1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * Copyright (C) 2018-2022, Intel Corporation.
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 *
20 * This file is part of mbed TLS (https://tls.mbed.org)
21 */
22 /*
23 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 *
25 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
26 */
27
28 #include "md.h"
29 #include "sha256.h"
30
31 static const uint32_t k[] =
32 {
33 0x428A2F98U, 0x71374491U, 0xB5C0FBCFU, 0xE9B5DBA5U,
34 0x3956C25BU, 0x59F111F1U, 0x923F82A4U, 0xAB1C5ED5U,
35 0xD807AA98U, 0x12835B01U, 0x243185BEU, 0x550C7DC3U,
36 0x72BE5D74U, 0x80DEB1FEU, 0x9BDC06A7U, 0xC19BF174U,
37 0xE49B69C1U, 0xEFBE4786U, 0x0FC19DC6U, 0x240CA1CCU,
38 0x2DE92C6FU, 0x4A7484AAU, 0x5CB0A9DCU, 0x76F988DAU,
39 0x983E5152U, 0xA831C66DU, 0xB00327C8U, 0xBF597FC7U,
40 0xC6E00BF3U, 0xD5A79147U, 0x06CA6351U, 0x14292967U,
41 0x27B70A85U, 0x2E1B2138U, 0x4D2C6DFCU, 0x53380D13U,
42 0x650A7354U, 0x766A0ABBU, 0x81C2C92EU, 0x92722C85U,
43 0xA2BFE8A1U, 0xA81A664BU, 0xC24B8B70U, 0xC76C51A3U,
44 0xD192E819U, 0xD6990624U, 0xF40E3585U, 0x106AA070U,
45 0x19A4C116U, 0x1E376C08U, 0x2748774CU, 0x34B0BCB5U,
46 0x391C0CB3U, 0x4ED8AA4AU, 0x5B9CCA4FU, 0x682E6FF3U,
47 0x748F82EEU, 0x78A5636FU, 0x84C87814U, 0x8CC70208U,
48 0x90BEFFFAU, 0xA4506CEBU, 0xBEF9A3F7U, 0xC67178F2U,
49 };
50
51 /**
52 * @brief get unsinged int value for big endian.
53 *
54 * @param[in] b pointer to data which is NON-NULL
55 */
get_uint32_be(const uint8_t * b,uint32_t i)56 static inline uint32_t get_uint32_be(const uint8_t *b, uint32_t i)
57 {
58 uint32_t n;
59
60 n = ((uint32_t) (*(b + i)) << 24)
61 | ((uint32_t) (*(b + i + 1U)) << 16)
62 | ((uint32_t) (*(b + i + 2U)) << 8)
63 | ((uint32_t) (*(b + i + 3U)));
64
65 return n;
66 }
67
68 /**
69 * @brief put unsinged int value for big endian.
70 * @param[inout] b pointer to data which is NON-NULL
71 */
put_unint32_be(uint32_t n,uint8_t * b,uint32_t i)72 static inline void put_unint32_be(uint32_t n, uint8_t *b, uint32_t i)
73 {
74 *(b + i) = (uint8_t) (n >> 24);
75 *(b + i + 1U) = (uint8_t) (n >> 16);
76 *(b + i + 2U) = (uint8_t) (n >> 8);
77 *(b + i + 3U) = (uint8_t) n;
78 }
79
shr(uint32_t x,uint8_t n)80 static inline uint32_t shr(uint32_t x, uint8_t n)
81 {
82 return ((x & 0xFFFFFFFFU) >> n);
83 }
84
rotr(uint32_t x,uint8_t n)85 static inline uint32_t rotr(uint32_t x, uint8_t n)
86 {
87 return (shr(x, n) | (x << (32U - n)));
88 }
89
sigma0(uint32_t x)90 static inline uint32_t sigma0(uint32_t x)
91 {
92 return (rotr(x, 7U) ^ rotr(x, 18U) ^ shr(x, 3U));
93 }
94
sigma1(uint32_t x)95 static inline uint32_t sigma1(uint32_t x)
96 {
97 return (rotr(x, 17U) ^ rotr(x, 19U) ^ shr(x, 10U));
98 }
99
sigma2(uint32_t x)100 static inline uint32_t sigma2(uint32_t x)
101 {
102 return (rotr(x, 2U) ^ rotr(x, 13U) ^ rotr(x, 22U));
103 }
104
sigma3(uint32_t x)105 static inline uint32_t sigma3(uint32_t x)
106 {
107 return (rotr(x, 6U) ^ rotr(x, 11U) ^ rotr(x, 25U));
108 }
109
majority(uint32_t x,uint32_t y,uint32_t z)110 static inline uint32_t majority(uint32_t x, uint32_t y, uint32_t z)
111 {
112 return ((x & y) | (z & (x | y)));
113 }
114
choice_alg(uint32_t x,uint32_t y,uint32_t z)115 static inline uint32_t choice_alg(uint32_t x, uint32_t y, uint32_t z)
116 {
117 return (z ^ (x & (y ^ z)));
118 }
119
decomposition(uint32_t * w,uint32_t i)120 static inline void decomposition(uint32_t *w, uint32_t i)
121 {
122 *(w + i) = sigma1(*(w + i - (2U))) + *(w + i - (7U)) + sigma0(*(w + i - (15U))) + *(w + i - (16U));
123 }
124
125 /**
126 * @brief Part of compress.
127 *
128 * @param[inout] d and h are NON-null pointer
129 */
hash_computation(uint32_t a,uint32_t b,uint32_t c,uint32_t * d,uint32_t e,uint32_t f,uint32_t g,uint32_t * h,uint32_t x,uint32_t j)130 static inline void hash_computation( uint32_t a, uint32_t b, uint32_t c,
131 uint32_t *d, uint32_t e, uint32_t f, uint32_t g, uint32_t *h, uint32_t x, uint32_t j)
132 {
133 uint32_t temp1, temp2;
134
135 temp1 = *h + sigma3(e) + choice_alg(e, f, g) + j + x;
136 temp2 = sigma2(a) + majority(a, b, c);
137 *d += temp1;
138 *h = temp1 + temp2;
139 }
140
mbedtls_sha256_init(mbedtls_sha256_context * ctx)141 void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
142 {
143 (void)memset(ctx, 0U, sizeof(mbedtls_sha256_context));
144 }
145
mbedtls_sha256_free(mbedtls_sha256_context * ctx)146 void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
147 {
148 if (ctx != NULL) {
149 (void)mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
150 }
151 }
152
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)153 void mbedtls_sha256_clone(mbedtls_sha256_context *dst, const mbedtls_sha256_context *src)
154 {
155 *dst = *src;
156 }
157
158 /*
159 * SHA-256 context setup
160 */
mbedtls_sha256_starts_ret(mbedtls_sha256_context * ctx,int32_t is224)161 int32_t mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int32_t is224)
162 {
163 ctx->total[0] = 0U;
164 ctx->total[1] = 0U;
165
166 if (is224 == 0) {
167 /* SHA-256 */
168 ctx->state[0] = 0x6A09E667U;
169 ctx->state[1] = 0xBB67AE85U;
170 ctx->state[2] = 0x3C6EF372U;
171 ctx->state[3] = 0xA54FF53AU;
172 ctx->state[4] = 0x510E527FU;
173 ctx->state[5] = 0x9B05688CU;
174 ctx->state[6] = 0x1F83D9ABU;
175 ctx->state[7] = 0x5BE0CD19U;
176 } else {
177 /* SHA-224 */
178 ctx->state[0] = 0xC1059ED8U;
179 ctx->state[1] = 0x367CD507U;
180 ctx->state[2] = 0x3070DD17U;
181 ctx->state[3] = 0xF70E5939U;
182 ctx->state[4] = 0xFFC00B31U;
183 ctx->state[5] = 0x68581511U;
184 ctx->state[6] = 0x64F98FA7U;
185 ctx->state[7] = 0xBEFA4FA4U;
186 }
187
188 ctx->is224 = is224;
189
190 return 0;
191 }
192
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const uint8_t data[64])193 int32_t mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, const uint8_t data[64])
194 {
195 uint32_t w[64];
196 uint32_t a[8];
197 uint32_t i;
198
199 for (i = 0U; i < 8U; i++) {
200 a[i] = ctx->state[i];
201 }
202
203 for (i = 0U; i < 16U; i++) {
204 w[i] = get_uint32_be(data, 4 * i);
205 }
206
207 for (i = 0U; i < 16U; i += 8U) {
208 hash_computation(a[0], a[1], a[2], &a[3], a[4], a[5], a[6], &a[7], w[i + 0U], k[i + 0U]);
209 hash_computation(a[7], a[0], a[1], &a[2], a[3], a[4], a[5], &a[6], w[i + 1U], k[i + 1U]);
210 hash_computation(a[6], a[7], a[0], &a[1], a[2], a[3], a[4], &a[5], w[i + 2U], k[i + 2U]);
211 hash_computation(a[5], a[6], a[7], &a[0], a[1], a[2], a[3], &a[4], w[i + 3U], k[i + 3U]);
212 hash_computation(a[4], a[5], a[6], &a[7], a[0], a[1], a[2], &a[3], w[i + 4U], k[i + 4U]);
213 hash_computation(a[3], a[4], a[5], &a[6], a[7], a[0], a[1], &a[2], w[i + 5U], k[i + 5U]);
214 hash_computation(a[2], a[3], a[4], &a[5], a[6], a[7], a[0], &a[1], w[i + 6U], k[i + 6U]);
215 hash_computation(a[1], a[2], a[3], &a[4], a[5], a[6], a[7], &a[0], w[i + 7U], k[i + 7U]);
216 }
217
218 for (i = 16U; i < 64U; i += 8U) {
219 decomposition(w, (i + 0U));
220 hash_computation(a[0], a[1], a[2], &a[3], a[4], a[5], a[6], &a[7], w[i + 0U], k[i + 0U]);
221
222 decomposition(w, (i + 1U));
223 hash_computation(a[7], a[0], a[1], &a[2], a[3], a[4], a[5], &a[6], w[i + 1U], k[i + 1U]);
224
225 decomposition(w, (i + 2U));
226 hash_computation(a[6], a[7], a[0], &a[1], a[2], a[3], a[4], &a[5], w[i + 2U], k[i + 2U]);
227
228 decomposition(w, (i + 3U));
229 hash_computation(a[5], a[6], a[7], &a[0], a[1], a[2], a[3], &a[4], w[i + 3U], k[i + 3U]);
230
231 decomposition(w, (i + 4U));
232 hash_computation(a[4], a[5], a[6], &a[7], a[0], a[1], a[2], &a[3], w[i + 4U], k[i + 4U]);
233
234 decomposition(w, (i + 5U));
235 hash_computation(a[3], a[4], a[5], &a[6], a[7], a[0], a[1], &a[2], w[i + 5U], k[i + 5U]);
236
237 decomposition(w, (i + 6U));
238 hash_computation(a[2], a[3], a[4], &a[5], a[6], a[7], a[0], &a[1], w[i + 6U], k[i + 6U]);
239
240 decomposition(w, (i + 7U));
241 hash_computation(a[1], a[2], a[3], &a[4], a[5], a[6], a[7], &a[0], w[i + 7U], k[i + 7U]);
242 }
243
244 for (i = 0U; i < 8U; i++) {
245 ctx->state[i] += a[i];
246 }
247
248 return 0;
249 }
250
251 /*
252 * SHA-256 process buffer
253 */
mbedtls_sha256_update_ret(mbedtls_sha256_context * ctx,const uint8_t * input,size_t ilen)254 int32_t mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx, const uint8_t *input, size_t ilen)
255 {
256 int32_t ret = 0;
257 size_t fill;
258 uint32_t left;
259 const uint8_t *data = input;
260 size_t len = ilen;
261
262 if ((len != 0U) && (data != NULL)) {
263 left = ctx->total[0] & 0x3FU;
264 fill = 64U - left;
265
266 ctx->total[0] += (uint32_t)len;
267 ctx->total[0] &= 0xFFFFFFFFU;
268
269 if (ctx->total[0] < (uint32_t)len) {
270 ctx->total[1]++;
271 }
272
273 if ((left != 0U) && (len >= fill)) {
274 (void)memcpy_s((void *)&ctx->buffer[left], fill, data, fill);
275
276 ret = mbedtls_internal_sha256_process(ctx, ctx->buffer);
277 if (ret == 0) {
278 data += fill;
279 len -= fill;
280 left = 0U;
281 }
282 }
283
284 if (ret == 0) {
285 while (len >= 64U) {
286 ret = mbedtls_internal_sha256_process(ctx, data);
287 if (ret == 0) {
288 data += 64;
289 len -= 64U;
290 break;
291 }
292 }
293
294 if (ret == 0) {
295 if (len > 0U) {
296 (void)memcpy_s((void *)&ctx->buffer[left], len, data, len);
297 }
298 }
299 }
300 }
301
302 return ret;
303 }
304
305 /*
306 * SHA-256 final digest
307 */
mbedtls_sha256_finish_ret(mbedtls_sha256_context * ctx,uint8_t output[32])308 int32_t mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx, uint8_t output[32])
309 {
310 int32_t ret = 0;
311 uint32_t used;
312 uint32_t high, low;
313
314 /*
315 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
316 */
317 used = ctx->total[0] & 0x3FU;
318
319 ctx->buffer[used] = 0x80U;
320
321 used++;
322
323 if (used <= 56U) {
324 /* Enough room for padding + length in current block */
325 (void)memset((void *)&ctx->buffer[used], 0U, 56U - used);
326 } else {
327 /* We'll need an extra block */
328 (void)memset((void *)&ctx->buffer[used], 0U, 64U - used);
329
330 ret = mbedtls_internal_sha256_process(ctx, ctx->buffer);
331 if (ret == 0) {
332 (void)memset(ctx->buffer, 0U, 56U);
333 }
334 }
335
336 /*
337 * Add message length
338 */
339 if (ret == 0) {
340 high = (ctx->total[0] >> 29)
341 | (ctx->total[1] << 3);
342 low = (ctx->total[0] << 3);
343
344 put_unint32_be(high, ctx->buffer, 56);
345 put_unint32_be(low, ctx->buffer, 60);
346
347 ret = mbedtls_internal_sha256_process(ctx, ctx->buffer);
348 if (ret == 0) {
349 /*
350 * Output final state
351 */
352 put_unint32_be(ctx->state[0], output, 0);
353 put_unint32_be(ctx->state[1], output, 4);
354 put_unint32_be(ctx->state[2], output, 8);
355 put_unint32_be(ctx->state[3], output, 12);
356 put_unint32_be(ctx->state[4], output, 16);
357 put_unint32_be(ctx->state[5], output, 20);
358 put_unint32_be(ctx->state[6], output, 24);
359
360 if (ctx->is224 == 0) {
361 put_unint32_be(ctx->state[7], output, 28);
362 }
363 }
364 }
365
366 return ret;
367 }
368
369 /*
370 * output = SHA-256(input buffer)
371 */
mbedtls_sha256_ret(const uint8_t * input,size_t ilen,uint8_t output[32],int32_t is224)372 int32_t mbedtls_sha256_ret(const uint8_t *input, size_t ilen, uint8_t output[32], int32_t is224)
373 {
374 int32_t ret = 0;
375 mbedtls_sha256_context ctx;
376
377 mbedtls_sha256_init(&ctx);
378
379 ret = mbedtls_sha256_starts_ret(&ctx, is224);
380 if (ret == 0) {
381 ret = mbedtls_sha256_update_ret(&ctx, input, ilen);
382 }
383
384 if (ret == 0) {
385 ret = mbedtls_sha256_finish_ret(&ctx, output);
386 }
387
388 mbedtls_sha256_free(&ctx);
389
390 return ret;
391 }
392