idnits 2.17.00 (12 Aug 2021) /tmp/idnits60496/draft-eastlake-sha2b-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4634]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC4634, but the abstract doesn't seem to directly say this. It does mention RFC4634 though, so this could be OK. -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 751 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 9, 2010) is 4394 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5548, but not defined -- Looks like a reference, but probably isn't: '4' on line 3247 == Missing Reference: 'SHA1HashSize' is mentioned on line 1505, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1896, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2047, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2738, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2929, but not defined -- Looks like a reference, but probably isn't: '0' on line 5840 -- Looks like a reference, but probably isn't: '1' on line 5892 -- Looks like a reference, but probably isn't: '2' on line 5526 -- Looks like a reference, but probably isn't: '3' on line 3290 -- Looks like a reference, but probably isn't: '8' on line 3164 -- Looks like a reference, but probably isn't: '56' on line 2130 -- Looks like a reference, but probably isn't: '57' on line 2131 -- Looks like a reference, but probably isn't: '58' on line 2132 -- Looks like a reference, but probably isn't: '59' on line 2133 -- Looks like a reference, but probably isn't: '60' on line 2134 -- Looks like a reference, but probably isn't: '61' on line 2135 -- Looks like a reference, but probably isn't: '62' on line 2136 -- Looks like a reference, but probably isn't: '63' on line 2137 -- Looks like a reference, but probably isn't: '80' on line 3201 -- Looks like a reference, but probably isn't: '64' on line 2181 -- Looks like a reference, but probably isn't: '5' on line 4718 -- Looks like a reference, but probably isn't: '6' on line 3249 -- Looks like a reference, but probably isn't: '7' on line 3250 -- Looks like a reference, but probably isn't: '112' on line 3002 -- Looks like a reference, but probably isn't: '113' on line 3003 -- Looks like a reference, but probably isn't: '114' on line 3004 -- Looks like a reference, but probably isn't: '115' on line 3005 -- Looks like a reference, but probably isn't: '116' on line 3006 -- Looks like a reference, but probably isn't: '117' on line 3007 -- Looks like a reference, but probably isn't: '118' on line 3008 -- Looks like a reference, but probably isn't: '119' on line 3009 -- Looks like a reference, but probably isn't: '120' on line 3011 -- Looks like a reference, but probably isn't: '121' on line 3012 -- Looks like a reference, but probably isn't: '122' on line 3013 -- Looks like a reference, but probably isn't: '123' on line 3014 -- Looks like a reference, but probably isn't: '124' on line 3015 -- Looks like a reference, but probably isn't: '125' on line 3016 -- Looks like a reference, but probably isn't: '126' on line 3017 -- Looks like a reference, but probably isn't: '127' on line 3018 -- Looks like a reference, but probably isn't: '9' on line 3126 -- Looks like a reference, but probably isn't: '10' on line 3165 -- Looks like a reference, but probably isn't: '11' on line 3128 -- Looks like a reference, but probably isn't: '12' on line 3166 -- Looks like a reference, but probably isn't: '13' on line 3130 -- Looks like a reference, but probably isn't: '14' on line 3167 -- Looks like a reference, but probably isn't: '15' on line 3132 == Missing Reference: 'TESTCOUNT' is mentioned on line 4526, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4528, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5526, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4719, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4928, but not defined -- Looks like a reference, but probably isn't: '20' on line 5481 -- Looks like a reference, but probably isn't: '4096' on line 5380 -- Looks like a reference, but probably isn't: '1003' on line 5482 == Unused Reference: 'RFC2119' is defined on line 5945, but no explicit reference was found in the text == Outdated reference: draft-krawczyk-hkdf has been published as RFC 5869 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 2 errors (**), 0 flaws (~~), 15 warnings (==), 51 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Stellar Switches 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: November 8, 2010 May 9, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 This document is an update of [RFC4634] to fix errata and to add code 14 for an HMAC-based extract-and-expand key derivation function. 16 The United States of America has adopted a suite of secure hash 17 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 18 Information Processing Standard (FIPS), specifically SHA-224, 19 SHA-256, SHA-384, and SHA-512. The purpose of this document is to 20 make open source code performing the SHA hash functions conveniently 21 available to the Internet community. The sample code supports input 22 strings of arbitrary bit length. Much of the text herein was adapted 23 by the authors from FIPS 180-2. 25 As with [RFC4634], code to perform SHA based HMACs is included and, 26 new in this version, code for HKDF is included. 28 Status of This Memo 30 This Internet-Draft is submitted to IETF in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Distribution of this document is unlimited. Comments should be sent 34 to the authors. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF), its areas, and its working groups. Note that 38 other groups may also distribute working documents as Internet- 39 Drafts. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 The list of current Internet-Drafts can be accessed at 47 http://www.ietf.org/1id-abstracts.html 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 Table of Contents 54 1. Overview of Contents....................................3 55 2. Notation for Bit Strings and Integers...................4 56 3. Operations on Words.....................................5 58 4. Message Padding and Parsing.............................7 59 4.1 SHA-224 and SHA-256....................................7 60 4.2 SHA-384 and SHA-512....................................8 62 5. Functions and Constants Used...........................10 63 5.1 SHA-224 and SHA-256...................................10 64 5.2 SHA-384 and SHA-512...................................11 66 6. Computing the Message Digest...........................12 67 6.1 SHA-224 and SHA-256 Initialization....................12 68 6.2 SHA-224 and SHA-256 Processing........................12 69 6.3 SHA-384 and SHA-512 Initialization....................14 70 6.4 SHA-384 and SHA-512 Processing........................15 72 7. HKDF and SHA Based HMACs...............................17 73 7.1 SHA Based HMACs.......................................17 74 7.2 HKDF..................................................17 76 8. C Code for SHAs, HMAC, and HKDF........................18 77 8.1 The .h file...........................................21 78 8.2 The SHA Code..........................................28 79 8.2.1 sha1.c..............................................29 80 8.2.2 sha224-256.c........................................37 81 8.2.3 sha384-512.c........................................49 82 8.2.4 usha.c..............................................70 83 8.2.5 sha-private.h.......................................76 84 8.3 The HMAC Code.........................................77 85 8.4 The HKDF Code.........................................82 86 8.5 The Test Driver.......................................89 88 9. IANA Considerations...................................122 89 10. Security Considerations..............................122 90 11. Acknowledgements.....................................122 92 12. References...........................................123 93 12.1 Normative References................................123 94 12.2 Informative References..............................123 96 Appendix: Changes from RFC 4634..........................125 98 Edit History.............................................126 99 Changes from -00 to -01..................................126 100 Changes from -01 to -02..................................126 102 1. Overview of Contents 104 This document obsoletes [RFC4634] and the changes from that RFC are 105 summarized in the Appendix below. 107 This document includes specifications for the United States of 108 America (USA) Federal Information Processing Standard (FIPS) Secure 109 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 110 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 111 Specifications for HMAC and HKDF are not included as they appear 112 elsewhere in the RFC series [RFC2104] [RFChkdf]. 114 NOTE: Much of the text below is taken from [FIPS 180-2] and the 115 assertions of the security of the hash algorithms described therein 116 are made by the US Government, the author of [FIPS 180-2], not by the 117 authors of this document. 119 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 120 SHA-256, SHA-384, and SHA-512, for computing a condensed 121 representation of a message or a data file. (SHA-1 is specified in 122 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 123 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 124 these algorithms, the result is an output called a message digest. 125 The message digests range in length from 224 to 512 bits, depending 126 on the algorithm. Secure hash algorithms are typically used with 127 other cryptographic algorithms, such as digital signature algorithms 128 and keyed hash authentication codes, the generation or random numbers 129 [RFC4086], or in key derivation functions. 131 The four algorithms specified in this document are called secure 132 because it is computationally infeasible to (1) find a message which 133 corresponds to a given message digest, or (2) to find two different 134 messages that produce the same message digest. Any change to a 135 message in transit will, with very high probability, result in a 136 different message digest. This will result in a verification failure 137 when the secure hash algorithm is used with a digital signature 138 algorithm or a keyed-hash message authentication algorithm. 140 The code provided herein supports input strings of arbitrary bit 141 length. SHA-1's sample code from [RFC3174] has also been updated to 142 handle input strings of arbitrary bit length. Permission is granted 143 for all uses, commercial and non-commercial, of this code. 145 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 146 [RFC4055], are as follows: 148 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 149 identified-organization(3) oiw(14) 150 secsig(3) algorithms(2) 26 } 152 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 153 country(16) us(840) organization(1) gov(101) 154 csor(3) nistalgorithm(4) hashalgs(2) 4 } 155 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 156 country(16) us(840) organization(1) gov(101) 157 csor(3) nistalgorithm(4) hashalgs(2) 1 } 158 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 159 country(16) us(840) organization(1) gov(101) 160 csor(3) nistalgorithm(4) hashalgs(2) 2 } 161 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 162 country(16) us(840) organization(1) gov(101) 163 csor(3) nistalgorithm(4) hashalgs(2) 3 } 165 Section 2 below defines the terminology and functions used as 166 building blocks to form these algorithms. Section 3 describes the 167 fundamental operations on words from which these algorithms are 168 built. Section 4 describes how messages are padded up to an integral 169 multiple of the required block size and then parsed into blocks. 170 Section 5 defines the constants and the composite functions used to 171 specify these algorithms. Section 6 gives the actual specification 172 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 173 provides pointers to the specification of HMAC keyed message 174 authentication codes and to the specification of an extract-and- 175 expand key derivation function based on HMAC. 177 Section 8 gives sample code for the SHA algorithms, for SHA based 178 HMACs, and for HMAC-based extract-and-expand key derivation function. 180 2. Notation for Bit Strings and Integers 182 The following terminology related to bit strings and integers will be 183 used: 185 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 186 A hex digit is the representation of a 4-bit string. Examples: 187 7 = 0111, A = 1010. 189 b. A word equals a 32-bit or 64-bit string that may be represented 190 as a sequence of 8 or 16 hex digits, respectively. To convert a 191 word to hex digits, each 4-bit string is converted to its hex 192 equivalent as described in (a) above. Example: 194 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 196 Throughout this document, the "big-endian" convention is used 197 when expressing both 32-bit and 64-bit words, so that within 198 each word the most significant bit is shown in the left-most bit 199 position. 201 c. An integer may be represented as a word or pair of words. 203 An integer between 0 and 2^32 - 1 inclusive may be represented 204 as a 32-bit word. The least significant four bits of the 205 integer are represented by the right-most hex digit of the word 206 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 207 256+32+2+1 is represented by the hex word, 00000123. 209 The same holds true for an integer between 0 and 2^64-1 210 inclusive, which may be represented as a 64-bit word. 212 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 213 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 214 as words X and Y, respectively, z can be represented as the pair 215 of words (X,Y). 217 Again, the "big-endian" convention is used and the most 218 significant word is in the left-most word position for values 219 represented by multiple-words. 221 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 222 represented as a sequence of 32-bit or 64-bit words. 224 3. Operations on Words 226 The following logical operators will be applied to words in all four 227 hash operations specified herein. SHA-224 and SHA-256 operate on 228 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 230 In the operations below, x<>n is obtained as follows: discard the right-most n bits 234 of x and then prepend the result with n zeroed bits on the left (the 235 result will still be the same number of bits). 237 a. Bitwise logical word operations 239 X AND Y = bitwise logical "and" of X and Y. 241 X OR Y = bitwise logical "inclusive-or" of X and Y. 243 X XOR Y = bitwise logical "exclusive-or" of X and Y. 245 NOT X = bitwise logical "complement" of X. 247 Example: 248 01101100101110011101001001111011 249 XOR 01100101110000010110100110110111 250 -------------------------------- 251 = 00001001011110001011101111001100 253 b. The operation X + Y is defined as follows: words X and Y 254 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 255 < 2^w. For positive integers n and m, let 257 n mod m 259 be the remainder upon dividing n by m. Compute 261 z = (x + y) mod 2^w. 263 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 264 Y. 266 c. The right shift operation SHR^n(x), where x is a w-bit word and n 267 is an integer with 0 <= n < w, is defined by 269 SHR^n(x) = x>>n 271 d. The rotate right (circular right shift) operation ROTR^n(x), where 272 x is a w-bit word and n is an integer with 0 <= n < w, is 273 defined by 275 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 277 e. The rotate left (circular left shift) operation ROTL^n(x), where x 278 is a w-bit word and n is an integer with 0 <= n < w, is defined 279 by 281 ROTL^n(X) = (x<>w-n) 283 Note the following equivalence relationships, where w is fixed 284 in each relationship: 286 ROTL^n(x) = ROTR^(w-n)(x) 288 ROTR^n(x) = ROTL^(w-n)(x) 290 4. Message Padding and Parsing 292 The hash functions specified herein are used to compute a message 293 digest for a message or data file that is provided as input. The 294 message or data file should be considered to be a bit string. The 295 length of the message is the number of bits in the message (the empty 296 message has length 0). If the number of bits in a message is a 297 multiple of 8, for compactness we can represent the message in hex. 298 The purpose of message padding is to make the total length of a 299 padded message a multiple of 512 for SHA-224 and SHA-256 or a 300 multiple of 1024 for SHA-384 and SHA-512. 302 The following specifies how this padding shall be performed. As a 303 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 304 integer are appended to the end of the message to produce a padded 305 message of length 512*n or 1024*n. The appended integer is the 306 length of the original message. The padded message is then processed 307 by the hash function as n 512-bit or 1024-bit blocks. 309 4.1 SHA-224 and SHA-256 311 Suppose a message has length L < 2^64. Before it is input to the 312 hash function, the message is padded on the right as follows: 314 a. "1" is appended. Example: if the original message is "01010000", 315 this is padded to "010100001". 317 b. K "0"s are appended where K is the smallest, non-negative 318 solution to the equation 320 L + 1 + K = 448 (mod 512) 322 c. Then append the 64-bit block that is L in binary representation. 323 After appending this block, the length of the message will be a 324 multiple of 512 bits. 326 Example: Suppose the original message is the bit string 328 01100001 01100010 01100011 01100100 01100101 330 After step (a) this gives 332 01100001 01100010 01100011 01100100 01100101 1 334 Since L = 40, the number of bits in the above is 41 and K = 407 335 "0"s are appended, making the total now 448. This gives the 336 following in hex: 338 61626364 65800000 00000000 00000000 339 00000000 00000000 00000000 00000000 340 00000000 00000000 00000000 00000000 341 00000000 00000000 343 The 64-bit representation of L = 40 is hex 00000000 00000028. 344 Hence the final padded message is the following hex 346 61626364 65800000 00000000 00000000 347 00000000 00000000 00000000 00000000 348 00000000 00000000 00000000 00000000 349 00000000 00000000 00000000 00000028 351 4.2 SHA-384 and SHA-512 353 Suppose a message has length L < 2^128. Before it is input to the 354 hash function, the message is padded on the right as follows: 356 a. "1" is appended. Example: if the original message is "01010000", 357 this is padded to "010100001". 359 b. K "0"s are appended where K is the smallest, non-negative 360 solution to the equation 362 L + 1 + K = 896 (mod 1024) 364 c. Then append the 128-bit block that is L in binary representation. 365 After appending this block, the length of the message will be a 366 multiple of 1024 bits. 368 Example: Suppose the original message is the bit string 370 01100001 01100010 01100011 01100100 01100101 372 After step (a) this gives 374 01100001 01100010 01100011 01100100 01100101 1 376 Since L = 40, the number of bits in the above is 41 and K = 855 377 "0"s are appended, making the total now 896. This gives the 378 following in hex: 380 61626364 65800000 00000000 00000000 381 00000000 00000000 00000000 00000000 382 00000000 00000000 00000000 00000000 383 00000000 00000000 00000000 00000000 384 00000000 00000000 00000000 00000000 385 00000000 00000000 00000000 00000000 386 00000000 00000000 00000000 00000000 388 The 128-bit representation of L = 40 is hex 00000000 00000000 389 00000000 00000028. Hence the final padded message is the 390 following hex: 392 61626364 65800000 00000000 00000000 393 00000000 00000000 00000000 00000000 394 00000000 00000000 00000000 00000000 395 00000000 00000000 00000000 00000000 396 00000000 00000000 00000000 00000000 397 00000000 00000000 00000000 00000000 398 00000000 00000000 00000000 00000000 399 00000000 00000000 00000000 00000028 401 5. Functions and Constants Used 403 The following subsections give the six logical functions and the 404 table of constants used in each of the hash functions. 406 5.1 SHA-224 and SHA-256 408 SHA-224 and SHA-256 use six logical functions, where each function 409 operates on 32-bit words, which are represented as x, y, and z. The 410 result of each function is a new 32-bit word. 412 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 414 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 416 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 418 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 420 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 422 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 424 SHA-224 and SHA-256 use the same sequence of sixty-four constant 425 32-bit words, K0, K1, ..., K63. These words represent the first 426 thirty-two bits of the fractional parts of the cube roots of the 427 first sixty-four prime numbers. In hex, these constant words are as 428 follows (from left to right): 430 428a2f98 71374491 b5c0fbcf e9b5dba5 431 3956c25b 59f111f1 923f82a4 ab1c5ed5 432 d807aa98 12835b01 243185be 550c7dc3 433 72be5d74 80deb1fe 9bdc06a7 c19bf174 434 e49b69c1 efbe4786 0fc19dc6 240ca1cc 435 2de92c6f 4a7484aa 5cb0a9dc 76f988da 436 983e5152 a831c66d b00327c8 bf597fc7 437 c6e00bf3 d5a79147 06ca6351 14292967 438 27b70a85 2e1b2138 4d2c6dfc 53380d13 439 650a7354 766a0abb 81c2c92e 92722c85 440 a2bfe8a1 a81a664b c24b8b70 c76c51a3 441 d192e819 d6990624 f40e3585 106aa070 442 19a4c116 1e376c08 2748774c 34b0bcb5 443 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 444 748f82ee 78a5636f 84c87814 8cc70208 445 90befffa a4506ceb bef9a3f7 c67178f2 447 5.2 SHA-384 and SHA-512 449 SHA-384 and SHA-512 each use six logical functions, where each 450 function operates on 64-bit words, which are represented as x, y, and 451 z. The result of each function is a new 64-bit word. 453 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 455 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 457 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 459 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 461 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 463 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 465 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 466 words, K0, K1, ... K79. These words represent the first sixty-four 467 bits of the fractional parts of the cube roots of the first eighty 468 prime numbers. In hex, these constant words are as follows (from 469 left to right): 471 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 472 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 473 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 474 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 475 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 476 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 477 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 478 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 479 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 480 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 481 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 482 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 483 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 484 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 485 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 486 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 487 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 488 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 489 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 490 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 492 6. Computing the Message Digest 494 The output of each of the secure hash functions, after being applied 495 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 496 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 497 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 498 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 500 As described below, the hash words are initialized, modified as each 501 message block is processed, and finally concatenated after processing 502 the last block to yield the output. For SHA-256 and SHA-512, all of 503 the H(N) variables are concatenated while the SHA-224 and SHA-384 504 hashes are produced by omitting some from the final concatenation. 506 6.1 SHA-224 and SHA-256 Initialization 508 For SHA-224, the initial hash value, H(0), consists of the following 509 32-bit words in hex: 511 H(0)0 = c1059ed8 512 H(0)1 = 367cd507 513 H(0)2 = 3070dd17 514 H(0)3 = f70e5939 515 H(0)4 = ffc00b31 516 H(0)5 = 68581511 517 H(0)6 = 64f98fa7 518 H(0)7 = befa4fa4 520 For SHA-256, the initial hash value, H(0), consists of the following 521 eight 32-bit words, in hex. These words were obtained by taking the 522 first thirty-two bits of the fractional parts of the square roots of 523 the first eight prime numbers. 525 H(0)0 = 6a09e667 526 H(0)1 = bb67ae85 527 H(0)2 = 3c6ef372 528 H(0)3 = a54ff53a 529 H(0)4 = 510e527f 530 H(0)5 = 9b05688c 531 H(0)6 = 1f83d9ab 532 H(0)7 = 5be0cd19 534 6.2 SHA-224 and SHA-256 Processing 536 SHA-224 and SHA-256 perform identical processing on messages blocks 537 and differ only in how H(0) is initialized and how they produce their 538 final output. They may be used to hash a message, M, having a length 539 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 540 schedule of sixty-four 32-bit words, (2) eight working variables of 541 32 bits each, and (3) a hash value of eight 32-bit words. 543 The words of the message schedule are labeled W0, W1, ..., W63. The 544 eight working variables are labeled a, b, c, d, e, f, g, and h. The 545 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 546 will hold the initial hash value, H(0), replaced by each successive 547 intermediate hash value (after each message block is processed), 548 H(i), and ending with the final hash value, H(N), after all N blocks 549 are processed. They also use two temporary words, T1 and T2. 551 The input message is padded as described in Section 4.1 above then 552 parsed into 512-bit blocks that are considered to be composed of 16 553 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 554 are then performed for each of the N message blocks. All addition is 555 performed modulo 2^32. 557 For i = 1 to N 559 1. Prepare the message schedule W: 560 For t = 0 to 15 561 Wt = M(i)t 562 For t = 16 to 63 563 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 565 2. Initialize the working variables: 566 a = H(i-1)0 567 b = H(i-1)1 568 c = H(i-1)2 569 d = H(i-1)3 570 e = H(i-1)4 571 f = H(i-1)5 572 g = H(i-1)6 573 h = H(i-1)7 575 3. Perform the main hash computation: 576 For t = 0 to 63 577 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 578 T2 = BSIG0(a) + MAJ(a,b,c) 579 h = g 580 g = f 581 f = e 582 e = d + T1 583 d = c 584 c = b 585 b = a 586 a = T1 + T2 588 4. Compute the intermediate hash value H(i) 589 H(i)0 = a + H(i-1)0 590 H(i)1 = b + H(i-1)1 591 H(i)2 = c + H(i-1)2 592 H(i)3 = d + H(i-1)3 593 H(i)4 = e + H(i-1)4 594 H(i)5 = f + H(i-1)5 595 H(i)6 = g + H(i-1)6 596 H(i)7 = h + H(i-1)7 598 After the above computations have been sequentially performed for all 599 of the blocks in the message, the final output is calculated. For 600 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 601 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 602 through H(N)6. 604 6.3 SHA-384 and SHA-512 Initialization 606 For SHA-384, the initial hash value, H(0), consists of the following 607 eight 64-bit words, in hex. These words were obtained by taking the 608 first sixty-four bits of the fractional parts of the square roots of 609 the ninth through sixteenth prime numbers. 611 H(0)0 = cbbb9d5dc1059ed8 612 H(0)1 = 629a292a367cd507 613 H(0)2 = 9159015a3070dd17 614 H(0)3 = 152fecd8f70e5939 615 H(0)4 = 67332667ffc00b31 616 H(0)5 = 8eb44a8768581511 617 H(0)6 = db0c2e0d64f98fa7 618 H(0)7 = 47b5481dbefa4fa4 620 For SHA-512, the initial hash value, H(0), consists of the following 621 eight 64-bit words, in hex. These words were obtained by taking the 622 first sixty-four bits of the fractional parts of the square roots of 623 the first eight prime numbers. 625 H(0)0 = 6a09e667f3bcc908 626 H(0)1 = bb67ae8584caa73b 627 H(0)2 = 3c6ef372fe94f82b 628 H(0)3 = a54ff53a5f1d36f1 629 H(0)4 = 510e527fade682d1 630 H(0)5 = 9b05688c2b3e6c1f 631 H(0)6 = 1f83d9abfb41bd6b 632 H(0)7 = 5be0cd19137e2179 634 6.4 SHA-384 and SHA-512 Processing 636 SHA-384 and SHA-512 perform identical processing on message blocks 637 and differ only in how H(0) is initialized and how they produce their 638 final output. They may be used to hash a message, M, having a length 639 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 640 schedule of eighty 64-bit words, (2) eight working variables of 64 641 bits each, and (3) a hash value of eight 64-bit words. 643 The words of the message schedule are labeled W0, W1, ..., W79. The 644 eight working variables are labeled a, b, c, d, e, f, g, and h. The 645 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 646 will hold the initial hash value, H(0), replaced by each successive 647 intermediate hash value (after each message block is processed), 648 H(i), and ending with the final hash value, H(N) after all N blocks 649 are processed. 651 The input message is padded as described in Section 4.2 above, then 652 parsed into 1024-bit blocks that are considered to be composed of 16 653 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 654 are then performed for each of the N message blocks. All addition is 655 performed modulo 2^64. 657 For i = 1 to N 659 1. Prepare the message schedule W: 660 For t = 0 to 15 661 Wt = M(i)t 662 For t = 16 to 79 663 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 665 2. Initialize the working variables: 666 a = H(i-1)0 667 b = H(i-1)1 668 c = H(i-1)2 669 d = H(i-1)3 670 e = H(i-1)4 671 f = H(i-1)5 672 g = H(i-1)6 673 h = H(i-1)7 675 3. Perform the main hash computation: 676 For t = 0 to 79 677 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 678 T2 = BSIG0(a) + MAJ(a,b,c) 679 h = g 680 g = f 681 f = e 682 e = d + T1 683 d = c 684 c = b 685 b = a 686 a = T1 + T2 688 4. Compute the intermediate hash value H(i) 689 H(i)0 = a + H(i-1)0 690 H(i)1 = b + H(i-1)1 691 H(i)2 = c + H(i-1)2 692 H(i)3 = d + H(i-1)3 693 H(i)4 = e + H(i-1)4 694 H(i)5 = f + H(i-1)5 695 H(i)6 = g + H(i-1)6 696 H(i)7 = h + H(i-1)7 698 After the above computations have been sequentially performed for all 699 of the blocks in the message, the final output is calculated. For 700 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 701 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 702 through H(N)5. 704 7. HKDF and SHA Based HMACs 706 Below are brief descriptions and pointers to more complete 707 descriptions and code for (1) an HMAC-based extract-and-expand key 708 derivation function and (2) SHA based HMACs. Both HKDF and HMAC were 709 devised by Hugo Krawczyk. 711 7.1 SHA Based HMACs 713 HMAC is a method for computing a keyed MAC (message authentication 714 code) using a hash function as described in [RFC2104]. It uses a key 715 to mix in with the input text to produce the final hash. 717 Sample code is also provided, in Section 8.3 below, to perform HMAC 718 based on any of the SHA algorithms described herein. The sample code 719 found in [RFC2104] was written in terms of a specified text size. 720 Since SHA is defined in terms of an arbitrary number of bits, the 721 sample HMAC code has been written to allow the text input to HMAC to 722 have an arbitrary number of octets and bits. A fixed length interface 723 is also provided. 725 7.2 HKDF 727 HKDF is a specific key derivation function (KDF), that is, a function 728 of initial keying material from which the KDF derives one or more 729 cryptographically strong secret keys. HKDF, which is described in 730 [RFChkdf], is based on HMAC. 732 Sample code for HKDF is provided in Section 8.4 below. 734 8. C Code for SHAs, HMAC, and HKDF 736 Below is a demonstration implementation of these secure hash 737 functions in C. Section 8.1 contains the header file sha.h that 738 declares all constants, structures and functions used by the sha and 739 hmac functions. Section 8.2 contains the C code for sha1.c, 740 sha224-256.c, sha384-512.c, and usha.c along with sha-private.h that 741 provides some declarations common to all the sha functions. Section 742 8.3 contains the C code for the HMAC functions and Section 8.4 743 contains the C code for HKDF. Section 8.5 contains a test driver to 744 exercise the code. 746 For each of the digest length $$$, there are the following set of 747 constants, a structure, and functions: 749 Constants: 750 SHA$$$HashSize number of octets in the hash 751 SHA$$$HashSizeBits number of bits in the hash 752 SHA$$$_Message_Block_Size 753 number of octets used in the intermediate 754 message blocks 755 shaSuccess = 0 constant returned by each function on success 756 shaNull = 1 constant returned by each function when 757 presented with a null pointer parameter 758 shaInputTooLong = 2 constant returned by each function when the 759 input data is too long 760 shaStateError = 3 constant returned by each function when 761 SHA$$$Input is called after SHA$$$FinalBits or 762 SHA$$$Result. 764 Structure: 765 typedef SHA$$$Context 766 an opaque structure holding the complete state 767 for producing the hash 769 Functions: 770 int SHA$$$Reset(SHA$$$Context *context); 771 Reset the hash context state 772 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 773 unsigned int bytecount); 774 Incorporate bytecount octets into the hash. 775 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 776 unsigned int bitcount); 777 Incorporate bitcount bits into the hash. The bits are in the 778 upper portion of the octet. SHA$$$Input() cannot be called 779 after this. 780 int SHA$$$Result(SHA$$$Context *, 781 uint8_t Message_Digest[SHA$$$HashSize]); 782 Do the final calculations on the hash and copy the value 783 into Message_Digest. 785 In addition, functions with the prefix USHA are provided that take a 786 SHAversion value (SHA$$$) to select the SHA function suite. They add 787 the following constants, structure and function: 789 Constants: 790 shaBadParam constant returned by USHA functions when 791 presented with a bad SHAversion (SHA$$$) 792 parameter or other illegal parameter values 793 SHA$$$ SHAversion enumeration values, used by usha, 794 hmac and hkdf functions to select the SHA 795 function suite 797 Structure: 798 typedef USHAContext 799 an opaque structure holding the complete state 800 for producing the hash 802 Functions: 803 int USHAReset(USHAContext *context, SHAversion whichSha); 804 Reset the hash context state. 805 int USHAInput(USHAContext context*, 806 const uint8_t *bytes, unsigned int bytecount); 807 Incorporate bytecount octets into the hash. 808 int USHAFinalBits(USHAContext *context, 809 const uint8_t bits, unsigned int bitcount); 810 Incorporate bitcount bits into the hash. 811 int USHAResult(USHAContext *context, 812 uint8_t Message_Digest[USHAMaxHashSize]); 813 Do the final calculations on the hash and copy the value 814 into Message_Digest. Octets in Message_Digest beyond 815 USHAHashSize(whichSha) are left untouched. 816 int USHAHashSize(enum SHAversion whichSha); 817 The number of octets in the given hash. 818 int USHAHashSizeBits(enum SHAversion whichSha); 819 The number of bits in the given hash. 820 int USHABlockSize(enum SHAversion whichSha); 821 The internal block size for the given hash. 822 const char *USHAHashName(enum SHAversion whichSha); 823 This function will return the name of the given SHA 824 algorithm as a string. 826 The hmac functions follow the same pattern to allow any length of 827 text input to be used. 829 Structures: 830 typedef HMACContext an opaque structure holding the complete state 831 for producing the hash 833 Functions: 834 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 835 const unsigned char *key, int key_len); 836 Reset the hash context state. 837 int hmacInput(HMACContext *ctx, const unsigned char *text, 838 int text_len); 839 Incorporate text_len octets into the hash. 840 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 841 unsigned int bitcount); 842 Incorporate bitcount bits into the hash. 843 int hmacResult(HMACContext *ctx, 844 uint8_t Message_Digest[USHAMaxHashSize]); 845 Do the final calculations on the hash and copy the value 846 into Message_Digest. Octets in Message_Digest beyond 847 USHAHashSize(whichSha) are left untouched. 849 In addition, a combined interface is provided, similar to that shown 850 in [RFC2104], that allows a fixed-length text input to be used. 852 int hmac(SHAversion whichSha, 853 const unsigned char *text, int text_len, 854 const unsigned char *key, int key_len, 855 uint8_t Message_Digest[USHAMaxHashSize]); 856 Calculate the given digest for the given text and key, and 857 return the resulting hash. Octets in Message_Digest beyond 858 USHAHashSize(whichSha) are left untouched. 860 The hkdf functions follow the same pattern to allow any length of 861 text input to be used. 863 Structures: 864 typedef HKDFContext an opaque structure holding the complete state 865 for producing the hash 866 Functions: 867 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 868 const unsigned char *salt, int salt_len) 869 Reset the hash context state and initialize it with the 870 salt_len octets of the optional salt. 871 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 872 int ikm_len) 873 Incorporate ikm_len octets into the hash. 874 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 875 unsigned int ikm_bit_count) 876 Incorporate ikm_bit_count bits into the hash. 877 int hkdfResult(HKDFContext *context, 878 uint8_t prk[USHAMaxHashSize], 879 const unsigned char *info, int info_len, 880 uint8_t okm[ ], int okm_len) 881 Finish the HKDF extraction and perform the final HKDF 882 expansion, storing the okm_len octets into okm. Optionally 883 store the pseudo-random key (prk) that is generated 884 internally. 886 In addition, combined interfaces are provided, similar to that shown 887 in [RFChkdf], that allows a fixed-length text input to be used. 889 int hkdfExtract(SHAversion whichSha, 890 const unsigned char *salt, int salt_len, 891 const unsigned char *ikm, int ikm_len, 892 uint8_t prk[USHAMaxHashSize]) 893 Perform HKDF extraction, combining the salt_len octets of 894 the optional salt with the ikm_len octets of the input 895 keying material (ikm) to form the pseudo-random key prk. 896 The output prk must be large enough to hold the octets 897 appropriate for the given hash type. 899 int hkdfExpand(SHAversion whichSha, 900 const uint8_t prk[ ], int prk_len, 901 const unsigned char *info, int info_len, 902 uint8_t okm[ ], int okm_len) 903 Perform HKDF expansion, combining the prk_len octets of the 904 pseudo-random key prk with the info_len octets of info to 905 form the okm_len octets stored in okm. 907 int hkdf(SHAversion whichSha, 908 const unsigned char *salt, int salt_len, 909 const unsigned char *ikm, int ikm_len, 910 const unsigned char *info, int info_len, 911 uint8_t okm[ ], int okm_len) 912 This combined interface performs both HKDF extraction and 913 expansion. The variables are the same as in hkdfExtract() 914 and hkdfExpand(). 916 8.1 The .h file 918 /**************************** sha.h ****************************/ 919 /***************** See RFC NNNN for details. *******************/ 920 /* 921 Copyright (c) 2010 IETF Trust and the persons identified as 922 authors of the code. All rights reserved. 924 Redistribution and use in source and binary forms, with or without 925 modification, are permitted provided that the following conditions 926 are met: 928 * Redistributions of source code must retain the above copyright 929 notice, this list of conditions and the following disclaimer. 931 * Redistributions in binary form must reproduce the above copyright 932 notice, this list of conditions and the following disclaimer in 933 the documentation and/or other materials provided with the 934 distribution. 936 * Neither the name of Internet Society, IETF or IETF Trust, nor the 937 names of specific contributors, may be used to endorse or promote 938 products derived from this software without specific prior 939 written permission. 941 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 942 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 943 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 944 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 945 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 946 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 947 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 948 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 949 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 950 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 951 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 952 POSSIBILITY OF SUCH DAMAGE. 953 */ 954 #ifndef _SHA_H_ 955 #define _SHA_H_ 957 /* 958 * Description: 959 * This file implements the Secure Hash Algorithms 960 * as defined in the National Institute of Standards 961 * and Technology Federal Information Processing Standards 962 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 963 * published on August 1, 2002, and the FIPS PUB 180-2 Change 964 * Notice published on February 28, 2004. 965 * 966 * A combined document showing all algorithms is available at 967 * http://csrc.nist.gov/publications/fips/ 968 * fips180-2/fips180-2withchangenotice.pdf 969 * 970 * The five hashes are defined in these sizes: 971 * SHA-1 20 byte / 160 bit 972 * SHA-224 28 byte / 224 bit 973 * SHA-256 32 byte / 256 bit 974 * SHA-384 48 byte / 384 bit 975 * SHA-512 64 byte / 512 bit 976 */ 978 #include 979 /* 980 * If you do not have the ISO standard stdint.h header file, then you 981 * must typedef the following: 982 * name meaning 983 * uint64_t unsigned 64 bit integer 984 * uint32_t unsigned 32 bit integer 985 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 986 * int_least16_t integer of >= 16 bits 987 * 988 */ 990 #ifndef _SHA_enum_ 991 #define _SHA_enum_ 992 /* 993 * All SHA functions return one of these values. 994 */ 995 enum { 996 shaSuccess = 0, 997 shaNull, /* Null pointer parameter */ 998 shaInputTooLong, /* input data too long */ 999 shaStateError, /* called Input after FinalBits or Result */ 1000 shaBadParam /* passed a bad parameter */ 1001 }; 1002 #endif /* _SHA_enum_ */ 1004 /* 1005 * These constants hold size information for each of the SHA 1006 * hashing operations 1007 */ 1008 enum { 1009 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1010 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1011 SHA512_Message_Block_Size = 128, 1012 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1014 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1015 SHA384HashSize = 48, SHA512HashSize = 64, 1016 USHAMaxHashSize = SHA512HashSize, 1018 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1019 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1020 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1021 }; 1023 /* 1024 * These constants are used in the USHA (unified sha) functions. 1025 */ 1026 typedef enum SHAversion { 1027 SHA1, SHA224, SHA256, SHA384, SHA512 1028 } SHAversion; 1030 /* 1031 * This structure will hold context information for the SHA-1 1032 * hashing operation. 1033 */ 1034 typedef struct SHA1Context { 1035 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1037 uint32_t Length_Low; /* Message length in bits */ 1038 uint32_t Length_High; /* Message length in bits */ 1040 int_least16_t Message_Block_Index; /* Message_Block array index */ 1041 /* 512-bit message blocks */ 1042 uint8_t Message_Block[SHA1_Message_Block_Size]; 1044 int Computed; /* Is the digest computed? */ 1045 int Corrupted; /* Is the digest corrupted? */ 1046 } SHA1Context; 1048 /* 1049 * This structure will hold context information for the SHA-256 1050 * hashing operation. 1051 */ 1052 typedef struct SHA256Context { 1053 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1055 uint32_t Length_Low; /* Message length in bits */ 1056 uint32_t Length_High; /* Message length in bits */ 1058 int_least16_t Message_Block_Index; /* Message_Block array index */ 1059 /* 512-bit message blocks */ 1060 uint8_t Message_Block[SHA256_Message_Block_Size]; 1062 int Computed; /* Is the digest computed? */ 1063 int Corrupted; /* Is the digest corrupted? */ 1064 } SHA256Context; 1066 /* 1067 * This structure will hold context information for the SHA-512 1068 * hashing operation. 1069 */ 1070 typedef struct SHA512Context { 1071 #ifdef USE_32BIT_ONLY 1072 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1073 uint32_t Length[4]; /* Message length in bits */ 1074 #else /* !USE_32BIT_ONLY */ 1075 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1076 uint64_t Length_Low, Length_High; /* Message length in bits */ 1077 #endif /* USE_32BIT_ONLY */ 1079 int_least16_t Message_Block_Index; /* Message_Block array index */ 1080 /* 1024-bit message blocks */ 1082 uint8_t Message_Block[SHA512_Message_Block_Size]; 1084 int Computed; /* Is the digest computed?*/ 1085 int Corrupted; /* Is the digest corrupted? */ 1086 } SHA512Context; 1088 /* 1089 * This structure will hold context information for the SHA-224 1090 * hashing operation. It uses the SHA-256 structure for computation. 1091 */ 1092 typedef struct SHA256Context SHA224Context; 1094 /* 1095 * This structure will hold context information for the SHA-384 1096 * hashing operation. It uses the SHA-512 structure for computation. 1097 */ 1098 typedef struct SHA512Context SHA384Context; 1100 /* 1101 * This structure holds context information for all SHA 1102 * hashing operations. 1103 */ 1104 typedef struct USHAContext { 1105 int whichSha; /* which SHA is being used */ 1106 union { 1107 SHA1Context sha1Context; 1108 SHA224Context sha224Context; SHA256Context sha256Context; 1109 SHA384Context sha384Context; SHA512Context sha512Context; 1110 } ctx; 1111 } USHAContext; 1113 /* 1114 * This structure will hold context information for the HMAC 1115 * keyed hashing operation. 1116 */ 1117 typedef struct HMACContext { 1118 int whichSha; /* which SHA is being used */ 1119 int hashSize; /* hash size of SHA being used */ 1120 int blockSize; /* block size of SHA being used */ 1121 USHAContext shaContext; /* SHA context */ 1122 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1123 /* outer padding - key XORd with opad */ 1124 int Computed; /* Is the digest computed? */ 1125 int Corrupted; /* Is the digest corrupted? */ 1126 } HMACContext; 1128 /* 1129 * This structure will hold context information for the HKDF 1130 * Extract-and-Expand Key Derivation functions. 1132 */ 1133 typedef struct HKDFContext { 1134 int whichSha; /* which SHA is being used */ 1135 HMACContext hmacContext; 1136 int hashSize; /* hash size of SHA being used */ 1137 unsigned char prk[USHAMaxHashSize]; 1138 /* Pseudo Random Key - output of hkdfInput */ 1139 int Computed; /* Is the digest computed? */ 1140 int Corrupted; /* Is the digest corrupted? */ 1141 } HKDFContext; 1143 /* 1144 * Function Prototypes 1145 */ 1147 /* SHA-1 */ 1148 extern int SHA1Reset(SHA1Context *); 1149 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1150 unsigned int bytecount); 1151 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1152 unsigned int bit_count); 1153 extern int SHA1Result(SHA1Context *, 1154 uint8_t Message_Digest[SHA1HashSize]); 1156 /* SHA-224 */ 1157 extern int SHA224Reset(SHA224Context *); 1158 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1159 unsigned int bytecount); 1160 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1161 unsigned int bit_count); 1162 extern int SHA224Result(SHA224Context *, 1163 uint8_t Message_Digest[SHA224HashSize]); 1165 /* SHA-256 */ 1166 extern int SHA256Reset(SHA256Context *); 1167 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1168 unsigned int bytecount); 1169 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1170 unsigned int bit_count); 1171 extern int SHA256Result(SHA256Context *, 1172 uint8_t Message_Digest[SHA256HashSize]); 1174 /* SHA-384 */ 1175 extern int SHA384Reset(SHA384Context *); 1176 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1177 unsigned int bytecount); 1178 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1179 unsigned int bit_count); 1180 extern int SHA384Result(SHA384Context *, 1181 uint8_t Message_Digest[SHA384HashSize]); 1183 /* SHA-512 */ 1184 extern int SHA512Reset(SHA512Context *); 1185 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1186 unsigned int bytecount); 1187 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1188 unsigned int bit_count); 1189 extern int SHA512Result(SHA512Context *, 1190 uint8_t Message_Digest[SHA512HashSize]); 1192 /* Unified SHA functions, chosen by whichSha */ 1193 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1194 extern int USHAInput(USHAContext *context, 1195 const uint8_t *bytes, unsigned int bytecount); 1196 extern int USHAFinalBits(USHAContext *context, 1197 uint8_t bits, unsigned int bit_count); 1198 extern int USHAResult(USHAContext *context, 1199 uint8_t Message_Digest[USHAMaxHashSize]); 1200 extern int USHABlockSize(enum SHAversion whichSha); 1201 extern int USHAHashSize(enum SHAversion whichSha); 1202 extern int USHAHashSizeBits(enum SHAversion whichSha); 1203 extern const char *USHAHashName(enum SHAversion whichSha); 1205 /* 1206 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1207 * for all SHAs. 1208 * This interface allows a fixed-length text input to be used. 1209 */ 1210 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1211 const unsigned char *text, /* pointer to data stream */ 1212 int text_len, /* length of data stream */ 1213 const unsigned char *key, /* pointer to authentication key */ 1214 int key_len, /* length of authentication key */ 1215 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1217 /* 1218 * HMAC Keyed-Hashing for Message Authentication, RFC2104, 1219 * for all SHAs. 1220 * This interface allows any length of text input to be used. 1221 */ 1222 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1223 const unsigned char *key, int key_len); 1224 extern int hmacInput(HMACContext *context, const unsigned char *text, 1225 int text_len); 1226 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1227 unsigned int bit_count); 1228 extern int hmacResult(HMACContext *context, 1229 uint8_t digest[USHAMaxHashSize]); 1231 /* 1232 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1233 * RFCXXXX, for all SHAs. 1234 */ 1235 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1236 int salt_len, const unsigned char *ikm, int ikm_len, 1237 const unsigned char *info, int info_len, 1238 uint8_t okm[ ], int okm_len); 1239 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1240 int salt_len, const unsigned char *ikm, 1241 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1242 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1243 int prk_len, const unsigned char *info, 1244 int info_len, uint8_t okm[ ], int okm_len); 1246 /* 1247 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1248 * RFCXXXX, for all SHAs. 1249 * This interface allows any length of text input to be used. 1250 */ 1251 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1252 const unsigned char *salt, int salt_len); 1253 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1254 int ikm_len); 1255 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1256 unsigned int ikm_bit_count); 1257 extern int hkdfResult(HKDFContext *context, 1258 uint8_t prk[USHAMaxHashSize], 1259 const unsigned char *info, int info_len, 1260 uint8_t okm[USHAMaxHashSize], int okm_len); 1262 #endif /* _SHA_H_ */ 1264 8.2 The SHA Code 1266 This code is primarily intended as expository and could be optimized 1267 further. For example, the assignment rotations through the variables 1268 a, b, ..., h could be treated as a cycle and the loop unrolled, 1269 rather than doing the explicit copying. 1271 Note that there are alternative representations of the Ch() and Maj() 1272 functions controlled by an ifdef. 1274 8.2.1 sha1.c 1276 /**************************** sha1.c ***************************/ 1277 /***************** See RFC NNNN for details. *******************/ 1278 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1279 /* authors of the code. All rights reserved. */ 1280 /* See sha.h for terms of use and redistribution. */ 1282 /* 1283 * Description: 1284 * This file implements the Secure Hash Algorithm SHA-1 1285 * as defined in the National Institute of Standards 1286 * and Technology Federal Information Processing Standards 1287 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 1288 * published on August 1, 2002, and the FIPS PUB 180-2 Change 1289 * Notice published on February 28, 2004. 1290 * 1291 * A combined document showing all algorithms is available at 1292 * http://csrc.nist.gov/publications/fips/ 1293 * fips180-2/fips180-2withchangenotice.pdf 1294 * 1295 * The SHA-1 algorithm produces a 160-bit message digest for a 1296 * given data stream. It should take about 2**n steps to find a 1297 * message with the same digest as a given message and 1298 * 2**(n/2) to find any two messages with the same digest, 1299 * when n is the digest size in bits. Therefore, this 1300 * algorithm can serve as a means of providing a 1301 * "fingerprint" for a message. 1302 * 1303 * Portability Issues: 1304 * SHA-1 is defined in terms of 32-bit "words". This code 1305 * uses (included via "sha.h") to define 32 and 8 1306 * bit unsigned integer types. If your C compiler does not 1307 * support 32 bit unsigned integers, this code is not 1308 * appropriate. 1309 * 1310 * Caveats: 1311 * SHA-1 is designed to work with messages less than 2^64 bits 1312 * long. This implementation uses SHA1Input() to hash the bits 1313 * that are a multiple of the size of an 8-bit octet, and then 1314 * optionally uses SHA1FinalBits() to hash the final few bits of 1315 * the input. 1316 */ 1318 #include "sha.h" 1319 #include "sha-private.h" 1321 /* 1322 * Define the SHA1 circular left shift macro 1323 */ 1325 #define SHA1_ROTL(bits,word) \ 1326 (((word) << (bits)) | ((word) >> (32-(bits)))) 1328 /* 1329 * Add "length" to the length. 1330 * Set Corrupted when overflow has occurred. 1331 */ 1332 static uint32_t addTemp; 1333 #define SHA1AddLength(context, length) \ 1334 (addTemp = (context)->Length_Low, \ 1335 (context)->Corrupted = \ 1336 (((context)->Length_Low += (length)) < addTemp) && \ 1337 (++(context)->Length_High == 0) ? shaInputTooLong \ 1338 : shaSuccess ) 1340 /* Local Function Prototypes */ 1341 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1342 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1343 static void SHA1ProcessMessageBlock(SHA1Context *context); 1345 /* 1346 * SHA1Reset 1347 * 1348 * Description: 1349 * This function will initialize the SHA1Context in preparation 1350 * for computing a new SHA1 message digest. 1351 * 1352 * Parameters: 1353 * context: [in/out] 1354 * The context to reset. 1355 * 1356 * Returns: 1357 * sha Error Code. 1358 * 1359 */ 1360 int SHA1Reset(SHA1Context *context) 1361 { 1362 if (!context) 1363 return shaNull; 1365 context->Length_Low = 0; 1366 context->Length_High = 0; 1367 context->Message_Block_Index = 0; 1369 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ 1370 context->Intermediate_Hash[0] = 0x67452301; 1371 context->Intermediate_Hash[1] = 0xEFCDAB89; 1372 context->Intermediate_Hash[2] = 0x98BADCFE; 1373 context->Intermediate_Hash[3] = 0x10325476; 1374 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1375 context->Computed = 0; 1376 context->Corrupted = 0; 1378 return shaSuccess; 1379 } 1381 /* 1382 * SHA1Input 1383 * 1384 * Description: 1385 * This function accepts an array of octets as the next portion 1386 * of the message. 1387 * 1388 * Parameters: 1389 * context: [in/out] 1390 * The SHA context to update 1391 * message_array: [in] 1392 * An array of octets representing the next portion of 1393 * the message. 1394 * length: [in] 1395 * The length of the message in message_array 1396 * 1397 * Returns: 1398 * sha Error Code. 1399 * 1400 */ 1401 int SHA1Input(SHA1Context *context, 1402 const uint8_t *message_array, unsigned length) 1403 { 1404 if (!length) 1405 return shaSuccess; 1407 if (!context || !message_array) 1408 return shaNull; 1410 if (context->Computed) return context->Corrupted = shaStateError; 1411 if (context->Corrupted) return context->Corrupted; 1413 while (length-- && !context->Corrupted) { 1414 context->Message_Block[context->Message_Block_Index++] = 1415 (*message_array & 0xFF); 1417 if ((SHA1AddLength(context, 8) == shaSuccess) && 1418 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1419 SHA1ProcessMessageBlock(context); 1421 message_array++; 1422 } 1424 return context->Corrupted; 1426 } 1428 /* 1429 * SHA1FinalBits 1430 * 1431 * Description: 1432 * This function will add in any final bits of the message. 1433 * 1434 * Parameters: 1435 * context: [in/out] 1436 * The SHA context to update 1437 * message_bits: [in] 1438 * The final bits of the message, in the upper portion of the 1439 * byte. (Use 0b###00000 instead of 0b00000### to input the 1440 * three bits ###.) 1441 * length: [in] 1442 * The number of bits in message_bits, between 1 and 7. 1443 * 1444 * Returns: 1445 * sha Error Code. 1446 */ 1447 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1448 unsigned int length) 1449 { 1450 uint8_t masks[8] = { 1451 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1452 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1453 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1454 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1455 }; 1456 uint8_t markbit[8] = { 1457 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1458 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1459 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1460 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1461 }; 1463 if (!length) 1464 return shaSuccess; 1466 if (!context) 1467 return shaNull; 1469 if (context->Computed) return context->Corrupted = shaStateError; 1471 if ((length >= 8) || (length == 0)) 1472 return context->Corrupted = shaBadParam; 1474 if (context->Corrupted) 1475 return context->Corrupted; 1477 SHA1AddLength(context, length); 1478 SHA1Finalize(context, 1479 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1481 return context->Corrupted; 1482 } 1484 /* 1485 * SHA1Result 1486 * 1487 * Description: 1488 * This function will return the 160-bit message digest 1489 * into the Message_Digest array provided by the caller. 1490 * NOTE: 1491 * The first octet of hash is stored in the element with index 0, 1492 * the last octet of hash in the element with index 19. 1493 * 1494 * Parameters: 1495 * context: [in/out] 1496 * The context to use to calculate the SHA-1 hash. 1497 * Message_Digest: [out] 1498 * Where the digest is returned. 1499 * 1500 * Returns: 1501 * sha Error Code. 1502 * 1503 */ 1504 int SHA1Result(SHA1Context *context, 1505 uint8_t Message_Digest[SHA1HashSize]) 1506 { 1507 int i; 1509 if (!context || !Message_Digest) 1510 return shaNull; 1512 if (context->Corrupted) 1513 return context->Corrupted; 1515 if (!context->Computed) 1516 SHA1Finalize(context, 0x80); 1518 for (i = 0; i < SHA1HashSize; ++i) 1519 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1520 >> 8 * ( 3 - ( i & 0x03 ) )); 1522 return shaSuccess; 1523 } 1525 /* 1526 * SHA1Finalize 1527 * 1528 * Description: 1529 * This helper function finishes off the digest calculations. 1530 * 1531 * Parameters: 1532 * context: [in/out] 1533 * The SHA context to update 1534 * Pad_Byte: [in] 1535 * The last byte to add to the digest before the 0-padding 1536 * and length. This will contain the last bits of the message 1537 * followed by another single bit. If the message was an 1538 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1539 * 1540 * Returns: 1541 * sha Error Code. 1542 * 1543 */ 1544 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1545 { 1546 int i; 1547 SHA1PadMessage(context, Pad_Byte); 1548 /* message may be sensitive, clear it out */ 1549 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1550 context->Message_Block[i] = 0; 1551 context->Length_Low = 0; /* and clear length */ 1552 context->Length_High = 0; 1553 context->Computed = 1; 1554 } 1556 /* 1557 * SHA1PadMessage 1558 * 1559 * Description: 1560 * According to the standard, the message must be padded to the next 1561 * even multiple of 512 bits. The first padding bit must be a '1'. 1562 * The last 64 bits represent the length of the original message. 1563 * All bits in between should be 0. This helper function will pad 1564 * the message according to those rules by filling the Message_Block 1565 * array accordingly. When it returns, it can be assumed that the 1566 * message digest has been computed. 1567 * 1568 * Parameters: 1569 * context: [in/out] 1570 * The context to pad 1571 * Pad_Byte: [in] 1572 * The last byte to add to the digest before the 0-padding 1573 * and length. This will contain the last bits of the message 1574 * followed by another single bit. If the message was an 1575 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1576 * 1577 * Returns: 1578 * Nothing. 1579 */ 1580 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1581 { 1582 /* 1583 * Check to see if the current message block is too small to hold 1584 * the initial padding bits and length. If so, we will pad the 1585 * block, process it, and then continue padding into a second 1586 * block. 1587 */ 1588 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1589 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1590 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1591 context->Message_Block[context->Message_Block_Index++] = 0; 1593 SHA1ProcessMessageBlock(context); 1594 } else 1595 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1597 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1598 context->Message_Block[context->Message_Block_Index++] = 0; 1600 /* 1601 * Store the message length as the last 8 octets 1602 */ 1603 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1604 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1605 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1606 context->Message_Block[59] = (uint8_t) (context->Length_High); 1607 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1608 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1609 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1610 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1612 SHA1ProcessMessageBlock(context); 1613 } 1615 /* 1616 * SHA1ProcessMessageBlock 1617 * 1618 * Description: 1619 * This helper function will process the next 512 bits of the 1620 * message stored in the Message_Block array. 1621 * 1622 * Parameters: 1623 * context: [in/out] 1624 * The SHA context to update 1625 * 1626 * Returns: 1628 * Nothing. 1629 * 1630 * Comments: 1631 * Many of the variable names in this code, especially the 1632 * single character names, were used because those were the 1633 * names used in the publication. 1634 */ 1635 static void SHA1ProcessMessageBlock(SHA1Context *context) 1636 { 1637 /* Constants defined in FIPS-180-2, section 4.2.1 */ 1638 const uint32_t K[4] = { 1639 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1640 }; 1641 int t; /* Loop counter */ 1642 uint32_t temp; /* Temporary word value */ 1643 uint32_t W[80]; /* Word sequence */ 1644 uint32_t A, B, C, D, E; /* Word buffers */ 1646 /* 1647 * Initialize the first 16 words in the array W 1648 */ 1649 for (t = 0; t < 16; t++) { 1650 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1651 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1652 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1653 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1654 } 1656 for (t = 16; t < 80; t++) 1657 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1659 A = context->Intermediate_Hash[0]; 1660 B = context->Intermediate_Hash[1]; 1661 C = context->Intermediate_Hash[2]; 1662 D = context->Intermediate_Hash[3]; 1663 E = context->Intermediate_Hash[4]; 1665 for (t = 0; t < 20; t++) { 1666 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1667 E = D; 1668 D = C; 1669 C = SHA1_ROTL(30,B); 1670 B = A; 1671 A = temp; 1672 } 1674 for (t = 20; t < 40; t++) { 1675 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1676 E = D; 1677 D = C; 1678 C = SHA1_ROTL(30,B); 1679 B = A; 1680 A = temp; 1681 } 1683 for (t = 40; t < 60; t++) { 1684 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1685 E = D; 1686 D = C; 1687 C = SHA1_ROTL(30,B); 1688 B = A; 1689 A = temp; 1690 } 1692 for (t = 60; t < 80; t++) { 1693 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1694 E = D; 1695 D = C; 1696 C = SHA1_ROTL(30,B); 1697 B = A; 1698 A = temp; 1699 } 1701 context->Intermediate_Hash[0] += A; 1702 context->Intermediate_Hash[1] += B; 1703 context->Intermediate_Hash[2] += C; 1704 context->Intermediate_Hash[3] += D; 1705 context->Intermediate_Hash[4] += E; 1707 context->Message_Block_Index = 0; 1708 } 1710 8.2.2 sha224-256.c 1712 /************************* sha224-256.c ************************/ 1713 /***************** See RFC NNNN for details. *******************/ 1714 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1715 /* authors of the code. All rights reserved. */ 1716 /* See sha.h for terms of use and redistribution. */ 1718 /* 1719 * Description: 1720 * This file implements the Secure Hash Algorithms SHA-224 and 1721 * SHA-256 as defined in the National Institute of Standards 1722 * and Technology Federal Information Processing Standards 1723 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 1724 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 1725 * 1726 * A combined document showing all algorithms is available at 1727 * http://csrc.nist.gov/publications/fips/ 1728 * fips180-2/fips180-2withchangenotice.pdf 1729 * 1730 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1731 * message digests for a given data stream. It should take about 1732 * 2**n steps to find a message with the same digest as a given 1733 * message and 2**(n/2) to find any two messages with the same 1734 * digest, when n is the digest size in bits. Therefore, this 1735 * algorithm can serve as a means of providing a 1736 * "fingerprint" for a message. 1737 * 1738 * Portability Issues: 1739 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1740 * This code uses (included via "sha.h") to define 32 1741 * and 8 bit unsigned integer types. If your C compiler does not 1742 * support 32 bit unsigned integers, this code is not 1743 * appropriate. 1744 * 1745 * Caveats: 1746 * SHA-224 and SHA-256 are designed to work with messages less 1747 * than 2^64 bits long. This implementation uses SHA224/256Input() 1748 * to hash the bits that are a multiple of the size of an 8-bit 1749 * octet, and then optionally uses SHA224/256FinalBits() 1750 * to hash the final few bits of the input. 1751 */ 1753 #include "sha.h" 1754 #include "sha-private.h" 1756 /* Define the SHA shift, rotate left and rotate right macro */ 1757 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1758 #define SHA256_ROTL(bits,word) \ 1759 (((word) << (bits)) | ((word) >> (32-(bits)))) 1760 #define SHA256_ROTR(bits,word) \ 1761 (((word) >> (bits)) | ((word) << (32-(bits)))) 1763 /* Define the SHA SIGMA and sigma macros */ 1764 #define SHA256_SIGMA0(word) \ 1765 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1766 #define SHA256_SIGMA1(word) \ 1767 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1768 #define SHA256_sigma0(word) \ 1769 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1770 #define SHA256_sigma1(word) \ 1771 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1773 /* 1774 * Add "length" to the length. 1775 * Set Corrupted when overflow has occurred. 1777 */ 1778 static uint32_t addTemp; 1779 #define SHA224_256AddLength(context, length) \ 1780 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1781 (((context)->Length_Low += (length)) < addTemp) && \ 1782 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1783 shaSuccess ) 1785 /* Local Function Prototypes */ 1786 static void SHA224_256Finalize(SHA256Context *context, 1787 uint8_t Pad_Byte); 1788 static void SHA224_256PadMessage(SHA256Context *context, 1789 uint8_t Pad_Byte); 1790 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1791 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1792 static int SHA224_256ResultN(SHA256Context *context, 1793 uint8_t Message_Digest[ ], int HashSize); 1795 /* Initial Hash Values: FIPS-180-2 Change Notice 1 */ 1796 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1797 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1798 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1799 }; 1801 /* Initial Hash Values: FIPS-180-2 section 5.3.2 */ 1802 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1803 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1804 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1805 }; 1807 /* 1808 * SHA224Reset 1809 * 1810 * Description: 1811 * This function will initialize the SHA224Context in preparation 1812 * for computing a new SHA224 message digest. 1813 * 1814 * Parameters: 1815 * context: [in/out] 1816 * The context to reset. 1817 * 1818 * Returns: 1819 * sha Error Code. 1820 */ 1821 int SHA224Reset(SHA224Context *context) 1822 { 1823 return SHA224_256Reset(context, SHA224_H0); 1824 } 1826 /* 1827 * SHA224Input 1828 * 1829 * Description: 1830 * This function accepts an array of octets as the next portion 1831 * of the message. 1832 * 1833 * Parameters: 1834 * context: [in/out] 1835 * The SHA context to update 1836 * message_array: [in] 1837 * An array of octets representing the next portion of 1838 * the message. 1839 * length: [in] 1840 * The length of the message in message_array 1841 * 1842 * Returns: 1843 * sha Error Code. 1844 * 1845 */ 1846 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1847 unsigned int length) 1848 { 1849 return SHA256Input(context, message_array, length); 1850 } 1852 /* 1853 * SHA224FinalBits 1854 * 1855 * Description: 1856 * This function will add in any final bits of the message. 1857 * 1858 * Parameters: 1859 * context: [in/out] 1860 * The SHA context to update 1861 * message_bits: [in] 1862 * The final bits of the message, in the upper portion of the 1863 * byte. (Use 0b###00000 instead of 0b00000### to input the 1864 * three bits ###.) 1865 * length: [in] 1866 * The number of bits in message_bits, between 1 and 7. 1867 * 1868 * Returns: 1869 * sha Error Code. 1870 */ 1871 int SHA224FinalBits(SHA224Context *context, 1872 uint8_t message_bits, unsigned int length) 1873 { 1874 return SHA256FinalBits(context, message_bits, length); 1875 } 1876 /* 1877 * SHA224Result 1878 * 1879 * Description: 1880 * This function will return the 224-bit message digest 1881 * into the Message_Digest array provided by the caller. 1882 * NOTE: 1883 * The first octet of hash is stored in the element with index 0, 1884 * the last octet of hash in the element with index 27. 1885 * 1886 * Parameters: 1887 * context: [in/out] 1888 * The context to use to calculate the SHA hash. 1889 * Message_Digest: [out] 1890 * Where the digest is returned. 1891 * 1892 * Returns: 1893 * sha Error Code. 1894 */ 1895 int SHA224Result(SHA224Context *context, 1896 uint8_t Message_Digest[SHA224HashSize]) 1897 { 1898 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1899 } 1901 /* 1902 * SHA256Reset 1903 * 1904 * Description: 1905 * This function will initialize the SHA256Context in preparation 1906 * for computing a new SHA256 message digest. 1907 * 1908 * Parameters: 1909 * context: [in/out] 1910 * The context to reset. 1911 * 1912 * Returns: 1913 * sha Error Code. 1914 */ 1915 int SHA256Reset(SHA256Context *context) 1916 { 1917 return SHA224_256Reset(context, SHA256_H0); 1918 } 1920 /* 1921 * SHA256Input 1922 * 1923 * Description: 1924 * This function accepts an array of octets as the next portion 1925 * of the message. 1927 * 1928 * Parameters: 1929 * context: [in/out] 1930 * The SHA context to update 1931 * message_array: [in] 1932 * An array of octets representing the next portion of 1933 * the message. 1934 * length: [in] 1935 * The length of the message in message_array 1936 * 1937 * Returns: 1938 * sha Error Code. 1939 */ 1940 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1941 unsigned int length) 1942 { 1943 if (!length) 1944 return shaSuccess; 1946 if (!context || !message_array) 1947 return shaNull; 1949 if (context->Computed) 1950 return context->Corrupted = shaStateError; 1952 if (context->Corrupted) 1953 return context->Corrupted; 1955 while (length-- && !context->Corrupted) { 1956 context->Message_Block[context->Message_Block_Index++] = 1957 (*message_array & 0xFF); 1959 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 1960 (context->Message_Block_Index == SHA256_Message_Block_Size)) 1961 SHA224_256ProcessMessageBlock(context); 1963 message_array++; 1964 } 1966 return context->Corrupted; 1968 } 1970 /* 1971 * SHA256FinalBits 1972 * 1973 * Description: 1974 * This function will add in any final bits of the message. 1975 * 1976 * Parameters: 1978 * context: [in/out] 1979 * The SHA context to update 1980 * message_bits: [in] 1981 * The final bits of the message, in the upper portion of the 1982 * byte. (Use 0b###00000 instead of 0b00000### to input the 1983 * three bits ###.) 1984 * length: [in] 1985 * The number of bits in message_bits, between 1 and 7. 1986 * 1987 * Returns: 1988 * sha Error Code. 1989 */ 1990 int SHA256FinalBits(SHA256Context *context, 1991 uint8_t message_bits, unsigned int length) 1992 { 1993 uint8_t masks[8] = { 1994 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1995 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1996 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1997 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1998 }; 1999 uint8_t markbit[8] = { 2000 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2001 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2002 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2003 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2004 }; 2006 if (!length) 2007 return shaSuccess; 2009 if (!context) 2010 return shaNull; 2012 if (context->Computed) 2013 return context->Corrupted = shaStateError; 2015 if ((length >= 8) || (length == 0)) 2016 return context->Corrupted = shaBadParam; 2018 if (context->Corrupted) 2019 return context->Corrupted; 2021 SHA224_256AddLength(context, length); 2022 SHA224_256Finalize(context, (uint8_t) 2023 ((message_bits & masks[length]) | markbit[length])); 2025 return context->Corrupted; 2026 } 2027 /* 2028 * SHA256Result 2029 * 2030 * Description: 2031 * This function will return the 256-bit message digest 2032 * into the Message_Digest array provided by the caller. 2033 * NOTE: 2034 * The first octet of hash is stored in the element with index 0, 2035 * the last octet of hash in the element with index 31. 2036 * 2037 * Parameters: 2038 * context: [in/out] 2039 * The context to use to calculate the SHA hash. 2040 * Message_Digest: [out] 2041 * Where the digest is returned. 2042 * 2043 * Returns: 2044 * sha Error Code. 2045 */ 2046 int SHA256Result(SHA256Context *context, 2047 uint8_t Message_Digest[SHA256HashSize]) 2048 { 2049 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2050 } 2052 /* 2053 * SHA224_256Finalize 2054 * 2055 * Description: 2056 * This helper function finishes off the digest calculations. 2057 * 2058 * Parameters: 2059 * context: [in/out] 2060 * The SHA context to update 2061 * Pad_Byte: [in] 2062 * The last byte to add to the digest before the 0-padding 2063 * and length. This will contain the last bits of the message 2064 * followed by another single bit. If the message was an 2065 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2066 * 2067 * Returns: 2068 * sha Error Code. 2069 */ 2070 static void SHA224_256Finalize(SHA256Context *context, 2071 uint8_t Pad_Byte) 2072 { 2073 int i; 2074 SHA224_256PadMessage(context, Pad_Byte); 2075 /* message may be sensitive, so clear it out */ 2076 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2077 context->Message_Block[i] = 0; 2078 context->Length_Low = 0; /* and clear length */ 2079 context->Length_High = 0; 2080 context->Computed = 1; 2081 } 2083 /* 2084 * SHA224_256PadMessage 2085 * 2086 * Description: 2087 * According to the standard, the message must be padded to the next 2088 * even multiple of 512 bits. The first padding bit must be a '1'. 2089 * The last 64 bits represent the length of the original message. 2090 * All bits in between should be 0. This helper function will pad 2091 * the message according to those rules by filling the 2092 * Message_Block array accordingly. When it returns, it can be 2093 * assumed that the message digest has been computed. 2094 * 2095 * Parameters: 2096 * context: [in/out] 2097 * The context to pad 2098 * Pad_Byte: [in] 2099 * The last byte to add to the digest before the 0-padding 2100 * and length. This will contain the last bits of the message 2101 * followed by another single bit. If the message was an 2102 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2103 * 2104 * Returns: 2105 * Nothing. 2106 */ 2107 static void SHA224_256PadMessage(SHA256Context *context, 2108 uint8_t Pad_Byte) 2109 { 2110 /* 2111 * Check to see if the current message block is too small to hold 2112 * the initial padding bits and length. If so, we will pad the 2113 * block, process it, and then continue padding into a second 2114 * block. 2115 */ 2116 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2117 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2118 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2119 context->Message_Block[context->Message_Block_Index++] = 0; 2120 SHA224_256ProcessMessageBlock(context); 2121 } else 2122 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2124 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2125 context->Message_Block[context->Message_Block_Index++] = 0; 2127 /* 2128 * Store the message length as the last 8 octets 2129 */ 2130 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2131 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2132 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2133 context->Message_Block[59] = (uint8_t)(context->Length_High); 2134 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2135 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2136 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2137 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2139 SHA224_256ProcessMessageBlock(context); 2140 } 2142 /* 2143 * SHA224_256ProcessMessageBlock 2144 * 2145 * Description: 2146 * This helper function will process the next 512 bits of the 2147 * message stored in the Message_Block array. 2148 * 2149 * Parameters: 2150 * context: [in/out] 2151 * The SHA context to update 2152 * 2153 * Returns: 2154 * Nothing. 2155 * 2156 * Comments: 2157 * Many of the variable names in this code, especially the 2158 * single character names, were used because those were the 2159 * names used in the publication. 2160 */ 2161 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2162 { 2163 /* Constants defined in FIPS-180-2, section 4.2.2 */ 2164 static const uint32_t K[64] = { 2165 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2166 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2167 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2168 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2169 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2170 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2171 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2172 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2173 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2174 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2175 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2176 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2177 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2178 }; 2179 int t, t4; /* Loop counter */ 2180 uint32_t temp1, temp2; /* Temporary word value */ 2181 uint32_t W[64]; /* Word sequence */ 2182 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2184 /* 2185 * Initialize the first 16 words in the array W 2186 */ 2187 for (t = t4 = 0; t < 16; t++, t4 += 4) 2188 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2189 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2190 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2191 (((uint32_t)context->Message_Block[t4 + 3])); 2193 for (t = 16; t < 64; t++) 2194 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2195 SHA256_sigma0(W[t-15]) + W[t-16]; 2197 A = context->Intermediate_Hash[0]; 2198 B = context->Intermediate_Hash[1]; 2199 C = context->Intermediate_Hash[2]; 2200 D = context->Intermediate_Hash[3]; 2201 E = context->Intermediate_Hash[4]; 2202 F = context->Intermediate_Hash[5]; 2203 G = context->Intermediate_Hash[6]; 2204 H = context->Intermediate_Hash[7]; 2206 for (t = 0; t < 64; t++) { 2207 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2208 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2209 H = G; 2210 G = F; 2211 F = E; 2212 E = D + temp1; 2213 D = C; 2214 C = B; 2215 B = A; 2216 A = temp1 + temp2; 2217 } 2219 context->Intermediate_Hash[0] += A; 2220 context->Intermediate_Hash[1] += B; 2221 context->Intermediate_Hash[2] += C; 2222 context->Intermediate_Hash[3] += D; 2223 context->Intermediate_Hash[4] += E; 2224 context->Intermediate_Hash[5] += F; 2225 context->Intermediate_Hash[6] += G; 2226 context->Intermediate_Hash[7] += H; 2227 context->Message_Block_Index = 0; 2228 } 2230 /* 2231 * SHA224_256Reset 2232 * 2233 * Description: 2234 * This helper function will initialize the SHA256Context in 2235 * preparation for computing a new SHA-224 or SHA-256 message digest. 2236 * 2237 * Parameters: 2238 * context: [in/out] 2239 * The context to reset. 2240 * H0 2241 * The initial hash value to use. 2242 * 2243 * Returns: 2244 * sha Error Code. 2245 */ 2246 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2247 { 2248 if (!context) 2249 return shaNull; 2251 context->Length_Low = 0; 2252 context->Length_High = 0; 2253 context->Message_Block_Index = 0; 2255 context->Intermediate_Hash[0] = H0[0]; 2256 context->Intermediate_Hash[1] = H0[1]; 2257 context->Intermediate_Hash[2] = H0[2]; 2258 context->Intermediate_Hash[3] = H0[3]; 2259 context->Intermediate_Hash[4] = H0[4]; 2260 context->Intermediate_Hash[5] = H0[5]; 2261 context->Intermediate_Hash[6] = H0[6]; 2262 context->Intermediate_Hash[7] = H0[7]; 2264 context->Computed = 0; 2265 context->Corrupted = 0; 2267 return shaSuccess; 2268 } 2270 /* 2271 * SHA224_256ResultN 2272 * 2273 * Description: 2274 * This helper function will return the 224-bit or 256-bit message 2275 * digest into the Message_Digest array provided by the caller. 2276 * NOTE: 2278 * The first octet of hash is stored in the element with index 0, 2279 * the last octet of hash in the element with index 27/31. 2280 * 2281 * Parameters: 2282 * context: [in/out] 2283 * The context to use to calculate the SHA hash. 2284 * Message_Digest: [out] 2285 * Where the digest is returned. 2286 * HashSize: [in] 2287 * The size of the hash, either 28 or 32. 2288 * 2289 * Returns: 2290 * sha Error Code. 2291 */ 2292 static int SHA224_256ResultN(SHA256Context *context, 2293 uint8_t Message_Digest[ ], int HashSize) 2294 { 2295 int i; 2297 if (!context || !Message_Digest) 2298 return shaNull; 2300 if (context->Corrupted) 2301 return context->Corrupted; 2303 if (!context->Computed) 2304 SHA224_256Finalize(context, 0x80); 2306 for (i = 0; i < HashSize; ++i) 2307 Message_Digest[i] = (uint8_t) 2308 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2310 return shaSuccess; 2311 } 2313 8.2.3 sha384-512.c 2315 /************************* sha384-512.c ************************/ 2316 /***************** See RFC NNNN for details. *******************/ 2317 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2318 /* authors of the code. All rights reserved. */ 2319 /* See sha.h for terms of use and redistribution. */ 2321 /* 2322 * Description: 2323 * This file implements the Secure Hash Algorithms SHA-384 and 2324 * SHA-512 as defined in the National Institute of Standards 2325 * and Technology Federal Information Processing Standards 2326 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 2327 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 2328 * 2329 * A combined document showing all algorithms is available at 2330 * http://csrc.nist.gov/publications/fips/ 2331 * fips180-2/fips180-2withchangenotice.pdf 2332 * 2333 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2334 * message digests for a given data stream. It should take about 2335 * 2**n steps to find a message with the same digest as a given 2336 * message and 2**(n/2) to find any two messages with the same 2337 * digest, when n is the digest size in bits. Therefore, this 2338 * algorithm can serve as a means of providing a 2339 * "fingerprint" for a message. 2340 * 2341 * Portability Issues: 2342 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2343 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2344 * terms of 32-bit "words". This code uses (included 2345 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2346 * types. If your C compiler does not support 64 bit unsigned 2347 * integers, and you do not #define USE_32BIT_ONLY, this code is 2348 * not appropriate. 2349 * 2350 * Caveats: 2351 * SHA-384 and SHA-512 are designed to work with messages less 2352 * than 2^128 bits long. This implementation uses SHA384/512Input() 2353 * to hash the bits that are a multiple of the size of an 8-bit 2354 * octet, and then optionally uses SHA384/256FinalBits() 2355 * to hash the final few bits of the input. 2356 * 2357 */ 2359 #include "sha.h" 2360 #include "sha-private.h" 2362 #ifdef USE_32BIT_ONLY 2363 /* 2364 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2365 * Each 64-bit number is represented in a 2-word array. 2366 * All macros are defined such that the result is the last parameter. 2367 */ 2369 /* 2370 * Define shift, rotate left and rotate right functions 2371 */ 2372 #define SHA512_SHR(bits, word, ret) ( \ 2373 /* (((uint64_t)((word))) >> (bits)) */ \ 2374 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2375 ((word)[0] >> (bits)) : 0, \ 2377 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2378 ((bits) == 32) ? (word)[0] : \ 2379 ((bits) >= 0) ? \ 2380 (((word)[0] << (32 - (bits))) | \ 2381 ((word)[1] >> (bits))) : 0 ) 2383 #define SHA512_SHL(bits, word, ret) ( \ 2384 /* (((uint64_t)(word)) << (bits)) */ \ 2385 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2386 ((bits) == 32) ? (word)[1] : \ 2387 ((bits) >= 0) ? \ 2388 (((word)[0] << (bits)) | \ 2389 ((word)[1] >> (32 - (bits)))) : \ 2390 0, \ 2391 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2392 ((word)[1] << (bits)) : 0 ) 2394 /* 2395 * Define 64-bit OR 2396 */ 2397 #define SHA512_OR(word1, word2, ret) ( \ 2398 (ret)[0] = (word1)[0] | (word2)[0], \ 2399 (ret)[1] = (word1)[1] | (word2)[1] ) 2401 /* 2402 * Define 64-bit XOR 2403 */ 2404 #define SHA512_XOR(word1, word2, ret) ( \ 2405 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2406 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2408 /* 2409 * Define 64-bit AND 2410 */ 2411 #define SHA512_AND(word1, word2, ret) ( \ 2412 (ret)[0] = (word1)[0] & (word2)[0], \ 2413 (ret)[1] = (word1)[1] & (word2)[1] ) 2415 /* 2416 * Define 64-bit TILDA 2417 */ 2418 #define SHA512_TILDA(word, ret) \ 2419 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2421 /* 2422 * Define 64-bit ADD 2423 */ 2424 #define SHA512_ADD(word1, word2, ret) ( \ 2425 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2426 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2428 /* 2429 * Add the 4word value in word2 to word1. 2430 */ 2431 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2432 #define SHA512_ADDTO4(word1, word2) ( \ 2433 ADDTO4_temp = (word1)[3], \ 2434 (word1)[3] += (word2)[3], \ 2435 ADDTO4_temp2 = (word1)[2], \ 2436 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2437 ADDTO4_temp = (word1)[1], \ 2438 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2439 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2441 /* 2442 * Add the 2word value in word2 to word1. 2443 */ 2444 static uint32_t ADDTO2_temp; 2445 #define SHA512_ADDTO2(word1, word2) ( \ 2446 ADDTO2_temp = (word1)[1], \ 2447 (word1)[1] += (word2)[1], \ 2448 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2450 /* 2451 * SHA rotate ((word >> bits) | (word << (64-bits))) 2452 */ 2453 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2454 #define SHA512_ROTR(bits, word, ret) ( \ 2455 SHA512_SHR((bits), (word), ROTR_temp1), \ 2456 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2457 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2459 /* 2460 * Define the SHA SIGMA and sigma macros 2461 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2462 */ 2463 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2464 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2465 #define SHA512_SIGMA0(word, ret) ( \ 2466 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2467 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2468 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2469 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2470 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2472 /* 2473 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2474 */ 2475 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2476 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2477 #define SHA512_SIGMA1(word, ret) ( \ 2478 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2479 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2480 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2481 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2482 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2484 /* 2485 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2486 */ 2487 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2488 sigma0_temp3[2], sigma0_temp4[2]; 2489 #define SHA512_sigma0(word, ret) ( \ 2490 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2491 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2492 SHA512_SHR( 7, (word), sigma0_temp3), \ 2493 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2494 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2496 /* 2497 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2498 */ 2499 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2500 sigma1_temp3[2], sigma1_temp4[2]; 2501 #define SHA512_sigma1(word, ret) ( \ 2502 SHA512_ROTR(19, (word), sigma1_temp1), \ 2503 SHA512_ROTR(61, (word), sigma1_temp2), \ 2504 SHA512_SHR( 6, (word), sigma1_temp3), \ 2505 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2506 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2508 #undef SHA_Ch 2509 #undef SHA_Maj 2511 #ifndef USE_MODIFIED_MACROS 2512 /* 2513 * These definitions are the ones used in FIPS-180-2, section 4.1.3 2514 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2515 */ 2516 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2517 #define SHA_Ch(x, y, z, ret) ( \ 2518 SHA512_AND(x, y, Ch_temp1), \ 2519 SHA512_TILDA(x, Ch_temp2), \ 2520 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2521 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2523 /* 2524 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2525 */ 2526 static uint32_t Maj_temp1[2], Maj_temp2[2], 2527 Maj_temp3[2], Maj_temp4[2]; 2529 #define SHA_Maj(x, y, z, ret) ( \ 2530 SHA512_AND(x, y, Maj_temp1), \ 2531 SHA512_AND(x, z, Maj_temp2), \ 2532 SHA512_AND(y, z, Maj_temp3), \ 2533 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2534 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2536 #else /* !USE_MODIFIED_MACROS */ 2537 /* 2538 * These definitions are potentially faster equivalents for the ones 2539 * used in FIPS-180-2, section 4.1.3. 2540 * ((x & y) ^ (~x & z)) becomes 2541 * ((x & (y ^ z)) ^ z) 2542 */ 2543 #define SHA_Ch(x, y, z, ret) ( \ 2544 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2545 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2547 /* 2548 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2549 * ((x & (y | z)) | (y & z)) 2550 */ 2551 #define SHA_Maj(x, y, z, ret) ( \ 2552 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2553 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2554 #endif /* USE_MODIFIED_MACROS */ 2556 /* 2557 * Add "length" to the length. 2558 * Set Corrupted when overflow has occurred. 2559 */ 2560 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2561 #define SHA384_512AddLength(context, length) ( \ 2562 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2563 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2564 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2565 ((context)->Length[0] == 0)) ? shaInputTooLong : shaSuccess ) 2567 /* Local Function Prototypes */ 2568 static void SHA384_512Finalize(SHA512Context *context, 2569 uint8_t Pad_Byte); 2570 static void SHA384_512PadMessage(SHA512Context *context, 2571 uint8_t Pad_Byte); 2572 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2573 static int SHA384_512Reset(SHA512Context *context, 2574 uint32_t H0[SHA512HashSize/4]); 2575 static int SHA384_512ResultN( SHA512Context *context, 2576 uint8_t Message_Digest[ ], int HashSize); 2578 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2579 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2580 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2581 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2582 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2583 0xBEFA4FA4 2584 }; 2586 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2587 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2588 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2589 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2590 0x137E2179 2591 }; 2593 #else /* !USE_32BIT_ONLY */ 2595 /* Define the SHA shift, rotate left and rotate right macro */ 2596 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2597 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2598 (((uint64_t)(word)) << (64-(bits)))) 2600 /* Define the SHA SIGMA and sigma macros */ 2601 #define SHA512_SIGMA0(word) \ 2602 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2603 #define SHA512_SIGMA1(word) \ 2604 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2605 #define SHA512_sigma0(word) \ 2606 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2607 #define SHA512_sigma1(word) \ 2608 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2610 /* 2611 * Add "length" to the length. 2612 * Set Corrupted when overflow has occurred. 2613 */ 2614 static uint64_t addTemp; 2615 #define SHA384_512AddLength(context, length) \ 2616 (addTemp = context->Length_Low, context->Corrupted = \ 2617 ((context->Length_Low += length) < addTemp) && \ 2618 (++context->Length_High == 0) ? 1 : 0) 2620 /* Local Function Prototypes */ 2621 static void SHA384_512Finalize(SHA512Context *context, 2622 uint8_t Pad_Byte); 2623 static void SHA384_512PadMessage(SHA512Context *context, 2624 uint8_t Pad_Byte); 2625 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2626 static int SHA384_512Reset(SHA512Context *context, 2627 uint64_t H0[SHA512HashSize/8]); 2628 static int SHA384_512ResultN(SHA512Context *context, 2629 uint8_t Message_Digest[ ], int HashSize); 2631 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2632 static uint64_t SHA384_H0[ ] = { 2633 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2634 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2635 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2636 }; 2637 static uint64_t SHA512_H0[ ] = { 2638 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2639 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2640 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2641 }; 2643 #endif /* USE_32BIT_ONLY */ 2645 /* 2646 * SHA384Reset 2647 * 2648 * Description: 2649 * This function will initialize the SHA384Context in preparation 2650 * for computing a new SHA384 message digest. 2651 * 2652 * Parameters: 2653 * context: [in/out] 2654 * The context to reset. 2655 * 2656 * Returns: 2657 * sha Error Code. 2658 * 2659 */ 2660 int SHA384Reset(SHA384Context *context) 2661 { 2662 return SHA384_512Reset(context, SHA384_H0); 2663 } 2665 /* 2666 * SHA384Input 2667 * 2668 * Description: 2669 * This function accepts an array of octets as the next portion 2670 * of the message. 2671 * 2672 * Parameters: 2673 * context: [in/out] 2674 * The SHA context to update 2675 * message_array: [in] 2676 * An array of octets representing the next portion of 2677 * the message. 2678 * length: [in] 2679 * The length of the message in message_array 2680 * 2681 * Returns: 2682 * sha Error Code. 2683 * 2684 */ 2685 int SHA384Input(SHA384Context *context, 2686 const uint8_t *message_array, unsigned int length) 2687 { 2688 return SHA512Input(context, message_array, length); 2689 } 2691 /* 2692 * SHA384FinalBits 2693 * 2694 * Description: 2695 * This function will add in any final bits of the message. 2696 * 2697 * Parameters: 2698 * context: [in/out] 2699 * The SHA context to update 2700 * message_bits: [in] 2701 * The final bits of the message, in the upper portion of the 2702 * byte. (Use 0b###00000 instead of 0b00000### to input the 2703 * three bits ###.) 2704 * length: [in] 2705 * The number of bits in message_bits, between 1 and 7. 2706 * 2707 * Returns: 2708 * sha Error Code. 2709 * 2710 */ 2711 int SHA384FinalBits(SHA384Context *context, 2712 uint8_t message_bits, unsigned int length) 2713 { 2714 return SHA512FinalBits(context, message_bits, length); 2715 } 2717 /* 2718 * SHA384Result 2719 * 2720 * Description: 2721 * This function will return the 384-bit message digest 2722 * into the Message_Digest array provided by the caller. 2723 * NOTE: 2724 * The first octet of hash is stored in the element with index 0, 2725 * the last octet of hash in the element with index 47. 2726 * 2727 * Parameters: 2728 * context: [in/out] 2729 * The context to use to calculate the SHA hash. 2730 * Message_Digest: [out] 2731 * Where the digest is returned. 2732 * 2733 * Returns: 2734 * sha Error Code. 2735 * 2736 */ 2737 int SHA384Result(SHA384Context *context, 2738 uint8_t Message_Digest[SHA384HashSize]) 2739 { 2740 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2741 } 2743 /* 2744 * SHA512Reset 2745 * 2746 * Description: 2747 * This function will initialize the SHA512Context in preparation 2748 * for computing a new SHA512 message digest. 2749 * 2750 * Parameters: 2751 * context: [in/out] 2752 * The context to reset. 2753 * 2754 * Returns: 2755 * sha Error Code. 2756 * 2757 */ 2758 int SHA512Reset(SHA512Context *context) 2759 { 2760 return SHA384_512Reset(context, SHA512_H0); 2761 } 2763 /* 2764 * SHA512Input 2765 * 2766 * Description: 2767 * This function accepts an array of octets as the next portion 2768 * of the message. 2769 * 2770 * Parameters: 2771 * context: [in/out] 2772 * The SHA context to update 2773 * message_array: [in] 2774 * An array of octets representing the next portion of 2775 * the message. 2776 * length: [in] 2777 * The length of the message in message_array 2778 * 2779 * Returns: 2780 * sha Error Code. 2781 * 2782 */ 2783 int SHA512Input(SHA512Context *context, 2784 const uint8_t *message_array, 2785 unsigned int length) 2786 { 2787 if (!length) 2788 return shaSuccess; 2790 if (!context || !message_array) 2791 return shaNull; 2793 if (context->Computed) 2794 return context->Corrupted = shaStateError; 2796 if (context->Corrupted) 2797 return context->Corrupted; 2799 while (length-- && !context->Corrupted) { 2800 context->Message_Block[context->Message_Block_Index++] = 2801 (*message_array & 0xFF); 2803 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2804 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2805 SHA384_512ProcessMessageBlock(context); 2807 message_array++; 2808 } 2810 return context->Corrupted; 2811 } 2813 /* 2814 * SHA512FinalBits 2815 * 2816 * Description: 2817 * This function will add in any final bits of the message. 2818 * 2819 * Parameters: 2820 * context: [in/out] 2821 * The SHA context to update 2822 * message_bits: [in] 2823 * The final bits of the message, in the upper portion of the 2824 * byte. (Use 0b###00000 instead of 0b00000### to input the 2825 * three bits ###.) 2826 * length: [in] 2827 * The number of bits in message_bits, between 1 and 7. 2828 * 2829 * Returns: 2830 * sha Error Code. 2831 * 2832 */ 2833 int SHA512FinalBits(SHA512Context *context, 2834 uint8_t message_bits, unsigned int length) 2835 { 2836 uint8_t masks[8] = { 2837 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2838 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2839 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2840 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2841 }; 2842 uint8_t markbit[8] = { 2843 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2844 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2845 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2846 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2847 }; 2849 if (!length) 2850 return shaSuccess; 2852 if (!context) 2853 return shaNull; 2855 if (context->Computed) 2856 return context->Corrupted = shaStateError; 2858 if ((length >= 8) || (length == 0)) 2859 return context->Corrupted = shaBadParam; 2861 if (context->Corrupted) 2862 return context->Corrupted; 2864 SHA384_512AddLength(context, length); 2865 SHA384_512Finalize(context, (uint8_t) 2866 ((message_bits & masks[length]) | markbit[length])); 2868 return context->Corrupted; 2869 } 2871 /* 2872 * SHA384_512Finalize 2873 * 2874 * Description: 2875 * This helper function finishes off the digest calculations. 2876 * 2877 * Parameters: 2878 * context: [in/out] 2879 * The SHA context to update 2880 * Pad_Byte: [in] 2881 * The last byte to add to the digest before the 0-padding 2882 * and length. This will contain the last bits of the message 2883 * followed by another single bit. If the message was an 2884 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2885 * 2886 * Returns: 2887 * sha Error Code. 2888 * 2889 */ 2890 static void SHA384_512Finalize(SHA512Context *context, 2891 uint8_t Pad_Byte) 2892 { 2893 int_least16_t i; 2894 SHA384_512PadMessage(context, Pad_Byte); 2895 /* message may be sensitive, clear it out */ 2896 for (i = 0; i < SHA512_Message_Block_Size; ++i) 2897 context->Message_Block[i] = 0; 2898 #ifdef USE_32BIT_ONLY /* and clear length */ 2899 context->Length[0] = context->Length[1] = 0; 2900 context->Length[2] = context->Length[3] = 0; 2901 #else /* !USE_32BIT_ONLY */ 2902 context->Length_Low = 0; 2903 context->Length_High = 0; 2904 #endif /* USE_32BIT_ONLY */ 2905 context->Computed = 1; 2906 } 2908 /* 2909 * SHA512Result 2910 * 2911 * Description: 2912 * This function will return the 512-bit message digest 2913 * into the Message_Digest array provided by the caller. 2914 * NOTE: 2915 * The first octet of hash is stored in the element with index 0, 2916 * the last octet of hash in the element with index 63. 2917 * 2918 * Parameters: 2919 * context: [in/out] 2920 * The context to use to calculate the SHA hash. 2921 * Message_Digest: [out] 2922 * Where the digest is returned. 2923 * 2924 * Returns: 2925 * sha Error Code. 2926 * 2927 */ 2928 int SHA512Result(SHA512Context *context, 2929 uint8_t Message_Digest[SHA512HashSize]) 2930 { 2931 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2932 } 2934 /* 2935 * SHA384_512PadMessage 2936 * 2937 * Description: 2938 * According to the standard, the message must be padded to the next 2939 * even multiple of 1024 bits. The first padding bit must be a '1'. 2940 * The last 128 bits represent the length of the original message. 2941 * All bits in between should be 0. This helper function will 2942 * pad the message according to those rules by filling the 2943 * Message_Block array accordingly. When it returns, it can be 2944 * assumed that the message digest has been computed. 2945 * 2946 * Parameters: 2947 * context: [in/out] 2948 * The context to pad 2949 * Pad_Byte: [in] 2950 * The last byte to add to the digest before the 0-padding 2951 * and length. This will contain the last bits of the message 2952 * followed by another single bit. If the message was an 2953 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2954 * 2955 * Returns: 2956 * Nothing. 2957 * 2958 */ 2959 static void SHA384_512PadMessage(SHA512Context *context, 2960 uint8_t Pad_Byte) 2961 { 2962 /* 2963 * Check to see if the current message block is too small to hold 2964 * the initial padding bits and length. If so, we will pad the 2965 * block, process it, and then continue padding into a second 2966 * block. 2967 */ 2968 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 2969 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2970 while (context->Message_Block_Index < SHA512_Message_Block_Size) 2971 context->Message_Block[context->Message_Block_Index++] = 0; 2973 SHA384_512ProcessMessageBlock(context); 2974 } else 2975 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2977 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 2978 context->Message_Block[context->Message_Block_Index++] = 0; 2980 /* 2981 * Store the message length as the last 16 octets 2982 */ 2983 #ifdef USE_32BIT_ONLY 2984 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 2985 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 2986 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 2987 context->Message_Block[115] = (uint8_t)(context->Length[0]); 2988 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 2989 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 2990 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 2991 context->Message_Block[119] = (uint8_t)(context->Length[1]); 2993 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 2994 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 2995 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 2996 context->Message_Block[123] = (uint8_t)(context->Length[2]); 2997 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 2998 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 2999 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3000 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3001 #else /* !USE_32BIT_ONLY */ 3002 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3003 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3004 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3005 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3006 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3007 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3008 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3009 context->Message_Block[119] = (uint8_t)(context->Length_High); 3011 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3012 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3013 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3014 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3015 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3016 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3017 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3018 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3019 #endif /* USE_32BIT_ONLY */ 3021 SHA384_512ProcessMessageBlock(context); 3022 } 3024 /* 3025 * SHA384_512ProcessMessageBlock 3026 * 3027 * Description: 3028 * This helper function will process the next 1024 bits of the 3029 * message stored in the Message_Block array. 3031 * 3032 * Parameters: 3033 * context: [in/out] 3034 * The SHA context to update 3035 * 3036 * Returns: 3037 * Nothing. 3038 * 3039 * Comments: 3040 * Many of the variable names in this code, especially the 3041 * single character names, were used because those were the 3042 * names used in the publication. 3043 * 3044 * 3045 */ 3046 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 3047 { 3048 /* Constants defined in FIPS-180-2, section 4.2.3 */ 3049 #ifdef USE_32BIT_ONLY 3050 static const uint32_t K[80*2] = { 3051 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 3052 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 3053 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 3054 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 3055 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 3056 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 3057 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 3058 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 3059 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 3060 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 3061 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 3062 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 3063 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 3064 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 3065 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 3066 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 3067 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 3068 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 3069 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 3070 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 3071 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 3072 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 3073 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 3074 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 3075 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 3076 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3077 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3078 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3079 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3080 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3081 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3082 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3083 }; 3084 int t, t2, t8; /* Loop counter */ 3085 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3086 temp3[2], temp4[2], temp5[2]; 3087 uint32_t W[2*80]; /* Word sequence */ 3088 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3089 E[2], F[2], G[2], H[2]; 3091 /* Initialize the first 16 words in the array W */ 3092 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3093 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3094 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3095 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3096 ((((uint32_t)context->Message_Block[t8 + 3]))); 3097 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3098 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3099 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3100 ((((uint32_t)context->Message_Block[t8 + 7]))); 3101 } 3103 for (t = 16; t < 80; t++, t2 += 2) { 3104 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3105 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3106 uint32_t *Wt2 = &W[t2-2*2]; 3107 uint32_t *Wt7 = &W[t2-7*2]; 3108 uint32_t *Wt15 = &W[t2-15*2]; 3109 uint32_t *Wt16 = &W[t2-16*2]; 3110 SHA512_sigma1(Wt2, temp1); 3111 SHA512_ADD(temp1, Wt7, temp2); 3112 SHA512_sigma0(Wt15, temp1); 3113 SHA512_ADD(temp1, Wt16, temp3); 3114 SHA512_ADD(temp2, temp3, &W[t2]); 3115 } 3117 A[0] = context->Intermediate_Hash[0]; 3118 A[1] = context->Intermediate_Hash[1]; 3119 B[0] = context->Intermediate_Hash[2]; 3120 B[1] = context->Intermediate_Hash[3]; 3121 C[0] = context->Intermediate_Hash[4]; 3122 C[1] = context->Intermediate_Hash[5]; 3123 D[0] = context->Intermediate_Hash[6]; 3124 D[1] = context->Intermediate_Hash[7]; 3125 E[0] = context->Intermediate_Hash[8]; 3126 E[1] = context->Intermediate_Hash[9]; 3127 F[0] = context->Intermediate_Hash[10]; 3128 F[1] = context->Intermediate_Hash[11]; 3129 G[0] = context->Intermediate_Hash[12]; 3130 G[1] = context->Intermediate_Hash[13]; 3131 H[0] = context->Intermediate_Hash[14]; 3132 H[1] = context->Intermediate_Hash[15]; 3134 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3135 /* 3136 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3137 */ 3138 SHA512_SIGMA1(E,temp1); 3139 SHA512_ADD(H, temp1, temp2); 3140 SHA_Ch(E,F,G,temp3); 3141 SHA512_ADD(temp2, temp3, temp4); 3142 SHA512_ADD(&K[t2], &W[t2], temp5); 3143 SHA512_ADD(temp4, temp5, temp1); 3144 /* 3145 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3146 */ 3147 SHA512_SIGMA0(A,temp3); 3148 SHA_Maj(A,B,C,temp4); 3149 SHA512_ADD(temp3, temp4, temp2); 3150 H[0] = G[0]; H[1] = G[1]; 3151 G[0] = F[0]; G[1] = F[1]; 3152 F[0] = E[0]; F[1] = E[1]; 3153 SHA512_ADD(D, temp1, E); 3154 D[0] = C[0]; D[1] = C[1]; 3155 C[0] = B[0]; C[1] = B[1]; 3156 B[0] = A[0]; B[1] = A[1]; 3157 SHA512_ADD(temp1, temp2, A); 3158 } 3160 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3161 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3162 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3163 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3164 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3165 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3166 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3167 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3169 #else /* !USE_32BIT_ONLY */ 3170 static const uint64_t K[80] = { 3171 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3172 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3173 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3174 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3175 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3176 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3177 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3178 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3179 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3180 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3181 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3182 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3183 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3184 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3185 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3186 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3187 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3188 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3189 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3190 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3191 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3192 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3193 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3194 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3195 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3196 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3197 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3198 }; 3199 int t, t8; /* Loop counter */ 3200 uint64_t temp1, temp2; /* Temporary word value */ 3201 uint64_t W[80]; /* Word sequence */ 3202 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3204 /* 3205 * Initialize the first 16 words in the array W 3206 */ 3207 for (t = t8 = 0; t < 16; t++, t8 += 8) 3208 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3209 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3210 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3211 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3212 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3213 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3214 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3215 ((uint64_t)(context->Message_Block[t8 + 7])); 3217 for (t = 16; t < 80; t++) 3218 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3219 SHA512_sigma0(W[t-15]) + W[t-16]; 3221 A = context->Intermediate_Hash[0]; 3222 B = context->Intermediate_Hash[1]; 3223 C = context->Intermediate_Hash[2]; 3224 D = context->Intermediate_Hash[3]; 3225 E = context->Intermediate_Hash[4]; 3226 F = context->Intermediate_Hash[5]; 3227 G = context->Intermediate_Hash[6]; 3228 H = context->Intermediate_Hash[7]; 3230 for (t = 0; t < 80; t++) { 3231 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3232 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3233 H = G; 3234 G = F; 3235 F = E; 3236 E = D + temp1; 3237 D = C; 3238 C = B; 3239 B = A; 3240 A = temp1 + temp2; 3241 } 3243 context->Intermediate_Hash[0] += A; 3244 context->Intermediate_Hash[1] += B; 3245 context->Intermediate_Hash[2] += C; 3246 context->Intermediate_Hash[3] += D; 3247 context->Intermediate_Hash[4] += E; 3248 context->Intermediate_Hash[5] += F; 3249 context->Intermediate_Hash[6] += G; 3250 context->Intermediate_Hash[7] += H; 3251 #endif /* USE_32BIT_ONLY */ 3253 context->Message_Block_Index = 0; 3254 } 3256 /* 3257 * SHA384_512Reset 3258 * 3259 * Description: 3260 * This helper function will initialize the SHA512Context in 3261 * preparation for computing a new SHA384 or SHA512 message 3262 * digest. 3263 * 3264 * Parameters: 3265 * context: [in/out] 3266 * The context to reset. 3267 * H0 3268 * The initial hash value to use. 3269 * 3270 * Returns: 3271 * sha Error Code. 3272 * 3273 */ 3274 #ifdef USE_32BIT_ONLY 3275 static int SHA384_512Reset(SHA512Context *context, 3276 uint32_t H0[SHA512HashSize/4]) 3277 #else /* !USE_32BIT_ONLY */ 3278 static int SHA384_512Reset(SHA512Context *context, 3279 uint64_t H0[SHA512HashSize/8]) 3280 #endif /* USE_32BIT_ONLY */ 3281 { 3282 int i; 3283 if (!context) 3284 return shaNull; 3286 context->Message_Block_Index = 0; 3288 #ifdef USE_32BIT_ONLY 3289 context->Length[0] = context->Length[1] = 3290 context->Length[2] = context->Length[3] = 0; 3292 for (i = 0; i < SHA512HashSize/4; i++) 3293 context->Intermediate_Hash[i] = H0[i]; 3294 #else /* !USE_32BIT_ONLY */ 3295 context->Length_High = context->Length_Low = 0; 3297 for (i = 0; i < SHA512HashSize/8; i++) 3298 context->Intermediate_Hash[i] = H0[i]; 3299 #endif /* USE_32BIT_ONLY */ 3301 context->Computed = 0; 3302 context->Corrupted = 0; 3304 return shaSuccess; 3305 } 3307 /* 3308 * SHA384_512ResultN 3309 * 3310 * Description: 3311 * This helper function will return the 384-bit or 512-bit message 3312 * digest into the Message_Digest array provided by the caller. 3313 * NOTE: 3314 * The first octet of hash is stored in the element with index 0, 3315 * the last octet of hash in the element with index 47/63. 3316 * 3317 * Parameters: 3318 * context: [in/out] 3319 * The context to use to calculate the SHA hash. 3320 * Message_Digest: [out] 3321 * Where the digest is returned. 3322 * HashSize: [in] 3323 * The size of the hash, either 48 or 64. 3324 * 3325 * Returns: 3326 * sha Error Code. 3327 * 3328 */ 3329 static int SHA384_512ResultN(SHA512Context *context, 3330 uint8_t Message_Digest[ ], int HashSize) 3332 { 3333 int i; 3334 #ifdef USE_32BIT_ONLY 3335 int i2; 3336 #endif /* USE_32BIT_ONLY */ 3338 if (!context || !Message_Digest) 3339 return shaNull; 3341 if (context->Corrupted) 3342 return context->Corrupted; 3344 if (!context->Computed) 3345 SHA384_512Finalize(context, 0x80); 3347 #ifdef USE_32BIT_ONLY 3348 for (i = i2 = 0; i < HashSize; ) { 3349 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3350 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3351 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3352 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3353 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3354 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3355 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3356 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3357 } 3358 #else /* !USE_32BIT_ONLY */ 3359 for (i = 0; i < HashSize; ++i) 3360 Message_Digest[i] = (uint8_t) 3361 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3362 #endif /* USE_32BIT_ONLY */ 3364 return shaSuccess; 3365 } 3367 8.2.4 usha.c 3369 /**************************** usha.c ***************************/ 3370 /***************** See RFC NNNN for details. *******************/ 3371 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3372 /* authors of the code. All rights reserved. */ 3373 /* See sha.h for terms of use and redistribution. */ 3375 /* 3376 * Description: 3377 * This file implements a unified interface to the SHA algorithms. 3378 */ 3380 #include "sha.h" 3382 /* 3383 * USHAReset 3384 * 3385 * Description: 3386 * This function will initialize the SHA Context in preparation 3387 * for computing a new SHA message digest. 3388 * 3389 * Parameters: 3390 * context: [in/out] 3391 * The context to reset. 3392 * whichSha: [in] 3393 * Selects which SHA reset to call 3394 * 3395 * Returns: 3396 * sha Error Code. 3397 * 3398 */ 3399 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3400 { 3401 if (context) { 3402 context->whichSha = whichSha; 3403 switch (whichSha) { 3404 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3405 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3406 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3407 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3408 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3409 default: return shaBadParam; 3410 } 3411 } else { 3412 return shaNull; 3413 } 3414 } 3416 /* 3417 * USHAInput 3418 * 3419 * Description: 3420 * This function accepts an array of octets as the next portion 3421 * of the message. 3422 * 3423 * Parameters: 3424 * context: [in/out] 3425 * The SHA context to update 3426 * message_array: [in] 3427 * An array of octets representing the next portion of 3428 * the message. 3429 * length: [in] 3430 * The length of the message in message_array 3431 * 3432 * Returns: 3433 * sha Error Code. 3434 * 3435 */ 3436 int USHAInput(USHAContext *context, 3437 const uint8_t *bytes, unsigned int bytecount) 3438 { 3439 if (context) { 3440 switch (context->whichSha) { 3441 case SHA1: 3442 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3443 bytecount); 3444 case SHA224: 3445 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3446 bytecount); 3447 case SHA256: 3448 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3449 bytecount); 3450 case SHA384: 3451 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3452 bytecount); 3453 case SHA512: 3454 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3455 bytecount); 3456 default: return shaBadParam; 3457 } 3458 } else { 3459 return shaNull; 3460 } 3461 } 3463 /* 3464 * USHAFinalBits 3465 * 3466 * Description: 3467 * This function will add in any final bits of the message. 3468 * 3469 * Parameters: 3470 * context: [in/out] 3471 * The SHA context to update 3472 * message_bits: [in] 3473 * The final bits of the message, in the upper portion of the 3474 * byte. (Use 0b###00000 instead of 0b00000### to input the 3475 * three bits ###.) 3476 * length: [in] 3477 * The number of bits in message_bits, between 1 and 7. 3478 * 3479 * Returns: 3481 * sha Error Code. 3482 */ 3483 int USHAFinalBits(USHAContext *context, 3484 uint8_t bits, unsigned int bit_count) 3485 { 3486 if (context) { 3487 switch (context->whichSha) { 3488 case SHA1: 3489 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3490 bit_count); 3491 case SHA224: 3492 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3493 bit_count); 3494 case SHA256: 3495 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3496 bit_count); 3497 case SHA384: 3498 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3499 bit_count); 3500 case SHA512: 3501 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3502 bit_count); 3503 default: return shaBadParam; 3504 } 3505 } else { 3506 return shaNull; 3507 } 3508 } 3510 /* 3511 * USHAResult 3512 * 3513 * Description: 3514 * This function will return the message digest of the appropriate 3515 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3516 * 'whichSHA' value used in the preceeding call to USHAReset, 3517 * into the Message_Digest array provided by the caller. 3518 * 3519 * Parameters: 3520 * context: [in/out] 3521 * The context to use to calculate the SHA-1 hash. 3522 * Message_Digest: [out] 3523 * Where the digest is returned. 3524 * 3525 * Returns: 3526 * sha Error Code. 3527 * 3528 */ 3529 int USHAResult(USHAContext *context, 3530 uint8_t Message_Digest[USHAMaxHashSize]) 3532 { 3533 if (context) { 3534 switch (context->whichSha) { 3535 case SHA1: 3536 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3537 case SHA224: 3538 return SHA224Result((SHA224Context*)&context->ctx, 3539 Message_Digest); 3540 case SHA256: 3541 return SHA256Result((SHA256Context*)&context->ctx, 3542 Message_Digest); 3543 case SHA384: 3544 return SHA384Result((SHA384Context*)&context->ctx, 3545 Message_Digest); 3546 case SHA512: 3547 return SHA512Result((SHA512Context*)&context->ctx, 3548 Message_Digest); 3549 default: return shaBadParam; 3550 } 3551 } else { 3552 return shaNull; 3553 } 3554 } 3556 /* 3557 * USHABlockSize 3558 * 3559 * Description: 3560 * This function will return the blocksize for the given SHA 3561 * algorithm. 3562 * 3563 * Parameters: 3564 * whichSha: 3565 * which SHA algorithm to query 3566 * 3567 * Returns: 3568 * block size 3569 * 3570 */ 3571 int USHABlockSize(enum SHAversion whichSha) 3572 { 3573 switch (whichSha) { 3574 case SHA1: return SHA1_Message_Block_Size; 3575 case SHA224: return SHA224_Message_Block_Size; 3576 case SHA256: return SHA256_Message_Block_Size; 3577 case SHA384: return SHA384_Message_Block_Size; 3578 default: 3579 case SHA512: return SHA512_Message_Block_Size; 3580 } 3581 } 3582 /* 3583 * USHAHashSize 3584 * 3585 * Description: 3586 * This function will return the hashsize for the given SHA 3587 * algorithm. 3588 * 3589 * Parameters: 3590 * whichSha: 3591 * which SHA algorithm to query 3592 * 3593 * Returns: 3594 * hash size 3595 * 3596 */ 3597 int USHAHashSize(enum SHAversion whichSha) 3598 { 3599 switch (whichSha) { 3600 case SHA1: return SHA1HashSize; 3601 case SHA224: return SHA224HashSize; 3602 case SHA256: return SHA256HashSize; 3603 case SHA384: return SHA384HashSize; 3604 default: 3605 case SHA512: return SHA512HashSize; 3606 } 3607 } 3609 /* 3610 * USHAHashSizeBits 3611 * 3612 * Description: 3613 * This function will return the hashsize for the given SHA 3614 * algorithm, expressed in bits. 3615 * 3616 * Parameters: 3617 * whichSha: 3618 * which SHA algorithm to query 3619 * 3620 * Returns: 3621 * hash size in bits 3622 * 3623 */ 3624 int USHAHashSizeBits(enum SHAversion whichSha) 3625 { 3626 switch (whichSha) { 3627 case SHA1: return SHA1HashSizeBits; 3628 case SHA224: return SHA224HashSizeBits; 3629 case SHA256: return SHA256HashSizeBits; 3630 case SHA384: return SHA384HashSizeBits; 3631 default: 3633 case SHA512: return SHA512HashSizeBits; 3634 } 3635 } 3637 /* 3638 * USHAHashName 3639 * 3640 * Description: 3641 * This function will return the name of the given SHA algorithm 3642 * as a string. 3643 * 3644 * Parameters: 3645 * whichSha: 3646 * which SHA algorithm to query 3647 * 3648 * Returns: 3649 * character string with the name in it 3650 * 3651 */ 3652 const char *USHAHashName(enum SHAversion whichSha) 3653 { 3654 switch (whichSha) { 3655 case SHA1: return "SHA1"; 3656 case SHA224: return "SHA224"; 3657 case SHA256: return "SHA256"; 3658 case SHA384: return "SHA384"; 3659 default: 3660 case SHA512: return "SHA512"; 3661 } 3662 } 3664 8.2.5 sha-private.h 3666 /************************ sha-private.h ************************/ 3667 /***************** See RFC NNNN for details. *******************/ 3668 #ifndef _SHA_PRIVATE__H 3669 #define _SHA_PRIVATE__H 3670 /* 3671 * These definitions are defined in FIPS-180-2, section 4.1. 3672 * Ch() and Maj() are defined identically in sections 4.1.1, 3673 * 4.1.2 and 4.1.3. 3674 * 3675 * The definitions used in FIPS-180-2 are as follows: 3676 */ 3678 #ifndef USE_MODIFIED_MACROS 3679 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 3680 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 3681 #else /* USE_MODIFIED_MACROS */ 3682 /* 3683 * The following definitions are equivalent and potentially faster. 3684 */ 3686 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 3687 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 3689 #endif /* USE_MODIFIED_MACROS */ 3691 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 3693 #endif /* _SHA_PRIVATE__H */ 3695 8.3 The HMAC Code 3697 /**************************** hmac.c ***************************/ 3698 /***************** See RFC NNNN for details. *******************/ 3699 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3700 /* authors of the code. All rights reserved. */ 3701 /* See sha.h for terms of use and redistribution. */ 3703 /* 3704 * Description: 3705 * This file implements the HMAC algorithm (Keyed-Hashing for 3706 * Message Authentication, [RFC2104]), expressed in terms of the 3707 * various SHA algorithms. 3708 */ 3710 #include "sha.h" 3712 /* 3713 * hmac 3714 * 3715 * Description: 3716 * This function will compute an HMAC message digest. 3717 * 3718 * Parameters: 3719 * whichSha: [in] 3720 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3721 * key: [in] 3722 * The secret shared key. 3723 * key_len: [in] 3724 * The length of the secret shared key. 3725 * message_array: [in] 3726 * An array of octets representing the message. 3727 * Note: in RFC 2109, this parameter is known 3728 * as 'text'. 3730 * length: [in] 3731 * The length of the message in message_array. 3732 * digest: [out] 3733 * Where the digest is returned. 3734 * NOTE: The length of the digest is determined by 3735 * the value of whichSha. 3736 * 3737 * Returns: 3738 * sha Error Code. 3739 * 3740 */ 3741 int hmac(SHAversion whichSha, 3742 const unsigned char *message_array, int length, 3743 const unsigned char *key, int key_len, 3744 uint8_t digest[USHAMaxHashSize]) 3745 { 3746 HMACContext context; 3747 return hmacReset(&context, whichSha, key, key_len) || 3748 hmacInput(&context, message_array, length) || 3749 hmacResult(&context, digest); 3750 } 3752 /* 3753 * hmacReset 3754 * 3755 * Description: 3756 * This function will initialize the hmacContext in preparation 3757 * for computing a new HMAC message digest. 3758 * 3759 * Parameters: 3760 * context: [in/out] 3761 * The context to reset. 3762 * whichSha: [in] 3763 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3764 * key: [in] 3765 * The secret shared key. 3766 * key_len: [in] 3767 * The length of the secret shared key. 3768 * 3769 * Returns: 3770 * sha Error Code. 3771 * 3772 */ 3773 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3774 const unsigned char *key, int key_len) 3775 { 3776 int i, blocksize, hashsize, ret; 3778 /* inner padding - key XORd with ipad */ 3779 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3780 /* temporary buffer when keylen > blocksize */ 3781 unsigned char tempkey[USHAMaxHashSize]; 3783 if (!context) return shaNull; 3784 context->Computed = 0; 3785 context->Corrupted = shaSuccess; 3787 blocksize = context->blockSize = USHABlockSize(whichSha); 3788 hashsize = context->hashSize = USHAHashSize(whichSha); 3790 context->whichSha = whichSha; 3792 /* 3793 * If key is longer than the hash blocksize, 3794 * reset it to key = HASH(key). 3795 */ 3796 if (key_len > blocksize) { 3797 USHAContext tcontext; 3798 int err = USHAReset(&tcontext, whichSha) || 3799 USHAInput(&tcontext, key, key_len) || 3800 USHAResult(&tcontext, tempkey); 3801 if (err != shaSuccess) return err; 3803 key = tempkey; 3804 key_len = hashsize; 3805 } 3807 /* 3808 * The HMAC transform looks like: 3809 * 3810 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3811 * 3812 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3813 * ipad is the byte 0x36 repeated blocksize times, 3814 * opad is the byte 0x5c repeated blocksize times, 3815 * and text is the data being protected. 3816 */ 3818 /* store key into the pads, XOR'd with ipad and opad values */ 3819 for (i = 0; i < key_len; i++) { 3820 k_ipad[i] = key[i] ^ 0x36; 3821 context->k_opad[i] = key[i] ^ 0x5c; 3822 } 3823 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3824 for ( ; i < blocksize; i++) { 3825 k_ipad[i] = 0x36; 3826 context->k_opad[i] = 0x5c; 3827 } 3829 /* perform inner hash */ 3830 /* init context for 1st pass */ 3831 ret = USHAReset(&context->shaContext, whichSha) || 3832 /* and start with inner pad */ 3833 USHAInput(&context->shaContext, k_ipad, blocksize); 3834 return context->Corrupted = ret; 3835 } 3837 /* 3838 * hmacInput 3839 * 3840 * Description: 3841 * This function accepts an array of octets as the next portion 3842 * of the message. It may be called multiple times. 3843 * 3844 * Parameters: 3845 * context: [in/out] 3846 * The HMAC context to update 3847 * message_array: [in] 3848 * An array of octets representing the next portion of 3849 * the message. 3850 * length: [in] 3851 * The length of the message in message_array 3852 * 3853 * Returns: 3854 * sha Error Code. 3855 * 3856 */ 3857 int hmacInput(HMACContext *context, const unsigned char *text, 3858 int text_len) 3859 { 3860 if (!context) return shaNull; 3861 if (context->Corrupted) return context->Corrupted; 3862 if (context->Computed) return context->Corrupted = shaStateError; 3863 /* then text of datagram */ 3864 return context->Corrupted = 3865 USHAInput(&context->shaContext, text, text_len); 3866 } 3868 /* 3869 * hmacFinalBits 3870 * 3871 * Description: 3872 * This function will add in any final bits of the message. 3873 * 3874 * Parameters: 3875 * context: [in/out] 3876 * The HMAC context to update 3877 * message_bits: [in] 3878 * The final bits of the message, in the upper portion of the 3879 * byte. (Use 0b###00000 instead of 0b00000### to input the 3880 * three bits ###.) 3881 * length: [in] 3882 * The number of bits in message_bits, between 1 and 7. 3883 * 3884 * Returns: 3885 * sha Error Code. 3886 */ 3887 int hmacFinalBits(HMACContext *context, 3888 uint8_t bits, unsigned int bit_count) 3889 { 3890 if (!context) return shaNull; 3891 if (context->Corrupted) return context->Corrupted; 3892 if (context->Computed) return context->Corrupted = shaStateError; 3893 /* then final bits of datagram */ 3894 return context->Corrupted = 3895 USHAFinalBits(&context->shaContext, bits, bit_count); 3896 } 3898 /* 3899 * hmacResult 3900 * 3901 * Description: 3902 * This function will return the N-byte message digest into the 3903 * Message_Digest array provided by the caller. 3904 * 3905 * Parameters: 3906 * context: [in/out] 3907 * The context to use to calculate the HMAC hash. 3908 * digest: [out] 3909 * Where the digest is returned. 3910 * NOTE 2: The length of the hash is determined by the value of 3911 * whichSha that was passed to hmacReset(). 3912 * 3913 * Returns: 3914 * sha Error Code. 3915 * 3916 */ 3917 int hmacResult(HMACContext *context, uint8_t *digest) 3918 { 3919 int ret; 3920 if (!context) return shaNull; 3921 if (context->Corrupted) return context->Corrupted; 3922 if (context->Computed) return context->Corrupted = shaStateError; 3924 /* finish up 1st pass */ 3925 /* (Use digest here as a temporary buffer.) */ 3926 ret = 3927 USHAResult(&context->shaContext, digest) || 3929 /* perform outer SHA */ 3930 /* init context for 2nd pass */ 3931 USHAReset(&context->shaContext, context->whichSha) || 3933 /* start with outer pad */ 3934 USHAInput(&context->shaContext, context->k_opad, 3935 context->blockSize) || 3937 /* then results of 1st hash */ 3938 USHAInput(&context->shaContext, digest, context->hashSize) || 3940 /* finish up 2nd pass */ 3941 USHAResult(&context->shaContext, digest); 3943 context->Computed = 1; 3944 return context->Corrupted = ret; 3945 } 3947 8.4 The HKDF Code 3949 /**************************** hkdf.c ***************************/ 3950 /***************** See RFC NNNN for details. *******************/ 3951 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3952 /* authors of the code. All rights reserved. */ 3953 /* See sha.h for terms of use and redistribution. */ 3955 /* 3956 * Description: 3957 * This file implements the HKDF algorithm (HMAC-based 3958 * Extract-and-Expand Key Derivation Function, RFCXXXX), 3959 * expressed in terms of the various SHA algorithms. 3960 */ 3962 #include "sha.h" 3963 #include 3964 #include 3966 /* 3967 * hkdf 3968 * 3969 * Description: 3970 * This function will compute an HKDF message digest. 3971 * 3972 * Parameters: 3973 * whichSha: [in] 3974 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3975 * salt: [in] 3976 * The optional salt value (a non-secret random value); 3977 * if not provided (salt == NULL), it is set internally 3978 * to a string of HashLen(whichSha) zeros. 3979 * salt_len: [in] 3980 * The length of the salt value. (Ignored if salt == NULL.) 3981 * ikm: [in] 3982 * Input keying material. 3983 * ikm_len: [in] 3984 * The length of the input keying material. 3985 * info: [in] 3986 * The optional context and application specific information. 3987 * If info == NULL or a zero-length string, it is ignored. 3988 * info_len: [in] 3989 * The length of the optional context and application specific 3990 * information. (Ignored if info == NULL.) 3991 * okm: [out] 3992 * Where the HKDF is to be stored. 3993 * okm_len: [in] 3994 * The length of the buffer to hold okm. 3995 * okm_len must be <= 255 * USHABlockSize(whichSha) 3996 * 3997 * Notes: 3998 * Calls hkdfExtract() and hkdfExpand(). 3999 * 4000 * Returns: 4001 * sha Error Code. 4002 * 4003 */ 4004 int hkdf(SHAversion whichSha, 4005 const unsigned char *salt, int salt_len, 4006 const unsigned char *ikm, int ikm_len, 4007 const unsigned char *info, int info_len, 4008 uint8_t okm[ ], int okm_len) 4009 { 4010 uint8_t prk[USHAMaxHashSize]; 4011 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 4012 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 4013 info_len, okm, okm_len); 4014 } 4016 /* 4017 * hkdfExtract 4018 * 4019 * Description: 4020 * This function will perform HKDF extraction. 4021 * 4022 * Parameters: 4023 * whichSha: [in] 4024 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4025 * salt: [in] 4026 * The optional salt value (a non-secret random value); 4027 * if not provided (salt == NULL), it is set internally 4028 * to a string of HashLen(whichSha) zeros. 4029 * salt_len: [in] 4030 * The length of the salt value. (Ignored if salt == NULL.) 4031 * ikm: [in] 4032 * Input keying material. 4033 * ikm_len: [in] 4034 * The length of the input keying material. 4035 * prk: [out] 4036 * Where the HKDF extraction is to be stored. 4037 * Must be larger than USHAHashSize(whichSha); 4038 * 4039 * Returns: 4040 * sha Error Code. 4041 * 4042 */ 4043 int hkdfExtract(SHAversion whichSha, 4044 const unsigned char *salt, int salt_len, 4045 const unsigned char *ikm, int ikm_len, 4046 uint8_t prk[USHAMaxHashSize]) 4047 { 4048 unsigned char nullSalt[USHAMaxHashSize]; 4049 if (salt == 0) { 4050 salt = nullSalt; 4051 salt_len = USHAHashSize(whichSha); 4052 memset(nullSalt, '\0', salt_len); 4053 } else if (salt_len < 0) { 4054 return shaBadParam; 4055 } 4056 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4057 } 4059 /* 4060 * hkdfExpand 4061 * 4062 * Description: 4063 * This function will perform HKDF expansion. 4064 * 4065 * Parameters: 4066 * whichSha: [in] 4067 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4068 * info: [in] 4069 * The optional context and application specific information. 4070 * If info == NULL or a zero-length string, it is ignored. 4071 * info_len: [in] 4072 * The length of the optional context and application specific 4073 * information. (Ignored if info == NULL.) 4074 * okm: [out] 4075 * Where the HKDF is to be stored. 4076 * okm_len: [in] 4077 * The length of the buffer to hold okm. 4079 * okm_len must be <= 255 * USHABlockSize(whichSha) 4080 * 4081 * Returns: 4082 * sha Error Code. 4083 * 4084 */ 4085 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4086 const unsigned char *info, int info_len, 4087 uint8_t okm[ ], int okm_len) 4088 { 4089 int hash_len, N; 4090 unsigned char T[USHAMaxHashSize]; 4091 int Tlen, where, i; 4093 if (info == 0) { 4094 info = ""; 4095 info_len = 0; 4096 } else if (info_len < 0) { 4097 return shaBadParam; 4098 } else if (prk_len < 0) { 4099 return shaBadParam; 4100 } else if (!okm) { 4101 return shaBadParam; 4102 } 4104 hash_len = USHAHashSize(whichSha); 4105 if (prk_len < hash_len) return shaBadParam; 4106 N = okm_len / hash_len; 4107 if ((okm_len % hash_len) != 0) N++; 4108 if (N > 255) return shaBadParam; 4110 Tlen = 0; 4111 where = 0; 4112 for (i = 1; i <= N; i++) { 4113 HMACContext context; 4114 unsigned char c = i; 4115 int ret = hmacReset(&context, whichSha, prk, hash_len) || 4116 hmacInput(&context, T, Tlen) || 4117 hmacInput(&context, info, info_len) || 4118 hmacInput(&context, &c, 1) || 4119 hmacResult(&context, T); 4120 if (ret != shaSuccess) return ret; 4121 memcpy(okm + where, T, 4122 (i != N) ? hash_len : (okm_len - where)); 4123 where += hash_len; 4124 Tlen = hash_len; 4125 } 4126 return shaSuccess; 4127 } 4128 /* 4129 * hkdfReset 4130 * 4131 * Description: 4132 * This function will initialize the hkdfContext in preparation 4133 * for computing a new HKDF message digest. It is used for 4134 * arbitrary length inputs. 4135 * 4136 * Parameters: 4137 * context: [in/out] 4138 * The context to reset. 4139 * whichSha: [in] 4140 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4141 * salt: [in] 4142 * The optional salt value (a non-secret random value); 4143 * if not provided (salt == NULL), it is set internally 4144 * to a string of HashLen(whichSha) zeros. 4145 * salt_len: [in] 4146 * The length of the salt value. (Ignored if salt == NULL.) 4147 * 4148 * Returns: 4149 * sha Error Code. 4150 * 4151 */ 4152 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4153 const unsigned char *salt, int salt_len) 4154 { 4155 unsigned char nullSalt[USHAMaxHashSize]; 4156 if (!context) return shaNull; 4158 context->whichSha = whichSha; 4159 context->hashSize = USHAHashSize(whichSha); 4160 if (salt == 0) { 4161 salt = nullSalt; 4162 salt_len = context->hashSize; 4163 memset(nullSalt, '\0', salt_len); 4164 } 4166 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4167 } 4169 /* 4170 * hkdfInput 4171 * 4172 * Description: 4173 * This function accepts an array of octets as the next portion 4174 * of the input keying material. It may be called multiple times. 4175 * 4176 * Parameters: 4177 * context: [in/out] 4178 * The HKDF context to update. 4179 * ikm: [in] 4180 * An array of octets representing the next portion of 4181 * the input keying material. 4182 * ikm_len: [in] 4183 * The length of ikm. 4184 * 4185 * Returns: 4186 * sha Error Code. 4187 * 4188 */ 4189 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4190 int ikm_len) 4191 { 4192 if (!context) return shaNull; 4193 if (context->Corrupted) return context->Corrupted; 4194 if (context->Computed) return context->Corrupted = shaStateError; 4195 return hmacInput(&context->hmacContext, ikm, ikm_len); 4196 } 4198 /* 4199 * hkdfFinalBits 4200 * 4201 * Description: 4202 * This function will add in any final bits of the 4203 * input keying material. 4204 * 4205 * Parameters: 4206 * context: [in/out] 4207 * The HKDF context to update 4208 * ikm_bits: [in] 4209 * The final bits of the input keying material, in the upper 4210 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4211 * to input the three bits ###.) 4212 * ikm_bit_count: [in] 4213 * The number of bits in message_bits, between 1 and 7. 4214 * 4215 * Returns: 4216 * sha Error Code. 4217 */ 4218 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4219 unsigned int ikm_bit_count) 4220 { 4221 if (!context) return shaNull; 4222 if (context->Corrupted) return context->Corrupted; 4223 if (context->Computed) return context->Corrupted = shaStateError; 4224 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4225 } 4227 /* 4228 * hkdfResult 4229 * 4230 * Description: 4231 * This function will finish the HKDF extraction and perform the 4232 * final HKDF expansion. 4233 * 4234 * Parameters: 4235 * context: [in/out] 4236 * The HKDF context to use to calculate the HKDF hash. 4237 * prk: [out] 4238 * An optional location to store the HKDF extraction. 4239 * Either NULL, or pointer to a buffer that must be 4240 * larger than USHAHashSize(whichSha); 4241 * info: [in] 4242 * The optional context and application specific information. 4243 * If info == NULL or a zero-length string, it is ignored. 4244 * info_len: [in] 4245 * The length of the optional context and application specific 4246 * information. (Ignored if info == NULL.) 4247 * okm: [out] 4248 * Where the HKDF is to be stored. 4249 * okm_len: [in] 4250 * The length of the buffer to hold okm. 4251 * okm_len must be <= 255 * USHABlockSize(whichSha) 4252 * 4253 * Returns: 4254 * sha Error Code. 4255 * 4256 */ 4257 int hkdfResult(HKDFContext *context, 4258 uint8_t prk[USHAMaxHashSize], 4259 const unsigned char *info, int info_len, 4260 uint8_t okm[ ], int okm_len) 4261 { 4262 uint8_t prkbuf[USHAMaxHashSize]; 4263 int ret; 4265 if (!context) return shaNull; 4266 if (context->Corrupted) return context->Corrupted; 4267 if (context->Computed) return context->Corrupted = shaStateError; 4268 if (!okm) return context->Corrupted = shaBadParam; 4269 if (!prk) prk = prkbuf; 4271 ret = hmacResult(&context->hmacContext, prk) || 4272 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4273 info_len, okm, okm_len); 4274 context->Computed = 1; 4275 return context->Corrupted = ret; 4276 } 4277 8.5 The Test Driver 4279 The following code is a main program test driver to exercise the code 4280 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4281 driver can also be used as a standalone program for generating the 4282 hashes. 4284 See also [SHAVS]. 4286 /************************** shatest.c **************************/ 4287 /***************** See RFC NNNN for details. *******************/ 4288 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4289 /* authors of the code. All rights reserved. */ 4290 /* See sha.h for terms of use and redistribution. */ 4292 /* 4293 * Description: 4294 * This file will exercise the SHA code performing 4295 * the three tests documented in FIPS PUB 180-2 4296 * (http://csrc.nist.gov/publications/fips/ 4297 * fips180-2/fips180-2withchangenotice.pdf) 4298 * one that calls SHAInput with an exact multiple of 512 bits 4299 * the seven tests documented for each algorithm in 4300 * "The Secure Hash Algorithm Validation System (SHAVS)" 4301 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4302 * three of which are bit-level tests 4303 * 4304 * This file will exercise the HMAC SHA1 code performing 4305 * the seven tests documented in RFCs [RFC2202] and [RFC4231]. 4306 * 4307 * This file will exercise the HKDF code performing 4308 * the six tests documented in RFC XXXX. 4309 * 4310 * To run the tests and just see PASSED/FAILED, use the -p option. 4311 * 4312 * Other options exercise: 4313 * hashing an arbitrary string 4314 * hashing a file's contents 4315 * a few error test checks 4316 * printing the results in raw format 4317 * 4318 * Portability Issues: 4319 * None. 4320 * 4321 */ 4323 #include 4324 #include 4325 #include 4326 #include 4327 #include 4328 #include "sha.h" 4330 static int xgetopt(int argc, char **argv, const char *optstring); 4331 extern char *xoptarg; 4332 static int scasecmp(const char *s1, const char *s2); 4334 /* 4335 * Define patterns for testing 4336 */ 4337 #define TEST1 "abc" 4338 #define TEST2_1 \ 4339 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4340 #define TEST2_2a \ 4341 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4342 #define TEST2_2b \ 4343 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4344 #define TEST2_2 TEST2_2a TEST2_2b 4345 #define TEST3 "a" /* times 1000000 */ 4346 #define TEST4a "01234567012345670123456701234567" 4347 #define TEST4b "01234567012345670123456701234567" 4348 /* an exact multiple of 512 bits */ 4349 #define TEST4 TEST4a TEST4b /* times 10 */ 4351 #define TEST7_1 \ 4352 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4353 #define TEST8_1 \ 4354 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4355 #define TEST9_1 \ 4356 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4357 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4358 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4359 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4360 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4361 #define TEST10_1 \ 4362 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4363 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4364 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4365 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4366 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4367 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4368 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4369 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4370 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4371 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4372 "\xcd\xbb\xfb" 4373 #define TEST7_224 \ 4374 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4375 #define TEST8_224 \ 4376 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4378 #define TEST9_224 \ 4379 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4380 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4381 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4382 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4383 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4384 #define TEST10_224 \ 4385 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4386 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4387 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4388 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4389 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4390 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4391 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4392 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4393 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4394 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4395 "\x87\x82\x73" 4396 #define TEST7_256 \ 4397 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4398 #define TEST8_256 \ 4399 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4400 #define TEST9_256 \ 4401 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4402 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4403 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4404 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4405 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4406 #define TEST10_256 \ 4407 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4408 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4409 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4410 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4411 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4412 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4413 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4414 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4415 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4416 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4417 "\x3d\x54\xd6" 4418 #define TEST7_384 \ 4419 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4420 #define TEST8_384 \ 4421 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4422 #define TEST9_384 \ 4423 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4424 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4425 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4426 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4427 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4428 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4429 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4430 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4431 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4432 #define TEST10_384 \ 4433 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4434 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4435 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4436 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4437 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4438 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4439 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4440 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4441 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4442 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4443 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4444 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4445 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4446 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4447 "\x7e\xd0\x96" 4448 #define TEST7_512 \ 4449 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4450 #define TEST8_512 \ 4451 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4452 #define TEST9_512 \ 4453 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4454 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4455 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4456 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4457 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4458 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4459 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4460 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4461 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4462 #define TEST10_512 \ 4463 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4464 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4465 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4466 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4467 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4468 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4469 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4470 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4471 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4472 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4473 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4474 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4475 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4476 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4477 "\xfb\x40\xd2" 4479 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4480 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4481 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4482 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4483 "\x27" 4484 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4485 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4486 "\x27\x9c\x1c\xb0\xa7" 4487 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4488 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4489 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4490 "\xa4\x84\xbe\x74\x53" 4491 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4492 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4493 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4494 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4495 "\x4b\x12\x27\x20\x39" 4497 #define TESTCOUNT 10 4498 #define HASHCOUNT 5 4499 #define RANDOMCOUNT 4 4500 #define HMACTESTCOUNT 7 4501 #define HKDFTESTCOUNT 7 4503 #define PRINTNONE 0 4504 #define PRINTTEXT 1 4505 #define PRINTRAW 2 4506 #define PRINTHEX 3 4507 #define PRINTBASE64 4 4509 #define PRINTPASSFAIL 1 4510 #define PRINTFAIL 2 4512 #define length(x) (sizeof(x)-1) 4514 /* Test arrays for hashes. */ 4515 struct hash { 4516 const char *name; 4517 SHAversion whichSha; 4518 int hashsize; 4519 struct { 4520 const char *testarray; 4521 int length; 4522 long repeatcount; 4523 int extrabits; 4524 int numberExtrabits; 4525 const char *resultarray; 4526 } tests[TESTCOUNT]; 4527 const char *randomtest; 4528 const char *randomresults[RANDOMCOUNT]; 4530 } hashes[HASHCOUNT] = { 4531 { "SHA1", SHA1, SHA1HashSize, 4532 { 4533 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4534 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4535 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4536 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4537 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4538 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4539 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4540 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4541 /* 5 */ { "", 0, 0, 0x98, 5, 4542 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4543 /* 6 */ { "\x5e", 1, 1, 0, 0, 4544 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4545 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4546 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4547 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4548 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4549 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4550 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4551 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4552 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4553 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4554 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4555 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4556 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4557 } }, 4558 { "SHA224", SHA224, SHA224HashSize, 4559 { 4560 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4561 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4562 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4563 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4564 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4565 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4566 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4567 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4568 /* 5 */ { "", 0, 0, 0x68, 5, 4569 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4570 /* 6 */ { "\x07", 1, 1, 0, 0, 4571 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4572 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4573 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4574 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4575 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4576 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4577 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4578 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4579 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4581 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4582 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4583 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4584 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4585 "709563FB916227FED598EB621F" 4586 } }, 4587 { "SHA256", SHA256, SHA256HashSize, 4588 { 4589 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4590 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4591 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4592 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4593 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4594 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4595 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4596 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4597 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4598 "09DB45E7823EB5079CE7A573A3760F95" }, 4599 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4600 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4601 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4602 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4603 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4604 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4605 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4606 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4607 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4608 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4609 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4610 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4611 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4612 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4613 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4614 } }, 4615 { "SHA384", SHA384, SHA384HashSize, 4616 { 4617 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4618 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4619 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4620 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4621 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4622 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4623 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4624 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4625 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4626 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4627 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4628 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4629 /* 5 */ { "", 0, 0, 0x10, 5, 4630 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4631 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4632 /* 6 */ { "\xb9", 1, 1, 0, 0, 4633 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4634 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4635 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4636 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4637 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4638 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4639 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4640 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4641 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4642 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4643 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4644 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4645 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4646 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4647 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4648 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4649 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4650 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4651 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4652 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4653 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4654 } }, 4655 { "SHA512", SHA512, SHA512HashSize, 4656 { 4657 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4658 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4659 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4660 "454D4423643CE80E2A9AC94FA54CA49F" }, 4661 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4662 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4663 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4664 "C7D329EEB6DD26545E96E55B874BE909" }, 4665 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4666 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4667 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4668 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4669 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4670 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4671 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4672 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4673 /* 5 */ { "", 0, 0, 0xB0, 5, 4674 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4675 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4676 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4677 /* 6 */ { "\xD0", 1, 1, 0, 0, 4678 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4679 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4680 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4682 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4683 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4684 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4685 "7359B43E64F8BEC3C1F237119986BBB6" }, 4686 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4687 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4688 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4689 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4690 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4691 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4692 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4693 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4694 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4695 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4696 "C1A16A270D48719377966B957A878E720584779A62825C18" 4697 "DA26415E49A7176A894E7510FD1451F5" } 4698 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4699 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4700 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4701 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4702 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4703 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4704 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4705 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4706 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4707 } 4708 } 4709 }; 4711 /* Test arrays for HMAC. */ 4712 struct hmachash { 4713 const char *keyarray[5]; 4714 int keylength[5]; 4715 const char *dataarray[5]; 4716 int datalength[5]; 4717 const char *resultarray[5]; 4718 int resultlength[5]; 4719 } hmachashes[HMACTESTCOUNT] = { 4720 { /* 1 */ { 4721 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4722 "\x0b\x0b\x0b\x0b\x0b" 4723 }, { 20 }, { 4724 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4725 }, { 8 }, { 4726 /* HMAC-SHA-1 */ 4727 "B617318655057264E28BC0B6FB378C8EF146BE00", 4728 /* HMAC-SHA-224 */ 4729 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4730 /* HMAC-SHA-256 */ 4731 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4732 "CFF7", 4733 /* HMAC-SHA-384 */ 4734 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4735 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4736 /* HMAC-SHA-512 */ 4737 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4738 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4739 "3A126854" 4740 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4741 SHA384HashSize, SHA512HashSize } 4742 }, 4743 { /* 2 */ { 4744 "\x4a\x65\x66\x65" /* "Jefe" */ 4745 }, { 4 }, { 4746 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4747 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4748 /* "what do ya want for nothing?" */ 4749 }, { 28 }, { 4750 /* HMAC-SHA-1 */ 4751 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4752 /* HMAC-SHA-224 */ 4753 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4754 /* HMAC-SHA-256 */ 4755 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4756 "3843", 4757 /* HMAC-SHA-384 */ 4758 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4759 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4760 /* HMAC-SHA-512 */ 4761 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4762 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4763 "38BCE737" 4764 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4765 SHA384HashSize, SHA512HashSize } 4766 }, 4767 { /* 3 */ 4768 { 4769 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4770 "\xaa\xaa\xaa\xaa\xaa" 4771 }, { 20 }, { 4772 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4773 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4774 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4775 "\xdd\xdd\xdd\xdd\xdd" 4776 }, { 50 }, { 4777 /* HMAC-SHA-1 */ 4778 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4779 /* HMAC-SHA-224 */ 4780 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4781 /* HMAC-SHA-256 */ 4782 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4783 "65FE", 4784 /* HMAC-SHA-384 */ 4785 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4786 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4787 /* HMAC-SHA-512 */ 4788 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4789 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4790 "E13292FB" 4791 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4792 SHA384HashSize, SHA512HashSize } 4793 }, 4794 { /* 4 */ { 4795 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4796 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4797 }, { 25 }, { 4798 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4799 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4800 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4801 "\xcd\xcd\xcd\xcd\xcd" 4802 }, { 50 }, { 4803 /* HMAC-SHA-1 */ 4804 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4805 /* HMAC-SHA-224 */ 4806 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4807 /* HMAC-SHA-256 */ 4808 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4809 "665B", 4810 /* HMAC-SHA-384 */ 4811 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4812 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4813 /* HMAC-SHA-512 */ 4814 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4815 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4816 "10A298DD" 4817 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4818 SHA384HashSize, SHA512HashSize } 4819 }, 4820 { /* 5 */ { 4821 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4822 "\x0c\x0c\x0c\x0c\x0c" 4823 }, { 20 }, { 4824 "Test With Truncation" 4825 }, { 20 }, { 4826 /* HMAC-SHA-1 */ 4827 "4C1A03424B55E07FE7F27BE1", 4828 /* HMAC-SHA-224 */ 4829 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4830 /* HMAC-SHA-256 */ 4831 "A3B6167473100EE06E0C796C2955552B", 4832 /* HMAC-SHA-384 */ 4833 "3ABF34C3503B2A23A46EFC619BAEF897", 4834 /* HMAC-SHA-512 */ 4835 "415FAD6271580A531D4179BC891D87A6" 4836 }, { 12, 16, 16, 16, 16 } 4837 }, 4838 { /* 6 */ { 4839 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4840 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4841 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4842 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4843 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4844 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4845 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4846 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4847 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4848 }, { 80, 131 }, { 4849 "Test Using Larger Than Block-Size Key - Hash Key First" 4850 }, { 54 }, { 4851 /* HMAC-SHA-1 */ 4852 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4853 /* HMAC-SHA-224 */ 4854 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4855 /* HMAC-SHA-256 */ 4856 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4857 "7F54", 4858 /* HMAC-SHA-384 */ 4859 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4860 "C4C60C2EF6AB4030FE8296248DF163F44952", 4861 /* HMAC-SHA-512 */ 4862 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4863 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4864 "5D786598" 4865 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4866 SHA384HashSize, SHA512HashSize } 4867 }, 4868 { /* 7 */ { 4869 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4870 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4871 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4872 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4873 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4874 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4875 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4876 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4877 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4878 }, { 80, 131 }, { 4879 "Test Using Larger Than Block-Size Key and " 4880 "Larger Than One Block-Size Data", 4881 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4882 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4883 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4884 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4885 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4886 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4887 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4888 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4889 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4890 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4891 "\x6d\x2e" 4892 /* "This is a test using a larger than block-size key and a " 4893 "larger than block-size data. The key needs to be hashed " 4894 "before being used by the HMAC algorithm." */ 4895 }, { 73, 152 }, { 4896 /* HMAC-SHA-1 */ 4897 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4898 /* HMAC-SHA-224 */ 4899 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4900 /* HMAC-SHA-256 */ 4901 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4902 "35E2", 4903 /* HMAC-SHA-384 */ 4904 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4905 "99C5A678CC31E799176D3860E6110C46523E", 4906 /* HMAC-SHA-512 */ 4907 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4908 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4909 "FA8C6A58" 4910 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4911 SHA384HashSize, SHA512HashSize } 4912 } 4913 }; 4915 /* Test arrays for HKDF. */ 4916 struct hkdfhash { 4917 SHAversion whichSha; 4918 int ikmlength; 4919 const char *ikmarray; 4920 int saltlength; 4921 const char *saltarray; 4922 int infolength; 4923 const char *infoarray; 4924 int prklength; 4925 const char *prkarray; 4926 int okmlength; 4927 const char *okmarray; 4928 } hkdfhashes[HKDFTESTCOUNT] = { 4929 { /* A.1. Test Case 1 */ 4930 SHA256, 4931 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4932 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4933 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4934 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4935 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4936 "D7C2B3E5", 4937 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4938 "ECC4C5BF34007208D5B887185865" 4939 }, 4940 { /* A.2. Test Case 2 */ 4941 SHA256, 4942 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4943 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4944 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4945 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4946 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4947 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4948 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4949 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4950 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4951 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4952 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4953 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4954 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4955 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4956 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4957 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4958 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4959 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4960 32, "06A6B88C5853361A06104C9CEB35B45C" 4961 "EF760014904671014A193F40C15FC244", 4962 82, "B11E398DC80327A1C8E7F78C596A4934" 4963 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4964 "59045A99CAC7827271CB41C65E590E09" 4965 "DA3275600C2F09B8367793A9ACA3DB71" 4966 "CC30C58179EC3E87C14C01D5C1F3434F" 4967 "1D87" 4968 }, 4969 { /* A.3. Test Case 3 */ 4970 SHA256, 4971 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4972 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4973 0, "", 4974 0, "", 4975 32, "19EF24A32C717B167F33A91D6F648BDF" 4976 "96596776AFDB6377AC434C1C293CCB04", 4977 42, "8DA4E775A563C18F715F802A063C5A31" 4978 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4979 "9D201395FAA4B61A96C8" 4980 }, 4981 { /* A.4. Test Case 4 */ 4982 SHA1, 4983 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4984 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4985 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4986 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4987 42, "085A01EA1B10F36933068B56EFA5AD81" 4988 "A4F14B822F5B091568A9CDD4F155FDA2" 4989 "C22E422478D305F3F896" 4990 }, 4991 { /* A.5. Test Case 5 */ 4992 SHA1, 4993 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4994 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4995 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4996 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4997 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4998 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4999 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 5000 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 5001 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 5002 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 5003 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 5004 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 5005 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 5006 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 5007 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 5008 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 5009 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 5010 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 5011 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 5012 82, "0BD770A74D1160F7C9F12CD5912A06EB" 5013 "FF6ADCAE899D92191FE4305673BA2FFE" 5014 "8FA3F1A4E5AD79F3F334B3B202B2173C" 5015 "486EA37CE3D397ED034C7F9DFEB15C5E" 5016 "927336D0441F4C4300E2CFF0D0900B52" 5017 "D3B4" 5018 }, 5019 { /* A.6. Test Case 6 */ 5020 SHA1, 5021 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 5022 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 5023 0, "", 5024 0, "", 5025 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 5026 42, "0AC1AF7002B3D761D1E55298DA9D0506" 5027 "B9AE52057220A306E07B6B87E8DF21D0" 5028 "EA00033DE03984D34918" 5029 }, 5030 { /* A.7. Test Case 7. */ 5031 SHA1, 5032 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 5033 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 5034 0, 0, 5035 0, "", 5036 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 5037 42, "2C91117204D745F3500D636A62F64F0A" 5038 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5039 "673A081D70CCE7ACFC48" 5040 } 5041 }; 5043 /* 5044 * Check the hash value against the expected string, expressed in hex 5045 */ 5046 static const char hexdigits[ ] = "0123456789ABCDEF"; 5047 int checkmatch(const unsigned char *hashvalue, 5048 const char *hexstr, int hashsize) 5049 { 5050 int i; 5051 for (i = 0; i < hashsize; ++i) { 5052 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5053 return 0; 5054 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5055 } 5056 return 1; 5057 } 5059 /* 5060 * Print the string, converting non-printable characters to "." 5061 */ 5062 void printstr(const char *str, int len) 5063 { 5064 for ( ; len-- > 0; str++) 5065 putchar(isprint((unsigned char)*str) ? *str : '.'); 5066 } 5068 /* 5069 * Print the string, converting all characters to hex "## ". 5070 */ 5071 void printxstr(const char *str, int len) 5072 { 5073 char *sep = ""; 5074 for ( ; len-- > 0; str++) { 5075 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5076 hexdigits[*str & 0xF]); 5077 sep = " "; 5078 } 5079 } 5081 /* 5082 * Print a usage message. 5083 */ 5084 void usage(const char *argv0) 5085 { 5086 fprintf(stderr, 5087 "Usage:\n" 5088 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5089 "Hash a string:\n" 5090 "\t%s [-S expectedresult] -s hashstr [-k key] " 5091 "[-i info -L okm-len]\n" 5092 "Hash a file:\n" 5093 "\t%s [-S expectedresult] -f file [-k key] " 5094 "[-i info -L okm-len]\n" 5095 "Hash a file, ignoring whitespace:\n" 5096 "\t%s [-S expectedresult] -F file [-k key] " 5097 "[-i info -L okm-len]\n" 5098 "Additional bits to add in: [-B bitcount -b bits]\n" 5099 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5100 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5101 " Otherwise, run SHA###.)\n" 5102 "Standard tests:\n" 5103 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5104 "\t\t[-r randomseed] [-R randomloop-count] " 5105 "[-p] [-P|-X]\n" 5106 "-h\thash to test: " 5107 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5108 "-m\tperform hmac standard tests\n" 5109 "-k\tkey for hmac test\n" 5110 "-d\tperform hkdf standard tests\n" 5111 "-t\ttest case to run, 1-10\n" 5112 "-l\thow many times to run the test\n" 5113 "-e\ttest error returns\n" 5114 "-p\tdo not print results\n" 5115 "-P\tdo not print PASSED/FAILED\n" 5116 "-X\tprint FAILED, but not PASSED\n" 5117 "-r\tseed for random test\n" 5118 "-R\thow many times to run random test\n" 5119 "-s\tstring to hash\n" 5120 "-S\texpected result of hashed string, in hex\n" 5121 "-w\toutput hash in raw format\n" 5122 "-x\toutput hash in hex format\n" 5123 "-6\toutput hash in base64 format\n" 5124 "-B\t# extra bits to add in after string or file input\n" 5125 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5126 "-H\tinput hashstr or randomseed is in hex\n" 5127 , argv0, argv0, argv0, argv0); 5128 exit(1); 5129 } 5131 /* 5132 * Print the results and PASS/FAIL. 5133 */ 5134 void printResult(uint8_t *Message_Digest, int hashsize, 5135 const char *hashname, const char *testtype, const char *testname, 5136 const char *resultarray, int printResults, int printPassFail) 5137 { 5138 int i, k; 5139 if (printResults == PRINTTEXT) { 5140 printf("\nhashsize=%d\n", hashsize); 5141 putchar('\t'); 5142 for (i = 0; i < hashsize; ++i) { 5143 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5144 putchar(hexdigits[Message_Digest[i] & 0xF]); 5145 putchar(' '); 5146 } 5147 putchar('\n'); 5148 } else if (printResults == PRINTRAW) { 5149 fwrite(Message_Digest, 1, hashsize, stdout); 5150 } else if (printResults == PRINTHEX) { 5151 for (i = 0; i < hashsize; ++i) { 5152 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5153 putchar(hexdigits[Message_Digest[i] & 0xF]); 5154 } 5155 putchar('\n'); 5156 } else if (printResults == PRINTBASE64) { 5157 unsigned char b; 5158 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5159 "0123456789+/"; 5160 for (i = 0; i < hashsize; i += 3) { 5161 putchar(sm[Message_Digest[i] >> 2]); 5162 b = (Message_Digest[i] & 0x03) << 4; 5163 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5164 putchar(sm[b]); 5165 if (i+1 < hashsize) { 5166 b = (Message_Digest[i+1] & 0x0f) << 2; 5167 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5168 putchar(sm[b]); 5169 } else putchar('='); 5170 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5171 else putchar('='); 5172 } 5173 putchar('\n'); 5174 } 5176 if (printResults && resultarray) { 5177 printf(" Should match:\n\t"); 5178 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5179 putchar(resultarray[k]); 5180 putchar(resultarray[k+1]); 5181 putchar(' '); 5183 } 5184 putchar('\n'); 5185 } 5187 if (printPassFail && resultarray) { 5188 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5189 if ((printPassFail == PRINTPASSFAIL) || !ret) 5190 printf("%s %s %s: %s\n", hashname, testtype, testname, 5191 ret ? "PASSED" : "FAILED"); 5192 } 5193 } 5195 /* 5196 * Exercise a hash series of functions. The input is the testarray, 5197 * repeated repeatcount times, followed by the extrabits. If the 5198 * result is known, it is in resultarray in uppercase hex. 5199 */ 5200 int hash(int testno, int loopno, int hashno, 5201 const char *testarray, int length, long repeatcount, 5202 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5203 int keylen, const unsigned char *info, int infolen, int okmlen, 5204 const char *resultarray, int hashsize, int printResults, 5205 int printPassFail) 5206 { 5207 USHAContext sha; 5208 HMACContext hmac; 5209 HKDFContext hkdf; 5210 int err, i; 5211 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5212 uint8_t *Message_Digest = Message_Digest_Buf; 5213 char buf[20]; 5215 if (printResults == PRINTTEXT) { 5216 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5217 loopno, repeatcount); 5218 printstr(testarray, length); 5219 printf("'\n\t'"); 5220 printxstr(testarray, length); 5221 printf("'\n"); 5222 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5223 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5224 } 5226 if (info) Message_Digest = malloc(okmlen); 5227 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5228 memset(&hmac, '\343', sizeof(hmac)); 5229 memset(&hkdf, '\343', sizeof(hkdf)); 5230 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5231 keyarray, keylen) : 5232 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5233 keyarray, keylen) : 5234 USHAReset(&sha, hashes[hashno].whichSha); 5235 if (err != shaSuccess) { 5236 fprintf(stderr, "hash(): %sReset Error %d.\n", 5237 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5238 return err; 5239 } 5241 for (i = 0; i < repeatcount; ++i) { 5242 err = info ? hkdfInput(&hkdf, testarray, length) : 5243 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5244 length) : 5245 USHAInput(&sha, (const uint8_t *) testarray, 5246 length); 5247 if (err != shaSuccess) { 5248 fprintf(stderr, "hash(): %sInput Error %d.\n", 5249 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5250 return err; 5251 } 5252 } 5254 if (numberExtrabits > 0) { 5255 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5256 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5257 numberExtrabits) : 5258 USHAFinalBits(&sha, (uint8_t) extrabits, 5259 numberExtrabits); 5260 if (err != shaSuccess) { 5261 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5262 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5263 return err; 5264 } 5265 } 5267 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5268 Message_Digest, okmlen) : 5269 keyarray ? hmacResult(&hmac, Message_Digest) : 5270 USHAResult(&sha, Message_Digest); 5271 if (err != shaSuccess) { 5272 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5273 "message digest.\n", 5274 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5275 return err; 5276 } 5278 sprintf(buf, "%d", testno+1); 5279 printResult(Message_Digest, info ? okmlen : hashsize, 5280 hashes[hashno].name, info ? "hkdf standard test" : 5281 keyarray ? "hmac standard test" : "sha standard test", buf, 5282 resultarray, printResults, printPassFail); 5284 return err; 5285 } 5287 /* 5288 * Exercise an HKDF series. The input is the testarray, 5289 * repeated repeatcount times, followed by the extrabits. If the 5290 * result is known, it is in resultarray in uppercase hex. 5291 */ 5292 int hashHkdf(int testno, int loopno, int hashno, 5293 int printResults, int printPassFail) 5294 { 5295 int err; 5296 unsigned char prk[USHAMaxHashSize+1]; 5297 uint8_t okm[255 * USHAMaxHashSize+1]; 5298 char buf[20]; 5300 if (printResults == PRINTTEXT) { 5301 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5302 printxstr(hkdfhashes[testno].saltarray, 5303 hkdfhashes[testno].saltlength); 5304 printf("'\n\tIKM\t'"); 5305 printxstr(hkdfhashes[testno].ikmarray, 5306 hkdfhashes[testno].ikmlength); 5307 printf("'\n\tINFO\t'"); 5308 printxstr(hkdfhashes[testno].infoarray, 5309 hkdfhashes[testno].infolength); 5310 printf("'\n"); 5311 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5312 } 5314 /* Run hkdf() against the test vectors */ 5315 err = hkdf(hkdfhashes[testno].whichSha, 5316 hkdfhashes[testno].saltarray, 5317 hkdfhashes[testno].saltlength, 5318 hkdfhashes[testno].ikmarray, 5319 hkdfhashes[testno].ikmlength, 5320 hkdfhashes[testno].infoarray, 5321 hkdfhashes[testno].infolength, okm, 5322 hkdfhashes[testno].okmlength); 5323 if (err != shaSuccess) { 5324 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5325 return err; 5326 } 5327 sprintf(buf, "hkdf %d", testno+1); 5328 printResult(okm, hkdfhashes[testno].okmlength, 5329 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5330 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5332 /* Now run hkdfExtract() by itself against the test vectors */ 5333 /* to verify the intermediate results. */ 5334 err = hkdfExtract(hkdfhashes[testno].whichSha, 5335 hkdfhashes[testno].saltarray, 5336 hkdfhashes[testno].saltlength, 5337 hkdfhashes[testno].ikmarray, 5338 hkdfhashes[testno].ikmlength, prk); 5339 if (err != shaSuccess) { 5340 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5341 return err; 5342 } 5343 sprintf(buf, "hkdfExtract %d", testno+1); 5344 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5345 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5346 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5348 /* Now run hkdfExpand() by itself against the test vectors */ 5349 /* using the intermediate results from hkdfExtract. */ 5350 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5351 USHAHashSize(hkdfhashes[testno].whichSha), 5352 hkdfhashes[testno].infoarray, hkdfhashes[testno].infolength, 5353 okm, hkdfhashes[testno].okmlength); 5354 if (err != shaSuccess) { 5355 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5356 return err; 5357 } 5358 sprintf(buf, "hkdfExpand %d", testno+1); 5359 printResult(okm, hkdfhashes[testno].okmlength, 5360 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5361 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5363 return err; 5364 } 5366 /* 5367 * Exercise a hash series of functions. The input is a filename. 5368 * If the result is known, it is in resultarray in uppercase hex. 5369 */ 5370 int hashfile(int hashno, const char *hashfilename, int bits, 5371 int bitcount, int skipSpaces, const unsigned char *keyarray, 5372 int keylen, const unsigned char *info, int infolen, int okmlen, 5373 const char *resultarray, int hashsize, 5374 int printResults, int printPassFail) 5375 { 5376 USHAContext sha; 5377 HMACContext hmac; 5378 HKDFContext hkdf; 5379 int err, nread, c; 5380 unsigned char buf[4096]; 5381 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5382 uint8_t *Message_Digest = Message_Digest_Buf; 5383 unsigned char cc; 5384 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5385 fopen(hashfilename, "r"); 5387 if (!hashfp) { 5388 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5389 return shaStateError; 5390 } 5392 if (info) Message_Digest = malloc(okmlen); 5393 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5394 memset(&hmac, '\343', sizeof(hmac)); 5395 memset(&hkdf, '\343', sizeof(hkdf)); 5396 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5397 keyarray, keylen) : 5398 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5399 keyarray, keylen) : 5400 USHAReset(&sha, hashes[hashno].whichSha); 5401 if (err != shaSuccess) { 5402 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5403 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5404 return err; 5405 } 5407 if (skipSpaces) 5408 while ((c = getc(hashfp)) != EOF) { 5409 if (!isspace(c)) { 5410 cc = (unsigned char)c; 5411 err = info ? hkdfInput(&hkdf, &cc, 1) : 5412 keyarray ? hmacInput(&hmac, &cc, 1) : 5413 USHAInput(&sha, &cc, 1); 5414 if (err != shaSuccess) { 5415 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5416 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5417 if (hashfp != stdin) fclose(hashfp); 5418 return err; 5419 } 5420 } 5421 } 5422 else 5423 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5424 err = info ? hkdfInput(&hkdf, buf, nread) : 5425 keyarray ? hmacInput(&hmac, buf, nread) : 5426 USHAInput(&sha, buf, nread); 5427 if (err != shaSuccess) { 5428 fprintf(stderr, "hashfile(): %s Error %d.\n", 5429 info ? "hkdf" : keyarray ? "hmacInput" : 5430 "shaInput", err); 5431 if (hashfp != stdin) fclose(hashfp); 5432 return err; 5433 } 5435 } 5437 if (bitcount > 0) 5438 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5439 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5440 USHAFinalBits(&sha, bits, bitcount); 5441 if (err != shaSuccess) { 5442 fprintf(stderr, "hashfile(): %s Error %d.\n", 5443 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5444 "shaFinalBits", err); 5445 if (hashfp != stdin) fclose(hashfp); 5446 return err; 5447 } 5449 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5450 Message_Digest, okmlen) : 5451 keyarray ? hmacResult(&hmac, Message_Digest) : 5452 USHAResult(&sha, Message_Digest); 5453 if (err != shaSuccess) { 5454 fprintf(stderr, "hashfile(): %s Error %d.\n", 5455 info ? "hkdf" : keyarray ? "hmacResult" : 5456 "shaResult", err); 5457 if (hashfp != stdin) fclose(hashfp); 5458 return err; 5459 } 5461 printResult(Message_Digest, info ? okmlen : hashsize, 5462 hashes[hashno].name, "file", hashfilename, resultarray, 5463 printResults, printPassFail); 5465 if (hashfp != stdin) fclose(hashfp); 5466 if (info) free(Message_Digest); 5467 return err; 5468 } 5470 /* 5471 * Exercise a hash series of functions through multiple permutations. 5472 * The input is an initial seed. That seed is replicated 3 times. 5473 * For 1000 rounds, the previous three results are used as the input. 5474 * This result is then checked, and used to seed the next cycle. 5475 * If the result is known, it is in resultarrays in uppercase hex. 5476 */ 5477 void randomtest(int hashno, const char *seed, int hashsize, 5478 const char **resultarrays, int randomcount, 5479 int printResults, int printPassFail) 5480 { 5481 int i, j; char buf[20]; 5482 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5484 /* INPUT: Seed - A random seed n bits long */ 5485 memcpy(SEED, seed, hashsize); 5486 if (printResults == PRINTTEXT) { 5487 printf("%s random test seed= '", hashes[hashno].name); 5488 printxstr(seed, hashsize); 5489 printf("'\n"); 5490 } 5492 for (j = 0; j < randomcount; j++) { 5493 /* MD0 = MD1 = MD2 = Seed; */ 5494 memcpy(MD[0], SEED, hashsize); 5495 memcpy(MD[1], SEED, hashsize); 5496 memcpy(MD[2], SEED, hashsize); 5497 for (i=3; i<1003; i++) { 5498 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5499 USHAContext Mi; 5500 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5501 USHAReset(&Mi, hashes[hashno].whichSha); 5502 USHAInput(&Mi, MD[i-3], hashsize); 5503 USHAInput(&Mi, MD[i-2], hashsize); 5504 USHAInput(&Mi, MD[i-1], hashsize); 5505 /* MDi = SHA(Mi); */ 5506 USHAResult(&Mi, MD[i]); 5507 } 5509 /* MDj = Seed = MDi; */ 5510 memcpy(SEED, MD[i-1], hashsize); 5512 /* OUTPUT: MDj */ 5513 sprintf(buf, "%d", j); 5514 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5515 buf, resultarrays ? resultarrays[j] : 0, printResults, 5516 (j < RANDOMCOUNT) ? printPassFail : 0); 5517 } 5518 } 5520 /* 5521 * Look up a hash name. 5522 */ 5523 int findhash(const char *argv0, const char *opt) 5524 { 5525 int i; 5526 const char *names[HASHCOUNT][2] = { 5527 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5528 { "3", "sha384" }, { "4", "sha512" } 5529 }; 5531 for (i = 0; i < HASHCOUNT; i++) 5532 if ((strcmp(opt, names[i][0]) == 0) || 5533 (scasecmp(opt, names[i][1]) == 0)) 5534 return i; 5536 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5537 usage(argv0); 5538 return 0; 5539 } 5541 /* 5542 * Run some tests that should invoke errors. 5543 */ 5544 void testErrors(int hashnolow, int hashnohigh, int printResults, 5545 int printPassFail) 5546 { 5547 USHAContext usha; 5548 uint8_t Message_Digest[USHAMaxHashSize]; 5549 int hashno, err; 5551 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5552 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5553 USHAReset(&usha, hashno); 5554 USHAResult(&usha, Message_Digest); 5555 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5556 if (printResults == PRINTTEXT) 5557 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5558 if ((printPassFail == PRINTPASSFAIL) || 5559 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5560 printf("%s se: %s\n", hashes[hashno].name, 5561 (err == shaStateError) ? "PASSED" : "FAILED"); 5563 err = USHAFinalBits(&usha, 0x80, 3); 5564 if (printResults == PRINTTEXT) 5565 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5566 if ((printPassFail == PRINTPASSFAIL) || 5567 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5568 printf("%s se: %s\n", hashes[hashno].name, 5569 (err == shaStateError) ? "PASSED" : "FAILED"); 5571 err = USHAReset(0, hashes[hashno].whichSha); 5572 if (printResults == PRINTTEXT) 5573 printf("\nError %d. Should be %d.\n", err, shaNull); 5574 if ((printPassFail == PRINTPASSFAIL) || 5575 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5576 printf("%s usha null: %s\n", hashes[hashno].name, 5577 (err == shaNull) ? "PASSED" : "FAILED"); 5579 switch (hashno) { 5580 case SHA1: err = SHA1Reset(0); break; 5581 case SHA224: err = SHA224Reset(0); break; 5582 case SHA256: err = SHA256Reset(0); break; 5583 case SHA384: err = SHA384Reset(0); break; 5584 case SHA512: err = SHA512Reset(0); break; 5585 } 5586 if (printResults == PRINTTEXT) 5587 printf("\nError %d. Should be %d.\n", err, shaNull); 5588 if ((printPassFail == PRINTPASSFAIL) || 5589 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5590 printf("%s sha null: %s\n", hashes[hashno].name, 5591 (err == shaNull) ? "PASSED" : "FAILED"); 5592 } 5593 } 5595 /* replace a hex string in place with its value */ 5596 int unhexStr(char *hexstr) 5597 { 5598 char *o = hexstr; 5599 int len = 0, nibble1 = 0, nibble2 = 0; 5600 if (!hexstr) return 0; 5601 for ( ; *hexstr; hexstr++) { 5602 if (isalpha((int)(unsigned char)(*hexstr))) { 5603 nibble1 = tolower(*hexstr) - 'a' + 10; 5604 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5605 nibble1 = *hexstr - '0'; 5606 } else { 5607 printf("\nError: bad hex character '%c'\n", *hexstr); 5608 } 5609 if (!*++hexstr) break; 5610 if (isalpha((int)(unsigned char)(*hexstr))) { 5611 nibble2 = tolower(*hexstr) - 'a' + 10; 5612 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5613 nibble2 = *hexstr - '0'; 5614 } else { 5615 printf("\nError: bad hex character '%c'\n", *hexstr); 5616 } 5617 *o++ = (char)((nibble1 << 4) | nibble2); 5618 len++; 5619 } 5620 return len; 5621 } 5623 int main(int argc, char **argv) 5624 { 5625 int i, err; 5626 int loopno, loopnohigh = 1; 5627 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5628 int testno, testnolow = 0, testnohigh; 5629 int ntestnohigh = 0; 5630 int printResults = PRINTTEXT; 5631 int printPassFail = 1; 5632 int checkErrors = 0; 5633 char *hashstr = 0; 5634 int hashlen = 0; 5635 const char *resultstr = 0; 5636 char *randomseedstr = 0; 5637 int runHmacTests = 0; 5638 int runHkdfTests = 0; 5639 char *hmacKey = 0; 5640 int hmaclen = 0; 5641 char *info = 0; 5642 int infolen = 0, okmlen = 0; 5643 int randomcount = RANDOMCOUNT; 5644 const char *hashfilename = 0; 5645 const char *hashFilename = 0; 5646 int extrabits = 0, numberExtrabits = 0; 5647 int strIsHex = 0; 5649 while ((i = xgetopt(argc, argv, 5650 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5651 switch (i) { 5652 case 'b': extrabits = strtol(xoptarg, 0, 0); break; 5653 case 'B': numberExtrabits = atoi(xoptarg); break; 5654 case 'd': runHkdfTests = 1; break; 5655 case 'e': checkErrors = 1; break; 5656 case 'f': hashfilename = xoptarg; break; 5657 case 'F': hashFilename = xoptarg; break; 5658 case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg); 5659 break; 5660 case 'H': strIsHex = 1; break; 5661 case 'i': info = xoptarg; infolen = strlen(xoptarg); break; 5662 case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break; 5663 case 'l': loopnohigh = atoi(xoptarg); break; 5664 case 'L': okmlen = strtol(xoptarg, 0, 0); break; 5665 case 'm': runHmacTests = 1; break; 5666 case 'P': printPassFail = 0; break; 5667 case 'p': printResults = PRINTNONE; break; 5668 case 'R': randomcount = atoi(xoptarg); break; 5669 case 'r': randomseedstr = xoptarg; break; 5670 case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break; 5671 case 'S': resultstr = xoptarg; break; 5672 case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break; 5673 case 'w': printResults = PRINTRAW; break; 5674 case 'x': printResults = PRINTHEX; break; 5675 case 'X': printPassFail = 2; break; 5676 case '6': printResults = PRINTBASE64; break; 5677 default: usage(argv[0]); 5678 } 5680 if (strIsHex) { 5681 hashlen = unhexStr(hashstr); 5682 unhexStr(randomseedstr); 5683 hmaclen = unhexStr(hmacKey); 5684 infolen = unhexStr(info); 5685 } 5686 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5687 runHmacTests ? (HMACTESTCOUNT-1) : 5688 runHkdfTests ? (HKDFTESTCOUNT-1) : 5689 (TESTCOUNT-1); 5690 if ((testnolow < 0) || 5691 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5692 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5693 (hashstr && (testnolow == testnohigh)) || 5694 (randomcount < 0) || 5695 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5696 ((runHmacTests || hmacKey) && randomseedstr) || 5697 (hashfilename && hashFilename) || 5698 (info && ((infolen <= 0) || (okmlen <= 0))) || 5699 (info && !hmacKey)) 5700 usage(argv[0]); 5702 /* 5703 * Perform SHA/HMAC tests 5704 */ 5705 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5706 if (printResults == PRINTTEXT) 5707 printf("Hash %s\n", hashes[hashno].name); 5708 err = shaSuccess; 5710 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5711 ++loopno) { 5712 if (hashstr) 5713 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5714 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5715 hmaclen, info, infolen, okmlen, resultstr, 5716 hashes[hashno].hashsize, printResults, printPassFail); 5718 else if (randomseedstr) 5719 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5720 randomcount, printResults, printPassFail); 5722 else if (hashfilename) 5723 err = hashfile(hashno, hashfilename, extrabits, 5724 numberExtrabits, 0, 5725 (const unsigned char *)hmacKey, hmaclen, 5726 info, infolen, okmlen, resultstr, 5727 hashes[hashno].hashsize, 5728 printResults, printPassFail); 5730 else if (hashFilename) 5731 err = hashfile(hashno, hashFilename, extrabits, 5732 numberExtrabits, 1, 5733 (const unsigned char *)hmacKey, hmaclen, 5734 info, infolen, okmlen, resultstr, 5735 hashes[hashno].hashsize, 5736 printResults, printPassFail); 5738 else /* standard tests */ { 5739 for (testno = testnolow; 5740 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5741 if (runHmacTests) { 5742 err = hash(testno, loopno, hashno, 5743 hmachashes[testno].dataarray[hashno] ? 5744 hmachashes[testno].dataarray[hashno] : 5745 hmachashes[testno].dataarray[1] ? 5746 hmachashes[testno].dataarray[1] : 5747 hmachashes[testno].dataarray[0], 5748 hmachashes[testno].datalength[hashno] ? 5749 hmachashes[testno].datalength[hashno] : 5750 hmachashes[testno].datalength[1] ? 5751 hmachashes[testno].datalength[1] : 5752 hmachashes[testno].datalength[0], 5753 1, 0, 0, 5754 (const unsigned char *)( 5755 hmachashes[testno].keyarray[hashno] ? 5756 hmachashes[testno].keyarray[hashno] : 5757 hmachashes[testno].keyarray[1] ? 5758 hmachashes[testno].keyarray[1] : 5759 hmachashes[testno].keyarray[0]), 5760 hmachashes[testno].keylength[hashno] ? 5761 hmachashes[testno].keylength[hashno] : 5762 hmachashes[testno].keylength[1] ? 5763 hmachashes[testno].keylength[1] : 5764 hmachashes[testno].keylength[0], 5765 0, 0, 0, 5766 hmachashes[testno].resultarray[hashno], 5767 hmachashes[testno].resultlength[hashno], 5768 printResults, printPassFail); 5769 } else if (runHkdfTests) { 5770 err = hashHkdf(testno, loopno, hashno, 5771 printResults, printPassFail); 5772 } else { /* sha tests */ 5773 err = hash(testno, loopno, hashno, 5774 hashes[hashno].tests[testno].testarray, 5775 hashes[hashno].tests[testno].length, 5776 hashes[hashno].tests[testno].repeatcount, 5777 hashes[hashno].tests[testno].numberExtrabits, 5778 hashes[hashno].tests[testno].extrabits, 5779 0, 0, 0, 0, 0, 5780 hashes[hashno].tests[testno].resultarray, 5781 hashes[hashno].hashsize, 5782 printResults, printPassFail); 5783 } 5784 } 5785 if (!runHmacTests && !runHkdfTests) { 5786 randomtest(hashno, hashes[hashno].randomtest, 5787 hashes[hashno].hashsize, hashes[hashno].randomresults, 5788 RANDOMCOUNT, printResults, printPassFail); 5789 } 5790 } 5791 } 5792 } 5794 /* Test some error returns */ 5795 if (checkErrors) { 5796 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5797 } 5799 return 0; 5800 } 5802 /* 5803 * Compare two strings, case independently. 5804 * Equivalent to strcasecmp() found on some systems. 5805 */ 5806 int scasecmp(const char *s1, const char *s2) 5807 { 5808 for (;;) { 5809 char u1 = tolower(*s1++); 5810 char u2 = tolower(*s2++); 5811 if (u1 != u2) 5812 return u1 - u2; 5813 if (u1 == '\0') 5814 return 0; 5815 } 5816 } 5818 /* 5819 * This is a copy of getopt provided for those systems that do not 5820 * have it. The name was changed to xgetopt to not conflict on those 5821 * systems that do have it. Similarly, optarg, optopt, optind and 5822 * opterr were renamed to xoptarg, xoptopt, xoptind and xopterr, 5823 * respectively. 5824 */ 5826 int xoptind = 1; /* location in argv */ 5827 char *xoptarg = 0; /* argument to option */ 5828 int xoptopt = 0; /* current option */ 5829 int xopterr = 1; /* print error messages */ 5830 static int xoptplace = 0; /* internal state */ 5832 int xgetopt(int argc, char **argv, const char *optstring) 5833 { 5834 char *p; 5835 xoptarg = 0; /* reset argument */ 5836 if (xoptind == argc) { /* end of options */ 5837 return -1; 5838 } 5839 if (xoptplace == 0) { /* at beginning of an option */ 5840 if (argv[xoptind][0] != '-') { /* hit a non-option */ 5841 xoptplace = 0; 5842 return -1; 5843 } 5844 if (argv[xoptind][1] == '-') { /* found --, skip past, end */ 5845 xoptind++; 5846 xoptplace = 0; 5847 return -1; 5848 } 5849 xoptplace = 1; 5850 xoptopt = argv[xoptind][xoptplace]; 5851 p = strchr(optstring, xoptopt); 5852 if (p == 0) { /* option unknown */ 5853 if (xopterr) fprintf(stderr, "Unknown option: %c\n", 5854 xoptopt); 5855 xoptind++; /* prevent infinite loop */ 5856 xoptplace = 0; 5857 return '?'; 5858 } 5859 if (p[1] == ':') { /* need an argument */ 5860 if (argv[xoptind][xoptplace+1]) { /* arg inline */ 5861 xoptarg = argv[xoptind] + xoptplace + 1; 5862 xoptind++; 5863 xoptplace = 0; 5864 return xoptopt; 5865 } 5866 if (xoptind == argc) { 5867 if (xopterr) fprintf(stderr, 5868 "Option -%c requires an argument\n", xoptopt); 5869 return '?'; 5870 } 5871 xoptarg = argv[++xoptind]; /* next is arg */ 5872 xoptind++; /* and move past it */ 5873 xoptplace = 0; 5874 return xoptopt; 5875 } 5876 if (argv[xoptind][xoptplace+1]) { /* more inline */ 5877 xoptplace++; 5878 return xoptopt; 5879 } 5880 xoptind++; /* move forward one */ 5881 xoptplace = 0; 5882 return xoptopt; 5883 } 5884 xoptopt = argv[xoptind][xoptplace]; 5885 p = strchr(optstring, xoptopt); 5886 if (p == 0) { /* option unknown */ 5887 if (xopterr) fprintf(stderr, "Unknown option: %c\n", xoptopt); 5888 xoptind++; /* prevent infinite loop */ 5889 xoptplace = 0; 5890 return '?'; 5891 } 5892 if (p[1] == ':') { /* need an argument */ 5893 if (xopterr) fprintf(stderr, 5894 "Option -%c with argument must not be part of " 5895 "multi-character option list\n", xoptopt); 5896 xoptind++; 5897 xoptplace = 0; 5898 return '?'; 5899 } 5900 if (argv[xoptind][xoptplace+1]) { /* more inline */ 5901 xoptplace++; 5902 return xoptopt; 5903 } 5904 xoptind++; /* move forward one */ 5905 xoptplace = 0; 5906 return xoptopt; 5907 } 5908 9. IANA Considerations 5910 This document requires no IANA Actions. The RFC Editor should delete 5911 this section before publication. 5913 10. Security Considerations 5915 This document is intended to provide convenient open source access by 5916 the Internet community to the United States of America Federal 5917 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5918 180-2], HMACs based thereon, and HKDF. No independent assertion of 5919 the security of these functions by the authors for any particular use 5920 is intended. 5922 11. Acknowledgements 5924 Thanks for the corrections to [RFC4634] that were provided by Alfred 5925 Hoenes and Jan Andres that are incorporated herein. 5927 12. References 5929 RFC Editor Note: All occurances of RFChkdf should be edited to have 5930 the HKDF RFC number instead of "hkdf". All occurances of "RFC NNNN" 5931 should be edited to replace "NNNN" with this documents RFC number. 5932 And this note should be deleted. 5934 12.1 Normative References 5936 [FIPS 180-2] - "Secure Hash Standard", United States of American, 5937 National Institute of Science and Technology, Federal 5938 Information Processing Standard (FIPS) 180-2, 5939 http://csrc.nist.gov/publications/fips/fips180-2/fips180- 5940 2withchangenotice.pdf. 5942 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5943 Hashing for Message Authentication", RFC 2104, February 1997. 5945 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 5946 Requirement Levels", BCP 14, RFC 2119, March 1997. 5948 [RFChkdf] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5949 Expand Key Derivation Function (HKDF)", draft-krawczyk-hkdf in 5950 RFC Editor queue, January 2010. 5952 12.2 Informative References 5954 [RFC2202] - P. Cheng, R. Glenn, "Test Cases for HMAC-MD5 and HMAC- 5955 SHA-1", September 1997. 5957 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5958 (SHA1)", September 2001. 5960 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5961 September 2004. 5963 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5964 Algorithms and Identifiers for RSA Cryptography for use in the 5965 Internet X.509 Public Key Infrastructure Certificate and 5966 Certificate Revocation List (CRL) Profile", RFC 4055, June 2005 5968 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5969 Requirements for Security", May 2005. 5971 [RFC4231] - M. Nystrom, "Identifiers and Test Vectors for HMAC- 5972 SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 5973 December 2005. 5975 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5976 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5978 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5979 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5981 Appendix: Changes from RFC 4634 5983 The following changes were made to RFC 4634 to produce this document: 5985 1. Add code for HKDF and brief text about HKDF with pointer to 5986 [RFChkdf]. 5988 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5989 no case did the old code return an incorrect hash value. 5991 2.a Correct some of the error return values which has erroneously 5992 been "shaNull" to the correct "shaInputTooLong" error. 5994 2.b Update comments and variable names within the code for 5995 consistency and clarity and other editorial changes. 5997 2.c The previous code for SHA-384 and SHA-512 would stop after 5998 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5999 bytes (2^128 bits). 6001 2.d Add additional error checking. 6003 3. Update boilerplate, remove special license in [RFC4634] as new 6004 boilerplate mandates simplified BSD license. 6006 Edit History 6008 RFC Editor, Please delete this section on publication. 6010 Changes from -00 to -01 6012 Add hash function OIDs and informational reference to [RFC4055]. A 6013 few Editorial changes and typo fixes. 6015 Changes from -01 to -02 6017 In shatest.c, replace MIT getopt (xgetopt) code with new code to 6018 avoid possible conflict between MIT license and IETF required BSD 6019 license. 6021 Author's Address 6023 Donald E. Eastlake, 3rd 6024 Stellar Switches 6025 155 Beaver Street 6026 Milford, MA 01757 USA 6028 Telephone: +1-508-333-2270 6029 EMail: d3e3e3@gmail.com 6031 Tony Hansen 6032 AT&T Laboratories 6033 200 Laurel Ave. 6034 Middletown, NJ 07748 USA 6036 Telephone: +1-732-420-8934 6037 EMail: tony+shs@maillennium.att.com 6039 Copyright, Disclaimer, and Additional IPR Provisions 6041 Copyright (c) 2010 IETF Trust and the persons identified as the 6042 document authors. All rights reserved. 6044 This document is subject to BCP 78 and the IETF Trust's Legal 6045 Provisions Relating to IETF Documents 6046 (http://trustee.ietf.org/license-info) in effect on the date of 6047 publication of this document. Please review these documents 6048 carefully, as they describe your rights and restrictions with respect 6049 to this document. Code Components extracted from this document must 6050 include Simplified BSD License text as described in Section 4.e of 6051 the Trust Legal Provisions and are provided without warranty as 6052 described in the BSD License. This Internet-Draft is submitted to 6053 IETF in full conformance with the provisions of BCP 78 and BCP 79.