Network Working Group D. Eastlake 3rd Request for Comments: 4634 Motorola Labs Updates: 3174 T. Hansen Category: Informational AT&T Labs July 2006 US Secure Hash Algorithms (SHA and HMAC-SHA) Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The United States of America has adopted a suite of Secure Hash Algorithms (SHAs), including four beyond SHA-1, as part of a Federal Information Processing Standard (FIPS), specifically SHA-224 (RFC 3874), SHA-256, SHA-384, and SHA-512. The purpose of this document is to make source code performing these hash functions conveniently available to the Internet community. The sample code supports input strings of arbitrary bit length. SHA-1's sample code from RFC 3174 has also been updated to handle input strings of arbitrary bit length. Most of the text herein was adapted by the authors from FIPS 180-2. Code to perform SHA-based HMACs, with arbitrary bit length text, is also included. Eastlake 3rd & Hansen Informational [Page 1] RFC 4634 SHAs and HMAC-SHAs July 2006 Table of Contents 1. Overview of Contents ............................................3 1.1. License ....................................................4 2. Notation for Bit Strings and Integers ...........................4 3. Operations on Words .............................................5 4. Message Padding and Parsing .....................................6 4.1. SHA-224 and SHA-256 ........................................7 4.2. SHA-384 and SHA-512 ........................................8 5. Functions and Constants Used ....................................9 5.1. SHA-224 and SHA-256 ........................................9 5.2. SHA-384 and SHA-512 .......................................10 6. Computing the Message Digest ...................................11 6.1. SHA-224 and SHA-256 Initialization ........................11 6.2. SHA-224 and SHA-256 Processing ............................11 6.3. SHA-384 and SHA-512 Initialization ........................13 6.4. SHA-384 and SHA-512 Processing ............................14 7. SHA-Based HMACs ................................................15 8. C Code for SHAs ................................................15 8.1. The .h File ...............................................18 8.2. The SHA Code ..............................................24 8.2.1. sha1.c .............................................24 8.2.2. sha224-256.c .......................................33 8.2.3. sha384-512.c .......................................45 8.2.4. usha.c .............................................67 8.2.5. sha-private.h ......................................72 8.3. The HMAC Code .............................................73 8.4. The Test Driver ...........................................78 9. Security Considerations .......................................106 10. Normative References .........................................106 11. Informative References .......................................106 Eastlake 3rd & Hansen Informational [Page 2] RFC 4634 SHAs and HMAC-SHAs July 2006 1. Overview of Contents NOTE: Much of the text below is taken from [FIPS180-2] and assertions therein of the security of the algorithms described are made by the US Government, the author of [FIPS180-2], and not by the authors of this document. The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file. (SHA-1 is specified in [RFC3174].) When a message of any length >n d. The rotate right (circular right shift) operation ROTR^n(x), where x is a w-bit word and n is an integer with 0 >n) OR (x>w-n) Note the following equivalence relationships, where w is fixed in each relationship: ROTL^n(x) = ROTR^(w-x)(x) ROTR^n(x) = ROTL^(w-n)(x) 4. Message Padding and Parsing The hash functions specified herein are used to compute a message digest for a message or data file that is provided as input. The message or data file should be considered to be a bit string. The length of the message is the number of bits in the message (the empty message has length 0). If the number of bits in a message is a multiple of 8, for compactness we can represent the message in hex. The purpose of message padding is to make the total length of a padded message a multiple of 512 for SHA-224 and SHA-256 or a multiple of 1024 for SHA-384 and SHA-512. The following specifies how this padding shall be performed. As a summary, a "1" followed by a number of "0"s followed by a 64-bit or 128-bit integer are appended to the end of the message to produce a padded message of length 512*n or 1024*n. The minimum number of "0"s necessary to meet this criterion is used. The appended integer is the length of the original message. The padded message is then processed by the hash function as n 512-bit or 1024-bit blocks. Eastlake 3rd & Hansen Informational [Page 6] RFC 4634 SHAs and HMAC-SHAs July 2006 4.1. SHA-224 and SHA-256 Suppose a message has length L /* * If you do not have the ISO standard stdint.h header file, then you Eastlake 3rd & Hansen Informational [Page 18] RFC 4634 SHAs and HMAC-SHAs July 2006 * must typedef the following: * name meaning * uint64_t unsigned 64 bit integer * uint32_t unsigned 32 bit integer * uint8_t unsigned 8 bit integer (i.e., unsigned char) * int_least16_t integer of >= 16 bits * */ #ifndef _SHA_enum_ #define _SHA_enum_ /* * All SHA functions return one of these values. */ enum { shaSuccess = 0, shaNull, /* Null pointer parameter */ shaInputTooLong, /* input data too long */ shaStateError, /* called Input after FinalBits or Result */ shaBadParam /* passed a bad parameter */ }; #endif /* _SHA_enum_ */ /* * These constants hold size information for each of the SHA * hashing operations */ enum { SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, SHA512_Message_Block_Size = 128, USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, SHA384HashSize = 48, SHA512HashSize = 64, USHAMaxHashSize = SHA512HashSize, SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits }; /* * These constants are used in the USHA (unified sha) functions. */ typedef enum SHAversion { SHA1, SHA224, SHA256, SHA384, SHA512 } SHAversion; Eastlake 3rd & Hansen Informational [Page 19] RFC 4634 SHAs and HMAC-SHAs July 2006 /* * This structure will hold context information for the SHA-1 * hashing operation. */ typedef struct SHA1Context { uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ uint32_t Length_Low; /* Message length in bits */ uint32_t Length_High; /* Message length in bits */ int_least16_t Message_Block_Index; /* Message_Block array index */ /* 512-bit message blocks */ uint8_t Message_Block[SHA1_Message_Block_Size]; int Computed; /* Is the digest computed? */ int Corrupted; /* Is the digest corrupted? */ } SHA1Context; /* * This structure will hold context information for the SHA-256 * hashing operation. */ typedef struct SHA256Context { uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ uint32_t Length_Low; /* Message length in bits */ uint32_t Length_High; /* Message length in bits */ int_least16_t Message_Block_Index; /* Message_Block array index */ /* 512-bit message blocks */ uint8_t Message_Block[SHA256_Message_Block_Size]; int Computed; /* Is the digest computed? */ int Corrupted; /* Is the digest corrupted? */ } SHA256Context; /* * This structure will hold context information for the SHA-512 * hashing operation. */ typedef struct SHA512Context { #ifdef USE_32BIT_ONLY uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ uint32_t Length[4]; /* Message length in bits */ #else /* !USE_32BIT_ONLY */ uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ uint64_t Length_Low, Length_High; /* Message length in bits */ #endif /* USE_32BIT_ONLY */ Eastlake 3rd & Hansen Informational [Page 20] RFC 4634 SHAs and HMAC-SHAs July 2006 int_least16_t Message_Block_Index; /* Message_Block array index */ /* 1024-bit message blocks */ uint8_t Message_Block[SHA512_Message_Block_Size]; int Computed; /* Is the digest computed?*/ int Corrupted; /* Is the digest corrupted? */ } SHA512Context; /* * This structure will hold context information for the SHA-224 * hashing operation. It uses the SHA-256 structure for computation. */ typedef struct SHA256Context SHA224Context; /* * This structure will hold context information for the SHA-384 * hashing operation. It uses the SHA-512 structure for computation. */ typedef struct SHA512Context SHA384Context; /* * This structure holds context information for all SHA * hashing operations. */ typedef struct USHAContext { int whichSha; /* which SHA is being used */ union { SHA1Context sha1Context; SHA224Context sha224Context; SHA256Context sha256Context; SHA384Context sha384Context; SHA512Context sha512Context; } ctx; } USHAContext; /* * This structure will hold context information for the HMAC * keyed hashing operation. */ typedef struct HMACContext { int whichSha; /* which SHA is being used */ int hashSize; /* hash size of SHA being used */ int blockSize; /* block size of SHA being used */ USHAContext shaContext; /* SHA context */ unsigned char k_opad[USHA_Max_Message_Block_Size]; /* outer padding - key XORd with opad */ } HMACContext; Eastlake 3rd & Hansen Informational [Page 21] RFC 4634 SHAs and HMAC-SHAs July 2006 /* * Function Prototypes */ /* SHA-1 */ extern int SHA1Reset(SHA1Context *); extern int SHA1Input(SHA1Context *, const uint8_t *bytes, unsigned int bytecount); extern int SHA1FinalBits(SHA1Context *, const uint8_t bits, unsigned int bitcount); extern int SHA1Result(SHA1Context *, uint8_t Message_Digest[SHA1HashSize]); /* SHA-224 */ extern int SHA224Reset(SHA224Context *); extern int SHA224Input(SHA224Context *, const uint8_t *bytes, unsigned int bytecount); extern int SHA224FinalBits(SHA224Context *, const uint8_t bits, unsigned int bitcount); extern int SHA224Result(SHA224Context *, uint8_t Message_Digest[SHA224HashSize]); /* SHA-256 */ extern int SHA256Reset(SHA256Context *); extern int SHA256Input(SHA256Context *, const uint8_t *bytes, unsigned int bytecount); extern int SHA256FinalBits(SHA256Context *, const uint8_t bits, unsigned int bitcount); extern int SHA256Result(SHA256Context *, uint8_t Message_Digest[SHA256HashSize]); /* SHA-384 */ extern int SHA384Reset(SHA384Context *); extern int SHA384Input(SHA384Context *, const uint8_t *bytes, unsigned int bytecount); extern int SHA384FinalBits(SHA384Context *, const uint8_t bits, unsigned int bitcount); extern int SHA384Result(SHA384Context *, uint8_t Message_Digest[SHA384HashSize]); /* SHA-512 */ extern int SHA512Reset(SHA512Context *); extern int SHA512Input(SHA512Context *, const uint8_t *bytes, unsigned int bytecount); extern int SHA512FinalBits(SHA512Context *, const uint8_t bits, unsigned int bitcount); extern int SHA512Result(SHA512Context *, uint8_t Message_Digest[SHA512HashSize]); Eastlake 3rd & Hansen Informational [Page 22] RFC 4634 SHAs and HMAC-SHAs July 2006 /* Unified SHA functions, chosen by whichSha */ extern int USHAReset(USHAContext *, SHAversion whichSha); extern int USHAInput(USHAContext *, const uint8_t *bytes, unsigned int bytecount); extern int USHAFinalBits(USHAContext *, const uint8_t bits, unsigned int bitcount); extern int USHAResult(USHAContext *, uint8_t Message_Digest[USHAMaxHashSize]); extern int USHABlockSize(enum SHAversion whichSha); extern int USHAHashSize(enum SHAversion whichSha); extern int USHAHashSizeBits(enum SHAversion whichSha); /* * HMAC Keyed-Hashing for Message Authentication, RFC2104, * for all SHAs. * This interface allows a fixed-length text input to be used. */ extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ const unsigned char *text, /* pointer to data stream */ int text_len, /* length of data stream */ const unsigned char *key, /* pointer to authentication key */ int key_len, /* length of authentication key */ uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ /* * HMAC Keyed-Hashing for Message Authentication, RFC2104, * for all SHAs. * This interface allows any length of text input to be used. */ extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha, const unsigned char *key, int key_len); extern int hmacInput(HMACContext *ctx, const unsigned char *text, int text_len); extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits, unsigned int bitcount); extern int hmacResult(HMACContext *ctx, uint8_t digest[USHAMaxHashSize]); #endif /* _SHA_H_ */ Eastlake 3rd & Hansen Informational [Page 23] RFC 4634 SHAs and HMAC-SHAs July 2006 8.2. The SHA Code This code is primarily intended as expository and could be optimized further. For example, the assignment rotations through the variables a, b, ..., h could be treated as a cycle and the loop unrolled, rather than doing the explicit copying. Note that there are alternative representations of the Ch() and Maj() functions controlled by an ifdef. 8.2.1. sha1.c /**************************** sha1.c ****************************/ /******************** See RFC 4634 for details ******************/ /* * Description: * This file implements the Secure Hash Signature Standard * algorithms as defined in the National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 * published on August 1, 2002, and the FIPS PUB 180-2 Change * Notice published on February 28, 2004. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf * * The SHA-1 algorithm produces a 160-bit message digest for a * given data stream. It should take about 2**n steps to find a * message with the same digest as a given message and * 2**(n/2) to find any two messages with the same digest, * when n is the digest size in bits. Therefore, this * algorithm can serve as a means of providing a * "fingerprint" for a message. * * Portability Issues: * SHA-1 is defined in terms of 32-bit "words". This code * uses (included via "sha.h") to define 32 and 8 * bit unsigned integer types. If your C compiler does not * support 32 bit unsigned integers, this code is not * appropriate. * * Caveats: * SHA-1 is designed to work with messages less than 2^64 bits * long. This implementation uses SHA1Input() to hash the bits * that are a multiple of the size of an 8-bit character, and then * uses SHA1FinalBits() to hash the final few bits of the input. */ Eastlake 3rd & Hansen Informational [Page 24] RFC 4634 SHAs and HMAC-SHAs July 2006 #include "sha.h" #include "sha-private.h" /* * Define the SHA1 circular left shift macro */ #define SHA1_ROTL(bits,word) \ (((word) > (32-(bits)))) /* * add "length" to the length */ static uint32_t addTemp; #define SHA1AddLength(context, length) \ (addTemp = (context)->Length_Low, \ (context)->Corrupted = \ (((context)->Length_Low += (length)) Length_High == 0) ? 1 : 0) /* Local Function Prototypes */ static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte); static void SHA1ProcessMessageBlock(SHA1Context *); /* * SHA1Reset * * Description: * This function will initialize the SHA1Context in preparation * for computing a new SHA1 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. * */ int SHA1Reset(SHA1Context *context) { if (!context) return shaNull; context->Length_Low = 0; context->Length_High = 0; context->Message_Block_Index = 0; Eastlake 3rd & Hansen Informational [Page 25] RFC 4634 SHAs and HMAC-SHAs July 2006 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ context->Intermediate_Hash[0] = 0x67452301; context->Intermediate_Hash[1] = 0xEFCDAB89; context->Intermediate_Hash[2] = 0x98BADCFE; context->Intermediate_Hash[3] = 0x10325476; context->Intermediate_Hash[4] = 0xC3D2E1F0; context->Computed = 0; context->Corrupted = 0; return shaSuccess; } /* * SHA1Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. * */ int SHA1Input(SHA1Context *context, const uint8_t *message_array, unsigned length) { if (!length) return shaSuccess; if (!context || !message_array) return shaNull; if (context->Computed) { context->Corrupted = shaStateError; return shaStateError; } if (context->Corrupted) Eastlake 3rd & Hansen Informational [Page 26] RFC 4634 SHAs and HMAC-SHAs July 2006 return context->Corrupted; while (length-- && !context->Corrupted) { context->Message_Block[context->Message_Block_Index++] = (*message_array & 0xFF); if (!SHA1AddLength(context, 8) && (context->Message_Block_Index == SHA1_Message_Block_Size)) SHA1ProcessMessageBlock(context); message_array++; } return shaSuccess; } /* * SHA1FinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. */ int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits, unsigned int length) { uint8_t masks[8] = { /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE }; uint8_t markbit[8] = { /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, Eastlake 3rd & Hansen Informational [Page 27] RFC 4634 SHAs and HMAC-SHAs July 2006 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 }; if (!length) return shaSuccess; if (!context) return shaNull; if (context->Computed || (length >= 8) || (length == 0)) { context->Corrupted = shaStateError; return shaStateError; } if (context->Corrupted) return context->Corrupted; SHA1AddLength(context, length); SHA1Finalize(context, (uint8_t) ((message_bits & masks[length]) | markbit[length])); return shaSuccess; } /* * SHA1Result * * Description: * This function will return the 160-bit message digest into the * Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 19th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA-1 hash. * Message_Digest: [out] * Where the digest is returned. * * Returns: * sha Error Code. * */ int SHA1Result(SHA1Context *context, uint8_t Message_Digest[SHA1HashSize]) { int i; Eastlake 3rd & Hansen Informational [Page 28] RFC 4634 SHAs and HMAC-SHAs July 2006 if (!context || !Message_Digest) return shaNull; if (context->Corrupted) return context->Corrupted; if (!context->Computed) SHA1Finalize(context, 0x80); for (i = 0; i Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); return shaSuccess; } /* * SHA1Finalize * * Description: * This helper function finishes off the digest calculations. * * Parameters: * context: [in/out] * The SHA context to update * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * sha Error Code. * */ static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) { int i; SHA1PadMessage(context, Pad_Byte); /* message may be sensitive, clear it out */ for (i = 0; i Message_Block[i] = 0; context->Length_Low = 0; /* and clear length */ context->Length_High = 0; context->Computed = 1; } /* Eastlake 3rd & Hansen Informational [Page 29] RFC 4634 SHAs and HMAC-SHAs July 2006 * SHA1PadMessage * * Description: * According to the standard, the message must be padded to an * even 512 bits. The first padding bit must be a '1'. The last * 64 bits represent the length of the original message. All bits * in between should be 0. This helper function will pad the * message according to those rules by filling the Message_Block * array accordingly. When it returns, it can be assumed that the * message digest has been computed. * * Parameters: * context: [in/out] * The context to pad * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * Nothing. */ static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) { /* * Check to see if the current message block is too small to hold * the initial padding bits and length. If so, we will pad the * block, process it, and then continue padding into a second * block. */ if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; SHA1ProcessMessageBlock(context); } else context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; /* * Store the message length as the last 8 octets */ context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); Eastlake 3rd & Hansen Informational [Page 30] RFC 4634 SHAs and HMAC-SHAs July 2006 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); context->Message_Block[59] = (uint8_t) (context->Length_High); context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); context->Message_Block[63] = (uint8_t) (context->Length_Low); SHA1ProcessMessageBlock(context); } /* * SHA1ProcessMessageBlock * * Description: * This helper function will process the next 512 bits of the * message stored in the Message_Block array. * * Parameters: * None. * * Returns: * Nothing. * * Comments: * Many of the variable names in this code, especially the * single character names, were used because those were the * names used in the publication. */ static void SHA1ProcessMessageBlock(SHA1Context *context) { /* Constants defined in FIPS-180-2, section 4.2.1 */ const uint32_t K[4] = { 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 }; int t; /* Loop counter */ uint32_t temp; /* Temporary word value */ uint32_t W[80]; /* Word sequence */ uint32_t A, B, C, D, E; /* Word buffers */ /* * Initialize the first 16 words in the array W */ for (t = 0; t Message_Block[t * 4]) Message_Block[t * 4 + 1]) Message_Block[t * 4 + 2]) Message_Block[t * 4 + 3]); } Eastlake 3rd & Hansen Informational [Page 31] RFC 4634 SHAs and HMAC-SHAs July 2006 for (t = 16; t Intermediate_Hash[0]; B = context->Intermediate_Hash[1]; C = context->Intermediate_Hash[2]; D = context->Intermediate_Hash[3]; E = context->Intermediate_Hash[4]; for (t = 0; t Intermediate_Hash[0] += A; context->Intermediate_Hash[1] += B; context->Intermediate_Hash[2] += C; Eastlake 3rd & Hansen Informational [Page 32] RFC 4634 SHAs and HMAC-SHAs July 2006 context->Intermediate_Hash[3] += D; context->Intermediate_Hash[4] += E; context->Message_Block_Index = 0; } 8.2.2. sha224-256.c /*************************** sha224-256.c ***************************/ /********************* See RFC 4634 for details *********************/ /* * Description: * This file implements the Secure Hash Signature Standard * algorithms as defined in the National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 * published on August 1, 2002, and the FIPS PUB 180-2 Change * Notice published on February 28, 2004. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf * * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit * message digests for a given data stream. It should take about * 2**n steps to find a message with the same digest as a given * message and 2**(n/2) to find any two messages with the same * digest, when n is the digest size in bits. Therefore, this * algorithm can serve as a means of providing a * "fingerprint" for a message. * * Portability Issues: * SHA-224 and SHA-256 are defined in terms of 32-bit "words". * This code uses (included via "sha.h") to define 32 * and 8 bit unsigned integer types. If your C compiler does not * support 32 bit unsigned integers, this code is not * appropriate. * * Caveats: * SHA-224 and SHA-256 are designed to work with messages less * than 2^64 bits long. This implementation uses SHA224/256Input() * to hash the bits that are a multiple of the size of an 8-bit * character, and then uses SHA224/256FinalBits() to hash the * final few bits of the input. */ #include "sha.h" #include "sha-private.h" Eastlake 3rd & Hansen Informational [Page 33] RFC 4634 SHAs and HMAC-SHAs July 2006 /* Define the SHA shift, rotate left and rotate right macro */ #define SHA256_SHR(bits,word) ((word) >> (bits)) #define SHA256_ROTL(bits,word) \ (((word) > (32-(bits)))) #define SHA256_ROTR(bits,word) \ (((word) >> (bits)) | ((word) Length_Low, (context)->Corrupted = \ (((context)->Length_Low += (length)) Length_High == 0) ? 1 : 0) /* Local Function Prototypes */ static void SHA224_256Finalize(SHA256Context *context, uint8_t Pad_Byte); static void SHA224_256PadMessage(SHA256Context *context, uint8_t Pad_Byte); static void SHA224_256ProcessMessageBlock(SHA256Context *context); static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); static int SHA224_256ResultN(SHA256Context *context, uint8_t Message_Digest[], int HashSize); /* Initial Hash Values: FIPS-180-2 Change Notice 1 */ static uint32_t SHA224_H0[SHA256HashSize/4] = { 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 }; /* Initial Hash Values: FIPS-180-2 section 5.3.2 */ static uint32_t SHA256_H0[SHA256HashSize/4] = { 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 }; Eastlake 3rd & Hansen Informational [Page 34] RFC 4634 SHAs and HMAC-SHAs July 2006 /* * SHA224Reset * * Description: * This function will initialize the SHA384Context in preparation * for computing a new SHA224 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. */ int SHA224Reset(SHA224Context *context) { return SHA224_256Reset(context, SHA224_H0); } /* * SHA224Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. * */ int SHA224Input(SHA224Context *context, const uint8_t *message_array, unsigned int length) { return SHA256Input(context, message_array, length); } /* * SHA224FinalBits * Eastlake 3rd & Hansen Informational [Page 35] RFC 4634 SHAs and HMAC-SHAs July 2006 * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. */ int SHA224FinalBits( SHA224Context *context, const uint8_t message_bits, unsigned int length) { return SHA256FinalBits(context, message_bits, length); } /* * SHA224Result * * Description: * This function will return the 224-bit message * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 28th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * * Returns: * sha Error Code. */ int SHA224Result(SHA224Context *context, uint8_t Message_Digest[SHA224HashSize]) { return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); } /* * SHA256Reset Eastlake 3rd & Hansen Informational [Page 36] RFC 4634 SHAs and HMAC-SHAs July 2006 * * Description: * This function will initialize the SHA256Context in preparation * for computing a new SHA256 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. */ int SHA256Reset(SHA256Context *context) { return SHA224_256Reset(context, SHA256_H0); } /* * SHA256Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. */ int SHA256Input(SHA256Context *context, const uint8_t *message_array, unsigned int length) { if (!length) return shaSuccess; if (!context || !message_array) return shaNull; if (context->Computed) { context->Corrupted = shaStateError; return shaStateError; Eastlake 3rd & Hansen Informational [Page 37] RFC 4634 SHAs and HMAC-SHAs July 2006 } if (context->Corrupted) return context->Corrupted; while (length-- && !context->Corrupted) { context->Message_Block[context->Message_Block_Index++] = (*message_array & 0xFF); if (!SHA224_256AddLength(context, 8) && (context->Message_Block_Index == SHA256_Message_Block_Size)) SHA224_256ProcessMessageBlock(context); message_array++; } return shaSuccess; } /* * SHA256FinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. */ int SHA256FinalBits(SHA256Context *context, const uint8_t message_bits, unsigned int length) { uint8_t masks[8] = { /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE }; Eastlake 3rd & Hansen Informational [Page 38] RFC 4634 SHAs and HMAC-SHAs July 2006 uint8_t markbit[8] = { /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 }; if (!length) return shaSuccess; if (!context) return shaNull; if ((context->Computed) || (length >= 8) || (length == 0)) { context->Corrupted = shaStateError; return shaStateError; } if (context->Corrupted) return context->Corrupted; SHA224_256AddLength(context, length); SHA224_256Finalize(context, (uint8_t) ((message_bits & masks[length]) | markbit[length])); return shaSuccess; } /* * SHA256Result * * Description: * This function will return the 256-bit message * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 32nd element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * * Returns: * sha Error Code. */ int SHA256Result(SHA256Context *context, uint8_t Message_Digest[]) { Eastlake 3rd & Hansen Informational [Page 39] RFC 4634 SHAs and HMAC-SHAs July 2006 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); } /* * SHA224_256Finalize * * Description: * This helper function finishes off the digest calculations. * * Parameters: * context: [in/out] * The SHA context to update * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * sha Error Code. */ static void SHA224_256Finalize(SHA256Context *context, uint8_t Pad_Byte) { int i; SHA224_256PadMessage(context, Pad_Byte); /* message may be sensitive, so clear it out */ for (i = 0; i Message_Block[i] = 0; context->Length_Low = 0; /* and clear length */ context->Length_High = 0; context->Computed = 1; } /* * SHA224_256PadMessage * * Description: * According to the standard, the message must be padded to an * even 512 bits. The first padding bit must be a '1'. The * last 64 bits represent the length of the original message. * All bits in between should be 0. This helper function will pad * the message according to those rules by filling the * Message_Block array accordingly. When it returns, it can be * assumed that the message digest has been computed. * * Parameters: * context: [in/out] Eastlake 3rd & Hansen Informational [Page 40] RFC 4634 SHAs and HMAC-SHAs July 2006 * The context to pad * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * Nothing. */ static void SHA224_256PadMessage(SHA256Context *context, uint8_t Pad_Byte) { /* * Check to see if the current message block is too small to hold * the initial padding bits and length. If so, we will pad the * block, process it, and then continue padding into a second * block. */ if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; SHA224_256ProcessMessageBlock(context); } else context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; /* * Store the message length as the last 8 octets */ context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); context->Message_Block[59] = (uint8_t)(context->Length_High); context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); context->Message_Block[63] = (uint8_t)(context->Length_Low); SHA224_256ProcessMessageBlock(context); } /* * SHA224_256ProcessMessageBlock * Eastlake 3rd & Hansen Informational [Page 41] RFC 4634 SHAs and HMAC-SHAs July 2006 * Description: * This function will process the next 512 bits of the message * stored in the Message_Block array. * * Parameters: * context: [in/out] * The SHA context to update * * Returns: * Nothing. * * Comments: * Many of the variable names in this code, especially the * single character names, were used because those were the * names used in the publication. */ static void SHA224_256ProcessMessageBlock(SHA256Context *context) { /* Constants defined in FIPS-180-2, section 4.2.2 */ static const uint32_t K[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 }; int t, t4; /* Loop counter */ uint32_t temp1, temp2; /* Temporary word value */ uint32_t W[64]; /* Word sequence */ uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ /* * Initialize the first 16 words in the array W */ for (t = t4 = 0; t Message_Block[t4]) Message_Block[t4 + 1]) Message_Block[t4 + 2]) Message_Block[t4 + 3])); Eastlake 3rd & Hansen Informational [Page 42] RFC 4634 SHAs and HMAC-SHAs July 2006 for (t = 16; t Intermediate_Hash[0]; B = context->Intermediate_Hash[1]; C = context->Intermediate_Hash[2]; D = context->Intermediate_Hash[3]; E = context->Intermediate_Hash[4]; F = context->Intermediate_Hash[5]; G = context->Intermediate_Hash[6]; H = context->Intermediate_Hash[7]; for (t = 0; t Intermediate_Hash[0] += A; context->Intermediate_Hash[1] += B; context->Intermediate_Hash[2] += C; context->Intermediate_Hash[3] += D; context->Intermediate_Hash[4] += E; context->Intermediate_Hash[5] += F; context->Intermediate_Hash[6] += G; context->Intermediate_Hash[7] += H; context->Message_Block_Index = 0; } /* * SHA224_256Reset * * Description: * This helper function will initialize the SHA256Context in * preparation for computing a new SHA256 message digest. * * Parameters: * context: [in/out] * The context to reset. Eastlake 3rd & Hansen Informational [Page 43] RFC 4634 SHAs and HMAC-SHAs July 2006 * H0 * The initial hash value to use. * * Returns: * sha Error Code. */ static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) { if (!context) return shaNull; context->Length_Low = 0; context->Length_High = 0; context->Message_Block_Index = 0; context->Intermediate_Hash[0] = H0[0]; context->Intermediate_Hash[1] = H0[1]; context->Intermediate_Hash[2] = H0[2]; context->Intermediate_Hash[3] = H0[3]; context->Intermediate_Hash[4] = H0[4]; context->Intermediate_Hash[5] = H0[5]; context->Intermediate_Hash[6] = H0[6]; context->Intermediate_Hash[7] = H0[7]; context->Computed = 0; context->Corrupted = 0; return shaSuccess; } /* * SHA224_256ResultN * * Description: * This helper function will return the 224-bit or 256-bit message * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 28th/32nd element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * HashSize: [in] * The size of the hash, either 28 or 32. * * Returns: Eastlake 3rd & Hansen Informational [Page 44] RFC 4634 SHAs and HMAC-SHAs July 2006 * sha Error Code. */ static int SHA224_256ResultN(SHA256Context *context, uint8_t Message_Digest[], int HashSize) { int i; if (!context || !Message_Digest) return shaNull; if (context->Corrupted) return context->Corrupted; if (!context->Computed) SHA224_256Finalize(context, 0x80); for (i = 0; i Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); return shaSuccess; } 8.2.3. sha384-512.c /*************************** sha384-512.c ***************************/ /********************* See RFC 4634 for details *********************/ /* * Description: * This file implements the Secure Hash Signature Standard * algorithms as defined in the National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 * published on August 1, 2002, and the FIPS PUB 180-2 Change * Notice published on February 28, 2004. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf * * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit * message digests for a given data stream. It should take about * 2**n steps to find a message with the same digest as a given * message and 2**(n/2) to find any two messages with the same * digest, when n is the digest size in bits. Therefore, this * algorithm can serve as a means of providing a * "fingerprint" for a message. * Eastlake 3rd & Hansen Informational [Page 45] RFC 4634 SHAs and HMAC-SHAs July 2006 * Portability Issues: * SHA-384 and SHA-512 are defined in terms of 64-bit "words", * but if USE_32BIT_ONLY is #defined, this code is implemented in * terms of 32-bit "words". This code uses (included * via "sha.h") to define the 64, 32 and 8 bit unsigned integer * types. If your C compiler does not support 64 bit unsigned * integers, and you do not #define USE_32BIT_ONLY, this code is * not appropriate. * * Caveats: * SHA-384 and SHA-512 are designed to work with messages less * than 2^128 bits long. This implementation uses * SHA384/512Input() to hash the bits that are a multiple of the * size of an 8-bit character, and then uses SHA384/256FinalBits() * to hash the final few bits of the input. * */ #include "sha.h" #include "sha-private.h" #ifdef USE_32BIT_ONLY /* * Define 64-bit arithmetic in terms of 32-bit arithmetic. * Each 64-bit number is represented in a 2-word array. * All macros are defined such that the result is the last parameter. */ /* * Define shift, rotate left and rotate right functions */ #define SHA512_SHR(bits, word, ret) ( \ /* (((uint64_t)((word))) >> (bits)) */ \ (ret)[0] = (((bits) = 0)) ? \ ((word)[0] >> (bits)) : 0, \ (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ ((bits) == 32) ? (word)[0] : \ ((bits) >= 0) ? \ (((word)[0] > (bits))) : 0 ) #define SHA512_SHL(bits, word, ret) ( \ /* (((uint64_t)(word)) 32) ? ((word)[1] = 0) ? \ (((word)[0] > (32 - (bits)))) : \ Eastlake 3rd & Hansen Informational [Page 46] RFC 4634 SHAs and HMAC-SHAs July 2006 0, \ (ret)[1] = (((bits) = 0)) ? \ ((word)[1] > bits) | (word Length, addTemp), \ (context)->Corrupted = (((context)->Length[3] == 0) && \ ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ ((context)->Length[0] > (bits)) #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ (((uint64_t)(word)) Length_Low, context->Corrupted = \ ((context->Length_Low += length) Length_High == 0) ? 1 : 0) /* Local Function Prototypes */ static void SHA384_512Finalize(SHA512Context *context, uint8_t Pad_Byte); static void SHA384_512PadMessage(SHA512Context *context, uint8_t Pad_Byte); static void SHA384_512ProcessMessageBlock(SHA512Context *context); static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]); static int SHA384_512ResultN(SHA512Context *context, uint8_t Message_Digest[], int HashSize); /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ static uint64_t SHA384_H0[] = { 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll Eastlake 3rd & Hansen Informational [Page 51] RFC 4634 SHAs and HMAC-SHAs July 2006 }; static uint64_t SHA512_H0[] = { 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll }; #endif /* USE_32BIT_ONLY */ /* * SHA384Reset * * Description: * This function will initialize the SHA384Context in preparation * for computing a new SHA384 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. * */ int SHA384Reset(SHA384Context *context) { return SHA384_512Reset(context, SHA384_H0); } /* * SHA384Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. * Eastlake 3rd & Hansen Informational [Page 52] RFC 4634 SHAs and HMAC-SHAs July 2006 */ int SHA384Input(SHA384Context *context, const uint8_t *message_array, unsigned int length) { return SHA512Input(context, message_array, length); } /* * SHA384FinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. * */ int SHA384FinalBits(SHA384Context *context, const uint8_t message_bits, unsigned int length) { return SHA512FinalBits(context, message_bits, length); } /* * SHA384Result * * Description: * This function will return the 384-bit message * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 48th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * Eastlake 3rd & Hansen Informational [Page 53] RFC 4634 SHAs and HMAC-SHAs July 2006 * Returns: * sha Error Code. * */ int SHA384Result(SHA384Context *context, uint8_t Message_Digest[SHA384HashSize]) { return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); } /* * SHA512Reset * * Description: * This function will initialize the SHA512Context in preparation * for computing a new SHA512 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. * */ int SHA512Reset(SHA512Context *context) { return SHA384_512Reset(context, SHA512_H0); } /* * SHA512Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. Eastlake 3rd & Hansen Informational [Page 54] RFC 4634 SHAs and HMAC-SHAs July 2006 * */ int SHA512Input(SHA512Context *context, const uint8_t *message_array, unsigned int length) { if (!length) return shaSuccess; if (!context || !message_array) return shaNull; if (context->Computed) { context->Corrupted = shaStateError; return shaStateError; } if (context->Corrupted) return context->Corrupted; while (length-- && !context->Corrupted) { context->Message_Block[context->Message_Block_Index++] = (*message_array & 0xFF); if (!SHA384_512AddLength(context, 8) && (context->Message_Block_Index == SHA512_Message_Block_Size)) SHA384_512ProcessMessageBlock(context); message_array++; } return shaSuccess; } /* * SHA512FinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] Eastlake 3rd & Hansen Informational [Page 55] RFC 4634 SHAs and HMAC-SHAs July 2006 * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. * */ int SHA512FinalBits(SHA512Context *context, const uint8_t message_bits, unsigned int length) { uint8_t masks[8] = { /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE }; uint8_t markbit[8] = { /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 }; if (!length) return shaSuccess; if (!context) return shaNull; if ((context->Computed) || (length >= 8) || (length == 0)) { context->Corrupted = shaStateError; return shaStateError; } if (context->Corrupted) return context->Corrupted; SHA384_512AddLength(context, length); SHA384_512Finalize(context, (uint8_t) ((message_bits & masks[length]) | markbit[length])); return shaSuccess; } /* * SHA384_512Finalize * * Description: * This helper function finishes off the digest calculations. Eastlake 3rd & Hansen Informational [Page 56] RFC 4634 SHAs and HMAC-SHAs July 2006 * * Parameters: * context: [in/out] * The SHA context to update * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * sha Error Code. * */ static void SHA384_512Finalize(SHA512Context *context, uint8_t Pad_Byte) { int_least16_t i; SHA384_512PadMessage(context, Pad_Byte); /* message may be sensitive, clear it out */ for (i = 0; i Message_Block[i] = 0; #ifdef USE_32BIT_ONLY /* and clear length */ context->Length[0] = context->Length[1] = 0; context->Length[2] = context->Length[3] = 0; #else /* !USE_32BIT_ONLY */ context->Length_Low = 0; context->Length_High = 0; #endif /* USE_32BIT_ONLY */ context->Computed = 1; } /* * SHA512Result * * Description: * This function will return the 512-bit message * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 64th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * * Returns: Eastlake 3rd & Hansen Informational [Page 57] RFC 4634 SHAs and HMAC-SHAs July 2006 * sha Error Code. * */ int SHA512Result(SHA512Context *context, uint8_t Message_Digest[SHA512HashSize]) { return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); } /* * SHA384_512PadMessage * * Description: * According to the standard, the message must be padded to an * even 1024 bits. The first padding bit must be a '1'. The * last 128 bits represent the length of the original message. * All bits in between should be 0. This helper function will * pad the message according to those rules by filling the * Message_Block array accordingly. When it returns, it can be * assumed that the message digest has been computed. * * Parameters: * context: [in/out] * The context to pad * Pad_Byte: [in] * The last byte to add to the digest before the 0-padding * and length. This will contain the last bits of the message * followed by another single bit. If the message was an * exact multiple of 8-bits long, Pad_Byte will be 0x80. * * Returns: * Nothing. * */ static void SHA384_512PadMessage(SHA512Context *context, uint8_t Pad_Byte) { /* * Check to see if the current message block is too small to hold * the initial padding bits and length. If so, we will pad the * block, process it, and then continue padding into a second * block. */ if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; Eastlake 3rd & Hansen Informational [Page 58] RFC 4634 SHAs and HMAC-SHAs July 2006 SHA384_512ProcessMessageBlock(context); } else context->Message_Block[context->Message_Block_Index++] = Pad_Byte; while (context->Message_Block_Index Message_Block[context->Message_Block_Index++] = 0; /* * Store the message length as the last 16 octets */ #ifdef USE_32BIT_ONLY context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); context->Message_Block[115] = (uint8_t)(context->Length[0]); context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); context->Message_Block[119] = (uint8_t)(context->Length[1]); context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); context->Message_Block[123] = (uint8_t)(context->Length[2]); context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); context->Message_Block[127] = (uint8_t)(context->Length[3]); #else /* !USE_32BIT_ONLY */ context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); context->Message_Block[119] = (uint8_t)(context->Length_High); context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); context->Message_Block[127] = (uint8_t)(context->Length_Low); #endif /* USE_32BIT_ONLY */ Eastlake 3rd & Hansen Informational [Page 59] RFC 4634 SHAs and HMAC-SHAs July 2006 SHA384_512ProcessMessageBlock(context); } /* * SHA384_512ProcessMessageBlock * * Description: * This helper function will process the next 1024 bits of the * message stored in the Message_Block array. * * Parameters: * context: [in/out] * The SHA context to update * * Returns: * Nothing. * * Comments: * Many of the variable names in this code, especially the * single character names, were used because those were the * names used in the publication. * * */ static void SHA384_512ProcessMessageBlock(SHA512Context *context) { /* Constants defined in FIPS-180-2, section 4.2.3 */ #ifdef USE_32BIT_ONLY static const uint32_t K[80*2] = { 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, Eastlake 3rd & Hansen Informational [Page 60] RFC 4634 SHAs and HMAC-SHAs July 2006 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 }; int t, t2, t8; /* Loop counter */ uint32_t temp1[2], temp2[2], /* Temporary word values */ temp3[2], temp4[2], temp5[2]; uint32_t W[2*80]; /* Word sequence */ uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ E[2], F[2], G[2], H[2]; /* Initialize the first 16 words in the array W */ for (t = t2 = t8 = 0; t Message_Block[t8 ])) Message_Block[t8 + 1])) Message_Block[t8 + 2])) Message_Block[t8 + 3]))); W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) Message_Block[t8 + 5])) Message_Block[t8 + 6])) Message_Block[t8 + 7]))); } for (t = 16; t Intermediate_Hash[0]; Eastlake 3rd & Hansen Informational [Page 61] RFC 4634 SHAs and HMAC-SHAs July 2006 A[1] = context->Intermediate_Hash[1]; B[0] = context->Intermediate_Hash[2]; B[1] = context->Intermediate_Hash[3]; C[0] = context->Intermediate_Hash[4]; C[1] = context->Intermediate_Hash[5]; D[0] = context->Intermediate_Hash[6]; D[1] = context->Intermediate_Hash[7]; E[0] = context->Intermediate_Hash[8]; E[1] = context->Intermediate_Hash[9]; F[0] = context->Intermediate_Hash[10]; F[1] = context->Intermediate_Hash[11]; G[0] = context->Intermediate_Hash[12]; G[1] = context->Intermediate_Hash[13]; H[0] = context->Intermediate_Hash[14]; H[1] = context->Intermediate_Hash[15]; for (t = t2 = 0; t Intermediate_Hash[0], A); SHA512_ADDTO2(&context->Intermediate_Hash[2], B); SHA512_ADDTO2(&context->Intermediate_Hash[4], C); SHA512_ADDTO2(&context->Intermediate_Hash[6], D); SHA512_ADDTO2(&context->Intermediate_Hash[8], E); SHA512_ADDTO2(&context->Intermediate_Hash[10], F); Eastlake 3rd & Hansen Informational [Page 62] RFC 4634 SHAs and HMAC-SHAs July 2006 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); SHA512_ADDTO2(&context->Intermediate_Hash[14], H); #else /* !USE_32BIT_ONLY */ static const uint64_t K[80] = { 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll }; int t, t8; /* Loop counter */ uint64_t temp1, temp2; /* Temporary word value */ uint64_t W[80]; /* Word sequence */ uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ /* * Initialize the first 16 words in the array W */ for (t = t8 = 0; t Message_Block[t8 ]) Message_Block[t8 + 1]) Message_Block[t8 + 2]) Message_Block[t8 + 3]) Message_Block[t8 + 4]) Message_Block[t8 + 5]) Message_Block[t8 + 6]) Message_Block[t8 + 7])); for (t = 16; t Intermediate_Hash[0]; B = context->Intermediate_Hash[1]; C = context->Intermediate_Hash[2]; D = context->Intermediate_Hash[3]; E = context->Intermediate_Hash[4]; F = context->Intermediate_Hash[5]; G = context->Intermediate_Hash[6]; H = context->Intermediate_Hash[7]; for (t = 0; t Intermediate_Hash[0] += A; context->Intermediate_Hash[1] += B; context->Intermediate_Hash[2] += C; context->Intermediate_Hash[3] += D; context->Intermediate_Hash[4] += E; context->Intermediate_Hash[5] += F; context->Intermediate_Hash[6] += G; context->Intermediate_Hash[7] += H; #endif /* USE_32BIT_ONLY */ context->Message_Block_Index = 0; } /* * SHA384_512Reset * * Description: * This helper function will initialize the SHA512Context in * preparation for computing a new SHA384 or SHA512 message Eastlake 3rd & Hansen Informational [Page 64] RFC 4634 SHAs and HMAC-SHAs July 2006 * digest. * * Parameters: * context: [in/out] * The context to reset. * H0 * The initial hash value to use. * * Returns: * sha Error Code. * */ #ifdef USE_32BIT_ONLY static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]) #else /* !USE_32BIT_ONLY */ static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]) #endif /* USE_32BIT_ONLY */ { int i; if (!context) return shaNull; context->Message_Block_Index = 0; #ifdef USE_32BIT_ONLY context->Length[0] = context->Length[1] = 0; context->Length[2] = context->Length[3] = 0; for (i = 0; i Intermediate_Hash[i] = H0[i]; #else /* !USE_32BIT_ONLY */ context->Length_High = context->Length_Low = 0; for (i = 0; i Intermediate_Hash[i] = H0[i]; #endif /* USE_32BIT_ONLY */ context->Computed = 0; context->Corrupted = 0; return shaSuccess; } /* * SHA384_512ResultN * * Description: * This helper function will return the 384-bit or 512-bit message Eastlake 3rd & Hansen Informational [Page 65] RFC 4634 SHAs and HMAC-SHAs July 2006 * digest into the Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 48th/64th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA hash. * Message_Digest: [out] * Where the digest is returned. * HashSize: [in] * The size of the hash, either 48 or 64. * * Returns: * sha Error Code. * */ static int SHA384_512ResultN(SHA512Context *context, uint8_t Message_Digest[], int HashSize) { int i; #ifdef USE_32BIT_ONLY int i2; #endif /* USE_32BIT_ONLY */ if (!context || !Message_Digest) return shaNull; if (context->Corrupted) return context->Corrupted; if (!context->Computed) SHA384_512Finalize(context, 0x80); #ifdef USE_32BIT_ONLY for (i = i2 = 0; i Intermediate_Hash[i2]>>24); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); } #else /* !USE_32BIT_ONLY */ for (i = 0; i Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); #endif /* USE_32BIT_ONLY */ return shaSuccess; } 8.2.4. usha.c /**************************** usha.c ****************************/ /******************** See RFC 4634 for details ******************/ /* * Description: * This file implements a unified interface to the SHA algorithms. */ #include "sha.h" /* * USHAReset * * Description: * This function will initialize the SHA Context in preparation * for computing a new SHA message digest. * * Parameters: * context: [in/out] * The context to reset. * whichSha: [in] * Selects which SHA reset to call * * Returns: * sha Error Code. * */ int USHAReset(USHAContext *ctx, enum SHAversion whichSha) { if (ctx) { ctx->whichSha = whichSha; switch (whichSha) { case SHA1: return SHA1Reset((SHA1Context*)&ctx->ctx); case SHA224: return SHA224Reset((SHA224Context*)&ctx->ctx); case SHA256: return SHA256Reset((SHA256Context*)&ctx->ctx); case SHA384: return SHA384Reset((SHA384Context*)&ctx->ctx); case SHA512: return SHA512Reset((SHA512Context*)&ctx->ctx); default: return shaBadParam; } } else { return shaNull; Eastlake 3rd & Hansen Informational [Page 67] RFC 4634 SHAs and HMAC-SHAs July 2006 } } /* * USHAInput * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. * */ int USHAInput(USHAContext *ctx, const uint8_t *bytes, unsigned int bytecount) { if (ctx) { switch (ctx->whichSha) { case SHA1: return SHA1Input((SHA1Context*)&ctx->ctx, bytes, bytecount); case SHA224: return SHA224Input((SHA224Context*)&ctx->ctx, bytes, bytecount); case SHA256: return SHA256Input((SHA256Context*)&ctx->ctx, bytes, bytecount); case SHA384: return SHA384Input((SHA384Context*)&ctx->ctx, bytes, bytecount); case SHA512: return SHA512Input((SHA512Context*)&ctx->ctx, bytes, bytecount); default: return shaBadParam; } } else { return shaNull; } } Eastlake 3rd & Hansen Informational [Page 68] RFC 4634 SHAs and HMAC-SHAs July 2006 /* * USHAFinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The SHA context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. */ int USHAFinalBits(USHAContext *ctx, const uint8_t bits, unsigned int bitcount) { if (ctx) { switch (ctx->whichSha) { case SHA1: return SHA1FinalBits((SHA1Context*)&ctx->ctx, bits, bitcount); case SHA224: return SHA224FinalBits((SHA224Context*)&ctx->ctx, bits, bitcount); case SHA256: return SHA256FinalBits((SHA256Context*)&ctx->ctx, bits, bitcount); case SHA384: return SHA384FinalBits((SHA384Context*)&ctx->ctx, bits, bitcount); case SHA512: return SHA512FinalBits((SHA512Context*)&ctx->ctx, bits, bitcount); default: return shaBadParam; } } else { return shaNull; } } /* * USHAResult * Eastlake 3rd & Hansen Informational [Page 69] RFC 4634 SHAs and HMAC-SHAs July 2006 * Description: * This function will return the 160-bit message digest into the * Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the 19th element. * * Parameters: * context: [in/out] * The context to use to calculate the SHA-1 hash. * Message_Digest: [out] * Where the digest is returned. * * Returns: * sha Error Code. * */ int USHAResult(USHAContext *ctx, uint8_t Message_Digest[USHAMaxHashSize]) { if (ctx) { switch (ctx->whichSha) { case SHA1: return SHA1Result((SHA1Context*)&ctx->ctx, Message_Digest); case SHA224: return SHA224Result((SHA224Context*)&ctx->ctx, Message_Digest); case SHA256: return SHA256Result((SHA256Context*)&ctx->ctx, Message_Digest); case SHA384: return SHA384Result((SHA384Context*)&ctx->ctx, Message_Digest); case SHA512: return SHA512Result((SHA512Context*)&ctx->ctx, Message_Digest); default: return shaBadParam; } } else { return shaNull; } } /* * USHABlockSize * * Description: * This function will return the blocksize for the given SHA * algorithm. * * Parameters: * whichSha: * which SHA algorithm to query Eastlake 3rd & Hansen Informational [Page 70] RFC 4634 SHAs and HMAC-SHAs July 2006 * * Returns: * block size * */ int USHABlockSize(enum SHAversion whichSha) { switch (whichSha) { case SHA1: return SHA1_Message_Block_Size; case SHA224: return SHA224_Message_Block_Size; case SHA256: return SHA256_Message_Block_Size; case SHA384: return SHA384_Message_Block_Size; default: case SHA512: return SHA512_Message_Block_Size; } } /* * USHAHashSize * * Description: * This function will return the hashsize for the given SHA * algorithm. * * Parameters: * whichSha: * which SHA algorithm to query * * Returns: * hash size * */ int USHAHashSize(enum SHAversion whichSha) { switch (whichSha) { case SHA1: return SHA1HashSize; case SHA224: return SHA224HashSize; case SHA256: return SHA256HashSize; case SHA384: return SHA384HashSize; default: case SHA512: return SHA512HashSize; } } /* * USHAHashSizeBits * * Description: Eastlake 3rd & Hansen Informational [Page 71] RFC 4634 SHAs and HMAC-SHAs July 2006 * This function will return the hashsize for the given SHA * algorithm, expressed in bits. * * Parameters: * whichSha: * which SHA algorithm to query * * Returns: * hash size in bits * */ int USHAHashSizeBits(enum SHAversion whichSha) { switch (whichSha) { case SHA1: return SHA1HashSizeBits; case SHA224: return SHA224HashSizeBits; case SHA256: return SHA256HashSizeBits; case SHA384: return SHA384HashSizeBits; default: case SHA512: return SHA512HashSizeBits; } } 8.2.5. sha-private.h /*************************** sha-private.h ***************************/ /********************** See RFC 4634 for details *********************/ #ifndef _SHA_PRIVATE__H #define _SHA_PRIVATE__H /* * These definitions are defined in FIPS-180-2, section 4.1. * Ch() and Maj() are defined identically in sections 4.1.1, * 4.1.2 and 4.1.3. * * The definitions used in FIPS-180-2 are as follows: */ #ifndef USE_MODIFIED_MACROS #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) #else /* USE_MODIFIED_MACROS */ /* * The following definitions are equivalent and potentially faster. */ #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) Eastlake 3rd & Hansen Informational [Page 72] RFC 4634 SHAs and HMAC-SHAs July 2006 #endif /* USE_MODIFIED_MACROS */ #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) #endif /* _SHA_PRIVATE__H */ 8.3 The HMAC Code /**************************** hmac.c ****************************/ /******************** See RFC 4634 for details ******************/ /* * Description: * This file implements the HMAC algorithm (Keyed-Hashing for * Message Authentication, RFC2104), expressed in terms of the * various SHA algorithms. */ #include "sha.h" /* * hmac * * Description: * This function will compute an HMAC message digest. * * Parameters: * whichSha: [in] * One of SHA1, SHA224, SHA256, SHA384, SHA512 * key: [in] * The secret shared key. * key_len: [in] * The length of the secret shared key. * message_array: [in] * An array of characters representing the message. * length: [in] * The length of the message in message_array * digest: [out] * Where the digest is returned. * NOTE: The length of the digest is determined by * the value of whichSha. * * Returns: * sha Error Code. * */ int hmac(SHAversion whichSha, const unsigned char *text, int text_len, const unsigned char *key, int key_len, uint8_t digest[USHAMaxHashSize]) Eastlake 3rd & Hansen Informational [Page 73] RFC 4634 SHAs and HMAC-SHAs July 2006 { HMACContext ctx; return hmacReset(&ctx, whichSha, key, key_len) || hmacInput(&ctx, text, text_len) || hmacResult(&ctx, digest); } /* * hmacReset * * Description: * This function will initialize the hmacContext in preparation * for computing a new HMAC message digest. * * Parameters: * context: [in/out] * The context to reset. * whichSha: [in] * One of SHA1, SHA224, SHA256, SHA384, SHA512 * key: [in] * The secret shared key. * key_len: [in] * The length of the secret shared key. * * Returns: * sha Error Code. * */ int hmacReset(HMACContext *ctx, enum SHAversion whichSha, const unsigned char *key, int key_len) { int i, blocksize, hashsize; /* inner padding - key XORd with ipad */ unsigned char k_ipad[USHA_Max_Message_Block_Size]; /* temporary buffer when keylen > blocksize */ unsigned char tempkey[USHAMaxHashSize]; if (!ctx) return shaNull; blocksize = ctx->blockSize = USHABlockSize(whichSha); hashsize = ctx->hashSize = USHAHashSize(whichSha); ctx->whichSha = whichSha; /* * If key is longer than the hash blocksize, Eastlake 3rd & Hansen Informational [Page 74] RFC 4634 SHAs and HMAC-SHAs July 2006 * reset it to key = HASH(key). */ if (key_len > blocksize) { USHAContext tctx; int err = USHAReset(&tctx, whichSha) || USHAInput(&tctx, key, key_len) || USHAResult(&tctx, tempkey); if (err != shaSuccess) return err; key = tempkey; key_len = hashsize; } /* * The HMAC transform looks like: * * SHA(K XOR opad, SHA(K XOR ipad, text)) * * where K is an n byte key. * ipad is the byte 0x36 repeated blocksize times * opad is the byte 0x5c repeated blocksize times * and text is the data being protected. */ /* store key into the pads, XOR'd with ipad and opad values */ for (i = 0; i k_opad[i] = key[i] ^ 0x5c; } /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ for ( ; i k_opad[i] = 0x5c; } /* perform inner hash */ /* init context for 1st pass */ return USHAReset(&ctx->shaContext, whichSha) || /* and start with inner pad */ USHAInput(&ctx->shaContext, k_ipad, blocksize); } /* * hmacInput * * Description: * This function accepts an array of octets as the next portion * of the message. Eastlake 3rd & Hansen Informational [Page 75] RFC 4634 SHAs and HMAC-SHAs July 2006 * * Parameters: * context: [in/out] * The HMAC context to update * message_array: [in] * An array of characters representing the next portion of * the message. * length: [in] * The length of the message in message_array * * Returns: * sha Error Code. * */ int hmacInput(HMACContext *ctx, const unsigned char *text, int text_len) { if (!ctx) return shaNull; /* then text of datagram */ return USHAInput(&ctx->shaContext, text, text_len); } /* * HMACFinalBits * * Description: * This function will add in any final bits of the message. * * Parameters: * context: [in/out] * The HMAC context to update * message_bits: [in] * The final bits of the message, in the upper portion of the * byte. (Use 0b###00000 instead of 0b00000### to input the * three bits ###.) * length: [in] * The number of bits in message_bits, between 1 and 7. * * Returns: * sha Error Code. */ int hmacFinalBits(HMACContext *ctx, const uint8_t bits, unsigned int bitcount) { if (!ctx) return shaNull; /* then final bits of datagram */ return USHAFinalBits(&ctx->shaContext, bits, bitcount); Eastlake 3rd & Hansen Informational [Page 76] RFC 4634 SHAs and HMAC-SHAs July 2006 } /* * HMACResult * * Description: * This function will return the N-byte message digest into the * Message_Digest array provided by the caller. * NOTE: The first octet of hash is stored in the 0th element, * the last octet of hash in the Nth element. * * Parameters: * context: [in/out] * The context to use to calculate the HMAC hash. * digest: [out] * Where the digest is returned. * NOTE 2: The length of the hash is determined by the value of * whichSha that was passed to hmacReset(). * * Returns: * sha Error Code. * */ int hmacResult(HMACContext *ctx, uint8_t *digest) { if (!ctx) return shaNull; /* finish up 1st pass */ /* (Use digest here as a temporary buffer.) */ return USHAResult(&ctx->shaContext, digest) || /* perform outer SHA */ /* init context for 2nd pass */ USHAReset(&ctx->shaContext, ctx->whichSha) || /* start with outer pad */ USHAInput(&ctx->shaContext, ctx->k_opad, ctx->blockSize) || /* then results of 1st hash */ USHAInput(&ctx->shaContext, digest, ctx->hashSize) || /* finish up 2nd pass */ USHAResult(&ctx->shaContext, digest); } Eastlake 3rd & Hansen Informational [Page 77] RFC 4634 SHAs and HMAC-SHAs July 2006 8.4. The Test Driver The following code is a main program test driver to exercise the code in sha1.c, sha224-256.c, and sha384-512.c. The test driver can also be used as a stand-alone program for generating the hashes. See also [RFC2202], [RFC4231], and [SHAVS]. /**************************** shatest.c ****************************/ /********************* See RFC 4634 for details ********************/ /* * Description: * This file will exercise the SHA code performing * the three tests documented in FIPS PUB 180-2 * (http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf) * one that calls SHAInput with an exact multiple of 512 bits * the seven tests documented for each algorithm in * "The Secure Hash Algorithm Validation System (SHAVS)", * three of which are bit-level tests * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf) * * This file will exercise the HMAC SHA1 code performing * the seven tests documented in RFCs 2202 and 4231. * * To run the tests and just see PASSED/FAILED, use the -p option. * * Other options exercise: * hashing an arbitrary string * hashing a file's contents * a few error test checks * printing the results in raw format * * Portability Issues: * None. * */ #include #include #include #include #include #include "sha.h" static int xgetopt(int argc, char **argv, const char *optstring); extern char *xoptarg; static int scasecmp(const char *s1, const char *s2); Eastlake 3rd & Hansen Informational [Page 78] RFC 4634 SHAs and HMAC-SHAs July 2006 /* * Define patterns for testing */ #define TEST1 "abc" #define TEST2_1 \ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" #define TEST2_2a \ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" #define TEST2_2b \ "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" #define TEST2_2 TEST2_2a TEST2_2b #define TEST3 "a" /* times 1000000 */ #define TEST4a "01234567012345670123456701234567" #define TEST4b "01234567012345670123456701234567" /* an exact multiple of 512 bits */ #define TEST4 TEST4a TEST4b /* times 10 */ #define TEST7_1 \ "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" #define TEST8_1 \ "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" #define TEST9_1 \ "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" #define TEST10_1 \ "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ "\xcd\xbb\xfb" #define TEST7_224 \ "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" #define TEST8_224 \ "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" #define TEST9_224 \ "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ Eastlake 3rd & Hansen Informational [Page 79] RFC 4634 SHAs and HMAC-SHAs July 2006 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" #define TEST10_224 \ "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ "\x87\x82\x73" #define TEST7_256 \ "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" #define TEST8_256 \ "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" #define TEST9_256 \ "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" #define TEST10_256 \ "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ "\x3d\x54\xd6" #define TEST7_384 \ "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" #define TEST8_384 \ "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" #define TEST9_384 \ "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ Eastlake 3rd & Hansen Informational [Page 80] RFC 4634 SHAs and HMAC-SHAs July 2006 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" #define TEST10_384 \ "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ "\x7e\xd0\x96" #define TEST7_512 \ "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" #define TEST8_512 \ "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" #define TEST9_512 \ "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" #define TEST10_512 \ "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ "\xfb\x40\xd2" #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ Eastlake 3rd & Hansen Informational [Page 81] RFC 4634 SHAs and HMAC-SHAs July 2006 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ "\x27" #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ "\x27\x9c\x1c\xb0\xa7" #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ "\xa4\x84\xbe\x74\x53" #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ "\x4b\x12\x27\x20\x39" #define TESTCOUNT 10 #define HASHCOUNT 5 #define RANDOMCOUNT 4 #define HMACTESTCOUNT 7 #define PRINTNONE 0 #define PRINTTEXT 1 #define PRINTRAW 2 #define PRINTHEX 3 #define PRINTBASE64 4 #define PRINTPASSFAIL 1 #define PRINTFAIL 2 #define length(x) (sizeof(x)-1) /* Test arrays for hashes. */ struct hash { const char *name; SHAversion whichSha; int hashsize; struct { const char *testarray; int length; long repeatcount; int extrabits; int numberExtrabits; const char *resultarray; } tests[TESTCOUNT]; const char *randomtest; const char *randomresults[RANDOMCOUNT]; Eastlake 3rd & Hansen Informational [Page 82] RFC 4634 SHAs and HMAC-SHAs July 2006 } hashes[HASHCOUNT] = { { "SHA1", SHA1, SHA1HashSize, { /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "A9993E364706816ABA3E25717850C26C9CD0D89D" }, /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, /* 5 */ { "", 0, 0, 0x98, 5, "29826B003B906E660EFF4027CE98AF3531AC75BA" }, /* 6 */ { "\x5e", 1, 1, 0, 0, "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, "6239781E03729919C01955B3FFA8ACB60B988340" }, /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, "CB0082C8F197D260991BA6A460E76E202BAD27B3" } }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" } }, { "SHA224", SHA224, SHA224HashSize, { /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, /* 5 */ { "", 0, 0, 0x68, 5, "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, /* 6 */ { "\x07", 1, 1, 0, 0, "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, Eastlake 3rd & Hansen Informational [Page 83] RFC 4634 SHAs and HMAC-SHAs July 2006 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" "709563FB916227FED598EB621F" } }, { "SHA256", SHA256, SHA256HashSize, { /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" "09DB45E7823EB5079CE7A573A3760F95" }, /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" "6A4E17F75F9518D843709C0C9BC3E3D4" }, /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" "E31536B70FF906EC51B00447CA97D7DD97C12411F4" } }, { "SHA384", SHA384, SHA384HashSize, { /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, /* 4 */ { TEST4, length(TEST4), 10, 0, 0, Eastlake 3rd & Hansen Informational [Page 84] RFC 4634 SHAs and HMAC-SHAs July 2006 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, /* 5 */ { "", 0, 0, 0x10, 5, "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, /* 6 */ { "\xb9", 1, 1, 0, 0, "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" } }, { "SHA512", SHA512, SHA512HashSize, { /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" "454D4423643CE80E2A9AC94FA54CA49F" }, /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" "C7D329EEB6DD26545E96E55B874BE909" }, /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" "EB009C5C2C49AA2E4EADB217AD8CC09B" }, /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, /* 5 */ { "", 0, 0, 0xB0, 5, "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" Eastlake 3rd & Hansen Informational [Page 85] RFC 4634 SHAs and HMAC-SHAs July 2006 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, /* 6 */ { "\xD0", 1, 1, 0, 0, "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" "D6E74CECE9631BFA8A549B4AB3FBBA15" }, /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" "7359B43E64F8BEC3C1F237119986BBB6" }, /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" "8213EB1B16F517AD0DE4B2F0C95C90F8" }, /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" "526F8A0A510E5E53CAFED4355FE7C2F1" }, /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" "C1A16A270D48719377966B957A878E720584779A62825C18" "DA26415E49A7176A894E7510FD1451F5" } }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" } } }; /* Test arrays for HMAC. */ struct hmachash { const char *keyarray[5]; int keylength[5]; const char *dataarray[5]; int datalength[5]; const char *resultarray[5]; int resultlength[5]; } hmachashes[HMACTESTCOUNT] = { { /* 1 */ { "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" "\x0b\x0b\x0b\x0b\x0b" }, { 20 }, { Eastlake 3rd & Hansen Informational [Page 86] RFC 4634 SHAs and HMAC-SHAs July 2006 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ }, { 8 }, { /* HMAC-SHA-1 */ "B617318655057264E28BC0B6FB378C8EF146BE00", /* HMAC-SHA-224 */ "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", /* HMAC-SHA-256 */ "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" "CFF7", /* HMAC-SHA-384 */ "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", /* HMAC-SHA-512 */ "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" "3A126854" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } }, { /* 2 */ { "\x4a\x65\x66\x65" /* "Jefe" */ }, { 4 }, { "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" /* "what do ya want for nothing?" */ }, { 28 }, { /* HMAC-SHA-1 */ "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", /* HMAC-SHA-224 */ "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", /* HMAC-SHA-256 */ "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" "3843", /* HMAC-SHA-384 */ "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" "445E8E2240CA5E69E2C78B3239ECFAB21649", /* HMAC-SHA-512 */ "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" "38BCE737" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } }, { /* 3 */ { "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa" }, { 20 }, { Eastlake 3rd & Hansen Informational [Page 87] RFC 4634 SHAs and HMAC-SHAs July 2006 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" "\xdd\xdd\xdd\xdd\xdd" }, { 50 }, { /* HMAC-SHA-1 */ "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", /* HMAC-SHA-224 */ "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", /* HMAC-SHA-256 */ "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" "65FE", /* HMAC-SHA-384 */ "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" "144B2A5AB39DC13814B94E3AB6E101A34F27", /* HMAC-SHA-512 */ "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" "E13292FB" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } }, { /* 4 */ { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" }, { 25 }, { "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" "\xcd\xcd\xcd\xcd\xcd" }, { 50 }, { /* HMAC-SHA-1 */ "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", /* HMAC-SHA-224 */ "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", /* HMAC-SHA-256 */ "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" "665B", /* HMAC-SHA-384 */ "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" "3B4E6801DD23C4A7D679CCF8A386C674CFFB", /* HMAC-SHA-512 */ "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" "10A298DD" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } }, Eastlake 3rd & Hansen Informational [Page 88] RFC 4634 SHAs and HMAC-SHAs July 2006 { /* 5 */ { "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c" }, { 20 }, { "Test With Truncation" }, { 20 }, { /* HMAC-SHA-1 */ "4C1A03424B55E07FE7F27BE1", /* HMAC-SHA-224 */ "0E2AEA68A90C8D37C988BCDB9FCA6FA8", /* HMAC-SHA-256 */ "A3B6167473100EE06E0C796C2955552B", /* HMAC-SHA-384 */ "3ABF34C3503B2A23A46EFC619BAEF897", /* HMAC-SHA-512 */ "415FAD6271580A531D4179BC891D87A6" }, { 12, 16, 16, 16, 16 } }, { /* 6 */ { "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" }, { 80, 131 }, { "Test Using Larger Than Block-Size Key - Hash Key First" }, { 54 }, { /* HMAC-SHA-1 */ "AA4AE5E15272D00E95705637CE8A3B55ED402112", /* HMAC-SHA-224 */ "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", /* HMAC-SHA-256 */ "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" "7F54", /* HMAC-SHA-384 */ "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" "C4C60C2EF6AB4030FE8296248DF163F44952", /* HMAC-SHA-512 */ "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" "5D786598" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } }, Eastlake 3rd & Hansen Informational [Page 89] RFC 4634 SHAs and HMAC-SHAs July 2006 { /* 7 */ { "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" }, { 80, 131 }, { "Test Using Larger Than Block-Size Key and " "Larger Than One Block-Size Data", "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" "\x6d\x2e" /* "This is a test using a larger than block-size key and a " "larger than block-size data. The key needs to be hashed " "before being used by the HMAC algorithm." */ }, { 73, 152 }, { /* HMAC-SHA-1 */ "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", /* HMAC-SHA-224 */ "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", /* HMAC-SHA-256 */ "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" "35E2", /* HMAC-SHA-384 */ "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" "99C5A678CC31E799176D3860E6110C46523E", /* HMAC-SHA-512 */ "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" "FA8C6A58" }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, SHA384HashSize, SHA512HashSize } } }; /* Eastlake 3rd & Hansen Informational [Page 90] RFC 4634 SHAs and HMAC-SHAs July 2006 * Check the hash value against the expected string, expressed in hex */ static const char hexdigits[] = "0123456789ABCDEF"; int checkmatch(const unsigned char *hashvalue, const char *hexstr, int hashsize) { int i; for (i = 0; i > 4) & 0xF]) return 0; if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; } return 1; } /* * Print the string, converting non-printable characters to "." */ void printstr(const char *str, int len) { for ( ; len-- > 0; str++) putchar(isprint((unsigned char)*str) ? *str : '.'); } /* * Print the string, converting non-printable characters to hex "## ". */ void printxstr(const char *str, int len) { for ( ; len-- > 0; str++) printf("%c%c ", hexdigits[(*str >> 4) & 0xF], hexdigits[*str & 0xF]); } /* * Print a usage message. */ void usage(const char *argv0) { fprintf(stderr, "Usage:\n" "Common options: [-h hash] [-w|-x] [-H]\n" "Standard tests:\n" "\t%s [-m] [-l loopcount] [-t test#] [-e]\n" "\t\t[-r randomseed] [-R randomloop-count] " "[-p] [-P|-X]\n" "Hash a string:\n" "\t%s [-S expectedresult] -s hashstr [-k key]\n" Eastlake 3rd & Hansen Informational [Page 91] RFC 4634 SHAs and HMAC-SHAs July 2006 "Hash a file:\n" "\t%s [-S expectedresult] -f file [-k key]\n" "Hash a file, ignoring whitespace:\n" "\t%s [-S expectedresult] -F file [-k key]\n" "Additional bits to add in: [-B bitcount -b bits]\n" "-h\thash to test: " "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" "-m\tperform hmac test\n" "-k\tkey for hmac test\n" "-t\ttest case to run, 1-10\n" "-l\thow many times to run the test\n" "-e\ttest error returns\n" "-p\tdo not print results\n" "-P\tdo not print PASSED/FAILED\n" "-X\tprint FAILED, but not PASSED\n" "-r\tseed for random test\n" "-R\thow many times to run random test\n" "-s\tstring to hash\n" "-S\texpected result of hashed string, in hex\n" "-w\toutput hash in raw format\n" "-x\toutput hash in hex format\n" "-B\t# extra bits to add in after string or file input\n" "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" "-H\tinput hashstr or randomseed is in hex\n" , argv0, argv0, argv0, argv0); exit(1); } /* * Print the results and PASS/FAIL. */ void printResult(uint8_t *Message_Digest, int hashsize, const char *hashname, const char *testtype, const char *testname, const char *resultarray, int printResults, int printPassFail) { int i, k; if (printResults == PRINTTEXT) { putchar('\t'); for (i = 0; i > 4) & 0xF]); putchar(hexdigits[Message_Digest[i] & 0xF]); putchar(' '); } putchar('\n'); } else if (printResults == PRINTRAW) { fwrite(Message_Digest, 1, hashsize, stdout); } else if (printResults == PRINTHEX) { for (i = 0; i > 4) & 0xF]); putchar(hexdigits[Message_Digest[i] & 0xF]); } putchar('\n'); } if (printResults && resultarray) { printf(" Should match:\n\t"); for (i = 0, k = 0; i 0) { err = keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, numberExtrabits) : USHAFinalBits(&sha, (uint8_t) extrabits, numberExtrabits); if (err != shaSuccess) { fprintf(stderr, "hash(): %sFinalBits Error %d.\n", keyarray ? "hmac" : "sha", err); return err; } } err = keyarray ? hmacResult(&hmac, Message_Digest) : USHAResult(&sha, Message_Digest); if (err != shaSuccess) { fprintf(stderr, "hash(): %s Result Error %d, could not " "compute message digest.\n", keyarray ? "hmac" : "sha", err); return err; } sprintf(buf, "%d", testno+1); Eastlake 3rd & Hansen Informational [Page 94] RFC 4634 SHAs and HMAC-SHAs July 2006 printResult(Message_Digest, hashsize, hashes[hashno].name, keyarray ? "hmac standard test" : "sha standard test", buf, resultarray, printResults, printPassFail); return err; } /* * Exercise a hash series of functions. The input is a filename. * If the result is known, it is in resultarray in uppercase hex. */ int hashfile(int hashno, const char *hashfilename, int bits, int bitcount, int skipSpaces, const unsigned char *keyarray, int keylen, const char *resultarray, int hashsize, int printResults, int printPassFail) { USHAContext sha; HMACContext hmac; int err, nread, c; unsigned char buf[4096]; uint8_t Message_Digest[USHAMaxHashSize]; unsigned char cc; FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : fopen(hashfilename, "r"); if (!hashfp) { fprintf(stderr, "cannot open file '%s'\n", hashfilename); return shaStateError; } memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ memset(&hmac, '\343', sizeof(hmac)); err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, keyarray, keylen) : USHAReset(&sha, hashes[hashno].whichSha); if (err != shaSuccess) { fprintf(stderr, "hashfile(): %sReset Error %d.\n", keyarray ? "hmac" : "sha", err); return err; } if (skipSpaces) while ((c = getc(hashfp)) != EOF) { if (!isspace(c)) { cc = (unsigned char)c; err = keyarray ? hmacInput(&hmac, &cc, 1) : USHAInput(&sha, &cc, 1); Eastlake 3rd & Hansen Informational [Page 95] RFC 4634 SHAs and HMAC-SHAs July 2006 if (err != shaSuccess) { fprintf(stderr, "hashfile(): %sInput Error %d.\n", keyarray ? "hmac" : "sha", err); if (hashfp != stdin) fclose(hashfp); return err; } } } else while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { err = keyarray ? hmacInput(&hmac, buf, nread) : USHAInput(&sha, buf, nread); if (err != shaSuccess) { fprintf(stderr, "hashfile(): %s Error %d.\n", keyarray ? "hmacInput" : "shaInput", err); if (hashfp != stdin) fclose(hashfp); return err; } } if (bitcount > 0) err = keyarray ? hmacFinalBits(&hmac, bits, bitcount) : USHAFinalBits(&sha, bits, bitcount); if (err != shaSuccess) { fprintf(stderr, "hashfile(): %s Error %d.\n", keyarray ? "hmacResult" : "shaResult", err); if (hashfp != stdin) fclose(hashfp); return err; } err = keyarray ? hmacResult(&hmac, Message_Digest) : USHAResult(&sha, Message_Digest); if (err != shaSuccess) { fprintf(stderr, "hashfile(): %s Error %d.\n", keyarray ? "hmacResult" : "shaResult", err); if (hashfp != stdin) fclose(hashfp); return err; } printResult(Message_Digest, hashsize, hashes[hashno].name, "file", hashfilename, resultarray, printResults, printPassFail); if (hashfp != stdin) fclose(hashfp); return err; } /* * Exercise a hash series of functions through multiple permutations. Eastlake 3rd & Hansen Informational [Page 96] RFC 4634 SHAs and HMAC-SHAs July 2006 * The input is an initial seed. That seed is replicated 3 times. * For 1000 rounds, the previous three results are used as the input. * This result is then checked, and used to seed the next cycle. * If the result is known, it is in resultarrays in uppercase hex. */ void randomtest(int hashno, const char *seed, int hashsize, const char **resultarrays, int randomcount, int printResults, int printPassFail) { int i, j; char buf[20]; unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; /* INPUT: Seed - A random seed n bits long */ memcpy(SEED, seed, hashsize); if (printResults == PRINTTEXT) { printf("%s random test seed= '", hashes[hashno].name); printxstr(seed, hashsize); printf("'\n"); } for (j = 0; j = (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || (hashnolow = HASHCOUNT) || (hashstr && (testnolow == testnohigh)) || (randomcount = argc) return EOF; ap = argv[xoptind] + avplace; /* At beginning of arg but not an option */ if (avplace == 0) { if (ap[0] != '-') return EOF; else if (ap[1] == '-') { /* Special end of options option */ xoptind++; return EOF; } else if (ap[1] == '\0') return EOF; /* single '-' is not allowed */ } /* Get next letter */ avplace++; c = *++ap; Eastlake 3rd & Hansen Informational [Page 104] RFC 4634 SHAs and HMAC-SHAs July 2006 cp = strchr(optstring, c); if (cp == NULL || c == ':') { if (xopterr) fprintf(stderr, "Unrecognised option -- %c\n", c); return '?'; } if (cp[1] == ':') { /* There should be an option arg */ avplace = 0; if (ap[1] == '\0') { /* It is a separate arg */ if (++xoptind >= argc) { if (xopterr) fprintf(stderr, "Option requires an argument\n"); return '?'; } xoptarg = argv[xoptind++]; } else { /* is attached to option letter */ xoptarg = ap + 1; ++xoptind; } } else { /* If we are out of letters then go to next arg */ if (ap[1] == '\0') { ++xoptind; avplace = 0; } xoptarg = NULL; } return c; } Eastlake 3rd & Hansen Informational [Page 105] RFC 4634 SHAs and HMAC-SHAs July 2006 9. Security Considerations This document is intended to provides the Internet community convenient access to source code that implements the United States of America Federal Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS180-2] and HMACs based upon these one-way hash functions. See license in Section 1.1. No independent assertion of the security of this hash function by the authors for any particular use is intended. 10. Normative References [FIPS180-2] "Secure Hash Standard", United States of America, National Institute of Standards and Technology, Federal Information Processing Standard (FIPS) 180-2, http://csrc.nist.gov/publications/fips/fips180-2/ fips180-2withchangenotice.pdf. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997. 11. Informative References [RFC2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, September 1997. [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001. [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", RFC 3874, September 2004. [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005. [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, December 2005. [SHAVS] "The Secure Hash Algorithm Validation System (SHAVS)", http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. Eastlake 3rd & Hansen Informational [Page 106] RFC 4634 SHAs and HMAC-SHAs July 2006 Authors' Addresses Donald E. Eastlake, 3rd Motorola Laboratories 155 Beaver Street Milford, MA 01757 USA Phone: +1-508-786-7554 (w) EMail: [email protected] Tony Hansen AT&T Laboratories 200 Laurel Ave. Middletown, NJ 07748 USA Phone: +1-732-420-8934 (w) EMail: [email protected] Eastlake 3rd & Hansen Informational [Page 107] RFC 4634 SHAs and HMAC-SHAs July 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at [email protected]. Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Eastlake 3rd & Hansen Informational [Page 108]