2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA256_C)
35 #include "mbedtls/sha256.h"
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
45 #define mbedtls_printf printf
46 #define mbedtls_calloc calloc
47 #define mbedtls_free free
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
51 #if !defined(MBEDTLS_SHA256_ALT)
53 /* Implementation that should never be optimized out by the compiler */
54 static void mbedtls_zeroize( void *v, size_t n ) {
55 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
59 * 32-bit integer manipulation macros (big endian)
62 #define GET_UINT32_BE(n,b,i) \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
72 #define PUT_UINT32_BE(n,b,i) \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
83 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
86 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
91 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
94 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
95 const mbedtls_sha256_context *src )
101 * SHA-256 context setup
103 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
111 ctx->state[0] = 0x6A09E667;
112 ctx->state[1] = 0xBB67AE85;
113 ctx->state[2] = 0x3C6EF372;
114 ctx->state[3] = 0xA54FF53A;
115 ctx->state[4] = 0x510E527F;
116 ctx->state[5] = 0x9B05688C;
117 ctx->state[6] = 0x1F83D9AB;
118 ctx->state[7] = 0x5BE0CD19;
123 ctx->state[0] = 0xC1059ED8;
124 ctx->state[1] = 0x367CD507;
125 ctx->state[2] = 0x3070DD17;
126 ctx->state[3] = 0xF70E5939;
127 ctx->state[4] = 0xFFC00B31;
128 ctx->state[5] = 0x68581511;
129 ctx->state[6] = 0x64F98FA7;
130 ctx->state[7] = 0xBEFA4FA4;
136 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
137 static const uint32_t K[] =
139 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
140 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
141 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
142 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
143 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
144 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
145 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
146 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
147 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
148 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
149 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
150 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
151 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
152 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
153 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
154 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
157 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
158 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
160 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
161 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
163 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
164 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
166 #define F0(x,y,z) ((x & y) | (z & (x | y)))
167 #define F1(x,y,z) (z ^ (x & (y ^ z)))
171 W[t] = S1(W[t - 2]) + W[t - 7] + \
172 S0(W[t - 15]) + W[t - 16] \
175 #define P(a,b,c,d,e,f,g,h,x,K) \
177 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
178 temp2 = S2(a) + F0(a,b,c); \
179 d += temp1; h = temp1 + temp2; \
182 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
184 uint32_t temp1, temp2, W[64];
188 for( i = 0; i < 8; i++ )
189 A[i] = ctx->state[i];
191 #if defined(MBEDTLS_SHA256_SMALLER)
192 for( i = 0; i < 64; i++ )
195 GET_UINT32_BE( W[i], data, 4 * i );
199 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
201 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
202 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
204 #else /* MBEDTLS_SHA256_SMALLER */
205 for( i = 0; i < 16; i++ )
206 GET_UINT32_BE( W[i], data, 4 * i );
208 for( i = 0; i < 16; i += 8 )
210 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
211 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
212 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
213 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
214 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
215 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
216 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
217 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
220 for( i = 16; i < 64; i += 8 )
222 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
223 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
224 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
225 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
226 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
227 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
228 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
229 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
231 #endif /* MBEDTLS_SHA256_SMALLER */
233 for( i = 0; i < 8; i++ )
234 ctx->state[i] += A[i];
236 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
239 * SHA-256 process buffer
241 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
250 left = ctx->total[0] & 0x3F;
253 ctx->total[0] += (uint32_t) ilen;
254 ctx->total[0] &= 0xFFFFFFFF;
256 if( ctx->total[0] < (uint32_t) ilen )
259 if( left && ilen >= fill )
261 memcpy( (void *) (ctx->buffer + left), input, fill );
262 mbedtls_sha256_process( ctx, ctx->buffer );
270 mbedtls_sha256_process( ctx, input );
276 memcpy( (void *) (ctx->buffer + left), input, ilen );
279 static const unsigned char sha256_padding[64] =
281 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
288 * SHA-256 final digest
290 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] )
294 unsigned char msglen[8];
296 high = ( ctx->total[0] >> 29 )
297 | ( ctx->total[1] << 3 );
298 low = ( ctx->total[0] << 3 );
300 PUT_UINT32_BE( high, msglen, 0 );
301 PUT_UINT32_BE( low, msglen, 4 );
303 last = ctx->total[0] & 0x3F;
304 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
306 mbedtls_sha256_update( ctx, sha256_padding, padn );
307 mbedtls_sha256_update( ctx, msglen, 8 );
309 PUT_UINT32_BE( ctx->state[0], output, 0 );
310 PUT_UINT32_BE( ctx->state[1], output, 4 );
311 PUT_UINT32_BE( ctx->state[2], output, 8 );
312 PUT_UINT32_BE( ctx->state[3], output, 12 );
313 PUT_UINT32_BE( ctx->state[4], output, 16 );
314 PUT_UINT32_BE( ctx->state[5], output, 20 );
315 PUT_UINT32_BE( ctx->state[6], output, 24 );
317 if( ctx->is224 == 0 )
318 PUT_UINT32_BE( ctx->state[7], output, 28 );
321 #endif /* !MBEDTLS_SHA256_ALT */
324 * output = SHA-256( input buffer )
326 void mbedtls_sha256( const unsigned char *input, size_t ilen,
327 unsigned char output[32], int is224 )
329 mbedtls_sha256_context ctx;
331 mbedtls_sha256_init( &ctx );
332 mbedtls_sha256_starts( &ctx, is224 );
333 mbedtls_sha256_update( &ctx, input, ilen );
334 mbedtls_sha256_finish( &ctx, output );
335 mbedtls_sha256_free( &ctx );
338 #if defined(MBEDTLS_SELF_TEST)
340 * FIPS-180-2 test vectors
342 static const unsigned char sha256_test_buf[3][57] =
345 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
349 static const int sha256_test_buflen[3] =
354 static const unsigned char sha256_test_sum[6][32] =
357 * SHA-224 test vectors
359 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
360 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
361 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
362 0xE3, 0x6C, 0x9D, 0xA7 },
363 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
364 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
365 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
366 0x52, 0x52, 0x25, 0x25 },
367 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
368 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
369 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
370 0x4E, 0xE7, 0xAD, 0x67 },
373 * SHA-256 test vectors
375 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
376 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
377 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
378 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
379 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
380 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
381 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
382 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
383 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
384 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
385 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
386 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
392 int mbedtls_sha256_self_test( int verbose )
394 int i, j, k, buflen, ret = 0;
396 unsigned char sha256sum[32];
397 mbedtls_sha256_context ctx;
399 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
403 mbedtls_printf( "Buffer allocation failed\n" );
408 mbedtls_sha256_init( &ctx );
410 for( i = 0; i < 6; i++ )
416 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
418 mbedtls_sha256_starts( &ctx, k );
422 memset( buf, 'a', buflen = 1000 );
424 for( j = 0; j < 1000; j++ )
425 mbedtls_sha256_update( &ctx, buf, buflen );
428 mbedtls_sha256_update( &ctx, sha256_test_buf[j],
429 sha256_test_buflen[j] );
431 mbedtls_sha256_finish( &ctx, sha256sum );
433 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
436 mbedtls_printf( "failed\n" );
443 mbedtls_printf( "passed\n" );
447 mbedtls_printf( "\n" );
450 mbedtls_sha256_free( &ctx );
456 #endif /* MBEDTLS_SELF_TEST */
458 #endif /* MBEDTLS_SHA256_C */