API Documentation (Doxygen generated)

These pages are generated with doxygen directly from the source code!

sha2.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-256 implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27  *
28  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29  */
30 
31 #include "polarssl/config.h"
32 
33 #if defined(POLARSSL_SHA2_C)
34 
35 #include "polarssl/sha2.h"
36 
37 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
38 #include <stdio.h>
39 #endif
40 
41 #if !defined(POLARSSL_SHA2_ALT)
42 
43 /*
44  * 32-bit integer manipulation macros (big endian)
45  */
46 #ifndef GET_UINT32_BE
47 #define GET_UINT32_BE(n,b,i) \
48 { \
49  (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
50  | ( (uint32_t) (b)[(i) + 1] << 16 ) \
51  | ( (uint32_t) (b)[(i) + 2] << 8 ) \
52  | ( (uint32_t) (b)[(i) + 3] ); \
53 }
54 #endif
55 
56 #ifndef PUT_UINT32_BE
57 #define PUT_UINT32_BE(n,b,i) \
58 { \
59  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
60  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
61  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
62  (b)[(i) + 3] = (unsigned char) ( (n) ); \
63 }
64 #endif
65 
66 /*
67  * SHA-256 context setup
68  */
69 void sha2_starts( sha2_context *ctx, int is224 )
70 {
71  ctx->total[0] = 0;
72  ctx->total[1] = 0;
73 
74  if( is224 == 0 )
75  {
76  /* SHA-256 */
77  ctx->state[0] = 0x6A09E667;
78  ctx->state[1] = 0xBB67AE85;
79  ctx->state[2] = 0x3C6EF372;
80  ctx->state[3] = 0xA54FF53A;
81  ctx->state[4] = 0x510E527F;
82  ctx->state[5] = 0x9B05688C;
83  ctx->state[6] = 0x1F83D9AB;
84  ctx->state[7] = 0x5BE0CD19;
85  }
86  else
87  {
88  /* SHA-224 */
89  ctx->state[0] = 0xC1059ED8;
90  ctx->state[1] = 0x367CD507;
91  ctx->state[2] = 0x3070DD17;
92  ctx->state[3] = 0xF70E5939;
93  ctx->state[4] = 0xFFC00B31;
94  ctx->state[5] = 0x68581511;
95  ctx->state[6] = 0x64F98FA7;
96  ctx->state[7] = 0xBEFA4FA4;
97  }
98 
99  ctx->is224 = is224;
100 }
101 
102 void sha2_process( sha2_context *ctx, const unsigned char data[64] )
103 {
104  uint32_t temp1, temp2, W[64];
105  uint32_t A, B, C, D, E, F, G, H;
106 
107  GET_UINT32_BE( W[ 0], data, 0 );
108  GET_UINT32_BE( W[ 1], data, 4 );
109  GET_UINT32_BE( W[ 2], data, 8 );
110  GET_UINT32_BE( W[ 3], data, 12 );
111  GET_UINT32_BE( W[ 4], data, 16 );
112  GET_UINT32_BE( W[ 5], data, 20 );
113  GET_UINT32_BE( W[ 6], data, 24 );
114  GET_UINT32_BE( W[ 7], data, 28 );
115  GET_UINT32_BE( W[ 8], data, 32 );
116  GET_UINT32_BE( W[ 9], data, 36 );
117  GET_UINT32_BE( W[10], data, 40 );
118  GET_UINT32_BE( W[11], data, 44 );
119  GET_UINT32_BE( W[12], data, 48 );
120  GET_UINT32_BE( W[13], data, 52 );
121  GET_UINT32_BE( W[14], data, 56 );
122  GET_UINT32_BE( W[15], data, 60 );
123 
124 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
125 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
126 
127 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
128 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
129 
130 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
131 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
132 
133 #define F0(x,y,z) ((x & y) | (z & (x | y)))
134 #define F1(x,y,z) (z ^ (x & (y ^ z)))
135 
136 #define R(t) \
137 ( \
138  W[t] = S1(W[t - 2]) + W[t - 7] + \
139  S0(W[t - 15]) + W[t - 16] \
140 )
141 
142 #define P(a,b,c,d,e,f,g,h,x,K) \
143 { \
144  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
145  temp2 = S2(a) + F0(a,b,c); \
146  d += temp1; h = temp1 + temp2; \
147 }
148 
149  A = ctx->state[0];
150  B = ctx->state[1];
151  C = ctx->state[2];
152  D = ctx->state[3];
153  E = ctx->state[4];
154  F = ctx->state[5];
155  G = ctx->state[6];
156  H = ctx->state[7];
157 
158  P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
159  P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
160  P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
161  P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
162  P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
163  P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
164  P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
165  P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
166  P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
167  P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
168  P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
169  P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
170  P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
171  P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
172  P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
173  P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
174  P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
175  P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
176  P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
177  P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
178  P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
179  P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
180  P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
181  P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
182  P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
183  P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
184  P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
185  P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
186  P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
187  P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
188  P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
189  P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
190  P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
191  P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
192  P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
193  P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
194  P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
195  P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
196  P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
197  P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
198  P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
199  P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
200  P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
201  P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
202  P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
203  P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
204  P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
205  P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
206  P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
207  P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
208  P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
209  P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
210  P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
211  P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
212  P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
213  P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
214  P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
215  P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
216  P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
217  P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
218  P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
219  P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
220  P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
221  P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
222 
223  ctx->state[0] += A;
224  ctx->state[1] += B;
225  ctx->state[2] += C;
226  ctx->state[3] += D;
227  ctx->state[4] += E;
228  ctx->state[5] += F;
229  ctx->state[6] += G;
230  ctx->state[7] += H;
231 }
232 
233 /*
234  * SHA-256 process buffer
235  */
236 void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
237 {
238  size_t fill;
239  uint32_t left;
240 
241  if( ilen <= 0 )
242  return;
243 
244  left = ctx->total[0] & 0x3F;
245  fill = 64 - left;
246 
247  ctx->total[0] += (uint32_t) ilen;
248  ctx->total[0] &= 0xFFFFFFFF;
249 
250  if( ctx->total[0] < (uint32_t) ilen )
251  ctx->total[1]++;
252 
253  if( left && ilen >= fill )
254  {
255  memcpy( (void *) (ctx->buffer + left), input, fill );
256  sha2_process( ctx, ctx->buffer );
257  input += fill;
258  ilen -= fill;
259  left = 0;
260  }
261 
262  while( ilen >= 64 )
263  {
264  sha2_process( ctx, input );
265  input += 64;
266  ilen -= 64;
267  }
268 
269  if( ilen > 0 )
270  memcpy( (void *) (ctx->buffer + left), input, ilen );
271 }
272 
273 static const unsigned char sha2_padding[64] =
274 {
275  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
279 };
280 
281 /*
282  * SHA-256 final digest
283  */
284 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
285 {
286  uint32_t last, padn;
287  uint32_t high, low;
288  unsigned char msglen[8];
289 
290  high = ( ctx->total[0] >> 29 )
291  | ( ctx->total[1] << 3 );
292  low = ( ctx->total[0] << 3 );
293 
294  PUT_UINT32_BE( high, msglen, 0 );
295  PUT_UINT32_BE( low, msglen, 4 );
296 
297  last = ctx->total[0] & 0x3F;
298  padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
299 
300  sha2_update( ctx, sha2_padding, padn );
301  sha2_update( ctx, msglen, 8 );
302 
303  PUT_UINT32_BE( ctx->state[0], output, 0 );
304  PUT_UINT32_BE( ctx->state[1], output, 4 );
305  PUT_UINT32_BE( ctx->state[2], output, 8 );
306  PUT_UINT32_BE( ctx->state[3], output, 12 );
307  PUT_UINT32_BE( ctx->state[4], output, 16 );
308  PUT_UINT32_BE( ctx->state[5], output, 20 );
309  PUT_UINT32_BE( ctx->state[6], output, 24 );
310 
311  if( ctx->is224 == 0 )
312  PUT_UINT32_BE( ctx->state[7], output, 28 );
313 }
314 
315 #endif /* !POLARSSL_SHA2_ALT */
316 
317 /*
318  * output = SHA-256( input buffer )
319  */
320 void sha2( const unsigned char *input, size_t ilen,
321  unsigned char output[32], int is224 )
322 {
323  sha2_context ctx;
324 
325  sha2_starts( &ctx, is224 );
326  sha2_update( &ctx, input, ilen );
327  sha2_finish( &ctx, output );
328 
329  memset( &ctx, 0, sizeof( sha2_context ) );
330 }
331 
332 #if defined(POLARSSL_FS_IO)
333 /*
334  * output = SHA-256( file contents )
335  */
336 int sha2_file( const char *path, unsigned char output[32], int is224 )
337 {
338  FILE *f;
339  size_t n;
340  sha2_context ctx;
341  unsigned char buf[1024];
342 
343  if( ( f = fopen( path, "rb" ) ) == NULL )
345 
346  sha2_starts( &ctx, is224 );
347 
348  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
349  sha2_update( &ctx, buf, n );
350 
351  sha2_finish( &ctx, output );
352 
353  memset( &ctx, 0, sizeof( sha2_context ) );
354 
355  if( ferror( f ) != 0 )
356  {
357  fclose( f );
359  }
360 
361  fclose( f );
362  return( 0 );
363 }
364 #endif /* POLARSSL_FS_IO */
365 
366 /*
367  * SHA-256 HMAC context setup
368  */
369 void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
370  int is224 )
371 {
372  size_t i;
373  unsigned char sum[32];
374 
375  if( keylen > 64 )
376  {
377  sha2( key, keylen, sum, is224 );
378  keylen = ( is224 ) ? 28 : 32;
379  key = sum;
380  }
381 
382  memset( ctx->ipad, 0x36, 64 );
383  memset( ctx->opad, 0x5C, 64 );
384 
385  for( i = 0; i < keylen; i++ )
386  {
387  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
388  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
389  }
390 
391  sha2_starts( ctx, is224 );
392  sha2_update( ctx, ctx->ipad, 64 );
393 
394  memset( sum, 0, sizeof( sum ) );
395 }
396 
397 /*
398  * SHA-256 HMAC process buffer
399  */
400 void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
401 {
402  sha2_update( ctx, input, ilen );
403 }
404 
405 /*
406  * SHA-256 HMAC final digest
407  */
408 void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
409 {
410  int is224, hlen;
411  unsigned char tmpbuf[32];
412 
413  is224 = ctx->is224;
414  hlen = ( is224 == 0 ) ? 32 : 28;
415 
416  sha2_finish( ctx, tmpbuf );
417  sha2_starts( ctx, is224 );
418  sha2_update( ctx, ctx->opad, 64 );
419  sha2_update( ctx, tmpbuf, hlen );
420  sha2_finish( ctx, output );
421 
422  memset( tmpbuf, 0, sizeof( tmpbuf ) );
423 }
424 
425 /*
426  * SHA-256 HMAC context reset
427  */
428 void sha2_hmac_reset( sha2_context *ctx )
429 {
430  sha2_starts( ctx, ctx->is224 );
431  sha2_update( ctx, ctx->ipad, 64 );
432 }
433 
434 /*
435  * output = HMAC-SHA-256( hmac key, input buffer )
436  */
437 void sha2_hmac( const unsigned char *key, size_t keylen,
438  const unsigned char *input, size_t ilen,
439  unsigned char output[32], int is224 )
440 {
441  sha2_context ctx;
442 
443  sha2_hmac_starts( &ctx, key, keylen, is224 );
444  sha2_hmac_update( &ctx, input, ilen );
445  sha2_hmac_finish( &ctx, output );
446 
447  memset( &ctx, 0, sizeof( sha2_context ) );
448 }
449 
450 #if defined(POLARSSL_SELF_TEST)
451 /*
452  * FIPS-180-2 test vectors
453  */
454 static unsigned char sha2_test_buf[3][57] =
455 {
456  { "abc" },
457  { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
458  { "" }
459 };
460 
461 static const int sha2_test_buflen[3] =
462 {
463  3, 56, 1000
464 };
465 
466 static const unsigned char sha2_test_sum[6][32] =
467 {
468  /*
469  * SHA-224 test vectors
470  */
471  { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
472  0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
473  0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
474  0xE3, 0x6C, 0x9D, 0xA7 },
475  { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
476  0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
477  0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
478  0x52, 0x52, 0x25, 0x25 },
479  { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
480  0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
481  0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
482  0x4E, 0xE7, 0xAD, 0x67 },
483 
484  /*
485  * SHA-256 test vectors
486  */
487  { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
488  0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
489  0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
490  0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
491  { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
492  0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
493  0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
494  0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
495  { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
496  0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
497  0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
498  0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
499 };
500 
501 /*
502  * RFC 4231 test vectors
503  */
504 static unsigned char sha2_hmac_test_key[7][26] =
505 {
506  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
507  "\x0B\x0B\x0B\x0B" },
508  { "Jefe" },
509  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
510  "\xAA\xAA\xAA\xAA" },
511  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
512  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
513  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
514  "\x0C\x0C\x0C\x0C" },
515  { "" }, /* 0xAA 131 times */
516  { "" }
517 };
518 
519 static const int sha2_hmac_test_keylen[7] =
520 {
521  20, 4, 20, 25, 20, 131, 131
522 };
523 
524 static unsigned char sha2_hmac_test_buf[7][153] =
525 {
526  { "Hi There" },
527  { "what do ya want for nothing?" },
528  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
529  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
530  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
531  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
532  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
533  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
534  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
535  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
536  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
537  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
538  { "Test With Truncation" },
539  { "Test Using Larger Than Block-Size Key - Hash Key First" },
540  { "This is a test using a larger than block-size key "
541  "and a larger than block-size data. The key needs to "
542  "be hashed before being used by the HMAC algorithm." }
543 };
544 
545 static const int sha2_hmac_test_buflen[7] =
546 {
547  8, 28, 50, 50, 20, 54, 152
548 };
549 
550 static const unsigned char sha2_hmac_test_sum[14][32] =
551 {
552  /*
553  * HMAC-SHA-224 test vectors
554  */
555  { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
556  0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
557  0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
558  0x53, 0x68, 0x4B, 0x22 },
559  { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
560  0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
561  0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
562  0x8F, 0xD0, 0x5E, 0x44 },
563  { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
564  0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
565  0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
566  0xEC, 0x83, 0x33, 0xEA },
567  { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
568  0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
569  0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
570  0xE7, 0xAF, 0xEC, 0x5A },
571  { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
572  0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
573  { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
574  0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
575  0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
576  0x3F, 0xA6, 0x87, 0x0E },
577  { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
578  0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
579  0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
580  0xF6, 0xF5, 0x65, 0xD1 },
581 
582  /*
583  * HMAC-SHA-256 test vectors
584  */
585  { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
586  0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
587  0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
588  0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
589  { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
590  0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
591  0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
592  0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
593  { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
594  0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
595  0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
596  0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
597  { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
598  0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
599  0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
600  0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
601  { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
602  0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
603  { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
604  0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
605  0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
606  0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
607  { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
608  0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
609  0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
610  0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
611 };
612 
613 /*
614  * Checkup routine
615  */
616 int sha2_self_test( int verbose )
617 {
618  int i, j, k, buflen;
619  unsigned char buf[1024];
620  unsigned char sha2sum[32];
621  sha2_context ctx;
622 
623  for( i = 0; i < 6; i++ )
624  {
625  j = i % 3;
626  k = i < 3;
627 
628  if( verbose != 0 )
629  printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
630 
631  sha2_starts( &ctx, k );
632 
633  if( j == 2 )
634  {
635  memset( buf, 'a', buflen = 1000 );
636 
637  for( j = 0; j < 1000; j++ )
638  sha2_update( &ctx, buf, buflen );
639  }
640  else
641  sha2_update( &ctx, sha2_test_buf[j],
642  sha2_test_buflen[j] );
643 
644  sha2_finish( &ctx, sha2sum );
645 
646  if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
647  {
648  if( verbose != 0 )
649  printf( "failed\n" );
650 
651  return( 1 );
652  }
653 
654  if( verbose != 0 )
655  printf( "passed\n" );
656  }
657 
658  if( verbose != 0 )
659  printf( "\n" );
660 
661  for( i = 0; i < 14; i++ )
662  {
663  j = i % 7;
664  k = i < 7;
665 
666  if( verbose != 0 )
667  printf( " HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
668 
669  if( j == 5 || j == 6 )
670  {
671  memset( buf, '\xAA', buflen = 131 );
672  sha2_hmac_starts( &ctx, buf, buflen, k );
673  }
674  else
675  sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
676  sha2_hmac_test_keylen[j], k );
677 
678  sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
679  sha2_hmac_test_buflen[j] );
680 
681  sha2_hmac_finish( &ctx, sha2sum );
682 
683  buflen = ( j == 4 ) ? 16 : 32 - k * 4;
684 
685  if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
686  {
687  if( verbose != 0 )
688  printf( "failed\n" );
689 
690  return( 1 );
691  }
692 
693  if( verbose != 0 )
694  printf( "passed\n" );
695  }
696 
697  if( verbose != 0 )
698  printf( "\n" );
699 
700  return( 0 );
701 }
702 
703 #endif
704 
705 #endif