1 /*
2  *  FIPS-180-2 compliant SHA-256 implementation
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  *
19  *  This file is part of mbed TLS (https://tls.mbed.org)
20  */
21 /*
22  *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
23  *
24  *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
25  */
26 
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32 
33 #if defined(MBEDTLS_SHA256_C)
34 
35 #include "mbedtls/sha256.h"
36 
37 #include <string.h>
38 
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
42 #else
43 #include <stdio.h>
44 #include <stdlib.h>
45 #define mbedtls_printf printf
46 #define mbedtls_calloc    calloc
47 #define mbedtls_free       free
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
50 
51 #if !defined(MBEDTLS_SHA256_ALT)
52 
53 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)54 static void mbedtls_zeroize( void *v, size_t n ) {
55     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
56 }
57 
58 /*
59  * 32-bit integer manipulation macros (big endian)
60  */
61 #ifndef GET_UINT32_BE
62 #define GET_UINT32_BE(n,b,i)                            \
63 do {                                                    \
64     (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
65         | ( (uint32_t) (b)[(i) + 1] << 16 )             \
66         | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
67         | ( (uint32_t) (b)[(i) + 3]       );            \
68 } while( 0 )
69 #endif
70 
71 #ifndef PUT_UINT32_BE
72 #define PUT_UINT32_BE(n,b,i)                            \
73 do {                                                    \
74     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
75     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
76     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
77     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
78 } while( 0 )
79 #endif
80 
mbedtls_sha256_init(mbedtls_sha256_context * ctx)81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
82 {
83     memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
84 }
85 
mbedtls_sha256_free(mbedtls_sha256_context * ctx)86 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
87 {
88     if( ctx == NULL )
89         return;
90 
91     mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
92 }
93 
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)94 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
95                            const mbedtls_sha256_context *src )
96 {
97     *dst = *src;
98 }
99 
100 /*
101  * SHA-256 context setup
102  */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)103 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
104 {
105     ctx->total[0] = 0;
106     ctx->total[1] = 0;
107 
108     if( is224 == 0 )
109     {
110         /* SHA-256 */
111         ctx->state[0] = 0x6A09E667;
112         ctx->state[1] = 0xBB67AE85;
113         ctx->state[2] = 0x3C6EF372;
114         ctx->state[3] = 0xA54FF53A;
115         ctx->state[4] = 0x510E527F;
116         ctx->state[5] = 0x9B05688C;
117         ctx->state[6] = 0x1F83D9AB;
118         ctx->state[7] = 0x5BE0CD19;
119     }
120     else
121     {
122         /* SHA-224 */
123         ctx->state[0] = 0xC1059ED8;
124         ctx->state[1] = 0x367CD507;
125         ctx->state[2] = 0x3070DD17;
126         ctx->state[3] = 0xF70E5939;
127         ctx->state[4] = 0xFFC00B31;
128         ctx->state[5] = 0x68581511;
129         ctx->state[6] = 0x64F98FA7;
130         ctx->state[7] = 0xBEFA4FA4;
131     }
132 
133     ctx->is224 = is224;
134 }
135 
136 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
137 static const uint32_t K[] =
138 {
139     0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
140     0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
141     0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
142     0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
143     0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
144     0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
145     0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
146     0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
147     0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
148     0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
149     0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
150     0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
151     0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
152     0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
153     0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
154     0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
155 };
156 
157 #define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
158 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
159 
160 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
161 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
162 
163 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
164 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
165 
166 #define F0(x,y,z) ((x & y) | (z & (x | y)))
167 #define F1(x,y,z) (z ^ (x & (y ^ z)))
168 
169 #define R(t)                                    \
170 (                                               \
171     W[t] = S1(W[t -  2]) + W[t -  7] +          \
172            S0(W[t - 15]) + W[t - 16]            \
173 )
174 
175 #define P(a,b,c,d,e,f,g,h,x,K)                  \
176 {                                               \
177     temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
178     temp2 = S2(a) + F0(a,b,c);                  \
179     d += temp1; h = temp1 + temp2;              \
180 }
181 
mbedtls_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[64])182 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
183 {
184     uint32_t temp1, temp2, W[64];
185     uint32_t A[8];
186     unsigned int i;
187 
188     for( i = 0; i < 8; i++ )
189         A[i] = ctx->state[i];
190 
191 #if defined(MBEDTLS_SHA256_SMALLER)
192     for( i = 0; i < 64; i++ )
193     {
194         if( i < 16 )
195             GET_UINT32_BE( W[i], data, 4 * i );
196         else
197             R( i );
198 
199         P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
200 
201         temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
202         A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
203     }
204 #else /* MBEDTLS_SHA256_SMALLER */
205     for( i = 0; i < 16; i++ )
206         GET_UINT32_BE( W[i], data, 4 * i );
207 
208     for( i = 0; i < 16; i += 8 )
209     {
210         P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
211         P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
212         P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
213         P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
214         P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
215         P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
216         P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
217         P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
218     }
219 
220     for( i = 16; i < 64; i += 8 )
221     {
222         P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
223         P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
224         P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
225         P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
226         P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
227         P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
228         P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
229         P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
230     }
231 #endif /* MBEDTLS_SHA256_SMALLER */
232 
233     for( i = 0; i < 8; i++ )
234         ctx->state[i] += A[i];
235 }
236 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
237 
238 /*
239  * SHA-256 process buffer
240  */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)241 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
242                     size_t ilen )
243 {
244     size_t fill;
245     uint32_t left;
246 
247     if( ilen == 0 )
248         return;
249 
250     left = ctx->total[0] & 0x3F;
251     fill = 64 - left;
252 
253     ctx->total[0] += (uint32_t) ilen;
254     ctx->total[0] &= 0xFFFFFFFF;
255 
256     if( ctx->total[0] < (uint32_t) ilen )
257         ctx->total[1]++;
258 
259     if( left && ilen >= fill )
260     {
261         memcpy( (void *) (ctx->buffer + left), input, fill );
262         mbedtls_sha256_process( ctx, ctx->buffer );
263         input += fill;
264         ilen  -= fill;
265         left = 0;
266     }
267 
268     while( ilen >= 64 )
269     {
270         mbedtls_sha256_process( ctx, input );
271         input += 64;
272         ilen  -= 64;
273     }
274 
275     if( ilen > 0 )
276         memcpy( (void *) (ctx->buffer + left), input, ilen );
277 }
278 
279 static const unsigned char sha256_padding[64] =
280 {
281  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
285 };
286 
287 /*
288  * SHA-256 final digest
289  */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char output[32])290 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] )
291 {
292     uint32_t last, padn;
293     uint32_t high, low;
294     unsigned char msglen[8];
295 
296     high = ( ctx->total[0] >> 29 )
297          | ( ctx->total[1] <<  3 );
298     low  = ( ctx->total[0] <<  3 );
299 
300     PUT_UINT32_BE( high, msglen, 0 );
301     PUT_UINT32_BE( low,  msglen, 4 );
302 
303     last = ctx->total[0] & 0x3F;
304     padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
305 
306     mbedtls_sha256_update( ctx, sha256_padding, padn );
307     mbedtls_sha256_update( ctx, msglen, 8 );
308 
309     PUT_UINT32_BE( ctx->state[0], output,  0 );
310     PUT_UINT32_BE( ctx->state[1], output,  4 );
311     PUT_UINT32_BE( ctx->state[2], output,  8 );
312     PUT_UINT32_BE( ctx->state[3], output, 12 );
313     PUT_UINT32_BE( ctx->state[4], output, 16 );
314     PUT_UINT32_BE( ctx->state[5], output, 20 );
315     PUT_UINT32_BE( ctx->state[6], output, 24 );
316 
317     if( ctx->is224 == 0 )
318         PUT_UINT32_BE( ctx->state[7], output, 28 );
319 }
320 
321 #endif /* !MBEDTLS_SHA256_ALT */
322 
323 /*
324  * output = SHA-256( input buffer )
325  */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char output[32],int is224)326 void mbedtls_sha256( const unsigned char *input, size_t ilen,
327              unsigned char output[32], int is224 )
328 {
329     mbedtls_sha256_context ctx;
330 
331     mbedtls_sha256_init( &ctx );
332     mbedtls_sha256_starts( &ctx, is224 );
333     mbedtls_sha256_update( &ctx, input, ilen );
334     mbedtls_sha256_finish( &ctx, output );
335     mbedtls_sha256_free( &ctx );
336 }
337 
338 #if defined(MBEDTLS_SELF_TEST)
339 /*
340  * FIPS-180-2 test vectors
341  */
342 static const unsigned char sha256_test_buf[3][57] =
343 {
344     { "abc" },
345     { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
346     { "" }
347 };
348 
349 static const int sha256_test_buflen[3] =
350 {
351     3, 56, 1000
352 };
353 
354 static const unsigned char sha256_test_sum[6][32] =
355 {
356     /*
357      * SHA-224 test vectors
358      */
359     { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
360       0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
361       0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
362       0xE3, 0x6C, 0x9D, 0xA7 },
363     { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
364       0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
365       0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
366       0x52, 0x52, 0x25, 0x25 },
367     { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
368       0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
369       0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
370       0x4E, 0xE7, 0xAD, 0x67 },
371 
372     /*
373      * SHA-256 test vectors
374      */
375     { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
376       0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
377       0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
378       0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
379     { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
380       0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
381       0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
382       0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
383     { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
384       0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
385       0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
386       0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
387 };
388 
389 /*
390  * Checkup routine
391  */
mbedtls_sha256_self_test(int verbose)392 int mbedtls_sha256_self_test( int verbose )
393 {
394     int i, j, k, buflen, ret = 0;
395     unsigned char *buf;
396     unsigned char sha256sum[32];
397     mbedtls_sha256_context ctx;
398 
399     buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
400     if( NULL == buf )
401     {
402         if( verbose != 0 )
403             mbedtls_printf( "Buffer allocation failed\n" );
404 
405         return( 1 );
406     }
407 
408     mbedtls_sha256_init( &ctx );
409 
410     for( i = 0; i < 6; i++ )
411     {
412         j = i % 3;
413         k = i < 3;
414 
415         if( verbose != 0 )
416             mbedtls_printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
417 
418         mbedtls_sha256_starts( &ctx, k );
419 
420         if( j == 2 )
421         {
422             memset( buf, 'a', buflen = 1000 );
423 
424             for( j = 0; j < 1000; j++ )
425                 mbedtls_sha256_update( &ctx, buf, buflen );
426         }
427         else
428             mbedtls_sha256_update( &ctx, sha256_test_buf[j],
429                                  sha256_test_buflen[j] );
430 
431         mbedtls_sha256_finish( &ctx, sha256sum );
432 
433         if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
434         {
435             if( verbose != 0 )
436                 mbedtls_printf( "failed\n" );
437 
438             ret = 1;
439             goto exit;
440         }
441 
442         if( verbose != 0 )
443             mbedtls_printf( "passed\n" );
444     }
445 
446     if( verbose != 0 )
447         mbedtls_printf( "\n" );
448 
449 exit:
450     mbedtls_sha256_free( &ctx );
451     mbedtls_free( buf );
452 
453     return( ret );
454 }
455 
456 #endif /* MBEDTLS_SELF_TEST */
457 
458 #endif /* MBEDTLS_SHA256_C */
459