1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-180-2 compliant SHA-256 implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 23 * 24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 25 */ 26 27 #if !defined(MBEDTLS_CONFIG_FILE) 28 #include "mbedtls/config.h" 29 #else 30 #include MBEDTLS_CONFIG_FILE 31 #endif 32 33 #if defined(MBEDTLS_SHA256_C) 34 35 #include "mbedtls/sha256.h" 36 #include "mbedtls/platform_util.h" 37 #include "mbedtls/error.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_SELF_TEST) 42 #if defined(MBEDTLS_PLATFORM_C) 43 #include "mbedtls/platform.h" 44 #else 45 #include <stdio.h> 46 #include <stdlib.h> 47 #define mbedtls_printf printf 48 #define mbedtls_calloc calloc 49 #define mbedtls_free free 50 #endif /* MBEDTLS_PLATFORM_C */ 51 #endif /* MBEDTLS_SELF_TEST */ 52 53 #define SHA256_VALIDATE_RET(cond) \ 54 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA ) 55 #define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) 56 57 #if !defined(MBEDTLS_SHA256_ALT) 58 59 /* 60 * 32-bit integer manipulation macros (big endian) 61 */ 62 #ifndef GET_UINT32_BE 63 #define GET_UINT32_BE(n,b,i) \ 64 do { \ 65 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 66 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 67 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 68 | ( (uint32_t) (b)[(i) + 3] ); \ 69 } while( 0 ) 70 #endif 71 72 #ifndef PUT_UINT32_BE 73 #define PUT_UINT32_BE(n,b,i) \ 74 do { \ 75 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 76 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 77 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 78 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 79 } while( 0 ) 80 #endif 81 82 void mbedtls_sha256_init( mbedtls_sha256_context *ctx ) 83 { 84 SHA256_VALIDATE( ctx != NULL ); 85 86 memset( ctx, 0, sizeof( mbedtls_sha256_context ) ); 87 } 88 89 void mbedtls_sha256_free( mbedtls_sha256_context *ctx ) 90 { 91 if( ctx == NULL ) 92 return; 93 94 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) ); 95 } 96 97 void mbedtls_sha256_clone( mbedtls_sha256_context *dst, 98 const mbedtls_sha256_context *src ) 99 { 100 SHA256_VALIDATE( dst != NULL ); 101 SHA256_VALIDATE( src != NULL ); 102 103 *dst = *src; 104 } 105 106 /* 107 * SHA-256 context setup 108 */ 109 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ) 110 { 111 SHA256_VALIDATE_RET( ctx != NULL ); 112 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); 113 114 ctx->total[0] = 0; 115 ctx->total[1] = 0; 116 117 if( is224 == 0 ) 118 { 119 /* SHA-256 */ 120 ctx->state[0] = 0x6A09E667; 121 ctx->state[1] = 0xBB67AE85; 122 ctx->state[2] = 0x3C6EF372; 123 ctx->state[3] = 0xA54FF53A; 124 ctx->state[4] = 0x510E527F; 125 ctx->state[5] = 0x9B05688C; 126 ctx->state[6] = 0x1F83D9AB; 127 ctx->state[7] = 0x5BE0CD19; 128 } 129 else 130 { 131 /* SHA-224 */ 132 ctx->state[0] = 0xC1059ED8; 133 ctx->state[1] = 0x367CD507; 134 ctx->state[2] = 0x3070DD17; 135 ctx->state[3] = 0xF70E5939; 136 ctx->state[4] = 0xFFC00B31; 137 ctx->state[5] = 0x68581511; 138 ctx->state[6] = 0x64F98FA7; 139 ctx->state[7] = 0xBEFA4FA4; 140 } 141 142 ctx->is224 = is224; 143 144 return( 0 ); 145 } 146 147 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 148 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, 149 int is224 ) 150 { 151 mbedtls_sha256_starts_ret( ctx, is224 ); 152 } 153 #endif 154 155 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 156 static const uint32_t K[] = 157 { 158 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 159 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 160 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 161 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 162 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 163 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 164 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 165 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 166 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 167 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 168 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 169 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 170 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 171 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 172 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 173 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 174 }; 175 176 #define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n)) 177 #define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n)))) 178 179 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3)) 180 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10)) 181 182 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22)) 183 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25)) 184 185 #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) 186 #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) 187 188 #define R(t) \ 189 ( \ 190 W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \ 191 S0(W[(t) - 15]) + W[(t) - 16] \ 192 ) 193 194 #define P(a,b,c,d,e,f,g,h,x,K) \ 195 do \ 196 { \ 197 temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ 198 temp2 = S2(a) + F0((a),(b),(c)); \ 199 (d) += temp1; (h) = temp1 + temp2; \ 200 } while( 0 ) 201 202 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, 203 const unsigned char data[64] ) 204 { 205 uint32_t temp1, temp2, W[64]; 206 uint32_t A[8]; 207 unsigned int i; 208 209 SHA256_VALIDATE_RET( ctx != NULL ); 210 SHA256_VALIDATE_RET( (const unsigned char *)data != NULL ); 211 212 for( i = 0; i < 8; i++ ) 213 A[i] = ctx->state[i]; 214 215 #if defined(MBEDTLS_SHA256_SMALLER) 216 for( i = 0; i < 64; i++ ) 217 { 218 if( i < 16 ) 219 GET_UINT32_BE( W[i], data, 4 * i ); 220 else 221 R( i ); 222 223 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); 224 225 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; 226 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; 227 } 228 #else /* MBEDTLS_SHA256_SMALLER */ 229 for( i = 0; i < 16; i++ ) 230 GET_UINT32_BE( W[i], data, 4 * i ); 231 232 for( i = 0; i < 16; i += 8 ) 233 { 234 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); 235 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); 236 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); 237 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); 238 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); 239 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); 240 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); 241 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); 242 } 243 244 for( i = 16; i < 64; i += 8 ) 245 { 246 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); 247 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); 248 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); 249 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); 250 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); 251 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); 252 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); 253 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); 254 } 255 #endif /* MBEDTLS_SHA256_SMALLER */ 256 257 for( i = 0; i < 8; i++ ) 258 ctx->state[i] += A[i]; 259 260 return( 0 ); 261 } 262 263 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 264 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, 265 const unsigned char data[64] ) 266 { 267 mbedtls_internal_sha256_process( ctx, data ); 268 } 269 #endif 270 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */ 271 272 /* 273 * SHA-256 process buffer 274 */ 275 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, 276 const unsigned char *input, 277 size_t ilen ) 278 { 279 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 280 size_t fill; 281 uint32_t left; 282 283 SHA256_VALIDATE_RET( ctx != NULL ); 284 SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); 285 286 if( ilen == 0 ) 287 return( 0 ); 288 289 left = ctx->total[0] & 0x3F; 290 fill = 64 - left; 291 292 ctx->total[0] += (uint32_t) ilen; 293 ctx->total[0] &= 0xFFFFFFFF; 294 295 if( ctx->total[0] < (uint32_t) ilen ) 296 ctx->total[1]++; 297 298 if( left && ilen >= fill ) 299 { 300 memcpy( (void *) (ctx->buffer + left), input, fill ); 301 302 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 303 return( ret ); 304 305 input += fill; 306 ilen -= fill; 307 left = 0; 308 } 309 310 while( ilen >= 64 ) 311 { 312 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 ) 313 return( ret ); 314 315 input += 64; 316 ilen -= 64; 317 } 318 319 if( ilen > 0 ) 320 memcpy( (void *) (ctx->buffer + left), input, ilen ); 321 322 return( 0 ); 323 } 324 325 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 326 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, 327 const unsigned char *input, 328 size_t ilen ) 329 { 330 mbedtls_sha256_update_ret( ctx, input, ilen ); 331 } 332 #endif 333 334 /* 335 * SHA-256 final digest 336 */ 337 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, 338 unsigned char output[32] ) 339 { 340 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 341 uint32_t used; 342 uint32_t high, low; 343 344 SHA256_VALIDATE_RET( ctx != NULL ); 345 SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); 346 347 /* 348 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 349 */ 350 used = ctx->total[0] & 0x3F; 351 352 ctx->buffer[used++] = 0x80; 353 354 if( used <= 56 ) 355 { 356 /* Enough room for padding + length in current block */ 357 memset( ctx->buffer + used, 0, 56 - used ); 358 } 359 else 360 { 361 /* We'll need an extra block */ 362 memset( ctx->buffer + used, 0, 64 - used ); 363 364 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 365 return( ret ); 366 367 memset( ctx->buffer, 0, 56 ); 368 } 369 370 /* 371 * Add message length 372 */ 373 high = ( ctx->total[0] >> 29 ) 374 | ( ctx->total[1] << 3 ); 375 low = ( ctx->total[0] << 3 ); 376 377 PUT_UINT32_BE( high, ctx->buffer, 56 ); 378 PUT_UINT32_BE( low, ctx->buffer, 60 ); 379 380 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 381 return( ret ); 382 383 /* 384 * Output final state 385 */ 386 PUT_UINT32_BE( ctx->state[0], output, 0 ); 387 PUT_UINT32_BE( ctx->state[1], output, 4 ); 388 PUT_UINT32_BE( ctx->state[2], output, 8 ); 389 PUT_UINT32_BE( ctx->state[3], output, 12 ); 390 PUT_UINT32_BE( ctx->state[4], output, 16 ); 391 PUT_UINT32_BE( ctx->state[5], output, 20 ); 392 PUT_UINT32_BE( ctx->state[6], output, 24 ); 393 394 if( ctx->is224 == 0 ) 395 PUT_UINT32_BE( ctx->state[7], output, 28 ); 396 397 return( 0 ); 398 } 399 400 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 401 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, 402 unsigned char output[32] ) 403 { 404 mbedtls_sha256_finish_ret( ctx, output ); 405 } 406 #endif 407 408 #endif /* !MBEDTLS_SHA256_ALT */ 409 410 /* 411 * output = SHA-256( input buffer ) 412 */ 413 int mbedtls_sha256_ret( const unsigned char *input, 414 size_t ilen, 415 unsigned char output[32], 416 int is224 ) 417 { 418 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 419 mbedtls_sha256_context ctx; 420 421 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); 422 SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); 423 SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); 424 425 mbedtls_sha256_init( &ctx ); 426 427 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 ) 428 goto exit; 429 430 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 ) 431 goto exit; 432 433 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 ) 434 goto exit; 435 436 exit: 437 mbedtls_sha256_free( &ctx ); 438 439 return( ret ); 440 } 441 442 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 443 void mbedtls_sha256( const unsigned char *input, 444 size_t ilen, 445 unsigned char output[32], 446 int is224 ) 447 { 448 mbedtls_sha256_ret( input, ilen, output, is224 ); 449 } 450 #endif 451 452 #if defined(MBEDTLS_SELF_TEST) 453 /* 454 * FIPS-180-2 test vectors 455 */ 456 static const unsigned char sha256_test_buf[3][57] = 457 { 458 { "abc" }, 459 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 460 { "" } 461 }; 462 463 static const size_t sha256_test_buflen[3] = 464 { 465 3, 56, 1000 466 }; 467 468 static const unsigned char sha256_test_sum[6][32] = 469 { 470 /* 471 * SHA-224 test vectors 472 */ 473 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 474 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 475 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 476 0xE3, 0x6C, 0x9D, 0xA7 }, 477 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 478 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 479 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 480 0x52, 0x52, 0x25, 0x25 }, 481 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 482 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 483 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 484 0x4E, 0xE7, 0xAD, 0x67 }, 485 486 /* 487 * SHA-256 test vectors 488 */ 489 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 490 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 491 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 492 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 493 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 494 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 495 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 496 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 497 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 498 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 499 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 500 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 501 }; 502 503 /* 504 * Checkup routine 505 */ 506 int mbedtls_sha256_self_test( int verbose ) 507 { 508 int i, j, k, buflen, ret = 0; 509 unsigned char *buf; 510 unsigned char sha256sum[32]; 511 mbedtls_sha256_context ctx; 512 513 buf = mbedtls_calloc( 1024, sizeof(unsigned char) ); 514 if( NULL == buf ) 515 { 516 if( verbose != 0 ) 517 mbedtls_printf( "Buffer allocation failed\n" ); 518 519 return( 1 ); 520 } 521 522 mbedtls_sha256_init( &ctx ); 523 524 for( i = 0; i < 6; i++ ) 525 { 526 j = i % 3; 527 k = i < 3; 528 529 if( verbose != 0 ) 530 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); 531 532 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 ) 533 goto fail; 534 535 if( j == 2 ) 536 { 537 memset( buf, 'a', buflen = 1000 ); 538 539 for( j = 0; j < 1000; j++ ) 540 { 541 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen ); 542 if( ret != 0 ) 543 goto fail; 544 } 545 546 } 547 else 548 { 549 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j], 550 sha256_test_buflen[j] ); 551 if( ret != 0 ) 552 goto fail; 553 } 554 555 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 ) 556 goto fail; 557 558 559 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) 560 { 561 ret = 1; 562 goto fail; 563 } 564 565 if( verbose != 0 ) 566 mbedtls_printf( "passed\n" ); 567 } 568 569 if( verbose != 0 ) 570 mbedtls_printf( "\n" ); 571 572 goto exit; 573 574 fail: 575 if( verbose != 0 ) 576 mbedtls_printf( "failed\n" ); 577 578 exit: 579 mbedtls_sha256_free( &ctx ); 580 mbedtls_free( buf ); 581 582 return( ret ); 583 } 584 585 #endif /* MBEDTLS_SELF_TEST */ 586 587 #endif /* MBEDTLS_SHA256_C */ 588