idnits 2.17.00 (12 Aug 2021) /tmp/idnits48318/draft-eastlake-sha2b-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 2) being 59 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4634]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC4634, but the abstract doesn't seem to directly say this. It does mention RFC4634 though, so this could be OK. -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 754 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 28, 2010) is 4405 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5551, but not defined -- Looks like a reference, but probably isn't: '4' on line 3250 == Missing Reference: 'SHA1HashSize' is mentioned on line 1508, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1899, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2050, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2741, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2932, but not defined -- Looks like a reference, but probably isn't: '0' on line 5863 -- Looks like a reference, but probably isn't: '1' on line 5902 -- Looks like a reference, but probably isn't: '2' on line 5529 -- Looks like a reference, but probably isn't: '3' on line 3293 -- Looks like a reference, but probably isn't: '8' on line 3167 -- Looks like a reference, but probably isn't: '56' on line 2133 -- Looks like a reference, but probably isn't: '57' on line 2134 -- Looks like a reference, but probably isn't: '58' on line 2135 -- Looks like a reference, but probably isn't: '59' on line 2136 -- Looks like a reference, but probably isn't: '60' on line 2137 -- Looks like a reference, but probably isn't: '61' on line 2138 -- Looks like a reference, but probably isn't: '62' on line 2139 -- Looks like a reference, but probably isn't: '63' on line 2140 -- Looks like a reference, but probably isn't: '80' on line 3204 -- Looks like a reference, but probably isn't: '64' on line 2184 -- Looks like a reference, but probably isn't: '5' on line 4721 -- Looks like a reference, but probably isn't: '6' on line 3252 -- Looks like a reference, but probably isn't: '7' on line 3253 -- Looks like a reference, but probably isn't: '112' on line 3005 -- Looks like a reference, but probably isn't: '113' on line 3006 -- Looks like a reference, but probably isn't: '114' on line 3007 -- Looks like a reference, but probably isn't: '115' on line 3008 -- Looks like a reference, but probably isn't: '116' on line 3009 -- Looks like a reference, but probably isn't: '117' on line 3010 -- Looks like a reference, but probably isn't: '118' on line 3011 -- Looks like a reference, but probably isn't: '119' on line 3012 -- Looks like a reference, but probably isn't: '120' on line 3014 -- Looks like a reference, but probably isn't: '121' on line 3015 -- Looks like a reference, but probably isn't: '122' on line 3016 -- Looks like a reference, but probably isn't: '123' on line 3017 -- Looks like a reference, but probably isn't: '124' on line 3018 -- Looks like a reference, but probably isn't: '125' on line 3019 -- Looks like a reference, but probably isn't: '126' on line 3020 -- Looks like a reference, but probably isn't: '127' on line 3021 -- Looks like a reference, but probably isn't: '9' on line 3129 -- Looks like a reference, but probably isn't: '10' on line 3168 -- Looks like a reference, but probably isn't: '11' on line 3131 -- Looks like a reference, but probably isn't: '12' on line 3169 -- Looks like a reference, but probably isn't: '13' on line 3133 -- Looks like a reference, but probably isn't: '14' on line 3170 -- Looks like a reference, but probably isn't: '15' on line 3135 == Missing Reference: 'TESTCOUNT' is mentioned on line 4529, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4531, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5529, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4722, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4931, but not defined -- Looks like a reference, but probably isn't: '20' on line 5484 -- Looks like a reference, but probably isn't: '4096' on line 5383 -- Looks like a reference, but probably isn't: '1003' on line 5485 == Unused Reference: 'RFC2119' is defined on line 5948, but no explicit reference was found in the text == Outdated reference: draft-krawczyk-hkdf has been published as RFC 5869 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 2 errors (**), 0 flaws (~~), 16 warnings (==), 51 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Stellar Switches 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: October 27, 2010 April 28, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 This document is an update of [RFC4634] to fix errata and to add code 14 for an HMAC-based extract-and-expand key derivation function. 16 The United States of America has adopted a suite of secure hash 17 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 18 Information Processing Standard (FIPS), specifically SHA-224, 19 SHA-256, SHA-384, and SHA-512. The purpose of this document is to 20 make open source code performing the SHA hash functions conveniently 21 available to the Internet community. The sample code supports input 22 strings of arbitrary bit length. Much of the text herein was adapted 23 by the authors from FIPS 180-2. 25 As with [RFC4634], code to perform SHA based HMACs is included and, 26 new in this version, code for HKDF is included. 28 Status of This Memo 30 This Internet-Draft is submitted to IETF in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Distribution of this document is unlimited. Comments should be sent 34 to the authors. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF), its areas, and its working groups. Note that 38 other groups may also distribute working documents as Internet- 39 Drafts. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 The list of current Internet-Drafts can be accessed at 47 http://www.ietf.org/1id-abstracts.html 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 Table of Contents 54 Abstract...................................................1 55 Status of This Memo........................................1 57 1. Overview of Contents....................................3 58 2. Notation for Bit Strings and Integers...................4 59 3. Operations on Words.....................................5 61 4. Message Padding and Parsing.............................7 62 4.1 SHA-224 and SHA-256....................................7 63 4.2 SHA-384 and SHA-512....................................8 65 5. Functions and Constants Used...........................10 66 5.1 SHA-224 and SHA-256...................................10 67 5.2 SHA-384 and SHA-512...................................11 69 6. Computing the Message Digest...........................12 70 6.1 SHA-224 and SHA-256 Initialization....................12 71 6.2 SHA-224 and SHA-256 Processing........................12 72 6.3 SHA-384 and SHA-512 Initialization....................14 73 6.4 SHA-384 and SHA-512 Processing........................15 75 7. HKDF and SHA Based HMACs...............................17 76 7.1 SHA Based HMACs.......................................17 77 7.2 HKDF..................................................17 79 8. C Code for SHAs, HMAC, and HKDF........................18 80 8.1 The .h file...........................................21 81 8.2 The SHA Code..........................................28 82 8.2.1 sha1.c..............................................29 83 8.2.2 sha224-256.c........................................37 84 8.2.3 sha384-512.c........................................49 85 8.2.4 usha.c..............................................70 86 8.2.5 sha-private.h.......................................76 87 8.3 The HMAC Code.........................................77 88 8.4 The HKDF Code.........................................82 89 8.5 The Test Driver.......................................89 91 9. IANA Considerations...................................122 92 10. Security Considerations..............................122 93 11. Acknowledgements.....................................122 95 12. References...........................................123 96 12.1 Normative References................................123 97 12.2 Informative References..............................123 99 Appendix: Changes from RFC 4634..........................125 100 Edit History.............................................126 101 Changes from -00 to -01..................................126 102 Author's Address.........................................127 103 Copyright, Disclaimer, and Additional IPR Provisions.....128 105 1. Overview of Contents 107 This document obsoletes [RFC4634] and the changes from that RFC are 108 summarized in the Appendix below. 110 This document includes specifications for the United States of 111 America (USA) Federal Information Processing Standard (FIPS) Secure 112 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 113 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 114 Specifications for HMAC and HKDF are not included as they appear 115 elsewhere in the RFC series [RFC2104] [RFChkdf]. 117 NOTE: Much of the text below is taken from [FIPS 180-2] and the 118 assertions of the security of the hash algorithms described therein 119 are made by the US Government, the author of [FIPS 180-2], not by the 120 authors of this document. 122 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 123 SHA-256, SHA-384, and SHA-512, for computing a condensed 124 representation of a message or a data file. (SHA-1 is specified in 125 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 126 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 127 these algorithms, the result is an output called a message digest. 128 The message digests range in length from 224 to 512 bits, depending 129 on the algorithm. Secure hash algorithms are typically used with 130 other cryptographic algorithms, such as digital signature algorithms 131 and keyed hash authentication codes, the generation or random numbers 132 [RFC4086], or in key derivation functions. 134 The four algorithms specified in this document are called secure 135 because it is computationally infeasible to (1) find a message which 136 corresponds to a given message digest, or (2) to find two different 137 messages that produce the same message digest. Any change to a 138 message in transit will, with very high probability, result in a 139 different message digest. This will result in a verification failure 140 when the secure hash algorithm is used with a digital signature 141 algorithm or a keyed-hash message authentication algorithm. 143 The code provided herein supports input strings of arbitrary bit 144 length. SHA-1's sample code from [RFC3174] has also been updated to 145 handle input strings of arbitrary bit length. Permission is granted 146 for all uses, commercial and non-commercial, of this code. 148 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 149 [RFC4055], are as follows: 151 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 152 identified-organization(3) oiw(14) 153 secsig(3) algorithms(2) 26 } 155 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 156 country(16) us(840) organization(1) gov(101) 157 csor(3) nistalgorithm(4) hashalgs(2) 4 } 158 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 159 country(16) us(840) organization(1) gov(101) 160 csor(3) nistalgorithm(4) hashalgs(2) 1 } 161 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 162 country(16) us(840) organization(1) gov(101) 163 csor(3) nistalgorithm(4) hashalgs(2) 2 } 164 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 165 country(16) us(840) organization(1) gov(101) 166 csor(3) nistalgorithm(4) hashalgs(2) 3 } 168 Section 2 below defines the terminology and functions used as 169 building blocks to form these algorithms. Section 3 describes the 170 fundamental operations on words from which these algorithms are 171 built. Section 4 describes how messages are padded up to an integral 172 multiple of the required block size and then parsed into blocks. 173 Section 5 defines the constants and the composite functions used to 174 specify these algorithms. Section 6 gives the actual specification 175 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 176 provides pointers to the specification of HMAC keyed message 177 authentication codes and to the specification of an extract-and- 178 expand key derivation function based on HMAC. 180 Section 8 gives sample code for the SHA algorithms, for SHA based 181 HMACs, and for HMAC-based extract-and-expand key derivation function. 183 2. Notation for Bit Strings and Integers 185 The following terminology related to bit strings and integers will be 186 used: 188 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 189 A hex digit is the representation of a 4-bit string. Examples: 190 7 = 0111, A = 1010. 192 b. A word equals a 32-bit or 64-bit string that may be represented 193 as a sequence of 8 or 16 hex digits, respectively. To convert a 194 word to hex digits, each 4-bit string is converted to its hex 195 equivalent as described in (a) above. Example: 197 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 199 Throughout this document, the "big-endian" convention is used 200 when expressing both 32-bit and 64-bit words, so that within 201 each word the most significant bit is shown in the left-most bit 202 position. 204 c. An integer may be represented as a word or pair of words. 206 An integer between 0 and 2^32 - 1 inclusive may be represented 207 as a 32-bit word. The least significant four bits of the 208 integer are represented by the right-most hex digit of the word 209 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 210 256+32+2+1 is represented by the hex word, 00000123. 212 The same holds true for an integer between 0 and 2^64-1 213 inclusive, which may be represented as a 64-bit word. 215 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 216 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 217 as words X and Y, respectively, z can be represented as the pair 218 of words (X,Y). 220 Again, the "big-endian" convention is used and the most 221 significant word is in the left-most word position for values 222 represented by multiple-words. 224 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 225 represented as a sequence of 32-bit or 64-bit words. 227 3. Operations on Words 229 The following logical operators will be applied to words in all four 230 hash operations specified herein. SHA-224 and SHA-256 operate on 231 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 233 In the operations below, x<>n is obtained as follows: discard the right-most n bits 237 of x and then prepend the result with n zeroed bits on the left (the 238 result will still be the same number of bits). 240 a. Bitwise logical word operations 242 X AND Y = bitwise logical "and" of X and Y. 244 X OR Y = bitwise logical "inclusive-or" of X and Y. 246 X XOR Y = bitwise logical "exclusive-or" of X and Y. 248 NOT X = bitwise logical "complement" of X. 250 Example: 251 01101100101110011101001001111011 252 XOR 01100101110000010110100110110111 253 -------------------------------- 254 = 00001001011110001011101111001100 256 b. The operation X + Y is defined as follows: words X and Y 257 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 258 < 2^w. For positive integers n and m, let 260 n mod m 262 be the remainder upon dividing n by m. Compute 264 z = (x + y) mod 2^w. 266 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 267 Y. 269 c. The right shift operation SHR^n(x), where x is a w-bit word and n 270 is an integer with 0 <= n < w, is defined by 272 SHR^n(x) = x>>n 274 d. The rotate right (circular right shift) operation ROTR^n(x), where 275 x is a w-bit word and n is an integer with 0 <= n < w, is 276 defined by 278 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 280 e. The rotate left (circular left shift) operation ROTL^n(x), where x 281 is a w-bit word and n is an integer with 0 <= n < w, is defined 282 by 284 ROTL^n(X) = (x<>w-n) 286 Note the following equivalence relationships, where w is fixed 287 in each relationship: 289 ROTL^n(x) = ROTR^(w-n)(x) 291 ROTR^n(x) = ROTL^(w-n)(x) 293 4. Message Padding and Parsing 295 The hash functions specified herein are used to compute a message 296 digest for a message or data file that is provided as input. The 297 message or data file should be considered to be a bit string. The 298 length of the message is the number of bits in the message (the empty 299 message has length 0). If the number of bits in a message is a 300 multiple of 8, for compactness we can represent the message in hex. 301 The purpose of message padding is to make the total length of a 302 padded message a multiple of 512 for SHA-224 and SHA-256 or a 303 multiple of 1024 for SHA-384 and SHA-512. 305 The following specifies how this padding shall be performed. As a 306 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 307 integer are appended to the end of the message to produce a padded 308 message of length 512*n or 1024*n. The appended integer is the 309 length of the original message. The padded message is then processed 310 by the hash function as n 512-bit or 1024-bit blocks. 312 4.1 SHA-224 and SHA-256 314 Suppose a message has length L < 2^64. Before it is input to the 315 hash function, the message is padded on the right as follows: 317 a. "1" is appended. Example: if the original message is "01010000", 318 this is padded to "010100001". 320 b. K "0"s are appended where K is the smallest, non-negative 321 solution to the equation 323 L + 1 + K = 448 (mod 512) 325 c. Then append the 64-bit block that is L in binary representation. 326 After appending this block, the length of the message will be a 327 multiple of 512 bits. 329 Example: Suppose the original message is the bit string 331 01100001 01100010 01100011 01100100 01100101 333 After step (a) this gives 335 01100001 01100010 01100011 01100100 01100101 1 337 Since L = 40, the number of bits in the above is 41 and K = 407 338 "0"s are appended, making the total now 448. This gives the 339 following in hex: 341 61626364 65800000 00000000 00000000 342 00000000 00000000 00000000 00000000 343 00000000 00000000 00000000 00000000 344 00000000 00000000 346 The 64-bit representation of L = 40 is hex 00000000 00000028. 347 Hence the final padded message is the following hex 349 61626364 65800000 00000000 00000000 350 00000000 00000000 00000000 00000000 351 00000000 00000000 00000000 00000000 352 00000000 00000000 00000000 00000028 354 4.2 SHA-384 and SHA-512 356 Suppose a message has length L < 2^128. Before it is input to the 357 hash function, the message is padded on the right as follows: 359 a. "1" is appended. Example: if the original message is "01010000", 360 this is padded to "010100001". 362 b. K "0"s are appended where K is the smallest, non-negative 363 solution to the equation 365 L + 1 + K = 896 (mod 1024) 367 c. Then append the 128-bit block that is L in binary representation. 368 After appending this block, the length of the message will be a 369 multiple of 1024 bits. 371 Example: Suppose the original message is the bit string 373 01100001 01100010 01100011 01100100 01100101 375 After step (a) this gives 377 01100001 01100010 01100011 01100100 01100101 1 379 Since L = 40, the number of bits in the above is 41 and K = 855 380 "0"s are appended, making the total now 896. This gives the 381 following in hex: 383 61626364 65800000 00000000 00000000 384 00000000 00000000 00000000 00000000 385 00000000 00000000 00000000 00000000 386 00000000 00000000 00000000 00000000 387 00000000 00000000 00000000 00000000 388 00000000 00000000 00000000 00000000 389 00000000 00000000 00000000 00000000 391 The 128-bit representation of L = 40 is hex 00000000 00000000 392 00000000 00000028. Hence the final padded message is the 393 following hex: 395 61626364 65800000 00000000 00000000 396 00000000 00000000 00000000 00000000 397 00000000 00000000 00000000 00000000 398 00000000 00000000 00000000 00000000 399 00000000 00000000 00000000 00000000 400 00000000 00000000 00000000 00000000 401 00000000 00000000 00000000 00000000 402 00000000 00000000 00000000 00000028 404 5. Functions and Constants Used 406 The following subsections give the six logical functions and the 407 table of constants used in each of the hash functions. 409 5.1 SHA-224 and SHA-256 411 SHA-224 and SHA-256 use six logical functions, where each function 412 operates on 32-bit words, which are represented as x, y, and z. The 413 result of each function is a new 32-bit word. 415 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 417 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 419 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 421 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 423 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 425 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 427 SHA-224 and SHA-256 use the same sequence of sixty-four constant 428 32-bit words, K0, K1, ..., K63. These words represent the first 429 thirty-two bits of the fractional parts of the cube roots of the 430 first sixty-four prime numbers. In hex, these constant words are as 431 follows (from left to right): 433 428a2f98 71374491 b5c0fbcf e9b5dba5 434 3956c25b 59f111f1 923f82a4 ab1c5ed5 435 d807aa98 12835b01 243185be 550c7dc3 436 72be5d74 80deb1fe 9bdc06a7 c19bf174 437 e49b69c1 efbe4786 0fc19dc6 240ca1cc 438 2de92c6f 4a7484aa 5cb0a9dc 76f988da 439 983e5152 a831c66d b00327c8 bf597fc7 440 c6e00bf3 d5a79147 06ca6351 14292967 441 27b70a85 2e1b2138 4d2c6dfc 53380d13 442 650a7354 766a0abb 81c2c92e 92722c85 443 a2bfe8a1 a81a664b c24b8b70 c76c51a3 444 d192e819 d6990624 f40e3585 106aa070 445 19a4c116 1e376c08 2748774c 34b0bcb5 446 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 447 748f82ee 78a5636f 84c87814 8cc70208 448 90befffa a4506ceb bef9a3f7 c67178f2 450 5.2 SHA-384 and SHA-512 452 SHA-384 and SHA-512 each use six logical functions, where each 453 function operates on 64-bit words, which are represented as x, y, and 454 z. The result of each function is a new 64-bit word. 456 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 458 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 460 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 462 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 464 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 466 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 468 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 469 words, K0, K1, ... K79. These words represent the first sixty-four 470 bits of the fractional parts of the cube roots of the first eighty 471 prime numbers. In hex, these constant words are as follows (from 472 left to right): 474 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 475 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 476 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 477 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 478 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 479 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 480 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 481 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 482 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 483 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 484 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 485 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 486 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 487 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 488 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 489 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 490 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 491 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 492 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 493 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 495 6. Computing the Message Digest 497 The output of each of the secure hash functions, after being applied 498 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 499 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 500 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 501 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 503 As described below, the hash words are initialized, modified as each 504 message block is processed, and finally concatenated after processing 505 the last block to yield the output. For SHA-256 and SHA-512, all of 506 the H(N) variables are concatenated while the SHA-224 and SHA-384 507 hashes are produced by omitting some from the final concatenation. 509 6.1 SHA-224 and SHA-256 Initialization 511 For SHA-224, the initial hash value, H(0), consists of the following 512 32-bit words in hex: 514 H(0)0 = c1059ed8 515 H(0)1 = 367cd507 516 H(0)2 = 3070dd17 517 H(0)3 = f70e5939 518 H(0)4 = ffc00b31 519 H(0)5 = 68581511 520 H(0)6 = 64f98fa7 521 H(0)7 = befa4fa4 523 For SHA-256, the initial hash value, H(0), consists of the following 524 eight 32-bit words, in hex. These words were obtained by taking the 525 first thirty-two bits of the fractional parts of the square roots of 526 the first eight prime numbers. 528 H(0)0 = 6a09e667 529 H(0)1 = bb67ae85 530 H(0)2 = 3c6ef372 531 H(0)3 = a54ff53a 532 H(0)4 = 510e527f 533 H(0)5 = 9b05688c 534 H(0)6 = 1f83d9ab 535 H(0)7 = 5be0cd19 537 6.2 SHA-224 and SHA-256 Processing 539 SHA-224 and SHA-256 perform identical processing on messages blocks 540 and differ only in how H(0) is initialized and how they produce their 541 final output. They may be used to hash a message, M, having a length 542 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 543 schedule of sixty-four 32-bit words, (2) eight working variables of 544 32 bits each, and (3) a hash value of eight 32-bit words. 546 The words of the message schedule are labeled W0, W1, ..., W63. The 547 eight working variables are labeled a, b, c, d, e, f, g, and h. The 548 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 549 will hold the initial hash value, H(0), replaced by each successive 550 intermediate hash value (after each message block is processed), 551 H(i), and ending with the final hash value, H(N), after all N blocks 552 are processed. They also use two temporary words, T1 and T2. 554 The input message is padded as described in Section 4.1 above then 555 parsed into 512-bit blocks that are considered to be composed of 16 556 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 557 are then performed for each of the N message blocks. All addition is 558 performed modulo 2^32. 560 For i = 1 to N 562 1. Prepare the message schedule W: 563 For t = 0 to 15 564 Wt = M(i)t 565 For t = 16 to 63 566 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 568 2. Initialize the working variables: 569 a = H(i-1)0 570 b = H(i-1)1 571 c = H(i-1)2 572 d = H(i-1)3 573 e = H(i-1)4 574 f = H(i-1)5 575 g = H(i-1)6 576 h = H(i-1)7 578 3. Perform the main hash computation: 579 For t = 0 to 63 580 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 581 T2 = BSIG0(a) + MAJ(a,b,c) 582 h = g 583 g = f 584 f = e 585 e = d + T1 586 d = c 587 c = b 588 b = a 589 a = T1 + T2 591 4. Compute the intermediate hash value H(i) 592 H(i)0 = a + H(i-1)0 593 H(i)1 = b + H(i-1)1 594 H(i)2 = c + H(i-1)2 595 H(i)3 = d + H(i-1)3 596 H(i)4 = e + H(i-1)4 597 H(i)5 = f + H(i-1)5 598 H(i)6 = g + H(i-1)6 599 H(i)7 = h + H(i-1)7 601 After the above computations have been sequentially performed for all 602 of the blocks in the message, the final output is calculated. For 603 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 604 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 605 through H(N)6. 607 6.3 SHA-384 and SHA-512 Initialization 609 For SHA-384, the initial hash value, H(0), consists of the following 610 eight 64-bit words, in hex. These words were obtained by taking the 611 first sixty-four bits of the fractional parts of the square roots of 612 the ninth through sixteenth prime numbers. 614 H(0)0 = cbbb9d5dc1059ed8 615 H(0)1 = 629a292a367cd507 616 H(0)2 = 9159015a3070dd17 617 H(0)3 = 152fecd8f70e5939 618 H(0)4 = 67332667ffc00b31 619 H(0)5 = 8eb44a8768581511 620 H(0)6 = db0c2e0d64f98fa7 621 H(0)7 = 47b5481dbefa4fa4 623 For SHA-512, the initial hash value, H(0), consists of the following 624 eight 64-bit words, in hex. These words were obtained by taking the 625 first sixty-four bits of the fractional parts of the square roots of 626 the first eight prime numbers. 628 H(0)0 = 6a09e667f3bcc908 629 H(0)1 = bb67ae8584caa73b 630 H(0)2 = 3c6ef372fe94f82b 631 H(0)3 = a54ff53a5f1d36f1 632 H(0)4 = 510e527fade682d1 633 H(0)5 = 9b05688c2b3e6c1f 634 H(0)6 = 1f83d9abfb41bd6b 635 H(0)7 = 5be0cd19137e2179 637 6.4 SHA-384 and SHA-512 Processing 639 SHA-384 and SHA-512 perform identical processing on message blocks 640 and differ only in how H(0) is initialized and how they produce their 641 final output. They may be used to hash a message, M, having a length 642 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 643 schedule of eighty 64-bit words, (2) eight working variables of 64 644 bits each, and (3) a hash value of eight 64-bit words. 646 The words of the message schedule are labeled W0, W1, ..., W79. The 647 eight working variables are labeled a, b, c, d, e, f, g, and h. The 648 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 649 will hold the initial hash value, H(0), replaced by each successive 650 intermediate hash value (after each message block is processed), 651 H(i), and ending with the final hash value, H(N) after all N blocks 652 are processed. 654 The input message is padded as described in Section 4.2 above, then 655 parsed into 1024-bit blocks that are considered to be composed of 16 656 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 657 are then performed for each of the N message blocks. All addition is 658 performed modulo 2^64. 660 For i = 1 to N 662 1. Prepare the message schedule W: 663 For t = 0 to 15 664 Wt = M(i)t 665 For t = 16 to 79 666 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 668 2. Initialize the working variables: 669 a = H(i-1)0 670 b = H(i-1)1 671 c = H(i-1)2 672 d = H(i-1)3 673 e = H(i-1)4 674 f = H(i-1)5 675 g = H(i-1)6 676 h = H(i-1)7 678 3. Perform the main hash computation: 679 For t = 0 to 79 680 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 681 T2 = BSIG0(a) + MAJ(a,b,c) 682 h = g 683 g = f 684 f = e 685 e = d + T1 686 d = c 687 c = b 688 b = a 689 a = T1 + T2 691 4. Compute the intermediate hash value H(i) 692 H(i)0 = a + H(i-1)0 693 H(i)1 = b + H(i-1)1 694 H(i)2 = c + H(i-1)2 695 H(i)3 = d + H(i-1)3 696 H(i)4 = e + H(i-1)4 697 H(i)5 = f + H(i-1)5 698 H(i)6 = g + H(i-1)6 699 H(i)7 = h + H(i-1)7 701 After the above computations have been sequentially performed for all 702 of the blocks in the message, the final output is calculated. For 703 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 704 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 705 through H(N)5. 707 7. HKDF and SHA Based HMACs 709 Below are brief descriptions and pointers to more complete 710 descriptions and code for (1) an HMAC-based extract-and-expand key 711 derivation function and (2) SHA based HMACs. Both HKDF and HMAC were 712 devised by Hugo Krawczyk. 714 7.1 SHA Based HMACs 716 HMAC is a method for computing a keyed MAC (message authentication 717 code) using a hash function as described in [RFC2104]. It uses a key 718 to mix in with the input text to produce the final hash. 720 Sample code is also provided, in Section 8.3 below, to perform HMAC 721 based on any of the SHA algorithms described herein. The sample code 722 found in [RFC2104] was written in terms of a specified text size. 723 Since SHA is defined in terms of an arbitrary number of bits, the 724 sample HMAC code has been written to allow the text input to HMAC to 725 have an arbitrary number of octets and bits. A fixed length interface 726 is also provided. 728 7.2 HKDF 730 HKDF is a specific key derivation function (KDF), that is, a function 731 of initial keying material from which the KDF derives one or more 732 cryptographically strong secret keys. HKDF, which is described in 733 [RFChkdf], is based on HMAC. 735 Sample code for HKDF is provided in Section 8.4 below. 737 8. C Code for SHAs, HMAC, and HKDF 739 Below is a demonstration implementation of these secure hash 740 functions in C. Section 8.1 contains the header file sha.h that 741 declares all constants, structures and functions used by the sha and 742 hmac functions. Section 8.2 contains the C code for sha1.c, 743 sha224-256.c, sha384-512.c, and usha.c along with sha-private.h that 744 provides some declarations common to all the sha functions. Section 745 8.3 contains the C code for the HMAC functions and Section 8.4 746 contains the C code for HKDF. Section 8.5 contains a test driver to 747 exercise the code. 749 For each of the digest length $$$, there are the following set of 750 constants, a structure, and functions: 752 Constants: 753 SHA$$$HashSize number of octets in the hash 754 SHA$$$HashSizeBits number of bits in the hash 755 SHA$$$_Message_Block_Size 756 number of octets used in the intermediate 757 message blocks 758 shaSuccess = 0 constant returned by each function on success 759 shaNull = 1 constant returned by each function when 760 presented with a null pointer parameter 761 shaInputTooLong = 2 constant returned by each function when the 762 input data is too long 763 shaStateError = 3 constant returned by each function when 764 SHA$$$Input is called after SHA$$$FinalBits or 765 SHA$$$Result. 767 Structure: 768 typedef SHA$$$Context 769 an opaque structure holding the complete state 770 for producing the hash 772 Functions: 773 int SHA$$$Reset(SHA$$$Context *context); 774 Reset the hash context state 775 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 776 unsigned int bytecount); 777 Incorporate bytecount octets into the hash. 778 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 779 unsigned int bitcount); 780 Incorporate bitcount bits into the hash. The bits are in the 781 upper portion of the octet. SHA$$$Input() cannot be called 782 after this. 783 int SHA$$$Result(SHA$$$Context *, 784 uint8_t Message_Digest[SHA$$$HashSize]); 785 Do the final calculations on the hash and copy the value 786 into Message_Digest. 788 In addition, functions with the prefix USHA are provided that take a 789 SHAversion value (SHA$$$) to select the SHA function suite. They add 790 the following constants, structure and function: 792 Constants: 793 shaBadParam constant returned by USHA functions when 794 presented with a bad SHAversion (SHA$$$) 795 parameter or other illegal parameter values 796 SHA$$$ SHAversion enumeration values, used by usha, 797 hmac and hkdf functions to select the SHA 798 function suite 800 Structure: 801 typedef USHAContext 802 an opaque structure holding the complete state 803 for producing the hash 805 Functions: 806 int USHAReset(USHAContext *context, SHAversion whichSha); 807 Reset the hash context state. 808 int USHAInput(USHAContext context*, 809 const uint8_t *bytes, unsigned int bytecount); 810 Incorporate bytecount octets into the hash. 811 int USHAFinalBits(USHAContext *context, 812 const uint8_t bits, unsigned int bitcount); 813 Incorporate bitcount bits into the hash. 814 int USHAResult(USHAContext *context, 815 uint8_t Message_Digest[USHAMaxHashSize]); 816 Do the final calculations on the hash and copy the value 817 into Message_Digest. Octets in Message_Digest beyond 818 USHAHashSize(whichSha) are left untouched. 819 int USHAHashSize(enum SHAversion whichSha); 820 The number of octets in the given hash. 821 int USHAHashSizeBits(enum SHAversion whichSha); 822 The number of bits in the given hash. 823 int USHABlockSize(enum SHAversion whichSha); 824 The internal block size for the given hash. 825 const char *USHAHashName(enum SHAversion whichSha); 826 This function will return the name of the given SHA 827 algorithm as a string. 829 The hmac functions follow the same pattern to allow any length of 830 text input to be used. 832 Structures: 833 typedef HMACContext an opaque structure holding the complete state 834 for producing the hash 836 Functions: 837 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 838 const unsigned char *key, int key_len); 839 Reset the hash context state. 840 int hmacInput(HMACContext *ctx, const unsigned char *text, 841 int text_len); 842 Incorporate text_len octets into the hash. 843 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 844 unsigned int bitcount); 845 Incorporate bitcount bits into the hash. 846 int hmacResult(HMACContext *ctx, 847 uint8_t Message_Digest[USHAMaxHashSize]); 848 Do the final calculations on the hash and copy the value 849 into Message_Digest. Octets in Message_Digest beyond 850 USHAHashSize(whichSha) are left untouched. 852 In addition, a combined interface is provided, similar to that shown 853 in [RFC2104], that allows a fixed-length text input to be used. 855 int hmac(SHAversion whichSha, 856 const unsigned char *text, int text_len, 857 const unsigned char *key, int key_len, 858 uint8_t Message_Digest[USHAMaxHashSize]); 859 Calculate the given digest for the given text and key, and 860 return the resulting hash. Octets in Message_Digest beyond 861 USHAHashSize(whichSha) are left untouched. 863 The hkdf functions follow the same pattern to allow any length of 864 text input to be used. 866 Structures: 867 typedef HKDFContext an opaque structure holding the complete state 868 for producing the hash 869 Functions: 870 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 871 const unsigned char *salt, int salt_len) 872 Reset the hash context state and initialize it with the 873 salt_len octets of the optional salt. 874 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 875 int ikm_len) 876 Incorporate ikm_len octets into the hash. 877 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 878 unsigned int ikm_bit_count) 879 Incorporate ikm_bit_count bits into the hash. 880 int hkdfResult(HKDFContext *context, 881 uint8_t prk[USHAMaxHashSize], 882 const unsigned char *info, int info_len, 883 uint8_t okm[ ], int okm_len) 884 Finish the HKDF extraction and perform the final HKDF 885 expansion, storing the okm_len octets into okm. Optionally 886 store the pseudo-random key (prk) that is generated 887 internally. 889 In addition, combined interfaces are provided, similar to that shown 890 in [RFChkdf], that allows a fixed-length text input to be used. 892 int hkdfExtract(SHAversion whichSha, 893 const unsigned char *salt, int salt_len, 894 const unsigned char *ikm, int ikm_len, 895 uint8_t prk[USHAMaxHashSize]) 896 Perform HKDF extraction, combining the salt_len octets of 897 the optional salt with the ikm_len octets of the input 898 keying material (ikm) to form the pseudo-random key prk. 899 The output prk must be large enough to hold the octets 900 appropriate for the given hash type. 902 int hkdfExpand(SHAversion whichSha, 903 const uint8_t prk[ ], int prk_len, 904 const unsigned char *info, int info_len, 905 uint8_t okm[ ], int okm_len) 906 Perform HKDF expansion, combining the prk_len octets of the 907 pseudo-random key prk with the info_len octets of info to 908 form the okm_len octets stored in okm. 910 int hkdf(SHAversion whichSha, 911 const unsigned char *salt, int salt_len, 912 const unsigned char *ikm, int ikm_len, 913 const unsigned char *info, int info_len, 914 uint8_t okm[ ], int okm_len) 915 This combined interface performs both HKDF extraction and 916 expansion. The variables are the same as in hkdfExtract() 917 and hkdfExpand(). 919 8.1 The .h file 921 /**************************** sha.h ****************************/ 922 /***************** See RFC NNNN for details. *******************/ 923 /* 924 Copyright (c) 2010 IETF Trust and the persons identified as 925 authors of the code. All rights reserved. 927 Redistribution and use in source and binary forms, with or without 928 modification, are permitted provided that the following conditions 929 are met: 931 * Redistributions of source code must retain the above copyright 932 notice, this list of conditions and the following disclaimer. 934 * Redistributions in binary form must reproduce the above copyright 935 notice, this list of conditions and the following disclaimer in 936 the documentation and/or other materials provided with the 937 distribution. 939 * Neither the name of Internet Society, IETF or IETF Trust, nor the 940 names of specific contributors, may be used to endorse or promote 941 products derived from this software without specific prior 942 written permission. 944 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 945 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 946 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 947 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 948 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 949 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 950 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 951 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 952 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 953 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 954 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 955 POSSIBILITY OF SUCH DAMAGE. 956 */ 957 #ifndef _SHA_H_ 958 #define _SHA_H_ 960 /* 961 * Description: 962 * This file implements the Secure Hash Algorithms 963 * as defined in the National Institute of Standards 964 * and Technology Federal Information Processing Standards 965 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 966 * published on August 1, 2002, and the FIPS PUB 180-2 Change 967 * Notice published on February 28, 2004. 968 * 969 * A combined document showing all algorithms is available at 970 * http://csrc.nist.gov/publications/fips/ 971 * fips180-2/fips180-2withchangenotice.pdf 972 * 973 * The five hashes are defined in these sizes: 974 * SHA-1 20 byte / 160 bit 975 * SHA-224 28 byte / 224 bit 976 * SHA-256 32 byte / 256 bit 977 * SHA-384 48 byte / 384 bit 978 * SHA-512 64 byte / 512 bit 979 */ 981 #include 982 /* 983 * If you do not have the ISO standard stdint.h header file, then you 984 * must typedef the following: 985 * name meaning 986 * uint64_t unsigned 64 bit integer 987 * uint32_t unsigned 32 bit integer 988 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 989 * int_least16_t integer of >= 16 bits 990 * 991 */ 993 #ifndef _SHA_enum_ 994 #define _SHA_enum_ 995 /* 996 * All SHA functions return one of these values. 997 */ 998 enum { 999 shaSuccess = 0, 1000 shaNull, /* Null pointer parameter */ 1001 shaInputTooLong, /* input data too long */ 1002 shaStateError, /* called Input after FinalBits or Result */ 1003 shaBadParam /* passed a bad parameter */ 1004 }; 1005 #endif /* _SHA_enum_ */ 1007 /* 1008 * These constants hold size information for each of the SHA 1009 * hashing operations 1010 */ 1011 enum { 1012 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1013 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1014 SHA512_Message_Block_Size = 128, 1015 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1017 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1018 SHA384HashSize = 48, SHA512HashSize = 64, 1019 USHAMaxHashSize = SHA512HashSize, 1021 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1022 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1023 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1024 }; 1026 /* 1027 * These constants are used in the USHA (unified sha) functions. 1028 */ 1029 typedef enum SHAversion { 1030 SHA1, SHA224, SHA256, SHA384, SHA512 1031 } SHAversion; 1033 /* 1034 * This structure will hold context information for the SHA-1 1035 * hashing operation. 1036 */ 1037 typedef struct SHA1Context { 1038 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1040 uint32_t Length_Low; /* Message length in bits */ 1041 uint32_t Length_High; /* Message length in bits */ 1043 int_least16_t Message_Block_Index; /* Message_Block array index */ 1044 /* 512-bit message blocks */ 1045 uint8_t Message_Block[SHA1_Message_Block_Size]; 1047 int Computed; /* Is the digest computed? */ 1048 int Corrupted; /* Is the digest corrupted? */ 1049 } SHA1Context; 1051 /* 1052 * This structure will hold context information for the SHA-256 1053 * hashing operation. 1054 */ 1055 typedef struct SHA256Context { 1056 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1058 uint32_t Length_Low; /* Message length in bits */ 1059 uint32_t Length_High; /* Message length in bits */ 1061 int_least16_t Message_Block_Index; /* Message_Block array index */ 1062 /* 512-bit message blocks */ 1063 uint8_t Message_Block[SHA256_Message_Block_Size]; 1065 int Computed; /* Is the digest computed? */ 1066 int Corrupted; /* Is the digest corrupted? */ 1067 } SHA256Context; 1069 /* 1070 * This structure will hold context information for the SHA-512 1071 * hashing operation. 1072 */ 1073 typedef struct SHA512Context { 1074 #ifdef USE_32BIT_ONLY 1075 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1076 uint32_t Length[4]; /* Message length in bits */ 1077 #else /* !USE_32BIT_ONLY */ 1078 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1079 uint64_t Length_Low, Length_High; /* Message length in bits */ 1080 #endif /* USE_32BIT_ONLY */ 1082 int_least16_t Message_Block_Index; /* Message_Block array index */ 1083 /* 1024-bit message blocks */ 1085 uint8_t Message_Block[SHA512_Message_Block_Size]; 1087 int Computed; /* Is the digest computed?*/ 1088 int Corrupted; /* Is the digest corrupted? */ 1089 } SHA512Context; 1091 /* 1092 * This structure will hold context information for the SHA-224 1093 * hashing operation. It uses the SHA-256 structure for computation. 1094 */ 1095 typedef struct SHA256Context SHA224Context; 1097 /* 1098 * This structure will hold context information for the SHA-384 1099 * hashing operation. It uses the SHA-512 structure for computation. 1100 */ 1101 typedef struct SHA512Context SHA384Context; 1103 /* 1104 * This structure holds context information for all SHA 1105 * hashing operations. 1106 */ 1107 typedef struct USHAContext { 1108 int whichSha; /* which SHA is being used */ 1109 union { 1110 SHA1Context sha1Context; 1111 SHA224Context sha224Context; SHA256Context sha256Context; 1112 SHA384Context sha384Context; SHA512Context sha512Context; 1113 } ctx; 1114 } USHAContext; 1116 /* 1117 * This structure will hold context information for the HMAC 1118 * keyed hashing operation. 1119 */ 1120 typedef struct HMACContext { 1121 int whichSha; /* which SHA is being used */ 1122 int hashSize; /* hash size of SHA being used */ 1123 int blockSize; /* block size of SHA being used */ 1124 USHAContext shaContext; /* SHA context */ 1125 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1126 /* outer padding - key XORd with opad */ 1127 int Computed; /* Is the digest computed? */ 1128 int Corrupted; /* Is the digest corrupted? */ 1129 } HMACContext; 1131 /* 1132 * This structure will hold context information for the HKDF 1133 * Extract-and-Expand Key Derivation functions. 1135 */ 1136 typedef struct HKDFContext { 1137 int whichSha; /* which SHA is being used */ 1138 HMACContext hmacContext; 1139 int hashSize; /* hash size of SHA being used */ 1140 unsigned char prk[USHAMaxHashSize]; 1141 /* Pseudo Random Key - output of hkdfInput */ 1142 int Computed; /* Is the digest computed? */ 1143 int Corrupted; /* Is the digest corrupted? */ 1144 } HKDFContext; 1146 /* 1147 * Function Prototypes 1148 */ 1150 /* SHA-1 */ 1151 extern int SHA1Reset(SHA1Context *); 1152 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1153 unsigned int bytecount); 1154 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1155 unsigned int bit_count); 1156 extern int SHA1Result(SHA1Context *, 1157 uint8_t Message_Digest[SHA1HashSize]); 1159 /* SHA-224 */ 1160 extern int SHA224Reset(SHA224Context *); 1161 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1162 unsigned int bytecount); 1163 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1164 unsigned int bit_count); 1165 extern int SHA224Result(SHA224Context *, 1166 uint8_t Message_Digest[SHA224HashSize]); 1168 /* SHA-256 */ 1169 extern int SHA256Reset(SHA256Context *); 1170 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1171 unsigned int bytecount); 1172 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1173 unsigned int bit_count); 1174 extern int SHA256Result(SHA256Context *, 1175 uint8_t Message_Digest[SHA256HashSize]); 1177 /* SHA-384 */ 1178 extern int SHA384Reset(SHA384Context *); 1179 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1180 unsigned int bytecount); 1181 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1182 unsigned int bit_count); 1183 extern int SHA384Result(SHA384Context *, 1184 uint8_t Message_Digest[SHA384HashSize]); 1186 /* SHA-512 */ 1187 extern int SHA512Reset(SHA512Context *); 1188 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1189 unsigned int bytecount); 1190 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1191 unsigned int bit_count); 1192 extern int SHA512Result(SHA512Context *, 1193 uint8_t Message_Digest[SHA512HashSize]); 1195 /* Unified SHA functions, chosen by whichSha */ 1196 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1197 extern int USHAInput(USHAContext *context, 1198 const uint8_t *bytes, unsigned int bytecount); 1199 extern int USHAFinalBits(USHAContext *context, 1200 uint8_t bits, unsigned int bit_count); 1201 extern int USHAResult(USHAContext *context, 1202 uint8_t Message_Digest[USHAMaxHashSize]); 1203 extern int USHABlockSize(enum SHAversion whichSha); 1204 extern int USHAHashSize(enum SHAversion whichSha); 1205 extern int USHAHashSizeBits(enum SHAversion whichSha); 1206 extern const char *USHAHashName(enum SHAversion whichSha); 1208 /* 1209 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1210 * for all SHAs. 1211 * This interface allows a fixed-length text input to be used. 1212 */ 1213 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1214 const unsigned char *text, /* pointer to data stream */ 1215 int text_len, /* length of data stream */ 1216 const unsigned char *key, /* pointer to authentication key */ 1217 int key_len, /* length of authentication key */ 1218 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1220 /* 1221 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1222 * for all SHAs. 1223 * This interface allows any length of text input to be used. 1224 */ 1225 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1226 const unsigned char *key, int key_len); 1227 extern int hmacInput(HMACContext *context, const unsigned char *text, 1228 int text_len); 1229 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1230 unsigned int bit_count); 1231 extern int hmacResult(HMACContext *context, 1232 uint8_t digest[USHAMaxHashSize]); 1234 /* 1235 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1236 * RFCXXXX, for all SHAs. 1237 */ 1238 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1239 int salt_len, const unsigned char *ikm, int ikm_len, 1240 const unsigned char *info, int info_len, 1241 uint8_t okm[ ], int okm_len); 1242 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1243 int salt_len, const unsigned char *ikm, 1244 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1245 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1246 int prk_len, const unsigned char *info, 1247 int info_len, uint8_t okm[ ], int okm_len); 1249 /* 1250 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1251 * RFCXXXX, for all SHAs. 1252 * This interface allows any length of text input to be used. 1253 */ 1254 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1255 const unsigned char *salt, int salt_len); 1256 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1257 int ikm_len); 1258 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1259 unsigned int ikm_bit_count); 1260 extern int hkdfResult(HKDFContext *context, 1261 uint8_t prk[USHAMaxHashSize], 1262 const unsigned char *info, int info_len, 1263 uint8_t okm[USHAMaxHashSize], int okm_len); 1265 #endif /* _SHA_H_ */ 1267 8.2 The SHA Code 1269 This code is primarily intended as expository and could be optimized 1270 further. For example, the assignment rotations through the variables 1271 a, b, ..., h could be treated as a cycle and the loop unrolled, 1272 rather than doing the explicit copying. 1274 Note that there are alternative representations of the Ch() and Maj() 1275 functions controlled by an ifdef. 1277 8.2.1 sha1.c 1279 /**************************** sha1.c ***************************/ 1280 /***************** See RFC NNNN for details. *******************/ 1281 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1282 /* authors of the code. All rights reserved. */ 1283 /* See sha.h for terms of use and redistribution. */ 1285 /* 1286 * Description: 1287 * This file implements the Secure Hash Algorithm SHA-1 1288 * as defined in the National Institute of Standards 1289 * and Technology Federal Information Processing Standards 1290 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 1291 * published on August 1, 2002, and the FIPS PUB 180-2 Change 1292 * Notice published on February 28, 2004. 1293 * 1294 * A combined document showing all algorithms is available at 1295 * http://csrc.nist.gov/publications/fips/ 1296 * fips180-2/fips180-2withchangenotice.pdf 1297 * 1298 * The SHA-1 algorithm produces a 160-bit message digest for a 1299 * given data stream. It should take about 2**n steps to find a 1300 * message with the same digest as a given message and 1301 * 2**(n/2) to find any two messages with the same digest, 1302 * when n is the digest size in bits. Therefore, this 1303 * algorithm can serve as a means of providing a 1304 * "fingerprint" for a message. 1305 * 1306 * Portability Issues: 1307 * SHA-1 is defined in terms of 32-bit "words". This code 1308 * uses (included via "sha.h") to define 32 and 8 1309 * bit unsigned integer types. If your C compiler does not 1310 * support 32 bit unsigned integers, this code is not 1311 * appropriate. 1312 * 1313 * Caveats: 1314 * SHA-1 is designed to work with messages less than 2^64 bits 1315 * long. This implementation uses SHA1Input() to hash the bits 1316 * that are a multiple of the size of an 8-bit octet, and then 1317 * optionally uses SHA1FinalBits() to hash the final few bits of 1318 * the input. 1319 */ 1321 #include "sha.h" 1322 #include "sha-private.h" 1324 /* 1325 * Define the SHA1 circular left shift macro 1326 */ 1328 #define SHA1_ROTL(bits,word) \ 1329 (((word) << (bits)) | ((word) >> (32-(bits)))) 1331 /* 1332 * Add "length" to the length. 1333 * Set Corrupted when overflow has occurred. 1334 */ 1335 static uint32_t addTemp; 1336 #define SHA1AddLength(context, length) \ 1337 (addTemp = (context)->Length_Low, \ 1338 (context)->Corrupted = \ 1339 (((context)->Length_Low += (length)) < addTemp) && \ 1340 (++(context)->Length_High == 0) ? shaInputTooLong \ 1341 : shaSuccess ) 1343 /* Local Function Prototypes */ 1344 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1345 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1346 static void SHA1ProcessMessageBlock(SHA1Context *context); 1348 /* 1349 * SHA1Reset 1350 * 1351 * Description: 1352 * This function will initialize the SHA1Context in preparation 1353 * for computing a new SHA1 message digest. 1354 * 1355 * Parameters: 1356 * context: [in/out] 1357 * The context to reset. 1358 * 1359 * Returns: 1360 * sha Error Code. 1361 * 1362 */ 1363 int SHA1Reset(SHA1Context *context) 1364 { 1365 if (!context) 1366 return shaNull; 1368 context->Length_Low = 0; 1369 context->Length_High = 0; 1370 context->Message_Block_Index = 0; 1372 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ 1373 context->Intermediate_Hash[0] = 0x67452301; 1374 context->Intermediate_Hash[1] = 0xEFCDAB89; 1375 context->Intermediate_Hash[2] = 0x98BADCFE; 1376 context->Intermediate_Hash[3] = 0x10325476; 1377 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1378 context->Computed = 0; 1379 context->Corrupted = 0; 1381 return shaSuccess; 1382 } 1384 /* 1385 * SHA1Input 1386 * 1387 * Description: 1388 * This function accepts an array of octets as the next portion 1389 * of the message. 1390 * 1391 * Parameters: 1392 * context: [in/out] 1393 * The SHA context to update 1394 * message_array: [in] 1395 * An array of octets representing the next portion of 1396 * the message. 1397 * length: [in] 1398 * The length of the message in message_array 1399 * 1400 * Returns: 1401 * sha Error Code. 1402 * 1403 */ 1404 int SHA1Input(SHA1Context *context, 1405 const uint8_t *message_array, unsigned length) 1406 { 1407 if (!length) 1408 return shaSuccess; 1410 if (!context || !message_array) 1411 return shaNull; 1413 if (context->Computed) return context->Corrupted = shaStateError; 1414 if (context->Corrupted) return context->Corrupted; 1416 while (length-- && !context->Corrupted) { 1417 context->Message_Block[context->Message_Block_Index++] = 1418 (*message_array & 0xFF); 1420 if ((SHA1AddLength(context, 8) == shaSuccess) && 1421 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1422 SHA1ProcessMessageBlock(context); 1424 message_array++; 1425 } 1427 return context->Corrupted; 1429 } 1431 /* 1432 * SHA1FinalBits 1433 * 1434 * Description: 1435 * This function will add in any final bits of the message. 1436 * 1437 * Parameters: 1438 * context: [in/out] 1439 * The SHA context to update 1440 * message_bits: [in] 1441 * The final bits of the message, in the upper portion of the 1442 * byte. (Use 0b###00000 instead of 0b00000### to input the 1443 * three bits ###.) 1444 * length: [in] 1445 * The number of bits in message_bits, between 1 and 7. 1446 * 1447 * Returns: 1448 * sha Error Code. 1449 */ 1450 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1451 unsigned int length) 1452 { 1453 uint8_t masks[8] = { 1454 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1455 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1456 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1457 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1458 }; 1459 uint8_t markbit[8] = { 1460 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1461 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1462 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1463 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1464 }; 1466 if (!length) 1467 return shaSuccess; 1469 if (!context) 1470 return shaNull; 1472 if (context->Computed) return context->Corrupted = shaStateError; 1474 if ((length >= 8) || (length == 0)) 1475 return context->Corrupted = shaBadParam; 1477 if (context->Corrupted) 1478 return context->Corrupted; 1480 SHA1AddLength(context, length); 1481 SHA1Finalize(context, 1482 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1484 return context->Corrupted; 1485 } 1487 /* 1488 * SHA1Result 1489 * 1490 * Description: 1491 * This function will return the 160-bit message digest 1492 * into the Message_Digest array provided by the caller. 1493 * NOTE: 1494 * The first octet of hash is stored in the element with index 0, 1495 * the last octet of hash in the element with index 19. 1496 * 1497 * Parameters: 1498 * context: [in/out] 1499 * The context to use to calculate the SHA-1 hash. 1500 * Message_Digest: [out] 1501 * Where the digest is returned. 1502 * 1503 * Returns: 1504 * sha Error Code. 1505 * 1506 */ 1507 int SHA1Result(SHA1Context *context, 1508 uint8_t Message_Digest[SHA1HashSize]) 1509 { 1510 int i; 1512 if (!context || !Message_Digest) 1513 return shaNull; 1515 if (context->Corrupted) 1516 return context->Corrupted; 1518 if (!context->Computed) 1519 SHA1Finalize(context, 0x80); 1521 for (i = 0; i < SHA1HashSize; ++i) 1522 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1523 >> 8 * ( 3 - ( i & 0x03 ) )); 1525 return shaSuccess; 1526 } 1528 /* 1529 * SHA1Finalize 1530 * 1531 * Description: 1532 * This helper function finishes off the digest calculations. 1533 * 1534 * Parameters: 1535 * context: [in/out] 1536 * The SHA context to update 1537 * Pad_Byte: [in] 1538 * The last byte to add to the digest before the 0-padding 1539 * and length. This will contain the last bits of the message 1540 * followed by another single bit. If the message was an 1541 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1542 * 1543 * Returns: 1544 * sha Error Code. 1545 * 1546 */ 1547 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1548 { 1549 int i; 1550 SHA1PadMessage(context, Pad_Byte); 1551 /* message may be sensitive, clear it out */ 1552 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1553 context->Message_Block[i] = 0; 1554 context->Length_Low = 0; /* and clear length */ 1555 context->Length_High = 0; 1556 context->Computed = 1; 1557 } 1559 /* 1560 * SHA1PadMessage 1561 * 1562 * Description: 1563 * According to the standard, the message must be padded to the next 1564 * even multiple of 512 bits. The first padding bit must be a '1'. 1565 * The last 64 bits represent the length of the original message. 1566 * All bits in between should be 0. This helper function will pad 1567 * the message according to those rules by filling the Message_Block 1568 * array accordingly. When it returns, it can be assumed that the 1569 * message digest has been computed. 1570 * 1571 * Parameters: 1572 * context: [in/out] 1573 * The context to pad 1574 * Pad_Byte: [in] 1575 * The last byte to add to the digest before the 0-padding 1576 * and length. This will contain the last bits of the message 1577 * followed by another single bit. If the message was an 1578 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1579 * 1580 * Returns: 1581 * Nothing. 1582 */ 1583 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1584 { 1585 /* 1586 * Check to see if the current message block is too small to hold 1587 * the initial padding bits and length. If so, we will pad the 1588 * block, process it, and then continue padding into a second 1589 * block. 1590 */ 1591 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1592 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1593 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1594 context->Message_Block[context->Message_Block_Index++] = 0; 1596 SHA1ProcessMessageBlock(context); 1597 } else 1598 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1600 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1601 context->Message_Block[context->Message_Block_Index++] = 0; 1603 /* 1604 * Store the message length as the last 8 octets 1605 */ 1606 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1607 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1608 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1609 context->Message_Block[59] = (uint8_t) (context->Length_High); 1610 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1611 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1612 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1613 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1615 SHA1ProcessMessageBlock(context); 1616 } 1618 /* 1619 * SHA1ProcessMessageBlock 1620 * 1621 * Description: 1622 * This helper function will process the next 512 bits of the 1623 * message stored in the Message_Block array. 1624 * 1625 * Parameters: 1626 * context: [in/out] 1627 * The SHA context to update 1628 * 1629 * Returns: 1631 * Nothing. 1632 * 1633 * Comments: 1634 * Many of the variable names in this code, especially the 1635 * single character names, were used because those were the 1636 * names used in the publication. 1637 */ 1638 static void SHA1ProcessMessageBlock(SHA1Context *context) 1639 { 1640 /* Constants defined in FIPS-180-2, section 4.2.1 */ 1641 const uint32_t K[4] = { 1642 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1643 }; 1644 int t; /* Loop counter */ 1645 uint32_t temp; /* Temporary word value */ 1646 uint32_t W[80]; /* Word sequence */ 1647 uint32_t A, B, C, D, E; /* Word buffers */ 1649 /* 1650 * Initialize the first 16 words in the array W 1651 */ 1652 for (t = 0; t < 16; t++) { 1653 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1654 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1655 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1656 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1657 } 1659 for (t = 16; t < 80; t++) 1660 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1662 A = context->Intermediate_Hash[0]; 1663 B = context->Intermediate_Hash[1]; 1664 C = context->Intermediate_Hash[2]; 1665 D = context->Intermediate_Hash[3]; 1666 E = context->Intermediate_Hash[4]; 1668 for (t = 0; t < 20; t++) { 1669 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1670 E = D; 1671 D = C; 1672 C = SHA1_ROTL(30,B); 1673 B = A; 1674 A = temp; 1675 } 1677 for (t = 20; t < 40; t++) { 1678 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1679 E = D; 1680 D = C; 1681 C = SHA1_ROTL(30,B); 1682 B = A; 1683 A = temp; 1684 } 1686 for (t = 40; t < 60; t++) { 1687 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1688 E = D; 1689 D = C; 1690 C = SHA1_ROTL(30,B); 1691 B = A; 1692 A = temp; 1693 } 1695 for (t = 60; t < 80; t++) { 1696 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1697 E = D; 1698 D = C; 1699 C = SHA1_ROTL(30,B); 1700 B = A; 1701 A = temp; 1702 } 1704 context->Intermediate_Hash[0] += A; 1705 context->Intermediate_Hash[1] += B; 1706 context->Intermediate_Hash[2] += C; 1707 context->Intermediate_Hash[3] += D; 1708 context->Intermediate_Hash[4] += E; 1710 context->Message_Block_Index = 0; 1711 } 1713 8.2.2 sha224-256.c 1715 /************************* sha224-256.c ************************/ 1716 /***************** See RFC NNNN for details. *******************/ 1717 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1718 /* authors of the code. All rights reserved. */ 1719 /* See sha.h for terms of use and redistribution. */ 1721 /* 1722 * Description: 1723 * This file implements the Secure Hash Algorithms SHA-224 and 1724 * SHA-256 as defined in the National Institute of Standards 1725 * and Technology Federal Information Processing Standards 1726 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 1727 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 1728 * 1729 * A combined document showing all algorithms is available at 1730 * http://csrc.nist.gov/publications/fips/ 1731 * fips180-2/fips180-2withchangenotice.pdf 1732 * 1733 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1734 * message digests for a given data stream. It should take about 1735 * 2**n steps to find a message with the same digest as a given 1736 * message and 2**(n/2) to find any two messages with the same 1737 * digest, when n is the digest size in bits. Therefore, this 1738 * algorithm can serve as a means of providing a 1739 * "fingerprint" for a message. 1740 * 1741 * Portability Issues: 1742 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1743 * This code uses (included via "sha.h") to define 32 1744 * and 8 bit unsigned integer types. If your C compiler does not 1745 * support 32 bit unsigned integers, this code is not 1746 * appropriate. 1747 * 1748 * Caveats: 1749 * SHA-224 and SHA-256 are designed to work with messages less 1750 * than 2^64 bits long. This implementation uses SHA224/256Input() 1751 * to hash the bits that are a multiple of the size of an 8-bit 1752 * octet, and then optionally uses SHA224/256FinalBits() 1753 * to hash the final few bits of the input. 1754 */ 1756 #include "sha.h" 1757 #include "sha-private.h" 1759 /* Define the SHA shift, rotate left and rotate right macro */ 1760 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1761 #define SHA256_ROTL(bits,word) \ 1762 (((word) << (bits)) | ((word) >> (32-(bits)))) 1763 #define SHA256_ROTR(bits,word) \ 1764 (((word) >> (bits)) | ((word) << (32-(bits)))) 1766 /* Define the SHA SIGMA and sigma macros */ 1767 #define SHA256_SIGMA0(word) \ 1768 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1769 #define SHA256_SIGMA1(word) \ 1770 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1771 #define SHA256_sigma0(word) \ 1772 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1773 #define SHA256_sigma1(word) \ 1774 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1776 /* 1777 * Add "length" to the length. 1778 * Set Corrupted when overflow has occurred. 1780 */ 1781 static uint32_t addTemp; 1782 #define SHA224_256AddLength(context, length) \ 1783 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1784 (((context)->Length_Low += (length)) < addTemp) && \ 1785 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1786 shaSuccess ) 1788 /* Local Function Prototypes */ 1789 static void SHA224_256Finalize(SHA256Context *context, 1790 uint8_t Pad_Byte); 1791 static void SHA224_256PadMessage(SHA256Context *context, 1792 uint8_t Pad_Byte); 1793 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1794 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1795 static int SHA224_256ResultN(SHA256Context *context, 1796 uint8_t Message_Digest[ ], int HashSize); 1798 /* Initial Hash Values: FIPS-180-2 Change Notice 1 */ 1799 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1800 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1801 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1802 }; 1804 /* Initial Hash Values: FIPS-180-2 section 5.3.2 */ 1805 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1806 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1807 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1808 }; 1810 /* 1811 * SHA224Reset 1812 * 1813 * Description: 1814 * This function will initialize the SHA224Context in preparation 1815 * for computing a new SHA224 message digest. 1816 * 1817 * Parameters: 1818 * context: [in/out] 1819 * The context to reset. 1820 * 1821 * Returns: 1822 * sha Error Code. 1823 */ 1824 int SHA224Reset(SHA224Context *context) 1825 { 1826 return SHA224_256Reset(context, SHA224_H0); 1827 } 1829 /* 1830 * SHA224Input 1831 * 1832 * Description: 1833 * This function accepts an array of octets as the next portion 1834 * of the message. 1835 * 1836 * Parameters: 1837 * context: [in/out] 1838 * The SHA context to update 1839 * message_array: [in] 1840 * An array of octets representing the next portion of 1841 * the message. 1842 * length: [in] 1843 * The length of the message in message_array 1844 * 1845 * Returns: 1846 * sha Error Code. 1847 * 1848 */ 1849 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1850 unsigned int length) 1851 { 1852 return SHA256Input(context, message_array, length); 1853 } 1855 /* 1856 * SHA224FinalBits 1857 * 1858 * Description: 1859 * This function will add in any final bits of the message. 1860 * 1861 * Parameters: 1862 * context: [in/out] 1863 * The SHA context to update 1864 * message_bits: [in] 1865 * The final bits of the message, in the upper portion of the 1866 * byte. (Use 0b###00000 instead of 0b00000### to input the 1867 * three bits ###.) 1868 * length: [in] 1869 * The number of bits in message_bits, between 1 and 7. 1870 * 1871 * Returns: 1872 * sha Error Code. 1873 */ 1874 int SHA224FinalBits(SHA224Context *context, 1875 uint8_t message_bits, unsigned int length) 1876 { 1877 return SHA256FinalBits(context, message_bits, length); 1878 } 1879 /* 1880 * SHA224Result 1881 * 1882 * Description: 1883 * This function will return the 224-bit message digest 1884 * into the Message_Digest array provided by the caller. 1885 * NOTE: 1886 * The first octet of hash is stored in the element with index 0, 1887 * the last octet of hash in the element with index 27. 1888 * 1889 * Parameters: 1890 * context: [in/out] 1891 * The context to use to calculate the SHA hash. 1892 * Message_Digest: [out] 1893 * Where the digest is returned. 1894 * 1895 * Returns: 1896 * sha Error Code. 1897 */ 1898 int SHA224Result(SHA224Context *context, 1899 uint8_t Message_Digest[SHA224HashSize]) 1900 { 1901 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1902 } 1904 /* 1905 * SHA256Reset 1906 * 1907 * Description: 1908 * This function will initialize the SHA256Context in preparation 1909 * for computing a new SHA256 message digest. 1910 * 1911 * Parameters: 1912 * context: [in/out] 1913 * The context to reset. 1914 * 1915 * Returns: 1916 * sha Error Code. 1917 */ 1918 int SHA256Reset(SHA256Context *context) 1919 { 1920 return SHA224_256Reset(context, SHA256_H0); 1921 } 1923 /* 1924 * SHA256Input 1925 * 1926 * Description: 1927 * This function accepts an array of octets as the next portion 1928 * of the message. 1930 * 1931 * Parameters: 1932 * context: [in/out] 1933 * The SHA context to update 1934 * message_array: [in] 1935 * An array of octets representing the next portion of 1936 * the message. 1937 * length: [in] 1938 * The length of the message in message_array 1939 * 1940 * Returns: 1941 * sha Error Code. 1942 */ 1943 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1944 unsigned int length) 1945 { 1946 if (!length) 1947 return shaSuccess; 1949 if (!context || !message_array) 1950 return shaNull; 1952 if (context->Computed) 1953 return context->Corrupted = shaStateError; 1955 if (context->Corrupted) 1956 return context->Corrupted; 1958 while (length-- && !context->Corrupted) { 1959 context->Message_Block[context->Message_Block_Index++] = 1960 (*message_array & 0xFF); 1962 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 1963 (context->Message_Block_Index == SHA256_Message_Block_Size)) 1964 SHA224_256ProcessMessageBlock(context); 1966 message_array++; 1967 } 1969 return context->Corrupted; 1971 } 1973 /* 1974 * SHA256FinalBits 1975 * 1976 * Description: 1977 * This function will add in any final bits of the message. 1978 * 1979 * Parameters: 1981 * context: [in/out] 1982 * The SHA context to update 1983 * message_bits: [in] 1984 * The final bits of the message, in the upper portion of the 1985 * byte. (Use 0b###00000 instead of 0b00000### to input the 1986 * three bits ###.) 1987 * length: [in] 1988 * The number of bits in message_bits, between 1 and 7. 1989 * 1990 * Returns: 1991 * sha Error Code. 1992 */ 1993 int SHA256FinalBits(SHA256Context *context, 1994 uint8_t message_bits, unsigned int length) 1995 { 1996 uint8_t masks[8] = { 1997 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1998 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1999 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2000 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2001 }; 2002 uint8_t markbit[8] = { 2003 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2004 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2005 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2006 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2007 }; 2009 if (!length) 2010 return shaSuccess; 2012 if (!context) 2013 return shaNull; 2015 if (context->Computed) 2016 return context->Corrupted = shaStateError; 2018 if ((length >= 8) || (length == 0)) 2019 return context->Corrupted = shaBadParam; 2021 if (context->Corrupted) 2022 return context->Corrupted; 2024 SHA224_256AddLength(context, length); 2025 SHA224_256Finalize(context, (uint8_t) 2026 ((message_bits & masks[length]) | markbit[length])); 2028 return context->Corrupted; 2029 } 2030 /* 2031 * SHA256Result 2032 * 2033 * Description: 2034 * This function will return the 256-bit message digest 2035 * into the Message_Digest array provided by the caller. 2036 * NOTE: 2037 * The first octet of hash is stored in the element with index 0, 2038 * the last octet of hash in the element with index 31. 2039 * 2040 * Parameters: 2041 * context: [in/out] 2042 * The context to use to calculate the SHA hash. 2043 * Message_Digest: [out] 2044 * Where the digest is returned. 2045 * 2046 * Returns: 2047 * sha Error Code. 2048 */ 2049 int SHA256Result(SHA256Context *context, 2050 uint8_t Message_Digest[SHA256HashSize]) 2051 { 2052 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2053 } 2055 /* 2056 * SHA224_256Finalize 2057 * 2058 * Description: 2059 * This helper function finishes off the digest calculations. 2060 * 2061 * Parameters: 2062 * context: [in/out] 2063 * The SHA context to update 2064 * Pad_Byte: [in] 2065 * The last byte to add to the digest before the 0-padding 2066 * and length. This will contain the last bits of the message 2067 * followed by another single bit. If the message was an 2068 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2069 * 2070 * Returns: 2071 * sha Error Code. 2072 */ 2073 static void SHA224_256Finalize(SHA256Context *context, 2074 uint8_t Pad_Byte) 2075 { 2076 int i; 2077 SHA224_256PadMessage(context, Pad_Byte); 2078 /* message may be sensitive, so clear it out */ 2079 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2080 context->Message_Block[i] = 0; 2081 context->Length_Low = 0; /* and clear length */ 2082 context->Length_High = 0; 2083 context->Computed = 1; 2084 } 2086 /* 2087 * SHA224_256PadMessage 2088 * 2089 * Description: 2090 * According to the standard, the message must be padded to the next 2091 * even multiple of 512 bits. The first padding bit must be a '1'. 2092 * The last 64 bits represent the length of the original message. 2093 * All bits in between should be 0. This helper function will pad 2094 * the message according to those rules by filling the 2095 * Message_Block array accordingly. When it returns, it can be 2096 * assumed that the message digest has been computed. 2097 * 2098 * Parameters: 2099 * context: [in/out] 2100 * The context to pad 2101 * Pad_Byte: [in] 2102 * The last byte to add to the digest before the 0-padding 2103 * and length. This will contain the last bits of the message 2104 * followed by another single bit. If the message was an 2105 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2106 * 2107 * Returns: 2108 * Nothing. 2109 */ 2110 static void SHA224_256PadMessage(SHA256Context *context, 2111 uint8_t Pad_Byte) 2112 { 2113 /* 2114 * Check to see if the current message block is too small to hold 2115 * the initial padding bits and length. If so, we will pad the 2116 * block, process it, and then continue padding into a second 2117 * block. 2118 */ 2119 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2120 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2121 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2122 context->Message_Block[context->Message_Block_Index++] = 0; 2123 SHA224_256ProcessMessageBlock(context); 2124 } else 2125 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2127 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2128 context->Message_Block[context->Message_Block_Index++] = 0; 2130 /* 2131 * Store the message length as the last 8 octets 2132 */ 2133 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2134 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2135 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2136 context->Message_Block[59] = (uint8_t)(context->Length_High); 2137 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2138 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2139 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2140 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2142 SHA224_256ProcessMessageBlock(context); 2143 } 2145 /* 2146 * SHA224_256ProcessMessageBlock 2147 * 2148 * Description: 2149 * This helper function will process the next 512 bits of the 2150 * message stored in the Message_Block array. 2151 * 2152 * Parameters: 2153 * context: [in/out] 2154 * The SHA context to update 2155 * 2156 * Returns: 2157 * Nothing. 2158 * 2159 * Comments: 2160 * Many of the variable names in this code, especially the 2161 * single character names, were used because those were the 2162 * names used in the publication. 2163 */ 2164 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2165 { 2166 /* Constants defined in FIPS-180-2, section 4.2.2 */ 2167 static const uint32_t K[64] = { 2168 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2169 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2170 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2171 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2172 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2173 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2174 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2175 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2176 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2177 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2178 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2179 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2180 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2181 }; 2182 int t, t4; /* Loop counter */ 2183 uint32_t temp1, temp2; /* Temporary word value */ 2184 uint32_t W[64]; /* Word sequence */ 2185 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2187 /* 2188 * Initialize the first 16 words in the array W 2189 */ 2190 for (t = t4 = 0; t < 16; t++, t4 += 4) 2191 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2192 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2193 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2194 (((uint32_t)context->Message_Block[t4 + 3])); 2196 for (t = 16; t < 64; t++) 2197 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2198 SHA256_sigma0(W[t-15]) + W[t-16]; 2200 A = context->Intermediate_Hash[0]; 2201 B = context->Intermediate_Hash[1]; 2202 C = context->Intermediate_Hash[2]; 2203 D = context->Intermediate_Hash[3]; 2204 E = context->Intermediate_Hash[4]; 2205 F = context->Intermediate_Hash[5]; 2206 G = context->Intermediate_Hash[6]; 2207 H = context->Intermediate_Hash[7]; 2209 for (t = 0; t < 64; t++) { 2210 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2211 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2212 H = G; 2213 G = F; 2214 F = E; 2215 E = D + temp1; 2216 D = C; 2217 C = B; 2218 B = A; 2219 A = temp1 + temp2; 2220 } 2222 context->Intermediate_Hash[0] += A; 2223 context->Intermediate_Hash[1] += B; 2224 context->Intermediate_Hash[2] += C; 2225 context->Intermediate_Hash[3] += D; 2226 context->Intermediate_Hash[4] += E; 2227 context->Intermediate_Hash[5] += F; 2228 context->Intermediate_Hash[6] += G; 2229 context->Intermediate_Hash[7] += H; 2230 context->Message_Block_Index = 0; 2231 } 2233 /* 2234 * SHA224_256Reset 2235 * 2236 * Description: 2237 * This helper function will initialize the SHA256Context in 2238 * preparation for computing a new SHA-224 or SHA-256 message digest. 2239 * 2240 * Parameters: 2241 * context: [in/out] 2242 * The context to reset. 2243 * H0 2244 * The initial hash value to use. 2245 * 2246 * Returns: 2247 * sha Error Code. 2248 */ 2249 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2250 { 2251 if (!context) 2252 return shaNull; 2254 context->Length_Low = 0; 2255 context->Length_High = 0; 2256 context->Message_Block_Index = 0; 2258 context->Intermediate_Hash[0] = H0[0]; 2259 context->Intermediate_Hash[1] = H0[1]; 2260 context->Intermediate_Hash[2] = H0[2]; 2261 context->Intermediate_Hash[3] = H0[3]; 2262 context->Intermediate_Hash[4] = H0[4]; 2263 context->Intermediate_Hash[5] = H0[5]; 2264 context->Intermediate_Hash[6] = H0[6]; 2265 context->Intermediate_Hash[7] = H0[7]; 2267 context->Computed = 0; 2268 context->Corrupted = 0; 2270 return shaSuccess; 2271 } 2273 /* 2274 * SHA224_256ResultN 2275 * 2276 * Description: 2277 * This helper function will return the 224-bit or 256-bit message 2278 * digest into the Message_Digest array provided by the caller. 2279 * NOTE: 2281 * The first octet of hash is stored in the element with index 0, 2282 * the last octet of hash in the element with index 27/31. 2283 * 2284 * Parameters: 2285 * context: [in/out] 2286 * The context to use to calculate the SHA hash. 2287 * Message_Digest: [out] 2288 * Where the digest is returned. 2289 * HashSize: [in] 2290 * The size of the hash, either 28 or 32. 2291 * 2292 * Returns: 2293 * sha Error Code. 2294 */ 2295 static int SHA224_256ResultN(SHA256Context *context, 2296 uint8_t Message_Digest[ ], int HashSize) 2297 { 2298 int i; 2300 if (!context || !Message_Digest) 2301 return shaNull; 2303 if (context->Corrupted) 2304 return context->Corrupted; 2306 if (!context->Computed) 2307 SHA224_256Finalize(context, 0x80); 2309 for (i = 0; i < HashSize; ++i) 2310 Message_Digest[i] = (uint8_t) 2311 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2313 return shaSuccess; 2314 } 2316 8.2.3 sha384-512.c 2318 /************************* sha384-512.c ************************/ 2319 /***************** See RFC NNNN for details. *******************/ 2320 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2321 /* authors of the code. All rights reserved. */ 2322 /* See sha.h for terms of use and redistribution. */ 2324 /* 2325 * Description: 2326 * This file implements the Secure Hash Algorithms SHA-384 and 2327 * SHA-512 as defined in the National Institute of Standards 2328 * and Technology Federal Information Processing Standards 2329 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 2330 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 2331 * 2332 * A combined document showing all algorithms is available at 2333 * http://csrc.nist.gov/publications/fips/ 2334 * fips180-2/fips180-2withchangenotice.pdf 2335 * 2336 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2337 * message digests for a given data stream. It should take about 2338 * 2**n steps to find a message with the same digest as a given 2339 * message and 2**(n/2) to find any two messages with the same 2340 * digest, when n is the digest size in bits. Therefore, this 2341 * algorithm can serve as a means of providing a 2342 * "fingerprint" for a message. 2343 * 2344 * Portability Issues: 2345 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2346 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2347 * terms of 32-bit "words". This code uses (included 2348 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2349 * types. If your C compiler does not support 64 bit unsigned 2350 * integers, and you do not #define USE_32BIT_ONLY, this code is 2351 * not appropriate. 2352 * 2353 * Caveats: 2354 * SHA-384 and SHA-512 are designed to work with messages less 2355 * than 2^128 bits long. This implementation uses SHA384/512Input() 2356 * to hash the bits that are a multiple of the size of an 8-bit 2357 * octet, and then optionally uses SHA384/256FinalBits() 2358 * to hash the final few bits of the input. 2359 * 2360 */ 2362 #include "sha.h" 2363 #include "sha-private.h" 2365 #ifdef USE_32BIT_ONLY 2366 /* 2367 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2368 * Each 64-bit number is represented in a 2-word array. 2369 * All macros are defined such that the result is the last parameter. 2370 */ 2372 /* 2373 * Define shift, rotate left and rotate right functions 2374 */ 2375 #define SHA512_SHR(bits, word, ret) ( \ 2376 /* (((uint64_t)((word))) >> (bits)) */ \ 2377 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2378 ((word)[0] >> (bits)) : 0, \ 2380 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2381 ((bits) == 32) ? (word)[0] : \ 2382 ((bits) >= 0) ? \ 2383 (((word)[0] << (32 - (bits))) | \ 2384 ((word)[1] >> (bits))) : 0 ) 2386 #define SHA512_SHL(bits, word, ret) ( \ 2387 /* (((uint64_t)(word)) << (bits)) */ \ 2388 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2389 ((bits) == 32) ? (word)[1] : \ 2390 ((bits) >= 0) ? \ 2391 (((word)[0] << (bits)) | \ 2392 ((word)[1] >> (32 - (bits)))) : \ 2393 0, \ 2394 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2395 ((word)[1] << (bits)) : 0 ) 2397 /* 2398 * Define 64-bit OR 2399 */ 2400 #define SHA512_OR(word1, word2, ret) ( \ 2401 (ret)[0] = (word1)[0] | (word2)[0], \ 2402 (ret)[1] = (word1)[1] | (word2)[1] ) 2404 /* 2405 * Define 64-bit XOR 2406 */ 2407 #define SHA512_XOR(word1, word2, ret) ( \ 2408 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2409 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2411 /* 2412 * Define 64-bit AND 2413 */ 2414 #define SHA512_AND(word1, word2, ret) ( \ 2415 (ret)[0] = (word1)[0] & (word2)[0], \ 2416 (ret)[1] = (word1)[1] & (word2)[1] ) 2418 /* 2419 * Define 64-bit TILDA 2420 */ 2421 #define SHA512_TILDA(word, ret) \ 2422 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2424 /* 2425 * Define 64-bit ADD 2426 */ 2427 #define SHA512_ADD(word1, word2, ret) ( \ 2428 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2429 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2431 /* 2432 * Add the 4word value in word2 to word1. 2433 */ 2434 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2435 #define SHA512_ADDTO4(word1, word2) ( \ 2436 ADDTO4_temp = (word1)[3], \ 2437 (word1)[3] += (word2)[3], \ 2438 ADDTO4_temp2 = (word1)[2], \ 2439 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2440 ADDTO4_temp = (word1)[1], \ 2441 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2442 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2444 /* 2445 * Add the 2word value in word2 to word1. 2446 */ 2447 static uint32_t ADDTO2_temp; 2448 #define SHA512_ADDTO2(word1, word2) ( \ 2449 ADDTO2_temp = (word1)[1], \ 2450 (word1)[1] += (word2)[1], \ 2451 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2453 /* 2454 * SHA rotate ((word >> bits) | (word << (64-bits))) 2455 */ 2456 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2457 #define SHA512_ROTR(bits, word, ret) ( \ 2458 SHA512_SHR((bits), (word), ROTR_temp1), \ 2459 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2460 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2462 /* 2463 * Define the SHA SIGMA and sigma macros 2464 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2465 */ 2466 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2467 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2468 #define SHA512_SIGMA0(word, ret) ( \ 2469 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2470 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2471 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2472 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2473 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2475 /* 2476 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2477 */ 2478 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2479 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2480 #define SHA512_SIGMA1(word, ret) ( \ 2481 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2482 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2483 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2484 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2485 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2487 /* 2488 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2489 */ 2490 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2491 sigma0_temp3[2], sigma0_temp4[2]; 2492 #define SHA512_sigma0(word, ret) ( \ 2493 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2494 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2495 SHA512_SHR( 7, (word), sigma0_temp3), \ 2496 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2497 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2499 /* 2500 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2501 */ 2502 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2503 sigma1_temp3[2], sigma1_temp4[2]; 2504 #define SHA512_sigma1(word, ret) ( \ 2505 SHA512_ROTR(19, (word), sigma1_temp1), \ 2506 SHA512_ROTR(61, (word), sigma1_temp2), \ 2507 SHA512_SHR( 6, (word), sigma1_temp3), \ 2508 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2509 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2511 #undef SHA_Ch 2512 #undef SHA_Maj 2514 #ifndef USE_MODIFIED_MACROS 2515 /* 2516 * These definitions are the ones used in FIPS-180-2, section 4.1.3 2517 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2518 */ 2519 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2520 #define SHA_Ch(x, y, z, ret) ( \ 2521 SHA512_AND(x, y, Ch_temp1), \ 2522 SHA512_TILDA(x, Ch_temp2), \ 2523 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2524 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2526 /* 2527 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2528 */ 2529 static uint32_t Maj_temp1[2], Maj_temp2[2], 2530 Maj_temp3[2], Maj_temp4[2]; 2532 #define SHA_Maj(x, y, z, ret) ( \ 2533 SHA512_AND(x, y, Maj_temp1), \ 2534 SHA512_AND(x, z, Maj_temp2), \ 2535 SHA512_AND(y, z, Maj_temp3), \ 2536 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2537 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2539 #else /* !USE_MODIFIED_MACROS */ 2540 /* 2541 * These definitions are potentially faster equivalents for the ones 2542 * used in FIPS-180-2, section 4.1.3. 2543 * ((x & y) ^ (~x & z)) becomes 2544 * ((x & (y ^ z)) ^ z) 2545 */ 2546 #define SHA_Ch(x, y, z, ret) ( \ 2547 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2548 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2550 /* 2551 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2552 * ((x & (y | z)) | (y & z)) 2553 */ 2554 #define SHA_Maj(x, y, z, ret) ( \ 2555 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2556 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2557 #endif /* USE_MODIFIED_MACROS */ 2559 /* 2560 * Add "length" to the length. 2561 * Set Corrupted when overflow has occurred. 2562 */ 2563 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2564 #define SHA384_512AddLength(context, length) ( \ 2565 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2566 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2567 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2568 ((context)->Length[0] == 0)) ? shaInputTooLong : shaSuccess ) 2570 /* Local Function Prototypes */ 2571 static void SHA384_512Finalize(SHA512Context *context, 2572 uint8_t Pad_Byte); 2573 static void SHA384_512PadMessage(SHA512Context *context, 2574 uint8_t Pad_Byte); 2575 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2576 static int SHA384_512Reset(SHA512Context *context, 2577 uint32_t H0[SHA512HashSize/4]); 2578 static int SHA384_512ResultN( SHA512Context *context, 2579 uint8_t Message_Digest[ ], int HashSize); 2581 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2582 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2583 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2584 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2585 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2586 0xBEFA4FA4 2587 }; 2589 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2590 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2591 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2592 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2593 0x137E2179 2594 }; 2596 #else /* !USE_32BIT_ONLY */ 2598 /* Define the SHA shift, rotate left and rotate right macro */ 2599 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2600 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2601 (((uint64_t)(word)) << (64-(bits)))) 2603 /* Define the SHA SIGMA and sigma macros */ 2604 #define SHA512_SIGMA0(word) \ 2605 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2606 #define SHA512_SIGMA1(word) \ 2607 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2608 #define SHA512_sigma0(word) \ 2609 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2610 #define SHA512_sigma1(word) \ 2611 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2613 /* 2614 * Add "length" to the length. 2615 * Set Corrupted when overflow has occurred. 2616 */ 2617 static uint64_t addTemp; 2618 #define SHA384_512AddLength(context, length) \ 2619 (addTemp = context->Length_Low, context->Corrupted = \ 2620 ((context->Length_Low += length) < addTemp) && \ 2621 (++context->Length_High == 0) ? 1 : 0) 2623 /* Local Function Prototypes */ 2624 static void SHA384_512Finalize(SHA512Context *context, 2625 uint8_t Pad_Byte); 2626 static void SHA384_512PadMessage(SHA512Context *context, 2627 uint8_t Pad_Byte); 2628 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2629 static int SHA384_512Reset(SHA512Context *context, 2630 uint64_t H0[SHA512HashSize/8]); 2631 static int SHA384_512ResultN(SHA512Context *context, 2632 uint8_t Message_Digest[ ], int HashSize); 2634 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2635 static uint64_t SHA384_H0[ ] = { 2636 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2637 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2638 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2639 }; 2640 static uint64_t SHA512_H0[ ] = { 2641 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2642 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2643 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2644 }; 2646 #endif /* USE_32BIT_ONLY */ 2648 /* 2649 * SHA384Reset 2650 * 2651 * Description: 2652 * This function will initialize the SHA384Context in preparation 2653 * for computing a new SHA384 message digest. 2654 * 2655 * Parameters: 2656 * context: [in/out] 2657 * The context to reset. 2658 * 2659 * Returns: 2660 * sha Error Code. 2661 * 2662 */ 2663 int SHA384Reset(SHA384Context *context) 2664 { 2665 return SHA384_512Reset(context, SHA384_H0); 2666 } 2668 /* 2669 * SHA384Input 2670 * 2671 * Description: 2672 * This function accepts an array of octets as the next portion 2673 * of the message. 2674 * 2675 * Parameters: 2676 * context: [in/out] 2677 * The SHA context to update 2678 * message_array: [in] 2679 * An array of octets representing the next portion of 2680 * the message. 2681 * length: [in] 2682 * The length of the message in message_array 2683 * 2684 * Returns: 2685 * sha Error Code. 2686 * 2687 */ 2688 int SHA384Input(SHA384Context *context, 2689 const uint8_t *message_array, unsigned int length) 2690 { 2691 return SHA512Input(context, message_array, length); 2692 } 2694 /* 2695 * SHA384FinalBits 2696 * 2697 * Description: 2698 * This function will add in any final bits of the message. 2699 * 2700 * Parameters: 2701 * context: [in/out] 2702 * The SHA context to update 2703 * message_bits: [in] 2704 * The final bits of the message, in the upper portion of the 2705 * byte. (Use 0b###00000 instead of 0b00000### to input the 2706 * three bits ###.) 2707 * length: [in] 2708 * The number of bits in message_bits, between 1 and 7. 2709 * 2710 * Returns: 2711 * sha Error Code. 2712 * 2713 */ 2714 int SHA384FinalBits(SHA384Context *context, 2715 uint8_t message_bits, unsigned int length) 2716 { 2717 return SHA512FinalBits(context, message_bits, length); 2718 } 2720 /* 2721 * SHA384Result 2722 * 2723 * Description: 2724 * This function will return the 384-bit message digest 2725 * into the Message_Digest array provided by the caller. 2726 * NOTE: 2727 * The first octet of hash is stored in the element with index 0, 2728 * the last octet of hash in the element with index 47. 2729 * 2730 * Parameters: 2731 * context: [in/out] 2732 * The context to use to calculate the SHA hash. 2733 * Message_Digest: [out] 2734 * Where the digest is returned. 2735 * 2736 * Returns: 2737 * sha Error Code. 2738 * 2739 */ 2740 int SHA384Result(SHA384Context *context, 2741 uint8_t Message_Digest[SHA384HashSize]) 2742 { 2743 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2744 } 2746 /* 2747 * SHA512Reset 2748 * 2749 * Description: 2750 * This function will initialize the SHA512Context in preparation 2751 * for computing a new SHA512 message digest. 2752 * 2753 * Parameters: 2754 * context: [in/out] 2755 * The context to reset. 2756 * 2757 * Returns: 2758 * sha Error Code. 2759 * 2760 */ 2761 int SHA512Reset(SHA512Context *context) 2762 { 2763 return SHA384_512Reset(context, SHA512_H0); 2764 } 2766 /* 2767 * SHA512Input 2768 * 2769 * Description: 2770 * This function accepts an array of octets as the next portion 2771 * of the message. 2772 * 2773 * Parameters: 2774 * context: [in/out] 2775 * The SHA context to update 2776 * message_array: [in] 2777 * An array of octets representing the next portion of 2778 * the message. 2779 * length: [in] 2780 * The length of the message in message_array 2781 * 2782 * Returns: 2783 * sha Error Code. 2784 * 2785 */ 2786 int SHA512Input(SHA512Context *context, 2787 const uint8_t *message_array, 2788 unsigned int length) 2789 { 2790 if (!length) 2791 return shaSuccess; 2793 if (!context || !message_array) 2794 return shaNull; 2796 if (context->Computed) 2797 return context->Corrupted = shaStateError; 2799 if (context->Corrupted) 2800 return context->Corrupted; 2802 while (length-- && !context->Corrupted) { 2803 context->Message_Block[context->Message_Block_Index++] = 2804 (*message_array & 0xFF); 2806 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2807 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2808 SHA384_512ProcessMessageBlock(context); 2810 message_array++; 2811 } 2813 return context->Corrupted; 2814 } 2816 /* 2817 * SHA512FinalBits 2818 * 2819 * Description: 2820 * This function will add in any final bits of the message. 2821 * 2822 * Parameters: 2823 * context: [in/out] 2824 * The SHA context to update 2825 * message_bits: [in] 2826 * The final bits of the message, in the upper portion of the 2827 * byte. (Use 0b###00000 instead of 0b00000### to input the 2828 * three bits ###.) 2829 * length: [in] 2830 * The number of bits in message_bits, between 1 and 7. 2831 * 2832 * Returns: 2833 * sha Error Code. 2834 * 2835 */ 2836 int SHA512FinalBits(SHA512Context *context, 2837 uint8_t message_bits, unsigned int length) 2838 { 2839 uint8_t masks[8] = { 2840 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2841 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2842 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2843 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2844 }; 2845 uint8_t markbit[8] = { 2846 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2847 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2848 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2849 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2850 }; 2852 if (!length) 2853 return shaSuccess; 2855 if (!context) 2856 return shaNull; 2858 if (context->Computed) 2859 return context->Corrupted = shaStateError; 2861 if ((length >= 8) || (length == 0)) 2862 return context->Corrupted = shaBadParam; 2864 if (context->Corrupted) 2865 return context->Corrupted; 2867 SHA384_512AddLength(context, length); 2868 SHA384_512Finalize(context, (uint8_t) 2869 ((message_bits & masks[length]) | markbit[length])); 2871 return context->Corrupted; 2872 } 2874 /* 2875 * SHA384_512Finalize 2876 * 2877 * Description: 2878 * This helper function finishes off the digest calculations. 2879 * 2880 * Parameters: 2881 * context: [in/out] 2882 * The SHA context to update 2883 * Pad_Byte: [in] 2884 * The last byte to add to the digest before the 0-padding 2885 * and length. This will contain the last bits of the message 2886 * followed by another single bit. If the message was an 2887 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2888 * 2889 * Returns: 2890 * sha Error Code. 2891 * 2892 */ 2893 static void SHA384_512Finalize(SHA512Context *context, 2894 uint8_t Pad_Byte) 2895 { 2896 int_least16_t i; 2897 SHA384_512PadMessage(context, Pad_Byte); 2898 /* message may be sensitive, clear it out */ 2899 for (i = 0; i < SHA512_Message_Block_Size; ++i) 2900 context->Message_Block[i] = 0; 2901 #ifdef USE_32BIT_ONLY /* and clear length */ 2902 context->Length[0] = context->Length[1] = 0; 2903 context->Length[2] = context->Length[3] = 0; 2904 #else /* !USE_32BIT_ONLY */ 2905 context->Length_Low = 0; 2906 context->Length_High = 0; 2907 #endif /* USE_32BIT_ONLY */ 2908 context->Computed = 1; 2909 } 2911 /* 2912 * SHA512Result 2913 * 2914 * Description: 2915 * This function will return the 512-bit message digest 2916 * into the Message_Digest array provided by the caller. 2917 * NOTE: 2918 * The first octet of hash is stored in the element with index 0, 2919 * the last octet of hash in the element with index 63. 2920 * 2921 * Parameters: 2922 * context: [in/out] 2923 * The context to use to calculate the SHA hash. 2924 * Message_Digest: [out] 2925 * Where the digest is returned. 2926 * 2927 * Returns: 2928 * sha Error Code. 2929 * 2930 */ 2931 int SHA512Result(SHA512Context *context, 2932 uint8_t Message_Digest[SHA512HashSize]) 2933 { 2934 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2935 } 2937 /* 2938 * SHA384_512PadMessage 2939 * 2940 * Description: 2941 * According to the standard, the message must be padded to the next 2942 * even multiple of 1024 bits. The first padding bit must be a '1'. 2943 * The last 128 bits represent the length of the original message. 2944 * All bits in between should be 0. This helper function will 2945 * pad the message according to those rules by filling the 2946 * Message_Block array accordingly. When it returns, it can be 2947 * assumed that the message digest has been computed. 2948 * 2949 * Parameters: 2950 * context: [in/out] 2951 * The context to pad 2952 * Pad_Byte: [in] 2953 * The last byte to add to the digest before the 0-padding 2954 * and length. This will contain the last bits of the message 2955 * followed by another single bit. If the message was an 2956 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2957 * 2958 * Returns: 2959 * Nothing. 2960 * 2961 */ 2962 static void SHA384_512PadMessage(SHA512Context *context, 2963 uint8_t Pad_Byte) 2964 { 2965 /* 2966 * Check to see if the current message block is too small to hold 2967 * the initial padding bits and length. If so, we will pad the 2968 * block, process it, and then continue padding into a second 2969 * block. 2970 */ 2971 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 2972 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2973 while (context->Message_Block_Index < SHA512_Message_Block_Size) 2974 context->Message_Block[context->Message_Block_Index++] = 0; 2976 SHA384_512ProcessMessageBlock(context); 2977 } else 2978 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2980 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 2981 context->Message_Block[context->Message_Block_Index++] = 0; 2983 /* 2984 * Store the message length as the last 16 octets 2985 */ 2986 #ifdef USE_32BIT_ONLY 2987 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 2988 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 2989 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 2990 context->Message_Block[115] = (uint8_t)(context->Length[0]); 2991 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 2992 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 2993 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 2994 context->Message_Block[119] = (uint8_t)(context->Length[1]); 2996 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 2997 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 2998 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 2999 context->Message_Block[123] = (uint8_t)(context->Length[2]); 3000 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 3001 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 3002 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3003 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3004 #else /* !USE_32BIT_ONLY */ 3005 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3006 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3007 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3008 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3009 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3010 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3011 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3012 context->Message_Block[119] = (uint8_t)(context->Length_High); 3014 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3015 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3016 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3017 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3018 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3019 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3020 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3021 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3022 #endif /* USE_32BIT_ONLY */ 3024 SHA384_512ProcessMessageBlock(context); 3025 } 3027 /* 3028 * SHA384_512ProcessMessageBlock 3029 * 3030 * Description: 3031 * This helper function will process the next 1024 bits of the 3032 * message stored in the Message_Block array. 3034 * 3035 * Parameters: 3036 * context: [in/out] 3037 * The SHA context to update 3038 * 3039 * Returns: 3040 * Nothing. 3041 * 3042 * Comments: 3043 * Many of the variable names in this code, especially the 3044 * single character names, were used because those were the 3045 * names used in the publication. 3046 * 3047 * 3048 */ 3049 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 3050 { 3051 /* Constants defined in FIPS-180-2, section 4.2.3 */ 3052 #ifdef USE_32BIT_ONLY 3053 static const uint32_t K[80*2] = { 3054 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 3055 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 3056 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 3057 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 3058 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 3059 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 3060 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 3061 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 3062 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 3063 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 3064 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 3065 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 3066 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 3067 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 3068 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 3069 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 3070 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 3071 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 3072 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 3073 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 3074 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 3075 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 3076 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 3077 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 3078 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 3079 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3080 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3081 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3082 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3083 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3084 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3085 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3086 }; 3087 int t, t2, t8; /* Loop counter */ 3088 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3089 temp3[2], temp4[2], temp5[2]; 3090 uint32_t W[2*80]; /* Word sequence */ 3091 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3092 E[2], F[2], G[2], H[2]; 3094 /* Initialize the first 16 words in the array W */ 3095 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3096 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3097 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3098 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3099 ((((uint32_t)context->Message_Block[t8 + 3]))); 3100 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3101 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3102 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3103 ((((uint32_t)context->Message_Block[t8 + 7]))); 3104 } 3106 for (t = 16; t < 80; t++, t2 += 2) { 3107 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3108 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3109 uint32_t *Wt2 = &W[t2-2*2]; 3110 uint32_t *Wt7 = &W[t2-7*2]; 3111 uint32_t *Wt15 = &W[t2-15*2]; 3112 uint32_t *Wt16 = &W[t2-16*2]; 3113 SHA512_sigma1(Wt2, temp1); 3114 SHA512_ADD(temp1, Wt7, temp2); 3115 SHA512_sigma0(Wt15, temp1); 3116 SHA512_ADD(temp1, Wt16, temp3); 3117 SHA512_ADD(temp2, temp3, &W[t2]); 3118 } 3120 A[0] = context->Intermediate_Hash[0]; 3121 A[1] = context->Intermediate_Hash[1]; 3122 B[0] = context->Intermediate_Hash[2]; 3123 B[1] = context->Intermediate_Hash[3]; 3124 C[0] = context->Intermediate_Hash[4]; 3125 C[1] = context->Intermediate_Hash[5]; 3126 D[0] = context->Intermediate_Hash[6]; 3127 D[1] = context->Intermediate_Hash[7]; 3128 E[0] = context->Intermediate_Hash[8]; 3129 E[1] = context->Intermediate_Hash[9]; 3130 F[0] = context->Intermediate_Hash[10]; 3131 F[1] = context->Intermediate_Hash[11]; 3132 G[0] = context->Intermediate_Hash[12]; 3133 G[1] = context->Intermediate_Hash[13]; 3134 H[0] = context->Intermediate_Hash[14]; 3135 H[1] = context->Intermediate_Hash[15]; 3137 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3138 /* 3139 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3140 */ 3141 SHA512_SIGMA1(E,temp1); 3142 SHA512_ADD(H, temp1, temp2); 3143 SHA_Ch(E,F,G,temp3); 3144 SHA512_ADD(temp2, temp3, temp4); 3145 SHA512_ADD(&K[t2], &W[t2], temp5); 3146 SHA512_ADD(temp4, temp5, temp1); 3147 /* 3148 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3149 */ 3150 SHA512_SIGMA0(A,temp3); 3151 SHA_Maj(A,B,C,temp4); 3152 SHA512_ADD(temp3, temp4, temp2); 3153 H[0] = G[0]; H[1] = G[1]; 3154 G[0] = F[0]; G[1] = F[1]; 3155 F[0] = E[0]; F[1] = E[1]; 3156 SHA512_ADD(D, temp1, E); 3157 D[0] = C[0]; D[1] = C[1]; 3158 C[0] = B[0]; C[1] = B[1]; 3159 B[0] = A[0]; B[1] = A[1]; 3160 SHA512_ADD(temp1, temp2, A); 3161 } 3163 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3164 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3165 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3166 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3167 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3168 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3169 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3170 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3172 #else /* !USE_32BIT_ONLY */ 3173 static const uint64_t K[80] = { 3174 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3175 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3176 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3177 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3178 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3179 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3180 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3181 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3182 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3183 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3184 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3185 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3186 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3187 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3188 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3189 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3190 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3191 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3192 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3193 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3194 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3195 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3196 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3197 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3198 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3199 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3200 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3201 }; 3202 int t, t8; /* Loop counter */ 3203 uint64_t temp1, temp2; /* Temporary word value */ 3204 uint64_t W[80]; /* Word sequence */ 3205 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3207 /* 3208 * Initialize the first 16 words in the array W 3209 */ 3210 for (t = t8 = 0; t < 16; t++, t8 += 8) 3211 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3212 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3213 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3214 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3215 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3216 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3217 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3218 ((uint64_t)(context->Message_Block[t8 + 7])); 3220 for (t = 16; t < 80; t++) 3221 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3222 SHA512_sigma0(W[t-15]) + W[t-16]; 3224 A = context->Intermediate_Hash[0]; 3225 B = context->Intermediate_Hash[1]; 3226 C = context->Intermediate_Hash[2]; 3227 D = context->Intermediate_Hash[3]; 3228 E = context->Intermediate_Hash[4]; 3229 F = context->Intermediate_Hash[5]; 3230 G = context->Intermediate_Hash[6]; 3231 H = context->Intermediate_Hash[7]; 3233 for (t = 0; t < 80; t++) { 3234 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3235 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3236 H = G; 3237 G = F; 3238 F = E; 3239 E = D + temp1; 3240 D = C; 3241 C = B; 3242 B = A; 3243 A = temp1 + temp2; 3244 } 3246 context->Intermediate_Hash[0] += A; 3247 context->Intermediate_Hash[1] += B; 3248 context->Intermediate_Hash[2] += C; 3249 context->Intermediate_Hash[3] += D; 3250 context->Intermediate_Hash[4] += E; 3251 context->Intermediate_Hash[5] += F; 3252 context->Intermediate_Hash[6] += G; 3253 context->Intermediate_Hash[7] += H; 3254 #endif /* USE_32BIT_ONLY */ 3256 context->Message_Block_Index = 0; 3257 } 3259 /* 3260 * SHA384_512Reset 3261 * 3262 * Description: 3263 * This helper function will initialize the SHA512Context in 3264 * preparation for computing a new SHA384 or SHA512 message 3265 * digest. 3266 * 3267 * Parameters: 3268 * context: [in/out] 3269 * The context to reset. 3270 * H0 3271 * The initial hash value to use. 3272 * 3273 * Returns: 3274 * sha Error Code. 3275 * 3276 */ 3277 #ifdef USE_32BIT_ONLY 3278 static int SHA384_512Reset(SHA512Context *context, 3279 uint32_t H0[SHA512HashSize/4]) 3280 #else /* !USE_32BIT_ONLY */ 3281 static int SHA384_512Reset(SHA512Context *context, 3282 uint64_t H0[SHA512HashSize/8]) 3283 #endif /* USE_32BIT_ONLY */ 3284 { 3285 int i; 3286 if (!context) 3287 return shaNull; 3289 context->Message_Block_Index = 0; 3291 #ifdef USE_32BIT_ONLY 3292 context->Length[0] = context->Length[1] = 3293 context->Length[2] = context->Length[3] = 0; 3295 for (i = 0; i < SHA512HashSize/4; i++) 3296 context->Intermediate_Hash[i] = H0[i]; 3297 #else /* !USE_32BIT_ONLY */ 3298 context->Length_High = context->Length_Low = 0; 3300 for (i = 0; i < SHA512HashSize/8; i++) 3301 context->Intermediate_Hash[i] = H0[i]; 3302 #endif /* USE_32BIT_ONLY */ 3304 context->Computed = 0; 3305 context->Corrupted = 0; 3307 return shaSuccess; 3308 } 3310 /* 3311 * SHA384_512ResultN 3312 * 3313 * Description: 3314 * This helper function will return the 384-bit or 512-bit message 3315 * digest into the Message_Digest array provided by the caller. 3316 * NOTE: 3317 * The first octet of hash is stored in the element with index 0, 3318 * the last octet of hash in the element with index 47/63. 3319 * 3320 * Parameters: 3321 * context: [in/out] 3322 * The context to use to calculate the SHA hash. 3323 * Message_Digest: [out] 3324 * Where the digest is returned. 3325 * HashSize: [in] 3326 * The size of the hash, either 48 or 64. 3327 * 3328 * Returns: 3329 * sha Error Code. 3330 * 3331 */ 3332 static int SHA384_512ResultN(SHA512Context *context, 3333 uint8_t Message_Digest[ ], int HashSize) 3335 { 3336 int i; 3337 #ifdef USE_32BIT_ONLY 3338 int i2; 3339 #endif /* USE_32BIT_ONLY */ 3341 if (!context || !Message_Digest) 3342 return shaNull; 3344 if (context->Corrupted) 3345 return context->Corrupted; 3347 if (!context->Computed) 3348 SHA384_512Finalize(context, 0x80); 3350 #ifdef USE_32BIT_ONLY 3351 for (i = i2 = 0; i < HashSize; ) { 3352 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3353 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3354 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3355 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3356 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3357 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3358 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3359 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3360 } 3361 #else /* !USE_32BIT_ONLY */ 3362 for (i = 0; i < HashSize; ++i) 3363 Message_Digest[i] = (uint8_t) 3364 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3365 #endif /* USE_32BIT_ONLY */ 3367 return shaSuccess; 3368 } 3370 8.2.4 usha.c 3372 /**************************** usha.c ***************************/ 3373 /***************** See RFC NNNN for details. *******************/ 3374 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3375 /* authors of the code. All rights reserved. */ 3376 /* See sha.h for terms of use and redistribution. */ 3378 /* 3379 * Description: 3380 * This file implements a unified interface to the SHA algorithms. 3381 */ 3383 #include "sha.h" 3385 /* 3386 * USHAReset 3387 * 3388 * Description: 3389 * This function will initialize the SHA Context in preparation 3390 * for computing a new SHA message digest. 3391 * 3392 * Parameters: 3393 * context: [in/out] 3394 * The context to reset. 3395 * whichSha: [in] 3396 * Selects which SHA reset to call 3397 * 3398 * Returns: 3399 * sha Error Code. 3400 * 3401 */ 3402 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3403 { 3404 if (context) { 3405 context->whichSha = whichSha; 3406 switch (whichSha) { 3407 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3408 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3409 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3410 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3411 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3412 default: return shaBadParam; 3413 } 3414 } else { 3415 return shaNull; 3416 } 3417 } 3419 /* 3420 * USHAInput 3421 * 3422 * Description: 3423 * This function accepts an array of octets as the next portion 3424 * of the message. 3425 * 3426 * Parameters: 3427 * context: [in/out] 3428 * The SHA context to update 3429 * message_array: [in] 3430 * An array of octets representing the next portion of 3431 * the message. 3432 * length: [in] 3433 * The length of the message in message_array 3434 * 3435 * Returns: 3436 * sha Error Code. 3437 * 3438 */ 3439 int USHAInput(USHAContext *context, 3440 const uint8_t *bytes, unsigned int bytecount) 3441 { 3442 if (context) { 3443 switch (context->whichSha) { 3444 case SHA1: 3445 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3446 bytecount); 3447 case SHA224: 3448 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3449 bytecount); 3450 case SHA256: 3451 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3452 bytecount); 3453 case SHA384: 3454 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3455 bytecount); 3456 case SHA512: 3457 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3458 bytecount); 3459 default: return shaBadParam; 3460 } 3461 } else { 3462 return shaNull; 3463 } 3464 } 3466 /* 3467 * USHAFinalBits 3468 * 3469 * Description: 3470 * This function will add in any final bits of the message. 3471 * 3472 * Parameters: 3473 * context: [in/out] 3474 * The SHA context to update 3475 * message_bits: [in] 3476 * The final bits of the message, in the upper portion of the 3477 * byte. (Use 0b###00000 instead of 0b00000### to input the 3478 * three bits ###.) 3479 * length: [in] 3480 * The number of bits in message_bits, between 1 and 7. 3481 * 3482 * Returns: 3484 * sha Error Code. 3485 */ 3486 int USHAFinalBits(USHAContext *context, 3487 uint8_t bits, unsigned int bit_count) 3488 { 3489 if (context) { 3490 switch (context->whichSha) { 3491 case SHA1: 3492 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3493 bit_count); 3494 case SHA224: 3495 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3496 bit_count); 3497 case SHA256: 3498 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3499 bit_count); 3500 case SHA384: 3501 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3502 bit_count); 3503 case SHA512: 3504 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3505 bit_count); 3506 default: return shaBadParam; 3507 } 3508 } else { 3509 return shaNull; 3510 } 3511 } 3513 /* 3514 * USHAResult 3515 * 3516 * Description: 3517 * This function will return the message digest of the appropriate 3518 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3519 * 'whichSHA' value used in the preceeding call to USHAReset, 3520 * into the Message_Digest array provided by the caller. 3521 * 3522 * Parameters: 3523 * context: [in/out] 3524 * The context to use to calculate the SHA-1 hash. 3525 * Message_Digest: [out] 3526 * Where the digest is returned. 3527 * 3528 * Returns: 3529 * sha Error Code. 3530 * 3531 */ 3532 int USHAResult(USHAContext *context, 3533 uint8_t Message_Digest[USHAMaxHashSize]) 3535 { 3536 if (context) { 3537 switch (context->whichSha) { 3538 case SHA1: 3539 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3540 case SHA224: 3541 return SHA224Result((SHA224Context*)&context->ctx, 3542 Message_Digest); 3543 case SHA256: 3544 return SHA256Result((SHA256Context*)&context->ctx, 3545 Message_Digest); 3546 case SHA384: 3547 return SHA384Result((SHA384Context*)&context->ctx, 3548 Message_Digest); 3549 case SHA512: 3550 return SHA512Result((SHA512Context*)&context->ctx, 3551 Message_Digest); 3552 default: return shaBadParam; 3553 } 3554 } else { 3555 return shaNull; 3556 } 3557 } 3559 /* 3560 * USHABlockSize 3561 * 3562 * Description: 3563 * This function will return the blocksize for the given SHA 3564 * algorithm. 3565 * 3566 * Parameters: 3567 * whichSha: 3568 * which SHA algorithm to query 3569 * 3570 * Returns: 3571 * block size 3572 * 3573 */ 3574 int USHABlockSize(enum SHAversion whichSha) 3575 { 3576 switch (whichSha) { 3577 case SHA1: return SHA1_Message_Block_Size; 3578 case SHA224: return SHA224_Message_Block_Size; 3579 case SHA256: return SHA256_Message_Block_Size; 3580 case SHA384: return SHA384_Message_Block_Size; 3581 default: 3582 case SHA512: return SHA512_Message_Block_Size; 3583 } 3584 } 3585 /* 3586 * USHAHashSize 3587 * 3588 * Description: 3589 * This function will return the hashsize for the given SHA 3590 * algorithm. 3591 * 3592 * Parameters: 3593 * whichSha: 3594 * which SHA algorithm to query 3595 * 3596 * Returns: 3597 * hash size 3598 * 3599 */ 3600 int USHAHashSize(enum SHAversion whichSha) 3601 { 3602 switch (whichSha) { 3603 case SHA1: return SHA1HashSize; 3604 case SHA224: return SHA224HashSize; 3605 case SHA256: return SHA256HashSize; 3606 case SHA384: return SHA384HashSize; 3607 default: 3608 case SHA512: return SHA512HashSize; 3609 } 3610 } 3612 /* 3613 * USHAHashSizeBits 3614 * 3615 * Description: 3616 * This function will return the hashsize for the given SHA 3617 * algorithm, expressed in bits. 3618 * 3619 * Parameters: 3620 * whichSha: 3621 * which SHA algorithm to query 3622 * 3623 * Returns: 3624 * hash size in bits 3625 * 3626 */ 3627 int USHAHashSizeBits(enum SHAversion whichSha) 3628 { 3629 switch (whichSha) { 3630 case SHA1: return SHA1HashSizeBits; 3631 case SHA224: return SHA224HashSizeBits; 3632 case SHA256: return SHA256HashSizeBits; 3633 case SHA384: return SHA384HashSizeBits; 3634 default: 3636 case SHA512: return SHA512HashSizeBits; 3637 } 3638 } 3640 /* 3641 * USHAHashName 3642 * 3643 * Description: 3644 * This function will return the name of the given SHA algorithm 3645 * as a string. 3646 * 3647 * Parameters: 3648 * whichSha: 3649 * which SHA algorithm to query 3650 * 3651 * Returns: 3652 * character string with the name in it 3653 * 3654 */ 3655 const char *USHAHashName(enum SHAversion whichSha) 3656 { 3657 switch (whichSha) { 3658 case SHA1: return "SHA1"; 3659 case SHA224: return "SHA224"; 3660 case SHA256: return "SHA256"; 3661 case SHA384: return "SHA384"; 3662 default: 3663 case SHA512: return "SHA512"; 3664 } 3665 } 3667 8.2.5 sha-private.h 3669 /************************ sha-private.h ************************/ 3670 /***************** See RFC NNNN for details. *******************/ 3671 #ifndef _SHA_PRIVATE__H 3672 #define _SHA_PRIVATE__H 3673 /* 3674 * These definitions are defined in FIPS-180-2, section 4.1. 3675 * Ch() and Maj() are defined identically in sections 4.1.1, 3676 * 4.1.2 and 4.1.3. 3677 * 3678 * The definitions used in FIPS-180-2 are as follows: 3679 */ 3681 #ifndef USE_MODIFIED_MACROS 3682 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 3683 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 3684 #else /* USE_MODIFIED_MACROS */ 3685 /* 3686 * The following definitions are equivalent and potentially faster. 3687 */ 3689 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 3690 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 3692 #endif /* USE_MODIFIED_MACROS */ 3694 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 3696 #endif /* _SHA_PRIVATE__H */ 3698 8.3 The HMAC Code 3700 /**************************** hmac.c ***************************/ 3701 /***************** See RFC NNNN for details. *******************/ 3702 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3703 /* authors of the code. All rights reserved. */ 3704 /* See sha.h for terms of use and redistribution. */ 3706 /* 3707 * Description: 3708 * This file implements the HMAC algorithm (Keyed-Hashing for 3709 * Message Authentication, [RFC2104]), expressed in terms of the 3710 * various SHA algorithms. 3711 */ 3713 #include "sha.h" 3715 /* 3716 * hmac 3717 * 3718 * Description: 3719 * This function will compute an HMAC message digest. 3720 * 3721 * Parameters: 3722 * whichSha: [in] 3723 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3724 * key: [in] 3725 * The secret shared key. 3726 * key_len: [in] 3727 * The length of the secret shared key. 3728 * message_array: [in] 3729 * An array of octets representing the message. 3730 * Note: in RFC 2109, this parameter is known 3731 * as 'text'. 3733 * length: [in] 3734 * The length of the message in message_array. 3735 * digest: [out] 3736 * Where the digest is returned. 3737 * NOTE: The length of the digest is determined by 3738 * the value of whichSha. 3739 * 3740 * Returns: 3741 * sha Error Code. 3742 * 3743 */ 3744 int hmac(SHAversion whichSha, 3745 const unsigned char *message_array, int length, 3746 const unsigned char *key, int key_len, 3747 uint8_t digest[USHAMaxHashSize]) 3748 { 3749 HMACContext context; 3750 return hmacReset(&context, whichSha, key, key_len) || 3751 hmacInput(&context, message_array, length) || 3752 hmacResult(&context, digest); 3753 } 3755 /* 3756 * hmacReset 3757 * 3758 * Description: 3759 * This function will initialize the hmacContext in preparation 3760 * for computing a new HMAC message digest. 3761 * 3762 * Parameters: 3763 * context: [in/out] 3764 * The context to reset. 3765 * whichSha: [in] 3766 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3767 * key: [in] 3768 * The secret shared key. 3769 * key_len: [in] 3770 * The length of the secret shared key. 3771 * 3772 * Returns: 3773 * sha Error Code. 3774 * 3775 */ 3776 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3777 const unsigned char *key, int key_len) 3778 { 3779 int i, blocksize, hashsize, ret; 3781 /* inner padding - key XORd with ipad */ 3782 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3783 /* temporary buffer when keylen > blocksize */ 3784 unsigned char tempkey[USHAMaxHashSize]; 3786 if (!context) return shaNull; 3787 context->Computed = 0; 3788 context->Corrupted = shaSuccess; 3790 blocksize = context->blockSize = USHABlockSize(whichSha); 3791 hashsize = context->hashSize = USHAHashSize(whichSha); 3793 context->whichSha = whichSha; 3795 /* 3796 * If key is longer than the hash blocksize, 3797 * reset it to key = HASH(key). 3798 */ 3799 if (key_len > blocksize) { 3800 USHAContext tcontext; 3801 int err = USHAReset(&tcontext, whichSha) || 3802 USHAInput(&tcontext, key, key_len) || 3803 USHAResult(&tcontext, tempkey); 3804 if (err != shaSuccess) return err; 3806 key = tempkey; 3807 key_len = hashsize; 3808 } 3810 /* 3811 * The HMAC transform looks like: 3812 * 3813 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3814 * 3815 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3816 * ipad is the byte 0x36 repeated blocksize times, 3817 * opad is the byte 0x5c repeated blocksize times, 3818 * and text is the data being protected. 3819 */ 3821 /* store key into the pads, XOR'd with ipad and opad values */ 3822 for (i = 0; i < key_len; i++) { 3823 k_ipad[i] = key[i] ^ 0x36; 3824 context->k_opad[i] = key[i] ^ 0x5c; 3825 } 3826 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3827 for ( ; i < blocksize; i++) { 3828 k_ipad[i] = 0x36; 3829 context->k_opad[i] = 0x5c; 3830 } 3832 /* perform inner hash */ 3833 /* init context for 1st pass */ 3834 ret = USHAReset(&context->shaContext, whichSha) || 3835 /* and start with inner pad */ 3836 USHAInput(&context->shaContext, k_ipad, blocksize); 3837 return context->Corrupted = ret; 3838 } 3840 /* 3841 * hmacInput 3842 * 3843 * Description: 3844 * This function accepts an array of octets as the next portion 3845 * of the message. It may be called multiple times. 3846 * 3847 * Parameters: 3848 * context: [in/out] 3849 * The HMAC context to update 3850 * message_array: [in] 3851 * An array of octets representing the next portion of 3852 * the message. 3853 * length: [in] 3854 * The length of the message in message_array 3855 * 3856 * Returns: 3857 * sha Error Code. 3858 * 3859 */ 3860 int hmacInput(HMACContext *context, const unsigned char *text, 3861 int text_len) 3862 { 3863 if (!context) return shaNull; 3864 if (context->Corrupted) return context->Corrupted; 3865 if (context->Computed) return context->Corrupted = shaStateError; 3866 /* then text of datagram */ 3867 return context->Corrupted = 3868 USHAInput(&context->shaContext, text, text_len); 3869 } 3871 /* 3872 * hmacFinalBits 3873 * 3874 * Description: 3875 * This function will add in any final bits of the message. 3876 * 3877 * Parameters: 3878 * context: [in/out] 3879 * The HMAC context to update 3880 * message_bits: [in] 3881 * The final bits of the message, in the upper portion of the 3882 * byte. (Use 0b###00000 instead of 0b00000### to input the 3883 * three bits ###.) 3884 * length: [in] 3885 * The number of bits in message_bits, between 1 and 7. 3886 * 3887 * Returns: 3888 * sha Error Code. 3889 */ 3890 int hmacFinalBits(HMACContext *context, 3891 uint8_t bits, unsigned int bit_count) 3892 { 3893 if (!context) return shaNull; 3894 if (context->Corrupted) return context->Corrupted; 3895 if (context->Computed) return context->Corrupted = shaStateError; 3896 /* then final bits of datagram */ 3897 return context->Corrupted = 3898 USHAFinalBits(&context->shaContext, bits, bit_count); 3899 } 3901 /* 3902 * hmacResult 3903 * 3904 * Description: 3905 * This function will return the N-byte message digest into the 3906 * Message_Digest array provided by the caller. 3907 * 3908 * Parameters: 3909 * context: [in/out] 3910 * The context to use to calculate the HMAC hash. 3911 * digest: [out] 3912 * Where the digest is returned. 3913 * NOTE 2: The length of the hash is determined by the value of 3914 * whichSha that was passed to hmacReset(). 3915 * 3916 * Returns: 3917 * sha Error Code. 3918 * 3919 */ 3920 int hmacResult(HMACContext *context, uint8_t *digest) 3921 { 3922 int ret; 3923 if (!context) return shaNull; 3924 if (context->Corrupted) return context->Corrupted; 3925 if (context->Computed) return context->Corrupted = shaStateError; 3927 /* finish up 1st pass */ 3928 /* (Use digest here as a temporary buffer.) */ 3929 ret = 3930 USHAResult(&context->shaContext, digest) || 3932 /* perform outer SHA */ 3933 /* init context for 2nd pass */ 3934 USHAReset(&context->shaContext, context->whichSha) || 3936 /* start with outer pad */ 3937 USHAInput(&context->shaContext, context->k_opad, 3938 context->blockSize) || 3940 /* then results of 1st hash */ 3941 USHAInput(&context->shaContext, digest, context->hashSize) || 3943 /* finish up 2nd pass */ 3944 USHAResult(&context->shaContext, digest); 3946 context->Computed = 1; 3947 return context->Corrupted = ret; 3948 } 3950 8.4 The HKDF Code 3952 /**************************** hkdf.c ***************************/ 3953 /***************** See RFC NNNN for details. *******************/ 3954 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3955 /* authors of the code. All rights reserved. */ 3956 /* See sha.h for terms of use and redistribution. */ 3958 /* 3959 * Description: 3960 * This file implements the HKDF algorithm (HMAC-based 3961 * Extract-and-Expand Key Derivation Function, RFCXXXX), 3962 * expressed in terms of the various SHA algorithms. 3963 */ 3965 #include "sha.h" 3966 #include 3967 #include 3969 /* 3970 * hkdf 3971 * 3972 * Description: 3973 * This function will compute an HKDF message digest. 3974 * 3975 * Parameters: 3976 * whichSha: [in] 3977 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3978 * salt: [in] 3979 * The optional salt value (a non-secret random value); 3980 * if not provided (salt == NULL), it is set internally 3981 * to a string of HashLen(whichSha) zeros. 3982 * salt_len: [in] 3983 * The length of the salt value. (Ignored if salt == NULL.) 3984 * ikm: [in] 3985 * Input keying material. 3986 * ikm_len: [in] 3987 * The length of the input keying material. 3988 * info: [in] 3989 * The optional context and application specific information. 3990 * If info == NULL or a zero-length string, it is ignored. 3991 * info_len: [in] 3992 * The length of the optional context and application specific 3993 * information. (Ignored if info == NULL.) 3994 * okm: [out] 3995 * Where the HKDF is to be stored. 3996 * okm_len: [in] 3997 * The length of the buffer to hold okm. 3998 * okm_len must be <= 255 * USHABlockSize(whichSha) 3999 * 4000 * Notes: 4001 * Calls hkdfExtract() and hkdfExpand(). 4002 * 4003 * Returns: 4004 * sha Error Code. 4005 * 4006 */ 4007 int hkdf(SHAversion whichSha, 4008 const unsigned char *salt, int salt_len, 4009 const unsigned char *ikm, int ikm_len, 4010 const unsigned char *info, int info_len, 4011 uint8_t okm[ ], int okm_len) 4012 { 4013 uint8_t prk[USHAMaxHashSize]; 4014 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 4015 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 4016 info_len, okm, okm_len); 4017 } 4019 /* 4020 * hkdfExtract 4021 * 4022 * Description: 4023 * This function will perform HKDF extraction. 4024 * 4025 * Parameters: 4026 * whichSha: [in] 4027 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4028 * salt: [in] 4029 * The optional salt value (a non-secret random value); 4030 * if not provided (salt == NULL), it is set internally 4031 * to a string of HashLen(whichSha) zeros. 4032 * salt_len: [in] 4033 * The length of the salt value. (Ignored if salt == NULL.) 4034 * ikm: [in] 4035 * Input keying material. 4036 * ikm_len: [in] 4037 * The length of the input keying material. 4038 * prk: [out] 4039 * Where the HKDF extraction is to be stored. 4040 * Must be larger than USHAHashSize(whichSha); 4041 * 4042 * Returns: 4043 * sha Error Code. 4044 * 4045 */ 4046 int hkdfExtract(SHAversion whichSha, 4047 const unsigned char *salt, int salt_len, 4048 const unsigned char *ikm, int ikm_len, 4049 uint8_t prk[USHAMaxHashSize]) 4050 { 4051 unsigned char nullSalt[USHAMaxHashSize]; 4052 if (salt == 0) { 4053 salt = nullSalt; 4054 salt_len = USHAHashSize(whichSha); 4055 memset(nullSalt, '\0', salt_len); 4056 } else if (salt_len < 0) { 4057 return shaBadParam; 4058 } 4059 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4060 } 4062 /* 4063 * hkdfExpand 4064 * 4065 * Description: 4066 * This function will perform HKDF expansion. 4067 * 4068 * Parameters: 4069 * whichSha: [in] 4070 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4071 * info: [in] 4072 * The optional context and application specific information. 4073 * If info == NULL or a zero-length string, it is ignored. 4074 * info_len: [in] 4075 * The length of the optional context and application specific 4076 * information. (Ignored if info == NULL.) 4077 * okm: [out] 4078 * Where the HKDF is to be stored. 4079 * okm_len: [in] 4080 * The length of the buffer to hold okm. 4082 * okm_len must be <= 255 * USHABlockSize(whichSha) 4083 * 4084 * Returns: 4085 * sha Error Code. 4086 * 4087 */ 4088 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4089 const unsigned char *info, int info_len, 4090 uint8_t okm[ ], int okm_len) 4091 { 4092 int hash_len, N; 4093 unsigned char T[USHAMaxHashSize]; 4094 int Tlen, where, i; 4096 if (info == 0) { 4097 info = ""; 4098 info_len = 0; 4099 } else if (info_len < 0) { 4100 return shaBadParam; 4101 } else if (prk_len < 0) { 4102 return shaBadParam; 4103 } else if (!okm) { 4104 return shaBadParam; 4105 } 4107 hash_len = USHAHashSize(whichSha); 4108 if (prk_len < hash_len) return shaBadParam; 4109 N = okm_len / hash_len; 4110 if ((okm_len % hash_len) != 0) N++; 4111 if (N > 255) return shaBadParam; 4113 Tlen = 0; 4114 where = 0; 4115 for (i = 1; i <= N; i++) { 4116 HMACContext context; 4117 unsigned char c = i; 4118 int ret = hmacReset(&context, whichSha, prk, hash_len) || 4119 hmacInput(&context, T, Tlen) || 4120 hmacInput(&context, info, info_len) || 4121 hmacInput(&context, &c, 1) || 4122 hmacResult(&context, T); 4123 if (ret != shaSuccess) return ret; 4124 memcpy(okm + where, T, 4125 (i != N) ? hash_len : (okm_len - where)); 4126 where += hash_len; 4127 Tlen = hash_len; 4128 } 4129 return shaSuccess; 4130 } 4131 /* 4132 * hkdfReset 4133 * 4134 * Description: 4135 * This function will initialize the hkdfContext in preparation 4136 * for computing a new HKDF message digest. It is used for 4137 * arbitrary length inputs. 4138 * 4139 * Parameters: 4140 * context: [in/out] 4141 * The context to reset. 4142 * whichSha: [in] 4143 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4144 * salt: [in] 4145 * The optional salt value (a non-secret random value); 4146 * if not provided (salt == NULL), it is set internally 4147 * to a string of HashLen(whichSha) zeros. 4148 * salt_len: [in] 4149 * The length of the salt value. (Ignored if salt == NULL.) 4150 * 4151 * Returns: 4152 * sha Error Code. 4153 * 4154 */ 4155 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4156 const unsigned char *salt, int salt_len) 4157 { 4158 unsigned char nullSalt[USHAMaxHashSize]; 4159 if (!context) return shaNull; 4161 context->whichSha = whichSha; 4162 context->hashSize = USHAHashSize(whichSha); 4163 if (salt == 0) { 4164 salt = nullSalt; 4165 salt_len = context->hashSize; 4166 memset(nullSalt, '\0', salt_len); 4167 } 4169 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4170 } 4172 /* 4173 * hkdfInput 4174 * 4175 * Description: 4176 * This function accepts an array of octets as the next portion 4177 * of the input keying material. It may be called multiple times. 4178 * 4179 * Parameters: 4180 * context: [in/out] 4181 * The HKDF context to update. 4182 * ikm: [in] 4183 * An array of octets representing the next portion of 4184 * the input keying material. 4185 * ikm_len: [in] 4186 * The length of ikm. 4187 * 4188 * Returns: 4189 * sha Error Code. 4190 * 4191 */ 4192 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4193 int ikm_len) 4194 { 4195 if (!context) return shaNull; 4196 if (context->Corrupted) return context->Corrupted; 4197 if (context->Computed) return context->Corrupted = shaStateError; 4198 return hmacInput(&context->hmacContext, ikm, ikm_len); 4199 } 4201 /* 4202 * hkdfFinalBits 4203 * 4204 * Description: 4205 * This function will add in any final bits of the 4206 * input keying material. 4207 * 4208 * Parameters: 4209 * context: [in/out] 4210 * The HKDF context to update 4211 * ikm_bits: [in] 4212 * The final bits of the input keying material, in the upper 4213 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4214 * to input the three bits ###.) 4215 * ikm_bit_count: [in] 4216 * The number of bits in message_bits, between 1 and 7. 4217 * 4218 * Returns: 4219 * sha Error Code. 4220 */ 4221 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4222 unsigned int ikm_bit_count) 4223 { 4224 if (!context) return shaNull; 4225 if (context->Corrupted) return context->Corrupted; 4226 if (context->Computed) return context->Corrupted = shaStateError; 4227 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4228 } 4230 /* 4231 * hkdfResult 4232 * 4233 * Description: 4234 * This function will finish the HKDF extraction and perform the 4235 * final HKDF expansion. 4236 * 4237 * Parameters: 4238 * context: [in/out] 4239 * The HKDF context to use to calculate the HKDF hash. 4240 * prk: [out] 4241 * An optional location to store the HKDF extraction. 4242 * Either NULL, or pointer to a buffer that must be 4243 * larger than USHAHashSize(whichSha); 4244 * info: [in] 4245 * The optional context and application specific information. 4246 * If info == NULL or a zero-length string, it is ignored. 4247 * info_len: [in] 4248 * The length of the optional context and application specific 4249 * information. (Ignored if info == NULL.) 4250 * okm: [out] 4251 * Where the HKDF is to be stored. 4252 * okm_len: [in] 4253 * The length of the buffer to hold okm. 4254 * okm_len must be <= 255 * USHABlockSize(whichSha) 4255 * 4256 * Returns: 4257 * sha Error Code. 4258 * 4259 */ 4260 int hkdfResult(HKDFContext *context, 4261 uint8_t prk[USHAMaxHashSize], 4262 const unsigned char *info, int info_len, 4263 uint8_t okm[ ], int okm_len) 4264 { 4265 uint8_t prkbuf[USHAMaxHashSize]; 4266 int ret; 4268 if (!context) return shaNull; 4269 if (context->Corrupted) return context->Corrupted; 4270 if (context->Computed) return context->Corrupted = shaStateError; 4271 if (!okm) return context->Corrupted = shaBadParam; 4272 if (!prk) prk = prkbuf; 4274 ret = hmacResult(&context->hmacContext, prk) || 4275 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4276 info_len, okm, okm_len); 4277 context->Computed = 1; 4278 return context->Corrupted = ret; 4279 } 4280 8.5 The Test Driver 4282 The following code is a main program test driver to exercise the code 4283 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4284 driver can also be used as a standalone program for generating the 4285 hashes. 4287 See also [SHAVS]. 4289 /************************** shatest.c **************************/ 4290 /***************** See RFC NNNN for details. *******************/ 4291 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4292 /* authors of the code. All rights reserved. */ 4293 /* See sha.h for terms of use and redistribution. */ 4295 /* 4296 * Description: 4297 * This file will exercise the SHA code performing 4298 * the three tests documented in FIPS PUB 180-2 4299 * (http://csrc.nist.gov/publications/fips/ 4300 * fips180-2/fips180-2withchangenotice.pdf) 4301 * one that calls SHAInput with an exact multiple of 512 bits 4302 * the seven tests documented for each algorithm in 4303 * "The Secure Hash Algorithm Validation System (SHAVS)" 4304 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4305 * three of which are bit-level tests 4306 * 4307 * This file will exercise the HMAC SHA1 code performing 4308 * the seven tests documented in RFCs [RFC2202] and [RFC4231]. 4309 * 4310 * This file will exercise the HKDF code performing 4311 * the six tests documented in RFC XXXX. 4312 * 4313 * To run the tests and just see PASSED/FAILED, use the -p option. 4314 * 4315 * Other options exercise: 4316 * hashing an arbitrary string 4317 * hashing a file's contents 4318 * a few error test checks 4319 * printing the results in raw format 4320 * 4321 * Portability Issues: 4322 * None. 4323 * 4324 */ 4326 #include 4327 #include 4328 #include 4329 #include 4330 #include 4331 #include "sha.h" 4333 static int xgetopt(int argc, char **argv, const char *optstring); 4334 extern char *xoptarg; 4335 static int scasecmp(const char *s1, const char *s2); 4337 /* 4338 * Define patterns for testing 4339 */ 4340 #define TEST1 "abc" 4341 #define TEST2_1 \ 4342 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4343 #define TEST2_2a \ 4344 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4345 #define TEST2_2b \ 4346 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4347 #define TEST2_2 TEST2_2a TEST2_2b 4348 #define TEST3 "a" /* times 1000000 */ 4349 #define TEST4a "01234567012345670123456701234567" 4350 #define TEST4b "01234567012345670123456701234567" 4351 /* an exact multiple of 512 bits */ 4352 #define TEST4 TEST4a TEST4b /* times 10 */ 4354 #define TEST7_1 \ 4355 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4356 #define TEST8_1 \ 4357 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4358 #define TEST9_1 \ 4359 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4360 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4361 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4362 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4363 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4364 #define TEST10_1 \ 4365 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4366 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4367 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4368 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4369 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4370 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4371 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4372 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4373 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4374 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4375 "\xcd\xbb\xfb" 4376 #define TEST7_224 \ 4377 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4378 #define TEST8_224 \ 4379 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4381 #define TEST9_224 \ 4382 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4383 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4384 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4385 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4386 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4387 #define TEST10_224 \ 4388 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4389 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4390 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4391 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4392 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4393 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4394 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4395 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4396 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4397 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4398 "\x87\x82\x73" 4399 #define TEST7_256 \ 4400 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4401 #define TEST8_256 \ 4402 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4403 #define TEST9_256 \ 4404 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4405 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4406 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4407 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4408 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4409 #define TEST10_256 \ 4410 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4411 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4412 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4413 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4414 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4415 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4416 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4417 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4418 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4419 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4420 "\x3d\x54\xd6" 4421 #define TEST7_384 \ 4422 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4423 #define TEST8_384 \ 4424 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4425 #define TEST9_384 \ 4426 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4427 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4428 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4429 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4430 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4431 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4432 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4433 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4434 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4435 #define TEST10_384 \ 4436 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4437 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4438 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4439 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4440 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4441 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4442 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4443 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4444 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4445 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4446 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4447 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4448 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4449 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4450 "\x7e\xd0\x96" 4451 #define TEST7_512 \ 4452 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4453 #define TEST8_512 \ 4454 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4455 #define TEST9_512 \ 4456 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4457 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4458 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4459 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4460 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4461 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4462 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4463 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4464 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4465 #define TEST10_512 \ 4466 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4467 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4468 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4469 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4470 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4471 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4472 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4473 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4474 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4475 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4476 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4477 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4478 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4479 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4480 "\xfb\x40\xd2" 4482 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4483 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4484 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4485 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4486 "\x27" 4487 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4488 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4489 "\x27\x9c\x1c\xb0\xa7" 4490 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4491 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4492 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4493 "\xa4\x84\xbe\x74\x53" 4494 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4495 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4496 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4497 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4498 "\x4b\x12\x27\x20\x39" 4500 #define TESTCOUNT 10 4501 #define HASHCOUNT 5 4502 #define RANDOMCOUNT 4 4503 #define HMACTESTCOUNT 7 4504 #define HKDFTESTCOUNT 7 4506 #define PRINTNONE 0 4507 #define PRINTTEXT 1 4508 #define PRINTRAW 2 4509 #define PRINTHEX 3 4510 #define PRINTBASE64 4 4512 #define PRINTPASSFAIL 1 4513 #define PRINTFAIL 2 4515 #define length(x) (sizeof(x)-1) 4517 /* Test arrays for hashes. */ 4518 struct hash { 4519 const char *name; 4520 SHAversion whichSha; 4521 int hashsize; 4522 struct { 4523 const char *testarray; 4524 int length; 4525 long repeatcount; 4526 int extrabits; 4527 int numberExtrabits; 4528 const char *resultarray; 4529 } tests[TESTCOUNT]; 4530 const char *randomtest; 4531 const char *randomresults[RANDOMCOUNT]; 4533 } hashes[HASHCOUNT] = { 4534 { "SHA1", SHA1, SHA1HashSize, 4535 { 4536 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4537 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4538 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4539 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4540 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4541 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4542 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4543 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4544 /* 5 */ { "", 0, 0, 0x98, 5, 4545 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4546 /* 6 */ { "\x5e", 1, 1, 0, 0, 4547 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4548 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4549 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4550 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4551 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4552 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4553 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4554 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4555 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4556 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4557 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4558 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4559 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4560 } }, 4561 { "SHA224", SHA224, SHA224HashSize, 4562 { 4563 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4564 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4565 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4566 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4567 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4568 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4569 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4570 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4571 /* 5 */ { "", 0, 0, 0x68, 5, 4572 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4573 /* 6 */ { "\x07", 1, 1, 0, 0, 4574 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4575 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4576 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4577 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4578 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4579 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4580 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4581 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4582 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4584 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4585 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4586 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4587 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4588 "709563FB916227FED598EB621F" 4589 } }, 4590 { "SHA256", SHA256, SHA256HashSize, 4591 { 4592 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4593 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4594 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4595 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4596 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4597 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4598 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4599 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4600 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4601 "09DB45E7823EB5079CE7A573A3760F95" }, 4602 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4603 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4604 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4605 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4606 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4607 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4608 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4609 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4610 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4611 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4612 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4613 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4614 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4615 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4616 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4617 } }, 4618 { "SHA384", SHA384, SHA384HashSize, 4619 { 4620 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4621 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4622 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4623 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4624 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4625 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4626 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4627 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4628 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4629 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4630 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4631 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4632 /* 5 */ { "", 0, 0, 0x10, 5, 4633 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4634 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4635 /* 6 */ { "\xb9", 1, 1, 0, 0, 4636 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4637 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4638 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4639 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4640 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4641 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4642 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4643 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4644 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4645 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4646 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4647 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4648 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4649 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4650 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4651 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4652 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4653 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4654 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4655 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4656 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4657 } }, 4658 { "SHA512", SHA512, SHA512HashSize, 4659 { 4660 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4661 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4662 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4663 "454D4423643CE80E2A9AC94FA54CA49F" }, 4664 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4665 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4666 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4667 "C7D329EEB6DD26545E96E55B874BE909" }, 4668 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4669 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4670 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4671 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4672 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4673 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4674 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4675 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4676 /* 5 */ { "", 0, 0, 0xB0, 5, 4677 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4678 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4679 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4680 /* 6 */ { "\xD0", 1, 1, 0, 0, 4681 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4682 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4683 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4685 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4686 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4687 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4688 "7359B43E64F8BEC3C1F237119986BBB6" }, 4689 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4690 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4691 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4692 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4693 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4694 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4695 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4696 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4697 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4698 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4699 "C1A16A270D48719377966B957A878E720584779A62825C18" 4700 "DA26415E49A7176A894E7510FD1451F5" } 4701 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4702 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4703 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4704 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4705 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4706 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4707 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4708 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4709 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4710 } 4711 } 4712 }; 4714 /* Test arrays for HMAC. */ 4715 struct hmachash { 4716 const char *keyarray[5]; 4717 int keylength[5]; 4718 const char *dataarray[5]; 4719 int datalength[5]; 4720 const char *resultarray[5]; 4721 int resultlength[5]; 4722 } hmachashes[HMACTESTCOUNT] = { 4723 { /* 1 */ { 4724 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4725 "\x0b\x0b\x0b\x0b\x0b" 4726 }, { 20 }, { 4727 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4728 }, { 8 }, { 4729 /* HMAC-SHA-1 */ 4730 "B617318655057264E28BC0B6FB378C8EF146BE00", 4731 /* HMAC-SHA-224 */ 4732 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4733 /* HMAC-SHA-256 */ 4734 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4735 "CFF7", 4736 /* HMAC-SHA-384 */ 4737 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4738 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4739 /* HMAC-SHA-512 */ 4740 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4741 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4742 "3A126854" 4743 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4744 SHA384HashSize, SHA512HashSize } 4745 }, 4746 { /* 2 */ { 4747 "\x4a\x65\x66\x65" /* "Jefe" */ 4748 }, { 4 }, { 4749 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4750 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4751 /* "what do ya want for nothing?" */ 4752 }, { 28 }, { 4753 /* HMAC-SHA-1 */ 4754 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4755 /* HMAC-SHA-224 */ 4756 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4757 /* HMAC-SHA-256 */ 4758 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4759 "3843", 4760 /* HMAC-SHA-384 */ 4761 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4762 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4763 /* HMAC-SHA-512 */ 4764 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4765 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4766 "38BCE737" 4767 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4768 SHA384HashSize, SHA512HashSize } 4769 }, 4770 { /* 3 */ 4771 { 4772 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4773 "\xaa\xaa\xaa\xaa\xaa" 4774 }, { 20 }, { 4775 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4776 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4777 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4778 "\xdd\xdd\xdd\xdd\xdd" 4779 }, { 50 }, { 4780 /* HMAC-SHA-1 */ 4781 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4782 /* HMAC-SHA-224 */ 4783 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4784 /* HMAC-SHA-256 */ 4785 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4786 "65FE", 4787 /* HMAC-SHA-384 */ 4788 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4789 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4790 /* HMAC-SHA-512 */ 4791 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4792 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4793 "E13292FB" 4794 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4795 SHA384HashSize, SHA512HashSize } 4796 }, 4797 { /* 4 */ { 4798 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4799 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4800 }, { 25 }, { 4801 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4802 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4803 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4804 "\xcd\xcd\xcd\xcd\xcd" 4805 }, { 50 }, { 4806 /* HMAC-SHA-1 */ 4807 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4808 /* HMAC-SHA-224 */ 4809 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4810 /* HMAC-SHA-256 */ 4811 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4812 "665B", 4813 /* HMAC-SHA-384 */ 4814 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4815 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4816 /* HMAC-SHA-512 */ 4817 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4818 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4819 "10A298DD" 4820 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4821 SHA384HashSize, SHA512HashSize } 4822 }, 4823 { /* 5 */ { 4824 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4825 "\x0c\x0c\x0c\x0c\x0c" 4826 }, { 20 }, { 4827 "Test With Truncation" 4828 }, { 20 }, { 4829 /* HMAC-SHA-1 */ 4830 "4C1A03424B55E07FE7F27BE1", 4831 /* HMAC-SHA-224 */ 4832 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4833 /* HMAC-SHA-256 */ 4834 "A3B6167473100EE06E0C796C2955552B", 4835 /* HMAC-SHA-384 */ 4836 "3ABF34C3503B2A23A46EFC619BAEF897", 4837 /* HMAC-SHA-512 */ 4838 "415FAD6271580A531D4179BC891D87A6" 4839 }, { 12, 16, 16, 16, 16 } 4840 }, 4841 { /* 6 */ { 4842 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4843 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4844 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4845 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4846 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4847 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4848 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4849 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4850 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4851 }, { 80, 131 }, { 4852 "Test Using Larger Than Block-Size Key - Hash Key First" 4853 }, { 54 }, { 4854 /* HMAC-SHA-1 */ 4855 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4856 /* HMAC-SHA-224 */ 4857 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4858 /* HMAC-SHA-256 */ 4859 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4860 "7F54", 4861 /* HMAC-SHA-384 */ 4862 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4863 "C4C60C2EF6AB4030FE8296248DF163F44952", 4864 /* HMAC-SHA-512 */ 4865 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4866 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4867 "5D786598" 4868 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4869 SHA384HashSize, SHA512HashSize } 4870 }, 4871 { /* 7 */ { 4872 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4873 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4874 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4875 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4876 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4877 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4878 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4879 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4880 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4881 }, { 80, 131 }, { 4882 "Test Using Larger Than Block-Size Key and " 4883 "Larger Than One Block-Size Data", 4884 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4885 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4886 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4887 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4888 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4889 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4890 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4891 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4892 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4893 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4894 "\x6d\x2e" 4895 /* "This is a test using a larger than block-size key and a " 4896 "larger than block-size data. The key needs to be hashed " 4897 "before being used by the HMAC algorithm." */ 4898 }, { 73, 152 }, { 4899 /* HMAC-SHA-1 */ 4900 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4901 /* HMAC-SHA-224 */ 4902 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4903 /* HMAC-SHA-256 */ 4904 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4905 "35E2", 4906 /* HMAC-SHA-384 */ 4907 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4908 "99C5A678CC31E799176D3860E6110C46523E", 4909 /* HMAC-SHA-512 */ 4910 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4911 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4912 "FA8C6A58" 4913 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4914 SHA384HashSize, SHA512HashSize } 4915 } 4916 }; 4918 /* Test arrays for HKDF. */ 4919 struct hkdfhash { 4920 SHAversion whichSha; 4921 int ikmlength; 4922 const char *ikmarray; 4923 int saltlength; 4924 const char *saltarray; 4925 int infolength; 4926 const char *infoarray; 4927 int prklength; 4928 const char *prkarray; 4929 int okmlength; 4930 const char *okmarray; 4931 } hkdfhashes[HKDFTESTCOUNT] = { 4932 { /* A.1. Test Case 1 */ 4933 SHA256, 4934 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4935 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4936 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4937 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4938 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4939 "D7C2B3E5", 4940 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4941 "ECC4C5BF34007208D5B887185865" 4942 }, 4943 { /* A.2. Test Case 2 */ 4944 SHA256, 4945 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4946 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4947 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4948 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4949 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4950 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4951 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4952 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4953 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4954 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4955 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4956 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4957 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4958 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4959 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4960 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4961 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4962 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4963 32, "06A6B88C5853361A06104C9CEB35B45C" 4964 "EF760014904671014A193F40C15FC244", 4965 82, "B11E398DC80327A1C8E7F78C596A4934" 4966 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4967 "59045A99CAC7827271CB41C65E590E09" 4968 "DA3275600C2F09B8367793A9ACA3DB71" 4969 "CC30C58179EC3E87C14C01D5C1F3434F" 4970 "1D87" 4971 }, 4972 { /* A.3. Test Case 3 */ 4973 SHA256, 4974 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4975 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4976 0, "", 4977 0, "", 4978 32, "19EF24A32C717B167F33A91D6F648BDF" 4979 "96596776AFDB6377AC434C1C293CCB04", 4980 42, "8DA4E775A563C18F715F802A063C5A31" 4981 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4982 "9D201395FAA4B61A96C8" 4983 }, 4984 { /* A.4. Test Case 4 */ 4985 SHA1, 4986 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4987 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4988 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4989 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4990 42, "085A01EA1B10F36933068B56EFA5AD81" 4991 "A4F14B822F5B091568A9CDD4F155FDA2" 4992 "C22E422478D305F3F896" 4993 }, 4994 { /* A.5. Test Case 5 */ 4995 SHA1, 4996 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4997 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4998 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4999 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 5000 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 5001 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 5002 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 5003 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 5004 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 5005 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 5006 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 5007 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 5008 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 5009 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 5010 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 5011 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 5012 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 5013 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 5014 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 5015 82, "0BD770A74D1160F7C9F12CD5912A06EB" 5016 "FF6ADCAE899D92191FE4305673BA2FFE" 5017 "8FA3F1A4E5AD79F3F334B3B202B2173C" 5018 "486EA37CE3D397ED034C7F9DFEB15C5E" 5019 "927336D0441F4C4300E2CFF0D0900B52" 5020 "D3B4" 5021 }, 5022 { /* A.6. Test Case 6 */ 5023 SHA1, 5024 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 5025 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 5026 0, "", 5027 0, "", 5028 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 5029 42, "0AC1AF7002B3D761D1E55298DA9D0506" 5030 "B9AE52057220A306E07B6B87E8DF21D0" 5031 "EA00033DE03984D34918" 5032 }, 5033 { /* Extra test case, not in RFC XXXX. */ 5034 SHA1, 5035 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 5036 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 5037 0, 0, 5038 0, "", 5039 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 5040 42, "2C91117204D745F3500D636A62F64F0A" 5041 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5042 "673A081D70CCE7ACFC48" 5043 } 5044 }; 5046 /* 5047 * Check the hash value against the expected string, expressed in hex 5048 */ 5049 static const char hexdigits[ ] = "0123456789ABCDEF"; 5050 int checkmatch(const unsigned char *hashvalue, 5051 const char *hexstr, int hashsize) 5052 { 5053 int i; 5054 for (i = 0; i < hashsize; ++i) { 5055 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5056 return 0; 5057 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5058 } 5059 return 1; 5060 } 5062 /* 5063 * Print the string, converting non-printable characters to "." 5064 */ 5065 void printstr(const char *str, int len) 5066 { 5067 for ( ; len-- > 0; str++) 5068 putchar(isprint((unsigned char)*str) ? *str : '.'); 5069 } 5071 /* 5072 * Print the string, converting all characters to hex "## ". 5073 */ 5074 void printxstr(const char *str, int len) 5075 { 5076 char *sep = ""; 5077 for ( ; len-- > 0; str++) { 5078 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5079 hexdigits[*str & 0xF]); 5080 sep = " "; 5081 } 5082 } 5084 /* 5085 * Print a usage message. 5086 */ 5087 void usage(const char *argv0) 5088 { 5089 fprintf(stderr, 5090 "Usage:\n" 5091 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5092 "Hash a string:\n" 5093 "\t%s [-S expectedresult] -s hashstr [-k key] " 5094 "[-i info -L okm-len]\n" 5095 "Hash a file:\n" 5096 "\t%s [-S expectedresult] -f file [-k key] " 5097 "[-i info -L okm-len]\n" 5098 "Hash a file, ignoring whitespace:\n" 5099 "\t%s [-S expectedresult] -F file [-k key] " 5100 "[-i info -L okm-len]\n" 5101 "Additional bits to add in: [-B bitcount -b bits]\n" 5102 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5103 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5104 " Otherwise, run SHA###.)\n" 5105 "Standard tests:\n" 5106 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5107 "\t\t[-r randomseed] [-R randomloop-count] " 5108 "[-p] [-P|-X]\n" 5109 "-h\thash to test: " 5110 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5111 "-m\tperform hmac standard tests\n" 5112 "-k\tkey for hmac test\n" 5113 "-d\tperform hkdf standard tests\n" 5114 "-t\ttest case to run, 1-10\n" 5115 "-l\thow many times to run the test\n" 5116 "-e\ttest error returns\n" 5117 "-p\tdo not print results\n" 5118 "-P\tdo not print PASSED/FAILED\n" 5119 "-X\tprint FAILED, but not PASSED\n" 5120 "-r\tseed for random test\n" 5121 "-R\thow many times to run random test\n" 5122 "-s\tstring to hash\n" 5123 "-S\texpected result of hashed string, in hex\n" 5124 "-w\toutput hash in raw format\n" 5125 "-x\toutput hash in hex format\n" 5126 "-6\toutput hash in base64 format\n" 5127 "-B\t# extra bits to add in after string or file input\n" 5128 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5129 "-H\tinput hashstr or randomseed is in hex\n" 5130 , argv0, argv0, argv0, argv0); 5131 exit(1); 5132 } 5134 /* 5135 * Print the results and PASS/FAIL. 5136 */ 5137 void printResult(uint8_t *Message_Digest, int hashsize, 5138 const char *hashname, const char *testtype, const char *testname, 5139 const char *resultarray, int printResults, int printPassFail) 5140 { 5141 int i, k; 5142 if (printResults == PRINTTEXT) { 5143 printf("\nhashsize=%d\n", hashsize); 5144 putchar('\t'); 5145 for (i = 0; i < hashsize; ++i) { 5146 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5147 putchar(hexdigits[Message_Digest[i] & 0xF]); 5148 putchar(' '); 5149 } 5150 putchar('\n'); 5151 } else if (printResults == PRINTRAW) { 5152 fwrite(Message_Digest, 1, hashsize, stdout); 5153 } else if (printResults == PRINTHEX) { 5154 for (i = 0; i < hashsize; ++i) { 5155 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5156 putchar(hexdigits[Message_Digest[i] & 0xF]); 5157 } 5158 putchar('\n'); 5159 } else if (printResults == PRINTBASE64) { 5160 unsigned char b; 5161 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5162 "0123456789+/"; 5163 for (i = 0; i < hashsize; i += 3) { 5164 putchar(sm[Message_Digest[i] >> 2]); 5165 b = (Message_Digest[i] & 0x03) << 4; 5166 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5167 putchar(sm[b]); 5168 if (i+1 < hashsize) { 5169 b = (Message_Digest[i+1] & 0x0f) << 2; 5170 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5171 putchar(sm[b]); 5172 } else putchar('='); 5173 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5174 else putchar('='); 5175 } 5176 putchar('\n'); 5177 } 5179 if (printResults && resultarray) { 5180 printf(" Should match:\n\t"); 5181 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5182 putchar(resultarray[k]); 5183 putchar(resultarray[k+1]); 5184 putchar(' '); 5186 } 5187 putchar('\n'); 5188 } 5190 if (printPassFail && resultarray) { 5191 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5192 if ((printPassFail == PRINTPASSFAIL) || !ret) 5193 printf("%s %s %s: %s\n", hashname, testtype, testname, 5194 ret ? "PASSED" : "FAILED"); 5195 } 5196 } 5198 /* 5199 * Exercise a hash series of functions. The input is the testarray, 5200 * repeated repeatcount times, followed by the extrabits. If the 5201 * result is known, it is in resultarray in uppercase hex. 5202 */ 5203 int hash(int testno, int loopno, int hashno, 5204 const char *testarray, int length, long repeatcount, 5205 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5206 int keylen, const unsigned char *info, int infolen, int okmlen, 5207 const char *resultarray, int hashsize, int printResults, 5208 int printPassFail) 5209 { 5210 USHAContext sha; 5211 HMACContext hmac; 5212 HKDFContext hkdf; 5213 int err, i; 5214 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5215 uint8_t *Message_Digest = Message_Digest_Buf; 5216 char buf[20]; 5218 if (printResults == PRINTTEXT) { 5219 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5220 loopno, repeatcount); 5221 printstr(testarray, length); 5222 printf("'\n\t'"); 5223 printxstr(testarray, length); 5224 printf("'\n"); 5225 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5226 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5227 } 5229 if (info) Message_Digest = malloc(okmlen); 5230 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5231 memset(&hmac, '\343', sizeof(hmac)); 5232 memset(&hkdf, '\343', sizeof(hkdf)); 5233 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5234 keyarray, keylen) : 5235 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5236 keyarray, keylen) : 5237 USHAReset(&sha, hashes[hashno].whichSha); 5238 if (err != shaSuccess) { 5239 fprintf(stderr, "hash(): %sReset Error %d.\n", 5240 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5241 return err; 5242 } 5244 for (i = 0; i < repeatcount; ++i) { 5245 err = info ? hkdfInput(&hkdf, testarray, length) : 5246 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5247 length) : 5248 USHAInput(&sha, (const uint8_t *) testarray, 5249 length); 5250 if (err != shaSuccess) { 5251 fprintf(stderr, "hash(): %sInput Error %d.\n", 5252 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5253 return err; 5254 } 5255 } 5257 if (numberExtrabits > 0) { 5258 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5259 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5260 numberExtrabits) : 5261 USHAFinalBits(&sha, (uint8_t) extrabits, 5262 numberExtrabits); 5263 if (err != shaSuccess) { 5264 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5265 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5266 return err; 5267 } 5268 } 5270 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5271 Message_Digest, okmlen) : 5272 keyarray ? hmacResult(&hmac, Message_Digest) : 5273 USHAResult(&sha, Message_Digest); 5274 if (err != shaSuccess) { 5275 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5276 "message digest.\n", 5277 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5278 return err; 5279 } 5281 sprintf(buf, "%d", testno+1); 5282 printResult(Message_Digest, info ? okmlen : hashsize, 5283 hashes[hashno].name, info ? "hkdf standard test" : 5284 keyarray ? "hmac standard test" : "sha standard test", buf, 5285 resultarray, printResults, printPassFail); 5287 return err; 5288 } 5290 /* 5291 * Exercise an HKDF series. The input is the testarray, 5292 * repeated repeatcount times, followed by the extrabits. If the 5293 * result is known, it is in resultarray in uppercase hex. 5294 */ 5295 int hashHkdf(int testno, int loopno, int hashno, 5296 int printResults, int printPassFail) 5297 { 5298 int err; 5299 unsigned char prk[USHAMaxHashSize+1]; 5300 uint8_t okm[255 * USHAMaxHashSize+1]; 5301 char buf[20]; 5303 if (printResults == PRINTTEXT) { 5304 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5305 printxstr(hkdfhashes[testno].saltarray, 5306 hkdfhashes[testno].saltlength); 5307 printf("'\n\tIKM\t'"); 5308 printxstr(hkdfhashes[testno].ikmarray, 5309 hkdfhashes[testno].ikmlength); 5310 printf("'\n\tINFO\t'"); 5311 printxstr(hkdfhashes[testno].infoarray, 5312 hkdfhashes[testno].infolength); 5313 printf("'\n"); 5314 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5315 } 5317 /* Run hkdf() against the test vectors */ 5318 err = hkdf(hkdfhashes[testno].whichSha, 5319 hkdfhashes[testno].saltarray, 5320 hkdfhashes[testno].saltlength, 5321 hkdfhashes[testno].ikmarray, 5322 hkdfhashes[testno].ikmlength, 5323 hkdfhashes[testno].infoarray, 5324 hkdfhashes[testno].infolength, okm, 5325 hkdfhashes[testno].okmlength); 5326 if (err != shaSuccess) { 5327 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5328 return err; 5329 } 5330 sprintf(buf, "hkdf %d", testno+1); 5331 printResult(okm, hkdfhashes[testno].okmlength, 5332 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5333 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5335 /* Now run hkdfExtract() by itself against the test vectors */ 5336 /* to verify the intermediate results. */ 5337 err = hkdfExtract(hkdfhashes[testno].whichSha, 5338 hkdfhashes[testno].saltarray, 5339 hkdfhashes[testno].saltlength, 5340 hkdfhashes[testno].ikmarray, 5341 hkdfhashes[testno].ikmlength, prk); 5342 if (err != shaSuccess) { 5343 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5344 return err; 5345 } 5346 sprintf(buf, "hkdfExtract %d", testno+1); 5347 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5348 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5349 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5351 /* Now run hkdfExpand() by itself against the test vectors */ 5352 /* using the intermediate results from hkdfExtract. */ 5353 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5354 USHAHashSize(hkdfhashes[testno].whichSha), 5355 hkdfhashes[testno].infoarray, hkdfhashes[testno].infolength, 5356 okm, hkdfhashes[testno].okmlength); 5357 if (err != shaSuccess) { 5358 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5359 return err; 5360 } 5361 sprintf(buf, "hkdfExpand %d", testno+1); 5362 printResult(okm, hkdfhashes[testno].okmlength, 5363 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5364 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5366 return err; 5367 } 5369 /* 5370 * Exercise a hash series of functions. The input is a filename. 5371 * If the result is known, it is in resultarray in uppercase hex. 5372 */ 5373 int hashfile(int hashno, const char *hashfilename, int bits, 5374 int bitcount, int skipSpaces, const unsigned char *keyarray, 5375 int keylen, const unsigned char *info, int infolen, int okmlen, 5376 const char *resultarray, int hashsize, 5377 int printResults, int printPassFail) 5378 { 5379 USHAContext sha; 5380 HMACContext hmac; 5381 HKDFContext hkdf; 5382 int err, nread, c; 5383 unsigned char buf[4096]; 5384 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5385 uint8_t *Message_Digest = Message_Digest_Buf; 5386 unsigned char cc; 5387 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5388 fopen(hashfilename, "r"); 5390 if (!hashfp) { 5391 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5392 return shaStateError; 5393 } 5395 if (info) Message_Digest = malloc(okmlen); 5396 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5397 memset(&hmac, '\343', sizeof(hmac)); 5398 memset(&hkdf, '\343', sizeof(hkdf)); 5399 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5400 keyarray, keylen) : 5401 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5402 keyarray, keylen) : 5403 USHAReset(&sha, hashes[hashno].whichSha); 5404 if (err != shaSuccess) { 5405 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5406 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5407 return err; 5408 } 5410 if (skipSpaces) 5411 while ((c = getc(hashfp)) != EOF) { 5412 if (!isspace(c)) { 5413 cc = (unsigned char)c; 5414 err = info ? hkdfInput(&hkdf, &cc, 1) : 5415 keyarray ? hmacInput(&hmac, &cc, 1) : 5416 USHAInput(&sha, &cc, 1); 5417 if (err != shaSuccess) { 5418 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5419 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5420 if (hashfp != stdin) fclose(hashfp); 5421 return err; 5422 } 5423 } 5424 } 5425 else 5426 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5427 err = info ? hkdfInput(&hkdf, buf, nread) : 5428 keyarray ? hmacInput(&hmac, buf, nread) : 5429 USHAInput(&sha, buf, nread); 5430 if (err != shaSuccess) { 5431 fprintf(stderr, "hashfile(): %s Error %d.\n", 5432 info ? "hkdf" : keyarray ? "hmacInput" : 5433 "shaInput", err); 5434 if (hashfp != stdin) fclose(hashfp); 5435 return err; 5436 } 5438 } 5440 if (bitcount > 0) 5441 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5442 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5443 USHAFinalBits(&sha, bits, bitcount); 5444 if (err != shaSuccess) { 5445 fprintf(stderr, "hashfile(): %s Error %d.\n", 5446 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5447 "shaFinalBits", err); 5448 if (hashfp != stdin) fclose(hashfp); 5449 return err; 5450 } 5452 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5453 Message_Digest, okmlen) : 5454 keyarray ? hmacResult(&hmac, Message_Digest) : 5455 USHAResult(&sha, Message_Digest); 5456 if (err != shaSuccess) { 5457 fprintf(stderr, "hashfile(): %s Error %d.\n", 5458 info ? "hkdf" : keyarray ? "hmacResult" : 5459 "shaResult", err); 5460 if (hashfp != stdin) fclose(hashfp); 5461 return err; 5462 } 5464 printResult(Message_Digest, info ? okmlen : hashsize, 5465 hashes[hashno].name, "file", hashfilename, resultarray, 5466 printResults, printPassFail); 5468 if (hashfp != stdin) fclose(hashfp); 5469 if (info) free(Message_Digest); 5470 return err; 5471 } 5473 /* 5474 * Exercise a hash series of functions through multiple permutations. 5475 * The input is an initial seed. That seed is replicated 3 times. 5476 * For 1000 rounds, the previous three results are used as the input. 5477 * This result is then checked, and used to seed the next cycle. 5478 * If the result is known, it is in resultarrays in uppercase hex. 5479 */ 5480 void randomtest(int hashno, const char *seed, int hashsize, 5481 const char **resultarrays, int randomcount, 5482 int printResults, int printPassFail) 5483 { 5484 int i, j; char buf[20]; 5485 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5487 /* INPUT: Seed - A random seed n bits long */ 5488 memcpy(SEED, seed, hashsize); 5489 if (printResults == PRINTTEXT) { 5490 printf("%s random test seed= '", hashes[hashno].name); 5491 printxstr(seed, hashsize); 5492 printf("'\n"); 5493 } 5495 for (j = 0; j < randomcount; j++) { 5496 /* MD0 = MD1 = MD2 = Seed; */ 5497 memcpy(MD[0], SEED, hashsize); 5498 memcpy(MD[1], SEED, hashsize); 5499 memcpy(MD[2], SEED, hashsize); 5500 for (i=3; i<1003; i++) { 5501 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5502 USHAContext Mi; 5503 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5504 USHAReset(&Mi, hashes[hashno].whichSha); 5505 USHAInput(&Mi, MD[i-3], hashsize); 5506 USHAInput(&Mi, MD[i-2], hashsize); 5507 USHAInput(&Mi, MD[i-1], hashsize); 5508 /* MDi = SHA(Mi); */ 5509 USHAResult(&Mi, MD[i]); 5510 } 5512 /* MDj = Seed = MDi; */ 5513 memcpy(SEED, MD[i-1], hashsize); 5515 /* OUTPUT: MDj */ 5516 sprintf(buf, "%d", j); 5517 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5518 buf, resultarrays ? resultarrays[j] : 0, printResults, 5519 (j < RANDOMCOUNT) ? printPassFail : 0); 5520 } 5521 } 5523 /* 5524 * Look up a hash name. 5525 */ 5526 int findhash(const char *argv0, const char *opt) 5527 { 5528 int i; 5529 const char *names[HASHCOUNT][2] = { 5530 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5531 { "3", "sha384" }, { "4", "sha512" } 5532 }; 5534 for (i = 0; i < HASHCOUNT; i++) 5535 if ((strcmp(opt, names[i][0]) == 0) || 5536 (scasecmp(opt, names[i][1]) == 0)) 5537 return i; 5539 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5540 usage(argv0); 5541 return 0; 5542 } 5544 /* 5545 * Run some tests that should invoke errors. 5546 */ 5547 void testErrors(int hashnolow, int hashnohigh, int printResults, 5548 int printPassFail) 5549 { 5550 USHAContext usha; 5551 uint8_t Message_Digest[USHAMaxHashSize]; 5552 int hashno, err; 5554 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5555 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5556 USHAReset(&usha, hashno); 5557 USHAResult(&usha, Message_Digest); 5558 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5559 if (printResults == PRINTTEXT) 5560 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5561 if ((printPassFail == PRINTPASSFAIL) || 5562 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5563 printf("%s se: %s\n", hashes[hashno].name, 5564 (err == shaStateError) ? "PASSED" : "FAILED"); 5566 err = USHAFinalBits(&usha, 0x80, 3); 5567 if (printResults == PRINTTEXT) 5568 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5569 if ((printPassFail == PRINTPASSFAIL) || 5570 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5571 printf("%s se: %s\n", hashes[hashno].name, 5572 (err == shaStateError) ? "PASSED" : "FAILED"); 5574 err = USHAReset(0, hashes[hashno].whichSha); 5575 if (printResults == PRINTTEXT) 5576 printf("\nError %d. Should be %d.\n", err, shaNull); 5577 if ((printPassFail == PRINTPASSFAIL) || 5578 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5579 printf("%s usha null: %s\n", hashes[hashno].name, 5580 (err == shaNull) ? "PASSED" : "FAILED"); 5582 switch (hashno) { 5583 case SHA1: err = SHA1Reset(0); break; 5584 case SHA224: err = SHA224Reset(0); break; 5585 case SHA256: err = SHA256Reset(0); break; 5586 case SHA384: err = SHA384Reset(0); break; 5587 case SHA512: err = SHA512Reset(0); break; 5588 } 5589 if (printResults == PRINTTEXT) 5590 printf("\nError %d. Should be %d.\n", err, shaNull); 5591 if ((printPassFail == PRINTPASSFAIL) || 5592 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5593 printf("%s sha null: %s\n", hashes[hashno].name, 5594 (err == shaNull) ? "PASSED" : "FAILED"); 5595 } 5596 } 5598 /* replace a hex string in place with its value */ 5599 int unhexStr(char *hexstr) 5600 { 5601 char *o = hexstr; 5602 int len = 0, nibble1 = 0, nibble2 = 0; 5603 if (!hexstr) return 0; 5604 for ( ; *hexstr; hexstr++) { 5605 if (isalpha((int)(unsigned char)(*hexstr))) { 5606 nibble1 = tolower(*hexstr) - 'a' + 10; 5607 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5608 nibble1 = *hexstr - '0'; 5609 } else { 5610 printf("\nError: bad hex character '%c'\n", *hexstr); 5611 } 5612 if (!*++hexstr) break; 5613 if (isalpha((int)(unsigned char)(*hexstr))) { 5614 nibble2 = tolower(*hexstr) - 'a' + 10; 5615 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5616 nibble2 = *hexstr - '0'; 5617 } else { 5618 printf("\nError: bad hex character '%c'\n", *hexstr); 5619 } 5620 *o++ = (char)((nibble1 << 4) | nibble2); 5621 len++; 5622 } 5623 return len; 5624 } 5626 int main(int argc, char **argv) 5627 { 5628 int i, err; 5629 int loopno, loopnohigh = 1; 5630 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5631 int testno, testnolow = 0, testnohigh; 5632 int ntestnohigh = 0; 5633 int printResults = PRINTTEXT; 5634 int printPassFail = 1; 5635 int checkErrors = 0; 5636 char *hashstr = 0; 5637 int hashlen = 0; 5638 const char *resultstr = 0; 5639 char *randomseedstr = 0; 5640 int runHmacTests = 0; 5641 int runHkdfTests = 0; 5642 char *hmacKey = 0; 5643 int hmaclen = 0; 5644 char *info = 0; 5645 int infolen = 0, okmlen = 0; 5646 int randomcount = RANDOMCOUNT; 5647 const char *hashfilename = 0; 5648 const char *hashFilename = 0; 5649 int extrabits = 0, numberExtrabits = 0; 5650 int strIsHex = 0; 5652 while ((i = xgetopt(argc, argv, 5653 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5654 switch (i) { 5655 case 'b': extrabits = strtol(xoptarg, 0, 0); break; 5656 case 'B': numberExtrabits = atoi(xoptarg); break; 5657 case 'd': runHkdfTests = 1; break; 5658 case 'e': checkErrors = 1; break; 5659 case 'f': hashfilename = xoptarg; break; 5660 case 'F': hashFilename = xoptarg; break; 5661 case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg); 5662 break; 5663 case 'H': strIsHex = 1; break; 5664 case 'i': info = xoptarg; infolen = strlen(xoptarg); break; 5665 case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break; 5666 case 'l': loopnohigh = atoi(xoptarg); break; 5667 case 'L': okmlen = strtol(xoptarg, 0, 0); break; 5668 case 'm': runHmacTests = 1; break; 5669 case 'P': printPassFail = 0; break; 5670 case 'p': printResults = PRINTNONE; break; 5671 case 'R': randomcount = atoi(xoptarg); break; 5672 case 'r': randomseedstr = xoptarg; break; 5673 case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break; 5674 case 'S': resultstr = xoptarg; break; 5675 case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break; 5676 case 'w': printResults = PRINTRAW; break; 5677 case 'x': printResults = PRINTHEX; break; 5678 case 'X': printPassFail = 2; break; 5679 case '6': printResults = PRINTBASE64; break; 5680 default: usage(argv[0]); 5681 } 5683 if (strIsHex) { 5684 hashlen = unhexStr(hashstr); 5685 unhexStr(randomseedstr); 5686 hmaclen = unhexStr(hmacKey); 5687 infolen = unhexStr(info); 5688 } 5689 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5690 runHmacTests ? (HMACTESTCOUNT-1) : 5691 runHkdfTests ? (HKDFTESTCOUNT-1) : 5692 (TESTCOUNT-1); 5693 if ((testnolow < 0) || 5694 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5695 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5696 (hashstr && (testnolow == testnohigh)) || 5697 (randomcount < 0) || 5698 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5699 ((runHmacTests || hmacKey) && randomseedstr) || 5700 (hashfilename && hashFilename) || 5701 (info && ((infolen <= 0) || (okmlen <= 0))) || 5702 (info && !hmacKey)) 5703 usage(argv[0]); 5705 /* 5706 * Perform SHA/HMAC tests 5707 */ 5708 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5709 if (printResults == PRINTTEXT) 5710 printf("Hash %s\n", hashes[hashno].name); 5711 err = shaSuccess; 5713 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5714 ++loopno) { 5715 if (hashstr) 5716 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5717 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5718 hmaclen, info, infolen, okmlen, resultstr, 5719 hashes[hashno].hashsize, printResults, printPassFail); 5721 else if (randomseedstr) 5722 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5723 randomcount, printResults, printPassFail); 5725 else if (hashfilename) 5726 err = hashfile(hashno, hashfilename, extrabits, 5727 numberExtrabits, 0, 5728 (const unsigned char *)hmacKey, hmaclen, 5729 info, infolen, okmlen, resultstr, 5730 hashes[hashno].hashsize, 5731 printResults, printPassFail); 5733 else if (hashFilename) 5734 err = hashfile(hashno, hashFilename, extrabits, 5735 numberExtrabits, 1, 5736 (const unsigned char *)hmacKey, hmaclen, 5737 info, infolen, okmlen, resultstr, 5738 hashes[hashno].hashsize, 5739 printResults, printPassFail); 5741 else /* standard tests */ { 5742 for (testno = testnolow; 5743 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5744 if (runHmacTests) { 5745 err = hash(testno, loopno, hashno, 5746 hmachashes[testno].dataarray[hashno] ? 5747 hmachashes[testno].dataarray[hashno] : 5748 hmachashes[testno].dataarray[1] ? 5749 hmachashes[testno].dataarray[1] : 5750 hmachashes[testno].dataarray[0], 5751 hmachashes[testno].datalength[hashno] ? 5752 hmachashes[testno].datalength[hashno] : 5753 hmachashes[testno].datalength[1] ? 5754 hmachashes[testno].datalength[1] : 5755 hmachashes[testno].datalength[0], 5756 1, 0, 0, 5757 (const unsigned char *)( 5758 hmachashes[testno].keyarray[hashno] ? 5759 hmachashes[testno].keyarray[hashno] : 5760 hmachashes[testno].keyarray[1] ? 5761 hmachashes[testno].keyarray[1] : 5762 hmachashes[testno].keyarray[0]), 5763 hmachashes[testno].keylength[hashno] ? 5764 hmachashes[testno].keylength[hashno] : 5765 hmachashes[testno].keylength[1] ? 5766 hmachashes[testno].keylength[1] : 5767 hmachashes[testno].keylength[0], 5768 0, 0, 0, 5769 hmachashes[testno].resultarray[hashno], 5770 hmachashes[testno].resultlength[hashno], 5771 printResults, printPassFail); 5772 } else if (runHkdfTests) { 5773 err = hashHkdf(testno, loopno, hashno, 5774 printResults, printPassFail); 5775 } else { /* sha tests */ 5776 err = hash(testno, loopno, hashno, 5777 hashes[hashno].tests[testno].testarray, 5778 hashes[hashno].tests[testno].length, 5779 hashes[hashno].tests[testno].repeatcount, 5780 hashes[hashno].tests[testno].numberExtrabits, 5781 hashes[hashno].tests[testno].extrabits, 5782 0, 0, 0, 0, 0, 5783 hashes[hashno].tests[testno].resultarray, 5784 hashes[hashno].hashsize, 5785 printResults, printPassFail); 5786 } 5787 } 5788 if (!runHmacTests && !runHkdfTests) { 5789 randomtest(hashno, hashes[hashno].randomtest, 5790 hashes[hashno].hashsize, hashes[hashno].randomresults, 5791 RANDOMCOUNT, printResults, printPassFail); 5792 } 5793 } 5794 } 5795 } 5797 /* Test some error returns */ 5798 if (checkErrors) { 5799 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5800 } 5802 return 0; 5803 } 5805 /* 5806 * Compare two strings, case independently. 5807 * Equivalent to strcasecmp() found on some systems. 5808 */ 5809 int scasecmp(const char *s1, const char *s2) 5810 { 5811 for (;;) { 5812 char u1 = tolower(*s1++); 5813 char u2 = tolower(*s2++); 5814 if (u1 != u2) 5815 return u1 - u2; 5816 if (u1 == '\0') 5817 return 0; 5818 } 5819 } 5821 /* 5822 * This is a copy of getopt provided for those systems that do not 5823 * have it. The name was changed to xgetopt to not conflict on those 5824 * systems that do have it. Similarly, optarg, optind and opterr 5825 * were renamed to xoptarg, xoptind and xopterr. 5826 * 5827 * Copyright 1990, 1991, 1992 by the Massachusetts Institute of 5828 * Technology and UniSoft Group Limited. 5829 * 5830 * Permission to use, copy, modify, distribute, and sell this software 5831 * and its documentation for any purpose is hereby granted without fee, 5832 * provided that the above copyright notice appear in all copies and 5833 * that both that copyright notice and this permission notice appear in 5834 * supporting documentation, and that the names of MIT and UniSoft not 5835 * be used in advertising or publicity pertaining to distribution of 5836 * the software without specific, written prior permission. MIT and 5837 * UniSoft make no representations about the suitability of this 5838 * software for any purpose. It is provided "as is" without express 5839 * or implied warranty. 5840 * 5841 * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $ 5842 * NB: Reformatted to match above style. 5843 */ 5845 char *xoptarg; 5846 int xoptind = 1; 5847 int xopterr = 1; 5849 static int xgetopt(int argc, char **argv, const char *optstring) 5850 { 5851 static int avplace; 5852 char *ap; 5853 char *cp; 5854 int c; 5856 if (xoptind >= argc) 5857 return EOF; 5859 ap = argv[xoptind] + avplace; 5861 /* At beginning of arg but not an option */ 5862 if (avplace == 0) { 5863 if (ap[0] != '-') 5864 return EOF; 5865 else if (ap[1] == '-') { 5866 /* Special end of options option */ 5867 xoptind++; 5868 return EOF; 5869 } else if (ap[1] == '\0') 5870 return EOF; /* single '-' is not allowed */ 5871 } 5873 /* Get next letter */ 5874 avplace++; 5875 c = *++ap; 5877 cp = strchr(optstring, c); 5878 if (cp == NULL || c == ':') { 5879 if (xopterr) 5880 fprintf(stderr, "Unrecognised option -- %c\n", c); 5881 return '?'; 5882 } 5884 if (cp[1] == ':') { 5885 /* There should be an option arg */ 5886 avplace = 0; 5887 if (ap[1] == '\0') { 5888 /* It is a separate arg */ 5889 if (++xoptind >= argc) { 5890 if (xopterr) 5891 fprintf(stderr, "Option requires an argument\n"); 5892 return '?'; 5893 } 5894 xoptarg = argv[xoptind++]; 5895 } else { 5896 /* is attached to option letter */ 5897 xoptarg = ap + 1; 5898 ++xoptind; 5899 } 5900 } else { 5901 /* If we are out of letters then go to next arg */ 5902 if (ap[1] == '\0') { 5903 ++xoptind; 5904 avplace = 0; 5905 } 5907 xoptarg = NULL; 5908 } 5909 return c; 5910 } 5911 9. IANA Considerations 5913 This document requires no IANA Actions. The RFC Editor should delete 5914 this section before publication. 5916 10. Security Considerations 5918 This document is intended to provide convenient open source access by 5919 the Internet community to the United States of America Federal 5920 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5921 180-2], HMACs based thereon, and HKDF. No independent assertion of 5922 the security of these functions by the authors for any particular use 5923 is intended. 5925 11. Acknowledgements 5927 Thanks for the corrections to [RFC4634] that were provided by Alfred 5928 Hoenes and Jan Andres that are incorporated herein. 5930 12. References 5932 RFC Editor Note: All occurances of RFChkdf should be edited to have 5933 the HKDF RFC number instead of "hkdf". All occurances of "RFC NNNN" 5934 should be edited to replace "NNNN" with this documents RFC number. 5935 And this note should be deleted. 5937 12.1 Normative References 5939 [FIPS 180-2] - "Secure Hash Standard", United States of American, 5940 National Institute of Science and Technology, Federal 5941 Information Processing Standard (FIPS) 180-2, 5942 http://csrc.nist.gov/publications/fips/fips180-2/fips180- 5943 2withchangenotice.pdf. 5945 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5946 Hashing for Message Authentication", RFC 2104, February 1997. 5948 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 5949 Requirement Levels", BCP 14, RFC 2119, March 1997. 5951 [RFChkdf] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5952 Expand Key Derivation Function (HKDF)", draft-krawczyk-hkdf in 5953 RFC Editor queue, January 2010. 5955 12.2 Informative References 5957 [RFC2202] - P. Cheng, R. Glenn, "Test Cases for HMAC-MD5 and HMAC- 5958 SHA-1", September 1997. 5960 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5961 (SHA1)", September 2001. 5963 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5964 September 2004. 5966 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5967 Algorithms and Identifiers for RSA Cryptography for use in the 5968 Internet X.509 Public Key Infrastructure Certificate and 5969 Certificate Revocation List (CRL) Profile", RFC 4055, June 2005 5971 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5972 Requirements for Security", May 2005. 5974 [RFC4231] - M. Nystrom, "Identifiers and Test Vectors for HMAC- 5975 SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 5976 December 2005. 5978 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5979 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5981 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5982 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5984 Appendix: Changes from RFC 4634 5986 The following changes were made to RFC 4634 to produce this document: 5988 1. Add code for HKDF and brief text about HKDF with pointer to 5989 [RFChkdf]. 5991 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5992 no case did the old code return an incorrect hash value. 5994 2.a Correct some of the error return values which has erroneously 5995 been "shaNull" to the correct "shaInputTooLong" error. 5997 2.b Update comments and variable names within the code for 5998 consistency and clarity and other editorial changes. 6000 2.c The previous code for SHA-384 and SHA-512 would stop after 6001 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 6002 bytes (2^128 bits). 6004 2.d Add additional error checking. 6006 3. Update boilerplate, remove special license in [RFC4634] as new 6007 boilerplate mandates simplified BSD license. 6009 Edit History 6011 RFC Editor, Please delete this section on publication. 6013 Changes from -00 to -01 6015 Add hash function OIDs and informational reference to [RFC4055]. A 6016 few Editorial changes and typo fixes. 6018 Author's Address 6020 Donald E. Eastlake, 3rd 6021 Stellar Switches 6022 155 Beaver Street 6023 Milford, MA 01757 USA 6025 Telephone: +1-508-333-2270 6026 EMail: d3e3e3@gmail.com 6028 Tony Hansen 6029 AT&T Laboratories 6030 200 Laurel Ave. 6031 Middletown, NJ 07748 USA 6033 Telephone: +1-732-420-8934 6034 EMail: tony+shs@maillennium.att.com 6036 Copyright, Disclaimer, and Additional IPR Provisions 6038 Copyright (c) 2010 IETF Trust and the persons identified as the 6039 document authors. All rights reserved. 6041 This document is subject to BCP 78 and the IETF Trust's Legal 6042 Provisions Relating to IETF Documents 6043 (http://trustee.ietf.org/license-info) in effect on the date of 6044 publication of this document. Please review these documents 6045 carefully, as they describe your rights and restrictions with respect 6046 to this document. Code Components extracted from this document must 6047 include Simplified BSD License text as described in Section 4.e of 6048 the Trust Legal Provisions and are provided without warranty as 6049 described in the BSD License. This Internet-Draft is submitted to 6050 IETF in full conformance with the provisions of BCP 78 and BCP 79.