idnits 2.17.00 (12 Aug 2021) /tmp/idnits1014/draft-eastlake-sha2b-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4634]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC4634, but the abstract doesn't seem to directly say this. It does mention RFC4634 though, so this could be OK. -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 730 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 13, 2010) is 4420 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5530, but not defined -- Looks like a reference, but probably isn't: '4' on line 3229 == Missing Reference: 'SHA1HashSize' is mentioned on line 1487, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1878, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2029, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2720, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2911, but not defined -- Looks like a reference, but probably isn't: '0' on line 5842 -- Looks like a reference, but probably isn't: '1' on line 5881 -- Looks like a reference, but probably isn't: '2' on line 5508 -- Looks like a reference, but probably isn't: '3' on line 3272 -- Looks like a reference, but probably isn't: '8' on line 3146 -- Looks like a reference, but probably isn't: '56' on line 2112 -- Looks like a reference, but probably isn't: '57' on line 2113 -- Looks like a reference, but probably isn't: '58' on line 2114 -- Looks like a reference, but probably isn't: '59' on line 2115 -- Looks like a reference, but probably isn't: '60' on line 2116 -- Looks like a reference, but probably isn't: '61' on line 2117 -- Looks like a reference, but probably isn't: '62' on line 2118 -- Looks like a reference, but probably isn't: '63' on line 2119 -- Looks like a reference, but probably isn't: '80' on line 3183 -- Looks like a reference, but probably isn't: '64' on line 2163 -- Looks like a reference, but probably isn't: '5' on line 4700 -- Looks like a reference, but probably isn't: '6' on line 3231 -- Looks like a reference, but probably isn't: '7' on line 3232 -- Looks like a reference, but probably isn't: '112' on line 2984 -- Looks like a reference, but probably isn't: '113' on line 2985 -- Looks like a reference, but probably isn't: '114' on line 2986 -- Looks like a reference, but probably isn't: '115' on line 2987 -- Looks like a reference, but probably isn't: '116' on line 2988 -- Looks like a reference, but probably isn't: '117' on line 2989 -- Looks like a reference, but probably isn't: '118' on line 2990 -- Looks like a reference, but probably isn't: '119' on line 2991 -- Looks like a reference, but probably isn't: '120' on line 2993 -- Looks like a reference, but probably isn't: '121' on line 2994 -- Looks like a reference, but probably isn't: '122' on line 2995 -- Looks like a reference, but probably isn't: '123' on line 2996 -- Looks like a reference, but probably isn't: '124' on line 2997 -- Looks like a reference, but probably isn't: '125' on line 2998 -- Looks like a reference, but probably isn't: '126' on line 2999 -- Looks like a reference, but probably isn't: '127' on line 3000 -- Looks like a reference, but probably isn't: '9' on line 3108 -- Looks like a reference, but probably isn't: '10' on line 3147 -- Looks like a reference, but probably isn't: '11' on line 3110 -- Looks like a reference, but probably isn't: '12' on line 3148 -- Looks like a reference, but probably isn't: '13' on line 3112 -- Looks like a reference, but probably isn't: '14' on line 3149 -- Looks like a reference, but probably isn't: '15' on line 3114 == Missing Reference: 'TESTCOUNT' is mentioned on line 4508, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4510, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5508, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4701, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4910, but not defined -- Looks like a reference, but probably isn't: '20' on line 5463 -- Looks like a reference, but probably isn't: '4096' on line 5362 -- Looks like a reference, but probably isn't: '1003' on line 5464 == Unused Reference: 'RFC2119' is defined on line 5927, but no explicit reference was found in the text == Outdated reference: draft-krawczyk-hkdf has been published as RFC 5869 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 2 errors (**), 0 flaws (~~), 15 warnings (==), 51 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Stellar Switches 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: October 12, 2010 April 13, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 This document is an update of [RFC4634] to fix errata and to add code 14 for an HMAC-based extract-and-expand key derivation function. 16 The United States of America has adopted a suite of secure hash 17 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 18 Information Processing Standard (FIPS), specifically SHA-224, 19 SHA-256, SHA-384, and SHA-512. The purpose of this document is to 20 make open source code performing the SHA hash functions conveniently 21 available to the Internet community. The sample code supports input 22 strings of arbitrary bit length. Much of the text herein was adapted 23 by the authors from FIPS 180-2. 25 As with [RFC4634], code to perform SHA based HMACs is included and, 26 new in this version, code for HKDF is included. 28 Status of This Document 30 This Internet-Draft is submitted to IETF in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Distribution of this document is unlimited. Comments should be sent 34 to the authors. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF), its areas, and its working groups. Note that 38 other groups may also distribute working documents as Internet- 39 Drafts. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 The list of current Internet-Drafts can be accessed at 47 http://www.ietf.org/1id-abstracts.html 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 Table of Contents 54 Status of This Document....................................1 56 1. Overview of Contents....................................3 57 2. Notation for Bit Strings and Integers...................4 58 3. Operations on Words.....................................5 60 4. Message Padding and Parsing.............................7 61 4.1 SHA-224 and SHA-256....................................7 62 4.2 SHA-384 and SHA-512....................................8 64 5. Functions and Constants Used...........................10 65 5.1 SHA-224 and SHA-256...................................10 66 5.2 SHA-384 and SHA-512...................................11 68 6. Computing the Message Digest...........................12 69 6.1 SHA-224 and SHA-256 Initialization....................12 70 6.2 SHA-224 and SHA-256 Processing........................12 71 6.3 SHA-384 and SHA-512 Initialization....................14 72 6.4 SHA-384 and SHA-512 Processing........................15 74 7. HKDF and SHA Based HMACs...............................17 75 7.1 SHA Based HMACs.......................................17 76 7.2 HKDF..................................................17 78 8. C Code for SHAs, HMAC, and HKDF........................18 79 8.1 The .h file...........................................21 80 8.2 The SHA Code..........................................28 81 8.2.1 sha1.c..............................................29 82 8.2.2 sha224-256.c........................................37 83 8.2.3 sha384-512.c........................................49 84 8.2.4 usha.c..............................................70 85 8.2.5 sha-private.h.......................................76 86 8.3 The HMAC Code.........................................77 87 8.4 The HKDF Code.........................................82 88 8.5 The Test Driver.......................................89 90 9. IANA Considerations...................................122 91 10. Security Considerations..............................122 92 11. Acknowledgements.....................................122 94 12. References...........................................123 95 12.1 Normative References................................123 96 12.2 Informative References..............................123 98 Appendix: Changes from RFC 4634..........................125 99 Author's Address.........................................126 100 Copyright, Disclaimer, and Additional IPR Provisions.....127 102 1. Overview of Contents 104 This document obsoletes [RFC4634] and the changes from that RFC are 105 summarized in the Appendix below. 107 This document includes specifications for the United States of 108 America (USA) Federal Information Processing Standard (FIPS) Secure 109 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 110 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 111 Specifications for HMAC and HKDF are not included as they appear 112 elsewhere in the RFC series [RFC2104] [RFChkdf]. 114 NOTE: Much of the text below is taken from [FIPS 180-2] and the 115 assertions of the security of the hash algorithms described therein 116 are made by the US Government, the author of [FIPS 180-2], not by the 117 authors of this document. 119 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 120 SHA-256, SHA-384, and SHA-512, for computing a condensed 121 representation of a message or a data file. (SHA-1 is specified in 122 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 123 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 124 these algorithms, the result is an output called a message digest. 125 The message digests range in length from 224 to 512 bits, depending 126 on the algorithm. Secure hash algorithms are typically used with 127 other cryptographic algorithms, such as digital signature algorithms 128 and keyed hash authentication codes, the generation or random numbers 129 [RFC4086], or in key derivation functions. 131 The four algorithms specified in this document are called secure 132 because it is computationally infeasible to (1) find a message which 133 corresponds to a given message digest, or (2) to find two different 134 messages that produce the same message digest. Any change to a 135 message in transit will, with very high probability, result in a 136 different message digest. This will result in a verification failure 137 when the secure hash algorithm is used with a digital signature 138 algorithm or a keyed-hash message authentication algorithm. 140 The code provided herein supports input strings of arbitrary bit 141 length. SHA-1's sample code from [RFC3174] has also been updated to 142 handle input strings of arbitrary bit length. Permission is granted 143 for all uses, commercial and non-commercial, of this code. 145 Section 2 below defines the terminology and functions used as 146 building blocks to form these algorithms. Section 3 describes the 147 fundamental operations on words from which these algorithms are 148 built. Section 4 describes how messages are padded up to an integral 149 multiple of the required block size and then parsed into blocks. 150 Section 5 defines the constants and the composite functions used to 151 specify these algorithms. Section 6 gives the actual specification 152 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 153 provides pointers to the specification of HMAC keyed message 154 authentication codes and to the specification of an extract-and- 155 expand key derivation function based on HMAC. 157 Section 8 gives sample code for the SHA algorithms, for SHA based 158 HMACs, and for HMAC-based extract-and-expand key derivation function. 160 2. Notation for Bit Strings and Integers 162 The following terminology related to bit strings and integers will be 163 used: 165 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 166 A hex digit is the representation of a 4-bit string. Examples: 167 7 = 0111, A = 1010. 169 b. A word equals a 32-bit or 64-bit string that may be represented 170 as a sequence of 8 or 16 hex digits, respectively. To convert a 171 word to hex digits, each 4-bit string is converted to its hex 172 equivalent as described in (a) above. Example: 174 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 176 Throughout this document, the "big-endian" convention is used 177 when expressing both 32-bit and 64-bit words, so that within 178 each word the most significant bit is shown in the left-most bit 179 position. 181 c. An integer may be represented as a word or pair of words. 183 An integer between 0 and 2^32 - 1 inclusive may be represented 184 as a 32-bit word. The least significant four bits of the 185 integer are represented by the right-most hex digit of the word 186 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 187 256+32+2+1 is represented by the hex word, 00000123. 189 The same holds true for an integer between 0 and 2^64-1 190 inclusive, which may be represented as a 64-bit word. 192 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 193 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 194 as words X and Y, respectively, z can be represented as the pair 195 of words (X,Y). 197 Again, the "big-endian" convention is used and the most 198 significant word is in the left-most word position for values 199 represented by multiple-words. 201 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 202 represented as a sequence of 32-bit or 64-bit words. 204 3. Operations on Words 206 The following logical operators will be applied to words in all four 207 hash operations specified herein. SHA-224 and SHA-256 operate on 208 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 210 In the operations below, x<>n is obtained as follows: discard the right-most n bits 214 of x and then prepend the result with n zeroed bits on the left (the 215 result will still be the same number of bits). 217 a. Bitwise logical word operations 219 X AND Y = bitwise logical "and" of X and Y. 221 X OR Y = bitwise logical "inclusive-or" of X and Y. 223 X XOR Y = bitwise logical "exclusive-or" of X and Y. 225 NOT X = bitwise logical "complement" of X. 227 Example: 228 01101100101110011101001001111011 229 XOR 01100101110000010110100110110111 230 -------------------------------- 231 = 00001001011110001011101111001100 233 b. The operation X + Y is defined as follows: words X and Y 234 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 235 < 2^w. For positive integers n and m, let 237 n mod m 239 be the remainder upon dividing n by m. Compute 241 z = (x + y) mod 2^w. 243 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 244 Y. 246 c. The right shift operation SHR^n(x), where x is a w-bit word and n 247 is an integer with 0 <= n < w, is defined by 248 SHR^n(x) = x>>n 250 d. The rotate right (circular right shift) operation ROTR^n(x), where 251 x is a w-bit word and n is an integer with 0 <= n < w, is 252 defined by 254 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 256 e. The rotate left (circular left shift) operation ROTL^n(x), where x 257 is a w-bit word and n is an integer with 0 <= n < w, is defined 258 by 260 ROTL^n(X) = (x<>w-n) 262 Note the following equivalence relationships, where w is fixed 263 in each relationship: 265 ROTL^n(x) = ROTR^(w-n)(x) 267 ROTR^n(x) = ROTL^(w-n)(x) 269 4. Message Padding and Parsing 271 The hash functions specified herein are used to compute a message 272 digest for a message or data file that is provided as input. The 273 message or data file should be considered to be a bit string. The 274 length of the message is the number of bits in the message (the empty 275 message has length 0). If the number of bits in a message is a 276 multiple of 8, for compactness we can represent the message in hex. 277 The purpose of message padding is to make the total length of a 278 padded message a multiple of 512 for SHA-224 and SHA-256 or a 279 multiple of 1024 for SHA-384 and SHA-512. 281 The following specifies how this padding shall be performed. As a 282 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 283 integer are appended to the end of the message to produce a padded 284 message of length 512*n or 1024*n. The appended integer is the 285 length of the original message. The padded message is then processed 286 by the hash function as n 512-bit or 1024-bit blocks. 288 4.1 SHA-224 and SHA-256 290 Suppose a message has length L < 2^64. Before it is input to the 291 hash function, the message is padded on the right as follows: 293 a. "1" is appended. Example: if the original message is "01010000", 294 this is padded to "010100001". 296 b. K "0"s are appended where K is the smallest, non-negative 297 solution to the equation 299 L + 1 + K = 448 (mod 512) 301 c. Then append the 64-bit block that is L in binary representation. 302 After appending this block, the length of the message will be a 303 multiple of 512 bits. 305 Example: Suppose the original message is the bit string 307 01100001 01100010 01100011 01100100 01100101 309 After step (a) this gives 311 01100001 01100010 01100011 01100100 01100101 1 313 Since L = 40, the number of bits in the above is 41 and K = 407 314 "0"s are appended, making the total now 448. This gives the 315 following in hex: 317 61626364 65800000 00000000 00000000 318 00000000 00000000 00000000 00000000 319 00000000 00000000 00000000 00000000 320 00000000 00000000 322 The 64-bit representation of L = 40 is hex 00000000 00000028. 323 Hence the final padded message is the following hex 325 61626364 65800000 00000000 00000000 326 00000000 00000000 00000000 00000000 327 00000000 00000000 00000000 00000000 328 00000000 00000000 00000000 00000028 330 4.2 SHA-384 and SHA-512 332 Suppose a message has length L < 2^128. Before it is input to the 333 hash function, the message is padded on the right as follows: 335 a. "1" is appended. Example: if the original message is "01010000", 336 this is padded to "010100001". 338 b. K "0"s are appended where K is the smallest, non-negative 339 solution to the equation 341 L + 1 + K = 896 (mod 1024) 343 c. Then append the 128-bit block that is L in binary representation. 344 After appending this block, the length of the message will be a 345 multiple of 1024 bits. 347 Example: Suppose the original message is the bit string 349 01100001 01100010 01100011 01100100 01100101 351 After step (a) this gives 353 01100001 01100010 01100011 01100100 01100101 1 355 Since L = 40, the number of bits in the above is 41 and K = 855 356 "0"s are appended, making the total now 896. This gives the 357 following in hex: 359 61626364 65800000 00000000 00000000 360 00000000 00000000 00000000 00000000 361 00000000 00000000 00000000 00000000 362 00000000 00000000 00000000 00000000 363 00000000 00000000 00000000 00000000 364 00000000 00000000 00000000 00000000 365 00000000 00000000 00000000 00000000 367 The 128-bit representation of L = 40 is hex 00000000 00000000 368 00000000 00000028. Hence the final padded message is the 369 following hex: 371 61626364 65800000 00000000 00000000 372 00000000 00000000 00000000 00000000 373 00000000 00000000 00000000 00000000 374 00000000 00000000 00000000 00000000 375 00000000 00000000 00000000 00000000 376 00000000 00000000 00000000 00000000 377 00000000 00000000 00000000 00000000 378 00000000 00000000 00000000 00000028 380 5. Functions and Constants Used 382 The following subsections give the six logical functions and the 383 table of constants used in each of the hash functions. 385 5.1 SHA-224 and SHA-256 387 SHA-224 and SHA-256 use six logical functions, where each function 388 operates on 32-bit words, which are represented as x, y, and z. The 389 result of each function is a new 32-bit word. 391 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 393 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 395 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 397 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 399 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 401 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 403 SHA-224 and SHA-256 use the same sequence of sixty-four constant 404 32-bit words, K0, K1, ..., K63. These words represent the first 405 thirty-two bits of the fractional parts of the cube roots of the 406 first sixty-four prime numbers. In hex, these constant words are as 407 follows (from left to right): 409 428a2f98 71374491 b5c0fbcf e9b5dba5 410 3956c25b 59f111f1 923f82a4 ab1c5ed5 411 d807aa98 12835b01 243185be 550c7dc3 412 72be5d74 80deb1fe 9bdc06a7 c19bf174 413 e49b69c1 efbe4786 0fc19dc6 240ca1cc 414 2de92c6f 4a7484aa 5cb0a9dc 76f988da 415 983e5152 a831c66d b00327c8 bf597fc7 416 c6e00bf3 d5a79147 06ca6351 14292967 417 27b70a85 2e1b2138 4d2c6dfc 53380d13 418 650a7354 766a0abb 81c2c92e 92722c85 419 a2bfe8a1 a81a664b c24b8b70 c76c51a3 420 d192e819 d6990624 f40e3585 106aa070 421 19a4c116 1e376c08 2748774c 34b0bcb5 422 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 423 748f82ee 78a5636f 84c87814 8cc70208 424 90befffa a4506ceb bef9a3f7 c67178f2 426 5.2 SHA-384 and SHA-512 428 SHA-384 and SHA-512 each use six logical functions, where each 429 function operates on 64-bit words, which are represented as x, y, and 430 z. The result of each function is a new 64-bit word. 432 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 434 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 436 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 438 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 440 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 442 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 444 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 445 words, K0, K1, ... K79. These words represent the first sixty-four 446 bits of the fractional parts of the cube roots of the first eighty 447 prime numbers. In hex, these constant words are as follows (from 448 left to right): 450 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 451 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 452 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 453 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 454 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 455 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 456 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 457 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 458 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 459 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 460 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 461 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 462 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 463 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 464 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 465 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 466 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 467 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 468 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 469 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 471 6. Computing the Message Digest 473 The output of each of the secure hash functions, after being applied 474 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 475 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 476 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 477 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 479 As described below, the hash words are initialized, modified as each 480 message block is processed, and finally concatenated after processing 481 the last block to yield the output. For SHA-256 and SHA-512, all of 482 the H(N) variables are concatenated while the SHA-224 and SHA-384 483 hashes are produced by omitting some from the final concatenation. 485 6.1 SHA-224 and SHA-256 Initialization 487 For SHA-224, the initial hash value, H(0), consists of the following 488 32-bit words in hex: 490 H(0)0 = c1059ed8 491 H(0)1 = 367cd507 492 H(0)2 = 3070dd17 493 H(0)3 = f70e5939 494 H(0)4 = ffc00b31 495 H(0)5 = 68581511 496 H(0)6 = 64f98fa7 497 H(0)7 = befa4fa4 499 For SHA-256, the initial hash value, H(0), consists of the following 500 eight 32-bit words, in hex. These words were obtained by taking the 501 first thirty-two bits of the fractional parts of the square roots of 502 the first eight prime numbers. 504 H(0)0 = 6a09e667 505 H(0)1 = bb67ae85 506 H(0)2 = 3c6ef372 507 H(0)3 = a54ff53a 508 H(0)4 = 510e527f 509 H(0)5 = 9b05688c 510 H(0)6 = 1f83d9ab 511 H(0)7 = 5be0cd19 513 6.2 SHA-224 and SHA-256 Processing 515 SHA-224 and SHA-256 perform identical processing on messages blocks 516 and differ only in how H(0) is initialized and how they produce their 517 final output. They may be used to hash a message, M, having a length 518 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 519 schedule of sixty-four 32-bit words, (2) eight working variables of 520 32 bits each, and (3) a hash value of eight 32-bit words. 522 The words of the message schedule are labeled W0, W1, ..., W63. The 523 eight working variables are labeled a, b, c, d, e, f, g, and h. The 524 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 525 will hold the initial hash value, H(0), replaced by each successive 526 intermediate hash value (after each message block is processed), 527 H(i), and ending with the final hash value, H(N), after all N blocks 528 are processed. They also use two temporary words, T1 and T2. 530 The input message is padded as described in Section 4.1 above then 531 parsed into 512-bit blocks that are considered to be composed of 16 532 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 533 are then performed for each of the N message blocks. All addition is 534 performed modulo 2^32. 536 For i = 1 to N 538 1. Prepare the message schedule W: 539 For t = 0 to 15 540 Wt = M(i)t 541 For t = 16 to 63 542 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 544 2. Initialize the working variables: 545 a = H(i-1)0 546 b = H(i-1)1 547 c = H(i-1)2 548 d = H(i-1)3 549 e = H(i-1)4 550 f = H(i-1)5 551 g = H(i-1)6 552 h = H(i-1)7 554 3. Perform the main hash computation: 555 For t = 0 to 63 556 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 557 T2 = BSIG0(a) + MAJ(a,b,c) 558 h = g 559 g = f 560 f = e 561 e = d + T1 562 d = c 563 c = b 564 b = a 565 a = T1 + T2 567 4. Compute the intermediate hash value H(i) 568 H(i)0 = a + H(i-1)0 569 H(i)1 = b + H(i-1)1 570 H(i)2 = c + H(i-1)2 571 H(i)3 = d + H(i-1)3 572 H(i)4 = e + H(i-1)4 573 H(i)5 = f + H(i-1)5 574 H(i)6 = g + H(i-1)6 575 H(i)7 = h + H(i-1)7 577 After the above computations have been sequentially performed for all 578 of the blocks in the message, the final output is calculated. For 579 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 580 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 581 through H(N)6. 583 6.3 SHA-384 and SHA-512 Initialization 585 For SHA-384, the initial hash value, H(0), consists of the following 586 eight 64-bit words, in hex. These words were obtained by taking the 587 first sixty-four bits of the fractional parts of the square roots of 588 the ninth through sixteenth prime numbers. 590 H(0)0 = cbbb9d5dc1059ed8 591 H(0)1 = 629a292a367cd507 592 H(0)2 = 9159015a3070dd17 593 H(0)3 = 152fecd8f70e5939 594 H(0)4 = 67332667ffc00b31 595 H(0)5 = 8eb44a8768581511 596 H(0)6 = db0c2e0d64f98fa7 597 H(0)7 = 47b5481dbefa4fa4 599 For SHA-512, the initial hash value, H(0), consists of the following 600 eight 64-bit words, in hex. These words were obtained by taking the 601 first sixty-four bits of the fractional parts of the square roots of 602 the first eight prime numbers. 604 H(0)0 = 6a09e667f3bcc908 605 H(0)1 = bb67ae8584caa73b 606 H(0)2 = 3c6ef372fe94f82b 607 H(0)3 = a54ff53a5f1d36f1 608 H(0)4 = 510e527fade682d1 609 H(0)5 = 9b05688c2b3e6c1f 610 H(0)6 = 1f83d9abfb41bd6b 611 H(0)7 = 5be0cd19137e2179 613 6.4 SHA-384 and SHA-512 Processing 615 SHA-384 and SHA-512 perform identical processing on message blocks 616 and differ only in how H(0) is initialized and how they produce their 617 final output. They may be used to hash a message, M, having a length 618 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 619 schedule of eighty 64-bit words, (2) eight working variables of 64 620 bits each, and (3) a hash value of eight 64-bit words. 622 The words of the message schedule are labeled W0, W1, ..., W79. The 623 eight working variables are labeled a, b, c, d, e, f, g, and h. The 624 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 625 will hold the initial hash value, H(0), replaced by each successive 626 intermediate hash value (after each message block is processed), 627 H(i), and ending with the final hash value, H(N) after all N blocks 628 are processed. 630 The input message is padded as described in Section 4.2 above, then 631 parsed into 1024-bit blocks that are considered to be composed of 16 632 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 633 are then performed for each of the N message blocks. All addition is 634 performed modulo 2^64. 636 For i = 1 to N 638 1. Prepare the message schedule W: 639 For t = 0 to 15 640 Wt = M(i)t 641 For t = 16 to 79 642 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 644 2. Initialize the working variables: 645 a = H(i-1)0 646 b = H(i-1)1 647 c = H(i-1)2 648 d = H(i-1)3 649 e = H(i-1)4 650 f = H(i-1)5 651 g = H(i-1)6 652 h = H(i-1)7 654 3. Perform the main hash computation: 655 For t = 0 to 79 656 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 657 T2 = BSIG0(a) + MAJ(a,b,c) 658 h = g 659 g = f 660 f = e 661 e = d + T1 662 d = c 663 c = b 664 b = a 665 a = T1 + T2 667 4. Compute the intermediate hash value H(i) 668 H(i)0 = a + H(i-1)0 669 H(i)1 = b + H(i-1)1 670 H(i)2 = c + H(i-1)2 671 H(i)3 = d + H(i-1)3 672 H(i)4 = e + H(i-1)4 673 H(i)5 = f + H(i-1)5 674 H(i)6 = g + H(i-1)6 675 H(i)7 = h + H(i-1)7 677 After the above computations have been sequentially performed for all 678 of the blocks in the message, the final output is calculated. For 679 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 680 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 681 through H(N)5. 683 7. HKDF and SHA Based HMACs 685 Below are brief descriptions and pointers to more complete 686 descriptions and code for (1) an HMAC-based extract-and-expand key 687 derivation function and (2) SHA based HMACs. Both HKDF and HMAC were 688 devised by Hugo Krawczyk. 690 7.1 SHA Based HMACs 692 HMAC is a method for computing a keyed MAC (message authentication 693 code) using a hash function as described in [RFC2104]. It uses a key 694 to mix in with the input text to produce the final hash. 696 Sample code is also provided, in Section 8.3 below, to perform HMAC 697 based on any of the SHA algorithms described herein. The sample code 698 found in [RFC2104] was written in terms of a specified text size. 699 Since SHA is defined in terms of an arbitrary number of bits, the 700 sample HMAC code has been written to allow the text input to HMAC to 701 have an arbitrary number of octets and bits. A fixed length interface 702 is also provided. 704 7.2 HKDF 706 HKDF is a specific key derivation function (KDF), that is, a function 707 of initial keying material from which the KDF derives one or more 708 cryptographically strong secret keys. HKDF, which is described in 709 [RFChkdf], is based on HMAC. 711 Sample code for HKDF is provided in Section 8.4 below. 713 8. C Code for SHAs, HMAC, and HKDF 715 Below is a demonstration implementation of these secure hash 716 functions in C. Section 8.1 contains the header file sha.h that 717 declares all constants, structures and functions used by the sha and 718 hmac functions. Section 8.2 contains the C code for sha1.c, 719 sha224-256.c, sha384-512.c, and usha.c along with sha-private.h that 720 provides some declarations common to all the sha functions. Section 721 8.3 contains the C code for the HMAC functions and Section 8.4 722 contains the C code for HKDF. Section 8.5 contains a test driver to 723 exercise the code. 725 For each of the digest length $$$, there are the following set of 726 constants, a structure, and functions: 728 Constants: 729 SHA$$$HashSize number of octets in the hash 730 SHA$$$HashSizeBits number of bits in the hash 731 SHA$$$_Message_Block_Size 732 number of octets used in the intermediate 733 message blocks 734 shaSuccess = 0 constant returned by each function on success 735 shaNull = 1 constant returned by each function when 736 presented with a null pointer parameter 737 shaInputTooLong = 2 constant returned by each function when the 738 input data is too long 739 shaStateError constant returned by each function when 740 SHA$$$Input is called after SHA$$$FinalBits or 741 SHA$$$Result. 743 Structure: 744 typedef SHA$$$Context 745 an opaque structure holding the complete state 746 for producing the hash 748 Functions: 749 int SHA$$$Reset(SHA$$$Context *context); 750 Reset the hash context state 751 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 752 unsigned int bytecount); 753 Incorporate bytecount octets into the hash. 754 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 755 unsigned int bitcount); 756 Incorporate bitcount bits into the hash. The bits are in the 757 upper portion of the octet. SHA$$$Input() cannot be called 758 after this. 759 int SHA$$$Result(SHA$$$Context *, 760 uint8_t Message_Digest[SHA$$$HashSize]); 761 Do the final calculations on the hash and copy the value 762 into Message_Digest. 764 In addition, functions with the prefix USHA are provided that take a 765 SHAversion value (SHA$$$) to select the SHA function suite. They add 766 the following constants, structure and function: 768 Constants: 769 shaBadParam constant returned by USHA functions when 770 presented with a bad SHAversion (SHA$$$) 771 parameter or other illegal parameter values 772 SHA$$$ SHAversion enumeration values, used by usha, 773 hmac and hkdf functions to select the SHA 774 function suite 776 Structure: 777 typedef USHAContext 778 an opaque structure holding the complete state 779 for producing the hash 781 Functions: 782 int USHAReset(USHAContext *context, SHAversion whichSha); 783 Reset the hash context state. 784 int USHAInput(USHAContext context*, 785 const uint8_t *bytes, unsigned int bytecount); 786 Incorporate bytecount octets into the hash. 787 int USHAFinalBits(USHAContext *context, 788 const uint8_t bits, unsigned int bitcount); 789 Incorporate bitcount bits into the hash. 790 int USHAResult(USHAContext *context, 791 uint8_t Message_Digest[USHAMaxHashSize]); 792 Do the final calculations on the hash and copy the value 793 into Message_Digest. Octets in Message_Digest beyond 794 USHAHashSize(whichSha) are left untouched. 795 int USHAHashSize(enum SHAversion whichSha); 796 The number of octets in the given hash. 797 int USHAHashSizeBits(enum SHAversion whichSha); 798 The number of bits in the given hash. 799 int USHABlockSize(enum SHAversion whichSha); 800 The internal block size for the given hash. 801 const char *USHAHashName(enum SHAversion whichSha); 802 This function will return the name of the given SHA 803 algorithm as a string. 805 The hmac functions follow the same pattern to allow any length of 806 text input to be used. 808 Structures: 809 typedef HMACContext an opaque structure holding the complete state 810 for producing the hash 812 Functions: 813 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 814 const unsigned char *key, int key_len); 815 Reset the hash context state. 816 int hmacInput(HMACContext *ctx, const unsigned char *text, 817 int text_len); 818 Incorporate text_len octets into the hash. 819 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 820 unsigned int bitcount); 821 Incorporate bitcount bits into the hash. 822 int hmacResult(HMACContext *ctx, 823 uint8_t Message_Digest[USHAMaxHashSize]); 824 Do the final calculations on the hash and copy the value 825 into Message_Digest. Octets in Message_Digest beyond 826 USHAHashSize(whichSha) are left untouched. 828 In addition, a combined interface is provided, similar to that shown 829 in [RFC2104], that allows a fixed-length text input to be used. 831 int hmac(SHAversion whichSha, 832 const unsigned char *text, int text_len, 833 const unsigned char *key, int key_len, 834 uint8_t Message_Digest[USHAMaxHashSize]); 835 Calculate the given digest for the given text and key, and 836 return the resulting hash. Octets in Message_Digest beyond 837 USHAHashSize(whichSha) are left untouched. 839 The hkdf functions follow the same pattern to allow any length of 840 text input to be used. 842 Structures: 843 typedef HKDFContext an opaque structure holding the complete state 844 for producing the hash 845 Functions: 846 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 847 const unsigned char *salt, int salt_len) 848 Reset the hash context state and initialize it with the 849 salt_len octets of the optional salt. 850 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 851 int ikm_len) 852 Incorporate ikm_len octets into the hash. 853 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 854 unsigned int ikm_bit_count) 855 Incorporate ikm_bit_count bits into the hash. 856 int hkdfResult(HKDFContext *context, 857 uint8_t prk[USHAMaxHashSize], 858 /* ^ An optional location to store the HKDF 859 extraction. Either NULL, or pointer to a buffer 860 that must be larger than USHAHashSize(whichSha) 861 */ 863 const unsigned char *info, int info_len, 864 uint8_t okm[ ], int okm_len) 865 Finish the HKDF extraction and perform the final HKDF 866 expansion, storing the okm_len octets into okm. Optionally 867 store the pseudo-random key (prk) that is generated 868 internally. 870 In addition, combined interfaces are provided, similar to that shown 871 in [RFChkdf], that allows a fixed-length text input to be used. 873 int hkdfExtract(SHAversion whichSha, 874 const unsigned char *salt, int salt_len, 875 const unsigned char *ikm, int ikm_len, 876 uint8_t prk[USHAMaxHashSize]) 877 Perform HKDF extraction, combining the salt_len octets of 878 the optional salt with the ikm_len octets of the input 879 keying material (ikm) to form the pseudo-random key prk. 880 The output prk must be large enough to hold the octets 881 appropriate for the given hash type. 883 int hkdfExpand(SHAversion whichSha, 884 const uint8_t prk[ ], int prk_len, 885 const unsigned char *info, int info_len, 886 uint8_t okm[ ], int okm_len) 887 Perform HKDF expansion, combining the prk_len octets of the 888 pseudo-random key prk with the info_len octets of info to 889 form the okm_len octets stored in okm. 891 int hkdf(SHAversion whichSha, 892 const unsigned char *salt, int salt_len, 893 const unsigned char *ikm, int ikm_len, 894 const unsigned char *info, int info_len, 895 uint8_t okm[ ], int okm_len) 896 This combined interface performs both HKDF extraction and 897 expansion. The variables are the same as in hkdfExtract() 898 and hkdf Expand(). 900 8.1 The .h file 902 /**************************** sha.h ****************************/ 903 /***************** See RFC NNNN for details. *******************/ 904 /* 905 Copyright (c) 2010 IETF Trust and the persons identified as 906 authors of the code. All rights reserved. 908 Redistribution and use in source and binary forms, with or without 909 modification, are permitted provided that the following conditions 910 are met: 912 * Redistributions of source code must retain the above copyright 913 notice, this list of conditions and the following disclaimer. 915 * Redistributions in binary form must reproduce the above copyright 916 notice, this list of conditions and the following disclaimer in 917 the documentation and/or other materials provided with the 918 distribution. 920 * Neither the name of Internet Society, IETF or IETF Trust, nor the 921 names of specific contributors, may be used to endorse or promote 922 products derived from this software without specific prior 923 written permission. 925 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 926 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 927 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 928 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 929 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 930 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 931 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 932 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 933 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 934 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 935 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 936 POSSIBILITY OF SUCH DAMAGE. 937 */ 938 #ifndef _SHA_H_ 939 #define _SHA_H_ 941 /* 942 * Description: 943 * This file implements the Secure Hash Algorithms 944 * as defined in the National Institute of Standards 945 * and Technology Federal Information Processing Standards 946 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 947 * published on August 1, 2002, and the FIPS PUB 180-2 Change 948 * Notice published on February 28, 2004. 949 * 950 * A combined document showing all algorithms is available at 951 * http://csrc.nist.gov/publications/fips/ 952 * fips180-2/fips180-2withchangenotice.pdf 953 * 954 * The five hashes are defined in these sizes: 955 * SHA-1 20 byte / 160 bit 956 * SHA-224 28 byte / 224 bit 957 * SHA-256 32 byte / 256 bit 958 * SHA-384 48 byte / 384 bit 959 * SHA-512 64 byte / 512 bit 960 */ 962 #include 963 /* 964 * If you do not have the ISO standard stdint.h header file, then you 965 * must typedef the following: 966 * name meaning 967 * uint64_t unsigned 64 bit integer 968 * uint32_t unsigned 32 bit integer 969 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 970 * int_least16_t integer of >= 16 bits 971 * 972 */ 974 #ifndef _SHA_enum_ 975 #define _SHA_enum_ 976 /* 977 * All SHA functions return one of these values. 978 */ 979 enum { 980 shaSuccess = 0, 981 shaNull, /* Null pointer parameter */ 982 shaInputTooLong, /* input data too long */ 983 shaStateError, /* called Input after FinalBits or Result */ 984 shaBadParam /* passed a bad parameter */ 985 }; 986 #endif /* _SHA_enum_ */ 988 /* 989 * These constants hold size information for each of the SHA 990 * hashing operations 991 */ 992 enum { 993 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 994 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 995 SHA512_Message_Block_Size = 128, 996 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 998 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 999 SHA384HashSize = 48, SHA512HashSize = 64, 1000 USHAMaxHashSize = SHA512HashSize, 1002 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1003 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1004 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1005 }; 1007 /* 1008 * These constants are used in the USHA (unified sha) functions. 1009 */ 1010 typedef enum SHAversion { 1011 SHA1, SHA224, SHA256, SHA384, SHA512 1013 } SHAversion; 1015 /* 1016 * This structure will hold context information for the SHA-1 1017 * hashing operation. 1018 */ 1019 typedef struct SHA1Context { 1020 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1022 uint32_t Length_Low; /* Message length in bits */ 1023 uint32_t Length_High; /* Message length in bits */ 1025 int_least16_t Message_Block_Index; /* Message_Block array index */ 1026 /* 512-bit message blocks */ 1027 uint8_t Message_Block[SHA1_Message_Block_Size]; 1029 int Computed; /* Is the digest computed? */ 1030 int Corrupted; /* Is the digest corrupted? */ 1031 } SHA1Context; 1033 /* 1034 * This structure will hold context information for the SHA-256 1035 * hashing operation. 1036 */ 1037 typedef struct SHA256Context { 1038 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1040 uint32_t Length_Low; /* Message length in bits */ 1041 uint32_t Length_High; /* Message length in bits */ 1043 int_least16_t Message_Block_Index; /* Message_Block array index */ 1044 /* 512-bit message blocks */ 1045 uint8_t Message_Block[SHA256_Message_Block_Size]; 1047 int Computed; /* Is the digest computed? */ 1048 int Corrupted; /* Is the digest corrupted? */ 1049 } SHA256Context; 1051 /* 1052 * This structure will hold context information for the SHA-512 1053 * hashing operation. 1054 */ 1055 typedef struct SHA512Context { 1056 #ifdef USE_32BIT_ONLY 1057 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1058 uint32_t Length[4]; /* Message length in bits */ 1059 #else /* !USE_32BIT_ONLY */ 1060 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1061 uint64_t Length_Low, Length_High; /* Message length in bits */ 1062 #endif /* USE_32BIT_ONLY */ 1063 int_least16_t Message_Block_Index; /* Message_Block array index */ 1064 /* 1024-bit message blocks */ 1065 uint8_t Message_Block[SHA512_Message_Block_Size]; 1067 int Computed; /* Is the digest computed?*/ 1068 int Corrupted; /* Is the digest corrupted? */ 1069 } SHA512Context; 1071 /* 1072 * This structure will hold context information for the SHA-224 1073 * hashing operation. It uses the SHA-256 structure for computation. 1074 */ 1075 typedef struct SHA256Context SHA224Context; 1077 /* 1078 * This structure will hold context information for the SHA-384 1079 * hashing operation. It uses the SHA-512 structure for computation. 1080 */ 1081 typedef struct SHA512Context SHA384Context; 1083 /* 1084 * This structure holds context information for all SHA 1085 * hashing operations. 1086 */ 1087 typedef struct USHAContext { 1088 int whichSha; /* which SHA is being used */ 1089 union { 1090 SHA1Context sha1Context; 1091 SHA224Context sha224Context; SHA256Context sha256Context; 1092 SHA384Context sha384Context; SHA512Context sha512Context; 1093 } ctx; 1094 } USHAContext; 1096 /* 1097 * This structure will hold context information for the HMAC 1098 * keyed hashing operation. 1099 */ 1100 typedef struct HMACContext { 1101 int whichSha; /* which SHA is being used */ 1102 int hashSize; /* hash size of SHA being used */ 1103 int blockSize; /* block size of SHA being used */ 1104 USHAContext shaContext; /* SHA context */ 1105 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1106 /* outer padding - key XORd with opad */ 1107 int Computed; /* Is the digest computed? */ 1108 int Corrupted; /* Is the digest corrupted? */ 1109 } HMACContext; 1111 /* 1112 * This structure will hold context information for the HKDF 1113 * Extract-and-Expand Key Derivation functions. 1114 */ 1115 typedef struct HKDFContext { 1116 int whichSha; /* which SHA is being used */ 1117 HMACContext hmacContext; 1118 int hashSize; /* hash size of SHA being used */ 1119 unsigned char prk[USHAMaxHashSize]; 1120 /* Pseudo Random Key - output of hkdfInput */ 1121 int Computed; /* Is the digest computed? */ 1122 int Corrupted; /* Is the digest corrupted? */ 1123 } HKDFContext; 1125 /* 1126 * Function Prototypes 1127 */ 1129 /* SHA-1 */ 1130 extern int SHA1Reset(SHA1Context *); 1131 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1132 unsigned int bytecount); 1133 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1134 unsigned int bit_count); 1135 extern int SHA1Result(SHA1Context *, 1136 uint8_t Message_Digest[SHA1HashSize]); 1138 /* SHA-224 */ 1139 extern int SHA224Reset(SHA224Context *); 1140 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1141 unsigned int bytecount); 1142 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1143 unsigned int bit_count); 1144 extern int SHA224Result(SHA224Context *, 1145 uint8_t Message_Digest[SHA224HashSize]); 1147 /* SHA-256 */ 1148 extern int SHA256Reset(SHA256Context *); 1149 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1150 unsigned int bytecount); 1151 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1152 unsigned int bit_count); 1153 extern int SHA256Result(SHA256Context *, 1154 uint8_t Message_Digest[SHA256HashSize]); 1156 /* SHA-384 */ 1157 extern int SHA384Reset(SHA384Context *); 1158 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1159 unsigned int bytecount); 1160 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1161 unsigned int bit_count); 1162 extern int SHA384Result(SHA384Context *, 1163 uint8_t Message_Digest[SHA384HashSize]); 1165 /* SHA-512 */ 1166 extern int SHA512Reset(SHA512Context *); 1167 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1168 unsigned int bytecount); 1169 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1170 unsigned int bit_count); 1171 extern int SHA512Result(SHA512Context *, 1172 uint8_t Message_Digest[SHA512HashSize]); 1174 /* Unified SHA functions, chosen by whichSha */ 1175 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1176 extern int USHAInput(USHAContext *context, 1177 const uint8_t *bytes, unsigned int bytecount); 1178 extern int USHAFinalBits(USHAContext *context, 1179 uint8_t bits, unsigned int bit_count); 1180 extern int USHAResult(USHAContext *context, 1181 uint8_t Message_Digest[USHAMaxHashSize]); 1182 extern int USHABlockSize(enum SHAversion whichSha); 1183 extern int USHAHashSize(enum SHAversion whichSha); 1184 extern int USHAHashSizeBits(enum SHAversion whichSha); 1185 extern const char *USHAHashName(enum SHAversion whichSha); 1187 /* 1188 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1189 * for all SHAs. 1190 * This interface allows a fixed-length text input to be used. 1191 */ 1192 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1193 const unsigned char *text, /* pointer to data stream */ 1194 int text_len, /* length of data stream */ 1195 const unsigned char *key, /* pointer to authentication key */ 1196 int key_len, /* length of authentication key */ 1197 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1199 /* 1200 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1201 * for all SHAs. 1202 * This interface allows any length of text input to be used. 1203 */ 1204 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1205 const unsigned char *key, int key_len); 1206 extern int hmacInput(HMACContext *context, const unsigned char *text, 1207 int text_len); 1208 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1209 unsigned int bit_count); 1210 extern int hmacResult(HMACContext *context, 1211 uint8_t digest[USHAMaxHashSize]); 1213 /* 1214 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1215 * RFChkdf, for all SHAs. 1216 */ 1217 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1218 int salt_len, const unsigned char *ikm, int ikm_len, 1219 const unsigned char *info, int info_len, 1220 uint8_t okm[ ], int okm_len); 1221 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1222 int salt_len, const unsigned char *ikm, 1223 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1224 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1225 int prk_len, const unsigned char *info, 1226 int info_len, uint8_t okm[ ], int okm_len); 1228 /* 1229 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1230 * RFChkdf, for all SHAs. 1231 * This interface allows any length of text input to be used. 1232 */ 1233 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1234 const unsigned char *salt, int salt_len); 1235 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1236 int ikm_len); 1237 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1238 unsigned int ikm_bit_count); 1239 extern int hkdfResult(HKDFContext *context, 1240 uint8_t prk[USHAMaxHashSize], 1241 const unsigned char *info, int info_len, 1242 uint8_t okm[USHAMaxHashSize], int okm_len); 1244 #endif /* _SHA_H_ */ 1246 8.2 The SHA Code 1248 This code is primarily intended as expository and could be optimized 1249 further. For example, the assignment rotations through the variables 1250 a, b, ..., h could be treated as a cycle and the loop unrolled, 1251 rather than doing the explicit copying. 1253 Note that there are alternative representations of the Ch() and Maj() 1254 functions controlled by an ifdef. 1256 8.2.1 sha1.c 1258 /**************************** sha1.c ***************************/ 1259 /***************** See RFC NNNN for details. *******************/ 1260 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1261 /* authors of the code. All rights reserved. */ 1262 /* See sha.h for terms of use and redistribution. */ 1264 /* 1265 * Description: 1266 * This file implements the Secure Hash Algorithm SHA-1 1267 * as defined in the National Institute of Standards 1268 * and Technology Federal Information Processing Standards 1269 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 1270 * published on August 1, 2002, and the FIPS PUB 180-2 Change 1271 * Notice published on February 28, 2004. 1272 * 1273 * A combined document showing all algorithms is available at 1274 * http://csrc.nist.gov/publications/fips/ 1275 * fips180-2/fips180-2withchangenotice.pdf 1276 * 1277 * The SHA-1 algorithm produces a 160-bit message digest for a 1278 * given data stream. It should take about 2**n steps to find a 1279 * message with the same digest as a given message and 1280 * 2**(n/2) to find any two messages with the same digest, 1281 * when n is the digest size in bits. Therefore, this 1282 * algorithm can serve as a means of providing a 1283 * "fingerprint" for a message. 1284 * 1285 * Portability Issues: 1286 * SHA-1 is defined in terms of 32-bit "words". This code 1287 * uses (included via "sha.h") to define 32 and 8 1288 * bit unsigned integer types. If your C compiler does not 1289 * support 32 bit unsigned integers, this code is not 1290 * appropriate. 1291 * 1292 * Caveats: 1293 * SHA-1 is designed to work with messages less than 2^64 bits 1294 * long. This implementation uses SHA1Input() to hash the bits 1295 * that are a multiple of the size of an 8-bit octet, and then 1296 * optionally uses SHA1FinalBits() to hash the final few bits of 1297 * the input. 1298 */ 1300 #include "sha.h" 1301 #include "sha-private.h" 1303 /* 1304 * Define the SHA1 circular left shift macro 1305 */ 1307 #define SHA1_ROTL(bits,word) \ 1308 (((word) << (bits)) | ((word) >> (32-(bits)))) 1310 /* 1311 * Add "length" to the length. 1312 * Set Corrupted when overflow has occurred. 1313 */ 1314 static uint32_t addTemp; 1315 #define SHA1AddLength(context, length) \ 1316 (addTemp = (context)->Length_Low, \ 1317 (context)->Corrupted = \ 1318 (((context)->Length_Low += (length)) < addTemp) && \ 1319 (++(context)->Length_High == 0) ? shaInputTooLong \ 1320 : shaSuccess ) 1322 /* Local Function Prototypes */ 1323 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1324 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1325 static void SHA1ProcessMessageBlock(SHA1Context *context); 1327 /* 1328 * SHA1Reset 1329 * 1330 * Description: 1331 * This function will initialize the SHA1Context in preparation 1332 * for computing a new SHA1 message digest. 1333 * 1334 * Parameters: 1335 * context: [in/out] 1336 * The context to reset. 1337 * 1338 * Returns: 1339 * sha Error Code. 1340 * 1341 */ 1342 int SHA1Reset(SHA1Context *context) 1343 { 1344 if (!context) 1345 return shaNull; 1347 context->Length_Low = 0; 1348 context->Length_High = 0; 1349 context->Message_Block_Index = 0; 1351 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ 1352 context->Intermediate_Hash[0] = 0x67452301; 1353 context->Intermediate_Hash[1] = 0xEFCDAB89; 1354 context->Intermediate_Hash[2] = 0x98BADCFE; 1355 context->Intermediate_Hash[3] = 0x10325476; 1356 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1357 context->Computed = 0; 1358 context->Corrupted = 0; 1360 return shaSuccess; 1361 } 1363 /* 1364 * SHA1Input 1365 * 1366 * Description: 1367 * This function accepts an array of octets as the next portion 1368 * of the message. 1369 * 1370 * Parameters: 1371 * context: [in/out] 1372 * The SHA context to update 1373 * message_array: [in] 1374 * An array of octets representing the next portion of 1375 * the message. 1376 * length: [in] 1377 * The length of the message in message_array 1378 * 1379 * Returns: 1380 * sha Error Code. 1381 * 1382 */ 1383 int SHA1Input(SHA1Context *context, 1384 const uint8_t *message_array, unsigned length) 1385 { 1386 if (!length) 1387 return shaSuccess; 1389 if (!context || !message_array) 1390 return shaNull; 1392 if (context->Computed) return context->Corrupted = shaStateError; 1393 if (context->Corrupted) return context->Corrupted; 1395 while (length-- && !context->Corrupted) { 1396 context->Message_Block[context->Message_Block_Index++] = 1397 (*message_array & 0xFF); 1399 if ((SHA1AddLength(context, 8) == shaSuccess) && 1400 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1401 SHA1ProcessMessageBlock(context); 1403 message_array++; 1404 } 1406 return context->Corrupted; 1408 } 1410 /* 1411 * SHA1FinalBits 1412 * 1413 * Description: 1414 * This function will add in any final bits of the message. 1415 * 1416 * Parameters: 1417 * context: [in/out] 1418 * The SHA context to update 1419 * message_bits: [in] 1420 * The final bits of the message, in the upper portion of the 1421 * byte. (Use 0b###00000 instead of 0b00000### to input the 1422 * three bits ###.) 1423 * length: [in] 1424 * The number of bits in message_bits, between 1 and 7. 1425 * 1426 * Returns: 1427 * sha Error Code. 1428 */ 1429 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1430 unsigned int length) 1431 { 1432 uint8_t masks[8] = { 1433 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1434 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1435 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1436 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1437 }; 1438 uint8_t markbit[8] = { 1439 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1440 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1441 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1442 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1443 }; 1445 if (!length) 1446 return shaSuccess; 1448 if (!context) 1449 return shaNull; 1451 if (context->Computed) return context->Corrupted = shaStateError; 1453 if ((length >= 8) || (length == 0)) 1454 return context->Corrupted = shaBadParam; 1456 if (context->Corrupted) 1457 return context->Corrupted; 1459 SHA1AddLength(context, length); 1460 SHA1Finalize(context, 1461 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1463 return context->Corrupted; 1464 } 1466 /* 1467 * SHA1Result 1468 * 1469 * Description: 1470 * This function will return the 160-bit message digest 1471 * into the Message_Digest array provided by the caller. 1472 * NOTE: 1473 * The first octet of hash is stored in the element with index 0, 1474 * the last octet of hash in the element with index 19. 1475 * 1476 * Parameters: 1477 * context: [in/out] 1478 * The context to use to calculate the SHA-1 hash. 1479 * Message_Digest: [out] 1480 * Where the digest is returned. 1481 * 1482 * Returns: 1483 * sha Error Code. 1484 * 1485 */ 1486 int SHA1Result(SHA1Context *context, 1487 uint8_t Message_Digest[SHA1HashSize]) 1488 { 1489 int i; 1491 if (!context || !Message_Digest) 1492 return shaNull; 1494 if (context->Corrupted) 1495 return context->Corrupted; 1497 if (!context->Computed) 1498 SHA1Finalize(context, 0x80); 1500 for (i = 0; i < SHA1HashSize; ++i) 1501 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1502 >> 8 * ( 3 - ( i & 0x03 ) )); 1504 return shaSuccess; 1505 } 1507 /* 1508 * SHA1Finalize 1509 * 1510 * Description: 1511 * This helper function finishes off the digest calculations. 1512 * 1513 * Parameters: 1514 * context: [in/out] 1515 * The SHA context to update 1516 * Pad_Byte: [in] 1517 * The last byte to add to the digest before the 0-padding 1518 * and length. This will contain the last bits of the message 1519 * followed by another single bit. If the message was an 1520 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1521 * 1522 * Returns: 1523 * sha Error Code. 1524 * 1525 */ 1526 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1527 { 1528 int i; 1529 SHA1PadMessage(context, Pad_Byte); 1530 /* message may be sensitive, clear it out */ 1531 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1532 context->Message_Block[i] = 0; 1533 context->Length_Low = 0; /* and clear length */ 1534 context->Length_High = 0; 1535 context->Computed = 1; 1536 } 1538 /* 1539 * SHA1PadMessage 1540 * 1541 * Description: 1542 * According to the standard, the message must be padded to the next 1543 * even multiple of 512 bits. The first padding bit must be a '1'. 1544 * The last 64 bits represent the length of the original message. 1545 * All bits in between should be 0. This helper function will pad 1546 * the message according to those rules by filling the Message_Block 1547 * array accordingly. When it returns, it can be assumed that the 1548 * message digest has been computed. 1549 * 1550 * Parameters: 1551 * context: [in/out] 1552 * The context to pad 1553 * Pad_Byte: [in] 1554 * The last byte to add to the digest before the 0-padding 1555 * and length. This will contain the last bits of the message 1556 * followed by another single bit. If the message was an 1557 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1558 * 1559 * Returns: 1560 * Nothing. 1561 */ 1562 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1563 { 1564 /* 1565 * Check to see if the current message block is too small to hold 1566 * the initial padding bits and length. If so, we will pad the 1567 * block, process it, and then continue padding into a second 1568 * block. 1569 */ 1570 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1571 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1572 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1573 context->Message_Block[context->Message_Block_Index++] = 0; 1575 SHA1ProcessMessageBlock(context); 1576 } else 1577 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1579 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1580 context->Message_Block[context->Message_Block_Index++] = 0; 1582 /* 1583 * Store the message length as the last 8 octets 1584 */ 1585 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1586 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1587 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1588 context->Message_Block[59] = (uint8_t) (context->Length_High); 1589 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1590 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1591 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1592 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1594 SHA1ProcessMessageBlock(context); 1595 } 1597 /* 1598 * SHA1ProcessMessageBlock 1599 * 1600 * Description: 1601 * This helper function will process the next 512 bits of the 1602 * message stored in the Message_Block array. 1603 * 1604 * Parameters: 1605 * context: [in/out] 1606 * The SHA context to update 1607 * 1608 * Returns: 1610 * Nothing. 1611 * 1612 * Comments: 1613 * Many of the variable names in this code, especially the 1614 * single character names, were used because those were the 1615 * names used in the publication. 1616 */ 1617 static void SHA1ProcessMessageBlock(SHA1Context *context) 1618 { 1619 /* Constants defined in FIPS-180-2, section 4.2.1 */ 1620 const uint32_t K[4] = { 1621 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1622 }; 1623 int t; /* Loop counter */ 1624 uint32_t temp; /* Temporary word value */ 1625 uint32_t W[80]; /* Word sequence */ 1626 uint32_t A, B, C, D, E; /* Word buffers */ 1628 /* 1629 * Initialize the first 16 words in the array W 1630 */ 1631 for (t = 0; t < 16; t++) { 1632 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1633 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1634 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1635 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1636 } 1638 for (t = 16; t < 80; t++) 1639 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1641 A = context->Intermediate_Hash[0]; 1642 B = context->Intermediate_Hash[1]; 1643 C = context->Intermediate_Hash[2]; 1644 D = context->Intermediate_Hash[3]; 1645 E = context->Intermediate_Hash[4]; 1647 for (t = 0; t < 20; t++) { 1648 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1649 E = D; 1650 D = C; 1651 C = SHA1_ROTL(30,B); 1652 B = A; 1653 A = temp; 1654 } 1656 for (t = 20; t < 40; t++) { 1657 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1658 E = D; 1659 D = C; 1660 C = SHA1_ROTL(30,B); 1661 B = A; 1662 A = temp; 1663 } 1665 for (t = 40; t < 60; t++) { 1666 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1667 E = D; 1668 D = C; 1669 C = SHA1_ROTL(30,B); 1670 B = A; 1671 A = temp; 1672 } 1674 for (t = 60; t < 80; t++) { 1675 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1676 E = D; 1677 D = C; 1678 C = SHA1_ROTL(30,B); 1679 B = A; 1680 A = temp; 1681 } 1683 context->Intermediate_Hash[0] += A; 1684 context->Intermediate_Hash[1] += B; 1685 context->Intermediate_Hash[2] += C; 1686 context->Intermediate_Hash[3] += D; 1687 context->Intermediate_Hash[4] += E; 1689 context->Message_Block_Index = 0; 1690 } 1692 8.2.2 sha224-256.c 1694 /************************* sha224-256.c ************************/ 1695 /***************** See RFC NNNN for details. *******************/ 1696 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1697 /* authors of the code. All rights reserved. */ 1698 /* See sha.h for terms of use and redistribution. */ 1700 /* 1701 * Description: 1702 * This file implements the Secure Hash Algorithms SHA-224 and 1703 * SHA-256 as defined in the National Institute of Standards 1704 * and Technology Federal Information Processing Standards 1705 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 1706 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 1707 * 1708 * A combined document showing all algorithms is available at 1709 * http://csrc.nist.gov/publications/fips/ 1710 * fips180-2/fips180-2withchangenotice.pdf 1711 * 1712 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1713 * message digests for a given data stream. It should take about 1714 * 2**n steps to find a message with the same digest as a given 1715 * message and 2**(n/2) to find any two messages with the same 1716 * digest, when n is the digest size in bits. Therefore, this 1717 * algorithm can serve as a means of providing a 1718 * "fingerprint" for a message. 1719 * 1720 * Portability Issues: 1721 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1722 * This code uses (included via "sha.h") to define 32 1723 * and 8 bit unsigned integer types. If your C compiler does not 1724 * support 32 bit unsigned integers, this code is not 1725 * appropriate. 1726 * 1727 * Caveats: 1728 * SHA-224 and SHA-256 are designed to work with messages less 1729 * than 2^64 bits long. This implementation uses SHA224/256Input() 1730 * to hash the bits that are a multiple of the size of an 8-bit 1731 * octet, and then optionally uses SHA224/256FinalBits() 1732 * to hash the final few bits of the input. 1733 */ 1735 #include "sha.h" 1736 #include "sha-private.h" 1738 /* Define the SHA shift, rotate left and rotate right macro */ 1739 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1740 #define SHA256_ROTL(bits,word) \ 1741 (((word) << (bits)) | ((word) >> (32-(bits)))) 1742 #define SHA256_ROTR(bits,word) \ 1743 (((word) >> (bits)) | ((word) << (32-(bits)))) 1745 /* Define the SHA SIGMA and sigma macros */ 1746 #define SHA256_SIGMA0(word) \ 1747 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1748 #define SHA256_SIGMA1(word) \ 1749 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1750 #define SHA256_sigma0(word) \ 1751 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1752 #define SHA256_sigma1(word) \ 1753 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1755 /* 1756 * Add "length" to the length. 1757 * Set Corrupted when overflow has occurred. 1759 */ 1760 static uint32_t addTemp; 1761 #define SHA224_256AddLength(context, length) \ 1762 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1763 (((context)->Length_Low += (length)) < addTemp) && \ 1764 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1765 shaSuccess ) 1767 /* Local Function Prototypes */ 1768 static void SHA224_256Finalize(SHA256Context *context, 1769 uint8_t Pad_Byte); 1770 static void SHA224_256PadMessage(SHA256Context *context, 1771 uint8_t Pad_Byte); 1772 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1773 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1774 static int SHA224_256ResultN(SHA256Context *context, 1775 uint8_t Message_Digest[ ], int HashSize); 1777 /* Initial Hash Values: FIPS-180-2 Change Notice 1 */ 1778 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1779 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1780 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1781 }; 1783 /* Initial Hash Values: FIPS-180-2 section 5.3.2 */ 1784 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1785 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1786 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1787 }; 1789 /* 1790 * SHA224Reset 1791 * 1792 * Description: 1793 * This function will initialize the SHA224Context in preparation 1794 * for computing a new SHA224 message digest. 1795 * 1796 * Parameters: 1797 * context: [in/out] 1798 * The context to reset. 1799 * 1800 * Returns: 1801 * sha Error Code. 1802 */ 1803 int SHA224Reset(SHA224Context *context) 1804 { 1805 return SHA224_256Reset(context, SHA224_H0); 1806 } 1808 /* 1809 * SHA224Input 1810 * 1811 * Description: 1812 * This function accepts an array of octets as the next portion 1813 * of the message. 1814 * 1815 * Parameters: 1816 * context: [in/out] 1817 * The SHA context to update 1818 * message_array: [in] 1819 * An array of octets representing the next portion of 1820 * the message. 1821 * length: [in] 1822 * The length of the message in message_array 1823 * 1824 * Returns: 1825 * sha Error Code. 1826 * 1827 */ 1828 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1829 unsigned int length) 1830 { 1831 return SHA256Input(context, message_array, length); 1832 } 1834 /* 1835 * SHA224FinalBits 1836 * 1837 * Description: 1838 * This function will add in any final bits of the message. 1839 * 1840 * Parameters: 1841 * context: [in/out] 1842 * The SHA context to update 1843 * message_bits: [in] 1844 * The final bits of the message, in the upper portion of the 1845 * byte. (Use 0b###00000 instead of 0b00000### to input the 1846 * three bits ###.) 1847 * length: [in] 1848 * The number of bits in message_bits, between 1 and 7. 1849 * 1850 * Returns: 1851 * sha Error Code. 1852 */ 1853 int SHA224FinalBits(SHA224Context *context, 1854 uint8_t message_bits, unsigned int length) 1855 { 1856 return SHA256FinalBits(context, message_bits, length); 1857 } 1858 /* 1859 * SHA224Result 1860 * 1861 * Description: 1862 * This function will return the 224-bit message digest 1863 * into the Message_Digest array provided by the caller. 1864 * NOTE: 1865 * The first octet of hash is stored in the element with index 0, 1866 * the last octet of hash in the element with index 27. 1867 * 1868 * Parameters: 1869 * context: [in/out] 1870 * The context to use to calculate the SHA hash. 1871 * Message_Digest: [out] 1872 * Where the digest is returned. 1873 * 1874 * Returns: 1875 * sha Error Code. 1876 */ 1877 int SHA224Result(SHA224Context *context, 1878 uint8_t Message_Digest[SHA224HashSize]) 1879 { 1880 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1881 } 1883 /* 1884 * SHA256Reset 1885 * 1886 * Description: 1887 * This function will initialize the SHA256Context in preparation 1888 * for computing a new SHA256 message digest. 1889 * 1890 * Parameters: 1891 * context: [in/out] 1892 * The context to reset. 1893 * 1894 * Returns: 1895 * sha Error Code. 1896 */ 1897 int SHA256Reset(SHA256Context *context) 1898 { 1899 return SHA224_256Reset(context, SHA256_H0); 1900 } 1902 /* 1903 * SHA256Input 1904 * 1905 * Description: 1906 * This function accepts an array of octets as the next portion 1907 * of the message. 1909 * 1910 * Parameters: 1911 * context: [in/out] 1912 * The SHA context to update 1913 * message_array: [in] 1914 * An array of octets representing the next portion of 1915 * the message. 1916 * length: [in] 1917 * The length of the message in message_array 1918 * 1919 * Returns: 1920 * sha Error Code. 1921 */ 1922 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1923 unsigned int length) 1924 { 1925 if (!length) 1926 return shaSuccess; 1928 if (!context || !message_array) 1929 return shaNull; 1931 if (context->Computed) 1932 return context->Corrupted = shaStateError; 1934 if (context->Corrupted) 1935 return context->Corrupted; 1937 while (length-- && !context->Corrupted) { 1938 context->Message_Block[context->Message_Block_Index++] = 1939 (*message_array & 0xFF); 1941 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 1942 (context->Message_Block_Index == SHA256_Message_Block_Size)) 1943 SHA224_256ProcessMessageBlock(context); 1945 message_array++; 1946 } 1948 return context->Corrupted; 1950 } 1952 /* 1953 * SHA256FinalBits 1954 * 1955 * Description: 1956 * This function will add in any final bits of the message. 1957 * 1958 * Parameters: 1960 * context: [in/out] 1961 * The SHA context to update 1962 * message_bits: [in] 1963 * The final bits of the message, in the upper portion of the 1964 * byte. (Use 0b###00000 instead of 0b00000### to input the 1965 * three bits ###.) 1966 * length: [in] 1967 * The number of bits in message_bits, between 1 and 7. 1968 * 1969 * Returns: 1970 * sha Error Code. 1971 */ 1972 int SHA256FinalBits(SHA256Context *context, 1973 uint8_t message_bits, unsigned int length) 1974 { 1975 uint8_t masks[8] = { 1976 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1977 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1978 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1979 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1980 }; 1981 uint8_t markbit[8] = { 1982 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1983 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1984 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1985 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1986 }; 1988 if (!length) 1989 return shaSuccess; 1991 if (!context) 1992 return shaNull; 1994 if (context->Computed) 1995 return context->Corrupted = shaStateError; 1997 if ((length >= 8) || (length == 0)) 1998 return context->Corrupted = shaBadParam; 2000 if (context->Corrupted) 2001 return context->Corrupted; 2003 SHA224_256AddLength(context, length); 2004 SHA224_256Finalize(context, (uint8_t) 2005 ((message_bits & masks[length]) | markbit[length])); 2007 return context->Corrupted; 2008 } 2009 /* 2010 * SHA256Result 2011 * 2012 * Description: 2013 * This function will return the 256-bit message digest 2014 * into the Message_Digest array provided by the caller. 2015 * NOTE: 2016 * The first octet of hash is stored in the element with index 0, 2017 * the last octet of hash in the element with index 31. 2018 * 2019 * Parameters: 2020 * context: [in/out] 2021 * The context to use to calculate the SHA hash. 2022 * Message_Digest: [out] 2023 * Where the digest is returned. 2024 * 2025 * Returns: 2026 * sha Error Code. 2027 */ 2028 int SHA256Result(SHA256Context *context, 2029 uint8_t Message_Digest[SHA256HashSize]) 2030 { 2031 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2032 } 2034 /* 2035 * SHA224_256Finalize 2036 * 2037 * Description: 2038 * This helper function finishes off the digest calculations. 2039 * 2040 * Parameters: 2041 * context: [in/out] 2042 * The SHA context to update 2043 * Pad_Byte: [in] 2044 * The last byte to add to the digest before the 0-padding 2045 * and length. This will contain the last bits of the message 2046 * followed by another single bit. If the message was an 2047 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2048 * 2049 * Returns: 2050 * sha Error Code. 2051 */ 2052 static void SHA224_256Finalize(SHA256Context *context, 2053 uint8_t Pad_Byte) 2054 { 2055 int i; 2056 SHA224_256PadMessage(context, Pad_Byte); 2057 /* message may be sensitive, so clear it out */ 2058 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2059 context->Message_Block[i] = 0; 2060 context->Length_Low = 0; /* and clear length */ 2061 context->Length_High = 0; 2062 context->Computed = 1; 2063 } 2065 /* 2066 * SHA224_256PadMessage 2067 * 2068 * Description: 2069 * According to the standard, the message must be padded to the next 2070 * even multiple of 512 bits. The first padding bit must be a '1'. 2071 * The last 64 bits represent the length of the original message. 2072 * All bits in between should be 0. This helper function will pad 2073 * the message according to those rules by filling the 2074 * Message_Block array accordingly. When it returns, it can be 2075 * assumed that the message digest has been computed. 2076 * 2077 * Parameters: 2078 * context: [in/out] 2079 * The context to pad 2080 * Pad_Byte: [in] 2081 * The last byte to add to the digest before the 0-padding 2082 * and length. This will contain the last bits of the message 2083 * followed by another single bit. If the message was an 2084 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2085 * 2086 * Returns: 2087 * Nothing. 2088 */ 2089 static void SHA224_256PadMessage(SHA256Context *context, 2090 uint8_t Pad_Byte) 2091 { 2092 /* 2093 * Check to see if the current message block is too small to hold 2094 * the initial padding bits and length. If so, we will pad the 2095 * block, process it, and then continue padding into a second 2096 * block. 2097 */ 2098 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2099 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2100 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2101 context->Message_Block[context->Message_Block_Index++] = 0; 2102 SHA224_256ProcessMessageBlock(context); 2103 } else 2104 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2106 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2107 context->Message_Block[context->Message_Block_Index++] = 0; 2109 /* 2110 * Store the message length as the last 8 octets 2111 */ 2112 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2113 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2114 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2115 context->Message_Block[59] = (uint8_t)(context->Length_High); 2116 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2117 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2118 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2119 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2121 SHA224_256ProcessMessageBlock(context); 2122 } 2124 /* 2125 * SHA224_256ProcessMessageBlock 2126 * 2127 * Description: 2128 * This helper function will process the next 512 bits of the 2129 * message stored in the Message_Block array. 2130 * 2131 * Parameters: 2132 * context: [in/out] 2133 * The SHA context to update 2134 * 2135 * Returns: 2136 * Nothing. 2137 * 2138 * Comments: 2139 * Many of the variable names in this code, especially the 2140 * single character names, were used because those were the 2141 * names used in the publication. 2142 */ 2143 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2144 { 2145 /* Constants defined in FIPS-180-2, section 4.2.2 */ 2146 static const uint32_t K[64] = { 2147 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2148 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2149 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2150 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2151 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2152 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2153 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2154 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2155 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2156 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2157 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2158 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2159 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2160 }; 2161 int t, t4; /* Loop counter */ 2162 uint32_t temp1, temp2; /* Temporary word value */ 2163 uint32_t W[64]; /* Word sequence */ 2164 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2166 /* 2167 * Initialize the first 16 words in the array W 2168 */ 2169 for (t = t4 = 0; t < 16; t++, t4 += 4) 2170 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2171 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2172 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2173 (((uint32_t)context->Message_Block[t4 + 3])); 2175 for (t = 16; t < 64; t++) 2176 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2177 SHA256_sigma0(W[t-15]) + W[t-16]; 2179 A = context->Intermediate_Hash[0]; 2180 B = context->Intermediate_Hash[1]; 2181 C = context->Intermediate_Hash[2]; 2182 D = context->Intermediate_Hash[3]; 2183 E = context->Intermediate_Hash[4]; 2184 F = context->Intermediate_Hash[5]; 2185 G = context->Intermediate_Hash[6]; 2186 H = context->Intermediate_Hash[7]; 2188 for (t = 0; t < 64; t++) { 2189 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2190 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2191 H = G; 2192 G = F; 2193 F = E; 2194 E = D + temp1; 2195 D = C; 2196 C = B; 2197 B = A; 2198 A = temp1 + temp2; 2199 } 2201 context->Intermediate_Hash[0] += A; 2202 context->Intermediate_Hash[1] += B; 2203 context->Intermediate_Hash[2] += C; 2204 context->Intermediate_Hash[3] += D; 2205 context->Intermediate_Hash[4] += E; 2206 context->Intermediate_Hash[5] += F; 2207 context->Intermediate_Hash[6] += G; 2208 context->Intermediate_Hash[7] += H; 2209 context->Message_Block_Index = 0; 2210 } 2212 /* 2213 * SHA224_256Reset 2214 * 2215 * Description: 2216 * This helper function will initialize the SHA256Context in 2217 * preparation for computing a new SHA-224 or SHA-256 message digest. 2218 * 2219 * Parameters: 2220 * context: [in/out] 2221 * The context to reset. 2222 * H0 2223 * The initial hash value to use. 2224 * 2225 * Returns: 2226 * sha Error Code. 2227 */ 2228 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2229 { 2230 if (!context) 2231 return shaNull; 2233 context->Length_Low = 0; 2234 context->Length_High = 0; 2235 context->Message_Block_Index = 0; 2237 context->Intermediate_Hash[0] = H0[0]; 2238 context->Intermediate_Hash[1] = H0[1]; 2239 context->Intermediate_Hash[2] = H0[2]; 2240 context->Intermediate_Hash[3] = H0[3]; 2241 context->Intermediate_Hash[4] = H0[4]; 2242 context->Intermediate_Hash[5] = H0[5]; 2243 context->Intermediate_Hash[6] = H0[6]; 2244 context->Intermediate_Hash[7] = H0[7]; 2246 context->Computed = 0; 2247 context->Corrupted = 0; 2249 return shaSuccess; 2250 } 2252 /* 2253 * SHA224_256ResultN 2254 * 2255 * Description: 2256 * This helper function will return the 224-bit or 256-bit message 2257 * digest into the Message_Digest array provided by the caller. 2258 * NOTE: 2260 * The first octet of hash is stored in the element with index 0, 2261 * the last octet of hash in the element with index 27/31. 2262 * 2263 * Parameters: 2264 * context: [in/out] 2265 * The context to use to calculate the SHA hash. 2266 * Message_Digest: [out] 2267 * Where the digest is returned. 2268 * HashSize: [in] 2269 * The size of the hash, either 28 or 32. 2270 * 2271 * Returns: 2272 * sha Error Code. 2273 */ 2274 static int SHA224_256ResultN(SHA256Context *context, 2275 uint8_t Message_Digest[ ], int HashSize) 2276 { 2277 int i; 2279 if (!context || !Message_Digest) 2280 return shaNull; 2282 if (context->Corrupted) 2283 return context->Corrupted; 2285 if (!context->Computed) 2286 SHA224_256Finalize(context, 0x80); 2288 for (i = 0; i < HashSize; ++i) 2289 Message_Digest[i] = (uint8_t) 2290 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2292 return shaSuccess; 2293 } 2295 8.2.3 sha384-512.c 2297 /************************* sha384-512.c ************************/ 2298 /***************** See RFC NNNN for details. *******************/ 2299 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2300 /* authors of the code. All rights reserved. */ 2301 /* See sha.h for terms of use and redistribution. */ 2303 /* 2304 * Description: 2305 * This file implements the Secure Hash Algorithms SHA-384 and 2306 * SHA-512 as defined in the National Institute of Standards 2307 * and Technology Federal Information Processing Standards 2308 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 2309 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 2310 * 2311 * A combined document showing all algorithms is available at 2312 * http://csrc.nist.gov/publications/fips/ 2313 * fips180-2/fips180-2withchangenotice.pdf 2314 * 2315 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2316 * message digests for a given data stream. It should take about 2317 * 2**n steps to find a message with the same digest as a given 2318 * message and 2**(n/2) to find any two messages with the same 2319 * digest, when n is the digest size in bits. Therefore, this 2320 * algorithm can serve as a means of providing a 2321 * "fingerprint" for a message. 2322 * 2323 * Portability Issues: 2324 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2325 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2326 * terms of 32-bit "words". This code uses (included 2327 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2328 * types. If your C compiler does not support 64 bit unsigned 2329 * integers, and you do not #define USE_32BIT_ONLY, this code is 2330 * not appropriate. 2331 * 2332 * Caveats: 2333 * SHA-384 and SHA-512 are designed to work with messages less 2334 * than 2^128 bits long. This implementation uses SHA384/512Input() 2335 * to hash the bits that are a multiple of the size of an 8-bit 2336 * octet, and then optionally uses SHA384/256FinalBits() 2337 * to hash the final few bits of the input. 2338 * 2339 */ 2341 #include "sha.h" 2342 #include "sha-private.h" 2344 #ifdef USE_32BIT_ONLY 2345 /* 2346 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2347 * Each 64-bit number is represented in a 2-word array. 2348 * All macros are defined such that the result is the last parameter. 2349 */ 2351 /* 2352 * Define shift, rotate left and rotate right functions 2353 */ 2354 #define SHA512_SHR(bits, word, ret) ( \ 2355 /* (((uint64_t)((word))) >> (bits)) */ \ 2356 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2357 ((word)[0] >> (bits)) : 0, \ 2359 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2360 ((bits) == 32) ? (word)[0] : \ 2361 ((bits) >= 0) ? \ 2362 (((word)[0] << (32 - (bits))) | \ 2363 ((word)[1] >> (bits))) : 0 ) 2365 #define SHA512_SHL(bits, word, ret) ( \ 2366 /* (((uint64_t)(word)) << (bits)) */ \ 2367 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2368 ((bits) == 32) ? (word)[1] : \ 2369 ((bits) >= 0) ? \ 2370 (((word)[0] << (bits)) | \ 2371 ((word)[1] >> (32 - (bits)))) : \ 2372 0, \ 2373 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2374 ((word)[1] << (bits)) : 0 ) 2376 /* 2377 * Define 64-bit OR 2378 */ 2379 #define SHA512_OR(word1, word2, ret) ( \ 2380 (ret)[0] = (word1)[0] | (word2)[0], \ 2381 (ret)[1] = (word1)[1] | (word2)[1] ) 2383 /* 2384 * Define 64-bit XOR 2385 */ 2386 #define SHA512_XOR(word1, word2, ret) ( \ 2387 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2388 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2390 /* 2391 * Define 64-bit AND 2392 */ 2393 #define SHA512_AND(word1, word2, ret) ( \ 2394 (ret)[0] = (word1)[0] & (word2)[0], \ 2395 (ret)[1] = (word1)[1] & (word2)[1] ) 2397 /* 2398 * Define 64-bit TILDA 2399 */ 2400 #define SHA512_TILDA(word, ret) \ 2401 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2403 /* 2404 * Define 64-bit ADD 2405 */ 2406 #define SHA512_ADD(word1, word2, ret) ( \ 2407 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2408 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2410 /* 2411 * Add the 4word value in word2 to word1. 2412 */ 2413 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2414 #define SHA512_ADDTO4(word1, word2) ( \ 2415 ADDTO4_temp = (word1)[3], \ 2416 (word1)[3] += (word2)[3], \ 2417 ADDTO4_temp2 = (word1)[2], \ 2418 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2419 ADDTO4_temp = (word1)[1], \ 2420 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2421 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2423 /* 2424 * Add the 2word value in word2 to word1. 2425 */ 2426 static uint32_t ADDTO2_temp; 2427 #define SHA512_ADDTO2(word1, word2) ( \ 2428 ADDTO2_temp = (word1)[1], \ 2429 (word1)[1] += (word2)[1], \ 2430 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2432 /* 2433 * SHA rotate ((word >> bits) | (word << (64-bits))) 2434 */ 2435 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2436 #define SHA512_ROTR(bits, word, ret) ( \ 2437 SHA512_SHR((bits), (word), ROTR_temp1), \ 2438 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2439 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2441 /* 2442 * Define the SHA SIGMA and sigma macros 2443 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2444 */ 2445 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2446 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2447 #define SHA512_SIGMA0(word, ret) ( \ 2448 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2449 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2450 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2451 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2452 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2454 /* 2455 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2456 */ 2457 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2458 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2459 #define SHA512_SIGMA1(word, ret) ( \ 2460 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2461 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2462 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2463 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2464 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2466 /* 2467 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2468 */ 2469 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2470 sigma0_temp3[2], sigma0_temp4[2]; 2471 #define SHA512_sigma0(word, ret) ( \ 2472 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2473 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2474 SHA512_SHR( 7, (word), sigma0_temp3), \ 2475 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2476 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2478 /* 2479 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2480 */ 2481 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2482 sigma1_temp3[2], sigma1_temp4[2]; 2483 #define SHA512_sigma1(word, ret) ( \ 2484 SHA512_ROTR(19, (word), sigma1_temp1), \ 2485 SHA512_ROTR(61, (word), sigma1_temp2), \ 2486 SHA512_SHR( 6, (word), sigma1_temp3), \ 2487 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2488 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2490 #undef SHA_Ch 2491 #undef SHA_Maj 2493 #ifndef USE_MODIFIED_MACROS 2494 /* 2495 * These definitions are the ones used in FIPS-180-2, section 4.1.3 2496 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2497 */ 2498 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2499 #define SHA_Ch(x, y, z, ret) ( \ 2500 SHA512_AND(x, y, Ch_temp1), \ 2501 SHA512_TILDA(x, Ch_temp2), \ 2502 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2503 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2505 /* 2506 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2507 */ 2508 static uint32_t Maj_temp1[2], Maj_temp2[2], 2509 Maj_temp3[2], Maj_temp4[2]; 2511 #define SHA_Maj(x, y, z, ret) ( \ 2512 SHA512_AND(x, y, Maj_temp1), \ 2513 SHA512_AND(x, z, Maj_temp2), \ 2514 SHA512_AND(y, z, Maj_temp3), \ 2515 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2516 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2518 #else /* !USE_MODIFIED_MACROS */ 2519 /* 2520 * These definitions are potentially faster equivalents for the ones 2521 * used in FIPS-180-2, section 4.1.3. 2522 * ((x & y) ^ (~x & z)) becomes 2523 * ((x & (y ^ z)) ^ z) 2524 */ 2525 #define SHA_Ch(x, y, z, ret) ( \ 2526 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2527 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2529 /* 2530 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2531 * ((x & (y | z)) | (y & z)) 2532 */ 2533 #define SHA_Maj(x, y, z, ret) ( \ 2534 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2535 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2536 #endif /* USE_MODIFIED_MACROS */ 2538 /* 2539 * Add "length" to the length. 2540 * Set Corrupted when overflow has occurred. 2541 */ 2542 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2543 #define SHA384_512AddLength(context, length) ( \ 2544 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2545 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2546 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2547 ((context)->Length[0] == 0)) ? shaInputTooLong : shaSuccess ) 2549 /* Local Function Prototypes */ 2550 static void SHA384_512Finalize(SHA512Context *context, 2551 uint8_t Pad_Byte); 2552 static void SHA384_512PadMessage(SHA512Context *context, 2553 uint8_t Pad_Byte); 2554 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2555 static int SHA384_512Reset(SHA512Context *context, 2556 uint32_t H0[SHA512HashSize/4]); 2557 static int SHA384_512ResultN( SHA512Context *context, 2558 uint8_t Message_Digest[ ], int HashSize); 2560 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2561 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2562 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2563 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2564 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2565 0xBEFA4FA4 2566 }; 2568 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2569 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2570 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2571 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2572 0x137E2179 2573 }; 2575 #else /* !USE_32BIT_ONLY */ 2577 /* Define the SHA shift, rotate left and rotate right macro */ 2578 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2579 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2580 (((uint64_t)(word)) << (64-(bits)))) 2582 /* Define the SHA SIGMA and sigma macros */ 2583 #define SHA512_SIGMA0(word) \ 2584 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2585 #define SHA512_SIGMA1(word) \ 2586 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2587 #define SHA512_sigma0(word) \ 2588 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2589 #define SHA512_sigma1(word) \ 2590 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2592 /* 2593 * Add "length" to the length. 2594 * Set Corrupted when overflow has occurred. 2595 */ 2596 static uint64_t addTemp; 2597 #define SHA384_512AddLength(context, length) \ 2598 (addTemp = context->Length_Low, context->Corrupted = \ 2599 ((context->Length_Low += length) < addTemp) && \ 2600 (++context->Length_High == 0) ? 1 : 0) 2602 /* Local Function Prototypes */ 2603 static void SHA384_512Finalize(SHA512Context *context, 2604 uint8_t Pad_Byte); 2605 static void SHA384_512PadMessage(SHA512Context *context, 2606 uint8_t Pad_Byte); 2607 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2608 static int SHA384_512Reset(SHA512Context *context, 2609 uint64_t H0[SHA512HashSize/8]); 2610 static int SHA384_512ResultN(SHA512Context *context, 2611 uint8_t Message_Digest[ ], int HashSize); 2613 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2614 static uint64_t SHA384_H0[ ] = { 2615 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2616 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2617 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2618 }; 2619 static uint64_t SHA512_H0[ ] = { 2620 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2621 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2622 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2623 }; 2625 #endif /* USE_32BIT_ONLY */ 2627 /* 2628 * SHA384Reset 2629 * 2630 * Description: 2631 * This function will initialize the SHA384Context in preparation 2632 * for computing a new SHA384 message digest. 2633 * 2634 * Parameters: 2635 * context: [in/out] 2636 * The context to reset. 2637 * 2638 * Returns: 2639 * sha Error Code. 2640 * 2641 */ 2642 int SHA384Reset(SHA384Context *context) 2643 { 2644 return SHA384_512Reset(context, SHA384_H0); 2645 } 2647 /* 2648 * SHA384Input 2649 * 2650 * Description: 2651 * This function accepts an array of octets as the next portion 2652 * of the message. 2653 * 2654 * Parameters: 2655 * context: [in/out] 2656 * The SHA context to update 2657 * message_array: [in] 2658 * An array of octets representing the next portion of 2659 * the message. 2660 * length: [in] 2661 * The length of the message in message_array 2662 * 2663 * Returns: 2664 * sha Error Code. 2665 * 2666 */ 2667 int SHA384Input(SHA384Context *context, 2668 const uint8_t *message_array, unsigned int length) 2669 { 2670 return SHA512Input(context, message_array, length); 2671 } 2673 /* 2674 * SHA384FinalBits 2675 * 2676 * Description: 2677 * This function will add in any final bits of the message. 2678 * 2679 * Parameters: 2680 * context: [in/out] 2681 * The SHA context to update 2682 * message_bits: [in] 2683 * The final bits of the message, in the upper portion of the 2684 * byte. (Use 0b###00000 instead of 0b00000### to input the 2685 * three bits ###.) 2686 * length: [in] 2687 * The number of bits in message_bits, between 1 and 7. 2688 * 2689 * Returns: 2690 * sha Error Code. 2691 * 2692 */ 2693 int SHA384FinalBits(SHA384Context *context, 2694 uint8_t message_bits, unsigned int length) 2695 { 2696 return SHA512FinalBits(context, message_bits, length); 2697 } 2699 /* 2700 * SHA384Result 2701 * 2702 * Description: 2703 * This function will return the 384-bit message digest 2704 * into the Message_Digest array provided by the caller. 2705 * NOTE: 2706 * The first octet of hash is stored in the element with index 0, 2707 * the last octet of hash in the element with index 47. 2708 * 2709 * Parameters: 2710 * context: [in/out] 2711 * The context to use to calculate the SHA hash. 2712 * Message_Digest: [out] 2713 * Where the digest is returned. 2714 * 2715 * Returns: 2716 * sha Error Code. 2717 * 2718 */ 2719 int SHA384Result(SHA384Context *context, 2720 uint8_t Message_Digest[SHA384HashSize]) 2721 { 2722 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2723 } 2725 /* 2726 * SHA512Reset 2727 * 2728 * Description: 2729 * This function will initialize the SHA512Context in preparation 2730 * for computing a new SHA512 message digest. 2731 * 2732 * Parameters: 2733 * context: [in/out] 2734 * The context to reset. 2735 * 2736 * Returns: 2737 * sha Error Code. 2738 * 2739 */ 2740 int SHA512Reset(SHA512Context *context) 2741 { 2742 return SHA384_512Reset(context, SHA512_H0); 2743 } 2745 /* 2746 * SHA512Input 2747 * 2748 * Description: 2749 * This function accepts an array of octets as the next portion 2750 * of the message. 2751 * 2752 * Parameters: 2753 * context: [in/out] 2754 * The SHA context to update 2755 * message_array: [in] 2756 * An array of octets representing the next portion of 2757 * the message. 2758 * length: [in] 2759 * The length of the message in message_array 2760 * 2761 * Returns: 2762 * sha Error Code. 2763 * 2764 */ 2765 int SHA512Input(SHA512Context *context, 2766 const uint8_t *message_array, 2767 unsigned int length) 2768 { 2769 if (!length) 2770 return shaSuccess; 2772 if (!context || !message_array) 2773 return shaNull; 2775 if (context->Computed) 2776 return context->Corrupted = shaStateError; 2778 if (context->Corrupted) 2779 return context->Corrupted; 2781 while (length-- && !context->Corrupted) { 2782 context->Message_Block[context->Message_Block_Index++] = 2783 (*message_array & 0xFF); 2785 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2786 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2787 SHA384_512ProcessMessageBlock(context); 2789 message_array++; 2790 } 2792 return context->Corrupted; 2793 } 2795 /* 2796 * SHA512FinalBits 2797 * 2798 * Description: 2799 * This function will add in any final bits of the message. 2800 * 2801 * Parameters: 2802 * context: [in/out] 2803 * The SHA context to update 2804 * message_bits: [in] 2805 * The final bits of the message, in the upper portion of the 2806 * byte. (Use 0b###00000 instead of 0b00000### to input the 2807 * three bits ###.) 2808 * length: [in] 2809 * The number of bits in message_bits, between 1 and 7. 2810 * 2811 * Returns: 2812 * sha Error Code. 2813 * 2814 */ 2815 int SHA512FinalBits(SHA512Context *context, 2816 uint8_t message_bits, unsigned int length) 2817 { 2818 uint8_t masks[8] = { 2819 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2820 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2821 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2822 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2823 }; 2824 uint8_t markbit[8] = { 2825 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2826 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2827 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2828 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2829 }; 2831 if (!length) 2832 return shaSuccess; 2834 if (!context) 2835 return shaNull; 2837 if (context->Computed) 2838 return context->Corrupted = shaStateError; 2840 if ((length >= 8) || (length == 0)) 2841 return context->Corrupted = shaBadParam; 2843 if (context->Corrupted) 2844 return context->Corrupted; 2846 SHA384_512AddLength(context, length); 2847 SHA384_512Finalize(context, (uint8_t) 2848 ((message_bits & masks[length]) | markbit[length])); 2850 return context->Corrupted; 2851 } 2853 /* 2854 * SHA384_512Finalize 2855 * 2856 * Description: 2857 * This helper function finishes off the digest calculations. 2858 * 2859 * Parameters: 2860 * context: [in/out] 2861 * The SHA context to update 2862 * Pad_Byte: [in] 2863 * The last byte to add to the digest before the 0-padding 2864 * and length. This will contain the last bits of the message 2865 * followed by another single bit. If the message was an 2866 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2867 * 2868 * Returns: 2869 * sha Error Code. 2870 * 2871 */ 2872 static void SHA384_512Finalize(SHA512Context *context, 2873 uint8_t Pad_Byte) 2874 { 2875 int_least16_t i; 2876 SHA384_512PadMessage(context, Pad_Byte); 2877 /* message may be sensitive, clear it out */ 2878 for (i = 0; i < SHA512_Message_Block_Size; ++i) 2879 context->Message_Block[i] = 0; 2880 #ifdef USE_32BIT_ONLY /* and clear length */ 2881 context->Length[0] = context->Length[1] = 0; 2882 context->Length[2] = context->Length[3] = 0; 2883 #else /* !USE_32BIT_ONLY */ 2884 context->Length_Low = 0; 2885 context->Length_High = 0; 2886 #endif /* USE_32BIT_ONLY */ 2887 context->Computed = 1; 2888 } 2890 /* 2891 * SHA512Result 2892 * 2893 * Description: 2894 * This function will return the 512-bit message digest 2895 * into the Message_Digest array provided by the caller. 2896 * NOTE: 2897 * The first octet of hash is stored in the element with index 0, 2898 * the last octet of hash in the element with index 63. 2899 * 2900 * Parameters: 2901 * context: [in/out] 2902 * The context to use to calculate the SHA hash. 2903 * Message_Digest: [out] 2904 * Where the digest is returned. 2905 * 2906 * Returns: 2907 * sha Error Code. 2908 * 2909 */ 2910 int SHA512Result(SHA512Context *context, 2911 uint8_t Message_Digest[SHA512HashSize]) 2912 { 2913 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2914 } 2916 /* 2917 * SHA384_512PadMessage 2918 * 2919 * Description: 2920 * According to the standard, the message must be padded to the next 2921 * even multiple of 1024 bits. The first padding bit must be a '1'. 2922 * The last 128 bits represent the length of the original message. 2923 * All bits in between should be 0. This helper function will 2924 * pad the message according to those rules by filling the 2925 * Message_Block array accordingly. When it returns, it can be 2926 * assumed that the message digest has been computed. 2927 * 2928 * Parameters: 2929 * context: [in/out] 2930 * The context to pad 2931 * Pad_Byte: [in] 2932 * The last byte to add to the digest before the 0-padding 2933 * and length. This will contain the last bits of the message 2934 * followed by another single bit. If the message was an 2935 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2936 * 2937 * Returns: 2938 * Nothing. 2939 * 2940 */ 2941 static void SHA384_512PadMessage(SHA512Context *context, 2942 uint8_t Pad_Byte) 2943 { 2944 /* 2945 * Check to see if the current message block is too small to hold 2946 * the initial padding bits and length. If so, we will pad the 2947 * block, process it, and then continue padding into a second 2948 * block. 2949 */ 2950 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 2951 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2952 while (context->Message_Block_Index < SHA512_Message_Block_Size) 2953 context->Message_Block[context->Message_Block_Index++] = 0; 2955 SHA384_512ProcessMessageBlock(context); 2956 } else 2957 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2959 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 2960 context->Message_Block[context->Message_Block_Index++] = 0; 2962 /* 2963 * Store the message length as the last 16 octets 2964 */ 2965 #ifdef USE_32BIT_ONLY 2966 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 2967 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 2968 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 2969 context->Message_Block[115] = (uint8_t)(context->Length[0]); 2970 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 2971 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 2972 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 2973 context->Message_Block[119] = (uint8_t)(context->Length[1]); 2975 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 2976 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 2977 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 2978 context->Message_Block[123] = (uint8_t)(context->Length[2]); 2979 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 2980 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 2981 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 2982 context->Message_Block[127] = (uint8_t)(context->Length[3]); 2983 #else /* !USE_32BIT_ONLY */ 2984 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 2985 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 2986 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 2987 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 2988 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 2989 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 2990 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 2991 context->Message_Block[119] = (uint8_t)(context->Length_High); 2993 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 2994 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 2995 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 2996 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 2997 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 2998 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 2999 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3000 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3001 #endif /* USE_32BIT_ONLY */ 3003 SHA384_512ProcessMessageBlock(context); 3004 } 3006 /* 3007 * SHA384_512ProcessMessageBlock 3008 * 3009 * Description: 3010 * This helper function will process the next 1024 bits of the 3011 * message stored in the Message_Block array. 3013 * 3014 * Parameters: 3015 * context: [in/out] 3016 * The SHA context to update 3017 * 3018 * Returns: 3019 * Nothing. 3020 * 3021 * Comments: 3022 * Many of the variable names in this code, especially the 3023 * single character names, were used because those were the 3024 * names used in the publication. 3025 * 3026 * 3027 */ 3028 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 3029 { 3030 /* Constants defined in FIPS-180-2, section 4.2.3 */ 3031 #ifdef USE_32BIT_ONLY 3032 static const uint32_t K[80*2] = { 3033 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 3034 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 3035 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 3036 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 3037 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 3038 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 3039 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 3040 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 3041 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 3042 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 3043 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 3044 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 3045 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 3046 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 3047 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 3048 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 3049 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 3050 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 3051 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 3052 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 3053 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 3054 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 3055 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 3056 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 3057 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 3058 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3059 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3060 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3061 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3062 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3063 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3064 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3065 }; 3066 int t, t2, t8; /* Loop counter */ 3067 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3068 temp3[2], temp4[2], temp5[2]; 3069 uint32_t W[2*80]; /* Word sequence */ 3070 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3071 E[2], F[2], G[2], H[2]; 3073 /* Initialize the first 16 words in the array W */ 3074 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3075 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3076 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3077 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3078 ((((uint32_t)context->Message_Block[t8 + 3]))); 3079 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3080 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3081 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3082 ((((uint32_t)context->Message_Block[t8 + 7]))); 3083 } 3085 for (t = 16; t < 80; t++, t2 += 2) { 3086 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3087 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3088 uint32_t *Wt2 = &W[t2-2*2]; 3089 uint32_t *Wt7 = &W[t2-7*2]; 3090 uint32_t *Wt15 = &W[t2-15*2]; 3091 uint32_t *Wt16 = &W[t2-16*2]; 3092 SHA512_sigma1(Wt2, temp1); 3093 SHA512_ADD(temp1, Wt7, temp2); 3094 SHA512_sigma0(Wt15, temp1); 3095 SHA512_ADD(temp1, Wt16, temp3); 3096 SHA512_ADD(temp2, temp3, &W[t2]); 3097 } 3099 A[0] = context->Intermediate_Hash[0]; 3100 A[1] = context->Intermediate_Hash[1]; 3101 B[0] = context->Intermediate_Hash[2]; 3102 B[1] = context->Intermediate_Hash[3]; 3103 C[0] = context->Intermediate_Hash[4]; 3104 C[1] = context->Intermediate_Hash[5]; 3105 D[0] = context->Intermediate_Hash[6]; 3106 D[1] = context->Intermediate_Hash[7]; 3107 E[0] = context->Intermediate_Hash[8]; 3108 E[1] = context->Intermediate_Hash[9]; 3109 F[0] = context->Intermediate_Hash[10]; 3110 F[1] = context->Intermediate_Hash[11]; 3111 G[0] = context->Intermediate_Hash[12]; 3112 G[1] = context->Intermediate_Hash[13]; 3113 H[0] = context->Intermediate_Hash[14]; 3114 H[1] = context->Intermediate_Hash[15]; 3116 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3117 /* 3118 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3119 */ 3120 SHA512_SIGMA1(E,temp1); 3121 SHA512_ADD(H, temp1, temp2); 3122 SHA_Ch(E,F,G,temp3); 3123 SHA512_ADD(temp2, temp3, temp4); 3124 SHA512_ADD(&K[t2], &W[t2], temp5); 3125 SHA512_ADD(temp4, temp5, temp1); 3126 /* 3127 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3128 */ 3129 SHA512_SIGMA0(A,temp3); 3130 SHA_Maj(A,B,C,temp4); 3131 SHA512_ADD(temp3, temp4, temp2); 3132 H[0] = G[0]; H[1] = G[1]; 3133 G[0] = F[0]; G[1] = F[1]; 3134 F[0] = E[0]; F[1] = E[1]; 3135 SHA512_ADD(D, temp1, E); 3136 D[0] = C[0]; D[1] = C[1]; 3137 C[0] = B[0]; C[1] = B[1]; 3138 B[0] = A[0]; B[1] = A[1]; 3139 SHA512_ADD(temp1, temp2, A); 3140 } 3142 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3143 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3144 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3145 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3146 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3147 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3148 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3149 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3151 #else /* !USE_32BIT_ONLY */ 3152 static const uint64_t K[80] = { 3153 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3154 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3155 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3156 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3157 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3158 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3159 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3160 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3161 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3162 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3163 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3164 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3165 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3166 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3167 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3168 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3169 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3170 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3171 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3172 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3173 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3174 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3175 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3176 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3177 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3178 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3179 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3180 }; 3181 int t, t8; /* Loop counter */ 3182 uint64_t temp1, temp2; /* Temporary word value */ 3183 uint64_t W[80]; /* Word sequence */ 3184 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3186 /* 3187 * Initialize the first 16 words in the array W 3188 */ 3189 for (t = t8 = 0; t < 16; t++, t8 += 8) 3190 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3191 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3192 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3193 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3194 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3195 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3196 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3197 ((uint64_t)(context->Message_Block[t8 + 7])); 3199 for (t = 16; t < 80; t++) 3200 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3201 SHA512_sigma0(W[t-15]) + W[t-16]; 3203 A = context->Intermediate_Hash[0]; 3204 B = context->Intermediate_Hash[1]; 3205 C = context->Intermediate_Hash[2]; 3206 D = context->Intermediate_Hash[3]; 3207 E = context->Intermediate_Hash[4]; 3208 F = context->Intermediate_Hash[5]; 3209 G = context->Intermediate_Hash[6]; 3210 H = context->Intermediate_Hash[7]; 3212 for (t = 0; t < 80; t++) { 3213 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3214 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3215 H = G; 3216 G = F; 3217 F = E; 3218 E = D + temp1; 3219 D = C; 3220 C = B; 3221 B = A; 3222 A = temp1 + temp2; 3223 } 3225 context->Intermediate_Hash[0] += A; 3226 context->Intermediate_Hash[1] += B; 3227 context->Intermediate_Hash[2] += C; 3228 context->Intermediate_Hash[3] += D; 3229 context->Intermediate_Hash[4] += E; 3230 context->Intermediate_Hash[5] += F; 3231 context->Intermediate_Hash[6] += G; 3232 context->Intermediate_Hash[7] += H; 3233 #endif /* USE_32BIT_ONLY */ 3235 context->Message_Block_Index = 0; 3236 } 3238 /* 3239 * SHA384_512Reset 3240 * 3241 * Description: 3242 * This helper function will initialize the SHA512Context in 3243 * preparation for computing a new SHA384 or SHA512 message 3244 * digest. 3245 * 3246 * Parameters: 3247 * context: [in/out] 3248 * The context to reset. 3249 * H0 3250 * The initial hash value to use. 3251 * 3252 * Returns: 3253 * sha Error Code. 3254 * 3255 */ 3256 #ifdef USE_32BIT_ONLY 3257 static int SHA384_512Reset(SHA512Context *context, 3258 uint32_t H0[SHA512HashSize/4]) 3259 #else /* !USE_32BIT_ONLY */ 3260 static int SHA384_512Reset(SHA512Context *context, 3261 uint64_t H0[SHA512HashSize/8]) 3262 #endif /* USE_32BIT_ONLY */ 3263 { 3264 int i; 3265 if (!context) 3266 return shaNull; 3268 context->Message_Block_Index = 0; 3270 #ifdef USE_32BIT_ONLY 3271 context->Length[0] = context->Length[1] = 3272 context->Length[2] = context->Length[3] = 0; 3274 for (i = 0; i < SHA512HashSize/4; i++) 3275 context->Intermediate_Hash[i] = H0[i]; 3276 #else /* !USE_32BIT_ONLY */ 3277 context->Length_High = context->Length_Low = 0; 3279 for (i = 0; i < SHA512HashSize/8; i++) 3280 context->Intermediate_Hash[i] = H0[i]; 3281 #endif /* USE_32BIT_ONLY */ 3283 context->Computed = 0; 3284 context->Corrupted = 0; 3286 return shaSuccess; 3287 } 3289 /* 3290 * SHA384_512ResultN 3291 * 3292 * Description: 3293 * This helper function will return the 384-bit or 512-bit message 3294 * digest into the Message_Digest array provided by the caller. 3295 * NOTE: 3296 * The first octet of hash is stored in the element with index 0, 3297 * the last octet of hash in the element with index 47/63. 3298 * 3299 * Parameters: 3300 * context: [in/out] 3301 * The context to use to calculate the SHA hash. 3302 * Message_Digest: [out] 3303 * Where the digest is returned. 3304 * HashSize: [in] 3305 * The size of the hash, either 48 or 64. 3306 * 3307 * Returns: 3308 * sha Error Code. 3309 * 3310 */ 3311 static int SHA384_512ResultN(SHA512Context *context, 3312 uint8_t Message_Digest[ ], int HashSize) 3314 { 3315 int i; 3316 #ifdef USE_32BIT_ONLY 3317 int i2; 3318 #endif /* USE_32BIT_ONLY */ 3320 if (!context || !Message_Digest) 3321 return shaNull; 3323 if (context->Corrupted) 3324 return context->Corrupted; 3326 if (!context->Computed) 3327 SHA384_512Finalize(context, 0x80); 3329 #ifdef USE_32BIT_ONLY 3330 for (i = i2 = 0; i < HashSize; ) { 3331 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3332 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3333 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3334 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3335 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3336 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3337 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3338 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3339 } 3340 #else /* !USE_32BIT_ONLY */ 3341 for (i = 0; i < HashSize; ++i) 3342 Message_Digest[i] = (uint8_t) 3343 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3344 #endif /* USE_32BIT_ONLY */ 3346 return shaSuccess; 3347 } 3349 8.2.4 usha.c 3351 /**************************** usha.c ***************************/ 3352 /***************** See RFC NNNN for details. *******************/ 3353 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3354 /* authors of the code. All rights reserved. */ 3355 /* See sha.h for terms of use and redistribution. */ 3357 /* 3358 * Description: 3359 * This file implements a unified interface to the SHA algorithms. 3360 */ 3362 #include "sha.h" 3364 /* 3365 * USHAReset 3366 * 3367 * Description: 3368 * This function will initialize the SHA Context in preparation 3369 * for computing a new SHA message digest. 3370 * 3371 * Parameters: 3372 * context: [in/out] 3373 * The context to reset. 3374 * whichSha: [in] 3375 * Selects which SHA reset to call 3376 * 3377 * Returns: 3378 * sha Error Code. 3379 * 3380 */ 3381 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3382 { 3383 if (context) { 3384 context->whichSha = whichSha; 3385 switch (whichSha) { 3386 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3387 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3388 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3389 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3390 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3391 default: return shaBadParam; 3392 } 3393 } else { 3394 return shaNull; 3395 } 3396 } 3398 /* 3399 * USHAInput 3400 * 3401 * Description: 3402 * This function accepts an array of octets as the next portion 3403 * of the message. 3404 * 3405 * Parameters: 3406 * context: [in/out] 3407 * The SHA context to update 3408 * message_array: [in] 3409 * An array of octets representing the next portion of 3410 * the message. 3411 * length: [in] 3412 * The length of the message in message_array 3413 * 3414 * Returns: 3415 * sha Error Code. 3416 * 3417 */ 3418 int USHAInput(USHAContext *context, 3419 const uint8_t *bytes, unsigned int bytecount) 3420 { 3421 if (context) { 3422 switch (context->whichSha) { 3423 case SHA1: 3424 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3425 bytecount); 3426 case SHA224: 3427 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3428 bytecount); 3429 case SHA256: 3430 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3431 bytecount); 3432 case SHA384: 3433 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3434 bytecount); 3435 case SHA512: 3436 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3437 bytecount); 3438 default: return shaBadParam; 3439 } 3440 } else { 3441 return shaNull; 3442 } 3443 } 3445 /* 3446 * USHAFinalBits 3447 * 3448 * Description: 3449 * This function will add in any final bits of the message. 3450 * 3451 * Parameters: 3452 * context: [in/out] 3453 * The SHA context to update 3454 * message_bits: [in] 3455 * The final bits of the message, in the upper portion of the 3456 * byte. (Use 0b###00000 instead of 0b00000### to input the 3457 * three bits ###.) 3458 * length: [in] 3459 * The number of bits in message_bits, between 1 and 7. 3460 * 3461 * Returns: 3463 * sha Error Code. 3464 */ 3465 int USHAFinalBits(USHAContext *context, 3466 uint8_t bits, unsigned int bit_count) 3467 { 3468 if (context) { 3469 switch (context->whichSha) { 3470 case SHA1: 3471 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3472 bit_count); 3473 case SHA224: 3474 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3475 bit_count); 3476 case SHA256: 3477 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3478 bit_count); 3479 case SHA384: 3480 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3481 bit_count); 3482 case SHA512: 3483 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3484 bit_count); 3485 default: return shaBadParam; 3486 } 3487 } else { 3488 return shaNull; 3489 } 3490 } 3492 /* 3493 * USHAResult 3494 * 3495 * Description: 3496 * This function will return the message digest of the appropriate 3497 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3498 * 'whichSHA' value used in the preceeding call to USHAReset, 3499 * into the Message_Digest array provided by the caller. 3500 * 3501 * Parameters: 3502 * context: [in/out] 3503 * The context to use to calculate the SHA-1 hash. 3504 * Message_Digest: [out] 3505 * Where the digest is returned. 3506 * 3507 * Returns: 3508 * sha Error Code. 3509 * 3510 */ 3511 int USHAResult(USHAContext *context, 3512 uint8_t Message_Digest[USHAMaxHashSize]) 3514 { 3515 if (context) { 3516 switch (context->whichSha) { 3517 case SHA1: 3518 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3519 case SHA224: 3520 return SHA224Result((SHA224Context*)&context->ctx, 3521 Message_Digest); 3522 case SHA256: 3523 return SHA256Result((SHA256Context*)&context->ctx, 3524 Message_Digest); 3525 case SHA384: 3526 return SHA384Result((SHA384Context*)&context->ctx, 3527 Message_Digest); 3528 case SHA512: 3529 return SHA512Result((SHA512Context*)&context->ctx, 3530 Message_Digest); 3531 default: return shaBadParam; 3532 } 3533 } else { 3534 return shaNull; 3535 } 3536 } 3538 /* 3539 * USHABlockSize 3540 * 3541 * Description: 3542 * This function will return the blocksize for the given SHA 3543 * algorithm. 3544 * 3545 * Parameters: 3546 * whichSha: 3547 * which SHA algorithm to query 3548 * 3549 * Returns: 3550 * block size 3551 * 3552 */ 3553 int USHABlockSize(enum SHAversion whichSha) 3554 { 3555 switch (whichSha) { 3556 case SHA1: return SHA1_Message_Block_Size; 3557 case SHA224: return SHA224_Message_Block_Size; 3558 case SHA256: return SHA256_Message_Block_Size; 3559 case SHA384: return SHA384_Message_Block_Size; 3560 default: 3561 case SHA512: return SHA512_Message_Block_Size; 3562 } 3563 } 3564 /* 3565 * USHAHashSize 3566 * 3567 * Description: 3568 * This function will return the hashsize for the given SHA 3569 * algorithm. 3570 * 3571 * Parameters: 3572 * whichSha: 3573 * which SHA algorithm to query 3574 * 3575 * Returns: 3576 * hash size 3577 * 3578 */ 3579 int USHAHashSize(enum SHAversion whichSha) 3580 { 3581 switch (whichSha) { 3582 case SHA1: return SHA1HashSize; 3583 case SHA224: return SHA224HashSize; 3584 case SHA256: return SHA256HashSize; 3585 case SHA384: return SHA384HashSize; 3586 default: 3587 case SHA512: return SHA512HashSize; 3588 } 3589 } 3591 /* 3592 * USHAHashSizeBits 3593 * 3594 * Description: 3595 * This function will return the hashsize for the given SHA 3596 * algorithm, expressed in bits. 3597 * 3598 * Parameters: 3599 * whichSha: 3600 * which SHA algorithm to query 3601 * 3602 * Returns: 3603 * hash size in bits 3604 * 3605 */ 3606 int USHAHashSizeBits(enum SHAversion whichSha) 3607 { 3608 switch (whichSha) { 3609 case SHA1: return SHA1HashSizeBits; 3610 case SHA224: return SHA224HashSizeBits; 3611 case SHA256: return SHA256HashSizeBits; 3612 case SHA384: return SHA384HashSizeBits; 3613 default: 3615 case SHA512: return SHA512HashSizeBits; 3616 } 3617 } 3619 /* 3620 * USHAHashName 3621 * 3622 * Description: 3623 * This function will return the name of the given SHA algorithm 3624 * as a string. 3625 * 3626 * Parameters: 3627 * whichSha: 3628 * which SHA algorithm to query 3629 * 3630 * Returns: 3631 * character string with the name in it 3632 * 3633 */ 3634 const char *USHAHashName(enum SHAversion whichSha) 3635 { 3636 switch (whichSha) { 3637 case SHA1: return "SHA1"; 3638 case SHA224: return "SHA224"; 3639 case SHA256: return "SHA256"; 3640 case SHA384: return "SHA384"; 3641 default: 3642 case SHA512: return "SHA512"; 3643 } 3644 } 3646 8.2.5 sha-private.h 3648 /************************ sha-private.h ************************/ 3649 /***************** See RFC NNNN for details. *******************/ 3650 #ifndef _SHA_PRIVATE__H 3651 #define _SHA_PRIVATE__H 3652 /* 3653 * These definitions are defined in FIPS-180-2, section 4.1. 3654 * Ch() and Maj() are defined identically in sections 4.1.1, 3655 * 4.1.2 and 4.1.3. 3656 * 3657 * The definitions used in FIPS-180-2 are as follows: 3658 */ 3660 #ifndef USE_MODIFIED_MACROS 3661 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 3662 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 3663 #else /* USE_MODIFIED_MACROS */ 3664 /* 3665 * The following definitions are equivalent and potentially faster. 3666 */ 3668 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 3669 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 3671 #endif /* USE_MODIFIED_MACROS */ 3673 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 3675 #endif /* _SHA_PRIVATE__H */ 3677 8.3 The HMAC Code 3679 /**************************** hmac.c ***************************/ 3680 /***************** See RFC NNNN for details. *******************/ 3681 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3682 /* authors of the code. All rights reserved. */ 3683 /* See sha.h for terms of use and redistribution. */ 3685 /* 3686 * Description: 3687 * This file implements the HMAC algorithm (Keyed-Hashing for 3688 * Message Authentication, [RFC2104]), expressed in terms of the 3689 * various SHA algorithms. 3690 */ 3692 #include "sha.h" 3694 /* 3695 * hmac 3696 * 3697 * Description: 3698 * This function will compute an HMAC message digest. 3699 * 3700 * Parameters: 3701 * whichSha: [in] 3702 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3703 * key: [in] 3704 * The secret shared key. 3705 * key_len: [in] 3706 * The length of the secret shared key. 3707 * message_array: [in] 3708 * An array of octets representing the message. 3709 * Note: in RFC 2109, this parameter is known 3710 * as 'text'. 3712 * length: [in] 3713 * The length of the message in message_array. 3714 * digest: [out] 3715 * Where the digest is returned. 3716 * NOTE: The length of the digest is determined by 3717 * the value of whichSha. 3718 * 3719 * Returns: 3720 * sha Error Code. 3721 * 3722 */ 3723 int hmac(SHAversion whichSha, 3724 const unsigned char *message_array, int length, 3725 const unsigned char *key, int key_len, 3726 uint8_t digest[USHAMaxHashSize]) 3727 { 3728 HMACContext context; 3729 return hmacReset(&context, whichSha, key, key_len) || 3730 hmacInput(&context, message_array, length) || 3731 hmacResult(&context, digest); 3732 } 3734 /* 3735 * hmacReset 3736 * 3737 * Description: 3738 * This function will initialize the hmacContext in preparation 3739 * for computing a new HMAC message digest. 3740 * 3741 * Parameters: 3742 * context: [in/out] 3743 * The context to reset. 3744 * whichSha: [in] 3745 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3746 * key: [in] 3747 * The secret shared key. 3748 * key_len: [in] 3749 * The length of the secret shared key. 3750 * 3751 * Returns: 3752 * sha Error Code. 3753 * 3754 */ 3755 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3756 const unsigned char *key, int key_len) 3757 { 3758 int i, blocksize, hashsize, ret; 3760 /* inner padding - key XORd with ipad */ 3761 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3762 /* temporary buffer when keylen > blocksize */ 3763 unsigned char tempkey[USHAMaxHashSize]; 3765 if (!context) return shaNull; 3766 context->Computed = 0; 3767 context->Corrupted = shaSuccess; 3769 blocksize = context->blockSize = USHABlockSize(whichSha); 3770 hashsize = context->hashSize = USHAHashSize(whichSha); 3772 context->whichSha = whichSha; 3774 /* 3775 * If key is longer than the hash blocksize, 3776 * reset it to key = HASH(key). 3777 */ 3778 if (key_len > blocksize) { 3779 USHAContext tcontext; 3780 int err = USHAReset(&tcontext, whichSha) || 3781 USHAInput(&tcontext, key, key_len) || 3782 USHAResult(&tcontext, tempkey); 3783 if (err != shaSuccess) return err; 3785 key = tempkey; 3786 key_len = hashsize; 3787 } 3789 /* 3790 * The HMAC transform looks like: 3791 * 3792 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3793 * 3794 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3795 * ipad is the byte 0x36 repeated blocksize times, 3796 * opad is the byte 0x5c repeated blocksize times, 3797 * and text is the data being protected. 3798 */ 3800 /* store key into the pads, XOR'd with ipad and opad values */ 3801 for (i = 0; i < key_len; i++) { 3802 k_ipad[i] = key[i] ^ 0x36; 3803 context->k_opad[i] = key[i] ^ 0x5c; 3804 } 3805 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3806 for ( ; i < blocksize; i++) { 3807 k_ipad[i] = 0x36; 3808 context->k_opad[i] = 0x5c; 3809 } 3811 /* perform inner hash */ 3812 /* init context for 1st pass */ 3813 ret = USHAReset(&context->shaContext, whichSha) || 3814 /* and start with inner pad */ 3815 USHAInput(&context->shaContext, k_ipad, blocksize); 3816 return context->Corrupted = ret; 3817 } 3819 /* 3820 * hmacInput 3821 * 3822 * Description: 3823 * This function accepts an array of octets as the next portion 3824 * of the message. It may be called multiple times. 3825 * 3826 * Parameters: 3827 * context: [in/out] 3828 * The HMAC context to update 3829 * message_array: [in] 3830 * An array of octets representing the next portion of 3831 * the message. 3832 * length: [in] 3833 * The length of the message in message_array 3834 * 3835 * Returns: 3836 * sha Error Code. 3837 * 3838 */ 3839 int hmacInput(HMACContext *context, const unsigned char *text, 3840 int text_len) 3841 { 3842 if (!context) return shaNull; 3843 if (context->Corrupted) return context->Corrupted; 3844 if (context->Computed) return context->Corrupted = shaStateError; 3845 /* then text of datagram */ 3846 return context->Corrupted = 3847 USHAInput(&context->shaContext, text, text_len); 3848 } 3850 /* 3851 * hmacFinalBits 3852 * 3853 * Description: 3854 * This function will add in any final bits of the message. 3855 * 3856 * Parameters: 3857 * context: [in/out] 3858 * The HMAC context to update 3859 * message_bits: [in] 3860 * The final bits of the message, in the upper portion of the 3861 * byte. (Use 0b###00000 instead of 0b00000### to input the 3862 * three bits ###.) 3863 * length: [in] 3864 * The number of bits in message_bits, between 1 and 7. 3865 * 3866 * Returns: 3867 * sha Error Code. 3868 */ 3869 int hmacFinalBits(HMACContext *context, 3870 uint8_t bits, unsigned int bit_count) 3871 { 3872 if (!context) return shaNull; 3873 if (context->Corrupted) return context->Corrupted; 3874 if (context->Computed) return context->Corrupted = shaStateError; 3875 /* then final bits of datagram */ 3876 return context->Corrupted = 3877 USHAFinalBits(&context->shaContext, bits, bit_count); 3878 } 3880 /* 3881 * hmacResult 3882 * 3883 * Description: 3884 * This function will return the N-byte message digest into the 3885 * Message_Digest array provided by the caller. 3886 * 3887 * Parameters: 3888 * context: [in/out] 3889 * The context to use to calculate the HMAC hash. 3890 * digest: [out] 3891 * Where the digest is returned. 3892 * NOTE 2: The length of the hash is determined by the value of 3893 * whichSha that was passed to hmacReset(). 3894 * 3895 * Returns: 3896 * sha Error Code. 3897 * 3898 */ 3899 int hmacResult(HMACContext *context, uint8_t *digest) 3900 { 3901 int ret; 3902 if (!context) return shaNull; 3903 if (context->Corrupted) return context->Corrupted; 3904 if (context->Computed) return context->Corrupted = shaStateError; 3906 /* finish up 1st pass */ 3907 /* (Use digest here as a temporary buffer.) */ 3908 ret = 3909 USHAResult(&context->shaContext, digest) || 3911 /* perform outer SHA */ 3912 /* init context for 2nd pass */ 3913 USHAReset(&context->shaContext, context->whichSha) || 3915 /* start with outer pad */ 3916 USHAInput(&context->shaContext, context->k_opad, 3917 context->blockSize) || 3919 /* then results of 1st hash */ 3920 USHAInput(&context->shaContext, digest, context->hashSize) || 3922 /* finish up 2nd pass */ 3923 USHAResult(&context->shaContext, digest); 3925 context->Computed = 1; 3926 return context->Corrupted = ret; 3927 } 3929 8.4 The HKDF Code 3931 /**************************** hkdf.c ***************************/ 3932 /***************** See RFC NNNN for details. *******************/ 3933 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3934 /* authors of the code. All rights reserved. */ 3935 /* See sha.h for terms of use and redistribution. */ 3937 /* 3938 * Description: 3939 * This file implements the HKDF algorithm (HMAC-based 3940 * Extract-and-Expand Key Derivation Function, RFChkdf), 3941 * expressed in terms of the various SHA algorithms. 3942 */ 3944 #include "sha.h" 3945 #include 3946 #include 3948 /* 3949 * hkdf 3950 * 3951 * Description: 3952 * This function will compute an HKDF message digest. 3953 * 3954 * Parameters: 3955 * whichSha: [in] 3956 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3957 * salt: [in] 3958 * The optional salt value (a non-secret random value); 3959 * if not provided (salt == NULL), it is set internally 3960 * to a string of HashLen(whichSha) zeros. 3961 * salt_len: [in] 3962 * The length of the salt value. (Ignored if salt == NULL.) 3963 * ikm: [in] 3964 * Input keying material. 3965 * ikm_len: [in] 3966 * The length of the input keying material. 3967 * info: [in] 3968 * The optional context and application specific information. 3969 * If info == NULL or a zero-length string, it is ignored. 3970 * info_len: [in] 3971 * The length of the optional context and application specific 3972 * information. (Ignored if info == NULL.) 3973 * okm: [out] 3974 * Where the HKDF is to be stored. 3975 * okm_len: [in] 3976 * The length of the buffer to hold okm. 3977 * okm_len must be <= 255 * USHABlockSize(whichSha) 3978 * 3979 * Notes: 3980 * Calls hkdfExtract() and hkdfExpand(). 3981 * 3982 * Returns: 3983 * sha Error Code. 3984 * 3985 */ 3986 int hkdf(SHAversion whichSha, 3987 const unsigned char *salt, int salt_len, 3988 const unsigned char *ikm, int ikm_len, 3989 const unsigned char *info, int info_len, 3990 uint8_t okm[ ], int okm_len) 3991 { 3992 uint8_t prk[USHAMaxHashSize]; 3993 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 3994 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 3995 info_len, okm, okm_len); 3996 } 3998 /* 3999 * hkdfExtract 4000 * 4001 * Description: 4002 * This function will perform HKDF extraction. 4003 * 4004 * Parameters: 4005 * whichSha: [in] 4006 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4007 * salt: [in] 4008 * The optional salt value (a non-secret random value); 4009 * if not provided (salt == NULL), it is set internally 4010 * to a string of HashLen(whichSha) zeros. 4011 * salt_len: [in] 4012 * The length of the salt value. (Ignored if salt == NULL.) 4013 * ikm: [in] 4014 * Input keying material. 4015 * ikm_len: [in] 4016 * The length of the input keying material. 4017 * prk: [out] 4018 * Where the HKDF extraction is to be stored. 4019 * Must be larger than USHAHashSize(whichSha); 4020 * 4021 * Returns: 4022 * sha Error Code. 4023 * 4024 */ 4025 int hkdfExtract(SHAversion whichSha, 4026 const unsigned char *salt, int salt_len, 4027 const unsigned char *ikm, int ikm_len, 4028 uint8_t prk[USHAMaxHashSize]) 4029 { 4030 unsigned char nullSalt[USHAMaxHashSize]; 4031 if (salt == 0) { 4032 salt = nullSalt; 4033 salt_len = USHAHashSize(whichSha); 4034 memset(nullSalt, '\0', salt_len); 4035 } else if (salt_len < 0) { 4036 return shaBadParam; 4037 } 4038 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4039 } 4041 /* 4042 * hkdfExpand 4043 * 4044 * Description: 4045 * This function will perform HKDF expansion. 4046 * 4047 * Parameters: 4048 * whichSha: [in] 4049 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4050 * info: [in] 4051 * The optional context and application specific information. 4052 * If info == NULL or a zero-length string, it is ignored. 4053 * info_len: [in] 4054 * The length of the optional context and application specific 4055 * information. (Ignored if info == NULL.) 4056 * okm: [out] 4057 * Where the HKDF is to be stored. 4058 * okm_len: [in] 4059 * The length of the buffer to hold okm. 4061 * okm_len must be <= 255 * USHABlockSize(whichSha) 4062 * 4063 * Returns: 4064 * sha Error Code. 4065 * 4066 */ 4067 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4068 const unsigned char *info, int info_len, 4069 uint8_t okm[ ], int okm_len) 4070 { 4071 int hash_len, N; 4072 unsigned char T[USHAMaxHashSize]; 4073 int Tlen, where, i; 4075 if (info == 0) { 4076 info = ""; 4077 info_len = 0; 4078 } else if (info_len < 0) { 4079 return shaBadParam; 4080 } else if (prk_len < 0) { 4081 return shaBadParam; 4082 } else if (!okm) { 4083 return shaBadParam; 4084 } 4086 hash_len = USHAHashSize(whichSha); 4087 if (prk_len < hash_len) return shaBadParam; 4088 N = okm_len / hash_len; 4089 if ((okm_len % hash_len) != 0) N++; 4090 if (N > 255) return shaBadParam; 4092 Tlen = 0; 4093 where = 0; 4094 for (i = 1; i <= N; i++) { 4095 HMACContext context; 4096 unsigned char c = i; 4097 int ret = hmacReset(&context, whichSha, prk, hash_len) || 4098 hmacInput(&context, T, Tlen) || 4099 hmacInput(&context, info, info_len) || 4100 hmacInput(&context, &c, 1) || 4101 hmacResult(&context, T); 4102 if (ret != shaSuccess) return ret; 4103 memcpy(okm + where, T, 4104 (i != N) ? hash_len : (okm_len - where)); 4105 where += hash_len; 4106 Tlen = hash_len; 4107 } 4108 return shaSuccess; 4109 } 4110 /* 4111 * hkdfReset 4112 * 4113 * Description: 4114 * This function will initialize the hkdfContext in preparation 4115 * for computing a new HKDF message digest. It is used for 4116 * arbitrary length inputs. 4117 * 4118 * Parameters: 4119 * context: [in/out] 4120 * The context to reset. 4121 * whichSha: [in] 4122 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4123 * salt: [in] 4124 * The optional salt value (a non-secret random value); 4125 * if not provided (salt == NULL), it is set internally 4126 * to a string of HashLen(whichSha) zeros. 4127 * salt_len: [in] 4128 * The length of the salt value. (Ignored if salt == NULL.) 4129 * 4130 * Returns: 4131 * sha Error Code. 4132 * 4133 */ 4134 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4135 const unsigned char *salt, int salt_len) 4136 { 4137 unsigned char nullSalt[USHAMaxHashSize]; 4138 if (!context) return shaNull; 4140 context->whichSha = whichSha; 4141 context->hashSize = USHAHashSize(whichSha); 4142 if (salt == 0) { 4143 salt = nullSalt; 4144 salt_len = context->hashSize; 4145 memset(nullSalt, '\0', salt_len); 4146 } 4148 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4149 } 4151 /* 4152 * hkdfInput 4153 * 4154 * Description: 4155 * This function accepts an array of octets as the next portion 4156 * of the input keying material. It may be called multiple times. 4157 * 4158 * Parameters: 4159 * context: [in/out] 4160 * The HKDF context to update. 4161 * ikm: [in] 4162 * An array of octets representing the next portion of 4163 * the input keying material. 4164 * ikm_len: [in] 4165 * The length of ikm. 4166 * 4167 * Returns: 4168 * sha Error Code. 4169 * 4170 */ 4171 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4172 int ikm_len) 4173 { 4174 if (!context) return shaNull; 4175 if (context->Corrupted) return context->Corrupted; 4176 if (context->Computed) return context->Corrupted = shaStateError; 4177 return hmacInput(&context->hmacContext, ikm, ikm_len); 4178 } 4180 /* 4181 * hkdfFinalBits 4182 * 4183 * Description: 4184 * This function will add in any final bits of the 4185 * input keying material. 4186 * 4187 * Parameters: 4188 * context: [in/out] 4189 * The HKDF context to update 4190 * ikm_bits: [in] 4191 * The final bits of the input keying material, in the upper 4192 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4193 * to input the three bits ###.) 4194 * ikm_bit_count: [in] 4195 * The number of bits in message_bits, between 1 and 7. 4196 * 4197 * Returns: 4198 * sha Error Code. 4199 */ 4200 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4201 unsigned int ikm_bit_count) 4202 { 4203 if (!context) return shaNull; 4204 if (context->Corrupted) return context->Corrupted; 4205 if (context->Computed) return context->Corrupted = shaStateError; 4206 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4207 } 4209 /* 4210 * hkdfResult 4211 * 4212 * Description: 4213 * This function will finish the HKDF extraction and perform the 4214 * final HKDF expansion. 4215 * 4216 * Parameters: 4217 * context: [in/out] 4218 * The HKDF context to use to calculate the HKDF hash. 4219 * prk: [out] 4220 * An optional location to store the HKDF extraction. 4221 * Either NULL, or pointer to a buffer that must be 4222 * larger than USHAHashSize(whichSha); 4223 * info: [in] 4224 * The optional context and application specific information. 4225 * If info == NULL or a zero-length string, it is ignored. 4226 * info_len: [in] 4227 * The length of the optional context and application specific 4228 * information. (Ignored if info == NULL.) 4229 * okm: [out] 4230 * Where the HKDF is to be stored. 4231 * okm_len: [in] 4232 * The length of the buffer to hold okm. 4233 * okm_len must be <= 255 * USHABlockSize(whichSha) 4234 * 4235 * Returns: 4236 * sha Error Code. 4237 * 4238 */ 4239 int hkdfResult(HKDFContext *context, 4240 uint8_t prk[USHAMaxHashSize], 4241 const unsigned char *info, int info_len, 4242 uint8_t okm[ ], int okm_len) 4243 { 4244 uint8_t prkbuf[USHAMaxHashSize]; 4245 int ret; 4247 if (!context) return shaNull; 4248 if (context->Corrupted) return context->Corrupted; 4249 if (context->Computed) return context->Corrupted = shaStateError; 4250 if (!okm) return context->Corrupted = shaBadParam; 4251 if (!prk) prk = prkbuf; 4253 ret = hmacResult(&context->hmacContext, prk) || 4254 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4255 info_len, okm, okm_len); 4256 context->Computed = 1; 4257 return context->Corrupted = ret; 4258 } 4259 8.5 The Test Driver 4261 The following code is a main program test driver to exercise the code 4262 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4263 driver can also be used as a standalone program for generating the 4264 hashes. 4266 See also [SHAVS]. 4268 /************************** shatest.c **************************/ 4269 /***************** See RFC NNNN for details. *******************/ 4270 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4271 /* authors of the code. All rights reserved. */ 4272 /* See sha.h for terms of use and redistribution. */ 4274 /* 4275 * Description: 4276 * This file will exercise the SHA code performing 4277 * the three tests documented in FIPS PUB 180-2 4278 * (http://csrc.nist.gov/publications/fips/ 4279 * fips180-2/fips180-2withchangenotice.pdf) 4280 * one that calls SHAInput with an exact multiple of 512 bits 4281 * the seven tests documented for each algorithm in 4282 * "The Secure Hash Algorithm Validation System (SHAVS)" 4283 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4284 * three of which are bit-level tests 4285 * 4286 * This file will exercise the HMAC SHA1 code performing 4287 * the seven tests documented in RFCs [RFC2202] and [RFC4231]. 4288 * 4289 * This file will exercise the HKDF code performing 4290 * the six tests documented in RFChkdf. 4291 * 4292 * To run the tests and just see PASSED/FAILED, use the -p option. 4293 * 4294 * Other options exercise: 4295 * hashing an arbitrary string 4296 * hashing a file's contents 4297 * a few error test checks 4298 * printing the results in raw format 4299 * 4300 * Portability Issues: 4301 * None. 4302 * 4303 */ 4305 #include 4306 #include 4307 #include 4308 #include 4309 #include 4310 #include "sha.h" 4312 static int xgetopt(int argc, char **argv, const char *optstring); 4313 extern char *xoptarg; 4314 static int scasecmp(const char *s1, const char *s2); 4316 /* 4317 * Define patterns for testing 4318 */ 4319 #define TEST1 "abc" 4320 #define TEST2_1 \ 4321 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4322 #define TEST2_2a \ 4323 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4324 #define TEST2_2b \ 4325 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4326 #define TEST2_2 TEST2_2a TEST2_2b 4327 #define TEST3 "a" /* times 1000000 */ 4328 #define TEST4a "01234567012345670123456701234567" 4329 #define TEST4b "01234567012345670123456701234567" 4330 /* an exact multiple of 512 bits */ 4331 #define TEST4 TEST4a TEST4b /* times 10 */ 4333 #define TEST7_1 \ 4334 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4335 #define TEST8_1 \ 4336 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4337 #define TEST9_1 \ 4338 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4339 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4340 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4341 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4342 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4343 #define TEST10_1 \ 4344 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4345 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4346 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4347 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4348 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4349 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4350 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4351 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4352 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4353 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4354 "\xcd\xbb\xfb" 4355 #define TEST7_224 \ 4356 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4357 #define TEST8_224 \ 4358 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4360 #define TEST9_224 \ 4361 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4362 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4363 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4364 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4365 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4366 #define TEST10_224 \ 4367 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4368 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4369 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4370 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4371 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4372 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4373 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4374 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4375 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4376 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4377 "\x87\x82\x73" 4378 #define TEST7_256 \ 4379 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4380 #define TEST8_256 \ 4381 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4382 #define TEST9_256 \ 4383 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4384 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4385 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4386 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4387 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4388 #define TEST10_256 \ 4389 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4390 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4391 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4392 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4393 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4394 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4395 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4396 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4397 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4398 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4399 "\x3d\x54\xd6" 4400 #define TEST7_384 \ 4401 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4402 #define TEST8_384 \ 4403 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4404 #define TEST9_384 \ 4405 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4406 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4407 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4408 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4409 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4410 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4411 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4412 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4413 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4414 #define TEST10_384 \ 4415 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4416 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4417 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4418 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4419 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4420 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4421 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4422 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4423 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4424 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4425 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4426 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4427 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4428 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4429 "\x7e\xd0\x96" 4430 #define TEST7_512 \ 4431 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4432 #define TEST8_512 \ 4433 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4434 #define TEST9_512 \ 4435 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4436 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4437 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4438 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4439 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4440 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4441 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4442 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4443 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4444 #define TEST10_512 \ 4445 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4446 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4447 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4448 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4449 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4450 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4451 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4452 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4453 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4454 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4455 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4456 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4457 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4458 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4459 "\xfb\x40\xd2" 4461 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4462 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4463 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4464 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4465 "\x27" 4466 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4467 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4468 "\x27\x9c\x1c\xb0\xa7" 4469 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4470 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4471 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4472 "\xa4\x84\xbe\x74\x53" 4473 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4474 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4475 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4476 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4477 "\x4b\x12\x27\x20\x39" 4479 #define TESTCOUNT 10 4480 #define HASHCOUNT 5 4481 #define RANDOMCOUNT 4 4482 #define HMACTESTCOUNT 7 4483 #define HKDFTESTCOUNT 7 4485 #define PRINTNONE 0 4486 #define PRINTTEXT 1 4487 #define PRINTRAW 2 4488 #define PRINTHEX 3 4489 #define PRINTBASE64 4 4491 #define PRINTPASSFAIL 1 4492 #define PRINTFAIL 2 4494 #define length(x) (sizeof(x)-1) 4496 /* Test arrays for hashes. */ 4497 struct hash { 4498 const char *name; 4499 SHAversion whichSha; 4500 int hashsize; 4501 struct { 4502 const char *testarray; 4503 int length; 4504 long repeatcount; 4505 int extrabits; 4506 int numberExtrabits; 4507 const char *resultarray; 4508 } tests[TESTCOUNT]; 4509 const char *randomtest; 4510 const char *randomresults[RANDOMCOUNT]; 4512 } hashes[HASHCOUNT] = { 4513 { "SHA1", SHA1, SHA1HashSize, 4514 { 4515 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4516 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4517 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4518 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4519 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4520 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4521 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4522 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4523 /* 5 */ { "", 0, 0, 0x98, 5, 4524 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4525 /* 6 */ { "\x5e", 1, 1, 0, 0, 4526 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4527 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4528 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4529 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4530 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4531 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4532 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4533 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4534 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4535 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4536 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4537 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4538 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4539 } }, 4540 { "SHA224", SHA224, SHA224HashSize, 4541 { 4542 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4543 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4544 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4545 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4546 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4547 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4548 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4549 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4550 /* 5 */ { "", 0, 0, 0x68, 5, 4551 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4552 /* 6 */ { "\x07", 1, 1, 0, 0, 4553 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4554 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4555 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4556 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4557 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4558 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4559 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4560 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4561 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4563 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4564 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4565 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4566 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4567 "709563FB916227FED598EB621F" 4568 } }, 4569 { "SHA256", SHA256, SHA256HashSize, 4570 { 4571 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4572 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4573 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4574 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4575 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4576 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4577 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4578 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4579 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4580 "09DB45E7823EB5079CE7A573A3760F95" }, 4581 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4582 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4583 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4584 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4585 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4586 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4587 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4588 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4589 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4590 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4591 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4592 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4593 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4594 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4595 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4596 } }, 4597 { "SHA384", SHA384, SHA384HashSize, 4598 { 4599 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4600 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4601 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4602 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4603 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4604 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4605 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4606 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4607 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4608 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4609 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4610 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4611 /* 5 */ { "", 0, 0, 0x10, 5, 4612 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4613 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4614 /* 6 */ { "\xb9", 1, 1, 0, 0, 4615 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4616 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4617 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4618 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4619 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4620 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4621 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4622 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4623 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4624 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4625 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4626 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4627 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4628 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4629 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4630 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4631 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4632 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4633 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4634 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4635 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4636 } }, 4637 { "SHA512", SHA512, SHA512HashSize, 4638 { 4639 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4640 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4641 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4642 "454D4423643CE80E2A9AC94FA54CA49F" }, 4643 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4644 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4645 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4646 "C7D329EEB6DD26545E96E55B874BE909" }, 4647 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4648 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4649 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4650 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4651 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4652 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4653 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4654 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4655 /* 5 */ { "", 0, 0, 0xB0, 5, 4656 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4657 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4658 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4659 /* 6 */ { "\xD0", 1, 1, 0, 0, 4660 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4661 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4662 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4664 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4665 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4666 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4667 "7359B43E64F8BEC3C1F237119986BBB6" }, 4668 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4669 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4670 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4671 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4672 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4673 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4674 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4675 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4676 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4677 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4678 "C1A16A270D48719377966B957A878E720584779A62825C18" 4679 "DA26415E49A7176A894E7510FD1451F5" } 4680 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4681 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4682 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4683 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4684 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4685 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4686 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4687 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4688 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4689 } 4690 } 4691 }; 4693 /* Test arrays for HMAC. */ 4694 struct hmachash { 4695 const char *keyarray[5]; 4696 int keylength[5]; 4697 const char *dataarray[5]; 4698 int datalength[5]; 4699 const char *resultarray[5]; 4700 int resultlength[5]; 4701 } hmachashes[HMACTESTCOUNT] = { 4702 { /* 1 */ { 4703 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4704 "\x0b\x0b\x0b\x0b\x0b" 4705 }, { 20 }, { 4706 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4707 }, { 8 }, { 4708 /* HMAC-SHA-1 */ 4709 "B617318655057264E28BC0B6FB378C8EF146BE00", 4710 /* HMAC-SHA-224 */ 4711 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4712 /* HMAC-SHA-256 */ 4713 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4714 "CFF7", 4715 /* HMAC-SHA-384 */ 4716 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4717 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4718 /* HMAC-SHA-512 */ 4719 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4720 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4721 "3A126854" 4722 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4723 SHA384HashSize, SHA512HashSize } 4724 }, 4725 { /* 2 */ { 4726 "\x4a\x65\x66\x65" /* "Jefe" */ 4727 }, { 4 }, { 4728 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4729 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4730 /* "what do ya want for nothing?" */ 4731 }, { 28 }, { 4732 /* HMAC-SHA-1 */ 4733 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4734 /* HMAC-SHA-224 */ 4735 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4736 /* HMAC-SHA-256 */ 4737 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4738 "3843", 4739 /* HMAC-SHA-384 */ 4740 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4741 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4742 /* HMAC-SHA-512 */ 4743 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4744 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4745 "38BCE737" 4746 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4747 SHA384HashSize, SHA512HashSize } 4748 }, 4749 { /* 3 */ 4750 { 4751 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4752 "\xaa\xaa\xaa\xaa\xaa" 4753 }, { 20 }, { 4754 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4755 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4756 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4757 "\xdd\xdd\xdd\xdd\xdd" 4758 }, { 50 }, { 4759 /* HMAC-SHA-1 */ 4760 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4761 /* HMAC-SHA-224 */ 4762 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4763 /* HMAC-SHA-256 */ 4764 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4765 "65FE", 4766 /* HMAC-SHA-384 */ 4767 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4768 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4769 /* HMAC-SHA-512 */ 4770 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4771 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4772 "E13292FB" 4773 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4774 SHA384HashSize, SHA512HashSize } 4775 }, 4776 { /* 4 */ { 4777 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4778 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4779 }, { 25 }, { 4780 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4781 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4782 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4783 "\xcd\xcd\xcd\xcd\xcd" 4784 }, { 50 }, { 4785 /* HMAC-SHA-1 */ 4786 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4787 /* HMAC-SHA-224 */ 4788 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4789 /* HMAC-SHA-256 */ 4790 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4791 "665B", 4792 /* HMAC-SHA-384 */ 4793 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4794 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4795 /* HMAC-SHA-512 */ 4796 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4797 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4798 "10A298DD" 4799 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4800 SHA384HashSize, SHA512HashSize } 4801 }, 4802 { /* 5 */ { 4803 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4804 "\x0c\x0c\x0c\x0c\x0c" 4805 }, { 20 }, { 4806 "Test With Truncation" 4807 }, { 20 }, { 4808 /* HMAC-SHA-1 */ 4809 "4C1A03424B55E07FE7F27BE1", 4810 /* HMAC-SHA-224 */ 4811 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4812 /* HMAC-SHA-256 */ 4813 "A3B6167473100EE06E0C796C2955552B", 4814 /* HMAC-SHA-384 */ 4815 "3ABF34C3503B2A23A46EFC619BAEF897", 4816 /* HMAC-SHA-512 */ 4817 "415FAD6271580A531D4179BC891D87A6" 4818 }, { 12, 16, 16, 16, 16 } 4819 }, 4820 { /* 6 */ { 4821 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4822 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4823 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4824 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4825 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4826 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4827 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4828 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4829 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4830 }, { 80, 131 }, { 4831 "Test Using Larger Than Block-Size Key - Hash Key First" 4832 }, { 54 }, { 4833 /* HMAC-SHA-1 */ 4834 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4835 /* HMAC-SHA-224 */ 4836 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4837 /* HMAC-SHA-256 */ 4838 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4839 "7F54", 4840 /* HMAC-SHA-384 */ 4841 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4842 "C4C60C2EF6AB4030FE8296248DF163F44952", 4843 /* HMAC-SHA-512 */ 4844 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4845 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4846 "5D786598" 4847 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4848 SHA384HashSize, SHA512HashSize } 4849 }, 4850 { /* 7 */ { 4851 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4852 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4853 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4854 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4855 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4856 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4857 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4858 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4859 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4860 }, { 80, 131 }, { 4861 "Test Using Larger Than Block-Size Key and " 4862 "Larger Than One Block-Size Data", 4863 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4864 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4865 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4866 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4867 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4868 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4869 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4870 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4871 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4872 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4873 "\x6d\x2e" 4874 /* "This is a test using a larger than block-size key and a " 4875 "larger than block-size data. The key needs to be hashed " 4876 "before being used by the HMAC algorithm." */ 4877 }, { 73, 152 }, { 4878 /* HMAC-SHA-1 */ 4879 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4880 /* HMAC-SHA-224 */ 4881 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4882 /* HMAC-SHA-256 */ 4883 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4884 "35E2", 4885 /* HMAC-SHA-384 */ 4886 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4887 "99C5A678CC31E799176D3860E6110C46523E", 4888 /* HMAC-SHA-512 */ 4889 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4890 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4891 "FA8C6A58" 4892 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4893 SHA384HashSize, SHA512HashSize } 4894 } 4895 }; 4897 /* Test arrays for HKDF. */ 4898 struct hkdfhash { 4899 SHAversion whichSha; 4900 int ikmlength; 4901 const char *ikmarray; 4902 int saltlength; 4903 const char *saltarray; 4904 int infolength; 4905 const char *infoarray; 4906 int prklength; 4907 const char *prkarray; 4908 int okmlength; 4909 const char *okmarray; 4910 } hkdfhashes[HKDFTESTCOUNT] = { 4911 { /* A.1. Test Case 1 */ 4912 SHA256, 4913 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4914 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4915 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4916 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4917 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4918 "D7C2B3E5", 4919 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4920 "ECC4C5BF34007208D5B887185865" 4921 }, 4922 { /* A.2. Test Case 2 */ 4923 SHA256, 4924 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4925 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4926 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4927 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4928 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4929 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4930 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4931 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4932 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4933 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4934 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4935 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4936 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4937 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4938 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4939 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4940 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4941 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4942 32, "06A6B88C5853361A06104C9CEB35B45C" 4943 "EF760014904671014A193F40C15FC244", 4944 82, "B11E398DC80327A1C8E7F78C596A4934" 4945 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4946 "59045A99CAC7827271CB41C65E590E09" 4947 "DA3275600C2F09B8367793A9ACA3DB71" 4948 "CC30C58179EC3E87C14C01D5C1F3434F" 4949 "1D87" 4950 }, 4951 { /* A.3. Test Case 3 */ 4952 SHA256, 4953 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4954 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4955 0, "", 4956 0, "", 4957 32, "19EF24A32C717B167F33A91D6F648BDF" 4958 "96596776AFDB6377AC434C1C293CCB04", 4959 42, "8DA4E775A563C18F715F802A063C5A31" 4960 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4961 "9D201395FAA4B61A96C8" 4962 }, 4963 { /* A.4. Test Case 4 */ 4964 SHA1, 4965 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4966 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4967 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4968 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4969 42, "085A01EA1B10F36933068B56EFA5AD81" 4970 "A4F14B822F5B091568A9CDD4F155FDA2" 4971 "C22E422478D305F3F896" 4972 }, 4973 { /* A.5. Test Case 5 */ 4974 SHA1, 4975 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4976 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4977 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4978 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4979 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4980 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4981 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 4982 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 4983 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4984 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 4985 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 4986 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 4987 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 4988 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 4989 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 4990 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 4991 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 4992 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 4993 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 4994 82, "0BD770A74D1160F7C9F12CD5912A06EB" 4995 "FF6ADCAE899D92191FE4305673BA2FFE" 4996 "8FA3F1A4E5AD79F3F334B3B202B2173C" 4997 "486EA37CE3D397ED034C7F9DFEB15C5E" 4998 "927336D0441F4C4300E2CFF0D0900B52" 4999 "D3B4" 5000 }, 5001 { /* A.6. Test Case 6 */ 5002 SHA1, 5003 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 5004 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 5005 0, "", 5006 0, "", 5007 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 5008 42, "0AC1AF7002B3D761D1E55298DA9D0506" 5009 "B9AE52057220A306E07B6B87E8DF21D0" 5010 "EA00033DE03984D34918" 5011 }, 5012 { /* Extra test case, not in RFChkdf. */ 5013 SHA1, 5014 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 5015 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 5016 0, 0, 5017 0, "", 5018 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 5019 42, "2C91117204D745F3500D636A62F64F0A" 5020 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5021 "673A081D70CCE7ACFC48" 5022 } 5023 }; 5025 /* 5026 * Check the hash value against the expected string, expressed in hex 5027 */ 5028 static const char hexdigits[ ] = "0123456789ABCDEF"; 5029 int checkmatch(const unsigned char *hashvalue, 5030 const char *hexstr, int hashsize) 5031 { 5032 int i; 5033 for (i = 0; i < hashsize; ++i) { 5034 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5035 return 0; 5036 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5037 } 5038 return 1; 5039 } 5041 /* 5042 * Print the string, converting non-printable characters to "." 5043 */ 5044 void printstr(const char *str, int len) 5045 { 5046 for ( ; len-- > 0; str++) 5047 putchar(isprint((unsigned char)*str) ? *str : '.'); 5048 } 5050 /* 5051 * Print the string, converting all characters to hex "## ". 5052 */ 5053 void printxstr(const char *str, int len) 5054 { 5055 char *sep = ""; 5056 for ( ; len-- > 0; str++) { 5057 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5058 hexdigits[*str & 0xF]); 5059 sep = " "; 5060 } 5061 } 5063 /* 5064 * Print a usage message. 5065 */ 5066 void usage(const char *argv0) 5067 { 5068 fprintf(stderr, 5069 "Usage:\n" 5070 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5071 "Hash a string:\n" 5072 "\t%s [-S expectedresult] -s hashstr [-k key] " 5073 "[-i info -L okm-len]\n" 5074 "Hash a file:\n" 5075 "\t%s [-S expectedresult] -f file [-k key] " 5076 "[-i info -L okm-len]\n" 5077 "Hash a file, ignoring whitespace:\n" 5078 "\t%s [-S expectedresult] -F file [-k key] " 5079 "[-i info -L okm-len]\n" 5080 "Additional bits to add in: [-B bitcount -b bits]\n" 5081 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5082 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5083 " Otherwise, run SHA###.)\n" 5084 "Standard tests:\n" 5085 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5086 "\t\t[-r randomseed] [-R randomloop-count] " 5087 "[-p] [-P|-X]\n" 5088 "-h\thash to test: " 5089 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5090 "-m\tperform hmac standard tests\n" 5091 "-k\tkey for hmac test\n" 5092 "-d\tperform hkdf standard tests\n" 5093 "-t\ttest case to run, 1-10\n" 5094 "-l\thow many times to run the test\n" 5095 "-e\ttest error returns\n" 5096 "-p\tdo not print results\n" 5097 "-P\tdo not print PASSED/FAILED\n" 5098 "-X\tprint FAILED, but not PASSED\n" 5099 "-r\tseed for random test\n" 5100 "-R\thow many times to run random test\n" 5101 "-s\tstring to hash\n" 5102 "-S\texpected result of hashed string, in hex\n" 5103 "-w\toutput hash in raw format\n" 5104 "-x\toutput hash in hex format\n" 5105 "-6\toutput hash in base64 format\n" 5106 "-B\t# extra bits to add in after string or file input\n" 5107 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5108 "-H\tinput hashstr or randomseed is in hex\n" 5109 , argv0, argv0, argv0, argv0); 5110 exit(1); 5111 } 5113 /* 5114 * Print the results and PASS/FAIL. 5115 */ 5116 void printResult(uint8_t *Message_Digest, int hashsize, 5117 const char *hashname, const char *testtype, const char *testname, 5118 const char *resultarray, int printResults, int printPassFail) 5119 { 5120 int i, k; 5121 if (printResults == PRINTTEXT) { 5122 printf("\nhashsize=%d\n", hashsize); 5123 putchar('\t'); 5124 for (i = 0; i < hashsize; ++i) { 5125 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5126 putchar(hexdigits[Message_Digest[i] & 0xF]); 5127 putchar(' '); 5128 } 5129 putchar('\n'); 5130 } else if (printResults == PRINTRAW) { 5131 fwrite(Message_Digest, 1, hashsize, stdout); 5132 } else if (printResults == PRINTHEX) { 5133 for (i = 0; i < hashsize; ++i) { 5134 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5135 putchar(hexdigits[Message_Digest[i] & 0xF]); 5136 } 5137 putchar('\n'); 5138 } else if (printResults == PRINTBASE64) { 5139 unsigned char b; 5140 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5141 "0123456789+/"; 5142 for (i = 0; i < hashsize; i += 3) { 5143 putchar(sm[Message_Digest[i] >> 2]); 5144 b = (Message_Digest[i] & 0x03) << 4; 5145 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5146 putchar(sm[b]); 5147 if (i+1 < hashsize) { 5148 b = (Message_Digest[i+1] & 0x0f) << 2; 5149 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5150 putchar(sm[b]); 5151 } else putchar('='); 5152 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5153 else putchar('='); 5154 } 5155 putchar('\n'); 5156 } 5158 if (printResults && resultarray) { 5159 printf(" Should match:\n\t"); 5160 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5161 putchar(resultarray[k]); 5162 putchar(resultarray[k+1]); 5163 putchar(' '); 5165 } 5166 putchar('\n'); 5167 } 5169 if (printPassFail && resultarray) { 5170 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5171 if ((printPassFail == PRINTPASSFAIL) || !ret) 5172 printf("%s %s %s: %s\n", hashname, testtype, testname, 5173 ret ? "PASSED" : "FAILED"); 5174 } 5175 } 5177 /* 5178 * Exercise a hash series of functions. The input is the testarray, 5179 * repeated repeatcount times, followed by the extrabits. If the 5180 * result is known, it is in resultarray in uppercase hex. 5181 */ 5182 int hash(int testno, int loopno, int hashno, 5183 const char *testarray, int length, long repeatcount, 5184 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5185 int keylen, const unsigned char *info, int infolen, int okmlen, 5186 const char *resultarray, int hashsize, int printResults, 5187 int printPassFail) 5188 { 5189 USHAContext sha; 5190 HMACContext hmac; 5191 HKDFContext hkdf; 5192 int err, i; 5193 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5194 uint8_t *Message_Digest = Message_Digest_Buf; 5195 char buf[20]; 5197 if (printResults == PRINTTEXT) { 5198 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5199 loopno, repeatcount); 5200 printstr(testarray, length); 5201 printf("'\n\t'"); 5202 printxstr(testarray, length); 5203 printf("'\n"); 5204 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5205 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5206 } 5208 if (info) Message_Digest = malloc(okmlen); 5209 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5210 memset(&hmac, '\343', sizeof(hmac)); 5211 memset(&hkdf, '\343', sizeof(hkdf)); 5212 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5213 keyarray, keylen) : 5214 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5215 keyarray, keylen) : 5216 USHAReset(&sha, hashes[hashno].whichSha); 5217 if (err != shaSuccess) { 5218 fprintf(stderr, "hash(): %sReset Error %d.\n", 5219 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5220 return err; 5221 } 5223 for (i = 0; i < repeatcount; ++i) { 5224 err = info ? hkdfInput(&hkdf, testarray, length) : 5225 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5226 length) : 5227 USHAInput(&sha, (const uint8_t *) testarray, 5228 length); 5229 if (err != shaSuccess) { 5230 fprintf(stderr, "hash(): %sInput Error %d.\n", 5231 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5232 return err; 5233 } 5234 } 5236 if (numberExtrabits > 0) { 5237 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5238 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5239 numberExtrabits) : 5240 USHAFinalBits(&sha, (uint8_t) extrabits, 5241 numberExtrabits); 5242 if (err != shaSuccess) { 5243 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5244 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5245 return err; 5246 } 5247 } 5249 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5250 Message_Digest, okmlen) : 5251 keyarray ? hmacResult(&hmac, Message_Digest) : 5252 USHAResult(&sha, Message_Digest); 5253 if (err != shaSuccess) { 5254 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5255 "message digest.\n", 5256 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5257 return err; 5258 } 5260 sprintf(buf, "%d", testno+1); 5261 printResult(Message_Digest, info ? okmlen : hashsize, 5262 hashes[hashno].name, info ? "hkdf standard test" : 5263 keyarray ? "hmac standard test" : "sha standard test", buf, 5264 resultarray, printResults, printPassFail); 5266 return err; 5267 } 5269 /* 5270 * Exercise an HKDF series. The input is the testarray, 5271 * repeated repeatcount times, followed by the extrabits. If the 5272 * result is known, it is in resultarray in uppercase hex. 5273 */ 5274 int hashHkdf(int testno, int loopno, int hashno, 5275 int printResults, int printPassFail) 5276 { 5277 int err; 5278 unsigned char prk[USHAMaxHashSize+1]; 5279 uint8_t okm[255 * USHAMaxHashSize+1]; 5280 char buf[20]; 5282 if (printResults == PRINTTEXT) { 5283 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5284 printxstr(hkdfhashes[testno].saltarray, 5285 hkdfhashes[testno].saltlength); 5286 printf("'\n\tIKM\t'"); 5287 printxstr(hkdfhashes[testno].ikmarray, 5288 hkdfhashes[testno].ikmlength); 5289 printf("'\n\tINFO\t'"); 5290 printxstr(hkdfhashes[testno].infoarray, 5291 hkdfhashes[testno].infolength); 5292 printf("'\n"); 5293 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5294 } 5296 /* Run hkdf() against the test vectors */ 5297 err = hkdf(hkdfhashes[testno].whichSha, 5298 hkdfhashes[testno].saltarray, 5299 hkdfhashes[testno].saltlength, 5300 hkdfhashes[testno].ikmarray, 5301 hkdfhashes[testno].ikmlength, 5302 hkdfhashes[testno].infoarray, 5303 hkdfhashes[testno].infolength, okm, 5304 hkdfhashes[testno].okmlength); 5305 if (err != shaSuccess) { 5306 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5307 return err; 5308 } 5309 sprintf(buf, "hkdf %d", testno+1); 5310 printResult(okm, hkdfhashes[testno].okmlength, 5311 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5312 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5314 /* Now run hkdfExtract() by itself against the test vectors */ 5315 /* to verify the intermediate results. */ 5316 err = hkdfExtract(hkdfhashes[testno].whichSha, 5317 hkdfhashes[testno].saltarray, 5318 hkdfhashes[testno].saltlength, 5319 hkdfhashes[testno].ikmarray, 5320 hkdfhashes[testno].ikmlength, prk); 5321 if (err != shaSuccess) { 5322 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5323 return err; 5324 } 5325 sprintf(buf, "hkdfExtract %d", testno+1); 5326 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5327 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5328 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5330 /* Now run hkdfExpand() by itself against the test vectors */ 5331 /* using the intermediate results from hkdfExtract. */ 5332 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5333 USHAHashSize(hkdfhashes[testno].whichSha), 5334 hkdfhashes[testno].infoarray, hkdfhashes[testno].infolength, 5335 okm, hkdfhashes[testno].okmlength); 5336 if (err != shaSuccess) { 5337 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5338 return err; 5339 } 5340 sprintf(buf, "hkdfExpand %d", testno+1); 5341 printResult(okm, hkdfhashes[testno].okmlength, 5342 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5343 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5345 return err; 5346 } 5348 /* 5349 * Exercise a hash series of functions. The input is a filename. 5350 * If the result is known, it is in resultarray in uppercase hex. 5351 */ 5352 int hashfile(int hashno, const char *hashfilename, int bits, 5353 int bitcount, int skipSpaces, const unsigned char *keyarray, 5354 int keylen, const unsigned char *info, int infolen, int okmlen, 5355 const char *resultarray, int hashsize, 5356 int printResults, int printPassFail) 5357 { 5358 USHAContext sha; 5359 HMACContext hmac; 5360 HKDFContext hkdf; 5361 int err, nread, c; 5362 unsigned char buf[4096]; 5363 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5364 uint8_t *Message_Digest = Message_Digest_Buf; 5365 unsigned char cc; 5366 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5367 fopen(hashfilename, "r"); 5369 if (!hashfp) { 5370 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5371 return shaStateError; 5372 } 5374 if (info) Message_Digest = malloc(okmlen); 5375 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5376 memset(&hmac, '\343', sizeof(hmac)); 5377 memset(&hkdf, '\343', sizeof(hkdf)); 5378 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5379 keyarray, keylen) : 5380 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5381 keyarray, keylen) : 5382 USHAReset(&sha, hashes[hashno].whichSha); 5383 if (err != shaSuccess) { 5384 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5385 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5386 return err; 5387 } 5389 if (skipSpaces) 5390 while ((c = getc(hashfp)) != EOF) { 5391 if (!isspace(c)) { 5392 cc = (unsigned char)c; 5393 err = info ? hkdfInput(&hkdf, &cc, 1) : 5394 keyarray ? hmacInput(&hmac, &cc, 1) : 5395 USHAInput(&sha, &cc, 1); 5396 if (err != shaSuccess) { 5397 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5398 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5399 if (hashfp != stdin) fclose(hashfp); 5400 return err; 5401 } 5402 } 5403 } 5404 else 5405 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5406 err = info ? hkdfInput(&hkdf, buf, nread) : 5407 keyarray ? hmacInput(&hmac, buf, nread) : 5408 USHAInput(&sha, buf, nread); 5409 if (err != shaSuccess) { 5410 fprintf(stderr, "hashfile(): %s Error %d.\n", 5411 info ? "hkdf" : keyarray ? "hmacInput" : 5412 "shaInput", err); 5413 if (hashfp != stdin) fclose(hashfp); 5414 return err; 5415 } 5417 } 5419 if (bitcount > 0) 5420 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5421 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5422 USHAFinalBits(&sha, bits, bitcount); 5423 if (err != shaSuccess) { 5424 fprintf(stderr, "hashfile(): %s Error %d.\n", 5425 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5426 "shaFinalBits", err); 5427 if (hashfp != stdin) fclose(hashfp); 5428 return err; 5429 } 5431 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5432 Message_Digest, okmlen) : 5433 keyarray ? hmacResult(&hmac, Message_Digest) : 5434 USHAResult(&sha, Message_Digest); 5435 if (err != shaSuccess) { 5436 fprintf(stderr, "hashfile(): %s Error %d.\n", 5437 info ? "hkdf" : keyarray ? "hmacResult" : 5438 "shaResult", err); 5439 if (hashfp != stdin) fclose(hashfp); 5440 return err; 5441 } 5443 printResult(Message_Digest, info ? okmlen : hashsize, 5444 hashes[hashno].name, "file", hashfilename, resultarray, 5445 printResults, printPassFail); 5447 if (hashfp != stdin) fclose(hashfp); 5448 if (info) free(Message_Digest); 5449 return err; 5450 } 5452 /* 5453 * Exercise a hash series of functions through multiple permutations. 5454 * The input is an initial seed. That seed is replicated 3 times. 5455 * For 1000 rounds, the previous three results are used as the input. 5456 * This result is then checked, and used to seed the next cycle. 5457 * If the result is known, it is in resultarrays in uppercase hex. 5458 */ 5459 void randomtest(int hashno, const char *seed, int hashsize, 5460 const char **resultarrays, int randomcount, 5461 int printResults, int printPassFail) 5462 { 5463 int i, j; char buf[20]; 5464 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5466 /* INPUT: Seed - A random seed n bits long */ 5467 memcpy(SEED, seed, hashsize); 5468 if (printResults == PRINTTEXT) { 5469 printf("%s random test seed= '", hashes[hashno].name); 5470 printxstr(seed, hashsize); 5471 printf("'\n"); 5472 } 5474 for (j = 0; j < randomcount; j++) { 5475 /* MD0 = MD1 = MD2 = Seed; */ 5476 memcpy(MD[0], SEED, hashsize); 5477 memcpy(MD[1], SEED, hashsize); 5478 memcpy(MD[2], SEED, hashsize); 5479 for (i=3; i<1003; i++) { 5480 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5481 USHAContext Mi; 5482 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5483 USHAReset(&Mi, hashes[hashno].whichSha); 5484 USHAInput(&Mi, MD[i-3], hashsize); 5485 USHAInput(&Mi, MD[i-2], hashsize); 5486 USHAInput(&Mi, MD[i-1], hashsize); 5487 /* MDi = SHA(Mi); */ 5488 USHAResult(&Mi, MD[i]); 5489 } 5491 /* MDj = Seed = MDi; */ 5492 memcpy(SEED, MD[i-1], hashsize); 5494 /* OUTPUT: MDj */ 5495 sprintf(buf, "%d", j); 5496 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5497 buf, resultarrays ? resultarrays[j] : 0, printResults, 5498 (j < RANDOMCOUNT) ? printPassFail : 0); 5499 } 5500 } 5502 /* 5503 * Look up a hash name. 5504 */ 5505 int findhash(const char *argv0, const char *opt) 5506 { 5507 int i; 5508 const char *names[HASHCOUNT][2] = { 5509 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5510 { "3", "sha384" }, { "4", "sha512" } 5511 }; 5513 for (i = 0; i < HASHCOUNT; i++) 5514 if ((strcmp(opt, names[i][0]) == 0) || 5515 (scasecmp(opt, names[i][1]) == 0)) 5516 return i; 5518 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5519 usage(argv0); 5520 return 0; 5521 } 5523 /* 5524 * Run some tests that should invoke errors. 5525 */ 5526 void testErrors(int hashnolow, int hashnohigh, int printResults, 5527 int printPassFail) 5528 { 5529 USHAContext usha; 5530 uint8_t Message_Digest[USHAMaxHashSize]; 5531 int hashno, err; 5533 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5534 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5535 USHAReset(&usha, hashno); 5536 USHAResult(&usha, Message_Digest); 5537 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5538 if (printResults == PRINTTEXT) 5539 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5540 if ((printPassFail == PRINTPASSFAIL) || 5541 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5542 printf("%s se: %s\n", hashes[hashno].name, 5543 (err == shaStateError) ? "PASSED" : "FAILED"); 5545 err = USHAFinalBits(&usha, 0x80, 3); 5546 if (printResults == PRINTTEXT) 5547 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5548 if ((printPassFail == PRINTPASSFAIL) || 5549 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5550 printf("%s se: %s\n", hashes[hashno].name, 5551 (err == shaStateError) ? "PASSED" : "FAILED"); 5553 err = USHAReset(0, hashes[hashno].whichSha); 5554 if (printResults == PRINTTEXT) 5555 printf("\nError %d. Should be %d.\n", err, shaNull); 5556 if ((printPassFail == PRINTPASSFAIL) || 5557 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5558 printf("%s usha null: %s\n", hashes[hashno].name, 5559 (err == shaNull) ? "PASSED" : "FAILED"); 5561 switch (hashno) { 5562 case SHA1: err = SHA1Reset(0); break; 5563 case SHA224: err = SHA224Reset(0); break; 5564 case SHA256: err = SHA256Reset(0); break; 5565 case SHA384: err = SHA384Reset(0); break; 5566 case SHA512: err = SHA512Reset(0); break; 5567 } 5568 if (printResults == PRINTTEXT) 5569 printf("\nError %d. Should be %d.\n", err, shaNull); 5570 if ((printPassFail == PRINTPASSFAIL) || 5571 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5572 printf("%s sha null: %s\n", hashes[hashno].name, 5573 (err == shaNull) ? "PASSED" : "FAILED"); 5574 } 5575 } 5577 /* replace a hex string in place with its value */ 5578 int unhexStr(char *hexstr) 5579 { 5580 char *o = hexstr; 5581 int len = 0, nibble1 = 0, nibble2 = 0; 5582 if (!hexstr) return 0; 5583 for ( ; *hexstr; hexstr++) { 5584 if (isalpha((int)(unsigned char)(*hexstr))) { 5585 nibble1 = tolower(*hexstr) - 'a' + 10; 5586 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5587 nibble1 = *hexstr - '0'; 5588 } else { 5589 printf("\nError: bad hex character '%c'\n", *hexstr); 5590 } 5591 if (!*++hexstr) break; 5592 if (isalpha((int)(unsigned char)(*hexstr))) { 5593 nibble2 = tolower(*hexstr) - 'a' + 10; 5594 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5595 nibble2 = *hexstr - '0'; 5596 } else { 5597 printf("\nError: bad hex character '%c'\n", *hexstr); 5598 } 5599 *o++ = (char)((nibble1 << 4) | nibble2); 5600 len++; 5601 } 5602 return len; 5603 } 5605 int main(int argc, char **argv) 5606 { 5607 int i, err; 5608 int loopno, loopnohigh = 1; 5609 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5610 int testno, testnolow = 0, testnohigh; 5611 int ntestnohigh = 0; 5612 int printResults = PRINTTEXT; 5613 int printPassFail = 1; 5614 int checkErrors = 0; 5615 char *hashstr = 0; 5616 int hashlen = 0; 5617 const char *resultstr = 0; 5618 char *randomseedstr = 0; 5619 int runHmacTests = 0; 5620 int runHkdfTests = 0; 5621 char *hmacKey = 0; 5622 int hmaclen = 0; 5623 char *info = 0; 5624 int infolen = 0, okmlen = 0; 5625 int randomcount = RANDOMCOUNT; 5626 const char *hashfilename = 0; 5627 const char *hashFilename = 0; 5628 int extrabits = 0, numberExtrabits = 0; 5629 int strIsHex = 0; 5631 while ((i = xgetopt(argc, argv, 5632 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5633 switch (i) { 5634 case 'b': extrabits = strtol(xoptarg, 0, 0); break; 5635 case 'B': numberExtrabits = atoi(xoptarg); break; 5636 case 'd': runHkdfTests = 1; break; 5637 case 'e': checkErrors = 1; break; 5638 case 'f': hashfilename = xoptarg; break; 5639 case 'F': hashFilename = xoptarg; break; 5640 case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg); 5641 break; 5642 case 'H': strIsHex = 1; break; 5643 case 'i': info = xoptarg; infolen = strlen(xoptarg); break; 5644 case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break; 5645 case 'l': loopnohigh = atoi(xoptarg); break; 5646 case 'L': okmlen = strtol(xoptarg, 0, 0); break; 5647 case 'm': runHmacTests = 1; break; 5648 case 'P': printPassFail = 0; break; 5649 case 'p': printResults = PRINTNONE; break; 5650 case 'R': randomcount = atoi(xoptarg); break; 5651 case 'r': randomseedstr = xoptarg; break; 5652 case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break; 5653 case 'S': resultstr = xoptarg; break; 5654 case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break; 5655 case 'w': printResults = PRINTRAW; break; 5656 case 'x': printResults = PRINTHEX; break; 5657 case 'X': printPassFail = 2; break; 5658 case '6': printResults = PRINTBASE64; break; 5659 default: usage(argv[0]); 5660 } 5662 if (strIsHex) { 5663 hashlen = unhexStr(hashstr); 5664 unhexStr(randomseedstr); 5665 hmaclen = unhexStr(hmacKey); 5666 infolen = unhexStr(info); 5667 } 5668 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5669 runHmacTests ? (HMACTESTCOUNT-1) : 5670 runHkdfTests ? (HKDFTESTCOUNT-1) : 5671 (TESTCOUNT-1); 5672 if ((testnolow < 0) || 5673 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5674 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5675 (hashstr && (testnolow == testnohigh)) || 5676 (randomcount < 0) || 5677 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5678 ((runHmacTests || hmacKey) && randomseedstr) || 5679 (hashfilename && hashFilename) || 5680 (info && ((infolen <= 0) || (okmlen <= 0))) || 5681 (info && !hmacKey)) 5682 usage(argv[0]); 5684 /* 5685 * Perform SHA/HMAC tests 5686 */ 5687 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5688 if (printResults == PRINTTEXT) 5689 printf("Hash %s\n", hashes[hashno].name); 5690 err = shaSuccess; 5692 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5693 ++loopno) { 5694 if (hashstr) 5695 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5696 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5697 hmaclen, info, infolen, okmlen, resultstr, 5698 hashes[hashno].hashsize, printResults, printPassFail); 5700 else if (randomseedstr) 5701 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5702 randomcount, printResults, printPassFail); 5704 else if (hashfilename) 5705 err = hashfile(hashno, hashfilename, extrabits, 5706 numberExtrabits, 0, 5707 (const unsigned char *)hmacKey, hmaclen, 5708 info, infolen, okmlen, resultstr, 5709 hashes[hashno].hashsize, 5710 printResults, printPassFail); 5712 else if (hashFilename) 5713 err = hashfile(hashno, hashFilename, extrabits, 5714 numberExtrabits, 1, 5715 (const unsigned char *)hmacKey, hmaclen, 5716 info, infolen, okmlen, resultstr, 5717 hashes[hashno].hashsize, 5718 printResults, printPassFail); 5720 else /* standard tests */ { 5721 for (testno = testnolow; 5722 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5723 if (runHmacTests) { 5724 err = hash(testno, loopno, hashno, 5725 hmachashes[testno].dataarray[hashno] ? 5726 hmachashes[testno].dataarray[hashno] : 5727 hmachashes[testno].dataarray[1] ? 5728 hmachashes[testno].dataarray[1] : 5729 hmachashes[testno].dataarray[0], 5730 hmachashes[testno].datalength[hashno] ? 5731 hmachashes[testno].datalength[hashno] : 5732 hmachashes[testno].datalength[1] ? 5733 hmachashes[testno].datalength[1] : 5734 hmachashes[testno].datalength[0], 5735 1, 0, 0, 5736 (const unsigned char *)( 5737 hmachashes[testno].keyarray[hashno] ? 5738 hmachashes[testno].keyarray[hashno] : 5739 hmachashes[testno].keyarray[1] ? 5740 hmachashes[testno].keyarray[1] : 5741 hmachashes[testno].keyarray[0]), 5742 hmachashes[testno].keylength[hashno] ? 5743 hmachashes[testno].keylength[hashno] : 5744 hmachashes[testno].keylength[1] ? 5745 hmachashes[testno].keylength[1] : 5746 hmachashes[testno].keylength[0], 5747 0, 0, 0, 5748 hmachashes[testno].resultarray[hashno], 5749 hmachashes[testno].resultlength[hashno], 5750 printResults, printPassFail); 5751 } else if (runHkdfTests) { 5752 err = hashHkdf(testno, loopno, hashno, 5753 printResults, printPassFail); 5754 } else { /* sha tests */ 5755 err = hash(testno, loopno, hashno, 5756 hashes[hashno].tests[testno].testarray, 5757 hashes[hashno].tests[testno].length, 5758 hashes[hashno].tests[testno].repeatcount, 5759 hashes[hashno].tests[testno].numberExtrabits, 5760 hashes[hashno].tests[testno].extrabits, 5761 0, 0, 0, 0, 0, 5762 hashes[hashno].tests[testno].resultarray, 5763 hashes[hashno].hashsize, 5764 printResults, printPassFail); 5765 } 5766 } 5767 if (!runHmacTests && !runHkdfTests) { 5768 randomtest(hashno, hashes[hashno].randomtest, 5769 hashes[hashno].hashsize, hashes[hashno].randomresults, 5770 RANDOMCOUNT, printResults, printPassFail); 5771 } 5772 } 5773 } 5774 } 5776 /* Test some error returns */ 5777 if (checkErrors) { 5778 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5779 } 5781 return 0; 5782 } 5784 /* 5785 * Compare two strings, case independently. 5786 * Equivalent to strcasecmp() found on some systems. 5787 */ 5788 int scasecmp(const char *s1, const char *s2) 5789 { 5790 for (;;) { 5791 char u1 = tolower(*s1++); 5792 char u2 = tolower(*s2++); 5793 if (u1 != u2) 5794 return u1 - u2; 5795 if (u1 == '\0') 5796 return 0; 5797 } 5798 } 5800 /* 5801 * This is a copy of getopt provided for those systems that do not 5802 * have it. The name was changed to xgetopt to not conflict on those 5803 * systems that do have it. Similarly, optarg, optind and opterr 5804 * were renamed to xoptarg, xoptind and xopterr. 5805 * 5806 * Copyright 1990, 1991, 1992 by the Massachusetts Institute of 5807 * Technology and UniSoft Group Limited. 5808 * 5809 * Permission to use, copy, modify, distribute, and sell this software 5810 * and its documentation for any purpose is hereby granted without fee, 5811 * provided that the above copyright notice appear in all copies and 5812 * that both that copyright notice and this permission notice appear in 5813 * supporting documentation, and that the names of MIT and UniSoft not 5814 * be used in advertising or publicity pertaining to distribution of 5815 * the software without specific, written prior permission. MIT and 5816 * UniSoft make no representations about the suitability of this 5817 * software for any purpose. It is provided "as is" without express 5818 * or implied warranty. 5819 * 5820 * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $ 5821 * NB: Reformatted to match above style. 5822 */ 5824 char *xoptarg; 5825 int xoptind = 1; 5826 int xopterr = 1; 5828 static int xgetopt(int argc, char **argv, const char *optstring) 5829 { 5830 static int avplace; 5831 char *ap; 5832 char *cp; 5833 int c; 5835 if (xoptind >= argc) 5836 return EOF; 5838 ap = argv[xoptind] + avplace; 5840 /* At beginning of arg but not an option */ 5841 if (avplace == 0) { 5842 if (ap[0] != '-') 5843 return EOF; 5844 else if (ap[1] == '-') { 5845 /* Special end of options option */ 5846 xoptind++; 5847 return EOF; 5848 } else if (ap[1] == '\0') 5849 return EOF; /* single '-' is not allowed */ 5850 } 5852 /* Get next letter */ 5853 avplace++; 5854 c = *++ap; 5856 cp = strchr(optstring, c); 5857 if (cp == NULL || c == ':') { 5858 if (xopterr) 5859 fprintf(stderr, "Unrecognised option -- %c\n", c); 5860 return '?'; 5861 } 5863 if (cp[1] == ':') { 5864 /* There should be an option arg */ 5865 avplace = 0; 5866 if (ap[1] == '\0') { 5867 /* It is a separate arg */ 5868 if (++xoptind >= argc) { 5869 if (xopterr) 5870 fprintf(stderr, "Option requires an argument\n"); 5871 return '?'; 5872 } 5873 xoptarg = argv[xoptind++]; 5874 } else { 5875 /* is attached to option letter */ 5876 xoptarg = ap + 1; 5877 ++xoptind; 5878 } 5879 } else { 5880 /* If we are out of letters then go to next arg */ 5881 if (ap[1] == '\0') { 5882 ++xoptind; 5883 avplace = 0; 5884 } 5886 xoptarg = NULL; 5887 } 5888 return c; 5889 } 5890 9. IANA Considerations 5892 This document requires no IANA Actions. The RFC Editor should delete 5893 this section before publication. 5895 10. Security Considerations 5897 This document is intended to provide convenient open source access by 5898 the Internet community to the United States of America Federal 5899 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5900 180-2], HMACs based thereon, and HKDF. No independent assertion of 5901 the security of these functions by the authors for any particular use 5902 is intended. 5904 11. Acknowledgements 5906 Thanks for the corrections to [RFC4634] that were provided by Alfred 5907 Hoenes and Jan Andres that are incorporated herein. 5909 12. References 5911 RFC Editor Note: All occurances of RFChkdf should be edited to have 5912 the HKDF RFC number instead of "hkdf". All occurances of "RFC NNNN" 5913 should be edited to replace "NNNN" with this documents RFC number. 5914 And this note should be deleted. 5916 12.1 Normative References 5918 [FIPS 180-2] - "Secure Hash Standard", United States of American, 5919 National Institute of Science and Technology, Federal 5920 Information Processing Standard (FIPS) 180-2, 5921 http://csrc.nist.gov/publications/fips/fips180-2/fips180- 5922 2withchangenotice.pdf. 5924 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5925 Hashing for Message Authentication", RFC 2104, February 1997. 5927 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 5928 Requirement Levels", BCP 14, RFC 2119, March 1997. 5930 [RFChkdf] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5931 Expand Key Derivation Function (HKDF)", draft-krawczyk-hkdf in 5932 RFC Editor queue, January 2010. 5934 12.2 Informative References 5936 [RFC2202] - P. Cheng, R. Glenn, "Test Cases for HMAC-MD5 and HMAC- 5937 SHA-1", September 1997. 5939 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5940 (SHA1)", September 2001. 5942 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5943 September 2004. 5945 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5946 Requirements for Security", May 2005. 5948 [RFC4231] - M. Nystrom, "Identifiers and Test Vectors for HMAC- 5949 SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 5950 December 2005. 5952 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5953 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5955 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5956 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5958 Appendix: Changes from RFC 4634 5960 The following changes were made to RFC 4634 to produce this document: 5962 1. Add code for HKDF and brief text about HKDF with pointer to 5963 [RFChkdf]. 5965 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5966 no case did the old code return an incorrect hash value. 5968 2.a Correct some of the error return values which has erroneously 5969 been "shaNull" to the correct "shaInputTooLong" error. 5971 2.b Update comments and variable names within the code for 5972 consistency and clarity and other editorial changes. 5974 2.c The previous code for SHA-384 and SHA-512 would stop after 5975 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5976 bytes (2^128 bits). 5978 2.d Add additional error checking. 5980 3. Update boilerplate, remove special license in [RFC4634] as new 5981 boilerplate mandates simplified BSD license. 5983 Author's Address 5985 Donald E. Eastlake, 3rd 5986 Stellar Switches 5987 155 Beaver Street 5988 Milford, MA 01757 USA 5990 Telephone: +1-508-333-2270 5991 EMail: d3e3e3@gmail.com 5993 Tony Hansen 5994 AT&T Laboratories 5995 200 Laurel Ave. 5996 Middletown, NJ 07748 USA 5998 Telephone: +1-732-420-8934 5999 EMail: tony+shs@millennium.att.com 6001 Copyright, Disclaimer, and Additional IPR Provisions 6003 Copyright (c) 2010 IETF Trust and the persons identified as the 6004 document authors. All rights reserved. 6006 This document is subject to BCP 78 and the IETF Trust's Legal 6007 Provisions Relating to IETF Documents 6008 (http://trustee.ietf.org/license-info) in effect on the date of 6009 publication of this document. Please review these documents 6010 carefully, as they describe your rights and restrictions with respect 6011 to this document. Code Components extracted from this document must 6012 include Simplified BSD License text as described in Section 4.e of 6013 the Trust Legal Provisions and are provided without warranty as 6014 described in the BSD License. This Internet-Draft is submitted to 6015 IETF in full conformance with the provisions of BCP 78 and BCP 79.