1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-180-2 compliant SHA-256 implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The SHA-256 Secure Hash Standard was published by NIST in 2002. 23 * 24 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 25 */ 26 27 #if !defined(MBEDTLS_CONFIG_FILE) 28 #include "mbedtls/config.h" 29 #else 30 #include MBEDTLS_CONFIG_FILE 31 #endif 32 33 #if defined(MBEDTLS_SHA256_C) 34 35 #include "mbedtls/sha256.h" 36 #include "mbedtls/platform_util.h" 37 38 #include <string.h> 39 40 #if defined(MBEDTLS_SELF_TEST) 41 #if defined(MBEDTLS_PLATFORM_C) 42 #include "mbedtls/platform.h" 43 #else 44 #include <stdio.h> 45 #include <stdlib.h> 46 #define mbedtls_printf printf 47 #define mbedtls_calloc calloc 48 #define mbedtls_free free 49 #endif /* MBEDTLS_PLATFORM_C */ 50 #endif /* MBEDTLS_SELF_TEST */ 51 52 #define SHA256_VALIDATE_RET(cond) \ 53 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA ) 54 #define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond ) 55 56 #if !defined(MBEDTLS_SHA256_ALT) 57 58 /* 59 * 32-bit integer manipulation macros (big endian) 60 */ 61 #ifndef GET_UINT32_BE 62 #define GET_UINT32_BE(n,b,i) \ 63 do { \ 64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 67 | ( (uint32_t) (b)[(i) + 3] ); \ 68 } while( 0 ) 69 #endif 70 71 #ifndef PUT_UINT32_BE 72 #define PUT_UINT32_BE(n,b,i) \ 73 do { \ 74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 77 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 78 } while( 0 ) 79 #endif 80 81 void mbedtls_sha256_init( mbedtls_sha256_context *ctx ) 82 { 83 SHA256_VALIDATE( ctx != NULL ); 84 85 memset( ctx, 0, sizeof( mbedtls_sha256_context ) ); 86 } 87 88 void mbedtls_sha256_free( mbedtls_sha256_context *ctx ) 89 { 90 if( ctx == NULL ) 91 return; 92 93 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) ); 94 } 95 96 void mbedtls_sha256_clone( mbedtls_sha256_context *dst, 97 const mbedtls_sha256_context *src ) 98 { 99 SHA256_VALIDATE( dst != NULL ); 100 SHA256_VALIDATE( src != NULL ); 101 102 *dst = *src; 103 } 104 105 /* 106 * SHA-256 context setup 107 */ 108 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ) 109 { 110 SHA256_VALIDATE_RET( ctx != NULL ); 111 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); 112 113 ctx->total[0] = 0; 114 ctx->total[1] = 0; 115 116 if( is224 == 0 ) 117 { 118 /* SHA-256 */ 119 ctx->state[0] = 0x6A09E667; 120 ctx->state[1] = 0xBB67AE85; 121 ctx->state[2] = 0x3C6EF372; 122 ctx->state[3] = 0xA54FF53A; 123 ctx->state[4] = 0x510E527F; 124 ctx->state[5] = 0x9B05688C; 125 ctx->state[6] = 0x1F83D9AB; 126 ctx->state[7] = 0x5BE0CD19; 127 } 128 else 129 { 130 /* SHA-224 */ 131 ctx->state[0] = 0xC1059ED8; 132 ctx->state[1] = 0x367CD507; 133 ctx->state[2] = 0x3070DD17; 134 ctx->state[3] = 0xF70E5939; 135 ctx->state[4] = 0xFFC00B31; 136 ctx->state[5] = 0x68581511; 137 ctx->state[6] = 0x64F98FA7; 138 ctx->state[7] = 0xBEFA4FA4; 139 } 140 141 ctx->is224 = is224; 142 143 return( 0 ); 144 } 145 146 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 147 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, 148 int is224 ) 149 { 150 mbedtls_sha256_starts_ret( ctx, is224 ); 151 } 152 #endif 153 154 #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 155 static const uint32_t K[] = 156 { 157 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 158 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 159 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 160 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 161 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 162 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 163 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 164 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967, 165 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 166 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 167 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 168 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 169 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 170 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 171 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 172 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2, 173 }; 174 175 #define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n)) 176 #define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n)))) 177 178 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3)) 179 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10)) 180 181 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22)) 182 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25)) 183 184 #define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) 185 #define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) 186 187 #define R(t) \ 188 ( \ 189 W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \ 190 S0(W[(t) - 15]) + W[(t) - 16] \ 191 ) 192 193 #define P(a,b,c,d,e,f,g,h,x,K) \ 194 do \ 195 { \ 196 temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ 197 temp2 = S2(a) + F0((a),(b),(c)); \ 198 (d) += temp1; (h) = temp1 + temp2; \ 199 } while( 0 ) 200 201 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, 202 const unsigned char data[64] ) 203 { 204 uint32_t temp1, temp2, W[64]; 205 uint32_t A[8]; 206 unsigned int i; 207 208 SHA256_VALIDATE_RET( ctx != NULL ); 209 SHA256_VALIDATE_RET( (const unsigned char *)data != NULL ); 210 211 for( i = 0; i < 8; i++ ) 212 A[i] = ctx->state[i]; 213 214 #if defined(MBEDTLS_SHA256_SMALLER) 215 for( i = 0; i < 64; i++ ) 216 { 217 if( i < 16 ) 218 GET_UINT32_BE( W[i], data, 4 * i ); 219 else 220 R( i ); 221 222 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); 223 224 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; 225 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; 226 } 227 #else /* MBEDTLS_SHA256_SMALLER */ 228 for( i = 0; i < 16; i++ ) 229 GET_UINT32_BE( W[i], data, 4 * i ); 230 231 for( i = 0; i < 16; i += 8 ) 232 { 233 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); 234 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); 235 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); 236 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); 237 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); 238 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); 239 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); 240 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); 241 } 242 243 for( i = 16; i < 64; i += 8 ) 244 { 245 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); 246 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); 247 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); 248 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); 249 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); 250 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); 251 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); 252 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); 253 } 254 #endif /* MBEDTLS_SHA256_SMALLER */ 255 256 for( i = 0; i < 8; i++ ) 257 ctx->state[i] += A[i]; 258 259 return( 0 ); 260 } 261 262 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 263 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, 264 const unsigned char data[64] ) 265 { 266 mbedtls_internal_sha256_process( ctx, data ); 267 } 268 #endif 269 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */ 270 271 /* 272 * SHA-256 process buffer 273 */ 274 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, 275 const unsigned char *input, 276 size_t ilen ) 277 { 278 int ret; 279 size_t fill; 280 uint32_t left; 281 282 SHA256_VALIDATE_RET( ctx != NULL ); 283 SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); 284 285 if( ilen == 0 ) 286 return( 0 ); 287 288 left = ctx->total[0] & 0x3F; 289 fill = 64 - left; 290 291 ctx->total[0] += (uint32_t) ilen; 292 ctx->total[0] &= 0xFFFFFFFF; 293 294 if( ctx->total[0] < (uint32_t) ilen ) 295 ctx->total[1]++; 296 297 if( left && ilen >= fill ) 298 { 299 memcpy( (void *) (ctx->buffer + left), input, fill ); 300 301 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 302 return( ret ); 303 304 input += fill; 305 ilen -= fill; 306 left = 0; 307 } 308 309 while( ilen >= 64 ) 310 { 311 if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 ) 312 return( ret ); 313 314 input += 64; 315 ilen -= 64; 316 } 317 318 if( ilen > 0 ) 319 memcpy( (void *) (ctx->buffer + left), input, ilen ); 320 321 return( 0 ); 322 } 323 324 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 325 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, 326 const unsigned char *input, 327 size_t ilen ) 328 { 329 mbedtls_sha256_update_ret( ctx, input, ilen ); 330 } 331 #endif 332 333 /* 334 * SHA-256 final digest 335 */ 336 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, 337 unsigned char output[32] ) 338 { 339 int ret; 340 uint32_t used; 341 uint32_t high, low; 342 343 SHA256_VALIDATE_RET( ctx != NULL ); 344 SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); 345 346 /* 347 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length 348 */ 349 used = ctx->total[0] & 0x3F; 350 351 ctx->buffer[used++] = 0x80; 352 353 if( used <= 56 ) 354 { 355 /* Enough room for padding + length in current block */ 356 memset( ctx->buffer + used, 0, 56 - used ); 357 } 358 else 359 { 360 /* We'll need an extra block */ 361 memset( ctx->buffer + used, 0, 64 - used ); 362 363 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 364 return( ret ); 365 366 memset( ctx->buffer, 0, 56 ); 367 } 368 369 /* 370 * Add message length 371 */ 372 high = ( ctx->total[0] >> 29 ) 373 | ( ctx->total[1] << 3 ); 374 low = ( ctx->total[0] << 3 ); 375 376 PUT_UINT32_BE( high, ctx->buffer, 56 ); 377 PUT_UINT32_BE( low, ctx->buffer, 60 ); 378 379 if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) 380 return( ret ); 381 382 /* 383 * Output final state 384 */ 385 PUT_UINT32_BE( ctx->state[0], output, 0 ); 386 PUT_UINT32_BE( ctx->state[1], output, 4 ); 387 PUT_UINT32_BE( ctx->state[2], output, 8 ); 388 PUT_UINT32_BE( ctx->state[3], output, 12 ); 389 PUT_UINT32_BE( ctx->state[4], output, 16 ); 390 PUT_UINT32_BE( ctx->state[5], output, 20 ); 391 PUT_UINT32_BE( ctx->state[6], output, 24 ); 392 393 if( ctx->is224 == 0 ) 394 PUT_UINT32_BE( ctx->state[7], output, 28 ); 395 396 return( 0 ); 397 } 398 399 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 400 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, 401 unsigned char output[32] ) 402 { 403 mbedtls_sha256_finish_ret( ctx, output ); 404 } 405 #endif 406 407 #endif /* !MBEDTLS_SHA256_ALT */ 408 409 /* 410 * output = SHA-256( input buffer ) 411 */ 412 int mbedtls_sha256_ret( const unsigned char *input, 413 size_t ilen, 414 unsigned char output[32], 415 int is224 ) 416 { 417 int ret; 418 mbedtls_sha256_context ctx; 419 420 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 ); 421 SHA256_VALIDATE_RET( ilen == 0 || input != NULL ); 422 SHA256_VALIDATE_RET( (unsigned char *)output != NULL ); 423 424 mbedtls_sha256_init( &ctx ); 425 426 if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 ) 427 goto exit; 428 429 if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 ) 430 goto exit; 431 432 if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 ) 433 goto exit; 434 435 exit: 436 mbedtls_sha256_free( &ctx ); 437 438 return( ret ); 439 } 440 441 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 442 void mbedtls_sha256( const unsigned char *input, 443 size_t ilen, 444 unsigned char output[32], 445 int is224 ) 446 { 447 mbedtls_sha256_ret( input, ilen, output, is224 ); 448 } 449 #endif 450 451 #if defined(MBEDTLS_SELF_TEST) 452 /* 453 * FIPS-180-2 test vectors 454 */ 455 static const unsigned char sha256_test_buf[3][57] = 456 { 457 { "abc" }, 458 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, 459 { "" } 460 }; 461 462 static const size_t sha256_test_buflen[3] = 463 { 464 3, 56, 1000 465 }; 466 467 static const unsigned char sha256_test_sum[6][32] = 468 { 469 /* 470 * SHA-224 test vectors 471 */ 472 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22, 473 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3, 474 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7, 475 0xE3, 0x6C, 0x9D, 0xA7 }, 476 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC, 477 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50, 478 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19, 479 0x52, 0x52, 0x25, 0x25 }, 480 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8, 481 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B, 482 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE, 483 0x4E, 0xE7, 0xAD, 0x67 }, 484 485 /* 486 * SHA-256 test vectors 487 */ 488 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA, 489 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23, 490 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C, 491 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD }, 492 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8, 493 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39, 494 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67, 495 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 }, 496 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92, 497 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67, 498 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E, 499 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 } 500 }; 501 502 /* 503 * Checkup routine 504 */ 505 int mbedtls_sha256_self_test( int verbose ) 506 { 507 int i, j, k, buflen, ret = 0; 508 unsigned char *buf; 509 unsigned char sha256sum[32]; 510 mbedtls_sha256_context ctx; 511 512 buf = mbedtls_calloc( 1024, sizeof(unsigned char) ); 513 if( NULL == buf ) 514 { 515 if( verbose != 0 ) 516 mbedtls_printf( "Buffer allocation failed\n" ); 517 518 return( 1 ); 519 } 520 521 mbedtls_sha256_init( &ctx ); 522 523 for( i = 0; i < 6; i++ ) 524 { 525 j = i % 3; 526 k = i < 3; 527 528 if( verbose != 0 ) 529 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); 530 531 if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 ) 532 goto fail; 533 534 if( j == 2 ) 535 { 536 memset( buf, 'a', buflen = 1000 ); 537 538 for( j = 0; j < 1000; j++ ) 539 { 540 ret = mbedtls_sha256_update_ret( &ctx, buf, buflen ); 541 if( ret != 0 ) 542 goto fail; 543 } 544 545 } 546 else 547 { 548 ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j], 549 sha256_test_buflen[j] ); 550 if( ret != 0 ) 551 goto fail; 552 } 553 554 if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 ) 555 goto fail; 556 557 558 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) 559 { 560 ret = 1; 561 goto fail; 562 } 563 564 if( verbose != 0 ) 565 mbedtls_printf( "passed\n" ); 566 } 567 568 if( verbose != 0 ) 569 mbedtls_printf( "\n" ); 570 571 goto exit; 572 573 fail: 574 if( verbose != 0 ) 575 mbedtls_printf( "failed\n" ); 576 577 exit: 578 mbedtls_sha256_free( &ctx ); 579 mbedtls_free( buf ); 580 581 return( ret ); 582 } 583 584 #endif /* MBEDTLS_SELF_TEST */ 585 586 #endif /* MBEDTLS_SHA256_C */ 587