idnits 2.17.00 (12 Aug 2021) /tmp/idnits54443/draft-eastlake-sha2b-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 755 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 22, 2010) is 4258 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5508, but not defined -- Looks like a reference, but probably isn't: '4' on line 3170 == Missing Reference: 'SHA1HashSize' is mentioned on line 1537, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1928, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2063, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2754, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2894, but not defined -- Looks like a reference, but probably isn't: '0' on line 5725 -- Looks like a reference, but probably isn't: '1' on line 5724 -- Looks like a reference, but probably isn't: '2' on line 5486 -- Looks like a reference, but probably isn't: '3' on line 3282 -- Looks like a reference, but probably isn't: '8' on line 3087 -- Looks like a reference, but probably isn't: '80' on line 3125 -- Looks like a reference, but probably isn't: '56' on line 2273 -- Looks like a reference, but probably isn't: '57' on line 2274 -- Looks like a reference, but probably isn't: '58' on line 2275 -- Looks like a reference, but probably isn't: '59' on line 2276 -- Looks like a reference, but probably isn't: '60' on line 2277 -- Looks like a reference, but probably isn't: '61' on line 2278 -- Looks like a reference, but probably isn't: '62' on line 2279 -- Looks like a reference, but probably isn't: '63' on line 2280 -- Looks like a reference, but probably isn't: '5' on line 4678 -- Looks like a reference, but probably isn't: '6' on line 3172 -- Looks like a reference, but probably isn't: '7' on line 3173 -- Looks like a reference, but probably isn't: '64' on line 2146 -- Looks like a reference, but probably isn't: '9' on line 3049 -- Looks like a reference, but probably isn't: '10' on line 3088 -- Looks like a reference, but probably isn't: '11' on line 3051 -- Looks like a reference, but probably isn't: '12' on line 3089 -- Looks like a reference, but probably isn't: '13' on line 3053 -- Looks like a reference, but probably isn't: '14' on line 3090 -- Looks like a reference, but probably isn't: '15' on line 3055 -- Looks like a reference, but probably isn't: '112' on line 3284 -- Looks like a reference, but probably isn't: '113' on line 3285 -- Looks like a reference, but probably isn't: '114' on line 3286 -- Looks like a reference, but probably isn't: '115' on line 3287 -- Looks like a reference, but probably isn't: '116' on line 3288 -- Looks like a reference, but probably isn't: '117' on line 3289 -- Looks like a reference, but probably isn't: '118' on line 3290 -- Looks like a reference, but probably isn't: '119' on line 3291 -- Looks like a reference, but probably isn't: '120' on line 3293 -- Looks like a reference, but probably isn't: '121' on line 3294 -- Looks like a reference, but probably isn't: '122' on line 3295 -- Looks like a reference, but probably isn't: '123' on line 3296 -- Looks like a reference, but probably isn't: '124' on line 3297 -- Looks like a reference, but probably isn't: '125' on line 3298 -- Looks like a reference, but probably isn't: '126' on line 3299 -- Looks like a reference, but probably isn't: '127' on line 3300 == Missing Reference: 'RFC 2104' is mentioned on line 3660, but not defined == Missing Reference: 'RFC 2202' is mentioned on line 4270, but not defined == Missing Reference: 'RFC 4231' is mentioned on line 4270, but not defined == Missing Reference: 'TESTCOUNT' is mentioned on line 4489, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4491, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5486, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4679, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4890, but not defined -- Looks like a reference, but probably isn't: '20' on line 5442 -- Looks like a reference, but probably isn't: '4096' on line 5342 -- Looks like a reference, but probably isn't: '1003' on line 5443 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 1 error (**), 0 flaws (~~), 16 warnings (==), 50 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Stellar Switches 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: March 21, 2011 September 22, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 This document replaces RFC 4634, fixing errata and adding code for an 14 HMAC-based extract-and-expand key derivation function. 16 The United States of America has adopted a suite of secure hash 17 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 18 Information Processing Standard (FIPS), specifically SHA-224, 19 SHA-256, SHA-384, and SHA-512. This document makes open source code 20 performing the SHA hash functions conveniently available to the 21 Internet community. The sample code supports input strings of 22 arbitrary bit length. Much of the text herein was adapted by the 23 authors from FIPS 180-2. 25 As with RFC 4634, code to perform SHA based HMACs is included and, 26 new in this version, code for HKDF (RFC 5869) is included. 28 Status of This Memo 30 This Internet-Draft is submitted to IETF in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Distribution of this document is unlimited. Comments should be sent 34 to the authors. 36 Internet-Drafts are working documents of the Internet Engineering 37 Task Force (IETF), its areas, and its working groups. Note that 38 other groups may also distribute working documents as Internet- 39 Drafts. 41 Internet-Drafts are draft documents valid for a maximum of six months 42 and may be updated, replaced, or obsoleted by other documents at any 43 time. It is inappropriate to use Internet-Drafts as reference 44 material or to cite them other than as "work in progress." 46 The list of current Internet-Drafts can be accessed at 47 http://www.ietf.org/1id-abstracts.html 49 The list of Internet-Draft Shadow Directories can be accessed at 50 http://www.ietf.org/shadow.html 52 Table of Contents 54 1. Overview of Contents....................................3 55 2. Notation for Bit Strings and Integers...................4 56 3. Operations on Words.....................................5 58 4. Message Padding and Parsing.............................7 59 4.1 SHA-224 and SHA-256....................................7 60 4.2 SHA-384 and SHA-512....................................8 62 5. Functions and Constants Used...........................10 63 5.1 SHA-224 and SHA-256...................................10 64 5.2 SHA-384 and SHA-512...................................11 66 6. Computing the Message Digest...........................12 67 6.1 SHA-224 and SHA-256 Initialization....................12 68 6.2 SHA-224 and SHA-256 Processing........................12 69 6.3 SHA-384 and SHA-512 Initialization....................14 70 6.4 SHA-384 and SHA-512 Processing........................15 72 7. HKDF and SHA Based HMACs...............................17 73 7.1 SHA-Based HMACs.......................................17 74 7.2 HKDF..................................................17 76 8. C Code for SHAs, HMAC, and HKDF........................18 77 8.1 The Header Files......................................21 78 8.1.1 The .h file.........................................21 79 8.1.2 sha-private.h.......................................29 80 8.2 The SHA Code..........................................29 81 8.2.1 sha1.c..............................................29 82 8.2.2 sha224-256.c........................................38 83 8.2.3 sha384-512.c........................................50 84 8.2.4 usha.c..............................................70 85 8.3 The HMAC Code.........................................76 86 8.4 The HKDF Code.........................................81 87 8.5 The Test Driver.......................................88 89 9. IANA Considerations...................................119 90 10. Security Considerations..............................119 91 11. Acknowledgements.....................................119 92 12. References...........................................120 93 12.1 Normative References................................120 94 12.2 Informative References..............................120 96 Appendix: Changes from RFC 4634..........................121 98 Appendix Z: Edit History.................................122 99 Z.1 Changes from -00 to -01..............................122 100 Z.2 Changes from -01 to -02..............................122 101 Z.3 Changes from -02 to -03..............................122 102 Z.4 Changes from -03 to -04..............................122 104 1. Overview of Contents 106 This document obsoletes [RFC4634]; and the changes from that RFC are 107 summarized in the Appendix. 109 This document includes specifications for the United States of 110 America (USA) Federal Information Processing Standard (FIPS) Secure 111 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 112 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 113 Specifications for HMAC and HKDF are not included as they appear 114 elsewhere in the RFC series [RFC2104] [RFC5869]. 116 NOTE: Much of the text below is taken from [SHS] and the assertions 117 of the security of the hash algorithms described therein are made by 118 the US Government, the author of [SHS], not by the authors of this 119 document. 121 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 122 SHA-256, SHA-384, and SHA-512, for computing a condensed 123 representation of a message or a data file. (SHA-1 is specified in 124 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 125 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 126 these algorithms, the result is an output called a message digest. 127 The message digests range in length from 224 to 512 bits, depending 128 on the algorithm. Secure hash algorithms are typically used with 129 other cryptographic algorithms, such as digital signature algorithms 130 and keyed hash authentication codes, the generation of random numbers 131 [RFC4086], or in key derivation functions. 133 The four algorithms specified in this document are called secure 134 because it is computationally infeasible to (1) find a message which 135 corresponds to a given message digest, or (2) to find two different 136 messages that produce the same message digest. Any change to a 137 message in transit will, with very high probability, result in a 138 different message digest. This will result in a verification failure 139 when the secure hash algorithm is used with a digital signature 140 algorithm or a keyed-hash message authentication algorithm. 142 The code provided herein supports input strings of arbitrary bit 143 length. SHA-1's sample code from [RFC3174] has also been updated to 144 handle input strings of arbitrary bit length. Permission is granted 145 for all uses, commercial and non-commercial, of this code. 147 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 148 [RFC4055], are as follows: 150 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 151 identified-organization(3) oiw(14) 152 secsig(3) algorithms(2) 26 } 154 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 155 country(16) us(840) organization(1) gov(101) 156 csor(3) nistalgorithm(4) hashalgs(2) 4 } 157 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 158 country(16) us(840) organization(1) gov(101) 159 csor(3) nistalgorithm(4) hashalgs(2) 1 } 160 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 161 country(16) us(840) organization(1) gov(101) 162 csor(3) nistalgorithm(4) hashalgs(2) 2 } 163 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 164 country(16) us(840) organization(1) gov(101) 165 csor(3) nistalgorithm(4) hashalgs(2) 3 } 167 Section 2 below defines the terminology and functions used as 168 building blocks to form these algorithms. Section 3 describes the 169 fundamental operations on words from which these algorithms are 170 built. Section 4 describes how messages are padded up to an integral 171 multiple of the required block size and then parsed into blocks. 172 Section 5 defines the constants and the composite functions used to 173 specify the hash algorithms. Section 6 gives the actual specification 174 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 175 provides pointers to the specification of HMAC keyed message 176 authentication codes and to the specification of an extract-and- 177 expand key derivation function based on HMAC. 179 Section 8 gives sample code for the SHA algorithms, for SHA based 180 HMACs, and for HMAC-based extract-and-expand key derivation function. 182 2. Notation for Bit Strings and Integers 184 The following terminology related to bit strings and integers will be 185 used: 187 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 188 A hex digit is the representation of a 4-bit string. Examples: 189 7 = 0111, A = 1010. 191 b. A word equals a 32-bit or 64-bit string that may be represented 192 as a sequence of 8 or 16 hex digits, respectively. To convert a 193 word to hex digits, each 4-bit string is converted to its hex 194 equivalent as described in (a) above. Example: 196 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 198 Throughout this document, the "big-endian" convention is used 199 when expressing both 32-bit and 64-bit words, so that within 200 each word the most significant bit is shown in the leftmost bit 201 position. 203 c. An integer may be represented as a word or pair of words. 205 An integer between 0 and 2^32 - 1 inclusive may be represented 206 as a 32-bit word. The least significant four bits of the 207 integer are represented by the rightmost hex digit of the word 208 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 209 256+32+2+1 is represented by the hex word, 00000123. 211 The same holds true for an integer between 0 and 2^64-1 212 inclusive, which may be represented as a 64-bit word. 214 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 215 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 216 as words X and Y, respectively, z can be represented as the pair 217 of words (X,Y). 219 Again, the "big-endian" convention is used and the most 220 significant word is in the leftmost word position for values 221 represented by multiple-words. 223 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 224 represented as a sequence of 32-bit or 64-bit words. 226 3. Operations on Words 228 The following logical operators will be applied to words in all four 229 hash operations specified herein. SHA-224 and SHA-256 operate on 230 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 232 In the operations below, x<>n is obtained as follows: discard the rightmost n bits 236 of x and then prepend the result with n zeroed bits on the left (the 237 result will still be the same number of bits). 239 a. Bitwise logical word operations 241 X AND Y = bitwise logical "and" of X and Y. 243 X OR Y = bitwise logical "inclusive-or" of X and Y. 245 X XOR Y = bitwise logical "exclusive-or" of X and Y. 247 NOT X = bitwise logical "complement" of X. 249 Example: 250 01101100101110011101001001111011 251 XOR 01100101110000010110100110110111 252 -------------------------------- 253 = 00001001011110001011101111001100 255 b. The operation X + Y is defined as follows: words X and Y 256 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 257 < 2^w. For positive integers n and m, let 259 n mod m 261 be the remainder upon dividing n by m. Compute 263 z = (x + y) mod 2^w. 265 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 266 Y. 268 c. The right shift operation SHR^n(x), where x is a w-bit word and n 269 is an integer with 0 <= n < w, is defined by 271 SHR^n(x) = x>>n 273 d. The rotate right (circular right shift) operation ROTR^n(x), where 274 x is a w-bit word and n is an integer with 0 <= n < w, is 275 defined by 277 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 279 e. The rotate left (circular left shift) operation ROTL^n(x), where x 280 is a w-bit word and n is an integer with 0 <= n < w, is defined 281 by 283 ROTL^n(X) = (x<>w-n) 285 Note the following equivalence relationships, where w is fixed 286 in each relationship: 288 ROTL^n(x) = ROTR^(w-n)(x) 290 ROTR^n(x) = ROTL^(w-n)(x) 292 4. Message Padding and Parsing 294 The hash functions specified herein are used to compute a message 295 digest for a message or data file that is provided as input. The 296 message or data file should be considered to be a bit string. The 297 length of the message is the number of bits in the message (the empty 298 message has length 0). If the number of bits in a message is a 299 multiple of 8, for compactness we can represent the message in hex. 300 The purpose of message padding is to make the total length of a 301 padded message a multiple of 512 for SHA-224 and SHA-256 or a 302 multiple of 1024 for SHA-384 and SHA-512. 304 The following specifies how this padding shall be performed. As a 305 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 306 integer are appended to the end of the message to produce a padded 307 message of length 512*n or 1024*n. The appended integer is the 308 length of the original message. The padded message is then processed 309 by the hash function as n 512-bit or 1024-bit blocks. 311 4.1 SHA-224 and SHA-256 313 Suppose a message has length L < 2^64. Before it is input to the 314 hash function, the message is padded on the right as follows: 316 a. "1" is appended. Example: if the original message is "01010000", 317 this is padded to "010100001". 319 b. K "0"s are appended where K is the smallest, non-negative 320 solution to the equation 322 L + 1 + K = 448 (mod 512) 324 c. Then append the 64-bit block that is L in binary representation. 325 After appending this block, the length of the message will be a 326 multiple of 512 bits. 328 Example: Suppose the original message is the bit string 330 01100001 01100010 01100011 01100100 01100101 332 After step (a) this gives 334 01100001 01100010 01100011 01100100 01100101 1 336 Since L = 40, the number of bits in the above is 41 and K = 407 337 "0"s are appended, making the total now 448. This gives the 338 following in hex: 340 61626364 65800000 00000000 00000000 341 00000000 00000000 00000000 00000000 342 00000000 00000000 00000000 00000000 343 00000000 00000000 345 The 64-bit representation of L = 40 is hex 00000000 00000028. 346 Hence the final padded message is the following hex 348 61626364 65800000 00000000 00000000 349 00000000 00000000 00000000 00000000 350 00000000 00000000 00000000 00000000 351 00000000 00000000 00000000 00000028 353 4.2 SHA-384 and SHA-512 355 Suppose a message has length L < 2^128. Before it is input to the 356 hash function, the message is padded on the right as follows: 358 a. "1" is appended. Example: if the original message is "01010000", 359 this is padded to "010100001". 361 b. K "0"s are appended where K is the smallest, non-negative 362 solution to the equation 364 L + 1 + K = 896 (mod 1024) 366 c. Then append the 128-bit block that is L in binary representation. 367 After appending this block, the length of the message will be a 368 multiple of 1024 bits. 370 Example: Suppose the original message is the bit string 372 01100001 01100010 01100011 01100100 01100101 374 After step (a) this gives 376 01100001 01100010 01100011 01100100 01100101 1 378 Since L = 40, the number of bits in the above is 41 and K = 855 379 "0"s are appended, making the total now 896. This gives the 380 following in hex: 382 61626364 65800000 00000000 00000000 383 00000000 00000000 00000000 00000000 384 00000000 00000000 00000000 00000000 385 00000000 00000000 00000000 00000000 386 00000000 00000000 00000000 00000000 387 00000000 00000000 00000000 00000000 388 00000000 00000000 00000000 00000000 390 The 128-bit representation of L = 40 is hex 00000000 00000000 391 00000000 00000028. Hence the final padded message is the 392 following hex: 394 61626364 65800000 00000000 00000000 395 00000000 00000000 00000000 00000000 396 00000000 00000000 00000000 00000000 397 00000000 00000000 00000000 00000000 398 00000000 00000000 00000000 00000000 399 00000000 00000000 00000000 00000000 400 00000000 00000000 00000000 00000000 401 00000000 00000000 00000000 00000028 403 5. Functions and Constants Used 405 The following subsections give the six logical functions and the 406 table of constants used in each of the hash functions. 408 5.1 SHA-224 and SHA-256 410 SHA-224 and SHA-256 use six logical functions, where each function 411 operates on 32-bit words, which are represented as x, y, and z. The 412 result of each function is a new 32-bit word. 414 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 416 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 418 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 420 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 422 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 424 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 426 SHA-224 and SHA-256 use the same sequence of sixty-four constant 427 32-bit words, K0, K1, ..., K63. These words represent the first 428 thirty-two bits of the fractional parts of the cube roots of the 429 first sixty-four prime numbers. In hex, these constant words are as 430 follows (from left to right): 432 428a2f98 71374491 b5c0fbcf e9b5dba5 433 3956c25b 59f111f1 923f82a4 ab1c5ed5 434 d807aa98 12835b01 243185be 550c7dc3 435 72be5d74 80deb1fe 9bdc06a7 c19bf174 436 e49b69c1 efbe4786 0fc19dc6 240ca1cc 437 2de92c6f 4a7484aa 5cb0a9dc 76f988da 438 983e5152 a831c66d b00327c8 bf597fc7 439 c6e00bf3 d5a79147 06ca6351 14292967 440 27b70a85 2e1b2138 4d2c6dfc 53380d13 441 650a7354 766a0abb 81c2c92e 92722c85 442 a2bfe8a1 a81a664b c24b8b70 c76c51a3 443 d192e819 d6990624 f40e3585 106aa070 444 19a4c116 1e376c08 2748774c 34b0bcb5 445 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 446 748f82ee 78a5636f 84c87814 8cc70208 447 90befffa a4506ceb bef9a3f7 c67178f2 449 5.2 SHA-384 and SHA-512 451 SHA-384 and SHA-512 each use six logical functions, where each 452 function operates on 64-bit words, which are represented as x, y, and 453 z. The result of each function is a new 64-bit word. 455 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 457 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 459 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 461 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 463 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 465 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 467 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 468 words, K0, K1, ... K79. These words represent the first sixty-four 469 bits of the fractional parts of the cube roots of the first eighty 470 prime numbers. In hex, these constant words are as follows (from 471 left to right): 473 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 474 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 475 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 476 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 477 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 478 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 479 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 480 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 481 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 482 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 483 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 484 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 485 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 486 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 487 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 488 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 489 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 490 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 491 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 492 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 494 6. Computing the Message Digest 496 The output of each of the secure hash functions, after being applied 497 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 498 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 499 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 500 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 502 As described below, the hash words are initialized, modified as each 503 message block is processed, and finally concatenated after processing 504 the last block to yield the output. For SHA-256 and SHA-512, all of 505 the H(N) variables are concatenated while the SHA-224 and SHA-384 506 hashes are produced by omitting some from the final concatenation. 508 6.1 SHA-224 and SHA-256 Initialization 510 For SHA-224, the initial hash value, H(0), consists of the following 511 32-bit words in hex: 513 H(0)0 = c1059ed8 514 H(0)1 = 367cd507 515 H(0)2 = 3070dd17 516 H(0)3 = f70e5939 517 H(0)4 = ffc00b31 518 H(0)5 = 68581511 519 H(0)6 = 64f98fa7 520 H(0)7 = befa4fa4 522 For SHA-256, the initial hash value, H(0), consists of the following 523 eight 32-bit words, in hex. These words were obtained by taking the 524 first thirty-two bits of the fractional parts of the square roots of 525 the first eight prime numbers. 527 H(0)0 = 6a09e667 528 H(0)1 = bb67ae85 529 H(0)2 = 3c6ef372 530 H(0)3 = a54ff53a 531 H(0)4 = 510e527f 532 H(0)5 = 9b05688c 533 H(0)6 = 1f83d9ab 534 H(0)7 = 5be0cd19 536 6.2 SHA-224 and SHA-256 Processing 538 SHA-224 and SHA-256 perform identical processing on messages blocks 539 and differ only in how H(0) is initialized and how they produce their 540 final output. They may be used to hash a message, M, having a length 541 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 542 schedule of sixty-four 32-bit words, (2) eight working variables of 543 32 bits each, and (3) a hash value of eight 32-bit words. 545 The words of the message schedule are labeled W0, W1, ..., W63. The 546 eight working variables are labeled a, b, c, d, e, f, g, and h. The 547 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 548 will hold the initial hash value, H(0), replaced by each successive 549 intermediate hash value (after each message block is processed), 550 H(i), and ending with the final hash value, H(N), after all N blocks 551 are processed. They also use two temporary words, T1 and T2. 553 The input message is padded as described in Section 4.1 above then 554 parsed into 512-bit blocks that are considered to be composed of 16 555 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 556 are then performed for each of the N message blocks. All addition is 557 performed modulo 2^32. 559 For i = 1 to N 561 1. Prepare the message schedule W: 562 For t = 0 to 15 563 Wt = M(i)t 564 For t = 16 to 63 565 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 567 2. Initialize the working variables: 568 a = H(i-1)0 569 b = H(i-1)1 570 c = H(i-1)2 571 d = H(i-1)3 572 e = H(i-1)4 573 f = H(i-1)5 574 g = H(i-1)6 575 h = H(i-1)7 577 3. Perform the main hash computation: 578 For t = 0 to 63 579 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 580 T2 = BSIG0(a) + MAJ(a,b,c) 581 h = g 582 g = f 583 f = e 584 e = d + T1 585 d = c 586 c = b 587 b = a 588 a = T1 + T2 590 4. Compute the intermediate hash value H(i) 591 H(i)0 = a + H(i-1)0 592 H(i)1 = b + H(i-1)1 593 H(i)2 = c + H(i-1)2 594 H(i)3 = d + H(i-1)3 595 H(i)4 = e + H(i-1)4 596 H(i)5 = f + H(i-1)5 597 H(i)6 = g + H(i-1)6 598 H(i)7 = h + H(i-1)7 600 After the above computations have been sequentially performed for all 601 of the blocks in the message, the final output is calculated. For 602 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 603 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 604 through H(N)6. 606 6.3 SHA-384 and SHA-512 Initialization 608 For SHA-384, the initial hash value, H(0), consists of the following 609 eight 64-bit words, in hex. These words were obtained by taking the 610 first sixty-four bits of the fractional parts of the square roots of 611 the ninth through sixteenth prime numbers. 613 H(0)0 = cbbb9d5dc1059ed8 614 H(0)1 = 629a292a367cd507 615 H(0)2 = 9159015a3070dd17 616 H(0)3 = 152fecd8f70e5939 617 H(0)4 = 67332667ffc00b31 618 H(0)5 = 8eb44a8768581511 619 H(0)6 = db0c2e0d64f98fa7 620 H(0)7 = 47b5481dbefa4fa4 622 For SHA-512, the initial hash value, H(0), consists of the following 623 eight 64-bit words, in hex. These words were obtained by taking the 624 first sixty-four bits of the fractional parts of the square roots of 625 the first eight prime numbers. 627 H(0)0 = 6a09e667f3bcc908 628 H(0)1 = bb67ae8584caa73b 629 H(0)2 = 3c6ef372fe94f82b 630 H(0)3 = a54ff53a5f1d36f1 631 H(0)4 = 510e527fade682d1 632 H(0)5 = 9b05688c2b3e6c1f 633 H(0)6 = 1f83d9abfb41bd6b 634 H(0)7 = 5be0cd19137e2179 636 6.4 SHA-384 and SHA-512 Processing 638 SHA-384 and SHA-512 perform identical processing on message blocks 639 and differ only in how H(0) is initialized and how they produce their 640 final output. They may be used to hash a message, M, having a length 641 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 642 schedule of eighty 64-bit words, (2) eight working variables of 64 643 bits each, and (3) a hash value of eight 64-bit words. 645 The words of the message schedule are labeled W0, W1, ..., W79. The 646 eight working variables are labeled a, b, c, d, e, f, g, and h. The 647 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 648 will hold the initial hash value, H(0), replaced by each successive 649 intermediate hash value (after each message block is processed), 650 H(i), and ending with the final hash value, H(N) after all N blocks 651 are processed. 653 The input message is padded as described in Section 4.2 above, then 654 parsed into 1024-bit blocks that are considered to be composed of 16 655 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 656 are then performed for each of the N message blocks. All addition is 657 performed modulo 2^64. 659 For i = 1 to N 661 1. Prepare the message schedule W: 662 For t = 0 to 15 663 Wt = M(i)t 664 For t = 16 to 79 665 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 667 2. Initialize the working variables: 668 a = H(i-1)0 669 b = H(i-1)1 670 c = H(i-1)2 671 d = H(i-1)3 672 e = H(i-1)4 673 f = H(i-1)5 674 g = H(i-1)6 675 h = H(i-1)7 677 3. Perform the main hash computation: 678 For t = 0 to 79 679 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 680 T2 = BSIG0(a) + MAJ(a,b,c) 681 h = g 682 g = f 683 f = e 684 e = d + T1 685 d = c 686 c = b 687 b = a 688 a = T1 + T2 690 4. Compute the intermediate hash value H(i) 691 H(i)0 = a + H(i-1)0 692 H(i)1 = b + H(i-1)1 693 H(i)2 = c + H(i-1)2 694 H(i)3 = d + H(i-1)3 695 H(i)4 = e + H(i-1)4 696 H(i)5 = f + H(i-1)5 697 H(i)6 = g + H(i-1)6 698 H(i)7 = h + H(i-1)7 700 After the above computations have been sequentially performed for all 701 of the blocks in the message, the final output is calculated. For 702 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 703 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 704 through H(N)5. 706 7. HKDF and SHA Based HMACs 708 Below are brief descriptions and pointers to more complete 709 descriptions and code for (1) SHA-based HMACs and (2) an HMAC-based 710 extract-and-expand key derivation function. Both HKDF and HMAC were 711 devised by Hugo Krawczyk. 713 7.1 SHA-Based HMACs 715 HMAC is a method for computing a keyed MAC (message authentication 716 code) using a hash function as described in [RFC2104]. It uses a key 717 to mix in with the input text to produce the final hash. 719 Sample code is also provided, in Section 8.3 below, to perform HMAC 720 based on any of the SHA algorithms described herein. The sample code 721 found in [RFC2104] was written in terms of a specified text size. 722 Since SHA is defined in terms of an arbitrary number of bits, the 723 sample HMAC code has been written to allow the text input to HMAC to 724 have an arbitrary number of octets and bits. A fixed length interface 725 is also provided. 727 7.2 HKDF 729 HKDF is a specific key derivation function (KDF), that is, a function 730 of initial keying material from which the KDF derives one or more 731 cryptographically strong secret keys. HKDF, which is described in 732 [RFC5869], is based on HMAC. 734 Sample code for HKDF is provided in Section 8.4 below. 736 8. C Code for SHAs, HMAC, and HKDF 738 Below is a demonstration implementation of these secure hash 739 functions in C. Section 8.1 contains the header file sha.h that 740 declares all constants, structures and functions used by the sha and 741 hmac functions. It includes conditionals based on the state of 742 definition of USE_32BIT_ONLY which, if that symbol is defined at 743 compile time, avoids 64-bit operations. It also contains sha- 744 private.h that provides some declarations common to all the sha 745 functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, 746 sha384-512.c, and usha.c. Section 8.3 contains the C code for the 747 HMAC functions and Section 8.4 contains the C code for HKDF. Section 748 8.5 contains a test driver to exercise the code. 750 For each of the digest lengths $$$, there are the following set of 751 constants, a structure, and functions: 753 Constants: 754 SHA$$$HashSize number of octets in the hash 755 SHA$$$HashSizeBits number of bits in the hash 756 SHA$$$_Message_Block_Size 757 number of octets used in the intermediate 758 message blocks 759 Most functions return an enum value that is one of: 760 shaSuccess(0) on success 761 shaNull(1) when presented with a null pointer parameter 762 shaInputTooLong(2) when the input data is too long 763 shaStateError(3) when SHA$$$Input is called after 764 SHA$$$FinalBits or SHA$$$Result. 766 Structure: 767 typedef SHA$$$Context 768 an opaque structure holding the complete state 769 for producing the hash 771 Functions: 772 int SHA$$$Reset(SHA$$$Context *context); 773 Reset the hash context state 774 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 775 unsigned int bytecount); 776 Incorporate bytecount octets into the hash. 777 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 778 unsigned int bitcount); 779 Incorporate bitcount bits into the hash. The bits are in the 780 upper portion of the octet. SHA$$$Input() cannot be called 781 after this. 782 int SHA$$$Result(SHA$$$Context *, 783 uint8_t Message_Digest[SHA$$$HashSize]); 784 Do the final calculations on the hash and copy the value 785 into Message_Digest. 787 In addition, functions with the prefix USHA are provided that take a 788 SHAversion value (SHA$$$) to select the SHA function suite. They add 789 the following constants, structure and function: 791 Constants: 792 shaBadParam(4) constant returned by USHA functions when 793 presented with a bad SHAversion (SHA$$$) 794 parameter or other illegal parameter values 795 USAMaxHashSize maximumof the SHA has sizes 796 SHA$$$ SHAversion enumeration values, used by usha, 797 hmac and hkdf functions to select the SHA 798 function suite 800 Structure: 801 typedef USHAContext 802 an opaque structure holding the complete state 803 for producing the hash 805 Functions: 806 int USHAReset(USHAContext *context, SHAversion whichSha); 807 Reset the hash context state. 808 int USHAInput(USHAContext context*, 809 const uint8_t *bytes, unsigned int bytecount); 810 Incorporate bytecount octets into the hash. 811 int USHAFinalBits(USHAContext *context, 812 const uint8_t bits, unsigned int bitcount); 813 Incorporate bitcount bits into the hash. 814 int USHAResult(USHAContext *context, 815 uint8_t Message_Digest[USHAMaxHashSize]); 816 Do the final calculations on the hash and copy the value 817 into Message_Digest. Octets in Message_Digest beyond 818 USHAHashSize(whichSha) are left untouched. 819 int USHAHashSize(enum SHAversion whichSha); 820 The number of octets in the given hash. 821 int USHAHashSizeBits(enum SHAversion whichSha); 822 The number of bits in the given hash. 823 int USHABlockSize(enum SHAversion whichSha); 824 The internal block size for the given hash. 825 const char *USHAHashName(enum SHAversion whichSha); 826 This function will return the name of the given SHA 827 algorithm as a string. 829 The hmac functions follow the same pattern to allow any length of 830 text input to be used. 832 Structures: 833 typedef HMACContext an opaque structure holding the complete state 834 for producing the keyed message digest (MAC) 836 Functions: 837 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 838 const unsigned char *key, int key_len); 839 Reset the MAC context state. 840 int hmacInput(HMACContext *ctx, const unsigned char *text, 841 int text_len); 842 Incorporate text_len octets into the MAC. 843 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 844 unsigned int bitcount); 845 Incorporate bitcount bits into the MAC. 846 int hmacResult(HMACContext *ctx, 847 uint8_t Message_Digest[USHAMaxHashSize]); 848 Do the final calculations on the MAC and copy the value into 849 Message_Digest. Octets in Message_Digest beyond 850 USHAHashSize(whichSha) are left untouched. 852 In addition, a combined interface is provided, similar to that shown 853 in [RFC2104], that allows a fixed-length text input to be used. 855 int hmac(SHAversion whichSha, 856 const unsigned char *text, int text_len, 857 const unsigned char *key, int key_len, 858 uint8_t Message_Digest[USHAMaxHashSize]); 859 Calculate the given digest for the given text and key, and 860 return the resulting MAC. Octets in Message_Digest beyond 861 USHAHashSize(whichSha) are left untouched. 863 The hkdf functions follow the same pattern to allow any length of 864 text input to be used. 866 Structures: 867 typedef HKDFContext an opaque structure holding the complete state 868 for producing the keying material 869 Functions: 870 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 871 const unsigned char *salt, int salt_len) 872 Reset the key derivation state and initialize it with the 873 salt_len octets of the optional salt. 874 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 875 int ikm_len) 876 Incorporate ikm_len octets into the entropy extractor. 877 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 878 unsigned int ikm_bit_count) 879 Incorporate ikm_bit_count bits into the entropy extractor. 880 int hkdfResult(HKDFContext *context, 881 uint8_t prk[USHAMaxHashSize], 882 const unsigned char *info, int info_len, 883 uint8_t okm[ ], int okm_len) 884 Finish the HKDF extraction and perform the final HKDF 885 expansion, storing the okm_len octets into okm. Optionally 886 store the pseudo-random key (prk) that is generated 887 internally. 889 In addition, combined interfaces are provided, similar to that shown 890 in [RFC5869], that allows a fixed-length text input to be used. 892 int hkdfExtract(SHAversion whichSha, 893 const unsigned char *salt, int salt_len, 894 const unsigned char *ikm, int ikm_len, 895 uint8_t prk[USHAMaxHashSize]) 896 Perform HKDF extraction, combining the salt_len octets of 897 the optional salt with the ikm_len octets of the input 898 keying material (ikm) to form the pseudo-random key prk. 899 The output prk must be large enough to hold the octets 900 appropriate for the given hash type. 902 int hkdfExpand(SHAversion whichSha, 903 const uint8_t prk[ ], int prk_len, 904 const unsigned char *info, int info_len, 905 uint8_t okm[ ], int okm_len) 906 Perform HKDF expansion, combining the prk_len octets of the 907 pseudo-random key prk with the info_len octets of info to 908 form the okm_len octets stored in okm. 910 int hkdf(SHAversion whichSha, 911 const unsigned char *salt, int salt_len, 912 const unsigned char *ikm, int ikm_len, 913 const unsigned char *info, int info_len, 914 uint8_t okm[ ], int okm_len) 915 This combined interface performs both HKDF extraction and 916 expansion. The variables are the same as in hkdfExtract() 917 and hkdfExpand(). 919 8.1 The Header Files 921 8.1.1 The .h file 923 /**************************** sha.h ****************************/ 924 /***************** See RFC NNNN for details. *******************/ 925 /* 926 Copyright (c) 2010 IETF Trust and the persons identified as 927 authors of the code. All rights reserved. 929 Redistribution and use in source and binary forms, with or without 930 modification, are permitted provided that the following conditions 931 are met: 933 * Redistributions of source code must retain the above copyright 934 notice, this list of conditions and the following disclaimer. 936 * Redistributions in binary form must reproduce the above copyright 937 notice, this list of conditions and the following disclaimer in 938 the documentation and/or other materials provided with the 939 distribution. 941 * Neither the name of Internet Society, IETF or IETF Trust, nor the 942 names of specific contributors, may be used to endorse or promote 943 products derived from this software without specific prior 944 written permission. 946 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 947 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 948 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 949 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 950 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 951 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 952 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 953 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 954 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 955 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 956 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 957 POSSIBILITY OF SUCH DAMAGE. 958 */ 959 #ifndef _SHA_H_ 960 #define _SHA_H_ 962 /* 963 * Description: 964 * This file implements the Secure Hash Algorithms 965 * as defined in the U.S. National Institute of Standards 966 * and Technology Federal Information Processing Standards 967 * Publication (FIPS PUB) 180-3 published in October 2008 968 * and formerly defined in its predecessors, FIPS PUB 180-1 969 * and FIP PUB 180-2. 970 * 971 * A combined document showing all algorithms is available at 972 * http://csrc.nist.gov/publications/fips/ 973 * fips180-3/fips180-3_final.pdf 974 * 975 * The five hashes are defined in these sizes: 976 * SHA-1 20 byte / 160 bit 977 * SHA-224 28 byte / 224 bit 978 * SHA-256 32 byte / 256 bit 979 * SHA-384 48 byte / 384 bit 980 * SHA-512 64 byte / 512 bit 981 * 982 * Compilation Note: 984 * These files may be compiled with two options: 985 * USE_32BIT_ONLY - use 32-bit arithmetic only, for systems 986 * without 64-bit integers 987 * 988 * USE_MODIFIED_MACROS - use alternate form of the SHA_Ch() 989 * and SHA_Maj() macros that are equivalent 990 * and potentially faster on many systems 991 * 992 */ 994 #include 995 /* 996 * If you do not have the ISO standard stdint.h header file, then you 997 * must typedef the following: 998 * name meaning 999 * uint64_t unsigned 64 bit integer 1000 * uint32_t unsigned 32 bit integer 1001 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 1002 * int_least16_t integer of >= 16 bits 1003 * 1004 */ 1006 #ifndef _SHA_enum_ 1007 #define _SHA_enum_ 1008 /* 1009 * All SHA functions return one of these values. 1010 */ 1011 enum { 1012 shaSuccess = 0, 1013 shaNull, /* Null pointer parameter */ 1014 shaInputTooLong, /* input data too long */ 1015 shaStateError, /* called Input after FinalBits or Result */ 1016 shaBadParam /* passed a bad parameter */ 1017 }; 1018 #endif /* _SHA_enum_ */ 1020 /* 1021 * These constants hold size information for each of the SHA 1022 * hashing operations 1023 */ 1024 enum { 1025 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1026 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1027 SHA512_Message_Block_Size = 128, 1028 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1030 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1031 SHA384HashSize = 48, SHA512HashSize = 64, 1032 USHAMaxHashSize = SHA512HashSize, 1033 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1034 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1035 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1036 }; 1038 /* 1039 * These constants are used in the USHA (unified sha) functions. 1040 */ 1041 typedef enum SHAversion { 1042 SHA1, SHA224, SHA256, SHA384, SHA512 1043 } SHAversion; 1045 /* 1046 * This structure will hold context information for the SHA-1 1047 * hashing operation. 1048 */ 1049 typedef struct SHA1Context { 1050 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1052 uint32_t Length_High; /* Message length in bits */ 1053 uint32_t Length_Low; /* Message length in bits */ 1055 int_least16_t Message_Block_Index; /* Message_Block array index */ 1056 /* 512-bit message blocks */ 1057 uint8_t Message_Block[SHA1_Message_Block_Size]; 1059 int Computed; /* Is the hash computed? */ 1060 int Corrupted; /* Cumulative corruption code */ 1061 } SHA1Context; 1063 /* 1064 * This structure will hold context information for the SHA-256 1065 * hashing operation. 1066 */ 1067 typedef struct SHA256Context { 1068 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1070 uint32_t Length_High; /* Message length in bits */ 1071 uint32_t Length_Low; /* Message length in bits */ 1073 int_least16_t Message_Block_Index; /* Message_Block array index */ 1074 /* 512-bit message blocks */ 1075 uint8_t Message_Block[SHA256_Message_Block_Size]; 1077 int Computed; /* Is the hash computed? */ 1078 int Corrupted; /* Cumulative corruption code */ 1079 } SHA256Context; 1081 /* 1082 * This structure will hold context information for the SHA-512 1083 * hashing operation. 1084 */ 1085 typedef struct SHA512Context { 1086 #ifdef USE_32BIT_ONLY 1087 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1088 uint32_t Length[4]; /* Message length in bits */ 1089 #else /* !USE_32BIT_ONLY */ 1090 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1091 uint64_t Length_High, Length_Low; /* Message length in bits */ 1092 #endif /* USE_32BIT_ONLY */ 1094 int_least16_t Message_Block_Index; /* Message_Block array index */ 1095 /* 1024-bit message blocks */ 1096 uint8_t Message_Block[SHA512_Message_Block_Size]; 1098 int Computed; /* Is the hash computed?*/ 1099 int Corrupted; /* Cumulative corruption code */ 1100 } SHA512Context; 1102 /* 1103 * This structure will hold context information for the SHA-224 1104 * hashing operation. It uses the SHA-256 structure for computation. 1105 */ 1106 typedef struct SHA256Context SHA224Context; 1108 /* 1109 * This structure will hold context information for the SHA-384 1110 * hashing operation. It uses the SHA-512 structure for computation. 1111 */ 1112 typedef struct SHA512Context SHA384Context; 1114 /* 1115 * This structure holds context information for all SHA 1116 * hashing operations. 1117 */ 1118 typedef struct USHAContext { 1119 int whichSha; /* which SHA is being used */ 1120 union { 1121 SHA1Context sha1Context; 1122 SHA224Context sha224Context; SHA256Context sha256Context; 1123 SHA384Context sha384Context; SHA512Context sha512Context; 1124 } ctx; 1125 } USHAContext; 1127 /* 1128 * This structure will hold context information for the HMAC 1129 * keyed hashing operation. 1130 */ 1131 typedef struct HMACContext { 1132 int whichSha; /* which SHA is being used */ 1133 int hashSize; /* hash size of SHA being used */ 1134 int blockSize; /* block size of SHA being used */ 1135 USHAContext shaContext; /* SHA context */ 1136 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1137 /* outer padding - key XORd with opad */ 1138 int Computed; /* Is the MAC computed? */ 1139 int Corrupted; /* Cumulative corruption code */ 1141 } HMACContext; 1143 /* 1144 * This structure will hold context information for the HKDF 1145 * Extract-and-Expand Key Derivation functions. 1146 */ 1147 typedef struct HKDFContext { 1148 int whichSha; /* which SHA is being used */ 1149 HMACContext hmacContext; 1150 int hashSize; /* hash size of SHA being used */ 1151 unsigned char prk[USHAMaxHashSize]; 1152 /* Pseudo Random Key - output of hkdfInput */ 1153 int Computed; /* Is the key material computed? */ 1154 int Corrupted; /* Cumulative corruption code */ 1155 } HKDFContext; 1157 /* 1158 * Function Prototypes 1159 */ 1161 /* SHA-1 */ 1162 extern int SHA1Reset(SHA1Context *); 1163 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1164 unsigned int bytecount); 1165 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1166 unsigned int bit_count); 1167 extern int SHA1Result(SHA1Context *, 1168 uint8_t Message_Digest[SHA1HashSize]); 1170 /* SHA-224 */ 1171 extern int SHA224Reset(SHA224Context *); 1172 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1173 unsigned int bytecount); 1174 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1175 unsigned int bit_count); 1176 extern int SHA224Result(SHA224Context *, 1177 uint8_t Message_Digest[SHA224HashSize]); 1179 /* SHA-256 */ 1180 extern int SHA256Reset(SHA256Context *); 1181 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1182 unsigned int bytecount); 1183 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1184 unsigned int bit_count); 1185 extern int SHA256Result(SHA256Context *, 1186 uint8_t Message_Digest[SHA256HashSize]); 1188 /* SHA-384 */ 1189 extern int SHA384Reset(SHA384Context *); 1190 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1191 unsigned int bytecount); 1192 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1193 unsigned int bit_count); 1194 extern int SHA384Result(SHA384Context *, 1195 uint8_t Message_Digest[SHA384HashSize]); 1197 /* SHA-512 */ 1198 extern int SHA512Reset(SHA512Context *); 1199 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1200 unsigned int bytecount); 1201 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1202 unsigned int bit_count); 1203 extern int SHA512Result(SHA512Context *, 1204 uint8_t Message_Digest[SHA512HashSize]); 1206 /* Unified SHA functions, chosen by whichSha */ 1207 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1208 extern int USHAInput(USHAContext *context, 1209 const uint8_t *bytes, unsigned int bytecount); 1210 extern int USHAFinalBits(USHAContext *context, 1211 uint8_t bits, unsigned int bit_count); 1212 extern int USHAResult(USHAContext *context, 1213 uint8_t Message_Digest[USHAMaxHashSize]); 1214 extern int USHABlockSize(enum SHAversion whichSha); 1215 extern int USHAHashSize(enum SHAversion whichSha); 1216 extern int USHAHashSizeBits(enum SHAversion whichSha); 1217 extern const char *USHAHashName(enum SHAversion whichSha); 1219 /* 1220 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1221 * for all SHAs. 1222 * This interface allows a fixed-length text input to be used. 1223 */ 1224 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1225 const unsigned char *text, /* pointer to data stream */ 1226 int text_len, /* length of data stream */ 1227 const unsigned char *key, /* pointer to authentication key */ 1228 int key_len, /* length of authentication key */ 1229 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1231 /* 1232 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1233 * for all SHAs. 1234 * This interface allows any length of text input to be used. 1235 */ 1236 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1237 const unsigned char *key, int key_len); 1238 extern int hmacInput(HMACContext *context, const unsigned char *text, 1239 int text_len); 1240 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1241 unsigned int bit_count); 1242 extern int hmacResult(HMACContext *context, 1243 uint8_t digest[USHAMaxHashSize]); 1245 /* 1246 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1247 * RFC 5869, for all SHAs. 1248 */ 1249 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1250 int salt_len, const unsigned char *ikm, int ikm_len, 1251 const unsigned char *info, int info_len, 1252 uint8_t okm[ ], int okm_len); 1253 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1254 int salt_len, const unsigned char *ikm, 1255 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1256 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1257 int prk_len, const unsigned char *info, 1258 int info_len, uint8_t okm[ ], int okm_len); 1260 /* 1261 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1262 * RFC 5869, for all SHAs. 1263 * This interface allows any length of text input to be used. 1264 */ 1265 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1266 const unsigned char *salt, int salt_len); 1267 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1268 int ikm_len); 1269 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1270 unsigned int ikm_bit_count); 1271 extern int hkdfResult(HKDFContext *context, 1272 uint8_t prk[USHAMaxHashSize], 1273 const unsigned char *info, int info_len, 1274 uint8_t okm[USHAMaxHashSize], int okm_len); 1276 #endif /* _SHA_H_ */ 1277 8.1.2 sha-private.h 1279 /************************ sha-private.h ************************/ 1280 /***************** See RFC NNNN for details. *******************/ 1281 #ifndef _SHA_PRIVATE__H 1282 #define _SHA_PRIVATE__H 1283 /* 1284 * These definitions are defined in FIPS 180-3, section 4.1. 1285 * Ch() and Maj() are defined identically in sections 4.1.1, 1286 * 4.1.2 and 4.1.3. 1287 * 1288 * The definitions used in FIPS 180-3 are as follows: 1289 */ 1291 #ifndef USE_MODIFIED_MACROS 1292 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 1293 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 1295 #else /* USE_MODIFIED_MACROS */ 1296 /* 1297 * The following definitions are equivalent and potentially faster. 1298 */ 1300 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 1301 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 1303 #endif /* USE_MODIFIED_MACROS */ 1305 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 1307 #endif /* _SHA_PRIVATE__H */ 1309 8.2 The SHA Code 1311 This code is primarily intended as expository and could be optimized 1312 further. For example, the assignment rotations through the variables 1313 a, b, ..., h could be treated as a cycle and the loop unrolled, 1314 rather than doing the explicit copying. 1316 Note that there are alternative representations of the Ch() and Maj() 1317 functions controlled by an ifdef. 1319 8.2.1 sha1.c 1321 /**************************** sha1.c ***************************/ 1322 /***************** See RFC NNNN for details. *******************/ 1323 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1324 /* authors of the code. All rights reserved. */ 1325 /* See sha.h for terms of use and redistribution. */ 1327 /* 1328 * Description: 1329 * This file implements the Secure Hash Algorithm SHA-1 1330 * as defined in the U.S. National Institute of Standards 1331 * and Technology Federal Information Processing Standards 1332 * Publication (FIPS PUB) 180-3 published in October 2008 1333 * and formerly defined in its predecessors, FIPS PUB 180-1 1334 * and FIP PUB 180-2. 1335 * 1336 * A combined document showing all algorithms is available at 1337 * http://csrc.nist.gov/publications/fips/ 1338 * fips180-3/fips180-3_final.pdf 1339 * 1340 * The SHA-1 algorithm produces a 160-bit message digest for a 1341 * given data stream. It should take about 2**n steps to find a 1342 * message with the same digest as a given message and 1343 * 2**(n/2) to find any two messages with the same digest, 1344 * when n is the digest size in bits. Therefore, this 1345 * algorithm can serve as a means of providing a 1346 * "fingerprint" for a message. 1347 * 1348 * Portability Issues: 1349 * SHA-1 is defined in terms of 32-bit "words". This code 1350 * uses (included via "sha.h") to define 32 and 8 1351 * bit unsigned integer types. If your C compiler does not 1352 * support 32 bit unsigned integers, this code is not 1353 * appropriate. 1354 * 1355 * Caveats: 1356 * SHA-1 is designed to work with messages less than 2^64 bits 1357 * long. This implementation uses SHA1Input() to hash the bits 1358 * that are a multiple of the size of an 8-bit octet, and then 1359 * optionally uses SHA1FinalBits() to hash the final few bits of 1360 * the input. 1361 */ 1363 #include "sha.h" 1364 #include "sha-private.h" 1366 /* 1367 * Define the SHA1 circular left shift macro 1368 */ 1369 #define SHA1_ROTL(bits,word) \ 1370 (((word) << (bits)) | ((word) >> (32-(bits)))) 1372 /* 1373 * Add "length" to the length. 1374 * Set Corrupted when overflow has occurred. 1375 */ 1376 static uint32_t addTemp; 1377 #define SHA1AddLength(context, length) \ 1378 (addTemp = (context)->Length_Low, \ 1379 (context)->Corrupted = \ 1380 (((context)->Length_Low += (length)) < addTemp) && \ 1381 (++(context)->Length_High == 0) ? shaInputTooLong \ 1382 : (context)->Corrupted ) 1384 /* Local Function Prototypes */ 1385 static void SHA1ProcessMessageBlock(SHA1Context *context); 1386 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1387 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1389 /* 1390 * SHA1Reset 1391 * 1392 * Description: 1393 * This function will initialize the SHA1Context in preparation 1394 * for computing a new SHA1 message digest. 1395 * 1396 * Parameters: 1397 * context: [in/out] 1398 * The context to reset. 1399 * 1400 * Returns: 1401 * sha Error Code. 1402 * 1403 */ 1404 int SHA1Reset(SHA1Context *context) 1405 { 1406 if (!context) return shaNull; 1408 context->Length_High = context->Length_Low = 0; 1409 context->Message_Block_Index = 0; 1411 /* Initial Hash Values: FIPS 180-3 section 5.3.1 */ 1412 context->Intermediate_Hash[0] = 0x67452301; 1413 context->Intermediate_Hash[1] = 0xEFCDAB89; 1414 context->Intermediate_Hash[2] = 0x98BADCFE; 1415 context->Intermediate_Hash[3] = 0x10325476; 1416 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1418 context->Computed = 0; 1419 context->Corrupted = shaSuccess; 1421 return shaSuccess; 1422 } 1423 /* 1424 * SHA1Input 1425 * 1426 * Description: 1427 * This function accepts an array of octets as the next portion 1428 * of the message. 1429 * 1430 * Parameters: 1431 * context: [in/out] 1432 * The SHA context to update 1433 * message_array[ ]: [in] 1434 * An array of octets representing the next portion of 1435 * the message. 1436 * length: [in] 1437 * The length of the message in message_array 1438 * 1439 * Returns: 1440 * sha Error Code. 1441 * 1442 */ 1443 int SHA1Input(SHA1Context *context, 1444 const uint8_t *message_array, unsigned length) 1445 { 1446 if (!context) return shaNull; 1447 if (!length) return shaSuccess; 1448 if (!message_array) return shaNull; 1449 if (context->Computed) return context->Corrupted = shaStateError; 1450 if (context->Corrupted) return context->Corrupted; 1452 while (length--) { 1453 context->Message_Block[context->Message_Block_Index++] = 1454 *message_array; 1456 if ((SHA1AddLength(context, 8) == shaSuccess) && 1457 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1458 SHA1ProcessMessageBlock(context); 1460 message_array++; 1461 } 1463 return context->Corrupted; 1464 } 1466 /* 1467 * SHA1FinalBits 1468 * 1469 * Description: 1470 * This function will add in any final bits of the message. 1471 * 1472 * Parameters: 1474 * context: [in/out] 1475 * The SHA context to update 1476 * message_bits: [in] 1477 * The final bits of the message, in the upper portion of the 1478 * byte. (Use 0b###00000 instead of 0b00000### to input the 1479 * three bits ###.) 1480 * length: [in] 1481 * The number of bits in message_bits, between 1 and 7. 1482 * 1483 * Returns: 1484 * sha Error Code. 1485 */ 1486 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1487 unsigned int length) 1488 { 1489 static uint8_t masks[8] = { 1490 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1491 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1492 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1493 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1494 }; 1495 static uint8_t markbit[8] = { 1496 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1497 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1498 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1499 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1500 }; 1502 if (!context) return shaNull; 1503 if (!length) return shaSuccess; 1504 if (context->Corrupted) return context->Corrupted; 1505 if (context->Computed) return context->Corrupted = shaStateError; 1506 if (length >= 8) return context->Corrupted = shaBadParam; 1508 SHA1AddLength(context, length); 1509 SHA1Finalize(context, 1510 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1512 return context->Corrupted; 1513 } 1515 /* 1516 * SHA1Result 1517 * 1518 * Description: 1519 * This function will return the 160-bit message digest 1520 * into the Message_Digest array provided by the caller. 1521 * NOTE: 1522 * The first octet of hash is stored in the element with index 0, 1523 * the last octet of hash in the element with index 19. 1525 * 1526 * Parameters: 1527 * context: [in/out] 1528 * The context to use to calculate the SHA-1 hash. 1529 * Message_Digest[ ]: [out] 1530 * Where the digest is returned. 1531 * 1532 * Returns: 1533 * sha Error Code. 1534 * 1535 */ 1536 int SHA1Result(SHA1Context *context, 1537 uint8_t Message_Digest[SHA1HashSize]) 1538 { 1539 int i; 1541 if (!context) return shaNull; 1542 if (!Message_Digest) return shaNull; 1543 if (context->Corrupted) return context->Corrupted; 1545 if (!context->Computed) 1546 SHA1Finalize(context, 0x80); 1548 for (i = 0; i < SHA1HashSize; ++i) 1549 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1550 >> (8 * ( 3 - ( i & 0x03 ) ))); 1552 return shaSuccess; 1553 } 1555 /* 1556 * SHA1ProcessMessageBlock 1557 * 1558 * Description: 1559 * This helper function will process the next 512 bits of the 1560 * message stored in the Message_Block array. 1561 * 1562 * Parameters: 1563 * context: [in/out] 1564 * The SHA context to update 1565 * 1566 * Returns: 1567 * Nothing. 1568 * 1569 * Comments: 1570 * Many of the variable names in this code, especially the 1571 * single character names, were used because those were the 1572 * names used in the Secure Hash Standard. 1573 */ 1574 static void SHA1ProcessMessageBlock(SHA1Context *context) 1575 { 1576 /* Constants defined in FIPS 180-3, section 4.2.1 */ 1577 const uint32_t K[4] = { 1578 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1579 }; 1580 int t; /* Loop counter */ 1581 uint32_t temp; /* Temporary word value */ 1582 uint32_t W[80]; /* Word sequence */ 1583 uint32_t A, B, C, D, E; /* Word buffers */ 1585 /* 1586 * Initialize the first 16 words in the array W 1587 */ 1588 for (t = 0; t < 16; t++) { 1589 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1590 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1591 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1592 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1593 } 1595 for (t = 16; t < 80; t++) 1596 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1598 A = context->Intermediate_Hash[0]; 1599 B = context->Intermediate_Hash[1]; 1600 C = context->Intermediate_Hash[2]; 1601 D = context->Intermediate_Hash[3]; 1602 E = context->Intermediate_Hash[4]; 1604 for (t = 0; t < 20; t++) { 1605 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1606 E = D; 1607 D = C; 1608 C = SHA1_ROTL(30,B); 1609 B = A; 1610 A = temp; 1611 } 1613 for (t = 20; t < 40; t++) { 1614 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1615 E = D; 1616 D = C; 1617 C = SHA1_ROTL(30,B); 1618 B = A; 1619 A = temp; 1620 } 1622 for (t = 40; t < 60; t++) { 1623 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1624 E = D; 1625 D = C; 1626 C = SHA1_ROTL(30,B); 1627 B = A; 1628 A = temp; 1629 } 1631 for (t = 60; t < 80; t++) { 1632 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1633 E = D; 1634 D = C; 1635 C = SHA1_ROTL(30,B); 1636 B = A; 1637 A = temp; 1638 } 1640 context->Intermediate_Hash[0] += A; 1641 context->Intermediate_Hash[1] += B; 1642 context->Intermediate_Hash[2] += C; 1643 context->Intermediate_Hash[3] += D; 1644 context->Intermediate_Hash[4] += E; 1646 context->Message_Block_Index = 0; 1647 } 1649 /* 1650 * SHA1Finalize 1651 * 1652 * Description: 1653 * This helper function finishes off the digest calculations. 1654 * 1655 * Parameters: 1656 * context: [in/out] 1657 * The SHA context to update 1658 * Pad_Byte: [in] 1659 * The last byte to add to the message block before the 0-padding 1660 * and length. This will contain the last bits of the message 1661 * followed by another single bit. If the message was an 1662 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1663 * 1664 * Returns: 1665 * sha Error Code. 1666 * 1667 */ 1668 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1669 { 1670 int i; 1671 SHA1PadMessage(context, Pad_Byte); 1672 /* message may be sensitive, clear it out */ 1673 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1674 context->Message_Block[i] = 0; 1676 context->Length_High = 0; /* and clear length */ 1677 context->Length_Low = 0; 1678 context->Computed = 1; 1679 } 1681 /* 1682 * SHA1PadMessage 1683 * 1684 * Description: 1685 * According to the standard, the message must be padded to the next 1686 * even multiple of 512 bits. The first padding bit must be a '1'. 1687 * The last 64 bits represent the length of the original message. 1688 * All bits in between should be 0. This helper function will pad 1689 * the message according to those rules by filling the Message_Block 1690 * array accordingly. When it returns, it can be assumed that the 1691 * message digest has been computed. 1692 * 1693 * Parameters: 1694 * context: [in/out] 1695 * The context to pad 1696 * Pad_Byte: [in] 1697 * The last byte to add to the message block before the 0-padding 1698 * and length. This will contain the last bits of the message 1699 * followed by another single bit. If the message was an 1700 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1701 * 1702 * Returns: 1703 * Nothing. 1704 */ 1705 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1706 { 1707 /* 1708 * Check to see if the current message block is too small to hold 1709 * the initial padding bits and length. If so, we will pad the 1710 * block, process it, and then continue padding into a second 1711 * block. 1712 */ 1713 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1714 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1715 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1716 context->Message_Block[context->Message_Block_Index++] = 0; 1718 SHA1ProcessMessageBlock(context); 1719 } else 1720 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1722 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1723 context->Message_Block[context->Message_Block_Index++] = 0; 1725 /* 1726 * Store the message length as the last 8 octets 1727 */ 1728 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1729 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1730 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1731 context->Message_Block[59] = (uint8_t) (context->Length_High); 1732 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1733 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1734 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1735 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1737 SHA1ProcessMessageBlock(context); 1738 } 1740 8.2.2 sha224-256.c 1742 /************************* sha224-256.c ************************/ 1743 /***************** See RFC NNNN for details. *******************/ 1744 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1745 /* authors of the code. All rights reserved. */ 1746 /* See sha.h for terms of use and redistribution. */ 1748 /* 1749 * Description: 1750 * This file implements the Secure Hash Algorithms SHA-224 and 1751 * SHA-256 as defined in the U.S. National Institute of Standards 1752 * and Technology Federal Information Processing Standards 1753 * Publication (FIPS PUB) 180-3 published in October 2008 1754 * and formerly defined in its predecessors, FIPS PUB 180-1 1755 * and FIP PUB 180-2. 1756 * 1757 * A combined document showing all algorithms is available at 1758 * http://csrc.nist.gov/publications/fips/ 1759 * fips180-3/fips180-3_final.pdf 1760 * 1761 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1762 * message digests for a given data stream. It should take about 1763 * 2**n steps to find a message with the same digest as a given 1764 * message and 2**(n/2) to find any two messages with the same 1765 * digest, when n is the digest size in bits. Therefore, this 1766 * algorithm can serve as a means of providing a 1767 * "fingerprint" for a message. 1768 * 1769 * Portability Issues: 1770 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1771 * This code uses (included via "sha.h") to define 32 1772 * and 8 bit unsigned integer types. If your C compiler does not 1773 * support 32 bit unsigned integers, this code is not 1774 * appropriate. 1775 * 1776 * Caveats: 1777 * SHA-224 and SHA-256 are designed to work with messages less 1778 * than 2^64 bits long. This implementation uses SHA224/256Input() 1779 * to hash the bits that are a multiple of the size of an 8-bit 1780 * octet, and then optionally uses SHA224/256FinalBits() 1781 * to hash the final few bits of the input. 1782 */ 1784 #include "sha.h" 1785 #include "sha-private.h" 1787 /* Define the SHA shift, rotate left and rotate right macro */ 1788 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1789 #define SHA256_ROTL(bits,word) \ 1790 (((word) << (bits)) | ((word) >> (32-(bits)))) 1791 #define SHA256_ROTR(bits,word) \ 1792 (((word) >> (bits)) | ((word) << (32-(bits)))) 1794 /* Define the SHA SIGMA and sigma macros */ 1795 #define SHA256_SIGMA0(word) \ 1796 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1797 #define SHA256_SIGMA1(word) \ 1798 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1799 #define SHA256_sigma0(word) \ 1800 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1801 #define SHA256_sigma1(word) \ 1802 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1804 /* 1805 * Add "length" to the length. 1806 * Set Corrupted when overflow has occurred. 1807 */ 1808 static uint32_t addTemp; 1809 #define SHA224_256AddLength(context, length) \ 1810 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1811 (((context)->Length_Low += (length)) < addTemp) && \ 1812 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1813 (context)->Corrupted ) 1815 /* Local Function Prototypes */ 1816 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1817 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1818 static void SHA224_256Finalize(SHA256Context *context, 1819 uint8_t Pad_Byte); 1820 static void SHA224_256PadMessage(SHA256Context *context, 1821 uint8_t Pad_Byte); 1822 static int SHA224_256ResultN(SHA256Context *context, 1823 uint8_t Message_Digest[ ], int HashSize); 1825 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */ 1826 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1827 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1828 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1829 }; 1831 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */ 1832 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1833 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1834 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1835 }; 1837 /* 1838 * SHA224Reset 1839 * 1840 * Description: 1841 * This function will initialize the SHA224Context in preparation 1842 * for computing a new SHA224 message digest. 1843 * 1844 * Parameters: 1845 * context: [in/out] 1846 * The context to reset. 1847 * 1848 * Returns: 1849 * sha Error Code. 1850 */ 1851 int SHA224Reset(SHA224Context *context) 1852 { 1853 return SHA224_256Reset(context, SHA224_H0); 1854 } 1856 /* 1857 * SHA224Input 1858 * 1859 * Description: 1860 * This function accepts an array of octets as the next portion 1861 * of the message. 1862 * 1863 * Parameters: 1864 * context: [in/out] 1865 * The SHA context to update 1866 * message_array[ ]: [in] 1867 * An array of octets representing the next portion of 1868 * the message. 1869 * length: [in] 1870 * The length of the message in message_array 1871 * 1872 * Returns: 1873 * sha Error Code. 1874 * 1875 */ 1876 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1877 unsigned int length) 1878 { 1879 return SHA256Input(context, message_array, length); 1880 } 1882 /* 1883 * SHA224FinalBits 1884 * 1885 * Description: 1886 * This function will add in any final bits of the message. 1887 * 1888 * Parameters: 1889 * context: [in/out] 1890 * The SHA context to update 1891 * message_bits: [in] 1892 * The final bits of the message, in the upper portion of the 1893 * byte. (Use 0b###00000 instead of 0b00000### to input the 1894 * three bits ###.) 1895 * length: [in] 1896 * The number of bits in message_bits, between 1 and 7. 1897 * 1898 * Returns: 1899 * sha Error Code. 1900 */ 1901 int SHA224FinalBits(SHA224Context *context, 1902 uint8_t message_bits, unsigned int length) 1903 { 1904 return SHA256FinalBits(context, message_bits, length); 1905 } 1907 /* 1908 * SHA224Result 1909 * 1910 * Description: 1911 * This function will return the 224-bit message digest 1912 * into the Message_Digest array provided by the caller. 1913 * NOTE: 1914 * The first octet of hash is stored in the element with index 0, 1915 * the last octet of hash in the element with index 27. 1916 * 1917 * Parameters: 1918 * context: [in/out] 1919 * The context to use to calculate the SHA hash. 1920 * Message_Digest[ ]: [out] 1921 * Where the digest is returned. 1922 * 1923 * Returns: 1924 * sha Error Code. 1926 */ 1927 int SHA224Result(SHA224Context *context, 1928 uint8_t Message_Digest[SHA224HashSize]) 1929 { 1930 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1931 } 1933 /* 1934 * SHA256Reset 1935 * 1936 * Description: 1937 * This function will initialize the SHA256Context in preparation 1938 * for computing a new SHA256 message digest. 1939 * 1940 * Parameters: 1941 * context: [in/out] 1942 * The context to reset. 1943 * 1944 * Returns: 1945 * sha Error Code. 1946 */ 1947 int SHA256Reset(SHA256Context *context) 1948 { 1949 return SHA224_256Reset(context, SHA256_H0); 1950 } 1952 /* 1953 * SHA256Input 1954 * 1955 * Description: 1956 * This function accepts an array of octets as the next portion 1957 * of the message. 1958 * 1959 * Parameters: 1960 * context: [in/out] 1961 * The SHA context to update 1962 * message_array[ ]: [in] 1963 * An array of octets representing the next portion of 1964 * the message. 1965 * length: [in] 1966 * The length of the message in message_array 1967 * 1968 * Returns: 1969 * sha Error Code. 1970 */ 1971 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1972 unsigned int length) 1973 { 1974 if (!context) return shaNull; 1975 if (!length) return shaSuccess; 1976 if (!message_array) return shaNull; 1977 if (context->Computed) return context->Corrupted = shaStateError; 1978 if (context->Corrupted) return context->Corrupted; 1980 while (length--) { 1981 context->Message_Block[context->Message_Block_Index++] = 1982 *message_array; 1984 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 1985 (context->Message_Block_Index == SHA256_Message_Block_Size)) 1986 SHA224_256ProcessMessageBlock(context); 1988 message_array++; 1989 } 1991 return context->Corrupted; 1993 } 1995 /* 1996 * SHA256FinalBits 1997 * 1998 * Description: 1999 * This function will add in any final bits of the message. 2000 * 2001 * Parameters: 2002 * context: [in/out] 2003 * The SHA context to update 2004 * message_bits: [in] 2005 * The final bits of the message, in the upper portion of the 2006 * byte. (Use 0b###00000 instead of 0b00000### to input the 2007 * three bits ###.) 2008 * length: [in] 2009 * The number of bits in message_bits, between 1 and 7. 2010 * 2011 * Returns: 2012 * sha Error Code. 2013 */ 2014 int SHA256FinalBits(SHA256Context *context, 2015 uint8_t message_bits, unsigned int length) 2016 { 2017 static uint8_t masks[8] = { 2018 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2019 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2020 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2021 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2022 }; 2023 static uint8_t markbit[8] = { 2024 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2025 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2026 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2027 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2028 }; 2030 if (!context) return shaNull; 2031 if (!length) return shaSuccess; 2032 if (context->Corrupted) return context->Corrupted; 2033 if (context->Computed) return context->Corrupted = shaStateError; 2034 if (length >= 8) return context->Corrupted = shaBadParam; 2036 SHA224_256AddLength(context, length); 2037 SHA224_256Finalize(context, (uint8_t) 2038 ((message_bits & masks[length]) | markbit[length])); 2040 return context->Corrupted; 2041 } 2043 /* 2044 * SHA256Result 2045 * 2046 * Description: 2047 * This function will return the 256-bit message digest 2048 * into the Message_Digest array provided by the caller. 2049 * NOTE: 2050 * The first octet of hash is stored in the element with index 0, 2051 * the last octet of hash in the element with index 31. 2052 * 2053 * Parameters: 2054 * context: [in/out] 2055 * The context to use to calculate the SHA hash. 2056 * Message_Digest[ ]: [out] 2057 * Where the digest is returned. 2058 * 2059 * Returns: 2060 * sha Error Code. 2061 */ 2062 int SHA256Result(SHA256Context *context, 2063 uint8_t Message_Digest[SHA256HashSize]) 2064 { 2065 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2066 } 2068 /* 2069 * SHA224_256Reset 2070 * 2071 * Description: 2072 * This helper function will initialize the SHA256Context in 2073 * preparation for computing a new SHA-224 or SHA-256 message digest. 2074 * 2075 * Parameters: 2077 * context: [in/out] 2078 * The context to reset. 2079 * H0[ ]: [in] 2080 * The initial hash value array to use. 2081 * 2082 * Returns: 2083 * sha Error Code. 2084 */ 2085 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2086 { 2087 if (!context) return shaNull; 2089 context->Length_High = context->Length_Low = 0; 2090 context->Message_Block_Index = 0; 2092 context->Intermediate_Hash[0] = H0[0]; 2093 context->Intermediate_Hash[1] = H0[1]; 2094 context->Intermediate_Hash[2] = H0[2]; 2095 context->Intermediate_Hash[3] = H0[3]; 2096 context->Intermediate_Hash[4] = H0[4]; 2097 context->Intermediate_Hash[5] = H0[5]; 2098 context->Intermediate_Hash[6] = H0[6]; 2099 context->Intermediate_Hash[7] = H0[7]; 2101 context->Computed = 0; 2102 context->Corrupted = shaSuccess; 2104 return shaSuccess; 2105 } 2107 /* 2108 * SHA224_256ProcessMessageBlock 2109 * 2110 * Description: 2111 * This helper function will process the next 512 bits of the 2112 * message stored in the Message_Block array. 2113 * 2114 * Parameters: 2115 * context: [in/out] 2116 * The SHA context to update 2117 * 2118 * Returns: 2119 * Nothing. 2120 * 2121 * Comments: 2122 * Many of the variable names in this code, especially the 2123 * single character names, were used because those were the 2124 * names used in the Secure Hash Standard. 2125 */ 2126 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2127 { 2128 /* Constants defined in FIPS 180-3, section 4.2.2 */ 2129 static const uint32_t K[64] = { 2130 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2131 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2132 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2133 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2134 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2135 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2136 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2137 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2138 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2139 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2140 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2141 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2142 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2143 }; 2144 int t, t4; /* Loop counter */ 2145 uint32_t temp1, temp2; /* Temporary word value */ 2146 uint32_t W[64]; /* Word sequence */ 2147 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2149 /* 2150 * Initialize the first 16 words in the array W 2151 */ 2152 for (t = t4 = 0; t < 16; t++, t4 += 4) 2153 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2154 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2155 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2156 (((uint32_t)context->Message_Block[t4 + 3])); 2158 for (t = 16; t < 64; t++) 2159 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2160 SHA256_sigma0(W[t-15]) + W[t-16]; 2162 A = context->Intermediate_Hash[0]; 2163 B = context->Intermediate_Hash[1]; 2164 C = context->Intermediate_Hash[2]; 2165 D = context->Intermediate_Hash[3]; 2166 E = context->Intermediate_Hash[4]; 2167 F = context->Intermediate_Hash[5]; 2168 G = context->Intermediate_Hash[6]; 2169 H = context->Intermediate_Hash[7]; 2171 for (t = 0; t < 64; t++) { 2172 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2173 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2174 H = G; 2175 G = F; 2176 F = E; 2177 E = D + temp1; 2178 D = C; 2179 C = B; 2180 B = A; 2181 A = temp1 + temp2; 2182 } 2184 context->Intermediate_Hash[0] += A; 2185 context->Intermediate_Hash[1] += B; 2186 context->Intermediate_Hash[2] += C; 2187 context->Intermediate_Hash[3] += D; 2188 context->Intermediate_Hash[4] += E; 2189 context->Intermediate_Hash[5] += F; 2190 context->Intermediate_Hash[6] += G; 2191 context->Intermediate_Hash[7] += H; 2193 context->Message_Block_Index = 0; 2194 } 2196 /* 2197 * SHA224_256Finalize 2198 * 2199 * Description: 2200 * This helper function finishes off the digest calculations. 2201 * 2202 * Parameters: 2203 * context: [in/out] 2204 * The SHA context to update 2205 * Pad_Byte: [in] 2206 * The last byte to add to the message block before the 0-padding 2207 * and length. This will contain the last bits of the message 2208 * followed by another single bit. If the message was an 2209 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2210 * 2211 * Returns: 2212 * sha Error Code. 2213 */ 2214 static void SHA224_256Finalize(SHA256Context *context, 2215 uint8_t Pad_Byte) 2216 { 2217 int i; 2218 SHA224_256PadMessage(context, Pad_Byte); 2219 /* message may be sensitive, so clear it out */ 2220 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2221 context->Message_Block[i] = 0; 2222 context->Length_High = 0; /* and clear length */ 2223 context->Length_Low = 0; 2224 context->Computed = 1; 2225 } 2226 /* 2227 * SHA224_256PadMessage 2228 * 2229 * Description: 2230 * According to the standard, the message must be padded to the next 2231 * even multiple of 512 bits. The first padding bit must be a '1'. 2232 * The last 64 bits represent the length of the original message. 2233 * All bits in between should be 0. This helper function will pad 2234 * the message according to those rules by filling the 2235 * Message_Block array accordingly. When it returns, it can be 2236 * assumed that the message digest has been computed. 2237 * 2238 * Parameters: 2239 * context: [in/out] 2240 * The context to pad 2241 * Pad_Byte: [in] 2242 * The last byte to add to the message block before the 0-padding 2243 * and length. This will contain the last bits of the message 2244 * followed by another single bit. If the message was an 2245 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2246 * 2247 * Returns: 2248 * Nothing. 2249 */ 2250 static void SHA224_256PadMessage(SHA256Context *context, 2251 uint8_t Pad_Byte) 2252 { 2253 /* 2254 * Check to see if the current message block is too small to hold 2255 * the initial padding bits and length. If so, we will pad the 2256 * block, process it, and then continue padding into a second 2257 * block. 2258 */ 2259 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2260 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2261 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2262 context->Message_Block[context->Message_Block_Index++] = 0; 2263 SHA224_256ProcessMessageBlock(context); 2264 } else 2265 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2267 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2268 context->Message_Block[context->Message_Block_Index++] = 0; 2270 /* 2271 * Store the message length as the last 8 octets 2272 */ 2273 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2274 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2275 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2276 context->Message_Block[59] = (uint8_t)(context->Length_High); 2277 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2278 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2279 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2280 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2282 SHA224_256ProcessMessageBlock(context); 2283 } 2285 /* 2286 * SHA224_256ResultN 2287 * 2288 * Description: 2289 * This helper function will return the 224-bit or 256-bit message 2290 * digest into the Message_Digest array provided by the caller. 2291 * NOTE: 2292 * The first octet of hash is stored in the element with index 0, 2293 * the last octet of hash in the element with index 27/31. 2294 * 2295 * Parameters: 2296 * context: [in/out] 2297 * The context to use to calculate the SHA hash. 2298 * Message_Digest[ ]: [out] 2299 * Where the digest is returned. 2300 * HashSize: [in] 2301 * The size of the hash, either 28 or 32. 2302 * 2303 * Returns: 2304 * sha Error Code. 2305 */ 2306 static int SHA224_256ResultN(SHA256Context *context, 2307 uint8_t Message_Digest[ ], int HashSize) 2308 { 2309 int i; 2311 if (!context) return shaNull; 2312 if (!Message_Digest) return shaNull; 2313 if (context->Corrupted) return context->Corrupted; 2315 if (!context->Computed) 2316 SHA224_256Finalize(context, 0x80); 2318 for (i = 0; i < HashSize; ++i) 2319 Message_Digest[i] = (uint8_t) 2320 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2322 return shaSuccess; 2323 } 2324 8.2.3 sha384-512.c 2326 /************************* sha384-512.c ************************/ 2327 /***************** See RFC NNNN for details. *******************/ 2328 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2329 /* authors of the code. All rights reserved. */ 2330 /* See sha.h for terms of use and redistribution. */ 2332 /* 2333 * Description: 2334 * This file implements the Secure Hash Algorithms SHA-384 and 2335 * SHA-512 as defined in the U.S. National Institute of Standards 2336 * and Technology Federal Information Processing Standards 2337 * Publication (FIPS PUB) 180-3 published in October 2008 2338 * and formerly defined in its predecessors, FIPS PUB 180-1 2339 * and FIP PUB 180-2. 2340 * 2341 * A combined document showing all algorithms is available at 2342 * http://csrc.nist.gov/publications/fips/ 2343 * fips180-3/fips180-3_final.pdf 2344 * 2345 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2346 * message digests for a given data stream. It should take about 2347 * 2**n steps to find a message with the same digest as a given 2348 * message and 2**(n/2) to find any two messages with the same 2349 * digest, when n is the digest size in bits. Therefore, this 2350 * algorithm can serve as a means of providing a 2351 * "fingerprint" for a message. 2352 * 2353 * Portability Issues: 2354 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2355 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2356 * terms of 32-bit "words". This code uses (included 2357 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2358 * types. If your C compiler does not support 64 bit unsigned 2359 * integers, and you do not #define USE_32BIT_ONLY, this code is 2360 * not appropriate. 2361 * 2362 * Caveats: 2363 * SHA-384 and SHA-512 are designed to work with messages less 2364 * than 2^128 bits long. This implementation uses SHA384/512Input() 2365 * to hash the bits that are a multiple of the size of an 8-bit 2366 * octet, and then optionally uses SHA384/256FinalBits() 2367 * to hash the final few bits of the input. 2368 * 2369 */ 2371 #include "sha.h" 2373 #ifdef USE_32BIT_ONLY 2374 /* 2375 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2376 * Each 64-bit number is represented in a 2-word array. 2377 * All macros are defined such that the result is the last parameter. 2378 */ 2380 /* 2381 * Define shift, rotate left and rotate right functions 2382 */ 2383 #define SHA512_SHR(bits, word, ret) ( \ 2384 /* (((uint64_t)((word))) >> (bits)) */ \ 2385 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2386 ((word)[0] >> (bits)) : 0, \ 2387 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2388 ((bits) == 32) ? (word)[0] : \ 2389 ((bits) >= 0) ? \ 2390 (((word)[0] << (32 - (bits))) | \ 2391 ((word)[1] >> (bits))) : 0 ) 2393 #define SHA512_SHL(bits, word, ret) ( \ 2394 /* (((uint64_t)(word)) << (bits)) */ \ 2395 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2396 ((bits) == 32) ? (word)[1] : \ 2397 ((bits) >= 0) ? \ 2398 (((word)[0] << (bits)) | \ 2399 ((word)[1] >> (32 - (bits)))) : \ 2400 0, \ 2401 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2402 ((word)[1] << (bits)) : 0 ) 2404 /* 2405 * Define 64-bit OR 2406 */ 2407 #define SHA512_OR(word1, word2, ret) ( \ 2408 (ret)[0] = (word1)[0] | (word2)[0], \ 2409 (ret)[1] = (word1)[1] | (word2)[1] ) 2411 /* 2412 * Define 64-bit XOR 2413 */ 2414 #define SHA512_XOR(word1, word2, ret) ( \ 2415 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2416 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2418 /* 2419 * Define 64-bit AND 2420 */ 2421 #define SHA512_AND(word1, word2, ret) ( \ 2422 (ret)[0] = (word1)[0] & (word2)[0], \ 2423 (ret)[1] = (word1)[1] & (word2)[1] ) 2425 /* 2426 * Define 64-bit TILDA 2427 */ 2428 #define SHA512_TILDA(word, ret) \ 2429 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2431 /* 2432 * Define 64-bit ADD 2433 */ 2434 #define SHA512_ADD(word1, word2, ret) ( \ 2435 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2436 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2438 /* 2439 * Add the 4word value in word2 to word1. 2440 */ 2441 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2442 #define SHA512_ADDTO4(word1, word2) ( \ 2443 ADDTO4_temp = (word1)[3], \ 2444 (word1)[3] += (word2)[3], \ 2445 ADDTO4_temp2 = (word1)[2], \ 2446 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2447 ADDTO4_temp = (word1)[1], \ 2448 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2449 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2451 /* 2452 * Add the 2word value in word2 to word1. 2453 */ 2454 static uint32_t ADDTO2_temp; 2455 #define SHA512_ADDTO2(word1, word2) ( \ 2456 ADDTO2_temp = (word1)[1], \ 2457 (word1)[1] += (word2)[1], \ 2458 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2460 /* 2461 * SHA rotate ((word >> bits) | (word << (64-bits))) 2462 */ 2463 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2464 #define SHA512_ROTR(bits, word, ret) ( \ 2465 SHA512_SHR((bits), (word), ROTR_temp1), \ 2466 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2467 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2469 /* 2470 * Define the SHA SIGMA and sigma macros 2471 * 2472 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2473 */ 2474 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2475 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2476 #define SHA512_SIGMA0(word, ret) ( \ 2477 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2478 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2479 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2480 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2481 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2483 /* 2484 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2485 */ 2486 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2487 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2488 #define SHA512_SIGMA1(word, ret) ( \ 2489 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2490 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2491 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2492 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2493 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2495 /* 2496 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2497 */ 2498 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2499 sigma0_temp3[2], sigma0_temp4[2]; 2500 #define SHA512_sigma0(word, ret) ( \ 2501 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2502 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2503 SHA512_SHR( 7, (word), sigma0_temp3), \ 2504 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2505 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2507 /* 2508 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2509 */ 2510 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2511 sigma1_temp3[2], sigma1_temp4[2]; 2512 #define SHA512_sigma1(word, ret) ( \ 2513 SHA512_ROTR(19, (word), sigma1_temp1), \ 2514 SHA512_ROTR(61, (word), sigma1_temp2), \ 2515 SHA512_SHR( 6, (word), sigma1_temp3), \ 2516 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2517 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2519 #ifndef USE_MODIFIED_MACROS 2520 /* 2521 * These definitions are the ones used in FIPS 180-3, section 4.1.3 2522 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2523 */ 2524 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2525 #define SHA_Ch(x, y, z, ret) ( \ 2526 SHA512_AND(x, y, Ch_temp1), \ 2527 SHA512_TILDA(x, Ch_temp2), \ 2528 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2529 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2531 /* 2532 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2533 */ 2534 static uint32_t Maj_temp1[2], Maj_temp2[2], 2535 Maj_temp3[2], Maj_temp4[2]; 2536 #define SHA_Maj(x, y, z, ret) ( \ 2537 SHA512_AND(x, y, Maj_temp1), \ 2538 SHA512_AND(x, z, Maj_temp2), \ 2539 SHA512_AND(y, z, Maj_temp3), \ 2540 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2541 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2543 #else /* !USE_MODIFIED_MACROS */ 2544 /* 2545 * These definitions are potentially faster equivalents for the ones 2546 * used in FIPS 180-3, section 4.1.3. 2547 * ((x & y) ^ (~x & z)) becomes 2548 * ((x & (y ^ z)) ^ z) 2549 */ 2550 #define SHA_Ch(x, y, z, ret) ( \ 2551 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2552 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2554 /* 2555 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2556 * ((x & (y | z)) | (y & z)) 2557 */ 2558 #define SHA_Maj(x, y, z, ret) ( \ 2559 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2560 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2561 #endif /* USE_MODIFIED_MACROS */ 2563 /* 2564 * Add "length" to the length. 2565 * Set Corrupted when overflow has occurred. 2566 */ 2567 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2568 #define SHA384_512AddLength(context, length) ( \ 2569 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2570 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2571 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2572 ((context)->Length[0] == 0)) ? shaInputTooLong : \ 2573 (context)->Corrupted ) 2575 /* Local Function Prototypes */ 2576 static int SHA384_512Reset(SHA512Context *context, 2577 uint32_t H0[SHA512HashSize/4]); 2578 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2579 static void SHA384_512Finalize(SHA512Context *context, 2580 uint8_t Pad_Byte); 2581 static void SHA384_512PadMessage(SHA512Context *context, 2582 uint8_t Pad_Byte); 2583 static int SHA384_512ResultN( SHA512Context *context, 2584 uint8_t Message_Digest[ ], int HashSize); 2586 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2587 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2588 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2589 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2590 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2591 0xBEFA4FA4 2592 }; 2594 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2595 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2596 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2597 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2598 0x137E2179 2599 }; 2601 #else /* !USE_32BIT_ONLY */ 2603 #include "sha-private.h" 2605 /* Define the SHA shift, rotate left and rotate right macro */ 2606 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2607 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2608 (((uint64_t)(word)) << (64-(bits)))) 2610 /* 2611 * Define the SHA SIGMA and sigma macros 2612 * 2613 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2614 */ 2615 #define SHA512_SIGMA0(word) \ 2616 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2617 #define SHA512_SIGMA1(word) \ 2618 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2619 #define SHA512_sigma0(word) \ 2620 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2621 #define SHA512_sigma1(word) \ 2622 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2624 /* 2625 * Add "length" to the length. 2626 * Set Corrupted when overflow has occurred. 2627 */ 2628 static uint64_t addTemp; 2629 #define SHA384_512AddLength(context, length) \ 2630 (addTemp = context->Length_Low, context->Corrupted = \ 2631 ((context->Length_Low += length) < addTemp) && \ 2632 (++context->Length_High == 0) ? shaInputTooLong : \ 2633 (context)->Corrupted) 2635 /* Local Function Prototypes */ 2636 static int SHA384_512Reset(SHA512Context *context, 2637 uint64_t H0[SHA512HashSize/8]); 2638 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2639 static void SHA384_512Finalize(SHA512Context *context, 2640 uint8_t Pad_Byte); 2641 static void SHA384_512PadMessage(SHA512Context *context, 2642 uint8_t Pad_Byte); 2643 static int SHA384_512ResultN(SHA512Context *context, 2644 uint8_t Message_Digest[ ], int HashSize); 2646 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2647 static uint64_t SHA384_H0[ ] = { 2648 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2649 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2650 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2651 }; 2652 static uint64_t SHA512_H0[ ] = { 2653 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2654 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2655 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2656 }; 2658 #endif /* USE_32BIT_ONLY */ 2660 /* 2661 * SHA384Reset 2662 * 2663 * Description: 2664 * This function will initialize the SHA384Context in preparation 2665 * for computing a new SHA384 message digest. 2666 * 2667 * Parameters: 2668 * context: [in/out] 2669 * The context to reset. 2670 * 2671 * Returns: 2672 * sha Error Code. 2673 * 2674 */ 2676 int SHA384Reset(SHA384Context *context) 2677 { 2678 return SHA384_512Reset(context, SHA384_H0); 2679 } 2681 /* 2682 * SHA384Input 2683 * 2684 * Description: 2685 * This function accepts an array of octets as the next portion 2686 * of the message. 2687 * 2688 * Parameters: 2689 * context: [in/out] 2690 * The SHA context to update 2691 * message_array[ ]: [in] 2692 * An array of octets representing the next portion of 2693 * the message. 2694 * length: [in] 2695 * The length of the message in message_array 2696 * 2697 * Returns: 2698 * sha Error Code. 2699 * 2700 */ 2701 int SHA384Input(SHA384Context *context, 2702 const uint8_t *message_array, unsigned int length) 2703 { 2704 return SHA512Input(context, message_array, length); 2705 } 2707 /* 2708 * SHA384FinalBits 2709 * 2710 * Description: 2711 * This function will add in any final bits of the message. 2712 * 2713 * Parameters: 2714 * context: [in/out] 2715 * The SHA context to update 2716 * message_bits: [in] 2717 * The final bits of the message, in the upper portion of the 2718 * byte. (Use 0b###00000 instead of 0b00000### to input the 2719 * three bits ###.) 2720 * length: [in] 2721 * The number of bits in message_bits, between 1 and 7. 2722 * 2723 * Returns: 2724 * sha Error Code. 2725 * 2726 */ 2727 int SHA384FinalBits(SHA384Context *context, 2728 uint8_t message_bits, unsigned int length) 2729 { 2730 return SHA512FinalBits(context, message_bits, length); 2731 } 2733 /* 2734 * SHA384Result 2735 * 2736 * Description: 2737 * This function will return the 384-bit message digest 2738 * into the Message_Digest array provided by the caller. 2739 * NOTE: 2740 * The first octet of hash is stored in the element with index 0, 2741 * the last octet of hash in the element with index 47. 2742 * 2743 * Parameters: 2744 * context: [in/out] 2745 * The context to use to calculate the SHA hash. 2746 * Message_Digest[ ]: [out] 2747 * Where the digest is returned. 2748 * 2749 * Returns: 2750 * sha Error Code. 2751 * 2752 */ 2753 int SHA384Result(SHA384Context *context, 2754 uint8_t Message_Digest[SHA384HashSize]) 2755 { 2756 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2757 } 2759 /* 2760 * SHA512Reset 2761 * 2762 * Description: 2763 * This function will initialize the SHA512Context in preparation 2764 * for computing a new SHA512 message digest. 2765 * 2766 * Parameters: 2767 * context: [in/out] 2768 * The context to reset. 2769 * 2770 * Returns: 2771 * sha Error Code. 2772 * 2773 */ 2774 int SHA512Reset(SHA512Context *context) 2775 { 2776 return SHA384_512Reset(context, SHA512_H0); 2777 } 2779 /* 2780 * SHA512Input 2781 * 2782 * Description: 2783 * This function accepts an array of octets as the next portion 2784 * of the message. 2785 * 2786 * Parameters: 2787 * context: [in/out] 2788 * The SHA context to update 2789 * message_array[ ]: [in] 2790 * An array of octets representing the next portion of 2791 * the message. 2792 * length: [in] 2793 * The length of the message in message_array 2794 * 2795 * Returns: 2796 * sha Error Code. 2797 * 2798 */ 2799 int SHA512Input(SHA512Context *context, 2800 const uint8_t *message_array, 2801 unsigned int length) 2802 { 2803 if (!context) return shaNull; 2804 if (!length) return shaSuccess; 2805 if (!message_array) return shaNull; 2806 if (context->Computed) return context->Corrupted = shaStateError; 2807 if (context->Corrupted) return context->Corrupted; 2809 while (length--) { 2810 context->Message_Block[context->Message_Block_Index++] = 2811 *message_array; 2813 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2814 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2815 SHA384_512ProcessMessageBlock(context); 2817 message_array++; 2818 } 2820 return context->Corrupted; 2821 } 2823 /* 2824 * SHA512FinalBits 2825 * 2826 * Description: 2827 * This function will add in any final bits of the message. 2828 * 2829 * Parameters: 2830 * context: [in/out] 2831 * The SHA context to update 2832 * message_bits: [in] 2833 * The final bits of the message, in the upper portion of the 2834 * byte. (Use 0b###00000 instead of 0b00000### to input the 2835 * three bits ###.) 2836 * length: [in] 2837 * The number of bits in message_bits, between 1 and 7. 2838 * 2839 * Returns: 2840 * sha Error Code. 2841 * 2842 */ 2843 int SHA512FinalBits(SHA512Context *context, 2844 uint8_t message_bits, unsigned int length) 2845 { 2846 static uint8_t masks[8] = { 2847 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2848 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2849 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2850 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2851 }; 2852 static uint8_t markbit[8] = { 2853 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2854 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2855 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2856 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2857 }; 2859 if (!context) return shaNull; 2860 if (!length) return shaSuccess; 2861 if (context->Corrupted) return context->Corrupted; 2862 if (context->Computed) return context->Corrupted = shaStateError; 2863 if (length >= 8) return context->Corrupted = shaBadParam; 2865 SHA384_512AddLength(context, length); 2866 SHA384_512Finalize(context, (uint8_t) 2867 ((message_bits & masks[length]) | markbit[length])); 2869 return context->Corrupted; 2870 } 2872 /* 2873 * SHA512Result 2874 * 2875 * Description: 2877 * This function will return the 512-bit message digest 2878 * into the Message_Digest array provided by the caller. 2879 * NOTE: 2880 * The first octet of hash is stored in the element with index 0, 2881 * the last octet of hash in the element with index 63. 2882 * 2883 * Parameters: 2884 * context: [in/out] 2885 * The context to use to calculate the SHA hash. 2886 * Message_Digest[ ]: [out] 2887 * Where the digest is returned. 2888 * 2889 * Returns: 2890 * sha Error Code. 2891 * 2892 */ 2893 int SHA512Result(SHA512Context *context, 2894 uint8_t Message_Digest[SHA512HashSize]) 2895 { 2896 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2897 } 2899 /* 2900 * SHA384_512Reset 2901 * 2902 * Description: 2903 * This helper function will initialize the SHA512Context in 2904 * preparation for computing a new SHA384 or SHA512 message 2905 * digest. 2906 * 2907 * Parameters: 2908 * context: [in/out] 2909 * The context to reset. 2910 * H0[ ]: [in] 2911 * The initial hash value array to use. 2912 * 2913 * Returns: 2914 * sha Error Code. 2915 * 2916 */ 2917 #ifdef USE_32BIT_ONLY 2918 static int SHA384_512Reset(SHA512Context *context, 2919 uint32_t H0[SHA512HashSize/4]) 2920 #else /* !USE_32BIT_ONLY */ 2921 static int SHA384_512Reset(SHA512Context *context, 2922 uint64_t H0[SHA512HashSize/8]) 2923 #endif /* USE_32BIT_ONLY */ 2924 { 2925 int i; 2926 if (!context) return shaNull; 2927 context->Message_Block_Index = 0; 2929 #ifdef USE_32BIT_ONLY 2930 context->Length[0] = context->Length[1] = 2931 context->Length[2] = context->Length[3] = 0; 2933 for (i = 0; i < SHA512HashSize/4; i++) 2934 context->Intermediate_Hash[i] = H0[i]; 2935 #else /* !USE_32BIT_ONLY */ 2936 context->Length_High = context->Length_Low = 0; 2938 for (i = 0; i < SHA512HashSize/8; i++) 2939 context->Intermediate_Hash[i] = H0[i]; 2940 #endif /* USE_32BIT_ONLY */ 2942 context->Computed = 0; 2943 context->Corrupted = shaSuccess; 2945 return shaSuccess; 2946 } 2948 /* 2949 * SHA384_512ProcessMessageBlock 2950 * 2951 * Description: 2952 * This helper function will process the next 1024 bits of the 2953 * message stored in the Message_Block array. 2954 * 2955 * Parameters: 2956 * context: [in/out] 2957 * The SHA context to update 2958 * 2959 * Returns: 2960 * Nothing. 2961 * 2962 * Comments: 2963 * Many of the variable names in this code, especially the 2964 * single character names, were used because those were the 2965 * names used in the Secure Hash Standard. 2966 * 2967 * 2968 */ 2969 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 2970 { 2971 #ifdef USE_32BIT_ONLY 2972 /* Constants defined in FIPS 180-3, section 4.2.3 */ 2973 static const uint32_t K[80*2] = { 2974 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 2975 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 2976 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 2977 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 2978 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 2979 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 2980 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 2981 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 2982 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 2983 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 2984 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 2985 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 2986 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 2987 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 2988 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 2989 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 2990 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 2991 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 2992 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 2993 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 2994 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 2995 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 2996 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 2997 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 2998 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 2999 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3000 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3001 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3002 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3003 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3004 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3005 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3006 }; 3007 int t, t2, t8; /* Loop counter */ 3008 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3009 temp3[2], temp4[2], temp5[2]; 3010 uint32_t W[2*80]; /* Word sequence */ 3011 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3012 E[2], F[2], G[2], H[2]; 3014 /* Initialize the first 16 words in the array W */ 3015 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3016 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3017 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3018 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3019 ((((uint32_t)context->Message_Block[t8 + 3]))); 3020 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3021 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3022 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3023 ((((uint32_t)context->Message_Block[t8 + 7]))); 3024 } 3026 for (t = 16; t < 80; t++, t2 += 2) { 3027 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3028 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3029 uint32_t *Wt2 = &W[t2-2*2]; 3030 uint32_t *Wt7 = &W[t2-7*2]; 3031 uint32_t *Wt15 = &W[t2-15*2]; 3032 uint32_t *Wt16 = &W[t2-16*2]; 3033 SHA512_sigma1(Wt2, temp1); 3034 SHA512_ADD(temp1, Wt7, temp2); 3035 SHA512_sigma0(Wt15, temp1); 3036 SHA512_ADD(temp1, Wt16, temp3); 3037 SHA512_ADD(temp2, temp3, &W[t2]); 3038 } 3040 A[0] = context->Intermediate_Hash[0]; 3041 A[1] = context->Intermediate_Hash[1]; 3042 B[0] = context->Intermediate_Hash[2]; 3043 B[1] = context->Intermediate_Hash[3]; 3044 C[0] = context->Intermediate_Hash[4]; 3045 C[1] = context->Intermediate_Hash[5]; 3046 D[0] = context->Intermediate_Hash[6]; 3047 D[1] = context->Intermediate_Hash[7]; 3048 E[0] = context->Intermediate_Hash[8]; 3049 E[1] = context->Intermediate_Hash[9]; 3050 F[0] = context->Intermediate_Hash[10]; 3051 F[1] = context->Intermediate_Hash[11]; 3052 G[0] = context->Intermediate_Hash[12]; 3053 G[1] = context->Intermediate_Hash[13]; 3054 H[0] = context->Intermediate_Hash[14]; 3055 H[1] = context->Intermediate_Hash[15]; 3057 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3058 /* 3059 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3060 */ 3061 SHA512_SIGMA1(E,temp1); 3062 SHA512_ADD(H, temp1, temp2); 3063 SHA_Ch(E,F,G,temp3); 3064 SHA512_ADD(temp2, temp3, temp4); 3065 SHA512_ADD(&K[t2], &W[t2], temp5); 3066 SHA512_ADD(temp4, temp5, temp1); 3067 /* 3068 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3069 */ 3070 SHA512_SIGMA0(A,temp3); 3071 SHA_Maj(A,B,C,temp4); 3072 SHA512_ADD(temp3, temp4, temp2); 3073 H[0] = G[0]; H[1] = G[1]; 3074 G[0] = F[0]; G[1] = F[1]; 3075 F[0] = E[0]; F[1] = E[1]; 3076 SHA512_ADD(D, temp1, E); 3077 D[0] = C[0]; D[1] = C[1]; 3078 C[0] = B[0]; C[1] = B[1]; 3079 B[0] = A[0]; B[1] = A[1]; 3080 SHA512_ADD(temp1, temp2, A); 3081 } 3083 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3084 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3085 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3086 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3087 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3088 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3089 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3090 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3092 #else /* !USE_32BIT_ONLY */ 3093 /* Constants defined in FIPS 180-3, section 4.2.3 */ 3094 static const uint64_t K[80] = { 3095 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3096 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3097 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3098 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3099 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3100 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3101 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3102 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3103 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3104 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3105 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3106 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3107 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3108 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3109 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3110 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3111 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3112 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3113 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3114 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3115 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3116 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3117 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3118 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3119 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3120 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3121 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3122 }; 3123 int t, t8; /* Loop counter */ 3124 uint64_t temp1, temp2; /* Temporary word value */ 3125 uint64_t W[80]; /* Word sequence */ 3126 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3127 /* 3128 * Initialize the first 16 words in the array W 3129 */ 3130 for (t = t8 = 0; t < 16; t++, t8 += 8) 3131 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3132 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3133 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3134 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3135 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3136 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3137 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3138 ((uint64_t)(context->Message_Block[t8 + 7])); 3140 for (t = 16; t < 80; t++) 3141 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3142 SHA512_sigma0(W[t-15]) + W[t-16]; 3144 A = context->Intermediate_Hash[0]; 3145 B = context->Intermediate_Hash[1]; 3146 C = context->Intermediate_Hash[2]; 3147 D = context->Intermediate_Hash[3]; 3148 E = context->Intermediate_Hash[4]; 3149 F = context->Intermediate_Hash[5]; 3150 G = context->Intermediate_Hash[6]; 3151 H = context->Intermediate_Hash[7]; 3153 for (t = 0; t < 80; t++) { 3154 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3155 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3156 H = G; 3157 G = F; 3158 F = E; 3159 E = D + temp1; 3160 D = C; 3161 C = B; 3162 B = A; 3163 A = temp1 + temp2; 3164 } 3166 context->Intermediate_Hash[0] += A; 3167 context->Intermediate_Hash[1] += B; 3168 context->Intermediate_Hash[2] += C; 3169 context->Intermediate_Hash[3] += D; 3170 context->Intermediate_Hash[4] += E; 3171 context->Intermediate_Hash[5] += F; 3172 context->Intermediate_Hash[6] += G; 3173 context->Intermediate_Hash[7] += H; 3174 #endif /* USE_32BIT_ONLY */ 3176 context->Message_Block_Index = 0; 3178 } 3180 /* 3181 * SHA384_512Finalize 3182 * 3183 * Description: 3184 * This helper function finishes off the digest calculations. 3185 * 3186 * Parameters: 3187 * context: [in/out] 3188 * The SHA context to update 3189 * Pad_Byte: [in] 3190 * The last byte to add to the message block before the 0-padding 3191 * and length. This will contain the last bits of the message 3192 * followed by another single bit. If the message was an 3193 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3194 * 3195 * Returns: 3196 * sha Error Code. 3197 * 3198 */ 3199 static void SHA384_512Finalize(SHA512Context *context, 3200 uint8_t Pad_Byte) 3201 { 3202 int_least16_t i; 3203 SHA384_512PadMessage(context, Pad_Byte); 3204 /* message may be sensitive, clear it out */ 3205 for (i = 0; i < SHA512_Message_Block_Size; ++i) 3206 context->Message_Block[i] = 0; 3207 #ifdef USE_32BIT_ONLY /* and clear length */ 3208 context->Length[0] = context->Length[1] = 0; 3209 context->Length[2] = context->Length[3] = 0; 3210 #else /* !USE_32BIT_ONLY */ 3211 context->Length_High = context->Length_Low = 0; 3212 #endif /* USE_32BIT_ONLY */ 3213 context->Computed = 1; 3214 } 3216 /* 3217 * SHA384_512PadMessage 3218 * 3219 * Description: 3220 * According to the standard, the message must be padded to the next 3221 * even multiple of 1024 bits. The first padding bit must be a '1'. 3222 * The last 128 bits represent the length of the original message. 3223 * All bits in between should be 0. This helper function will 3224 * pad the message according to those rules by filling the 3225 * Message_Block array accordingly. When it returns, it can be 3226 * assumed that the message digest has been computed. 3227 * 3228 * Parameters: 3229 * context: [in/out] 3230 * The context to pad 3231 * Pad_Byte: [in] 3232 * The last byte to add to the message block before the 0-padding 3233 * and length. This will contain the last bits of the message 3234 * followed by another single bit. If the message was an 3235 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3236 * 3237 * Returns: 3238 * Nothing. 3239 * 3240 */ 3241 static void SHA384_512PadMessage(SHA512Context *context, 3242 uint8_t Pad_Byte) 3243 { 3244 /* 3245 * Check to see if the current message block is too small to hold 3246 * the initial padding bits and length. If so, we will pad the 3247 * block, process it, and then continue padding into a second 3248 * block. 3249 */ 3250 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 3251 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3252 while (context->Message_Block_Index < SHA512_Message_Block_Size) 3253 context->Message_Block[context->Message_Block_Index++] = 0; 3255 SHA384_512ProcessMessageBlock(context); 3256 } else 3257 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3259 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 3260 context->Message_Block[context->Message_Block_Index++] = 0; 3262 /* 3263 * Store the message length as the last 16 octets 3264 */ 3265 #ifdef USE_32BIT_ONLY 3266 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 3267 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 3268 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 3269 context->Message_Block[115] = (uint8_t)(context->Length[0]); 3270 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 3271 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 3272 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 3273 context->Message_Block[119] = (uint8_t)(context->Length[1]); 3275 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 3276 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 3277 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 3278 context->Message_Block[123] = (uint8_t)(context->Length[2]); 3279 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 3280 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 3281 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3282 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3283 #else /* !USE_32BIT_ONLY */ 3284 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3285 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3286 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3287 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3288 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3289 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3290 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3291 context->Message_Block[119] = (uint8_t)(context->Length_High); 3293 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3294 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3295 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3296 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3297 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3298 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3299 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3300 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3301 #endif /* USE_32BIT_ONLY */ 3303 SHA384_512ProcessMessageBlock(context); 3304 } 3306 /* 3307 * SHA384_512ResultN 3308 * 3309 * Description: 3310 * This helper function will return the 384-bit or 512-bit message 3311 * digest into the Message_Digest array provided by the caller. 3312 * NOTE: 3313 * The first octet of hash is stored in the element with index 0, 3314 * the last octet of hash in the element with index 47/63. 3315 * 3316 * Parameters: 3317 * context: [in/out] 3318 * The context to use to calculate the SHA hash. 3319 * Message_Digest[ ]: [out] 3320 * Where the digest is returned. 3321 * HashSize: [in] 3322 * The size of the hash, either 48 or 64. 3323 * 3324 * Returns: 3325 * sha Error Code. 3326 * 3327 */ 3329 static int SHA384_512ResultN(SHA512Context *context, 3330 uint8_t Message_Digest[ ], int HashSize) 3331 { 3332 int i; 3333 #ifdef USE_32BIT_ONLY 3334 int i2; 3335 #endif /* USE_32BIT_ONLY */ 3337 if (!context) return shaNull; 3338 if (!Message_Digest) return shaNull; 3339 if (context->Corrupted) return context->Corrupted; 3341 if (!context->Computed) 3342 SHA384_512Finalize(context, 0x80); 3344 #ifdef USE_32BIT_ONLY 3345 for (i = i2 = 0; i < HashSize; ) { 3346 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3347 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3348 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3349 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3350 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3351 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3352 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3353 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3354 } 3355 #else /* !USE_32BIT_ONLY */ 3356 for (i = 0; i < HashSize; ++i) 3357 Message_Digest[i] = (uint8_t) 3358 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3359 #endif /* USE_32BIT_ONLY */ 3361 return shaSuccess; 3362 } 3364 8.2.4 usha.c 3366 /**************************** usha.c ***************************/ 3367 /***************** See RFC NNNN for details. *******************/ 3368 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3369 /* authors of the code. All rights reserved. */ 3370 /* See sha.h for terms of use and redistribution. */ 3372 /* 3373 * Description: 3374 * This file implements a unified interface to the SHA algorithms. 3375 */ 3377 #include "sha.h" 3379 /* 3380 * USHAReset 3381 * 3382 * Description: 3383 * This function will initialize the SHA Context in preparation 3384 * for computing a new SHA message digest. 3385 * 3386 * Parameters: 3387 * context: [in/out] 3388 * The context to reset. 3389 * whichSha: [in] 3390 * Selects which SHA reset to call 3391 * 3392 * Returns: 3393 * sha Error Code. 3394 * 3395 */ 3396 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3397 { 3398 if (!context) return shaNull; 3399 context->whichSha = whichSha; 3400 switch (whichSha) { 3401 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3402 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3403 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3404 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3405 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3406 default: return shaBadParam; 3407 } 3408 } 3410 /* 3411 * USHAInput 3412 * 3413 * Description: 3414 * This function accepts an array of octets as the next portion 3415 * of the message. 3416 * 3417 * Parameters: 3418 * context: [in/out] 3419 * The SHA context to update 3420 * message_array: [in] 3421 * An array of octets representing the next portion of 3422 * the message. 3423 * length: [in] 3424 * The length of the message in message_array 3425 * 3426 * Returns: 3428 * sha Error Code. 3429 * 3430 */ 3431 int USHAInput(USHAContext *context, 3432 const uint8_t *bytes, unsigned int bytecount) 3433 { 3434 if (!context) return shaNull; 3435 switch (context->whichSha) { 3436 case SHA1: 3437 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3438 bytecount); 3439 case SHA224: 3440 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3441 bytecount); 3442 case SHA256: 3443 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3444 bytecount); 3445 case SHA384: 3446 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3447 bytecount); 3448 case SHA512: 3449 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3450 bytecount); 3451 default: return shaBadParam; 3452 } 3453 } 3455 /* 3456 * USHAFinalBits 3457 * 3458 * Description: 3459 * This function will add in any final bits of the message. 3460 * 3461 * Parameters: 3462 * context: [in/out] 3463 * The SHA context to update 3464 * message_bits: [in] 3465 * The final bits of the message, in the upper portion of the 3466 * byte. (Use 0b###00000 instead of 0b00000### to input the 3467 * three bits ###.) 3468 * length: [in] 3469 * The number of bits in message_bits, between 1 and 7. 3470 * 3471 * Returns: 3472 * sha Error Code. 3473 */ 3474 int USHAFinalBits(USHAContext *context, 3475 uint8_t bits, unsigned int bit_count) 3476 { 3477 if (!context) return shaNull; 3478 switch (context->whichSha) { 3479 case SHA1: 3480 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3481 bit_count); 3482 case SHA224: 3483 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3484 bit_count); 3485 case SHA256: 3486 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3487 bit_count); 3488 case SHA384: 3489 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3490 bit_count); 3491 case SHA512: 3492 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3493 bit_count); 3494 default: return shaBadParam; 3495 } 3496 } 3498 /* 3499 * USHAResult 3500 * 3501 * Description: 3502 * This function will return the message digest of the appropriate 3503 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3504 * 'whichSHA' value used in the preceeding call to USHAReset, 3505 * into the Message_Digest array provided by the caller. 3506 * 3507 * Parameters: 3508 * context: [in/out] 3509 * The context to use to calculate the SHA-1 hash. 3510 * Message_Digest: [out] 3511 * Where the digest is returned. 3512 * 3513 * Returns: 3514 * sha Error Code. 3515 * 3516 */ 3517 int USHAResult(USHAContext *context, 3518 uint8_t Message_Digest[USHAMaxHashSize]) 3519 { 3520 if (!context) return shaNull; 3521 switch (context->whichSha) { 3522 case SHA1: 3523 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3524 case SHA224: 3525 return SHA224Result((SHA224Context*)&context->ctx, 3526 Message_Digest); 3527 case SHA256: 3529 return SHA256Result((SHA256Context*)&context->ctx, 3530 Message_Digest); 3531 case SHA384: 3532 return SHA384Result((SHA384Context*)&context->ctx, 3533 Message_Digest); 3534 case SHA512: 3535 return SHA512Result((SHA512Context*)&context->ctx, 3536 Message_Digest); 3537 default: return shaBadParam; 3538 } 3539 } 3541 /* 3542 * USHABlockSize 3543 * 3544 * Description: 3545 * This function will return the blocksize for the given SHA 3546 * algorithm. 3547 * 3548 * Parameters: 3549 * whichSha: 3550 * which SHA algorithm to query 3551 * 3552 * Returns: 3553 * block size 3554 * 3555 */ 3556 int USHABlockSize(enum SHAversion whichSha) 3557 { 3558 switch (whichSha) { 3559 case SHA1: return SHA1_Message_Block_Size; 3560 case SHA224: return SHA224_Message_Block_Size; 3561 case SHA256: return SHA256_Message_Block_Size; 3562 case SHA384: return SHA384_Message_Block_Size; 3563 default: 3564 case SHA512: return SHA512_Message_Block_Size; 3565 } 3566 } 3568 /* 3569 * USHAHashSize 3570 * 3571 * Description: 3572 * This function will return the hashsize for the given SHA 3573 * algorithm. 3574 * 3575 * Parameters: 3576 * whichSha: 3577 * which SHA algorithm to query 3578 * 3579 * Returns: 3580 * hash size 3581 * 3582 */ 3583 int USHAHashSize(enum SHAversion whichSha) 3584 { 3585 switch (whichSha) { 3586 case SHA1: return SHA1HashSize; 3587 case SHA224: return SHA224HashSize; 3588 case SHA256: return SHA256HashSize; 3589 case SHA384: return SHA384HashSize; 3590 default: 3591 case SHA512: return SHA512HashSize; 3592 } 3593 } 3595 /* 3596 * USHAHashSizeBits 3597 * 3598 * Description: 3599 * This function will return the hashsize for the given SHA 3600 * algorithm, expressed in bits. 3601 * 3602 * Parameters: 3603 * whichSha: 3604 * which SHA algorithm to query 3605 * 3606 * Returns: 3607 * hash size in bits 3608 * 3609 */ 3610 int USHAHashSizeBits(enum SHAversion whichSha) 3611 { 3612 switch (whichSha) { 3613 case SHA1: return SHA1HashSizeBits; 3614 case SHA224: return SHA224HashSizeBits; 3615 case SHA256: return SHA256HashSizeBits; 3616 case SHA384: return SHA384HashSizeBits; 3617 default: 3618 case SHA512: return SHA512HashSizeBits; 3619 } 3620 } 3622 /* 3623 * USHAHashName 3624 * 3625 * Description: 3626 * This function will return the name of the given SHA algorithm 3627 * as a string. 3628 * 3629 * Parameters: 3630 * whichSha: 3631 * which SHA algorithm to query 3632 * 3633 * Returns: 3634 * character string with the name in it 3635 * 3636 */ 3637 const char *USHAHashName(enum SHAversion whichSha) 3638 { 3639 switch (whichSha) { 3640 case SHA1: return "SHA1"; 3641 case SHA224: return "SHA224"; 3642 case SHA256: return "SHA256"; 3643 case SHA384: return "SHA384"; 3644 default: 3645 case SHA512: return "SHA512"; 3646 } 3647 } 3649 8.3 The HMAC Code 3651 /**************************** hmac.c ***************************/ 3652 /***************** See RFC NNNN for details. *******************/ 3653 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3654 /* authors of the code. All rights reserved. */ 3655 /* See sha.h for terms of use and redistribution. */ 3657 /* 3658 * Description: 3659 * This file implements the HMAC algorithm (Keyed-Hashing for 3660 * Message Authentication, [RFC 2104]), expressed in terms of 3661 * the various SHA algorithms. 3662 */ 3664 #include "sha.h" 3666 /* 3667 * hmac 3668 * 3669 * Description: 3670 * This function will compute an HMAC message digest. 3671 * 3672 * Parameters: 3673 * whichSha: [in] 3674 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3675 * message_array[ ]: [in] 3676 * An array of octets representing the message. 3678 * Note: in RFC 2104, this parameter is known 3679 * as 'text'. 3680 * length: [in] 3681 * The length of the message in message_array. 3682 * key[ ]: [in] 3683 * The secret shared key. 3684 * key_len: [in] 3685 * The length of the secret shared key. 3686 * digest[ ]: [out] 3687 * Where the digest is to be returned. 3688 * NOTE: The length of the digest is determined by 3689 * the value of whichSha. 3690 * 3691 * Returns: 3692 * sha Error Code. 3693 * 3694 */ 3695 int hmac(SHAversion whichSha, 3696 const unsigned char *message_array, int length, 3697 const unsigned char *key, int key_len, 3698 uint8_t digest[USHAMaxHashSize]) 3699 { 3700 HMACContext context; 3701 return hmacReset(&context, whichSha, key, key_len) || 3702 hmacInput(&context, message_array, length) || 3703 hmacResult(&context, digest); 3704 } 3706 /* 3707 * hmacReset 3708 * 3709 * Description: 3710 * This function will initialize the hmacContext in preparation 3711 * for computing a new HMAC message digest. 3712 * 3713 * Parameters: 3714 * context: [in/out] 3715 * The context to reset. 3716 * whichSha: [in] 3717 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3718 * key[ ]: [in] 3719 * The secret shared key. 3720 * key_len: [in] 3721 * The length of the secret shared key. 3722 * 3723 * Returns: 3724 * sha Error Code. 3725 * 3726 */ 3727 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3728 const unsigned char *key, int key_len) 3729 { 3730 int i, blocksize, hashsize, ret; 3732 /* inner padding - key XORd with ipad */ 3733 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3735 /* temporary buffer when keylen > blocksize */ 3736 unsigned char tempkey[USHAMaxHashSize]; 3738 if (!context) return shaNull; 3739 context->Computed = 0; 3740 context->Corrupted = shaSuccess; 3742 blocksize = context->blockSize = USHABlockSize(whichSha); 3743 hashsize = context->hashSize = USHAHashSize(whichSha); 3745 context->whichSha = whichSha; 3747 /* 3748 * If key is longer than the hash blocksize, 3749 * reset it to key = HASH(key). 3750 */ 3751 if (key_len > blocksize) { 3752 USHAContext tcontext; 3753 int err = USHAReset(&tcontext, whichSha) || 3754 USHAInput(&tcontext, key, key_len) || 3755 USHAResult(&tcontext, tempkey); 3756 if (err != shaSuccess) return err; 3758 key = tempkey; 3759 key_len = hashsize; 3760 } 3762 /* 3763 * The HMAC transform looks like: 3764 * 3765 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3766 * 3767 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3768 * ipad is the byte 0x36 repeated blocksize times, 3769 * opad is the byte 0x5c repeated blocksize times, 3770 * and text is the data being protected. 3771 */ 3773 /* store key into the pads, XOR'd with ipad and opad values */ 3774 for (i = 0; i < key_len; i++) { 3775 k_ipad[i] = key[i] ^ 0x36; 3776 context->k_opad[i] = key[i] ^ 0x5c; 3777 } 3778 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3779 for ( ; i < blocksize; i++) { 3780 k_ipad[i] = 0x36; 3781 context->k_opad[i] = 0x5c; 3782 } 3784 /* perform inner hash */ 3785 /* init context for 1st pass */ 3786 ret = USHAReset(&context->shaContext, whichSha) || 3787 /* and start with inner pad */ 3788 USHAInput(&context->shaContext, k_ipad, blocksize); 3789 return context->Corrupted = ret; 3790 } 3792 /* 3793 * hmacInput 3794 * 3795 * Description: 3796 * This function accepts an array of octets as the next portion 3797 * of the message. It may be called multiple times. 3798 * 3799 * Parameters: 3800 * context: [in/out] 3801 * The HMAC context to update 3802 * text[ ]: [in] 3803 * An array of octets representing the next portion of 3804 * the message. 3805 * text_len: [in] 3806 * The length of the message in text 3807 * 3808 * Returns: 3809 * sha Error Code. 3810 * 3811 */ 3812 int hmacInput(HMACContext *context, const unsigned char *text, 3813 int text_len) 3814 { 3815 if (!context) return shaNull; 3816 if (context->Corrupted) return context->Corrupted; 3817 if (context->Computed) return context->Corrupted = shaStateError; 3818 /* then text of datagram */ 3819 return context->Corrupted = 3820 USHAInput(&context->shaContext, text, text_len); 3821 } 3823 /* 3824 * hmacFinalBits 3825 * 3826 * Description: 3827 * This function will add in any final bits of the message. 3829 * 3830 * Parameters: 3831 * context: [in/out] 3832 * The HMAC context to update 3833 * message_bits: [in] 3834 * The final bits of the message, in the upper portion of the 3835 * byte. (Use 0b###00000 instead of 0b00000### to input the 3836 * three bits ###.) 3837 * length: [in] 3838 * The number of bits in message_bits, between 1 and 7. 3839 * 3840 * Returns: 3841 * sha Error Code. 3842 */ 3843 int hmacFinalBits(HMACContext *context, 3844 uint8_t bits, unsigned int bit_count) 3845 { 3846 if (!context) return shaNull; 3847 if (context->Corrupted) return context->Corrupted; 3848 if (context->Computed) return context->Corrupted = shaStateError; 3849 /* then final bits of datagram */ 3850 return context->Corrupted = 3851 USHAFinalBits(&context->shaContext, bits, bit_count); 3852 } 3854 /* 3855 * hmacResult 3856 * 3857 * Description: 3858 * This function will return the N-byte message digest into the 3859 * Message_Digest array provided by the caller. 3860 * 3861 * Parameters: 3862 * context: [in/out] 3863 * The context to use to calculate the HMAC hash. 3864 * digest[ ]: [out] 3865 * Where the digest is returned. 3866 * NOTE 2: The length of the hash is determined by the value of 3867 * whichSha that was passed to hmacReset(). 3868 * 3869 * Returns: 3870 * sha Error Code. 3871 * 3872 */ 3873 int hmacResult(HMACContext *context, uint8_t *digest) 3874 { 3875 int ret; 3876 if (!context) return shaNull; 3877 if (context->Corrupted) return context->Corrupted; 3878 if (context->Computed) return context->Corrupted = shaStateError; 3879 /* finish up 1st pass */ 3880 /* (Use digest here as a temporary buffer.) */ 3881 ret = 3882 USHAResult(&context->shaContext, digest) || 3884 /* perform outer SHA */ 3885 /* init context for 2nd pass */ 3886 USHAReset(&context->shaContext, context->whichSha) || 3888 /* start with outer pad */ 3889 USHAInput(&context->shaContext, context->k_opad, 3890 context->blockSize) || 3892 /* then results of 1st hash */ 3893 USHAInput(&context->shaContext, digest, context->hashSize) || 3895 /* finish up 2nd pass */ 3896 USHAResult(&context->shaContext, digest); 3898 context->Computed = 1; 3899 return context->Corrupted = ret; 3900 } 3902 8.4 The HKDF Code 3904 /**************************** hkdf.c ***************************/ 3905 /***************** See RFC NNNN for details. *******************/ 3906 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3907 /* authors of the code. All rights reserved. */ 3908 /* See sha.h for terms of use and redistribution. */ 3910 /* 3911 * Description: 3912 * This file implements the HKDF algorithm (HMAC-based 3913 * Extract-and-Expand Key Derivation Function, RFC 5869), 3914 * expressed in terms of the various SHA algorithms. 3915 */ 3917 #include "sha.h" 3918 #include 3919 #include 3921 /* 3922 * hkdf 3923 * 3924 * Description: 3925 * This function will generate keying material using HKDF. 3926 * 3927 * Parameters: 3928 * whichSha: [in] 3929 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3930 * salt[ ]: [in] 3931 * The optional salt value (a non-secret random value); 3932 * if not provided (salt == NULL), it is set internally 3933 * to a string of HashLen(whichSha) zeros. 3934 * salt_len: [in] 3935 * The length of the salt value. (Ignored if salt == NULL.) 3936 * ikm[ ]: [in] 3937 * Input keying material. 3938 * ikm_len: [in] 3939 * The length of the input keying material. 3940 * info[ ]: [in] 3941 * The optional context and application specific information. 3942 * If info == NULL or a zero-length string, it is ignored. 3943 * info_len: [in] 3944 * The length of the optional context and application specific 3945 * information. (Ignored if info == NULL.) 3946 * okm[ ]: [out] 3947 * Where the HKDF is to be stored. 3948 * okm_len: [in] 3949 * The length of the buffer to hold okm. 3950 * okm_len must be <= 255 * USHABlockSize(whichSha) 3951 * 3952 * Notes: 3953 * Calls hkdfExtract() and hkdfExpand(). 3954 * 3955 * Returns: 3956 * sha Error Code. 3957 * 3958 */ 3959 int hkdf(SHAversion whichSha, 3960 const unsigned char *salt, int salt_len, 3961 const unsigned char *ikm, int ikm_len, 3962 const unsigned char *info, int info_len, 3963 uint8_t okm[ ], int okm_len) 3964 { 3965 uint8_t prk[USHAMaxHashSize]; 3966 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 3967 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 3968 info_len, okm, okm_len); 3969 } 3971 /* 3972 * hkdfExtract 3973 * 3974 * Description: 3975 * This function will perform HKDF extraction. 3976 * 3977 * Parameters: 3978 * whichSha: [in] 3979 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3980 * salt[ ]: [in] 3981 * The optional salt value (a non-secret random value); 3982 * if not provided (salt == NULL), it is set internally 3983 * to a string of HashLen(whichSha) zeros. 3984 * salt_len: [in] 3985 * The length of the salt value. (Ignored if salt == NULL.) 3986 * ikm[ ]: [in] 3987 * Input keying material. 3988 * ikm_len: [in] 3989 * The length of the input keying material. 3990 * prk[ ]: [out] 3991 * Array where the HKDF extraction is to be stored. 3992 * Must be larger than USHAHashSize(whichSha); 3993 * 3994 * Returns: 3995 * sha Error Code. 3996 * 3997 */ 3998 int hkdfExtract(SHAversion whichSha, 3999 const unsigned char *salt, int salt_len, 4000 const unsigned char *ikm, int ikm_len, 4001 uint8_t prk[USHAMaxHashSize]) 4002 { 4003 unsigned char nullSalt[USHAMaxHashSize]; 4004 if (salt == 0) { 4005 salt = nullSalt; 4006 salt_len = USHAHashSize(whichSha); 4007 memset(nullSalt, '\0', salt_len); 4008 } else if (salt_len < 0) { 4009 return shaBadParam; 4010 } 4011 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4012 } 4014 /* 4015 * hkdfExpand 4016 * 4017 * Description: 4018 * This function will perform HKDF expansion. 4019 * 4020 * Parameters: 4021 * whichSha: [in] 4022 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4023 * prk[ ]: [in] 4024 * The pseudorandom key to be expanded; either obtained 4025 * directly from a cryptographically strong, uniformly 4026 * distributed pseudorandom number generator, or as the 4027 * output from hkdfExtract(). 4028 * prk_len: [in] 4029 * The length of the pseudorandom key in prk; 4030 * should at least be equal to USHAHashSize(whichSHA). 4031 * info[ ]: [in] 4032 * The optional context and application specific information. 4033 * If info == NULL or a zero-length string, it is ignored. 4034 * info_len: [in] 4035 * The length of the optional context and application specific 4036 * information. (Ignored if info == NULL.) 4037 * okm[ ]: [out] 4038 * Where the HKDF is to be stored. 4039 * okm_len: [in] 4040 * The length of the buffer to hold okm. 4041 * okm_len must be <= 255 * USHABlockSize(whichSha) 4042 * 4043 * Returns: 4044 * sha Error Code. 4045 * 4046 */ 4047 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4048 const unsigned char *info, int info_len, 4049 uint8_t okm[ ], int okm_len) 4050 { 4051 int hash_len, N; 4052 unsigned char T[USHAMaxHashSize]; 4053 int Tlen, where, i; 4055 if (info == 0) { 4056 info = (const unsigned char *)""; 4057 info_len = 0; 4058 } else if (info_len < 0) { 4059 return shaBadParam; 4060 } 4061 if (okm_len <= 0) return shaBadParam; 4062 if (!okm) return shaBadParam; 4064 hash_len = USHAHashSize(whichSha); 4065 if (prk_len < hash_len) return shaBadParam; 4066 N = okm_len / hash_len; 4067 if ((okm_len % hash_len) != 0) N++; 4068 if (N > 255) return shaBadParam; 4070 Tlen = 0; 4071 where = 0; 4072 for (i = 1; i <= N; i++) { 4073 HMACContext context; 4074 unsigned char c = i; 4075 int ret = hmacReset(&context, whichSha, prk, prk_len) || 4076 hmacInput(&context, T, Tlen) || 4077 hmacInput(&context, info, info_len) || 4078 hmacInput(&context, &c, 1) || 4079 hmacResult(&context, T); 4080 if (ret != shaSuccess) return ret; 4081 memcpy(okm + where, T, 4082 (i != N) ? hash_len : (okm_len - where)); 4083 where += hash_len; 4084 Tlen = hash_len; 4085 } 4086 return shaSuccess; 4087 } 4089 /* 4090 * hkdfReset 4091 * 4092 * Description: 4093 * This function will initialize the hkdfContext in preparation 4094 * for key derivation using the modular HKDF interface for 4095 * arbitrary length inputs. 4096 * 4097 * Parameters: 4098 * context: [in/out] 4099 * The context to reset. 4100 * whichSha: [in] 4101 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4102 * salt[ ]: [in] 4103 * The optional salt value (a non-secret random value); 4104 * if not provided (salt == NULL), it is set internally 4105 * to a string of HashLen(whichSha) zeros. 4106 * salt_len: [in] 4107 * The length of the salt value. (Ignored if salt == NULL.) 4108 * 4109 * Returns: 4110 * sha Error Code. 4111 * 4112 */ 4113 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4114 const unsigned char *salt, int salt_len) 4115 { 4116 unsigned char nullSalt[USHAMaxHashSize]; 4117 if (!context) return shaNull; 4119 context->whichSha = whichSha; 4120 context->hashSize = USHAHashSize(whichSha); 4121 if (salt == 0) { 4122 salt = nullSalt; 4123 salt_len = context->hashSize; 4124 memset(nullSalt, '\0', salt_len); 4125 } 4126 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4127 } 4129 /* 4130 * hkdfInput 4131 * 4132 * Description: 4133 * This function accepts an array of octets as the next portion 4134 * of the input keying material. It may be called multiple times. 4135 * 4136 * Parameters: 4137 * context: [in/out] 4138 * The HKDF context to update. 4139 * ikm[ ]: [in] 4140 * An array of octets representing the next portion of 4141 * the input keying material. 4142 * ikm_len: [in] 4143 * The length of ikm. 4144 * 4145 * Returns: 4146 * sha Error Code. 4147 * 4148 */ 4149 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4150 int ikm_len) 4151 { 4152 if (!context) return shaNull; 4153 if (context->Corrupted) return context->Corrupted; 4154 if (context->Computed) return context->Corrupted = shaStateError; 4155 return hmacInput(&context->hmacContext, ikm, ikm_len); 4156 } 4158 /* 4159 * hkdfFinalBits 4160 * 4161 * Description: 4162 * This function will add in any final bits of the 4163 * input keying material. 4164 * 4165 * Parameters: 4166 * context: [in/out] 4167 * The HKDF context to update 4168 * ikm_bits: [in] 4169 * The final bits of the input keying material, in the upper 4170 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4171 * to input the three bits ###.) 4172 * ikm_bit_count: [in] 4173 * The number of bits in message_bits, between 1 and 7. 4174 * 4175 * Returns: 4177 * sha Error Code. 4178 */ 4179 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4180 unsigned int ikm_bit_count) 4181 { 4182 if (!context) return shaNull; 4183 if (context->Corrupted) return context->Corrupted; 4184 if (context->Computed) return context->Corrupted = shaStateError; 4185 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4186 } 4188 /* 4189 * hkdfResult 4190 * 4191 * Description: 4192 * This function will finish the HKDF extraction and perform the 4193 * final HKDF expansion. 4194 * 4195 * Parameters: 4196 * context: [in/out] 4197 * The HKDF context to use to calculate the HKDF hash. 4198 * prk[ ]: [out] 4199 * An optional location to store the HKDF extraction. 4200 * Either NULL, or pointer to a buffer that must be 4201 * larger than USHAHashSize(whichSha); 4202 * info[ ]: [in] 4203 * The optional context and application specific information. 4204 * If info == NULL or a zero-length string, it is ignored. 4205 * info_len: [in] 4206 * The length of the optional context and application specific 4207 * information. (Ignored if info == NULL.) 4208 * okm[ ]: [out] 4209 * Where the HKDF is to be stored. 4210 * okm_len: [in] 4211 * The length of the buffer to hold okm. 4212 * okm_len must be <= 255 * USHABlockSize(whichSha) 4213 * 4214 * Returns: 4215 * sha Error Code. 4216 * 4217 */ 4218 int hkdfResult(HKDFContext *context, 4219 uint8_t prk[USHAMaxHashSize], 4220 const unsigned char *info, int info_len, 4221 uint8_t okm[ ], int okm_len) 4222 { 4223 uint8_t prkbuf[USHAMaxHashSize]; 4224 int ret; 4226 if (!context) return shaNull; 4227 if (context->Corrupted) return context->Corrupted; 4228 if (context->Computed) return context->Corrupted = shaStateError; 4229 if (!okm) return context->Corrupted = shaBadParam; 4230 if (!prk) prk = prkbuf; 4232 ret = hmacResult(&context->hmacContext, prk) || 4233 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4234 info_len, okm, okm_len); 4235 context->Computed = 1; 4236 return context->Corrupted = ret; 4237 } 4239 8.5 The Test Driver 4241 The following code is a main program test driver to exercise the code 4242 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4243 driver can also be used as a standalone program for generating the 4244 hashes. 4246 See also [SHAVS]. 4248 /************************** shatest.c **************************/ 4249 /***************** See RFC NNNN for details. *******************/ 4250 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4251 /* authors of the code. All rights reserved. */ 4252 /* See sha.h for terms of use and redistribution. */ 4254 /* 4255 * Description: 4256 * This file will exercise the SHA code performing 4257 * the three tests documented in FIPS PUB 180-3 4258 * (http://csrc.nist.gov/publications/fips/ 4259 * fips180-2/fips180-2withchangenotice.pdf) 4260 * one that calls SHAInput with an exact multiple of 512 bits 4261 * the seven tests documented for each algorithm in 4262 * "The Secure Hash Algorithm Validation System (SHAVS)" 4263 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4264 * three of which are bit-level tests 4265 * 4266 * These tests have subsequently been moved to pages linked from 4267 * http://csrc.nist.gov/groups/ST/toolkit/examples.html 4268 * 4269 * This file will exercise the HMAC SHA1 code performing 4270 * the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. 4271 * 4272 * This file will exercise the HKDF code performing 4273 * the seven tests documented in RFC 4869. 4274 * 4275 * To run the tests and just see PASSED/FAILED, use the -p option. 4276 * 4277 * Other options exercise: 4278 * hashing an arbitrary string 4279 * hashing a file's contents 4280 * a few error test checks 4281 * printing the results in raw format 4282 * 4283 * Portability Issues: 4284 * None. 4285 * 4286 */ 4288 #include 4289 #include 4290 #include 4291 #include 4292 #include 4293 #include /* defines getopt() and optarg */ 4294 #include "sha.h" 4296 static int scasecmp(const char *s1, const char *s2); 4298 /* 4299 * Define patterns for testing 4300 */ 4301 #define TEST1 "abc" 4302 #define TEST2_1 \ 4303 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4304 #define TEST2_2a \ 4305 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4306 #define TEST2_2b \ 4307 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4308 #define TEST2_2 TEST2_2a TEST2_2b 4309 #define TEST3 "a" /* times 1000000 */ 4310 #define TEST4a "01234567012345670123456701234567" 4311 #define TEST4b "01234567012345670123456701234567" 4312 /* an exact multiple of 512 bits */ 4313 #define TEST4 TEST4a TEST4b /* times 10 */ 4315 #define TEST7_1 \ 4316 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4317 #define TEST8_1 \ 4318 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4319 #define TEST9_1 \ 4320 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4321 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4322 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4323 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4324 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4326 #define TEST10_1 \ 4327 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4328 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4329 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4330 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4331 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4332 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4333 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4334 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4335 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4336 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4337 "\xcd\xbb\xfb" 4338 #define TEST7_224 \ 4339 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4340 #define TEST8_224 \ 4341 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4342 #define TEST9_224 \ 4343 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4344 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4345 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4346 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4347 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4348 #define TEST10_224 \ 4349 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4350 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4351 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4352 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4353 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4354 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4355 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4356 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4357 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4358 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4359 "\x87\x82\x73" 4360 #define TEST7_256 \ 4361 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4362 #define TEST8_256 \ 4363 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4364 #define TEST9_256 \ 4365 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4366 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4367 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4368 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4369 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4370 #define TEST10_256 \ 4371 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4372 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4373 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4374 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4375 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4376 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4377 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4378 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4379 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4380 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4381 "\x3d\x54\xd6" 4382 #define TEST7_384 \ 4383 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4384 #define TEST8_384 \ 4385 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4386 #define TEST9_384 \ 4387 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4388 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4389 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4390 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4391 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4392 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4393 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4394 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4395 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4396 #define TEST10_384 \ 4397 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4398 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4399 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4400 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4401 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4402 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4403 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4404 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4405 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4406 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4407 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4408 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4409 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4410 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4411 "\x7e\xd0\x96" 4412 #define TEST7_512 \ 4413 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4414 #define TEST8_512 \ 4415 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4416 #define TEST9_512 \ 4417 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4418 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4419 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4420 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4421 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4422 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4423 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4424 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4425 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4427 #define TEST10_512 \ 4428 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4429 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4430 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4431 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4432 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4433 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4434 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4435 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4436 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4437 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4438 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4439 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4440 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4441 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4442 "\xfb\x40\xd2" 4443 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4444 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4445 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4446 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4447 "\x27" 4448 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4449 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4450 "\x27\x9c\x1c\xb0\xa7" 4451 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4452 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4453 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4454 "\xa4\x84\xbe\x74\x53" 4455 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4456 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4457 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4458 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4459 "\x4b\x12\x27\x20\x39" 4461 #define TESTCOUNT 10 4462 #define HASHCOUNT 5 4463 #define RANDOMCOUNT 4 4464 #define HMACTESTCOUNT 7 4465 #define HKDFTESTCOUNT 7 4467 #define PRINTNONE 0 4468 #define PRINTTEXT 1 4469 #define PRINTRAW 2 4470 #define PRINTHEX 3 4471 #define PRINTBASE64 4 4473 #define PRINTPASSFAIL 1 4474 #define PRINTFAIL 2 4476 #define length(x) (sizeof(x)-1) 4477 /* Test arrays for hashes. */ 4478 struct hash { 4479 const char *name; 4480 SHAversion whichSha; 4481 int hashsize; 4482 struct { 4483 const char *testarray; 4484 int length; 4485 long repeatcount; 4486 int extrabits; 4487 int numberExtrabits; 4488 const char *resultarray; 4489 } tests[TESTCOUNT]; 4490 const char *randomtest; 4491 const char *randomresults[RANDOMCOUNT]; 4492 } hashes[HASHCOUNT] = { 4493 { "SHA1", SHA1, SHA1HashSize, 4494 { 4495 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4496 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4497 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4498 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4499 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4500 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4501 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4502 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4503 /* 5 */ { "", 0, 0, 0x98, 5, 4504 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4505 /* 6 */ { "\x5e", 1, 1, 0, 0, 4506 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4507 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4508 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4509 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4510 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4511 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4512 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4513 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4514 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4515 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4516 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4517 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4518 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4519 } }, 4520 { "SHA224", SHA224, SHA224HashSize, 4521 { 4522 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4523 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4524 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4525 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4526 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4527 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4528 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4529 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4530 /* 5 */ { "", 0, 0, 0x68, 5, 4531 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4532 /* 6 */ { "\x07", 1, 1, 0, 0, 4533 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4534 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4535 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4536 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4537 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4538 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4539 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4540 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4541 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4542 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4543 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4544 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4545 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4546 "709563FB916227FED598EB621F" 4547 } }, 4548 { "SHA256", SHA256, SHA256HashSize, 4549 { 4550 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4551 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4552 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4553 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4554 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4555 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4556 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4557 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4558 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4559 "09DB45E7823EB5079CE7A573A3760F95" }, 4560 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4561 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4562 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4563 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4564 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4565 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4566 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4567 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4568 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4569 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4570 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4571 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4572 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4573 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4574 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4575 } }, 4576 { "SHA384", SHA384, SHA384HashSize, 4577 { 4578 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4579 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4580 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4581 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4582 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4583 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4584 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4585 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4586 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4587 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4588 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4589 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4590 /* 5 */ { "", 0, 0, 0x10, 5, 4591 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4592 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4593 /* 6 */ { "\xb9", 1, 1, 0, 0, 4594 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4595 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4596 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4597 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4598 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4599 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4600 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4601 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4602 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4603 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4604 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4605 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4606 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4607 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4608 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4609 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4610 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4611 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4612 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4613 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4614 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4615 } }, 4616 { "SHA512", SHA512, SHA512HashSize, 4617 { 4618 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4619 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4620 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4621 "454D4423643CE80E2A9AC94FA54CA49F" }, 4622 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4623 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4624 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4625 "C7D329EEB6DD26545E96E55B874BE909" }, 4626 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4627 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4628 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4629 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4630 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4631 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4632 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4633 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4634 /* 5 */ { "", 0, 0, 0xB0, 5, 4635 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4636 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4637 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4638 /* 6 */ { "\xD0", 1, 1, 0, 0, 4639 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4640 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4641 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4642 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4643 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4644 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4645 "7359B43E64F8BEC3C1F237119986BBB6" }, 4646 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4647 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4648 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4649 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4650 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4651 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4652 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4653 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4654 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4655 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4656 "C1A16A270D48719377966B957A878E720584779A62825C18" 4657 "DA26415E49A7176A894E7510FD1451F5" } 4658 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4659 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4660 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4661 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4662 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4663 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4664 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4665 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4666 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4667 } 4668 } 4669 }; 4671 /* Test arrays for HMAC. */ 4672 struct hmachash { 4673 const char *keyarray[5]; 4674 int keylength[5]; 4675 const char *dataarray[5]; 4676 int datalength[5]; 4677 const char *resultarray[5]; 4678 int resultlength[5]; 4679 } hmachashes[HMACTESTCOUNT] = { 4680 { /* 1 */ { 4681 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4682 "\x0b\x0b\x0b\x0b\x0b" 4683 }, { 20 }, { 4684 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4685 }, { 8 }, { 4686 /* HMAC-SHA-1 */ 4687 "B617318655057264E28BC0B6FB378C8EF146BE00", 4688 /* HMAC-SHA-224 */ 4689 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4690 /* HMAC-SHA-256 */ 4691 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4692 "CFF7", 4693 /* HMAC-SHA-384 */ 4694 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4695 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4696 /* HMAC-SHA-512 */ 4697 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4698 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4699 "3A126854" 4700 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4701 SHA384HashSize, SHA512HashSize } 4702 }, 4703 { /* 2 */ { 4704 "\x4a\x65\x66\x65" /* "Jefe" */ 4705 }, { 4 }, { 4706 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4707 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4708 /* "what do ya want for nothing?" */ 4709 }, { 28 }, { 4710 /* HMAC-SHA-1 */ 4711 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4712 /* HMAC-SHA-224 */ 4713 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4714 /* HMAC-SHA-256 */ 4715 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4716 "3843", 4717 /* HMAC-SHA-384 */ 4718 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4719 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4720 /* HMAC-SHA-512 */ 4721 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4722 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4723 "38BCE737" 4724 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4725 SHA384HashSize, SHA512HashSize } 4726 }, 4727 { /* 3 */ 4728 { 4729 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4730 "\xaa\xaa\xaa\xaa\xaa" 4731 }, { 20 }, { 4732 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4733 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4734 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4735 "\xdd\xdd\xdd\xdd\xdd" 4736 }, { 50 }, { 4737 /* HMAC-SHA-1 */ 4738 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4739 /* HMAC-SHA-224 */ 4740 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4741 /* HMAC-SHA-256 */ 4742 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4743 "65FE", 4744 /* HMAC-SHA-384 */ 4745 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4746 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4747 /* HMAC-SHA-512 */ 4748 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4749 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4750 "E13292FB" 4751 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4752 SHA384HashSize, SHA512HashSize } 4753 }, 4754 { /* 4 */ { 4755 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4756 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4757 }, { 25 }, { 4758 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4759 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4760 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4761 "\xcd\xcd\xcd\xcd\xcd" 4762 }, { 50 }, { 4763 /* HMAC-SHA-1 */ 4764 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4765 /* HMAC-SHA-224 */ 4766 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4767 /* HMAC-SHA-256 */ 4768 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4769 "665B", 4770 /* HMAC-SHA-384 */ 4771 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4772 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4773 /* HMAC-SHA-512 */ 4774 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4775 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4776 "10A298DD" 4778 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4779 SHA384HashSize, SHA512HashSize } 4780 }, 4781 { /* 5 */ { 4782 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4783 "\x0c\x0c\x0c\x0c\x0c" 4784 }, { 20 }, { 4785 "Test With Truncation" 4786 }, { 20 }, { 4787 /* HMAC-SHA-1 */ 4788 "4C1A03424B55E07FE7F27BE1", 4789 /* HMAC-SHA-224 */ 4790 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4791 /* HMAC-SHA-256 */ 4792 "A3B6167473100EE06E0C796C2955552B", 4793 /* HMAC-SHA-384 */ 4794 "3ABF34C3503B2A23A46EFC619BAEF897", 4795 /* HMAC-SHA-512 */ 4796 "415FAD6271580A531D4179BC891D87A6" 4797 }, { 12, 16, 16, 16, 16 } 4798 }, 4799 { /* 6 */ { 4800 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4801 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4802 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4803 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4804 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4805 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4806 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4807 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4808 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4809 }, { 80, 131 }, { 4810 "Test Using Larger Than Block-Size Key - Hash Key First" 4811 }, { 54 }, { 4812 /* HMAC-SHA-1 */ 4813 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4814 /* HMAC-SHA-224 */ 4815 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4816 /* HMAC-SHA-256 */ 4817 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4818 "7F54", 4819 /* HMAC-SHA-384 */ 4820 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4821 "C4C60C2EF6AB4030FE8296248DF163F44952", 4822 /* HMAC-SHA-512 */ 4823 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4824 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4825 "5D786598" 4826 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4827 SHA384HashSize, SHA512HashSize } 4829 }, 4830 { /* 7 */ { 4831 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4832 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4833 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4834 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4835 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4836 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4837 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4838 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4839 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4840 }, { 80, 131 }, { 4841 "Test Using Larger Than Block-Size Key and " 4842 "Larger Than One Block-Size Data", 4843 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4844 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4845 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4846 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4847 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4848 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4849 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4850 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4851 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4852 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4853 "\x6d\x2e" 4854 /* "This is a test using a larger than block-size key and a " 4855 "larger than block-size data. The key needs to be hashed " 4856 "before being used by the HMAC algorithm." */ 4857 }, { 73, 152 }, { 4858 /* HMAC-SHA-1 */ 4859 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4860 /* HMAC-SHA-224 */ 4861 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4862 /* HMAC-SHA-256 */ 4863 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4864 "35E2", 4865 /* HMAC-SHA-384 */ 4866 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4867 "99C5A678CC31E799176D3860E6110C46523E", 4868 /* HMAC-SHA-512 */ 4869 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4870 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4871 "FA8C6A58" 4872 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4873 SHA384HashSize, SHA512HashSize } 4874 } 4875 }; 4877 /* Test arrays for HKDF. */ 4878 struct hkdfhash { 4879 SHAversion whichSha; 4880 int ikmlength; 4881 const char *ikmarray; 4882 int saltlength; 4883 const char *saltarray; 4884 int infolength; 4885 const char *infoarray; 4886 int prklength; 4887 const char *prkarray; 4888 int okmlength; 4889 const char *okmarray; 4890 } hkdfhashes[HKDFTESTCOUNT] = { 4891 { /* RFC 5869 A.1. Test Case 1 */ 4892 SHA256, 4893 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4894 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4895 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4896 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4897 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4898 "D7C2B3E5", 4899 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4900 "ECC4C5BF34007208D5B887185865" 4901 }, 4902 { /* RFC 5869 A.2. Test Case 2 */ 4903 SHA256, 4904 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4905 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4906 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4907 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4908 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4909 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4910 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4911 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4912 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4913 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4914 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4915 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4916 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4917 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4918 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4919 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4920 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4921 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4922 32, "06A6B88C5853361A06104C9CEB35B45C" 4923 "EF760014904671014A193F40C15FC244", 4924 82, "B11E398DC80327A1C8E7F78C596A4934" 4925 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4926 "59045A99CAC7827271CB41C65E590E09" 4927 "DA3275600C2F09B8367793A9ACA3DB71" 4928 "CC30C58179EC3E87C14C01D5C1F3434F" 4929 "1D87" 4930 }, 4931 { /* RFC 5869 A.3. Test Case 3 */ 4932 SHA256, 4933 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4934 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4935 0, "", 4936 0, "", 4937 32, "19EF24A32C717B167F33A91D6F648BDF" 4938 "96596776AFDB6377AC434C1C293CCB04", 4939 42, "8DA4E775A563C18F715F802A063C5A31" 4940 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4941 "9D201395FAA4B61A96C8" 4942 }, 4943 { /* RFC 5869 A.4. Test Case 4 */ 4944 SHA1, 4945 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4946 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4947 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4948 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4949 42, "085A01EA1B10F36933068B56EFA5AD81" 4950 "A4F14B822F5B091568A9CDD4F155FDA2" 4951 "C22E422478D305F3F896" 4952 }, 4953 { /* RFC 5869 A.5. Test Case 5 */ 4954 SHA1, 4955 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4956 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4957 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4958 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4959 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4960 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4961 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 4962 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 4963 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4964 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 4965 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 4966 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 4967 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 4968 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 4969 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 4970 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 4971 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 4972 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 4973 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 4974 82, "0BD770A74D1160F7C9F12CD5912A06EB" 4975 "FF6ADCAE899D92191FE4305673BA2FFE" 4976 "8FA3F1A4E5AD79F3F334B3B202B2173C" 4977 "486EA37CE3D397ED034C7F9DFEB15C5E" 4978 "927336D0441F4C4300E2CFF0D0900B52" 4979 "D3B4" 4980 }, 4981 { /* RFC 5869 A.6. Test Case 6 */ 4982 SHA1, 4983 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4984 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4985 0, "", 4986 0, "", 4987 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 4988 42, "0AC1AF7002B3D761D1E55298DA9D0506" 4989 "B9AE52057220A306E07B6B87E8DF21D0" 4990 "EA00033DE03984D34918" 4991 }, 4992 { /* RFC 5869 A.7. Test Case 7. */ 4993 SHA1, 4994 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4995 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 4996 0, 0, 4997 0, "", 4998 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 4999 42, "2C91117204D745F3500D636A62F64F0A" 5000 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5001 "673A081D70CCE7ACFC48" 5002 } 5003 }; 5005 /* 5006 * Check the hash value against the expected string, expressed in hex 5007 */ 5008 static const char hexdigits[ ] = "0123456789ABCDEF"; 5009 int checkmatch(const unsigned char *hashvalue, 5010 const char *hexstr, int hashsize) 5011 { 5012 int i; 5013 for (i = 0; i < hashsize; ++i) { 5014 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5015 return 0; 5016 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5017 } 5018 return 1; 5019 } 5021 /* 5022 * Print the string, converting non-printable characters to "." 5023 */ 5024 void printstr(const char *str, int len) 5025 { 5026 for ( ; len-- > 0; str++) 5027 putchar(isprint((unsigned char)*str) ? *str : '.'); 5028 } 5029 /* 5030 * Print the string, converting all characters to hex "## ". 5031 */ 5032 void printxstr(const char *str, int len) 5033 { 5034 char *sep = ""; 5035 for ( ; len-- > 0; str++) { 5036 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5037 hexdigits[*str & 0xF]); 5038 sep = " "; 5039 } 5040 } 5042 /* 5043 * Print a usage message. 5044 */ 5045 void usage(const char *argv0) 5046 { 5047 fprintf(stderr, 5048 "Usage:\n" 5049 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5050 "Hash a string:\n" 5051 "\t%s [-S expectedresult] -s hashstr [-k key] " 5052 "[-i info -L okm-len]\n" 5053 "Hash a file:\n" 5054 "\t%s [-S expectedresult] -f file [-k key] " 5055 "[-i info -L okm-len]\n" 5056 "Hash a file, ignoring whitespace:\n" 5057 "\t%s [-S expectedresult] -F file [-k key] " 5058 "[-i info -L okm-len]\n" 5059 "Additional bits to add in: [-B bitcount -b bits]\n" 5060 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5061 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5062 " Otherwise, run SHA###.)\n" 5063 "Standard tests:\n" 5064 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5065 "\t\t[-r randomseed] [-R randomloop-count] " 5066 "[-p] [-P|-X]\n" 5067 "-h\thash to test: " 5068 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5069 "-m\tperform hmac standard tests\n" 5070 "-k\tkey for hmac test\n" 5071 "-d\tperform hkdf standard tests\n" 5072 "-t\ttest case to run, 1-10\n" 5073 "-l\thow many times to run the test\n" 5074 "-e\ttest error returns\n" 5075 "-p\tdo not print results\n" 5076 "-P\tdo not print PASSED/FAILED\n" 5077 "-X\tprint FAILED, but not PASSED\n" 5078 "-r\tseed for random test\n" 5079 "-R\thow many times to run random test\n" 5080 "-s\tstring to hash\n" 5081 "-S\texpected result of hashed string, in hex\n" 5082 "-w\toutput hash in raw format\n" 5083 "-x\toutput hash in hex format\n" 5084 "-6\toutput hash in base64 format\n" 5085 "-B\t# extra bits to add in after string or file input\n" 5086 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5087 "-H\tinput hashstr or randomseed is in hex\n" 5088 , argv0, argv0, argv0, argv0); 5089 exit(1); 5090 } 5092 /* 5093 * Print the results and PASS/FAIL. 5094 */ 5095 void printResult(uint8_t *Message_Digest, int hashsize, 5096 const char *hashname, const char *testtype, const char *testname, 5097 const char *resultarray, int printResults, int printPassFail) 5098 { 5099 int i, k; 5100 if (printResults == PRINTTEXT) { 5101 printf("\nhashsize=%d\n", hashsize); 5102 putchar('\t'); 5103 for (i = 0; i < hashsize; ++i) { 5104 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5105 putchar(hexdigits[Message_Digest[i] & 0xF]); 5106 putchar(' '); 5107 } 5108 putchar('\n'); 5109 } else if (printResults == PRINTRAW) { 5110 fwrite(Message_Digest, 1, hashsize, stdout); 5111 } else if (printResults == PRINTHEX) { 5112 for (i = 0; i < hashsize; ++i) { 5113 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5114 putchar(hexdigits[Message_Digest[i] & 0xF]); 5115 } 5116 putchar('\n'); 5117 } else if (printResults == PRINTBASE64) { 5118 unsigned char b; 5119 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5120 "0123456789+/"; 5121 for (i = 0; i < hashsize; i += 3) { 5122 putchar(sm[Message_Digest[i] >> 2]); 5123 b = (Message_Digest[i] & 0x03) << 4; 5124 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5125 putchar(sm[b]); 5126 if (i+1 < hashsize) { 5127 b = (Message_Digest[i+1] & 0x0f) << 2; 5128 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5129 putchar(sm[b]); 5130 } else putchar('='); 5131 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5132 else putchar('='); 5133 } 5134 putchar('\n'); 5135 } 5137 if (printResults && resultarray) { 5138 printf(" Should match:\n\t"); 5139 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5140 putchar(resultarray[k]); 5141 putchar(resultarray[k+1]); 5142 putchar(' '); 5143 } 5144 putchar('\n'); 5145 } 5147 if (printPassFail && resultarray) { 5148 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5149 if ((printPassFail == PRINTPASSFAIL) || !ret) 5150 printf("%s %s %s: %s\n", hashname, testtype, testname, 5151 ret ? "PASSED" : "FAILED"); 5152 } 5153 } 5155 /* 5156 * Exercise a hash series of functions. The input is the testarray, 5157 * repeated repeatcount times, followed by the extrabits. If the 5158 * result is known, it is in resultarray in uppercase hex. 5159 */ 5160 int hash(int testno, int loopno, int hashno, 5161 const char *testarray, int length, long repeatcount, 5162 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5163 int keylen, const unsigned char *info, int infolen, int okmlen, 5164 const char *resultarray, int hashsize, int printResults, 5165 int printPassFail) 5166 { 5167 USHAContext sha; 5168 HMACContext hmac; 5169 HKDFContext hkdf; 5170 int err, i; 5171 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5172 uint8_t *Message_Digest = Message_Digest_Buf; 5173 char buf[20]; 5175 if (printResults == PRINTTEXT) { 5176 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5177 loopno, repeatcount); 5178 printstr(testarray, length); 5179 printf("'\n\t'"); 5180 printxstr(testarray, length); 5181 printf("'\n"); 5182 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5183 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5184 } 5186 if (info) Message_Digest = malloc(okmlen); 5187 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5188 memset(&hmac, '\343', sizeof(hmac)); 5189 memset(&hkdf, '\343', sizeof(hkdf)); 5190 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5191 keyarray, keylen) : 5192 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5193 keyarray, keylen) : 5194 USHAReset(&sha, hashes[hashno].whichSha); 5195 if (err != shaSuccess) { 5196 fprintf(stderr, "hash(): %sReset Error %d.\n", 5197 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5198 return err; 5199 } 5201 for (i = 0; i < repeatcount; ++i) { 5202 err = info ? hkdfInput(&hkdf, (const uint8_t *)testarray, length) : 5203 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5204 length) : 5205 USHAInput(&sha, (const uint8_t *) testarray, 5206 length); 5207 if (err != shaSuccess) { 5208 fprintf(stderr, "hash(): %sInput Error %d.\n", 5209 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5210 return err; 5211 } 5212 } 5214 if (numberExtrabits > 0) { 5215 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5216 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5217 numberExtrabits) : 5218 USHAFinalBits(&sha, (uint8_t) extrabits, 5219 numberExtrabits); 5220 if (err != shaSuccess) { 5221 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5222 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5223 return err; 5224 } 5225 } 5227 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5228 Message_Digest, okmlen) : 5230 keyarray ? hmacResult(&hmac, Message_Digest) : 5231 USHAResult(&sha, Message_Digest); 5232 if (err != shaSuccess) { 5233 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5234 "message digest.\n", 5235 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5236 return err; 5237 } 5239 sprintf(buf, "%d", testno+1); 5240 printResult(Message_Digest, info ? okmlen : hashsize, 5241 hashes[hashno].name, info ? "hkdf standard test" : 5242 keyarray ? "hmac standard test" : "sha standard test", buf, 5243 resultarray, printResults, printPassFail); 5245 return err; 5246 } 5248 /* 5249 * Exercise an HKDF series. The input is the testarray, 5250 * repeated repeatcount times, followed by the extrabits. If the 5251 * result is known, it is in resultarray in uppercase hex. 5252 */ 5253 int hashHkdf(int testno, int loopno, int hashno, 5254 int printResults, int printPassFail) 5255 { 5256 int err; 5257 unsigned char prk[USHAMaxHashSize+1]; 5258 uint8_t okm[255 * USHAMaxHashSize+1]; 5259 char buf[20]; 5261 if (printResults == PRINTTEXT) { 5262 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5263 printxstr(hkdfhashes[testno].saltarray, 5264 hkdfhashes[testno].saltlength); 5265 printf("'\n\tIKM\t'"); 5266 printxstr(hkdfhashes[testno].ikmarray, 5267 hkdfhashes[testno].ikmlength); 5268 printf("'\n\tINFO\t'"); 5269 printxstr(hkdfhashes[testno].infoarray, 5270 hkdfhashes[testno].infolength); 5271 printf("'\n"); 5272 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5273 } 5275 /* Run hkdf() against the test vectors */ 5276 err = hkdf(hkdfhashes[testno].whichSha, 5277 (const uint8_t *) hkdfhashes[testno].saltarray, 5278 hkdfhashes[testno].saltlength, 5279 (const uint8_t *) hkdfhashes[testno].ikmarray, 5280 hkdfhashes[testno].ikmlength, 5281 (const uint8_t *) hkdfhashes[testno].infoarray, 5282 hkdfhashes[testno].infolength, okm, 5283 hkdfhashes[testno].okmlength); 5284 if (err != shaSuccess) { 5285 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5286 return err; 5287 } 5288 sprintf(buf, "hkdf %d", testno+1); 5289 printResult(okm, hkdfhashes[testno].okmlength, 5290 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5291 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5293 /* Now run hkdfExtract() by itself against the test vectors */ 5294 /* to verify the intermediate results. */ 5295 err = hkdfExtract(hkdfhashes[testno].whichSha, 5296 (const uint8_t *) hkdfhashes[testno].saltarray, 5297 hkdfhashes[testno].saltlength, 5298 (const uint8_t *) hkdfhashes[testno].ikmarray, 5299 hkdfhashes[testno].ikmlength, prk); 5300 if (err != shaSuccess) { 5301 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5302 return err; 5303 } 5304 sprintf(buf, "hkdfExtract %d", testno+1); 5305 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5306 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5307 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5309 /* Now run hkdfExpand() by itself against the test vectors */ 5310 /* using the intermediate results from hkdfExtract. */ 5311 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5312 USHAHashSize(hkdfhashes[testno].whichSha), 5313 (const uint8_t *)hkdfhashes[testno].infoarray, 5314 hkdfhashes[testno].infolength, okm, hkdfhashes[testno].okmlength); 5315 if (err != shaSuccess) { 5316 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5317 return err; 5318 } 5319 sprintf(buf, "hkdfExpand %d", testno+1); 5320 printResult(okm, hkdfhashes[testno].okmlength, 5321 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5322 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5324 return err; 5325 } 5327 /* 5328 * Exercise a hash series of functions. The input is a filename. 5329 * If the result is known, it is in resultarray in uppercase hex. 5331 */ 5332 int hashfile(int hashno, const char *hashfilename, int bits, 5333 int bitcount, int skipSpaces, const unsigned char *keyarray, 5334 int keylen, const unsigned char *info, int infolen, int okmlen, 5335 const char *resultarray, int hashsize, 5336 int printResults, int printPassFail) 5337 { 5338 USHAContext sha; 5339 HMACContext hmac; 5340 HKDFContext hkdf; 5341 int err, nread, c; 5342 unsigned char buf[4096]; 5343 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5344 uint8_t *Message_Digest = Message_Digest_Buf; 5345 unsigned char cc; 5346 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5347 fopen(hashfilename, "r"); 5349 if (!hashfp) { 5350 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5351 return shaStateError; 5352 } 5354 if (info) Message_Digest = malloc(okmlen); 5355 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5356 memset(&hmac, '\343', sizeof(hmac)); 5357 memset(&hkdf, '\343', sizeof(hkdf)); 5358 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5359 keyarray, keylen) : 5360 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5361 keyarray, keylen) : 5362 USHAReset(&sha, hashes[hashno].whichSha); 5363 if (err != shaSuccess) { 5364 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5365 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5366 return err; 5367 } 5369 if (skipSpaces) 5370 while ((c = getc(hashfp)) != EOF) { 5371 if (!isspace(c)) { 5372 cc = (unsigned char)c; 5373 err = info ? hkdfInput(&hkdf, &cc, 1) : 5374 keyarray ? hmacInput(&hmac, &cc, 1) : 5375 USHAInput(&sha, &cc, 1); 5376 if (err != shaSuccess) { 5377 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5378 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5379 if (hashfp != stdin) fclose(hashfp); 5380 return err; 5382 } 5383 } 5384 } 5385 else 5386 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5387 err = info ? hkdfInput(&hkdf, buf, nread) : 5388 keyarray ? hmacInput(&hmac, buf, nread) : 5389 USHAInput(&sha, buf, nread); 5390 if (err != shaSuccess) { 5391 fprintf(stderr, "hashfile(): %s Error %d.\n", 5392 info ? "hkdf" : keyarray ? "hmacInput" : 5393 "shaInput", err); 5394 if (hashfp != stdin) fclose(hashfp); 5395 return err; 5396 } 5397 } 5399 if (bitcount > 0) 5400 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5401 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5402 USHAFinalBits(&sha, bits, bitcount); 5403 if (err != shaSuccess) { 5404 fprintf(stderr, "hashfile(): %s Error %d.\n", 5405 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5406 "shaFinalBits", err); 5407 if (hashfp != stdin) fclose(hashfp); 5408 return err; 5409 } 5411 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5412 Message_Digest, okmlen) : 5413 keyarray ? hmacResult(&hmac, Message_Digest) : 5414 USHAResult(&sha, Message_Digest); 5415 if (err != shaSuccess) { 5416 fprintf(stderr, "hashfile(): %s Error %d.\n", 5417 info ? "hkdf" : keyarray ? "hmacResult" : 5418 "shaResult", err); 5419 if (hashfp != stdin) fclose(hashfp); 5420 return err; 5421 } 5423 printResult(Message_Digest, info ? okmlen : hashsize, 5424 hashes[hashno].name, "file", hashfilename, resultarray, 5425 printResults, printPassFail); 5427 if (hashfp != stdin) fclose(hashfp); 5428 if (info) free(Message_Digest); 5429 return err; 5430 } 5431 /* 5432 * Exercise a hash series of functions through multiple permutations. 5433 * The input is an initial seed. That seed is replicated 3 times. 5434 * For 1000 rounds, the previous three results are used as the input. 5435 * This result is then checked, and used to seed the next cycle. 5436 * If the result is known, it is in resultarrays in uppercase hex. 5437 */ 5438 void randomtest(int hashno, const char *seed, int hashsize, 5439 const char **resultarrays, int randomcount, 5440 int printResults, int printPassFail) 5441 { 5442 int i, j; char buf[20]; 5443 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5445 /* INPUT: Seed - A random seed n bits long */ 5446 memcpy(SEED, seed, hashsize); 5447 if (printResults == PRINTTEXT) { 5448 printf("%s random test seed= '", hashes[hashno].name); 5449 printxstr(seed, hashsize); 5450 printf("'\n"); 5451 } 5453 for (j = 0; j < randomcount; j++) { 5454 /* MD0 = MD1 = MD2 = Seed; */ 5455 memcpy(MD[0], SEED, hashsize); 5456 memcpy(MD[1], SEED, hashsize); 5457 memcpy(MD[2], SEED, hashsize); 5458 for (i=3; i<1003; i++) { 5459 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5460 USHAContext Mi; 5461 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5462 USHAReset(&Mi, hashes[hashno].whichSha); 5463 USHAInput(&Mi, MD[i-3], hashsize); 5464 USHAInput(&Mi, MD[i-2], hashsize); 5465 USHAInput(&Mi, MD[i-1], hashsize); 5466 /* MDi = SHA(Mi); */ 5467 USHAResult(&Mi, MD[i]); 5468 } 5470 /* MDj = Seed = MDi; */ 5471 memcpy(SEED, MD[i-1], hashsize); 5473 /* OUTPUT: MDj */ 5474 sprintf(buf, "%d", j); 5475 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5476 buf, resultarrays ? resultarrays[j] : 0, printResults, 5477 (j < RANDOMCOUNT) ? printPassFail : 0); 5478 } 5479 } 5480 /* 5481 * Look up a hash name. 5482 */ 5483 int findhash(const char *argv0, const char *opt) 5484 { 5485 int i; 5486 const char *names[HASHCOUNT][2] = { 5487 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5488 { "3", "sha384" }, { "4", "sha512" } 5489 }; 5491 for (i = 0; i < HASHCOUNT; i++) 5492 if ((strcmp(opt, names[i][0]) == 0) || 5493 (scasecmp(opt, names[i][1]) == 0)) 5494 return i; 5496 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5497 usage(argv0); 5498 return 0; 5499 } 5501 /* 5502 * Run some tests that should invoke errors. 5503 */ 5504 void testErrors(int hashnolow, int hashnohigh, int printResults, 5505 int printPassFail) 5506 { 5507 USHAContext usha; 5508 uint8_t Message_Digest[USHAMaxHashSize]; 5509 int hashno, err; 5511 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5512 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5513 USHAReset(&usha, hashno); 5514 USHAResult(&usha, Message_Digest); 5515 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5516 if (printResults == PRINTTEXT) 5517 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5518 if ((printPassFail == PRINTPASSFAIL) || 5519 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5520 printf("%s se: %s\n", hashes[hashno].name, 5521 (err == shaStateError) ? "PASSED" : "FAILED"); 5523 err = USHAFinalBits(&usha, 0x80, 3); 5524 if (printResults == PRINTTEXT) 5525 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5526 if ((printPassFail == PRINTPASSFAIL) || 5527 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5528 printf("%s se: %s\n", hashes[hashno].name, 5529 (err == shaStateError) ? "PASSED" : "FAILED"); 5531 err = USHAReset(0, hashes[hashno].whichSha); 5532 if (printResults == PRINTTEXT) 5533 printf("\nError %d. Should be %d.\n", err, shaNull); 5534 if ((printPassFail == PRINTPASSFAIL) || 5535 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5536 printf("%s usha null: %s\n", hashes[hashno].name, 5537 (err == shaNull) ? "PASSED" : "FAILED"); 5539 switch (hashno) { 5540 case SHA1: err = SHA1Reset(0); break; 5541 case SHA224: err = SHA224Reset(0); break; 5542 case SHA256: err = SHA256Reset(0); break; 5543 case SHA384: err = SHA384Reset(0); break; 5544 case SHA512: err = SHA512Reset(0); break; 5545 } 5546 if (printResults == PRINTTEXT) 5547 printf("\nError %d. Should be %d.\n", err, shaNull); 5548 if ((printPassFail == PRINTPASSFAIL) || 5549 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5550 printf("%s sha null: %s\n", hashes[hashno].name, 5551 (err == shaNull) ? "PASSED" : "FAILED"); 5552 } 5553 } 5555 /* replace a hex string in place with its value */ 5556 int unhexStr(char *hexstr) 5557 { 5558 char *o = hexstr; 5559 int len = 0, nibble1 = 0, nibble2 = 0; 5560 if (!hexstr) return 0; 5561 for ( ; *hexstr; hexstr++) { 5562 if (isalpha((int)(unsigned char)(*hexstr))) { 5563 nibble1 = tolower(*hexstr) - 'a' + 10; 5564 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5565 nibble1 = *hexstr - '0'; 5566 } else { 5567 printf("\nError: bad hex character '%c'\n", *hexstr); 5568 } 5569 if (!*++hexstr) break; 5570 if (isalpha((int)(unsigned char)(*hexstr))) { 5571 nibble2 = tolower(*hexstr) - 'a' + 10; 5572 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5573 nibble2 = *hexstr - '0'; 5574 } else { 5575 printf("\nError: bad hex character '%c'\n", *hexstr); 5576 } 5577 *o++ = (char)((nibble1 << 4) | nibble2); 5578 len++; 5579 } 5580 return len; 5582 } 5584 int main(int argc, char **argv) 5585 { 5586 int i, err; 5587 int loopno, loopnohigh = 1; 5588 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5589 int testno, testnolow = 0, testnohigh; 5590 int ntestnohigh = 0; 5591 int printResults = PRINTTEXT; 5592 int printPassFail = 1; 5593 int checkErrors = 0; 5594 char *hashstr = 0; 5595 int hashlen = 0; 5596 const char *resultstr = 0; 5597 char *randomseedstr = 0; 5598 int runHmacTests = 0; 5599 int runHkdfTests = 0; 5600 char *hmacKey = 0; 5601 int hmaclen = 0; 5602 char *info = 0; 5603 int infolen = 0, okmlen = 0; 5604 int randomcount = RANDOMCOUNT; 5605 const char *hashfilename = 0; 5606 const char *hashFilename = 0; 5607 int extrabits = 0, numberExtrabits = 0; 5608 int strIsHex = 0; 5610 while ((i = getopt(argc, argv, 5611 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5612 switch (i) { 5613 case 'b': extrabits = strtol(optarg, 0, 0); break; 5614 case 'B': numberExtrabits = atoi(optarg); break; 5615 case 'd': runHkdfTests = 1; break; 5616 case 'e': checkErrors = 1; break; 5617 case 'f': hashfilename = optarg; break; 5618 case 'F': hashFilename = optarg; break; 5619 case 'h': hashnolow = hashnohigh = findhash(argv[0], optarg); 5620 break; 5621 case 'H': strIsHex = 1; break; 5622 case 'i': info = optarg; infolen = strlen(optarg); break; 5623 case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break; 5624 case 'l': loopnohigh = atoi(optarg); break; 5625 case 'L': okmlen = strtol(optarg, 0, 0); break; 5626 case 'm': runHmacTests = 1; break; 5627 case 'P': printPassFail = 0; break; 5628 case 'p': printResults = PRINTNONE; break; 5629 case 'R': randomcount = atoi(optarg); break; 5630 case 'r': randomseedstr = optarg; break; 5631 case 's': hashstr = optarg; hashlen = strlen(hashstr); break; 5632 case 'S': resultstr = optarg; break; 5633 case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break; 5634 case 'w': printResults = PRINTRAW; break; 5635 case 'x': printResults = PRINTHEX; break; 5636 case 'X': printPassFail = 2; break; 5637 case '6': printResults = PRINTBASE64; break; 5638 default: usage(argv[0]); 5639 } 5641 if (strIsHex) { 5642 hashlen = unhexStr(hashstr); 5643 unhexStr(randomseedstr); 5644 hmaclen = unhexStr(hmacKey); 5645 infolen = unhexStr(info); 5646 } 5647 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5648 runHmacTests ? (HMACTESTCOUNT-1) : 5649 runHkdfTests ? (HKDFTESTCOUNT-1) : 5650 (TESTCOUNT-1); 5651 if ((testnolow < 0) || 5652 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5653 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5654 (hashstr && (testnolow == testnohigh)) || 5655 (randomcount < 0) || 5656 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5657 ((runHmacTests || hmacKey) && randomseedstr) || 5658 (hashfilename && hashFilename) || 5659 (info && ((infolen <= 0) || (okmlen <= 0))) || 5660 (info && !hmacKey)) 5661 usage(argv[0]); 5663 /* 5664 * Perform SHA/HMAC tests 5665 */ 5666 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5667 if (printResults == PRINTTEXT) 5668 printf("Hash %s\n", hashes[hashno].name); 5669 err = shaSuccess; 5671 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5672 ++loopno) { 5673 if (hashstr) 5674 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5675 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5676 hmaclen, (const uint8_t *) info, infolen, okmlen, resultstr, 5677 hashes[hashno].hashsize, printResults, printPassFail); 5679 else if (randomseedstr) 5680 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5681 randomcount, printResults, printPassFail); 5683 else if (hashfilename) 5684 err = hashfile(hashno, hashfilename, extrabits, 5685 numberExtrabits, 0, 5686 (const unsigned char *)hmacKey, hmaclen, 5687 (const uint8_t *) info, infolen, okmlen, 5688 resultstr, hashes[hashno].hashsize, 5689 printResults, printPassFail); 5691 else if (hashFilename) 5692 err = hashfile(hashno, hashFilename, extrabits, 5693 numberExtrabits, 1, 5694 (const unsigned char *)hmacKey, hmaclen, 5695 (const uint8_t *) info, infolen, okmlen, 5696 resultstr, hashes[hashno].hashsize, 5697 printResults, printPassFail); 5699 else /* standard tests */ { 5700 for (testno = testnolow; 5701 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5702 if (runHmacTests) { 5703 err = hash(testno, loopno, hashno, 5704 hmachashes[testno].dataarray[hashno] ? 5705 hmachashes[testno].dataarray[hashno] : 5706 hmachashes[testno].dataarray[1] ? 5707 hmachashes[testno].dataarray[1] : 5708 hmachashes[testno].dataarray[0], 5709 hmachashes[testno].datalength[hashno] ? 5710 hmachashes[testno].datalength[hashno] : 5711 hmachashes[testno].datalength[1] ? 5712 hmachashes[testno].datalength[1] : 5713 hmachashes[testno].datalength[0], 5714 1, 0, 0, 5715 (const unsigned char *)( 5716 hmachashes[testno].keyarray[hashno] ? 5717 hmachashes[testno].keyarray[hashno] : 5718 hmachashes[testno].keyarray[1] ? 5719 hmachashes[testno].keyarray[1] : 5720 hmachashes[testno].keyarray[0]), 5721 hmachashes[testno].keylength[hashno] ? 5722 hmachashes[testno].keylength[hashno] : 5723 hmachashes[testno].keylength[1] ? 5724 hmachashes[testno].keylength[1] : 5725 hmachashes[testno].keylength[0], 5726 0, 0, 0, 5727 hmachashes[testno].resultarray[hashno], 5728 hmachashes[testno].resultlength[hashno], 5729 printResults, printPassFail); 5730 } else if (runHkdfTests) { 5731 err = hashHkdf(testno, loopno, hashno, 5732 printResults, printPassFail); 5734 } else { /* sha tests */ 5735 err = hash(testno, loopno, hashno, 5736 hashes[hashno].tests[testno].testarray, 5737 hashes[hashno].tests[testno].length, 5738 hashes[hashno].tests[testno].repeatcount, 5739 hashes[hashno].tests[testno].numberExtrabits, 5740 hashes[hashno].tests[testno].extrabits, 5741 0, 0, 0, 0, 0, 5742 hashes[hashno].tests[testno].resultarray, 5743 hashes[hashno].hashsize, 5744 printResults, printPassFail); 5745 } 5746 } 5747 if (!runHmacTests && !runHkdfTests) { 5748 randomtest(hashno, hashes[hashno].randomtest, 5749 hashes[hashno].hashsize, hashes[hashno].randomresults, 5750 RANDOMCOUNT, printResults, printPassFail); 5751 } 5752 } 5753 } 5754 } 5756 /* Test some error returns */ 5757 if (checkErrors) { 5758 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5759 } 5761 return 0; 5762 } 5764 /* 5765 * Compare two strings, case independently. 5766 * Equivalent to strcasecmp() found on some systems. 5767 */ 5768 int scasecmp(const char *s1, const char *s2) 5769 { 5770 for (;;) { 5771 char u1 = tolower(*s1++); 5772 char u2 = tolower(*s2++); 5773 if (u1 != u2) 5774 return u1 - u2; 5775 if (u1 == '\0') 5776 return 0; 5777 } 5778 } 5779 9. IANA Considerations 5781 This document requires no IANA Actions. The RFC Editor should delete 5782 this section before publication. 5784 10. Security Considerations 5786 This document is intended to provide convenient open source access by 5787 the Internet community to the United States of America Federal 5788 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5789 180-2], HMACs based thereon, and HKDF. No independent assertion of 5790 the security of these functions by the authors for any particular use 5791 is intended. 5793 11. Acknowledgements 5795 Thanks for the corrections to [RFC4634] that were provided by Alfred 5796 Hoenes and Jan Andres and to Alfred's comments on the drafts hereof. 5798 12. References 5800 RFC Editor Note: All occurances of "RFC NNNN" should be edited to 5801 replace "NNNN" with this documents RFC number and this note should be 5802 deleted. 5804 12.1 Normative References 5806 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5807 Hashing for Message Authentication", RFC 2104, February 1997. 5809 [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5810 Expand Key Derivation Function (HKDF)", RFC 5869, May 2010. 5812 [SHS] - "Secure Hash Standard", United States of American, National 5813 Institute of Science and Technology, Federal Information 5814 Processing Standard (FIPS) 180-3, 5815 http://csrc.nist.gov/publications/fips/fips180- 5816 3/fips180-3_final.pdf. 5818 12.2 Informative References 5820 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5821 (SHA1)", September 2001. 5823 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5824 September 2004. 5826 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5827 Algorithms and Identifiers for RSA Cryptography for use in the 5828 Internet X.509 Public Key Infrastructure Certificate and 5829 Certificate Revocation List (CRL) Profile", RFC 4055, June 5830 2005. 5832 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5833 Requirements for Security", May 2005. 5835 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5836 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5838 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5839 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5841 Appendix: Changes from RFC 4634 5843 The following changes were made to RFC 4634 to produce this document: 5845 1. Add code for HKDF and brief text about HKDF with pointer to 5846 [RFC5869]. 5848 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5849 no case did the old code return an incorrect hash value. 5851 2.a Correct some of the error return values which has erroneously 5852 been "shaNull" to the correct "shaInputTooLong" error. 5854 2.b Update comments and variable names within the code for 5855 consistency and clarity and other editorial changes. 5857 2.c The previous code for SHA-384 and SHA-512 would stop after 5858 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5859 bytes (2^128 bits). 5861 2.d Add additional error checking. 5863 3. Update boilerplate, remove special license in [RFC4634] as new 5864 boilerplate mandates simplified BSD license. 5866 4. Replace MIT version of getopt with new code to satisfy IETF 5867 incoming and outgoing license restrictions. 5869 5. Other assorted editorial improvements. 5871 Appendix Z: Edit History 5873 RFC Editor, Please delete this Appendix Z on publication. 5875 Z.1 Changes from -00 to -01 5877 Add hash function OIDs and informational reference to [RFC4055]. A 5878 few Editorial changes and typo fixes. 5880 Z.2 Changes from -01 to -02 5882 In shatest.c, replace MIT getopt (xgetopt) code with new code to 5883 avoid possible conflict between MIT license and IETF required BSD 5884 license. 5886 Z.3 Changes from -02 to -03 5888 Problem with MIT getopt is given incompletely in -01 to -02 changes. 5889 Actual problem includes conflict with IETF incoming license 5890 restriction. Also, add this change to Appendix giving changes from 5891 RFC 4634. Update to incorporate RFC number for the HKDF RFC. 5892 Numerous editorial changes. 5894 Z.4 Changes from -03 to -04 5896 Fix typos and nits. 5898 Author's Address 5900 Donald E. Eastlake, 3rd 5901 Stellar Switches 5902 155 Beaver Street 5903 Milford, MA 01757 USA 5905 Telephone: +1-508-333-2270 5906 EMail: d3e3e3@gmail.com 5908 Tony Hansen 5909 AT&T Laboratories 5910 200 Laurel Ave. 5911 Middletown, NJ 07748 USA 5913 Telephone: +1-732-420-8934 5914 EMail: tony+shs@maillennium.att.com 5916 Copyright, Disclaimer, and Additional IPR Provisions 5918 Copyright (c) 2010 IETF Trust and the persons identified as the 5919 document authors. All rights reserved. 5921 This document is subject to BCP 78 and the IETF Trust's Legal 5922 Provisions Relating to IETF Documents 5923 (http://trustee.ietf.org/license-info) in effect on the date of 5924 publication of this document. Please review these documents 5925 carefully, as they describe your rights and restrictions with respect 5926 to this document. Code Components extracted from this document must 5927 include Simplified BSD License text as described in Section 4.e of 5928 the Trust Legal Provisions and are provided without warranty as 5929 described in the BSD License. This Internet-Draft is submitted to 5930 IETF in full conformance with the provisions of BCP 78 and BCP 79.