1 /* 2 * FIPS-180-2 compliant SHA-256 implementation 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 * 46 * This file is part of mbed TLS (https://tls.mbed.org) 47 */ 48 /* 49 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 50 * 51 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 52 */ 53 54 #if !defined(MBEDTLS_CONFIG_FILE) 55 #include "mbedtls/config.h" 56 #else 57 #include MBEDTLS_CONFIG_FILE 58 #endif 59 60 #if defined(MBEDTLS_SHA256_C) 61 62 #include "mbedtls/sha256.h" 63 64 #include <string.h> 65 66 #if defined(MBEDTLS_SELF_TEST) 67 #if defined(MBEDTLS_PLATFORM_C) 68 #include "mbedtls/platform.h" 69 #else 70 #include <stdio.h> 71 #include <stdlib.h> 72 #define mbedtls_printf printf 73 #define mbedtls_calloc calloc 74 #define mbedtls_free free 75 #endif /* MBEDTLS_PLATFORM_C */ 76 #endif /* MBEDTLS_SELF_TEST */ 77 78 #if !defined(MBEDTLS_SHA256_ALT) 79 80 /* Implementation that should never be optimized out by the compiler */ 81 static void mbedtls_zeroize( void *v, size_t n ) { 82 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 83 } 84 85 /* 86 * 32-bit integer manipulation macros (big endian) 87 */ 88 #ifndef GET_UINT32_BE 89 #define GET_UINT32_BE(n,b,i) \ 90 do { \ 91 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 92 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 93 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 94 | ( (uint32_t) (b)[(i) + 3] ); \ 95 } while( 0 ) 96 #endif 97 98 #ifndef PUT_UINT32_BE 99 #define PUT_UINT32_BE(n,b,i) \ 100 do { \ 101 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 102 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 103 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 104 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 105 } while( 0 ) 106 #endif 107 108 void mbedtls_sha256_init( mbedtls_sha256_context *ctx ) 109 { 110 memset( ctx, 0, sizeof( mbedtls_sha256_context ) ); 111 } 112 113 void mbedtls_sha256_free( mbedtls_sha256_context *ctx ) 114 { 115 if( ctx == NULL ) 116 return; 117 118 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) ); 119 } 120 121 void mbedtls_sha256_clone( mbedtls_sha256_context *dst, 122 const mbedtls_sha256_context *src ) 123 { 124 *dst = *src; 125 } 126 127 /* 128 * SHA-256 context setup 129 */ 130 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ) 131 { 132 ctx->total[0] = 0; 133 ctx->total[1] = 0; 134 135 if( is224 == 0 ) 136 { 137 /* SHA-256 */ 138 ctx->state[0] = 0x6A09E667; 139 ctx->state[1] = 0xBB67AE85; 140 ctx->state[2] = 0x3C6EF372; 141 ctx->state[3] = 0xA54FF53A; 142 ctx->state[4] = 0x510E527F; 143 ctx->state[5] = 0x9B05688C; 144 ctx->state[6] = 0x1F83D9AB; 145 ctx->state[7] = 0x5BE0CD19; 146 } 147 else 148 { 149 /* SHA-224 */ 150 ctx->state[0] = 0xC1059ED8; 151 ctx->state[1] = 0x367CD507; 152 ctx->state[2] = 0x3070DD17; 153 ctx->state[3] = 0xF70E5939; 154 ctx->state[4] = 0xFFC00B31; 155 ctx->state[5] = 0x68581511; 156 ctx->state[6] = 0x64F98FA7; 157 ctx->state[7] = 0xBEFA4FA4; 158 } 159 160 ctx->is224 = is224; 161 162 return( 0 ); 163 } 164 165 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 166 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, 167 int is224 ) 168 { 169 mbedtls_sha256_starts_ret( ctx, is224 ); 170 } 171 #endif 172 173 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 174 static const uint32_t K[] = 175 { 176 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 177 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 178 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 179 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 180 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 181 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 182 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 183 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 184 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 185 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 186 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 187 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 188 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 189 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 190 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 191 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 192 }; 193 194 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n) 195 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n))) 196 197 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3)) 198 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10)) 199 200 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22)) 201 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25)) 202 203 #define F0(x,y,z) ((x & y) | (z & (x | y))) 204 #define F1(x,y,z) (z ^ (x & (y ^ z))) 205 206 #define R(t) \ 207 ( \ 208 W[t] = S1(W[t - 2]) + W[t - 7] + \ 209 S0(W[t - 15]) + W[t - 16] \ 210 ) 211 212 #define P(a,b,c,d,e,f,g,h,x,K) \ 213 { \ 214 temp1 = h + S3(e) + F1(e,f,g) + K + x; \ 215 temp2 = S2(a) + F0(a,b,c); \ 216 d += temp1; h = temp1 + temp2; \ 217 } 218 219 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, 220 const unsigned char data[64] ) 221 { 222 uint32_t temp1, temp2, W[64]; 223 uint32_t A[8]; 224 unsigned int i; 225 226 for( i = 0; i < 8; i++ ) 227 A[i] = ctx->state[i]; 228 229 #if defined(MBEDTLS_SHA256_SMALLER) 230 for( i = 0; i < 64; i++ ) 231 { 232 if( i < 16 ) 233 GET_UINT32_BE( W[i], data, 4 * i ); 234 else 235 R( i ); 236 237 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); 238 239 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; 240 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; 241 } 242 #else /* MBEDTLS_SHA256_SMALLER */ 243 for( i = 0; i < 16; i++ ) 244 GET_UINT32_BE( W[i], data, 4 * i ); 245 246 for( i = 0; i < 16; i += 8 ) 247 { 248 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); 249 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); 250 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); 251 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); 252 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); 253 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); 254 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); 255 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); 256 } 257 258 for( i = 16; i < 64; i += 8 ) 259 { 260 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); 261 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); 262 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); 263 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); 264 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); 265 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); 266 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); 267 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); 268 } 269 #endif /* MBEDTLS_SHA256_SMALLER */ 270 271 for( i = 0; i < 8; i++ ) 272 ctx->state[i] += A[i]; 273 274 return( 0 ); 275 } 276 277 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 278 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, 279 const unsigned char data[64] ) 280 { 281 mbedtls_internal_sha256_process( ctx, data ); 282 } 283 #endif 284 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */ 285 286 /* 287 * SHA-256 process buffer 288 */ 289 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, 290 const unsigned char *input, 291 size_t ilen ) 292 { 293 int ret; 294 size_t fill; 295 uint32_t left; 296 297 if( ilen == 0 ) 298 return( 0 ); 299 300 left = ctx->total[0] & 0x3F; 301 fill = 64 - left; 302 303 ctx->total[0] += (uint32_t) ilen; 304 ctx->total[0] &= 0xFFFFFFFF; 305 306 if( ctx->total[0] < (uint32_t) ilen ) 307 ctx->total[1]++; 308 309 if( left && ilen >= fill ) 310 { 311 memcpy( (void *) (ctx->buffer + left), input, fill ); 312 313 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 314 return( ret ); 315 316 input += fill; 317 ilen -= fill; 318 left = 0; 319 } 320 321 while( ilen >= 64 ) 322 { 323 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 ) 324 return( ret ); 325 326 input += 64; 327 ilen -= 64; 328 } 329 330 if( ilen > 0 ) 331 memcpy( (void *) (ctx->buffer + left), input, ilen ); 332 333 return( 0 ); 334 } 335 336 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 337 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, 338 const unsigned char *input, 339 size_t ilen ) 340 { 341 mbedtls_sha256_update_ret( ctx, input, ilen ); 342 } 343 #endif 344 345 /* 346 * SHA-256 final digest 347 */ 348 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, 349 unsigned char output[32] ) 350 { 351 int ret; 352 uint32_t used; 353 uint32_t high, low; 354 355 /* 356 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 357 */ 358 used = ctx->total[0] & 0x3F; 359 360 ctx->buffer[used++] = 0x80; 361 362 if( used <= 56 ) 363 { 364 /* Enough room for padding + length in current block */ 365 memset( ctx->buffer + used, 0, 56 - used ); 366 } 367 else 368 { 369 /* We'll need an extra block */ 370 memset( ctx->buffer + used, 0, 64 - used ); 371 372 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 373 return( ret ); 374 375 memset( ctx->buffer, 0, 56 ); 376 } 377 378 /* 379 * Add message length 380 */ 381 high = ( ctx->total[0] >> 29 ) 382 | ( ctx->total[1] << 3 ); 383 low = ( ctx->total[0] << 3 ); 384 385 PUT_UINT32_BE( high, ctx->buffer, 56 ); 386 PUT_UINT32_BE( low, ctx->buffer, 60 ); 387 388 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 389 return( ret ); 390 391 /* 392 * Output final state 393 */ 394 PUT_UINT32_BE( ctx->state[0], output, 0 ); 395 PUT_UINT32_BE( ctx->state[1], output, 4 ); 396 PUT_UINT32_BE( ctx->state[2], output, 8 ); 397 PUT_UINT32_BE( ctx->state[3], output, 12 ); 398 PUT_UINT32_BE( ctx->state[4], output, 16 ); 399 PUT_UINT32_BE( ctx->state[5], output, 20 ); 400 PUT_UINT32_BE( ctx->state[6], output, 24 ); 401 402 if( ctx->is224 == 0 ) 403 PUT_UINT32_BE( ctx->state[7], output, 28 ); 404 405 return( 0 ); 406 } 407 408 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 409 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, 410 unsigned char output[32] ) 411 { 412 mbedtls_sha256_finish_ret( ctx, output ); 413 } 414 #endif 415 416 #endif /* !MBEDTLS_SHA256_ALT */ 417 418 /* 419 * output = SHA-256( input buffer ) 420 */ 421 int mbedtls_sha256_ret( const unsigned char *input, 422 size_t ilen, 423 unsigned char output[32], 424 int is224 ) 425 { 426 int ret; 427 mbedtls_sha256_context ctx; 428 429 mbedtls_sha256_init( &ctx ); 430 431 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 ) 432 goto exit; 433 434 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 ) 435 goto exit; 436 437 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 ) 438 goto exit; 439 440 exit: 441 mbedtls_sha256_free( &ctx ); 442 443 return( ret ); 444 } 445 446 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 447 void mbedtls_sha256( const unsigned char *input, 448 size_t ilen, 449 unsigned char output[32], 450 int is224 ) 451 { 452 mbedtls_sha256_ret( input, ilen, output, is224 ); 453 } 454 #endif 455 456 #if defined(MBEDTLS_SELF_TEST) 457 /* 458 * FIPS-180-2 test vectors 459 */ 460 static const unsigned char sha256_test_buf[3][57] = 461 { 462 { "abc" }, 463 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 464 { "" } 465 }; 466 467 static const size_t sha256_test_buflen[3] = 468 { 469 3, 56, 1000 470 }; 471 472 static const unsigned char sha256_test_sum[6][32] = 473 { 474 /* 475 * SHA-224 test vectors 476 */ 477 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 478 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 479 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 480 0xE3, 0x6C, 0x9D, 0xA7 }, 481 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 482 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 483 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 484 0x52, 0x52, 0x25, 0x25 }, 485 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 486 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 487 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 488 0x4E, 0xE7, 0xAD, 0x67 }, 489 490 /* 491 * SHA-256 test vectors 492 */ 493 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 494 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 495 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 496 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 497 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 498 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 499 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 500 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 501 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 502 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 503 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 504 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 505 }; 506 507 /* 508 * Checkup routine 509 */ 510 int mbedtls_sha256_self_test( int verbose ) 511 { 512 int i, j, k, buflen, ret = 0; 513 unsigned char *buf; 514 unsigned char sha256sum[32]; 515 mbedtls_sha256_context ctx; 516 517 buf = mbedtls_calloc( 1024, sizeof(unsigned char) ); 518 if( NULL == buf ) 519 { 520 if( verbose != 0 ) 521 mbedtls_printf( "Buffer allocation failed\n" ); 522 523 return( 1 ); 524 } 525 526 mbedtls_sha256_init( &ctx ); 527 528 for( i = 0; i < 6; i++ ) 529 { 530 j = i % 3; 531 k = i < 3; 532 533 if( verbose != 0 ) 534 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); 535 536 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 ) 537 goto fail; 538 539 if( j == 2 ) 540 { 541 memset( buf, 'a', buflen = 1000 ); 542 543 for( j = 0; j < 1000; j++ ) 544 { 545 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen ); 546 if( ret != 0 ) 547 goto fail; 548 } 549 550 } 551 else 552 { 553 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j], 554 sha256_test_buflen[j] ); 555 if( ret != 0 ) 556 goto fail; 557 } 558 559 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 ) 560 goto fail; 561 562 563 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) 564 { 565 ret = 1; 566 goto fail; 567 } 568 569 if( verbose != 0 ) 570 mbedtls_printf( "passed\n" ); 571 } 572 573 if( verbose != 0 ) 574 mbedtls_printf( "\n" ); 575 576 goto exit; 577 578 fail: 579 if( verbose != 0 ) 580 mbedtls_printf( "failed\n" ); 581 582 exit: 583 mbedtls_sha256_free( &ctx ); 584 mbedtls_free( buf ); 585 586 return( ret ); 587 } 588 589 #endif /* MBEDTLS_SELF_TEST */ 590 591 #endif /* MBEDTLS_SHA256_C */ 592