TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 3c2122ff9df373dca325998ef3f2ec2be986f1ac / . / library / sha2.c
blob: 7b375ff49c92254fb50913f0b024c4a32ac78688 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27 *
28 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]37#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38#include <stdio.h>
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
41/*
42 * 32-bit integer manipulation macros (big endian)
43 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]44#ifndef GET_UINT32_BE
45#define GET_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]47 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
48 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
49 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
50 | ( (uint32_t) (b)[(i) + 3] ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51}
52#endif
53
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]54#ifndef PUT_UINT32_BE
55#define PUT_UINT32_BE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56{ \
57 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) ); \
61}
62#endif
63
64/*
65 * SHA-256 context setup
66 */
67void sha2_starts( sha2_context *ctx, int is224 )
68{
69 ctx->total[0] = 0;
70 ctx->total[1] = 0;
71
72 if( is224 == 0 )
73 {
74 /* SHA-256 */
75 ctx->state[0] = 0x6A09E667;
76 ctx->state[1] = 0xBB67AE85;
77 ctx->state[2] = 0x3C6EF372;
78 ctx->state[3] = 0xA54FF53A;
79 ctx->state[4] = 0x510E527F;
80 ctx->state[5] = 0x9B05688C;
81 ctx->state[6] = 0x1F83D9AB;
82 ctx->state[7] = 0x5BE0CD19;
83 }
84 else
85 {
86 /* SHA-224 */
87 ctx->state[0] = 0xC1059ED8;
88 ctx->state[1] = 0x367CD507;
89 ctx->state[2] = 0x3070DD17;
90 ctx->state[3] = 0xF70E5939;
91 ctx->state[4] = 0xFFC00B31;
92 ctx->state[5] = 0x68581511;
93 ctx->state[6] = 0x64F98FA7;
94 ctx->state[7] = 0xBEFA4FA4;
95 }
96
97 ctx->is224 = is224;
98}
99
Paul Bakkere47b34b2013-02-27 14:48:00 +0100[diff] [blame]100void sha2_process( sha2_context *ctx, const unsigned char data[64] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]101{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]102 uint32_t temp1, temp2, W[64];
103 uint32_t A, B, C, D, E, F, G, H;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]104
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]105 GET_UINT32_BE( W[ 0], data, 0 );
106 GET_UINT32_BE( W[ 1], data, 4 );
107 GET_UINT32_BE( W[ 2], data, 8 );
108 GET_UINT32_BE( W[ 3], data, 12 );
109 GET_UINT32_BE( W[ 4], data, 16 );
110 GET_UINT32_BE( W[ 5], data, 20 );
111 GET_UINT32_BE( W[ 6], data, 24 );
112 GET_UINT32_BE( W[ 7], data, 28 );
113 GET_UINT32_BE( W[ 8], data, 32 );
114 GET_UINT32_BE( W[ 9], data, 36 );
115 GET_UINT32_BE( W[10], data, 40 );
116 GET_UINT32_BE( W[11], data, 44 );
117 GET_UINT32_BE( W[12], data, 48 );
118 GET_UINT32_BE( W[13], data, 52 );
119 GET_UINT32_BE( W[14], data, 56 );
120 GET_UINT32_BE( W[15], data, 60 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121
122#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
123#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
124
125#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
126#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
127
128#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
129#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
130
131#define F0(x,y,z) ((x & y) | (z & (x | y)))
132#define F1(x,y,z) (z ^ (x & (y ^ z)))
133
134#define R(t) \
135( \
136 W[t] = S1(W[t - 2]) + W[t - 7] + \
137 S0(W[t - 15]) + W[t - 16] \
138)
139
140#define P(a,b,c,d,e,f,g,h,x,K) \
141{ \
142 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
143 temp2 = S2(a) + F0(a,b,c); \
144 d += temp1; h = temp1 + temp2; \
145}
146
147 A = ctx->state[0];
148 B = ctx->state[1];
149 C = ctx->state[2];
150 D = ctx->state[3];
151 E = ctx->state[4];
152 F = ctx->state[5];
153 G = ctx->state[6];
154 H = ctx->state[7];
155
156 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
157 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
158 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
159 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
160 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
161 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
162 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
163 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
164 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
165 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
166 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
167 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
168 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
169 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
170 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
171 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
172 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
173 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
174 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
175 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
176 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
177 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
178 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
179 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
180 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
181 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
182 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
183 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
184 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
185 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
186 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
187 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
188 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
189 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
190 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
191 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
192 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
193 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
194 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
195 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
196 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
197 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
198 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
199 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
200 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
201 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
202 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
203 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
204 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
205 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
206 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
207 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
208 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
209 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
210 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
211 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
212 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
213 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
214 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
215 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
216 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
217 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
218 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
219 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
220
221 ctx->state[0] += A;
222 ctx->state[1] += B;
223 ctx->state[2] += C;
224 ctx->state[3] += D;
225 ctx->state[4] += E;
226 ctx->state[5] += F;
227 ctx->state[6] += G;
228 ctx->state[7] += H;
229}
230
231/*
232 * SHA-256 process buffer
233 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]234void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]236 size_t fill;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]237 uint32_t left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238
239 if( ilen <= 0 )
240 return;
241
242 left = ctx->total[0] & 0x3F;
243 fill = 64 - left;
244
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]245 ctx->total[0] += (uint32_t) ilen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]246 ctx->total[0] &= 0xFFFFFFFF;
247
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]248 if( ctx->total[0] < (uint32_t) ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]249 ctx->total[1]++;
250
251 if( left && ilen >= fill )
252 {
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame^]253 memcpy( (void *) (ctx->buffer + left), input, fill );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]254 sha2_process( ctx, ctx->buffer );
255 input += fill;
256 ilen -= fill;
257 left = 0;
258 }
259
260 while( ilen >= 64 )
261 {
262 sha2_process( ctx, input );
263 input += 64;
264 ilen -= 64;
265 }
266
267 if( ilen > 0 )
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame^]268 memcpy( (void *) (ctx->buffer + left), input, ilen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269}
270
271static const unsigned char sha2_padding[64] =
272{
273 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
274 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
277};
278
279/*
280 * SHA-256 final digest
281 */
282void sha2_finish( sha2_context *ctx, unsigned char output[32] )
283{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]284 uint32_t last, padn;
285 uint32_t high, low;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]286 unsigned char msglen[8];
287
288 high = ( ctx->total[0] >> 29 )
289 | ( ctx->total[1] << 3 );
290 low = ( ctx->total[0] << 3 );
291
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]292 PUT_UINT32_BE( high, msglen, 0 );
293 PUT_UINT32_BE( low, msglen, 4 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]294
295 last = ctx->total[0] & 0x3F;
296 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
297
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame^]298 sha2_update( ctx, sha2_padding, padn );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]299 sha2_update( ctx, msglen, 8 );
300
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]301 PUT_UINT32_BE( ctx->state[0], output, 0 );
302 PUT_UINT32_BE( ctx->state[1], output, 4 );
303 PUT_UINT32_BE( ctx->state[2], output, 8 );
304 PUT_UINT32_BE( ctx->state[3], output, 12 );
305 PUT_UINT32_BE( ctx->state[4], output, 16 );
306 PUT_UINT32_BE( ctx->state[5], output, 20 );
307 PUT_UINT32_BE( ctx->state[6], output, 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308
309 if( ctx->is224 == 0 )
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]310 PUT_UINT32_BE( ctx->state[7], output, 28 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]311}
312
313/*
314 * output = SHA-256( input buffer )
315 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]316void sha2( const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317 unsigned char output[32], int is224 )
318{
319 sha2_context ctx;
320
321 sha2_starts( &ctx, is224 );
322 sha2_update( &ctx, input, ilen );
323 sha2_finish( &ctx, output );
324
325 memset( &ctx, 0, sizeof( sha2_context ) );
326}
327
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]328#if defined(POLARSSL_FS_IO)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329/*
330 * output = SHA-256( file contents )
331 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]332int sha2_file( const char *path, unsigned char output[32], int is224 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 FILE *f;
335 size_t n;
336 sha2_context ctx;
337 unsigned char buf[1024];
338
339 if( ( f = fopen( path, "rb" ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]340 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341
342 sha2_starts( &ctx, is224 );
343
344 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]345 sha2_update( &ctx, buf, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346
347 sha2_finish( &ctx, output );
348
349 memset( &ctx, 0, sizeof( sha2_context ) );
350
351 if( ferror( f ) != 0 )
352 {
353 fclose( f );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]354 return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355 }
356
357 fclose( f );
358 return( 0 );
359}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]360#endif /* POLARSSL_FS_IO */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
362/*
363 * SHA-256 HMAC context setup
364 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]365void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366 int is224 )
367{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]368 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 unsigned char sum[32];
370
371 if( keylen > 64 )
372 {
373 sha2( key, keylen, sum, is224 );
374 keylen = ( is224 ) ? 28 : 32;
375 key = sum;
376 }
377
378 memset( ctx->ipad, 0x36, 64 );
379 memset( ctx->opad, 0x5C, 64 );
380
381 for( i = 0; i < keylen; i++ )
382 {
383 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
384 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
385 }
386
387 sha2_starts( ctx, is224 );
388 sha2_update( ctx, ctx->ipad, 64 );
389
390 memset( sum, 0, sizeof( sum ) );
391}
392
393/*
394 * SHA-256 HMAC process buffer
395 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]396void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397{
398 sha2_update( ctx, input, ilen );
399}
400
401/*
402 * SHA-256 HMAC final digest
403 */
404void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
405{
406 int is224, hlen;
407 unsigned char tmpbuf[32];
408
409 is224 = ctx->is224;
410 hlen = ( is224 == 0 ) ? 32 : 28;
411
412 sha2_finish( ctx, tmpbuf );
413 sha2_starts( ctx, is224 );
414 sha2_update( ctx, ctx->opad, 64 );
415 sha2_update( ctx, tmpbuf, hlen );
416 sha2_finish( ctx, output );
417
418 memset( tmpbuf, 0, sizeof( tmpbuf ) );
419}
420
421/*
Paul Bakker7d3b6612010-03-21 16:23:13 +0000[diff] [blame]422 * SHA-256 HMAC context reset
423 */
424void sha2_hmac_reset( sha2_context *ctx )
425{
426 sha2_starts( ctx, ctx->is224 );
427 sha2_update( ctx, ctx->ipad, 64 );
428}
429
430/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431 * output = HMAC-SHA-256( hmac key, input buffer )
432 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]433void sha2_hmac( const unsigned char *key, size_t keylen,
434 const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435 unsigned char output[32], int is224 )
436{
437 sha2_context ctx;
438
439 sha2_hmac_starts( &ctx, key, keylen, is224 );
440 sha2_hmac_update( &ctx, input, ilen );
441 sha2_hmac_finish( &ctx, output );
442
443 memset( &ctx, 0, sizeof( sha2_context ) );
444}
445
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]446#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447/*
448 * FIPS-180-2 test vectors
449 */
450static unsigned char sha2_test_buf[3][57] =
451{
452 { "abc" },
453 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
454 { "" }
455};
456
457static const int sha2_test_buflen[3] =
458{
459 3, 56, 1000
460};
461
462static const unsigned char sha2_test_sum[6][32] =
463{
464 /*
465 * SHA-224 test vectors
466 */
467 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
468 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
469 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
470 0xE3, 0x6C, 0x9D, 0xA7 },
471 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
472 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
473 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
474 0x52, 0x52, 0x25, 0x25 },
475 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
476 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
477 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
478 0x4E, 0xE7, 0xAD, 0x67 },
479
480 /*
481 * SHA-256 test vectors
482 */
483 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
484 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
485 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
486 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
487 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
488 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
489 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
490 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
491 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
492 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
493 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
494 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
495};
496
497/*
498 * RFC 4231 test vectors
499 */
500static unsigned char sha2_hmac_test_key[7][26] =
501{
502 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
503 "\x0B\x0B\x0B\x0B" },
504 { "Jefe" },
505 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
506 "\xAA\xAA\xAA\xAA" },
507 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
508 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
509 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
510 "\x0C\x0C\x0C\x0C" },
511 { "" }, /* 0xAA 131 times */
512 { "" }
513};
514
515static const int sha2_hmac_test_keylen[7] =
516{
517 20, 4, 20, 25, 20, 131, 131
518};
519
520static unsigned char sha2_hmac_test_buf[7][153] =
521{
522 { "Hi There" },
523 { "what do ya want for nothing?" },
524 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
525 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
526 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
527 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
528 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
529 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
530 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
531 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
532 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
533 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
534 { "Test With Truncation" },
535 { "Test Using Larger Than Block-Size Key - Hash Key First" },
536 { "This is a test using a larger than block-size key "
537 "and a larger than block-size data. The key needs to "
538 "be hashed before being used by the HMAC algorithm." }
539};
540
541static const int sha2_hmac_test_buflen[7] =
542{
543 8, 28, 50, 50, 20, 54, 152
544};
545
546static const unsigned char sha2_hmac_test_sum[14][32] =
547{
548 /*
549 * HMAC-SHA-224 test vectors
550 */
551 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
552 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
553 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
554 0x53, 0x68, 0x4B, 0x22 },
555 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
556 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
557 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
558 0x8F, 0xD0, 0x5E, 0x44 },
559 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
560 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
561 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
562 0xEC, 0x83, 0x33, 0xEA },
563 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
564 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
565 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
566 0xE7, 0xAF, 0xEC, 0x5A },
567 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
568 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
569 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
570 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
571 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
572 0x3F, 0xA6, 0x87, 0x0E },
573 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
574 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
575 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
576 0xF6, 0xF5, 0x65, 0xD1 },
577
578 /*
579 * HMAC-SHA-256 test vectors
580 */
581 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
582 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
583 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
584 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
585 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
586 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
587 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
588 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
589 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
590 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
591 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
592 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
593 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
594 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
595 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
596 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
597 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
598 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
599 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
600 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
601 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
602 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
603 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
604 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
605 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
606 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
607};
608
609/*
610 * Checkup routine
611 */
612int sha2_self_test( int verbose )
613{
614 int i, j, k, buflen;
615 unsigned char buf[1024];
616 unsigned char sha2sum[32];
617 sha2_context ctx;
618
619 for( i = 0; i < 6; i++ )
620 {
621 j = i % 3;
622 k = i < 3;
623
624 if( verbose != 0 )
625 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
626
627 sha2_starts( &ctx, k );
628
629 if( j == 2 )
630 {
631 memset( buf, 'a', buflen = 1000 );
632
633 for( j = 0; j < 1000; j++ )
634 sha2_update( &ctx, buf, buflen );
635 }
636 else
637 sha2_update( &ctx, sha2_test_buf[j],
638 sha2_test_buflen[j] );
639
640 sha2_finish( &ctx, sha2sum );
641
642 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
643 {
644 if( verbose != 0 )
645 printf( "failed\n" );
646
647 return( 1 );
648 }
649
650 if( verbose != 0 )
651 printf( "passed\n" );
652 }
653
654 if( verbose != 0 )
655 printf( "\n" );
656
657 for( i = 0; i < 14; i++ )
658 {
659 j = i % 7;
660 k = i < 7;
661
662 if( verbose != 0 )
663 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
664
665 if( j == 5 || j == 6 )
666 {
667 memset( buf, '\xAA', buflen = 131 );
668 sha2_hmac_starts( &ctx, buf, buflen, k );
669 }
670 else
671 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
672 sha2_hmac_test_keylen[j], k );
673
674 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
675 sha2_hmac_test_buflen[j] );
676
677 sha2_hmac_finish( &ctx, sha2sum );
678
679 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
680
681 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
682 {
683 if( verbose != 0 )
684 printf( "failed\n" );
685
686 return( 1 );
687 }
688
689 if( verbose != 0 )
690 printf( "passed\n" );
691 }
692
693 if( verbose != 0 )
694 printf( "\n" );
695
696 return( 0 );
697}
698
699#endif
700
701#endif