search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ssl/tls: add proper const attributes to functions, context members
[tropicssl.git] / library / sha2.c
blobbc6b895f5e73bb15d18c1093269743a10f341439
1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /*
36 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
37 *
38 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
39 */
40
41 #include "tropicssl/config.h"
42
43 #if defined(TROPICSSL_SHA2_C)
44
45 #include "tropicssl/sha2.h"
46
47 #include <string.h>
48 #include <stdio.h>
49
50 /*
51 * 32-bit integer manipulation macros (big endian)
52 */
53 #ifndef GET_ULONG_BE
54 #define GET_ULONG_BE(n,b,i) \
55 { \
56 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
57 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
58 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
59 | ( (unsigned long) (b)[(i) + 3] ); \
60 }
61 #endif
62
63 #ifndef PUT_ULONG_BE
64 #define PUT_ULONG_BE(n,b,i) \
65 { \
66 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
67 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
68 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
69 (b)[(i) + 3] = (unsigned char) ( (n) ); \
70 }
71 #endif
72
73 /*
74 * SHA-256 context setup
75 */
76 void sha2_starts(sha2_context * ctx, int is224)
77 {
78 ctx->total[0] = 0;
79 ctx->total[1] = 0;
80
81 if (is224 == 0) {
82 /* SHA-256 */
83 ctx->state[0] = 0x6A09E667;
84 ctx->state[1] = 0xBB67AE85;
85 ctx->state[2] = 0x3C6EF372;
86 ctx->state[3] = 0xA54FF53A;
87 ctx->state[4] = 0x510E527F;
88 ctx->state[5] = 0x9B05688C;
89 ctx->state[6] = 0x1F83D9AB;
90 ctx->state[7] = 0x5BE0CD19;
91 } else {
92 /* SHA-224 */
93 ctx->state[0] = 0xC1059ED8;
94 ctx->state[1] = 0x367CD507;
95 ctx->state[2] = 0x3070DD17;
96 ctx->state[3] = 0xF70E5939;
97 ctx->state[4] = 0xFFC00B31;
98 ctx->state[5] = 0x68581511;
99 ctx->state[6] = 0x64F98FA7;
100 ctx->state[7] = 0xBEFA4FA4;
101 }
102
103 ctx->is224 = is224;
104 }
105
106 static void sha2_process(sha2_context * ctx, const unsigned char data[64])
107 {
108 unsigned long temp1, temp2, W[64];
109 unsigned long A, B, C, D, E, F, G, H;
110
111 GET_ULONG_BE(W[0], data, 0);
112 GET_ULONG_BE(W[1], data, 4);
113 GET_ULONG_BE(W[2], data, 8);
114 GET_ULONG_BE(W[3], data, 12);
115 GET_ULONG_BE(W[4], data, 16);
116 GET_ULONG_BE(W[5], data, 20);
117 GET_ULONG_BE(W[6], data, 24);
118 GET_ULONG_BE(W[7], data, 28);
119 GET_ULONG_BE(W[8], data, 32);
120 GET_ULONG_BE(W[9], data, 36);
121 GET_ULONG_BE(W[10], data, 40);
122 GET_ULONG_BE(W[11], data, 44);
123 GET_ULONG_BE(W[12], data, 48);
124 GET_ULONG_BE(W[13], data, 52);
125 GET_ULONG_BE(W[14], data, 56);
126 GET_ULONG_BE(W[15], data, 60);
127
128 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
129 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
130
131 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
132 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
133
134 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
135 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
136
137 #define F0(x,y,z) ((x & y) | (z & (x | y)))
138 #define F1(x,y,z) (z ^ (x & (y ^ z)))
139
140 #define R(t) \
141 ( \
142 W[t] = S1(W[t - 2]) + W[t - 7] + \
143 S0(W[t - 15]) + W[t - 16] \
144 )
145
146 #define P(a,b,c,d,e,f,g,h,x,K) \
147 { \
148 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
149 temp2 = S2(a) + F0(a,b,c); \
150 d += temp1; h = temp1 + temp2; \
151 }
152
153 A = ctx->state[0];
154 B = ctx->state[1];
155 C = ctx->state[2];
156 D = ctx->state[3];
157 E = ctx->state[4];
158 F = ctx->state[5];
159 G = ctx->state[6];
160 H = ctx->state[7];
161
162 P(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
163 P(H, A, B, C, D, E, F, G, W[1], 0x71374491);
164 P(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
165 P(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
166 P(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
167 P(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
168 P(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
169 P(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
170 P(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
171 P(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
172 P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
173 P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
174 P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
175 P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
176 P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
177 P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
178 P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
179 P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
180 P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
181 P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
182 P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
183 P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
184 P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
185 P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
186 P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
187 P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
188 P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
189 P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
190 P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
191 P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
192 P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
193 P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
194 P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
195 P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
196 P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
197 P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
198 P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
199 P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
200 P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
201 P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
202 P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
203 P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
204 P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
205 P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
206 P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
207 P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
208 P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
209 P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
210 P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
211 P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
212 P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
213 P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
214 P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
215 P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
216 P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
217 P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
218 P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
219 P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
220 P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
221 P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
222 P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
223 P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
224 P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
225 P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
226
227 ctx->state[0] += A;
228 ctx->state[1] += B;
229 ctx->state[2] += C;
230 ctx->state[3] += D;
231 ctx->state[4] += E;
232 ctx->state[5] += F;
233 ctx->state[6] += G;
234 ctx->state[7] += H;
235 }
236
237 /*
238 * SHA-256 process buffer
239 */
240 void sha2_update(sha2_context * ctx, const unsigned char *input, int ilen)
241 {
242 int fill;
243 unsigned long left;
244
245 if (ilen <= 0)
246 return;
247
248 left = ctx->total[0] & 0x3F;
249 fill = 64 - left;
250
251 ctx->total[0] += ilen;
252 ctx->total[0] &= 0xFFFFFFFF;
253
254 if (ctx->total[0] < (unsigned long)ilen)
255 ctx->total[1]++;
256
257 if (left && ilen >= fill) {
258 memcpy((void *)(ctx->buffer + left), (const void *)input, fill);
259 sha2_process(ctx, ctx->buffer);
260 input += fill;
261 ilen -= fill;
262 left = 0;
263 }
264
265 while (ilen >= 64) {
266 sha2_process(ctx, input);
267 input += 64;
268 ilen -= 64;
269 }
270
271 if (ilen > 0) {
272 memcpy((void *)(ctx->buffer + left), (const void *)input, ilen);
273 }
274 }
275
276 static const unsigned char sha2_padding[64] = {
277 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
281 };
282
283 /*
284 * SHA-256 final digest
285 */
286 void sha2_finish(sha2_context * ctx, unsigned char output[32])
287 {
288 unsigned long last, padn;
289 unsigned long high, low;
290 unsigned char msglen[8];
291
292 high = (ctx->total[0] >> 29)
293 | (ctx->total[1] << 3);
294 low = (ctx->total[0] << 3);
295
296 PUT_ULONG_BE(high, msglen, 0);
297 PUT_ULONG_BE(low, msglen, 4);
298
299 last = ctx->total[0] & 0x3F;
300 padn = (last < 56) ? (56 - last) : (120 - last);
301
302 sha2_update(ctx, sha2_padding, padn);
303 sha2_update(ctx, msglen, 8);
304
305 PUT_ULONG_BE(ctx->state[0], output, 0);
306 PUT_ULONG_BE(ctx->state[1], output, 4);
307 PUT_ULONG_BE(ctx->state[2], output, 8);
308 PUT_ULONG_BE(ctx->state[3], output, 12);
309 PUT_ULONG_BE(ctx->state[4], output, 16);
310 PUT_ULONG_BE(ctx->state[5], output, 20);
311 PUT_ULONG_BE(ctx->state[6], output, 24);
312
313 if (ctx->is224 == 0)
314 PUT_ULONG_BE(ctx->state[7], output, 28);
315 }
316
317 /*
318 * output = SHA-256( input buffer )
319 */
320 void sha2(const unsigned char *input, int ilen, unsigned char output[32], int is224)
321 {
322 sha2_context ctx;
323
324 sha2_starts(&ctx, is224);
325 sha2_update(&ctx, input, ilen);
326 sha2_finish(&ctx, output);
327
328 memset(&ctx, 0, sizeof(sha2_context));
329 }
330
331 /*
332 * output = SHA-256( file contents )
333 */
334 int sha2_file(const char *path, unsigned char output[32], int is224)
335 {
336 FILE *f;
337 size_t n;
338 sha2_context ctx;
339 unsigned char buf[1024];
340
341 if ((f = fopen(path, "rb")) == NULL)
342 return (1);
343
344 sha2_starts(&ctx, is224);
345
346 while ((n = fread(buf, 1, sizeof(buf), f)) > 0)
347 sha2_update(&ctx, buf, (int)n);
348
349 sha2_finish(&ctx, output);
350
351 memset(&ctx, 0, sizeof(sha2_context));
352
353 if (ferror(f) != 0) {
354 fclose(f);
355 return (2);
356 }
357
358 fclose(f);
359 return (0);
360 }
361
362 /*
363 * SHA-256 HMAC context setup
364 */
365 void sha2_hmac_starts(sha2_context * ctx, const unsigned char *key, int keylen,
366 int is224)
367 {
368 int i;
369 unsigned char sum[32];
370
371 if (keylen > 64) {
372 sha2(key, keylen, sum, is224);
373 keylen = (is224) ? 28 : 32;
374 key = sum;
375 }
376
377 memset(ctx->ipad, 0x36, 64);
378 memset(ctx->opad, 0x5C, 64);
379
380 for (i = 0; i < keylen; i++) {
381 ctx->ipad[i] = (unsigned char)(ctx->ipad[i] ^ key[i]);
382 ctx->opad[i] = (unsigned char)(ctx->opad[i] ^ key[i]);
383 }
384
385 sha2_starts(ctx, is224);
386 sha2_update(ctx, ctx->ipad, 64);
387
388 memset(sum, 0, sizeof(sum));
389 }
390
391 /*
392 * SHA-256 HMAC process buffer
393 */
394 void sha2_hmac_update(sha2_context * ctx, const unsigned char *input, int ilen)
395 {
396 sha2_update(ctx, input, ilen);
397 }
398
399 /*
400 * SHA-256 HMAC final digest
401 */
402 void sha2_hmac_finish(sha2_context * ctx, unsigned char output[32])
403 {
404 int is224, hlen;
405 unsigned char tmpbuf[32];
406
407 is224 = ctx->is224;
408 hlen = (is224 == 0) ? 32 : 28;
409
410 sha2_finish(ctx, tmpbuf);
411 sha2_starts(ctx, is224);
412 sha2_update(ctx, ctx->opad, 64);
413 sha2_update(ctx, tmpbuf, hlen);
414 sha2_finish(ctx, output);
415
416 memset(tmpbuf, 0, sizeof(tmpbuf));
417 }
418
419 /*
420 * output = HMAC-SHA-256( hmac key, input buffer )
421 */
422 void sha2_hmac(const unsigned char *key, int keylen,
423 const unsigned char *input, int ilen,
424 unsigned char output[32], int is224)
425 {
426 sha2_context ctx;
427
428 sha2_hmac_starts(&ctx, key, keylen, is224);
429 sha2_hmac_update(&ctx, input, ilen);
430 sha2_hmac_finish(&ctx, output);
431
432 memset(&ctx, 0, sizeof(sha2_context));
433 }
434
435 #if defined(TROPICSSL_SELF_TEST)
436 /*
437 * FIPS-180-2 test vectors
438 */
439 static unsigned char sha2_test_buf[3][57] = {
440 {"abc"},
441 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
442 {""}
443 };
444
445 static const int sha2_test_buflen[3] = {
446 3, 56, 1000
447 };
448
449 static const unsigned char sha2_test_sum[6][32] = {
450 /*
451 * SHA-224 test vectors
452 */
453 {
454 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
455 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
456 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
457 0xE3, 0x6C, 0x9D, 0xA7},
458 {
459 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
460 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
461 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
462 0x52, 0x52, 0x25, 0x25},
463 {
464 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
465 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
466 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
467 0x4E, 0xE7, 0xAD, 0x67},
468
469 /*
470 * SHA-256 test vectors
471 */
472 {
473 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
474 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
475 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
476 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD},
477 {
478 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
479 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
480 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
481 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1},
482 {
483 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
484 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
485 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
486 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0}
487 };
488
489 /*
490 * RFC 4231 test vectors
491 */
492 static unsigned char sha2_hmac_test_key[7][26] = {
493 {
494 "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
495 "\x0B\x0B\x0B\x0B"},
496 {"Jefe"},
497 {
498 "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
499 "\xAA\xAA\xAA\xAA"},
500 {
501 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
502 "\x11\x12\x13\x14\x15\x16\x17\x18\x19"},
503 {
504 "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
505 "\x0C\x0C\x0C\x0C"},
506 {""}, /* 0xAA 131 times */
507 {""}
508 };
509
510 static const int sha2_hmac_test_keylen[7] = {
511 20, 4, 20, 25, 20, 131, 131
512 };
513
514 static unsigned char sha2_hmac_test_buf[7][153] = {
515 {"Hi There"},
516 {"what do ya want for nothing?"},
517 {
518 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
519 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
520 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
521 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
522 "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"},
523 {
524 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
525 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
526 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
527 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
528 "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"},
529 {"Test With Truncation"},
530 {"Test Using Larger Than Block-Size Key - Hash Key First"},
531 {
532 "This is a test using a larger than block-size key "
533 "and a larger than block-size data. The key needs to "
534 "be hashed before being used by the HMAC algorithm."}
535 };
536
537 static const int sha2_hmac_test_buflen[7] = {
538 8, 28, 50, 50, 20, 54, 152
539 };
540
541 static const unsigned char sha2_hmac_test_sum[14][32] = {
542 /*
543 * HMAC-SHA-224 test vectors
544 */
545 {
546 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
547 0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
548 0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
549 0x53, 0x68, 0x4B, 0x22},
550 {
551 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
552 0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
553 0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
554 0x8F, 0xD0, 0x5E, 0x44},
555 {
556 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
557 0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
558 0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
559 0xEC, 0x83, 0x33, 0xEA},
560 {
561 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
562 0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
563 0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
564 0xE7, 0xAF, 0xEC, 0x5A},
565 {
566 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
567 0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8},
568 {
569 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
570 0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
571 0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
572 0x3F, 0xA6, 0x87, 0x0E},
573 {
574 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
575 0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
576 0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
577 0xF6, 0xF5, 0x65, 0xD1},
578
579 /*
580 * HMAC-SHA-256 test vectors
581 */
582 {
583 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
584 0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
585 0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
586 0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7},
587 {
588 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
589 0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
590 0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
591 0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43},
592 {
593 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
594 0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
595 0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
596 0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE},
597 {
598 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
599 0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
600 0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
601 0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B},
602 {
603 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
604 0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B},
605 {
606 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
607 0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
608 0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
609 0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54},
610 {
611 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
612 0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
613 0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
614 0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2}
615 };
616
617 /*
618 * Checkup routine
619 */
620 int sha2_self_test(int verbose)
621 {
622 int i, j, k, buflen;
623 unsigned char buf[1024];
624 unsigned char sha2sum[32];
625 sha2_context ctx;
626
627 for (i = 0; i < 6; i++) {
628 j = i % 3;
629 k = i < 3;
630
631 if (verbose != 0)
632 printf(" SHA-%d test #%d: ", 256 - k * 32, j + 1);
633
634 sha2_starts(&ctx, k);
635
636 if (j == 2) {
637 memset(buf, 'a', buflen = 1000);
638
639 for (j = 0; j < 1000; j++)
640 sha2_update(&ctx, buf, buflen);
641 } else
642 sha2_update(&ctx, sha2_test_buf[j],
643 sha2_test_buflen[j]);
644
645 sha2_finish(&ctx, sha2sum);
646
647 if (memcmp(sha2sum, sha2_test_sum[i], 32 - k * 4) != 0) {
648 if (verbose != 0)
649 printf("failed\n");
650
651 return (1);
652 }
653
654 if (verbose != 0)
655 printf("passed\n");
656 }
657
658 if (verbose != 0)
659 printf("\n");
660
661 for (i = 0; i < 14; i++) {
662 j = i % 7;
663 k = i < 7;
664
665 if (verbose != 0)
666 printf(" HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1);
667
668 if (j == 5 || j == 6) {
669 memset(buf, '\xAA', buflen = 131);
670 sha2_hmac_starts(&ctx, buf, buflen, k);
671 } else
672 sha2_hmac_starts(&ctx, sha2_hmac_test_key[j],
673 sha2_hmac_test_keylen[j], k);
674
675 sha2_hmac_update(&ctx, sha2_hmac_test_buf[j],
676 sha2_hmac_test_buflen[j]);
677
678 sha2_hmac_finish(&ctx, sha2sum);
679
680 buflen = (j == 4) ? 16 : 32 - k * 4;
681
682 if (memcmp(sha2sum, sha2_hmac_test_sum[i], buflen) != 0) {
683 if (verbose != 0)
684 printf("failed\n");
685
686 return (1);
687 }
688
689 if (verbose != 0)
690 printf("passed\n");
691 }
692
693 if (verbose != 0)
694 printf("\n");
695
696 return (0);
697 }
698
699 #endif
700
701 #endif
fork of last BSD polarssl