2 * FIPS-180-2 compliant SHA-256 implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 #if !defined(MBEDTLS_CONFIG_FILE)
30 #include "mbedtls/config.h"
32 #include MBEDTLS_CONFIG_FILE
35 #if defined(MBEDTLS_SHA256_C)
37 #include "mbedtls/sha256.h"
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
47 #define mbedtls_printf printf
48 #define mbedtls_calloc calloc
49 #define mbedtls_free free
50 #endif /* MBEDTLS_PLATFORM_C */
51 #endif /* MBEDTLS_SELF_TEST */
53 #if !defined(MBEDTLS_SHA256_ALT)
55 /* Implementation that should never be optimized out by the compiler */
56 static void mbedtls_zeroize( void *v
, size_t n
) {
57 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
61 * 32-bit integer manipulation macros (big endian)
64 #define GET_UINT32_BE(n,b,i) \
66 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
67 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
69 | ( (uint32_t) (b)[(i) + 3] ); \
74 #define PUT_UINT32_BE(n,b,i) \
76 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
77 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
78 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
79 (b)[(i) + 3] = (unsigned char) ( (n) ); \
83 void mbedtls_sha256_init( mbedtls_sha256_context
*ctx
)
85 memset( ctx
, 0, sizeof( mbedtls_sha256_context
) );
88 void mbedtls_sha256_free( mbedtls_sha256_context
*ctx
)
93 mbedtls_zeroize( ctx
, sizeof( mbedtls_sha256_context
) );
96 void mbedtls_sha256_clone( mbedtls_sha256_context
*dst
,
97 const mbedtls_sha256_context
*src
)
103 * SHA-256 context setup
105 void mbedtls_sha256_starts( mbedtls_sha256_context
*ctx
, int is224
)
113 ctx
->state
[0] = 0x6A09E667;
114 ctx
->state
[1] = 0xBB67AE85;
115 ctx
->state
[2] = 0x3C6EF372;
116 ctx
->state
[3] = 0xA54FF53A;
117 ctx
->state
[4] = 0x510E527F;
118 ctx
->state
[5] = 0x9B05688C;
119 ctx
->state
[6] = 0x1F83D9AB;
120 ctx
->state
[7] = 0x5BE0CD19;
125 ctx
->state
[0] = 0xC1059ED8;
126 ctx
->state
[1] = 0x367CD507;
127 ctx
->state
[2] = 0x3070DD17;
128 ctx
->state
[3] = 0xF70E5939;
129 ctx
->state
[4] = 0xFFC00B31;
130 ctx
->state
[5] = 0x68581511;
131 ctx
->state
[6] = 0x64F98FA7;
132 ctx
->state
[7] = 0xBEFA4FA4;
138 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
139 static const uint32_t K
[] =
141 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
142 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
143 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
144 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
145 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
146 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
147 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
148 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
149 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
150 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
151 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
152 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
153 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
154 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
155 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
156 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
159 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
160 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
162 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
163 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
165 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
166 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
168 #define F0(x,y,z) ((x & y) | (z & (x | y)))
169 #define F1(x,y,z) (z ^ (x & (y ^ z)))
173 W[t] = S1(W[t - 2]) + W[t - 7] + \
174 S0(W[t - 15]) + W[t - 16] \
177 #define P(a,b,c,d,e,f,g,h,x,K) \
179 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
180 temp2 = S2(a) + F0(a,b,c); \
181 d += temp1; h = temp1 + temp2; \
184 void mbedtls_sha256_process( mbedtls_sha256_context
*ctx
, const unsigned char data
[64] )
186 uint32_t temp1
, temp2
, W
[64];
190 for( i
= 0; i
< 8; i
++ )
191 A
[i
] = ctx
->state
[i
];
193 #if defined(MBEDTLS_SHA256_SMALLER)
194 for( i
= 0; i
< 64; i
++ )
197 GET_UINT32_BE( W
[i
], data
, 4 * i
);
201 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], W
[i
], K
[i
] );
203 temp1
= A
[7]; A
[7] = A
[6]; A
[6] = A
[5]; A
[5] = A
[4]; A
[4] = A
[3];
204 A
[3] = A
[2]; A
[2] = A
[1]; A
[1] = A
[0]; A
[0] = temp1
;
206 #else /* MBEDTLS_SHA256_SMALLER */
207 for( i
= 0; i
< 16; i
++ )
208 GET_UINT32_BE( W
[i
], data
, 4 * i
);
210 for( i
= 0; i
< 16; i
+= 8 )
212 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], W
[i
+0], K
[i
+0] );
213 P( A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], W
[i
+1], K
[i
+1] );
214 P( A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], W
[i
+2], K
[i
+2] );
215 P( A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], W
[i
+3], K
[i
+3] );
216 P( A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], W
[i
+4], K
[i
+4] );
217 P( A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], W
[i
+5], K
[i
+5] );
218 P( A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], W
[i
+6], K
[i
+6] );
219 P( A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], W
[i
+7], K
[i
+7] );
222 for( i
= 16; i
< 64; i
+= 8 )
224 P( A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], R(i
+0), K
[i
+0] );
225 P( A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], R(i
+1), K
[i
+1] );
226 P( A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], A
[5], R(i
+2), K
[i
+2] );
227 P( A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], A
[4], R(i
+3), K
[i
+3] );
228 P( A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], A
[3], R(i
+4), K
[i
+4] );
229 P( A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], A
[2], R(i
+5), K
[i
+5] );
230 P( A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], A
[1], R(i
+6), K
[i
+6] );
231 P( A
[1], A
[2], A
[3], A
[4], A
[5], A
[6], A
[7], A
[0], R(i
+7), K
[i
+7] );
233 #endif /* MBEDTLS_SHA256_SMALLER */
235 for( i
= 0; i
< 8; i
++ )
236 ctx
->state
[i
] += A
[i
];
238 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
241 * SHA-256 process buffer
243 void mbedtls_sha256_update( mbedtls_sha256_context
*ctx
, const unsigned char *input
,
252 left
= ctx
->total
[0] & 0x3F;
255 ctx
->total
[0] += (uint32_t) ilen
;
256 ctx
->total
[0] &= 0xFFFFFFFF;
258 if( ctx
->total
[0] < (uint32_t) ilen
)
261 if( left
&& ilen
>= fill
)
263 memcpy( (void *) (ctx
->buffer
+ left
), input
, fill
);
264 mbedtls_sha256_process( ctx
, ctx
->buffer
);
272 mbedtls_sha256_process( ctx
, input
);
278 memcpy( (void *) (ctx
->buffer
+ left
), input
, ilen
);
281 static const unsigned char sha256_padding
[64] =
283 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
285 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
286 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
290 * SHA-256 final digest
292 void mbedtls_sha256_finish( mbedtls_sha256_context
*ctx
, unsigned char output
[32] )
296 unsigned char msglen
[8];
298 high
= ( ctx
->total
[0] >> 29 )
299 | ( ctx
->total
[1] << 3 );
300 low
= ( ctx
->total
[0] << 3 );
302 PUT_UINT32_BE( high
, msglen
, 0 );
303 PUT_UINT32_BE( low
, msglen
, 4 );
305 last
= ctx
->total
[0] & 0x3F;
306 padn
= ( last
< 56 ) ? ( 56 - last
) : ( 120 - last
);
308 mbedtls_sha256_update( ctx
, sha256_padding
, padn
);
309 mbedtls_sha256_update( ctx
, msglen
, 8 );
311 PUT_UINT32_BE( ctx
->state
[0], output
, 0 );
312 PUT_UINT32_BE( ctx
->state
[1], output
, 4 );
313 PUT_UINT32_BE( ctx
->state
[2], output
, 8 );
314 PUT_UINT32_BE( ctx
->state
[3], output
, 12 );
315 PUT_UINT32_BE( ctx
->state
[4], output
, 16 );
316 PUT_UINT32_BE( ctx
->state
[5], output
, 20 );
317 PUT_UINT32_BE( ctx
->state
[6], output
, 24 );
319 if( ctx
->is224
== 0 )
320 PUT_UINT32_BE( ctx
->state
[7], output
, 28 );
323 #endif /* !MBEDTLS_SHA256_ALT */
326 * output = SHA-256( input buffer )
328 void mbedtls_sha256( const unsigned char *input
, size_t ilen
,
329 unsigned char output
[32], int is224
)
331 mbedtls_sha256_context ctx
;
333 mbedtls_sha256_init( &ctx
);
334 mbedtls_sha256_starts( &ctx
, is224
);
335 mbedtls_sha256_update( &ctx
, input
, ilen
);
336 mbedtls_sha256_finish( &ctx
, output
);
337 mbedtls_sha256_free( &ctx
);
340 #if defined(MBEDTLS_SELF_TEST)
342 * FIPS-180-2 test vectors
344 static const unsigned char sha256_test_buf
[3][57] =
347 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
351 static const int sha256_test_buflen
[3] =
356 static const unsigned char sha256_test_sum
[6][32] =
359 * SHA-224 test vectors
361 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
362 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
363 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
364 0xE3, 0x6C, 0x9D, 0xA7 },
365 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
366 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
367 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
368 0x52, 0x52, 0x25, 0x25 },
369 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
370 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
371 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
372 0x4E, 0xE7, 0xAD, 0x67 },
375 * SHA-256 test vectors
377 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
378 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
379 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
380 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
381 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
382 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
383 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
384 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
385 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
386 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
387 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
388 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
394 int mbedtls_sha256_self_test( int verbose
)
396 int i
, j
, k
, buflen
, ret
= 0;
398 unsigned char sha256sum
[32];
399 mbedtls_sha256_context ctx
;
401 buf
= mbedtls_calloc( 1024, sizeof(unsigned char) );
405 mbedtls_printf( "Buffer allocation failed\n" );
410 mbedtls_sha256_init( &ctx
);
412 for( i
= 0; i
< 6; i
++ )
418 mbedtls_printf( " SHA-%d test #%d: ", 256 - k
* 32, j
+ 1 );
420 mbedtls_sha256_starts( &ctx
, k
);
424 memset( buf
, 'a', buflen
= 1000 );
426 for( j
= 0; j
< 1000; j
++ )
427 mbedtls_sha256_update( &ctx
, buf
, buflen
);
430 mbedtls_sha256_update( &ctx
, sha256_test_buf
[j
],
431 sha256_test_buflen
[j
] );
433 mbedtls_sha256_finish( &ctx
, sha256sum
);
435 if( memcmp( sha256sum
, sha256_test_sum
[i
], 32 - k
* 4 ) != 0 )
438 mbedtls_printf( "failed\n" );
445 mbedtls_printf( "passed\n" );
449 mbedtls_printf( "\n" );
452 mbedtls_sha256_free( &ctx
);
458 #endif /* MBEDTLS_SELF_TEST */
460 #endif /* MBEDTLS_SHA256_C */