PolarSSL v1.3.7
sha512.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-384/512 implementation
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SHA-512 Secure Hash Standard was published by NIST in 2002.
27  *
28  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_SHA512_C)
38 
39 #include "polarssl/sha512.h"
40 
41 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
42 #include <stdio.h>
43 #endif
44 
45 #if defined(POLARSSL_PLATFORM_C)
46 #include "polarssl/platform.h"
47 #else
48 #define polarssl_printf printf
49 #endif
50 
51 #if !defined(POLARSSL_SHA512_ALT)
52 
53 /*
54  * 64-bit integer manipulation macros (big endian)
55  */
56 #ifndef GET_UINT64_BE
57 #define GET_UINT64_BE(n,b,i) \
58 { \
59  (n) = ( (uint64_t) (b)[(i) ] << 56 ) \
60  | ( (uint64_t) (b)[(i) + 1] << 48 ) \
61  | ( (uint64_t) (b)[(i) + 2] << 40 ) \
62  | ( (uint64_t) (b)[(i) + 3] << 32 ) \
63  | ( (uint64_t) (b)[(i) + 4] << 24 ) \
64  | ( (uint64_t) (b)[(i) + 5] << 16 ) \
65  | ( (uint64_t) (b)[(i) + 6] << 8 ) \
66  | ( (uint64_t) (b)[(i) + 7] ); \
67 }
68 #endif /* GET_UINT64_BE */
69 
70 #ifndef PUT_UINT64_BE
71 #define PUT_UINT64_BE(n,b,i) \
72 { \
73  (b)[(i) ] = (unsigned char) ( (n) >> 56 ); \
74  (b)[(i) + 1] = (unsigned char) ( (n) >> 48 ); \
75  (b)[(i) + 2] = (unsigned char) ( (n) >> 40 ); \
76  (b)[(i) + 3] = (unsigned char) ( (n) >> 32 ); \
77  (b)[(i) + 4] = (unsigned char) ( (n) >> 24 ); \
78  (b)[(i) + 5] = (unsigned char) ( (n) >> 16 ); \
79  (b)[(i) + 6] = (unsigned char) ( (n) >> 8 ); \
80  (b)[(i) + 7] = (unsigned char) ( (n) ); \
81 }
82 #endif /* PUT_UINT64_BE */
83 
84 /*
85  * Round constants
86  */
87 static const uint64_t K[80] =
88 {
89  UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
90  UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
91  UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
92  UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
93  UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
94  UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
95  UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
96  UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
97  UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
98  UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
99  UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
100  UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
101  UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
102  UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
103  UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
104  UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
105  UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
106  UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
107  UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
108  UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
109  UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
110  UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
111  UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
112  UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
113  UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
114  UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
115  UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
116  UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
117  UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
118  UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
119  UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
120  UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
121  UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
122  UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
123  UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
124  UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
125  UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
126  UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
127  UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
128  UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
129 };
130 
131 /*
132  * SHA-512 context setup
133  */
134 void sha512_starts( sha512_context *ctx, int is384 )
135 {
136  ctx->total[0] = 0;
137  ctx->total[1] = 0;
138 
139  if( is384 == 0 )
140  {
141  /* SHA-512 */
142  ctx->state[0] = UL64(0x6A09E667F3BCC908);
143  ctx->state[1] = UL64(0xBB67AE8584CAA73B);
144  ctx->state[2] = UL64(0x3C6EF372FE94F82B);
145  ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
146  ctx->state[4] = UL64(0x510E527FADE682D1);
147  ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
148  ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
149  ctx->state[7] = UL64(0x5BE0CD19137E2179);
150  }
151  else
152  {
153  /* SHA-384 */
154  ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
155  ctx->state[1] = UL64(0x629A292A367CD507);
156  ctx->state[2] = UL64(0x9159015A3070DD17);
157  ctx->state[3] = UL64(0x152FECD8F70E5939);
158  ctx->state[4] = UL64(0x67332667FFC00B31);
159  ctx->state[5] = UL64(0x8EB44A8768581511);
160  ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
161  ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
162  }
163 
164  ctx->is384 = is384;
165 }
166 
167 void sha512_process( sha512_context *ctx, const unsigned char data[128] )
168 {
169  int i;
170  uint64_t temp1, temp2, W[80];
171  uint64_t A, B, C, D, E, F, G, H;
172 
173 #define SHR(x,n) (x >> n)
174 #define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
175 
176 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
177 #define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
178 
179 #define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
180 #define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
181 
182 #define F0(x,y,z) ((x & y) | (z & (x | y)))
183 #define F1(x,y,z) (z ^ (x & (y ^ z)))
184 
185 #define P(a,b,c,d,e,f,g,h,x,K) \
186 { \
187  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
188  temp2 = S2(a) + F0(a,b,c); \
189  d += temp1; h = temp1 + temp2; \
190 }
191 
192  for( i = 0; i < 16; i++ )
193  {
194  GET_UINT64_BE( W[i], data, i << 3 );
195  }
196 
197  for( ; i < 80; i++ )
198  {
199  W[i] = S1(W[i - 2]) + W[i - 7] +
200  S0(W[i - 15]) + W[i - 16];
201  }
202 
203  A = ctx->state[0];
204  B = ctx->state[1];
205  C = ctx->state[2];
206  D = ctx->state[3];
207  E = ctx->state[4];
208  F = ctx->state[5];
209  G = ctx->state[6];
210  H = ctx->state[7];
211  i = 0;
212 
213  do
214  {
215  P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
216  P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
217  P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
218  P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
219  P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
220  P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
221  P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
222  P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
223  }
224  while( i < 80 );
225 
226  ctx->state[0] += A;
227  ctx->state[1] += B;
228  ctx->state[2] += C;
229  ctx->state[3] += D;
230  ctx->state[4] += E;
231  ctx->state[5] += F;
232  ctx->state[6] += G;
233  ctx->state[7] += H;
234 }
235 
236 /*
237  * SHA-512 process buffer
238  */
239 void sha512_update( sha512_context *ctx, const unsigned char *input,
240  size_t ilen )
241 {
242  size_t fill;
243  unsigned int left;
244 
245  if( ilen <= 0 )
246  return;
247 
248  left = (unsigned int) (ctx->total[0] & 0x7F);
249  fill = 128 - left;
250 
251  ctx->total[0] += (uint64_t) ilen;
252 
253  if( ctx->total[0] < (uint64_t) ilen )
254  ctx->total[1]++;
255 
256  if( left && ilen >= fill )
257  {
258  memcpy( (void *) (ctx->buffer + left), input, fill );
259  sha512_process( ctx, ctx->buffer );
260  input += fill;
261  ilen -= fill;
262  left = 0;
263  }
264 
265  while( ilen >= 128 )
266  {
267  sha512_process( ctx, input );
268  input += 128;
269  ilen -= 128;
270  }
271 
272  if( ilen > 0 )
273  memcpy( (void *) (ctx->buffer + left), input, ilen );
274 }
275 
276 static const unsigned char sha512_padding[128] =
277 {
278  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
285  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
286 };
287 
288 /*
289  * SHA-512 final digest
290  */
291 void sha512_finish( sha512_context *ctx, unsigned char output[64] )
292 {
293  size_t last, padn;
294  uint64_t high, low;
295  unsigned char msglen[16];
296 
297  high = ( ctx->total[0] >> 61 )
298  | ( ctx->total[1] << 3 );
299  low = ( ctx->total[0] << 3 );
300 
301  PUT_UINT64_BE( high, msglen, 0 );
302  PUT_UINT64_BE( low, msglen, 8 );
303 
304  last = (size_t)( ctx->total[0] & 0x7F );
305  padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
306 
307  sha512_update( ctx, sha512_padding, padn );
308  sha512_update( ctx, msglen, 16 );
309 
310  PUT_UINT64_BE( ctx->state[0], output, 0 );
311  PUT_UINT64_BE( ctx->state[1], output, 8 );
312  PUT_UINT64_BE( ctx->state[2], output, 16 );
313  PUT_UINT64_BE( ctx->state[3], output, 24 );
314  PUT_UINT64_BE( ctx->state[4], output, 32 );
315  PUT_UINT64_BE( ctx->state[5], output, 40 );
316 
317  if( ctx->is384 == 0 )
318  {
319  PUT_UINT64_BE( ctx->state[6], output, 48 );
320  PUT_UINT64_BE( ctx->state[7], output, 56 );
321  }
322 }
323 
324 #endif /* !POLARSSL_SHA512_ALT */
325 
326 /*
327  * output = SHA-512( input buffer )
328  */
329 void sha512( const unsigned char *input, size_t ilen,
330  unsigned char output[64], int is384 )
331 {
332  sha512_context ctx;
333 
334  sha512_starts( &ctx, is384 );
335  sha512_update( &ctx, input, ilen );
336  sha512_finish( &ctx, output );
337 
338  memset( &ctx, 0, sizeof( sha512_context ) );
339 }
340 
341 #if defined(POLARSSL_FS_IO)
342 /*
343  * output = SHA-512( file contents )
344  */
345 int sha512_file( const char *path, unsigned char output[64], int is384 )
346 {
347  FILE *f;
348  size_t n;
349  sha512_context ctx;
350  unsigned char buf[1024];
351 
352  if( ( f = fopen( path, "rb" ) ) == NULL )
354 
355  sha512_starts( &ctx, is384 );
356 
357  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
358  sha512_update( &ctx, buf, n );
359 
360  sha512_finish( &ctx, output );
361 
362  memset( &ctx, 0, sizeof( sha512_context ) );
363 
364  if( ferror( f ) != 0 )
365  {
366  fclose( f );
368  }
369 
370  fclose( f );
371  return( 0 );
372 }
373 #endif /* POLARSSL_FS_IO */
374 
375 /*
376  * SHA-512 HMAC context setup
377  */
378 void sha512_hmac_starts( sha512_context *ctx, const unsigned char *key,
379  size_t keylen, int is384 )
380 {
381  size_t i;
382  unsigned char sum[64];
383 
384  if( keylen > 128 )
385  {
386  sha512( key, keylen, sum, is384 );
387  keylen = ( is384 ) ? 48 : 64;
388  key = sum;
389  }
390 
391  memset( ctx->ipad, 0x36, 128 );
392  memset( ctx->opad, 0x5C, 128 );
393 
394  for( i = 0; i < keylen; i++ )
395  {
396  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
397  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
398  }
399 
400  sha512_starts( ctx, is384 );
401  sha512_update( ctx, ctx->ipad, 128 );
402 
403  memset( sum, 0, sizeof( sum ) );
404 }
405 
406 /*
407  * SHA-512 HMAC process buffer
408  */
410  const unsigned char *input, size_t ilen )
411 {
412  sha512_update( ctx, input, ilen );
413 }
414 
415 /*
416  * SHA-512 HMAC final digest
417  */
418 void sha512_hmac_finish( sha512_context *ctx, unsigned char output[64] )
419 {
420  int is384, hlen;
421  unsigned char tmpbuf[64];
422 
423  is384 = ctx->is384;
424  hlen = ( is384 == 0 ) ? 64 : 48;
425 
426  sha512_finish( ctx, tmpbuf );
427  sha512_starts( ctx, is384 );
428  sha512_update( ctx, ctx->opad, 128 );
429  sha512_update( ctx, tmpbuf, hlen );
430  sha512_finish( ctx, output );
431 
432  memset( tmpbuf, 0, sizeof( tmpbuf ) );
433 }
434 
435 /*
436  * SHA-512 HMAC context reset
437  */
439 {
440  sha512_starts( ctx, ctx->is384 );
441  sha512_update( ctx, ctx->ipad, 128 );
442 }
443 
444 /*
445  * output = HMAC-SHA-512( hmac key, input buffer )
446  */
447 void sha512_hmac( const unsigned char *key, size_t keylen,
448  const unsigned char *input, size_t ilen,
449  unsigned char output[64], int is384 )
450 {
451  sha512_context ctx;
452 
453  sha512_hmac_starts( &ctx, key, keylen, is384 );
454  sha512_hmac_update( &ctx, input, ilen );
455  sha512_hmac_finish( &ctx, output );
456 
457  memset( &ctx, 0, sizeof( sha512_context ) );
458 }
459 
460 #if defined(POLARSSL_SELF_TEST)
461 
462 /*
463  * FIPS-180-2 test vectors
464  */
465 static unsigned char sha512_test_buf[3][113] =
466 {
467  { "abc" },
468  { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
469  "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
470  { "" }
471 };
472 
473 static const int sha512_test_buflen[3] =
474 {
475  3, 112, 1000
476 };
477 
478 static const unsigned char sha512_test_sum[6][64] =
479 {
480  /*
481  * SHA-384 test vectors
482  */
483  { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
484  0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
485  0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
486  0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
487  0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
488  0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
489  { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
490  0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
491  0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
492  0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
493  0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
494  0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
495  { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
496  0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
497  0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
498  0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
499  0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
500  0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
501 
502  /*
503  * SHA-512 test vectors
504  */
505  { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
506  0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
507  0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
508  0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
509  0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
510  0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
511  0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
512  0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
513  { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
514  0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
515  0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
516  0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
517  0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
518  0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
519  0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
520  0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
521  { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
522  0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
523  0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
524  0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
525  0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
526  0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
527  0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
528  0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
529 };
530 
531 /*
532  * RFC 4231 test vectors
533  */
534 static unsigned char sha512_hmac_test_key[7][26] =
535 {
536  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
537  "\x0B\x0B\x0B\x0B" },
538  { "Jefe" },
539  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
540  "\xAA\xAA\xAA\xAA" },
541  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
542  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
543  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
544  "\x0C\x0C\x0C\x0C" },
545  { "" }, /* 0xAA 131 times */
546  { "" }
547 };
548 
549 static const int sha512_hmac_test_keylen[7] =
550 {
551  20, 4, 20, 25, 20, 131, 131
552 };
553 
554 static unsigned char sha512_hmac_test_buf[7][153] =
555 {
556  { "Hi There" },
557  { "what do ya want for nothing?" },
558  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
559  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
560  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
561  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
562  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
563  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
564  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
565  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
566  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
567  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
568  { "Test With Truncation" },
569  { "Test Using Larger Than Block-Size Key - Hash Key First" },
570  { "This is a test using a larger than block-size key "
571  "and a larger than block-size data. The key needs to "
572  "be hashed before being used by the HMAC algorithm." }
573 };
574 
575 static const int sha512_hmac_test_buflen[7] =
576 {
577  8, 28, 50, 50, 20, 54, 152
578 };
579 
580 static const unsigned char sha512_hmac_test_sum[14][64] =
581 {
582  /*
583  * HMAC-SHA-384 test vectors
584  */
585  { 0xAF, 0xD0, 0x39, 0x44, 0xD8, 0x48, 0x95, 0x62,
586  0x6B, 0x08, 0x25, 0xF4, 0xAB, 0x46, 0x90, 0x7F,
587  0x15, 0xF9, 0xDA, 0xDB, 0xE4, 0x10, 0x1E, 0xC6,
588  0x82, 0xAA, 0x03, 0x4C, 0x7C, 0xEB, 0xC5, 0x9C,
589  0xFA, 0xEA, 0x9E, 0xA9, 0x07, 0x6E, 0xDE, 0x7F,
590  0x4A, 0xF1, 0x52, 0xE8, 0xB2, 0xFA, 0x9C, 0xB6 },
591  { 0xAF, 0x45, 0xD2, 0xE3, 0x76, 0x48, 0x40, 0x31,
592  0x61, 0x7F, 0x78, 0xD2, 0xB5, 0x8A, 0x6B, 0x1B,
593  0x9C, 0x7E, 0xF4, 0x64, 0xF5, 0xA0, 0x1B, 0x47,
594  0xE4, 0x2E, 0xC3, 0x73, 0x63, 0x22, 0x44, 0x5E,
595  0x8E, 0x22, 0x40, 0xCA, 0x5E, 0x69, 0xE2, 0xC7,
596  0x8B, 0x32, 0x39, 0xEC, 0xFA, 0xB2, 0x16, 0x49 },
597  { 0x88, 0x06, 0x26, 0x08, 0xD3, 0xE6, 0xAD, 0x8A,
598  0x0A, 0xA2, 0xAC, 0xE0, 0x14, 0xC8, 0xA8, 0x6F,
599  0x0A, 0xA6, 0x35, 0xD9, 0x47, 0xAC, 0x9F, 0xEB,
600  0xE8, 0x3E, 0xF4, 0xE5, 0x59, 0x66, 0x14, 0x4B,
601  0x2A, 0x5A, 0xB3, 0x9D, 0xC1, 0x38, 0x14, 0xB9,
602  0x4E, 0x3A, 0xB6, 0xE1, 0x01, 0xA3, 0x4F, 0x27 },
603  { 0x3E, 0x8A, 0x69, 0xB7, 0x78, 0x3C, 0x25, 0x85,
604  0x19, 0x33, 0xAB, 0x62, 0x90, 0xAF, 0x6C, 0xA7,
605  0x7A, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9C,
606  0xC5, 0x57, 0x7C, 0x6E, 0x1F, 0x57, 0x3B, 0x4E,
607  0x68, 0x01, 0xDD, 0x23, 0xC4, 0xA7, 0xD6, 0x79,
608  0xCC, 0xF8, 0xA3, 0x86, 0xC6, 0x74, 0xCF, 0xFB },
609  { 0x3A, 0xBF, 0x34, 0xC3, 0x50, 0x3B, 0x2A, 0x23,
610  0xA4, 0x6E, 0xFC, 0x61, 0x9B, 0xAE, 0xF8, 0x97 },
611  { 0x4E, 0xCE, 0x08, 0x44, 0x85, 0x81, 0x3E, 0x90,
612  0x88, 0xD2, 0xC6, 0x3A, 0x04, 0x1B, 0xC5, 0xB4,
613  0x4F, 0x9E, 0xF1, 0x01, 0x2A, 0x2B, 0x58, 0x8F,
614  0x3C, 0xD1, 0x1F, 0x05, 0x03, 0x3A, 0xC4, 0xC6,
615  0x0C, 0x2E, 0xF6, 0xAB, 0x40, 0x30, 0xFE, 0x82,
616  0x96, 0x24, 0x8D, 0xF1, 0x63, 0xF4, 0x49, 0x52 },
617  { 0x66, 0x17, 0x17, 0x8E, 0x94, 0x1F, 0x02, 0x0D,
618  0x35, 0x1E, 0x2F, 0x25, 0x4E, 0x8F, 0xD3, 0x2C,
619  0x60, 0x24, 0x20, 0xFE, 0xB0, 0xB8, 0xFB, 0x9A,
620  0xDC, 0xCE, 0xBB, 0x82, 0x46, 0x1E, 0x99, 0xC5,
621  0xA6, 0x78, 0xCC, 0x31, 0xE7, 0x99, 0x17, 0x6D,
622  0x38, 0x60, 0xE6, 0x11, 0x0C, 0x46, 0x52, 0x3E },
623 
624  /*
625  * HMAC-SHA-512 test vectors
626  */
627  { 0x87, 0xAA, 0x7C, 0xDE, 0xA5, 0xEF, 0x61, 0x9D,
628  0x4F, 0xF0, 0xB4, 0x24, 0x1A, 0x1D, 0x6C, 0xB0,
629  0x23, 0x79, 0xF4, 0xE2, 0xCE, 0x4E, 0xC2, 0x78,
630  0x7A, 0xD0, 0xB3, 0x05, 0x45, 0xE1, 0x7C, 0xDE,
631  0xDA, 0xA8, 0x33, 0xB7, 0xD6, 0xB8, 0xA7, 0x02,
632  0x03, 0x8B, 0x27, 0x4E, 0xAE, 0xA3, 0xF4, 0xE4,
633  0xBE, 0x9D, 0x91, 0x4E, 0xEB, 0x61, 0xF1, 0x70,
634  0x2E, 0x69, 0x6C, 0x20, 0x3A, 0x12, 0x68, 0x54 },
635  { 0x16, 0x4B, 0x7A, 0x7B, 0xFC, 0xF8, 0x19, 0xE2,
636  0xE3, 0x95, 0xFB, 0xE7, 0x3B, 0x56, 0xE0, 0xA3,
637  0x87, 0xBD, 0x64, 0x22, 0x2E, 0x83, 0x1F, 0xD6,
638  0x10, 0x27, 0x0C, 0xD7, 0xEA, 0x25, 0x05, 0x54,
639  0x97, 0x58, 0xBF, 0x75, 0xC0, 0x5A, 0x99, 0x4A,
640  0x6D, 0x03, 0x4F, 0x65, 0xF8, 0xF0, 0xE6, 0xFD,
641  0xCA, 0xEA, 0xB1, 0xA3, 0x4D, 0x4A, 0x6B, 0x4B,
642  0x63, 0x6E, 0x07, 0x0A, 0x38, 0xBC, 0xE7, 0x37 },
643  { 0xFA, 0x73, 0xB0, 0x08, 0x9D, 0x56, 0xA2, 0x84,
644  0xEF, 0xB0, 0xF0, 0x75, 0x6C, 0x89, 0x0B, 0xE9,
645  0xB1, 0xB5, 0xDB, 0xDD, 0x8E, 0xE8, 0x1A, 0x36,
646  0x55, 0xF8, 0x3E, 0x33, 0xB2, 0x27, 0x9D, 0x39,
647  0xBF, 0x3E, 0x84, 0x82, 0x79, 0xA7, 0x22, 0xC8,
648  0x06, 0xB4, 0x85, 0xA4, 0x7E, 0x67, 0xC8, 0x07,
649  0xB9, 0x46, 0xA3, 0x37, 0xBE, 0xE8, 0x94, 0x26,
650  0x74, 0x27, 0x88, 0x59, 0xE1, 0x32, 0x92, 0xFB },
651  { 0xB0, 0xBA, 0x46, 0x56, 0x37, 0x45, 0x8C, 0x69,
652  0x90, 0xE5, 0xA8, 0xC5, 0xF6, 0x1D, 0x4A, 0xF7,
653  0xE5, 0x76, 0xD9, 0x7F, 0xF9, 0x4B, 0x87, 0x2D,
654  0xE7, 0x6F, 0x80, 0x50, 0x36, 0x1E, 0xE3, 0xDB,
655  0xA9, 0x1C, 0xA5, 0xC1, 0x1A, 0xA2, 0x5E, 0xB4,
656  0xD6, 0x79, 0x27, 0x5C, 0xC5, 0x78, 0x80, 0x63,
657  0xA5, 0xF1, 0x97, 0x41, 0x12, 0x0C, 0x4F, 0x2D,
658  0xE2, 0xAD, 0xEB, 0xEB, 0x10, 0xA2, 0x98, 0xDD },
659  { 0x41, 0x5F, 0xAD, 0x62, 0x71, 0x58, 0x0A, 0x53,
660  0x1D, 0x41, 0x79, 0xBC, 0x89, 0x1D, 0x87, 0xA6 },
661  { 0x80, 0xB2, 0x42, 0x63, 0xC7, 0xC1, 0xA3, 0xEB,
662  0xB7, 0x14, 0x93, 0xC1, 0xDD, 0x7B, 0xE8, 0xB4,
663  0x9B, 0x46, 0xD1, 0xF4, 0x1B, 0x4A, 0xEE, 0xC1,
664  0x12, 0x1B, 0x01, 0x37, 0x83, 0xF8, 0xF3, 0x52,
665  0x6B, 0x56, 0xD0, 0x37, 0xE0, 0x5F, 0x25, 0x98,
666  0xBD, 0x0F, 0xD2, 0x21, 0x5D, 0x6A, 0x1E, 0x52,
667  0x95, 0xE6, 0x4F, 0x73, 0xF6, 0x3F, 0x0A, 0xEC,
668  0x8B, 0x91, 0x5A, 0x98, 0x5D, 0x78, 0x65, 0x98 },
669  { 0xE3, 0x7B, 0x6A, 0x77, 0x5D, 0xC8, 0x7D, 0xBA,
670  0xA4, 0xDF, 0xA9, 0xF9, 0x6E, 0x5E, 0x3F, 0xFD,
671  0xDE, 0xBD, 0x71, 0xF8, 0x86, 0x72, 0x89, 0x86,
672  0x5D, 0xF5, 0xA3, 0x2D, 0x20, 0xCD, 0xC9, 0x44,
673  0xB6, 0x02, 0x2C, 0xAC, 0x3C, 0x49, 0x82, 0xB1,
674  0x0D, 0x5E, 0xEB, 0x55, 0xC3, 0xE4, 0xDE, 0x15,
675  0x13, 0x46, 0x76, 0xFB, 0x6D, 0xE0, 0x44, 0x60,
676  0x65, 0xC9, 0x74, 0x40, 0xFA, 0x8C, 0x6A, 0x58 }
677 };
678 
679 /*
680  * Checkup routine
681  */
682 int sha512_self_test( int verbose )
683 {
684  int i, j, k, buflen;
685  unsigned char buf[1024];
686  unsigned char sha512sum[64];
687  sha512_context ctx;
688 
689  for( i = 0; i < 6; i++ )
690  {
691  j = i % 3;
692  k = i < 3;
693 
694  if( verbose != 0 )
695  polarssl_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 );
696 
697  sha512_starts( &ctx, k );
698 
699  if( j == 2 )
700  {
701  memset( buf, 'a', buflen = 1000 );
702 
703  for( j = 0; j < 1000; j++ )
704  sha512_update( &ctx, buf, buflen );
705  }
706  else
707  sha512_update( &ctx, sha512_test_buf[j],
708  sha512_test_buflen[j] );
709 
710  sha512_finish( &ctx, sha512sum );
711 
712  if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
713  {
714  if( verbose != 0 )
715  polarssl_printf( "failed\n" );
716 
717  return( 1 );
718  }
719 
720  if( verbose != 0 )
721  polarssl_printf( "passed\n" );
722  }
723 
724  if( verbose != 0 )
725  polarssl_printf( "\n" );
726 
727  for( i = 0; i < 14; i++ )
728  {
729  j = i % 7;
730  k = i < 7;
731 
732  if( verbose != 0 )
733  polarssl_printf( " HMAC-SHA-%d test #%d: ", 512 - k * 128, j + 1 );
734 
735  if( j == 5 || j == 6 )
736  {
737  memset( buf, '\xAA', buflen = 131 );
738  sha512_hmac_starts( &ctx, buf, buflen, k );
739  }
740  else
741  sha512_hmac_starts( &ctx, sha512_hmac_test_key[j],
742  sha512_hmac_test_keylen[j], k );
743 
744  sha512_hmac_update( &ctx, sha512_hmac_test_buf[j],
745  sha512_hmac_test_buflen[j] );
746 
747  sha512_hmac_finish( &ctx, sha512sum );
748 
749  buflen = ( j == 4 ) ? 16 : 64 - k * 16;
750 
751  if( memcmp( sha512sum, sha512_hmac_test_sum[i], buflen ) != 0 )
752  {
753  if( verbose != 0 )
754  polarssl_printf( "failed\n" );
755 
756  return( 1 );
757  }
758 
759  if( verbose != 0 )
760  polarssl_printf( "passed\n" );
761  }
762 
763  if( verbose != 0 )
764  polarssl_printf( "\n" );
765 
766  return( 0 );
767 }
768 
769 #endif /* POLARSSL_SELF_TEST */
770 
771 #endif /* POLARSSL_SHA512_C */
void sha512_hmac_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 HMAC process buffer.
Configuration options (set of defines)
PolarSSL Platform abstraction layer.
void sha512_process(sha512_context *ctx, const unsigned char data[128])
#define UL64(x)
Definition: sha512.h:43
unsigned char buffer[128]
Definition: sha512.h:63
SHA-512 context structure.
Definition: sha512.h:59
void sha512_hmac_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 HMAC final digest.
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int sha512_self_test(int verbose)
Checkup routine.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int sha512_file(const char *path, unsigned char output[64], int is384)
Output = SHA-512( file contents )
unsigned char opad[128]
Definition: sha512.h:66
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
#define POLARSSL_ERR_SHA512_FILE_IO_ERROR
Read/write error in file.
Definition: sha512.h:46
#define polarssl_printf
Definition: platform.h:109
SHA-384 and SHA-512 cryptographic hash function.
uint64_t total[2]
Definition: sha512.h:61
void sha512_hmac_starts(sha512_context *ctx, const unsigned char *key, size_t keylen, int is384)
SHA-512 HMAC context setup.
void sha512_hmac_reset(sha512_context *ctx)
SHA-512 HMAC context reset.
unsigned char ipad[128]
Definition: sha512.h:65
uint64_t state[8]
Definition: sha512.h:62
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.