TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 13e2dfecaa48933daa7565c1c760803abe479471 / . / library / sha2.c
blob: da558d74fb87614ec130ed31bc1aad9b66a79808 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 *
25 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
26 */
27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
34#include <string.h>
35#include <stdio.h>
36
37/*
38 * 32-bit integer manipulation macros (big endian)
39 */
40#ifndef GET_ULONG_BE
41#define GET_ULONG_BE(n,b,i) \
42{ \
43 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
44 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
45 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
46 | ( (unsigned long) (b)[(i) + 3] ); \
47}
48#endif
49
50#ifndef PUT_ULONG_BE
51#define PUT_ULONG_BE(n,b,i) \
52{ \
53 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
54 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
55 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
56 (b)[(i) + 3] = (unsigned char) ( (n) ); \
57}
58#endif
59
60/*
61 * SHA-256 context setup
62 */
63void sha2_starts( sha2_context *ctx, int is224 )
64{
65 ctx->total[0] = 0;
66 ctx->total[1] = 0;
67
68 if( is224 == 0 )
69 {
70 /* SHA-256 */
71 ctx->state[0] = 0x6A09E667;
72 ctx->state[1] = 0xBB67AE85;
73 ctx->state[2] = 0x3C6EF372;
74 ctx->state[3] = 0xA54FF53A;
75 ctx->state[4] = 0x510E527F;
76 ctx->state[5] = 0x9B05688C;
77 ctx->state[6] = 0x1F83D9AB;
78 ctx->state[7] = 0x5BE0CD19;
79 }
80 else
81 {
82 /* SHA-224 */
83 ctx->state[0] = 0xC1059ED8;
84 ctx->state[1] = 0x367CD507;
85 ctx->state[2] = 0x3070DD17;
86 ctx->state[3] = 0xF70E5939;
87 ctx->state[4] = 0xFFC00B31;
88 ctx->state[5] = 0x68581511;
89 ctx->state[6] = 0x64F98FA7;
90 ctx->state[7] = 0xBEFA4FA4;
91 }
92
93 ctx->is224 = is224;
94}
95
96static void sha2_process( sha2_context *ctx, unsigned char data[64] )
97{
98 unsigned long temp1, temp2, W[64];
99 unsigned long A, B, C, D, E, F, G, H;
100
101 GET_ULONG_BE( W[ 0], data, 0 );
102 GET_ULONG_BE( W[ 1], data, 4 );
103 GET_ULONG_BE( W[ 2], data, 8 );
104 GET_ULONG_BE( W[ 3], data, 12 );
105 GET_ULONG_BE( W[ 4], data, 16 );
106 GET_ULONG_BE( W[ 5], data, 20 );
107 GET_ULONG_BE( W[ 6], data, 24 );
108 GET_ULONG_BE( W[ 7], data, 28 );
109 GET_ULONG_BE( W[ 8], data, 32 );
110 GET_ULONG_BE( W[ 9], data, 36 );
111 GET_ULONG_BE( W[10], data, 40 );
112 GET_ULONG_BE( W[11], data, 44 );
113 GET_ULONG_BE( W[12], data, 48 );
114 GET_ULONG_BE( W[13], data, 52 );
115 GET_ULONG_BE( W[14], data, 56 );
116 GET_ULONG_BE( W[15], data, 60 );
117
118#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
119#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
120
121#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
122#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
123
124#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
125#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
126
127#define F0(x,y,z) ((x & y) | (z & (x | y)))
128#define F1(x,y,z) (z ^ (x & (y ^ z)))
129
130#define R(t) \
131( \
132 W[t] = S1(W[t - 2]) + W[t - 7] + \
133 S0(W[t - 15]) + W[t - 16] \
134)
135
136#define P(a,b,c,d,e,f,g,h,x,K) \
137{ \
138 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
139 temp2 = S2(a) + F0(a,b,c); \
140 d += temp1; h = temp1 + temp2; \
141}
142
143 A = ctx->state[0];
144 B = ctx->state[1];
145 C = ctx->state[2];
146 D = ctx->state[3];
147 E = ctx->state[4];
148 F = ctx->state[5];
149 G = ctx->state[6];
150 H = ctx->state[7];
151
152 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
153 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
154 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
155 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
156 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
157 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
158 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
159 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
160 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
161 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
162 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
163 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
164 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
165 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
166 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
167 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
168 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
169 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
170 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
171 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
172 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
173 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
174 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
175 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
176 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
177 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
178 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
179 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
180 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
181 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
182 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
183 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
184 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
185 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
186 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
187 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
188 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
189 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
190 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
191 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
192 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
193 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
194 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
195 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
196 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
197 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
198 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
199 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
200 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
201 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
202 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
203 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
204 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
205 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
206 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
207 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
208 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
209 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
210 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
211 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
212 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
213 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
214 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
215 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
216
217 ctx->state[0] += A;
218 ctx->state[1] += B;
219 ctx->state[2] += C;
220 ctx->state[3] += D;
221 ctx->state[4] += E;
222 ctx->state[5] += F;
223 ctx->state[6] += G;
224 ctx->state[7] += H;
225}
226
227/*
228 * SHA-256 process buffer
229 */
230void sha2_update( sha2_context *ctx, unsigned char *input, int ilen )
231{
232 int fill;
233 unsigned long left;
234
235 if( ilen <= 0 )
236 return;
237
238 left = ctx->total[0] & 0x3F;
239 fill = 64 - left;
240
241 ctx->total[0] += ilen;
242 ctx->total[0] &= 0xFFFFFFFF;
243
244 if( ctx->total[0] < (unsigned long) ilen )
245 ctx->total[1]++;
246
247 if( left && ilen >= fill )
248 {
249 memcpy( (void *) (ctx->buffer + left),
250 (void *) input, fill );
251 sha2_process( ctx, ctx->buffer );
252 input += fill;
253 ilen -= fill;
254 left = 0;
255 }
256
257 while( ilen >= 64 )
258 {
259 sha2_process( ctx, input );
260 input += 64;
261 ilen -= 64;
262 }
263
264 if( ilen > 0 )
265 {
266 memcpy( (void *) (ctx->buffer + left),
267 (void *) input, ilen );
268 }
269}
270
271static const unsigned char sha2_padding[64] =
272{
273 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
274 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
277};
278
279/*
280 * SHA-256 final digest
281 */
282void sha2_finish( sha2_context *ctx, unsigned char output[32] )
283{
284 unsigned long last, padn;
285 unsigned long high, low;
286 unsigned char msglen[8];
287
288 high = ( ctx->total[0] >> 29 )
289 | ( ctx->total[1] << 3 );
290 low = ( ctx->total[0] << 3 );
291
292 PUT_ULONG_BE( high, msglen, 0 );
293 PUT_ULONG_BE( low, msglen, 4 );
294
295 last = ctx->total[0] & 0x3F;
296 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
297
298 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
299 sha2_update( ctx, msglen, 8 );
300
301 PUT_ULONG_BE( ctx->state[0], output, 0 );
302 PUT_ULONG_BE( ctx->state[1], output, 4 );
303 PUT_ULONG_BE( ctx->state[2], output, 8 );
304 PUT_ULONG_BE( ctx->state[3], output, 12 );
305 PUT_ULONG_BE( ctx->state[4], output, 16 );
306 PUT_ULONG_BE( ctx->state[5], output, 20 );
307 PUT_ULONG_BE( ctx->state[6], output, 24 );
308
309 if( ctx->is224 == 0 )
310 PUT_ULONG_BE( ctx->state[7], output, 28 );
311}
312
313/*
314 * output = SHA-256( input buffer )
315 */
316void sha2( unsigned char *input, int ilen,
317 unsigned char output[32], int is224 )
318{
319 sha2_context ctx;
320
321 sha2_starts( &ctx, is224 );
322 sha2_update( &ctx, input, ilen );
323 sha2_finish( &ctx, output );
324
325 memset( &ctx, 0, sizeof( sha2_context ) );
326}
327
328/*
329 * output = SHA-256( file contents )
330 */
331int sha2_file( char *path, unsigned char output[32], int is224 )
332{
333 FILE *f;
334 size_t n;
335 sha2_context ctx;
336 unsigned char buf[1024];
337
338 if( ( f = fopen( path, "rb" ) ) == NULL )
339 return( 1 );
340
341 sha2_starts( &ctx, is224 );
342
343 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
344 sha2_update( &ctx, buf, (int) n );
345
346 sha2_finish( &ctx, output );
347
348 memset( &ctx, 0, sizeof( sha2_context ) );
349
350 if( ferror( f ) != 0 )
351 {
352 fclose( f );
353 return( 2 );
354 }
355
356 fclose( f );
357 return( 0 );
358}
359
360/*
361 * SHA-256 HMAC context setup
362 */
363void sha2_hmac_starts( sha2_context *ctx, unsigned char *key, int keylen,
364 int is224 )
365{
366 int i;
367 unsigned char sum[32];
368
369 if( keylen > 64 )
370 {
371 sha2( key, keylen, sum, is224 );
372 keylen = ( is224 ) ? 28 : 32;
373 key = sum;
374 }
375
376 memset( ctx->ipad, 0x36, 64 );
377 memset( ctx->opad, 0x5C, 64 );
378
379 for( i = 0; i < keylen; i++ )
380 {
381 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
382 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
383 }
384
385 sha2_starts( ctx, is224 );
386 sha2_update( ctx, ctx->ipad, 64 );
387
388 memset( sum, 0, sizeof( sum ) );
389}
390
391/*
392 * SHA-256 HMAC process buffer
393 */
394void sha2_hmac_update( sha2_context *ctx, unsigned char *input, int ilen )
395{
396 sha2_update( ctx, input, ilen );
397}
398
399/*
400 * SHA-256 HMAC final digest
401 */
402void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
403{
404 int is224, hlen;
405 unsigned char tmpbuf[32];
406
407 is224 = ctx->is224;
408 hlen = ( is224 == 0 ) ? 32 : 28;
409
410 sha2_finish( ctx, tmpbuf );
411 sha2_starts( ctx, is224 );
412 sha2_update( ctx, ctx->opad, 64 );
413 sha2_update( ctx, tmpbuf, hlen );
414 sha2_finish( ctx, output );
415
416 memset( tmpbuf, 0, sizeof( tmpbuf ) );
417}
418
419/*
420 * output = HMAC-SHA-256( hmac key, input buffer )
421 */
422void sha2_hmac( unsigned char *key, int keylen,
423 unsigned char *input, int ilen,
424 unsigned char output[32], int is224 )
425{
426 sha2_context ctx;
427
428 sha2_hmac_starts( &ctx, key, keylen, is224 );
429 sha2_hmac_update( &ctx, input, ilen );
430 sha2_hmac_finish( &ctx, output );
431
432 memset( &ctx, 0, sizeof( sha2_context ) );
433}
434
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]435#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436/*
437 * FIPS-180-2 test vectors
438 */
439static unsigned char sha2_test_buf[3][57] =
440{
441 { "abc" },
442 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
443 { "" }
444};
445
446static const int sha2_test_buflen[3] =
447{
448 3, 56, 1000
449};
450
451static const unsigned char sha2_test_sum[6][32] =
452{
453 /*
454 * SHA-224 test vectors
455 */
456 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
457 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
458 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
459 0xE3, 0x6C, 0x9D, 0xA7 },
460 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
461 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
462 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
463 0x52, 0x52, 0x25, 0x25 },
464 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
465 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
466 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
467 0x4E, 0xE7, 0xAD, 0x67 },
468
469 /*
470 * SHA-256 test vectors
471 */
472 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
473 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
474 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
475 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
476 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
477 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
478 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
479 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
480 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
481 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
482 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
483 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
484};
485
486/*
487 * RFC 4231 test vectors
488 */
489static unsigned char sha2_hmac_test_key[7][26] =
490{
491 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
492 "\x0B\x0B\x0B\x0B" },
493 { "Jefe" },
494 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
495 "\xAA\xAA\xAA\xAA" },
496 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
497 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
498 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
499 "\x0C\x0C\x0C\x0C" },
500 { "" }, /* 0xAA 131 times */
501 { "" }
502};
503
504static const int sha2_hmac_test_keylen[7] =
505{
506 20, 4, 20, 25, 20, 131, 131
507};
508
509static unsigned char sha2_hmac_test_buf[7][153] =
510{
511 { "Hi There" },
512 { "what do ya want for nothing?" },
513 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
514 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
515 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
516 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
517 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
518 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
519 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
520 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
521 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
522 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
523 { "Test With Truncation" },
524 { "Test Using Larger Than Block-Size Key - Hash Key First" },
525 { "This is a test using a larger than block-size key "
526 "and a larger than block-size data. The key needs to "
527 "be hashed before being used by the HMAC algorithm." }
528};
529
530static const int sha2_hmac_test_buflen[7] =
531{
532 8, 28, 50, 50, 20, 54, 152
533};
534
535static const unsigned char sha2_hmac_test_sum[14][32] =
536{
537 /*
538 * HMAC-SHA-224 test vectors
539 */
540 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
541 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
542 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
543 0x53, 0x68, 0x4B, 0x22 },
544 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
545 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
546 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
547 0x8F, 0xD0, 0x5E, 0x44 },
548 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
549 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
550 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
551 0xEC, 0x83, 0x33, 0xEA },
552 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
553 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
554 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
555 0xE7, 0xAF, 0xEC, 0x5A },
556 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
557 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
558 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
559 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
560 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
561 0x3F, 0xA6, 0x87, 0x0E },
562 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
563 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
564 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
565 0xF6, 0xF5, 0x65, 0xD1 },
566
567 /*
568 * HMAC-SHA-256 test vectors
569 */
570 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
571 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
572 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
573 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
574 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
575 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
576 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
577 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
578 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
579 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
580 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
581 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
582 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
583 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
584 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
585 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
586 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
587 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
588 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
589 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
590 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
591 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
592 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
593 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
594 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
595 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
596};
597
598/*
599 * Checkup routine
600 */
601int sha2_self_test( int verbose )
602{
603 int i, j, k, buflen;
604 unsigned char buf[1024];
605 unsigned char sha2sum[32];
606 sha2_context ctx;
607
608 for( i = 0; i < 6; i++ )
609 {
610 j = i % 3;
611 k = i < 3;
612
613 if( verbose != 0 )
614 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
615
616 sha2_starts( &ctx, k );
617
618 if( j == 2 )
619 {
620 memset( buf, 'a', buflen = 1000 );
621
622 for( j = 0; j < 1000; j++ )
623 sha2_update( &ctx, buf, buflen );
624 }
625 else
626 sha2_update( &ctx, sha2_test_buf[j],
627 sha2_test_buflen[j] );
628
629 sha2_finish( &ctx, sha2sum );
630
631 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
632 {
633 if( verbose != 0 )
634 printf( "failed\n" );
635
636 return( 1 );
637 }
638
639 if( verbose != 0 )
640 printf( "passed\n" );
641 }
642
643 if( verbose != 0 )
644 printf( "\n" );
645
646 for( i = 0; i < 14; i++ )
647 {
648 j = i % 7;
649 k = i < 7;
650
651 if( verbose != 0 )
652 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
653
654 if( j == 5 || j == 6 )
655 {
656 memset( buf, '\xAA', buflen = 131 );
657 sha2_hmac_starts( &ctx, buf, buflen, k );
658 }
659 else
660 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
661 sha2_hmac_test_keylen[j], k );
662
663 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
664 sha2_hmac_test_buflen[j] );
665
666 sha2_hmac_finish( &ctx, sha2sum );
667
668 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
669
670 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
671 {
672 if( verbose != 0 )
673 printf( "failed\n" );
674
675 return( 1 );
676 }
677
678 if( verbose != 0 )
679 printf( "passed\n" );
680 }
681
682 if( verbose != 0 )
683 printf( "\n" );
684
685 return( 0 );
686}
687
688#endif
689
690#endif