2 * FIPS-180-2 compliant SHA-384/512 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-512 Secure Hash Standard was published by NIST in 2002.
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA512_C)
35 #include "mbedtls/sha512.h"
37 #if defined(_MSC_VER) || defined(__WATCOMC__)
38 #define UL64(x) x##ui64
40 #define UL64(x) x##ULL
45 #if defined(MBEDTLS_SELF_TEST)
46 #if defined(MBEDTLS_PLATFORM_C)
47 #include "mbedtls/platform.h"
51 #define mbedtls_printf printf
52 #define mbedtls_calloc calloc
53 #define mbedtls_free free
54 #endif /* MBEDTLS_PLATFORM_C */
55 #endif /* MBEDTLS_SELF_TEST */
57 #if !defined(MBEDTLS_SHA512_ALT)
59 /* Implementation that should never be optimized out by the compiler */
60 static void mbedtls_zeroize( void *v, size_t n ) {
61 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
65 * 64-bit integer manipulation macros (big endian)
68 #define GET_UINT64_BE(n,b,i) \
70 (n) = ( (uint64_t) (b)[(i) ] << 56 ) \
71 | ( (uint64_t) (b)[(i) + 1] << 48 ) \
72 | ( (uint64_t) (b)[(i) + 2] << 40 ) \
73 | ( (uint64_t) (b)[(i) + 3] << 32 ) \
74 | ( (uint64_t) (b)[(i) + 4] << 24 ) \
75 | ( (uint64_t) (b)[(i) + 5] << 16 ) \
76 | ( (uint64_t) (b)[(i) + 6] << 8 ) \
77 | ( (uint64_t) (b)[(i) + 7] ); \
79 #endif /* GET_UINT64_BE */
82 #define PUT_UINT64_BE(n,b,i) \
84 (b)[(i) ] = (unsigned char) ( (n) >> 56 ); \
85 (b)[(i) + 1] = (unsigned char) ( (n) >> 48 ); \
86 (b)[(i) + 2] = (unsigned char) ( (n) >> 40 ); \
87 (b)[(i) + 3] = (unsigned char) ( (n) >> 32 ); \
88 (b)[(i) + 4] = (unsigned char) ( (n) >> 24 ); \
89 (b)[(i) + 5] = (unsigned char) ( (n) >> 16 ); \
90 (b)[(i) + 6] = (unsigned char) ( (n) >> 8 ); \
91 (b)[(i) + 7] = (unsigned char) ( (n) ); \
93 #endif /* PUT_UINT64_BE */
95 void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
97 memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
100 void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
105 mbedtls_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
108 void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
109 const mbedtls_sha512_context *src )
115 * SHA-512 context setup
117 void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 )
125 ctx->state[0] = UL64(0x6A09E667F3BCC908);
126 ctx->state[1] = UL64(0xBB67AE8584CAA73B);
127 ctx->state[2] = UL64(0x3C6EF372FE94F82B);
128 ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
129 ctx->state[4] = UL64(0x510E527FADE682D1);
130 ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
131 ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
132 ctx->state[7] = UL64(0x5BE0CD19137E2179);
137 ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
138 ctx->state[1] = UL64(0x629A292A367CD507);
139 ctx->state[2] = UL64(0x9159015A3070DD17);
140 ctx->state[3] = UL64(0x152FECD8F70E5939);
141 ctx->state[4] = UL64(0x67332667FFC00B31);
142 ctx->state[5] = UL64(0x8EB44A8768581511);
143 ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
144 ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
150 #if !defined(MBEDTLS_SHA512_PROCESS_ALT)
155 static const uint64_t K[80] =
157 UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
158 UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
159 UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
160 UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
161 UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
162 UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
163 UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
164 UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
165 UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
166 UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
167 UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
168 UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
169 UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
170 UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
171 UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
172 UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
173 UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
174 UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
175 UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
176 UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
177 UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
178 UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
179 UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
180 UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
181 UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
182 UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
183 UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
184 UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
185 UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
186 UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
187 UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
188 UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
189 UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
190 UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
191 UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
192 UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
193 UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
194 UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
195 UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
196 UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
199 void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] )
202 uint64_t temp1, temp2, W[80];
203 uint64_t A, B, C, D, E, F, G, H;
205 #define SHR(x,n) (x >> n)
206 #define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
208 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
209 #define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
211 #define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
212 #define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
214 #define F0(x,y,z) ((x & y) | (z & (x | y)))
215 #define F1(x,y,z) (z ^ (x & (y ^ z)))
217 #define P(a,b,c,d,e,f,g,h,x,K) \
219 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
220 temp2 = S2(a) + F0(a,b,c); \
221 d += temp1; h = temp1 + temp2; \
224 for( i = 0; i < 16; i++ )
226 GET_UINT64_BE( W[i], data, i << 3 );
231 W[i] = S1(W[i - 2]) + W[i - 7] +
232 S0(W[i - 15]) + W[i - 16];
247 P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
248 P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
249 P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
250 P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
251 P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
252 P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
253 P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
254 P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
267 #endif /* !MBEDTLS_SHA512_PROCESS_ALT */
270 * SHA-512 process buffer
272 void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *input,
281 left = (unsigned int) (ctx->total[0] & 0x7F);
284 ctx->total[0] += (uint64_t) ilen;
286 if( ctx->total[0] < (uint64_t) ilen )
289 if( left && ilen >= fill )
291 memcpy( (void *) (ctx->buffer + left), input, fill );
292 mbedtls_sha512_process( ctx, ctx->buffer );
300 mbedtls_sha512_process( ctx, input );
306 memcpy( (void *) (ctx->buffer + left), input, ilen );
309 static const unsigned char sha512_padding[128] =
311 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
312 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
313 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
314 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
315 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
316 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
317 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
318 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
322 * SHA-512 final digest
324 void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64] )
328 unsigned char msglen[16];
330 high = ( ctx->total[0] >> 61 )
331 | ( ctx->total[1] << 3 );
332 low = ( ctx->total[0] << 3 );
334 PUT_UINT64_BE( high, msglen, 0 );
335 PUT_UINT64_BE( low, msglen, 8 );
337 last = (size_t)( ctx->total[0] & 0x7F );
338 padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
340 mbedtls_sha512_update( ctx, sha512_padding, padn );
341 mbedtls_sha512_update( ctx, msglen, 16 );
343 PUT_UINT64_BE( ctx->state[0], output, 0 );
344 PUT_UINT64_BE( ctx->state[1], output, 8 );
345 PUT_UINT64_BE( ctx->state[2], output, 16 );
346 PUT_UINT64_BE( ctx->state[3], output, 24 );
347 PUT_UINT64_BE( ctx->state[4], output, 32 );
348 PUT_UINT64_BE( ctx->state[5], output, 40 );
350 if( ctx->is384 == 0 )
352 PUT_UINT64_BE( ctx->state[6], output, 48 );
353 PUT_UINT64_BE( ctx->state[7], output, 56 );
357 #endif /* !MBEDTLS_SHA512_ALT */
360 * output = SHA-512( input buffer )
362 void mbedtls_sha512( const unsigned char *input, size_t ilen,
363 unsigned char output[64], int is384 )
365 mbedtls_sha512_context ctx;
367 mbedtls_sha512_init( &ctx );
368 mbedtls_sha512_starts( &ctx, is384 );
369 mbedtls_sha512_update( &ctx, input, ilen );
370 mbedtls_sha512_finish( &ctx, output );
371 mbedtls_sha512_free( &ctx );
374 #if defined(MBEDTLS_SELF_TEST)
377 * FIPS-180-2 test vectors
379 static const unsigned char sha512_test_buf[3][113] =
382 { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
383 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
387 static const int sha512_test_buflen[3] =
392 static const unsigned char sha512_test_sum[6][64] =
395 * SHA-384 test vectors
397 { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
398 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
399 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
400 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
401 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
402 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
403 { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
404 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
405 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
406 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
407 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
408 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
409 { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
410 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
411 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
412 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
413 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
414 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
417 * SHA-512 test vectors
419 { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
420 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
421 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
422 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
423 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
424 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
425 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
426 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
427 { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
428 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
429 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
430 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
431 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
432 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
433 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
434 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
435 { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
436 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
437 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
438 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
439 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
440 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
441 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
442 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
448 int mbedtls_sha512_self_test( int verbose )
450 int i, j, k, buflen, ret = 0;
452 unsigned char sha512sum[64];
453 mbedtls_sha512_context ctx;
455 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
459 mbedtls_printf( "Buffer allocation failed\n" );
464 mbedtls_sha512_init( &ctx );
466 for( i = 0; i < 6; i++ )
472 mbedtls_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 );
474 mbedtls_sha512_starts( &ctx, k );
478 memset( buf, 'a', buflen = 1000 );
480 for( j = 0; j < 1000; j++ )
481 mbedtls_sha512_update( &ctx, buf, buflen );
484 mbedtls_sha512_update( &ctx, sha512_test_buf[j],
485 sha512_test_buflen[j] );
487 mbedtls_sha512_finish( &ctx, sha512sum );
489 if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
492 mbedtls_printf( "failed\n" );
499 mbedtls_printf( "passed\n" );
503 mbedtls_printf( "\n" );
506 mbedtls_sha512_free( &ctx );
512 #endif /* MBEDTLS_SELF_TEST */
514 #endif /* MBEDTLS_SHA512_C */