2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA256_C)
35 #include "mbedtls/sha256.h"
36 #include "mbedtls/platform_util.h"
40 #if defined(MBEDTLS_SELF_TEST)
41 #if defined(MBEDTLS_PLATFORM_C)
42 #include "mbedtls/platform.h"
46 #define mbedtls_printf printf
47 #define mbedtls_calloc calloc
48 #define mbedtls_free free
49 #endif /* MBEDTLS_PLATFORM_C */
50 #endif /* MBEDTLS_SELF_TEST */
52 #define SHA256_VALIDATE_RET(cond) \
53 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
54 #define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
56 #if !defined(MBEDTLS_SHA256_ALT)
59 * 32-bit integer manipulation macros (big endian)
62 #define GET_UINT32_BE(n,b,i) \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
72 #define PUT_UINT32_BE(n,b,i) \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
83 SHA256_VALIDATE( ctx != NULL );
85 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
88 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
93 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
96 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
97 const mbedtls_sha256_context *src )
99 SHA256_VALIDATE( dst != NULL );
100 SHA256_VALIDATE( src != NULL );
106 * SHA-256 context setup
108 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
110 SHA256_VALIDATE_RET( ctx != NULL );
111 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
119 ctx->state[0] = 0x6A09E667;
120 ctx->state[1] = 0xBB67AE85;
121 ctx->state[2] = 0x3C6EF372;
122 ctx->state[3] = 0xA54FF53A;
123 ctx->state[4] = 0x510E527F;
124 ctx->state[5] = 0x9B05688C;
125 ctx->state[6] = 0x1F83D9AB;
126 ctx->state[7] = 0x5BE0CD19;
131 ctx->state[0] = 0xC1059ED8;
132 ctx->state[1] = 0x367CD507;
133 ctx->state[2] = 0x3070DD17;
134 ctx->state[3] = 0xF70E5939;
135 ctx->state[4] = 0xFFC00B31;
136 ctx->state[5] = 0x68581511;
137 ctx->state[6] = 0x64F98FA7;
138 ctx->state[7] = 0xBEFA4FA4;
146 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
147 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
150 mbedtls_sha256_starts_ret( ctx, is224 );
154 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
155 static const uint32_t K[] =
157 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
158 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
159 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
160 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
161 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
162 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
163 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
164 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
165 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
166 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
167 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
168 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
169 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
170 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
171 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
172 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
175 #define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
176 #define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
178 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
179 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
181 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
182 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
184 #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
185 #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
189 W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \
190 S0(W[(t) - 15]) + W[(t) - 16] \
193 #define P(a,b,c,d,e,f,g,h,x,K) \
196 temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
197 temp2 = S2(a) + F0((a),(b),(c)); \
198 (d) += temp1; (h) = temp1 + temp2; \
201 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
202 const unsigned char data[64] )
204 uint32_t temp1, temp2, W[64];
208 SHA256_VALIDATE_RET( ctx != NULL );
209 SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
211 for( i = 0; i < 8; i++ )
212 A[i] = ctx->state[i];
214 #if defined(MBEDTLS_SHA256_SMALLER)
215 for( i = 0; i < 64; i++ )
218 GET_UINT32_BE( W[i], data, 4 * i );
222 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
224 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
225 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
227 #else /* MBEDTLS_SHA256_SMALLER */
228 for( i = 0; i < 16; i++ )
229 GET_UINT32_BE( W[i], data, 4 * i );
231 for( i = 0; i < 16; i += 8 )
233 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
234 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
235 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
236 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
237 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
238 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
239 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
240 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
243 for( i = 16; i < 64; i += 8 )
245 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
246 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
247 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
248 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
249 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
250 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
251 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
252 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
254 #endif /* MBEDTLS_SHA256_SMALLER */
256 for( i = 0; i < 8; i++ )
257 ctx->state[i] += A[i];
262 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
263 void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
264 const unsigned char data[64] )
266 mbedtls_internal_sha256_process( ctx, data );
269 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
272 * SHA-256 process buffer
274 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
275 const unsigned char *input,
282 SHA256_VALIDATE_RET( ctx != NULL );
283 SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
288 left = ctx->total[0] & 0x3F;
291 ctx->total[0] += (uint32_t) ilen;
292 ctx->total[0] &= 0xFFFFFFFF;
294 if( ctx->total[0] < (uint32_t) ilen )
297 if( left && ilen >= fill )
299 memcpy( (void *) (ctx->buffer + left), input, fill );
301 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
311 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
319 memcpy( (void *) (ctx->buffer + left), input, ilen );
324 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
325 void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
326 const unsigned char *input,
329 mbedtls_sha256_update_ret( ctx, input, ilen );
334 * SHA-256 final digest
336 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
337 unsigned char output[32] )
343 SHA256_VALIDATE_RET( ctx != NULL );
344 SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
347 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
349 used = ctx->total[0] & 0x3F;
351 ctx->buffer[used++] = 0x80;
355 /* Enough room for padding + length in current block */
356 memset( ctx->buffer + used, 0, 56 - used );
360 /* We'll need an extra block */
361 memset( ctx->buffer + used, 0, 64 - used );
363 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
366 memset( ctx->buffer, 0, 56 );
372 high = ( ctx->total[0] >> 29 )
373 | ( ctx->total[1] << 3 );
374 low = ( ctx->total[0] << 3 );
376 PUT_UINT32_BE( high, ctx->buffer, 56 );
377 PUT_UINT32_BE( low, ctx->buffer, 60 );
379 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
385 PUT_UINT32_BE( ctx->state[0], output, 0 );
386 PUT_UINT32_BE( ctx->state[1], output, 4 );
387 PUT_UINT32_BE( ctx->state[2], output, 8 );
388 PUT_UINT32_BE( ctx->state[3], output, 12 );
389 PUT_UINT32_BE( ctx->state[4], output, 16 );
390 PUT_UINT32_BE( ctx->state[5], output, 20 );
391 PUT_UINT32_BE( ctx->state[6], output, 24 );
393 if( ctx->is224 == 0 )
394 PUT_UINT32_BE( ctx->state[7], output, 28 );
399 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
400 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
401 unsigned char output[32] )
403 mbedtls_sha256_finish_ret( ctx, output );
407 #endif /* !MBEDTLS_SHA256_ALT */
410 * output = SHA-256( input buffer )
412 int mbedtls_sha256_ret( const unsigned char *input,
414 unsigned char output[32],
418 mbedtls_sha256_context ctx;
420 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
421 SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
422 SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
424 mbedtls_sha256_init( &ctx );
426 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
429 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
432 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
436 mbedtls_sha256_free( &ctx );
441 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
442 void mbedtls_sha256( const unsigned char *input,
444 unsigned char output[32],
447 mbedtls_sha256_ret( input, ilen, output, is224 );
451 #if defined(MBEDTLS_SELF_TEST)
453 * FIPS-180-2 test vectors
455 static const unsigned char sha256_test_buf[3][57] =
458 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
462 static const size_t sha256_test_buflen[3] =
467 static const unsigned char sha256_test_sum[6][32] =
470 * SHA-224 test vectors
472 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
473 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
474 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
475 0xE3, 0x6C, 0x9D, 0xA7 },
476 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
477 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
478 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
479 0x52, 0x52, 0x25, 0x25 },
480 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
481 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
482 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
483 0x4E, 0xE7, 0xAD, 0x67 },
486 * SHA-256 test vectors
488 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
489 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
490 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
491 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
492 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
493 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
494 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
495 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
496 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
497 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
498 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
499 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
505 int mbedtls_sha256_self_test( int verbose )
507 int i, j, k, buflen, ret = 0;
509 unsigned char sha256sum[32];
510 mbedtls_sha256_context ctx;
512 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
516 mbedtls_printf( "Buffer allocation failed\n" );
521 mbedtls_sha256_init( &ctx );
523 for( i = 0; i < 6; i++ )
529 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
531 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
536 memset( buf, 'a', buflen = 1000 );
538 for( j = 0; j < 1000; j++ )
540 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
548 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
549 sha256_test_buflen[j] );
554 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
558 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
565 mbedtls_printf( "passed\n" );
569 mbedtls_printf( "\n" );
575 mbedtls_printf( "failed\n" );
578 mbedtls_sha256_free( &ctx );
584 #endif /* MBEDTLS_SELF_TEST */
586 #endif /* MBEDTLS_SHA256_C */