idnits 2.17.00 (12 Aug 2021) /tmp/idnits37260/draft-eastlake-sha2b-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3174, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 752 has weird spacing: '...izeBits numbe...' (Using the creation date from RFC3174, updated by this document, for RFC5378 checks: 2001-03-30) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 16, 2011) is 4142 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'USHAMaxHashSize' is mentioned on line 5538, but not defined -- Looks like a reference, but probably isn't: '4' on line 3198 == Missing Reference: 'SHA1HashSize' is mentioned on line 1564, but not defined == Missing Reference: 'SHA224HashSize' is mentioned on line 1952, but not defined == Missing Reference: 'SHA256HashSize' is mentioned on line 2088, but not defined == Missing Reference: 'SHA384HashSize' is mentioned on line 2779, but not defined == Missing Reference: 'SHA512HashSize' is mentioned on line 2920, but not defined -- Looks like a reference, but probably isn't: '0' on line 5758 -- Looks like a reference, but probably isn't: '1' on line 5757 -- Looks like a reference, but probably isn't: '2' on line 5517 -- Looks like a reference, but probably isn't: '3' on line 3310 -- Looks like a reference, but probably isn't: '8' on line 3114 -- Looks like a reference, but probably isn't: '80' on line 3152 -- Looks like a reference, but probably isn't: '56' on line 2296 -- Looks like a reference, but probably isn't: '57' on line 2297 -- Looks like a reference, but probably isn't: '58' on line 2298 -- Looks like a reference, but probably isn't: '59' on line 2299 -- Looks like a reference, but probably isn't: '60' on line 2300 -- Looks like a reference, but probably isn't: '61' on line 2301 -- Looks like a reference, but probably isn't: '62' on line 2302 -- Looks like a reference, but probably isn't: '63' on line 2303 -- Looks like a reference, but probably isn't: '5' on line 4707 -- Looks like a reference, but probably isn't: '6' on line 3200 -- Looks like a reference, but probably isn't: '7' on line 3201 -- Looks like a reference, but probably isn't: '64' on line 2169 -- Looks like a reference, but probably isn't: '9' on line 3076 -- Looks like a reference, but probably isn't: '10' on line 3115 -- Looks like a reference, but probably isn't: '11' on line 3078 -- Looks like a reference, but probably isn't: '12' on line 3116 -- Looks like a reference, but probably isn't: '13' on line 3080 -- Looks like a reference, but probably isn't: '14' on line 3117 -- Looks like a reference, but probably isn't: '15' on line 3082 -- Looks like a reference, but probably isn't: '112' on line 3312 -- Looks like a reference, but probably isn't: '113' on line 3313 -- Looks like a reference, but probably isn't: '114' on line 3314 -- Looks like a reference, but probably isn't: '115' on line 3315 -- Looks like a reference, but probably isn't: '116' on line 3316 -- Looks like a reference, but probably isn't: '117' on line 3317 -- Looks like a reference, but probably isn't: '118' on line 3318 -- Looks like a reference, but probably isn't: '119' on line 3319 -- Looks like a reference, but probably isn't: '120' on line 3321 -- Looks like a reference, but probably isn't: '121' on line 3322 -- Looks like a reference, but probably isn't: '122' on line 3323 -- Looks like a reference, but probably isn't: '123' on line 3324 -- Looks like a reference, but probably isn't: '124' on line 3325 -- Looks like a reference, but probably isn't: '125' on line 3326 -- Looks like a reference, but probably isn't: '126' on line 3327 -- Looks like a reference, but probably isn't: '127' on line 3328 == Missing Reference: 'RFC 2104' is mentioned on line 3687, but not defined == Missing Reference: 'RFC 2202' is mentioned on line 4299, but not defined == Missing Reference: 'RFC 4231' is mentioned on line 4299, but not defined == Missing Reference: 'TESTCOUNT' is mentioned on line 4518, but not defined == Missing Reference: 'RANDOMCOUNT' is mentioned on line 4520, but not defined == Missing Reference: 'HASHCOUNT' is mentioned on line 5517, but not defined == Missing Reference: 'HMACTESTCOUNT' is mentioned on line 4708, but not defined == Missing Reference: 'HKDFTESTCOUNT' is mentioned on line 4917, but not defined -- Looks like a reference, but probably isn't: '20' on line 5472 -- Looks like a reference, but probably isn't: '4096' on line 5371 -- Looks like a reference, but probably isn't: '1003' on line 5473 -- Obsolete informational reference (is this intentional?): RFC 4634 (Obsoleted by RFC 6234) Summary: 1 error (**), 0 flaws (~~), 16 warnings (==), 50 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Donald Eastlake 2 INTERNET-DRAFT Huawei 3 Obsoletes: 4634 Tony Hansen 4 Updates: 3174 AT&T Labs 5 Intended Status: Informational 6 Expires: July 15, 2011 January 16, 2011 8 US Secure Hash Algorithms 9 (SHA and SHA based HMAC and HKDF) 10 12 Abstract 13 The United States of America has adopted a suite of secure hash 14 algorithms (SHAs), including four beyond SHA-1, as part of a Federal 15 Information Processing Standard (FIPS), specifically SHA-224, 16 SHA-256, SHA-384, and SHA-512. This document makes open source code 17 performing the SHA hash functions conveniently available to the 18 Internet community. The sample code supports input strings of 19 arbitrary bit length. Much of the text herein was adapted by the 20 authors from FIPS 180-2. 22 This document replaces RFC 4634, fixing errata and adding code for an 23 HMAC-based extract-and-expand key derivation function, HKDF (RFC 24 5869). As with RFC 4634, code to perform SHA based HMACs is also 25 included. 27 Status of This Memo 29 This Internet-Draft is submitted to IETF in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Distribution of this document is unlimited. Comments should be sent 33 to the authors. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF), its areas, and its working groups. Note that 37 other groups may also distribute working documents as Internet- 38 Drafts. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 The list of current Internet-Drafts can be accessed at 46 http://www.ietf.org/1id-abstracts.html 48 The list of Internet-Draft Shadow Directories can be accessed at 49 http://www.ietf.org/shadow.html 51 Table of Contents 53 1. Overview of Contents....................................3 54 2. Notation for Bit Strings and Integers...................4 55 3. Operations on Words.....................................5 57 4. Message Padding and Parsing.............................7 58 4.1 SHA-224 and SHA-256....................................7 59 4.2 SHA-384 and SHA-512....................................8 61 5. Functions and Constants Used...........................10 62 5.1 SHA-224 and SHA-256...................................10 63 5.2 SHA-384 and SHA-512...................................11 65 6. Computing the Message Digest...........................12 66 6.1 SHA-224 and SHA-256 Initialization....................12 67 6.2 SHA-224 and SHA-256 Processing........................12 68 6.3 SHA-384 and SHA-512 Initialization....................14 69 6.4 SHA-384 and SHA-512 Processing........................15 71 7. HKDF and SHA Based HMACs...............................17 72 7.1 SHA-Based HMACs.......................................17 73 7.2 HKDF..................................................17 75 8. C Code for SHAs, HMAC, and HKDF........................18 76 8.1 The Header Files......................................21 77 8.1.1 The .h file.........................................21 78 8.1.2 stdint-example.h....................................29 79 8.1.3 sha-private.h.......................................29 80 8.2 The SHA Code..........................................30 81 8.2.1 sha1.c..............................................30 82 8.2.2 sha224-256.c........................................39 83 8.2.3 sha384-512.c........................................50 84 8.2.4 usha.c..............................................71 85 8.3 The HMAC Code.........................................77 86 8.4 The HKDF Code.........................................82 87 8.5 The Test Driver.......................................89 89 9. IANA Considerations...................................120 90 10. Security Considerations..............................120 91 11. Acknowledgements.....................................120 93 12. References...........................................121 94 12.1 Normative References................................121 95 12.2 Informative References..............................121 97 Appendix: Changes from RFC 4634..........................122 99 Appendix Z: RFC Editor Note, Edit History................123 101 1. Overview of Contents 103 This document includes specifications for the United States of 104 America (USA) Federal Information Processing Standard (FIPS) Secure 105 Hash Algorithms (SHAs), code to implement the SHAs, code to implement 106 HMACs based on the SHAs, and code to implement HKDF based on HMAC. 107 Specifications for HMAC and HKDF are not included as they appear 108 elsewhere in the RFC series [RFC2104] [RFC5869]. 110 NOTE: Much of the text below is taken from [SHS] and the assertions 111 of the security of the hash algorithms described therein are made by 112 the US Government, the author of [SHS], not by the authors of this 113 document. 115 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 116 SHA-256, SHA-384, and SHA-512, for computing a condensed 117 representation of a message or a data file. (SHA-1 is specified in 118 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and 119 SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of 120 these algorithms, the result is an output called a message digest. 121 The message digests range in length from 224 to 512 bits, depending 122 on the algorithm. Secure hash algorithms are typically used with 123 other cryptographic algorithms, such as digital signature algorithms 124 and keyed hash authentication codes, the generation of random numbers 125 [RFC4086], or in key derivation functions. 127 The four algorithms specified in this document are called secure 128 because it is computationally infeasible to (1) find a message which 129 corresponds to a given message digest, or (2) to find two different 130 messages that produce the same message digest. Any change to a 131 message in transit will, with very high probability, result in a 132 different message digest. This will result in a verification failure 133 when the secure hash algorithm is used with a digital signature 134 algorithm or a keyed-hash message authentication algorithm. 136 The code provided herein supports input strings of arbitrary bit 137 length. SHA-1's sample code from [RFC3174] has also been updated to 138 handle input strings of arbitrary bit length. Permission is granted 139 for all uses, commercial and non-commercial, of this code. 141 This document obsoletes [RFC4634]; and the changes from that RFC are 142 summarized in the Appendix. 144 ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 145 [RFC4055], are as follows: 147 id-sha1 OBJECT IDENTIFIER ::= { iso(1) 148 identified-organization(3) oiw(14) 149 secsig(3) algorithms(2) 26 } 151 id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) 152 country(16) us(840) organization(1) gov(101) 153 csor(3) nistalgorithm(4) hashalgs(2) 4 } 154 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 155 country(16) us(840) organization(1) gov(101) 156 csor(3) nistalgorithm(4) hashalgs(2) 1 } 157 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 158 country(16) us(840) organization(1) gov(101) 159 csor(3) nistalgorithm(4) hashalgs(2) 2 } 160 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 161 country(16) us(840) organization(1) gov(101) 162 csor(3) nistalgorithm(4) hashalgs(2) 3 } 164 Section 2 below defines the terminology and functions used as 165 building blocks to form these algorithms. Section 3 describes the 166 fundamental operations on words from which these algorithms are 167 built. Section 4 describes how messages are padded up to an integral 168 multiple of the required block size and then parsed into blocks. 169 Section 5 defines the constants and the composite functions used to 170 specify the hash algorithms. Section 6 gives the actual specification 171 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 172 provides pointers to the specification of HMAC keyed message 173 authentication codes and to the specification of an extract-and- 174 expand key derivation function based on HMAC. 176 Section 8 gives sample code for the SHA algorithms, for SHA based 177 HMACs, and for HMAC-based extract-and-expand key derivation function. 179 2. Notation for Bit Strings and Integers 181 The following terminology related to bit strings and integers will be 182 used: 184 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. 185 A hex digit is the representation of a 4-bit string. Examples: 186 7 = 0111, A = 1010. 188 b. A word equals a 32-bit or 64-bit string that may be represented 189 as a sequence of 8 or 16 hex digits, respectively. To convert a 190 word to hex digits, each 4-bit string is converted to its hex 191 equivalent as described in (a) above. Example: 193 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 195 Throughout this document, the "big-endian" convention is used 196 when expressing both 32-bit and 64-bit words, so that within 197 each word the most significant bit is shown in the leftmost bit 198 position. 200 c. An integer may be represented as a word or pair of words. 202 An integer between 0 and 2^32 - 1 inclusive may be represented 203 as a 32-bit word. The least significant four bits of the 204 integer are represented by the rightmost hex digit of the word 205 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = 206 256+32+2+1 is represented by the hex word, 00000123. 208 The same holds true for an integer between 0 and 2^64-1 209 inclusive, which may be represented as a 64-bit word. 211 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 212 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented 213 as words X and Y, respectively, z can be represented as the pair 214 of words (X,Y). 216 Again, the "big-endian" convention is used and the most 217 significant word is in the leftmost word position for values 218 represented by multiple-words. 220 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 221 represented as a sequence of 32-bit or 64-bit words. 223 3. Operations on Words 225 The following logical operators will be applied to words in all four 226 hash operations specified herein. SHA-224 and SHA-256 operate on 227 32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 229 In the operations below, x<>n is obtained as follows: discard the rightmost n bits 233 of x and then prepend the result with n zeroed bits on the left (the 234 result will still be the same number of bits). 236 a. Bitwise logical word operations 238 X AND Y = bitwise logical "and" of X and Y. 240 X OR Y = bitwise logical "inclusive-or" of X and Y. 242 X XOR Y = bitwise logical "exclusive-or" of X and Y. 244 NOT X = bitwise logical "complement" of X. 246 Example: 247 01101100101110011101001001111011 248 XOR 01100101110000010110100110110111 249 -------------------------------- 250 = 00001001011110001011101111001100 252 b. The operation X + Y is defined as follows: words X and Y 253 represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y 254 < 2^w. For positive integers n and m, let 256 n mod m 258 be the remainder upon dividing n by m. Compute 260 z = (x + y) mod 2^w. 262 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X + 263 Y. 265 c. The right shift operation SHR^n(x), where x is a w-bit word and n 266 is an integer with 0 <= n < w, is defined by 268 SHR^n(x) = x>>n 270 d. The rotate right (circular right shift) operation ROTR^n(x), where 271 x is a w-bit word and n is an integer with 0 <= n < w, is 272 defined by 274 ROTR^n(x) = (x>>n) OR (x<<(w-n)) 276 e. The rotate left (circular left shift) operation ROTL^n(x), where x 277 is a w-bit word and n is an integer with 0 <= n < w, is defined 278 by 280 ROTL^n(X) = (x<>w-n) 282 Note the following equivalence relationships, where w is fixed 283 in each relationship: 285 ROTL^n(x) = ROTR^(w-n)(x) 287 ROTR^n(x) = ROTL^(w-n)(x) 289 4. Message Padding and Parsing 291 The hash functions specified herein are used to compute a message 292 digest for a message or data file that is provided as input. The 293 message or data file should be considered to be a bit string. The 294 length of the message is the number of bits in the message (the empty 295 message has length 0). If the number of bits in a message is a 296 multiple of 8, for compactness we can represent the message in hex. 297 The purpose of message padding is to make the total length of a 298 padded message a multiple of 512 for SHA-224 and SHA-256 or a 299 multiple of 1024 for SHA-384 and SHA-512. 301 The following specifies how this padding shall be performed. As a 302 summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit 303 integer are appended to the end of the message to produce a padded 304 message of length 512*n or 1024*n. The appended integer is the 305 length of the original message. The padded message is then processed 306 by the hash function as n 512-bit or 1024-bit blocks. 308 4.1 SHA-224 and SHA-256 310 Suppose a message has length L < 2^64. Before it is input to the 311 hash function, the message is padded on the right as follows: 313 a. "1" is appended. Example: if the original message is "01010000", 314 this is padded to "010100001". 316 b. K "0"s are appended where K is the smallest, non-negative 317 solution to the equation 319 L + 1 + K = 448 (mod 512) 321 c. Then append the 64-bit block that is L in binary representation. 322 After appending this block, the length of the message will be a 323 multiple of 512 bits. 325 Example: Suppose the original message is the bit string 327 01100001 01100010 01100011 01100100 01100101 329 After step (a) this gives 331 01100001 01100010 01100011 01100100 01100101 1 333 Since L = 40, the number of bits in the above is 41 and K = 407 334 "0"s are appended, making the total now 448. This gives the 335 following in hex: 337 61626364 65800000 00000000 00000000 338 00000000 00000000 00000000 00000000 339 00000000 00000000 00000000 00000000 340 00000000 00000000 342 The 64-bit representation of L = 40 is hex 00000000 00000028. 343 Hence the final padded message is the following hex 345 61626364 65800000 00000000 00000000 346 00000000 00000000 00000000 00000000 347 00000000 00000000 00000000 00000000 348 00000000 00000000 00000000 00000028 350 4.2 SHA-384 and SHA-512 352 Suppose a message has length L < 2^128. Before it is input to the 353 hash function, the message is padded on the right as follows: 355 a. "1" is appended. Example: if the original message is "01010000", 356 this is padded to "010100001". 358 b. K "0"s are appended where K is the smallest, non-negative 359 solution to the equation 361 L + 1 + K = 896 (mod 1024) 363 c. Then append the 128-bit block that is L in binary representation. 364 After appending this block, the length of the message will be a 365 multiple of 1024 bits. 367 Example: Suppose the original message is the bit string 369 01100001 01100010 01100011 01100100 01100101 371 After step (a) this gives 373 01100001 01100010 01100011 01100100 01100101 1 375 Since L = 40, the number of bits in the above is 41 and K = 855 376 "0"s are appended, making the total now 896. This gives the 377 following in hex: 379 61626364 65800000 00000000 00000000 380 00000000 00000000 00000000 00000000 381 00000000 00000000 00000000 00000000 382 00000000 00000000 00000000 00000000 383 00000000 00000000 00000000 00000000 384 00000000 00000000 00000000 00000000 385 00000000 00000000 00000000 00000000 387 The 128-bit representation of L = 40 is hex 00000000 00000000 388 00000000 00000028. Hence the final padded message is the 389 following hex: 391 61626364 65800000 00000000 00000000 392 00000000 00000000 00000000 00000000 393 00000000 00000000 00000000 00000000 394 00000000 00000000 00000000 00000000 395 00000000 00000000 00000000 00000000 396 00000000 00000000 00000000 00000000 397 00000000 00000000 00000000 00000000 398 00000000 00000000 00000000 00000028 400 5. Functions and Constants Used 402 The following subsections give the six logical functions and the 403 table of constants used in each of the hash functions. 405 5.1 SHA-224 and SHA-256 407 SHA-224 and SHA-256 use six logical functions, where each function 408 operates on 32-bit words, which are represented as x, y, and z. The 409 result of each function is a new 32-bit word. 411 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 413 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 415 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 417 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) 419 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) 421 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) 423 SHA-224 and SHA-256 use the same sequence of sixty-four constant 424 32-bit words, K0, K1, ..., K63. These words represent the first 425 thirty-two bits of the fractional parts of the cube roots of the 426 first sixty-four prime numbers. In hex, these constant words are as 427 follows (from left to right): 429 428a2f98 71374491 b5c0fbcf e9b5dba5 430 3956c25b 59f111f1 923f82a4 ab1c5ed5 431 d807aa98 12835b01 243185be 550c7dc3 432 72be5d74 80deb1fe 9bdc06a7 c19bf174 433 e49b69c1 efbe4786 0fc19dc6 240ca1cc 434 2de92c6f 4a7484aa 5cb0a9dc 76f988da 435 983e5152 a831c66d b00327c8 bf597fc7 436 c6e00bf3 d5a79147 06ca6351 14292967 437 27b70a85 2e1b2138 4d2c6dfc 53380d13 438 650a7354 766a0abb 81c2c92e 92722c85 439 a2bfe8a1 a81a664b c24b8b70 c76c51a3 440 d192e819 d6990624 f40e3585 106aa070 441 19a4c116 1e376c08 2748774c 34b0bcb5 442 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 443 748f82ee 78a5636f 84c87814 8cc70208 444 90befffa a4506ceb bef9a3f7 c67178f2 446 5.2 SHA-384 and SHA-512 448 SHA-384 and SHA-512 each use six logical functions, where each 449 function operates on 64-bit words, which are represented as x, y, and 450 z. The result of each function is a new 64-bit word. 452 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) 454 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) 456 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) 458 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) 460 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) 462 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) 464 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 465 words, K0, K1, ... K79. These words represent the first sixty-four 466 bits of the fractional parts of the cube roots of the first eighty 467 prime numbers. In hex, these constant words are as follows (from 468 left to right): 470 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc 471 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 472 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 473 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 474 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 475 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 476 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 477 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 478 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df 479 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b 480 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 481 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 482 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 483 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 484 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec 485 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b 486 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 487 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b 488 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c 489 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 491 6. Computing the Message Digest 493 The output of each of the secure hash functions, after being applied 494 to a message of N blocks, is the hash quantity H(N). For SHA-224 and 495 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, 496 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be 497 eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. 499 As described below, the hash words are initialized, modified as each 500 message block is processed, and finally concatenated after processing 501 the last block to yield the output. For SHA-256 and SHA-512, all of 502 the H(N) variables are concatenated while the SHA-224 and SHA-384 503 hashes are produced by omitting some from the final concatenation. 505 6.1 SHA-224 and SHA-256 Initialization 507 For SHA-224, the initial hash value, H(0), consists of the following 508 32-bit words in hex: 510 H(0)0 = c1059ed8 511 H(0)1 = 367cd507 512 H(0)2 = 3070dd17 513 H(0)3 = f70e5939 514 H(0)4 = ffc00b31 515 H(0)5 = 68581511 516 H(0)6 = 64f98fa7 517 H(0)7 = befa4fa4 519 For SHA-256, the initial hash value, H(0), consists of the following 520 eight 32-bit words, in hex. These words were obtained by taking the 521 first thirty-two bits of the fractional parts of the square roots of 522 the first eight prime numbers. 524 H(0)0 = 6a09e667 525 H(0)1 = bb67ae85 526 H(0)2 = 3c6ef372 527 H(0)3 = a54ff53a 528 H(0)4 = 510e527f 529 H(0)5 = 9b05688c 530 H(0)6 = 1f83d9ab 531 H(0)7 = 5be0cd19 533 6.2 SHA-224 and SHA-256 Processing 535 SHA-224 and SHA-256 perform identical processing on messages blocks 536 and differ only in how H(0) is initialized and how they produce their 537 final output. They may be used to hash a message, M, having a length 538 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message 539 schedule of sixty-four 32-bit words, (2) eight working variables of 540 32 bits each, and (3) a hash value of eight 32-bit words. 542 The words of the message schedule are labeled W0, W1, ..., W63. The 543 eight working variables are labeled a, b, c, d, e, f, g, and h. The 544 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which 545 will hold the initial hash value, H(0), replaced by each successive 546 intermediate hash value (after each message block is processed), 547 H(i), and ending with the final hash value, H(N), after all N blocks 548 are processed. They also use two temporary words, T1 and T2. 550 The input message is padded as described in Section 4.1 above then 551 parsed into 512-bit blocks that are considered to be composed of 16 552 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 553 are then performed for each of the N message blocks. All addition is 554 performed modulo 2^32. 556 For i = 1 to N 558 1. Prepare the message schedule W: 559 For t = 0 to 15 560 Wt = M(i)t 561 For t = 16 to 63 562 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) 564 2. Initialize the working variables: 565 a = H(i-1)0 566 b = H(i-1)1 567 c = H(i-1)2 568 d = H(i-1)3 569 e = H(i-1)4 570 f = H(i-1)5 571 g = H(i-1)6 572 h = H(i-1)7 574 3. Perform the main hash computation: 575 For t = 0 to 63 576 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 577 T2 = BSIG0(a) + MAJ(a,b,c) 578 h = g 579 g = f 580 f = e 581 e = d + T1 582 d = c 583 c = b 584 b = a 585 a = T1 + T2 587 4. Compute the intermediate hash value H(i) 588 H(i)0 = a + H(i-1)0 589 H(i)1 = b + H(i-1)1 590 H(i)2 = c + H(i-1)2 591 H(i)3 = d + H(i-1)3 592 H(i)4 = e + H(i-1)4 593 H(i)5 = f + H(i-1)5 594 H(i)6 = g + H(i-1)6 595 H(i)7 = h + H(i-1)7 597 After the above computations have been sequentially performed for all 598 of the blocks in the message, the final output is calculated. For 599 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through 600 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, 601 through H(N)6. 603 6.3 SHA-384 and SHA-512 Initialization 605 For SHA-384, the initial hash value, H(0), consists of the following 606 eight 64-bit words, in hex. These words were obtained by taking the 607 first sixty-four bits of the fractional parts of the square roots of 608 the ninth through sixteenth prime numbers. 610 H(0)0 = cbbb9d5dc1059ed8 611 H(0)1 = 629a292a367cd507 612 H(0)2 = 9159015a3070dd17 613 H(0)3 = 152fecd8f70e5939 614 H(0)4 = 67332667ffc00b31 615 H(0)5 = 8eb44a8768581511 616 H(0)6 = db0c2e0d64f98fa7 617 H(0)7 = 47b5481dbefa4fa4 619 For SHA-512, the initial hash value, H(0), consists of the following 620 eight 64-bit words, in hex. These words were obtained by taking the 621 first sixty-four bits of the fractional parts of the square roots of 622 the first eight prime numbers. 624 H(0)0 = 6a09e667f3bcc908 625 H(0)1 = bb67ae8584caa73b 626 H(0)2 = 3c6ef372fe94f82b 627 H(0)3 = a54ff53a5f1d36f1 628 H(0)4 = 510e527fade682d1 629 H(0)5 = 9b05688c2b3e6c1f 630 H(0)6 = 1f83d9abfb41bd6b 631 H(0)7 = 5be0cd19137e2179 633 6.4 SHA-384 and SHA-512 Processing 635 SHA-384 and SHA-512 perform identical processing on message blocks 636 and differ only in how H(0) is initialized and how they produce their 637 final output. They may be used to hash a message, M, having a length 638 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message 639 schedule of eighty 64-bit words, (2) eight working variables of 64 640 bits each, and (3) a hash value of eight 64-bit words. 642 The words of the message schedule are labeled W0, W1, ..., W79. The 643 eight working variables are labeled a, b, c, d, e, f, g, and h. The 644 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which 645 will hold the initial hash value, H(0), replaced by each successive 646 intermediate hash value (after each message block is processed), 647 H(i), and ending with the final hash value, H(N) after all N blocks 648 are processed. 650 The input message is padded as described in Section 4.2 above, then 651 parsed into 1024-bit blocks that are considered to be composed of 16 652 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations 653 are then performed for each of the N message blocks. All addition is 654 performed modulo 2^64. 656 For i = 1 to N 658 1. Prepare the message schedule W: 659 For t = 0 to 15 660 Wt = M(i)t 661 For t = 16 to 79 662 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(W(t-15)) + W(t-16) 664 2. Initialize the working variables: 665 a = H(i-1)0 666 b = H(i-1)1 667 c = H(i-1)2 668 d = H(i-1)3 669 e = H(i-1)4 670 f = H(i-1)5 671 g = H(i-1)6 672 h = H(i-1)7 674 3. Perform the main hash computation: 675 For t = 0 to 79 676 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt 677 T2 = BSIG0(a) + MAJ(a,b,c) 678 h = g 679 g = f 680 f = e 681 e = d + T1 682 d = c 683 c = b 684 b = a 685 a = T1 + T2 687 4. Compute the intermediate hash value H(i) 688 H(i)0 = a + H(i-1)0 689 H(i)1 = b + H(i-1)1 690 H(i)2 = c + H(i-1)2 691 H(i)3 = d + H(i-1)3 692 H(i)4 = e + H(i-1)4 693 H(i)5 = f + H(i-1)5 694 H(i)6 = g + H(i-1)6 695 H(i)7 = h + H(i-1)7 697 After the above computations have been sequentially performed for all 698 of the blocks in the message, the final output is calculated. For 699 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through 700 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, 701 through H(N)5. 703 7. HKDF and SHA Based HMACs 705 Below are brief descriptions and pointers to more complete 706 descriptions and code for (1) SHA-based HMACs and (2) an HMAC-based 707 extract-and-expand key derivation function. Both HKDF and HMAC were 708 devised by Hugo Krawczyk. 710 7.1 SHA-Based HMACs 712 HMAC is a method for computing a keyed MAC (message authentication 713 code) using a hash function as described in [RFC2104]. It uses a key 714 to mix in with the input text to produce the final hash. 716 Sample code is also provided, in Section 8.3 below, to perform HMAC 717 based on any of the SHA algorithms described herein. The sample code 718 found in [RFC2104] was written in terms of a specified text size. 719 Since SHA is defined in terms of an arbitrary number of bits, the 720 sample HMAC code has been written to allow the text input to HMAC to 721 have an arbitrary number of octets and bits. A fixed length interface 722 is also provided. 724 7.2 HKDF 726 HKDF is a specific key derivation function (KDF), that is, a function 727 of initial keying material from which the KDF derives one or more 728 cryptographically strong secret keys. HKDF, which is described in 729 [RFC5869], is based on HMAC. 731 Sample code for HKDF is provided in Section 8.4 below. 733 8. C Code for SHAs, HMAC, and HKDF 735 Below is a demonstration implementation of these secure hash 736 functions in C. Section 8.1 contains the header file sha.h that 737 declares all constants, structures and functions used by the sha and 738 hmac functions. It includes conditionals based on the state of 739 definition of USE_32BIT_ONLY which, if that symbol is defined at 740 compile time, avoids 64-bit operations. It also contains sha- 741 private.h that provides some declarations common to all the sha 742 functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, 743 sha384-512.c, and usha.c. Section 8.3 contains the C code for the 744 HMAC functions and Section 8.4 contains the C code for HKDF. Section 745 8.5 contains a test driver to exercise the code. 747 For each of the digest lengths $$$, there are the following set of 748 constants, a structure, and functions: 750 Constants: 751 SHA$$$HashSize number of octets in the hash 752 SHA$$$HashSizeBits number of bits in the hash 753 SHA$$$_Message_Block_Size 754 number of octets used in the intermediate 755 message blocks 756 Most functions return an enum value that is one of: 757 shaSuccess(0) on success 758 shaNull(1) when presented with a null pointer parameter 759 shaInputTooLong(2) when the input data is too long 760 shaStateError(3) when SHA$$$Input is called after 761 SHA$$$FinalBits or SHA$$$Result. 763 Structure: 764 typedef SHA$$$Context 765 an opaque structure holding the complete state 766 for producing the hash 768 Functions: 769 int SHA$$$Reset(SHA$$$Context *context); 770 Reset the hash context state 771 int SHA$$$Input(SHA$$$Context *context, const uint8_t *octets, 772 unsigned int bytecount); 773 Incorporate bytecount octets into the hash. 774 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, 775 unsigned int bitcount); 776 Incorporate bitcount bits into the hash. The bits are in the 777 upper portion of the octet. SHA$$$Input() cannot be called 778 after this. 779 int SHA$$$Result(SHA$$$Context *, 780 uint8_t Message_Digest[SHA$$$HashSize]); 781 Do the final calculations on the hash and copy the value 782 into Message_Digest. 784 In addition, functions with the prefix USHA are provided that take a 785 SHAversion value (SHA$$$) to select the SHA function suite. They add 786 the following constants, structure and function: 788 Constants: 789 shaBadParam(4) constant returned by USHA functions when 790 presented with a bad SHAversion (SHA$$$) 791 parameter or other illegal parameter values 792 USAMaxHashSize maximum of the SHA hash sizes 793 SHA$$$ SHAversion enumeration values, used by usha, 794 hmac and hkdf functions to select the SHA 795 function suite 797 Structure: 798 typedef USHAContext 799 an opaque structure holding the complete state 800 for producing the hash 802 Functions: 803 int USHAReset(USHAContext *context, SHAversion whichSha); 804 Reset the hash context state. 805 int USHAInput(USHAContext context*, 806 const uint8_t *bytes, unsigned int bytecount); 807 Incorporate bytecount octets into the hash. 808 int USHAFinalBits(USHAContext *context, 809 const uint8_t bits, unsigned int bitcount); 810 Incorporate bitcount bits into the hash. 811 int USHAResult(USHAContext *context, 812 uint8_t Message_Digest[USHAMaxHashSize]); 813 Do the final calculations on the hash and copy the value 814 into Message_Digest. Octets in Message_Digest beyond 815 USHAHashSize(whichSha) are left untouched. 816 int USHAHashSize(enum SHAversion whichSha); 817 The number of octets in the given hash. 818 int USHAHashSizeBits(enum SHAversion whichSha); 819 The number of bits in the given hash. 820 int USHABlockSize(enum SHAversion whichSha); 821 The internal block size for the given hash. 822 const char *USHAHashName(enum SHAversion whichSha); 823 This function will return the name of the given SHA 824 algorithm as a string. 826 The hmac functions follow the same pattern to allow any length of 827 text input to be used. 829 Structures: 830 typedef HMACContext an opaque structure holding the complete state 831 for producing the keyed message digest (MAC) 833 Functions: 834 int hmacReset(HMACContext *ctx, enum SHAversion whichSha, 835 const unsigned char *key, int key_len); 836 Reset the MAC context state. 837 int hmacInput(HMACContext *ctx, const unsigned char *text, 838 int text_len); 839 Incorporate text_len octets into the MAC. 840 int hmacFinalBits(HMACContext *ctx, const uint8_t bits, 841 unsigned int bitcount); 842 Incorporate bitcount bits into the MAC. 843 int hmacResult(HMACContext *ctx, 844 uint8_t Message_Digest[USHAMaxHashSize]); 845 Do the final calculations on the MAC and copy the value into 846 Message_Digest. Octets in Message_Digest beyond 847 USHAHashSize(whichSha) are left untouched. 849 In addition, a combined interface is provided, similar to that shown 850 in [RFC2104], that allows a fixed-length text input to be used. 852 int hmac(SHAversion whichSha, 853 const unsigned char *text, int text_len, 854 const unsigned char *key, int key_len, 855 uint8_t Message_Digest[USHAMaxHashSize]); 856 Calculate the given digest for the given text and key, and 857 return the resulting MAC. Octets in Message_Digest beyond 858 USHAHashSize(whichSha) are left untouched. 860 The hkdf functions follow the same pattern to allow any length of 861 text input to be used. 863 Structures: 864 typedef HKDFContext an opaque structure holding the complete state 865 for producing the keying material 866 Functions: 867 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 868 const unsigned char *salt, int salt_len) 869 Reset the key derivation state and initialize it with the 870 salt_len octets of the optional salt. 871 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 872 int ikm_len) 873 Incorporate ikm_len octets into the entropy extractor. 874 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 875 unsigned int ikm_bit_count) 876 Incorporate ikm_bit_count bits into the entropy extractor. 877 int hkdfResult(HKDFContext *context, 878 uint8_t prk[USHAMaxHashSize], 879 const unsigned char *info, int info_len, 880 uint8_t okm[ ], int okm_len) 881 Finish the HKDF extraction and perform the final HKDF 882 expansion, storing the okm_len octets into okm. Optionally 883 store the pseudo-random key (prk) that is generated 884 internally. 886 In addition, combined interfaces are provided, similar to that shown 887 in [RFC5869], that allows a fixed-length text input to be used. 889 int hkdfExtract(SHAversion whichSha, 890 const unsigned char *salt, int salt_len, 891 const unsigned char *ikm, int ikm_len, 892 uint8_t prk[USHAMaxHashSize]) 893 Perform HKDF extraction, combining the salt_len octets of 894 the optional salt with the ikm_len octets of the input 895 keying material (ikm) to form the pseudo-random key prk. 896 The output prk must be large enough to hold the octets 897 appropriate for the given hash type. 899 int hkdfExpand(SHAversion whichSha, 900 const uint8_t prk[ ], int prk_len, 901 const unsigned char *info, int info_len, 902 uint8_t okm[ ], int okm_len) 903 Perform HKDF expansion, combining the prk_len octets of the 904 pseudo-random key prk with the info_len octets of info to 905 form the okm_len octets stored in okm. 907 int hkdf(SHAversion whichSha, 908 const unsigned char *salt, int salt_len, 909 const unsigned char *ikm, int ikm_len, 910 const unsigned char *info, int info_len, 911 uint8_t okm[ ], int okm_len) 912 This combined interface performs both HKDF extraction and 913 expansion. The variables are the same as in hkdfExtract() 914 and hkdfExpand(). 916 8.1 The Header Files 918 8.1.1 The .h file 920 The following sha.h file, as stated in the comments within the file, 921 assumes that is available on your system. If it is not, 922 you should change to including , provided in 923 Section 8.1.2, or the like. 925 /**************************** sha.h ****************************/ 926 /***************** See RFC NNNN for details. *******************/ 927 /* 928 Copyright (c) 2010 IETF Trust and the persons identified as 929 authors of the code. All rights reserved. 931 Redistribution and use in source and binary forms, with or without 932 modification, are permitted provided that the following conditions 933 are met: 935 * Redistributions of source code must retain the above copyright 936 notice, this list of conditions and the following disclaimer. 938 * Redistributions in binary form must reproduce the above copyright 939 notice, this list of conditions and the following disclaimer in 940 the documentation and/or other materials provided with the 941 distribution. 943 * Neither the name of Internet Society, IETF or IETF Trust, nor the 944 names of specific contributors, may be used to endorse or promote 945 products derived from this software without specific prior 946 written permission. 948 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 949 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 950 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 951 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 952 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 953 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 954 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 955 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 956 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 957 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 958 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 959 POSSIBILITY OF SUCH DAMAGE. 960 */ 961 #ifndef _SHA_H_ 962 #define _SHA_H_ 964 /* 965 * Description: 966 * This file implements the Secure Hash Algorithms 967 * as defined in the U.S. National Institute of Standards 968 * and Technology Federal Information Processing Standards 969 * Publication (FIPS PUB) 180-3 published in October 2008 970 * and formerly defined in its predecessors, FIPS PUB 180-1 971 * and FIP PUB 180-2. 972 * 973 * A combined document showing all algorithms is available at 974 * http://csrc.nist.gov/publications/fips/ 975 * fips180-3/fips180-3_final.pdf 976 * 977 * The five hashes are defined in these sizes: 978 * SHA-1 20 byte / 160 bit 979 * SHA-224 28 byte / 224 bit 980 * SHA-256 32 byte / 256 bit 981 * SHA-384 48 byte / 384 bit 982 * SHA-512 64 byte / 512 bit 983 * 984 * Compilation Note: 985 * These files may be compiled with two options: 986 * USE_32BIT_ONLY - use 32-bit arithmetic only, for systems 987 * without 64-bit integers 988 * 989 * USE_MODIFIED_MACROS - use alternate form of the SHA_Ch() 990 * and SHA_Maj() macros that are equivalent 991 * and potentially faster on many systems 992 * 993 */ 995 #include 996 /* 997 * If you do not have the ISO standard stdint.h header file, then you 998 * must typedef the following: 999 * name meaning 1000 * uint64_t unsigned 64 bit integer 1001 * uint32_t unsigned 32 bit integer 1002 * uint8_t unsigned 8 bit integer (i.e., unsigned char) 1003 * int_least16_t integer of >= 16 bits 1004 * 1005 * See stdint-example.h 1006 */ 1008 #ifndef _SHA_enum_ 1009 #define _SHA_enum_ 1010 /* 1011 * All SHA functions return one of these values. 1012 */ 1013 enum { 1014 shaSuccess = 0, 1015 shaNull, /* Null pointer parameter */ 1016 shaInputTooLong, /* input data too long */ 1017 shaStateError, /* called Input after FinalBits or Result */ 1018 shaBadParam /* passed a bad parameter */ 1019 }; 1020 #endif /* _SHA_enum_ */ 1022 /* 1023 * These constants hold size information for each of the SHA 1024 * hashing operations 1025 */ 1026 enum { 1027 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, 1028 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, 1029 SHA512_Message_Block_Size = 128, 1030 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, 1032 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 1033 SHA384HashSize = 48, SHA512HashSize = 64, 1034 USHAMaxHashSize = SHA512HashSize, 1036 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, 1037 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 1038 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 1039 }; 1041 /* 1042 * These constants are used in the USHA (unified sha) functions. 1043 */ 1044 typedef enum SHAversion { 1045 SHA1, SHA224, SHA256, SHA384, SHA512 1046 } SHAversion; 1048 /* 1049 * This structure will hold context information for the SHA-1 1050 * hashing operation. 1051 */ 1052 typedef struct SHA1Context { 1053 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ 1055 uint32_t Length_High; /* Message length in bits */ 1056 uint32_t Length_Low; /* Message length in bits */ 1058 int_least16_t Message_Block_Index; /* Message_Block array index */ 1059 /* 512-bit message blocks */ 1060 uint8_t Message_Block[SHA1_Message_Block_Size]; 1062 int Computed; /* Is the hash computed? */ 1063 int Corrupted; /* Cumulative corruption code */ 1064 } SHA1Context; 1066 /* 1067 * This structure will hold context information for the SHA-256 1068 * hashing operation. 1069 */ 1070 typedef struct SHA256Context { 1071 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ 1073 uint32_t Length_High; /* Message length in bits */ 1074 uint32_t Length_Low; /* Message length in bits */ 1076 int_least16_t Message_Block_Index; /* Message_Block array index */ 1077 /* 512-bit message blocks */ 1078 uint8_t Message_Block[SHA256_Message_Block_Size]; 1079 int Computed; /* Is the hash computed? */ 1080 int Corrupted; /* Cumulative corruption code */ 1081 } SHA256Context; 1083 /* 1084 * This structure will hold context information for the SHA-512 1085 * hashing operation. 1086 */ 1087 typedef struct SHA512Context { 1088 #ifdef USE_32BIT_ONLY 1089 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ 1090 uint32_t Length[4]; /* Message length in bits */ 1091 #else /* !USE_32BIT_ONLY */ 1092 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ 1093 uint64_t Length_High, Length_Low; /* Message length in bits */ 1094 #endif /* USE_32BIT_ONLY */ 1096 int_least16_t Message_Block_Index; /* Message_Block array index */ 1097 /* 1024-bit message blocks */ 1098 uint8_t Message_Block[SHA512_Message_Block_Size]; 1100 int Computed; /* Is the hash computed?*/ 1101 int Corrupted; /* Cumulative corruption code */ 1102 } SHA512Context; 1104 /* 1105 * This structure will hold context information for the SHA-224 1106 * hashing operation. It uses the SHA-256 structure for computation. 1107 */ 1108 typedef struct SHA256Context SHA224Context; 1110 /* 1111 * This structure will hold context information for the SHA-384 1112 * hashing operation. It uses the SHA-512 structure for computation. 1113 */ 1114 typedef struct SHA512Context SHA384Context; 1116 /* 1117 * This structure holds context information for all SHA 1118 * hashing operations. 1119 */ 1120 typedef struct USHAContext { 1121 int whichSha; /* which SHA is being used */ 1122 union { 1123 SHA1Context sha1Context; 1124 SHA224Context sha224Context; SHA256Context sha256Context; 1125 SHA384Context sha384Context; SHA512Context sha512Context; 1126 } ctx; 1127 } USHAContext; 1128 /* 1129 * This structure will hold context information for the HMAC 1130 * keyed hashing operation. 1131 */ 1132 typedef struct HMACContext { 1133 int whichSha; /* which SHA is being used */ 1134 int hashSize; /* hash size of SHA being used */ 1135 int blockSize; /* block size of SHA being used */ 1136 USHAContext shaContext; /* SHA context */ 1137 unsigned char k_opad[USHA_Max_Message_Block_Size]; 1138 /* outer padding - key XORd with opad */ 1139 int Computed; /* Is the MAC computed? */ 1140 int Corrupted; /* Cumulative corruption code */ 1142 } HMACContext; 1144 /* 1145 * This structure will hold context information for the HKDF 1146 * Extract-and-Expand Key Derivation functions. 1147 */ 1148 typedef struct HKDFContext { 1149 int whichSha; /* which SHA is being used */ 1150 HMACContext hmacContext; 1151 int hashSize; /* hash size of SHA being used */ 1152 unsigned char prk[USHAMaxHashSize]; 1153 /* Pseudo Random Key - output of hkdfInput */ 1154 int Computed; /* Is the key material computed? */ 1155 int Corrupted; /* Cumulative corruption code */ 1156 } HKDFContext; 1158 /* 1159 * Function Prototypes 1160 */ 1162 /* SHA-1 */ 1163 extern int SHA1Reset(SHA1Context *); 1164 extern int SHA1Input(SHA1Context *, const uint8_t *bytes, 1165 unsigned int bytecount); 1166 extern int SHA1FinalBits(SHA1Context *, uint8_t bits, 1167 unsigned int bit_count); 1168 extern int SHA1Result(SHA1Context *, 1169 uint8_t Message_Digest[SHA1HashSize]); 1171 /* SHA-224 */ 1172 extern int SHA224Reset(SHA224Context *); 1173 extern int SHA224Input(SHA224Context *, const uint8_t *bytes, 1174 unsigned int bytecount); 1175 extern int SHA224FinalBits(SHA224Context *, uint8_t bits, 1176 unsigned int bit_count); 1177 extern int SHA224Result(SHA224Context *, 1178 uint8_t Message_Digest[SHA224HashSize]); 1180 /* SHA-256 */ 1181 extern int SHA256Reset(SHA256Context *); 1182 extern int SHA256Input(SHA256Context *, const uint8_t *bytes, 1183 unsigned int bytecount); 1184 extern int SHA256FinalBits(SHA256Context *, uint8_t bits, 1185 unsigned int bit_count); 1186 extern int SHA256Result(SHA256Context *, 1187 uint8_t Message_Digest[SHA256HashSize]); 1189 /* SHA-384 */ 1190 extern int SHA384Reset(SHA384Context *); 1191 extern int SHA384Input(SHA384Context *, const uint8_t *bytes, 1192 unsigned int bytecount); 1193 extern int SHA384FinalBits(SHA384Context *, uint8_t bits, 1194 unsigned int bit_count); 1195 extern int SHA384Result(SHA384Context *, 1196 uint8_t Message_Digest[SHA384HashSize]); 1198 /* SHA-512 */ 1199 extern int SHA512Reset(SHA512Context *); 1200 extern int SHA512Input(SHA512Context *, const uint8_t *bytes, 1201 unsigned int bytecount); 1202 extern int SHA512FinalBits(SHA512Context *, uint8_t bits, 1203 unsigned int bit_count); 1204 extern int SHA512Result(SHA512Context *, 1205 uint8_t Message_Digest[SHA512HashSize]); 1207 /* Unified SHA functions, chosen by whichSha */ 1208 extern int USHAReset(USHAContext *context, SHAversion whichSha); 1209 extern int USHAInput(USHAContext *context, 1210 const uint8_t *bytes, unsigned int bytecount); 1211 extern int USHAFinalBits(USHAContext *context, 1212 uint8_t bits, unsigned int bit_count); 1213 extern int USHAResult(USHAContext *context, 1214 uint8_t Message_Digest[USHAMaxHashSize]); 1215 extern int USHABlockSize(enum SHAversion whichSha); 1216 extern int USHAHashSize(enum SHAversion whichSha); 1217 extern int USHAHashSizeBits(enum SHAversion whichSha); 1218 extern const char *USHAHashName(enum SHAversion whichSha); 1220 /* 1221 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1222 * for all SHAs. 1223 * This interface allows a fixed-length text input to be used. 1224 */ 1225 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 1226 const unsigned char *text, /* pointer to data stream */ 1227 int text_len, /* length of data stream */ 1228 const unsigned char *key, /* pointer to authentication key */ 1229 int key_len, /* length of authentication key */ 1230 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ 1232 /* 1233 * HMAC Keyed-Hashing for Message Authentication, RFC 2104, 1234 * for all SHAs. 1235 * This interface allows any length of text input to be used. 1236 */ 1237 extern int hmacReset(HMACContext *context, enum SHAversion whichSha, 1238 const unsigned char *key, int key_len); 1239 extern int hmacInput(HMACContext *context, const unsigned char *text, 1240 int text_len); 1241 extern int hmacFinalBits(HMACContext *context, uint8_t bits, 1242 unsigned int bit_count); 1243 extern int hmacResult(HMACContext *context, 1244 uint8_t digest[USHAMaxHashSize]); 1246 /* 1247 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1248 * RFC 5869, for all SHAs. 1249 */ 1250 extern int hkdf(SHAversion whichSha, const unsigned char *salt, 1251 int salt_len, const unsigned char *ikm, int ikm_len, 1252 const unsigned char *info, int info_len, 1253 uint8_t okm[ ], int okm_len); 1254 extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 1255 int salt_len, const unsigned char *ikm, 1256 int ikm_len, uint8_t prk[USHAMaxHashSize]); 1257 extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], 1258 int prk_len, const unsigned char *info, 1259 int info_len, uint8_t okm[ ], int okm_len); 1261 /* 1262 * HKDF HMAC-based Extract-and-Expand Key Derivation Function, 1263 * RFC 5869, for all SHAs. 1264 * This interface allows any length of text input to be used. 1265 */ 1266 extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 1267 const unsigned char *salt, int salt_len); 1268 extern int hkdfInput(HKDFContext *context, const unsigned char *ikm, 1269 int ikm_len); 1270 extern int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 1271 unsigned int ikm_bit_count); 1272 extern int hkdfResult(HKDFContext *context, 1273 uint8_t prk[USHAMaxHashSize], 1274 const unsigned char *info, int info_len, 1275 uint8_t okm[USHAMaxHashSize], int okm_len); 1277 #endif /* _SHA_H_ */ 1279 8.1.2 stdint-example.h 1281 If you system does not have , the following should be 1282 adequate as a substitute for compiling the other code in this 1283 document. 1285 /*********************** stdint-example.h **********************/ 1286 /**** Use this file if your system does not have a stdint.h. ***/ 1287 /***************** See RFC NNNN for details. *******************/ 1288 #ifndef STDINT_H 1289 #define STDINT_H 1291 typedef unsigned long long uint64_t; /* unsigned 64 bit integer */ 1292 typedef unsigned int uint32_t; /* unsigned 32 bit integer */ 1293 typedef unsigned char uint8_t; /* unsigned 8 bit integer */ 1294 /* (i.e., unsigned char) */ 1295 typedef int int_least32_t; /* integer of >= 32 bits */ 1296 typedef short int_least16_t; /* integer of >= 16 bits */ 1298 #endif /* STDINT_H */ 1300 8.1.3 sha-private.h 1302 The sha-private.h header file contains definitions that should only 1303 be needed internally in the other code in this document. These 1304 definitions should not be needed in application code calling the code 1305 provided in this document. 1307 /************************ sha-private.h ************************/ 1308 /***************** See RFC NNNN for details. *******************/ 1309 #ifndef _SHA_PRIVATE__H 1310 #define _SHA_PRIVATE__H 1311 /* 1312 * These definitions are defined in FIPS 180-3, section 4.1. 1313 * Ch() and Maj() are defined identically in sections 4.1.1, 1314 * 4.1.2 and 4.1.3. 1315 * 1316 * The definitions used in FIPS 180-3 are as follows: 1317 */ 1319 #ifndef USE_MODIFIED_MACROS 1320 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 1321 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 1322 #else /* USE_MODIFIED_MACROS */ 1323 /* 1324 * The following definitions are equivalent and potentially faster. 1325 */ 1327 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) 1328 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) 1330 #endif /* USE_MODIFIED_MACROS */ 1332 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) 1334 #endif /* _SHA_PRIVATE__H */ 1336 8.2 The SHA Code 1338 This code is primarily intended as expository reference code and 1339 could be optimized further. For example, the assignment rotations 1340 through the variables a, b, ..., h could be treated as a cycle and 1341 the loop unrolled, rather than doing the explicit copying. 1343 Note that there are alternative representations of the Ch() and Maj() 1344 functions controlled by an ifdef. 1346 8.2.1 sha1.c 1348 /**************************** sha1.c ***************************/ 1349 /***************** See RFC NNNN for details. *******************/ 1350 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1351 /* authors of the code. All rights reserved. */ 1352 /* See sha.h for terms of use and redistribution. */ 1354 /* 1355 * Description: 1356 * This file implements the Secure Hash Algorithm SHA-1 1357 * as defined in the U.S. National Institute of Standards 1358 * and Technology Federal Information Processing Standards 1359 * Publication (FIPS PUB) 180-3 published in October 2008 1360 * and formerly defined in its predecessors, FIPS PUB 180-1 1361 * and FIP PUB 180-2. 1362 * 1363 * A combined document showing all algorithms is available at 1364 * http://csrc.nist.gov/publications/fips/ 1365 * fips180-3/fips180-3_final.pdf 1366 * 1367 * The SHA-1 algorithm produces a 160-bit message digest for a 1368 * given data stream. It should take about 2**n steps to find a 1369 * message with the same digest as a given message and 1370 * 2**(n/2) to find any two messages with the same digest, 1371 * when n is the digest size in bits. Therefore, this 1372 * algorithm can serve as a means of providing a 1373 * "fingerprint" for a message. 1374 * 1375 * Portability Issues: 1376 * SHA-1 is defined in terms of 32-bit "words". This code 1377 * uses (included via "sha.h") to define 32 and 8 1378 * bit unsigned integer types. If your C compiler does not 1379 * support 32 bit unsigned integers, this code is not 1380 * appropriate. 1381 * 1382 * Caveats: 1383 * SHA-1 is designed to work with messages less than 2^64 bits 1384 * long. This implementation uses SHA1Input() to hash the bits 1385 * that are a multiple of the size of an 8-bit octet, and then 1386 * optionally uses SHA1FinalBits() to hash the final few bits of 1387 * the input. 1388 */ 1390 #include "sha.h" 1391 #include "sha-private.h" 1393 /* 1394 * Define the SHA1 circular left shift macro 1395 */ 1396 #define SHA1_ROTL(bits,word) \ 1397 (((word) << (bits)) | ((word) >> (32-(bits)))) 1399 /* 1400 * Add "length" to the length. 1401 * Set Corrupted when overflow has occurred. 1402 */ 1403 static uint32_t addTemp; 1404 #define SHA1AddLength(context, length) \ 1405 (addTemp = (context)->Length_Low, \ 1406 (context)->Corrupted = \ 1407 (((context)->Length_Low += (length)) < addTemp) && \ 1408 (++(context)->Length_High == 0) ? shaInputTooLong \ 1409 : (context)->Corrupted ) 1411 /* Local Function Prototypes */ 1412 static void SHA1ProcessMessageBlock(SHA1Context *context); 1413 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); 1414 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte); 1416 /* 1417 * SHA1Reset 1418 * 1419 * Description: 1420 * This function will initialize the SHA1Context in preparation 1421 * for computing a new SHA1 message digest. 1422 * 1423 * Parameters: 1424 * context: [in/out] 1425 * The context to reset. 1426 * 1427 * Returns: 1428 * sha Error Code. 1429 * 1430 */ 1431 int SHA1Reset(SHA1Context *context) 1432 { 1433 if (!context) return shaNull; 1435 context->Length_High = context->Length_Low = 0; 1436 context->Message_Block_Index = 0; 1438 /* Initial Hash Values: FIPS 180-3 section 5.3.1 */ 1439 context->Intermediate_Hash[0] = 0x67452301; 1440 context->Intermediate_Hash[1] = 0xEFCDAB89; 1441 context->Intermediate_Hash[2] = 0x98BADCFE; 1442 context->Intermediate_Hash[3] = 0x10325476; 1443 context->Intermediate_Hash[4] = 0xC3D2E1F0; 1445 context->Computed = 0; 1446 context->Corrupted = shaSuccess; 1448 return shaSuccess; 1449 } 1451 /* 1452 * SHA1Input 1453 * 1454 * Description: 1455 * This function accepts an array of octets as the next portion 1456 * of the message. 1457 * 1458 * Parameters: 1459 * context: [in/out] 1460 * The SHA context to update 1461 * message_array[ ]: [in] 1462 * An array of octets representing the next portion of 1463 * the message. 1464 * length: [in] 1465 * The length of the message in message_array 1466 * 1467 * Returns: 1469 * sha Error Code. 1470 * 1471 */ 1472 int SHA1Input(SHA1Context *context, 1473 const uint8_t *message_array, unsigned length) 1474 { 1475 if (!context) return shaNull; 1476 if (!length) return shaSuccess; 1477 if (!message_array) return shaNull; 1478 if (context->Computed) return context->Corrupted = shaStateError; 1479 if (context->Corrupted) return context->Corrupted; 1481 while (length--) { 1482 context->Message_Block[context->Message_Block_Index++] = 1483 *message_array; 1485 if ((SHA1AddLength(context, 8) == shaSuccess) && 1486 (context->Message_Block_Index == SHA1_Message_Block_Size)) 1487 SHA1ProcessMessageBlock(context); 1489 message_array++; 1490 } 1492 return context->Corrupted; 1493 } 1495 /* 1496 * SHA1FinalBits 1497 * 1498 * Description: 1499 * This function will add in any final bits of the message. 1500 * 1501 * Parameters: 1502 * context: [in/out] 1503 * The SHA context to update 1504 * message_bits: [in] 1505 * The final bits of the message, in the upper portion of the 1506 * byte. (Use 0b###00000 instead of 0b00000### to input the 1507 * three bits ###.) 1508 * length: [in] 1509 * The number of bits in message_bits, between 1 and 7. 1510 * 1511 * Returns: 1512 * sha Error Code. 1513 */ 1514 int SHA1FinalBits(SHA1Context *context, uint8_t message_bits, 1515 unsigned int length) 1516 { 1517 static uint8_t masks[8] = { 1518 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 1519 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 1520 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 1521 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 1522 }; 1523 static uint8_t markbit[8] = { 1524 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 1525 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 1526 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 1527 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 1528 }; 1530 if (!context) return shaNull; 1531 if (!length) return shaSuccess; 1532 if (context->Corrupted) return context->Corrupted; 1533 if (context->Computed) return context->Corrupted = shaStateError; 1534 if (length >= 8) return context->Corrupted = shaBadParam; 1536 SHA1AddLength(context, length); 1537 SHA1Finalize(context, 1538 (uint8_t) ((message_bits & masks[length]) | markbit[length])); 1540 return context->Corrupted; 1541 } 1543 /* 1544 * SHA1Result 1545 * 1546 * Description: 1547 * This function will return the 160-bit message digest 1548 * into the Message_Digest array provided by the caller. 1549 * NOTE: 1550 * The first octet of hash is stored in the element with index 0, 1551 * the last octet of hash in the element with index 19. 1552 * 1553 * Parameters: 1554 * context: [in/out] 1555 * The context to use to calculate the SHA-1 hash. 1556 * Message_Digest[ ]: [out] 1557 * Where the digest is returned. 1558 * 1559 * Returns: 1560 * sha Error Code. 1561 * 1562 */ 1563 int SHA1Result(SHA1Context *context, 1564 uint8_t Message_Digest[SHA1HashSize]) 1565 { 1566 int i; 1568 if (!context) return shaNull; 1569 if (!Message_Digest) return shaNull; 1570 if (context->Corrupted) return context->Corrupted; 1572 if (!context->Computed) 1573 SHA1Finalize(context, 0x80); 1575 for (i = 0; i < SHA1HashSize; ++i) 1576 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] 1577 >> (8 * ( 3 - ( i & 0x03 ) ))); 1579 return shaSuccess; 1580 } 1582 /* 1583 * SHA1ProcessMessageBlock 1584 * 1585 * Description: 1586 * This helper function will process the next 512 bits of the 1587 * message stored in the Message_Block array. 1588 * 1589 * Parameters: 1590 * context: [in/out] 1591 * The SHA context to update 1592 * 1593 * Returns: 1594 * Nothing. 1595 * 1596 * Comments: 1597 * Many of the variable names in this code, especially the 1598 * single character names, were used because those were the 1599 * names used in the Secure Hash Standard. 1600 */ 1601 static void SHA1ProcessMessageBlock(SHA1Context *context) 1602 { 1603 /* Constants defined in FIPS 180-3, section 4.2.1 */ 1604 const uint32_t K[4] = { 1605 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 1606 }; 1607 int t; /* Loop counter */ 1608 uint32_t temp; /* Temporary word value */ 1609 uint32_t W[80]; /* Word sequence */ 1610 uint32_t A, B, C, D, E; /* Word buffers */ 1612 /* 1613 * Initialize the first 16 words in the array W 1614 */ 1615 for (t = 0; t < 16; t++) { 1616 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; 1617 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; 1618 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; 1619 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); 1620 } 1622 for (t = 16; t < 80; t++) 1623 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); 1625 A = context->Intermediate_Hash[0]; 1626 B = context->Intermediate_Hash[1]; 1627 C = context->Intermediate_Hash[2]; 1628 D = context->Intermediate_Hash[3]; 1629 E = context->Intermediate_Hash[4]; 1631 for (t = 0; t < 20; t++) { 1632 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; 1633 E = D; 1634 D = C; 1635 C = SHA1_ROTL(30,B); 1636 B = A; 1637 A = temp; 1638 } 1640 for (t = 20; t < 40; t++) { 1641 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; 1642 E = D; 1643 D = C; 1644 C = SHA1_ROTL(30,B); 1645 B = A; 1646 A = temp; 1647 } 1649 for (t = 40; t < 60; t++) { 1650 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; 1651 E = D; 1652 D = C; 1653 C = SHA1_ROTL(30,B); 1654 B = A; 1655 A = temp; 1656 } 1658 for (t = 60; t < 80; t++) { 1659 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 1660 E = D; 1661 D = C; 1662 C = SHA1_ROTL(30,B); 1663 B = A; 1664 A = temp; 1665 } 1667 context->Intermediate_Hash[0] += A; 1668 context->Intermediate_Hash[1] += B; 1669 context->Intermediate_Hash[2] += C; 1670 context->Intermediate_Hash[3] += D; 1671 context->Intermediate_Hash[4] += E; 1673 context->Message_Block_Index = 0; 1674 } 1676 /* 1677 * SHA1Finalize 1678 * 1679 * Description: 1680 * This helper function finishes off the digest calculations. 1681 * 1682 * Parameters: 1683 * context: [in/out] 1684 * The SHA context to update 1685 * Pad_Byte: [in] 1686 * The last byte to add to the message block before the 0-padding 1687 * and length. This will contain the last bits of the message 1688 * followed by another single bit. If the message was an 1689 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1690 * 1691 * Returns: 1692 * sha Error Code. 1693 * 1694 */ 1695 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) 1696 { 1697 int i; 1698 SHA1PadMessage(context, Pad_Byte); 1699 /* message may be sensitive, clear it out */ 1700 for (i = 0; i < SHA1_Message_Block_Size; ++i) 1701 context->Message_Block[i] = 0; 1702 context->Length_High = 0; /* and clear length */ 1703 context->Length_Low = 0; 1704 context->Computed = 1; 1705 } 1707 /* 1708 * SHA1PadMessage 1709 * 1710 * Description: 1711 * According to the standard, the message must be padded to the next 1712 * even multiple of 512 bits. The first padding bit must be a '1'. 1713 * The last 64 bits represent the length of the original message. 1714 * All bits in between should be 0. This helper function will pad 1715 * the message according to those rules by filling the Message_Block 1716 * array accordingly. When it returns, it can be assumed that the 1717 * message digest has been computed. 1718 * 1719 * Parameters: 1720 * context: [in/out] 1721 * The context to pad 1722 * Pad_Byte: [in] 1723 * The last byte to add to the message block before the 0-padding 1724 * and length. This will contain the last bits of the message 1725 * followed by another single bit. If the message was an 1726 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 1727 * 1728 * Returns: 1729 * Nothing. 1730 */ 1731 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) 1732 { 1733 /* 1734 * Check to see if the current message block is too small to hold 1735 * the initial padding bits and length. If so, we will pad the 1736 * block, process it, and then continue padding into a second 1737 * block. 1738 */ 1739 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { 1740 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1741 while (context->Message_Block_Index < SHA1_Message_Block_Size) 1742 context->Message_Block[context->Message_Block_Index++] = 0; 1744 SHA1ProcessMessageBlock(context); 1745 } else 1746 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 1748 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) 1749 context->Message_Block[context->Message_Block_Index++] = 0; 1751 /* 1752 * Store the message length as the last 8 octets 1753 */ 1754 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); 1755 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); 1756 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); 1757 context->Message_Block[59] = (uint8_t) (context->Length_High); 1758 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); 1759 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); 1760 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); 1761 context->Message_Block[63] = (uint8_t) (context->Length_Low); 1763 SHA1ProcessMessageBlock(context); 1764 } 1765 8.2.2 sha224-256.c 1767 /************************* sha224-256.c ************************/ 1768 /***************** See RFC NNNN for details. *******************/ 1769 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 1770 /* authors of the code. All rights reserved. */ 1771 /* See sha.h for terms of use and redistribution. */ 1773 /* 1774 * Description: 1775 * This file implements the Secure Hash Algorithms SHA-224 and 1776 * SHA-256 as defined in the U.S. National Institute of Standards 1777 * and Technology Federal Information Processing Standards 1778 * Publication (FIPS PUB) 180-3 published in October 2008 1779 * and formerly defined in its predecessors, FIPS PUB 180-1 1780 * and FIP PUB 180-2. 1781 * 1782 * A combined document showing all algorithms is available at 1783 * http://csrc.nist.gov/publications/fips/ 1784 * fips180-3/fips180-3_final.pdf 1785 * 1786 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 1787 * message digests for a given data stream. It should take about 1788 * 2**n steps to find a message with the same digest as a given 1789 * message and 2**(n/2) to find any two messages with the same 1790 * digest, when n is the digest size in bits. Therefore, this 1791 * algorithm can serve as a means of providing a 1792 * "fingerprint" for a message. 1793 * 1794 * Portability Issues: 1795 * SHA-224 and SHA-256 are defined in terms of 32-bit "words". 1796 * This code uses (included via "sha.h") to define 32 1797 * and 8 bit unsigned integer types. If your C compiler does not 1798 * support 32 bit unsigned integers, this code is not 1799 * appropriate. 1800 * 1801 * Caveats: 1802 * SHA-224 and SHA-256 are designed to work with messages less 1803 * than 2^64 bits long. This implementation uses SHA224/256Input() 1804 * to hash the bits that are a multiple of the size of an 8-bit 1805 * octet, and then optionally uses SHA224/256FinalBits() 1806 * to hash the final few bits of the input. 1807 */ 1809 #include "sha.h" 1810 #include "sha-private.h" 1812 /* Define the SHA shift, rotate left and rotate right macro */ 1813 #define SHA256_SHR(bits,word) ((word) >> (bits)) 1814 #define SHA256_ROTL(bits,word) \ 1815 (((word) << (bits)) | ((word) >> (32-(bits)))) 1816 #define SHA256_ROTR(bits,word) \ 1817 (((word) >> (bits)) | ((word) << (32-(bits)))) 1819 /* Define the SHA SIGMA and sigma macros */ 1820 #define SHA256_SIGMA0(word) \ 1821 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) 1822 #define SHA256_SIGMA1(word) \ 1823 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) 1824 #define SHA256_sigma0(word) \ 1825 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) 1826 #define SHA256_sigma1(word) \ 1827 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) 1829 /* 1830 * Add "length" to the length. 1831 * Set Corrupted when overflow has occurred. 1832 */ 1833 static uint32_t addTemp; 1834 #define SHA224_256AddLength(context, length) \ 1835 (addTemp = (context)->Length_Low, (context)->Corrupted = \ 1836 (((context)->Length_Low += (length)) < addTemp) && \ 1837 (++(context)->Length_High == 0) ? shaInputTooLong : \ 1838 (context)->Corrupted ) 1840 /* Local Function Prototypes */ 1841 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); 1842 static void SHA224_256ProcessMessageBlock(SHA256Context *context); 1843 static void SHA224_256Finalize(SHA256Context *context, 1844 uint8_t Pad_Byte); 1845 static void SHA224_256PadMessage(SHA256Context *context, 1846 uint8_t Pad_Byte); 1847 static int SHA224_256ResultN(SHA256Context *context, 1848 uint8_t Message_Digest[ ], int HashSize); 1850 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */ 1851 static uint32_t SHA224_H0[SHA256HashSize/4] = { 1852 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 1853 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 1854 }; 1856 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */ 1857 static uint32_t SHA256_H0[SHA256HashSize/4] = { 1858 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 1859 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 1860 }; 1862 /* 1863 * SHA224Reset 1864 * 1865 * Description: 1866 * This function will initialize the SHA224Context in preparation 1867 * for computing a new SHA224 message digest. 1868 * 1869 * Parameters: 1870 * context: [in/out] 1871 * The context to reset. 1872 * 1873 * Returns: 1874 * sha Error Code. 1875 */ 1876 int SHA224Reset(SHA224Context *context) 1877 { 1878 return SHA224_256Reset(context, SHA224_H0); 1879 } 1881 /* 1882 * SHA224Input 1883 * 1884 * Description: 1885 * This function accepts an array of octets as the next portion 1886 * of the message. 1887 * 1888 * Parameters: 1889 * context: [in/out] 1890 * The SHA context to update 1891 * message_array[ ]: [in] 1892 * An array of octets representing the next portion of 1893 * the message. 1894 * length: [in] 1895 * The length of the message in message_array 1896 * 1897 * Returns: 1898 * sha Error Code. 1899 * 1900 */ 1901 int SHA224Input(SHA224Context *context, const uint8_t *message_array, 1902 unsigned int length) 1903 { 1904 return SHA256Input(context, message_array, length); 1905 } 1907 /* 1908 * SHA224FinalBits 1909 * 1910 * Description: 1911 * This function will add in any final bits of the message. 1912 * 1913 * Parameters: 1914 * context: [in/out] 1915 * The SHA context to update 1916 * message_bits: [in] 1917 * The final bits of the message, in the upper portion of the 1918 * byte. (Use 0b###00000 instead of 0b00000### to input the 1919 * three bits ###.) 1920 * length: [in] 1921 * The number of bits in message_bits, between 1 and 7. 1922 * 1923 * Returns: 1924 * sha Error Code. 1925 */ 1926 int SHA224FinalBits(SHA224Context *context, 1927 uint8_t message_bits, unsigned int length) 1928 { 1929 return SHA256FinalBits(context, message_bits, length); 1930 } 1932 /* 1933 * SHA224Result 1934 * 1935 * Description: 1936 * This function will return the 224-bit message digest 1937 * into the Message_Digest array provided by the caller. 1938 * NOTE: 1939 * The first octet of hash is stored in the element with index 0, 1940 * the last octet of hash in the element with index 27. 1941 * 1942 * Parameters: 1943 * context: [in/out] 1944 * The context to use to calculate the SHA hash. 1945 * Message_Digest[ ]: [out] 1946 * Where the digest is returned. 1947 * 1948 * Returns: 1949 * sha Error Code. 1950 */ 1951 int SHA224Result(SHA224Context *context, 1952 uint8_t Message_Digest[SHA224HashSize]) 1953 { 1954 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); 1955 } 1957 /* 1958 * SHA256Reset 1959 * 1960 * Description: 1961 * This function will initialize the SHA256Context in preparation 1962 * for computing a new SHA256 message digest. 1963 * 1964 * Parameters: 1966 * context: [in/out] 1967 * The context to reset. 1968 * 1969 * Returns: 1970 * sha Error Code. 1971 */ 1972 int SHA256Reset(SHA256Context *context) 1973 { 1974 return SHA224_256Reset(context, SHA256_H0); 1975 } 1977 /* 1978 * SHA256Input 1979 * 1980 * Description: 1981 * This function accepts an array of octets as the next portion 1982 * of the message. 1983 * 1984 * Parameters: 1985 * context: [in/out] 1986 * The SHA context to update 1987 * message_array[ ]: [in] 1988 * An array of octets representing the next portion of 1989 * the message. 1990 * length: [in] 1991 * The length of the message in message_array 1992 * 1993 * Returns: 1994 * sha Error Code. 1995 */ 1996 int SHA256Input(SHA256Context *context, const uint8_t *message_array, 1997 unsigned int length) 1998 { 1999 if (!context) return shaNull; 2000 if (!length) return shaSuccess; 2001 if (!message_array) return shaNull; 2002 if (context->Computed) return context->Corrupted = shaStateError; 2003 if (context->Corrupted) return context->Corrupted; 2005 while (length--) { 2006 context->Message_Block[context->Message_Block_Index++] = 2007 *message_array; 2009 if ((SHA224_256AddLength(context, 8) == shaSuccess) && 2010 (context->Message_Block_Index == SHA256_Message_Block_Size)) 2011 SHA224_256ProcessMessageBlock(context); 2013 message_array++; 2014 } 2015 return context->Corrupted; 2017 } 2019 /* 2020 * SHA256FinalBits 2021 * 2022 * Description: 2023 * This function will add in any final bits of the message. 2024 * 2025 * Parameters: 2026 * context: [in/out] 2027 * The SHA context to update 2028 * message_bits: [in] 2029 * The final bits of the message, in the upper portion of the 2030 * byte. (Use 0b###00000 instead of 0b00000### to input the 2031 * three bits ###.) 2032 * length: [in] 2033 * The number of bits in message_bits, between 1 and 7. 2034 * 2035 * Returns: 2036 * sha Error Code. 2037 */ 2038 int SHA256FinalBits(SHA256Context *context, 2039 uint8_t message_bits, unsigned int length) 2040 { 2041 static uint8_t masks[8] = { 2042 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2043 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2044 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2045 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2046 }; 2047 static uint8_t markbit[8] = { 2048 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2049 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2050 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2051 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2052 }; 2054 if (!context) return shaNull; 2055 if (!length) return shaSuccess; 2056 if (context->Corrupted) return context->Corrupted; 2057 if (context->Computed) return context->Corrupted = shaStateError; 2058 if (length >= 8) return context->Corrupted = shaBadParam; 2060 SHA224_256AddLength(context, length); 2061 SHA224_256Finalize(context, (uint8_t) 2062 ((message_bits & masks[length]) | markbit[length])); 2064 return context->Corrupted; 2066 } 2068 /* 2069 * SHA256Result 2070 * 2071 * Description: 2072 * This function will return the 256-bit message digest 2073 * into the Message_Digest array provided by the caller. 2074 * NOTE: 2075 * The first octet of hash is stored in the element with index 0, 2076 * the last octet of hash in the element with index 31. 2077 * 2078 * Parameters: 2079 * context: [in/out] 2080 * The context to use to calculate the SHA hash. 2081 * Message_Digest[ ]: [out] 2082 * Where the digest is returned. 2083 * 2084 * Returns: 2085 * sha Error Code. 2086 */ 2087 int SHA256Result(SHA256Context *context, 2088 uint8_t Message_Digest[SHA256HashSize]) 2089 { 2090 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); 2091 } 2093 /* 2094 * SHA224_256Reset 2095 * 2096 * Description: 2097 * This helper function will initialize the SHA256Context in 2098 * preparation for computing a new SHA-224 or SHA-256 message digest. 2099 * 2100 * Parameters: 2101 * context: [in/out] 2102 * The context to reset. 2103 * H0[ ]: [in] 2104 * The initial hash value array to use. 2105 * 2106 * Returns: 2107 * sha Error Code. 2108 */ 2109 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) 2110 { 2111 if (!context) return shaNull; 2113 context->Length_High = context->Length_Low = 0; 2114 context->Message_Block_Index = 0; 2115 context->Intermediate_Hash[0] = H0[0]; 2116 context->Intermediate_Hash[1] = H0[1]; 2117 context->Intermediate_Hash[2] = H0[2]; 2118 context->Intermediate_Hash[3] = H0[3]; 2119 context->Intermediate_Hash[4] = H0[4]; 2120 context->Intermediate_Hash[5] = H0[5]; 2121 context->Intermediate_Hash[6] = H0[6]; 2122 context->Intermediate_Hash[7] = H0[7]; 2124 context->Computed = 0; 2125 context->Corrupted = shaSuccess; 2127 return shaSuccess; 2128 } 2130 /* 2131 * SHA224_256ProcessMessageBlock 2132 * 2133 * Description: 2134 * This helper function will process the next 512 bits of the 2135 * message stored in the Message_Block array. 2136 * 2137 * Parameters: 2138 * context: [in/out] 2139 * The SHA context to update 2140 * 2141 * Returns: 2142 * Nothing. 2143 * 2144 * Comments: 2145 * Many of the variable names in this code, especially the 2146 * single character names, were used because those were the 2147 * names used in the Secure Hash Standard. 2148 */ 2149 static void SHA224_256ProcessMessageBlock(SHA256Context *context) 2150 { 2151 /* Constants defined in FIPS 180-3, section 4.2.2 */ 2152 static const uint32_t K[64] = { 2153 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 2154 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 2155 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 2156 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 2157 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 2158 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 2159 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 2160 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 2161 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 2162 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 2163 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 2164 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 2165 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 2166 }; 2167 int t, t4; /* Loop counter */ 2168 uint32_t temp1, temp2; /* Temporary word value */ 2169 uint32_t W[64]; /* Word sequence */ 2170 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ 2172 /* 2173 * Initialize the first 16 words in the array W 2174 */ 2175 for (t = t4 = 0; t < 16; t++, t4 += 4) 2176 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | 2177 (((uint32_t)context->Message_Block[t4 + 1]) << 16) | 2178 (((uint32_t)context->Message_Block[t4 + 2]) << 8) | 2179 (((uint32_t)context->Message_Block[t4 + 3])); 2181 for (t = 16; t < 64; t++) 2182 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + 2183 SHA256_sigma0(W[t-15]) + W[t-16]; 2185 A = context->Intermediate_Hash[0]; 2186 B = context->Intermediate_Hash[1]; 2187 C = context->Intermediate_Hash[2]; 2188 D = context->Intermediate_Hash[3]; 2189 E = context->Intermediate_Hash[4]; 2190 F = context->Intermediate_Hash[5]; 2191 G = context->Intermediate_Hash[6]; 2192 H = context->Intermediate_Hash[7]; 2194 for (t = 0; t < 64; t++) { 2195 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 2196 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); 2197 H = G; 2198 G = F; 2199 F = E; 2200 E = D + temp1; 2201 D = C; 2202 C = B; 2203 B = A; 2204 A = temp1 + temp2; 2205 } 2207 context->Intermediate_Hash[0] += A; 2208 context->Intermediate_Hash[1] += B; 2209 context->Intermediate_Hash[2] += C; 2210 context->Intermediate_Hash[3] += D; 2211 context->Intermediate_Hash[4] += E; 2212 context->Intermediate_Hash[5] += F; 2213 context->Intermediate_Hash[6] += G; 2214 context->Intermediate_Hash[7] += H; 2215 context->Message_Block_Index = 0; 2216 } 2218 /* 2219 * SHA224_256Finalize 2220 * 2221 * Description: 2222 * This helper function finishes off the digest calculations. 2223 * 2224 * Parameters: 2225 * context: [in/out] 2226 * The SHA context to update 2227 * Pad_Byte: [in] 2228 * The last byte to add to the message block before the 0-padding 2229 * and length. This will contain the last bits of the message 2230 * followed by another single bit. If the message was an 2231 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2232 * 2233 * Returns: 2234 * sha Error Code. 2235 */ 2236 static void SHA224_256Finalize(SHA256Context *context, 2237 uint8_t Pad_Byte) 2238 { 2239 int i; 2240 SHA224_256PadMessage(context, Pad_Byte); 2241 /* message may be sensitive, so clear it out */ 2242 for (i = 0; i < SHA256_Message_Block_Size; ++i) 2243 context->Message_Block[i] = 0; 2244 context->Length_High = 0; /* and clear length */ 2245 context->Length_Low = 0; 2246 context->Computed = 1; 2247 } 2249 /* 2250 * SHA224_256PadMessage 2251 * 2252 * Description: 2253 * According to the standard, the message must be padded to the next 2254 * even multiple of 512 bits. The first padding bit must be a '1'. 2255 * The last 64 bits represent the length of the original message. 2256 * All bits in between should be 0. This helper function will pad 2257 * the message according to those rules by filling the 2258 * Message_Block array accordingly. When it returns, it can be 2259 * assumed that the message digest has been computed. 2260 * 2261 * Parameters: 2262 * context: [in/out] 2263 * The context to pad 2264 * Pad_Byte: [in] 2265 * The last byte to add to the message block before the 0-padding 2266 * and length. This will contain the last bits of the message 2267 * followed by another single bit. If the message was an 2268 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 2269 * 2270 * Returns: 2271 * Nothing. 2272 */ 2273 static void SHA224_256PadMessage(SHA256Context *context, 2274 uint8_t Pad_Byte) 2275 { 2276 /* 2277 * Check to see if the current message block is too small to hold 2278 * the initial padding bits and length. If so, we will pad the 2279 * block, process it, and then continue padding into a second 2280 * block. 2281 */ 2282 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { 2283 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2284 while (context->Message_Block_Index < SHA256_Message_Block_Size) 2285 context->Message_Block[context->Message_Block_Index++] = 0; 2286 SHA224_256ProcessMessageBlock(context); 2287 } else 2288 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 2290 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) 2291 context->Message_Block[context->Message_Block_Index++] = 0; 2293 /* 2294 * Store the message length as the last 8 octets 2295 */ 2296 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); 2297 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); 2298 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); 2299 context->Message_Block[59] = (uint8_t)(context->Length_High); 2300 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); 2301 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); 2302 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); 2303 context->Message_Block[63] = (uint8_t)(context->Length_Low); 2305 SHA224_256ProcessMessageBlock(context); 2306 } 2308 /* 2309 * SHA224_256ResultN 2310 * 2311 * Description: 2312 * This helper function will return the 224-bit or 256-bit message 2313 * digest into the Message_Digest array provided by the caller. 2314 * NOTE: 2316 * The first octet of hash is stored in the element with index 0, 2317 * the last octet of hash in the element with index 27/31. 2318 * 2319 * Parameters: 2320 * context: [in/out] 2321 * The context to use to calculate the SHA hash. 2322 * Message_Digest[ ]: [out] 2323 * Where the digest is returned. 2324 * HashSize: [in] 2325 * The size of the hash, either 28 or 32. 2326 * 2327 * Returns: 2328 * sha Error Code. 2329 */ 2330 static int SHA224_256ResultN(SHA256Context *context, 2331 uint8_t Message_Digest[ ], int HashSize) 2332 { 2333 int i; 2335 if (!context) return shaNull; 2336 if (!Message_Digest) return shaNull; 2337 if (context->Corrupted) return context->Corrupted; 2339 if (!context->Computed) 2340 SHA224_256Finalize(context, 0x80); 2342 for (i = 0; i < HashSize; ++i) 2343 Message_Digest[i] = (uint8_t) 2344 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); 2346 return shaSuccess; 2347 } 2349 8.2.3 sha384-512.c 2351 /************************* sha384-512.c ************************/ 2352 /***************** See RFC NNNN for details. *******************/ 2353 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 2354 /* authors of the code. All rights reserved. */ 2355 /* See sha.h for terms of use and redistribution. */ 2357 /* 2358 * Description: 2359 * This file implements the Secure Hash Algorithms SHA-384 and 2360 * SHA-512 as defined in the U.S. National Institute of Standards 2361 * and Technology Federal Information Processing Standards 2362 * Publication (FIPS PUB) 180-3 published in October 2008 2363 * and formerly defined in its predecessors, FIPS PUB 180-1 2364 * and FIP PUB 180-2. 2365 * 2366 * A combined document showing all algorithms is available at 2367 * http://csrc.nist.gov/publications/fips/ 2368 * fips180-3/fips180-3_final.pdf 2369 * 2370 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 2371 * message digests for a given data stream. It should take about 2372 * 2**n steps to find a message with the same digest as a given 2373 * message and 2**(n/2) to find any two messages with the same 2374 * digest, when n is the digest size in bits. Therefore, this 2375 * algorithm can serve as a means of providing a 2376 * "fingerprint" for a message. 2377 * 2378 * Portability Issues: 2379 * SHA-384 and SHA-512 are defined in terms of 64-bit "words", 2380 * but if USE_32BIT_ONLY is #defined, this code is implemented in 2381 * terms of 32-bit "words". This code uses (included 2382 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer 2383 * types. If your C compiler does not support 64 bit unsigned 2384 * integers, and you do not #define USE_32BIT_ONLY, this code is 2385 * not appropriate. 2386 * 2387 * Caveats: 2388 * SHA-384 and SHA-512 are designed to work with messages less 2389 * than 2^128 bits long. This implementation uses SHA384/512Input() 2390 * to hash the bits that are a multiple of the size of an 8-bit 2391 * octet, and then optionally uses SHA384/256FinalBits() 2392 * to hash the final few bits of the input. 2393 * 2394 */ 2396 #include "sha.h" 2398 #ifdef USE_32BIT_ONLY 2399 /* 2400 * Define 64-bit arithmetic in terms of 32-bit arithmetic. 2401 * Each 64-bit number is represented in a 2-word array. 2402 * All macros are defined such that the result is the last parameter. 2403 */ 2405 /* 2406 * Define shift, rotate left and rotate right functions 2407 */ 2408 #define SHA512_SHR(bits, word, ret) ( \ 2409 /* (((uint64_t)((word))) >> (bits)) */ \ 2410 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ 2411 ((word)[0] >> (bits)) : 0, \ 2412 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ 2413 ((bits) == 32) ? (word)[0] : \ 2414 ((bits) >= 0) ? \ 2415 (((word)[0] << (32 - (bits))) | \ 2416 ((word)[1] >> (bits))) : 0 ) 2418 #define SHA512_SHL(bits, word, ret) ( \ 2419 /* (((uint64_t)(word)) << (bits)) */ \ 2420 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ 2421 ((bits) == 32) ? (word)[1] : \ 2422 ((bits) >= 0) ? \ 2423 (((word)[0] << (bits)) | \ 2424 ((word)[1] >> (32 - (bits)))) : \ 2425 0, \ 2426 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ 2427 ((word)[1] << (bits)) : 0 ) 2429 /* 2430 * Define 64-bit OR 2431 */ 2432 #define SHA512_OR(word1, word2, ret) ( \ 2433 (ret)[0] = (word1)[0] | (word2)[0], \ 2434 (ret)[1] = (word1)[1] | (word2)[1] ) 2436 /* 2437 * Define 64-bit XOR 2438 */ 2439 #define SHA512_XOR(word1, word2, ret) ( \ 2440 (ret)[0] = (word1)[0] ^ (word2)[0], \ 2441 (ret)[1] = (word1)[1] ^ (word2)[1] ) 2443 /* 2444 * Define 64-bit AND 2445 */ 2446 #define SHA512_AND(word1, word2, ret) ( \ 2447 (ret)[0] = (word1)[0] & (word2)[0], \ 2448 (ret)[1] = (word1)[1] & (word2)[1] ) 2450 /* 2451 * Define 64-bit TILDA 2452 */ 2453 #define SHA512_TILDA(word, ret) \ 2454 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) 2456 /* 2457 * Define 64-bit ADD 2458 */ 2459 #define SHA512_ADD(word1, word2, ret) ( \ 2460 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ 2461 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) 2463 /* 2464 * Add the 4word value in word2 to word1. 2465 */ 2466 static uint32_t ADDTO4_temp, ADDTO4_temp2; 2467 #define SHA512_ADDTO4(word1, word2) ( \ 2468 ADDTO4_temp = (word1)[3], \ 2469 (word1)[3] += (word2)[3], \ 2470 ADDTO4_temp2 = (word1)[2], \ 2471 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ 2472 ADDTO4_temp = (word1)[1], \ 2473 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ 2474 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) 2476 /* 2477 * Add the 2word value in word2 to word1. 2478 */ 2479 static uint32_t ADDTO2_temp; 2480 #define SHA512_ADDTO2(word1, word2) ( \ 2481 ADDTO2_temp = (word1)[1], \ 2482 (word1)[1] += (word2)[1], \ 2483 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) 2485 /* 2486 * SHA rotate ((word >> bits) | (word << (64-bits))) 2487 */ 2488 static uint32_t ROTR_temp1[2], ROTR_temp2[2]; 2489 #define SHA512_ROTR(bits, word, ret) ( \ 2490 SHA512_SHR((bits), (word), ROTR_temp1), \ 2491 SHA512_SHL(64-(bits), (word), ROTR_temp2), \ 2492 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) 2494 /* 2495 * Define the SHA SIGMA and sigma macros 2496 * 2497 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2498 */ 2499 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], 2500 SIGMA0_temp3[2], SIGMA0_temp4[2]; 2501 #define SHA512_SIGMA0(word, ret) ( \ 2502 SHA512_ROTR(28, (word), SIGMA0_temp1), \ 2503 SHA512_ROTR(34, (word), SIGMA0_temp2), \ 2504 SHA512_ROTR(39, (word), SIGMA0_temp3), \ 2505 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ 2506 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) 2508 /* 2509 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) 2510 */ 2511 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], 2512 SIGMA1_temp3[2], SIGMA1_temp4[2]; 2513 #define SHA512_SIGMA1(word, ret) ( \ 2514 SHA512_ROTR(14, (word), SIGMA1_temp1), \ 2515 SHA512_ROTR(18, (word), SIGMA1_temp2), \ 2516 SHA512_ROTR(41, (word), SIGMA1_temp3), \ 2517 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ 2518 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) 2520 /* 2521 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2522 */ 2523 static uint32_t sigma0_temp1[2], sigma0_temp2[2], 2524 sigma0_temp3[2], sigma0_temp4[2]; 2525 #define SHA512_sigma0(word, ret) ( \ 2526 SHA512_ROTR( 1, (word), sigma0_temp1), \ 2527 SHA512_ROTR( 8, (word), sigma0_temp2), \ 2528 SHA512_SHR( 7, (word), sigma0_temp3), \ 2529 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ 2530 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) 2532 /* 2533 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2534 */ 2535 static uint32_t sigma1_temp1[2], sigma1_temp2[2], 2536 sigma1_temp3[2], sigma1_temp4[2]; 2537 #define SHA512_sigma1(word, ret) ( \ 2538 SHA512_ROTR(19, (word), sigma1_temp1), \ 2539 SHA512_ROTR(61, (word), sigma1_temp2), \ 2540 SHA512_SHR( 6, (word), sigma1_temp3), \ 2541 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ 2542 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) 2544 #ifndef USE_MODIFIED_MACROS 2545 /* 2546 * These definitions are the ones used in FIPS 180-3, section 4.1.3 2547 * Ch(x,y,z) ((x & y) ^ (~x & z)) 2548 */ 2549 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 2550 #define SHA_Ch(x, y, z, ret) ( \ 2551 SHA512_AND(x, y, Ch_temp1), \ 2552 SHA512_TILDA(x, Ch_temp2), \ 2553 SHA512_AND(Ch_temp2, z, Ch_temp3), \ 2554 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) 2556 /* 2557 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) 2558 */ 2559 static uint32_t Maj_temp1[2], Maj_temp2[2], 2560 Maj_temp3[2], Maj_temp4[2]; 2561 #define SHA_Maj(x, y, z, ret) ( \ 2562 SHA512_AND(x, y, Maj_temp1), \ 2563 SHA512_AND(x, z, Maj_temp2), \ 2564 SHA512_AND(y, z, Maj_temp3), \ 2565 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ 2566 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) 2568 #else /* !USE_MODIFIED_MACROS */ 2569 /* 2570 * These definitions are potentially faster equivalents for the ones 2571 * used in FIPS 180-3, section 4.1.3. 2572 * ((x & y) ^ (~x & z)) becomes 2573 * ((x & (y ^ z)) ^ z) 2574 */ 2575 #define SHA_Ch(x, y, z, ret) ( \ 2576 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ 2577 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) 2579 /* 2580 * ((x & y) ^ (x & z) ^ (y & z)) becomes 2581 * ((x & (y | z)) | (y & z)) 2582 */ 2583 #define SHA_Maj(x, y, z, ret) ( \ 2584 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ 2585 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) 2586 #endif /* USE_MODIFIED_MACROS */ 2588 /* 2589 * Add "length" to the length. 2590 * Set Corrupted when overflow has occurred. 2591 */ 2592 static uint32_t addTemp[4] = { 0, 0, 0, 0 }; 2593 #define SHA384_512AddLength(context, length) ( \ 2594 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 2595 (context)->Corrupted = (((context)->Length[3] < (length)) && \ 2596 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ 2597 ((context)->Length[0] == 0)) ? shaInputTooLong : \ 2598 (context)->Corrupted ) 2600 /* Local Function Prototypes */ 2601 static int SHA384_512Reset(SHA512Context *context, 2602 uint32_t H0[SHA512HashSize/4]); 2603 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2604 static void SHA384_512Finalize(SHA512Context *context, 2605 uint8_t Pad_Byte); 2606 static void SHA384_512PadMessage(SHA512Context *context, 2607 uint8_t Pad_Byte); 2608 static int SHA384_512ResultN( SHA512Context *context, 2609 uint8_t Message_Digest[ ], int HashSize); 2611 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2612 static uint32_t SHA384_H0[SHA512HashSize/4] = { 2613 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, 2614 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, 2615 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, 2616 0xBEFA4FA4 2617 }; 2619 static uint32_t SHA512_H0[SHA512HashSize/4] = { 2620 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, 2621 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, 2622 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, 2623 0x137E2179 2624 }; 2626 #else /* !USE_32BIT_ONLY */ 2628 #include "sha-private.h" 2630 /* Define the SHA shift, rotate left and rotate right macro */ 2631 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) 2632 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ 2633 (((uint64_t)(word)) << (64-(bits)))) 2635 /* 2636 * Define the SHA SIGMA and sigma macros 2637 * 2638 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) 2639 */ 2640 #define SHA512_SIGMA0(word) \ 2641 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) 2642 #define SHA512_SIGMA1(word) \ 2643 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) 2644 #define SHA512_sigma0(word) \ 2645 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) 2646 #define SHA512_sigma1(word) \ 2647 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) 2649 /* 2650 * Add "length" to the length. 2651 * Set Corrupted when overflow has occurred. 2652 */ 2653 static uint64_t addTemp; 2654 #define SHA384_512AddLength(context, length) \ 2655 (addTemp = context->Length_Low, context->Corrupted = \ 2656 ((context->Length_Low += length) < addTemp) && \ 2657 (++context->Length_High == 0) ? shaInputTooLong : \ 2658 (context)->Corrupted) 2660 /* Local Function Prototypes */ 2661 static int SHA384_512Reset(SHA512Context *context, 2662 uint64_t H0[SHA512HashSize/8]); 2663 static void SHA384_512ProcessMessageBlock(SHA512Context *context); 2664 static void SHA384_512Finalize(SHA512Context *context, 2665 uint8_t Pad_Byte); 2666 static void SHA384_512PadMessage(SHA512Context *context, 2667 uint8_t Pad_Byte); 2668 static int SHA384_512ResultN(SHA512Context *context, 2669 uint8_t Message_Digest[ ], int HashSize); 2671 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 2672 static uint64_t SHA384_H0[ ] = { 2673 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 2674 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 2675 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll 2676 }; 2677 static uint64_t SHA512_H0[ ] = { 2678 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 2679 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 2680 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll 2681 }; 2683 #endif /* USE_32BIT_ONLY */ 2685 /* 2686 * SHA384Reset 2687 * 2688 * Description: 2689 * This function will initialize the SHA384Context in preparation 2690 * for computing a new SHA384 message digest. 2691 * 2692 * Parameters: 2693 * context: [in/out] 2694 * The context to reset. 2695 * 2696 * Returns: 2697 * sha Error Code. 2698 * 2699 */ 2700 int SHA384Reset(SHA384Context *context) 2701 { 2702 return SHA384_512Reset(context, SHA384_H0); 2703 } 2705 /* 2706 * SHA384Input 2707 * 2708 * Description: 2709 * This function accepts an array of octets as the next portion 2710 * of the message. 2711 * 2712 * Parameters: 2713 * context: [in/out] 2714 * The SHA context to update 2715 * message_array[ ]: [in] 2716 * An array of octets representing the next portion of 2717 * the message. 2718 * length: [in] 2719 * The length of the message in message_array 2720 * 2721 * Returns: 2722 * sha Error Code. 2723 * 2724 */ 2725 int SHA384Input(SHA384Context *context, 2726 const uint8_t *message_array, unsigned int length) 2727 { 2728 return SHA512Input(context, message_array, length); 2729 } 2731 /* 2732 * SHA384FinalBits 2733 * 2734 * Description: 2735 * This function will add in any final bits of the message. 2736 * 2737 * Parameters: 2738 * context: [in/out] 2739 * The SHA context to update 2740 * message_bits: [in] 2741 * The final bits of the message, in the upper portion of the 2742 * byte. (Use 0b###00000 instead of 0b00000### to input the 2743 * three bits ###.) 2744 * length: [in] 2745 * The number of bits in message_bits, between 1 and 7. 2746 * 2747 * Returns: 2748 * sha Error Code. 2749 * 2750 */ 2751 int SHA384FinalBits(SHA384Context *context, 2752 uint8_t message_bits, unsigned int length) 2753 { 2754 return SHA512FinalBits(context, message_bits, length); 2755 } 2757 /* 2758 * SHA384Result 2759 * 2760 * Description: 2761 * This function will return the 384-bit message digest 2762 * into the Message_Digest array provided by the caller. 2763 * NOTE: 2765 * The first octet of hash is stored in the element with index 0, 2766 * the last octet of hash in the element with index 47. 2767 * 2768 * Parameters: 2769 * context: [in/out] 2770 * The context to use to calculate the SHA hash. 2771 * Message_Digest[ ]: [out] 2772 * Where the digest is returned. 2773 * 2774 * Returns: 2775 * sha Error Code. 2776 * 2777 */ 2778 int SHA384Result(SHA384Context *context, 2779 uint8_t Message_Digest[SHA384HashSize]) 2780 { 2781 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); 2782 } 2784 /* 2785 * SHA512Reset 2786 * 2787 * Description: 2788 * This function will initialize the SHA512Context in preparation 2789 * for computing a new SHA512 message digest. 2790 * 2791 * Parameters: 2792 * context: [in/out] 2793 * The context to reset. 2794 * 2795 * Returns: 2796 * sha Error Code. 2797 * 2798 */ 2799 int SHA512Reset(SHA512Context *context) 2800 { 2801 return SHA384_512Reset(context, SHA512_H0); 2802 } 2804 /* 2805 * SHA512Input 2806 * 2807 * Description: 2808 * This function accepts an array of octets as the next portion 2809 * of the message. 2810 * 2811 * Parameters: 2812 * context: [in/out] 2813 * The SHA context to update 2814 * message_array[ ]: [in] 2815 * An array of octets representing the next portion of 2816 * the message. 2817 * length: [in] 2818 * The length of the message in message_array 2819 * 2820 * Returns: 2821 * sha Error Code. 2822 * 2823 */ 2824 int SHA512Input(SHA512Context *context, 2825 const uint8_t *message_array, 2826 unsigned int length) 2827 { 2828 if (!context) return shaNull; 2829 if (!length) return shaSuccess; 2830 if (!message_array) return shaNull; 2831 if (context->Computed) return context->Corrupted = shaStateError; 2832 if (context->Corrupted) return context->Corrupted; 2834 while (length--) { 2835 context->Message_Block[context->Message_Block_Index++] = 2836 *message_array; 2838 if ((SHA384_512AddLength(context, 8) == shaSuccess) && 2839 (context->Message_Block_Index == SHA512_Message_Block_Size)) 2840 SHA384_512ProcessMessageBlock(context); 2842 message_array++; 2843 } 2845 return context->Corrupted; 2846 } 2848 /* 2849 * SHA512FinalBits 2850 * 2851 * Description: 2852 * This function will add in any final bits of the message. 2853 * 2854 * Parameters: 2855 * context: [in/out] 2856 * The SHA context to update 2857 * message_bits: [in] 2858 * The final bits of the message, in the upper portion of the 2859 * byte. (Use 0b###00000 instead of 0b00000### to input the 2860 * three bits ###.) 2861 * length: [in] 2862 * The number of bits in message_bits, between 1 and 7. 2863 * 2864 * Returns: 2866 * sha Error Code. 2867 * 2868 */ 2869 int SHA512FinalBits(SHA512Context *context, 2870 uint8_t message_bits, unsigned int length) 2871 { 2872 static uint8_t masks[8] = { 2873 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, 2874 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, 2875 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, 2876 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE 2877 }; 2878 static uint8_t markbit[8] = { 2879 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, 2880 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, 2881 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, 2882 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 2883 }; 2885 if (!context) return shaNull; 2886 if (!length) return shaSuccess; 2887 if (context->Corrupted) return context->Corrupted; 2888 if (context->Computed) return context->Corrupted = shaStateError; 2889 if (length >= 8) return context->Corrupted = shaBadParam; 2891 SHA384_512AddLength(context, length); 2892 SHA384_512Finalize(context, (uint8_t) 2893 ((message_bits & masks[length]) | markbit[length])); 2895 return context->Corrupted; 2896 } 2898 /* 2899 * SHA512Result 2900 * 2901 * Description: 2902 * This function will return the 512-bit message digest 2903 * into the Message_Digest array provided by the caller. 2904 * NOTE: 2905 * The first octet of hash is stored in the element with index 0, 2906 * the last octet of hash in the element with index 63. 2907 * 2908 * Parameters: 2909 * context: [in/out] 2910 * The context to use to calculate the SHA hash. 2911 * Message_Digest[ ]: [out] 2912 * Where the digest is returned. 2913 * 2914 * Returns: 2915 * sha Error Code. 2917 * 2918 */ 2919 int SHA512Result(SHA512Context *context, 2920 uint8_t Message_Digest[SHA512HashSize]) 2921 { 2922 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); 2923 } 2925 /* 2926 * SHA384_512Reset 2927 * 2928 * Description: 2929 * This helper function will initialize the SHA512Context in 2930 * preparation for computing a new SHA384 or SHA512 message 2931 * digest. 2932 * 2933 * Parameters: 2934 * context: [in/out] 2935 * The context to reset. 2936 * H0[ ]: [in] 2937 * The initial hash value array to use. 2938 * 2939 * Returns: 2940 * sha Error Code. 2941 * 2942 */ 2943 #ifdef USE_32BIT_ONLY 2944 static int SHA384_512Reset(SHA512Context *context, 2945 uint32_t H0[SHA512HashSize/4]) 2946 #else /* !USE_32BIT_ONLY */ 2947 static int SHA384_512Reset(SHA512Context *context, 2948 uint64_t H0[SHA512HashSize/8]) 2949 #endif /* USE_32BIT_ONLY */ 2950 { 2951 int i; 2952 if (!context) return shaNull; 2954 context->Message_Block_Index = 0; 2956 #ifdef USE_32BIT_ONLY 2957 context->Length[0] = context->Length[1] = 2958 context->Length[2] = context->Length[3] = 0; 2960 for (i = 0; i < SHA512HashSize/4; i++) 2961 context->Intermediate_Hash[i] = H0[i]; 2962 #else /* !USE_32BIT_ONLY */ 2963 context->Length_High = context->Length_Low = 0; 2965 for (i = 0; i < SHA512HashSize/8; i++) 2966 context->Intermediate_Hash[i] = H0[i]; 2968 #endif /* USE_32BIT_ONLY */ 2970 context->Computed = 0; 2971 context->Corrupted = shaSuccess; 2973 return shaSuccess; 2974 } 2976 /* 2977 * SHA384_512ProcessMessageBlock 2978 * 2979 * Description: 2980 * This helper function will process the next 1024 bits of the 2981 * message stored in the Message_Block array. 2982 * 2983 * Parameters: 2984 * context: [in/out] 2985 * The SHA context to update 2986 * 2987 * Returns: 2988 * Nothing. 2989 * 2990 * Comments: 2991 * Many of the variable names in this code, especially the 2992 * single character names, were used because those were the 2993 * names used in the Secure Hash Standard. 2994 * 2995 * 2996 */ 2997 static void SHA384_512ProcessMessageBlock(SHA512Context *context) 2998 { 2999 #ifdef USE_32BIT_ONLY 3000 /* Constants defined in FIPS 180-3, section 4.2.3 */ 3001 static const uint32_t K[80*2] = { 3002 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, 3003 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, 3004 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, 3005 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 3006 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, 3007 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, 3008 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, 3009 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, 3010 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, 3011 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, 3012 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, 3013 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, 3014 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, 3015 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, 3016 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, 3017 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, 3018 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, 3019 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, 3020 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, 3021 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, 3022 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, 3023 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, 3024 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, 3025 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, 3026 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, 3027 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, 3028 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, 3029 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 3030 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, 3031 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, 3032 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, 3033 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 3034 }; 3035 int t, t2, t8; /* Loop counter */ 3036 uint32_t temp1[2], temp2[2], /* Temporary word values */ 3037 temp3[2], temp4[2], temp5[2]; 3038 uint32_t W[2*80]; /* Word sequence */ 3039 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ 3040 E[2], F[2], G[2], H[2]; 3042 /* Initialize the first 16 words in the array W */ 3043 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { 3044 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | 3045 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | 3046 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | 3047 ((((uint32_t)context->Message_Block[t8 + 3]))); 3048 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | 3049 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | 3050 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | 3051 ((((uint32_t)context->Message_Block[t8 + 7]))); 3052 } 3054 for (t = 16; t < 80; t++, t2 += 2) { 3055 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3056 SHA512_sigma0(W[t-15]) + W[t-16]; */ 3057 uint32_t *Wt2 = &W[t2-2*2]; 3058 uint32_t *Wt7 = &W[t2-7*2]; 3059 uint32_t *Wt15 = &W[t2-15*2]; 3060 uint32_t *Wt16 = &W[t2-16*2]; 3061 SHA512_sigma1(Wt2, temp1); 3062 SHA512_ADD(temp1, Wt7, temp2); 3063 SHA512_sigma0(Wt15, temp1); 3064 SHA512_ADD(temp1, Wt16, temp3); 3065 SHA512_ADD(temp2, temp3, &W[t2]); 3066 } 3067 A[0] = context->Intermediate_Hash[0]; 3068 A[1] = context->Intermediate_Hash[1]; 3069 B[0] = context->Intermediate_Hash[2]; 3070 B[1] = context->Intermediate_Hash[3]; 3071 C[0] = context->Intermediate_Hash[4]; 3072 C[1] = context->Intermediate_Hash[5]; 3073 D[0] = context->Intermediate_Hash[6]; 3074 D[1] = context->Intermediate_Hash[7]; 3075 E[0] = context->Intermediate_Hash[8]; 3076 E[1] = context->Intermediate_Hash[9]; 3077 F[0] = context->Intermediate_Hash[10]; 3078 F[1] = context->Intermediate_Hash[11]; 3079 G[0] = context->Intermediate_Hash[12]; 3080 G[1] = context->Intermediate_Hash[13]; 3081 H[0] = context->Intermediate_Hash[14]; 3082 H[1] = context->Intermediate_Hash[15]; 3084 for (t = t2 = 0; t < 80; t++, t2 += 2) { 3085 /* 3086 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3087 */ 3088 SHA512_SIGMA1(E,temp1); 3089 SHA512_ADD(H, temp1, temp2); 3090 SHA_Ch(E,F,G,temp3); 3091 SHA512_ADD(temp2, temp3, temp4); 3092 SHA512_ADD(&K[t2], &W[t2], temp5); 3093 SHA512_ADD(temp4, temp5, temp1); 3094 /* 3095 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3096 */ 3097 SHA512_SIGMA0(A,temp3); 3098 SHA_Maj(A,B,C,temp4); 3099 SHA512_ADD(temp3, temp4, temp2); 3100 H[0] = G[0]; H[1] = G[1]; 3101 G[0] = F[0]; G[1] = F[1]; 3102 F[0] = E[0]; F[1] = E[1]; 3103 SHA512_ADD(D, temp1, E); 3104 D[0] = C[0]; D[1] = C[1]; 3105 C[0] = B[0]; C[1] = B[1]; 3106 B[0] = A[0]; B[1] = A[1]; 3107 SHA512_ADD(temp1, temp2, A); 3108 } 3110 SHA512_ADDTO2(&context->Intermediate_Hash[0], A); 3111 SHA512_ADDTO2(&context->Intermediate_Hash[2], B); 3112 SHA512_ADDTO2(&context->Intermediate_Hash[4], C); 3113 SHA512_ADDTO2(&context->Intermediate_Hash[6], D); 3114 SHA512_ADDTO2(&context->Intermediate_Hash[8], E); 3115 SHA512_ADDTO2(&context->Intermediate_Hash[10], F); 3116 SHA512_ADDTO2(&context->Intermediate_Hash[12], G); 3117 SHA512_ADDTO2(&context->Intermediate_Hash[14], H); 3119 #else /* !USE_32BIT_ONLY */ 3120 /* Constants defined in FIPS 180-3, section 4.2.3 */ 3121 static const uint64_t K[80] = { 3122 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, 3123 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, 3124 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, 3125 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, 3126 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, 3127 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, 3128 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, 3129 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, 3130 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, 3131 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, 3132 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, 3133 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, 3134 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, 3135 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, 3136 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, 3137 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, 3138 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, 3139 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, 3140 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, 3141 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, 3142 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, 3143 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, 3144 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, 3145 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, 3146 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, 3147 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, 3148 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll 3149 }; 3150 int t, t8; /* Loop counter */ 3151 uint64_t temp1, temp2; /* Temporary word value */ 3152 uint64_t W[80]; /* Word sequence */ 3153 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ 3155 /* 3156 * Initialize the first 16 words in the array W 3157 */ 3158 for (t = t8 = 0; t < 16; t++, t8 += 8) 3159 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | 3160 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | 3161 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | 3162 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | 3163 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | 3164 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | 3165 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | 3166 ((uint64_t)(context->Message_Block[t8 + 7])); 3168 for (t = 16; t < 80; t++) 3169 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + 3170 SHA512_sigma0(W[t-15]) + W[t-16]; 3172 A = context->Intermediate_Hash[0]; 3173 B = context->Intermediate_Hash[1]; 3174 C = context->Intermediate_Hash[2]; 3175 D = context->Intermediate_Hash[3]; 3176 E = context->Intermediate_Hash[4]; 3177 F = context->Intermediate_Hash[5]; 3178 G = context->Intermediate_Hash[6]; 3179 H = context->Intermediate_Hash[7]; 3181 for (t = 0; t < 80; t++) { 3182 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; 3183 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); 3184 H = G; 3185 G = F; 3186 F = E; 3187 E = D + temp1; 3188 D = C; 3189 C = B; 3190 B = A; 3191 A = temp1 + temp2; 3192 } 3194 context->Intermediate_Hash[0] += A; 3195 context->Intermediate_Hash[1] += B; 3196 context->Intermediate_Hash[2] += C; 3197 context->Intermediate_Hash[3] += D; 3198 context->Intermediate_Hash[4] += E; 3199 context->Intermediate_Hash[5] += F; 3200 context->Intermediate_Hash[6] += G; 3201 context->Intermediate_Hash[7] += H; 3202 #endif /* USE_32BIT_ONLY */ 3204 context->Message_Block_Index = 0; 3205 } 3207 /* 3208 * SHA384_512Finalize 3209 * 3210 * Description: 3211 * This helper function finishes off the digest calculations. 3212 * 3213 * Parameters: 3214 * context: [in/out] 3215 * The SHA context to update 3216 * Pad_Byte: [in] 3217 * The last byte to add to the message block before the 0-padding 3218 * and length. This will contain the last bits of the message 3219 * followed by another single bit. If the message was an 3220 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3221 * 3222 * Returns: 3223 * sha Error Code. 3224 * 3225 */ 3226 static void SHA384_512Finalize(SHA512Context *context, 3227 uint8_t Pad_Byte) 3228 { 3229 int_least16_t i; 3230 SHA384_512PadMessage(context, Pad_Byte); 3231 /* message may be sensitive, clear it out */ 3232 for (i = 0; i < SHA512_Message_Block_Size; ++i) 3233 context->Message_Block[i] = 0; 3234 #ifdef USE_32BIT_ONLY /* and clear length */ 3235 context->Length[0] = context->Length[1] = 0; 3236 context->Length[2] = context->Length[3] = 0; 3237 #else /* !USE_32BIT_ONLY */ 3238 context->Length_High = context->Length_Low = 0; 3239 #endif /* USE_32BIT_ONLY */ 3240 context->Computed = 1; 3241 } 3243 /* 3244 * SHA384_512PadMessage 3245 * 3246 * Description: 3247 * According to the standard, the message must be padded to the next 3248 * even multiple of 1024 bits. The first padding bit must be a '1'. 3249 * The last 128 bits represent the length of the original message. 3250 * All bits in between should be 0. This helper function will 3251 * pad the message according to those rules by filling the 3252 * Message_Block array accordingly. When it returns, it can be 3253 * assumed that the message digest has been computed. 3254 * 3255 * Parameters: 3256 * context: [in/out] 3257 * The context to pad 3258 * Pad_Byte: [in] 3259 * The last byte to add to the message block before the 0-padding 3260 * and length. This will contain the last bits of the message 3261 * followed by another single bit. If the message was an 3262 * exact multiple of 8-bits long, Pad_Byte will be 0x80. 3263 * 3264 * Returns: 3265 * Nothing. 3266 * 3267 */ 3269 static void SHA384_512PadMessage(SHA512Context *context, 3270 uint8_t Pad_Byte) 3271 { 3272 /* 3273 * Check to see if the current message block is too small to hold 3274 * the initial padding bits and length. If so, we will pad the 3275 * block, process it, and then continue padding into a second 3276 * block. 3277 */ 3278 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { 3279 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3280 while (context->Message_Block_Index < SHA512_Message_Block_Size) 3281 context->Message_Block[context->Message_Block_Index++] = 0; 3283 SHA384_512ProcessMessageBlock(context); 3284 } else 3285 context->Message_Block[context->Message_Block_Index++] = Pad_Byte; 3287 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) 3288 context->Message_Block[context->Message_Block_Index++] = 0; 3290 /* 3291 * Store the message length as the last 16 octets 3292 */ 3293 #ifdef USE_32BIT_ONLY 3294 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); 3295 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); 3296 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); 3297 context->Message_Block[115] = (uint8_t)(context->Length[0]); 3298 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); 3299 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); 3300 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); 3301 context->Message_Block[119] = (uint8_t)(context->Length[1]); 3303 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); 3304 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); 3305 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); 3306 context->Message_Block[123] = (uint8_t)(context->Length[2]); 3307 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); 3308 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); 3309 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); 3310 context->Message_Block[127] = (uint8_t)(context->Length[3]); 3311 #else /* !USE_32BIT_ONLY */ 3312 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); 3313 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); 3314 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); 3315 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); 3316 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); 3317 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); 3318 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); 3319 context->Message_Block[119] = (uint8_t)(context->Length_High); 3321 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); 3322 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); 3323 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); 3324 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); 3325 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); 3326 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); 3327 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); 3328 context->Message_Block[127] = (uint8_t)(context->Length_Low); 3329 #endif /* USE_32BIT_ONLY */ 3331 SHA384_512ProcessMessageBlock(context); 3332 } 3334 /* 3335 * SHA384_512ResultN 3336 * 3337 * Description: 3338 * This helper function will return the 384-bit or 512-bit message 3339 * digest into the Message_Digest array provided by the caller. 3340 * NOTE: 3341 * The first octet of hash is stored in the element with index 0, 3342 * the last octet of hash in the element with index 47/63. 3343 * 3344 * Parameters: 3345 * context: [in/out] 3346 * The context to use to calculate the SHA hash. 3347 * Message_Digest[ ]: [out] 3348 * Where the digest is returned. 3349 * HashSize: [in] 3350 * The size of the hash, either 48 or 64. 3351 * 3352 * Returns: 3353 * sha Error Code. 3354 * 3355 */ 3356 static int SHA384_512ResultN(SHA512Context *context, 3357 uint8_t Message_Digest[ ], int HashSize) 3358 { 3359 int i; 3360 #ifdef USE_32BIT_ONLY 3361 int i2; 3362 #endif /* USE_32BIT_ONLY */ 3364 if (!context) return shaNull; 3365 if (!Message_Digest) return shaNull; 3366 if (context->Corrupted) return context->Corrupted; 3368 if (!context->Computed) 3369 SHA384_512Finalize(context, 0x80); 3371 #ifdef USE_32BIT_ONLY 3372 for (i = i2 = 0; i < HashSize; ) { 3373 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3374 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3375 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3376 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3377 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); 3378 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); 3379 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); 3380 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); 3381 } 3382 #else /* !USE_32BIT_ONLY */ 3383 for (i = 0; i < HashSize; ++i) 3384 Message_Digest[i] = (uint8_t) 3385 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); 3386 #endif /* USE_32BIT_ONLY */ 3388 return shaSuccess; 3389 } 3391 8.2.4 usha.c 3393 /**************************** usha.c ***************************/ 3394 /***************** See RFC NNNN for details. *******************/ 3395 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3396 /* authors of the code. All rights reserved. */ 3397 /* See sha.h for terms of use and redistribution. */ 3399 /* 3400 * Description: 3401 * This file implements a unified interface to the SHA algorithms. 3402 */ 3404 #include "sha.h" 3406 /* 3407 * USHAReset 3408 * 3409 * Description: 3410 * This function will initialize the SHA Context in preparation 3411 * for computing a new SHA message digest. 3412 * 3413 * Parameters: 3414 * context: [in/out] 3415 * The context to reset. 3416 * whichSha: [in] 3417 * Selects which SHA reset to call 3418 * 3419 * Returns: 3420 * sha Error Code. 3421 * 3422 */ 3423 int USHAReset(USHAContext *context, enum SHAversion whichSha) 3424 { 3425 if (!context) return shaNull; 3426 context->whichSha = whichSha; 3427 switch (whichSha) { 3428 case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); 3429 case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); 3430 case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); 3431 case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); 3432 case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); 3433 default: return shaBadParam; 3434 } 3435 } 3437 /* 3438 * USHAInput 3439 * 3440 * Description: 3441 * This function accepts an array of octets as the next portion 3442 * of the message. 3443 * 3444 * Parameters: 3445 * context: [in/out] 3446 * The SHA context to update 3447 * message_array: [in] 3448 * An array of octets representing the next portion of 3449 * the message. 3450 * length: [in] 3451 * The length of the message in message_array 3452 * 3453 * Returns: 3454 * sha Error Code. 3455 * 3456 */ 3457 int USHAInput(USHAContext *context, 3458 const uint8_t *bytes, unsigned int bytecount) 3459 { 3460 if (!context) return shaNull; 3461 switch (context->whichSha) { 3462 case SHA1: 3463 return SHA1Input((SHA1Context*)&context->ctx, bytes, 3464 bytecount); 3465 case SHA224: 3466 return SHA224Input((SHA224Context*)&context->ctx, bytes, 3467 bytecount); 3468 case SHA256: 3469 return SHA256Input((SHA256Context*)&context->ctx, bytes, 3470 bytecount); 3471 case SHA384: 3472 return SHA384Input((SHA384Context*)&context->ctx, bytes, 3473 bytecount); 3474 case SHA512: 3475 return SHA512Input((SHA512Context*)&context->ctx, bytes, 3476 bytecount); 3477 default: return shaBadParam; 3478 } 3479 } 3481 /* 3482 * USHAFinalBits 3483 * 3484 * Description: 3485 * This function will add in any final bits of the message. 3486 * 3487 * Parameters: 3488 * context: [in/out] 3489 * The SHA context to update 3490 * message_bits: [in] 3491 * The final bits of the message, in the upper portion of the 3492 * byte. (Use 0b###00000 instead of 0b00000### to input the 3493 * three bits ###.) 3494 * length: [in] 3495 * The number of bits in message_bits, between 1 and 7. 3496 * 3497 * Returns: 3498 * sha Error Code. 3499 */ 3500 int USHAFinalBits(USHAContext *context, 3501 uint8_t bits, unsigned int bit_count) 3502 { 3503 if (!context) return shaNull; 3504 switch (context->whichSha) { 3505 case SHA1: 3506 return SHA1FinalBits((SHA1Context*)&context->ctx, bits, 3507 bit_count); 3508 case SHA224: 3509 return SHA224FinalBits((SHA224Context*)&context->ctx, bits, 3510 bit_count); 3511 case SHA256: 3512 return SHA256FinalBits((SHA256Context*)&context->ctx, bits, 3513 bit_count); 3514 case SHA384: 3515 return SHA384FinalBits((SHA384Context*)&context->ctx, bits, 3516 bit_count); 3518 case SHA512: 3519 return SHA512FinalBits((SHA512Context*)&context->ctx, bits, 3520 bit_count); 3521 default: return shaBadParam; 3522 } 3523 } 3525 /* 3526 * USHAResult 3527 * 3528 * Description: 3529 * This function will return the message digest of the appropriate 3530 * bit size, as returned by USHAHashSizeBits(whichSHA) for the 3531 * 'whichSHA' value used in the preceeding call to USHAReset, 3532 * into the Message_Digest array provided by the caller. 3533 * 3534 * Parameters: 3535 * context: [in/out] 3536 * The context to use to calculate the SHA-1 hash. 3537 * Message_Digest: [out] 3538 * Where the digest is returned. 3539 * 3540 * Returns: 3541 * sha Error Code. 3542 * 3543 */ 3544 int USHAResult(USHAContext *context, 3545 uint8_t Message_Digest[USHAMaxHashSize]) 3546 { 3547 if (!context) return shaNull; 3548 switch (context->whichSha) { 3549 case SHA1: 3550 return SHA1Result((SHA1Context*)&context->ctx, Message_Digest); 3551 case SHA224: 3552 return SHA224Result((SHA224Context*)&context->ctx, 3553 Message_Digest); 3554 case SHA256: 3555 return SHA256Result((SHA256Context*)&context->ctx, 3556 Message_Digest); 3557 case SHA384: 3558 return SHA384Result((SHA384Context*)&context->ctx, 3559 Message_Digest); 3560 case SHA512: 3561 return SHA512Result((SHA512Context*)&context->ctx, 3562 Message_Digest); 3563 default: return shaBadParam; 3564 } 3565 } 3567 /* 3568 * USHABlockSize 3569 * 3570 * Description: 3571 * This function will return the blocksize for the given SHA 3572 * algorithm. 3573 * 3574 * Parameters: 3575 * whichSha: 3576 * which SHA algorithm to query 3577 * 3578 * Returns: 3579 * block size 3580 * 3581 */ 3582 int USHABlockSize(enum SHAversion whichSha) 3583 { 3584 switch (whichSha) { 3585 case SHA1: return SHA1_Message_Block_Size; 3586 case SHA224: return SHA224_Message_Block_Size; 3587 case SHA256: return SHA256_Message_Block_Size; 3588 case SHA384: return SHA384_Message_Block_Size; 3589 default: 3590 case SHA512: return SHA512_Message_Block_Size; 3591 } 3592 } 3594 /* 3595 * USHAHashSize 3596 * 3597 * Description: 3598 * This function will return the hashsize for the given SHA 3599 * algorithm. 3600 * 3601 * Parameters: 3602 * whichSha: 3603 * which SHA algorithm to query 3604 * 3605 * Returns: 3606 * hash size 3607 * 3608 */ 3609 int USHAHashSize(enum SHAversion whichSha) 3610 { 3611 switch (whichSha) { 3612 case SHA1: return SHA1HashSize; 3613 case SHA224: return SHA224HashSize; 3614 case SHA256: return SHA256HashSize; 3615 case SHA384: return SHA384HashSize; 3616 default: 3617 case SHA512: return SHA512HashSize; 3619 } 3620 } 3622 /* 3623 * USHAHashSizeBits 3624 * 3625 * Description: 3626 * This function will return the hashsize for the given SHA 3627 * algorithm, expressed in bits. 3628 * 3629 * Parameters: 3630 * whichSha: 3631 * which SHA algorithm to query 3632 * 3633 * Returns: 3634 * hash size in bits 3635 * 3636 */ 3637 int USHAHashSizeBits(enum SHAversion whichSha) 3638 { 3639 switch (whichSha) { 3640 case SHA1: return SHA1HashSizeBits; 3641 case SHA224: return SHA224HashSizeBits; 3642 case SHA256: return SHA256HashSizeBits; 3643 case SHA384: return SHA384HashSizeBits; 3644 default: 3645 case SHA512: return SHA512HashSizeBits; 3646 } 3647 } 3649 /* 3650 * USHAHashName 3651 * 3652 * Description: 3653 * This function will return the name of the given SHA algorithm 3654 * as a string. 3655 * 3656 * Parameters: 3657 * whichSha: 3658 * which SHA algorithm to query 3659 * 3660 * Returns: 3661 * character string with the name in it 3662 * 3663 */ 3664 const char *USHAHashName(enum SHAversion whichSha) 3665 { 3666 switch (whichSha) { 3667 case SHA1: return "SHA1"; 3668 case SHA224: return "SHA224"; 3669 case SHA256: return "SHA256"; 3670 case SHA384: return "SHA384"; 3671 default: 3672 case SHA512: return "SHA512"; 3673 } 3674 } 3676 8.3 The HMAC Code 3678 /**************************** hmac.c ***************************/ 3679 /***************** See RFC NNNN for details. *******************/ 3680 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3681 /* authors of the code. All rights reserved. */ 3682 /* See sha.h for terms of use and redistribution. */ 3684 /* 3685 * Description: 3686 * This file implements the HMAC algorithm (Keyed-Hashing for 3687 * Message Authentication, [RFC 2104]), expressed in terms of 3688 * the various SHA algorithms. 3689 */ 3691 #include "sha.h" 3693 /* 3694 * hmac 3695 * 3696 * Description: 3697 * This function will compute an HMAC message digest. 3698 * 3699 * Parameters: 3700 * whichSha: [in] 3701 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3702 * message_array[ ]: [in] 3703 * An array of octets representing the message. 3704 * Note: in RFC 2104, this parameter is known 3705 * as 'text'. 3706 * length: [in] 3707 * The length of the message in message_array. 3708 * key[ ]: [in] 3709 * The secret shared key. 3710 * key_len: [in] 3711 * The length of the secret shared key. 3712 * digest[ ]: [out] 3713 * Where the digest is to be returned. 3714 * NOTE: The length of the digest is determined by 3715 * the value of whichSha. 3716 * 3717 * Returns: 3718 * sha Error Code. 3719 * 3720 */ 3721 int hmac(SHAversion whichSha, 3722 const unsigned char *message_array, int length, 3723 const unsigned char *key, int key_len, 3724 uint8_t digest[USHAMaxHashSize]) 3725 { 3726 HMACContext context; 3727 return hmacReset(&context, whichSha, key, key_len) || 3728 hmacInput(&context, message_array, length) || 3729 hmacResult(&context, digest); 3730 } 3732 /* 3733 * hmacReset 3734 * 3735 * Description: 3736 * This function will initialize the hmacContext in preparation 3737 * for computing a new HMAC message digest. 3738 * 3739 * Parameters: 3740 * context: [in/out] 3741 * The context to reset. 3742 * whichSha: [in] 3743 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3744 * key[ ]: [in] 3745 * The secret shared key. 3746 * key_len: [in] 3747 * The length of the secret shared key. 3748 * 3749 * Returns: 3750 * sha Error Code. 3751 * 3752 */ 3753 int hmacReset(HMACContext *context, enum SHAversion whichSha, 3754 const unsigned char *key, int key_len) 3755 { 3756 int i, blocksize, hashsize, ret; 3758 /* inner padding - key XORd with ipad */ 3759 unsigned char k_ipad[USHA_Max_Message_Block_Size]; 3761 /* temporary buffer when keylen > blocksize */ 3762 unsigned char tempkey[USHAMaxHashSize]; 3764 if (!context) return shaNull; 3765 context->Computed = 0; 3766 context->Corrupted = shaSuccess; 3767 blocksize = context->blockSize = USHABlockSize(whichSha); 3768 hashsize = context->hashSize = USHAHashSize(whichSha); 3770 context->whichSha = whichSha; 3772 /* 3773 * If key is longer than the hash blocksize, 3774 * reset it to key = HASH(key). 3775 */ 3776 if (key_len > blocksize) { 3777 USHAContext tcontext; 3778 int err = USHAReset(&tcontext, whichSha) || 3779 USHAInput(&tcontext, key, key_len) || 3780 USHAResult(&tcontext, tempkey); 3781 if (err != shaSuccess) return err; 3783 key = tempkey; 3784 key_len = hashsize; 3785 } 3787 /* 3788 * The HMAC transform looks like: 3789 * 3790 * SHA(K XOR opad, SHA(K XOR ipad, text)) 3791 * 3792 * where K is an n byte key, 0-padded to a total of blocksize bytes, 3793 * ipad is the byte 0x36 repeated blocksize times, 3794 * opad is the byte 0x5c repeated blocksize times, 3795 * and text is the data being protected. 3796 */ 3798 /* store key into the pads, XOR'd with ipad and opad values */ 3799 for (i = 0; i < key_len; i++) { 3800 k_ipad[i] = key[i] ^ 0x36; 3801 context->k_opad[i] = key[i] ^ 0x5c; 3802 } 3803 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ 3804 for ( ; i < blocksize; i++) { 3805 k_ipad[i] = 0x36; 3806 context->k_opad[i] = 0x5c; 3807 } 3809 /* perform inner hash */ 3810 /* init context for 1st pass */ 3811 ret = USHAReset(&context->shaContext, whichSha) || 3812 /* and start with inner pad */ 3813 USHAInput(&context->shaContext, k_ipad, blocksize); 3814 return context->Corrupted = ret; 3815 } 3816 /* 3817 * hmacInput 3818 * 3819 * Description: 3820 * This function accepts an array of octets as the next portion 3821 * of the message. It may be called multiple times. 3822 * 3823 * Parameters: 3824 * context: [in/out] 3825 * The HMAC context to update 3826 * text[ ]: [in] 3827 * An array of octets representing the next portion of 3828 * the message. 3829 * text_len: [in] 3830 * The length of the message in text 3831 * 3832 * Returns: 3833 * sha Error Code. 3834 * 3835 */ 3836 int hmacInput(HMACContext *context, const unsigned char *text, 3837 int text_len) 3838 { 3839 if (!context) return shaNull; 3840 if (context->Corrupted) return context->Corrupted; 3841 if (context->Computed) return context->Corrupted = shaStateError; 3842 /* then text of datagram */ 3843 return context->Corrupted = 3844 USHAInput(&context->shaContext, text, text_len); 3845 } 3847 /* 3848 * hmacFinalBits 3849 * 3850 * Description: 3851 * This function will add in any final bits of the message. 3852 * 3853 * Parameters: 3854 * context: [in/out] 3855 * The HMAC context to update 3856 * message_bits: [in] 3857 * The final bits of the message, in the upper portion of the 3858 * byte. (Use 0b###00000 instead of 0b00000### to input the 3859 * three bits ###.) 3860 * length: [in] 3861 * The number of bits in message_bits, between 1 and 7. 3862 * 3863 * Returns: 3864 * sha Error Code. 3865 */ 3867 int hmacFinalBits(HMACContext *context, 3868 uint8_t bits, unsigned int bit_count) 3869 { 3870 if (!context) return shaNull; 3871 if (context->Corrupted) return context->Corrupted; 3872 if (context->Computed) return context->Corrupted = shaStateError; 3873 /* then final bits of datagram */ 3874 return context->Corrupted = 3875 USHAFinalBits(&context->shaContext, bits, bit_count); 3876 } 3878 /* 3879 * hmacResult 3880 * 3881 * Description: 3882 * This function will return the N-byte message digest into the 3883 * Message_Digest array provided by the caller. 3884 * 3885 * Parameters: 3886 * context: [in/out] 3887 * The context to use to calculate the HMAC hash. 3888 * digest[ ]: [out] 3889 * Where the digest is returned. 3890 * NOTE 2: The length of the hash is determined by the value of 3891 * whichSha that was passed to hmacReset(). 3892 * 3893 * Returns: 3894 * sha Error Code. 3895 * 3896 */ 3897 int hmacResult(HMACContext *context, uint8_t *digest) 3898 { 3899 int ret; 3900 if (!context) return shaNull; 3901 if (context->Corrupted) return context->Corrupted; 3902 if (context->Computed) return context->Corrupted = shaStateError; 3904 /* finish up 1st pass */ 3905 /* (Use digest here as a temporary buffer.) */ 3906 ret = 3907 USHAResult(&context->shaContext, digest) || 3909 /* perform outer SHA */ 3910 /* init context for 2nd pass */ 3911 USHAReset(&context->shaContext, context->whichSha) || 3913 /* start with outer pad */ 3914 USHAInput(&context->shaContext, context->k_opad, 3915 context->blockSize) || 3917 /* then results of 1st hash */ 3918 USHAInput(&context->shaContext, digest, context->hashSize) || 3920 /* finish up 2nd pass */ 3921 USHAResult(&context->shaContext, digest); 3923 context->Computed = 1; 3924 return context->Corrupted = ret; 3925 } 3927 8.4 The HKDF Code 3929 /**************************** hkdf.c ***************************/ 3930 /***************** See RFC NNNN for details. *******************/ 3931 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 3932 /* authors of the code. All rights reserved. */ 3933 /* See sha.h for terms of use and redistribution. */ 3935 /* 3936 * Description: 3937 * This file implements the HKDF algorithm (HMAC-based 3938 * Extract-and-Expand Key Derivation Function, RFC 5869), 3939 * expressed in terms of the various SHA algorithms. 3940 */ 3942 #include "sha.h" 3943 #include 3944 #include 3946 /* 3947 * hkdf 3948 * 3949 * Description: 3950 * This function will generate keying material using HKDF. 3951 * 3952 * Parameters: 3953 * whichSha: [in] 3954 * One of SHA1, SHA224, SHA256, SHA384, SHA512 3955 * salt[ ]: [in] 3956 * The optional salt value (a non-secret random value); 3957 * if not provided (salt == NULL), it is set internally 3958 * to a string of HashLen(whichSha) zeros. 3959 * salt_len: [in] 3960 * The length of the salt value. (Ignored if salt == NULL.) 3961 * ikm[ ]: [in] 3962 * Input keying material. 3963 * ikm_len: [in] 3964 * The length of the input keying material. 3966 * info[ ]: [in] 3967 * The optional context and application specific information. 3968 * If info == NULL or a zero-length string, it is ignored. 3969 * info_len: [in] 3970 * The length of the optional context and application specific 3971 * information. (Ignored if info == NULL.) 3972 * okm[ ]: [out] 3973 * Where the HKDF is to be stored. 3974 * okm_len: [in] 3975 * The length of the buffer to hold okm. 3976 * okm_len must be <= 255 * USHABlockSize(whichSha) 3977 * 3978 * Notes: 3979 * Calls hkdfExtract() and hkdfExpand(). 3980 * 3981 * Returns: 3982 * sha Error Code. 3983 * 3984 */ 3985 int hkdf(SHAversion whichSha, 3986 const unsigned char *salt, int salt_len, 3987 const unsigned char *ikm, int ikm_len, 3988 const unsigned char *info, int info_len, 3989 uint8_t okm[ ], int okm_len) 3990 { 3991 uint8_t prk[USHAMaxHashSize]; 3992 return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) || 3993 hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 3994 info_len, okm, okm_len); 3995 } 3997 /* 3998 * hkdfExtract 3999 * 4000 * Description: 4001 * This function will perform HKDF extraction. 4002 * 4003 * Parameters: 4004 * whichSha: [in] 4005 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4006 * salt[ ]: [in] 4007 * The optional salt value (a non-secret random value); 4008 * if not provided (salt == NULL), it is set internally 4009 * to a string of HashLen(whichSha) zeros. 4010 * salt_len: [in] 4011 * The length of the salt value. (Ignored if salt == NULL.) 4012 * ikm[ ]: [in] 4013 * Input keying material. 4014 * ikm_len: [in] 4015 * The length of the input keying material. 4017 * prk[ ]: [out] 4018 * Array where the HKDF extraction is to be stored. 4019 * Must be larger than USHAHashSize(whichSha); 4020 * 4021 * Returns: 4022 * sha Error Code. 4023 * 4024 */ 4025 int hkdfExtract(SHAversion whichSha, 4026 const unsigned char *salt, int salt_len, 4027 const unsigned char *ikm, int ikm_len, 4028 uint8_t prk[USHAMaxHashSize]) 4029 { 4030 unsigned char nullSalt[USHAMaxHashSize]; 4031 if (salt == 0) { 4032 salt = nullSalt; 4033 salt_len = USHAHashSize(whichSha); 4034 memset(nullSalt, '\0', salt_len); 4035 } else if (salt_len < 0) { 4036 return shaBadParam; 4037 } 4038 return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk); 4039 } 4041 /* 4042 * hkdfExpand 4043 * 4044 * Description: 4045 * This function will perform HKDF expansion. 4046 * 4047 * Parameters: 4048 * whichSha: [in] 4049 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4050 * prk[ ]: [in] 4051 * The pseudorandom key to be expanded; either obtained 4052 * directly from a cryptographically strong, uniformly 4053 * distributed pseudorandom number generator, or as the 4054 * output from hkdfExtract(). 4055 * prk_len: [in] 4056 * The length of the pseudorandom key in prk; 4057 * should at least be equal to USHAHashSize(whichSHA). 4058 * info[ ]: [in] 4059 * The optional context and application specific information. 4060 * If info == NULL or a zero-length string, it is ignored. 4061 * info_len: [in] 4062 * The length of the optional context and application specific 4063 * information. (Ignored if info == NULL.) 4064 * okm[ ]: [out] 4065 * Where the HKDF is to be stored. 4066 * okm_len: [in] 4067 * The length of the buffer to hold okm. 4068 * okm_len must be <= 255 * USHABlockSize(whichSha) 4069 * 4070 * Returns: 4071 * sha Error Code. 4072 * 4073 */ 4074 int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, 4075 const unsigned char *info, int info_len, 4076 uint8_t okm[ ], int okm_len) 4077 { 4078 int hash_len, N; 4079 unsigned char T[USHAMaxHashSize]; 4080 int Tlen, where, i; 4082 if (info == 0) { 4083 info = (const unsigned char *)""; 4084 info_len = 0; 4085 } else if (info_len < 0) { 4086 return shaBadParam; 4087 } 4088 if (okm_len <= 0) return shaBadParam; 4089 if (!okm) return shaBadParam; 4091 hash_len = USHAHashSize(whichSha); 4092 if (prk_len < hash_len) return shaBadParam; 4093 N = okm_len / hash_len; 4094 if ((okm_len % hash_len) != 0) N++; 4095 if (N > 255) return shaBadParam; 4097 Tlen = 0; 4098 where = 0; 4099 for (i = 1; i <= N; i++) { 4100 HMACContext context; 4101 unsigned char c = i; 4102 int ret = hmacReset(&context, whichSha, prk, prk_len) || 4103 hmacInput(&context, T, Tlen) || 4104 hmacInput(&context, info, info_len) || 4105 hmacInput(&context, &c, 1) || 4106 hmacResult(&context, T); 4107 if (ret != shaSuccess) return ret; 4108 memcpy(okm + where, T, 4109 (i != N) ? hash_len : (okm_len - where)); 4110 where += hash_len; 4111 Tlen = hash_len; 4112 } 4113 return shaSuccess; 4114 } 4116 /* 4117 * hkdfReset 4118 * 4119 * Description: 4120 * This function will initialize the hkdfContext in preparation 4121 * for key derivation using the modular HKDF interface for 4122 * arbitrary length inputs. 4123 * 4124 * Parameters: 4125 * context: [in/out] 4126 * The context to reset. 4127 * whichSha: [in] 4128 * One of SHA1, SHA224, SHA256, SHA384, SHA512 4129 * salt[ ]: [in] 4130 * The optional salt value (a non-secret random value); 4131 * if not provided (salt == NULL), it is set internally 4132 * to a string of HashLen(whichSha) zeros. 4133 * salt_len: [in] 4134 * The length of the salt value. (Ignored if salt == NULL.) 4135 * 4136 * Returns: 4137 * sha Error Code. 4138 * 4139 */ 4140 int hkdfReset(HKDFContext *context, enum SHAversion whichSha, 4141 const unsigned char *salt, int salt_len) 4142 { 4143 unsigned char nullSalt[USHAMaxHashSize]; 4144 if (!context) return shaNull; 4146 context->whichSha = whichSha; 4147 context->hashSize = USHAHashSize(whichSha); 4148 if (salt == 0) { 4149 salt = nullSalt; 4150 salt_len = context->hashSize; 4151 memset(nullSalt, '\0', salt_len); 4152 } 4154 return hmacReset(&context->hmacContext, whichSha, salt, salt_len); 4155 } 4157 /* 4158 * hkdfInput 4159 * 4160 * Description: 4161 * This function accepts an array of octets as the next portion 4162 * of the input keying material. It may be called multiple times. 4163 * 4164 * Parameters: 4165 * context: [in/out] 4166 * The HKDF context to update. 4168 * ikm[ ]: [in] 4169 * An array of octets representing the next portion of 4170 * the input keying material. 4171 * ikm_len: [in] 4172 * The length of ikm. 4173 * 4174 * Returns: 4175 * sha Error Code. 4176 * 4177 */ 4178 int hkdfInput(HKDFContext *context, const unsigned char *ikm, 4179 int ikm_len) 4180 { 4181 if (!context) return shaNull; 4182 if (context->Corrupted) return context->Corrupted; 4183 if (context->Computed) return context->Corrupted = shaStateError; 4184 return hmacInput(&context->hmacContext, ikm, ikm_len); 4185 } 4187 /* 4188 * hkdfFinalBits 4189 * 4190 * Description: 4191 * This function will add in any final bits of the 4192 * input keying material. 4193 * 4194 * Parameters: 4195 * context: [in/out] 4196 * The HKDF context to update 4197 * ikm_bits: [in] 4198 * The final bits of the input keying material, in the upper 4199 * portion of the byte. (Use 0b###00000 instead of 0b00000### 4200 * to input the three bits ###.) 4201 * ikm_bit_count: [in] 4202 * The number of bits in message_bits, between 1 and 7. 4203 * 4204 * Returns: 4205 * sha Error Code. 4206 */ 4207 int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, 4208 unsigned int ikm_bit_count) 4209 { 4210 if (!context) return shaNull; 4211 if (context->Corrupted) return context->Corrupted; 4212 if (context->Computed) return context->Corrupted = shaStateError; 4213 return hmacFinalBits(&context->hmacContext, ikm_bits, ikm_bit_count); 4214 } 4216 /* 4217 * hkdfResult 4218 * 4219 * Description: 4220 * This function will finish the HKDF extraction and perform the 4221 * final HKDF expansion. 4222 * 4223 * Parameters: 4224 * context: [in/out] 4225 * The HKDF context to use to calculate the HKDF hash. 4226 * prk[ ]: [out] 4227 * An optional location to store the HKDF extraction. 4228 * Either NULL, or pointer to a buffer that must be 4229 * larger than USHAHashSize(whichSha); 4230 * info[ ]: [in] 4231 * The optional context and application specific information. 4232 * If info == NULL or a zero-length string, it is ignored. 4233 * info_len: [in] 4234 * The length of the optional context and application specific 4235 * information. (Ignored if info == NULL.) 4236 * okm[ ]: [out] 4237 * Where the HKDF is to be stored. 4238 * okm_len: [in] 4239 * The length of the buffer to hold okm. 4240 * okm_len must be <= 255 * USHABlockSize(whichSha) 4241 * 4242 * Returns: 4243 * sha Error Code. 4244 * 4245 */ 4246 int hkdfResult(HKDFContext *context, 4247 uint8_t prk[USHAMaxHashSize], 4248 const unsigned char *info, int info_len, 4249 uint8_t okm[ ], int okm_len) 4250 { 4251 uint8_t prkbuf[USHAMaxHashSize]; 4252 int ret; 4254 if (!context) return shaNull; 4255 if (context->Corrupted) return context->Corrupted; 4256 if (context->Computed) return context->Corrupted = shaStateError; 4257 if (!okm) return context->Corrupted = shaBadParam; 4258 if (!prk) prk = prkbuf; 4260 ret = hmacResult(&context->hmacContext, prk) || 4261 hkdfExpand(context->whichSha, prk, context->hashSize, info, 4262 info_len, okm, okm_len); 4263 context->Computed = 1; 4264 return context->Corrupted = ret; 4265 } 4266 8.5 The Test Driver 4268 The following code is a main program test driver to exercise the code 4269 in sha1.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 4270 driver can also be used as a standalone program for generating the 4271 hashes. Note that the tests assume that character values are as in 4272 [US-ASCII] and a run time check warns if the code appears to have 4273 been compiled with some other character system. 4275 See also [SHAVS]. 4277 /************************** shatest.c **************************/ 4278 /***************** See RFC NNNN for details. *******************/ 4279 /* Copyright (c) 2010 IETF Trust and the persons identified as */ 4280 /* authors of the code. All rights reserved. */ 4281 /* See sha.h for terms of use and redistribution. */ 4283 /* 4284 * Description: 4285 * This file will exercise the SHA code performing 4286 * the three tests documented in FIPS PUB 180-3 4287 * (http://csrc.nist.gov/publications/fips/ 4288 * fips180-2/fips180-2withchangenotice.pdf) 4289 * one that calls SHAInput with an exact multiple of 512 bits 4290 * the seven tests documented for each algorithm in 4291 * "The Secure Hash Algorithm Validation System (SHAVS)" 4292 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 4293 * three of which are bit-level tests 4294 * 4295 * These tests have subsequently been moved to pages linked from 4296 * http://csrc.nist.gov/groups/ST/toolkit/examples.html 4297 * 4298 * This file will exercise the HMAC SHA1 code performing 4299 * the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. 4300 * 4301 * This file will exercise the HKDF code performing 4302 * the seven tests documented in RFC 4869. 4303 * 4304 * To run the tests and just see PASSED/FAILED, use the -p option. 4305 * 4306 * Other options exercise: 4307 * hashing an arbitrary string 4308 * hashing a file's contents 4309 * a few error test checks 4310 * printing the results in raw format 4311 * 4312 * Portability Issues: 4313 * None. 4314 * 4315 */ 4317 #include 4318 #include 4319 #include 4320 #include 4321 #include 4322 #include /* defines getopt() and optarg */ 4323 #include "sha.h" 4325 static int scasecmp(const char *s1, const char *s2); 4327 /* 4328 * Define patterns for testing 4329 */ 4330 #define TEST1 "abc" 4331 #define TEST2_1 \ 4332 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 4333 #define TEST2_2a \ 4334 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 4335 #define TEST2_2b \ 4336 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 4337 #define TEST2_2 TEST2_2a TEST2_2b 4338 #define TEST3 "a" /* times 1000000 */ 4339 #define TEST4a "01234567012345670123456701234567" 4340 #define TEST4b "01234567012345670123456701234567" 4341 /* an exact multiple of 512 bits */ 4342 #define TEST4 TEST4a TEST4b /* times 10 */ 4344 #define TEST7_1 \ 4345 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 4346 #define TEST8_1 \ 4347 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 4348 #define TEST9_1 \ 4349 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ 4350 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ 4351 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ 4352 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ 4353 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" 4354 #define TEST10_1 \ 4355 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ 4356 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ 4357 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ 4358 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ 4359 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ 4360 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ 4361 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ 4362 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ 4363 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ 4364 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ 4365 "\xcd\xbb\xfb" 4366 #define TEST7_224 \ 4367 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 4368 #define TEST8_224 \ 4369 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" 4370 #define TEST9_224 \ 4371 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ 4372 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ 4373 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ 4374 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ 4375 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" 4376 #define TEST10_224 \ 4377 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ 4378 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ 4379 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ 4380 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ 4381 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ 4382 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ 4383 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ 4384 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ 4385 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ 4386 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ 4387 "\x87\x82\x73" 4388 #define TEST7_256 \ 4389 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" 4390 #define TEST8_256 \ 4391 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 4392 #define TEST9_256 \ 4393 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ 4394 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ 4395 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ 4396 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ 4397 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" 4398 #define TEST10_256 \ 4399 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ 4400 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ 4401 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ 4402 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ 4403 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ 4404 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ 4405 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ 4406 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ 4407 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ 4408 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ 4409 "\x3d\x54\xd6" 4410 #define TEST7_384 \ 4411 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 4412 #define TEST8_384 \ 4413 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" 4414 #define TEST9_384 \ 4415 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ 4416 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ 4417 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ 4418 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ 4419 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ 4420 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ 4421 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ 4422 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ 4423 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 4424 #define TEST10_384 \ 4425 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ 4426 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ 4427 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ 4428 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ 4429 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ 4430 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ 4431 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ 4432 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ 4433 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ 4434 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ 4435 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ 4436 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ 4437 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ 4438 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ 4439 "\x7e\xd0\x96" 4440 #define TEST7_512 \ 4441 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 4442 #define TEST8_512 \ 4443 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 4444 #define TEST9_512 \ 4445 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ 4446 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ 4447 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ 4448 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ 4449 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ 4450 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ 4451 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ 4452 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ 4453 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" 4454 #define TEST10_512 \ 4455 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ 4456 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ 4457 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ 4458 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ 4459 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ 4460 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ 4461 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ 4462 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ 4463 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ 4464 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ 4465 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ 4466 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ 4467 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ 4468 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ 4469 "\xfb\x40\xd2" 4470 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ 4471 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 4472 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ 4473 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 4474 "\x27" 4475 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ 4476 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 4477 "\x27\x9c\x1c\xb0\xa7" 4478 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ 4479 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ 4480 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 4481 "\xa4\x84\xbe\x74\x53" 4482 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ 4483 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ 4484 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ 4485 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ 4486 "\x4b\x12\x27\x20\x39" 4488 #define TESTCOUNT 10 4489 #define HASHCOUNT 5 4490 #define RANDOMCOUNT 4 4491 #define HMACTESTCOUNT 7 4492 #define HKDFTESTCOUNT 7 4494 #define PRINTNONE 0 4495 #define PRINTTEXT 1 4496 #define PRINTRAW 2 4497 #define PRINTHEX 3 4498 #define PRINTBASE64 4 4500 #define PRINTPASSFAIL 1 4501 #define PRINTFAIL 2 4503 #define length(x) (sizeof(x)-1) 4505 /* Test arrays for hashes. */ 4506 struct hash { 4507 const char *name; 4508 SHAversion whichSha; 4509 int hashsize; 4510 struct { 4511 const char *testarray; 4512 int length; 4513 long repeatcount; 4514 int extrabits; 4515 int numberExtrabits; 4516 const char *resultarray; 4518 } tests[TESTCOUNT]; 4519 const char *randomtest; 4520 const char *randomresults[RANDOMCOUNT]; 4521 } hashes[HASHCOUNT] = { 4522 { "SHA1", SHA1, SHA1HashSize, 4523 { 4524 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4525 "A9993E364706816ABA3E25717850C26C9CD0D89D" }, 4526 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4527 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, 4528 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4529 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, 4530 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4531 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, 4532 /* 5 */ { "", 0, 0, 0x98, 5, 4533 "29826B003B906E660EFF4027CE98AF3531AC75BA" }, 4534 /* 6 */ { "\x5e", 1, 1, 0, 0, 4535 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, 4536 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, 4537 "6239781E03729919C01955B3FFA8ACB60B988340" }, 4538 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, 4539 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, 4540 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, 4541 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 4542 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, 4543 "CB0082C8F197D260991BA6A460E76E202BAD27B3" } 4544 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", 4545 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", 4546 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 4547 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" 4548 } }, 4549 { "SHA224", SHA224, SHA224HashSize, 4550 { 4551 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4552 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, 4553 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, 4554 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 4555 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4556 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, 4557 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4558 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, 4559 /* 5 */ { "", 0, 0, 0x68, 5, 4560 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, 4561 /* 6 */ { "\x07", 1, 1, 0, 0, 4562 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, 4563 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, 4564 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, 4565 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, 4566 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 4567 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, 4568 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, 4569 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, 4570 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } 4571 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 4572 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 4573 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 4574 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" 4575 "709563FB916227FED598EB621F" 4576 } }, 4577 { "SHA256", SHA256, SHA256HashSize, 4578 { 4579 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" 4580 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, 4581 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 4582 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, 4583 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 4584 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, 4585 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" 4586 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, 4587 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 4588 "09DB45E7823EB5079CE7A573A3760F95" }, 4589 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 4590 "6A4E17F75F9518D843709C0C9BC3E3D4" }, 4591 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 4592 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 4593 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" 4594 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, 4595 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" 4596 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, 4597 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" 4598 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, 4599 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" 4600 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 4601 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" 4602 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 4603 "E31536B70FF906EC51B00447CA97D7DD97C12411F4" 4604 } }, 4605 { "SHA384", SHA384, SHA384HashSize, 4606 { 4607 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4608 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" 4609 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 4610 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4611 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 4612 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, 4613 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4614 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" 4615 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, 4616 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4617 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 4618 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, 4619 /* 5 */ { "", 0, 0, 0x10, 5, 4620 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 4621 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, 4622 /* 6 */ { "\xb9", 1, 1, 0, 0, 4623 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" 4624 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 4625 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, 4626 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 4627 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, 4628 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 4629 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" 4630 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, 4631 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, 4632 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" 4633 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, 4634 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 4635 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" 4636 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } 4637 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 4638 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" 4639 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" 4640 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 4641 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" 4642 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 4643 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 4644 } }, 4645 { "SHA512", SHA512, SHA512HashSize, 4646 { 4647 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, 4648 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" 4649 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" 4650 "454D4423643CE80E2A9AC94FA54CA49F" }, 4651 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, 4652 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" 4653 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" 4654 "C7D329EEB6DD26545E96E55B874BE909" }, 4655 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, 4656 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 4657 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" 4658 "EB009C5C2C49AA2E4EADB217AD8CC09B" }, 4659 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, 4660 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" 4661 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 4662 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, 4663 /* 5 */ { "", 0, 0, 0xB0, 5, 4664 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 4665 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" 4666 "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, 4667 /* 6 */ { "\xD0", 1, 1, 0, 0, 4668 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 4669 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" 4670 "D6E74CECE9631BFA8A549B4AB3FBBA15" }, 4671 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, 4672 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" 4673 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" 4674 "7359B43E64F8BEC3C1F237119986BBB6" }, 4675 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, 4676 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" 4677 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" 4678 "8213EB1B16F517AD0DE4B2F0C95C90F8" }, 4679 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, 4680 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" 4681 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 4682 "526F8A0A510E5E53CAFED4355FE7C2F1" }, 4683 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, 4684 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 4685 "C1A16A270D48719377966B957A878E720584779A62825C18" 4686 "DA26415E49A7176A894E7510FD1451F5" } 4687 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" 4688 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" 4689 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 4690 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 4691 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 4692 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" 4693 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" 4694 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 4695 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" 4696 } 4697 } 4698 }; 4700 /* Test arrays for HMAC. */ 4701 struct hmachash { 4702 const char *keyarray[5]; 4703 int keylength[5]; 4704 const char *dataarray[5]; 4705 int datalength[5]; 4706 const char *resultarray[5]; 4707 int resultlength[5]; 4708 } hmachashes[HMACTESTCOUNT] = { 4709 { /* 1 */ { 4710 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4711 "\x0b\x0b\x0b\x0b\x0b" 4712 }, { 20 }, { 4713 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 4714 }, { 8 }, { 4715 /* HMAC-SHA-1 */ 4716 "B617318655057264E28BC0B6FB378C8EF146BE00", 4717 /* HMAC-SHA-224 */ 4718 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", 4719 /* HMAC-SHA-256 */ 4720 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" 4721 "CFF7", 4722 /* HMAC-SHA-384 */ 4723 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" 4724 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", 4725 /* HMAC-SHA-512 */ 4726 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" 4727 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" 4728 "3A126854" 4729 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4730 SHA384HashSize, SHA512HashSize } 4731 }, 4732 { /* 2 */ { 4733 "\x4a\x65\x66\x65" /* "Jefe" */ 4734 }, { 4 }, { 4735 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" 4736 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 4737 /* "what do ya want for nothing?" */ 4738 }, { 28 }, { 4739 /* HMAC-SHA-1 */ 4740 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", 4741 /* HMAC-SHA-224 */ 4742 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", 4743 /* HMAC-SHA-256 */ 4744 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 4745 "3843", 4746 /* HMAC-SHA-384 */ 4747 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 4748 "445E8E2240CA5E69E2C78B3239ECFAB21649", 4749 /* HMAC-SHA-512 */ 4750 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 4751 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" 4752 "38BCE737" 4753 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4754 SHA384HashSize, SHA512HashSize } 4755 }, 4756 { /* 3 */ 4757 { 4758 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4759 "\xaa\xaa\xaa\xaa\xaa" 4760 }, { 20 }, { 4761 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4762 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4763 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 4764 "\xdd\xdd\xdd\xdd\xdd" 4765 }, { 50 }, { 4766 /* HMAC-SHA-1 */ 4767 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", 4768 /* HMAC-SHA-224 */ 4769 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", 4770 /* HMAC-SHA-256 */ 4771 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 4772 "65FE", 4773 /* HMAC-SHA-384 */ 4774 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" 4775 "144B2A5AB39DC13814B94E3AB6E101A34F27", 4776 /* HMAC-SHA-512 */ 4777 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 4778 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 4779 "E13292FB" 4780 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4781 SHA384HashSize, SHA512HashSize } 4782 }, 4783 { /* 4 */ { 4784 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 4785 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 4786 }, { 25 }, { 4787 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4788 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4789 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 4790 "\xcd\xcd\xcd\xcd\xcd" 4791 }, { 50 }, { 4792 /* HMAC-SHA-1 */ 4793 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 4794 /* HMAC-SHA-224 */ 4795 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", 4796 /* HMAC-SHA-256 */ 4797 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" 4798 "665B", 4799 /* HMAC-SHA-384 */ 4800 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" 4801 "3B4E6801DD23C4A7D679CCF8A386C674CFFB", 4802 /* HMAC-SHA-512 */ 4803 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" 4804 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" 4805 "10A298DD" 4806 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4807 SHA384HashSize, SHA512HashSize } 4808 }, 4809 { /* 5 */ { 4810 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 4811 "\x0c\x0c\x0c\x0c\x0c" 4812 }, { 20 }, { 4813 "Test With Truncation" 4814 }, { 20 }, { 4815 /* HMAC-SHA-1 */ 4816 "4C1A03424B55E07FE7F27BE1", 4817 /* HMAC-SHA-224 */ 4818 "0E2AEA68A90C8D37C988BCDB9FCA6FA8", 4819 /* HMAC-SHA-256 */ 4820 "A3B6167473100EE06E0C796C2955552B", 4821 /* HMAC-SHA-384 */ 4822 "3ABF34C3503B2A23A46EFC619BAEF897", 4823 /* HMAC-SHA-512 */ 4824 "415FAD6271580A531D4179BC891D87A6" 4825 }, { 12, 16, 16, 16, 16 } 4826 }, 4827 { /* 6 */ { 4828 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4829 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4830 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4831 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4832 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4833 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4834 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4835 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4836 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4837 }, { 80, 131 }, { 4838 "Test Using Larger Than Block-Size Key - Hash Key First" 4839 }, { 54 }, { 4840 /* HMAC-SHA-1 */ 4841 "AA4AE5E15272D00E95705637CE8A3B55ED402112", 4842 /* HMAC-SHA-224 */ 4843 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", 4844 /* HMAC-SHA-256 */ 4845 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" 4846 "7F54", 4847 /* HMAC-SHA-384 */ 4848 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" 4849 "C4C60C2EF6AB4030FE8296248DF163F44952", 4850 /* HMAC-SHA-512 */ 4851 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" 4852 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" 4853 "5D786598" 4854 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4855 SHA384HashSize, SHA512HashSize } 4856 }, 4857 { /* 7 */ { 4858 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4859 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4860 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4861 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4862 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4863 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4864 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4865 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4866 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 4867 }, { 80, 131 }, { 4868 "Test Using Larger Than Block-Size Key and " 4869 "Larger Than One Block-Size Data", 4870 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" 4871 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" 4872 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" 4873 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 4874 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" 4875 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 4876 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" 4877 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" 4878 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" 4879 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" 4880 "\x6d\x2e" 4881 /* "This is a test using a larger than block-size key and a " 4882 "larger than block-size data. The key needs to be hashed " 4883 "before being used by the HMAC algorithm." */ 4884 }, { 73, 152 }, { 4885 /* HMAC-SHA-1 */ 4886 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", 4887 /* HMAC-SHA-224 */ 4888 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 4889 /* HMAC-SHA-256 */ 4890 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" 4891 "35E2", 4892 /* HMAC-SHA-384 */ 4893 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" 4894 "99C5A678CC31E799176D3860E6110C46523E", 4895 /* HMAC-SHA-512 */ 4896 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" 4897 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" 4898 "FA8C6A58" 4899 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, 4900 SHA384HashSize, SHA512HashSize } 4901 } 4902 }; 4904 /* Test arrays for HKDF. */ 4905 struct hkdfhash { 4906 SHAversion whichSha; 4907 int ikmlength; 4908 const char *ikmarray; 4909 int saltlength; 4910 const char *saltarray; 4911 int infolength; 4912 const char *infoarray; 4913 int prklength; 4914 const char *prkarray; 4915 int okmlength; 4916 const char *okmarray; 4917 } hkdfhashes[HKDFTESTCOUNT] = { 4918 { /* RFC 5869 A.1. Test Case 1 */ 4919 SHA256, 4920 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4921 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4922 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4923 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4924 32, "077709362C2E32DF0DDC3F0DC47BBA6390B6C73BB50F9C3122EC844A" 4925 "D7C2B3E5", 4926 42, "3CB25F25FAACD57A90434F64D0362F2A2D2D0A90CF1A5A4C5DB02D56" 4927 "ECC4C5BF34007208D5B887185865" 4928 }, 4929 { /* RFC 5869 A.2. Test Case 2 */ 4930 SHA256, 4931 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4932 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4933 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4934 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4935 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4936 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4937 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 4938 "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 4939 "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4940 "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" 4941 "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5" 4942 "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 4943 80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 4944 "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 4945 "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 4946 "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7" 4947 "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5" 4948 "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 4949 32, "06A6B88C5853361A06104C9CEB35B45C" 4950 "EF760014904671014A193F40C15FC244", 4951 82, "B11E398DC80327A1C8E7F78C596A4934" 4952 "4F012EDA2D4EFAD8A050CC4C19AFA97C" 4953 "59045A99CAC7827271CB41C65E590E09" 4954 "DA3275600C2F09B8367793A9ACA3DB71" 4955 "CC30C58179EC3E87C14C01D5C1F3434F" 4956 "1D87" 4957 }, 4958 { /* RFC 5869 A.3. Test Case 3 */ 4959 SHA256, 4960 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 4961 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4962 0, "", 4963 0, "", 4964 32, "19EF24A32C717B167F33A91D6F648BDF" 4965 "96596776AFDB6377AC434C1C293CCB04", 4966 42, "8DA4E775A563C18F715F802A063C5A31" 4967 "B8A11F5C5EE1879EC3454E5F3C738D2D" 4968 "9D201395FAA4B61A96C8" 4969 }, 4970 { /* RFC 5869 A.4. Test Case 4 */ 4971 SHA1, 4972 11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 4973 13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 4974 10, "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9", 4975 20, "9B6C18C432A7BF8F0E71C8EB88F4B30BAA2BA243", 4976 42, "085A01EA1B10F36933068B56EFA5AD81" 4977 "A4F14B822F5B091568A9CDD4F155FDA2" 4978 "C22E422478D305F3F896" 4979 }, 4980 { /* RFC 5869 A.5. Test Case 5 */ 4981 SHA1, 4982 80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 4983 "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b" 4984 "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29" 4985 "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37" 4986 "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45" 4987 "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f", 4988 80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 4989 "\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B" 4990 "\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 4991 "\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 4992 "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 4993 "\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 4994 80, "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 4995 "\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 4996 "\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 4997 "\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7" 4998 "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5" 4999 "\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 5000 20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 5001 82, "0BD770A74D1160F7C9F12CD5912A06EB" 5002 "FF6ADCAE899D92191FE4305673BA2FFE" 5003 "8FA3F1A4E5AD79F3F334B3B202B2173C" 5004 "486EA37CE3D397ED034C7F9DFEB15C5E" 5005 "927336D0441F4C4300E2CFF0D0900B52" 5006 "D3B4" 5007 }, 5008 { /* RFC 5869 A.6. Test Case 6 */ 5009 SHA1, 5010 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 5011 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 5012 0, "", 5013 0, "", 5014 20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 5015 42, "0AC1AF7002B3D761D1E55298DA9D0506" 5016 "B9AE52057220A306E07B6B87E8DF21D0" 5017 "EA00033DE03984D34918" 5019 }, 5020 { /* RFC 5869 A.7. Test Case 7. */ 5021 SHA1, 5022 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 5023 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 5024 0, 0, 5025 0, "", 5026 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 5027 42, "2C91117204D745F3500D636A62F64F0A" 5028 "B3BAE548AA53D423B0D1F27EBBA6F5E5" 5029 "673A081D70CCE7ACFC48" 5030 } 5031 }; 5033 /* 5034 * Check the hash value against the expected string, expressed in hex 5035 */ 5036 static const char hexdigits[ ] = "0123456789ABCDEF"; 5037 int checkmatch(const unsigned char *hashvalue, 5038 const char *hexstr, int hashsize) 5039 { 5040 int i; 5041 for (i = 0; i < hashsize; ++i) { 5042 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) 5043 return 0; 5044 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; 5045 } 5046 return 1; 5047 } 5049 /* 5050 * Print the string, converting non-printable characters to "." 5051 */ 5052 void printstr(const char *str, int len) 5053 { 5054 for ( ; len-- > 0; str++) 5055 putchar(isprint((unsigned char)*str) ? *str : '.'); 5056 } 5058 /* 5059 * Print the string, converting all characters to hex "## ". 5060 */ 5061 void printxstr(const char *str, int len) 5062 { 5063 char *sep = ""; 5064 for ( ; len-- > 0; str++) { 5065 printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], 5066 hexdigits[*str & 0xF]); 5067 sep = " "; 5068 } 5070 } 5072 /* 5073 * Print a usage message. 5074 */ 5075 void usage(const char *argv0) 5076 { 5077 fprintf(stderr, 5078 "Usage:\n" 5079 "Common options: [-h hash] [-w|-x|-6] [-H]\n" 5080 "Hash a string:\n" 5081 "\t%s [-S expectedresult] -s hashstr [-k key] " 5082 "[-i info -L okm-len]\n" 5083 "Hash a file:\n" 5084 "\t%s [-S expectedresult] -f file [-k key] " 5085 "[-i info -L okm-len]\n" 5086 "Hash a file, ignoring whitespace:\n" 5087 "\t%s [-S expectedresult] -F file [-k key] " 5088 "[-i info -L okm-len]\n" 5089 "Additional bits to add in: [-B bitcount -b bits]\n" 5090 "(If -k,-i&-L are used, run HKDF-SHA###.\n" 5091 " If -k is used, but not -i&-L, run HMAC-SHA###.\n" 5092 " Otherwise, run SHA###.)\n" 5093 "Standard tests:\n" 5094 "\t%s [-m | -d] [-l loopcount] [-t test#] [-e]\n" 5095 "\t\t[-r randomseed] [-R randomloop-count] " 5096 "[-p] [-P|-X]\n" 5097 "-h\thash to test: " 5098 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 5099 "-m\tperform hmac standard tests\n" 5100 "-k\tkey for hmac test\n" 5101 "-d\tperform hkdf standard tests\n" 5102 "-t\ttest case to run, 1-10\n" 5103 "-l\thow many times to run the test\n" 5104 "-e\ttest error returns\n" 5105 "-p\tdo not print results\n" 5106 "-P\tdo not print PASSED/FAILED\n" 5107 "-X\tprint FAILED, but not PASSED\n" 5108 "-r\tseed for random test\n" 5109 "-R\thow many times to run random test\n" 5110 "-s\tstring to hash\n" 5111 "-S\texpected result of hashed string, in hex\n" 5112 "-w\toutput hash in raw format\n" 5113 "-x\toutput hash in hex format\n" 5114 "-6\toutput hash in base64 format\n" 5115 "-B\t# extra bits to add in after string or file input\n" 5116 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" 5117 "-H\tinput hashstr or randomseed is in hex\n" 5118 , argv0, argv0, argv0, argv0); 5119 exit(1); 5121 } 5123 /* 5124 * Print the results and PASS/FAIL. 5125 */ 5126 void printResult(uint8_t *Message_Digest, int hashsize, 5127 const char *hashname, const char *testtype, const char *testname, 5128 const char *resultarray, int printResults, int printPassFail) 5129 { 5130 int i, k; 5131 if (printResults == PRINTTEXT) { 5132 printf("\nhashsize=%d\n", hashsize); 5133 putchar('\t'); 5134 for (i = 0; i < hashsize; ++i) { 5135 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5136 putchar(hexdigits[Message_Digest[i] & 0xF]); 5137 putchar(' '); 5138 } 5139 putchar('\n'); 5140 } else if (printResults == PRINTRAW) { 5141 fwrite(Message_Digest, 1, hashsize, stdout); 5142 } else if (printResults == PRINTHEX) { 5143 for (i = 0; i < hashsize; ++i) { 5144 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); 5145 putchar(hexdigits[Message_Digest[i] & 0xF]); 5146 } 5147 putchar('\n'); 5148 } else if (printResults == PRINTBASE64) { 5149 unsigned char b; 5150 char *sm = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 5151 "0123456789+/"; 5152 for (i = 0; i < hashsize; i += 3) { 5153 putchar(sm[Message_Digest[i] >> 2]); 5154 b = (Message_Digest[i] & 0x03) << 4; 5155 if (i+1 < hashsize) b |= Message_Digest[i+1] >> 4; 5156 putchar(sm[b]); 5157 if (i+1 < hashsize) { 5158 b = (Message_Digest[i+1] & 0x0f) << 2; 5159 if (i+2 < hashsize) b |= Message_Digest[i+2] >> 6; 5160 putchar(sm[b]); 5161 } else putchar('='); 5162 if (i+2 < hashsize) putchar(sm[Message_Digest[i+2] & 0x3f]); 5163 else putchar('='); 5164 } 5165 putchar('\n'); 5166 } 5168 if (printResults && resultarray) { 5169 printf(" Should match:\n\t"); 5170 for (i = 0, k = 0; i < hashsize; i++, k += 2) { 5171 putchar(resultarray[k]); 5172 putchar(resultarray[k+1]); 5173 putchar(' '); 5174 } 5175 putchar('\n'); 5176 } 5178 if (printPassFail && resultarray) { 5179 int ret = checkmatch(Message_Digest, resultarray, hashsize); 5180 if ((printPassFail == PRINTPASSFAIL) || !ret) 5181 printf("%s %s %s: %s\n", hashname, testtype, testname, 5182 ret ? "PASSED" : "FAILED"); 5183 } 5184 } 5186 /* 5187 * Exercise a hash series of functions. The input is the testarray, 5188 * repeated repeatcount times, followed by the extrabits. If the 5189 * result is known, it is in resultarray in uppercase hex. 5190 */ 5191 int hash(int testno, int loopno, int hashno, 5192 const char *testarray, int length, long repeatcount, 5193 int numberExtrabits, int extrabits, const unsigned char *keyarray, 5194 int keylen, const unsigned char *info, int infolen, int okmlen, 5195 const char *resultarray, int hashsize, int printResults, 5196 int printPassFail) 5197 { 5198 USHAContext sha; 5199 HMACContext hmac; 5200 HKDFContext hkdf; 5201 int err, i; 5202 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5203 uint8_t *Message_Digest = Message_Digest_Buf; 5204 char buf[20]; 5206 if (printResults == PRINTTEXT) { 5207 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, 5208 loopno, repeatcount); 5209 printstr(testarray, length); 5210 printf("'\n\t'"); 5211 printxstr(testarray, length); 5212 printf("'\n"); 5213 printf(" Length=%d bytes (%d bits), ", length, length * 8); 5214 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); 5215 } 5217 if (info) Message_Digest = malloc(okmlen); 5218 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5219 memset(&hmac, '\343', sizeof(hmac)); 5220 memset(&hkdf, '\343', sizeof(hkdf)); 5221 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5222 keyarray, keylen) : 5223 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5224 keyarray, keylen) : 5225 USHAReset(&sha, hashes[hashno].whichSha); 5226 if (err != shaSuccess) { 5227 fprintf(stderr, "hash(): %sReset Error %d.\n", 5228 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5229 return err; 5230 } 5232 for (i = 0; i < repeatcount; ++i) { 5233 err = info ? hkdfInput(&hkdf, (const uint8_t *)testarray, length) : 5234 keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, 5235 length) : 5236 USHAInput(&sha, (const uint8_t *) testarray, 5237 length); 5238 if (err != shaSuccess) { 5239 fprintf(stderr, "hash(): %sInput Error %d.\n", 5240 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5241 return err; 5242 } 5243 } 5245 if (numberExtrabits > 0) { 5246 err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) : 5247 keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, 5248 numberExtrabits) : 5249 USHAFinalBits(&sha, (uint8_t) extrabits, 5250 numberExtrabits); 5251 if (err != shaSuccess) { 5252 fprintf(stderr, "hash(): %sFinalBits Error %d.\n", 5253 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5254 return err; 5255 } 5256 } 5258 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5259 Message_Digest, okmlen) : 5260 keyarray ? hmacResult(&hmac, Message_Digest) : 5261 USHAResult(&sha, Message_Digest); 5262 if (err != shaSuccess) { 5263 fprintf(stderr, "hash(): %s Result Error %d, could not compute " 5264 "message digest.\n", 5265 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5266 return err; 5267 } 5269 sprintf(buf, "%d", testno+1); 5270 printResult(Message_Digest, info ? okmlen : hashsize, 5271 hashes[hashno].name, info ? "hkdf standard test" : 5272 keyarray ? "hmac standard test" : "sha standard test", buf, 5273 resultarray, printResults, printPassFail); 5275 return err; 5276 } 5278 /* 5279 * Exercise an HKDF series. The input is the testarray, 5280 * repeated repeatcount times, followed by the extrabits. If the 5281 * result is known, it is in resultarray in uppercase hex. 5282 */ 5283 int hashHkdf(int testno, int loopno, int hashno, 5284 int printResults, int printPassFail) 5285 { 5286 int err; 5287 unsigned char prk[USHAMaxHashSize+1]; 5288 uint8_t okm[255 * USHAMaxHashSize+1]; 5289 char buf[20]; 5291 if (printResults == PRINTTEXT) { 5292 printf("\nTest %d: Iteration %d\n\tSALT\t'", testno+1, loopno); 5293 printxstr(hkdfhashes[testno].saltarray, 5294 hkdfhashes[testno].saltlength); 5295 printf("'\n\tIKM\t'"); 5296 printxstr(hkdfhashes[testno].ikmarray, 5297 hkdfhashes[testno].ikmlength); 5298 printf("'\n\tINFO\t'"); 5299 printxstr(hkdfhashes[testno].infoarray, 5300 hkdfhashes[testno].infolength); 5301 printf("'\n"); 5302 printf(" L=%d bytes\n", hkdfhashes[testno].okmlength); 5303 } 5305 /* Run hkdf() against the test vectors */ 5306 err = hkdf(hkdfhashes[testno].whichSha, 5307 (const uint8_t *) hkdfhashes[testno].saltarray, 5308 hkdfhashes[testno].saltlength, 5309 (const uint8_t *) hkdfhashes[testno].ikmarray, 5310 hkdfhashes[testno].ikmlength, 5311 (const uint8_t *) hkdfhashes[testno].infoarray, 5312 hkdfhashes[testno].infolength, okm, 5313 hkdfhashes[testno].okmlength); 5314 if (err != shaSuccess) { 5315 fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 5316 return err; 5317 } 5318 sprintf(buf, "hkdf %d", testno+1); 5319 printResult(okm, hkdfhashes[testno].okmlength, 5320 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5321 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5323 /* Now run hkdfExtract() by itself against the test vectors */ 5324 /* to verify the intermediate results. */ 5325 err = hkdfExtract(hkdfhashes[testno].whichSha, 5326 (const uint8_t *) hkdfhashes[testno].saltarray, 5327 hkdfhashes[testno].saltlength, 5328 (const uint8_t *) hkdfhashes[testno].ikmarray, 5329 hkdfhashes[testno].ikmlength, prk); 5330 if (err != shaSuccess) { 5331 fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 5332 return err; 5333 } 5334 sprintf(buf, "hkdfExtract %d", testno+1); 5335 printResult(prk, USHAHashSize(hkdfhashes[testno].whichSha), 5336 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5337 buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 5339 /* Now run hkdfExpand() by itself against the test vectors */ 5340 /* using the intermediate results from hkdfExtract. */ 5341 err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 5342 USHAHashSize(hkdfhashes[testno].whichSha), 5343 (const uint8_t *)hkdfhashes[testno].infoarray, 5344 hkdfhashes[testno].infolength, okm, hkdfhashes[testno].okmlength); 5345 if (err != shaSuccess) { 5346 fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 5347 return err; 5348 } 5349 sprintf(buf, "hkdfExpand %d", testno+1); 5350 printResult(okm, hkdfhashes[testno].okmlength, 5351 USHAHashName(hkdfhashes[testno].whichSha), "hkdf standard test", 5352 buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 5354 return err; 5355 } 5357 /* 5358 * Exercise a hash series of functions. The input is a filename. 5359 * If the result is known, it is in resultarray in uppercase hex. 5360 */ 5361 int hashfile(int hashno, const char *hashfilename, int bits, 5362 int bitcount, int skipSpaces, const unsigned char *keyarray, 5363 int keylen, const unsigned char *info, int infolen, int okmlen, 5364 const char *resultarray, int hashsize, 5365 int printResults, int printPassFail) 5366 { 5367 USHAContext sha; 5368 HMACContext hmac; 5369 HKDFContext hkdf; 5370 int err, nread, c; 5371 unsigned char buf[4096]; 5372 uint8_t Message_Digest_Buf[USHAMaxHashSize]; 5373 uint8_t *Message_Digest = Message_Digest_Buf; 5374 unsigned char cc; 5375 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : 5376 fopen(hashfilename, "r"); 5378 if (!hashfp) { 5379 fprintf(stderr, "cannot open file '%s'\n", hashfilename); 5380 return shaStateError; 5381 } 5383 if (info) Message_Digest = malloc(okmlen); 5384 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ 5385 memset(&hmac, '\343', sizeof(hmac)); 5386 memset(&hkdf, '\343', sizeof(hkdf)); 5387 err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 5388 keyarray, keylen) : 5389 keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 5390 keyarray, keylen) : 5391 USHAReset(&sha, hashes[hashno].whichSha); 5392 if (err != shaSuccess) { 5393 fprintf(stderr, "hashfile(): %sReset Error %d.\n", 5394 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5395 return err; 5396 } 5398 if (skipSpaces) 5399 while ((c = getc(hashfp)) != EOF) { 5400 if (!isspace(c)) { 5401 cc = (unsigned char)c; 5402 err = info ? hkdfInput(&hkdf, &cc, 1) : 5403 keyarray ? hmacInput(&hmac, &cc, 1) : 5404 USHAInput(&sha, &cc, 1); 5405 if (err != shaSuccess) { 5406 fprintf(stderr, "hashfile(): %sInput Error %d.\n", 5407 info ? "hkdf" : keyarray ? "hmac" : "sha", err); 5408 if (hashfp != stdin) fclose(hashfp); 5409 return err; 5410 } 5411 } 5412 } 5413 else 5414 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 5415 err = info ? hkdfInput(&hkdf, buf, nread) : 5416 keyarray ? hmacInput(&hmac, buf, nread) : 5417 USHAInput(&sha, buf, nread); 5418 if (err != shaSuccess) { 5419 fprintf(stderr, "hashfile(): %s Error %d.\n", 5420 info ? "hkdf" : keyarray ? "hmacInput" : 5422 "shaInput", err); 5423 if (hashfp != stdin) fclose(hashfp); 5424 return err; 5425 } 5426 } 5428 if (bitcount > 0) 5429 err = info ? hkdfFinalBits(&hkdf, bits, bitcount) : 5430 keyarray ? hmacFinalBits(&hmac, bits, bitcount) : 5431 USHAFinalBits(&sha, bits, bitcount); 5432 if (err != shaSuccess) { 5433 fprintf(stderr, "hashfile(): %s Error %d.\n", 5434 info ? "hkdf" : keyarray ? "hmacFinalBits" : 5435 "shaFinalBits", err); 5436 if (hashfp != stdin) fclose(hashfp); 5437 return err; 5438 } 5440 err = info ? hkdfResult(&hkdf, 0, info, infolen, 5441 Message_Digest, okmlen) : 5442 keyarray ? hmacResult(&hmac, Message_Digest) : 5443 USHAResult(&sha, Message_Digest); 5444 if (err != shaSuccess) { 5445 fprintf(stderr, "hashfile(): %s Error %d.\n", 5446 info ? "hkdf" : keyarray ? "hmacResult" : 5447 "shaResult", err); 5448 if (hashfp != stdin) fclose(hashfp); 5449 return err; 5450 } 5452 printResult(Message_Digest, info ? okmlen : hashsize, 5453 hashes[hashno].name, "file", hashfilename, resultarray, 5454 printResults, printPassFail); 5456 if (hashfp != stdin) fclose(hashfp); 5457 if (info) free(Message_Digest); 5458 return err; 5459 } 5461 /* 5462 * Exercise a hash series of functions through multiple permutations. 5463 * The input is an initial seed. That seed is replicated 3 times. 5464 * For 1000 rounds, the previous three results are used as the input. 5465 * This result is then checked, and used to seed the next cycle. 5466 * If the result is known, it is in resultarrays in uppercase hex. 5467 */ 5468 void randomtest(int hashno, const char *seed, int hashsize, 5469 const char **resultarrays, int randomcount, 5470 int printResults, int printPassFail) 5471 { 5472 int i, j; char buf[20]; 5473 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 5475 /* INPUT: Seed - A random seed n bits long */ 5476 memcpy(SEED, seed, hashsize); 5477 if (printResults == PRINTTEXT) { 5478 printf("%s random test seed= '", hashes[hashno].name); 5479 printxstr(seed, hashsize); 5480 printf("'\n"); 5481 } 5483 for (j = 0; j < randomcount; j++) { 5484 /* MD0 = MD1 = MD2 = Seed; */ 5485 memcpy(MD[0], SEED, hashsize); 5486 memcpy(MD[1], SEED, hashsize); 5487 memcpy(MD[2], SEED, hashsize); 5488 for (i=3; i<1003; i++) { 5489 /* Mi = MDi-3 || MDi-2 || MDi-1; */ 5490 USHAContext Mi; 5491 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ 5492 USHAReset(&Mi, hashes[hashno].whichSha); 5493 USHAInput(&Mi, MD[i-3], hashsize); 5494 USHAInput(&Mi, MD[i-2], hashsize); 5495 USHAInput(&Mi, MD[i-1], hashsize); 5496 /* MDi = SHA(Mi); */ 5497 USHAResult(&Mi, MD[i]); 5498 } 5500 /* MDj = Seed = MDi; */ 5501 memcpy(SEED, MD[i-1], hashsize); 5503 /* OUTPUT: MDj */ 5504 sprintf(buf, "%d", j); 5505 printResult(SEED, hashsize, hashes[hashno].name, "random test", 5506 buf, resultarrays ? resultarrays[j] : 0, printResults, 5507 (j < RANDOMCOUNT) ? printPassFail : 0); 5508 } 5509 } 5511 /* 5512 * Look up a hash name. 5513 */ 5514 int findhash(const char *argv0, const char *opt) 5515 { 5516 int i; 5517 const char *names[HASHCOUNT][2] = { 5518 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, 5519 { "3", "sha384" }, { "4", "sha512" } 5520 }; 5521 for (i = 0; i < HASHCOUNT; i++) 5522 if ((strcmp(opt, names[i][0]) == 0) || 5523 (scasecmp(opt, names[i][1]) == 0)) 5524 return i; 5526 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); 5527 usage(argv0); 5528 return 0; 5529 } 5531 /* 5532 * Run some tests that should invoke errors. 5533 */ 5534 void testErrors(int hashnolow, int hashnohigh, int printResults, 5535 int printPassFail) 5536 { 5537 USHAContext usha; 5538 uint8_t Message_Digest[USHAMaxHashSize]; 5539 int hashno, err; 5541 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { 5542 memset(&usha, '\343', sizeof(usha)); /* force bad data */ 5543 USHAReset(&usha, hashno); 5544 USHAResult(&usha, Message_Digest); 5545 err = USHAInput(&usha, (const unsigned char *)"foo", 3); 5546 if (printResults == PRINTTEXT) 5547 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5548 if ((printPassFail == PRINTPASSFAIL) || 5549 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5550 printf("%s se: %s\n", hashes[hashno].name, 5551 (err == shaStateError) ? "PASSED" : "FAILED"); 5553 err = USHAFinalBits(&usha, 0x80, 3); 5554 if (printResults == PRINTTEXT) 5555 printf ("\nError %d. Should be %d.\n", err, shaStateError); 5556 if ((printPassFail == PRINTPASSFAIL) || 5557 ((printPassFail == PRINTFAIL) && (err != shaStateError))) 5558 printf("%s se: %s\n", hashes[hashno].name, 5559 (err == shaStateError) ? "PASSED" : "FAILED"); 5561 err = USHAReset(0, hashes[hashno].whichSha); 5562 if (printResults == PRINTTEXT) 5563 printf("\nError %d. Should be %d.\n", err, shaNull); 5564 if ((printPassFail == PRINTPASSFAIL) || 5565 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5566 printf("%s usha null: %s\n", hashes[hashno].name, 5567 (err == shaNull) ? "PASSED" : "FAILED"); 5569 switch (hashno) { 5570 case SHA1: err = SHA1Reset(0); break; 5571 case SHA224: err = SHA224Reset(0); break; 5572 case SHA256: err = SHA256Reset(0); break; 5573 case SHA384: err = SHA384Reset(0); break; 5574 case SHA512: err = SHA512Reset(0); break; 5575 } 5576 if (printResults == PRINTTEXT) 5577 printf("\nError %d. Should be %d.\n", err, shaNull); 5578 if ((printPassFail == PRINTPASSFAIL) || 5579 ((printPassFail == PRINTFAIL) && (err != shaNull))) 5580 printf("%s sha null: %s\n", hashes[hashno].name, 5581 (err == shaNull) ? "PASSED" : "FAILED"); 5582 } 5583 } 5585 /* replace a hex string in place with its value */ 5586 int unhexStr(char *hexstr) 5587 { 5588 char *o = hexstr; 5589 int len = 0, nibble1 = 0, nibble2 = 0; 5590 if (!hexstr) return 0; 5591 for ( ; *hexstr; hexstr++) { 5592 if (isalpha((int)(unsigned char)(*hexstr))) { 5593 nibble1 = tolower(*hexstr) - 'a' + 10; 5594 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5595 nibble1 = *hexstr - '0'; 5596 } else { 5597 printf("\nError: bad hex character '%c'\n", *hexstr); 5598 } 5599 if (!*++hexstr) break; 5600 if (isalpha((int)(unsigned char)(*hexstr))) { 5601 nibble2 = tolower(*hexstr) - 'a' + 10; 5602 } else if (isdigit((int)(unsigned char)(*hexstr))) { 5603 nibble2 = *hexstr - '0'; 5604 } else { 5605 printf("\nError: bad hex character '%c'\n", *hexstr); 5606 } 5607 *o++ = (char)((nibble1 << 4) | nibble2); 5608 len++; 5609 } 5610 return len; 5611 } 5613 int main(int argc, char **argv) 5614 { 5615 int i, err; 5616 int loopno, loopnohigh = 1; 5617 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 5618 int testno, testnolow = 0, testnohigh; 5619 int ntestnohigh = 0; 5620 int printResults = PRINTTEXT; 5621 int printPassFail = 1; 5622 int checkErrors = 0; 5623 char *hashstr = 0; 5624 int hashlen = 0; 5625 const char *resultstr = 0; 5626 char *randomseedstr = 0; 5627 int runHmacTests = 0; 5628 int runHkdfTests = 0; 5629 char *hmacKey = 0; 5630 int hmaclen = 0; 5631 char *info = 0; 5632 int infolen = 0, okmlen = 0; 5633 int randomcount = RANDOMCOUNT; 5634 const char *hashfilename = 0; 5635 const char *hashFilename = 0; 5636 int extrabits = 0, numberExtrabits = 0; 5637 int strIsHex = 0; 5639 if ('A' != 0x41) { 5640 fprintf(stderr, "%s: ASCII is required for these tests\n", argv[0]); 5641 } 5643 while ((i = getopt(argc, argv, 5644 "6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxX")) != -1) 5645 switch (i) { 5646 case 'b': extrabits = strtol(optarg, 0, 0); break; 5647 case 'B': numberExtrabits = atoi(optarg); break; 5648 case 'd': runHkdfTests = 1; break; 5649 case 'e': checkErrors = 1; break; 5650 case 'f': hashfilename = optarg; break; 5651 case 'F': hashFilename = optarg; break; 5652 case 'h': hashnolow = hashnohigh = findhash(argv[0], optarg); 5653 break; 5654 case 'H': strIsHex = 1; break; 5655 case 'i': info = optarg; infolen = strlen(optarg); break; 5656 case 'k': hmacKey = optarg; hmaclen = strlen(optarg); break; 5657 case 'l': loopnohigh = atoi(optarg); break; 5658 case 'L': okmlen = strtol(optarg, 0, 0); break; 5659 case 'm': runHmacTests = 1; break; 5660 case 'P': printPassFail = 0; break; 5661 case 'p': printResults = PRINTNONE; break; 5662 case 'R': randomcount = atoi(optarg); break; 5663 case 'r': randomseedstr = optarg; break; 5664 case 's': hashstr = optarg; hashlen = strlen(hashstr); break; 5665 case 'S': resultstr = optarg; break; 5666 case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break; 5667 case 'w': printResults = PRINTRAW; break; 5668 case 'x': printResults = PRINTHEX; break; 5669 case 'X': printPassFail = 2; break; 5670 case '6': printResults = PRINTBASE64; break; 5671 default: usage(argv[0]); 5672 } 5674 if (strIsHex) { 5675 hashlen = unhexStr(hashstr); 5676 unhexStr(randomseedstr); 5677 hmaclen = unhexStr(hmacKey); 5678 infolen = unhexStr(info); 5679 } 5680 testnohigh = (ntestnohigh != 0) ? ntestnohigh: 5681 runHmacTests ? (HMACTESTCOUNT-1) : 5682 runHkdfTests ? (HKDFTESTCOUNT-1) : 5683 (TESTCOUNT-1); 5684 if ((testnolow < 0) || 5685 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 5686 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || 5687 (hashstr && (testnolow == testnohigh)) || 5688 (randomcount < 0) || 5689 (resultstr && (!hashstr && !hashfilename && !hashFilename)) || 5690 ((runHmacTests || hmacKey) && randomseedstr) || 5691 (hashfilename && hashFilename) || 5692 (info && ((infolen <= 0) || (okmlen <= 0))) || 5693 (info && !hmacKey)) 5694 usage(argv[0]); 5696 /* 5697 * Perform SHA/HMAC tests 5698 */ 5699 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { 5700 if (printResults == PRINTTEXT) 5701 printf("Hash %s\n", hashes[hashno].name); 5702 err = shaSuccess; 5704 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); 5705 ++loopno) { 5706 if (hashstr) 5707 err = hash(0, loopno, hashno, hashstr, hashlen, 1, 5708 numberExtrabits, extrabits, (const unsigned char *)hmacKey, 5709 hmaclen, (const uint8_t *) info, infolen, okmlen, resultstr, 5710 hashes[hashno].hashsize, printResults, printPassFail); 5712 else if (randomseedstr) 5713 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, 5714 randomcount, printResults, printPassFail); 5716 else if (hashfilename) 5717 err = hashfile(hashno, hashfilename, extrabits, 5718 numberExtrabits, 0, 5719 (const unsigned char *)hmacKey, hmaclen, 5720 (const uint8_t *) info, infolen, okmlen, 5721 resultstr, hashes[hashno].hashsize, 5722 printResults, printPassFail); 5724 else if (hashFilename) 5725 err = hashfile(hashno, hashFilename, extrabits, 5726 numberExtrabits, 1, 5727 (const unsigned char *)hmacKey, hmaclen, 5728 (const uint8_t *) info, infolen, okmlen, 5729 resultstr, hashes[hashno].hashsize, 5730 printResults, printPassFail); 5732 else /* standard tests */ { 5733 for (testno = testnolow; 5734 (testno <= testnohigh) && (err == shaSuccess); ++testno) { 5735 if (runHmacTests) { 5736 err = hash(testno, loopno, hashno, 5737 hmachashes[testno].dataarray[hashno] ? 5738 hmachashes[testno].dataarray[hashno] : 5739 hmachashes[testno].dataarray[1] ? 5740 hmachashes[testno].dataarray[1] : 5741 hmachashes[testno].dataarray[0], 5742 hmachashes[testno].datalength[hashno] ? 5743 hmachashes[testno].datalength[hashno] : 5744 hmachashes[testno].datalength[1] ? 5745 hmachashes[testno].datalength[1] : 5746 hmachashes[testno].datalength[0], 5747 1, 0, 0, 5748 (const unsigned char *)( 5749 hmachashes[testno].keyarray[hashno] ? 5750 hmachashes[testno].keyarray[hashno] : 5751 hmachashes[testno].keyarray[1] ? 5752 hmachashes[testno].keyarray[1] : 5753 hmachashes[testno].keyarray[0]), 5754 hmachashes[testno].keylength[hashno] ? 5755 hmachashes[testno].keylength[hashno] : 5756 hmachashes[testno].keylength[1] ? 5757 hmachashes[testno].keylength[1] : 5758 hmachashes[testno].keylength[0], 5759 0, 0, 0, 5760 hmachashes[testno].resultarray[hashno], 5761 hmachashes[testno].resultlength[hashno], 5762 printResults, printPassFail); 5763 } else if (runHkdfTests) { 5764 err = hashHkdf(testno, loopno, hashno, 5765 printResults, printPassFail); 5766 } else { /* sha tests */ 5767 err = hash(testno, loopno, hashno, 5768 hashes[hashno].tests[testno].testarray, 5769 hashes[hashno].tests[testno].length, 5770 hashes[hashno].tests[testno].repeatcount, 5771 hashes[hashno].tests[testno].numberExtrabits, 5772 hashes[hashno].tests[testno].extrabits, 5773 0, 0, 0, 0, 0, 5774 hashes[hashno].tests[testno].resultarray, 5775 hashes[hashno].hashsize, 5776 printResults, printPassFail); 5777 } 5778 } 5779 if (!runHmacTests && !runHkdfTests) { 5780 randomtest(hashno, hashes[hashno].randomtest, 5781 hashes[hashno].hashsize, hashes[hashno].randomresults, 5782 RANDOMCOUNT, printResults, printPassFail); 5783 } 5784 } 5785 } 5786 } 5788 /* Test some error returns */ 5789 if (checkErrors) { 5790 testErrors(hashnolow, hashnohigh, printResults, printPassFail); 5791 } 5793 return 0; 5794 } 5796 /* 5797 * Compare two strings, case independently. 5798 * Equivalent to strcasecmp() found on some systems. 5799 */ 5800 int scasecmp(const char *s1, const char *s2) 5801 { 5802 for (;;) { 5803 char u1 = tolower(*s1++); 5804 char u2 = tolower(*s2++); 5805 if (u1 != u2) 5806 return u1 - u2; 5807 if (u1 == '\0') 5808 return 0; 5809 } 5810 } 5811 9. IANA Considerations 5813 This document requires no IANA Actions. The RFC Editor should delete 5814 this section before publication. 5816 10. Security Considerations 5818 This document is intended to provide convenient open source access by 5819 the Internet community to the United States of America Federal 5820 Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 5821 180-2], HMACs based thereon, and HKDF. No independent assertion of 5822 the security of these functions by the authors for any particular use 5823 is intended. 5825 11. Acknowledgements 5827 Thanks for the corrections to [RFC4634] that were provided by Alfred 5828 Hoenes and Jan Andres and to Alfred's comments on the drafts hereof. 5830 12. References 5832 Normative and Informative References appear below. 5834 12.1 Normative References 5836 [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 5837 Hashing for Message Authentication", RFC 2104, February 1997. 5839 [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and- 5840 Expand Key Derivation Function (HKDF)", RFC 5869, May 2010. 5842 [SHS] - "Secure Hash Standard", United States of American, National 5843 Institute of Science and Technology, Federal Information 5844 Processing Standard (FIPS) 180-3, 5845 http://csrc.nist.gov/publications/fips/fips180- 5846 3/fips180-3_final.pdf. 5848 [US-ASCII] - ANSI, "USA Standard Code for Information Interchange", 5849 X3.4, American National Standards Institute: New York, 1968. 5851 12.2 Informative References 5853 [RFC3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1 5854 (SHA1)", September 2001. 5856 [RFC3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224", 5857 September 2004. 5859 [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional 5860 Algorithms and Identifiers for RSA Cryptography for use in the 5861 Internet X.509 Public Key Infrastructure Certificate and 5862 Certificate Revocation List (CRL) Profile", RFC 4055, June 5863 2005. 5865 [RFC4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness 5866 Requirements for Security", May 2005. 5868 [RFC4634] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash 5869 Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006. 5871 [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)", 5872 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. 5874 Appendix: Changes from RFC 4634 5876 The following changes were made to RFC 4634 to produce this document: 5878 1. Add code for HKDF and brief text about HKDF with pointer to 5879 [RFC5869]. 5881 2. Fix numerous errata filed against [RFC4634] as included below. 5882 Note that in no case did the old code return an incorrect hash 5883 value. 5885 2.a Correct some of the error return values which has erroneously 5886 been "shaNull" to the correct "shaInputTooLong" error. 5888 2.b Update comments and variable names within the code for 5889 consistency and clarity and other editorial changes. 5891 2.c The previous code for SHA-384 and SHA-512 would stop after 5892 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 5893 bytes (2^128 bits). 5895 2.d Add additional error checking including a run time check in 5896 the test driver to detect attempts to run the test driver 5897 after compilation using some other character set instead of 5898 [US-ASCII]. 5900 3. Update boilerplate, remove special license in [RFC4634] as new 5901 boilerplate mandates simplified BSD license. 5903 4. Replace MIT version of getopt with new code to satisfy IETF 5904 incoming and outgoing license restrictions. 5906 5. Other assorted editorial improvements. 5908 Appendix Z: RFC Editor Note, Edit History 5910 RFC Editor Note: All occurrences of "RFC NNNN" should be edited to 5911 replace "NNNN" with this documents RFC number. 5913 RFC Editor: Please delete this Appendix Z on publication. 5915 Z.1 Changes from -00 to -01 5917 Add hash function OIDs and informational reference to [RFC4055]. A 5918 few Editorial changes and typo fixes. 5920 Z.2 Changes from -01 to -02 5922 In shatest.c, replace MIT getopt (xgetopt) code with new code to 5923 avoid possible conflict between MIT license and IETF required BSD 5924 license. 5926 Z.3 Changes from -02 to -03 5928 Problem with MIT getopt is given incompletely in -01 to -02 changes. 5929 Actual problem includes conflict with IETF incoming license 5930 restriction. Also, add this change to Appendix giving changes from 5931 RFC 4634. Update to incorporate RFC number for the HKDF RFC. 5932 Numerous editorial changes. 5934 Z.4 Changes from -03 to -04 5936 Fix typos and nits. 5938 Z.5 Changes from -04 to -05 5940 Resolve AD Review comments: Re-order some Abstract and Introduction 5941 material. Make the RFC Editor notes more prominent. 5943 Author's Address 5945 Donald Eastlake 5946 Huawei 5947 155 Beaver Street 5948 Milford, MA 01757 USA 5950 Telephone: +1-508-333-2270 5951 EMail: d3e3e3@gmail.com 5953 Tony Hansen 5954 AT&T Laboratories 5955 200 Laurel Ave. 5956 Middletown, NJ 07748 USA 5958 Telephone: +1-732-420-8934 5959 EMail: tony+shs@maillennium.att.com 5961 Copyright, Disclaimer, and Additional IPR Provisions 5963 Copyright (c) 2011 IETF Trust and the persons identified as the 5964 document authors. All rights reserved. 5966 This document is subject to BCP 78 and the IETF Trust's Legal 5967 Provisions Relating to IETF Documents 5968 (http://trustee.ietf.org/license-info) in effect on the date of 5969 publication of this document. Please review these documents 5970 carefully, as they describe your rights and restrictions with respect 5971 to this document. Code Components extracted from this document must 5972 include Simplified BSD License text as described in Section 4.e of 5973 the Trust Legal Provisions and are provided without warranty as 5974 described in the BSD License. This Internet-Draft is submitted to 5975 IETF in full conformance with the provisions of BCP 78 and BCP 79.