2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
30 #include MBEDTLS_CONFIG_FILE
33 #if defined(MBEDTLS_SHA256_C)
35 #include "mbedtls/sha256.h"
39 #if defined(MBEDTLS_SELF_TEST)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
45 #define mbedtls_printf printf
46 #define mbedtls_calloc calloc
47 #define mbedtls_free free
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
51 #if !defined(MBEDTLS_SHA256_ALT)
53 /* Implementation that should never be optimized out by the compiler */
54 static void mbedtls_zeroize( void *v, size_t n ) {
55 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
59 * 32-bit integer manipulation macros (big endian)
62 #define GET_UINT32_BE(n,b,i) \
64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
67 | ( (uint32_t) (b)[(i) + 3] ); \
72 #define PUT_UINT32_BE(n,b,i) \
74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
77 (b)[(i) + 3] = (unsigned char) ( (n) ); \
81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
83 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
86 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
91 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
94 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
95 const mbedtls_sha256_context *src )
101 * SHA-256 context setup
103 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
111 ctx->state[0] = 0x6A09E667;
112 ctx->state[1] = 0xBB67AE85;
113 ctx->state[2] = 0x3C6EF372;
114 ctx->state[3] = 0xA54FF53A;
115 ctx->state[4] = 0x510E527F;
116 ctx->state[5] = 0x9B05688C;
117 ctx->state[6] = 0x1F83D9AB;
118 ctx->state[7] = 0x5BE0CD19;
123 ctx->state[0] = 0xC1059ED8;
124 ctx->state[1] = 0x367CD507;
125 ctx->state[2] = 0x3070DD17;
126 ctx->state[3] = 0xF70E5939;
127 ctx->state[4] = 0xFFC00B31;
128 ctx->state[5] = 0x68581511;
129 ctx->state[6] = 0x64F98FA7;
130 ctx->state[7] = 0xBEFA4FA4;
138 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
141 mbedtls_sha256_starts_ret( ctx, is224 );
144 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
145 static const uint32_t K[] =
147 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
148 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
149 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
150 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
151 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
152 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
153 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
154 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
155 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
156 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
157 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
158 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
159 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
160 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
161 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
162 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
165 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
166 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
168 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
169 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
171 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
172 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
174 #define F0(x,y,z) ((x & y) | (z & (x | y)))
175 #define F1(x,y,z) (z ^ (x & (y ^ z)))
179 W[t] = S1(W[t - 2]) + W[t - 7] + \
180 S0(W[t - 15]) + W[t - 16] \
183 #define P(a,b,c,d,e,f,g,h,x,K) \
185 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
186 temp2 = S2(a) + F0(a,b,c); \
187 d += temp1; h = temp1 + temp2; \
190 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
191 const unsigned char data[64] )
193 uint32_t temp1, temp2, W[64];
197 for( i = 0; i < 8; i++ )
198 A[i] = ctx->state[i];
200 #if defined(MBEDTLS_SHA256_SMALLER)
201 for( i = 0; i < 64; i++ )
204 GET_UINT32_BE( W[i], data, 4 * i );
208 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
210 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
211 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
213 #else /* MBEDTLS_SHA256_SMALLER */
214 for( i = 0; i < 16; i++ )
215 GET_UINT32_BE( W[i], data, 4 * i );
217 for( i = 0; i < 16; i += 8 )
219 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
220 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
221 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
222 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
223 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
224 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
225 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
226 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
229 for( i = 16; i < 64; i += 8 )
231 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
232 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
233 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
234 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
235 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
236 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
237 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
238 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
240 #endif /* MBEDTLS_SHA256_SMALLER */
242 for( i = 0; i < 8; i++ )
243 ctx->state[i] += A[i];
248 void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
249 const unsigned char data[64] )
251 mbedtls_internal_sha256_process( ctx, data );
253 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
256 * SHA-256 process buffer
258 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
259 const unsigned char *input,
269 left = ctx->total[0] & 0x3F;
272 ctx->total[0] += (uint32_t) ilen;
273 ctx->total[0] &= 0xFFFFFFFF;
275 if( ctx->total[0] < (uint32_t) ilen )
278 if( left && ilen >= fill )
280 memcpy( (void *) (ctx->buffer + left), input, fill );
282 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
292 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
300 memcpy( (void *) (ctx->buffer + left), input, ilen );
305 void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
306 const unsigned char *input,
309 mbedtls_sha256_update_ret( ctx, input, ilen );
313 * SHA-256 final digest
315 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
316 unsigned char output[32] )
323 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
325 used = ctx->total[0] & 0x3F;
327 ctx->buffer[used++] = 0x80;
331 /* Enough room for padding + length in current block */
332 memset( ctx->buffer + used, 0, 56 - used );
336 /* We'll need an extra block */
337 memset( ctx->buffer + used, 0, 64 - used );
339 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
342 memset( ctx->buffer, 0, 56 );
348 high = ( ctx->total[0] >> 29 )
349 | ( ctx->total[1] << 3 );
350 low = ( ctx->total[0] << 3 );
352 PUT_UINT32_BE( high, ctx->buffer, 56 );
353 PUT_UINT32_BE( low, ctx->buffer, 60 );
355 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
361 PUT_UINT32_BE( ctx->state[0], output, 0 );
362 PUT_UINT32_BE( ctx->state[1], output, 4 );
363 PUT_UINT32_BE( ctx->state[2], output, 8 );
364 PUT_UINT32_BE( ctx->state[3], output, 12 );
365 PUT_UINT32_BE( ctx->state[4], output, 16 );
366 PUT_UINT32_BE( ctx->state[5], output, 20 );
367 PUT_UINT32_BE( ctx->state[6], output, 24 );
369 if( ctx->is224 == 0 )
370 PUT_UINT32_BE( ctx->state[7], output, 28 );
375 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
376 unsigned char output[32] )
378 mbedtls_sha256_finish_ret( ctx, output );
381 #endif /* !MBEDTLS_SHA256_ALT */
384 * output = SHA-256( input buffer )
386 int mbedtls_sha256_ret( const unsigned char *input,
388 unsigned char output[32],
392 mbedtls_sha256_context ctx;
394 mbedtls_sha256_init( &ctx );
396 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
399 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
402 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
406 mbedtls_sha256_free( &ctx );
411 void mbedtls_sha256( const unsigned char *input,
413 unsigned char output[32],
416 mbedtls_sha256_ret( input, ilen, output, is224 );
419 #if defined(MBEDTLS_SELF_TEST)
421 * FIPS-180-2 test vectors
423 static const unsigned char sha256_test_buf[3][57] =
426 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
430 static const size_t sha256_test_buflen[3] =
435 static const unsigned char sha256_test_sum[6][32] =
438 * SHA-224 test vectors
440 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
441 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
442 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
443 0xE3, 0x6C, 0x9D, 0xA7 },
444 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
445 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
446 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
447 0x52, 0x52, 0x25, 0x25 },
448 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
449 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
450 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
451 0x4E, 0xE7, 0xAD, 0x67 },
454 * SHA-256 test vectors
456 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
457 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
458 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
459 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
460 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
461 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
462 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
463 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
464 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
465 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
466 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
467 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
473 int mbedtls_sha256_self_test( int verbose )
475 int i, j, k, buflen, ret = 0;
477 unsigned char sha256sum[32];
478 mbedtls_sha256_context ctx;
480 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
484 mbedtls_printf( "Buffer allocation failed\n" );
489 mbedtls_sha256_init( &ctx );
491 for( i = 0; i < 6; i++ )
497 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
499 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
504 memset( buf, 'a', buflen = 1000 );
506 for( j = 0; j < 1000; j++ )
508 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
516 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
517 sha256_test_buflen[j] );
522 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
526 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
533 mbedtls_printf( "passed\n" );
537 mbedtls_printf( "\n" );
543 mbedtls_printf( "failed\n" );
546 mbedtls_sha256_free( &ctx );
552 #endif /* MBEDTLS_SELF_TEST */
554 #endif /* MBEDTLS_SHA256_C */