1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23 /*
24 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
25 *
26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 */
28
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "mbedtls/config.h"
31 #else
32 #include MBEDTLS_CONFIG_FILE
33 #endif
34
35 #if defined(MBEDTLS_SHA256_C)
36
37 #include "mbedtls/sha256.h"
38 #include "mbedtls/platform_util.h"
39
40 #include <string.h>
41
42 #if defined(MBEDTLS_SELF_TEST)
43 #if defined(MBEDTLS_PLATFORM_C)
44 #include "mbedtls/platform.h"
45 #else
46 #include <stdio.h>
47 #include <stdlib.h>
48 #define mbedtls_printf printf
49 #define mbedtls_calloc calloc
50 #define mbedtls_free free
51 #endif /* MBEDTLS_PLATFORM_C */
52 #endif /* MBEDTLS_SELF_TEST */
53
54 #if !defined(MBEDTLS_SHA256_ALT)
55
56 /*
57 * 32-bit integer manipulation macros (big endian)
58 */
59 #ifndef GET_UINT32_BE
60 #define GET_UINT32_BE(n,b,i) \
61 do { \
62 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
63 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 3] ); \
66 } while( 0 )
67 #endif
68
69 #ifndef PUT_UINT32_BE
70 #define PUT_UINT32_BE(n,b,i) \
71 do { \
72 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) ); \
76 } while( 0 )
77 #endif
78
mbedtls_sha256_init(mbedtls_sha256_context * ctx)79 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
80 {
81 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
82 }
83
mbedtls_sha256_free(mbedtls_sha256_context * ctx)84 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
85 {
86 if( ctx == NULL )
87 return;
88
89 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
90 }
91
mbedtls_sha256_clone(mbedtls_sha256_context * dst,const mbedtls_sha256_context * src)92 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
93 const mbedtls_sha256_context *src )
94 {
95 *dst = *src;
96 }
97
98 /*
99 * SHA-256 context setup
100 */
mbedtls_sha256_starts_ret(mbedtls_sha256_context * ctx,int is224)101 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
102 {
103 ctx->total[0] = 0;
104 ctx->total[1] = 0;
105
106 if( is224 == 0 )
107 {
108 /* SHA-256 */
109 ctx->state[0] = 0x6A09E667;
110 ctx->state[1] = 0xBB67AE85;
111 ctx->state[2] = 0x3C6EF372;
112 ctx->state[3] = 0xA54FF53A;
113 ctx->state[4] = 0x510E527F;
114 ctx->state[5] = 0x9B05688C;
115 ctx->state[6] = 0x1F83D9AB;
116 ctx->state[7] = 0x5BE0CD19;
117 }
118 else
119 {
120 /* SHA-224 */
121 ctx->state[0] = 0xC1059ED8;
122 ctx->state[1] = 0x367CD507;
123 ctx->state[2] = 0x3070DD17;
124 ctx->state[3] = 0xF70E5939;
125 ctx->state[4] = 0xFFC00B31;
126 ctx->state[5] = 0x68581511;
127 ctx->state[6] = 0x64F98FA7;
128 ctx->state[7] = 0xBEFA4FA4;
129 }
130
131 ctx->is224 = is224;
132
133 return( 0 );
134 }
135
136 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_sha256_starts(mbedtls_sha256_context * ctx,int is224)137 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
138 int is224 )
139 {
140 mbedtls_sha256_starts_ret( ctx, is224 );
141 }
142 #endif
143
144 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
145 static const uint32_t K[] =
146 {
147 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
148 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
149 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
150 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
151 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
152 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
153 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
154 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
155 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
156 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
157 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
158 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
159 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
160 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
161 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
162 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
163 };
164
165 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
166 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
167
168 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
169 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
170
171 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
172 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
173
174 #define F0(x,y,z) ((x & y) | (z & (x | y)))
175 #define F1(x,y,z) (z ^ (x & (y ^ z)))
176
177 #define R(t) \
178 ( \
179 W[t] = S1(W[t - 2]) + W[t - 7] + \
180 S0(W[t - 15]) + W[t - 16] \
181 )
182
183 #define P(a,b,c,d,e,f,g,h,x,K) \
184 { \
185 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
186 temp2 = S2(a) + F0(a,b,c); \
187 d += temp1; h = temp1 + temp2; \
188 }
189
mbedtls_internal_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[64])190 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
191 const unsigned char data[64] )
192 {
193 uint32_t temp1, temp2, W[64];
194 uint32_t A[8];
195 unsigned int i;
196
197 for( i = 0; i < 8; i++ )
198 A[i] = ctx->state[i];
199
200 #if defined(MBEDTLS_SHA256_SMALLER)
201 for( i = 0; i < 64; i++ )
202 {
203 if( i < 16 )
204 GET_UINT32_BE( W[i], data, 4 * i );
205 else
206 R( i );
207
208 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
209
210 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
211 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
212 }
213 #else /* MBEDTLS_SHA256_SMALLER */
214 for( i = 0; i < 16; i++ )
215 GET_UINT32_BE( W[i], data, 4 * i );
216
217 for( i = 0; i < 16; i += 8 )
218 {
219 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
220 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
221 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
222 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
223 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
224 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
225 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
226 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
227 }
228
229 for( i = 16; i < 64; i += 8 )
230 {
231 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
232 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
233 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
234 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
235 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
236 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
237 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
238 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
239 }
240 #endif /* MBEDTLS_SHA256_SMALLER */
241
242 for( i = 0; i < 8; i++ )
243 ctx->state[i] += A[i];
244
245 return( 0 );
246 }
247
248 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_sha256_process(mbedtls_sha256_context * ctx,const unsigned char data[64])249 void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
250 const unsigned char data[64] )
251 {
252 mbedtls_internal_sha256_process( ctx, data );
253 }
254 #endif
255 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
256
257 /*
258 * SHA-256 process buffer
259 */
mbedtls_sha256_update_ret(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)260 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
261 const unsigned char *input,
262 size_t ilen )
263 {
264 int ret;
265 size_t fill;
266 uint32_t left;
267
268 if( ilen == 0 )
269 return( 0 );
270
271 left = ctx->total[0] & 0x3F;
272 fill = 64 - left;
273
274 ctx->total[0] += (uint32_t) ilen;
275 ctx->total[0] &= 0xFFFFFFFF;
276
277 if( ctx->total[0] < (uint32_t) ilen )
278 ctx->total[1]++;
279
280 if( left && ilen >= fill )
281 {
282 memcpy( (void *) (ctx->buffer + left), input, fill );
283
284 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
285 return( ret );
286
287 input += fill;
288 ilen -= fill;
289 left = 0;
290 }
291
292 while( ilen >= 64 )
293 {
294 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
295 return( ret );
296
297 input += 64;
298 ilen -= 64;
299 }
300
301 if( ilen > 0 )
302 memcpy( (void *) (ctx->buffer + left), input, ilen );
303
304 return( 0 );
305 }
306
307 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_sha256_update(mbedtls_sha256_context * ctx,const unsigned char * input,size_t ilen)308 void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
309 const unsigned char *input,
310 size_t ilen )
311 {
312 mbedtls_sha256_update_ret( ctx, input, ilen );
313 }
314 #endif
315
316 /*
317 * SHA-256 final digest
318 */
mbedtls_sha256_finish_ret(mbedtls_sha256_context * ctx,unsigned char output[32])319 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
320 unsigned char output[32] )
321 {
322 int ret;
323 uint32_t used;
324 uint32_t high, low;
325
326 /*
327 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
328 */
329 used = ctx->total[0] & 0x3F;
330
331 ctx->buffer[used++] = 0x80;
332
333 if( used <= 56 )
334 {
335 /* Enough room for padding + length in current block */
336 memset( ctx->buffer + used, 0, 56 - used );
337 }
338 else
339 {
340 /* We'll need an extra block */
341 memset( ctx->buffer + used, 0, 64 - used );
342
343 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
344 return( ret );
345
346 memset( ctx->buffer, 0, 56 );
347 }
348
349 /*
350 * Add message length
351 */
352 high = ( ctx->total[0] >> 29 )
353 | ( ctx->total[1] << 3 );
354 low = ( ctx->total[0] << 3 );
355
356 PUT_UINT32_BE( high, ctx->buffer, 56 );
357 PUT_UINT32_BE( low, ctx->buffer, 60 );
358
359 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
360 return( ret );
361
362 /*
363 * Output final state
364 */
365 PUT_UINT32_BE( ctx->state[0], output, 0 );
366 PUT_UINT32_BE( ctx->state[1], output, 4 );
367 PUT_UINT32_BE( ctx->state[2], output, 8 );
368 PUT_UINT32_BE( ctx->state[3], output, 12 );
369 PUT_UINT32_BE( ctx->state[4], output, 16 );
370 PUT_UINT32_BE( ctx->state[5], output, 20 );
371 PUT_UINT32_BE( ctx->state[6], output, 24 );
372
373 if( ctx->is224 == 0 )
374 PUT_UINT32_BE( ctx->state[7], output, 28 );
375
376 return( 0 );
377 }
378
379 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_sha256_finish(mbedtls_sha256_context * ctx,unsigned char output[32])380 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
381 unsigned char output[32] )
382 {
383 mbedtls_sha256_finish_ret( ctx, output );
384 }
385 #endif
386
387 #endif /* !MBEDTLS_SHA256_ALT */
388
389 /*
390 * output = SHA-256( input buffer )
391 */
mbedtls_sha256_ret(const unsigned char * input,size_t ilen,unsigned char output[32],int is224)392 int mbedtls_sha256_ret( const unsigned char *input,
393 size_t ilen,
394 unsigned char output[32],
395 int is224 )
396 {
397 int ret;
398 mbedtls_sha256_context ctx;
399
400 mbedtls_sha256_init( &ctx );
401
402 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
403 goto exit;
404
405 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
406 goto exit;
407
408 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
409 goto exit;
410
411 exit:
412 mbedtls_sha256_free( &ctx );
413
414 return( ret );
415 }
416
417 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_sha256(const unsigned char * input,size_t ilen,unsigned char output[32],int is224)418 void mbedtls_sha256( const unsigned char *input,
419 size_t ilen,
420 unsigned char output[32],
421 int is224 )
422 {
423 mbedtls_sha256_ret( input, ilen, output, is224 );
424 }
425 #endif
426
427 #if defined(MBEDTLS_SELF_TEST)
428 /*
429 * FIPS-180-2 test vectors
430 */
431 static const unsigned char sha256_test_buf[3][57] =
432 {
433 { "abc" },
434 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
435 { "" }
436 };
437
438 static const size_t sha256_test_buflen[3] =
439 {
440 3, 56, 1000
441 };
442
443 static const unsigned char sha256_test_sum[6][32] =
444 {
445 /*
446 * SHA-224 test vectors
447 */
448 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
449 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
450 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
451 0xE3, 0x6C, 0x9D, 0xA7 },
452 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
453 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
454 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
455 0x52, 0x52, 0x25, 0x25 },
456 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
457 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
458 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
459 0x4E, 0xE7, 0xAD, 0x67 },
460
461 /*
462 * SHA-256 test vectors
463 */
464 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
465 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
466 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
467 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
468 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
469 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
470 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
471 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
472 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
473 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
474 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
475 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
476 };
477
478 /*
479 * Checkup routine
480 */
mbedtls_sha256_self_test(int verbose)481 int mbedtls_sha256_self_test( int verbose )
482 {
483 int i, j, k, buflen, ret = 0;
484 unsigned char *buf;
485 unsigned char sha256sum[32];
486 mbedtls_sha256_context ctx;
487
488 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
489 if( NULL == buf )
490 {
491 if( verbose != 0 )
492 mbedtls_printf( "Buffer allocation failed\n" );
493
494 return( 1 );
495 }
496
497 mbedtls_sha256_init( &ctx );
498
499 for( i = 0; i < 6; i++ )
500 {
501 j = i % 3;
502 k = i < 3;
503
504 if( verbose != 0 )
505 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
506
507 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
508 goto fail;
509
510 if( j == 2 )
511 {
512 memset( buf, 'a', buflen = 1000 );
513
514 for( j = 0; j < 1000; j++ )
515 {
516 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
517 if( ret != 0 )
518 goto fail;
519 }
520
521 }
522 else
523 {
524 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
525 sha256_test_buflen[j] );
526 if( ret != 0 )
527 goto fail;
528 }
529
530 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
531 goto fail;
532
533
534 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
535 {
536 ret = 1;
537 goto fail;
538 }
539
540 if( verbose != 0 )
541 mbedtls_printf( "passed\n" );
542 }
543
544 if( verbose != 0 )
545 mbedtls_printf( "\n" );
546
547 goto exit;
548
549 fail:
550 if( verbose != 0 )
551 mbedtls_printf( "failed\n" );
552
553 exit:
554 mbedtls_sha256_free( &ctx );
555 mbedtls_free( buf );
556
557 return( ret );
558 }
559
560 #endif /* MBEDTLS_SELF_TEST */
561
562 #endif /* MBEDTLS_SHA256_C */
563