TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 23986e5d5d501ae93bed161752708ba18fb9e016 / . / library / sha2.c
blob: 64ebc43d5b2e560ff028839d3fd86bec66ceafc3 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27 *
28 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37#include <stdio.h>
38
39/*
40 * 32-bit integer manipulation macros (big endian)
41 */
42#ifndef GET_ULONG_BE
43#define GET_ULONG_BE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
46 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
48 | ( (unsigned long) (b)[(i) + 3] ); \
49}
50#endif
51
52#ifndef PUT_ULONG_BE
53#define PUT_ULONG_BE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) ); \
59}
60#endif
61
62/*
63 * SHA-256 context setup
64 */
65void sha2_starts( sha2_context *ctx, int is224 )
66{
67 ctx->total[0] = 0;
68 ctx->total[1] = 0;
69
70 if( is224 == 0 )
71 {
72 /* SHA-256 */
73 ctx->state[0] = 0x6A09E667;
74 ctx->state[1] = 0xBB67AE85;
75 ctx->state[2] = 0x3C6EF372;
76 ctx->state[3] = 0xA54FF53A;
77 ctx->state[4] = 0x510E527F;
78 ctx->state[5] = 0x9B05688C;
79 ctx->state[6] = 0x1F83D9AB;
80 ctx->state[7] = 0x5BE0CD19;
81 }
82 else
83 {
84 /* SHA-224 */
85 ctx->state[0] = 0xC1059ED8;
86 ctx->state[1] = 0x367CD507;
87 ctx->state[2] = 0x3070DD17;
88 ctx->state[3] = 0xF70E5939;
89 ctx->state[4] = 0xFFC00B31;
90 ctx->state[5] = 0x68581511;
91 ctx->state[6] = 0x64F98FA7;
92 ctx->state[7] = 0xBEFA4FA4;
93 }
94
95 ctx->is224 = is224;
96}
97
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]98static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99{
100 unsigned long temp1, temp2, W[64];
101 unsigned long A, B, C, D, E, F, G, H;
102
103 GET_ULONG_BE( W[ 0], data, 0 );
104 GET_ULONG_BE( W[ 1], data, 4 );
105 GET_ULONG_BE( W[ 2], data, 8 );
106 GET_ULONG_BE( W[ 3], data, 12 );
107 GET_ULONG_BE( W[ 4], data, 16 );
108 GET_ULONG_BE( W[ 5], data, 20 );
109 GET_ULONG_BE( W[ 6], data, 24 );
110 GET_ULONG_BE( W[ 7], data, 28 );
111 GET_ULONG_BE( W[ 8], data, 32 );
112 GET_ULONG_BE( W[ 9], data, 36 );
113 GET_ULONG_BE( W[10], data, 40 );
114 GET_ULONG_BE( W[11], data, 44 );
115 GET_ULONG_BE( W[12], data, 48 );
116 GET_ULONG_BE( W[13], data, 52 );
117 GET_ULONG_BE( W[14], data, 56 );
118 GET_ULONG_BE( W[15], data, 60 );
119
120#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
121#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
122
123#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
124#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
125
126#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
127#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
128
129#define F0(x,y,z) ((x & y) | (z & (x | y)))
130#define F1(x,y,z) (z ^ (x & (y ^ z)))
131
132#define R(t) \
133( \
134 W[t] = S1(W[t - 2]) + W[t - 7] + \
135 S0(W[t - 15]) + W[t - 16] \
136)
137
138#define P(a,b,c,d,e,f,g,h,x,K) \
139{ \
140 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
141 temp2 = S2(a) + F0(a,b,c); \
142 d += temp1; h = temp1 + temp2; \
143}
144
145 A = ctx->state[0];
146 B = ctx->state[1];
147 C = ctx->state[2];
148 D = ctx->state[3];
149 E = ctx->state[4];
150 F = ctx->state[5];
151 G = ctx->state[6];
152 H = ctx->state[7];
153
154 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
155 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
156 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
157 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
158 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
159 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
160 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
161 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
162 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
163 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
164 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
165 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
166 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
167 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
168 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
169 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
170 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
171 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
172 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
173 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
174 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
175 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
176 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
177 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
178 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
179 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
180 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
181 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
182 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
183 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
184 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
185 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
186 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
187 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
188 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
189 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
190 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
191 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
192 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
193 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
194 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
195 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
196 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
197 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
198 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
199 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
200 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
201 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
202 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
203 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
204 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
205 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
206 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
207 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
208 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
209 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
210 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
211 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
212 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
213 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
214 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
215 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
216 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
217 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
218
219 ctx->state[0] += A;
220 ctx->state[1] += B;
221 ctx->state[2] += C;
222 ctx->state[3] += D;
223 ctx->state[4] += E;
224 ctx->state[5] += F;
225 ctx->state[6] += G;
226 ctx->state[7] += H;
227}
228
229/*
230 * SHA-256 process buffer
231 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]232void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]234 size_t fill;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235 unsigned long left;
236
237 if( ilen <= 0 )
238 return;
239
240 left = ctx->total[0] & 0x3F;
241 fill = 64 - left;
242
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]243 ctx->total[0] += (unsigned long) ilen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244 ctx->total[0] &= 0xFFFFFFFF;
245
246 if( ctx->total[0] < (unsigned long) ilen )
247 ctx->total[1]++;
248
249 if( left && ilen >= fill )
250 {
251 memcpy( (void *) (ctx->buffer + left),
252 (void *) input, fill );
253 sha2_process( ctx, ctx->buffer );
254 input += fill;
255 ilen -= fill;
256 left = 0;
257 }
258
259 while( ilen >= 64 )
260 {
261 sha2_process( ctx, input );
262 input += 64;
263 ilen -= 64;
264 }
265
266 if( ilen > 0 )
267 {
268 memcpy( (void *) (ctx->buffer + left),
269 (void *) input, ilen );
270 }
271}
272
273static const unsigned char sha2_padding[64] =
274{
275 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
279};
280
281/*
282 * SHA-256 final digest
283 */
284void sha2_finish( sha2_context *ctx, unsigned char output[32] )
285{
286 unsigned long last, padn;
287 unsigned long high, low;
288 unsigned char msglen[8];
289
290 high = ( ctx->total[0] >> 29 )
291 | ( ctx->total[1] << 3 );
292 low = ( ctx->total[0] << 3 );
293
294 PUT_ULONG_BE( high, msglen, 0 );
295 PUT_ULONG_BE( low, msglen, 4 );
296
297 last = ctx->total[0] & 0x3F;
298 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
299
300 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
301 sha2_update( ctx, msglen, 8 );
302
303 PUT_ULONG_BE( ctx->state[0], output, 0 );
304 PUT_ULONG_BE( ctx->state[1], output, 4 );
305 PUT_ULONG_BE( ctx->state[2], output, 8 );
306 PUT_ULONG_BE( ctx->state[3], output, 12 );
307 PUT_ULONG_BE( ctx->state[4], output, 16 );
308 PUT_ULONG_BE( ctx->state[5], output, 20 );
309 PUT_ULONG_BE( ctx->state[6], output, 24 );
310
311 if( ctx->is224 == 0 )
312 PUT_ULONG_BE( ctx->state[7], output, 28 );
313}
314
315/*
316 * output = SHA-256( input buffer )
317 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]318void sha2( const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319 unsigned char output[32], int is224 )
320{
321 sha2_context ctx;
322
323 sha2_starts( &ctx, is224 );
324 sha2_update( &ctx, input, ilen );
325 sha2_finish( &ctx, output );
326
327 memset( &ctx, 0, sizeof( sha2_context ) );
328}
329
330/*
331 * output = SHA-256( file contents )
332 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]333int sha2_file( const char *path, unsigned char output[32], int is224 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]334{
335 FILE *f;
336 size_t n;
337 sha2_context ctx;
338 unsigned char buf[1024];
339
340 if( ( f = fopen( path, "rb" ) ) == NULL )
341 return( 1 );
342
343 sha2_starts( &ctx, is224 );
344
345 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
346 sha2_update( &ctx, buf, (int) n );
347
348 sha2_finish( &ctx, output );
349
350 memset( &ctx, 0, sizeof( sha2_context ) );
351
352 if( ferror( f ) != 0 )
353 {
354 fclose( f );
355 return( 2 );
356 }
357
358 fclose( f );
359 return( 0 );
360}
361
362/*
363 * SHA-256 HMAC context setup
364 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]365void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366 int is224 )
367{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]368 size_t i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 unsigned char sum[32];
370
371 if( keylen > 64 )
372 {
373 sha2( key, keylen, sum, is224 );
374 keylen = ( is224 ) ? 28 : 32;
375 key = sum;
376 }
377
378 memset( ctx->ipad, 0x36, 64 );
379 memset( ctx->opad, 0x5C, 64 );
380
381 for( i = 0; i < keylen; i++ )
382 {
383 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
384 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
385 }
386
387 sha2_starts( ctx, is224 );
388 sha2_update( ctx, ctx->ipad, 64 );
389
390 memset( sum, 0, sizeof( sum ) );
391}
392
393/*
394 * SHA-256 HMAC process buffer
395 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]396void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397{
398 sha2_update( ctx, input, ilen );
399}
400
401/*
402 * SHA-256 HMAC final digest
403 */
404void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
405{
406 int is224, hlen;
407 unsigned char tmpbuf[32];
408
409 is224 = ctx->is224;
410 hlen = ( is224 == 0 ) ? 32 : 28;
411
412 sha2_finish( ctx, tmpbuf );
413 sha2_starts( ctx, is224 );
414 sha2_update( ctx, ctx->opad, 64 );
415 sha2_update( ctx, tmpbuf, hlen );
416 sha2_finish( ctx, output );
417
418 memset( tmpbuf, 0, sizeof( tmpbuf ) );
419}
420
421/*
Paul Bakker7d3b6612010-03-21 16:23:13 +0000[diff] [blame]422 * SHA-256 HMAC context reset
423 */
424void sha2_hmac_reset( sha2_context *ctx )
425{
426 sha2_starts( ctx, ctx->is224 );
427 sha2_update( ctx, ctx->ipad, 64 );
428}
429
430/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431 * output = HMAC-SHA-256( hmac key, input buffer )
432 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame^]433void sha2_hmac( const unsigned char *key, size_t keylen,
434 const unsigned char *input, size_t ilen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435 unsigned char output[32], int is224 )
436{
437 sha2_context ctx;
438
439 sha2_hmac_starts( &ctx, key, keylen, is224 );
440 sha2_hmac_update( &ctx, input, ilen );
441 sha2_hmac_finish( &ctx, output );
442
443 memset( &ctx, 0, sizeof( sha2_context ) );
444}
445
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]446#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447/*
448 * FIPS-180-2 test vectors
449 */
450static unsigned char sha2_test_buf[3][57] =
451{
452 { "abc" },
453 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
454 { "" }
455};
456
457static const int sha2_test_buflen[3] =
458{
459 3, 56, 1000
460};
461
462static const unsigned char sha2_test_sum[6][32] =
463{
464 /*
465 * SHA-224 test vectors
466 */
467 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
468 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
469 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
470 0xE3, 0x6C, 0x9D, 0xA7 },
471 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
472 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
473 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
474 0x52, 0x52, 0x25, 0x25 },
475 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
476 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
477 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
478 0x4E, 0xE7, 0xAD, 0x67 },
479
480 /*
481 * SHA-256 test vectors
482 */
483 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
484 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
485 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
486 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
487 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
488 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
489 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
490 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
491 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
492 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
493 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
494 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
495};
496
497/*
498 * RFC 4231 test vectors
499 */
500static unsigned char sha2_hmac_test_key[7][26] =
501{
502 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
503 "\x0B\x0B\x0B\x0B" },
504 { "Jefe" },
505 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
506 "\xAA\xAA\xAA\xAA" },
507 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
508 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
509 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
510 "\x0C\x0C\x0C\x0C" },
511 { "" }, /* 0xAA 131 times */
512 { "" }
513};
514
515static const int sha2_hmac_test_keylen[7] =
516{
517 20, 4, 20, 25, 20, 131, 131
518};
519
520static unsigned char sha2_hmac_test_buf[7][153] =
521{
522 { "Hi There" },
523 { "what do ya want for nothing?" },
524 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
525 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
526 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
527 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
528 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
529 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
530 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
531 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
532 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
533 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
534 { "Test With Truncation" },
535 { "Test Using Larger Than Block-Size Key - Hash Key First" },
536 { "This is a test using a larger than block-size key "
537 "and a larger than block-size data. The key needs to "
538 "be hashed before being used by the HMAC algorithm." }
539};
540
541static const int sha2_hmac_test_buflen[7] =
542{
543 8, 28, 50, 50, 20, 54, 152
544};
545
546static const unsigned char sha2_hmac_test_sum[14][32] =
547{
548 /*
549 * HMAC-SHA-224 test vectors
550 */
551 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
552 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
553 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
554 0x53, 0x68, 0x4B, 0x22 },
555 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
556 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
557 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
558 0x8F, 0xD0, 0x5E, 0x44 },
559 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
560 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
561 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
562 0xEC, 0x83, 0x33, 0xEA },
563 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
564 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
565 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
566 0xE7, 0xAF, 0xEC, 0x5A },
567 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
568 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
569 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
570 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
571 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
572 0x3F, 0xA6, 0x87, 0x0E },
573 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
574 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
575 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
576 0xF6, 0xF5, 0x65, 0xD1 },
577
578 /*
579 * HMAC-SHA-256 test vectors
580 */
581 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
582 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
583 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
584 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
585 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
586 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
587 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
588 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
589 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
590 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
591 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
592 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
593 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
594 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
595 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
596 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
597 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
598 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
599 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
600 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
601 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
602 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
603 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
604 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
605 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
606 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
607};
608
609/*
610 * Checkup routine
611 */
612int sha2_self_test( int verbose )
613{
614 int i, j, k, buflen;
615 unsigned char buf[1024];
616 unsigned char sha2sum[32];
617 sha2_context ctx;
618
619 for( i = 0; i < 6; i++ )
620 {
621 j = i % 3;
622 k = i < 3;
623
624 if( verbose != 0 )
625 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
626
627 sha2_starts( &ctx, k );
628
629 if( j == 2 )
630 {
631 memset( buf, 'a', buflen = 1000 );
632
633 for( j = 0; j < 1000; j++ )
634 sha2_update( &ctx, buf, buflen );
635 }
636 else
637 sha2_update( &ctx, sha2_test_buf[j],
638 sha2_test_buflen[j] );
639
640 sha2_finish( &ctx, sha2sum );
641
642 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
643 {
644 if( verbose != 0 )
645 printf( "failed\n" );
646
647 return( 1 );
648 }
649
650 if( verbose != 0 )
651 printf( "passed\n" );
652 }
653
654 if( verbose != 0 )
655 printf( "\n" );
656
657 for( i = 0; i < 14; i++ )
658 {
659 j = i % 7;
660 k = i < 7;
661
662 if( verbose != 0 )
663 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
664
665 if( j == 5 || j == 6 )
666 {
667 memset( buf, '\xAA', buflen = 131 );
668 sha2_hmac_starts( &ctx, buf, buflen, k );
669 }
670 else
671 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
672 sha2_hmac_test_keylen[j], k );
673
674 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
675 sha2_hmac_test_buflen[j] );
676
677 sha2_hmac_finish( &ctx, sha2sum );
678
679 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
680
681 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
682 {
683 if( verbose != 0 )
684 printf( "failed\n" );
685
686 return( 1 );
687 }
688
689 if( verbose != 0 )
690 printf( "passed\n" );
691 }
692
693 if( verbose != 0 )
694 printf( "\n" );
695
696 return( 0 );
697}
698
699#endif
700
701#endif