TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/polarssl-1.2 / . / library / sha2.c
blob: 7f9b2203ce5099d3b69f608b932b887d409ddab6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker530927b2015-02-13 14:24:10 +0100[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnarde12abf92015-01-28 17:13:45 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 *
25 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
26 */
27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]34#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35#include <stdio.h>
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Manuel Pégourié-Gonnardaa4e55b2015-08-31 11:22:01 +0200[diff] [blame]38#if !defined(POLARSSL_SHA2_ALT)
39
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]40/* Implementation that should never be optimized out by the compiler */
41static void polarssl_zeroize( void *v, size_t n ) {
42 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
43}
44
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45/*
46 * 32-bit integer manipulation macros (big endian)
47 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]48#ifndef GET_UINT32_BE
49#define GET_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]51 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
52 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
53 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]55}
56#endif
57
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]58#ifndef PUT_UINT32_BE
59#define PUT_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60{ \
61 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
62 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
63 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 3] = (unsigned char) ( (n) ); \
65}
66#endif
67
68/*
69 * SHA-256 context setup
70 */
71void sha2_starts( sha2_context *ctx, int is224 )
72{
73 ctx->total[0] = 0;
74 ctx->total[1] = 0;
75
76 if( is224 == 0 )
77 {
78 /* SHA-256 */
79 ctx->state[0] = 0x6A09E667;
80 ctx->state[1] = 0xBB67AE85;
81 ctx->state[2] = 0x3C6EF372;
82 ctx->state[3] = 0xA54FF53A;
83 ctx->state[4] = 0x510E527F;
84 ctx->state[5] = 0x9B05688C;
85 ctx->state[6] = 0x1F83D9AB;
86 ctx->state[7] = 0x5BE0CD19;
87 }
88 else
89 {
90 /* SHA-224 */
91 ctx->state[0] = 0xC1059ED8;
92 ctx->state[1] = 0x367CD507;
93 ctx->state[2] = 0x3070DD17;
94 ctx->state[3] = 0xF70E5939;
95 ctx->state[4] = 0xFFC00B31;
96 ctx->state[5] = 0x68581511;
97 ctx->state[6] = 0x64F98FA7;
98 ctx->state[7] = 0xBEFA4FA4;
99 }
100
101 ctx->is224 = is224;
102}
103
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]104void sha2_process( sha2_context *ctx, const unsigned char data[64] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]106 uint32_t temp1, temp2, W[64];
107 uint32_t A, B, C, D, E, F, G, H;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]108
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]109 GET_UINT32_BE( W[ 0], data, 0 );
110 GET_UINT32_BE( W[ 1], data, 4 );
111 GET_UINT32_BE( W[ 2], data, 8 );
112 GET_UINT32_BE( W[ 3], data, 12 );
113 GET_UINT32_BE( W[ 4], data, 16 );
114 GET_UINT32_BE( W[ 5], data, 20 );
115 GET_UINT32_BE( W[ 6], data, 24 );
116 GET_UINT32_BE( W[ 7], data, 28 );
117 GET_UINT32_BE( W[ 8], data, 32 );
118 GET_UINT32_BE( W[ 9], data, 36 );
119 GET_UINT32_BE( W[10], data, 40 );
120 GET_UINT32_BE( W[11], data, 44 );
121 GET_UINT32_BE( W[12], data, 48 );
122 GET_UINT32_BE( W[13], data, 52 );
123 GET_UINT32_BE( W[14], data, 56 );
124 GET_UINT32_BE( W[15], data, 60 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]125
126#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
127#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
128
129#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
130#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
131
132#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
133#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
134
135#define F0(x,y,z) ((x & y) | (z & (x | y)))
136#define F1(x,y,z) (z ^ (x & (y ^ z)))
137
138#define R(t) \
139( \
140 W[t] = S1(W[t - 2]) + W[t - 7] + \
141 S0(W[t - 15]) + W[t - 16] \
142)
143
144#define P(a,b,c,d,e,f,g,h,x,K) \
145{ \
146 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
147 temp2 = S2(a) + F0(a,b,c); \
148 d += temp1; h = temp1 + temp2; \
149}
150
151 A = ctx->state[0];
152 B = ctx->state[1];
153 C = ctx->state[2];
154 D = ctx->state[3];
155 E = ctx->state[4];
156 F = ctx->state[5];
157 G = ctx->state[6];
158 H = ctx->state[7];
159
160 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
161 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
162 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
163 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
164 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
165 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
166 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
167 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
168 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
169 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
170 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
171 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
172 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
173 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
174 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
175 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
176 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
177 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
178 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
179 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
180 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
181 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
182 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
183 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
184 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
185 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
186 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
187 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
188 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
189 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
190 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
191 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
192 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
193 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
194 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
195 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
196 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
197 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
198 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
199 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
200 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
201 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
202 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
203 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
204 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
205 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
206 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
207 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
208 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
209 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
210 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
211 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
212 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
213 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
214 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
215 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
216 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
217 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
218 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
219 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
220 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
221 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
222 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
223 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
224
225 ctx->state[0] += A;
226 ctx->state[1] += B;
227 ctx->state[2] += C;
228 ctx->state[3] += D;
229 ctx->state[4] += E;
230 ctx->state[5] += F;
231 ctx->state[6] += G;
232 ctx->state[7] += H;
233}
234
235/*
236 * SHA-256 process buffer
237 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]238void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]240 size_t fill;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]241 uint32_t left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]242
243 if( ilen <= 0 )
244 return;
245
246 left = ctx->total[0] & 0x3F;
247 fill = 64 - left;
248
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]249 ctx->total[0] += (uint32_t) ilen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]250 ctx->total[0] &= 0xFFFFFFFF;
251
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]252 if( ctx->total[0] < (uint32_t) ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253 ctx->total[1]++;
254
255 if( left && ilen >= fill )
256 {
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]257 memcpy( (void *) (ctx->buffer + left), input, fill );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]258 sha2_process( ctx, ctx->buffer );
259 input += fill;
260 ilen -= fill;
261 left = 0;
262 }
263
264 while( ilen >= 64 )
265 {
266 sha2_process( ctx, input );
267 input += 64;
268 ilen -= 64;
269 }
270
271 if( ilen > 0 )
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]272 memcpy( (void *) (ctx->buffer + left), input, ilen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]273}
274
275static const unsigned char sha2_padding[64] =
276{
277 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
281};
282
283/*
284 * SHA-256 final digest
285 */
286void sha2_finish( sha2_context *ctx, unsigned char output[32] )
287{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]288 uint32_t last, padn;
289 uint32_t high, low;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]290 unsigned char msglen[8];
291
292 high = ( ctx->total[0] >> 29 )
293 | ( ctx->total[1] << 3 );
294 low = ( ctx->total[0] << 3 );
295
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]296 PUT_UINT32_BE( high, msglen, 0 );
297 PUT_UINT32_BE( low, msglen, 4 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]298
299 last = ctx->total[0] & 0x3F;
300 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
301
Paul Bakkereae09db2013-06-06 12:35:54 +0200[diff] [blame]302 sha2_update( ctx, sha2_padding, padn );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]303 sha2_update( ctx, msglen, 8 );
304
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]305 PUT_UINT32_BE( ctx->state[0], output, 0 );
306 PUT_UINT32_BE( ctx->state[1], output, 4 );
307 PUT_UINT32_BE( ctx->state[2], output, 8 );
308 PUT_UINT32_BE( ctx->state[3], output, 12 );
309 PUT_UINT32_BE( ctx->state[4], output, 16 );
310 PUT_UINT32_BE( ctx->state[5], output, 20 );
311 PUT_UINT32_BE( ctx->state[6], output, 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312
313 if( ctx->is224 == 0 )
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]314 PUT_UINT32_BE( ctx->state[7], output, 28 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315}
316
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]317#endif /* !POLARSSL_SHA2_ALT */
318
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319/*
320 * output = SHA-256( input buffer )
321 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]322void sha2( const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323 unsigned char output[32], int is224 )
324{
325 sha2_context ctx;
326
327 sha2_starts( &ctx, is224 );
328 sha2_update( &ctx, input, ilen );
329 sha2_finish( &ctx, output );
330
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]331 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332}
333
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]334#if defined(POLARSSL_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335/*
336 * output = SHA-256( file contents )
337 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]338int sha2_file( const char *path, unsigned char output[32], int is224 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339{
340 FILE *f;
341 size_t n;
342 sha2_context ctx;
343 unsigned char buf[1024];
344
345 if( ( f = fopen( path, "rb" ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]346 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347
348 sha2_starts( &ctx, is224 );
349
350 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]351 sha2_update( &ctx, buf, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352
353 sha2_finish( &ctx, output );
354
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]355 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]356
357 if( ferror( f ) != 0 )
358 {
359 fclose( f );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]360 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361 }
362
363 fclose( f );
364 return( 0 );
365}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]366#endif /* POLARSSL_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * SHA-256 HMAC context setup
370 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]371void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 int is224 )
373{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]374 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375 unsigned char sum[32];
376
377 if( keylen > 64 )
378 {
379 sha2( key, keylen, sum, is224 );
380 keylen = ( is224 ) ? 28 : 32;
381 key = sum;
382 }
383
384 memset( ctx->ipad, 0x36, 64 );
385 memset( ctx->opad, 0x5C, 64 );
386
387 for( i = 0; i < keylen; i++ )
388 {
389 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
390 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
391 }
392
393 sha2_starts( ctx, is224 );
394 sha2_update( ctx, ctx->ipad, 64 );
395
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]396 polarssl_zeroize( sum, sizeof( sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397}
398
399/*
400 * SHA-256 HMAC process buffer
401 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]402void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403{
404 sha2_update( ctx, input, ilen );
405}
406
407/*
408 * SHA-256 HMAC final digest
409 */
410void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
411{
412 int is224, hlen;
413 unsigned char tmpbuf[32];
414
415 is224 = ctx->is224;
416 hlen = ( is224 == 0 ) ? 32 : 28;
417
418 sha2_finish( ctx, tmpbuf );
419 sha2_starts( ctx, is224 );
420 sha2_update( ctx, ctx->opad, 64 );
421 sha2_update( ctx, tmpbuf, hlen );
422 sha2_finish( ctx, output );
423
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]424 polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]425}
426
427/*
Paul Bakker7d3b6612010-03-21 16:23:13 +0000[diff] [blame]428 * SHA-256 HMAC context reset
429 */
430void sha2_hmac_reset( sha2_context *ctx )
431{
432 sha2_starts( ctx, ctx->is224 );
433 sha2_update( ctx, ctx->ipad, 64 );
434}
435
436/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437 * output = HMAC-SHA-256( hmac key, input buffer )
438 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]439void sha2_hmac( const unsigned char *key, size_t keylen,
440 const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441 unsigned char output[32], int is224 )
442{
443 sha2_context ctx;
444
445 sha2_hmac_starts( &ctx, key, keylen, is224 );
446 sha2_hmac_update( &ctx, input, ilen );
447 sha2_hmac_finish( &ctx, output );
448
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]449 polarssl_zeroize( &ctx, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450}
451
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]452#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453/*
454 * FIPS-180-2 test vectors
455 */
456static unsigned char sha2_test_buf[3][57] =
457{
458 { "abc" },
459 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
460 { "" }
461};
462
463static const int sha2_test_buflen[3] =
464{
465 3, 56, 1000
466};
467
468static const unsigned char sha2_test_sum[6][32] =
469{
470 /*
471 * SHA-224 test vectors
472 */
473 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
474 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
475 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
476 0xE3, 0x6C, 0x9D, 0xA7 },
477 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
478 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
479 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
480 0x52, 0x52, 0x25, 0x25 },
481 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
482 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
483 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
484 0x4E, 0xE7, 0xAD, 0x67 },
485
486 /*
487 * SHA-256 test vectors
488 */
489 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
490 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
491 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
492 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
493 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
494 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
495 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
496 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
497 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
498 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
499 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
500 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
501};
502
503/*
504 * RFC 4231 test vectors
505 */
506static unsigned char sha2_hmac_test_key[7][26] =
507{
508 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
509 "\x0B\x0B\x0B\x0B" },
510 { "Jefe" },
511 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
512 "\xAA\xAA\xAA\xAA" },
513 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
514 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
515 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
516 "\x0C\x0C\x0C\x0C" },
517 { "" }, /* 0xAA 131 times */
518 { "" }
519};
520
521static const int sha2_hmac_test_keylen[7] =
522{
523 20, 4, 20, 25, 20, 131, 131
524};
525
526static unsigned char sha2_hmac_test_buf[7][153] =
527{
528 { "Hi There" },
529 { "what do ya want for nothing?" },
530 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
533 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
534 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
535 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
538 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
539 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
540 { "Test With Truncation" },
541 { "Test Using Larger Than Block-Size Key - Hash Key First" },
542 { "This is a test using a larger than block-size key "
543 "and a larger than block-size data. The key needs to "
544 "be hashed before being used by the HMAC algorithm." }
545};
546
547static const int sha2_hmac_test_buflen[7] =
548{
549 8, 28, 50, 50, 20, 54, 152
550};
551
552static const unsigned char sha2_hmac_test_sum[14][32] =
553{
554 /*
555 * HMAC-SHA-224 test vectors
556 */
557 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
558 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
559 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
560 0x53, 0x68, 0x4B, 0x22 },
561 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
562 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
563 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
564 0x8F, 0xD0, 0x5E, 0x44 },
565 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
566 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
567 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
568 0xEC, 0x83, 0x33, 0xEA },
569 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
570 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
571 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
572 0xE7, 0xAF, 0xEC, 0x5A },
573 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
574 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
575 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
576 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
577 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
578 0x3F, 0xA6, 0x87, 0x0E },
579 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
580 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
581 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
582 0xF6, 0xF5, 0x65, 0xD1 },
583
584 /*
585 * HMAC-SHA-256 test vectors
586 */
587 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
588 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
589 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
590 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
591 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
592 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
593 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
594 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
595 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
596 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
597 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
598 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
599 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
600 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
601 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
602 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
603 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
604 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
605 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
606 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
607 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
608 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
609 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
610 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
611 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
612 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
613};
614
615/*
616 * Checkup routine
617 */
618int sha2_self_test( int verbose )
619{
620 int i, j, k, buflen;
621 unsigned char buf[1024];
622 unsigned char sha2sum[32];
623 sha2_context ctx;
624
625 for( i = 0; i < 6; i++ )
626 {
627 j = i % 3;
628 k = i < 3;
629
630 if( verbose != 0 )
631 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
632
633 sha2_starts( &ctx, k );
634
635 if( j == 2 )
636 {
637 memset( buf, 'a', buflen = 1000 );
638
639 for( j = 0; j < 1000; j++ )
640 sha2_update( &ctx, buf, buflen );
641 }
642 else
643 sha2_update( &ctx, sha2_test_buf[j],
644 sha2_test_buflen[j] );
645
646 sha2_finish( &ctx, sha2sum );
647
648 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
649 {
650 if( verbose != 0 )
651 printf( "failed\n" );
652
653 return( 1 );
654 }
655
656 if( verbose != 0 )
657 printf( "passed\n" );
658 }
659
660 if( verbose != 0 )
661 printf( "\n" );
662
663 for( i = 0; i < 14; i++ )
664 {
665 j = i % 7;
666 k = i < 7;
667
668 if( verbose != 0 )
669 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
670
671 if( j == 5 || j == 6 )
672 {
673 memset( buf, '\xAA', buflen = 131 );
674 sha2_hmac_starts( &ctx, buf, buflen, k );
675 }
676 else
677 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
678 sha2_hmac_test_keylen[j], k );
679
680 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
681 sha2_hmac_test_buflen[j] );
682
683 sha2_hmac_finish( &ctx, sha2sum );
684
685 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
686
687 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
688 {
689 if( verbose != 0 )
690 printf( "failed\n" );
691
692 return( 1 );
693 }
694
695 if( verbose != 0 )
696 printf( "passed\n" );
697 }
698
699 if( verbose != 0 )
700 printf( "\n" );
701
702 return( 0 );
703}
704
705#endif
706
707#endif