1
#pragma clang diagnostic ignored "-Wunknown-warning-option"
2
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
3
#pragma clang diagnostic ignored "-Wsign-conversion"
5
#pragma GCC diagnostic ignored "-Wconversion"
7
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
8
#pragma clang diagnostic ignored "-Wsign-conversion"
10
#pragma GCC diagnostic ignored "-Wconversion"
12
#pragma clang diagnostic ignored "-Wimplicit-int-conversion"
13
#pragma clang diagnostic ignored "-Wsign-conversion"
15
* FIPS-180-2 compliant SHA-256 implementation
17
* Copyright The Mbed TLS Contributors
18
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
20
* This file is provided under the Apache License 2.0, or the
21
* GNU General Public License v2.0 or later.
26
* Licensed under the Apache License, Version 2.0 (the "License"); you may
27
* not use this file except in compliance with the License.
28
* You may obtain a copy of the License at
30
* http://www.apache.org/licenses/LICENSE-2.0
32
* Unless required by applicable law or agreed to in writing, software
33
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
34
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
35
* See the License for the specific language governing permissions and
36
* limitations under the License.
41
* GNU General Public License v2.0 or later:
43
* This program is free software; you can redistribute it and/or modify
44
* it under the terms of the GNU General Public License as published by
45
* the Free Software Foundation; either version 2 of the License, or
46
* (at your option) any later version.
48
* This program is distributed in the hope that it will be useful,
49
* but WITHOUT ANY WARRANTY; without even the implied warranty of
50
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
51
* GNU General Public License for more details.
53
* You should have received a copy of the GNU General Public License along
54
* with this program; if not, write to the Free Software Foundation, Inc.,
55
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
60
* The SHA-256 Secure Hash Standard was published by NIST in 2002.
62
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
65
#if !defined(MBEDTLS_CONFIG_FILE)
66
#include "mbedtls/config.h"
68
#include MBEDTLS_CONFIG_FILE
71
#if defined(MBEDTLS_SHA256_C)
73
#include "mbedtls/sha256.h"
74
#include "mbedtls/platform_util.h"
78
#if defined(MBEDTLS_SELF_TEST)
79
#if defined(MBEDTLS_PLATFORM_C)
80
#include "mbedtls/platform.h"
84
#define mbedtls_printf printf
85
#define mbedtls_calloc calloc
86
#define mbedtls_free free
87
#endif /* MBEDTLS_PLATFORM_C */
88
#endif /* MBEDTLS_SELF_TEST */
90
#define SHA256_VALIDATE_RET(cond) \
91
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
92
#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
94
#if !defined(MBEDTLS_SHA256_ALT)
97
* 32-bit integer manipulation macros (big endian)
100
#define GET_UINT32_BE(n,b,i) \
102
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
103
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
104
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
105
| ( (uint32_t) (b)[(i) + 3] ); \
109
#ifndef PUT_UINT32_BE
110
#define PUT_UINT32_BE(n,b,i) \
112
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
113
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
114
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
115
(b)[(i) + 3] = (unsigned char) ( (n) ); \
119
void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
121
SHA256_VALIDATE( ctx != NULL );
123
memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
126
void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
131
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
134
void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
135
const mbedtls_sha256_context *src )
137
SHA256_VALIDATE( dst != NULL );
138
SHA256_VALIDATE( src != NULL );
144
* SHA-256 context setup
146
int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
148
SHA256_VALIDATE_RET( ctx != NULL );
149
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
157
ctx->state[0] = 0x6A09E667;
158
ctx->state[1] = 0xBB67AE85;
159
ctx->state[2] = 0x3C6EF372;
160
ctx->state[3] = 0xA54FF53A;
161
ctx->state[4] = 0x510E527F;
162
ctx->state[5] = 0x9B05688C;
163
ctx->state[6] = 0x1F83D9AB;
164
ctx->state[7] = 0x5BE0CD19;
169
ctx->state[0] = 0xC1059ED8;
170
ctx->state[1] = 0x367CD507;
171
ctx->state[2] = 0x3070DD17;
172
ctx->state[3] = 0xF70E5939;
173
ctx->state[4] = 0xFFC00B31;
174
ctx->state[5] = 0x68581511;
175
ctx->state[6] = 0x64F98FA7;
176
ctx->state[7] = 0xBEFA4FA4;
184
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
185
void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
188
mbedtls_sha256_starts_ret( ctx, is224 );
192
#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
193
static const uint32_t K[] =
195
0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
196
0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
197
0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
198
0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
199
0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
200
0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
201
0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
202
0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
203
0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
204
0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
205
0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
206
0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
207
0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
208
0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
209
0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
210
0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
213
#define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
214
#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
216
#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
217
#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
219
#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
220
#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
222
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
223
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
227
local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
228
S0(local.W[(t) - 15]) + local.W[(t) - 16] \
231
#define P(a,b,c,d,e,f,g,h,x,K) \
234
local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
235
local.temp2 = S2(a) + F0((a),(b),(c)); \
236
(d) += local.temp1; (h) = local.temp1 + local.temp2; \
239
int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
240
const unsigned char data[64] )
244
uint32_t temp1, temp2, W[64];
250
SHA256_VALIDATE_RET( ctx != NULL );
251
SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
253
for( i = 0; i < 8; i++ )
254
local.A[i] = ctx->state[i];
256
#if defined(MBEDTLS_SHA256_SMALLER)
257
for( i = 0; i < 64; i++ )
260
GET_UINT32_BE( local.W[i], data, 4 * i );
264
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
265
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
267
local.temp1 = local.A[7]; local.A[7] = local.A[6];
268
local.A[6] = local.A[5]; local.A[5] = local.A[4];
269
local.A[4] = local.A[3]; local.A[3] = local.A[2];
270
local.A[2] = local.A[1]; local.A[1] = local.A[0];
271
local.A[0] = local.temp1;
273
#else /* MBEDTLS_SHA256_SMALLER */
274
for( i = 0; i < 16; i++ )
275
GET_UINT32_BE( local.W[i], data, 4 * i );
277
for( i = 0; i < 16; i += 8 )
279
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
280
local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
281
P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
282
local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
283
P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
284
local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
285
P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
286
local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
287
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
288
local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
289
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
290
local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
291
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
292
local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
293
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
294
local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
297
for( i = 16; i < 64; i += 8 )
299
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
300
local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
301
P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
302
local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
303
P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
304
local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
305
P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
306
local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
307
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
308
local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
309
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
310
local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
311
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
312
local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
313
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
314
local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
316
#endif /* MBEDTLS_SHA256_SMALLER */
318
for( i = 0; i < 8; i++ )
319
ctx->state[i] += local.A[i];
321
/* Zeroise buffers and variables to clear sensitive data from memory. */
322
mbedtls_platform_zeroize( &local, sizeof( local ) );
327
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
328
void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
329
const unsigned char data[64] )
331
mbedtls_internal_sha256_process( ctx, data );
334
#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
337
* SHA-256 process buffer
339
int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
340
const unsigned char *input,
347
SHA256_VALIDATE_RET( ctx != NULL );
348
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
353
left = ctx->total[0] & 0x3F;
356
ctx->total[0] += (uint32_t) ilen;
357
ctx->total[0] &= 0xFFFFFFFF;
359
if( ctx->total[0] < (uint32_t) ilen )
362
if( left && ilen >= fill )
364
memcpy( (void *) (ctx->buffer + left), input, fill );
366
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
376
if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
384
memcpy( (void *) (ctx->buffer + left), input, ilen );
389
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
390
void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
391
const unsigned char *input,
394
mbedtls_sha256_update_ret( ctx, input, ilen );
399
* SHA-256 final digest
401
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
402
unsigned char output[32] )
408
SHA256_VALIDATE_RET( ctx != NULL );
409
SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
412
* Add padding: 0x80 then 0x00 until 8 bytes remain for the length
414
used = ctx->total[0] & 0x3F;
416
ctx->buffer[used++] = 0x80;
420
/* Enough room for padding + length in current block */
421
memset( ctx->buffer + used, 0, 56 - used );
425
/* We'll need an extra block */
426
memset( ctx->buffer + used, 0, 64 - used );
428
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
431
memset( ctx->buffer, 0, 56 );
437
high = ( ctx->total[0] >> 29 )
438
| ( ctx->total[1] << 3 );
439
low = ( ctx->total[0] << 3 );
441
PUT_UINT32_BE( high, ctx->buffer, 56 );
442
PUT_UINT32_BE( low, ctx->buffer, 60 );
444
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
450
PUT_UINT32_BE( ctx->state[0], output, 0 );
451
PUT_UINT32_BE( ctx->state[1], output, 4 );
452
PUT_UINT32_BE( ctx->state[2], output, 8 );
453
PUT_UINT32_BE( ctx->state[3], output, 12 );
454
PUT_UINT32_BE( ctx->state[4], output, 16 );
455
PUT_UINT32_BE( ctx->state[5], output, 20 );
456
PUT_UINT32_BE( ctx->state[6], output, 24 );
458
if( ctx->is224 == 0 )
459
PUT_UINT32_BE( ctx->state[7], output, 28 );
464
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
465
void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
466
unsigned char output[32] )
468
mbedtls_sha256_finish_ret( ctx, output );
472
#endif /* !MBEDTLS_SHA256_ALT */
475
* output = SHA-256( input buffer )
477
int mbedtls_sha256_ret( const unsigned char *input,
479
unsigned char output[32],
483
mbedtls_sha256_context ctx;
485
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
486
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
487
SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
489
mbedtls_sha256_init( &ctx );
491
if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
494
if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
497
if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
501
mbedtls_sha256_free( &ctx );
506
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
507
void mbedtls_sha256( const unsigned char *input,
509
unsigned char output[32],
512
mbedtls_sha256_ret( input, ilen, output, is224 );
516
#if defined(MBEDTLS_SELF_TEST)
518
* FIPS-180-2 test vectors
520
static const unsigned char sha256_test_buf[3][57] =
523
{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
527
static const size_t sha256_test_buflen[3] =
532
static const unsigned char sha256_test_sum[6][32] =
535
* SHA-224 test vectors
537
{ 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
538
0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
539
0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
540
0xE3, 0x6C, 0x9D, 0xA7 },
541
{ 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
542
0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
543
0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
544
0x52, 0x52, 0x25, 0x25 },
545
{ 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
546
0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
547
0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
548
0x4E, 0xE7, 0xAD, 0x67 },
551
* SHA-256 test vectors
553
{ 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
554
0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
555
0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
556
0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
557
{ 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
558
0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
559
0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
560
0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
561
{ 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
562
0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
563
0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
564
0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
570
int mbedtls_sha256_self_test( int verbose )
572
int i, j, k, buflen, ret = 0;
574
unsigned char sha256sum[32];
575
mbedtls_sha256_context ctx;
577
buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
581
mbedtls_printf( "Buffer allocation failed\n" );
586
mbedtls_sha256_init( &ctx );
588
for( i = 0; i < 6; i++ )
594
mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
596
if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
601
memset( buf, 'a', buflen = 1000 );
603
for( j = 0; j < 1000; j++ )
605
ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
613
ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
614
sha256_test_buflen[j] );
619
if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
623
if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
630
mbedtls_printf( "passed\n" );
634
mbedtls_printf( "\n" );
640
mbedtls_printf( "failed\n" );
643
mbedtls_sha256_free( &ctx );
649
#endif /* MBEDTLS_SELF_TEST */
651
#endif /* MBEDTLS_SHA256_C */
added
removed
mbedtls_2.x/sha256.c
