idnits 2.17.00 (12 Aug 2021) /tmp/idnits36275/draft-eastlake-sha2b-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC4634, but the abstract doesn't seem to directly say this. It does mention RFC4634 though, so this could be OK. -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 755 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 30, 2010) is 4312 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5555, but not defined -- Looks like a reference, but probably isn't: '4' on line 3290 == Missing Reference: 'SHA1HashSize' is mentioned on line 1547, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1939, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2090, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2781, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2972, but not defined -- Looks like a reference, but probably isn't: '0' on line 5771 -- Looks like a reference, but probably isn't: '1' on line 5770 -- Looks like a reference, but probably isn't: '2' on line 5533 -- Looks like a reference, but probably isn't: '3' on line 3333 -- Looks like a reference, but probably isn't: '8' on line 3207 -- Looks like a reference, but probably isn't: '56' on line 2173 -- Looks like a reference, but probably isn't: '57' on line 2174 -- Looks like a reference, but probably isn't: '58' on line 2175 -- Looks like a reference, but probably isn't: '59' on line 2176 -- Looks like a reference, but probably isn't: '60' on line 2177 -- Looks like a reference, but probably isn't: '61' on line 2178 -- Looks like a reference, but probably isn't: '62' on line 2179 -- Looks like a reference, but probably isn't: '63' on line 2180 -- Looks like a reference, but probably isn't: '80' on line 3244 -- Looks like a reference, but probably isn't: '64' on line 2224 -- Looks like a reference, but probably isn't: '5' on line 4726 -- Looks like a reference, but probably isn't: '6' on line 3292 -- Looks like a reference, but probably isn't: '7' on line 3293 -- Looks like a reference, but probably isn't: '112' on line 3045 -- Looks like a reference, but probably isn't: '113' on line 3046 -- Looks like a reference, but probably isn't: '114' on line 3047 -- Looks like a reference, but probably isn't: '115' on line 3048 -- Looks like a reference, but probably isn't: '116' on line 3049 -- Looks like a reference, but probably isn't: '117' on line 3050 -- Looks like a reference, but probably isn't: '118' on line 3051 -- Looks like a reference, but probably isn't: '119' on line 3052 -- Looks like a reference, but probably isn't: '120' on line 3054 -- Looks like a reference, but probably isn't: '121' on line 3055 -- Looks like a reference, but probably isn't: '122' on line 3056 -- Looks like a reference, but probably isn't: '123' on line 3057 -- Looks like a reference, but probably isn't: '124' on line 3058 -- Looks like a reference, but probably isn't: '125' on line 3059 -- Looks like a reference, but probably isn't: '126' on line 3060 -- Looks like a reference, but probably isn't: '127' on line 3061 -- Looks like a reference, but probably isn't: '9' on line 3169 -- Looks like a reference, but probably isn't: '10' on line 3208 -- Looks like a reference, but probably isn't: '11' on line 3171 -- Looks like a reference, but probably isn't: '12' on line 3209 -- Looks like a reference, but probably isn't: '13' on line 3173 -- Looks like a reference, but probably isn't: '14' on line 3210 -- Looks like a reference, but probably isn't: '15' on line 3175 == Missing Reference: 'RFC 2104' is mentioned on line 3718, but not defined == Missing Reference: 'RFC 2202' is mentioned on line 4319, but not defined == Missing Reference: 'RFC 4231' is mentioned on line 4319, but not defined == Missing Reference: 'TESTCOUNT' is mentioned on line 4537, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4539, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5533, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4727, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4937, but not defined -- Looks like a reference, but probably isn't: '20' on line 5487 -- Looks like a reference, but probably isn't: '4096' on line 5387 -- Looks like a reference, but probably isn't: '1003' on line 5488 == Unused Reference: 'RFC2119' is defined on line 5854, but no explicit reference was found in the text == Unused Reference: 'RFC2202' is defined on line 5868, but no explicit reference was found in the text == Unused Reference: 'RFC4231' is defined on line 5885, but no explicit reference was found in the text -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 1 error (**), 0 flaws (~~), 19 warnings (==), 51 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Stellar Switches 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: January 29, 2011 July 30, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 This document is an update of RFC 4634 to fix errata and to add code 14 for an HMAC-based extract-and-expand key derivation function. 16 The United States of America has adopted a suite of secure hash 17 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 18 Information Processing Standard (FIPS), specifically SHA-224, 19 SHA-256, SHA-384, and SHA-512. The purpose of this document is to 20 make open source code performing the SHA hash functions conveniently 21 available to the Internet community. The sample code supports input 22 strings of arbitrary bit length. Much of the text herein was adapted 23 by the authors from FIPS 180-2. 25 As with RFC 4634, code to perform SHA based HMACs is included and, 26 new in this version, code for HKDF (RFC 5869) is included. 28 Status of This Memo 30 This Internet-Draft is submitted to IETF in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Distribution of this document is unlimited. Comments should be sent 34 to the authors. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF), its areas, and its working groups. Note that 38 other groups may also distribute working documents as Internet- 39 Drafts. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 The list of current Internet-Drafts can be accessed at 47 http://www.ietf.org/1id-abstracts.html 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 Table of Contents 54 1. Overview of Contents....................................3 55 2. Notation for Bit Strings and Integers...................4 56 3. Operations on Words.....................................5 58 4. Message Padding and Parsing.............................7 59 4.1 SHA-224 and SHA-256....................................7 60 4.2 SHA-384 and SHA-512....................................8 62 5. Functions and Constants Used...........................10 63 5.1 SHA-224 and SHA-256...................................10 64 5.2 SHA-384 and SHA-512...................................11 66 6. Computing the Message Digest...........................12 67 6.1 SHA-224 and SHA-256 Initialization....................12 68 6.2 SHA-224 and SHA-256 Processing........................12 69 6.3 SHA-384 and SHA-512 Initialization....................14 70 6.4 SHA-384 and SHA-512 Processing........................15 72 7. HKDF and SHA Based HMACs...............................17 73 7.1 SHA-Based HMACs.......................................17 74 7.2 HKDF..................................................17 76 8. C Code for SHAs, HMAC, and HKDF........................18 77 8.1 The Header Files......................................21 78 8.1.1 The .h file.........................................21 79 8.1.2 sha-private.h.......................................29 80 8.2 The SHA Code..........................................29 81 8.2.1 sha1.c..............................................29 82 8.2.2 sha224-256.c........................................38 83 8.2.3 sha384-512.c........................................50 84 8.2.4 usha.c..............................................71 85 8.3 The HMAC Code.........................................77 86 8.4 The HKDF Code.........................................82 87 8.5 The Test Driver.......................................89 89 9. IANA Considerations...................................120 90 10. Security Considerations..............................120 91 11. Acknowledgements.....................................120 93 12. References...........................................121 94 12.1 Normative References................................121 95 12.2 Informative References..............................121 97 Appendix: Changes from RFC 4634..........................123 99 Appendix Z: Edit History.................................124 100 Z.1 Changes from -00 to -01..............................124 101 Z.2 Changes from -01 to -02..............................124 102 Z.3 Changes from -02 to -03..............................124 104 1. Overview of Contents 106 This document obsoletes [RFC4634]; and the changes from that RFC are 107 summarized in the Appendix. 109 This document includes specifications for the United States of 110 America (USA) Federal Information Processing Standard (FIPS) Secure 111 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 112 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 113 Specifications for HMAC and HKDF are not included as they appear 114 elsewhere in the RFC series [RFC2104] [RFC5869]. 116 NOTE: Much of the text below is taken from [SHS] and the assertions 117 of the security of the hash algorithms described therein are made by 118 the US Government, the author of [SHS], not by the authors of this 119 document. 121 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 122 SHA-256, SHA-384, and SHA-512, for computing a condensed 123 representation of a message or a data file. (SHA-1 is specified in 124 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 125 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 126 these algorithms, the result is an output called a message digest. 127 The message digests range in length from 224 to 512 bits, depending 128 on the algorithm. Secure hash algorithms are typically used with 129 other cryptographic algorithms, such as digital signature algorithms 130 and keyed hash authentication codes, the generation of random numbers 131 [RFC4086], or in key derivation functions. 133 The four algorithms specified in this document are called secure 134 because it is computationally infeasible to (1) find a message which 135 corresponds to a given message digest, or (2) to find two different 136 messages that produce the same message digest. Any change to a 137 message in transit will, with very high probability, result in a 138 different message digest. This will result in a verification failure 139 when the secure hash algorithm is used with a digital signature 140 algorithm or a keyed-hash message authentication algorithm. 142 The code provided herein supports input strings of arbitrary bit 143 length. SHA-1's sample code from [RFC3174] has also been updated to 144 handle input strings of arbitrary bit length. Permission is granted 145 for all uses, commercial and non-commercial, of this code. 147 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 148 [RFC4055], are as follows: 150 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 151 identified-organization(3) oiw(14) 152 secsig(3) algorithms(2) 26 } 154 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 155 country(16) us(840) organization(1) gov(101) 156 csor(3) nistalgorithm(4) hashalgs(2) 4 } 157 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 158 country(16) us(840) organization(1) gov(101) 159 csor(3) nistalgorithm(4) hashalgs(2) 1 } 160 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 161 country(16) us(840) organization(1) gov(101) 162 csor(3) nistalgorithm(4) hashalgs(2) 2 } 163 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 164 country(16) us(840) organization(1) gov(101) 165 csor(3) nistalgorithm(4) hashalgs(2) 3 } 167 Section 2 below defines the terminology and functions used as 168 building blocks to form these algorithms. Section 3 describes the 169 fundamental operations on words from which these algorithms are 170 built. Section 4 describes how messages are padded up to an integral 171 multiple of the required block size and then parsed into blocks. 172 Section 5 defines the constants and the composite functions used to 173 specify the hash algorithms. Section 6 gives the actual specification 174 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 175 provides pointers to the specification of HMAC keyed message 176 authentication codes and to the specification of an extract-and- 177 expand key derivation function based on HMAC. 179 Section 8 gives sample code for the SHA algorithms, for SHA based 180 HMACs, and for HMAC-based extract-and-expand key derivation function. 182 2. Notation for Bit Strings and Integers 184 The following terminology related to bit strings and integers will be 185 used: 187 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 188 A hex digit is the representation of a 4-bit string. Examples: 189 7 = 0111, A = 1010. 191 b. A word equals a 32-bit or 64-bit string that may be represented 192 as a sequence of 8 or 16 hex digits, respectively. To convert a 193 word to hex digits, each 4-bit string is converted to its hex 194 equivalent as described in (a) above. Example: 196 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 198 Throughout this document, the "big-endian" convention is used 199 when expressing both 32-bit and 64-bit words, so that within 200 each word the most significant bit is shown in the leftmost bit 201 position. 203 c. An integer may be represented as a word or pair of words. 205 An integer between 0 and 2^32 - 1 inclusive may be represented 206 as a 32-bit word. The least significant four bits of the 207 integer are represented by the rightmost hex digit of the word 208 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 209 256+32+2+1 is represented by the hex word, 00000123. 211 The same holds true for an integer between 0 and 2^64-1 212 inclusive, which may be represented as a 64-bit word. 214 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 215 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 216 as words X and Y, respectively, z can be represented as the pair 217 of words (X,Y). 219 Again, the "big-endian" convention is used and the most 220 significant word is in the leftmost word position for values 221 represented by multiple-words. 223 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 224 represented as a sequence of 32-bit or 64-bit words. 226 3. Operations on Words 228 The following logical operators will be applied to words in all four 229 hash operations specified herein. SHA-224 and SHA-256 operate on 230 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 232 In the operations below, x<>n is obtained as follows: discard the rightmost n bits 236 of x and then prepend the result with n zeroed bits on the left (the 237 result will still be the same number of bits). 239 a. Bitwise logical word operations 241 X AND Y = bitwise logical "and" of X and Y. 243 X OR Y = bitwise logical "inclusive-or" of X and Y. 245 X XOR Y = bitwise logical "exclusive-or" of X and Y. 247 NOT X = bitwise logical "complement" of X. 249 Example: 250 01101100101110011101001001111011 251 XOR 01100101110000010110100110110111 252 -------------------------------- 253 = 00001001011110001011101111001100 255 b. The operation X + Y is defined as follows: words X and Y 256 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 257 < 2^w. For positive integers n and m, let 259 n mod m 261 be the remainder upon dividing n by m. Compute 263 z = (x + y) mod 2^w. 265 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 266 Y. 268 c. The right shift operation SHR^n(x), where x is a w-bit word and n 269 is an integer with 0 <= n < w, is defined by 271 SHR^n(x) = x>>n 273 d. The rotate right (circular right shift) operation ROTR^n(x), where 274 x is a w-bit word and n is an integer with 0 <= n < w, is 275 defined by 277 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 279 e. The rotate left (circular left shift) operation ROTL^n(x), where x 280 is a w-bit word and n is an integer with 0 <= n < w, is defined 281 by 283 ROTL^n(X) = (x<>w-n) 285 Note the following equivalence relationships, where w is fixed 286 in each relationship: 288 ROTL^n(x) = ROTR^(w-n)(x) 290 ROTR^n(x) = ROTL^(w-n)(x) 292 4. Message Padding and Parsing 294 The hash functions specified herein are used to compute a message 295 digest for a message or data file that is provided as input. The 296 message or data file should be considered to be a bit string. The 297 length of the message is the number of bits in the message (the empty 298 message has length 0). If the number of bits in a message is a 299 multiple of 8, for compactness we can represent the message in hex. 300 The purpose of message padding is to make the total length of a 301 padded message a multiple of 512 for SHA-224 and SHA-256 or a 302 multiple of 1024 for SHA-384 and SHA-512. 304 The following specifies how this padding shall be performed. As a 305 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 306 integer are appended to the end of the message to produce a padded 307 message of length 512*n or 1024*n. The appended integer is the 308 length of the original message. The padded message is then processed 309 by the hash function as n 512-bit or 1024-bit blocks. 311 4.1 SHA-224 and SHA-256 313 Suppose a message has length L < 2^64. Before it is input to the 314 hash function, the message is padded on the right as follows: 316 a. "1" is appended. Example: if the original message is "01010000", 317 this is padded to "010100001". 319 b. K "0"s are appended where K is the smallest, non-negative 320 solution to the equation 322 L + 1 + K = 448 (mod 512) 324 c. Then append the 64-bit block that is L in binary representation. 325 After appending this block, the length of the message will be a 326 multiple of 512 bits. 328 Example: Suppose the original message is the bit string 330 01100001 01100010 01100011 01100100 01100101 332 After step (a) this gives 334 01100001 01100010 01100011 01100100 01100101 1 336 Since L = 40, the number of bits in the above is 41 and K = 407 337 "0"s are appended, making the total now 448. This gives the 338 following in hex: 340 61626364 65800000 00000000 00000000 341 00000000 00000000 00000000 00000000 342 00000000 00000000 00000000 00000000 343 00000000 00000000 345 The 64-bit representation of L = 40 is hex 00000000 00000028. 346 Hence the final padded message is the following hex 348 61626364 65800000 00000000 00000000 349 00000000 00000000 00000000 00000000 350 00000000 00000000 00000000 00000000 351 00000000 00000000 00000000 00000028 353 4.2 SHA-384 and SHA-512 355 Suppose a message has length L < 2^128. Before it is input to the 356 hash function, the message is padded on the right as follows: 358 a. "1" is appended. Example: if the original message is "01010000", 359 this is padded to "010100001". 361 b. K "0"s are appended where K is the smallest, non-negative 362 solution to the equation 364 L + 1 + K = 896 (mod 1024) 366 c. Then append the 128-bit block that is L in binary representation. 367 After appending this block, the length of the message will be a 368 multiple of 1024 bits. 370 Example: Suppose the original message is the bit string 372 01100001 01100010 01100011 01100100 01100101 374 After step (a) this gives 376 01100001 01100010 01100011 01100100 01100101 1 378 Since L = 40, the number of bits in the above is 41 and K = 855 379 "0"s are appended, making the total now 896. This gives the 380 following in hex: 382 61626364 65800000 00000000 00000000 383 00000000 00000000 00000000 00000000 384 00000000 00000000 00000000 00000000 385 00000000 00000000 00000000 00000000 386 00000000 00000000 00000000 00000000 387 00000000 00000000 00000000 00000000 388 00000000 00000000 00000000 00000000 390 The 128-bit representation of L = 40 is hex 00000000 00000000 391 00000000 00000028. Hence the final padded message is the 392 following hex: 394 61626364 65800000 00000000 00000000 395 00000000 00000000 00000000 00000000 396 00000000 00000000 00000000 00000000 397 00000000 00000000 00000000 00000000 398 00000000 00000000 00000000 00000000 399 00000000 00000000 00000000 00000000 400 00000000 00000000 00000000 00000000 401 00000000 00000000 00000000 00000028 403 5. Functions and Constants Used 405 The following subsections give the six logical functions and the 406 table of constants used in each of the hash functions. 408 5.1 SHA-224 and SHA-256 410 SHA-224 and SHA-256 use six logical functions, where each function 411 operates on 32-bit words, which are represented as x, y, and z. The 412 result of each function is a new 32-bit word. 414 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 416 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 418 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 420 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 422 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 424 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 426 SHA-224 and SHA-256 use the same sequence of sixty-four constant 427 32-bit words, K0, K1, ..., K63. These words represent the first 428 thirty-two bits of the fractional parts of the cube roots of the 429 first sixty-four prime numbers. In hex, these constant words are as 430 follows (from left to right): 432 428a2f98 71374491 b5c0fbcf e9b5dba5 433 3956c25b 59f111f1 923f82a4 ab1c5ed5 434 d807aa98 12835b01 243185be 550c7dc3 435 72be5d74 80deb1fe 9bdc06a7 c19bf174 436 e49b69c1 efbe4786 0fc19dc6 240ca1cc 437 2de92c6f 4a7484aa 5cb0a9dc 76f988da 438 983e5152 a831c66d b00327c8 bf597fc7 439 c6e00bf3 d5a79147 06ca6351 14292967 440 27b70a85 2e1b2138 4d2c6dfc 53380d13 441 650a7354 766a0abb 81c2c92e 92722c85 442 a2bfe8a1 a81a664b c24b8b70 c76c51a3 443 d192e819 d6990624 f40e3585 106aa070 444 19a4c116 1e376c08 2748774c 34b0bcb5 445 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 446 748f82ee 78a5636f 84c87814 8cc70208 447 90befffa a4506ceb bef9a3f7 c67178f2 449 5.2 SHA-384 and SHA-512 451 SHA-384 and SHA-512 each use six logical functions, where each 452 function operates on 64-bit words, which are represented as x, y, and 453 z. The result of each function is a new 64-bit word. 455 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 457 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 459 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 461 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 463 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 465 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 467 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 468 words, K0, K1, ... K79. These words represent the first sixty-four 469 bits of the fractional parts of the cube roots of the first eighty 470 prime numbers. In hex, these constant words are as follows (from 471 left to right): 473 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 474 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 475 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 476 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 477 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 478 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 479 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 480 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 481 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 482 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 483 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 484 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 485 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 486 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 487 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 488 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 489 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 490 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 491 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 492 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 494 6. Computing the Message Digest 496 The output of each of the secure hash functions, after being applied 497 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 498 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 499 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 500 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 502 As described below, the hash words are initialized, modified as each 503 message block is processed, and finally concatenated after processing 504 the last block to yield the output. For SHA-256 and SHA-512, all of 505 the H(N) variables are concatenated while the SHA-224 and SHA-384 506 hashes are produced by omitting some from the final concatenation. 508 6.1 SHA-224 and SHA-256 Initialization 510 For SHA-224, the initial hash value, H(0), consists of the following 511 32-bit words in hex: 513 H(0)0 = c1059ed8 514 H(0)1 = 367cd507 515 H(0)2 = 3070dd17 516 H(0)3 = f70e5939 517 H(0)4 = ffc00b31 518 H(0)5 = 68581511 519 H(0)6 = 64f98fa7 520 H(0)7 = befa4fa4 522 For SHA-256, the initial hash value, H(0), consists of the following 523 eight 32-bit words, in hex. These words were obtained by taking the 524 first thirty-two bits of the fractional parts of the square roots of 525 the first eight prime numbers. 527 H(0)0 = 6a09e667 528 H(0)1 = bb67ae85 529 H(0)2 = 3c6ef372 530 H(0)3 = a54ff53a 531 H(0)4 = 510e527f 532 H(0)5 = 9b05688c 533 H(0)6 = 1f83d9ab 534 H(0)7 = 5be0cd19 536 6.2 SHA-224 and SHA-256 Processing 538 SHA-224 and SHA-256 perform identical processing on messages blocks 539 and differ only in how H(0) is initialized and how they produce their 540 final output. They may be used to hash a message, M, having a length 541 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 542 schedule of sixty-four 32-bit words, (2) eight working variables of 543 32 bits each, and (3) a hash value of eight 32-bit words. 545 The words of the message schedule are labeled W0, W1, ..., W63. The 546 eight working variables are labeled a, b, c, d, e, f, g, and h. The 547 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 548 will hold the initial hash value, H(0), replaced by each successive 549 intermediate hash value (after each message block is processed), 550 H(i), and ending with the final hash value, H(N), after all N blocks 551 are processed. They also use two temporary words, T1 and T2. 553 The input message is padded as described in Section 4.1 above then 554 parsed into 512-bit blocks that are considered to be composed of 16 555 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 556 are then performed for each of the N message blocks. All addition is 557 performed modulo 2^32. 559 For i = 1 to N 561 1. Prepare the message schedule W: 562 For t = 0 to 15 563 Wt = M(i)t 564 For t = 16 to 63 565 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 567 2. Initialize the working variables: 568 a = H(i-1)0 569 b = H(i-1)1 570 c = H(i-1)2 571 d = H(i-1)3 572 e = H(i-1)4 573 f = H(i-1)5 574 g = H(i-1)6 575 h = H(i-1)7 577 3. Perform the main hash computation: 578 For t = 0 to 63 579 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 580 T2 = BSIG0(a) + MAJ(a,b,c) 581 h = g 582 g = f 583 f = e 584 e = d + T1 585 d = c 586 c = b 587 b = a 588 a = T1 + T2 590 4. Compute the intermediate hash value H(i) 591 H(i)0 = a + H(i-1)0 592 H(i)1 = b + H(i-1)1 593 H(i)2 = c + H(i-1)2 594 H(i)3 = d + H(i-1)3 595 H(i)4 = e + H(i-1)4 596 H(i)5 = f + H(i-1)5 597 H(i)6 = g + H(i-1)6 598 H(i)7 = h + H(i-1)7 600 After the above computations have been sequentially performed for all 601 of the blocks in the message, the final output is calculated. For 602 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 603 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 604 through H(N)6. 606 6.3 SHA-384 and SHA-512 Initialization 608 For SHA-384, the initial hash value, H(0), consists of the following 609 eight 64-bit words, in hex. These words were obtained by taking the 610 first sixty-four bits of the fractional parts of the square roots of 611 the ninth through sixteenth prime numbers. 613 H(0)0 = cbbb9d5dc1059ed8 614 H(0)1 = 629a292a367cd507 615 H(0)2 = 9159015a3070dd17 616 H(0)3 = 152fecd8f70e5939 617 H(0)4 = 67332667ffc00b31 618 H(0)5 = 8eb44a8768581511 619 H(0)6 = db0c2e0d64f98fa7 620 H(0)7 = 47b5481dbefa4fa4 622 For SHA-512, the initial hash value, H(0), consists of the following 623 eight 64-bit words, in hex. These words were obtained by taking the 624 first sixty-four bits of the fractional parts of the square roots of 625 the first eight prime numbers. 627 H(0)0 = 6a09e667f3bcc908 628 H(0)1 = bb67ae8584caa73b 629 H(0)2 = 3c6ef372fe94f82b 630 H(0)3 = a54ff53a5f1d36f1 631 H(0)4 = 510e527fade682d1 632 H(0)5 = 9b05688c2b3e6c1f 633 H(0)6 = 1f83d9abfb41bd6b 634 H(0)7 = 5be0cd19137e2179 636 6.4 SHA-384 and SHA-512 Processing 638 SHA-384 and SHA-512 perform identical processing on message blocks 639 and differ only in how H(0) is initialized and how they produce their 640 final output. They may be used to hash a message, M, having a length 641 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 642 schedule of eighty 64-bit words, (2) eight working variables of 64 643 bits each, and (3) a hash value of eight 64-bit words. 645 The words of the message schedule are labeled W0, W1, ..., W79. The 646 eight working variables are labeled a, b, c, d, e, f, g, and h. The 647 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 648 will hold the initial hash value, H(0), replaced by each successive 649 intermediate hash value (after each message block is processed), 650 H(i), and ending with the final hash value, H(N) after all N blocks 651 are processed. 653 The input message is padded as described in Section 4.2 above, then 654 parsed into 1024-bit blocks that are considered to be composed of 16 655 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 656 are then performed for each of the N message blocks. All addition is 657 performed modulo 2^64. 659 For i = 1 to N 661 1. Prepare the message schedule W: 662 For t = 0 to 15 663 Wt = M(i)t 664 For t = 16 to 79 665 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 667 2. Initialize the working variables: 668 a = H(i-1)0 669 b = H(i-1)1 670 c = H(i-1)2 671 d = H(i-1)3 672 e = H(i-1)4 673 f = H(i-1)5 674 g = H(i-1)6 675 h = H(i-1)7 677 3. Perform the main hash computation: 678 For t = 0 to 79 679 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 680 T2 = BSIG0(a) + MAJ(a,b,c) 681 h = g 682 g = f 683 f = e 684 e = d + T1 685 d = c 686 c = b 687 b = a 688 a = T1 + T2 690 4. Compute the intermediate hash value H(i) 691 H(i)0 = a + H(i-1)0 692 H(i)1 = b + H(i-1)1 693 H(i)2 = c + H(i-1)2 694 H(i)3 = d + H(i-1)3 695 H(i)4 = e + H(i-1)4 696 H(i)5 = f + H(i-1)5 697 H(i)6 = g + H(i-1)6 698 H(i)7 = h + H(i-1)7 700 After the above computations have been sequentially performed for all 701 of the blocks in the message, the final output is calculated. For 702 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 703 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 704 through H(N)5. 706 7. HKDF and SHA Based HMACs 708 Below are brief descriptions and pointers to more complete 709 descriptions and code for (1) SHA-based HMACs and (2) an HMAC-based 710 extract-and-expand key derivation function. Both HKDF and HMAC were 711 devised by Hugo Krawczyk. 713 7.1 SHA-Based HMACs 715 HMAC is a method for computing a keyed MAC (message authentication 716 code) using a hash function as described in [RFC2104]. It uses a key 717 to mix in with the input text to produce the final hash. 719 Sample code is also provided, in Section 8.3 below, to perform HMAC 720 based on any of the SHA algorithms described herein. The sample code 721 found in [RFC2104] was written in terms of a specified text size. 722 Since SHA is defined in terms of an arbitrary number of bits, the 723 sample HMAC code has been written to allow the text input to HMAC to 724 have an arbitrary number of octets and bits. A fixed length interface 725 is also provided. 727 7.2 HKDF 729 HKDF is a specific key derivation function (KDF), that is, a function 730 of initial keying material from which the KDF derives one or more 731 cryptographically strong secret keys. HKDF, which is described in 732 [RFC5869], is based on HMAC. 734 Sample code for HKDF is provided in Section 8.4 below. 736 8. C Code for SHAs, HMAC, and HKDF 738 Below is a demonstration implementation of these secure hash 739 functions in C. Section 8.1 contains the header file sha.h that 740 declares all constants, structures and functions used by the sha and 741 hmac functions. It includes conditionals based on the state of 742 definition of USE_32BIT_ONLY which, if that symbol is defined at 743 compile time, avoids 64-bit operations. It also contains sha- 744 private.h that provides some declarations common to all the sha 745 functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, 746 sha384-512.c, and usha.c. Section 8.3 contains the C code for the 747 HMAC functions and Section 8.4 contains the C code for HKDF. Section 748 8.5 contains a test driver to exercise the code. 750 For each of the digest lengths $$$, there are the following set of 751 constants, a structure, and functions: 753 Constants: 754 SHA$$$HashSize number of octets in the hash 755 SHA$$$HashSizeBits number of bits in the hash 756 SHA$$$_Message_Block_Size 757 number of octets used in the intermediate 758 message blocks 759 Most functions return an enum value that is one of: 760 shaSuccess(0) on success 761 shaNull(1) when presented with a null pointer parameter 762 shaInputTooLong(2) when the input data is too long 763 shaStateError(3) when SHA$$$Input is called after 764 SHA$$$FinalBits or SHA$$$Result. 766 Structure: 767 typedef SHA$$$Context 768 an opaque structure holding the complete state 769 for producing the hash 771 Functions: 772 int SHA$$$Reset(SHA$$$Context *context); 773 Reset the hash context state 774 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 775 unsigned int bytecount); 776 Incorporate bytecount octets into the hash. 777 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 778 unsigned int bitcount); 779 Incorporate bitcount bits into the hash. The bits are in the 780 upper portion of the octet. SHA$$$Input() cannot be called 781 after this. 782 int SHA$$$Result(SHA$$$Context *, 783 uint8_t Message_Digest[SHA$$$HashSize]); 784 Do the final calculations on the hash and copy the value 785 into Message_Digest. 787 In addition, functions with the prefix USHA are provided that take a 788 SHAversion value (SHA$$$) to select the SHA function suite. They add 789 the following constants, structure and function: 791 Constants: 792 shaBadParam(4) constant returned by USHA functions when 793 presented with a bad SHAversion (SHA$$$) 794 parameter or other illegal parameter values 795 USAMaxHashSize maximumof the SHA has sizes 796 SHA$$$ SHAversion enumeration values, used by usha, 797 hmac and hkdf functions to select the SHA 798 function suite 800 Structure: 801 typedef USHAContext 802 an opaque structure holding the complete state 803 for producing the hash 805 Functions: 806 int USHAReset(USHAContext *context, SHAversion whichSha); 807 Reset the hash context state. 808 int USHAInput(USHAContext context*, 809 const uint8_t *bytes, unsigned int bytecount); 810 Incorporate bytecount octets into the hash. 811 int USHAFinalBits(USHAContext *context, 812 const uint8_t bits, unsigned int bitcount); 813 Incorporate bitcount bits into the hash. 814 int USHAResult(USHAContext *context, 815 uint8_t Message_Digest[USHAMaxHashSize]); 816 Do the final calculations on the hash and copy the value 817 into Message_Digest. Octets in Message_Digest beyond 818 USHAHashSize(whichSha) are left untouched. 819 int USHAHashSize(enum SHAversion whichSha); 820 The number of octets in the given hash. 821 int USHAHashSizeBits(enum SHAversion whichSha); 822 The number of bits in the given hash. 823 int USHABlockSize(enum SHAversion whichSha); 824 The internal block size for the given hash. 825 const char *USHAHashName(enum SHAversion whichSha); 826 This function will return the name of the given SHA 827 algorithm as a string. 829 The hmac functions follow the same pattern to allow any length of 830 text input to be used. 832 Structures: 833 typedef HMACContext an opaque structure holding the complete state 834 for producing the keyed message digest (MAC) 836 Functions: 837 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 838 const unsigned char *key, int key_len); 839 Reset the MAC context state. 840 int hmacInput(HMACContext *ctx, const unsigned char *text, 841 int text_len); 842 Incorporate text_len octets into the MAC. 843 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 844 unsigned int bitcount); 845 Incorporate bitcount bits into the MAC. 846 int hmacResult(HMACContext *ctx, 847 uint8_t Message_Digest[USHAMaxHashSize]); 848 Do the final calculations on the MAC and copy the value into 849 Message_Digest. Octets in Message_Digest beyond 850 USHAHashSize(whichSha) are left untouched. 852 In addition, a combined interface is provided, similar to that shown 853 in [RFC2104], that allows a fixed-length text input to be used. 855 int hmac(SHAversion whichSha, 856 const unsigned char *text, int text_len, 857 const unsigned char *key, int key_len, 858 uint8_t Message_Digest[USHAMaxHashSize]); 859 Calculate the given digest for the given text and key, and 860 return the resulting MAC. Octets in Message_Digest beyond 861 USHAHashSize(whichSha) are left untouched. 863 The hkdf functions follow the same pattern to allow any length of 864 text input to be used. 866 Structures: 867 typedef HKDFContext an opaque structure holding the complete state 868 for producing the keying material 869 Functions: 870 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 871 const unsigned char *salt, int salt_len) 872 Reset the key derivation state and initialize it with the 873 salt_len octets of the optional salt. 874 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 875 int ikm_len) 876 Incorporate ikm_len octets into the entropy extractor. 877 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 878 unsigned int ikm_bit_count) 879 Incorporate ikm_bit_count bits into the entropy extractor. 880 int hkdfResult(HKDFContext *context, 881 uint8_t prk[USHAMaxHashSize], 882 const unsigned char *info, int info_len, 883 uint8_t okm[ ], int okm_len) 884 Finish the HKDF extraction and perform the final HKDF 885 expansion, storing the okm_len octets into okm. Optionally 886 store the pseudo-random key (prk) that is generated 887 internally. 889 In addition, combined interfaces are provided, similar to that shown 890 in [RFC5869], that allows a fixed-length text input to be used. 892 int hkdfExtract(SHAversion whichSha, 893 const unsigned char *salt, int salt_len, 894 const unsigned char *ikm, int ikm_len, 895 uint8_t prk[USHAMaxHashSize]) 896 Perform HKDF extraction, combining the salt_len octets of 897 the optional salt with the ikm_len octets of the input 898 keying material (ikm) to form the pseudo-random key prk. 899 The output prk must be large enough to hold the octets 900 appropriate for the given hash type. 902 int hkdfExpand(SHAversion whichSha, 903 const uint8_t prk[ ], int prk_len, 904 const unsigned char *info, int info_len, 905 uint8_t okm[ ], int okm_len) 906 Perform HKDF expansion, combining the prk_len octets of the 907 pseudo-random key prk with the info_len octets of info to 908 form the okm_len octets stored in okm. 910 int hkdf(SHAversion whichSha, 911 const unsigned char *salt, int salt_len, 912 const unsigned char *ikm, int ikm_len, 913 const unsigned char *info, int info_len, 914 uint8_t okm[ ], int okm_len) 915 This combined interface performs both HKDF extraction and 916 expansion. The variables are the same as in hkdfExtract() 917 and hkdfExpand(). 919 8.1 The Header Files 921 8.1.1 The .h file 923 /**************************** sha.h ****************************/ 924 /***************** See RFC NNNN for details. *******************/ 925 /* 926 Copyright (c) 2010 IETF Trust and the persons identified as 927 authors of the code. All rights reserved. 929 Redistribution and use in source and binary forms, with or without 930 modification, are permitted provided that the following conditions 931 are met: 933 * Redistributions of source code must retain the above copyright 934 notice, this list of conditions and the following disclaimer. 936 * Redistributions in binary form must reproduce the above copyright 937 notice, this list of conditions and the following disclaimer in 938 the documentation and/or other materials provided with the 939 distribution. 941 * Neither the name of Internet Society, IETF or IETF Trust, nor the 942 names of specific contributors, may be used to endorse or promote 943 products derived from this software without specific prior 944 written permission. 946 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 947 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 948 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 949 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 950 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 951 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 952 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 953 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 954 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 955 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 956 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 957 POSSIBILITY OF SUCH DAMAGE. 958 */ 959 #ifndef _SHA_H_ 960 #define _SHA_H_ 962 /* 963 * Description: 964 * This file implements the Secure Hash Algorithms 965 * as defined in the National Institute of Standards 966 * and Technology Federal Information Processing Standards 967 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 968 * published on August 1, 2002, and the FIPS PUB 180-2 Change 969 * Notice published on February 28, 2004. 970 * 971 * A combined document showing all algorithms is available at 972 * http://csrc.nist.gov/publications/fips/ 973 * fips180-2/fips180-2withchangenotice.pdf 974 * 975 * The five hashes are defined in these sizes: 976 * SHA-1 20 byte / 160 bit 977 * SHA-224 28 byte / 224 bit 978 * SHA-256 32 byte / 256 bit 979 * SHA-384 48 byte / 384 bit 980 * SHA-512 64 byte / 512 bit 981 * 982 * Compilation Note: 984 * These files may be compiled with two options: 985 * USE_32BIT_ONLY - use 32-bit arithmetic only, for systems 986 * without 64-bit integers 987 * 988 * USE_MODIFIED_MACROS - use alternate form of the SHA_Ch() 989 * and SHA_Maj() macros that are equivalent 990 * and potentially faster on many systems 991 * 992 */ 994 #include 995 /* 996 * If you do not have the ISO standard stdint.h header file, then you 997 * must typedef the following: 998 * name meaning 999 * uint64_t unsigned 64 bit integer 1000 * uint32_t unsigned 32 bit integer 1001 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 1002 * int_least16_t integer of >= 16 bits 1003 * 1004 */ 1006 #ifndef _SHA_enum_ 1007 #define _SHA_enum_ 1008 /* 1009 * All SHA functions return one of these values. 1010 */ 1011 enum { 1012 shaSuccess = 0, 1013 shaNull, /* Null pointer parameter */ 1014 shaInputTooLong, /* input data too long */ 1015 shaStateError, /* called Input after FinalBits or Result */ 1016 shaBadParam /* passed a bad parameter */ 1017 }; 1018 #endif /* _SHA_enum_ */ 1020 /* 1021 * These constants hold size information for each of the SHA 1022 * hashing operations 1023 */ 1024 enum { 1025 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1026 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1027 SHA512_Message_Block_Size = 128, 1028 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1030 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1031 SHA384HashSize = 48, SHA512HashSize = 64, 1032 USHAMaxHashSize = SHA512HashSize, 1033 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1034 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1035 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1036 }; 1038 /* 1039 * These constants are used in the USHA (unified sha) functions. 1040 */ 1041 typedef enum SHAversion { 1042 SHA1, SHA224, SHA256, SHA384, SHA512 1043 } SHAversion; 1045 /* 1046 * This structure will hold context information for the SHA-1 1047 * hashing operation. 1048 */ 1049 typedef struct SHA1Context { 1050 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1052 uint32_t Length_Low; /* Message length in bits */ 1053 uint32_t Length_High; /* Message length in bits */ 1055 int_least16_t Message_Block_Index; /* Message_Block array index */ 1056 /* 512-bit message blocks */ 1057 uint8_t Message_Block[SHA1_Message_Block_Size]; 1059 int Computed; /* Is the digest computed? */ 1060 int Corrupted; /* Is the digest corrupted? */ 1061 } SHA1Context; 1063 /* 1064 * This structure will hold context information for the SHA-256 1065 * hashing operation. 1066 */ 1067 typedef struct SHA256Context { 1068 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1070 uint32_t Length_Low; /* Message length in bits */ 1071 uint32_t Length_High; /* Message length in bits */ 1073 int_least16_t Message_Block_Index; /* Message_Block array index */ 1074 /* 512-bit message blocks */ 1075 uint8_t Message_Block[SHA256_Message_Block_Size]; 1077 int Computed; /* Is the digest computed? */ 1078 int Corrupted; /* Is the digest corrupted? */ 1079 } SHA256Context; 1081 /* 1082 * This structure will hold context information for the SHA-512 1083 * hashing operation. 1084 */ 1085 typedef struct SHA512Context { 1086 #ifdef USE_32BIT_ONLY 1087 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1088 uint32_t Length[4]; /* Message length in bits */ 1089 #else /* !USE_32BIT_ONLY */ 1090 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1091 uint64_t Length_Low, Length_High; /* Message length in bits */ 1092 #endif /* USE_32BIT_ONLY */ 1094 int_least16_t Message_Block_Index; /* Message_Block array index */ 1095 /* 1024-bit message blocks */ 1096 uint8_t Message_Block[SHA512_Message_Block_Size]; 1098 int Computed; /* Is the digest computed?*/ 1099 int Corrupted; /* Is the digest corrupted? */ 1100 } SHA512Context; 1102 /* 1103 * This structure will hold context information for the SHA-224 1104 * hashing operation. It uses the SHA-256 structure for computation. 1105 */ 1106 typedef struct SHA256Context SHA224Context; 1108 /* 1109 * This structure will hold context information for the SHA-384 1110 * hashing operation. It uses the SHA-512 structure for computation. 1111 */ 1112 typedef struct SHA512Context SHA384Context; 1114 /* 1115 * This structure holds context information for all SHA 1116 * hashing operations. 1117 */ 1118 typedef struct USHAContext { 1119 int whichSha; /* which SHA is being used */ 1120 union { 1121 SHA1Context sha1Context; 1122 SHA224Context sha224Context; SHA256Context sha256Context; 1123 SHA384Context sha384Context; SHA512Context sha512Context; 1124 } ctx; 1125 } USHAContext; 1127 /* 1128 * This structure will hold context information for the HMAC 1129 * keyed hashing operation. 1130 */ 1131 typedef struct HMACContext { 1132 int whichSha; /* which SHA is being used */ 1133 int hashSize; /* hash size of SHA being used */ 1134 int blockSize; /* block size of SHA being used */ 1135 USHAContext shaContext; /* SHA context */ 1136 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1137 /* outer padding - key XORd with opad */ 1138 int Computed; /* Is the digest computed? */ 1139 int Corrupted; /* Is the digest corrupted? */ 1140 } HMACContext; 1142 /* 1143 * This structure will hold context information for the HKDF 1144 * Extract-and-Expand Key Derivation functions. 1145 */ 1146 typedef struct HKDFContext { 1147 int whichSha; /* which SHA is being used */ 1148 HMACContext hmacContext; 1149 int hashSize; /* hash size of SHA being used */ 1150 unsigned char prk[USHAMaxHashSize]; 1151 /* Pseudo Random Key - output of hkdfInput */ 1152 int Computed; /* Is the digest computed? */ 1153 int Corrupted; /* Is the digest corrupted? */ 1154 } HKDFContext; 1156 /* 1157 * Function Prototypes 1158 */ 1160 /* SHA-1 */ 1161 extern int SHA1Reset(SHA1Context *); 1162 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1163 unsigned int bytecount); 1164 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1165 unsigned int bit_count); 1166 extern int SHA1Result(SHA1Context *, 1167 uint8_t Message_Digest[SHA1HashSize]); 1169 /* SHA-224 */ 1170 extern int SHA224Reset(SHA224Context *); 1171 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1172 unsigned int bytecount); 1173 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1174 unsigned int bit_count); 1175 extern int SHA224Result(SHA224Context *, 1176 uint8_t Message_Digest[SHA224HashSize]); 1178 /* SHA-256 */ 1179 extern int SHA256Reset(SHA256Context *); 1180 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1181 unsigned int bytecount); 1182 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1183 unsigned int bit_count); 1184 extern int SHA256Result(SHA256Context *, 1185 uint8_t Message_Digest[SHA256HashSize]); 1187 /* SHA-384 */ 1188 extern int SHA384Reset(SHA384Context *); 1189 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1190 unsigned int bytecount); 1191 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1192 unsigned int bit_count); 1193 extern int SHA384Result(SHA384Context *, 1194 uint8_t Message_Digest[SHA384HashSize]); 1196 /* SHA-512 */ 1197 extern int SHA512Reset(SHA512Context *); 1198 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1199 unsigned int bytecount); 1200 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1201 unsigned int bit_count); 1202 extern int SHA512Result(SHA512Context *, 1203 uint8_t Message_Digest[SHA512HashSize]); 1205 /* Unified SHA functions, chosen by whichSha */ 1206 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1207 extern int USHAInput(USHAContext *context, 1208 const uint8_t *bytes, unsigned int bytecount); 1209 extern int USHAFinalBits(USHAContext *context, 1210 uint8_t bits, unsigned int bit_count); 1211 extern int USHAResult(USHAContext *context, 1212 uint8_t Message_Digest[USHAMaxHashSize]); 1213 extern int USHABlockSize(enum SHAversion whichSha); 1214 extern int USHAHashSize(enum SHAversion whichSha); 1215 extern int USHAHashSizeBits(enum SHAversion whichSha); 1216 extern const char *USHAHashName(enum SHAversion whichSha); 1218 /* 1219 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1220 * for all SHAs. 1221 * This interface allows a fixed-length text input to be used. 1222 */ 1223 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1224 const unsigned char *text, /* pointer to data stream */ 1225 int text_len, /* length of data stream */ 1226 const unsigned char *key, /* pointer to authentication key */ 1227 int key_len, /* length of authentication key */ 1228 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1230 /* 1231 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1232 * for all SHAs. 1233 * This interface allows any length of text input to be used. 1234 */ 1235 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1236 const unsigned char *key, int key_len); 1237 extern int hmacInput(HMACContext *context, const unsigned char *text, 1238 int text_len); 1239 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1240 unsigned int bit_count); 1241 extern int hmacResult(HMACContext *context, 1242 uint8_t digest[USHAMaxHashSize]); 1244 /* 1245 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1246 * RFC 5869, for all SHAs. 1247 */ 1248 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1249 int salt_len, const unsigned char *ikm, int ikm_len, 1250 const unsigned char *info, int info_len, 1251 uint8_t okm[ ], int okm_len); 1252 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1253 int salt_len, const unsigned char *ikm, 1254 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1255 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1256 int prk_len, const unsigned char *info, 1257 int info_len, uint8_t okm[ ], int okm_len); 1259 /* 1260 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1261 * RFC 5869, for all SHAs. 1262 * This interface allows any length of text input to be used. 1263 */ 1264 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1265 const unsigned char *salt, int salt_len); 1266 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1267 int ikm_len); 1268 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1269 unsigned int ikm_bit_count); 1270 extern int hkdfResult(HKDFContext *context, 1271 uint8_t prk[USHAMaxHashSize], 1272 const unsigned char *info, int info_len, 1273 uint8_t okm[USHAMaxHashSize], int okm_len); 1275 #endif /* _SHA_H_ */ 1276 8.1.2 sha-private.h 1278 /************************ sha-private.h ************************/ 1279 /***************** See RFC NNNN for details. *******************/ 1280 #ifndef _SHA_PRIVATE__H 1281 #define _SHA_PRIVATE__H 1282 /* 1283 * These definitions are defined in FIPS-180-2, section 4.1. 1284 * Ch() and Maj() are defined identically in sections 4.1.1, 1285 * 4.1.2 and 4.1.3. 1286 * 1287 * The definitions used in FIPS-180-2 are as follows: 1288 */ 1290 #ifndef USE_MODIFIED_MACROS 1291 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 1292 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 1294 #else /* USE_MODIFIED_MACROS */ 1295 /* 1296 * The following definitions are equivalent and potentially faster. 1297 */ 1299 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 1300 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 1302 #endif /* USE_MODIFIED_MACROS */ 1304 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 1306 #endif /* _SHA_PRIVATE__H */ 1308 8.2 The SHA Code 1310 This code is primarily intended as expository and could be optimized 1311 further. For example, the assignment rotations through the variables 1312 a, b, ..., h could be treated as a cycle and the loop unrolled, 1313 rather than doing the explicit copying. 1315 Note that there are alternative representations of the Ch() and Maj() 1316 functions controlled by an ifdef. 1318 8.2.1 sha1.c 1320 /**************************** sha1.c ***************************/ 1321 /***************** See RFC NNNN for details. *******************/ 1322 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1323 /* authors of the code. All rights reserved. */ 1324 /* See sha.h for terms of use and redistribution. */ 1326 /* 1327 * Description: 1328 * This file implements the Secure Hash Algorithm SHA-1 1329 * as defined in the National Institute of Standards 1330 * and Technology Federal Information Processing Standards 1331 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 1332 * published on August 1, 2002, and the FIPS PUB 180-2 Change 1333 * Notice published on February 28, 2004. 1334 * 1335 * A combined document showing all algorithms is available at 1336 * http://csrc.nist.gov/publications/fips/ 1337 * fips180-2/fips180-2withchangenotice.pdf 1338 * 1339 * The SHA-1 algorithm produces a 160-bit message digest for a 1340 * given data stream. It should take about 2**n steps to find a 1341 * message with the same digest as a given message and 1342 * 2**(n/2) to find any two messages with the same digest, 1343 * when n is the digest size in bits. Therefore, this 1344 * algorithm can serve as a means of providing a 1345 * "fingerprint" for a message. 1346 * 1347 * Portability Issues: 1348 * SHA-1 is defined in terms of 32-bit "words". This code 1349 * uses (included via "sha.h") to define 32 and 8 1350 * bit unsigned integer types. If your C compiler does not 1351 * support 32 bit unsigned integers, this code is not 1352 * appropriate. 1353 * 1354 * Caveats: 1355 * SHA-1 is designed to work with messages less than 2^64 bits 1356 * long. This implementation uses SHA1Input() to hash the bits 1357 * that are a multiple of the size of an 8-bit octet, and then 1358 * optionally uses SHA1FinalBits() to hash the final few bits of 1359 * the input. 1360 */ 1362 #include "sha.h" 1363 #include "sha-private.h" 1365 /* 1366 * Define the SHA1 circular left shift macro 1367 */ 1368 #define SHA1_ROTL(bits,word) \ 1369 (((word) << (bits)) | ((word) >> (32-(bits)))) 1371 /* 1372 * Add "length" to the length. 1373 * Set Corrupted when overflow has occurred. 1374 */ 1375 static uint32_t addTemp; 1376 #define SHA1AddLength(context, length) \ 1377 (addTemp = (context)->Length_Low, \ 1378 (context)->Corrupted = \ 1379 (((context)->Length_Low += (length)) < addTemp) && \ 1380 (++(context)->Length_High == 0) ? shaInputTooLong \ 1381 : shaSuccess ) 1383 /* Local Function Prototypes */ 1384 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1385 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1386 static void SHA1ProcessMessageBlock(SHA1Context *context); 1388 /* 1389 * SHA1Reset 1390 * 1391 * Description: 1392 * This function will initialize the SHA1Context in preparation 1393 * for computing a new SHA1 message digest. 1394 * 1395 * Parameters: 1396 * context: [in/out] 1397 * The context to reset. 1398 * 1399 * Returns: 1400 * sha Error Code. 1401 * 1402 */ 1403 int SHA1Reset(SHA1Context *context) 1404 { 1405 if (!context) 1406 return shaNull; 1408 context->Length_Low = 0; 1409 context->Length_High = 0; 1410 context->Message_Block_Index = 0; 1412 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ 1413 context->Intermediate_Hash[0] = 0x67452301; 1414 context->Intermediate_Hash[1] = 0xEFCDAB89; 1415 context->Intermediate_Hash[2] = 0x98BADCFE; 1416 context->Intermediate_Hash[3] = 0x10325476; 1417 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1419 context->Computed = 0; 1420 context->Corrupted = 0; 1421 return shaSuccess; 1422 } 1424 /* 1425 * SHA1Input 1426 * 1427 * Description: 1428 * This function accepts an array of octets as the next portion 1429 * of the message. 1430 * 1431 * Parameters: 1432 * context: [in/out] 1433 * The SHA context to update 1434 * message_array: [in] 1435 * An array of octets representing the next portion of 1436 * the message. 1437 * length: [in] 1438 * The length of the message in message_array 1439 * 1440 * Returns: 1441 * sha Error Code. 1442 * 1443 */ 1444 int SHA1Input(SHA1Context *context, 1445 const uint8_t *message_array, unsigned length) 1446 { 1447 if (!length) 1448 return shaSuccess; 1450 if (!context || !message_array) 1451 return shaNull; 1453 if (context->Computed) return context->Corrupted = shaStateError; 1454 if (context->Corrupted) return context->Corrupted; 1456 while (length-- && !context->Corrupted) { 1457 context->Message_Block[context->Message_Block_Index++] = 1458 (*message_array & 0xFF); 1460 if ((SHA1AddLength(context, 8) == shaSuccess) && 1461 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1462 SHA1ProcessMessageBlock(context); 1464 message_array++; 1465 } 1467 return context->Corrupted; 1468 } 1470 /* 1471 * SHA1FinalBits 1472 * 1473 * Description: 1474 * This function will add in any final bits of the message. 1475 * 1476 * Parameters: 1477 * context: [in/out] 1478 * The SHA context to update 1479 * message_bits: [in] 1480 * The final bits of the message, in the upper portion of the 1481 * byte. (Use 0b###00000 instead of 0b00000### to input the 1482 * three bits ###.) 1483 * length: [in] 1484 * The number of bits in message_bits, between 1 and 7. 1485 * 1486 * Returns: 1487 * sha Error Code. 1488 */ 1489 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1490 unsigned int length) 1491 { 1492 uint8_t masks[8] = { 1493 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1494 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1495 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1496 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1497 }; 1498 uint8_t markbit[8] = { 1499 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1500 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1501 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1502 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1503 }; 1505 if (!length) 1506 return shaSuccess; 1508 if (!context) 1509 return shaNull; 1511 if (context->Computed) return context->Corrupted = shaStateError; 1513 if ((length >= 8) || (length == 0)) 1514 return context->Corrupted = shaBadParam; 1516 if (context->Corrupted) 1517 return context->Corrupted; 1519 SHA1AddLength(context, length); 1520 SHA1Finalize(context, 1521 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1523 return context->Corrupted; 1524 } 1526 /* 1527 * SHA1Result 1528 * 1529 * Description: 1530 * This function will return the 160-bit message digest 1531 * into the Message_Digest array provided by the caller. 1532 * NOTE: 1533 * The first octet of hash is stored in the element with index 0, 1534 * the last octet of hash in the element with index 19. 1535 * 1536 * Parameters: 1537 * context: [in/out] 1538 * The context to use to calculate the SHA-1 hash. 1539 * Message_Digest: [out] 1540 * Where the digest is returned. 1541 * 1542 * Returns: 1543 * sha Error Code. 1544 * 1545 */ 1546 int SHA1Result(SHA1Context *context, 1547 uint8_t Message_Digest[SHA1HashSize]) 1548 { 1549 int i; 1551 if (!context || !Message_Digest) 1552 return shaNull; 1554 if (context->Corrupted) 1555 return context->Corrupted; 1557 if (!context->Computed) 1558 SHA1Finalize(context, 0x80); 1560 for (i = 0; i < SHA1HashSize; ++i) 1561 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1562 >> 8 * ( 3 - ( i & 0x03 ) )); 1564 return shaSuccess; 1565 } 1567 /* 1568 * SHA1Finalize 1569 * 1570 * Description: 1572 * This helper function finishes off the digest calculations. 1573 * 1574 * Parameters: 1575 * context: [in/out] 1576 * The SHA context to update 1577 * Pad_Byte: [in] 1578 * The last byte to add to the digest before the 0-padding 1579 * and length. This will contain the last bits of the message 1580 * followed by another single bit. If the message was an 1581 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1582 * 1583 * Returns: 1584 * sha Error Code. 1585 * 1586 */ 1587 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1588 { 1589 int i; 1590 SHA1PadMessage(context, Pad_Byte); 1591 /* message may be sensitive, clear it out */ 1592 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1593 context->Message_Block[i] = 0; 1594 context->Length_Low = 0; /* and clear length */ 1595 context->Length_High = 0; 1596 context->Computed = 1; 1597 } 1599 /* 1600 * SHA1PadMessage 1601 * 1602 * Description: 1603 * According to the standard, the message must be padded to the next 1604 * even multiple of 512 bits. The first padding bit must be a '1'. 1605 * The last 64 bits represent the length of the original message. 1606 * All bits in between should be 0. This helper function will pad 1607 * the message according to those rules by filling the Message_Block 1608 * array accordingly. When it returns, it can be assumed that the 1609 * message digest has been computed. 1610 * 1611 * Parameters: 1612 * context: [in/out] 1613 * The context to pad 1614 * Pad_Byte: [in] 1615 * The last byte to add to the digest before the 0-padding 1616 * and length. This will contain the last bits of the message 1617 * followed by another single bit. If the message was an 1618 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1619 * 1620 * Returns: 1621 * Nothing. 1623 */ 1624 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1625 { 1626 /* 1627 * Check to see if the current message block is too small to hold 1628 * the initial padding bits and length. If so, we will pad the 1629 * block, process it, and then continue padding into a second 1630 * block. 1631 */ 1632 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1633 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1634 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1635 context->Message_Block[context->Message_Block_Index++] = 0; 1637 SHA1ProcessMessageBlock(context); 1638 } else 1639 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1641 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1642 context->Message_Block[context->Message_Block_Index++] = 0; 1644 /* 1645 * Store the message length as the last 8 octets 1646 */ 1647 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1648 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1649 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1650 context->Message_Block[59] = (uint8_t) (context->Length_High); 1651 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1652 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1653 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1654 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1656 SHA1ProcessMessageBlock(context); 1657 } 1659 /* 1660 * SHA1ProcessMessageBlock 1661 * 1662 * Description: 1663 * This helper function will process the next 512 bits of the 1664 * message stored in the Message_Block array. 1665 * 1666 * Parameters: 1667 * context: [in/out] 1668 * The SHA context to update 1669 * 1670 * Returns: 1671 * Nothing. 1672 * 1673 * Comments: 1674 * Many of the variable names in this code, especially the 1675 * single character names, were used because those were the 1676 * names used in the publication. 1677 */ 1678 static void SHA1ProcessMessageBlock(SHA1Context *context) 1679 { 1680 /* Constants defined in FIPS-180-2, section 4.2.1 */ 1681 const uint32_t K[4] = { 1682 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1683 }; 1684 int t; /* Loop counter */ 1685 uint32_t temp; /* Temporary word value */ 1686 uint32_t W[80]; /* Word sequence */ 1687 uint32_t A, B, C, D, E; /* Word buffers */ 1689 /* 1690 * Initialize the first 16 words in the array W 1691 */ 1692 for (t = 0; t < 16; t++) { 1693 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1694 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1695 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1696 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1697 } 1699 for (t = 16; t < 80; t++) 1700 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1702 A = context->Intermediate_Hash[0]; 1703 B = context->Intermediate_Hash[1]; 1704 C = context->Intermediate_Hash[2]; 1705 D = context->Intermediate_Hash[3]; 1706 E = context->Intermediate_Hash[4]; 1708 for (t = 0; t < 20; t++) { 1709 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1710 E = D; 1711 D = C; 1712 C = SHA1_ROTL(30,B); 1713 B = A; 1714 A = temp; 1715 } 1717 for (t = 20; t < 40; t++) { 1718 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1719 E = D; 1720 D = C; 1721 C = SHA1_ROTL(30,B); 1722 B = A; 1723 A = temp; 1724 } 1726 for (t = 40; t < 60; t++) { 1727 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1728 E = D; 1729 D = C; 1730 C = SHA1_ROTL(30,B); 1731 B = A; 1732 A = temp; 1733 } 1735 for (t = 60; t < 80; t++) { 1736 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1737 E = D; 1738 D = C; 1739 C = SHA1_ROTL(30,B); 1740 B = A; 1741 A = temp; 1742 } 1744 context->Intermediate_Hash[0] += A; 1745 context->Intermediate_Hash[1] += B; 1746 context->Intermediate_Hash[2] += C; 1747 context->Intermediate_Hash[3] += D; 1748 context->Intermediate_Hash[4] += E; 1750 context->Message_Block_Index = 0; 1751 } 1753 8.2.2 sha224-256.c 1755 /************************* sha224-256.c ************************/ 1756 /***************** See RFC NNNN for details. *******************/ 1757 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1758 /* authors of the code. All rights reserved. */ 1759 /* See sha.h for terms of use and redistribution. */ 1761 /* 1762 * Description: 1763 * This file implements the Secure Hash Algorithms SHA-224 and 1764 * SHA-256 as defined in the National Institute of Standards 1765 * and Technology Federal Information Processing Standards 1766 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 1767 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 1768 * 1769 * A combined document showing all algorithms is available at 1770 * http://csrc.nist.gov/publications/fips/ 1771 * fips180-2/fips180-2withchangenotice.pdf 1772 * 1773 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1774 * message digests for a given data stream. It should take about 1775 * 2**n steps to find a message with the same digest as a given 1776 * message and 2**(n/2) to find any two messages with the same 1777 * digest, when n is the digest size in bits. Therefore, this 1778 * algorithm can serve as a means of providing a 1779 * "fingerprint" for a message. 1780 * 1781 * Portability Issues: 1782 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1783 * This code uses (included via "sha.h") to define 32 1784 * and 8 bit unsigned integer types. If your C compiler does not 1785 * support 32 bit unsigned integers, this code is not 1786 * appropriate. 1787 * 1788 * Caveats: 1789 * SHA-224 and SHA-256 are designed to work with messages less 1790 * than 2^64 bits long. This implementation uses SHA224/256Input() 1791 * to hash the bits that are a multiple of the size of an 8-bit 1792 * octet, and then optionally uses SHA224/256FinalBits() 1793 * to hash the final few bits of the input. 1794 */ 1796 #include "sha.h" 1797 #include "sha-private.h" 1799 /* Define the SHA shift, rotate left and rotate right macro */ 1800 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1801 #define SHA256_ROTL(bits,word) \ 1802 (((word) << (bits)) | ((word) >> (32-(bits)))) 1803 #define SHA256_ROTR(bits,word) \ 1804 (((word) >> (bits)) | ((word) << (32-(bits)))) 1806 /* Define the SHA SIGMA and sigma macros */ 1807 #define SHA256_SIGMA0(word) \ 1808 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1809 #define SHA256_SIGMA1(word) \ 1810 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1811 #define SHA256_sigma0(word) \ 1812 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1813 #define SHA256_sigma1(word) \ 1814 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1816 /* 1817 * Add "length" to the length. 1818 * Set Corrupted when overflow has occurred. 1819 */ 1820 static uint32_t addTemp; 1821 #define SHA224_256AddLength(context, length) \ 1822 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1823 (((context)->Length_Low += (length)) < addTemp) && \ 1824 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1825 shaSuccess ) 1827 /* Local Function Prototypes */ 1828 static void SHA224_256Finalize(SHA256Context *context, 1829 uint8_t Pad_Byte); 1830 static void SHA224_256PadMessage(SHA256Context *context, 1831 uint8_t Pad_Byte); 1832 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1833 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1834 static int SHA224_256ResultN(SHA256Context *context, 1835 uint8_t Message_Digest[ ], int HashSize); 1837 /* Initial Hash Values: FIPS-180-2 Change Notice 1 */ 1838 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1839 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1840 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1841 }; 1843 /* Initial Hash Values: FIPS-180-2 section 5.3.2 */ 1844 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1845 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1846 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1847 }; 1849 /* 1850 * SHA224Reset 1851 * 1852 * Description: 1853 * This function will initialize the SHA224Context in preparation 1854 * for computing a new SHA224 message digest. 1855 * 1856 * Parameters: 1857 * context: [in/out] 1858 * The context to reset. 1859 * 1860 * Returns: 1861 * sha Error Code. 1862 */ 1863 int SHA224Reset(SHA224Context *context) 1864 { 1865 return SHA224_256Reset(context, SHA224_H0); 1866 } 1868 /* 1869 * SHA224Input 1870 * 1871 * Description: 1872 * This function accepts an array of octets as the next portion 1873 * of the message. 1874 * 1875 * Parameters: 1876 * context: [in/out] 1877 * The SHA context to update 1878 * message_array: [in] 1879 * An array of octets representing the next portion of 1880 * the message. 1881 * length: [in] 1882 * The length of the message in message_array 1883 * 1884 * Returns: 1885 * sha Error Code. 1886 * 1887 */ 1888 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1889 unsigned int length) 1890 { 1891 return SHA256Input(context, message_array, length); 1892 } 1894 /* 1895 * SHA224FinalBits 1896 * 1897 * Description: 1898 * This function will add in any final bits of the message. 1899 * 1900 * Parameters: 1901 * context: [in/out] 1902 * The SHA context to update 1903 * message_bits: [in] 1904 * The final bits of the message, in the upper portion of the 1905 * byte. (Use 0b###00000 instead of 0b00000### to input the 1906 * three bits ###.) 1907 * length: [in] 1908 * The number of bits in message_bits, between 1 and 7. 1909 * 1910 * Returns: 1911 * sha Error Code. 1912 */ 1913 int SHA224FinalBits(SHA224Context *context, 1914 uint8_t message_bits, unsigned int length) 1915 { 1916 return SHA256FinalBits(context, message_bits, length); 1917 } 1919 /* 1920 * SHA224Result 1921 * 1922 * Description: 1923 * This function will return the 224-bit message digest 1924 * into the Message_Digest array provided by the caller. 1925 * NOTE: 1926 * The first octet of hash is stored in the element with index 0, 1927 * the last octet of hash in the element with index 27. 1928 * 1929 * Parameters: 1930 * context: [in/out] 1931 * The context to use to calculate the SHA hash. 1932 * Message_Digest: [out] 1933 * Where the digest is returned. 1934 * 1935 * Returns: 1936 * sha Error Code. 1937 */ 1938 int SHA224Result(SHA224Context *context, 1939 uint8_t Message_Digest[SHA224HashSize]) 1940 { 1941 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1942 } 1944 /* 1945 * SHA256Reset 1946 * 1947 * Description: 1948 * This function will initialize the SHA256Context in preparation 1949 * for computing a new SHA256 message digest. 1950 * 1951 * Parameters: 1952 * context: [in/out] 1953 * The context to reset. 1954 * 1955 * Returns: 1956 * sha Error Code. 1957 */ 1958 int SHA256Reset(SHA256Context *context) 1959 { 1960 return SHA224_256Reset(context, SHA256_H0); 1961 } 1963 /* 1964 * SHA256Input 1965 * 1966 * Description: 1967 * This function accepts an array of octets as the next portion 1968 * of the message. 1969 * 1970 * Parameters: 1972 * context: [in/out] 1973 * The SHA context to update 1974 * message_array: [in] 1975 * An array of octets representing the next portion of 1976 * the message. 1977 * length: [in] 1978 * The length of the message in message_array 1979 * 1980 * Returns: 1981 * sha Error Code. 1982 */ 1983 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1984 unsigned int length) 1985 { 1986 if (!length) 1987 return shaSuccess; 1989 if (!context || !message_array) 1990 return shaNull; 1992 if (context->Computed) 1993 return context->Corrupted = shaStateError; 1995 if (context->Corrupted) 1996 return context->Corrupted; 1998 while (length-- && !context->Corrupted) { 1999 context->Message_Block[context->Message_Block_Index++] = 2000 (*message_array & 0xFF); 2002 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 2003 (context->Message_Block_Index == SHA256_Message_Block_Size)) 2004 SHA224_256ProcessMessageBlock(context); 2006 message_array++; 2007 } 2009 return context->Corrupted; 2011 } 2013 /* 2014 * SHA256FinalBits 2015 * 2016 * Description: 2017 * This function will add in any final bits of the message. 2018 * 2019 * Parameters: 2020 * context: [in/out] 2021 * The SHA context to update 2022 * message_bits: [in] 2023 * The final bits of the message, in the upper portion of the 2024 * byte. (Use 0b###00000 instead of 0b00000### to input the 2025 * three bits ###.) 2026 * length: [in] 2027 * The number of bits in message_bits, between 1 and 7. 2028 * 2029 * Returns: 2030 * sha Error Code. 2031 */ 2032 int SHA256FinalBits(SHA256Context *context, 2033 uint8_t message_bits, unsigned int length) 2034 { 2035 uint8_t masks[8] = { 2036 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2037 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2038 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2039 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2040 }; 2041 uint8_t markbit[8] = { 2042 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2043 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2044 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2045 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2046 }; 2048 if (!length) 2049 return shaSuccess; 2051 if (!context) 2052 return shaNull; 2054 if (context->Computed) 2055 return context->Corrupted = shaStateError; 2057 if ((length >= 8) || (length == 0)) 2058 return context->Corrupted = shaBadParam; 2060 if (context->Corrupted) 2061 return context->Corrupted; 2063 SHA224_256AddLength(context, length); 2064 SHA224_256Finalize(context, (uint8_t) 2065 ((message_bits & masks[length]) | markbit[length])); 2067 return context->Corrupted; 2068 } 2070 /* 2071 * SHA256Result 2072 * 2073 * Description: 2074 * This function will return the 256-bit message digest 2075 * into the Message_Digest array provided by the caller. 2076 * NOTE: 2077 * The first octet of hash is stored in the element with index 0, 2078 * the last octet of hash in the element with index 31. 2079 * 2080 * Parameters: 2081 * context: [in/out] 2082 * The context to use to calculate the SHA hash. 2083 * Message_Digest: [out] 2084 * Where the digest is returned. 2085 * 2086 * Returns: 2087 * sha Error Code. 2088 */ 2089 int SHA256Result(SHA256Context *context, 2090 uint8_t Message_Digest[SHA256HashSize]) 2091 { 2092 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2093 } 2095 /* 2096 * SHA224_256Finalize 2097 * 2098 * Description: 2099 * This helper function finishes off the digest calculations. 2100 * 2101 * Parameters: 2102 * context: [in/out] 2103 * The SHA context to update 2104 * Pad_Byte: [in] 2105 * The last byte to add to the digest before the 0-padding 2106 * and length. This will contain the last bits of the message 2107 * followed by another single bit. If the message was an 2108 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2109 * 2110 * Returns: 2111 * sha Error Code. 2112 */ 2113 static void SHA224_256Finalize(SHA256Context *context, 2114 uint8_t Pad_Byte) 2115 { 2116 int i; 2117 SHA224_256PadMessage(context, Pad_Byte); 2118 /* message may be sensitive, so clear it out */ 2119 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2120 context->Message_Block[i] = 0; 2121 context->Length_Low = 0; /* and clear length */ 2122 context->Length_High = 0; 2123 context->Computed = 1; 2124 } 2126 /* 2127 * SHA224_256PadMessage 2128 * 2129 * Description: 2130 * According to the standard, the message must be padded to the next 2131 * even multiple of 512 bits. The first padding bit must be a '1'. 2132 * The last 64 bits represent the length of the original message. 2133 * All bits in between should be 0. This helper function will pad 2134 * the message according to those rules by filling the 2135 * Message_Block array accordingly. When it returns, it can be 2136 * assumed that the message digest has been computed. 2137 * 2138 * Parameters: 2139 * context: [in/out] 2140 * The context to pad 2141 * Pad_Byte: [in] 2142 * The last byte to add to the digest before the 0-padding 2143 * and length. This will contain the last bits of the message 2144 * followed by another single bit. If the message was an 2145 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2146 * 2147 * Returns: 2148 * Nothing. 2149 */ 2150 static void SHA224_256PadMessage(SHA256Context *context, 2151 uint8_t Pad_Byte) 2152 { 2153 /* 2154 * Check to see if the current message block is too small to hold 2155 * the initial padding bits and length. If so, we will pad the 2156 * block, process it, and then continue padding into a second 2157 * block. 2158 */ 2159 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2160 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2161 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2162 context->Message_Block[context->Message_Block_Index++] = 0; 2163 SHA224_256ProcessMessageBlock(context); 2164 } else 2165 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2167 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2168 context->Message_Block[context->Message_Block_Index++] = 0; 2170 /* 2171 * Store the message length as the last 8 octets 2172 */ 2173 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2174 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2175 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2176 context->Message_Block[59] = (uint8_t)(context->Length_High); 2177 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2178 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2179 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2180 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2182 SHA224_256ProcessMessageBlock(context); 2183 } 2185 /* 2186 * SHA224_256ProcessMessageBlock 2187 * 2188 * Description: 2189 * This helper function will process the next 512 bits of the 2190 * message stored in the Message_Block array. 2191 * 2192 * Parameters: 2193 * context: [in/out] 2194 * The SHA context to update 2195 * 2196 * Returns: 2197 * Nothing. 2198 * 2199 * Comments: 2200 * Many of the variable names in this code, especially the 2201 * single character names, were used because those were the 2202 * names used in the publication. 2203 */ 2204 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2205 { 2206 /* Constants defined in FIPS-180-2, section 4.2.2 */ 2207 static const uint32_t K[64] = { 2208 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2209 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2210 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2211 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2212 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2213 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2214 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2215 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2216 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2217 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2218 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2219 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2220 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2221 }; 2222 int t, t4; /* Loop counter */ 2223 uint32_t temp1, temp2; /* Temporary word value */ 2224 uint32_t W[64]; /* Word sequence */ 2225 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2227 /* 2228 * Initialize the first 16 words in the array W 2229 */ 2230 for (t = t4 = 0; t < 16; t++, t4 += 4) 2231 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2232 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2233 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2234 (((uint32_t)context->Message_Block[t4 + 3])); 2236 for (t = 16; t < 64; t++) 2237 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2238 SHA256_sigma0(W[t-15]) + W[t-16]; 2240 A = context->Intermediate_Hash[0]; 2241 B = context->Intermediate_Hash[1]; 2242 C = context->Intermediate_Hash[2]; 2243 D = context->Intermediate_Hash[3]; 2244 E = context->Intermediate_Hash[4]; 2245 F = context->Intermediate_Hash[5]; 2246 G = context->Intermediate_Hash[6]; 2247 H = context->Intermediate_Hash[7]; 2249 for (t = 0; t < 64; t++) { 2250 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2251 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2252 H = G; 2253 G = F; 2254 F = E; 2255 E = D + temp1; 2256 D = C; 2257 C = B; 2258 B = A; 2259 A = temp1 + temp2; 2260 } 2262 context->Intermediate_Hash[0] += A; 2263 context->Intermediate_Hash[1] += B; 2264 context->Intermediate_Hash[2] += C; 2265 context->Intermediate_Hash[3] += D; 2266 context->Intermediate_Hash[4] += E; 2267 context->Intermediate_Hash[5] += F; 2268 context->Intermediate_Hash[6] += G; 2269 context->Intermediate_Hash[7] += H; 2271 context->Message_Block_Index = 0; 2273 } 2275 /* 2276 * SHA224_256Reset 2277 * 2278 * Description: 2279 * This helper function will initialize the SHA256Context in 2280 * preparation for computing a new SHA-224 or SHA-256 message digest. 2281 * 2282 * Parameters: 2283 * context: [in/out] 2284 * The context to reset. 2285 * H0 2286 * The initial hash value to use. 2287 * 2288 * Returns: 2289 * sha Error Code. 2290 */ 2291 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2292 { 2293 if (!context) 2294 return shaNull; 2296 context->Length_Low = 0; 2297 context->Length_High = 0; 2298 context->Message_Block_Index = 0; 2300 context->Intermediate_Hash[0] = H0[0]; 2301 context->Intermediate_Hash[1] = H0[1]; 2302 context->Intermediate_Hash[2] = H0[2]; 2303 context->Intermediate_Hash[3] = H0[3]; 2304 context->Intermediate_Hash[4] = H0[4]; 2305 context->Intermediate_Hash[5] = H0[5]; 2306 context->Intermediate_Hash[6] = H0[6]; 2307 context->Intermediate_Hash[7] = H0[7]; 2309 context->Computed = 0; 2310 context->Corrupted = 0; 2312 return shaSuccess; 2313 } 2315 /* 2316 * SHA224_256ResultN 2317 * 2318 * Description: 2319 * This helper function will return the 224-bit or 256-bit message 2320 * digest into the Message_Digest array provided by the caller. 2321 * NOTE: 2322 * The first octet of hash is stored in the element with index 0, 2323 * the last octet of hash in the element with index 27/31. 2324 * 2325 * Parameters: 2326 * context: [in/out] 2327 * The context to use to calculate the SHA hash. 2328 * Message_Digest: [out] 2329 * Where the digest is returned. 2330 * HashSize: [in] 2331 * The size of the hash, either 28 or 32. 2332 * 2333 * Returns: 2334 * sha Error Code. 2335 */ 2336 static int SHA224_256ResultN(SHA256Context *context, 2337 uint8_t Message_Digest[ ], int HashSize) 2338 { 2339 int i; 2341 if (!context || !Message_Digest) 2342 return shaNull; 2344 if (context->Corrupted) 2345 return context->Corrupted; 2347 if (!context->Computed) 2348 SHA224_256Finalize(context, 0x80); 2350 for (i = 0; i < HashSize; ++i) 2351 Message_Digest[i] = (uint8_t) 2352 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2354 return shaSuccess; 2355 } 2357 8.2.3 sha384-512.c 2359 /************************* sha384-512.c ************************/ 2360 /***************** See RFC NNNN for details. *******************/ 2361 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2362 /* authors of the code. All rights reserved. */ 2363 /* See sha.h for terms of use and redistribution. */ 2365 /* 2366 * Description: 2367 * This file implements the Secure Hash Algorithms SHA-384 and 2368 * SHA-512 as defined in the National Institute of Standards 2369 * and Technology Federal Information Processing Standards 2370 * Publication (FIPS PUB) 180-2 published on August 1, 2002, and 2371 * the FIPS PUB 180-2 Change Notice published on February 28, 2004. 2372 * 2373 * A combined document showing all algorithms is available at 2374 * http://csrc.nist.gov/publications/fips/ 2375 * fips180-2/fips180-2withchangenotice.pdf 2376 * 2377 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2378 * message digests for a given data stream. It should take about 2379 * 2**n steps to find a message with the same digest as a given 2380 * message and 2**(n/2) to find any two messages with the same 2381 * digest, when n is the digest size in bits. Therefore, this 2382 * algorithm can serve as a means of providing a 2383 * "fingerprint" for a message. 2384 * 2385 * Portability Issues: 2386 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2387 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2388 * terms of 32-bit "words". This code uses (included 2389 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2390 * types. If your C compiler does not support 64 bit unsigned 2391 * integers, and you do not #define USE_32BIT_ONLY, this code is 2392 * not appropriate. 2393 * 2394 * Caveats: 2395 * SHA-384 and SHA-512 are designed to work with messages less 2396 * than 2^128 bits long. This implementation uses SHA384/512Input() 2397 * to hash the bits that are a multiple of the size of an 8-bit 2398 * octet, and then optionally uses SHA384/256FinalBits() 2399 * to hash the final few bits of the input. 2400 * 2401 */ 2403 #include "sha.h" 2404 #include "sha-private.h" 2406 #ifdef USE_32BIT_ONLY 2407 /* 2408 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2409 * Each 64-bit number is represented in a 2-word array. 2410 * All macros are defined such that the result is the last parameter. 2411 */ 2413 /* 2414 * Define shift, rotate left and rotate right functions 2415 */ 2416 #define SHA512_SHR(bits, word, ret) ( \ 2417 /* (((uint64_t)((word))) >> (bits)) */ \ 2418 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2419 ((word)[0] >> (bits)) : 0, \ 2420 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2421 ((bits) == 32) ? (word)[0] : \ 2422 ((bits) >= 0) ? \ 2423 (((word)[0] << (32 - (bits))) | \ 2424 ((word)[1] >> (bits))) : 0 ) 2426 #define SHA512_SHL(bits, word, ret) ( \ 2427 /* (((uint64_t)(word)) << (bits)) */ \ 2428 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2429 ((bits) == 32) ? (word)[1] : \ 2430 ((bits) >= 0) ? \ 2431 (((word)[0] << (bits)) | \ 2432 ((word)[1] >> (32 - (bits)))) : \ 2433 0, \ 2434 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2435 ((word)[1] << (bits)) : 0 ) 2437 /* 2438 * Define 64-bit OR 2439 */ 2440 #define SHA512_OR(word1, word2, ret) ( \ 2441 (ret)[0] = (word1)[0] | (word2)[0], \ 2442 (ret)[1] = (word1)[1] | (word2)[1] ) 2444 /* 2445 * Define 64-bit XOR 2446 */ 2447 #define SHA512_XOR(word1, word2, ret) ( \ 2448 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2449 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2451 /* 2452 * Define 64-bit AND 2453 */ 2454 #define SHA512_AND(word1, word2, ret) ( \ 2455 (ret)[0] = (word1)[0] & (word2)[0], \ 2456 (ret)[1] = (word1)[1] & (word2)[1] ) 2458 /* 2459 * Define 64-bit TILDA 2460 */ 2461 #define SHA512_TILDA(word, ret) \ 2462 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2464 /* 2465 * Define 64-bit ADD 2466 */ 2467 #define SHA512_ADD(word1, word2, ret) ( \ 2468 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2469 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2471 /* 2472 * Add the 4word value in word2 to word1. 2473 */ 2474 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2475 #define SHA512_ADDTO4(word1, word2) ( \ 2476 ADDTO4_temp = (word1)[3], \ 2477 (word1)[3] += (word2)[3], \ 2478 ADDTO4_temp2 = (word1)[2], \ 2479 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2480 ADDTO4_temp = (word1)[1], \ 2481 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2482 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2484 /* 2485 * Add the 2word value in word2 to word1. 2486 */ 2487 static uint32_t ADDTO2_temp; 2488 #define SHA512_ADDTO2(word1, word2) ( \ 2489 ADDTO2_temp = (word1)[1], \ 2490 (word1)[1] += (word2)[1], \ 2491 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2493 /* 2494 * SHA rotate ((word >> bits) | (word << (64-bits))) 2495 */ 2496 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2497 #define SHA512_ROTR(bits, word, ret) ( \ 2498 SHA512_SHR((bits), (word), ROTR_temp1), \ 2499 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2500 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2502 /* 2503 * Define the SHA SIGMA and sigma macros 2504 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2505 */ 2506 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2507 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2508 #define SHA512_SIGMA0(word, ret) ( \ 2509 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2510 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2511 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2512 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2513 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2515 /* 2516 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2517 */ 2518 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2519 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2520 #define SHA512_SIGMA1(word, ret) ( \ 2521 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2522 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2523 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2524 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2525 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2527 /* 2528 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2529 */ 2530 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2531 sigma0_temp3[2], sigma0_temp4[2]; 2532 #define SHA512_sigma0(word, ret) ( \ 2533 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2534 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2535 SHA512_SHR( 7, (word), sigma0_temp3), \ 2536 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2537 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2539 /* 2540 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2541 */ 2542 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2543 sigma1_temp3[2], sigma1_temp4[2]; 2544 #define SHA512_sigma1(word, ret) ( \ 2545 SHA512_ROTR(19, (word), sigma1_temp1), \ 2546 SHA512_ROTR(61, (word), sigma1_temp2), \ 2547 SHA512_SHR( 6, (word), sigma1_temp3), \ 2548 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2549 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2551 #undef SHA_Ch 2552 #undef SHA_Maj 2554 #ifndef USE_MODIFIED_MACROS 2555 /* 2556 * These definitions are the ones used in FIPS-180-2, section 4.1.3 2557 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2558 */ 2559 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2560 #define SHA_Ch(x, y, z, ret) ( \ 2561 SHA512_AND(x, y, Ch_temp1), \ 2562 SHA512_TILDA(x, Ch_temp2), \ 2563 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2564 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2566 /* 2567 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2568 */ 2569 static uint32_t Maj_temp1[2], Maj_temp2[2], 2570 Maj_temp3[2], Maj_temp4[2]; 2572 #define SHA_Maj(x, y, z, ret) ( \ 2573 SHA512_AND(x, y, Maj_temp1), \ 2574 SHA512_AND(x, z, Maj_temp2), \ 2575 SHA512_AND(y, z, Maj_temp3), \ 2576 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2577 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2579 #else /* !USE_MODIFIED_MACROS */ 2580 /* 2581 * These definitions are potentially faster equivalents for the ones 2582 * used in FIPS-180-2, section 4.1.3. 2583 * ((x & y) ^ (~x & z)) becomes 2584 * ((x & (y ^ z)) ^ z) 2585 */ 2586 #define SHA_Ch(x, y, z, ret) ( \ 2587 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2588 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2590 /* 2591 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2592 * ((x & (y | z)) | (y & z)) 2593 */ 2594 #define SHA_Maj(x, y, z, ret) ( \ 2595 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2596 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2597 #endif /* USE_MODIFIED_MACROS */ 2599 /* 2600 * Add "length" to the length. 2601 * Set Corrupted when overflow has occurred. 2602 */ 2603 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2604 #define SHA384_512AddLength(context, length) ( \ 2605 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2606 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2607 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2608 ((context)->Length[0] == 0)) ? shaInputTooLong : shaSuccess ) 2610 /* Local Function Prototypes */ 2611 static void SHA384_512Finalize(SHA512Context *context, 2612 uint8_t Pad_Byte); 2613 static void SHA384_512PadMessage(SHA512Context *context, 2614 uint8_t Pad_Byte); 2615 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2616 static int SHA384_512Reset(SHA512Context *context, 2617 uint32_t H0[SHA512HashSize/4]); 2618 static int SHA384_512ResultN( SHA512Context *context, 2619 uint8_t Message_Digest[ ], int HashSize); 2621 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2622 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2623 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2624 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2625 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2626 0xBEFA4FA4 2627 }; 2629 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2630 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2631 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2632 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2633 0x137E2179 2634 }; 2636 #else /* !USE_32BIT_ONLY */ 2638 /* Define the SHA shift, rotate left and rotate right macro */ 2639 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2640 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2641 (((uint64_t)(word)) << (64-(bits)))) 2643 /* Define the SHA SIGMA and sigma macros */ 2644 #define SHA512_SIGMA0(word) \ 2645 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2646 #define SHA512_SIGMA1(word) \ 2647 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2648 #define SHA512_sigma0(word) \ 2649 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2650 #define SHA512_sigma1(word) \ 2651 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2653 /* 2654 * Add "length" to the length. 2655 * Set Corrupted when overflow has occurred. 2656 */ 2657 static uint64_t addTemp; 2658 #define SHA384_512AddLength(context, length) \ 2659 (addTemp = context->Length_Low, context->Corrupted = \ 2660 ((context->Length_Low += length) < addTemp) && \ 2661 (++context->Length_High == 0) ? 1 : 0) 2663 /* Local Function Prototypes */ 2664 static void SHA384_512Finalize(SHA512Context *context, 2665 uint8_t Pad_Byte); 2666 static void SHA384_512PadMessage(SHA512Context *context, 2667 uint8_t Pad_Byte); 2668 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2669 static int SHA384_512Reset(SHA512Context *context, 2670 uint64_t H0[SHA512HashSize/8]); 2671 static int SHA384_512ResultN(SHA512Context *context, 2672 uint8_t Message_Digest[ ], int HashSize); 2674 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ 2675 static uint64_t SHA384_H0[ ] = { 2676 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2677 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2678 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2679 }; 2680 static uint64_t SHA512_H0[ ] = { 2681 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2682 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2683 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2684 }; 2686 #endif /* USE_32BIT_ONLY */ 2688 /* 2689 * SHA384Reset 2690 * 2691 * Description: 2692 * This function will initialize the SHA384Context in preparation 2693 * for computing a new SHA384 message digest. 2694 * 2695 * Parameters: 2696 * context: [in/out] 2697 * The context to reset. 2698 * 2699 * Returns: 2700 * sha Error Code. 2701 * 2702 */ 2703 int SHA384Reset(SHA384Context *context) 2704 { 2705 return SHA384_512Reset(context, SHA384_H0); 2706 } 2708 /* 2709 * SHA384Input 2710 * 2711 * Description: 2712 * This function accepts an array of octets as the next portion 2713 * of the message. 2714 * 2715 * Parameters: 2716 * context: [in/out] 2717 * The SHA context to update 2718 * message_array: [in] 2719 * An array of octets representing the next portion of 2720 * the message. 2721 * length: [in] 2722 * The length of the message in message_array 2723 * 2724 * Returns: 2725 * sha Error Code. 2726 * 2727 */ 2728 int SHA384Input(SHA384Context *context, 2729 const uint8_t *message_array, unsigned int length) 2730 { 2731 return SHA512Input(context, message_array, length); 2732 } 2734 /* 2735 * SHA384FinalBits 2736 * 2737 * Description: 2738 * This function will add in any final bits of the message. 2739 * 2740 * Parameters: 2741 * context: [in/out] 2742 * The SHA context to update 2743 * message_bits: [in] 2744 * The final bits of the message, in the upper portion of the 2745 * byte. (Use 0b###00000 instead of 0b00000### to input the 2746 * three bits ###.) 2747 * length: [in] 2748 * The number of bits in message_bits, between 1 and 7. 2749 * 2750 * Returns: 2751 * sha Error Code. 2752 * 2753 */ 2754 int SHA384FinalBits(SHA384Context *context, 2755 uint8_t message_bits, unsigned int length) 2756 { 2757 return SHA512FinalBits(context, message_bits, length); 2758 } 2760 /* 2761 * SHA384Result 2762 * 2763 * Description: 2764 * This function will return the 384-bit message digest 2765 * into the Message_Digest array provided by the caller. 2766 * NOTE: 2767 * The first octet of hash is stored in the element with index 0, 2768 * the last octet of hash in the element with index 47. 2769 * 2770 * Parameters: 2771 * context: [in/out] 2772 * The context to use to calculate the SHA hash. 2773 * Message_Digest: [out] 2774 * Where the digest is returned. 2775 * 2776 * Returns: 2777 * sha Error Code. 2778 * 2779 */ 2780 int SHA384Result(SHA384Context *context, 2781 uint8_t Message_Digest[SHA384HashSize]) 2782 { 2783 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2784 } 2786 /* 2787 * SHA512Reset 2788 * 2789 * Description: 2790 * This function will initialize the SHA512Context in preparation 2791 * for computing a new SHA512 message digest. 2792 * 2793 * Parameters: 2794 * context: [in/out] 2795 * The context to reset. 2796 * 2797 * Returns: 2798 * sha Error Code. 2799 * 2800 */ 2801 int SHA512Reset(SHA512Context *context) 2802 { 2803 return SHA384_512Reset(context, SHA512_H0); 2804 } 2806 /* 2807 * SHA512Input 2808 * 2809 * Description: 2810 * This function accepts an array of octets as the next portion 2811 * of the message. 2812 * 2813 * Parameters: 2814 * context: [in/out] 2815 * The SHA context to update 2816 * message_array: [in] 2817 * An array of octets representing the next portion of 2818 * the message. 2819 * length: [in] 2820 * The length of the message in message_array 2821 * 2822 * Returns: 2823 * sha Error Code. 2824 * 2825 */ 2826 int SHA512Input(SHA512Context *context, 2827 const uint8_t *message_array, 2828 unsigned int length) 2829 { 2830 if (!length) 2831 return shaSuccess; 2833 if (!context || !message_array) 2834 return shaNull; 2836 if (context->Computed) 2837 return context->Corrupted = shaStateError; 2839 if (context->Corrupted) 2840 return context->Corrupted; 2842 while (length-- && !context->Corrupted) { 2843 context->Message_Block[context->Message_Block_Index++] = 2844 (*message_array & 0xFF); 2846 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2847 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2848 SHA384_512ProcessMessageBlock(context); 2850 message_array++; 2851 } 2853 return context->Corrupted; 2854 } 2856 /* 2857 * SHA512FinalBits 2858 * 2859 * Description: 2860 * This function will add in any final bits of the message. 2861 * 2862 * Parameters: 2863 * context: [in/out] 2864 * The SHA context to update 2865 * message_bits: [in] 2866 * The final bits of the message, in the upper portion of the 2867 * byte. (Use 0b###00000 instead of 0b00000### to input the 2868 * three bits ###.) 2869 * length: [in] 2870 * The number of bits in message_bits, between 1 and 7. 2871 * 2872 * Returns: 2873 * sha Error Code. 2874 * 2875 */ 2876 int SHA512FinalBits(SHA512Context *context, 2877 uint8_t message_bits, unsigned int length) 2878 { 2879 uint8_t masks[8] = { 2880 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2881 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2882 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2883 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2884 }; 2885 uint8_t markbit[8] = { 2886 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2887 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2888 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2889 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2890 }; 2892 if (!length) 2893 return shaSuccess; 2895 if (!context) 2896 return shaNull; 2898 if (context->Computed) 2899 return context->Corrupted = shaStateError; 2901 if ((length >= 8) || (length == 0)) 2902 return context->Corrupted = shaBadParam; 2904 if (context->Corrupted) 2905 return context->Corrupted; 2907 SHA384_512AddLength(context, length); 2908 SHA384_512Finalize(context, (uint8_t) 2909 ((message_bits & masks[length]) | markbit[length])); 2911 return context->Corrupted; 2912 } 2914 /* 2915 * SHA384_512Finalize 2916 * 2917 * Description: 2918 * This helper function finishes off the digest calculations. 2919 * 2920 * Parameters: 2921 * context: [in/out] 2922 * The SHA context to update 2923 * Pad_Byte: [in] 2924 * The last byte to add to the digest before the 0-padding 2925 * and length. This will contain the last bits of the message 2926 * followed by another single bit. If the message was an 2927 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2928 * 2929 * Returns: 2930 * sha Error Code. 2931 * 2932 */ 2933 static void SHA384_512Finalize(SHA512Context *context, 2934 uint8_t Pad_Byte) 2935 { 2936 int_least16_t i; 2937 SHA384_512PadMessage(context, Pad_Byte); 2938 /* message may be sensitive, clear it out */ 2939 for (i = 0; i < SHA512_Message_Block_Size; ++i) 2940 context->Message_Block[i] = 0; 2941 #ifdef USE_32BIT_ONLY /* and clear length */ 2942 context->Length[0] = context->Length[1] = 0; 2943 context->Length[2] = context->Length[3] = 0; 2944 #else /* !USE_32BIT_ONLY */ 2945 context->Length_Low = 0; 2946 context->Length_High = 0; 2947 #endif /* USE_32BIT_ONLY */ 2948 context->Computed = 1; 2949 } 2951 /* 2952 * SHA512Result 2953 * 2954 * Description: 2955 * This function will return the 512-bit message digest 2956 * into the Message_Digest array provided by the caller. 2957 * NOTE: 2958 * The first octet of hash is stored in the element with index 0, 2959 * the last octet of hash in the element with index 63. 2960 * 2961 * Parameters: 2962 * context: [in/out] 2963 * The context to use to calculate the SHA hash. 2964 * Message_Digest: [out] 2965 * Where the digest is returned. 2966 * 2967 * Returns: 2968 * sha Error Code. 2969 * 2970 */ 2971 int SHA512Result(SHA512Context *context, 2972 uint8_t Message_Digest[SHA512HashSize]) 2973 { 2974 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2975 } 2977 /* 2978 * SHA384_512PadMessage 2979 * 2980 * Description: 2981 * According to the standard, the message must be padded to the next 2982 * even multiple of 1024 bits. The first padding bit must be a '1'. 2983 * The last 128 bits represent the length of the original message. 2984 * All bits in between should be 0. This helper function will 2985 * pad the message according to those rules by filling the 2986 * Message_Block array accordingly. When it returns, it can be 2987 * assumed that the message digest has been computed. 2988 * 2989 * Parameters: 2990 * context: [in/out] 2991 * The context to pad 2992 * Pad_Byte: [in] 2993 * The last byte to add to the digest before the 0-padding 2994 * and length. This will contain the last bits of the message 2995 * followed by another single bit. If the message was an 2996 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2997 * 2998 * Returns: 2999 * Nothing. 3000 * 3001 */ 3002 static void SHA384_512PadMessage(SHA512Context *context, 3003 uint8_t Pad_Byte) 3004 { 3005 /* 3006 * Check to see if the current message block is too small to hold 3007 * the initial padding bits and length. If so, we will pad the 3008 * block, process it, and then continue padding into a second 3009 * block. 3010 */ 3011 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 3012 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3013 while (context->Message_Block_Index < SHA512_Message_Block_Size) 3014 context->Message_Block[context->Message_Block_Index++] = 0; 3016 SHA384_512ProcessMessageBlock(context); 3017 } else 3018 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3020 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 3021 context->Message_Block[context->Message_Block_Index++] = 0; 3023 /* 3024 * Store the message length as the last 16 octets 3025 */ 3026 #ifdef USE_32BIT_ONLY 3027 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 3028 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 3029 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 3030 context->Message_Block[115] = (uint8_t)(context->Length[0]); 3031 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 3032 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 3033 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 3034 context->Message_Block[119] = (uint8_t)(context->Length[1]); 3036 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 3037 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 3038 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 3039 context->Message_Block[123] = (uint8_t)(context->Length[2]); 3040 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 3041 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 3042 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3043 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3044 #else /* !USE_32BIT_ONLY */ 3045 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3046 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3047 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3048 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3049 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3050 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3051 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3052 context->Message_Block[119] = (uint8_t)(context->Length_High); 3054 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3055 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3056 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3057 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3058 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3059 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3060 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3061 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3062 #endif /* USE_32BIT_ONLY */ 3064 SHA384_512ProcessMessageBlock(context); 3065 } 3067 /* 3068 * SHA384_512ProcessMessageBlock 3069 * 3070 * Description: 3071 * This helper function will process the next 1024 bits of the 3072 * message stored in the Message_Block array. 3074 * 3075 * Parameters: 3076 * context: [in/out] 3077 * The SHA context to update 3078 * 3079 * Returns: 3080 * Nothing. 3081 * 3082 * Comments: 3083 * Many of the variable names in this code, especially the 3084 * single character names, were used because those were the 3085 * names used in the publication. 3086 * 3087 * 3088 */ 3089 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 3090 { 3091 /* Constants defined in FIPS-180-2, section 4.2.3 */ 3092 #ifdef USE_32BIT_ONLY 3093 static const uint32_t K[80*2] = { 3094 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 3095 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 3096 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 3097 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 3098 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 3099 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 3100 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 3101 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 3102 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 3103 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 3104 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 3105 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 3106 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 3107 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 3108 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 3109 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 3110 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 3111 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 3112 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 3113 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 3114 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 3115 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 3116 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 3117 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 3118 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 3119 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3120 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3121 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3122 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3123 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3124 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3125 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3126 }; 3127 int t, t2, t8; /* Loop counter */ 3128 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3129 temp3[2], temp4[2], temp5[2]; 3130 uint32_t W[2*80]; /* Word sequence */ 3131 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3132 E[2], F[2], G[2], H[2]; 3134 /* Initialize the first 16 words in the array W */ 3135 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3136 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3137 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3138 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3139 ((((uint32_t)context->Message_Block[t8 + 3]))); 3140 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3141 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3142 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3143 ((((uint32_t)context->Message_Block[t8 + 7]))); 3144 } 3146 for (t = 16; t < 80; t++, t2 += 2) { 3147 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3148 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3149 uint32_t *Wt2 = &W[t2-2*2]; 3150 uint32_t *Wt7 = &W[t2-7*2]; 3151 uint32_t *Wt15 = &W[t2-15*2]; 3152 uint32_t *Wt16 = &W[t2-16*2]; 3153 SHA512_sigma1(Wt2, temp1); 3154 SHA512_ADD(temp1, Wt7, temp2); 3155 SHA512_sigma0(Wt15, temp1); 3156 SHA512_ADD(temp1, Wt16, temp3); 3157 SHA512_ADD(temp2, temp3, &W[t2]); 3158 } 3160 A[0] = context->Intermediate_Hash[0]; 3161 A[1] = context->Intermediate_Hash[1]; 3162 B[0] = context->Intermediate_Hash[2]; 3163 B[1] = context->Intermediate_Hash[3]; 3164 C[0] = context->Intermediate_Hash[4]; 3165 C[1] = context->Intermediate_Hash[5]; 3166 D[0] = context->Intermediate_Hash[6]; 3167 D[1] = context->Intermediate_Hash[7]; 3168 E[0] = context->Intermediate_Hash[8]; 3169 E[1] = context->Intermediate_Hash[9]; 3170 F[0] = context->Intermediate_Hash[10]; 3171 F[1] = context->Intermediate_Hash[11]; 3172 G[0] = context->Intermediate_Hash[12]; 3173 G[1] = context->Intermediate_Hash[13]; 3174 H[0] = context->Intermediate_Hash[14]; 3175 H[1] = context->Intermediate_Hash[15]; 3177 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3178 /* 3179 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3180 */ 3181 SHA512_SIGMA1(E,temp1); 3182 SHA512_ADD(H, temp1, temp2); 3183 SHA_Ch(E,F,G,temp3); 3184 SHA512_ADD(temp2, temp3, temp4); 3185 SHA512_ADD(&K[t2], &W[t2], temp5); 3186 SHA512_ADD(temp4, temp5, temp1); 3187 /* 3188 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3189 */ 3190 SHA512_SIGMA0(A,temp3); 3191 SHA_Maj(A,B,C,temp4); 3192 SHA512_ADD(temp3, temp4, temp2); 3193 H[0] = G[0]; H[1] = G[1]; 3194 G[0] = F[0]; G[1] = F[1]; 3195 F[0] = E[0]; F[1] = E[1]; 3196 SHA512_ADD(D, temp1, E); 3197 D[0] = C[0]; D[1] = C[1]; 3198 C[0] = B[0]; C[1] = B[1]; 3199 B[0] = A[0]; B[1] = A[1]; 3200 SHA512_ADD(temp1, temp2, A); 3201 } 3203 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3204 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3205 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3206 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3207 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3208 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3209 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3210 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3212 #else /* !USE_32BIT_ONLY */ 3213 static const uint64_t K[80] = { 3214 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3215 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3216 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3217 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3218 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3219 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3220 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3221 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3222 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3223 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3224 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3225 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3226 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3227 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3228 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3229 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3230 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3231 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3232 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3233 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3234 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3235 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3236 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3237 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3238 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3239 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3240 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3241 }; 3242 int t, t8; /* Loop counter */ 3243 uint64_t temp1, temp2; /* Temporary word value */ 3244 uint64_t W[80]; /* Word sequence */ 3245 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3247 /* 3248 * Initialize the first 16 words in the array W 3249 */ 3250 for (t = t8 = 0; t < 16; t++, t8 += 8) 3251 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3252 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3253 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3254 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3255 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3256 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3257 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3258 ((uint64_t)(context->Message_Block[t8 + 7])); 3260 for (t = 16; t < 80; t++) 3261 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3262 SHA512_sigma0(W[t-15]) + W[t-16]; 3264 A = context->Intermediate_Hash[0]; 3265 B = context->Intermediate_Hash[1]; 3266 C = context->Intermediate_Hash[2]; 3267 D = context->Intermediate_Hash[3]; 3268 E = context->Intermediate_Hash[4]; 3269 F = context->Intermediate_Hash[5]; 3270 G = context->Intermediate_Hash[6]; 3271 H = context->Intermediate_Hash[7]; 3273 for (t = 0; t < 80; t++) { 3274 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3275 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3276 H = G; 3277 G = F; 3278 F = E; 3279 E = D + temp1; 3280 D = C; 3281 C = B; 3282 B = A; 3283 A = temp1 + temp2; 3284 } 3286 context->Intermediate_Hash[0] += A; 3287 context->Intermediate_Hash[1] += B; 3288 context->Intermediate_Hash[2] += C; 3289 context->Intermediate_Hash[3] += D; 3290 context->Intermediate_Hash[4] += E; 3291 context->Intermediate_Hash[5] += F; 3292 context->Intermediate_Hash[6] += G; 3293 context->Intermediate_Hash[7] += H; 3294 #endif /* USE_32BIT_ONLY */ 3296 context->Message_Block_Index = 0; 3297 } 3299 /* 3300 * SHA384_512Reset 3301 * 3302 * Description: 3303 * This helper function will initialize the SHA512Context in 3304 * preparation for computing a new SHA384 or SHA512 message 3305 * digest. 3306 * 3307 * Parameters: 3308 * context: [in/out] 3309 * The context to reset. 3310 * H0 3311 * The initial hash value to use. 3312 * 3313 * Returns: 3314 * sha Error Code. 3315 * 3316 */ 3317 #ifdef USE_32BIT_ONLY 3318 static int SHA384_512Reset(SHA512Context *context, 3319 uint32_t H0[SHA512HashSize/4]) 3320 #else /* !USE_32BIT_ONLY */ 3321 static int SHA384_512Reset(SHA512Context *context, 3322 uint64_t H0[SHA512HashSize/8]) 3323 #endif /* USE_32BIT_ONLY */ 3324 { 3325 int i; 3326 if (!context) 3327 return shaNull; 3329 context->Message_Block_Index = 0; 3331 #ifdef USE_32BIT_ONLY 3332 context->Length[0] = context->Length[1] = 3333 context->Length[2] = context->Length[3] = 0; 3335 for (i = 0; i < SHA512HashSize/4; i++) 3336 context->Intermediate_Hash[i] = H0[i]; 3337 #else /* !USE_32BIT_ONLY */ 3338 context->Length_High = context->Length_Low = 0; 3340 for (i = 0; i < SHA512HashSize/8; i++) 3341 context->Intermediate_Hash[i] = H0[i]; 3342 #endif /* USE_32BIT_ONLY */ 3344 context->Computed = 0; 3345 context->Corrupted = 0; 3347 return shaSuccess; 3348 } 3350 /* 3351 * SHA384_512ResultN 3352 * 3353 * Description: 3354 * This helper function will return the 384-bit or 512-bit message 3355 * digest into the Message_Digest array provided by the caller. 3356 * NOTE: 3357 * The first octet of hash is stored in the element with index 0, 3358 * the last octet of hash in the element with index 47/63. 3359 * 3360 * Parameters: 3361 * context: [in/out] 3362 * The context to use to calculate the SHA hash. 3363 * Message_Digest: [out] 3364 * Where the digest is returned. 3365 * HashSize: [in] 3366 * The size of the hash, either 48 or 64. 3367 * 3368 * Returns: 3369 * sha Error Code. 3370 * 3371 */ 3372 static int SHA384_512ResultN(SHA512Context *context, 3373 uint8_t Message_Digest[ ], int HashSize) 3375 { 3376 int i; 3377 #ifdef USE_32BIT_ONLY 3378 int i2; 3379 #endif /* USE_32BIT_ONLY */ 3381 if (!context || !Message_Digest) 3382 return shaNull; 3384 if (context->Corrupted) 3385 return context->Corrupted; 3387 if (!context->Computed) 3388 SHA384_512Finalize(context, 0x80); 3390 #ifdef USE_32BIT_ONLY 3391 for (i = i2 = 0; i < HashSize; ) { 3392 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3393 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3394 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3395 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3396 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3397 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3398 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3399 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3400 } 3401 #else /* !USE_32BIT_ONLY */ 3402 for (i = 0; i < HashSize; ++i) 3403 Message_Digest[i] = (uint8_t) 3404 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3405 #endif /* USE_32BIT_ONLY */ 3407 return shaSuccess; 3408 } 3410 8.2.4 usha.c 3412 /**************************** usha.c ***************************/ 3413 /***************** See RFC NNNN for details. *******************/ 3414 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3415 /* authors of the code. All rights reserved. */ 3416 /* See sha.h for terms of use and redistribution. */ 3418 /* 3419 * Description: 3420 * This file implements a unified interface to the SHA algorithms. 3421 */ 3423 #include "sha.h" 3425 /* 3426 * USHAReset 3427 * 3428 * Description: 3429 * This function will initialize the SHA Context in preparation 3430 * for computing a new SHA message digest. 3431 * 3432 * Parameters: 3433 * context: [in/out] 3434 * The context to reset. 3435 * whichSha: [in] 3436 * Selects which SHA reset to call 3437 * 3438 * Returns: 3439 * sha Error Code. 3440 * 3441 */ 3442 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3443 { 3444 if (context) { 3445 context->whichSha = whichSha; 3446 switch (whichSha) { 3447 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3448 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3449 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3450 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3451 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3452 default: return shaBadParam; 3453 } 3454 } else { 3455 return shaNull; 3456 } 3457 } 3459 /* 3460 * USHAInput 3461 * 3462 * Description: 3463 * This function accepts an array of octets as the next portion 3464 * of the message. 3465 * 3466 * Parameters: 3467 * context: [in/out] 3468 * The SHA context to update 3469 * message_array: [in] 3470 * An array of octets representing the next portion of 3471 * the message. 3472 * length: [in] 3473 * The length of the message in message_array 3474 * 3475 * Returns: 3476 * sha Error Code. 3477 * 3478 */ 3479 int USHAInput(USHAContext *context, 3480 const uint8_t *bytes, unsigned int bytecount) 3481 { 3482 if (context) { 3483 switch (context->whichSha) { 3484 case SHA1: 3485 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3486 bytecount); 3487 case SHA224: 3488 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3489 bytecount); 3490 case SHA256: 3491 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3492 bytecount); 3493 case SHA384: 3494 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3495 bytecount); 3496 case SHA512: 3497 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3498 bytecount); 3499 default: return shaBadParam; 3500 } 3501 } else { 3502 return shaNull; 3503 } 3504 } 3506 /* 3507 * USHAFinalBits 3508 * 3509 * Description: 3510 * This function will add in any final bits of the message. 3511 * 3512 * Parameters: 3513 * context: [in/out] 3514 * The SHA context to update 3515 * message_bits: [in] 3516 * The final bits of the message, in the upper portion of the 3517 * byte. (Use 0b###00000 instead of 0b00000### to input the 3518 * three bits ###.) 3519 * length: [in] 3520 * The number of bits in message_bits, between 1 and 7. 3521 * 3522 * Returns: 3524 * sha Error Code. 3525 */ 3526 int USHAFinalBits(USHAContext *context, 3527 uint8_t bits, unsigned int bit_count) 3528 { 3529 if (context) { 3530 switch (context->whichSha) { 3531 case SHA1: 3532 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3533 bit_count); 3534 case SHA224: 3535 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3536 bit_count); 3537 case SHA256: 3538 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3539 bit_count); 3540 case SHA384: 3541 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3542 bit_count); 3543 case SHA512: 3544 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3545 bit_count); 3546 default: return shaBadParam; 3547 } 3548 } else { 3549 return shaNull; 3550 } 3551 } 3553 /* 3554 * USHAResult 3555 * 3556 * Description: 3557 * This function will return the message digest of the appropriate 3558 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3559 * 'whichSHA' value used in the preceeding call to USHAReset, 3560 * into the Message_Digest array provided by the caller. 3561 * 3562 * Parameters: 3563 * context: [in/out] 3564 * The context to use to calculate the SHA-1 hash. 3565 * Message_Digest: [out] 3566 * Where the digest is returned. 3567 * 3568 * Returns: 3569 * sha Error Code. 3570 * 3571 */ 3572 int USHAResult(USHAContext *context, 3573 uint8_t Message_Digest[USHAMaxHashSize]) 3575 { 3576 if (context) { 3577 switch (context->whichSha) { 3578 case SHA1: 3579 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3580 case SHA224: 3581 return SHA224Result((SHA224Context*)&context->ctx, 3582 Message_Digest); 3583 case SHA256: 3584 return SHA256Result((SHA256Context*)&context->ctx, 3585 Message_Digest); 3586 case SHA384: 3587 return SHA384Result((SHA384Context*)&context->ctx, 3588 Message_Digest); 3589 case SHA512: 3590 return SHA512Result((SHA512Context*)&context->ctx, 3591 Message_Digest); 3592 default: return shaBadParam; 3593 } 3594 } else { 3595 return shaNull; 3596 } 3597 } 3599 /* 3600 * USHABlockSize 3601 * 3602 * Description: 3603 * This function will return the blocksize for the given SHA 3604 * algorithm. 3605 * 3606 * Parameters: 3607 * whichSha: 3608 * which SHA algorithm to query 3609 * 3610 * Returns: 3611 * block size 3612 * 3613 */ 3614 int USHABlockSize(enum SHAversion whichSha) 3615 { 3616 switch (whichSha) { 3617 case SHA1: return SHA1_Message_Block_Size; 3618 case SHA224: return SHA224_Message_Block_Size; 3619 case SHA256: return SHA256_Message_Block_Size; 3620 case SHA384: return SHA384_Message_Block_Size; 3621 default: 3622 case SHA512: return SHA512_Message_Block_Size; 3623 } 3624 } 3625 /* 3626 * USHAHashSize 3627 * 3628 * Description: 3629 * This function will return the hashsize for the given SHA 3630 * algorithm. 3631 * 3632 * Parameters: 3633 * whichSha: 3634 * which SHA algorithm to query 3635 * 3636 * Returns: 3637 * hash size 3638 * 3639 */ 3640 int USHAHashSize(enum SHAversion whichSha) 3641 { 3642 switch (whichSha) { 3643 case SHA1: return SHA1HashSize; 3644 case SHA224: return SHA224HashSize; 3645 case SHA256: return SHA256HashSize; 3646 case SHA384: return SHA384HashSize; 3647 default: 3648 case SHA512: return SHA512HashSize; 3649 } 3650 } 3652 /* 3653 * USHAHashSizeBits 3654 * 3655 * Description: 3656 * This function will return the hashsize for the given SHA 3657 * algorithm, expressed in bits. 3658 * 3659 * Parameters: 3660 * whichSha: 3661 * which SHA algorithm to query 3662 * 3663 * Returns: 3664 * hash size in bits 3665 * 3666 */ 3667 int USHAHashSizeBits(enum SHAversion whichSha) 3668 { 3669 switch (whichSha) { 3670 case SHA1: return SHA1HashSizeBits; 3671 case SHA224: return SHA224HashSizeBits; 3672 case SHA256: return SHA256HashSizeBits; 3673 case SHA384: return SHA384HashSizeBits; 3674 default: 3676 case SHA512: return SHA512HashSizeBits; 3677 } 3678 } 3680 /* 3681 * USHAHashName 3682 * 3683 * Description: 3684 * This function will return the name of the given SHA algorithm 3685 * as a string. 3686 * 3687 * Parameters: 3688 * whichSha: 3689 * which SHA algorithm to query 3690 * 3691 * Returns: 3692 * character string with the name in it 3693 * 3694 */ 3695 const char *USHAHashName(enum SHAversion whichSha) 3696 { 3697 switch (whichSha) { 3698 case SHA1: return "SHA1"; 3699 case SHA224: return "SHA224"; 3700 case SHA256: return "SHA256"; 3701 case SHA384: return "SHA384"; 3702 default: 3703 case SHA512: return "SHA512"; 3704 } 3705 } 3707 8.3 The HMAC Code 3709 /**************************** hmac.c ***************************/ 3710 /***************** See RFC NNNN for details. *******************/ 3711 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3712 /* authors of the code. All rights reserved. */ 3713 /* See sha.h for terms of use and redistribution. */ 3715 /* 3716 * Description: 3717 * This file implements the HMAC algorithm (Keyed-Hashing for 3718 * Message Authentication, [RFC 2104]), expressed in terms of 3719 * the various SHA algorithms. 3720 */ 3722 #include "sha.h" 3723 /* 3724 * hmac 3725 * 3726 * Description: 3727 * This function will compute an HMAC message digest. 3728 * 3729 * Parameters: 3730 * whichSha: [in] 3731 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3732 * key: [in] 3733 * The secret shared key. 3734 * key_len: [in] 3735 * The length of the secret shared key. 3736 * message_array: [in] 3737 * An array of octets representing the message. 3738 * Note: in RFC 2109, this parameter is known 3739 * as 'text'. 3740 * length: [in] 3741 * The length of the message in message_array. 3742 * digest: [out] 3743 * Where the digest is returned. 3744 * NOTE: The length of the digest is determined by 3745 * the value of whichSha. 3746 * 3747 * Returns: 3748 * sha Error Code. 3749 * 3750 */ 3751 int hmac(SHAversion whichSha, 3752 const unsigned char *message_array, int length, 3753 const unsigned char *key, int key_len, 3754 uint8_t digest[USHAMaxHashSize]) 3755 { 3756 HMACContext context; 3757 return hmacReset(&context, whichSha, key, key_len) || 3758 hmacInput(&context, message_array, length) || 3759 hmacResult(&context, digest); 3760 } 3762 /* 3763 * hmacReset 3764 * 3765 * Description: 3766 * This function will initialize the hmacContext in preparation 3767 * for computing a new HMAC message digest. 3768 * 3769 * Parameters: 3770 * context: [in/out] 3771 * The context to reset. 3772 * whichSha: [in] 3773 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3774 * key: [in] 3775 * The secret shared key. 3776 * key_len: [in] 3777 * The length of the secret shared key. 3778 * 3779 * Returns: 3780 * sha Error Code. 3781 * 3782 */ 3783 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3784 const unsigned char *key, int key_len) 3785 { 3786 int i, blocksize, hashsize, ret; 3788 /* inner padding - key XORd with ipad */ 3789 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3791 /* temporary buffer when keylen > blocksize */ 3792 unsigned char tempkey[USHAMaxHashSize]; 3794 if (!context) return shaNull; 3795 context->Computed = 0; 3796 context->Corrupted = shaSuccess; 3798 blocksize = context->blockSize = USHABlockSize(whichSha); 3799 hashsize = context->hashSize = USHAHashSize(whichSha); 3801 context->whichSha = whichSha; 3803 /* 3804 * If key is longer than the hash blocksize, 3805 * reset it to key = HASH(key). 3806 */ 3807 if (key_len > blocksize) { 3808 USHAContext tcontext; 3809 int err = USHAReset(&tcontext, whichSha) || 3810 USHAInput(&tcontext, key, key_len) || 3811 USHAResult(&tcontext, tempkey); 3812 if (err != shaSuccess) return err; 3814 key = tempkey; 3815 key_len = hashsize; 3816 } 3818 /* 3819 * The HMAC transform looks like: 3820 * 3821 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3822 * 3823 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3824 * ipad is the byte 0x36 repeated blocksize times, 3825 * opad is the byte 0x5c repeated blocksize times, 3826 * and text is the data being protected. 3827 */ 3829 /* store key into the pads, XOR'd with ipad and opad values */ 3830 for (i = 0; i < key_len; i++) { 3831 k_ipad[i] = key[i] ^ 0x36; 3832 context->k_opad[i] = key[i] ^ 0x5c; 3833 } 3834 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3835 for ( ; i < blocksize; i++) { 3836 k_ipad[i] = 0x36; 3837 context->k_opad[i] = 0x5c; 3838 } 3840 /* perform inner hash */ 3841 /* init context for 1st pass */ 3842 ret = USHAReset(&context->shaContext, whichSha) || 3843 /* and start with inner pad */ 3844 USHAInput(&context->shaContext, k_ipad, blocksize); 3845 return context->Corrupted = ret; 3846 } 3848 /* 3849 * hmacInput 3850 * 3851 * Description: 3852 * This function accepts an array of octets as the next portion 3853 * of the message. It may be called multiple times. 3854 * 3855 * Parameters: 3856 * context: [in/out] 3857 * The HMAC context to update 3858 * message_array: [in] 3859 * An array of octets representing the next portion of 3860 * the message. 3861 * length: [in] 3862 * The length of the message in message_array 3863 * 3864 * Returns: 3865 * sha Error Code. 3866 * 3867 */ 3868 int hmacInput(HMACContext *context, const unsigned char *text, 3869 int text_len) 3870 { 3871 if (!context) return shaNull; 3872 if (context->Corrupted) return context->Corrupted; 3873 if (context->Computed) return context->Corrupted = shaStateError; 3874 /* then text of datagram */ 3875 return context->Corrupted = 3876 USHAInput(&context->shaContext, text, text_len); 3877 } 3879 /* 3880 * hmacFinalBits 3881 * 3882 * Description: 3883 * This function will add in any final bits of the message. 3884 * 3885 * Parameters: 3886 * context: [in/out] 3887 * The HMAC context to update 3888 * message_bits: [in] 3889 * The final bits of the message, in the upper portion of the 3890 * byte. (Use 0b###00000 instead of 0b00000### to input the 3891 * three bits ###.) 3892 * length: [in] 3893 * The number of bits in message_bits, between 1 and 7. 3894 * 3895 * Returns: 3896 * sha Error Code. 3897 */ 3898 int hmacFinalBits(HMACContext *context, 3899 uint8_t bits, unsigned int bit_count) 3900 { 3901 if (!context) return shaNull; 3902 if (context->Corrupted) return context->Corrupted; 3903 if (context->Computed) return context->Corrupted = shaStateError; 3904 /* then final bits of datagram */ 3905 return context->Corrupted = 3906 USHAFinalBits(&context->shaContext, bits, bit_count); 3907 } 3909 /* 3910 * hmacResult 3911 * 3912 * Description: 3913 * This function will return the N-byte message digest into the 3914 * Message_Digest array provided by the caller. 3915 * 3916 * Parameters: 3917 * context: [in/out] 3918 * The context to use to calculate the HMAC hash. 3919 * digest: [out] 3920 * Where the digest is returned. 3921 * NOTE 2: The length of the hash is determined by the value of 3922 * whichSha that was passed to hmacReset(). 3924 * 3925 * Returns: 3926 * sha Error Code. 3927 * 3928 */ 3929 int hmacResult(HMACContext *context, uint8_t *digest) 3930 { 3931 int ret; 3932 if (!context) return shaNull; 3933 if (context->Corrupted) return context->Corrupted; 3934 if (context->Computed) return context->Corrupted = shaStateError; 3936 /* finish up 1st pass */ 3937 /* (Use digest here as a temporary buffer.) */ 3938 ret = 3939 USHAResult(&context->shaContext, digest) || 3941 /* perform outer SHA */ 3942 /* init context for 2nd pass */ 3943 USHAReset(&context->shaContext, context->whichSha) || 3945 /* start with outer pad */ 3946 USHAInput(&context->shaContext, context->k_opad, 3947 context->blockSize) || 3949 /* then results of 1st hash */ 3950 USHAInput(&context->shaContext, digest, context->hashSize) || 3952 /* finish up 2nd pass */ 3953 USHAResult(&context->shaContext, digest); 3955 context->Computed = 1; 3956 return context->Corrupted = ret; 3957 } 3959 8.4 The HKDF Code 3961 /**************************** hkdf.c ***************************/ 3962 /***************** See RFC NNNN for details. *******************/ 3963 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3964 /* authors of the code. All rights reserved. */ 3965 /* See sha.h for terms of use and redistribution. */ 3967 /* 3968 * Description: 3969 * This file implements the HKDF algorithm (HMAC-based 3970 * Extract-and-Expand Key Derivation Function, RFC 5869), 3971 * expressed in terms of the various SHA algorithms. 3973 */ 3975 #include "sha.h" 3976 #include 3977 #include 3979 /* 3980 * hkdf 3981 * 3982 * Description: 3983 * This function will compute an HKDF message digest. 3984 * 3985 * Parameters: 3986 * whichSha: [in] 3987 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3988 * salt: [in] 3989 * The optional salt value (a non-secret random value); 3990 * if not provided (salt == NULL), it is set internally 3991 * to a string of HashLen(whichSha) zeros. 3992 * salt_len: [in] 3993 * The length of the salt value. (Ignored if salt == NULL.) 3994 * ikm: [in] 3995 * Input keying material. 3996 * ikm_len: [in] 3997 * The length of the input keying material. 3998 * info: [in] 3999 * The optional context and application specific information. 4000 * If info == NULL or a zero-length string, it is ignored. 4001 * info_len: [in] 4002 * The length of the optional context and application specific 4003 * information. (Ignored if info == NULL.) 4004 * okm: [out] 4005 * Where the HKDF is to be stored. 4006 * okm_len: [in] 4007 * The length of the buffer to hold okm. 4008 * okm_len must be <= 255 * USHABlockSize(whichSha) 4009 * 4010 * Notes: 4011 * Calls hkdfExtract() and hkdfExpand(). 4012 * 4013 * Returns: 4014 * sha Error Code. 4015 * 4016 */ 4017 int hkdf(SHAversion whichSha, 4018 const unsigned char *salt, int salt_len, 4019 const unsigned char *ikm, int ikm_len, 4020 const unsigned char *info, int info_len, 4021 uint8_t okm[ ], int okm_len) 4022 { 4023 uint8_t prk[USHAMaxHashSize]; 4024 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 4025 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 4026 info_len, okm, okm_len); 4027 } 4029 /* 4030 * hkdfExtract 4031 * 4032 * Description: 4033 * This function will perform HKDF extraction. 4034 * 4035 * Parameters: 4036 * whichSha: [in] 4037 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4038 * salt: [in] 4039 * The optional salt value (a non-secret random value); 4040 * if not provided (salt == NULL), it is set internally 4041 * to a string of HashLen(whichSha) zeros. 4042 * salt_len: [in] 4043 * The length of the salt value. (Ignored if salt == NULL.) 4044 * ikm: [in] 4045 * Input keying material. 4046 * ikm_len: [in] 4047 * The length of the input keying material. 4048 * prk: [out] 4049 * Where the HKDF extraction is to be stored. 4050 * Must be larger than USHAHashSize(whichSha); 4051 * 4052 * Returns: 4053 * sha Error Code. 4054 * 4055 */ 4056 int hkdfExtract(SHAversion whichSha, 4057 const unsigned char *salt, int salt_len, 4058 const unsigned char *ikm, int ikm_len, 4059 uint8_t prk[USHAMaxHashSize]) 4060 { 4061 unsigned char nullSalt[USHAMaxHashSize]; 4062 if (salt == 0) { 4063 salt = nullSalt; 4064 salt_len = USHAHashSize(whichSha); 4065 memset(nullSalt, '\0', salt_len); 4066 } else if (salt_len < 0) { 4067 return shaBadParam; 4068 } 4069 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4070 } 4072 /* 4073 * hkdfExpand 4074 * 4075 * Description: 4076 * This function will perform HKDF expansion. 4077 * 4078 * Parameters: 4079 * whichSha: [in] 4080 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4081 * info: [in] 4082 * The optional context and application specific information. 4083 * If info == NULL or a zero-length string, it is ignored. 4084 * info_len: [in] 4085 * The length of the optional context and application specific 4086 * information. (Ignored if info == NULL.) 4087 * okm: [out] 4088 * Where the HKDF is to be stored. 4089 * okm_len: [in] 4090 * The length of the buffer to hold okm. 4091 * okm_len must be <= 255 * USHABlockSize(whichSha) 4092 * 4093 * Returns: 4094 * sha Error Code. 4095 * 4096 */ 4097 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4098 const unsigned char *info, int info_len, 4099 uint8_t okm[ ], int okm_len) 4100 { 4101 int hash_len, N; 4102 unsigned char T[USHAMaxHashSize]; 4103 int Tlen, where, i; 4105 if (info == 0) { 4106 info = (const unsigned char *)""; 4107 info_len = 0; 4108 } else if (info_len < 0) { 4109 return shaBadParam; 4110 } else if (prk_len < 0) { 4111 return shaBadParam; 4112 } else if (!okm) { 4113 return shaBadParam; 4114 } 4116 hash_len = USHAHashSize(whichSha); 4117 if (prk_len < hash_len) return shaBadParam; 4118 N = okm_len / hash_len; 4119 if ((okm_len % hash_len) != 0) N++; 4120 if (N > 255) return shaBadParam; 4122 Tlen = 0; 4123 where = 0; 4124 for (i = 1; i <= N; i++) { 4125 HMACContext context; 4126 unsigned char c = i; 4127 int ret = hmacReset(&context, whichSha, prk, hash_len) || 4128 hmacInput(&context, T, Tlen) || 4129 hmacInput(&context, info, info_len) || 4130 hmacInput(&context, &c, 1) || 4131 hmacResult(&context, T); 4132 if (ret != shaSuccess) return ret; 4133 memcpy(okm + where, T, 4134 (i != N) ? hash_len : (okm_len - where)); 4135 where += hash_len; 4136 Tlen = hash_len; 4137 } 4138 return shaSuccess; 4139 } 4141 /* 4142 * hkdfReset 4143 * 4144 * Description: 4145 * This function will initialize the hkdfContext in preparation 4146 * for computing a new HKDF message digest. It is used for 4147 * arbitrary length inputs. 4148 * 4149 * Parameters: 4150 * context: [in/out] 4151 * The context to reset. 4152 * whichSha: [in] 4153 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4154 * salt: [in] 4155 * The optional salt value (a non-secret random value); 4156 * if not provided (salt == NULL), it is set internally 4157 * to a string of HashLen(whichSha) zeros. 4158 * salt_len: [in] 4159 * The length of the salt value. (Ignored if salt == NULL.) 4160 * 4161 * Returns: 4162 * sha Error Code. 4163 * 4164 */ 4165 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4166 const unsigned char *salt, int salt_len) 4167 { 4168 unsigned char nullSalt[USHAMaxHashSize]; 4169 if (!context) return shaNull; 4171 context->whichSha = whichSha; 4172 context->hashSize = USHAHashSize(whichSha); 4173 if (salt == 0) { 4174 salt = nullSalt; 4175 salt_len = context->hashSize; 4176 memset(nullSalt, '\0', salt_len); 4177 } 4179 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4180 } 4182 /* 4183 * hkdfInput 4184 * 4185 * Description: 4186 * This function accepts an array of octets as the next portion 4187 * of the input keying material. It may be called multiple times. 4188 * 4189 * Parameters: 4190 * context: [in/out] 4191 * The HKDF context to update. 4192 * ikm: [in] 4193 * An array of octets representing the next portion of 4194 * the input keying material. 4195 * ikm_len: [in] 4196 * The length of ikm. 4197 * 4198 * Returns: 4199 * sha Error Code. 4200 * 4201 */ 4202 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4203 int ikm_len) 4204 { 4205 if (!context) return shaNull; 4206 if (context->Corrupted) return context->Corrupted; 4207 if (context->Computed) return context->Corrupted = shaStateError; 4208 return hmacInput(&context->hmacContext, ikm, ikm_len); 4209 } 4211 /* 4212 * hkdfFinalBits 4213 * 4214 * Description: 4215 * This function will add in any final bits of the 4216 * input keying material. 4217 * 4218 * Parameters: 4219 * context: [in/out] 4220 * The HKDF context to update 4221 * ikm_bits: [in] 4222 * The final bits of the input keying material, in the upper 4223 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4224 * to input the three bits ###.) 4225 * ikm_bit_count: [in] 4226 * The number of bits in message_bits, between 1 and 7. 4227 * 4228 * Returns: 4229 * sha Error Code. 4230 */ 4231 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4232 unsigned int ikm_bit_count) 4233 { 4234 if (!context) return shaNull; 4235 if (context->Corrupted) return context->Corrupted; 4236 if (context->Computed) return context->Corrupted = shaStateError; 4237 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4238 } 4240 /* 4241 * hkdfResult 4242 * 4243 * Description: 4244 * This function will finish the HKDF extraction and perform the 4245 * final HKDF expansion. 4246 * 4247 * Parameters: 4248 * context: [in/out] 4249 * The HKDF context to use to calculate the HKDF hash. 4250 * prk: [out] 4251 * An optional location to store the HKDF extraction. 4252 * Either NULL, or pointer to a buffer that must be 4253 * larger than USHAHashSize(whichSha); 4254 * info: [in] 4255 * The optional context and application specific information. 4256 * If info == NULL or a zero-length string, it is ignored. 4257 * info_len: [in] 4258 * The length of the optional context and application specific 4259 * information. (Ignored if info == NULL.) 4260 * okm: [out] 4261 * Where the HKDF is to be stored. 4262 * okm_len: [in] 4263 * The length of the buffer to hold okm. 4264 * okm_len must be <= 255 * USHABlockSize(whichSha) 4265 * 4266 * Returns: 4267 * sha Error Code. 4268 * 4269 */ 4270 int hkdfResult(HKDFContext *context, 4271 uint8_t prk[USHAMaxHashSize], 4272 const unsigned char *info, int info_len, 4273 uint8_t okm[ ], int okm_len) 4274 { 4275 uint8_t prkbuf[USHAMaxHashSize]; 4276 int ret; 4278 if (!context) return shaNull; 4279 if (context->Corrupted) return context->Corrupted; 4280 if (context->Computed) return context->Corrupted = shaStateError; 4281 if (!okm) return context->Corrupted = shaBadParam; 4282 if (!prk) prk = prkbuf; 4284 ret = hmacResult(&context->hmacContext, prk) || 4285 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4286 info_len, okm, okm_len); 4287 context->Computed = 1; 4288 return context->Corrupted = ret; 4289 } 4291 8.5 The Test Driver 4293 The following code is a main program test driver to exercise the code 4294 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4295 driver can also be used as a standalone program for generating the 4296 hashes. 4298 See also [SHAVS]. 4300 /************************** shatest.c **************************/ 4301 /***************** See RFC NNNN for details. *******************/ 4302 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4303 /* authors of the code. All rights reserved. */ 4304 /* See sha.h for terms of use and redistribution. */ 4306 /* 4307 * Description: 4308 * This file will exercise the SHA code performing 4309 * the three tests documented in FIPS PUB 180-2 4310 * (http://csrc.nist.gov/publications/fips/ 4311 * fips180-2/fips180-2withchangenotice.pdf) 4312 * one that calls SHAInput with an exact multiple of 512 bits 4313 * the seven tests documented for each algorithm in 4314 * "The Secure Hash Algorithm Validation System (SHAVS)" 4315 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4316 * three of which are bit-level tests 4317 * 4318 * This file will exercise the HMAC SHA1 code performing 4319 * the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. 4320 * 4321 * This file will exercise the HKDF code performing 4322 * the seven tests documented in RFC 4869. 4323 * 4324 * To run the tests and just see PASSED/FAILED, use the -p option. 4325 * 4326 * Other options exercise: 4327 * hashing an arbitrary string 4328 * hashing a file's contents 4329 * a few error test checks 4330 * printing the results in raw format 4331 * 4332 * Portability Issues: 4333 * None. 4334 * 4335 */ 4337 #include 4338 #include 4339 #include 4340 #include 4341 #include 4342 #include /* defines getopt() and optarg */ 4343 #include "sha.h" 4345 static int scasecmp(const char *s1, const char *s2); 4347 /* 4348 * Define patterns for testing 4349 */ 4350 #define TEST1 "abc" 4351 #define TEST2_1 \ 4352 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4353 #define TEST2_2a \ 4354 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4355 #define TEST2_2b \ 4356 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4357 #define TEST2_2 TEST2_2a TEST2_2b 4358 #define TEST3 "a" /* times 1000000 */ 4359 #define TEST4a "01234567012345670123456701234567" 4360 #define TEST4b "01234567012345670123456701234567" 4361 /* an exact multiple of 512 bits */ 4362 #define TEST4 TEST4a TEST4b /* times 10 */ 4364 #define TEST7_1 \ 4365 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4366 #define TEST8_1 \ 4367 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4368 #define TEST9_1 \ 4369 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4370 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4371 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4372 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4373 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4374 #define TEST10_1 \ 4375 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4376 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4377 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4378 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4379 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4380 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4381 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4382 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4383 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4384 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4385 "\xcd\xbb\xfb" 4386 #define TEST7_224 \ 4387 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4388 #define TEST8_224 \ 4389 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4390 #define TEST9_224 \ 4391 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4392 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4393 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4394 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4395 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4396 #define TEST10_224 \ 4397 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4398 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4399 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4400 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4401 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4402 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4403 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4404 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4405 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4406 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4407 "\x87\x82\x73" 4408 #define TEST7_256 \ 4409 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4410 #define TEST8_256 \ 4411 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4412 #define TEST9_256 \ 4413 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4414 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4415 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4416 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4417 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4418 #define TEST10_256 \ 4419 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4420 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4421 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4422 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4423 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4424 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4425 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4426 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4427 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4428 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4429 "\x3d\x54\xd6" 4430 #define TEST7_384 \ 4431 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4432 #define TEST8_384 \ 4433 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4434 #define TEST9_384 \ 4435 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4436 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4437 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4438 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4439 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4440 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4441 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4442 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4443 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4444 #define TEST10_384 \ 4445 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4446 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4447 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4448 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4449 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4450 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4451 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4452 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4453 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4454 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4455 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4456 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4457 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4458 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4459 "\x7e\xd0\x96" 4460 #define TEST7_512 \ 4461 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4462 #define TEST8_512 \ 4463 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4464 #define TEST9_512 \ 4465 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4466 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4467 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4468 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4469 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4470 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4471 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4472 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4473 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4474 #define TEST10_512 \ 4475 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4476 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4477 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4478 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4479 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4480 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4481 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4482 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4483 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4484 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4485 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4486 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4487 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4488 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4489 "\xfb\x40\xd2" 4490 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4491 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4492 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4493 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4494 "\x27" 4495 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4496 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4497 "\x27\x9c\x1c\xb0\xa7" 4498 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4499 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4500 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4501 "\xa4\x84\xbe\x74\x53" 4502 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4503 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4504 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4505 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4506 "\x4b\x12\x27\x20\x39" 4508 #define TESTCOUNT 10 4509 #define HASHCOUNT 5 4510 #define RANDOMCOUNT 4 4511 #define HMACTESTCOUNT 7 4512 #define HKDFTESTCOUNT 7 4514 #define PRINTNONE 0 4515 #define PRINTTEXT 1 4516 #define PRINTRAW 2 4517 #define PRINTHEX 3 4518 #define PRINTBASE64 4 4520 #define PRINTPASSFAIL 1 4521 #define PRINTFAIL 2 4523 #define length(x) (sizeof(x)-1) 4525 /* Test arrays for hashes. */ 4526 struct hash { 4527 const char *name; 4528 SHAversion whichSha; 4529 int hashsize; 4530 struct { 4531 const char *testarray; 4532 int length; 4533 long repeatcount; 4534 int extrabits; 4535 int numberExtrabits; 4536 const char *resultarray; 4537 } tests[TESTCOUNT]; 4538 const char *randomtest; 4539 const char *randomresults[RANDOMCOUNT]; 4540 } hashes[HASHCOUNT] = { 4541 { "SHA1", SHA1, SHA1HashSize, 4542 { 4543 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4544 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4545 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4546 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4547 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4548 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4549 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4550 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4551 /* 5 */ { "", 0, 0, 0x98, 5, 4552 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4553 /* 6 */ { "\x5e", 1, 1, 0, 0, 4554 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4555 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4556 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4557 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4558 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4559 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4560 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4561 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4562 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4563 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4564 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4565 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4566 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4567 } }, 4568 { "SHA224", SHA224, SHA224HashSize, 4569 { 4570 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4571 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4572 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4573 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4574 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4575 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4576 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4577 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4578 /* 5 */ { "", 0, 0, 0x68, 5, 4579 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4580 /* 6 */ { "\x07", 1, 1, 0, 0, 4581 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4582 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4583 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4584 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4585 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4586 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4587 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4588 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4589 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4590 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4591 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4592 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4593 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4594 "709563FB916227FED598EB621F" 4595 } }, 4596 { "SHA256", SHA256, SHA256HashSize, 4597 { 4598 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4599 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4600 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4601 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4602 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4603 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4604 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4605 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4606 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4607 "09DB45E7823EB5079CE7A573A3760F95" }, 4608 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4609 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4610 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4611 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4612 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4613 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4614 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4615 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4616 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4617 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4618 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4619 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4620 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4621 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4622 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4623 } }, 4624 { "SHA384", SHA384, SHA384HashSize, 4625 { 4626 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4627 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4628 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4629 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4630 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4631 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4632 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4633 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4634 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4635 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4636 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4637 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4638 /* 5 */ { "", 0, 0, 0x10, 5, 4639 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4640 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4641 /* 6 */ { "\xb9", 1, 1, 0, 0, 4642 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4643 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4644 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4645 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4646 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4647 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4648 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4649 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4650 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4651 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4652 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4653 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4654 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4655 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4656 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4657 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4658 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4659 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4660 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4661 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4662 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4663 } }, 4664 { "SHA512", SHA512, SHA512HashSize, 4665 { 4666 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4667 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4668 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4669 "454D4423643CE80E2A9AC94FA54CA49F" }, 4670 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4671 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4672 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4673 "C7D329EEB6DD26545E96E55B874BE909" }, 4674 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4675 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4676 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4677 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4678 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4679 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4680 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4681 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4682 /* 5 */ { "", 0, 0, 0xB0, 5, 4683 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4684 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4685 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4686 /* 6 */ { "\xD0", 1, 1, 0, 0, 4687 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4688 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4689 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4690 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4691 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4692 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4693 "7359B43E64F8BEC3C1F237119986BBB6" }, 4694 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4695 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4696 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4697 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4698 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4699 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4700 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4701 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4702 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4703 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4704 "C1A16A270D48719377966B957A878E720584779A62825C18" 4705 "DA26415E49A7176A894E7510FD1451F5" } 4706 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4707 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4708 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4709 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4710 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4711 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4712 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4713 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4714 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4715 } 4716 } 4717 }; 4719 /* Test arrays for HMAC. */ 4720 struct hmachash { 4721 const char *keyarray[5]; 4722 int keylength[5]; 4723 const char *dataarray[5]; 4724 int datalength[5]; 4725 const char *resultarray[5]; 4726 int resultlength[5]; 4727 } hmachashes[HMACTESTCOUNT] = { 4728 { /* 1 */ { 4729 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4730 "\x0b\x0b\x0b\x0b\x0b" 4731 }, { 20 }, { 4732 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4733 }, { 8 }, { 4734 /* HMAC-SHA-1 */ 4735 "B617318655057264E28BC0B6FB378C8EF146BE00", 4736 /* HMAC-SHA-224 */ 4737 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4738 /* HMAC-SHA-256 */ 4739 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4740 "CFF7", 4741 /* HMAC-SHA-384 */ 4742 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4743 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4744 /* HMAC-SHA-512 */ 4745 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4746 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4747 "3A126854" 4748 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4749 SHA384HashSize, SHA512HashSize } 4750 }, 4751 { /* 2 */ { 4752 "\x4a\x65\x66\x65" /* "Jefe" */ 4753 }, { 4 }, { 4754 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4755 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4756 /* "what do ya want for nothing?" */ 4757 }, { 28 }, { 4758 /* HMAC-SHA-1 */ 4759 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4760 /* HMAC-SHA-224 */ 4761 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4762 /* HMAC-SHA-256 */ 4763 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4764 "3843", 4765 /* HMAC-SHA-384 */ 4766 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4767 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4768 /* HMAC-SHA-512 */ 4769 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4770 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4771 "38BCE737" 4772 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4773 SHA384HashSize, SHA512HashSize } 4774 }, 4775 { /* 3 */ 4776 { 4777 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4778 "\xaa\xaa\xaa\xaa\xaa" 4779 }, { 20 }, { 4780 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4781 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4782 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4783 "\xdd\xdd\xdd\xdd\xdd" 4784 }, { 50 }, { 4785 /* HMAC-SHA-1 */ 4786 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4787 /* HMAC-SHA-224 */ 4788 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4789 /* HMAC-SHA-256 */ 4790 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4791 "65FE", 4792 /* HMAC-SHA-384 */ 4793 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4794 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4795 /* HMAC-SHA-512 */ 4796 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4797 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4798 "E13292FB" 4799 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4800 SHA384HashSize, SHA512HashSize } 4801 }, 4802 { /* 4 */ { 4803 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4804 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4805 }, { 25 }, { 4806 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4807 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4808 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4809 "\xcd\xcd\xcd\xcd\xcd" 4810 }, { 50 }, { 4811 /* HMAC-SHA-1 */ 4812 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4813 /* HMAC-SHA-224 */ 4814 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4815 /* HMAC-SHA-256 */ 4816 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4817 "665B", 4818 /* HMAC-SHA-384 */ 4819 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4820 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4821 /* HMAC-SHA-512 */ 4822 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4823 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4824 "10A298DD" 4825 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4826 SHA384HashSize, SHA512HashSize } 4827 }, 4828 { /* 5 */ { 4829 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4830 "\x0c\x0c\x0c\x0c\x0c" 4831 }, { 20 }, { 4832 "Test With Truncation" 4833 }, { 20 }, { 4834 /* HMAC-SHA-1 */ 4835 "4C1A03424B55E07FE7F27BE1", 4836 /* HMAC-SHA-224 */ 4837 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4838 /* HMAC-SHA-256 */ 4839 "A3B6167473100EE06E0C796C2955552B", 4840 /* HMAC-SHA-384 */ 4841 "3ABF34C3503B2A23A46EFC619BAEF897", 4842 /* HMAC-SHA-512 */ 4843 "415FAD6271580A531D4179BC891D87A6" 4844 }, { 12, 16, 16, 16, 16 } 4845 }, 4846 { /* 6 */ { 4847 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4848 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4849 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4850 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4851 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4852 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4853 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4854 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4855 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4856 }, { 80, 131 }, { 4857 "Test Using Larger Than Block-Size Key - Hash Key First" 4858 }, { 54 }, { 4859 /* HMAC-SHA-1 */ 4860 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4861 /* HMAC-SHA-224 */ 4862 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4863 /* HMAC-SHA-256 */ 4864 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4865 "7F54", 4866 /* HMAC-SHA-384 */ 4867 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4868 "C4C60C2EF6AB4030FE8296248DF163F44952", 4869 /* HMAC-SHA-512 */ 4870 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4871 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4872 "5D786598" 4873 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4874 SHA384HashSize, SHA512HashSize } 4875 }, 4876 { /* 7 */ { 4877 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4878 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4879 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4880 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4881 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4882 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4883 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4884 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4885 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4886 }, { 80, 131 }, { 4887 "Test Using Larger Than Block-Size Key and " 4888 "Larger Than One Block-Size Data", 4889 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4890 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4891 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4892 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4893 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4894 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4895 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4896 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4897 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4898 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4899 "\x6d\x2e" 4900 /* "This is a test using a larger than block-size key and a " 4901 "larger than block-size data. The key needs to be hashed " 4902 "before being used by the HMAC algorithm." */ 4903 }, { 73, 152 }, { 4904 /* HMAC-SHA-1 */ 4905 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4906 /* HMAC-SHA-224 */ 4907 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4908 /* HMAC-SHA-256 */ 4909 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4910 "35E2", 4911 /* HMAC-SHA-384 */ 4912 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4913 "99C5A678CC31E799176D3860E6110C46523E", 4914 /* HMAC-SHA-512 */ 4915 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4916 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4917 "FA8C6A58" 4918 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4919 SHA384HashSize, SHA512HashSize } 4920 } 4922 }; 4924 /* Test arrays for HKDF. */ 4925 struct hkdfhash { 4926 SHAversion whichSha; 4927 int ikmlength; 4928 const char *ikmarray; 4929 int saltlength; 4930 const char *saltarray; 4931 int infolength; 4932 const char *infoarray; 4933 int prklength; 4934 const char *prkarray; 4935 int okmlength; 4936 const char *okmarray; 4937 } hkdfhashes[HKDFTESTCOUNT] = { 4938 { /* RFC 5869 A.1. Test Case 1 */ 4939 SHA256, 4940 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4941 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4942 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4943 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4944 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4945 "D7C2B3E5", 4946 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4947 "ECC4C5BF34007208D5B887185865" 4948 }, 4949 { /* RFC 5869 A.2. Test Case 2 */ 4950 SHA256, 4951 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4952 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4953 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4954 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4955 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4956 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4957 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4958 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4959 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4960 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4961 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4962 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4963 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4964 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4965 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4966 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4967 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4968 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4969 32, "06A6B88C5853361A06104C9CEB35B45C" 4970 "EF760014904671014A193F40C15FC244", 4971 82, "B11E398DC80327A1C8E7F78C596A4934" 4972 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4973 "59045A99CAC7827271CB41C65E590E09" 4974 "DA3275600C2F09B8367793A9ACA3DB71" 4975 "CC30C58179EC3E87C14C01D5C1F3434F" 4976 "1D87" 4977 }, 4978 { /* RFC 5869 A.3. Test Case 3 */ 4979 SHA256, 4980 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4981 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4982 0, "", 4983 0, "", 4984 32, "19EF24A32C717B167F33A91D6F648BDF" 4985 "96596776AFDB6377AC434C1C293CCB04", 4986 42, "8DA4E775A563C18F715F802A063C5A31" 4987 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4988 "9D201395FAA4B61A96C8" 4989 }, 4990 { /* RFC 5869 A.4. Test Case 4 */ 4991 SHA1, 4992 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4993 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4994 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4995 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4996 42, "085A01EA1B10F36933068B56EFA5AD81" 4997 "A4F14B822F5B091568A9CDD4F155FDA2" 4998 "C22E422478D305F3F896" 4999 }, 5000 { /* RFC 5869 A.5. Test Case 5 */ 5001 SHA1, 5002 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 5003 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 5004 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 5005 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 5006 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 5007 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 5008 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 5009 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 5010 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 5011 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 5012 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 5013 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 5014 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 5015 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 5016 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 5017 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 5018 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 5019 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 5020 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 5021 82, "0BD770A74D1160F7C9F12CD5912A06EB" 5022 "FF6ADCAE899D92191FE4305673BA2FFE" 5023 "8FA3F1A4E5AD79F3F334B3B202B2173C" 5024 "486EA37CE3D397ED034C7F9DFEB15C5E" 5025 "927336D0441F4C4300E2CFF0D0900B52" 5026 "D3B4" 5027 }, 5028 { /* RFC 5869 A.6. Test Case 6 */ 5029 SHA1, 5030 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 5031 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 5032 0, "", 5033 0, "", 5034 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 5035 42, "0AC1AF7002B3D761D1E55298DA9D0506" 5036 "B9AE52057220A306E07B6B87E8DF21D0" 5037 "EA00033DE03984D34918" 5038 }, 5039 { /* RFC 5869 A.7. Test Case 7. */ 5040 SHA1, 5041 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 5042 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 5043 0, 0, 5044 0, "", 5045 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 5046 42, "2C91117204D745F3500D636A62F64F0A" 5047 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5048 "673A081D70CCE7ACFC48" 5049 } 5050 }; 5052 /* 5053 * Check the hash value against the expected string, expressed in hex 5054 */ 5055 static const char hexdigits[ ] = "0123456789ABCDEF"; 5056 int checkmatch(const unsigned char *hashvalue, 5057 const char *hexstr, int hashsize) 5058 { 5059 int i; 5060 for (i = 0; i < hashsize; ++i) { 5061 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5062 return 0; 5063 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5064 } 5065 return 1; 5066 } 5068 /* 5069 * Print the string, converting non-printable characters to "." 5070 */ 5071 void printstr(const char *str, int len) 5072 { 5073 for ( ; len-- > 0; str++) 5074 putchar(isprint((unsigned char)*str) ? *str : '.'); 5075 } 5077 /* 5078 * Print the string, converting all characters to hex "## ". 5079 */ 5080 void printxstr(const char *str, int len) 5081 { 5082 char *sep = ""; 5083 for ( ; len-- > 0; str++) { 5084 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5085 hexdigits[*str & 0xF]); 5086 sep = " "; 5087 } 5088 } 5090 /* 5091 * Print a usage message. 5092 */ 5093 void usage(const char *argv0) 5094 { 5095 fprintf(stderr, 5096 "Usage:\n" 5097 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5098 "Hash a string:\n" 5099 "\t%s [-S expectedresult] -s hashstr [-k key] " 5100 "[-i info -L okm-len]\n" 5101 "Hash a file:\n" 5102 "\t%s [-S expectedresult] -f file [-k key] " 5103 "[-i info -L okm-len]\n" 5104 "Hash a file, ignoring whitespace:\n" 5105 "\t%s [-S expectedresult] -F file [-k key] " 5106 "[-i info -L okm-len]\n" 5107 "Additional bits to add in: [-B bitcount -b bits]\n" 5108 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5109 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5110 " Otherwise, run SHA###.)\n" 5111 "Standard tests:\n" 5112 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5113 "\t\t[-r randomseed] [-R randomloop-count] " 5114 "[-p] [-P|-X]\n" 5115 "-h\thash to test: " 5116 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5117 "-m\tperform hmac standard tests\n" 5118 "-k\tkey for hmac test\n" 5119 "-d\tperform hkdf standard tests\n" 5120 "-t\ttest case to run, 1-10\n" 5121 "-l\thow many times to run the test\n" 5122 "-e\ttest error returns\n" 5123 "-p\tdo not print results\n" 5124 "-P\tdo not print PASSED/FAILED\n" 5125 "-X\tprint FAILED, but not PASSED\n" 5126 "-r\tseed for random test\n" 5127 "-R\thow many times to run random test\n" 5128 "-s\tstring to hash\n" 5129 "-S\texpected result of hashed string, in hex\n" 5130 "-w\toutput hash in raw format\n" 5131 "-x\toutput hash in hex format\n" 5132 "-6\toutput hash in base64 format\n" 5133 "-B\t# extra bits to add in after string or file input\n" 5134 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5135 "-H\tinput hashstr or randomseed is in hex\n" 5136 , argv0, argv0, argv0, argv0); 5137 exit(1); 5138 } 5140 /* 5141 * Print the results and PASS/FAIL. 5142 */ 5143 void printResult(uint8_t *Message_Digest, int hashsize, 5144 const char *hashname, const char *testtype, const char *testname, 5145 const char *resultarray, int printResults, int printPassFail) 5146 { 5147 int i, k; 5148 if (printResults == PRINTTEXT) { 5149 printf("\nhashsize=%d\n", hashsize); 5150 putchar('\t'); 5151 for (i = 0; i < hashsize; ++i) { 5152 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5153 putchar(hexdigits[Message_Digest[i] & 0xF]); 5154 putchar(' '); 5155 } 5156 putchar('\n'); 5157 } else if (printResults == PRINTRAW) { 5158 fwrite(Message_Digest, 1, hashsize, stdout); 5159 } else if (printResults == PRINTHEX) { 5160 for (i = 0; i < hashsize; ++i) { 5161 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5162 putchar(hexdigits[Message_Digest[i] & 0xF]); 5163 } 5164 putchar('\n'); 5165 } else if (printResults == PRINTBASE64) { 5166 unsigned char b; 5167 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5168 "0123456789+/"; 5169 for (i = 0; i < hashsize; i += 3) { 5170 putchar(sm[Message_Digest[i] >> 2]); 5171 b = (Message_Digest[i] & 0x03) << 4; 5172 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5173 putchar(sm[b]); 5174 if (i+1 < hashsize) { 5175 b = (Message_Digest[i+1] & 0x0f) << 2; 5176 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5177 putchar(sm[b]); 5178 } else putchar('='); 5179 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5180 else putchar('='); 5181 } 5182 putchar('\n'); 5183 } 5185 if (printResults && resultarray) { 5186 printf(" Should match:\n\t"); 5187 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5188 putchar(resultarray[k]); 5189 putchar(resultarray[k+1]); 5190 putchar(' '); 5191 } 5192 putchar('\n'); 5193 } 5195 if (printPassFail && resultarray) { 5196 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5197 if ((printPassFail == PRINTPASSFAIL) || !ret) 5198 printf("%s %s %s: %s\n", hashname, testtype, testname, 5199 ret ? "PASSED" : "FAILED"); 5200 } 5201 } 5203 /* 5204 * Exercise a hash series of functions. The input is the testarray, 5205 * repeated repeatcount times, followed by the extrabits. If the 5206 * result is known, it is in resultarray in uppercase hex. 5207 */ 5208 int hash(int testno, int loopno, int hashno, 5209 const char *testarray, int length, long repeatcount, 5210 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5211 int keylen, const unsigned char *info, int infolen, int okmlen, 5212 const char *resultarray, int hashsize, int printResults, 5213 int printPassFail) 5214 { 5215 USHAContext sha; 5216 HMACContext hmac; 5217 HKDFContext hkdf; 5218 int err, i; 5219 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5220 uint8_t *Message_Digest = Message_Digest_Buf; 5221 char buf[20]; 5222 if (printResults == PRINTTEXT) { 5223 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5224 loopno, repeatcount); 5225 printstr(testarray, length); 5226 printf("'\n\t'"); 5227 printxstr(testarray, length); 5228 printf("'\n"); 5229 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5230 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5231 } 5233 if (info) Message_Digest = malloc(okmlen); 5234 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5235 memset(&hmac, '\343', sizeof(hmac)); 5236 memset(&hkdf, '\343', sizeof(hkdf)); 5237 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5238 keyarray, keylen) : 5239 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5240 keyarray, keylen) : 5241 USHAReset(&sha, hashes[hashno].whichSha); 5242 if (err != shaSuccess) { 5243 fprintf(stderr, "hash(): %sReset Error %d.\n", 5244 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5245 return err; 5246 } 5248 for (i = 0; i < repeatcount; ++i) { 5249 err = info ? hkdfInput(&hkdf, (const uint8_t *)testarray, length) : 5250 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5251 length) : 5252 USHAInput(&sha, (const uint8_t *) testarray, 5253 length); 5254 if (err != shaSuccess) { 5255 fprintf(stderr, "hash(): %sInput Error %d.\n", 5256 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5257 return err; 5258 } 5259 } 5261 if (numberExtrabits > 0) { 5262 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5263 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5264 numberExtrabits) : 5265 USHAFinalBits(&sha, (uint8_t) extrabits, 5266 numberExtrabits); 5267 if (err != shaSuccess) { 5268 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5269 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5270 return err; 5271 } 5273 } 5275 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5276 Message_Digest, okmlen) : 5277 keyarray ? hmacResult(&hmac, Message_Digest) : 5278 USHAResult(&sha, Message_Digest); 5279 if (err != shaSuccess) { 5280 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5281 "message digest.\n", 5282 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5283 return err; 5284 } 5286 sprintf(buf, "%d", testno+1); 5287 printResult(Message_Digest, info ? okmlen : hashsize, 5288 hashes[hashno].name, info ? "hkdf standard test" : 5289 keyarray ? "hmac standard test" : "sha standard test", buf, 5290 resultarray, printResults, printPassFail); 5292 return err; 5293 } 5295 /* 5296 * Exercise an HKDF series. The input is the testarray, 5297 * repeated repeatcount times, followed by the extrabits. If the 5298 * result is known, it is in resultarray in uppercase hex. 5299 */ 5300 int hashHkdf(int testno, int loopno, int hashno, 5301 int printResults, int printPassFail) 5302 { 5303 int err; 5304 unsigned char prk[USHAMaxHashSize+1]; 5305 uint8_t okm[255 * USHAMaxHashSize+1]; 5306 char buf[20]; 5308 if (printResults == PRINTTEXT) { 5309 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5310 printxstr(hkdfhashes[testno].saltarray, 5311 hkdfhashes[testno].saltlength); 5312 printf("'\n\tIKM\t'"); 5313 printxstr(hkdfhashes[testno].ikmarray, 5314 hkdfhashes[testno].ikmlength); 5315 printf("'\n\tINFO\t'"); 5316 printxstr(hkdfhashes[testno].infoarray, 5317 hkdfhashes[testno].infolength); 5318 printf("'\n"); 5319 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5320 } 5322 /* Run hkdf() against the test vectors */ 5323 err = hkdf(hkdfhashes[testno].whichSha, 5324 (const uint8_t *) hkdfhashes[testno].saltarray, 5325 hkdfhashes[testno].saltlength, 5326 (const uint8_t *) hkdfhashes[testno].ikmarray, 5327 hkdfhashes[testno].ikmlength, 5328 (const uint8_t *) hkdfhashes[testno].infoarray, 5329 hkdfhashes[testno].infolength, okm, 5330 hkdfhashes[testno].okmlength); 5331 if (err != shaSuccess) { 5332 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5333 return err; 5334 } 5335 sprintf(buf, "hkdf %d", testno+1); 5336 printResult(okm, hkdfhashes[testno].okmlength, 5337 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5338 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5340 /* Now run hkdfExtract() by itself against the test vectors */ 5341 /* to verify the intermediate results. */ 5342 err = hkdfExtract(hkdfhashes[testno].whichSha, 5343 (const uint8_t *) hkdfhashes[testno].saltarray, 5344 hkdfhashes[testno].saltlength, 5345 (const uint8_t *) hkdfhashes[testno].ikmarray, 5346 hkdfhashes[testno].ikmlength, prk); 5347 if (err != shaSuccess) { 5348 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5349 return err; 5350 } 5351 sprintf(buf, "hkdfExtract %d", testno+1); 5352 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5353 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5354 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5356 /* Now run hkdfExpand() by itself against the test vectors */ 5357 /* using the intermediate results from hkdfExtract. */ 5358 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5359 USHAHashSize(hkdfhashes[testno].whichSha), 5360 (const uint8_t *)hkdfhashes[testno].infoarray, 5361 hkdfhashes[testno].infolength, okm, hkdfhashes[testno].okmlength); 5362 if (err != shaSuccess) { 5363 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5364 return err; 5365 } 5366 sprintf(buf, "hkdfExpand %d", testno+1); 5367 printResult(okm, hkdfhashes[testno].okmlength, 5368 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5369 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5371 return err; 5372 } 5373 /* 5374 * Exercise a hash series of functions. The input is a filename. 5375 * If the result is known, it is in resultarray in uppercase hex. 5376 */ 5377 int hashfile(int hashno, const char *hashfilename, int bits, 5378 int bitcount, int skipSpaces, const unsigned char *keyarray, 5379 int keylen, const unsigned char *info, int infolen, int okmlen, 5380 const char *resultarray, int hashsize, 5381 int printResults, int printPassFail) 5382 { 5383 USHAContext sha; 5384 HMACContext hmac; 5385 HKDFContext hkdf; 5386 int err, nread, c; 5387 unsigned char buf[4096]; 5388 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5389 uint8_t *Message_Digest = Message_Digest_Buf; 5390 unsigned char cc; 5391 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5392 fopen(hashfilename, "r"); 5394 if (!hashfp) { 5395 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5396 return shaStateError; 5397 } 5399 if (info) Message_Digest = malloc(okmlen); 5400 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5401 memset(&hmac, '\343', sizeof(hmac)); 5402 memset(&hkdf, '\343', sizeof(hkdf)); 5403 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5404 keyarray, keylen) : 5405 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5406 keyarray, keylen) : 5407 USHAReset(&sha, hashes[hashno].whichSha); 5408 if (err != shaSuccess) { 5409 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5410 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5411 return err; 5412 } 5414 if (skipSpaces) 5415 while ((c = getc(hashfp)) != EOF) { 5416 if (!isspace(c)) { 5417 cc = (unsigned char)c; 5418 err = info ? hkdfInput(&hkdf, &cc, 1) : 5419 keyarray ? hmacInput(&hmac, &cc, 1) : 5420 USHAInput(&sha, &cc, 1); 5421 if (err != shaSuccess) { 5422 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5423 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5424 if (hashfp != stdin) fclose(hashfp); 5425 return err; 5426 } 5427 } 5428 } 5429 else 5430 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5431 err = info ? hkdfInput(&hkdf, buf, nread) : 5432 keyarray ? hmacInput(&hmac, buf, nread) : 5433 USHAInput(&sha, buf, nread); 5434 if (err != shaSuccess) { 5435 fprintf(stderr, "hashfile(): %s Error %d.\n", 5436 info ? "hkdf" : keyarray ? "hmacInput" : 5437 "shaInput", err); 5438 if (hashfp != stdin) fclose(hashfp); 5439 return err; 5440 } 5441 } 5443 if (bitcount > 0) 5444 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5445 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5446 USHAFinalBits(&sha, bits, bitcount); 5447 if (err != shaSuccess) { 5448 fprintf(stderr, "hashfile(): %s Error %d.\n", 5449 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5450 "shaFinalBits", err); 5451 if (hashfp != stdin) fclose(hashfp); 5452 return err; 5453 } 5455 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5456 Message_Digest, okmlen) : 5457 keyarray ? hmacResult(&hmac, Message_Digest) : 5458 USHAResult(&sha, Message_Digest); 5459 if (err != shaSuccess) { 5460 fprintf(stderr, "hashfile(): %s Error %d.\n", 5461 info ? "hkdf" : keyarray ? "hmacResult" : 5462 "shaResult", err); 5463 if (hashfp != stdin) fclose(hashfp); 5464 return err; 5465 } 5467 printResult(Message_Digest, info ? okmlen : hashsize, 5468 hashes[hashno].name, "file", hashfilename, resultarray, 5469 printResults, printPassFail); 5471 if (hashfp != stdin) fclose(hashfp); 5472 if (info) free(Message_Digest); 5473 return err; 5474 } 5476 /* 5477 * Exercise a hash series of functions through multiple permutations. 5478 * The input is an initial seed. That seed is replicated 3 times. 5479 * For 1000 rounds, the previous three results are used as the input. 5480 * This result is then checked, and used to seed the next cycle. 5481 * If the result is known, it is in resultarrays in uppercase hex. 5482 */ 5483 void randomtest(int hashno, const char *seed, int hashsize, 5484 const char **resultarrays, int randomcount, 5485 int printResults, int printPassFail) 5486 { 5487 int i, j; char buf[20]; 5488 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5490 /* INPUT: Seed - A random seed n bits long */ 5491 memcpy(SEED, seed, hashsize); 5492 if (printResults == PRINTTEXT) { 5493 printf("%s random test seed= '", hashes[hashno].name); 5494 printxstr(seed, hashsize); 5495 printf("'\n"); 5496 } 5498 for (j = 0; j < randomcount; j++) { 5499 /* MD0 = MD1 = MD2 = Seed; */ 5500 memcpy(MD[0], SEED, hashsize); 5501 memcpy(MD[1], SEED, hashsize); 5502 memcpy(MD[2], SEED, hashsize); 5503 for (i=3; i<1003; i++) { 5504 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5505 USHAContext Mi; 5506 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5507 USHAReset(&Mi, hashes[hashno].whichSha); 5508 USHAInput(&Mi, MD[i-3], hashsize); 5509 USHAInput(&Mi, MD[i-2], hashsize); 5510 USHAInput(&Mi, MD[i-1], hashsize); 5511 /* MDi = SHA(Mi); */ 5512 USHAResult(&Mi, MD[i]); 5513 } 5515 /* MDj = Seed = MDi; */ 5516 memcpy(SEED, MD[i-1], hashsize); 5518 /* OUTPUT: MDj */ 5519 sprintf(buf, "%d", j); 5520 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5521 buf, resultarrays ? resultarrays[j] : 0, printResults, 5522 (j < RANDOMCOUNT) ? printPassFail : 0); 5524 } 5525 } 5527 /* 5528 * Look up a hash name. 5529 */ 5530 int findhash(const char *argv0, const char *opt) 5531 { 5532 int i; 5533 const char *names[HASHCOUNT][2] = { 5534 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5535 { "3", "sha384" }, { "4", "sha512" } 5536 }; 5538 for (i = 0; i < HASHCOUNT; i++) 5539 if ((strcmp(opt, names[i][0]) == 0) || 5540 (scasecmp(opt, names[i][1]) == 0)) 5541 return i; 5543 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5544 usage(argv0); 5545 return 0; 5546 } 5548 /* 5549 * Run some tests that should invoke errors. 5550 */ 5551 void testErrors(int hashnolow, int hashnohigh, int printResults, 5552 int printPassFail) 5553 { 5554 USHAContext usha; 5555 uint8_t Message_Digest[USHAMaxHashSize]; 5556 int hashno, err; 5558 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5559 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5560 USHAReset(&usha, hashno); 5561 USHAResult(&usha, Message_Digest); 5562 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5563 if (printResults == PRINTTEXT) 5564 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5565 if ((printPassFail == PRINTPASSFAIL) || 5566 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5567 printf("%s se: %s\n", hashes[hashno].name, 5568 (err == shaStateError) ? "PASSED" : "FAILED"); 5570 err = USHAFinalBits(&usha, 0x80, 3); 5571 if (printResults == PRINTTEXT) 5572 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5573 if ((printPassFail == PRINTPASSFAIL) || 5574 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5575 printf("%s se: %s\n", hashes[hashno].name, 5576 (err == shaStateError) ? "PASSED" : "FAILED"); 5578 err = USHAReset(0, hashes[hashno].whichSha); 5579 if (printResults == PRINTTEXT) 5580 printf("\nError %d. Should be %d.\n", err, shaNull); 5581 if ((printPassFail == PRINTPASSFAIL) || 5582 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5583 printf("%s usha null: %s\n", hashes[hashno].name, 5584 (err == shaNull) ? "PASSED" : "FAILED"); 5586 switch (hashno) { 5587 case SHA1: err = SHA1Reset(0); break; 5588 case SHA224: err = SHA224Reset(0); break; 5589 case SHA256: err = SHA256Reset(0); break; 5590 case SHA384: err = SHA384Reset(0); break; 5591 case SHA512: err = SHA512Reset(0); break; 5592 } 5593 if (printResults == PRINTTEXT) 5594 printf("\nError %d. Should be %d.\n", err, shaNull); 5595 if ((printPassFail == PRINTPASSFAIL) || 5596 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5597 printf("%s sha null: %s\n", hashes[hashno].name, 5598 (err == shaNull) ? "PASSED" : "FAILED"); 5599 } 5600 } 5602 /* replace a hex string in place with its value */ 5603 int unhexStr(char *hexstr) 5604 { 5605 char *o = hexstr; 5606 int len = 0, nibble1 = 0, nibble2 = 0; 5607 if (!hexstr) return 0; 5608 for ( ; *hexstr; hexstr++) { 5609 if (isalpha((int)(unsigned char)(*hexstr))) { 5610 nibble1 = tolower(*hexstr) - 'a' + 10; 5611 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5612 nibble1 = *hexstr - '0'; 5613 } else { 5614 printf("\nError: bad hex character '%c'\n", *hexstr); 5615 } 5616 if (!*++hexstr) break; 5617 if (isalpha((int)(unsigned char)(*hexstr))) { 5618 nibble2 = tolower(*hexstr) - 'a' + 10; 5619 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5620 nibble2 = *hexstr - '0'; 5621 } else { 5622 printf("\nError: bad hex character '%c'\n", *hexstr); 5623 } 5624 *o++ = (char)((nibble1 << 4) | nibble2); 5625 len++; 5626 } 5627 return len; 5628 } 5630 int main(int argc, char **argv) 5631 { 5632 int i, err; 5633 int loopno, loopnohigh = 1; 5634 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5635 int testno, testnolow = 0, testnohigh; 5636 int ntestnohigh = 0; 5637 int printResults = PRINTTEXT; 5638 int printPassFail = 1; 5639 int checkErrors = 0; 5640 char *hashstr = 0; 5641 int hashlen = 0; 5642 const char *resultstr = 0; 5643 char *randomseedstr = 0; 5644 int runHmacTests = 0; 5645 int runHkdfTests = 0; 5646 char *hmacKey = 0; 5647 int hmaclen = 0; 5648 char *info = 0; 5649 int infolen = 0, okmlen = 0; 5650 int randomcount = RANDOMCOUNT; 5651 const char *hashfilename = 0; 5652 const char *hashFilename = 0; 5653 int extrabits = 0, numberExtrabits = 0; 5654 int strIsHex = 0; 5656 while ((i = getopt(argc, argv, 5657 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5658 switch (i) { 5659 case 'b': extrabits = strtol(optarg, 0, 0); break; 5660 case 'B': numberExtrabits = atoi(optarg); break; 5661 case 'd': runHkdfTests = 1; break; 5662 case 'e': checkErrors = 1; break; 5663 case 'f': hashfilename = optarg; break; 5664 case 'F': hashFilename = optarg; break; 5665 case 'h': hashnolow = hashnohigh = findhash(argv[0], optarg); 5666 break; 5667 case 'H': strIsHex = 1; break; 5668 case 'i': info = optarg; infolen = strlen(optarg); break; 5669 case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break; 5670 case 'l': loopnohigh = atoi(optarg); break; 5671 case 'L': okmlen = strtol(optarg, 0, 0); break; 5672 case 'm': runHmacTests = 1; break; 5673 case 'P': printPassFail = 0; break; 5674 case 'p': printResults = PRINTNONE; break; 5675 case 'R': randomcount = atoi(optarg); break; 5676 case 'r': randomseedstr = optarg; break; 5677 case 's': hashstr = optarg; hashlen = strlen(hashstr); break; 5678 case 'S': resultstr = optarg; break; 5679 case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break; 5680 case 'w': printResults = PRINTRAW; break; 5681 case 'x': printResults = PRINTHEX; break; 5682 case 'X': printPassFail = 2; break; 5683 case '6': printResults = PRINTBASE64; break; 5684 default: usage(argv[0]); 5685 } 5687 if (strIsHex) { 5688 hashlen = unhexStr(hashstr); 5689 unhexStr(randomseedstr); 5690 hmaclen = unhexStr(hmacKey); 5691 infolen = unhexStr(info); 5692 } 5693 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5694 runHmacTests ? (HMACTESTCOUNT-1) : 5695 runHkdfTests ? (HKDFTESTCOUNT-1) : 5696 (TESTCOUNT-1); 5697 if ((testnolow < 0) || 5698 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5699 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5700 (hashstr && (testnolow == testnohigh)) || 5701 (randomcount < 0) || 5702 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5703 ((runHmacTests || hmacKey) && randomseedstr) || 5704 (hashfilename && hashFilename) || 5705 (info && ((infolen <= 0) || (okmlen <= 0))) || 5706 (info && !hmacKey)) 5707 usage(argv[0]); 5709 /* 5710 * Perform SHA/HMAC tests 5711 */ 5712 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5713 if (printResults == PRINTTEXT) 5714 printf("Hash %s\n", hashes[hashno].name); 5715 err = shaSuccess; 5717 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5718 ++loopno) { 5719 if (hashstr) 5720 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5721 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5722 hmaclen, (const uint8_t *) info, infolen, okmlen, resultstr, 5723 hashes[hashno].hashsize, printResults, printPassFail); 5725 else if (randomseedstr) 5726 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5727 randomcount, printResults, printPassFail); 5729 else if (hashfilename) 5730 err = hashfile(hashno, hashfilename, extrabits, 5731 numberExtrabits, 0, 5732 (const unsigned char *)hmacKey, hmaclen, 5733 (const uint8_t *) info, infolen, okmlen, 5734 resultstr, hashes[hashno].hashsize, 5735 printResults, printPassFail); 5737 else if (hashFilename) 5738 err = hashfile(hashno, hashFilename, extrabits, 5739 numberExtrabits, 1, 5740 (const unsigned char *)hmacKey, hmaclen, 5741 (const uint8_t *) info, infolen, okmlen, 5742 resultstr, hashes[hashno].hashsize, 5743 printResults, printPassFail); 5745 else /* standard tests */ { 5746 for (testno = testnolow; 5747 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5748 if (runHmacTests) { 5749 err = hash(testno, loopno, hashno, 5750 hmachashes[testno].dataarray[hashno] ? 5751 hmachashes[testno].dataarray[hashno] : 5752 hmachashes[testno].dataarray[1] ? 5753 hmachashes[testno].dataarray[1] : 5754 hmachashes[testno].dataarray[0], 5755 hmachashes[testno].datalength[hashno] ? 5756 hmachashes[testno].datalength[hashno] : 5757 hmachashes[testno].datalength[1] ? 5758 hmachashes[testno].datalength[1] : 5759 hmachashes[testno].datalength[0], 5760 1, 0, 0, 5761 (const unsigned char *)( 5762 hmachashes[testno].keyarray[hashno] ? 5763 hmachashes[testno].keyarray[hashno] : 5764 hmachashes[testno].keyarray[1] ? 5765 hmachashes[testno].keyarray[1] : 5766 hmachashes[testno].keyarray[0]), 5767 hmachashes[testno].keylength[hashno] ? 5768 hmachashes[testno].keylength[hashno] : 5769 hmachashes[testno].keylength[1] ? 5770 hmachashes[testno].keylength[1] : 5771 hmachashes[testno].keylength[0], 5772 0, 0, 0, 5773 hmachashes[testno].resultarray[hashno], 5774 hmachashes[testno].resultlength[hashno], 5775 printResults, printPassFail); 5776 } else if (runHkdfTests) { 5777 err = hashHkdf(testno, loopno, hashno, 5778 printResults, printPassFail); 5779 } else { /* sha tests */ 5780 err = hash(testno, loopno, hashno, 5781 hashes[hashno].tests[testno].testarray, 5782 hashes[hashno].tests[testno].length, 5783 hashes[hashno].tests[testno].repeatcount, 5784 hashes[hashno].tests[testno].numberExtrabits, 5785 hashes[hashno].tests[testno].extrabits, 5786 0, 0, 0, 0, 0, 5787 hashes[hashno].tests[testno].resultarray, 5788 hashes[hashno].hashsize, 5789 printResults, printPassFail); 5790 } 5791 } 5792 if (!runHmacTests && !runHkdfTests) { 5793 randomtest(hashno, hashes[hashno].randomtest, 5794 hashes[hashno].hashsize, hashes[hashno].randomresults, 5795 RANDOMCOUNT, printResults, printPassFail); 5796 } 5797 } 5798 } 5799 } 5801 /* Test some error returns */ 5802 if (checkErrors) { 5803 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5804 } 5806 return 0; 5807 } 5809 /* 5810 * Compare two strings, case independently. 5811 * Equivalent to strcasecmp() found on some systems. 5812 */ 5813 int scasecmp(const char *s1, const char *s2) 5814 { 5815 for (;;) { 5816 char u1 = tolower(*s1++); 5817 char u2 = tolower(*s2++); 5818 if (u1 != u2) 5819 return u1 - u2; 5820 if (u1 == '\0') 5821 return 0; 5822 } 5823 } 5824 9. IANA Considerations 5826 This document requires no IANA Actions. The RFC Editor should delete 5827 this section before publication. 5829 10. Security Considerations 5831 This document is intended to provide convenient open source access by 5832 the Internet community to the United States of America Federal 5833 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5834 180-2], HMACs based thereon, and HKDF. No independent assertion of 5835 the security of these functions by the authors for any particular use 5836 is intended. 5838 11. Acknowledgements 5840 Thanks for the corrections to [RFC4634] that were provided by Alfred 5841 Hoenes and Jan Andres and to Alfred's comments on the drafts hereof. 5843 12. References 5845 RFC Editor Note: All occurances of "RFC NNNN" should be edited to 5846 replace "NNNN" with this documents RFC number and this note should be 5847 deleted. 5849 12.1 Normative References 5851 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5852 Hashing for Message Authentication", RFC 2104, February 1997. 5854 [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate 5855 Requirement Levels", BCP 14, RFC 2119, March 1997. 5857 [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5858 Expand Key Derivation Function (HKDF)", RFC 5869, May 2010. 5860 [SHS] - "Secure Hash Standard", United States of American, National 5861 Institute of Science and Technology, Federal Information 5862 Processing Standard (FIPS) 180-3, 5863 http://csrc.nist.gov/publications/fips/fips180- 5864 3/fips180-3_final.pdf. 5866 12.2 Informative References 5868 [RFC2202] - P. Cheng, R. Glenn, "Test Cases for HMAC-MD5 and HMAC- 5869 SHA-1", September 1997. 5871 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5872 (SHA1)", September 2001. 5874 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5875 September 2004. 5877 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5878 Algorithms and Identifiers for RSA Cryptography for use in the 5879 Internet X.509 Public Key Infrastructure Certificate and 5880 Certificate Revocation List (CRL) Profile", RFC 4055, June 2005 5882 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5883 Requirements for Security", May 2005. 5885 [RFC4231] - M. Nystrom, "Identifiers and Test Vectors for HMAC- 5886 SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 5887 December 2005. 5889 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5890 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5892 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5893 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5895 Appendix: Changes from RFC 4634 5897 The following changes were made to RFC 4634 to produce this document: 5899 1. Add code for HKDF and brief text about HKDF with pointer to 5900 [RFC5869]. 5902 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5903 no case did the old code return an incorrect hash value. 5905 2.a Correct some of the error return values which has erroneously 5906 been "shaNull" to the correct "shaInputTooLong" error. 5908 2.b Update comments and variable names within the code for 5909 consistency and clarity and other editorial changes. 5911 2.c The previous code for SHA-384 and SHA-512 would stop after 5912 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5913 bytes (2^128 bits). 5915 2.d Add additional error checking. 5917 3. Update boilerplate, remove special license in [RFC4634] as new 5918 boilerplate mandates simplified BSD license. 5920 4. Repalce MIT version of getopt with new code to satisfy IETF 5921 incoming and outgoing license restrictions. 5923 5. Other assorted editorial improvements. 5925 Appendix Z: Edit History 5927 RFC Editor, Please delete this Appendix Z on publication. 5929 Z.1 Changes from -00 to -01 5931 Add hash function OIDs and informational reference to [RFC4055]. A 5932 few Editorial changes and typo fixes. 5934 Z.2 Changes from -01 to -02 5936 In shatest.c, replace MIT getopt (xgetopt) code with new code to 5937 avoid possible conflict between MIT license and IETF required BSD 5938 license. 5940 Z.3 Changes from -02 to -03 5942 Problem with MIT getopt is given incompletely in -01 to -02 changes. 5943 Actual problem includes conflict with IETF incoming license 5944 restriction. Also, add this change to Appendix giving changes from 5945 RFC 4634. Update to incorporate RFC number for the HKDF RFC. 5946 Numerous editorial changes. 5948 Author's Address 5950 Donald E. Eastlake, 3rd 5951 Stellar Switches 5952 155 Beaver Street 5953 Milford, MA 01757 USA 5955 Telephone: +1-508-333-2270 5956 EMail: d3e3e3@gmail.com 5958 Tony Hansen 5959 AT&T Laboratories 5960 200 Laurel Ave. 5961 Middletown, NJ 07748 USA 5963 Telephone: +1-732-420-8934 5964 EMail: tony+shs@maillennium.att.com 5966 Copyright, Disclaimer, and Additional IPR Provisions 5968 Copyright (c) 2010 IETF Trust and the persons identified as the 5969 document authors. All rights reserved. 5971 This document is subject to BCP 78 and the IETF Trust's Legal 5972 Provisions Relating to IETF Documents 5973 (http://trustee.ietf.org/license-info) in effect on the date of 5974 publication of this document. Please review these documents 5975 carefully, as they describe your rights and restrictions with respect 5976 to this document. Code Components extracted from this document must 5977 include Simplified BSD License text as described in Section 4.e of 5978 the Trust Legal Provisions and are provided without warranty as 5979 described in the BSD License. This Internet-Draft is submitted to 5980 IETF in full conformance with the provisions of BCP 78 and BCP 79.