From: Angus Gratton Date: Fri, 25 Nov 2016 08:07:19 +0000 (+1100) Subject: mbedTLS SHA: Fix cloning of SHA-384 digests X-Git-Tag: v1.0~13^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=88b264cfcee5cccd7cbd6aa0d277f6156d8e49a4;p=esp-idf mbedTLS SHA: Fix cloning of SHA-384 digests Hardware unit only reads 384 bits of state for SHA-384 LOAD, which is enough for final digest but not enough if you plan to resume digest in software. --- diff --git a/components/esp32/hwcrypto/sha.c b/components/esp32/hwcrypto/sha.c index 601981e2a1..61e37b01d2 100644 --- a/components/esp32/hwcrypto/sha.c +++ b/components/esp32/hwcrypto/sha.c @@ -82,7 +82,7 @@ inline static size_t sha_engine_index(esp_sha_type type) { } } -/* Return state & digest length (in bytes) for a given SHA type */ +/* Return digest length (in bytes) for a given SHA type */ inline static size_t sha_length(esp_sha_type type) { switch(type) { case SHA1: @@ -90,7 +90,7 @@ inline static size_t sha_length(esp_sha_type type) { case SHA2_256: return 32; case SHA2_384: - return 64; + return 48; case SHA2_512: return 64; default: diff --git a/components/esp32/include/hwcrypto/sha.h b/components/esp32/include/hwcrypto/sha.h index 2a0ec78abe..921f597fdd 100644 --- a/components/esp32/include/hwcrypto/sha.h +++ b/components/esp32/include/hwcrypto/sha.h @@ -113,11 +113,14 @@ void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_ * value that is read is the SHA digest (in big endian * format). Otherwise, the value that is read is an interim SHA state. * + * @note If sha_type is SHA2_384, only 48 bytes of state will be read. + * This is enough for the final SHA2_384 digest, but if you want the + * interim SHA-384 state (to continue digesting) then pass SHA2_512 instead. + * * @param sha_type SHA algorithm in use. * * @param state Pointer to a memory buffer to hold the SHA state. Size - * is 20 bytes (SHA1), 64 bytes (SHA2_256), or 128 bytes (SHA2_384 or - * SHA2_512). + * is 20 bytes (SHA1), 32 bytes (SHA2_256), 48 bytes (SHA2_384) or 64 bytes (SHA2_512). * */ void esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state); diff --git a/components/mbedtls/port/esp_sha512.c b/components/mbedtls/port/esp_sha512.c index cfd0f3fdfe..7a2bb15cb7 100644 --- a/components/mbedtls/port/esp_sha512.c +++ b/components/mbedtls/port/esp_sha512.c @@ -121,8 +121,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, if (src->mode == ESP_MBEDTLS_SHA512_HARDWARE) { /* Copy hardware digest state out to cloned state, which will be a software digest. + + Always read 512 bits of state, even for SHA-384 + (SHA-384 state is identical to SHA-512, only + digest is truncated.) */ - esp_sha_read_digest_state(sha_type(dst), dst->state); + esp_sha_read_digest_state(SHA2_512, dst->state); dst->mode = ESP_MBEDTLS_SHA512_SOFTWARE; } }