TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9120018f3df6563920b1cafc60146e795d998818 / . / library / sha2.c
blob: 8afe73ca3c514a24b425324c18c1e14cb95b27cf [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]7 * Joined copyright on original XySSL code with: Christophe Devine
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23/*
24 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
25 *
26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_SHA2_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
35#include <string.h>
36#include <stdio.h>
37
38/*
39 * 32-bit integer manipulation macros (big endian)
40 */
41#ifndef GET_ULONG_BE
42#define GET_ULONG_BE(n,b,i) \
43{ \
44 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
45 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 3] ); \
48}
49#endif
50
51#ifndef PUT_ULONG_BE
52#define PUT_ULONG_BE(n,b,i) \
53{ \
54 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) ); \
58}
59#endif
60
61/*
62 * SHA-256 context setup
63 */
64void sha2_starts( sha2_context *ctx, int is224 )
65{
66 ctx->total[0] = 0;
67 ctx->total[1] = 0;
68
69 if( is224 == 0 )
70 {
71 /* SHA-256 */
72 ctx->state[0] = 0x6A09E667;
73 ctx->state[1] = 0xBB67AE85;
74 ctx->state[2] = 0x3C6EF372;
75 ctx->state[3] = 0xA54FF53A;
76 ctx->state[4] = 0x510E527F;
77 ctx->state[5] = 0x9B05688C;
78 ctx->state[6] = 0x1F83D9AB;
79 ctx->state[7] = 0x5BE0CD19;
80 }
81 else
82 {
83 /* SHA-224 */
84 ctx->state[0] = 0xC1059ED8;
85 ctx->state[1] = 0x367CD507;
86 ctx->state[2] = 0x3070DD17;
87 ctx->state[3] = 0xF70E5939;
88 ctx->state[4] = 0xFFC00B31;
89 ctx->state[5] = 0x68581511;
90 ctx->state[6] = 0x64F98FA7;
91 ctx->state[7] = 0xBEFA4FA4;
92 }
93
94 ctx->is224 = is224;
95}
96
97static void sha2_process( sha2_context *ctx, unsigned char data[64] )
98{
99 unsigned long temp1, temp2, W[64];
100 unsigned long A, B, C, D, E, F, G, H;
101
102 GET_ULONG_BE( W[ 0], data, 0 );
103 GET_ULONG_BE( W[ 1], data, 4 );
104 GET_ULONG_BE( W[ 2], data, 8 );
105 GET_ULONG_BE( W[ 3], data, 12 );
106 GET_ULONG_BE( W[ 4], data, 16 );
107 GET_ULONG_BE( W[ 5], data, 20 );
108 GET_ULONG_BE( W[ 6], data, 24 );
109 GET_ULONG_BE( W[ 7], data, 28 );
110 GET_ULONG_BE( W[ 8], data, 32 );
111 GET_ULONG_BE( W[ 9], data, 36 );
112 GET_ULONG_BE( W[10], data, 40 );
113 GET_ULONG_BE( W[11], data, 44 );
114 GET_ULONG_BE( W[12], data, 48 );
115 GET_ULONG_BE( W[13], data, 52 );
116 GET_ULONG_BE( W[14], data, 56 );
117 GET_ULONG_BE( W[15], data, 60 );
118
119#define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
120#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
121
122#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
123#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
124
125#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
126#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
127
128#define F0(x,y,z) ((x & y) | (z & (x | y)))
129#define F1(x,y,z) (z ^ (x & (y ^ z)))
130
131#define R(t) \
132( \
133 W[t] = S1(W[t - 2]) + W[t - 7] + \
134 S0(W[t - 15]) + W[t - 16] \
135)
136
137#define P(a,b,c,d,e,f,g,h,x,K) \
138{ \
139 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
140 temp2 = S2(a) + F0(a,b,c); \
141 d += temp1; h = temp1 + temp2; \
142}
143
144 A = ctx->state[0];
145 B = ctx->state[1];
146 C = ctx->state[2];
147 D = ctx->state[3];
148 E = ctx->state[4];
149 F = ctx->state[5];
150 G = ctx->state[6];
151 H = ctx->state[7];
152
153 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
154 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
155 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
156 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
157 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
158 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
159 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
160 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
161 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
162 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
163 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
164 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
165 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
166 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
167 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
168 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
169 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
170 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
171 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
172 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
173 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
174 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
175 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
176 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
177 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
178 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
179 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
180 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
181 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
182 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
183 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
184 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
185 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
186 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
187 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
188 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
189 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
190 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
191 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
192 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
193 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
194 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
195 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
196 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
197 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
198 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
199 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
200 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
201 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
202 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
203 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
204 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
205 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
206 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
207 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
208 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
209 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
210 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
211 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
212 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
213 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
214 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
215 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
216 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
217
218 ctx->state[0] += A;
219 ctx->state[1] += B;
220 ctx->state[2] += C;
221 ctx->state[3] += D;
222 ctx->state[4] += E;
223 ctx->state[5] += F;
224 ctx->state[6] += G;
225 ctx->state[7] += H;
226}
227
228/*
229 * SHA-256 process buffer
230 */
231void sha2_update( sha2_context *ctx, unsigned char *input, int ilen )
232{
233 int fill;
234 unsigned long left;
235
236 if( ilen <= 0 )
237 return;
238
239 left = ctx->total[0] & 0x3F;
240 fill = 64 - left;
241
242 ctx->total[0] += ilen;
243 ctx->total[0] &= 0xFFFFFFFF;
244
245 if( ctx->total[0] < (unsigned long) ilen )
246 ctx->total[1]++;
247
248 if( left && ilen >= fill )
249 {
250 memcpy( (void *) (ctx->buffer + left),
251 (void *) input, fill );
252 sha2_process( ctx, ctx->buffer );
253 input += fill;
254 ilen -= fill;
255 left = 0;
256 }
257
258 while( ilen >= 64 )
259 {
260 sha2_process( ctx, input );
261 input += 64;
262 ilen -= 64;
263 }
264
265 if( ilen > 0 )
266 {
267 memcpy( (void *) (ctx->buffer + left),
268 (void *) input, ilen );
269 }
270}
271
272static const unsigned char sha2_padding[64] =
273{
274 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
278};
279
280/*
281 * SHA-256 final digest
282 */
283void sha2_finish( sha2_context *ctx, unsigned char output[32] )
284{
285 unsigned long last, padn;
286 unsigned long high, low;
287 unsigned char msglen[8];
288
289 high = ( ctx->total[0] >> 29 )
290 | ( ctx->total[1] << 3 );
291 low = ( ctx->total[0] << 3 );
292
293 PUT_ULONG_BE( high, msglen, 0 );
294 PUT_ULONG_BE( low, msglen, 4 );
295
296 last = ctx->total[0] & 0x3F;
297 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
298
299 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
300 sha2_update( ctx, msglen, 8 );
301
302 PUT_ULONG_BE( ctx->state[0], output, 0 );
303 PUT_ULONG_BE( ctx->state[1], output, 4 );
304 PUT_ULONG_BE( ctx->state[2], output, 8 );
305 PUT_ULONG_BE( ctx->state[3], output, 12 );
306 PUT_ULONG_BE( ctx->state[4], output, 16 );
307 PUT_ULONG_BE( ctx->state[5], output, 20 );
308 PUT_ULONG_BE( ctx->state[6], output, 24 );
309
310 if( ctx->is224 == 0 )
311 PUT_ULONG_BE( ctx->state[7], output, 28 );
312}
313
314/*
315 * output = SHA-256( input buffer )
316 */
317void sha2( unsigned char *input, int ilen,
318 unsigned char output[32], int is224 )
319{
320 sha2_context ctx;
321
322 sha2_starts( &ctx, is224 );
323 sha2_update( &ctx, input, ilen );
324 sha2_finish( &ctx, output );
325
326 memset( &ctx, 0, sizeof( sha2_context ) );
327}
328
329/*
330 * output = SHA-256( file contents )
331 */
332int sha2_file( char *path, unsigned char output[32], int is224 )
333{
334 FILE *f;
335 size_t n;
336 sha2_context ctx;
337 unsigned char buf[1024];
338
339 if( ( f = fopen( path, "rb" ) ) == NULL )
340 return( 1 );
341
342 sha2_starts( &ctx, is224 );
343
344 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
345 sha2_update( &ctx, buf, (int) n );
346
347 sha2_finish( &ctx, output );
348
349 memset( &ctx, 0, sizeof( sha2_context ) );
350
351 if( ferror( f ) != 0 )
352 {
353 fclose( f );
354 return( 2 );
355 }
356
357 fclose( f );
358 return( 0 );
359}
360
361/*
362 * SHA-256 HMAC context setup
363 */
364void sha2_hmac_starts( sha2_context *ctx, unsigned char *key, int keylen,
365 int is224 )
366{
367 int i;
368 unsigned char sum[32];
369
370 if( keylen > 64 )
371 {
372 sha2( key, keylen, sum, is224 );
373 keylen = ( is224 ) ? 28 : 32;
374 key = sum;
375 }
376
377 memset( ctx->ipad, 0x36, 64 );
378 memset( ctx->opad, 0x5C, 64 );
379
380 for( i = 0; i < keylen; i++ )
381 {
382 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
383 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
384 }
385
386 sha2_starts( ctx, is224 );
387 sha2_update( ctx, ctx->ipad, 64 );
388
389 memset( sum, 0, sizeof( sum ) );
390}
391
392/*
393 * SHA-256 HMAC process buffer
394 */
395void sha2_hmac_update( sha2_context *ctx, unsigned char *input, int ilen )
396{
397 sha2_update( ctx, input, ilen );
398}
399
400/*
401 * SHA-256 HMAC final digest
402 */
403void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
404{
405 int is224, hlen;
406 unsigned char tmpbuf[32];
407
408 is224 = ctx->is224;
409 hlen = ( is224 == 0 ) ? 32 : 28;
410
411 sha2_finish( ctx, tmpbuf );
412 sha2_starts( ctx, is224 );
413 sha2_update( ctx, ctx->opad, 64 );
414 sha2_update( ctx, tmpbuf, hlen );
415 sha2_finish( ctx, output );
416
417 memset( tmpbuf, 0, sizeof( tmpbuf ) );
418}
419
420/*
421 * output = HMAC-SHA-256( hmac key, input buffer )
422 */
423void sha2_hmac( unsigned char *key, int keylen,
424 unsigned char *input, int ilen,
425 unsigned char output[32], int is224 )
426{
427 sha2_context ctx;
428
429 sha2_hmac_starts( &ctx, key, keylen, is224 );
430 sha2_hmac_update( &ctx, input, ilen );
431 sha2_hmac_finish( &ctx, output );
432
433 memset( &ctx, 0, sizeof( sha2_context ) );
434}
435
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]436#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437/*
438 * FIPS-180-2 test vectors
439 */
440static unsigned char sha2_test_buf[3][57] =
441{
442 { "abc" },
443 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
444 { "" }
445};
446
447static const int sha2_test_buflen[3] =
448{
449 3, 56, 1000
450};
451
452static const unsigned char sha2_test_sum[6][32] =
453{
454 /*
455 * SHA-224 test vectors
456 */
457 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
458 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
459 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
460 0xE3, 0x6C, 0x9D, 0xA7 },
461 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
462 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
463 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
464 0x52, 0x52, 0x25, 0x25 },
465 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
466 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
467 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
468 0x4E, 0xE7, 0xAD, 0x67 },
469
470 /*
471 * SHA-256 test vectors
472 */
473 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
474 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
475 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
476 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
477 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
478 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
479 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
480 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
481 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
482 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
483 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
484 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
485};
486
487/*
488 * RFC 4231 test vectors
489 */
490static unsigned char sha2_hmac_test_key[7][26] =
491{
492 { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
493 "\x0B\x0B\x0B\x0B" },
494 { "Jefe" },
495 { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
496 "\xAA\xAA\xAA\xAA" },
497 { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
498 "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
499 { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
500 "\x0C\x0C\x0C\x0C" },
501 { "" }, /* 0xAA 131 times */
502 { "" }
503};
504
505static const int sha2_hmac_test_keylen[7] =
506{
507 20, 4, 20, 25, 20, 131, 131
508};
509
510static unsigned char sha2_hmac_test_buf[7][153] =
511{
512 { "Hi There" },
513 { "what do ya want for nothing?" },
514 { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
515 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
516 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
517 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
518 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
519 { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
520 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
521 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
522 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
523 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
524 { "Test With Truncation" },
525 { "Test Using Larger Than Block-Size Key - Hash Key First" },
526 { "This is a test using a larger than block-size key "
527 "and a larger than block-size data. The key needs to "
528 "be hashed before being used by the HMAC algorithm." }
529};
530
531static const int sha2_hmac_test_buflen[7] =
532{
533 8, 28, 50, 50, 20, 54, 152
534};
535
536static const unsigned char sha2_hmac_test_sum[14][32] =
537{
538 /*
539 * HMAC-SHA-224 test vectors
540 */
541 { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
542 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
543 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
544 0x53, 0x68, 0x4B, 0x22 },
545 { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
546 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
547 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
548 0x8F, 0xD0, 0x5E, 0x44 },
549 { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
550 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
551 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
552 0xEC, 0x83, 0x33, 0xEA },
553 { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
554 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
555 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
556 0xE7, 0xAF, 0xEC, 0x5A },
557 { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
558 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
559 { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
560 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
561 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
562 0x3F, 0xA6, 0x87, 0x0E },
563 { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
564 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
565 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
566 0xF6, 0xF5, 0x65, 0xD1 },
567
568 /*
569 * HMAC-SHA-256 test vectors
570 */
571 { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
572 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
573 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
574 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
575 { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
576 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
577 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
578 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
579 { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
580 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
581 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
582 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
583 { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
584 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
585 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
586 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
587 { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
588 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
589 { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
590 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
591 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
592 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
593 { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
594 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
595 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
596 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
597};
598
599/*
600 * Checkup routine
601 */
602int sha2_self_test( int verbose )
603{
604 int i, j, k, buflen;
605 unsigned char buf[1024];
606 unsigned char sha2sum[32];
607 sha2_context ctx;
608
609 for( i = 0; i < 6; i++ )
610 {
611 j = i % 3;
612 k = i < 3;
613
614 if( verbose != 0 )
615 printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
616
617 sha2_starts( &ctx, k );
618
619 if( j == 2 )
620 {
621 memset( buf, 'a', buflen = 1000 );
622
623 for( j = 0; j < 1000; j++ )
624 sha2_update( &ctx, buf, buflen );
625 }
626 else
627 sha2_update( &ctx, sha2_test_buf[j],
628 sha2_test_buflen[j] );
629
630 sha2_finish( &ctx, sha2sum );
631
632 if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
633 {
634 if( verbose != 0 )
635 printf( "failed\n" );
636
637 return( 1 );
638 }
639
640 if( verbose != 0 )
641 printf( "passed\n" );
642 }
643
644 if( verbose != 0 )
645 printf( "\n" );
646
647 for( i = 0; i < 14; i++ )
648 {
649 j = i % 7;
650 k = i < 7;
651
652 if( verbose != 0 )
653 printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
654
655 if( j == 5 || j == 6 )
656 {
657 memset( buf, '\xAA', buflen = 131 );
658 sha2_hmac_starts( &ctx, buf, buflen, k );
659 }
660 else
661 sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
662 sha2_hmac_test_keylen[j], k );
663
664 sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
665 sha2_hmac_test_buflen[j] );
666
667 sha2_hmac_finish( &ctx, sha2sum );
668
669 buflen = ( j == 4 ) ? 16 : 32 - k * 4;
670
671 if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
672 {
673 if( verbose != 0 )
674 printf( "failed\n" );
675
676 return( 1 );
677 }
678
679 if( verbose != 0 )
680 printf( "passed\n" );
681 }
682
683 if( verbose != 0 )
684 printf( "\n" );
685
686 return( 0 );
687}
688
689#endif
690
691#endif