PolarSSL v1.3.2
sha256.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-256 implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27  *
28  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29  */
30 
31 #include "polarssl/config.h"
32 
33 #if defined(POLARSSL_SHA256_C)
34 
35 #include "polarssl/sha256.h"
36 
37 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
38 #include <stdio.h>
39 #endif
40 
41 #if !defined(POLARSSL_SHA256_ALT)
42 
43 /*
44  * 32-bit integer manipulation macros (big endian)
45  */
46 #ifndef GET_UINT32_BE
47 #define GET_UINT32_BE(n,b,i) \
48 { \
49  (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
50  | ( (uint32_t) (b)[(i) + 1] << 16 ) \
51  | ( (uint32_t) (b)[(i) + 2] << 8 ) \
52  | ( (uint32_t) (b)[(i) + 3] ); \
53 }
54 #endif
55 
56 #ifndef PUT_UINT32_BE
57 #define PUT_UINT32_BE(n,b,i) \
58 { \
59  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
60  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
61  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
62  (b)[(i) + 3] = (unsigned char) ( (n) ); \
63 }
64 #endif
65 
66 /*
67  * SHA-256 context setup
68  */
69 void sha256_starts( sha256_context *ctx, int is224 )
70 {
71  ctx->total[0] = 0;
72  ctx->total[1] = 0;
73 
74  if( is224 == 0 )
75  {
76  /* SHA-256 */
77  ctx->state[0] = 0x6A09E667;
78  ctx->state[1] = 0xBB67AE85;
79  ctx->state[2] = 0x3C6EF372;
80  ctx->state[3] = 0xA54FF53A;
81  ctx->state[4] = 0x510E527F;
82  ctx->state[5] = 0x9B05688C;
83  ctx->state[6] = 0x1F83D9AB;
84  ctx->state[7] = 0x5BE0CD19;
85  }
86  else
87  {
88  /* SHA-224 */
89  ctx->state[0] = 0xC1059ED8;
90  ctx->state[1] = 0x367CD507;
91  ctx->state[2] = 0x3070DD17;
92  ctx->state[3] = 0xF70E5939;
93  ctx->state[4] = 0xFFC00B31;
94  ctx->state[5] = 0x68581511;
95  ctx->state[6] = 0x64F98FA7;
96  ctx->state[7] = 0xBEFA4FA4;
97  }
98 
99  ctx->is224 = is224;
100 }
101 
102 void sha256_process( sha256_context *ctx, const unsigned char data[64] )
103 {
104  uint32_t temp1, temp2, W[64];
105  uint32_t A, B, C, D, E, F, G, H;
106 
107  GET_UINT32_BE( W[ 0], data, 0 );
108  GET_UINT32_BE( W[ 1], data, 4 );
109  GET_UINT32_BE( W[ 2], data, 8 );
110  GET_UINT32_BE( W[ 3], data, 12 );
111  GET_UINT32_BE( W[ 4], data, 16 );
112  GET_UINT32_BE( W[ 5], data, 20 );
113  GET_UINT32_BE( W[ 6], data, 24 );
114  GET_UINT32_BE( W[ 7], data, 28 );
115  GET_UINT32_BE( W[ 8], data, 32 );
116  GET_UINT32_BE( W[ 9], data, 36 );
117  GET_UINT32_BE( W[10], data, 40 );
118  GET_UINT32_BE( W[11], data, 44 );
119  GET_UINT32_BE( W[12], data, 48 );
120  GET_UINT32_BE( W[13], data, 52 );
121  GET_UINT32_BE( W[14], data, 56 );
122  GET_UINT32_BE( W[15], data, 60 );
123 
124 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
125 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
126 
127 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
128 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
129 
130 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
131 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
132 
133 #define F0(x,y,z) ((x & y) | (z & (x | y)))
134 #define F1(x,y,z) (z ^ (x & (y ^ z)))
135 
136 #define R(t) \
137 ( \
138  W[t] = S1(W[t - 2]) + W[t - 7] + \
139  S0(W[t - 15]) + W[t - 16] \
140 )
141 
142 #define P(a,b,c,d,e,f,g,h,x,K) \
143 { \
144  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
145  temp2 = S2(a) + F0(a,b,c); \
146  d += temp1; h = temp1 + temp2; \
147 }
148 
149  A = ctx->state[0];
150  B = ctx->state[1];
151  C = ctx->state[2];
152  D = ctx->state[3];
153  E = ctx->state[4];
154  F = ctx->state[5];
155  G = ctx->state[6];
156  H = ctx->state[7];
157 
158  P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
159  P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
160  P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
161  P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
162  P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
163  P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
164  P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
165  P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
166  P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
167  P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
168  P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
169  P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
170  P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
171  P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
172  P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
173  P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
174  P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
175  P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
176  P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
177  P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
178  P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
179  P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
180  P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
181  P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
182  P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
183  P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
184  P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
185  P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
186  P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
187  P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
188  P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
189  P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
190  P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
191  P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
192  P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
193  P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
194  P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
195  P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
196  P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
197  P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
198  P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
199  P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
200  P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
201  P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
202  P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
203  P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
204  P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
205  P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
206  P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
207  P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
208  P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
209  P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
210  P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
211  P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
212  P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
213  P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
214  P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
215  P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
216  P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
217  P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
218  P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
219  P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
220  P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
221  P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
222 
223  ctx->state[0] += A;
224  ctx->state[1] += B;
225  ctx->state[2] += C;
226  ctx->state[3] += D;
227  ctx->state[4] += E;
228  ctx->state[5] += F;
229  ctx->state[6] += G;
230  ctx->state[7] += H;
231 }
232 
233 /*
234  * SHA-256 process buffer
235  */
236 void sha256_update( sha256_context *ctx, const unsigned char *input, size_t ilen )
237 {
238  size_t fill;
239  uint32_t left;
240 
241  if( ilen <= 0 )
242  return;
243 
244  left = ctx->total[0] & 0x3F;
245  fill = 64 - left;
246 
247  ctx->total[0] += (uint32_t) ilen;
248  ctx->total[0] &= 0xFFFFFFFF;
249 
250  if( ctx->total[0] < (uint32_t) ilen )
251  ctx->total[1]++;
252 
253  if( left && ilen >= fill )
254  {
255  memcpy( (void *) (ctx->buffer + left), input, fill );
256  sha256_process( ctx, ctx->buffer );
257  input += fill;
258  ilen -= fill;
259  left = 0;
260  }
261 
262  while( ilen >= 64 )
263  {
264  sha256_process( ctx, input );
265  input += 64;
266  ilen -= 64;
267  }
268 
269  if( ilen > 0 )
270  memcpy( (void *) (ctx->buffer + left), input, ilen );
271 }
272 
273 static const unsigned char sha256_padding[64] =
274 {
275  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
279 };
280 
281 /*
282  * SHA-256 final digest
283  */
284 void sha256_finish( sha256_context *ctx, unsigned char output[32] )
285 {
286  uint32_t last, padn;
287  uint32_t high, low;
288  unsigned char msglen[8];
289 
290  high = ( ctx->total[0] >> 29 )
291  | ( ctx->total[1] << 3 );
292  low = ( ctx->total[0] << 3 );
293 
294  PUT_UINT32_BE( high, msglen, 0 );
295  PUT_UINT32_BE( low, msglen, 4 );
296 
297  last = ctx->total[0] & 0x3F;
298  padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
299 
300  sha256_update( ctx, sha256_padding, padn );
301  sha256_update( ctx, msglen, 8 );
302 
303  PUT_UINT32_BE( ctx->state[0], output, 0 );
304  PUT_UINT32_BE( ctx->state[1], output, 4 );
305  PUT_UINT32_BE( ctx->state[2], output, 8 );
306  PUT_UINT32_BE( ctx->state[3], output, 12 );
307  PUT_UINT32_BE( ctx->state[4], output, 16 );
308  PUT_UINT32_BE( ctx->state[5], output, 20 );
309  PUT_UINT32_BE( ctx->state[6], output, 24 );
310 
311  if( ctx->is224 == 0 )
312  PUT_UINT32_BE( ctx->state[7], output, 28 );
313 }
314 
315 #endif /* !POLARSSL_SHA256_ALT */
316 
317 /*
318  * output = SHA-256( input buffer )
319  */
320 void sha256( const unsigned char *input, size_t ilen,
321  unsigned char output[32], int is224 )
322 {
323  sha256_context ctx;
324 
325  sha256_starts( &ctx, is224 );
326  sha256_update( &ctx, input, ilen );
327  sha256_finish( &ctx, output );
328 
329  memset( &ctx, 0, sizeof( sha256_context ) );
330 }
331 
332 #if defined(POLARSSL_FS_IO)
333 /*
334  * output = SHA-256( file contents )
335  */
336 int sha256_file( const char *path, unsigned char output[32], int is224 )
337 {
338  FILE *f;
339  size_t n;
340  sha256_context ctx;
341  unsigned char buf[1024];
342 
343  if( ( f = fopen( path, "rb" ) ) == NULL )
345 
346  sha256_starts( &ctx, is224 );
347 
348  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
349  sha256_update( &ctx, buf, n );
350 
351  sha256_finish( &ctx, output );
352 
353  memset( &ctx, 0, sizeof( sha256_context ) );
354 
355  if( ferror( f ) != 0 )
356  {
357  fclose( f );
359  }
360 
361  fclose( f );
362  return( 0 );
363 }
364 #endif /* POLARSSL_FS_IO */
365 
366 /*
367  * SHA-256 HMAC context setup
368  */
369 void sha256_hmac_starts( sha256_context *ctx, const unsigned char *key,
370  size_t keylen, int is224 )
371 {
372  size_t i;
373  unsigned char sum[32];
374 
375  if( keylen > 64 )
376  {
377  sha256( key, keylen, sum, is224 );
378  keylen = ( is224 ) ? 28 : 32;
379  key = sum;
380  }
381 
382  memset( ctx->ipad, 0x36, 64 );
383  memset( ctx->opad, 0x5C, 64 );
384 
385  for( i = 0; i < keylen; i++ )
386  {
387  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
388  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
389  }
390 
391  sha256_starts( ctx, is224 );
392  sha256_update( ctx, ctx->ipad, 64 );
393 
394  memset( sum, 0, sizeof( sum ) );
395 }
396 
397 /*
398  * SHA-256 HMAC process buffer
399  */
400 void sha256_hmac_update( sha256_context *ctx, const unsigned char *input, size_t ilen )
401 {
402  sha256_update( ctx, input, ilen );
403 }
404 
405 /*
406  * SHA-256 HMAC final digest
407  */
408 void sha256_hmac_finish( sha256_context *ctx, unsigned char output[32] )
409 {
410  int is224, hlen;
411  unsigned char tmpbuf[32];
412 
413  is224 = ctx->is224;
414  hlen = ( is224 == 0 ) ? 32 : 28;
415 
416  sha256_finish( ctx, tmpbuf );
417  sha256_starts( ctx, is224 );
418  sha256_update( ctx, ctx->opad, 64 );
419  sha256_update( ctx, tmpbuf, hlen );
420  sha256_finish( ctx, output );
421 
422  memset( tmpbuf, 0, sizeof( tmpbuf ) );
423 }
424 
425 /*
426  * SHA-256 HMAC context reset
427  */
429 {
430  sha256_starts( ctx, ctx->is224 );
431  sha256_update( ctx, ctx->ipad, 64 );
432 }
433 
434 /*
435  * output = HMAC-SHA-256( hmac key, input buffer )
436  */
437 void sha256_hmac( const unsigned char *key, size_t keylen,
438  const unsigned char *input, size_t ilen,
439  unsigned char output[32], int is224 )
440 {
441  sha256_context ctx;
442 
443  sha256_hmac_starts( &ctx, key, keylen, is224 );
444  sha256_hmac_update( &ctx, input, ilen );
445  sha256_hmac_finish( &ctx, output );
446 
447  memset( &ctx, 0, sizeof( sha256_context ) );
448 }
449 
450 #if defined(POLARSSL_SELF_TEST)
451 /*
452  * FIPS-180-2 test vectors
453  */
454 static unsigned char sha256_test_buf[3][57] =
455 {
456  { "abc" },
457  { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
458  { "" }
459 };
460 
461 static const int sha256_test_buflen[3] =
462 {
463  3, 56, 1000
464 };
465 
466 static const unsigned char sha256_test_sum[6][32] =
467 {
468  /*
469  * SHA-224 test vectors
470  */
471  { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
472  0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
473  0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
474  0xE3, 0x6C, 0x9D, 0xA7 },
475  { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
476  0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
477  0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
478  0x52, 0x52, 0x25, 0x25 },
479  { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
480  0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
481  0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
482  0x4E, 0xE7, 0xAD, 0x67 },
483 
484  /*
485  * SHA-256 test vectors
486  */
487  { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
488  0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
489  0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
490  0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
491  { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
492  0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
493  0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
494  0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
495  { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
496  0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
497  0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
498  0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
499 };
500 
501 /*
502  * RFC 4231 test vectors
503  */
504 static unsigned char sha256_hmac_test_key[7][26] =
505 {
506  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
507  "\x0B\x0B\x0B\x0B" },
508  { "Jefe" },
509  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
510  "\xAA\xAA\xAA\xAA" },
511  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
512  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
513  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
514  "\x0C\x0C\x0C\x0C" },
515  { "" }, /* 0xAA 131 times */
516  { "" }
517 };
518 
519 static const int sha256_hmac_test_keylen[7] =
520 {
521  20, 4, 20, 25, 20, 131, 131
522 };
523 
524 static unsigned char sha256_hmac_test_buf[7][153] =
525 {
526  { "Hi There" },
527  { "what do ya want for nothing?" },
528  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
529  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
533  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
534  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
538  { "Test With Truncation" },
539  { "Test Using Larger Than Block-Size Key - Hash Key First" },
540  { "This is a test using a larger than block-size key "
541  "and a larger than block-size data. The key needs to "
542  "be hashed before being used by the HMAC algorithm." }
543 };
544 
545 static const int sha256_hmac_test_buflen[7] =
546 {
547  8, 28, 50, 50, 20, 54, 152
548 };
549 
550 static const unsigned char sha256_hmac_test_sum[14][32] =
551 {
552  /*
553  * HMAC-SHA-224 test vectors
554  */
555  { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
556  0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
557  0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
558  0x53, 0x68, 0x4B, 0x22 },
559  { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
560  0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
561  0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
562  0x8F, 0xD0, 0x5E, 0x44 },
563  { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
564  0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
565  0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
566  0xEC, 0x83, 0x33, 0xEA },
567  { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
568  0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
569  0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
570  0xE7, 0xAF, 0xEC, 0x5A },
571  { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
572  0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
573  { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
574  0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
575  0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
576  0x3F, 0xA6, 0x87, 0x0E },
577  { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
578  0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
579  0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
580  0xF6, 0xF5, 0x65, 0xD1 },
581 
582  /*
583  * HMAC-SHA-256 test vectors
584  */
585  { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
586  0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
587  0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
588  0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
589  { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
590  0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
591  0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
592  0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
593  { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
594  0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
595  0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
596  0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
597  { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
598  0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
599  0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
600  0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
601  { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
602  0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
603  { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
604  0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
605  0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
606  0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
607  { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
608  0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
609  0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
610  0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
611 };
612 
613 /*
614  * Checkup routine
615  */
616 int sha256_self_test( int verbose )
617 {
618  int i, j, k, buflen;
619  unsigned char buf[1024];
620  unsigned char sha256sum[32];
621  sha256_context ctx;
622 
623  for( i = 0; i < 6; i++ )
624  {
625  j = i % 3;
626  k = i < 3;
627 
628  if( verbose != 0 )
629  printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
630 
631  sha256_starts( &ctx, k );
632 
633  if( j == 2 )
634  {
635  memset( buf, 'a', buflen = 1000 );
636 
637  for( j = 0; j < 1000; j++ )
638  sha256_update( &ctx, buf, buflen );
639  }
640  else
641  sha256_update( &ctx, sha256_test_buf[j],
642  sha256_test_buflen[j] );
643 
644  sha256_finish( &ctx, sha256sum );
645 
646  if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
647  {
648  if( verbose != 0 )
649  printf( "failed\n" );
650 
651  return( 1 );
652  }
653 
654  if( verbose != 0 )
655  printf( "passed\n" );
656  }
657 
658  if( verbose != 0 )
659  printf( "\n" );
660 
661  for( i = 0; i < 14; i++ )
662  {
663  j = i % 7;
664  k = i < 7;
665 
666  if( verbose != 0 )
667  printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
668 
669  if( j == 5 || j == 6 )
670  {
671  memset( buf, '\xAA', buflen = 131 );
672  sha256_hmac_starts( &ctx, buf, buflen, k );
673  }
674  else
675  sha256_hmac_starts( &ctx, sha256_hmac_test_key[j],
676  sha256_hmac_test_keylen[j], k );
677 
678  sha256_hmac_update( &ctx, sha256_hmac_test_buf[j],
679  sha256_hmac_test_buflen[j] );
680 
681  sha256_hmac_finish( &ctx, sha256sum );
682 
683  buflen = ( j == 4 ) ? 16 : 32 - k * 4;
684 
685  if( memcmp( sha256sum, sha256_hmac_test_sum[i], buflen ) != 0 )
686  {
687  if( verbose != 0 )
688  printf( "failed\n" );
689 
690  return( 1 );
691  }
692 
693  if( verbose != 0 )
694  printf( "passed\n" );
695  }
696 
697  if( verbose != 0 )
698  printf( "\n" );
699 
700  return( 0 );
701 }
702 
703 #endif
704 
705 #endif
void sha256_hmac_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 HMAC process buffer.
uint32_t total[2]
Definition: sha256.h:56
uint32_t state[8]
Definition: sha256.h:57
int sha256_file(const char *path, unsigned char output[32], int is224)
Output = SHA-256( file contents )
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
Configuration options (set of defines)
unsigned char opad[64]
Definition: sha256.h:61
unsigned char ipad[64]
Definition: sha256.h:60
void sha256_hmac_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 HMAC final digest.
unsigned char buffer[64]
Definition: sha256.h:58
void sha256_hmac_starts(sha256_context *ctx, const unsigned char *key, size_t keylen, int is224)
SHA-256 HMAC context setup.
#define PUT_UINT32_BE(n, b, i)
int sha256_self_test(int verbose)
Checkup routine.
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
#define POLARSSL_ERR_SHA256_FILE_IO_ERROR
Read/write error in file.
Definition: sha256.h:41
void sha256_hmac_reset(sha256_context *ctx)
SHA-256 HMAC context reset.
void sha256_process(sha256_context *ctx, const unsigned char data[64])
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
#define GET_UINT32_BE(n, b, i)
SHA-256 context structure.
Definition: sha256.h:54
SHA-224 and SHA-256 cryptographic hash function.