2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "mbedtls/config.h"
32 #include MBEDTLS_CONFIG_FILE
35 #if defined(MBEDTLS_SHA256_C)
37 #include "mbedtls/sha256.h"
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
47 #define mbedtls_printf printf
48 #define mbedtls_calloc calloc
49 #define mbedtls_free free
50 #endif /* MBEDTLS_PLATFORM_C */
51 #endif /* MBEDTLS_SELF_TEST */
53 #if !defined(MBEDTLS_SHA256_ALT)
55 /* Implementation that should never be optimized out by the compiler */
56 static void mbedtls_zeroize( void *v
, size_t n
) {
57 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
61 * 32-bit integer manipulation macros (big endian)
64 #define GET_UINT32_BE(n,b,i) \
66 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
67 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
69 | ( (uint32_t) (b)[(i) + 3] ); \
74 #define PUT_UINT32_BE(n,b,i) \
76 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
77 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
78 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
79 (b)[(i) + 3] = (unsigned char) ( (n) ); \
83 void mbedtls_sha256_init( mbedtls_sha256_context
*ctx
)
85 memset( ctx
, 0, sizeof( mbedtls_sha256_context
) );
88 void mbedtls_sha256_free( mbedtls_sha256_context
*ctx
)
93 mbedtls_zeroize( ctx
, sizeof( mbedtls_sha256_context
) );
96 void mbedtls_sha256_clone( mbedtls_sha256_context
*dst
,
97 const mbedtls_sha256_context
*src
)
103 * SHA-256 context setup
105 int mbedtls_sha256_starts_ret( mbedtls_sha256_context
*ctx
, int is224
)
113 ctx
->state
[0] = 0x6A09E667;
114 ctx
->state
[1] = 0xBB67AE85;
115 ctx
->state
[2] = 0x3C6EF372;
116 ctx
->state
[3] = 0xA54FF53A;
117 ctx
->state
[4] = 0x510E527F;
118 ctx
->state
[5] = 0x9B05688C;
119 ctx
->state
[6] = 0x1F83D9AB;
120 ctx
->state
[7] = 0x5BE0CD19;
125 ctx
->state
[0] = 0xC1059ED8;
126 ctx
->state
[1] = 0x367CD507;
127 ctx
->state
[2] = 0x3070DD17;
128 ctx
->state
[3] = 0xF70E5939;
129 ctx
->state
[4] = 0xFFC00B31;
130 ctx
->state
[5] = 0x68581511;
131 ctx
->state
[6] = 0x64F98FA7;
132 ctx
->state
[7] = 0xBEFA4FA4;
140 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
141 void mbedtls_sha256_starts( mbedtls_sha256_context
*ctx
,
144 mbedtls_sha256_starts_ret( ctx
, is224
);
148 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
149 static const uint32_t K
[] =
151 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
152 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
153 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
154 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
155 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
156 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
157 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
158 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
159 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
160 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
161 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
162 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
163 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
164 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
165 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
166 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
169 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
170 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
172 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
173 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
175 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
176 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
178 #define F0(x,y,z) ((x & y) | (z & (x | y)))
179 #define F1(x,y,z) (z ^ (x & (y ^ z)))
183 W[t] = S1(W[t - 2]) + W[t - 7] + \
184 S0(W[t - 15]) + W[t - 16] \
187 #define P(a,b,c,d,e,f,g,h,x,K) \
189 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
190 temp2 = S2(a) + F0(a,b,c); \
191 d += temp1; h = temp1 + temp2; \
194 int mbedtls_internal_sha256_process( mbedtls_sha256_context
*ctx
,
195 const unsigned char data
[64] )
197 uint32_t temp1
, temp2
, W
[64];
201 for( i
= 0; i
< 8; i
++ )
202 A
[i
] = ctx
->state
[i
];
204 #if defined(MBEDTLS_SHA256_SMALLER)
205 for( i
= 0; i
< 64; i
++ )
208 GET_UINT32_BE( W
[i
], data
, 4 * i
);
212 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], W
[i
], K
[i
] );
214 temp1
= A
[7]; A
[7] = A
[6]; A
[6] = A
[5]; A
[5] = A
[4]; A
[4] = A
[3];
215 A
[3] = A
[2]; A
[2] = A
[1]; A
[1] = A
[0]; A
[0] = temp1
;
217 #else /* MBEDTLS_SHA256_SMALLER */
218 for( i
= 0; i
< 16; i
++ )
219 GET_UINT32_BE( W
[i
], data
, 4 * i
);
221 for( i
= 0; i
< 16; i
+= 8 )
223 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], W
[i
+0], K
[i
+0] );
224 P( A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], W
[i
+1], K
[i
+1] );
225 P( A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], W
[i
+2], K
[i
+2] );
226 P( A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], W
[i
+3], K
[i
+3] );
227 P( A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], W
[i
+4], K
[i
+4] );
228 P( A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], W
[i
+5], K
[i
+5] );
229 P( A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], W
[i
+6], K
[i
+6] );
230 P( A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], W
[i
+7], K
[i
+7] );
233 for( i
= 16; i
< 64; i
+= 8 )
235 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], R(i
+0), K
[i
+0] );
236 P( A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], R(i
+1), K
[i
+1] );
237 P( A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], R(i
+2), K
[i
+2] );
238 P( A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], R(i
+3), K
[i
+3] );
239 P( A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], R(i
+4), K
[i
+4] );
240 P( A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], R(i
+5), K
[i
+5] );
241 P( A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], R(i
+6), K
[i
+6] );
242 P( A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], R(i
+7), K
[i
+7] );
244 #endif /* MBEDTLS_SHA256_SMALLER */
246 for( i
= 0; i
< 8; i
++ )
247 ctx
->state
[i
] += A
[i
];
252 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
253 void mbedtls_sha256_process( mbedtls_sha256_context
*ctx
,
254 const unsigned char data
[64] )
256 mbedtls_internal_sha256_process( ctx
, data
);
259 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
262 * SHA-256 process buffer
264 int mbedtls_sha256_update_ret( mbedtls_sha256_context
*ctx
,
265 const unsigned char *input
,
275 left
= ctx
->total
[0] & 0x3F;
278 ctx
->total
[0] += (uint32_t) ilen
;
279 ctx
->total
[0] &= 0xFFFFFFFF;
281 if( ctx
->total
[0] < (uint32_t) ilen
)
284 if( left
&& ilen
>= fill
)
286 memcpy( (void *) (ctx
->buffer
+ left
), input
, fill
);
288 if( ( ret
= mbedtls_internal_sha256_process( ctx
, ctx
->buffer
) ) != 0 )
298 if( ( ret
= mbedtls_internal_sha256_process( ctx
, input
) ) != 0 )
306 memcpy( (void *) (ctx
->buffer
+ left
), input
, ilen
);
311 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
312 void mbedtls_sha256_update( mbedtls_sha256_context
*ctx
,
313 const unsigned char *input
,
316 mbedtls_sha256_update_ret( ctx
, input
, ilen
);
321 * SHA-256 final digest
323 int mbedtls_sha256_finish_ret( mbedtls_sha256_context
*ctx
,
324 unsigned char output
[32] )
331 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
333 used
= ctx
->total
[0] & 0x3F;
335 ctx
->buffer
[used
++] = 0x80;
339 /* Enough room for padding + length in current block */
340 memset( ctx
->buffer
+ used
, 0, 56 - used
);
344 /* We'll need an extra block */
345 memset( ctx
->buffer
+ used
, 0, 64 - used
);
347 if( ( ret
= mbedtls_internal_sha256_process( ctx
, ctx
->buffer
) ) != 0 )
350 memset( ctx
->buffer
, 0, 56 );
356 high
= ( ctx
->total
[0] >> 29 )
357 | ( ctx
->total
[1] << 3 );
358 low
= ( ctx
->total
[0] << 3 );
360 PUT_UINT32_BE( high
, ctx
->buffer
, 56 );
361 PUT_UINT32_BE( low
, ctx
->buffer
, 60 );
363 if( ( ret
= mbedtls_internal_sha256_process( ctx
, ctx
->buffer
) ) != 0 )
369 PUT_UINT32_BE( ctx
->state
[0], output
, 0 );
370 PUT_UINT32_BE( ctx
->state
[1], output
, 4 );
371 PUT_UINT32_BE( ctx
->state
[2], output
, 8 );
372 PUT_UINT32_BE( ctx
->state
[3], output
, 12 );
373 PUT_UINT32_BE( ctx
->state
[4], output
, 16 );
374 PUT_UINT32_BE( ctx
->state
[5], output
, 20 );
375 PUT_UINT32_BE( ctx
->state
[6], output
, 24 );
377 if( ctx
->is224
== 0 )
378 PUT_UINT32_BE( ctx
->state
[7], output
, 28 );
383 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
384 void mbedtls_sha256_finish( mbedtls_sha256_context
*ctx
,
385 unsigned char output
[32] )
387 mbedtls_sha256_finish_ret( ctx
, output
);
391 #endif /* !MBEDTLS_SHA256_ALT */
394 * output = SHA-256( input buffer )
396 int mbedtls_sha256_ret( const unsigned char *input
,
398 unsigned char output
[32],
402 mbedtls_sha256_context ctx
;
404 mbedtls_sha256_init( &ctx
);
406 if( ( ret
= mbedtls_sha256_starts_ret( &ctx
, is224
) ) != 0 )
409 if( ( ret
= mbedtls_sha256_update_ret( &ctx
, input
, ilen
) ) != 0 )
412 if( ( ret
= mbedtls_sha256_finish_ret( &ctx
, output
) ) != 0 )
416 mbedtls_sha256_free( &ctx
);
421 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
422 void mbedtls_sha256( const unsigned char *input
,
424 unsigned char output
[32],
427 mbedtls_sha256_ret( input
, ilen
, output
, is224
);
431 #if defined(MBEDTLS_SELF_TEST)
433 * FIPS-180-2 test vectors
435 static const unsigned char sha256_test_buf
[3][57] =
438 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
442 static const size_t sha256_test_buflen
[3] =
447 static const unsigned char sha256_test_sum
[6][32] =
450 * SHA-224 test vectors
452 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
453 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
454 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
455 0xE3, 0x6C, 0x9D, 0xA7 },
456 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
457 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
458 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
459 0x52, 0x52, 0x25, 0x25 },
460 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
461 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
462 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
463 0x4E, 0xE7, 0xAD, 0x67 },
466 * SHA-256 test vectors
468 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
469 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
470 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
471 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
472 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
473 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
474 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
475 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
476 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
477 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
478 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
479 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
485 int mbedtls_sha256_self_test( int verbose
)
487 int i
, j
, k
, buflen
, ret
= 0;
489 unsigned char sha256sum
[32];
490 mbedtls_sha256_context ctx
;
492 buf
= mbedtls_calloc( 1024, sizeof(unsigned char) );
496 mbedtls_printf( "Buffer allocation failed\n" );
501 mbedtls_sha256_init( &ctx
);
503 for( i
= 0; i
< 6; i
++ )
509 mbedtls_printf( " SHA-%d test #%d: ", 256 - k
* 32, j
+ 1 );
511 if( ( ret
= mbedtls_sha256_starts_ret( &ctx
, k
) ) != 0 )
516 memset( buf
, 'a', buflen
= 1000 );
518 for( j
= 0; j
< 1000; j
++ )
520 ret
= mbedtls_sha256_update_ret( &ctx
, buf
, buflen
);
528 ret
= mbedtls_sha256_update_ret( &ctx
, sha256_test_buf
[j
],
529 sha256_test_buflen
[j
] );
534 if( ( ret
= mbedtls_sha256_finish_ret( &ctx
, sha256sum
) ) != 0 )
538 if( memcmp( sha256sum
, sha256_test_sum
[i
], 32 - k
* 4 ) != 0 )
545 mbedtls_printf( "passed\n" );
549 mbedtls_printf( "\n" );
555 mbedtls_printf( "failed\n" );
558 mbedtls_sha256_free( &ctx
);
564 #endif /* MBEDTLS_SELF_TEST */
566 #endif /* MBEDTLS_SHA256_C */