1/*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19/*
20 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
21 *
22 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
23 */
24
25#include "common.h"
26
27#if defined(MBEDTLS_SHA256_C)
28
29#include "mbedtls/sha256.h"
30#include "mbedtls/platform_util.h"
31#include "mbedtls/error.h"
32
33#include <string.h>
34
35#if defined(MBEDTLS_SELF_TEST)
36#if defined(MBEDTLS_PLATFORM_C)
37#include "mbedtls/platform.h"
38#else
39#include <stdio.h>
40#include <stdlib.h>
41#define mbedtls_printf printf
42#define mbedtls_calloc calloc
43#define mbedtls_free free
44#endif /* MBEDTLS_PLATFORM_C */
45#endif /* MBEDTLS_SELF_TEST */
46
47#define SHA256_VALIDATE_RET(cond) \
48 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
49#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
50
51#if !defined(MBEDTLS_SHA256_ALT)
52
53void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
54{
55 SHA256_VALIDATE( ctx != NULL );
56
57 memset( s: ctx, c: 0, n: sizeof( mbedtls_sha256_context ) );
58}
59
60void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
61{
62 if( ctx == NULL )
63 return;
64
65 mbedtls_platform_zeroize( buf: ctx, len: sizeof( mbedtls_sha256_context ) );
66}
67
68void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
69 const mbedtls_sha256_context *src )
70{
71 SHA256_VALIDATE( dst != NULL );
72 SHA256_VALIDATE( src != NULL );
73
74 *dst = *src;
75}
76
77/*
78 * SHA-256 context setup
79 */
80int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
81{
82 SHA256_VALIDATE_RET( ctx != NULL );
83
84#if defined(MBEDTLS_SHA224_C)
85 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
86#else
87 SHA256_VALIDATE_RET( is224 == 0 );
88#endif
89
90 ctx->total[0] = 0;
91 ctx->total[1] = 0;
92
93 if( is224 == 0 )
94 {
95 /* SHA-256 */
96 ctx->state[0] = 0x6A09E667;
97 ctx->state[1] = 0xBB67AE85;
98 ctx->state[2] = 0x3C6EF372;
99 ctx->state[3] = 0xA54FF53A;
100 ctx->state[4] = 0x510E527F;
101 ctx->state[5] = 0x9B05688C;
102 ctx->state[6] = 0x1F83D9AB;
103 ctx->state[7] = 0x5BE0CD19;
104 }
105 else
106 {
107#if defined(MBEDTLS_SHA224_C)
108 /* SHA-224 */
109 ctx->state[0] = 0xC1059ED8;
110 ctx->state[1] = 0x367CD507;
111 ctx->state[2] = 0x3070DD17;
112 ctx->state[3] = 0xF70E5939;
113 ctx->state[4] = 0xFFC00B31;
114 ctx->state[5] = 0x68581511;
115 ctx->state[6] = 0x64F98FA7;
116 ctx->state[7] = 0xBEFA4FA4;
117#endif
118 }
119
120 ctx->is224 = is224;
121
122 return( 0 );
123}
124
125#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
126static const uint32_t K[] =
127{
128 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
129 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
130 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
131 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
132 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
133 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
134 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
135 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
136 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
137 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
138 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
139 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
140 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
141 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
142 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
143 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
144};
145
146#define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
147#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
148
149#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
150#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
151
152#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
153#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
154
155#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
156#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
157
158#define R(t) \
159 ( \
160 local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
161 S0(local.W[(t) - 15]) + local.W[(t) - 16] \
162 )
163
164#define P(a,b,c,d,e,f,g,h,x,K) \
165 do \
166 { \
167 local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
168 local.temp2 = S2(a) + F0((a),(b),(c)); \
169 (d) += local.temp1; (h) = local.temp1 + local.temp2; \
170 } while( 0 )
171
172int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
173 const unsigned char data[64] )
174{
175 struct
176 {
177 uint32_t temp1, temp2, W[64];
178 uint32_t A[8];
179 } local;
180
181 unsigned int i;
182
183 SHA256_VALIDATE_RET( ctx != NULL );
184 SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
185
186 for( i = 0; i < 8; i++ )
187 local.A[i] = ctx->state[i];
188
189#if defined(MBEDTLS_SHA256_SMALLER)
190 for( i = 0; i < 64; i++ )
191 {
192 if( i < 16 )
193 local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
194 else
195 R( i );
196
197 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
198 local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
199
200 local.temp1 = local.A[7]; local.A[7] = local.A[6];
201 local.A[6] = local.A[5]; local.A[5] = local.A[4];
202 local.A[4] = local.A[3]; local.A[3] = local.A[2];
203 local.A[2] = local.A[1]; local.A[1] = local.A[0];
204 local.A[0] = local.temp1;
205 }
206#else /* MBEDTLS_SHA256_SMALLER */
207 for( i = 0; i < 16; i++ )
208 local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
209
210 for( i = 0; i < 16; i += 8 )
211 {
212 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
213 local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
214 P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
215 local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
216 P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
217 local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
218 P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
219 local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
220 P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
221 local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
222 P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
223 local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
224 P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
225 local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
226 P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
227 local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
228 }
229
230 for( i = 16; i < 64; i += 8 )
231 {
232 P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
233 local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
234 P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
235 local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
236 P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
237 local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
238 P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
239 local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
240 P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
241 local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
242 P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
243 local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
244 P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
245 local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
246 P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
247 local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
248 }
249#endif /* MBEDTLS_SHA256_SMALLER */
250
251 for( i = 0; i < 8; i++ )
252 ctx->state[i] += local.A[i];
253
254 /* Zeroise buffers and variables to clear sensitive data from memory. */
255 mbedtls_platform_zeroize( buf: &local, len: sizeof( local ) );
256
257 return( 0 );
258}
259
260#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
261
262/*
263 * SHA-256 process buffer
264 */
265int mbedtls_sha256_update( mbedtls_sha256_context *ctx,
266 const unsigned char *input,
267 size_t ilen )
268{
269 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
270 size_t fill;
271 uint32_t left;
272
273 SHA256_VALIDATE_RET( ctx != NULL );
274 SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
275
276 if( ilen == 0 )
277 return( 0 );
278
279 left = ctx->total[0] & 0x3F;
280 fill = 64 - left;
281
282 ctx->total[0] += (uint32_t) ilen;
283 ctx->total[0] &= 0xFFFFFFFF;
284
285 if( ctx->total[0] < (uint32_t) ilen )
286 ctx->total[1]++;
287
288 if( left && ilen >= fill )
289 {
290 memcpy( dest: (void *) (ctx->buffer + left), src: input, n: fill );
291
292 if( ( ret = mbedtls_internal_sha256_process( ctx, data: ctx->buffer ) ) != 0 )
293 return( ret );
294
295 input += fill;
296 ilen -= fill;
297 left = 0;
298 }
299
300 while( ilen >= 64 )
301 {
302 if( ( ret = mbedtls_internal_sha256_process( ctx, data: input ) ) != 0 )
303 return( ret );
304
305 input += 64;
306 ilen -= 64;
307 }
308
309 if( ilen > 0 )
310 memcpy( dest: (void *) (ctx->buffer + left), src: input, n: ilen );
311
312 return( 0 );
313}
314
315/*
316 * SHA-256 final digest
317 */
318int mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
319 unsigned char *output )
320{
321 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
322 uint32_t used;
323 uint32_t high, low;
324
325 SHA256_VALIDATE_RET( ctx != NULL );
326 SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
327
328 /*
329 * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
330 */
331 used = ctx->total[0] & 0x3F;
332
333 ctx->buffer[used++] = 0x80;
334
335 if( used <= 56 )
336 {
337 /* Enough room for padding + length in current block */
338 memset( s: ctx->buffer + used, c: 0, n: 56 - used );
339 }
340 else
341 {
342 /* We'll need an extra block */
343 memset( s: ctx->buffer + used, c: 0, n: 64 - used );
344
345 if( ( ret = mbedtls_internal_sha256_process( ctx, data: ctx->buffer ) ) != 0 )
346 return( ret );
347
348 memset( s: ctx->buffer, c: 0, n: 56 );
349 }
350
351 /*
352 * Add message length
353 */
354 high = ( ctx->total[0] >> 29 )
355 | ( ctx->total[1] << 3 );
356 low = ( ctx->total[0] << 3 );
357
358 MBEDTLS_PUT_UINT32_BE( high, ctx->buffer, 56 );
359 MBEDTLS_PUT_UINT32_BE( low, ctx->buffer, 60 );
360
361 if( ( ret = mbedtls_internal_sha256_process( ctx, data: ctx->buffer ) ) != 0 )
362 return( ret );
363
364 /*
365 * Output final state
366 */
367 MBEDTLS_PUT_UINT32_BE( ctx->state[0], output, 0 );
368 MBEDTLS_PUT_UINT32_BE( ctx->state[1], output, 4 );
369 MBEDTLS_PUT_UINT32_BE( ctx->state[2], output, 8 );
370 MBEDTLS_PUT_UINT32_BE( ctx->state[3], output, 12 );
371 MBEDTLS_PUT_UINT32_BE( ctx->state[4], output, 16 );
372 MBEDTLS_PUT_UINT32_BE( ctx->state[5], output, 20 );
373 MBEDTLS_PUT_UINT32_BE( ctx->state[6], output, 24 );
374
375#if defined(MBEDTLS_SHA224_C)
376 if( ctx->is224 == 0 )
377#endif
378 MBEDTLS_PUT_UINT32_BE( ctx->state[7], output, 28 );
379
380 return( 0 );
381}
382
383#endif /* !MBEDTLS_SHA256_ALT */
384
385/*
386 * output = SHA-256( input buffer )
387 */
388int mbedtls_sha256( const unsigned char *input,
389 size_t ilen,
390 unsigned char *output,
391 int is224 )
392{
393 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
394 mbedtls_sha256_context ctx;
395
396#if defined(MBEDTLS_SHA224_C)
397 SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
398#else
399 SHA256_VALIDATE_RET( is224 == 0 );
400#endif
401
402 SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
403 SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
404
405 mbedtls_sha256_init( ctx: &ctx );
406
407 if( ( ret = mbedtls_sha256_starts( ctx: &ctx, is224 ) ) != 0 )
408 goto exit;
409
410 if( ( ret = mbedtls_sha256_update( ctx: &ctx, input, ilen ) ) != 0 )
411 goto exit;
412
413 if( ( ret = mbedtls_sha256_finish( ctx: &ctx, output ) ) != 0 )
414 goto exit;
415
416exit:
417 mbedtls_sha256_free( ctx: &ctx );
418
419 return( ret );
420}
421
422#if defined(MBEDTLS_SELF_TEST)
423/*
424 * FIPS-180-2 test vectors
425 */
426static const unsigned char sha256_test_buf[3][57] =
427{
428 { "abc" },
429 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
430 { "" }
431};
432
433static const size_t sha256_test_buflen[3] =
434{
435 3, 56, 1000
436};
437
438static const unsigned char sha256_test_sum[6][32] =
439{
440 /*
441 * SHA-224 test vectors
442 */
443 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
444 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
445 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
446 0xE3, 0x6C, 0x9D, 0xA7 },
447 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
448 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
449 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
450 0x52, 0x52, 0x25, 0x25 },
451 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
452 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
453 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
454 0x4E, 0xE7, 0xAD, 0x67 },
455
456 /*
457 * SHA-256 test vectors
458 */
459 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
460 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
461 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
462 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
463 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
464 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
465 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
466 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
467 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
468 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
469 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
470 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
471};
472
473/*
474 * Checkup routine
475 */
476int mbedtls_sha256_self_test( int verbose )
477{
478 int i, j, k, buflen, ret = 0;
479 unsigned char *buf;
480 unsigned char sha256sum[32];
481 mbedtls_sha256_context ctx;
482
483 buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
484 if( NULL == buf )
485 {
486 if( verbose != 0 )
487 mbedtls_printf( "Buffer allocation failed\n" );
488
489 return( 1 );
490 }
491
492 mbedtls_sha256_init( &ctx );
493
494 for( i = 0; i < 6; i++ )
495 {
496 j = i % 3;
497 k = i < 3;
498
499 if( verbose != 0 )
500 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
501
502 if( ( ret = mbedtls_sha256_starts( &ctx, k ) ) != 0 )
503 goto fail;
504
505 if( j == 2 )
506 {
507 memset( buf, 'a', buflen = 1000 );
508
509 for( j = 0; j < 1000; j++ )
510 {
511 ret = mbedtls_sha256_update( &ctx, buf, buflen );
512 if( ret != 0 )
513 goto fail;
514 }
515
516 }
517 else
518 {
519 ret = mbedtls_sha256_update( &ctx, sha256_test_buf[j],
520 sha256_test_buflen[j] );
521 if( ret != 0 )
522 goto fail;
523 }
524
525 if( ( ret = mbedtls_sha256_finish( &ctx, sha256sum ) ) != 0 )
526 goto fail;
527
528
529 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
530 {
531 ret = 1;
532 goto fail;
533 }
534
535 if( verbose != 0 )
536 mbedtls_printf( "passed\n" );
537 }
538
539 if( verbose != 0 )
540 mbedtls_printf( "\n" );
541
542 goto exit;
543
544fail:
545 if( verbose != 0 )
546 mbedtls_printf( "failed\n" );
547
548exit:
549 mbedtls_sha256_free( &ctx );
550 mbedtls_free( buf );
551
552 return( ret );
553}
554
555#endif /* MBEDTLS_SELF_TEST */
556
557#endif /* MBEDTLS_SHA256_C */
558