PolarSSL v1.1.5
sha2.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-256 implementation
3  *
4  * Copyright (C) 2006-2010, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27  *
28  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29  */
30 
31 #include "polarssl/config.h"
32 
33 #if defined(POLARSSL_SHA2_C)
34 
35 #include "polarssl/sha2.h"
36 
37 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
38 #include <stdio.h>
39 #endif
40 
41 /*
42  * 32-bit integer manipulation macros (big endian)
43  */
44 #ifndef GET_ULONG_BE
45 #define GET_ULONG_BE(n,b,i) \
46 { \
47  (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
48  | ( (unsigned long) (b)[(i) + 1] << 16 ) \
49  | ( (unsigned long) (b)[(i) + 2] << 8 ) \
50  | ( (unsigned long) (b)[(i) + 3] ); \
51 }
52 #endif
53 
54 #ifndef PUT_ULONG_BE
55 #define PUT_ULONG_BE(n,b,i) \
56 { \
57  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
58  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
59  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
60  (b)[(i) + 3] = (unsigned char) ( (n) ); \
61 }
62 #endif
63 
64 /*
65  * SHA-256 context setup
66  */
67 void sha2_starts( sha2_context *ctx, int is224 )
68 {
69  ctx->total[0] = 0;
70  ctx->total[1] = 0;
71 
72  if( is224 == 0 )
73  {
74  /* SHA-256 */
75  ctx->state[0] = 0x6A09E667;
76  ctx->state[1] = 0xBB67AE85;
77  ctx->state[2] = 0x3C6EF372;
78  ctx->state[3] = 0xA54FF53A;
79  ctx->state[4] = 0x510E527F;
80  ctx->state[5] = 0x9B05688C;
81  ctx->state[6] = 0x1F83D9AB;
82  ctx->state[7] = 0x5BE0CD19;
83  }
84  else
85  {
86  /* SHA-224 */
87  ctx->state[0] = 0xC1059ED8;
88  ctx->state[1] = 0x367CD507;
89  ctx->state[2] = 0x3070DD17;
90  ctx->state[3] = 0xF70E5939;
91  ctx->state[4] = 0xFFC00B31;
92  ctx->state[5] = 0x68581511;
93  ctx->state[6] = 0x64F98FA7;
94  ctx->state[7] = 0xBEFA4FA4;
95  }
96 
97  ctx->is224 = is224;
98 }
99 
100 static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
101 {
102  unsigned long temp1, temp2, W[64];
103  unsigned long A, B, C, D, E, F, G, H;
104 
105  GET_ULONG_BE( W[ 0], data, 0 );
106  GET_ULONG_BE( W[ 1], data, 4 );
107  GET_ULONG_BE( W[ 2], data, 8 );
108  GET_ULONG_BE( W[ 3], data, 12 );
109  GET_ULONG_BE( W[ 4], data, 16 );
110  GET_ULONG_BE( W[ 5], data, 20 );
111  GET_ULONG_BE( W[ 6], data, 24 );
112  GET_ULONG_BE( W[ 7], data, 28 );
113  GET_ULONG_BE( W[ 8], data, 32 );
114  GET_ULONG_BE( W[ 9], data, 36 );
115  GET_ULONG_BE( W[10], data, 40 );
116  GET_ULONG_BE( W[11], data, 44 );
117  GET_ULONG_BE( W[12], data, 48 );
118  GET_ULONG_BE( W[13], data, 52 );
119  GET_ULONG_BE( W[14], data, 56 );
120  GET_ULONG_BE( W[15], data, 60 );
121 
122 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
123 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
124 
125 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
126 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
127 
128 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
129 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
130 
131 #define F0(x,y,z) ((x & y) | (z & (x | y)))
132 #define F1(x,y,z) (z ^ (x & (y ^ z)))
133 
134 #define R(t) \
135 ( \
136  W[t] = S1(W[t - 2]) + W[t - 7] + \
137  S0(W[t - 15]) + W[t - 16] \
138 )
139 
140 #define P(a,b,c,d,e,f,g,h,x,K) \
141 { \
142  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
143  temp2 = S2(a) + F0(a,b,c); \
144  d += temp1; h = temp1 + temp2; \
145 }
146 
147  A = ctx->state[0];
148  B = ctx->state[1];
149  C = ctx->state[2];
150  D = ctx->state[3];
151  E = ctx->state[4];
152  F = ctx->state[5];
153  G = ctx->state[6];
154  H = ctx->state[7];
155 
156  P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
157  P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
158  P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
159  P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
160  P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
161  P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
162  P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
163  P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
164  P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
165  P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
166  P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
167  P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
168  P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
169  P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
170  P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
171  P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
172  P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
173  P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
174  P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
175  P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
176  P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
177  P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
178  P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
179  P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
180  P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
181  P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
182  P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
183  P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
184  P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
185  P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
186  P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
187  P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
188  P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
189  P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
190  P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
191  P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
192  P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
193  P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
194  P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
195  P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
196  P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
197  P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
198  P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
199  P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
200  P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
201  P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
202  P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
203  P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
204  P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
205  P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
206  P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
207  P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
208  P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
209  P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
210  P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
211  P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
212  P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
213  P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
214  P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
215  P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
216  P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
217  P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
218  P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
219  P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
220 
221  ctx->state[0] += A;
222  ctx->state[1] += B;
223  ctx->state[2] += C;
224  ctx->state[3] += D;
225  ctx->state[4] += E;
226  ctx->state[5] += F;
227  ctx->state[6] += G;
228  ctx->state[7] += H;
229 }
230 
231 /*
232  * SHA-256 process buffer
233  */
234 void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
235 {
236  size_t fill;
237  unsigned long left;
238 
239  if( ilen <= 0 )
240  return;
241 
242  left = ctx->total[0] & 0x3F;
243  fill = 64 - left;
244 
245  ctx->total[0] += (unsigned long) ilen;
246  ctx->total[0] &= 0xFFFFFFFF;
247 
248  if( ctx->total[0] < (unsigned long) ilen )
249  ctx->total[1]++;
250 
251  if( left && ilen >= fill )
252  {
253  memcpy( (void *) (ctx->buffer + left),
254  (void *) input, fill );
255  sha2_process( ctx, ctx->buffer );
256  input += fill;
257  ilen -= fill;
258  left = 0;
259  }
260 
261  while( ilen >= 64 )
262  {
263  sha2_process( ctx, input );
264  input += 64;
265  ilen -= 64;
266  }
267 
268  if( ilen > 0 )
269  {
270  memcpy( (void *) (ctx->buffer + left),
271  (void *) input, ilen );
272  }
273 }
274 
275 static const unsigned char sha2_padding[64] =
276 {
277  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
281 };
282 
283 /*
284  * SHA-256 final digest
285  */
286 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
287 {
288  unsigned long last, padn;
289  unsigned long high, low;
290  unsigned char msglen[8];
291 
292  high = ( ctx->total[0] >> 29 )
293  | ( ctx->total[1] << 3 );
294  low = ( ctx->total[0] << 3 );
295 
296  PUT_ULONG_BE( high, msglen, 0 );
297  PUT_ULONG_BE( low, msglen, 4 );
298 
299  last = ctx->total[0] & 0x3F;
300  padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
301 
302  sha2_update( ctx, (unsigned char *) sha2_padding, padn );
303  sha2_update( ctx, msglen, 8 );
304 
305  PUT_ULONG_BE( ctx->state[0], output, 0 );
306  PUT_ULONG_BE( ctx->state[1], output, 4 );
307  PUT_ULONG_BE( ctx->state[2], output, 8 );
308  PUT_ULONG_BE( ctx->state[3], output, 12 );
309  PUT_ULONG_BE( ctx->state[4], output, 16 );
310  PUT_ULONG_BE( ctx->state[5], output, 20 );
311  PUT_ULONG_BE( ctx->state[6], output, 24 );
312 
313  if( ctx->is224 == 0 )
314  PUT_ULONG_BE( ctx->state[7], output, 28 );
315 }
316 
317 /*
318  * output = SHA-256( input buffer )
319  */
320 void sha2( const unsigned char *input, size_t ilen,
321  unsigned char output[32], int is224 )
322 {
323  sha2_context ctx;
324 
325  sha2_starts( &ctx, is224 );
326  sha2_update( &ctx, input, ilen );
327  sha2_finish( &ctx, output );
328 
329  memset( &ctx, 0, sizeof( sha2_context ) );
330 }
331 
332 #if defined(POLARSSL_FS_IO)
333 /*
334  * output = SHA-256( file contents )
335  */
336 int sha2_file( const char *path, unsigned char output[32], int is224 )
337 {
338  FILE *f;
339  size_t n;
340  sha2_context ctx;
341  unsigned char buf[1024];
342 
343  if( ( f = fopen( path, "rb" ) ) == NULL )
345 
346  sha2_starts( &ctx, is224 );
347 
348  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
349  sha2_update( &ctx, buf, n );
350 
351  sha2_finish( &ctx, output );
352 
353  memset( &ctx, 0, sizeof( sha2_context ) );
354 
355  if( ferror( f ) != 0 )
356  {
357  fclose( f );
359  }
360 
361  fclose( f );
362  return( 0 );
363 }
364 #endif /* POLARSSL_FS_IO */
365 
366 /*
367  * SHA-256 HMAC context setup
368  */
369 void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
370  int is224 )
371 {
372  size_t i;
373  unsigned char sum[32];
374 
375  if( keylen > 64 )
376  {
377  sha2( key, keylen, sum, is224 );
378  keylen = ( is224 ) ? 28 : 32;
379  key = sum;
380  }
381 
382  memset( ctx->ipad, 0x36, 64 );
383  memset( ctx->opad, 0x5C, 64 );
384 
385  for( i = 0; i < keylen; i++ )
386  {
387  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
388  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
389  }
390 
391  sha2_starts( ctx, is224 );
392  sha2_update( ctx, ctx->ipad, 64 );
393 
394  memset( sum, 0, sizeof( sum ) );
395 }
396 
397 /*
398  * SHA-256 HMAC process buffer
399  */
400 void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
401 {
402  sha2_update( ctx, input, ilen );
403 }
404 
405 /*
406  * SHA-256 HMAC final digest
407  */
408 void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
409 {
410  int is224, hlen;
411  unsigned char tmpbuf[32];
412 
413  is224 = ctx->is224;
414  hlen = ( is224 == 0 ) ? 32 : 28;
415 
416  sha2_finish( ctx, tmpbuf );
417  sha2_starts( ctx, is224 );
418  sha2_update( ctx, ctx->opad, 64 );
419  sha2_update( ctx, tmpbuf, hlen );
420  sha2_finish( ctx, output );
421 
422  memset( tmpbuf, 0, sizeof( tmpbuf ) );
423 }
424 
425 /*
426  * SHA-256 HMAC context reset
427  */
428 void sha2_hmac_reset( sha2_context *ctx )
429 {
430  sha2_starts( ctx, ctx->is224 );
431  sha2_update( ctx, ctx->ipad, 64 );
432 }
433 
434 /*
435  * output = HMAC-SHA-256( hmac key, input buffer )
436  */
437 void sha2_hmac( const unsigned char *key, size_t keylen,
438  const unsigned char *input, size_t ilen,
439  unsigned char output[32], int is224 )
440 {
441  sha2_context ctx;
442 
443  sha2_hmac_starts( &ctx, key, keylen, is224 );
444  sha2_hmac_update( &ctx, input, ilen );
445  sha2_hmac_finish( &ctx, output );
446 
447  memset( &ctx, 0, sizeof( sha2_context ) );
448 }
449 
450 #if defined(POLARSSL_SELF_TEST)
451 /*
452  * FIPS-180-2 test vectors
453  */
454 static unsigned char sha2_test_buf[3][57] =
455 {
456  { "abc" },
457  { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
458  { "" }
459 };
460 
461 static const int sha2_test_buflen[3] =
462 {
463  3, 56, 1000
464 };
465 
466 static const unsigned char sha2_test_sum[6][32] =
467 {
468  /*
469  * SHA-224 test vectors
470  */
471  { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
472  0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
473  0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
474  0xE3, 0x6C, 0x9D, 0xA7 },
475  { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
476  0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
477  0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
478  0x52, 0x52, 0x25, 0x25 },
479  { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
480  0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
481  0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
482  0x4E, 0xE7, 0xAD, 0x67 },
483 
484  /*
485  * SHA-256 test vectors
486  */
487  { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
488  0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
489  0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
490  0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
491  { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
492  0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
493  0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
494  0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
495  { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
496  0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
497  0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
498  0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
499 };
500 
501 /*
502  * RFC 4231 test vectors
503  */
504 static unsigned char sha2_hmac_test_key[7][26] =
505 {
506  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
507  "\x0B\x0B\x0B\x0B" },
508  { "Jefe" },
509  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
510  "\xAA\xAA\xAA\xAA" },
511  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
512  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
513  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
514  "\x0C\x0C\x0C\x0C" },
515  { "" }, /* 0xAA 131 times */
516  { "" }
517 };
518 
519 static const int sha2_hmac_test_keylen[7] =
520 {
521  20, 4, 20, 25, 20, 131, 131
522 };
523 
524 static unsigned char sha2_hmac_test_buf[7][153] =
525 {
526  { "Hi There" },
527  { "what do ya want for nothing?" },
528  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
529  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
533  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
534  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
538  { "Test With Truncation" },
539  { "Test Using Larger Than Block-Size Key - Hash Key First" },
540  { "This is a test using a larger than block-size key "
541  "and a larger than block-size data. The key needs to "
542  "be hashed before being used by the HMAC algorithm." }
543 };
544 
545 static const int sha2_hmac_test_buflen[7] =
546 {
547  8, 28, 50, 50, 20, 54, 152
548 };
549 
550 static const unsigned char sha2_hmac_test_sum[14][32] =
551 {
552  /*
553  * HMAC-SHA-224 test vectors
554  */
555  { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
556  0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
557  0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
558  0x53, 0x68, 0x4B, 0x22 },
559  { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
560  0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
561  0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
562  0x8F, 0xD0, 0x5E, 0x44 },
563  { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
564  0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
565  0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
566  0xEC, 0x83, 0x33, 0xEA },
567  { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
568  0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
569  0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
570  0xE7, 0xAF, 0xEC, 0x5A },
571  { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
572  0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
573  { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
574  0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
575  0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
576  0x3F, 0xA6, 0x87, 0x0E },
577  { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
578  0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
579  0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
580  0xF6, 0xF5, 0x65, 0xD1 },
581 
582  /*
583  * HMAC-SHA-256 test vectors
584  */
585  { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
586  0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
587  0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
588  0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
589  { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
590  0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
591  0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
592  0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
593  { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
594  0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
595  0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
596  0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
597  { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
598  0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
599  0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
600  0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
601  { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
602  0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
603  { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
604  0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
605  0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
606  0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
607  { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
608  0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
609  0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
610  0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
611 };
612 
613 /*
614  * Checkup routine
615  */
616 int sha2_self_test( int verbose )
617 {
618  int i, j, k, buflen;
619  unsigned char buf[1024];
620  unsigned char sha2sum[32];
621  sha2_context ctx;
622 
623  for( i = 0; i < 6; i++ )
624  {
625  j = i % 3;
626  k = i < 3;
627 
628  if( verbose != 0 )
629  printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
630 
631  sha2_starts( &ctx, k );
632 
633  if( j == 2 )
634  {
635  memset( buf, 'a', buflen = 1000 );
636 
637  for( j = 0; j < 1000; j++ )
638  sha2_update( &ctx, buf, buflen );
639  }
640  else
641  sha2_update( &ctx, sha2_test_buf[j],
642  sha2_test_buflen[j] );
643 
644  sha2_finish( &ctx, sha2sum );
645 
646  if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
647  {
648  if( verbose != 0 )
649  printf( "failed\n" );
650 
651  return( 1 );
652  }
653 
654  if( verbose != 0 )
655  printf( "passed\n" );
656  }
657 
658  if( verbose != 0 )
659  printf( "\n" );
660 
661  for( i = 0; i < 14; i++ )
662  {
663  j = i % 7;
664  k = i < 7;
665 
666  if( verbose != 0 )
667  printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
668 
669  if( j == 5 || j == 6 )
670  {
671  memset( buf, '\xAA', buflen = 131 );
672  sha2_hmac_starts( &ctx, buf, buflen, k );
673  }
674  else
675  sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
676  sha2_hmac_test_keylen[j], k );
677 
678  sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
679  sha2_hmac_test_buflen[j] );
680 
681  sha2_hmac_finish( &ctx, sha2sum );
682 
683  buflen = ( j == 4 ) ? 16 : 32 - k * 4;
684 
685  if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
686  {
687  if( verbose != 0 )
688  printf( "failed\n" );
689 
690  return( 1 );
691  }
692 
693  if( verbose != 0 )
694  printf( "passed\n" );
695  }
696 
697  if( verbose != 0 )
698  printf( "\n" );
699 
700  return( 0 );
701 }
702 
703 #endif
704 
705 #endif