2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA256_C)
35 #include "mbedtls/sha256.h"
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_PLATFORM_C */
46 #endif /* MBEDTLS_SELF_TEST */
48 #if !defined(MBEDTLS_SHA256_ALT)
50 /* Implementation that should never be optimized out by the compiler */
51 static void mbedtls_zeroize( void *v, size_t n ) {
52 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
56 * 32-bit integer manipulation macros (big endian)
59 #define GET_UINT32_BE(n,b,i) \
61 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
62 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
63 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 3] ); \
69 #define PUT_UINT32_BE(n,b,i) \
71 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
72 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
73 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 3] = (unsigned char) ( (n) ); \
78 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
80 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
83 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
88 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
91 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
92 const mbedtls_sha256_context *src )
98 * SHA-256 context setup
100 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
108 ctx->state[0] = 0x6A09E667;
109 ctx->state[1] = 0xBB67AE85;
110 ctx->state[2] = 0x3C6EF372;
111 ctx->state[3] = 0xA54FF53A;
112 ctx->state[4] = 0x510E527F;
113 ctx->state[5] = 0x9B05688C;
114 ctx->state[6] = 0x1F83D9AB;
115 ctx->state[7] = 0x5BE0CD19;
120 ctx->state[0] = 0xC1059ED8;
121 ctx->state[1] = 0x367CD507;
122 ctx->state[2] = 0x3070DD17;
123 ctx->state[3] = 0xF70E5939;
124 ctx->state[4] = 0xFFC00B31;
125 ctx->state[5] = 0x68581511;
126 ctx->state[6] = 0x64F98FA7;
127 ctx->state[7] = 0xBEFA4FA4;
133 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
134 static const uint32_t K[] =
136 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
137 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
138 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
139 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
140 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
141 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
142 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
143 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
144 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
145 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
146 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
147 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
148 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
149 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
150 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
151 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
154 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
155 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
157 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
158 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
160 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
161 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
163 #define F0(x,y,z) ((x & y) | (z & (x | y)))
164 #define F1(x,y,z) (z ^ (x & (y ^ z)))
168 W[t] = S1(W[t - 2]) + W[t - 7] + \
169 S0(W[t - 15]) + W[t - 16] \
172 #define P(a,b,c,d,e,f,g,h,x,K) \
174 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
175 temp2 = S2(a) + F0(a,b,c); \
176 d += temp1; h = temp1 + temp2; \
179 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
181 uint32_t temp1, temp2, W[64];
185 for( i = 0; i < 8; i++ )
186 A[i] = ctx->state[i];
188 #if defined(MBEDTLS_SHA256_SMALLER)
189 for( i = 0; i < 64; i++ )
192 GET_UINT32_BE( W[i], data, 4 * i );
196 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
198 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
199 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
201 #else /* MBEDTLS_SHA256_SMALLER */
202 for( i = 0; i < 16; i++ )
203 GET_UINT32_BE( W[i], data, 4 * i );
205 for( i = 0; i < 16; i += 8 )
207 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
208 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
209 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
210 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
211 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
212 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
213 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
214 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
217 for( i = 16; i < 64; i += 8 )
219 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
220 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
221 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
222 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
223 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
224 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
225 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
226 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
228 #endif /* MBEDTLS_SHA256_SMALLER */
230 for( i = 0; i < 8; i++ )
231 ctx->state[i] += A[i];
233 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
236 * SHA-256 process buffer
238 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
247 left = ctx->total[0] & 0x3F;
250 ctx->total[0] += (uint32_t) ilen;
251 ctx->total[0] &= 0xFFFFFFFF;
253 if( ctx->total[0] < (uint32_t) ilen )
256 if( left && ilen >= fill )
258 memcpy( (void *) (ctx->buffer + left), input, fill );
259 mbedtls_sha256_process( ctx, ctx->buffer );
267 mbedtls_sha256_process( ctx, input );
273 memcpy( (void *) (ctx->buffer + left), input, ilen );
276 static const unsigned char sha256_padding[64] =
278 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
285 * SHA-256 final digest
287 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] )
291 unsigned char msglen[8];
293 high = ( ctx->total[0] >> 29 )
294 | ( ctx->total[1] << 3 );
295 low = ( ctx->total[0] << 3 );
297 PUT_UINT32_BE( high, msglen, 0 );
298 PUT_UINT32_BE( low, msglen, 4 );
300 last = ctx->total[0] & 0x3F;
301 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
303 mbedtls_sha256_update( ctx, sha256_padding, padn );
304 mbedtls_sha256_update( ctx, msglen, 8 );
306 PUT_UINT32_BE( ctx->state[0], output, 0 );
307 PUT_UINT32_BE( ctx->state[1], output, 4 );
308 PUT_UINT32_BE( ctx->state[2], output, 8 );
309 PUT_UINT32_BE( ctx->state[3], output, 12 );
310 PUT_UINT32_BE( ctx->state[4], output, 16 );
311 PUT_UINT32_BE( ctx->state[5], output, 20 );
312 PUT_UINT32_BE( ctx->state[6], output, 24 );
314 if( ctx->is224 == 0 )
315 PUT_UINT32_BE( ctx->state[7], output, 28 );
318 #endif /* !MBEDTLS_SHA256_ALT */
321 * output = SHA-256( input buffer )
323 void mbedtls_sha256( const unsigned char *input, size_t ilen,
324 unsigned char output[32], int is224 )
326 mbedtls_sha256_context ctx;
328 mbedtls_sha256_init( &ctx );
329 mbedtls_sha256_starts( &ctx, is224 );
330 mbedtls_sha256_update( &ctx, input, ilen );
331 mbedtls_sha256_finish( &ctx, output );
332 mbedtls_sha256_free( &ctx );
335 #if defined(MBEDTLS_SELF_TEST)
337 * FIPS-180-2 test vectors
339 static const unsigned char sha256_test_buf[3][57] =
342 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
346 static const int sha256_test_buflen[3] =
351 static const unsigned char sha256_test_sum[6][32] =
354 * SHA-224 test vectors
356 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
357 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
358 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
359 0xE3, 0x6C, 0x9D, 0xA7 },
360 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
361 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
362 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
363 0x52, 0x52, 0x25, 0x25 },
364 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
365 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
366 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
367 0x4E, 0xE7, 0xAD, 0x67 },
370 * SHA-256 test vectors
372 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
373 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
374 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
375 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
376 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
377 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
378 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
379 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
380 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
381 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
382 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
383 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
389 int mbedtls_sha256_self_test( int verbose )
391 int i, j, k, buflen, ret = 0;
392 unsigned char buf[1024];
393 unsigned char sha256sum[32];
394 mbedtls_sha256_context ctx;
396 mbedtls_sha256_init( &ctx );
398 for( i = 0; i < 6; i++ )
404 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
406 mbedtls_sha256_starts( &ctx, k );
410 memset( buf, 'a', buflen = 1000 );
412 for( j = 0; j < 1000; j++ )
413 mbedtls_sha256_update( &ctx, buf, buflen );
416 mbedtls_sha256_update( &ctx, sha256_test_buf[j],
417 sha256_test_buflen[j] );
419 mbedtls_sha256_finish( &ctx, sha256sum );
421 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
424 mbedtls_printf( "failed\n" );
431 mbedtls_printf( "passed\n" );
435 mbedtls_printf( "\n" );
438 mbedtls_sha256_free( &ctx );
443 #endif /* MBEDTLS_SELF_TEST */
445 #endif /* MBEDTLS_SHA256_C */