TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5c2364c2bac4c0c0c269235aa701ec7e07a1e00e / . / library / sha2.c
blob: 0245f312c1fe95812c73426f5ce96c6ead73e220 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27 *
28 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]37#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38#include <stdio.h>
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
41/*
42 * 32-bit integer manipulation macros (big endian)
43 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]44#ifndef GET_UINT32_BE
45#define GET_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]47 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
48 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
49 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
50 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51}
52#endif
53
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]54#ifndef PUT_UINT32_BE
55#define PUT_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56{ \
57 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) ); \
61}
62#endif
63
64/*
65 * SHA-256 context setup
66 */
67void sha2_starts( sha2_context *ctx, int is224 )
68{
69 ctx->total[0] = 0;
70 ctx->total[1] = 0;
71
72 if( is224 == 0 )
73 {
74 /* SHA-256 */
75 ctx->state[0] = 0x6A09E667;
76 ctx->state[1] = 0xBB67AE85;
77 ctx->state[2] = 0x3C6EF372;
78 ctx->state[3] = 0xA54FF53A;
79 ctx->state[4] = 0x510E527F;
80 ctx->state[5] = 0x9B05688C;
81 ctx->state[6] = 0x1F83D9AB;
82 ctx->state[7] = 0x5BE0CD19;
83 }
84 else
85 {
86 /* SHA-224 */
87 ctx->state[0] = 0xC1059ED8;
88 ctx->state[1] = 0x367CD507;
89 ctx->state[2] = 0x3070DD17;
90 ctx->state[3] = 0xF70E5939;
91 ctx->state[4] = 0xFFC00B31;
92 ctx->state[5] = 0x68581511;
93 ctx->state[6] = 0x64F98FA7;
94 ctx->state[7] = 0xBEFA4FA4;
95 }
96
97 ctx->is224 = is224;
98}
99
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]100static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]101{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]102 uint32_t temp1, temp2, W[64];
103 uint32_t A, B, C, D, E, F, G, H;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]104
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]105 GET_UINT32_BE( W[ 0], data, 0 );
106 GET_UINT32_BE( W[ 1], data, 4 );
107 GET_UINT32_BE( W[ 2], data, 8 );
108 GET_UINT32_BE( W[ 3], data, 12 );
109 GET_UINT32_BE( W[ 4], data, 16 );
110 GET_UINT32_BE( W[ 5], data, 20 );
111 GET_UINT32_BE( W[ 6], data, 24 );
112 GET_UINT32_BE( W[ 7], data, 28 );
113 GET_UINT32_BE( W[ 8], data, 32 );
114 GET_UINT32_BE( W[ 9], data, 36 );
115 GET_UINT32_BE( W[10], data, 40 );
116 GET_UINT32_BE( W[11], data, 44 );
117 GET_UINT32_BE( W[12], data, 48 );
118 GET_UINT32_BE( W[13], data, 52 );
119 GET_UINT32_BE( W[14], data, 56 );
120 GET_UINT32_BE( W[15], data, 60 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121
122#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
123#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
124
125#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
126#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
127
128#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
129#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
130
131#define F0(x,y,z) ((x & y) | (z & (x | y)))
132#define F1(x,y,z) (z ^ (x & (y ^ z)))
133
134#define R(t) \
135( \
136 W[t] = S1(W[t - 2]) + W[t - 7] + \
137 S0(W[t - 15]) + W[t - 16] \
138)
139
140#define P(a,b,c,d,e,f,g,h,x,K) \
141{ \
142 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
143 temp2 = S2(a) + F0(a,b,c); \
144 d += temp1; h = temp1 + temp2; \
145}
146
147 A = ctx->state[0];
148 B = ctx->state[1];
149 C = ctx->state[2];
150 D = ctx->state[3];
151 E = ctx->state[4];
152 F = ctx->state[5];
153 G = ctx->state[6];
154 H = ctx->state[7];
155
156 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
157 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
158 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
159 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
160 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
161 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
162 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
163 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
164 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
165 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
166 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
167 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
168 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
169 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
170 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
171 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
172 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
173 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
174 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
175 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
176 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
177 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
178 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
179 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
180 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
181 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
182 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
183 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
184 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
185 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
186 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
187 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
188 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
189 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
190 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
191 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
192 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
193 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
194 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
195 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
196 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
197 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
198 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
199 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
200 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
201 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
202 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
203 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
204 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
205 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
206 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
207 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
208 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
209 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
210 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
211 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
212 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
213 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
214 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
215 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
216 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
217 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
218 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
219 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
220
221 ctx->state[0] += A;
222 ctx->state[1] += B;
223 ctx->state[2] += C;
224 ctx->state[3] += D;
225 ctx->state[4] += E;
226 ctx->state[5] += F;
227 ctx->state[6] += G;
228 ctx->state[7] += H;
229}
230
231/*
232 * SHA-256 process buffer
233 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]234void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]236 size_t fill;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]237 uint32_t left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238
239 if( ilen <= 0 )
240 return;
241
242 left = ctx->total[0] & 0x3F;
243 fill = 64 - left;
244
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]245 ctx->total[0] += (uint32_t) ilen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]246 ctx->total[0] &= 0xFFFFFFFF;
247
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]248 if( ctx->total[0] < (uint32_t) ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]249 ctx->total[1]++;
250
251 if( left && ilen >= fill )
252 {
253 memcpy( (void *) (ctx->buffer + left),
254 (void *) input, fill );
255 sha2_process( ctx, ctx->buffer );
256 input += fill;
257 ilen -= fill;
258 left = 0;
259 }
260
261 while( ilen >= 64 )
262 {
263 sha2_process( ctx, input );
264 input += 64;
265 ilen -= 64;
266 }
267
268 if( ilen > 0 )
269 {
270 memcpy( (void *) (ctx->buffer + left),
271 (void *) input, ilen );
272 }
273}
274
275static const unsigned char sha2_padding[64] =
276{
277 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
281};
282
283/*
284 * SHA-256 final digest
285 */
286void sha2_finish( sha2_context *ctx, unsigned char output[32] )
287{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]288 uint32_t last, padn;
289 uint32_t high, low;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]290 unsigned char msglen[8];
291
292 high = ( ctx->total[0] >> 29 )
293 | ( ctx->total[1] << 3 );
294 low = ( ctx->total[0] << 3 );
295
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]296 PUT_UINT32_BE( high, msglen, 0 );
297 PUT_UINT32_BE( low, msglen, 4 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]298
299 last = ctx->total[0] & 0x3F;
300 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
301
302 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
303 sha2_update( ctx, msglen, 8 );
304
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]305 PUT_UINT32_BE( ctx->state[0], output, 0 );
306 PUT_UINT32_BE( ctx->state[1], output, 4 );
307 PUT_UINT32_BE( ctx->state[2], output, 8 );
308 PUT_UINT32_BE( ctx->state[3], output, 12 );
309 PUT_UINT32_BE( ctx->state[4], output, 16 );
310 PUT_UINT32_BE( ctx->state[5], output, 20 );
311 PUT_UINT32_BE( ctx->state[6], output, 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312
313 if( ctx->is224 == 0 )
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]314 PUT_UINT32_BE( ctx->state[7], output, 28 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315}
316
317/*
318 * output = SHA-256( input buffer )
319 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]320void sha2( const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321 unsigned char output[32], int is224 )
322{
323 sha2_context ctx;
324
325 sha2_starts( &ctx, is224 );
326 sha2_update( &ctx, input, ilen );
327 sha2_finish( &ctx, output );
328
329 memset( &ctx, 0, sizeof( sha2_context ) );
330}
331
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]332#if defined(POLARSSL_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333/*
334 * output = SHA-256( file contents )
335 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]336int sha2_file( const char *path, unsigned char output[32], int is224 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337{
338 FILE *f;
339 size_t n;
340 sha2_context ctx;
341 unsigned char buf[1024];
342
343 if( ( f = fopen( path, "rb" ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]344 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345
346 sha2_starts( &ctx, is224 );
347
348 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]349 sha2_update( &ctx, buf, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351 sha2_finish( &ctx, output );
352
353 memset( &ctx, 0, sizeof( sha2_context ) );
354
355 if( ferror( f ) != 0 )
356 {
357 fclose( f );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]358 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359 }
360
361 fclose( f );
362 return( 0 );
363}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]364#endif /* POLARSSL_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365
366/*
367 * SHA-256 HMAC context setup
368 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]369void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 int is224 )
371{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]372 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373 unsigned char sum[32];
374
375 if( keylen > 64 )
376 {
377 sha2( key, keylen, sum, is224 );
378 keylen = ( is224 ) ? 28 : 32;
379 key = sum;
380 }
381
382 memset( ctx->ipad, 0x36, 64 );
383 memset( ctx->opad, 0x5C, 64 );
384
385 for( i = 0; i < keylen; i++ )
386 {
387 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
388 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
389 }
390
391 sha2_starts( ctx, is224 );
392 sha2_update( ctx, ctx->ipad, 64 );
393
394 memset( sum, 0, sizeof( sum ) );
395}
396
397/*
398 * SHA-256 HMAC process buffer
399 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]400void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401{
402 sha2_update( ctx, input, ilen );
403}
404
405/*
406 * SHA-256 HMAC final digest
407 */
408void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
409{
410 int is224, hlen;
411 unsigned char tmpbuf[32];
412
413 is224 = ctx->is224;
414 hlen = ( is224 == 0 ) ? 32 : 28;
415
416 sha2_finish( ctx, tmpbuf );
417 sha2_starts( ctx, is224 );
418 sha2_update( ctx, ctx->opad, 64 );
419 sha2_update( ctx, tmpbuf, hlen );
420 sha2_finish( ctx, output );
421
422 memset( tmpbuf, 0, sizeof( tmpbuf ) );
423}
424
425/*
Paul Bakker7d3b6612010-03-21 16:23:13 +0000[diff] [blame]426 * SHA-256 HMAC context reset
427 */
428void sha2_hmac_reset( sha2_context *ctx )
429{
430 sha2_starts( ctx, ctx->is224 );
431 sha2_update( ctx, ctx->ipad, 64 );
432}
433
434/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435 * output = HMAC-SHA-256( hmac key, input buffer )
436 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]437void sha2_hmac( const unsigned char *key, size_t keylen,
438 const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]439 unsigned char output[32], int is224 )
440{
441 sha2_context ctx;
442
443 sha2_hmac_starts( &ctx, key, keylen, is224 );
444 sha2_hmac_update( &ctx, input, ilen );
445 sha2_hmac_finish( &ctx, output );
446
447 memset( &ctx, 0, sizeof( sha2_context ) );
448}
449
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]450#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451/*
452 * FIPS-180-2 test vectors
453 */
454static unsigned char sha2_test_buf[3][57] =
455{
456 { "abc" },
457 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
458 { "" }
459};
460
461static const int sha2_test_buflen[3] =
462{
463 3, 56, 1000
464};
465
466static const unsigned char sha2_test_sum[6][32] =
467{
468 /*
469 * SHA-224 test vectors
470 */
471 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
472 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
473 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
474 0xE3, 0x6C, 0x9D, 0xA7 },
475 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
476 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
477 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
478 0x52, 0x52, 0x25, 0x25 },
479 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
480 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
481 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
482 0x4E, 0xE7, 0xAD, 0x67 },
483
484 /*
485 * SHA-256 test vectors
486 */
487 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
488 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
489 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
490 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
491 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
492 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
493 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
494 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
495 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
496 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
497 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
498 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
499};
500
501/*
502 * RFC 4231 test vectors
503 */
504static unsigned char sha2_hmac_test_key[7][26] =
505{
506 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
507 "\x0B\x0B\x0B\x0B" },
508 { "Jefe" },
509 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
510 "\xAA\xAA\xAA\xAA" },
511 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
512 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
513 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
514 "\x0C\x0C\x0C\x0C" },
515 { "" }, /* 0xAA 131 times */
516 { "" }
517};
518
519static const int sha2_hmac_test_keylen[7] =
520{
521 20, 4, 20, 25, 20, 131, 131
522};
523
524static unsigned char sha2_hmac_test_buf[7][153] =
525{
526 { "Hi There" },
527 { "what do ya want for nothing?" },
528 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
529 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
533 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
534 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
538 { "Test With Truncation" },
539 { "Test Using Larger Than Block-Size Key - Hash Key First" },
540 { "This is a test using a larger than block-size key "
541 "and a larger than block-size data. The key needs to "
542 "be hashed before being used by the HMAC algorithm." }
543};
544
545static const int sha2_hmac_test_buflen[7] =
546{
547 8, 28, 50, 50, 20, 54, 152
548};
549
550static const unsigned char sha2_hmac_test_sum[14][32] =
551{
552 /*
553 * HMAC-SHA-224 test vectors
554 */
555 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
556 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
557 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
558 0x53, 0x68, 0x4B, 0x22 },
559 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
560 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
561 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
562 0x8F, 0xD0, 0x5E, 0x44 },
563 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
564 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
565 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
566 0xEC, 0x83, 0x33, 0xEA },
567 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
568 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
569 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
570 0xE7, 0xAF, 0xEC, 0x5A },
571 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
572 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
573 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
574 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
575 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
576 0x3F, 0xA6, 0x87, 0x0E },
577 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
578 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
579 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
580 0xF6, 0xF5, 0x65, 0xD1 },
581
582 /*
583 * HMAC-SHA-256 test vectors
584 */
585 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
586 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
587 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
588 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
589 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
590 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
591 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
592 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
593 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
594 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
595 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
596 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
597 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
598 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
599 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
600 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
601 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
602 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
603 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
604 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
605 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
606 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
607 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
608 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
609 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
610 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
611};
612
613/*
614 * Checkup routine
615 */
616int sha2_self_test( int verbose )
617{
618 int i, j, k, buflen;
619 unsigned char buf[1024];
620 unsigned char sha2sum[32];
621 sha2_context ctx;
622
623 for( i = 0; i < 6; i++ )
624 {
625 j = i % 3;
626 k = i < 3;
627
628 if( verbose != 0 )
629 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
630
631 sha2_starts( &ctx, k );
632
633 if( j == 2 )
634 {
635 memset( buf, 'a', buflen = 1000 );
636
637 for( j = 0; j < 1000; j++ )
638 sha2_update( &ctx, buf, buflen );
639 }
640 else
641 sha2_update( &ctx, sha2_test_buf[j],
642 sha2_test_buflen[j] );
643
644 sha2_finish( &ctx, sha2sum );
645
646 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
647 {
648 if( verbose != 0 )
649 printf( "failed\n" );
650
651 return( 1 );
652 }
653
654 if( verbose != 0 )
655 printf( "passed\n" );
656 }
657
658 if( verbose != 0 )
659 printf( "\n" );
660
661 for( i = 0; i < 14; i++ )
662 {
663 j = i % 7;
664 k = i < 7;
665
666 if( verbose != 0 )
667 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
668
669 if( j == 5 || j == 6 )
670 {
671 memset( buf, '\xAA', buflen = 131 );
672 sha2_hmac_starts( &ctx, buf, buflen, k );
673 }
674 else
675 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
676 sha2_hmac_test_keylen[j], k );
677
678 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
679 sha2_hmac_test_buflen[j] );
680
681 sha2_hmac_finish( &ctx, sha2sum );
682
683 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
684
685 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
686 {
687 if( verbose != 0 )
688 printf( "failed\n" );
689
690 return( 1 );
691 }
692
693 if( verbose != 0 )
694 printf( "passed\n" );
695 }
696
697 if( verbose != 0 )
698 printf( "\n" );
699
700 return( 0 );
701}
702
703#endif
704
705#endif