2 RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011
7 Copyright (c) 2011 IETF Trust and the persons identified as the
8 document authors. All rights reserved.
10 This document is subject to BCP 78 and the IETF Trust's Legal
11 Provisions Relating to IETF Documents
12 (http://trustee.ietf.org/license-info) in effect on the date of
13 publication of this document. Please review these documents
14 carefully, as they describe your rights and restrictions with respect
15 to this document. Code Components extracted from this document must
16 include Simplified BSD License text as described in Section 4.e of
17 the Trust Legal Provisions and are provided without warranty as
18 described in the Simplified BSD License.
21 /************************* sha224-256.c ************************/
22 /***************** See RFC 6234 for details. *******************/
23 /* Copyright (c) 2011 IETF Trust and the persons identified as */
24 /* authors of the code. All rights reserved. */
25 /* See sha.h for terms of use and redistribution. */
29 * This file implements the Secure Hash Algorithms SHA-224 and
30 * SHA-256 as defined in the U.S. National Institute of Standards
31 * and Technology Federal Information Processing Standards
32 * Publication (FIPS PUB) 180-3 published in October 2008
33 * and formerly defined in its predecessors, FIPS PUB 180-1
36 * A combined document showing all algorithms is available at
37 * http://csrc.nist.gov/publications/fips/
38 * fips180-3/fips180-3_final.pdf
40 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
41 * message digests for a given data stream. It should take about
42 * 2**n steps to find a message with the same digest as a given
43 * message and 2**(n/2) to find any two messages with the same
44 * digest, when n is the digest size in bits. Therefore, this
45 * algorithm can serve as a means of providing a
46 * "fingerprint" for a message.
49 * SHA-224 and SHA-256 are defined in terms of 32-bit "words".
50 * This code uses <stdint.h> (included via "sha.h") to define 32-
51 * and 8-bit unsigned integer types. If your C compiler does not
52 * support 32-bit unsigned integers, this code is not
56 * SHA-224 and SHA-256 are designed to work with messages less
57 * than 2^64 bits long. This implementation uses SHA224/256Input()
58 * to hash the bits that are a multiple of the size of an 8-bit
59 * octet, and then optionally uses SHA224/256FinalBits()
60 * to hash the final few bits of the input.
63 #include "tests/sha.h"
64 #include "tests/sha-private.h"
66 /* Define the SHA shift, rotate left, and rotate right macros */
67 #define SHA256_SHR(bits,word) ((word) >> (bits))
68 #define SHA256_ROTL(bits,word) \
69 (((word) << (bits)) | ((word) >> (32-(bits))))
70 #define SHA256_ROTR(bits,word) \
71 (((word) >> (bits)) | ((word) << (32-(bits))))
73 /* Define the SHA SIGMA and sigma macros */
74 #define SHA256_SIGMA0(word) \
75 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
76 #define SHA256_SIGMA1(word) \
77 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
78 #define SHA256_sigma0(word) \
79 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
80 #define SHA256_sigma1(word) \
81 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
84 * Add "length" to the length.
85 * Set Corrupted when overflow has occurred.
87 static uint32_t addTemp;
88 #define SHA224_256AddLength(context, length) \
89 (addTemp = (context)->Length_Low, (context)->Corrupted = \
90 (((context)->Length_Low += (length)) < addTemp) && \
91 (++(context)->Length_High == 0) ? shaInputTooLong : \
92 (context)->Corrupted )
94 /* Local Function Prototypes */
95 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
96 static void SHA224_256ProcessMessageBlock(SHA256Context *context);
97 static void SHA224_256Finalize(SHA256Context *context,
99 static void SHA224_256PadMessage(SHA256Context *context,
101 static int SHA224_256ResultN(SHA256Context *context,
102 uint8_t Message_Digest[ ], int HashSize);
104 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */
105 static uint32_t SHA224_H0[SHA256HashSize/4] = {
106 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
107 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
110 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */
111 static uint32_t SHA256_H0[SHA256HashSize/4] = {
112 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
113 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
120 * This function will initialize the SHA224Context in preparation
121 * for computing a new SHA224 message digest.
125 * The context to reset.
130 int SHA224Reset(SHA224Context *context)
132 return SHA224_256Reset(context, SHA224_H0);
139 * This function accepts an array of octets as the next portion
144 * The SHA context to update.
145 * message_array[ ]: [in]
146 * An array of octets representing the next portion of
149 * The length of the message in message_array.
155 int SHA224Input(SHA224Context *context, const uint8_t *message_array,
158 return SHA256Input(context, message_array, length);
165 * This function will add in any final bits of the message.
169 * The SHA context to update.
171 * The final bits of the message, in the upper portion of the
172 * byte. (Use 0b###00000 instead of 0b00000### to input the
175 * The number of bits in message_bits, between 1 and 7.
180 int SHA224FinalBits(SHA224Context *context,
181 uint8_t message_bits, unsigned int length)
183 return SHA256FinalBits(context, message_bits, length);
190 * This function will return the 224-bit message digest
191 * into the Message_Digest array provided by the caller.
193 * The first octet of hash is stored in the element with index 0,
194 * the last octet of hash in the element with index 27.
198 * The context to use to calculate the SHA hash.
199 * Message_Digest[ ]: [out]
200 * Where the digest is returned.
205 int SHA224Result(SHA224Context *context,
206 uint8_t Message_Digest[SHA224HashSize])
208 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
215 * This function will initialize the SHA256Context in preparation
216 * for computing a new SHA256 message digest.
220 * The context to reset.
225 int SHA256Reset(SHA256Context *context)
227 return SHA224_256Reset(context, SHA256_H0);
234 * This function accepts an array of octets as the next portion
239 * The SHA context to update.
240 * message_array[ ]: [in]
241 * An array of octets representing the next portion of
244 * The length of the message in message_array.
249 int SHA256Input(SHA256Context *context, const uint8_t *message_array,
252 if (!context) return shaNull;
253 if (!length) return shaSuccess;
254 if (!message_array) return shaNull;
255 if (context->Computed) return context->Corrupted = shaStateError;
256 if (context->Corrupted) return context->Corrupted;
259 context->Message_Block[context->Message_Block_Index++] =
262 if ((SHA224_256AddLength(context, 8) == shaSuccess) &&
263 (context->Message_Block_Index == SHA256_Message_Block_Size))
264 SHA224_256ProcessMessageBlock(context);
269 return context->Corrupted;
277 * This function will add in any final bits of the message.
281 * The SHA context to update.
283 * The final bits of the message, in the upper portion of the
284 * byte. (Use 0b###00000 instead of 0b00000### to input the
287 * The number of bits in message_bits, between 1 and 7.
292 int SHA256FinalBits(SHA256Context *context,
293 uint8_t message_bits, unsigned int length)
295 static uint8_t masks[8] = {
296 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
297 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
298 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
299 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
301 static uint8_t markbit[8] = {
302 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
303 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
304 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
305 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
308 if (!context) return shaNull;
309 if (!length) return shaSuccess;
310 if (context->Corrupted) return context->Corrupted;
311 if (context->Computed) return context->Corrupted = shaStateError;
312 if (length >= 8) return context->Corrupted = shaBadParam;
314 SHA224_256AddLength(context, length);
315 SHA224_256Finalize(context, (uint8_t)
316 ((message_bits & masks[length]) | markbit[length]));
318 return context->Corrupted;
325 * This function will return the 256-bit message digest
326 * into the Message_Digest array provided by the caller.
328 * The first octet of hash is stored in the element with index 0,
329 * the last octet of hash in the element with index 31.
333 * The context to use to calculate the SHA hash.
334 * Message_Digest[ ]: [out]
335 * Where the digest is returned.
340 int SHA256Result(SHA256Context *context,
341 uint8_t Message_Digest[SHA256HashSize])
343 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
350 * This helper function will initialize the SHA256Context in
351 * preparation for computing a new SHA-224 or SHA-256 message digest.
355 * The context to reset.
357 * The initial hash value array to use.
362 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
364 if (!context) return shaNull;
366 context->Length_High = context->Length_Low = 0;
367 context->Message_Block_Index = 0;
369 context->Intermediate_Hash[0] = H0[0];
370 context->Intermediate_Hash[1] = H0[1];
371 context->Intermediate_Hash[2] = H0[2];
372 context->Intermediate_Hash[3] = H0[3];
373 context->Intermediate_Hash[4] = H0[4];
374 context->Intermediate_Hash[5] = H0[5];
375 context->Intermediate_Hash[6] = H0[6];
376 context->Intermediate_Hash[7] = H0[7];
378 context->Computed = 0;
379 context->Corrupted = shaSuccess;
385 * SHA224_256ProcessMessageBlock
388 * This helper function will process the next 512 bits of the
389 * message stored in the Message_Block array.
393 * The SHA context to update.
399 * Many of the variable names in this code, especially the
400 * single character names, were used because those were the
401 * names used in the Secure Hash Standard.
403 static void SHA224_256ProcessMessageBlock(SHA256Context *context)
405 /* Constants defined in FIPS 180-3, section 4.2.2 */
406 static const uint32_t K[64] = {
407 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
408 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
409 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
410 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
411 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
412 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
413 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
414 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
415 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
416 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
417 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
418 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
419 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
421 int t, t4; /* Loop counter */
422 uint32_t temp1, temp2; /* Temporary word value */
423 uint32_t W[64]; /* Word sequence */
424 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
427 * Initialize the first 16 words in the array W
429 for (t = t4 = 0; t < 16; t++, t4 += 4)
430 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
431 (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
432 (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
433 (((uint32_t)context->Message_Block[t4 + 3]));
435 for (t = 16; t < 64; t++)
436 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
437 SHA256_sigma0(W[t-15]) + W[t-16];
439 A = context->Intermediate_Hash[0];
440 B = context->Intermediate_Hash[1];
441 C = context->Intermediate_Hash[2];
442 D = context->Intermediate_Hash[3];
443 E = context->Intermediate_Hash[4];
444 F = context->Intermediate_Hash[5];
445 G = context->Intermediate_Hash[6];
446 H = context->Intermediate_Hash[7];
448 for (t = 0; t < 64; t++) {
449 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
450 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
461 context->Intermediate_Hash[0] += A;
462 context->Intermediate_Hash[1] += B;
463 context->Intermediate_Hash[2] += C;
464 context->Intermediate_Hash[3] += D;
465 context->Intermediate_Hash[4] += E;
466 context->Intermediate_Hash[5] += F;
467 context->Intermediate_Hash[6] += G;
468 context->Intermediate_Hash[7] += H;
470 context->Message_Block_Index = 0;
477 * This helper function finishes off the digest calculations.
481 * The SHA context to update.
483 * The last byte to add to the message block before the 0-padding
484 * and length. This will contain the last bits of the message
485 * followed by another single bit. If the message was an
486 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
491 static void SHA224_256Finalize(SHA256Context *context,
495 SHA224_256PadMessage(context, Pad_Byte);
496 /* message may be sensitive, so clear it out */
497 for (i = 0; i < SHA256_Message_Block_Size; ++i)
498 context->Message_Block[i] = 0;
499 context->Length_High = 0; /* and clear length */
500 context->Length_Low = 0;
501 context->Computed = 1;
505 * SHA224_256PadMessage
508 * According to the standard, the message must be padded to the next
509 * even multiple of 512 bits. The first padding bit must be a '1'.
510 * The last 64 bits represent the length of the original message.
511 * All bits in between should be 0. This helper function will pad
512 * the message according to those rules by filling the
513 * Message_Block array accordingly. When it returns, it can be
514 * assumed that the message digest has been computed.
518 * The context to pad.
520 * The last byte to add to the message block before the 0-padding
521 * and length. This will contain the last bits of the message
522 * followed by another single bit. If the message was an
523 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
528 static void SHA224_256PadMessage(SHA256Context *context,
532 * Check to see if the current message block is too small to hold
533 * the initial padding bits and length. If so, we will pad the
534 * block, process it, and then continue padding into a second
537 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
538 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
539 while (context->Message_Block_Index < SHA256_Message_Block_Size)
540 context->Message_Block[context->Message_Block_Index++] = 0;
541 SHA224_256ProcessMessageBlock(context);
543 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
545 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
546 context->Message_Block[context->Message_Block_Index++] = 0;
549 * Store the message length as the last 8 octets
551 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
552 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
553 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
554 context->Message_Block[59] = (uint8_t)(context->Length_High);
555 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
556 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
557 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
558 context->Message_Block[63] = (uint8_t)(context->Length_Low);
560 SHA224_256ProcessMessageBlock(context);
567 * This helper function will return the 224-bit or 256-bit message
568 * digest into the Message_Digest array provided by the caller.
570 * The first octet of hash is stored in the element with index 0,
571 * the last octet of hash in the element with index 27/31.
575 * The context to use to calculate the SHA hash.
576 * Message_Digest[ ]: [out]
577 * Where the digest is returned.
579 * The size of the hash, either 28 or 32.
584 static int SHA224_256ResultN(SHA256Context *context,
585 uint8_t Message_Digest[ ], int HashSize)
589 if (!context) return shaNull;
590 if (!Message_Digest) return shaNull;
591 if (context->Corrupted) return context->Corrupted;
593 if (!context->Computed)
594 SHA224_256Finalize(context, 0x80);
596 for (i = 0; i < HashSize; ++i)
597 Message_Digest[i] = (uint8_t)
598 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));