BitPunch McEliece  v0.0.4
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
sha512.c
Go to the documentation of this file.
1 /*
2  * FIPS-180-2 compliant SHA-384/512 implementation
3  *
4  * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
5  * Copyright (C) 2015 Frantisek Uhrecky <frantisek.uhrecky[what here]gmail.com>
6  *
7  * This file is part of mbed TLS (https://polarssl.org)
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 /*
24  * The SHA-512 Secure Hash Standard was published by NIST in 2002.
25  *
26  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
27  */
28 #define POLARSSL_SHA512_C
29 
30 #if defined(POLARSSL_SHA512_C)
31 
32 #include "polarssl/sha512.h"
33 
34 #if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
35 #include <stdio.h>
36 #endif
37 
38 #define polarssl_printf printf
39 
40 /* Implementation that should never be optimized out by the compiler */
41 static void polarssl_zeroize( void *v, size_t n ) {
42  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
43 }
44 
45 #if !defined(POLARSSL_SHA512_ALT)
46 
47 /*
48  * 64-bit integer manipulation macros (big endian)
49  */
50 #ifndef GET_UINT64_BE
51 #define GET_UINT64_BE(n,b,i) \
52 { \
53  (n) = ( (uint64_t) (b)[(i) ] << 56 ) \
54  | ( (uint64_t) (b)[(i) + 1] << 48 ) \
55  | ( (uint64_t) (b)[(i) + 2] << 40 ) \
56  | ( (uint64_t) (b)[(i) + 3] << 32 ) \
57  | ( (uint64_t) (b)[(i) + 4] << 24 ) \
58  | ( (uint64_t) (b)[(i) + 5] << 16 ) \
59  | ( (uint64_t) (b)[(i) + 6] << 8 ) \
60  | ( (uint64_t) (b)[(i) + 7] ); \
61 }
62 #endif /* GET_UINT64_BE */
63 
64 #ifndef PUT_UINT64_BE
65 #define PUT_UINT64_BE(n,b,i) \
66 { \
67  (b)[(i) ] = (unsigned char) ( (n) >> 56 ); \
68  (b)[(i) + 1] = (unsigned char) ( (n) >> 48 ); \
69  (b)[(i) + 2] = (unsigned char) ( (n) >> 40 ); \
70  (b)[(i) + 3] = (unsigned char) ( (n) >> 32 ); \
71  (b)[(i) + 4] = (unsigned char) ( (n) >> 24 ); \
72  (b)[(i) + 5] = (unsigned char) ( (n) >> 16 ); \
73  (b)[(i) + 6] = (unsigned char) ( (n) >> 8 ); \
74  (b)[(i) + 7] = (unsigned char) ( (n) ); \
75 }
76 #endif /* PUT_UINT64_BE */
77 
78 /*
79  * Round constants
80  */
81 static const uint64_t K[80] =
82 {
83  UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
84  UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
85  UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
86  UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
87  UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
88  UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
89  UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
90  UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
91  UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
92  UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
93  UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
94  UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
95  UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
96  UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
97  UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
98  UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
99  UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
100  UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
101  UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
102  UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
103  UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
104  UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
105  UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
106  UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
107  UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
108  UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
109  UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
110  UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
111  UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
112  UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
113  UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
114  UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
115  UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
116  UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
117  UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
118  UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
119  UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
120  UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
121  UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
122  UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
123 };
124 
125 void sha512_init( sha512_context *ctx )
126 {
127  memset( ctx, 0, sizeof( sha512_context ) );
128 }
129 
130 void sha512_free( sha512_context *ctx )
131 {
132  if( ctx == NULL )
133  return;
134 
135  polarssl_zeroize( ctx, sizeof( sha512_context ) );
136 }
137 
138 /*
139  * SHA-512 context setup
140  */
141 void sha512_starts( sha512_context *ctx, int is384 )
142 {
143  ctx->total[0] = 0;
144  ctx->total[1] = 0;
145 
146  if( is384 == 0 )
147  {
148  /* SHA-512 */
149  ctx->state[0] = UL64(0x6A09E667F3BCC908);
150  ctx->state[1] = UL64(0xBB67AE8584CAA73B);
151  ctx->state[2] = UL64(0x3C6EF372FE94F82B);
152  ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
153  ctx->state[4] = UL64(0x510E527FADE682D1);
154  ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
155  ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
156  ctx->state[7] = UL64(0x5BE0CD19137E2179);
157  }
158  else
159  {
160  /* SHA-384 */
161  ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
162  ctx->state[1] = UL64(0x629A292A367CD507);
163  ctx->state[2] = UL64(0x9159015A3070DD17);
164  ctx->state[3] = UL64(0x152FECD8F70E5939);
165  ctx->state[4] = UL64(0x67332667FFC00B31);
166  ctx->state[5] = UL64(0x8EB44A8768581511);
167  ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
168  ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
169  }
170 
171  ctx->is384 = is384;
172 }
173 
174 void sha512_process( sha512_context *ctx, const unsigned char data[128] )
175 {
176  int i;
177  uint64_t temp1, temp2, W[80];
178  uint64_t A, B, C, D, E, F, G, H;
179 
180 #define SHR(x,n) (x >> n)
181 #define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
182 
183 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
184 #define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
185 
186 #define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
187 #define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
188 
189 #define F0(x,y,z) ((x & y) | (z & (x | y)))
190 #define F1(x,y,z) (z ^ (x & (y ^ z)))
191 
192 #define P(a,b,c,d,e,f,g,h,x,K) \
193 { \
194  temp1 = h + S3(e) + F1(e,f,g) + K + x; \
195  temp2 = S2(a) + F0(a,b,c); \
196  d += temp1; h = temp1 + temp2; \
197 }
198 
199  for( i = 0; i < 16; i++ )
200  {
201  GET_UINT64_BE( W[i], data, i << 3 );
202  }
203 
204  for( ; i < 80; i++ )
205  {
206  W[i] = S1(W[i - 2]) + W[i - 7] +
207  S0(W[i - 15]) + W[i - 16];
208  }
209 
210  A = ctx->state[0];
211  B = ctx->state[1];
212  C = ctx->state[2];
213  D = ctx->state[3];
214  E = ctx->state[4];
215  F = ctx->state[5];
216  G = ctx->state[6];
217  H = ctx->state[7];
218  i = 0;
219 
220  do
221  {
222  P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
223  P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
224  P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
225  P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
226  P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
227  P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
228  P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
229  P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
230  }
231  while( i < 80 );
232 
233  ctx->state[0] += A;
234  ctx->state[1] += B;
235  ctx->state[2] += C;
236  ctx->state[3] += D;
237  ctx->state[4] += E;
238  ctx->state[5] += F;
239  ctx->state[6] += G;
240  ctx->state[7] += H;
241 }
242 
243 /*
244  * SHA-512 process buffer
245  */
246 void sha512_update( sha512_context *ctx, const unsigned char *input,
247  size_t ilen )
248 {
249  size_t fill;
250  unsigned int left;
251 
252  if( ilen == 0 )
253  return;
254 
255  left = (unsigned int) (ctx->total[0] & 0x7F);
256  fill = 128 - left;
257 
258  ctx->total[0] += (uint64_t) ilen;
259 
260  if( ctx->total[0] < (uint64_t) ilen )
261  ctx->total[1]++;
262 
263  if( left && ilen >= fill )
264  {
265  memcpy( (void *) (ctx->buffer + left), input, fill );
266  sha512_process( ctx, ctx->buffer );
267  input += fill;
268  ilen -= fill;
269  left = 0;
270  }
271 
272  while( ilen >= 128 )
273  {
274  sha512_process( ctx, input );
275  input += 128;
276  ilen -= 128;
277  }
278 
279  if( ilen > 0 )
280  memcpy( (void *) (ctx->buffer + left), input, ilen );
281 }
282 
283 static const unsigned char sha512_padding[128] =
284 {
285  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
286  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
287  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
288  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
289  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
290  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
291  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
292  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
293 };
294 
295 /*
296  * SHA-512 final digest
297  */
298 void sha512_finish( sha512_context *ctx, unsigned char output[64] )
299 {
300  size_t last, padn;
301  uint64_t high, low;
302  unsigned char msglen[16];
303 
304  high = ( ctx->total[0] >> 61 )
305  | ( ctx->total[1] << 3 );
306  low = ( ctx->total[0] << 3 );
307 
308  PUT_UINT64_BE( high, msglen, 0 );
309  PUT_UINT64_BE( low, msglen, 8 );
310 
311  last = (size_t)( ctx->total[0] & 0x7F );
312  padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
313 
314  sha512_update( ctx, sha512_padding, padn );
315  sha512_update( ctx, msglen, 16 );
316 
317  PUT_UINT64_BE( ctx->state[0], output, 0 );
318  PUT_UINT64_BE( ctx->state[1], output, 8 );
319  PUT_UINT64_BE( ctx->state[2], output, 16 );
320  PUT_UINT64_BE( ctx->state[3], output, 24 );
321  PUT_UINT64_BE( ctx->state[4], output, 32 );
322  PUT_UINT64_BE( ctx->state[5], output, 40 );
323 
324  if( ctx->is384 == 0 )
325  {
326  PUT_UINT64_BE( ctx->state[6], output, 48 );
327  PUT_UINT64_BE( ctx->state[7], output, 56 );
328  }
329 }
330 
331 #endif /* !POLARSSL_SHA512_ALT */
332 
333 /*
334  * output = SHA-512( input buffer )
335  */
336 void sha512( const unsigned char *input, size_t ilen,
337  unsigned char output[64], int is384 )
338 {
339  sha512_context ctx;
340 
341  sha512_init( &ctx );
342  sha512_starts( &ctx, is384 );
343  sha512_update( &ctx, input, ilen );
344  sha512_finish( &ctx, output );
345  sha512_free( &ctx );
346 }
347 
348 #if defined(POLARSSL_FS_IO)
349 /*
350  * output = SHA-512( file contents )
351  */
352 int sha512_file( const char *path, unsigned char output[64], int is384 )
353 {
354  FILE *f;
355  size_t n;
356  sha512_context ctx;
357  unsigned char buf[1024];
358 
359  if( ( f = fopen( path, "rb" ) ) == NULL )
360  return( POLARSSL_ERR_SHA512_FILE_IO_ERROR );
361 
362  sha512_init( &ctx );
363  sha512_starts( &ctx, is384 );
364 
365  while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
366  sha512_update( &ctx, buf, n );
367 
368  sha512_finish( &ctx, output );
369  sha512_free( &ctx );
370 
371  if( ferror( f ) != 0 )
372  {
373  fclose( f );
374  return( POLARSSL_ERR_SHA512_FILE_IO_ERROR );
375  }
376 
377  fclose( f );
378  return( 0 );
379 }
380 #endif /* POLARSSL_FS_IO */
381 
382 #ifdef POLARSSL_SHA512_HMAC
383 /*
384  * SHA-512 HMAC context setup
385  */
386 void sha512_hmac_starts( sha512_context *ctx, const unsigned char *key,
387  size_t keylen, int is384 )
388 {
389  size_t i;
390  unsigned char sum[64];
391 
392  if( keylen > 128 )
393  {
394  sha512( key, keylen, sum, is384 );
395  keylen = ( is384 ) ? 48 : 64;
396  key = sum;
397  }
398 
399  memset( ctx->ipad, 0x36, 128 );
400  memset( ctx->opad, 0x5C, 128 );
401 
402  for( i = 0; i < keylen; i++ )
403  {
404  ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
405  ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
406  }
407 
408  sha512_starts( ctx, is384 );
409  sha512_update( ctx, ctx->ipad, 128 );
410 
411  polarssl_zeroize( sum, sizeof( sum ) );
412 }
413 
414 /*
415  * SHA-512 HMAC process buffer
416  */
417 void sha512_hmac_update( sha512_context *ctx,
418  const unsigned char *input, size_t ilen )
419 {
420  sha512_update( ctx, input, ilen );
421 }
422 
423 /*
424  * SHA-512 HMAC final digest
425  */
426 void sha512_hmac_finish( sha512_context *ctx, unsigned char output[64] )
427 {
428  int is384, hlen;
429  unsigned char tmpbuf[64];
430 
431  is384 = ctx->is384;
432  hlen = ( is384 == 0 ) ? 64 : 48;
433 
434  sha512_finish( ctx, tmpbuf );
435  sha512_starts( ctx, is384 );
436  sha512_update( ctx, ctx->opad, 128 );
437  sha512_update( ctx, tmpbuf, hlen );
438  sha512_finish( ctx, output );
439 
440  polarssl_zeroize( tmpbuf, sizeof( tmpbuf ) );
441 }
442 
443 /*
444  * SHA-512 HMAC context reset
445  */
446 void sha512_hmac_reset( sha512_context *ctx )
447 {
448  sha512_starts( ctx, ctx->is384 );
449  sha512_update( ctx, ctx->ipad, 128 );
450 }
451 
452 /*
453  * output = HMAC-SHA-512( hmac key, input buffer )
454  */
455 void sha512_hmac( const unsigned char *key, size_t keylen,
456  const unsigned char *input, size_t ilen,
457  unsigned char output[64], int is384 )
458 {
459  sha512_context ctx;
460 
461  sha512_init( &ctx );
462  sha512_hmac_starts( &ctx, key, keylen, is384 );
463  sha512_hmac_update( &ctx, input, ilen );
464  sha512_hmac_finish( &ctx, output );
465  sha512_free( &ctx );
466 }
467 #endif // POLARSSL_SHA512_HMAC
468 #ifdef POLARSSL_SELF_TEST
469 
470 /*
471  * FIPS-180-2 test vectors
472  */
473 static unsigned char sha512_test_buf[3][113] =
474 {
475  { "abc" },
476  { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
477  "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
478  { "" }
479 };
480 
481 static const int sha512_test_buflen[3] =
482 {
483  3, 112, 1000
484 };
485 
486 static const unsigned char sha512_test_sum[6][64] =
487 {
488  /*
489  * SHA-384 test vectors
490  */
491  { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
492  0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
493  0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
494  0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
495  0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
496  0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
497  { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
498  0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
499  0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
500  0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
501  0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
502  0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
503  { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
504  0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
505  0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
506  0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
507  0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
508  0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
509 
510  /*
511  * SHA-512 test vectors
512  */
513  { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
514  0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
515  0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
516  0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
517  0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
518  0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
519  0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
520  0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
521  { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
522  0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
523  0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
524  0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
525  0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
526  0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
527  0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
528  0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
529  { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
530  0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
531  0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
532  0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
533  0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
534  0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
535  0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
536  0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
537 };
538 
539 #ifdef POLARSSL_SHA512_HMAC
540 /*
541  * RFC 4231 test vectors
542  */
543 static unsigned char sha512_hmac_test_key[7][26] =
544 {
545  { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
546  "\x0B\x0B\x0B\x0B" },
547  { "Jefe" },
548  { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
549  "\xAA\xAA\xAA\xAA" },
550  { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
551  "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
552  { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
553  "\x0C\x0C\x0C\x0C" },
554  { "" }, /* 0xAA 131 times */
555  { "" }
556 };
557 
558 static const int sha512_hmac_test_keylen[7] =
559 {
560  20, 4, 20, 25, 20, 131, 131
561 };
562 
563 static unsigned char sha512_hmac_test_buf[7][153] =
564 {
565  { "Hi There" },
566  { "what do ya want for nothing?" },
567  { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
568  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
569  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
570  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
571  "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
572  { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
573  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
574  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
575  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
576  "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
577  { "Test With Truncation" },
578  { "Test Using Larger Than Block-Size Key - Hash Key First" },
579  { "This is a test using a larger than block-size key "
580  "and a larger than block-size data. The key needs to "
581  "be hashed before being used by the HMAC algorithm." }
582 };
583 
584 static const int sha512_hmac_test_buflen[7] =
585 {
586  8, 28, 50, 50, 20, 54, 152
587 };
588 
589 static const unsigned char sha512_hmac_test_sum[14][64] =
590 {
591  /*
592  * HMAC-SHA-384 test vectors
593  */
594  { 0xAF, 0xD0, 0x39, 0x44, 0xD8, 0x48, 0x95, 0x62,
595  0x6B, 0x08, 0x25, 0xF4, 0xAB, 0x46, 0x90, 0x7F,
596  0x15, 0xF9, 0xDA, 0xDB, 0xE4, 0x10, 0x1E, 0xC6,
597  0x82, 0xAA, 0x03, 0x4C, 0x7C, 0xEB, 0xC5, 0x9C,
598  0xFA, 0xEA, 0x9E, 0xA9, 0x07, 0x6E, 0xDE, 0x7F,
599  0x4A, 0xF1, 0x52, 0xE8, 0xB2, 0xFA, 0x9C, 0xB6 },
600  { 0xAF, 0x45, 0xD2, 0xE3, 0x76, 0x48, 0x40, 0x31,
601  0x61, 0x7F, 0x78, 0xD2, 0xB5, 0x8A, 0x6B, 0x1B,
602  0x9C, 0x7E, 0xF4, 0x64, 0xF5, 0xA0, 0x1B, 0x47,
603  0xE4, 0x2E, 0xC3, 0x73, 0x63, 0x22, 0x44, 0x5E,
604  0x8E, 0x22, 0x40, 0xCA, 0x5E, 0x69, 0xE2, 0xC7,
605  0x8B, 0x32, 0x39, 0xEC, 0xFA, 0xB2, 0x16, 0x49 },
606  { 0x88, 0x06, 0x26, 0x08, 0xD3, 0xE6, 0xAD, 0x8A,
607  0x0A, 0xA2, 0xAC, 0xE0, 0x14, 0xC8, 0xA8, 0x6F,
608  0x0A, 0xA6, 0x35, 0xD9, 0x47, 0xAC, 0x9F, 0xEB,
609  0xE8, 0x3E, 0xF4, 0xE5, 0x59, 0x66, 0x14, 0x4B,
610  0x2A, 0x5A, 0xB3, 0x9D, 0xC1, 0x38, 0x14, 0xB9,
611  0x4E, 0x3A, 0xB6, 0xE1, 0x01, 0xA3, 0x4F, 0x27 },
612  { 0x3E, 0x8A, 0x69, 0xB7, 0x78, 0x3C, 0x25, 0x85,
613  0x19, 0x33, 0xAB, 0x62, 0x90, 0xAF, 0x6C, 0xA7,
614  0x7A, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9C,
615  0xC5, 0x57, 0x7C, 0x6E, 0x1F, 0x57, 0x3B, 0x4E,
616  0x68, 0x01, 0xDD, 0x23, 0xC4, 0xA7, 0xD6, 0x79,
617  0xCC, 0xF8, 0xA3, 0x86, 0xC6, 0x74, 0xCF, 0xFB },
618  { 0x3A, 0xBF, 0x34, 0xC3, 0x50, 0x3B, 0x2A, 0x23,
619  0xA4, 0x6E, 0xFC, 0x61, 0x9B, 0xAE, 0xF8, 0x97 },
620  { 0x4E, 0xCE, 0x08, 0x44, 0x85, 0x81, 0x3E, 0x90,
621  0x88, 0xD2, 0xC6, 0x3A, 0x04, 0x1B, 0xC5, 0xB4,
622  0x4F, 0x9E, 0xF1, 0x01, 0x2A, 0x2B, 0x58, 0x8F,
623  0x3C, 0xD1, 0x1F, 0x05, 0x03, 0x3A, 0xC4, 0xC6,
624  0x0C, 0x2E, 0xF6, 0xAB, 0x40, 0x30, 0xFE, 0x82,
625  0x96, 0x24, 0x8D, 0xF1, 0x63, 0xF4, 0x49, 0x52 },
626  { 0x66, 0x17, 0x17, 0x8E, 0x94, 0x1F, 0x02, 0x0D,
627  0x35, 0x1E, 0x2F, 0x25, 0x4E, 0x8F, 0xD3, 0x2C,
628  0x60, 0x24, 0x20, 0xFE, 0xB0, 0xB8, 0xFB, 0x9A,
629  0xDC, 0xCE, 0xBB, 0x82, 0x46, 0x1E, 0x99, 0xC5,
630  0xA6, 0x78, 0xCC, 0x31, 0xE7, 0x99, 0x17, 0x6D,
631  0x38, 0x60, 0xE6, 0x11, 0x0C, 0x46, 0x52, 0x3E },
632 
633  /*
634  * HMAC-SHA-512 test vectors
635  */
636  { 0x87, 0xAA, 0x7C, 0xDE, 0xA5, 0xEF, 0x61, 0x9D,
637  0x4F, 0xF0, 0xB4, 0x24, 0x1A, 0x1D, 0x6C, 0xB0,
638  0x23, 0x79, 0xF4, 0xE2, 0xCE, 0x4E, 0xC2, 0x78,
639  0x7A, 0xD0, 0xB3, 0x05, 0x45, 0xE1, 0x7C, 0xDE,
640  0xDA, 0xA8, 0x33, 0xB7, 0xD6, 0xB8, 0xA7, 0x02,
641  0x03, 0x8B, 0x27, 0x4E, 0xAE, 0xA3, 0xF4, 0xE4,
642  0xBE, 0x9D, 0x91, 0x4E, 0xEB, 0x61, 0xF1, 0x70,
643  0x2E, 0x69, 0x6C, 0x20, 0x3A, 0x12, 0x68, 0x54 },
644  { 0x16, 0x4B, 0x7A, 0x7B, 0xFC, 0xF8, 0x19, 0xE2,
645  0xE3, 0x95, 0xFB, 0xE7, 0x3B, 0x56, 0xE0, 0xA3,
646  0x87, 0xBD, 0x64, 0x22, 0x2E, 0x83, 0x1F, 0xD6,
647  0x10, 0x27, 0x0C, 0xD7, 0xEA, 0x25, 0x05, 0x54,
648  0x97, 0x58, 0xBF, 0x75, 0xC0, 0x5A, 0x99, 0x4A,
649  0x6D, 0x03, 0x4F, 0x65, 0xF8, 0xF0, 0xE6, 0xFD,
650  0xCA, 0xEA, 0xB1, 0xA3, 0x4D, 0x4A, 0x6B, 0x4B,
651  0x63, 0x6E, 0x07, 0x0A, 0x38, 0xBC, 0xE7, 0x37 },
652  { 0xFA, 0x73, 0xB0, 0x08, 0x9D, 0x56, 0xA2, 0x84,
653  0xEF, 0xB0, 0xF0, 0x75, 0x6C, 0x89, 0x0B, 0xE9,
654  0xB1, 0xB5, 0xDB, 0xDD, 0x8E, 0xE8, 0x1A, 0x36,
655  0x55, 0xF8, 0x3E, 0x33, 0xB2, 0x27, 0x9D, 0x39,
656  0xBF, 0x3E, 0x84, 0x82, 0x79, 0xA7, 0x22, 0xC8,
657  0x06, 0xB4, 0x85, 0xA4, 0x7E, 0x67, 0xC8, 0x07,
658  0xB9, 0x46, 0xA3, 0x37, 0xBE, 0xE8, 0x94, 0x26,
659  0x74, 0x27, 0x88, 0x59, 0xE1, 0x32, 0x92, 0xFB },
660  { 0xB0, 0xBA, 0x46, 0x56, 0x37, 0x45, 0x8C, 0x69,
661  0x90, 0xE5, 0xA8, 0xC5, 0xF6, 0x1D, 0x4A, 0xF7,
662  0xE5, 0x76, 0xD9, 0x7F, 0xF9, 0x4B, 0x87, 0x2D,
663  0xE7, 0x6F, 0x80, 0x50, 0x36, 0x1E, 0xE3, 0xDB,
664  0xA9, 0x1C, 0xA5, 0xC1, 0x1A, 0xA2, 0x5E, 0xB4,
665  0xD6, 0x79, 0x27, 0x5C, 0xC5, 0x78, 0x80, 0x63,
666  0xA5, 0xF1, 0x97, 0x41, 0x12, 0x0C, 0x4F, 0x2D,
667  0xE2, 0xAD, 0xEB, 0xEB, 0x10, 0xA2, 0x98, 0xDD },
668  { 0x41, 0x5F, 0xAD, 0x62, 0x71, 0x58, 0x0A, 0x53,
669  0x1D, 0x41, 0x79, 0xBC, 0x89, 0x1D, 0x87, 0xA6 },
670  { 0x80, 0xB2, 0x42, 0x63, 0xC7, 0xC1, 0xA3, 0xEB,
671  0xB7, 0x14, 0x93, 0xC1, 0xDD, 0x7B, 0xE8, 0xB4,
672  0x9B, 0x46, 0xD1, 0xF4, 0x1B, 0x4A, 0xEE, 0xC1,
673  0x12, 0x1B, 0x01, 0x37, 0x83, 0xF8, 0xF3, 0x52,
674  0x6B, 0x56, 0xD0, 0x37, 0xE0, 0x5F, 0x25, 0x98,
675  0xBD, 0x0F, 0xD2, 0x21, 0x5D, 0x6A, 0x1E, 0x52,
676  0x95, 0xE6, 0x4F, 0x73, 0xF6, 0x3F, 0x0A, 0xEC,
677  0x8B, 0x91, 0x5A, 0x98, 0x5D, 0x78, 0x65, 0x98 },
678  { 0xE3, 0x7B, 0x6A, 0x77, 0x5D, 0xC8, 0x7D, 0xBA,
679  0xA4, 0xDF, 0xA9, 0xF9, 0x6E, 0x5E, 0x3F, 0xFD,
680  0xDE, 0xBD, 0x71, 0xF8, 0x86, 0x72, 0x89, 0x86,
681  0x5D, 0xF5, 0xA3, 0x2D, 0x20, 0xCD, 0xC9, 0x44,
682  0xB6, 0x02, 0x2C, 0xAC, 0x3C, 0x49, 0x82, 0xB1,
683  0x0D, 0x5E, 0xEB, 0x55, 0xC3, 0xE4, 0xDE, 0x15,
684  0x13, 0x46, 0x76, 0xFB, 0x6D, 0xE0, 0x44, 0x60,
685  0x65, 0xC9, 0x74, 0x40, 0xFA, 0x8C, 0x6A, 0x58 }
686 };
687 #endif // POLARSSL_SHA512_HMAC
688 /*
689  * Checkup routine
690  */
691 int sha512_self_test( int verbose )
692 {
693  int i, j, k, buflen, ret = 0;
694  unsigned char buf[1024];
695  unsigned char sha512sum[64];
696  sha512_context ctx;
697 
698  sha512_init( &ctx );
699 
700  for( i = 0; i < 6; i++ )
701  {
702  j = i % 3;
703  k = i < 3;
704 
705  if( verbose != 0 )
706  polarssl_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 );
707 
708  sha512_starts( &ctx, k );
709 
710  if( j == 2 )
711  {
712  memset( buf, 'a', buflen = 1000 );
713 
714  for( j = 0; j < 1000; j++ )
715  sha512_update( &ctx, buf, buflen );
716  }
717  else
718  sha512_update( &ctx, sha512_test_buf[j],
719  sha512_test_buflen[j] );
720 
721  sha512_finish( &ctx, sha512sum );
722 
723  if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
724  {
725  if( verbose != 0 )
726  polarssl_printf( "failed\n" );
727 
728  ret = 1;
729  goto exit;
730  }
731 
732  if( verbose != 0 )
733  polarssl_printf( "passed\n" );
734  }
735 
736  if( verbose != 0 )
737  polarssl_printf( "\n" );
738 #ifdef POLARSSL_SHA512_HMAC
739  for( i = 0; i < 14; i++ )
740  {
741  j = i % 7;
742  k = i < 7;
743 
744  if( verbose != 0 )
745  polarssl_printf( " HMAC-SHA-%d test #%d: ", 512 - k * 128, j + 1 );
746 
747  if( j == 5 || j == 6 )
748  {
749  memset( buf, '\xAA', buflen = 131 );
750  sha512_hmac_starts( &ctx, buf, buflen, k );
751  }
752  else
753  sha512_hmac_starts( &ctx, sha512_hmac_test_key[j],
754  sha512_hmac_test_keylen[j], k );
755 
756  sha512_hmac_update( &ctx, sha512_hmac_test_buf[j],
757  sha512_hmac_test_buflen[j] );
758 
759  sha512_hmac_finish( &ctx, sha512sum );
760 
761  buflen = ( j == 4 ) ? 16 : 64 - k * 16;
762 
763  if( memcmp( sha512sum, sha512_hmac_test_sum[i], buflen ) != 0 )
764  {
765  if( verbose != 0 )
766  polarssl_printf( "failed\n" );
767 
768  ret = 1;
769  goto exit;
770  }
771 
772  if( verbose != 0 )
773  polarssl_printf( "passed\n" );
774  }
775 
776  if( verbose != 0 )
777  polarssl_printf( "\n" );
778 #endif // POLARSSL_SHA512_HMAC
779 exit:
780  sha512_free( &ctx );
781 
782  return( ret );
783 }
784 
785 #endif /* POLARSSL_SELF_TEST */
786 
787 #endif /* POLARSSL_SHA512_C */
sha512_finish
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
Definition: sha512.c:298
sha512_starts
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
Definition: sha512.c:141
UL64
#define UL64(x)
Definition: sha512.h:35
sha512
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
Definition: sha512.c:336
sha512_context::ipad
unsigned char ipad[128]
Definition: sha512.h:57
sha512_context::state
uint64_t state[8]
Definition: sha512.h:54
polarssl_printf
#define polarssl_printf
Definition: sha512.c:38
sha512_process
void sha512_process(sha512_context *ctx, const unsigned char data[128])
Definition: sha512.c:174
sha512_init
void sha512_init(sha512_context *ctx)
Initialize SHA-512 context.
Definition: sha512.c:125
sha512_free
void sha512_free(sha512_context *ctx)
Clear SHA-512 context.
Definition: sha512.c:130
sha512_context
SHA-512 context structure.
Definition: sha512.h:51
sha512_file
int sha512_file(const char *path, unsigned char output[64], int is384)
Output = SHA-512( file contents )
POLARSSL_ERR_SHA512_FILE_IO_ERROR
#define POLARSSL_ERR_SHA512_FILE_IO_ERROR
Definition: sha512.h:38
S0
#define S0(x)
sha512_context::is384
int is384
Definition: sha512.h:59
GET_UINT64_BE
#define GET_UINT64_BE(n, b, i)
Definition: sha512.c:51
S1
#define S1(x)
PUT_UINT64_BE
#define PUT_UINT64_BE(n, b, i)
Definition: sha512.c:65
P
#define P(a, b, c, d, e, f, g, h, x, K)
sha512_context::total
uint64_t total[2]
Definition: sha512.h:53
sha512_update
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
Definition: sha512.c:246
sha512_context::opad
unsigned char opad[128]
Definition: sha512.h:58
sha512_context::buffer
unsigned char buffer[128]
Definition: sha512.h:55