]> cvs.zerfleddert.de Git - proxmark3-svn/blob - common/sha256.c
CHG: 'analyse hid' added @holiman 's permute functions to the output to verify
[proxmark3-svn] / common / sha256.c
1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5 *
6 * This file is part of mbed TLS (https://tls.mbed.org)
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22 /*
23 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
24 *
25 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 //#include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_SHA256_C)
35
36 #include "mbedtls/sha256.h"
37
38 #include <string.h>
39
40 #if defined(MBEDTLS_SELF_TEST)
41 #if defined(MBEDTLS_PLATFORM_C)
42 #include "mbedtls/platform.h"
43 #else
44 #include <stdio.h>
45 #define mbedtls_printf printf
46 #endif /* MBEDTLS_PLATFORM_C */
47 #endif /* MBEDTLS_SELF_TEST */
48
49 /* Implementation that should never be optimized out by the compiler */
50 static void mbedtls_zeroize( void *v, size_t n ) {
51 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
52 }
53
54 #if !defined(MBEDTLS_SHA256_ALT)
55
56 /*
57 * 32-bit integer manipulation macros (big endian)
58 */
59 #ifndef GET_UINT32_BE
60 #define GET_UINT32_BE(n,b,i) \
61 do { \
62 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
63 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
65 | ( (uint32_t) (b)[(i) + 3] ); \
66 } while( 0 )
67 #endif
68
69 #ifndef PUT_UINT32_BE
70 #define PUT_UINT32_BE(n,b,i) \
71 do { \
72 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) ); \
76 } while( 0 )
77 #endif
78
79 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
80 {
81 memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
82 }
83
84 void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
85 {
86 if( ctx == NULL )
87 return;
88
89 mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
90 }
91
92 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
93 const mbedtls_sha256_context *src )
94 {
95 *dst = *src;
96 }
97
98 /*
99 * SHA-256 context setup
100 */
101 void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
102 {
103 ctx->total[0] = 0;
104 ctx->total[1] = 0;
105
106 if( is224 == 0 )
107 {
108 /* SHA-256 */
109 ctx->state[0] = 0x6A09E667;
110 ctx->state[1] = 0xBB67AE85;
111 ctx->state[2] = 0x3C6EF372;
112 ctx->state[3] = 0xA54FF53A;
113 ctx->state[4] = 0x510E527F;
114 ctx->state[5] = 0x9B05688C;
115 ctx->state[6] = 0x1F83D9AB;
116 ctx->state[7] = 0x5BE0CD19;
117 }
118 else
119 {
120 /* SHA-224 */
121 ctx->state[0] = 0xC1059ED8;
122 ctx->state[1] = 0x367CD507;
123 ctx->state[2] = 0x3070DD17;
124 ctx->state[3] = 0xF70E5939;
125 ctx->state[4] = 0xFFC00B31;
126 ctx->state[5] = 0x68581511;
127 ctx->state[6] = 0x64F98FA7;
128 ctx->state[7] = 0xBEFA4FA4;
129 }
130
131 ctx->is224 = is224;
132 }
133
134 #if !defined(MBEDTLS_SHA256_PROCESS_ALT)
135 static const uint32_t K[] =
136 {
137 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
138 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
139 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
140 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
141 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
142 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
143 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
144 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
145 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
146 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
147 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
148 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
149 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
150 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
151 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
152 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
153 };
154
155 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
156 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
157
158 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
159 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
160
161 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
162 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
163
164 #define F0(x,y,z) ((x & y) | (z & (x | y)))
165 #define F1(x,y,z) (z ^ (x & (y ^ z)))
166
167 #define R(t) \
168 ( \
169 W[t] = S1(W[t - 2]) + W[t - 7] + \
170 S0(W[t - 15]) + W[t - 16] \
171 )
172
173 #define P(a,b,c,d,e,f,g,h,x,K) \
174 { \
175 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
176 temp2 = S2(a) + F0(a,b,c); \
177 d += temp1; h = temp1 + temp2; \
178 }
179
180 void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
181 {
182 uint32_t temp1, temp2, W[64];
183 uint32_t A[8];
184 unsigned int i;
185
186 for( i = 0; i < 8; i++ )
187 A[i] = ctx->state[i];
188
189 #if defined(MBEDTLS_SHA256_SMALLER)
190 for( i = 0; i < 64; i++ )
191 {
192 if( i < 16 )
193 GET_UINT32_BE( W[i], data, 4 * i );
194 else
195 R( i );
196
197 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
198
199 temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
200 A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
201 }
202 #else /* MBEDTLS_SHA256_SMALLER */
203 for( i = 0; i < 16; i++ )
204 GET_UINT32_BE( W[i], data, 4 * i );
205
206 for( i = 0; i < 16; i += 8 )
207 {
208 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
209 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
210 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
211 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
212 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
213 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
214 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
215 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
216 }
217
218 for( i = 16; i < 64; i += 8 )
219 {
220 P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
221 P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
222 P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
223 P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
224 P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
225 P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
226 P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
227 P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
228 }
229 #endif /* MBEDTLS_SHA256_SMALLER */
230
231 for( i = 0; i < 8; i++ )
232 ctx->state[i] += A[i];
233 }
234 #endif /* !MBEDTLS_SHA256_PROCESS_ALT */
235
236 /*
237 * SHA-256 process buffer
238 */
239 void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input,
240 size_t ilen )
241 {
242 size_t fill;
243 uint32_t left;
244
245 if( ilen == 0 )
246 return;
247
248 left = ctx->total[0] & 0x3F;
249 fill = 64 - left;
250
251 ctx->total[0] += (uint32_t) ilen;
252 ctx->total[0] &= 0xFFFFFFFF;
253
254 if( ctx->total[0] < (uint32_t) ilen )
255 ctx->total[1]++;
256
257 if( left && ilen >= fill )
258 {
259 memcpy( (void *) (ctx->buffer + left), input, fill );
260 mbedtls_sha256_process( ctx, ctx->buffer );
261 input += fill;
262 ilen -= fill;
263 left = 0;
264 }
265
266 while( ilen >= 64 )
267 {
268 mbedtls_sha256_process( ctx, input );
269 input += 64;
270 ilen -= 64;
271 }
272
273 if( ilen > 0 )
274 memcpy( (void *) (ctx->buffer + left), input, ilen );
275 }
276
277 static const unsigned char sha256_padding[64] =
278 {
279 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
283 };
284
285 /*
286 * SHA-256 final digest
287 */
288 void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] )
289 {
290 uint32_t last, padn;
291 uint32_t high, low;
292 unsigned char msglen[8];
293
294 high = ( ctx->total[0] >> 29 )
295 | ( ctx->total[1] << 3 );
296 low = ( ctx->total[0] << 3 );
297
298 PUT_UINT32_BE( high, msglen, 0 );
299 PUT_UINT32_BE( low, msglen, 4 );
300
301 last = ctx->total[0] & 0x3F;
302 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
303
304 mbedtls_sha256_update( ctx, sha256_padding, padn );
305 mbedtls_sha256_update( ctx, msglen, 8 );
306
307 PUT_UINT32_BE( ctx->state[0], output, 0 );
308 PUT_UINT32_BE( ctx->state[1], output, 4 );
309 PUT_UINT32_BE( ctx->state[2], output, 8 );
310 PUT_UINT32_BE( ctx->state[3], output, 12 );
311 PUT_UINT32_BE( ctx->state[4], output, 16 );
312 PUT_UINT32_BE( ctx->state[5], output, 20 );
313 PUT_UINT32_BE( ctx->state[6], output, 24 );
314
315 if( ctx->is224 == 0 )
316 PUT_UINT32_BE( ctx->state[7], output, 28 );
317 }
318
319 #endif /* !MBEDTLS_SHA256_ALT */
320
321 /*
322 * output = SHA-256( input buffer )
323 */
324 void mbedtls_sha256( const unsigned char *input, size_t ilen,
325 unsigned char output[32], int is224 )
326 {
327 mbedtls_sha256_context ctx;
328
329 mbedtls_sha256_init( &ctx );
330 mbedtls_sha256_starts( &ctx, is224 );
331 mbedtls_sha256_update( &ctx, input, ilen );
332 mbedtls_sha256_finish( &ctx, output );
333 mbedtls_sha256_free( &ctx );
334 }
335
336 #if defined(MBEDTLS_SELF_TEST)
337 /*
338 * FIPS-180-2 test vectors
339 */
340 static const unsigned char sha256_test_buf[3][57] =
341 {
342 { "abc" },
343 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
344 { "" }
345 };
346
347 static const int sha256_test_buflen[3] =
348 {
349 3, 56, 1000
350 };
351
352 static const unsigned char sha256_test_sum[6][32] =
353 {
354 /*
355 * SHA-224 test vectors
356 */
357 { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
358 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
359 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
360 0xE3, 0x6C, 0x9D, 0xA7 },
361 { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
362 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
363 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
364 0x52, 0x52, 0x25, 0x25 },
365 { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
366 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
367 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
368 0x4E, 0xE7, 0xAD, 0x67 },
369
370 /*
371 * SHA-256 test vectors
372 */
373 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
374 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
375 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
376 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
377 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
378 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
379 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
380 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
381 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
382 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
383 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
384 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
385 };
386
387 /*
388 * Checkup routine
389 */
390 int mbedtls_sha256_self_test( int verbose )
391 {
392 int i, j, k, buflen, ret = 0;
393 unsigned char buf[1024];
394 unsigned char sha256sum[32];
395 mbedtls_sha256_context ctx;
396
397 mbedtls_sha256_init( &ctx );
398
399 for( i = 0; i < 6; i++ )
400 {
401 j = i % 3;
402 k = i < 3;
403
404 if( verbose != 0 )
405 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
406
407 mbedtls_sha256_starts( &ctx, k );
408
409 if( j == 2 )
410 {
411 memset( buf, 'a', buflen = 1000 );
412
413 for( j = 0; j < 1000; j++ )
414 mbedtls_sha256_update( &ctx, buf, buflen );
415 }
416 else
417 mbedtls_sha256_update( &ctx, sha256_test_buf[j],
418 sha256_test_buflen[j] );
419
420 mbedtls_sha256_finish( &ctx, sha256sum );
421
422 if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
423 {
424 if( verbose != 0 )
425 mbedtls_printf( "failed\n" );
426
427 ret = 1;
428 goto exit;
429 }
430
431 if( verbose != 0 )
432 mbedtls_printf( "passed\n" );
433 }
434
435 if( verbose != 0 )
436 mbedtls_printf( "\n" );
437
438 exit:
439 mbedtls_sha256_free( &ctx );
440
441 return( ret );
442 }
443
444 #endif /* MBEDTLS_SELF_TEST */
445
446 #endif /* MBEDTLS_SHA256_C */
Impressum, Datenschutz