mbedTLS SHA: Fix cloning of SHA-384 digests

Hardware unit only reads 384 bits of state for SHA-384 LOAD,
which is enough for final digest but not enough if you plan to
resume digest in software.
Angus Gratton 2016-11-25 19:07:19 +11:00
parent a902e2a9de
commit 88b264cfce
3 changed files with 12 additions and 5 deletions


@ -82,7 +82,7 @@ inline static size_t sha_engine_index(esp_sha_type type) {
}
}
/* Return state & digest length (in bytes) for a given SHA type */
/* Return digest length (in bytes) for a given SHA type */
inline static size_t sha_length(esp_sha_type type) {
switch(type) {
case SHA1:
@ -90,7 +90,7 @@ inline static size_t sha_length(esp_sha_type type) {
case SHA2_256:
return 32;
case SHA2_384:
return 64;
return 48;
case SHA2_512:
return 64;
default:
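Review bot: With `case SHA2_384` now returning 48, sha_length() no longer describes the size of the interim state, so any caller that still uses it to size or copy a resumable SHA-384 state would get a truncated state and produce a wrong digest after resuming. The callers are not visible in this section, so each use should be checked to confirm it really wants the digest length. I would make the distinction explicit in the comment, e.g. `/* Return digest length (in bytes); for SHA2_384 this is shorter than the 64-byte internal state */`. The switch continues past the end of the hunk.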


@ -113,11 +113,14 @@ void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_
* value that is read is the SHA digest (in big endian
* format). Otherwise, the value that is read is an interim SHA state.
*
* @note If sha_type is SHA2_384, only 48 bytes of state will be read.
* This is enough for the final SHA2_384 digest, but if you want the
* interim SHA-384 state (to continue digesting) then pass SHA2_512 instead.
*
* @param sha_type SHA algorithm in use.
*
* @param state Pointer to a memory buffer to hold the SHA state. Size
* is 20 bytes (SHA1), 64 bytes (SHA2_256), or 128 bytes (SHA2_384 or
* SHA2_512).
* is 20 bytes (SHA1), 32 bytes (SHA2_256), 48 bytes (SHA2_384) or 64 bytes (SHA2_512).
*
*/
void esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state);
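Review bot: The `@param` line names `state`, but the prototype's parameter is `digest_state`, so the documentation does not attach to the real parameter. The added `@note` also leaves the buffer size implicit for the SHA-384 resume case. A caller who sizes the buffer at 48 bytes for SHA2_384 and then follows the note by passing SHA2_512 will have 64 bytes written into it, because the function takes no length argument. I would rename the tag to `@param digest_state` and end the note with `(the buffer must then hold 64 bytes)`.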


@ -121,8 +121,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
if (src->mode == ESP_MBEDTLS_SHA512_HARDWARE) {
/* Copy hardware digest state out to cloned state,
which will be a software digest.
Always read 512 bits of state, even for SHA-384
(SHA-384 state is identical to SHA-512, only
digest is truncated.)
*/
esp_sha_read_digest_state(sha_type(dst), dst->state);
esp_sha_read_digest_state(SHA2_512, dst->state);
dst->mode = ESP_MBEDTLS_SHA512_SOFTWARE;
}
}
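Review bot: The hard-coded `SHA2_512` in the `esp_sha_read_digest_state` call depends on two invariants that the new comment does not state: that a SHA-384 context uses the same hardware engine (and lock) as SHA2_512, and that `dst->state` holds at least 64 bytes. Neither is visible in this hunk; the engine mapping is in sha_engine_index() and the context layout is declared elsewhere. I would add to the comment `Relies on SHA2_384 and SHA2_512 sharing one hardware engine; dst->state must be 64 bytes.` so a later change to either does not silently break cloning. mbedtls_sha512_clone starts above the hunk.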