1 /* 2 * FIPS-180-2 compliant SHA-384/512 implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The SHA-512 Secure Hash Standard was published by NIST in 2002. 21 * 22 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 23 */ 24 25 #if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \ 26 defined(__clang__) && __clang_major__ >= 7 27 /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. 28 * 29 * The intrinsic declaration are guarded by predefined ACLE macros in clang: 30 * these are normally only enabled by the -march option on the command line. 31 * By defining the macros ourselves we gain access to those declarations without 32 * requiring -march on the command line. 33 * 34 * `arm_neon.h` could be included by any header file, so we put these defines 35 * at the top of this file, before any includes. 36 */ 37 #define __ARM_FEATURE_SHA512 1 38 #define MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG 39 #endif 40 41 #include "common.h" 42 43 #if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C) 44 45 #include "mbedtls/sha512.h" 46 #include "mbedtls/platform_util.h" 47 #include "mbedtls/error.h" 48 49 #if defined(_MSC_VER) || defined(__WATCOMC__) 50 #define UL64(x) x##ui64 51 #else 52 #define UL64(x) x##ULL 53 #endif 54 55 #include <string.h> 56 57 #include "mbedtls/platform.h" 58 59 #if defined(__aarch64__) 60 # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ 61 defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 62 /* *INDENT-OFF* */ 63 /* 64 * Best performance comes from most recent compilers, with intrinsics and -O3. 65 * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and 66 * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12). 67 * 68 * GCC < 8 won't work at all (lacks the sha512 instructions) 69 * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512 70 * 71 * Clang < 7 won't work at all (lacks the sha512 instructions) 72 * Clang 7-12 don't have intrinsics (but we work around that with inline 73 * assembler) or __ARM_FEATURE_SHA512 74 * Clang == 13.0.0 same as clang 12 (only seen on macOS) 75 * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics 76 */ 77 # if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG) 78 /* Test Clang first, as it defines __GNUC__ */ 79 # if defined(__clang__) 80 # if __clang_major__ < 7 81 # error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" 82 # else 83 # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) 84 # define MBEDTLS_POP_TARGET_PRAGMA 85 # endif 86 # elif defined(__GNUC__) 87 # if __GNUC__ < 8 88 # error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" 89 # else 90 # pragma GCC push_options 91 # pragma GCC target ("arch=armv8.2-a+sha3") 92 # define MBEDTLS_POP_TARGET_PRAGMA 93 # endif 94 # else 95 # error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" 96 # endif 97 # endif 98 /* *INDENT-ON* */ 99 # include <arm_neon.h> 100 # endif 101 # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 102 # if defined(__unix__) 103 # if defined(__linux__) 104 /* Our preferred method of detection is getauxval() */ 105 # include <sys/auxv.h> 106 # endif 107 /* Use SIGILL on Unix, and fall back to it on Linux */ 108 # include <signal.h> 109 # endif 110 # endif 111 #elif defined(_M_ARM64) 112 # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ 113 defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 114 # include <arm64_neon.h> 115 # endif 116 #else 117 # undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY 118 # undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 119 #endif 120 121 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 122 /* 123 * Capability detection code comes early, so we can disable 124 * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found 125 */ 126 #if defined(HWCAP_SHA512) 127 static int mbedtls_a64_crypto_sha512_determine_support(void) 128 { 129 return (getauxval(AT_HWCAP) & HWCAP_SHA512) ? 1 : 0; 130 } 131 #elif defined(__APPLE__) 132 #include <sys/types.h> 133 #include <sys/sysctl.h> 134 135 static int mbedtls_a64_crypto_sha512_determine_support(void) 136 { 137 int value = 0; 138 size_t value_len = sizeof(value); 139 140 int ret = sysctlbyname("hw.optional.armv8_2_sha512", &value, &value_len, 141 NULL, 0); 142 return ret == 0 && value != 0; 143 } 144 #elif defined(_M_ARM64) 145 /* 146 * As of March 2022, there don't appear to be any PF_ARM_V8_* flags 147 * available to pass to IsProcessorFeaturePresent() to check for 148 * SHA-512 support. So we fall back to the C code only. 149 */ 150 #if defined(_MSC_VER) 151 #pragma message "No mechanism to detect A64_CRYPTO found, using C code only" 152 #else 153 #warning "No mechanism to detect A64_CRYPTO found, using C code only" 154 #endif 155 #elif defined(__unix__) && defined(SIG_SETMASK) 156 /* Detection with SIGILL, setjmp() and longjmp() */ 157 #include <signal.h> 158 #include <setjmp.h> 159 160 static jmp_buf return_from_sigill; 161 162 /* 163 * A64 SHA512 support detection via SIGILL 164 */ 165 static void sigill_handler(int signal) 166 { 167 (void) signal; 168 longjmp(return_from_sigill, 1); 169 } 170 171 static int mbedtls_a64_crypto_sha512_determine_support(void) 172 { 173 struct sigaction old_action, new_action; 174 175 sigset_t old_mask; 176 if (sigprocmask(0, NULL, &old_mask)) { 177 return 0; 178 } 179 180 sigemptyset(&new_action.sa_mask); 181 new_action.sa_flags = 0; 182 new_action.sa_handler = sigill_handler; 183 184 sigaction(SIGILL, &new_action, &old_action); 185 186 static int ret = 0; 187 188 if (setjmp(return_from_sigill) == 0) { /* First return only */ 189 /* If this traps, we will return a second time from setjmp() with 1 */ 190 asm ("sha512h q0, q0, v0.2d" : : : "v0"); 191 ret = 1; 192 } 193 194 sigaction(SIGILL, &old_action, NULL); 195 sigprocmask(SIG_SETMASK, &old_mask, NULL); 196 197 return ret; 198 } 199 #else 200 #warning "No mechanism to detect A64_CRYPTO found, using C code only" 201 #undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT 202 #endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */ 203 204 #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ 205 206 #if !defined(MBEDTLS_SHA512_ALT) 207 208 #define SHA512_BLOCK_SIZE 128 209 210 #if defined(MBEDTLS_SHA512_SMALLER) 211 static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i) 212 { 213 MBEDTLS_PUT_UINT64_BE(n, b, i); 214 } 215 #else 216 #define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE 217 #endif /* MBEDTLS_SHA512_SMALLER */ 218 219 void mbedtls_sha512_init(mbedtls_sha512_context *ctx) 220 { 221 memset(ctx, 0, sizeof(mbedtls_sha512_context)); 222 } 223 224 void mbedtls_sha512_free(mbedtls_sha512_context *ctx) 225 { 226 if (ctx == NULL) { 227 return; 228 } 229 230 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context)); 231 } 232 233 void mbedtls_sha512_clone(mbedtls_sha512_context *dst, 234 const mbedtls_sha512_context *src) 235 { 236 *dst = *src; 237 } 238 239 /* 240 * SHA-512 context setup 241 */ 242 int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384) 243 { 244 #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) 245 if (is384 != 0 && is384 != 1) { 246 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 247 } 248 #elif defined(MBEDTLS_SHA512_C) 249 if (is384 != 0) { 250 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 251 } 252 #else /* defined MBEDTLS_SHA384_C only */ 253 if (is384 == 0) { 254 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 255 } 256 #endif 257 258 ctx->total[0] = 0; 259 ctx->total[1] = 0; 260 261 if (is384 == 0) { 262 #if defined(MBEDTLS_SHA512_C) 263 ctx->state[0] = UL64(0x6A09E667F3BCC908); 264 ctx->state[1] = UL64(0xBB67AE8584CAA73B); 265 ctx->state[2] = UL64(0x3C6EF372FE94F82B); 266 ctx->state[3] = UL64(0xA54FF53A5F1D36F1); 267 ctx->state[4] = UL64(0x510E527FADE682D1); 268 ctx->state[5] = UL64(0x9B05688C2B3E6C1F); 269 ctx->state[6] = UL64(0x1F83D9ABFB41BD6B); 270 ctx->state[7] = UL64(0x5BE0CD19137E2179); 271 #endif /* MBEDTLS_SHA512_C */ 272 } else { 273 #if defined(MBEDTLS_SHA384_C) 274 ctx->state[0] = UL64(0xCBBB9D5DC1059ED8); 275 ctx->state[1] = UL64(0x629A292A367CD507); 276 ctx->state[2] = UL64(0x9159015A3070DD17); 277 ctx->state[3] = UL64(0x152FECD8F70E5939); 278 ctx->state[4] = UL64(0x67332667FFC00B31); 279 ctx->state[5] = UL64(0x8EB44A8768581511); 280 ctx->state[6] = UL64(0xDB0C2E0D64F98FA7); 281 ctx->state[7] = UL64(0x47B5481DBEFA4FA4); 282 #endif /* MBEDTLS_SHA384_C */ 283 } 284 285 #if defined(MBEDTLS_SHA384_C) 286 ctx->is384 = is384; 287 #endif 288 289 return 0; 290 } 291 292 #if !defined(MBEDTLS_SHA512_PROCESS_ALT) 293 294 /* 295 * Round constants 296 */ 297 static const uint64_t K[80] = 298 { 299 UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD), 300 UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC), 301 UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019), 302 UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118), 303 UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE), 304 UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2), 305 UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1), 306 UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694), 307 UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3), 308 UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65), 309 UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483), 310 UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5), 311 UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210), 312 UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4), 313 UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725), 314 UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70), 315 UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926), 316 UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF), 317 UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8), 318 UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B), 319 UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001), 320 UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30), 321 UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910), 322 UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8), 323 UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53), 324 UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8), 325 UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB), 326 UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3), 327 UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60), 328 UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC), 329 UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9), 330 UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B), 331 UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207), 332 UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178), 333 UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6), 334 UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B), 335 UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493), 336 UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C), 337 UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A), 338 UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817) 339 }; 340 #endif 341 342 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ 343 defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 344 345 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 346 # define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many 347 # define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process 348 #endif 349 350 /* Accelerated SHA-512 implementation originally written by Simon Tatham for PuTTY, 351 * under the MIT licence; dual-licensed as Apache 2 with his kind permission. 352 */ 353 354 #if defined(__clang__) && \ 355 (__clang_major__ < 13 || \ 356 (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0)) 357 static inline uint64x2_t vsha512su0q_u64(uint64x2_t x, uint64x2_t y) 358 { 359 asm ("sha512su0 %0.2D,%1.2D" : "+w" (x) : "w" (y)); 360 return x; 361 } 362 static inline uint64x2_t vsha512su1q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) 363 { 364 asm ("sha512su1 %0.2D,%1.2D,%2.2D" : "+w" (x) : "w" (y), "w" (z)); 365 return x; 366 } 367 static inline uint64x2_t vsha512hq_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) 368 { 369 asm ("sha512h %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z)); 370 return x; 371 } 372 static inline uint64x2_t vsha512h2q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) 373 { 374 asm ("sha512h2 %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z)); 375 return x; 376 } 377 #endif /* __clang__ etc */ 378 379 static size_t mbedtls_internal_sha512_process_many_a64_crypto( 380 mbedtls_sha512_context *ctx, const uint8_t *msg, size_t len) 381 { 382 uint64x2_t ab = vld1q_u64(&ctx->state[0]); 383 uint64x2_t cd = vld1q_u64(&ctx->state[2]); 384 uint64x2_t ef = vld1q_u64(&ctx->state[4]); 385 uint64x2_t gh = vld1q_u64(&ctx->state[6]); 386 387 size_t processed = 0; 388 389 for (; 390 len >= SHA512_BLOCK_SIZE; 391 processed += SHA512_BLOCK_SIZE, 392 msg += SHA512_BLOCK_SIZE, 393 len -= SHA512_BLOCK_SIZE) { 394 uint64x2_t initial_sum, sum, intermed; 395 396 uint64x2_t ab_orig = ab; 397 uint64x2_t cd_orig = cd; 398 uint64x2_t ef_orig = ef; 399 uint64x2_t gh_orig = gh; 400 401 uint64x2_t s0 = (uint64x2_t) vld1q_u8(msg + 16 * 0); 402 uint64x2_t s1 = (uint64x2_t) vld1q_u8(msg + 16 * 1); 403 uint64x2_t s2 = (uint64x2_t) vld1q_u8(msg + 16 * 2); 404 uint64x2_t s3 = (uint64x2_t) vld1q_u8(msg + 16 * 3); 405 uint64x2_t s4 = (uint64x2_t) vld1q_u8(msg + 16 * 4); 406 uint64x2_t s5 = (uint64x2_t) vld1q_u8(msg + 16 * 5); 407 uint64x2_t s6 = (uint64x2_t) vld1q_u8(msg + 16 * 6); 408 uint64x2_t s7 = (uint64x2_t) vld1q_u8(msg + 16 * 7); 409 410 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* assume LE if these not defined; untested on BE */ 411 s0 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s0))); 412 s1 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s1))); 413 s2 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s2))); 414 s3 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s3))); 415 s4 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s4))); 416 s5 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s5))); 417 s6 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s6))); 418 s7 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s7))); 419 #endif 420 421 /* Rounds 0 and 1 */ 422 initial_sum = vaddq_u64(s0, vld1q_u64(&K[0])); 423 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); 424 intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); 425 gh = vsha512h2q_u64(intermed, cd, ab); 426 cd = vaddq_u64(cd, intermed); 427 428 /* Rounds 2 and 3 */ 429 initial_sum = vaddq_u64(s1, vld1q_u64(&K[2])); 430 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); 431 intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); 432 ef = vsha512h2q_u64(intermed, ab, gh); 433 ab = vaddq_u64(ab, intermed); 434 435 /* Rounds 4 and 5 */ 436 initial_sum = vaddq_u64(s2, vld1q_u64(&K[4])); 437 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); 438 intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); 439 cd = vsha512h2q_u64(intermed, gh, ef); 440 gh = vaddq_u64(gh, intermed); 441 442 /* Rounds 6 and 7 */ 443 initial_sum = vaddq_u64(s3, vld1q_u64(&K[6])); 444 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); 445 intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); 446 ab = vsha512h2q_u64(intermed, ef, cd); 447 ef = vaddq_u64(ef, intermed); 448 449 /* Rounds 8 and 9 */ 450 initial_sum = vaddq_u64(s4, vld1q_u64(&K[8])); 451 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); 452 intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); 453 gh = vsha512h2q_u64(intermed, cd, ab); 454 cd = vaddq_u64(cd, intermed); 455 456 /* Rounds 10 and 11 */ 457 initial_sum = vaddq_u64(s5, vld1q_u64(&K[10])); 458 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); 459 intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); 460 ef = vsha512h2q_u64(intermed, ab, gh); 461 ab = vaddq_u64(ab, intermed); 462 463 /* Rounds 12 and 13 */ 464 initial_sum = vaddq_u64(s6, vld1q_u64(&K[12])); 465 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); 466 intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); 467 cd = vsha512h2q_u64(intermed, gh, ef); 468 gh = vaddq_u64(gh, intermed); 469 470 /* Rounds 14 and 15 */ 471 initial_sum = vaddq_u64(s7, vld1q_u64(&K[14])); 472 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); 473 intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); 474 ab = vsha512h2q_u64(intermed, ef, cd); 475 ef = vaddq_u64(ef, intermed); 476 477 for (unsigned int t = 16; t < 80; t += 16) { 478 /* Rounds t and t + 1 */ 479 s0 = vsha512su1q_u64(vsha512su0q_u64(s0, s1), s7, vextq_u64(s4, s5, 1)); 480 initial_sum = vaddq_u64(s0, vld1q_u64(&K[t])); 481 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); 482 intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); 483 gh = vsha512h2q_u64(intermed, cd, ab); 484 cd = vaddq_u64(cd, intermed); 485 486 /* Rounds t + 2 and t + 3 */ 487 s1 = vsha512su1q_u64(vsha512su0q_u64(s1, s2), s0, vextq_u64(s5, s6, 1)); 488 initial_sum = vaddq_u64(s1, vld1q_u64(&K[t + 2])); 489 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); 490 intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); 491 ef = vsha512h2q_u64(intermed, ab, gh); 492 ab = vaddq_u64(ab, intermed); 493 494 /* Rounds t + 4 and t + 5 */ 495 s2 = vsha512su1q_u64(vsha512su0q_u64(s2, s3), s1, vextq_u64(s6, s7, 1)); 496 initial_sum = vaddq_u64(s2, vld1q_u64(&K[t + 4])); 497 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); 498 intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); 499 cd = vsha512h2q_u64(intermed, gh, ef); 500 gh = vaddq_u64(gh, intermed); 501 502 /* Rounds t + 6 and t + 7 */ 503 s3 = vsha512su1q_u64(vsha512su0q_u64(s3, s4), s2, vextq_u64(s7, s0, 1)); 504 initial_sum = vaddq_u64(s3, vld1q_u64(&K[t + 6])); 505 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); 506 intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); 507 ab = vsha512h2q_u64(intermed, ef, cd); 508 ef = vaddq_u64(ef, intermed); 509 510 /* Rounds t + 8 and t + 9 */ 511 s4 = vsha512su1q_u64(vsha512su0q_u64(s4, s5), s3, vextq_u64(s0, s1, 1)); 512 initial_sum = vaddq_u64(s4, vld1q_u64(&K[t + 8])); 513 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); 514 intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); 515 gh = vsha512h2q_u64(intermed, cd, ab); 516 cd = vaddq_u64(cd, intermed); 517 518 /* Rounds t + 10 and t + 11 */ 519 s5 = vsha512su1q_u64(vsha512su0q_u64(s5, s6), s4, vextq_u64(s1, s2, 1)); 520 initial_sum = vaddq_u64(s5, vld1q_u64(&K[t + 10])); 521 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); 522 intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); 523 ef = vsha512h2q_u64(intermed, ab, gh); 524 ab = vaddq_u64(ab, intermed); 525 526 /* Rounds t + 12 and t + 13 */ 527 s6 = vsha512su1q_u64(vsha512su0q_u64(s6, s7), s5, vextq_u64(s2, s3, 1)); 528 initial_sum = vaddq_u64(s6, vld1q_u64(&K[t + 12])); 529 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); 530 intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); 531 cd = vsha512h2q_u64(intermed, gh, ef); 532 gh = vaddq_u64(gh, intermed); 533 534 /* Rounds t + 14 and t + 15 */ 535 s7 = vsha512su1q_u64(vsha512su0q_u64(s7, s0), s6, vextq_u64(s3, s4, 1)); 536 initial_sum = vaddq_u64(s7, vld1q_u64(&K[t + 14])); 537 sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); 538 intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); 539 ab = vsha512h2q_u64(intermed, ef, cd); 540 ef = vaddq_u64(ef, intermed); 541 } 542 543 ab = vaddq_u64(ab, ab_orig); 544 cd = vaddq_u64(cd, cd_orig); 545 ef = vaddq_u64(ef, ef_orig); 546 gh = vaddq_u64(gh, gh_orig); 547 } 548 549 vst1q_u64(&ctx->state[0], ab); 550 vst1q_u64(&ctx->state[2], cd); 551 vst1q_u64(&ctx->state[4], ef); 552 vst1q_u64(&ctx->state[6], gh); 553 554 return processed; 555 } 556 557 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 558 /* 559 * This function is for internal use only if we are building both C and A64 560 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() 561 */ 562 static 563 #endif 564 int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, 565 const unsigned char data[SHA512_BLOCK_SIZE]) 566 { 567 return (mbedtls_internal_sha512_process_many_a64_crypto(ctx, data, 568 SHA512_BLOCK_SIZE) == 569 SHA512_BLOCK_SIZE) ? 0 : -1; 570 } 571 572 #if defined(MBEDTLS_POP_TARGET_PRAGMA) 573 #if defined(__clang__) 574 #pragma clang attribute pop 575 #elif defined(__GNUC__) 576 #pragma GCC pop_options 577 #endif 578 #undef MBEDTLS_POP_TARGET_PRAGMA 579 #endif 580 581 #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ 582 583 584 #if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 585 #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many 586 #define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process 587 #endif 588 589 590 #if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 591 592 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 593 /* 594 * This function is for internal use only if we are building both C and A64 595 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() 596 */ 597 static 598 #endif 599 int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx, 600 const unsigned char data[SHA512_BLOCK_SIZE]) 601 { 602 int i; 603 struct { 604 uint64_t temp1, temp2, W[80]; 605 uint64_t A[8]; 606 } local; 607 608 #define SHR(x, n) ((x) >> (n)) 609 #define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n)))) 610 611 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) 612 #define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) 613 614 #define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 615 #define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 616 617 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y)))) 618 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 619 620 #define P(a, b, c, d, e, f, g, h, x, K) \ 621 do \ 622 { \ 623 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \ 624 local.temp2 = S2(a) + F0((a), (b), (c)); \ 625 (d) += local.temp1; (h) = local.temp1 + local.temp2; \ 626 } while (0) 627 628 for (i = 0; i < 8; i++) { 629 local.A[i] = ctx->state[i]; 630 } 631 632 #if defined(MBEDTLS_SHA512_SMALLER) 633 for (i = 0; i < 80; i++) { 634 if (i < 16) { 635 local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3); 636 } else { 637 local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + 638 S0(local.W[i - 15]) + local.W[i - 16]; 639 } 640 641 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 642 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); 643 644 local.temp1 = local.A[7]; local.A[7] = local.A[6]; 645 local.A[6] = local.A[5]; local.A[5] = local.A[4]; 646 local.A[4] = local.A[3]; local.A[3] = local.A[2]; 647 local.A[2] = local.A[1]; local.A[1] = local.A[0]; 648 local.A[0] = local.temp1; 649 } 650 #else /* MBEDTLS_SHA512_SMALLER */ 651 for (i = 0; i < 16; i++) { 652 local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3); 653 } 654 655 for (; i < 80; i++) { 656 local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + 657 S0(local.W[i - 15]) + local.W[i - 16]; 658 } 659 660 i = 0; 661 do { 662 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 663 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++; 664 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 665 local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++; 666 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 667 local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++; 668 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 669 local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++; 670 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 671 local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++; 672 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 673 local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++; 674 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 675 local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++; 676 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 677 local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++; 678 } while (i < 80); 679 #endif /* MBEDTLS_SHA512_SMALLER */ 680 681 for (i = 0; i < 8; i++) { 682 ctx->state[i] += local.A[i]; 683 } 684 685 /* Zeroise buffers and variables to clear sensitive data from memory. */ 686 mbedtls_platform_zeroize(&local, sizeof(local)); 687 688 return 0; 689 } 690 691 #endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ 692 693 694 #if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) 695 696 static size_t mbedtls_internal_sha512_process_many_c( 697 mbedtls_sha512_context *ctx, const uint8_t *data, size_t len) 698 { 699 size_t processed = 0; 700 701 while (len >= SHA512_BLOCK_SIZE) { 702 if (mbedtls_internal_sha512_process_c(ctx, data) != 0) { 703 return 0; 704 } 705 706 data += SHA512_BLOCK_SIZE; 707 len -= SHA512_BLOCK_SIZE; 708 709 processed += SHA512_BLOCK_SIZE; 710 } 711 712 return processed; 713 } 714 715 #endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ 716 717 718 #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) 719 720 static int mbedtls_a64_crypto_sha512_has_support(void) 721 { 722 static int done = 0; 723 static int supported = 0; 724 725 if (!done) { 726 supported = mbedtls_a64_crypto_sha512_determine_support(); 727 done = 1; 728 } 729 730 return supported; 731 } 732 733 static size_t mbedtls_internal_sha512_process_many(mbedtls_sha512_context *ctx, 734 const uint8_t *msg, size_t len) 735 { 736 if (mbedtls_a64_crypto_sha512_has_support()) { 737 return mbedtls_internal_sha512_process_many_a64_crypto(ctx, msg, len); 738 } else { 739 return mbedtls_internal_sha512_process_many_c(ctx, msg, len); 740 } 741 } 742 743 int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx, 744 const unsigned char data[SHA512_BLOCK_SIZE]) 745 { 746 if (mbedtls_a64_crypto_sha512_has_support()) { 747 return mbedtls_internal_sha512_process_a64_crypto(ctx, data); 748 } else { 749 return mbedtls_internal_sha512_process_c(ctx, data); 750 } 751 } 752 753 #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ 754 755 /* 756 * SHA-512 process buffer 757 */ 758 int mbedtls_sha512_update(mbedtls_sha512_context *ctx, 759 const unsigned char *input, 760 size_t ilen) 761 { 762 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 763 size_t fill; 764 unsigned int left; 765 766 if (ilen == 0) { 767 return 0; 768 } 769 770 left = (unsigned int) (ctx->total[0] & 0x7F); 771 fill = SHA512_BLOCK_SIZE - left; 772 773 ctx->total[0] += (uint64_t) ilen; 774 775 if (ctx->total[0] < (uint64_t) ilen) { 776 ctx->total[1]++; 777 } 778 779 if (left && ilen >= fill) { 780 memcpy((void *) (ctx->buffer + left), input, fill); 781 782 if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { 783 return ret; 784 } 785 786 input += fill; 787 ilen -= fill; 788 left = 0; 789 } 790 791 while (ilen >= SHA512_BLOCK_SIZE) { 792 size_t processed = 793 mbedtls_internal_sha512_process_many(ctx, input, ilen); 794 if (processed < SHA512_BLOCK_SIZE) { 795 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 796 } 797 798 input += processed; 799 ilen -= processed; 800 } 801 802 if (ilen > 0) { 803 memcpy((void *) (ctx->buffer + left), input, ilen); 804 } 805 806 return 0; 807 } 808 809 /* 810 * SHA-512 final digest 811 */ 812 int mbedtls_sha512_finish(mbedtls_sha512_context *ctx, 813 unsigned char *output) 814 { 815 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 816 unsigned used; 817 uint64_t high, low; 818 819 /* 820 * Add padding: 0x80 then 0x00 until 16 bytes remain for the length 821 */ 822 used = ctx->total[0] & 0x7F; 823 824 ctx->buffer[used++] = 0x80; 825 826 if (used <= 112) { 827 /* Enough room for padding + length in current block */ 828 memset(ctx->buffer + used, 0, 112 - used); 829 } else { 830 /* We'll need an extra block */ 831 memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used); 832 833 if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { 834 return ret; 835 } 836 837 memset(ctx->buffer, 0, 112); 838 } 839 840 /* 841 * Add message length 842 */ 843 high = (ctx->total[0] >> 61) 844 | (ctx->total[1] << 3); 845 low = (ctx->total[0] << 3); 846 847 sha512_put_uint64_be(high, ctx->buffer, 112); 848 sha512_put_uint64_be(low, ctx->buffer, 120); 849 850 if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { 851 return ret; 852 } 853 854 /* 855 * Output final state 856 */ 857 sha512_put_uint64_be(ctx->state[0], output, 0); 858 sha512_put_uint64_be(ctx->state[1], output, 8); 859 sha512_put_uint64_be(ctx->state[2], output, 16); 860 sha512_put_uint64_be(ctx->state[3], output, 24); 861 sha512_put_uint64_be(ctx->state[4], output, 32); 862 sha512_put_uint64_be(ctx->state[5], output, 40); 863 864 int truncated = 0; 865 #if defined(MBEDTLS_SHA384_C) 866 truncated = ctx->is384; 867 #endif 868 if (!truncated) { 869 sha512_put_uint64_be(ctx->state[6], output, 48); 870 sha512_put_uint64_be(ctx->state[7], output, 56); 871 } 872 873 return 0; 874 } 875 876 #endif /* !MBEDTLS_SHA512_ALT */ 877 878 /* 879 * output = SHA-512( input buffer ) 880 */ 881 int mbedtls_sha512(const unsigned char *input, 882 size_t ilen, 883 unsigned char *output, 884 int is384) 885 { 886 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 887 mbedtls_sha512_context ctx; 888 889 #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) 890 if (is384 != 0 && is384 != 1) { 891 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 892 } 893 #elif defined(MBEDTLS_SHA512_C) 894 if (is384 != 0) { 895 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 896 } 897 #else /* defined MBEDTLS_SHA384_C only */ 898 if (is384 == 0) { 899 return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; 900 } 901 #endif 902 903 mbedtls_sha512_init(&ctx); 904 905 if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) { 906 goto exit; 907 } 908 909 if ((ret = mbedtls_sha512_update(&ctx, input, ilen)) != 0) { 910 goto exit; 911 } 912 913 if ((ret = mbedtls_sha512_finish(&ctx, output)) != 0) { 914 goto exit; 915 } 916 917 exit: 918 mbedtls_sha512_free(&ctx); 919 920 return ret; 921 } 922 923 #if defined(MBEDTLS_SELF_TEST) 924 925 /* 926 * FIPS-180-2 test vectors 927 */ 928 static const unsigned char sha_test_buf[3][113] = 929 { 930 { "abc" }, 931 { 932 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 933 }, 934 { "" } 935 }; 936 937 static const size_t sha_test_buflen[3] = 938 { 939 3, 112, 1000 940 }; 941 942 typedef const unsigned char (sha_test_sum_t)[64]; 943 944 /* 945 * SHA-384 test vectors 946 */ 947 #if defined(MBEDTLS_SHA384_C) 948 static sha_test_sum_t sha384_test_sum[] = 949 { 950 { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B, 951 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07, 952 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63, 953 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED, 954 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23, 955 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 }, 956 { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8, 957 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47, 958 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2, 959 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12, 960 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9, 961 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 }, 962 { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB, 963 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C, 964 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52, 965 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B, 966 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB, 967 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 } 968 }; 969 #endif /* MBEDTLS_SHA384_C */ 970 971 /* 972 * SHA-512 test vectors 973 */ 974 #if defined(MBEDTLS_SHA512_C) 975 static sha_test_sum_t sha512_test_sum[] = 976 { 977 { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA, 978 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31, 979 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2, 980 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A, 981 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8, 982 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD, 983 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E, 984 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F }, 985 { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA, 986 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F, 987 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1, 988 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18, 989 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4, 990 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A, 991 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54, 992 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 }, 993 { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64, 994 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63, 995 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28, 996 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB, 997 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A, 998 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B, 999 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E, 1000 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B } 1001 }; 1002 #endif /* MBEDTLS_SHA512_C */ 1003 1004 #define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0])) 1005 1006 static int mbedtls_sha512_common_self_test(int verbose, int is384) 1007 { 1008 int i, buflen, ret = 0; 1009 unsigned char *buf; 1010 unsigned char sha512sum[64]; 1011 mbedtls_sha512_context ctx; 1012 1013 #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) 1014 sha_test_sum_t *sha_test_sum = (is384) ? sha384_test_sum : sha512_test_sum; 1015 #elif defined(MBEDTLS_SHA512_C) 1016 sha_test_sum_t *sha_test_sum = sha512_test_sum; 1017 #else 1018 sha_test_sum_t *sha_test_sum = sha384_test_sum; 1019 #endif 1020 1021 buf = mbedtls_calloc(1024, sizeof(unsigned char)); 1022 if (NULL == buf) { 1023 if (verbose != 0) { 1024 mbedtls_printf("Buffer allocation failed\n"); 1025 } 1026 1027 return 1; 1028 } 1029 1030 mbedtls_sha512_init(&ctx); 1031 1032 for (i = 0; i < 3; i++) { 1033 if (verbose != 0) { 1034 mbedtls_printf(" SHA-%d test #%d: ", 512 - is384 * 128, i + 1); 1035 } 1036 1037 if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) { 1038 goto fail; 1039 } 1040 1041 if (i == 2) { 1042 memset(buf, 'a', buflen = 1000); 1043 1044 for (int j = 0; j < 1000; j++) { 1045 ret = mbedtls_sha512_update(&ctx, buf, buflen); 1046 if (ret != 0) { 1047 goto fail; 1048 } 1049 } 1050 } else { 1051 ret = mbedtls_sha512_update(&ctx, sha_test_buf[i], 1052 sha_test_buflen[i]); 1053 if (ret != 0) { 1054 goto fail; 1055 } 1056 } 1057 1058 if ((ret = mbedtls_sha512_finish(&ctx, sha512sum)) != 0) { 1059 goto fail; 1060 } 1061 1062 if (memcmp(sha512sum, sha_test_sum[i], 64 - is384 * 16) != 0) { 1063 ret = 1; 1064 goto fail; 1065 } 1066 1067 if (verbose != 0) { 1068 mbedtls_printf("passed\n"); 1069 } 1070 } 1071 1072 if (verbose != 0) { 1073 mbedtls_printf("\n"); 1074 } 1075 1076 goto exit; 1077 1078 fail: 1079 if (verbose != 0) { 1080 mbedtls_printf("failed\n"); 1081 } 1082 1083 exit: 1084 mbedtls_sha512_free(&ctx); 1085 mbedtls_free(buf); 1086 1087 return ret; 1088 } 1089 1090 #if defined(MBEDTLS_SHA512_C) 1091 int mbedtls_sha512_self_test(int verbose) 1092 { 1093 return mbedtls_sha512_common_self_test(verbose, 0); 1094 } 1095 #endif /* MBEDTLS_SHA512_C */ 1096 1097 #if defined(MBEDTLS_SHA384_C) 1098 int mbedtls_sha384_self_test(int verbose) 1099 { 1100 return mbedtls_sha512_common_self_test(verbose, 1); 1101 } 1102 #endif /* MBEDTLS_SHA384_C */ 1103 1104 #undef ARRAY_LENGTH 1105 1106 #endif /* MBEDTLS_SELF_TEST */ 1107 1108 #endif /* MBEDTLS_SHA512_C || MBEDTLS_SHA384_C */ 1109