Coverage Report

Created: 2023-09-24 16:03

/src/mbedtls/library/sha256.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  FIPS-180-2 compliant SHA-256 implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0
6
 *
7
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8
 *  not use this file except in compliance with the License.
9
 *  You may obtain a copy of the License at
10
 *
11
 *  http://www.apache.org/licenses/LICENSE-2.0
12
 *
13
 *  Unless required by applicable law or agreed to in writing, software
14
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16
 *  See the License for the specific language governing permissions and
17
 *  limitations under the License.
18
 */
19
/*
20
 *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
21
 *
22
 *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
23
 */
24
25
#include "common.h"
26
27
#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
28
29
#include "mbedtls/sha256.h"
30
#include "mbedtls/platform_util.h"
31
#include "mbedtls/error.h"
32
33
#include <string.h>
34
35
#include "mbedtls/platform.h"
36
37
#if defined(__aarch64__)
38
#  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
39
    defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
40
#    include <arm_neon.h>
41
#  endif
42
#  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
43
#    if defined(__unix__)
44
#      if defined(__linux__)
45
/* Our preferred method of detection is getauxval() */
46
#        include <sys/auxv.h>
47
#      endif
48
/* Use SIGILL on Unix, and fall back to it on Linux */
49
#      include <signal.h>
50
#    endif
51
#  endif
52
#elif defined(_M_ARM64)
53
#  if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
54
    defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
55
#    include <arm64_neon.h>
56
#  endif
57
#else
58
#  undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
59
#  undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
60
#endif
61
62
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
63
/*
64
 * Capability detection code comes early, so we can disable
65
 * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
66
 */
67
#if defined(HWCAP_SHA2)
68
static int mbedtls_a64_crypto_sha256_determine_support(void)
69
{
70
    return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
71
}
72
#elif defined(__APPLE__)
73
static int mbedtls_a64_crypto_sha256_determine_support(void)
74
{
75
    return 1;
76
}
77
#elif defined(_M_ARM64)
78
#define WIN32_LEAN_AND_MEAN
79
#include <Windows.h>
80
#include <processthreadsapi.h>
81
82
static int mbedtls_a64_crypto_sha256_determine_support(void)
83
{
84
    return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
85
           1 : 0;
86
}
87
#elif defined(__unix__) && defined(SIG_SETMASK)
88
/* Detection with SIGILL, setjmp() and longjmp() */
89
#include <signal.h>
90
#include <setjmp.h>
91
92
static jmp_buf return_from_sigill;
93
94
/*
95
 * A64 SHA256 support detection via SIGILL
96
 */
97
static void sigill_handler(int signal)
98
{
99
    (void) signal;
100
    longjmp(return_from_sigill, 1);
101
}
102
103
static int mbedtls_a64_crypto_sha256_determine_support(void)
104
{
105
    struct sigaction old_action, new_action;
106
107
    sigset_t old_mask;
108
    if (sigprocmask(0, NULL, &old_mask)) {
109
        return 0;
110
    }
111
112
    sigemptyset(&new_action.sa_mask);
113
    new_action.sa_flags = 0;
114
    new_action.sa_handler = sigill_handler;
115
116
    sigaction(SIGILL, &new_action, &old_action);
117
118
    static int ret = 0;
119
120
    if (setjmp(return_from_sigill) == 0) {         /* First return only */
121
        /* If this traps, we will return a second time from setjmp() with 1 */
122
        asm ("sha256h q0, q0, v0.4s" : : : "v0");
123
        ret = 1;
124
    }
125
126
    sigaction(SIGILL, &old_action, NULL);
127
    sigprocmask(SIG_SETMASK, &old_mask, NULL);
128
129
    return ret;
130
}
131
#else
132
#warning "No mechanism to detect A64_CRYPTO found, using C code only"
133
#undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
134
#endif  /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
135
136
#endif  /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
137
138
#if !defined(MBEDTLS_SHA256_ALT)
139
140
1.52M
#define SHA256_BLOCK_SIZE 64
141
142
void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
143
28.6k
{
144
28.6k
    memset(ctx, 0, sizeof(mbedtls_sha256_context));
145
28.6k
}
146
147
void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
148
28.6k
{
149
28.6k
    if (ctx == NULL) {
150
0
        return;
151
0
    }
152
153
28.6k
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
154
28.6k
}
155
156
void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
157
                          const mbedtls_sha256_context *src)
158
0
{
159
0
    *dst = *src;
160
0
}
161
162
/*
163
 * SHA-256 context setup
164
 */
165
int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
166
46.4k
{
167
46.4k
#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
168
46.4k
    if (is224 != 0 && is224 != 1) {
169
0
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
170
0
    }
171
#elif defined(MBEDTLS_SHA256_C)
172
    if (is224 != 0) {
173
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
174
    }
175
#else /* defined MBEDTLS_SHA224_C only */
176
    if (is224 == 0) {
177
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
178
    }
179
#endif
180
181
46.4k
    ctx->total[0] = 0;
182
46.4k
    ctx->total[1] = 0;
183
184
46.4k
    if (is224 == 0) {
185
46.3k
#if defined(MBEDTLS_SHA256_C)
186
46.3k
        ctx->state[0] = 0x6A09E667;
187
46.3k
        ctx->state[1] = 0xBB67AE85;
188
46.3k
        ctx->state[2] = 0x3C6EF372;
189
46.3k
        ctx->state[3] = 0xA54FF53A;
190
46.3k
        ctx->state[4] = 0x510E527F;
191
46.3k
        ctx->state[5] = 0x9B05688C;
192
46.3k
        ctx->state[6] = 0x1F83D9AB;
193
46.3k
        ctx->state[7] = 0x5BE0CD19;
194
46.3k
#endif
195
46.3k
    } else {
196
93
#if defined(MBEDTLS_SHA224_C)
197
93
        ctx->state[0] = 0xC1059ED8;
198
93
        ctx->state[1] = 0x367CD507;
199
93
        ctx->state[2] = 0x3070DD17;
200
93
        ctx->state[3] = 0xF70E5939;
201
93
        ctx->state[4] = 0xFFC00B31;
202
93
        ctx->state[5] = 0x68581511;
203
93
        ctx->state[6] = 0x64F98FA7;
204
93
        ctx->state[7] = 0xBEFA4FA4;
205
93
#endif
206
93
    }
207
208
46.4k
#if defined(MBEDTLS_SHA224_C)
209
46.4k
    ctx->is224 = is224;
210
46.4k
#endif
211
212
46.4k
    return 0;
213
46.4k
}
214
215
#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
216
static const uint32_t K[] =
217
{
218
    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
219
    0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
220
    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
221
    0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
222
    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
223
    0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
224
    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
225
    0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
226
    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
227
    0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
228
    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
229
    0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
230
    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
231
    0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
232
    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
233
    0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
234
};
235
236
#endif
237
238
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
239
    defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
240
241
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
242
#  define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
243
#  define mbedtls_internal_sha256_process_a64_crypto      mbedtls_internal_sha256_process
244
#endif
245
246
static size_t mbedtls_internal_sha256_process_many_a64_crypto(
247
    mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
248
{
249
    uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
250
    uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
251
252
    size_t processed = 0;
253
254
    for (;
255
         len >= SHA256_BLOCK_SIZE;
256
         processed += SHA256_BLOCK_SIZE,
257
         msg += SHA256_BLOCK_SIZE,
258
         len -= SHA256_BLOCK_SIZE) {
259
        uint32x4_t tmp, abcd_prev;
260
261
        uint32x4_t abcd_orig = abcd;
262
        uint32x4_t efgh_orig = efgh;
263
264
        uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0);
265
        uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1);
266
        uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2);
267
        uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3);
268
269
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__  /* Will be true if not defined */
270
                                               /* Untested on BE */
271
        sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
272
        sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
273
        sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
274
        sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
275
#endif
276
277
        /* Rounds 0 to 3 */
278
        tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
279
        abcd_prev = abcd;
280
        abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
281
        efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
282
283
        /* Rounds 4 to 7 */
284
        tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
285
        abcd_prev = abcd;
286
        abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
287
        efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
288
289
        /* Rounds 8 to 11 */
290
        tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
291
        abcd_prev = abcd;
292
        abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
293
        efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
294
295
        /* Rounds 12 to 15 */
296
        tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
297
        abcd_prev = abcd;
298
        abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
299
        efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
300
301
        for (int t = 16; t < 64; t += 16) {
302
            /* Rounds t to t + 3 */
303
            sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
304
            tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
305
            abcd_prev = abcd;
306
            abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
307
            efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
308
309
            /* Rounds t + 4 to t + 7 */
310
            sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
311
            tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
312
            abcd_prev = abcd;
313
            abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
314
            efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
315
316
            /* Rounds t + 8 to t + 11 */
317
            sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
318
            tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
319
            abcd_prev = abcd;
320
            abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
321
            efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
322
323
            /* Rounds t + 12 to t + 15 */
324
            sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
325
            tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
326
            abcd_prev = abcd;
327
            abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
328
            efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
329
        }
330
331
        abcd = vaddq_u32(abcd, abcd_orig);
332
        efgh = vaddq_u32(efgh, efgh_orig);
333
    }
334
335
    vst1q_u32(&ctx->state[0], abcd);
336
    vst1q_u32(&ctx->state[4], efgh);
337
338
    return processed;
339
}
340
341
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
342
/*
343
 * This function is for internal use only if we are building both C and A64
344
 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
345
 */
346
static
347
#endif
348
int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
349
                                               const unsigned char data[SHA256_BLOCK_SIZE])
350
{
351
    return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
352
                                                            SHA256_BLOCK_SIZE) ==
353
            SHA256_BLOCK_SIZE) ? 0 : -1;
354
}
355
356
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
357
358
359
#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
360
#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
361
291k
#define mbedtls_internal_sha256_process_c      mbedtls_internal_sha256_process
362
#endif
363
364
365
#if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
366
    !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
367
368
125M
#define  SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
369
125M
#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
370
371
#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^  SHR(x, 3))
372
#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^  SHR(x, 10))
373
374
20.9M
#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
375
20.9M
#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
376
377
20.9M
#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
378
20.9M
#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
379
380
#define R(t)                                                        \
381
    (                                                               \
382
        local.W[t] = S1(local.W[(t) -  2]) + local.W[(t) -  7] +    \
383
                     S0(local.W[(t) - 15]) + local.W[(t) - 16]      \
384
    )
385
386
#define P(a, b, c, d, e, f, g, h, x, K)                                      \
387
20.9M
    do                                                              \
388
20.9M
    {                                                               \
389
20.9M
        local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x);    \
390
20.9M
        local.temp2 = S2(a) + F0((a), (b), (c));                      \
391
20.9M
        (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
392
20.9M
    } while (0)
393
394
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
395
/*
396
 * This function is for internal use only if we are building both C and A64
397
 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
398
 */
399
static
400
#endif
401
int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
402
                                      const unsigned char data[SHA256_BLOCK_SIZE])
403
327k
{
404
327k
    struct {
405
327k
        uint32_t temp1, temp2, W[64];
406
327k
        uint32_t A[8];
407
327k
    } local;
408
409
327k
    unsigned int i;
410
411
2.94M
    for (i = 0; i < 8; i++) {
412
2.61M
        local.A[i] = ctx->state[i];
413
2.61M
    }
414
415
#if defined(MBEDTLS_SHA256_SMALLER)
416
    for (i = 0; i < 64; i++) {
417
        if (i < 16) {
418
            local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
419
        } else {
420
            R(i);
421
        }
422
423
        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
424
          local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
425
426
        local.temp1 = local.A[7]; local.A[7] = local.A[6];
427
        local.A[6] = local.A[5]; local.A[5] = local.A[4];
428
        local.A[4] = local.A[3]; local.A[3] = local.A[2];
429
        local.A[2] = local.A[1]; local.A[1] = local.A[0];
430
        local.A[0] = local.temp1;
431
    }
432
#else /* MBEDTLS_SHA256_SMALLER */
433
5.56M
    for (i = 0; i < 16; i++) {
434
5.23M
        local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
435
5.23M
    }
436
437
982k
    for (i = 0; i < 16; i += 8) {
438
654k
        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
439
654k
          local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
440
654k
        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
441
654k
          local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
442
654k
        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
443
654k
          local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
444
654k
        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
445
654k
          local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
446
654k
        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
447
654k
          local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
448
654k
        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
449
654k
          local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
450
654k
        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
451
654k
          local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
452
654k
        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
453
654k
          local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
454
654k
    }
455
456
2.29M
    for (i = 16; i < 64; i += 8) {
457
1.96M
        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
458
1.96M
          local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
459
1.96M
        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
460
1.96M
          local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
461
1.96M
        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
462
1.96M
          local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
463
1.96M
        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
464
1.96M
          local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
465
1.96M
        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
466
1.96M
          local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
467
1.96M
        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
468
1.96M
          local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
469
1.96M
        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
470
1.96M
          local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
471
1.96M
        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
472
1.96M
          local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
473
1.96M
    }
474
327k
#endif /* MBEDTLS_SHA256_SMALLER */
475
476
2.94M
    for (i = 0; i < 8; i++) {
477
2.61M
        ctx->state[i] += local.A[i];
478
2.61M
    }
479
480
    /* Zeroise buffers and variables to clear sensitive data from memory. */
481
327k
    mbedtls_platform_zeroize(&local, sizeof(local));
482
483
327k
    return 0;
484
327k
}
485
486
#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
487
488
489
#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
490
491
static size_t mbedtls_internal_sha256_process_many_c(
492
    mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
493
63.5k
{
494
63.5k
    size_t processed = 0;
495
496
355k
    while (len >= SHA256_BLOCK_SIZE) {
497
291k
        if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
498
0
            return 0;
499
0
        }
500
501
291k
        data += SHA256_BLOCK_SIZE;
502
291k
        len  -= SHA256_BLOCK_SIZE;
503
504
291k
        processed += SHA256_BLOCK_SIZE;
505
291k
    }
506
507
63.5k
    return processed;
508
63.5k
}
509
510
#endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
511
512
513
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
514
515
static int mbedtls_a64_crypto_sha256_has_support(void)
516
{
517
    static int done = 0;
518
    static int supported = 0;
519
520
    if (!done) {
521
        supported = mbedtls_a64_crypto_sha256_determine_support();
522
        done = 1;
523
    }
524
525
    return supported;
526
}
527
528
static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
529
                                                   const uint8_t *msg, size_t len)
530
{
531
    if (mbedtls_a64_crypto_sha256_has_support()) {
532
        return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
533
    } else {
534
        return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
535
    }
536
}
537
538
int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
539
                                    const unsigned char data[SHA256_BLOCK_SIZE])
540
{
541
    if (mbedtls_a64_crypto_sha256_has_support()) {
542
        return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
543
    } else {
544
        return mbedtls_internal_sha256_process_c(ctx, data);
545
    }
546
}
547
548
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
549
550
551
/*
552
 * SHA-256 process buffer
553
 */
554
int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
555
                          const unsigned char *input,
556
                          size_t ilen)
557
82.0k
{
558
82.0k
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
559
82.0k
    size_t fill;
560
82.0k
    uint32_t left;
561
562
82.0k
    if (ilen == 0) {
563
0
        return 0;
564
0
    }
565
566
82.0k
    left = ctx->total[0] & 0x3F;
567
82.0k
    fill = SHA256_BLOCK_SIZE - left;
568
569
82.0k
    ctx->total[0] += (uint32_t) ilen;
570
82.0k
    ctx->total[0] &= 0xFFFFFFFF;
571
572
82.0k
    if (ctx->total[0] < (uint32_t) ilen) {
573
0
        ctx->total[1]++;
574
0
    }
575
576
82.0k
    if (left && ilen >= fill) {
577
35.1k
        memcpy((void *) (ctx->buffer + left), input, fill);
578
579
35.1k
        if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
580
0
            return ret;
581
0
        }
582
583
35.1k
        input += fill;
584
35.1k
        ilen  -= fill;
585
35.1k
        left = 0;
586
35.1k
    }
587
588
145k
    while (ilen >= SHA256_BLOCK_SIZE) {
589
63.5k
        size_t processed =
590
63.5k
            mbedtls_internal_sha256_process_many(ctx, input, ilen);
591
63.5k
        if (processed < SHA256_BLOCK_SIZE) {
592
0
            return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
593
0
        }
594
595
63.5k
        input += processed;
596
63.5k
        ilen  -= processed;
597
63.5k
    }
598
599
82.0k
    if (ilen > 0) {
600
81.6k
        memcpy((void *) (ctx->buffer + left), input, ilen);
601
81.6k
    }
602
603
82.0k
    return 0;
604
82.0k
}
605
606
/*
607
 * SHA-256 final digest
608
 */
609
int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
610
                          unsigned char *output)
611
333
{
612
333
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
613
333
    uint32_t used;
614
333
    uint32_t high, low;
615
616
    /*
617
     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
618
     */
619
333
    used = ctx->total[0] & 0x3F;
620
621
333
    ctx->buffer[used++] = 0x80;
622
623
333
    if (used <= 56) {
624
        /* Enough room for padding + length in current block */
625
333
        memset(ctx->buffer + used, 0, 56 - used);
626
333
    } else {
627
        /* We'll need an extra block */
628
0
        memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
629
630
0
        if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
631
0
            return ret;
632
0
        }
633
634
0
        memset(ctx->buffer, 0, 56);
635
0
    }
636
637
    /*
638
     * Add message length
639
     */
640
333
    high = (ctx->total[0] >> 29)
641
333
           | (ctx->total[1] <<  3);
642
333
    low  = (ctx->total[0] <<  3);
643
644
333
    MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
645
333
    MBEDTLS_PUT_UINT32_BE(low,  ctx->buffer, 60);
646
647
333
    if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
648
0
        return ret;
649
0
    }
650
651
    /*
652
     * Output final state
653
     */
654
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[0], output,  0);
655
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[1], output,  4);
656
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[2], output,  8);
657
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
658
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
659
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
660
333
    MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
661
662
333
    int truncated = 0;
663
333
#if defined(MBEDTLS_SHA224_C)
664
333
    truncated = ctx->is224;
665
333
#endif
666
333
    if (!truncated) {
667
240
        MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
668
240
    }
669
670
333
    return 0;
671
333
}
672
673
#endif /* !MBEDTLS_SHA256_ALT */
674
675
/*
676
 * output = SHA-256( input buffer )
677
 */
678
int mbedtls_sha256(const unsigned char *input,
679
                   size_t ilen,
680
                   unsigned char *output,
681
                   int is224)
682
0
{
683
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
684
0
    mbedtls_sha256_context ctx;
685
686
0
#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
687
0
    if (is224 != 0 && is224 != 1) {
688
0
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
689
0
    }
690
#elif defined(MBEDTLS_SHA256_C)
691
    if (is224 != 0) {
692
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
693
    }
694
#else /* defined MBEDTLS_SHA224_C only */
695
    if (is224 == 0) {
696
        return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
697
    }
698
#endif
699
700
0
    mbedtls_sha256_init(&ctx);
701
702
0
    if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
703
0
        goto exit;
704
0
    }
705
706
0
    if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
707
0
        goto exit;
708
0
    }
709
710
0
    if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
711
0
        goto exit;
712
0
    }
713
714
0
exit:
715
0
    mbedtls_sha256_free(&ctx);
716
717
0
    return ret;
718
0
}
719
720
#if defined(MBEDTLS_SELF_TEST)
721
/*
722
 * FIPS-180-2 test vectors
723
 */
724
static const unsigned char sha_test_buf[3][57] =
725
{
726
    { "abc" },
727
    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
728
    { "" }
729
};
730
731
static const size_t sha_test_buflen[3] =
732
{
733
    3, 56, 1000
734
};
735
736
typedef const unsigned char (sha_test_sum_t)[32];
737
738
/*
739
 * SHA-224 test vectors
740
 */
741
#if defined(MBEDTLS_SHA224_C)
742
static sha_test_sum_t sha224_test_sum[] =
743
{
744
    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
745
      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
746
      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
747
      0xE3, 0x6C, 0x9D, 0xA7 },
748
    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
749
      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
750
      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
751
      0x52, 0x52, 0x25, 0x25 },
752
    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
753
      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
754
      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
755
      0x4E, 0xE7, 0xAD, 0x67 }
756
};
757
#endif
758
759
/*
760
 * SHA-256 test vectors
761
 */
762
#if defined(MBEDTLS_SHA256_C)
763
static sha_test_sum_t sha256_test_sum[] =
764
{
765
    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
766
      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
767
      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
768
      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
769
    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
770
      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
771
      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
772
      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
773
    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
774
      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
775
      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
776
      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
777
};
778
#endif
779
780
/*
781
 * Checkup routine
782
 */
783
static int mbedtls_sha256_common_self_test(int verbose, int is224)
784
0
{
785
0
    int i, buflen, ret = 0;
786
0
    unsigned char *buf;
787
0
    unsigned char sha256sum[32];
788
0
    mbedtls_sha256_context ctx;
789
790
0
#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
791
0
    sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
792
#elif defined(MBEDTLS_SHA256_C)
793
    sha_test_sum_t *sha_test_sum = sha256_test_sum;
794
#else
795
    sha_test_sum_t *sha_test_sum = sha224_test_sum;
796
#endif
797
798
0
    buf = mbedtls_calloc(1024, sizeof(unsigned char));
799
0
    if (NULL == buf) {
800
0
        if (verbose != 0) {
801
0
            mbedtls_printf("Buffer allocation failed\n");
802
0
        }
803
804
0
        return 1;
805
0
    }
806
807
0
    mbedtls_sha256_init(&ctx);
808
809
0
    for (i = 0; i < 3; i++) {
810
0
        if (verbose != 0) {
811
0
            mbedtls_printf("  SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
812
0
        }
813
814
0
        if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
815
0
            goto fail;
816
0
        }
817
818
0
        if (i == 2) {
819
0
            memset(buf, 'a', buflen = 1000);
820
821
0
            for (int j = 0; j < 1000; j++) {
822
0
                ret = mbedtls_sha256_update(&ctx, buf, buflen);
823
0
                if (ret != 0) {
824
0
                    goto fail;
825
0
                }
826
0
            }
827
828
0
        } else {
829
0
            ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
830
0
                                        sha_test_buflen[i]);
831
0
            if (ret != 0) {
832
0
                goto fail;
833
0
            }
834
0
        }
835
836
0
        if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
837
0
            goto fail;
838
0
        }
839
840
841
0
        if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
842
0
            ret = 1;
843
0
            goto fail;
844
0
        }
845
846
0
        if (verbose != 0) {
847
0
            mbedtls_printf("passed\n");
848
0
        }
849
0
    }
850
851
0
    if (verbose != 0) {
852
0
        mbedtls_printf("\n");
853
0
    }
854
855
0
    goto exit;
856
857
0
fail:
858
0
    if (verbose != 0) {
859
0
        mbedtls_printf("failed\n");
860
0
    }
861
862
0
exit:
863
0
    mbedtls_sha256_free(&ctx);
864
0
    mbedtls_free(buf);
865
866
0
    return ret;
867
0
}
868
869
#if defined(MBEDTLS_SHA256_C)
870
int mbedtls_sha256_self_test(int verbose)
871
0
{
872
0
    return mbedtls_sha256_common_self_test(verbose, 0);
873
0
}
874
#endif /* MBEDTLS_SHA256_C */
875
876
#if defined(MBEDTLS_SHA224_C)
877
int mbedtls_sha224_self_test(int verbose)
878
0
{
879
0
    return mbedtls_sha256_common_self_test(verbose, 1);
880
0
}
881
#endif /* MBEDTLS_SHA224_C */
882
883
#endif /* MBEDTLS_SELF_TEST */
884
885
#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */