Gitly


1 /*
2  *  FIPS-180-2 compliant SHA-256 implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 /*
8  *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
9  *
10  *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
11  */
12 
13 /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
14 #if !defined(_GNU_SOURCE)
15 #define _GNU_SOURCE
16 #endif
17 
18 #if defined(__clang__) &&  (__clang_major__ >= 4)
19 
20 /* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
21  * but that is defined by build_info.h, and we need this block to happen first. */
22 #if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
23 #if __ARM_ARCH >= 8
24 #define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
25 #endif
26 #endif
27 
28 #if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
29 /*
30  * The intrinsic declaration are guarded by predefined ACLE macros in clang:
31  * these are normally only enabled by the -march option on the command line.
32  * By defining the macros ourselves we gain access to those declarations without
33  * requiring -march on the command line.
34  *
35  * `arm_neon.h` is included by common.h, so we put these defines
36  * at the top of this file, before any includes but after the intrinsic
37  * declaration. This is necessary with
38  * Clang <=15.x. With Clang 16.0 and above, these macro definitions are
39  * no longer required, but they're harmless. See
40  * https://reviews.llvm.org/D131064
41  */
42 #define __ARM_FEATURE_CRYPTO 1
43 /* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
44  *
45  * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
46  * for older compilers.
47  */
48 #define __ARM_FEATURE_SHA2   1
49 #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
50 #endif
51 
52 #endif /* defined(__clang__) &&  (__clang_major__ >= 4) */
53 
54 #include "common.h"
55 
56 #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
57 
58 #include "mbedtls/sha256.h"
59 #include "mbedtls/platform_util.h"
60 #include "mbedtls/error.h"
61 
62 #include <string.h>
63 
64 #include "mbedtls/platform.h"
65 
66 #if defined(MBEDTLS_ARCH_IS_ARMV8_A)
67 
68 #  if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
69     defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
70 #       if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
71 #           if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
72 #               warning "Target does not support NEON instructions"
73 #               undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
74 #           else
75 #               error "Target does not support NEON instructions"
76 #           endif
77 #       endif
78 #   endif
79 
80 #  if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
81     defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
82 /* *INDENT-OFF* */
83 
84 #   if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
85 #      if defined(__ARMCOMPILER_VERSION)
86 #        if __ARMCOMPILER_VERSION <= 6090000
87 #          error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
88 #        endif
89 #          pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
90 #          define MBEDTLS_POP_TARGET_PRAGMA
91 #      elif defined(__clang__)
92 #        if __clang_major__ < 4
93 #          error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
94 #        endif
95 #        pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
96 #        define MBEDTLS_POP_TARGET_PRAGMA
97 #      elif defined(__GNUC__)
98          /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
99           *        intrinsics are missing. Missing intrinsics could be worked around.
100           */
101 #        if __GNUC__ < 6
102 #          error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
103 #        else
104 #          pragma GCC push_options
105 #          pragma GCC target ("arch=armv8-a+crypto")
106 #          define MBEDTLS_POP_TARGET_PRAGMA
107 #        endif
108 #      else
109 #        error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
110 #      endif
111 #    endif
112 /* *INDENT-ON* */
113 
114 #  endif
115 #  if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
116 #    if defined(__unix__)
117 #      if defined(__linux__)
118 /* Our preferred method of detection is getauxval() */
119 #        include <sys/auxv.h>
120 /* These are not always defined via sys/auxv.h */
121 #        if !defined(HWCAP_SHA2)
122 #          define HWCAP_SHA2  (1 << 6)
123 #        endif
124 #        if !defined(HWCAP2_SHA2)
125 #          define HWCAP2_SHA2 (1 << 3)
126 #        endif
127 #      endif
128 /* Use SIGILL on Unix, and fall back to it on Linux */
129 #      include <signal.h>
130 #    endif
131 #  endif
132 #elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
133 #  undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
134 #  undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
135 #endif
136 
137 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
138 /*
139  * Capability detection code comes early, so we can disable
140  * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
141  */
142 #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
143 static int mbedtls_a64_crypto_sha256_determine_support(void)
144 {
145     return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
146 }
147 #elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
148 static int mbedtls_a64_crypto_sha256_determine_support(void)
149 {
150     return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
151 }
152 #elif defined(__APPLE__)
153 static int mbedtls_a64_crypto_sha256_determine_support(void)
154 {
155     return 1;
156 }
157 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
158 #ifndef WIN32_LEAN_AND_MEAN
159 #define WIN32_LEAN_AND_MEAN
160 #endif
161 #include <Windows.h>
162 #include <processthreadsapi.h>
163 
164 static int mbedtls_a64_crypto_sha256_determine_support(void)
165 {
166     return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
167            1 : 0;
168 }
169 #elif defined(__unix__) && defined(SIG_SETMASK)
170 /* Detection with SIGILL, setjmp() and longjmp() */
171 #include <signal.h>
172 #include <setjmp.h>
173 
174 static jmp_buf return_from_sigill;
175 
176 /*
177  * Armv8-A SHA256 support detection via SIGILL
178  */
179 static void sigill_handler(int signal)
180 {
181     (void) signal;
182     longjmp(return_from_sigill, 1);
183 }
184 
185 static int mbedtls_a64_crypto_sha256_determine_support(void)
186 {
187     struct sigaction old_action, new_action;
188 
189     sigset_t old_mask;
190     if (sigprocmask(0, NULL, &old_mask)) {
191         return 0;
192     }
193 
194     sigemptyset(&new_action.sa_mask);
195     new_action.sa_flags = 0;
196     new_action.sa_handler = sigill_handler;
197 
198     sigaction(SIGILL, &new_action, &old_action);
199 
200     static int ret = 0;
201 
202     if (setjmp(return_from_sigill) == 0) {         /* First return only */
203         /* If this traps, we will return a second time from setjmp() with 1 */
204 #if defined(MBEDTLS_ARCH_IS_ARM64)
205         asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
206 #else
207         asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
208 #endif
209         ret = 1;
210     }
211 
212     sigaction(SIGILL, &old_action, NULL);
213     sigprocmask(SIG_SETMASK, &old_mask, NULL);
214 
215     return ret;
216 }
217 #else
218 #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
219 #undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
220 #endif  /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
221 
222 #endif  /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
223 
224 #if !defined(MBEDTLS_SHA256_ALT)
225 
226 #define SHA256_BLOCK_SIZE 64
227 
228 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
229 {
230     memset(ctx, 0, sizeof(mbedtls_sha256_context));
231 }
232 
233 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
234 {
235     if (ctx == NULL) {
236         return;
237     }
238 
239     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
240 }
241 
242 void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
243                           const mbedtls_sha256_context *src)
244 {
245     *dst = *src;
246 }
247 
248 /*
249  * SHA-256 context setup
250  */
251 int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
252 {
253 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
254     if (is224 != 0 && is224 != 1) {
255         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
256     }
257 #elif defined(MBEDTLS_SHA256_C)
258     if (is224 != 0) {
259         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
260     }
261 #else /* defined MBEDTLS_SHA224_C only */
262     if (is224 == 0) {
263         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
264     }
265 #endif
266 
267     ctx->total[0] = 0;
268     ctx->total[1] = 0;
269 
270     if (is224 == 0) {
271 #if defined(MBEDTLS_SHA256_C)
272         ctx->state[0] = 0x6A09E667;
273         ctx->state[1] = 0xBB67AE85;
274         ctx->state[2] = 0x3C6EF372;
275         ctx->state[3] = 0xA54FF53A;
276         ctx->state[4] = 0x510E527F;
277         ctx->state[5] = 0x9B05688C;
278         ctx->state[6] = 0x1F83D9AB;
279         ctx->state[7] = 0x5BE0CD19;
280 #endif
281     } else {
282 #if defined(MBEDTLS_SHA224_C)
283         ctx->state[0] = 0xC1059ED8;
284         ctx->state[1] = 0x367CD507;
285         ctx->state[2] = 0x3070DD17;
286         ctx->state[3] = 0xF70E5939;
287         ctx->state[4] = 0xFFC00B31;
288         ctx->state[5] = 0x68581511;
289         ctx->state[6] = 0x64F98FA7;
290         ctx->state[7] = 0xBEFA4FA4;
291 #endif
292     }
293 
294 #if defined(MBEDTLS_SHA224_C)
295     ctx->is224 = is224;
296 #endif
297 
298     return 0;
299 }
300 
301 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
302 static const uint32_t K[] =
303 {
304     0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
305     0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
306     0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
307     0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
308     0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
309     0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
310     0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
311     0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
312     0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
313     0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
314     0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
315     0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
316     0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
317     0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
318     0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
319     0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
320 };
321 
322 #endif
323 
324 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
325     defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
326 
327 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
328 #  define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
329 #  define mbedtls_internal_sha256_process_a64_crypto      mbedtls_internal_sha256_process
330 #endif
331 
332 static size_t mbedtls_internal_sha256_process_many_a64_crypto(
333     mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
334 {
335     uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
336     uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
337 
338     size_t processed = 0;
339 
340     for (;
341          len >= SHA256_BLOCK_SIZE;
342          processed += SHA256_BLOCK_SIZE,
343          msg += SHA256_BLOCK_SIZE,
344          len -= SHA256_BLOCK_SIZE) {
345         uint32x4_t tmp, abcd_prev;
346 
347         uint32x4_t abcd_orig = abcd;
348         uint32x4_t efgh_orig = efgh;
349 
350         uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
351         uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
352         uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
353         uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
354 
355 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__  /* Will be true if not defined */
356                                                /* Untested on BE */
357         sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
358         sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
359         sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
360         sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
361 #endif
362 
363         /* Rounds 0 to 3 */
364         tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
365         abcd_prev = abcd;
366         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
367         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
368 
369         /* Rounds 4 to 7 */
370         tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
371         abcd_prev = abcd;
372         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
373         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
374 
375         /* Rounds 8 to 11 */
376         tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
377         abcd_prev = abcd;
378         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
379         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
380 
381         /* Rounds 12 to 15 */
382         tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
383         abcd_prev = abcd;
384         abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
385         efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
386 
387         for (int t = 16; t < 64; t += 16) {
388             /* Rounds t to t + 3 */
389             sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
390             tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
391             abcd_prev = abcd;
392             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
393             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
394 
395             /* Rounds t + 4 to t + 7 */
396             sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
397             tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
398             abcd_prev = abcd;
399             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
400             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
401 
402             /* Rounds t + 8 to t + 11 */
403             sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
404             tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
405             abcd_prev = abcd;
406             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
407             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
408 
409             /* Rounds t + 12 to t + 15 */
410             sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
411             tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
412             abcd_prev = abcd;
413             abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
414             efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
415         }
416 
417         abcd = vaddq_u32(abcd, abcd_orig);
418         efgh = vaddq_u32(efgh, efgh_orig);
419     }
420 
421     vst1q_u32(&ctx->state[0], abcd);
422     vst1q_u32(&ctx->state[4], efgh);
423 
424     return processed;
425 }
426 
427 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
428 /*
429  * This function is for internal use only if we are building both C and Armv8-A
430  * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
431  */
432 static
433 #endif
434 int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
435                                                const unsigned char data[SHA256_BLOCK_SIZE])
436 {
437     return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
438                                                             SHA256_BLOCK_SIZE) ==
439             SHA256_BLOCK_SIZE) ? 0 : -1;
440 }
441 
442 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
443 
444 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
445 #if defined(__clang__)
446 #pragma clang attribute pop
447 #elif defined(__GNUC__)
448 #pragma GCC pop_options
449 #endif
450 #undef MBEDTLS_POP_TARGET_PRAGMA
451 #endif
452 
453 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
454 #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
455 #define mbedtls_internal_sha256_process_c      mbedtls_internal_sha256_process
456 #endif
457 
458 
459 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
460     !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
461 
462 #define  SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
463 #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
464 
465 #define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^  SHR(x, 3))
466 #define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^  SHR(x, 10))
467 
468 #define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
469 #define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
470 
471 #define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
472 #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
473 
474 #define R(t)                                                        \
475     (                                                               \
476         local.W[t] = S1(local.W[(t) -  2]) + local.W[(t) -  7] +    \
477                      S0(local.W[(t) - 15]) + local.W[(t) - 16]      \
478     )
479 
480 #define P(a, b, c, d, e, f, g, h, x, K)                                      \
481     do                                                              \
482     {                                                               \
483         local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x);    \
484         local.temp2 = S2(a) + F0((a), (b), (c));                      \
485         (d) += local.temp1; (h) = local.temp1 + local.temp2;        \
486     } while (0)
487 
488 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
489 /*
490  * This function is for internal use only if we are building both C and Armv8
491  * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
492  */
493 static
494 #endif
495 int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
496                                       const unsigned char data[SHA256_BLOCK_SIZE])
497 {
498     struct {
499         uint32_t temp1, temp2, W[64];
500         uint32_t A[8];
501     } local;
502 
503     unsigned int i;
504 
505     for (i = 0; i < 8; i++) {
506         local.A[i] = ctx->state[i];
507     }
508 
509 #if defined(MBEDTLS_SHA256_SMALLER)
510     for (i = 0; i < 64; i++) {
511         if (i < 16) {
512             local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
513         } else {
514             R(i);
515         }
516 
517         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
518           local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
519 
520         local.temp1 = local.A[7]; local.A[7] = local.A[6];
521         local.A[6] = local.A[5]; local.A[5] = local.A[4];
522         local.A[4] = local.A[3]; local.A[3] = local.A[2];
523         local.A[2] = local.A[1]; local.A[1] = local.A[0];
524         local.A[0] = local.temp1;
525     }
526 #else /* MBEDTLS_SHA256_SMALLER */
527     for (i = 0; i < 16; i++) {
528         local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
529     }
530 
531     for (i = 0; i < 16; i += 8) {
532         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
533           local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
534         P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
535           local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
536         P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
537           local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
538         P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
539           local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
540         P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
541           local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
542         P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
543           local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
544         P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
545           local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
546         P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
547           local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
548     }
549 
550     for (i = 16; i < 64; i += 8) {
551         P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
552           local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
553         P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
554           local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
555         P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
556           local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
557         P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
558           local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
559         P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
560           local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
561         P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
562           local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
563         P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
564           local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
565         P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
566           local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
567     }
568 #endif /* MBEDTLS_SHA256_SMALLER */
569 
570     for (i = 0; i < 8; i++) {
571         ctx->state[i] += local.A[i];
572     }
573 
574     /* Zeroise buffers and variables to clear sensitive data from memory. */
575     mbedtls_platform_zeroize(&local, sizeof(local));
576 
577     return 0;
578 }
579 
580 #endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
581 
582 
583 #if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
584 
585 static size_t mbedtls_internal_sha256_process_many_c(
586     mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
587 {
588     size_t processed = 0;
589 
590     while (len >= SHA256_BLOCK_SIZE) {
591         if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
592             return 0;
593         }
594 
595         data += SHA256_BLOCK_SIZE;
596         len  -= SHA256_BLOCK_SIZE;
597 
598         processed += SHA256_BLOCK_SIZE;
599     }
600 
601     return processed;
602 }
603 
604 #endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
605 
606 
607 #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
608 
609 static int mbedtls_a64_crypto_sha256_has_support(void)
610 {
611     static int done = 0;
612     static int supported = 0;
613 
614     if (!done) {
615         supported = mbedtls_a64_crypto_sha256_determine_support();
616         done = 1;
617     }
618 
619     return supported;
620 }
621 
622 static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
623                                                    const uint8_t *msg, size_t len)
624 {
625     if (mbedtls_a64_crypto_sha256_has_support()) {
626         return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
627     } else {
628         return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
629     }
630 }
631 
632 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
633                                     const unsigned char data[SHA256_BLOCK_SIZE])
634 {
635     if (mbedtls_a64_crypto_sha256_has_support()) {
636         return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
637     } else {
638         return mbedtls_internal_sha256_process_c(ctx, data);
639     }
640 }
641 
642 #endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
643 
644 
645 /*
646  * SHA-256 process buffer
647  */
648 int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
649                           const unsigned char *input,
650                           size_t ilen)
651 {
652     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653     size_t fill;
654     uint32_t left;
655 
656     if (ilen == 0) {
657         return 0;
658     }
659 
660     left = ctx->total[0] & 0x3F;
661     fill = SHA256_BLOCK_SIZE - left;
662 
663     ctx->total[0] += (uint32_t) ilen;
664     ctx->total[0] &= 0xFFFFFFFF;
665 
666     if (ctx->total[0] < (uint32_t) ilen) {
667         ctx->total[1]++;
668     }
669 
670     if (left && ilen >= fill) {
671         memcpy((void *) (ctx->buffer + left), input, fill);
672 
673         if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
674             return ret;
675         }
676 
677         input += fill;
678         ilen  -= fill;
679         left = 0;
680     }
681 
682     while (ilen >= SHA256_BLOCK_SIZE) {
683         size_t processed =
684             mbedtls_internal_sha256_process_many(ctx, input, ilen);
685         if (processed < SHA256_BLOCK_SIZE) {
686             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
687         }
688 
689         input += processed;
690         ilen  -= processed;
691     }
692 
693     if (ilen > 0) {
694         memcpy((void *) (ctx->buffer + left), input, ilen);
695     }
696 
697     return 0;
698 }
699 
700 /*
701  * SHA-256 final digest
702  */
703 int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
704                           unsigned char *output)
705 {
706     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
707     uint32_t used;
708     uint32_t high, low;
709     int truncated = 0;
710 
711     /*
712      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
713      */
714     used = ctx->total[0] & 0x3F;
715 
716     ctx->buffer[used++] = 0x80;
717 
718     if (used <= 56) {
719         /* Enough room for padding + length in current block */
720         memset(ctx->buffer + used, 0, 56 - used);
721     } else {
722         /* We'll need an extra block */
723         memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
724 
725         if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
726             goto exit;
727         }
728 
729         memset(ctx->buffer, 0, 56);
730     }
731 
732     /*
733      * Add message length
734      */
735     high = (ctx->total[0] >> 29)
736            | (ctx->total[1] <<  3);
737     low  = (ctx->total[0] <<  3);
738 
739     MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
740     MBEDTLS_PUT_UINT32_BE(low,  ctx->buffer, 60);
741 
742     if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
743         goto exit;
744     }
745 
746     /*
747      * Output final state
748      */
749     MBEDTLS_PUT_UINT32_BE(ctx->state[0], output,  0);
750     MBEDTLS_PUT_UINT32_BE(ctx->state[1], output,  4);
751     MBEDTLS_PUT_UINT32_BE(ctx->state[2], output,  8);
752     MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
753     MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
754     MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
755     MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
756 
757 #if defined(MBEDTLS_SHA224_C)
758     truncated = ctx->is224;
759 #endif
760     if (!truncated) {
761         MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
762     }
763 
764     ret = 0;
765 
766 exit:
767     mbedtls_sha256_free(ctx);
768     return ret;
769 }
770 
771 #endif /* !MBEDTLS_SHA256_ALT */
772 
773 /*
774  * output = SHA-256( input buffer )
775  */
776 int mbedtls_sha256(const unsigned char *input,
777                    size_t ilen,
778                    unsigned char *output,
779                    int is224)
780 {
781     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
782     mbedtls_sha256_context ctx;
783 
784 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
785     if (is224 != 0 && is224 != 1) {
786         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
787     }
788 #elif defined(MBEDTLS_SHA256_C)
789     if (is224 != 0) {
790         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
791     }
792 #else /* defined MBEDTLS_SHA224_C only */
793     if (is224 == 0) {
794         return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
795     }
796 #endif
797 
798     mbedtls_sha256_init(&ctx);
799 
800     if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
801         goto exit;
802     }
803 
804     if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
805         goto exit;
806     }
807 
808     if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
809         goto exit;
810     }
811 
812 exit:
813     mbedtls_sha256_free(&ctx);
814 
815     return ret;
816 }
817 
818 #if defined(MBEDTLS_SELF_TEST)
819 /*
820  * FIPS-180-2 test vectors
821  */
822 static const unsigned char sha_test_buf[3][57] =
823 {
824     { "abc" },
825     { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
826     { "" }
827 };
828 
829 static const size_t sha_test_buflen[3] =
830 {
831     3, 56, 1000
832 };
833 
834 typedef const unsigned char (sha_test_sum_t)[32];
835 
836 /*
837  * SHA-224 test vectors
838  */
839 #if defined(MBEDTLS_SHA224_C)
840 static sha_test_sum_t sha224_test_sum[] =
841 {
842     { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
843       0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
844       0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
845       0xE3, 0x6C, 0x9D, 0xA7 },
846     { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
847       0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
848       0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
849       0x52, 0x52, 0x25, 0x25 },
850     { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
851       0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
852       0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
853       0x4E, 0xE7, 0xAD, 0x67 }
854 };
855 #endif
856 
857 /*
858  * SHA-256 test vectors
859  */
860 #if defined(MBEDTLS_SHA256_C)
861 static sha_test_sum_t sha256_test_sum[] =
862 {
863     { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
864       0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
865       0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
866       0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
867     { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
868       0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
869       0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
870       0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
871     { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
872       0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
873       0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
874       0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
875 };
876 #endif
877 
878 /*
879  * Checkup routine
880  */
881 static int mbedtls_sha256_common_self_test(int verbose, int is224)
882 {
883     int i, buflen, ret = 0;
884     unsigned char *buf;
885     unsigned char sha256sum[32];
886     mbedtls_sha256_context ctx;
887 
888 #if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
889     sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
890 #elif defined(MBEDTLS_SHA256_C)
891     sha_test_sum_t *sha_test_sum = sha256_test_sum;
892 #else
893     sha_test_sum_t *sha_test_sum = sha224_test_sum;
894 #endif
895 
896     buf = mbedtls_calloc(1024, sizeof(unsigned char));
897     if (NULL == buf) {
898         if (verbose != 0) {
899             mbedtls_printf("Buffer allocation failed\n");
900         }
901 
902         return 1;
903     }
904 
905     mbedtls_sha256_init(&ctx);
906 
907     for (i = 0; i < 3; i++) {
908         if (verbose != 0) {
909             mbedtls_printf("  SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
910         }
911 
912         if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
913             goto fail;
914         }
915 
916         if (i == 2) {
917             memset(buf, 'a', buflen = 1000);
918 
919             for (int j = 0; j < 1000; j++) {
920                 ret = mbedtls_sha256_update(&ctx, buf, buflen);
921                 if (ret != 0) {
922                     goto fail;
923                 }
924             }
925 
926         } else {
927             ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
928                                         sha_test_buflen[i]);
929             if (ret != 0) {
930                 goto fail;
931             }
932         }
933 
934         if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
935             goto fail;
936         }
937 
938 
939         if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
940             ret = 1;
941             goto fail;
942         }
943 
944         if (verbose != 0) {
945             mbedtls_printf("passed\n");
946         }
947     }
948 
949     if (verbose != 0) {
950         mbedtls_printf("\n");
951     }
952 
953     goto exit;
954 
955 fail:
956     if (verbose != 0) {
957         mbedtls_printf("failed\n");
958     }
959 
960 exit:
961     mbedtls_sha256_free(&ctx);
962     mbedtls_free(buf);
963 
964     return ret;
965 }
966 
967 #if defined(MBEDTLS_SHA256_C)
968 int mbedtls_sha256_self_test(int verbose)
969 {
970     return mbedtls_sha256_common_self_test(verbose, 0);
971 }
972 #endif /* MBEDTLS_SHA256_C */
973 
974 #if defined(MBEDTLS_SHA224_C)
975 int mbedtls_sha224_self_test(int verbose)
976 {
977     return mbedtls_sha256_common_self_test(verbose, 1);
978 }
979 #endif /* MBEDTLS_SHA224_C */
980 
981 #endif /* MBEDTLS_SELF_TEST */
982 
983 #endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
984