PolarSSL v1.3.7
sha256.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-256 implementation
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27  *
28  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_SHA256_C)
38 
39 #include "polarssl/sha256.h"
40 
41 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
42 #include <stdio.h>
43 #endif
44 
45 #if defined(POLARSSL_PLATFORM_C)
46 #include "polarssl/platform.h"
47 #else
48 #define polarssl_printf printf
49 #endif
50 
51 #if !defined(POLARSSL_SHA256_ALT)
52 
53 /*
54  * 32-bit integer manipulation macros (big endian)
55  */
56 #ifndef GET_UINT32_BE
57 #define GET_UINT32_BE(n,b,i) \
58 { \
59  (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
60  | ( (uint32_t) (b)[(i) + 1] << 16 ) \
61  | ( (uint32_t) (b)[(i) + 2] << 8 ) \
62  | ( (uint32_t) (b)[(i) + 3] ); \
63 }
64 #endif
65 
66 #ifndef PUT_UINT32_BE
67 #define PUT_UINT32_BE(n,b,i) \
68 { \
69  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
70  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
71  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
72  (b)[(i) + 3] = (unsigned char) ( (n) ); \
73 }
74 #endif
75 
76 /*
77  * SHA-256 context setup
78  */
79 void sha256_starts( sha256_context *ctx, int is224 )
80 {
81  ctx->total[0] = 0;
82  ctx->total[1] = 0;
83 
84  if( is224 == 0 )
85  {
86  /* SHA-256 */
87  ctx->state[0] = 0x6A09E667;
88  ctx->state[1] = 0xBB67AE85;
89  ctx->state[2] = 0x3C6EF372;
90  ctx->state[3] = 0xA54FF53A;
91  ctx->state[4] = 0x510E527F;
92  ctx->state[5] = 0x9B05688C;
93  ctx->state[6] = 0x1F83D9AB;
94  ctx->state[7] = 0x5BE0CD19;
95  }
96  else
97  {
98  /* SHA-224 */
99  ctx->state[0] = 0xC1059ED8;
100  ctx->state[1] = 0x367CD507;
101  ctx->state[2] = 0x3070DD17;
102  ctx->state[3] = 0xF70E5939;
103  ctx->state[4] = 0xFFC00B31;
104  ctx->state[5] = 0x68581511;
105  ctx->state[6] = 0x64F98FA7;
106  ctx->state[7] = 0xBEFA4FA4;
107  }
108 
109  ctx->is224 = is224;
110 }
111 
112 void sha256_process( sha256_context *ctx, const unsigned char data[64] )
113 {
114  uint32_t temp1, temp2, W[64];
115  uint32_t A, B, C, D, E, F, G, H;
116 
117  GET_UINT32_BE( W[ 0], data, 0 );
118  GET_UINT32_BE( W[ 1], data, 4 );
119  GET_UINT32_BE( W[ 2], data, 8 );
120  GET_UINT32_BE( W[ 3], data, 12 );
121  GET_UINT32_BE( W[ 4], data, 16 );
122  GET_UINT32_BE( W[ 5], data, 20 );
123  GET_UINT32_BE( W[ 6], data, 24 );
124  GET_UINT32_BE( W[ 7], data, 28 );
125  GET_UINT32_BE( W[ 8], data, 32 );
126  GET_UINT32_BE( W[ 9], data, 36 );
127  GET_UINT32_BE( W[10], data, 40 );
128  GET_UINT32_BE( W[11], data, 44 );
129  GET_UINT32_BE( W[12], data, 48 );
130  GET_UINT32_BE( W[13], data, 52 );
131  GET_UINT32_BE( W[14], data, 56 );
132  GET_UINT32_BE( W[15], data, 60 );
133 
134 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
135 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
136 
137 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
138 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
139 
140 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
141 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
142 
143 #define F0(x,y,z) ((x & y) | (z & (x | y)))
144 #define F1(x,y,z) (z ^ (x & (y ^ z)))
145 
146 #define R(t) \
147 ( \
148  W[t] = S1(W[t - 2]) + W[t - 7] + \
149  S0(W[t - 15]) + W[t - 16] \
150 )
151 
152 #define P(a,b,c,d,e,f,g,h,x,K) \
153 { \
154  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
155  temp2 = S2(a) + F0(a,b,c); \
156  d += temp1; h = temp1 + temp2; \
157 }
158 
159  A = ctx->state[0];
160  B = ctx->state[1];
161  C = ctx->state[2];
162  D = ctx->state[3];
163  E = ctx->state[4];
164  F = ctx->state[5];
165  G = ctx->state[6];
166  H = ctx->state[7];
167 
168  P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
169  P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
170  P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
171  P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
172  P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
173  P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
174  P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
175  P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
176  P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
177  P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
178  P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
179  P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
180  P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
181  P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
182  P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
183  P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
184  P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
185  P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
186  P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
187  P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
188  P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
189  P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
190  P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
191  P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
192  P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
193  P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
194  P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
195  P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
196  P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
197  P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
198  P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
199  P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
200  P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
201  P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
202  P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
203  P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
204  P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
205  P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
206  P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
207  P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
208  P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
209  P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
210  P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
211  P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
212  P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
213  P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
214  P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
215  P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
216  P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
217  P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
218  P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
219  P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
220  P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
221  P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
222  P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
223  P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
224  P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
225  P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
226  P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
227  P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
228  P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
229  P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
230  P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
231  P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
232 
233  ctx->state[0] += A;
234  ctx->state[1] += B;
235  ctx->state[2] += C;
236  ctx->state[3] += D;
237  ctx->state[4] += E;
238  ctx->state[5] += F;
239  ctx->state[6] += G;
240  ctx->state[7] += H;
241 }
242 
243 /*
244  * SHA-256 process buffer
245  */
246 void sha256_update( sha256_context *ctx, const unsigned char *input,
247  size_t ilen )
248 {
249  size_t fill;
250  uint32_t left;
251 
252  if( ilen <= 0 )
253  return;
254 
255  left = ctx->total[0] & 0x3F;
256  fill = 64 - left;
257 
258  ctx->total[0] += (uint32_t) ilen;
259  ctx->total[0] &= 0xFFFFFFFF;
260 
261  if( ctx->total[0] < (uint32_t) ilen )
262  ctx->total[1]++;
263 
264  if( left && ilen >= fill )
265  {
266  memcpy( (void *) (ctx->buffer + left), input, fill );
267  sha256_process( ctx, ctx->buffer );
268  input += fill;
269  ilen -= fill;
270  left = 0;
271  }
272 
273  while( ilen >= 64 )
274  {
275  sha256_process( ctx, input );
276  input += 64;
277  ilen -= 64;
278  }
279 
280  if( ilen > 0 )
281  memcpy( (void *) (ctx->buffer + left), input, ilen );
282 }
283 
284 static const unsigned char sha256_padding[64] =
285 {
286  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
287  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
288  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
289  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
290 };
291 
292 /*
293  * SHA-256 final digest
294  */
295 void sha256_finish( sha256_context *ctx, unsigned char output[32] )
296 {
297  uint32_t last, padn;
298  uint32_t high, low;
299  unsigned char msglen[8];
300 
301  high = ( ctx->total[0] >> 29 )
302  | ( ctx->total[1] << 3 );
303  low = ( ctx->total[0] << 3 );
304 
305  PUT_UINT32_BE( high, msglen, 0 );
306  PUT_UINT32_BE( low, msglen, 4 );
307 
308  last = ctx->total[0] & 0x3F;
309  padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
310 
311  sha256_update( ctx, sha256_padding, padn );
312  sha256_update( ctx, msglen, 8 );
313 
314  PUT_UINT32_BE( ctx->state[0], output, 0 );
315  PUT_UINT32_BE( ctx->state[1], output, 4 );
316  PUT_UINT32_BE( ctx->state[2], output, 8 );
317  PUT_UINT32_BE( ctx->state[3], output, 12 );
318  PUT_UINT32_BE( ctx->state[4], output, 16 );
319  PUT_UINT32_BE( ctx->state[5], output, 20 );
320  PUT_UINT32_BE( ctx->state[6], output, 24 );
321 
322  if( ctx->is224 == 0 )
323  PUT_UINT32_BE( ctx->state[7], output, 28 );
324 }
325 
326 #endif /* !POLARSSL_SHA256_ALT */
327 
328 /*
329  * output = SHA-256( input buffer )
330  */
331 void sha256( const unsigned char *input, size_t ilen,
332  unsigned char output[32], int is224 )
333 {
334  sha256_context ctx;
335 
336  sha256_starts( &ctx, is224 );
337  sha256_update( &ctx, input, ilen );
338  sha256_finish( &ctx, output );
339 
340  memset( &ctx, 0, sizeof( sha256_context ) );
341 }
342 
343 #if defined(POLARSSL_FS_IO)
344 /*
345  * output = SHA-256( file contents )
346  */
347 int sha256_file( const char *path, unsigned char output[32], int is224 )
348 {
349  FILE *f;
350  size_t n;
351  sha256_context ctx;
352  unsigned char buf[1024];
353 
354  if( ( f = fopen( path, "rb" ) ) == NULL )
356 
357  sha256_starts( &ctx, is224 );
358 
359  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
360  sha256_update( &ctx, buf, n );
361 
362  sha256_finish( &ctx, output );
363 
364  memset( &ctx, 0, sizeof( sha256_context ) );
365 
366  if( ferror( f ) != 0 )
367  {
368  fclose( f );
370  }
371 
372  fclose( f );
373  return( 0 );
374 }
375 #endif /* POLARSSL_FS_IO */
376 
377 /*
378  * SHA-256 HMAC context setup
379  */
380 void sha256_hmac_starts( sha256_context *ctx, const unsigned char *key,
381  size_t keylen, int is224 )
382 {
383  size_t i;
384  unsigned char sum[32];
385 
386  if( keylen > 64 )
387  {
388  sha256( key, keylen, sum, is224 );
389  keylen = ( is224 ) ? 28 : 32;
390  key = sum;
391  }
392 
393  memset( ctx->ipad, 0x36, 64 );
394  memset( ctx->opad, 0x5C, 64 );
395 
396  for( i = 0; i < keylen; i++ )
397  {
398  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
399  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
400  }
401 
402  sha256_starts( ctx, is224 );
403  sha256_update( ctx, ctx->ipad, 64 );
404 
405  memset( sum, 0, sizeof( sum ) );
406 }
407 
408 /*
409  * SHA-256 HMAC process buffer
410  */
411 void sha256_hmac_update( sha256_context *ctx, const unsigned char *input,
412  size_t ilen )
413 {
414  sha256_update( ctx, input, ilen );
415 }
416 
417 /*
418  * SHA-256 HMAC final digest
419  */
420 void sha256_hmac_finish( sha256_context *ctx, unsigned char output[32] )
421 {
422  int is224, hlen;
423  unsigned char tmpbuf[32];
424 
425  is224 = ctx->is224;
426  hlen = ( is224 == 0 ) ? 32 : 28;
427 
428  sha256_finish( ctx, tmpbuf );
429  sha256_starts( ctx, is224 );
430  sha256_update( ctx, ctx->opad, 64 );
431  sha256_update( ctx, tmpbuf, hlen );
432  sha256_finish( ctx, output );
433 
434  memset( tmpbuf, 0, sizeof( tmpbuf ) );
435 }
436 
437 /*
438  * SHA-256 HMAC context reset
439  */
441 {
442  sha256_starts( ctx, ctx->is224 );
443  sha256_update( ctx, ctx->ipad, 64 );
444 }
445 
446 /*
447  * output = HMAC-SHA-256( hmac key, input buffer )
448  */
449 void sha256_hmac( const unsigned char *key, size_t keylen,
450  const unsigned char *input, size_t ilen,
451  unsigned char output[32], int is224 )
452 {
453  sha256_context ctx;
454 
455  sha256_hmac_starts( &ctx, key, keylen, is224 );
456  sha256_hmac_update( &ctx, input, ilen );
457  sha256_hmac_finish( &ctx, output );
458 
459  memset( &ctx, 0, sizeof( sha256_context ) );
460 }
461 
462 #if defined(POLARSSL_SELF_TEST)
463 /*
464  * FIPS-180-2 test vectors
465  */
466 static unsigned char sha256_test_buf[3][57] =
467 {
468  { "abc" },
469  { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
470  { "" }
471 };
472 
473 static const int sha256_test_buflen[3] =
474 {
475  3, 56, 1000
476 };
477 
478 static const unsigned char sha256_test_sum[6][32] =
479 {
480  /*
481  * SHA-224 test vectors
482  */
483  { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
484  0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
485  0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
486  0xE3, 0x6C, 0x9D, 0xA7 },
487  { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
488  0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
489  0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
490  0x52, 0x52, 0x25, 0x25 },
491  { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
492  0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
493  0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
494  0x4E, 0xE7, 0xAD, 0x67 },
495 
496  /*
497  * SHA-256 test vectors
498  */
499  { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
500  0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
501  0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
502  0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
503  { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
504  0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
505  0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
506  0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
507  { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
508  0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
509  0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
510  0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
511 };
512 
513 /*
514  * RFC 4231 test vectors
515  */
516 static unsigned char sha256_hmac_test_key[7][26] =
517 {
518  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
519  "\x0B\x0B\x0B\x0B" },
520  { "Jefe" },
521  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
522  "\xAA\xAA\xAA\xAA" },
523  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
524  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
525  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
526  "\x0C\x0C\x0C\x0C" },
527  { "" }, /* 0xAA 131 times */
528  { "" }
529 };
530 
531 static const int sha256_hmac_test_keylen[7] =
532 {
533  20, 4, 20, 25, 20, 131, 131
534 };
535 
536 static unsigned char sha256_hmac_test_buf[7][153] =
537 {
538  { "Hi There" },
539  { "what do ya want for nothing?" },
540  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
541  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
542  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
543  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
544  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
545  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
546  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
547  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
548  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
549  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
550  { "Test With Truncation" },
551  { "Test Using Larger Than Block-Size Key - Hash Key First" },
552  { "This is a test using a larger than block-size key "
553  "and a larger than block-size data. The key needs to "
554  "be hashed before being used by the HMAC algorithm." }
555 };
556 
557 static const int sha256_hmac_test_buflen[7] =
558 {
559  8, 28, 50, 50, 20, 54, 152
560 };
561 
562 static const unsigned char sha256_hmac_test_sum[14][32] =
563 {
564  /*
565  * HMAC-SHA-224 test vectors
566  */
567  { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
568  0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
569  0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
570  0x53, 0x68, 0x4B, 0x22 },
571  { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
572  0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
573  0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
574  0x8F, 0xD0, 0x5E, 0x44 },
575  { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
576  0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
577  0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
578  0xEC, 0x83, 0x33, 0xEA },
579  { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
580  0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
581  0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
582  0xE7, 0xAF, 0xEC, 0x5A },
583  { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
584  0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
585  { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
586  0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
587  0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
588  0x3F, 0xA6, 0x87, 0x0E },
589  { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
590  0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
591  0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
592  0xF6, 0xF5, 0x65, 0xD1 },
593 
594  /*
595  * HMAC-SHA-256 test vectors
596  */
597  { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
598  0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
599  0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
600  0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
601  { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
602  0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
603  0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
604  0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
605  { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
606  0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
607  0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
608  0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
609  { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
610  0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
611  0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
612  0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
613  { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
614  0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
615  { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
616  0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
617  0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
618  0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
619  { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
620  0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
621  0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
622  0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
623 };
624 
625 /*
626  * Checkup routine
627  */
628 int sha256_self_test( int verbose )
629 {
630  int i, j, k, buflen;
631  unsigned char buf[1024];
632  unsigned char sha256sum[32];
633  sha256_context ctx;
634 
635  for( i = 0; i < 6; i++ )
636  {
637  j = i % 3;
638  k = i < 3;
639 
640  if( verbose != 0 )
641  polarssl_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
642 
643  sha256_starts( &ctx, k );
644 
645  if( j == 2 )
646  {
647  memset( buf, 'a', buflen = 1000 );
648 
649  for( j = 0; j < 1000; j++ )
650  sha256_update( &ctx, buf, buflen );
651  }
652  else
653  sha256_update( &ctx, sha256_test_buf[j],
654  sha256_test_buflen[j] );
655 
656  sha256_finish( &ctx, sha256sum );
657 
658  if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
659  {
660  if( verbose != 0 )
661  polarssl_printf( "failed\n" );
662 
663  return( 1 );
664  }
665 
666  if( verbose != 0 )
667  polarssl_printf( "passed\n" );
668  }
669 
670  if( verbose != 0 )
671  polarssl_printf( "\n" );
672 
673  for( i = 0; i < 14; i++ )
674  {
675  j = i % 7;
676  k = i < 7;
677 
678  if( verbose != 0 )
679  polarssl_printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
680 
681  if( j == 5 || j == 6 )
682  {
683  memset( buf, '\xAA', buflen = 131 );
684  sha256_hmac_starts( &ctx, buf, buflen, k );
685  }
686  else
687  sha256_hmac_starts( &ctx, sha256_hmac_test_key[j],
688  sha256_hmac_test_keylen[j], k );
689 
690  sha256_hmac_update( &ctx, sha256_hmac_test_buf[j],
691  sha256_hmac_test_buflen[j] );
692 
693  sha256_hmac_finish( &ctx, sha256sum );
694 
695  buflen = ( j == 4 ) ? 16 : 32 - k * 4;
696 
697  if( memcmp( sha256sum, sha256_hmac_test_sum[i], buflen ) != 0 )
698  {
699  if( verbose != 0 )
700  polarssl_printf( "failed\n" );
701 
702  return( 1 );
703  }
704 
705  if( verbose != 0 )
706  polarssl_printf( "passed\n" );
707  }
708 
709  if( verbose != 0 )
710  polarssl_printf( "\n" );
711 
712  return( 0 );
713 }
714 
715 #endif /* POLARSSL_SELF_TEST */
716 
717 #endif /* POLARSSL_SHA256_C */
void sha256_hmac_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 HMAC process buffer.
uint32_t total[2]
Definition: sha256.h:60
uint32_t state[8]
Definition: sha256.h:61
int sha256_file(const char *path, unsigned char output[32], int is224)
Output = SHA-256( file contents )
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
Configuration options (set of defines)
PolarSSL Platform abstraction layer.
unsigned char opad[64]
Definition: sha256.h:65
unsigned char ipad[64]
Definition: sha256.h:64
void sha256_hmac_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 HMAC final digest.
unsigned char buffer[64]
Definition: sha256.h:62
void sha256_hmac_starts(sha256_context *ctx, const unsigned char *key, size_t keylen, int is224)
SHA-256 HMAC context setup.
int sha256_self_test(int verbose)
Checkup routine.
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
#define POLARSSL_ERR_SHA256_FILE_IO_ERROR
Read/write error in file.
Definition: sha256.h:45
void sha256_hmac_reset(sha256_context *ctx)
SHA-256 HMAC context reset.
void sha256_process(sha256_context *ctx, const unsigned char data[64])
#define polarssl_printf
Definition: platform.h:109
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
SHA-256 context structure.
Definition: sha256.h:58
SHA-224 and SHA-256 cryptographic hash function.