/src/mbedtls/library/sha512.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * FIPS-180-2 compliant SHA-384/512 implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The SHA-512 Secure Hash Standard was published by NIST in 2002. |
9 | | * |
10 | | * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf |
11 | | */ |
12 | | |
13 | | #if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \ |
14 | | defined(__clang__) && __clang_major__ >= 7 |
15 | | /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. |
16 | | * |
17 | | * The intrinsic declaration are guarded by predefined ACLE macros in clang: |
18 | | * these are normally only enabled by the -march option on the command line. |
19 | | * By defining the macros ourselves we gain access to those declarations without |
20 | | * requiring -march on the command line. |
21 | | * |
22 | | * `arm_neon.h` is included by common.h, so we put these defines |
23 | | * at the top of this file, before any includes. |
24 | | */ |
25 | | #define __ARM_FEATURE_SHA512 1 |
26 | | #define MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG |
27 | | #endif |
28 | | |
29 | | #include "common.h" |
30 | | |
31 | | #if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C) |
32 | | |
33 | | #include "mbedtls/sha512.h" |
34 | | #include "mbedtls/platform_util.h" |
35 | | #include "mbedtls/error.h" |
36 | | |
37 | | #if defined(_MSC_VER) || defined(__WATCOMC__) |
38 | | #define UL64(x) x##ui64 |
39 | | #else |
40 | 204k | #define UL64(x) x##ULL |
41 | | #endif |
42 | | |
43 | | #include <string.h> |
44 | | |
45 | | #include "mbedtls/platform.h" |
46 | | |
47 | | #if defined(__aarch64__) |
48 | | # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ |
49 | | defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) |
50 | | /* *INDENT-OFF* */ |
51 | | # if !defined(MBEDTLS_HAVE_NEON_INTRINSICS) |
52 | | # error "Target does not support NEON instructions" |
53 | | # endif |
54 | | /* |
55 | | * Best performance comes from most recent compilers, with intrinsics and -O3. |
56 | | * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and |
57 | | * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12). |
58 | | * |
59 | | * GCC < 8 won't work at all (lacks the sha512 instructions) |
60 | | * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512 |
61 | | * |
62 | | * Clang < 7 won't work at all (lacks the sha512 instructions) |
63 | | * Clang 7-12 don't have intrinsics (but we work around that with inline |
64 | | * assembler) or __ARM_FEATURE_SHA512 |
65 | | * Clang == 13.0.0 same as clang 12 (only seen on macOS) |
66 | | * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics |
67 | | */ |
68 | | # if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG) |
69 | | /* Test Clang first, as it defines __GNUC__ */ |
70 | | # if defined(__ARMCOMPILER_VERSION) |
71 | | # if __ARMCOMPILER_VERSION < 6090000 |
72 | | # error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" |
73 | | # elif __ARMCOMPILER_VERSION == 6090000 |
74 | | # error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" |
75 | | # else |
76 | | # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) |
77 | | # define MBEDTLS_POP_TARGET_PRAGMA |
78 | | # endif |
79 | | # elif defined(__clang__) |
80 | | # if __clang_major__ < 7 |
81 | | # error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" |
82 | | # else |
83 | | # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) |
84 | | # define MBEDTLS_POP_TARGET_PRAGMA |
85 | | # endif |
86 | | # elif defined(__GNUC__) |
87 | | # if __GNUC__ < 8 |
88 | | # error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" |
89 | | # else |
90 | | # pragma GCC push_options |
91 | | # pragma GCC target ("arch=armv8.2-a+sha3") |
92 | | # define MBEDTLS_POP_TARGET_PRAGMA |
93 | | # endif |
94 | | # else |
95 | | # error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" |
96 | | # endif |
97 | | # endif |
98 | | /* *INDENT-ON* */ |
99 | | # endif |
100 | | # if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
101 | | # if defined(__unix__) |
102 | | # if defined(__linux__) |
103 | | /* Our preferred method of detection is getauxval() */ |
104 | | # include <sys/auxv.h> |
105 | | # if !defined(HWCAP_SHA512) |
106 | | /* The same header that declares getauxval() should provide the HWCAP_xxx |
107 | | * constants to analyze its return value. However, the libc may be too |
108 | | * old to have the constant that we need. So if it's missing, assume that |
109 | | * the value is the same one used by the Linux kernel ABI. |
110 | | */ |
111 | | # define HWCAP_SHA512 (1 << 21) |
112 | | # endif |
113 | | # endif |
114 | | /* Use SIGILL on Unix, and fall back to it on Linux */ |
115 | | # include <signal.h> |
116 | | # endif |
117 | | # endif |
118 | | #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) |
119 | | # undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY |
120 | | # undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT |
121 | | #endif |
122 | | |
123 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
124 | | /* |
125 | | * Capability detection code comes early, so we can disable |
126 | | * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found |
127 | | */ |
128 | | #if defined(HWCAP_SHA512) |
129 | | static int mbedtls_a64_crypto_sha512_determine_support(void) |
130 | | { |
131 | | return (getauxval(AT_HWCAP) & HWCAP_SHA512) ? 1 : 0; |
132 | | } |
133 | | #elif defined(__APPLE__) |
134 | | #include <sys/types.h> |
135 | | #include <sys/sysctl.h> |
136 | | |
137 | | static int mbedtls_a64_crypto_sha512_determine_support(void) |
138 | | { |
139 | | int value = 0; |
140 | | size_t value_len = sizeof(value); |
141 | | |
142 | | int ret = sysctlbyname("hw.optional.armv8_2_sha512", &value, &value_len, |
143 | | NULL, 0); |
144 | | return ret == 0 && value != 0; |
145 | | } |
146 | | #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) |
147 | | /* |
148 | | * As of March 2022, there don't appear to be any PF_ARM_V8_* flags |
149 | | * available to pass to IsProcessorFeaturePresent() to check for |
150 | | * SHA-512 support. So we fall back to the C code only. |
151 | | */ |
152 | | #if defined(_MSC_VER) |
153 | | #pragma message "No mechanism to detect A64_CRYPTO found, using C code only" |
154 | | #else |
155 | | #warning "No mechanism to detect A64_CRYPTO found, using C code only" |
156 | | #endif |
157 | | #elif defined(__unix__) && defined(SIG_SETMASK) |
158 | | /* Detection with SIGILL, setjmp() and longjmp() */ |
159 | | #include <signal.h> |
160 | | #include <setjmp.h> |
161 | | |
162 | | static jmp_buf return_from_sigill; |
163 | | |
164 | | /* |
165 | | * A64 SHA512 support detection via SIGILL |
166 | | */ |
167 | | static void sigill_handler(int signal) |
168 | | { |
169 | | (void) signal; |
170 | | longjmp(return_from_sigill, 1); |
171 | | } |
172 | | |
173 | | static int mbedtls_a64_crypto_sha512_determine_support(void) |
174 | | { |
175 | | struct sigaction old_action, new_action; |
176 | | |
177 | | sigset_t old_mask; |
178 | | if (sigprocmask(0, NULL, &old_mask)) { |
179 | | return 0; |
180 | | } |
181 | | |
182 | | sigemptyset(&new_action.sa_mask); |
183 | | new_action.sa_flags = 0; |
184 | | new_action.sa_handler = sigill_handler; |
185 | | |
186 | | sigaction(SIGILL, &new_action, &old_action); |
187 | | |
188 | | static int ret = 0; |
189 | | |
190 | | if (setjmp(return_from_sigill) == 0) { /* First return only */ |
191 | | /* If this traps, we will return a second time from setjmp() with 1 */ |
192 | | asm ("sha512h q0, q0, v0.2d" : : : "v0"); |
193 | | ret = 1; |
194 | | } |
195 | | |
196 | | sigaction(SIGILL, &old_action, NULL); |
197 | | sigprocmask(SIG_SETMASK, &old_mask, NULL); |
198 | | |
199 | | return ret; |
200 | | } |
201 | | #else |
202 | | #warning "No mechanism to detect A64_CRYPTO found, using C code only" |
203 | | #undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT |
204 | | #endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */ |
205 | | |
206 | | #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ |
207 | | |
208 | | #if !defined(MBEDTLS_SHA512_ALT) |
209 | | |
210 | 2.74M | #define SHA512_BLOCK_SIZE 128 |
211 | | |
212 | | #if defined(MBEDTLS_SHA512_SMALLER) |
213 | | static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i) |
214 | | { |
215 | | MBEDTLS_PUT_UINT64_BE(n, b, i); |
216 | | } |
217 | | #else |
218 | 232k | #define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE |
219 | | #endif /* MBEDTLS_SHA512_SMALLER */ |
220 | | |
221 | | void mbedtls_sha512_init(mbedtls_sha512_context *ctx) |
222 | 1.24k | { |
223 | 1.24k | memset(ctx, 0, sizeof(mbedtls_sha512_context)); |
224 | 1.24k | } |
225 | | |
226 | | void mbedtls_sha512_free(mbedtls_sha512_context *ctx) |
227 | 26.5k | { |
228 | 26.5k | if (ctx == NULL) { |
229 | 0 | return; |
230 | 0 | } |
231 | | |
232 | 26.5k | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context)); |
233 | 26.5k | } |
234 | | |
235 | | void mbedtls_sha512_clone(mbedtls_sha512_context *dst, |
236 | | const mbedtls_sha512_context *src) |
237 | 0 | { |
238 | 0 | *dst = *src; |
239 | 0 | } |
240 | | |
241 | | /* |
242 | | * SHA-512 context setup |
243 | | */ |
244 | | int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384) |
245 | 25.6k | { |
246 | 25.6k | #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) |
247 | 25.6k | if (is384 != 0 && is384 != 1) { |
248 | 0 | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
249 | 0 | } |
250 | | #elif defined(MBEDTLS_SHA512_C) |
251 | | if (is384 != 0) { |
252 | | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
253 | | } |
254 | | #else /* defined MBEDTLS_SHA384_C only */ |
255 | | if (is384 == 0) { |
256 | | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
257 | | } |
258 | | #endif |
259 | | |
260 | 25.6k | ctx->total[0] = 0; |
261 | 25.6k | ctx->total[1] = 0; |
262 | | |
263 | 25.6k | if (is384 == 0) { |
264 | 14.9k | #if defined(MBEDTLS_SHA512_C) |
265 | 14.9k | ctx->state[0] = UL64(0x6A09E667F3BCC908); |
266 | 14.9k | ctx->state[1] = UL64(0xBB67AE8584CAA73B); |
267 | 14.9k | ctx->state[2] = UL64(0x3C6EF372FE94F82B); |
268 | 14.9k | ctx->state[3] = UL64(0xA54FF53A5F1D36F1); |
269 | 14.9k | ctx->state[4] = UL64(0x510E527FADE682D1); |
270 | 14.9k | ctx->state[5] = UL64(0x9B05688C2B3E6C1F); |
271 | 14.9k | ctx->state[6] = UL64(0x1F83D9ABFB41BD6B); |
272 | 14.9k | ctx->state[7] = UL64(0x5BE0CD19137E2179); |
273 | 14.9k | #endif /* MBEDTLS_SHA512_C */ |
274 | 14.9k | } else { |
275 | 10.6k | #if defined(MBEDTLS_SHA384_C) |
276 | 10.6k | ctx->state[0] = UL64(0xCBBB9D5DC1059ED8); |
277 | 10.6k | ctx->state[1] = UL64(0x629A292A367CD507); |
278 | 10.6k | ctx->state[2] = UL64(0x9159015A3070DD17); |
279 | 10.6k | ctx->state[3] = UL64(0x152FECD8F70E5939); |
280 | 10.6k | ctx->state[4] = UL64(0x67332667FFC00B31); |
281 | 10.6k | ctx->state[5] = UL64(0x8EB44A8768581511); |
282 | 10.6k | ctx->state[6] = UL64(0xDB0C2E0D64F98FA7); |
283 | 10.6k | ctx->state[7] = UL64(0x47B5481DBEFA4FA4); |
284 | 10.6k | #endif /* MBEDTLS_SHA384_C */ |
285 | 10.6k | } |
286 | | |
287 | 25.6k | #if defined(MBEDTLS_SHA384_C) |
288 | 25.6k | ctx->is384 = is384; |
289 | 25.6k | #endif |
290 | | |
291 | 25.6k | return 0; |
292 | 25.6k | } |
293 | | |
294 | | #if !defined(MBEDTLS_SHA512_PROCESS_ALT) |
295 | | |
296 | | /* |
297 | | * Round constants |
298 | | */ |
299 | | static const uint64_t K[80] = |
300 | | { |
301 | | UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD), |
302 | | UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC), |
303 | | UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019), |
304 | | UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118), |
305 | | UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE), |
306 | | UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2), |
307 | | UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1), |
308 | | UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694), |
309 | | UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3), |
310 | | UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65), |
311 | | UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483), |
312 | | UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5), |
313 | | UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210), |
314 | | UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4), |
315 | | UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725), |
316 | | UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70), |
317 | | UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926), |
318 | | UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF), |
319 | | UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8), |
320 | | UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B), |
321 | | UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001), |
322 | | UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30), |
323 | | UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910), |
324 | | UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8), |
325 | | UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53), |
326 | | UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8), |
327 | | UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB), |
328 | | UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3), |
329 | | UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60), |
330 | | UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC), |
331 | | UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9), |
332 | | UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B), |
333 | | UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207), |
334 | | UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178), |
335 | | UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6), |
336 | | UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B), |
337 | | UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493), |
338 | | UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C), |
339 | | UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A), |
340 | | UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817) |
341 | | }; |
342 | | #endif |
343 | | |
344 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ |
345 | | defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) |
346 | | |
347 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) |
348 | | # define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many |
349 | | # define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process |
350 | | #endif |
351 | | |
352 | | /* Accelerated SHA-512 implementation originally written by Simon Tatham for PuTTY, |
353 | | * under the MIT licence; dual-licensed as Apache 2 with his kind permission. |
354 | | */ |
355 | | |
356 | | #if defined(__clang__) && \ |
357 | | (__clang_major__ < 13 || \ |
358 | | (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0)) |
359 | | static inline uint64x2_t vsha512su0q_u64(uint64x2_t x, uint64x2_t y) |
360 | | { |
361 | | asm ("sha512su0 %0.2D,%1.2D" : "+w" (x) : "w" (y)); |
362 | | return x; |
363 | | } |
364 | | static inline uint64x2_t vsha512su1q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) |
365 | | { |
366 | | asm ("sha512su1 %0.2D,%1.2D,%2.2D" : "+w" (x) : "w" (y), "w" (z)); |
367 | | return x; |
368 | | } |
369 | | static inline uint64x2_t vsha512hq_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) |
370 | | { |
371 | | asm ("sha512h %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z)); |
372 | | return x; |
373 | | } |
374 | | static inline uint64x2_t vsha512h2q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z) |
375 | | { |
376 | | asm ("sha512h2 %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z)); |
377 | | return x; |
378 | | } |
379 | | #endif /* __clang__ etc */ |
380 | | |
381 | | static size_t mbedtls_internal_sha512_process_many_a64_crypto( |
382 | | mbedtls_sha512_context *ctx, const uint8_t *msg, size_t len) |
383 | | { |
384 | | uint64x2_t ab = vld1q_u64(&ctx->state[0]); |
385 | | uint64x2_t cd = vld1q_u64(&ctx->state[2]); |
386 | | uint64x2_t ef = vld1q_u64(&ctx->state[4]); |
387 | | uint64x2_t gh = vld1q_u64(&ctx->state[6]); |
388 | | |
389 | | size_t processed = 0; |
390 | | |
391 | | for (; |
392 | | len >= SHA512_BLOCK_SIZE; |
393 | | processed += SHA512_BLOCK_SIZE, |
394 | | msg += SHA512_BLOCK_SIZE, |
395 | | len -= SHA512_BLOCK_SIZE) { |
396 | | uint64x2_t initial_sum, sum, intermed; |
397 | | |
398 | | uint64x2_t ab_orig = ab; |
399 | | uint64x2_t cd_orig = cd; |
400 | | uint64x2_t ef_orig = ef; |
401 | | uint64x2_t gh_orig = gh; |
402 | | |
403 | | uint64x2_t s0 = (uint64x2_t) vld1q_u8(msg + 16 * 0); |
404 | | uint64x2_t s1 = (uint64x2_t) vld1q_u8(msg + 16 * 1); |
405 | | uint64x2_t s2 = (uint64x2_t) vld1q_u8(msg + 16 * 2); |
406 | | uint64x2_t s3 = (uint64x2_t) vld1q_u8(msg + 16 * 3); |
407 | | uint64x2_t s4 = (uint64x2_t) vld1q_u8(msg + 16 * 4); |
408 | | uint64x2_t s5 = (uint64x2_t) vld1q_u8(msg + 16 * 5); |
409 | | uint64x2_t s6 = (uint64x2_t) vld1q_u8(msg + 16 * 6); |
410 | | uint64x2_t s7 = (uint64x2_t) vld1q_u8(msg + 16 * 7); |
411 | | |
412 | | #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* assume LE if these not defined; untested on BE */ |
413 | | s0 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s0))); |
414 | | s1 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s1))); |
415 | | s2 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s2))); |
416 | | s3 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s3))); |
417 | | s4 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s4))); |
418 | | s5 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s5))); |
419 | | s6 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s6))); |
420 | | s7 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s7))); |
421 | | #endif |
422 | | |
423 | | /* Rounds 0 and 1 */ |
424 | | initial_sum = vaddq_u64(s0, vld1q_u64(&K[0])); |
425 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); |
426 | | intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); |
427 | | gh = vsha512h2q_u64(intermed, cd, ab); |
428 | | cd = vaddq_u64(cd, intermed); |
429 | | |
430 | | /* Rounds 2 and 3 */ |
431 | | initial_sum = vaddq_u64(s1, vld1q_u64(&K[2])); |
432 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); |
433 | | intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); |
434 | | ef = vsha512h2q_u64(intermed, ab, gh); |
435 | | ab = vaddq_u64(ab, intermed); |
436 | | |
437 | | /* Rounds 4 and 5 */ |
438 | | initial_sum = vaddq_u64(s2, vld1q_u64(&K[4])); |
439 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); |
440 | | intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); |
441 | | cd = vsha512h2q_u64(intermed, gh, ef); |
442 | | gh = vaddq_u64(gh, intermed); |
443 | | |
444 | | /* Rounds 6 and 7 */ |
445 | | initial_sum = vaddq_u64(s3, vld1q_u64(&K[6])); |
446 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); |
447 | | intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); |
448 | | ab = vsha512h2q_u64(intermed, ef, cd); |
449 | | ef = vaddq_u64(ef, intermed); |
450 | | |
451 | | /* Rounds 8 and 9 */ |
452 | | initial_sum = vaddq_u64(s4, vld1q_u64(&K[8])); |
453 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); |
454 | | intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); |
455 | | gh = vsha512h2q_u64(intermed, cd, ab); |
456 | | cd = vaddq_u64(cd, intermed); |
457 | | |
458 | | /* Rounds 10 and 11 */ |
459 | | initial_sum = vaddq_u64(s5, vld1q_u64(&K[10])); |
460 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); |
461 | | intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); |
462 | | ef = vsha512h2q_u64(intermed, ab, gh); |
463 | | ab = vaddq_u64(ab, intermed); |
464 | | |
465 | | /* Rounds 12 and 13 */ |
466 | | initial_sum = vaddq_u64(s6, vld1q_u64(&K[12])); |
467 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); |
468 | | intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); |
469 | | cd = vsha512h2q_u64(intermed, gh, ef); |
470 | | gh = vaddq_u64(gh, intermed); |
471 | | |
472 | | /* Rounds 14 and 15 */ |
473 | | initial_sum = vaddq_u64(s7, vld1q_u64(&K[14])); |
474 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); |
475 | | intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); |
476 | | ab = vsha512h2q_u64(intermed, ef, cd); |
477 | | ef = vaddq_u64(ef, intermed); |
478 | | |
479 | | for (unsigned int t = 16; t < 80; t += 16) { |
480 | | /* Rounds t and t + 1 */ |
481 | | s0 = vsha512su1q_u64(vsha512su0q_u64(s0, s1), s7, vextq_u64(s4, s5, 1)); |
482 | | initial_sum = vaddq_u64(s0, vld1q_u64(&K[t])); |
483 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); |
484 | | intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); |
485 | | gh = vsha512h2q_u64(intermed, cd, ab); |
486 | | cd = vaddq_u64(cd, intermed); |
487 | | |
488 | | /* Rounds t + 2 and t + 3 */ |
489 | | s1 = vsha512su1q_u64(vsha512su0q_u64(s1, s2), s0, vextq_u64(s5, s6, 1)); |
490 | | initial_sum = vaddq_u64(s1, vld1q_u64(&K[t + 2])); |
491 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); |
492 | | intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); |
493 | | ef = vsha512h2q_u64(intermed, ab, gh); |
494 | | ab = vaddq_u64(ab, intermed); |
495 | | |
496 | | /* Rounds t + 4 and t + 5 */ |
497 | | s2 = vsha512su1q_u64(vsha512su0q_u64(s2, s3), s1, vextq_u64(s6, s7, 1)); |
498 | | initial_sum = vaddq_u64(s2, vld1q_u64(&K[t + 4])); |
499 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); |
500 | | intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); |
501 | | cd = vsha512h2q_u64(intermed, gh, ef); |
502 | | gh = vaddq_u64(gh, intermed); |
503 | | |
504 | | /* Rounds t + 6 and t + 7 */ |
505 | | s3 = vsha512su1q_u64(vsha512su0q_u64(s3, s4), s2, vextq_u64(s7, s0, 1)); |
506 | | initial_sum = vaddq_u64(s3, vld1q_u64(&K[t + 6])); |
507 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); |
508 | | intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); |
509 | | ab = vsha512h2q_u64(intermed, ef, cd); |
510 | | ef = vaddq_u64(ef, intermed); |
511 | | |
512 | | /* Rounds t + 8 and t + 9 */ |
513 | | s4 = vsha512su1q_u64(vsha512su0q_u64(s4, s5), s3, vextq_u64(s0, s1, 1)); |
514 | | initial_sum = vaddq_u64(s4, vld1q_u64(&K[t + 8])); |
515 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh); |
516 | | intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1)); |
517 | | gh = vsha512h2q_u64(intermed, cd, ab); |
518 | | cd = vaddq_u64(cd, intermed); |
519 | | |
520 | | /* Rounds t + 10 and t + 11 */ |
521 | | s5 = vsha512su1q_u64(vsha512su0q_u64(s5, s6), s4, vextq_u64(s1, s2, 1)); |
522 | | initial_sum = vaddq_u64(s5, vld1q_u64(&K[t + 10])); |
523 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef); |
524 | | intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1)); |
525 | | ef = vsha512h2q_u64(intermed, ab, gh); |
526 | | ab = vaddq_u64(ab, intermed); |
527 | | |
528 | | /* Rounds t + 12 and t + 13 */ |
529 | | s6 = vsha512su1q_u64(vsha512su0q_u64(s6, s7), s5, vextq_u64(s2, s3, 1)); |
530 | | initial_sum = vaddq_u64(s6, vld1q_u64(&K[t + 12])); |
531 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd); |
532 | | intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1)); |
533 | | cd = vsha512h2q_u64(intermed, gh, ef); |
534 | | gh = vaddq_u64(gh, intermed); |
535 | | |
536 | | /* Rounds t + 14 and t + 15 */ |
537 | | s7 = vsha512su1q_u64(vsha512su0q_u64(s7, s0), s6, vextq_u64(s3, s4, 1)); |
538 | | initial_sum = vaddq_u64(s7, vld1q_u64(&K[t + 14])); |
539 | | sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab); |
540 | | intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1)); |
541 | | ab = vsha512h2q_u64(intermed, ef, cd); |
542 | | ef = vaddq_u64(ef, intermed); |
543 | | } |
544 | | |
545 | | ab = vaddq_u64(ab, ab_orig); |
546 | | cd = vaddq_u64(cd, cd_orig); |
547 | | ef = vaddq_u64(ef, ef_orig); |
548 | | gh = vaddq_u64(gh, gh_orig); |
549 | | } |
550 | | |
551 | | vst1q_u64(&ctx->state[0], ab); |
552 | | vst1q_u64(&ctx->state[2], cd); |
553 | | vst1q_u64(&ctx->state[4], ef); |
554 | | vst1q_u64(&ctx->state[6], gh); |
555 | | |
556 | | return processed; |
557 | | } |
558 | | |
559 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
560 | | /* |
561 | | * This function is for internal use only if we are building both C and A64 |
562 | | * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() |
563 | | */ |
564 | | static |
565 | | #endif |
566 | | int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, |
567 | | const unsigned char data[SHA512_BLOCK_SIZE]) |
568 | | { |
569 | | return (mbedtls_internal_sha512_process_many_a64_crypto(ctx, data, |
570 | | SHA512_BLOCK_SIZE) == |
571 | | SHA512_BLOCK_SIZE) ? 0 : -1; |
572 | | } |
573 | | |
574 | | #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ |
575 | | |
576 | | #if defined(MBEDTLS_POP_TARGET_PRAGMA) |
577 | | #if defined(__clang__) |
578 | | #pragma clang attribute pop |
579 | | #elif defined(__GNUC__) |
580 | | #pragma GCC pop_options |
581 | | #endif |
582 | | #undef MBEDTLS_POP_TARGET_PRAGMA |
583 | | #endif |
584 | | |
585 | | |
586 | | #if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
587 | | #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many |
588 | 625k | #define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process |
589 | | #endif |
590 | | |
591 | | |
592 | | #if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) |
593 | | |
594 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
595 | | /* |
596 | | * This function is for internal use only if we are building both C and A64 |
597 | | * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() |
598 | | */ |
599 | | static |
600 | | #endif |
601 | | int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx, |
602 | | const unsigned char data[SHA512_BLOCK_SIZE]) |
603 | 661k | { |
604 | 661k | int i; |
605 | 661k | struct { |
606 | 661k | uint64_t temp1, temp2, W[80]; |
607 | 661k | uint64_t A[8]; |
608 | 661k | } local; |
609 | | |
610 | 571M | #define SHR(x, n) ((x) >> (n)) |
611 | 487M | #define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n)))) |
612 | | |
613 | 42.3M | #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) |
614 | 42.3M | #define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) |
615 | | |
616 | 52.9M | #define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) |
617 | 52.9M | #define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) |
618 | | |
619 | 52.9M | #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y)))) |
620 | 52.9M | #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) |
621 | | |
622 | 661k | #define P(a, b, c, d, e, f, g, h, x, K) \ |
623 | 52.9M | do \ |
624 | 52.9M | { \ |
625 | 52.9M | local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \ |
626 | 52.9M | local.temp2 = S2(a) + F0((a), (b), (c)); \ |
627 | 52.9M | (d) += local.temp1; (h) = local.temp1 + local.temp2; \ |
628 | 52.9M | } while (0) |
629 | | |
630 | 5.95M | for (i = 0; i < 8; i++) { |
631 | 5.29M | local.A[i] = ctx->state[i]; |
632 | 5.29M | } |
633 | | |
634 | | #if defined(MBEDTLS_SHA512_SMALLER) |
635 | | for (i = 0; i < 80; i++) { |
636 | | if (i < 16) { |
637 | | local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3); |
638 | | } else { |
639 | | local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + |
640 | | S0(local.W[i - 15]) + local.W[i - 16]; |
641 | | } |
642 | | |
643 | | P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], |
644 | | local.A[5], local.A[6], local.A[7], local.W[i], K[i]); |
645 | | |
646 | | local.temp1 = local.A[7]; local.A[7] = local.A[6]; |
647 | | local.A[6] = local.A[5]; local.A[5] = local.A[4]; |
648 | | local.A[4] = local.A[3]; local.A[3] = local.A[2]; |
649 | | local.A[2] = local.A[1]; local.A[1] = local.A[0]; |
650 | | local.A[0] = local.temp1; |
651 | | } |
652 | | #else /* MBEDTLS_SHA512_SMALLER */ |
653 | 11.2M | for (i = 0; i < 16; i++) { |
654 | 10.5M | local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3); |
655 | 10.5M | } |
656 | | |
657 | 43.0M | for (; i < 80; i++) { |
658 | 42.3M | local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] + |
659 | 42.3M | S0(local.W[i - 15]) + local.W[i - 16]; |
660 | 42.3M | } |
661 | | |
662 | 661k | i = 0; |
663 | 6.61M | do { |
664 | 6.61M | P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4], |
665 | 6.61M | local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++; |
666 | 6.61M | P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3], |
667 | 6.61M | local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++; |
668 | 6.61M | P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2], |
669 | 6.61M | local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++; |
670 | 6.61M | P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1], |
671 | 6.61M | local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++; |
672 | 6.61M | P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0], |
673 | 6.61M | local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++; |
674 | 6.61M | P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7], |
675 | 6.61M | local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++; |
676 | 6.61M | P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6], |
677 | 6.61M | local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++; |
678 | 6.61M | P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5], |
679 | 6.61M | local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++; |
680 | 6.61M | } while (i < 80); |
681 | 661k | #endif /* MBEDTLS_SHA512_SMALLER */ |
682 | | |
683 | 5.95M | for (i = 0; i < 8; i++) { |
684 | 5.29M | ctx->state[i] += local.A[i]; |
685 | 5.29M | } |
686 | | |
687 | | /* Zeroise buffers and variables to clear sensitive data from memory. */ |
688 | 661k | mbedtls_platform_zeroize(&local, sizeof(local)); |
689 | | |
690 | 661k | return 0; |
691 | 661k | } |
692 | | |
693 | | #endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ |
694 | | |
695 | | |
696 | | #if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) |
697 | | |
698 | | static size_t mbedtls_internal_sha512_process_many_c( |
699 | | mbedtls_sha512_context *ctx, const uint8_t *data, size_t len) |
700 | 32.9k | { |
701 | 32.9k | size_t processed = 0; |
702 | | |
703 | 658k | while (len >= SHA512_BLOCK_SIZE) { |
704 | 625k | if (mbedtls_internal_sha512_process_c(ctx, data) != 0) { |
705 | 0 | return 0; |
706 | 0 | } |
707 | | |
708 | 625k | data += SHA512_BLOCK_SIZE; |
709 | 625k | len -= SHA512_BLOCK_SIZE; |
710 | | |
711 | 625k | processed += SHA512_BLOCK_SIZE; |
712 | 625k | } |
713 | | |
714 | 32.9k | return processed; |
715 | 32.9k | } |
716 | | |
717 | | #endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ |
718 | | |
719 | | |
720 | | #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) |
721 | | |
722 | | static int mbedtls_a64_crypto_sha512_has_support(void) |
723 | | { |
724 | | static int done = 0; |
725 | | static int supported = 0; |
726 | | |
727 | | if (!done) { |
728 | | supported = mbedtls_a64_crypto_sha512_determine_support(); |
729 | | done = 1; |
730 | | } |
731 | | |
732 | | return supported; |
733 | | } |
734 | | |
735 | | static size_t mbedtls_internal_sha512_process_many(mbedtls_sha512_context *ctx, |
736 | | const uint8_t *msg, size_t len) |
737 | | { |
738 | | if (mbedtls_a64_crypto_sha512_has_support()) { |
739 | | return mbedtls_internal_sha512_process_many_a64_crypto(ctx, msg, len); |
740 | | } else { |
741 | | return mbedtls_internal_sha512_process_many_c(ctx, msg, len); |
742 | | } |
743 | | } |
744 | | |
745 | | int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx, |
746 | | const unsigned char data[SHA512_BLOCK_SIZE]) |
747 | | { |
748 | | if (mbedtls_a64_crypto_sha512_has_support()) { |
749 | | return mbedtls_internal_sha512_process_a64_crypto(ctx, data); |
750 | | } else { |
751 | | return mbedtls_internal_sha512_process_c(ctx, data); |
752 | | } |
753 | | } |
754 | | |
755 | | #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ |
756 | | |
757 | | /* |
758 | | * SHA-512 process buffer |
759 | | */ |
760 | | int mbedtls_sha512_update(mbedtls_sha512_context *ctx, |
761 | | const unsigned char *input, |
762 | | size_t ilen) |
763 | 134k | { |
764 | 134k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
765 | 134k | size_t fill; |
766 | 134k | unsigned int left; |
767 | | |
768 | 134k | if (ilen == 0) { |
769 | 62.3k | return 0; |
770 | 62.3k | } |
771 | | |
772 | 72.2k | left = (unsigned int) (ctx->total[0] & 0x7F); |
773 | 72.2k | fill = SHA512_BLOCK_SIZE - left; |
774 | | |
775 | 72.2k | ctx->total[0] += (uint64_t) ilen; |
776 | | |
777 | 72.2k | if (ctx->total[0] < (uint64_t) ilen) { |
778 | 0 | ctx->total[1]++; |
779 | 0 | } |
780 | | |
781 | 72.2k | if (left && ilen >= fill) { |
782 | 8.21k | memcpy((void *) (ctx->buffer + left), input, fill); |
783 | | |
784 | 8.21k | if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { |
785 | 0 | return ret; |
786 | 0 | } |
787 | | |
788 | 8.21k | input += fill; |
789 | 8.21k | ilen -= fill; |
790 | 8.21k | left = 0; |
791 | 8.21k | } |
792 | | |
793 | 105k | while (ilen >= SHA512_BLOCK_SIZE) { |
794 | 32.9k | size_t processed = |
795 | 32.9k | mbedtls_internal_sha512_process_many(ctx, input, ilen); |
796 | 32.9k | if (processed < SHA512_BLOCK_SIZE) { |
797 | 0 | return MBEDTLS_ERR_ERROR_GENERIC_ERROR; |
798 | 0 | } |
799 | | |
800 | 32.9k | input += processed; |
801 | 32.9k | ilen -= processed; |
802 | 32.9k | } |
803 | | |
804 | 72.2k | if (ilen > 0) { |
805 | 47.3k | memcpy((void *) (ctx->buffer + left), input, ilen); |
806 | 47.3k | } |
807 | | |
808 | 72.2k | return 0; |
809 | 72.2k | } |
810 | | |
811 | | /* |
812 | | * SHA-512 final digest |
813 | | */ |
814 | | int mbedtls_sha512_finish(mbedtls_sha512_context *ctx, |
815 | | unsigned char *output) |
816 | 25.3k | { |
817 | 25.3k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
818 | 25.3k | unsigned used; |
819 | 25.3k | uint64_t high, low; |
820 | 25.3k | int truncated = 0; |
821 | | |
822 | | /* |
823 | | * Add padding: 0x80 then 0x00 until 16 bytes remain for the length |
824 | | */ |
825 | 25.3k | used = ctx->total[0] & 0x7F; |
826 | | |
827 | 25.3k | ctx->buffer[used++] = 0x80; |
828 | | |
829 | 25.3k | if (used <= 112) { |
830 | | /* Enough room for padding + length in current block */ |
831 | 22.8k | memset(ctx->buffer + used, 0, 112 - used); |
832 | 22.8k | } else { |
833 | | /* We'll need an extra block */ |
834 | 2.45k | memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used); |
835 | | |
836 | 2.45k | if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { |
837 | 0 | goto exit; |
838 | 0 | } |
839 | | |
840 | 2.45k | memset(ctx->buffer, 0, 112); |
841 | 2.45k | } |
842 | | |
843 | | /* |
844 | | * Add message length |
845 | | */ |
846 | 25.3k | high = (ctx->total[0] >> 61) |
847 | 25.3k | | (ctx->total[1] << 3); |
848 | 25.3k | low = (ctx->total[0] << 3); |
849 | | |
850 | 25.3k | sha512_put_uint64_be(high, ctx->buffer, 112); |
851 | 25.3k | sha512_put_uint64_be(low, ctx->buffer, 120); |
852 | | |
853 | 25.3k | if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) { |
854 | 0 | goto exit; |
855 | 0 | } |
856 | | |
857 | | /* |
858 | | * Output final state |
859 | | */ |
860 | 25.3k | sha512_put_uint64_be(ctx->state[0], output, 0); |
861 | 25.3k | sha512_put_uint64_be(ctx->state[1], output, 8); |
862 | 25.3k | sha512_put_uint64_be(ctx->state[2], output, 16); |
863 | 25.3k | sha512_put_uint64_be(ctx->state[3], output, 24); |
864 | 25.3k | sha512_put_uint64_be(ctx->state[4], output, 32); |
865 | 25.3k | sha512_put_uint64_be(ctx->state[5], output, 40); |
866 | | |
867 | 25.3k | #if defined(MBEDTLS_SHA384_C) |
868 | 25.3k | truncated = ctx->is384; |
869 | 25.3k | #endif |
870 | 25.3k | if (!truncated) { |
871 | 14.7k | sha512_put_uint64_be(ctx->state[6], output, 48); |
872 | 14.7k | sha512_put_uint64_be(ctx->state[7], output, 56); |
873 | 14.7k | } |
874 | | |
875 | 25.3k | ret = 0; |
876 | | |
877 | 25.3k | exit: |
878 | 25.3k | mbedtls_sha512_free(ctx); |
879 | 25.3k | return ret; |
880 | 25.3k | } |
881 | | |
882 | | #endif /* !MBEDTLS_SHA512_ALT */ |
883 | | |
884 | | /* |
885 | | * output = SHA-512( input buffer ) |
886 | | */ |
887 | | int mbedtls_sha512(const unsigned char *input, |
888 | | size_t ilen, |
889 | | unsigned char *output, |
890 | | int is384) |
891 | 20 | { |
892 | 20 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
893 | 20 | mbedtls_sha512_context ctx; |
894 | | |
895 | 20 | #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) |
896 | 20 | if (is384 != 0 && is384 != 1) { |
897 | 0 | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
898 | 0 | } |
899 | | #elif defined(MBEDTLS_SHA512_C) |
900 | | if (is384 != 0) { |
901 | | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
902 | | } |
903 | | #else /* defined MBEDTLS_SHA384_C only */ |
904 | | if (is384 == 0) { |
905 | | return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA; |
906 | | } |
907 | | #endif |
908 | | |
909 | 20 | mbedtls_sha512_init(&ctx); |
910 | | |
911 | 20 | if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) { |
912 | 0 | goto exit; |
913 | 0 | } |
914 | | |
915 | 20 | if ((ret = mbedtls_sha512_update(&ctx, input, ilen)) != 0) { |
916 | 0 | goto exit; |
917 | 0 | } |
918 | | |
919 | 20 | if ((ret = mbedtls_sha512_finish(&ctx, output)) != 0) { |
920 | 0 | goto exit; |
921 | 0 | } |
922 | | |
923 | 20 | exit: |
924 | 20 | mbedtls_sha512_free(&ctx); |
925 | | |
926 | 20 | return ret; |
927 | 20 | } |
928 | | |
929 | | #if defined(MBEDTLS_SELF_TEST) |
930 | | |
931 | | /* |
932 | | * FIPS-180-2 test vectors |
933 | | */ |
934 | | static const unsigned char sha_test_buf[3][113] = |
935 | | { |
936 | | { "abc" }, |
937 | | { |
938 | | "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" |
939 | | }, |
940 | | { "" } |
941 | | }; |
942 | | |
943 | | static const size_t sha_test_buflen[3] = |
944 | | { |
945 | | 3, 112, 1000 |
946 | | }; |
947 | | |
948 | | typedef const unsigned char (sha_test_sum_t)[64]; |
949 | | |
950 | | /* |
951 | | * SHA-384 test vectors |
952 | | */ |
953 | | #if defined(MBEDTLS_SHA384_C) |
954 | | static sha_test_sum_t sha384_test_sum[] = |
955 | | { |
956 | | { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B, |
957 | | 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07, |
958 | | 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63, |
959 | | 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED, |
960 | | 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23, |
961 | | 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 }, |
962 | | { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8, |
963 | | 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47, |
964 | | 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2, |
965 | | 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12, |
966 | | 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9, |
967 | | 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 }, |
968 | | { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB, |
969 | | 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C, |
970 | | 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52, |
971 | | 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B, |
972 | | 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB, |
973 | | 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 } |
974 | | }; |
975 | | #endif /* MBEDTLS_SHA384_C */ |
976 | | |
977 | | /* |
978 | | * SHA-512 test vectors |
979 | | */ |
980 | | #if defined(MBEDTLS_SHA512_C) |
981 | | static sha_test_sum_t sha512_test_sum[] = |
982 | | { |
983 | | { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA, |
984 | | 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31, |
985 | | 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2, |
986 | | 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A, |
987 | | 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8, |
988 | | 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD, |
989 | | 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E, |
990 | | 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F }, |
991 | | { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA, |
992 | | 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F, |
993 | | 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1, |
994 | | 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18, |
995 | | 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4, |
996 | | 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A, |
997 | | 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54, |
998 | | 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 }, |
999 | | { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64, |
1000 | | 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63, |
1001 | | 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28, |
1002 | | 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB, |
1003 | | 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A, |
1004 | | 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B, |
1005 | | 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E, |
1006 | | 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B } |
1007 | | }; |
1008 | | #endif /* MBEDTLS_SHA512_C */ |
1009 | | |
1010 | | static int mbedtls_sha512_common_self_test(int verbose, int is384) |
1011 | 0 | { |
1012 | 0 | int i, buflen, ret = 0; |
1013 | 0 | unsigned char *buf; |
1014 | 0 | unsigned char sha512sum[64]; |
1015 | 0 | mbedtls_sha512_context ctx; |
1016 | |
|
1017 | 0 | #if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C) |
1018 | 0 | sha_test_sum_t *sha_test_sum = (is384) ? sha384_test_sum : sha512_test_sum; |
1019 | | #elif defined(MBEDTLS_SHA512_C) |
1020 | | sha_test_sum_t *sha_test_sum = sha512_test_sum; |
1021 | | #else |
1022 | | sha_test_sum_t *sha_test_sum = sha384_test_sum; |
1023 | | #endif |
1024 | |
|
1025 | 0 | buf = mbedtls_calloc(1024, sizeof(unsigned char)); |
1026 | 0 | if (NULL == buf) { |
1027 | 0 | if (verbose != 0) { |
1028 | 0 | mbedtls_printf("Buffer allocation failed\n"); |
1029 | 0 | } |
1030 | |
|
1031 | 0 | return 1; |
1032 | 0 | } |
1033 | | |
1034 | 0 | mbedtls_sha512_init(&ctx); |
1035 | |
|
1036 | 0 | for (i = 0; i < 3; i++) { |
1037 | 0 | if (verbose != 0) { |
1038 | 0 | mbedtls_printf(" SHA-%d test #%d: ", 512 - is384 * 128, i + 1); |
1039 | 0 | } |
1040 | |
|
1041 | 0 | if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) { |
1042 | 0 | goto fail; |
1043 | 0 | } |
1044 | | |
1045 | 0 | if (i == 2) { |
1046 | 0 | memset(buf, 'a', buflen = 1000); |
1047 | |
|
1048 | 0 | for (int j = 0; j < 1000; j++) { |
1049 | 0 | ret = mbedtls_sha512_update(&ctx, buf, buflen); |
1050 | 0 | if (ret != 0) { |
1051 | 0 | goto fail; |
1052 | 0 | } |
1053 | 0 | } |
1054 | 0 | } else { |
1055 | 0 | ret = mbedtls_sha512_update(&ctx, sha_test_buf[i], |
1056 | 0 | sha_test_buflen[i]); |
1057 | 0 | if (ret != 0) { |
1058 | 0 | goto fail; |
1059 | 0 | } |
1060 | 0 | } |
1061 | | |
1062 | 0 | if ((ret = mbedtls_sha512_finish(&ctx, sha512sum)) != 0) { |
1063 | 0 | goto fail; |
1064 | 0 | } |
1065 | | |
1066 | 0 | if (memcmp(sha512sum, sha_test_sum[i], 64 - is384 * 16) != 0) { |
1067 | 0 | ret = 1; |
1068 | 0 | goto fail; |
1069 | 0 | } |
1070 | | |
1071 | 0 | if (verbose != 0) { |
1072 | 0 | mbedtls_printf("passed\n"); |
1073 | 0 | } |
1074 | 0 | } |
1075 | | |
1076 | 0 | if (verbose != 0) { |
1077 | 0 | mbedtls_printf("\n"); |
1078 | 0 | } |
1079 | |
|
1080 | 0 | goto exit; |
1081 | | |
1082 | 0 | fail: |
1083 | 0 | if (verbose != 0) { |
1084 | 0 | mbedtls_printf("failed\n"); |
1085 | 0 | } |
1086 | |
|
1087 | 0 | exit: |
1088 | 0 | mbedtls_sha512_free(&ctx); |
1089 | 0 | mbedtls_free(buf); |
1090 | |
|
1091 | 0 | return ret; |
1092 | 0 | } |
1093 | | |
1094 | | #if defined(MBEDTLS_SHA512_C) |
1095 | | int mbedtls_sha512_self_test(int verbose) |
1096 | 0 | { |
1097 | 0 | return mbedtls_sha512_common_self_test(verbose, 0); |
1098 | 0 | } |
1099 | | #endif /* MBEDTLS_SHA512_C */ |
1100 | | |
1101 | | #if defined(MBEDTLS_SHA384_C) |
1102 | | int mbedtls_sha384_self_test(int verbose) |
1103 | 0 | { |
1104 | 0 | return mbedtls_sha512_common_self_test(verbose, 1); |
1105 | 0 | } |
1106 | | #endif /* MBEDTLS_SHA384_C */ |
1107 | | |
1108 | | #undef ARRAY_LENGTH |
1109 | | |
1110 | | #endif /* MBEDTLS_SELF_TEST */ |
1111 | | |
1112 | | #endif /* MBEDTLS_SHA512_C || MBEDTLS_SHA384_C */ |