293 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len) 294 { 295 uint32x4_t abcd = vld1q_u32(&ctx->state[0]); 296 uint32x4_t efgh = vld1q_u32(&ctx->state[4]); 297 298 size_t processed = 0; 299 300 for (; 301 len >= SHA256_BLOCK_SIZE; 302 processed += SHA256_BLOCK_SIZE, 303 msg += SHA256_BLOCK_SIZE, 304 len -= SHA256_BLOCK_SIZE) { 305 uint32x4_t tmp, abcd_prev; 306 307 uint32x4_t abcd_orig = abcd; 308 uint32x4_t efgh_orig = efgh; 309 310 uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0); 311 uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1); 312 uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2); 313 uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3); 314 315 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */ 316 /* Untested on BE */ 317 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0))); 318 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1))); 319 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2))); 320 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3))); 321 #endif 322 323 /* Rounds 0 to 3 */ 324 tmp = vaddq_u32(sched0, vld1q_u32(&K[0])); 325 abcd_prev = abcd; 326 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 327 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 328 329 /* Rounds 4 to 7 */ 330 tmp = vaddq_u32(sched1, vld1q_u32(&K[4])); 331 abcd_prev = abcd; 332 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 333 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 334 335 /* Rounds 8 to 11 */ 336 tmp = vaddq_u32(sched2, vld1q_u32(&K[8])); 337 abcd_prev = abcd; 338 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 339 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 340 341 /* Rounds 12 to 15 */ 342 tmp = vaddq_u32(sched3, vld1q_u32(&K[12])); 343 abcd_prev = abcd; 344 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 345 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 346 347 for (int t = 16; t < 64; t += 16) { 348 /* Rounds t to t + 3 */ 349 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3); 350 tmp = vaddq_u32(sched0, vld1q_u32(&K[t])); 351 abcd_prev = abcd; 352 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 353 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 354 355 /* Rounds t + 4 to t + 7 */ 356 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0); 357 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4])); 358 abcd_prev = abcd; 359 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 360 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 361 362 /* Rounds t + 8 to t + 11 */ 363 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1); 364 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8])); 365 abcd_prev = abcd; 366 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 367 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 368 369 /* Rounds t + 12 to t + 15 */ 370 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2); 371 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12])); 372 abcd_prev = abcd; 373 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 374 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 375 } 376 377 abcd = vaddq_u32(abcd, abcd_orig); 378 efgh = vaddq_u32(efgh, efgh_orig); 379 } 380 381 vst1q_u32(&ctx->state[0], abcd); 382 vst1q_u32(&ctx->state[4], efgh); 383 384 return processed; 385 } 386 387 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 388 /* 389 * This function is for internal use only if we are building both C and A64 390 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 391 */ 392 static 393 #endif 394 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, 395 const unsigned char data[SHA256_BLOCK_SIZE]) 396 { 397 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data, 398 SHA256_BLOCK_SIZE) == 399 SHA256_BLOCK_SIZE) ? 0 : -1; 400 } 401 402 #if defined(MBEDTLS_POP_TARGET_PRAGMA) 403 #if defined(__clang__) 404 #pragma clang attribute pop 405 #elif defined(__GNUC__) 406 #pragma GCC pop_options 407 #endif 408 #undef MBEDTLS_POP_TARGET_PRAGMA 409 #endif 410 411 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ 412 413 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 414 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many 415 #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process 416 #endif 417 418 419 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \ 420 !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 421 422 #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n)) 423 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n)))) 424 425 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 426 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 427 428 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 429 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 430 431 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y)))) 432 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 433 434 #define R(t) \ 435 ( \ 436 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \ 437 S0(local.W[(t) - 15]) + local.W[(t) - 16] \ 438 ) 439 440 #define P(a, b, c, d, e, f, g, h, x, K) \ 441 do \ 442 { \ 443 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \ 444 local.temp2 = S2(a) + F0((a), (b), (c)); \ 445 (d) += local.temp1; (h) = local.temp1 + local.temp2; \ 446 } while (0) 447 448 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 449 /* 450 * This function is for internal use only if we are building both C and A64 451 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 452 */ 453 static 454 #endif 455 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx, 456 const unsigned char data[SHA256_BLOCK_SIZE]) 457 { 458 struct { 459 uint32_t temp1, temp2, W[64]; 460 uint32_t A[8]; 461 } local; 462 463 unsigned int i; 464 465 for (i = 0; i < 8; i++) { 466 local.A[i] = ctx->state[i]; 467 } 468 469 #if defined(MBEDTLS_SHA256_SMALLER) 470 for (i = 0; i < 64; i++) { 471 if (i < 16) { 472 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 473 } else { 474 R(i); 475 } 476 477 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 478 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); 479 480 local.temp1 = local.A[7]; local.A[7] = local.A[6]; 481 local.A[6] = local.A[5]; local.A[5] = local.A[4]; 482 local.A[4] = local.A[3]; local.A[3] = local.A[2]; 483 local.A[2] = local.A[1]; local.A[1] = local.A[0]; 484 local.A[0] = local.temp1; 485 } 486 #else /* MBEDTLS_SHA256_SMALLER */ 487 for (i = 0; i < 16; i++) { 488 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 489 } 490 491 for (i = 0; i < 16; i += 8) { 492 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 493 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]); 494 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 495 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]); 496 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 497 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]); 498 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 499 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]); 500 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 501 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]); 502 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 503 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]); 504 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 505 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]); 506 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 507 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]); 508 } 509 510 for (i = 16; i < 64; i += 8) { 511 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 512 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]); 513 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 514 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]); 515 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 516 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]); 517 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 518 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]); 519 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 520 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]); 521 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 522 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]); 523 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 524 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]); 525 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 526 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]); 527 } 528 #endif /* MBEDTLS_SHA256_SMALLER */ 529 530 for (i = 0; i < 8; i++) { 531 ctx->state[i] += local.A[i]; 532 } 533 534 /* Zeroise buffers and variables to clear sensitive data from memory. */ 535 mbedtls_platform_zeroize(&local, sizeof(local)); 536 537 return 0; 538 } 539 540 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ 541 542 543 #if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) 544 545 static size_t mbedtls_internal_sha256_process_many_c( 546 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len) 547 { 548 size_t processed = 0; 549 550 while (len >= SHA256_BLOCK_SIZE) { 551 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) { 552 return 0; 553 } 554 555 data += SHA256_BLOCK_SIZE; 556 len -= SHA256_BLOCK_SIZE; 557 558 processed += SHA256_BLOCK_SIZE; 559 } 560 561 return processed; 562 } 563 564 #endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ 565 566 567 #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) 568 569 static int mbedtls_a64_crypto_sha256_has_support(void) 570 { 571 static int done = 0; 572 static int supported = 0; 573 574 if (!done) { 575 supported = mbedtls_a64_crypto_sha256_determine_support(); 576 done = 1; 577 } 578 579 return supported; 580 } 581 582 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx, 583 const uint8_t *msg, size_t len) 584 { 585 if (mbedtls_a64_crypto_sha256_has_support()) { 586 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len); 587 } else { 588 return mbedtls_internal_sha256_process_many_c(ctx, msg, len); 589 } 590 } 591 592 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, 593 const unsigned char data[SHA256_BLOCK_SIZE]) 594 { 595 if (mbedtls_a64_crypto_sha256_has_support()) { 596 return mbedtls_internal_sha256_process_a64_crypto(ctx, data); 597 } else { 598 return mbedtls_internal_sha256_process_c(ctx, data); 599 } 600 } 601 602 #endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */ 603 604 605 /* 606 * SHA-256 process buffer 607 */ 608 int mbedtls_sha256_update(mbedtls_sha256_context *ctx, 609 const unsigned char *input, 610 size_t ilen) 611 { 612 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 613 size_t fill; 614 uint32_t left; 615 616 if (ilen == 0) { 617 return 0; 618 } 619 620 left = ctx->total[0] & 0x3F; 621 fill = SHA256_BLOCK_SIZE - left; 622 623 ctx->total[0] += (uint32_t) ilen; 624 ctx->total[0] &= 0xFFFFFFFF; 625 626 if (ctx->total[0] < (uint32_t) ilen) { 627 ctx->total[1]++; 628 } 629 630 if (left && ilen >= fill) { 631 memcpy((void *) (ctx->buffer + left), input, fill); 632 633 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 634 return ret; 635 } 636 637 input += fill; 638 ilen -= fill; 639 left = 0; 640 } 641 642 while (ilen >= SHA256_BLOCK_SIZE) { 643 size_t processed = 644 mbedtls_internal_sha256_process_many(ctx, input, ilen); 645 if (processed < SHA256_BLOCK_SIZE) { 646 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 647 } 648 649 input += processed; 650 ilen -= processed; 651 } 652 653 if (ilen > 0) { 654 memcpy((void *) (ctx->buffer + left), input, ilen); 655 } 656 657 return 0; 658 } 659 660 /* 661 * SHA-256 final digest 662 */ 663 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx, 664 unsigned char *output) 665 { 666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 667 uint32_t used; 668 uint32_t high, low; 669 670 /* 671 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 672 */ 673 used = ctx->total[0] & 0x3F; 674 675 ctx->buffer[used++] = 0x80; 676 677 if (used <= 56) { 678 /* Enough room for padding + length in current block */ 679 memset(ctx->buffer + used, 0, 56 - used); 680 } else { 681 /* We'll need an extra block */ 682 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used); 683 684 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 685 return ret; 686 } 687 688 memset(ctx->buffer, 0, 56); 689 } 690 691 /* 692 * Add message length 693 */ 694 high = (ctx->total[0] >> 29) 695 | (ctx->total[1] << 3); 696 low = (ctx->total[0] << 3); 697 698 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56); 699 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60); 700 701 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 702 return ret; 703 } 704 705 /* 706 * Output final state 707 */ 708 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0); 709 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4); 710 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8); 711 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12); 712 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16); 713 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20); 714 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24); 715 716 int truncated = 0; 717 #if defined(MBEDTLS_SHA224_C) 718 truncated = ctx->is224; 719 #endif 720 if (!truncated) { 721 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28); 722 } 723 724 return 0; 725 } 726 727 #endif /* !MBEDTLS_SHA256_ALT */ 728 729 /* 730 * output = SHA-256( input buffer ) 731 */ 732 int mbedtls_sha256(const unsigned char *input, 733 size_t ilen, 734 unsigned char *output, 735 int is224) 736 { 737 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 738 mbedtls_sha256_context ctx; 739 740 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 741 if (is224 != 0 && is224 != 1) { 742 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 743 } 744 #elif defined(MBEDTLS_SHA256_C) 745 if (is224 != 0) { 746 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 747 } 748 #else /* defined MBEDTLS_SHA224_C only */ 749 if (is224 == 0) { 750 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 751 } 752 #endif 753 754 mbedtls_sha256_init(&ctx); 755 756 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 757 goto exit; 758 } 759 760 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) { 761 goto exit; 762 } 763 764 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) { 765 goto exit; 766 } 767 768 exit: 769 mbedtls_sha256_free(&ctx); 770 771 return ret; 772 } 773 774 #if defined(MBEDTLS_SELF_TEST) 775 /* 776 * FIPS-180-2 test vectors 777 */ 778 static const unsigned char sha_test_buf[3][57] = 779 { 780 { "abc" }, 781 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 782 { "" } 783 }; 784 785 static const size_t sha_test_buflen[3] = 786 { 787 3, 56, 1000 788 }; 789 790 typedef const unsigned char (sha_test_sum_t)[32]; 791 792 /* 793 * SHA-224 test vectors 794 */ 795 #if defined(MBEDTLS_SHA224_C) 796 static sha_test_sum_t sha224_test_sum[] = 797 { 798 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 799 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 800 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 801 0xE3, 0x6C, 0x9D, 0xA7 }, 802 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 803 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 804 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 805 0x52, 0x52, 0x25, 0x25 }, 806 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 807 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 808 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 809 0x4E, 0xE7, 0xAD, 0x67 } 810 }; 811 #endif 812 813 /* 814 * SHA-256 test vectors 815 */ 816 #if defined(MBEDTLS_SHA256_C) 817 static sha_test_sum_t sha256_test_sum[] = 818 { 819 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 820 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 821 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 822 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 823 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 824 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 825 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 826 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 827 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 828 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 829 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 830 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 831 }; 832 #endif 833 834 /* 835 * Checkup routine 836 */ 837 static int mbedtls_sha256_common_self_test(int verbose, int is224) 838 { 839 int i, buflen, ret = 0; 840 unsigned char *buf; 841 unsigned char sha256sum[32]; 842 mbedtls_sha256_context ctx; 843 844 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 845 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum; 846 #elif defined(MBEDTLS_SHA256_C) 847 sha_test_sum_t *sha_test_sum = sha256_test_sum; 848 #else 849 sha_test_sum_t *sha_test_sum = sha224_test_sum; 850 #endif 851 852 buf = mbedtls_calloc(1024, sizeof(unsigned char)); 853 if (NULL == buf) { 854 if (verbose != 0) { 855 mbedtls_printf("Buffer allocation failed\n"); 856 } 857 858 return 1; 859 } 860 861 mbedtls_sha256_init(&ctx); 862 863 for (i = 0; i < 3; i++) { 864 if (verbose != 0) { 865 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1); 866 } 867 868 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 869 goto fail; 870 } 871 872 if (i == 2) { 873 memset(buf, 'a', buflen = 1000); 874 875 for (int j = 0; j < 1000; j++) { 876 ret = mbedtls_sha256_update(&ctx, buf, buflen); 877 if (ret != 0) { 878 goto fail; 879 } 880 } 881 882 } else { 883 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i], 884 sha_test_buflen[i]); 885 if (ret != 0) { 886 goto fail; 887 } 888 } 889 890 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) { 891 goto fail; 892 } 893 894 895 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) { 896 ret = 1; 897 goto fail; 898 } 899 900 if (verbose != 0) { 901 mbedtls_printf("passed\n"); 902 } 903 } 904 905 if (verbose != 0) { 906 mbedtls_printf("\n"); 907 } 908 909 goto exit; 910 911 fail: 912 if (verbose != 0) { 913 mbedtls_printf("failed\n"); 914 } 915 916 exit: 917 mbedtls_sha256_free(&ctx); 918 mbedtls_free(buf); 919 920 return ret; 921 } 922 923 #if defined(MBEDTLS_SHA256_C) 924 int mbedtls_sha256_self_test(int verbose) 925 { 926 return mbedtls_sha256_common_self_test(verbose, 0); 927 } 928 #endif /* MBEDTLS_SHA256_C */ 929 930 #if defined(MBEDTLS_SHA224_C) 931 int mbedtls_sha224_self_test(int verbose) 932 { 933 return mbedtls_sha256_common_self_test(verbose, 1); 934 } 935 #endif /* MBEDTLS_SHA224_C */ 936 937 #endif /* MBEDTLS_SELF_TEST */ 938 939 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */ 940