1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19/*
20 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
21 *
22 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
23 */
24
25#include "common.h"
26
27#if defined(MBEDTLS_SHA256_C)
28
29#include "mbedtls/sha256.h"
30#include "mbedtls/platform_util.h"
31#include "mbedtls/error.h"
32
33#include <string.h>
34
35#include "mbedtls/platform.h"
36
37#define SHA256_VALIDATE_RET(cond) \
38 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA)
39#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
40
41#if !defined(MBEDTLS_SHA256_ALT)
42
43void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
44{
45 SHA256_VALIDATE(ctx != NULL);
46
47 memset(ctx, 0, sizeof(mbedtls_sha256_context));
48}
49
50void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
51{
52 if (ctx == NULL) {
53 return;
54 }
55
56 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
57}
58
59void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
60 const mbedtls_sha256_context *src)
61{
62 SHA256_VALIDATE(dst != NULL);
63 SHA256_VALIDATE(src != NULL);
64
65 *dst = *src;
66}
67
68/*
69 * SHA-256 context setup
70 */
71int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224)
72{
73 SHA256_VALIDATE_RET(ctx != NULL);
74 SHA256_VALIDATE_RET(is224 == 0 || is224 == 1);
75
76 ctx->total[0] = 0;
77 ctx->total[1] = 0;
78
79 if (is224 == 0) {
80 /* SHA-256 */
81 ctx->state[0] = 0x6A09E667;
82 ctx->state[1] = 0xBB67AE85;
83 ctx->state[2] = 0x3C6EF372;
84 ctx->state[3] = 0xA54FF53A;
85 ctx->state[4] = 0x510E527F;
86 ctx->state[5] = 0x9B05688C;
87 ctx->state[6] = 0x1F83D9AB;
88 ctx->state[7] = 0x5BE0CD19;
89 } else {
90 /* SHA-224 */
91 ctx->state[0] = 0xC1059ED8;
92 ctx->state[1] = 0x367CD507;
93 ctx->state[2] = 0x3070DD17;
94 ctx->state[3] = 0xF70E5939;
95 ctx->state[4] = 0xFFC00B31;
96 ctx->state[5] = 0x68581511;
97 ctx->state[6] = 0x64F98FA7;
98 ctx->state[7] = 0xBEFA4FA4;
99 }
100
101 ctx->is224 = is224;
102
103 return 0;
104}
105
106#if !defined(MBEDTLS_DEPRECATED_REMOVED)
107void mbedtls_sha256_starts(mbedtls_sha256_context *ctx,
108 int is224)
109{
110 mbedtls_sha256_starts_ret(ctx, is224);
111}
112#endif
113
114#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
115static const uint32_t K[] =
116{
117 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
118 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
119 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
120 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
121 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
122 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
123 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
124 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
125 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
126 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
127 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
128 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
129 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
130 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
131 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
132 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
133};
134
135#define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
136#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
137
138#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
139#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
140
141#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
142#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
143
144#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
145#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
146
147#define R(t) \
148 ( \
149 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
150 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
151 )
152
153#define P(a, b, c, d, e, f, g, h, x, K) \
154 do \
155 { \
156 local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
157 local.temp2 = S2(a) + F0((a), (b), (c)); \
158 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
159 } while (0)
160
161int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
162 const unsigned char data[64])
163{
164 struct {
165 uint32_t temp1, temp2, W[64];
166 uint32_t A[8];
167 } local;
168
169 unsigned int i;
170
171 SHA256_VALIDATE_RET(ctx != NULL);
172 SHA256_VALIDATE_RET((const unsigned char *) data != NULL);
173
174 for (i = 0; i < 8; i++) {
175 local.A[i] = ctx->state[i];
176 }
177
178#if defined(MBEDTLS_SHA256_SMALLER)
179 for (i = 0; i < 64; i++) {
180 if (i < 16) {
181 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
182 } else {
183 R(i);
184 }
185
186 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
187 local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
188
189 local.temp1 = local.A[7]; local.A[7] = local.A[6];
190 local.A[6] = local.A[5]; local.A[5] = local.A[4];
191 local.A[4] = local.A[3]; local.A[3] = local.A[2];
192 local.A[2] = local.A[1]; local.A[1] = local.A[0];
193 local.A[0] = local.temp1;
194 }
195#else /* MBEDTLS_SHA256_SMALLER */
196 for (i = 0; i < 16; i++) {
197 local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
198 }
199
200 for (i = 0; i < 16; i += 8) {
201 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
202 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
203 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
204 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
205 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
206 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
207 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
208 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
209 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
210 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
211 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
212 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
213 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
214 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
215 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
216 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
217 }
218
219 for (i = 16; i < 64; i += 8) {
220 P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
221 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
222 P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
223 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
224 P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
225 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
226 P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
227 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
228 P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
229 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
230 P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
231 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
232 P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
233 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
234 P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
235 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
236 }
237#endif /* MBEDTLS_SHA256_SMALLER */
238
239 for (i = 0; i < 8; i++) {
240 ctx->state[i] += local.A[i];
241 }
242
243 /* Zeroise buffers and variables to clear sensitive data from memory. */
244 mbedtls_platform_zeroize(&local, sizeof(local));
245
246 return 0;
247}
248
249#if !defined(MBEDTLS_DEPRECATED_REMOVED)
250void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
251 const unsigned char data[64])
252{
253 mbedtls_internal_sha256_process(ctx, data);
254}
255#endif
256#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
257
258/*
259 * SHA-256 process buffer
260 */
261int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
262 const unsigned char *input,
263 size_t ilen)
264{
265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
266 size_t fill;
267 uint32_t left;
268
269 SHA256_VALIDATE_RET(ctx != NULL);
270 SHA256_VALIDATE_RET(ilen == 0 || input != NULL);
271
272 if (ilen == 0) {
273 return 0;
274 }
275
276 left = ctx->total[0] & 0x3F;
277 fill = 64 - left;
278
279 ctx->total[0] += (uint32_t) ilen;
280 ctx->total[0] &= 0xFFFFFFFF;
281
282 if (ctx->total[0] < (uint32_t) ilen) {
283 ctx->total[1]++;
284 }
285
286 if (left && ilen >= fill) {
287 memcpy((void *) (ctx->buffer + left), input, fill);
288
289 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
290 return ret;
291 }
292
293 input += fill;
294 ilen -= fill;
295 left = 0;
296 }
297
298 while (ilen >= 64) {
299 if ((ret = mbedtls_internal_sha256_process(ctx, input)) != 0) {
300 return ret;
301 }
302
303 input += 64;
304 ilen -= 64;
305 }
306
307 if (ilen > 0) {
308 memcpy((void *) (ctx->buffer + left), input, ilen);
309 }
310
311 return 0;
312}
313
314#if !defined(MBEDTLS_DEPRECATED_REMOVED)
315void mbedtls_sha256_update(mbedtls_sha256_context *ctx,
316 const unsigned char *input,
317 size_t ilen)
318{
319 mbedtls_sha256_update_ret(ctx, input, ilen);
320}
321#endif
322
323/*
324 * SHA-256 final digest
325 */
326int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
327 unsigned char output[32])
328{
329 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
330 uint32_t used;
331 uint32_t high, low;
332
333 SHA256_VALIDATE_RET(ctx != NULL);
334 SHA256_VALIDATE_RET((unsigned char *) output != NULL);
335
336 /*
337 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
338 */
339 used = ctx->total[0] & 0x3F;
340
341 ctx->buffer[used++] = 0x80;
342
343 if (used <= 56) {
344 /* Enough room for padding + length in current block */
345 memset(ctx->buffer + used, 0, 56 - used);
346 } else {
347 /* We'll need an extra block */
348 memset(ctx->buffer + used, 0, 64 - used);
349
350 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
351 return ret;
352 }
353
354 memset(ctx->buffer, 0, 56);
355 }
356
357 /*
358 * Add message length
359 */
360 high = (ctx->total[0] >> 29)
361 | (ctx->total[1] << 3);
362 low = (ctx->total[0] << 3);
363
364 MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
365 MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
366
367 if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
368 return ret;
369 }
370
371 /*
372 * Output final state
373 */
374 MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
375 MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
376 MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
377 MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
378 MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
379 MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
380 MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
381
382 if (ctx->is224 == 0) {
383 MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
384 }
385
386 return 0;
387}
388
389#if !defined(MBEDTLS_DEPRECATED_REMOVED)
390void mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
391 unsigned char output[32])
392{
393 mbedtls_sha256_finish_ret(ctx, output);
394}
395#endif
396
397#endif /* !MBEDTLS_SHA256_ALT */
398
399/*
400 * output = SHA-256( input buffer )
401 */
402int mbedtls_sha256_ret(const unsigned char *input,
403 size_t ilen,
404 unsigned char output[32],
405 int is224)
406{
407 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
408 mbedtls_sha256_context ctx;
409
410 SHA256_VALIDATE_RET(is224 == 0 || is224 == 1);
411 SHA256_VALIDATE_RET(ilen == 0 || input != NULL);
412 SHA256_VALIDATE_RET((unsigned char *) output != NULL);
413
414 mbedtls_sha256_init(&ctx);
415
416 if ((ret = mbedtls_sha256_starts_ret(&ctx, is224)) != 0) {
417 goto exit;
418 }
419
420 if ((ret = mbedtls_sha256_update_ret(&ctx, input, ilen)) != 0) {
421 goto exit;
422 }
423
424 if ((ret = mbedtls_sha256_finish_ret(&ctx, output)) != 0) {
425 goto exit;
426 }
427
428exit:
429 mbedtls_sha256_free(&ctx);
430
431 return ret;
432}
433
434#if !defined(MBEDTLS_DEPRECATED_REMOVED)
435void mbedtls_sha256(const unsigned char *input,
436 size_t ilen,
437 unsigned char output[32],
438 int is224)
439{
440 mbedtls_sha256_ret(input, ilen, output, is224);
441}
442#endif
443
444#if defined(MBEDTLS_SELF_TEST)
445/*
446 * FIPS-180-2 test vectors
447 */
448static const unsigned char sha256_test_buf[3][57] =
449{
450 { "abc" },
451 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
452 { "" }
453};
454
455static const size_t sha256_test_buflen[3] =
456{
457 3, 56, 1000
458};
459
460static const unsigned char sha256_test_sum[6][32] =
461{
462 /*
463 * SHA-224 test vectors
464 */
465 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
466 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
467 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
468 0xE3, 0x6C, 0x9D, 0xA7 },
469 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
470 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
471 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
472 0x52, 0x52, 0x25, 0x25 },
473 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
474 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
475 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
476 0x4E, 0xE7, 0xAD, 0x67 },
477
478 /*
479 * SHA-256 test vectors
480 */
481 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
482 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
483 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
484 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
485 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
486 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
487 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
488 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
489 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
490 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
491 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
492 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
493};
494
495/*
496 * Checkup routine
497 */
498int mbedtls_sha256_self_test(int verbose)
499{
500 int i, j, k, buflen, ret = 0;
501 unsigned char *buf;
502 unsigned char sha256sum[32];
503 mbedtls_sha256_context ctx;
504
505 buf = mbedtls_calloc(1024, sizeof(unsigned char));
506 if (NULL == buf) {
507 if (verbose != 0) {
508 mbedtls_printf("Buffer allocation failed\n");
509 }
510
511 return 1;
512 }
513
514 mbedtls_sha256_init(&ctx);
515
516 for (i = 0; i < 6; i++) {
517 j = i % 3;
518 k = i < 3;
519
520 if (verbose != 0) {
521 mbedtls_printf(" SHA-%d test #%d: ", 256 - k * 32, j + 1);
522 }
523
524 if ((ret = mbedtls_sha256_starts_ret(&ctx, k)) != 0) {
525 goto fail;
526 }
527
528 if (j == 2) {
529 memset(buf, 'a', buflen = 1000);
530
531 for (j = 0; j < 1000; j++) {
532 ret = mbedtls_sha256_update_ret(&ctx, buf, buflen);
533 if (ret != 0) {
534 goto fail;
535 }
536 }
537
538 } else {
539 ret = mbedtls_sha256_update_ret(&ctx, sha256_test_buf[j],
540 sha256_test_buflen[j]);
541 if (ret != 0) {
542 goto fail;
543 }
544 }
545
546 if ((ret = mbedtls_sha256_finish_ret(&ctx, sha256sum)) != 0) {
547 goto fail;
548 }
549
550
551 if (memcmp(sha256sum, sha256_test_sum[i], 32 - k * 4) != 0) {
552 ret = 1;
553 goto fail;
554 }
555
556 if (verbose != 0) {
557 mbedtls_printf("passed\n");
558 }
559 }
560
561 if (verbose != 0) {
562 mbedtls_printf("\n");
563 }
564
565 goto exit;
566
567fail:
568 if (verbose != 0) {
569 mbedtls_printf("failed\n");
570 }
571
572exit:
573 mbedtls_sha256_free(&ctx);
574 mbedtls_free(buf);
575
576 return ret;
577}
578
579#endif /* MBEDTLS_SELF_TEST */
580
581#endif /* MBEDTLS_SHA256_C */
582