3 #ifdef SHA_POLARSSL /* remainder of file */
6 * FIPS-180-2 compliant SHA-256 implementation
8 * Copyright (C) 2006-2010, Brainspark B.V.
10 * This file is part of PolarSSL (http://www.polarssl.org)
11 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
13 * All rights reserved.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License along
26 * with this program; if not, write to the Free Software Foundation, Inc.,
27 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
32 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
35 #include "polarssl/config.h"
37 #if defined(POLARSSL_SHA2_C)
39 #include "polarssl/sha2.h"
45 * 32-bit integer manipulation macros (big endian)
48 #define GET_ULONG_BE(n,b,i) \
50 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
51 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
52 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
53 | ( (unsigned long) (b)[(i) + 3] ); \
58 #define PUT_ULONG_BE(n,b,i) \
60 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
61 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
62 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
63 (b)[(i) + 3] = (unsigned char) ( (n) ); \
68 * SHA-256 context setup
70 void sha2_starts( sha2_context
*ctx
, int is224
)
78 ctx
->state
[0] = 0x6A09E667;
79 ctx
->state
[1] = 0xBB67AE85;
80 ctx
->state
[2] = 0x3C6EF372;
81 ctx
->state
[3] = 0xA54FF53A;
82 ctx
->state
[4] = 0x510E527F;
83 ctx
->state
[5] = 0x9B05688C;
84 ctx
->state
[6] = 0x1F83D9AB;
85 ctx
->state
[7] = 0x5BE0CD19;
90 ctx
->state
[0] = 0xC1059ED8;
91 ctx
->state
[1] = 0x367CD507;
92 ctx
->state
[2] = 0x3070DD17;
93 ctx
->state
[3] = 0xF70E5939;
94 ctx
->state
[4] = 0xFFC00B31;
95 ctx
->state
[5] = 0x68581511;
96 ctx
->state
[6] = 0x64F98FA7;
97 ctx
->state
[7] = 0xBEFA4FA4;
103 static void sha2_process( sha2_context
*ctx
, const unsigned char data
[64] )
105 unsigned long temp1
, temp2
, W
[64];
106 unsigned long A
, B
, C
, D
, E
, F
, G
, H
;
108 GET_ULONG_BE( W
[ 0], data
, 0 );
109 GET_ULONG_BE( W
[ 1], data
, 4 );
110 GET_ULONG_BE( W
[ 2], data
, 8 );
111 GET_ULONG_BE( W
[ 3], data
, 12 );
112 GET_ULONG_BE( W
[ 4], data
, 16 );
113 GET_ULONG_BE( W
[ 5], data
, 20 );
114 GET_ULONG_BE( W
[ 6], data
, 24 );
115 GET_ULONG_BE( W
[ 7], data
, 28 );
116 GET_ULONG_BE( W
[ 8], data
, 32 );
117 GET_ULONG_BE( W
[ 9], data
, 36 );
118 GET_ULONG_BE( W
[10], data
, 40 );
119 GET_ULONG_BE( W
[11], data
, 44 );
120 GET_ULONG_BE( W
[12], data
, 48 );
121 GET_ULONG_BE( W
[13], data
, 52 );
122 GET_ULONG_BE( W
[14], data
, 56 );
123 GET_ULONG_BE( W
[15], data
, 60 );
125 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
126 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
128 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
129 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
131 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
132 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
134 #define F0(x,y,z) ((x & y) | (z & (x | y)))
135 #define F1(x,y,z) (z ^ (x & (y ^ z)))
139 W[t] = S1(W[t - 2]) + W[t - 7] + \
140 S0(W[t - 15]) + W[t - 16] \
143 #define P(a,b,c,d,e,f,g,h,x,K) \
145 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
146 temp2 = S2(a) + F0(a,b,c); \
147 d += temp1; h = temp1 + temp2; \
159 P( A
, B
, C
, D
, E
, F
, G
, H
, W
[ 0], 0x428A2F98 );
160 P( H
, A
, B
, C
, D
, E
, F
, G
, W
[ 1], 0x71374491 );
161 P( G
, H
, A
, B
, C
, D
, E
, F
, W
[ 2], 0xB5C0FBCF );
162 P( F
, G
, H
, A
, B
, C
, D
, E
, W
[ 3], 0xE9B5DBA5 );
163 P( E
, F
, G
, H
, A
, B
, C
, D
, W
[ 4], 0x3956C25B );
164 P( D
, E
, F
, G
, H
, A
, B
, C
, W
[ 5], 0x59F111F1 );
165 P( C
, D
, E
, F
, G
, H
, A
, B
, W
[ 6], 0x923F82A4 );
166 P( B
, C
, D
, E
, F
, G
, H
, A
, W
[ 7], 0xAB1C5ED5 );
167 P( A
, B
, C
, D
, E
, F
, G
, H
, W
[ 8], 0xD807AA98 );
168 P( H
, A
, B
, C
, D
, E
, F
, G
, W
[ 9], 0x12835B01 );
169 P( G
, H
, A
, B
, C
, D
, E
, F
, W
[10], 0x243185BE );
170 P( F
, G
, H
, A
, B
, C
, D
, E
, W
[11], 0x550C7DC3 );
171 P( E
, F
, G
, H
, A
, B
, C
, D
, W
[12], 0x72BE5D74 );
172 P( D
, E
, F
, G
, H
, A
, B
, C
, W
[13], 0x80DEB1FE );
173 P( C
, D
, E
, F
, G
, H
, A
, B
, W
[14], 0x9BDC06A7 );
174 P( B
, C
, D
, E
, F
, G
, H
, A
, W
[15], 0xC19BF174 );
175 P( A
, B
, C
, D
, E
, F
, G
, H
, R(16), 0xE49B69C1 );
176 P( H
, A
, B
, C
, D
, E
, F
, G
, R(17), 0xEFBE4786 );
177 P( G
, H
, A
, B
, C
, D
, E
, F
, R(18), 0x0FC19DC6 );
178 P( F
, G
, H
, A
, B
, C
, D
, E
, R(19), 0x240CA1CC );
179 P( E
, F
, G
, H
, A
, B
, C
, D
, R(20), 0x2DE92C6F );
180 P( D
, E
, F
, G
, H
, A
, B
, C
, R(21), 0x4A7484AA );
181 P( C
, D
, E
, F
, G
, H
, A
, B
, R(22), 0x5CB0A9DC );
182 P( B
, C
, D
, E
, F
, G
, H
, A
, R(23), 0x76F988DA );
183 P( A
, B
, C
, D
, E
, F
, G
, H
, R(24), 0x983E5152 );
184 P( H
, A
, B
, C
, D
, E
, F
, G
, R(25), 0xA831C66D );
185 P( G
, H
, A
, B
, C
, D
, E
, F
, R(26), 0xB00327C8 );
186 P( F
, G
, H
, A
, B
, C
, D
, E
, R(27), 0xBF597FC7 );
187 P( E
, F
, G
, H
, A
, B
, C
, D
, R(28), 0xC6E00BF3 );
188 P( D
, E
, F
, G
, H
, A
, B
, C
, R(29), 0xD5A79147 );
189 P( C
, D
, E
, F
, G
, H
, A
, B
, R(30), 0x06CA6351 );
190 P( B
, C
, D
, E
, F
, G
, H
, A
, R(31), 0x14292967 );
191 P( A
, B
, C
, D
, E
, F
, G
, H
, R(32), 0x27B70A85 );
192 P( H
, A
, B
, C
, D
, E
, F
, G
, R(33), 0x2E1B2138 );
193 P( G
, H
, A
, B
, C
, D
, E
, F
, R(34), 0x4D2C6DFC );
194 P( F
, G
, H
, A
, B
, C
, D
, E
, R(35), 0x53380D13 );
195 P( E
, F
, G
, H
, A
, B
, C
, D
, R(36), 0x650A7354 );
196 P( D
, E
, F
, G
, H
, A
, B
, C
, R(37), 0x766A0ABB );
197 P( C
, D
, E
, F
, G
, H
, A
, B
, R(38), 0x81C2C92E );
198 P( B
, C
, D
, E
, F
, G
, H
, A
, R(39), 0x92722C85 );
199 P( A
, B
, C
, D
, E
, F
, G
, H
, R(40), 0xA2BFE8A1 );
200 P( H
, A
, B
, C
, D
, E
, F
, G
, R(41), 0xA81A664B );
201 P( G
, H
, A
, B
, C
, D
, E
, F
, R(42), 0xC24B8B70 );
202 P( F
, G
, H
, A
, B
, C
, D
, E
, R(43), 0xC76C51A3 );
203 P( E
, F
, G
, H
, A
, B
, C
, D
, R(44), 0xD192E819 );
204 P( D
, E
, F
, G
, H
, A
, B
, C
, R(45), 0xD6990624 );
205 P( C
, D
, E
, F
, G
, H
, A
, B
, R(46), 0xF40E3585 );
206 P( B
, C
, D
, E
, F
, G
, H
, A
, R(47), 0x106AA070 );
207 P( A
, B
, C
, D
, E
, F
, G
, H
, R(48), 0x19A4C116 );
208 P( H
, A
, B
, C
, D
, E
, F
, G
, R(49), 0x1E376C08 );
209 P( G
, H
, A
, B
, C
, D
, E
, F
, R(50), 0x2748774C );
210 P( F
, G
, H
, A
, B
, C
, D
, E
, R(51), 0x34B0BCB5 );
211 P( E
, F
, G
, H
, A
, B
, C
, D
, R(52), 0x391C0CB3 );
212 P( D
, E
, F
, G
, H
, A
, B
, C
, R(53), 0x4ED8AA4A );
213 P( C
, D
, E
, F
, G
, H
, A
, B
, R(54), 0x5B9CCA4F );
214 P( B
, C
, D
, E
, F
, G
, H
, A
, R(55), 0x682E6FF3 );
215 P( A
, B
, C
, D
, E
, F
, G
, H
, R(56), 0x748F82EE );
216 P( H
, A
, B
, C
, D
, E
, F
, G
, R(57), 0x78A5636F );
217 P( G
, H
, A
, B
, C
, D
, E
, F
, R(58), 0x84C87814 );
218 P( F
, G
, H
, A
, B
, C
, D
, E
, R(59), 0x8CC70208 );
219 P( E
, F
, G
, H
, A
, B
, C
, D
, R(60), 0x90BEFFFA );
220 P( D
, E
, F
, G
, H
, A
, B
, C
, R(61), 0xA4506CEB );
221 P( C
, D
, E
, F
, G
, H
, A
, B
, R(62), 0xBEF9A3F7 );
222 P( B
, C
, D
, E
, F
, G
, H
, A
, R(63), 0xC67178F2 );
235 * SHA-256 process buffer
237 void sha2_update( sha2_context
*ctx
, const unsigned char *input
, int ilen
)
245 left
= ctx
->total
[0] & 0x3F;
248 ctx
->total
[0] += ilen
;
249 ctx
->total
[0] &= 0xFFFFFFFF;
251 if( ctx
->total
[0] < (unsigned long) ilen
)
254 if( left
&& ilen
>= fill
)
256 memcpy( (void *) (ctx
->buffer
+ left
),
257 (void *) input
, fill
);
258 sha2_process( ctx
, ctx
->buffer
);
266 sha2_process( ctx
, input
);
273 memcpy( (void *) (ctx
->buffer
+ left
),
274 (void *) input
, ilen
);
278 static const unsigned char sha2_padding
[64] =
280 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
287 * SHA-256 final digest
289 void sha2_finish( sha2_context
*ctx
, unsigned char output
[32] )
291 unsigned long last
, padn
;
292 unsigned long high
, low
;
293 unsigned char msglen
[8];
295 high
= ( ctx
->total
[0] >> 29 )
296 | ( ctx
->total
[1] << 3 );
297 low
= ( ctx
->total
[0] << 3 );
299 PUT_ULONG_BE( high
, msglen
, 0 );
300 PUT_ULONG_BE( low
, msglen
, 4 );
302 last
= ctx
->total
[0] & 0x3F;
303 padn
= ( last
< 56 ) ? ( 56 - last
) : ( 120 - last
);
305 sha2_update( ctx
, (unsigned char *) sha2_padding
, padn
);
306 sha2_update( ctx
, msglen
, 8 );
308 PUT_ULONG_BE( ctx
->state
[0], output
, 0 );
309 PUT_ULONG_BE( ctx
->state
[1], output
, 4 );
310 PUT_ULONG_BE( ctx
->state
[2], output
, 8 );
311 PUT_ULONG_BE( ctx
->state
[3], output
, 12 );
312 PUT_ULONG_BE( ctx
->state
[4], output
, 16 );
313 PUT_ULONG_BE( ctx
->state
[5], output
, 20 );
314 PUT_ULONG_BE( ctx
->state
[6], output
, 24 );
316 if( ctx
->is224
== 0 )
317 PUT_ULONG_BE( ctx
->state
[7], output
, 28 );
321 * output = SHA-256( input buffer )
323 void sha2( const unsigned char *input
, int ilen
,
324 unsigned char output
[32], int is224
)
328 sha2_starts( &ctx
, is224
);
329 sha2_update( &ctx
, input
, ilen
);
330 sha2_finish( &ctx
, output
);
332 memset( &ctx
, 0, sizeof( sha2_context
) );
336 * output = SHA-256( file contents )
338 int sha2_file( const char *path
, unsigned char output
[32], int is224
)
343 unsigned char buf
[1024];
345 if( ( f
= fopen( path
, "rb" ) ) == NULL
)
348 sha2_starts( &ctx
, is224
);
350 while( ( n
= fread( buf
, 1, sizeof( buf
), f
) ) > 0 )
351 sha2_update( &ctx
, buf
, (int) n
);
353 sha2_finish( &ctx
, output
);
355 memset( &ctx
, 0, sizeof( sha2_context
) );
357 if( ferror( f
) != 0 )
368 * SHA-256 HMAC context setup
370 void sha2_hmac_starts( sha2_context
*ctx
, const unsigned char *key
, int keylen
,
374 unsigned char sum
[32];
378 sha2( key
, keylen
, sum
, is224
);
379 keylen
= ( is224
) ? 28 : 32;
383 memset( ctx
->ipad
, 0x36, 64 );
384 memset( ctx
->opad
, 0x5C, 64 );
386 for( i
= 0; i
< keylen
; i
++ )
388 ctx
->ipad
[i
] = (unsigned char)( ctx
->ipad
[i
] ^ key
[i
] );
389 ctx
->opad
[i
] = (unsigned char)( ctx
->opad
[i
] ^ key
[i
] );
392 sha2_starts( ctx
, is224
);
393 sha2_update( ctx
, ctx
->ipad
, 64 );
395 memset( sum
, 0, sizeof( sum
) );
399 * SHA-256 HMAC process buffer
401 void sha2_hmac_update( sha2_context
*ctx
, const unsigned char *input
, int ilen
)
403 sha2_update( ctx
, input
, ilen
);
407 * SHA-256 HMAC final digest
409 void sha2_hmac_finish( sha2_context
*ctx
, unsigned char output
[32] )
412 unsigned char tmpbuf
[32];
415 hlen
= ( is224
== 0 ) ? 32 : 28;
417 sha2_finish( ctx
, tmpbuf
);
418 sha2_starts( ctx
, is224
);
419 sha2_update( ctx
, ctx
->opad
, 64 );
420 sha2_update( ctx
, tmpbuf
, hlen
);
421 sha2_finish( ctx
, output
);
423 memset( tmpbuf
, 0, sizeof( tmpbuf
) );
427 * SHA-256 HMAC context reset
429 void sha2_hmac_reset( sha2_context
*ctx
)
431 sha2_starts( ctx
, ctx
->is224
);
432 sha2_update( ctx
, ctx
->ipad
, 64 );
436 * output = HMAC-SHA-256( hmac key, input buffer )
438 void sha2_hmac( const unsigned char *key
, int keylen
,
439 const unsigned char *input
, int ilen
,
440 unsigned char output
[32], int is224
)
444 sha2_hmac_starts( &ctx
, key
, keylen
, is224
);
445 sha2_hmac_update( &ctx
, input
, ilen
);
446 sha2_hmac_finish( &ctx
, output
);
448 memset( &ctx
, 0, sizeof( sha2_context
) );