1/* 2 * FIPS-180-2 compliant SHA-256 implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7/* 8 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 9 * 10 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 11 */ 12 13#if defined(__clang__) && (__clang_major__ >= 4) 14 15/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if, 16 * but that is defined by build_info.h, and we need this block to happen first. */ 17#if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A') 18#if __ARM_ARCH >= 8 19#define MBEDTLS_SHA256_ARCH_IS_ARMV8_A 20#endif 21#endif 22 23#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO) 24/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. 25 * 26 * The intrinsic declaration are guarded by predefined ACLE macros in clang: 27 * these are normally only enabled by the -march option on the command line. 28 * By defining the macros ourselves we gain access to those declarations without 29 * requiring -march on the command line. 30 * 31 * `arm_neon.h` is included by common.h, so we put these defines 32 * at the top of this file, before any includes. 33 */ 34#define __ARM_FEATURE_CRYPTO 1 35/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions 36 * 37 * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it 38 * for older compilers. 39 */ 40#define __ARM_FEATURE_SHA2 1 41#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG 42#endif 43 44#endif /* defined(__clang__) && (__clang_major__ >= 4) */ 45 46/* Ensure that SIG_SETMASK is defined when -std=c99 is used. */ 47#if !defined(_GNU_SOURCE) 48#define _GNU_SOURCE 49#endif 50 51#include "common.h" 52 53#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) 54 55#include "mbedtls/sha256.h" 56#include "mbedtls/platform_util.h" 57#include "mbedtls/error.h" 58 59#include <string.h> 60 61#include "mbedtls/platform.h" 62 63#if defined(MBEDTLS_ARCH_IS_ARMV8_A) 64 65# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 66 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 67# if !defined(MBEDTLS_HAVE_NEON_INTRINSICS) 68# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 69# warning "Target does not support NEON instructions" 70# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 71# else 72# error "Target does not support NEON instructions" 73# endif 74# endif 75# endif 76 77# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 78 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 79/* *INDENT-OFF* */ 80 81# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) 82# if defined(__ARMCOMPILER_VERSION) 83# if __ARMCOMPILER_VERSION <= 6090000 84# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 85# endif 86# pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function) 87# define MBEDTLS_POP_TARGET_PRAGMA 88# elif defined(__clang__) 89# if __clang_major__ < 4 90# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 91# endif 92# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) 93# define MBEDTLS_POP_TARGET_PRAGMA 94# elif defined(__GNUC__) 95 /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some 96 * intrinsics are missing. Missing intrinsics could be worked around. 97 */ 98# if __GNUC__ < 6 99# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 100# else 101# pragma GCC push_options 102# pragma GCC target ("arch=armv8-a+crypto") 103# define MBEDTLS_POP_TARGET_PRAGMA 104# endif 105# else 106# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" 107# endif 108# endif 109/* *INDENT-ON* */ 110 111# endif 112# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 113# if defined(__unix__) 114# if defined(__linux__) 115/* Our preferred method of detection is getauxval() */ 116# include <sys/auxv.h> 117/* These are not always defined via sys/auxv.h */ 118# if !defined(HWCAP_SHA2) 119# define HWCAP_SHA2 (1 << 6) 120# endif 121# if !defined(HWCAP2_SHA2) 122# define HWCAP2_SHA2 (1 << 3) 123# endif 124# endif 125/* Use SIGILL on Unix, and fall back to it on Linux */ 126# include <signal.h> 127# endif 128# endif 129#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 130# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY 131# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 132#endif 133 134#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 135/* 136 * Capability detection code comes early, so we can disable 137 * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found 138 */ 139#if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2) 140static int mbedtls_a64_crypto_sha256_determine_support(void) 141{ 142 return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0; 143} 144#elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2) 145static int mbedtls_a64_crypto_sha256_determine_support(void) 146{ 147 return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0; 148} 149#elif defined(__APPLE__) 150static int mbedtls_a64_crypto_sha256_determine_support(void) 151{ 152 return 1; 153} 154#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 155#define WIN32_LEAN_AND_MEAN 156#include <Windows.h> 157#include <processthreadsapi.h> 158 159static int mbedtls_a64_crypto_sha256_determine_support(void) 160{ 161 return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ? 162 1 : 0; 163} 164#elif defined(__unix__) && defined(SIG_SETMASK) 165/* Detection with SIGILL, setjmp() and longjmp() */ 166#include <signal.h> 167#include <setjmp.h> 168 169static jmp_buf return_from_sigill; 170 171/* 172 * Armv8-A SHA256 support detection via SIGILL 173 */ 174static void sigill_handler(int signal) 175{ 176 (void) signal; 177 longjmp(return_from_sigill, 1); 178} 179 180static int mbedtls_a64_crypto_sha256_determine_support(void) 181{ 182 struct sigaction old_action, new_action; 183 184 sigset_t old_mask; 185 if (sigprocmask(0, NULL, &old_mask)) { 186 return 0; 187 } 188 189 sigemptyset(&new_action.sa_mask); 190 new_action.sa_flags = 0; 191 new_action.sa_handler = sigill_handler; 192 193 sigaction(SIGILL, &new_action, &old_action); 194 195 static int ret = 0; 196 197 if (setjmp(return_from_sigill) == 0) { /* First return only */ 198 /* If this traps, we will return a second time from setjmp() with 1 */ 199#if defined(MBEDTLS_ARCH_IS_ARM64) 200 asm volatile ("sha256h q0, q0, v0.4s" : : : "v0"); 201#else 202 asm volatile ("sha256h.32 q0, q0, q0" : : : "q0"); 203#endif 204 ret = 1; 205 } 206 207 sigaction(SIGILL, &old_action, NULL); 208 sigprocmask(SIG_SETMASK, &old_mask, NULL); 209 210 return ret; 211} 212#else 213#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" 214#undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT 215#endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */ 216 217#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ 218 219#if !defined(MBEDTLS_SHA256_ALT) 220 221#define SHA256_BLOCK_SIZE 64 222 223void mbedtls_sha256_init(mbedtls_sha256_context *ctx) 224{ 225 memset(ctx, 0, sizeof(mbedtls_sha256_context)); 226} 227 228void mbedtls_sha256_free(mbedtls_sha256_context *ctx) 229{ 230 if (ctx == NULL) { 231 return; 232 } 233 234 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context)); 235} 236 237void mbedtls_sha256_clone(mbedtls_sha256_context *dst, 238 const mbedtls_sha256_context *src) 239{ 240 *dst = *src; 241} 242 243/* 244 * SHA-256 context setup 245 */ 246int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224) 247{ 248#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 249 if (is224 != 0 && is224 != 1) { 250 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 251 } 252#elif defined(MBEDTLS_SHA256_C) 253 if (is224 != 0) { 254 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 255 } 256#else /* defined MBEDTLS_SHA224_C only */ 257 if (is224 == 0) { 258 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 259 } 260#endif 261 262 ctx->total[0] = 0; 263 ctx->total[1] = 0; 264 265 if (is224 == 0) { 266#if defined(MBEDTLS_SHA256_C) 267 ctx->state[0] = 0x6A09E667; 268 ctx->state[1] = 0xBB67AE85; 269 ctx->state[2] = 0x3C6EF372; 270 ctx->state[3] = 0xA54FF53A; 271 ctx->state[4] = 0x510E527F; 272 ctx->state[5] = 0x9B05688C; 273 ctx->state[6] = 0x1F83D9AB; 274 ctx->state[7] = 0x5BE0CD19; 275#endif 276 } else { 277#if defined(MBEDTLS_SHA224_C) 278 ctx->state[0] = 0xC1059ED8; 279 ctx->state[1] = 0x367CD507; 280 ctx->state[2] = 0x3070DD17; 281 ctx->state[3] = 0xF70E5939; 282 ctx->state[4] = 0xFFC00B31; 283 ctx->state[5] = 0x68581511; 284 ctx->state[6] = 0x64F98FA7; 285 ctx->state[7] = 0xBEFA4FA4; 286#endif 287 } 288 289#if defined(MBEDTLS_SHA224_C) 290 ctx->is224 = is224; 291#endif 292 293 return 0; 294} 295 296#if !defined(MBEDTLS_SHA256_PROCESS_ALT) 297static const uint32_t K[] = 298{ 299 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 300 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 301 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 302 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 303 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 304 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 305 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 306 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 307 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 308 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 309 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 310 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 311 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 312 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 313 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 314 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 315}; 316 317#endif 318 319#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ 320 defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 321 322#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 323# define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many 324# define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process 325#endif 326 327static size_t mbedtls_internal_sha256_process_many_a64_crypto( 328 mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len) 329{ 330 uint32x4_t abcd = vld1q_u32(&ctx->state[0]); 331 uint32x4_t efgh = vld1q_u32(&ctx->state[4]); 332 333 size_t processed = 0; 334 335 for (; 336 len >= SHA256_BLOCK_SIZE; 337 processed += SHA256_BLOCK_SIZE, 338 msg += SHA256_BLOCK_SIZE, 339 len -= SHA256_BLOCK_SIZE) { 340 uint32x4_t tmp, abcd_prev; 341 342 uint32x4_t abcd_orig = abcd; 343 uint32x4_t efgh_orig = efgh; 344 345 uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0)); 346 uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1)); 347 uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2)); 348 uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3)); 349 350#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */ 351 /* Untested on BE */ 352 sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0))); 353 sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1))); 354 sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2))); 355 sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3))); 356#endif 357 358 /* Rounds 0 to 3 */ 359 tmp = vaddq_u32(sched0, vld1q_u32(&K[0])); 360 abcd_prev = abcd; 361 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 362 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 363 364 /* Rounds 4 to 7 */ 365 tmp = vaddq_u32(sched1, vld1q_u32(&K[4])); 366 abcd_prev = abcd; 367 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 368 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 369 370 /* Rounds 8 to 11 */ 371 tmp = vaddq_u32(sched2, vld1q_u32(&K[8])); 372 abcd_prev = abcd; 373 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 374 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 375 376 /* Rounds 12 to 15 */ 377 tmp = vaddq_u32(sched3, vld1q_u32(&K[12])); 378 abcd_prev = abcd; 379 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 380 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 381 382 for (int t = 16; t < 64; t += 16) { 383 /* Rounds t to t + 3 */ 384 sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3); 385 tmp = vaddq_u32(sched0, vld1q_u32(&K[t])); 386 abcd_prev = abcd; 387 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 388 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 389 390 /* Rounds t + 4 to t + 7 */ 391 sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0); 392 tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4])); 393 abcd_prev = abcd; 394 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 395 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 396 397 /* Rounds t + 8 to t + 11 */ 398 sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1); 399 tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8])); 400 abcd_prev = abcd; 401 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 402 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 403 404 /* Rounds t + 12 to t + 15 */ 405 sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2); 406 tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12])); 407 abcd_prev = abcd; 408 abcd = vsha256hq_u32(abcd_prev, efgh, tmp); 409 efgh = vsha256h2q_u32(efgh, abcd_prev, tmp); 410 } 411 412 abcd = vaddq_u32(abcd, abcd_orig); 413 efgh = vaddq_u32(efgh, efgh_orig); 414 } 415 416 vst1q_u32(&ctx->state[0], abcd); 417 vst1q_u32(&ctx->state[4], efgh); 418 419 return processed; 420} 421 422#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 423/* 424 * This function is for internal use only if we are building both C and Armv8-A 425 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 426 */ 427static 428#endif 429int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, 430 const unsigned char data[SHA256_BLOCK_SIZE]) 431{ 432 return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data, 433 SHA256_BLOCK_SIZE) == 434 SHA256_BLOCK_SIZE) ? 0 : -1; 435} 436 437#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 438 439#if defined(MBEDTLS_POP_TARGET_PRAGMA) 440#if defined(__clang__) 441#pragma clang attribute pop 442#elif defined(__GNUC__) 443#pragma GCC pop_options 444#endif 445#undef MBEDTLS_POP_TARGET_PRAGMA 446#endif 447 448#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 449#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many 450#define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process 451#endif 452 453 454#if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \ 455 !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 456 457#define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n)) 458#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n)))) 459 460#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 461#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 462 463#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 464#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 465 466#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y)))) 467#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 468 469#define R(t) \ 470 ( \ 471 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \ 472 S0(local.W[(t) - 15]) + local.W[(t) - 16] \ 473 ) 474 475#define P(a, b, c, d, e, f, g, h, x, K) \ 476 do \ 477 { \ 478 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \ 479 local.temp2 = S2(a) + F0((a), (b), (c)); \ 480 (d) += local.temp1; (h) = local.temp1 + local.temp2; \ 481 } while (0) 482 483#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 484/* 485 * This function is for internal use only if we are building both C and Armv8 486 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() 487 */ 488static 489#endif 490int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx, 491 const unsigned char data[SHA256_BLOCK_SIZE]) 492{ 493 struct { 494 uint32_t temp1, temp2, W[64]; 495 uint32_t A[8]; 496 } local; 497 498 unsigned int i; 499 500 for (i = 0; i < 8; i++) { 501 local.A[i] = ctx->state[i]; 502 } 503 504#if defined(MBEDTLS_SHA256_SMALLER) 505 for (i = 0; i < 64; i++) { 506 if (i < 16) { 507 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 508 } else { 509 R(i); 510 } 511 512 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 513 local.A[5], local.A[6], local.A[7], local.W[i], K[i]); 514 515 local.temp1 = local.A[7]; local.A[7] = local.A[6]; 516 local.A[6] = local.A[5]; local.A[5] = local.A[4]; 517 local.A[4] = local.A[3]; local.A[3] = local.A[2]; 518 local.A[2] = local.A[1]; local.A[1] = local.A[0]; 519 local.A[0] = local.temp1; 520 } 521#else /* MBEDTLS_SHA256_SMALLER */ 522 for (i = 0; i < 16; i++) { 523 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i); 524 } 525 526 for (i = 0; i < 16; i += 8) { 527 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 528 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]); 529 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 530 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]); 531 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 532 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]); 533 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 534 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]); 535 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 536 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]); 537 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 538 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]); 539 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 540 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]); 541 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 542 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]); 543 } 544 545 for (i = 16; i < 64; i += 8) { 546 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], 547 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]); 548 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], 549 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]); 550 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], 551 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]); 552 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], 553 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]); 554 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], 555 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]); 556 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], 557 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]); 558 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], 559 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]); 560 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], 561 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]); 562 } 563#endif /* MBEDTLS_SHA256_SMALLER */ 564 565 for (i = 0; i < 8; i++) { 566 ctx->state[i] += local.A[i]; 567 } 568 569 /* Zeroise buffers and variables to clear sensitive data from memory. */ 570 mbedtls_platform_zeroize(&local, sizeof(local)); 571 572 return 0; 573} 574 575#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 576 577 578#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) 579 580static size_t mbedtls_internal_sha256_process_many_c( 581 mbedtls_sha256_context *ctx, const uint8_t *data, size_t len) 582{ 583 size_t processed = 0; 584 585 while (len >= SHA256_BLOCK_SIZE) { 586 if (mbedtls_internal_sha256_process_c(ctx, data) != 0) { 587 return 0; 588 } 589 590 data += SHA256_BLOCK_SIZE; 591 len -= SHA256_BLOCK_SIZE; 592 593 processed += SHA256_BLOCK_SIZE; 594 } 595 596 return processed; 597} 598 599#endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ 600 601 602#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) 603 604static int mbedtls_a64_crypto_sha256_has_support(void) 605{ 606 static int done = 0; 607 static int supported = 0; 608 609 if (!done) { 610 supported = mbedtls_a64_crypto_sha256_determine_support(); 611 done = 1; 612 } 613 614 return supported; 615} 616 617static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx, 618 const uint8_t *msg, size_t len) 619{ 620 if (mbedtls_a64_crypto_sha256_has_support()) { 621 return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len); 622 } else { 623 return mbedtls_internal_sha256_process_many_c(ctx, msg, len); 624 } 625} 626 627int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, 628 const unsigned char data[SHA256_BLOCK_SIZE]) 629{ 630 if (mbedtls_a64_crypto_sha256_has_support()) { 631 return mbedtls_internal_sha256_process_a64_crypto(ctx, data); 632 } else { 633 return mbedtls_internal_sha256_process_c(ctx, data); 634 } 635} 636 637#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ 638 639 640/* 641 * SHA-256 process buffer 642 */ 643int mbedtls_sha256_update(mbedtls_sha256_context *ctx, 644 const unsigned char *input, 645 size_t ilen) 646{ 647 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 648 size_t fill; 649 uint32_t left; 650 651 if (ilen == 0) { 652 return 0; 653 } 654 655 left = ctx->total[0] & 0x3F; 656 fill = SHA256_BLOCK_SIZE - left; 657 658 ctx->total[0] += (uint32_t) ilen; 659 ctx->total[0] &= 0xFFFFFFFF; 660 661 if (ctx->total[0] < (uint32_t) ilen) { 662 ctx->total[1]++; 663 } 664 665 if (left && ilen >= fill) { 666 memcpy((void *) (ctx->buffer + left), input, fill); 667 668 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 669 return ret; 670 } 671 672 input += fill; 673 ilen -= fill; 674 left = 0; 675 } 676 677 while (ilen >= SHA256_BLOCK_SIZE) { 678 size_t processed = 679 mbedtls_internal_sha256_process_many(ctx, input, ilen); 680 if (processed < SHA256_BLOCK_SIZE) { 681 return MBEDTLS_ERR_ERROR_GENERIC_ERROR; 682 } 683 684 input += processed; 685 ilen -= processed; 686 } 687 688 if (ilen > 0) { 689 memcpy((void *) (ctx->buffer + left), input, ilen); 690 } 691 692 return 0; 693} 694 695/* 696 * SHA-256 final digest 697 */ 698int mbedtls_sha256_finish(mbedtls_sha256_context *ctx, 699 unsigned char *output) 700{ 701 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 702 uint32_t used; 703 uint32_t high, low; 704 int truncated = 0; 705 706 /* 707 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 708 */ 709 used = ctx->total[0] & 0x3F; 710 711 ctx->buffer[used++] = 0x80; 712 713 if (used <= 56) { 714 /* Enough room for padding + length in current block */ 715 memset(ctx->buffer + used, 0, 56 - used); 716 } else { 717 /* We'll need an extra block */ 718 memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used); 719 720 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 721 goto exit; 722 } 723 724 memset(ctx->buffer, 0, 56); 725 } 726 727 /* 728 * Add message length 729 */ 730 high = (ctx->total[0] >> 29) 731 | (ctx->total[1] << 3); 732 low = (ctx->total[0] << 3); 733 734 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56); 735 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60); 736 737 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) { 738 goto exit; 739 } 740 741 /* 742 * Output final state 743 */ 744 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0); 745 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4); 746 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8); 747 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12); 748 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16); 749 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20); 750 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24); 751 752#if defined(MBEDTLS_SHA224_C) 753 truncated = ctx->is224; 754#endif 755 if (!truncated) { 756 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28); 757 } 758 759 ret = 0; 760 761exit: 762 mbedtls_sha256_free(ctx); 763 return ret; 764} 765 766#endif /* !MBEDTLS_SHA256_ALT */ 767 768/* 769 * output = SHA-256( input buffer ) 770 */ 771int mbedtls_sha256(const unsigned char *input, 772 size_t ilen, 773 unsigned char *output, 774 int is224) 775{ 776 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 777 mbedtls_sha256_context ctx; 778 779#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 780 if (is224 != 0 && is224 != 1) { 781 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 782 } 783#elif defined(MBEDTLS_SHA256_C) 784 if (is224 != 0) { 785 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 786 } 787#else /* defined MBEDTLS_SHA224_C only */ 788 if (is224 == 0) { 789 return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA; 790 } 791#endif 792 793 mbedtls_sha256_init(&ctx); 794 795 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 796 goto exit; 797 } 798 799 if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) { 800 goto exit; 801 } 802 803 if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) { 804 goto exit; 805 } 806 807exit: 808 mbedtls_sha256_free(&ctx); 809 810 return ret; 811} 812 813#if defined(MBEDTLS_SELF_TEST) 814/* 815 * FIPS-180-2 test vectors 816 */ 817static const unsigned char sha_test_buf[3][57] = 818{ 819 { "abc" }, 820 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 821 { "" } 822}; 823 824static const size_t sha_test_buflen[3] = 825{ 826 3, 56, 1000 827}; 828 829typedef const unsigned char (sha_test_sum_t)[32]; 830 831/* 832 * SHA-224 test vectors 833 */ 834#if defined(MBEDTLS_SHA224_C) 835static sha_test_sum_t sha224_test_sum[] = 836{ 837 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 838 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 839 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 840 0xE3, 0x6C, 0x9D, 0xA7 }, 841 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 842 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 843 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 844 0x52, 0x52, 0x25, 0x25 }, 845 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 846 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 847 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 848 0x4E, 0xE7, 0xAD, 0x67 } 849}; 850#endif 851 852/* 853 * SHA-256 test vectors 854 */ 855#if defined(MBEDTLS_SHA256_C) 856static sha_test_sum_t sha256_test_sum[] = 857{ 858 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 859 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 860 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 861 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 862 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 863 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 864 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 865 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 866 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 867 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 868 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 869 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 870}; 871#endif 872 873/* 874 * Checkup routine 875 */ 876static int mbedtls_sha256_common_self_test(int verbose, int is224) 877{ 878 int i, buflen, ret = 0; 879 unsigned char *buf; 880 unsigned char sha256sum[32]; 881 mbedtls_sha256_context ctx; 882 883#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C) 884 sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum; 885#elif defined(MBEDTLS_SHA256_C) 886 sha_test_sum_t *sha_test_sum = sha256_test_sum; 887#else 888 sha_test_sum_t *sha_test_sum = sha224_test_sum; 889#endif 890 891 buf = mbedtls_calloc(1024, sizeof(unsigned char)); 892 if (NULL == buf) { 893 if (verbose != 0) { 894 mbedtls_printf("Buffer allocation failed\n"); 895 } 896 897 return 1; 898 } 899 900 mbedtls_sha256_init(&ctx); 901 902 for (i = 0; i < 3; i++) { 903 if (verbose != 0) { 904 mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1); 905 } 906 907 if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) { 908 goto fail; 909 } 910 911 if (i == 2) { 912 memset(buf, 'a', buflen = 1000); 913 914 for (int j = 0; j < 1000; j++) { 915 ret = mbedtls_sha256_update(&ctx, buf, buflen); 916 if (ret != 0) { 917 goto fail; 918 } 919 } 920 921 } else { 922 ret = mbedtls_sha256_update(&ctx, sha_test_buf[i], 923 sha_test_buflen[i]); 924 if (ret != 0) { 925 goto fail; 926 } 927 } 928 929 if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) { 930 goto fail; 931 } 932 933 934 if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) { 935 ret = 1; 936 goto fail; 937 } 938 939 if (verbose != 0) { 940 mbedtls_printf("passed\n"); 941 } 942 } 943 944 if (verbose != 0) { 945 mbedtls_printf("\n"); 946 } 947 948 goto exit; 949 950fail: 951 if (verbose != 0) { 952 mbedtls_printf("failed\n"); 953 } 954 955exit: 956 mbedtls_sha256_free(&ctx); 957 mbedtls_free(buf); 958 959 return ret; 960} 961 962#if defined(MBEDTLS_SHA256_C) 963int mbedtls_sha256_self_test(int verbose) 964{ 965 return mbedtls_sha256_common_self_test(verbose, 0); 966} 967#endif /* MBEDTLS_SHA256_C */ 968 969#if defined(MBEDTLS_SHA224_C) 970int mbedtls_sha224_self_test(int verbose) 971{ 972 return mbedtls_sha256_common_self_test(verbose, 1); 973} 974#endif /* MBEDTLS_SHA224_C */ 975 976#endif /* MBEDTLS_SELF_TEST */ 977 978#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */ 979