TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 312da33ef121dcbaad3dee049f7b34243aead792 / . / library / sha2.c
blob: f8bbb7a3a32fdb630428d45f309f367aa2c9c2e3 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27 *
28 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]37#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38#include <stdio.h>
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]41/* Implementation that should never be optimized out by the compiler */
42static void polarssl_zeroize( void *v, size_t n ) {
43 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
44}
45
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]46#if !defined(POLARSSL_SHA2_ALT)
47
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48/*
49 * 32-bit integer manipulation macros (big endian)
50 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]51#ifndef GET_UINT32_BE
52#define GET_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]54 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
55 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
56 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
57 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58}
59#endif
60
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef PUT_UINT32_BE
62#define PUT_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
64 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
65 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
66 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
67 (b)[(i) + 3] = (unsigned char) ( (n) ); \
68}
69#endif
70
71/*
72 * SHA-256 context setup
73 */
74void sha2_starts( sha2_context *ctx, int is224 )
75{
76 ctx->total[0] = 0;
77 ctx->total[1] = 0;
78
79 if( is224 == 0 )
80 {
81 /* SHA-256 */
82 ctx->state[0] = 0x6A09E667;
83 ctx->state[1] = 0xBB67AE85;
84 ctx->state[2] = 0x3C6EF372;
85 ctx->state[3] = 0xA54FF53A;
86 ctx->state[4] = 0x510E527F;
87 ctx->state[5] = 0x9B05688C;
88 ctx->state[6] = 0x1F83D9AB;
89 ctx->state[7] = 0x5BE0CD19;
90 }
91 else
92 {
93 /* SHA-224 */
94 ctx->state[0] = 0xC1059ED8;
95 ctx->state[1] = 0x367CD507;
96 ctx->state[2] = 0x3070DD17;
97 ctx->state[3] = 0xF70E5939;
98 ctx->state[4] = 0xFFC00B31;
99 ctx->state[5] = 0x68581511;
100 ctx->state[6] = 0x64F98FA7;
101 ctx->state[7] = 0xBEFA4FA4;
102 }
103
104 ctx->is224 = is224;
105}
106
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]107void sha2_process( sha2_context *ctx, const unsigned char data[64] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]108{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]109 uint32_t temp1, temp2, W[64];
110 uint32_t A, B, C, D, E, F, G, H;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]111
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]112 GET_UINT32_BE( W[ 0], data, 0 );
113 GET_UINT32_BE( W[ 1], data, 4 );
114 GET_UINT32_BE( W[ 2], data, 8 );
115 GET_UINT32_BE( W[ 3], data, 12 );
116 GET_UINT32_BE( W[ 4], data, 16 );
117 GET_UINT32_BE( W[ 5], data, 20 );
118 GET_UINT32_BE( W[ 6], data, 24 );
119 GET_UINT32_BE( W[ 7], data, 28 );
120 GET_UINT32_BE( W[ 8], data, 32 );
121 GET_UINT32_BE( W[ 9], data, 36 );
122 GET_UINT32_BE( W[10], data, 40 );
123 GET_UINT32_BE( W[11], data, 44 );
124 GET_UINT32_BE( W[12], data, 48 );
125 GET_UINT32_BE( W[13], data, 52 );
126 GET_UINT32_BE( W[14], data, 56 );
127 GET_UINT32_BE( W[15], data, 60 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]128
129#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
130#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
131
132#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
133#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
134
135#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
136#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
137
138#define F0(x,y,z) ((x & y) | (z & (x | y)))
139#define F1(x,y,z) (z ^ (x & (y ^ z)))
140
141#define R(t) \
142( \
143 W[t] = S1(W[t - 2]) + W[t - 7] + \
144 S0(W[t - 15]) + W[t - 16] \
145)
146
147#define P(a,b,c,d,e,f,g,h,x,K) \
148{ \
149 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
150 temp2 = S2(a) + F0(a,b,c); \
151 d += temp1; h = temp1 + temp2; \
152}
153
154 A = ctx->state[0];
155 B = ctx->state[1];
156 C = ctx->state[2];
157 D = ctx->state[3];
158 E = ctx->state[4];
159 F = ctx->state[5];
160 G = ctx->state[6];
161 H = ctx->state[7];
162
163 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
164 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
165 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
166 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
167 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
168 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
169 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
170 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
171 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
172 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
173 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
174 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
175 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
176 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
177 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
178 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
179 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
180 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
181 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
182 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
183 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
184 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
185 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
186 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
187 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
188 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
189 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
190 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
191 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
192 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
193 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
194 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
195 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
196 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
197 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
198 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
199 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
200 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
201 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
202 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
203 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
204 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
205 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
206 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
207 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
208 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
209 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
210 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
211 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
212 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
213 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
214 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
215 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
216 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
217 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
218 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
219 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
220 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
221 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
222 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
223 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
224 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
225 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
226 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
227
228 ctx->state[0] += A;
229 ctx->state[1] += B;
230 ctx->state[2] += C;
231 ctx->state[3] += D;
232 ctx->state[4] += E;
233 ctx->state[5] += F;
234 ctx->state[6] += G;
235 ctx->state[7] += H;
236}
237
238/*
239 * SHA-256 process buffer
240 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]241void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]242{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]243 size_t fill;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]244 uint32_t left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245
246 if( ilen <= 0 )
247 return;
248
249 left = ctx->total[0] & 0x3F;
250 fill = 64 - left;
251
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]252 ctx->total[0] += (uint32_t) ilen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253 ctx->total[0] &= 0xFFFFFFFF;
254
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]255 if( ctx->total[0] < (uint32_t) ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256 ctx->total[1]++;
257
258 if( left && ilen >= fill )
259 {
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]260 memcpy( (void *) (ctx->buffer + left), input, fill );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]261 sha2_process( ctx, ctx->buffer );
262 input += fill;
263 ilen -= fill;
264 left = 0;
265 }
266
267 while( ilen >= 64 )
268 {
269 sha2_process( ctx, input );
270 input += 64;
271 ilen -= 64;
272 }
273
274 if( ilen > 0 )
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]275 memcpy( (void *) (ctx->buffer + left), input, ilen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]276}
277
278static const unsigned char sha2_padding[64] =
279{
280 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
284};
285
286/*
287 * SHA-256 final digest
288 */
289void sha2_finish( sha2_context *ctx, unsigned char output[32] )
290{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]291 uint32_t last, padn;
292 uint32_t high, low;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 unsigned char msglen[8];
294
295 high = ( ctx->total[0] >> 29 )
296 | ( ctx->total[1] << 3 );
297 low = ( ctx->total[0] << 3 );
298
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]299 PUT_UINT32_BE( high, msglen, 0 );
300 PUT_UINT32_BE( low, msglen, 4 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]301
302 last = ctx->total[0] & 0x3F;
303 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
304
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]305 sha2_update( ctx, sha2_padding, padn );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]306 sha2_update( ctx, msglen, 8 );
307
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]308 PUT_UINT32_BE( ctx->state[0], output, 0 );
309 PUT_UINT32_BE( ctx->state[1], output, 4 );
310 PUT_UINT32_BE( ctx->state[2], output, 8 );
311 PUT_UINT32_BE( ctx->state[3], output, 12 );
312 PUT_UINT32_BE( ctx->state[4], output, 16 );
313 PUT_UINT32_BE( ctx->state[5], output, 20 );
314 PUT_UINT32_BE( ctx->state[6], output, 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315
316 if( ctx->is224 == 0 )
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317 PUT_UINT32_BE( ctx->state[7], output, 28 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318}
319
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]320#endif /* !POLARSSL_SHA2_ALT */
321
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322/*
323 * output = SHA-256( input buffer )
324 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]325void sha2( const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326 unsigned char output[32], int is224 )
327{
328 sha2_context ctx;
329
330 sha2_starts( &ctx, is224 );
331 sha2_update( &ctx, input, ilen );
332 sha2_finish( &ctx, output );
333
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]334 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335}
336
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]337#if defined(POLARSSL_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]338/*
339 * output = SHA-256( file contents )
340 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]341int sha2_file( const char *path, unsigned char output[32], int is224 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342{
343 FILE *f;
344 size_t n;
345 sha2_context ctx;
346 unsigned char buf[1024];
347
348 if( ( f = fopen( path, "rb" ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]349 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351 sha2_starts( &ctx, is224 );
352
353 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]354 sha2_update( &ctx, buf, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356 sha2_finish( &ctx, output );
357
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]358 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
360 if( ferror( f ) != 0 )
361 {
362 fclose( f );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]363 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364 }
365
366 fclose( f );
367 return( 0 );
368}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]369#endif /* POLARSSL_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370
371/*
372 * SHA-256 HMAC context setup
373 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]374void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375 int is224 )
376{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]377 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378 unsigned char sum[32];
379
380 if( keylen > 64 )
381 {
382 sha2( key, keylen, sum, is224 );
383 keylen = ( is224 ) ? 28 : 32;
384 key = sum;
385 }
386
387 memset( ctx->ipad, 0x36, 64 );
388 memset( ctx->opad, 0x5C, 64 );
389
390 for( i = 0; i < keylen; i++ )
391 {
392 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
393 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
394 }
395
396 sha2_starts( ctx, is224 );
397 sha2_update( ctx, ctx->ipad, 64 );
398
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]399 polarssl_zeroize( sum, sizeof( sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]400}
401
402/*
403 * SHA-256 HMAC process buffer
404 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]405void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]406{
407 sha2_update( ctx, input, ilen );
408}
409
410/*
411 * SHA-256 HMAC final digest
412 */
413void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
414{
415 int is224, hlen;
416 unsigned char tmpbuf[32];
417
418 is224 = ctx->is224;
419 hlen = ( is224 == 0 ) ? 32 : 28;
420
421 sha2_finish( ctx, tmpbuf );
422 sha2_starts( ctx, is224 );
423 sha2_update( ctx, ctx->opad, 64 );
424 sha2_update( ctx, tmpbuf, hlen );
425 sha2_finish( ctx, output );
426
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]427 polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428}
429
430/*
Paul Bakker7d3b6612010-03-21 16:23:13 +0000[diff] [blame]431 * SHA-256 HMAC context reset
432 */
433void sha2_hmac_reset( sha2_context *ctx )
434{
435 sha2_starts( ctx, ctx->is224 );
436 sha2_update( ctx, ctx->ipad, 64 );
437}
438
439/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 * output = HMAC-SHA-256( hmac key, input buffer )
441 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]442void sha2_hmac( const unsigned char *key, size_t keylen,
443 const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444 unsigned char output[32], int is224 )
445{
446 sha2_context ctx;
447
448 sha2_hmac_starts( &ctx, key, keylen, is224 );
449 sha2_hmac_update( &ctx, input, ilen );
450 sha2_hmac_finish( &ctx, output );
451
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]452 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453}
454
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]455#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]456/*
457 * FIPS-180-2 test vectors
458 */
459static unsigned char sha2_test_buf[3][57] =
460{
461 { "abc" },
462 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
463 { "" }
464};
465
466static const int sha2_test_buflen[3] =
467{
468 3, 56, 1000
469};
470
471static const unsigned char sha2_test_sum[6][32] =
472{
473 /*
474 * SHA-224 test vectors
475 */
476 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
477 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
478 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
479 0xE3, 0x6C, 0x9D, 0xA7 },
480 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
481 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
482 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
483 0x52, 0x52, 0x25, 0x25 },
484 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
485 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
486 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
487 0x4E, 0xE7, 0xAD, 0x67 },
488
489 /*
490 * SHA-256 test vectors
491 */
492 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
493 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
494 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
495 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
496 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
497 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
498 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
499 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
500 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
501 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
502 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
503 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
504};
505
506/*
507 * RFC 4231 test vectors
508 */
509static unsigned char sha2_hmac_test_key[7][26] =
510{
511 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
512 "\x0B\x0B\x0B\x0B" },
513 { "Jefe" },
514 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
515 "\xAA\xAA\xAA\xAA" },
516 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
517 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
518 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
519 "\x0C\x0C\x0C\x0C" },
520 { "" }, /* 0xAA 131 times */
521 { "" }
522};
523
524static const int sha2_hmac_test_keylen[7] =
525{
526 20, 4, 20, 25, 20, 131, 131
527};
528
529static unsigned char sha2_hmac_test_buf[7][153] =
530{
531 { "Hi There" },
532 { "what do ya want for nothing?" },
533 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
534 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
535 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
536 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
537 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
538 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
539 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
540 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
541 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
542 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
543 { "Test With Truncation" },
544 { "Test Using Larger Than Block-Size Key - Hash Key First" },
545 { "This is a test using a larger than block-size key "
546 "and a larger than block-size data. The key needs to "
547 "be hashed before being used by the HMAC algorithm." }
548};
549
550static const int sha2_hmac_test_buflen[7] =
551{
552 8, 28, 50, 50, 20, 54, 152
553};
554
555static const unsigned char sha2_hmac_test_sum[14][32] =
556{
557 /*
558 * HMAC-SHA-224 test vectors
559 */
560 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
561 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
562 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
563 0x53, 0x68, 0x4B, 0x22 },
564 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
565 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
566 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
567 0x8F, 0xD0, 0x5E, 0x44 },
568 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
569 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
570 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
571 0xEC, 0x83, 0x33, 0xEA },
572 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
573 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
574 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
575 0xE7, 0xAF, 0xEC, 0x5A },
576 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
577 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
578 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
579 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
580 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
581 0x3F, 0xA6, 0x87, 0x0E },
582 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
583 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
584 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
585 0xF6, 0xF5, 0x65, 0xD1 },
586
587 /*
588 * HMAC-SHA-256 test vectors
589 */
590 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
591 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
592 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
593 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
594 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
595 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
596 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
597 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
598 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
599 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
600 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
601 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
602 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
603 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
604 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
605 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
606 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
607 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
608 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
609 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
610 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
611 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
612 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
613 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
614 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
615 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
616};
617
618/*
619 * Checkup routine
620 */
621int sha2_self_test( int verbose )
622{
623 int i, j, k, buflen;
624 unsigned char buf[1024];
625 unsigned char sha2sum[32];
626 sha2_context ctx;
627
628 for( i = 0; i < 6; i++ )
629 {
630 j = i % 3;
631 k = i < 3;
632
633 if( verbose != 0 )
634 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
635
636 sha2_starts( &ctx, k );
637
638 if( j == 2 )
639 {
640 memset( buf, 'a', buflen = 1000 );
641
642 for( j = 0; j < 1000; j++ )
643 sha2_update( &ctx, buf, buflen );
644 }
645 else
646 sha2_update( &ctx, sha2_test_buf[j],
647 sha2_test_buflen[j] );
648
649 sha2_finish( &ctx, sha2sum );
650
651 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
652 {
653 if( verbose != 0 )
654 printf( "failed\n" );
655
656 return( 1 );
657 }
658
659 if( verbose != 0 )
660 printf( "passed\n" );
661 }
662
663 if( verbose != 0 )
664 printf( "\n" );
665
666 for( i = 0; i < 14; i++ )
667 {
668 j = i % 7;
669 k = i < 7;
670
671 if( verbose != 0 )
672 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
673
674 if( j == 5 || j == 6 )
675 {
676 memset( buf, '\xAA', buflen = 131 );
677 sha2_hmac_starts( &ctx, buf, buflen, k );
678 }
679 else
680 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
681 sha2_hmac_test_keylen[j], k );
682
683 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
684 sha2_hmac_test_buflen[j] );
685
686 sha2_hmac_finish( &ctx, sha2sum );
687
688 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
689
690 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
691 {
692 if( verbose != 0 )
693 printf( "failed\n" );
694
695 return( 1 );
696 }
697
698 if( verbose != 0 )
699 printf( "passed\n" );
700 }
701
702 if( verbose != 0 )
703 printf( "\n" );
704
705 return( 0 );
706}
707
708#endif
709
710#endif