mbedTLS SHA: Fix cloning of SHA-384 digests

Hardware unit only reads 384 bits of state for SHA-384 LOAD, which is enough for final digest but not enough if you plan to resume digest in software.
espressif · Nov 25, 2016 · 88b264c · 88b264c
1 parent a902e2a
commit 88b264c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/components/esp32/hwcrypto/sha.c b/components/esp32/hwcrypto/sha.c
@@ -82,15 +82,15 @@ inline static size_t sha_engine_index(esp_sha_type type) {
     }
 }
 
-/* Return state & digest length (in bytes) for a given SHA type */
+/* Return digest length (in bytes) for a given SHA type */
 inline static size_t sha_length(esp_sha_type type) {
     switch(type) {
     case SHA1:
         return 20;
     case SHA2_256:
         return 32;
     case SHA2_384:
-        return 64;
+        return 48;
     case SHA2_512:
         return 64;
     default:

diff --git a/components/esp32/include/hwcrypto/sha.h b/components/esp32/include/hwcrypto/sha.h
@@ -113,11 +113,14 @@ void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_
  * value that is read is the SHA digest (in big endian
  * format). Otherwise, the value that is read is an interim SHA state.
  *
+ * @note If sha_type is SHA2_384, only 48 bytes of state will be read.
+ * This is enough for the final SHA2_384 digest, but if you want the
+ * interim SHA-384 state (to continue digesting) then pass SHA2_512 instead.
+ *
  * @param sha_type SHA algorithm in use.
  *
  * @param state Pointer to a memory buffer to hold the SHA state. Size
- * is 20 bytes (SHA1), 64 bytes (SHA2_256), or 128 bytes (SHA2_384 or
- * SHA2_512).
+ * is 20 bytes (SHA1), 32 bytes (SHA2_256), 48 bytes (SHA2_384) or 64 bytes (SHA2_512).
  *
  */
 void esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state);

diff --git a/components/mbedtls/port/esp_sha512.c b/components/mbedtls/port/esp_sha512.c
@@ -121,8 +121,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
     if (src->mode == ESP_MBEDTLS_SHA512_HARDWARE) {
         /* Copy hardware digest state out to cloned state,
            which will be a software digest.
+
+           Always read 512 bits of state, even for SHA-384
+           (SHA-384 state is identical to SHA-512, only
+           digest is truncated.)
         */
-        esp_sha_read_digest_state(sha_type(dst), dst->state);
+        esp_sha_read_digest_state(SHA2_512, dst->state);
         dst->mode = ESP_MBEDTLS_SHA512_SOFTWARE;
     }
 }