/work/mbedtls-2.28.8/library/sha512.c

Source (jump to first uncovered line)
/*
 *  FIPS-180-2 compliant SHA-384/512 implementation
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
/*
 *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
 *
 *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
 */

#include "common.h"

#if defined(MBEDTLS_SHA512_C)

#include "mbedtls/sha512.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"

#if defined(_MSC_VER) || defined(__WATCOMC__)
  #define UL64(x) x##ui64
#else
  #define UL64(x) x##ULL
#endif

#include <string.h>

#include "mbedtls/platform.h"

#define SHA512_VALIDATE_RET(cond)                           \
    MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA)
#define SHA512_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE(cond)

#if !defined(MBEDTLS_SHA512_ALT)

#if defined(MBEDTLS_SHA512_SMALLER)
static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i)
{
    MBEDTLS_PUT_UINT64_BE(n, b, i);
}
#else
#define sha512_put_uint64_be    MBEDTLS_PUT_UINT64_BE
#endif /* MBEDTLS_SHA512_SMALLER */

void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
{
    SHA512_VALIDATE(ctx != NULL);

    memset(ctx, 0, sizeof(mbedtls_sha512_context));
}

void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
{
    if (ctx == NULL) {
        return;
    }

    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context));
}

void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
                          const mbedtls_sha512_context *src)
{
    SHA512_VALIDATE(dst != NULL);
    SHA512_VALIDATE(src != NULL);

    *dst = *src;
}

/*
 * SHA-512 context setup
 */
int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384)
{
    SHA512_VALIDATE_RET(ctx != NULL);
#if !defined(MBEDTLS_SHA512_NO_SHA384)
    SHA512_VALIDATE_RET(is384 == 0 || is384 == 1);
#else
    SHA512_VALIDATE_RET(is384 == 0);
#endif

    ctx->total[0] = 0;
    ctx->total[1] = 0;

    if (is384 == 0) {
        /* SHA-512 */
        ctx->state[0] = UL64(0x6A09E667F3BCC908);
        ctx->state[1] = UL64(0xBB67AE8584CAA73B);
        ctx->state[2] = UL64(0x3C6EF372FE94F82B);
        ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
        ctx->state[4] = UL64(0x510E527FADE682D1);
        ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
        ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
        ctx->state[7] = UL64(0x5BE0CD19137E2179);
    } else {
#if defined(MBEDTLS_SHA512_NO_SHA384)
        return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
#else
        /* SHA-384 */
        ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
        ctx->state[1] = UL64(0x629A292A367CD507);
        ctx->state[2] = UL64(0x9159015A3070DD17);
        ctx->state[3] = UL64(0x152FECD8F70E5939);
        ctx->state[4] = UL64(0x67332667FFC00B31);
        ctx->state[5] = UL64(0x8EB44A8768581511);
        ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
        ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
#endif /* MBEDTLS_SHA512_NO_SHA384 */
    }

#if !defined(MBEDTLS_SHA512_NO_SHA384)
    ctx->is384 = is384;
#endif

    return 0;
}

#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_sha512_starts(mbedtls_sha512_context *ctx,
                           int is384)
{
    mbedtls_sha512_starts_ret(ctx, is384);
}
#endif

#if !defined(MBEDTLS_SHA512_PROCESS_ALT)

/*
 * Round constants
 */
static const uint64_t K[80] =
{
    UL64(0x428A2F98D728AE22),  UL64(0x7137449123EF65CD),
    UL64(0xB5C0FBCFEC4D3B2F),  UL64(0xE9B5DBA58189DBBC),
    UL64(0x3956C25BF348B538),  UL64(0x59F111F1B605D019),
    UL64(0x923F82A4AF194F9B),  UL64(0xAB1C5ED5DA6D8118),
    UL64(0xD807AA98A3030242),  UL64(0x12835B0145706FBE),
    UL64(0x243185BE4EE4B28C),  UL64(0x550C7DC3D5FFB4E2),
    UL64(0x72BE5D74F27B896F),  UL64(0x80DEB1FE3B1696B1),
    UL64(0x9BDC06A725C71235),  UL64(0xC19BF174CF692694),
    UL64(0xE49B69C19EF14AD2),  UL64(0xEFBE4786384F25E3),
    UL64(0x0FC19DC68B8CD5B5),  UL64(0x240CA1CC77AC9C65),
    UL64(0x2DE92C6F592B0275),  UL64(0x4A7484AA6EA6E483),
    UL64(0x5CB0A9DCBD41FBD4),  UL64(0x76F988DA831153B5),
    UL64(0x983E5152EE66DFAB),  UL64(0xA831C66D2DB43210),
    UL64(0xB00327C898FB213F),  UL64(0xBF597FC7BEEF0EE4),
    UL64(0xC6E00BF33DA88FC2),  UL64(0xD5A79147930AA725),
    UL64(0x06CA6351E003826F),  UL64(0x142929670A0E6E70),
    UL64(0x27B70A8546D22FFC),  UL64(0x2E1B21385C26C926),
    UL64(0x4D2C6DFC5AC42AED),  UL64(0x53380D139D95B3DF),
    UL64(0x650A73548BAF63DE),  UL64(0x766A0ABB3C77B2A8),
    UL64(0x81C2C92E47EDAEE6),  UL64(0x92722C851482353B),
    UL64(0xA2BFE8A14CF10364),  UL64(0xA81A664BBC423001),
    UL64(0xC24B8B70D0F89791),  UL64(0xC76C51A30654BE30),
    UL64(0xD192E819D6EF5218),  UL64(0xD69906245565A910),
    UL64(0xF40E35855771202A),  UL64(0x106AA07032BBD1B8),
    UL64(0x19A4C116B8D2D0C8),  UL64(0x1E376C085141AB53),
    UL64(0x2748774CDF8EEB99),  UL64(0x34B0BCB5E19B48A8),
    UL64(0x391C0CB3C5C95A63),  UL64(0x4ED8AA4AE3418ACB),
    UL64(0x5B9CCA4F7763E373),  UL64(0x682E6FF3D6B2B8A3),
    UL64(0x748F82EE5DEFB2FC),  UL64(0x78A5636F43172F60),
    UL64(0x84C87814A1F0AB72),  UL64(0x8CC702081A6439EC),
    UL64(0x90BEFFFA23631E28),  UL64(0xA4506CEBDE82BDE9),
    UL64(0xBEF9A3F7B2C67915),  UL64(0xC67178F2E372532B),
    UL64(0xCA273ECEEA26619C),  UL64(0xD186B8C721C0C207),
    UL64(0xEADA7DD6CDE0EB1E),  UL64(0xF57D4F7FEE6ED178),
    UL64(0x06F067AA72176FBA),  UL64(0x0A637DC5A2C898A6),
    UL64(0x113F9804BEF90DAE),  UL64(0x1B710B35131C471B),
    UL64(0x28DB77F523047D84),  UL64(0x32CAAB7B40C72493),
    UL64(0x3C9EBE0A15C9BEBC),  UL64(0x431D67C49C100D4C),
    UL64(0x4CC5D4BECB3E42B6),  UL64(0x597F299CFC657E2A),
    UL64(0x5FCB6FAB3AD6FAEC),  UL64(0x6C44198C4A475817)
};

int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
                                    const unsigned char data[128])
{
    int i;
    struct {
        uint64_t temp1, temp2, W[80];
        uint64_t A[8];
    } local;

    SHA512_VALIDATE_RET(ctx != NULL);
    SHA512_VALIDATE_RET((const unsigned char *) data != NULL);

#define  SHR(x, n) ((x) >> (n))
#define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n))))

#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
#define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^  SHR(x, 6))

#define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
#define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))

#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))

#define P(a, b, c, d, e, f, g, h, x, K)                                      \
    do                                                              \
    {                                                               \
        local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x);    \
        local.temp2 = S2(a) + F0((a), (b), (c));                      \
        (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
    } while (0)

    for (i = 0; i < 8; i++) {
        local.A[i] = ctx->state[i];
    }

#if defined(MBEDTLS_SHA512_SMALLER)
    for (i = 0; i < 80; i++) {
        if (i < 16) {
            local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
        } else {
            local.W[i] = S1(local.W[i -  2]) + local.W[i -  7] +
                         S0(local.W[i - 15]) + local.W[i - 16];
        }

        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
          local.A[5], local.A[6], local.A[7], local.W[i], K[i]);

        local.temp1 = local.A[7]; local.A[7] = local.A[6];
        local.A[6] = local.A[5]; local.A[5] = local.A[4];
        local.A[4] = local.A[3]; local.A[3] = local.A[2];
        local.A[2] = local.A[1]; local.A[1] = local.A[0];
        local.A[0] = local.temp1;
    }
#else /* MBEDTLS_SHA512_SMALLER */
    for (i = 0; i < 16; i++) {
        local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
    }

    for (; i < 80; i++) {
        local.W[i] = S1(local.W[i -  2]) + local.W[i -  7] +
                     S0(local.W[i - 15]) + local.W[i - 16];
    }

    i = 0;
    do {
        P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
          local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++;
        P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
          local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++;
        P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
          local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++;
        P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
          local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++;
        P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
          local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++;
        P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
          local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++;
        P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
          local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++;
        P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
          local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++;
    } while (i < 80);
#endif /* MBEDTLS_SHA512_SMALLER */

    for (i = 0; i < 8; i++) {
        ctx->state[i] += local.A[i];
    }

    /* Zeroise buffers and variables to clear sensitive data from memory. */
    mbedtls_platform_zeroize(&local, sizeof(local));

    return 0;
}

#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_sha512_process(mbedtls_sha512_context *ctx,
                            const unsigned char data[128])
{
    mbedtls_internal_sha512_process(ctx, data);
}
#endif
#endif /* !MBEDTLS_SHA512_PROCESS_ALT */

/*
 * SHA-512 process buffer
 */
int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
                              const unsigned char *input,
                              size_t ilen)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t fill;
    unsigned int left;

    SHA512_VALIDATE_RET(ctx != NULL);
    SHA512_VALIDATE_RET(ilen == 0 || input != NULL);

    if (ilen == 0) {
        return 0;
    }

    left = (unsigned int) (ctx->total[0] & 0x7F);
    fill = 128 - left;

    ctx->total[0] += (uint64_t) ilen;

    if (ctx->total[0] < (uint64_t) ilen) {
        ctx->total[1]++;
    }

    if (left && ilen >= fill) {
        memcpy((void *) (ctx->buffer + left), input, fill);

        if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
            return ret;
        }

        input += fill;
        ilen  -= fill;
        left = 0;
    }

    while (ilen >= 128) {
        if ((ret = mbedtls_internal_sha512_process(ctx, input)) != 0) {
            return ret;
        }

        input += 128;
        ilen  -= 128;
    }

    if (ilen > 0) {
        memcpy((void *) (ctx->buffer + left), input, ilen);
    }

    return 0;
}

#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
                           const unsigned char *input,
                           size_t ilen)
{
    mbedtls_sha512_update_ret(ctx, input, ilen);
}
#endif

/*
 * SHA-512 final digest
 */
int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
                              unsigned char output[64])
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned used;
    uint64_t high, low;

    SHA512_VALIDATE_RET(ctx != NULL);
    SHA512_VALIDATE_RET((unsigned char *) output != NULL);

    /*
     * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
     */
    used = ctx->total[0] & 0x7F;

    ctx->buffer[used++] = 0x80;

    if (used <= 112) {
        /* Enough room for padding + length in current block */
        memset(ctx->buffer + used, 0, 112 - used);
    } else {
        /* We'll need an extra block */
        memset(ctx->buffer + used, 0, 128 - used);

        if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
            return ret;
        }

        memset(ctx->buffer, 0, 112);
    }

    /*
     * Add message length
     */
    high = (ctx->total[0] >> 61)
           | (ctx->total[1] <<  3);
    low  = (ctx->total[0] <<  3);

    sha512_put_uint64_be(high, ctx->buffer, 112);
    sha512_put_uint64_be(low,  ctx->buffer, 120);

    if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
        return ret;
    }

    /*
     * Output final state
     */
    sha512_put_uint64_be(ctx->state[0], output,  0);
    sha512_put_uint64_be(ctx->state[1], output,  8);
    sha512_put_uint64_be(ctx->state[2], output, 16);
    sha512_put_uint64_be(ctx->state[3], output, 24);
    sha512_put_uint64_be(ctx->state[4], output, 32);
    sha512_put_uint64_be(ctx->state[5], output, 40);

    int truncated = 0;
#if !defined(MBEDTLS_SHA512_NO_SHA384)
    truncated = ctx->is384;
#endif
    if (!truncated) {
        sha512_put_uint64_be(ctx->state[6], output, 48);
        sha512_put_uint64_be(ctx->state[7], output, 56);
    }

    return 0;
}

#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
                           unsigned char output[64])
{
    mbedtls_sha512_finish_ret(ctx, output);
}
#endif

#endif /* !MBEDTLS_SHA512_ALT */

/*
 * output = SHA-512( input buffer )
 */
int mbedtls_sha512_ret(const unsigned char *input,
                       size_t ilen,
                       unsigned char output[64],
                       int is384)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    mbedtls_sha512_context ctx;

#if !defined(MBEDTLS_SHA512_NO_SHA384)
    SHA512_VALIDATE_RET(is384 == 0 || is384 == 1);
#else
    SHA512_VALIDATE_RET(is384 == 0);
#endif
    SHA512_VALIDATE_RET(ilen == 0 || input != NULL);
    SHA512_VALIDATE_RET((unsigned char *) output != NULL);

    mbedtls_sha512_init(&ctx);

    if ((ret = mbedtls_sha512_starts_ret(&ctx, is384)) != 0) {
        goto exit;
    }

    if ((ret = mbedtls_sha512_update_ret(&ctx, input, ilen)) != 0) {
        goto exit;
    }

    if ((ret = mbedtls_sha512_finish_ret(&ctx, output)) != 0) {
        goto exit;
    }

exit:
    mbedtls_sha512_free(&ctx);

    return ret;
}

#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_sha512(const unsigned char *input,
                    size_t ilen,
                    unsigned char output[64],
                    int is384)
{
    mbedtls_sha512_ret(input, ilen, output, is384);
}
#endif

#if defined(MBEDTLS_SELF_TEST)

/*
 * FIPS-180-2 test vectors
 */
static const unsigned char sha512_test_buf[3][113] =
{
    { "abc" },
    {
        "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
    },
    { "" }
};

static const size_t sha512_test_buflen[3] =
{
    3, 112, 1000
};

static const unsigned char sha512_test_sum[][64] =
{
#if !defined(MBEDTLS_SHA512_NO_SHA384)
    /*
     * SHA-384 test vectors
     */
    { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
      0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
      0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
      0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
      0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
      0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
    { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
      0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
      0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
      0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
      0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
      0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
    { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
      0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
      0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
      0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
      0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
      0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
#endif /* !MBEDTLS_SHA512_NO_SHA384 */

    /*
     * SHA-512 test vectors
     */
    { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
      0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
      0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
      0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
      0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
      0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
      0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
      0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
    { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
      0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
      0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
      0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
      0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
      0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
      0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
      0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
    { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
      0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
      0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
      0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
      0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
      0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
      0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
      0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
};

#define ARRAY_LENGTH(a)   (sizeof(a) / sizeof((a)[0]))

/*
 * Checkup routine
 */
int mbedtls_sha512_self_test(int verbose)
{
    int i, j, k, buflen, ret = 0;
    unsigned char *buf;
    unsigned char sha512sum[64];
    mbedtls_sha512_context ctx;

    buf = mbedtls_calloc(1024, sizeof(unsigned char));
    if (NULL == buf) {
        if (verbose != 0) {
            mbedtls_printf("Buffer allocation failed\n");
        }

        return 1;
    }

    mbedtls_sha512_init(&ctx);

    for (i = 0; i < (int) ARRAY_LENGTH(sha512_test_sum); i++) {
        j = i % 3;
#if !defined(MBEDTLS_SHA512_NO_SHA384)
        k = i < 3;
#else
        k = 0;
#endif

        if (verbose != 0) {
            mbedtls_printf("  SHA-%d test #%d: ", 512 - k * 128, j + 1);
        }

        if ((ret = mbedtls_sha512_starts_ret(&ctx, k)) != 0) {
            goto fail;
        }

        if (j == 2) {
            memset(buf, 'a', buflen = 1000);

            for (j = 0; j < 1000; j++) {
                ret = mbedtls_sha512_update_ret(&ctx, buf, buflen);
                if (ret != 0) {
                    goto fail;
                }
            }
        } else {
            ret = mbedtls_sha512_update_ret(&ctx, sha512_test_buf[j],
                                            sha512_test_buflen[j]);
            if (ret != 0) {
                goto fail;
            }
        }

        if ((ret = mbedtls_sha512_finish_ret(&ctx, sha512sum)) != 0) {
            goto fail;
        }

        if (memcmp(sha512sum, sha512_test_sum[i], 64 - k * 16) != 0) {
            ret = 1;
            goto fail;
        }

        if (verbose != 0) {
            mbedtls_printf("passed\n");
        }
    }

    if (verbose != 0) {
        mbedtls_printf("\n");
    }

    goto exit;

fail:
    if (verbose != 0) {
        mbedtls_printf("failed\n");
    }

exit:
    mbedtls_sha512_free(&ctx);
    mbedtls_free(buf);

    return ret;
}

#undef ARRAY_LENGTH

#endif /* MBEDTLS_SELF_TEST */

#endif /* MBEDTLS_SHA512_C */

Coverage Report

Created: 2025-07-01 06:54

Line	Count	Source (jump to first uncovered line)
1		/*
2		* FIPS-180-2 compliant SHA-384/512 implementation
3		*
4		* Copyright The Mbed TLS Contributors
5		* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6		*/
7		/*
8		* The SHA-512 Secure Hash Standard was published by NIST in 2002.
9		*
10		* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11		*/
12
13		#include "common.h"
14
15		#if defined(MBEDTLS_SHA512_C)
16
17		#include "mbedtls/sha512.h"
18		#include "mbedtls/platform_util.h"
19		#include "mbedtls/error.h"
20
21		#if defined(_MSC_VER) \|\| defined(__WATCOMC__)
22		#define UL64(x) x##ui64
23		#else
24	0	#define UL64(x) x##ULL
25		#endif
26
27		#include <string.h>
28
29		#include "mbedtls/platform.h"
30
31		#define SHA512_VALIDATE_RET(cond) \
32	0	MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA)
33	0	#define SHA512_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
34
35		#if !defined(MBEDTLS_SHA512_ALT)
36
37		#if defined(MBEDTLS_SHA512_SMALLER)
38		static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i)
39		{
40		MBEDTLS_PUT_UINT64_BE(n, b, i);
41		}
42		#else
43	0	#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
44		#endif /* MBEDTLS_SHA512_SMALLER */
45
46		void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
47	0	{
48	0	SHA512_VALIDATE(ctx != NULL);
49
50	0	memset(ctx, 0, sizeof(mbedtls_sha512_context));
51	0	}
52
53		void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
54	0	{
55	0	if (ctx == NULL) {
56	0	return;
57	0	}
58
59	0	mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context));
60	0	}
61
62		void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
63		const mbedtls_sha512_context *src)
64	0	{
65	0	SHA512_VALIDATE(dst != NULL);
66	0	SHA512_VALIDATE(src != NULL);
67
68	0	dst = src;
69	0	}
70
71		/*
72		* SHA-512 context setup
73		*/
74		int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384)
75	0	{
76	0	SHA512_VALIDATE_RET(ctx != NULL);
77	0	#if !defined(MBEDTLS_SHA512_NO_SHA384)
78	0	SHA512_VALIDATE_RET(is384 == 0 \|\| is384 == 1);
79		#else
80		SHA512_VALIDATE_RET(is384 == 0);
81		#endif
82
83	0	ctx->total[0] = 0;
84	0	ctx->total[1] = 0;
85
86	0	if (is384 == 0) {
87		/* SHA-512 */
88	0	ctx->state[0] = UL64(0x6A09E667F3BCC908);
89	0	ctx->state[1] = UL64(0xBB67AE8584CAA73B);
90	0	ctx->state[2] = UL64(0x3C6EF372FE94F82B);
91	0	ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
92	0	ctx->state[4] = UL64(0x510E527FADE682D1);
93	0	ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
94	0	ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
95	0	ctx->state[7] = UL64(0x5BE0CD19137E2179);
96	0	} else {
97		#if defined(MBEDTLS_SHA512_NO_SHA384)
98		return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
99		#else
100		/* SHA-384 */
101	0	ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
102	0	ctx->state[1] = UL64(0x629A292A367CD507);
103	0	ctx->state[2] = UL64(0x9159015A3070DD17);
104	0	ctx->state[3] = UL64(0x152FECD8F70E5939);
105	0	ctx->state[4] = UL64(0x67332667FFC00B31);
106	0	ctx->state[5] = UL64(0x8EB44A8768581511);
107	0	ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
108	0	ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
109	0	#endif /* MBEDTLS_SHA512_NO_SHA384 */
110	0	}
111
112	0	#if !defined(MBEDTLS_SHA512_NO_SHA384)
113	0	ctx->is384 = is384;
114	0	#endif
115
116	0	return 0;
117	0	}
118
119		#if !defined(MBEDTLS_DEPRECATED_REMOVED)
120		void mbedtls_sha512_starts(mbedtls_sha512_context *ctx,
121		int is384)
122	0	{
123	0	mbedtls_sha512_starts_ret(ctx, is384);
124	0	}
125		#endif
126
127		#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
128
129		/*
130		* Round constants
131		*/
132		static const uint64_t K[80] =
133		{
134		UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
135		UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
136		UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
137		UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
138		UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
139		UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
140		UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
141		UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
142		UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
143		UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
144		UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
145		UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
146		UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
147		UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
148		UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
149		UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
150		UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
151		UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
152		UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
153		UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
154		UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
155		UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
156		UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
157		UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
158		UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
159		UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
160		UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
161		UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
162		UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
163		UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
164		UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
165		UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
166		UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
167		UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
168		UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
169		UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
170		UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
171		UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
172		UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
173		UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
174		};
175
176		int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
177		const unsigned char data[128])
178	0	{
179	0	int i;
180	0	struct {
181	0	uint64_t temp1, temp2, W[80];
182	0	uint64_t A[8];
183	0	} local;
184
185	0	SHA512_VALIDATE_RET(ctx != NULL);
186	0	SHA512_VALIDATE_RET((const unsigned char *) data != NULL);
187
188	0	#define SHR(x, n) ((x) >> (n))
189	0	#define ROTR(x, n) (SHR((x), (n)) \| ((x) << (64 - (n))))
190
191	0	#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
192	0	#define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
193
194	0	#define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
195	0	#define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
196
197	0	#define F0(x, y, z) (((x) & (y)) \| ((z) & ((x) \| (y))))
198	0	#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
199
200	0	#define P(a, b, c, d, e, f, g, h, x, K) \
201	0	do \
202	0	{ \
203	0	local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
204	0	local.temp2 = S2(a) + F0((a), (b), (c)); \
205	0	(d) += local.temp1; (h) = local.temp1 + local.temp2; \
206	0	} while (0)
207
208	0	for (i = 0; i < 8; i++) {
209	0	local.A[i] = ctx->state[i];
210	0	}
211
212		#if defined(MBEDTLS_SHA512_SMALLER)
213		for (i = 0; i < 80; i++) {
214		if (i < 16) {
215		local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
216		} else {
217		local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
218		S0(local.W[i - 15]) + local.W[i - 16];
219		}
220
221		P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
222		local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
223
224		local.temp1 = local.A[7]; local.A[7] = local.A[6];
225		local.A[6] = local.A[5]; local.A[5] = local.A[4];
226		local.A[4] = local.A[3]; local.A[3] = local.A[2];
227		local.A[2] = local.A[1]; local.A[1] = local.A[0];
228		local.A[0] = local.temp1;
229		}
230		#else /* MBEDTLS_SHA512_SMALLER */
231	0	for (i = 0; i < 16; i++) {
232	0	local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
233	0	}
234
235	0	for (; i < 80; i++) {
236	0	local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
237	0	S0(local.W[i - 15]) + local.W[i - 16];
238	0	}
239
240	0	i = 0;
241	0	do {
242	0	P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
243	0	local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++;
244	0	P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
245	0	local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++;
246	0	P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
247	0	local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++;
248	0	P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
249	0	local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++;
250	0	P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
251	0	local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++;
252	0	P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
253	0	local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++;
254	0	P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
255	0	local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++;
256	0	P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
257	0	local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++;
258	0	} while (i < 80);
259	0	#endif /* MBEDTLS_SHA512_SMALLER */
260
261	0	for (i = 0; i < 8; i++) {
262	0	ctx->state[i] += local.A[i];
263	0	}
264
265		/* Zeroise buffers and variables to clear sensitive data from memory. */
266	0	mbedtls_platform_zeroize(&local, sizeof(local));
267
268	0	return 0;
269	0	}
270
271		#if !defined(MBEDTLS_DEPRECATED_REMOVED)
272		void mbedtls_sha512_process(mbedtls_sha512_context *ctx,
273		const unsigned char data[128])
274	0	{
275	0	mbedtls_internal_sha512_process(ctx, data);
276	0	}
277		#endif
278		#endif /* !MBEDTLS_SHA512_PROCESS_ALT */
279
280		/*
281		* SHA-512 process buffer
282		*/
283		int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
284		const unsigned char *input,
285		size_t ilen)
286	0	{
287	0	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
288	0	size_t fill;
289	0	unsigned int left;
290
291	0	SHA512_VALIDATE_RET(ctx != NULL);
292	0	SHA512_VALIDATE_RET(ilen == 0 \|\| input != NULL);
293
294	0	if (ilen == 0) {
295	0	return 0;
296	0	}
297
298	0	left = (unsigned int) (ctx->total[0] & 0x7F);
299	0	fill = 128 - left;
300
301	0	ctx->total[0] += (uint64_t) ilen;
302
303	0	if (ctx->total[0] < (uint64_t) ilen) {
304	0	ctx->total[1]++;
305	0	}
306
307	0	if (left && ilen >= fill) {
308	0	memcpy((void *) (ctx->buffer + left), input, fill);
309
310	0	if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
311	0	return ret;
312	0	}
313
314	0	input += fill;
315	0	ilen -= fill;
316	0	left = 0;
317	0	}
318
319	0	while (ilen >= 128) {
320	0	if ((ret = mbedtls_internal_sha512_process(ctx, input)) != 0) {
321	0	return ret;
322	0	}
323
324	0	input += 128;
325	0	ilen -= 128;
326	0	}
327
328	0	if (ilen > 0) {
329	0	memcpy((void *) (ctx->buffer + left), input, ilen);
330	0	}
331
332	0	return 0;
333	0	}
334
335		#if !defined(MBEDTLS_DEPRECATED_REMOVED)
336		void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
337		const unsigned char *input,
338		size_t ilen)
339	0	{
340	0	mbedtls_sha512_update_ret(ctx, input, ilen);
341	0	}
342		#endif
343
344		/*
345		* SHA-512 final digest
346		*/
347		int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
348		unsigned char output[64])
349	0	{
350	0	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
351	0	unsigned used;
352	0	uint64_t high, low;
353
354	0	SHA512_VALIDATE_RET(ctx != NULL);
355	0	SHA512_VALIDATE_RET((unsigned char *) output != NULL);
356
357		/*
358		* Add padding: 0x80 then 0x00 until 16 bytes remain for the length
359		*/
360	0	used = ctx->total[0] & 0x7F;
361
362	0	ctx->buffer[used++] = 0x80;
363
364	0	if (used <= 112) {
365		/* Enough room for padding + length in current block */
366	0	memset(ctx->buffer + used, 0, 112 - used);
367	0	} else {
368		/* We'll need an extra block */
369	0	memset(ctx->buffer + used, 0, 128 - used);
370
371	0	if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
372	0	return ret;
373	0	}
374
375	0	memset(ctx->buffer, 0, 112);
376	0	}
377
378		/*
379		* Add message length
380		*/
381	0	high = (ctx->total[0] >> 61)
382	0	\| (ctx->total[1] << 3);
383	0	low = (ctx->total[0] << 3);
384
385	0	sha512_put_uint64_be(high, ctx->buffer, 112);
386	0	sha512_put_uint64_be(low, ctx->buffer, 120);
387
388	0	if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
389	0	return ret;
390	0	}
391
392		/*
393		* Output final state
394		*/
395	0	sha512_put_uint64_be(ctx->state[0], output, 0);
396	0	sha512_put_uint64_be(ctx->state[1], output, 8);
397	0	sha512_put_uint64_be(ctx->state[2], output, 16);
398	0	sha512_put_uint64_be(ctx->state[3], output, 24);
399	0	sha512_put_uint64_be(ctx->state[4], output, 32);
400	0	sha512_put_uint64_be(ctx->state[5], output, 40);
401
402	0	int truncated = 0;
403	0	#if !defined(MBEDTLS_SHA512_NO_SHA384)
404	0	truncated = ctx->is384;
405	0	#endif
406	0	if (!truncated) {
407	0	sha512_put_uint64_be(ctx->state[6], output, 48);
408	0	sha512_put_uint64_be(ctx->state[7], output, 56);
409	0	}
410
411	0	return 0;
412	0	}
413
414		#if !defined(MBEDTLS_DEPRECATED_REMOVED)
415		void mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
416		unsigned char output[64])
417	0	{
418	0	mbedtls_sha512_finish_ret(ctx, output);
419	0	}
420		#endif
421
422		#endif /* !MBEDTLS_SHA512_ALT */
423
424		/*
425		* output = SHA-512( input buffer )
426		*/
427		int mbedtls_sha512_ret(const unsigned char *input,
428		size_t ilen,
429		unsigned char output[64],
430		int is384)
431	0	{
432	0	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
433	0	mbedtls_sha512_context ctx;
434
435	0	#if !defined(MBEDTLS_SHA512_NO_SHA384)
436	0	SHA512_VALIDATE_RET(is384 == 0 \|\| is384 == 1);
437		#else
438		SHA512_VALIDATE_RET(is384 == 0);
439		#endif
440	0	SHA512_VALIDATE_RET(ilen == 0 \|\| input != NULL);
441	0	SHA512_VALIDATE_RET((unsigned char *) output != NULL);
442
443	0	mbedtls_sha512_init(&ctx);
444
445	0	if ((ret = mbedtls_sha512_starts_ret(&ctx, is384)) != 0) {
446	0	goto exit;
447	0	}
448
449	0	if ((ret = mbedtls_sha512_update_ret(&ctx, input, ilen)) != 0) {
450	0	goto exit;
451	0	}
452
453	0	if ((ret = mbedtls_sha512_finish_ret(&ctx, output)) != 0) {
454	0	goto exit;
455	0	}
456
457	0	exit:
458	0	mbedtls_sha512_free(&ctx);
459
460	0	return ret;
461	0	}
462
463		#if !defined(MBEDTLS_DEPRECATED_REMOVED)
464		void mbedtls_sha512(const unsigned char *input,
465		size_t ilen,
466		unsigned char output[64],
467		int is384)
468	0	{
469	0	mbedtls_sha512_ret(input, ilen, output, is384);
470	0	}
471		#endif
472
473		#if defined(MBEDTLS_SELF_TEST)
474
475		/*
476		* FIPS-180-2 test vectors
477		*/
478		static const unsigned char sha512_test_buf[3][113] =
479		{
480		{ "abc" },
481		{
482		"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
483		},
484		{ "" }
485		};
486
487		static const size_t sha512_test_buflen[3] =
488		{
489		3, 112, 1000
490		};
491
492		static const unsigned char sha512_test_sum[][64] =
493		{
494		#if !defined(MBEDTLS_SHA512_NO_SHA384)
495		/*
496		* SHA-384 test vectors
497		*/
498		{ 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
499		0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
500		0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
501		0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
502		0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
503		0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
504		{ 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
505		0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
506		0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
507		0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
508		0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
509		0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
510		{ 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
511		0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
512		0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
513		0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
514		0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
515		0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
516		#endif /* !MBEDTLS_SHA512_NO_SHA384 */
517
518		/*
519		* SHA-512 test vectors
520		*/
521		{ 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
522		0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
523		0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
524		0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
525		0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
526		0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
527		0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
528		0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
529		{ 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
530		0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
531		0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
532		0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
533		0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
534		0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
535		0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
536		0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
537		{ 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
538		0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
539		0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
540		0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
541		0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
542		0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
543		0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
544		0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
545		};
546
547	0	#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
548
549		/*
550		* Checkup routine
551		*/
552		int mbedtls_sha512_self_test(int verbose)
553	0	{
554	0	int i, j, k, buflen, ret = 0;
555	0	unsigned char *buf;
556	0	unsigned char sha512sum[64];
557	0	mbedtls_sha512_context ctx;
558
559	0	buf = mbedtls_calloc(1024, sizeof(unsigned char));
560	0	if (NULL == buf) {
561	0	if (verbose != 0) {
562	0	mbedtls_printf("Buffer allocation failed\n");
563	0	}
564
565	0	return 1;
566	0	}
567
568	0	mbedtls_sha512_init(&ctx);
569
570	0	for (i = 0; i < (int) ARRAY_LENGTH(sha512_test_sum); i++) {
571	0	j = i % 3;
572	0	#if !defined(MBEDTLS_SHA512_NO_SHA384)
573	0	k = i < 3;
574		#else
575		k = 0;
576		#endif
577
578	0	if (verbose != 0) {
579	0	mbedtls_printf(" SHA-%d test #%d: ", 512 - k * 128, j + 1);
580	0	}
581
582	0	if ((ret = mbedtls_sha512_starts_ret(&ctx, k)) != 0) {
583	0	goto fail;
584	0	}
585
586	0	if (j == 2) {
587	0	memset(buf, 'a', buflen = 1000);
588
589	0	for (j = 0; j < 1000; j++) {
590	0	ret = mbedtls_sha512_update_ret(&ctx, buf, buflen);
591	0	if (ret != 0) {
592	0	goto fail;
593	0	}
594	0	}
595	0	} else {
596	0	ret = mbedtls_sha512_update_ret(&ctx, sha512_test_buf[j],
597	0	sha512_test_buflen[j]);
598	0	if (ret != 0) {
599	0	goto fail;
600	0	}
601	0	}
602
603	0	if ((ret = mbedtls_sha512_finish_ret(&ctx, sha512sum)) != 0) {
604	0	goto fail;
605	0	}
606
607	0	if (memcmp(sha512sum, sha512_test_sum[i], 64 - k * 16) != 0) {
608	0	ret = 1;
609	0	goto fail;
610	0	}
611
612	0	if (verbose != 0) {
613	0	mbedtls_printf("passed\n");
614	0	}
615	0	}
616
617	0	if (verbose != 0) {
618	0	mbedtls_printf("\n");
619	0	}
620
621	0	goto exit;
622
623	0	fail:
624	0	if (verbose != 0) {
625	0	mbedtls_printf("failed\n");
626	0	}
627
628	0	exit:
629	0	mbedtls_sha512_free(&ctx);
630	0	mbedtls_free(buf);
631
632	0	return ret;
633	0	}
634
635		#undef ARRAY_LENGTH
636
637		#endif /* MBEDTLS_SELF_TEST */
638
639		#endif /* MBEDTLS_SHA512_C */