1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
23 *
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
25 */
26
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32
33 #if defined(MBEDTLS_SHA256_C)
34
35 #include "mbedtls/sha256.h"
36
37 #include <string.h>
38
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
42 #else
43 #include <stdio.h>
44 #include <stdlib.h>
45 #define mbedtls_printf printf
46 #define mbedtls_calloc calloc
47 #define mbedtls_free free
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
50
51 #if !defined(MBEDTLS_SHA256_ALT)
52
53 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)54 static void mbedtls_zeroize( void *v, size_t n ) {
55 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
56 }
57
58 /*
59 * 32-bit integer manipulation macros (big endian)
60 */
61 #ifndef GET_UINT32_BE
62 #define GET_UINT32_BE(n,b,i) \
63 do { \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
68 } while( 0 )
69 #endif
70
71 #ifndef PUT_UINT32_BE
72 #define PUT_UINT32_BE(n,b,i) \
73 do { \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
78 } while( 0 )
79 #endif
80
mbedtls_sha256_init(mbedtls_sha256_context * ctx)81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
82 {
83 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
84 }
85
mbedtls_sha256_free(mbedtls_sha256_context * ctx)86 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
87 {
88 if( ctx == NULL )
89 return;
90
91 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
92 }
93
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)94 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
95 const mbedtls_sha256_context *src )
96 {
97 *dst = *src;
98 }
99
100 /*
101 * SHA-256 context setup
102 */
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)103 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
104 {
105 ctx->total[0] = 0;
106 ctx->total[1] = 0;
107
108 if( is224 == 0 )
109 {
110 /* SHA-256 */
111 ctx->state[0] = 0x6A09E667;
112 ctx->state[1] = 0xBB67AE85;
113 ctx->state[2] = 0x3C6EF372;
114 ctx->state[3] = 0xA54FF53A;
115 ctx->state[4] = 0x510E527F;
116 ctx->state[5] = 0x9B05688C;
117 ctx->state[6] = 0x1F83D9AB;
118 ctx->state[7] = 0x5BE0CD19;
119 }
120 else
121 {
122 /* SHA-224 */
123 ctx->state[0] = 0xC1059ED8;
124 ctx->state[1] = 0x367CD507;
125 ctx->state[2] = 0x3070DD17;
126 ctx->state[3] = 0xF70E5939;
127 ctx->state[4] = 0xFFC00B31;
128 ctx->state[5] = 0x68581511;
129 ctx->state[6] = 0x64F98FA7;
130 ctx->state[7] = 0xBEFA4FA4;
131 }
132
133 ctx->is224 = is224;
134 }
135
136 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
137 static const uint32_t K[] =
138 {
139 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
140 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
141 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
142 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
143 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
144 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
145 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
146 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
147 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
148 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
149 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
150 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
151 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
152 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
153 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
154 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
155 };
156
157 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
158 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
159
160 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
161 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
162
163 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
164 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
165
166 #define F0(x,y,z) ((x & y) | (z & (x | y)))
167 #define F1(x,y,z) (z ^ (x & (y ^ z)))
168
169 #define R(t) \
170 ( \
171 W[t] = S1(W[t - 2]) + W[t - 7] + \
172 S0(W[t - 15]) + W[t - 16] \
173 )
174
175 #define P(a,b,c,d,e,f,g,h,x,K) \
176 { \
177 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
178 temp2 = S2(a) + F0(a,b,c); \
179 d += temp1; h = temp1 + temp2; \
180 }
181
mbedtls_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[64])182 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
183 {
184 uint32_t temp1, temp2, W[64];
185 uint32_t A[8];
186 unsigned int i;
187
188 for( i = 0; i < 8; i++ )
189 A[i] = ctx->state[i];
190
191 #if defined(MBEDTLS_SHA256_SMALLER)
192 for( i = 0; i < 64; i++ )
193 {
194 if( i < 16 )
195 GET_UINT32_BE( W[i], data, 4 * i );
196 else
197 R( i );
198
199 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
200
201 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
202 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
203 }
204 #else /* MBEDTLS_SHA256_SMALLER */
205 for( i = 0; i < 16; i++ )
206 GET_UINT32_BE( W[i], data, 4 * i );
207
208 for( i = 0; i < 16; i += 8 )
209 {
210 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
211 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
212 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
213 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
214 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
215 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
216 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
217 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
218 }
219
220 for( i = 16; i < 64; i += 8 )
221 {
222 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
223 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
224 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
225 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
226 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
227 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
228 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
229 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
230 }
231 #endif /* MBEDTLS_SHA256_SMALLER */
232
233 for( i = 0; i < 8; i++ )
234 ctx->state[i] += A[i];
235 }
236 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
237
238 /*
239 * SHA-256 process buffer
240 */
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)241 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
242 size_t ilen )
243 {
244 size_t fill;
245 uint32_t left;
246
247 if( ilen == 0 )
248 return;
249
250 left = ctx->total[0] & 0x3F;
251 fill = 64 - left;
252
253 ctx->total[0] += (uint32_t) ilen;
254 ctx->total[0] &= 0xFFFFFFFF;
255
256 if( ctx->total[0] < (uint32_t) ilen )
257 ctx->total[1]++;
258
259 if( left && ilen >= fill )
260 {
261 memcpy( (void *) (ctx->buffer + left), input, fill );
262 mbedtls_sha256_process( ctx, ctx->buffer );
263 input += fill;
264 ilen -= fill;
265 left = 0;
266 }
267
268 while( ilen >= 64 )
269 {
270 mbedtls_sha256_process( ctx, input );
271 input += 64;
272 ilen -= 64;
273 }
274
275 if( ilen > 0 )
276 memcpy( (void *) (ctx->buffer + left), input, ilen );
277 }
278
279 static const unsigned char sha256_padding[64] =
280 {
281 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
285 };
286
287 /*
288 * SHA-256 final digest
289 */
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char output[32])290 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] )
291 {
292 uint32_t last, padn;
293 uint32_t high, low;
294 unsigned char msglen[8];
295
296 high = ( ctx->total[0] >> 29 )
297 | ( ctx->total[1] << 3 );
298 low = ( ctx->total[0] << 3 );
299
300 PUT_UINT32_BE( high, msglen, 0 );
301 PUT_UINT32_BE( low, msglen, 4 );
302
303 last = ctx->total[0] & 0x3F;
304 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
305
306 mbedtls_sha256_update( ctx, sha256_padding, padn );
307 mbedtls_sha256_update( ctx, msglen, 8 );
308
309 PUT_UINT32_BE( ctx->state[0], output, 0 );
310 PUT_UINT32_BE( ctx->state[1], output, 4 );
311 PUT_UINT32_BE( ctx->state[2], output, 8 );
312 PUT_UINT32_BE( ctx->state[3], output, 12 );
313 PUT_UINT32_BE( ctx->state[4], output, 16 );
314 PUT_UINT32_BE( ctx->state[5], output, 20 );
315 PUT_UINT32_BE( ctx->state[6], output, 24 );
316
317 if( ctx->is224 == 0 )
318 PUT_UINT32_BE( ctx->state[7], output, 28 );
319 }
320
321 #endif /* !MBEDTLS_SHA256_ALT */
322
323 /*
324 * output = SHA-256( input buffer )
325 */
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char output[32],int is224)326 void mbedtls_sha256( const unsigned char *input, size_t ilen,
327 unsigned char output[32], int is224 )
328 {
329 mbedtls_sha256_context ctx;
330
331 mbedtls_sha256_init( &ctx );
332 mbedtls_sha256_starts( &ctx, is224 );
333 mbedtls_sha256_update( &ctx, input, ilen );
334 mbedtls_sha256_finish( &ctx, output );
335 mbedtls_sha256_free( &ctx );
336 }
337
338 #if defined(MBEDTLS_SELF_TEST)
339 /*
340 * FIPS-180-2 test vectors
341 */
342 static const unsigned char sha256_test_buf[3][57] =
343 {
344 { "abc" },
345 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
346 { "" }
347 };
348
349 static const int sha256_test_buflen[3] =
350 {
351 3, 56, 1000
352 };
353
354 static const unsigned char sha256_test_sum[6][32] =
355 {
356 /*
357 * SHA-224 test vectors
358 */
359 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
360 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
361 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
362 0xE3, 0x6C, 0x9D, 0xA7 },
363 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
364 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
365 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
366 0x52, 0x52, 0x25, 0x25 },
367 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
368 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
369 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
370 0x4E, 0xE7, 0xAD, 0x67 },
371
372 /*
373 * SHA-256 test vectors
374 */
375 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
376 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
377 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
378 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
379 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
380 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
381 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
382 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
383 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
384 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
385 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
386 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
387 };
388
389 /*
390 * Checkup routine
391 */
mbedtls_sha256_self_test(int verbose)392 int mbedtls_sha256_self_test( int verbose )
393 {
394 int i, j, k, buflen, ret = 0;
395 unsigned char *buf;
396 unsigned char sha256sum[32];
397 mbedtls_sha256_context ctx;
398
399 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
400 if( NULL == buf )
401 {
402 if( verbose != 0 )
403 mbedtls_printf( "Buffer allocation failed\n" );
404
405 return( 1 );
406 }
407
408 mbedtls_sha256_init( &ctx );
409
410 for( i = 0; i < 6; i++ )
411 {
412 j = i % 3;
413 k = i < 3;
414
415 if( verbose != 0 )
416 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
417
418 mbedtls_sha256_starts( &ctx, k );
419
420 if( j == 2 )
421 {
422 memset( buf, 'a', buflen = 1000 );
423
424 for( j = 0; j < 1000; j++ )
425 mbedtls_sha256_update( &ctx, buf, buflen );
426 }
427 else
428 mbedtls_sha256_update( &ctx, sha256_test_buf[j],
429 sha256_test_buflen[j] );
430
431 mbedtls_sha256_finish( &ctx, sha256sum );
432
433 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
434 {
435 if( verbose != 0 )
436 mbedtls_printf( "failed\n" );
437
438 ret = 1;
439 goto exit;
440 }
441
442 if( verbose != 0 )
443 mbedtls_printf( "passed\n" );
444 }
445
446 if( verbose != 0 )
447 mbedtls_printf( "\n" );
448
449 exit:
450 mbedtls_sha256_free( &ctx );
451 mbedtls_free( buf );
452
453 return( ret );
454 }
455
456 #endif /* MBEDTLS_SELF_TEST */
457
458 #endif /* MBEDTLS_SHA256_C */
459
