1 /* 2 * FIPS-180-2 compliant SHA-256 implementation 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 /* 24 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 25 * 26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 27 */ 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "mbedtls/config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #if defined(MBEDTLS_SHA256_C) 36 37 #include "mbedtls/sha256.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_SELF_TEST) 42 #if defined(MBEDTLS_PLATFORM_C) 43 #include "mbedtls/platform.h" 44 #else 45 #include <stdio.h> 46 #include <stdlib.h> 47 #define mbedtls_printf printf 48 #define mbedtls_calloc calloc 49 #define mbedtls_free free 50 #endif /* MBEDTLS_PLATFORM_C */ 51 #endif /* MBEDTLS_SELF_TEST */ 52 53 #if !defined(MBEDTLS_SHA256_ALT) 54 55 /* Implementation that should never be optimized out by the compiler */ 56 static void mbedtls_zeroize( void *v, size_t n ) { 57 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 58 } 59 60 /* 61 * 32-bit integer manipulation macros (big endian) 62 */ 63 #ifndef GET_UINT32_BE 64 #define GET_UINT32_BE(n,b,i) \ 65 do { \ 66 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 67 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 68 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 69 | ( (uint32_t) (b)[(i) + 3] ); \ 70 } while( 0 ) 71 #endif 72 73 #ifndef PUT_UINT32_BE 74 #define PUT_UINT32_BE(n,b,i) \ 75 do { \ 76 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 77 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 78 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 79 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 80 } while( 0 ) 81 #endif 82 83 void mbedtls_sha256_init( mbedtls_sha256_context *ctx ) 84 { 85 memset( ctx, 0, sizeof( mbedtls_sha256_context ) ); 86 } 87 88 void mbedtls_sha256_free( mbedtls_sha256_context *ctx ) 89 { 90 if( ctx == NULL ) 91 return; 92 93 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) ); 94 } 95 96 void mbedtls_sha256_clone( mbedtls_sha256_context *dst, 97 const mbedtls_sha256_context *src ) 98 { 99 *dst = *src; 100 } 101 102 /* 103 * SHA-256 context setup 104 */ 105 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ) 106 { 107 ctx->total[0] = 0; 108 ctx->total[1] = 0; 109 110 if( is224 == 0 ) 111 { 112 /* SHA-256 */ 113 ctx->state[0] = 0x6A09E667; 114 ctx->state[1] = 0xBB67AE85; 115 ctx->state[2] = 0x3C6EF372; 116 ctx->state[3] = 0xA54FF53A; 117 ctx->state[4] = 0x510E527F; 118 ctx->state[5] = 0x9B05688C; 119 ctx->state[6] = 0x1F83D9AB; 120 ctx->state[7] = 0x5BE0CD19; 121 } 122 else 123 { 124 /* SHA-224 */ 125 ctx->state[0] = 0xC1059ED8; 126 ctx->state[1] = 0x367CD507; 127 ctx->state[2] = 0x3070DD17; 128 ctx->state[3] = 0xF70E5939; 129 ctx->state[4] = 0xFFC00B31; 130 ctx->state[5] = 0x68581511; 131 ctx->state[6] = 0x64F98FA7; 132 ctx->state[7] = 0xBEFA4FA4; 133 } 134 135 ctx->is224 = is224; 136 137 return( 0 ); 138 } 139 140 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 141 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, 142 int is224 ) 143 { 144 mbedtls_sha256_starts_ret( ctx, is224 ); 145 } 146 #endif 147 148 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 149 static const uint32_t K[] = 150 { 151 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 152 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 153 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 154 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 155 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 156 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 157 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 158 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 159 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 160 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 161 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 162 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 163 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 164 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 165 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 166 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 167 }; 168 169 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n) 170 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n))) 171 172 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3)) 173 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10)) 174 175 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22)) 176 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25)) 177 178 #define F0(x,y,z) ((x & y) | (z & (x | y))) 179 #define F1(x,y,z) (z ^ (x & (y ^ z))) 180 181 #define R(t) \ 182 ( \ 183 W[t] = S1(W[t - 2]) + W[t - 7] + \ 184 S0(W[t - 15]) + W[t - 16] \ 185 ) 186 187 #define P(a,b,c,d,e,f,g,h,x,K) \ 188 { \ 189 temp1 = h + S3(e) + F1(e,f,g) + K + x; \ 190 temp2 = S2(a) + F0(a,b,c); \ 191 d += temp1; h = temp1 + temp2; \ 192 } 193 194 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, 195 const unsigned char data[64] ) 196 { 197 uint32_t temp1, temp2, W[64]; 198 uint32_t A[8]; 199 unsigned int i; 200 201 for( i = 0; i < 8; i++ ) 202 A[i] = ctx->state[i]; 203 204 #if defined(MBEDTLS_SHA256_SMALLER) 205 for( i = 0; i < 64; i++ ) 206 { 207 if( i < 16 ) 208 GET_UINT32_BE( W[i], data, 4 * i ); 209 else 210 R( i ); 211 212 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); 213 214 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; 215 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; 216 } 217 #else /* MBEDTLS_SHA256_SMALLER */ 218 for( i = 0; i < 16; i++ ) 219 GET_UINT32_BE( W[i], data, 4 * i ); 220 221 for( i = 0; i < 16; i += 8 ) 222 { 223 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); 224 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); 225 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); 226 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); 227 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); 228 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); 229 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); 230 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); 231 } 232 233 for( i = 16; i < 64; i += 8 ) 234 { 235 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); 236 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); 237 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); 238 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); 239 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); 240 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); 241 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); 242 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); 243 } 244 #endif /* MBEDTLS_SHA256_SMALLER */ 245 246 for( i = 0; i < 8; i++ ) 247 ctx->state[i] += A[i]; 248 249 return( 0 ); 250 } 251 252 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 253 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, 254 const unsigned char data[64] ) 255 { 256 mbedtls_internal_sha256_process( ctx, data ); 257 } 258 #endif 259 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */ 260 261 /* 262 * SHA-256 process buffer 263 */ 264 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, 265 const unsigned char *input, 266 size_t ilen ) 267 { 268 int ret; 269 size_t fill; 270 uint32_t left; 271 272 if( ilen == 0 ) 273 return( 0 ); 274 275 left = ctx->total[0] & 0x3F; 276 fill = 64 - left; 277 278 ctx->total[0] += (uint32_t) ilen; 279 ctx->total[0] &= 0xFFFFFFFF; 280 281 if( ctx->total[0] < (uint32_t) ilen ) 282 ctx->total[1]++; 283 284 if( left && ilen >= fill ) 285 { 286 memcpy( (void *) (ctx->buffer + left), input, fill ); 287 288 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 289 return( ret ); 290 291 input += fill; 292 ilen -= fill; 293 left = 0; 294 } 295 296 while( ilen >= 64 ) 297 { 298 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 ) 299 return( ret ); 300 301 input += 64; 302 ilen -= 64; 303 } 304 305 if( ilen > 0 ) 306 memcpy( (void *) (ctx->buffer + left), input, ilen ); 307 308 return( 0 ); 309 } 310 311 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 312 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, 313 const unsigned char *input, 314 size_t ilen ) 315 { 316 mbedtls_sha256_update_ret( ctx, input, ilen ); 317 } 318 #endif 319 320 /* 321 * SHA-256 final digest 322 */ 323 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, 324 unsigned char output[32] ) 325 { 326 int ret; 327 uint32_t used; 328 uint32_t high, low; 329 330 /* 331 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 332 */ 333 used = ctx->total[0] & 0x3F; 334 335 ctx->buffer[used++] = 0x80; 336 337 if( used <= 56 ) 338 { 339 /* Enough room for padding + length in current block */ 340 memset( ctx->buffer + used, 0, 56 - used ); 341 } 342 else 343 { 344 /* We'll need an extra block */ 345 memset( ctx->buffer + used, 0, 64 - used ); 346 347 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 348 return( ret ); 349 350 memset( ctx->buffer, 0, 56 ); 351 } 352 353 /* 354 * Add message length 355 */ 356 high = ( ctx->total[0] >> 29 ) 357 | ( ctx->total[1] << 3 ); 358 low = ( ctx->total[0] << 3 ); 359 360 PUT_UINT32_BE( high, ctx->buffer, 56 ); 361 PUT_UINT32_BE( low, ctx->buffer, 60 ); 362 363 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 364 return( ret ); 365 366 /* 367 * Output final state 368 */ 369 PUT_UINT32_BE( ctx->state[0], output, 0 ); 370 PUT_UINT32_BE( ctx->state[1], output, 4 ); 371 PUT_UINT32_BE( ctx->state[2], output, 8 ); 372 PUT_UINT32_BE( ctx->state[3], output, 12 ); 373 PUT_UINT32_BE( ctx->state[4], output, 16 ); 374 PUT_UINT32_BE( ctx->state[5], output, 20 ); 375 PUT_UINT32_BE( ctx->state[6], output, 24 ); 376 377 if( ctx->is224 == 0 ) 378 PUT_UINT32_BE( ctx->state[7], output, 28 ); 379 380 return( 0 ); 381 } 382 383 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 384 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, 385 unsigned char output[32] ) 386 { 387 mbedtls_sha256_finish_ret( ctx, output ); 388 } 389 #endif 390 391 #endif /* !MBEDTLS_SHA256_ALT */ 392 393 /* 394 * output = SHA-256( input buffer ) 395 */ 396 int mbedtls_sha256_ret( const unsigned char *input, 397 size_t ilen, 398 unsigned char output[32], 399 int is224 ) 400 { 401 int ret; 402 mbedtls_sha256_context ctx; 403 404 mbedtls_sha256_init( &ctx ); 405 406 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 ) 407 goto exit; 408 409 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 ) 410 goto exit; 411 412 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 ) 413 goto exit; 414 415 exit: 416 mbedtls_sha256_free( &ctx ); 417 418 return( ret ); 419 } 420 421 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 422 void mbedtls_sha256( const unsigned char *input, 423 size_t ilen, 424 unsigned char output[32], 425 int is224 ) 426 { 427 mbedtls_sha256_ret( input, ilen, output, is224 ); 428 } 429 #endif 430 431 #if defined(MBEDTLS_SELF_TEST) 432 /* 433 * FIPS-180-2 test vectors 434 */ 435 static const unsigned char sha256_test_buf[3][57] = 436 { 437 { "abc" }, 438 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 439 { "" } 440 }; 441 442 static const size_t sha256_test_buflen[3] = 443 { 444 3, 56, 1000 445 }; 446 447 static const unsigned char sha256_test_sum[6][32] = 448 { 449 /* 450 * SHA-224 test vectors 451 */ 452 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 453 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 454 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 455 0xE3, 0x6C, 0x9D, 0xA7 }, 456 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 457 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 458 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 459 0x52, 0x52, 0x25, 0x25 }, 460 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 461 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 462 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 463 0x4E, 0xE7, 0xAD, 0x67 }, 464 465 /* 466 * SHA-256 test vectors 467 */ 468 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 469 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 470 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 471 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 472 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 473 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 474 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 475 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 476 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 477 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 478 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 479 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 480 }; 481 482 /* 483 * Checkup routine 484 */ 485 int mbedtls_sha256_self_test( int verbose ) 486 { 487 int i, j, k, buflen, ret = 0; 488 unsigned char *buf; 489 unsigned char sha256sum[32]; 490 mbedtls_sha256_context ctx; 491 492 buf = mbedtls_calloc( 1024, sizeof(unsigned char) ); 493 if( NULL == buf ) 494 { 495 if( verbose != 0 ) 496 mbedtls_printf( "Buffer allocation failed\n" ); 497 498 return( 1 ); 499 } 500 501 mbedtls_sha256_init( &ctx ); 502 503 for( i = 0; i < 6; i++ ) 504 { 505 j = i % 3; 506 k = i < 3; 507 508 if( verbose != 0 ) 509 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); 510 511 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 ) 512 goto fail; 513 514 if( j == 2 ) 515 { 516 memset( buf, 'a', buflen = 1000 ); 517 518 for( j = 0; j < 1000; j++ ) 519 { 520 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen ); 521 if( ret != 0 ) 522 goto fail; 523 } 524 525 } 526 else 527 { 528 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j], 529 sha256_test_buflen[j] ); 530 if( ret != 0 ) 531 goto fail; 532 } 533 534 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 ) 535 goto fail; 536 537 538 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) 539 { 540 ret = 1; 541 goto fail; 542 } 543 544 if( verbose != 0 ) 545 mbedtls_printf( "passed\n" ); 546 } 547 548 if( verbose != 0 ) 549 mbedtls_printf( "\n" ); 550 551 goto exit; 552 553 fail: 554 if( verbose != 0 ) 555 mbedtls_printf( "failed\n" ); 556 557 exit: 558 mbedtls_sha256_free( &ctx ); 559 mbedtls_free( buf ); 560 561 return( ret ); 562 } 563 564 #endif /* MBEDTLS_SELF_TEST */ 565 566 #endif /* MBEDTLS_SHA256_C */ 567