idnits 2.17.00 (12 Aug 2021) /tmp/idnits29322/draft-eastlake-sha2b-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 749 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 20, 2010) is 4169 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5502, but not defined -- Looks like a reference, but probably isn't: '4' on line 3164 == Missing Reference: 'SHA1HashSize' is mentioned on line 1531, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1922, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2057, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2748, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2888, but not defined -- Looks like a reference, but probably isn't: '0' on line 5719 -- Looks like a reference, but probably isn't: '1' on line 5718 -- Looks like a reference, but probably isn't: '2' on line 5480 -- Looks like a reference, but probably isn't: '3' on line 3276 -- Looks like a reference, but probably isn't: '8' on line 3081 -- Looks like a reference, but probably isn't: '80' on line 3119 -- Looks like a reference, but probably isn't: '56' on line 2267 -- Looks like a reference, but probably isn't: '57' on line 2268 -- Looks like a reference, but probably isn't: '58' on line 2269 -- Looks like a reference, but probably isn't: '59' on line 2270 -- Looks like a reference, but probably isn't: '60' on line 2271 -- Looks like a reference, but probably isn't: '61' on line 2272 -- Looks like a reference, but probably isn't: '62' on line 2273 -- Looks like a reference, but probably isn't: '63' on line 2274 -- Looks like a reference, but probably isn't: '5' on line 4672 -- Looks like a reference, but probably isn't: '6' on line 3166 -- Looks like a reference, but probably isn't: '7' on line 3167 -- Looks like a reference, but probably isn't: '64' on line 2140 -- Looks like a reference, but probably isn't: '9' on line 3043 -- Looks like a reference, but probably isn't: '10' on line 3082 -- Looks like a reference, but probably isn't: '11' on line 3045 -- Looks like a reference, but probably isn't: '12' on line 3083 -- Looks like a reference, but probably isn't: '13' on line 3047 -- Looks like a reference, but probably isn't: '14' on line 3084 -- Looks like a reference, but probably isn't: '15' on line 3049 -- Looks like a reference, but probably isn't: '112' on line 3278 -- Looks like a reference, but probably isn't: '113' on line 3279 -- Looks like a reference, but probably isn't: '114' on line 3280 -- Looks like a reference, but probably isn't: '115' on line 3281 -- Looks like a reference, but probably isn't: '116' on line 3282 -- Looks like a reference, but probably isn't: '117' on line 3283 -- Looks like a reference, but probably isn't: '118' on line 3284 -- Looks like a reference, but probably isn't: '119' on line 3285 -- Looks like a reference, but probably isn't: '120' on line 3287 -- Looks like a reference, but probably isn't: '121' on line 3288 -- Looks like a reference, but probably isn't: '122' on line 3289 -- Looks like a reference, but probably isn't: '123' on line 3290 -- Looks like a reference, but probably isn't: '124' on line 3291 -- Looks like a reference, but probably isn't: '125' on line 3292 -- Looks like a reference, but probably isn't: '126' on line 3293 -- Looks like a reference, but probably isn't: '127' on line 3294 == Missing Reference: 'RFC 2104' is mentioned on line 3654, but not defined == Missing Reference: 'RFC 2202' is mentioned on line 4264, but not defined == Missing Reference: 'RFC 4231' is mentioned on line 4264, but not defined == Missing Reference: 'TESTCOUNT' is mentioned on line 4483, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4485, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5480, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4673, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4884, but not defined -- Looks like a reference, but probably isn't: '20' on line 5436 -- Looks like a reference, but probably isn't: '4096' on line 5336 -- Looks like a reference, but probably isn't: '1003' on line 5437 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 1 error (**), 0 flaws (~~), 16 warnings (==), 50 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 3rd 2 INTERNET-DRAFT Huawei 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: June 19, 2011 December 20, 2010 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 The United States of America has adopted a suite of secure hash 14 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 15 Information Processing Standard (FIPS), specifically SHA-224, 16 SHA-256, SHA-384, and SHA-512. This document makes open source code 17 performing the SHA hash functions conveniently available to the 18 Internet community. The sample code supports input strings of 19 arbitrary bit length. Much of the text herein was adapted by the 20 authors from FIPS 180-2. 22 This document replaces RFC 4634, fixing errata and adding code for an 23 HMAC-based extract-and-expand key derivation function, HKDF (RFC 24 5869). As with RFC 4634, code to perform SHA based HMACs is also 25 included. 27 Status of This Memo 29 This Internet-Draft is submitted to IETF in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Distribution of this document is unlimited. Comments should be sent 33 to the authors. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF), its areas, and its working groups. Note that 37 other groups may also distribute working documents as Internet- 38 Drafts. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 The list of current Internet-Drafts can be accessed at 46 http://www.ietf.org/1id-abstracts.html 48 The list of Internet-Draft Shadow Directories can be accessed at 49 http://www.ietf.org/shadow.html 51 Table of Contents 53 1. Overview of Contents....................................3 54 2. Notation for Bit Strings and Integers...................4 55 3. Operations on Words.....................................5 57 4. Message Padding and Parsing.............................7 58 4.1 SHA-224 and SHA-256....................................7 59 4.2 SHA-384 and SHA-512....................................8 61 5. Functions and Constants Used...........................10 62 5.1 SHA-224 and SHA-256...................................10 63 5.2 SHA-384 and SHA-512...................................11 65 6. Computing the Message Digest...........................12 66 6.1 SHA-224 and SHA-256 Initialization....................12 67 6.2 SHA-224 and SHA-256 Processing........................12 68 6.3 SHA-384 and SHA-512 Initialization....................14 69 6.4 SHA-384 and SHA-512 Processing........................15 71 7. HKDF and SHA Based HMACs...............................17 72 7.1 SHA-Based HMACs.......................................17 73 7.2 HKDF..................................................17 75 8. C Code for SHAs, HMAC, and HKDF........................18 76 8.1 The Header Files......................................21 77 8.1.1 The .h file.........................................21 78 8.1.2 sha-private.h.......................................29 79 8.2 The SHA Code..........................................29 80 8.2.1 sha1.c..............................................29 81 8.2.2 sha224-256.c........................................38 82 8.2.3 sha384-512.c........................................50 83 8.2.4 usha.c..............................................70 84 8.3 The HMAC Code.........................................76 85 8.4 The HKDF Code.........................................81 86 8.5 The Test Driver.......................................88 88 9. IANA Considerations...................................119 89 10. Security Considerations..............................119 90 11. Acknowledgements.....................................119 91 12. References...........................................120 92 12.1 Normative References................................120 93 12.2 Informative References..............................120 95 Appendix: Changes from RFC 4634..........................121 96 Appendix Z: RFC Editor Note, Edit History................122 98 1. Overview of Contents 100 This document includes specifications for the United States of 101 America (USA) Federal Information Processing Standard (FIPS) Secure 102 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 103 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 104 Specifications for HMAC and HKDF are not included as they appear 105 elsewhere in the RFC series [RFC2104] [RFC5869]. 107 NOTE: Much of the text below is taken from [SHS] and the assertions 108 of the security of the hash algorithms described therein are made by 109 the US Government, the author of [SHS], not by the authors of this 110 document. 112 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 113 SHA-256, SHA-384, and SHA-512, for computing a condensed 114 representation of a message or a data file. (SHA-1 is specified in 115 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 116 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 117 these algorithms, the result is an output called a message digest. 118 The message digests range in length from 224 to 512 bits, depending 119 on the algorithm. Secure hash algorithms are typically used with 120 other cryptographic algorithms, such as digital signature algorithms 121 and keyed hash authentication codes, the generation of random numbers 122 [RFC4086], or in key derivation functions. 124 The four algorithms specified in this document are called secure 125 because it is computationally infeasible to (1) find a message which 126 corresponds to a given message digest, or (2) to find two different 127 messages that produce the same message digest. Any change to a 128 message in transit will, with very high probability, result in a 129 different message digest. This will result in a verification failure 130 when the secure hash algorithm is used with a digital signature 131 algorithm or a keyed-hash message authentication algorithm. 133 The code provided herein supports input strings of arbitrary bit 134 length. SHA-1's sample code from [RFC3174] has also been updated to 135 handle input strings of arbitrary bit length. Permission is granted 136 for all uses, commercial and non-commercial, of this code. 138 This document obsoletes [RFC4634]; and the changes from that RFC are 139 summarized in the Appendix. 141 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 142 [RFC4055], are as follows: 144 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 145 identified-organization(3) oiw(14) 146 secsig(3) algorithms(2) 26 } 148 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 149 country(16) us(840) organization(1) gov(101) 150 csor(3) nistalgorithm(4) hashalgs(2) 4 } 151 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 152 country(16) us(840) organization(1) gov(101) 153 csor(3) nistalgorithm(4) hashalgs(2) 1 } 154 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 155 country(16) us(840) organization(1) gov(101) 156 csor(3) nistalgorithm(4) hashalgs(2) 2 } 157 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 158 country(16) us(840) organization(1) gov(101) 159 csor(3) nistalgorithm(4) hashalgs(2) 3 } 161 Section 2 below defines the terminology and functions used as 162 building blocks to form these algorithms. Section 3 describes the 163 fundamental operations on words from which these algorithms are 164 built. Section 4 describes how messages are padded up to an integral 165 multiple of the required block size and then parsed into blocks. 166 Section 5 defines the constants and the composite functions used to 167 specify the hash algorithms. Section 6 gives the actual specification 168 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 169 provides pointers to the specification of HMAC keyed message 170 authentication codes and to the specification of an extract-and- 171 expand key derivation function based on HMAC. 173 Section 8 gives sample code for the SHA algorithms, for SHA based 174 HMACs, and for HMAC-based extract-and-expand key derivation function. 176 2. Notation for Bit Strings and Integers 178 The following terminology related to bit strings and integers will be 179 used: 181 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 182 A hex digit is the representation of a 4-bit string. Examples: 183 7 = 0111, A = 1010. 185 b. A word equals a 32-bit or 64-bit string that may be represented 186 as a sequence of 8 or 16 hex digits, respectively. To convert a 187 word to hex digits, each 4-bit string is converted to its hex 188 equivalent as described in (a) above. Example: 190 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 192 Throughout this document, the "big-endian" convention is used 193 when expressing both 32-bit and 64-bit words, so that within 194 each word the most significant bit is shown in the leftmost bit 195 position. 197 c. An integer may be represented as a word or pair of words. 199 An integer between 0 and 2^32 - 1 inclusive may be represented 200 as a 32-bit word. The least significant four bits of the 201 integer are represented by the rightmost hex digit of the word 202 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 203 256+32+2+1 is represented by the hex word, 00000123. 205 The same holds true for an integer between 0 and 2^64-1 206 inclusive, which may be represented as a 64-bit word. 208 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 209 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 210 as words X and Y, respectively, z can be represented as the pair 211 of words (X,Y). 213 Again, the "big-endian" convention is used and the most 214 significant word is in the leftmost word position for values 215 represented by multiple-words. 217 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 218 represented as a sequence of 32-bit or 64-bit words. 220 3. Operations on Words 222 The following logical operators will be applied to words in all four 223 hash operations specified herein. SHA-224 and SHA-256 operate on 224 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 226 In the operations below, x<>n is obtained as follows: discard the rightmost n bits 230 of x and then prepend the result with n zeroed bits on the left (the 231 result will still be the same number of bits). 233 a. Bitwise logical word operations 235 X AND Y = bitwise logical "and" of X and Y. 237 X OR Y = bitwise logical "inclusive-or" of X and Y. 239 X XOR Y = bitwise logical "exclusive-or" of X and Y. 241 NOT X = bitwise logical "complement" of X. 243 Example: 244 01101100101110011101001001111011 245 XOR 01100101110000010110100110110111 246 -------------------------------- 247 = 00001001011110001011101111001100 249 b. The operation X + Y is defined as follows: words X and Y 250 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 251 < 2^w. For positive integers n and m, let 253 n mod m 255 be the remainder upon dividing n by m. Compute 257 z = (x + y) mod 2^w. 259 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 260 Y. 262 c. The right shift operation SHR^n(x), where x is a w-bit word and n 263 is an integer with 0 <= n < w, is defined by 265 SHR^n(x) = x>>n 267 d. The rotate right (circular right shift) operation ROTR^n(x), where 268 x is a w-bit word and n is an integer with 0 <= n < w, is 269 defined by 271 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 273 e. The rotate left (circular left shift) operation ROTL^n(x), where x 274 is a w-bit word and n is an integer with 0 <= n < w, is defined 275 by 277 ROTL^n(X) = (x<>w-n) 279 Note the following equivalence relationships, where w is fixed 280 in each relationship: 282 ROTL^n(x) = ROTR^(w-n)(x) 284 ROTR^n(x) = ROTL^(w-n)(x) 286 4. Message Padding and Parsing 288 The hash functions specified herein are used to compute a message 289 digest for a message or data file that is provided as input. The 290 message or data file should be considered to be a bit string. The 291 length of the message is the number of bits in the message (the empty 292 message has length 0). If the number of bits in a message is a 293 multiple of 8, for compactness we can represent the message in hex. 294 The purpose of message padding is to make the total length of a 295 padded message a multiple of 512 for SHA-224 and SHA-256 or a 296 multiple of 1024 for SHA-384 and SHA-512. 298 The following specifies how this padding shall be performed. As a 299 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 300 integer are appended to the end of the message to produce a padded 301 message of length 512*n or 1024*n. The appended integer is the 302 length of the original message. The padded message is then processed 303 by the hash function as n 512-bit or 1024-bit blocks. 305 4.1 SHA-224 and SHA-256 307 Suppose a message has length L < 2^64. Before it is input to the 308 hash function, the message is padded on the right as follows: 310 a. "1" is appended. Example: if the original message is "01010000", 311 this is padded to "010100001". 313 b. K "0"s are appended where K is the smallest, non-negative 314 solution to the equation 316 L + 1 + K = 448 (mod 512) 318 c. Then append the 64-bit block that is L in binary representation. 319 After appending this block, the length of the message will be a 320 multiple of 512 bits. 322 Example: Suppose the original message is the bit string 324 01100001 01100010 01100011 01100100 01100101 326 After step (a) this gives 328 01100001 01100010 01100011 01100100 01100101 1 330 Since L = 40, the number of bits in the above is 41 and K = 407 331 "0"s are appended, making the total now 448. This gives the 332 following in hex: 334 61626364 65800000 00000000 00000000 335 00000000 00000000 00000000 00000000 336 00000000 00000000 00000000 00000000 337 00000000 00000000 339 The 64-bit representation of L = 40 is hex 00000000 00000028. 340 Hence the final padded message is the following hex 342 61626364 65800000 00000000 00000000 343 00000000 00000000 00000000 00000000 344 00000000 00000000 00000000 00000000 345 00000000 00000000 00000000 00000028 347 4.2 SHA-384 and SHA-512 349 Suppose a message has length L < 2^128. Before it is input to the 350 hash function, the message is padded on the right as follows: 352 a. "1" is appended. Example: if the original message is "01010000", 353 this is padded to "010100001". 355 b. K "0"s are appended where K is the smallest, non-negative 356 solution to the equation 358 L + 1 + K = 896 (mod 1024) 360 c. Then append the 128-bit block that is L in binary representation. 361 After appending this block, the length of the message will be a 362 multiple of 1024 bits. 364 Example: Suppose the original message is the bit string 366 01100001 01100010 01100011 01100100 01100101 368 After step (a) this gives 370 01100001 01100010 01100011 01100100 01100101 1 372 Since L = 40, the number of bits in the above is 41 and K = 855 373 "0"s are appended, making the total now 896. This gives the 374 following in hex: 376 61626364 65800000 00000000 00000000 377 00000000 00000000 00000000 00000000 378 00000000 00000000 00000000 00000000 379 00000000 00000000 00000000 00000000 380 00000000 00000000 00000000 00000000 381 00000000 00000000 00000000 00000000 382 00000000 00000000 00000000 00000000 384 The 128-bit representation of L = 40 is hex 00000000 00000000 385 00000000 00000028. Hence the final padded message is the 386 following hex: 388 61626364 65800000 00000000 00000000 389 00000000 00000000 00000000 00000000 390 00000000 00000000 00000000 00000000 391 00000000 00000000 00000000 00000000 392 00000000 00000000 00000000 00000000 393 00000000 00000000 00000000 00000000 394 00000000 00000000 00000000 00000000 395 00000000 00000000 00000000 00000028 397 5. Functions and Constants Used 399 The following subsections give the six logical functions and the 400 table of constants used in each of the hash functions. 402 5.1 SHA-224 and SHA-256 404 SHA-224 and SHA-256 use six logical functions, where each function 405 operates on 32-bit words, which are represented as x, y, and z. The 406 result of each function is a new 32-bit word. 408 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 410 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 412 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 414 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 416 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 418 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 420 SHA-224 and SHA-256 use the same sequence of sixty-four constant 421 32-bit words, K0, K1, ..., K63. These words represent the first 422 thirty-two bits of the fractional parts of the cube roots of the 423 first sixty-four prime numbers. In hex, these constant words are as 424 follows (from left to right): 426 428a2f98 71374491 b5c0fbcf e9b5dba5 427 3956c25b 59f111f1 923f82a4 ab1c5ed5 428 d807aa98 12835b01 243185be 550c7dc3 429 72be5d74 80deb1fe 9bdc06a7 c19bf174 430 e49b69c1 efbe4786 0fc19dc6 240ca1cc 431 2de92c6f 4a7484aa 5cb0a9dc 76f988da 432 983e5152 a831c66d b00327c8 bf597fc7 433 c6e00bf3 d5a79147 06ca6351 14292967 434 27b70a85 2e1b2138 4d2c6dfc 53380d13 435 650a7354 766a0abb 81c2c92e 92722c85 436 a2bfe8a1 a81a664b c24b8b70 c76c51a3 437 d192e819 d6990624 f40e3585 106aa070 438 19a4c116 1e376c08 2748774c 34b0bcb5 439 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 440 748f82ee 78a5636f 84c87814 8cc70208 441 90befffa a4506ceb bef9a3f7 c67178f2 443 5.2 SHA-384 and SHA-512 445 SHA-384 and SHA-512 each use six logical functions, where each 446 function operates on 64-bit words, which are represented as x, y, and 447 z. The result of each function is a new 64-bit word. 449 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 451 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 453 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 455 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 457 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 459 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 461 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 462 words, K0, K1, ... K79. These words represent the first sixty-four 463 bits of the fractional parts of the cube roots of the first eighty 464 prime numbers. In hex, these constant words are as follows (from 465 left to right): 467 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 468 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 469 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 470 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 471 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 472 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 473 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 474 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 475 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 476 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 477 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 478 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 479 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 480 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 481 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 482 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 483 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 484 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 485 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 486 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 488 6. Computing the Message Digest 490 The output of each of the secure hash functions, after being applied 491 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 492 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 493 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 494 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 496 As described below, the hash words are initialized, modified as each 497 message block is processed, and finally concatenated after processing 498 the last block to yield the output. For SHA-256 and SHA-512, all of 499 the H(N) variables are concatenated while the SHA-224 and SHA-384 500 hashes are produced by omitting some from the final concatenation. 502 6.1 SHA-224 and SHA-256 Initialization 504 For SHA-224, the initial hash value, H(0), consists of the following 505 32-bit words in hex: 507 H(0)0 = c1059ed8 508 H(0)1 = 367cd507 509 H(0)2 = 3070dd17 510 H(0)3 = f70e5939 511 H(0)4 = ffc00b31 512 H(0)5 = 68581511 513 H(0)6 = 64f98fa7 514 H(0)7 = befa4fa4 516 For SHA-256, the initial hash value, H(0), consists of the following 517 eight 32-bit words, in hex. These words were obtained by taking the 518 first thirty-two bits of the fractional parts of the square roots of 519 the first eight prime numbers. 521 H(0)0 = 6a09e667 522 H(0)1 = bb67ae85 523 H(0)2 = 3c6ef372 524 H(0)3 = a54ff53a 525 H(0)4 = 510e527f 526 H(0)5 = 9b05688c 527 H(0)6 = 1f83d9ab 528 H(0)7 = 5be0cd19 530 6.2 SHA-224 and SHA-256 Processing 532 SHA-224 and SHA-256 perform identical processing on messages blocks 533 and differ only in how H(0) is initialized and how they produce their 534 final output. They may be used to hash a message, M, having a length 535 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 536 schedule of sixty-four 32-bit words, (2) eight working variables of 537 32 bits each, and (3) a hash value of eight 32-bit words. 539 The words of the message schedule are labeled W0, W1, ..., W63. The 540 eight working variables are labeled a, b, c, d, e, f, g, and h. The 541 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 542 will hold the initial hash value, H(0), replaced by each successive 543 intermediate hash value (after each message block is processed), 544 H(i), and ending with the final hash value, H(N), after all N blocks 545 are processed. They also use two temporary words, T1 and T2. 547 The input message is padded as described in Section 4.1 above then 548 parsed into 512-bit blocks that are considered to be composed of 16 549 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 550 are then performed for each of the N message blocks. All addition is 551 performed modulo 2^32. 553 For i = 1 to N 555 1. Prepare the message schedule W: 556 For t = 0 to 15 557 Wt = M(i)t 558 For t = 16 to 63 559 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 561 2. Initialize the working variables: 562 a = H(i-1)0 563 b = H(i-1)1 564 c = H(i-1)2 565 d = H(i-1)3 566 e = H(i-1)4 567 f = H(i-1)5 568 g = H(i-1)6 569 h = H(i-1)7 571 3. Perform the main hash computation: 572 For t = 0 to 63 573 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 574 T2 = BSIG0(a) + MAJ(a,b,c) 575 h = g 576 g = f 577 f = e 578 e = d + T1 579 d = c 580 c = b 581 b = a 582 a = T1 + T2 584 4. Compute the intermediate hash value H(i) 585 H(i)0 = a + H(i-1)0 586 H(i)1 = b + H(i-1)1 587 H(i)2 = c + H(i-1)2 588 H(i)3 = d + H(i-1)3 589 H(i)4 = e + H(i-1)4 590 H(i)5 = f + H(i-1)5 591 H(i)6 = g + H(i-1)6 592 H(i)7 = h + H(i-1)7 594 After the above computations have been sequentially performed for all 595 of the blocks in the message, the final output is calculated. For 596 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 597 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 598 through H(N)6. 600 6.3 SHA-384 and SHA-512 Initialization 602 For SHA-384, the initial hash value, H(0), consists of the following 603 eight 64-bit words, in hex. These words were obtained by taking the 604 first sixty-four bits of the fractional parts of the square roots of 605 the ninth through sixteenth prime numbers. 607 H(0)0 = cbbb9d5dc1059ed8 608 H(0)1 = 629a292a367cd507 609 H(0)2 = 9159015a3070dd17 610 H(0)3 = 152fecd8f70e5939 611 H(0)4 = 67332667ffc00b31 612 H(0)5 = 8eb44a8768581511 613 H(0)6 = db0c2e0d64f98fa7 614 H(0)7 = 47b5481dbefa4fa4 616 For SHA-512, the initial hash value, H(0), consists of the following 617 eight 64-bit words, in hex. These words were obtained by taking the 618 first sixty-four bits of the fractional parts of the square roots of 619 the first eight prime numbers. 621 H(0)0 = 6a09e667f3bcc908 622 H(0)1 = bb67ae8584caa73b 623 H(0)2 = 3c6ef372fe94f82b 624 H(0)3 = a54ff53a5f1d36f1 625 H(0)4 = 510e527fade682d1 626 H(0)5 = 9b05688c2b3e6c1f 627 H(0)6 = 1f83d9abfb41bd6b 628 H(0)7 = 5be0cd19137e2179 630 6.4 SHA-384 and SHA-512 Processing 632 SHA-384 and SHA-512 perform identical processing on message blocks 633 and differ only in how H(0) is initialized and how they produce their 634 final output. They may be used to hash a message, M, having a length 635 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 636 schedule of eighty 64-bit words, (2) eight working variables of 64 637 bits each, and (3) a hash value of eight 64-bit words. 639 The words of the message schedule are labeled W0, W1, ..., W79. The 640 eight working variables are labeled a, b, c, d, e, f, g, and h. The 641 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 642 will hold the initial hash value, H(0), replaced by each successive 643 intermediate hash value (after each message block is processed), 644 H(i), and ending with the final hash value, H(N) after all N blocks 645 are processed. 647 The input message is padded as described in Section 4.2 above, then 648 parsed into 1024-bit blocks that are considered to be composed of 16 649 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 650 are then performed for each of the N message blocks. All addition is 651 performed modulo 2^64. 653 For i = 1 to N 655 1. Prepare the message schedule W: 656 For t = 0 to 15 657 Wt = M(i)t 658 For t = 16 to 79 659 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 661 2. Initialize the working variables: 662 a = H(i-1)0 663 b = H(i-1)1 664 c = H(i-1)2 665 d = H(i-1)3 666 e = H(i-1)4 667 f = H(i-1)5 668 g = H(i-1)6 669 h = H(i-1)7 671 3. Perform the main hash computation: 672 For t = 0 to 79 673 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 674 T2 = BSIG0(a) + MAJ(a,b,c) 675 h = g 676 g = f 677 f = e 678 e = d + T1 679 d = c 680 c = b 681 b = a 682 a = T1 + T2 684 4. Compute the intermediate hash value H(i) 685 H(i)0 = a + H(i-1)0 686 H(i)1 = b + H(i-1)1 687 H(i)2 = c + H(i-1)2 688 H(i)3 = d + H(i-1)3 689 H(i)4 = e + H(i-1)4 690 H(i)5 = f + H(i-1)5 691 H(i)6 = g + H(i-1)6 692 H(i)7 = h + H(i-1)7 694 After the above computations have been sequentially performed for all 695 of the blocks in the message, the final output is calculated. For 696 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 697 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 698 through H(N)5. 700 7. HKDF and SHA Based HMACs 702 Below are brief descriptions and pointers to more complete 703 descriptions and code for (1) SHA-based HMACs and (2) an HMAC-based 704 extract-and-expand key derivation function. Both HKDF and HMAC were 705 devised by Hugo Krawczyk. 707 7.1 SHA-Based HMACs 709 HMAC is a method for computing a keyed MAC (message authentication 710 code) using a hash function as described in [RFC2104]. It uses a key 711 to mix in with the input text to produce the final hash. 713 Sample code is also provided, in Section 8.3 below, to perform HMAC 714 based on any of the SHA algorithms described herein. The sample code 715 found in [RFC2104] was written in terms of a specified text size. 716 Since SHA is defined in terms of an arbitrary number of bits, the 717 sample HMAC code has been written to allow the text input to HMAC to 718 have an arbitrary number of octets and bits. A fixed length interface 719 is also provided. 721 7.2 HKDF 723 HKDF is a specific key derivation function (KDF), that is, a function 724 of initial keying material from which the KDF derives one or more 725 cryptographically strong secret keys. HKDF, which is described in 726 [RFC5869], is based on HMAC. 728 Sample code for HKDF is provided in Section 8.4 below. 730 8. C Code for SHAs, HMAC, and HKDF 732 Below is a demonstration implementation of these secure hash 733 functions in C. Section 8.1 contains the header file sha.h that 734 declares all constants, structures and functions used by the sha and 735 hmac functions. It includes conditionals based on the state of 736 definition of USE_32BIT_ONLY which, if that symbol is defined at 737 compile time, avoids 64-bit operations. It also contains sha- 738 private.h that provides some declarations common to all the sha 739 functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, 740 sha384-512.c, and usha.c. Section 8.3 contains the C code for the 741 HMAC functions and Section 8.4 contains the C code for HKDF. Section 742 8.5 contains a test driver to exercise the code. 744 For each of the digest lengths $$$, there are the following set of 745 constants, a structure, and functions: 747 Constants: 748 SHA$$$HashSize number of octets in the hash 749 SHA$$$HashSizeBits number of bits in the hash 750 SHA$$$_Message_Block_Size 751 number of octets used in the intermediate 752 message blocks 753 Most functions return an enum value that is one of: 754 shaSuccess(0) on success 755 shaNull(1) when presented with a null pointer parameter 756 shaInputTooLong(2) when the input data is too long 757 shaStateError(3) when SHA$$$Input is called after 758 SHA$$$FinalBits or SHA$$$Result. 760 Structure: 761 typedef SHA$$$Context 762 an opaque structure holding the complete state 763 for producing the hash 765 Functions: 766 int SHA$$$Reset(SHA$$$Context *context); 767 Reset the hash context state 768 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 769 unsigned int bytecount); 770 Incorporate bytecount octets into the hash. 771 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 772 unsigned int bitcount); 773 Incorporate bitcount bits into the hash. The bits are in the 774 upper portion of the octet. SHA$$$Input() cannot be called 775 after this. 776 int SHA$$$Result(SHA$$$Context *, 777 uint8_t Message_Digest[SHA$$$HashSize]); 778 Do the final calculations on the hash and copy the value 779 into Message_Digest. 781 In addition, functions with the prefix USHA are provided that take a 782 SHAversion value (SHA$$$) to select the SHA function suite. They add 783 the following constants, structure and function: 785 Constants: 786 shaBadParam(4) constant returned by USHA functions when 787 presented with a bad SHAversion (SHA$$$) 788 parameter or other illegal parameter values 789 USAMaxHashSize maximum of the SHA hash sizes 790 SHA$$$ SHAversion enumeration values, used by usha, 791 hmac and hkdf functions to select the SHA 792 function suite 794 Structure: 795 typedef USHAContext 796 an opaque structure holding the complete state 797 for producing the hash 799 Functions: 800 int USHAReset(USHAContext *context, SHAversion whichSha); 801 Reset the hash context state. 802 int USHAInput(USHAContext context*, 803 const uint8_t *bytes, unsigned int bytecount); 804 Incorporate bytecount octets into the hash. 805 int USHAFinalBits(USHAContext *context, 806 const uint8_t bits, unsigned int bitcount); 807 Incorporate bitcount bits into the hash. 808 int USHAResult(USHAContext *context, 809 uint8_t Message_Digest[USHAMaxHashSize]); 810 Do the final calculations on the hash and copy the value 811 into Message_Digest. Octets in Message_Digest beyond 812 USHAHashSize(whichSha) are left untouched. 813 int USHAHashSize(enum SHAversion whichSha); 814 The number of octets in the given hash. 815 int USHAHashSizeBits(enum SHAversion whichSha); 816 The number of bits in the given hash. 817 int USHABlockSize(enum SHAversion whichSha); 818 The internal block size for the given hash. 819 const char *USHAHashName(enum SHAversion whichSha); 820 This function will return the name of the given SHA 821 algorithm as a string. 823 The hmac functions follow the same pattern to allow any length of 824 text input to be used. 826 Structures: 827 typedef HMACContext an opaque structure holding the complete state 828 for producing the keyed message digest (MAC) 830 Functions: 831 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 832 const unsigned char *key, int key_len); 833 Reset the MAC context state. 834 int hmacInput(HMACContext *ctx, const unsigned char *text, 835 int text_len); 836 Incorporate text_len octets into the MAC. 837 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 838 unsigned int bitcount); 839 Incorporate bitcount bits into the MAC. 840 int hmacResult(HMACContext *ctx, 841 uint8_t Message_Digest[USHAMaxHashSize]); 842 Do the final calculations on the MAC and copy the value into 843 Message_Digest. Octets in Message_Digest beyond 844 USHAHashSize(whichSha) are left untouched. 846 In addition, a combined interface is provided, similar to that shown 847 in [RFC2104], that allows a fixed-length text input to be used. 849 int hmac(SHAversion whichSha, 850 const unsigned char *text, int text_len, 851 const unsigned char *key, int key_len, 852 uint8_t Message_Digest[USHAMaxHashSize]); 853 Calculate the given digest for the given text and key, and 854 return the resulting MAC. Octets in Message_Digest beyond 855 USHAHashSize(whichSha) are left untouched. 857 The hkdf functions follow the same pattern to allow any length of 858 text input to be used. 860 Structures: 861 typedef HKDFContext an opaque structure holding the complete state 862 for producing the keying material 863 Functions: 864 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 865 const unsigned char *salt, int salt_len) 866 Reset the key derivation state and initialize it with the 867 salt_len octets of the optional salt. 868 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 869 int ikm_len) 870 Incorporate ikm_len octets into the entropy extractor. 871 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 872 unsigned int ikm_bit_count) 873 Incorporate ikm_bit_count bits into the entropy extractor. 874 int hkdfResult(HKDFContext *context, 875 uint8_t prk[USHAMaxHashSize], 876 const unsigned char *info, int info_len, 877 uint8_t okm[ ], int okm_len) 878 Finish the HKDF extraction and perform the final HKDF 879 expansion, storing the okm_len octets into okm. Optionally 880 store the pseudo-random key (prk) that is generated 881 internally. 883 In addition, combined interfaces are provided, similar to that shown 884 in [RFC5869], that allows a fixed-length text input to be used. 886 int hkdfExtract(SHAversion whichSha, 887 const unsigned char *salt, int salt_len, 888 const unsigned char *ikm, int ikm_len, 889 uint8_t prk[USHAMaxHashSize]) 890 Perform HKDF extraction, combining the salt_len octets of 891 the optional salt with the ikm_len octets of the input 892 keying material (ikm) to form the pseudo-random key prk. 893 The output prk must be large enough to hold the octets 894 appropriate for the given hash type. 896 int hkdfExpand(SHAversion whichSha, 897 const uint8_t prk[ ], int prk_len, 898 const unsigned char *info, int info_len, 899 uint8_t okm[ ], int okm_len) 900 Perform HKDF expansion, combining the prk_len octets of the 901 pseudo-random key prk with the info_len octets of info to 902 form the okm_len octets stored in okm. 904 int hkdf(SHAversion whichSha, 905 const unsigned char *salt, int salt_len, 906 const unsigned char *ikm, int ikm_len, 907 const unsigned char *info, int info_len, 908 uint8_t okm[ ], int okm_len) 909 This combined interface performs both HKDF extraction and 910 expansion. The variables are the same as in hkdfExtract() 911 and hkdfExpand(). 913 8.1 The Header Files 915 8.1.1 The .h file 917 /**************************** sha.h ****************************/ 918 /***************** See RFC NNNN for details. *******************/ 919 /* 920 Copyright (c) 2010 IETF Trust and the persons identified as 921 authors of the code. All rights reserved. 923 Redistribution and use in source and binary forms, with or without 924 modification, are permitted provided that the following conditions 925 are met: 927 * Redistributions of source code must retain the above copyright 928 notice, this list of conditions and the following disclaimer. 930 * Redistributions in binary form must reproduce the above copyright 931 notice, this list of conditions and the following disclaimer in 932 the documentation and/or other materials provided with the 933 distribution. 935 * Neither the name of Internet Society, IETF or IETF Trust, nor the 936 names of specific contributors, may be used to endorse or promote 937 products derived from this software without specific prior 938 written permission. 940 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 941 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 942 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 943 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 944 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 945 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 946 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 947 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 948 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 949 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 950 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 951 POSSIBILITY OF SUCH DAMAGE. 952 */ 953 #ifndef _SHA_H_ 954 #define _SHA_H_ 956 /* 957 * Description: 958 * This file implements the Secure Hash Algorithms 959 * as defined in the U.S. National Institute of Standards 960 * and Technology Federal Information Processing Standards 961 * Publication (FIPS PUB) 180-3 published in October 2008 962 * and formerly defined in its predecessors, FIPS PUB 180-1 963 * and FIP PUB 180-2. 964 * 965 * A combined document showing all algorithms is available at 966 * http://csrc.nist.gov/publications/fips/ 967 * fips180-3/fips180-3_final.pdf 968 * 969 * The five hashes are defined in these sizes: 970 * SHA-1 20 byte / 160 bit 971 * SHA-224 28 byte / 224 bit 972 * SHA-256 32 byte / 256 bit 973 * SHA-384 48 byte / 384 bit 974 * SHA-512 64 byte / 512 bit 975 * 976 * Compilation Note: 978 * These files may be compiled with two options: 979 * USE_32BIT_ONLY - use 32-bit arithmetic only, for systems 980 * without 64-bit integers 981 * 982 * USE_MODIFIED_MACROS - use alternate form of the SHA_Ch() 983 * and SHA_Maj() macros that are equivalent 984 * and potentially faster on many systems 985 * 986 */ 988 #include 989 /* 990 * If you do not have the ISO standard stdint.h header file, then you 991 * must typedef the following: 992 * name meaning 993 * uint64_t unsigned 64 bit integer 994 * uint32_t unsigned 32 bit integer 995 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 996 * int_least16_t integer of >= 16 bits 997 * 998 */ 1000 #ifndef _SHA_enum_ 1001 #define _SHA_enum_ 1002 /* 1003 * All SHA functions return one of these values. 1004 */ 1005 enum { 1006 shaSuccess = 0, 1007 shaNull, /* Null pointer parameter */ 1008 shaInputTooLong, /* input data too long */ 1009 shaStateError, /* called Input after FinalBits or Result */ 1010 shaBadParam /* passed a bad parameter */ 1011 }; 1012 #endif /* _SHA_enum_ */ 1014 /* 1015 * These constants hold size information for each of the SHA 1016 * hashing operations 1017 */ 1018 enum { 1019 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1020 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1021 SHA512_Message_Block_Size = 128, 1022 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1024 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1025 SHA384HashSize = 48, SHA512HashSize = 64, 1026 USHAMaxHashSize = SHA512HashSize, 1027 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1028 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1029 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1030 }; 1032 /* 1033 * These constants are used in the USHA (unified sha) functions. 1034 */ 1035 typedef enum SHAversion { 1036 SHA1, SHA224, SHA256, SHA384, SHA512 1037 } SHAversion; 1039 /* 1040 * This structure will hold context information for the SHA-1 1041 * hashing operation. 1042 */ 1043 typedef struct SHA1Context { 1044 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1046 uint32_t Length_High; /* Message length in bits */ 1047 uint32_t Length_Low; /* Message length in bits */ 1049 int_least16_t Message_Block_Index; /* Message_Block array index */ 1050 /* 512-bit message blocks */ 1051 uint8_t Message_Block[SHA1_Message_Block_Size]; 1053 int Computed; /* Is the hash computed? */ 1054 int Corrupted; /* Cumulative corruption code */ 1055 } SHA1Context; 1057 /* 1058 * This structure will hold context information for the SHA-256 1059 * hashing operation. 1060 */ 1061 typedef struct SHA256Context { 1062 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1064 uint32_t Length_High; /* Message length in bits */ 1065 uint32_t Length_Low; /* Message length in bits */ 1067 int_least16_t Message_Block_Index; /* Message_Block array index */ 1068 /* 512-bit message blocks */ 1069 uint8_t Message_Block[SHA256_Message_Block_Size]; 1071 int Computed; /* Is the hash computed? */ 1072 int Corrupted; /* Cumulative corruption code */ 1073 } SHA256Context; 1075 /* 1076 * This structure will hold context information for the SHA-512 1077 * hashing operation. 1078 */ 1079 typedef struct SHA512Context { 1080 #ifdef USE_32BIT_ONLY 1081 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1082 uint32_t Length[4]; /* Message length in bits */ 1083 #else /* !USE_32BIT_ONLY */ 1084 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1085 uint64_t Length_High, Length_Low; /* Message length in bits */ 1086 #endif /* USE_32BIT_ONLY */ 1088 int_least16_t Message_Block_Index; /* Message_Block array index */ 1089 /* 1024-bit message blocks */ 1090 uint8_t Message_Block[SHA512_Message_Block_Size]; 1092 int Computed; /* Is the hash computed?*/ 1093 int Corrupted; /* Cumulative corruption code */ 1094 } SHA512Context; 1096 /* 1097 * This structure will hold context information for the SHA-224 1098 * hashing operation. It uses the SHA-256 structure for computation. 1099 */ 1100 typedef struct SHA256Context SHA224Context; 1102 /* 1103 * This structure will hold context information for the SHA-384 1104 * hashing operation. It uses the SHA-512 structure for computation. 1105 */ 1106 typedef struct SHA512Context SHA384Context; 1108 /* 1109 * This structure holds context information for all SHA 1110 * hashing operations. 1111 */ 1112 typedef struct USHAContext { 1113 int whichSha; /* which SHA is being used */ 1114 union { 1115 SHA1Context sha1Context; 1116 SHA224Context sha224Context; SHA256Context sha256Context; 1117 SHA384Context sha384Context; SHA512Context sha512Context; 1118 } ctx; 1119 } USHAContext; 1121 /* 1122 * This structure will hold context information for the HMAC 1123 * keyed hashing operation. 1124 */ 1125 typedef struct HMACContext { 1126 int whichSha; /* which SHA is being used */ 1127 int hashSize; /* hash size of SHA being used */ 1128 int blockSize; /* block size of SHA being used */ 1129 USHAContext shaContext; /* SHA context */ 1130 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1131 /* outer padding - key XORd with opad */ 1132 int Computed; /* Is the MAC computed? */ 1133 int Corrupted; /* Cumulative corruption code */ 1135 } HMACContext; 1137 /* 1138 * This structure will hold context information for the HKDF 1139 * Extract-and-Expand Key Derivation functions. 1140 */ 1141 typedef struct HKDFContext { 1142 int whichSha; /* which SHA is being used */ 1143 HMACContext hmacContext; 1144 int hashSize; /* hash size of SHA being used */ 1145 unsigned char prk[USHAMaxHashSize]; 1146 /* Pseudo Random Key - output of hkdfInput */ 1147 int Computed; /* Is the key material computed? */ 1148 int Corrupted; /* Cumulative corruption code */ 1149 } HKDFContext; 1151 /* 1152 * Function Prototypes 1153 */ 1155 /* SHA-1 */ 1156 extern int SHA1Reset(SHA1Context *); 1157 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1158 unsigned int bytecount); 1159 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1160 unsigned int bit_count); 1161 extern int SHA1Result(SHA1Context *, 1162 uint8_t Message_Digest[SHA1HashSize]); 1164 /* SHA-224 */ 1165 extern int SHA224Reset(SHA224Context *); 1166 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1167 unsigned int bytecount); 1168 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1169 unsigned int bit_count); 1170 extern int SHA224Result(SHA224Context *, 1171 uint8_t Message_Digest[SHA224HashSize]); 1173 /* SHA-256 */ 1174 extern int SHA256Reset(SHA256Context *); 1175 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1176 unsigned int bytecount); 1177 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1178 unsigned int bit_count); 1179 extern int SHA256Result(SHA256Context *, 1180 uint8_t Message_Digest[SHA256HashSize]); 1182 /* SHA-384 */ 1183 extern int SHA384Reset(SHA384Context *); 1184 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1185 unsigned int bytecount); 1186 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1187 unsigned int bit_count); 1188 extern int SHA384Result(SHA384Context *, 1189 uint8_t Message_Digest[SHA384HashSize]); 1191 /* SHA-512 */ 1192 extern int SHA512Reset(SHA512Context *); 1193 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1194 unsigned int bytecount); 1195 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1196 unsigned int bit_count); 1197 extern int SHA512Result(SHA512Context *, 1198 uint8_t Message_Digest[SHA512HashSize]); 1200 /* Unified SHA functions, chosen by whichSha */ 1201 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1202 extern int USHAInput(USHAContext *context, 1203 const uint8_t *bytes, unsigned int bytecount); 1204 extern int USHAFinalBits(USHAContext *context, 1205 uint8_t bits, unsigned int bit_count); 1206 extern int USHAResult(USHAContext *context, 1207 uint8_t Message_Digest[USHAMaxHashSize]); 1208 extern int USHABlockSize(enum SHAversion whichSha); 1209 extern int USHAHashSize(enum SHAversion whichSha); 1210 extern int USHAHashSizeBits(enum SHAversion whichSha); 1211 extern const char *USHAHashName(enum SHAversion whichSha); 1213 /* 1214 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1215 * for all SHAs. 1216 * This interface allows a fixed-length text input to be used. 1217 */ 1218 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1219 const unsigned char *text, /* pointer to data stream */ 1220 int text_len, /* length of data stream */ 1221 const unsigned char *key, /* pointer to authentication key */ 1222 int key_len, /* length of authentication key */ 1223 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1225 /* 1226 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1227 * for all SHAs. 1228 * This interface allows any length of text input to be used. 1229 */ 1230 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1231 const unsigned char *key, int key_len); 1232 extern int hmacInput(HMACContext *context, const unsigned char *text, 1233 int text_len); 1234 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1235 unsigned int bit_count); 1236 extern int hmacResult(HMACContext *context, 1237 uint8_t digest[USHAMaxHashSize]); 1239 /* 1240 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1241 * RFC 5869, for all SHAs. 1242 */ 1243 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1244 int salt_len, const unsigned char *ikm, int ikm_len, 1245 const unsigned char *info, int info_len, 1246 uint8_t okm[ ], int okm_len); 1247 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1248 int salt_len, const unsigned char *ikm, 1249 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1250 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1251 int prk_len, const unsigned char *info, 1252 int info_len, uint8_t okm[ ], int okm_len); 1254 /* 1255 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1256 * RFC 5869, for all SHAs. 1257 * This interface allows any length of text input to be used. 1258 */ 1259 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1260 const unsigned char *salt, int salt_len); 1261 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1262 int ikm_len); 1263 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1264 unsigned int ikm_bit_count); 1265 extern int hkdfResult(HKDFContext *context, 1266 uint8_t prk[USHAMaxHashSize], 1267 const unsigned char *info, int info_len, 1268 uint8_t okm[USHAMaxHashSize], int okm_len); 1270 #endif /* _SHA_H_ */ 1271 8.1.2 sha-private.h 1273 /************************ sha-private.h ************************/ 1274 /***************** See RFC NNNN for details. *******************/ 1275 #ifndef _SHA_PRIVATE__H 1276 #define _SHA_PRIVATE__H 1277 /* 1278 * These definitions are defined in FIPS 180-3, section 4.1. 1279 * Ch() and Maj() are defined identically in sections 4.1.1, 1280 * 4.1.2 and 4.1.3. 1281 * 1282 * The definitions used in FIPS 180-3 are as follows: 1283 */ 1285 #ifndef USE_MODIFIED_MACROS 1286 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 1287 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 1289 #else /* USE_MODIFIED_MACROS */ 1290 /* 1291 * The following definitions are equivalent and potentially faster. 1292 */ 1294 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 1295 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 1297 #endif /* USE_MODIFIED_MACROS */ 1299 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 1301 #endif /* _SHA_PRIVATE__H */ 1303 8.2 The SHA Code 1305 This code is primarily intended as expository and could be optimized 1306 further. For example, the assignment rotations through the variables 1307 a, b, ..., h could be treated as a cycle and the loop unrolled, 1308 rather than doing the explicit copying. 1310 Note that there are alternative representations of the Ch() and Maj() 1311 functions controlled by an ifdef. 1313 8.2.1 sha1.c 1315 /**************************** sha1.c ***************************/ 1316 /***************** See RFC NNNN for details. *******************/ 1317 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1318 /* authors of the code. All rights reserved. */ 1319 /* See sha.h for terms of use and redistribution. */ 1321 /* 1322 * Description: 1323 * This file implements the Secure Hash Algorithm SHA-1 1324 * as defined in the U.S. National Institute of Standards 1325 * and Technology Federal Information Processing Standards 1326 * Publication (FIPS PUB) 180-3 published in October 2008 1327 * and formerly defined in its predecessors, FIPS PUB 180-1 1328 * and FIP PUB 180-2. 1329 * 1330 * A combined document showing all algorithms is available at 1331 * http://csrc.nist.gov/publications/fips/ 1332 * fips180-3/fips180-3_final.pdf 1333 * 1334 * The SHA-1 algorithm produces a 160-bit message digest for a 1335 * given data stream. It should take about 2**n steps to find a 1336 * message with the same digest as a given message and 1337 * 2**(n/2) to find any two messages with the same digest, 1338 * when n is the digest size in bits. Therefore, this 1339 * algorithm can serve as a means of providing a 1340 * "fingerprint" for a message. 1341 * 1342 * Portability Issues: 1343 * SHA-1 is defined in terms of 32-bit "words". This code 1344 * uses (included via "sha.h") to define 32 and 8 1345 * bit unsigned integer types. If your C compiler does not 1346 * support 32 bit unsigned integers, this code is not 1347 * appropriate. 1348 * 1349 * Caveats: 1350 * SHA-1 is designed to work with messages less than 2^64 bits 1351 * long. This implementation uses SHA1Input() to hash the bits 1352 * that are a multiple of the size of an 8-bit octet, and then 1353 * optionally uses SHA1FinalBits() to hash the final few bits of 1354 * the input. 1355 */ 1357 #include "sha.h" 1358 #include "sha-private.h" 1360 /* 1361 * Define the SHA1 circular left shift macro 1362 */ 1363 #define SHA1_ROTL(bits,word) \ 1364 (((word) << (bits)) | ((word) >> (32-(bits)))) 1366 /* 1367 * Add "length" to the length. 1368 * Set Corrupted when overflow has occurred. 1369 */ 1370 static uint32_t addTemp; 1371 #define SHA1AddLength(context, length) \ 1372 (addTemp = (context)->Length_Low, \ 1373 (context)->Corrupted = \ 1374 (((context)->Length_Low += (length)) < addTemp) && \ 1375 (++(context)->Length_High == 0) ? shaInputTooLong \ 1376 : (context)->Corrupted ) 1378 /* Local Function Prototypes */ 1379 static void SHA1ProcessMessageBlock(SHA1Context *context); 1380 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1381 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1383 /* 1384 * SHA1Reset 1385 * 1386 * Description: 1387 * This function will initialize the SHA1Context in preparation 1388 * for computing a new SHA1 message digest. 1389 * 1390 * Parameters: 1391 * context: [in/out] 1392 * The context to reset. 1393 * 1394 * Returns: 1395 * sha Error Code. 1396 * 1397 */ 1398 int SHA1Reset(SHA1Context *context) 1399 { 1400 if (!context) return shaNull; 1402 context->Length_High = context->Length_Low = 0; 1403 context->Message_Block_Index = 0; 1405 /* Initial Hash Values: FIPS 180-3 section 5.3.1 */ 1406 context->Intermediate_Hash[0] = 0x67452301; 1407 context->Intermediate_Hash[1] = 0xEFCDAB89; 1408 context->Intermediate_Hash[2] = 0x98BADCFE; 1409 context->Intermediate_Hash[3] = 0x10325476; 1410 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1412 context->Computed = 0; 1413 context->Corrupted = shaSuccess; 1415 return shaSuccess; 1416 } 1417 /* 1418 * SHA1Input 1419 * 1420 * Description: 1421 * This function accepts an array of octets as the next portion 1422 * of the message. 1423 * 1424 * Parameters: 1425 * context: [in/out] 1426 * The SHA context to update 1427 * message_array[ ]: [in] 1428 * An array of octets representing the next portion of 1429 * the message. 1430 * length: [in] 1431 * The length of the message in message_array 1432 * 1433 * Returns: 1434 * sha Error Code. 1435 * 1436 */ 1437 int SHA1Input(SHA1Context *context, 1438 const uint8_t *message_array, unsigned length) 1439 { 1440 if (!context) return shaNull; 1441 if (!length) return shaSuccess; 1442 if (!message_array) return shaNull; 1443 if (context->Computed) return context->Corrupted = shaStateError; 1444 if (context->Corrupted) return context->Corrupted; 1446 while (length--) { 1447 context->Message_Block[context->Message_Block_Index++] = 1448 *message_array; 1450 if ((SHA1AddLength(context, 8) == shaSuccess) && 1451 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1452 SHA1ProcessMessageBlock(context); 1454 message_array++; 1455 } 1457 return context->Corrupted; 1458 } 1460 /* 1461 * SHA1FinalBits 1462 * 1463 * Description: 1464 * This function will add in any final bits of the message. 1465 * 1466 * Parameters: 1468 * context: [in/out] 1469 * The SHA context to update 1470 * message_bits: [in] 1471 * The final bits of the message, in the upper portion of the 1472 * byte. (Use 0b###00000 instead of 0b00000### to input the 1473 * three bits ###.) 1474 * length: [in] 1475 * The number of bits in message_bits, between 1 and 7. 1476 * 1477 * Returns: 1478 * sha Error Code. 1479 */ 1480 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1481 unsigned int length) 1482 { 1483 static uint8_t masks[8] = { 1484 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1485 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1486 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1487 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1488 }; 1489 static uint8_t markbit[8] = { 1490 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1491 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1492 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1493 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1494 }; 1496 if (!context) return shaNull; 1497 if (!length) return shaSuccess; 1498 if (context->Corrupted) return context->Corrupted; 1499 if (context->Computed) return context->Corrupted = shaStateError; 1500 if (length >= 8) return context->Corrupted = shaBadParam; 1502 SHA1AddLength(context, length); 1503 SHA1Finalize(context, 1504 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1506 return context->Corrupted; 1507 } 1509 /* 1510 * SHA1Result 1511 * 1512 * Description: 1513 * This function will return the 160-bit message digest 1514 * into the Message_Digest array provided by the caller. 1515 * NOTE: 1516 * The first octet of hash is stored in the element with index 0, 1517 * the last octet of hash in the element with index 19. 1519 * 1520 * Parameters: 1521 * context: [in/out] 1522 * The context to use to calculate the SHA-1 hash. 1523 * Message_Digest[ ]: [out] 1524 * Where the digest is returned. 1525 * 1526 * Returns: 1527 * sha Error Code. 1528 * 1529 */ 1530 int SHA1Result(SHA1Context *context, 1531 uint8_t Message_Digest[SHA1HashSize]) 1532 { 1533 int i; 1535 if (!context) return shaNull; 1536 if (!Message_Digest) return shaNull; 1537 if (context->Corrupted) return context->Corrupted; 1539 if (!context->Computed) 1540 SHA1Finalize(context, 0x80); 1542 for (i = 0; i < SHA1HashSize; ++i) 1543 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1544 >> (8 * ( 3 - ( i & 0x03 ) ))); 1546 return shaSuccess; 1547 } 1549 /* 1550 * SHA1ProcessMessageBlock 1551 * 1552 * Description: 1553 * This helper function will process the next 512 bits of the 1554 * message stored in the Message_Block array. 1555 * 1556 * Parameters: 1557 * context: [in/out] 1558 * The SHA context to update 1559 * 1560 * Returns: 1561 * Nothing. 1562 * 1563 * Comments: 1564 * Many of the variable names in this code, especially the 1565 * single character names, were used because those were the 1566 * names used in the Secure Hash Standard. 1567 */ 1568 static void SHA1ProcessMessageBlock(SHA1Context *context) 1569 { 1570 /* Constants defined in FIPS 180-3, section 4.2.1 */ 1571 const uint32_t K[4] = { 1572 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1573 }; 1574 int t; /* Loop counter */ 1575 uint32_t temp; /* Temporary word value */ 1576 uint32_t W[80]; /* Word sequence */ 1577 uint32_t A, B, C, D, E; /* Word buffers */ 1579 /* 1580 * Initialize the first 16 words in the array W 1581 */ 1582 for (t = 0; t < 16; t++) { 1583 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1584 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1585 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1586 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1587 } 1589 for (t = 16; t < 80; t++) 1590 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1592 A = context->Intermediate_Hash[0]; 1593 B = context->Intermediate_Hash[1]; 1594 C = context->Intermediate_Hash[2]; 1595 D = context->Intermediate_Hash[3]; 1596 E = context->Intermediate_Hash[4]; 1598 for (t = 0; t < 20; t++) { 1599 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1600 E = D; 1601 D = C; 1602 C = SHA1_ROTL(30,B); 1603 B = A; 1604 A = temp; 1605 } 1607 for (t = 20; t < 40; t++) { 1608 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1609 E = D; 1610 D = C; 1611 C = SHA1_ROTL(30,B); 1612 B = A; 1613 A = temp; 1614 } 1616 for (t = 40; t < 60; t++) { 1617 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1618 E = D; 1619 D = C; 1620 C = SHA1_ROTL(30,B); 1621 B = A; 1622 A = temp; 1623 } 1625 for (t = 60; t < 80; t++) { 1626 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1627 E = D; 1628 D = C; 1629 C = SHA1_ROTL(30,B); 1630 B = A; 1631 A = temp; 1632 } 1634 context->Intermediate_Hash[0] += A; 1635 context->Intermediate_Hash[1] += B; 1636 context->Intermediate_Hash[2] += C; 1637 context->Intermediate_Hash[3] += D; 1638 context->Intermediate_Hash[4] += E; 1640 context->Message_Block_Index = 0; 1641 } 1643 /* 1644 * SHA1Finalize 1645 * 1646 * Description: 1647 * This helper function finishes off the digest calculations. 1648 * 1649 * Parameters: 1650 * context: [in/out] 1651 * The SHA context to update 1652 * Pad_Byte: [in] 1653 * The last byte to add to the message block before the 0-padding 1654 * and length. This will contain the last bits of the message 1655 * followed by another single bit. If the message was an 1656 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1657 * 1658 * Returns: 1659 * sha Error Code. 1660 * 1661 */ 1662 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1663 { 1664 int i; 1665 SHA1PadMessage(context, Pad_Byte); 1666 /* message may be sensitive, clear it out */ 1667 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1668 context->Message_Block[i] = 0; 1670 context->Length_High = 0; /* and clear length */ 1671 context->Length_Low = 0; 1672 context->Computed = 1; 1673 } 1675 /* 1676 * SHA1PadMessage 1677 * 1678 * Description: 1679 * According to the standard, the message must be padded to the next 1680 * even multiple of 512 bits. The first padding bit must be a '1'. 1681 * The last 64 bits represent the length of the original message. 1682 * All bits in between should be 0. This helper function will pad 1683 * the message according to those rules by filling the Message_Block 1684 * array accordingly. When it returns, it can be assumed that the 1685 * message digest has been computed. 1686 * 1687 * Parameters: 1688 * context: [in/out] 1689 * The context to pad 1690 * Pad_Byte: [in] 1691 * The last byte to add to the message block before the 0-padding 1692 * and length. This will contain the last bits of the message 1693 * followed by another single bit. If the message was an 1694 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1695 * 1696 * Returns: 1697 * Nothing. 1698 */ 1699 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1700 { 1701 /* 1702 * Check to see if the current message block is too small to hold 1703 * the initial padding bits and length. If so, we will pad the 1704 * block, process it, and then continue padding into a second 1705 * block. 1706 */ 1707 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1708 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1709 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1710 context->Message_Block[context->Message_Block_Index++] = 0; 1712 SHA1ProcessMessageBlock(context); 1713 } else 1714 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1716 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1717 context->Message_Block[context->Message_Block_Index++] = 0; 1719 /* 1720 * Store the message length as the last 8 octets 1721 */ 1722 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1723 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1724 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1725 context->Message_Block[59] = (uint8_t) (context->Length_High); 1726 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1727 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1728 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1729 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1731 SHA1ProcessMessageBlock(context); 1732 } 1734 8.2.2 sha224-256.c 1736 /************************* sha224-256.c ************************/ 1737 /***************** See RFC NNNN for details. *******************/ 1738 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1739 /* authors of the code. All rights reserved. */ 1740 /* See sha.h for terms of use and redistribution. */ 1742 /* 1743 * Description: 1744 * This file implements the Secure Hash Algorithms SHA-224 and 1745 * SHA-256 as defined in the U.S. National Institute of Standards 1746 * and Technology Federal Information Processing Standards 1747 * Publication (FIPS PUB) 180-3 published in October 2008 1748 * and formerly defined in its predecessors, FIPS PUB 180-1 1749 * and FIP PUB 180-2. 1750 * 1751 * A combined document showing all algorithms is available at 1752 * http://csrc.nist.gov/publications/fips/ 1753 * fips180-3/fips180-3_final.pdf 1754 * 1755 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1756 * message digests for a given data stream. It should take about 1757 * 2**n steps to find a message with the same digest as a given 1758 * message and 2**(n/2) to find any two messages with the same 1759 * digest, when n is the digest size in bits. Therefore, this 1760 * algorithm can serve as a means of providing a 1761 * "fingerprint" for a message. 1762 * 1763 * Portability Issues: 1764 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1765 * This code uses (included via "sha.h") to define 32 1766 * and 8 bit unsigned integer types. If your C compiler does not 1767 * support 32 bit unsigned integers, this code is not 1768 * appropriate. 1769 * 1770 * Caveats: 1771 * SHA-224 and SHA-256 are designed to work with messages less 1772 * than 2^64 bits long. This implementation uses SHA224/256Input() 1773 * to hash the bits that are a multiple of the size of an 8-bit 1774 * octet, and then optionally uses SHA224/256FinalBits() 1775 * to hash the final few bits of the input. 1776 */ 1778 #include "sha.h" 1779 #include "sha-private.h" 1781 /* Define the SHA shift, rotate left and rotate right macro */ 1782 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1783 #define SHA256_ROTL(bits,word) \ 1784 (((word) << (bits)) | ((word) >> (32-(bits)))) 1785 #define SHA256_ROTR(bits,word) \ 1786 (((word) >> (bits)) | ((word) << (32-(bits)))) 1788 /* Define the SHA SIGMA and sigma macros */ 1789 #define SHA256_SIGMA0(word) \ 1790 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1791 #define SHA256_SIGMA1(word) \ 1792 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1793 #define SHA256_sigma0(word) \ 1794 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1795 #define SHA256_sigma1(word) \ 1796 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1798 /* 1799 * Add "length" to the length. 1800 * Set Corrupted when overflow has occurred. 1801 */ 1802 static uint32_t addTemp; 1803 #define SHA224_256AddLength(context, length) \ 1804 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1805 (((context)->Length_Low += (length)) < addTemp) && \ 1806 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1807 (context)->Corrupted ) 1809 /* Local Function Prototypes */ 1810 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1811 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1812 static void SHA224_256Finalize(SHA256Context *context, 1813 uint8_t Pad_Byte); 1814 static void SHA224_256PadMessage(SHA256Context *context, 1815 uint8_t Pad_Byte); 1816 static int SHA224_256ResultN(SHA256Context *context, 1817 uint8_t Message_Digest[ ], int HashSize); 1819 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */ 1820 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1821 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1822 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1823 }; 1825 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */ 1826 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1827 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1828 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1829 }; 1831 /* 1832 * SHA224Reset 1833 * 1834 * Description: 1835 * This function will initialize the SHA224Context in preparation 1836 * for computing a new SHA224 message digest. 1837 * 1838 * Parameters: 1839 * context: [in/out] 1840 * The context to reset. 1841 * 1842 * Returns: 1843 * sha Error Code. 1844 */ 1845 int SHA224Reset(SHA224Context *context) 1846 { 1847 return SHA224_256Reset(context, SHA224_H0); 1848 } 1850 /* 1851 * SHA224Input 1852 * 1853 * Description: 1854 * This function accepts an array of octets as the next portion 1855 * of the message. 1856 * 1857 * Parameters: 1858 * context: [in/out] 1859 * The SHA context to update 1860 * message_array[ ]: [in] 1861 * An array of octets representing the next portion of 1862 * the message. 1863 * length: [in] 1864 * The length of the message in message_array 1865 * 1866 * Returns: 1867 * sha Error Code. 1868 * 1869 */ 1870 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1871 unsigned int length) 1872 { 1873 return SHA256Input(context, message_array, length); 1874 } 1876 /* 1877 * SHA224FinalBits 1878 * 1879 * Description: 1880 * This function will add in any final bits of the message. 1881 * 1882 * Parameters: 1883 * context: [in/out] 1884 * The SHA context to update 1885 * message_bits: [in] 1886 * The final bits of the message, in the upper portion of the 1887 * byte. (Use 0b###00000 instead of 0b00000### to input the 1888 * three bits ###.) 1889 * length: [in] 1890 * The number of bits in message_bits, between 1 and 7. 1891 * 1892 * Returns: 1893 * sha Error Code. 1894 */ 1895 int SHA224FinalBits(SHA224Context *context, 1896 uint8_t message_bits, unsigned int length) 1897 { 1898 return SHA256FinalBits(context, message_bits, length); 1899 } 1901 /* 1902 * SHA224Result 1903 * 1904 * Description: 1905 * This function will return the 224-bit message digest 1906 * into the Message_Digest array provided by the caller. 1907 * NOTE: 1908 * The first octet of hash is stored in the element with index 0, 1909 * the last octet of hash in the element with index 27. 1910 * 1911 * Parameters: 1912 * context: [in/out] 1913 * The context to use to calculate the SHA hash. 1914 * Message_Digest[ ]: [out] 1915 * Where the digest is returned. 1916 * 1917 * Returns: 1918 * sha Error Code. 1920 */ 1921 int SHA224Result(SHA224Context *context, 1922 uint8_t Message_Digest[SHA224HashSize]) 1923 { 1924 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1925 } 1927 /* 1928 * SHA256Reset 1929 * 1930 * Description: 1931 * This function will initialize the SHA256Context in preparation 1932 * for computing a new SHA256 message digest. 1933 * 1934 * Parameters: 1935 * context: [in/out] 1936 * The context to reset. 1937 * 1938 * Returns: 1939 * sha Error Code. 1940 */ 1941 int SHA256Reset(SHA256Context *context) 1942 { 1943 return SHA224_256Reset(context, SHA256_H0); 1944 } 1946 /* 1947 * SHA256Input 1948 * 1949 * Description: 1950 * This function accepts an array of octets as the next portion 1951 * of the message. 1952 * 1953 * Parameters: 1954 * context: [in/out] 1955 * The SHA context to update 1956 * message_array[ ]: [in] 1957 * An array of octets representing the next portion of 1958 * the message. 1959 * length: [in] 1960 * The length of the message in message_array 1961 * 1962 * Returns: 1963 * sha Error Code. 1964 */ 1965 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1966 unsigned int length) 1967 { 1968 if (!context) return shaNull; 1969 if (!length) return shaSuccess; 1970 if (!message_array) return shaNull; 1971 if (context->Computed) return context->Corrupted = shaStateError; 1972 if (context->Corrupted) return context->Corrupted; 1974 while (length--) { 1975 context->Message_Block[context->Message_Block_Index++] = 1976 *message_array; 1978 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 1979 (context->Message_Block_Index == SHA256_Message_Block_Size)) 1980 SHA224_256ProcessMessageBlock(context); 1982 message_array++; 1983 } 1985 return context->Corrupted; 1987 } 1989 /* 1990 * SHA256FinalBits 1991 * 1992 * Description: 1993 * This function will add in any final bits of the message. 1994 * 1995 * Parameters: 1996 * context: [in/out] 1997 * The SHA context to update 1998 * message_bits: [in] 1999 * The final bits of the message, in the upper portion of the 2000 * byte. (Use 0b###00000 instead of 0b00000### to input the 2001 * three bits ###.) 2002 * length: [in] 2003 * The number of bits in message_bits, between 1 and 7. 2004 * 2005 * Returns: 2006 * sha Error Code. 2007 */ 2008 int SHA256FinalBits(SHA256Context *context, 2009 uint8_t message_bits, unsigned int length) 2010 { 2011 static uint8_t masks[8] = { 2012 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2013 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2014 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2015 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2016 }; 2017 static uint8_t markbit[8] = { 2018 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2019 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2020 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2021 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2022 }; 2024 if (!context) return shaNull; 2025 if (!length) return shaSuccess; 2026 if (context->Corrupted) return context->Corrupted; 2027 if (context->Computed) return context->Corrupted = shaStateError; 2028 if (length >= 8) return context->Corrupted = shaBadParam; 2030 SHA224_256AddLength(context, length); 2031 SHA224_256Finalize(context, (uint8_t) 2032 ((message_bits & masks[length]) | markbit[length])); 2034 return context->Corrupted; 2035 } 2037 /* 2038 * SHA256Result 2039 * 2040 * Description: 2041 * This function will return the 256-bit message digest 2042 * into the Message_Digest array provided by the caller. 2043 * NOTE: 2044 * The first octet of hash is stored in the element with index 0, 2045 * the last octet of hash in the element with index 31. 2046 * 2047 * Parameters: 2048 * context: [in/out] 2049 * The context to use to calculate the SHA hash. 2050 * Message_Digest[ ]: [out] 2051 * Where the digest is returned. 2052 * 2053 * Returns: 2054 * sha Error Code. 2055 */ 2056 int SHA256Result(SHA256Context *context, 2057 uint8_t Message_Digest[SHA256HashSize]) 2058 { 2059 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2060 } 2062 /* 2063 * SHA224_256Reset 2064 * 2065 * Description: 2066 * This helper function will initialize the SHA256Context in 2067 * preparation for computing a new SHA-224 or SHA-256 message digest. 2068 * 2069 * Parameters: 2071 * context: [in/out] 2072 * The context to reset. 2073 * H0[ ]: [in] 2074 * The initial hash value array to use. 2075 * 2076 * Returns: 2077 * sha Error Code. 2078 */ 2079 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2080 { 2081 if (!context) return shaNull; 2083 context->Length_High = context->Length_Low = 0; 2084 context->Message_Block_Index = 0; 2086 context->Intermediate_Hash[0] = H0[0]; 2087 context->Intermediate_Hash[1] = H0[1]; 2088 context->Intermediate_Hash[2] = H0[2]; 2089 context->Intermediate_Hash[3] = H0[3]; 2090 context->Intermediate_Hash[4] = H0[4]; 2091 context->Intermediate_Hash[5] = H0[5]; 2092 context->Intermediate_Hash[6] = H0[6]; 2093 context->Intermediate_Hash[7] = H0[7]; 2095 context->Computed = 0; 2096 context->Corrupted = shaSuccess; 2098 return shaSuccess; 2099 } 2101 /* 2102 * SHA224_256ProcessMessageBlock 2103 * 2104 * Description: 2105 * This helper function will process the next 512 bits of the 2106 * message stored in the Message_Block array. 2107 * 2108 * Parameters: 2109 * context: [in/out] 2110 * The SHA context to update 2111 * 2112 * Returns: 2113 * Nothing. 2114 * 2115 * Comments: 2116 * Many of the variable names in this code, especially the 2117 * single character names, were used because those were the 2118 * names used in the Secure Hash Standard. 2119 */ 2120 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2121 { 2122 /* Constants defined in FIPS 180-3, section 4.2.2 */ 2123 static const uint32_t K[64] = { 2124 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2125 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2126 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2127 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2128 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2129 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2130 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2131 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2132 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2133 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2134 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2135 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2136 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2137 }; 2138 int t, t4; /* Loop counter */ 2139 uint32_t temp1, temp2; /* Temporary word value */ 2140 uint32_t W[64]; /* Word sequence */ 2141 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2143 /* 2144 * Initialize the first 16 words in the array W 2145 */ 2146 for (t = t4 = 0; t < 16; t++, t4 += 4) 2147 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2148 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2149 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2150 (((uint32_t)context->Message_Block[t4 + 3])); 2152 for (t = 16; t < 64; t++) 2153 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2154 SHA256_sigma0(W[t-15]) + W[t-16]; 2156 A = context->Intermediate_Hash[0]; 2157 B = context->Intermediate_Hash[1]; 2158 C = context->Intermediate_Hash[2]; 2159 D = context->Intermediate_Hash[3]; 2160 E = context->Intermediate_Hash[4]; 2161 F = context->Intermediate_Hash[5]; 2162 G = context->Intermediate_Hash[6]; 2163 H = context->Intermediate_Hash[7]; 2165 for (t = 0; t < 64; t++) { 2166 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2167 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2168 H = G; 2169 G = F; 2170 F = E; 2171 E = D + temp1; 2172 D = C; 2173 C = B; 2174 B = A; 2175 A = temp1 + temp2; 2176 } 2178 context->Intermediate_Hash[0] += A; 2179 context->Intermediate_Hash[1] += B; 2180 context->Intermediate_Hash[2] += C; 2181 context->Intermediate_Hash[3] += D; 2182 context->Intermediate_Hash[4] += E; 2183 context->Intermediate_Hash[5] += F; 2184 context->Intermediate_Hash[6] += G; 2185 context->Intermediate_Hash[7] += H; 2187 context->Message_Block_Index = 0; 2188 } 2190 /* 2191 * SHA224_256Finalize 2192 * 2193 * Description: 2194 * This helper function finishes off the digest calculations. 2195 * 2196 * Parameters: 2197 * context: [in/out] 2198 * The SHA context to update 2199 * Pad_Byte: [in] 2200 * The last byte to add to the message block before the 0-padding 2201 * and length. This will contain the last bits of the message 2202 * followed by another single bit. If the message was an 2203 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2204 * 2205 * Returns: 2206 * sha Error Code. 2207 */ 2208 static void SHA224_256Finalize(SHA256Context *context, 2209 uint8_t Pad_Byte) 2210 { 2211 int i; 2212 SHA224_256PadMessage(context, Pad_Byte); 2213 /* message may be sensitive, so clear it out */ 2214 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2215 context->Message_Block[i] = 0; 2216 context->Length_High = 0; /* and clear length */ 2217 context->Length_Low = 0; 2218 context->Computed = 1; 2219 } 2220 /* 2221 * SHA224_256PadMessage 2222 * 2223 * Description: 2224 * According to the standard, the message must be padded to the next 2225 * even multiple of 512 bits. The first padding bit must be a '1'. 2226 * The last 64 bits represent the length of the original message. 2227 * All bits in between should be 0. This helper function will pad 2228 * the message according to those rules by filling the 2229 * Message_Block array accordingly. When it returns, it can be 2230 * assumed that the message digest has been computed. 2231 * 2232 * Parameters: 2233 * context: [in/out] 2234 * The context to pad 2235 * Pad_Byte: [in] 2236 * The last byte to add to the message block before the 0-padding 2237 * and length. This will contain the last bits of the message 2238 * followed by another single bit. If the message was an 2239 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2240 * 2241 * Returns: 2242 * Nothing. 2243 */ 2244 static void SHA224_256PadMessage(SHA256Context *context, 2245 uint8_t Pad_Byte) 2246 { 2247 /* 2248 * Check to see if the current message block is too small to hold 2249 * the initial padding bits and length. If so, we will pad the 2250 * block, process it, and then continue padding into a second 2251 * block. 2252 */ 2253 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2254 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2255 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2256 context->Message_Block[context->Message_Block_Index++] = 0; 2257 SHA224_256ProcessMessageBlock(context); 2258 } else 2259 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2261 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2262 context->Message_Block[context->Message_Block_Index++] = 0; 2264 /* 2265 * Store the message length as the last 8 octets 2266 */ 2267 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2268 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2269 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2270 context->Message_Block[59] = (uint8_t)(context->Length_High); 2271 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2272 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2273 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2274 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2276 SHA224_256ProcessMessageBlock(context); 2277 } 2279 /* 2280 * SHA224_256ResultN 2281 * 2282 * Description: 2283 * This helper function will return the 224-bit or 256-bit message 2284 * digest into the Message_Digest array provided by the caller. 2285 * NOTE: 2286 * The first octet of hash is stored in the element with index 0, 2287 * the last octet of hash in the element with index 27/31. 2288 * 2289 * Parameters: 2290 * context: [in/out] 2291 * The context to use to calculate the SHA hash. 2292 * Message_Digest[ ]: [out] 2293 * Where the digest is returned. 2294 * HashSize: [in] 2295 * The size of the hash, either 28 or 32. 2296 * 2297 * Returns: 2298 * sha Error Code. 2299 */ 2300 static int SHA224_256ResultN(SHA256Context *context, 2301 uint8_t Message_Digest[ ], int HashSize) 2302 { 2303 int i; 2305 if (!context) return shaNull; 2306 if (!Message_Digest) return shaNull; 2307 if (context->Corrupted) return context->Corrupted; 2309 if (!context->Computed) 2310 SHA224_256Finalize(context, 0x80); 2312 for (i = 0; i < HashSize; ++i) 2313 Message_Digest[i] = (uint8_t) 2314 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2316 return shaSuccess; 2317 } 2318 8.2.3 sha384-512.c 2320 /************************* sha384-512.c ************************/ 2321 /***************** See RFC NNNN for details. *******************/ 2322 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2323 /* authors of the code. All rights reserved. */ 2324 /* See sha.h for terms of use and redistribution. */ 2326 /* 2327 * Description: 2328 * This file implements the Secure Hash Algorithms SHA-384 and 2329 * SHA-512 as defined in the U.S. National Institute of Standards 2330 * and Technology Federal Information Processing Standards 2331 * Publication (FIPS PUB) 180-3 published in October 2008 2332 * and formerly defined in its predecessors, FIPS PUB 180-1 2333 * and FIP PUB 180-2. 2334 * 2335 * A combined document showing all algorithms is available at 2336 * http://csrc.nist.gov/publications/fips/ 2337 * fips180-3/fips180-3_final.pdf 2338 * 2339 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2340 * message digests for a given data stream. It should take about 2341 * 2**n steps to find a message with the same digest as a given 2342 * message and 2**(n/2) to find any two messages with the same 2343 * digest, when n is the digest size in bits. Therefore, this 2344 * algorithm can serve as a means of providing a 2345 * "fingerprint" for a message. 2346 * 2347 * Portability Issues: 2348 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2349 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2350 * terms of 32-bit "words". This code uses (included 2351 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2352 * types. If your C compiler does not support 64 bit unsigned 2353 * integers, and you do not #define USE_32BIT_ONLY, this code is 2354 * not appropriate. 2355 * 2356 * Caveats: 2357 * SHA-384 and SHA-512 are designed to work with messages less 2358 * than 2^128 bits long. This implementation uses SHA384/512Input() 2359 * to hash the bits that are a multiple of the size of an 8-bit 2360 * octet, and then optionally uses SHA384/256FinalBits() 2361 * to hash the final few bits of the input. 2362 * 2363 */ 2365 #include "sha.h" 2367 #ifdef USE_32BIT_ONLY 2368 /* 2369 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2370 * Each 64-bit number is represented in a 2-word array. 2371 * All macros are defined such that the result is the last parameter. 2372 */ 2374 /* 2375 * Define shift, rotate left and rotate right functions 2376 */ 2377 #define SHA512_SHR(bits, word, ret) ( \ 2378 /* (((uint64_t)((word))) >> (bits)) */ \ 2379 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2380 ((word)[0] >> (bits)) : 0, \ 2381 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2382 ((bits) == 32) ? (word)[0] : \ 2383 ((bits) >= 0) ? \ 2384 (((word)[0] << (32 - (bits))) | \ 2385 ((word)[1] >> (bits))) : 0 ) 2387 #define SHA512_SHL(bits, word, ret) ( \ 2388 /* (((uint64_t)(word)) << (bits)) */ \ 2389 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2390 ((bits) == 32) ? (word)[1] : \ 2391 ((bits) >= 0) ? \ 2392 (((word)[0] << (bits)) | \ 2393 ((word)[1] >> (32 - (bits)))) : \ 2394 0, \ 2395 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2396 ((word)[1] << (bits)) : 0 ) 2398 /* 2399 * Define 64-bit OR 2400 */ 2401 #define SHA512_OR(word1, word2, ret) ( \ 2402 (ret)[0] = (word1)[0] | (word2)[0], \ 2403 (ret)[1] = (word1)[1] | (word2)[1] ) 2405 /* 2406 * Define 64-bit XOR 2407 */ 2408 #define SHA512_XOR(word1, word2, ret) ( \ 2409 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2410 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2412 /* 2413 * Define 64-bit AND 2414 */ 2415 #define SHA512_AND(word1, word2, ret) ( \ 2416 (ret)[0] = (word1)[0] & (word2)[0], \ 2417 (ret)[1] = (word1)[1] & (word2)[1] ) 2419 /* 2420 * Define 64-bit TILDA 2421 */ 2422 #define SHA512_TILDA(word, ret) \ 2423 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2425 /* 2426 * Define 64-bit ADD 2427 */ 2428 #define SHA512_ADD(word1, word2, ret) ( \ 2429 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2430 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2432 /* 2433 * Add the 4word value in word2 to word1. 2434 */ 2435 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2436 #define SHA512_ADDTO4(word1, word2) ( \ 2437 ADDTO4_temp = (word1)[3], \ 2438 (word1)[3] += (word2)[3], \ 2439 ADDTO4_temp2 = (word1)[2], \ 2440 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2441 ADDTO4_temp = (word1)[1], \ 2442 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2443 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2445 /* 2446 * Add the 2word value in word2 to word1. 2447 */ 2448 static uint32_t ADDTO2_temp; 2449 #define SHA512_ADDTO2(word1, word2) ( \ 2450 ADDTO2_temp = (word1)[1], \ 2451 (word1)[1] += (word2)[1], \ 2452 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2454 /* 2455 * SHA rotate ((word >> bits) | (word << (64-bits))) 2456 */ 2457 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2458 #define SHA512_ROTR(bits, word, ret) ( \ 2459 SHA512_SHR((bits), (word), ROTR_temp1), \ 2460 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2461 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2463 /* 2464 * Define the SHA SIGMA and sigma macros 2465 * 2466 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2467 */ 2468 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2469 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2470 #define SHA512_SIGMA0(word, ret) ( \ 2471 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2472 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2473 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2474 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2475 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2477 /* 2478 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2479 */ 2480 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2481 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2482 #define SHA512_SIGMA1(word, ret) ( \ 2483 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2484 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2485 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2486 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2487 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2489 /* 2490 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2491 */ 2492 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2493 sigma0_temp3[2], sigma0_temp4[2]; 2494 #define SHA512_sigma0(word, ret) ( \ 2495 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2496 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2497 SHA512_SHR( 7, (word), sigma0_temp3), \ 2498 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2499 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2501 /* 2502 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2503 */ 2504 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2505 sigma1_temp3[2], sigma1_temp4[2]; 2506 #define SHA512_sigma1(word, ret) ( \ 2507 SHA512_ROTR(19, (word), sigma1_temp1), \ 2508 SHA512_ROTR(61, (word), sigma1_temp2), \ 2509 SHA512_SHR( 6, (word), sigma1_temp3), \ 2510 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2511 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2513 #ifndef USE_MODIFIED_MACROS 2514 /* 2515 * These definitions are the ones used in FIPS 180-3, section 4.1.3 2516 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2517 */ 2518 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2519 #define SHA_Ch(x, y, z, ret) ( \ 2520 SHA512_AND(x, y, Ch_temp1), \ 2521 SHA512_TILDA(x, Ch_temp2), \ 2522 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2523 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2525 /* 2526 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2527 */ 2528 static uint32_t Maj_temp1[2], Maj_temp2[2], 2529 Maj_temp3[2], Maj_temp4[2]; 2530 #define SHA_Maj(x, y, z, ret) ( \ 2531 SHA512_AND(x, y, Maj_temp1), \ 2532 SHA512_AND(x, z, Maj_temp2), \ 2533 SHA512_AND(y, z, Maj_temp3), \ 2534 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2535 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2537 #else /* !USE_MODIFIED_MACROS */ 2538 /* 2539 * These definitions are potentially faster equivalents for the ones 2540 * used in FIPS 180-3, section 4.1.3. 2541 * ((x & y) ^ (~x & z)) becomes 2542 * ((x & (y ^ z)) ^ z) 2543 */ 2544 #define SHA_Ch(x, y, z, ret) ( \ 2545 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2546 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2548 /* 2549 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2550 * ((x & (y | z)) | (y & z)) 2551 */ 2552 #define SHA_Maj(x, y, z, ret) ( \ 2553 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2554 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2555 #endif /* USE_MODIFIED_MACROS */ 2557 /* 2558 * Add "length" to the length. 2559 * Set Corrupted when overflow has occurred. 2560 */ 2561 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2562 #define SHA384_512AddLength(context, length) ( \ 2563 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2564 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2565 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2566 ((context)->Length[0] == 0)) ? shaInputTooLong : \ 2567 (context)->Corrupted ) 2569 /* Local Function Prototypes */ 2570 static int SHA384_512Reset(SHA512Context *context, 2571 uint32_t H0[SHA512HashSize/4]); 2572 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2573 static void SHA384_512Finalize(SHA512Context *context, 2574 uint8_t Pad_Byte); 2575 static void SHA384_512PadMessage(SHA512Context *context, 2576 uint8_t Pad_Byte); 2577 static int SHA384_512ResultN( SHA512Context *context, 2578 uint8_t Message_Digest[ ], int HashSize); 2580 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2581 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2582 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2583 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2584 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2585 0xBEFA4FA4 2586 }; 2588 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2589 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2590 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2591 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2592 0x137E2179 2593 }; 2595 #else /* !USE_32BIT_ONLY */ 2597 #include "sha-private.h" 2599 /* Define the SHA shift, rotate left and rotate right macro */ 2600 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2601 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2602 (((uint64_t)(word)) << (64-(bits)))) 2604 /* 2605 * Define the SHA SIGMA and sigma macros 2606 * 2607 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2608 */ 2609 #define SHA512_SIGMA0(word) \ 2610 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2611 #define SHA512_SIGMA1(word) \ 2612 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2613 #define SHA512_sigma0(word) \ 2614 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2615 #define SHA512_sigma1(word) \ 2616 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2618 /* 2619 * Add "length" to the length. 2620 * Set Corrupted when overflow has occurred. 2621 */ 2622 static uint64_t addTemp; 2623 #define SHA384_512AddLength(context, length) \ 2624 (addTemp = context->Length_Low, context->Corrupted = \ 2625 ((context->Length_Low += length) < addTemp) && \ 2626 (++context->Length_High == 0) ? shaInputTooLong : \ 2627 (context)->Corrupted) 2629 /* Local Function Prototypes */ 2630 static int SHA384_512Reset(SHA512Context *context, 2631 uint64_t H0[SHA512HashSize/8]); 2632 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2633 static void SHA384_512Finalize(SHA512Context *context, 2634 uint8_t Pad_Byte); 2635 static void SHA384_512PadMessage(SHA512Context *context, 2636 uint8_t Pad_Byte); 2637 static int SHA384_512ResultN(SHA512Context *context, 2638 uint8_t Message_Digest[ ], int HashSize); 2640 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2641 static uint64_t SHA384_H0[ ] = { 2642 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2643 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2644 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2645 }; 2646 static uint64_t SHA512_H0[ ] = { 2647 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2648 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2649 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2650 }; 2652 #endif /* USE_32BIT_ONLY */ 2654 /* 2655 * SHA384Reset 2656 * 2657 * Description: 2658 * This function will initialize the SHA384Context in preparation 2659 * for computing a new SHA384 message digest. 2660 * 2661 * Parameters: 2662 * context: [in/out] 2663 * The context to reset. 2664 * 2665 * Returns: 2666 * sha Error Code. 2667 * 2668 */ 2670 int SHA384Reset(SHA384Context *context) 2671 { 2672 return SHA384_512Reset(context, SHA384_H0); 2673 } 2675 /* 2676 * SHA384Input 2677 * 2678 * Description: 2679 * This function accepts an array of octets as the next portion 2680 * of the message. 2681 * 2682 * Parameters: 2683 * context: [in/out] 2684 * The SHA context to update 2685 * message_array[ ]: [in] 2686 * An array of octets representing the next portion of 2687 * the message. 2688 * length: [in] 2689 * The length of the message in message_array 2690 * 2691 * Returns: 2692 * sha Error Code. 2693 * 2694 */ 2695 int SHA384Input(SHA384Context *context, 2696 const uint8_t *message_array, unsigned int length) 2697 { 2698 return SHA512Input(context, message_array, length); 2699 } 2701 /* 2702 * SHA384FinalBits 2703 * 2704 * Description: 2705 * This function will add in any final bits of the message. 2706 * 2707 * Parameters: 2708 * context: [in/out] 2709 * The SHA context to update 2710 * message_bits: [in] 2711 * The final bits of the message, in the upper portion of the 2712 * byte. (Use 0b###00000 instead of 0b00000### to input the 2713 * three bits ###.) 2714 * length: [in] 2715 * The number of bits in message_bits, between 1 and 7. 2716 * 2717 * Returns: 2718 * sha Error Code. 2719 * 2720 */ 2721 int SHA384FinalBits(SHA384Context *context, 2722 uint8_t message_bits, unsigned int length) 2723 { 2724 return SHA512FinalBits(context, message_bits, length); 2725 } 2727 /* 2728 * SHA384Result 2729 * 2730 * Description: 2731 * This function will return the 384-bit message digest 2732 * into the Message_Digest array provided by the caller. 2733 * NOTE: 2734 * The first octet of hash is stored in the element with index 0, 2735 * the last octet of hash in the element with index 47. 2736 * 2737 * Parameters: 2738 * context: [in/out] 2739 * The context to use to calculate the SHA hash. 2740 * Message_Digest[ ]: [out] 2741 * Where the digest is returned. 2742 * 2743 * Returns: 2744 * sha Error Code. 2745 * 2746 */ 2747 int SHA384Result(SHA384Context *context, 2748 uint8_t Message_Digest[SHA384HashSize]) 2749 { 2750 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2751 } 2753 /* 2754 * SHA512Reset 2755 * 2756 * Description: 2757 * This function will initialize the SHA512Context in preparation 2758 * for computing a new SHA512 message digest. 2759 * 2760 * Parameters: 2761 * context: [in/out] 2762 * The context to reset. 2763 * 2764 * Returns: 2765 * sha Error Code. 2766 * 2767 */ 2768 int SHA512Reset(SHA512Context *context) 2769 { 2770 return SHA384_512Reset(context, SHA512_H0); 2771 } 2773 /* 2774 * SHA512Input 2775 * 2776 * Description: 2777 * This function accepts an array of octets as the next portion 2778 * of the message. 2779 * 2780 * Parameters: 2781 * context: [in/out] 2782 * The SHA context to update 2783 * message_array[ ]: [in] 2784 * An array of octets representing the next portion of 2785 * the message. 2786 * length: [in] 2787 * The length of the message in message_array 2788 * 2789 * Returns: 2790 * sha Error Code. 2791 * 2792 */ 2793 int SHA512Input(SHA512Context *context, 2794 const uint8_t *message_array, 2795 unsigned int length) 2796 { 2797 if (!context) return shaNull; 2798 if (!length) return shaSuccess; 2799 if (!message_array) return shaNull; 2800 if (context->Computed) return context->Corrupted = shaStateError; 2801 if (context->Corrupted) return context->Corrupted; 2803 while (length--) { 2804 context->Message_Block[context->Message_Block_Index++] = 2805 *message_array; 2807 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2808 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2809 SHA384_512ProcessMessageBlock(context); 2811 message_array++; 2812 } 2814 return context->Corrupted; 2815 } 2817 /* 2818 * SHA512FinalBits 2819 * 2820 * Description: 2821 * This function will add in any final bits of the message. 2822 * 2823 * Parameters: 2824 * context: [in/out] 2825 * The SHA context to update 2826 * message_bits: [in] 2827 * The final bits of the message, in the upper portion of the 2828 * byte. (Use 0b###00000 instead of 0b00000### to input the 2829 * three bits ###.) 2830 * length: [in] 2831 * The number of bits in message_bits, between 1 and 7. 2832 * 2833 * Returns: 2834 * sha Error Code. 2835 * 2836 */ 2837 int SHA512FinalBits(SHA512Context *context, 2838 uint8_t message_bits, unsigned int length) 2839 { 2840 static uint8_t masks[8] = { 2841 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2842 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2843 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2844 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2845 }; 2846 static uint8_t markbit[8] = { 2847 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2848 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2849 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2850 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2851 }; 2853 if (!context) return shaNull; 2854 if (!length) return shaSuccess; 2855 if (context->Corrupted) return context->Corrupted; 2856 if (context->Computed) return context->Corrupted = shaStateError; 2857 if (length >= 8) return context->Corrupted = shaBadParam; 2859 SHA384_512AddLength(context, length); 2860 SHA384_512Finalize(context, (uint8_t) 2861 ((message_bits & masks[length]) | markbit[length])); 2863 return context->Corrupted; 2864 } 2866 /* 2867 * SHA512Result 2868 * 2869 * Description: 2871 * This function will return the 512-bit message digest 2872 * into the Message_Digest array provided by the caller. 2873 * NOTE: 2874 * The first octet of hash is stored in the element with index 0, 2875 * the last octet of hash in the element with index 63. 2876 * 2877 * Parameters: 2878 * context: [in/out] 2879 * The context to use to calculate the SHA hash. 2880 * Message_Digest[ ]: [out] 2881 * Where the digest is returned. 2882 * 2883 * Returns: 2884 * sha Error Code. 2885 * 2886 */ 2887 int SHA512Result(SHA512Context *context, 2888 uint8_t Message_Digest[SHA512HashSize]) 2889 { 2890 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2891 } 2893 /* 2894 * SHA384_512Reset 2895 * 2896 * Description: 2897 * This helper function will initialize the SHA512Context in 2898 * preparation for computing a new SHA384 or SHA512 message 2899 * digest. 2900 * 2901 * Parameters: 2902 * context: [in/out] 2903 * The context to reset. 2904 * H0[ ]: [in] 2905 * The initial hash value array to use. 2906 * 2907 * Returns: 2908 * sha Error Code. 2909 * 2910 */ 2911 #ifdef USE_32BIT_ONLY 2912 static int SHA384_512Reset(SHA512Context *context, 2913 uint32_t H0[SHA512HashSize/4]) 2914 #else /* !USE_32BIT_ONLY */ 2915 static int SHA384_512Reset(SHA512Context *context, 2916 uint64_t H0[SHA512HashSize/8]) 2917 #endif /* USE_32BIT_ONLY */ 2918 { 2919 int i; 2920 if (!context) return shaNull; 2921 context->Message_Block_Index = 0; 2923 #ifdef USE_32BIT_ONLY 2924 context->Length[0] = context->Length[1] = 2925 context->Length[2] = context->Length[3] = 0; 2927 for (i = 0; i < SHA512HashSize/4; i++) 2928 context->Intermediate_Hash[i] = H0[i]; 2929 #else /* !USE_32BIT_ONLY */ 2930 context->Length_High = context->Length_Low = 0; 2932 for (i = 0; i < SHA512HashSize/8; i++) 2933 context->Intermediate_Hash[i] = H0[i]; 2934 #endif /* USE_32BIT_ONLY */ 2936 context->Computed = 0; 2937 context->Corrupted = shaSuccess; 2939 return shaSuccess; 2940 } 2942 /* 2943 * SHA384_512ProcessMessageBlock 2944 * 2945 * Description: 2946 * This helper function will process the next 1024 bits of the 2947 * message stored in the Message_Block array. 2948 * 2949 * Parameters: 2950 * context: [in/out] 2951 * The SHA context to update 2952 * 2953 * Returns: 2954 * Nothing. 2955 * 2956 * Comments: 2957 * Many of the variable names in this code, especially the 2958 * single character names, were used because those were the 2959 * names used in the Secure Hash Standard. 2960 * 2961 * 2962 */ 2963 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 2964 { 2965 #ifdef USE_32BIT_ONLY 2966 /* Constants defined in FIPS 180-3, section 4.2.3 */ 2967 static const uint32_t K[80*2] = { 2968 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 2969 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 2970 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 2971 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 2972 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 2973 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 2974 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 2975 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 2976 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 2977 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 2978 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 2979 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 2980 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 2981 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 2982 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 2983 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 2984 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 2985 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 2986 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 2987 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 2988 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 2989 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 2990 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 2991 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 2992 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 2993 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 2994 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 2995 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 2996 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 2997 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 2998 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 2999 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3000 }; 3001 int t, t2, t8; /* Loop counter */ 3002 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3003 temp3[2], temp4[2], temp5[2]; 3004 uint32_t W[2*80]; /* Word sequence */ 3005 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3006 E[2], F[2], G[2], H[2]; 3008 /* Initialize the first 16 words in the array W */ 3009 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3010 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3011 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3012 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3013 ((((uint32_t)context->Message_Block[t8 + 3]))); 3014 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3015 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3016 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3017 ((((uint32_t)context->Message_Block[t8 + 7]))); 3018 } 3020 for (t = 16; t < 80; t++, t2 += 2) { 3021 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3022 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3023 uint32_t *Wt2 = &W[t2-2*2]; 3024 uint32_t *Wt7 = &W[t2-7*2]; 3025 uint32_t *Wt15 = &W[t2-15*2]; 3026 uint32_t *Wt16 = &W[t2-16*2]; 3027 SHA512_sigma1(Wt2, temp1); 3028 SHA512_ADD(temp1, Wt7, temp2); 3029 SHA512_sigma0(Wt15, temp1); 3030 SHA512_ADD(temp1, Wt16, temp3); 3031 SHA512_ADD(temp2, temp3, &W[t2]); 3032 } 3034 A[0] = context->Intermediate_Hash[0]; 3035 A[1] = context->Intermediate_Hash[1]; 3036 B[0] = context->Intermediate_Hash[2]; 3037 B[1] = context->Intermediate_Hash[3]; 3038 C[0] = context->Intermediate_Hash[4]; 3039 C[1] = context->Intermediate_Hash[5]; 3040 D[0] = context->Intermediate_Hash[6]; 3041 D[1] = context->Intermediate_Hash[7]; 3042 E[0] = context->Intermediate_Hash[8]; 3043 E[1] = context->Intermediate_Hash[9]; 3044 F[0] = context->Intermediate_Hash[10]; 3045 F[1] = context->Intermediate_Hash[11]; 3046 G[0] = context->Intermediate_Hash[12]; 3047 G[1] = context->Intermediate_Hash[13]; 3048 H[0] = context->Intermediate_Hash[14]; 3049 H[1] = context->Intermediate_Hash[15]; 3051 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3052 /* 3053 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3054 */ 3055 SHA512_SIGMA1(E,temp1); 3056 SHA512_ADD(H, temp1, temp2); 3057 SHA_Ch(E,F,G,temp3); 3058 SHA512_ADD(temp2, temp3, temp4); 3059 SHA512_ADD(&K[t2], &W[t2], temp5); 3060 SHA512_ADD(temp4, temp5, temp1); 3061 /* 3062 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3063 */ 3064 SHA512_SIGMA0(A,temp3); 3065 SHA_Maj(A,B,C,temp4); 3066 SHA512_ADD(temp3, temp4, temp2); 3067 H[0] = G[0]; H[1] = G[1]; 3068 G[0] = F[0]; G[1] = F[1]; 3069 F[0] = E[0]; F[1] = E[1]; 3070 SHA512_ADD(D, temp1, E); 3071 D[0] = C[0]; D[1] = C[1]; 3072 C[0] = B[0]; C[1] = B[1]; 3073 B[0] = A[0]; B[1] = A[1]; 3074 SHA512_ADD(temp1, temp2, A); 3075 } 3077 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3078 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3079 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3080 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3081 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3082 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3083 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3084 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3086 #else /* !USE_32BIT_ONLY */ 3087 /* Constants defined in FIPS 180-3, section 4.2.3 */ 3088 static const uint64_t K[80] = { 3089 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3090 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3091 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3092 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3093 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3094 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3095 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3096 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3097 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3098 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3099 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3100 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3101 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3102 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3103 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3104 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3105 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3106 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3107 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3108 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3109 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3110 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3111 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3112 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3113 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3114 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3115 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3116 }; 3117 int t, t8; /* Loop counter */ 3118 uint64_t temp1, temp2; /* Temporary word value */ 3119 uint64_t W[80]; /* Word sequence */ 3120 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3121 /* 3122 * Initialize the first 16 words in the array W 3123 */ 3124 for (t = t8 = 0; t < 16; t++, t8 += 8) 3125 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3126 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3127 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3128 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3129 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3130 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3131 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3132 ((uint64_t)(context->Message_Block[t8 + 7])); 3134 for (t = 16; t < 80; t++) 3135 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3136 SHA512_sigma0(W[t-15]) + W[t-16]; 3138 A = context->Intermediate_Hash[0]; 3139 B = context->Intermediate_Hash[1]; 3140 C = context->Intermediate_Hash[2]; 3141 D = context->Intermediate_Hash[3]; 3142 E = context->Intermediate_Hash[4]; 3143 F = context->Intermediate_Hash[5]; 3144 G = context->Intermediate_Hash[6]; 3145 H = context->Intermediate_Hash[7]; 3147 for (t = 0; t < 80; t++) { 3148 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3149 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3150 H = G; 3151 G = F; 3152 F = E; 3153 E = D + temp1; 3154 D = C; 3155 C = B; 3156 B = A; 3157 A = temp1 + temp2; 3158 } 3160 context->Intermediate_Hash[0] += A; 3161 context->Intermediate_Hash[1] += B; 3162 context->Intermediate_Hash[2] += C; 3163 context->Intermediate_Hash[3] += D; 3164 context->Intermediate_Hash[4] += E; 3165 context->Intermediate_Hash[5] += F; 3166 context->Intermediate_Hash[6] += G; 3167 context->Intermediate_Hash[7] += H; 3168 #endif /* USE_32BIT_ONLY */ 3170 context->Message_Block_Index = 0; 3172 } 3174 /* 3175 * SHA384_512Finalize 3176 * 3177 * Description: 3178 * This helper function finishes off the digest calculations. 3179 * 3180 * Parameters: 3181 * context: [in/out] 3182 * The SHA context to update 3183 * Pad_Byte: [in] 3184 * The last byte to add to the message block before the 0-padding 3185 * and length. This will contain the last bits of the message 3186 * followed by another single bit. If the message was an 3187 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3188 * 3189 * Returns: 3190 * sha Error Code. 3191 * 3192 */ 3193 static void SHA384_512Finalize(SHA512Context *context, 3194 uint8_t Pad_Byte) 3195 { 3196 int_least16_t i; 3197 SHA384_512PadMessage(context, Pad_Byte); 3198 /* message may be sensitive, clear it out */ 3199 for (i = 0; i < SHA512_Message_Block_Size; ++i) 3200 context->Message_Block[i] = 0; 3201 #ifdef USE_32BIT_ONLY /* and clear length */ 3202 context->Length[0] = context->Length[1] = 0; 3203 context->Length[2] = context->Length[3] = 0; 3204 #else /* !USE_32BIT_ONLY */ 3205 context->Length_High = context->Length_Low = 0; 3206 #endif /* USE_32BIT_ONLY */ 3207 context->Computed = 1; 3208 } 3210 /* 3211 * SHA384_512PadMessage 3212 * 3213 * Description: 3214 * According to the standard, the message must be padded to the next 3215 * even multiple of 1024 bits. The first padding bit must be a '1'. 3216 * The last 128 bits represent the length of the original message. 3217 * All bits in between should be 0. This helper function will 3218 * pad the message according to those rules by filling the 3219 * Message_Block array accordingly. When it returns, it can be 3220 * assumed that the message digest has been computed. 3221 * 3222 * Parameters: 3223 * context: [in/out] 3224 * The context to pad 3225 * Pad_Byte: [in] 3226 * The last byte to add to the message block before the 0-padding 3227 * and length. This will contain the last bits of the message 3228 * followed by another single bit. If the message was an 3229 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3230 * 3231 * Returns: 3232 * Nothing. 3233 * 3234 */ 3235 static void SHA384_512PadMessage(SHA512Context *context, 3236 uint8_t Pad_Byte) 3237 { 3238 /* 3239 * Check to see if the current message block is too small to hold 3240 * the initial padding bits and length. If so, we will pad the 3241 * block, process it, and then continue padding into a second 3242 * block. 3243 */ 3244 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 3245 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3246 while (context->Message_Block_Index < SHA512_Message_Block_Size) 3247 context->Message_Block[context->Message_Block_Index++] = 0; 3249 SHA384_512ProcessMessageBlock(context); 3250 } else 3251 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3253 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 3254 context->Message_Block[context->Message_Block_Index++] = 0; 3256 /* 3257 * Store the message length as the last 16 octets 3258 */ 3259 #ifdef USE_32BIT_ONLY 3260 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 3261 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 3262 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 3263 context->Message_Block[115] = (uint8_t)(context->Length[0]); 3264 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 3265 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 3266 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 3267 context->Message_Block[119] = (uint8_t)(context->Length[1]); 3269 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 3270 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 3271 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 3272 context->Message_Block[123] = (uint8_t)(context->Length[2]); 3273 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 3274 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 3275 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3276 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3277 #else /* !USE_32BIT_ONLY */ 3278 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3279 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3280 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3281 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3282 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3283 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3284 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3285 context->Message_Block[119] = (uint8_t)(context->Length_High); 3287 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3288 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3289 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3290 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3291 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3292 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3293 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3294 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3295 #endif /* USE_32BIT_ONLY */ 3297 SHA384_512ProcessMessageBlock(context); 3298 } 3300 /* 3301 * SHA384_512ResultN 3302 * 3303 * Description: 3304 * This helper function will return the 384-bit or 512-bit message 3305 * digest into the Message_Digest array provided by the caller. 3306 * NOTE: 3307 * The first octet of hash is stored in the element with index 0, 3308 * the last octet of hash in the element with index 47/63. 3309 * 3310 * Parameters: 3311 * context: [in/out] 3312 * The context to use to calculate the SHA hash. 3313 * Message_Digest[ ]: [out] 3314 * Where the digest is returned. 3315 * HashSize: [in] 3316 * The size of the hash, either 48 or 64. 3317 * 3318 * Returns: 3319 * sha Error Code. 3320 * 3321 */ 3323 static int SHA384_512ResultN(SHA512Context *context, 3324 uint8_t Message_Digest[ ], int HashSize) 3325 { 3326 int i; 3327 #ifdef USE_32BIT_ONLY 3328 int i2; 3329 #endif /* USE_32BIT_ONLY */ 3331 if (!context) return shaNull; 3332 if (!Message_Digest) return shaNull; 3333 if (context->Corrupted) return context->Corrupted; 3335 if (!context->Computed) 3336 SHA384_512Finalize(context, 0x80); 3338 #ifdef USE_32BIT_ONLY 3339 for (i = i2 = 0; i < HashSize; ) { 3340 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3341 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3342 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3343 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3344 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3345 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3346 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3347 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3348 } 3349 #else /* !USE_32BIT_ONLY */ 3350 for (i = 0; i < HashSize; ++i) 3351 Message_Digest[i] = (uint8_t) 3352 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3353 #endif /* USE_32BIT_ONLY */ 3355 return shaSuccess; 3356 } 3358 8.2.4 usha.c 3360 /**************************** usha.c ***************************/ 3361 /***************** See RFC NNNN for details. *******************/ 3362 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3363 /* authors of the code. All rights reserved. */ 3364 /* See sha.h for terms of use and redistribution. */ 3366 /* 3367 * Description: 3368 * This file implements a unified interface to the SHA algorithms. 3369 */ 3371 #include "sha.h" 3373 /* 3374 * USHAReset 3375 * 3376 * Description: 3377 * This function will initialize the SHA Context in preparation 3378 * for computing a new SHA message digest. 3379 * 3380 * Parameters: 3381 * context: [in/out] 3382 * The context to reset. 3383 * whichSha: [in] 3384 * Selects which SHA reset to call 3385 * 3386 * Returns: 3387 * sha Error Code. 3388 * 3389 */ 3390 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3391 { 3392 if (!context) return shaNull; 3393 context->whichSha = whichSha; 3394 switch (whichSha) { 3395 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3396 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3397 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3398 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3399 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3400 default: return shaBadParam; 3401 } 3402 } 3404 /* 3405 * USHAInput 3406 * 3407 * Description: 3408 * This function accepts an array of octets as the next portion 3409 * of the message. 3410 * 3411 * Parameters: 3412 * context: [in/out] 3413 * The SHA context to update 3414 * message_array: [in] 3415 * An array of octets representing the next portion of 3416 * the message. 3417 * length: [in] 3418 * The length of the message in message_array 3419 * 3420 * Returns: 3422 * sha Error Code. 3423 * 3424 */ 3425 int USHAInput(USHAContext *context, 3426 const uint8_t *bytes, unsigned int bytecount) 3427 { 3428 if (!context) return shaNull; 3429 switch (context->whichSha) { 3430 case SHA1: 3431 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3432 bytecount); 3433 case SHA224: 3434 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3435 bytecount); 3436 case SHA256: 3437 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3438 bytecount); 3439 case SHA384: 3440 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3441 bytecount); 3442 case SHA512: 3443 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3444 bytecount); 3445 default: return shaBadParam; 3446 } 3447 } 3449 /* 3450 * USHAFinalBits 3451 * 3452 * Description: 3453 * This function will add in any final bits of the message. 3454 * 3455 * Parameters: 3456 * context: [in/out] 3457 * The SHA context to update 3458 * message_bits: [in] 3459 * The final bits of the message, in the upper portion of the 3460 * byte. (Use 0b###00000 instead of 0b00000### to input the 3461 * three bits ###.) 3462 * length: [in] 3463 * The number of bits in message_bits, between 1 and 7. 3464 * 3465 * Returns: 3466 * sha Error Code. 3467 */ 3468 int USHAFinalBits(USHAContext *context, 3469 uint8_t bits, unsigned int bit_count) 3470 { 3471 if (!context) return shaNull; 3472 switch (context->whichSha) { 3473 case SHA1: 3474 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3475 bit_count); 3476 case SHA224: 3477 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3478 bit_count); 3479 case SHA256: 3480 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3481 bit_count); 3482 case SHA384: 3483 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3484 bit_count); 3485 case SHA512: 3486 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3487 bit_count); 3488 default: return shaBadParam; 3489 } 3490 } 3492 /* 3493 * USHAResult 3494 * 3495 * Description: 3496 * This function will return the message digest of the appropriate 3497 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3498 * 'whichSHA' value used in the preceeding call to USHAReset, 3499 * into the Message_Digest array provided by the caller. 3500 * 3501 * Parameters: 3502 * context: [in/out] 3503 * The context to use to calculate the SHA-1 hash. 3504 * Message_Digest: [out] 3505 * Where the digest is returned. 3506 * 3507 * Returns: 3508 * sha Error Code. 3509 * 3510 */ 3511 int USHAResult(USHAContext *context, 3512 uint8_t Message_Digest[USHAMaxHashSize]) 3513 { 3514 if (!context) return shaNull; 3515 switch (context->whichSha) { 3516 case SHA1: 3517 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3518 case SHA224: 3519 return SHA224Result((SHA224Context*)&context->ctx, 3520 Message_Digest); 3521 case SHA256: 3523 return SHA256Result((SHA256Context*)&context->ctx, 3524 Message_Digest); 3525 case SHA384: 3526 return SHA384Result((SHA384Context*)&context->ctx, 3527 Message_Digest); 3528 case SHA512: 3529 return SHA512Result((SHA512Context*)&context->ctx, 3530 Message_Digest); 3531 default: return shaBadParam; 3532 } 3533 } 3535 /* 3536 * USHABlockSize 3537 * 3538 * Description: 3539 * This function will return the blocksize for the given SHA 3540 * algorithm. 3541 * 3542 * Parameters: 3543 * whichSha: 3544 * which SHA algorithm to query 3545 * 3546 * Returns: 3547 * block size 3548 * 3549 */ 3550 int USHABlockSize(enum SHAversion whichSha) 3551 { 3552 switch (whichSha) { 3553 case SHA1: return SHA1_Message_Block_Size; 3554 case SHA224: return SHA224_Message_Block_Size; 3555 case SHA256: return SHA256_Message_Block_Size; 3556 case SHA384: return SHA384_Message_Block_Size; 3557 default: 3558 case SHA512: return SHA512_Message_Block_Size; 3559 } 3560 } 3562 /* 3563 * USHAHashSize 3564 * 3565 * Description: 3566 * This function will return the hashsize for the given SHA 3567 * algorithm. 3568 * 3569 * Parameters: 3570 * whichSha: 3571 * which SHA algorithm to query 3572 * 3573 * Returns: 3574 * hash size 3575 * 3576 */ 3577 int USHAHashSize(enum SHAversion whichSha) 3578 { 3579 switch (whichSha) { 3580 case SHA1: return SHA1HashSize; 3581 case SHA224: return SHA224HashSize; 3582 case SHA256: return SHA256HashSize; 3583 case SHA384: return SHA384HashSize; 3584 default: 3585 case SHA512: return SHA512HashSize; 3586 } 3587 } 3589 /* 3590 * USHAHashSizeBits 3591 * 3592 * Description: 3593 * This function will return the hashsize for the given SHA 3594 * algorithm, expressed in bits. 3595 * 3596 * Parameters: 3597 * whichSha: 3598 * which SHA algorithm to query 3599 * 3600 * Returns: 3601 * hash size in bits 3602 * 3603 */ 3604 int USHAHashSizeBits(enum SHAversion whichSha) 3605 { 3606 switch (whichSha) { 3607 case SHA1: return SHA1HashSizeBits; 3608 case SHA224: return SHA224HashSizeBits; 3609 case SHA256: return SHA256HashSizeBits; 3610 case SHA384: return SHA384HashSizeBits; 3611 default: 3612 case SHA512: return SHA512HashSizeBits; 3613 } 3614 } 3616 /* 3617 * USHAHashName 3618 * 3619 * Description: 3620 * This function will return the name of the given SHA algorithm 3621 * as a string. 3622 * 3623 * Parameters: 3624 * whichSha: 3625 * which SHA algorithm to query 3626 * 3627 * Returns: 3628 * character string with the name in it 3629 * 3630 */ 3631 const char *USHAHashName(enum SHAversion whichSha) 3632 { 3633 switch (whichSha) { 3634 case SHA1: return "SHA1"; 3635 case SHA224: return "SHA224"; 3636 case SHA256: return "SHA256"; 3637 case SHA384: return "SHA384"; 3638 default: 3639 case SHA512: return "SHA512"; 3640 } 3641 } 3643 8.3 The HMAC Code 3645 /**************************** hmac.c ***************************/ 3646 /***************** See RFC NNNN for details. *******************/ 3647 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3648 /* authors of the code. All rights reserved. */ 3649 /* See sha.h for terms of use and redistribution. */ 3651 /* 3652 * Description: 3653 * This file implements the HMAC algorithm (Keyed-Hashing for 3654 * Message Authentication, [RFC 2104]), expressed in terms of 3655 * the various SHA algorithms. 3656 */ 3658 #include "sha.h" 3660 /* 3661 * hmac 3662 * 3663 * Description: 3664 * This function will compute an HMAC message digest. 3665 * 3666 * Parameters: 3667 * whichSha: [in] 3668 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3669 * message_array[ ]: [in] 3670 * An array of octets representing the message. 3672 * Note: in RFC 2104, this parameter is known 3673 * as 'text'. 3674 * length: [in] 3675 * The length of the message in message_array. 3676 * key[ ]: [in] 3677 * The secret shared key. 3678 * key_len: [in] 3679 * The length of the secret shared key. 3680 * digest[ ]: [out] 3681 * Where the digest is to be returned. 3682 * NOTE: The length of the digest is determined by 3683 * the value of whichSha. 3684 * 3685 * Returns: 3686 * sha Error Code. 3687 * 3688 */ 3689 int hmac(SHAversion whichSha, 3690 const unsigned char *message_array, int length, 3691 const unsigned char *key, int key_len, 3692 uint8_t digest[USHAMaxHashSize]) 3693 { 3694 HMACContext context; 3695 return hmacReset(&context, whichSha, key, key_len) || 3696 hmacInput(&context, message_array, length) || 3697 hmacResult(&context, digest); 3698 } 3700 /* 3701 * hmacReset 3702 * 3703 * Description: 3704 * This function will initialize the hmacContext in preparation 3705 * for computing a new HMAC message digest. 3706 * 3707 * Parameters: 3708 * context: [in/out] 3709 * The context to reset. 3710 * whichSha: [in] 3711 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3712 * key[ ]: [in] 3713 * The secret shared key. 3714 * key_len: [in] 3715 * The length of the secret shared key. 3716 * 3717 * Returns: 3718 * sha Error Code. 3719 * 3720 */ 3721 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3722 const unsigned char *key, int key_len) 3723 { 3724 int i, blocksize, hashsize, ret; 3726 /* inner padding - key XORd with ipad */ 3727 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3729 /* temporary buffer when keylen > blocksize */ 3730 unsigned char tempkey[USHAMaxHashSize]; 3732 if (!context) return shaNull; 3733 context->Computed = 0; 3734 context->Corrupted = shaSuccess; 3736 blocksize = context->blockSize = USHABlockSize(whichSha); 3737 hashsize = context->hashSize = USHAHashSize(whichSha); 3739 context->whichSha = whichSha; 3741 /* 3742 * If key is longer than the hash blocksize, 3743 * reset it to key = HASH(key). 3744 */ 3745 if (key_len > blocksize) { 3746 USHAContext tcontext; 3747 int err = USHAReset(&tcontext, whichSha) || 3748 USHAInput(&tcontext, key, key_len) || 3749 USHAResult(&tcontext, tempkey); 3750 if (err != shaSuccess) return err; 3752 key = tempkey; 3753 key_len = hashsize; 3754 } 3756 /* 3757 * The HMAC transform looks like: 3758 * 3759 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3760 * 3761 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3762 * ipad is the byte 0x36 repeated blocksize times, 3763 * opad is the byte 0x5c repeated blocksize times, 3764 * and text is the data being protected. 3765 */ 3767 /* store key into the pads, XOR'd with ipad and opad values */ 3768 for (i = 0; i < key_len; i++) { 3769 k_ipad[i] = key[i] ^ 0x36; 3770 context->k_opad[i] = key[i] ^ 0x5c; 3771 } 3772 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3773 for ( ; i < blocksize; i++) { 3774 k_ipad[i] = 0x36; 3775 context->k_opad[i] = 0x5c; 3776 } 3778 /* perform inner hash */ 3779 /* init context for 1st pass */ 3780 ret = USHAReset(&context->shaContext, whichSha) || 3781 /* and start with inner pad */ 3782 USHAInput(&context->shaContext, k_ipad, blocksize); 3783 return context->Corrupted = ret; 3784 } 3786 /* 3787 * hmacInput 3788 * 3789 * Description: 3790 * This function accepts an array of octets as the next portion 3791 * of the message. It may be called multiple times. 3792 * 3793 * Parameters: 3794 * context: [in/out] 3795 * The HMAC context to update 3796 * text[ ]: [in] 3797 * An array of octets representing the next portion of 3798 * the message. 3799 * text_len: [in] 3800 * The length of the message in text 3801 * 3802 * Returns: 3803 * sha Error Code. 3804 * 3805 */ 3806 int hmacInput(HMACContext *context, const unsigned char *text, 3807 int text_len) 3808 { 3809 if (!context) return shaNull; 3810 if (context->Corrupted) return context->Corrupted; 3811 if (context->Computed) return context->Corrupted = shaStateError; 3812 /* then text of datagram */ 3813 return context->Corrupted = 3814 USHAInput(&context->shaContext, text, text_len); 3815 } 3817 /* 3818 * hmacFinalBits 3819 * 3820 * Description: 3821 * This function will add in any final bits of the message. 3823 * 3824 * Parameters: 3825 * context: [in/out] 3826 * The HMAC context to update 3827 * message_bits: [in] 3828 * The final bits of the message, in the upper portion of the 3829 * byte. (Use 0b###00000 instead of 0b00000### to input the 3830 * three bits ###.) 3831 * length: [in] 3832 * The number of bits in message_bits, between 1 and 7. 3833 * 3834 * Returns: 3835 * sha Error Code. 3836 */ 3837 int hmacFinalBits(HMACContext *context, 3838 uint8_t bits, unsigned int bit_count) 3839 { 3840 if (!context) return shaNull; 3841 if (context->Corrupted) return context->Corrupted; 3842 if (context->Computed) return context->Corrupted = shaStateError; 3843 /* then final bits of datagram */ 3844 return context->Corrupted = 3845 USHAFinalBits(&context->shaContext, bits, bit_count); 3846 } 3848 /* 3849 * hmacResult 3850 * 3851 * Description: 3852 * This function will return the N-byte message digest into the 3853 * Message_Digest array provided by the caller. 3854 * 3855 * Parameters: 3856 * context: [in/out] 3857 * The context to use to calculate the HMAC hash. 3858 * digest[ ]: [out] 3859 * Where the digest is returned. 3860 * NOTE 2: The length of the hash is determined by the value of 3861 * whichSha that was passed to hmacReset(). 3862 * 3863 * Returns: 3864 * sha Error Code. 3865 * 3866 */ 3867 int hmacResult(HMACContext *context, uint8_t *digest) 3868 { 3869 int ret; 3870 if (!context) return shaNull; 3871 if (context->Corrupted) return context->Corrupted; 3872 if (context->Computed) return context->Corrupted = shaStateError; 3873 /* finish up 1st pass */ 3874 /* (Use digest here as a temporary buffer.) */ 3875 ret = 3876 USHAResult(&context->shaContext, digest) || 3878 /* perform outer SHA */ 3879 /* init context for 2nd pass */ 3880 USHAReset(&context->shaContext, context->whichSha) || 3882 /* start with outer pad */ 3883 USHAInput(&context->shaContext, context->k_opad, 3884 context->blockSize) || 3886 /* then results of 1st hash */ 3887 USHAInput(&context->shaContext, digest, context->hashSize) || 3889 /* finish up 2nd pass */ 3890 USHAResult(&context->shaContext, digest); 3892 context->Computed = 1; 3893 return context->Corrupted = ret; 3894 } 3896 8.4 The HKDF Code 3898 /**************************** hkdf.c ***************************/ 3899 /***************** See RFC NNNN for details. *******************/ 3900 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3901 /* authors of the code. All rights reserved. */ 3902 /* See sha.h for terms of use and redistribution. */ 3904 /* 3905 * Description: 3906 * This file implements the HKDF algorithm (HMAC-based 3907 * Extract-and-Expand Key Derivation Function, RFC 5869), 3908 * expressed in terms of the various SHA algorithms. 3909 */ 3911 #include "sha.h" 3912 #include 3913 #include 3915 /* 3916 * hkdf 3917 * 3918 * Description: 3919 * This function will generate keying material using HKDF. 3920 * 3921 * Parameters: 3922 * whichSha: [in] 3923 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3924 * salt[ ]: [in] 3925 * The optional salt value (a non-secret random value); 3926 * if not provided (salt == NULL), it is set internally 3927 * to a string of HashLen(whichSha) zeros. 3928 * salt_len: [in] 3929 * The length of the salt value. (Ignored if salt == NULL.) 3930 * ikm[ ]: [in] 3931 * Input keying material. 3932 * ikm_len: [in] 3933 * The length of the input keying material. 3934 * info[ ]: [in] 3935 * The optional context and application specific information. 3936 * If info == NULL or a zero-length string, it is ignored. 3937 * info_len: [in] 3938 * The length of the optional context and application specific 3939 * information. (Ignored if info == NULL.) 3940 * okm[ ]: [out] 3941 * Where the HKDF is to be stored. 3942 * okm_len: [in] 3943 * The length of the buffer to hold okm. 3944 * okm_len must be <= 255 * USHABlockSize(whichSha) 3945 * 3946 * Notes: 3947 * Calls hkdfExtract() and hkdfExpand(). 3948 * 3949 * Returns: 3950 * sha Error Code. 3951 * 3952 */ 3953 int hkdf(SHAversion whichSha, 3954 const unsigned char *salt, int salt_len, 3955 const unsigned char *ikm, int ikm_len, 3956 const unsigned char *info, int info_len, 3957 uint8_t okm[ ], int okm_len) 3958 { 3959 uint8_t prk[USHAMaxHashSize]; 3960 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 3961 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 3962 info_len, okm, okm_len); 3963 } 3965 /* 3966 * hkdfExtract 3967 * 3968 * Description: 3969 * This function will perform HKDF extraction. 3970 * 3971 * Parameters: 3972 * whichSha: [in] 3973 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3974 * salt[ ]: [in] 3975 * The optional salt value (a non-secret random value); 3976 * if not provided (salt == NULL), it is set internally 3977 * to a string of HashLen(whichSha) zeros. 3978 * salt_len: [in] 3979 * The length of the salt value. (Ignored if salt == NULL.) 3980 * ikm[ ]: [in] 3981 * Input keying material. 3982 * ikm_len: [in] 3983 * The length of the input keying material. 3984 * prk[ ]: [out] 3985 * Array where the HKDF extraction is to be stored. 3986 * Must be larger than USHAHashSize(whichSha); 3987 * 3988 * Returns: 3989 * sha Error Code. 3990 * 3991 */ 3992 int hkdfExtract(SHAversion whichSha, 3993 const unsigned char *salt, int salt_len, 3994 const unsigned char *ikm, int ikm_len, 3995 uint8_t prk[USHAMaxHashSize]) 3996 { 3997 unsigned char nullSalt[USHAMaxHashSize]; 3998 if (salt == 0) { 3999 salt = nullSalt; 4000 salt_len = USHAHashSize(whichSha); 4001 memset(nullSalt, '\0', salt_len); 4002 } else if (salt_len < 0) { 4003 return shaBadParam; 4004 } 4005 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4006 } 4008 /* 4009 * hkdfExpand 4010 * 4011 * Description: 4012 * This function will perform HKDF expansion. 4013 * 4014 * Parameters: 4015 * whichSha: [in] 4016 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4017 * prk[ ]: [in] 4018 * The pseudorandom key to be expanded; either obtained 4019 * directly from a cryptographically strong, uniformly 4020 * distributed pseudorandom number generator, or as the 4021 * output from hkdfExtract(). 4022 * prk_len: [in] 4023 * The length of the pseudorandom key in prk; 4024 * should at least be equal to USHAHashSize(whichSHA). 4025 * info[ ]: [in] 4026 * The optional context and application specific information. 4027 * If info == NULL or a zero-length string, it is ignored. 4028 * info_len: [in] 4029 * The length of the optional context and application specific 4030 * information. (Ignored if info == NULL.) 4031 * okm[ ]: [out] 4032 * Where the HKDF is to be stored. 4033 * okm_len: [in] 4034 * The length of the buffer to hold okm. 4035 * okm_len must be <= 255 * USHABlockSize(whichSha) 4036 * 4037 * Returns: 4038 * sha Error Code. 4039 * 4040 */ 4041 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4042 const unsigned char *info, int info_len, 4043 uint8_t okm[ ], int okm_len) 4044 { 4045 int hash_len, N; 4046 unsigned char T[USHAMaxHashSize]; 4047 int Tlen, where, i; 4049 if (info == 0) { 4050 info = (const unsigned char *)""; 4051 info_len = 0; 4052 } else if (info_len < 0) { 4053 return shaBadParam; 4054 } 4055 if (okm_len <= 0) return shaBadParam; 4056 if (!okm) return shaBadParam; 4058 hash_len = USHAHashSize(whichSha); 4059 if (prk_len < hash_len) return shaBadParam; 4060 N = okm_len / hash_len; 4061 if ((okm_len % hash_len) != 0) N++; 4062 if (N > 255) return shaBadParam; 4064 Tlen = 0; 4065 where = 0; 4066 for (i = 1; i <= N; i++) { 4067 HMACContext context; 4068 unsigned char c = i; 4069 int ret = hmacReset(&context, whichSha, prk, prk_len) || 4070 hmacInput(&context, T, Tlen) || 4071 hmacInput(&context, info, info_len) || 4072 hmacInput(&context, &c, 1) || 4073 hmacResult(&context, T); 4074 if (ret != shaSuccess) return ret; 4075 memcpy(okm + where, T, 4076 (i != N) ? hash_len : (okm_len - where)); 4077 where += hash_len; 4078 Tlen = hash_len; 4079 } 4080 return shaSuccess; 4081 } 4083 /* 4084 * hkdfReset 4085 * 4086 * Description: 4087 * This function will initialize the hkdfContext in preparation 4088 * for key derivation using the modular HKDF interface for 4089 * arbitrary length inputs. 4090 * 4091 * Parameters: 4092 * context: [in/out] 4093 * The context to reset. 4094 * whichSha: [in] 4095 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4096 * salt[ ]: [in] 4097 * The optional salt value (a non-secret random value); 4098 * if not provided (salt == NULL), it is set internally 4099 * to a string of HashLen(whichSha) zeros. 4100 * salt_len: [in] 4101 * The length of the salt value. (Ignored if salt == NULL.) 4102 * 4103 * Returns: 4104 * sha Error Code. 4105 * 4106 */ 4107 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4108 const unsigned char *salt, int salt_len) 4109 { 4110 unsigned char nullSalt[USHAMaxHashSize]; 4111 if (!context) return shaNull; 4113 context->whichSha = whichSha; 4114 context->hashSize = USHAHashSize(whichSha); 4115 if (salt == 0) { 4116 salt = nullSalt; 4117 salt_len = context->hashSize; 4118 memset(nullSalt, '\0', salt_len); 4119 } 4120 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4121 } 4123 /* 4124 * hkdfInput 4125 * 4126 * Description: 4127 * This function accepts an array of octets as the next portion 4128 * of the input keying material. It may be called multiple times. 4129 * 4130 * Parameters: 4131 * context: [in/out] 4132 * The HKDF context to update. 4133 * ikm[ ]: [in] 4134 * An array of octets representing the next portion of 4135 * the input keying material. 4136 * ikm_len: [in] 4137 * The length of ikm. 4138 * 4139 * Returns: 4140 * sha Error Code. 4141 * 4142 */ 4143 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4144 int ikm_len) 4145 { 4146 if (!context) return shaNull; 4147 if (context->Corrupted) return context->Corrupted; 4148 if (context->Computed) return context->Corrupted = shaStateError; 4149 return hmacInput(&context->hmacContext, ikm, ikm_len); 4150 } 4152 /* 4153 * hkdfFinalBits 4154 * 4155 * Description: 4156 * This function will add in any final bits of the 4157 * input keying material. 4158 * 4159 * Parameters: 4160 * context: [in/out] 4161 * The HKDF context to update 4162 * ikm_bits: [in] 4163 * The final bits of the input keying material, in the upper 4164 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4165 * to input the three bits ###.) 4166 * ikm_bit_count: [in] 4167 * The number of bits in message_bits, between 1 and 7. 4168 * 4169 * Returns: 4171 * sha Error Code. 4172 */ 4173 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4174 unsigned int ikm_bit_count) 4175 { 4176 if (!context) return shaNull; 4177 if (context->Corrupted) return context->Corrupted; 4178 if (context->Computed) return context->Corrupted = shaStateError; 4179 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4180 } 4182 /* 4183 * hkdfResult 4184 * 4185 * Description: 4186 * This function will finish the HKDF extraction and perform the 4187 * final HKDF expansion. 4188 * 4189 * Parameters: 4190 * context: [in/out] 4191 * The HKDF context to use to calculate the HKDF hash. 4192 * prk[ ]: [out] 4193 * An optional location to store the HKDF extraction. 4194 * Either NULL, or pointer to a buffer that must be 4195 * larger than USHAHashSize(whichSha); 4196 * info[ ]: [in] 4197 * The optional context and application specific information. 4198 * If info == NULL or a zero-length string, it is ignored. 4199 * info_len: [in] 4200 * The length of the optional context and application specific 4201 * information. (Ignored if info == NULL.) 4202 * okm[ ]: [out] 4203 * Where the HKDF is to be stored. 4204 * okm_len: [in] 4205 * The length of the buffer to hold okm. 4206 * okm_len must be <= 255 * USHABlockSize(whichSha) 4207 * 4208 * Returns: 4209 * sha Error Code. 4210 * 4211 */ 4212 int hkdfResult(HKDFContext *context, 4213 uint8_t prk[USHAMaxHashSize], 4214 const unsigned char *info, int info_len, 4215 uint8_t okm[ ], int okm_len) 4216 { 4217 uint8_t prkbuf[USHAMaxHashSize]; 4218 int ret; 4220 if (!context) return shaNull; 4221 if (context->Corrupted) return context->Corrupted; 4222 if (context->Computed) return context->Corrupted = shaStateError; 4223 if (!okm) return context->Corrupted = shaBadParam; 4224 if (!prk) prk = prkbuf; 4226 ret = hmacResult(&context->hmacContext, prk) || 4227 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4228 info_len, okm, okm_len); 4229 context->Computed = 1; 4230 return context->Corrupted = ret; 4231 } 4233 8.5 The Test Driver 4235 The following code is a main program test driver to exercise the code 4236 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4237 driver can also be used as a standalone program for generating the 4238 hashes. 4240 See also [SHAVS]. 4242 /************************** shatest.c **************************/ 4243 /***************** See RFC NNNN for details. *******************/ 4244 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4245 /* authors of the code. All rights reserved. */ 4246 /* See sha.h for terms of use and redistribution. */ 4248 /* 4249 * Description: 4250 * This file will exercise the SHA code performing 4251 * the three tests documented in FIPS PUB 180-3 4252 * (http://csrc.nist.gov/publications/fips/ 4253 * fips180-2/fips180-2withchangenotice.pdf) 4254 * one that calls SHAInput with an exact multiple of 512 bits 4255 * the seven tests documented for each algorithm in 4256 * "The Secure Hash Algorithm Validation System (SHAVS)" 4257 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4258 * three of which are bit-level tests 4259 * 4260 * These tests have subsequently been moved to pages linked from 4261 * http://csrc.nist.gov/groups/ST/toolkit/examples.html 4262 * 4263 * This file will exercise the HMAC SHA1 code performing 4264 * the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. 4265 * 4266 * This file will exercise the HKDF code performing 4267 * the seven tests documented in RFC 4869. 4268 * 4269 * To run the tests and just see PASSED/FAILED, use the -p option. 4270 * 4271 * Other options exercise: 4272 * hashing an arbitrary string 4273 * hashing a file's contents 4274 * a few error test checks 4275 * printing the results in raw format 4276 * 4277 * Portability Issues: 4278 * None. 4279 * 4280 */ 4282 #include 4283 #include 4284 #include 4285 #include 4286 #include 4287 #include /* defines getopt() and optarg */ 4288 #include "sha.h" 4290 static int scasecmp(const char *s1, const char *s2); 4292 /* 4293 * Define patterns for testing 4294 */ 4295 #define TEST1 "abc" 4296 #define TEST2_1 \ 4297 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4298 #define TEST2_2a \ 4299 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4300 #define TEST2_2b \ 4301 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4302 #define TEST2_2 TEST2_2a TEST2_2b 4303 #define TEST3 "a" /* times 1000000 */ 4304 #define TEST4a "01234567012345670123456701234567" 4305 #define TEST4b "01234567012345670123456701234567" 4306 /* an exact multiple of 512 bits */ 4307 #define TEST4 TEST4a TEST4b /* times 10 */ 4309 #define TEST7_1 \ 4310 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4311 #define TEST8_1 \ 4312 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4313 #define TEST9_1 \ 4314 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4315 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4316 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4317 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4318 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4320 #define TEST10_1 \ 4321 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4322 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4323 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4324 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4325 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4326 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4327 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4328 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4329 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4330 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4331 "\xcd\xbb\xfb" 4332 #define TEST7_224 \ 4333 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4334 #define TEST8_224 \ 4335 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4336 #define TEST9_224 \ 4337 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4338 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4339 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4340 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4341 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4342 #define TEST10_224 \ 4343 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4344 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4345 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4346 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4347 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4348 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4349 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4350 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4351 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4352 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4353 "\x87\x82\x73" 4354 #define TEST7_256 \ 4355 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4356 #define TEST8_256 \ 4357 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4358 #define TEST9_256 \ 4359 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4360 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4361 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4362 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4363 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4364 #define TEST10_256 \ 4365 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4366 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4367 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4368 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4369 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4370 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4371 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4372 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4373 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4374 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4375 "\x3d\x54\xd6" 4376 #define TEST7_384 \ 4377 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4378 #define TEST8_384 \ 4379 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4380 #define TEST9_384 \ 4381 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4382 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4383 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4384 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4385 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4386 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4387 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4388 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4389 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4390 #define TEST10_384 \ 4391 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4392 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4393 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4394 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4395 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4396 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4397 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4398 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4399 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4400 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4401 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4402 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4403 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4404 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4405 "\x7e\xd0\x96" 4406 #define TEST7_512 \ 4407 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4408 #define TEST8_512 \ 4409 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4410 #define TEST9_512 \ 4411 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4412 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4413 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4414 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4415 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4416 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4417 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4418 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4419 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4421 #define TEST10_512 \ 4422 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4423 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4424 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4425 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4426 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4427 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4428 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4429 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4430 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4431 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4432 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4433 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4434 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4435 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4436 "\xfb\x40\xd2" 4437 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4438 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4439 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4440 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4441 "\x27" 4442 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4443 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4444 "\x27\x9c\x1c\xb0\xa7" 4445 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4446 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4447 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4448 "\xa4\x84\xbe\x74\x53" 4449 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4450 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4451 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4452 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4453 "\x4b\x12\x27\x20\x39" 4455 #define TESTCOUNT 10 4456 #define HASHCOUNT 5 4457 #define RANDOMCOUNT 4 4458 #define HMACTESTCOUNT 7 4459 #define HKDFTESTCOUNT 7 4461 #define PRINTNONE 0 4462 #define PRINTTEXT 1 4463 #define PRINTRAW 2 4464 #define PRINTHEX 3 4465 #define PRINTBASE64 4 4467 #define PRINTPASSFAIL 1 4468 #define PRINTFAIL 2 4470 #define length(x) (sizeof(x)-1) 4471 /* Test arrays for hashes. */ 4472 struct hash { 4473 const char *name; 4474 SHAversion whichSha; 4475 int hashsize; 4476 struct { 4477 const char *testarray; 4478 int length; 4479 long repeatcount; 4480 int extrabits; 4481 int numberExtrabits; 4482 const char *resultarray; 4483 } tests[TESTCOUNT]; 4484 const char *randomtest; 4485 const char *randomresults[RANDOMCOUNT]; 4486 } hashes[HASHCOUNT] = { 4487 { "SHA1", SHA1, SHA1HashSize, 4488 { 4489 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4490 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4491 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4492 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4493 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4494 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4495 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4496 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4497 /* 5 */ { "", 0, 0, 0x98, 5, 4498 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4499 /* 6 */ { "\x5e", 1, 1, 0, 0, 4500 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4501 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4502 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4503 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4504 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4505 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4506 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4507 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4508 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4509 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4510 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4511 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4512 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4513 } }, 4514 { "SHA224", SHA224, SHA224HashSize, 4515 { 4516 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4517 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4518 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4519 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4520 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4521 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4522 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4523 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4524 /* 5 */ { "", 0, 0, 0x68, 5, 4525 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4526 /* 6 */ { "\x07", 1, 1, 0, 0, 4527 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4528 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4529 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4530 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4531 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4532 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4533 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4534 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4535 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4536 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4537 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4538 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4539 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4540 "709563FB916227FED598EB621F" 4541 } }, 4542 { "SHA256", SHA256, SHA256HashSize, 4543 { 4544 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4545 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4546 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4547 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4548 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4549 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4550 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4551 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4552 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4553 "09DB45E7823EB5079CE7A573A3760F95" }, 4554 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4555 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4556 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4557 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4558 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4559 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4560 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4561 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4562 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4563 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4564 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4565 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4566 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4567 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4568 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4569 } }, 4570 { "SHA384", SHA384, SHA384HashSize, 4571 { 4572 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4573 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4574 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4575 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4576 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4577 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4578 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4579 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4580 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4581 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4582 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4583 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4584 /* 5 */ { "", 0, 0, 0x10, 5, 4585 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4586 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4587 /* 6 */ { "\xb9", 1, 1, 0, 0, 4588 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4589 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4590 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4591 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4592 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4593 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4594 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4595 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4596 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4597 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4598 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4599 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4600 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4601 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4602 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4603 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4604 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4605 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4606 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4607 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4608 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4609 } }, 4610 { "SHA512", SHA512, SHA512HashSize, 4611 { 4612 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4613 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4614 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4615 "454D4423643CE80E2A9AC94FA54CA49F" }, 4616 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4617 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4618 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4619 "C7D329EEB6DD26545E96E55B874BE909" }, 4620 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4621 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4622 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4623 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4624 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4625 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4626 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4627 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4628 /* 5 */ { "", 0, 0, 0xB0, 5, 4629 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4630 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4631 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4632 /* 6 */ { "\xD0", 1, 1, 0, 0, 4633 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4634 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4635 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4636 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4637 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4638 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4639 "7359B43E64F8BEC3C1F237119986BBB6" }, 4640 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4641 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4642 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4643 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4644 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4645 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4646 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4647 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4648 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4649 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4650 "C1A16A270D48719377966B957A878E720584779A62825C18" 4651 "DA26415E49A7176A894E7510FD1451F5" } 4652 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4653 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4654 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4655 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4656 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4657 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4658 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4659 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4660 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4661 } 4662 } 4663 }; 4665 /* Test arrays for HMAC. */ 4666 struct hmachash { 4667 const char *keyarray[5]; 4668 int keylength[5]; 4669 const char *dataarray[5]; 4670 int datalength[5]; 4671 const char *resultarray[5]; 4672 int resultlength[5]; 4673 } hmachashes[HMACTESTCOUNT] = { 4674 { /* 1 */ { 4675 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4676 "\x0b\x0b\x0b\x0b\x0b" 4677 }, { 20 }, { 4678 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4679 }, { 8 }, { 4680 /* HMAC-SHA-1 */ 4681 "B617318655057264E28BC0B6FB378C8EF146BE00", 4682 /* HMAC-SHA-224 */ 4683 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4684 /* HMAC-SHA-256 */ 4685 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4686 "CFF7", 4687 /* HMAC-SHA-384 */ 4688 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4689 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4690 /* HMAC-SHA-512 */ 4691 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4692 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4693 "3A126854" 4694 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4695 SHA384HashSize, SHA512HashSize } 4696 }, 4697 { /* 2 */ { 4698 "\x4a\x65\x66\x65" /* "Jefe" */ 4699 }, { 4 }, { 4700 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4701 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4702 /* "what do ya want for nothing?" */ 4703 }, { 28 }, { 4704 /* HMAC-SHA-1 */ 4705 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4706 /* HMAC-SHA-224 */ 4707 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4708 /* HMAC-SHA-256 */ 4709 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4710 "3843", 4711 /* HMAC-SHA-384 */ 4712 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4713 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4714 /* HMAC-SHA-512 */ 4715 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4716 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4717 "38BCE737" 4718 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4719 SHA384HashSize, SHA512HashSize } 4720 }, 4721 { /* 3 */ 4722 { 4723 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4724 "\xaa\xaa\xaa\xaa\xaa" 4725 }, { 20 }, { 4726 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4727 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4728 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4729 "\xdd\xdd\xdd\xdd\xdd" 4730 }, { 50 }, { 4731 /* HMAC-SHA-1 */ 4732 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4733 /* HMAC-SHA-224 */ 4734 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4735 /* HMAC-SHA-256 */ 4736 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4737 "65FE", 4738 /* HMAC-SHA-384 */ 4739 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4740 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4741 /* HMAC-SHA-512 */ 4742 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4743 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4744 "E13292FB" 4745 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4746 SHA384HashSize, SHA512HashSize } 4747 }, 4748 { /* 4 */ { 4749 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4750 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4751 }, { 25 }, { 4752 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4753 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4754 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4755 "\xcd\xcd\xcd\xcd\xcd" 4756 }, { 50 }, { 4757 /* HMAC-SHA-1 */ 4758 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4759 /* HMAC-SHA-224 */ 4760 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4761 /* HMAC-SHA-256 */ 4762 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4763 "665B", 4764 /* HMAC-SHA-384 */ 4765 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4766 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4767 /* HMAC-SHA-512 */ 4768 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4769 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4770 "10A298DD" 4772 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4773 SHA384HashSize, SHA512HashSize } 4774 }, 4775 { /* 5 */ { 4776 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4777 "\x0c\x0c\x0c\x0c\x0c" 4778 }, { 20 }, { 4779 "Test With Truncation" 4780 }, { 20 }, { 4781 /* HMAC-SHA-1 */ 4782 "4C1A03424B55E07FE7F27BE1", 4783 /* HMAC-SHA-224 */ 4784 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4785 /* HMAC-SHA-256 */ 4786 "A3B6167473100EE06E0C796C2955552B", 4787 /* HMAC-SHA-384 */ 4788 "3ABF34C3503B2A23A46EFC619BAEF897", 4789 /* HMAC-SHA-512 */ 4790 "415FAD6271580A531D4179BC891D87A6" 4791 }, { 12, 16, 16, 16, 16 } 4792 }, 4793 { /* 6 */ { 4794 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4795 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4796 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4797 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4798 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4799 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4800 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4801 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4802 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4803 }, { 80, 131 }, { 4804 "Test Using Larger Than Block-Size Key - Hash Key First" 4805 }, { 54 }, { 4806 /* HMAC-SHA-1 */ 4807 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4808 /* HMAC-SHA-224 */ 4809 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4810 /* HMAC-SHA-256 */ 4811 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4812 "7F54", 4813 /* HMAC-SHA-384 */ 4814 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4815 "C4C60C2EF6AB4030FE8296248DF163F44952", 4816 /* HMAC-SHA-512 */ 4817 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4818 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4819 "5D786598" 4820 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4821 SHA384HashSize, SHA512HashSize } 4823 }, 4824 { /* 7 */ { 4825 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4826 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4827 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4828 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4829 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4830 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4831 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4832 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4833 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4834 }, { 80, 131 }, { 4835 "Test Using Larger Than Block-Size Key and " 4836 "Larger Than One Block-Size Data", 4837 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4838 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4839 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4840 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4841 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4842 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4843 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4844 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4845 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4846 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4847 "\x6d\x2e" 4848 /* "This is a test using a larger than block-size key and a " 4849 "larger than block-size data. The key needs to be hashed " 4850 "before being used by the HMAC algorithm." */ 4851 }, { 73, 152 }, { 4852 /* HMAC-SHA-1 */ 4853 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4854 /* HMAC-SHA-224 */ 4855 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4856 /* HMAC-SHA-256 */ 4857 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4858 "35E2", 4859 /* HMAC-SHA-384 */ 4860 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4861 "99C5A678CC31E799176D3860E6110C46523E", 4862 /* HMAC-SHA-512 */ 4863 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4864 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4865 "FA8C6A58" 4866 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4867 SHA384HashSize, SHA512HashSize } 4868 } 4869 }; 4871 /* Test arrays for HKDF. */ 4872 struct hkdfhash { 4873 SHAversion whichSha; 4874 int ikmlength; 4875 const char *ikmarray; 4876 int saltlength; 4877 const char *saltarray; 4878 int infolength; 4879 const char *infoarray; 4880 int prklength; 4881 const char *prkarray; 4882 int okmlength; 4883 const char *okmarray; 4884 } hkdfhashes[HKDFTESTCOUNT] = { 4885 { /* RFC 5869 A.1. Test Case 1 */ 4886 SHA256, 4887 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4888 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4889 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4890 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4891 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4892 "D7C2B3E5", 4893 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4894 "ECC4C5BF34007208D5B887185865" 4895 }, 4896 { /* RFC 5869 A.2. Test Case 2 */ 4897 SHA256, 4898 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4899 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4900 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4901 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4902 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4903 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4904 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4905 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4906 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4907 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4908 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4909 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4910 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4911 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4912 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4913 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4914 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4915 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4916 32, "06A6B88C5853361A06104C9CEB35B45C" 4917 "EF760014904671014A193F40C15FC244", 4918 82, "B11E398DC80327A1C8E7F78C596A4934" 4919 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4920 "59045A99CAC7827271CB41C65E590E09" 4921 "DA3275600C2F09B8367793A9ACA3DB71" 4922 "CC30C58179EC3E87C14C01D5C1F3434F" 4923 "1D87" 4924 }, 4925 { /* RFC 5869 A.3. Test Case 3 */ 4926 SHA256, 4927 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4928 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4929 0, "", 4930 0, "", 4931 32, "19EF24A32C717B167F33A91D6F648BDF" 4932 "96596776AFDB6377AC434C1C293CCB04", 4933 42, "8DA4E775A563C18F715F802A063C5A31" 4934 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4935 "9D201395FAA4B61A96C8" 4936 }, 4937 { /* RFC 5869 A.4. Test Case 4 */ 4938 SHA1, 4939 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4940 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4941 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4942 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4943 42, "085A01EA1B10F36933068B56EFA5AD81" 4944 "A4F14B822F5B091568A9CDD4F155FDA2" 4945 "C22E422478D305F3F896" 4946 }, 4947 { /* RFC 5869 A.5. Test Case 5 */ 4948 SHA1, 4949 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4950 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4951 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4952 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4953 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4954 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4955 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 4956 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 4957 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4958 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 4959 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 4960 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 4961 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 4962 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 4963 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 4964 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 4965 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 4966 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 4967 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 4968 82, "0BD770A74D1160F7C9F12CD5912A06EB" 4969 "FF6ADCAE899D92191FE4305673BA2FFE" 4970 "8FA3F1A4E5AD79F3F334B3B202B2173C" 4971 "486EA37CE3D397ED034C7F9DFEB15C5E" 4972 "927336D0441F4C4300E2CFF0D0900B52" 4973 "D3B4" 4974 }, 4975 { /* RFC 5869 A.6. Test Case 6 */ 4976 SHA1, 4977 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4978 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4979 0, "", 4980 0, "", 4981 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 4982 42, "0AC1AF7002B3D761D1E55298DA9D0506" 4983 "B9AE52057220A306E07B6B87E8DF21D0" 4984 "EA00033DE03984D34918" 4985 }, 4986 { /* RFC 5869 A.7. Test Case 7. */ 4987 SHA1, 4988 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4989 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 4990 0, 0, 4991 0, "", 4992 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 4993 42, "2C91117204D745F3500D636A62F64F0A" 4994 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 4995 "673A081D70CCE7ACFC48" 4996 } 4997 }; 4999 /* 5000 * Check the hash value against the expected string, expressed in hex 5001 */ 5002 static const char hexdigits[ ] = "0123456789ABCDEF"; 5003 int checkmatch(const unsigned char *hashvalue, 5004 const char *hexstr, int hashsize) 5005 { 5006 int i; 5007 for (i = 0; i < hashsize; ++i) { 5008 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5009 return 0; 5010 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5011 } 5012 return 1; 5013 } 5015 /* 5016 * Print the string, converting non-printable characters to "." 5017 */ 5018 void printstr(const char *str, int len) 5019 { 5020 for ( ; len-- > 0; str++) 5021 putchar(isprint((unsigned char)*str) ? *str : '.'); 5022 } 5023 /* 5024 * Print the string, converting all characters to hex "## ". 5025 */ 5026 void printxstr(const char *str, int len) 5027 { 5028 char *sep = ""; 5029 for ( ; len-- > 0; str++) { 5030 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5031 hexdigits[*str & 0xF]); 5032 sep = " "; 5033 } 5034 } 5036 /* 5037 * Print a usage message. 5038 */ 5039 void usage(const char *argv0) 5040 { 5041 fprintf(stderr, 5042 "Usage:\n" 5043 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5044 "Hash a string:\n" 5045 "\t%s [-S expectedresult] -s hashstr [-k key] " 5046 "[-i info -L okm-len]\n" 5047 "Hash a file:\n" 5048 "\t%s [-S expectedresult] -f file [-k key] " 5049 "[-i info -L okm-len]\n" 5050 "Hash a file, ignoring whitespace:\n" 5051 "\t%s [-S expectedresult] -F file [-k key] " 5052 "[-i info -L okm-len]\n" 5053 "Additional bits to add in: [-B bitcount -b bits]\n" 5054 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5055 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5056 " Otherwise, run SHA###.)\n" 5057 "Standard tests:\n" 5058 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5059 "\t\t[-r randomseed] [-R randomloop-count] " 5060 "[-p] [-P|-X]\n" 5061 "-h\thash to test: " 5062 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5063 "-m\tperform hmac standard tests\n" 5064 "-k\tkey for hmac test\n" 5065 "-d\tperform hkdf standard tests\n" 5066 "-t\ttest case to run, 1-10\n" 5067 "-l\thow many times to run the test\n" 5068 "-e\ttest error returns\n" 5069 "-p\tdo not print results\n" 5070 "-P\tdo not print PASSED/FAILED\n" 5071 "-X\tprint FAILED, but not PASSED\n" 5072 "-r\tseed for random test\n" 5073 "-R\thow many times to run random test\n" 5074 "-s\tstring to hash\n" 5075 "-S\texpected result of hashed string, in hex\n" 5076 "-w\toutput hash in raw format\n" 5077 "-x\toutput hash in hex format\n" 5078 "-6\toutput hash in base64 format\n" 5079 "-B\t# extra bits to add in after string or file input\n" 5080 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5081 "-H\tinput hashstr or randomseed is in hex\n" 5082 , argv0, argv0, argv0, argv0); 5083 exit(1); 5084 } 5086 /* 5087 * Print the results and PASS/FAIL. 5088 */ 5089 void printResult(uint8_t *Message_Digest, int hashsize, 5090 const char *hashname, const char *testtype, const char *testname, 5091 const char *resultarray, int printResults, int printPassFail) 5092 { 5093 int i, k; 5094 if (printResults == PRINTTEXT) { 5095 printf("\nhashsize=%d\n", hashsize); 5096 putchar('\t'); 5097 for (i = 0; i < hashsize; ++i) { 5098 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5099 putchar(hexdigits[Message_Digest[i] & 0xF]); 5100 putchar(' '); 5101 } 5102 putchar('\n'); 5103 } else if (printResults == PRINTRAW) { 5104 fwrite(Message_Digest, 1, hashsize, stdout); 5105 } else if (printResults == PRINTHEX) { 5106 for (i = 0; i < hashsize; ++i) { 5107 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5108 putchar(hexdigits[Message_Digest[i] & 0xF]); 5109 } 5110 putchar('\n'); 5111 } else if (printResults == PRINTBASE64) { 5112 unsigned char b; 5113 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5114 "0123456789+/"; 5115 for (i = 0; i < hashsize; i += 3) { 5116 putchar(sm[Message_Digest[i] >> 2]); 5117 b = (Message_Digest[i] & 0x03) << 4; 5118 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5119 putchar(sm[b]); 5120 if (i+1 < hashsize) { 5121 b = (Message_Digest[i+1] & 0x0f) << 2; 5122 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5123 putchar(sm[b]); 5124 } else putchar('='); 5125 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5126 else putchar('='); 5127 } 5128 putchar('\n'); 5129 } 5131 if (printResults && resultarray) { 5132 printf(" Should match:\n\t"); 5133 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5134 putchar(resultarray[k]); 5135 putchar(resultarray[k+1]); 5136 putchar(' '); 5137 } 5138 putchar('\n'); 5139 } 5141 if (printPassFail && resultarray) { 5142 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5143 if ((printPassFail == PRINTPASSFAIL) || !ret) 5144 printf("%s %s %s: %s\n", hashname, testtype, testname, 5145 ret ? "PASSED" : "FAILED"); 5146 } 5147 } 5149 /* 5150 * Exercise a hash series of functions. The input is the testarray, 5151 * repeated repeatcount times, followed by the extrabits. If the 5152 * result is known, it is in resultarray in uppercase hex. 5153 */ 5154 int hash(int testno, int loopno, int hashno, 5155 const char *testarray, int length, long repeatcount, 5156 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5157 int keylen, const unsigned char *info, int infolen, int okmlen, 5158 const char *resultarray, int hashsize, int printResults, 5159 int printPassFail) 5160 { 5161 USHAContext sha; 5162 HMACContext hmac; 5163 HKDFContext hkdf; 5164 int err, i; 5165 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5166 uint8_t *Message_Digest = Message_Digest_Buf; 5167 char buf[20]; 5169 if (printResults == PRINTTEXT) { 5170 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5171 loopno, repeatcount); 5172 printstr(testarray, length); 5173 printf("'\n\t'"); 5174 printxstr(testarray, length); 5175 printf("'\n"); 5176 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5177 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5178 } 5180 if (info) Message_Digest = malloc(okmlen); 5181 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5182 memset(&hmac, '\343', sizeof(hmac)); 5183 memset(&hkdf, '\343', sizeof(hkdf)); 5184 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5185 keyarray, keylen) : 5186 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5187 keyarray, keylen) : 5188 USHAReset(&sha, hashes[hashno].whichSha); 5189 if (err != shaSuccess) { 5190 fprintf(stderr, "hash(): %sReset Error %d.\n", 5191 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5192 return err; 5193 } 5195 for (i = 0; i < repeatcount; ++i) { 5196 err = info ? hkdfInput(&hkdf, (const uint8_t *)testarray, length) : 5197 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5198 length) : 5199 USHAInput(&sha, (const uint8_t *) testarray, 5200 length); 5201 if (err != shaSuccess) { 5202 fprintf(stderr, "hash(): %sInput Error %d.\n", 5203 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5204 return err; 5205 } 5206 } 5208 if (numberExtrabits > 0) { 5209 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5210 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5211 numberExtrabits) : 5212 USHAFinalBits(&sha, (uint8_t) extrabits, 5213 numberExtrabits); 5214 if (err != shaSuccess) { 5215 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5216 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5217 return err; 5218 } 5219 } 5221 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5222 Message_Digest, okmlen) : 5224 keyarray ? hmacResult(&hmac, Message_Digest) : 5225 USHAResult(&sha, Message_Digest); 5226 if (err != shaSuccess) { 5227 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5228 "message digest.\n", 5229 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5230 return err; 5231 } 5233 sprintf(buf, "%d", testno+1); 5234 printResult(Message_Digest, info ? okmlen : hashsize, 5235 hashes[hashno].name, info ? "hkdf standard test" : 5236 keyarray ? "hmac standard test" : "sha standard test", buf, 5237 resultarray, printResults, printPassFail); 5239 return err; 5240 } 5242 /* 5243 * Exercise an HKDF series. The input is the testarray, 5244 * repeated repeatcount times, followed by the extrabits. If the 5245 * result is known, it is in resultarray in uppercase hex. 5246 */ 5247 int hashHkdf(int testno, int loopno, int hashno, 5248 int printResults, int printPassFail) 5249 { 5250 int err; 5251 unsigned char prk[USHAMaxHashSize+1]; 5252 uint8_t okm[255 * USHAMaxHashSize+1]; 5253 char buf[20]; 5255 if (printResults == PRINTTEXT) { 5256 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5257 printxstr(hkdfhashes[testno].saltarray, 5258 hkdfhashes[testno].saltlength); 5259 printf("'\n\tIKM\t'"); 5260 printxstr(hkdfhashes[testno].ikmarray, 5261 hkdfhashes[testno].ikmlength); 5262 printf("'\n\tINFO\t'"); 5263 printxstr(hkdfhashes[testno].infoarray, 5264 hkdfhashes[testno].infolength); 5265 printf("'\n"); 5266 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5267 } 5269 /* Run hkdf() against the test vectors */ 5270 err = hkdf(hkdfhashes[testno].whichSha, 5271 (const uint8_t *) hkdfhashes[testno].saltarray, 5272 hkdfhashes[testno].saltlength, 5273 (const uint8_t *) hkdfhashes[testno].ikmarray, 5274 hkdfhashes[testno].ikmlength, 5275 (const uint8_t *) hkdfhashes[testno].infoarray, 5276 hkdfhashes[testno].infolength, okm, 5277 hkdfhashes[testno].okmlength); 5278 if (err != shaSuccess) { 5279 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5280 return err; 5281 } 5282 sprintf(buf, "hkdf %d", testno+1); 5283 printResult(okm, hkdfhashes[testno].okmlength, 5284 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5285 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5287 /* Now run hkdfExtract() by itself against the test vectors */ 5288 /* to verify the intermediate results. */ 5289 err = hkdfExtract(hkdfhashes[testno].whichSha, 5290 (const uint8_t *) hkdfhashes[testno].saltarray, 5291 hkdfhashes[testno].saltlength, 5292 (const uint8_t *) hkdfhashes[testno].ikmarray, 5293 hkdfhashes[testno].ikmlength, prk); 5294 if (err != shaSuccess) { 5295 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5296 return err; 5297 } 5298 sprintf(buf, "hkdfExtract %d", testno+1); 5299 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5300 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5301 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5303 /* Now run hkdfExpand() by itself against the test vectors */ 5304 /* using the intermediate results from hkdfExtract. */ 5305 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5306 USHAHashSize(hkdfhashes[testno].whichSha), 5307 (const uint8_t *)hkdfhashes[testno].infoarray, 5308 hkdfhashes[testno].infolength, okm, hkdfhashes[testno].okmlength); 5309 if (err != shaSuccess) { 5310 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5311 return err; 5312 } 5313 sprintf(buf, "hkdfExpand %d", testno+1); 5314 printResult(okm, hkdfhashes[testno].okmlength, 5315 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5316 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5318 return err; 5319 } 5321 /* 5322 * Exercise a hash series of functions. The input is a filename. 5323 * If the result is known, it is in resultarray in uppercase hex. 5325 */ 5326 int hashfile(int hashno, const char *hashfilename, int bits, 5327 int bitcount, int skipSpaces, const unsigned char *keyarray, 5328 int keylen, const unsigned char *info, int infolen, int okmlen, 5329 const char *resultarray, int hashsize, 5330 int printResults, int printPassFail) 5331 { 5332 USHAContext sha; 5333 HMACContext hmac; 5334 HKDFContext hkdf; 5335 int err, nread, c; 5336 unsigned char buf[4096]; 5337 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5338 uint8_t *Message_Digest = Message_Digest_Buf; 5339 unsigned char cc; 5340 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5341 fopen(hashfilename, "r"); 5343 if (!hashfp) { 5344 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5345 return shaStateError; 5346 } 5348 if (info) Message_Digest = malloc(okmlen); 5349 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5350 memset(&hmac, '\343', sizeof(hmac)); 5351 memset(&hkdf, '\343', sizeof(hkdf)); 5352 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5353 keyarray, keylen) : 5354 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5355 keyarray, keylen) : 5356 USHAReset(&sha, hashes[hashno].whichSha); 5357 if (err != shaSuccess) { 5358 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5359 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5360 return err; 5361 } 5363 if (skipSpaces) 5364 while ((c = getc(hashfp)) != EOF) { 5365 if (!isspace(c)) { 5366 cc = (unsigned char)c; 5367 err = info ? hkdfInput(&hkdf, &cc, 1) : 5368 keyarray ? hmacInput(&hmac, &cc, 1) : 5369 USHAInput(&sha, &cc, 1); 5370 if (err != shaSuccess) { 5371 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5372 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5373 if (hashfp != stdin) fclose(hashfp); 5374 return err; 5376 } 5377 } 5378 } 5379 else 5380 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5381 err = info ? hkdfInput(&hkdf, buf, nread) : 5382 keyarray ? hmacInput(&hmac, buf, nread) : 5383 USHAInput(&sha, buf, nread); 5384 if (err != shaSuccess) { 5385 fprintf(stderr, "hashfile(): %s Error %d.\n", 5386 info ? "hkdf" : keyarray ? "hmacInput" : 5387 "shaInput", err); 5388 if (hashfp != stdin) fclose(hashfp); 5389 return err; 5390 } 5391 } 5393 if (bitcount > 0) 5394 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5395 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5396 USHAFinalBits(&sha, bits, bitcount); 5397 if (err != shaSuccess) { 5398 fprintf(stderr, "hashfile(): %s Error %d.\n", 5399 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5400 "shaFinalBits", err); 5401 if (hashfp != stdin) fclose(hashfp); 5402 return err; 5403 } 5405 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5406 Message_Digest, okmlen) : 5407 keyarray ? hmacResult(&hmac, Message_Digest) : 5408 USHAResult(&sha, Message_Digest); 5409 if (err != shaSuccess) { 5410 fprintf(stderr, "hashfile(): %s Error %d.\n", 5411 info ? "hkdf" : keyarray ? "hmacResult" : 5412 "shaResult", err); 5413 if (hashfp != stdin) fclose(hashfp); 5414 return err; 5415 } 5417 printResult(Message_Digest, info ? okmlen : hashsize, 5418 hashes[hashno].name, "file", hashfilename, resultarray, 5419 printResults, printPassFail); 5421 if (hashfp != stdin) fclose(hashfp); 5422 if (info) free(Message_Digest); 5423 return err; 5424 } 5425 /* 5426 * Exercise a hash series of functions through multiple permutations. 5427 * The input is an initial seed. That seed is replicated 3 times. 5428 * For 1000 rounds, the previous three results are used as the input. 5429 * This result is then checked, and used to seed the next cycle. 5430 * If the result is known, it is in resultarrays in uppercase hex. 5431 */ 5432 void randomtest(int hashno, const char *seed, int hashsize, 5433 const char **resultarrays, int randomcount, 5434 int printResults, int printPassFail) 5435 { 5436 int i, j; char buf[20]; 5437 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5439 /* INPUT: Seed - A random seed n bits long */ 5440 memcpy(SEED, seed, hashsize); 5441 if (printResults == PRINTTEXT) { 5442 printf("%s random test seed= '", hashes[hashno].name); 5443 printxstr(seed, hashsize); 5444 printf("'\n"); 5445 } 5447 for (j = 0; j < randomcount; j++) { 5448 /* MD0 = MD1 = MD2 = Seed; */ 5449 memcpy(MD[0], SEED, hashsize); 5450 memcpy(MD[1], SEED, hashsize); 5451 memcpy(MD[2], SEED, hashsize); 5452 for (i=3; i<1003; i++) { 5453 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5454 USHAContext Mi; 5455 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5456 USHAReset(&Mi, hashes[hashno].whichSha); 5457 USHAInput(&Mi, MD[i-3], hashsize); 5458 USHAInput(&Mi, MD[i-2], hashsize); 5459 USHAInput(&Mi, MD[i-1], hashsize); 5460 /* MDi = SHA(Mi); */ 5461 USHAResult(&Mi, MD[i]); 5462 } 5464 /* MDj = Seed = MDi; */ 5465 memcpy(SEED, MD[i-1], hashsize); 5467 /* OUTPUT: MDj */ 5468 sprintf(buf, "%d", j); 5469 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5470 buf, resultarrays ? resultarrays[j] : 0, printResults, 5471 (j < RANDOMCOUNT) ? printPassFail : 0); 5472 } 5473 } 5474 /* 5475 * Look up a hash name. 5476 */ 5477 int findhash(const char *argv0, const char *opt) 5478 { 5479 int i; 5480 const char *names[HASHCOUNT][2] = { 5481 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5482 { "3", "sha384" }, { "4", "sha512" } 5483 }; 5485 for (i = 0; i < HASHCOUNT; i++) 5486 if ((strcmp(opt, names[i][0]) == 0) || 5487 (scasecmp(opt, names[i][1]) == 0)) 5488 return i; 5490 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5491 usage(argv0); 5492 return 0; 5493 } 5495 /* 5496 * Run some tests that should invoke errors. 5497 */ 5498 void testErrors(int hashnolow, int hashnohigh, int printResults, 5499 int printPassFail) 5500 { 5501 USHAContext usha; 5502 uint8_t Message_Digest[USHAMaxHashSize]; 5503 int hashno, err; 5505 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5506 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5507 USHAReset(&usha, hashno); 5508 USHAResult(&usha, Message_Digest); 5509 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5510 if (printResults == PRINTTEXT) 5511 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5512 if ((printPassFail == PRINTPASSFAIL) || 5513 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5514 printf("%s se: %s\n", hashes[hashno].name, 5515 (err == shaStateError) ? "PASSED" : "FAILED"); 5517 err = USHAFinalBits(&usha, 0x80, 3); 5518 if (printResults == PRINTTEXT) 5519 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5520 if ((printPassFail == PRINTPASSFAIL) || 5521 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5522 printf("%s se: %s\n", hashes[hashno].name, 5523 (err == shaStateError) ? "PASSED" : "FAILED"); 5525 err = USHAReset(0, hashes[hashno].whichSha); 5526 if (printResults == PRINTTEXT) 5527 printf("\nError %d. Should be %d.\n", err, shaNull); 5528 if ((printPassFail == PRINTPASSFAIL) || 5529 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5530 printf("%s usha null: %s\n", hashes[hashno].name, 5531 (err == shaNull) ? "PASSED" : "FAILED"); 5533 switch (hashno) { 5534 case SHA1: err = SHA1Reset(0); break; 5535 case SHA224: err = SHA224Reset(0); break; 5536 case SHA256: err = SHA256Reset(0); break; 5537 case SHA384: err = SHA384Reset(0); break; 5538 case SHA512: err = SHA512Reset(0); break; 5539 } 5540 if (printResults == PRINTTEXT) 5541 printf("\nError %d. Should be %d.\n", err, shaNull); 5542 if ((printPassFail == PRINTPASSFAIL) || 5543 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5544 printf("%s sha null: %s\n", hashes[hashno].name, 5545 (err == shaNull) ? "PASSED" : "FAILED"); 5546 } 5547 } 5549 /* replace a hex string in place with its value */ 5550 int unhexStr(char *hexstr) 5551 { 5552 char *o = hexstr; 5553 int len = 0, nibble1 = 0, nibble2 = 0; 5554 if (!hexstr) return 0; 5555 for ( ; *hexstr; hexstr++) { 5556 if (isalpha((int)(unsigned char)(*hexstr))) { 5557 nibble1 = tolower(*hexstr) - 'a' + 10; 5558 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5559 nibble1 = *hexstr - '0'; 5560 } else { 5561 printf("\nError: bad hex character '%c'\n", *hexstr); 5562 } 5563 if (!*++hexstr) break; 5564 if (isalpha((int)(unsigned char)(*hexstr))) { 5565 nibble2 = tolower(*hexstr) - 'a' + 10; 5566 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5567 nibble2 = *hexstr - '0'; 5568 } else { 5569 printf("\nError: bad hex character '%c'\n", *hexstr); 5570 } 5571 *o++ = (char)((nibble1 << 4) | nibble2); 5572 len++; 5573 } 5574 return len; 5576 } 5578 int main(int argc, char **argv) 5579 { 5580 int i, err; 5581 int loopno, loopnohigh = 1; 5582 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5583 int testno, testnolow = 0, testnohigh; 5584 int ntestnohigh = 0; 5585 int printResults = PRINTTEXT; 5586 int printPassFail = 1; 5587 int checkErrors = 0; 5588 char *hashstr = 0; 5589 int hashlen = 0; 5590 const char *resultstr = 0; 5591 char *randomseedstr = 0; 5592 int runHmacTests = 0; 5593 int runHkdfTests = 0; 5594 char *hmacKey = 0; 5595 int hmaclen = 0; 5596 char *info = 0; 5597 int infolen = 0, okmlen = 0; 5598 int randomcount = RANDOMCOUNT; 5599 const char *hashfilename = 0; 5600 const char *hashFilename = 0; 5601 int extrabits = 0, numberExtrabits = 0; 5602 int strIsHex = 0; 5604 while ((i = getopt(argc, argv, 5605 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5606 switch (i) { 5607 case 'b': extrabits = strtol(optarg, 0, 0); break; 5608 case 'B': numberExtrabits = atoi(optarg); break; 5609 case 'd': runHkdfTests = 1; break; 5610 case 'e': checkErrors = 1; break; 5611 case 'f': hashfilename = optarg; break; 5612 case 'F': hashFilename = optarg; break; 5613 case 'h': hashnolow = hashnohigh = findhash(argv[0], optarg); 5614 break; 5615 case 'H': strIsHex = 1; break; 5616 case 'i': info = optarg; infolen = strlen(optarg); break; 5617 case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break; 5618 case 'l': loopnohigh = atoi(optarg); break; 5619 case 'L': okmlen = strtol(optarg, 0, 0); break; 5620 case 'm': runHmacTests = 1; break; 5621 case 'P': printPassFail = 0; break; 5622 case 'p': printResults = PRINTNONE; break; 5623 case 'R': randomcount = atoi(optarg); break; 5624 case 'r': randomseedstr = optarg; break; 5625 case 's': hashstr = optarg; hashlen = strlen(hashstr); break; 5626 case 'S': resultstr = optarg; break; 5627 case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break; 5628 case 'w': printResults = PRINTRAW; break; 5629 case 'x': printResults = PRINTHEX; break; 5630 case 'X': printPassFail = 2; break; 5631 case '6': printResults = PRINTBASE64; break; 5632 default: usage(argv[0]); 5633 } 5635 if (strIsHex) { 5636 hashlen = unhexStr(hashstr); 5637 unhexStr(randomseedstr); 5638 hmaclen = unhexStr(hmacKey); 5639 infolen = unhexStr(info); 5640 } 5641 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5642 runHmacTests ? (HMACTESTCOUNT-1) : 5643 runHkdfTests ? (HKDFTESTCOUNT-1) : 5644 (TESTCOUNT-1); 5645 if ((testnolow < 0) || 5646 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5647 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5648 (hashstr && (testnolow == testnohigh)) || 5649 (randomcount < 0) || 5650 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5651 ((runHmacTests || hmacKey) && randomseedstr) || 5652 (hashfilename && hashFilename) || 5653 (info && ((infolen <= 0) || (okmlen <= 0))) || 5654 (info && !hmacKey)) 5655 usage(argv[0]); 5657 /* 5658 * Perform SHA/HMAC tests 5659 */ 5660 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5661 if (printResults == PRINTTEXT) 5662 printf("Hash %s\n", hashes[hashno].name); 5663 err = shaSuccess; 5665 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5666 ++loopno) { 5667 if (hashstr) 5668 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5669 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5670 hmaclen, (const uint8_t *) info, infolen, okmlen, resultstr, 5671 hashes[hashno].hashsize, printResults, printPassFail); 5673 else if (randomseedstr) 5674 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5675 randomcount, printResults, printPassFail); 5677 else if (hashfilename) 5678 err = hashfile(hashno, hashfilename, extrabits, 5679 numberExtrabits, 0, 5680 (const unsigned char *)hmacKey, hmaclen, 5681 (const uint8_t *) info, infolen, okmlen, 5682 resultstr, hashes[hashno].hashsize, 5683 printResults, printPassFail); 5685 else if (hashFilename) 5686 err = hashfile(hashno, hashFilename, extrabits, 5687 numberExtrabits, 1, 5688 (const unsigned char *)hmacKey, hmaclen, 5689 (const uint8_t *) info, infolen, okmlen, 5690 resultstr, hashes[hashno].hashsize, 5691 printResults, printPassFail); 5693 else /* standard tests */ { 5694 for (testno = testnolow; 5695 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5696 if (runHmacTests) { 5697 err = hash(testno, loopno, hashno, 5698 hmachashes[testno].dataarray[hashno] ? 5699 hmachashes[testno].dataarray[hashno] : 5700 hmachashes[testno].dataarray[1] ? 5701 hmachashes[testno].dataarray[1] : 5702 hmachashes[testno].dataarray[0], 5703 hmachashes[testno].datalength[hashno] ? 5704 hmachashes[testno].datalength[hashno] : 5705 hmachashes[testno].datalength[1] ? 5706 hmachashes[testno].datalength[1] : 5707 hmachashes[testno].datalength[0], 5708 1, 0, 0, 5709 (const unsigned char *)( 5710 hmachashes[testno].keyarray[hashno] ? 5711 hmachashes[testno].keyarray[hashno] : 5712 hmachashes[testno].keyarray[1] ? 5713 hmachashes[testno].keyarray[1] : 5714 hmachashes[testno].keyarray[0]), 5715 hmachashes[testno].keylength[hashno] ? 5716 hmachashes[testno].keylength[hashno] : 5717 hmachashes[testno].keylength[1] ? 5718 hmachashes[testno].keylength[1] : 5719 hmachashes[testno].keylength[0], 5720 0, 0, 0, 5721 hmachashes[testno].resultarray[hashno], 5722 hmachashes[testno].resultlength[hashno], 5723 printResults, printPassFail); 5724 } else if (runHkdfTests) { 5725 err = hashHkdf(testno, loopno, hashno, 5726 printResults, printPassFail); 5728 } else { /* sha tests */ 5729 err = hash(testno, loopno, hashno, 5730 hashes[hashno].tests[testno].testarray, 5731 hashes[hashno].tests[testno].length, 5732 hashes[hashno].tests[testno].repeatcount, 5733 hashes[hashno].tests[testno].numberExtrabits, 5734 hashes[hashno].tests[testno].extrabits, 5735 0, 0, 0, 0, 0, 5736 hashes[hashno].tests[testno].resultarray, 5737 hashes[hashno].hashsize, 5738 printResults, printPassFail); 5739 } 5740 } 5741 if (!runHmacTests && !runHkdfTests) { 5742 randomtest(hashno, hashes[hashno].randomtest, 5743 hashes[hashno].hashsize, hashes[hashno].randomresults, 5744 RANDOMCOUNT, printResults, printPassFail); 5745 } 5746 } 5747 } 5748 } 5750 /* Test some error returns */ 5751 if (checkErrors) { 5752 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5753 } 5755 return 0; 5756 } 5758 /* 5759 * Compare two strings, case independently. 5760 * Equivalent to strcasecmp() found on some systems. 5761 */ 5762 int scasecmp(const char *s1, const char *s2) 5763 { 5764 for (;;) { 5765 char u1 = tolower(*s1++); 5766 char u2 = tolower(*s2++); 5767 if (u1 != u2) 5768 return u1 - u2; 5769 if (u1 == '\0') 5770 return 0; 5771 } 5772 } 5773 9. IANA Considerations 5775 This document requires no IANA Actions. The RFC Editor should delete 5776 this section before publication. 5778 10. Security Considerations 5780 This document is intended to provide convenient open source access by 5781 the Internet community to the United States of America Federal 5782 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5783 180-2], HMACs based thereon, and HKDF. No independent assertion of 5784 the security of these functions by the authors for any particular use 5785 is intended. 5787 11. Acknowledgements 5789 Thanks for the corrections to [RFC4634] that were provided by Alfred 5790 Hoenes and Jan Andres and to Alfred's comments on the drafts hereof. 5792 12. References 5794 Normative and Informative References appear below. 5796 12.1 Normative References 5798 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5799 Hashing for Message Authentication", RFC 2104, February 1997. 5801 [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5802 Expand Key Derivation Function (HKDF)", RFC 5869, May 2010. 5804 [SHS] - "Secure Hash Standard", United States of American, National 5805 Institute of Science and Technology, Federal Information 5806 Processing Standard (FIPS) 180-3, 5807 http://csrc.nist.gov/publications/fips/fips180- 5808 3/fips180-3_final.pdf. 5810 12.2 Informative References 5812 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5813 (SHA1)", September 2001. 5815 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5816 September 2004. 5818 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5819 Algorithms and Identifiers for RSA Cryptography for use in the 5820 Internet X.509 Public Key Infrastructure Certificate and 5821 Certificate Revocation List (CRL) Profile", RFC 4055, June 5822 2005. 5824 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5825 Requirements for Security", May 2005. 5827 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5828 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5830 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5831 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5833 Appendix: Changes from RFC 4634 5835 The following changes were made to RFC 4634 to produce this document: 5837 1. Add code for HKDF and brief text about HKDF with pointer to 5838 [RFC5869]. 5840 2. Fix numerous errata filed against [RFC4634] as below. Note that in 5841 no case did the old code return an incorrect hash value. 5843 2.a Correct some of the error return values which has erroneously 5844 been "shaNull" to the correct "shaInputTooLong" error. 5846 2.b Update comments and variable names within the code for 5847 consistency and clarity and other editorial changes. 5849 2.c The previous code for SHA-384 and SHA-512 would stop after 5850 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5851 bytes (2^128 bits). 5853 2.d Add additional error checking. 5855 3. Update boilerplate, remove special license in [RFC4634] as new 5856 boilerplate mandates simplified BSD license. 5858 4. Replace MIT version of getopt with new code to satisfy IETF 5859 incoming and outgoing license restrictions. 5861 5. Other assorted editorial improvements. 5863 Appendix Z: RFC Editor Note, Edit History 5865 RFC Editor Note: All occurrences of "RFC NNNN" should be edited to 5866 replace "NNNN" with this documents RFC number. 5868 RFC Editor: Please delete this Appendix Z on publication. 5870 Z.1 Changes from -00 to -01 5872 Add hash function OIDs and informational reference to [RFC4055]. A 5873 few Editorial changes and typo fixes. 5875 Z.2 Changes from -01 to -02 5877 In shatest.c, replace MIT getopt (xgetopt) code with new code to 5878 avoid possible conflict between MIT license and IETF required BSD 5879 license. 5881 Z.3 Changes from -02 to -03 5883 Problem with MIT getopt is given incompletely in -01 to -02 changes. 5884 Actual problem includes conflict with IETF incoming license 5885 restriction. Also, add this change to Appendix giving changes from 5886 RFC 4634. Update to incorporate RFC number for the HKDF RFC. 5887 Numerous editorial changes. 5889 Z.4 Changes from -03 to -04 5891 Fix typos and nits. 5893 Z.5 Changes from -04 to -05 5895 Resolve AD Review comments: Re-order some Abstract and Introduction 5896 material. Make the RFC Editor notes more prominent. 5898 Author's Address 5900 Donald E. Eastlake, 3rd 5901 Huawei 5902 155 Beaver Street 5903 Milford, MA 01757 USA 5905 Telephone: +1-508-333-2270 5906 EMail: d3e3e3@gmail.com 5908 Tony Hansen 5909 AT&T Laboratories 5910 200 Laurel Ave. 5911 Middletown, NJ 07748 USA 5913 Telephone: +1-732-420-8934 5914 EMail: tony+shs@maillennium.att.com 5916 Copyright, Disclaimer, and Additional IPR Provisions 5918 Copyright (c) 2010 IETF Trust and the persons identified as the 5919 document authors. All rights reserved. 5921 This document is subject to BCP 78 and the IETF Trust's Legal 5922 Provisions Relating to IETF Documents 5923 (http://trustee.ietf.org/license-info) in effect on the date of 5924 publication of this document. Please review these documents 5925 carefully, as they describe your rights and restrictions with respect 5926 to this document. Code Components extracted from this document must 5927 include Simplified BSD License text as described in Section 4.e of 5928 the Trust Legal Provisions and are provided without warranty as 5929 described in the BSD License. This Internet-Draft is submitted to 5930 IETF in full conformance with the provisions of BCP 78 and BCP 79.