SHA512 support (#223)

DmitriyMusatkin · web-flow · commit 6cde8e79f26f · 2025-10-02T10:18:13.000-07:00
diff --git a/include/aws/cal/hash.h b/include/aws/cal/hash.h
@@ -11,6 +11,7 @@
 
 AWS_PUSH_SANE_WARNING_LEVEL
 
+#define AWS_SHA512_LEN 64
 #define AWS_SHA256_LEN 32
 #define AWS_SHA1_LEN 20
 #define AWS_MD5_LEN 16
@@ -36,6 +37,11 @@ struct aws_hash {
 typedef struct aws_hash *(aws_hash_new_fn)(struct aws_allocator *allocator);
 
 AWS_EXTERN_C_BEGIN
+/**
+ * Allocates and initializes a sha256 hash instance.
+ */
+AWS_CAL_API struct aws_hash *aws_sha512_new(struct aws_allocator *allocator);
+
 /**
  * Allocates and initializes a sha256 hash instance.
  */
@@ -78,6 +84,20 @@ AWS_CAL_API int aws_md5_compute(
     struct aws_byte_buf *output,
     size_t truncate_to);
 
+/**
+ * Computes the sha512 hash over input and writes the digest output to 'output'.
+ * Use this if you don't need to stream the data you're hashing and you can load
+ * the entire input to hash into memory. If you specify truncate_to to something
+ * other than 0, the output will be truncated to that number of bytes. For
+ * example, if you want a SHA512 digest as the first 16 bytes, set truncate_to
+ * to 16. If you want the full digest size, just set this to 0.
+ */
+AWS_CAL_API int aws_sha512_compute(
+    struct aws_allocator *allocator,
+    const struct aws_byte_cursor *input,
+    struct aws_byte_buf *output,
+    size_t truncate_to);
+
 /**
  * Computes the sha256 hash over input and writes the digest output to 'output'.
  * Use this if you don't need to stream the data you're hashing and you can load
@@ -115,6 +135,15 @@ AWS_CAL_API int aws_sha1_compute(
  */
 AWS_CAL_API void aws_set_md5_new_fn(aws_hash_new_fn *fn);
 
+/**
+ * Set the implementation of sha512 to use. If you compiled without
+ * BYO_CRYPTO, you do not need to call this. However, if use this, we will
+ * honor it, regardless of compile options. This may be useful for testing
+ * purposes. If you did set BYO_CRYPTO, and you do not call this function
+ * you will segfault.
+ */
+AWS_CAL_API void aws_set_sha512_new_fn(aws_hash_new_fn *fn);
+
 /**
  * Set the implementation of sha256 to use. If you compiled without
  * BYO_CRYPTO, you do not need to call this. However, if use this, we will
diff --git a/source/darwin/commoncrypto_sha1.c b/source/darwin/commoncrypto_sha1.c
@@ -27,10 +27,6 @@ struct cc_sha1_hash {
 struct aws_hash *aws_sha1_default_new(struct aws_allocator *allocator) {
     struct cc_sha1_hash *sha1_hash = aws_mem_acquire(allocator, sizeof(struct cc_sha1_hash));
 
-    if (!sha1_hash) {
-        return NULL;
-    }
-
     sha1_hash->hash.allocator = allocator;
     sha1_hash->hash.vtable = &s_vtable;
     sha1_hash->hash.impl = sha1_hash;
diff --git a/source/darwin/commoncrypto_sha256.c b/source/darwin/commoncrypto_sha256.c
@@ -26,10 +26,6 @@ struct cc_sha256_hash {
 struct aws_hash *aws_sha256_default_new(struct aws_allocator *allocator) {
     struct cc_sha256_hash *sha256_hash = aws_mem_acquire(allocator, sizeof(struct cc_sha256_hash));
 
-    if (!sha256_hash) {
-        return NULL;
-    }
-
     sha256_hash->hash.allocator = allocator;
     sha256_hash->hash.vtable = &s_vtable;
     sha256_hash->hash.impl = sha256_hash;
diff --git a/source/darwin/commoncrypto_sha512.c b/source/darwin/commoncrypto_sha512.c
@@ -0,0 +1,72 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/cal/hash.h>
+
+#include <CommonCrypto/CommonDigest.h>
+
+static void s_destroy(struct aws_hash *hash);
+static int s_update(struct aws_hash *hash, const struct aws_byte_cursor *to_hash);
+static int s_finalize(struct aws_hash *hash, struct aws_byte_buf *output);
+
+static struct aws_hash_vtable s_vtable = {
+    .destroy = s_destroy,
+    .update = s_update,
+    .finalize = s_finalize,
+    .alg_name = "SHA512",
+    .provider = "CommonCrypto",
+};
+
+struct cc_sha512_hash {
+    struct aws_hash hash;
+    CC_SHA512_CTX cc_hash;
+};
+
+struct aws_hash *aws_sha512_default_new(struct aws_allocator *allocator) {
+    struct cc_sha512_hash *sha512_hash = aws_mem_acquire(allocator, sizeof(struct cc_sha512_hash));
+
+    sha512_hash->hash.allocator = allocator;
+    sha512_hash->hash.vtable = &s_vtable;
+    sha512_hash->hash.impl = sha512_hash;
+    sha512_hash->hash.digest_size = AWS_SHA512_LEN;
+    sha512_hash->hash.good = true;
+
+    CC_SHA512_Init(&sha512_hash->cc_hash);
+    return &sha512_hash->hash;
+}
+
+static void s_destroy(struct aws_hash *hash) {
+    struct cc_sha512_hash *ctx = hash->impl;
+    aws_mem_release(hash->allocator, ctx);
+}
+
+static int s_update(struct aws_hash *hash, const struct aws_byte_cursor *to_hash) {
+    if (!hash->good) {
+        return aws_raise_error(AWS_ERROR_INVALID_STATE);
+    }
+
+    struct cc_sha512_hash *ctx = hash->impl;
+
+    CC_SHA512_Update(&ctx->cc_hash, to_hash->ptr, (CC_LONG)to_hash->len);
+    return AWS_OP_SUCCESS;
+}
+
+static int s_finalize(struct aws_hash *hash, struct aws_byte_buf *output) {
+    if (!hash->good) {
+        return aws_raise_error(AWS_ERROR_INVALID_STATE);
+    }
+
+    struct cc_sha512_hash *ctx = hash->impl;
+
+    size_t buffer_len = output->capacity - output->len;
+
+    if (buffer_len < hash->digest_size) {
+        return aws_raise_error(AWS_ERROR_SHORT_BUFFER);
+    }
+
+    CC_SHA512_Final(output->buffer + output->len, &ctx->cc_hash);
+    hash->good = false;
+    output->len += hash->digest_size;
+    return AWS_OP_SUCCESS;
+}
diff --git a/source/hash.c b/source/hash.c
@@ -5,10 +5,12 @@
 #include <aws/cal/hash.h>
 
 #ifndef BYO_CRYPTO
+extern struct aws_hash *aws_sha512_default_new(struct aws_allocator *allocator);
 extern struct aws_hash *aws_sha256_default_new(struct aws_allocator *allocator);
 extern struct aws_hash *aws_sha1_default_new(struct aws_allocator *allocator);
 extern struct aws_hash *aws_md5_default_new(struct aws_allocator *allocator);
 
+static aws_hash_new_fn *s_sha512_new_fn = aws_sha512_default_new;
 static aws_hash_new_fn *s_sha256_new_fn = aws_sha256_default_new;
 static aws_hash_new_fn *s_sha1_new_fn = aws_sha1_default_new;
 static aws_hash_new_fn *s_md5_new_fn = aws_md5_default_new;
@@ -18,6 +20,7 @@ static struct aws_hash *aws_hash_new_abort(struct aws_allocator *allocator) {
     abort();
 }
 
+static aws_hash_new_fn *s_sha512_new_fn = aws_hash_new_abort;
 static aws_hash_new_fn *s_sha256_new_fn = aws_hash_new_abort;
 static aws_hash_new_fn *s_sha1_new_fn = aws_hash_new_abort;
 static aws_hash_new_fn *s_md5_new_fn = aws_hash_new_abort;
@@ -27,6 +30,10 @@ struct aws_hash *aws_sha1_new(struct aws_allocator *allocator) {
     return s_sha1_new_fn(allocator);
 }
 
+struct aws_hash *aws_sha512_new(struct aws_allocator *allocator) {
+    return s_sha512_new_fn(allocator);
+}
+
 struct aws_hash *aws_sha256_new(struct aws_allocator *allocator) {
     return s_sha256_new_fn(allocator);
 }
@@ -39,6 +46,10 @@ void aws_set_md5_new_fn(aws_hash_new_fn *fn) {
     s_md5_new_fn = fn;
 }
 
+void aws_set_sha512_new_fn(aws_hash_new_fn *fn) {
+    s_sha512_new_fn = fn;
+}
+
 void aws_set_sha256_new_fn(aws_hash_new_fn *fn) {
     s_sha256_new_fn = fn;
 }
@@ -112,6 +123,14 @@ int aws_md5_compute(
     return compute_hash(aws_md5_new(allocator), input, output, truncate_to);
 }
 
+int aws_sha512_compute(
+    struct aws_allocator *allocator,
+    const struct aws_byte_cursor *input,
+    struct aws_byte_buf *output,
+    size_t truncate_to) {
+    return compute_hash(aws_sha512_new(allocator), input, output, truncate_to);
+}
+
 int aws_sha256_compute(
     struct aws_allocator *allocator,
     const struct aws_byte_cursor *input,
diff --git a/source/unix/opensslcrypto_hash.c b/source/unix/opensslcrypto_hash.c
@@ -20,6 +20,14 @@ static struct aws_hash_vtable s_md5_vtable = {
     .provider = "OpenSSL Compatible libcrypto",
 };
 
+static struct aws_hash_vtable s_sha512_vtable = {
+    .destroy = s_destroy,
+    .update = s_update,
+    .finalize = s_finalize,
+    .alg_name = "SHA512",
+    .provider = "OpenSSL Compatible libcrypto",
+};
+
 static struct aws_hash_vtable s_sha256_vtable = {
     .destroy = s_destroy,
     .update = s_update,
@@ -52,22 +60,14 @@ static void s_destroy(struct aws_hash *hash) {
 struct aws_hash *aws_md5_default_new(struct aws_allocator *allocator) {
     struct aws_hash *hash = aws_mem_acquire(allocator, sizeof(struct aws_hash));
 
-    if (!hash) {
-        return NULL;
-    }
-
     hash->allocator = allocator;
     hash->vtable = &s_md5_vtable;
     hash->digest_size = AWS_MD5_LEN;
     EVP_MD_CTX *ctx = g_aws_openssl_evp_md_ctx_table->new_fn();
     hash->impl = ctx;
     hash->good = true;
 
-    if (!hash->impl) {
-        s_destroy(hash);
-        aws_raise_error(AWS_ERROR_OOM);
-        return NULL;
-    }
+    AWS_FATAL_ASSERT(hash->impl);
 
     if (!g_aws_openssl_evp_md_ctx_table->init_ex_fn(ctx, EVP_md5(), NULL)) {
         s_destroy(hash);
@@ -78,25 +78,38 @@ struct aws_hash *aws_md5_default_new(struct aws_allocator *allocator) {
     return hash;
 }
 
-struct aws_hash *aws_sha256_default_new(struct aws_allocator *allocator) {
+struct aws_hash *aws_sha512_default_new(struct aws_allocator *allocator) {
     struct aws_hash *hash = aws_mem_acquire(allocator, sizeof(struct aws_hash));
 
-    if (!hash) {
+    hash->allocator = allocator;
+    hash->vtable = &s_sha512_vtable;
+    hash->digest_size = AWS_SHA512_LEN;
+    EVP_MD_CTX *ctx = g_aws_openssl_evp_md_ctx_table->new_fn();
+    hash->impl = ctx;
+    hash->good = true;
+
+    AWS_FATAL_ASSERT(hash->impl);
+
+    if (!g_aws_openssl_evp_md_ctx_table->init_ex_fn(ctx, EVP_sha512(), NULL)) {
+        s_destroy(hash);
+        aws_raise_error(AWS_ERROR_UNKNOWN);
         return NULL;
     }
 
+    return hash;
+}
+
+struct aws_hash *aws_sha256_default_new(struct aws_allocator *allocator) {
+    struct aws_hash *hash = aws_mem_acquire(allocator, sizeof(struct aws_hash));
+
     hash->allocator = allocator;
     hash->vtable = &s_sha256_vtable;
     hash->digest_size = AWS_SHA256_LEN;
     EVP_MD_CTX *ctx = g_aws_openssl_evp_md_ctx_table->new_fn();
     hash->impl = ctx;
     hash->good = true;
 
-    if (!hash->impl) {
-        s_destroy(hash);
-        aws_raise_error(AWS_ERROR_OOM);
-        return NULL;
-    }
+    AWS_FATAL_ASSERT(hash->impl);
 
     if (!g_aws_openssl_evp_md_ctx_table->init_ex_fn(ctx, EVP_sha256(), NULL)) {
         s_destroy(hash);
@@ -110,22 +123,14 @@ struct aws_hash *aws_sha256_default_new(struct aws_allocator *allocator) {
 struct aws_hash *aws_sha1_default_new(struct aws_allocator *allocator) {
     struct aws_hash *hash = aws_mem_acquire(allocator, sizeof(struct aws_hash));
 
-    if (!hash) {
-        return NULL;
-    }
-
     hash->allocator = allocator;
     hash->vtable = &s_sha1_vtable;
     hash->digest_size = AWS_SHA1_LEN;
     EVP_MD_CTX *ctx = g_aws_openssl_evp_md_ctx_table->new_fn();
     hash->impl = ctx;
     hash->good = true;
 
-    if (!hash->impl) {
-        s_destroy(hash);
-        aws_raise_error(AWS_ERROR_OOM);
-        return NULL;
-    }
+    AWS_FATAL_ASSERT(hash->impl);
 
     if (!g_aws_openssl_evp_md_ctx_table->init_ex_fn(ctx, EVP_sha1(), NULL)) {
         s_destroy(hash);
diff --git a/source/windows/bcrypt_hash.c b/source/windows/bcrypt_hash.c
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
diff --git a/tests/sha512_test.c b/tests/sha512_test.c
